neozip-mcp 0.1.0-beta

package/.cursor/mcp.json.global.example

@@ -0,0 +1,10 @@
+{
+  "mcpServers": {
+    "neozip-mcp": {
+      "command": "neozip-mcp",
+      "env": {
+        "NEOZIP_MCP_SANDBOX_PATHS": "${workspaceFolder},${userHome}"
+      }
+    }
+  }
+}

package/CHANGELOG.md

@@ -0,0 +1,16 @@
+# Changelog
+
+Release notes for [neozip-mcp](https://www.npmjs.com/package/neozip-mcp).
+
+## 0.1.0-beta (2026-06-26)
+
+First npm release (**beta**).
+
+- MCP stdio server with ZIP tools (`compress`, `extract`, `list`, `info`, `test`, `read_entry`, `search_entries`, `grep_entries`) and `zip://` resources
+- Blockchain notarization tools (`stamp`, `mint`, `verify`, `upgrade_timestamped`, `wallet_info`)
+- NeoZip Token Service integration via **`neozip-connect`** CLI and account tools
+- Recipient encryption (Token Service X25519) bundled at build time — no GitHub Packages install required at runtime
+- Path sandboxing, capability scoping, rate limiting, and resource limits
+- Shipped docs, Claude Code install guides, and example agent skills under `docs/examples/claude/skills/`
+
+See [README.md](README.md) and [docs/OPERATIONS.md](docs/OPERATIONS.md) for setup and tool reference.

package/DOCUMENTATION.md

@@ -0,0 +1,40 @@
+# NeoZip MCP documentation
+
+Documentation shipped with the [neozip-mcp](https://www.npmjs.com/package/neozip-mcp) npm package (**beta** — install with `npm install -g neozip-mcp@beta`).
+
+## Getting started
+
+| Document | Description |
+|----------|-------------|
+| [README.md](README.md) | Installation, MCP host setup, environment variables |
+| [CHANGELOG.md](CHANGELOG.md) | Version history and release notes |
+| [SECURITY.md](SECURITY.md) | Security considerations and vulnerability reporting |
+
+## Tool reference
+
+| Document | Description |
+|----------|-------------|
+| [docs/OPERATIONS.md](docs/OPERATIONS.md) | Full MCP tool and parameter reference |
+| [docs/NEOZIP_CONNECT_CLI.md](docs/NEOZIP_CONNECT_CLI.md) | `neozip-connect` account setup CLI |
+| [docs/NEOZIP_CONNECTION_STORE.md](docs/NEOZIP_CONNECTION_STORE.md) | Connection store layout (`~/.neozip/connection/`) |
+
+## MCP host installation
+
+| Document | Description |
+|----------|-------------|
+| [docs/installation-guides/README.md](docs/installation-guides/README.md) | Index of host guides |
+| [docs/installation-guides/INSTALL_CLAUDE_CODE.md](docs/installation-guides/INSTALL_CLAUDE_CODE.md) | Claude Code (user scope) |
+| [docs/installation-guides/INSTALL_CLAUDE_WORKSPACE.md](docs/installation-guides/INSTALL_CLAUDE_WORKSPACE.md) | Claude Code workspace (`.mcp.json`) |
+
+## Examples (in package)
+
+| Path | Description |
+|------|-------------|
+| [docs/examples/mcp.json.claude.example](docs/examples/mcp.json.claude.example) | Claude Code `.mcp.json` template |
+| [docs/examples/claude/skills/](docs/examples/claude/skills/) | Agent skills for archives and notarization |
+| [.cursor/mcp.json.global.example](.cursor/mcp.json.global.example) | Cursor global MCP config template |
+
+## Support
+
+- **GitHub Issues:** [NeoWareInc/neozip-support](https://github.com/NeoWareInc/neozip-support/issues)
+- **Email:** [support@neozip.io](mailto:support@neozip.io)

