driggsby 0.0.1 → 0.1.2

package/dist/broker/authentication.js

@@ -0,0 +1,49 @@
+import { createHash, randomUUID } from "node:crypto";
+import { importJWK, jwtVerify, SignJWT, } from "jose";
+export function generateLocalAuthToken() {
+    return randomUUID();
+}
+export function hashBrokerPayload(payload) {
+    return createHash("sha256").update(JSON.stringify(payload)).digest("base64url");
+}
+export async function signBrokerProof(claims, privateJwk) {
+    const signingKey = await importPrivateKey(privateJwk);
+    return await new SignJWT({
+        challenge: claims.challenge,
+        payloadSha256: claims.payloadSha256,
+        requestId: claims.requestId,
+        requestMethod: claims.requestMethod,
+    })
+        .setProtectedHeader({ alg: "ES256", typ: "JWT" })
+        .setAudience(claims.aud)
+        .setSubject(claims.sub)
+        .setIssuedAt()
+        .setJti(randomUUID())
+        .sign(signingKey);
+}
+export async function verifyBrokerProof(proof, publicJwk, expected) {
+    try {
+        const verificationKey = await importPublicKey(publicJwk);
+        const { payload } = await jwtVerify(proof, verificationKey, {
+            algorithms: ["ES256"],
+            audience: expected.aud,
+            subject: expected.sub,
+        });
+        return claimsMatch(payload, expected);
+    }
+    catch {
+        return false;
+    }
+}
+async function importPrivateKey(privateJwk) {
+    return await importJWK(privateJwk, "ES256");
+}
+async function importPublicKey(publicJwk) {
+    return await importJWK(publicJwk, "ES256");
+}
+function claimsMatch(payload, expected) {
+    return (payload["challenge"] === expected.challenge &&
+        payload["payloadSha256"] === expected.payloadSha256 &&
+        payload["requestId"] === expected.requestId &&
+        payload["requestMethod"] === expected.requestMethod);
+}

