@duckmind/dm-darwin-x64 0.13.2 → 0.13.5

package/extensions/dm-multicodex/package.json

@@ -1,58 +1,58 @@
 {
-  "name": "dm-multicodex",
-  "version": "2.3.1",
-  "description": "Codex account rotation extension for DM",
-  "type": "module",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/victor-software-house/pi-multicodex.git"
-  },
-  "homepage": "https://github.com/victor-software-house/pi-multicodex#readme",
-  "bugs": {
-    "url": "https://github.com/victor-software-house/pi-multicodex/issues"
-  },
-  "scripts": {
-    "lint": "biome check .",
-    "test": "vitest run -c vitest.config.ts",
-    "tsgo": "tsgo -p tsconfig.json",
-    "generate:schema": "bun scripts/generate-schema.ts",
-    "check": "pnpm lint && pnpm tsgo && pnpm test",
-    "pack:dry": "npm pack --dry-run",
-    "release:dry": "pnpm exec semantic-release --dry-run"
-  },
-  "dependencies": {
-    "pi-provider-utils": "^0.0.0",
-    "zod": "^4.3.6"
-  },
-  "peerDependencies": {
-    "@mariozechner/pi-ai": "*",
-    "@mariozechner/pi-coding-agent": "*",
-    "@mariozechner/pi-tui": "*"
-  },
-  "devDependencies": {
-    "@biomejs/biome": "^2.4.7",
-    "@commitlint/cli": "^20.4.4",
-    "@commitlint/config-conventional": "^20.4.4",
-    "@mariozechner/pi-ai": "^0.63.1",
-    "@mariozechner/pi-coding-agent": "^0.63.1",
-    "@mariozechner/pi-tui": "^0.63.1",
-    "@semantic-release/changelog": "^6.0.3",
-    "@semantic-release/commit-analyzer": "^13.0.1",
-    "@semantic-release/git": "^10.0.1",
-    "@semantic-release/github": "^12.0.6",
-    "@semantic-release/npm": "^13.1.5",
-    "@semantic-release/release-notes-generator": "^14.1.0",
-    "@types/node": "^25.5.0",
-    "@typescript/native-preview": "7.0.0-dev.20260314.1",
-    "conventional-changelog-conventionalcommits": "^9.3.0",
-    "semantic-release": "^25.0.3",
-    "typescript": "^5.9.3",
-    "vitest": "^4.1.0"
-  },
-  "pi": {
-    "extensions": [
-      "./index.ts"
-    ]
-  }
+	"name": "dm-multicodex",
+	"version": "2.3.1",
+	"description": "Codex account rotation extension for DM",
+	"type": "module",
+	"license": "MIT",
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/victor-software-house/pi-multicodex.git"
+	},
+	"homepage": "https://github.com/victor-software-house/pi-multicodex#readme",
+	"bugs": {
+		"url": "https://github.com/victor-software-house/pi-multicodex/issues"
+	},
+	"scripts": {
+		"lint": "biome check .",
+		"test": "vitest run -c vitest.config.ts",
+		"tsgo": "tsgo -p tsconfig.json",
+		"generate:schema": "bun scripts/generate-schema.ts",
+		"check": "pnpm lint && pnpm tsgo && pnpm test",
+		"pack:dry": "npm pack --dry-run",
+		"release:dry": "pnpm exec semantic-release --dry-run"
+	},
+	"dependencies": {
+		"pi-provider-utils": "^0.0.0",
+		"zod": "^4.3.6"
+	},
+	"peerDependencies": {
+		"@mariozechner/pi-ai": "*",
+		"@mariozechner/pi-coding-agent": "*",
+		"@mariozechner/pi-tui": "*"
+	},
+	"devDependencies": {
+		"@biomejs/biome": "^2.4.7",
+		"@commitlint/cli": "^20.4.4",
+		"@commitlint/config-conventional": "^20.4.4",
+		"@mariozechner/pi-ai": "^0.63.1",
+		"@mariozechner/pi-coding-agent": "^0.63.1",
+		"@mariozechner/pi-tui": "^0.63.1",
+		"@semantic-release/changelog": "^6.0.3",
+		"@semantic-release/commit-analyzer": "^13.0.1",
+		"@semantic-release/git": "^10.0.1",
+		"@semantic-release/github": "^12.0.6",
+		"@semantic-release/npm": "^13.1.5",
+		"@semantic-release/release-notes-generator": "^14.1.0",
+		"@types/node": "^25.5.0",
+		"@typescript/native-preview": "7.0.0-dev.20260314.1",
+		"conventional-changelog-conventionalcommits": "^9.3.0",
+		"semantic-release": "^25.0.3",
+		"typescript": "^5.9.3",
+		"vitest": "^4.1.0"
+	},
+	"pi": {
+		"extensions": [
+			"./index.ts"
+		]
+	}
 }

package/extensions/dm-multicodex/storage.ts

@@ -90,7 +90,7 @@ function stripLegacyFields(raw: Record<string, unknown>): boolean {
 	return stripped;
 }
 
