@agentvault/claude-bridge 0.2.1 → 0.3.1

package/dist/bridge.d.ts

@@ -3,14 +3,60 @@ export interface RoomMessage {
     senderName: string;
     plaintext: string;
 }
+/** Metadata SecureChannel attaches to a 1:1 `message` event. `roomId` is set only
+ *  when the `message` actually originated in a room (handled by room_message), so
+ *  its ABSENCE is how we identify a true owner↔agent 1:1 DM. */
+export interface MessageMeta {
+    roomId?: string;
+}
 export interface RoomChannel {
     on(ev: "room_message", cb: (e: RoomMessage) => void): unknown;
+    on(ev: "message", cb: (text: string, metadata: MessageMeta) => void): unknown;
     on(ev: "error", cb: (err: unknown) => void): unknown;
     sendToRoom(roomId: string, text: string): Promise<void>;
+    send(text: string): Promise<void>;
 }
 export interface RoomSession {
-    push(text: string): void;
-    onActiveRoom(roomId: string): void;
+    /** `reply` is the immutable reply sink captured for THIS message (see
+     *  ActiveTarget.snapshotReply) — the session invokes it when Claude answers. */
+    push(text: string, reply?: (text: string) => Promise<void>): void;
+}
+/** Where a reply should go: a room (sendToRoom) or a 1:1 DM (send). */
+export type BridgeTarget = {
+    kind: "room";
+    roomId: string;
+} | {
+    kind: "dm";
+};
+/** Channel surface ActiveTarget needs to route an outbound reply. */
+export interface ReplyChannel {
+    sendToRoom(roomId: string, text: string): Promise<void>;
+    send(text: string): Promise<void>;
+}
+/**
+ * Tracks the destination of the most recent inbound message and routes outbound
+ * replies there. Replaces the bridge's old single `activeRoomId` string so the
+ * same Claude session can answer BOTH room traffic and 1:1 owner DMs.
+ *
+ * Known limitation (matches the prior room-only behavior): the target is global,
+ * set per-inbound. If a room message lands while Claude is mid-compose on a DM
+ * reply, the reply routes to the room. Binding a reply to its originating turn is
+ * a larger redesign; for now the single-conversation-at-a-time assumption holds.
+ */
+export declare class ActiveTarget {
+    private target;
+    setRoom(roomId: string): void;
+    setDm(): void;
+    get current(): BridgeTarget | null;
+    reply(channel: ReplyChannel, text: string): Promise<void>;
+    /**
+     * Capture the CURRENT target into an immutable reply closure. This is the leak
+     * fix: a reply built here routes to where its inbound message came from, even if
+     * a later inbound flips the live `current` target. The bridge captures one of
+     * these per inbound (at push time) and hands it to the session, so a room message
+     * arriving mid-compose can never redirect a private 1:1 reply into the room.
+     */
+    snapshotReply(channel: ReplyChannel, log?: (msg: string) => void): (text: string) => Promise<void>;
 }
 export interface LifecycleChannel {
     on(ev: "auth_failed", cb: (e: {
@@ -38,7 +84,7 @@ export declare function attachLifecycle(channel: LifecycleChannel, opts?: {
     log?: (msg: string) => void;
     onTerminal?: (reason: string) => void;
 }): void;
-export declare function wireBridge(channel: RoomChannel, session: RoomSession, opts?: {
+export declare function wireBridge(channel: RoomChannel, session: RoomSession, target: ActiveTarget, opts?: {
     roomFilter?: string;
     log?: (msg: string) => void;
 }): void;

package/dist/config.d.ts

@@ -1,6 +1,8 @@
+export type DataDirSource = "explicit" | "per-agent" | "legacy";
 export interface BridgeConfig {
     inviteToken: string;
     dataDir: string;
+    dataDirSource: DataDirSource;
     apiUrl: string;
     agentName: string;
     roomFilter?: string;

