@agentvault/secure-channel 0.1.2 → 0.4.0

package/dist/cli.js

@@ -2,6 +2,7 @@
 
 // src/channel.ts
 import { EventEmitter } from "node:events";
+import { randomUUID } from "node:crypto";
 
 // ../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs
 var __filename;
@@ -45035,6 +45036,28 @@ async function activateDevice(apiUrl2, deviceId) {
 var POLL_INTERVAL_MS = 5e3;
 var RECONNECT_BASE_MS = 1e3;
 var RECONNECT_MAX_MS = 3e4;
+function migratePersistedState(raw) {
+  if (raw.sessions && raw.primaryConversationId) {
+    return raw;
+  }
+  const legacy = raw;
+  return {
+    deviceId: legacy.deviceId,
+    deviceJwt: legacy.deviceJwt,
+    primaryConversationId: legacy.conversationId,
+    sessions: {
+      [legacy.conversationId]: {
+        ownerDeviceId: "",
+        ratchetState: legacy.ratchetState
+      }
+    },
+    identityKeypair: legacy.identityKeypair,
+    ephemeralKeypair: legacy.ephemeralKeypair,
+    fingerprint: legacy.fingerprint,
+    lastMessageTimestamp: legacy.lastMessageTimestamp,
+    messageHistory: []
+  };
+}
 var SecureChannel = class extends EventEmitter {
   constructor(config) {
     super();
@@ -45043,9 +45066,9 @@ var SecureChannel = class extends EventEmitter {
   _state = "idle";
   _deviceId = null;
   _fingerprint = null;
-  _conversationId = null;
+  _primaryConversationId = "";
   _deviceJwt = null;
-  _ratchet = null;
+  _sessions = /* @__PURE__ */ new Map();
   _ws = null;
   _pollTimer = null;
   _reconnectAttempt = 0;
@@ -45061,41 +45084,94 @@ var SecureChannel = class extends EventEmitter {
   get fingerprint() {
     return this._fingerprint;
   }
+  /** Returns the primary conversation ID (backward-compatible). */
   get conversationId() {
-    return this._conversationId;
+    return this._primaryConversationId || null;
+  }
+  /** Returns all active conversation IDs. */
+  get conversationIds() {
+    return Array.from(this._sessions.keys());
+  }
+  /** Returns the number of active sessions. */
+  get sessionCount() {
+    return this._sessions.size;
   }
   async start() {
     this._stopped = false;
     await libsodium_wrappers_default.ready;
-    const persisted = await loadState(this.config.dataDir);
-    if (persisted) {
-      this._persisted = persisted;
-      this._deviceId = persisted.deviceId;
-      this._deviceJwt = persisted.deviceJwt;
-      this._conversationId = persisted.conversationId;
-      this._fingerprint = persisted.fingerprint;
-      this._ratchet = DoubleRatchet.deserialize(persisted.ratchetState);
+    const raw = await loadState(this.config.dataDir);
+    if (raw) {
+      this._persisted = migratePersistedState(raw);
+      if (!this._persisted.messageHistory) {
+        this._persisted.messageHistory = [];
+      }
+      this._deviceId = this._persisted.deviceId;
+      this._deviceJwt = this._persisted.deviceJwt;
+      this._primaryConversationId = this._persisted.primaryConversationId;
+      this._fingerprint = this._persisted.fingerprint;
+      for (const [convId, sessionData] of Object.entries(
+        this._persisted.sessions
+      )) {
+        if (sessionData.ratchetState) {
+          const ratchet = DoubleRatchet.deserialize(sessionData.ratchetState);
+          this._sessions.set(convId, {
+            ownerDeviceId: sessionData.ownerDeviceId,
+            ratchet,
+            activated: sessionData.activated ?? false
+          });
+        }
+      }
       this._connect();
       return;
     }
     await this._enroll();
   }
+  /**
+   * Append a message to persistent history for cross-device replay.
