@buildautomaton/cli 0.1.15 → 0.1.16

package/dist/index.js

@@ -2240,7 +2240,7 @@ var require_websocket = __commonJS({
     var http = __require("http");
     var net = __require("net");
     var tls = __require("tls");
-    var { randomBytes, createHash: createHash2 } = __require("crypto");
+    var { randomBytes: randomBytes2, createHash: createHash2 } = __require("crypto");
     var { Duplex, Readable: Readable2 } = __require("stream");
     var { URL: URL2 } = __require("url");
     var PerMessageDeflate = require_permessage_deflate();
@@ -2770,7 +2770,7 @@ var require_websocket = __commonJS({
         }
       }
       const defaultPort = isSecure ? 443 : 80;
-      const key = randomBytes(16).toString("base64");
+      const key = randomBytes2(16).toString("base64");
       const request = isSecure ? https2.request : http.request;
       const protocolSet = /* @__PURE__ */ new Set();
       let perMessageDeflate;
@@ -22787,8 +22787,8 @@ var PREVIEW_API_BASE_PATH = "/__preview";
 var PREVIEW_SECRET_HEADER = "X-Preview-Secret";
 var DEFAULT_PORT = 3e3;
 var DEFAULT_COMMAND = "npm run preview";
-var PREVIEW_COMMAND_ENV = "BUILDAMATON_PREVIEW_COMMAND";
-var PREVIEW_PORT_ENV = "BUILDAMATON_PREVIEW_PORT";
+var PREVIEW_COMMAND_ENV = "BUILDAUTOMATON_PREVIEW_COMMAND";
+var PREVIEW_PORT_ENV = "BUILDAUTOMATON_PREVIEW_PORT";
 var previewProcess = null;
 var previewPort = DEFAULT_PORT;
 var previewSecret = "";
@@ -22841,7 +22841,7 @@ var OPERATIONS = [
 var previewSkill = {
   id: "preview",
   name: "Preview",
-  description: "Start and manage a local preview server that implements the BuildAutomaton Preview Server API. Configure the command with BUILDAMATON_PREVIEW_COMMAND (default: npm run preview). The server receives PORT and PREVIEW_SECRET and must expose /__preview/status and /__preview/stop.",
+  description: "Start and manage a local preview server that implements the BuildAutomaton Preview Server API. Configure the command with BUILDAUTOMATON_PREVIEW_COMMAND (default: npm run preview). The server receives PORT and PREVIEW_SECRET and must expose /__preview/status and /__preview/stop.",
   operations: OPERATIONS,
   async execute(operationId, params) {
     const command = getPreviewCommand();
@@ -23564,8 +23564,11 @@ function isLocalApiUrl(apiUrl) {
     return false;
   }
 }
+function appUrlForApiUrl(apiUrl) {
+  return apiUrl && isLocalApiUrl(apiUrl) ? process.env.BUILDAUTOMATON_APP_URL ?? "http://localhost:3000" : process.env.BUILDAUTOMATON_APP_URL ?? "https://app.buildautomaton.com";
+}
 async function openBrowser(connectionId, initialWorkspaceId, preferredBridgeName, apiUrl, logFn = log) {
-  const appUrl = apiUrl && isLocalApiUrl(apiUrl) ? process.env.BUILDAUTOMATON_APP_URL ?? "http://localhost:3000" : process.env.BUILDAUTOMATON_APP_URL ?? "https://app.buildautomaton.com";
+  const appUrl = appUrlForApiUrl(apiUrl);
   let connectCliUrl = `${appUrl.replace(/\/$/, "")}/bridges/connect?connectionId=${connectionId}`;
   if (initialWorkspaceId) {
     try {
@@ -28994,7 +28997,7 @@ async function createCursorAcpClient(options) {
     onRequest,
     onFileChange
   } = options;
-  const dbgFs = process.env.BUILDAMATON_DEBUG_ACP_FS === "1";
+  const dbgFs = process.env.BUILDAUTOMATON_DEBUG_ACP_FS === "1";
   const isWindows = process.platform === "win32";
   const child = spawn4(command[0], command.slice(1), {
     cwd,
@@ -31541,7 +31544,7 @@ function startFileIndexWatcher(cwd = getBridgeWorkspaceDirectory()) {
 }
 
 // src/dev-servers/manager/dev-server-manager.ts
-import { rm } from "node:fs/promises";
+import { rm as rm2 } from "node:fs/promises";
 
 // src/dev-servers/process/send-server-status.ts
 function sendDevServerStatus(getWs, serverId, status, options) {
@@ -32050,8 +32053,90 @@ var StreamTail = class {
   }
 };
 
-// src/dev-servers/manager/dev-server-manager.ts
+// src/dev-servers/manager/dev-server-constants.ts
 var BRIDGE_SHUTDOWN_GRACE_MS = 8e3;
+
+// src/dev-servers/manager/dev-server-firehose-messages.ts
+function buildFirehoseSnapshotMessage(params) {
+  const payload = {
+    type: "log_snapshot",
+    serverId: params.serverId,
