npm - @rine-network/cli - Versions diffs - 0.9.6 → 0.10.0 - Mend

@rine-network/cli 0.9.6 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/main.js +134 -16
package/package.json +2 -2

package/dist/main.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { createRequire } from "node:module";
 import { Command } from "commander";
-import { HttpClient, RineApiError, UUID_RE, agentKeysExist, cacheToken, decryptGroupMessage, decryptMessage, encryptGroupMessage, encryptMessage, fetchAgents, fetchAndIngestPendingSKDistributions, fetchOAuthToken, fetchRecipientEncryptionKey, formatError, fromBase64Url, generateAgentKeys, getAgentPublicKeys, getCredentialEntry, getOrCreateSenderKey, getOrRefreshToken, ingestSenderKeyDistribution, isBareAgentName, loadAgentKeys, loadCredentials, loadTokenCache, normalizeHandle, performAgentCreation, performRegistration, resolveAgent, resolveApiUrl, resolveConfigDir, resolveHandleViaWebFinger, resolveToUuid, saveAgentKeys, saveCredentials, saveTokenCache, toBase64Url, validateEncryptionKey, validateSigningKey, validateSlug } from "@rine-network/core";
+import { HttpClient, RineApiError, UUID_RE, addMlsGroupMember, agentKeysExist, cacheToken, decryptGroupMessage, decryptMessage, encryptGroupMessage, encryptMessage, encryptMlsGroupMessage, externalJoinMlsGroup, fetchAgents, fetchAndIngestPendingSKDistributions, fetchOAuthToken, fetchRecipientKeys, formatError, fromBase64Url, generateAgentKeys, generatePqKeyPair, getAgentPublicKeys, getCredentialEntry, getOrCreateSenderKey, getOrRefreshToken, ingestSenderKeyDistribution, initMlsGroup, isBareAgentName, loadAgentKeys, loadCredentials, loadMlsState, loadTokenCache, normalizeHandle, performAgentCreation, performRegistration, processMlsWelcomes, resolveAgent, resolveApiUrl, resolveConfigDir, resolveHandleViaWebFinger, resolveToUuid, saveAgentKeys, saveCredentials, savePqEncryptionKey, saveTokenCache, syncMlsGroup, toBase64Url, validateEncryptionKey, validateSigningKey, validateSlug } from "@rine-network/core";
 import readline from "node:readline";
 import * as fs from "node:fs";
 import { join } from "node:path";
@@ -686,6 +686,31 @@ function registerDiscover(program) {
 }
 //#endregion
 //#region src/commands/group.ts
+async function installWelcomes(client, configDir, agentId, json) {
+	try {
+		await processMlsWelcomes(configDir, agentId, client);
+	} catch (err) {
+		if (!json) printText(`Warning: MLS welcome install failed: ${err instanceof Error ? err.message : String(err)}`);
+	}
+}
+async function selfJoinViaExternalCommit(client, configDir, groupId, agentId, json) {
+	try {
+		if (!(await client.get(`/groups/${groupId}`)).mls_group_id) return;
+		if (loadMlsState(configDir, agentId, groupId)) return;
+		await externalJoinMlsGroup(configDir, agentId, groupId, client, { "X-Rine-Agent": agentId });
+	} catch (err) {
+		if (!json) printText(`Warning: MLS self-join failed: ${err instanceof Error ? err.message : String(err)}`);
+	}
+}
+async function addMemberToMls(client, configDir, apiUrl, groupId, memberAgentId, as, json) {
+	try {
+		if (!(await client.get(`/groups/${groupId}`)).mls_group_id) return;
+		const adminId = await resolveAgent(apiUrl, await fetchAgents(client), void 0, as);
+		await addMlsGroupMember(configDir, adminId, groupId, memberAgentId, client, { "X-Rine-Agent": adminId });
+	} catch (err) {
+		if (!json) printText(`Warning: MLS add-member failed: ${err instanceof Error ? err.message : String(err)}`);
+	}
+}
 function groupRow(g) {
 	return {
 		ID: g.id,
@@ -731,7 +756,7 @@ function requestRow(r) {
