kojee-mcp 0.5.4 → 0.5.7

package/dist/lib.d.ts

@@ -0,0 +1,427 @@
+import { KeyLike, JWK } from 'jose';
+import { L as LoadedKeyPair, K as KeystoreData, G as GatewayClient } from './gateway-client-93P1E0CZ.js';
+export { P as ProxyConfig, T as ToolCallResult } from './gateway-client-93P1E0CZ.js';
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+
+/**
+ * Wire shape of a single SSE event from /api/v2/tandems/stream.
+ * Matches A2A spec §6.1 + impl plan B2 SSE event payload.
+ */
+interface TandemEvent {
+    type: "message" | "state_change";
+    id: string;
+    tandem_id: string;
+    cursor: number;
+    time: string;
+    from: {
+        member_id: string;
+        principal: string;
+        agent_id?: string;
+        session_id?: string;
+        displayname: string;
+    };
+    kind: "tell" | "ask" | "ack" | "status" | "message" | "system";
+    content: {
+        body: string;
+        format?: string;
+    };
+    mentions?: Array<{
+        type: "principal";
+        member_id: string;
+        displayname_at_mention: string;
+    } | {
+        type: "class";
+        class: "all" | "humans" | "agents" | "businesses";
+    } | {
+        type: "unresolved";
+        raw: string;
+    }>;
+    reply_to?: string | null;
+    severity?: string;
+}
+
+/**
+ * Orchestrates key enrollment: checks keystore, generates keys if needed,
+ * runs register -> confirm flow.
+ */
+declare class AuthModule {
+    private readonly token;
+    private readonly brokerUrl;
+    private readonly keystorePath;
+    private privateKey;
+    private publicJwk;
+    private kid;
+    constructor(token: string, brokerUrl: string, keystorePath: string);
+    /**
+     * Ensure we have an enrolled keypair. Either loads from disk or
+     * performs the full enrollment flow.
+     */
+    ensureEnrolled(): Promise<LoadedKeyPair>;
+    getPrivateKey(): KeyLike;
+    getPublicJwk(): JWK;
+    getKid(): string;
+}
+
+/**
+ * Create a DPoP proof JWT for authenticating requests to the Kojee gateway.
+ *
+ * The JWT header must contain:
+ *   - typ: "dpop+jwt"
+ *   - alg: "ES256"
+ *   - jwk: { kid: <bot_key_id> }  (server reads kid from the jwk sub-object)
+ *
+ * The JWT payload must contain:
+ *   - htm: HTTP method
+ *   - htu: request URL
+ *   - iat: issued-at (unix seconds)
+ *   - jti: unique identifier (UUID) for replay protection
+ *   - nonce: server-issued DPoP nonce (when available)
+ *   - ath: base64url(SHA-256(access_token)) — binds proof to the token
+ *
+ * @param privateKey  - ES256 private key for signing
+ * @param kid         - bot_key_id from enrollment
+ * @param method      - HTTP method (e.g. "POST")
+ * @param url         - Full URL of the request endpoint
+ * @param nonce       - Server-issued DPoP nonce (optional on first request)
+ * @param accessToken - Gateway token for ath claim
+ * @returns Signed DPoP proof JWT string
+ */
+declare function createDPoPProof(privateKey: KeyLike, kid: string, method: string, url: string, nonce?: string, accessToken?: string): Promise<string>;
+
+/**
+ * Canonical keystore path for PAIRED mode (`kojee-mcp pair`):
+ * ~/.kojee/keypair.json.
+ *
+ * The backend keeps exactly ONE DPoP key per gateway token (register_bot_key
+ * REPLACES; verification is exact-kid-match) — so every client of the same
+ * credential on a box MUST share one keystore or they enroll over each other
+ * in a lockout ping-pong. These two functions ARE that contract; out-of-repo
+ * consumers (the OpenClaw/Hermes plugins via `kojee-mcp/lib`) reuse them
+ * rather than reimplementing the paths.
+ */
+declare function defaultPairedKeystorePath(): string;
+/**
+ * Canonical keystore path for TOKEN mode (explicit `--token` / env token):
+ * ~/.kojee/keypair-<sha256(token)[:12]>.json — one slot per distinct token.
