@castlekit/castle 0.1.5 → 0.3.0

package/src/lib/db/schema.ts

@@ -0,0 +1,160 @@
+import { sqliteTable, text, integer, primaryKey, index } from "drizzle-orm/sqlite-core";
+
+// ============================================================================
+// channels
+// ============================================================================
+
+export const channels = sqliteTable("channels", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  defaultAgentId: text("default_agent_id").notNull(),
+  createdAt: integer("created_at").notNull(), // unix ms
+  updatedAt: integer("updated_at"),           // unix ms
+  lastAccessedAt: integer("last_accessed_at"), // unix ms — last time user opened this channel
+  archivedAt: integer("archived_at"),           // unix ms — null if active, set when archived
+});
+
+// ============================================================================
+// settings (key-value store for user preferences)
+// ============================================================================
+
+export const settings = sqliteTable("settings", {
+  key: text("key").primaryKey(),
+  value: text("value").notNull(),
+  updatedAt: integer("updated_at").notNull(), // unix ms
+});
+
+// ============================================================================
+// agent_statuses (live agent activity state)
+// ============================================================================
+
+export const agentStatuses = sqliteTable("agent_statuses", {
+  agentId: text("agent_id").primaryKey(),
+  status: text("status").notNull().default("idle"), // "idle" | "thinking" | "active"
+  updatedAt: integer("updated_at").notNull(), // unix ms
+});
+
+// ============================================================================
+// channel_agents (many-to-many junction)
+// ============================================================================
+
+export const channelAgents = sqliteTable(
+  "channel_agents",
+  {
+    channelId: text("channel_id")
+      .notNull()
+      .references(() => channels.id, { onDelete: "cascade" }),
+    agentId: text("agent_id").notNull(),
+  },
+  (table) => [
+    primaryKey({ columns: [table.channelId, table.agentId] }),
+  ]
+);
+
+// ============================================================================
+// sessions
+// ============================================================================
+
+export const sessions = sqliteTable(
+  "sessions",
+  {
+    id: text("id").primaryKey(),
+    channelId: text("channel_id")
+      .notNull()
+      .references(() => channels.id, { onDelete: "cascade" }),
+    sessionKey: text("session_key"),           // Gateway session key
+    startedAt: integer("started_at").notNull(), // unix ms
+    endedAt: integer("ended_at"),               // unix ms, nullable
+    summary: text("summary"),
+    totalInputTokens: integer("total_input_tokens").default(0),
+    totalOutputTokens: integer("total_output_tokens").default(0),
+  },
+  (table) => [
+    index("idx_sessions_channel").on(table.channelId, table.startedAt),
+  ]
+);
+
+// ============================================================================
+// messages
+// ============================================================================
+
+export const messages = sqliteTable(
+  "messages",
+  {
+    id: text("id").primaryKey(),
+    channelId: text("channel_id")
+      .notNull()
+      .references(() => channels.id, { onDelete: "cascade" }),
+    sessionId: text("session_id").references(() => sessions.id),
+    senderType: text("sender_type").notNull(), // "user" | "agent"
+    senderId: text("sender_id").notNull(),
+    senderName: text("sender_name"),
+    content: text("content").notNull().default(""),
+    status: text("status").notNull().default("complete"), // "complete" | "interrupted" | "aborted"
+    mentionedAgentId: text("mentioned_agent_id"),
+    runId: text("run_id"),                     // Gateway run ID for streaming correlation
+    sessionKey: text("session_key"),           // Gateway session key
+    inputTokens: integer("input_tokens"),
+    outputTokens: integer("output_tokens"),
+    createdAt: integer("created_at").notNull(), // unix ms
+  },
+  (table) => [
+    index("idx_messages_channel").on(table.channelId, table.createdAt),
+    index("idx_messages_session").on(table.sessionId, table.createdAt),
+    index("idx_messages_run_id").on(table.runId),
+  ]
+);
+
+// ============================================================================
+// message_attachments
+// ============================================================================
+
+export const messageAttachments = sqliteTable(
+  "message_attachments",
+  {
+    id: text("id").primaryKey(),
+    messageId: text("message_id")
+      .notNull()
+      .references(() => messages.id, { onDelete: "cascade" }),
+    attachmentType: text("attachment_type").notNull(), // "image" | "audio"
+    filePath: text("file_path").notNull(),
+    mimeType: text("mime_type"),
+    fileSize: integer("file_size"),
+    originalName: text("original_name"),
+    createdAt: integer("created_at").notNull(), // unix ms
+  },
+  (table) => [
+    index("idx_attachments_message").on(table.messageId),
+  ]
+);
+
+// ============================================================================
+// recent_searches
+// ============================================================================
