@howler/cli 0.1.0 → 0.2.0

package/README.md

@@ -1,6 +1,6 @@
 # @howler/cli
 
-Terminal UI client for [Howler](https://howler.pages.dev) encrypted messaging.
+Terminal UI client for [Howler](https://howler.pages.dev) encrypted messaging. Same account, same E2E encryption, same conversations — from your terminal.
 
 ## Install
 
@@ -8,33 +8,64 @@ Terminal UI client for [Howler](https://howler.pages.dev) encrypted messaging.
 npm install -g @howler/cli
 ```
 
+Or run without installing:
+
+```bash
+npx @howler/cli
+```
+
+## Getting started
+
+1. Run `howler` in your terminal
+2. On first launch, your browser opens to log in with your Howler account
+3. Once authenticated, the TUI connects and loads your inbox
+4. Use `Tab` to switch between the inbox panel (left) and conversation panel (right)
+5. Press `Enter` on a chat to open it, type a message, and press `Enter` to send
+
+If you don't have an account yet, sign up at https://howler.pages.dev.
+
 ## Usage
 
 ```bash
 howler          # Launch TUI (opens browser for login on first run)
-howler --logout # Sign out
+howler --logout # Sign out and clear stored credentials
 ```
 
-### Keyboard shortcuts
+## Keyboard shortcuts
 
 | Key | Action |
 |-----|--------|
-| `Tab` / `Shift+Tab` | Switch between panels |
+| `Tab` / `Shift+Tab` | Switch between inbox and conversation panels |
 | `↑` / `↓` | Navigate list or scroll messages |
 | `Enter` | Select chat / send message |
-| `Escape` | Return to chat list |
-| `1` `2` `3` `4` | Filter: All, 1:1, Groups, AI |
+| `Escape` | Return to chat list or branch list |
+| `1` `2` `3` `4` | Filter inbox: All, 1:1, Groups, AI |
 | `l` | Load older messages |
+| `/` | Open slash command autocomplete |
+
+## Slash commands
 
-### Slash commands
+Type `/` in the message input to see autocomplete suggestions.
 
 | Command | Description |
 |---------|-------------|
 | `/vault <query>` | Search your Obsidian vault |
 | `/agent <goal>` | Create an agent task (bot chats only) |
 | `/bot <name> <message>` | Send a message to a named bot |
+| `/addmember @username` | Add a member to the current group |
+| `/change-branch` | Switch branch in repo bot chats |
+| `/current-branch` | Show the active branch |
+| `/exit` | Quit the TUI |
+
+## Features
+
+- **E2E encrypted** — Signal Protocol, same keys as the web app
+- **Real-time** — messages appear instantly via Supabase subscriptions
+- **Multi-device** — works alongside the web app on the same account
+- **Bot/agent support** — interact with AI agents, view branch-based conversations
+- **Vault search** — query your Obsidian vault from the terminal
 
 ## Requirements
 
 - Node.js 18+
-- A Howler account (sign up at howler.pages.dev)
+- A Howler account (sign up at https://howler.pages.dev)

package/dist/bin.js

@@ -201,6 +201,8 @@ var init_store = __esm({
     init_db();
     SignalProtocolStore = class _SignalProtocolStore {
       static instance = null;
+      /** Callback invoked when a remote identity key changes. */
+      onIdentityKeyChanged = null;
       static getInstance() {
         if (!_SignalProtocolStore.instance) {
           _SignalProtocolStore.instance = new _SignalProtocolStore();
@@ -230,7 +232,11 @@ var init_store = __esm({
           const existingB64 = arrayBufferToBase64(existing.identityKey);
           const newB64 = arrayBufferToBase64(publicKey);
           if (existingB64 !== newB64) {
+            const previousKey = existing.identityKey;
             await db2.put("trustedIdentities", { identityKey: publicKey }, encodedAddress);
+            if (this.onIdentityKeyChanged) {
+              this.onIdentityKeyChanged({ address: encodedAddress, previousKey, newKey: publicKey });
+            }
             return true;
           }
           return false;
@@ -703,6 +709,7 @@ async function verifyDeviceExists(userId) {
 var LEGACY_DEVICE_ID_KEY, LEGACY_DEVICE_NAME_KEY, LEGACY_DEVICE_CREATED_AT_KEY, cachedDeviceId, cachedDeviceName, cachedDeviceCreatedAt, cacheInitialized;
 var init_device = __esm({
   "../../packages/core/src/lib/device/index.ts"() {
+    "use strict";
     init_define_import_meta_env();
     init_supabase();
     init_db();
@@ -784,7 +791,7 @@ async function fetchAllDeviceKeyBundles(userId) {
     const bundle = await fetchPublicKeyBundle(userId, 1);
     return bundle ? [bundle] : [];
   }
-  console.log(`[Signal] Found ${keyBundles.length} key bundle(s) for user ${userId.slice(0, 8)}`);
+  if (define_import_meta_env_default.DEV) console.log(`[Signal] Found ${keyBundles.length} key bundle(s) for user ${userId.slice(0, 8)}`);
   const bundles = await Promise.all(
     keyBundles.map(
       (d) => fetchPublicKeyBundle(userId, d.device_id)
@@ -893,13 +900,13 @@ async function decryptFromSender(ciphertext, senderUserId, deviceId = 1) {
   const address = new SignalProtocolAddress(senderUserId, deviceId);
