context-chest-mcp 0.1.0

package/README.md

@@ -0,0 +1,39 @@
+# @context-chest/mcp-server
+
+MCP server that gives AI agents encrypted, persistent memory.
+
+## Setup
+
+Add to your Claude Code or Cursor MCP config:
+
+```json
+{
+  "mcpServers": {
+    "context-chest": {
+      "command": "npx",
+      "args": ["@context-chest/mcp-server"]
+    }
+  }
+}
+```
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `context-chest_remember` | Store encrypted memory |
+| `context-chest_recall` | Search memories |
+| `context-chest_read` | Read decrypted content |
+| `context-chest_forget` | Delete a memory |
+| `context-chest_browse` | Browse memory tree |
+| `context-chest_session-start` | Start tracking a conversation |
+| `context-chest_session-append` | Add message to session |
+| `context-chest_session-save` | Extract memories and close session |
+
+## How it works
+
+Content is encrypted client-side with AES-256-GCM before leaving your machine. The server stores only ciphertext. Keys are derived via HKDF from your credentials.
+
+## More info
+
+See [Context Chest](https://github.com/fuckupic/context-chest) for full documentation.

package/dist/auth.d.ts

@@ -0,0 +1,13 @@
+export interface Credentials {
+    jwt: string;
+    refreshToken?: string;
+    wrappedMasterKey: string;
+    exportKey: string;
+    userId: string;
+    apiUrl: string;
+}
+export declare function loadCredentials(): Credentials | null;
+export declare function saveCredentials(credentials: Credentials): void;
+export declare function clearCredentials(): void;
+export declare function isTokenExpired(jwt: string): boolean;
+export declare function tokenExpiresWithin(jwt: string, marginMs: number): boolean;