 }
 function registerGroup(program) {
 	const group = program.command("group").description("Group management");
-	group.command("create").description("Create a new group").requiredOption("--name <name>", "Group name (DNS-safe slug)").option("--enrollment <policy>", "Enrollment policy (open|closed|majority|unanimity)").option("--visibility <vis>", "Visibility (public|private)").option("--isolated", "Isolate group communication").option("--vote-duration <hours>", "Vote duration in hours (1-72)").action(withClient(program, async ({ client, gOpts }, opts) => {
+	group.command("create").description("Create a new group").requiredOption("--name <name>", "Group name (DNS-safe slug)").option("--enrollment <policy>", "Enrollment policy (open|closed|majority|unanimity)").option("--visibility <vis>", "Visibility (public|private)").option("--isolated", "Isolate group communication").option("--vote-duration <hours>", "Vote duration in hours (1-72)").action(withClient(program, async ({ client, gOpts, configDir, apiUrl }, opts) => {
 		const body = { name: opts.name };
 		if (opts.enrollment) body.enrollment_policy = opts.enrollment;
 		if (opts.visibility) body.visibility = opts.visibility;
@@ -742,6 +767,12 @@ function registerGroup(program) {
 		if (opts.isolated) body.isolated = true;
 		if (opts.voteDuration) body.vote_duration_hours = Number(opts.voteDuration);
 		const data = await client.post("/groups", body);
+		try {
+			const actingAgentId = await resolveAgent(apiUrl, await fetchAgents(client), void 0, gOpts.as);
+			await initMlsGroup(configDir, actingAgentId, data.id, client, { "X-Rine-Agent": actingAgentId });
+		} catch (err) {
+			if (!gOpts.json) printText(`Warning: MLS init failed (group still created): ${err instanceof Error ? err.message : String(err)}`);
+		}
 		if (gOpts.json) printJson(data);
 		else {
 			printTable([groupDetailRow(data)]);
@@ -788,10 +819,14 @@ function registerGroup(program) {
 		if (gOpts.json) printJson(data);
 		else printTable(data.items.map(memberRow));
 	}));
-	group.command("join").description("Join a group").argument("<group-id>", "Group ID").option("--message <msg>", "Join request message").action(withClient(program, async ({ client, gOpts }, groupId, opts) => {
+	group.command("join").description("Join a group").argument("<group-id>", "Group ID").option("--message <msg>", "Join request message").action(withClient(program, async ({ client, gOpts, configDir }, groupId, opts) => {
 		const body = {};
 		if (opts.message) body.message = opts.message;
 		const data = await client.post(`/groups/${groupId}/join`, body);
+		if ("role" in data) {
+			await installWelcomes(client, configDir, data.agent_id, gOpts.json);
+			await selfJoinViaExternalCommit(client, configDir, groupId, data.agent_id, gOpts.json);
+		}
 		if (gOpts.json) printJson(data);
 		else if ("role" in data) {
 			printTable([memberRow(data)]);
@@ -811,10 +846,12 @@ function registerGroup(program) {
 		await client.delete(`/groups/${groupId}/members/${resolved}`);
 		printMutationOk("Member removed", gOpts.json);
 	}));
-	group.command("invite").description("Invite an agent to the group").argument("<group-id>", "Group ID").requiredOption("--agent <id>", "Agent ID to invite").option("--message <msg>", "Invitation message").action(withClient(program, async ({ client, gOpts, apiUrl }, groupId, opts) => {
-		const body = { agent_id: await resolveToUuid(apiUrl, opts.agent) };
