neozip-mcp 0.1.0-beta

package/dist/account/profile-store.js

@@ -0,0 +1,108 @@
+import { applyActiveConnectionToEnv, clearConnectionCredentialsFromEnv, createConnection, getActiveConnection, getActiveConnectionId, getConnectionDir, listConnections, logoutConnection, readActiveConnectionSecrets, readConnectionSecrets, saveAccessToken, saveEvmWallet, saveIdentityProvision, savePhoneVerified, saveWalletLink, selectConnection, updateConnection, } from "../connection/store.js";
+import { hasLegacyMcpProfiles, migrateFromMcpProfileStore } from "../connection/migrate.js";
+export function getMcpProfileDir() {
+    return getConnectionDir();
+}
+function ensureMigrated() {
+    if (hasLegacyMcpProfiles()) {
+        migrateFromMcpProfileStore();
+    }
+}
+function toProfile(meta) {
+    if (!meta)
+        return null;
+    return {
+        id: meta.id,
+        label: meta.label,
+        tokenServiceUrl: meta.tokenServiceOrigin,
+        email: meta.email,
+        emailVerified: meta.emailVerified,
+        evmAddress: meta.evmAddress,
+        walletId: meta.walletId,
+        linkId: meta.linkId,
+        identityKeyId: meta.identityKeyId,
+        x25519Fingerprint: meta.x25519Fingerprint,
+        createdAt: meta.createdAt,
+        updatedAt: meta.updatedAt,
+    };
+}
+function toSecrets(secrets) {
+    if (!secrets)
+        return null;
+    return {
+        accessToken: secrets.accessToken,
+        evmPrivateKey: secrets.evmPrivateKeyHex,
+        accessTokenObtainedAt: secrets.accessTokenObtainedAt,
+    };
+}
+export function listProfiles() {
+    ensureMigrated();
+    return listConnections().map((c) => ({
+        id: c.id,
+        label: c.label,
+        tokenServiceUrl: c.tokenServiceOrigin,
+        email: c.email,
+        emailVerified: c.emailVerified,
+        evmAddress: c.evmAddress,
+        walletId: c.walletId,
+        linkId: c.linkId,
+        identityKeyId: c.identityKeyId,
+        x25519Fingerprint: c.x25519Fingerprint,
+        createdAt: c.createdAt,
+        updatedAt: c.updatedAt,
+    }));
+}
+export function getActiveProfileId() {
+    ensureMigrated();
+    return getActiveConnectionId();
+}
+export function getActiveProfile() {
+    ensureMigrated();
+    return toProfile(getActiveConnection());
+}
+export function selectProfile(profileId) {
+    ensureMigrated();
+    return toProfile(selectConnection(profileId));
+}
+export function createProfile(input) {
+    ensureMigrated();
+    return toProfile(createConnection({ label: input.label, tokenServiceUrl: input.tokenServiceUrl }));
+}
+export function updateProfile(profileId, patch) {
+    ensureMigrated();
+    const mapped = { ...patch };
+    if (patch.tokenServiceUrl) {
+        mapped.tokenServiceOrigin = patch.tokenServiceUrl;
+        delete mapped.tokenServiceUrl;
+    }
+    return toProfile(updateConnection(profileId, mapped));
+}
+export function removeProfile(_profileId, confirm) {
+    if (!confirm) {
+        throw new Error("Set confirm: true to delete the profile and its secrets.");
+    }
+    throw new Error("Profile removal via account_remove is deprecated. Use neozip-connect logout.");
+}
+export function readSecrets(profileId) {
+    ensureMigrated();
+    return toSecrets(readConnectionSecrets(profileId));
+}
+export function readActiveSecrets() {
+    ensureMigrated();
+    return toSecrets(readActiveConnectionSecrets());
+}
+export { saveAccessToken, saveEvmWallet, saveWalletLink, saveIdentityProvision, savePhoneVerified, };
+export function logoutProfile(profileId) {
+    ensureMigrated();
+    const out = logoutConnection(profileId);
+    return { ...out, profileId: out.connectionId };
+}
+export function clearProfileCredentialsFromEnv() {
+    clearConnectionCredentialsFromEnv();
+}
+export function applyActiveProfileToEnv() {
+    ensureMigrated();
+    const out = applyActiveConnectionToEnv();
+    return { applied: out.applied, profileId: out.connectionId };
+}
+//# sourceMappingURL=profile-store.js.map

package/dist/account/require-account.js

@@ -0,0 +1,29 @@
+import { computeConnectionPhase, nextConnectCommand } from "../connection/phase.js";
+import { getActiveConnection, readActiveConnectionSecrets, } from "../connection/store.js";
+import { formatTokenReauthGuidance, isAccessTokenExpired, } from "../connection/token-auth.js";
