@soyeht/soyeht 0.2.1 → 0.2.3

package/openclaw.plugin.json

@@ -5,7 +5,7 @@
   ],
   "name": "Soyeht",
   "description": "Channel plugin for the Soyeht Flutter mobile app",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soyeht/soyeht",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "OpenClaw channel plugin for the Soyeht Flutter mobile app",
   "type": "module",
   "main": "src/index.ts",

package/src/http.ts

@@ -1,10 +1,27 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
-import { normalizeAccountId } from "./config.js";
+import { normalizeAccountId, resolveSoyehtAccount } from "./config.js";
 import { decryptEnvelopeV2, validateEnvelopeV2, type EnvelopeV2 } from "./envelope-v2.js";
-import { cloneRatchetSession } from "./ratchet.js";
+import { cloneRatchetSession, zeroBuffer, type RatchetState } from "./ratchet.js";
 import type { SecurityV2Deps } from "./service.js";
 import { PLUGIN_VERSION } from "./version.js";
+import {
+  base64UrlDecode,
+  computeFingerprint,
+  generateX25519KeyPair,
+  importEd25519PublicKey,
+  importX25519PublicKey,
+  ed25519Verify,
+  isTimestampValid,
+} from "./crypto.js";
+import { buildPairingProofTranscript } from "./pairing.js";
+import {
+  buildHandshakeTranscript,
+  signHandshakeTranscript,
+  verifyHandshakeTranscript,
+  performX3DH,
+} from "./x3dh.js";
+import { savePeer, saveSession, deleteSession, type PeerIdentity } from "./identity.js";
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -341,6 +358,442 @@ export function sseHandler(
   };
 }
 