   const addressKey = `${senderUserId}.${deviceId}`;
   const existingSession = await signalStore.loadSession(addressKey);
-  console.log(`[Signal] Decrypting from ${senderUserId.slice(0, 8)}.${deviceId}, type: ${ciphertext.type}, hasSession: ${!!existingSession}`);
+  if (define_import_meta_env_default.DEV) console.log(`[Signal] Decrypting from ${senderUserId.slice(0, 8)}.${deviceId}, type: ${ciphertext.type}, hasSession: ${!!existingSession}`);
   const sessionCipher = new SessionCipher(signalStore, address);
   const binaryBody = base64ToBinaryString(ciphertext.body);
   let plaintext;
   try {
     if (ciphertext.type === 3) {
-      console.log("[Signal] Decrypting PreKeyWhisperMessage (type 3) - will establish session");
+      if (define_import_meta_env_default.DEV) console.log("[Signal] Decrypting PreKeyWhisperMessage (type 3) - will establish session");
       plaintext = await sessionCipher.decryptPreKeyWhisperMessage(binaryBody, "binary");
     } else {
       if (!existingSession) {
@@ -938,9 +945,9 @@ async function hasSessionWith(userId, deviceId = 1) {
   return !!session;
 }
 async function resetSessionWith(userId) {
-  console.log("[Signal] Resetting encryption session with:", userId);
+  if (define_import_meta_env_default.DEV) console.log("[Signal] Resetting encryption session with:", userId);
   await signalStore.removeAllSessions(userId);
-  console.log("[Signal] Session reset complete");
+  if (define_import_meta_env_default.DEV) console.log("[Signal] Session reset complete");
 }
 var init_crypto = __esm({
   "../../packages/core/src/lib/signal/crypto.ts"() {
@@ -1032,6 +1039,17 @@ async function generateAESKey() {
 async function exportKey(key) {
   return crypto.subtle.exportKey("raw", key);
 }
+async function sealKey(key) {
+  const raw = await crypto.subtle.exportKey("raw", key);
+  return crypto.subtle.importKey(
+    "raw",
+    raw,
+    { name: "AES-GCM", length: 256 },
+    false,
+    // non-extractable
+    ["encrypt", "decrypt"]
+  );
+}
 async function importKey(keyData) {
   return crypto.subtle.importKey(
     "raw",
@@ -1085,18 +1103,19 @@ async function encryptAudioForRecipient(audioData, recipientUserId) {
 }
 async function encryptAudioForAllDevices(audioData, recipientUserId, senderUserId, transcript, providedAesKey) {
   const aesKey = providedAesKey || await generateAESKey();
-  const { ciphertext, iv } = await encryptWithAES(audioData, aesKey);
+  const keyBytes = await exportKey(aesKey);
+  const sealedKey = await sealKey(aesKey);
+  const { ciphertext, iv } = await encryptWithAES(audioData, sealedKey);
   let encryptedTranscript;
   let transcriptIv;
   if (transcript && transcript.length > 0) {
     const transcriptJson = JSON.stringify(transcript);
     const transcriptBytes = new TextEncoder().encode(transcriptJson);
-    const { ciphertext: transcriptCiphertext, iv: tIv } = await encryptWithAES(transcriptBytes.buffer, aesKey);
+    const { ciphertext: transcriptCiphertext, iv: tIv } = await encryptWithAES(transcriptBytes.buffer, sealedKey);
     encryptedTranscript = transcriptCiphertext;
     transcriptIv = arrayBufferToBase643(tIv.buffer);
-    console.log(`[E2E] Encrypted transcript (${transcript.length} segments)`);
+    if (define_import_meta_env_default.DEV) console.log(`[E2E] Encrypted transcript (${transcript.length} segments)`);
   }
-  const keyBytes = await exportKey(aesKey);
   const [recipientBundles, senderBundles] = await Promise.all([
     fetchAllDeviceKeyBundles(recipientUserId),
     fetchAllDeviceKeyBundles(senderUserId)
@@ -1113,20 +1132,19 @@ async function encryptAudioForAllDevices(audioData, recipientUserId, senderUserI
   if (allDevices.length === 0) {
     throw new Error(`No devices found for users`);
   }
-  console.log(`[E2E] Encrypting for ${allDevices.length} device(s): ${recipientBundles.length} recipient + ${senderUserId !== recipientUserId ? senderBundles.length : 0} sender`);
-  const encryptedKeys = await Promise.all(
-    allDevices.map(async ({ userId, deviceId }) => {
-      const encrypted = await encryptForRecipient(keyBytes, userId, deviceId);
-      return {
-        userId,
-        deviceId,
-        type: encrypted.type,
-        body: encrypted.body,
-        registrationId: encrypted.registrationId
-      };
-    })
-  );
-  console.log(`[E2E] Encrypted for ${encryptedKeys.length} device(s)`);
+  if (define_import_meta_env_default.DEV) console.log(`[E2E] Encrypting for ${allDevices.length} device(s): ${recipientBundles.length} recipient + ${senderUserId !== recipientUserId ? senderBundles.length : 0} sender`);
+  const encryptedKeys = [];
+  for (const { userId, deviceId } of allDevices) {
+    const encrypted = await encryptForRecipient(keyBytes, userId, deviceId);
+    encryptedKeys.push({
+      userId,
+      deviceId,
+      type: encrypted.type,
