@mobvibe/cli 0.1.7 → 0.1.9

package/README.md

@@ -1,42 +1,64 @@
 # @mobvibe/cli
 
-CLI daemon for remote-claude (mobvibe) - connects ACP-compatible agents to the gateway.
+CLI daemon for mobvibe — connects ACP-compatible agents to the gateway with end-to-end encryption.
 
 ## Installation
 
+Requires [Bun](https://bun.sh/) 1.0+.
+
 ```bash
 npm install -g @mobvibe/cli
 ```
 
-## Usage
-
-### Login (first time)
+## Quick Start
 
 ```bash
+# 1. Authenticate and generate E2EE master secret
 mobvibe login
+
+# 2. Start the daemon
+mobvibe start
 ```
 
-Opens browser for authentication, registers your machine.
+After login, copy the displayed master secret and paste it into WebUI Settings > End-to-End Encryption > Pair.
 
-### Start daemon
+## Commands
 
-```bash
-mobvibe start
-```
+| Command | Description |
+|---------|-------------|
+| `mobvibe login` | Authenticate with email/password, generate master secret, register device |
+| `mobvibe logout` | Remove stored credentials |
+| `mobvibe auth-status` | Show authentication and key status |
+| `mobvibe start [--gateway <url>]` | Start daemon |
+| `mobvibe stop` | Stop daemon |
+| `mobvibe status` | Show daemon status |
+| `mobvibe logs [-f] [-n <lines>]` | View daemon logs |
+| `mobvibe e2ee show` | Display master secret for WebUI pairing |
+| `mobvibe e2ee status` | Show E2EE key status (public key fingerprints) |
+| `mobvibe compact [--session <id>]` | Compact WAL database |
 
-### Check status
+## E2EE
 
-```bash
-mobvibe status
-```
+All session content is encrypted on the CLI before sending to the gateway. The gateway routes events but cannot read their content.
 
-### Stop daemon
+**Login flow:**
+1. `mobvibe login` prompts for email and password (password masked)
+2. Authenticates via Better Auth session cookie
+3. Generates a 32-byte master secret and derives an Ed25519 keypair
+4. Registers the device public key with the gateway
+5. Saves the master secret to `~/.mobvibe/credentials.json` (mode 0600)
+6. Displays the master secret (base64) for WebUI pairing
 
-```bash
-mobvibe stop
-```
+**Runtime encryption:**
+- Each session gets a random DEK (data encryption key)
+- Events are encrypted with `crypto_secretbox` (XSalsa20-Poly1305)
+- DEKs are wrapped with `crypto_box_seal` so only paired devices can unwrap them
+- CLI authenticates to the gateway with Ed25519 signed tokens (no stored API keys)
 
 ## Environment Variables
 
-- `MOBVIBE_GATEWAY_URL` - Gateway server URL (default: from login)
-- `ANTHROPIC_AUTH_TOKEN` - Required for Claude Code backend
+| Variable | Description |
+|----------|-------------|
+| `MOBVIBE_GATEWAY_URL` | Gateway server URL (default: production) |
+| `MOBVIBE_HOME` | CLI home directory (default: `~/.mobvibe`) |
+| `MOBVIBE_MASTER_SECRET` | Override master secret (base64, instead of credentials file) |

package/bin/mobvibe.mjs

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env bun
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 

package/dist/acp/__tests__/acp-connection.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/acp/__tests__/session-manager.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/acp/acp-connection.d.ts