package/dist/auth.js

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadCredentials = loadCredentials;
+exports.saveCredentials = saveCredentials;
+exports.clearCredentials = clearCredentials;
+exports.isTokenExpired = isTokenExpired;
+exports.tokenExpiresWithin = tokenExpiresWithin;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const CONFIG_DIR = (0, path_1.join)((0, os_1.homedir)(), '.context-chest');
+const CREDENTIALS_FILE = (0, path_1.join)(CONFIG_DIR, 'credentials.json');
+function loadCredentials() {
+    if (!(0, fs_1.existsSync)(CREDENTIALS_FILE)) {
+        return null;
+    }
+    const raw = (0, fs_1.readFileSync)(CREDENTIALS_FILE, 'utf-8');
+    return JSON.parse(raw);
+}
+function saveCredentials(credentials) {
+    if (!(0, fs_1.existsSync)(CONFIG_DIR)) {
+        (0, fs_1.mkdirSync)(CONFIG_DIR, { recursive: true });
+    }
+    (0, fs_1.writeFileSync)(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), { mode: 0o600 });
+}
+function clearCredentials() {
+    if ((0, fs_1.existsSync)(CREDENTIALS_FILE)) {
+        (0, fs_1.writeFileSync)(CREDENTIALS_FILE, '', { mode: 0o600 });
+    }
+}
+function isTokenExpired(jwt) {
+    try {
+        const payload = JSON.parse(Buffer.from(jwt.split('.')[1], 'base64').toString());
+        return Date.now() >= payload.exp * 1000;
+    }
+    catch {
+        return true;
+    }
+}
+function tokenExpiresWithin(jwt, marginMs) {
+    try {
+        const payload = JSON.parse(Buffer.from(jwt.split('.')[1], 'base64').toString());
+        return Date.now() >= (payload.exp * 1000) - marginMs;
+    }
+    catch {
+        return true;
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,150 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const readline_1 = require("readline");
+const auth_1 = require("./auth");
+const crypto_1 = require("./crypto");
+const config_1 = require("./config");
+function prompt(question, hidden = false) {
+    return new Promise((resolve) => {
+        const rl = (0, readline_1.createInterface)({ input: process.stdin, output: process.stdout });
+        if (hidden) {
+            process.stdout.write(question);
+            let input = '';
+            process.stdin.setRawMode?.(true);
+            process.stdin.resume();
+            process.stdin.setEncoding('utf-8');
+            const onData = (char) => {
+                if (char === '\n' || char === '\r') {
+                    process.stdin.setRawMode?.(false);
+                    process.stdin.removeListener('data', onData);
+                    process.stdout.write('\n');
+                    rl.close();
+                    resolve(input);
+                }
+                else if (char === '\u0003') {
+                    process.exit(0);
+                }
+                else if (char === '\u007F') {
+                    input = input.slice(0, -1);
+                }
+                else {
+                    input += char;
+                }
+            };
+            process.stdin.on('data', onData);
+        }
+        else {
+            rl.question(question, (answer) => {
+                rl.close();
+                resolve(answer.trim());
+            });
+        }
+    });
+}
+async function login() {
+    console.log('\n  Context Chest — Login\n');
+    const apiUrl = await prompt(`  API URL [${config_1.DEFAULT_API_URL}]: `);
+    const baseUrl = apiUrl || config_1.DEFAULT_API_URL;
+    const email = await prompt('  Email: ');
+    const password = await prompt('  Password: ', true);
+    if (!email || !password) {
+        console.error('  Email and password required.');
+        process.exit(1);
+    }
+    console.log('\n  Authenticating...');
+    const loginRes = await fetch(`${baseUrl}/v1/auth/login`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email, password }),
+    });
+    if (!loginRes.ok) {
+        const err = await loginRes.json().catch(() => ({ message: `HTTP ${loginRes.status}` }));
+        console.error(`  Login failed: ${err.message}`);
+        process.exit(1);
+    }
+    const loginData = (await loginRes.json());
+    // Fetch or create master key
+    const authedHeaders = {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${loginData.token}`,
+    };
+    const mkRes = await fetch(`${baseUrl}/v1/auth/master-key`, { headers: authedHeaders });
+    let masterKeyHex;
+    if (mkRes.ok) {
+        // Existing user — unwrap master key to verify it works
+        const mkData = (await mkRes.json());
+        const exportKeyBuf = Buffer.from(loginData.exportKey, 'hex');
+        const wrappingKey = (0, crypto_1.deriveWrappingKey)(exportKeyBuf, loginData.userId);
+        try {
+            const mk = (0, crypto_1.unwrapMasterKey)(mkData.encryptedMasterKey, wrappingKey);
+            masterKeyHex = mk.toString('hex');
+        }
+        catch {
+            console.error('  Failed to unwrap master key. Wrong password?');
+            process.exit(1);
+        }
+    }
+    else {
+        // New user — generate and upload master key
+        console.log('  Generating master key...');
+        const mk = (0, crypto_1.generateMasterKey)();
+        const exportKeyBuf = Buffer.from(loginData.exportKey, 'hex');
+        const wrappingKey = (0, crypto_1.deriveWrappingKey)(exportKeyBuf, loginData.userId);
+        const wrapped = (0, crypto_1.wrapMasterKey)(mk, wrappingKey);
+        const putRes = await fetch(`${baseUrl}/v1/auth/master-key`, {
+            method: 'PUT',
+            headers: authedHeaders,
+            body: JSON.stringify({ encryptedMasterKey: wrapped }),
+        });
+        if (!putRes.ok) {
+            console.error('  Failed to store master key.');
+            process.exit(1);
+        }
+        masterKeyHex = mk.toString('hex');
+    }
+    // Fetch wrapped MK for storage
+    const wrappedRes = await fetch(`${baseUrl}/v1/auth/master-key`, { headers: authedHeaders });
+    const wrappedData = (await wrappedRes.json());
+    (0, auth_1.saveCredentials)({
+        jwt: loginData.token,
+        refreshToken: loginData.refreshToken,
+        wrappedMasterKey: wrappedData.encryptedMasterKey,
+        exportKey: loginData.exportKey,
+        userId: loginData.userId,
+        apiUrl: baseUrl,
+    });
+    console.log(`  Logged in as ${email}`);
+    console.log(`  Credentials saved to ~/.context-chest/credentials.json`);
+    console.log(`  API: ${baseUrl}\n`);
+    console.log('  Now add to your Claude Code / Cursor MCP config:');
+    console.log(`
+  {
+    "mcpServers": {
+      "context-chest": {
+        "command": "npx",
+        "args": ["@context-chest/mcp-server"]
+      }
+    }
+  }
+  `);
+}
+const command = process.argv[2];
+if (command === 'login') {
+    login().catch((err) => {
+        console.error(`  Error: ${err.message}`);
+        process.exit(1);
+    });
+}
+else {
+    console.log(`
+  Context Chest CLI
+
+  Commands:
+    context-chest login    Authenticate and save credentials
+
+  Usage:
+    npx @context-chest/mcp-server login
+  `);
+}
+//# sourceMappingURL=cli.js.map

package/dist/client.d.ts

@@ -0,0 +1,92 @@
+interface ClientConfig {
+    baseUrl: string;
+    token: string;
+    refreshToken?: string;
+}
+interface RememberInput {
+    uri: string;
+    l0: string;
+    l1: string;
+    encryptedL2: string;
+    sha256: string;
+}
+interface RecallResult {
+    data: Array<{
+        uri: string;
+        l0: string;
+        l1: string;
+        score: number;
+    }>;
+    meta: {
+        total: number;
+        page: number;
+        limit: number;
+    };
+}
+interface SessionMemory {
+    uri: string;
+    l0: string;
+    l1: string;
+    encryptedL2: string;
+    sha256: string;
+}
+export declare class ContextChestClient {
+    private readonly baseUrl;
+    private token;
+    private refreshToken;
+    private refreshing;
+    constructor(config: ClientConfig);
+    setToken(token: string): void;
+    setRefreshToken(refreshToken: string): void;
+    private headers;
+    private ensureFreshToken;
+    private doRefresh;
+    private request;
+    private requestBinary;
+    remember(input: RememberInput): Promise<{
+        success: boolean;
+        data: {
+            uri: string;
+            createdAt: string;
+        };
+    }>;
+    recall(query: string, limit: number, offset: number): Promise<{
+        success: boolean;
+    } & RecallResult>;
+    getContent(uri: string): Promise<Buffer>;
+    forget(uri: string): Promise<void>;
+    browse(path?: string, depth?: number): Promise<{
+        success: boolean;
+        data: {
+            tree: unknown[];
+        };
+    }>;
+    createSession(clientId?: string): Promise<{
+        success: boolean;
+        data: {
+            id: string;
+        };
+    }>;
+    appendMessage(sessionId: string, input: {
+        role: string;
+        encryptedContent: string;
+        l0Summary: string;
+        sha256: string;
+    }): Promise<{
+        success: boolean;
+        data: {
+            messageIndex: number;
+        };
+    }>;
+    closeSession(sessionId: string, memories: SessionMemory[]): Promise<{
+        success: boolean;
+        data: {
+            memoriesExtracted: number;
+        };
+    }>;
+    putMasterKey(encryptedMasterKey: string): Promise<{
+        success: boolean;
+    }>;
+    getMasterKey(): Promise<string>;
+}
+export {};