+    viewerId: params.viewerId,
+    stdoutTail: params.tails.stdout,
+    stderrTail: params.tails.stderr
+  };
+  return params.e2ee ? params.e2ee.encryptFields(payload, ["stdoutTail", "stderrTail"]) : payload;
+}
+function buildFirehoseLogChunkMessage(params) {
+  const payload = {
+    type: "log_chunk",
+    serverId: params.serverId,
+    stream: params.stream,
+    text: params.text
+  };
+  return params.e2ee ? params.e2ee.encryptFields(payload, ["text"]) : payload;
+}
+
+// src/dev-servers/manager/dev-server-firehose-sink.ts
+var DevServerFirehoseSink = class {
+  constructor(options) {
+    this.options = options;
+  }
+  logViewerRefCountByServerId = /* @__PURE__ */ new Map();
+  firehoseSend = null;
+  attach(send) {
+    this.firehoseSend = send;
+  }
+  detach() {
+    this.firehoseSend = null;
+    this.logViewerRefCountByServerId.clear();
+  }
+  openLogViewer(serverId, viewerId) {
+    const next = (this.logViewerRefCountByServerId.get(serverId) ?? 0) + 1;
+    this.logViewerRefCountByServerId.set(serverId, next);
+    this.sendSnapshot(serverId, viewerId);
+  }
+  closeLogViewer(serverId) {
+    const n = (this.logViewerRefCountByServerId.get(serverId) ?? 0) - 1;
+    if (n <= 0) this.logViewerRefCountByServerId.delete(serverId);
+    else this.logViewerRefCountByServerId.set(serverId, n);
+  }
+  pushLogChunk(serverId, stream, chunk) {
+    if ((this.logViewerRefCountByServerId.get(serverId) ?? 0) <= 0) return;
+    if (!this.options.isPipedCaptureEnabled(serverId)) return;
+    if (!this.firehoseSend) return;
+    const text = chunk.toString("utf8");
+    setImmediate(() => {
+      if (!this.firehoseSend) return;
+      this.firehoseSend(buildFirehoseLogChunkMessage({ serverId, stream, text, e2ee: this.options.e2ee }));
+    });
+  }
+  sendSnapshot(serverId, viewerId) {
+    const payload = buildFirehoseSnapshotMessage({
+      serverId,
+      viewerId,
+      tails: this.options.getTails(serverId),
+      e2ee: this.options.e2ee
+    });
+    setImmediate(() => {
+      const send = this.firehoseSend;
+      if (!send) return;
+      send(payload);
+    });
+  }
+};
+
+// src/dev-servers/manager/cleanup-merged-log-dir.ts
+import { rm } from "node:fs/promises";
+function cleanupMergedLogDirForServer(map2, serverId) {
+  const mergedDir = map2.get(serverId);
+  if (!mergedDir) return;
+  map2.delete(serverId);
+  void rm(mergedDir, { recursive: true, force: true }).catch(() => {
+  });
+}
+
+// src/dev-servers/manager/dev-server-manager.ts
 var emptyTails = () => ({ stdout: [], stderr: [] });
 var DevServerManager = class {
   defsById = /* @__PURE__ */ new Map();
@@ -32059,66 +32144,36 @@ var DevServerManager = class {
   streamTailsByServerId = /* @__PURE__ */ new Map();
   spawnGenerationByServerId = /* @__PURE__ */ new Map();
   pipedCaptureByServerId = /* @__PURE__ */ new Map();
-  logViewerRefCountByServerId = /* @__PURE__ */ new Map();
-  firehoseSend = null;
   mergedLogPollByServerId = /* @__PURE__ */ new Map();
   mergedLogCleanupDirByServerId = /* @__PURE__ */ new Map();
   abortControllersByServerId = /* @__PURE__ */ new Map();
   getWs;
   log;
   getBridgeCwd;
+  e2ee;
+  firehoseSink;
   constructor(options) {
     this.getWs = options.getWs;
     this.log = options.log;
     this.getBridgeCwd = options.getBridgeCwd ?? (() => process.cwd());
+    this.e2ee = options.e2ee;
+    this.firehoseSink = new DevServerFirehoseSink({
+      getTails: (serverId) => this.snapshotTails(serverId),
+      isPipedCaptureEnabled: (serverId) => this.pipedCaptureByServerId.get(serverId) === true,
+      e2ee: this.e2ee
+    });
   }
   attachFirehose(send) {
-    this.firehoseSend = send;
+    this.firehoseSink.attach(send);
   }
   detachFirehose() {
-    this.firehoseSend = null;
-    this.logViewerRefCountByServerId.clear();
+    this.firehoseSink.detach();
   }
   handleFirehoseLogViewerOpen(serverId, _viewerId) {
-    const next = (this.logViewerRefCountByServerId.get(serverId) ?? 0) + 1;
-    this.logViewerRefCountByServerId.set(serverId, next);
-    this.sendSnapshotToFirehose(serverId, _viewerId);
+    this.firehoseSink.openLogViewer(serverId, _viewerId);
