driggsby 0.1.12 → 0.1.13

package/dist/broker/remote-mcp.js

@@ -1,129 +0,0 @@
-import { Client } from "@modelcontextprotocol/sdk/client/index.js";
-import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
-import { CallToolResultSchema, ListToolsResultSchema, } from "@modelcontextprotocol/sdk/types.js";
-import { createDpopProof } from "../auth/dpop.js";
-import { assertBrokerRemoteUrl } from "../auth/url-security.js";
-import { buildReauthenticationRequiredMessage } from "../lib/user-guidance.js";
-const BROKER_CLIENT_INFO = {
-    name: "driggsby-local-broker",
-    version: "0.1.0",
-};
-export async function listRemoteTools(session, dpopKeyPair) {
-    return await withRemoteClient(session, dpopKeyPair, async (client) => {
-        const result = await client.request({
-            method: "tools/list",
-            params: {},
-        }, ListToolsResultSchema);
-        return result.tools;
-    });
-}
-export async function callRemoteTool(session, dpopKeyPair, name, args) {
-    return await withRemoteClient(session, dpopKeyPair, async (client) => {
-        return await client.request({
-            method: "tools/call",
-            params: args === undefined
-                ? { name }
-                : {
-                    arguments: args,
-                    name,
-                },
-        }, CallToolResultSchema);
-    });
-}
-async function withRemoteClient(session, dpopKeyPair, action) {
-    assertBrokerRemoteUrl(session.resource, "The Driggsby MCP resource URL");
-    const transport = new StreamableHTTPClientTransport(new URL(session.resource), {
-        fetch: createDpopAuthenticatedFetch(session, dpopKeyPair),
-    });
-    const client = new Client(BROKER_CLIENT_INFO, {
-        capabilities: {},
-    });
-    try {
-        await client.connect(toTransport(transport));
-        return await action(client);
-    }
-    catch (error) {
-        throw mapRemoteMcpError(error);
-    }
-    finally {
-        await closeRemoteTransport(transport);
-    }
-}
-function toTransport(transport) {
-    return transport;
-}
-function mapRemoteMcpError(error) {
-    if (!(error instanceof Error)) {
-        return new Error("Driggsby could not complete that remote MCP request. Try again in a moment.");
-    }
-    const message = error.message.toLowerCase();
-    if (message.includes("tool") && message.includes("not found")) {
-        return new Error("That Driggsby tool is not available in this session anymore. Start a fresh client session and try again.");
-    }
-    if (message.includes("fetch failed") ||
-        message.includes("failed to open sse stream") ||
-        message.includes("error posting to endpoint") ||
-        message.includes("streamable http error") ||
-        message.includes("sse stream disconnected")) {
-        return new Error("Driggsby could not reach the remote MCP service right now. Try again in a moment.");
-    }
-    return error;
-}
-async function closeRemoteTransport(transport) {
-    try {
-        await transport.terminateSession();
-    }
-    catch {
-        // Best-effort cleanup only.
-    }
-    await transport.close();
-}
-function createDpopAuthenticatedFetch(session, dpopKeyPair) {
-    return async (input, init) => {
-        const httpMethod = resolveRequestMethod(input, init);
-        const headers = new Headers(input instanceof Request ? input.headers : undefined);
-        if (init?.headers !== undefined) {
-            new Headers(init.headers).forEach((value, key) => {
-                headers.set(key, value);
-            });
-        }
-        headers.set("Authorization", `${session.tokenType} ${session.accessToken}`);
-        headers.set("DPoP", await createDpopProof({
-            accessToken: session.accessToken,
-            httpMethod,
-            privateJwk: dpopKeyPair.privateJwk,
-            publicJwk: dpopKeyPair.publicJwk,
-            targetUrl: resolveRequestUrl(input),
-        }));
-        return await ensureAuthenticatedRemoteResponse(fetch(input, {
-            ...init,
-            headers,
-            method: httpMethod,
-        }));
-    };
-}
-async function ensureAuthenticatedRemoteResponse(responsePromise) {
-    const response = await responsePromise;
-    if (response.status === 401 || response.status === 403) {
-        throw new Error(buildReauthenticationRequiredMessage("Authentication has expired or the saved broker session is no longer authorized for Driggsby"));
-    }
-    return response;
-}
-function resolveRequestMethod(input, init) {
-    if (init?.method !== undefined) {
-        return init.method;
-    }
-    if (input instanceof Request) {
-        return input.method;
-    }
-    return "GET";
-}
-function resolveRequestUrl(input) {
-    if (typeof input === "string") {
-        return input;
-    }
-    if (input instanceof URL) {
-        return input.toString();
-    }
-    return input.url;
-}