package/dist/index.js

@@ -68497,6 +68497,21 @@ ${messageText}`;
               return;
             }
           }
+          if (welcomeRoomId && this._persisted) {
+            await this._registerRoomFromWelcome(
+              welcomeRoomId,
+              groupId,
+              mgr,
+              data.room_name
+            );
+            this._pendingMlsKpBundle = void 0;
+            await releaseA2ASyncLock(this.config.dataDir, `room-kp-${groupId}`).catch(() => {
+            });
+            console.log(
+              `[SecureChannel] Registered room ${welcomeRoomId.slice(0, 8)} from unmatched Welcome (epoch=${mgr.epoch})`
+            );
+            return;
+          }
           const a2aChannelId = data.a2a_channel_id;
           for (const [channelId, entry] of Object.entries(this._persisted?.a2aChannels ?? {})) {
             if (entry.mlsGroupId === groupId || channelId === a2aChannelId) {
@@ -68553,6 +68568,33 @@ ${messageText}`;
           throw err;
         }
       }
+      /**
+       * Self-bootstrap a room entry + MLS group mapping from a Welcome whose room is
+       * not yet persisted. Happens when we were added to an EXISTING room and the
+       * `room_joined` that registers the room raced behind (or was lost relative to)
+       * the Welcome. Without a room entry the Welcome room-match loop can't match, and
+       * every subsequent room message is dropped with "No room found for MLS group".
+       * Mirrors the A2A self-bootstrap fallback. The backend now also sends the new
+       * device its own `room_joined` (PR #412); this is defense-in-depth for the race
+       * where that delivery is missed. A later `room_joined` enriches name/members.
+       */
+      async _registerRoomFromWelcome(roomId, groupId, mgr, roomName) {
+        if (!this._persisted) return;
+        if (!this._persisted.rooms) this._persisted.rooms = {};
+        const existing = this._persisted.rooms[roomId];
+        this._persisted.rooms[roomId] = {
+          roomId,
+          name: existing?.name ?? (roomName ?? ""),
+          conversationIds: existing?.conversationIds ?? [],
+          members: existing?.members ?? [],
+          mlsGroupId: groupId,
+          lastMlsMessageTs: existing?.lastMlsMessageTs
+        };
+        this._mlsGroups.set(roomId, mgr);
+        await saveMlsState(this.config.dataDir, groupId, JSON.stringify(mgr.exportState()));
+        await this._persistState();
+        await this._applyBufferedMlsCommits(groupId, mgr);
+      }
       /**
        * Pull pending MLS messages from the delivery queue and process them.
        * Called on WS connect, on mls_delivery ping, and every 30s heartbeat.
@@ -69967,6 +70009,40 @@ var init_account_config = __esm({
     DEFAULT_HTTP_PORT = 18790;
   }
 });
+function terminalReenrollMessage(agentName, reason) {
+  const who = agentName ? `[${agentName}] ` : "";
+  return `${who}device is no longer valid (${reason}) \u2014 it was revoked or replaced. Re-enroll with a fresh token from AgentVault; the old credentials are dead. This agent will stop reconnecting.`;
+}
+function attachLifecycle(channel, opts = {}) {
+  const log = opts.log ?? (() => {
+  });
+  const agentName = opts.agentName ?? "";
+  const onTerminal = opts.onTerminal ?? (() => {
+  });
+  let fired = false;
+  const terminal = (reason) => {
+    if (fired) return;
+    fired = true;
+    log(terminalReenrollMessage(agentName, reason));
+    void Promise.resolve(onTerminal(reason)).catch(() => {
+    });
+  };
+  channel.on("auth_failed", (e7) => terminal(e7.reason));
+  channel.on(
+    "session_replaced",
+    (e7) => terminal(e7?.code ? `session_replaced (${e7.code})` : "session_replaced")
+  );
+  channel.on("error", (err) => {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (/reconnect loop detected/i.test(msg)) terminal("reconnect_loop");
+    else if (/device (was )?revoked/i.test(msg)) terminal("device_revoked");
+  });
+}
+var init_lifecycle = __esm({
+  "src/lifecycle.ts"() {
+    "use strict";
+  }
+});
 async function _handleInbound(params) {
   const { plaintext, metadata, channel, account, cfg } = params;
   const core = _ocRuntime;
@@ -70051,6 +70127,7 @@ var init_openclaw_plugin = __esm({
     await init_channel();
     init_account_config();
     init_openclaw_compat();
+    init_lifecycle();
     _ocRuntime = null;
     _channels = /* @__PURE__ */ new Map();
     agentVaultPlugin = {
@@ -70108,6 +70185,7 @@ var init_openclaw_plugin = __esm({
           const dataDir = resolve(account.dataDir.replace(/^~/, process.env.HOME ?? "~"));
           _log?.(`[AgentVault] starting channel (dataDir=${dataDir})`);
           await new Promise((resolvePromise, reject) => {
+            let terminalStopped = false;
             const channel = new SecureChannel({
               inviteToken: "",
               dataDir,
@@ -70126,13 +70204,29 @@ var init_openclaw_plugin = __esm({
               },
               onStateChange: (state) => {
                 _log?.(`[AgentVault] state \u2192 ${state}`);
-                if (state === "error") reject(new Error("AgentVault channel permanent error"));
+                if (state === "error") {
+                  queueMicrotask(() => {
+                    if (!terminalStopped) reject(new Error("AgentVault channel permanent error"));
+                  });
+                }
               }
             });
             _channels.set(account.accountId, channel);
             channel.on("error", (err) => {
               _log?.(`[AgentVault] channel error (non-fatal): ${String(err)}`);
             });
+            attachLifecycle(channel, {
+              agentName: account.agentName,
+              log: (m22) => _log?.(`[AgentVault] ${m22}`),
+              onTerminal: async () => {
+                terminalStopped = true;
+                try {
+                  await channel.stop();
+                } catch {
+                }
+                _channels.delete(account.accountId);
+              }
+            });
             const httpPort = account.httpPort;
             channel.on("ready", () => {