   }
   handleFirehoseLogViewerClose(serverId, _viewerId) {
-    const n = (this.logViewerRefCountByServerId.get(serverId) ?? 0) - 1;
-    if (n <= 0) this.logViewerRefCountByServerId.delete(serverId);
-    else this.logViewerRefCountByServerId.set(serverId, n);
-  }
-  sendSnapshotToFirehose(serverId, viewerId) {
-    const tails = this.streamTailsByServerId.get(serverId);
-    const payload = {
-      type: "log_snapshot",
-      serverId,
-      viewerId,
-      stdoutTail: tails?.stdout.getTail() ?? [],
-      stderrTail: tails?.stderr.getTail() ?? []
-    };
-    setImmediate(() => {
-      const send = this.firehoseSend;
-      if (!send) return;
-      send(payload);
-    });
-  }
-  pushRemoteLogChunk(serverId, stream, chunk) {
-    if ((this.logViewerRefCountByServerId.get(serverId) ?? 0) <= 0) return;
-    if (!this.pipedCaptureByServerId.get(serverId)) return;
-    const send = this.firehoseSend;
-    if (!send) return;
-    const text = chunk.toString("utf8");
-    setImmediate(() => {
-      if (!this.firehoseSend) return;
-      this.firehoseSend({
-        type: "log_chunk",
-        serverId,
-        stream,
-        text
-      });
-    });
+    this.firehoseSink.closeLogViewer(serverId);
   }
   applyConfig(servers) {
     this.defsById.clear();
@@ -32171,12 +32226,7 @@ var DevServerManager = class {
     }
     this.clearTails(serverId);
     this.pipedCaptureByServerId.delete(serverId);
-    const mergedDir = this.mergedLogCleanupDirByServerId.get(serverId);
-    if (mergedDir) {
-      this.mergedLogCleanupDirByServerId.delete(serverId);
-      void rm(mergedDir, { recursive: true, force: true }).catch(() => {
-      });
-    }
+    cleanupMergedLogDirForServer(this.mergedLogCleanupDirByServerId, serverId);
     this.sendStatus(serverId, "stopped", void 0, tails);
   }
   start(serverId) {
@@ -32259,7 +32309,7 @@ var DevServerManager = class {
         log: this.log,
         stdoutTail,
         stderrTail,
-        pushRemoteLogChunk: (sid, stream, chunk) => this.pushRemoteLogChunk(sid, stream, chunk),
+        pushRemoteLogChunk: (sid, stream, chunk) => this.firehoseSink.pushLogChunk(sid, stream, chunk),
         sendStatus: (status, detail, tails) => this.sendStatus(serverId, status, detail, tails),
         setPollInterval: (iv) => {
           if (iv) this.mergedLogPollByServerId.set(serverId, iv);
@@ -32273,7 +32323,7 @@ var DevServerManager = class {
           this.mergedLogCleanupDirByServerId.delete(serverId);
         },
         rmMergedCleanupDir: (dir) => {
-          void rm(dir, { recursive: true, force: true }).catch(() => {
+          void rm2(dir, { recursive: true, force: true }).catch(() => {
           });
         },
         clearTailBuffers: () => this.clearTails(serverId)
@@ -32310,12 +32360,7 @@ var DevServerManager = class {
     this.processes.delete(serverId);
     this.clearPoll(serverId);
     this.pipedCaptureByServerId.delete(serverId);
-    const mergedDir = this.mergedLogCleanupDirByServerId.get(serverId);
-    if (mergedDir) {
-      this.mergedLogCleanupDirByServerId.delete(serverId);
-      void rm(mergedDir, { recursive: true, force: true }).catch(() => {
-      });
-    }
+    cleanupMergedLogDirForServer(this.mergedLogCleanupDirByServerId, serverId);
     const tails = this.snapshotTails(serverId);
     this.clearTails(serverId);
     this.sendStatus(serverId, "unknown", "Bridge closed before process exited", tails);
@@ -32775,7 +32820,7 @@ function reportGitRepos(getWs, log2) {
 var handleAuthToken = (msg, { log: log2 }) => {
   if (typeof msg.token !== "string") return;
   log2("Received auth token. Save it for future runs:");
-  log2(`  export BUILDAMATON_AUTH_TOKEN="${msg.token}"`);
+  log2(`  export BUILDAUTOMATON_AUTH_TOKEN="${msg.token}"`);
 };
 
 // src/bridge/routing/handlers/bridge-identified.ts
@@ -32895,21 +32940,28 @@ function handleBridgePrompt(msg, deps) {
   const sessionId = msg.sessionId;
   const runId = typeof msg.runId === "string" ? msg.runId : void 0;
   const promptId = typeof msg.id === "string" ? msg.id : void 0;
+  const sendBridgeMessage = (message, encryptedFields = []) => {
