getbased-mcp 0.2.4__tar.gz → 0.2.6__tar.gz

getbased_mcp-0.2.6/LICENSE

@@ -0,0 +1,20 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  For the full license text, see <https://www.gnu.org/licenses/agpl-3.0.txt>

{getbased_mcp-0.2.4/getbased_mcp.egg-info → getbased_mcp-0.2.6}/PKG-INFO

@@ -1,13 +1,14 @@
 Metadata-Version: 2.4
 Name: getbased-mcp
-Version: 0.2.4
+Version: 0.2.6
 Summary: MCP server for querying blood work data and knowledge base from getbased
-License-Expression: GPL-3.0-only
+License-Expression: AGPL-3.0-or-later
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: mcp>=1.0.0
 Requires-Dist: httpx>=0.27
+Requires-Dist: cryptography>=42.0
 Provides-Extra: test
 Requires-Dist: pytest>=8.0; extra == "test"
 Requires-Dist: pytest-asyncio>=0.23; extra == "test"
@@ -25,11 +26,13 @@ An [MCP](https://modelcontextprotocol.io) server that exposes blood work data an
 ```
 getbased (browser)
   ├── your data, your mnemonic
-  ├── generates a read-only token
-  └── pushes lab context to sync gateway on every save
+  ├── generates a read-only relay token
+  ├── generates a separate Agent Context encryption key
+  ├── encrypts the rendered agent context with that context key
+  └── pushes ciphertext to sync gateway on every save
 
 Sync Gateway (sync.getbased.health/api/context)
-  └── stores context text behind token auth
+  └── stores encrypted context behind token auth; it cannot read the plaintext
 
 RAG Server (localhost, optional)
   ├── Vector database with embedded chunks
@@ -42,7 +45,7 @@ This MCP Server (on your machine)
   └── exposes everything as tools to any MCP client
 ```
 
-Your mnemonic never leaves your browser. The MCP server receives the same lab context text the getbased AI chat uses — not raw data.
+Your mnemonic never leaves your browser. The sync gateway receives only an end-to-end encrypted agent-context envelope; this MCP decrypts it locally with `GETBASED_AGENT_CONTEXT_KEY` and then exposes the same lab context text the getbased AI chat uses — not raw data. `GETBASED_TOKEN` is only the relay bearer token.
 
 ## Tools
 
@@ -116,9 +119,12 @@ The gateway stores context per profile ID. To work with multiple profiles:
 
 ## Setup
 
-### 1. Enable messenger access in getbased
+### 1. Enable Agent Access in getbased
 
-Go to **Settings > Data > Messenger Access** and toggle it on. Copy the read-only token.
+Go to **Settings > Data > Agent Access** and toggle it on. Copy both values:
+
+- **Read-only token** → `GETBASED_TOKEN` for relay authorization
+- **Context encryption key** → `GETBASED_AGENT_CONTEXT_KEY` for local decryption
 
 ### 2. Set up a RAG server (optional — for knowledge_search)
 
@@ -152,7 +158,8 @@ Add to your MCP config (`~/.claude/claude_desktop_config.json` or similar):
       "command": "python3",
       "args": ["/path/to/getbased_mcp.py"],
       "env": {
-        "GETBASED_TOKEN": "your-token-here"
+        "GETBASED_TOKEN": "your-token-here",
+        "GETBASED_AGENT_CONTEXT_KEY": "your-context-key-here"
       }
     }
   }
@@ -167,7 +174,7 @@ hermes mcp add getbased \
   --args /path/to/getbased_mcp.py
 ```
 
-Then set `GETBASED_TOKEN` in `~/.hermes/.env` or in the MCP server's `env` config in `config.yaml`:
+Then set `GETBASED_TOKEN` and `GETBASED_AGENT_CONTEXT_KEY` in `~/.hermes/.env` or in the MCP server's `env` config in `config.yaml`:
 
