neozip-mcp 0.1.0-beta

package/dist/archive/blockchain-status.js

@@ -0,0 +1,303 @@
+import neozipkit from "neozipkit";
+const { HashCalculator } = neozipkit;
+import { TOKENIZED_METADATA, ZipkitVerifier } from "neozip-blockchain";
+import { findMetadataEntry, verifyTimestamp, verifyTimestampedZip, } from "neozip-blockchain/token-service";
+import { extractEntryToBuffer } from "./extract-entry-buffer.js";
+import { isMetadataEntryPath } from "./metadata-paths.js";
+import { hasRecipientAccessMetadata } from "./recipient-access.js";
+import { computeMerkleRoot } from "./merkle.js";
+import { enrichTimestampMetadata } from "./timestamp-network.js";
+import { requireTokenServiceConfigured } from "../token-service/require-configured.js";
+export { isMetadataEntryPath } from "./metadata-paths.js";
+/** Pending TS-SUBMIT archives require live Token Service checks; upgrade for standalone verification. */
+export function timestampUpgradeWarningLines() {
+    return [
+        "WARNING: Archive has not been upgraded to META-INF/TIMESTAMP.NZIP.",
+        "Blockchain verification depends on the NeoZip Token Service and cannot be verified independently.",
+        "Run upgrade_timestamped once the batch is confirmed on-chain.",
+    ];
+}
+/** Shown when the digest is queued at Token Service and not yet on-chain. */
+export function timestampQueuedWarningLines() {
+    return [
+        "The digest has been submitted to NeoZip Token Service and is queued.",
+        "The service will submit the batch to the blockchain; until then the timestamp stays pending.",
+    ];
+}
+function isTimestampArchiveKind(kind) {
+    return kind === "timestamped-pending" || kind === "timestamped-confirmed";
+}
+export function formatBlockchainVerificationSummary(verification) {
+    if (verification.kind === "plain")
+        return null;
+    if (verification.status === "failed" || verification.status === "error") {
+        return "Blockchain verification check: FAILED";
+    }
+    if (verification.verifiedOnChain) {
+        if (verification.kind === "timestamped-pending") {
+            return "Blockchain verification check: VERIFIED (via Token Service only — not independently verifiable)";
+        }
+        return "Blockchain verification check: VERIFIED";
+    }
+    return "Blockchain verification check: PENDING";
+}
+export function detectArchiveKind(entries) {
+    const hasToken = entries.some((e) => (e.fileName || e.filename) === TOKENIZED_METADATA);
+    if (hasToken)
+        return "tokenized";
+    const metadata = findMetadataEntry(entries);
+    if (metadata?.type === "confirmed")
+        return "timestamped-confirmed";
+    if (metadata?.type === "pending")
+        return "timestamped-pending";
+    if (hasRecipientAccessMetadata(entries))
+        return "recipient-encrypted";
+    return "plain";
+}
+function buildServiceOptions(config) {
+    return config.tokenServiceUrl
+        ? { serverUrl: config.tokenServiceUrl, debug: config.debug }
+        : { debug: config.debug };
+}
+export async function verifyArchiveBlockchain(zip, entries, config) {
+    const kind = detectArchiveKind(entries);
+    const merkleRoot = computeMerkleRoot(entries) ?? undefined;
+    if (kind === "plain" || kind === "recipient-encrypted") {
+        return {
+            kind,
+            status: "not_applicable",
+            verifiedOnChain: false,
+            message: kind === "recipient-encrypted"
+                ? "Recipient-encrypted archive (META-INF/ACCESS.NZIP). Blockchain metadata not applicable."
