chainlesschain 0.47.8 → 0.47.9

package/src/lib/mcp-scaffold.js

@@ -0,0 +1,385 @@
+/**
+ * MCP server scaffolder — pure template generator.
+ *
+ * Turns a `{name, description, transport, author}` spec into a list of
+ * `{path, content}` files that together form a runnable boilerplate
+ * project built on `@modelcontextprotocol/sdk`. Intentionally pure: the
+ * command layer decides where to write the files (and whether to
+ * overwrite), so tests can snapshot the output without hitting disk.
+ *
+ * Two transports are supported:
+ *
+ *   - **stdio** — default, matches every MCP example under
+ *     `@modelcontextprotocol/server-*`. Uses `StdioServerTransport`,
+ *     run via `node index.js` and wired into a host's MCP config with
+ *     `command: "node"`.
+ *   - **http**  — streamable HTTP + SSE. Uses `StreamableHTTPServerTransport`
+ *     behind a tiny Express app so `cc mcp add <name> -u http://...`
+ *     (or any MCP host) can connect.
+ *
+ * Every generated project includes:
+ *
+ *   - package.json     — `type: module`, `start` script, MCP SDK dep
+ *   - index.js         — 1 example tool (`echo`) + 1 example resource
+ *                        (`hello://world`) wired through the chosen transport
+ *   - README.md        — run + wire-up instructions tailored to transport
+ *   - .gitignore       — node_modules / logs / `.env`
+ *
+ * The scaffold stays intentionally tiny — "hello-world MCP server" —
+ * rather than trying to demo every SDK feature. Authors clone and extend.
+ */
+
+/* ── constants ──────────────────────────────────────────────── */
+
+export const SUPPORTED_TRANSPORTS = Object.freeze(["stdio", "http"]);
+
+export const SDK_VERSION = "^1.0.0";
+export const EXPRESS_VERSION = "^4.19.2";
+
+const NAME_PATTERN = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
+
+/* ── public API ─────────────────────────────────────────────── */
+
+/**
+ * Generate the full file set for a new MCP server project.
+ *
+ * @param {object} spec
+ * @param {string} spec.name         — npm-style kebab-case package name
+ * @param {string} [spec.description]
+ * @param {"stdio"|"http"} [spec.transport="stdio"]
+ * @param {string} [spec.author]
+ * @param {number} [spec.port=3333]  — only used for http transport
+ * @returns {{ files: Array<{path:string, content:string}>, summary: object }}
+ */
+export function generateMcpServerScaffold(spec = {}) {
+  const name = normalizeName(spec.name);
+  const description =
+    (typeof spec.description === "string" && spec.description.trim()) ||
+    `An MCP server — ${name}`;
+  const transport = normalizeTransport(spec.transport);
+  const author = typeof spec.author === "string" ? spec.author.trim() : "";
+  const port = Number.isInteger(spec.port) && spec.port > 0 ? spec.port : 3333;
+
+  const files = [
+    {
+      path: "package.json",
+      content: renderPackageJson({ name, description, transport, author }),
+    },
+    {
+      path: "index.js",
+      content: renderIndexJs({ name, description, transport, port }),
+    },
+    {
+      path: "README.md",
+      content: renderReadme({ name, description, transport, port }),
+    },
+    { path: ".gitignore", content: renderGitignore() },
+  ];
+
+  const summary = {
+    name,
+    description,
+    transport,
+    port: transport === "http" ? port : null,
+    fileCount: files.length,
+  };
+
+  return { files, summary };
+}
+
+/**
+ * Validate a proposed server name. Throws with a concrete reason —
+ * callers can surface the message verbatim.
+ */
+export function normalizeName(raw) {
+  if (typeof raw !== "string" || !raw.trim()) {
+    throw new Error("Server name is required.");
+  }
+  const name = raw.trim().toLowerCase();
+  if (!NAME_PATTERN.test(name)) {
+    throw new Error(
+      `Invalid server name "${raw}". ` +
+        `Use lowercase letters, digits, or hyphens (e.g. "my-weather").`,
+    );
+  }
+  if (name.length > 60) {
+    throw new Error("Server name must be 60 characters or fewer.");
+  }
+  return name;
+}
+
+export function normalizeTransport(raw) {
+  const t =
+    (typeof raw === "string" ? raw.trim().toLowerCase() : "stdio") || "stdio";
+  if (!SUPPORTED_TRANSPORTS.includes(t)) {
+    throw new Error(
+      `Unknown transport "${raw}". Supported: ${SUPPORTED_TRANSPORTS.join(", ")}.`,
+    );
+  }
+  return t;
+}
+
+/* ── renderers ──────────────────────────────────────────────── */
+
+function renderPackageJson({ name, description, transport, author }) {
+  const deps = {
+    "@modelcontextprotocol/sdk": SDK_VERSION,
+  };
+  if (transport === "http") deps.express = EXPRESS_VERSION;
+
+  const pkg = {
+    name,
+    version: "0.1.0",
+    description,
+    type: "module",
+    main: "index.js",
+    scripts: {
+      start: "node index.js",
+    },
+    dependencies: deps,
+  };
+  if (author) pkg.author = author;
+
+  return JSON.stringify(pkg, null, 2) + "\n";
+}
+
+function renderIndexJs({ name, description, transport, port }) {
+  if (transport === "stdio") return renderStdioIndex({ name, description });
+  return renderHttpIndex({ name, description, port });
+}
+
+function renderStdioIndex({ name, description }) {
+  return `#!/usr/bin/env node
+/**
+ * ${name} — ${description}
+ *
+ * An MCP server over stdio. Registered by an MCP host via:
+ *
+ *   { "command": "node", "args": ["./index.js"] }
+ *
+ * (Or via \`cc mcp add ${name} -c node -a "./index.js"\`.)
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  CallToolRequestSchema,
+  ListResourcesRequestSchema,
+  ListToolsRequestSchema,
+  ReadResourceRequestSchema,
+} from "@modelcontextprotocol/sdk/types.js";
+
+const server = new Server(
+  { name: "${name}", version: "0.1.0" },