+// ---------------------------------------------------------------------------
+// Helpers for HTTP pairing
+// ---------------------------------------------------------------------------
+
+function isWellFormedNonce(nonce: string): boolean {
+  try {
+    const decoded = base64UrlDecode(nonce);
+    return decoded.length >= 16 && decoded.length <= 64;
+  } catch {
+    return false;
+  }
+}
+
+function clearAccountSessionState(v2deps: SecurityV2Deps, accountId: string): void {
+  const existing = v2deps.sessions.get(accountId);
+  if (existing) {
+    zeroBuffer(existing.rootKey);
+    zeroBuffer(existing.sending.chainKey);
+    zeroBuffer(existing.receiving.chainKey);
+    v2deps.sessions.delete(accountId);
+  }
+  for (const [key, pending] of v2deps.pendingHandshakes) {
+    if (pending.accountId === accountId) {
+      v2deps.pendingHandshakes.delete(key);
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// GET /soyeht/pairing/info?t=<pairingToken>
+// ---------------------------------------------------------------------------
+
+export function pairingInfoHandler(
+  _api: OpenClawPluginApi,
+  v2deps: SecurityV2Deps,
+) {
+  return async (req: IncomingMessage, res: ServerResponse) => {
+    if (req.method !== "GET") {
+      sendJson(res, 405, { ok: false, error: "method_not_allowed" });
+      return;
+    }
+
+    if (!v2deps.ready || !v2deps.identity) {
+      sendJson(res, 503, { ok: false, error: "service_unavailable" });
+      return;
+    }
+
+    const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+    const pairingToken = url.searchParams.get("t") ?? "";
+    if (!pairingToken) {
+      sendJson(res, 400, { ok: false, error: "missing_pairing_token" });
+      return;
+    }
+
+    const { allowed } = v2deps.rateLimiter.check(`pairing:info:${pairingToken}`);
+    if (!allowed) {
+      sendJson(res, 429, { ok: false, error: "rate_limited" });
+      return;
+    }
+
+    const session = v2deps.pairingSessions.get(pairingToken);
+    if (!session) {
+      sendJson(res, 404, { ok: false, error: "pairing_not_found" });
+      return;
+    }
+
+    if (session.expiresAt <= Date.now()) {
+      sendJson(res, 410, { ok: false, error: "pairing_expired" });
+      return;
+    }
+
+    sendJson(res, 200, {
+      ok: true,
+      accountId: session.accountId,
+      pluginIdentityKey: v2deps.identity.signKey.publicKeyB64,
+      pluginDhKey: v2deps.identity.dhKey.publicKeyB64,
+      fingerprint: computeFingerprint(v2deps.identity),
+      expiresAt: session.expiresAt,
+      allowOverwrite: session.allowOverwrite,
+    });
+  };
+}
+
+// ---------------------------------------------------------------------------
+// POST /soyeht/pairing/pair — register peer + start handshake in one step
+// ---------------------------------------------------------------------------
+
+const PAIRING_HANDSHAKE_TOLERANCE_MS = 120_000; // 2 minutes for HTTP round-trip
+
+export function pairingPairHandler(
+  api: OpenClawPluginApi,
+  v2deps: SecurityV2Deps,
+) {
+  return async (req: IncomingMessage, res: ServerResponse) => {
+    if (req.method !== "POST") {
+      sendJson(res, 405, { ok: false, error: "method_not_allowed" });
+      return;
+    }
+
+    if (!v2deps.ready || !v2deps.identity) {
+      sendJson(res, 503, { ok: false, error: "service_unavailable" });
+      return;
+    }
+
+    let body: Record<string, unknown>;
+    try {
+      const raw = await readRawBodyBuffer(req);
+      body = JSON.parse(raw.toString("utf8"));
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_json" });
+      return;
+    }
+
+    const pairingToken = body["pairingToken"] as string | undefined;
+    const accountId = normalizeAccountId(body["accountId"] as string | undefined);
+    const appIdentityKey = body["appIdentityKey"] as string | undefined;
+    const appDhKey = body["appDhKey"] as string | undefined;
+    const appSignature = body["appSignature"] as string | undefined;
+    const appEphemeralKey = body["appEphemeralKey"] as string | undefined;
+    const nonce = body["nonce"] as string | undefined;
+    const timestamp = body["timestamp"] as number | undefined;
+
+    if (!pairingToken || !appIdentityKey || !appDhKey || !appSignature ||
+        !appEphemeralKey || !nonce || typeof timestamp !== "number") {
+      sendJson(res, 400, { ok: false, error: "missing_params" });
+      return;
+    }
+
+    const { allowed } = v2deps.rateLimiter.check(`pairing:pair:${accountId}`);
+    if (!allowed) {
+      sendJson(res, 429, { ok: false, error: "rate_limited" });
+      return;
+    }
+
+    // --- Validate pairing session ---
+
