@agentvault/agentvault 0.13.8 → 0.13.10

package/dist/index.d.ts

@@ -5,5 +5,5 @@ export type { ResolvedAccount } from "./account-config.js";
 export { agentVaultPlugin, setOcRuntime, getActiveChannel } from "./openclaw-plugin.js";
 export { sendToOwner, checkGateway } from "./gateway-send.js";
 export type { GatewaySendOptions, GatewaySendResult, GatewayStatusResult, } from "./gateway-send.js";
-export declare const VERSION = "0.13.8";
+export declare const VERSION = "0.13.9";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -44880,6 +44880,7 @@ var DoubleRatchet = class _DoubleRatchet {
   serialize() {
     const s2 = this.state;
     return JSON.stringify({
+      version: 1,
       rootKey: libsodium_wrappers_default.to_hex(s2.rootKey),
       sendingChain: s2.sendingChain ? {
         chainKey: libsodium_wrappers_default.to_hex(s2.sendingChain.chainKey),
@@ -44907,33 +44908,59 @@ var DoubleRatchet = class _DoubleRatchet {
     });
   }
   static deserialize(json) {
-    const d2 = JSON.parse(json);
-    return new _DoubleRatchet({
-      rootKey: libsodium_wrappers_default.from_hex(d2.rootKey),
-      sendingChain: d2.sendingChain ? {
-        chainKey: libsodium_wrappers_default.from_hex(d2.sendingChain.chainKey),
-        messageNumber: d2.sendingChain.messageNumber
-      } : null,
-      receivingChain: d2.receivingChain ? {
-        chainKey: libsodium_wrappers_default.from_hex(d2.receivingChain.chainKey),
-        messageNumber: d2.receivingChain.messageNumber
-      } : null,
-      dhSendingKeypair: {
-        publicKey: libsodium_wrappers_default.from_hex(d2.dhSendingKeypair.publicKey),
-        privateKey: libsodium_wrappers_default.from_hex(d2.dhSendingKeypair.privateKey)
-      },
-      dhReceivingPublicKey: d2.dhReceivingPublicKey ? libsodium_wrappers_default.from_hex(d2.dhReceivingPublicKey) : null,
-      identityKeypair: {
-        publicKey: libsodium_wrappers_default.from_hex(d2.identityKeypair.publicKey),
-        privateKey: libsodium_wrappers_default.from_hex(d2.identityKeypair.privateKey)
-      },
-      previousSendingChainLength: d2.previousSendingChainLength,
-      skippedKeys: d2.skippedKeys.map((sk) => ({
-        dhPub: sk.dhPub,
-        n: sk.n,
-        messageKey: libsodium_wrappers_default.from_hex(sk.messageKey)
-      }))
-    });
+    let d2;
+    try {
+      d2 = JSON.parse(json);
+    } catch {
+      throw new Error("Ratchet state: corrupt JSON");
+    }
+    if (d2.version !== void 0 && d2.version !== 1) {
+      throw new Error(`Ratchet state version ${d2.version} not supported`);
+    }
+    if (typeof d2.rootKey !== "string") {
+      throw new Error("Ratchet state: missing required field rootKey");
+    }
+    const dhSend = d2.dhSendingKeypair;
+    if (!dhSend || typeof dhSend.publicKey !== "string" || typeof dhSend.privateKey !== "string") {
+      throw new Error("Ratchet state: missing required field dhSendingKeypair");
+    }
+    const idKp = d2.identityKeypair;
+    if (!idKp || typeof idKp.publicKey !== "string" || typeof idKp.privateKey !== "string") {
+      throw new Error("Ratchet state: missing required field identityKeypair");
+    }
+    try {
+      return new _DoubleRatchet({
+        rootKey: libsodium_wrappers_default.from_hex(d2.rootKey),
+        sendingChain: d2.sendingChain ? {
+          chainKey: libsodium_wrappers_default.from_hex(d2.sendingChain.chainKey),
+          messageNumber: d2.sendingChain.messageNumber
+        } : null,
+        receivingChain: d2.receivingChain ? {
+          chainKey: libsodium_wrappers_default.from_hex(d2.receivingChain.chainKey),
+          messageNumber: d2.receivingChain.messageNumber
