@quantiya/codevibe-claude-plugin 1.0.13 → 1.0.15

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "codevibe-claude",
-  "version": "1.0.13",
+  "version": "1.0.15",
   "description": "Sync Claude Code sessions with iOS mobile app via AWS backend. Control Claude Code from your phone with real-time bidirectional synchronization.",
   "author": {
     "name": "CodeVibe Team"

package/node_modules/@quantiya/codevibe-core/README.md

@@ -0,0 +1,179 @@
+# @quantiya/codevibe-core
+
+Core library for CodeVibe plugins — shared keychain, crypto, AppSync, authentication, session lifecycle, and network-resilience functionality. Used by [`@quantiya/codevibe-claude-plugin`](https://www.npmjs.com/package/@quantiya/codevibe-claude-plugin), [`@quantiya/codevibe-gemini-plugin`](https://www.npmjs.com/package/@quantiya/codevibe-gemini-plugin), and [`@quantiya/codevibe-codex-plugin`](https://www.npmjs.com/package/@quantiya/codevibe-codex-plugin).
+
+**Current version:** `1.0.3`
+
+## Installation
+
+```bash
+npm install @quantiya/codevibe-core
+```
+
+## Features
+
+- **Keychain Management** — Secure storage for device keys and OAuth tokens using native keychain (macOS Keychain, Linux libsecret, Windows Credential Manager)
+- **Cryptographic Services** — E2E encryption using ECDH P-256 and AES-256-GCM, with dedicated helpers for event content, metadata, and binary attachments
+- **AppSync Client** — GraphQL API and WebSocket subscriptions for AWS AppSync, with automatic token refresh
+- **Two-phase WebSocket reconnection** — exponential backoff (1s→60s) for 10 attempts, then persistent 5-minute retry indefinitely. Survives laptop sleep, network drops, DNS blips, and extended outages without ever giving up.
+- **Session heartbeat system** — `startHeartbeat(sessionId)` sends `updateSession({ lastHeartbeatAt })` every 2 minutes so mobile clients can show desktop connectivity status (green/red dot with 5-minute staleness threshold)
+- **Centralized session lifecycle** — `resumeOrCreateSession()` is the single source of truth for session fingerprint matching, reuse, and per-device ECDH session key distribution. Used identically by all three plugins.
+- **WSL-aware networking** — auto-detects WSL via `/proc/sys/kernel/osrelease` and applies IPv4-first DNS ordering to work around broken WSL IPv6 stacks. Zero behavioral change on macOS, native Linux, and Windows.
+- **Diagnostic fetch wrapper** — `fetchWithDiagnostics()` unpacks undici's generic "fetch failed" errors into detailed platform-specific messages (DNS failures, TLS clock skew, corporate MITM proxies, etc.) so failures are debuggable without trawling logs.
+- **Cross-platform browser launcher** — `AuthService` opens the user's default browser during OAuth login via `wslview` → `cmd.exe` → `powershell.exe` → `xdg-open` fallback chain on Linux/WSL, native `open` on macOS, `cmd /c start` on Windows. Always prints the sign-in URL to stdout as a copy-paste fallback if automatic launching fails.
+- **Authentication CLI** — Browser-based OAuth login/logout commands (Sign in with Apple / Sign in with Google via Cognito)
+- **Prompt Parser** — Extracts numbered options from tmux pane snapshots so plugins can forward the exact options a CLI offers to mobile clients without hardcoding
+- **Shared TypeScript types** — Events, sessions, attachments, encryption structures used across all plugins
+
+## CLI Usage
+
+```bash
