@zeph-to/mcp-server 1.9.2 → 1.11.0

package/README.md

@@ -52,6 +52,7 @@ Add to `~/.claude/settings.json`:
 | `ZEPH_HOOK_ID` | No | Hook ID (optional — only needed for interactive tools like `zeph_ask`/`zeph_prompt`/`zeph_input`) |
 | `ZEPH_DEVICE_ID` | No | Target device ID (optional — only needed for interactive tools like `zeph_ask`/`zeph_prompt`/`zeph_input`). Omit to send to all devices |
 | `ZEPH_BASE_URL` | No | API base URL (default: `https://api.zeph.to/v1`) |
+| `ZEPH_DISABLE_SESSION_CACHE` | No | Set to `1`/`true` to skip writing the session-id handoff file under `~/.cache/zeph/`. Useful for read-only filesystems, ephemeral CI runners, or sandboxed envs that audit filesystem writes. The plugin's stop hook still works without it (transcript-path UUID extraction is the primary path; the cache is a fallback for older Claude Code versions). |
 
 \* If env vars are not set, the server reads from `~/.zeph/config.json` (created by `npx @zeph-to/hook-sdk install`). Unresolved `${...}` interpolations are also treated as unset.
 
@@ -266,9 +267,11 @@ The API key needs the following scopes:
 
 Create an API key with the **MCP** preset in Settings > API Keys for the correct permissions.
 
-## E2E Encryption
+## Encryption
 
-Push notifications are encrypted end-to-end by default (AES-256-GCM + ECDH P-256). Keys are synced with the server on startup. When encryption is disabled in the Zeph app, the server sends plaintext. No configuration needed — encryption is automatic.
+Push bodies are encrypted with AES-256-GCM. The wrapping key is derived via ECDH P-256 and synced across your own devices on first server startup so every device can read the same push. Toggle encryption in the Zeph app (Settings → Encryption); when disabled, the server sends plaintext. No configuration needed.
+
+**Threat model honesty:** keys are persisted on the Zeph backend to enable cross-device sync, so this is *device-shared* encryption — not true end-to-end. It protects push contents from passive network observers and from a leaked database snapshot taken without the key store, but it does **not** protect against the Zeph backend itself (it has the keys it serves to your devices). A true E2E mode (per-device keypairs, server stores only public keys, no key escrow) is on the roadmap.
 
 ## License
 

package/dist/config.d.ts

@@ -4,6 +4,15 @@ export interface McpServerConfig {
     hookId?: string;
     deviceId?: string;
     sessionId?: string;
+    /** Last path segment of the project directory — prefixed onto push titles. */
+    projectName: string;
 }
+/**
+ * Prefix a push title with the project name so the device feed stays
+ * scannable — "zeph · Build finished" instead of a bare "Build finished".
+ * Idempotent: a title already carrying the project segment is returned
+ * unchanged (guards against double-prefixing on retries).
+ */
+export declare const formatPushTitle: (projectName: string, title: string) => string;
 export declare const loadConfig: () => McpServerConfig;
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAwCD,eAAO,MAAM,UAAU,QAAO,eA0B7B,CAAC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,eAAe;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8EAA8E;IAC9E,WAAW,EAAE,MAAM,CAAC;CACvB;AAiBD;;;;;GAKG;AACH,eAAO,MAAM,eAAe,GAAI,aAAa,MAAM,EAAE,OAAO,MAAM,KAAG,MAGpE,CAAC;AAgGF,eAAO,MAAM,UAAU,QAAO,eAsB7B,CAAC"}