+        } : null,
+        dhSendingKeypair: {
+          publicKey: libsodium_wrappers_default.from_hex(dhSend.publicKey),
+          privateKey: libsodium_wrappers_default.from_hex(dhSend.privateKey)
+        },
+        dhReceivingPublicKey: d2.dhReceivingPublicKey ? libsodium_wrappers_default.from_hex(d2.dhReceivingPublicKey) : null,
+        identityKeypair: {
+          publicKey: libsodium_wrappers_default.from_hex(idKp.publicKey),
+          privateKey: libsodium_wrappers_default.from_hex(idKp.privateKey)
+        },
+        previousSendingChainLength: d2.previousSendingChainLength,
+        skippedKeys: d2.skippedKeys.map((sk) => ({
+          dhPub: sk.dhPub,
+          n: sk.n,
+          messageKey: libsodium_wrappers_default.from_hex(sk.messageKey)
+        }))
+      });
+    } catch (err) {
+      if (err instanceof Error && err.message.startsWith("Ratchet state")) {
+        throw err;
+      }
+      throw new Error(`Ratchet state: corrupt hex data \u2014 ${err instanceof Error ? err.message : String(err)}`);
+    }
   }
 };
 
@@ -45632,6 +45659,8 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
   _telemetryReporter = null;
   /** Topic ID from the most recent inbound message — used as fallback for replies. */
   _lastIncomingTopicId;
+  /** Rate-limit: last resync_request timestamp per conversation (5-min cooldown). */
+  _lastResyncRequest = /* @__PURE__ */ new Map();
   // Liveness detection: server sends app-level {"event":"ping"} every 30s.
   // We check every 30s; if no data received in 90s (3 missed pings), connection is dead.
   static PING_INTERVAL_MS = 3e4;
@@ -46890,6 +46919,13 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
           await this._handleDeviceLinked(data.data);
           return;
         }
+        if (data.event === "resync_request") {
+          await this._handleResyncRequest(data.data);
+          return;
+        }
+        if (data.event === "resync_ack") {
+          return;
+        }
         if (data.event === "message") {
           try {
             await this._handleIncomingMessage(data.data);
@@ -47295,6 +47331,26 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
       } catch (restoreErr) {
         console.error("[SecureChannel] Ratchet restore failed:", restoreErr);
       }
+      const RESYNC_COOLDOWN_MS = 5 * 60 * 1e3;
+      const lastResync = this._lastResyncRequest.get(convId) ?? 0;
+      if (Date.now() - lastResync > RESYNC_COOLDOWN_MS && this._ws && this._persisted) {
+        this._lastResyncRequest.set(convId, Date.now());
+        const idPubHex = this._persisted.identityKeypair.publicKey;
+        const ephPubHex = this._persisted.ephemeralKeypair.publicKey;
+        this._ws.send(
+          JSON.stringify({
+            event: "resync_request",
+            data: {
+              conversation_id: convId,
+              reason: "decrypt_failure",
+              identity_public_key: idPubHex,
+              ephemeral_public_key: ephPubHex
+            }
+          })
+        );
+        console.log(`[SecureChannel] Sent resync_request for conv ${convId.slice(0, 8)}...`);
+        this.emit("resync_requested", { conversationId: convId, reason: "decrypt_failure" });
+      }
       return;
     }
     this._sendAck(msgData.message_id);
@@ -47619,6 +47675,70 @@ ${messageText}`;
       this.emit("error", err);
     }
   }
+  /**
+   * Handle a resync_request from the owner (owner-initiated ratchet re-establishment).
+   * Re-derives shared secret via X3DH as responder, initializes fresh receiver ratchet,
+   * and sends resync_ack back with agent's public keys.