+      body: encrypted.body,
+      registrationId: encrypted.registrationId
+    });
+  }
+  if (define_import_meta_env_default.DEV) console.log(`[E2E] Encrypted for ${encryptedKeys.length} device(s)`);
   const senderDeviceId = getLocalDeviceId();
   if (!senderDeviceId) {
     throw new Error("Sender device ID not found. Please refresh the page.");
@@ -1150,7 +1168,7 @@ async function encryptAudioForAllDevices(audioData, recipientUserId, senderUserI
   };
 }
 async function decryptAudioFromSender(encryptedAudio, ivBase64, encryptedKey, senderUserId, encryptedKeys, myUserId, myDeviceId, encryptedTranscript, transcriptIv, encryptedAttachments, senderDeviceId) {
-  console.log(`[E2E] decryptAudioFromSender called:`, {
+  if (define_import_meta_env_default.DEV) console.log(`[E2E] decryptAudioFromSender called:`, {
     senderUserId,
     myUserId,
     myDeviceId,
@@ -1164,23 +1182,23 @@ async function decryptAudioFromSender(encryptedAudio, ivBase64, encryptedKey, se
   let sessionDeviceId = 1;
   if (senderDeviceId) {
     sessionDeviceId = senderDeviceId;
-    console.log(`[E2E] Using senderDeviceId from metadata: ${senderDeviceId}`);
+    if (define_import_meta_env_default.DEV) console.log(`[E2E] Using senderDeviceId from metadata: ${senderDeviceId}`);
   }
   if (encryptedKeys && encryptedKeys.length > 0 && myUserId && myDeviceId) {
     const availableDevices = encryptedKeys.filter((k) => k.userId === myUserId).map((k) => k.deviceId);
-    console.log(`[E2E] Message encrypted for user ${myUserId} devices: [${availableDevices.join(", ")}], current device: ${myDeviceId}`);
+    if (define_import_meta_env_default.DEV) console.log(`[E2E] Message encrypted for user ${myUserId} devices: [${availableDevices.join(", ")}], current device: ${myDeviceId}`);
     const myKey = encryptedKeys.find((k) => k.userId === myUserId && k.deviceId === myDeviceId);
     if (!senderDeviceId) {
       const senderKey = encryptedKeys.find((k) => k.userId === senderUserId);
       if (senderKey) {
         sessionDeviceId = senderKey.deviceId;
-        console.log(`[E2E] Fallback: using first sender device found: ${sessionDeviceId} (may be incorrect for multi-device senders)`);
+        if (define_import_meta_env_default.DEV) console.log(`[E2E] Fallback: using first sender device found: ${sessionDeviceId} (may be incorrect for multi-device senders)`);
       }
     }
     if (myKey) {
       keyToDecrypt = { type: myKey.type, body: myKey.body };
       sessionUserId = myUserId === senderUserId ? myUserId : senderUserId;
-      console.log(`[E2E] Found key for user ${myUserId} device ${myDeviceId}, using session ${sessionUserId}.${sessionDeviceId}`);
+      if (define_import_meta_env_default.DEV) console.log(`[E2E] Found key for user ${myUserId} device ${myDeviceId}, using session ${sessionUserId}.${sessionDeviceId}`);
     } else {
       console.error(`[E2E] No key for device ${myDeviceId}. Message was encrypted for devices: [${availableDevices.join(", ")}]`);
       throw new Error(`This message was sent before this device was registered. Available devices: [${availableDevices.join(", ")}], your device: ${myDeviceId}`);
@@ -1198,18 +1216,18 @@ async function decryptAudioFromSender(encryptedAudio, ivBase64, encryptedKey, se
       const transcriptBytes = await decryptWithAES(transcriptCiphertext, aesKey, tIv);
       const transcriptJson = new TextDecoder().decode(transcriptBytes);
       transcript = JSON.parse(transcriptJson);
-      console.log(`[E2E] Decrypted transcript (${transcript.length} segments)`);
+      if (define_import_meta_env_default.DEV) console.log(`[E2E] Decrypted transcript (${transcript.length} segments)`);
     } catch (err) {
       console.error("[E2E] Failed to decrypt transcript:", err);
     }
   }
   let attachments;
   if (encryptedAttachments && encryptedAttachments.length > 0) {
-    console.log(`[E2E] Decrypting ${encryptedAttachments.length} attachment(s)...`);
+    if (define_import_meta_env_default.DEV) console.log(`[E2E] Decrypting ${encryptedAttachments.length} attachment(s)...`);
     attachments = [];
     for (const encAtt of encryptedAttachments) {
       if (!encAtt.encrypted || !encAtt.iv) {
-        console.log(`[E2E] Skipping unencrypted attachment: ${encAtt.name}`);
+        if (define_import_meta_env_default.DEV) console.log(`[E2E] Skipping unencrypted attachment: ${encAtt.name}`);
         continue;
       }
       try {
@@ -1228,13 +1246,13 @@ async function decryptAudioFromSender(encryptedAudio, ivBase64, encryptedKey, se
           mimeType: encAtt.mimeType,
           size: encAtt.size
         });
-        console.log(`[E2E] Decrypted attachment: ${encAtt.name}`);
+        if (define_import_meta_env_default.DEV) console.log(`[E2E] Decrypted attachment: ${encAtt.name}`);
       } catch (err) {
