slashvibe-mcp 0.2.9 → 0.3.13

package/bridges/x-webhook.js

@@ -0,0 +1,423 @@
+/**
+ * /vibe X (Twitter) Webhook Bridge
+ * 
+ * Receives real-time updates from X via webhooks:
+ * - Mentions of your account
+ * - DMs received  
+ * - Likes, retweets, follows (optional)
+ * 
+ * Requires X API v2 with webhook subscription.
+ */
+
+const crypto = require('crypto');
+const twitter = require('../twitter');
+const config = require('../config');
+
+/**
+ * Get X webhook configuration
+ */
+function getConfig() {
+  const cfg = config.load();
+  return {
+    webhookSecret: cfg.x_webhook_secret || process.env.X_WEBHOOK_SECRET || null,
+    bearerToken: cfg.x_bearer_token || process.env.X_BEARER_TOKEN || null,
+    clientId: cfg.x_client_id || process.env.X_CLIENT_ID || null,
+    subscriptionId: cfg.x_subscription_id || process.env.X_SUBSCRIPTION_ID || null,
+    challengeVerified: cfg.x_challenge_verified || false
+  };
+}
+
+/**
+ * Verify X webhook signature
+ */
+function verifyXSignature(body, signature, secret) {
+  if (!secret) {
+    console.warn('X webhook secret not configured - skipping signature verification');
+    return true;
+  }
+  
+  const expectedSignature = crypto
+    .createHmac('sha256', secret)
+    .update(body)
+    .digest('base64');
+    
+  return signature === `sha256=${expectedSignature}`;
+}
+
+/**
+ * Handle X webhook challenge (CRC)
+ * Required for webhook URL verification
+ */
+function handleChallenge(crcToken, secret) {
+  if (!secret) {
+    throw new Error('X webhook secret required for CRC challenge');
+  }
+  
+  const responseToken = crypto
+    .createHmac('sha256', secret)
+    .update(crcToken)
+    .digest('base64');
+    
+  return { response_token: `sha256=${responseToken}` };
+}
+
+/**
+ * Process incoming X webhook event
+ */
+async function processWebhookEvent(event) {
+  const results = [];
+  
+  // Handle tweet create events (mentions)
+  if (event.tweet_create_events) {
+    for (const tweet of event.tweet_create_events) {
+      const result = await processTweetEvent(tweet);
+      if (result) results.push(result);
+    }
+  }
+  
+  // Handle direct message events
+  if (event.direct_message_events) {
+    for (const dm of event.direct_message_events) {
+      const result = await processDMEvent(dm);
+      if (result) results.push(result);
+    }
+  }
+  
+  // Handle favorite events (likes)
+  if (event.favorite_events) {
+    for (const favorite of event.favorite_events) {
+      const result = await processFavoriteEvent(favorite);
+      if (result) results.push(result);
+    }
+  }
+  
+  // Handle follow events
+  if (event.follow_events) {
+    for (const follow of event.follow_events) {
+      const result = await processFollowEvent(follow);
+      if (result) results.push(result);
+    }
+  }
+  
+  return {
+    processed: results.length > 0,
+    events: results,
+    summary: `Processed ${results.length} events`
+  };
+}
+
+/**
+ * Process tweet creation (potential mention)
+ */
+async function processTweetEvent(tweet) {
+  try {
+    // Check if this is a mention of our user
+    const credentials = twitter.getCredentials();
+    if (!credentials) return null;
+    
+    // Get our user info to check for mentions
+    const me = await twitter.getMe();
+    const myUsername = me.data.username.toLowerCase();
+    const myUserId = me.data.id;
+    
+    // Skip our own tweets
+    if (tweet.user.id_str === myUserId) return null;
+    
+    const tweetText = tweet.text.toLowerCase();
+    const isMention = tweetText.includes(`@${myUsername}`) || 
+                     (tweet.in_reply_to_user_id_str === myUserId);
+    
+    if (!isMention) return null;
+    
+    // Format mention for /vibe
+    const mention = {
+      id: `x:${tweet.id_str}`,
+      type: 'mention',
+      platform: 'x',
+      from: {
+        id: tweet.user.id_str,