-function migrateRawStorage(raw: unknown): StorageData {
+export function coerceStorageData(raw: unknown): StorageData {
 	if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
 		return { version: CURRENT_VERSION, accounts: [], activeEmail: undefined };
 	}
@@ -141,7 +141,7 @@ export function loadStorage(): StorageData {
 				!("version" in raw) ||
 				raw.version !== CURRENT_VERSION ||
 				needsLegacyStrip(raw);
-			const data = migrateRawStorage(raw);
+			const data = coerceStorageData(raw);
 			if (needsMigration) {
 				saveStorage(data);
 			}

package/extensions/dm-multicodex/sync.test.ts

@@ -0,0 +1,114 @@
+import {
+	createCipheriv,
+	createHash,
+	pbkdf2Sync,
+	randomBytes,
+} from "node:crypto";
+import { describe, expect, it, vi } from "vitest";
+import {
+	decryptCodexAccountsBundle,
+	type EncryptedCodexAccountsBundle,
+	syncManagedAccountsFromDuckMind,
+} from "./sync";
+
+function createEncryptedBundle(
+	secret: string,
+	plaintext: Record<string, unknown>,
+): EncryptedCodexAccountsBundle {
+	const salt = randomBytes(16);
+	const iv = randomBytes(12);
+	const iterations = 100_000;
+	const serialized = Buffer.from(JSON.stringify(plaintext), "utf8");
+	const key = pbkdf2Sync(secret, salt, iterations, 32, "sha256");
+	const cipher = createCipheriv("aes-256-gcm", key, iv);
+	const ciphertext = Buffer.concat([
+		cipher.update(serialized),
+		cipher.final(),
+		cipher.getAuthTag(),
+	]);
+	return {
+		version: 1,
+		algorithm: "AES-256-GCM",
+		kdf: {
+			name: "PBKDF2",
+			hash: "SHA-256",
+			iterations,
+			salt: salt.toString("base64"),
+		},
+		iv: iv.toString("base64"),
+		ciphertext: ciphertext.toString("base64"),
+		file_name: "codex-accounts.json",
+		content_type: "application/json",
+		plaintext_sha256: createHash("sha256").update(serialized).digest("hex"),
+		plaintext_bytes: serialized.length,
+		uploaded_at: "2026-04-13T18:00:00.000Z",
+	};
+}
+
+describe("decryptCodexAccountsBundle", () => {
+	it("decrypts a DuckMind bundle into normalized storage data", () => {
+		const secret = "duckmind-secret";
+		const bundle = createEncryptedBundle(secret, {
+			accounts: [
+				{
+					email: "alpha@example.com",
+					accessToken: "access-token",
+					refreshToken: "refresh-token",
+					expiresAt: 1234567890,
+				},
+			],
+			activeEmail: "alpha@example.com",
+		});
+
+		const result = decryptCodexAccountsBundle(bundle, secret);
+		expect(result.storage.accounts).toHaveLength(1);
+		expect(result.storage.accounts[0]?.email).toBe("alpha@example.com");
+		expect(result.storage.activeEmail).toBe("alpha@example.com");
+		expect(result.uploadedAt).toBe("2026-04-13T18:00:00.000Z");
+	});
+
+	it("rejects an invalid sync secret", () => {
+		const bundle = createEncryptedBundle("right-secret", {
+			accounts: [],
+			activeEmail: undefined,
+		});
+
+		expect(() => decryptCodexAccountsBundle(bundle, "wrong-secret")).toThrow(
+			/invalid/i,
+		);
+	});
+});
+
+describe("syncManagedAccountsFromDuckMind", () => {
+	it("downloads the encrypted bundle with browser-like headers", async () => {
+		const secret = "duckmind-secret";
+		const bundle = createEncryptedBundle(secret, {
+			accounts: [],
+			activeEmail: undefined,
+		});
+		const fetchImpl = vi.fn(
+			async (_url: string, init?: { headers?: Record<string, string> }) => ({
+				ok: true,
+				status: 200,
+				text: async () => JSON.stringify(bundle),
+				init,
+			}),
+		);
+
+		const result = await syncManagedAccountsFromDuckMind(secret, {
+			fetchImpl,
+			sourceUrl: "https://example.com/codex-accounts.json",
+		});
+
+		expect(fetchImpl).toHaveBeenCalledWith(
+			"https://example.com/codex-accounts.json",
+			expect.objectContaining({
+				headers: expect.objectContaining({
+					Accept: expect.stringContaining("application/json"),
+					"User-Agent": "Mozilla/5.0",
+				}),
+			}),
+		);
+		expect(result.sourceUrl).toBe("https://example.com/codex-accounts.json");
+	});
+});