+   */
+  _appendHistory(sender, text) {
+    if (!this._persisted) return;
+    if (!this._persisted.messageHistory) {
+      this._persisted.messageHistory = [];
+    }
+    const maxSize = this.config.maxHistorySize ?? 500;
+    this._persisted.messageHistory.push({
+      sender,
+      text,
+      ts: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    if (this._persisted.messageHistory.length > maxSize) {
+      this._persisted.messageHistory = this._persisted.messageHistory.slice(-maxSize);
+    }
+  }
+  /**
+   * Encrypt and send a message to ALL owner devices (fanout).
+   * Each session gets the same plaintext encrypted independently.
+   */
   async send(plaintext) {
-    if (this._state !== "ready" || !this._ratchet || !this._ws) {
+    if (this._state !== "ready" || this._sessions.size === 0 || !this._ws) {
       throw new Error("Channel is not ready");
     }
-    const encrypted = this._ratchet.encrypt(plaintext);
-    const transport = encryptedMessageToTransport(encrypted);
-    this._ws.send(
-      JSON.stringify({
-        event: "message",
-        data: {
-          conversation_id: this._conversationId,
-          header_blob: transport.header_blob,
-          ciphertext: transport.ciphertext
-        }
-      })
-    );
+    this._appendHistory("agent", plaintext);
+    const messageGroupId = randomUUID();
+    for (const [convId, session] of this._sessions) {
+      if (!session.activated) {
+        continue;
+      }
+      const encrypted = session.ratchet.encrypt(plaintext);
+      const transport = encryptedMessageToTransport(encrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: convId,
+            header_blob: transport.header_blob,
+            ciphertext: transport.ciphertext,
+            message_group_id: messageGroupId
+          }
+        })
+      );
+    }
     await this._persistState();
   }
   async stop() {
@@ -45140,8 +45216,10 @@ var SecureChannel = class extends EventEmitter {
         deviceId: result.device_id,
         deviceJwt: "",
         // set after activation
-        conversationId: "",
+        primaryConversationId: "",
         // set after activation
+        sessions: {},
+        // populated after activation
         identityKeypair: {
           publicKey: bytesToHex(identity.publicKey),
           privateKey: bytesToHex(identity.privateKey)
@@ -45151,8 +45229,7 @@ var SecureChannel = class extends EventEmitter {
           privateKey: bytesToHex(ephemeral.privateKey)
         },
         fingerprint: result.fingerprint,
-        ratchetState: ""
-        // set after activation
+        messageHistory: []
       };
       this._poll();
     } catch (err) {
@@ -45191,31 +45268,85 @@ var SecureChannel = class extends EventEmitter {
         this.config.apiUrl,
         this._deviceId
       );
-      this._conversationId = result.conversation_id;
+      const conversations = result.conversations || [
+        {
+          conversation_id: result.conversation_id,
+          owner_device_id: "",
+          is_primary: true
+        }
+      ];
+      const primary = conversations.find((c2) => c2.is_primary) || conversations[0];
+      this._primaryConversationId = primary.conversation_id;
       this._deviceJwt = result.device_jwt;
       const identity = this._persisted.identityKeypair;
       const ephemeral = this._persisted.ephemeralKeypair;
-      const sharedSecret = await performX3DH({
-        myIdentityPrivate: hexToBytes(identity.privateKey),
-        myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
-        theirIdentityPublic: hexToBytes(result.owner_identity_public_key),
-        theirEphemeralPublic: hexToBytes(
-          result.owner_ephemeral_public_key ?? result.owner_identity_public_key
-        ),
-        isInitiator: false
-      });
-      this._ratchet = DoubleRatchet.initReceiver(sharedSecret, {
-        publicKey: hexToBytes(identity.publicKey),
-        privateKey: hexToBytes(identity.privateKey),
-        keyType: "ed25519"
-      });
+      const sessions = {};
+      for (const conv of conversations) {
+        const ownerIdentityKey = conv.owner_identity_public_key || result.owner_identity_public_key;
+        const ownerEphemeralKey = conv.owner_ephemeral_public_key || result.owner_ephemeral_public_key || ownerIdentityKey;