+ */
+declare function deriveKeystorePath(token: string): string;
+/**
+ * Load an existing keypair from disk.
+ * Returns null if the file does not exist or the broker URL does not match.
+ */
+declare function loadKeystore(keystorePath?: string, expectedBrokerUrl?: string): Promise<(LoadedKeyPair & {
+    data: KeystoreData;
+}) | null>;
+/**
+ * Save a keypair to disk with restrictive file permissions.
+ */
+declare function saveKeystore(privateKey: KeyLike, publicJwk: JWK, kid: string, brokerUrl: string, keystorePath?: string): Promise<void>;
+/**
+ * Generate a new ES256 key pair and export the public JWK.
+ */
+declare function generateES256KeyPair(): Promise<{
+    privateKey: KeyLike;
+    publicJwk: JWK;
+}>;
+
+interface PairedConfig {
+    token: string;
+    broker_url: string;
+    paired_at: string;
+    principal_id?: string;
+    agent_id?: string;
+}
+declare function pairedConfigPath(): string;
+declare function loadPairedConfig(filePath?: string): PairedConfig | null;
+
+type Runtime = "claude-code" | "codex" | "unknown";
+
+/**
+ * Per-harness adapter. Today: minimal — only what's needed for the
+ * Channels wake-path. Grows as Codex/Cursor/Openclaw adapters land.
+ */
+interface HarnessAdapter {
+    readonly runtime: Runtime;
+    readonly supportsChannels: boolean;
+    /**
+     * Format a Tandem event into the {content, meta} pair that becomes
+     * a <channel source="..." key=value ...>content</channel> tag in
+     * the agent's context.
+     *
+     * Meta keys must match /^[a-z_][a-z0-9_]*$/ (CC docs requirement);
+     * values are free-form strings.
+     *
+     * Adapters with supportsChannels=false MUST throw if this is called;
+     * server.ts gates the call site on supportsChannels.
+     */
+    formatTandemEvent(event: TandemEvent): {
+        content: string;
+        meta: Record<string, string>;
+    };
+}
+
+interface QueueEntry {
+    event: TandemEvent;
+    receivedAt: number;
+    deliveredViaChannel: boolean;
+    deliveredViaMonitor: boolean;
+    deliveredViaHook: boolean;
+}
+interface EventQueueOptions {
+    capacity?: number;
+    maxAgeMs?: number;
+}
+/**
+ * In-memory queue of Tandem events with per-event delivery-tracking metadata.
+ *
+ * Dedup rule (locked in spec §0 decision 3): hook-deliverable subset is
+ * entries where !deliveredViaChannel && !deliveredViaHook. Channel-delivered
+ * events are suppressed from the hook path to avoid double-delivery.
+ *
+ * Eviction: by maxAgeMs on read of push (default 10min), by capacity FIFO
+ * (default 200). Bounds memory under "agent isn't paying attention" cases.
+ */
+declare class EventQueue {
+    private entries;
+    private readonly capacity;
+    private readonly maxAgeMs;
+    constructor(opts?: EventQueueOptions);
+    push(event: TandemEvent): void;
+    markChannelDelivered(eventId: string): void;
+    markMonitorDelivered(eventId: string): void;
+    takeForHook(): QueueEntry[];
+    snapshot(): QueueEntry[];
+}
+
+interface EventLog {
+    /** The MESSAGES-ONLY log (byte-compatible with the old deployed recipe). */
+    path: string;
+    /** The SEPARATE status/telemetry sibling, next to `path`. */
+    statusPath: string;
+    append(event: TandemEvent): Promise<void>;
+    /**
+     * Append a raw STATUS line (round-2: SPLIT THE STREAMS). Status/heartbeat
+     * lines describe stream health, not Tandem messages — and they NEVER touch
+     * the messages log. They go to a SEPARATE sibling file (`statusPath`) so the
+     * messages log stays byte-compatible with every OLD deployed Monitor (which
+     * runs raw `tail -n +1 -F <messages-log>` and wakes on every line it sees).
+     * Status lines bypass the per-event-id dedup set (they have no event.id) and