+                : "No timestamp or token metadata in archive.",
+            merkleRoot,
+        };
+    }
+    if (isTimestampArchiveKind(kind)) {
+        const tsErr = requireTokenServiceConfigured("Blockchain verification for timestamped archives", config);
+        if (tsErr) {
+            return {
+                kind,
+                status: "error",
+                verifiedOnChain: false,
+                message: tsErr,
+                merkleRoot,
+            };
+        }
+    }
+    if (kind === "tokenized") {
+        const tokenEntry = entries.find((e) => (e.fileName || e.filename) === TOKENIZED_METADATA);
+        if (!tokenEntry) {
+            return {
+                kind,
+                status: "error",
+                verifiedOnChain: false,
+                message: "Token metadata entry missing.",
+                merkleRoot,
+            };
+        }
+        const tokenBuffer = await extractEntryToBuffer(zip, tokenEntry);
+        const verifier = new ZipkitVerifier({ debug: config.debug });
+        const metadataResult = await verifier.extractTokenMetadata(tokenBuffer);
+        if (!metadataResult?.success || !metadataResult.metadata) {
+            return {
+                kind,
+                metadataEntry: TOKENIZED_METADATA,
+                status: "error",
+                verifiedOnChain: false,
+                message: "Failed to parse token metadata.",
+                merkleRoot,
+            };
+        }
+        const hashCalc = new HashCalculator({ enableAccumulation: true });
+        let hasHashes = false;
+        for (const entry of entries) {
+            const name = entry.fileName || entry.filename;
+            if (name === TOKENIZED_METADATA || isMetadataEntryPath(name))
+                continue;
+            if (entry.sha256) {
+                hashCalc.addHash(Buffer.from(entry.sha256, "hex"));
+                hasHashes = true;
+            }
+        }
+        const calculatedMerkleRoot = hasHashes
+            ? hashCalc.merkleRoot()
+            : null;
+        const verificationResult = await verifier.verifyToken(metadataResult.metadata, calculatedMerkleRoot, { debug: config.debug });
+        const details = verificationResult.verificationDetails;
+        const verified = Boolean(verificationResult.success);
+        return {
+            kind,
+            metadataEntry: TOKENIZED_METADATA,
+            status: verified ? "verified" : "failed",
+            verifiedOnChain: verified,
+            message: verificationResult.message || (verified ? "Token verified on-chain." : "Token verification failed."),
+            merkleRoot: calculatedMerkleRoot ?? merkleRoot,
+            tokenId: details?.tokenId,
+            transactionHash: details?.transactionHash,
+            network: details?.network,
+        };
+    }
+    const metadata = findMetadataEntry(entries);
+    const metadataPath = metadata.entry.filename || metadata.entry.fileName;
+    let result = await verifyTimestampedZip(zip, buildServiceOptions(config));
+    const verifyFromEmbeddedMetadata = async () => {
+        const metadataBuffer = await extractEntryToBuffer(zip, metadata.entry);
+        const timestampData = JSON.parse(metadataBuffer.toString("utf-8"));
+        const enriched = enrichTimestampMetadata(timestampData, config.network);
+        const digest = enriched.digest ||
+            enriched.merkleRoot ||
+            merkleRoot;
+        if (digest &&
+            merkleRoot &&
+            digest.toLowerCase() !== merkleRoot.toLowerCase()) {
+            return {
+                kind,
+                metadataEntry: metadataPath,
+                status: "error",
+                verifiedOnChain: false,
+                message: "Timestamp digest does not match archive merkle root.",
+                merkleRoot,
+                digest,
+            };
+        }
+        return verifyTimestamp((merkleRoot || digest), enriched, buildServiceOptions(config));
+    };
+    const needsMetadataFallback = result.status === "error" &&
+        (result.message?.includes("extract") ||
+            result.message?.includes("Validation error") ||
+            result.message?.includes("Digest not found"));
+    if (needsMetadataFallback) {
+        try {
+            const fallbackResult = await verifyFromEmbeddedMetadata();
+            if ("verifiedOnChain" in fallbackResult) {
+                return fallbackResult;
+            }
+            result = fallbackResult;
+        }
+        catch (err) {
+            return {
+                kind,
+                metadataEntry: metadataPath,
+                status: "error",
+                verifiedOnChain: false,
+                message: err instanceof Error
+                    ? err.message
+                    : "Failed to extract timestamp metadata.",
+                merkleRoot,
+            };
+        }
+    }
+    if (result.status === "none") {
+        return {
+            kind,
+            metadataEntry: metadataPath,
+            status: "error",
+            verifiedOnChain: false,
+            message: result.message || "Timestamp metadata not readable.",
+            merkleRoot,
+        };
+    }
+    if (result.status === "error") {
+        return {
+            kind,
