@agentrix/shared 2.2.3 → 2.2.5

package/dist/index.cjs

@@ -1,11 +1,10 @@
 'use strict';
 
 var zod = require('zod');
-var node_fs = require('node:fs');
-var node_path = require('node:path');
-var os = require('node:os');
 var tweetnacl = require('tweetnacl');
 var base64js = require('base64-js');
+var CryptoJS = require('crypto-js');
+var errors = require('./errors-myQvpVrM.cjs');
 
 function _interopNamespaceDefault(e) {
   var n = Object.create(null);
@@ -24,7 +23,6 @@ function _interopNamespaceDefault(e) {
   return Object.freeze(n);
 }
 
-var os__namespace = /*#__PURE__*/_interopNamespaceDefault(os);
 var base64js__namespace = /*#__PURE__*/_interopNamespaceDefault(base64js);
 
 const ApiErrorSchema = zod.z.object({
@@ -1352,6 +1350,235 @@ const RpcResponseSchema = zod.z.object({
   }).optional()
 });
 
+async function hmac_sha512(key, data) {
+  const keyWordArray = CryptoJS.lib.WordArray.create(key);
+  const dataWordArray = CryptoJS.lib.WordArray.create(data);
+  const hmac = CryptoJS.HmacSHA512(dataWordArray, keyWordArray);
+  const words = hmac.words;
+  const sigBytes = hmac.sigBytes;
+  const result = new Uint8Array(sigBytes);
+  for (let i = 0; i < sigBytes; i++) {
+    const byte = words[i >>> 2] >>> 24 - i % 4 * 8 & 255;
+    result[i] = byte;
+  }
+  return result;
+}
+
+async function deriveSecretKeyTreeRoot(seed, usage) {
+  const I = await hmac_sha512(new TextEncoder().encode(usage + " Master Seed"), seed);
+  return {
+    key: I.slice(0, 32),
+    chainCode: I.slice(32)
+  };
+}
+async function deriveSecretKeyTreeChild(chainCode, index) {
+  const data = new Uint8Array([0, ...new TextEncoder().encode(index)]);
+  const I = await hmac_sha512(chainCode, data);
+  return {
+    key: I.subarray(0, 32),
+    chainCode: I.subarray(32)
+  };
+}
+async function deriveKey(master, usage, path) {
+  let state = await deriveSecretKeyTreeRoot(master, usage);
+  let remaining = [...path];
+  while (remaining.length > 0) {
+    let index = remaining[0];
+    remaining = remaining.slice(1);
+    state = await deriveSecretKeyTreeChild(state.chainCode, index);
+  }
+  return state.key;
+}
+
+function encodeBase64(buffer, variant = "base64") {
+  if (variant === "base64url") {
+    return encodeBase64Url(buffer);
+  }
+  return base64js__namespace.fromByteArray(buffer);
+}
+function encodeBase64Url(buffer) {
+  return base64js__namespace.fromByteArray(buffer).replaceAll("+", "-").replaceAll("/", "_").replaceAll("=", "");
+}
+function decodeBase64(base64, variant = "base64") {
+  if (!base64) {
+    throw new Error("Invalid base64 input: must be a non-empty string");
+  }
+  const cleaned = base64.replace(/\s/g, "");
+  if (!cleaned) {
+    throw new Error("Invalid base64 input: empty after removing whitespace");
+  }
+  try {
+    if (variant === "base64url") {
+      let base64Standard = cleaned.replace(/-/g, "+").replace(/_/g, "/");
+      const padding = (4 - base64Standard.length % 4) % 4;
+      if (padding > 0) {
+        base64Standard += "=".repeat(padding);
+      }
+      return base64js__namespace.toByteArray(base64Standard);
+    }
+    return base64js__namespace.toByteArray(cleaned);
+  } catch (error) {
+    throw new Error(`Failed to decode base64 (variant: ${variant}): ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+function getRandomBytes(size) {
+  return tweetnacl.randomBytes(size);
+}
+function generateAESKey() {
+  return getRandomBytes(tweetnacl.secretbox.keyLength);
+}
+function generateAESKeyBase64(variant = "base64") {
+  const key = generateAESKey();
+  return encodeBase64(key, variant);
+}
+function encryptAES(data, dataKey) {
+  if (dataKey.length !== tweetnacl.secretbox.keyLength) {
+    throw new Error(`Invalid key length: expected ${tweetnacl.secretbox.keyLength}, got ${dataKey.length}`);
+  }
+  const nonce = getRandomBytes(tweetnacl.secretbox.nonceLength);
+  const plaintext = new TextEncoder().encode(JSON.stringify(data));
+  const encrypted = tweetnacl.secretbox(plaintext, nonce, dataKey);
+  const bundle = new Uint8Array(1 + nonce.length + encrypted.length);
+  bundle.set([0], 0);
+  bundle.set(nonce, 1);
+  bundle.set(encrypted, 1 + nonce.length);
+  return bundle;
+}
+function decryptAES(bundle, dataKey) {
+  if (dataKey.length !== tweetnacl.secretbox.keyLength) {
+    return null;
+  }
+  if (bundle.length < 1) {
+    return null;
+  }
+  if (bundle[0] !== 0) {
+    return null;
+  }
+  const minLength = 1 + tweetnacl.secretbox.nonceLength + tweetnacl.secretbox.overheadLength;
+  if (bundle.length < minLength) {
+    return null;
+  }
+  const nonce = bundle.slice(1, 1 + tweetnacl.secretbox.nonceLength);