package/dist/broker/client.js

@@ -0,0 +1,148 @@
+import { randomUUID } from "node:crypto";
+import net from "node:net";
+import { readBrokerMetadata, readBrokerLocalAuthToken } from "./installation.js";
+import { decodeResponse, encodeRequest } from "./ipc.js";
+import { hashBrokerPayload, verifyBrokerProof } from "./authentication.js";
+export async function pingBroker(options) {
+    const response = await sendBrokerRequest(options, "ping");
+    if (response?.ok !== true) {
+        return null;
+    }
+    return response.result;
+}
+export async function getBrokerStatus(options) {
+    const response = await sendBrokerRequest(options, "get_status");
+    if (response?.ok !== true) {
+        return null;
+    }
+    return response.result.status;
+}
+export async function shutdownBroker(options) {
+    const response = await sendBrokerRequest(options, "shutdown");
+    return response?.ok === true && response.result.stopped;
+}
+export async function listBrokerTools(options) {
+    const response = await sendBrokerRequest(options, "list_tools");
+    if (response === null) {
+        return null;
+    }
+    if (!response.ok) {
+        throw new Error(response.error);
+    }
+    return response.result;
+}
+export async function callBrokerTool(options, toolName, args) {
+    const response = await sendBrokerRequest(options, "call_tool", {
+        toolName,
+        ...(args === undefined ? {} : { args }),
+    });
+    if (response === null) {
+        return null;
+    }
+    if (!response.ok) {
+        throw new Error(response.error);
+    }
+    return response.result;
+}
+async function sendBrokerRequest(options, method, extraFields) {
+    const metadata = await readBrokerMetadata(options.runtimePaths);
+    if (metadata === null) {
+        return null;
+    }
+    const authToken = await readBrokerLocalAuthToken(options.secretStore, metadata.brokerId);
+    if (authToken === null) {
+        return null;
+    }
+    const challenge = randomUUID();
+    const request = buildBrokerRequest(method, authToken, challenge, extraFields);
+    const response = await new Promise((resolve) => {
+        const socket = net.createConnection(options.runtimePaths.socketPath);
+        let buffer = "";
+        let settled = false;
+        const settle = (value) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            resolve(value);
+        };
+        socket.setEncoding("utf8");
+        socket.setTimeout(1_500);
+        socket.once("connect", () => {
+            socket.write(encodeRequest(request));
+        });
+        socket.on("data", (chunk) => {
+            buffer += chunk;
+            const newlineIndex = buffer.indexOf("\n");
+            if (newlineIndex < 0) {
+                return;
+            }
+            const message = buffer.slice(0, newlineIndex);
+            try {
+                settle(decodeResponse(message));
+            }
+            catch {
+                settle(null);
+            }
+            finally {
+                socket.end();
+            }
+        });
+        socket.once("timeout", () => {
+            settle(null);
+            socket.destroy();
+        });
+        socket.once("error", () => {
+            settle(null);
+        });
+        socket.once("end", () => {
+            if (buffer.length === 0) {
+                settle(null);
+            }
+        });
+    });
+    if (response === null) {
+        return null;
+    }
+    const expectedClaims = buildExpectedClaims(request, response, metadata.brokerId);
+    const proofValid = await verifyBrokerProof(response.brokerProof, metadata.dpop.publicJwk, expectedClaims);
+    return proofValid ? response : null;
+}
+function buildBrokerRequest(method, authToken, challenge, extraFields) {
+    const baseRequest = {
+        authToken,
+        challenge,
+        id: randomUUID(),
+    };
+    if (method === "call_tool") {
