@agentvault/secure-channel 0.6.11 → 0.6.13

package/dist/channel.d.ts

@@ -18,6 +18,7 @@ export declare class SecureChannel extends EventEmitter {
     private _ackTimer;
     private _stopped;
     private _persisted;
+    private _httpServer;
     private static readonly PING_INTERVAL_MS;
     private static readonly PING_TIMEOUT_MS;
     constructor(config: SecureChannelConfig);
@@ -43,6 +44,8 @@ export declare class SecureChannel extends EventEmitter {
         topicId?: string;
     }): Promise<void>;
     stop(): Promise<void>;
+    startHttpServer(port: number): void;
+    private _stopHttpServer;
     /**
      * Create a new topic within the conversation group.
      * Requires the channel to be initialized with a groupId (from activation).
@@ -71,6 +74,23 @@ export declare class SecureChannel extends EventEmitter {
      * and relays as sync messages to sibling sessions.
      */
     private _handleIncomingMessage;
+    /**
+     * Download an encrypted attachment blob, decrypt it, verify integrity,
+     * and save the plaintext file to disk.
+     */
+    private _downloadAndDecryptAttachment;
+    /**
+     * Upload an attachment file: encrypt, upload to server, return metadata
+     * for inclusion in the message envelope.
+     */
+    private _uploadAttachment;
+    /**
+     * Send a message with an attached file. Encrypts the file, uploads it,
+     * then sends the envelope with attachment metadata via Double Ratchet.
+     */
+    sendWithAttachment(plaintext: string, filePath: string, options?: {
+        topicId?: string;
+    }): Promise<void>;
     /**
      * Relay an owner's message to all sibling sessions as encrypted sync messages.
      * This allows all owner devices to see messages from any single device.

package/dist/channel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAa3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAKb,MAAM,YAAY,CAAC;AAiDpB,qBAAa,aAAc,SAAQ,YAAY;IAwBjC,OAAO,CAAC,MAAM;IAvB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,YAAY,CAA8C;IAClE,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,SAAS,CAA8C;IAC/D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;IAEjD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAW;gBAE9B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCtE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IA0B3B;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;YAiCtE,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IAwEhB;;;;OAIG;YACW,sBAAsB;IA2FpC;;;OAGG;YACW,oBAAoB;IAqClC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAkEjC;;;OAGG;YACW,mBAAmB;IA+FjC,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;IAMlB,OAAO,CAAC,UAAU;IAoBlB,OAAO,CAAC,SAAS;IAWjB,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAc5B"}
+{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAoB3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAKb,MAAM,YAAY,CAAC;AAmDpB,qBAAa,aAAc,SAAQ,YAAY;IAyBjC,OAAO,CAAC,MAAM;IAxB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,YAAY,CAA8C;IAClE,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,SAAS,CAA8C;IAC/D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,WAAW,CAAuB;IAE1C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAW;gBAE9B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCtE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IA2B3B,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IA0DnC,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;YAiCtE,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IAwEhB;;;;OAIG;YACW,sBAAsB;IA+GpC;;;OAGG;YACW,6BAA6B;IA6C3C;;;OAGG;YACW,iBAAiB;IAwD/B;;;OAGG;IACG,kBAAkB,CACtB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAC7B,OAAO,CAAC,IAAI,CAAC;IA8ChB;;;OAGG;YACW,oBAAoB;IAqClC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAkEjC;;;OAGG;YACW,mBAAmB;IA+FjC,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;IAMlB,OAAO,CAAC,UAAU;IAoBlB,OAAO,CAAC,SAAS;IAWjB,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAc5B"}

package/dist/cli.js

@@ -2,7 +2,11 @@
 
 // src/channel.ts
 import { EventEmitter } from "node:events";
+import { createServer } from "node:http";
 import { randomUUID } from "node:crypto";
+import { writeFile as writeFile2, mkdir as mkdir2 } from "node:fs/promises";
+import { join as join2 } from "node:path";
+import { readFile as readFile2 } from "node:fs/promises";
 
 // ../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs
 var __filename;
@@ -44919,6 +44923,39 @@ var DoubleRatchet = class _DoubleRatchet {
   }
 };
 