+	group.command("invite").description("Invite an agent to the group").argument("<group-id>", "Group ID").requiredOption("--agent <id>", "Agent ID to invite").option("--message <msg>", "Invitation message").action(withClient(program, async ({ client, gOpts, configDir, apiUrl }, groupId, opts) => {
+		const agentId = await resolveToUuid(apiUrl, opts.agent);
+		const body = { agent_id: agentId };
 		if (opts.message) body.message = opts.message;
 		const data = await client.post(`/groups/${groupId}/invite`, body);
+		await addMemberToMls(client, configDir, apiUrl, groupId, agentId, gOpts.as, gOpts.json);
 		if (gOpts.json) printJson(data);
 		else {
 			printText("Invitation sent");
@@ -826,13 +863,16 @@ function registerGroup(program) {
 		if (gOpts.json) printJson(data);
 		else printTable(data.items.map(requestRow));
 	}));
-	group.command("vote").description("Vote on a join request").argument("<group-id>", "Group ID").argument("<request-id>", "Join request ID").requiredOption("--vote <vote>", "Vote: approve or deny").action(withClient(program, async ({ client, gOpts }, groupId, requestId, opts) => {
+	group.command("vote").description("Vote on a join request").argument("<group-id>", "Group ID").argument("<request-id>", "Join request ID").requiredOption("--vote <vote>", "Vote: approve or deny").action(withClient(program, async ({ client, gOpts, configDir, apiUrl }, groupId, requestId, opts) => {
 		if (opts.vote !== "approve" && opts.vote !== "deny") {
 			printError("--vote must be 'approve' or 'deny'");
 			process.exitCode = 2;
 			return;
 		}
+		let applicantId;
+		if (opts.vote === "approve") applicantId = (await client.get(`/groups/${groupId}/requests`)).items.find((r) => r.id === requestId)?.agent_id;
 		const data = await client.post(`/groups/${groupId}/requests/${requestId}/vote`, { vote: opts.vote });
+		if (data.status === "approved" && applicantId) await addMemberToMls(client, configDir, apiUrl, groupId, applicantId, gOpts.as, gOpts.json);
 		if (gOpts.json) printJson(data);
 		else printText(`Vote recorded. Request status: ${data.status}`);
 	}));
@@ -845,7 +885,11 @@ function getKeysDir(configDir, agentId) {
 function backupKeys(configDir, agentId) {
 	const dir = getKeysDir(configDir, agentId);
 	const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-	for (const name of ["signing.key", "encryption.key"]) {
+	for (const name of [
+		"signing.key",
+		"encryption.key",
+		"pq_encryption.key"
+	]) {
 		const src = join(dir, name);
 		if (!fs.existsSync(src)) continue;
 		for (const f of fs.readdirSync(dir)) if (f.startsWith(`${name}.bak.`)) fs.unlinkSync(join(dir, f));
@@ -855,6 +899,7 @@ function backupKeys(configDir, agentId) {
 async function verifyServerKeys(client, agentId, expected) {
 	const server = await client.get(`/agents/${agentId}/keys`);
 	if (server.signing_public_key.x !== expected.signing_public_key.x || server.encryption_public_key.x !== expected.encryption_public_key.x) throw new Error("Server key verification failed: uploaded keys do not match. Old keys preserved locally.");
+	if (expected.pq_encryption_public_key && server.pq_encryption_public_key?.x !== expected.pq_encryption_public_key.x) throw new Error("Server PQ key verification failed: uploaded PQ key does not match. Old keys preserved locally.");
 }
 function registerKeys(program) {
 	const keys = program.command("keys").description("E2EE key management");
@@ -873,13 +918,16 @@ function registerKeys(program) {
 		}
 		let sigFingerprint = "-";
 		let encFingerprint = "-";
+		let pqFingerprint = "-";
 		if (hasLocal) {
 			const agentKeys = loadAgentKeys(configDir, agentId);
 			sigFingerprint = toBase64Url(agentKeys.signing.publicKey).slice(0, 8);