 ```yaml
 mcp_servers:
@@ -176,6 +183,7 @@ mcp_servers:
     args: [/path/to/getbased_mcp.py]
     env:
       GETBASED_TOKEN: your-token-here
+      GETBASED_AGENT_CONTEXT_KEY: your-context-key-here
 ```
 
 ### 4. Use it
@@ -191,7 +199,8 @@ Ask about your labs in any connected conversation:
 
 | Variable | Required | Description |
 |---|---|---|
-| `GETBASED_TOKEN` | Yes | Read-only token from getbased Settings > Data > Messenger Access |
+| `GETBASED_TOKEN` | Yes | Read-only bearer token from getbased Settings > Data > Agent Access; authorizes fetches from the context gateway |
+| `GETBASED_AGENT_CONTEXT_KEY` | Yes for encrypted Agent Access payloads | Context encryption key from getbased Settings > Data > Agent Access; decrypts the relay payload locally in this MCP |
 | `GETBASED_GATEWAY` | No | Context gateway URL (default: `https://sync.getbased.health`) |
 | `LENS_URL` | No | RAG server URL (default: `http://localhost:8322`). Overrides `LENS_PORT` |
 | `LENS_PORT` | No | RAG server port, only used to build default `LENS_URL` (default: `8322`) |
@@ -241,8 +250,8 @@ That's expected — they're independent. Blood work tools talk to the sync gatew
 
 ## Related projects
 
-- **[getbased](https://github.com/elkimek/get-based)** — the health dashboard. This MCP reads the same lab context the in-app AI chat uses, and queries the same Knowledge Source endpoint configured in Settings → AI → Custom Knowledge Source. The [endpoint contract](https://github.com/elkimek/get-based/blob/main/docs/guide/interpretive-lens.md#for-developers-endpoint-contract) is shared — one server backs both the app and this MCP.
+- **[getbased](https://github.com/elkimek/get-based)** — the health dashboard. This MCP reads the same lab context the in-app AI chat uses, and queries the same Knowledge Source endpoint configured in Settings → AI → Custom Knowledge Source. The [endpoint contract](https://github.com/elkimek/get-based/blob/main/dev-docs/lens-endpoint-contract.md) is shared — one server backs both the app and this MCP.
 
 ## License
 
-GPL-3.0
+AGPL-3.0-or-later

getbased_mcp-0.2.4/PKG-INFO → getbased_mcp-0.2.6/README.md

@@ -1,19 +1,3 @@
-Metadata-Version: 2.4
-Name: getbased-mcp
-Version: 0.2.4
-Summary: MCP server for querying blood work data and knowledge base from getbased
-License-Expression: GPL-3.0-only
-Requires-Python: >=3.10
-Description-Content-Type: text/markdown
-License-File: LICENSE
-Requires-Dist: mcp>=1.0.0
-Requires-Dist: httpx>=0.27
-Provides-Extra: test
-Requires-Dist: pytest>=8.0; extra == "test"
-Requires-Dist: pytest-asyncio>=0.23; extra == "test"
-Requires-Dist: respx>=0.21; extra == "test"
-Dynamic: license-file
-
 # getbased MCP Server
 
 An [MCP](https://modelcontextprotocol.io) server that exposes blood work data and an optional RAG knowledge base from [getbased](https://getbased.health) as tools. Works with any MCP-compatible client (Claude Code, Hermes, Claude Desktop, etc.).
@@ -25,11 +9,13 @@ An [MCP](https://modelcontextprotocol.io) server that exposes blood work data an
 ```
 getbased (browser)
   ├── your data, your mnemonic
-  ├── generates a read-only token
-  └── pushes lab context to sync gateway on every save
+  ├── generates a read-only relay token
+  ├── generates a separate Agent Context encryption key
+  ├── encrypts the rendered agent context with that context key
+  └── pushes ciphertext to sync gateway on every save
 
 Sync Gateway (sync.getbased.health/api/context)
-  └── stores context text behind token auth
+  └── stores encrypted context behind token auth; it cannot read the plaintext
 
 RAG Server (localhost, optional)
   ├── Vector database with embedded chunks
@@ -42,7 +28,7 @@ This MCP Server (on your machine)
   └── exposes everything as tools to any MCP client
 ```
 
-Your mnemonic never leaves your browser. The MCP server receives the same lab context text the getbased AI chat uses — not raw data.
+Your mnemonic never leaves your browser. The sync gateway receives only an end-to-end encrypted agent-context envelope; this MCP decrypts it locally with `GETBASED_AGENT_CONTEXT_KEY` and then exposes the same lab context text the getbased AI chat uses — not raw data. `GETBASED_TOKEN` is only the relay bearer token.
 
 ## Tools
 
@@ -116,9 +102,12 @@ The gateway stores context per profile ID. To work with multiple profiles:
 
 ## Setup
 
-### 1. Enable messenger access in getbased
+### 1. Enable Agent Access in getbased
+
+Go to **Settings > Data > Agent Access** and toggle it on. Copy both values:
 
-Go to **Settings > Data > Messenger Access** and toggle it on. Copy the read-only token.
+- **Read-only token** → `GETBASED_TOKEN` for relay authorization
+- **Context encryption key** → `GETBASED_AGENT_CONTEXT_KEY` for local decryption
 
 ### 2. Set up a RAG server (optional — for knowledge_search)
 
@@ -152,7 +141,8 @@ Add to your MCP config (`~/.claude/claude_desktop_config.json` or similar):
       "command": "python3",
       "args": ["/path/to/getbased_mcp.py"],
       "env": {
-        "GETBASED_TOKEN": "your-token-here"
+        "GETBASED_TOKEN": "your-token-here",
+        "GETBASED_AGENT_CONTEXT_KEY": "your-context-key-here"
       }
     }
   }
@@ -167,7 +157,7 @@ hermes mcp add getbased \
   --args /path/to/getbased_mcp.py
 ```
 