+        handle: tweet.user.screen_name,
+        name: tweet.user.name,
+        avatar: tweet.user.profile_image_url_https
+      },
+      content: tweet.text,
+      timestamp: new Date(tweet.created_at).toISOString(),
+      url: `https://twitter.com/${tweet.user.screen_name}/status/${tweet.id_str}`,
+      isReply: !!tweet.in_reply_to_status_id_str,
+      replyToId: tweet.in_reply_to_status_id_str,
+      raw: tweet
+    };
+    
+    // Forward to /vibe
+    await forwardMentionToVibe(mention);
+    
+    return {
+      type: 'mention',
+      message: `Mention from @${tweet.user.screen_name}`,
+      content: tweet.text.slice(0, 100) + (tweet.text.length > 100 ? '...' : '')
+    };
+    
+  } catch (e) {
+    console.error('Error processing tweet event:', e);
+    return null;
+  }
+}
+
+/**
+ * Process direct message event
+ */
+async function processDMEvent(dm) {
+  try {
+    // Skip if this is a message we sent
+    const credentials = twitter.getCredentials();
+    if (!credentials) return null;
+    
+    const me = await twitter.getMe();
+    const myUserId = me.data.id;
+    
+    if (dm.message_create.sender_id === myUserId) return null;
+    
+    // Format DM for /vibe
+    const message = {
+      id: `x:dm:${dm.id}`,
+      type: 'dm',
+      platform: 'x',
+      from: {
+        id: dm.message_create.sender_id,
+        handle: 'unknown', // Would need to lookup user
+        name: 'Unknown User'
+      },
+      content: dm.message_create.message_data.text,
+      timestamp: new Date(parseInt(dm.created_timestamp)).toISOString(),
+      conversationId: dm.message_create.target.recipient_id,
+      raw: dm
+    };
+    
+    // Forward to /vibe
+    await forwardDMToVibe(message);
+    
+    return {
+      type: 'dm',
+      message: `DM received`,
+      content: dm.message_create.message_data.text.slice(0, 100)
+    };
+    
+  } catch (e) {
+    console.error('Error processing DM event:', e);
+    return null;
+  }
+}
+
+/**
+ * Process favorite (like) event
+ */
+async function processFavoriteEvent(favorite) {
+  try {
+    const credentials = twitter.getCredentials();
+    if (!credentials) return null;
+    
+    const me = await twitter.getMe();
+    const myUserId = me.data.id;
+    
+    // Only care about likes on our tweets
+    if (favorite.favorited_status.user.id_str !== myUserId) return null;
+    
+    const like = {
+      id: `x:like:${favorite.id_str}`,
+      type: 'like',
+      platform: 'x',
+      from: {
+        id: favorite.user.id_str,
+        handle: favorite.user.screen_name,
+        name: favorite.user.name
+      },
+      tweetId: favorite.favorited_status.id_str,
+      tweetText: favorite.favorited_status.text.slice(0, 100),
+      timestamp: new Date(favorite.created_at).toISOString()
+    };
+    
+    // Forward to /vibe (optional, might be noisy)
+    // await forwardLikeToVibe(like);
+    
+    return {
+      type: 'like',
+      message: `@${favorite.user.screen_name} liked your tweet`,
+      content: favorite.favorited_status.text.slice(0, 50)
+    };
+    
+  } catch (e) {
+    console.error('Error processing favorite event:', e);
+    return null;
+  }
+}
+
+/**
+ * Process follow event
+ */
+async function processFollowEvent(follow) {
+  try {
+    const credentials = twitter.getCredentials();
+    if (!credentials) return null;
+    
+    const me = await twitter.getMe();
+    const myUserId = me.data.id;
+    
+    // Only care about follows of our account
+    if (follow.target.id_str !== myUserId) return null;
+    
+    const follower = {
+      id: `x:follow:${follow.source.id_str}`,
+      type: 'follow',
+      platform: 'x',
+      from: {
+        id: follow.source.id_str,
+        handle: follow.source.screen_name,
+        name: follow.source.name,
+        avatar: follow.source.profile_image_url_https
