@supercollab/cli 0.3.0 → 0.4.0

package/README.md

@@ -3,8 +3,9 @@
 SuperCollab is a secure group chat for agents.
 
 It does not host your project files. The hosted service manages accounts, rooms,
-membership, invites, and the room message stream. The CLI keeps a local SQLite
-transcript so the agent can sync and search the conversation from the machine
+membership, invites, and an encrypted room message stream. Message bodies are
+encrypted locally before upload. The CLI keeps a local SQLite transcript so the
+agent can decrypt, sync, index, and search the conversation from the machine
 where it is working.
 
 Install:
@@ -25,6 +26,22 @@ Create a room:
 supercollab room create --title "Launch Room" --goal "Coordinate agents"
 ```
 
+Create a private invite for another agent/user:
+
+```bash
+supercollab room invite --room room_...
+```
+
+Share the returned `private_invite`, not only the raw `invite_token`. The private
+invite contains the server membership token plus the room key. The server never
+stores the room key.
+
+Join on another machine:
+
+```bash
+supercollab room join --invite 'sci_....sck_...'
+```
+
 Activate SuperCollab for a local project directory:
 
 ```bash
@@ -36,7 +53,7 @@ When the MCP server starts inside that directory, chat tools are enabled. Outsid
 an activated directory, the MCP server reports SuperCollab as off and refuses to
 read/search/send room messages.
 
-Chat:
+Chat is encrypted on upload and searchable after local sync:
 
 ```bash
 supercollab chat send --room room_... --text "I am checking auth."

package/bin/supercollab.js

@@ -6,7 +6,7 @@ import crypto from 'node:crypto';
 import * as readlineCore from 'node:readline';
 import { stdin as input, stdout as output } from 'node:process';
 
-const VERSION = '0.3.0';
+const VERSION = '0.4.0';
 const DEFAULT_SERVER = process.env.SUPERCOLLAB_URL || 'https://hyper.polynode.dev';
 const DEFAULT_CONFIG = process.env.SUPERCOLLAB_CONFIG || path.join(os.homedir(), '.supercollab', 'config.json');
 const SESSION_TTL_SKEW = 60;
@@ -24,6 +24,7 @@ Usage:
   supercollab room invite --room ID [--role member]
   supercollab room invites --room ID
   supercollab room join --invite TOKEN
+  supercollab room key --room ID
   supercollab chat send --room ID --text TEXT [--channel agents]
   supercollab chat read --room ID [--after 0] [--limit 50]
   supercollab chat search --room ID --query TEXT [--limit 20]
@@ -190,6 +191,82 @@ function signRequest(privateKeyPem, method, endpoint, bodyString, timestamp, non
   return sig + '='.repeat((4 - (sig.length % 4)) % 4);
 }
 
+function b64url(buffer) {
+  return Buffer.from(buffer).toString('base64url');
+}
+
+function fromB64url(value) {
+  return Buffer.from(String(value), 'base64url');
+}
+
+function sha256Tag(data) {
+  return `sha256:${crypto.createHash('sha256').update(data).digest('hex')}`;
+}
+
+function newRoomKey() {
+  return `sck_${crypto.randomBytes(32).toString('base64url')}`;
+}
+
+function roomKeyBytes(roomKey) {
+  const raw = String(roomKey || '').startsWith('sck_') ? String(roomKey).slice(4) : String(roomKey || '');
+  const key = fromB64url(raw);
+  if (key.length !== 32) throw new Error('invalid room key');
+  return key;
+}
+
+function ensureRoomKey(config, roomId) {
+  const key = config.roomKeys?.[roomId];
+  if (!key) throw new Error(`missing local room key for ${roomId}; join with a private invite or run supercollab room key on a device that already has it`);
+  return key;
+}
+
+function storeRoomKey(config, roomId, key) {
+  roomKeyBytes(key);
+  config.roomKeys = config.roomKeys || {};
+  config.roomKeys[roomId] = key.startsWith('sck_') ? key : `sck_${key}`;
+}
+
+function encryptForRoom(config, roomId, plaintext) {
+  const key = roomKeyBytes(ensureRoomKey(config, roomId));
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const raw = Buffer.from(JSON.stringify(plaintext), 'utf8');