@@ -0,0 +1,98 @@
+import { type ContentBlock, type CreateTerminalRequest, type CreateTerminalResponse, type Implementation, type KillTerminalCommandRequest, type KillTerminalCommandResponse, type LoadSessionResponse, type NewSessionResponse, type PromptResponse, type ReleaseTerminalRequest, type ReleaseTerminalResponse, type RequestPermissionRequest, type RequestPermissionResponse, type SessionInfo, type SessionNotification, type TerminalOutputRequest, type TerminalOutputResponse, type WaitForTerminalExitRequest, type WaitForTerminalExitResponse } from "@agentclientprotocol/sdk";
+import { type AcpConnectionState, type AgentSessionCapabilities, type ErrorDetail, type TerminalOutputEvent } from "@mobvibe/shared";
+import type { AcpBackendConfig } from "../config.js";
+type ClientInfo = {
+    name: string;
+    version: string;
+};
+export type AcpBackendStatus = {
+    backendId: string;
+    backendLabel: string;
+    state: AcpConnectionState;
+    command: string;
+    args: string[];
+    connectedAt?: string;
+    error?: ErrorDetail;
+    sessionId?: string;
+    pid?: number;
+};
+type SessionUpdateListener = (notification: SessionNotification) => void;
+export declare class AcpConnection {
+    private readonly options;
+    private connection?;
+    private process?;
+    private closedPromise?;
+    private state;
+    private connectedAt?;
+    private error?;
+    private sessionId?;
+    private agentInfo?;
+    private agentCapabilities?;
+    private readonly sessionUpdateEmitter;
+    private readonly statusEmitter;
+    private readonly terminalOutputEmitter;
+    private permissionHandler?;
+    private terminals;
+    constructor(options: {
+        backend: AcpBackendConfig;
+        client: ClientInfo;
+    });
+    getStatus(): AcpBackendStatus;
+    getAgentInfo(): Implementation | undefined;
+    /**
+     * Get the agent's session capabilities.
+     */
+    getSessionCapabilities(): AgentSessionCapabilities;
+    /**
+     * Check if the agent supports session/list.
+     */
+    supportsSessionList(): boolean;
+    /**
+     * Check if the agent supports session/load.
+     */
+    supportsSessionLoad(): boolean;
+    /**
+     * List sessions from the agent (session/list).
+     * @param params Optional filter parameters
+     * @returns List of session info from the agent
+     */
+    listSessions(params?: {
+        cursor?: string;
+        cwd?: string;
+    }): Promise<{
+        sessions: SessionInfo[];
+        nextCursor?: string;
+    }>;
+    /**
+     * Load a historical session with message history replay (session/load).
+     * @param sessionId The session ID to load
+     * @param cwd The working directory
+     * @returns Load session response with modes/models state
+     */
+    loadSession(sessionId: string, cwd: string): Promise<LoadSessionResponse>;
+    setPermissionHandler(handler?: (params: RequestPermissionRequest) => Promise<RequestPermissionResponse>): void;
+    onTerminalOutput(listener: (payload: TerminalOutputEvent) => void): () => void;
+    onSessionUpdate(listener: SessionUpdateListener): () => void;
+    onStatusChange(listener: (status: AcpBackendStatus) => void): () => void;
+    private updateStatus;
+    connect(): Promise<void>;
+    createSession(options?: {
+        cwd?: string;
+    }): Promise<NewSessionResponse>;
+    prompt(sessionId: string, prompt: ContentBlock[]): Promise<PromptResponse>;
+    cancel(sessionId: string): Promise<void>;
+    setSessionMode(sessionId: string, modeId: string): Promise<void>;
+    setSessionModel(sessionId: string, modelId: string): Promise<void>;
+    createTerminal(params: CreateTerminalRequest): Promise<CreateTerminalResponse>;
+    getTerminalOutput(params: TerminalOutputRequest): Promise<TerminalOutputResponse>;
+    waitForTerminalExit(params: WaitForTerminalExitRequest): Promise<WaitForTerminalExitResponse>;
+    killTerminal(params: KillTerminalCommandRequest): Promise<KillTerminalCommandResponse>;
+    releaseTerminal(params: ReleaseTerminalRequest): Promise<ReleaseTerminalResponse>;
+    disconnect(): Promise<void>;
+    private ensureReady;
+    private createSessionInternal;
+    private emitSessionUpdate;
+    private handlePermissionRequest;
+    private stopProcess;
+}
+export {};