-Then set `GETBASED_TOKEN` in `~/.hermes/.env` or in the MCP server's `env` config in `config.yaml`:
+Then set `GETBASED_TOKEN` and `GETBASED_AGENT_CONTEXT_KEY` in `~/.hermes/.env` or in the MCP server's `env` config in `config.yaml`:
 
 ```yaml
 mcp_servers:
@@ -176,6 +166,7 @@ mcp_servers:
     args: [/path/to/getbased_mcp.py]
     env:
       GETBASED_TOKEN: your-token-here
+      GETBASED_AGENT_CONTEXT_KEY: your-context-key-here
 ```
 
 ### 4. Use it
@@ -191,7 +182,8 @@ Ask about your labs in any connected conversation:
 
 | Variable | Required | Description |
 |---|---|---|
-| `GETBASED_TOKEN` | Yes | Read-only token from getbased Settings > Data > Messenger Access |
+| `GETBASED_TOKEN` | Yes | Read-only bearer token from getbased Settings > Data > Agent Access; authorizes fetches from the context gateway |
+| `GETBASED_AGENT_CONTEXT_KEY` | Yes for encrypted Agent Access payloads | Context encryption key from getbased Settings > Data > Agent Access; decrypts the relay payload locally in this MCP |
 | `GETBASED_GATEWAY` | No | Context gateway URL (default: `https://sync.getbased.health`) |
 | `LENS_URL` | No | RAG server URL (default: `http://localhost:8322`). Overrides `LENS_PORT` |
 | `LENS_PORT` | No | RAG server port, only used to build default `LENS_URL` (default: `8322`) |
@@ -241,8 +233,8 @@ That's expected — they're independent. Blood work tools talk to the sync gatew
 
 ## Related projects
 
-- **[getbased](https://github.com/elkimek/get-based)** — the health dashboard. This MCP reads the same lab context the in-app AI chat uses, and queries the same Knowledge Source endpoint configured in Settings → AI → Custom Knowledge Source. The [endpoint contract](https://github.com/elkimek/get-based/blob/main/docs/guide/interpretive-lens.md#for-developers-endpoint-contract) is shared — one server backs both the app and this MCP.
+- **[getbased](https://github.com/elkimek/get-based)** — the health dashboard. This MCP reads the same lab context the in-app AI chat uses, and queries the same Knowledge Source endpoint configured in Settings → AI → Custom Knowledge Source. The [endpoint contract](https://github.com/elkimek/get-based/blob/main/dev-docs/lens-endpoint-contract.md) is shared — one server backs both the app and this MCP.
 
 ## License
 
-GPL-3.0
+AGPL-3.0-or-later

getbased_mcp-0.2.4/README.md → getbased_mcp-0.2.6/getbased_mcp.egg-info/PKG-INFO

@@ -1,3 +1,20 @@
+Metadata-Version: 2.4
+Name: getbased-mcp
+Version: 0.2.6
+Summary: MCP server for querying blood work data and knowledge base from getbased
+License-Expression: AGPL-3.0-or-later
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcp>=1.0.0
+Requires-Dist: httpx>=0.27
+Requires-Dist: cryptography>=42.0
+Provides-Extra: test
+Requires-Dist: pytest>=8.0; extra == "test"
+Requires-Dist: pytest-asyncio>=0.23; extra == "test"
+Requires-Dist: respx>=0.21; extra == "test"
+Dynamic: license-file
+
 # getbased MCP Server
 