package/dist/client.js

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ContextChestClient = void 0;
+const auth_1 = require("./auth");
+const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 min before expiry
+class ContextChestClient {
+    baseUrl;
+    token;
+    refreshToken;
+    refreshing = null;
+    constructor(config) {
+        this.baseUrl = config.baseUrl;
+        this.token = config.token;
+        this.refreshToken = config.refreshToken;
+    }
+    setToken(token) {
+        this.token = token;
+    }
+    setRefreshToken(refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+    headers() {
+        return {
+            'Content-Type': 'application/json',
+            Authorization: `Bearer ${this.token}`,
+            'X-Agent-Name': 'Claude Code',
+        };
+    }
+    async ensureFreshToken() {
+        if (!this.refreshToken)
+            return;
+        if (!(0, auth_1.tokenExpiresWithin)(this.token, REFRESH_MARGIN_MS))
+            return;
+        // Deduplicate concurrent refresh calls
+        if (this.refreshing) {
+            await this.refreshing;
+            return;
+        }
+        this.refreshing = this.doRefresh();
+        try {
+            await this.refreshing;
+        }
+        finally {
+            this.refreshing = null;
+        }
+    }
+    async doRefresh() {
+        try {
+            const response = await fetch(`${this.baseUrl}/v1/auth/refresh`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ refreshToken: this.refreshToken }),
+            });
+            if (!response.ok) {
+                process.stderr.write(`[context-chest] Token refresh failed: HTTP ${response.status}\n`);
+                return;
+            }
+            const data = (await response.json());
+            this.token = data.token;
+            this.refreshToken = data.refreshToken;
+            // Persist the new tokens to credentials file
+            const creds = (0, auth_1.loadCredentials)();
+            if (creds) {
+                (0, auth_1.saveCredentials)({
+                    ...creds,
+                    jwt: data.token,
+                    refreshToken: data.refreshToken,
+                });
+            }
+            process.stderr.write('[context-chest] Token refreshed successfully\n');
+        }
+        catch (err) {
+            process.stderr.write(`[context-chest] Token refresh error: ${err.message}\n`);
+        }
+    }
+    async request(method, path, body) {
+        await this.ensureFreshToken();
+        const response = await fetch(`${this.baseUrl}${path}`, {
+            method,
+            headers: this.headers(),
+            body: body ? JSON.stringify(body) : undefined,
+        });
+        // If we get a 401, try one refresh and retry
+        if (response.status === 401 && this.refreshToken) {
+            await this.doRefresh();
+            const retry = await fetch(`${this.baseUrl}${path}`, {
+                method,
+                headers: this.headers(),
+                body: body ? JSON.stringify(body) : undefined,
+            });
+            if (!retry.ok) {
+                const error = await retry.json().catch(() => ({ code: 'UNKNOWN', message: `HTTP ${retry.status}` }));
+                throw new Error(error.code ?? `HTTP ${retry.status}`);
+            }
+            if (retry.status === 204)
+                return undefined;
+            return retry.json();
+        }
+        if (!response.ok) {
+            const error = await response.json().catch(() => ({ code: 'UNKNOWN', message: `HTTP ${response.status}` }));
+            throw new Error(error.code ?? `HTTP ${response.status}`);
+        }
+        if (response.status === 204) {
+            return undefined;
+        }
+        return response.json();
+    }
+    async requestBinary(path) {
+        await this.ensureFreshToken();
+        const response = await fetch(`${this.baseUrl}${path}`, {
+            method: 'GET',
+            headers: { Authorization: `Bearer ${this.token}`, 'X-Agent-Name': 'Claude Code' },
+        });
+        if (!response.ok) {
+            const error = await response.json().catch(() => ({ code: 'UNKNOWN' }));
+            throw new Error(error.code ?? `HTTP ${response.status}`);
+        }
+        const arrayBuf = await response.arrayBuffer();
+        return Buffer.from(arrayBuf);
+    }
+    async remember(input) {
+        return this.request('POST', '/v1/memory/remember', input);
+    }
+    async recall(query, limit, offset) {
+        return this.request('POST', '/v1/memory/recall', { query, limit, offset });
+    }
+    async getContent(uri) {
+        return this.requestBinary(`/v1/memory/content/${uri}`);
+    }
+    async forget(uri) {
+        return this.request('DELETE', `/v1/memory/forget/${uri}`);
+    }
+    async browse(path = '', depth = 2) {
+        return this.request('GET', `/v1/memory/browse?path=${encodeURIComponent(path)}&depth=${depth}`);
+    }
+    async createSession(clientId) {
+        return this.request('POST', '/v1/sessions', clientId ? { clientId } : {});
+    }
+    async appendMessage(sessionId, input) {
+        return this.request('POST', `/v1/sessions/${sessionId}/messages`, input);
+    }
+    async closeSession(sessionId, memories) {
+        return this.request('POST', `/v1/sessions/${sessionId}/close`, { memories });
+    }
+    async putMasterKey(encryptedMasterKey) {
+        return this.request('PUT', '/v1/auth/master-key', { encryptedMasterKey });
+    }
+    async getMasterKey() {
+        const result = await this.request('GET', '/v1/auth/master-key');
+        return result.encryptedMasterKey;
+    }
+}
+exports.ContextChestClient = ContextChestClient;
+//# sourceMappingURL=client.js.map