package/dist/config.js

@@ -1,18 +1,42 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.loadConfig = void 0;
+exports.loadConfig = exports.formatPushTitle = void 0;
 const fs_1 = require("fs");
+const os_1 = require("os");
 const crypto_1 = require("crypto");
 const child_process_1 = require("child_process");
 const path_1 = require("path");
 const DEFAULT_BASE_URL = 'https://api.zeph.to/v1';
+const PROJECT_DIR_ENV_KEYS = ['CLAUDE_PROJECT_DIR', 'CURSOR_PROJECT_DIR', 'WINDSURF_PROJECT_DIR'];
+/** The project directory the agent runs in, across supported agents. */
+const detectProjectDir = () => {
+    for (const key of PROJECT_DIR_ENV_KEYS) {
+        const val = process.env[key];
+        if (val)
+            return val;
+    }
+    return process.cwd();
+};
+/** Last path segment of a directory: "/Users/me/code/zeph" -> "zeph". */
+const projectNameFromDir = (dir) => dir.split('/').filter(Boolean).pop() ?? 'project';
+/**
+ * Prefix a push title with the project name so the device feed stays
+ * scannable — "zeph · Build finished" instead of a bare "Build finished".
+ * Idempotent: a title already carrying the project segment is returned
+ * unchanged (guards against double-prefixing on retries).
+ */
+const formatPushTitle = (projectName, title) => {
+    const prefix = `${projectName} · `;
+    return title.startsWith(prefix) ? title : prefix + title;
+};
+exports.formatPushTitle = formatPushTitle;
 const resolvedEnv = (key) => {
     const val = process.env[key];
     return val && !val.startsWith('${') ? val : undefined;
 };
 const loadFileConfig = () => {
     try {
-        const configPath = (0, path_1.join)(process.env.HOME ?? '~', '.zeph', 'config.json');
+        const configPath = (0, path_1.join)((0, os_1.homedir)(), '.zeph', 'config.json');
         return JSON.parse((0, fs_1.readFileSync)(configPath, 'utf-8'));
     }
     catch {
@@ -24,18 +48,77 @@ const detectClaudeSessionId = () => {
     try {
         const projectDir = process.env.CLAUDE_PROJECT_DIR ?? process.cwd();
         const projectHash = projectDir.replace(/\//g, '-');
-        const sessionsDir = (0, path_1.join)(process.env.HOME ?? '~', '.claude', 'projects', projectHash);
-        const entries = (0, fs_1.readdirSync)(sessionsDir)
-            .filter((name) => /^[0-9a-f]{8}-/.test(name))
-            .filter((name) => (0, fs_1.statSync)((0, path_1.join)(sessionsDir, name)).isDirectory())
-            .map((name) => ({ name, mtime: (0, fs_1.statSync)((0, path_1.join)(sessionsDir, name)).mtimeMs }))
-            .sort((a, b) => b.mtime - a.mtime);
-        return entries[0]?.name;
+        const sessionsDir = (0, path_1.join)((0, os_1.homedir)(), '.claude', 'projects', projectHash);
+        let latest;
+        for (const name of (0, fs_1.readdirSync)(sessionsDir)) {
+            if (!/^[0-9a-f]{8}-[0-9a-f]{4}-/.test(name))
+                continue;
+            const fullPath = (0, path_1.join)(sessionsDir, name);
+            const stat = (0, fs_1.statSync)(fullPath);
+            if (!stat.isDirectory())
+                continue;
+            if (!latest || stat.mtimeMs > latest.mtime) {
+                latest = { name, mtime: stat.mtimeMs };
+            }
+        }
+        return latest?.name;
     }
     catch {
         return undefined;
     }
 };
+/**
+ * Truthy-env helper — accepts "1", "true", "yes", "on" (case-insensitive).
+ */
+const envIsTrue = (key) => {
+    const v = process.env[key];
+    if (!v)
+        return false;
+    return /^(1|true|yes|on)$/i.test(v.trim());
+};
+/**
+ * Write the resolved session id to a per-user cache file so shell hooks
+ * (e.g. plugin/hooks/zeph-stop.sh) can pick it up when their own transcript
+ * scrape misses. The previous location was /tmp/zeph-session-<hash>, which
+ * on multi-user machines exposed a symlink race — predictable filename,
+ * world-writable directory. Living under ~/.cache (or $XDG_CACHE_HOME)
+ * removes that — only the owning user can write there. The file is also
+ * opened with O_NOFOLLOW so a pre-existing symlink can never redirect us
+ * to /etc/passwd or similar.
+ *
+ * Users can opt out entirely by setting ZEPH_DISABLE_SESSION_CACHE=1.
+ * Useful for:
+ *   - Read-only filesystems (some container runtimes)
+ *   - CI runners where ~/.cache isn't persisted anyway, so the write is
+ *     pure overhead
+ *   - Sandboxed environments where extra filesystem writes trigger audit
+ *     noise
+ * The shell hook still works without the cache — it primarily extracts
+ * the session id from the transcript_path UUID; the cache is just a
+ * fallback for older Claude Code versions.
+ */
+const writeSessionCache = (sessionId, projectDir) => {
+    if (envIsTrue('ZEPH_DISABLE_SESSION_CACHE'))
+        return;
+    try {
+        const hash = (0, child_process_1.execFileSync)('cksum', { input: projectDir, encoding: 'utf-8' }).split(' ')[0];
+        const cacheDir = (0, path_1.join)(process.env.XDG_CACHE_HOME ?? (0, path_1.join)((0, os_1.homedir)(), '.cache'), 'zeph');
+        (0, fs_1.mkdirSync)(cacheDir, { recursive: true, mode: 0o700 });
+        const cachePath = (0, path_1.join)(cacheDir, `session-${hash}`);
+        const flags = fs_1.constants.O_WRONLY | fs_1.constants.O_CREAT | fs_1.constants.O_TRUNC | fs_1.constants.O_NOFOLLOW;
+        const fd = (0, fs_1.openSync)(cachePath, flags, 0o600);
+        try {
+            (0, fs_1.writeSync)(fd, sessionId);
+        }
+        finally {
+            (0, fs_1.closeSync)(fd);
+        }
+    }
+    catch {
+        /* best-effort — hook stop script also extracts session id from
+         * the transcript path, so failing here is non-fatal. */
+    }
+};
 const loadConfig = () => {
     const fileConfig = loadFileConfig();
     const apiKey = resolvedEnv('ZEPH_API_KEY') ?? fileConfig.apiKey;
@@ -43,19 +126,15 @@ const loadConfig = () => {
         throw new Error('ZEPH_API_KEY not found. Run "npx @zeph-to/hook-sdk install" or set ZEPH_API_KEY env var.');
     }
     const sessionId = resolvedEnv('ZEPH_SESSION_ID') ?? detectClaudeSessionId() ?? `sess_${(0, crypto_1.randomBytes)(12).toString('base64url')}`;
-    // Write sessionId to tmp file so shell hooks (zeph-stop.sh) can read it
-    try {
-        const projectDir = process.env.CLAUDE_PROJECT_DIR ?? process.cwd();
-        const hash = (0, child_process_1.execFileSync)('cksum', { input: projectDir, encoding: 'utf-8' }).split(' ')[0];
-        (0, fs_1.writeFileSync)(`/tmp/zeph-session-${hash}`, sessionId);
-    }
-    catch { /* best-effort */ }
+    const projectDir = process.env.CLAUDE_PROJECT_DIR ?? process.cwd();
+    writeSessionCache(sessionId, projectDir);
     return {
         apiKey,
         baseUrl: (resolvedEnv('ZEPH_BASE_URL') ?? fileConfig.baseUrl ?? DEFAULT_BASE_URL).replace(/\/$/, ''),
         hookId: resolvedEnv('ZEPH_HOOK_ID') ?? fileConfig.hookId,
         deviceId: resolvedEnv('ZEPH_DEVICE_ID') ?? fileConfig.deviceId,
         sessionId,
+        projectName: projectNameFromDir(detectProjectDir()),
     };
 };
 exports.loadConfig = loadConfig;