+    const s = getWs();
+    if (!s) return false;
+    const wire = deps.e2ee && encryptedFields.length > 0 ? deps.e2ee.encryptFields(message, encryptedFields) : message;
+    sendWsMessage(s, wire);
+    return true;
+  };
   if (!promptText.trim()) {
     log2(
       `[Bridge service] Prompt ignored: empty or missing prompt text (session ${typeof msg.sessionId === "string" ? msg.sessionId.slice(0, 8) : "\u2014"}\u2026, run ${typeof msg.runId === "string" ? msg.runId.slice(0, 8) : "\u2014"}\u2026).`
     );
-    const s = getWs();
-    if (s) {
-      sendWsMessage(s, {
+    sendBridgeMessage(
+      {
         type: "prompt_result",
         ...promptId ? { id: promptId } : {},
         ...sessionId ? { sessionId } : {},
         ...runId ? { runId } : {},
         success: false,
         error: "Empty or missing prompt text from the bridge; this turn was not sent to the agent."
-      });
-    }
+      },
+      ["error"]
+    );
     return;
   }
   const isNewSession = msg.isNewSession === true;
@@ -32918,8 +32970,7 @@ function handleBridgePrompt(msg, deps) {
   const mode = typeof msg.mode === "string" && msg.mode.trim() ? msg.mode.trim() : void 0;
   acpManager.logPromptReceivedFromBridge({ agentType, mode });
   const sendResult2 = (result) => {
-    const s = getWs();
-    if (s) sendWsMessage(s, result);
+    sendBridgeMessage(result, result.type === "prompt_result" ? ["output", "error"] : []);
   };
   const sendSessionUpdate = (payload) => {
     const s = getWs();
@@ -32928,7 +32979,15 @@ function handleBridgePrompt(msg, deps) {
       return;
     }
     const p = payload;
-    sendWsMessage(s, payload);
+    const wire = p.type === "session_update" && deps.e2ee ? deps.e2ee.encryptFields(payload, ["payload"]) : p.type === "session_file_change" && deps.e2ee ? deps.e2ee.encryptFields(payload, [
+      "path",
+      "oldText",
+      "newText",
+      "patchContent",
+      "isDirectory",
+      "directoryRemoved"
+    ]) : payload;
+    sendWsMessage(s, wire);
   };
   async function preambleAndPrompt(resolvedCwd) {
     const s = getWs();
@@ -33309,28 +33368,30 @@ async function readFileAsync(relativePath, startLine, endLine, lineOffset, lineC
 
 // src/files/handle-file-browser-search.ts
 var SEARCH_LIMIT = 100;
-function handleFileBrowserSearch(msg, socket) {
+function handleFileBrowserSearch(msg, socket, e2ee) {
   void (async () => {
     await yieldToEventLoop();
     const q = typeof msg.q === "string" ? msg.q : "";
     const cwd = getBridgeWorkspaceDirectory();
     const index = loadFileIndex(cwd);
     if (index === null) {
-      sendWsMessage(socket, {
+      const payload2 = {
         type: "file_browser_search_response",
         id: msg.id,
         paths: [],
         indexReady: false
-      });
+      };
+      sendWsMessage(socket, e2ee ? e2ee.encryptFields(payload2, ["paths"]) : payload2);
       return;
     }
     const results = await searchFileIndexAsync(index, q, SEARCH_LIMIT);
-    sendWsMessage(socket, {
+    const payload = {
       type: "file_browser_search_response",
       id: msg.id,
       paths: results,
       indexReady: true
-    });
+    };
+    sendWsMessage(socket, e2ee ? e2ee.encryptFields(payload, ["paths"]) : payload);
   })();
 }
 function triggerFileIndexBuild() {
@@ -33342,7 +33403,10 @@ function triggerFileIndexBuild() {
 }
 
 // src/files/handle-file-browser-request.ts
-function handleFileBrowserRequest(msg, socket) {
+function sendFileBrowserMessage(socket, e2ee, payload) {
+  sendWsMessage(socket, e2ee ? e2ee.encryptFields(payload, ["entries", "content", "totalLines", "size", "lineOffset"]) : payload);
+}
+function handleFileBrowserRequest(msg, socket, e2ee) {
   void (async () => {
     const reqPath = msg.path.replace(/^\/+/, "") || ".";
     const op = msg.op === "read" ? "read" : "list";
@@ -33351,7 +33415,7 @@ function handleFileBrowserRequest(msg, socket) {
       if ("error" in result) {
         sendWsMessage(socket, { type: "file_browser_response", id: msg.id, error: result.error });
       } else {
-        sendWsMessage(socket, { type: "file_browser_response", id: msg.id, entries: result.entries });