 			encFingerprint = toBase64Url(agentKeys.encryption.publicKey).slice(0, 8);
+			if (agentKeys.pqEncryption) pqFingerprint = toBase64Url(agentKeys.pqEncryption.publicKey).slice(0, 8);
 		} else if (serverKeys) {
 			sigFingerprint = serverKeys.signing_public_key.x.slice(0, 8);
 			encFingerprint = serverKeys.encryption_public_key.x.slice(0, 8);
+			if (serverKeys.pq_encryption_public_key) pqFingerprint = serverKeys.pq_encryption_public_key.x.slice(0, 8);
 		}
 		const keysLabel = hasLocal && hasServer ? "local + server" : hasLocal ? "local only" : hasServer ? "server only" : "none";
 		if (gOpts.json) printJson({
@@ -888,7 +936,8 @@ function registerKeys(program) {
 			local_keys: hasLocal,
 			server_keys: hasServer,
 			signing_fingerprint: sigFingerprint !== "-" ? sigFingerprint : null,
-			encryption_fingerprint: encFingerprint !== "-" ? encFingerprint : null
+			encryption_fingerprint: encFingerprint !== "-" ? encFingerprint : null,
+			pq_encryption_fingerprint: pqFingerprint !== "-" ? pqFingerprint : null
 		});
 		else printTable([
 			{
@@ -918,6 +967,10 @@ function registerKeys(program) {
 			{
 				Field: "Encryption Fingerprint",
 				Value: encFingerprint
+			},
+			{
+				Field: "PQ Encryption Fingerprint",
+				Value: pqFingerprint
 			}
 		]);
 	}));
@@ -945,6 +998,30 @@ function registerKeys(program) {
 		saveAgentKeys(configDir, agentId, agentKeys);
 		printMutationOk(`E2EE keys rotated for agent ${agentId}`, gOpts.json);
 	}));
+	keys.command("add-pq").description("Add a post-quantum encryption key without rotating other keys").option("--agent <id>", "Agent ID").action(withClient(program, async ({ client, gOpts, configDir, apiUrl }, opts) => {
+		const agentId = await resolveAgent(apiUrl, await fetchAgents(client), opts.agent, gOpts.as);
+		if (!agentKeysExist(configDir, agentId)) {
+			printError(`No keys found for agent ${agentId}. Use 'rine keys generate' first.`);
+			process.exitCode = 1;
+			return;
+		}
+		const existingKeys = loadAgentKeys(configDir, agentId);
+		if (existingKeys.pqEncryption) {
+			printError(`Agent ${agentId} already has a post-quantum key. Use 'rine keys rotate' to replace all keys.`);
+			process.exitCode = 1;
+			return;
+		}
+		backupKeys(configDir, agentId);
+		const pqKeyPair = generatePqKeyPair();
+		const pubKeys = getAgentPublicKeys(configDir, agentId, {
+			...existingKeys,
+			pqEncryption: pqKeyPair
+		});
+		await client.post(`/agents/${agentId}/keys`, pubKeys);
+		await verifyServerKeys(client, agentId, pubKeys);
+		savePqEncryptionKey(configDir, agentId, pqKeyPair);
+		printMutationOk(`Post-quantum encryption key added for agent ${agentId}`, gOpts.json);
+	}));
 	keys.command("export").description("Export private keys to a file").option("--agent <id>", "Agent ID").requiredOption("--output <file>", "Output file path").action(withClient(program, async ({ client, gOpts, configDir, apiUrl }, opts) => {
 		const agentId = await resolveAgent(apiUrl, await fetchAgents(client), opts.agent, gOpts.as);
 		if (!agentKeysExist(configDir, agentId)) {
@@ -958,6 +1035,7 @@ function registerKeys(program) {
 			signing_private_key: toBase64Url(agentKeys.signing.privateKey),
 			encryption_private_key: toBase64Url(agentKeys.encryption.privateKey)
 		};
+		if (agentKeys.pqEncryption) exported.pq_encryption_private_key = toBase64Url(agentKeys.pqEncryption.privateKey);
 		fs.writeFileSync(opts.output, JSON.stringify(exported, null, 2));
 		fs.chmodSync(opts.output, 384);
 		if (gOpts.json) printJson({
@@ -988,6 +1066,14 @@ function registerKeys(program) {
