@tt-a1i/hive 1.6.0 → 2.0.1

package/dist/src/server/remote-device-session.d.ts

@@ -0,0 +1,40 @@
+import type { Direction } from '../shared/remote-crypto.js';
+export interface DeviceSession {
+    deviceId: string;
+    /**
+     * 32-byte directional ROOT keys from M1 deriveDaemonSession. M6.1: these are ROOTS — the bridge
+     * derives the per-connection AEAD keys from them via deriveConnectionKeys + the bilateral connection
+     * salts, and seals/opens ONLY under those connKeys. These bytes are NEVER passed to sealNext/openNext
+     * directly; that is what makes resetting seq to 0 per connection safe (the AEAD key is fresh per
+     * connection even though the root is persisted/reused).
+     */
+    keys: {
+        d2p: Uint8Array;
+        p2d: Uint8Array;
+    };
+}
+export interface DeviceSessionProvider {
+    /**
+     * null => unknown / revoked / no established session. The tunnel resets the stream and audits
+     * 'no_session'; it never bridges a frame for a device it has no key for.
+     */
+    get(deviceId: string): DeviceSession | null;
+    /**
+     * Every established session. Used ONLY to resolve which device a CHANNEL_STREAM_ID Hello came
+     * from: the relay does not tag the source device, so the daemon trial-opens the Hello against
+     * each candidate's p2d key until one authenticates (AEAD makes a wrong key fail cleanly). After
+     * the Hello opens, the daemon binds (deviceId, streamId)->device and never trial-opens that
+     * stream again. deviceId is therefore only ever the result of a successful open (invariant 5).
+     */
+    candidates(): DeviceSession[];
+}
+export declare const DAEMON_OPEN_DIRECTION: Direction;
+export declare const DAEMON_SEAL_DIRECTION: Direction;
+export declare class InMemoryDeviceSessionProvider implements DeviceSessionProvider {
+    private readonly sessions;
+    set(session: DeviceSession): void;
+    /** Models a revoke: the key is gone, so the next frame for this device fails 'no_session'. */
+    remove(deviceId: string): void;
+    get(deviceId: string): DeviceSession | null;
+    candidates(): DeviceSession[];
+}

package/dist/src/server/remote-device-session.js

@@ -0,0 +1,22 @@
+// Daemon directions — the mirror of the device's. Exported so the tunnel, the bridge and the tests
+// all agree on ONE source of truth for which key opens/seals which way.
+//   - the daemon OPENS inbound phone→daemon frames with p2d
+//   - the daemon SEALS outbound daemon→phone frames with d2p
+export const DAEMON_OPEN_DIRECTION = 'p2d';
+export const DAEMON_SEAL_DIRECTION = 'd2p';
+export class InMemoryDeviceSessionProvider {
+    sessions = new Map();
+    set(session) {
+        this.sessions.set(session.deviceId, session);
+    }
+    /** Models a revoke: the key is gone, so the next frame for this device fails 'no_session'. */
+    remove(deviceId) {
+        this.sessions.delete(deviceId);
+    }
+    get(deviceId) {
+        return this.sessions.get(deviceId) ?? null;
+    }
+    candidates() {
+        return [...this.sessions.values()];
+    }
+}

package/dist/src/server/remote-device-store.d.ts

@@ -0,0 +1,36 @@
+import type { Database } from 'better-sqlite3';
+import type { DeviceSession, DeviceSessionProvider } from './remote-device-session.js';
+export interface RemoteDeviceRecord {
+    id: string;
+    name: string;
+    createdAt: number;
+    lastActive: number | null;
+    revokedAt: number | null;
+}
+export interface PersistDeviceInput {
+    id: string;
+    name: string;
+    /** The M3 DeviceSession.keys — a stored secret. */
+    keys: {
+        d2p: Uint8Array;
+        p2d: Uint8Array;
+    };
+    devicePublicKey: Uint8Array;
+}
+export interface RemoteDeviceStore {
+    /** TRUST-ROOT write. ONLY remote-pairing.confirmPairing calls this, ONLY on desktop confirm. */
+    insert(input: PersistDeviceInput, now?: number): RemoteDeviceRecord;
+    /** Provider read path (returns key material). null if absent OR revoked. INTERNAL. */
+    getLiveSession(deviceId: string): DeviceSession | null;
+    /** Active (non-revoked) sessions only — backs DeviceSessionProvider.candidates(). */
+    liveSessions(): DeviceSession[];
+    /** Device-management read path — metadata ONLY, no keys. Newest first. */
+    list(includeRevoked?: boolean): RemoteDeviceRecord[];
+    get(deviceId: string): RemoteDeviceRecord | null;
+    /** Local half of the revocation closed loop. Idempotent; false if unknown / already revoked. */
+    revoke(deviceId: string, now?: number): boolean;
+    /** Best-effort last_active bump. Never resurrects a revoked row. */
+    touchActive(deviceId: string, now?: number): void;
+}
+export declare const createRemoteDeviceStore: (db: Database) => RemoteDeviceStore;
+export declare const createPersistentDeviceSessionProvider: (store: RemoteDeviceStore) => DeviceSessionProvider;