+        sendFileBrowserMessage(socket, e2ee, { type: "file_browser_response", id: msg.id, entries: result.entries });
         if (reqPath === "." || reqPath === "") {
           triggerFileIndexBuild();
         }
@@ -33373,27 +33437,28 @@ function handleFileBrowserRequest(msg, socket) {
           size: result.size
         };
         if (result.lineOffset != null) payload.lineOffset = result.lineOffset;
-        sendWsMessage(socket, payload);
+        sendFileBrowserMessage(socket, e2ee, payload);
       }
     }
   })();
 }
 
 // src/bridge/routing/handlers/file-browser-messages.ts
-function handleFileBrowserRequestMessage(msg, { getWs }) {
+function handleFileBrowserRequestMessage(msg, { getWs, e2ee }) {
   if (typeof msg.id !== "string" || typeof msg.path !== "string") return;
   const socket = getWs();
   if (!socket) return;
   handleFileBrowserRequest(
     msg,
-    socket
+    socket,
+    e2ee
   );
 }
-function handleFileBrowserSearchMessage(msg, { getWs }) {
+function handleFileBrowserSearchMessage(msg, { getWs, e2ee }) {
   if (typeof msg.id !== "string") return;
   const socket = getWs();
   if (!socket) return;
-  handleFileBrowserSearch(msg, socket);
+  handleFileBrowserSearch(msg, socket, e2ee);
 }
 
 // src/bridge/routing/handlers/skill-layout-request.ts
@@ -33463,9 +33528,10 @@ var handleRefreshLocalSkills = (_msg, deps) => {
 };
 
 // src/bridge/routing/handlers/session-git-request.ts
-function sendResult(ws, id, payload) {
+function sendResult(ws, id, payload, e2ee, encryptedFields = []) {
   if (!ws) return;
-  sendWsMessage(ws, { type: "session_git_result", id, ...payload });
+  const message = { type: "session_git_result", id, ...payload };
+  sendWsMessage(ws, e2ee && encryptedFields.length > 0 ? e2ee.encryptFields(message, encryptedFields) : message);
 }
 var handleSessionGitRequestMessage = (msg, deps) => {
   if (typeof msg.id !== "string") return;
@@ -33475,7 +33541,7 @@ var handleSessionGitRequestMessage = (msg, deps) => {
     return;
   void (async () => {
     const ws = deps.getWs();
-    const reply = (payload) => sendResult(ws, msg.id, payload);
+    const reply = (payload, encryptedFields = []) => sendResult(ws, msg.id, payload, deps.e2ee, encryptedFields);
     try {
       if (action === "status") {
         const r = await deps.sessionWorktreeManager.getSessionWorkingTreeStatus(sessionId);
@@ -33501,7 +33567,7 @@ var handleSessionGitRequestMessage = (msg, deps) => {
         reply({
           ok: true,
           repos
-        });
+        }, ["repos"]);
         return;
       }
       if (action === "push") {
@@ -33603,8 +33669,15 @@ var handleRevertTurnSnapshotMessage = (msg, deps) => {
 
 // src/bridge/routing/handlers/dev-server-control.ts
 var handleDevServerControl = (msg, deps) => {
-  const serverId = typeof msg.serverId === "string" ? msg.serverId : "";
-  const action = msg.action === "start" || msg.action === "stop" ? msg.action : null;
+  let wire = msg;
+  try {
+    wire = deps.e2ee ? deps.e2ee.decryptMessage(msg) : msg;
+  } catch (e) {
+    deps.log(`[E2EE] Could not decrypt dev server command: ${e instanceof Error ? e.message : String(e)}`);
+    return;
+  }
+  const serverId = typeof wire.serverId === "string" ? wire.serverId : "";
+  const action = wire.action === "start" || wire.action === "stop" ? wire.action : null;
   if (!serverId || !action) return;
   deps.devServerManager?.handleControl(serverId, action);
 };
@@ -33730,7 +33803,8 @@ function createMainBridgeWebSocketLifecycle(params) {
     messageDeps,
     tokens,
     persistTokens,
-    onAuthInvalid
+    onAuthInvalid,
+    e2ee
   } = params;
   let authRefreshInFlight = false;
   function handleOpen() {
@@ -33743,15 +33817,15 @@ function createMainBridgeWebSocketLifecycle(params) {
     }
     const socket = getWs();
     if (socket) {
-      sendWsMessage(socket, { type: "identify", role: "cli" });
+      sendWsMessage(socket, { type: "identify", role: "cli", ...e2ee ? { e: e2ee.handshake } : {} });
       reportGitRepos(getWs, logFn);
     }
     if (justAuthenticated && socket) {
       logFn(
