@agentvault/secure-channel 0.1.2 → 0.2.0

package/dist/index.d.ts

@@ -1,4 +1,4 @@
 export { SecureChannel } from "./channel.js";
-export type { SecureChannelConfig, ChannelState, MessageMetadata, PersistedState, } from "./types.js";
+export type { SecureChannelConfig, ChannelState, MessageMetadata, PersistedState, LegacyPersistedState, DeviceSession, } from "./types.js";
 export declare const VERSION = "0.1.0";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,eAAe,EACf,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,eAAO,MAAM,OAAO,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,eAAO,MAAM,OAAO,UAAU,CAAC"}

package/dist/index.js

@@ -1,5 +1,6 @@
 // src/channel.ts
 import { EventEmitter } from "node:events";
+import { randomUUID } from "node:crypto";
 
 // ../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs
 var __filename;
@@ -45033,6 +45034,27 @@ async function activateDevice(apiUrl, deviceId) {
 var POLL_INTERVAL_MS = 5e3;
 var RECONNECT_BASE_MS = 1e3;
 var RECONNECT_MAX_MS = 3e4;
+function migratePersistedState(raw) {
+  if (raw.sessions && raw.primaryConversationId) {
+    return raw;
+  }
+  const legacy = raw;
+  return {
+    deviceId: legacy.deviceId,
+    deviceJwt: legacy.deviceJwt,
+    primaryConversationId: legacy.conversationId,
+    sessions: {
+      [legacy.conversationId]: {
+        ownerDeviceId: "",
+        ratchetState: legacy.ratchetState
+      }
+    },
+    identityKeypair: legacy.identityKeypair,
+    ephemeralKeypair: legacy.ephemeralKeypair,
+    fingerprint: legacy.fingerprint,
+    lastMessageTimestamp: legacy.lastMessageTimestamp
+  };
+}
 var SecureChannel = class extends EventEmitter {
   constructor(config) {
     super();
@@ -45041,9 +45063,9 @@ var SecureChannel = class extends EventEmitter {
   _state = "idle";
   _deviceId = null;
   _fingerprint = null;
-  _conversationId = null;
+  _primaryConversationId = "";
   _deviceJwt = null;
-  _ratchet = null;
+  _sessions = /* @__PURE__ */ new Map();
   _ws = null;
   _pollTimer = null;
   _reconnectAttempt = 0;
@@ -45059,41 +45081,68 @@ var SecureChannel = class extends EventEmitter {
   get fingerprint() {
     return this._fingerprint;
   }
+  /** Returns the primary conversation ID (backward-compatible). */
   get conversationId() {
-    return this._conversationId;
+    return this._primaryConversationId || null;
+  }
+  /** Returns all active conversation IDs. */
+  get conversationIds() {
+    return Array.from(this._sessions.keys());
+  }
+  /** Returns the number of active sessions. */
+  get sessionCount() {
+    return this._sessions.size;
   }
   async start() {
     this._stopped = false;
     await libsodium_wrappers_default.ready;
-    const persisted = await loadState(this.config.dataDir);
-    if (persisted) {
-      this._persisted = persisted;
-      this._deviceId = persisted.deviceId;
-      this._deviceJwt = persisted.deviceJwt;
-      this._conversationId = persisted.conversationId;
-      this._fingerprint = persisted.fingerprint;
-      this._ratchet = DoubleRatchet.deserialize(persisted.ratchetState);
+    const raw = await loadState(this.config.dataDir);
+    if (raw) {
+      this._persisted = migratePersistedState(raw);
+      this._deviceId = this._persisted.deviceId;
+      this._deviceJwt = this._persisted.deviceJwt;
+      this._primaryConversationId = this._persisted.primaryConversationId;
+      this._fingerprint = this._persisted.fingerprint;
+      for (const [convId, sessionData] of Object.entries(
+        this._persisted.sessions
+      )) {
+        if (sessionData.ratchetState) {
+          const ratchet = DoubleRatchet.deserialize(sessionData.ratchetState);
+          this._sessions.set(convId, {
+            ownerDeviceId: sessionData.ownerDeviceId,
+            ratchet
+          });
+        }
+      }
       this._connect();
       return;
     }
     await this._enroll();
   }
+  /**
+   * Encrypt and send a message to ALL owner devices (fanout).