         console.error(`[E2E] Failed to decrypt attachment ${encAtt.name}:`, err);
       }
     }
     if (attachments.length > 0) {
-      console.log(`[E2E] Successfully decrypted ${attachments.length} attachment(s)`);
+      if (define_import_meta_env_default.DEV) console.log(`[E2E] Successfully decrypted ${attachments.length} attachment(s)`);
     }
   }
   return { audio: audioData, transcript, attachments };
@@ -1312,6 +1330,7 @@ __export(signal_exports, {
 });
 var init_signal = __esm({
   "../../packages/core/src/lib/signal/index.ts"() {
+    "use strict";
     init_define_import_meta_env();
     init_db();
     init_store();
@@ -1494,6 +1513,7 @@ async function isAdmin(groupId, userId) {
 }
 var init_members = __esm({
   "../../packages/core/src/lib/groups/members.ts"() {
+    "use strict";
     init_define_import_meta_env();
     init_supabase();
     init_senderKeyStore();
@@ -1549,25 +1569,26 @@ __export(groupEncryption_exports, {
   encryptAudioForGroup: () => encryptAudioForGroup
 });
 async function encryptAudioForGroup(groupId, audioData, _senderUserId, transcript, providedAesKey) {
-  console.log("[Group E2E] Starting encryption for group:", groupId);
+  if (define_import_meta_env_default.DEV) console.log("[Group E2E] Starting encryption for group:", groupId);
   const members = await getGroupMembers(groupId);
   const memberUserIds = members.map((m) => m.user_id);
-  console.log(`[Group E2E] Encrypting for ${members.length} group members`);
+  if (define_import_meta_env_default.DEV) console.log(`[Group E2E] Encrypting for ${members.length} group members`);
   const aesKey = providedAesKey || await generateAESKey();
-  const { ciphertext, iv } = await encryptWithAES(audioData, aesKey);
-  console.log(`[Group E2E] Audio encrypted (${ciphertext.byteLength} bytes)`);
+  const keyBytes = await exportKey(aesKey);
+  const sealedKey = await sealKey(aesKey);
+  const { ciphertext, iv } = await encryptWithAES(audioData, sealedKey);
+  if (define_import_meta_env_default.DEV) console.log(`[Group E2E] Audio encrypted (${ciphertext.byteLength} bytes)`);
   let encryptedTranscript;
   let transcriptIv;
   if (transcript && transcript.length > 0) {
     const transcriptJson = JSON.stringify(transcript);
     const transcriptBytes = new TextEncoder().encode(transcriptJson);
-    const { ciphertext: transcriptCiphertext, iv: tIv } = await encryptWithAES(transcriptBytes.buffer, aesKey);
+    const { ciphertext: transcriptCiphertext, iv: tIv } = await encryptWithAES(transcriptBytes.buffer, sealedKey);
     encryptedTranscript = transcriptCiphertext;
     transcriptIv = arrayBufferToBase643(tIv.buffer);
-    console.log(`[Group E2E] Encrypted transcript (${transcript.length} segments)`);
+    if (define_import_meta_env_default.DEV) console.log(`[Group E2E] Encrypted transcript (${transcript.length} segments)`);
   }
-  const keyBytes = await exportKey(aesKey);
-  console.log("[Group E2E] Fetching device bundles for all members...");
+  if (define_import_meta_env_default.DEV) console.log("[Group E2E] Fetching device bundles for all members...");
   const allBundles = await Promise.all(
     memberUserIds.map((userId) => fetchAllDeviceKeyBundles(userId))
   );
@@ -1582,22 +1603,21 @@ async function encryptAudioForGroup(groupId, audioData, _senderUserId, transcrip
   if (allDevices.length === 0) {
     throw new Error(`No devices found for group members`);
   }
-  console.log(`[Group E2E] Encrypting AES key for ${allDevices.length} device(s) across ${members.length} members`);
+  if (define_import_meta_env_default.DEV) console.log(`[Group E2E] Encrypting AES key for ${allDevices.length} device(s) across ${members.length} members`);
   const startTime = performance.now();
-  const encryptedKeys = await Promise.all(
-    allDevices.map(async ({ userId, deviceId }) => {
-      const encrypted = await encryptForRecipient(keyBytes, userId, deviceId);
-      return {
-        userId,
-        deviceId,
-        type: encrypted.type,
-        body: encrypted.body,
-        registrationId: encrypted.registrationId
-      };
-    })
-  );
+  const encryptedKeys = [];
+  for (const { userId, deviceId } of allDevices) {
+    const encrypted = await encryptForRecipient(keyBytes, userId, deviceId);
+    encryptedKeys.push({
+      userId,
+      deviceId,
+      type: encrypted.type,
+      body: encrypted.body,
+      registrationId: encrypted.registrationId
+    });
+  }
   const encryptionTime = performance.now() - startTime;
-  console.log(`[Group E2E] Encrypted for ${encryptedKeys.length} device(s) in ${encryptionTime.toFixed(0)}ms`);
+  if (define_import_meta_env_default.DEV) console.log(`[Group E2E] Encrypted for ${encryptedKeys.length} device(s) in ${encryptionTime.toFixed(0)}ms`);
   const senderDeviceId = getLocalDeviceId();
   if (!senderDeviceId) {