         "Save these for future runs (access token may rotate; refresh token is stored in ~/.buildautomaton/config.json when you use browser auth):"
       );
-      logFn(`  export BUILDAMATON_AUTH_TOKEN="${tokens.accessToken}"`);
-      logFn(`  export BUILDAMATON_WORKSPACE_ID="${workspaceId}"`);
+      logFn(`  export BUILDAUTOMATON_AUTH_TOKEN="${tokens.accessToken}"`);
+      logFn(`  export BUILDAUTOMATON_WORKSPACE_ID="${workspaceId}"`);
     }
   }
   function handleClose(code, reason) {
@@ -33833,6 +33907,100 @@ function createMainBridgeWebSocketLifecycle(params) {
   return { connect };
 }
 
+// ../e2ee/src/constants.ts
+var E2EE_NONCE_BYTES = 12;
+
+// ../e2ee/src/types.ts
+function isE2eeEnvelope(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+  const o = value;
+  return typeof o.k === "string" && typeof o.n === "string" && typeof o.c === "string";
+}
+
+// ../e2ee/src/encoding.ts
+function base64UrlEncode(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i += 1) binary += String.fromCharCode(bytes[i]);
+  const b64 = btoa(binary);
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function base64UrlDecode(value) {
+  const b64 = value.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+  const binary = atob(padded);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i += 1) out[i] = binary.charCodeAt(i);
+  return out;
+}
+
+// src/lib/e2ee/cli-e2ee-runtime.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+function nonceFromCounter(prefix, counter) {
+  const nonce = Buffer.alloc(E2EE_NONCE_BYTES);
+  prefix.copy(nonce, 0);
+  nonce.writeBigUInt64BE(counter, 4);
+  return nonce;
+}
+function createCliE2eeRuntime(key) {
+  const rawKey = Buffer.from(base64UrlDecode(key.k));
+  const prefix = randomBytes(4);
+  let counter = 0n;
+  function nextNonce() {
+    counter += 1n;
+    return nonceFromCounter(prefix, counter);
+  }
+  function encryptObject(messageWithoutSensitiveFields, plaintext) {
+    const nonce = nextNonce();
+    const cipher = createCipheriv("aes-256-gcm", rawKey, nonce);
+    const ciphertext = Buffer.concat([cipher.update(JSON.stringify(plaintext), "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+      k: key.id,
+      n: base64UrlEncode(nonce),
+      c: base64UrlEncode(Buffer.concat([ciphertext, tag]))
+    };
+  }
+  return {
+    keyId: key.id,
+    handshake: { k: key.id, a: key.a },
+    encryptFields(message, fields) {
+      const plaintext = {};
+      const stripped = { ...message };
+      let hasPlaintext = false;
+      for (const field of fields) {
+        if (Object.prototype.hasOwnProperty.call(stripped, field) && stripped[field] !== void 0) {
+          plaintext[field] = stripped[field];
+          delete stripped[field];
+          hasPlaintext = true;
+        }
+      }
+      if (!hasPlaintext) return message;
+      stripped.ee = encryptObject(stripped, plaintext);
+      return stripped;
+    },
+    decryptMessage(message) {
+      const envelope = message.ee;
+      if (!isE2eeEnvelope(envelope)) return message;
+      if (envelope.k !== key.id) throw new Error(`E2EE key mismatch: ${envelope.k}`);
+      const sealed = Buffer.from(base64UrlDecode(envelope.c));
+      if (sealed.length < 16) throw new Error("Invalid E2EE payload.");
+      const ciphertext = sealed.subarray(0, sealed.length - 16);
+      const tag = sealed.subarray(sealed.length - 16);
+      const nonce = Buffer.from(base64UrlDecode(envelope.n));
+      const decipher = createDecipheriv("aes-256-gcm", rawKey, nonce);
+      decipher.setAuthTag(tag);
+      const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+      const parsed = JSON.parse(decrypted);
+      if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("E2EE payload did not decode to an object.");
+      }
+      const merged = { ...message, ...parsed };
+      delete merged.ee;
+      return merged;
+    }
+  };
+}
+
 // src/bridge/connection/create-bridge-connection.ts
 async function createBridgeConnection(options) {
   const { apiUrl, workspaceId, justAuthenticated, onAuthInvalid, persistTokens } = options;
@@ -33866,7 +34034,8 @@ async function createBridgeConnection(options) {
