npm - @agentvault/secure-channel - Versions diffs - 0.1.2 → 0.2.0 - Mend

@agentvault/secure-channel 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/__tests__/functional.test.d.ts +21 -0
package/dist/__tests__/functional.test.d.ts.map +1 -0
package/dist/__tests__/multi-session.test.d.ts +2 -0
package/dist/__tests__/multi-session.test.d.ts.map +1 -0
package/dist/channel.d.ts +36 -2
package/dist/channel.d.ts.map +1 -1
package/dist/cli.js +278 -59
package/dist/cli.js.map +3 -3
package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +278 -59
package/dist/index.js.map +3 -3
package/dist/state.d.ts +6 -1
package/dist/state.d.ts.map +1 -1
package/dist/types.d.ts +21 -0
package/dist/types.d.ts.map +1 -1
package/package.json +1 -1

package/dist/__tests__/functional.test.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Functional QA Test Suite — Agent Setup & Connection
+ *
+ * Tests the full agent lifecycle against the production API:
+ * 1. Package installation & CLI
+ * 2. Crypto operations (key gen, proof, fingerprint)
+ * 3. API connectivity & error handling
+ * 4. Full enrollment flow (create invite → enroll → approve → activate → connect)
+ *
+ * Requires env vars:
+ *   CLERK_SECRET_KEY     — Clerk backend secret for session token creation
+ *   CLERK_SESSION_ID     — Active Clerk session ID (for Eric's account)
+ *   API_URL              — Backend API URL (default: https://api.agentvault.chat)
+ *
+ * Rate limit note: enrollment is limited to 5 requests/IP/10min.
+ * This suite uses 2 enrollment calls (4.2 + 4.9). Error-case enrollment
+ * tests (3.3, 3.4) are removed to conserve rate limit budget.
+ * Test 4.2 will retry with backoff if rate-limited (up to 3 retries, 30s apart).
+ */
+export {};
+//# sourceMappingURL=functional.test.d.ts.map

package/dist/__tests__/functional.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"functional.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/functional.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG"}

package/dist/__tests__/multi-session.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=multi-session.test.d.ts.map

package/dist/__tests__/multi-session.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"multi-session.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/multi-session.test.ts"],"names":[],"mappings":""}

package/dist/channel.d.ts CHANGED Viewed

@@ -5,9 +5,9 @@ export declare class SecureChannel extends EventEmitter {
     private _state;
     private _deviceId;
     private _fingerprint;
-    private _conversationId;
+    private _primaryConversationId;
     private _deviceJwt;
-    private _ratchet;
+    private _sessions;
     private _ws;
     private _pollTimer;
     private _reconnectAttempt;
@@ -18,18 +18,52 @@ export declare class SecureChannel extends EventEmitter {
     get state(): ChannelState;
     get deviceId(): string | null;
     get fingerprint(): string | null;
+    /** Returns the primary conversation ID (backward-compatible). */
     get conversationId(): string | null;
+    /** Returns all active conversation IDs. */
+    get conversationIds(): string[];
+    /** Returns the number of active sessions. */
+    get sessionCount(): number;
     start(): Promise<void>;
+    /**
+     * Encrypt and send a message to ALL owner devices (fanout).
+     * Each session gets the same plaintext encrypted independently.
+     */
     send(plaintext: string): Promise<void>;
     stop(): Promise<void>;
     private _enroll;
     private _poll;
     private _activate;
     private _connect;
+    /**
+     * Handle an incoming encrypted message from a specific conversation.
+     * Decrypts using the appropriate session ratchet, emits to the agent,
+     * and relays as sync messages to sibling sessions.
+     */
+    private _handleIncomingMessage;
+    /**
+     * Relay an owner's message to all sibling sessions as encrypted sync messages.
+     * This allows all owner devices to see messages from any single device.
+     */
+    private _relaySyncToSiblings;
+    /**
+     * Handle a device_linked event: a new owner device has joined.
+     * Fetches the new device's public keys, performs X3DH, and initializes
+     * a new ratchet session.
+     */
+    private _handleDeviceLinked;
+    /**
+     * Sync missed messages across ALL sessions.
+     * For each conversation, fetches messages since last sync and decrypts.
+     */
     private _syncMissedMessages;
     private _scheduleReconnect;
     private _setState;
     private _handleError;
+    /**
+     * Persist all ratchet session states to disk.
+     * Syncs live ratchet states back into the persisted sessions map.
+     */
     private _persistState;
 }
 //# sourceMappingURL=channel.d.ts.map