package/dist/broker/remote-session.js

@@ -1,173 +0,0 @@
-import { fetchAuthorizationServerMetadata, } from "../auth/discovery.js";
-import { createDpopProof } from "../auth/dpop.js";
-import { refreshAccessToken } from "../auth/oauth.js";
-import { assertBrokerRemoteUrl } from "../auth/url-security.js";
-import { retryOperation } from "../lib/retry.js";
-import { buildReauthenticationRequiredMessage, DRIGGSBY_LOGIN_COMMAND, DRIGGSBY_STATUS_COMMAND, errorMessageIncludesReauthenticationCommand, } from "../lib/user-guidance.js";
-import { readBrokerDpopKeyPair } from "./installation.js";
-import { readBrokerRemoteSession, summarizeBrokerRemoteSession, writeBrokerRemoteSession, } from "./session.js";
-const ACCESS_TOKEN_REFRESH_SKEW_MS = 60_000;
-const STATUS_REFRESH_RETRY_DELAYS_MS = [0, 250, 500];
-export class BrokerRemoteSessionManager {
-    brokerId;
-    fetchImpl;
-    runtimePaths;
-    secretStore;
-    refreshInFlight = null;
-    constructor(options) {
-        this.brokerId = options.brokerId;
-        this.fetchImpl = options.fetchImpl ?? fetch;
-        this.runtimePaths = options.runtimePaths;
-        this.secretStore = options.secretStore;
-    }
-    async ensureFreshSession() {
-        const session = await readBrokerRemoteSession(this.secretStore, this.brokerId);
-        if (session === null) {
-            throw new Error(buildReauthenticationRequiredMessage("The local Driggsby broker is not connected"));
-        }
-        if (!sessionNeedsRefresh(session)) {
-            return session;
-        }
-        this.refreshInFlight ??= refreshRemoteSession(this.runtimePaths, this.secretStore, this.brokerId, session, this.fetchImpl).finally(() => {
-            this.refreshInFlight = null;
-        });
-        return await this.refreshInFlight;
-    }
-}
-export async function ensureFreshRemoteSession(options) {
-    const manager = new BrokerRemoteSessionManager(options);
-    return await manager.ensureFreshSession();
-}
-export async function inspectRemoteSessionReadiness(options) {
-    const session = await readBrokerRemoteSession(options.secretStore, options.brokerId);
-    if (session === null) {
-        return buildNotConnectedReadiness();
-    }
-    if (options.refreshIfNeeded && sessionNeedsRefresh(session)) {
-        try {
-            const refreshedSession = await retryOperation(async () => await ensureFreshRemoteSession(options), {
-                delaysMs: STATUS_REFRESH_RETRY_DELAYS_MS,
-                shouldRetry: shouldRetryStatusRefresh,
-            });
-            return buildReadyReadiness(refreshedSession);
-        }
-        catch (error) {
-            return buildFailedRefreshReadiness(error, session);
-        }
-    }
-    if (sessionNeedsRefresh(session)) {
-        return {
-            connected: true,
-            detail: "The saved remote session needs a token refresh before remote MCP forwarding can run.",
-            nextStepCommand: DRIGGSBY_STATUS_COMMAND,
-            ready: false,
-            reauthenticationRequired: false,
-            session: summarizeBrokerRemoteSession(session),
-            state: "temporarily_unavailable",
-        };
-    }
-    return buildReadyReadiness(session);
-}
-export function sessionNeedsRefresh(session, nowMs = Date.now()) {
-    const expiresAtMs = Date.parse(session.accessTokenExpiresAt);
-    if (!Number.isFinite(expiresAtMs)) {
-        return true;
-    }
-    return expiresAtMs - nowMs <= ACCESS_TOKEN_REFRESH_SKEW_MS;
-}
-async function refreshRemoteSession(runtimePaths, secretStore, brokerId, session, fetchImpl) {
-    assertBrokerRemoteUrl(session.issuer, "The Driggsby issuer URL");
-    let authorizationServerMetadata;
-    try {