               channel.startHttpServer(httpPort);
@@ -70143,7 +70237,9 @@ var init_openclaw_plugin = __esm({
               _channels.delete(account.accountId);
               resolvePromise();
             });
-            channel.start().catch(reject);
+            channel.start().catch((e7) => {
+              if (!terminalStopped) reject(e7);
+            });
           });
           return { stop: async () => {
           } };
@@ -70262,6 +70358,7 @@ var init_openclaw_entry = __esm({
     init_fetch_interceptor();
     init_http_handlers();
     init_openclaw_compat();
+    init_lifecycle();
     init_types();
     isUsingManagedRoutes = false;
   }
@@ -96325,8 +96422,19 @@ var CRED_FILES = ["agentvault.json", "secure-channel.json"];
 function hasPersistedCreds(dataDir) {
   return CRED_FILES.some((f7) => existsSync(join5(dataDir, f7)));
 }
+function slugify2(name) {
+  return name.toLowerCase().replace(/[^a-z0-9-]/g, "-");
+}
+function resolveDataDir(env) {
+  if (env.AV_DATA_DIR) return { dataDir: env.AV_DATA_DIR, source: "explicit" };
+  const base = join5(env.HOME ?? "", ".agentvault", "claude-room-bridge");
+  const perAgent = join5(base, slugify2(env.AV_AGENT_NAME ?? "claude"));
+  if (hasPersistedCreds(perAgent)) return { dataDir: perAgent, source: "per-agent" };
+  if (hasPersistedCreds(base)) return { dataDir: base, source: "legacy" };
+  return { dataDir: perAgent, source: "per-agent" };
+}
 function loadConfig(env, argv = []) {
-  const dataDir = env.AV_DATA_DIR ?? `${env.HOME}/.agentvault/claude-room-bridge`;
+  const { dataDir, source: dataDirSource } = resolveDataDir(env);
   const inviteToken = (argv[0] && !argv[0].startsWith("-") ? argv[0] : "") || env.AV_INVITE_TOKEN || "";
   if (!inviteToken && !hasPersistedCreds(dataDir)) {
     throw new Error(
@@ -96336,6 +96444,7 @@ function loadConfig(env, argv = []) {
   return {
     inviteToken,
     dataDir,
+    dataDirSource,
     apiUrl: env.AV_API_URL ?? "https://api.agentvault.chat",
     // Identity shown to the agent's own session. Set this to the agent's
     // AgentVault name via AV_AGENT_NAME (the native connect command passes it).
@@ -118294,7 +118403,7 @@ __export(util_exports2, {
   required: () => required2,
   safeExtend: () => safeExtend2,
   shallowClone: () => shallowClone2,
-  slugify: () => slugify2,
+  slugify: () => slugify3,
   stringifyPrimitive: () => stringifyPrimitive2,
   uint8ArrayToBase64: () => uint8ArrayToBase643,
   uint8ArrayToBase64url: () => uint8ArrayToBase64url2,
@@ -118435,7 +118544,7 @@ function randomString2(length = 10) {
 function esc2(str) {
   return JSON.stringify(str);
 }
-function slugify2(input) {
+function slugify3(input) {
   return input.toLowerCase().trim().replace(/[^\w\s-]/g, "").replace(/[\s_-]+/g, "-").replace(/^-+|-+$/g, "");
 }
 var captureStackTrace2 = "captureStackTrace" in Error ? Error.captureStackTrace : (..._args) => {
@@ -128169,7 +128278,7 @@ function _toUpperCase2() {
 }
 // @__NO_SIDE_EFFECTS__
 function _slugify2() {
-  return /* @__PURE__ */ _overwrite2((input) => slugify2(input));
+  return /* @__PURE__ */ _overwrite2((input) => slugify3(input));
 }
 // @__NO_SIDE_EFFECTS__
 function _array2(Class3, element, params) {
@@ -131413,11 +131522,11 @@ config2(en_default3());
 function makeRoomSayTool(onSay) {
   return bs(
     "say",
-    "Send a message to the current AgentVault room so the other participants see it. Call this ONLY when you have something worth adding. If you have nothing to say, do not call it \u2014 stay silent.",
-    { message: external_exports.string().describe("The message to post to the room.") },
+    "Send a message to the current AgentVault conversation \u2014 your owner in a 1:1 direct message, or the other participants in a room. In a room, call this ONLY when you have something worth adding; if you have nothing to say, stay silent.",
+    { message: external_exports.string().describe("The message to send to the current conversation.") },
     async (args) => {
       await onSay(args.message);
-      return { content: [{ type: "text", text: "Message sent to the room." }] };
+      return { content: [{ type: "text", text: "Message sent." }] };
     }
   );
 }
@@ -131429,37 +131538,52 @@ var PersistentClaudeSession = class {
   opts;
   waiting = null;
   pending = [];
-  push(text) {
+  /** Reply sink bound to the message currently being processed. Set as each
+   *  message is handed to the model so the say tool routes to the right place. */
+  activeReply;
+  push(text, reply) {
     const msg = {
       type: "user",
       message: { role: "user", content: text },
       parent_tool_use_id: null,
       session_id: ""
     };
+    const item = { msg, reply };
     if (this.waiting) {
       const w2 = this.waiting;
       this.waiting = null;
-      w2(msg);
+      w2(item);
     } else {
-      this.pending.push(msg);
+      this.pending.push(item);
     }
   }
+  /** Route a say-tool message to the reply bound to the in-flight message, falling
+   *  back to opts.onSay. This is what closes the DM→room leak: the destination is
+   *  the one captured for the message being answered, not a live global target. */
+  async deliver(text) {
+    if (this.activeReply) await this.activeReply(text);
+    else if (this.opts.onSay) await this.opts.onSay(text);
+  }
   async *input() {
     while (true) {
       if (this.pending.length > 0) {
-        yield this.pending.shift();
+        const item2 = this.pending.shift();
+        this.activeReply = item2.reply;
+        yield item2.msg;
         continue;
       }
-      yield await new Promise((resolve2) => {
+      const item = await new Promise((resolve2) => {
         this.waiting = resolve2;
       });
+      this.activeReply = item.reply;
+      yield item.msg;
     }
   }
   async start() {
     const roomServer = _s({
       name: "room",
       version: "0.2.0",
-      tools: [makeRoomSayTool(this.opts.onSay)]
+      tools: [makeRoomSayTool((text) => this.deliver(text))]
     });
     const sdkOptions = {
       model: this.opts.model,
@@ -131505,7 +131629,47 @@ var PersistentClaudeSession = class {
 };
 
