estatehelm 1.0.21 → 1.0.22

package/README.md

@@ -68,17 +68,21 @@ Remove credentials and revoke device access.
 Start the MCP server.
 
 Options:
-- `-m, --mode <mode>` - Privacy mode: `full` (default) or `safe`
+- `-m, --mode <mode>` - Privacy mode: `safe` (default) or `full`
+- `-t, --token <token>` - MCP access token (or set ESTATEHELM_MCP_TOKEN env var)
 - `--poll <interval>` - Background sync interval (e.g., `15m`)
 
 ### `estatehelm status`
 
 Show current login status and cache information.
 
-### `estatehelm sync`
+### `estatehelm sync [options]`
 
 Force sync cache from server.
 
+Options:
+- `-t, --token <token>` - MCP access token (or set ESTATEHELM_MCP_TOKEN env var)
+
 ### `estatehelm cache clear`
 
 Clear local cache (keeps credentials).
@@ -100,20 +104,20 @@ Get configuration value(s).
 
 ## Privacy Modes
 
-### Full Mode (default)
+### Safe Mode (default)
 
-All data is returned as-is. Use this when you're alone and want full access.
+Sensitive fields (passwords, account numbers, etc.) are redacted. Use this when sharing your screen or when uncertain.
 
 ```bash
-estatehelm mcp --mode full
+estatehelm mcp --mode safe
 ```
 
-### Safe Mode
+### Full Mode
 
-Sensitive fields (passwords, account numbers, etc.) are redacted. Use this when sharing your screen or when uncertain.
+All data is returned as-is. Use this when you're alone and want full access.
 
 ```bash
-estatehelm mcp --mode safe
+estatehelm mcp --mode full
 ```
 
 Redacted fields by entity type:
@@ -202,7 +206,7 @@ The device was revoked from EstateHelm settings. Run `estatehelm login` to re-re
 
 ### Cache issues
 
-Try clearing the cache: `estatehelm cache clear`, then `estatehelm sync`.
+Try clearing the cache: `estatehelm cache clear`, then `estatehelm sync --token YOUR_TOKEN`.
 
 ## License
 

package/dist/index.js

@@ -744,195 +744,6 @@ async function decryptEntity(householdKey, encrypted, options = {}) {
   }
 }
 