+  { capabilities: { tools: {}, resources: {} } },
+);
+
+// ── Example tool ─────────────────────────────────────────────
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+  tools: [
+    {
+      name: "echo",
+      description: "Echo back the supplied message.",
+      inputSchema: {
+        type: "object",
+        required: ["message"],
+        properties: {
+          message: { type: "string", description: "Text to echo." },
+        },
+      },
+    },
+  ],
+}));
+
+server.setRequestHandler(CallToolRequestSchema, async (req) => {
+  const { name: tool, arguments: args } = req.params;
+  if (tool === "echo") {
+    return {
+      content: [{ type: "text", text: String(args?.message ?? "") }],
+    };
+  }
+  throw new Error(\`Unknown tool: \${tool}\`);
+});
+
+// ── Example resource ─────────────────────────────────────────
+server.setRequestHandler(ListResourcesRequestSchema, async () => ({
+  resources: [
+    {
+      uri: "hello://world",
+      name: "Hello world",
+      description: "A trivial resource you can read to test connectivity.",
+      mimeType: "text/plain",
+    },
+  ],
+}));
+
+server.setRequestHandler(ReadResourceRequestSchema, async (req) => {
+  if (req.params.uri === "hello://world") {
+    return {
+      contents: [
+        { uri: req.params.uri, mimeType: "text/plain", text: "Hello, MCP!" },
+      ],
+    };
+  }
+  throw new Error(\`Unknown resource: \${req.params.uri}\`);
+});
+
+// ── Start ────────────────────────────────────────────────────
+const transport = new StdioServerTransport();
+await server.connect(transport);
+`;
+}
+
+function renderHttpIndex({ name, description, port }) {
+  return `#!/usr/bin/env node
+/**
+ * ${name} — ${description}
+ *
+ * An MCP server over Streamable HTTP + SSE. Started with:
+ *
+ *   npm start               # listens on 0.0.0.0:${port}
+ *   PORT=9001 npm start     # override port
+ *
+ * Hosts connect by URL — with this CLI:
+ *
+ *   cc mcp add ${name} -u http://localhost:${port}/mcp
+ */
+import express from "express";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import {
+  CallToolRequestSchema,
+  ListResourcesRequestSchema,
+  ListToolsRequestSchema,
+  ReadResourceRequestSchema,
+} from "@modelcontextprotocol/sdk/types.js";
+
+function makeServer() {
+  const server = new Server(
+    { name: "${name}", version: "0.1.0" },
+    { capabilities: { tools: {}, resources: {} } },
+  );
+
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: [
+      {
+        name: "echo",
+        description: "Echo back the supplied message.",
+        inputSchema: {
+          type: "object",
+          required: ["message"],
+          properties: {
+            message: { type: "string", description: "Text to echo." },
+          },
+        },
+      },
+    ],
+  }));
+
+  server.setRequestHandler(CallToolRequestSchema, async (req) => {
+    const { name: tool, arguments: args } = req.params;
+    if (tool === "echo") {
+      return {
+        content: [{ type: "text", text: String(args?.message ?? "") }],
+      };
+    }
+    throw new Error(\`Unknown tool: \${tool}\`);
+  });
+
+  server.setRequestHandler(ListResourcesRequestSchema, async () => ({
+    resources: [
+      {
+        uri: "hello://world",
+        name: "Hello world",
+        description: "A trivial resource you can read to test connectivity.",
+        mimeType: "text/plain",
+      },
+    ],
+  }));
+
+  server.setRequestHandler(ReadResourceRequestSchema, async (req) => {
+    if (req.params.uri === "hello://world") {
+      return {
+        contents: [
+          { uri: req.params.uri, mimeType: "text/plain", text: "Hello, MCP!" },
+        ],
+      };
+    }
+    throw new Error(\`Unknown resource: \${req.params.uri}\`);
+  });
+
+  return server;
+}
+
+const app = express();
+app.use(express.json());
+
+app.all("/mcp", async (req, res) => {
+  const transport = new StreamableHTTPServerTransport({
+    sessionIdGenerator: () => crypto.randomUUID(),
+  });
+  const server = makeServer();
+  await server.connect(transport);
+  await transport.handleRequest(req, res, req.body);
+});
+
+const port = Number(process.env.PORT) || ${port};
+app.listen(port, () => {
+  console.log(\`[${name}] MCP server listening on http://localhost:\${port}/mcp\`);
+});
+`;
+}
+
+function renderReadme({ name, description, transport, port }) {
+  const wireUp =
+    transport === "stdio"
+      ? `cc mcp add ${name} -c node -a "./index.js"`
+      : `cc mcp add ${name} -u http://localhost:${port}/mcp`;
+
+  const run =
+    transport === "stdio"
+      ? "An MCP host invokes the server on demand — there's no long-running process. Use `node index.js` only to sanity-check that the file parses."
+      : `\`\`\`bash\nnpm install\nnpm start    # listens on http://localhost:${port}/mcp\n\`\`\``;
+
+  return `# ${name}
+
+${description}
+
+Transport: **${transport}**${transport === "http" ? ` (port ${port})` : ""}
+
+## Install
+
+\`\`\`bash
+npm install
+\`\`\`
+
+## Run
+
+${run}
+
+## Wire into a host
+
+${transport === "stdio" ? "" : ""}\`\`\`bash
+${wireUp}
+cc mcp tools      # list discovered tools
+cc mcp call ${name} echo --args '{"message":"hi"}'
+\`\`\`
+
+## What's in the box
+
+- \`echo\` tool — accepts \`{message}\`, returns it verbatim.
+- \`hello://world\` resource — a trivial plain-text resource you can read
+  to confirm the server is reachable.
+
+Extend \`index.js\` with your own \`Set*RequestHandler\` calls; the MCP SDK
+docs at https://modelcontextprotocol.io/docs cover every request type.
+`;
+}
+
+function renderGitignore() {
+  return `node_modules/
+*.log
+.env
+.env.*
+!.env.example
+`;
+}