+     * are NOT subject to body truncation. Callers pass the field body (e.g.
+     * "status=connected", "status=heartbeat", "status=subscribed n=3"); this
+     * method prefixes the timestamp + sentinel.
+     */
+    appendStatus(fields: string): Promise<void>;
+    cleanup(): void;
+}
+
+interface WebhookSinkStats {
+    /** Events successfully delivered (a 2xx response). */
+    delivered: number;
+    /**
+     * Events whose attempt TIMED OUT: the receiver may well have processed them
+     * (a session-spawning receiver answers late), so they are NOT retried and
+     * NOT counted as dropped — delivery is unconfirmed, not failed (0.5.6).
+     */
+    deliveredUnconfirmed: number;
+    /** Events dropped after a permanent failure or exhausted retries. */
+    dropped: number;
+    /** Events dropped because the bounded queue was full at enqueue time. */
+    overflowDropped: number;
+    /** Current depth = buffered + (in-flight ? 1 : 0). */
+    queueDepth: number;
+    /** Last delivery outcome, for doctor/status. */
+    lastOutcome: "delivered" | "delivered-unconfirmed" | "dropped" | "none";
+    /** Epoch-ms of the last delivery attempt's completion (success or final drop). */
+    lastAttemptAt: number | null;
+}
+interface WebhookSink {
+    /**
+     * Fire-and-forget. Push an event for delivery. SYNCHRONOUS — never blocks,
+     * never throws, never awaits the in-flight POST. This is what consumeSse
+     * calls AFTER the channel + event-log sinks, so a webhook can't delay a wake.
+     */
+    enqueue(event: TandemEvent): void;
+    /** Snapshot of delivery counters (for /status + doctor). */
+    stats(): WebhookSinkStats;
+    /** A log-safe summary that NEVER contains the secret. */
+    configSummary(): string;
+    /** Resolves when the queue is fully drained (no buffered, none in flight). */
+    idle(): Promise<void>;
+    /** Stop the drainer and drop any buffered events (best-effort, on shutdown). */
+    stop(): Promise<void>;
+}
+
+interface EventStreamOptions {
+    brokerUrl: string;
+    token: string;
+    gateway: GatewayClient;
+    adapter: HarnessAdapter;
+    server: Server;
+    queue?: EventQueue;
+    eventLog?: EventLog;
+    /**
+     * Optional WEBHOOK SINK — a third, isolated delivery sink. When wired, every
+     * normalized TandemEvent is also pushed (fire-and-forget) to a configured
+     * HTTP endpoint so a daemonized proxy can wake a runtime via a local receiver.
+     * The push is SYNCHRONOUS and runs LAST in the fan-out, AFTER the event-log
+     * (Monitor wake) and channel sinks, so a slow/hanging/failing webhook can
+     * never delay or break those wake paths (see webhook-sink.ts). Unset ⇒ no
+     * webhook delivery, zero behavior change.
+     */
+    webhookSink?: WebhookSink;
+    /**
+     * Resubscribe-on-start hook (P0 audit item #2). Called once after each
+     * successful (re)connect with the live `Response`. Implementations touch
+     * the agent's memberships so a backend that scopes the stream by
+     * session-touch self-heals on every backend restart / scope reset, and
+     * write a `status=subscribed n=<count>` line to the event log. Injected so
+     * the proxy startup wires it (it owns the tandem_list result + gateway) and
+     * the unit tests can assert it fires per-connect without a live backend.
+     *
+     * CAVEAT (documented in resubscribeMemberships): which tool call actually
+     * registers a session for streaming is an UNVERIFIED backend contract — see
+     * docs/forward-to-backend. Until the backend defines it, the touch is a
+     * best-effort no-op-safe read and the status line is the load-bearing part.
+     */
+    onConnected?: () => void | Promise<void>;
+}
+/**
+ * Live stream state, surfaced by the hook-server's GET /status so `kojee-mcp