 An [MCP](https://modelcontextprotocol.io) server that exposes blood work data and an optional RAG knowledge base from [getbased](https://getbased.health) as tools. Works with any MCP-compatible client (Claude Code, Hermes, Claude Desktop, etc.).
@@ -9,11 +26,13 @@ An [MCP](https://modelcontextprotocol.io) server that exposes blood work data an
 ```
 getbased (browser)
   ├── your data, your mnemonic
-  ├── generates a read-only token
-  └── pushes lab context to sync gateway on every save
+  ├── generates a read-only relay token
+  ├── generates a separate Agent Context encryption key
+  ├── encrypts the rendered agent context with that context key
+  └── pushes ciphertext to sync gateway on every save
 
 Sync Gateway (sync.getbased.health/api/context)
-  └── stores context text behind token auth
+  └── stores encrypted context behind token auth; it cannot read the plaintext
 
 RAG Server (localhost, optional)
   ├── Vector database with embedded chunks
@@ -26,7 +45,7 @@ This MCP Server (on your machine)
   └── exposes everything as tools to any MCP client
 ```
 
-Your mnemonic never leaves your browser. The MCP server receives the same lab context text the getbased AI chat uses — not raw data.
+Your mnemonic never leaves your browser. The sync gateway receives only an end-to-end encrypted agent-context envelope; this MCP decrypts it locally with `GETBASED_AGENT_CONTEXT_KEY` and then exposes the same lab context text the getbased AI chat uses — not raw data. `GETBASED_TOKEN` is only the relay bearer token.
 
 ## Tools
 
@@ -100,9 +119,12 @@ The gateway stores context per profile ID. To work with multiple profiles:
 
 ## Setup
 
-### 1. Enable messenger access in getbased
+### 1. Enable Agent Access in getbased
+
+Go to **Settings > Data > Agent Access** and toggle it on. Copy both values:
 
-Go to **Settings > Data > Messenger Access** and toggle it on. Copy the read-only token.
+- **Read-only token** → `GETBASED_TOKEN` for relay authorization
+- **Context encryption key** → `GETBASED_AGENT_CONTEXT_KEY` for local decryption
 
 ### 2. Set up a RAG server (optional — for knowledge_search)
 
@@ -136,7 +158,8 @@ Add to your MCP config (`~/.claude/claude_desktop_config.json` or similar):
       "command": "python3",
       "args": ["/path/to/getbased_mcp.py"],
       "env": {
-        "GETBASED_TOKEN": "your-token-here"
+        "GETBASED_TOKEN": "your-token-here",
+        "GETBASED_AGENT_CONTEXT_KEY": "your-context-key-here"
       }
     }
   }
@@ -151,7 +174,7 @@ hermes mcp add getbased \
   --args /path/to/getbased_mcp.py
 ```
 
-Then set `GETBASED_TOKEN` in `~/.hermes/.env` or in the MCP server's `env` config in `config.yaml`:
+Then set `GETBASED_TOKEN` and `GETBASED_AGENT_CONTEXT_KEY` in `~/.hermes/.env` or in the MCP server's `env` config in `config.yaml`:
 