     throw new Error("Sender device ID not found. Please refresh the page.");
@@ -2028,7 +2048,9 @@ __export(cache_exports, {
   getCachedAttachments: () => getCachedAttachments,
   getCachedAudio: () => getCachedAudio,
   getCachedTranscript: () => getCachedTranscript,
-  revokeAttachmentBlobUrls: () => revokeAttachmentBlobUrls
+  getTranscriptCacheProvider: () => getTranscriptCacheProvider,
+  revokeAttachmentBlobUrls: () => revokeAttachmentBlobUrls,
+  setTranscriptCacheProvider: () => setTranscriptCacheProvider
 });
 import { openDB as openDB2 } from "idb";
 async function getAudioCacheDB() {
@@ -2079,7 +2101,7 @@ async function cacheAudio(howlerId, audioBlob, transcript, attachments) {
     console.error("[AudioCache] Error caching audio:", err);
   }
 }
-async function cacheTranscript(howlerId, transcript) {
+async function cacheTranscriptInIndexedDB(howlerId, transcript) {
   try {
     const db2 = await getAudioCacheDB();
     await db2.put("decryptedAudio", {
@@ -2095,7 +2117,7 @@ async function cacheTranscript(howlerId, transcript) {
     console.error("[AudioCache] Error caching transcript:", err);
   }
 }
-async function getCachedTranscript(howlerId) {
+async function getCachedTranscriptFromIndexedDB(howlerId) {
   try {
     const db2 = await getAudioCacheDB();
     const cached = await db2.get("decryptedAudio", howlerId);
@@ -2188,7 +2210,19 @@ async function getCacheStats() {
     return { count: 0, estimatedSize: 0 };
   }
 }
-var DB_NAME2, DB_VERSION2, dbInstance2, attachmentBlobUrlCache;
+async function cacheTranscript(howlerId, transcript) {
+  await transcriptCacheProvider.cacheTranscript(howlerId, transcript);
+}
+async function getCachedTranscript(howlerId) {
+  return transcriptCacheProvider.getCachedTranscript(howlerId);
+}
+function setTranscriptCacheProvider(provider) {
+  transcriptCacheProvider = provider;
+}
+function getTranscriptCacheProvider() {
+  return transcriptCacheProvider;
+}
+var DB_NAME2, DB_VERSION2, dbInstance2, attachmentBlobUrlCache, transcriptCacheProvider;
 var init_cache = __esm({
   "../../packages/core/src/lib/audio/cache.ts"() {
     "use strict";
@@ -2197,6 +2231,10 @@ var init_cache = __esm({
     DB_VERSION2 = 3;
     dbInstance2 = null;
     attachmentBlobUrlCache = /* @__PURE__ */ new Map();
+    transcriptCacheProvider = {
+      getCachedTranscript: getCachedTranscriptFromIndexedDB,
+      cacheTranscript: cacheTranscriptInIndexedDB
+    };
   }
 });
 
@@ -2223,8 +2261,10 @@ __export(messages_exports, {
   sendEncryptedTextMessage: () => sendEncryptedTextMessage,
   sendGroupHowler: () => sendGroupHowler,
   sendGroupMessage: () => sendGroupMessage,
+  sendGroupPlainTextMessage: () => sendGroupPlainTextMessage,
   sendGroupTextMessage: () => sendGroupTextMessage,
   sendHowler: () => sendHowler,
+  sendPlainTextMessage: () => sendPlainTextMessage,
   updateHowlerTranscript: () => updateHowlerTranscript
 });
 function parseEncryptionMetadata(json) {
@@ -2285,6 +2325,36 @@ async function sendHowler(params) {
   });
   return data;
 }
+async function sendPlainTextMessage(params) {
+  return sendHowler({
+    recipientId: params.recipientId,
+    recordingUrl: "text://plain",
+    transcript: params.transcript,
+    parentHowlerId: params.parentHowlerId
+  });
+}
+async function sendGroupPlainTextMessage(params) {
+  const { data: { user } } = await db.auth.getUser();
+  if (!user) throw new Error("Not authenticated");
+  const { data, error } = await db.from("howlers").insert({
+    sender_id: user.id,
+    group_id: params.groupId,
+    recipient_id: null,
+    recording_url: "text://plain",
+    duration_seconds: 0,
+    parent_howler_id: params.parentHowlerId,
+    transcript: JSON.stringify(params.transcript)
+  }).select().single();
+  if (error) throw error;
+  const { data: senderData } = await db.from("users").select("first_name").eq("id", user.id).single();
+  const { data: groupData } = await db.from("groups").select("name").eq("id", params.groupId).single();
+  sendGroupPushNotification({
+    groupId: params.groupId,
+    senderName: senderData?.first_name || void 0,
+    groupName: groupData?.name || void 0
+  });
+  return data;
+}
 async function updateHowlerTranscript(howlerId, transcript) {
   const { error } = await db.from("howlers").update({ transcript: JSON.stringify(transcript) }).eq("id", howlerId);
   if (error) {
@@ -2751,12 +2821,13 @@ async function isEncryptionAvailable() {
   return hasLocalKeys();
 }
 async function getDecryptedTranscript(howlerId) {
-  const { getCachedTranscript: getCachedTranscript3 } = await Promise.resolve().then(() => (init_cache(), cache_exports));
-  return getCachedTranscript3(howlerId);
+  const { getTranscriptCacheProvider: getTranscriptCacheProvider2 } = await Promise.resolve().then(() => (init_cache(), cache_exports));
+  return getTranscriptCacheProvider2().getCachedTranscript(howlerId);