+            metadataEntry: metadataPath,
+            status: "error",
+            verifiedOnChain: false,
+            message: result.message || "Timestamp verification error.",
+            merkleRoot,
+        };
+    }
+    if (result.status === "valid" && result.verified) {
+        return {
+            kind,
+            metadataEntry: metadataPath,
+            status: "verified",
+            verifiedOnChain: true,
+            message: "Timestamp verified on blockchain.",
+            merkleRoot: result.digest || merkleRoot,
+            digest: result.digest,
+            batchId: result.batchId,
+            tokenId: result.tokenId,
+            transactionHash: result.transactionHash,
+            network: result.network,
+            blockNumber: result.blockNumber,
+        };
+    }
+    return {
+        kind,
+        metadataEntry: metadataPath,
+        status: "pending",
+        verifiedOnChain: false,
+        message: result.message ||
+            "The digest has been submitted to NeoZip Token Service and is queued.",
+        merkleRoot: result.digest || merkleRoot,
+        digest: result.digest,
+    };
+}
+export function formatBlockchainVerification(verification) {
+    const lines = [];
+    lines.push("");
+    lines.push("Blockchain verification:");
+    if (verification.kind === "plain") {
+        lines.push("  Archive type: plain (no timestamp/token metadata)");
+        lines.push(`  Status: ${verification.status}`);
+        return lines;
+    }
+    const kindLabel = verification.kind === "tokenized"
+        ? "tokenized"
+        : verification.kind === "timestamped-confirmed"
+            ? "timestamped (confirmed)"
+            : "timestamped (pending submission metadata)";
+    lines.push(`  Archive type: ${kindLabel}`);
+    if (verification.metadataEntry) {
+        lines.push(`  Metadata entry: ${verification.metadataEntry}`);
+    }
+    if (verification.merkleRoot) {
+        lines.push(`  Merkle root: ${verification.merkleRoot}`);
+    }
+    switch (verification.status) {
+        case "verified":
+            lines.push("  On-chain status: VERIFIED");
+            break;
+        case "pending":
+            lines.push("  On-chain status: PENDING");
+            break;
+        case "failed":
+            lines.push("  On-chain status: FAILED");
+            break;
+        case "error":
+            lines.push("  On-chain status: ERROR");
+            break;
+        default:
+            lines.push(`  On-chain status: ${verification.status}`);
+    }
+    lines.push(`  ${verification.message}`);
+    if (verification.tokenId)
+        lines.push(`  Token ID: ${verification.tokenId}`);
+    if (verification.transactionHash) {
+        lines.push(`  Transaction: ${verification.transactionHash}`);
+    }
+    if (verification.network)
+        lines.push(`  Network: ${verification.network}`);
+    if (verification.batchId)
+        lines.push(`  Batch ID: ${verification.batchId}`);
+    if (verification.blockNumber != null) {
+        lines.push(`  Block: ${verification.blockNumber}`);
+    }
+    if (verification.kind === "timestamped-pending" &&
+        verification.status !== "pending") {
+        lines.push("");
+        for (const warningLine of timestampUpgradeWarningLines()) {
+            lines.push(`  ${warningLine}`);
+        }
+    }
+    if (verification.status === "pending" && isTimestampArchiveKind(verification.kind)) {
+        lines.push("");
+        for (const warningLine of timestampQueuedWarningLines()) {
+            lines.push(`  ${warningLine}`);
+        }
+    }
+    return lines;
+}
+//# sourceMappingURL=blockchain-status.js.map

package/dist/archive/crypto-self.js

@@ -0,0 +1,114 @@
+import { resolveTokenServiceBaseUrl } from "./recipient-lookup.js";
+import { tokenServiceAuthErrorMessage } from "../connection/token-auth.js";
+import { getActiveConnection } from "../connection/store.js";
+function pickString(obj, key) {
+    const v = obj[key];
+    return typeof v === "string" && v.length > 0 ? v : null;
+}
+function parseCryptoSelfBody(parsed, status) {
+    if (parsed.success !== true) {
+        const err = typeof parsed.error === "string"
+            ? parsed.error
+            : "Unexpected /crypto/self response";
+        const hint = typeof parsed.hint === "string" ? parsed.hint : undefined;
+        return { ok: false, status, error: err, hint };
+    }
+    const cryptoRaw = parsed.crypto;
+    if (!cryptoRaw || typeof cryptoRaw !== "object") {
+        return { ok: false, status, error: "crypto/self missing crypto object" };
+    }
+    const c = cryptoRaw;
+    const walletId = typeof c.walletId === "number" ? c.walletId : Number(c.walletId);
+    const identityKeyIdRaw = c.identityKeyId;
+    const identityKeyId = typeof identityKeyIdRaw === "number"
+        ? identityKeyIdRaw
+        : identityKeyIdRaw == null
+            ? null
+            : Number.isFinite(Number(identityKeyIdRaw))
+                ? Number(identityKeyIdRaw)
+                : null;
+    const evmAddress = pickString(c, "evmAddress");
+    const x25519PublicKey = pickString(c, "x25519PublicKey");
+    if (!Number.isFinite(walletId) || !evmAddress || !x25519PublicKey) {
+        return { ok: false, status, error: "crypto/self crypto object incomplete" };
