@soyeht/soyeht 0.2.10 → 0.2.12

package/openclaw.plugin.json

@@ -5,7 +5,7 @@
   ],
   "name": "Soyeht",
   "description": "Channel plugin for the Soyeht Flutter mobile app",
-  "version": "0.2.10",
+  "version": "0.2.12",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soyeht/soyeht",
-  "version": "0.2.10",
+  "version": "0.2.12",
   "description": "OpenClaw channel plugin for the Soyeht Flutter mobile app",
   "type": "module",
   "main": "src/index.ts",

package/src/http.ts

@@ -1,3 +1,4 @@
+import { createHash, randomBytes } from "node:crypto";
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { OpenClawPluginApi, PluginRuntimeChannel } from "openclaw/plugin-sdk";
 import { normalizeAccountId, resolveSoyehtAccount } from "./config.js";
@@ -8,14 +9,22 @@ import type { SecurityV2Deps } from "./service.js";
 import { PLUGIN_VERSION } from "./version.js";
 import {
   base64UrlDecode,
+  base64UrlEncode,
   computeFingerprint,
+  ed25519Sign,
   generateX25519KeyPair,
   importEd25519PublicKey,
   importX25519PublicKey,
   ed25519Verify,
   isTimestampValid,
 } from "./crypto.js";
-import { buildPairingProofTranscript } from "./pairing.js";
+import {
+  buildPairingProofTranscript,
+  buildPairingQrTranscript,
+  buildPairingQrTranscriptV2,
+  resolveGatewayUrl,
+} from "./pairing.js";
+import { renderQrTerminal } from "./qr.js";
 import {
   buildHandshakeTranscript,
   signHandshakeTranscript,
@@ -69,6 +78,11 @@ export type ProcessInboundResult =
   | { ok: true; plaintext: string; accountId: string; envelope: EnvelopeV2 }
   | { ok: false; status: number; error: string };
 
+// Short hash for safe diagnostic logging (no key material leaked)
+function diagHash(buf: Buffer): string {
+  return createHash("sha256").update(buf).digest("hex").slice(0, 8);
+}
+
 export function processInboundEnvelope(
   api: OpenClawPluginApi,
   v2deps: SecurityV2Deps,
@@ -83,6 +97,7 @@ export function processInboundEnvelope(
   const accountId = hintedAccountId ?? envelopeAccountId;
   const session = v2deps.sessions.get(accountId);
   if (!session) {
+    api.logger.warn("[soyeht] DIAG: no session for account", { accountId, knownAccounts: [...v2deps.sessions.keys()] });
     return { ok: false, status: 401, error: "session_required" };
   }
 
@@ -94,9 +109,41 @@ export function processInboundEnvelope(
     return { ok: false, status: 401, error: "account_mismatch" };
   }
 
+  // --- Diagnostic logging: envelope + session state before decrypt ---
+  let ivLen = 0, ctLen = 0, tagLen = 0;
+  let b64DecodeError: string | undefined;
+  try {
+    ivLen = base64UrlDecode(envelope.iv).length;
+    ctLen = base64UrlDecode(envelope.ciphertext).length;
+    tagLen = base64UrlDecode(envelope.tag).length;
+  } catch (e) {
+    b64DecodeError = e instanceof Error ? e.message : String(e);
+  }
+
+  api.logger.info("[soyeht] DIAG inbound", {
+    accountId,
+    peerExists: v2deps.peers.has(accountId),
+    rootKeyHash: diagHash(session.rootKey),
+    recvChainKeyHash: diagHash(session.receiving.chainKey),
+    sendChainKeyHash: diagHash(session.sending.chainKey),
+    sessionRecvCounter: session.receiving.counter,
+    sessionSendCounter: session.sending.counter,
+    envelopeVersion: envelope.v,
+    envelopeDirection: envelope.direction,
+    envelopeCounter: envelope.counter,
+    envelopeTimestamp: envelope.timestamp,
+    hasDhRatchetKey: Boolean(envelope.dhRatchetKey),
+    ivLen,
+    ctLen,
+    tagLen,
+    b64DecodeError: b64DecodeError ?? "none",
+    aad: `${envelope.v}|${envelope.accountId}|${envelope.direction}|${envelope.counter}|${envelope.timestamp}`,
+  });
+  // --- End diagnostic logging ---
+
   const validation = validateEnvelopeV2(envelope, session);
   if (!validation.valid) {
-    api.logger.warn("[soyeht] Envelope validation failed", { error: validation.error, accountId });
+    api.logger.warn("[soyeht] DIAG validation failed", { error: validation.error, accountId });
     return { ok: false, status: 401, error: validation.error };
   }
 