+# Sign in via browser (opens Cognito Hosted UI)
+codevibe login
+
+# Sign out
+codevibe logout
+
+# Check authentication status
+codevibe status
+
+# Reset device identity (destructive - old sessions become inaccessible)
+codevibe reset-device
+
+# Use specific environment
+codevibe --env development login
+```
+
+## API Usage
+
+### Keychain Manager
+
+```typescript
+import { keychainManager, DeviceIdentity } from '@quantiya/codevibe-core';
+
+// Get or create device identity (stored in native keychain)
+const identity = await keychainManager.getOrCreateDeviceIdentity();
+console.log(identity.deviceId, identity.publicKey);
+
+// Get OAuth tokens
+const tokens = await keychainManager.getTokens('production');
+if (tokens) {
+  console.log(tokens.email, tokens.userId);
+}
+```
+
+### Crypto Service
+
+```typescript
+import { cryptoService } from '@quantiya/codevibe-core';
+
+// Generate key pair
+const keyPair = cryptoService.generateKeyPair();
+
+// Generate session key
+const sessionKey = cryptoService.generateSessionKey();
+
+// Encrypt content
+const encrypted = cryptoService.encryptContent('Hello World', sessionKey);
+
+// Decrypt content
+const decrypted = cryptoService.decryptContent(encrypted, sessionKey);
+```
+
+### AppSync Client
+
+```typescript
+import { AppSyncClient, loadConfig } from '@quantiya/codevibe-core';
+
+// Load environment configuration
+loadConfig('production');
+
+// Create client
+const client = new AppSyncClient('production');
+
+// Authenticate with stored tokens
+const authenticated = await client.authenticateWithStoredTokens();
+if (!authenticated) {
+  console.log('Run "codevibe login" first');
+  process.exit(1);
+}
+
+// Create session
+const session = await client.createSession({
+  userId: client.getCurrentUserId(),
+  agentType: 'CLAUDE',
+  projectPath: '/path/to/project',
+});
+
+// Subscribe to events
+const unsubscribe = client.subscribeToEvents(session.sessionId, (event) => {
+  console.log('Event received:', event);
+});
+
+// Clean up
+unsubscribe();
+```
+
+### Auth Service
+
+```typescript
+import { authService, loadConfig } from '@quantiya/codevibe-core';
+
+// Set environment
+loadConfig('production');
+authService.setEnvironment('production');
+
+// Login (opens browser)
+const tokens = await authService.login();
+
+// Check status
+const status = await authService.getStatus();
+console.log(status.authenticated, status.tokens?.email);
+
+// Logout
+await authService.logout();
+```
+
+## Keychain Storage
+
+All sensitive data is stored in the native system keychain:
+
+- **Service Name:** `ai.quantiya.app.codevibe`
+- **Device Identity:** Stored as `device-identity` account
+- **Tokens:** Stored as `tokens-{environment}` accounts (e.g., `tokens-production`)
+
+This ensures:
+- Data persists across terminal sessions
+- Data is encrypted at rest by the OS
+- Data survives plugin reinstalls/updates
+- Device identity is shared across all CodeVibe plugins
+
+## Security
+
+- Device keys are ECDH P-256 key pairs
+- Session keys are 256-bit AES keys
+- Content is encrypted with AES-256-GCM
+- Session keys are encrypted per-device using ECDH
+- OAuth tokens are stored securely in native keychain
+
+## Development
+
+```bash
+# Install dependencies
+npm install
+
+# Build
+npm run build
+
+# Watch mode
+npm run watch
+
+# Local development with plugin
+npm link
+cd ../codevibe-claude-plugin
+npm link @quantiya/codevibe-core
+```
+
+## License
+
+MIT