+    }
+    const recipientSuites = Array.isArray(c.recipientSuites)
+        ? c.recipientSuites.filter((s) => typeof s === "string")
+        : [];
+    return {
+        ok: true,
+        data: {
+            userId: typeof parsed.userId === "number"
+                ? parsed.userId
+                : Number(parsed.userId),
+            email: typeof parsed.email === "string" ? parsed.email : "",
+            phoneE164: typeof parsed.phoneE164 === "string" ? parsed.phoneE164 : null,
+            phoneVerified: parsed.phoneVerified === true,
+            walletId,
+            identityKeyId,
+            evmAddress,
+            x25519PublicKey,
+            cryptoProvisionedAt: typeof c.cryptoProvisionedAt === "string"
+                ? c.cryptoProvisionedAt
+                : null,
+            mlkem768PublicKeyB64: typeof c.mlkem768PublicKeyB64 === "string"
+                ? c.mlkem768PublicKeyB64
+                : null,
+            recipientSuites,
+        },
+    };
+}
+export async function fetchCryptoSelf(config, options) {
+    const accessToken = config.tokenServiceAccessToken?.trim();
+    if (!accessToken) {
+        return {
+            ok: false,
+            status: 0,
+            error: "NEOZIP_TOKEN_SERVICE_ACCESS_TOKEN not configured. Complete token_service_verify and set the token in MCP env.",
+        };
+    }
+    const baseUrl = resolveTokenServiceBaseUrl(config, options?.serverUrl);
+    const response = await fetch(`${baseUrl}/crypto/self`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    const ct = response.headers.get("content-type") || "";
+    if (!ct.includes("json")) {
+        return {
+            ok: false,
+            status: response.status,
+            error: `Token Service returned non-JSON (HTTP ${response.status})`,
+        };
+    }
+    let parsed;
+    try {
+        parsed = (await response.json());
+    }
+    catch {
+        return {
+            ok: false,
+            status: response.status,
+            error: `Invalid JSON from Token Service (HTTP ${response.status})`,
+        };
+    }
+    if (response.status === 404) {
+        const err = typeof parsed.error === "string"
+            ? parsed.error
+            : "Identity key not found";
+        const hint = typeof parsed.hint === "string" ? parsed.hint : undefined;
+        return { ok: false, status: 404, error: err, hint };
+    }
+    if (!response.ok) {
+        const err = typeof parsed.error === "string"
+            ? parsed.error
+            : `HTTP ${response.status}`;
+        const authHint = tokenServiceAuthErrorMessage(response.status, getActiveConnection()?.email);
+        return {
+            ok: false,
+            status: response.status,
+            error: authHint ?? err,
+            hint: authHint ? "Re-run neozip-connect verify, then reload MCP." : undefined,
+        };
+    }
+    return parseCryptoSelfBody(parsed, response.status);
+}
+//# sourceMappingURL=crypto-self.js.map

package/dist/archive/detect-text.js

@@ -0,0 +1,56 @@
+const TEXT_EXTENSIONS = new Set([
+    ".txt", ".md", ".markdown", ".json", ".csv", ".xml", ".yaml", ".yml",
+    ".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs",
+    ".py", ".rb", ".go", ".rs", ".java", ".kt", ".swift",
+    ".c", ".h", ".cpp", ".hpp", ".cs",
+    ".html", ".htm", ".css", ".scss", ".less",
+    ".sh", ".bash", ".zsh", ".fish",
+    ".sql", ".toml", ".ini", ".cfg", ".conf", ".env",
+    ".log", ".svg",
+]);
+/** Extensionless benchmark text files (e.g. Calgary corpus). */
+const EXTENSIONLESS_TEXT_NAMES = new Set([
+    "bib", "book1", "book2", "news", "trans",
+    "paper1", "paper2", "paper3", "paper4", "paper5", "paper6",
+    "progc", "progl", "progp",
+]);
+export function detectTextSafety(entryPath, buffer) {
+    const ext = entryPath.includes(".")
+        ? entryPath.slice(entryPath.lastIndexOf(".")).toLowerCase()
+        : "";
+    const basename = entryPath.replace(/\\/g, "/").split("/").pop() ?? entryPath;
+    if (EXTENSIONLESS_TEXT_NAMES.has(basename)) {
+        return { isTextSafe: true, contentType: "text/plain", recommendedTool: "read_entry" };
+    }
+    if (TEXT_EXTENSIONS.has(ext)) {
+        const contentType = ext === ".json"
+            ? "application/json"
+            : ext === ".csv"
+                ? "text/csv"
+                : ext === ".md" || ext === ".markdown"
+                    ? "text/markdown"
+                    : "text/plain";
+        return { isTextSafe: true, contentType, recommendedTool: "read_entry" };
+    }
+    if (buffer) {
+        const sample = buffer.subarray(0, Math.min(buffer.length, 8192));
+        const nullIndex = sample.indexOf(0);
+        if (nullIndex === -1) {
+            return {
+                isTextSafe: true,
+                contentType: "text/plain",
+                recommendedTool: "read_entry",
+            };
+        }
+    }
+    return {
+        isTextSafe: false,
+        contentType: "application/octet-stream",
+        recommendedTool: "extract",
+    };
+}
+export function isBufferTextSafe(buffer) {
+    const sample = buffer.subarray(0, Math.min(buffer.length, 8192));
+    return sample.indexOf(0) === -1;
+}
+//# sourceMappingURL=detect-text.js.map