+ * doctor` can give an authoritative verdict instead of guessing from file
+ * mtimes (audit P2 doctor item). All timestamps are epoch ms, or null when the
+ * event hasn't happened yet.
+ */
+interface StreamState {
+    /** True between a successful connect and the next disconnect. */
+    connected: boolean;
+    /** When the current connection opened (null if never connected). */
+    connectedSince: number | null;
+    /** Last time ANY byte arrived on the stream (null if never). */
+    lastEventAt: number | null;
+    /** Last time a backend heartbeat arrived (null if never). */
+    lastHeartbeatAt: number | null;
+    /** Per-room high-water cursors (tandemId → cursor). */
+    cursors: Record<string, number>;
+    /** How many times the stream has (re)connected. */
+    reconnectCount: number;
+    /**
+     * The LEARNED stale-stream threshold in ms (3× the observed heartbeat
+     * interval, ≥90s floor), or null when the watchdog hasn't yet observed ≥2
+     * heartbeats. null ⇒ no cadence learned ⇒ the proxy will NOT abort on
+     * silence, and `/status` must NOT declare the stream stale (idle ≠ dead).
+     */
+    staleAfterMs: number | null;
+}
+/**
+ * A cancel function that also exposes the live stream state for /status and a
+ * graceful `reconnect()` (0.5.4 wake continuity): the subscription is a
+ * connect-time snapshot of the caller's memberships, so a seat acquired AFTER
+ * connect (tandem_join via the proxy) is invisible until the next reconnect.
+ * `reconnect()` closes the current connection and lets the existing
+ * backoff/jitter machinery re-open it — the new snapshot then includes the
+ * just-acquired seats. No-op after cancel.
+ */
+type StreamHandle = (() => void) & {
+    getState: () => StreamState;
+    reconnect: () => void;
+};
+/**
+ * Long-lived SSE subscription to /api/v2/tandems/stream.
+ * Returns a cancel function the caller can invoke on shutdown.
+ *
+ * Reconnect strategy: exponential backoff (1s → 30s) with full jitter.
+ * Resume via a PER-ROOM cursor map: ?since=<tandemId>:<cursor>,<tandemId>:<cursor>,…
+ * Cursors are per-tandem, so a single global `since` would skip/dupe events
+ * across rooms on a multi-room reconnect (H3). We track each room's high-water
+ * mark and resume each independently. Against a backend that predates H3 (which
+ * 400s the map), the proxy falls back to a bare global `?since=<n>` so it stays
+ * compatible with ANY backend version regardless of deploy order — see
+ * connectAndConsume.
+ *
+ * SSE failure never crashes the proxy — connector tool traffic
+ * continues uninterrupted.
+ */
+declare function startEventStream(opts: EventStreamOptions): Promise<StreamHandle>;
+/**
+ * Sanitize a wire-controlled displayname for terminal-bound output.
+ *
+ * `sender.display` lands in the line-oriented event log (`from=<name>`) AND in
+ * channel content/meta, both of which reach a terminal AND are read back by a
+ * Claude Code agent (a prompt-injection channel). Without sanitization an
+ * interior `\n` forges an entire fake wake-line (attacker-chosen
+ * `tandem=`/`cursor=`/`msg=`) that the Monitor delivers as a separate wake,
+ * ANSI escapes reach the terminal, and invisible code points (the TAG block,
+ * variation selectors, zero-width/bidi) smuggle hidden bytes into the agent's
+ * reading context.
+ *
+ * Defense-in-depth: we do NOT trust the backend to sanitize terminal-bound
+ * output. Same policy as the backend naming funnel (apps/tandems/naming.py
+ * `sanitize_display_name`), byte for byte:
+ *   1. NFC-normalize first so a decomposed base+combining input folds to its
+ *      precomposed form (`e` + combining acute → `é`) before filtering.
+ *   2. DROP every code point in the strip categories (Cc/Cf/Cs/Co/Cn) or the