package/dist/crypto.d.ts

@@ -1,13 +1,39 @@
 /**
- * E2E encryption for MCP server — self-contained ECDH P-256 + AES-256-GCM
- * Mirrors @zeph/crypto API but bundled inline (no external dependency).
- * Uses Web Crypto API (globalThis.crypto.subtle) — Node.js 18+.
+ * Device-shared encryption for MCP server — self-contained ECDH P-256 +
+ * AES-256-GCM. Mirrors @zeph/crypto API but bundled inline (no external
+ * dependency). Uses Web Crypto API (globalThis.crypto.subtle) — Node.js 18+.
+ *
+ * Threat model honesty (do not call this "E2E" without a footnote):
+ *
+ *   The Zeph backend persists the per-user private key in plaintext so it
+ *   can be synced down to a fresh device (fetchServerKeys / uploadServerKeys
+ *   below). That means the backend can decrypt any push body — this is NOT
+ *   end-to-end in the standard sense. What it gives you is:
+ *     • Protection against passive network observers
+ *     • Protection against a leaked DB snapshot taken without the key store
+ *     • Cross-device readability (all your devices share one keypair)
+ *   What it does NOT give you:
+ *     • Protection against the Zeph backend itself
+ *     • Forward secrecy — encryptPushBodyForSelf / encryptFileForSelf do
+ *       ECDH(self, self), which collapses to a static derived key. A single
+ *       device compromise (since all your devices share the same keypair)
+ *       lets the attacker decrypt every past push for which they have the
+ *       ciphertext. The per-message AES key is random, but its wrap key is
+ *       static, so wrapped keys are decryptable forever.
+ *
+ *   True E2E would require a per-device keypair (server stores only public
+ *   keys; senders wrap the message key once per recipient device public
+ *   key). That refactor is on the roadmap; until then, treat push bodies as
+ *   sensitive-but-not-secret.
  */
 /**
  * Initialize crypto: sync keys with server, then fallback to local/generate.
  * Server is source of truth for per-user key pair.
  * Safe to call concurrently — deduplicates to single init.
  * Returns the exported public key (Base64 SPKI).
+ *
+ * NOTE: when `apiKey` is provided, `baseUrl` is required — otherwise a
+ * caller in a dev environment would silently upload keys to prod.
  */
 export declare const initCrypto: (apiKey?: string, baseUrl?: string) => Promise<string>;
 export declare const getKeyPair: () => CryptoKeyPair | null;

package/dist/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA0JH;;;;;GAKG;AACH,eAAO,MAAM,UAAU,GAAI,SAAS,MAAM,EAAE,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAiE5E,CAAC;AAqCF,eAAO,MAAM,UAAU,QAAO,aAAa,GAAG,IAAqB,CAAC;AACpE,eAAO,MAAM,YAAY,QAAO,MAAM,GAAG,IAA+B,CAAC;AAEzE;;GAEG;AACH,eAAO,MAAM,sBAAsB,GACjC,OAAO;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,KACrD,OAAO,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,IAAI,CAAC;CACnB,CAaA,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAC7B,SAAS,MAAM,KACd,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAQlE,CAAC"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AA2JH;;;;;;;;GAQG;AACH,eAAO,MAAM,UAAU,GAAI,SAAS,MAAM,EAAE,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAyE5E,CAAC;AAqCF,eAAO,MAAM,UAAU,QAAO,aAAa,GAAG,IAAqB,CAAC;AACpE,eAAO,MAAM,YAAY,QAAO,MAAM,GAAG,IAA+B,CAAC;AAEzE;;GAEG;AACH,eAAO,MAAM,sBAAsB,GACjC,OAAO;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,KACrD,OAAO,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,IAAI,CAAC;CACnB,CAaA,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAC7B,SAAS,MAAM,KACd,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAQlE,CAAC"}