+export async function requireAccountReady(context) {
+    const phase = computeConnectionPhase();
+    const meta = getActiveConnection();
+    const secrets = readActiveConnectionSecrets();
+    if (secrets?.accessToken?.trim() && isAccessTokenExpired(secrets)) {
+        return [
+            `${context} requires a valid Token Service access token.`,
+            formatTokenReauthGuidance(meta?.email),
+        ].join("\n\n");
+    }
+    if (phase !== "ready") {
+        const nextCmd = nextConnectCommand(phase, {
+            email: meta?.email,
+            phoneE164: meta?.phoneE164,
+        });
+        const parts = [
+            `${context} requires a fully initialized NeoZip account (phase: ${phase}).`,
+        ];
+        if (nextCmd)
+            parts.push(`Run: ${nextCmd}`);
+        parts.push("Reload MCP after setup so credentials load into this session.");
+        return parts.join(" ");
+    }
+    return null;
+}
+//# sourceMappingURL=require-account.js.map

package/dist/account/token-service-identity.js

@@ -0,0 +1,395 @@
+import { getAddress } from "ethers";
+import { resolveTokenServiceBaseUrl } from "../archive/recipient-lookup.js";
+import { formatTokenServiceFetchError } from "../util/token-service-fetch.js";
+import { parseAccessTokenExpiry, tokenServiceAuthErrorMessage, } from "../connection/token-auth.js";
+import { signEvmMessage } from "./wallet-evm.js";
+const DEFAULT_RECIPIENT_SUITE = "ecies-x25519-aes256gcm";
+function challengeBody(bundle) {
+    return {
+        x25519PublicKeyB64: bundle.x25519PublicKeyB64,
+        wrappedPrivateKeyB64: bundle.wrappedPrivateKeyB64,
+        wrapFormatVersion: bundle.wrapFormatVersion,
+        wrapKdfInfo: bundle.wrapKdfInfo,
+        wrapKdfSaltB64: bundle.wrapKdfSaltB64,
+        wrapAead: bundle.wrapAead,
+        wrapIvB64: bundle.wrapIvB64,
+        wrapAadB64: bundle.wrapAadB64,
+        recipientSuites: bundle.recipientSuites ?? [DEFAULT_RECIPIENT_SUITE],
+    };
+}
+function pickString(obj, ...keys) {
+    for (const k of keys) {
+        const v = obj[k];
+        if (typeof v === "string" && v.length > 0)
+            return v;
+    }
+    return null;
+}
+function extractError(parsed, fallback, options) {
+    const authHint = options?.status != null
+        ? tokenServiceAuthErrorMessage(options.status, options.email)
+        : null;
+    if (authHint)
+        return authHint;
+    if (parsed && typeof parsed === "object") {
+        const p = parsed;
+        if (typeof p.error === "string")
+            return p.error;
+        if (typeof p.message === "string")
+            return p.message;
+    }
+    return fallback;
+}
+async function safeJson(response) {
+    const ct = response.headers.get("content-type") || "";
+    if (!ct.includes("json"))
+        return null;
+    try {
+        return (await response.json());
+    }
+    catch {
+        return null;
+    }
+}
+export async function registerEmailWithDelivery(baseUrl, email, verificationDelivery) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    let res;
+    try {
+        res = await fetch(`${url}/auth/register`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({
+                email: email.trim().toLowerCase(),
+                verificationDelivery,
+            }),
+        });
+    }
+    catch (err) {
+        return { success: false, error: formatTokenServiceFetchError(url, err) };
+    }
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        return {
+            success: false,
+            error: extractError(parsed, `HTTP ${res.status}`),
+        };
+    }
+    return {
+        success: true,
+        message: typeof parsed.message === "string" ? parsed.message : "Verification email sent.",
+    };
+}
+/** Desktop-style registration (deep link email). */
+export async function registerEmailApp(baseUrl, email) {
+    return registerEmailWithDelivery(baseUrl, email, "app");
+}
+/** Terminal / neozip-connect registration (6-digit code only). */
+export async function registerEmailCli(baseUrl, email) {
+    return registerEmailWithDelivery(baseUrl, email, "cli");
+}
+export async function verifyEmailAndExtractToken(baseUrl, email, code) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    let res;
+    try {