+        const toolRequest = {
+            ...baseRequest,
+            method,
+            toolName: extraFields?.toolName ?? "",
+        };
+        if (extraFields?.args !== undefined) {
+            return {
+                ...toolRequest,
+                args: extraFields.args,
+            };
+        }
+        return toolRequest;
+    }
+    return {
+        ...baseRequest,
+        method,
+    };
+}
+function buildExpectedClaims(request, response, brokerId) {
+    const payload = response.ok
+        ? { ok: true, result: response.result }
+        : { ok: false, error: response.error };
+    return {
+        aud: "driggsby-local-shim",
+        challenge: request.challenge,
+        payloadSha256: hashBrokerPayload(payload),
+        requestId: request.id,
+        requestMethod: request.method,
+        sub: brokerId,
+    };
+}

package/dist/broker/daemon.js

@@ -0,0 +1,64 @@
+import { buildBrokerStatus, ensureBrokerInstallation, readBrokerDpopKeyPair, readBrokerLocalAuthToken, readBrokerPrivateJwk, } from "./installation.js";
+import { BrokerRemoteSessionManager } from "./remote-session.js";
+import { callRemoteTool, listRemoteTools } from "./remote-mcp.js";
+import { KeyringSecretStore } from "./secret-store.js";
+import { LocalBrokerServer } from "./server.js";
+export async function runBrokerDaemon(runtimePaths) {
+    const secretStore = new KeyringSecretStore();
+    const metadata = await ensureBrokerInstallation(runtimePaths, secretStore);
+    const localAuthToken = await readRequiredLocalAuthToken(secretStore, metadata.brokerId);
+    const privateJwk = await readRequiredPrivateJwk(secretStore, metadata.brokerId);
+    const dpopKeyPair = await readRequiredDpopKeyPair(runtimePaths, secretStore, metadata.brokerId);
+    const remoteSessionManager = new BrokerRemoteSessionManager({
+        brokerId: metadata.brokerId,
+        runtimePaths,
+        secretStore,
+    });
+    const server = new LocalBrokerServer({
+        brokerId: metadata.brokerId,
+        callTool: async (toolName, args) => {
+            const session = await remoteSessionManager.ensureFreshSession();
+            return await callRemoteTool(session, dpopKeyPair, toolName, args);
+        },
+        localAuthToken,
+        listTools: async () => {
+            const session = await remoteSessionManager.ensureFreshSession();
+            return await listRemoteTools(session, dpopKeyPair);
+        },
+        privateJwk,
+        runtimePaths,
+        statusProvider: async () => await buildBrokerStatus(runtimePaths, secretStore, true),
+    });
+    await server.listen();
+    await new Promise((resolve, reject) => {
+        const shutdown = () => {
+            void server
+                .close()
+                .then(resolve)
+                .catch(reject);
+        };
+        process.once("SIGINT", shutdown);
+        process.once("SIGTERM", shutdown);
+    });
+}
+async function readRequiredLocalAuthToken(secretStore, brokerId) {
+    const localAuthToken = await readBrokerLocalAuthToken(secretStore, brokerId);
+    if (localAuthToken === null) {
+        throw new Error("The local broker auth state is incomplete. Run `npx -y driggsby login` again.");
+    }
+    return localAuthToken;
+}
+async function readRequiredPrivateJwk(secretStore, brokerId) {
+    const privateJwkRaw = await readBrokerPrivateJwk(secretStore, brokerId);
+    if (privateJwkRaw === null) {
+        throw new Error("The local broker signing key is missing. Run `npx -y driggsby login` again.");
+    }
+    return JSON.parse(privateJwkRaw);
+}
+async function readRequiredDpopKeyPair(runtimePaths, secretStore, brokerId) {
+    const dpopKeyPair = await readBrokerDpopKeyPair(runtimePaths, secretStore, brokerId);
+    if (dpopKeyPair === null) {
+        throw new Error("The local broker DPoP key is missing. Run `npx -y driggsby login` again.");
+    }
+    return dpopKeyPair;
+}

