kojee-mcp 0.5.3 → 0.5.6

package/dist/{webhook-sink-7OYZBWXA.js → webhook-sink-NWGCUDGY.js}

@@ -1,3 +1,8 @@
+import {
+  WEBHOOK_DEFAULT_SIGNATURE_HEADER,
+  WEBHOOK_DEFAULT_SIGNATURE_PREFIX
+} from "./chunk-V5VZPYMZ.js";
+
 // src/tandem/webhook-sink.ts
 import crypto from "crypto";
 import { ulid } from "ulidx";
@@ -26,12 +31,15 @@ function createWebhookSink(config, options = {}) {
   const maxQueue = options.maxQueue ?? DEFAULT_MAX_QUEUE;
   const backoffMs = options.backoffMs ?? defaultBackoffMs;
   const log = options.log ?? ((line) => console.error(`[webhook] ${line}`));
+  const signatureHeader = config.signatureHeader ?? WEBHOOK_DEFAULT_SIGNATURE_HEADER;
+  const signaturePrefix = config.signaturePrefix ?? WEBHOOK_DEFAULT_SIGNATURE_PREFIX;
   const queue = [];
   let inFlight = false;
   let stopped = false;
   let draining = false;
   const stats = {
     delivered: 0,
+    deliveredUnconfirmed: 0,
     dropped: 0,
     overflowDropped: 0,
     queueDepth: 0,
@@ -51,20 +59,26 @@ function createWebhookSink(config, options = {}) {
   }
   function prepare(event) {
     const body = JSON.stringify(event);
-    const signature = computeWebhookSignature(config.secret, body);
+    const signature = signaturePrefix + computeWebhookSignature(config.secret, body);
     const deliveryId = event.id || ulid();
     return { event, body, signature, deliveryId };
   }
   async function attempt(item) {
     const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), config.timeoutMs);
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      controller.abort();
+    }, config.timeoutMs);
     try {
       const res = await fetchImpl(config.url, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
-          // hex SHA-256 HMAC of the RAW body bytes — the receiver re-verifies.
-          "X-Kojee-Signature": item.signature,
+          // (prefix +) hex SHA-256 HMAC of the RAW body bytes — the receiver
+          // re-verifies. Header name defaults to X-Kojee-Signature; the
+          // GitHub-convention preset emits X-Hub-Signature-256 / sha256=.
+          [signatureHeader]: item.signature,
           "X-Kojee-Delivery": item.deliveryId
         },
         body: item.body,
@@ -72,7 +86,7 @@ function createWebhookSink(config, options = {}) {
       });
       return classifyStatus(res.status);
     } catch {
-      return "retry";
+      return timedOut ? "timeout" : "retry";
     } finally {
       clearTimeout(timer);
     }
@@ -87,6 +101,15 @@ function createWebhookSink(config, options = {}) {
         stats.lastAttemptAt = Date.now();
         return;
       }
+      if (outcome === "timeout") {
+        stats.deliveredUnconfirmed += 1;
+        stats.lastOutcome = "delivered-unconfirmed";
+        stats.lastAttemptAt = Date.now();
+        log(
+          `delivery=${item.deliveryId} delivered-unconfirmed (receiver slow: no response within ${config.timeoutMs}ms) \u2014 not retrying, a re-POST could duplicate the receiver's side effects`
+        );
+        return;
+      }
       if (outcome === "permanent") {
         stats.dropped += 1;
         stats.lastOutcome = "dropped";

package/dist/{wizard-7KHD5JT4.js → wizard-OSOAY4GO.js}

@@ -1,31 +1,32 @@
+import {
+  clearRuntimeRecord,
+  readRecordedRuntime,
+  recordRuntime
+} from "./chunk-EW72ZNQL.js";
 import {
   buildCodexMcpServerTable,
   buildCodexStopHookBlock,
   removeCodexConfig,
   writeCodexConfig
-} from "./chunk-ZW4SW7LJ.js";
+} from "./chunk-64EOLZNI.js";
+import {
+  kojeeHomeDir
+} from "./chunk-SQL56SEB.js";
 import {
   WIZARD_RUNTIMES,
   isWizardRuntime
 } from "./chunk-LVL25VLO.js";
 import {
-  clearRuntimeRecord,
-  readRecordedRuntime,
-  recordRuntime
-} from "./chunk-EW72ZNQL.js";
-import {
-  kojeeHomeDir
-} from "./chunk-SQL56SEB.js";
+  resolveSignatureEmission,
+  resolveWebhookConfig
+} from "./chunk-V5VZPYMZ.js";
 import {
   CODEX_LISTEN_CAP_MS,
   buildWebhookReceiverNote
-} from "./chunk-C6GZ2L2W.js";
+} from "./chunk-X672ZN7V.js";
 import {
   secureFile
 } from "./chunk-BLEGIR35.js";
-import {
-  resolveWebhookConfig
-} from "./chunk-F7L25L2J.js";
 