+
+export const recentSearches = sqliteTable("recent_searches", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  query: text("query").notNull(),
+  createdAt: integer("created_at").notNull(), // unix ms
+});
+
+// ============================================================================
+// message_reactions
+// ============================================================================
+
+export const messageReactions = sqliteTable(
+  "message_reactions",
+  {
+    id: text("id").primaryKey(),
+    messageId: text("message_id")
+      .notNull()
+      .references(() => messages.id, { onDelete: "cascade" }),
+    agentId: text("agent_id"),
+    emoji: text("emoji").notNull(),
+    emojiChar: text("emoji_char").notNull(),
+    createdAt: integer("created_at").notNull(), // unix ms
+  },
+  (table) => [
+    index("idx_reactions_message").on(table.messageId),
+  ]
+);

package/src/lib/device-identity.ts

@@ -0,0 +1,303 @@
+import { generateKeyPairSync, sign, createHash } from "crypto";
+import { readFileSync, writeFileSync, existsSync, unlinkSync, chmodSync } from "fs";
+import { join } from "path";
+import { platform } from "os";
+import { getCastleDir, ensureCastleDir } from "./config";
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export interface DeviceIdentity {
+  deviceId: string;
+  publicKey: string;   // PEM-encoded Ed25519 public key
+  privateKey: string;  // PEM-encoded Ed25519 private key
+  createdAt: string;   // ISO-8601
+  deviceToken?: string;
+  pairedAt?: string;   // ISO-8601
+  gatewayUrl?: string;
+}
+
+export interface DeviceInfo {
+  deviceId: string;
+  publicKey: string;
+  fingerprint: string;
+  createdAt: string;
+  isPaired: boolean;
+  pairedAt?: string;
+  gatewayUrl?: string;
+}
+
+// ============================================================================
+// Paths
+// ============================================================================
+
+function getDevicePath(): string {
+  return join(getCastleDir(), "device.json");
+}
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+/**
+ * Check if a stored key is PEM format (vs old hex format).
+ */
+function isPem(key: string): boolean {
+  return key.startsWith("-----BEGIN ");
+}
+
+/**
+ * Derive device ID from public key per Gateway protocol.
+ * Gateway expects: SHA-256 hash of raw Ed25519 public key bytes, hex-encoded.
+ *
+ * The PEM contains a DER-encoded SPKI structure:
+ *   [12 bytes algorithm info] + [32 bytes raw Ed25519 key]
+ */
+function deriveDeviceId(publicKeyPem: string): string {
+  const base64 = publicKeyPem
+    .split("\n")
+    .filter(line => !line.includes("BEGIN") && !line.includes("END") && line.trim())
+    .join("");
+  const der = Buffer.from(base64, "base64");
+  // SPKI for Ed25519: 12-byte header + 32-byte raw key
+  const rawPublicKey = der.slice(12);
+  return createHash("sha256").update(rawPublicKey).digest("hex");
+}
+
+/**
+ * Write identity to disk with restrictive permissions.
+ */
+let _windowsPermWarnShown = false;
+
+function persistIdentity(identity: DeviceIdentity): void {
+  const devicePath = getDevicePath();
+  ensureCastleDir();
+  writeFileSync(devicePath, JSON.stringify(identity, null, 2), "utf-8");
+
+  if (platform() === "win32") {
+    // chmod is a no-op on Windows — warn once
+    if (!_windowsPermWarnShown) {
+      console.warn("[Device] Warning: On Windows, device.json file permissions cannot be restricted.");
+      console.warn("[Device] Keep your user account secure to protect your device private key.");
+      _windowsPermWarnShown = true;
+    }
+  } else {
+    try {
+      chmodSync(devicePath, 0o600);
+    } catch {
+      // Ignore — may fail on some filesystems
+    }
+  }
+}
+
+// ============================================================================
+// Core API
+// ============================================================================
+
+/**
+ * Load existing device identity or generate a new Ed25519 keypair.
+ * Keys are stored in PEM format as required by the Gateway protocol.
+ * Identity is persisted in ~/.castle/device.json with mode 0600.
+ */
+export function getOrCreateIdentity(): DeviceIdentity {
+  const devicePath = getDevicePath();
+
+  // Try loading existing identity
+  if (existsSync(devicePath)) {
+    try {
+      const raw = readFileSync(devicePath, "utf-8");
+      const identity = JSON.parse(raw) as DeviceIdentity;
+      if (identity.deviceId && identity.publicKey && identity.privateKey) {
+        // Auto-upgrade: if keys are in old hex/DER format, regenerate entirely
+        if (!isPem(identity.publicKey)) {
+          console.log("[Device] Upgrading key format from hex to PEM — regenerating keypair");
+          return generateIdentity();
+        }
+        // Auto-fix: if deviceId is a UUID instead of derived from public key, re-derive
+        const expectedId = deriveDeviceId(identity.publicKey);
+        if (identity.deviceId !== expectedId) {
+          console.log("[Device] Fixing deviceId — deriving from public key per Gateway protocol");
+          identity.deviceId = expectedId;
+          persistIdentity(identity);
+        }
+        return identity;
+      }
+    } catch {
+      // Corrupted file — regenerate
+    }
+  }
+
+  return generateIdentity();
+}
+
+/**
+ * Generate a new Ed25519 keypair and persist it.