+ *      invisible-Mn set. Allowlist-leaning: letters, marks, numbers,
+ *      punctuation, symbols, and spaces survive.
+ *   3. Cap any CONSECUTIVE combining-mark (Mn) run at MAX_COMBINING_RUN
+ *      (zalgo defense — legitimate single accents survive).
+ *   4. Collapse whitespace runs (incl. LS/PS and exotic Zs spaces) to single
+ *      ASCII spaces, trim.
+ *   5. Cap at MAX_DISPLAYNAME_CHARS without splitting a surrogate pair, then
+ *      trim any trailing space the cut exposed — so the function is
+ *      idempotent.
+ * Returns "" if nothing survives (all-hostile input) so the caller can fall
+ * back to the historical `principal:<prefix>` synthesis.
+ */
+declare function sanitizeDisplayname(name: string): string;
+declare function normalizeBackendEvent(raw: unknown, sseEventType: string): TandemEvent;
+
+/** Mutable debounce cursor shared across reconnects (one per proxy). */
+interface ResubscribeDebounceState {
+    /** Epoch-ms of the last SUCCESSFUL (non-skipped) resubscribe run. */
+    lastRunAt: number;
+}
+interface ResubscribeOptions {
+    gateway: GatewayClient;
+    eventLog?: EventLog;
+    /**
+     * The tandem_ids to touch. Provide EITHER `tandemIds` (a fixed snapshot) OR
+     * `listTandems` (a fresh fetch per call). ROUND-2 MINOR 6: the proxy should
+     * pass `listTandems` so the membership list is RE-LISTED on every reconnect —
+     * a tandem joined mid-session is then touched on the next reconnect instead
+     * of being frozen at boot. `tandemIds` remains for tests and simple callers.
+     * Empty result ⇒ nothing to touch; we still log `status=subscribed n=0`.
+     */
+    tandemIds?: string[];
+    /** Fresh membership fetch, called once per resubscribe (per reconnect). */
+    listTandems?: () => Promise<string[]>;
+    /** Per-touch timeout budget (AbortSignal). Default 10s. */
+    perCallTimeoutMs?: number;
+    /** Bounded touch concurrency. Default 4. */
+    concurrency?: number;
+    /**
+     * Flap-damping window (MINOR E). When `debounceState` is provided and the
+     * last successful run was < `debounceMs` ago, this resubscribe is SKIPPED
+     * (returns 0, no touches, no status line). Default 30s. With no
+     * `debounceState` the debounce is inert (every call runs) — preserving the
+     * existing test/simple-caller behavior.
+     */
+    debounceMs?: number;
+    /** Shared debounce cursor (one per proxy). Omit to disable debouncing. */
+    debounceState?: ResubscribeDebounceState;
+    /** Injectable clock for tests. Defaults to Date.now. */
+    now?: () => number;
+}
+/**
+ * Touch each membership (best-effort, in parallel with a bounded pool and a
+ * per-call AbortSignal timeout) and write a `status=subscribed n=<count>` line.
+ * Returns the number of tandems for which the touch call succeeded. Never
+ * throws — a failed/timed-out touch is folded into the status line's `touched=`
+ * count and to stderr, but must not break the stream loop that calls it.
+ *
+ * MINOR 6: this runs CONCURRENTLY with consumeSse (the caller does not await it
+ * before consuming the stream), so a hung gateway call can never stall
+ * first-event delivery; the per-call timeout caps each touch independently.
+ */
+declare function resubscribeMemberships(opts: ResubscribeOptions): Promise<number>;
+
+export { AuthModule, type EventLog, type EventStreamOptions, GatewayClient, type HarnessAdapter, type PairedConfig, type Runtime, type StreamHandle, type StreamState, type TandemEvent, type WebhookSink, createDPoPProof, defaultPairedKeystorePath, deriveKeystorePath, generateES256KeyPair, loadKeystore, loadPairedConfig, normalizeBackendEvent, pairedConfigPath, resubscribeMemberships, sanitizeDisplayname, saveKeystore, startEventStream };