package/dist/channel.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;~~AAY3C~~,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,~~EAGb~~,MAAM,YAAY,CAAC;~~AAkBpB~~,qBAAa,aAAc,SAAQ,YAAY;~~IAcjC~~,OAAO,CAAC,MAAM;~~IAb1B~~,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,~~eAAe~~,~~CAAuB~~;~~IAC9C~~,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,~~QAAQ~~,~~CAA8B~~;~~IAC9C~~,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;gBAE7B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;~~IAqBtB~~,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;~~IAuBtC~~,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAoBb,OAAO;IA+CrB,OAAO,CAAC,KAAK;YAgCC,SAAS;~~IAgDvB~~,OAAO,CAAC,QAAQ;~~YAgFF~~,mBAAmB;~~IAuDjC~~,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;~~YAKN~~,aAAa;~~CAK5B~~"}
1	+ {"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAa3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAIb,MAAM,YAAY,CAAC;AAgDpB,qBAAa,aAAc,SAAQ,YAAY;IAiBjC,OAAO,CAAC,MAAM;IAhB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;gBAE7B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAkC5B;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA4BtC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAoBb,OAAO;IA+CrB,OAAO,CAAC,KAAK;YAgCC,SAAS;IAyEvB,OAAO,CAAC,QAAQ;IA4DhB;;;;OAIG;YACW,sBAAsB;IAmEpC;;;OAGG;YACW,oBAAoB;IAiClC;;;;OAIG;YACW,mBAAmB;IAuEjC;;;OAGG;YACW,mBAAmB;IA+EjC,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAa5B"}

