@agentvault/secure-channel 0.2.0 → 0.4.0

package/dist/channel.d.ts

@@ -25,6 +25,10 @@ export declare class SecureChannel extends EventEmitter {
     /** Returns the number of active sessions. */
     get sessionCount(): number;
     start(): Promise<void>;
+    /**
+     * Append a message to persistent history for cross-device replay.
+     */
+    private _appendHistory;
     /**
      * Encrypt and send a message to ALL owner devices (fanout).
      * Each session gets the same plaintext encrypted independently.
@@ -46,6 +50,11 @@ export declare class SecureChannel extends EventEmitter {
      * This allows all owner devices to see messages from any single device.
      */
     private _relaySyncToSiblings;
+    /**
+     * Send stored message history to a newly-activated session.
+     * Batches all history into a single encrypted message.
+     */
+    private _replayHistoryToSession;
     /**
      * Handle a device_linked event: a new owner device has joined.
      * Fetches the new device's public keys, performs X3DH, and initializes

package/dist/channel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAa3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAIb,MAAM,YAAY,CAAC;AAgDpB,qBAAa,aAAc,SAAQ,YAAY;IAiBjC,OAAO,CAAC,MAAM;IAhB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;gBAE7B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAkC5B;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA4BtC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAoBb,OAAO;IA+CrB,OAAO,CAAC,KAAK;YAgCC,SAAS;IAyEvB,OAAO,CAAC,QAAQ;IA4DhB;;;;OAIG;YACW,sBAAsB;IAmEpC;;;OAGG;YACW,oBAAoB;IAiClC;;;;OAIG;YACW,mBAAmB;IAuEjC;;;OAGG;YACW,mBAAmB;IA+EjC,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAa5B"}
+{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAa3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAKb,MAAM,YAAY,CAAC;AAiDpB,qBAAa,aAAc,SAAQ,YAAY;IAiBjC,OAAO,CAAC,MAAM;IAhB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;gBAE7B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAmBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsCtC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAoBb,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAgCC,SAAS;IA2HvB,OAAO,CAAC,QAAQ;IA4DhB;;;;OAIG;YACW,sBAAsB;IAoFpC;;;OAGG;YACW,oBAAoB;IAmClC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAkEjC;;;OAGG;YACW,mBAAmB;IAwFjC,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAc5B"}

package/dist/cli.js

@@ -45054,7 +45054,8 @@ function migratePersistedState(raw) {
     identityKeypair: legacy.identityKeypair,
     ephemeralKeypair: legacy.ephemeralKeypair,
     fingerprint: legacy.fingerprint,
-    lastMessageTimestamp: legacy.lastMessageTimestamp
+    lastMessageTimestamp: legacy.lastMessageTimestamp,
+    messageHistory: []
   };
 }
 var SecureChannel = class extends EventEmitter {
@@ -45101,6 +45102,9 @@ var SecureChannel = class extends EventEmitter {
     const raw = await loadState(this.config.dataDir);
     if (raw) {
       this._persisted = migratePersistedState(raw);
+      if (!this._persisted.messageHistory) {
+        this._persisted.messageHistory = [];
+      }
       this._deviceId = this._persisted.deviceId;
       this._deviceJwt = this._persisted.deviceJwt;
       this._primaryConversationId = this._persisted.primaryConversationId;
@@ -45112,7 +45116,8 @@ var SecureChannel = class extends EventEmitter {
           const ratchet = DoubleRatchet.deserialize(sessionData.ratchetState);
           this._sessions.set(convId, {
             ownerDeviceId: sessionData.ownerDeviceId,
-            ratchet
+            ratchet,
+            activated: sessionData.activated ?? false
           });
         }
       }
@@ -45121,6 +45126,24 @@ var SecureChannel = class extends EventEmitter {
     }
     await this._enroll();
   }
+  /**
+   * Append a message to persistent history for cross-device replay.