package/dist/crypto.js

@@ -1,13 +1,37 @@
 "use strict";
 /**
- * E2E encryption for MCP server — self-contained ECDH P-256 + AES-256-GCM
- * Mirrors @zeph/crypto API but bundled inline (no external dependency).
- * Uses Web Crypto API (globalThis.crypto.subtle) — Node.js 18+.
+ * Device-shared encryption for MCP server — self-contained ECDH P-256 +
+ * AES-256-GCM. Mirrors @zeph/crypto API but bundled inline (no external
+ * dependency). Uses Web Crypto API (globalThis.crypto.subtle) — Node.js 18+.
+ *
+ * Threat model honesty (do not call this "E2E" without a footnote):
+ *
+ *   The Zeph backend persists the per-user private key in plaintext so it
+ *   can be synced down to a fresh device (fetchServerKeys / uploadServerKeys
+ *   below). That means the backend can decrypt any push body — this is NOT
+ *   end-to-end in the standard sense. What it gives you is:
+ *     • Protection against passive network observers
+ *     • Protection against a leaked DB snapshot taken without the key store
+ *     • Cross-device readability (all your devices share one keypair)
+ *   What it does NOT give you:
+ *     • Protection against the Zeph backend itself
+ *     • Forward secrecy — encryptPushBodyForSelf / encryptFileForSelf do
+ *       ECDH(self, self), which collapses to a static derived key. A single
+ *       device compromise (since all your devices share the same keypair)
+ *       lets the attacker decrypt every past push for which they have the
+ *       ciphertext. The per-message AES key is random, but its wrap key is
+ *       static, so wrapped keys are decryptable forever.
+ *
+ *   True E2E would require a per-device keypair (server stores only public
+ *   keys; senders wrap the message key once per recipient device public
+ *   key). That refactor is on the roadmap; until then, treat push bodies as
+ *   sensitive-but-not-secret.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.encryptFileForSelf = exports.encryptPushBodyForSelf = exports.getPublicKey = exports.getKeyPair = exports.initCrypto = void 0;
 /// <reference lib="dom" />
 const fs_1 = require("fs");
+const os_1 = require("os");
 const path_1 = require("path");
 // ─── Base64 helpers ───
 const toBase64 = (buffer) => {
@@ -79,7 +103,7 @@ const encryptFileContent = async (content, senderPrivateKey, recipientPublicKey)
     };
 };
 // ─── Key persistence (~/.config/zeph/keys.json) ───
-const KEYS_DIR = (0, path_1.join)(process.env.HOME ?? '~', '.config', 'zeph');
+const KEYS_DIR = (0, path_1.join)(process.env.XDG_CONFIG_HOME ?? (0, path_1.join)((0, os_1.homedir)(), '.config'), 'zeph');
 const KEYS_PATH = (0, path_1.join)(KEYS_DIR, 'keys.json');
 const loadStoredKeys = () => {
     try {
@@ -103,15 +127,24 @@ let initPromise = null;
  * Server is source of truth for per-user key pair.
  * Safe to call concurrently — deduplicates to single init.
  * Returns the exported public key (Base64 SPKI).
+ *
+ * NOTE: when `apiKey` is provided, `baseUrl` is required — otherwise a
+ * caller in a dev environment would silently upload keys to prod.
  */
 const initCrypto = (apiKey, baseUrl) => {
+    if (apiKey && !baseUrl) {
+        return Promise.reject(new Error('initCrypto: baseUrl is required when apiKey is provided. ' +
+            'Pass the resolved config.baseUrl to avoid silently syncing dev keys to prod.'));
+    }
     if (initPromise)
         return initPromise;
+    // The check above guarantees baseUrl is defined when apiKey is — narrow once.
+    const baseUrlRequired = apiKey ? baseUrl : baseUrl;
     initPromise = (async () => {
         const stored = loadStoredKeys();
         // Try server sync if API key available
         if (apiKey) {
-            const serverResult = await fetchServerKeys(apiKey, baseUrl);
+            const serverResult = await fetchServerKeys(apiKey, baseUrlRequired);
             // Server says encryption disabled — skip crypto init
             if (serverResult && !serverResult.encryptionEnabled) {
                 cachedKeyPair = null;
@@ -129,7 +162,7 @@ const initCrypto = (apiKey, baseUrl) => {
                 return serverResult.keys.publicKey;
             }
             if (stored) {
-                await uploadServerKeys(stored, apiKey, baseUrl);
+                await uploadServerKeys(stored, apiKey, baseUrlRequired);
                 cachedKeyPair = await importKeyPair(stored);
                 cachedExportedPublicKey = stored.publicKey;
                 cachedOwnPublicKey = cachedKeyPair.publicKey;
@@ -138,7 +171,7 @@ const initCrypto = (apiKey, baseUrl) => {
             const keyPair = await generateKeyPair();
             const exported = await exportKeyPair(keyPair);
             storeKeys(exported);
-            await uploadServerKeys(exported, apiKey, baseUrl);
+            await uploadServerKeys(exported, apiKey, baseUrlRequired);
             cachedKeyPair = keyPair;
             cachedExportedPublicKey = exported.publicKey;
             cachedOwnPublicKey = keyPair.publicKey;
@@ -167,7 +200,7 @@ const initCrypto = (apiKey, baseUrl) => {
 exports.initCrypto = initCrypto;
 const fetchServerKeys = async (apiKey, baseUrl) => {
     try {
-        const url = `${(baseUrl ?? 'https://api.zeph.to/v1').replace(/\/$/, '')}/users/me/keys`;
+        const url = `${baseUrl.replace(/\/$/, '')}/users/me/keys`;
         const res = await fetch(url, { headers: { 'X-API-Key': apiKey } });
         if (!res.ok)
             return null;
@@ -185,7 +218,7 @@ const fetchServerKeys = async (apiKey, baseUrl) => {
 };
 const uploadServerKeys = async (keys, apiKey, baseUrl) => {
     try {
-        const url = `${(baseUrl ?? 'https://api.zeph.to/v1').replace(/\/$/, '')}/users/me/keys`;
+        const url = `${baseUrl.replace(/\/$/, '')}/users/me/keys`;
         await fetch(url, {
             method: 'PUT',
             headers: { 'X-API-Key': apiKey, 'Content-Type': 'application/json' },