 }
 async function decryptTextOnlyTranscript(howlerId) {
-  const { getCachedTranscript: getCachedTranscript3, cacheTranscript: cacheTranscript3 } = await Promise.resolve().then(() => (init_cache(), cache_exports));
-  const cached = await getCachedTranscript3(howlerId);
+  const { getTranscriptCacheProvider: getTranscriptCacheProvider2 } = await Promise.resolve().then(() => (init_cache(), cache_exports));
+  const provider = getTranscriptCacheProvider2();
+  const cached = await provider.getCachedTranscript(howlerId);
   if (cached) return cached;
   const { data: howler, error } = await db.from("howlers").select("id, sender_id, transcript, encryption_metadata").eq("id", howlerId).single();
   if (error || !howler) return null;
@@ -2800,7 +2871,7 @@ async function decryptTextOnlyTranscript(howlerId) {
     const plaintext = await decryptWithAES2(ciphertext, aesKey, iv);
     const json = new TextDecoder().decode(plaintext);
     const transcript = JSON.parse(json);
-    await cacheTranscript3(howlerId, transcript);
+    await provider.cacheTranscript(howlerId, transcript);
     console.log("[E2E] Decrypted text-only transcript:", howlerId);
     return transcript;
   } catch (err) {
@@ -28613,6 +28684,7 @@ init_messages();
 
 // src/client.ts
 init_signal();
+init_cache();
 
 // src/signal/index.ts
 init_define_import_meta_env();
@@ -28681,6 +28753,8 @@ async function removeFile(path) {
 }
 var FileSignalStore = class _FileSignalStore {
   static instance = null;
+  /** Callback invoked when a remote identity key changes. */
+  onIdentityKeyChanged = null;
   static getInstance() {
     if (!_FileSignalStore.instance) {
       _FileSignalStore.instance = new _FileSignalStore();
@@ -28709,7 +28783,11 @@ var FileSignalStore = class _FileSignalStore {
     const newB64 = arrayBufferToBase644(publicKey);
     if (existing) {
       if (existing.identityKey !== newB64) {
+        const previousKey = base64ToArrayBuffer3(existing.identityKey);
         await writeJSON(filePath, { identityKey: newB64 });
+        if (this.onIdentityKeyChanged) {
+          this.onIdentityKeyChanged({ address: encodedAddress, previousKey, newKey: publicKey });
+        }
         return true;
       }
       return false;
@@ -28915,10 +28993,44 @@ var FileSenderKeyStore = class _FileSenderKeyStore {
 };
 var fileSenderKeyStore = FileSenderKeyStore.getInstance();
 
+// src/hooks/transcriptCache.ts
+init_define_import_meta_env();
+import { join as join4 } from "node:path";
+import { homedir as homedir4 } from "node:os";
+import { readFile as readFile4, writeFile as writeFile4, mkdir as mkdir4 } from "node:fs/promises";
+var CACHE_DIR = join4(homedir4(), ".howler", "transcript-cache");
+var dirEnsured = false;
+async function ensureDir4() {
+  if (dirEnsured) return;
+  await mkdir4(CACHE_DIR, { recursive: true, mode: 448 });
+  dirEnsured = true;
+}
+async function getCachedTranscript2(howlerId) {
+  try {
+    await ensureDir4();
+    const data = await readFile4(join4(CACHE_DIR, `${howlerId}.json`), "utf-8");
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+async function cacheTranscript2(howlerId, transcript) {
+  try {
+    await ensureDir4();
+    await writeFile4(
+      join4(CACHE_DIR, `${howlerId}.json`),
+      JSON.stringify(transcript),
+      { mode: 384 }
+    );
+  } catch {
+  }
+}
+
 // src/client.ts
 function initializeClient() {
   initializeSupabase(getSupabase());
   setSignalStore(fileSignalStore);
+  setTranscriptCacheProvider({ getCachedTranscript: getCachedTranscript2, cacheTranscript: cacheTranscript2 });
 }
 
 // src/components/ChatList.tsx
@@ -29493,39 +29605,6 @@ function useRealtimeMessages(conversation, currentUserId, onNewMessage, onUpdate
   }, [conversation?.id, conversation?.type, currentUserId, retryTick]);
 }
 
-// src/hooks/transcriptCache.ts
-init_define_import_meta_env();
-import { join as join4 } from "node:path";
-import { homedir as homedir4 } from "node:os";
-import { readFile as readFile4, writeFile as writeFile4, mkdir as mkdir4 } from "node:fs/promises";
-var CACHE_DIR = join4(homedir4(), ".howler", "transcript-cache");
-var dirEnsured = false;
-async function ensureDir4() {
-  if (dirEnsured) return;
-  await mkdir4(CACHE_DIR, { recursive: true, mode: 448 });
-  dirEnsured = true;
-}
-async function getCachedTranscript2(howlerId) {
-  try {
-    await ensureDir4();
-    const data = await readFile4(join4(CACHE_DIR, `${howlerId}.json`), "utf-8");
-    return JSON.parse(data);
-  } catch {
-    return null;
-  }
-}
-async function cacheTranscript2(howlerId, transcript) {
-  try {
-    await ensureDir4();
-    await writeFile4(
-      join4(CACHE_DIR, `${howlerId}.json`),
-      JSON.stringify(transcript),
-      { mode: 384 }
-    );
-  } catch {
-  }
-}
-
 // src/hooks/useMessages.ts
 async function getGroupMessages(groupId, limit = 50, beforeTimestamp) {