+        res = await fetch(`${url}/auth/verify-email-code`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ email: email.trim().toLowerCase(), code: code.trim() }),
+        });
+    }
+    catch (err) {
+        throw new Error(formatTokenServiceFetchError(url, err));
+    }
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `Verification failed (HTTP ${res.status})`, {
+            status: res.status,
+            email,
+        }));
+    }
+    const accessToken = pickString(parsed, "accessToken", "token", "bearerToken") ?? null;
+    if (!accessToken) {
+        throw new Error("Verification succeeded but no accessToken in response. Set NEOZIP_TOKEN_SERVICE_ACCESS_TOKEN manually or update neozip-blockchain.");
+    }
+    const verifiedEmail = pickString(parsed, "email") ?? email.trim().toLowerCase();
+    return {
+        accessToken,
+        email: verifiedEmail,
+        expiresAt: parseAccessTokenExpiry(parsed),
+    };
+}
+export async function exchangeMagicLinkToken(baseUrl, token) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    let res;
+    try {
+        res = await fetch(`${url}/auth/exchange-token`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ token: token.trim() }),
+        });
+    }
+    catch (err) {
+        throw new Error(formatTokenServiceFetchError(url, err));
+    }
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `Magic link exchange failed (HTTP ${res.status})`, {
+            status: res.status,
+        }));
+    }
+    const accessToken = pickString(parsed, "accessToken", "token", "bearerToken") ?? null;
+    if (!accessToken) {
+        throw new Error("Magic link exchange succeeded but no accessToken in response.");
+    }
+    const verifiedEmail = pickString(parsed, "email") ?? "";
+    if (!verifiedEmail) {
+        throw new Error("Magic link exchange succeeded but no email in response.");
+    }
+    return {
+        accessToken,
+        email: verifiedEmail,
+        expiresAt: parseAccessTokenExpiry(parsed),
+    };
+}
+export async function requestPhoneOtp(baseUrl, accessToken, phoneE164) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    let res;
+    try {
+        res = await fetch(`${url}/auth/phone/request-otp`, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ phoneE164: phoneE164.trim() }),
+        });
+    }
+    catch (err) {
+        return { success: false, error: formatTokenServiceFetchError(url, err) };
+    }
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        return {
+            success: false,
+            error: extractError(parsed, `Phone OTP request failed (HTTP ${res.status})`),
+        };
+    }
+    return { success: true };
+}
+export async function verifyPhoneOtp(baseUrl, accessToken, phoneE164, code) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    let res;
+    try {
+        res = await fetch(`${url}/auth/phone/verify`, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({
+                phoneE164: phoneE164.trim(),
+                code: code.trim(),
+            }),
+        });
+    }
+    catch (err) {
+        return { success: false, error: formatTokenServiceFetchError(url, err) };
+    }
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        return {
+            success: false,
+            error: extractError(parsed, `Phone verification failed (HTTP ${res.status})`),
+        };
+    }
+    return { success: true };
+}
+export class IdentityKeyConflictError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "IdentityKeyConflictError";
+    }
+}
+function authHeaders(accessToken) {
+    return {
+        Authorization: `Bearer ${accessToken}`,
+        "content-type": "application/json",
+    };
+}
+export async function fetchCoordinatorConfig(baseUrl) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    try {
+        const res = await fetch(`${url}/crypto/coordinator-config`, { method: "GET" });
+        return res.ok;
+    }
+    catch {
+        return false;
+    }
+}
+export async function requestWalletEnsureChallenge(baseUrl, evmAddress) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    const checksummed = getAddress(evmAddress.trim());
+    const res = await fetch(`${url}/identity/wallets/challenge`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ evmAddress: checksummed }),
+    });