+        const sharedSecret = performX3DH({
+          myIdentityPrivate: hexToBytes(identity.privateKey),
+          myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
+          theirIdentityPublic: hexToBytes(ownerIdentityKey),
+          theirEphemeralPublic: hexToBytes(ownerEphemeralKey),
+          isInitiator: false
+        });
+        const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
+          publicKey: hexToBytes(identity.publicKey),
+          privateKey: hexToBytes(identity.privateKey),
+          keyType: "ed25519"
+        });
+        this._sessions.set(conv.conversation_id, {
+          ownerDeviceId: conv.owner_device_id,
+          ratchet,
+          activated: false
+          // Wait for owner's first message before sending to this session
+        });
+        sessions[conv.conversation_id] = {
+          ownerDeviceId: conv.owner_device_id,
+          ratchetState: ratchet.serialize()
+        };
+        console.log(
+          `[SecureChannel] Session initialized for conv ${conv.conversation_id.slice(0, 8)}... (owner ${conv.owner_device_id.slice(0, 8)}..., primary=${conv.is_primary})`
+        );
+      }
       this._persisted = {
         ...this._persisted,
         deviceJwt: result.device_jwt,
-        conversationId: result.conversation_id,
-        ratchetState: this._ratchet.serialize()
+        primaryConversationId: primary.conversation_id,
+        sessions,
+        messageHistory: this._persisted.messageHistory ?? []
       };
       await saveState(this.config.dataDir, this._persisted);
+      if (this.config.webhookUrl) {
+        try {
+          const webhookResp = await fetch(
+            `${this.config.apiUrl}/api/v1/devices/self/webhook`,
+            {
+              method: "PATCH",
+              headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${this._deviceJwt}`
+              },
+              body: JSON.stringify({ webhook_url: this.config.webhookUrl })
+            }
+          );
+          if (webhookResp.ok) {
+            const webhookData = await webhookResp.json();
+            console.log(
+              `[SecureChannel] Webhook registered: ${this.config.webhookUrl} (secret: ${webhookData.webhook_secret?.slice(0, 8)}...)`
+            );
+            this.emit("webhook_registered", {
+              url: this.config.webhookUrl,
+              secret: webhookData.webhook_secret
+            });
+          } else {
+            console.warn(`[SecureChannel] Webhook registration failed: ${webhookResp.status}`);
+          }
+        } catch (err) {
+          console.warn(`[SecureChannel] Webhook registration error: ${err}`);
+        }
+      }
       this._connect();
     } catch (err) {
       this._handleError(err);
@@ -45246,23 +45377,12 @@ var SecureChannel = class extends EventEmitter {
           this._handleError(new Error("Device was revoked"));
           return;
         }
+        if (data.event === "device_linked") {
+          await this._handleDeviceLinked(data.data);
+          return;
+        }
         if (data.event === "message") {
-          const msgData = data.data;
-          if (msgData.sender_device_id === this._deviceId) return;
-          const encrypted = transportToEncryptedMessage({
-            header_blob: msgData.header_blob,
-            ciphertext: msgData.ciphertext
-          });
-          const plaintext = this._ratchet.decrypt(encrypted);
-          await this._persistState();
-          const metadata = {
-            messageId: msgData.message_id,
-            conversationId: msgData.conversation_id,
-            timestamp: msgData.created_at
-          };
-          this.emit("message", plaintext, metadata);
-          this.config.onMessage?.(plaintext, metadata);
-          this._persisted.lastMessageTimestamp = msgData.created_at;
+          await this._handleIncomingMessage(data.data);
         }
       } catch (err) {
         this.emit("error", err);
@@ -45277,6 +45397,182 @@ var SecureChannel = class extends EventEmitter {
       this.emit("error", err);
     });
   }
+  /**
+   * Handle an incoming encrypted message from a specific conversation.
+   * Decrypts using the appropriate session ratchet, emits to the agent,
+   * and relays as sync messages to sibling sessions.