+  const ciphertext = bundle.slice(1 + tweetnacl.secretbox.nonceLength);
+  try {
+    const decrypted = tweetnacl.secretbox.open(ciphertext, nonce, dataKey);
+    if (!decrypted) {
+      return null;
+    }
+    return JSON.parse(new TextDecoder().decode(decrypted));
+  } catch (error) {
+    return null;
+  }
+}
+async function createKeyPairWithUit8Array(masterSecret) {
+  const contentDataKey = await deriveKey(masterSecret, "Agentrix EnCoder", ["content"]);
+  return tweetnacl.box.keyPair.fromSecretKey(contentDataKey);
+}
+async function createKeyPair(masterSecret, variant = "base64") {
+  return await createKeyPairWithUit8Array(decodeBase64(masterSecret, variant));
+}
+function decryptWithEphemeralKey(encryptedBundle, secretKey) {
+  const ephemeralPublicKey = encryptedBundle.slice(0, 32);
+  const nonce = encryptedBundle.slice(32, 32 + tweetnacl.box.nonceLength);
+  const encrypted = encryptedBundle.slice(32 + tweetnacl.box.nonceLength);
+  const decrypted = tweetnacl.box.open(encrypted, nonce, ephemeralPublicKey, secretKey);
+  if (!decrypted) {
+    return null;
+  }
+  return decrypted;
+}
+function encryptWithEphemeralKey(data, publicKey) {
+  const ephemeralKeyPair = tweetnacl.box.keyPair();
+  const nonce = getRandomBytes(tweetnacl.box.nonceLength);
+  const encrypted = tweetnacl.box(data, nonce, publicKey, ephemeralKeyPair.secretKey);
+  const result = new Uint8Array(ephemeralKeyPair.publicKey.length + nonce.length + encrypted.length);
+  result.set(ephemeralKeyPair.publicKey, 0);
+  result.set(nonce, ephemeralKeyPair.publicKey.length);
+  result.set(encrypted, ephemeralKeyPair.publicKey.length + nonce.length);
+  return result;
+}
+function encryptSdkMessage(message, dataKey) {
+  const encryptedWithVersion = encryptAES(message, dataKey);
+  const encryptedWithoutVersion = encryptedWithVersion.slice(1);
+  return encodeBase64(encryptedWithoutVersion);
+}
+function decryptSdkMessage(encryptedMessage, dataKey) {
+  try {
+    const encryptedWithoutVersion = decodeBase64(encryptedMessage);
+    const encryptedWithVersion = new Uint8Array(1 + encryptedWithoutVersion.length);
+    encryptedWithVersion.set([0], 0);
+    encryptedWithVersion.set(encryptedWithoutVersion, 1);
+    return decryptAES(encryptedWithVersion, dataKey);
+  } catch (error) {
+    return null;
+  }
+}
+function encryptMachineEncryptionKey(machinePublicKey, aesKey, userPublicKey) {
+  if (machinePublicKey.length !== 32) {
+    throw new Error(`Invalid machine public key length: expected 32, got ${machinePublicKey.length}`);
+  }
+  if (aesKey.length !== tweetnacl.secretbox.keyLength) {
+    throw new Error(`Invalid AES key length: expected ${tweetnacl.secretbox.keyLength}, got ${aesKey.length}`);
+  }
+  if (userPublicKey.length !== 32) {
+    throw new Error(`Invalid user public key length: expected 32, got ${userPublicKey.length}`);
+  }
+  const combined = new Uint8Array(machinePublicKey.length + aesKey.length);
+  combined.set(machinePublicKey, 0);
+  combined.set(aesKey, machinePublicKey.length);
+  const encrypted = encryptWithEphemeralKey(combined, userPublicKey);
+  return encodeBase64(encrypted);
+}
+function decryptMachineEncryptionKey(encryptedData, userPrivateKey) {
+  if (userPrivateKey.length !== 32) {
+    return null;
+  }
+  try {
+    const encryptedBundle = decodeBase64(encryptedData);
+    const decrypted = decryptWithEphemeralKey(encryptedBundle, userPrivateKey);
+    if (!decrypted) {
+      return null;
+    }
+    const expectedLength = 32 + tweetnacl.secretbox.keyLength;
+    if (decrypted.length !== expectedLength) {
+      return null;
+    }
+    const machinePublicKey = decrypted.slice(0, 32);
+    const aesKey = decrypted.slice(32);
+    return { machinePublicKey, aesKey };
+  } catch (error) {
+    return null;
+  }
+}
+function createTaskEncryptionPayload(machineEncryptionKey) {
+  const taskDataKey = generateAESKey();
+  return {
+    taskDataKey,
+    dataEncryptionKey: encodeBase64(
+      encryptWithEphemeralKey(taskDataKey, machineEncryptionKey.machinePublicKey)
+    ),
+    ownerEncryptedDataKey: encodeBase64(
+      encryptAES(encodeBase64(taskDataKey), machineEncryptionKey.aesKey)
+    )
+  };
+}
+function encryptFileContent(fileContentBase64, dataKey) {
+  const encryptedWithVersion = encryptAES(fileContentBase64, dataKey);
+  const encryptedWithoutVersion = encryptedWithVersion.slice(1);
+  return encodeBase64(encryptedWithoutVersion);
+}
+function decryptFileContent(encryptedContent, dataKey) {
+  try {
+    const encryptedWithoutVersion = decodeBase64(encryptedContent);
+    const encryptedWithVersion = new Uint8Array(1 + encryptedWithoutVersion.length);