package/LICENSE

@@ -0,0 +1,16 @@
+Copyright (c) 2026 NeoWare, Inc. All rights reserved.
+
+This software and associated documentation files (the "Software") are
+proprietary to NeoWare, Inc. The Software is provided only to authorized
+recipients for internal use.
+
+No license is granted to copy, modify, merge, publish, distribute,
+sublicense, or sell copies of the Software except as expressly authorized
+in writing by NeoWare, Inc.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+NEOWARE, INC. BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,223 @@
+# neozip-mcp
+
+> MCP server for ZIP archives, blockchain notarization, and AI agent integration — powered by [neozipkit](https://www.npmjs.com/package/neozipkit) and [neozip-blockchain](https://www.npmjs.com/package/neozip-blockchain)
+
+[![npm version](https://img.shields.io/npm/v/neozip-mcp?label=beta&color=blue)](https://www.npmjs.com/package/neozip-mcp)
+[![Node.js Version](https://img.shields.io/badge/node-%3E%3D20.0.0-brightgreen)](https://nodejs.org/)
+
+> **Beta version warning:** NeoZip MCP is currently in **beta** status. This means:
+> - The MCP tool surface and CLI may change in future releases
+> - Some features may be incomplete or experimental
+> - Breaking changes may occur before the stable release
+> - Use in production with caution and thorough testing
+>
+> Install the beta channel: `npm install -g neozip-mcp@beta`. Report issues on [GitHub](https://github.com/NeoWareInc/neozip-support/issues) or email [support@neozip.io](mailto:support@neozip.io).
+
+## Release notice
+
+**Current version: v0.1.0-beta.** See [CHANGELOG.md](CHANGELOG.md) for details.
+
+- **API stability:** MCP tool names and parameters may change before a stable release
+- **Testing:** Test thoroughly in your MCP host before production use
+- **Feedback:** Report issues via [GitHub Issues](https://github.com/NeoWareInc/neozip-support/issues) or email [support@neozip.io](mailto:support@neozip.io)
+- **License:** Proprietary — NeoWare, Inc. See [LICENSE](LICENSE)
+
+## Overview
+
+NeoZip MCP is a local stdio MCP server for AI coding agents (Claude Code, Cursor, and other MCP hosts). It exposes ZIP operations, blockchain notarization, and NeoZip Token Service tools to the agent — no repository checkout required.
+
+## Features
+
+### ZIP Operations
+- **compress** -- Create ZIP archives (default: Zstandard). Options: `recipientEmails` (Token Service public-key encryption via `META-INF/ACCESS.NZIP`), `password` + `encryptionMethod`, `timestamp`, `tokenize`. SHA-256 is auto-enabled for timestamped/tokenized archives.
+- **extract** -- Extract ZIP files to directories (password-protected archives supported)
+- **list** -- List ZIP archive contents (text or JSON manifest)
+- **info** -- Get detailed ZIP metadata (sizes, ratios, merkle root)
+- **test** -- Test ZIP integrity per entry
+- **read_entry** -- Read a single file inside an archive with pagination (optional `options.password` for encrypted entries)
+- **search_entries** -- Search archive entry names by keyword or regex
+- **grep_entries** -- Search file contents inside an archive for text or regex matches (no extraction)
+
+### MCP Resources
+- **zip://** -- Direct access to archive manifests and entry contents as MCP resources
+
+See [docs/OPERATIONS.md](docs/OPERATIONS.md) for full parameter reference.
+
+### NeoZip Token Service
+Account, identity, and recipient-key tools that talk to the NeoZip Token Service (configured via `neozip-connect`); they do not operate on ZIP archives directly.
+- **connect_status** -- Fast neozip-connect readiness: phase, compress option readiness, next terminal command (no secrets, no network)
+- **token_service_status** -- Check Token Service email verification status
+- **token_service_register** -- Register email and send verification code (requires `blockchain`)
+- **token_service_verify** -- Verify email with 6-digit code (requires `blockchain`)
+- **lookup_recipient** -- Resolve a recipient's Token Service X25519 public key by email before encrypting
+- **identity_status** -- Token Service `/crypto/self` identity provisioning (Bearer token in env)