-// ../encryption/src/entityKeyMapping.ts
-var ENTITY_KEY_TYPE_MAP = {
-  // General household items
-  "property": "general",
-  "maintenance_task": "task",
-  "pet": "general",
-  "vehicle": "general",
-  "device": "general",
-  "valuable": "general",
-  "valuables": "general",
-  // Route alias
-  "access_code": "access_code",
-  "contact": "general",
-  "service": "general",
-  "document": "general",
-  "travel": "general",
-  "resident": "general",
-  "home_improvement": "general",
-  // Property improvements
-  "vehicle_maintenance": "general",
-  // Vehicle maintenance history
-  "vehicle_service_visit": "general",
-  // Vehicle service visits
-  "pet_vet_visit": "general",
-  // Pet vet visits (like vehicle_service_visit for vehicles)
-  "pet_health": "general",
-  // Pet health records (simple single records)
-  "military_record": "general",
-  // Military service records
-  "education_record": "general",
-  // Education records (diplomas, transcripts, etc.)
-  "credential": "general",
-  // Credentials (professional licenses, government IDs, etc.)
-  "credentials": "general",
-  // Route alias
-  "membership_record": "general",
-  // Membership records (airline, hotel, retail loyalty programs)
-  // Health records (sensitive - requires health key)
-  "health_record": "health",
-  // Financial
-  "bank_account": "financial",
-  "investment": "financial",
-  "tax_document": "financial",
-  "tax_year": "financial",
-  "taxes": "financial",
-  // Route alias
-  "financial_account": "financial",
-  "financial": "financial",
-  // Route alias
-  // Legal (owner-only)
-  "legal": "legal",
-  // Insurance (both names for compatibility)
-  "insurance": "general",
-  "insurance_policy": "general",
-  "subscription": "subscription",
-  // Passwords (shared household credentials)
-  "password": "password",
-  // Identity (Personal Vault)
-  "identity": "identity",
-  // Calendar Connections (Personal Vault - user's OAuth tokens for calendar sync)
-  "calendar_connection": "identity",
-  // Continuity (Personal Vault - shared messages for beneficiaries)
-  "continuity": "continuity",
-  // Emergency (household-scoped emergency info, encrypted with general key so all members can decrypt)
-  "emergency": "general"
-};
-function getKeyTypeForEntity(entityType) {
-  const keyType = ENTITY_KEY_TYPE_MAP[entityType];
-  if (!keyType) {
-    throw new Error(
-      `No key type mapping found for entity type: ${entityType}. Please add it to ENTITY_KEY_TYPE_MAP in entityKeyMapping.ts`
-    );
-  }
-  return keyType;
-}
-
-// ../encryption/src/recoveryKey.ts
-var RECOVERY_KEY_SIZE = 16;
-var GROUP_SIZE = 4;
-var BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-function encodeBase32(bytes) {
-  let bits = "";
-  for (const byte of bytes) {
-    bits += byte.toString(2).padStart(8, "0");
-  }
-  while (bits.length % 5 !== 0) {
-    bits += "0";
-  }
-  let result = "";
-  for (let i = 0; i < bits.length; i += 5) {
-    const chunk = bits.substring(i, i + 5);
-    const index = parseInt(chunk, 2);
-    result += BASE32_ALPHABET[index];
-  }
-  return result;
-}
-function decodeBase32(base32) {
-  const cleaned = base32.toUpperCase().replace(/[^A-Z2-7]/g, "");
-  let bits = "";
-  for (const char of cleaned) {
-    const index = BASE32_ALPHABET.indexOf(char);
-    if (index === -1) {
-      throw new Error(`Invalid base32 character: ${char}`);
-    }
-    bits += index.toString(2).padStart(5, "0");
-  }
-  const bytes = [];
-  for (let i = 0; i < bits.length - bits.length % 8; i += 8) {
-    const byte = parseInt(bits.substring(i, i + 8), 2);
-    bytes.push(byte);
-  }
-  return new Uint8Array(bytes);
-}
-function formatRecoveryKey(base32) {
-  const groups = [];
-  for (let i = 0; i < base32.length; i += GROUP_SIZE) {
-    groups.push(base32.substring(i, i + GROUP_SIZE));
-  }
-  return groups.join("-");
-}
-function unformatRecoveryKey(formatted) {
-  return formatted.toUpperCase().replace(/[^A-Z2-7]/g, "");
-}
-function validateRecoveryKey(recoveryKey) {
-  try {
-    const unformatted = unformatRecoveryKey(recoveryKey);
-    if (unformatted.length < 20 || unformatted.length > 30) {
-      return false;
-    }
-    for (const char of unformatted) {
-      if (!BASE32_ALPHABET.includes(char)) {
-        return false;
-      }
-    }
-    const bytes = decodeBase32(unformatted);
-    return bytes.length >= RECOVERY_KEY_SIZE - 2 && bytes.length <= RECOVERY_KEY_SIZE + 2;
-  } catch {
-    return false;
-  }
-}
-function parseRecoveryKey(recoveryKey) {
-  if (!validateRecoveryKey(recoveryKey)) {
-    throw new Error("Invalid recovery key format");
-  }
-  const unformatted = unformatRecoveryKey(recoveryKey);
-  const bytes = decodeBase32(unformatted);
-  const normalizedBytes = new Uint8Array(RECOVERY_KEY_SIZE);
-  normalizedBytes.set(bytes.slice(0, RECOVERY_KEY_SIZE));
-  const base32 = encodeBase32(normalizedBytes);
-  const formatted = formatRecoveryKey(base32);
-  const base64 = base64Encode(normalizedBytes);
-  return {
-    bytes: normalizedBytes,
-    formatted,
-    base64
-  };
-}
-async function deriveWrapKey(recoveryKeyBytes, serverWrapSecret, info = "hearthcoo-wrap-key-v1") {
-  if (recoveryKeyBytes.length !== RECOVERY_KEY_SIZE) {
-    throw new Error(`Recovery key must be ${RECOVERY_KEY_SIZE} bytes`);
-  }
-  if (serverWrapSecret.length !== 32) {
-    throw new Error("Server wrap secret must be 32 bytes");
-  }
-  const recoveryKeyMaterial = await crypto.subtle.importKey(
-    "raw",
-    recoveryKeyBytes,
-    "HKDF",
-    false,
-    ["deriveKey"]
-  );
-  const wrapKey = await crypto.subtle.deriveKey(
-    {
-      name: "HKDF",
-      hash: "SHA-256",
-      salt: serverWrapSecret,
-      info: new TextEncoder().encode(info)
-    },
-    recoveryKeyMaterial,
-    {
-      name: "AES-GCM",
-      length: 256
-    },
-    false,
-    ["encrypt", "decrypt"]
-  );
-  return wrapKey;
-}
-
 // ../types/src/contacts.ts
 function getContactDisplayName(contact, fallback = "") {
   const personName = [contact.first_name, contact.last_name].filter(Boolean).join(" ");
@@ -946,6 +757,76 @@ function getContactDisplayName(contact, fallback = "") {
 // ../types/src/keys.ts
 var DEFAULT_KEY_BUNDLE_ALG = "ECDH-P-521";
 