+    encryptedWithVersion.set([0], 0);
+    encryptedWithVersion.set(encryptedWithoutVersion, 1);
+    return decryptAES(encryptedWithVersion, dataKey);
+  } catch (error) {
+    return null;
+  }
+}
+
 const AskUserOptionSchema = zod.z.object({
   label: zod.z.string(),
   // Option label (1-5 words)
@@ -1400,8 +1627,11 @@ function isCompanionHeartbeatMessage(message) {
 function isCompanionReminderMessage(message) {
   return typeof message === "object" && message !== null && "type" in message && message.type === "companion_reminder";
 }
+function isSubTaskAskUserMessage(message) {
+  return typeof message === "object" && message !== null && "type" in message && message.type === "sub_task_ask_user";
+}
 function isSDKMessage(message) {
-  return typeof message === "object" && message !== null && "type" in message && message.type !== "ask_user" && message.type !== "ask_user_response" && message.type !== "companion_heartbeat" && message.type !== "companion_reminder";
+  return typeof message === "object" && message !== null && "type" in message && message.type !== "ask_user" && message.type !== "ask_user_response" && message.type !== "companion_heartbeat" && message.type !== "companion_reminder" && message.type !== "sub_task_ask_user";
 }
 function isSDKUserMessage(message) {
   return isSDKMessage(message) && message.type === "user";
@@ -1410,7 +1640,10 @@ const EventBaseSchema = zod.z.object({
   eventId: zod.z.string()
 });
 const createEventId = () => {
-  return `event-${crypto.randomUUID()}`;
+  const bytes = getRandomBytes(16);
+  const hex = Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const uuid = `${hex.slice(0, 8)}-${hex.slice(8, 12)}-4${hex.slice(13, 16)}-${(parseInt(hex.slice(16, 18), 16) & 63 | 128).toString(16).padStart(2, "0")}${hex.slice(18, 20)}-${hex.slice(20, 32)}`;
+  return `event-${uuid}`;
 };
 const EventAckSchema = EventBaseSchema.extend({
   status: zod.z.enum(["success", "failed"]),
@@ -2050,305 +2283,21 @@ function workerAuth(token, machineId, taskId) {
   };
 }
 
-let agentContext = null;
-function setAgentContext(context) {
-  agentContext = context;
-}
-function getAgentContext() {
-  if (!agentContext) {
-    throw new Error("Agent context not initialized. Call setAgentContext() first.");
-  }
-  return agentContext;
-}
-
-const FRAMEWORK_TYPES = ["claude", "codex"];
-
-const AgentMetadataSchema = zod.z.object({
+const CompanionWorkspaceFileSchema = zod.z.object({
   name: zod.z.string(),
-  version: zod.z.string(),
-  description: zod.z.string().optional()
+  path: zod.z.string(),
+  // relative to workspace root
+  size: zod.z.number(),
+  modifiedAt: zod.z.number(),
+  isDirectory: zod.z.boolean()
 });
-const ClaudeConfigSchema = zod.z.object({
-  // SDK native model configuration
-  model: zod.z.string().optional(),
-  fallbackModel: zod.z.string().optional(),
-  maxTurns: zod.z.number().int().positive().optional(),
-  // SDK native extra arguments
-  extraArgs: zod.z.record(zod.z.string(), zod.z.string().nullable()).optional(),
-  systemPrompt: zod.z.object({
-    path: zod.z.string(),
-    mode: zod.z.enum(["append", "replace"]).optional().default("append")
-  }).optional(),
-  settings: zod.z.object({
-    permissionMode: zod.z.enum(["default", "acceptEdits", "bypassPermissions", "plan"]).optional(),
-    allowedTools: zod.z.array(zod.z.string()).optional()
-  }).optional(),
-  pullRequestPrompt: zod.z.object({
-    path: zod.z.string(),
-    mode: zod.z.enum(["append", "replace"]).optional().default("append")
-  }).optional(),
-  // SDK MCP Tools - scripts that export createSdkMcpServer()
-  sdkMcpTools: zod.z.array(zod.z.string()).optional()
-});
-
-class AgentError extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "AgentError";
-  }
-}
-class AgentNotFoundError extends AgentError {
-  constructor(agentId) {
-    super(`Agent not found: ${agentId}`);
-    this.name = "AgentNotFoundError";
-  }
-}
-class AgentConfigValidationError extends AgentError {
-  constructor(message, errors) {
-    super(message);
-    this.errors = errors;
-    this.name = "AgentConfigValidationError";
-  }
-}
-class FrameworkNotSupportedError extends AgentError {
-  constructor(agentId, framework) {
-    super(`Agent "${agentId}" does not support framework: ${framework}`);
-    this.name = "FrameworkNotSupportedError";
-  }
-}
-class AgentLoadError extends AgentError {
-  constructor(message, cause) {
-    super(message);
-    this.cause = cause;
-    this.name = "AgentLoadError";
-  }
-}
-class MissingAgentFileError extends AgentError {
-  constructor(filePath) {
-    super(`Required agent file missing: ${filePath}`);
-    this.name = "MissingAgentFileError";