 ```yaml
 mcp_servers:
@@ -160,6 +183,7 @@ mcp_servers:
     args: [/path/to/getbased_mcp.py]
     env:
       GETBASED_TOKEN: your-token-here
+      GETBASED_AGENT_CONTEXT_KEY: your-context-key-here
 ```
 
 ### 4. Use it
@@ -175,7 +199,8 @@ Ask about your labs in any connected conversation:
 
 | Variable | Required | Description |
 |---|---|---|
-| `GETBASED_TOKEN` | Yes | Read-only token from getbased Settings > Data > Messenger Access |
+| `GETBASED_TOKEN` | Yes | Read-only bearer token from getbased Settings > Data > Agent Access; authorizes fetches from the context gateway |
+| `GETBASED_AGENT_CONTEXT_KEY` | Yes for encrypted Agent Access payloads | Context encryption key from getbased Settings > Data > Agent Access; decrypts the relay payload locally in this MCP |
 | `GETBASED_GATEWAY` | No | Context gateway URL (default: `https://sync.getbased.health`) |
 | `LENS_URL` | No | RAG server URL (default: `http://localhost:8322`). Overrides `LENS_PORT` |
 | `LENS_PORT` | No | RAG server port, only used to build default `LENS_URL` (default: `8322`) |
@@ -225,8 +250,8 @@ That's expected — they're independent. Blood work tools talk to the sync gatew
 
 ## Related projects
 
-- **[getbased](https://github.com/elkimek/get-based)** — the health dashboard. This MCP reads the same lab context the in-app AI chat uses, and queries the same Knowledge Source endpoint configured in Settings → AI → Custom Knowledge Source. The [endpoint contract](https://github.com/elkimek/get-based/blob/main/docs/guide/interpretive-lens.md#for-developers-endpoint-contract) is shared — one server backs both the app and this MCP.
+- **[getbased](https://github.com/elkimek/get-based)** — the health dashboard. This MCP reads the same lab context the in-app AI chat uses, and queries the same Knowledge Source endpoint configured in Settings → AI → Custom Knowledge Source. The [endpoint contract](https://github.com/elkimek/get-based/blob/main/dev-docs/lens-endpoint-contract.md) is shared — one server backs both the app and this MCP.
 
 ## License
 
-GPL-3.0
+AGPL-3.0-or-later

{getbased_mcp-0.2.4 → getbased_mcp-0.2.6}/getbased_mcp.egg-info/requires.txt

@@ -1,5 +1,6 @@
 mcp>=1.0.0
 httpx>=0.27
+cryptography>=42.0
 
 [test]
 pytest>=8.0

{getbased_mcp-0.2.4 → getbased_mcp-0.2.6}/getbased_mcp.py

@@ -2,7 +2,7 @@
 """getbased MCP server — exposes blood work data and knowledge base search as tools.
 
 Architecture:
-  getbased (browser) → sync gateway → this MCP → your AI client
+  getbased (browser encrypts context) → sync gateway → this MCP decrypts → AI client
                                           ↕
                                     Lens RAG server (Qdrant + BGE-M3)
 
@@ -11,7 +11,10 @@ Knowledge base queries go through the Lens RAG server (separate process).
 No models are loaded in this process — everything is HTTP.
 """
 
+import base64
+import binascii
 import functools
+import hashlib
 import json
 import logging
 import os
@@ -19,6 +22,10 @@ import re
 import time
 
 import httpx
+from cryptography.exceptions import InvalidTag
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from mcp.server.fastmcp import FastMCP
 
 
@@ -63,7 +70,10 @@ mcp = FastMCP("getbased")
 
 # ── Config ───────────────────────────────────────────────────────────
 TOKEN = os.environ.get("GETBASED_TOKEN", "")
+AGENT_CONTEXT_KEY = os.environ.get("GETBASED_AGENT_CONTEXT_KEY", "")
 GATEWAY = os.environ.get("GETBASED_GATEWAY", "https://sync.getbased.health")
+AGENT_CONTEXT_V1_KDF_INFO = b"getbased-agent-access-context-v1"
+AGENT_CONTEXT_AAD_PREFIX = b"getbased-agent-context-v2"
 
 LENS_URL = os.environ.get("LENS_URL", f"http://localhost:{os.environ.get('LENS_PORT', '8322')}")
 
@@ -178,8 +188,134 @@ def _instrumented(label: str):
 
 # ── Helpers ──────────────────────────────────────────────────────────
 
-async def _fetch_context(profile: str = "") -> dict:
-    """Fetch formatted lab context from the getbased sync gateway."""
+def _token_bytes(token: str) -> bytes:
+    token = (token or "").strip()
+    if re.fullmatch(r"[0-9a-fA-F]{64}", token):
+        try:
+            return bytes.fromhex(token)
+        except ValueError:
+            pass
+    return token.encode("utf-8")
+
+
+def _decode_agent_context_key(value: str) -> bytes:
+    key = (value or "").strip()
+    if not key:
+        raise ValueError("GETBASED_AGENT_CONTEXT_KEY not set")
+    if key.startswith("gbctx_v1_"):