+// ../types/src/entities.ts
+var ENTITIES = {
+  // ===== General household items =====
+  property: { keyType: "general" },
+  pet: { keyType: "general" },
+  vehicle: { keyType: "general" },
+  contact: { keyType: "general" },
+  device: { keyType: "general" },
+  valuable: { keyType: "general" },
+  resident: { keyType: "general" },
+  service: { keyType: "general" },
+  home_improvement: { keyType: "general" },
+  vehicle_maintenance: { keyType: "general" },
+  vehicle_service_visit: { keyType: "general" },
+  pet_vet_visit: { keyType: "general" },
+  military_record: { keyType: "general" },
+  education_record: { keyType: "general" },
+  credential: { keyType: "general" },
+  membership_record: { keyType: "general" },
+  maintenance_task: { keyType: "task" },
+  // ===== Access codes =====
+  access_code: { keyType: "access_code" },
+  // ===== Insurance =====
+  insurance_policy: { keyType: "general" },
+  // ===== Subscriptions =====
+  subscription: { keyType: "subscription" },
+  // ===== Financial (sensitive) =====
+  financial_account: { keyType: "financial" },
+  tax_year: { keyType: "financial" },
+  // ===== Health (sensitive) =====
+  health_record: { keyType: "health" },
+  // ===== Legal (owner-only) =====
+  legal_document: { keyType: "legal" },
+  // ===== Personal vault =====
+  digital_identity: { keyType: "identity" },
+  calendar_connection: { keyType: "identity" },
+  // ===== Shared passwords =====
+  password: { keyType: "password", hasSchema: false },
+  // ===== Internal/legacy types (no schemas) =====
+  emergency: { keyType: "general", hasSchema: false },
+  continuity: { keyType: "continuity", hasSchema: false },
+  document: { keyType: "general", hasSchema: false },
+  travel: { keyType: "general", hasSchema: false },
+  pet_health: { keyType: "general", hasSchema: false },
+  bank_account: { keyType: "financial", hasSchema: false },
+  investment: { keyType: "financial", hasSchema: false },
+  tax_document: { keyType: "financial", hasSchema: false }
+};
+var ENTITY_ALIASES = {
+  valuables: "valuable",
+  credentials: "credential",
+  taxes: "tax_year",
+  financial: "financial_account",
+  insurance: "insurance_policy",
+  legal: "legal_document",
+  identity: "digital_identity"
+};
+var ENTITY_TYPES = Object.keys(ENTITIES);
+var SCHEMA_ENTITY_TYPES = Object.entries(ENTITIES).filter(([_, config]) => config.hasSchema !== false).map(([type]) => type);
+function getKeyTypeForEntity(entityType) {
+  const resolvedType = entityType in ENTITY_ALIASES ? ENTITY_ALIASES[entityType] : entityType;
+  const config = ENTITIES[resolvedType];
+  if (!config) {
+    throw new Error(
+      `Unknown entity type: ${entityType}. Please add it to ENTITIES in entities.ts`
+    );
+  }
+  return config.keyType;
+}
+
 // ../types/src/options.ts
 var PERSONAL_LEGAL_DOCUMENT_TYPE_OPTIONS = [
   { label: "Birth Certificate", value: "birth_certificate" },
@@ -1209,6 +1090,131 @@ var COSTARICA_NAV_COLORS = stripeColors([
   // Blue stripe
 ]);
 