package/dist/lib.js

@@ -0,0 +1,44 @@
+import {
+  resubscribeMemberships
+} from "./chunk-OT2GILXC.js";
+import {
+  loadPairedConfig,
+  pairedConfigPath
+} from "./chunk-YH27B6SW.js";
+import {
+  AuthModule
+} from "./chunk-6SK6ITFE.js";
+import {
+  GatewayClient,
+  defaultPairedKeystorePath,
+  deriveKeystorePath,
+  generateES256KeyPair,
+  loadKeystore,
+  saveKeystore
+} from "./chunk-3XDJOHMZ.js";
+import {
+  normalizeBackendEvent,
+  sanitizeDisplayname,
+  startEventStream
+} from "./chunk-UEGQGXPY.js";
+import {
+  createDPoPProof
+} from "./chunk-2MIISF2W.js";
+import "./chunk-LDZXU3DW.js";
+import "./chunk-BLEGIR35.js";
+export {
+  AuthModule,
+  GatewayClient,
+  createDPoPProof,
+  defaultPairedKeystorePath,
+  deriveKeystorePath,
+  generateES256KeyPair,
+  loadKeystore,
+  loadPairedConfig,
+  normalizeBackendEvent,
+  pairedConfigPath,
+  resubscribeMemberships,
+  sanitizeDisplayname,
+  saveKeystore,
+  startEventStream
+};

package/dist/parent-watchdog-RZLHYP7T.js

@@ -0,0 +1,65 @@
+import {
+  findClaudeAncestorPid
+} from "./chunk-BJMASMKX.js";
+
+// src/runtime/parent-watchdog.ts
+function defaultIsPidAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    if (err.code === "EPERM") return true;
+    return false;
+  }
+}
+function createParentWatchdog(opts) {
+  const intervalMs = opts.intervalMs ?? 7e3;
+  const isPidAlive = opts.isPidAlive ?? defaultIsPidAlive;
+  const resolveAncestor = opts.resolveAncestor ?? (() => findClaudeAncestorPid());
+  let timer = null;
+  let fired = false;
+  let checking = false;
+  function stop() {
+    if (timer !== null) {
+      clearInterval(timer);
+      timer = null;
+    }
+  }
+  async function check() {
+    if (fired || checking) return;
+    checking = true;
+    try {
+      const ccPidAlive = isPidAlive(opts.ccPid);
+      if (ccPidAlive) return;
+      let ancestor = null;
+      try {
+        ancestor = await resolveAncestor();
+      } catch {
+        ancestor = null;
+      }
+      if (ancestor !== null) return;
+      fired = true;
+      stop();
+      try {
+        opts.onParentGone();
+      } catch {
+      }
+    } finally {
+      checking = false;
+    }
+  }
+  return {
+    start() {
+      if (timer !== null || fired) return;
+      timer = setInterval(() => {
+        void check();
+      }, intervalMs);
+      timer.unref?.();
+    },
+    stop
+  };
+}
+export {
+  createParentWatchdog,
+  defaultIsPidAlive
+};

package/dist/reconnect-scheduler-ARV6JIWK.js

@@ -0,0 +1,36 @@
+// src/tandem/reconnect-scheduler.ts
+var DEFAULT_DEBOUNCE_MS = 1e3;
+function createJoinReconnectScheduler(opts) {
+  const debounceMs = opts.debounceMs ?? DEFAULT_DEBOUNCE_MS;
+  let pending = null;
+  let queued = false;
+  function fire() {
+    try {
+      return opts.reconnect() !== false;
+    } catch (err) {
+      console.error(
+        "[join-reconnect] reconnect action failed:",
+        err?.message ?? String(err)
+      );
+      return true;
+    }
+  }
+  return {
+    requestReconnect() {
+      if (pending !== null) return;
+      pending = setTimeout(() => {
+        pending = null;
+        if (!fire()) queued = true;
+      }, debounceMs);
+      pending.unref?.();
+    },
+    notifyReady() {
+      if (!queued) return;
+      queued = false;
+      if (!fire()) queued = true;
+    }
+  };
+}
+export {
+  createJoinReconnectScheduler
+};

package/dist/resubscribe-G5OGDZJD.js

@@ -0,0 +1,6 @@
+import {
+  resubscribeMemberships
+} from "./chunk-OT2GILXC.js";
+export {
+  resubscribeMemberships
+};

package/dist/{send-cli-7QJ36YY7.js → send-cli-C2F4WTBN.js}

@@ -4,7 +4,7 @@ import {
 import {
   GatewayClient,
   loadKeystore
-} from "./chunk-36L3GCU3.js";
+} from "./chunk-3XDJOHMZ.js";
 import "./chunk-2MIISF2W.js";
 import {
   executeSend,