-  }
-}
-
-function validateAgentDirectory(agentDir) {
-  const errors = [];
-  const warnings = [];
-  if (!node_fs.existsSync(agentDir)) {
-    errors.push(`Agent directory does not exist: ${agentDir}`);
-    return { valid: false, errors, warnings };
-  }
-  if (!node_fs.statSync(agentDir).isDirectory()) {
-    errors.push(`Path is not a directory: ${agentDir}`);
-    return { valid: false, errors, warnings };
-  }
-  const agentJsonPath = node_path.join(agentDir, "agent.json");
-  if (!node_fs.existsSync(agentJsonPath)) {
-    errors.push("Missing required file: agent.json");
-  }
-  const readmePath = node_path.join(agentDir, "README.md");
-  if (!node_fs.existsSync(readmePath)) {
-    warnings.push("Missing README.md (recommended)");
-  }
-  return {
-    valid: errors.length === 0,
-    errors,
-    warnings
-  };
-}
-function validateFrameworkDirectory(frameworkDir, framework) {
-  const errors = [];
-  const warnings = [];
-  if (!node_fs.existsSync(frameworkDir)) {
-    errors.push(`Framework directory does not exist: ${frameworkDir}`);
-    return { valid: false, errors, warnings };
-  }
-  const configPath = node_path.join(frameworkDir, "config.json");
-  if (!node_fs.existsSync(configPath)) {
-    errors.push(`Missing required file: ${framework}/config.json`);
-  }
-  if (framework === "claude") {
-    const mcpServersDir = node_path.join(frameworkDir, "mcp-servers");
-    if (!node_fs.existsSync(mcpServersDir)) {
-      warnings.push("Missing mcp-servers directory (optional)");
-    }
-    const skillsDir = node_path.join(frameworkDir, "skills");
-    if (!node_fs.existsSync(skillsDir)) {
-      warnings.push("Missing skills directory (optional)");
-    }
-  }
-  return {
-    valid: errors.length === 0,
-    errors,
-    warnings
-  };
-}
-function assertFileExists(filePath, description) {
-  if (!node_fs.existsSync(filePath)) {
-    throw new MissingAgentFileError(description || filePath);
-  }
-}
-function assertAgentExists(agentDir, agentId) {
-  if (!node_fs.existsSync(agentDir)) {
-    throw new AgentNotFoundError(agentId);
-  }
-}
-
-function discoverPlugins(pluginsDir) {
-  if (!node_fs.existsSync(pluginsDir)) {
-    return [];
-  }
-  return node_fs.readdirSync(pluginsDir, { withFileTypes: true }).filter((dirent) => dirent.isDirectory()).map((dirent) => node_path.join(pluginsDir, dirent.name)).filter((pluginPath) => isValidPluginDirectory(pluginPath));
-}
-function isValidPluginDirectory(pluginDir) {
-  const manifestPath = node_path.join(pluginDir, ".claude-plugin", "plugin.json");
-  return node_fs.existsSync(manifestPath);
-}
-
-async function loadAgentConfig(options) {
-  const { agentId, framework, validateOnly = false, agentDir: providedAgentDir } = options;
-  const agentContext = getAgentContext();
-  const agentDir = providedAgentDir || agentContext.resolveAgentDir(agentId);
-  assertAgentExists(agentDir, agentId);
-  const validation = validateAgentDirectory(agentDir);
-  if (!validation.valid) {
-    throw new AgentConfigValidationError(
-      `Agent directory validation failed for "${agentId}"`,
-      validation.errors
-    );
-  }
-  if (validation.warnings.length > 0) {
-    console.warn(`[AGENT] Warnings for agent "${agentId}":`, validation.warnings);
-  }
-  const metadata = await loadAgentMetadata(agentDir);
-  const frameworkDirName = framework === "claude" ? "claude" : `.${framework}`;
-  const frameworkDir = node_path.join(agentDir, frameworkDirName);
-  if (!node_fs.existsSync(frameworkDir)) {
-    throw new FrameworkNotSupportedError(agentId, framework);
-  }
-  if (validateOnly) {
-    return {
-      metadata,
-      framework
-    };
-  }
-  if (framework === "claude") {
-    const claudeConfig = await loadClaudeConfiguration(agentDir);
-    return {
-      metadata,
-      framework,
-      claude: claudeConfig
-    };
-  }
-  throw new AgentLoadError(`Framework "${framework}" loader not implemented`);
-}
-async function loadAgentMetadata(agentDir) {
-  const agentJsonPath = node_path.join(agentDir, "agent.json");
-  assertFileExists(agentJsonPath, "agent.json");
-  try {
-    const content = node_fs.readFileSync(agentJsonPath, "utf-8");
-    const rawData = JSON.parse(content);
-    const metadata = AgentMetadataSchema.parse(rawData);
-    return metadata;
-  } catch (error) {
-    if (error instanceof SyntaxError) {
-      throw new AgentConfigValidationError("Invalid JSON in agent.json");
-    }
-    throw new AgentConfigValidationError(
-      `Invalid agent metadata: ${error instanceof Error ? error.message : String(error)}`
-    );
-  }
-}
-async function loadClaudeConfiguration(agentDir, metadata) {