package/dist/config.d.ts

@@ -0,0 +1 @@
+export declare const DEFAULT_API_URL = "https://api-production-e2cd6.up.railway.app";

package/dist/config.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_API_URL = void 0;
+exports.DEFAULT_API_URL = 'https://api-production-e2cd6.up.railway.app';
+//# sourceMappingURL=config.js.map

package/dist/crypto.d.ts

@@ -0,0 +1,8 @@
+export declare function generateMasterKey(): Buffer;
+export declare function deriveWrappingKey(exportKey: Buffer, userId: string): Buffer;
+export declare function deriveItemKey(masterKey: Buffer, uri: string): Buffer;
+export declare function wrapMasterKey(masterKey: Buffer, wrappingKey: Buffer): string;
+export declare function unwrapMasterKey(wrapped: string, wrappingKey: Buffer): Buffer;
+export declare function encryptL2(masterKey: Buffer, uri: string, plaintext: Buffer): string;
+export declare function decryptL2(masterKey: Buffer, uri: string, encryptedBase64: string): Buffer;
+export declare function sha256(data: Buffer): string;

package/dist/crypto.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateMasterKey = generateMasterKey;
+exports.deriveWrappingKey = deriveWrappingKey;
+exports.deriveItemKey = deriveItemKey;
+exports.wrapMasterKey = wrapMasterKey;
+exports.unwrapMasterKey = unwrapMasterKey;
+exports.encryptL2 = encryptL2;
+exports.decryptL2 = decryptL2;
+exports.sha256 = sha256;
+const crypto_1 = require("crypto");
+const HKDF_HASH = 'sha256';
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+function generateMasterKey() {
+    return (0, crypto_1.randomBytes)(KEY_LENGTH);
+}
+function deriveWrappingKey(exportKey, userId) {
+    return Buffer.from((0, crypto_1.hkdfSync)(HKDF_HASH, exportKey, userId, 'context-chest-mk-wrap', KEY_LENGTH));
+}
+function deriveItemKey(masterKey, uri) {
+    return Buffer.from((0, crypto_1.hkdfSync)(HKDF_HASH, masterKey, uri, 'context-chest-l2', KEY_LENGTH));
+}
+function wrapMasterKey(masterKey, wrappingKey) {
+    const iv = (0, crypto_1.randomBytes)(IV_LENGTH);
+    const cipher = (0, crypto_1.createCipheriv)('aes-256-gcm', wrappingKey, iv);
+    const encrypted = Buffer.concat([cipher.update(masterKey), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([iv, encrypted, authTag]).toString('base64');
+}
+function unwrapMasterKey(wrapped, wrappingKey) {
+    const data = Buffer.from(wrapped, 'base64');
+    const iv = data.subarray(0, IV_LENGTH);
+    const authTag = data.subarray(data.length - AUTH_TAG_LENGTH);
+    const ciphertext = data.subarray(IV_LENGTH, data.length - AUTH_TAG_LENGTH);
+    const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', wrappingKey, iv);
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+function encryptL2(masterKey, uri, plaintext) {
+    const itemKey = deriveItemKey(masterKey, uri);
+    const iv = (0, crypto_1.randomBytes)(IV_LENGTH);
+    const cipher = (0, crypto_1.createCipheriv)('aes-256-gcm', itemKey, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([iv, encrypted, authTag]).toString('base64');
+}
+function decryptL2(masterKey, uri, encryptedBase64) {
+    const itemKey = deriveItemKey(masterKey, uri);
+    const data = Buffer.from(encryptedBase64, 'base64');
+    const iv = data.subarray(0, IV_LENGTH);
+    const authTag = data.subarray(data.length - AUTH_TAG_LENGTH);
+    const ciphertext = data.subarray(IV_LENGTH, data.length - AUTH_TAG_LENGTH);
+    const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', itemKey, iv);
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+function sha256(data) {
+    return (0, crypto_1.createHash)('sha256').update(data).digest('hex');
+}
+//# sourceMappingURL=crypto.js.map