package/node_modules/@quantiya/codevibe-core/bin/codevibe.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+//
+// codevibe CLI entry point
+// @quantiya/codevibe-core
+//
+
+require('../dist/index').runAuthCli(process.argv);

package/node_modules/@quantiya/codevibe-core/dist/appsync/appsync-client.d.ts

@@ -0,0 +1,132 @@
+import { CreateEventInput, CreateSessionInput, UpdateSessionInput, UpdateEventStatusInput, Event, Session, EventSource, DeviceKey } from '../types';
+/**
+ * Download URL response
+ */
+export interface DownloadUrlResponse {
+    downloadUrl: string;
+    expiresAt: string;
+}
+/**
+ * AppSync GraphQL client with WebSocket subscriptions
+ */
+export declare class AppSyncClient {
+    private authenticated;
+    private currentUserId;
+    private currentEmail;
+    private tokens;
+    private activeSubscriptions;
+    private environment;
+    constructor();
+    /**
+     * Get the current authenticated user ID
+     */
+    getCurrentUserId(): string;
+    /**
+     * Get the current authenticated user email
+     */
+    getCurrentUserEmail(): string | null;
+    /**
+     * Authenticate using stored OAuth tokens from keychain
+     */
+    authenticateWithStoredTokens(): Promise<boolean>;
+    /**
+     * Refresh expired tokens
+     */
+    private refreshTokens;
+    /**
+     * Check if authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Sign out
+     */
+    signOut(): void;
+    /**
+     * Make a GraphQL request
+     */
+    private graphqlRequest;
+    /**
+     * Create a session
+     */
+    createSession(input: CreateSessionInput): Promise<Session>;
+    /**
+     * Update a session
+     */
+    updateSession(input: UpdateSessionInput): Promise<Session>;
+    /**
+     * Get a session
+     */
+    getSession(sessionId: string): Promise<Session | null>;
+    /**
+     * Create an event
+     */
+    createEvent(input: CreateEventInput): Promise<Event>;
+    /**
+     * Update event status
+     */
+    updateEventStatus(input: UpdateEventStatusInput): Promise<Event>;
+    /**
+     * List events for a session
+     */
+    listEvents(sessionId: string, source?: EventSource, limit?: number): Promise<Event[]>;
+    /**
+     * List user device keys
+     */
+    listUserDeviceKeys(): Promise<DeviceKey[]>;
+    /**
+     * Register device key
+     */
+    registerDeviceKey(deviceId: string, publicKey: string, platform: string, deviceName: string): Promise<void>;
+    /**
+     * Get attachment download URL
+     */
+    getAttachmentDownloadUrl(s3Key: string): Promise<DownloadUrlResponse>;
+    /**
+     * Subscribe to events for a session
+     */
+    subscribeToEvents(sessionId: string, onEvent: (event: Event) => void, onError?: (error: Error) => void): () => void;
+    /**
+     * Build WebSocket URL
+     */
+    private buildRealtimeUrl;
+    /**
+     * Create WebSocket subscription
+     */
+    private createSubscription;
+    /**
+     * Send subscription start message
+     */
+    private sendSubscriptionStart;
+    /**
+     * Reset keep-alive timer
+     */
+    private resetKeepAliveTimer;
+    /**
+     * Handle subscription error with two-phase reconnection:
+     * Phase 1 (urgent): Exponential backoff for first N attempts
+     * Phase 2 (persistent): Fixed interval retry indefinitely
+     */
+    private handleSubscriptionError;
+    /**
+     * Cleanup subscription state
+     */
+    private cleanupSubscriptionState;
+    private heartbeatTimers;
+    /**
+     * Start periodic heartbeat for a session.
+     * Updates lastHeartbeatAt on the session every intervalMs (default 2 minutes).
+     */
+    startHeartbeat(sessionId: string, intervalMs?: number): void;
+    /**
+     * Stop heartbeat for a session.
+     */
+    stopHeartbeat(sessionId: string): void;
+    /**
+     * Send a single heartbeat update.
+     */
+    private sendHeartbeat;
+    /**
+     * Cleanup all subscriptions and heartbeats
+     */
+    cleanupSubscriptions(): void;
+}

package/node_modules/@quantiya/codevibe-core/dist/appsync/index.d.ts

@@ -0,0 +1,2 @@
+export { AppSyncClient, DownloadUrlResponse } from './appsync-client';
+export { queries, mutations, subscriptions } from './queries';

package/node_modules/@quantiya/codevibe-core/dist/appsync/queries.d.ts

@@ -0,0 +1,16 @@
+export declare const queries: {
+    getSession: string;
+    listEvents: string;
+    listUserDeviceKeys: string;
+};
+export declare const mutations: {
+    createSession: string;
+    updateSession: string;
+    createEvent: string;
+    updateEventStatus: string;
+    registerDeviceKey: string;
+    getAttachmentDownloadUrl: string;
+};
+export declare const subscriptions: {
+    onEventCreated: string;
+};