+// ../encryption/src/entityKeyMapping.ts
+var ENTITY_KEY_TYPE_MAP = {
+  // Build from ENTITIES
+  ...Object.fromEntries(
+    Object.entries(ENTITIES).map(([type, config]) => [type, config.keyType])
+  ),
+  // Add aliases
+  ...Object.fromEntries(
+    Object.entries(ENTITY_ALIASES).map(([alias, target]) => [alias, ENTITIES[target].keyType])
+  )
+};
+
+// ../encryption/src/recoveryKey.ts
+var RECOVERY_KEY_SIZE = 16;
+var GROUP_SIZE = 4;
+var BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function encodeBase32(bytes) {
+  let bits = "";
+  for (const byte of bytes) {
+    bits += byte.toString(2).padStart(8, "0");
+  }
+  while (bits.length % 5 !== 0) {
+    bits += "0";
+  }
+  let result = "";
+  for (let i = 0; i < bits.length; i += 5) {
+    const chunk = bits.substring(i, i + 5);
+    const index = parseInt(chunk, 2);
+    result += BASE32_ALPHABET[index];
+  }
+  return result;
+}
+function decodeBase32(base32) {
+  const cleaned = base32.toUpperCase().replace(/[^A-Z2-7]/g, "");
+  let bits = "";
+  for (const char of cleaned) {
+    const index = BASE32_ALPHABET.indexOf(char);
+    if (index === -1) {
+      throw new Error(`Invalid base32 character: ${char}`);
+    }
+    bits += index.toString(2).padStart(5, "0");
+  }
+  const bytes = [];
+  for (let i = 0; i < bits.length - bits.length % 8; i += 8) {
+    const byte = parseInt(bits.substring(i, i + 8), 2);
+    bytes.push(byte);
+  }
+  return new Uint8Array(bytes);
+}
+function formatRecoveryKey(base32) {
+  const groups = [];
+  for (let i = 0; i < base32.length; i += GROUP_SIZE) {
+    groups.push(base32.substring(i, i + GROUP_SIZE));
+  }
+  return groups.join("-");
+}
+function unformatRecoveryKey(formatted) {
+  return formatted.toUpperCase().replace(/[^A-Z2-7]/g, "");
+}
+function validateRecoveryKey(recoveryKey) {
+  try {
+    const unformatted = unformatRecoveryKey(recoveryKey);
+    if (unformatted.length < 20 || unformatted.length > 30) {
+      return false;
+    }
+    for (const char of unformatted) {
+      if (!BASE32_ALPHABET.includes(char)) {
+        return false;
+      }
+    }
+    const bytes = decodeBase32(unformatted);
+    return bytes.length >= RECOVERY_KEY_SIZE - 2 && bytes.length <= RECOVERY_KEY_SIZE + 2;
+  } catch {
+    return false;
+  }
+}
+function parseRecoveryKey(recoveryKey) {
+  if (!validateRecoveryKey(recoveryKey)) {
+    throw new Error("Invalid recovery key format");
+  }
+  const unformatted = unformatRecoveryKey(recoveryKey);
+  const bytes = decodeBase32(unformatted);
+  const normalizedBytes = new Uint8Array(RECOVERY_KEY_SIZE);
+  normalizedBytes.set(bytes.slice(0, RECOVERY_KEY_SIZE));
+  const base32 = encodeBase32(normalizedBytes);
+  const formatted = formatRecoveryKey(base32);
+  const base64 = base64Encode(normalizedBytes);
+  return {
+    bytes: normalizedBytes,
+    formatted,
+    base64
+  };
+}
+async function deriveWrapKey(recoveryKeyBytes, serverWrapSecret, info = "hearthcoo-wrap-key-v1") {
+  if (recoveryKeyBytes.length !== RECOVERY_KEY_SIZE) {
+    throw new Error(`Recovery key must be ${RECOVERY_KEY_SIZE} bytes`);
+  }
+  if (serverWrapSecret.length !== 32) {
+    throw new Error("Server wrap secret must be 32 bytes");
+  }
+  const recoveryKeyMaterial = await crypto.subtle.importKey(
+    "raw",
+    recoveryKeyBytes,
+    "HKDF",
+    false,
+    ["deriveKey"]
+  );
+  const wrapKey = await crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: serverWrapSecret,
+      info: new TextEncoder().encode(info)
+    },
+    recoveryKeyMaterial,
+    {
+      name: "AES-GCM",
+      length: 256
+    },
+    false,
+    ["encrypt", "decrypt"]
+  );
+  return wrapKey;
+}
+
 // ../encryption/src/keyBundle.ts
 async function decryptPrivateKeyWithWrapKey(encryptedPrivateKey, wrapKey) {
   const packed = base64Decode(encryptedPrivateKey);
@@ -1889,7 +1895,7 @@ async function getPrivateKey(mcpToken) {
 // src/server.ts
 var import_server = require("@modelcontextprotocol/sdk/server/index.js");
 var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
-var import_types42 = require("@modelcontextprotocol/sdk/types.js");
+var import_types44 = require("@modelcontextprotocol/sdk/types.js");
 