package/dist/broker/installation.js

@@ -0,0 +1,142 @@
+import { randomUUID } from "node:crypto";
+import { promises as fs } from "node:fs";
+import { generateDpopKeyMaterial } from "../auth/dpop.js";
+import { readJsonFile, removeFileIfPresent, writeJsonFile } from "../lib/json-file.js";
+import { generateLocalAuthToken } from "./authentication.js";
+import { inspectRemoteSessionReadiness } from "./remote-session.js";
+import { clearBrokerRemoteSession, readBrokerRemoteSession, } from "./session.js";
+const LOCAL_AUTH_TOKEN_ACCOUNT_SUFFIX = "local-auth-token";
+const PRIVATE_KEY_ACCOUNT_SUFFIX = "dpop-private-jwk";
+export async function ensureBrokerInstallation(runtimePaths, secretStore) {
+    const readiness = await inspectBrokerReadiness(runtimePaths, secretStore);
+    if (readiness.installed && readiness.privateKeyPresent) {
+        const metadata = await readBrokerMetadata(runtimePaths);
+        if (metadata !== null) {
+            return metadata;
+        }
+    }
+    const brokerId = randomUUID();
+    const dpop = await generateDpopKeyMaterial();
+    const metadata = {
+        schemaVersion: 1,
+        brokerId,
+        createdAt: new Date().toISOString(),
+        dpop: {
+            algorithm: dpop.algorithm,
+            publicJwk: dpop.publicJwk,
+            thumbprint: dpop.thumbprint,
+        },
+    };
+    await secretStore.setSecret(localAuthTokenAccountName(brokerId), generateLocalAuthToken());
+    await secretStore.setSecret(privateKeyAccountName(brokerId), JSON.stringify(dpop.privateJwk));
+    await writeJsonFile(runtimePaths.metadataPath, metadata);
+    return metadata;
+}
+export async function inspectBrokerReadiness(runtimePaths, secretStore) {
+    const metadata = await readBrokerMetadata(runtimePaths);
+    if (metadata === null) {
+        return {
+            installed: false,
+            localAuthTokenPresent: false,
+            privateKeyPresent: false,
+            remoteSessionPresent: false,
+        };
+    }
+    const localAuthTokenPresent = (await secretStore.getSecret(localAuthTokenAccountName(metadata.brokerId))) !== null;
+    const privateKeyPresent = (await secretStore.getSecret(privateKeyAccountName(metadata.brokerId))) !== null;
+    const remoteSessionPresent = (await readBrokerRemoteSession(secretStore, metadata.brokerId)) !== null;
+    return {
+        installed: localAuthTokenPresent && privateKeyPresent,
+        brokerId: metadata.brokerId,
+        dpopThumbprint: metadata.dpop.thumbprint,
+        localAuthTokenPresent,
+        privateKeyPresent,
+        remoteSessionPresent,
+    };
+}
+export async function buildBrokerStatus(runtimePaths, secretStore, brokerRunning) {
+    const readiness = await inspectBrokerReadiness(runtimePaths, secretStore);
+    const remoteReadiness = readiness.brokerId === undefined
+        ? {
+            connected: false,
+            ready: false,
+        }
+        : await inspectRemoteSessionReadiness({
+            brokerId: readiness.brokerId,
+            runtimePaths,
+            secretStore,
+        });
+    const status = {
+        installed: readiness.installed && readiness.privateKeyPresent,
+        brokerRunning,
+        remoteMcpReady: remoteReadiness.ready,
+        socketPath: runtimePaths.socketPath,
+    };
+    if (readiness.brokerId !== undefined) {
+        Object.assign(status, { brokerId: readiness.brokerId });
+    }
+    if (readiness.dpopThumbprint !== undefined) {
+        Object.assign(status, { dpopThumbprint: readiness.dpopThumbprint });
+    }
+    if (remoteReadiness.session !== undefined) {
+        Object.assign(status, {
+            remoteSession: remoteReadiness.session,
+        });
+    }
+    return status;
+}
+export async function clearBrokerInstallation(runtimePaths, secretStore) {
+    const metadata = await readBrokerMetadata(runtimePaths);
+    if (metadata !== null) {
+        await clearBrokerRemoteSession(secretStore, metadata.brokerId);
+        await secretStore.deleteSecret(localAuthTokenAccountName(metadata.brokerId));
+        await secretStore.deleteSecret(privateKeyAccountName(metadata.brokerId));
+    }
+    await removeFileIfPresent(runtimePaths.metadataPath);
+    if (process.platform !== "win32") {
+        await removeFileIfPresent(runtimePaths.socketPath);
+    }
+    await removeEmptyDirectory(runtimePaths.configDir);
+    await removeEmptyDirectory(runtimePaths.stateDir);
+}
+export async function readBrokerMetadata(runtimePaths) {
+    return await readJsonFile(runtimePaths.metadataPath);
+}
+export async function readBrokerLocalAuthToken(secretStore, brokerId) {
+    return await secretStore.getSecret(localAuthTokenAccountName(brokerId));
+}
+export async function readBrokerPrivateJwk(secretStore, brokerId) {
+    return await secretStore.getSecret(privateKeyAccountName(brokerId));
+}
+export async function readBrokerDpopKeyPair(runtimePaths, secretStore, brokerId) {
+    const metadata = await readBrokerMetadata(runtimePaths);
+    if (metadata?.brokerId !== brokerId) {
+        return null;
+    }
+    const privateJwkRaw = await readBrokerPrivateJwk(secretStore, brokerId);
+    if (privateJwkRaw === null) {
+        return null;
+    }
+    return {
+        privateJwk: JSON.parse(privateJwkRaw),
+        publicJwk: metadata.dpop.publicJwk,
+    };
+}
+function localAuthTokenAccountName(brokerId) {
+    return `${brokerId}:${LOCAL_AUTH_TOKEN_ACCOUNT_SUFFIX}`;
+}
+function privateKeyAccountName(brokerId) {
+    return `${brokerId}:${PRIVATE_KEY_ACCOUNT_SUFFIX}`;
+}
+async function removeEmptyDirectory(directoryPath) {
+    try {
+        await fs.rmdir(directoryPath);
+    }
+    catch (error) {
+        if (!(error instanceof Error) ||
+            !("code" in error) ||
+            (error.code !== "ENOENT" && error.code !== "ENOTEMPTY")) {
+            throw error;
+        }
+    }
+}