+    const pairingSession = v2deps.pairingSessions.get(pairingToken);
+    if (!pairingSession) {
+      sendJson(res, 404, { ok: false, error: "pairing_not_found" });
+      return;
+    }
+
+    if (pairingSession.expiresAt <= Date.now()) {
+      v2deps.pairingSessions.delete(pairingToken);
+      sendJson(res, 410, { ok: false, error: "pairing_expired" });
+      return;
+    }
+
+    if (pairingSession.accountId !== accountId) {
+      sendJson(res, 403, { ok: false, error: "account_mismatch" });
+      return;
+    }
+
+    // --- Validate keys ---
+
+    let appIdentityPub;
+    try {
+      appIdentityPub = importEd25519PublicKey(appIdentityKey);
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_identity_key" });
+      return;
+    }
+
+    try {
+      importX25519PublicKey(appDhKey);
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_dh_key" });
+      return;
+    }
+
+    try {
+      importX25519PublicKey(appEphemeralKey);
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_ephemeral_key" });
+      return;
+    }
+
+    // --- Verify pairing signature ---
+
+    const proofTranscript = buildPairingProofTranscript({
+      accountId,
+      pairingToken,
+      expiresAt: pairingSession.expiresAt,
+      appIdentityKey,
+      appDhKey,
+    });
+    if (!ed25519Verify(appIdentityPub, proofTranscript, base64UrlDecode(appSignature))) {
+      sendJson(res, 403, { ok: false, error: "invalid_signature" });
+      return;
+    }
+
+    // --- Validate nonce + timestamp ---
+
+    if (!isWellFormedNonce(nonce)) {
+      sendJson(res, 400, { ok: false, error: "invalid_nonce" });
+      return;
+    }
+
+    if (!isTimestampValid(timestamp, PAIRING_HANDSHAKE_TOLERANCE_MS)) {
+      sendJson(res, 400, { ok: false, error: "timestamp_out_of_range" });
+      return;
+    }
+
+    if (!v2deps.nonceCache.add(`pairing:http:${accountId}:${nonce}`)) {
+      sendJson(res, 409, { ok: false, error: "nonce_reused" });
+      return;
+    }
+
+    // --- Check existing peer ---
+
+    if (v2deps.peers.has(accountId) && !pairingSession.allowOverwrite) {
+      sendJson(res, 409, { ok: false, error: "peer_already_paired" });
+      return;
+    }
+
+    // --- Register peer (clear old state first) ---
+
+    clearAccountSessionState(v2deps, accountId);
+    if (v2deps.stateDir) {
+      await deleteSession(v2deps.stateDir, accountId).catch(() => {});
+    }
+
+    const peer: PeerIdentity = {
+      accountId,
+      identityKeyB64: appIdentityKey,
+      dhKeyB64: appDhKey,
+    };
+    v2deps.peers.set(accountId, peer);
+    v2deps.pairingSessions.delete(pairingToken);
+
+    if (v2deps.stateDir) {
+      await savePeer(v2deps.stateDir, peer).catch(() => {});
+    }
+
+    // --- Start handshake ---
+
+    const cfg = await api.runtime.config.loadConfig();
+    const account = resolveSoyehtAccount(cfg, accountId);
+    const now = Date.now();
+    const challengeExpiresAt = now + PAIRING_HANDSHAKE_TOLERANCE_MS;
+    const sessionExpiresAt = now + account.security.sessionMaxAgeMs;
+    const pluginEphemeralKey = generateX25519KeyPair();
+
+    const transcript = buildHandshakeTranscript({
+      accountId,
+      appEphKeyB64: appEphemeralKey,
+      pluginEphKeyB64: pluginEphemeralKey.publicKeyB64,
+      nonce,
+      timestamp,
+      expiresAt: sessionExpiresAt,
+    });
+    const pluginSignature = signHandshakeTranscript(
+      v2deps.identity.signKey.privateKey,
+      transcript,
+    );
+
+    const pendingKey = `${accountId}:${nonce}`;
+    v2deps.pendingHandshakes.set(pendingKey, {
+      key: pendingKey,
+      accountId,
+      nonce,
+      appEphemeralKey,
+      pluginEphemeralKey,
+      transcript,
+      challengeExpiresAt,
+      sessionExpiresAt,
+    });
+
+    api.logger.info("[soyeht] HTTP pairing + handshake init completed", { accountId });
+
+    sendJson(res, 200, {
+      ok: true,
+      accountId,
+      pluginIdentityKey: v2deps.identity.signKey.publicKeyB64,
+      pluginDhKey: v2deps.identity.dhKey.publicKeyB64,
+      fingerprint: computeFingerprint(v2deps.identity),
+      pluginEphemeralKey: pluginEphemeralKey.publicKeyB64,
+      pluginSignature,
+      nonce,
+      timestamp,
+      serverTimestamp: now,
+      challengeExpiresAt,
+      sessionExpiresAt,
+    });
+  };
+}
+
+// ---------------------------------------------------------------------------
+// POST /soyeht/pairing/finish — complete handshake, derive session, return streamToken
+// ---------------------------------------------------------------------------
+
+export function pairingFinishHandler(
+  api: OpenClawPluginApi,