package/dist/src/server/remote-device-store.js

@@ -0,0 +1,67 @@
+import { fromBase64Url, toBase64Url } from '../shared/remote-crypto.js';
+const toRecord = (row) => ({
+    id: row.id,
+    name: row.name,
+    createdAt: row.created_at,
+    lastActive: row.last_active,
+    revokedAt: row.revoked_at,
+});
+const toSession = (row) => ({
+    deviceId: row.id,
+    keys: { d2p: fromBase64Url(row.key_d2p), p2d: fromBase64Url(row.key_p2d) },
+});
+export const createRemoteDeviceStore = (db) => {
+    const insertStmt = db.prepare(`INSERT INTO remote_devices
+       (id, name, key_d2p, key_p2d, device_pubkey, created_at, last_active, revoked_at)
+     VALUES (?, ?, ?, ?, ?, ?, NULL, NULL)`);
+    // Note: the SELECT projections for the metadata path deliberately OMIT key_d2p/key_p2d/device_pubkey
+    // so key material can never escape through list()/get() (invariant 7).
+    const getMetaStmt = db.prepare(`SELECT id, name, created_at, last_active, revoked_at FROM remote_devices WHERE id = ?`);
+    const listStmt = db.prepare(`SELECT id, name, created_at, last_active, revoked_at
+       FROM remote_devices
+      ORDER BY created_at DESC, id DESC`);
+    const listActiveStmt = db.prepare(`SELECT id, name, created_at, last_active, revoked_at
+       FROM remote_devices
+      WHERE revoked_at IS NULL
+      ORDER BY created_at DESC, id DESC`);
+    const liveSessionStmt = db.prepare(`SELECT id, key_d2p, key_p2d FROM remote_devices WHERE id = ? AND revoked_at IS NULL`);
+    const liveSessionsStmt = db.prepare(`SELECT id, key_d2p, key_p2d FROM remote_devices WHERE revoked_at IS NULL`);
+    // revoke only flips a row that is not already revoked, so a second call changes 0 rows -> false,
+    // and the original revoked_at timestamp is never overwritten.
+    const revokeStmt = db.prepare(`UPDATE remote_devices SET revoked_at = ? WHERE id = ? AND revoked_at IS NULL`);
+    const touchStmt = db.prepare(`UPDATE remote_devices SET last_active = ? WHERE id = ? AND revoked_at IS NULL`);
+    return {
+        insert(input, now = Date.now()) {
+            insertStmt.run(input.id, input.name, toBase64Url(input.keys.d2p), toBase64Url(input.keys.p2d), toBase64Url(input.devicePublicKey), now);
+            return { id: input.id, name: input.name, createdAt: now, lastActive: null, revokedAt: null };
+        },
+        getLiveSession(deviceId) {
+            const row = liveSessionStmt.get(deviceId);
+            return row ? toSession(row) : null;
+        },
+        liveSessions() {
+            return liveSessionsStmt.all().map(toSession);
+        },
+        list(includeRevoked = false) {
+            const rows = (includeRevoked ? listStmt : listActiveStmt).all();
+            return rows.map(toRecord);
+        },
+        get(deviceId) {
+            const row = getMetaStmt.get(deviceId);
+            return row ? toRecord(row) : null;
+        },
+        revoke(deviceId, now = Date.now()) {
+            return revokeStmt.run(now, deviceId).changes > 0;
+        },
+        touchActive(deviceId, now = Date.now()) {
+            touchStmt.run(now, deviceId);
+        },
+    };
+};
+// Persistent DeviceSessionProvider — no cache. get()/candidates() read the store live, so a revoke()
+// write makes the next inbound frame fail in the M3 bridge (resolveAndOpen -> get null / candidate
+// gone -> drop + audit 'no_session'). Zero bridge change for the persistence half (invariant 5).
+export const createPersistentDeviceSessionProvider = (store) => ({
+    get: (deviceId) => store.getLiveSession(deviceId),
+    candidates: () => store.liveSessions(),
+});