package/node_modules/@quantiya/codevibe-core/dist/auth/auth-cli.d.ts

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+/**
+ * Main CLI entry point
+ */
+export declare function runAuthCli(argv: string[]): Promise<void>;

package/node_modules/@quantiya/codevibe-core/dist/auth/auth-service.d.ts

@@ -0,0 +1,87 @@
+import { TokenData } from '../types';
+/**
+ * Authentication service for OAuth flows
+ */
+export declare class AuthService {
+    private static instance;
+    private constructor();
+    static getInstance(): AuthService;
+    /**
+     * Open URL in the user's default browser. Cross-platform: macOS, Linux,
+     * WSL, Windows. Always prints the URL to stdout first as a fallback —
+     * if no browser-opening command is available, the user can copy-paste.
+     *
+     * On WSL, prefers opening the Windows host browser via WSL interop
+     * (wslview → cmd.exe → powershell.exe) before falling back to xdg-open.
+     */
+    private openBrowser;
+    /**
+     * Returns the list of browser-opening commands to try in order, based on
+     * the current platform. On WSL, returns WSL interop commands first so the
+     * Windows browser opens (which is what users actually want on WSL).
+     */
+    private getBrowserCommands;
+    /**
+     * Detect whether we're running inside WSL (1 or 2). Returns false on
+     * any non-Linux platform or if /proc/sys/kernel/osrelease is not readable.
+     */
+    private isRunningInWSL;
+    /**
+     * Try each browser-opening command in order. Advances to the next fallback on:
+     *   - Spawn failure (ENOENT / the command not being installed)
+     *   - Synchronous throw from spawn()
+     *   - Runtime failure where the command spawns but exits with a non-zero
+     *     code (e.g. wslview when WSL interop is disabled, xdg-open when no
+     *     default browser is registered, cmd.exe failing to launch start)
+     *   - Process terminated by signal
+     *
+     * Stays on the current command when:
+     *   - Process exits with code 0 (success)
+     *   - Process is still running after 3 seconds (assumed success — opener
+     *     is doing real work like launching a slow app, not hung)
+     *
+     * If all attempts exhaust, logs at debug level — the user still has the
+     * sign-in URL printed to stdout as a copy-paste fallback.
+     */
+    private tryBrowserCommand;
+    /**
+     * Generate state for CSRF protection
+     */
+    private generateState;
+    /**
+     * Build authorization URL
+     */
+    private buildAuthUrl;
+    /**
+     * Exchange authorization code for tokens
+     */
+    private exchangeCodeForTokens;
+    /**
+     * Decode JWT payload
+     */
+    private decodeJwt;
+    /**
+     * Refresh tokens
+     */
+    refreshTokens(refreshToken: string): Promise<{
+        accessToken: string;
+        idToken: string;
+        expiresIn: number;
+    }>;
+    /**
+     * Login via OAuth browser flow
+     */
+    login(): Promise<TokenData | null>;
+    /**
+     * Logout
+     */
+    logout(): Promise<boolean>;
+    /**
+     * Get current auth status
+     */
+    getStatus(): Promise<{
+        authenticated: boolean;
+        tokens?: TokenData;
+    }>;
+}
+export declare const authService: AuthService;

package/node_modules/@quantiya/codevibe-core/dist/auth/fetch-helpers.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Wraps fetch() and rewrites "fetch failed" errors to include the underlying
+ * cause and a user-actionable diagnostic tip when possible. Non-network errors
+ * and HTTP error responses (non-2xx) are not affected — the caller still
+ * handles response.ok checks themselves.
+ *
+ * @param url The URL to fetch
+ * @param init Standard fetch init options
+ * @param context Optional short label (e.g. "token exchange") for the error message
+ */
+export declare function fetchWithDiagnostics(url: string, init?: any, context?: string): Promise<Response>;