+   */
+  async _handleIncomingMessage(msgData) {
+    if (msgData.sender_device_id === this._deviceId) return;
+    const convId = msgData.conversation_id;
+    const session = this._sessions.get(convId);
+    if (!session) {
+      console.warn(
+        `[SecureChannel] No session for conversation ${convId}, skipping`
+      );
+      return;
+    }
+    const encrypted = transportToEncryptedMessage({
+      header_blob: msgData.header_blob,
+      ciphertext: msgData.ciphertext
+    });
+    const plaintext = session.ratchet.decrypt(encrypted);
+    if (!session.activated) {
+      session.activated = true;
+      console.log(`[SecureChannel] Session ${convId.slice(0, 8)}... activated by first owner message`);
+    }
+    let messageText;
+    let messageType;
+    try {
+      const parsed = JSON.parse(plaintext);
+      messageType = parsed.type || "message";
+      messageText = parsed.text || plaintext;
+    } catch {
+      messageType = "message";
+      messageText = plaintext;
+    }
+    if (messageType === "session_init") {
+      console.log(`[SecureChannel] session_init received for ${convId.slice(0, 8)}..., replaying history`);
+      await this._replayHistoryToSession(convId);
+      await this._persistState();
+      return;
+    }
+    if (messageType === "message") {
+      this._appendHistory("owner", messageText);
+      const metadata = {
+        messageId: msgData.message_id,
+        conversationId: convId,
+        timestamp: msgData.created_at
+      };
+      this.emit("message", messageText, metadata);
+      this.config.onMessage?.(messageText, metadata);
+      await this._relaySyncToSiblings(convId, session.ownerDeviceId, messageText);
+    }
+    if (this._persisted) {
+      this._persisted.lastMessageTimestamp = msgData.created_at;
+    }
+    await this._persistState();
+  }
+  /**
+   * Relay an owner's message to all sibling sessions as encrypted sync messages.
+   * This allows all owner devices to see messages from any single device.
+   */
+  async _relaySyncToSiblings(sourceConvId, senderOwnerDeviceId, messageText) {
+    if (!this._ws || this._sessions.size <= 1) return;
+    const syncPayload = JSON.stringify({
+      type: "sync",
+      sender: senderOwnerDeviceId,
+      text: messageText,
+      ts: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    for (const [siblingConvId, siblingSession] of this._sessions) {
+      if (siblingConvId === sourceConvId) continue;
+      if (!siblingSession.activated) continue;
+      const syncEncrypted = siblingSession.ratchet.encrypt(syncPayload);
+      const syncTransport = encryptedMessageToTransport(syncEncrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: siblingConvId,
+            header_blob: syncTransport.header_blob,
+            ciphertext: syncTransport.ciphertext
+          }
+        })
+      );
+    }
+  }
+  /**
+   * Send stored message history to a newly-activated session.
+   * Batches all history into a single encrypted message.
+   */
+  async _replayHistoryToSession(convId) {
+    const session = this._sessions.get(convId);
+    if (!session || !session.activated || !this._ws) return;
+    const history = this._persisted?.messageHistory ?? [];
+    if (history.length === 0) {
+      console.log(`[SecureChannel] No history to replay for ${convId.slice(0, 8)}...`);
+      return;
+    }
+    console.log(
+      `[SecureChannel] Replaying ${history.length} messages to session ${convId.slice(0, 8)}...`
+    );
+    const replayPayload = JSON.stringify({
+      type: "history_replay",
+      messages: history
+    });
+    const encrypted = session.ratchet.encrypt(replayPayload);
+    const transport = encryptedMessageToTransport(encrypted);
+    this._ws.send(
+      JSON.stringify({
+        event: "message",
+        data: {
+          conversation_id: convId,
+          header_blob: transport.header_blob,
+          ciphertext: transport.ciphertext
+        }
+      })
+    );
+  }
+  /**
+   * Handle a device_linked event: a new owner device has joined.
+   * Fetches the new device's public keys, performs X3DH, and initializes
+   * a new ratchet session.