package/dist/cli.js CHANGED Viewed

@@ -2,6 +2,7 @@
 // src/channel.ts
 import { EventEmitter } from "node:events";
+import { randomUUID } from "node:crypto";
 // ../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs
 var __filename;
@@ -45035,6 +45036,27 @@ async function activateDevice(apiUrl2, deviceId) {
 var POLL_INTERVAL_MS = 5e3;
 var RECONNECT_BASE_MS = 1e3;
 var RECONNECT_MAX_MS = 3e4;
+function migratePersistedState(raw) {
+  if (raw.sessions && raw.primaryConversationId) {
+    return raw;
+  }
+  const legacy = raw;
+  return {
+    deviceId: legacy.deviceId,
+    deviceJwt: legacy.deviceJwt,
+    primaryConversationId: legacy.conversationId,
+    sessions: {
+      [legacy.conversationId]: {
+        ownerDeviceId: "",
+        ratchetState: legacy.ratchetState
+      }
+    },
+    identityKeypair: legacy.identityKeypair,
+    ephemeralKeypair: legacy.ephemeralKeypair,
+    fingerprint: legacy.fingerprint,
+    lastMessageTimestamp: legacy.lastMessageTimestamp
+  };
+}
 var SecureChannel = class extends EventEmitter {
   constructor(config) {
     super();
@@ -45043,9 +45065,9 @@ var SecureChannel = class extends EventEmitter {
   _state = "idle";
   _deviceId = null;
   _fingerprint = null;
-  _conversationId = null;
+  _primaryConversationId = "";
   _deviceJwt = null;
-  _ratchet = null;
+  _sessions = /* @__PURE__ */ new Map();
   _ws = null;
   _pollTimer = null;
   _reconnectAttempt = 0;
@@ -45061,41 +45083,68 @@ var SecureChannel = class extends EventEmitter {
   get fingerprint() {
     return this._fingerprint;
   }
+  /** Returns the primary conversation ID (backward-compatible). */
   get conversationId() {
-    return this._conversationId;
+    return this._primaryConversationId || null;
+  }
+  /** Returns all active conversation IDs. */
+  get conversationIds() {
+    return Array.from(this._sessions.keys());
+  }
+  /** Returns the number of active sessions. */
+  get sessionCount() {
+    return this._sessions.size;
   }
   async start() {
     this._stopped = false;
     await libsodium_wrappers_default.ready;
-    const persisted = await loadState(this.config.dataDir);
-    if (persisted) {
-      this._persisted = persisted;
-      this._deviceId = persisted.deviceId;
-      this._deviceJwt = persisted.deviceJwt;
-      this._conversationId = persisted.conversationId;
-      this._fingerprint = persisted.fingerprint;
-      this._ratchet = DoubleRatchet.deserialize(persisted.ratchetState);
+    const raw = await loadState(this.config.dataDir);
+    if (raw) {
+      this._persisted = migratePersistedState(raw);
+      this._deviceId = this._persisted.deviceId;
+      this._deviceJwt = this._persisted.deviceJwt;
+      this._primaryConversationId = this._persisted.primaryConversationId;
+      this._fingerprint = this._persisted.fingerprint;
+      for (const [convId, sessionData] of Object.entries(
+        this._persisted.sessions
+      )) {
+        if (sessionData.ratchetState) {
+          const ratchet = DoubleRatchet.deserialize(sessionData.ratchetState);
+          this._sessions.set(convId, {
+            ownerDeviceId: sessionData.ownerDeviceId,
+            ratchet
+          });
+        }
+      }
       this._connect();
       return;
     }
     await this._enroll();
   }
+  /**
+   * Encrypt and send a message to ALL owner devices (fanout).
+   * Each session gets the same plaintext encrypted independently.
+   */
   async send(plaintext) {
-    if (this._state !== "ready" || !this._ratchet || !this._ws) {
+    if (this._state !== "ready" || this._sessions.size === 0 || !this._ws) {
       throw new Error("Channel is not ready");
     }
-    const encrypted = this._ratchet.encrypt(plaintext);
-    const transport = encryptedMessageToTransport(encrypted);
-    this._ws.send(
-      JSON.stringify({
-        event: "message",
-        data: {
-          conversation_id: this._conversationId,
-          header_blob: transport.header_blob,
-          ciphertext: transport.ciphertext
-        }
-      })
-    );
+    const messageGroupId = randomUUID();
+    for (const [convId, session] of this._sessions) {
+      const encrypted = session.ratchet.encrypt(plaintext);
+      const transport = encryptedMessageToTransport(encrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: convId,
+            header_blob: transport.header_blob,
+            ciphertext: transport.ciphertext,
+            message_group_id: messageGroupId
+          }
+        })
+      );
+    }
     await this._persistState();
   }
   async stop() {
@@ -45140,8 +45189,10 @@ var SecureChannel = class extends EventEmitter {
         deviceId: result.device_id,
         deviceJwt: "",
         // set after activation
-        conversationId: "",
+        primaryConversationId: "",
         // set after activation
+        sessions: {},
+        // populated after activation
         identityKeypair: {
           publicKey: bytesToHex(identity.publicKey),
           privateKey: bytesToHex(identity.privateKey)
@@ -45150,9 +45201,7 @@ var SecureChannel = class extends EventEmitter {
           publicKey: bytesToHex(ephemeral.publicKey),
           privateKey: bytesToHex(ephemeral.privateKey)
         },
-        fingerprint: result.fingerprint,
-        ratchetState: ""
-        // set after activation
+        fingerprint: result.fingerprint
       };
       this._poll();
     } catch (err) {
@@ -45191,11 +45240,19 @@ var SecureChannel = class extends EventEmitter {