 // src/bridge.ts
-function attachLifecycle(channel, opts = {}) {
+var ActiveTarget = class {
+  target = null;
+  setRoom(roomId) {
+    this.target = { kind: "room", roomId };
+  }
+  setDm() {
+    this.target = { kind: "dm" };
+  }
+  get current() {
+    return this.target;
+  }
+  async reply(channel, text) {
+    const t7 = this.target;
+    if (!t7) return;
+    if (t7.kind === "room") await channel.sendToRoom(t7.roomId, text);
+    else await channel.send(text);
+  }
+  /**
+   * Capture the CURRENT target into an immutable reply closure. This is the leak
+   * fix: a reply built here routes to where its inbound message came from, even if
+   * a later inbound flips the live `current` target. The bridge captures one of
+   * these per inbound (at push time) and hands it to the session, so a room message
+   * arriving mid-compose can never redirect a private 1:1 reply into the room.
+   */
+  snapshotReply(channel, log = () => {
+  }) {
+    const t7 = this.target;
+    const where = !t7 ? "nowhere" : t7.kind === "room" ? `room ${t7.roomId.slice(0, 8)}` : "1:1 owner";
+    return async (text) => {
+      if (!t7) return;
+      try {
+        if (t7.kind === "room") await channel.sendToRoom(t7.roomId, text);
+        else await channel.send(text);
+        log(`said to ${where}`);
+      } catch (err) {
+        log(`send failed to ${where}: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    };
+  }
+};
+function attachLifecycle2(channel, opts = {}) {
   const log = opts.log ?? (() => {
   });
   const onTerminal = opts.onTerminal ?? (() => process.exit(1));
@@ -131525,7 +131689,7 @@ function attachLifecycle(channel, opts = {}) {
     if (/reconnect loop detected/i.test(msg)) terminal("reconnect_loop");
   });
 }
-function wireBridge(channel, session, opts = {}) {
+function wireBridge(channel, session, target, opts = {}) {
   const log = opts.log ?? (() => {
   });
   channel.on("error", (err) => {
@@ -131535,8 +131699,14 @@ function wireBridge(channel, session, opts = {}) {
   channel.on("room_message", (e7) => {
     if (opts.roomFilter && e7.roomId !== opts.roomFilter) return;
     log(`inbound from ${e7.senderName} in ${e7.roomId.slice(0, 8)}`);
-    session.onActiveRoom(e7.roomId);
-    session.push(`[${e7.senderName}]: ${e7.plaintext}`);
+    target.setRoom(e7.roomId);
+    session.push(`[${e7.senderName}]: ${e7.plaintext}`, target.snapshotReply(channel, log));
+  });
+  channel.on("message", (text, metadata) => {
+    if (metadata?.roomId) return;
+    log("inbound 1:1 DM from owner");
+    target.setDm();
+    session.push(text, target.snapshotReply(channel, log));
   });
 }
 
