@agentvault/secure-channel 0.6.11 → 0.6.13

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { SecureChannel } from "./channel.js";
 export type { SecureChannelConfig, ChannelState, MessageMetadata, PersistedState, LegacyPersistedState, DeviceSession, HistoryEntry, } from "./types.js";
 export { agentVaultPlugin, setOcRuntime, getActiveChannel } from "./openclaw-plugin.js";
-export declare const VERSION = "0.5.1";
+export declare const VERSION = "0.6.12";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExF,eAAO,MAAM,OAAO,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExF,eAAO,MAAM,OAAO,WAAW,CAAC"}

package/dist/index.js

@@ -1,6 +1,10 @@
 // src/channel.ts
 import { EventEmitter } from "node:events";
+import { createServer } from "node:http";
 import { randomUUID } from "node:crypto";
+import { writeFile as writeFile2, mkdir as mkdir2 } from "node:fs/promises";
+import { join as join2 } from "node:path";
+import { readFile as readFile2 } from "node:fs/promises";
 
 // ../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs
 var __filename;
@@ -44917,6 +44921,39 @@ var DoubleRatchet = class _DoubleRatchet {
   }
 };
 
+// ../crypto/dist/file-crypto.js
+function encryptFile(plainData) {
+  const fileKey = libsodium_wrappers_default.randombytes_buf(libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_KEYBYTES);
+  const fileNonce = libsodium_wrappers_default.randombytes_buf(libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+  const encryptedData = libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_encrypt(
+    plainData,
+    null,
+    // no additional data
+    null,
+    // secret nonce (unused)
+    fileNonce,
+    fileKey
+  );
+  const digestBytes = libsodium_wrappers_default.crypto_generichash(32, encryptedData);
+  const digest = libsodium_wrappers_default.to_hex(digestBytes);
+  return { encryptedData, fileKey, fileNonce, digest };
+}
+function decryptFile(encryptedData, fileKey, fileNonce) {
+  return libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_decrypt(
+    null,
+    // secret nonce (unused)
+    encryptedData,
+    null,
+    // no additional data
+    fileNonce,
+    fileKey
+  );
+}
+function computeFileDigest(data) {
+  const digestBytes = libsodium_wrappers_default.crypto_generichash(32, data);
+  return libsodium_wrappers_default.to_hex(digestBytes);
+}
+
 // src/crypto-helpers.ts
 function hexToBytes(hex) {
   return libsodium_wrappers_default.from_hex(hex);
@@ -45081,6 +45118,7 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
   _ackTimer = null;
   _stopped = false;
   _persisted = null;
+  _httpServer = null;
   static PING_INTERVAL_MS = 3e4;
   // Send ping every 30s
   static PING_TIMEOUT_MS = 1e4;
@@ -45193,6 +45231,7 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     this._stopped = true;
     this._flushAcks();
     this._stopPing();
+    this._stopHttpServer();
     if (this._ackTimer) {
       clearTimeout(this._ackTimer);
       this._ackTimer = null;
@@ -45212,6 +45251,65 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     this._setState("disconnected");
   }
+  // --- Local HTTP server for proactive sends ---
+  startHttpServer(port) {
+    if (this._httpServer) return;
+    this._httpServer = createServer(async (req, res) => {
+      const remote = req.socket.remoteAddress;
+      if (remote !== "127.0.0.1" && remote !== "::1" && remote !== "::ffff:127.0.0.1") {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ ok: false, error: "Forbidden" }));
+        return;
+      }
+      if (req.method === "POST" && req.url === "/send") {
+        let body = "";
+        req.on("data", (chunk) => {
+          body += chunk.toString();
+        });
+        req.on("end", async () => {
+          try {
+            const parsed = JSON.parse(body);
+            const text = parsed.text;
+            if (!text || typeof text !== "string") {
+              res.writeHead(400, { "Content-Type": "application/json" });
+              res.end(JSON.stringify({ ok: false, error: "Missing 'text' field" }));
+              return;
+            }
+            if (parsed.file_path && typeof parsed.file_path === "string") {
+              await this.sendWithAttachment(text, parsed.file_path, { topicId: parsed.topicId });
+            } else {
