borgmcp 0.9.56 → 0.9.58

package/dist/token-crypto.js

@@ -0,0 +1,91 @@
+/**
+ * gh#557 — AES-256-GCM crypto for the keychain-less token store.
+ *
+ * ⚠ OBFUSCATION-GRADE, BY DESIGN. The encryption key is DERIVED from stable
+ * machine+user identifiers (hostname, username, platform) — there is no
+ * passphrase. This means:
+ *
+ *   - It DEFENDS against casual/accidental exposure: a dotfile backup, an
+ *     `scp -r ~`, a synced home directory, a shoulder-surfed `cat`. The
+ *     on-disk bytes are ciphertext, not a readable token.
+ *   - It does NOT defend against a same-uid process or root on the SAME
+ *     machine: anything that can read ~/.borg/credentials can also read the
+ *     same hostname/username/platform and re-derive the key. That is an
+ *     accepted limitation (SR-endorsed, gh#557 ESCALATION 2) and matches
+ *     gcloud's own at-rest posture for its credential files.
+ *
+ * The OS keychain (config.ts default) remains the real at-rest encryption
+ * path; this fallback only engages when no keychain is available (headless
+ * Linux without Secret Service, etc.).
+ *
+ * Machine identifiers are injected (MachineKeyInputs) rather than read here,
+ * both for testability and so the production caller can choose OS primitives
+ * that work in headless/container environments (os.hostname()/os.userInfo()
+ * never spawn a subprocess, unlike a hardware machine-id probe).
+ */
+import crypto from 'crypto';
+/**
+ * Static application salt — domain-separates this key derivation from any
+ * other use of the same machine identifiers. NOT a secret (it ships in the
+ * published client); its only job is to make the derived key specific to
+ * borg-mcp token storage.
+ */
+const KEY_SALT = 'borg-mcp/token-store/v1';
+const ENVELOPE_VERSION = 'v1';
+const IV_BYTES = 12; // 96-bit nonce, the GCM standard
+const KEY_BYTES = 32; // AES-256
+/**
+ * Derive a stable 32-byte AES-256 key from machine+user identifiers.
+ * Deterministic for a given machine+user (so a token written today decrypts
+ * tomorrow) and distinct across machines/users.
+ */
+export function deriveMachineKey(inputs) {
+    const material = [inputs.hostname, inputs.username, inputs.platform, KEY_SALT].join('\0');
+    return crypto.createHash('sha256').update(material).digest(); // 32 bytes
+}
+/**
+ * Encrypt a plaintext string under the given key. Returns a versioned,
+ * dot-delimited envelope: `v1.<base64(iv)>.<base64(tag)>.<base64(ct)>`.
+ * A fresh random IV per call means the same plaintext encrypts differently
+ * every time (no deterministic-ciphertext leak).
+ */
+export function encryptString(plaintext, key) {
+    if (key.length !== KEY_BYTES) {
+        throw new Error(`token-crypto: key must be ${KEY_BYTES} bytes`);
+    }
+    const iv = crypto.randomBytes(IV_BYTES);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return [
+        ENVELOPE_VERSION,
+        iv.toString('base64'),
+        tag.toString('base64'),
+        ciphertext.toString('base64'),
+    ].join('.');
+}
+/**
+ * Decrypt an envelope produced by encryptString. Throws on a malformed
+ * envelope, a wrong key, or a tampered ciphertext (the GCM auth tag fails
+ * verification) — fail-closed is correct for credential material.
+ */
+export function decryptString(envelope, key) {
+    if (key.length !== KEY_BYTES) {
+        throw new Error(`token-crypto: key must be ${KEY_BYTES} bytes`);
+    }
+    const parts = envelope.split('.');
+    if (parts.length !== 4 || parts[0] !== ENVELOPE_VERSION) {
+        throw new Error('token-crypto: malformed or unsupported envelope');
+    }
+    const iv = Buffer.from(parts[1], 'base64');
+    const tag = Buffer.from(parts[2], 'base64');
+    const ciphertext = Buffer.from(parts[3], 'base64');
+    if (iv.length !== IV_BYTES) {
+        throw new Error('token-crypto: malformed IV');
+    }
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return plaintext.toString('utf8');
+}
+//# sourceMappingURL=token-crypto.js.map

package/dist/token-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-crypto.js","sourceRoot":"","sources":["../src/token-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;;;GAKG;AACH,MAAM,QAAQ,GAAG,yBAAyB,CAAC;AAC3C,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAC9B,MAAM,QAAQ,GAAG,EAAE,CAAC,CAAC,iCAAiC;AACtD,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,UAAU;AAQhC;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAwB;IACvD,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1F,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW;AAC3E,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,GAAW;IAC1D,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,6BAA6B,SAAS,QAAQ,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,gBAAgB;QAChB,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACrB,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtB,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC9B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB,EAAE,GAAW;IACzD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,6BAA6B,SAAS,QAAQ,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,gBAAgB,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAC5C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IACnD,IAAI,EAAE,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACjE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC"}