         this.config.apiUrl,
         this._deviceId
       );
-      this._conversationId = result.conversation_id;
+      const conversations = result.conversations || [
+        {
+          conversation_id: result.conversation_id,
+          owner_device_id: "",
+          is_primary: true
+        }
+      ];
+      const primary = conversations.find((c2) => c2.is_primary) || conversations[0];
+      this._primaryConversationId = primary.conversation_id;
       this._deviceJwt = result.device_jwt;
       const identity = this._persisted.identityKeypair;
       const ephemeral = this._persisted.ephemeralKeypair;
-      const sharedSecret = await performX3DH({
+      const sharedSecret = performX3DH({
         myIdentityPrivate: hexToBytes(identity.privateKey),
         myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
         theirIdentityPublic: hexToBytes(result.owner_identity_public_key),
@@ -45204,16 +45261,25 @@ var SecureChannel = class extends EventEmitter {
         ),
         isInitiator: false
       });
-      this._ratchet = DoubleRatchet.initReceiver(sharedSecret, {
+      const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
         publicKey: hexToBytes(identity.publicKey),
         privateKey: hexToBytes(identity.privateKey),
         keyType: "ed25519"
       });
+      this._sessions.set(primary.conversation_id, {
+        ownerDeviceId: primary.owner_device_id,
+        ratchet
+      });
       this._persisted = {
         ...this._persisted,
         deviceJwt: result.device_jwt,
-        conversationId: result.conversation_id,
-        ratchetState: this._ratchet.serialize()
+        primaryConversationId: primary.conversation_id,
+        sessions: {
+          [primary.conversation_id]: {
+            ownerDeviceId: primary.owner_device_id,
+            ratchetState: ratchet.serialize()
+          }
+        }
       };
       await saveState(this.config.dataDir, this._persisted);
       this._connect();
@@ -45246,23 +45312,12 @@ var SecureChannel = class extends EventEmitter {
           this._handleError(new Error("Device was revoked"));
           return;
         }
+        if (data.event === "device_linked") {
+          await this._handleDeviceLinked(data.data);
+          return;
+        }
         if (data.event === "message") {
-          const msgData = data.data;
-          if (msgData.sender_device_id === this._deviceId) return;
-          const encrypted = transportToEncryptedMessage({
-            header_blob: msgData.header_blob,
-            ciphertext: msgData.ciphertext
-          });
-          const plaintext = this._ratchet.decrypt(encrypted);
-          await this._persistState();
-          const metadata = {
-            messageId: msgData.message_id,
-            conversationId: msgData.conversation_id,
-            timestamp: msgData.created_at
-          };
-          this.emit("message", plaintext, metadata);
-          this.config.onMessage?.(plaintext, metadata);
-          this._persisted.lastMessageTimestamp = msgData.created_at;
+          await this._handleIncomingMessage(data.data);
         }
       } catch (err) {
         this.emit("error", err);
@@ -45277,6 +45332,142 @@ var SecureChannel = class extends EventEmitter {
       this.emit("error", err);
     });
   }
+  /**
+   * Handle an incoming encrypted message from a specific conversation.
+   * Decrypts using the appropriate session ratchet, emits to the agent,
+   * and relays as sync messages to sibling sessions.
+   */
+  async _handleIncomingMessage(msgData) {
+    if (msgData.sender_device_id === this._deviceId) return;
+    const convId = msgData.conversation_id;
+    const session = this._sessions.get(convId);
+    if (!session) {
+      console.warn(
+        `[SecureChannel] No session for conversation ${convId}, skipping`
+      );
+      return;
+    }
+    const encrypted = transportToEncryptedMessage({
+      header_blob: msgData.header_blob,
+      ciphertext: msgData.ciphertext
+    });
+    const plaintext = session.ratchet.decrypt(encrypted);
+    let messageText;
+    let messageType;
+    try {
+      const parsed = JSON.parse(plaintext);
+      messageType = parsed.type || "message";
+      messageText = parsed.text || plaintext;
+    } catch {
+      messageType = "message";
+      messageText = plaintext;
+    }
+    if (messageType === "message") {
+      const metadata = {
+        messageId: msgData.message_id,
+        conversationId: convId,
+        timestamp: msgData.created_at
+      };
+      this.emit("message", messageText, metadata);
+      this.config.onMessage?.(messageText, metadata);
+      await this._relaySyncToSiblings(convId, session.ownerDeviceId, messageText);
+    }
+    if (this._persisted) {
+      this._persisted.lastMessageTimestamp = msgData.created_at;
+    }
+    await this._persistState();
+  }
+  /**
+   * Relay an owner's message to all sibling sessions as encrypted sync messages.
+   * This allows all owner devices to see messages from any single device.
+   */
+  async _relaySyncToSiblings(sourceConvId, senderOwnerDeviceId, messageText) {
+    if (!this._ws || this._sessions.size <= 1) return;
+    const syncPayload = JSON.stringify({
+      type: "sync",
+      sender: senderOwnerDeviceId,
+      text: messageText,
+      ts: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    for (const [siblingConvId, siblingSession] of this._sessions) {