+- **wallet_config_status** -- Diagnose credential sources and readiness (no secrets)
+
+### Blockchain Operations
+- **mint** -- Mint ZIP hash as NFT on Base network
+- **verify** -- Verify token authenticity against blockchain
+- **stamp** -- Submit ZIP merkle root to the NeoZip Token Service for timestamping
+- **upgrade_timestamped** -- Upgrade pending timestamp to confirmed (`META-INF/TIMESTAMP.NZIP`)
+- **wallet_info** -- View wallet and network status (address, balance)
+
+### Security
+- **Path sandboxing** -- Allowlist-based directory restrictions with symlink and traversal prevention
+- **Capability scoping** -- Enable/disable tool groups (zip, blockchain, readonly)
+- **Rate limiting** -- Token-bucket rate limiting per tool
+- **Resource limiting** -- Max file size, entry count, and operation timeouts
+- **Authentication** -- Wallet key sourcing and optional API key
+
+## Installation
+
+### Prerequisites
+
+- Node.js 20.0.0 or higher
+- npm or pnpm
+
+### Install from npm (beta)
+
+```bash
+npm install -g neozip-mcp@beta
+```
+
+After installation:
+
+| Command | Purpose |
+|---------|---------|
+| `neozip-mcp` | MCP server (your host spawns this) |
+| `neozip-connect` | Interactive account setup |
+
+### Verify installation
+
+```bash
+which neozip-mcp
+which neozip-connect
+neozip-connect status
+```
+
+### Install in MCP hosts
+
+| Host | Guide |
+|------|-------|
+| **Claude Code** (user/local scope) | [docs/installation-guides/INSTALL_CLAUDE_CODE.md](docs/installation-guides/INSTALL_CLAUDE_CODE.md) |
+| **Claude Code workspace** (project `.mcp.json`) | [docs/installation-guides/INSTALL_CLAUDE_WORKSPACE.md](docs/installation-guides/INSTALL_CLAUDE_WORKSPACE.md) |
+| **Cursor** | Quick start below |
+
+Full index: [docs/installation-guides/README.md](docs/installation-guides/README.md)
+
+## Claude Code setup
+
+1. Install from npm (see above).
+2. Register MCP — user scope (all projects):
+
+   ```bash
+   claude mcp add-json neozip-mcp \
+     '{"type":"stdio","command":"neozip-mcp","env":{"NEOZIP_MCP_SANDBOX_PATHS":"${CLAUDE_PROJECT_DIR:-.},${HOME}"}}' \
+     --scope user
+   ```
+
+   For team repos, copy [`docs/examples/mcp.json.claude.example`](docs/examples/mcp.json.claude.example) to `.mcp.json` — see [INSTALL_CLAUDE_WORKSPACE.md](docs/installation-guides/INSTALL_CLAUDE_WORKSPACE.md).
+
+3. **Agent skills (recommended)** — copy from the package:
+
+   ```bash
+   pkg="$(npm root -g)/neozip-mcp"
+   mkdir -p ~/.claude/skills/neozip-mcp ~/.claude/skills/neozip-notarization
+   cp "$pkg/docs/examples/claude/skills/neozip-mcp/SKILL.md" ~/.claude/skills/neozip-mcp/
+   cp "$pkg/docs/examples/claude/skills/neozip-notarization/SKILL.md" ~/.claude/skills/neozip-notarization/
+   ```
+
+   Workspace teams: `cp -R node_modules/neozip-mcp/docs/examples/claude/skills .claude/` and commit.
+
+4. Optional always-on memory: copy [`docs/examples/CLAUDE.md.example`](docs/examples/CLAUDE.md.example) to `CLAUDE.md`.
+
+5. For tokenize/timestamp/encryption: run **`neozip-connect`** once, then start a new Claude Code session.
+
+Full guide: [docs/installation-guides/INSTALL_CLAUDE_CODE.md](docs/installation-guides/INSTALL_CLAUDE_CODE.md)
+
+## Cursor setup
+
+1. Install from npm (see above).
+2. Copy [`.cursor/mcp.json.global.example`](.cursor/mcp.json.global.example) to `~/.cursor/mcp.json` (or `.cursor/mcp.json` in your project).
+3. Optional agent steering (pick one):
+   - **Skills:** copy [`docs/examples/claude/skills/neozip-mcp/`](docs/examples/claude/skills/neozip-mcp/) to `~/.cursor/skills/neozip-mcp/` (archives), and [`docs/examples/claude/skills/neozip-notarization/`](docs/examples/claude/skills/neozip-notarization/) to `~/.cursor/skills/neozip-notarization/` (tokenize/timestamp/verify + recipient encryption)
+   - **Cursor rule:** copy [docs/examples/neozip-mcp-cursor-rule.mdc](docs/examples/neozip-mcp-cursor-rule.mdc) to `~/.cursor/rules/neozip-mcp.mdc`
+4. For tokenize/timestamp/encryption: run **`neozip-connect`** once, then reload MCP in Cursor Settings.
+
+```json
+{
+  "mcpServers": {
+    "neozip-mcp": {