+        key = key[len("gbctx_v1_"):]
+    padded = key + "=" * (-len(key) % 4)
+    try:
+        raw = base64.urlsafe_b64decode(padded.encode("ascii"))
+    except (binascii.Error, UnicodeEncodeError) as e:
+        raise ValueError("GETBASED_AGENT_CONTEXT_KEY is not valid base64url") from e
+    if len(raw) != 32:
+        raise ValueError("GETBASED_AGENT_CONTEXT_KEY must decode to 32 bytes")
+    return raw
+
+
+def _agent_context_key_id(raw_key: bytes) -> str:
+    return base64.urlsafe_b64encode(hashlib.sha256(raw_key).digest()[:12]).decode("ascii").rstrip("=")
+
+
+def _b64decode_required(value: object, field: str) -> bytes:
+    if not isinstance(value, str) or not value:
+        raise ValueError(f"encrypted context missing {field}")
+    try:
+        return base64.b64decode(value, validate=True)
+    except binascii.Error as e:
+        raise ValueError(f"encrypted context has invalid base64 in {field}") from e
+
+
+def _decrypt_agent_context(envelope: dict, profile_id: str) -> str:
+    """Decrypt a browser-produced Agent Access context envelope.
+
+    v2 separates relay authorization from content secrecy: GETBASED_TOKEN
+    authorizes the HTTPS fetch, while GETBASED_AGENT_CONTEXT_KEY decrypts the
+    AES-256-GCM payload locally. v1 token-derived envelopes remain readable as
+    a temporary rollout fallback.
+    """
+    if not isinstance(envelope, dict):
+        raise ValueError("encrypted context envelope is invalid")
+    version = envelope.get("version")
+    if envelope.get("alg") != "AES-256-GCM":
+        raise ValueError("unsupported encrypted context crypto parameters")
+
+    iv = _b64decode_required(envelope.get("iv"), "iv")
+    ciphertext = _b64decode_required(envelope.get("ciphertext"), "ciphertext")
+
+    if version == 2:
+        if envelope.get("keyDerivation") != "raw-256-bit-key":
+            raise ValueError("unsupported encrypted context crypto parameters")
+        raw_key = _decode_agent_context_key(AGENT_CONTEXT_KEY)
+        key_id = envelope.get("keyId")
+        if key_id and key_id != _agent_context_key_id(raw_key):
+            raise ValueError("encrypted context could not be decrypted with this Agent Context key")
+        aad = AGENT_CONTEXT_AAD_PREFIX + b":" + (profile_id or "default").encode("utf-8")
+        failure = "encrypted context could not be decrypted with this Agent Context key"
+    elif version == 1:
+        if not TOKEN:
+            raise ValueError("GETBASED_TOKEN not set")
+        if envelope.get("kdf") != "HKDF-SHA-256":
+            raise ValueError("unsupported encrypted context crypto parameters")
+        salt = _b64decode_required(envelope.get("salt"), "salt")
+        raw_key = HKDF(
+            algorithm=hashes.SHA256(),
+            length=32,
+            salt=salt,
+            info=AGENT_CONTEXT_V1_KDF_INFO,
+        ).derive(_token_bytes(TOKEN))
+        aad = AGENT_CONTEXT_V1_KDF_INFO + b":" + (profile_id or "default").encode("utf-8")
+        failure = "encrypted context could not be decrypted with this Agent Access token"
+    else:
+        raise ValueError("unsupported encrypted context version")
+
+    try:
+        plaintext = AESGCM(raw_key).decrypt(iv, ciphertext, aad)
+        return plaintext.decode("utf-8")
+    except InvalidTag as e:
+        raise ValueError(failure) from e
+    except UnicodeDecodeError as e:
+        raise ValueError("encrypted context decrypted to invalid UTF-8") from e
+
+
+def _decode_context_payload(data: dict) -> dict:
+    """Return gateway payload with plaintext `context` restored for tool code.
+
+    Legacy plaintext gateway rows are still accepted so existing users do not
+    lose access during rollout. New browser builds publish an encrypted JSON
+    envelope inside the relay's legacy `context` string field, because the
+    deployed relay validates that `context` is a string.
+    """
+    if not isinstance(data, dict):
+        return {"error": "getbased gateway returned invalid payload"}
+    envelope = data.get("encryptedContext")
+    context_value = data.get("context")
+    if not envelope and isinstance(context_value, str):
+        try:
+            parsed_context = json.loads(context_value)
+            if isinstance(parsed_context, dict):
+                envelope = parsed_context.get("encryptedContext")
+        except json.JSONDecodeError:
+            envelope = None