 // src/wizard/wizard.ts
 import crypto from "crypto";
@@ -57,28 +58,55 @@ function resolveWizardWebhook(opts) {
   const url = (opts.webhookUrl ?? env["KOJEE_WEBHOOK_URL"] ?? "").trim();
   let secret = (opts.webhookSecret ?? env["KOJEE_WEBHOOK_SECRET"] ?? "").trim();
   if (url && !secret) secret = generateWebhookSecret();
+  const sigFormat = (opts.webhookSignatureFormat ?? env["KOJEE_WEBHOOK_SIGNATURE_FORMAT"] ?? "").trim();
+  const sigHeader = (opts.webhookSignatureHeader ?? env["KOJEE_WEBHOOK_SIGNATURE_HEADER"] ?? "").trim();
+  const sigPrefix = opts.webhookSignaturePrefix ?? env["KOJEE_WEBHOOK_SIGNATURE_PREFIX"];
+  const signatureEnv = [];
+  if (sigFormat) signatureEnv.push(["KOJEE_WEBHOOK_SIGNATURE_FORMAT", sigFormat]);
+  if (sigHeader) signatureEnv.push(["KOJEE_WEBHOOK_SIGNATURE_HEADER", sigHeader]);
+  if (sigPrefix !== void 0) signatureEnv.push(["KOJEE_WEBHOOK_SIGNATURE_PREFIX", sigPrefix]);
+  const emission = resolveSignatureEmission(Object.fromEntries(signatureEnv));
   const resolution = resolveWebhookConfig({
     KOJEE_WEBHOOK_URL: url,
     KOJEE_WEBHOOK_SECRET: secret,
     ...env["KOJEE_WEBHOOK_TIMEOUT_MS"] !== void 0 ? { KOJEE_WEBHOOK_TIMEOUT_MS: env["KOJEE_WEBHOOK_TIMEOUT_MS"] } : {},
-    ...env["KOJEE_WEBHOOK_MAX_RETRIES"] !== void 0 ? { KOJEE_WEBHOOK_MAX_RETRIES: env["KOJEE_WEBHOOK_MAX_RETRIES"] } : {}
+    ...env["KOJEE_WEBHOOK_MAX_RETRIES"] !== void 0 ? { KOJEE_WEBHOOK_MAX_RETRIES: env["KOJEE_WEBHOOK_MAX_RETRIES"] } : {},
+    ...Object.fromEntries(signatureEnv)
   });
+  const warning = resolution.warning ?? (emission.warnings.length > 0 ? emission.warnings.join("; ") : void 0);
   if (resolution.error) {
-    return { url, secret, redactedSummary: "", error: resolution.error };
+    return {
+      url,
+      secret,
+      redactedSummary: "",
+      signatureEnv,
+      signatureHeader: emission.header,
+      signaturePrefix: emission.prefix,
+      error: resolution.error
+    };
   }
   return {
     url,
     secret,
-    redactedSummary: resolution.config?.redactedSummary ?? `url=${url} secret=<redacted>`
+    redactedSummary: resolution.config?.redactedSummary ?? `url=${url} secret=<redacted>`,
+    signatureEnv,
+    signatureHeader: emission.header,
+    signaturePrefix: emission.prefix,
+    ...warning !== void 0 ? { warning } : {}
   };
 }
-function writeRuntimeEnvFile(runtime, url, secret) {
+function shellSingleQuote(value) {
+  return `'${value.replace(/'/g, `'\\''`)}'`;
+}
+function writeRuntimeEnvFile(runtime, url, secret, signatureEnv = []) {
   const envPath = path.join(kojeeHomeDir(), ".kojee", `${runtime}.env`);
   const body = [
     `# kojee daemon env for runtime=${runtime} (source this before starting the daemon)`,
-    `export KOJEE_RUNTIME="${runtime}"`,
-    `export KOJEE_WEBHOOK_URL="${url}"`,
-    `export KOJEE_WEBHOOK_SECRET="${secret}"`,
+    `export KOJEE_RUNTIME=${shellSingleQuote(runtime)}`,
+    `export KOJEE_WEBHOOK_URL=${shellSingleQuote(url)}`,
+    `export KOJEE_WEBHOOK_SECRET=${shellSingleQuote(secret)}`,
+    // Signature emission overrides (0.5.3) — only when explicitly configured.
+    ...signatureEnv.map(([k, v]) => `export ${k}=${shellSingleQuote(v)}`),
     ""
   ].join("\n");
   fs.mkdirSync(path.dirname(envPath), { recursive: true, mode: 448 });
@@ -156,7 +184,8 @@ function configureCodex(opts) {
     ...opts.configPath ? { configPath: opts.configPath } : {},
     ...opts.hooksPath ? { hooksPath: opts.hooksPath } : {},