+      "command": "neozip-mcp",
+      "env": {
+        "NEOZIP_MCP_SANDBOX_PATHS": "${workspaceFolder},${userHome}"
+      }
+    }
+  }
+}
+```
+
+Capabilities default to **`auto`**: `zip,blockchain,readonly` after `neozip-connect` reaches `phase: ready`, otherwise `zip,readonly`. Set `NEOZIP_MCP_CAPABILITIES` explicitly to override (e.g. `zip` for ZIP-only). See [docs/OPERATIONS.md](docs/OPERATIONS.md) for every tool and option.
+
+Connection secrets use **machine-local encryption** in `~/.neozip/connection/`. Optionally set `NEOZIP_UNLOCK_PASSPHRASE` if you use a custom passphrase.
+
+## Configuration
+
+### Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `NEOZIP_MCP_CAPABILITIES` | `auto` | Tool groups: `zip`, `blockchain`, `readonly`, `account`, or `auto` (default). `auto` → `zip,blockchain,readonly` when connect is `phase: ready` with a valid token; otherwise `zip,readonly` |
+| `NEOZIP_MCP_REQUIRE_ACCOUNT` | on when `account` or `blockchain` cap | Exit at startup if connection not `phase: ready` or token expired (`false` to disable) |
+| `NEOZIP_UNLOCK_PASSPHRASE` | machine-local key | Optional custom passphrase for `~/.neozip/connection/` (default: hostname + username on this machine) |
+| `NEOZIP_MCP_STARTUP_SUMMARY` | on | Log wallet/account summary to stderr on start |
+| `NEOZIP_MCP_SANDBOX_PATHS` | cwd, home | Comma-separated allowed directories |
+| `NEOZIP_MCP_RATE_LIMIT` | `60` | Requests per minute (ZIP tools) |
+| `NEOZIP_MCP_BLOCKCHAIN_RATE_LIMIT` | `10` | Requests per minute (blockchain tools) |
+| `NEOZIP_MCP_MAX_FILE_SIZE` | `524288000` | Max file size in bytes (500 MB) |
+| `NEOZIP_MCP_MAX_ENTRIES` | `10000` | Max ZIP entries |
+| `NEOZIP_MCP_TIMEOUT` | `300` | Operation timeout in seconds |
+| `NEOZIP_MCP_DEFAULT_MAX_CHARS` | `10000` | Default read size for `read_entry` |
+| `NEOZIP_MCP_MAX_READ_CHARS` | `100000` | Hard cap on `read_entry` output |
+| `NEOZIP_MCP_GREP_MAX_MATCHES` | `100` | Default max matches for `grep_entries` |
+| `NEOZIP_MCP_GREP_MAX_SNIPPET_CHARS` | `200` | Max snippet length per grep match |
+| `NEOZIP_MCP_GREP_MAX_FILE_BYTES` | `1048576` | Skip grepping entries larger than this (bytes) |
+| `NEOZIP_MCP_API_KEY` | -- | Optional API key for access control |
+| `NEOZIP_NETWORK` | `base-sepolia` | Blockchain network for tokenize/mint |
+| `NEOZIP_TOKEN_SERVICE_INFO_URL` | `{profile URL}/info` | Link shown when Token Service setup is required |
+| `NEOZIP_IDENTITY_PRIVATE_KEY_HEX` | -- | Optional X25519 private key (hex) for opening recipient-encrypted archives (MCP env only) |
+
+Token Service email, access token, wallet key, and service URL come from **`neozip-connect`** (`~/.neozip/connection/`), not MCP env or NeoZip Desktop `wallet.json`.
+
+## Documentation
+
+The following documentation is included with this package:
+
+- **[README.md](README.md)** — Installation, MCP host setup, configuration
+- **[DOCUMENTATION.md](DOCUMENTATION.md)** — Documentation index
+- **[CHANGELOG.md](CHANGELOG.md)** — Version history
+- **[SECURITY.md](SECURITY.md)** — Security considerations
+- **[docs/OPERATIONS.md](docs/OPERATIONS.md)** — Full MCP tool reference
+
+## Publishing (npm)
+
+The published tarball includes **`dist/`**, **`docs/`**, **`README.md`**, **`LICENSE`**, **`CHANGELOG.md`**, **`DOCUMENTATION.md`**, and **`SECURITY.md`** only. Preview with **`pnpm pack:dry-run`**.
+
+Maintainers: see the [PUBLISHING.md](https://github.com/NeoWareInc/neozip-mcp/blob/main/docs-dev/PUBLISHING.md) guide in the GitHub repository.
+
+## Contributing
+
+We welcome feedback and bug reports:
+
+1. **Report issues:** [GitHub Issues](https://github.com/NeoWareInc/neozip-support/issues) or [support@neozip.io](mailto:support@neozip.io)
+2. **Test and provide feedback:** Help us improve by testing in your MCP host
+
+## License
+
+Proprietary — NeoWare, Inc. All rights reserved. See [LICENSE](LICENSE).
+
+## Support
+
+- **GitHub Issues:** [NeoWareInc/neozip-support](https://github.com/NeoWareInc/neozip-support/issues)
+- **Email:** [support@neozip.io](mailto:support@neozip.io)
+- **Documentation:** [DOCUMENTATION.md](DOCUMENTATION.md)