+  v2deps: SecurityV2Deps,
+) {
+  return async (req: IncomingMessage, res: ServerResponse) => {
+    if (req.method !== "POST") {
+      sendJson(res, 405, { ok: false, error: "method_not_allowed" });
+      return;
+    }
+
+    if (!v2deps.ready || !v2deps.identity) {
+      sendJson(res, 503, { ok: false, error: "service_unavailable" });
+      return;
+    }
+
+    let body: Record<string, unknown>;
+    try {
+      const raw = await readRawBodyBuffer(req);
+      body = JSON.parse(raw.toString("utf8"));
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_json" });
+      return;
+    }
+
+    const accountId = normalizeAccountId(body["accountId"] as string | undefined);
+    const nonce = body["nonce"] as string | undefined;
+    const appSignature = body["appSignature"] as string | undefined;
+
+    if (!nonce || !appSignature) {
+      sendJson(res, 400, { ok: false, error: "missing_params" });
+      return;
+    }
+
+    const { allowed } = v2deps.rateLimiter.check(`pairing:finish:${accountId}`);
+    if (!allowed) {
+      sendJson(res, 429, { ok: false, error: "rate_limited" });
+      return;
+    }
+
+    const pendingKey = `${accountId}:${nonce}`;
+    const pending = v2deps.pendingHandshakes.get(pendingKey);
+    if (!pending) {
+      sendJson(res, 404, { ok: false, error: "handshake_not_found" });
+      return;
+    }
+
+    if (pending.challengeExpiresAt <= Date.now()) {
+      v2deps.pendingHandshakes.delete(pendingKey);
+      sendJson(res, 410, { ok: false, error: "handshake_expired" });
+      return;
+    }
+
+    const peer = v2deps.peers.get(accountId);
+    if (!peer) {
+      sendJson(res, 404, { ok: false, error: "peer_not_found" });
+      return;
+    }
+
+    let appIdentityPub;
+    try {
+      appIdentityPub = importEd25519PublicKey(peer.identityKeyB64);
+    } catch {
+      sendJson(res, 500, { ok: false, error: "invalid_peer_key" });
+      return;
+    }
+
+    if (!verifyHandshakeTranscript(appIdentityPub, pending.transcript, appSignature)) {
+      sendJson(res, 403, { ok: false, error: "invalid_signature" });
+      return;
+    }
+
+    let appEphemeralPub;
+    try {
+      appEphemeralPub = importX25519PublicKey(pending.appEphemeralKey);
+    } catch {
+      v2deps.pendingHandshakes.delete(pendingKey);
+      sendJson(res, 500, { ok: false, error: "invalid_ephemeral_key" });
+      return;
+    }
+
+    let peerStaticDhPub;
+    try {
+      peerStaticDhPub = importX25519PublicKey(peer.dhKeyB64);
+    } catch {
+      sendJson(res, 500, { ok: false, error: "invalid_peer_dh_key" });
+      return;
+    }
+
+    const x3dhResult = await performX3DH({
+      myStaticDhKey: v2deps.identity.dhKey,
+      myEphemeralKey: pending.pluginEphemeralKey,
+      peerStaticDhPub,
+      peerEphemeralPub: appEphemeralPub,
+      nonce,
+    });
+
+    // Clear any existing session for this account
+    const existingSession = v2deps.sessions.get(accountId);
+    if (existingSession) {
+      zeroBuffer(existingSession.rootKey);
+      zeroBuffer(existingSession.sending.chainKey);
+      zeroBuffer(existingSession.receiving.chainKey);
+      v2deps.sessions.delete(accountId);
+    }
+
+    const session: RatchetState = {
+      accountId,
+      rootKey: x3dhResult.rootKey,
+      sending: { chainKey: x3dhResult.sendChainKey, counter: 0 },
+      receiving: { chainKey: x3dhResult.recvChainKey, counter: 0 },
+      myCurrentEphDhKey: pending.pluginEphemeralKey,
+      peerLastEphDhKeyB64: pending.appEphemeralKey,
+      dhRatchetSendCount: 0,
+      dhRatchetRecvCount: 0,
+      createdAt: Date.now(),
+      expiresAt: pending.sessionExpiresAt,
+    };
+
+    v2deps.sessions.set(accountId, session);
+    v2deps.pendingHandshakes.delete(pendingKey);
+
+    if (v2deps.stateDir) {
+      await saveSession(v2deps.stateDir, session).catch((err) => {
+        api.logger.error("[soyeht] Failed to persist session", { accountId, err });
+      });
+    }
+
+    // Issue stream token for SSE auth
+    v2deps.outboundQueue.revokeStreamTokensForAccount(accountId);
+    const streamToken = v2deps.outboundQueue.createStreamToken(
+      accountId,
+      pending.sessionExpiresAt,
+    );
+
+    api.logger.info("[soyeht] HTTP pairing handshake completed", { accountId });
+
+    sendJson(res, 200, {
+      ok: true,
+      complete: true,
+      sessionExpiresAt: pending.sessionExpiresAt,
+      streamToken,
+    });
+  };
+}
+
 // ---------------------------------------------------------------------------
 // POST /soyeht/livekit/token — stub
 // ---------------------------------------------------------------------------