+   */
+  _appendHistory(sender, text) {
+    if (!this._persisted) return;
+    if (!this._persisted.messageHistory) {
+      this._persisted.messageHistory = [];
+    }
+    const maxSize = this.config.maxHistorySize ?? 500;
+    this._persisted.messageHistory.push({
+      sender,
+      text,
+      ts: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    if (this._persisted.messageHistory.length > maxSize) {
+      this._persisted.messageHistory = this._persisted.messageHistory.slice(-maxSize);
+    }
+  }
   /**
    * Encrypt and send a message to ALL owner devices (fanout).
    * Each session gets the same plaintext encrypted independently.
@@ -45129,8 +45152,12 @@ var SecureChannel = class extends EventEmitter {
     if (this._state !== "ready" || this._sessions.size === 0 || !this._ws) {
       throw new Error("Channel is not ready");
     }
+    this._appendHistory("agent", plaintext);
     const messageGroupId = randomUUID();
     for (const [convId, session] of this._sessions) {
+      if (!session.activated) {
+        continue;
+      }
       const encrypted = session.ratchet.encrypt(plaintext);
       const transport = encryptedMessageToTransport(encrypted);
       this._ws.send(
@@ -45201,7 +45228,8 @@ var SecureChannel = class extends EventEmitter {
           publicKey: bytesToHex(ephemeral.publicKey),
           privateKey: bytesToHex(ephemeral.privateKey)
         },
-        fingerprint: result.fingerprint
+        fingerprint: result.fingerprint,
+        messageHistory: []
       };
       this._poll();
     } catch (err) {
@@ -45252,36 +45280,73 @@ var SecureChannel = class extends EventEmitter {
       this._deviceJwt = result.device_jwt;
       const identity = this._persisted.identityKeypair;
       const ephemeral = this._persisted.ephemeralKeypair;
-      const sharedSecret = performX3DH({
-        myIdentityPrivate: hexToBytes(identity.privateKey),
-        myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
-        theirIdentityPublic: hexToBytes(result.owner_identity_public_key),
-        theirEphemeralPublic: hexToBytes(
-          result.owner_ephemeral_public_key ?? result.owner_identity_public_key
-        ),
-        isInitiator: false
-      });
-      const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
-        publicKey: hexToBytes(identity.publicKey),
-        privateKey: hexToBytes(identity.privateKey),
-        keyType: "ed25519"
-      });
-      this._sessions.set(primary.conversation_id, {
-        ownerDeviceId: primary.owner_device_id,
-        ratchet
-      });
+      const sessions = {};
+      for (const conv of conversations) {
+        const ownerIdentityKey = conv.owner_identity_public_key || result.owner_identity_public_key;
+        const ownerEphemeralKey = conv.owner_ephemeral_public_key || result.owner_ephemeral_public_key || ownerIdentityKey;
+        const sharedSecret = performX3DH({
+          myIdentityPrivate: hexToBytes(identity.privateKey),
+          myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
+          theirIdentityPublic: hexToBytes(ownerIdentityKey),
+          theirEphemeralPublic: hexToBytes(ownerEphemeralKey),
+          isInitiator: false
+        });
+        const ratchet = DoubleRatchet.initReceiver(sharedSecret, {
+          publicKey: hexToBytes(identity.publicKey),
+          privateKey: hexToBytes(identity.privateKey),
+          keyType: "ed25519"
+        });
+        this._sessions.set(conv.conversation_id, {
+          ownerDeviceId: conv.owner_device_id,
+          ratchet,
+          activated: false
+          // Wait for owner's first message before sending to this session
+        });
+        sessions[conv.conversation_id] = {
+          ownerDeviceId: conv.owner_device_id,
+          ratchetState: ratchet.serialize()
+        };
+        console.log(
+          `[SecureChannel] Session initialized for conv ${conv.conversation_id.slice(0, 8)}... (owner ${conv.owner_device_id.slice(0, 8)}..., primary=${conv.is_primary})`
+        );
+      }
       this._persisted = {
         ...this._persisted,
         deviceJwt: result.device_jwt,
         primaryConversationId: primary.conversation_id,
-        sessions: {