package/dist/token-store.d.ts

@@ -0,0 +1,98 @@
+/**
+ * gh#557 — token storage backends + selection.
+ *
+ * config.ts exposes the public token API (storeIdToken/getIdToken/...). This
+ * module supplies the interchangeable storage engines it sits on top of:
+ *
+ *   - KeychainBackend      — OS keychain via @napi-rs/keyring (the default;
+ *                            real platform at-rest encryption).
+ *   - EncryptedFileBackend — ~/.borg/credentials, all accounts in one
+ *                            AES-256-GCM blob, file 0600 / dir 0700. Engages
+ *                            only when no keychain is available. Obfuscation-
+ *                            grade (see token-crypto.ts).
+ *   - caller-managed       — BORG_TOKEN / BORG_TOKEN_FILE: an externally
+ *                            supplied id_token, used read-only with no store
+ *                            (the caller owns its lifecycle/freshness).
+ *
+ * Every engine takes its side-effecting dependencies (keyring entry factory,
+ * fs, machine key) by injection so the logic is unit-tested without a real
+ * keychain or disk.
+ */
+export type TokenBackendName = 'keychain' | 'encrypted-file';
+/**
+ * Account-agnostic key/value store over a backing engine. `account` is one
+ * of config.ts's three slots (id-token, refresh-token, expiry).
+ */
+export interface TokenBackend {
+    readonly name: TokenBackendName;
+    get(account: string): Promise<string | null>;
+    set(account: string, value: string): Promise<void>;
+    delete(account: string): Promise<void>;
+}
+/**
+ * The slice of @napi-rs/keyring's AsyncEntry this backend depends on. The
+ * return types mirror AsyncEntry exactly (deletePassword resolves to an
+ * implementation-defined value we ignore) so the real class is assignable.
+ */
+export interface KeyringEntry {
+    setPassword(value: string): Promise<void>;
+    getPassword(): Promise<string | null | undefined>;
+    deletePassword(): Promise<unknown>;
+}
+export type KeyringEntryFactory = (account: string) => KeyringEntry;
+/**
+ * Build the OS-keychain backend. Preserves config.ts's prior semantics:
+ * a missing entry reads as null, and delete is silent on a NoEntry error
+ * (idempotent clear) while other errors propagate (fail-loud).
+ */
+export declare function makeKeychainBackend(entryFactory?: KeyringEntryFactory): TokenBackend;
+/** The minimal fs surface the file backend needs (injected for tests). */
+export interface FileStoreFs {
+    readFile(filePath: string): Promise<string>;
+    writeFile(filePath: string, data: string, mode: number): Promise<void>;
+    mkdir(dir: string, mode: number): Promise<void>;
+}
+export interface EncryptedFileBackendDeps {
+    filePath: string;
+    key: Buffer;
+    fs: FileStoreFs;
+}
+/**
+ * Build the encrypted-file backend. All accounts live in one JSON object
+ * encrypted as a single AES-256-GCM envelope at `filePath`.
+ *
+ * A missing file reads as an empty map. A file that won't decrypt (wrong
+ * machine key after a hostname change, truncation, tampering) is ALSO
+ * treated as empty: the only consequence is the user re-runs `borg setup`,
+ * which is the right fail-safe for credential material — a hard crash on a
+ * corrupt dotfile would be worse UX than transparent re-auth.
+ */
+export declare function makeEncryptedFileBackend(deps: EncryptedFileBackendDeps): TokenBackend;
+/** User-facing BORG_TOKEN_STORE values (friendlier than the backend names). */
+export type ForcedStore = 'keychain' | 'file';
+export interface SelectTokenBackendDeps {
+    keyringAvailable: () => Promise<boolean>;
+    makeKeychain: () => TokenBackend;
+    makeFile: () => TokenBackend;
+    /** BORG_TOKEN_STORE override: skip probing and force a backend. */
+    forced?: ForcedStore;
+}
+/**
+ * Select the persistent backend: a forced choice (BORG_TOKEN_STORE=keychain|file)
+ * wins and skips the probe; otherwise probe the keychain and fall back to the
+ * encrypted file when it's unavailable.
+ */
+export declare function selectTokenBackend(deps: SelectTokenBackendDeps): Promise<TokenBackend>;
+export interface CallerManagedDeps {
+    env: NodeJS.ProcessEnv;
+    readFile: (filePath: string) => Promise<string>;
+}
+/**
+ * Resolve an externally-supplied id_token (no storage). BORG_TOKEN takes
+ * precedence; otherwise BORG_TOKEN_FILE is read from disk. Returns null when
+ * neither is configured. The value is trimmed (env vars and files commonly
+ * carry trailing newlines). The caller owns this token's freshness, so it
+ * bypasses the keychain AND the expiry check in config.ts.
+ */
+export declare function readCallerManagedIdToken(deps: CallerManagedDeps): Promise<string | null>;
+//# sourceMappingURL=token-store.d.ts.map

