kojee-mcp 0.5.3 → 0.5.6

package/dist/chunk-2MIISF2W.js

@@ -0,0 +1,35 @@
+// src/auth/dpop.ts
+import { SignJWT, base64url } from "jose";
+import crypto from "crypto";
+async function createDPoPProof(privateKey, kid, method, url, nonce, accessToken) {
+  const payload = {
+    htm: method,
+    htu: url,
+    jti: crypto.randomUUID()
+  };
+  if (nonce) {
+    payload.nonce = nonce;
+  }
+  if (accessToken) {
+    payload.ath = computeAth(accessToken);
+  }
+  const header = {
+    typ: "dpop+jwt",
+    alg: "ES256",
+    jwk: { kid }
+  };
+  return new SignJWT(payload).setProtectedHeader(header).setIssuedAt().sign(privateKey);
+}
+function computeAth(accessToken) {
+  const hash = crypto.createHash("sha256").update(accessToken).digest();
+  return base64url.encode(hash);
+}
+
+// src/tandem/session-id.ts
+import { ulid } from "ulidx";
+var MCP_SESSION_ID = ulid();
+
+export {
+  createDPoPProof,
+  MCP_SESSION_ID
+};

package/dist/chunk-3XDJOHMZ.js

@@ -0,0 +1,223 @@
+import {
+  MCP_SESSION_ID,
+  createDPoPProof
+} from "./chunk-2MIISF2W.js";
+import {
+  translateHttpError,
+  translateJsonRpcError,
+  translateNetworkError
+} from "./chunk-LDZXU3DW.js";
+import {
+  secureDir,
+  secureFile
+} from "./chunk-BLEGIR35.js";
+
+// src/auth/keystore.ts
+import { importJWK, exportJWK, generateKeyPair } from "jose";
+import crypto from "crypto";
+import fs from "fs";
+import os from "os";
+import path from "path";
+var DEFAULT_PATH = path.join(os.homedir(), ".kojee", "keypair.json");
+function defaultPairedKeystorePath() {
+  return path.join(os.homedir(), ".kojee", "keypair.json");
+}
+function deriveKeystorePath(token) {
+  const hash = crypto.createHash("sha256").update(token).digest("hex").slice(0, 12);
+  return path.join(os.homedir(), ".kojee", `keypair-${hash}.json`);
+}
+async function loadKeystore(keystorePath = DEFAULT_PATH, expectedBrokerUrl) {
+  if (!fs.existsSync(keystorePath)) {
+    return null;
+  }
+  const raw = fs.readFileSync(keystorePath, "utf-8");
+  const data = JSON.parse(raw);
+  if (expectedBrokerUrl && data.broker_url !== expectedBrokerUrl) {
+    return null;
+  }
+  const privateKey = await importJWK(data.private_key_jwk, "ES256");
+  return {
+    privateKey,
+    publicJwk: data.public_jwk,
+    kid: data.kid,
+    data
+  };
+}
+async function saveKeystore(privateKey, publicJwk, kid, brokerUrl, keystorePath = DEFAULT_PATH) {
+  const dir = path.dirname(keystorePath);
+  fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  secureDir(dir);
+  const privateJwk = await exportJWK(privateKey);
+  const data = {
+    private_key_jwk: privateJwk,
+    kid,
+    broker_url: brokerUrl,
+    public_jwk: publicJwk,
+    enrolled_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  fs.writeFileSync(keystorePath, JSON.stringify(data, null, 2), {
+    mode: 384
+  });
+  secureFile(keystorePath);
+}
+async function generateES256KeyPair() {
+  const { privateKey, publicKey } = await generateKeyPair("ES256");
+  const publicJwk = await exportJWK(publicKey);
+  publicJwk.kty = "EC";
+  publicJwk.crv = "P-256";
+  return { privateKey, publicJwk };
+}
+
+// src/gateway-client.ts
+import crypto2 from "crypto";
+var GatewayClient = class {
+  constructor(brokerUrl, token, privateKey, kid, sessionId) {
+    this.brokerUrl = brokerUrl;
+    this.token = token;
+    this.privateKey = privateKey;
+    this.kid = kid;
+    this.endpoint = `${brokerUrl}/mcp/messages/${sessionId}/`;
+  }
+  brokerUrl;
+  token;
+  privateKey;
+  kid;
+  currentNonce;
+  requestCounter = 0;
+  endpoint;
+  /**
+   * Expose the DPoP signing key so peer modules sharing auth state
+   * (e.g. tandem/event-stream.ts) can sign their own requests.
+   */
+  getPrivateKey() {
+    return this.privateKey;
+  }
+  /**
+   * Expose the bot_key_id (kid) for DPoP proof headers. Paired with
+   * getPrivateKey() so peer modules can construct proofs without
+   * threading the key material through their own constructors.
+   */
+  getKid() {
+    return this.kid;
+  }
+  /**