+              await this.send(text, { topicId: parsed.topicId });
+            }
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: true }));
+          } catch (err) {
+            res.writeHead(500, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: false, error: String(err) }));
+          }
+        });
+      } else if (req.method === "GET" && req.url === "/status") {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({
+          ok: true,
+          state: this._state,
+          deviceId: this._deviceId,
+          sessions: this._sessions.size
+        }));
+      } else {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ ok: false, error: "Not found. Use POST /send or GET /status" }));
+      }
+    });
+    this._httpServer.listen(port, "127.0.0.1", () => {
+      this.emit("http-ready", port);
+    });
+  }
+  _stopHttpServer() {
+    if (this._httpServer) {
+      this._httpServer.close();
+      this._httpServer = null;
+    }
+  }
   // --- Topic management ---
   /**
    * Create a new topic within the conversation group.
@@ -45534,10 +45632,14 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     let messageText;
     let messageType;
+    let attachmentInfo = null;
     try {
       const parsed = JSON.parse(plaintext);
       messageType = parsed.type || "message";
       messageText = parsed.text || plaintext;
+      if (parsed.attachment) {
+        attachmentInfo = parsed.attachment;
+      }
     } catch {
       messageType = "message";
       messageText = plaintext;
@@ -45550,15 +45652,29 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     if (messageType === "message") {
       const topicId = msgData.topic_id;
+      let attachmentPath;
+      if (attachmentInfo) {
+        try {
+          attachmentPath = await this._downloadAndDecryptAttachment(attachmentInfo);
+        } catch (err) {
+          console.error(`[SecureChannel] Failed to download attachment:`, err);
+        }
+      }
       this._appendHistory("owner", messageText, topicId);
+      let emitText = messageText;
+      if (attachmentPath) {
+        emitText = `[Attachment: ${attachmentInfo.filename} saved to ${attachmentPath}]
+
+${messageText}`;
+      }
       const metadata = {
         messageId: msgData.message_id,
         conversationId: convId,
         timestamp: msgData.created_at,
         topicId
       };
-      this.emit("message", messageText, metadata);
-      this.config.onMessage?.(messageText, metadata);
+      this.emit("message", emitText, metadata);
+      this.config.onMessage?.(emitText, metadata);
       await this._relaySyncToSiblings(convId, session.ownerDeviceId, messageText, topicId);
     }
     if (this._persisted) {
@@ -45566,6 +45682,111 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     await this._persistState();
   }
+  /**
+   * Download an encrypted attachment blob, decrypt it, verify integrity,
+   * and save the plaintext file to disk.
+   */
+  async _downloadAndDecryptAttachment(info) {
+    const attachDir = join2(this.config.dataDir, "attachments");
+    await mkdir2(attachDir, { recursive: true });
+    const url = `${this.config.apiUrl}${info.blobUrl}`;
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${this._deviceJwt}` }
+    });
+    if (!res.ok) {
+      throw new Error(`Attachment download failed: ${res.status}`);
+    }
+    const buffer = await res.arrayBuffer();
+    const encryptedData = new Uint8Array(buffer);
+    const digest = computeFileDigest(encryptedData);
+    if (digest !== info.digest) {
+      throw new Error("Attachment digest mismatch \u2014 possible tampering");
+    }
+    const fileKey = base64ToBytes(info.fileKey);
+    const fileNonce = base64ToBytes(info.fileNonce);
+    const decrypted = decryptFile(encryptedData, fileKey, fileNonce);
+    const filePath = join2(attachDir, info.filename);
+    await writeFile2(filePath, decrypted);
+    console.log(`[SecureChannel] Attachment saved: ${filePath} (${decrypted.length} bytes)`);
+    return filePath;
+  }
+  /**
+   * Upload an attachment file: encrypt, upload to server, return metadata
+   * for inclusion in the message envelope.
+   */
+  async _uploadAttachment(filePath, conversationId) {
+    const data = await readFile2(filePath);
+    const plainData = new Uint8Array(data);