-  const claudeDir = node_path.join(agentDir, "claude");
-  const validation = validateFrameworkDirectory(claudeDir, "claude");
-  if (!validation.valid) {
-    throw new AgentConfigValidationError(
-      "Claude framework directory validation failed",
-      validation.errors
-    );
-  }
-  const config = await loadClaudeConfig(claudeDir);
-  let systemPrompt;
-  if (config.systemPrompt) {
-    systemPrompt = await loadSystemPrompt(claudeDir, config.systemPrompt.path);
-  }
-  let prPromptTemplate;
-  if (config.pullRequestPrompt) {
-    prPromptTemplate = await loadSystemPrompt(claudeDir, config.pullRequestPrompt.path);
-  }
-  const pluginsDir = node_path.join(claudeDir, "plugins");
-  const plugins = discoverPlugins(pluginsDir);
-  return {
-    config,
-    systemPrompt,
-    prPromptTemplate,
-    plugins
-  };
-}
-async function loadClaudeConfig(claudeDir) {
-  const configPath = node_path.join(claudeDir, "config.json");
-  assertFileExists(configPath, "claude/config.json");
-  try {
-    const content = node_fs.readFileSync(configPath, "utf-8");
-    const rawConfig = JSON.parse(content);
-    const config = ClaudeConfigSchema.parse(rawConfig);
-    return config;
-  } catch (error) {
-    if (error instanceof SyntaxError) {
-      throw new AgentConfigValidationError(
-        "Invalid JSON in claude/config.json"
-      );
-    }
-    throw new AgentConfigValidationError(
-      `Invalid Claude configuration: ${error instanceof Error ? error.message : String(error)}`
-    );
-  }
-}
-async function loadSystemPrompt(claudeDir, promptFile) {
-  const promptPath = node_path.join(claudeDir, promptFile);
-  if (!node_fs.existsSync(promptPath)) {
-    throw new MissingAgentFileError(`claude/${promptFile}`);
-  }
-  try {
-    return node_fs.readFileSync(promptPath, "utf-8");
-  } catch (error) {
-    throw new AgentLoadError(
-      `Failed to read system prompt: ${error instanceof Error ? error.message : String(error)}`
-    );
-  }
-}
-function replacePromptPlaceholders(template, cwd, extra) {
-  const vars = {
-    WORKING_DIR: cwd,
-    PLATFORM: process.platform,
-    OS_VERSION: `${os__namespace.type()} ${os__namespace.release()}`,
-    DATE: (/* @__PURE__ */ new Date()).toISOString().split("T")[0],
-    ...extra
-  };
-  let result = template.replace(
-    /\{\{#if\s+(\w+)\s*(==|!=)\s*(\w+)\}\}([\s\S]*?)\{\{\/if\}\}/g,
-    (_match, key, op, expected, content) => {
-      const actual = vars[key] ?? "";
-      const matches = op === "==" ? actual === expected : actual !== expected;
-      return matches ? content : "";
-    }
-  );
-  for (const [key, value] of Object.entries(vars)) {
-    result = result.replace(new RegExp(`\\{\\{${key}\\}\\}`, "g"), value);
-  }
-  return result;
-}
-
-const CompanionWorkspaceFileSchema = zod.z.object({
-  name: zod.z.string(),
-  path: zod.z.string(),
-  // relative to workspace root
-  size: zod.z.number(),
-  modifiedAt: zod.z.number(),
-  isDirectory: zod.z.boolean()
-});
-const RegisterCompanionRequestSchema = zod.z.object({
-  machineId: zod.z.string().min(1)
+const RegisterCompanionRequestSchema = zod.z.object({
+  machineId: zod.z.string().min(1),
+  // Optional: provision companion chat virtual task E2EE keys (local mode sharing).
+  dataEncryptionKey: zod.z.string().optional(),
+  ownerEncryptedDataKey: zod.z.string().optional(),
+  // Optional: preferred language for companion bootstrap/kickoff copy.
+  preferredLanguage: zod.z.enum(["en", "zh-Hans"]).optional()
 });
 const RegisterCompanionResponseSchema = zod.z.object({
   agentId: zod.z.string(),
@@ -2359,243 +2308,9 @@ const RegisterCompanionResponseSchema = zod.z.object({
 });
 const CompanionEnsureResponseSchema = zod.z.object({
   agentDir: zod.z.string(),
-  workspaceDir: zod.z.string()
+  homeDir: zod.z.string()
 });
 
-const cryptoModule = typeof globalThis.crypto !== "undefined" ? globalThis.crypto : (async () => {
-  try {
-    const nodeCrypto = await import('node:crypto');
-    return nodeCrypto.webcrypto;
-  } catch {
-    throw new Error("Web Crypto API not available");
-  }
-})();
-async function getCrypto() {
-  if (typeof cryptoModule === "object" && cryptoModule !== null && "subtle" in cryptoModule) {
-    return cryptoModule;
-  }
-  return await cryptoModule;
-}
-async function hmac_sha512(key, data) {
-  const crypto = await getCrypto();
-  const cryptoKey = await crypto.subtle.importKey(
-    "raw",
-    key,
-    { name: "HMAC", hash: "SHA-512" },
-    false,
-    ["sign"]
-  );
-  const signature = await crypto.subtle.sign(
-    "HMAC",
-    cryptoKey,
-    data
-  );
-  return new Uint8Array(signature);
-}
-
-async function deriveSecretKeyTreeRoot(seed, usage) {