+    if envelope:
+        try:
+            profile_id = str(data.get("profileId") or "default")
+            decoded = dict(data)
+            decoded["context"] = _decrypt_agent_context(envelope, profile_id)
+            decoded.pop("encryptedContext", None)
+            return decoded
+        except ValueError as e:
+            return {"error": str(e)}
+    return data
+
+
+async def _fetch_context(profile: str = "", *, decrypt_context: bool = True) -> dict:
+    """Fetch formatted lab context from the getbased sync gateway.
+
+    Profile discovery only needs token-authenticated metadata. Keep it usable
+    even on token-only installs by letting callers opt out of context decrypt.
+    """
     if not TOKEN:
         return {"error": "GETBASED_TOKEN not set"}
     try:
@@ -191,7 +327,8 @@ async def _fetch_context(profile: str = "") -> dict:
                 params=params,
             )
             r.raise_for_status()
-            return r.json()
+            data = r.json()
+            return _decode_context_payload(data) if decrypt_context else data
     except httpx.HTTPStatusError as e:
         return {"error": f"getbased gateway returned {e.response.status_code}"}
     except httpx.RequestError as e:
@@ -526,7 +663,7 @@ async def getbased_wearables_series(
 @_instrumented("getbased_list_profiles")
 async def getbased_list_profiles() -> str:
     """List all available profiles in getbased."""
-    data = await _fetch_context()
+    data = await _fetch_context(decrypt_context=False)
     if "error" in data:
         return f"Error: {data['error']}"
     profiles = data.get("profiles") or []

{getbased_mcp-0.2.4 → getbased_mcp-0.2.6}/pyproject.toml

@@ -4,14 +4,15 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "getbased-mcp"
-version = "0.2.4"
+version = "0.2.6"
 description = "MCP server for querying blood work data and knowledge base from getbased"
 readme = "README.md"
-license = "GPL-3.0-only"
+license = "AGPL-3.0-or-later"
 requires-python = ">=3.10"
 dependencies = [
     "mcp>=1.0.0",
     "httpx>=0.27",
+    "cryptography>=42.0",
 ]
 
 [project.optional-dependencies]

{getbased_mcp-0.2.4 → getbased_mcp-0.2.6}/tests/test_tools.py

@@ -8,8 +8,13 @@ Uses respx to intercept httpx calls. Verifies:
 """
 from __future__ import annotations
 
+import json
+
 import pytest
 import respx
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from httpx import Response
 
 
@@ -21,6 +26,47 @@ GATEWAY_CONTEXT_URL = "https://gateway.test/api/context"
 LENS_URL_PREFIX = "http://lens.test:8322"
 
 
+def _encrypted_context_payload(gm, context: str, profile_id: str = "abc", *, version: int = 2) -> dict:
+    import base64
+
+    iv = bytes(range(16, 28))
+    if version == 2:
+        raw_key = gm._decode_agent_context_key(gm.AGENT_CONTEXT_KEY)
+        aad = gm.AGENT_CONTEXT_AAD_PREFIX + b":" + profile_id.encode("utf-8")
+        ciphertext = AESGCM(raw_key).encrypt(iv, context.encode("utf-8"), aad)
+        envelope = {
+            "version": 2,
+            "alg": "AES-256-GCM",
+            "keyDerivation": "raw-256-bit-key",
+            "keyId": gm._agent_context_key_id(raw_key),
+            "iv": base64.b64encode(iv).decode("ascii"),
+            "ciphertext": base64.b64encode(ciphertext).decode("ascii"),
+        }
+    else:
+        salt = bytes(range(16))
+        key = HKDF(
+            algorithm=hashes.SHA256(),
+            length=32,
+            salt=salt,
+            info=gm.AGENT_CONTEXT_V1_KDF_INFO,
+        ).derive(gm._token_bytes(gm.TOKEN))
+        aad = gm.AGENT_CONTEXT_V1_KDF_INFO + b":" + profile_id.encode("utf-8")
+        ciphertext = AESGCM(key).encrypt(iv, context.encode("utf-8"), aad)
+        envelope = {
+            "version": 1,
+            "alg": "AES-256-GCM",
+            "kdf": "HKDF-SHA-256",
+            "info": gm.AGENT_CONTEXT_V1_KDF_INFO.decode("utf-8"),
+            "salt": base64.b64encode(salt).decode("ascii"),
+            "iv": base64.b64encode(iv).decode("ascii"),
+            "ciphertext": base64.b64encode(ciphertext).decode("ascii"),
+        }
+    return {
+        "profileId": profile_id,
+        "context": json.dumps({"encryptedContext": envelope}),
+    }
+
+
 @pytest.mark.asyncio
 @respx.mock
 async def test_getbased_list_profiles_happy(gm) -> None:
@@ -47,6 +93,20 @@ async def test_getbased_list_profiles_no_token(gm, monkeypatch: pytest.MonkeyPat