@@ -131549,7 +131719,9 @@ async function main() {
       "[bridge] warning: passing the invite token on the command line is visible to other local users via 'ps'. Prefer: AV_INVITE_TOKEN=\u2026 npx @agentvault/claude-bridge"
     );
   }
-  let activeRoomId = cfg.roomFilter ?? "";
+  console.error(`[bridge] data dir: ${cfg.dataDir} (${cfg.dataDirSource})`);
+  const target = new ActiveTarget();
+  if (cfg.roomFilter) target.setRoom(cfg.roomFilter);
   const channel = new SecureChannel({
     inviteToken: cfg.inviteToken,
     dataDir: cfg.dataDir,
@@ -131559,28 +131731,22 @@ async function main() {
   });
   const session = new PersistentClaudeSession({
     model: cfg.model,
-    systemPrompt: cfg.systemPrompt ?? `You are ${cfg.agentName}, an AI agent collaborating with other agents in an AgentVault room. That is your identity in this room \u2014 introduce yourself by that name and do not claim to be any other agent. You see every room message. To speak, call the room_say tool \u2014 and only when you have something worth adding. If you have nothing to contribute, stay silent (do not call room_say). Keep messages concise.`,
-    // Claude speaks by calling room_say → posted to the active room.
-    onSay: async (text) => {
-      if (!activeRoomId) return;
-      try {
-        await channel.sendToRoom(activeRoomId, text);
-        console.error(`[bridge] said in ${activeRoomId.slice(0, 8)}`);
-      } catch (err) {
-        console.error(`[bridge] send failed to ${activeRoomId.slice(0, 8)}:`, err);
-      }
-    },
+    systemPrompt: cfg.systemPrompt ?? `You are ${cfg.agentName}, an AI agent on AgentVault. You talk with your owner in 1:1 direct messages and collaborate with other agents in shared rooms. That is your identity \u2014 introduce yourself by that name and do not claim to be any other agent. To speak, call the say tool. In a 1:1 with your owner, reply to what they say. In a room you see every message \u2014 call say only when you have something worth adding, and otherwise stay silent. Keep messages concise.`,
+    // Claude speaks by calling the say tool → the session routes it to the reply
+    // bound to the message being answered (wireBridge captures that per inbound via
+    // ActiveTarget.snapshotReply, which also logs the "said to …" line). This
+    // per-message binding is what prevents a private 1:1 reply from leaking into a
+    // room when room traffic arrives mid-compose.
     // Assistant reasoning that wasn't sent — log a short trace only.
     onObserve: (text) => console.error(`[bridge] observed (${text.length} chars, not sent)`)
   });
   wireBridge(
     channel,
-    { push: (t7) => session.push(t7), onActiveRoom: (r7) => {
-      activeRoomId = r7;
-    } },
+    { push: (t7, reply) => session.push(t7, reply) },
+    target,
     { roomFilter: cfg.roomFilter, log: (m6) => console.error("[bridge] " + m6) }
   );
-  attachLifecycle(channel, {
+  attachLifecycle2(channel, {
     log: (m6) => console.error("[bridge] " + m6)
   });
   channel.on("state", (s10) => console.error(`[bridge] channel state: ${JSON.stringify(s10)}`));