-  const I = await hmac_sha512(new TextEncoder().encode(usage + " Master Seed"), seed);
-  return {
-    key: I.slice(0, 32),
-    chainCode: I.slice(32)
-  };
-}
-async function deriveSecretKeyTreeChild(chainCode, index) {
-  const data = new Uint8Array([0, ...new TextEncoder().encode(index)]);
-  const I = await hmac_sha512(chainCode, data);
-  return {
-    key: I.subarray(0, 32),
-    chainCode: I.subarray(32)
-  };
-}
-async function deriveKey(master, usage, path) {
-  let state = await deriveSecretKeyTreeRoot(master, usage);
-  let remaining = [...path];
-  while (remaining.length > 0) {
-    let index = remaining[0];
-    remaining = remaining.slice(1);
-    state = await deriveSecretKeyTreeChild(state.chainCode, index);
-  }
-  return state.key;
-}
-
-function encodeBase64(buffer, variant = "base64") {
-  if (variant === "base64url") {
-    return encodeBase64Url(buffer);
-  }
-  return base64js__namespace.fromByteArray(buffer);
-}
-function encodeBase64Url(buffer) {
-  return base64js__namespace.fromByteArray(buffer).replaceAll("+", "-").replaceAll("/", "_").replaceAll("=", "");
-}
-function decodeBase64(base64, variant = "base64") {
-  if (!base64) {
-    throw new Error("Invalid base64 input: must be a non-empty string");
-  }
-  const cleaned = base64.replace(/\s/g, "");
-  if (!cleaned) {
-    throw new Error("Invalid base64 input: empty after removing whitespace");
-  }
-  try {
-    if (variant === "base64url") {
-      let base64Standard = cleaned.replace(/-/g, "+").replace(/_/g, "/");
-      const padding = (4 - base64Standard.length % 4) % 4;
-      if (padding > 0) {
-        base64Standard += "=".repeat(padding);
-      }
-      return base64js__namespace.toByteArray(base64Standard);
-    }
-    return base64js__namespace.toByteArray(cleaned);
-  } catch (error) {
-    throw new Error(`Failed to decode base64 (variant: ${variant}): ${error instanceof Error ? error.message : String(error)}`);
-  }
-}
-function getRandomBytes(size) {
-  return tweetnacl.randomBytes(size);
-}
-function generateAESKey() {
-  return getRandomBytes(tweetnacl.secretbox.keyLength);
-}
-function generateAESKeyBase64(variant = "base64") {
-  const key = generateAESKey();
-  return encodeBase64(key, variant);
-}
-function encryptAES(data, dataKey) {
-  if (dataKey.length !== tweetnacl.secretbox.keyLength) {
-    throw new Error(`Invalid key length: expected ${tweetnacl.secretbox.keyLength}, got ${dataKey.length}`);
-  }
-  const nonce = getRandomBytes(tweetnacl.secretbox.nonceLength);
-  const plaintext = new TextEncoder().encode(JSON.stringify(data));
-  const encrypted = tweetnacl.secretbox(plaintext, nonce, dataKey);
-  const bundle = new Uint8Array(1 + nonce.length + encrypted.length);
-  bundle.set([0], 0);
-  bundle.set(nonce, 1);
-  bundle.set(encrypted, 1 + nonce.length);
-  return bundle;
-}
-function decryptAES(bundle, dataKey) {
-  if (dataKey.length !== tweetnacl.secretbox.keyLength) {
-    return null;
-  }
-  if (bundle.length < 1) {
-    return null;
-  }
-  if (bundle[0] !== 0) {
-    return null;
-  }
-  const minLength = 1 + tweetnacl.secretbox.nonceLength + tweetnacl.secretbox.overheadLength;
-  if (bundle.length < minLength) {
-    return null;
-  }
-  const nonce = bundle.slice(1, 1 + tweetnacl.secretbox.nonceLength);
-  const ciphertext = bundle.slice(1 + tweetnacl.secretbox.nonceLength);
-  try {
-    const decrypted = tweetnacl.secretbox.open(ciphertext, nonce, dataKey);
-    if (!decrypted) {
-      return null;
-    }
-    return JSON.parse(new TextDecoder().decode(decrypted));
-  } catch (error) {
-    return null;
-  }
-}
-async function createKeyPairWithUit8Array(masterSecret) {
-  const contentDataKey = await deriveKey(masterSecret, "Agentrix EnCoder", ["content"]);
-  return tweetnacl.box.keyPair.fromSecretKey(contentDataKey);
-}
-async function createKeyPair(masterSecret, variant = "base64") {
-  return await createKeyPairWithUit8Array(decodeBase64(masterSecret, variant));
-}
-function decryptWithEphemeralKey(encryptedBundle, secretKey) {
-  const ephemeralPublicKey = encryptedBundle.slice(0, 32);
-  const nonce = encryptedBundle.slice(32, 32 + tweetnacl.box.nonceLength);
-  const encrypted = encryptedBundle.slice(32 + tweetnacl.box.nonceLength);
-  const decrypted = tweetnacl.box.open(encrypted, nonce, ephemeralPublicKey, secretKey);
-  if (!decrypted) {
-    return null;
-  }
-  return decrypted;
-}
-function encryptWithEphemeralKey(data, publicKey) {
-  const ephemeralKeyPair = tweetnacl.box.keyPair();
-  const nonce = getRandomBytes(tweetnacl.box.nonceLength);
-  const encrypted = tweetnacl.box(data, nonce, publicKey, ephemeralKeyPair.secretKey);