+// ../crypto/dist/file-crypto.js
+function encryptFile(plainData) {
+  const fileKey = libsodium_wrappers_default.randombytes_buf(libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_KEYBYTES);
+  const fileNonce = libsodium_wrappers_default.randombytes_buf(libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+  const encryptedData = libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_encrypt(
+    plainData,
+    null,
+    // no additional data
+    null,
+    // secret nonce (unused)
+    fileNonce,
+    fileKey
+  );
+  const digestBytes = libsodium_wrappers_default.crypto_generichash(32, encryptedData);
+  const digest = libsodium_wrappers_default.to_hex(digestBytes);
+  return { encryptedData, fileKey, fileNonce, digest };
+}
+function decryptFile(encryptedData, fileKey, fileNonce) {
+  return libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_decrypt(
+    null,
+    // secret nonce (unused)
+    encryptedData,
+    null,
+    // no additional data
+    fileNonce,
+    fileKey
+  );
+}
+function computeFileDigest(data) {
+  const digestBytes = libsodium_wrappers_default.crypto_generichash(32, data);
+  return libsodium_wrappers_default.to_hex(digestBytes);
+}
+
 // src/crypto-helpers.ts
 function hexToBytes(hex) {
   return libsodium_wrappers_default.from_hex(hex);
@@ -45083,6 +45120,7 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
   _ackTimer = null;
   _stopped = false;
   _persisted = null;
+  _httpServer = null;
   static PING_INTERVAL_MS = 3e4;
   // Send ping every 30s
   static PING_TIMEOUT_MS = 1e4;
@@ -45195,6 +45233,7 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     this._stopped = true;
     this._flushAcks();
     this._stopPing();
+    this._stopHttpServer();
     if (this._ackTimer) {
       clearTimeout(this._ackTimer);
       this._ackTimer = null;
@@ -45214,6 +45253,65 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     this._setState("disconnected");
   }
+  // --- Local HTTP server for proactive sends ---
+  startHttpServer(port) {
+    if (this._httpServer) return;
+    this._httpServer = createServer(async (req, res) => {
+      const remote = req.socket.remoteAddress;
+      if (remote !== "127.0.0.1" && remote !== "::1" && remote !== "::ffff:127.0.0.1") {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ ok: false, error: "Forbidden" }));
+        return;
+      }
+      if (req.method === "POST" && req.url === "/send") {
+        let body = "";
+        req.on("data", (chunk) => {
+          body += chunk.toString();
+        });
+        req.on("end", async () => {
+          try {
+            const parsed = JSON.parse(body);
+            const text = parsed.text;
+            if (!text || typeof text !== "string") {
+              res.writeHead(400, { "Content-Type": "application/json" });
+              res.end(JSON.stringify({ ok: false, error: "Missing 'text' field" }));
+              return;
+            }
+            if (parsed.file_path && typeof parsed.file_path === "string") {
+              await this.sendWithAttachment(text, parsed.file_path, { topicId: parsed.topicId });
+            } else {
+              await this.send(text, { topicId: parsed.topicId });
+            }
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: true }));
+          } catch (err) {
+            res.writeHead(500, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: false, error: String(err) }));
+          }
+        });
+      } else if (req.method === "GET" && req.url === "/status") {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({
+          ok: true,
+          state: this._state,
+          deviceId: this._deviceId,
+          sessions: this._sessions.size
+        }));
+      } else {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ ok: false, error: "Not found. Use POST /send or GET /status" }));
+      }
+    });
+    this._httpServer.listen(port, "127.0.0.1", () => {
+      this.emit("http-ready", port);
+    });
+  }
+  _stopHttpServer() {
+    if (this._httpServer) {
+      this._httpServer.close();
+      this._httpServer = null;
+    }
+  }
   // --- Topic management ---
   /**
    * Create a new topic within the conversation group.
@@ -45536,10 +45634,14 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     let messageText;
     let messageType;
+    let attachmentInfo = null;
     try {
       const parsed = JSON.parse(plaintext);
       messageType = parsed.type || "message";
       messageText = parsed.text || plaintext;
+      if (parsed.attachment) {
+        attachmentInfo = parsed.attachment;
+      }
     } catch {
       messageType = "message";
       messageText = plaintext;
@@ -45552,15 +45654,29 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     if (messageType === "message") {
       const topicId = msgData.topic_id;
+      let attachmentPath;
+      if (attachmentInfo) {
+        try {
+          attachmentPath = await this._downloadAndDecryptAttachment(attachmentInfo);
+        } catch (err) {
