@agentvault/secure-channel 0.6.12 → 0.6.14

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { SecureChannel } from "./channel.js";
-export type { SecureChannelConfig, ChannelState, MessageMetadata, PersistedState, LegacyPersistedState, DeviceSession, HistoryEntry, } from "./types.js";
+export type { SecureChannelConfig, ChannelState, MessageMetadata, AttachmentData, PersistedState, LegacyPersistedState, DeviceSession, HistoryEntry, } from "./types.js";
 export { agentVaultPlugin, setOcRuntime, getActiveChannel } from "./openclaw-plugin.js";
-export declare const VERSION = "0.6.12";
+export declare const VERSION = "0.6.13";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExF,eAAO,MAAM,OAAO,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,eAAe,EACf,cAAc,EACd,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExF,eAAO,MAAM,OAAO,WAAW,CAAC"}

package/dist/index.js

@@ -2,6 +2,9 @@
 import { EventEmitter } from "node:events";
 import { createServer } from "node:http";
 import { randomUUID } from "node:crypto";
+import { writeFile as writeFile2, mkdir as mkdir2 } from "node:fs/promises";
+import { join as join2 } from "node:path";
+import { readFile as readFile2 } from "node:fs/promises";
 
 // ../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs
 var __filename;
@@ -44918,6 +44921,39 @@ var DoubleRatchet = class _DoubleRatchet {
   }
 };
 