-        authorizationServerMetadata = await fetchAuthorizationServerMetadata(session.issuer, fetchImpl);
-    }
-    catch {
-        throw new Error("Driggsby could not refresh the local broker session right now because it could not reach the authorization server. Wait a moment and try again.");
-    }
-    let refreshedTokens;
-    try {
-        refreshedTokens = await refreshAccessToken({
-            clientId: session.clientId,
-            dpopProof: await refreshTokenDpopProof(runtimePaths, secretStore, brokerId, authorizationServerMetadata.token_endpoint),
-            metadata: authorizationServerMetadata,
-            refreshToken: session.refreshToken,
-            resource: session.resource,
-        }, fetchImpl);
-    }
-    catch (error) {
-        throwRefreshSessionError(error);
-    }
-    const refreshedSession = {
-        ...session,
-        accessToken: refreshedTokens.accessToken,
-        accessTokenExpiresAt: refreshedTokens.accessTokenExpiresAt,
-        refreshToken: refreshedTokens.refreshToken,
-        scope: refreshedTokens.scope,
-        tokenType: refreshedTokens.tokenType,
-    };
-    await writeBrokerRemoteSession(secretStore, brokerId, refreshedSession);
-    return refreshedSession;
-}
-async function refreshTokenDpopProof(runtimePaths, secretStore, brokerId, tokenEndpoint) {
-    const dpopKeyPair = await readBrokerDpopKeyPair(runtimePaths, secretStore, brokerId);
-    if (dpopKeyPair === null) {
-        throw new Error(buildReauthenticationRequiredMessage("The local Driggsby broker key is missing"));
-    }
-    return await createDpopProof({
-        httpMethod: "POST",
-        privateJwk: dpopKeyPair.privateJwk,
-        publicJwk: dpopKeyPair.publicJwk,
-        targetUrl: tokenEndpoint,
-    });
-}
-function throwRefreshSessionError(error) {
-    if (errorMessageIncludesReauthenticationCommand(error)) {
-        throw error;
-    }
-    throw new Error("Driggsby could not refresh the local broker session right now. Wait a moment and try again.");
-}
-function shouldRetryStatusRefresh(error) {
-    return !errorMessageIncludesReauthenticationCommand(error);
-}
-function buildFailedRefreshReadiness(error, session) {
-    if (errorMessageIncludesReauthenticationCommand(error)) {
-        return {
-            connected: true,
-            detail: "The saved remote session is no longer authorized. Remote MCP forwarding will stay blocked until Driggsby signs in again.",
-            nextStepCommand: DRIGGSBY_LOGIN_COMMAND,
-            ready: false,
-            reauthenticationRequired: true,
-            session: summarizeBrokerRemoteSession(session),
-            state: "reauth_required",
-        };
-    }
-    return {
-        connected: true,
-        detail: "Driggsby could not refresh remote MCP access right now. Remote MCP forwarding is blocked until the refresh succeeds.",
-        nextStepCommand: DRIGGSBY_STATUS_COMMAND,
-        ready: false,
-        reauthenticationRequired: false,
-        session: summarizeBrokerRemoteSession(session),
-        state: "temporarily_unavailable",
-    };
-}
-export function buildNotConnectedReadiness() {
-    return {
-        connected: false,
-        detail: "Driggsby does not have a saved remote session yet.",
-        nextStepCommand: DRIGGSBY_LOGIN_COMMAND,
-        ready: false,
-        reauthenticationRequired: false,
-        state: "not_connected",
-    };
-}
-function buildReadyReadiness(session) {
-    return {
-        connected: true,
-        detail: "Remote MCP forwarding is ready to use.",
-        ready: true,
-        reauthenticationRequired: false,
-        session: summarizeBrokerRemoteSession(session),
-        state: "ready",
-    };
-}