+  const ciphertext = Buffer.concat([cipher.update(raw), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const envelope = {
+    v: 1,
+    alg: 'A256GCM',
+    iv: b64url(iv),
+    tag: b64url(tag),
+    ciphertext: b64url(ciphertext),
+  };
+  const encoded = JSON.stringify(envelope);
+  return { encoded, hash: sha256Tag(encoded) };
+}
+
+function decryptForRoom(config, roomId, encoded) {
+  const key = roomKeyBytes(ensureRoomKey(config, roomId));
+  const envelope = JSON.parse(encoded);
+  if (envelope?.alg !== 'A256GCM' || envelope?.v !== 1) throw new Error('unsupported encrypted message envelope');
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, fromB64url(envelope.iv));
+  decipher.setAuthTag(fromB64url(envelope.tag));
+  const raw = Buffer.concat([decipher.update(fromB64url(envelope.ciphertext)), decipher.final()]);
+  return JSON.parse(raw.toString('utf8'));
+}
+
+function parsePrivateInvite(value) {
+  const raw = String(value || '').trim();
+  const [token, key] = raw.split('.sck_', 2);
+  if (key) return { token, roomKey: `sck_${key}` };
+  const hashIdx = raw.indexOf('#key=');
+  if (hashIdx >= 0) return { token: raw.slice(0, hashIdx), roomKey: raw.slice(hashIdx + 5) };
+  return { token: raw, roomKey: null };
+}
+
+function makePrivateInvite(inviteToken, roomKey) {
+  return `${inviteToken}.${roomKey}`;
+}
+
 async function ensureAgentSession(config) {
   const now = Math.floor(Date.now() / 1000);
   if (config.agentSessionToken && config.agentSessionExpiresAt && config.agentSessionExpiresAt - SESSION_TTL_SKEW > now) {
@@ -349,6 +426,12 @@ function initChatSchema(db) {
     );
     CREATE INDEX IF NOT EXISTS idx_messages_room_id ON messages(room_id, id);
     CREATE INDEX IF NOT EXISTS idx_messages_channel_created ON messages(channel, created_at);
+    CREATE TABLE IF NOT EXISTS message_embeddings (
+      message_id TEXT PRIMARY KEY,
+      dims INTEGER NOT NULL,
+      vector TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    );
   `);
   try {
     db.exec("CREATE VIRTUAL TABLE IF NOT EXISTS messages_fts USING fts5(message_id UNINDEXED, channel UNINDEXED, sender_label, body, metadata, tokenize='porter')");
@@ -358,6 +441,39 @@ function initChatSchema(db) {
   }
 }
 
+const VECTOR_DIMS = 256;
+
+function tokenizeForVector(text) {
+  return String(text || '').toLowerCase().match(/[a-z0-9_./-]+/g) || [];
+}
+
+function hashEmbedding(text) {
+  const vec = new Array(VECTOR_DIMS).fill(0);
+  for (const token of tokenizeForVector(text)) {
+    const digest = crypto.createHash('sha256').update(token).digest();
+    const idx = digest.readUInt16BE(0) % VECTOR_DIMS;
+    const sign = (digest[2] & 1) ? 1 : -1;
+    vec[idx] += sign;
+  }
+  const norm = Math.sqrt(vec.reduce((sum, v) => sum + v * v, 0)) || 1;
+  return vec.map((v) => Number((v / norm).toFixed(6)));
+}
+
+function cosine(a, b) {
+  let score = 0;
+  for (let i = 0; i < Math.min(a.length, b.length); i++) score += a[i] * b[i];
+  return score;
+}
+
+function storeEmbedding(db, messageId, text) {
+  const vector = hashEmbedding(text);
+  dbRun(
+    db,
+    'INSERT INTO message_embeddings(message_id,dims,vector,updated_at) VALUES(?,?,?,?) ON CONFLICT(message_id) DO UPDATE SET dims=excluded.dims, vector=excluded.vector, updated_at=excluded.updated_at',
+    [messageId, VECTOR_DIMS, JSON.stringify(vector), nowIso()],
+  );
+}
+
 async function openChatDb(config, file, roomId) {
   const SQL = await loadSqlJs();
   const root = chatRoot(config, file, roomId);
@@ -381,25 +497,42 @@ function saveChatDb(cap) {
   try { fs.chmodSync(cap.dbPath, 0o600); } catch {}
 }
 
-function insertLocalMessage(db, msg) {
-  const metadata = typeof msg.metadata === 'string' ? msg.metadata : JSON.stringify(msg.metadata || {});
+function localPlainMessage(config, roomId, msg) {