+      },
+      timestamp: new Date(follow.created_at).toISOString()
+    };
+    
+    // Forward to /vibe
+    await forwardFollowToVibe(follower);
+    
+    return {
+      type: 'follow',
+      message: `@${follow.source.screen_name} followed you`,
+      content: follow.source.description || 'No bio'
+    };
+    
+  } catch (e) {
+    console.error('Error processing follow event:', e);
+    return null;
+  }
+}
+
+/**
+ * Forward mention to /vibe core
+ */
+async function forwardMentionToVibe(mention) {
+  console.log(`[X Webhook] Mention from @${mention.from.handle}: ${mention.content}`);
+  
+  // In a full implementation, this would:
+  // 1. Add to /vibe inbox
+  // 2. Notify online users
+  // 3. Check for /vibe commands in the mention
+  // 4. Auto-reply if appropriate
+}
+
+/**
+ * Forward DM to /vibe core
+ */
+async function forwardDMToVibe(dm) {
+  console.log(`[X Webhook] DM: ${dm.content}`);
+  
+  // In a full implementation, this would:
+  // 1. Add to /vibe DM inbox
+  // 2. Check for /vibe commands
+  // 3. Route to appropriate user if multi-user
+}
+
+/**
+ * Forward follow to /vibe core
+ */
+async function forwardFollowToVibe(follow) {
+  console.log(`[X Webhook] New follower: @${follow.from.handle}`);
+  
+  // In a full implementation, this would:
+  // 1. Add to /vibe activity feed
+  // 2. Optionally auto-follow back
+  // 3. Check if follower is in /vibe community
+}
+
+/**
+ * Setup X webhook subscription
+ * This requires X API v2 Premium/Enterprise access
+ */
+async function setupWebhook(webhookUrl) {
+  const config = getConfig();
+  
+  if (!config.bearerToken) {
+    throw new Error('X Bearer Token required for webhook setup');
+  }
+  
+  // This would use X API v2 to create webhook subscription
+  // Implementation depends on X's webhook API
+  console.log(`Setting up X webhook for: ${webhookUrl}`);
+  
+  return {
+    success: true,
+    webhookUrl,
+    subscriptionId: 'mock-subscription-id',
+    events: ['tweet.create', 'direct_message_events', 'favorite_events', 'follow_events']
+  };
+}
+
+/**
+ * Get X webhook subscription status
+ */
+async function getWebhookStatus() {
+  const config = getConfig();
+  
+  return {
+    configured: !!config.webhookSecret,
+    subscriptionActive: !!config.subscriptionId,
+    challengeVerified: config.challengeVerified,
+    events: [
+      'tweet.create (mentions)',
+      'direct_message_events', 
+      'favorite_events (likes)',
+      'follow_events'
+    ]
+  };
+}
+
+/**
+ * Express middleware for X webhook endpoint
+ */
+function createXWebhookHandler() {
+  return async (req, res) => {
+    const { method, query, body, headers } = req;
+    
+    try {
+      // Handle CRC challenge
+      if (method === 'GET' && query.crc_token) {
+        const config = getConfig();
+        const response = handleChallenge(query.crc_token, config.webhookSecret);
+        return res.json(response);
+      }
+      
+      // Handle webhook events
+      if (method === 'POST') {
+        const config = getConfig();
+        const signature = headers['x-twitter-webhooks-signature'];
+        
+        if (!verifyXSignature(JSON.stringify(body), signature, config.webhookSecret)) {
+          return res.status(401).json({ error: 'Invalid signature' });
+        }
+        
+        const result = await processWebhookEvent(body);
+        return res.json({ 
+          status: 'ok', 
+          ...result 
+        });
+      }
+      
+      res.status(405).json({ error: 'Method not allowed' });
+      
+    } catch (e) {
+      console.error('X webhook error:', e);
+      res.status(500).json({ error: 'Internal server error' });
+    }
+  };
+}
+
+module.exports = {
+  getConfig,
+  verifyXSignature,
+  handleChallenge,
+  processWebhookEvent,
+  setupWebhook,
+  getWebhookStatus,
+  createXWebhookHandler
+};