-  const result = new Uint8Array(ephemeralKeyPair.publicKey.length + nonce.length + encrypted.length);
-  result.set(ephemeralKeyPair.publicKey, 0);
-  result.set(nonce, ephemeralKeyPair.publicKey.length);
-  result.set(encrypted, ephemeralKeyPair.publicKey.length + nonce.length);
-  return result;
-}
-function encryptSdkMessage(message, dataKey) {
-  const encryptedWithVersion = encryptAES(message, dataKey);
-  const encryptedWithoutVersion = encryptedWithVersion.slice(1);
-  return encodeBase64(encryptedWithoutVersion);
-}
-function decryptSdkMessage(encryptedMessage, dataKey) {
-  try {
-    const encryptedWithoutVersion = decodeBase64(encryptedMessage);
-    const encryptedWithVersion = new Uint8Array(1 + encryptedWithoutVersion.length);
-    encryptedWithVersion.set([0], 0);
-    encryptedWithVersion.set(encryptedWithoutVersion, 1);
-    return decryptAES(encryptedWithVersion, dataKey);
-  } catch (error) {
-    return null;
-  }
-}
-function encryptMachineEncryptionKey(machinePublicKey, aesKey, userPublicKey) {
-  if (machinePublicKey.length !== 32) {
-    throw new Error(`Invalid machine public key length: expected 32, got ${machinePublicKey.length}`);
-  }
-  if (aesKey.length !== tweetnacl.secretbox.keyLength) {
-    throw new Error(`Invalid AES key length: expected ${tweetnacl.secretbox.keyLength}, got ${aesKey.length}`);
-  }
-  if (userPublicKey.length !== 32) {
-    throw new Error(`Invalid user public key length: expected 32, got ${userPublicKey.length}`);
-  }
-  const combined = new Uint8Array(machinePublicKey.length + aesKey.length);
-  combined.set(machinePublicKey, 0);
-  combined.set(aesKey, machinePublicKey.length);
-  const encrypted = encryptWithEphemeralKey(combined, userPublicKey);
-  return encodeBase64(encrypted);
-}
-function decryptMachineEncryptionKey(encryptedData, userPrivateKey) {
-  if (userPrivateKey.length !== 32) {
-    return null;
-  }
-  try {
-    const encryptedBundle = decodeBase64(encryptedData);
-    const decrypted = decryptWithEphemeralKey(encryptedBundle, userPrivateKey);
-    if (!decrypted) {
-      return null;
-    }
-    const expectedLength = 32 + tweetnacl.secretbox.keyLength;
-    if (decrypted.length !== expectedLength) {
-      return null;
-    }
-    const machinePublicKey = decrypted.slice(0, 32);
-    const aesKey = decrypted.slice(32);
-    return { machinePublicKey, aesKey };
-  } catch (error) {
-    return null;
-  }
-}
-function encryptFileContent(fileContentBase64, dataKey) {
-  const encryptedWithVersion = encryptAES(fileContentBase64, dataKey);
-  const encryptedWithoutVersion = encryptedWithVersion.slice(1);
-  return encodeBase64(encryptedWithoutVersion);
-}
-function decryptFileContent(encryptedContent, dataKey) {
-  try {
-    const encryptedWithoutVersion = decodeBase64(encryptedContent);
-    const encryptedWithVersion = new Uint8Array(1 + encryptedWithoutVersion.length);
-    encryptedWithVersion.set([0], 0);
-    encryptedWithVersion.set(encryptedWithoutVersion, 1);
-    return decryptAES(encryptedWithVersion, dataKey);
-  } catch (error) {
-    return null;
-  }
-}
-
 const RTC_CHUNK_HEADER_SIZE = 16;
 const RtcChunkFlags = {
   Start: 1,
@@ -2948,15 +2663,21 @@ function getFileExtension(filePath) {
   return filePath.substring(lastDot).toLowerCase();
 }
 
+exports.AgentConfigValidationError = errors.AgentConfigValidationError;
+exports.AgentError = errors.AgentError;
+exports.AgentLoadError = errors.AgentLoadError;
+exports.AgentMetadataSchema = errors.AgentMetadataSchema;
+exports.AgentNotFoundError = errors.AgentNotFoundError;
+exports.ClaudeConfigSchema = errors.ClaudeConfigSchema;
+exports.FRAMEWORK_TYPES = errors.FRAMEWORK_TYPES;
+exports.FrameworkNotSupportedError = errors.FrameworkNotSupportedError;
+exports.MissingAgentFileError = errors.MissingAgentFileError;
+exports.getAgentContext = errors.getAgentContext;
+exports.setAgentContext = errors.setAgentContext;
 exports.ActiveAgentSchema = ActiveAgentSchema;
 exports.AddChatMemberRequestSchema = AddChatMemberRequestSchema;
 exports.AddChatMemberResponseSchema = AddChatMemberResponseSchema;
-exports.AgentConfigValidationError = AgentConfigValidationError;
 exports.AgentCustomConfigSchema = AgentCustomConfigSchema;
-exports.AgentError = AgentError;
-exports.AgentLoadError = AgentLoadError;
-exports.AgentMetadataSchema = AgentMetadataSchema;
-exports.AgentNotFoundError = AgentNotFoundError;
 exports.AgentPermissionsSchema = AgentPermissionsSchema;
 exports.AgentSchema = AgentSchema;
 exports.AgentTypeSchema = AgentTypeSchema;
@@ -2990,7 +2711,6 @@ exports.ChatTypeSchema = ChatTypeSchema;
 exports.ChatWithMembersSchema = ChatWithMembersSchema;