+   */
+  async _handleDeviceLinked(event) {
+    console.log(
+      `[SecureChannel] New owner device linked: ${event.owner_device_id.slice(0, 8)}...`
+    );
+    try {
+      if (!event.owner_identity_public_key) {
+        console.error(
+          `[SecureChannel] device_linked event missing owner keys for conv ${event.conversation_id.slice(0, 8)}...`
+        );
+        return;
+      }
+      const identity = this._persisted.identityKeypair;
+      const ephemeral = this._persisted.ephemeralKeypair;
+      const sharedSecret = performX3DH({
+        myIdentityPrivate: hexToBytes(identity.privateKey),
+        myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
+        theirIdentityPublic: hexToBytes(event.owner_identity_public_key),
+        theirEphemeralPublic: hexToBytes(
+          event.owner_ephemeral_public_key ?? event.owner_identity_public_key
+        ),
+        isInitiator: false
+      });
+      const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
+        publicKey: hexToBytes(identity.publicKey),
+        privateKey: hexToBytes(identity.privateKey),
+        keyType: "ed25519"
+      });
+      this._sessions.set(event.conversation_id, {
+        ownerDeviceId: event.owner_device_id,
+        ratchet,
+        activated: false
+        // Wait for owner's first message
+      });
+      this._persisted.sessions[event.conversation_id] = {
+        ownerDeviceId: event.owner_device_id,
+        ratchetState: ratchet.serialize(),
+        activated: false
+      };
+      await this._persistState();
+      console.log(
+        `[SecureChannel] Session initialized for device ${event.owner_device_id.slice(0, 8)}... (conv ${event.conversation_id.slice(0, 8)}...)`
+      );
+    } catch (err) {
+      console.error(
+        `[SecureChannel] Failed to handle device_linked:`,
+        err
+      );
+      this.emit("error", err);
+    }
+  }
+  /**
+   * Sync missed messages across ALL sessions.
+   * For each conversation, fetches messages since last sync and decrypts.
+   */
   async _syncMissedMessages() {
     if (!this._persisted?.lastMessageTimestamp || !this._deviceJwt) return;
     try {
@@ -45289,19 +45585,43 @@ var SecureChannel = class extends EventEmitter {
       const messages = await res.json();
       for (const msg of messages) {
         if (msg.sender_device_id === this._deviceId) continue;
+        const session = this._sessions.get(msg.conversation_id);
+        if (!session) {
+          console.warn(
+            `[SecureChannel] No session for conversation ${msg.conversation_id} during sync, skipping`
+          );
+          continue;
+        }
         try {
           const encrypted = transportToEncryptedMessage({
             header_blob: msg.header_blob,
             ciphertext: msg.ciphertext
           });
-          const plaintext = this._ratchet.decrypt(encrypted);
-          const metadata = {
-            messageId: msg.id,
-            conversationId: msg.conversation_id,
-            timestamp: msg.created_at
-          };
-          this.emit("message", plaintext, metadata);
-          this.config.onMessage?.(plaintext, metadata);
+          const plaintext = session.ratchet.decrypt(encrypted);
+          if (!session.activated) {
+            session.activated = true;
+            console.log(`[SecureChannel] Session ${msg.conversation_id.slice(0, 8)}... activated during sync`);
+          }
+          let messageText;
+          let messageType;
+          try {
+            const parsed = JSON.parse(plaintext);
+            messageType = parsed.type || "message";
+            messageText = parsed.text || plaintext;
+          } catch {
+            messageType = "message";
+            messageText = plaintext;
+          }
+          if (messageType === "message") {
+            this._appendHistory("owner", messageText);
+            const metadata = {
+              messageId: msg.id,
+              conversationId: msg.conversation_id,
+              timestamp: msg.created_at
+            };
+            this.emit("message", messageText, metadata);
+            this.config.onMessage?.(messageText, metadata);
+          }
           this._persisted.lastMessageTimestamp = msg.created_at;
         } catch (err) {
           this.emit("error", err);
@@ -45335,9 +45655,19 @@ var SecureChannel = class extends EventEmitter {
     this._setState("error");
     this.emit("error", err);
   }
+  /**
+   * Persist all ratchet session states to disk.
+   * Syncs live ratchet states back into the persisted sessions map.
+   */
   async _persistState() {
-    if (!this._persisted || !this._ratchet) return;
-    this._persisted.ratchetState = this._ratchet.serialize();
+    if (!this._persisted || this._sessions.size === 0) return;
+    for (const [convId, session] of this._sessions) {
+      this._persisted.sessions[convId] = {
+        ownerDeviceId: session.ownerDeviceId,
+        ratchetState: session.ratchet.serialize(),
+        activated: session.activated
+      };
+    }
     await saveState(this.config.dataDir, this._persisted);
   }
 };