kojee-mcp 0.5.2 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +29 -0
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -220,6 +220,35 @@ in it is Hermes-specific — and it is **OFF by default**.
220
220
  | `KOJEE_WEBHOOK_SECRET` | HMAC-SHA256 key for the signature header. URL set but secret unset ⇒ sink **DISABLED with an error** (the proxy NEVER sends unsigned webhooks). |
221
221
  | `KOJEE_WEBHOOK_TIMEOUT_MS` | Per-attempt request timeout (default `5000`). |
222
222
  | `KOJEE_WEBHOOK_MAX_RETRIES` | Retries on a retryable failure — network / 5xx / 408 / 429 (default `4`). |
223
+ | `KOJEE_WEBHOOK_SIGNATURE_HEADER` | Header name carrying the signature (default `X-Kojee-Signature`). |
224
+ | `KOJEE_WEBHOOK_SIGNATURE_PREFIX` | Literal string prepended to the hex digest (default empty — bare hex). |
225
+ | `KOJEE_WEBHOOK_SIGNATURE_FORMAT` | Optional preset. `github` ⇒ header `X-Hub-Signature-256`, prefix `sha256=` (the GitHub-webhook convention). Explicit `_HEADER`/`_PREFIX` vars override the preset's corresponding value. Unknown values are **warned about once and ignored** — never fatal. |
226
+
227
+ **Signature emission is configurable (0.5.3)** — the HMAC *computation* never
228
+ changes (hex SHA-256 HMAC of the raw body bytes, keyed by
229
+ `KOJEE_WEBHOOK_SECRET`); only the header name and an optional digest prefix do.
230
+ Defaults are byte-identical to 0.5.2. For a GitHub-convention receiver (Hermes
231
+ and most off-the-shelf webhook verifiers):
232
+
233
+ ```bash
234
+ export KOJEE_WEBHOOK_SIGNATURE_FORMAT=github
235
+ # Each POST then carries:
236
+ # X-Hub-Signature-256: sha256=<hex HMAC-SHA256 of the raw body, keyed by KOJEE_WEBHOOK_SECRET>
237
+ # which verifies with any GitHub-style check, e.g.:
238
+ # expected = "sha256=" + HMAC_SHA256_hex(secret, raw_body)
239
+ # timing_safe_equal(header, expected)
240
+ ```
241
+
242
+ Or set the pieces individually (these override the preset):
243
+
244
+ ```bash
245
+ export KOJEE_WEBHOOK_SIGNATURE_HEADER="X-Hub-Signature-256"
246
+ export KOJEE_WEBHOOK_SIGNATURE_PREFIX="sha256="
247
+ ```
248
+
249
+ The wizard can persist this non-interactively, e.g.
250
+ `kojee-mcp init --runtime hermes --webhook-url https://… --webhook-signature-format github`
251
+ (also `--webhook-signature-header` / `--webhook-signature-prefix`).
223
252
 
224
253
  **Receiver contract** (the single source of truth is `buildWebhookReceiverNote()`
225
254
  in `src/tandem/recipe.ts`, and the exact body shape is the `WEBHOOK_BODY_SHAPE`
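Review bot: The `KOJEE_WEBHOOK_SIGNATURE_FORMAT` row makes an unknown preset value "warned about once and ignored", so a misspelled preset leaves the sink on the default `X-Kojee-Signature` header with a bare hex digest while the receiver is configured for `X-Hub-Signature-256: sha256=…`, and every delivery then fails verification on the receiving side. That is a softer failure mode than the `KOJEE_WEBHOOK_SECRET` row, which disables the sink with an error; the README should either state this fallback explicitly next to the preset description or list the accepted preset values so the mismatch is easy to spot. Two further gaps in the added text: the override sentence does not say whether an explicitly empty `KOJEE_WEBHOOK_SIGNATURE_PREFIX` counts as set and therefore overrides the preset's `sha256=`, and the `KOJEE_WEBHOOK_SIGNATURE_HEADER` row gives no constraint on the header name (for example, what happens if it collides with a header the proxy already sends). The bash comment showing `timing_safe_equal(header, expected)` is worth keeping; it would help to add that `expected` must include the configured prefix, since the comparison is over the whole header value.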
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "kojee-mcp",
3
- "version": "0.5.2",
3
+ "version": "0.5.3",
4
4
  "type": "module",
5
5
  "main": "dist/index.js",
6
6
  "bin": {
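Review bot: The bump to `"version": "0.5.3"` is the only change listed outside `package/README.md` ("Files changed (2)"), so nothing visible in this diff implements the three new `KOJEE_WEBHOOK_SIGNATURE_*` variables or the `--webhook-signature-*` wizard flags that the README now documents. Before relying on the release, confirm that the published build actually reads these settings, and that the README's claim "Defaults are byte-identical to 0.5.2" is backed by a test comparing the emitted header name and value with no signature variables set.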