 			process.exitCode = 2;
 			return;
 		}
+		if (data.pq_encryption_private_key) {
+			const pqBytes = fromBase64Url(data.pq_encryption_private_key);
+			if (pqBytes.length !== 2400) {
+				printError(`Invalid PQ encryption key: expected 2400 bytes, got ${pqBytes.length}`);
+				process.exitCode = 2;
+				return;
+			}
+		}
 		const dir = join(resolveConfigDir(), "keys", data.agent_id);
 		fs.mkdirSync(dir, {
 			recursive: true,
@@ -999,6 +1085,11 @@ function registerKeys(program) {
 		const encPath = join(dir, "encryption.key");
 		fs.writeFileSync(encPath, data.encryption_private_key, "utf-8");
 		fs.chmodSync(encPath, 384);
+		if (data.pq_encryption_private_key) {
+			const pqPath = join(dir, "pq_encryption.key");
+			fs.writeFileSync(pqPath, data.pq_encryption_private_key, "utf-8");
+			fs.chmodSync(pqPath, 384);
+		}
 		printMutationOk(`Keys imported for agent ${data.agent_id}`, gOpts.json);
 	}));
 }
@@ -1050,6 +1141,26 @@ function resolvePayload(payload, payloadFile) {
 		return { error: "Payload must be valid JSON" };
 	}
 }
+async function resolveGroup(client, handle) {
+	const group = (await client.get("/groups", { handle })).items?.[0];
+	if (!group) throw new Error(`Group not found: ${handle}`);
+	return group;
+}
+async function encryptMlsWithRecovery(client, configDir, senderAgentId, groupId, payload) {
+	const hdrs = { "X-Rine-Agent": senderAgentId };
+	await processMlsWelcomes(configDir, senderAgentId, client).catch(() => {});
+	await syncMlsGroup(configDir, senderAgentId, groupId, client, hdrs).catch(() => {});
+	try {
+		return await encryptMlsGroupMessage(configDir, senderAgentId, groupId, payload);
+	} catch (err) {
+		if (err instanceof Error && err.message.startsWith("No MLS state for group")) {
+			await processMlsWelcomes(configDir, senderAgentId, client);
+			await syncMlsGroup(configDir, senderAgentId, groupId, client, hdrs);
+			return await encryptMlsGroupMessage(configDir, senderAgentId, groupId, payload);
+		}
+		throw err;
+	}
+}
 function addMessageCommands(parent, program) {
 	parent.command("send").description("Send an encrypted message").requiredOption("--to <address>", "Recipient: agent handle (agent@org), agent ID, or group handle (#group@org)").option("--type <type>", "Message type (default: rine.v1.dm)").option("--payload <json>", "Message payload as JSON string").option("--payload-file <path>", "Read payload JSON from file (use - for stdin)").option("--from <address>", "Sender: agent handle (agent@org) or agent ID").option("--idempotency-key <key>", "Idempotency key header").action(withClient(program, async ({ client, gOpts, configDir, apiUrl }, opts) => {
 		const result = resolvePayload(opts.payload, opts.payloadFile);
@@ -1079,12 +1190,18 @@ function addMessageCommands(parent, program) {
 		else body.to_agent_id = to;
 		if (from?.includes("@")) body.from_handle = from;
 		if (to.startsWith("#") && senderAgentId) {
-			const { state, groupId } = await getOrCreateSenderKey(client, configDir, senderAgentId, to, Object.keys(extraHeaders).length > 0 ? extraHeaders : void 0);
-			const { result: encResult } = await encryptGroupMessage(configDir, senderAgentId, groupId, state, parsedPayload);
-			Object.assign(body, encResult);
+			const group = await resolveGroup(client, to);
+			if (group.mls_group_id) {
+				const encResult = await encryptMlsWithRecovery(client, configDir, senderAgentId, group.id, parsedPayload);
+				Object.assign(body, encResult);
+			} else {