package/SECURITY.md

@@ -0,0 +1,37 @@
+# Security
+
+Security considerations for **neozip-mcp** and how to report vulnerabilities.
+
+## Scope of this package
+
+**neozip-mcp** is a local MCP (stdio) server. It reads and writes ZIP archives within configured sandbox paths, optionally talks to the NeoZip Token Service and Base network, and stores account credentials in `~/.neozip/connection/` (machine-local encryption).
+
+ZIP format handling uses [neozipkit](https://www.npmjs.com/package/neozipkit). On-chain operations use [neozip-blockchain](https://www.npmjs.com/package/neozip-blockchain). See those packages for library-level crypto and archive security.
+
+## MCP host configuration
+
+- **Sandbox paths** — Set `NEOZIP_MCP_SANDBOX_PATHS` to the smallest directory set the agent needs. The server rejects paths outside the allowlist.
+- **Capabilities** — Default `auto` enables blockchain tools only after `neozip-connect` reaches `phase: ready`. Use `NEOZIP_MCP_CAPABILITIES=zip,readonly` for ZIP-only hosts.
+- **Secrets in env** — Do not put wallet keys, Token Service tokens, or archive passwords in MCP `env` blocks committed to git. Use `neozip-connect` for account secrets; pass archive passwords per tool call when needed.
+
+## Connection store
+
+- Credentials live under `~/.neozip/connection/` and are encrypted with a machine-local key (hostname + username by default, or `NEOZIP_UNLOCK_PASSPHRASE`).
+- Treat this directory like SSH keys: restrict filesystem permissions and do not copy it to shared machines without understanding the risk.
+
+## General practices
+
+- **Dependencies** — Run `pnpm audit` (or `npm audit`) before release; address high/critical issues.
+- **Published tarball** — Recipient encryption code is bundled into `dist/vendor/neozipkit-pro.js` at build time; the published package does not require `@neowareinc/neozipkit-pro` at install time.
+- **Inputs** — The server validates paths via `PathSandbox`; still avoid pointing sandbox paths at sensitive system directories unless required.
+
+## Reporting a vulnerability
+
+1. **Do not** open a public GitHub issue for security bugs.
+2. Report privately via [GitHub Security Advisories](https://github.com/NeoWareInc/neozip-mcp/security/advisories) for this repository, or email [support@neozip.io](mailto:support@neozip.io).
+3. Allow time for a fix before public disclosure.
+
+## References
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [Model Context Protocol security best practices](https://modelcontextprotocol.io/)