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,160 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const client_1 = require("./client");
+const auth_1 = require("./auth");
+const crypto_1 = require("./crypto");
+const summarizer_1 = require("./summarizer");
+const config_1 = require("./config");
+const remember_1 = require("./tools/remember");
+const recall_1 = require("./tools/recall");
+const read_1 = require("./tools/read");
+const forget_1 = require("./tools/forget");
+const browse_1 = require("./tools/browse");
+const session_start_1 = require("./tools/session-start");
+const session_append_1 = require("./tools/session-append");
+const session_save_1 = require("./tools/session-save");
+const server = new mcp_js_1.McpServer({
+    name: 'context-chest',
+    version: '0.1.0',
+});
+let client = null;
+let masterKey = null;
+function ensureInitialized() {
+    if (!client || !masterKey) {
+        throw new Error('Not authenticated. Run `context-chest login` first, or set credentials in ~/.context-chest/credentials.json');
+    }
+    return { client, masterKey };
+}
+async function generateSummaries(content, uri) {
+    // Generate safe, vague labels — never leak actual content
+    const path = uri ?? 'memory';
+    const segments = path.split('/').filter(Boolean);
+    const category = segments[0] ?? 'general';
+    const topic = segments.slice(1).join(' / ') || 'item';
+    const wordCount = content.split(/\s+/).length;
+    const l0 = (0, summarizer_1.parseL0Response)(`${category}: ${topic}`);
+    const l1 = (0, summarizer_1.parseL1Response)(`Category: ${category}\nTopic: ${topic}\nSize: ~${wordCount} words\nType: encrypted memory`);
+    return { l0, l1 };
+}
+async function generateL0(content, uri) {
+    const { l0 } = await generateSummaries(content, uri);
+    return l0;
+}
+server.tool('context-chest_remember', 'Store a memory in your encrypted vault', remember_1.rememberSchema.shape, async (params) => {
+    const ctx = ensureInitialized();
+    const result = await (0, remember_1.handleRemember)(params, ctx.client, ctx.masterKey, generateSummaries);
+    return { content: [{ type: 'text', text: result }] };
+});
+server.tool('context-chest_recall', 'Search your memories', recall_1.recallSchema.shape, async (params) => {
+    const ctx = ensureInitialized();
+    const result = await (0, recall_1.handleRecall)(params, ctx.client);
+    return { content: [{ type: 'text', text: result }] };
+});
+server.tool('context-chest_read', 'Read full content of a memory', read_1.readSchema.shape, async (params) => {
+    const ctx = ensureInitialized();
+    const result = await (0, read_1.handleRead)(params, ctx.client, ctx.masterKey);
+    return { content: [{ type: 'text', text: result }] };
+});
+server.tool('context-chest_forget', 'Delete a memory', forget_1.forgetSchema.shape, async (params) => {
+    const ctx = ensureInitialized();
+    const result = await (0, forget_1.handleForget)(params, ctx.client);
+    return { content: [{ type: 'text', text: result }] };
+});
+server.tool('context-chest_browse', 'Browse your memory directory', browse_1.browseSchema.shape, async (params) => {
+    const ctx = ensureInitialized();
+    const result = await (0, browse_1.handleBrowse)(params, ctx.client);
+    return { content: [{ type: 'text', text: result }] };
+});
+server.tool('context-chest_session-start', 'Start tracking this conversation', {}, async () => {
+    const ctx = ensureInitialized();
+    const result = await (0, session_start_1.handleSessionStart)(ctx.client);
+    return { content: [{ type: 'text', text: result }] };
+});
+server.tool('context-chest_session-append', 'Add a message to current session', session_append_1.sessionAppendSchema.shape, async (params) => {
+    const ctx = ensureInitialized();
+    const result = await (0, session_append_1.handleSessionAppend)(params, ctx.client, ctx.masterKey, generateL0);
+    return { content: [{ type: 'text', text: result }] };
+});
+server.tool('context-chest_session-save', 'Extract memories and close session', session_save_1.sessionSaveSchema.shape, async (params) => {
+    const ctx = ensureInitialized();
+    const result = await (0, session_save_1.handleSessionSave)(params, ctx.client, ctx.masterKey, generateSummaries);
+    return { content: [{ type: 'text', text: result }] };
+});
+async function refreshAndInit(apiUrl, refreshToken, creds) {
+    try {
+        const response = await fetch(`${apiUrl}/v1/auth/refresh`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ refreshToken }),
+        });
+        if (!response.ok) {
+            process.stderr.write(`[context-chest] Refresh failed: HTTP ${response.status}\n`);
+            return false;
+        }
+        const data = (await response.json());
+        // Update credentials on disk
+        if (creds) {
+            (0, auth_1.saveCredentials)({
+                ...creds,
+                jwt: data.token,
+                refreshToken: data.refreshToken,
+            });
+        }
+        client = new client_1.ContextChestClient({
+            baseUrl: apiUrl,
+            token: data.token,
+            refreshToken: data.refreshToken,
+        });
+        process.stderr.write('[context-chest] Token refreshed on startup\n');
+        return true;
+    }
+    catch (err) {
+        process.stderr.write(`[context-chest] Refresh error: ${err.message}\n`);
+        return false;
+    }
+}
+async function main() {
+    const creds = (0, auth_1.loadCredentials)();
+    if (creds) {
+        if (!(0, auth_1.isTokenExpired)(creds.jwt)) {
+            // Token is still valid
+            client = new client_1.ContextChestClient({
+                baseUrl: creds.apiUrl || config_1.DEFAULT_API_URL,
+                token: creds.jwt,
+                refreshToken: creds.refreshToken,
+            });
+        }
+        else if (creds.refreshToken) {
+            // JWT expired but we have a refresh token — try to refresh
+            const ok = await refreshAndInit(creds.apiUrl || config_1.DEFAULT_API_URL, creds.refreshToken, creds);
+            if (!ok) {
+                process.stderr.write('[context-chest] Could not refresh token. Run context-chest login.\n');
+            }
+        }
+        else {
+            process.stderr.write('[context-chest] Token expired and no refresh token. Run context-chest login.\n');
+        }
+        // Unwrap master key if client is ready
+        if (client && creds.wrappedMasterKey && creds.exportKey && creds.userId) {
+            try {
+                const wrappedMK = await client.getMasterKey();
+                const exportKeyBuf = Buffer.from(creds.exportKey, 'hex');
+                const wrappingKey = (0, crypto_1.deriveWrappingKey)(exportKeyBuf, creds.userId);
+                masterKey = (0, crypto_1.unwrapMasterKey)(wrappedMK, wrappingKey);
+            }
+            catch (err) {
+                process.stderr.write(`[context-chest] MK unwrap failed: ${err.message}\n`);
+            }
+        }
+    }
+    else {
+        process.stderr.write('[context-chest] No credentials found. Run context-chest login first.\n');
+    }
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch(console.error);
+//# sourceMappingURL=index.js.map