package/dist/broker/ipc.js

@@ -0,0 +1,12 @@
+export function encodeRequest(request) {
+    return `${JSON.stringify(request)}\n`;
+}
+export function decodeResponse(raw) {
+    return JSON.parse(raw);
+}
+export function decodeRequest(raw) {
+    return JSON.parse(raw);
+}
+export function encodeResponse(response) {
+    return `${JSON.stringify(response)}\n`;
+}

package/dist/broker/launch.js

@@ -0,0 +1,34 @@
+import { spawn } from "node:child_process";
+import { setTimeout as sleep } from "node:timers/promises";
+import { getBrokerStatus, pingBroker } from "./client.js";
+export async function ensureBrokerRunning(options) {
+    if ((await pingBroker({
+        runtimePaths: options.runtimePaths,
+        secretStore: options.secretStore,
+    })) !== null) {
+        return;
+    }
+    spawnBrokerDaemon(options.entrypointPath);
+    const started = await waitForBroker(options.runtimePaths, options.secretStore, 4_000);
+    if (!started) {
+        throw new Error("The local Driggsby broker did not start cleanly. Try `npx -y driggsby login` again.");
+    }
+}
+export async function waitForBroker(runtimePaths, secretStore, timeoutMs) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        if ((await getBrokerStatus({ runtimePaths, secretStore })) !== null) {
+            return true;
+        }
+        await sleep(100);
+    }
+    return false;
+}
+function spawnBrokerDaemon(entrypointPath) {
+    const child = spawn(process.execPath, [...process.execArgv, entrypointPath, "broker-daemon"], {
+        detached: true,
+        stdio: "ignore",
+        windowsHide: true,
+    });
+    child.unref();
+}

package/dist/broker/lock.js

@@ -0,0 +1,84 @@
+import { promises as fs } from "node:fs";
+export async function acquireBrokerLock(lockPath) {
+    const initialHandle = await tryOpenExclusive(lockPath);
+    if (initialHandle !== null) {
+        return await createLease(lockPath, initialHandle);
+    }
+    if (!(await removeStaleLock(lockPath))) {
+        return null;
+    }
+    const recoveredHandle = await tryOpenExclusive(lockPath);
+    if (recoveredHandle === null) {
+        return null;
+    }
+    return await createLease(lockPath, recoveredHandle);
+}
+async function createLease(lockPath, handle) {
+    let released = false;
+    await handle.truncate(0);
+    await handle.writeFile(JSON.stringify({ pid: process.pid }));
+    return {
+        async release() {
+            if (released) {
+                return;
+            }
+            released = true;
+            await handle.close();
+            await removeFileIfPresent(lockPath);
+        },
+    };
+}
+async function tryOpenExclusive(lockPath) {
+    try {
+        return await fs.open(lockPath, "wx", 0o600);
+    }
+    catch (error) {
+        if (isErrnoException(error) && error.code === "EEXIST") {
+            return null;
+        }
+        throw error;
+    }
+}
+async function removeStaleLock(lockPath) {
+    const stalePid = await readLockPid(lockPath);
+    if (stalePid === null || processAlive(stalePid)) {
+        return false;
+    }
+    await removeFileIfPresent(lockPath);
+    return true;
+}
+async function readLockPid(lockPath) {
+    try {
+        const contents = await fs.readFile(lockPath, "utf8");
+        const parsed = JSON.parse(contents);
+        return typeof parsed.pid === "number" ? parsed.pid : null;
+    }
+    catch (error) {
+        if (isErrnoException(error) && error.code === "ENOENT") {
+            return null;
+        }
+        return null;
+    }
+}
+function processAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function removeFileIfPresent(filePath) {
+    try {
+        await fs.rm(filePath);
+    }
+    catch (error) {
+        if (!(isErrnoException(error) && error.code === "ENOENT")) {
+            throw error;
+        }
+    }
+}
+function isErrnoException(error) {
+    return error instanceof Error && "code" in error;
+}