+    const result = encryptFile(plainData);
+    const { Blob: NodeBlob, FormData: NodeFormData } = await import("node:buffer").then(
+      () => globalThis
+    );
+    const formData = new FormData();
+    formData.append("conversation_id", conversationId);
+    formData.append(
+      "file",
+      new Blob([result.encryptedData.buffer], { type: "application/octet-stream" }),
+      "attachment.bin"
+    );
+    const res = await fetch(`${this.config.apiUrl}/api/v1/attachments/upload`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${this._deviceJwt}` },
+      body: formData
+    });
+    if (!res.ok) {
+      const detail = await res.text();
+      throw new Error(`Attachment upload failed (${res.status}): ${detail}`);
+    }
+    const resp = await res.json();
+    const filename = filePath.split("/").pop() || "file";
+    return {
+      blobId: resp.blob_id,
+      blobUrl: resp.blob_url,
+      fileKey: bytesToBase64(result.fileKey),
+      fileNonce: bytesToBase64(result.fileNonce),
+      digest: result.digest,
+      filename,
+      mime: "application/octet-stream",
+      size: plainData.length
+    };
+  }
+  /**
+   * Send a message with an attached file. Encrypts the file, uploads it,
+   * then sends the envelope with attachment metadata via Double Ratchet.
+   */
+  async sendWithAttachment(plaintext, filePath, options) {
+    if (this._state !== "ready" || this._sessions.size === 0 || !this._ws) {
+      throw new Error("Channel is not ready");
+    }
+    const topicId = options?.topicId ?? this._persisted?.defaultTopicId;
+    const attachMeta = await this._uploadAttachment(filePath, this._primaryConversationId);
+    const envelope = JSON.stringify({
+      type: "message",
+      text: plaintext,
+      topicId,
+      attachment: attachMeta
+    });
+    this._appendHistory("agent", plaintext, topicId);
+    const messageGroupId = randomUUID();
+    for (const [convId, session] of this._sessions) {
+      if (!session.activated) continue;
+      const encrypted = session.ratchet.encrypt(envelope);
+      const transport = encryptedMessageToTransport(encrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: convId,
+            header_blob: transport.header_blob,
+            ciphertext: transport.ciphertext,
+            message_group_id: messageGroupId,
+            topic_id: topicId
+          }
+        })
+      );
+    }
+    await this._persistState();
+  }
   /**
    * Relay an owner's message to all sibling sessions as encrypted sync messages.
    * This allows all owner devices to see messages from any single device.
@@ -45862,6 +46083,7 @@ var agentVaultPlugin = {
         dataDir: av.dataDir ?? "~/.openclaw/agentvault",
         apiUrl: av.apiUrl ?? "https://api.agentvault.chat",
         agentName: av.agentName ?? "OpenClaw Agent",
+        httpPort: av.httpPort ?? 18790,
         configured: Boolean(av.dataDir)
       };
     }
@@ -45898,6 +46120,11 @@ var agentVaultPlugin = {
         }
       });
       _channels.set(account.accountId, channel);
+      const httpPort = account.httpPort;
+      channel.on("ready", () => {
+        channel.startHttpServer(httpPort);
+        log?.(`[AgentVault] HTTP send server listening on http://127.0.0.1:${httpPort}`);
+      });
       abortSignal?.addEventListener("abort", () => {
         _channels.delete(account.accountId);
       });
@@ -45912,11 +46139,25 @@ var agentVaultPlugin = {
   },
   outbound: {
     deliveryMode: "direct",
+    targets: [
+      {
+        id: "owner",
+        label: "AgentVault Owner",
+        accountId: "default"
+      },
+      {
+        id: "default",
+        label: "AgentVault Owner (default)",
+        accountId: "default"
+      }
+    ],
     sendText: async ({
       text,
-      accountId
+      accountId,
+      targetId
     }) => {
-      const channel = _channels.get(accountId ?? "default");
+      const resolvedId = accountId ?? (targetId === "owner" ? "default" : targetId ?? "default");
+      const channel = _channels.get(resolvedId);
       if (!channel) {
         return { ok: false, error: "AgentVault channel is not connected" };
       }
@@ -46006,7 +46247,7 @@ async function _handleInbound(params) {
 }
 
 // src/index.ts
-var VERSION = "0.5.1";
+var VERSION = "0.6.12";
 export {
   SecureChannel,
   VERSION,