package/dist/acp/session-manager.d.ts

@@ -0,0 +1,178 @@
+import type { AvailableCommand, RequestPermissionResponse } from "@agentclientprotocol/sdk";
+import { type AcpSessionInfo, type DiscoverSessionsRpcResult, type PermissionDecisionPayload, type PermissionRequestPayload, type SessionEvent, type SessionEventsParams, type SessionEventsResponse, type SessionSummary, type SessionsChangedPayload, type StopReason } from "@mobvibe/shared";
+import type { AcpBackendConfig, CliConfig } from "../config.js";
+import type { CliCryptoService } from "../e2ee/crypto-service.js";
+import { AcpConnection } from "./acp-connection.js";
+type SessionRecord = {
+    sessionId: string;
+    title: string;
+    backendId: string;
+    backendLabel: string;
+    connection: AcpConnection;
+    createdAt: Date;
+    updatedAt: Date;
+    cwd?: string;
+    agentName?: string;
+    modelId?: string;
+    modelName?: string;
+    modeId?: string;
+    modeName?: string;
+    availableModes?: Array<{
+        id: string;
+        name: string;
+    }>;
+    availableModels?: Array<{
+        id: string;
+        name: string;
+        description?: string | null;
+    }>;
+    availableCommands?: AvailableCommand[];
+    unsubscribe?: () => void;
+    unsubscribeTerminal?: () => void;
+    isAttached?: boolean;
+    attachedAt?: Date;
+    /** Current WAL revision for this session */
+    revision: number;
+};
+export declare class SessionManager {
+    private readonly config;
+    private sessions;
+    private discoveredSessions;
+    private backendById;
+    private permissionRequests;
+    private readonly permissionRequestEmitter;
+    private readonly permissionResultEmitter;
+    private readonly sessionsChangedEmitter;
+    private readonly sessionAttachedEmitter;
+    private readonly sessionDetachedEmitter;
+    private readonly sessionEventEmitter;
+    private readonly walStore;
+    private readonly cryptoService?;
+    constructor(config: CliConfig, cryptoService?: CliCryptoService);
+    createConnection(backend: AcpBackendConfig): AcpConnection;
+    listSessions(): SessionSummary[];
+    /**
+     * List all sessions: active sessions merged with persisted discovered sessions.
+     * Used for the gateway heartbeat so that `sessions:list` sends the
+     * complete set, allowing the gateway to replace its cache.
+     */
+    listAllSessions(): SessionSummary[];
+    getSession(sessionId: string): SessionRecord | undefined;
+    /**
+     * Get the current WAL revision for a session.
+     */
+    getSessionRevision(sessionId: string): number | undefined;
+    onPermissionRequest(listener: (payload: PermissionRequestPayload) => void): () => void;
+    onPermissionResult(listener: (payload: PermissionDecisionPayload) => void): () => void;
+    onSessionsChanged(listener: (payload: SessionsChangedPayload) => void): () => void;
+    onSessionAttached(listener: (payload: {
+        sessionId: string;
+        machineId: string;
+        attachedAt: string;
+    }) => void): () => void;
+    onSessionDetached(listener: (payload: {
+        sessionId: string;
+        machineId: string;
+        detachedAt: string;
+        reason: "agent_exit" | "cli_disconnect" | "gateway_disconnect" | "unknown";
+    }) => void): () => void;
+    /**
+     * Listen for session events (WAL-persisted events with seq/revision).
+     */
+    onSessionEvent(listener: (event: SessionEvent) => void): () => void;
+    /**
+     * Query session events from the WAL.
+     */
+    getSessionEvents(params: SessionEventsParams): SessionEventsResponse;
+    /**
+     * Get unacked events for a session/revision (for reconnection replay).
+     */
+    getUnackedEvents(sessionId: string, revision: number): SessionEvent[];
+    /**
+     * Acknowledge events up to a given sequence.
+     */
+    ackEvents(sessionId: string, revision: number, upToSeq: number): void;
+    recordTurnEnd(sessionId: string, stopReason: StopReason): void;
+    /**
+     * Write an event to the WAL and emit it.
+     */
+    private writeAndEmitEvent;
+    private emitSessionsChanged;
+    private emitSessionAttached;
+    private emitSessionDetached;
+    listPendingPermissions(sessionId: string): PermissionRequestPayload[];
+    resolvePermissionRequest(sessionId: string, requestId: string, outcome: RequestPermissionResponse["outcome"]): PermissionDecisionPayload;
+    private resolveBackend;
+    createSession(options: {
+        cwd?: string;
+        title?: string;
+        backendId: string;
+    }): Promise<SessionSummary>;
+    private buildPermissionRequestPayload;
+    private handlePermissionRequest;
+    private cancelPermissionRequests;
+    updateTitle(sessionId: string, title: string): SessionSummary;
+    touchSession(sessionId: string): void;
+    setSessionMode(sessionId: string, modeId: string): Promise<SessionSummary>;
+    setSessionModel(sessionId: string, modelId: string): Promise<SessionSummary>;
+    cancelSession(sessionId: string): Promise<boolean>;
+    closeSession(sessionId: string): Promise<boolean>;
+    closeAll(): Promise<void>;
+    /**
+     * Archive a session: close if active, delete WAL messages, mark as archived.
+     */
+    archiveSession(sessionId: string): Promise<void>;
+    /**
+     * Archive multiple sessions at once.
+     */
+    bulkArchiveSessions(sessionIds: string[]): Promise<{
+        archivedCount: number;
+    }>;
+    /**
+     * Shutdown the session manager and close resources.
+     */
+    shutdown(): Promise<void>;
+    /**
+     * Get previously discovered sessions from WAL storage.
+     * Filters out sessions that are already loaded.
+     * @param backendId Optional backend ID to filter by
+     * @returns List of discovered sessions not currently loaded
+     */
+    getPersistedDiscoveredSessions(backendId?: string): AcpSessionInfo[];
+    /**
+     * Discover sessions persisted by the ACP agent.
+     * Creates a temporary connection to query sessions.
+     * @param options Optional parameters for discovery
+     * @returns List of discovered sessions and agent capabilities
+     */
+    discoverSessions(options: {
+        cwd?: string;
+        backendId: string;
+        cursor?: string;
+    }): Promise<DiscoverSessionsRpcResult>;
+    /**
+     * Load a historical session from the ACP agent.
+     * This will replay the session's message history.
+     * @param sessionId The session ID to load
+     * @param cwd The working directory
+     * @param backendId Optional backend ID
+     * @returns The loaded session summary
+     */
+    loadSession(sessionId: string, cwd: string, backendId: string): Promise<SessionSummary>;
+    /**
+     * Reload a historical session from the ACP agent.
+     * Replays session history even if the session is already loaded.
+     */
+    reloadSession(sessionId: string, cwd: string, backendId: string): Promise<SessionSummary>;
+    private applySessionUpdateToRecord;
+    /**
+     * Map a SessionNotification to WAL event kind and write to WAL.
+     */
+    private writeSessionUpdateToWal;
+    /**
+     * Set up event subscriptions for a session record.
+     */
+    private setupSessionSubscriptions;
+    private buildSummary;
+}
+export {};