package/dist/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../src/token-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAQH,MAAM,MAAM,gBAAgB,GAAG,UAAU,GAAG,gBAAgB,CAAC;AAE7D;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,IAAI,EAAE,gBAAgB,CAAC;IAChC,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACxC;AAID;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,WAAW,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,CAAC;IAClD,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,EAAE,MAAM,KAAK,YAAY,CAAC;AAKpE;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,YAAY,GAAE,mBAAyC,GACtD,YAAY,CAmBd;AAID,0EAA0E;AAC1E,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5C,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvE,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,WAAW,CAAC;CACjB;AAID;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,wBAAwB,GAAG,YAAY,CA2CrF;AAID,+EAA+E;AAC/E,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,CAAC;AAE9C,MAAM,WAAW,sBAAsB;IACrC,gBAAgB,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IACzC,YAAY,EAAE,MAAM,YAAY,CAAC;IACjC,QAAQ,EAAE,MAAM,YAAY,CAAC;IAC7B,mEAAmE;IACnE,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,sBAAsB,GAC3B,OAAO,CAAC,YAAY,CAAC,CAIvB;AAID,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC,UAAU,CAAC;IACvB,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACjD;AAED;;;;;;GAMG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAWxB"}

package/dist/token-store.js

@@ -0,0 +1,136 @@
+/**
+ * gh#557 — token storage backends + selection.
+ *
+ * config.ts exposes the public token API (storeIdToken/getIdToken/...). This
+ * module supplies the interchangeable storage engines it sits on top of:
+ *
+ *   - KeychainBackend      — OS keychain via @napi-rs/keyring (the default;
+ *                            real platform at-rest encryption).
+ *   - EncryptedFileBackend — ~/.borg/credentials, all accounts in one
+ *                            AES-256-GCM blob, file 0600 / dir 0700. Engages
+ *                            only when no keychain is available. Obfuscation-
+ *                            grade (see token-crypto.ts).
+ *   - caller-managed       — BORG_TOKEN / BORG_TOKEN_FILE: an externally
+ *                            supplied id_token, used read-only with no store
+ *                            (the caller owns its lifecycle/freshness).
+ *
+ * Every engine takes its side-effecting dependencies (keyring entry factory,
+ * fs, machine key) by injection so the logic is unit-tested without a real
+ * keychain or disk.
+ */
+import path from 'path';
+import { AsyncEntry } from '@napi-rs/keyring';
+import { decryptString, encryptString } from './token-crypto.js';
+const SERVICE_NAME = 'borg-mcp';
+const defaultEntryFactory = (account) => new AsyncEntry(SERVICE_NAME, account);
+/**
+ * Build the OS-keychain backend. Preserves config.ts's prior semantics:
+ * a missing entry reads as null, and delete is silent on a NoEntry error
+ * (idempotent clear) while other errors propagate (fail-loud).
+ */
+export function makeKeychainBackend(entryFactory = defaultEntryFactory) {
+    return {
+        name: 'keychain',
+        async get(account) {
+            return (await entryFactory(account).getPassword()) ?? null;
+        },
+        async set(account, value) {
+            await entryFactory(account).setPassword(value);
+        },
+        async delete(account) {
+            try {
+                await entryFactory(account).deletePassword();
+            }
+            catch (err) {
+                const msg = String(err?.message ?? '');
+                if (/no entry|not found|no matching/i.test(msg))
+                    return;
+                throw err;
+            }
+        },
+    };
+}
+/**
+ * Build the encrypted-file backend. All accounts live in one JSON object
+ * encrypted as a single AES-256-GCM envelope at `filePath`.
+ *
+ * A missing file reads as an empty map. A file that won't decrypt (wrong
+ * machine key after a hostname change, truncation, tampering) is ALSO
+ * treated as empty: the only consequence is the user re-runs `borg setup`,
+ * which is the right fail-safe for credential material — a hard crash on a
+ * corrupt dotfile would be worse UX than transparent re-auth.
+ */
+export function makeEncryptedFileBackend(deps) {
+    const { filePath, key, fs } = deps;
+    async function readMap() {
+        let raw;
+        try {
+            raw = await fs.readFile(filePath);
+        }
+        catch {
+            return {}; // missing file → no stored tokens yet
+        }
+        try {
+            const json = decryptString(raw.trim(), key);
+            const parsed = JSON.parse(json);
+            return parsed && typeof parsed === 'object' ? parsed : {};
+        }
+        catch {
+            return {}; // undecryptable / corrupt → fail safe to re-auth
+        }
+    }
+    async function writeMap(map) {
+        await fs.mkdir(path.dirname(filePath), 0o700);
+        await fs.writeFile(filePath, encryptString(JSON.stringify(map), key), 0o600);
+    }
+    return {
+        name: 'encrypted-file',
+        async get(account) {
+            const map = await readMap();
+            return Object.prototype.hasOwnProperty.call(map, account) ? map[account] : null;
+        },
+        async set(account, value) {
+            const map = await readMap();
+            map[account] = value;
+            await writeMap(map);
+        },
+        async delete(account) {
+            const map = await readMap();
+            if (Object.prototype.hasOwnProperty.call(map, account)) {
+                delete map[account];
+                await writeMap(map);
+            }
+        },
+    };
+}
+/**
+ * Select the persistent backend: a forced choice (BORG_TOKEN_STORE=keychain|file)
+ * wins and skips the probe; otherwise probe the keychain and fall back to the
+ * encrypted file when it's unavailable.
+ */
+export async function selectTokenBackend(deps) {
+    if (deps.forced === 'keychain')
+        return deps.makeKeychain();
+    if (deps.forced === 'file')
+        return deps.makeFile();
+    return (await deps.keyringAvailable()) ? deps.makeKeychain() : deps.makeFile();
+}
+/**
+ * Resolve an externally-supplied id_token (no storage). BORG_TOKEN takes
+ * precedence; otherwise BORG_TOKEN_FILE is read from disk. Returns null when
+ * neither is configured. The value is trimmed (env vars and files commonly
+ * carry trailing newlines). The caller owns this token's freshness, so it
+ * bypasses the keychain AND the expiry check in config.ts.
+ */
+export async function readCallerManagedIdToken(deps) {
+    const inline = deps.env.BORG_TOKEN?.trim();
+    if (inline)
+        return inline;
+    const file = deps.env.BORG_TOKEN_FILE?.trim();
+    if (file) {
+        const contents = await deps.readFile(file);
+        return contents.trim();
+    }
+    return null;
+}
+//# sourceMappingURL=token-store.js.map