package/dist/broker/resolve-secret-store.js

@@ -1,52 +0,0 @@
-import { readBrokerMetadata } from "./installation.js";
-import { FileSecretStore } from "./file-secret-store.js";
-import { KeyringSecretStore } from "./keyring-secret-store.js";
-const KEYRING_UNAVAILABLE_WITH_EXISTING_INSTALL_MESSAGE = "This Driggsby broker install already depends on platform secure storage, but that storage is unavailable in this shell. Reopen the original desktop session or restore keyring access before using this install.";
-const LOGOUT_FALLBACK_NOTICE = "Platform secure storage is unavailable here, so logout will clear local broker files only. Any unreachable platform-keyring entries will remain until you return to the original session.";
-export class ExistingInstallRequiresKeyringError extends Error {
-    constructor() {
-        super(KEYRING_UNAVAILABLE_WITH_EXISTING_INSTALL_MESSAGE);
-        this.name = "ExistingInstallRequiresKeyringError";
-    }
-}
-export async function resolveSecretStore(runtimePaths, options = {}) {
-    const fileStore = options.fileStore ?? new FileSecretStore(runtimePaths);
-    if (await fileStore.hasStoredSecrets()) {
-        return {
-            backend: "file",
-            notice: null,
-            store: fileStore,
-        };
-    }
-    const keyringStore = options.keyringStore ?? new KeyringSecretStore();
-    if (await keyringStore.isAvailable()) {
-        return {
-            backend: "keyring",
-            notice: null,
-            store: keyringStore,
-        };
-    }
-    if ((await readBrokerMetadata(runtimePaths)) !== null) {
-        throw new ExistingInstallRequiresKeyringError();
-    }
-    return {
-        backend: "file",
-        notice: `Platform secure storage is unavailable here. Driggsby will use an owner-only file-backed secret store under ${runtimePaths.configDir}.`,
-        store: fileStore,
-    };
-}
-export async function resolveSecretStoreForLogout(runtimePaths, options = {}) {
-    try {
-        return await resolveSecretStore(runtimePaths, options);
-    }
-    catch (error) {
-        if (!(error instanceof ExistingInstallRequiresKeyringError)) {
-            throw error;
-        }
-        return {
-            backend: "file",
-            notice: LOGOUT_FALLBACK_NOTICE,
-            store: options.fileStore ?? new FileSecretStore(runtimePaths),
-        };
-    }
-}

package/dist/broker/secret-store.js

@@ -1,13 +0,0 @@
-export class MemorySecretStore {
-    secrets = new Map();
-    setSecret(account, secret) {
-        this.secrets.set(account, secret);
-        return Promise.resolve();
-    }
-    getSecret(account) {
-        return Promise.resolve(this.secrets.get(account) ?? null);
-    }
-    deleteSecret(account) {
-        return Promise.resolve(this.secrets.delete(account));
-    }
-}