-          [primary.conversation_id]: {
-            ownerDeviceId: primary.owner_device_id,
-            ratchetState: ratchet.serialize()
-          }
-        }
+        sessions,
+        messageHistory: this._persisted.messageHistory ?? []
       };
       await saveState(this.config.dataDir, this._persisted);
+      if (this.config.webhookUrl) {
+        try {
+          const webhookResp = await fetch(
+            `${this.config.apiUrl}/api/v1/devices/self/webhook`,
+            {
+              method: "PATCH",
+              headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${this._deviceJwt}`
+              },
+              body: JSON.stringify({ webhook_url: this.config.webhookUrl })
+            }
+          );
+          if (webhookResp.ok) {
+            const webhookData = await webhookResp.json();
+            console.log(
+              `[SecureChannel] Webhook registered: ${this.config.webhookUrl} (secret: ${webhookData.webhook_secret?.slice(0, 8)}...)`
+            );
+            this.emit("webhook_registered", {
+              url: this.config.webhookUrl,
+              secret: webhookData.webhook_secret
+            });
+          } else {
+            console.warn(`[SecureChannel] Webhook registration failed: ${webhookResp.status}`);
+          }
+        } catch (err) {
+          console.warn(`[SecureChannel] Webhook registration error: ${err}`);
+        }
+      }
       this._connect();
     } catch (err) {
       this._handleError(err);
@@ -45352,6 +45417,10 @@ var SecureChannel = class extends EventEmitter {
       ciphertext: msgData.ciphertext
     });
     const plaintext = session.ratchet.decrypt(encrypted);
+    if (!session.activated) {
+      session.activated = true;
+      console.log(`[SecureChannel] Session ${convId.slice(0, 8)}... activated by first owner message`);
+    }
     let messageText;
     let messageType;
     try {
@@ -45362,7 +45431,14 @@ var SecureChannel = class extends EventEmitter {
       messageType = "message";
       messageText = plaintext;
     }
+    if (messageType === "session_init") {
+      console.log(`[SecureChannel] session_init received for ${convId.slice(0, 8)}..., replaying history`);
+      await this._replayHistoryToSession(convId);
+      await this._persistState();
+      return;
+    }
     if (messageType === "message") {
+      this._appendHistory("owner", messageText);
       const metadata = {
         messageId: msgData.message_id,
         conversationId: convId,
@@ -45391,6 +45467,7 @@ var SecureChannel = class extends EventEmitter {
     });
     for (const [siblingConvId, siblingSession] of this._sessions) {
       if (siblingConvId === sourceConvId) continue;
+      if (!siblingSession.activated) continue;
       const syncEncrypted = siblingSession.ratchet.encrypt(syncPayload);
       const syncTransport = encryptedMessageToTransport(syncEncrypted);
       this._ws.send(
@@ -45405,6 +45482,38 @@ var SecureChannel = class extends EventEmitter {
       );
     }
   }
+  /**
+   * Send stored message history to a newly-activated session.
+   * Batches all history into a single encrypted message.
+   */
+  async _replayHistoryToSession(convId) {
+    const session = this._sessions.get(convId);
+    if (!session || !session.activated || !this._ws) return;
+    const history = this._persisted?.messageHistory ?? [];
+    if (history.length === 0) {
+      console.log(`[SecureChannel] No history to replay for ${convId.slice(0, 8)}...`);
+      return;
+    }
+    console.log(
+      `[SecureChannel] Replaying ${history.length} messages to session ${convId.slice(0, 8)}...`
+    );
+    const replayPayload = JSON.stringify({
+      type: "history_replay",
+      messages: history
+    });
+    const encrypted = session.ratchet.encrypt(replayPayload);
+    const transport = encryptedMessageToTransport(encrypted);
+    this._ws.send(
+      JSON.stringify({
+        event: "message",
+        data: {
+          conversation_id: convId,
+          header_blob: transport.header_blob,
+          ciphertext: transport.ciphertext
+        }
+      })
+    );
+  }
   /**
    * Handle a device_linked event: a new owner device has joined.