package/dist/summarizer.d.ts

@@ -0,0 +1,4 @@
+export declare function buildL0Prompt(content: string): string;
+export declare function buildL1Prompt(content: string): string;
+export declare function parseL0Response(response: string): string;
+export declare function parseL1Response(response: string): string;

package/dist/summarizer.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildL0Prompt = buildL0Prompt;
+exports.buildL1Prompt = buildL1Prompt;
+exports.parseL0Response = parseL0Response;
+exports.parseL1Response = parseL1Response;
+const MAX_INPUT_LENGTH = 5000;
+const MAX_L0_LENGTH = 500;
+const MAX_L1_LENGTH = 10000;
+function buildL0Prompt(content) {
+    const truncated = content.slice(0, MAX_INPUT_LENGTH);
+    return `Summarize the following content in one sentence. Be generic — no secrets, no PII, no specific values, no API keys, no passwords. Focus on topic and type only.
+
+Content:
+${truncated}
+
+Respond with ONLY the one-sentence summary, nothing else.`;
+}
+function buildL1Prompt(content) {
+    const truncated = content.slice(0, MAX_INPUT_LENGTH);
+    return `Create a structured overview of the following content. Include: topic, key concepts, entities mentioned (generic names OK), and type of content. Do NOT include specific values, credentials, code secrets, or personal data.
+
+Keep it under 2000 tokens. Use markdown formatting.
+
+Content:
+${truncated}
+
+Respond with ONLY the structured overview, nothing else.`;
+}
+function parseL0Response(response) {
+    return response.trim().slice(0, MAX_L0_LENGTH);
+}
+function parseL1Response(response) {
+    return response.trim().slice(0, MAX_L1_LENGTH);
+}
+//# sourceMappingURL=summarizer.js.map

package/dist/tools/browse.d.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod';
+import { ContextChestClient } from '../client';
+export declare const browseSchema: z.ZodObject<{
+    path: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+}, {
+    path?: string | undefined;
+}>;
+export type BrowseInput = z.infer<typeof browseSchema>;
+export declare function handleBrowse(input: BrowseInput, client: ContextChestClient): Promise<string>;

package/dist/tools/browse.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.browseSchema = void 0;
+exports.handleBrowse = handleBrowse;
+const zod_1 = require("zod");
+exports.browseSchema = zod_1.z.object({
+    path: zod_1.z.string().optional().default('').describe('Directory path to browse'),
+});
+async function handleBrowse(input, client) {
+    const result = await client.browse(input.path);
+    return JSON.stringify(result.data.tree, null, 2);
+}
+//# sourceMappingURL=browse.js.map

package/dist/tools/forget.d.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod';
+import { ContextChestClient } from '../client';
+export declare const forgetSchema: z.ZodObject<{
+    uri: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    uri: string;
+}, {
+    uri: string;
+}>;
+export type ForgetInput = z.infer<typeof forgetSchema>;
+export declare function handleForget(input: ForgetInput, client: ContextChestClient): Promise<string>;

package/dist/tools/forget.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.forgetSchema = void 0;
+exports.handleForget = handleForget;
+const zod_1 = require("zod");
+exports.forgetSchema = zod_1.z.object({
+    uri: zod_1.z.string().min(1).describe('Memory URI to delete'),
+});
+async function handleForget(input, client) {
+    await client.forget(input.uri);
+    return `Deleted memory at ${input.uri}`;
+}
+//# sourceMappingURL=forget.js.map