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `Wallet challenge failed (HTTP ${res.status})`));
+    }
+    const challengeId = pickString(parsed, "challengeId");
+    const message = pickString(parsed, "message");
+    const addr = pickString(parsed, "evmAddress");
+    if (!challengeId || !message || !addr) {
+        throw new Error("Wallet challenge response missing fields");
+    }
+    return { challengeId, message, evmAddress: addr };
+}
+export async function completeWalletEnsure(baseUrl, input) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    const checksummed = getAddress(input.evmAddress.trim());
+    const res = await fetch(`${url}/identity/wallets/ensure`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({
+            evmAddress: checksummed,
+            challengeId: input.challengeId,
+            evmSignature: input.evmSignature,
+        }),
+    });
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `Wallet ensure failed (HTTP ${res.status})`));
+    }
+    const walletId = typeof parsed.walletId === "number" ? parsed.walletId : Number(parsed.walletId);
+    const addr = pickString(parsed, "evmAddress");
+    if (!Number.isFinite(walletId) || !addr) {
+        throw new Error("Wallet ensure response missing walletId");
+    }
+    return { walletId, evmAddress: addr };
+}
+export async function requestWalletAttachChallenge(baseUrl, accessToken, walletId) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    const res = await fetch(`${url}/identity/users/me/wallets/${walletId}/attach/challenge`, { method: "POST", headers: authHeaders(accessToken) });
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `Attach challenge failed (HTTP ${res.status})`));
+    }
+    const challengeId = pickString(parsed, "challengeId");
+    const message = pickString(parsed, "message");
+    const wid = typeof parsed.walletId === "number" ? parsed.walletId : Number(parsed.walletId);
+    const addr = pickString(parsed, "evmAddress");
+    if (!challengeId || !message || !Number.isFinite(wid) || !addr) {
+        throw new Error("Attach challenge response missing fields");
+    }
+    return { challengeId, message, walletId: wid, evmAddress: addr };
+}
+export async function completeWalletAttach(baseUrl, accessToken, walletId, input) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    const res = await fetch(`${url}/identity/users/me/wallets/${walletId}/attach/complete`, {
+        method: "POST",
+        headers: authHeaders(accessToken),
+        body: JSON.stringify({
+            challengeId: input.challengeId,
+            evmSignature: input.evmSignature,
+            setPrimary: true,
+        }),
+    });
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `Attach complete failed (HTTP ${res.status})`));
+    }
+    const linkId = typeof parsed.linkId === "number" ? parsed.linkId : Number(parsed.linkId);
+    if (!Number.isFinite(linkId)) {
+        throw new Error("Attach complete response missing linkId");
+    }
+    return { linkId };
+}
+export async function runWalletEnsureAndAttach(baseUrl, accessToken, evmPrivateKey, evmAddress) {
+    const ensureCh = await requestWalletEnsureChallenge(baseUrl, evmAddress);
+    const ensureSig = await signEvmMessage(evmPrivateKey, ensureCh.message);
+    const ensured = await completeWalletEnsure(baseUrl, {
+        evmAddress,
+        challengeId: ensureCh.challengeId,
+        evmSignature: ensureSig,
+    });
+    const attachCh = await requestWalletAttachChallenge(baseUrl, accessToken, ensured.walletId);
+    const attachSig = await signEvmMessage(evmPrivateKey, attachCh.message);
+    const { linkId } = await completeWalletAttach(baseUrl, accessToken, ensured.walletId, {
+        challengeId: attachCh.challengeId,
+        evmSignature: attachSig,
+    });
+    return { walletId: ensured.walletId, evmAddress: ensured.evmAddress, linkId };
+}
+export async function getIdentityKeyBundle(baseUrl, accessToken, walletId) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    const res = await fetch(`${url}/identity/wallets/${walletId}/identity-key`, {
+        method: "GET",
+        headers: authHeaders(accessToken),
+    });
+    if (res.status === 404)
+        return { found: false };
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `identity-key GET failed (HTTP ${res.status})`));