package/config.js

@@ -66,7 +66,15 @@ function save(config) {
     publicKey: config.publicKey || existing.publicKey || null,
     privateKey: config.privateKey || existing.privateKey || null,
     // Guided mode (AskUserQuestion menus)
-    guided_mode: config.guided_mode !== undefined ? config.guided_mode : existing.guided_mode
+    guided_mode: config.guided_mode !== undefined ? config.guided_mode : existing.guided_mode,
+    // Notification level
+    notifications: config.notifications || existing.notifications || null,
+    // GitHub Activity settings
+    github_activity_enabled: config.github_activity_enabled !== undefined ? config.github_activity_enabled : existing.github_activity_enabled,
+    github_activity_privacy: config.github_activity_privacy || existing.github_activity_privacy || null,
+    // OAuth token (persisted across MCP process restarts)
+    authToken: config.authToken || config.privyToken || existing.authToken || existing.privyToken || null,
+    authMethod: config.authMethod || existing.authMethod || null
   };
   fs.writeFileSync(PRIMARY_CONFIG, JSON.stringify(data, null, 2));
 }
@@ -203,11 +211,86 @@ function setAuthToken(token, sessionId = null) {
 }
 
 function getAuthToken() {
+  // First check session data
   const data = getSessionData();
   if (data?.token) return data.token;
-  // Fall back to privyToken in config (for persistence across sessions)
-  const config = load();
-  return config?.privyToken || null;
+
+  // Fall back to shared config (persisted across MCP process restarts)
+  const cfg = load();
+  return cfg?.authToken || cfg?.privyToken || null;
+}
+
+/**
+ * Save auth token (used after browser OAuth flow)
+ * @param {string} token - JWT access token from GitHub OAuth
+ */
+function saveAuthToken(token) {
+  // Save to session data
+  const data = getSessionData() || {};
+  saveSessionData({
+    ...data,
+    sessionId: data.sessionId || generateSessionId(),
+    token,
+    authMethod: 'github'  // Track that this is GitHub OAuth
+  });
+
+  // Also save to shared config for persistence across MCP restarts
+  const cfg = load();
+  cfg.authToken = token;
+  cfg.authMethod = 'github';
+  save(cfg);
+}
+
+// Backwards compatibility alias
+const savePrivyToken = saveAuthToken;
+
+/**
+ * Check if user has OAuth auth (vs legacy keypair)
+ * Accepts 'github', 'privy', and 'browser' as valid auth methods (backwards compat)
+ */
+function hasOAuth() {
+  const validAuthMethods = ['github', 'privy', 'browser'];
+
+  const data = getSessionData();
+  if (validAuthMethods.includes(data?.authMethod) && data?.token) return true;
+
+  const cfg = load();
+  return validAuthMethods.includes(cfg?.authMethod) && (cfg?.authToken || cfg?.privyToken);
+}
+
+// Backwards compatibility alias
+const hasPrivyAuth = hasOAuth;
+
+/**
+ * Remove keypair after migration to GitHub OAuth
+ * Clears private key from config (security improvement)
+ */
+function removeKeypair() {
+  const cfg = load();
+  delete cfg.publicKey;
+  delete cfg.privateKey;
+  save(cfg);
+
+  // Also clear from session
+  const data = getSessionData();
+  if (data) {
+    delete data.publicKey;
+    delete data.privateKey;
+    saveSessionData(data);
+  }
+}
+
+/**
+ * Get auth URL for browser-based GitHub OAuth
+ * @param {string|null} handle - Custom handle (optional - defaults to GitHub username)
+ */
+function getAuthUrl(handle = null) {
+  const apiUrl = getApiUrl();
+  if (handle) {
+    return `${apiUrl}/api/auth/github?handle=${encodeURIComponent(handle)}`;
+  }
+  // No handle = use GitHub username as handle
+  return `${apiUrl}/api/auth/github`;
 }
 
 function clearSession() {
@@ -251,11 +334,61 @@ function setNotifications(level) {
   save(config);
 }
 