+   * Derive a deterministic session ID from the gateway token.
+   * session_id = sha256(token + "proxy").slice(0, 16)
+   */
+  static deriveSessionId(token) {
+    const hash = crypto2.createHash("sha256").update(token + "proxy").digest("hex");
+    return hash.slice(0, 16);
+  }
+  /**
+   * Send a JSON-RPC 2.0 request to the gateway, handling DPoP auth and
+   * nonce retry transparently. A 403 `step_up_required` (deprecated feature,
+   * owner ruling 2026-06-10) is no longer polled — it surfaces immediately as
+   * a structured tool error via translateHttpError.
+   *
+   * `signal` (ROUND-3 MAJOR A) is a REAL AbortSignal threaded into the
+   * underlying `fetch` option — NOT placed inside `params`/`arguments`. A
+   * caller with a per-call timeout budget (e.g. resubscribeMemberships) passes
+   * its controller's signal here so a hung backend aborts at the budget instead
+   * of hanging forever. Putting the signal in `arguments` (the round-2 bug) both
+   * left fetch un-aborted AND serialized a junk `{}` onto the wire body.
+   */
+  async sendRpc(method, params = {}, signal) {
+    const rpcRequest = {
+      jsonrpc: "2.0",
+      id: ++this.requestCounter,
+      method,
+      params
+    };
+    return this.executeWithRetries(rpcRequest, signal);
+  }
+  async executeWithRetries(rpcRequest, signal) {
+    let response;
+    try {
+      response = await this.sendHttpRequest(rpcRequest, signal);
+    } catch (err) {
+      return translateNetworkError(err);
+    }
+    this.trackNonce(response);
+    if (response.status === 401) {
+      const body = await this.tryParseErrorBody(response);
+      if (body?.error === "use_dpop_nonce") {
+        console.error("[gateway] Nonce expired, retrying with fresh nonce...");
+        try {
+          response = await this.sendHttpRequest(rpcRequest, signal);
+        } catch (err) {
+          return translateNetworkError(err);
+        }
+        this.trackNonce(response);
+      } else {
+        const translated = translateHttpError(401, body?.error);
+        if (translated) return translated;
+      }
+    }
+    if (response.status === 403) {
+      const body = await this.tryParseErrorBody(response);
+      const translated = translateHttpError(403, body?.error, body?.trigger);
+      if (translated) return translated;
+    }
+    if (!response.ok) {
+      const body = await this.tryParseErrorBody(response);
+      const translated = translateHttpError(response.status, body?.error);
+      if (translated) return translated;
+      return {
+        content: [{ type: "text", text: `Gateway error: ${response.status}` }],
+        isError: true
+      };
+    }
+    const rpcResponse = await response.json();
+    if (rpcResponse.error) {
+      return translateJsonRpcError(rpcResponse.error);
+    }
+    const result = rpcResponse.result;
+    return result ?? { content: [{ type: "text", text: "No result" }] };
+  }
+  async sendHttpRequest(rpcRequest, signal) {
+    const proof = await createDPoPProof(
+      this.privateKey,
+      this.kid,
+      "POST",
+      this.endpoint,
+      this.currentNonce,
+      this.token
+    );
+    return fetch(this.endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `DPoP ${this.token}`,
+        DPoP: proof,
+        "Mcp-Session-Id": MCP_SESSION_ID
+      },
+      body: JSON.stringify(rpcRequest),
+      // ROUND-3 MAJOR A: the caller's AbortSignal rides HERE (a real fetch
+      // option), never inside the JSON-RPC body. `undefined` is a valid value
+      // for the fetch `signal` option (no abort wired).
+      ...signal ? { signal } : {}
+    });
+  }
+  trackNonce(response) {
+    const nonce = response.headers.get("DPoP-Nonce");
+    if (nonce) {
+      this.currentNonce = nonce;
+    }
+  }
+  async tryParseErrorBody(response) {
+    try {
+      return await response.json();
+    } catch {
+      return null;
+    }
+  }
+};
+
+export {
+  defaultPairedKeystorePath,
+  deriveKeystorePath,
+  loadKeystore,
+  saveKeystore,
+  generateES256KeyPair,
+  GatewayClient
+};