package/dist/mime.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Shared MIME-type inference for file/notify/ask payloads.
+ *
+ * Kept in one place so different tools don't produce inconsistent types
+ * for the same extension (e.g. `.csv` ending up as text/plain in one
+ * code path and text/csv in another).
+ */
+export declare const inferMimeType: (fileName: string) => string;
+//# sourceMappingURL=mime.d.ts.map

package/dist/mime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mime.d.ts","sourceRoot":"","sources":["../src/mime.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAkBH,eAAO,MAAM,aAAa,GAAI,UAAU,MAAM,KAAG,MAGhD,CAAC"}

package/dist/mime.js

@@ -0,0 +1,30 @@
+"use strict";
+/**
+ * Shared MIME-type inference for file/notify/ask payloads.
+ *
+ * Kept in one place so different tools don't produce inconsistent types
+ * for the same extension (e.g. `.csv` ending up as text/plain in one
+ * code path and text/csv in another).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.inferMimeType = void 0;
+const EXT_TO_MIME = {
+    txt: 'text/plain',
+    log: 'text/plain',
+    md: 'text/markdown',
+    json: 'application/json',
+    csv: 'text/csv',
+    html: 'text/html',
+    xml: 'text/xml',
+    yaml: 'text/yaml',
+    yml: 'text/yaml',
+    ts: 'text/typescript',
+    js: 'text/javascript',
+    py: 'text/x-python',
+    sh: 'text/x-shellscript',
+};
+const inferMimeType = (fileName) => {
+    const ext = fileName.split('.').pop()?.toLowerCase();
+    return EXT_TO_MIME[ext ?? ''] ?? 'text/plain';
+};
+exports.inferMimeType = inferMimeType;

package/dist/tools/ask.d.ts

@@ -1,5 +1,5 @@
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { ZephApiClient } from '../api-client.js';
-import type { McpServerConfig } from '../config.js';
+import { type McpServerConfig } from '../config.js';
 export declare const registerAskTool: (server: McpServer, client: ZephApiClient, config: McpServerConfig) => void;
 //# sourceMappingURL=ask.d.ts.map

package/dist/tools/ask.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ask.d.ts","sourceRoot":"","sources":["../../src/tools/ask.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAYpD,eAAO,MAAM,eAAe,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAmHhG,CAAC"}
+{"version":3,"file":"ask.d.ts","sourceRoot":"","sources":["../../src/tools/ask.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAuBrE,eAAO,MAAM,eAAe,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAwHhG,CAAC"}

package/dist/tools/ask.js

@@ -4,13 +4,21 @@ exports.registerAskTool = void 0;
 const zod_1 = require("zod");
 const error_format_js_1 = require("../error-format.js");
 const poll_js_1 = require("../poll.js");
+const config_js_1 = require("../config.js");
 const crypto_js_1 = require("../crypto.js");
-const BODY_FILE_THRESHOLD = 512;
+const mime_js_1 = require("../mime.js");
+// The device feed shows a short preview of the body. Anything longer than
+// this gets truncated there, so we attach the full text as a file — the
+// user can always open the complete content instead of squinting at a
+// clipped preview.
 const PREVIEW_LENGTH = 200;
-const inferMimeType = (fileName) => {
-    const ext = fileName.split('.').pop()?.toLowerCase();
-    const map = { md: 'text/markdown', txt: 'text/plain', json: 'application/json' };
-    return map[ext ?? ''] ?? 'text/plain';
+/** Self-contained Markdown for the attached response.md: heading + body + options. */
+const buildAskMarkdown = (title, body, actions) => {
+    const parts = [`# ${title}`, '', body];
+    if (actions && actions.length > 0) {
+        parts.push('', '---', '', `**Options:** ${actions.map((a) => a.label).join(' · ')}`);
+    }
+    return parts.join('\n');
 };
 const registerAskTool = (server, client, config) => {
     server.registerTool('zeph_ask', {
@@ -54,21 +62,25 @@ const registerAskTool = (server, client, config) => {
         if (!config.hookId)
             return (0, error_format_js_1.hookNotConfiguredError)();
         try {
-            const bodyBytes = body ? new TextEncoder().encode(body).byteLength : 0;
-            const isLongBody = bodyBytes > BODY_FILE_THRESHOLD;
+            const pushTitle = (0, config_js_1.formatPushTitle)(config.projectName, title);
+            // Attach a file whenever the body would be clipped in the feed preview.
+            const exceedsPreview = !!body && body.length > PREVIEW_LENGTH;
             let triggerBody = body;
             let files;
-            if (isLongBody && body) {
+            if (exceedsPreview && body) {
                 const fileName = 'response.md';
-                const fileType = inferMimeType(fileName);
+                const fileType = (0, mime_js_1.inferMimeType)(fileName);
                 const canEncrypt = !!(0, crypto_js_1.getKeyPair)() && !!(0, crypto_js_1.getPublicKey)();
-                let uploadContent = body;
+                // Self-contained Markdown so the file alone tells the whole story.
+                const fileMarkdown = buildAskMarkdown(title, body, actions);
+                const fileBytes = new TextEncoder().encode(fileMarkdown).byteLength;
+                let uploadContent = fileMarkdown;
                 let uploadContentType = fileType;
                 let fileIv;
                 let fileEncryptedKey;
                 if (canEncrypt) {
                     try {
-                        const encrypted = await (0, crypto_js_1.encryptFileForSelf)(body);
+                        const encrypted = await (0, crypto_js_1.encryptFileForSelf)(fileMarkdown);
                         uploadContent = encrypted.ciphertext;
                         uploadContentType = 'application/octet-stream';
                         fileIv = encrypted.iv;
@@ -78,13 +90,13 @@ const registerAskTool = (server, client, config) => {
                         console.error('[Crypto] File encryption failed, sending plaintext:', err);
                     }
                 }
-                const upload = await client.requestUpload({ fileName, fileType: uploadContentType, fileSize: typeof uploadContent === 'string' ? bodyBytes : uploadContent.length });
+                const upload = await client.requestUpload({ fileName, fileType: uploadContentType, fileSize: typeof uploadContent === 'string' ? fileBytes : uploadContent.length });
                 await client.uploadToS3(upload.data.uploadUrl, uploadContent, uploadContentType);
-                triggerBody = body.length > PREVIEW_LENGTH ? body.slice(0, PREVIEW_LENGTH) + '...' : body;
-                files = [{ fileKey: upload.data.fileKey, fileName, fileSize: bodyBytes, fileType, iv: fileIv, encryptedKey: fileEncryptedKey }];
+                triggerBody = body.slice(0, PREVIEW_LENGTH) + '...';
+                files = [{ fileKey: upload.data.fileKey, fileName, fileSize: fileBytes, fileType, iv: fileIv, encryptedKey: fileEncryptedKey }];
             }
             const trigger = await client.triggerHook(config.hookId, {
-                title,
+                title: pushTitle,
                 body: triggerBody,
                 actions,
                 timeout,