package/dist/auth/credentials.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Credentials management for CLI authentication.
+ * Stores API key in ~/.mobvibe/credentials.json
+ */
+export interface Credentials {
+    /** Base64-encoded master secret (32 bytes) — the single root credential */
+    masterSecret: string;
+    /** When the credentials were created */
+    createdAt: number;
+    /** Optional: custom gateway URL (user can manually set this) */
+    gatewayUrl?: string;
+}
+/**
+ * Load credentials from the credentials file.
+ * Returns null if no credentials exist.
+ */
+export declare function loadCredentials(): Promise<Credentials | null>;
+/**
+ * Save credentials to the credentials file.
+ */
+export declare function saveCredentials(credentials: Credentials): Promise<void>;
+/**
+ * Delete the credentials file.
+ */
+export declare function deleteCredentials(): Promise<void>;
+/**
+ * Check if credentials exist.
+ */
+export declare function hasCredentials(): Promise<boolean>;
+/**
+ * Get the master secret from credentials.
+ * Also checks MOBVIBE_MASTER_SECRET env var as override.
+ * Returns base64-encoded string.
+ */
+export declare function getMasterSecret(): Promise<string | undefined>;
+/**
+ * Get the gateway URL with the following priority:
+ * 1. MOBVIBE_GATEWAY_URL env var
+ * 2. gatewayUrl in credentials file
+ * 3. Default production URL
+ */
+export declare function getGatewayUrl(): Promise<string>;

package/dist/auth/login.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Login command for CLI authentication.
+ * Generates a master secret, authenticates via email/password,
+ * and registers the device public key with the gateway.
+ */
+export interface LoginResult {
+    success: boolean;
+    error?: string;
+}
+export declare function login(): Promise<LoginResult>;
+/**
+ * Logout - delete stored credentials.
+ */
+export declare function logout(): Promise<void>;
+/**
+ * Show current login status.
+ */
+export declare function loginStatus(): Promise<void>;

package/dist/config-loader.d.ts

@@ -0,0 +1,7 @@
+import type { MobvibeUserConfig } from "@mobvibe/shared";
+export type ConfigLoadResult = {
+    config: MobvibeUserConfig | null;
+    errors: string[];
+    path: string;
+};
+export declare const loadUserConfig: (homePath: string) => Promise<ConfigLoadResult>;