package/dist/tools/read.d.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod';
+import { ContextChestClient } from '../client';
+export declare const readSchema: z.ZodObject<{
+    uri: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    uri: string;
+}, {
+    uri: string;
+}>;
+export type ReadInput = z.infer<typeof readSchema>;
+export declare function handleRead(input: ReadInput, client: ContextChestClient, masterKey: Buffer): Promise<string>;

package/dist/tools/read.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readSchema = void 0;
+exports.handleRead = handleRead;
+const zod_1 = require("zod");
+const crypto_1 = require("../crypto");
+exports.readSchema = zod_1.z.object({
+    uri: zod_1.z.string().min(1).describe('Memory URI to read'),
+});
+async function handleRead(input, client, masterKey) {
+    const encrypted = await client.getContent(input.uri);
+    const encryptedBase64 = encrypted.toString('base64');
+    const decrypted = (0, crypto_1.decryptL2)(masterKey, input.uri, encryptedBase64);
+    return decrypted.toString('utf-8');
+}
+//# sourceMappingURL=read.js.map

package/dist/tools/recall.d.ts

@@ -0,0 +1,14 @@
+import { z } from 'zod';
+import { ContextChestClient } from '../client';
+export declare const recallSchema: z.ZodObject<{
+    query: z.ZodString;
+    limit: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+}, "strip", z.ZodTypeAny, {
+    query: string;
+    limit: number;
+}, {
+    query: string;
+    limit?: number | undefined;
+}>;
+export type RecallInput = z.infer<typeof recallSchema>;
+export declare function handleRecall(input: RecallInput, client: ContextChestClient): Promise<string>;

package/dist/tools/recall.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.recallSchema = void 0;
+exports.handleRecall = handleRecall;
+const zod_1 = require("zod");
+exports.recallSchema = zod_1.z.object({
+    query: zod_1.z.string().min(1).describe('What to search for'),
+    limit: zod_1.z.number().optional().default(5).describe('Max results'),
+});
+async function handleRecall(input, client) {
+    const result = await client.recall(input.query, input.limit, 0);
+    if (result.data.length === 0) {
+        return 'No memories found matching your query.';
+    }
+    const lines = result.data.map((r, i) => `${i + 1}. [${r.uri}] (score: ${r.score.toFixed(2)})\n   ${r.l0}\n   ${r.l1}`);
+    return `Found ${result.meta.total} memories:\n\n${lines.join('\n\n')}`;
+}
+//# sourceMappingURL=recall.js.map

package/dist/tools/remember.d.ts

@@ -0,0 +1,20 @@
+import { z } from 'zod';
+import { ContextChestClient } from '../client';
+export declare const rememberSchema: z.ZodObject<{
+    content: z.ZodString;
+    path: z.ZodOptional<z.ZodString>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    content: string;
+    path?: string | undefined;
+    tags?: string[] | undefined;
+}, {
+    content: string;
+    path?: string | undefined;
+    tags?: string[] | undefined;
+}>;
+export type RememberInput = z.infer<typeof rememberSchema>;
+export declare function handleRemember(input: RememberInput, client: ContextChestClient, masterKey: Buffer, generateSummaries: (content: string, uri?: string) => Promise<{
+    l0: string;
+    l1: string;
+}>): Promise<string>;

package/dist/tools/remember.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rememberSchema = void 0;
+exports.handleRemember = handleRemember;
+const zod_1 = require("zod");
+const crypto_1 = require("../crypto");
+exports.rememberSchema = zod_1.z.object({
+    content: zod_1.z.string().min(1).describe('The content to remember'),
+    path: zod_1.z.string().optional().describe('Memory path (e.g., "preferences/editor")'),
+    tags: zod_1.z.array(zod_1.z.string()).optional().describe('Tags for categorization'),
+});
+async function handleRemember(input, client, masterKey, generateSummaries) {
+    const uri = input.path ?? `auto/${Date.now()}`;
+    const { l0, l1 } = await generateSummaries(input.content, uri);
+    const plaintext = Buffer.from(input.content, 'utf-8');
+    const encryptedL2 = (0, crypto_1.encryptL2)(masterKey, uri, plaintext);
+    const hash = (0, crypto_1.sha256)(Buffer.from(encryptedL2, 'base64'));
+    const result = await client.remember({ uri, l0, l1, encryptedL2, sha256: hash });
+    return `Remembered at ${result.data.uri}`;
+}
+//# sourceMappingURL=remember.js.map

package/dist/tools/session-append.d.ts

@@ -0,0 +1,17 @@
+import { z } from 'zod';
+import { ContextChestClient } from '../client';
+export declare const sessionAppendSchema: z.ZodObject<{
+    sessionId: z.ZodString;
+    role: z.ZodString;
+    content: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    content: string;
+    sessionId: string;
+    role: string;
+}, {
+    content: string;
+    sessionId: string;
+    role: string;
+}>;
+export type SessionAppendInput = z.infer<typeof sessionAppendSchema>;
+export declare function handleSessionAppend(input: SessionAppendInput, client: ContextChestClient, masterKey: Buffer, generateL0: (content: string, uri?: string) => Promise<string>): Promise<string>;