    * Fetches the new device's public keys, performs X3DH, and initializes
@@ -45415,27 +45524,20 @@ var SecureChannel = class extends EventEmitter {
       `[SecureChannel] New owner device linked: ${event.owner_device_id.slice(0, 8)}...`
     );
     try {
-      const keysRes = await fetch(
-        `${this.config.apiUrl}/api/v1/conversations/${event.conversation_id}/keys`,
-        {
-          headers: { Authorization: `Bearer ${this._deviceJwt}` }
-        }
-      );
-      if (!keysRes.ok) {
+      if (!event.owner_identity_public_key) {
         console.error(
-          `[SecureChannel] Failed to fetch keys for linked device: ${keysRes.status}`
+          `[SecureChannel] device_linked event missing owner keys for conv ${event.conversation_id.slice(0, 8)}...`
         );
         return;
       }
-      const keys = await keysRes.json();
       const identity = this._persisted.identityKeypair;
       const ephemeral = this._persisted.ephemeralKeypair;
       const sharedSecret = performX3DH({
         myIdentityPrivate: hexToBytes(identity.privateKey),
         myEphemeralPrivate: hexToBytes(ephemeral.privateKey),
-        theirIdentityPublic: hexToBytes(keys.identity_public_key),
+        theirIdentityPublic: hexToBytes(event.owner_identity_public_key),
         theirEphemeralPublic: hexToBytes(
-          keys.ephemeral_public_key ?? keys.identity_public_key
+          event.owner_ephemeral_public_key ?? event.owner_identity_public_key
         ),
         isInitiator: false
       });
@@ -45446,15 +45548,18 @@ var SecureChannel = class extends EventEmitter {
       });
       this._sessions.set(event.conversation_id, {
         ownerDeviceId: event.owner_device_id,
-        ratchet
+        ratchet,
+        activated: false
+        // Wait for owner's first message
       });
       this._persisted.sessions[event.conversation_id] = {
         ownerDeviceId: event.owner_device_id,
-        ratchetState: ratchet.serialize()
+        ratchetState: ratchet.serialize(),
+        activated: false
       };
       await this._persistState();
       console.log(
-        `[SecureChannel] Session initialized for device ${event.owner_device_id.slice(0, 8)}...`
+        `[SecureChannel] Session initialized for device ${event.owner_device_id.slice(0, 8)}... (conv ${event.conversation_id.slice(0, 8)}...)`
       );
     } catch (err) {
       console.error(
@@ -45493,6 +45598,10 @@ var SecureChannel = class extends EventEmitter {
             ciphertext: msg.ciphertext
           });
           const plaintext = session.ratchet.decrypt(encrypted);
+          if (!session.activated) {
+            session.activated = true;
+            console.log(`[SecureChannel] Session ${msg.conversation_id.slice(0, 8)}... activated during sync`);
+          }
           let messageText;
           let messageType;
           try {
@@ -45504,6 +45613,7 @@ var SecureChannel = class extends EventEmitter {
             messageText = plaintext;
           }
           if (messageType === "message") {
+            this._appendHistory("owner", messageText);
             const metadata = {
               messageId: msg.id,
               conversationId: msg.conversation_id,
@@ -45554,7 +45664,8 @@ var SecureChannel = class extends EventEmitter {
     for (const [convId, session] of this._sessions) {
       this._persisted.sessions[convId] = {
         ownerDeviceId: session.ownerDeviceId,
-        ratchetState: session.ratchet.serialize()
+        ratchetState: session.ratchet.serialize(),
+        activated: session.activated
       };
     }
     await saveState(this.config.dataDir, this._persisted);