package/src/lib/nostr-bridge.js

@@ -4,6 +4,14 @@
  */
 
 import crypto from "crypto";
+import {
+  generatePrivateKey as _genPriv,
+  getPublicKey as _getPub,
+  signEvent as _signEvent,
+  verifyEvent as _verifyEvent,
+  npubEncode as _npubEncode,
+  nsecEncode as _nsecEncode,
+} from "@chainlesschain/session-core/nostr-crypto";
 
 /* ── In-memory stores ──────────────────────────────────────── */
 const _relays = new Map();
@@ -88,36 +96,71 @@ export function addRelay(db, url) {
 
 /* ── Event Publishing ─────────────────────────────────────── */
 
-export function publishEvent(db, kind, content, pubkey, tags) {
+/**
+ * Publish a NIP-01 event. When `privateKey` is provided the event is
+ * schnorr-signed with BIP-340 and `pubkey` is derived from it (any
+ * caller-supplied `pubkey` is ignored and overridden to match the key).
+ * Without a private key the caller gets an *unsigned* event — useful
+ * for in-memory workflows (e.g. `cc nostr publish` from REPL demos) but
+ * such events will be rejected by real relays.
+ */
+export function publishEvent(db, kind, content, pubkey, tags, privateKey) {
   if (content === undefined || content === null)
     throw new Error("Content is required");
 