package/dist/session.d.ts

@@ -45,9 +45,11 @@ export type QueryFn = (args: {
     type: string;
     [k: string]: unknown;
 }>;
+type ReplySink = (text: string) => void | Promise<void>;
 export interface SessionOpts {
-    /** Called when Claude chooses to speak (via the room_say tool). */
-    onSay: (text: string) => void | Promise<void>;
+    /** Fallback reply sink when a message carries no per-message reply (e.g. a
+     *  proactive say). Per-message replies passed to push() take precedence. */
+    onSay?: ReplySink;
     /** Called with assistant text that is NOT sent to the room (for logging). */
     onObserve?: (text: string) => void;
     model?: string;
@@ -58,9 +60,17 @@ export declare class PersistentClaudeSession {
     private opts;
     private waiting;
     private pending;
+    /** Reply sink bound to the message currently being processed. Set as each
+     *  message is handed to the model so the say tool routes to the right place. */
+    private activeReply?;
     constructor(opts: SessionOpts);
-    push(text: string): void;
+    push(text: string, reply?: ReplySink): void;
+    /** Route a say-tool message to the reply bound to the in-flight message, falling
+     *  back to opts.onSay. This is what closes the DM→room leak: the destination is
+     *  the one captured for the message being answered, not a live global target. */
+    deliver(text: string): Promise<void>;
     private input;
     start(): Promise<void>;
 }
+export {};
 //# sourceMappingURL=session.d.ts.map

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@agentvault/claude-bridge",
-  "version": "0.2.1",
+  "version": "0.3.1",
   "type": "module",
-  "description": "AgentVault Claude Room Bridge — daemon for bridging AI agents into secure E2E-encrypted AgentVault rooms.",
+  "description": "AgentVault Claude Bridge — daemon for bridging a Claude agent into secure E2E-encrypted AgentVault 1:1 direct messages and rooms.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "bin": {