@agentvault/secure-channel 0.6.12 → 0.6.14

package/dist/channel.d.ts

@@ -74,6 +74,23 @@ export declare class SecureChannel extends EventEmitter {
      * and relays as sync messages to sibling sessions.
      */
     private _handleIncomingMessage;
+    /**
+     * Download an encrypted attachment blob, decrypt it, verify integrity,
+     * and save the plaintext file to disk.
+     */
+    private _downloadAndDecryptAttachment;
+    /**
+     * Upload an attachment file: encrypt, upload to server, return metadata
+     * for inclusion in the message envelope.
+     */
+    private _uploadAttachment;
+    /**
+     * Send a message with an attached file. Encrypts the file, uploads it,
+     * then sends the envelope with attachment metadata via Double Ratchet.
+     */
+    sendWithAttachment(plaintext: string, filePath: string, options?: {
+        topicId?: string;
+    }): Promise<void>;
     /**
      * Relay an owner's message to all sibling sessions as encrypted sync messages.
      * This allows all owner devices to see messages from any single device.

package/dist/channel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAc3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAKb,MAAM,YAAY,CAAC;AAiDpB,qBAAa,aAAc,SAAQ,YAAY;IAyBjC,OAAO,CAAC,MAAM;IAxB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,YAAY,CAA8C;IAClE,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,SAAS,CAA8C;IAC/D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,WAAW,CAAuB;IAE1C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAW;gBAE9B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCtE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IA2B3B,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAmDnC,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;YAiCtE,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IAwEhB;;;;OAIG;YACW,sBAAsB;IA2FpC;;;OAGG;YACW,oBAAoB;IAqClC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAkEjC;;;OAGG;YACW,mBAAmB;IA+FjC,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;IAMlB,OAAO,CAAC,UAAU;IAoBlB,OAAO,CAAC,SAAS;IAWjB,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAc5B"}
+{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAoB3C,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAMb,MAAM,YAAY,CAAC;AAmDpB,qBAAa,aAAc,SAAQ,YAAY;IAyBjC,OAAO,CAAC,MAAM;IAxB1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,YAAY,CAA8C;IAClE,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,SAAS,CAA8C;IAC/D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,WAAW,CAAuB;IAE1C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAW;gBAE9B,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsC5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCtE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IA2B3B,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IA0DnC,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;YAiCtE,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IAwEhB;;;;OAIG;YACW,sBAAsB;IAuIpC;;;OAGG;YACW,6BAA6B;IA6C3C;;;OAGG;YACW,iBAAiB;IAwD/B;;;OAGG;IACG,kBAAkB,CACtB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAC7B,OAAO,CAAC,IAAI,CAAC;IA8ChB;;;OAGG;YACW,oBAAoB;IAqClC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAkEjC;;;OAGG;YACW,mBAAmB;IA+FjC,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;IAMlB,OAAO,CAAC,UAAU;IAoBlB,OAAO,CAAC,SAAS;IAWjB,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;CAc5B"}

package/dist/cli.js

@@ -4,6 +4,9 @@
 import { EventEmitter } from "node:events";
 import { createServer } from "node:http";
 import { randomUUID } from "node:crypto";
+import { writeFile as writeFile2, mkdir as mkdir2 } from "node:fs/promises";
+import { join as join2 } from "node:path";
+import { readFile as readFile2 } from "node:fs/promises";
 
 // ../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs
 var __filename;
@@ -44920,6 +44923,39 @@ var DoubleRatchet = class _DoubleRatchet {
   }
 };
 