+    }
+    const ik = parsed.identityKey;
+    if (!ik)
+        throw new Error("identity-key response missing identityKey");
+    const identityKeyId = typeof ik.identityKeyId === "number" ? ik.identityKeyId : Number(ik.identityKeyId);
+    const x25519PublicKey = pickString(ik, "x25519PublicKeyB64", "x25519PublicKey");
+    if (!Number.isFinite(identityKeyId) || !x25519PublicKey) {
+        throw new Error("identity-key response incomplete");
+    }
+    return { found: true, identityKeyId, x25519PublicKey };
+}
+export async function requestIdentityKeyInitChallenge(baseUrl, accessToken, walletId, bundle) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    const res = await fetch(`${url}/identity/wallets/${walletId}/identity-key/init/challenge`, {
+        method: "POST",
+        headers: authHeaders(accessToken),
+        body: JSON.stringify(challengeBody(bundle)),
+    });
+    const parsed = await safeJson(res);
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `init challenge failed (HTTP ${res.status})`));
+    }
+    const challengeId = pickString(parsed, "challengeId");
+    const message = pickString(parsed, "message");
+    const evmAddress = pickString(parsed, "evmAddress");
+    const wrappedSha256Hex = pickString(parsed, "wrappedSha256Hex");
+    if (!challengeId || !message || !evmAddress || !wrappedSha256Hex) {
+        throw new Error("init challenge response missing fields");
+    }
+    return { challengeId, message, evmAddress, wrappedSha256Hex };
+}
+export async function completeIdentityKeyInit(baseUrl, accessToken, walletId, bundle, challengeId, evmSignature) {
+    const url = resolveTokenServiceBaseUrl({ tokenServiceUrl: baseUrl });
+    const res = await fetch(`${url}/identity/wallets/${walletId}/identity-key/init/complete`, {
+        method: "POST",
+        headers: authHeaders(accessToken),
+        body: JSON.stringify({
+            ...challengeBody(bundle),
+            challengeId,
+            evmSignature,
+        }),
+    });
+    const parsed = await safeJson(res);
+    if (res.status === 409) {
+        throw new IdentityKeyConflictError(extractError(parsed, "Identity key already exists for this wallet."));
+    }
+    if (!res.ok || !parsed || parsed.success !== true) {
+        throw new Error(extractError(parsed, `init complete failed (HTTP ${res.status})`));
+    }
+    const ik = parsed.identityKey;
+    if (!ik)
+        throw new Error("init complete missing identityKey");
+    const identityKeyId = typeof ik.identityKeyId === "number" ? ik.identityKeyId : Number(ik.identityKeyId);
+    const x25519PublicKey = pickString(ik, "x25519PublicKeyB64", "x25519PublicKey");
+    if (!Number.isFinite(identityKeyId) || !x25519PublicKey) {
+        throw new Error("init complete response incomplete");
+    }
+    return { identityKeyId, x25519PublicKey };
+}
+//# sourceMappingURL=token-service-identity.js.map

package/dist/account/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/account/wallet-evm.js

@@ -0,0 +1,39 @@
+import { Wallet } from "ethers";
+export function generateEvmIdentity() {
+    const wallet = Wallet.createRandom();
+    return {
+        address: wallet.address,
+        privateKey: wallet.privateKey,
+        mnemonic: wallet.mnemonic?.phrase ?? null,
+    };
+}
+export function evmIdentityFromMnemonic(mnemonic) {
+    const phrase = mnemonic.trim().split(/\s+/).join(" ");
+    const wallet = Wallet.fromPhrase(phrase);
+    return {
+        address: wallet.address,
+        privateKey: wallet.privateKey,
+        mnemonic: wallet.mnemonic?.phrase ?? phrase,
+    };
+}
+export function evmIdentityFromPrivateKey(privateKey) {
+    const raw = privateKey.trim();
+    const normalized = raw.startsWith("0x") ? raw : `0x${raw}`;
+    const wallet = new Wallet(normalized);
+    return {
+        address: wallet.address,
+        privateKey: wallet.privateKey,
+        mnemonic: null,
+    };
+}
+export function signEvmMessage(privateKey, message) {
+    const wallet = new Wallet(privateKey);
+    return wallet.signMessage(message);
+}
+export function rawEoaBytes(privateKey) {
+    const stripped = privateKey.startsWith("0x")
+        ? privateKey.slice(2)
+        : privateKey;
+    return Buffer.from(stripped, "hex");
+}
+//# sourceMappingURL=wallet-evm.js.map