+   * Each session gets the same plaintext encrypted independently.
+   */
   async send(plaintext) {
-    if (this._state !== "ready" || !this._ratchet || !this._ws) {
+    if (this._state !== "ready" || this._sessions.size === 0 || !this._ws) {
       throw new Error("Channel is not ready");
     }
-    const encrypted = this._ratchet.encrypt(plaintext);
-    const transport = encryptedMessageToTransport(encrypted);
-    this._ws.send(
-      JSON.stringify({
-        event: "message",
-        data: {
-          conversation_id: this._conversationId,
-          header_blob: transport.header_blob,
-          ciphertext: transport.ciphertext
-        }
-      })
-    );
+    const messageGroupId = randomUUID();
+    for (const [convId, session] of this._sessions) {
+      const encrypted = session.ratchet.encrypt(plaintext);
+      const transport = encryptedMessageToTransport(encrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: convId,
+            header_blob: transport.header_blob,
+            ciphertext: transport.ciphertext,
+            message_group_id: messageGroupId
+          }
+        })
+      );
+    }
     await this._persistState();
   }
   async stop() {
@@ -45138,8 +45187,10 @@ var SecureChannel = class extends EventEmitter {
         deviceId: result.device_id,
         deviceJwt: "",
         // set after activation
-        conversationId: "",
+        primaryConversationId: "",
         // set after activation
+        sessions: {},
+        // populated after activation
         identityKeypair: {
           publicKey: bytesToHex(identity.publicKey),
           privateKey: bytesToHex(identity.privateKey)
@@ -45148,9 +45199,7 @@ var SecureChannel = class extends EventEmitter {
           publicKey: bytesToHex(ephemeral.publicKey),
           privateKey: bytesToHex(ephemeral.privateKey)
         },
-        fingerprint: result.fingerprint,
-        ratchetState: ""
-        // set after activation
+        fingerprint: result.fingerprint
       };
       this._poll();
     } catch (err) {
@@ -45189,11 +45238,19 @@ var SecureChannel = class extends EventEmitter {
         this.config.apiUrl,
         this._deviceId
       );
-      this._conversationId = result.conversation_id;
+      const conversations = result.conversations || [
+        {
+          conversation_id: result.conversation_id,
+          owner_device_id: "",
+          is_primary: true
+        }
+      ];
+      const primary = conversations.find((c2) => c2.is_primary) || conversations[0];
+      this._primaryConversationId = primary.conversation_id;
       this._deviceJwt = result.device_jwt;
       const identity = this._persisted.identityKeypair;
       const ephemeral = this._persisted.ephemeralKeypair;
-      const sharedSecret = await performX3DH({
+      const sharedSecret = performX3DH({
         myIdentityPrivate: hexToBytes(identity.privateKey),
         myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
         theirIdentityPublic: hexToBytes(result.owner_identity_public_key),
@@ -45202,16 +45259,25 @@ var SecureChannel = class extends EventEmitter {
         ),
         isInitiator: false
       });
-      this._ratchet = DoubleRatchet.initReceiver(sharedSecret, {
+      const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
         publicKey: hexToBytes(identity.publicKey),
         privateKey: hexToBytes(identity.privateKey),
         keyType: "ed25519"
       });
+      this._sessions.set(primary.conversation_id, {
+        ownerDeviceId: primary.owner_device_id,
+        ratchet
+      });
       this._persisted = {
         ...this._persisted,
         deviceJwt: result.device_jwt,
-        conversationId: result.conversation_id,
-        ratchetState: this._ratchet.serialize()
+        primaryConversationId: primary.conversation_id,
+        sessions: {
+          [primary.conversation_id]: {
+            ownerDeviceId: primary.owner_device_id,
+            ratchetState: ratchet.serialize()
+          }
+        }
       };
       await saveState(this.config.dataDir, this._persisted);
       this._connect();
@@ -45244,23 +45310,12 @@ var SecureChannel = class extends EventEmitter {
           this._handleError(new Error("Device was revoked"));
           return;
         }
+        if (data.event === "device_linked") {
+          await this._handleDeviceLinked(data.data);
+          return;
+        }
         if (data.event === "message") {
-          const msgData = data.data;
-          if (msgData.sender_device_id === this._deviceId) return;
-          const encrypted = transportToEncryptedMessage({
-            header_blob: msgData.header_blob,
-            ciphertext: msgData.ciphertext
-          });
-          const plaintext = this._ratchet.decrypt(encrypted);
-          await this._persistState();
-          const metadata = {
-            messageId: msgData.message_id,
-            conversationId: msgData.conversation_id,
-            timestamp: msgData.created_at
-          };
-          this.emit("message", plaintext, metadata);
-          this.config.onMessage?.(plaintext, metadata);
-          this._persisted.lastMessageTimestamp = msgData.created_at;
+          await this._handleIncomingMessage(data.data);
         }
       } catch (err) {
         this.emit("error", err);
@@ -45275,6 +45330,142 @@ var SecureChannel = class extends EventEmitter {
       this.emit("error", err);
     });
   }
+  /**
+   * Handle an incoming encrypted message from a specific conversation.