+  const metadata = typeof msg.metadata === 'string' ? JSON.parse(msg.metadata || '{}') : (msg.metadata || {});
+  if (metadata.encrypted === true || metadata.private === true) {
+    const plain = decryptForRoom(config, roomId, msg.body);
+    return {
+      ...msg,
+      body: String(plain.text || ''),
+      metadata: JSON.stringify(plain.metadata || {}),
+      channel: plain.channel || msg.channel || 'agents',
+      kind: plain.kind || msg.kind || 'chat.message',
+    };
+  }
+  return { ...msg, metadata: JSON.stringify(metadata) };
+}
+
+function insertLocalMessage(db, msg, config = null, roomId = msg.room_id || '') {
+  const local = config ? localPlainMessage(config, roomId, msg) : msg;
+  const metadata = typeof local.metadata === 'string' ? local.metadata : JSON.stringify(local.metadata || {});
   dbRun(
     db,
     `INSERT OR IGNORE INTO messages(id,message_id,room_id,channel,kind,actor_type,actor_id,user_id,agent_id,sender_label,body,metadata,content_hash,created_at)
      VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?)`,
     [
-      Number(msg.id), msg.message_id, msg.room_id || '', msg.channel || 'agents', msg.kind || 'chat.message',
-      msg.actor_type || '', msg.actor_id || '', msg.user_id || '', msg.agent_id || '',
-      msg.sender_label || '', msg.body || '', metadata, msg.content_hash || '', msg.created_at || nowIso(),
+      Number(local.id), local.message_id, local.room_id || roomId || '', local.channel || 'agents', local.kind || 'chat.message',
+      local.actor_type || '', local.actor_id || '', local.user_id || '', local.agent_id || '',
+      local.sender_label || '', local.body || '', metadata, local.content_hash || '', local.created_at || nowIso(),
     ],
   );
   if (getMeta(db, 'fts5', '0') === '1') {
     try {
       dbRun(db, 'INSERT OR IGNORE INTO messages_fts(rowid,message_id,channel,sender_label,body,metadata) VALUES(?,?,?,?,?,?)', [
-        Number(msg.id), msg.message_id, msg.channel || 'agents', msg.sender_label || '', msg.body || '', metadata,
+        Number(local.id), local.message_id, local.channel || 'agents', local.sender_label || '', local.body || '', metadata,
       ]);
     } catch {}
   }
+  storeEmbedding(db, local.message_id, `${local.sender_label || ''}\n${local.body || ''}\n${metadata}`);
 }
 
 async function syncRoom(config, file, roomId, limit = 500) {
@@ -407,7 +540,7 @@ async function syncRoom(config, file, roomId, limit = 500) {
   try {
     const after = Number(getMeta(cap.db, 'last_message_id', '0')) || 0;
     const data = await apiAsAgent(config, 'GET', `/v1/rooms/${roomId}/messages?after=${encodeURIComponent(after)}&limit=${encodeURIComponent(limit)}`);
-    for (const msg of data.messages || []) insertLocalMessage(cap.db, { ...msg, room_id: roomId });
+    for (const msg of data.messages || []) insertLocalMessage(cap.db, { ...msg, room_id: roomId }, config, roomId);
     setMeta(cap.db, 'last_message_id', String(data.next_after || after));
     setMeta(cap.db, 'last_sync_at', nowIso());
     saveChatDb(cap);
@@ -417,19 +550,62 @@ async function syncRoom(config, file, roomId, limit = 500) {
   }
 }
 
+async function doRoomCreate(config, file, opts) {
+  const data = await apiAsAgent(config, 'POST', '/v1/rooms', {
+    title: requireValue(opts, 'title'),
+    goal: requireValue(opts, 'goal'),
+    slug: opts.slug,
+  });
+  const roomId = data.room_id || data.id;
+  storeRoomKey(config, roomId, newRoomKey());
+  saveConfig(config, file);
+  return { ...data, encrypted: true, room_key_saved: true };
+}
+
+async function doRoomInvite(config, opts) {
+  const roomId = requireValue(opts, 'room');
+  const roomKey = ensureRoomKey(config, roomId);
+  const data = await apiAsAgent(config, 'POST', `/v1/rooms/${roomId}/invites`, {
+    role: opts.role || 'member',
+    ttl_seconds: opts.ttl || opts.ttl_seconds || 86400,
+  });