package/dist/broker/server.js

@@ -1,177 +0,0 @@
-import { promises as fs } from "node:fs";
-import net from "node:net";
-import { ensureRuntimeDirectories } from "../lib/runtime-paths.js";
-import { acquireBrokerLock } from "./lock.js";
-import { decodeRequest, encodeResponse } from "./ipc.js";
-import { hashBrokerPayload, signBrokerProof } from "./authentication.js";
-export class LocalBrokerServer {
-    brokerId;
-    localAuthToken;
-    privateJwk;
-    runtimePaths;
-    statusProvider;
-    listToolsProvider;
-    callToolProvider;
-    lockLease = null;
-    server = null;
-    constructor(options) {
-        this.brokerId = options.brokerId;
-        this.localAuthToken = options.localAuthToken;
-        this.privateJwk = options.privateJwk;
-        this.runtimePaths = options.runtimePaths;
-        this.statusProvider = options.statusProvider;
-        this.listToolsProvider = options.listTools;
-        this.callToolProvider = options.callTool;
-    }
-    async listen() {
-        if (this.server !== null) {
-            return;
-        }
-        await ensureRuntimeDirectories(this.runtimePaths);
-        const lockLease = await acquireBrokerLock(this.runtimePaths.lockPath);
-        if (lockLease === null) {
-            throw new Error("The local Driggsby broker is already running.");
-        }
-        this.lockLease = lockLease;
-        if (process.platform !== "win32") {
-            await removeSocketIfPresent(this.runtimePaths.socketPath);
-        }
-        this.server = net.createServer((socket) => {
-            socket.setEncoding("utf8");
-            let buffer = "";
-            socket.on("data", (chunk) => {
-                buffer += chunk;
-                const newlineIndex = buffer.indexOf("\n");
-                if (newlineIndex < 0) {
-                    return;
-                }
-                const payload = buffer.slice(0, newlineIndex);
-                void this.handleRequest(payload, socket);
-            });
-        });
-        try {
-            await new Promise((resolve, reject) => {
-                this.server?.once("error", reject);
-                this.server?.listen(this.runtimePaths.socketPath, resolve);
-            });
-        }
-        catch (error) {
-            await this.releaseLock();
-            throw error;
-        }
-        if (process.platform !== "win32") {
-            await fs.chmod(this.runtimePaths.socketPath, 0o600);
-        }
-    }
-    async close() {
-        if (this.server !== null) {
-            const server = this.server;
-            this.server = null;
-            await new Promise((resolve, reject) => {
-                server.close((error) => {
-                    if (error) {
-                        reject(error);
-                        return;
-                    }
-                    resolve();
-                });
-            });
-        }
-        if (process.platform !== "win32") {
-            await removeSocketIfPresent(this.runtimePaths.socketPath);
-        }
-        await this.releaseLock();
-    }
-    async handleRequest(payload, socket) {
-        let response;
-        try {
-            const request = decodeRequest(payload);
-            response = await this.dispatchRequest(request);
-        }
-        catch (error) {
-            response = await this.buildErrorResponse("unknown", "unknown", "unknown", error instanceof Error ? error.message : "Broker request failed.");
-        }
-        socket.end(encodeResponse(response));
-    }
-    async dispatchRequest(request) {
-        if (request.authToken !== this.localAuthToken) {
-            return await this.buildErrorResponse(request.id, request.method, request.challenge, "Broker authentication failed.");
-        }
-        switch (request.method) {
-            case "ping": {
-                const status = await this.statusProvider();
-                return await this.buildSuccessResponse(request, {
-                    ok: true,
-                    brokerId: status.brokerId ?? "unknown",
-                });
-            }
-            case "get_status":
-                return await this.buildSuccessResponse(request, {
-                    status: await this.statusProvider(),
-                });
-            case "shutdown":
-                setImmediate(() => {
-                    void this.close();
-                });
-                return await this.buildSuccessResponse(request, {
-                    stopped: true,
-                });
-            case "list_tools":
-                return await this.buildSuccessResponse(request, await this.listToolsProvider());
-            case "call_tool":
-                return await this.buildSuccessResponse(request, await this.callToolProvider(request.toolName, request.args));
-        }
-    }
-    async buildSuccessResponse(request, result) {
-        const payload = { ok: true, result };
-        return {
-            brokerProof: await signBrokerProof({
-                aud: "driggsby-local-shim",
-                challenge: request.challenge,
-                payloadSha256: hashBrokerPayload(payload),
-                requestId: request.id,
-                requestMethod: request.method,
-                sub: this.brokerId,
-            }, this.privateJwk),
-            id: request.id,
-            ok: true,
-            result,
-        };
-    }
-    async buildErrorResponse(requestId, requestMethod, challenge, error) {
-        const payload = { ok: false, error };
-        return {
-            brokerProof: await signBrokerProof({
-                aud: "driggsby-local-shim",
-                challenge,
-                payloadSha256: hashBrokerPayload(payload),
-                requestId,
-                requestMethod: requestMethod === "unknown" ? "ping" : requestMethod,
-                sub: this.brokerId,
-            }, this.privateJwk),
-            id: requestId,
-            ok: false,
-            error,
-        };
-    }
-    async releaseLock() {
-        if (this.lockLease === null) {
-            return;
-        }
-        const lease = this.lockLease;
-        this.lockLease = null;
-        await lease.release();
-    }
-}
-async function removeSocketIfPresent(socketPath) {
-    try {
-        await fs.rm(socketPath);
-    }
-    catch (error) {
-        if (!(error instanceof Error) ||
-            !("code" in error) ||
-            error.code !== "ENOENT") {
-            throw error;
-        }
-    }
-}

package/dist/broker/session.js

@@ -1,31 +0,0 @@
-const REMOTE_SESSION_ACCOUNT_SUFFIX = "remote-session";
-export async function readBrokerRemoteSession(secretStore, brokerId) {
-    const raw = await secretStore.getSecret(remoteSessionAccountName(brokerId));
-    if (raw === null) {
-        return null;
-    }
-    const parsed = JSON.parse(raw);
-    return {
-        ...parsed,
-        tokenType: parsed.tokenType ?? "Bearer",
-    };
-}
-export async function writeBrokerRemoteSession(secretStore, brokerId, session) {
-    await secretStore.setSecret(remoteSessionAccountName(brokerId), JSON.stringify(session));
-}
-export async function clearBrokerRemoteSession(secretStore, brokerId) {
-    await secretStore.deleteSecret(remoteSessionAccountName(brokerId));
-}
-export function summarizeBrokerRemoteSession(session) {
-    return {
-        accessTokenExpiresAt: session.accessTokenExpiresAt,
-        authenticatedAt: session.authenticatedAt,
-        clientId: session.clientId,
-        issuer: session.issuer,
-        resource: session.resource,
-        scope: session.scope,
-    };
-}
-function remoteSessionAccountName(brokerId) {
-    return `${brokerId}:${REMOTE_SESSION_ACCOUNT_SUFFIX}`;
-}