package/dist/broker/remote-mcp.js

@@ -0,0 +1,121 @@
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import { CallToolResultSchema, ListToolsResultSchema, } from "@modelcontextprotocol/sdk/types.js";
+import { createDpopProof } from "../auth/dpop.js";
+import { assertBrokerRemoteUrl } from "../auth/url-security.js";
+const BROKER_CLIENT_INFO = {
+    name: "driggsby-local-broker",
+    version: "0.1.0",
+};
+export async function listRemoteTools(session, dpopKeyPair) {
+    return await withRemoteClient(session, dpopKeyPair, async (client) => {
+        const result = await client.request({
+            method: "tools/list",
+            params: {},
+        }, ListToolsResultSchema);
+        return result.tools;
+    });
+}
+export async function callRemoteTool(session, dpopKeyPair, name, args) {
+    return await withRemoteClient(session, dpopKeyPair, async (client) => {
+        return await client.request({
+            method: "tools/call",
+            params: args === undefined
+                ? { name }
+                : {
+                    arguments: args,
+                    name,
+                },
+        }, CallToolResultSchema);
+    });
+}
+async function withRemoteClient(session, dpopKeyPair, action) {
+    assertBrokerRemoteUrl(session.resource, "The Driggsby MCP resource URL");
+    const transport = new StreamableHTTPClientTransport(new URL(session.resource), {
+        fetch: createDpopAuthenticatedFetch(session, dpopKeyPair),
+    });
+    const client = new Client(BROKER_CLIENT_INFO, {
+        capabilities: {},
+    });
+    try {
+        await client.connect(toTransport(transport));
+        return await action(client);
+    }
+    catch (error) {
+        throw mapRemoteMcpError(error);
+    }
+    finally {
+        await closeRemoteTransport(transport);
+    }
+}
+function toTransport(transport) {
+    return transport;
+}
+function mapRemoteMcpError(error) {
+    if (!(error instanceof Error)) {
+        return new Error("Driggsby could not complete that remote MCP request. Try again in a moment.");
+    }
+    const message = error.message.toLowerCase();
+    if (message.includes("tool") && message.includes("not found")) {
+        return new Error("That Driggsby tool is not available in this session anymore. Start a fresh client session and try again.");
+    }
+    if (message.includes("fetch failed") ||
+        message.includes("failed to open sse stream") ||
+        message.includes("error posting to endpoint") ||
+        message.includes("streamable http error") ||
+        message.includes("sse stream disconnected")) {
+        return new Error("Driggsby could not reach the remote MCP service right now. Try again in a moment.");
+    }
+    return error;
+}
+async function closeRemoteTransport(transport) {
+    try {
+        await transport.terminateSession();
+    }
+    catch {
+        // Best-effort cleanup only.
+    }
+    await transport.close();
+}
+function createDpopAuthenticatedFetch(session, dpopKeyPair) {
+    return async (input, init) => {
+        const httpMethod = resolveRequestMethod(input, init);
+        const headers = new Headers(input instanceof Request ? input.headers : undefined);
+        if (init?.headers !== undefined) {
+            new Headers(init.headers).forEach((value, key) => {
+                headers.set(key, value);
+            });
+        }
+        headers.set("Authorization", `${session.tokenType} ${session.accessToken}`);
+        headers.set("DPoP", await createDpopProof({
+            accessToken: session.accessToken,
+            httpMethod,
+            privateJwk: dpopKeyPair.privateJwk,
+            publicJwk: dpopKeyPair.publicJwk,
+            targetUrl: resolveRequestUrl(input),
+        }));
+        return await fetch(input, {
+            ...init,
+            headers,
+            method: httpMethod,
+        });
+    };
+}
+function resolveRequestMethod(input, init) {
+    if (init?.method !== undefined) {
+        return init.method;
+    }
+    if (input instanceof Request) {
+        return input.method;
+    }
+    return "GET";
+}
+function resolveRequestUrl(input) {
+    if (typeof input === "string") {
+        return input;
+    }
+    if (input instanceof URL) {
+        return input.toString();
+    }
+    return input.url;
+}