package/src/index.ts

@@ -15,6 +15,9 @@ import {
   livekitTokenHandler,
   inboundHandler,
   sseHandler,
+  pairingInfoHandler,
+  pairingPairHandler,
+  pairingFinishHandler,
 } from "./http.js";
 import {
   createSoyehtService,
@@ -23,6 +26,7 @@ import {
 import {
   handleSecurityIdentity,
   handleSecurityPair,
+  handleSecurityPairingInfo,
   handleSecurityPairingStart,
 } from "./pairing.js";
 import { PLUGIN_VERSION } from "./version.js";
@@ -89,6 +93,7 @@ const soyehtPlugin: OpenClawPluginDefinition = {
     // Security RPC
     api.registerGatewayMethod("soyeht.security.identity", handleSecurityIdentity(api, v2deps));
     api.registerGatewayMethod("soyeht.security.pairing.start", handleSecurityPairingStart(api, v2deps));
+    api.registerGatewayMethod("soyeht.security.pairing.info", handleSecurityPairingInfo(api, v2deps));
     api.registerGatewayMethod("soyeht.security.pair", handleSecurityPair(api, v2deps));
     api.registerGatewayMethod("soyeht.security.handshake.init", handleSecurityHandshake(api, v2deps));
     api.registerGatewayMethod("soyeht.security.handshake.finish", handleSecurityHandshakeFinish(api, v2deps));
@@ -125,6 +130,23 @@ const soyehtPlugin: OpenClawPluginDefinition = {
       handler: sseHandler(api, v2deps),
     });
 
+    // HTTP pairing routes (app pairs via HTTP, no WebSocket needed)
+    api.registerHttpRoute({
+      path: "/soyeht/pairing/info",
+      auth: "plugin",
+      handler: pairingInfoHandler(api, v2deps),
+    });
+    api.registerHttpRoute({
+      path: "/soyeht/pairing/pair",
+      auth: "plugin",
+      handler: pairingPairHandler(api, v2deps),
+    });
+    api.registerHttpRoute({
+      path: "/soyeht/pairing/finish",
+      auth: "plugin",
+      handler: pairingFinishHandler(api, v2deps),
+    });
+
     // Background service (manages state lifecycle)
     api.registerService(createSoyehtService(api, v2deps));
 

package/src/pairing.ts

@@ -136,6 +136,61 @@ function resolveGatewayUrl(api: OpenClawPluginApi, configGatewayUrl: string): st
   return "";
 }
 
+// ---------------------------------------------------------------------------
+// soyeht.security.pairing.info — return session data for a given pairing token
+// ---------------------------------------------------------------------------
+
+export function handleSecurityPairingInfo(
+  _api: OpenClawPluginApi,
+  v2deps: SecurityV2Deps,
+): GatewayRequestHandler {
+  return async ({ params, respond }) => {
+    if (!v2deps.ready) {
+      respond(false, undefined, { code: "NOT_READY", message: "Service not ready" });
+      return;
+    }
+    if (!v2deps.identity) {
+      respond(false, undefined, { code: "NO_IDENTITY", message: "Identity not initialized" });
+      return;
+    }
+
+    const pairingToken = params["pairingToken"] as string | undefined;
+    if (!pairingToken) {
+      respond(false, undefined, {
+        code: "INVALID_PARAMS",
+        message: "Missing required param: pairingToken",
+      });
+      return;
+    }
+
+    const session = v2deps.pairingSessions.get(pairingToken);
+    if (!session) {
+      respond(false, undefined, {
+        code: "PAIRING_REQUIRED",
+        message: "No active pairing session. Scan a fresh QR code first.",
+      });
+      return;
+    }
+
+    if (session.expiresAt <= Date.now()) {
+      respond(false, undefined, {
+        code: "PAIRING_EXPIRED",
+        message: "Pairing QR expired. Scan a fresh QR code first.",
+      });
+      return;
+    }
+
+    respond(true, {
+      accountId: session.accountId,
+      expiresAt: session.expiresAt,
+      allowOverwrite: session.allowOverwrite,
+      pluginIdentityKey: v2deps.identity.signKey.publicKeyB64,
+      pluginDhKey: v2deps.identity.dhKey.publicKeyB64,
+      fingerprint: computeFingerprint(v2deps.identity),
+    });
+  };
+}
+
 // ---------------------------------------------------------------------------
 // soyeht.security.identity — expose plugin public keys
 // ---------------------------------------------------------------------------