package/dist/{chunk-ZW4SW7LJ.js → chunk-64EOLZNI.js}

@@ -24,7 +24,9 @@ function buildCodexMcpServerTable(opts) {
     "[mcp_servers.kojee.env]",
     'KOJEE_RUNTIME = "codex"',
     `KOJEE_WEBHOOK_URL = "${escapeTomlString(opts.webhookUrl)}"`,
-    `KOJEE_WEBHOOK_SECRET = "${escapeTomlString(opts.webhookSecret)}"`
+    `KOJEE_WEBHOOK_SECRET = "${escapeTomlString(opts.webhookSecret)}"`,
+    // Signature emission overrides (0.5.3) — emitted only when configured.
+    ...(opts.signatureEnv ?? []).map(([k, v]) => `${k} = "${escapeTomlString(v)}"`)
   ].join("\n");
 }
 function buildCodexStopHookBlock() {
@@ -48,7 +50,7 @@ function writeCodexConfig(inputs) {
     toml = fs.readFileSync(configPath, "utf8");
   } catch {
   }
-  toml = upsertKojeeTomlTables(toml, inputs.webhookUrl, inputs.webhookSecret);
+  toml = upsertKojeeTomlTables(toml, inputs.webhookUrl, inputs.webhookSecret, inputs.signatureEnv ?? []);
   writeFile600(configPath, toml);
   const hooks = readJson(hooksPath);
   hooks.hooks ??= {};
@@ -93,10 +95,14 @@ function removeCodexConfig(opts = {}) {
   }
   return result;
 }
-function upsertKojeeTomlTables(existing, webhookUrl, webhookSecret) {
+function upsertKojeeTomlTables(existing, webhookUrl, webhookSecret, signatureEnv = []) {
   const parsed = extractKojeeBlock(existing);
   if (!parsed) {
-    const block = buildCodexMcpServerTable({ webhookUrl, webhookSecret });
+    const block = buildCodexMcpServerTable({
+      webhookUrl,
+      webhookSecret,
+      ...signatureEnv.length > 0 ? { signatureEnv } : {}
+    });
     const base2 = existing.replace(/\s*$/, "");
     return base2.length === 0 ? block + "\n" : base2 + "\n\n" + block + "\n";
   }
@@ -107,7 +113,10 @@ function upsertKojeeTomlTables(existing, webhookUrl, webhookSecret) {
   const envKeys = upsertKeyLines(parsed.envKeys, [
     ["KOJEE_RUNTIME", '"codex"'],
     ["KOJEE_WEBHOOK_URL", `"${escapeTomlString(webhookUrl)}"`],
-    ["KOJEE_WEBHOOK_SECRET", `"${escapeTomlString(webhookSecret)}"`]
+    ["KOJEE_WEBHOOK_SECRET", `"${escapeTomlString(webhookSecret)}"`],
+    // Signature emission overrides (0.5.3) — owned only when configured this
+    // run; an operator's existing signature lines are otherwise preserved.
+    ...signatureEnv.map(([k, v]) => [k, `"${escapeTomlString(v)}"`])
   ]);
   const merged = [
     KOJEE_TABLE_HEADER,