package/dist/src/server/remote-frame-bridge.d.ts

@@ -0,0 +1,102 @@
+import { type Direction } from '../shared/remote-crypto.js';
+import { type HttpResponseHead } from '../shared/remote-protocol.js';
+import type { RemoteAuditStore } from './remote-audit-store.js';
+import { type DeviceSessionProvider } from './remote-device-session.js';
+/** A loopback HTTP request in flight. The bridge feeds it body chunks then end()s it. */
+export interface LoopbackHttpRequest {
+    onData(chunk: Uint8Array): void;
+    onEnd(): void;
+    abort(): void;
+}
+export interface LoopbackHttpHandlers {
+    onHead(head: HttpResponseHead): void;
+    onBody(chunk: Uint8Array): void;
+    onEnd(): void;
+    onError(err: Error): void;
+}
+/** A loopback WS connection in flight. */
+export interface LoopbackWsConnection {
+    onData(data: Uint8Array, isText: boolean): void;
+    onClose(): void;
+    abort(): void;
+}
+export interface LoopbackWsHandlers {
+    onOpen(): void;
+    onMessage(data: Uint8Array, isText: boolean): void;
+    onClose(): void;
+    onError(err: Error): void;
+}
+export interface LoopbackTransports {
+    openHttp(args: {
+        port: number;
+        method: string;
+        path: string;
+        headers: Record<string, string>;
+    }, handlers: LoopbackHttpHandlers): LoopbackHttpRequest;
+    openWs(args: {
+        port: number;
+        path: string;
+        headers: Record<string, string>;
+    }, handlers: LoopbackWsHandlers): LoopbackWsConnection;
+}
+export interface FrameBridgeContext {
+    loopbackPort: number;
+    loopbackSecret: string;
+    deviceSessions: DeviceSessionProvider;
+    audit: RemoteAuditStore;
+    /**
+     * The daemon's own id (config.getDaemonId()). M6.1: it is bound into the per-connection HKDF info,
+     * so it MUST be the SAME value the phone put in its HandshakeIds.daemonId — a mismatch diverges the
+     * info strings and EVERY Hello fails to open (total outage). Sourced at socket-open time in
+     * remote-tunnel.ts (guarded non-null; the tunnel can't be online without it).
+     */
+    daemonId: string;
+    /**
+     * Injected loopback transports. Production omits this and gets the real node:http / ws clients;
+     * unit tests pass a stub so a single bridged request is observable without real I/O. Carried on
+     * the context (not a separate arg) so the tunnel's `createBridge: (ctx) => createFrameBridge(ctx)`
+     * wiring is untouched and a test can simply add the field.
+     */
+    loopbackTransports?: LoopbackTransports;
+    /**
+     * Seam: the per-connection daemon salt source. Defaults to the crypto export; a test injects a
+     * deterministic-but-distinct generator so it can recompute the connKey + nonce. NOT a mock — the
+     * real HKDF still runs over whatever bytes this returns.
+     */
+    generateConnSalt?: () => Uint8Array;
+    /**
+     * Observation hook (NOT a mock): fires for every daemon->phone seal with the REAL AEAD key + REAL
+     * 12-byte header. Lets the no-(key,nonce)-reuse + no-downgrade invariants be mutation-tested by a
+     * recorder; the production sealNext still runs unchanged.
+     */
+    onSeal?: (rec: {
+        key: Uint8Array;
+        direction: Direction;
+        headerBytes: Uint8Array;
+    }) => void;
+}
+export interface FrameBridge {
+    attachSocket(send: (frame: Uint8Array) => void): void;
+    onInbound(frame: ArrayBuffer | Uint8Array): void;
+    /**
+     * Tear down every in-flight stream. `keepSink` distinguishes the two callers:
+     *   - socket teardown (onSocketDown / revokeAndStop / close): the outbound socket is gone, so we
+     *     also null the sink (keepSink omitted/false) and audit a session_close.
+     *   - gateway 'peer-offline' control: the daemon socket STAYS OPEN (the gateway just told us the
+     *     phone dropped its streams). We reset the in-flight streams but MUST keep `send` live so the
+     *     phone can re-establish streams on the same socket after 'peer-online'. Audited as a
+     *     stream-reset, not a session_close.
+     */
+    resetAllStreams(reason: string, opts?: {
+        keepSink?: boolean;
+    }): void;
+    /**
+     * Close ONE device's in-flight streams (M4 revoke closed loop). Unlike resetAllStreams this leaves
+     * other devices + the outbound sink untouched, so revoking device A never tears down device B. The
+     * per-device opener/sealer is dropped too, so a re-pair of the same id starts from clean crypto
+     * state. The persistent provider's revoke (the security-load-bearing half) already makes NEW frames
+     * fail with no_session; this is the best-effort liveness half that kills an ALREADY-open stream now.
+     */
+    closeDevice(deviceId: string, reason: string): void;
+}
+export declare const createFrameBridge: (ctx: FrameBridgeContext) => FrameBridge;