+// ../crypto/dist/file-crypto.js
+function encryptFile(plainData) {
+  const fileKey = libsodium_wrappers_default.randombytes_buf(libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_KEYBYTES);
+  const fileNonce = libsodium_wrappers_default.randombytes_buf(libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+  const encryptedData = libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_encrypt(
+    plainData,
+    null,
+    // no additional data
+    null,
+    // secret nonce (unused)
+    fileNonce,
+    fileKey
+  );
+  const digestBytes = libsodium_wrappers_default.crypto_generichash(32, encryptedData);
+  const digest = libsodium_wrappers_default.to_hex(digestBytes);
+  return { encryptedData, fileKey, fileNonce, digest };
+}
+function decryptFile(encryptedData, fileKey, fileNonce) {
+  return libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_decrypt(
+    null,
+    // secret nonce (unused)
+    encryptedData,
+    null,
+    // no additional data
+    fileNonce,
+    fileKey
+  );
+}
+function computeFileDigest(data) {
+  const digestBytes = libsodium_wrappers_default.crypto_generichash(32, data);
+  return libsodium_wrappers_default.to_hex(digestBytes);
+}
+
 // src/crypto-helpers.ts
 function hexToBytes(hex) {
   return libsodium_wrappers_default.from_hex(hex);
@@ -45241,7 +45277,11 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
               res.end(JSON.stringify({ ok: false, error: "Missing 'text' field" }));
               return;
             }
-            await this.send(text, { topicId: parsed.topicId });
+            if (parsed.file_path && typeof parsed.file_path === "string") {
+              await this.sendWithAttachment(text, parsed.file_path, { topicId: parsed.topicId });
+            } else {
+              await this.send(text, { topicId: parsed.topicId });
+            }
             res.writeHead(200, { "Content-Type": "application/json" });
             res.end(JSON.stringify({ ok: true }));
           } catch (err) {
@@ -45594,10 +45634,14 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     let messageText;
     let messageType;
+    let attachmentInfo = null;
     try {
       const parsed = JSON.parse(plaintext);
       messageType = parsed.type || "message";
       messageText = parsed.text || plaintext;
+      if (parsed.attachment) {
+        attachmentInfo = parsed.attachment;
+      }
     } catch {
       messageType = "message";
       messageText = plaintext;
@@ -45610,15 +45654,56 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     if (messageType === "message") {
       const topicId = msgData.topic_id;
+      let attachData;
+      if (attachmentInfo) {
+        try {
+          const { filePath, decrypted } = await this._downloadAndDecryptAttachment(attachmentInfo);
+          attachData = {
+            filename: attachmentInfo.filename,
+            mime: attachmentInfo.mime,
+            size: decrypted.length,
+            filePath
+          };
+          if (attachmentInfo.mime.startsWith("image/")) {
+            attachData.base64 = `data:${attachmentInfo.mime};base64,${bytesToBase64(decrypted)}`;
+          }
+          const textMimes = ["text/", "application/json", "application/xml", "application/csv"];
+          if (textMimes.some((m2) => attachmentInfo.mime.startsWith(m2))) {
+            attachData.textContent = new TextDecoder().decode(decrypted);
+          }
+        } catch (err) {
+          console.error(`[SecureChannel] Failed to download attachment:`, err);
+        }
+      }
       this._appendHistory("owner", messageText, topicId);
+      let emitText = messageText;
+      if (attachData) {
+        if (attachData.textContent) {
+          emitText = `[Attachment: ${attachData.filename} (${attachData.mime})]
+---
+${attachData.textContent}
+---
+
+${messageText}`;
+        } else if (attachData.base64) {
+          emitText = `[Image attachment: ${attachData.filename}]
+
+${messageText}`;
+        } else {
+          emitText = `[Attachment: ${attachData.filename} saved to ${attachData.filePath}]
+
+${messageText}`;
+        }
+      }
       const metadata = {
         messageId: msgData.message_id,
         conversationId: convId,
         timestamp: msgData.created_at,
-        topicId
+        topicId,
+        attachment: attachData
       };
-      this.emit("message", messageText, metadata);
-      this.config.onMessage?.(messageText, metadata);