package/dist/tools/file.d.ts

@@ -1,5 +1,5 @@
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { ZephApiClient } from '../api-client.js';
-import type { McpServerConfig } from '../config.js';
+import { type McpServerConfig } from '../config.js';
 export declare const registerFileTool: (server: McpServer, client: ZephApiClient, config: McpServerConfig) => void;
 //# sourceMappingURL=file.d.ts.map

package/dist/tools/file.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"file.d.ts","sourceRoot":"","sources":["../../src/tools/file.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAwBpD,eAAO,MAAM,gBAAgB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SA2EjG,CAAC"}
+{"version":3,"file":"file.d.ts","sourceRoot":"","sources":["../../src/tools/file.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAKrE,eAAO,MAAM,gBAAgB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SA2EjG,CAAC"}

package/dist/tools/file.js

@@ -2,27 +2,10 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.registerFileTool = void 0;
 const zod_1 = require("zod");
+const config_js_1 = require("../config.js");
 const error_format_js_1 = require("../error-format.js");
 const crypto_js_1 = require("../crypto.js");
-const inferMimeType = (fileName) => {
-    const ext = fileName.split('.').pop()?.toLowerCase();
-    const map = {
-        txt: 'text/plain',
-        json: 'application/json',
-        csv: 'text/csv',
-        md: 'text/markdown',
-        html: 'text/html',
-        xml: 'text/xml',
-        yaml: 'text/yaml',
-        yml: 'text/yaml',
-        log: 'text/plain',
-        ts: 'text/typescript',
-        js: 'text/javascript',
-        py: 'text/x-python',
-        sh: 'text/x-shellscript',
-    };
-    return map[ext ?? ''] ?? 'text/plain';
-};
+const mime_js_1 = require("../mime.js");
 const registerFileTool = (server, client, config) => {
     server.registerTool('zeph_file', {
         description: 'Send a text file to the user\'s device. The content is uploaded and delivered as a file push. Use for logs, reports, code snippets, or any text content.',
@@ -40,7 +23,7 @@ const registerFileTool = (server, client, config) => {
     }, async ({ fileName, content, title, targetDeviceId }) => {
         try {
             const canEncrypt = !!(0, crypto_js_1.getKeyPair)() && !!(0, crypto_js_1.getPublicKey)();
-            let fileType = inferMimeType(fileName);
+            let fileType = (0, mime_js_1.inferMimeType)(fileName);
             const originalSize = new TextEncoder().encode(content).byteLength;
             // Step 1: Optionally encrypt file content
             let uploadContent = content;
@@ -65,11 +48,11 @@ const registerFileTool = (server, client, config) => {
             // Step 3: Upload content to S3
             await client.uploadToS3(upload.data.uploadUrl, uploadContent, fileType);
             // Step 4: Send file push (encrypt push body if possible)
-            const pushTitle = title ?? fileName;
+            const pushTitle = (0, config_js_1.formatPushTitle)(config.projectName, title ?? fileName);
             let pushPayload = {
                 title: pushTitle,
                 type: 'file',
-                files: [{ fileKey: upload.data.fileKey, fileName, fileSize: originalSize, fileType: inferMimeType(fileName), iv: fileIv, encryptedKey: fileEncryptedKey }],
+                files: [{ fileKey: upload.data.fileKey, fileName, fileSize: originalSize, fileType: (0, mime_js_1.inferMimeType)(fileName), iv: fileIv, encryptedKey: fileEncryptedKey }],
                 targetDeviceId: targetDeviceId ?? config.deviceId,
                 sessionId: config.sessionId,
             };