     assert "GETBASED_TOKEN not set" in out
 
 
+@pytest.mark.asyncio
+@respx.mock
+async def test_getbased_list_profiles_works_without_context_key_for_encrypted_payload(gm, monkeypatch: pytest.MonkeyPatch) -> None:
+    payload = _encrypted_context_payload(gm, "[section:hormones]\nsecret\n[/section:hormones]", profile_id="abc")
+    payload["profiles"] = [{"id": "abc", "name": "Main"}]
+    monkeypatch.setattr(gm, "AGENT_CONTEXT_KEY", "")
+    respx.get(GATEWAY_CONTEXT_URL).mock(return_value=Response(200, json=payload))
+
+    out = await gm.getbased_list_profiles()
+
+    assert "abc  Main" in out
+    assert "GETBASED_AGENT_CONTEXT_KEY" not in out
+
+
 @pytest.mark.asyncio
 @respx.mock
 async def test_getbased_lab_context_happy(gm) -> None:
@@ -61,6 +121,89 @@ async def test_getbased_lab_context_happy(gm) -> None:
     assert "testosterone" in out
 
 
+@pytest.mark.asyncio
+@respx.mock
+async def test_getbased_lab_context_decrypts_agent_access_payload(gm) -> None:
+    plaintext = "[section:hormones]\ntestosterone: 18.4 nmol/L\n[/section:hormones]"
+    payload = _encrypted_context_payload(gm, plaintext, profile_id="abc")
+    assert "testosterone" not in payload["context"]
+    respx.get(GATEWAY_CONTEXT_URL).mock(return_value=Response(200, json=payload))
+
+    out = await gm.getbased_lab_context()
+
+    assert "Profile: abc" in out
+    assert "testosterone: 18.4" in out
+    assert "encryptedContext" not in out
+
+
+@pytest.mark.asyncio
+@respx.mock
+async def test_getbased_lab_context_rejects_wrong_agent_context_key(gm, monkeypatch: pytest.MonkeyPatch) -> None:
+    payload = _encrypted_context_payload(gm, "[section:hormones]\nsecret\n[/section:hormones]", profile_id="abc")
+    monkeypatch.setattr(gm, "AGENT_CONTEXT_KEY", "gbctx_v1_ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8")
+    respx.get(GATEWAY_CONTEXT_URL).mock(return_value=Response(200, json=payload))
+
+    out = await gm.getbased_lab_context()
+
+    assert "Error:" in out
+    assert "could not be decrypted" in out
+
+
+@pytest.mark.asyncio
+@respx.mock
+async def test_getbased_lab_context_token_alone_cannot_decrypt_v2(gm, monkeypatch: pytest.MonkeyPatch) -> None:
+    payload = _encrypted_context_payload(gm, "[section:hormones]\nsecret\n[/section:hormones]", profile_id="abc")
+    monkeypatch.setattr(gm, "AGENT_CONTEXT_KEY", "")
+    respx.get(GATEWAY_CONTEXT_URL).mock(return_value=Response(200, json=payload))
+
+    out = await gm.getbased_lab_context()
+
+    assert "Error:" in out
+    assert "GETBASED_AGENT_CONTEXT_KEY not set" in out
+
+
+@pytest.mark.asyncio
+@respx.mock
+async def test_getbased_lab_context_rejects_non_utf8_plaintext(gm) -> None:
+    import base64
+
+    profile_id = "abc"
+    raw_key = gm._decode_agent_context_key(gm.AGENT_CONTEXT_KEY)
+    iv = bytes(range(16, 28))
+    aad = gm.AGENT_CONTEXT_AAD_PREFIX + b":" + profile_id.encode("utf-8")
+    ciphertext = AESGCM(raw_key).encrypt(iv, b"\xff\xfe\xfd", aad)
+    payload = {
+        "profileId": profile_id,
+        "context": json.dumps({"encryptedContext": {
+            "version": 2,
+            "alg": "AES-256-GCM",
+            "keyDerivation": "raw-256-bit-key",
+            "keyId": gm._agent_context_key_id(raw_key),
+            "iv": base64.b64encode(iv).decode("ascii"),
+            "ciphertext": base64.b64encode(ciphertext).decode("ascii"),
+        }}),
+    }
+    respx.get(GATEWAY_CONTEXT_URL).mock(return_value=Response(200, json=payload))
+
+    out = await gm.getbased_lab_context()
+
+    assert "Error:" in out
+    assert "invalid UTF-8" in out
+
+
+@pytest.mark.asyncio
+@respx.mock
+async def test_getbased_lab_context_keeps_v1_rollout_fallback(gm, monkeypatch: pytest.MonkeyPatch) -> None:
+    plaintext = "[section:hormones]\nlegacy secret\n[/section:hormones]"
+    payload = _encrypted_context_payload(gm, plaintext, profile_id="abc", version=1)
+    monkeypatch.setattr(gm, "AGENT_CONTEXT_KEY", "")
+    respx.get(GATEWAY_CONTEXT_URL).mock(return_value=Response(200, json=payload))
+
+    out = await gm.getbased_lab_context()
+
+    assert "legacy secret" in out
+
+
 @pytest.mark.asyncio
 @respx.mock
 async def test_getbased_lab_context_gateway_error(gm) -> None:

getbased_mcp-0.2.4/LICENSE

@@ -1,22 +0,0 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  For the full license text, see <https://www.gnu.org/licenses/gpl-3.0.txt>