+   * Decrypts using the appropriate session ratchet, emits to the agent,
+   * and relays as sync messages to sibling sessions.
+   */
+  async _handleIncomingMessage(msgData) {
+    if (msgData.sender_device_id === this._deviceId) return;
+    const convId = msgData.conversation_id;
+    const session = this._sessions.get(convId);
+    if (!session) {
+      console.warn(
+        `[SecureChannel] No session for conversation ${convId}, skipping`
+      );
+      return;
+    }
+    const encrypted = transportToEncryptedMessage({
+      header_blob: msgData.header_blob,
+      ciphertext: msgData.ciphertext
+    });
+    const plaintext = session.ratchet.decrypt(encrypted);
+    let messageText;
+    let messageType;
+    try {
+      const parsed = JSON.parse(plaintext);
+      messageType = parsed.type || "message";
+      messageText = parsed.text || plaintext;
+    } catch {
+      messageType = "message";
+      messageText = plaintext;
+    }
+    if (messageType === "message") {
+      const metadata = {
+        messageId: msgData.message_id,
+        conversationId: convId,
+        timestamp: msgData.created_at
+      };
+      this.emit("message", messageText, metadata);
+      this.config.onMessage?.(messageText, metadata);
+      await this._relaySyncToSiblings(convId, session.ownerDeviceId, messageText);
+    }
+    if (this._persisted) {
+      this._persisted.lastMessageTimestamp = msgData.created_at;
+    }
+    await this._persistState();
+  }
+  /**
+   * Relay an owner's message to all sibling sessions as encrypted sync messages.
+   * This allows all owner devices to see messages from any single device.
+   */
+  async _relaySyncToSiblings(sourceConvId, senderOwnerDeviceId, messageText) {
+    if (!this._ws || this._sessions.size <= 1) return;
+    const syncPayload = JSON.stringify({
+      type: "sync",
+      sender: senderOwnerDeviceId,
+      text: messageText,
+      ts: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    for (const [siblingConvId, siblingSession] of this._sessions) {
+      if (siblingConvId === sourceConvId) continue;
+      const syncEncrypted = siblingSession.ratchet.encrypt(syncPayload);
+      const syncTransport = encryptedMessageToTransport(syncEncrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: siblingConvId,
+            header_blob: syncTransport.header_blob,
+            ciphertext: syncTransport.ciphertext
+          }
+        })
+      );
+    }
+  }
+  /**
+   * Handle a device_linked event: a new owner device has joined.
+   * Fetches the new device's public keys, performs X3DH, and initializes
+   * a new ratchet session.