package/dist/tools/input.d.ts

@@ -1,5 +1,5 @@
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { ZephApiClient } from '../api-client.js';
-import type { McpServerConfig } from '../config.js';
+import { type McpServerConfig } from '../config.js';
 export declare const registerInputTool: (server: McpServer, client: ZephApiClient, config: McpServerConfig) => void;
 //# sourceMappingURL=input.d.ts.map

package/dist/tools/input.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"input.d.ts","sourceRoot":"","sources":["../../src/tools/input.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEpD,eAAO,MAAM,iBAAiB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAwDlG,CAAC"}
+{"version":3,"file":"input.d.ts","sourceRoot":"","sources":["../../src/tools/input.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAErE,eAAO,MAAM,iBAAiB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAwDlG,CAAC"}

package/dist/tools/input.js

@@ -4,6 +4,7 @@ exports.registerInputTool = void 0;
 const zod_1 = require("zod");
 const error_format_js_1 = require("../error-format.js");
 const poll_js_1 = require("../poll.js");
+const config_js_1 = require("../config.js");
 const registerInputTool = (server, client, config) => {
     server.registerTool('zeph_input', {
         description: 'Request text input from the user via push notification. The tool blocks until the user responds or the timeout is reached. Requires ZEPH_HOOK_ID environment variable.',
@@ -32,7 +33,7 @@ const registerInputTool = (server, client, config) => {
             return (0, error_format_js_1.hookNotConfiguredError)();
         try {
             const trigger = await client.triggerHook(config.hookId, {
-                title,
+                title: (0, config_js_1.formatPushTitle)(config.projectName, title),
                 body,
                 timeout,
                 hookType: 'input',

package/dist/tools/notify.d.ts

@@ -1,5 +1,5 @@
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { ZephApiClient } from '../api-client.js';
-import type { McpServerConfig } from '../config.js';
+import { type McpServerConfig } from '../config.js';
 export declare const registerNotifyTool: (server: McpServer, client: ZephApiClient, config: McpServerConfig) => void;
 //# sourceMappingURL=notify.d.ts.map

package/dist/tools/notify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"notify.d.ts","sourceRoot":"","sources":["../../src/tools/notify.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAYpD,eAAO,MAAM,kBAAkB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SA6GnG,CAAC"}
+{"version":3,"file":"notify.d.ts","sourceRoot":"","sources":["../../src/tools/notify.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAQrE,eAAO,MAAM,kBAAkB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAiHnG,CAAC"}

package/dist/tools/notify.js

@@ -3,17 +3,15 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.registerNotifyTool = void 0;
 const zod_1 = require("zod");
 const error_format_js_1 = require("../error-format.js");
+const config_js_1 = require("../config.js");
 const crypto_js_1 = require("../crypto.js");
-const BODY_FILE_THRESHOLD = 512;
+const mime_js_1 = require("../mime.js");
+// The device feed shows a short preview of the body. Anything longer gets
+// truncated there, so we attach the full text as a file for full viewing.
 const PREVIEW_LENGTH = 200;
-const inferMimeType = (fileName) => {
-    const ext = fileName.split('.').pop()?.toLowerCase();
-    const map = { md: 'text/markdown', txt: 'text/plain', json: 'application/json' };
-    return map[ext ?? ''] ?? 'text/plain';
-};
 const registerNotifyTool = (server, client, config) => {
     server.registerTool('zeph_notify', {
-        description: 'Send a one-way push notification to the user\'s devices. Use this to inform the user about task completion, errors, or status updates. Long bodies (>512B) are automatically uploaded as a file for full viewing.',
+        description: 'Send a one-way push notification to the user\'s devices. Use this to inform the user about task completion, errors, or status updates. Long bodies are automatically uploaded as a file for full viewing.',
         annotations: {
             readOnlyHint: false,
             destructiveHint: false,
@@ -32,21 +30,24 @@ const registerNotifyTool = (server, client, config) => {
     }, async ({ title, body, url, priority, targetDeviceId }) => {
         try {
             const deviceId = targetDeviceId ?? config.deviceId;
-            const bodyBytes = body ? new TextEncoder().encode(body).byteLength : 0;
-            const isLongBody = bodyBytes > BODY_FILE_THRESHOLD;
+            const pushTitle = (0, config_js_1.formatPushTitle)(config.projectName, title);
+            // Attach a file whenever the body would be clipped in the feed preview.
+            const isLongBody = !!body && body.length > PREVIEW_LENGTH;
             const canEncrypt = !!(0, crypto_js_1.getKeyPair)() && !!(0, crypto_js_1.getPublicKey)();
             if (isLongBody && body) {
                 const fileName = 'response.md';
-                const fileType = inferMimeType(fileName);
-                const fileSize = bodyBytes;
+                const fileType = (0, mime_js_1.inferMimeType)(fileName);
+                // Self-contained Markdown so the file alone carries the full text.
+                const fileMarkdown = `# ${title}\n\n${body}`;
+                const fileBytes = new TextEncoder().encode(fileMarkdown).byteLength;
                 // Encrypt file content if keys available
-                let uploadContent = body;
+                let uploadContent = fileMarkdown;
                 let uploadContentType = fileType;
                 let fileIv;
                 let fileEncryptedKey;
                 if (canEncrypt) {
                     try {
-                        const encrypted = await (0, crypto_js_1.encryptFileForSelf)(body);
+                        const encrypted = await (0, crypto_js_1.encryptFileForSelf)(fileMarkdown);
                         uploadContent = encrypted.ciphertext;
                         uploadContentType = 'application/octet-stream';
                         fileIv = encrypted.iv;
@@ -56,23 +57,23 @@ const registerNotifyTool = (server, client, config) => {
                         console.error('[Crypto] File encryption failed, sending plaintext:', err);
                     }
                 }
-                const upload = await client.requestUpload({ fileName, fileType: uploadContentType, fileSize: typeof uploadContent === 'string' ? fileSize : uploadContent.length });
+                const upload = await client.requestUpload({ fileName, fileType: uploadContentType, fileSize: typeof uploadContent === 'string' ? fileBytes : uploadContent.length });
                 await client.uploadToS3(upload.data.uploadUrl, uploadContent, uploadContentType);
-                const preview = body.length > PREVIEW_LENGTH ? body.slice(0, PREVIEW_LENGTH) + '...' : body;
+                const preview = body.slice(0, PREVIEW_LENGTH) + '...';
                 // Encrypt push body (title/preview/url) if keys available
                 let pushPayload = {
-                    title,
+                    title: pushTitle,
                     body: preview,
                     url,
                     type: 'file',
                     priority,
-                    files: [{ fileKey: upload.data.fileKey, fileName, fileSize, fileType, iv: fileIv, encryptedKey: fileEncryptedKey }],
+                    files: [{ fileKey: upload.data.fileKey, fileName, fileSize: fileBytes, fileType, iv: fileIv, encryptedKey: fileEncryptedKey }],
                     targetDeviceId: deviceId,
                     sessionId: config.sessionId,
                 };
                 if (canEncrypt) {
                     try {
-                        const enc = await (0, crypto_js_1.encryptPushBodyForSelf)({ title, body: preview, url });
+                        const enc = await (0, crypto_js_1.encryptPushBodyForSelf)({ title: pushTitle, body: preview, url });
                         pushPayload = { ...pushPayload, title: undefined, body: enc.body, isEncrypted: enc.isEncrypted, encryptedKey: enc.encryptedKey, senderPublicKey: enc.senderPublicKey };
                     }
                     catch (err) {
@@ -84,7 +85,7 @@ const registerNotifyTool = (server, client, config) => {
             }
             // Short body — encrypt push only
             let pushPayload = {
-                title,
+                title: pushTitle,
                 body,
                 url,
                 type: 'hook',
@@ -94,7 +95,7 @@ const registerNotifyTool = (server, client, config) => {
             };
             if (canEncrypt) {
                 try {
-                    const enc = await (0, crypto_js_1.encryptPushBodyForSelf)({ title, body, url });
+                    const enc = await (0, crypto_js_1.encryptPushBodyForSelf)({ title: pushTitle, body, url });
                     pushPayload = { ...pushPayload, title: undefined, body: enc.body, isEncrypted: enc.isEncrypted, encryptedKey: enc.encryptedKey, senderPublicKey: enc.senderPublicKey };
                 }
                 catch (err) {