+ */
+function generateIdentity(): DeviceIdentity {
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519", {
+    publicKeyEncoding: { type: "spki", format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" },
+  });
+
+  const pubKeyStr = publicKey as unknown as string;
+
+  const identity: DeviceIdentity = {
+    deviceId: deriveDeviceId(pubKeyStr),
+    publicKey: pubKeyStr,
+    privateKey: privateKey as unknown as string,
+    createdAt: new Date().toISOString(),
+  };
+
+  persistIdentity(identity);
+  return identity;
+}
+
+/**
+ * Parameters for signing a device auth payload.
+ * Must match the Gateway's buildDeviceAuthPayload() format exactly.
+ */
+export interface DeviceAuthSignParams {
+  nonce: string;
+  clientId: string;
+  clientMode: string;
+  role: string;
+  scopes: string[];
+  token: string;
+}
+
+/**
+ * Sign a device auth payload per the Gateway protocol.
+ *
+ * The Gateway builds a pipe-delimited string:
+ *   v2|deviceId|clientId|clientMode|role|scopes|signedAtMs|token|nonce
+ * and verifies the Ed25519 signature against that string.
+ *
+ * Returns { signature (base64url), signedAt (ms) }.
+ */
+export function signDeviceAuth(params: DeviceAuthSignParams): {
+  signature: string;
+  signedAt: number;
+} {
+  const identity = getOrCreateIdentity();
+  const signedAt = Date.now();
+
+  // Build the exact same payload string the Gateway builds
+  const payload = [
+    "v2",                          // version (v2 when nonce is present)
+    identity.deviceId,
+    params.clientId,
+    params.clientMode,
+    params.role,
+    params.scopes.join(","),
+    String(signedAt),
+    params.token,
+    params.nonce,
+  ].join("|");
+
+  // Ed25519 doesn't use a digest algorithm (pass null)
+  const sig = sign(null, Buffer.from(payload, "utf-8"), identity.privateKey);
+
+  // Gateway expects base64url encoding
+  const signature = sig
+    .toString("base64")
+    .replaceAll("+", "-")
+    .replaceAll("/", "_")
+    .replace(/=+$/g, "");
+
+  return { signature, signedAt };
+}
+
+/**
+ * Save a device token received after successful pairing.
+ */
+export function saveDeviceToken(token: string, gatewayUrl?: string): void {
+  const identity = getOrCreateIdentity();
+  identity.deviceToken = token;
+  identity.pairedAt = new Date().toISOString();
+  if (gatewayUrl) {
+    identity.gatewayUrl = gatewayUrl;
+  }
+  persistIdentity(identity);
+}
+
+/**
+ * Get the saved device token, or null if not yet paired.
+ */
+export function getDeviceToken(): string | null {
+  const devicePath = getDevicePath();
+  if (!existsSync(devicePath)) return null;
+
+  try {
+    const raw = readFileSync(devicePath, "utf-8");
+    const identity = JSON.parse(raw) as DeviceIdentity;
+    return identity.deviceToken || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Clear the saved device token without deleting the identity.
+ * Used when a device token is rejected (e.g. Gateway was reset).
+ * The device keypair is preserved so it can re-pair.
+ */
+export function clearDeviceToken(): void {
+  const devicePath = getDevicePath();
+  if (!existsSync(devicePath)) return;
+
+  try {
+    const raw = readFileSync(devicePath, "utf-8");
+    const identity = JSON.parse(raw) as DeviceIdentity;
+    delete identity.deviceToken;
+    delete identity.pairedAt;
+    delete identity.gatewayUrl;
+    persistIdentity(identity);
+    console.log("[Device] Cleared device token");
+  } catch {
+    // If we can't read/parse, nothing to clear
+  }
+}
+
+/**
+ * Delete device identity entirely. Forces re-pairing on next connection.
+ */
+export function resetIdentity(): boolean {
+  const devicePath = getDevicePath();
+  if (existsSync(devicePath)) {
+    unlinkSync(devicePath);
+    return true;
+  }
+  return false;
+}
+
+/**
+ * Get a summary of device identity for display (no private key).
+ */
+export function getDeviceInfo(): DeviceInfo | null {
+  const devicePath = getDevicePath();
+  if (!existsSync(devicePath)) return null;
+
+  try {
+    const raw = readFileSync(devicePath, "utf-8");
+    const identity = JSON.parse(raw) as DeviceIdentity;
+
+    // Create a fingerprint from the public key
+    const fingerprint = createHash("sha256")
+      .update(identity.publicKey)
+      .digest("hex")
+      .slice(0, 16);
+
+    return {
+      deviceId: identity.deviceId,
+      publicKey: identity.publicKey,
+      fingerprint,
+      createdAt: identity.createdAt,
+      isPaired: !!identity.deviceToken,
+      pairedAt: identity.pairedAt,
+      gatewayUrl: identity.gatewayUrl,
+    };
+  } catch {
+    return null;
+  }
+}