+   */
+  async _handleResyncRequest(data) {
+    const convId = data.conversation_id;
+    console.log(
+      `[SecureChannel] Received resync_request for conv ${convId.slice(0, 8)}... (reason: ${data.reason ?? "unknown"})`
+    );
+    try {
+      if (!this._persisted) {
+        console.error("[SecureChannel] Cannot handle resync \u2014 no persisted state");
+        return;
+      }
+      const identity = this._persisted.identityKeypair;
+      const ephemeral = this._persisted.ephemeralKeypair;
+      const sharedSecret = performX3DH({
+        myIdentityPrivate: hexToBytes(identity.privateKey),
+        myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
+        theirIdentityPublic: hexToBytes(data.identity_public_key),
+        theirEphemeralPublic: hexToBytes(data.ephemeral_public_key),
+        isInitiator: false
+      });
+      const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
+        publicKey: hexToBytes(identity.publicKey),
+        privateKey: hexToBytes(identity.privateKey),
+        keyType: "ed25519"
+      });
+      const existingSession = this._sessions.get(convId);
+      const ownerDeviceId = data.sender_device_id ?? existingSession?.ownerDeviceId ?? "";
+      this._sessions.set(convId, {
+        ownerDeviceId,
+        ratchet,
+        activated: false
+        // Wait for owner's encrypted session_init
+      });
+      this._persisted.sessions[convId] = {
+        ownerDeviceId,
+        ratchetState: ratchet.serialize(),
+        activated: false
+      };
+      await this._persistState();
+      if (this._ws) {
+        this._ws.send(
+          JSON.stringify({
+            event: "resync_ack",
+            data: {
+              conversation_id: convId,
+              identity_public_key: identity.publicKey,
+              ephemeral_public_key: ephemeral.publicKey
+            }
+          })
+        );
+      }
+      console.log(
+        `[SecureChannel] Resync complete for conv ${convId.slice(0, 8)}... \u2014 waiting for owner session_init`
+      );
+      this.emit("resync_completed", { conversationId: convId });
+    } catch (err) {
+      console.error(`[SecureChannel] Resync failed for conv ${convId.slice(0, 8)}...:`, err);
+      this.emit("error", err);
+    }
+  }
   /**
    * Handle an incoming room message. Finds the pairwise conversation
    * for the sender, decrypts, and emits a room_message event.
@@ -48248,13 +48368,39 @@ var agentVaultPlugin = {
     aliases: ["av", "agent-vault"]
   },
   capabilities: {
-    chatTypes: ["direct"]
+    chatTypes: ["direct", "room"]
   },
   config: {
     listAccountIds,
     resolveAccount
   },
   gateway: {
+    /** Health probe for `openclaw channels status --probe` */
+    probe: async (ctx) => {
+      const accountId = ctx?.accountId ?? "default";
+      const ch = _channels.get(accountId);
+      if (!ch) return { ok: false, status: "disconnected", error: "Channel not started" };
+      const state = ch.state;
+      return {
+        ok: state === "ready",
+        status: state,
+        deviceId: ch.deviceId ?? void 0,
+        sessions: ch.sessionCount
+      };
+    },
+    /** Status for `openclaw health --json` per-channel summary */
+    status: (ctx) => {
+      const accountId = ctx?.accountId ?? "default";
+      const ch = _channels.get(accountId);
+      if (!ch) return { connected: false, status: "not_started" };
+      return {
+        connected: ch.state === "ready",
+        status: ch.state,
+        deviceId: ch.deviceId ?? void 0,
+        sessions: ch.sessionCount,
+        encrypted: true
+      };
+    },
     startAccount: async (ctx) => {
       const { account, cfg, log, abortSignal } = ctx;
       if (!account.configured) {
@@ -48336,6 +48482,25 @@ var agentVaultPlugin = {
       } catch (err) {
         return { ok: false, error: String(err) };
       }
+    },
+    sendMedia: async ({
+      text,
+      mediaUrl,
+      accountId
+    }) => {
+      const resolvedId = accountId ?? "default";
+      const channel = _channels.get(resolvedId);
+      if (!channel) {
+        return { ok: false, error: "AgentVault channel is not connected" };
+      }
+      try {
+        const message = text ? `${text}
+${mediaUrl}` : mediaUrl;
+        await channel.send(message);
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, error: String(err) };
+      }
     }
   }
 };
@@ -48468,7 +48633,7 @@ async function checkGateway(options) {
 }
 
 // src/index.ts
-var VERSION = "0.13.8";
+var VERSION = "0.13.9";
 export {
   SecureChannel,
   VERSION,