   const { data, error } = await supabase.rpc("get_group_messages", {
@@ -29561,16 +29640,8 @@ async function getGroupMessages(groupId, limit = 50, beforeTimestamp) {
 async function tryDecrypt(msg) {
   if (!msg.isEncrypted || msg.recording_url === "text://plain") return msg;
   try {
-    const cached = await getCachedTranscript2(msg.id);
-    if (cached && cached.length > 0) {
-      return {
-        ...msg,
-        transcript: JSON.stringify(cached)
-      };
-    }
     const transcript = await decryptTextOnlyTranscript(msg.id);
     if (transcript && transcript.length > 0) {
-      await cacheTranscript2(msg.id, transcript);
       return {
         ...msg,
         transcript: JSON.stringify(transcript)
@@ -29581,12 +29652,26 @@ async function tryDecrypt(msg) {
   }
   return msg;
 }
+function isCacheableTranscriptJson(transcript) {
+  if (!transcript) return false;
+  try {
+    const parsed = JSON.parse(transcript);
+    return Array.isArray(parsed) || typeof parsed === "string" || !!parsed;
+  } catch {
+    return false;
+  }
+}
 function useMessages(conversation, currentUserId) {
   const [messages, setMessages] = useState3([]);
   const [loading, setLoading] = useState3(!!conversation);
   const [error, setError] = useState3(null);
   const [hasMore, setHasMore] = useState3(false);
   const decryptedIds = useRef3(/* @__PURE__ */ new Set());
+  const transcriptCache = useRef3(/* @__PURE__ */ new Map());
+  const rememberResolvedTranscript = useCallback2((msg) => {
+    if (!isCacheableTranscriptJson(msg.transcript)) return;
+    transcriptCache.current.set(msg.id, msg.transcript);
+  }, []);
   const fetchMessages = useCallback2(
     (beforeTimestamp) => {
       if (!conversation) return;
@@ -29612,27 +29697,35 @@ function useMessages(conversation, currentUserId) {
           conversation.name,
           "hasMore=" + result.hasMore
         );
+        const withCached = result.messages.map((m) => {
+          const cached = transcriptCache.current.get(m.id);
+          return cached ? { ...m, transcript: cached } : m;
+        });
         if (beforeTimestamp) {
           setMessages((prev) => {
             const ids = new Set(prev.map((m) => m.id));
-            const newMsgs = result.messages.filter(
+            const newMsgs = withCached.filter(
               (m) => !ids.has(m.id)
             );
             return [...newMsgs, ...prev];
           });
         } else {
-          setMessages(result.messages);
+          setMessages(withCached);
         }
         setHasMore(result.hasMore);
         setLoading(false);
         const encrypted = result.messages.filter(
           (m) => m.isEncrypted && !decryptedIds.current.has(m.id)
         );
-        if (encrypted.length > 0) {
-          Promise.all(encrypted.map(tryDecrypt)).then((decrypted) => {
+        const needsDecrypt = encrypted.filter(
+          (m) => !transcriptCache.current.has(m.id)
+        );
+        if (needsDecrypt.length > 0) {
+          Promise.all(needsDecrypt.map(tryDecrypt)).then((decrypted) => {
             const decryptedMap = /* @__PURE__ */ new Map();
             for (const msg of decrypted) {
               decryptedIds.current.add(msg.id);
+              rememberResolvedTranscript(msg);
               decryptedMap.set(msg.id, msg);
             }
             setMessages(
@@ -29663,6 +29756,7 @@ function useMessages(conversation, currentUserId) {
     if (msg.isEncrypted && !decryptedIds.current.has(msg.id)) {
       decryptedIds.current.add(msg.id);
       tryDecrypt(msg).then((processed) => {
+        rememberResolvedTranscript(processed);
         setMessages((prev) => {
           if (prev.some((m) => m.id === processed.id)) return prev;
           return [...prev, processed];
@@ -29674,7 +29768,7 @@ function useMessages(conversation, currentUserId) {
       if (prev.some((m) => m.id === msg.id)) return prev;
       return [...prev, msg];
     });
-  }, []);
+  }, [rememberResolvedTranscript]);
   const handleUpdateMessage = useCallback2(
     (id, updates) => {
       setMessages(
@@ -29686,7 +29780,9 @@ function useMessages(conversation, currentUserId) {
           if (!msg || !msg.isEncrypted || msg.recording_url === "text://plain") return prev;
           decryptedIds.current.delete(id);
           decryptedIds.current.add(id);
+          transcriptCache.current.delete(id);
           tryDecrypt(msg).then((processed) => {
+            rememberResolvedTranscript(processed);
             setMessages(
               (p) => p.map((m) => m.id === id ? processed : m)
             );
@@ -29695,7 +29791,7 @@ function useMessages(conversation, currentUserId) {
         });
       }
     },
-    []
+    [rememberResolvedTranscript]
   );
   useRealtimeMessages(
     conversation,