-  const now = new Date().toISOString();
-  const serialized = JSON.stringify([
-    0,
-    pubkey || "anonymous",
-    now,
-    kind || 1,
-    tags || [],
-    content,
-  ]);
-  const id = crypto.createHash("sha256").update(serialized).digest("hex");
-  const sig = crypto.randomBytes(64).toString("hex");
+  const createdAt = Math.floor(Date.now() / 1000);
+  const resolvedKind = kind || EVENT_KINDS.TEXT_NOTE;
+  const resolvedTags = tags || [];
+
+  let event;
+  if (privateKey) {
+    const derivedPubkey = _getPub(privateKey);
+    event = _signEvent(
+      {
+        pubkey: derivedPubkey,
+        created_at: createdAt,
+        kind: resolvedKind,
+        tags: resolvedTags,
+        content,
+      },
+      privateKey,
+    );
+  } else {
+    // Unsigned path: compute a deterministic id from canonical serialization
+    // so dedup still works, but leave sig empty to signal "not signed".
+    const fallbackPubkey = pubkey || "anonymous";
+    const serialized = JSON.stringify([
+      0,
+      fallbackPubkey,
+      createdAt,
+      resolvedKind,
+      resolvedTags,
+      content,
+    ]);
+    const id = crypto.createHash("sha256").update(serialized).digest("hex");
+    event = {
+      id,
+      pubkey: fallbackPubkey,
+      created_at: createdAt,
+      kind: resolvedKind,
+      tags: resolvedTags,
+      content,
+      sig: "",
+    };
+  }
 
-  const event = {
-    id,
-    pubkey: pubkey || "anonymous",
-    kind: kind || EVENT_KINDS.TEXT_NOTE,
-    content,
-    tags: tags || [],
-    sig,
-    createdAt: now,
+  const storedEvent = {
+    id: event.id,
+    pubkey: event.pubkey,
+    kind: event.kind,
+    content: event.content,
+    tags: event.tags,
+    sig: event.sig,
+    createdAt: event.created_at,
     relayUrl: null,
   };
+  _events.set(event.id, storedEvent);
 
-  _events.set(id, event);
-
-  // Count relays that received the event
   const writeRelays = [..._relays.values()].filter((r) => r.writeEnabled);
   let sentCount = 0;
   for (const relay of writeRelays) {
@@ -129,18 +172,35 @@ export function publishEvent(db, kind, content, pubkey, tags) {
     `INSERT INTO nostr_events (id, pubkey, kind, content, tags, sig, created_at, relay_url, imported)
      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
   ).run(
-    id,
+    event.id,
     event.pubkey,
     event.kind,
     content,
-    JSON.stringify(tags || []),
-    sig,
-    now,
+    JSON.stringify(resolvedTags),
+    event.sig,
+    new Date(createdAt * 1000).toISOString(),
     null,
     0,
   );
 
-  return { success: true, event, sentCount };
+  return { success: true, event: storedEvent, sentCount };
+}
+
+/**
+ * Verify an event's schnorr signature + id integrity (NIP-01).
+ * Returns false for unsigned events (empty `sig`).
+ */
+export function verifyEventSignature(event) {
+  if (!event || !event.sig) return false;
+  return _verifyEvent({
+    id: event.id,
+    pubkey: event.pubkey,
+    created_at: event.createdAt ?? event.created_at,
+    kind: event.kind,
+    tags: event.tags,
+    content: event.content,
+    sig: event.sig,
+  });
 }
 
 /* ── Event Retrieval ──────────────────────────────────────── */
@@ -157,21 +217,17 @@ export function getEvents(filter = {}) {
 /* ── Keypair Generation ───────────────────────────────────── */
 
 export function generateKeypair() {
-  const privateKey = crypto.randomBytes(32).toString("hex");
-  const publicKey = crypto
-    .createHash("sha256")
-    .update(privateKey)
-    .digest("hex");
-  const id = crypto.randomUUID();
-
+  const privateKey = _genPriv();
+  const publicKey = _getPub(privateKey);
   const keypair = {
-    id,
+    id: crypto.randomUUID(),
     publicKey,
     privateKey,
+    npub: _npubEncode(publicKey),
+    nsec: _nsecEncode(privateKey),
     createdAt: new Date().toISOString(),
   };
-  _keypairs.set(id, keypair);
-
+  _keypairs.set(keypair.id, keypair);
   return keypair;
 }
 
@@ -185,6 +241,126 @@ export function mapDid(did, nostrPubkey) {
   return { did, nostrPubkey, mapped: true };
 }
 