@@ -112,10 +159,23 @@ export function processInboundEnvelope(
     updatedSession = result.updatedSession;
   } catch (err) {
     const msg = err instanceof Error ? err.message : "decryption_failed";
-    api.logger.warn("[soyeht] Envelope decryption failed", { error: msg, accountId });
+    const isAuthFailure = msg.includes("authenticate data") || msg.includes("auth");
+    api.logger.error("[soyeht] DIAG decrypt FAILED", {
+      accountId,
+      error: msg,
+      isGcmAuthFailure: isAuthFailure,
+      envelopeCounter: envelope.counter,
+      sessionRecvCounter: session.receiving.counter,
+      hasDhRatchetKey: Boolean(envelope.dhRatchetKey),
+      ivLen,
+      ctLen,
+      tagLen,
+    });
     return { ok: false, status: 401, error: msg };
   }
 
+  api.logger.info("[soyeht] DIAG decrypt OK", { accountId, plaintextLen: plaintext.length });
+
   // Update session
   v2deps.sessions.set(accountId, updatedSession);
 
@@ -537,6 +597,103 @@ function clearAccountSessionState(v2deps: SecurityV2Deps, accountId: string): vo
   }
 }
 
+// ---------------------------------------------------------------------------
+// GET /soyeht/pairing/start — generate a pairing QR via HTTP (no RPC needed)
+// ---------------------------------------------------------------------------
+
+const DEFAULT_PAIRING_TTL_MS = 90_000;
+
+export function pairingStartHandler(
+  api: OpenClawPluginApi,
+  v2deps: SecurityV2Deps,
+) {
+  return async (req: IncomingMessage, res: ServerResponse) => {
+    if (req.method !== "GET") {
+      sendJson(res, 405, { ok: false, error: "method_not_allowed" });
+      return;
+    }
+
+    if (!v2deps.ready || !v2deps.identity) {
+      sendJson(res, 503, { ok: false, error: "service_unavailable" });
+      return;
+    }
+
+    const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+    const accountId = normalizeAccountId(url.searchParams.get("accountId") ?? "default");
+    const allowOverwrite = url.searchParams.get("allowOverwrite") !== "false";
+    const format = url.searchParams.get("format") ?? "json";
+
+    const { allowed } = v2deps.rateLimiter.check(`pairing:start:http:${accountId}`);
+    if (!allowed) {
+      sendJson(res, 429, { ok: false, error: "rate_limited" });
+      return;
+    }
+
+    if (v2deps.peers.has(accountId) && !allowOverwrite) {
+      sendJson(res, 409, { ok: false, error: "peer_already_paired" });
+      return;
+    }
+
+    // Clear stale pairing sessions for this account
+    for (const [token, session] of v2deps.pairingSessions) {
+      if (session.accountId === accountId) {
+        v2deps.pairingSessions.delete(token);
+      }
+    }
+
+    const pairingToken = base64UrlEncode(randomBytes(32));
+    const expiresAt = Date.now() + DEFAULT_PAIRING_TTL_MS;
+    const fingerprint = computeFingerprint(v2deps.identity);
+
+    const cfg = await api.runtime.config.loadConfig();
+    const account = resolveSoyehtAccount(cfg, accountId);
+    const gatewayUrl = resolveGatewayUrl(api, account.gatewayUrl);
+
+    const basePayload = {
+      accountId,
+      pairingToken,