@@ -29714,11 +29810,15 @@ function useMessages(conversation, currentUserId) {
     fetchMessages();
   }, [fetchMessages]);
   const addMessage = useCallback2((msg) => {
+    if (msg.isEncrypted && msg.recording_url !== "text://plain" && isCacheableTranscriptJson(msg.transcript)) {
+      decryptedIds.current.add(msg.id);
+      rememberResolvedTranscript(msg);
+    }
     setMessages((prev) => {
       if (prev.some((m) => m.id === msg.id)) return prev;
       return [...prev, msg];
     });
-  }, []);
+  }, [rememberResolvedTranscript]);
   return { messages, loading, error, hasMore, loadMore, refresh, addMessage };
 }
 
@@ -29726,7 +29826,7 @@ function useMessages(conversation, currentUserId) {
 init_define_import_meta_env();
 init_messages();
 import { useState as useState4, useCallback as useCallback3 } from "react";
-function useSendMessage(conversation, currentUserId) {
+function useSendMessage(conversation, currentUserId, encrypted = true) {
   const [sending, setSending] = useState4(false);
   const [error, setError] = useState4(null);
   const send = useCallback3(
@@ -29739,14 +29839,27 @@ function useSendMessage(conversation, currentUserId) {
       ];
       const isGroup = conversation.type === "group";
       try {
-        const data = isGroup ? await sendGroupTextMessage({
-          groupId: conversation.id,
-          transcript,
-          parentHowlerId: options?.parentHowlerId
-        }) : await sendEncryptedTextMessage({
-          recipientId: conversation.id,
-          transcript
-        });
+        let data;
+        if (encrypted) {
+          data = isGroup ? await sendGroupTextMessage({
+            groupId: conversation.id,
+            transcript,
+            parentHowlerId: options?.parentHowlerId
+          }) : await sendEncryptedTextMessage({
+            recipientId: conversation.id,
+            transcript
+          });
+        } else {
+          data = isGroup ? await sendGroupPlainTextMessage({
+            groupId: conversation.id,
+            transcript,
+            parentHowlerId: options?.parentHowlerId
+          }) : await sendPlainTextMessage({
+            recipientId: conversation.id,
+            transcript,
+            parentHowlerId: options?.parentHowlerId
+          });
+        }
         const msg = {
           ...data,
           transcript: JSON.stringify(transcript),
@@ -29757,7 +29870,7 @@ function useSendMessage(conversation, currentUserId) {
             last_name: null,
             avatar_url: null
           },
-          isEncrypted: true
+          isEncrypted: encrypted
         };
         setSending(false);
         return msg;
@@ -29768,7 +29881,7 @@ function useSendMessage(conversation, currentUserId) {
         return null;
       }
     },
-    [conversation, currentUserId]
+    [conversation, currentUserId, encrypted]
   );
   return { send, sending, error };
 }
@@ -30455,11 +30568,12 @@ var ConversationPanel = React2.forwardRef(
     panelWidth: panelWidthProp
   }, ref) {
     const { messages, loading, error, hasMore, loadMore, addMessage } = useMessages(conversation, currentUserId);
+    const [encryptionEnabled, setEncryptionEnabled] = React2.useState(true);
     const {
       send,
       sending,
       error: sendError
-    } = useSendMessage(conversation, currentUserId);
+    } = useSendMessage(conversation, currentUserId, encryptionEnabled);
     const { branches, loading: branchesLoading, selectedBranch, selectBranch, filteredMessages, threadMap } = useBranches(conversation, messages);
     const {
       execute: executeCommand,
@@ -30558,6 +30672,17 @@ var ConversationPanel = React2.forwardRef(
           }
           return;
         }
+        if (text.trim().toLowerCase() === "/encrypt") {
+          setEncryptionEnabled((prev) => {
+            const next = !prev;
+            setStatusMsg({
+              text: next ? "Encryption ON" : "Encryption OFF (diagnostic mode)",
+              color: next ? "green" : "yellow"
+            });
+            return next;
+          });
+          return;
+        }
         if (isCommand(text)) {
           await executeCommand(text);
           return;
@@ -30786,6 +30911,7 @@ var SLASH_COMMANDS = [
   { name: "/bot", args: "<name> <msg>", description: "Send to a bot" },
   { name: "/change-branch", args: "[name]", description: "Switch branch" },
   { name: "/current-branch", args: "", description: "Show current branch" },
+  { name: "/encrypt", args: "", description: "Toggle encryption on/off" },
   { name: "/exit", args: "", description: "Quit Howler TUI" },
   { name: "/vault", args: "<query>", description: "Search your vault" }
 ];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@howler/cli",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "type": "module",
   "description": "Terminal UI client for Howler encrypted messaging",
   "bin": {