package/dist/account/account-state.js

@@ -0,0 +1,86 @@
+import { getTokenServiceUrl } from "neozip-blockchain/token-service";
+import { maskEmail } from "../util/mask.js";
+import { getActiveProfile, getActiveProfileId, listProfiles, readActiveSecrets, } from "./profile-store.js";
+import { fetchCoordinatorConfig } from "./token-service-identity.js";
+function nextStepsForPhase(phase) {
+    switch (phase) {
+        case "no_profile":
+            return listProfiles().length > 0
+                ? ["account_select", "account_list", "account_create"]
+                : ["account_create", "account_list"];
+        case "email_unverified":
+            return ["account_register_email", "account_verify_email"];
+        case "no_wallet":
+            return ["account_create_wallet", "account_import_wallet"];
+        case "wallet_unlinked":
+            return ["account_link_wallet"];
+        case "identity_missing":
+            return ["account_provision_identity"];
+        case "ready":
+            return ["account_logout"];
+        case "degraded":
+            return ["account_status"];
+        default:
+            return ["account_status"];
+    }
+}
+export function computeAccountPhase() {
+    const profileId = getActiveProfileId();
+    if (!profileId) {
+        return "no_profile";
+    }
+    const profile = getActiveProfile();
+    const secrets = readActiveSecrets();
+    if (!profile || !secrets)
+        return "no_profile";
+    if (!secrets.accessToken || !profile.emailVerified) {
+        return "email_unverified";
+    }
+    if (!secrets.evmPrivateKey || !profile.evmAddress) {
+        return "no_wallet";
+    }
+    if (!profile.walletId || profile.linkId == null) {
+        return "wallet_unlinked";
+    }
+    if (!profile.identityKeyId) {
+        return "identity_missing";
+    }
+    return "ready";
+}
+export async function buildAccountStatusReport(options) {
+    const profile = getActiveProfile();
+    const phase = computeAccountPhase();
+    const tokenServiceUrl = getTokenServiceUrl({
+        serverUrl: profile?.tokenServiceUrl || process.env.TOKEN_SERVICE_URL || undefined,
+    });
+    let tokenServiceReachable = null;
+    if (options?.probeTokenService !== false) {
+        try {
+            tokenServiceReachable = await fetchCoordinatorConfig(tokenServiceUrl);
+        }
+        catch {
+            tokenServiceReachable = false;
+        }
+    }
+    const nextSteps = nextStepsForPhase(tokenServiceReachable === false && phase !== "ready" ? "degraded" : phase);
+    const reloadRequired = phase === "ready" &&
+        Boolean(profile &&
+            (!process.env.NEOZIP_TOKEN_SERVICE_ACCESS_TOKEN ||
+                !process.env.NEOZIP_WALLET_PASSKEY));
+    return {
+        success: true,
+        phase: tokenServiceReachable === false && phase !== "ready" ? "degraded" : phase,
+        activeProfileId: getActiveProfileId(),
+        profile: profile
+            ? {
+                ...profile,
+                email: profile.email ? maskEmail(profile.email) : null,
+            }
+            : null,
+        tokenServiceReachable,
+        tokenServiceUrl,
+        nextSteps,
+        reloadRequired,
+    };
+}
+//# sourceMappingURL=account-state.js.map

package/dist/account/format-account-status.js

@@ -0,0 +1,37 @@
+export function formatAccountStatusText(report) {
+    const lines = [];
+    lines.push("NeoZip account status");
+    lines.push(`Phase: ${report.phase}`);
+    lines.push(`Token Service: ${report.tokenServiceUrl}`);
+    if (report.tokenServiceReachable != null) {
+        lines.push(`Token Service reachable: ${report.tokenServiceReachable ? "yes" : "no"}`);
+    }
+    if (report.activeProfileId) {
+        lines.push(`Active profile: ${report.activeProfileId}`);
+    }
+    if (report.profile) {
+        lines.push(`Label: ${report.profile.label}`);
+        if (report.profile.email)
+            lines.push(`Email: ${report.profile.email}`);
+        if (report.profile.evmAddress) {
+            lines.push(`EVM address: ${report.profile.evmAddress}`);
+        }
+        if (report.profile.walletId != null) {
+            lines.push(`Wallet ID: ${report.profile.walletId}`);
+        }
+        if (report.profile.identityKeyId != null) {
+            lines.push(`Identity key ID: ${report.profile.identityKeyId}`);
+        }
+        if (report.profile.x25519Fingerprint) {
+            lines.push(`X25519 fingerprint: ${report.profile.x25519Fingerprint}`);
+        }
+    }
+    if (report.nextSteps.length) {
+        lines.push(`Next steps: ${report.nextSteps.join(", ")}`);
+    }
+    if (report.reloadRequired) {
+        lines.push("Reload MCP in Cursor so the active connection credentials are loaded into this session.");
+    }
+    return lines.join("\n");
+}
+//# sourceMappingURL=format-account-status.js.map