+          console.error(`[SecureChannel] Failed to download attachment:`, err);
+        }
+      }
       this._appendHistory("owner", messageText, topicId);
+      let emitText = messageText;
+      if (attachmentPath) {
+        emitText = `[Attachment: ${attachmentInfo.filename} saved to ${attachmentPath}]
+
+${messageText}`;
+      }
       const metadata = {
         messageId: msgData.message_id,
         conversationId: convId,
         timestamp: msgData.created_at,
         topicId
       };
-      this.emit("message", messageText, metadata);
-      this.config.onMessage?.(messageText, metadata);
+      this.emit("message", emitText, metadata);
+      this.config.onMessage?.(emitText, metadata);
       await this._relaySyncToSiblings(convId, session.ownerDeviceId, messageText, topicId);
     }
     if (this._persisted) {
@@ -45568,6 +45684,111 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     await this._persistState();
   }
+  /**
+   * Download an encrypted attachment blob, decrypt it, verify integrity,
+   * and save the plaintext file to disk.
+   */
+  async _downloadAndDecryptAttachment(info) {
+    const attachDir = join2(this.config.dataDir, "attachments");
+    await mkdir2(attachDir, { recursive: true });
+    const url = `${this.config.apiUrl}${info.blobUrl}`;
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${this._deviceJwt}` }
+    });
+    if (!res.ok) {
+      throw new Error(`Attachment download failed: ${res.status}`);
+    }
+    const buffer = await res.arrayBuffer();
+    const encryptedData = new Uint8Array(buffer);
+    const digest = computeFileDigest(encryptedData);
+    if (digest !== info.digest) {
+      throw new Error("Attachment digest mismatch \u2014 possible tampering");
+    }
+    const fileKey = base64ToBytes(info.fileKey);
+    const fileNonce = base64ToBytes(info.fileNonce);
+    const decrypted = decryptFile(encryptedData, fileKey, fileNonce);
+    const filePath = join2(attachDir, info.filename);
+    await writeFile2(filePath, decrypted);
+    console.log(`[SecureChannel] Attachment saved: ${filePath} (${decrypted.length} bytes)`);
+    return filePath;
+  }
+  /**
+   * Upload an attachment file: encrypt, upload to server, return metadata
+   * for inclusion in the message envelope.
+   */
+  async _uploadAttachment(filePath, conversationId) {
+    const data = await readFile2(filePath);
+    const plainData = new Uint8Array(data);
+    const result = encryptFile(plainData);
+    const { Blob: NodeBlob, FormData: NodeFormData } = await import("node:buffer").then(
+      () => globalThis
+    );
+    const formData = new FormData();
+    formData.append("conversation_id", conversationId);
+    formData.append(
+      "file",
+      new Blob([result.encryptedData.buffer], { type: "application/octet-stream" }),
+      "attachment.bin"
+    );
+    const res = await fetch(`${this.config.apiUrl}/api/v1/attachments/upload`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${this._deviceJwt}` },
+      body: formData
+    });
+    if (!res.ok) {
+      const detail = await res.text();
+      throw new Error(`Attachment upload failed (${res.status}): ${detail}`);
+    }
+    const resp = await res.json();
+    const filename = filePath.split("/").pop() || "file";
+    return {
+      blobId: resp.blob_id,
+      blobUrl: resp.blob_url,
+      fileKey: bytesToBase64(result.fileKey),
+      fileNonce: bytesToBase64(result.fileNonce),
+      digest: result.digest,
+      filename,
+      mime: "application/octet-stream",
+      size: plainData.length
+    };
+  }
+  /**
+   * Send a message with an attached file. Encrypts the file, uploads it,
+   * then sends the envelope with attachment metadata via Double Ratchet.
+   */
+  async sendWithAttachment(plaintext, filePath, options) {
+    if (this._state !== "ready" || this._sessions.size === 0 || !this._ws) {
+      throw new Error("Channel is not ready");
+    }
+    const topicId = options?.topicId ?? this._persisted?.defaultTopicId;
+    const attachMeta = await this._uploadAttachment(filePath, this._primaryConversationId);
+    const envelope = JSON.stringify({
+      type: "message",
+      text: plaintext,
+      topicId,
+      attachment: attachMeta
+    });
+    this._appendHistory("agent", plaintext, topicId);
+    const messageGroupId = randomUUID();
+    for (const [convId, session] of this._sessions) {
+      if (!session.activated) continue;
+      const encrypted = session.ratchet.encrypt(envelope);
+      const transport = encryptedMessageToTransport(encrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: convId,
+            header_blob: transport.header_blob,
+            ciphertext: transport.ciphertext,
+            message_group_id: messageGroupId,
+            topic_id: topicId
+          }
+        })
+      );
+    }
+    await this._persistState();
+  }
   /**
    * Relay an owner's message to all sibling sessions as encrypted sync messages.
    * This allows all owner devices to see messages from any single device.