   function getWs() {
     return state.currentWs;
   }
-  const devServerManager = new DevServerManager({ getWs, log: logFn, getBridgeCwd: getBridgeWorkspaceDirectory });
+  const e2ee = options.e2eCertificate ? createCliE2eeRuntime(options.e2eCertificate) : void 0;
+  const devServerManager = new DevServerManager({ getWs, log: logFn, getBridgeCwd: getBridgeWorkspaceDirectory, e2ee });
   const onBridgeIdentified = createOnBridgeIdentified({
     sessionWorktreeManager,
     devServerManager,
@@ -33885,7 +34054,8 @@ async function createBridgeConnection(options) {
     onBridgeIdentified,
     sendLocalSkillsReport,
     reportAutoDetectedAgents,
-    devServerManager
+    devServerManager,
+    e2ee
   };
   const { connect } = createMainBridgeWebSocketLifecycle({
     state,
@@ -33897,7 +34067,8 @@ async function createBridgeConnection(options) {
     messageDeps,
     tokens,
     persistTokens,
-    onAuthInvalid
+    onAuthInvalid,
+    e2ee
   });
   connect();
   const stopFileIndexWatcher = startFileIndexWatcher(getBridgeWorkspaceDirectory());
@@ -33909,56 +34080,72 @@ async function createBridgeConnection(options) {
   };
 }
 
-// src/run-bridge.ts
-async function runBridge(options) {
-  installBridgeProcessResilience();
-  const { apiUrl, workspaceId, authToken, refreshToken, bridgeName, justAuthenticated, worktreesRootAbs } = options;
-  const firehoseServerUrl = options.firehoseServerUrl ?? options.proxyServerUrl;
-  const hasAuth = workspaceId && authToken;
-  if (!hasAuth) {
-    const handle2 = runPendingAuth({
-      apiUrl,
-      initialWorkspaceId: workspaceId,
-      preferredBridgeName: bridgeName,
-      log,
-      onAuth: (_auth) => {
-      }
-    });
-    const onSignal2 = (kind) => {
-      logImmediate(
-        kind === "interrupt" ? "Keyboard interrupt (Ctrl+C) \u2014 stopping\u2026" : "Stop requested \u2014 shutting down\u2026"
-      );
-      setImmediate(() => {
-        handle2.close();
-        process.exit(0);
-      });
+// src/e2e-certificates/key-command.ts
+import * as readline3 from "node:readline";
+function installE2eCertificateKeyCommand({
+  log: log2,
+  onOpenCertificate,
+  onInterrupt
+}) {
+  if (!process.stdin.isTTY || typeof process.stdin.setRawMode !== "function") {
+    log2("[E2EE] Press c to import the E2EE key in a browser when running in an interactive terminal.");
+    return () => {
     };
-    const onSigInt2 = () => onSignal2("interrupt");
-    const onSigTerm2 = () => onSignal2("stop");
-    process.on("SIGINT", onSigInt2);
-    process.on("SIGTERM", onSigTerm2);
-    const auth = await handle2.authPromise;
-    process.off("SIGINT", onSigInt2);
-    process.off("SIGTERM", onSigTerm2);
-    handle2.close();
-    if (!auth) return;
-    writeConfigForApi(apiUrl, {
-      workspaceId: auth.workspaceId,
-      token: auth.token,
-      refreshToken: auth.refreshToken
-    });
-    await runBridge({
-      apiUrl,
-      workspaceId: auth.workspaceId,
-      authToken: auth.token,
-      refreshToken: auth.refreshToken,
-      firehoseServerUrl,
-      bridgeName,
-      justAuthenticated: true,
-      worktreesRootAbs
-    });
-    return;
   }
+  readline3.emitKeypressEvents(process.stdin);
+  process.stdin.setRawMode(true);
+  process.stdin.resume();
+  const onKeypress = (str, key) => {
+    if (key?.ctrl && key.name === "c") {
+      onInterrupt();
+      return;
+    }
+    if (!key?.ctrl && !key?.meta && (key?.name === "c" || str === "c")) {
+      onOpenCertificate();
+    }
+  };
+  process.stdin.on("keypress", onKeypress);
+  log2("[E2EE] Press c to import the active E2EE key into the browser.");
+  return () => {
+    process.stdin.off("keypress", onKeypress);
+    if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
+      process.stdin.setRawMode(false);
+    }
+  };
+}
+
+// src/e2e-certificates/open-import-url.ts
+async function openE2eCertificateImportUrl({
+  apiUrl,
+  workspaceId,
+  certificate,
+  log: log2
+}) {
+  const appUrl = appUrlForApiUrl(apiUrl);
+  const payload = encodeURIComponent(certificate.pemBundle);