package/dist/chunk-6SK6ITFE.js

@@ -0,0 +1,142 @@
+import {
+  generateES256KeyPair,
+  loadKeystore,
+  saveKeystore
+} from "./chunk-3XDJOHMZ.js";
+
+// src/auth/auth-module.ts
+import { calculateJwkThumbprint } from "jose";
+import crypto from "crypto";
+
+// src/auth/registration.ts
+async function registerKey(brokerUrl, token, publicJwk) {
+  const url = `${brokerUrl}/api/v1/bots/keys/register/`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`
+    },
+    body: JSON.stringify({ public_jwk: publicJwk })
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(
+      `Key registration failed (${response.status}): ${body}`
+    );
+  }
+  return await response.json();
+}
+async function confirmKey(brokerUrl, token, botKeyId, challenge, signature) {
+  const url = `${brokerUrl}/api/v1/bots/keys/confirm/`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`
+    },
+    body: JSON.stringify({
+      bot_key_id: botKeyId,
+      challenge,
+      signature
+    })
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(
+      `Key confirmation failed (${response.status}): ${body}`
+    );
+  }
+  return await response.json();
+}
+
+// src/auth/auth-module.ts
+async function signChallengeRaw(privateKey, data) {
+  const signer = crypto.createSign("SHA256");
+  signer.update(data);
+  signer.end();
+  const derSignature = signer.sign(
+    privateKey
+  );
+  return derSignature.toString("base64url");
+}
+var AuthModule = class {
+  constructor(token, brokerUrl, keystorePath) {
+    this.token = token;
+    this.brokerUrl = brokerUrl;
+    this.keystorePath = keystorePath;
+  }
+  token;
+  brokerUrl;
+  keystorePath;
+  privateKey = null;
+  publicJwk = null;
+  kid = null;
+  /**
+   * Ensure we have an enrolled keypair. Either loads from disk or
+   * performs the full enrollment flow.
+   */
+  async ensureEnrolled() {
+    const existing = await loadKeystore(this.keystorePath, this.brokerUrl);
+    if (existing) {
+      this.privateKey = existing.privateKey;
+      this.publicJwk = existing.publicJwk;
+      this.kid = existing.kid;
+      console.error("[auth] Loaded existing keypair from keystore");
+      return {
+        privateKey: existing.privateKey,
+        publicJwk: existing.publicJwk,
+        kid: existing.kid
+      };
+    }
+    console.error("[auth] No valid keystore found, enrolling new keypair...");
+    const { privateKey, publicJwk } = await generateES256KeyPair();
+    const regResult = await registerKey(this.brokerUrl, this.token, publicJwk);
+    console.error(`[auth] Key registered: ${regResult.bot_key_id}`);
+    const thumbprint = await calculateJwkThumbprint(publicJwk, "sha256");
+    const challengeData = `${regResult.challenge}.${thumbprint}`;
+    const signature = await signChallengeRaw(privateKey, challengeData);
+    const confirmResult = await confirmKey(
+      this.brokerUrl,
+      this.token,
+      regResult.bot_key_id,
+      regResult.challenge,
+      signature
+    );
+    if (!confirmResult.key_confirmed) {
+      throw new Error("Key enrollment failed: confirmation was rejected");
+    }
+    console.error("[auth] Key enrollment confirmed");
+    await saveKeystore(
+      privateKey,
+      publicJwk,
+      regResult.bot_key_id,
+      this.brokerUrl,
+      this.keystorePath
+    );
+    this.privateKey = privateKey;
+    this.publicJwk = publicJwk;
+    this.kid = regResult.bot_key_id;
+    return {
+      privateKey,
+      publicJwk,
+      kid: regResult.bot_key_id
+    };
+  }
+  getPrivateKey() {
+    if (!this.privateKey) throw new Error("Not enrolled yet");
+    return this.privateKey;
+  }
+  getPublicJwk() {
+    if (!this.publicJwk) throw new Error("Not enrolled yet");
+    return this.publicJwk;
+  }
+  getKid() {
+    if (!this.kid) throw new Error("Not enrolled yet");
+    return this.kid;
+  }
+};
+
+export {
+  AuthModule
+};

package/dist/chunk-GI2CKKBL.js

@@ -0,0 +1,46 @@
+import {
+  secureDir,
+  secureFile
+} from "./chunk-BLEGIR35.js";
+
+// src/tandem/control-token.ts
+import crypto from "crypto";
+import fs from "fs";
+import os from "os";
+import path from "path";
+function controlTokenPath(kojeeDir = path.join(os.homedir(), ".kojee")) {
+  return path.join(kojeeDir, "control-token");
+}
+function issueControlToken(filePath = controlTokenPath()) {
+  const token = crypto.randomBytes(32).toString("hex");
+  const dir = path.dirname(filePath);
+  fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  secureDir(dir);
+  try {
+    fs.unlinkSync(filePath);
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
+  }
+  fs.writeFileSync(filePath, token + "\n", { mode: 384, flag: "wx" });
+  secureFile(filePath);
+  return token;
+}
+function loadControlToken(filePath = controlTokenPath()) {
+  try {
+    const raw = fs.readFileSync(filePath, "utf8").trim();
+    return raw.length > 0 ? raw : null;
+  } catch {
+    return null;
+  }
+}
+function controlTokenAuthHeaders(filePath) {
+  const token = loadControlToken(filePath);
+  return token ? { Authorization: `Bearer ${token}` } : {};
+}
+
+export {
+  controlTokenPath,
+  issueControlToken,
+  loadControlToken,
+  controlTokenAuthHeaders
+};