package/dist/account/identity-provision.js

@@ -0,0 +1,75 @@
+import { IdentityKeyTamperError } from "../archive/identity-key.js";
+import { fetchCryptoSelf } from "../archive/crypto-self.js";
+import { buildIdentityKeyInitMessage, wrapNewX25519Keypair, } from "./identity-wrap.js";
+import { IdentityKeyConflictError, completeIdentityKeyInit, getIdentityKeyBundle, requestIdentityKeyInitChallenge, } from "./token-service-identity.js";
+import { rawEoaBytes, signEvmMessage } from "./wallet-evm.js";
+export async function provisionWalletIdentityKey(params) {
+    const existing = await getIdentityKeyBundle(params.baseUrl, params.accessToken, params.walletId);
+    if (existing.found) {
+        return {
+            identityKeyId: existing.identityKeyId,
+            x25519PublicKey: existing.x25519PublicKey,
+            provisioned: false,
+        };
+    }
+    const eoaPriv = rawEoaBytes(params.evmPrivateKey);
+    try {
+        const wrap = wrapNewX25519Keypair({
+            rawEoaPrivBytes: eoaPriv,
+            evmAddress: params.evmAddress,
+        });
+        const bundleBody = {
+            x25519PublicKeyB64: wrap.x25519PublicKeyB64,
+            ...wrap.bundle,
+        };
+        const challenge = await requestIdentityKeyInitChallenge(params.baseUrl, params.accessToken, params.walletId, bundleBody);
+        const expectedMessage = buildIdentityKeyInitMessage({
+            walletId: params.walletId,
+            challengeId: challenge.challengeId,
+            evmAddress: params.evmAddress,
+            formatVersion: wrap.bundle.wrapFormatVersion,
+            x25519PublicKeyB64: wrap.x25519PublicKeyB64,
+            wrappedSha256Hex: wrap.wrappedSha256Hex,
+        });
+        if (challenge.message !== expectedMessage) {
+            throw new IdentityKeyTamperError("Server init message does not match canonical form expected by this client.");
+        }
+        const evmSignature = await signEvmMessage(params.evmPrivateKey, challenge.message);
+        try {
+            const completed = await completeIdentityKeyInit(params.baseUrl, params.accessToken, params.walletId, bundleBody, challenge.challengeId, evmSignature);
+            return {
+                identityKeyId: completed.identityKeyId,
+                x25519PublicKey: completed.x25519PublicKey,
+                provisioned: true,
+            };
+        }
+        catch (err) {
+            if (err instanceof IdentityKeyConflictError) {
+                const reloaded = await getIdentityKeyBundle(params.baseUrl, params.accessToken, params.walletId);
+                if (reloaded.found) {
+                    return {
+                        identityKeyId: reloaded.identityKeyId,
+                        x25519PublicKey: reloaded.x25519PublicKey,
+                        provisioned: false,
+                    };
+                }
+            }
+            throw err;
+        }
+    }
+    finally {
+        eoaPriv.fill(0);
+    }
+}
+/** Sync profile metadata with live /crypto/self when token is available. */
+export async function refreshIdentityFromCryptoSelf(config) {
+    const self = await fetchCryptoSelf(config);
+    if (!self.ok) {
+        return { identityKeyId: null, walletId: null };
+    }
+    return {
+        identityKeyId: self.data.identityKeyId,
+        walletId: self.data.walletId,
+    };
+}
+//# sourceMappingURL=identity-provision.js.map

