feat(BUY-9085): add JWS-signed Agent Card at .well-known/agent.json #36
Open
…lthz endpoint to Node.js MCP dist
…thog.ts, rebuild dist files, fix Node.js MCP healthz endpoint (BUY-5978)
…cy), increase initialDelay to 30s
Previously call_tool extracted the API key from the ApiKey model using key_hash, which is a bcrypt hash — not usable as a bearer token for downstream calls. Extract the raw Authorization header Bearer value instead, matching what the client actually sent. Fixes BUY-5978 Co-Authored-By: Paperclip <noreply@paperclip.ing>
…I_KEY Co-Authored-By: Paperclip <noreply@paperclip.ing>
… @buywhere/mcp-server
- Remove 'not yet published' callout and STDIO 'coming soon' text
- Add local package install path (npx -y @buywhere/mcp-server)
- Add STDIO config examples for Claude Desktop and Cursor alongside HTTP transport
Co-Authored-By: Paperclip <noreply@paperclip.ing>
…p-server
- Remove 'not yet published' callout and 'coming soon' STDIO text
- Add local package install path (npx -y @buywhere/mcp-server)
- Add STDIO config examples for Claude Desktop and Cursor alongside HTTP transport
- Remove duplicate 'Configure Cursor' section that was an accidental copy-paste
Co-Authored-By: Paperclip <noreply@paperclip.ing>
…conf Proxies /mcp/ requests to the API backend (127.0.0.1:8000) which should have the MCP router mounted. Fixes 404 on /mcp/ after nginx adds a trailing slash redirect.
- Detect Paperclip JWT tokens by decoding payload (iss/aud check)
- Verify tokens via GET /api/agents/me on Paperclip API
- Auto-provision agent API keys on first valid token (enterprise tier)
- Reuse provisioned keys on subsequent calls via signup_channel lookup
- Replace inline res.status().json() with structured sendError/sendRateLimitError
Co-Authored-By: Paperclip <noreply@paperclip.ing>
…n migration on deploy
Merge fix/BUY-8065-paperclip-jwt into main
- Paperclip JWT auth middleware
- API key auto-provisioning for Paperclip agents
- merchants/merchant_events table migration
- Deploy workflow: add migration step, remove GAR token logic
…ript build
The middleware/errors.ts module was missing from this branch, causing TypeScript compilation failures in apiKey.ts and developers.ts.
- Add api/src/middleware/errors.ts with ErrorCode enum, sendError, and sendRateLimitError helper functions
- Add corresponding compiled dist files
- Regenerate all stale dist files from successful tsc build
This is a prerequisite for the MCP Docker build (Dockerfile.mcp), which runs tsc during image build and was failing without this module.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Added import for metricsRouter from ./routes/metrics
- Mounted at /admin/metrics matching existing pattern
- Route file (api/src/routes/metrics.ts) already had correct query logic
Co-Authored-By: Paperclip <noreply@paperclip.ing>
…ith JWKS
- Generate ES256 keypair for buywhere.ai domain-bound identity
- Pre-sign Agent Card with JWS compact serialization (alg:ES256, kid:buywhere-agent-card)
- Add src/app/.well-known/agent.json/route.ts with signed card + Cache-Control
- Add src/app/.well-known/jwks.json/route.ts for public key verification
- Add scripts/gen-agent-keys.mjs, sign-agent-card.mjs, verify-agent-card.mjs
- Ignore private/ directory for key material
Summary
- .well-known/agent.json route
- .well-known/jwks.json route
Verification
JWS signature verified end-to-end. Payload matches canonical card JSON, signature valid against JWKS public key.
Next steps
Merge to main -> Cloud Run deployment triggers automatically.
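
The verification step summarized above, as an added example that is not the PR's own `verify-agent-card.mjs`: a verifier for a compact JWS Agent Card that pins `alg` to ES256 and the `kid` to the expected value before checking the signature against the JWKS. The function names, the JWKS entry shape and the one-field sample card are assumptions; the key pair is generated inline as constructed sample data.

```javascript
// Added example, not the PR's code. Verifies a compact JWS against a JWKS.
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// Returns the parsed card on success and throws on any failure.
function verifyAgentCard(jws, jwks, expectedKid) {
  const parts = jws.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64u(h).toString('utf8'));
  // Pin alg and kid on the verifier side; the header must not choose them.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  if (header.kid !== expectedKid) throw new Error('unexpected kid');
  const jwk = jwks.keys.find((k) => k.kid === expectedKid);
  if (!jwk || jwk.kty !== 'EC' || jwk.crv !== 'P-256') throw new Error('no usable key');
  const sig = fromB64u(s);
  if (sig.length !== 64) throw new Error('bad signature length'); // raw r||s
  // Import only the public EC fields from the JWKS entry.
  const key = crypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('signature invalid');
  return JSON.parse(fromB64u(p).toString('utf8'));
}

// Boolean wrapper for callers that only need accept/reject.
function accepts(jws, jwks, kid) {
  try { verifyAgentCard(jws, jwks, kid); return true; } catch { return false; }
}

// Constructed sample: throwaway key and a minimal card, signed here so the
// example runs offline. The real card and key are not shown on the page.
function makeSample() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const kid = 'buywhere-agent-card'; // kid named in the commit message
  const pub = publicKey.export({ format: 'jwk' });
  const jwks = { keys: [{ ...pub, kid, alg: 'ES256', use: 'sig' }] };
  const h = b64u(JSON.stringify({ alg: 'ES256', kid }));
  const p = b64u(JSON.stringify({ name: 'example-agent' }));
  const sig = crypto.sign('sha256', Buffer.from(`${h}.${p}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return { jws: `${h}.${p}.${sig.toString('base64url')}`, jwks, kid };
}
```

`dsaEncoding: 'ieee-p1363'` matters here: JWS ES256 carries the signature as raw 64-byte r||s, while Node's default for ECDSA is DER.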