package/dist/tools/session-append.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sessionAppendSchema = void 0;
+exports.handleSessionAppend = handleSessionAppend;
+const zod_1 = require("zod");
+const crypto_1 = require("../crypto");
+exports.sessionAppendSchema = zod_1.z.object({
+    sessionId: zod_1.z.string().min(1).describe('Session ID'),
+    role: zod_1.z.string().min(1).describe('Message role (user/assistant)'),
+    content: zod_1.z.string().min(1).describe('Message content'),
+});
+async function handleSessionAppend(input, client, masterKey, generateL0) {
+    const l0Summary = await generateL0(input.content, `session/${input.sessionId}`);
+    const plaintext = Buffer.from(input.content, 'utf-8');
+    const encryptedContent = (0, crypto_1.encryptL2)(masterKey, `session-msg-${Date.now()}`, plaintext);
+    const hash = (0, crypto_1.sha256)(Buffer.from(encryptedContent, 'base64'));
+    const result = await client.appendMessage(input.sessionId, {
+        role: input.role,
+        encryptedContent,
+        l0Summary,
+        sha256: hash,
+    });
+    return `Message ${result.data.messageIndex} added to session ${input.sessionId}`;
+}
+//# sourceMappingURL=session-append.js.map

package/dist/tools/session-save.d.ts

@@ -0,0 +1,32 @@
+import { z } from 'zod';
+import { ContextChestClient } from '../client';
+export declare const sessionSaveSchema: z.ZodObject<{
+    sessionId: z.ZodString;
+    memories: z.ZodArray<z.ZodObject<{
+        content: z.ZodString;
+        path: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        content: string;
+        path: string;
+    }, {
+        content: string;
+        path: string;
+    }>, "many">;
+}, "strip", z.ZodTypeAny, {
+    sessionId: string;
+    memories: {
+        content: string;
+        path: string;
+    }[];
+}, {
+    sessionId: string;
+    memories: {
+        content: string;
+        path: string;
+    }[];
+}>;
+export type SessionSaveInput = z.infer<typeof sessionSaveSchema>;
+export declare function handleSessionSave(input: SessionSaveInput, client: ContextChestClient, masterKey: Buffer, generateSummaries: (content: string, uri?: string) => Promise<{
+    l0: string;
+    l1: string;
+}>): Promise<string>;

package/dist/tools/session-save.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sessionSaveSchema = void 0;
+exports.handleSessionSave = handleSessionSave;
+const zod_1 = require("zod");
+const crypto_1 = require("../crypto");
+exports.sessionSaveSchema = zod_1.z.object({
+    sessionId: zod_1.z.string().min(1).describe('Session ID to close'),
+    memories: zod_1.z.array(zod_1.z.object({
+        content: zod_1.z.string().min(1),
+        path: zod_1.z.string().min(1),
+    })).describe('Memories extracted from the conversation'),
+});
+async function handleSessionSave(input, client, masterKey, generateSummaries) {
+    const preparedMemories = await Promise.all(input.memories.map(async (m) => {
+        const { l0, l1 } = await generateSummaries(m.content, m.path);
+        const plaintext = Buffer.from(m.content, 'utf-8');
+        const encryptedL2 = (0, crypto_1.encryptL2)(masterKey, m.path, plaintext);
+        const hash = (0, crypto_1.sha256)(Buffer.from(encryptedL2, 'base64'));
+        return { uri: m.path, l0, l1, encryptedL2, sha256: hash };
+    }));
+    const result = await client.closeSession(input.sessionId, preparedMemories);
+    return `Session closed. ${result.data.memoriesExtracted} memories extracted.`;
+}
+//# sourceMappingURL=session-save.js.map

package/dist/tools/session-start.d.ts

@@ -0,0 +1,2 @@
+import { ContextChestClient } from '../client';
+export declare function handleSessionStart(client: ContextChestClient): Promise<string>;

package/dist/tools/session-start.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleSessionStart = handleSessionStart;
+async function handleSessionStart(client) {
+    const result = await client.createSession();
+    return `Session started: ${result.data.id}`;
+}
+//# sourceMappingURL=session-start.js.map

package/package.json

@@ -0,0 +1,49 @@
+{
+  "name": "context-chest-mcp",
+  "version": "0.1.0",
+  "description": "MCP server for encrypted AI agent memory — remember, recall, browse across sessions",
+  "main": "dist/index.js",
+  "bin": {
+    "context-chest-mcp": "dist/index.js",
+    "context-chest": "dist/cli.js"
+  },
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.d.ts",
+    "README.md"
+  ],
+  "keywords": [
+    "mcp",
+    "ai-memory",
+    "claude",
+    "cursor",
+    "encrypted",
+    "context",
+    "model-context-protocol"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/fuckupic/context-chest.git",
+    "directory": "packages/mcp-server"
+  },
+  "license": "MIT",
+  "scripts": {
+    "build": "tsc",
+    "dev": "ts-node src/index.ts",
+    "test": "jest --no-coverage",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.1",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.11",
+    "@types/node": "^20.10.5",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.1",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.3.3"
+  }
+}