package/dist/config.d.ts

@@ -0,0 +1,40 @@
+import type { AcpBackendId } from "@mobvibe/shared";
+export type AcpBackendConfig = {
+    id: AcpBackendId;
+    label: string;
+    command: string;
+    args: string[];
+    envOverrides?: Record<string, string>;
+};
+export type CompactionConfig = {
+    /** Enable automatic compaction */
+    enabled: boolean;
+    /** Keep acked events for this many days (default: 7) */
+    ackedEventRetentionDays: number;
+    /** Always keep this many latest revisions (default: 2) */
+    keepLatestRevisionsCount: number;
+    /** Run compaction on daemon startup (default: false) */
+    runOnStartup: boolean;
+    /** Run compaction every N hours (default: 24) */
+    runIntervalHours: number;
+    /** Safety: minimum events to keep per session (default: 1000) */
+    minEventsToKeep: number;
+};
+export declare const DEFAULT_COMPACTION_CONFIG: CompactionConfig;
+export type CliConfig = {
+    gatewayUrl: string;
+    acpBackends: AcpBackendConfig[];
+    clientName: string;
+    clientVersion: string;
+    homePath: string;
+    logPath: string;
+    pidFile: string;
+    walDbPath: string;
+    machineId: string;
+    hostname: string;
+    platform: string;
+    userConfigPath?: string;
+    userConfigErrors?: string[];
+    compaction: CompactionConfig;
+};
+export declare const getCliConfig: () => Promise<CliConfig>;

package/dist/daemon/daemon.d.ts

@@ -0,0 +1,27 @@
+import type { CliConfig } from "../config.js";
+type DaemonStatus = {
+    running: boolean;
+    pid?: number;
+    connected?: boolean;
+    sessionCount?: number;
+};
+export declare class DaemonManager {
+    private readonly config;
+    constructor(config: CliConfig);
+    ensureHomeDirectory(): Promise<void>;
+    getPid(): Promise<number | null>;
+    writePidFile(pid: number): Promise<void>;
+    removePidFile(): Promise<void>;
+    status(): Promise<DaemonStatus>;
+    start(options?: {
+        foreground?: boolean;
+    }): Promise<void>;
+    stop(): Promise<void>;
+    private spawnBackground;
+    runForeground(): Promise<void>;
+    logs(options?: {
+        follow?: boolean;
+        lines?: number;
+    }): Promise<void>;
+}
+export {};

package/dist/daemon/socket-client.d.ts

@@ -0,0 +1,36 @@
+import { EventEmitter } from "node:events";
+import type { SessionManager } from "../acp/session-manager.js";
+import type { CliConfig } from "../config.js";
+import type { CliCryptoService } from "../e2ee/crypto-service.js";
+type SocketClientOptions = {
+    config: CliConfig;
+    sessionManager: SessionManager;
+    /** Crypto service for E2EE */
+    cryptoService: CliCryptoService;
+};
+export declare class SocketClient extends EventEmitter {
+    private readonly options;
+    private socket;
+    private connected;
+    private reconnectAttempts;
+    private heartbeatInterval?;
+    constructor(options: SocketClientOptions);
+    private setupEventHandlers;
+    private setupRpcHandlers;
+    private setupSessionManagerListeners;
+    private listSessionResources;
+    private listAllFiles;
+    private sendRpcResponse;
+    private sendRpcError;
+    private register;
+    private startHeartbeat;
+    private stopHeartbeat;
+    /**
+     * Replay unacked events for all active sessions after reconnection.
+     */
+    private replayUnackedEvents;
+    connect(): void;
+    disconnect(): void;
+    isConnected(): boolean;
+}
+export {};

package/dist/e2ee/__tests__/crypto-service.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/e2ee/crypto-service.d.ts

@@ -0,0 +1,33 @@
+import type { CryptoKeyPair, SessionEvent } from "@mobvibe/shared";
+export declare class CliCryptoService {
+    readonly authKeyPair: CryptoKeyPair;
+    private contentKeyPair;
+    private sessionDeks;
+    private wrappedDekCache;
+    constructor(masterSecret: Uint8Array);
+    /**
+     * Initialize a DEK for a session. Generates a random DEK and wraps it
+     * with the content public key.
+     */
+    initSessionDek(sessionId: string): {
+        dek: Uint8Array;
+        wrappedDek: string;
+    };
+    /**
+     * Set an existing DEK for a session (e.g., loaded from WAL).
+     */
+    setSessionDek(sessionId: string, dek: Uint8Array): void;
+    /**
+     * Encrypt a session event's payload in place.
+     * Returns a new event with the payload replaced by an EncryptedPayload.
+     */
+    encryptEvent(event: SessionEvent): SessionEvent;
+    /**
+     * Get the wrapped DEK for a session, or null if not initialized.
+     */
+    getWrappedDek(sessionId: string): string | null;
+    /**
+     * Get the base64-encoded auth public key.
+     */
+    getAuthPublicKeyBase64(): string;
+}

package/dist/index.d.ts

@@ -1,3 +1 @@
-declare function run(): Promise<void>;
-
-export { run };
+export declare function run(): Promise<void>;