+      expiresAt,
+      allowOverwrite,
+      pluginIdentityKey: v2deps.identity.signKey.publicKeyB64,
+      pluginDhKey: v2deps.identity.dhKey.publicKeyB64,
+      fingerprint,
+    };
+
+    let qrPayload: Record<string, unknown>;
+    if (gatewayUrl) {
+      const transcript = buildPairingQrTranscriptV2({ gatewayUrl, ...basePayload });
+      const signature = base64UrlEncode(ed25519Sign(v2deps.identity.signKey.privateKey, transcript));
+      qrPayload = { version: 2, type: "soyeht_pairing_qr", gatewayUrl, ...basePayload, signature };
+    } else {
+      const transcript = buildPairingQrTranscript(basePayload);
+      const signature = base64UrlEncode(ed25519Sign(v2deps.identity.signKey.privateKey, transcript));
+      qrPayload = { version: 1, type: "soyeht_pairing_qr", ...basePayload, signature };
+    }
+
+    v2deps.pairingSessions.set(pairingToken, {
+      token: pairingToken,
+      accountId,
+      expiresAt,
+      allowOverwrite,
+    });
+
+    const qrUrl = `soyeht://pair?g=${gatewayUrl}&t=${pairingToken}&fp=${fingerprint}`;
+    api.logger.info("[soyeht] Pairing started via HTTP", { accountId, expiresAt });
+
+    if (format === "terminal") {
+      const rendered = renderQrTerminal(qrUrl);
+      const text = rendered
+        ? `\n${rendered}\n\n${qrUrl}\n\nExpires in ${DEFAULT_PAIRING_TTL_MS / 1000}s\n`
+        : `QR too large for terminal.\n\n${qrUrl}\n\nExpires in ${DEFAULT_PAIRING_TTL_MS / 1000}s\n`;
+      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
+      res.end(text);
+      return;
+    }
+
+    sendJson(res, 200, { ok: true, qrUrl, qrPayload, expiresAt });
+  };
+}
+
 // ---------------------------------------------------------------------------
 // GET /soyeht/pairing/info?t=<pairingToken>
 // ---------------------------------------------------------------------------

package/src/index.ts

@@ -15,6 +15,7 @@ import {
   livekitTokenHandler,
   inboundHandler,
   sseHandler,
+  pairingStartHandler,
   pairingInfoHandler,
   pairingPairHandler,
   pairingFinishHandler,
@@ -131,6 +132,11 @@ const soyehtPlugin: OpenClawPluginDefinition = {
     });
 
     // HTTP pairing routes (app pairs via HTTP, no WebSocket needed)
+    api.registerHttpRoute({
+      path: "/soyeht/pairing/start",
+      auth: "plugin",
+      handler: pairingStartHandler(api, v2deps),
+    });
     api.registerHttpRoute({
       path: "/soyeht/pairing/info",
       auth: "plugin",

package/src/pairing.ts

@@ -119,7 +119,7 @@ function clearAccountSessionState(v2deps: SecurityV2Deps, accountId: string): vo
 // Resolve the gateway URL for QR V2
 // ---------------------------------------------------------------------------
 
-function resolveGatewayUrl(api: OpenClawPluginApi, configGatewayUrl: string): string {
+export function resolveGatewayUrl(api: OpenClawPluginApi, configGatewayUrl: string): string {
   // 1) Explicit config
   if (configGatewayUrl) return configGatewayUrl;
 

package/src/version.ts

@@ -1 +1 @@
-export const PLUGIN_VERSION = "0.2.10";
+export const PLUGIN_VERSION = "0.2.12";