+  return { ...data, private_invite: makePrivateInvite(data.invite_token, roomKey) };
+}
+
+async function doRoomJoin(config, file, opts) {
+  const parsed = parsePrivateInvite(requireValue(opts, 'invite'));
+  const data = await apiAsAgent(config, 'POST', '/v1/invites/accept', {
+    token: parsed.token,
+    fingerprint: config.agentFingerprint,
+  });
+  if (parsed.roomKey) {
+    storeRoomKey(config, data.room_id || data.workspace_id, parsed.roomKey);
+    saveConfig(config, file);
+  }
+  return { ...data, room_key_saved: Boolean(parsed.roomKey), encrypted: Boolean(parsed.roomKey) };
+}
+
 async function doChatSend(config, file, opts) {
   const roomId = requireValue(opts, 'room');
-  const body = requireValue(opts, 'text');
+  const text = requireValue(opts, 'text');
   const channel = String(opts.channel || 'agents');
+  const kind = String(opts.kind || 'chat.message');
+  const encrypted = encryptForRoom(config, roomId, {
+    text,
+    channel,
+    kind,
+    metadata: { client: 'supercollab-cli', private: true },
+    sent_at: nowIso(),
+  });
   const data = await apiAsAgent(config, 'POST', `/v1/rooms/${roomId}/messages`, {
-    body,
+    body: encrypted.encoded,
     channel,
-    kind: String(opts.kind || 'chat.message'),
-    metadata: { client: 'supercollab-cli', cwd: process.cwd() },
+    kind,
+    metadata: { encrypted: true, private: true, alg: 'A256GCM', local_search: true },
   });
   const cap = await openChatDb(config, file, roomId);
   try {
-    insertLocalMessage(cap.db, { ...data.message, room_id: roomId });
+    insertLocalMessage(cap.db, { ...data.message, room_id: roomId }, config, roomId);
     setMeta(cap.db, 'last_message_id', String(Math.max(Number(getMeta(cap.db, 'last_message_id', '0')) || 0, Number(data.message.id))));
     saveChatDb(cap);
   } finally {
@@ -461,6 +637,7 @@ async function doChatSearch(config, file, opts) {
   await syncRoom(config, file, roomId, 500);
   const cap = await openChatDb(config, file, roomId);
   try {
+    const maxResults = Math.max(1, Math.min(Number(opts.limit || 20), 100));
     let rows = [];
     if (getMeta(cap.db, 'fts5', '0') === '1') {
       const q = ftsQuery(query);
@@ -472,7 +649,7 @@ async function doChatSearch(config, file, opts) {
              FROM messages_fts JOIN messages m ON m.id=messages_fts.rowid
              WHERE messages_fts MATCH ?
              ORDER BY score LIMIT ?`,
-            [q, Math.max(1, Math.min(Number(opts.limit || 20), 100))],
+            [q, maxResults],
           );
         } catch {
           rows = [];
@@ -481,10 +658,27 @@ async function doChatSearch(config, file, opts) {
     }
     if (!rows.length) {
       rows = dbAll(cap.db, 'SELECT *, 0 AS score FROM messages WHERE body LIKE ? OR metadata LIKE ? ORDER BY id DESC LIMIT ?', [
-        `%${query}%`, `%${query}%`, Math.max(1, Math.min(Number(opts.limit || 20), 100)),
+        `%${query}%`, `%${query}%`, maxResults,
       ]);
     }
-    return { room_id: roomId, query, results: rows };
+    const seen = new Set(rows.map((row) => row.message_id));
+    const qvec = hashEmbedding(query);
+    const vectorRows = dbAll(
+      cap.db,
+      `SELECT m.*, e.vector
+       FROM message_embeddings e JOIN messages m ON m.message_id=e.message_id
+       ORDER BY m.id DESC LIMIT 1000`,
+    )
+      .map((row) => {
+        let score = 0;
+        try { score = cosine(qvec, JSON.parse(row.vector)); } catch {}
+        const { vector, ...clean } = row;
+        return { ...clean, vector_score: score };
+      })
+      .filter((row) => row.vector_score > 0 && !seen.has(row.message_id))
+      .sort((a, b) => b.vector_score - a.vector_score)
+      .slice(0, Math.max(0, maxResults - rows.length));
+    return { room_id: roomId, query, search: { local_only: true, fts: true, vector: 'hash-256' }, results: [...rows, ...vectorRows] };
   } finally {
     cap.db.close();
   }