+/* ── NIP-04: Encrypted Direct Messages ─────────────────────── */
+
+/**
+ * Compute NIP-04 ECDH shared secret.
+ * Nostr pubkeys are x-only (32 bytes); prepend 0x02 to reconstruct a
+ * compressed point. Point negation yields the same x-coordinate, so the
+ * y-sign does not affect the shared secret.
+ */
+function _computeSharedSecret(privKeyHex, pubKeyHex) {
+  const ecdh = crypto.createECDH("secp256k1");
+  ecdh.setPrivateKey(Buffer.from(privKeyHex, "hex"));
+  const compressedPub = Buffer.concat([
+    Buffer.from([0x02]),
+    Buffer.from(pubKeyHex, "hex"),
+  ]);
+  return ecdh.computeSecret(compressedPub);
+}
+
+/**
+ * Publish a NIP-04 encrypted direct message (kind=4).
+ * @param {Object} db - SQLite database handle
+ * @param {Object} params - { senderPrivkey, senderPubkey, recipientPubkey, plaintext }
+ * @returns {Object} { success, event, sentCount }
+ */
+export function publishDirectMessage(
+  db,
+  { senderPrivkey, senderPubkey, recipientPubkey, plaintext },
+) {
+  if (!senderPrivkey || !senderPubkey || !recipientPubkey) {
+    throw new Error(
+      "senderPrivkey, senderPubkey, and recipientPubkey are required",
+    );
+  }
+  if (plaintext === undefined || plaintext === null) {
+    throw new Error("plaintext is required");
+  }
+
+  const sharedSecret = _computeSharedSecret(senderPrivkey, recipientPubkey);
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv("aes-256-cbc", sharedSecret, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final(),
+  ]);
+  const content = `${encrypted.toString("base64")}?iv=${iv.toString("base64")}`;
+
+  return publishEvent(db, EVENT_KINDS.ENCRYPTED_DM, content, senderPubkey, [
+    ["p", recipientPubkey],
+  ]);
+}
+
+/**
+ * Decrypt a NIP-04 direct message event.
+ * @param {Object} params - { event, recipientPrivkey }
+ * @returns {string} decrypted plaintext
+ */
+export function decryptDirectMessage({ event, recipientPrivkey }) {
+  if (!event || !event.content || !event.pubkey) {
+    throw new Error("event with content and pubkey is required");
+  }
+  if (!recipientPrivkey) {
+    throw new Error("recipientPrivkey is required");
+  }
+  if (event.kind !== EVENT_KINDS.ENCRYPTED_DM) {
+    throw new Error(
+      `Expected kind=${EVENT_KINDS.ENCRYPTED_DM}, got kind=${event.kind}`,
+    );
+  }
+
+  const parts = event.content.split("?iv=");
+  if (parts.length !== 2 || !parts[0] || !parts[1]) {
+    throw new Error("Invalid NIP-04 content format");
+  }
+
+  const ciphertext = Buffer.from(parts[0], "base64");
+  const iv = Buffer.from(parts[1], "base64");
+  const sharedSecret = _computeSharedSecret(recipientPrivkey, event.pubkey);
+  const decipher = crypto.createDecipheriv("aes-256-cbc", sharedSecret, iv);
+  const decrypted = Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final(),
+  ]);
+  return decrypted.toString("utf8");
+}
+
+/* ── NIP-09: Event Deletion Request ─────────────────────────── */
+
+/**
+ * Publish a NIP-09 deletion request (kind=5) referencing prior events.
+ * @param {Object} db - SQLite database handle
+ * @param {Object} params - { eventIds: string[], reason?: string, pubkey?: string }
+ */
+export function publishDeletion(db, { eventIds, reason = "", pubkey }) {
+  if (!Array.isArray(eventIds) || eventIds.length === 0) {
+    throw new Error("eventIds must be a non-empty array");
+  }
+  const tags = eventIds.map((id) => ["e", id]);
+  return publishEvent(db, EVENT_KINDS.DELETE, reason, pubkey, tags);
+}
+
+/* ── NIP-25: Reactions ──────────────────────────────────────── */
+
+/**
+ * Publish a NIP-25 reaction (kind=7) to another event.
+ * @param {Object} db - SQLite database handle
+ * @param {Object} params - { targetEventId, targetPubkey, content?, pubkey? }
+ */
+export function publishReaction(
+  db,
+  { targetEventId, targetPubkey, content = "+", pubkey },
+) {
+  if (!targetEventId || !targetPubkey) {
+    throw new Error("targetEventId and targetPubkey are required");
+  }
+  return publishEvent(db, EVENT_KINDS.REACTION, content, pubkey, [
+    ["e", targetEventId],
+    ["p", targetPubkey],
+  ]);
+}
+
 /* ── Reset (for testing) ───────────────────────────────────── */
 
 export function _resetState() {