package/extensions/dm-multicodex/sync.ts

@@ -0,0 +1,249 @@
+import { createDecipheriv, createHash, pbkdf2Sync } from "node:crypto";
+import { coerceStorageData, type StorageData } from "./storage";
+
+export const DUCKMIND_CODEX_ACCOUNTS_URL =
+	"https://duckmind.ai/codex-accounts.json";
+
+type EncryptedKdfConfig = {
+	name: string;
+	hash: string;
+	iterations: number;
+	salt: string;
+};
+
+export type EncryptedCodexAccountsBundle = {
+	version: number;
+	algorithm: string;
+	kdf: EncryptedKdfConfig;
+	iv: string;
+	ciphertext: string;
+	file_name?: string;
+	content_type?: string;
+	plaintext_sha256: string;
+	plaintext_bytes?: number;
+	uploaded_at?: string;
+};
+
+type FetchResponseLike = {
+	ok: boolean;
+	status: number;
+	statusText?: string;
+	text(): Promise<string>;
+};
+
+type FetchLike = (
+	url: string,
+	init?: {
+		headers?: Record<string, string>;
+	},
+) => Promise<FetchResponseLike>;
+
+export interface SyncManagedAccountsResult {
+	storage: StorageData;
+	uploadedAt?: string;
+	fileName?: string;
+	plaintextSha256: string;
+	sourceUrl: string;
+}
+
+function ensureString(value: unknown, label: string): string {
+	if (typeof value !== "string" || !value.trim()) {
+		throw new Error(`Missing ${label} in DuckMind account bundle.`);
+	}
+	return value.trim();
+}
+
+function ensurePositiveInteger(value: unknown, label: string): number {
+	if (!Number.isInteger(value) || typeof value !== "number" || value <= 0) {
+		throw new Error(`Invalid ${label} in DuckMind account bundle.`);
+	}
+	return value;
+}
+
+function parseBundle(raw: unknown): EncryptedCodexAccountsBundle {
+	if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+		throw new Error("DuckMind account bundle is not a JSON object.");
+	}
+
+	const record = raw as Record<string, unknown>;
+	const kdfRecord = record.kdf;
+	if (!kdfRecord || typeof kdfRecord !== "object" || Array.isArray(kdfRecord)) {
+		throw new Error("DuckMind account bundle is missing kdf settings.");
+	}
+
+	return {
+		version: ensurePositiveInteger(record.version, "version"),
+		algorithm: ensureString(record.algorithm, "algorithm"),
+		kdf: {
+			name: ensureString(
+				(kdfRecord as Record<string, unknown>).name,
+				"kdf.name",
+			),
+			hash: ensureString(
+				(kdfRecord as Record<string, unknown>).hash,
+				"kdf.hash",
+			),
+			iterations: ensurePositiveInteger(
+				(kdfRecord as Record<string, unknown>).iterations,
+				"kdf.iterations",
+			),
+			salt: ensureString(
+				(kdfRecord as Record<string, unknown>).salt,
+				"kdf.salt",
+			),
+		},
+		iv: ensureString(record.iv, "iv"),
+		ciphertext: ensureString(record.ciphertext, "ciphertext"),
+		file_name:
+			typeof record.file_name === "string" ? record.file_name : undefined,
+		content_type:
+			typeof record.content_type === "string" ? record.content_type : undefined,
+		plaintext_sha256: ensureString(record.plaintext_sha256, "plaintext_sha256"),
+		plaintext_bytes:
+			typeof record.plaintext_bytes === "number"
+				? record.plaintext_bytes
+				: undefined,
+		uploaded_at:
+			typeof record.uploaded_at === "string" ? record.uploaded_at : undefined,
+	};
+}
+
+function decodeBase64(value: string, label: string): Buffer {
+	try {
+		const decoded = Buffer.from(value, "base64");
+		if (decoded.length === 0) {
+			throw new Error("empty");
+		}
+		return decoded;
+	} catch {
+		throw new Error(`Invalid ${label} encoding in DuckMind account bundle.`);
+	}
+}
+
+export function decryptCodexAccountsBundle(