+      this.emit("message", emitText, metadata);
+      this.config.onMessage?.(emitText, metadata);
       await this._relaySyncToSiblings(convId, session.ownerDeviceId, messageText, topicId);
     }
     if (this._persisted) {
@@ -45626,6 +45711,111 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     await this._persistState();
   }
+  /**
+   * Download an encrypted attachment blob, decrypt it, verify integrity,
+   * and save the plaintext file to disk.
+   */
+  async _downloadAndDecryptAttachment(info) {
+    const attachDir = join2(this.config.dataDir, "attachments");
+    await mkdir2(attachDir, { recursive: true });
+    const url = `${this.config.apiUrl}${info.blobUrl}`;
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${this._deviceJwt}` }
+    });
+    if (!res.ok) {
+      throw new Error(`Attachment download failed: ${res.status}`);
+    }
+    const buffer = await res.arrayBuffer();
+    const encryptedData = new Uint8Array(buffer);
+    const digest = computeFileDigest(encryptedData);
+    if (digest !== info.digest) {
+      throw new Error("Attachment digest mismatch \u2014 possible tampering");
+    }
+    const fileKey = base64ToBytes(info.fileKey);
+    const fileNonce = base64ToBytes(info.fileNonce);
+    const decrypted = decryptFile(encryptedData, fileKey, fileNonce);
+    const filePath = join2(attachDir, info.filename);
+    await writeFile2(filePath, decrypted);
+    console.log(`[SecureChannel] Attachment saved: ${filePath} (${decrypted.length} bytes)`);
+    return { filePath, decrypted };
+  }
+  /**
+   * Upload an attachment file: encrypt, upload to server, return metadata
+   * for inclusion in the message envelope.
+   */
+  async _uploadAttachment(filePath, conversationId) {
+    const data = await readFile2(filePath);
+    const plainData = new Uint8Array(data);
+    const result = encryptFile(plainData);
+    const { Blob: NodeBlob, FormData: NodeFormData } = await import("node:buffer").then(
+      () => globalThis
+    );
+    const formData = new FormData();
+    formData.append("conversation_id", conversationId);
+    formData.append(
+      "file",
+      new Blob([result.encryptedData.buffer], { type: "application/octet-stream" }),
+      "attachment.bin"
+    );
+    const res = await fetch(`${this.config.apiUrl}/api/v1/attachments/upload`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${this._deviceJwt}` },
+      body: formData
+    });
+    if (!res.ok) {
+      const detail = await res.text();
+      throw new Error(`Attachment upload failed (${res.status}): ${detail}`);
+    }
+    const resp = await res.json();
+    const filename = filePath.split("/").pop() || "file";
+    return {
+      blobId: resp.blob_id,
+      blobUrl: resp.blob_url,
+      fileKey: bytesToBase64(result.fileKey),
+      fileNonce: bytesToBase64(result.fileNonce),
+      digest: result.digest,
+      filename,
+      mime: "application/octet-stream",
+      size: plainData.length
+    };
+  }
+  /**
+   * Send a message with an attached file. Encrypts the file, uploads it,
+   * then sends the envelope with attachment metadata via Double Ratchet.
+   */
+  async sendWithAttachment(plaintext, filePath, options) {
+    if (this._state !== "ready" || this._sessions.size === 0 || !this._ws) {
+      throw new Error("Channel is not ready");
+    }
+    const topicId = options?.topicId ?? this._persisted?.defaultTopicId;
+    const attachMeta = await this._uploadAttachment(filePath, this._primaryConversationId);
+    const envelope = JSON.stringify({
+      type: "message",
+      text: plaintext,
+      topicId,
+      attachment: attachMeta
+    });
+    this._appendHistory("agent", plaintext, topicId);
+    const messageGroupId = randomUUID();
+    for (const [convId, session] of this._sessions) {
+      if (!session.activated) continue;
+      const encrypted = session.ratchet.encrypt(envelope);
+      const transport = encryptedMessageToTransport(encrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: convId,
+            header_blob: transport.header_blob,
+            ciphertext: transport.ciphertext,
+            message_group_id: messageGroupId,
+            topic_id: topicId
+          }
+        })
+      );
+    }
+    await this._persistState();
+  }
   /**
    * Relay an owner's message to all sibling sessions as encrypted sync messages.
    * This allows all owner devices to see messages from any single device.