     webhookUrl: url,
-    webhookSecret: secret
+    webhookSecret: secret,
+    ...wh.signatureEnv.length > 0 ? { signatureEnv: wh.signatureEnv } : {}
   });
   recordRuntime("codex");
   const lines = [];
@@ -164,7 +193,12 @@ function configureCodex(opts) {
   lines.push("Wake mode: webhook-sink + stop-hook peek (Codex has no channel injection).");
   lines.push("");
   lines.push("Wrote [mcp_servers.kojee] to ~/.codex/config.toml:");
-  lines.push(indent(buildCodexMcpServerTable({ webhookUrl: url, webhookSecret: "<redacted>" })));
+  lines.push(indent(buildCodexMcpServerTable({
+    webhookUrl: url,
+    webhookSecret: "<redacted>",
+    ...wh.signatureEnv.length > 0 ? { signatureEnv: wh.signatureEnv } : {}
+  })));
+  if (wh.warning) lines.push(`webhook WARNING: ${wh.warning}`);
   lines.push("");
   lines.push("Wrote the Codex Stop hook (~/.codex/hooks.json; inline TOML form):");
   lines.push(indent(buildCodexStopHookBlock()));
@@ -175,7 +209,7 @@ function configureCodex(opts) {
   lines.push("Next steps (codex):");
   lines.push("  Restart Codex (or start a new `codex` / `codex exec` session) to load the MCP server and hook.");
   lines.push("  Stand up your webhook receiver at KOJEE_WEBHOOK_URL \u2014 contract:");
-  lines.push(indent(buildWebhookReceiverNote()));
+  lines.push(indent(buildWebhookReceiverNote({ header: wh.signatureHeader, prefix: wh.signaturePrefix })));
   lines.push("  Verify: kojee-mcp doctor");
   lines.push("");
   lines.push(CODEX_UNVERIFIED_NOTE);
@@ -191,23 +225,26 @@ function configureWebhookDaemon(runtime, opts) {
   lines.push(`Configured runtime: ${runtime}`);
   lines.push("Wake mode: webhook sink (daemon-consumed). NO MCP-config file, NO hooks written.");
   lines.push("");
+  if (wh.warning) lines.push(`webhook WARNING: ${wh.warning}`);
   if (wh.url) {
-    const envFile = writeRuntimeEnvFile(runtime, wh.url, wh.secret);
+    const envFile = writeRuntimeEnvFile(runtime, wh.url, wh.secret, wh.signatureEnv);
     lines.push("Export these before starting the daemon (also written to a source-able file):");
-    lines.push(`  export KOJEE_RUNTIME="${runtime}"`);
-    lines.push(`  export KOJEE_WEBHOOK_URL="${wh.url}"`);
+    lines.push(`  export KOJEE_RUNTIME=${shellSingleQuote(runtime)}`);
+    lines.push(`  export KOJEE_WEBHOOK_URL=${shellSingleQuote(wh.url)}`);
     lines.push(`  export KOJEE_WEBHOOK_SECRET=<generated; in ${envFile}>`);
+    for (const [k, v] of wh.signatureEnv) lines.push(`  export ${k}=${shellSingleQuote(v)}`);
     lines.push(`  (validated: ${wh.redactedSummary})`);
     lines.push(`  source ${envFile}`);
   } else {
     lines.push("Set the daemon env (no receiver URL supplied yet):");
-    lines.push(`  export KOJEE_RUNTIME="${runtime}"`);
+    lines.push(`  export KOJEE_RUNTIME=${shellSingleQuote(runtime)}`);
     lines.push(`  export KOJEE_WEBHOOK_URL="https://YOUR-RECEIVER.local/kojee"`);
     lines.push(`  export KOJEE_WEBHOOK_SECRET=<generate a hex secret>`);
+    for (const [k, v] of wh.signatureEnv) lines.push(`  export ${k}=${shellSingleQuote(v)}`);
   }
   lines.push("");
   lines.push("Receiver contract:");
-  lines.push(indent(buildWebhookReceiverNote()));
+  lines.push(indent(buildWebhookReceiverNote({ header: wh.signatureHeader, prefix: wh.signaturePrefix })));
   lines.push("");
   lines.push(`Next steps (${runtime}):`);
   lines.push("  Start the daemon with the env above. Verify: kojee-mcp doctor (after the daemon is up).");