+	bundle: EncryptedCodexAccountsBundle,
+	secret: string,
+): SyncManagedAccountsResult {
+	const trimmedSecret = secret.trim();
+	if (!trimmedSecret) {
+		throw new Error("Sync secret is required.");
+	}
+
+	if (bundle.algorithm !== "AES-256-GCM") {
+		throw new Error(
+			`Unsupported DuckMind bundle algorithm: ${bundle.algorithm}`,
+		);
+	}
+	if (bundle.kdf.name !== "PBKDF2") {
+		throw new Error(`Unsupported DuckMind bundle KDF: ${bundle.kdf.name}`);
+	}
+	if (bundle.kdf.hash !== "SHA-256") {
+		throw new Error(`Unsupported DuckMind bundle hash: ${bundle.kdf.hash}`);
+	}
+
+	const salt = decodeBase64(bundle.kdf.salt, "kdf.salt");
+	const iv = decodeBase64(bundle.iv, "iv");
+	const encrypted = decodeBase64(bundle.ciphertext, "ciphertext");
+	if (iv.length !== 12) {
+		throw new Error(
+			`Unsupported DuckMind IV length: expected 12 bytes, got ${iv.length}.`,
+		);
+	}
+	if (encrypted.length <= 16) {
+		throw new Error("DuckMind ciphertext is too short to contain a GCM tag.");
+	}
+
+	const key = pbkdf2Sync(
+		trimmedSecret,
+		salt,
+		bundle.kdf.iterations,
+		32,
+		"sha256",
+	);
+	const authTag = encrypted.subarray(encrypted.length - 16);
+	const payload = encrypted.subarray(0, encrypted.length - 16);
+
+	let plaintext: Buffer;
+	try {
+		const decipher = createDecipheriv("aes-256-gcm", key, iv);
+		decipher.setAuthTag(authTag);
+		plaintext = Buffer.concat([decipher.update(payload), decipher.final()]);
+	} catch {
+		throw new Error(
+			"DuckMind sync secret is invalid or the bundle is corrupted.",
+		);
+	}
+
+	if (
+		typeof bundle.plaintext_bytes === "number" &&
+		plaintext.length !== bundle.plaintext_bytes
+	) {
+		throw new Error(
+			"DuckMind account bundle size check failed after decryption.",
+		);
+	}
+
+	const plaintextSha256 = createHash("sha256").update(plaintext).digest("hex");
+	if (plaintextSha256 !== bundle.plaintext_sha256) {
+		throw new Error(
+			"DuckMind account bundle integrity check failed after decryption.",
+		);
+	}
+
+	let parsed: unknown;
+	try {
+		parsed = JSON.parse(plaintext.toString("utf8"));
+	} catch {
+		throw new Error(
+			"DuckMind account bundle decrypted successfully, but the plaintext is not valid JSON.",
+		);
+	}
+
+	return {
+		storage: coerceStorageData(parsed),
+		uploadedAt: bundle.uploaded_at,
+		fileName: bundle.file_name,
+		plaintextSha256,
+		sourceUrl: DUCKMIND_CODEX_ACCOUNTS_URL,
+	};
+}
+
+export async function syncManagedAccountsFromDuckMind(
+	secret: string,
+	options?: {
+		fetchImpl?: FetchLike;
+		sourceUrl?: string;
+	},
+): Promise<SyncManagedAccountsResult> {
+	const fetchImpl =
+		options?.fetchImpl ?? (globalThis.fetch as FetchLike | undefined);
+	if (!fetchImpl) {
+		throw new Error("Runtime fetch API is unavailable for MultiCodex sync.");
+	}
+
+	const sourceUrl = options?.sourceUrl ?? DUCKMIND_CODEX_ACCOUNTS_URL;
+	const response = await fetchImpl(sourceUrl, {
+		headers: {
+			Accept: "application/json, text/plain, */*",
+			"User-Agent": "Mozilla/5.0",
+		},
+	});
+	if (!response.ok) {
+		throw new Error(
+			`DuckMind account sync failed with HTTP ${response.status}${response.statusText ? ` ${response.statusText}` : ""}.`,
+		);
+	}
+
+	let parsed: unknown;
+	try {
+		parsed = JSON.parse(await response.text());
+	} catch {
+		throw new Error("DuckMind account sync returned malformed JSON.");
+	}
+
+	const decrypted = decryptCodexAccountsBundle(parseBundle(parsed), secret);
+	return {
+		...decrypted,
+		sourceUrl,
+	};
+}