package/dist/account/identity-wrap.js

@@ -0,0 +1,69 @@
+import * as crypto from "node:crypto";
+import { WRAP_AEAD, WRAP_FORMAT_VERSION, WRAP_IV_LEN, WRAP_KDF_INFO, WRAP_KDF_SALT_LEN, } from "../constants/wallet-identity.js";
+function buildCanonicalAad(params) {
+    const lowerAddr = params.evmAddress.toLowerCase();
+    const addrBytes = Buffer.from(lowerAddr, "ascii");
+    return Buffer.concat([
+        addrBytes,
+        Buffer.from([WRAP_FORMAT_VERSION]),
+        params.x25519SpkiDer,
+    ]);
+}
+function deriveKek(rawEoaPrivBytes, saltB64) {
+    const salt = Buffer.from(saltB64, "base64");
+    if (salt.length !== WRAP_KDF_SALT_LEN) {
+        throw new Error(`Wrap KDF salt must be ${WRAP_KDF_SALT_LEN} bytes`);
+    }
+    return Buffer.from(crypto.hkdfSync("sha256", rawEoaPrivBytes, salt, WRAP_KDF_INFO, 32));
+}
+function sha256Hex(buf) {
+    return crypto.createHash("sha256").update(buf).digest("hex");
+}
+export function buildIdentityKeyInitMessage(params) {
+    return [
+        "NeoZip Token Service identity key init",
+        `walletId:${params.walletId}`,
+        `challenge:${params.challengeId}`,
+        `address:${params.evmAddress.toLowerCase()}`,
+        `formatVersion:${params.formatVersion}`,
+        `x25519:${params.x25519PublicKeyB64}`,
+        `wrappedSha256:${params.wrappedSha256Hex}`,
+    ].join("\n");
+}
+export function wrapNewX25519Keypair(params) {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync("x25519");
+    const spkiDer = publicKey.export({ type: "spki", format: "der" });
+    const pkcs8Der = privateKey.export({ type: "pkcs8", format: "der" });
+    const rawPriv = pkcs8Der.subarray(pkcs8Der.length - 32);
+    const saltB64 = crypto.randomBytes(WRAP_KDF_SALT_LEN).toString("base64");
+    const ivB64 = crypto.randomBytes(WRAP_IV_LEN).toString("base64");
+    const aad = buildCanonicalAad({
+        evmAddress: params.evmAddress,
+        x25519SpkiDer: spkiDer,
+    });
+    const kek = deriveKek(params.rawEoaPrivBytes, saltB64);
+    const iv = Buffer.from(ivB64, "base64");
+    const cipher = crypto.createCipheriv("aes-256-gcm", kek, iv);
+    cipher.setAAD(aad);
+    const ct = Buffer.concat([cipher.update(rawPriv), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    const wrapped = Buffer.concat([ct, tag]);
+    kek.fill(0);
+    rawPriv.fill(0);
+    pkcs8Der.fill(0);
+    const bundle = {
+        wrappedPrivateKeyB64: wrapped.toString("base64"),
+        wrapFormatVersion: WRAP_FORMAT_VERSION,
+        wrapKdfInfo: WRAP_KDF_INFO,
+        wrapKdfSaltB64: saltB64,
+        wrapAead: WRAP_AEAD,
+        wrapIvB64: ivB64,
+        wrapAadB64: aad.toString("base64"),
+    };
+    return {
+        bundle,
+        x25519PublicKeyB64: spkiDer.toString("base64"),
+        wrappedSha256Hex: sha256Hex(wrapped),
+    };
+}
+//# sourceMappingURL=identity-wrap.js.map

package/dist/account/profile-crypto.js

@@ -0,0 +1,47 @@
+import * as crypto from "node:crypto";
+import * as os from "node:os";
+const PROFILE_KDF_INFO = "NeoZip/McpProfileSecrets/v1";
+const PROFILE_KDF_SALT = Buffer.from("NeoZipMcpProfileStoreSalt-v1", "utf8");
+export function deriveProfileKey() {
+    const passphrase = process.env.NEOZIP_UNLOCK_PASSPHRASE?.trim() ||
+        `${os.hostname()}:${os.userInfo().username}:neozip-mcp-profile`;
+    const okm = crypto.hkdfSync("sha256", Buffer.from(passphrase, "utf8"), PROFILE_KDF_SALT, PROFILE_KDF_INFO, 32);
+    return Buffer.from(okm);
+}
+export function encryptJson(payload) {
+    const key = deriveProfileKey();
+    const iv = crypto.randomBytes(12);
+    const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
+    try {
+        const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+        const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return JSON.stringify({
+            v: 1,
+            iv: iv.toString("base64"),
+            tag: tag.toString("base64"),
+            data: ct.toString("base64"),
+        });
+    }
+    finally {
+        key.fill(0);
+        plaintext.fill(0);
+    }
+}
+export function decryptJson(encrypted) {
+    const key = deriveProfileKey();
+    const parsed = JSON.parse(encrypted);
+    const iv = Buffer.from(parsed.iv, "base64");
+    const tag = Buffer.from(parsed.tag, "base64");
+    const ct = Buffer.from(parsed.data, "base64");
+    try {
+        const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+        decipher.setAuthTag(tag);
+        const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
+        return JSON.parse(pt.toString("utf8"));
+    }
+    finally {
+        key.fill(0);
+    }
+}
+//# sourceMappingURL=profile-crypto.js.map