+// GitHub Activity settings
+// Shows shipping status based on GitHub commit activity
+// Default: false (opt-in for privacy)
+function getGithubActivityEnabled() {
+  const config = load();
+  return config.github_activity_enabled === true;
+}
+
+function setGithubActivityEnabled(enabled) {
+  const config = load();
+  config.github_activity_enabled = enabled;
+  save(config);
+}
+
+// GitHub Activity privacy level
+// Levels: "full" | "status_only" | "off"
+// - full: Show repos, commit counts, tech stack (default when enabled)
+// - status_only: Just show shipping badge (🔥/⚡), no details
+// - off: Disabled completely
+function getGithubActivityPrivacy() {
+  const config = load();
+  return config.github_activity_privacy || 'full';
+}
+
+function setGithubActivityPrivacy(level) {
+  const validLevels = ['full', 'status_only', 'off'];
+  if (!validLevels.includes(level)) {
+    throw new Error(`Invalid privacy level. Use: ${validLevels.join(', ')}`);
+  }
+  const config = load();
+  config.github_activity_privacy = level;
+  save(config);
+}
+
 // API URL — central endpoint for all API calls
 function getApiUrl() {
   return process.env.VIBE_API_URL || 'https://www.slashvibe.dev';
 }
 
+// ─────────────────────────────────────────────────────────────
+// Generic key-value store for ephemeral session state
+// Used by presence-agent, mute, and other tools for runtime state
+// NOT persisted to disk — resets when MCP server restarts
+// ─────────────────────────────────────────────────────────────
+const sessionState = {};
+
+function get(key, defaultValue = null) {
+  return sessionState[key] !== undefined ? sessionState[key] : defaultValue;
+}
+
+function set(key, value) {
+  sessionState[key] = value;
+  return value;
+}
+
 module.exports = {
   VIBE_DIR,
   CONFIG_FILE,
@@ -279,5 +412,21 @@ module.exports = {
   setGuidedMode,
   getNotifications,
   setNotifications,
-  getApiUrl
+  // GitHub Activity settings
+  getGithubActivityEnabled,
+  setGithubActivityEnabled,
+  getGithubActivityPrivacy,
+  setGithubActivityPrivacy,
+  getApiUrl,
+  // OAuth helpers
+  saveAuthToken,
+  hasOAuth,
+  // Backwards compatibility aliases
+  savePrivyToken,
+  hasPrivyAuth,
+  removeKeypair,
+  getAuthUrl,
+  // Generic key-value for ephemeral session state
+  get,
+  set
 };

package/crypto.js

@@ -143,10 +143,9 @@ function generateMessageId() {
  * @param {string} [params.body] Message body
  * @param {object} [params.payload] Message payload
  * @param {string} privateKeyBase64 Sender's private key
- * @param {string} publicKeyBase64 Sender's public key (required for verification)
  * @returns {object} Complete signed message
  */
-function createSignedMessage({ from, to, body, payload }, privateKeyBase64, publicKeyBase64) {
+function createSignedMessage({ from, to, body, payload }, privateKeyBase64) {
   const message = {
     v: '0.1',
     id: generateMessageId(),
@@ -159,9 +158,8 @@ function createSignedMessage({ from, to, body, payload }, privateKeyBase64, publ
   if (body) message.body = body;
   if (payload) message.payload = payload;
 
-  // Sign and include public key for verification
+  // Sign
   message.signature = sign(message, privateKeyBase64);
-  message.publicKey = publicKeyBase64;
 
   return message;
 }
@@ -173,10 +171,9 @@ function createSignedMessage({ from, to, body, payload }, privateKeyBase64, publ
  * @param {string} status Status (online/idle/busy/offline)
  * @param {string} [context] Activity context
  * @param {string} privateKeyBase64 User's private key
- * @param {string} publicKeyBase64 User's public key (required for verification)
  * @returns {object} Signed heartbeat
  */
-function createSignedHeartbeat(handle, status, context, privateKeyBase64, publicKeyBase64) {
+function createSignedHeartbeat(handle, status, context, privateKeyBase64) {
   const heartbeat = {
     handle,
     status,
@@ -186,9 +183,7 @@ function createSignedHeartbeat(handle, status, context, privateKeyBase64, public
 
   if (context) heartbeat.context = context;
 
-  // Sign and include public key for verification
   heartbeat.signature = sign(heartbeat, privateKeyBase64);
-  heartbeat.publicKey = publicKeyBase64;
 
   return heartbeat;
 }