+				const { state, groupId } = await getOrCreateSenderKey(client, configDir, senderAgentId, to, Object.keys(extraHeaders).length > 0 ? extraHeaders : void 0);
+				const { result: encResult } = await encryptGroupMessage(configDir, senderAgentId, groupId, state, parsedPayload);
+				Object.assign(body, encResult);
+			}
 		} else if (senderAgentId && recipientAgentId) {
-			const recipientPk = await fetchRecipientEncryptionKey(client, recipientAgentId);
-			const encrypted = await encryptMessage(configDir, senderAgentId, recipientPk, parsedPayload);
+			const recipientKeys = await fetchRecipientKeys(client, recipientAgentId);
+			const encrypted = await encryptMessage(configDir, senderAgentId, recipientKeys.encryption, parsedPayload, recipientKeys.pqEncryption);
 			Object.assign(body, encrypted);
 		} else throw new Error("Cannot encrypt: unable to resolve sender or recipient. Use UUIDs or ensure WebFinger is available.");
 		const data = await client.post("/messages", body, Object.keys(extraHeaders).length > 0 ? extraHeaders : void 0);
@@ -1094,9 +1211,9 @@ function addMessageCommands(parent, program) {
 	parent.command("read").description("Read and decrypt a message by ID").argument("<message-id>", "Message ID").option("--agent <id>", "Agent ID (for decryption key)").action(withClient(program, async ({ client, gOpts, configDir, apiUrl }, messageId, opts) => {
 		const data = await client.get(`/messages/${messageId}`);
 		const agentId = await resolveAgent(apiUrl, await fetchAgents(client), opts.agent, gOpts.as);
-		if ((data.encryption_version === "hpke-v1" || data.encryption_version === "sender-key-v1") && agentKeysExist(configDir, agentId)) {
+		if ((data.encryption_version === "hpke-v1" || data.encryption_version === "hpke-hybrid-v1" || data.encryption_version === "sender-key-v1" || data.encryption_version === "mls-v1") && agentKeysExist(configDir, agentId)) {
 			let decResult;
-			if (data.encryption_version === "sender-key-v1" && data.group_id) try {
+			if ((data.encryption_version === "sender-key-v1" || data.encryption_version === "mls-v1") && data.group_id) try {
 				decResult = await decryptGroupMessage(configDir, agentId, data.group_id, data.encrypted_payload, client);
 			} catch (err) {
 				const match = err instanceof Error && err.message.match(/^unknown sender key id: (.+)$/);
@@ -1190,7 +1307,8 @@ function addMessageCommands(parent, program) {
 		try {
 			const body = { type: resolvedType };
 			if (!recipientAgentId || !agentKeysExist(configDir, senderAgentId)) throw new Error("Cannot reply: encryption keys unavailable. Run 'rine keys generate' first.");
-			const encrypted = await encryptMessage(configDir, senderAgentId, await fetchRecipientEncryptionKey(client, recipientAgentId), parsedPayload);
+			const recipientKeys = await fetchRecipientKeys(client, recipientAgentId);
+			const encrypted = await encryptMessage(configDir, senderAgentId, recipientKeys.encryption, parsedPayload, recipientKeys.pqEncryption);
 			Object.assign(body, encrypted);
 			const data = await client.post(`/messages/${messageId}/reply`, body);
 			if (gOpts.json) printJson(data);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rine-network/cli",
-  "version": "0.9.6",
+  "version": "0.10.0",
   "description": "CLI client for rine.network \u2014 EU-first messaging infrastructure for AI agents",
   "author": "mmmbs <mmmbs@proton.me>",
   "license": "EUPL-1.2",
@@ -28,7 +28,7 @@
     "dev": "tsx src/main.ts"
   },
   "dependencies": {
-    "@rine-network/core": "^0.4.4",
+    "@rine-network/core": "^0.5.0",
     "commander": "^12.0.0",
     "eventsource-client": "^1.1.0"
   },