+  const url2 = `${appUrl.replace(/\/$/, "")}/w/${encodeURIComponent(workspaceId)}/settings/e2e-encryption?certificate=${payload}`;
+  log2(`[E2EE] Opening browser to import key "${certificate.name}" (${certificate.id})...`);
+  try {
+    await open_default(url2, { wait: false });
+  } catch {
+    log2("[E2EE] Could not open browser. Open this URL manually:");
+    log2(url2);
+  }
+}
+
+// src/run-bridge-connected.ts
+async function runConnectedBridge(options, restartWithoutAuth) {
+  const {
+    apiUrl,
+    workspaceId,
+    authToken,
+    refreshToken,
+    justAuthenticated,
+    worktreesRootAbs,
+    e2eCertificate
+  } = options;
+  const firehoseServerUrl = options.firehoseServerUrl ?? options.proxyServerUrl;
+  let cleanupKeyCommand;
   const handle = await createBridgeConnection({
     apiUrl,
     workspaceId,
@@ -33967,6 +34154,7 @@ async function runBridge(options) {
     firehoseServerUrl,
     justAuthenticated,
     worktreesRootAbs,
+    e2eCertificate,
     log,
     persistTokens: (t) => {
       writeConfigForApi(apiUrl, {
@@ -33976,14 +34164,16 @@ async function runBridge(options) {
       });
     },
     onAuthInvalid: () => {
+      cleanupKeyCommand?.();
       log("[Bridge service] Access token invalid or revoked; re-authenticating\u2026");
       clearConfigForApi(apiUrl);
       void handle.close().then(() => {
-        void runBridge({ apiUrl, firehoseServerUrl, worktreesRootAbs });
+        void restartWithoutAuth({ apiUrl, firehoseServerUrl, worktreesRootAbs, e2eCertificate });
       });
     }
   });
   const onSignal = (kind) => {
+    cleanupKeyCommand?.();
     logImmediate(
       kind === "interrupt" ? "Keyboard interrupt (Ctrl+C) \u2014 stopping\u2026" : "Stop requested \u2014 shutting down\u2026"
     );
@@ -33997,6 +34187,86 @@ async function runBridge(options) {
   const onSigTerm = () => onSignal("stop");
   process.on("SIGINT", onSigInt);
   process.on("SIGTERM", onSigTerm);
+  if (e2eCertificate) {
+    let openingCertificate = false;
+    cleanupKeyCommand = installE2eCertificateKeyCommand({
+      log,
+      onInterrupt: onSigInt,
+      onOpenCertificate: () => {
+        if (openingCertificate) return;
+        openingCertificate = true;
+        void openE2eCertificateImportUrl({
+          apiUrl,
+          workspaceId,
+          certificate: e2eCertificate,
+          log
+        }).finally(() => {
+          openingCertificate = false;
+        });
+      }
+    });
+  }
+}
+
+// src/run-bridge.ts
+async function runBridge(options) {
+  installBridgeProcessResilience();
+  const {
+    apiUrl,
+    workspaceId,
+    authToken,
+    bridgeName,
+    worktreesRootAbs,
+    e2eCertificate
+  } = options;
+  const firehoseServerUrl = options.firehoseServerUrl ?? options.proxyServerUrl;
+  const hasAuth = workspaceId && authToken;
+  if (!hasAuth) {
+    const handle = runPendingAuth({
+      apiUrl,
+      initialWorkspaceId: workspaceId,
+      preferredBridgeName: bridgeName,
+      log,
+      onAuth: (_auth) => {
+      }
+    });
+    const onSignal = (kind) => {
+      logImmediate(
+        kind === "interrupt" ? "Keyboard interrupt (Ctrl+C) \u2014 stopping\u2026" : "Stop requested \u2014 shutting down\u2026"
+      );
+      setImmediate(() => {
+        handle.close();
+        process.exit(0);
+      });
+    };
+    const onSigInt = () => onSignal("interrupt");
+    const onSigTerm = () => onSignal("stop");
+    process.on("SIGINT", onSigInt);
+    process.on("SIGTERM", onSigTerm);
+    const auth = await handle.authPromise;
+    process.off("SIGINT", onSigInt);
+    process.off("SIGTERM", onSigTerm);
+    handle.close();
+    if (!auth) return;
+    writeConfigForApi(apiUrl, {
+      workspaceId: auth.workspaceId,
+      token: auth.token,
+      refreshToken: auth.refreshToken
+    });
+    await runBridge({
+      apiUrl,
+      workspaceId: auth.workspaceId,
+      authToken: auth.token,
+      refreshToken: auth.refreshToken,
+      firehoseServerUrl,
+      bridgeName,
+      justAuthenticated: true,
+      worktreesRootAbs,
+      e2eCertificate
+    });
+    return;
+  }
+  await runConnectedBridge(options, runBridge);
 }
 export {
   callSkill,