package/node_modules/@quantiya/codevibe-core/dist/auth/index.d.ts

@@ -0,0 +1,2 @@
+export { AuthService, authService } from './auth-service';
+export { runAuthCli } from './auth-cli';

package/node_modules/@quantiya/codevibe-core/dist/config/config.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Environment type
+ */
+export type Environment = 'development' | 'production';
+/**
+ * Configuration interface
+ */
+export interface Config {
+    environment: Environment;
+    aws: {
+        region: string;
+        appsyncUrl: string;
+        cognitoUserPoolId: string;
+        cognitoClientId: string;
+        cognitoDomain: string;
+    };
+    keychain: {
+        serviceName: string;
+    };
+    server: {
+        port: number;
+        host: string;
+        dynamicPort: boolean;
+    };
+    claude: {
+        command: string;
+        defaultTimeout: number;
+    };
+    codex: {
+        command: string;
+        defaultTimeout: number;
+        sessionsDir: string;
+        approvalTimeoutMs: number;
+    };
+    gemini: {
+        command: string;
+        defaultTimeout: number;
+        transcriptDir: string;
+    };
+}
+/**
+ * Get environment from process.env.ENVIRONMENT, defaults to 'production'
+ */
+export declare function getEnvironment(): Environment;
+/**
+ * Load configuration for specific environment
+ * If no environment specified, uses process.env.ENVIRONMENT or defaults to 'production'
+ */
+export declare function loadConfig(environment?: Environment): Config;
+/**
+ * Get current configuration (auto-initializes if not already loaded)
+ */
+export declare function getConfig(): Config;

package/node_modules/@quantiya/codevibe-core/dist/config/index.d.ts

@@ -0,0 +1,2 @@
+export { loadConfig, getConfig, getEnvironment } from './config';
+export type { Config, Environment } from './config';