package/src/service.ts

@@ -10,13 +10,12 @@ import {
 } from "./security.js";
 import { loadOrGenerateIdentity, loadPeers, loadSessions, saveSession } from "./identity.js";
 import { zeroBuffer } from "./ratchet.js";
-import { base64UrlEncode, computeFingerprint, ed25519Sign, type X25519KeyPair } from "./crypto.js";
+import { base64UrlEncode, computeFingerprint, type X25519KeyPair } from "./crypto.js";
 import type { IdentityBundle, PeerIdentity } from "./identity.js";
 import type { RatchetState } from "./ratchet.js";
 import { createOutboundQueue, type OutboundQueue } from "./outbound-queue.js";
 import { renderQrTerminal } from "./qr.js";
 import { resolveSoyehtAccount } from "./config.js";
-import { buildPairingQrTranscript, buildPairingQrTranscriptV2 } from "./pairing.js";
 
 const HEARTBEAT_INTERVAL_MS = 60_000; // 60s
 
@@ -92,51 +91,10 @@ async function showPairingQr(api: OpenClawPluginApi, v2deps: SecurityV2Deps): Pr
   const expiresAt = Date.now() + AUTO_PAIRING_TTL_MS;
   const fingerprint = computeFingerprint(identity);
 
-  // Resolve gatewayUrl from config or runtime
+  // Resolve gatewayUrl from config
   const cfg = await api.runtime.config.loadConfig();
   const account = resolveSoyehtAccount(cfg, accountId);
-  let gatewayUrl = account.gatewayUrl;
-  if (!gatewayUrl) {
-    const runtime = api.runtime as Record<string, unknown>;
-    if (typeof runtime["gatewayUrl"] === "string" && runtime["gatewayUrl"]) {
-      gatewayUrl = runtime["gatewayUrl"];
-    } else if (typeof runtime["baseUrl"] === "string" && runtime["baseUrl"]) {
-      gatewayUrl = runtime["baseUrl"];
-    }
-  }
-
-  const basePayload = {
-    accountId,
-    pairingToken,
-    expiresAt,
-    allowOverwrite: false,
-    pluginIdentityKey: identity.signKey.publicKeyB64,
-    pluginDhKey: identity.dhKey.publicKeyB64,
-    fingerprint,
-  };
-
-  let qrPayload: Record<string, unknown>;
-
-  if (gatewayUrl) {
-    const transcript = buildPairingQrTranscriptV2({ gatewayUrl, ...basePayload });
-    const signature = base64UrlEncode(ed25519Sign(identity.signKey.privateKey, transcript));
-    qrPayload = {
-      version: 2,
-      type: "soyeht_pairing_qr",
-      gatewayUrl,
-      ...basePayload,
-      signature,
-    };
-  } else {
-    const transcript = buildPairingQrTranscript(basePayload);
-    const signature = base64UrlEncode(ed25519Sign(identity.signKey.privateKey, transcript));
-    qrPayload = {
-      version: 1,
-      type: "soyeht_pairing_qr",
-      ...basePayload,
-      signature,
-    };
-  }
+  const gatewayUrl = account.gatewayUrl;
 
   v2deps.pairingSessions.set(pairingToken, {
     token: pairingToken,
@@ -145,11 +103,15 @@ async function showPairingQr(api: OpenClawPluginApi, v2deps: SecurityV2Deps): Pr
     allowOverwrite: false,
   });
 
-  const qrText = JSON.stringify(qrPayload);
+  // Compact QR: soyeht://pair?g=<gatewayUrl>&t=<token>&fp=<fingerprint>
+  // App fetches full key material via RPC soyeht.security.pairing.info
+  const qrText = `soyeht://pair?g=${encodeURIComponent(gatewayUrl)}&t=${pairingToken}&fp=${fingerprint}`;
   const rendered = renderQrTerminal(qrText);
 
   if (rendered) {
-    api.logger.info("[soyeht] Scan this QR code with the Soyeht app to pair:\n\n" + rendered);
+    // Write QR directly to stdout to avoid logger prefixes breaking ANSI escape codes
+    process.stdout.write("\n" + rendered + "\n\n");
+    api.logger.info(`[soyeht] Scan the QR code above with the Soyeht app to pair`);
     api.logger.info(`[soyeht] Fingerprint: ${fingerprint}`);
     api.logger.info(`[soyeht] QR expires in ${AUTO_PAIRING_TTL_MS / 1000}s — restart plugin to generate a new one`);
   } else {

package/src/version.ts

@@ -1 +1 @@
-export const PLUGIN_VERSION = "0.2.1";
+export const PLUGIN_VERSION = "0.2.3";