 // ../cache-sqlite/src/sqliteStore.ts
 var import_better_sqlite3 = __toESM(require("better-sqlite3"));
@@ -4844,7 +4850,7 @@ function enrichEntities(entities, entityType) {
 }
 
 // src/resources/entities.ts
-var ENTITY_TYPES = Object.keys(ENTITY_KEY_TYPE_MAP).filter(
+var ENTITY_TYPES2 = Object.keys(ENTITY_KEY_TYPE_MAP).filter(
   (t) => !ROUTE_ALIASES.has(t)
 );
 async function getEntities(householdId, entityType, privateKey, privacyMode) {
@@ -5096,7 +5102,7 @@ async function startServer(mode, mcpToken) {
       }
     }
   );
-  server.setRequestHandler(import_types42.ListResourcesRequestSchema, async () => {
+  server.setRequestHandler(import_types44.ListResourcesRequestSchema, async () => {
     const households = await listHouseholds();
     const resources = [
       {
@@ -5113,7 +5119,7 @@ async function startServer(mode, mcpToken) {
         description: `Household: ${household.name}`,
         mimeType: "application/json"
       });
-      for (const type of ENTITY_TYPES) {
+      for (const type of ENTITY_TYPES2) {
         resources.push({
           uri: `estatehelm://households/${household.id}/${type}`,
           name: `${household.name} - ${formatEntityType(type)}`,
@@ -5124,7 +5130,7 @@ async function startServer(mode, mcpToken) {
     }
     return { resources };
   });
-  server.setRequestHandler(import_types42.ReadResourceRequestSchema, async (request) => {
+  server.setRequestHandler(import_types44.ReadResourceRequestSchema, async (request) => {
     const uri = request.params.uri;
     const parsed = parseResourceUri(uri);
     if (!parsed) {
@@ -5153,7 +5159,7 @@ async function startServer(mode, mcpToken) {
       ]
     };
   });
-  server.setRequestHandler(import_types42.ListToolsRequestSchema, async () => {
+  server.setRequestHandler(import_types44.ListToolsRequestSchema, async () => {
     return {
       tools: [
         {
@@ -5246,7 +5252,7 @@ async function startServer(mode, mcpToken) {
       ]
     };
   });
-  server.setRequestHandler(import_types42.CallToolRequestSchema, async (request) => {
+  server.setRequestHandler(import_types44.CallToolRequestSchema, async (request) => {
     const { name, arguments: args } = request.params;
     trackToolUse(name);
     switch (name) {
@@ -5296,7 +5302,7 @@ async function startServer(mode, mcpToken) {
         throw new Error(`Unknown tool: ${name}`);
     }
   });
-  server.setRequestHandler(import_types42.ListPromptsRequestSchema, async () => {
+  server.setRequestHandler(import_types44.ListPromptsRequestSchema, async () => {
     return {
       prompts: [
         {
@@ -5329,7 +5335,7 @@ async function startServer(mode, mcpToken) {
       ]
     };
   });
-  server.setRequestHandler(import_types42.GetPromptRequestSchema, async (request) => {
+  server.setRequestHandler(import_types44.GetPromptRequestSchema, async (request) => {
     const { name, arguments: args } = request.params;
     switch (name) {
       case "household_summary": {
@@ -5485,17 +5491,23 @@ program.command("status").description("Show current login status and cache info"
     process.exit(1);
   }
 });
-program.command("sync").description("Force sync cache from server").action(async () => {
+program.command("sync").description("Force sync cache from server").option("-t, --token <token>", "MCP access token (or set ESTATEHELM_MCP_TOKEN env var)").action(async (options) => {
   try {
+    const token = options.token || process.env.ESTATEHELM_MCP_TOKEN;
+    if (!token) {
+      console.error("Access token required.");
+      console.error("Use --token flag or set ESTATEHELM_MCP_TOKEN environment variable.");
+      process.exit(1);
+    }
     console.log("Syncing...");
     const client = await getAuthenticatedClient();
     if (!client) {
       console.error("Not logged in. Run: estatehelm login");
       process.exit(1);
     }
-    const privateKey = await getPrivateKey();
+    const privateKey = await getPrivateKey(token);
     if (!privateKey) {
-      console.error("Failed to load encryption keys. Run: estatehelm login");
+      console.error("Failed to load encryption keys. Check your MCP token or run: estatehelm login");
       process.exit(1);
     }
     await initCache();