package/node_modules/@quantiya/codevibe-core/dist/crypto/crypto-service.d.ts

@@ -0,0 +1,118 @@
+import { EncryptedSessionKey, KeyPair } from '../types';
+/**
+ * Error class for cryptographic operations
+ */
+export declare class CryptoError extends Error {
+    constructor(message: string);
+}
+/**
+ * Current encryption version for future algorithm upgrades
+ */
+export declare const ENCRYPTION_VERSION = 1;
+/**
+ * Service for end-to-end encryption operations
+ */
+export declare class CryptoService {
+    private static instance;
+    private constructor();
+    static getInstance(): CryptoService;
+    /**
+     * Generate a new ECDH P-256 key pair
+     * @returns Object with privateKey (base64), publicKey (base64 raw)
+     */
+    generateKeyPair(): KeyPair;
+    /**
+     * Generate a random 256-bit session key
+     * @returns Base64-encoded session key
+     */
+    generateSessionKey(): string;
+    /**
+     * Derive a shared secret using ECDH and HKDF
+     * @param privateKeyBase64 Our private key (base64)
+     * @param publicKeyBase64 Other party's public key (base64)
+     * @returns 256-bit derived key as Buffer
+     */
+    deriveSharedKey(privateKeyBase64: string, publicKeyBase64: string): Buffer;
+    /**
+     * Encrypt a session key for a target device using ECDH
+     * @param sessionKeyBase64 The session key to encrypt (base64)
+     * @param targetPublicKeyBase64 Target device's public key (base64)
+     * @returns EncryptedSessionKey containing encrypted key and ephemeral public key
+     */
+    encryptSessionKey(sessionKeyBase64: string, targetPublicKeyBase64: string): Omit<EncryptedSessionKey, 'deviceId'>;
+    /**
+     * Decrypt a session key using our private key
+     * @param encryptedSessionKey The encrypted session key data
+     * @param privateKeyBase64 Our device's private key (base64)
+     * @returns Decrypted session key (base64)
+     */
+    decryptSessionKey(encryptedSessionKey: EncryptedSessionKey, privateKeyBase64: string): string;
+    /**
+     * Encrypt content using AES-256-GCM
+     * @param content String content to encrypt
+     * @param sessionKeyBase64 Session key (base64)
+     * @returns Base64-encoded ciphertext (nonce + ciphertext + tag)
+     */
+    encryptContent(content: string, sessionKeyBase64: string): string;
+    /**
+     * Decrypt content using AES-256-GCM
+     * @param encryptedContent Base64-encoded ciphertext
+     * @param sessionKeyBase64 Session key (base64)
+     * @returns Decrypted string content
+     */
+    decryptContent(encryptedContent: string, sessionKeyBase64: string): string;
+    /**
+     * Encrypt JSON-serializable metadata
+     * @param metadata Object to encrypt
+     * @param sessionKeyBase64 Session key (base64)
+     * @returns Base64-encoded encrypted JSON
+     */
+    encryptMetadata(metadata: Record<string, any>, sessionKeyBase64: string): string;
+    /**
+     * Decrypt encrypted metadata
+     * @param encryptedMetadata Base64-encoded encrypted JSON
+     * @param sessionKeyBase64 Session key (base64)
+     * @returns Decrypted object
+     */
+    decryptMetadata(encryptedMetadata: string, sessionKeyBase64: string): Record<string, any>;
+    /**
+     * Encrypt binary data using AES-256-GCM
+     * @param data Binary data to encrypt (Buffer)
+     * @param sessionKeyBase64 Session key (base64)
+     * @returns Encrypted data (Buffer containing nonce + ciphertext + tag)
+     */
+    encryptData(data: Buffer, sessionKeyBase64: string): Buffer;
+    /**
+     * Decrypt binary data using AES-256-GCM
+     * @param encryptedData Encrypted data (Buffer containing nonce + ciphertext + tag)
+     * @param sessionKeyBase64 Session key (base64)
+     * @returns Decrypted binary data (Buffer)
+     */
+    decryptData(encryptedData: Buffer, sessionKeyBase64: string): Buffer;
+    /**
+     * Encrypt data using AES-256-GCM
+     * @param data Data to encrypt
+     * @param key Symmetric key (32 bytes)
+     * @returns Combined nonce + ciphertext + tag
+     */
+    private encrypt;
+    /**
+     * Decrypt data using AES-256-GCM
+     * @param data Combined nonce + ciphertext + tag
+     * @param key Symmetric key (32 bytes)
+     * @returns Decrypted data
+     */
+    private decrypt;
+    /**
+     * Serialize a private key for storage
+     */
+    serializePrivateKey(privateKeyBase64: string): string;
+    /**
+     * Deserialize a private key from storage
+     */
+    deserializePrivateKey(base64: string): string;
+}
+/**
+ * Export singleton instance
+ */
+export declare const cryptoService: CryptoService;

package/node_modules/@quantiya/codevibe-core/dist/crypto/index.d.ts

@@ -0,0 +1 @@
+export { CryptoService, cryptoService, CryptoError, ENCRYPTION_VERSION } from './crypto-service';

package/node_modules/@quantiya/codevibe-core/dist/index.d.ts

@@ -0,0 +1,14 @@
+export { KeychainManager, keychainManager, KeychainError } from './keychain';
+export { CryptoService, cryptoService, CryptoError, ENCRYPTION_VERSION } from './crypto';
+export { AppSyncClient, DownloadUrlResponse } from './appsync';
+export { queries, mutations, subscriptions } from './appsync';
+export { AuthService, authService } from './auth';
+export { runAuthCli } from './auth';
+export { loadConfig, getConfig, getEnvironment } from './config';
+export type { Config, Environment } from './config';
+export { Logger, logger, createLogger } from './logger';
+export { parseInteractivePrompt, normalizeSnapshot, } from './prompt-parser';
+export type { ParsedInteractivePrompt, PromptKind, InteractivePromptOption, } from './prompt-parser';
+export { resumeOrCreateSession, prepareSessionEncryption } from './session';
+export type { ResumeOrCreateSessionInput, ResumeOrCreateSessionResult } from './session';
+export * from './types';