package/package.json

@@ -1,14 +1,23 @@
 {
   "name": "kojee-mcp",
-  "version": "0.5.3",
+  "version": "0.5.6",
   "type": "module",
   "main": "dist/index.js",
+  "exports": {
+    ".": "./dist/index.js",
+    "./lib": {
+      "types": "./dist/lib.d.ts",
+      "default": "./dist/lib.js"
+    },
+    "./package.json": "./package.json"
+  },
   "bin": {
     "kojee-mcp": "dist/cli.js"
   },
   "_buildNote": "src/version.ts resolves package.json via '../package.json' from import.meta.url; this assumes dist output stays flat one level under the package root (tsup default outDir=dist, no nesting). If the build adds outDir nesting or a deeper entry, update version.ts's relative path.",
   "scripts": {
-    "build": "tsup src/cli.ts src/index.ts --format esm --dts --clean",
+    "build": "tsup src/cli.ts src/index.ts src/lib.ts --format esm --dts --clean",
+    "prepublishOnly": "npm run build && node scripts/verify-tarball.mjs",
     "dev": "tsup src/cli.ts --format esm --watch",
     "typecheck": "tsc --noEmit",
     "test": "vitest run",

package/dist/chunk-F7L25L2J.js

@@ -1,60 +0,0 @@
-// src/tandem/webhook-config.ts
-var WEBHOOK_DEFAULT_TIMEOUT_MS = 5e3;
-var WEBHOOK_DEFAULT_MAX_RETRIES = 4;
-function redactUrlUserinfo(rawUrl, parsed) {
-  if (!parsed.username && !parsed.password) return rawUrl;
-  parsed.username = "";
-  parsed.password = "";
-  return parsed.toString();
-}
-function parsePositiveInt(raw, fallback) {
-  if (raw === void 0) return fallback;
-  const n = Number(raw);
-  if (!Number.isFinite(n) || !Number.isInteger(n) || n <= 0) return fallback;
-  return n;
-}
-function resolveWebhookConfig(env = process.env) {
-  const url = (env["KOJEE_WEBHOOK_URL"] ?? "").trim();
-  if (!url) {
-    return { enabled: false, config: null };
-  }
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch {
-    return {
-      enabled: false,
-      config: null,
-      error: `KOJEE_WEBHOOK_URL is not a valid URL \u2014 webhook sink DISABLED`
-    };
-  }
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    return {
-      enabled: false,
-      config: null,
-      error: `KOJEE_WEBHOOK_URL must be http(s) (got ${parsed.protocol}) \u2014 webhook sink DISABLED`
-    };
-  }
-  const secret = (env["KOJEE_WEBHOOK_SECRET"] ?? "").trim();
-  if (!secret) {
-    return {
-      enabled: false,
-      config: null,
-      error: "KOJEE_WEBHOOK_URL is set but KOJEE_WEBHOOK_SECRET is missing \u2014 webhook sink DISABLED (the proxy NEVER sends unsigned webhooks)"
-    };
-  }
-  const timeoutMs = parsePositiveInt(env["KOJEE_WEBHOOK_TIMEOUT_MS"], WEBHOOK_DEFAULT_TIMEOUT_MS);
-  const maxRetries = parsePositiveInt(env["KOJEE_WEBHOOK_MAX_RETRIES"], WEBHOOK_DEFAULT_MAX_RETRIES);
-  const safeUrl = redactUrlUserinfo(url, parsed);
-  const redactedSummary = `url=${safeUrl} secret=<redacted> timeoutMs=${timeoutMs} maxRetries=${maxRetries}`;
-  return {
-    enabled: true,
-    config: { url, secret, timeoutMs, maxRetries, redactedSummary }
-  };
-}
-
-export {
-  WEBHOOK_DEFAULT_TIMEOUT_MS,
-  WEBHOOK_DEFAULT_MAX_RETRIES,
-  resolveWebhookConfig
-};

package/dist/webhook-config-5TLLX7RA.js

@@ -1,10 +0,0 @@
-import {
-  WEBHOOK_DEFAULT_MAX_RETRIES,
-  WEBHOOK_DEFAULT_TIMEOUT_MS,
-  resolveWebhookConfig
-} from "./chunk-F7L25L2J.js";
-export {
-  WEBHOOK_DEFAULT_MAX_RETRIES,
-  WEBHOOK_DEFAULT_TIMEOUT_MS,
-  resolveWebhookConfig
-};