+      if (siblingConvId === sourceConvId) continue;
+      const syncEncrypted = siblingSession.ratchet.encrypt(syncPayload);
+      const syncTransport = encryptedMessageToTransport(syncEncrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: siblingConvId,
+            header_blob: syncTransport.header_blob,
+            ciphertext: syncTransport.ciphertext
+          }
+        })
+      );
+    }
+  }
+  /**
+   * Handle a device_linked event: a new owner device has joined.
+   * Fetches the new device's public keys, performs X3DH, and initializes
+   * a new ratchet session.
+   */
+  async _handleDeviceLinked(event) {
+    console.log(
+      `[SecureChannel] New owner device linked: ${event.owner_device_id.slice(0, 8)}...`
+    );
+    try {
+      const keysRes = await fetch(
+        `${this.config.apiUrl}/api/v1/conversations/${event.conversation_id}/keys`,
+        {
+          headers: { Authorization: `Bearer ${this._deviceJwt}` }
+        }
+      );
+      if (!keysRes.ok) {
+        console.error(
+          `[SecureChannel] Failed to fetch keys for linked device: ${keysRes.status}`
+        );
+        return;
+      }
+      const keys = await keysRes.json();
+      const identity = this._persisted.identityKeypair;
+      const ephemeral = this._persisted.ephemeralKeypair;
+      const sharedSecret = performX3DH({
+        myIdentityPrivate: hexToBytes(identity.privateKey),
+        myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
+        theirIdentityPublic: hexToBytes(keys.identity_public_key),
+        theirEphemeralPublic: hexToBytes(
+          keys.ephemeral_public_key ?? keys.identity_public_key
+        ),
+        isInitiator: false
+      });
+      const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
+        publicKey: hexToBytes(identity.publicKey),
+        privateKey: hexToBytes(identity.privateKey),
+        keyType: "ed25519"
+      });
+      this._sessions.set(event.conversation_id, {
+        ownerDeviceId: event.owner_device_id,
+        ratchet
+      });
+      this._persisted.sessions[event.conversation_id] = {
+        ownerDeviceId: event.owner_device_id,
+        ratchetState: ratchet.serialize()
+      };
+      await this._persistState();
+      console.log(
+        `[SecureChannel] Session initialized for device ${event.owner_device_id.slice(0, 8)}...`
+      );
+    } catch (err) {
+      console.error(
+        `[SecureChannel] Failed to handle device_linked:`,
+        err
+      );
+      this.emit("error", err);
+    }
+  }
+  /**
+   * Sync missed messages across ALL sessions.
+   * For each conversation, fetches messages since last sync and decrypts.
+   */
   async _syncMissedMessages() {
     if (!this._persisted?.lastMessageTimestamp || !this._deviceJwt) return;
     try {
@@ -45289,19 +45480,38 @@ var SecureChannel = class extends EventEmitter {
       const messages = await res.json();
       for (const msg of messages) {
         if (msg.sender_device_id === this._deviceId) continue;
+        const session = this._sessions.get(msg.conversation_id);
+        if (!session) {
+          console.warn(
+            `[SecureChannel] No session for conversation ${msg.conversation_id} during sync, skipping`
+          );
+          continue;
+        }
         try {
           const encrypted = transportToEncryptedMessage({
             header_blob: msg.header_blob,
             ciphertext: msg.ciphertext
           });
-          const plaintext = this._ratchet.decrypt(encrypted);
-          const metadata = {
-            messageId: msg.id,
-            conversationId: msg.conversation_id,
-            timestamp: msg.created_at
-          };
-          this.emit("message", plaintext, metadata);
-          this.config.onMessage?.(plaintext, metadata);
+          const plaintext = session.ratchet.decrypt(encrypted);
+          let messageText;
+          let messageType;
+          try {
+            const parsed = JSON.parse(plaintext);
+            messageType = parsed.type || "message";
+            messageText = parsed.text || plaintext;
+          } catch {
+            messageType = "message";
+            messageText = plaintext;
+          }
+          if (messageType === "message") {
+            const metadata = {
+              messageId: msg.id,
+              conversationId: msg.conversation_id,
+              timestamp: msg.created_at
+            };
+            this.emit("message", messageText, metadata);
+            this.config.onMessage?.(messageText, metadata);
+          }
           this._persisted.lastMessageTimestamp = msg.created_at;
         } catch (err) {
           this.emit("error", err);
@@ -45335,9 +45545,18 @@ var SecureChannel = class extends EventEmitter {
     this._setState("error");
     this.emit("error", err);
   }
+  /**
+   * Persist all ratchet session states to disk.
+   * Syncs live ratchet states back into the persisted sessions map.
+   */
   async _persistState() {
-    if (!this._persisted || !this._ratchet) return;
-    this._persisted.ratchetState = this._ratchet.serialize();
+    if (!this._persisted || this._sessions.size === 0) return;
+    for (const [convId, session] of this._sessions) {
+      this._persisted.sessions[convId] = {
+        ownerDeviceId: session.ownerDeviceId,
+        ratchetState: session.ratchet.serialize()
+      };
+    }
     await saveState(this.config.dataDir, this._persisted);
   }
 };