package/dist/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../src/token-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEjE,MAAM,YAAY,GAAG,UAAU,CAAC;AA8BhC,MAAM,mBAAmB,GAAwB,CAAC,OAAO,EAAE,EAAE,CAC3D,IAAI,UAAU,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;AAExC;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,eAAoC,mBAAmB;IAEvD,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,KAAK,CAAC,GAAG,CAAC,OAAO;YACf,OAAO,CAAC,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,IAAI,CAAC;QAC7D,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK;YACtB,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACjD,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,OAAO;YAClB,IAAI,CAAC;gBACH,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC;YAC/C,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;gBACvC,IAAI,iCAAiC,CAAC,IAAI,CAAC,GAAG,CAAC;oBAAE,OAAO;gBACxD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAmBD;;;;;;;;;GASG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAA8B;IACrE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,CAAC;IAEnC,KAAK,UAAU,OAAO;QACpB,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,sCAAsC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChC,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,iDAAiD;QAC9D,CAAC;IACH,CAAC;IAED,KAAK,UAAU,QAAQ,CAAC,GAAe;QACrC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO;QACL,IAAI,EAAE,gBAAgB;QACtB,KAAK,CAAC,GAAG,CAAC,OAAO;YACf,MAAM,GAAG,GAAG,MAAM,OAAO,EAAE,CAAC;YAC5B,OAAO,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAClF,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK;YACtB,MAAM,GAAG,GAAG,MAAM,OAAO,EAAE,CAAC;YAC5B,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC;YACrB,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,OAAO;YAClB,MAAM,GAAG,GAAG,MAAM,OAAO,EAAE,CAAC;YAC5B,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;gBACvD,OAAO,GAAG,CAAC,OAAO,CAAC,CAAC;gBACpB,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAeD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAA4B;IAE5B,IAAI,IAAI,CAAC,MAAM,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;IAC3D,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;IACnD,OAAO,CAAC,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;AACjF,CAAC;AASD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;IAC3C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;IAC9C,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3C,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;IACzB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "borgmcp",
-  "version": "0.9.56",
+  "version": "0.9.58",
   "description": "Coordinate AI coding agents in shared cubes. Works with Claude Code and Codex. Create projects, assign roles, and share a live activity log.",
   "type": "module",
   "main": "dist/index.js",
@@ -40,15 +40,7 @@
   ],
   "author": "Theodor Storm <theodor@byteventures.se>",
   "license": "Apache-2.0",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/theodorstorm/borg-mcp",
-    "directory": "client"
-  },
   "homepage": "https://borgmcp.ai",
-  "bugs": {
-    "url": "https://github.com/theodorstorm/borg-mcp/issues"
-  },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.4",
     "@napi-rs/keyring": "^1.3.0",