 exports.ChatWorkersStatusRequestSchema = ChatWorkersStatusRequestSchema;
 exports.ChatWorkersStatusResponseSchema = ChatWorkersStatusResponseSchema;
-exports.ClaudeConfigSchema = ClaudeConfigSchema;
 exports.CloudJoinApprovalRequestSchema = CloudJoinApprovalRequestSchema;
 exports.CloudJoinRequestSchema = CloudJoinRequestSchema;
 exports.CloudJoinResultQuerySchema = CloudJoinResultQuerySchema;
@@ -3046,14 +2766,12 @@ exports.ENTRY_FILE_PATTERNS = ENTRY_FILE_PATTERNS;
 exports.EnvironmentVariableSchema = EnvironmentVariableSchema;
 exports.EventAckSchema = EventAckSchema;
 exports.EventSchemaMap = EventSchemaMap;
-exports.FRAMEWORK_TYPES = FRAMEWORK_TYPES;
 exports.FileItemSchema = FileItemSchema;
 exports.FileStatsSchema = FileStatsSchema;
 exports.FileVisibilitySchema = FileVisibilitySchema;
 exports.FillEventsRequestSchema = FillEventsRequestSchema;
 exports.FindTaskByAgentRequestSchema = FindTaskByAgentRequestSchema;
 exports.FindTaskByAgentResponseSchema = FindTaskByAgentResponseSchema;
-exports.FrameworkNotSupportedError = FrameworkNotSupportedError;
 exports.GetAgentResponseSchema = GetAgentResponseSchema;
 exports.GetChatResponseSchema = GetChatResponseSchema;
 exports.GetEnvironmentVariablesResponseSchema = GetEnvironmentVariablesResponseSchema;
@@ -3114,7 +2832,6 @@ exports.MachineRtcRequestSchema = MachineRtcRequestSchema;
 exports.MachineRtcResponseSchema = MachineRtcResponseSchema;
 exports.MergePullRequestEventSchema = MergePullRequestEventSchema;
 exports.MergeRequestEventSchema = MergeRequestEventSchema;
-exports.MissingAgentFileError = MissingAgentFileError;
 exports.OAuthAccountInfoSchema = OAuthAccountInfoSchema;
 exports.OAuthBindCallbackResponseSchema = OAuthBindCallbackResponseSchema;
 exports.OAuthBindQuerySchema = OAuthBindQuerySchema;
@@ -3235,8 +2952,6 @@ exports.WorkerStatusRequestSchema = WorkerStatusRequestSchema;
 exports.WorkerStatusValueSchema = WorkerStatusValueSchema;
 exports.WorkspaceFileRequestSchema = WorkspaceFileRequestSchema;
 exports.WorkspaceFileResponseSchema = WorkspaceFileResponseSchema;
-exports.assertAgentExists = assertAgentExists;
-exports.assertFileExists = assertFileExists;
 exports.baseTaskSchema = baseTaskSchema;
 exports.buildRtcChunkFrame = buildRtcChunkFrame;
 exports.cancelTaskRequestSchema = cancelTaskRequestSchema;
@@ -3245,6 +2960,7 @@ exports.createEventId = createEventId;
 exports.createKeyPair = createKeyPair;
 exports.createKeyPairWithUit8Array = createKeyPairWithUit8Array;
 exports.createMergeRequestSchema = createMergeRequestSchema;
+exports.createTaskEncryptionPayload = createTaskEncryptionPayload;
 exports.createTaskSchema = createTaskSchema;
 exports.decodeBase64 = decodeBase64;
 exports.decodeRtcChunkHeader = decodeRtcChunkHeader;
@@ -3254,7 +2970,6 @@ exports.decryptMachineEncryptionKey = decryptMachineEncryptionKey;
 exports.decryptSdkMessage = decryptSdkMessage;
 exports.decryptWithEphemeralKey = decryptWithEphemeralKey;
 exports.detectPreview = detectPreview;
-exports.discoverPlugins = discoverPlugins;
 exports.encodeBase64 = encodeBase64;
 exports.encodeBase64Url = encodeBase64Url;
 exports.encodeRtcChunkHeader = encodeRtcChunkHeader;
@@ -3265,7 +2980,6 @@ exports.encryptSdkMessage = encryptSdkMessage;
 exports.encryptWithEphemeralKey = encryptWithEphemeralKey;
 exports.generateAESKey = generateAESKey;
 exports.generateAESKeyBase64 = generateAESKeyBase64;
-exports.getAgentContext = getAgentContext;
 exports.getRandomBytes = getRandomBytes;
 exports.isAskUserMessage = isAskUserMessage;
 exports.isAskUserResponseMessage = isAskUserResponseMessage;
@@ -3273,18 +2987,14 @@ exports.isCompanionHeartbeatMessage = isCompanionHeartbeatMessage;
 exports.isCompanionReminderMessage = isCompanionReminderMessage;
 exports.isSDKMessage = isSDKMessage;
 exports.isSDKUserMessage = isSDKUserMessage;
-exports.loadAgentConfig = loadAgentConfig;
+exports.isSubTaskAskUserMessage = isSubTaskAskUserMessage;
 exports.machineAuth = machineAuth;
 exports.permissionResponseRequestSchema = permissionResponseRequestSchema;
-exports.replacePromptPlaceholders = replacePromptPlaceholders;
 exports.resumeTaskRequestSchema = resumeTaskRequestSchema;
 exports.resumeTaskSchema = resumeTaskSchema;
-exports.setAgentContext = setAgentContext;
 exports.splitRtcChunkFrame = splitRtcChunkFrame;
 exports.startTaskSchema = startTaskSchema;
 exports.stopTaskRequestSchema = stopTaskRequestSchema;
 exports.userAuth = userAuth;
-exports.validateAgentDirectory = validateAgentDirectory;
-exports.validateFrameworkDirectory = validateFrameworkDirectory;
 exports.workerAuth = workerAuth;
 exports.workerTaskEvents = workerTaskEvents;