package/extensions/dm-multicodex/tsconfig.json

@@ -0,0 +1,17 @@
+{
+	"compilerOptions": {
+		"target": "ES2022",
+		"module": "ESNext",
+		"moduleResolution": "Bundler",
+		"lib": ["ES2022"],
+		"strict": true,
+		"esModuleInterop": true,
+		"skipLibCheck": true,
+		"forceConsistentCasingInFileNames": true,
+		"resolveJsonModule": true,
+		"types": ["node"],
+		"noEmit": true
+	},
+	"include": ["*.ts"],
+	"exclude": ["node_modules", "dist"]
+}

package/extensions/dm-subagents/async-execution.ts

@@ -264,6 +264,7 @@ export function executeAsyncChain(
 			asyncDir,
 			sessionId: ctx.currentSessionId,
 			piPackageRoot,
+			piArgv1: process.argv[1],
 			worktreeSetupHook,
 			worktreeSetupHookTimeoutMs,
 		},
@@ -384,6 +385,7 @@ export function executeAsyncSingle(
 			asyncDir,
 			sessionId: ctx.currentSessionId,
 			piPackageRoot,
+			piArgv1: process.argv[1],
 			worktreeSetupHook,
 			worktreeSetupHookTimeoutMs,
 		},

package/extensions/dm-subagents/execution.ts

@@ -155,7 +155,7 @@ async function runSingleAttempt(
 			finish(-2);
 		};
 
-		const unsubscribeIntercomDetach = options.intercomEvents?.on(INTERCOM_DETACH_REQUEST_EVENT, (payload) => {
+		const unsubscribeIntercomDetach = options.intercomEvents?.on?.(INTERCOM_DETACH_REQUEST_EVENT, (payload) => {
 			if (!options.allowIntercomDetach || detached || processClosed) return;
 			if (!payload || typeof payload !== "object") return;
 			const requestId = (payload as { requestId?: unknown }).requestId;

package/extensions/dm-subagents/intercom-bridge.ts

@@ -7,6 +7,7 @@ import type { ExtensionConfig, IntercomBridgeConfig, IntercomBridgeMode } from "
 const DEFAULT_INTERCOM_EXTENSION_DIR = path.join(os.homedir(), ".dm", "agent", "extensions", "pi-intercom");
 const DEFAULT_INTERCOM_CONFIG_PATH = path.join(os.homedir(), ".dm", "agent", "intercom", "config.json");
 const DEFAULT_SUBAGENT_CONFIG_DIR = path.join(os.homedir(), ".dm", "agent", "extensions", "subagent");
+const DEFAULT_INTERCOM_TARGET_PREFIX = "subagent-chat";
 const INTERCOM_BRIDGE_MARKER = "Intercom orchestration channel:";
 const DEFAULT_INTERCOM_BRIDGE_TEMPLATE = `Use intercom only for coordination with the orchestrator session:
 - Need a decision or blocked: intercom({ action: "ask", to: "{orchestratorTarget}", message: "<question>" })
@@ -30,6 +31,13 @@ interface ResolveIntercomBridgeInput {
 	settingsDir?: string;
 }
 
+export function resolveIntercomSessionTarget(sessionName: string | undefined, sessionId: string): string {
+	const trimmedName = sessionName?.trim();
+	if (trimmedName) return trimmedName;
+	const normalizedSessionId = sessionId.startsWith("session-") ? sessionId.slice("session-".length) : sessionId;
+	return `${DEFAULT_INTERCOM_TARGET_PREFIX}-${normalizedSessionId.slice(0, 8)}`;
+}
+
 export function resolveIntercomBridgeMode(value: unknown): IntercomBridgeMode {
 	if (value === "off" || value === "always" || value === "fork-only") return value;
 	return "always";

package/extensions/dm-subagents/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dm-subagents",
-  "version": "0.13.3",
+  "version": "0.13.4",
   "description": "DM extension for delegating tasks to subagents with chains, parallel execution, and TUI clarification",
   "author": "Nico Bailon",
   "license": "MIT",