package/dist/tools/prompt.d.ts

@@ -1,5 +1,5 @@
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { ZephApiClient } from '../api-client.js';
-import type { McpServerConfig } from '../config.js';
+import { type McpServerConfig } from '../config.js';
 export declare const registerPromptTool: (server: McpServer, client: ZephApiClient, config: McpServerConfig) => void;
 //# sourceMappingURL=prompt.d.ts.map

package/dist/tools/prompt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prompt.d.ts","sourceRoot":"","sources":["../../src/tools/prompt.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEpD,eAAO,MAAM,kBAAkB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAuEnG,CAAC"}
+{"version":3,"file":"prompt.d.ts","sourceRoot":"","sources":["../../src/tools/prompt.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGtD,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAErE,eAAO,MAAM,kBAAkB,GAAI,QAAQ,SAAS,EAAE,QAAQ,aAAa,EAAE,QAAQ,eAAe,SAuEnG,CAAC"}

package/dist/tools/prompt.js

@@ -4,6 +4,7 @@ exports.registerPromptTool = void 0;
 const zod_1 = require("zod");
 const error_format_js_1 = require("../error-format.js");
 const poll_js_1 = require("../poll.js");
+const config_js_1 = require("../config.js");
 const registerPromptTool = (server, client, config) => {
     server.registerTool('zeph_prompt', {
         description: 'Ask the user to choose from predefined options via push notification. The tool blocks until the user responds or the timeout is reached. Requires ZEPH_HOOK_ID environment variable.',
@@ -41,7 +42,7 @@ const registerPromptTool = (server, client, config) => {
             return (0, error_format_js_1.hookNotConfiguredError)();
         try {
             const trigger = await client.triggerHook(config.hookId, {
-                title,
+                title: (0, config_js_1.formatPushTitle)(config.projectName, title),
                 body,
                 actions,
                 timeout,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zeph-to/mcp-server",
-  "version": "1.9.2",
+  "version": "1.11.0",
   "description": "Zeph MCP server — AI agent notifications, prompts, and input via MCP protocol",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -8,7 +8,7 @@
     "zeph-mcp": "./dist/index.js"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=18.17.0"
   },
   "files": [
     "dist",
@@ -16,6 +16,8 @@
   ],
   "scripts": {
     "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
@@ -23,8 +25,9 @@
     "zod": "^3.25.1"
   },
   "devDependencies": {
+    "@types/node": "^22.0.0",
     "typescript": "^5.8.0",
-    "@types/node": "^22.0.0"
+    "vitest": "^2.1.9"
   },
   "release": {
     "branches": [