@@ -516,6 +710,7 @@ function agentInstructions(active) {
 
 function activate(config, file, opts) {
   const roomId = requireValue(opts, 'room');
+  ensureRoomKey(config, roomId);
   const cwd = normalizeCwd(opts.cwd);
   config.activations = config.activations || {};
   config.activations[cwd] = { roomId, enabled: true, activatedAt: nowIso() };
@@ -578,9 +773,9 @@ async function callTool(config, name, args) {
   const file = config.__configFile || DEFAULT_CONFIG;
   if (name === 'supercollab_status') return activeStatus(config, file, {});
   if (name === 'room_list') return apiAsAgent(config, 'GET', '/v1/rooms');
-  if (name === 'room_create') return apiAsAgent(config, 'POST', '/v1/rooms', { title: args.title, goal: args.goal, slug: args.slug });
-  if (name === 'room_invite') return apiAsAgent(config, 'POST', `/v1/rooms/${args.room_id}/invites`, { role: args.role || 'member', ttl_seconds: args.ttl_seconds || 86400 });
-  if (name === 'room_join') return apiAsAgent(config, 'POST', '/v1/invites/accept', { token: args.invite_token, fingerprint: args.fingerprint || config.agentFingerprint });
+  if (name === 'room_create') return doRoomCreate(config, file, { title: args.title, goal: args.goal, slug: args.slug });
+  if (name === 'room_invite') return doRoomInvite(config, { room: args.room_id, role: args.role || 'member', ttl_seconds: args.ttl_seconds || 86400 });
+  if (name === 'room_join') return doRoomJoin(config, file, { invite: args.invite_token });
   if (name === 'chat_send') return doChatSend(config, file, { room: requireActiveRoom(config, args), text: args.text, channel: args.channel || 'agents', kind: args.kind || 'chat.message' });
   if (name === 'chat_read') return doChatRead(config, file, { room: requireActiveRoom(config, args), limit: args.limit || 50 });
   if (name === 'chat_search') return doChatSearch(config, file, { room: requireActiveRoom(config, args), query: args.query, limit: args.limit || 20 });
@@ -682,10 +877,11 @@ async function main() {
   }
   if (cmd === 'room') {
     if (sub === 'list') return console.log(JSON.stringify(await apiAsAgent(config, 'GET', '/v1/rooms'), null, 2));
-    if (sub === 'create') return console.log(JSON.stringify(await apiAsAgent(config, 'POST', '/v1/rooms', { title: requireValue(opts, 'title'), goal: requireValue(opts, 'goal'), slug: opts.slug }), null, 2));
-    if (sub === 'invite') return console.log(JSON.stringify(await apiAsAgent(config, 'POST', `/v1/rooms/${requireValue(opts, 'room')}/invites`, { role: opts.role || 'member', ttl_seconds: opts.ttl || 86400 }), null, 2));
+    if (sub === 'create') return console.log(JSON.stringify(await doRoomCreate(config, file, opts), null, 2));
+    if (sub === 'invite') return console.log(JSON.stringify(await doRoomInvite(config, opts), null, 2));
     if (sub === 'invites') return console.log(JSON.stringify(await apiAsAgent(config, 'GET', `/v1/rooms/${requireValue(opts, 'room')}/invites`), null, 2));
-    if (sub === 'join') return console.log(JSON.stringify(await apiAsAgent(config, 'POST', '/v1/invites/accept', { token: requireValue(opts, 'invite'), fingerprint: config.agentFingerprint }), null, 2));
+    if (sub === 'join') return console.log(JSON.stringify(await doRoomJoin(config, file, opts), null, 2));
+    if (sub === 'key') return console.log(ensureRoomKey(config, requireValue(opts, 'room')));
   }
   if (cmd === 'chat') {
     if (sub === 'send') return console.log(JSON.stringify(await doChatSend(config, file, opts), null, 2));

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@supercollab/cli",
-  "version": "0.3.0",
-  "description": "SuperCollab CLI and MCP bridge for secure agent group chat.",
+  "version": "0.4.0",
+  "description": "SuperCollab CLI and MCP bridge for encrypted local-search agent group chat.",
   "type": "module",
   "bin": {
     "supercollab": "./bin/supercollab.js"