+   */
+  async _handleDeviceLinked(event) {
+    console.log(
+      `[SecureChannel] New owner device linked: ${event.owner_device_id.slice(0, 8)}...`
+    );
+    try {
+      const keysRes = await fetch(
+        `${this.config.apiUrl}/api/v1/conversations/${event.conversation_id}/keys`,
+        {
+          headers: { Authorization: `Bearer ${this._deviceJwt}` }
+        }
+      );
+      if (!keysRes.ok) {
+        console.error(
+          `[SecureChannel] Failed to fetch keys for linked device: ${keysRes.status}`
+        );
+        return;
+      }
+      const keys = await keysRes.json();
+      const identity = this._persisted.identityKeypair;
+      const ephemeral = this._persisted.ephemeralKeypair;
+      const sharedSecret = performX3DH({
+        myIdentityPrivate: hexToBytes(identity.privateKey),
+        myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
+        theirIdentityPublic: hexToBytes(keys.identity_public_key),
+        theirEphemeralPublic: hexToBytes(
+          keys.ephemeral_public_key ?? keys.identity_public_key
+        ),
+        isInitiator: false
+      });
+      const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
+        publicKey: hexToBytes(identity.publicKey),
+        privateKey: hexToBytes(identity.privateKey),
+        keyType: "ed25519"
+      });
+      this._sessions.set(event.conversation_id, {
+        ownerDeviceId: event.owner_device_id,
+        ratchet
+      });
+      this._persisted.sessions[event.conversation_id] = {
+        ownerDeviceId: event.owner_device_id,
+        ratchetState: ratchet.serialize()
+      };
+      await this._persistState();
+      console.log(
+        `[SecureChannel] Session initialized for device ${event.owner_device_id.slice(0, 8)}...`
+      );
+    } catch (err) {
+      console.error(
+        `[SecureChannel] Failed to handle device_linked:`,
+        err
+      );
+      this.emit("error", err);
+    }
+  }
+  /**
+   * Sync missed messages across ALL sessions.
+   * For each conversation, fetches messages since last sync and decrypts.
+   */
   async _syncMissedMessages() {
     if (!this._persisted?.lastMessageTimestamp || !this._deviceJwt) return;
     try {
@@ -45287,19 +45478,38 @@ var SecureChannel = class extends EventEmitter {
       const messages = await res.json();
       for (const msg of messages) {
         if (msg.sender_device_id === this._deviceId) continue;
+        const session = this._sessions.get(msg.conversation_id);
+        if (!session) {
+          console.warn(
+            `[SecureChannel] No session for conversation ${msg.conversation_id} during sync, skipping`
+          );
+          continue;
+        }
         try {
           const encrypted = transportToEncryptedMessage({
             header_blob: msg.header_blob,
             ciphertext: msg.ciphertext
           });
-          const plaintext = this._ratchet.decrypt(encrypted);
-          const metadata = {
-            messageId: msg.id,
-            conversationId: msg.conversation_id,
-            timestamp: msg.created_at
-          };
-          this.emit("message", plaintext, metadata);
-          this.config.onMessage?.(plaintext, metadata);
+          const plaintext = session.ratchet.decrypt(encrypted);
+          let messageText;
+          let messageType;
+          try {
+            const parsed = JSON.parse(plaintext);
+            messageType = parsed.type || "message";
+            messageText = parsed.text || plaintext;
+          } catch {
+            messageType = "message";
+            messageText = plaintext;
+          }
+          if (messageType === "message") {
+            const metadata = {
+              messageId: msg.id,
+              conversationId: msg.conversation_id,
+              timestamp: msg.created_at
+            };
+            this.emit("message", messageText, metadata);
+            this.config.onMessage?.(messageText, metadata);
+          }
           this._persisted.lastMessageTimestamp = msg.created_at;
         } catch (err) {
           this.emit("error", err);
@@ -45333,9 +45543,18 @@ var SecureChannel = class extends EventEmitter {
     this._setState("error");
     this.emit("error", err);
   }
+  /**
+   * Persist all ratchet session states to disk.
+   * Syncs live ratchet states back into the persisted sessions map.
+   */
   async _persistState() {
-    if (!this._persisted || !this._ratchet) return;
-    this._persisted.ratchetState = this._ratchet.serialize();
+    if (!this._persisted || this._sessions.size === 0) return;
+    for (const [convId, session] of this._sessions) {
+      this._persisted.sessions[convId] = {
+        ownerDeviceId: session.ownerDeviceId,
+        ratchetState: session.ratchet.serialize()
+      };
+    }
     await saveState(this.config.dataDir, this._persisted);
   }
 };