package/dist/{stop-hook-GO363SMD.js → stop-hook-46BJD55B.js}

@@ -2,16 +2,19 @@ import {
   readHookStdin
 } from "./chunk-LSUB6QMP.js";
 import {
-  deriveDiscoveryKey,
-  findClaudeAncestorPid
-} from "./chunk-BJMASMKX.js";
+  monitorHeartbeatPath,
+  nudgeSentinelPath
+} from "./chunk-2TUAFAIW.js";
+import {
+  controlTokenAuthHeaders
+} from "./chunk-GI2CKKBL.js";
 import {
   buildMonitorNudge
 } from "./chunk-X672ZN7V.js";
 import {
-  monitorHeartbeatPath,
-  nudgeSentinelPath
-} from "./chunk-2TUAFAIW.js";
+  deriveDiscoveryKey,
+  findClaudeAncestorPid
+} from "./chunk-BJMASMKX.js";
 import {
   readSessionDiscoveryByKey
 } from "./chunk-DO42NPNR.js";
@@ -74,7 +77,12 @@ async function runStopHook() {
     discovery: discovery ? { port: discovery.port, eventLogPath: discovery.eventLogPath } : null,
     pollEvents: async () => {
       const res = await fetch(
-        `http://127.0.0.1:${discovery.port}/poll?type=stop&timeout_ms=${STOP_POLL_TIMEOUT_MS}`
+        `http://127.0.0.1:${discovery.port}/poll?type=stop&timeout_ms=${STOP_POLL_TIMEOUT_MS}`,
+        // 0.5.4: GET /poll is gated by the control token. Same-user hook —
+        // read the bearer from the path the discovery file advertises. A
+        // missing token yields no header and the !res.ok branch degrades to
+        // "no events" (fail-open, the Monitor file path is the primary wake).
+        { headers: controlTokenAuthHeaders(discovery.controlTokenPath) }
       );
       if (!res.ok) return { events: [], count: 0 };
       return await res.json();

package/dist/{tail-stream-U436QL2X.js → tail-stream-VUZBYKXS.js}

@@ -1,12 +1,12 @@
-import {
-  createAdaptiveWatchdog
-} from "./chunk-YVUXQ4Z2.js";
-import "./chunk-2MIISF2W.js";
 import {
   STATUS_LINE_PREFIX,
   monitorHeartbeatPath,
   statusLogPath
 } from "./chunk-2TUAFAIW.js";
+import {
+  createAdaptiveWatchdog
+} from "./chunk-UEGQGXPY.js";
+import "./chunk-2MIISF2W.js";
 import "./chunk-DO42NPNR.js";
 import "./chunk-BLEGIR35.js";
 

package/dist/{user-prompt-submit-hook-ARPEO6FF.js → user-prompt-submit-hook-ZD2XKN7U.js}

@@ -1,6 +1,9 @@
 import {
   readHookStdin
 } from "./chunk-LSUB6QMP.js";
+import {
+  controlTokenAuthHeaders
+} from "./chunk-GI2CKKBL.js";
 import {
   deriveDiscoveryKey,
   findClaudeAncestorPid
@@ -22,7 +25,10 @@ async function runUserPromptSubmitHook() {
   }
   let body;
   try {
-    const res = await fetch(`http://127.0.0.1:${discovery.port}/poll?type=user-prompt-submit&timeout_ms=0`);
+    const res = await fetch(
+      `http://127.0.0.1:${discovery.port}/poll?type=user-prompt-submit&timeout_ms=0`,
+      { headers: controlTokenAuthHeaders(discovery.controlTokenPath) }
+    );
     if (!res.ok) {
       process.stdout.write("{}");
       return;

package/dist/{webhook-config-UKUSI2FE.js → webhook-config-O4WMQ532.js}

@@ -7,7 +7,7 @@ import {
   emissionRejectionReason,
   resolveSignatureEmission,
   resolveWebhookConfig
-} from "./chunk-OSKHA5DS.js";
+} from "./chunk-V5VZPYMZ.js";
 export {
   WEBHOOK_DEFAULT_MAX_RETRIES,
   WEBHOOK_DEFAULT_SIGNATURE_HEADER,