package/dist/chunk-HIZ4NDWN.js

@@ -0,0 +1,141 @@
+import {
+  translateToolCallResult
+} from "./chunk-LDZXU3DW.js";
+
+// src/tandem/send.ts
+var SEND_KINDS = ["message", "status"];
+function sendFailure(error, message) {
+  return { ok: false, error, message };
+}
+function parseSendRequest(input) {
+  if (typeof input !== "object" || input === null || Array.isArray(input)) {
+    return sendFailure("bad_request", "request must be a JSON object");
+  }
+  const obj = input;
+  const tandemId = obj["tandem_id"];
+  if (typeof tandemId !== "string" || tandemId.length === 0) {
+    return sendFailure("bad_request", "tandem_id is required and must be a non-empty string");
+  }
+  const body = obj["body"];
+  if (typeof body !== "string" || body.length === 0) {
+    return sendFailure("bad_request", "body is required and must be a non-empty string");
+  }
+  const request = { tandem_id: tandemId, body };
+  if (obj["reply_to"] !== void 0) {
+    if (typeof obj["reply_to"] !== "string" || obj["reply_to"].length === 0) {
+      return sendFailure("bad_request", "reply_to must be a non-empty string when present");
+    }
+    request.reply_to = obj["reply_to"];
+  }
+  if (obj["kind"] !== void 0) {
+    const kind = obj["kind"];
+    if (typeof kind !== "string" || !SEND_KINDS.includes(kind)) {
+      return sendFailure(
+        "bad_request",
+        `kind must be one of: ${SEND_KINDS.join(", ")}`
+      );
+    }
+    request.kind = kind;
+  }
+  return { ok: true, request };
+}
+function classifySendFailure(text) {
+  if (/member[\s_-]?cap/i.test(text)) {
+    return sendFailure("member_cap", text);
+  }
+  if (/gateway error:\s*403/i.test(text) || /mcp_request_blocked/i.test(text) || /blocked by a firewall/i.test(text) || /security service/i.test(text)) {
+    return sendFailure(
+      "content_blocked",
+      `content blocked by gateway \u2014 the gateway's firewall rejected the message content (commonly a literal URL in the body). De-fang or split the content and retry. Gateway said: ${text}`
+    );
+  }
+  if (/token is invalid or expired/i.test(text) || /authentication failed/i.test(text) || /re-?authoriz/i.test(text)) {
+    return sendFailure("gateway_auth", text);
+  }
+  if (/aren'?t a member|not a member/i.test(text)) {
+    return sendFailure("not_member", text);
+  }
+  if (/rate limit/i.test(text)) {
+    return sendFailure("rate_limited", text);
+  }
+  if (/cannot reach kojee gateway/i.test(text)) {
+    return sendFailure("network", text);
+  }
+  if (/^DENIED:/.test(text)) {
+    return sendFailure("governance_denied", text);
+  }
+  if (/^APPROVAL REQUIRED:/.test(text)) {
+    return sendFailure("approval_required", text);
+  }
+  return sendFailure("send_failed", text);
+}
+async function executeSend(gateway, request) {
+  const args = {
+    tandem_id: request.tandem_id,
+    body: request.body,
+    ...request.reply_to !== void 0 ? { reply_to: request.reply_to } : {},
+    ...request.kind !== void 0 ? { kind: request.kind } : {}
+  };
+  let result;
+  try {
+    result = await gateway.sendRpc("tools/call", {
+      name: "tandem_send",
+      arguments: args
+    });
+  } catch (err) {
+    return classifySendFailure(
+      `tandem_send failed: ${err?.message ?? String(err)}`
+    );
+  }
+  const translated = translateToolCallResult(result);
+  const text = (translated.content ?? []).map((c) => typeof c?.text === "string" ? c.text : "").filter(Boolean).join("\n");
+  if (translated.isError) {
+    return classifySendFailure(text || "tandem_send returned an error with no text");
+  }
+  let messageId = null;
+  let cursor = null;
+  try {
+    const parsed = JSON.parse(text);
+    const rawId = parsed["message_id"] ?? parsed["id"];
+    if (rawId !== void 0 && rawId !== null) messageId = String(rawId);
+    const rawCursor = parsed["cursor"];
+    if (typeof rawCursor === "number") cursor = rawCursor;
+  } catch {
+  }
+  return {
+    ok: true,
+    tandem_id: request.tandem_id,
+    message_id: messageId,
+    cursor,
+    text
+  };
+}
+var HTTP_STATUS_BY_CODE = {
+  bad_request: 400,
+  unauthorized: 401,
+  content_blocked: 403,
+  member_cap: 403,
+  not_member: 403,
+  governance_denied: 403,
+  approval_required: 403,
+  rate_limited: 429,
+  // Upstream/credential problems — the LOCAL surface worked, the gateway leg
+  // failed: a gateway (502) class from the caller's point of view.
+  not_paired: 502,
+  not_enrolled: 502,
+  gateway_auth: 502,
+  network: 502,
+  send_failed: 502,
+  send_unavailable: 503
+};
+function httpStatusForEnvelope(envelope) {
+  if (envelope.ok) return 200;
+  return HTTP_STATUS_BY_CODE[envelope.error] ?? 502;
+}
+
+export {
+  sendFailure,
+  parseSendRequest,
+  executeSend,
+  httpStatusForEnvelope
+};