+// ../crypto/dist/file-crypto.js
+function encryptFile(plainData) {
+  const fileKey = libsodium_wrappers_default.randombytes_buf(libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_KEYBYTES);
+  const fileNonce = libsodium_wrappers_default.randombytes_buf(libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+  const encryptedData = libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_encrypt(
+    plainData,
+    null,
+    // no additional data
+    null,
+    // secret nonce (unused)
+    fileNonce,
+    fileKey
+  );
+  const digestBytes = libsodium_wrappers_default.crypto_generichash(32, encryptedData);
+  const digest = libsodium_wrappers_default.to_hex(digestBytes);
+  return { encryptedData, fileKey, fileNonce, digest };
+}
+function decryptFile(encryptedData, fileKey, fileNonce) {
+  return libsodium_wrappers_default.crypto_aead_xchacha20poly1305_ietf_decrypt(
+    null,
+    // secret nonce (unused)
+    encryptedData,
+    null,
+    // no additional data
+    fileNonce,
+    fileKey
+  );
+}
+function computeFileDigest(data) {
+  const digestBytes = libsodium_wrappers_default.crypto_generichash(32, data);
+  return libsodium_wrappers_default.to_hex(digestBytes);
+}
+
 // src/crypto-helpers.ts
 function hexToBytes(hex) {
   return libsodium_wrappers_default.from_hex(hex);
@@ -45239,7 +45275,11 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
               res.end(JSON.stringify({ ok: false, error: "Missing 'text' field" }));
               return;
             }
-            await this.send(text, { topicId: parsed.topicId });
+            if (parsed.file_path && typeof parsed.file_path === "string") {
+              await this.sendWithAttachment(text, parsed.file_path, { topicId: parsed.topicId });
+            } else {
+              await this.send(text, { topicId: parsed.topicId });
+            }
             res.writeHead(200, { "Content-Type": "application/json" });
             res.end(JSON.stringify({ ok: true }));
           } catch (err) {
@@ -45592,10 +45632,14 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     let messageText;
     let messageType;
+    let attachmentInfo = null;
     try {
       const parsed = JSON.parse(plaintext);
       messageType = parsed.type || "message";
       messageText = parsed.text || plaintext;
+      if (parsed.attachment) {
+        attachmentInfo = parsed.attachment;
+      }
     } catch {
       messageType = "message";
       messageText = plaintext;
@@ -45608,15 +45652,56 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     if (messageType === "message") {
       const topicId = msgData.topic_id;
+      let attachData;
+      if (attachmentInfo) {
+        try {
+          const { filePath, decrypted } = await this._downloadAndDecryptAttachment(attachmentInfo);
+          attachData = {
+            filename: attachmentInfo.filename,
+            mime: attachmentInfo.mime,
+            size: decrypted.length,
+            filePath
+          };
+          if (attachmentInfo.mime.startsWith("image/")) {
+            attachData.base64 = `data:${attachmentInfo.mime};base64,${bytesToBase64(decrypted)}`;
+          }
+          const textMimes = ["text/", "application/json", "application/xml", "application/csv"];
+          if (textMimes.some((m2) => attachmentInfo.mime.startsWith(m2))) {
+            attachData.textContent = new TextDecoder().decode(decrypted);
+          }
+        } catch (err) {
+          console.error(`[SecureChannel] Failed to download attachment:`, err);
+        }
+      }
       this._appendHistory("owner", messageText, topicId);
+      let emitText = messageText;
+      if (attachData) {
+        if (attachData.textContent) {
+          emitText = `[Attachment: ${attachData.filename} (${attachData.mime})]
+---
+${attachData.textContent}
+---
+
+${messageText}`;
+        } else if (attachData.base64) {
+          emitText = `[Image attachment: ${attachData.filename}]
+
+${messageText}`;
+        } else {
+          emitText = `[Attachment: ${attachData.filename} saved to ${attachData.filePath}]
+
+${messageText}`;
+        }
+      }
       const metadata = {
         messageId: msgData.message_id,
         conversationId: convId,
         timestamp: msgData.created_at,
-        topicId
+        topicId,
+        attachment: attachData
       };
-      this.emit("message", messageText, metadata);
-      this.config.onMessage?.(messageText, metadata);
+      this.emit("message", emitText, metadata);
+      this.config.onMessage?.(emitText, metadata);
       await this._relaySyncToSiblings(convId, session.ownerDeviceId, messageText, topicId);
     }
     if (this._persisted) {
@@ -45624,6 +45709,111 @@ var SecureChannel = class _SecureChannel extends EventEmitter {
     }
     await this._persistState();
   }
+  /**
+   * Download an encrypted attachment blob, decrypt it, verify integrity,
+   * and save the plaintext file to disk.
+   */
+  async _downloadAndDecryptAttachment(info) {
+    const attachDir = join2(this.config.dataDir, "attachments");
+    await mkdir2(attachDir, { recursive: true });
+    const url = `${this.config.apiUrl}${info.blobUrl}`;
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${this._deviceJwt}` }
+    });
+    if (!res.ok) {
+      throw new Error(`Attachment download failed: ${res.status}`);
+    }
+    const buffer = await res.arrayBuffer();
+    const encryptedData = new Uint8Array(buffer);
+    const digest = computeFileDigest(encryptedData);
+    if (digest !== info.digest) {
+      throw new Error("Attachment digest mismatch \u2014 possible tampering");
+    }
+    const fileKey = base64ToBytes(info.fileKey);
+    const fileNonce = base64ToBytes(info.fileNonce);
+    const decrypted = decryptFile(encryptedData, fileKey, fileNonce);
+    const filePath = join2(attachDir, info.filename);
+    await writeFile2(filePath, decrypted);
+    console.log(`[SecureChannel] Attachment saved: ${filePath} (${decrypted.length} bytes)`);
+    return { filePath, decrypted };
+  }
+  /**
+   * Upload an attachment file: encrypt, upload to server, return metadata
+   * for inclusion in the message envelope.
+   */
+  async _uploadAttachment(filePath, conversationId) {
+    const data = await readFile2(filePath);
+    const plainData = new Uint8Array(data);
+    const result = encryptFile(plainData);
+    const { Blob: NodeBlob, FormData: NodeFormData } = await import("node:buffer").then(
+      () => globalThis
+    );
+    const formData = new FormData();
+    formData.append("conversation_id", conversationId);
+    formData.append(
+      "file",
+      new Blob([result.encryptedData.buffer], { type: "application/octet-stream" }),
+      "attachment.bin"
+    );
+    const res = await fetch(`${this.config.apiUrl}/api/v1/attachments/upload`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${this._deviceJwt}` },
+      body: formData
+    });
+    if (!res.ok) {
+      const detail = await res.text();
+      throw new Error(`Attachment upload failed (${res.status}): ${detail}`);
+    }
+    const resp = await res.json();
+    const filename = filePath.split("/").pop() || "file";
+    return {
+      blobId: resp.blob_id,
+      blobUrl: resp.blob_url,
+      fileKey: bytesToBase64(result.fileKey),
+      fileNonce: bytesToBase64(result.fileNonce),
+      digest: result.digest,
+      filename,
+      mime: "application/octet-stream",
+      size: plainData.length
+    };
+  }
+  /**
+   * Send a message with an attached file. Encrypts the file, uploads it,
+   * then sends the envelope with attachment metadata via Double Ratchet.
+   */
+  async sendWithAttachment(plaintext, filePath, options) {
+    if (this._state !== "ready" || this._sessions.size === 0 || !this._ws) {
+      throw new Error("Channel is not ready");
+    }
+    const topicId = options?.topicId ?? this._persisted?.defaultTopicId;
+    const attachMeta = await this._uploadAttachment(filePath, this._primaryConversationId);
+    const envelope = JSON.stringify({
+      type: "message",
+      text: plaintext,
+      topicId,
+      attachment: attachMeta
+    });
+    this._appendHistory("agent", plaintext, topicId);
+    const messageGroupId = randomUUID();
+    for (const [convId, session] of this._sessions) {
+      if (!session.activated) continue;
+      const encrypted = session.ratchet.encrypt(envelope);
+      const transport = encryptedMessageToTransport(encrypted);
+      this._ws.send(
+        JSON.stringify({
+          event: "message",
+          data: {
+            conversation_id: convId,
+            header_blob: transport.header_blob,
+            ciphertext: transport.ciphertext,
+            message_group_id: messageGroupId,
+            topic_id: topicId
+          }
+        })
+      );
+    }
+    await this._persistState();
+  }
   /**
    * Relay an owner's message to all sibling sessions as encrypted sync messages.
    * This allows all owner devices to see messages from any single device.
@@ -46084,7 +46274,7 @@ async function _handleInbound(params) {
 }
 
 // src/index.ts
-var VERSION = "0.6.12";
+var VERSION = "0.6.13";
 export {
   SecureChannel,
   VERSION,