@viewportai/daemon 0.1.0 → 0.2.0

package/docs/relay-noise-conformance-vectors.json

@@ -0,0 +1,41 @@
+{
+  "schemaVersion": 1,
+  "generatedAt": "2026-03-04",
+  "notes": "Deterministic vectors for relay handshake profile validation (noise-ik / noise-ikpsk2).",
+  "vectors": [
+    {
+      "id": "ik-basic",
+      "profile": "noise-ik",
+      "requestId": "kex-vector-ik-1",
+      "clientPrivateKey": "ERERERERERERERERERERERERERERERERERERERERERE",
+      "clientPublicKey": "BAIX5hfwtkQ5KCePlpmeaaI6TywVK99tbN9m5bgCgtTtGUp968uXcS0t2jyoWqh2Wlb0X8dYWZZS8ol8ZTBuV5Q",
+      "daemonPrivateKey": "IiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiI",
+      "daemonPublicKey": "BNZak5d8qj0bCBhS_1ennkZfFmBXcwS66tUF3TpIWJzzUBheiVNy32Ih6joTdVfkc_3bZ1XwW9UHw8Uz_OnJEoU",
+      "clientNonce": "ABEiM0RVZneImaq7zN3u_w",
+      "daemonNonce": "_-7dzLuqmYh3ZlVEMyIRAA",
+      "sessionId": "rs_vector_ik_001",
+      "epoch": 1,
+      "expectedClientProof": "V1-7QcRCwkCgpUZdz92mmA",
+      "expectedSessionKey": "2Bw_9xNEr7U2bshJajaT6a63Bm77dZmgmGiPw9fbS58",
+      "expectedDaemonProof": "m15GgIvhB0WjKzB3oZU3Kw"
+    },
+    {
+      "id": "ikpsk2-basic",
+      "profile": "noise-ikpsk2",
+      "requestId": "kex-vector-ikpsk2-1",
+      "clientPrivateKey": "MzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM",
+      "clientPublicKey": "BFGnWAgziY6hsYPL1zUKQJkHjG7xweGOlwzXaDA18l59ARBSJxKwtafP8IFoVIaYSpTmgx7axG5zYPqdg0p6gaE",
+      "daemonPrivateKey": "REREREREREREREREREREREREREREREREREREREREREQ",
+      "daemonPublicKey": "BFs2iQ2svXyalrt0oe4os9LXW3LgmiDvJc-Ob9ip8DUNDhS-2NRoKjTYNTi9_1uW6JpmZuwNtXRdAvoSEAct91o",
+      "pairingSecret": "VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU",
+      "clientNonce": "ECEyQ1RldoeYqbq8vdzt_g",
+      "daemonNonce": "ASNFZ4mrze_-3LqYdlQyEA",
+      "sessionId": "rs_vector_ikpsk2_001",
+      "previousSessionId": "rs_prev_ikpsk2_000",
+      "epoch": 2,
+      "expectedClientProof": "gxbCj7oTAia0k6YEW5T2PA",
+      "expectedSessionKey": "vm3VqaI4W7Ck1qvRYSFQzK4qXr8phYC8D6pNVuAmRmI",
+      "expectedDaemonProof": "vLWX1F1A5AIvXwS9E9B3wA"
+    }
+  ]
+}

package/docs/relay-noise-v3-conformance-vectors.json

@@ -0,0 +1,50 @@
+{
+  "schemaVersion": 1,
+  "notes": "Deterministic canonical Noise v3 vectors (IK + IKpsk2 over P256/AESGCM/SHA256).",
+  "daemonIdentity": {
+    "publicKey": "BEjeT9qtvf7dbK9yPDuvSgIT_gIuC9_8DdJNtM6yu70uaCxRVd08fy2qBFGWRo_HfQ_Ic8IWNb0I-PaM9El6Bxw",
+    "privateKey": "1V4lEUVCsNxmJrw8SKKiloYegBmQXbjg6ULOYaCbExA"
+  },
+  "clientDeterministicKeys": {
+    "staticPrivateKey": "v4lfwcrqWG-_LamDGhdRAKpVCdMdZH9AYp4yVI7pZgs",
+    "ephemeralPrivateKey": "Y4yFYdFFptSiqrsWLNb0BF8FujQ4Gp54yOiuUO2wnSw"
+  },
+  "daemonDeterministicEphemeralPrivateKey": "xwtFlQfRSqj7TfIfVp2cPcD2TrrzTZc-5E61gdW4XjM",
+  "vectors": [
+    {
+      "id": "noise-v3-ik-basic",
+      "profile": "noise-ik",
+      "requestId": "kex-v3-vector-1",
+      "sessionId": "rs_v3_ik_001",
+      "epoch": 1,
+      "init": {
+        "clientEphemeralPublicKey": "BHErztyDPFhPO3RxajbwuTwrAEesaf3--FHDHImukoCoxQIw6ew2a-qL-c6dnQh2bOvKeVgoJTZT2Zx_PJLD0s4",
+        "encryptedClientStatic": "9K4kr_VZJmhalGOiYr_IpvLDm0PEp0jDZtSd6YxdOpuNBD1vGD4C1-Pxv6MBQtYJ6I_9lw6e2qW9sIE2ySIhFFFrC97k2e2tO0wc8c_gZleu"
+      },
+      "response": {
+        "daemonEphemeralPublicKey": "BCFLYWYVAiqwpxnxZm11SNq3fv1hFPtla1C9kBqczCEtnAQbFDtdcg9SzT8ko_YoWCBzcEc-XYe3LVTtDVXTWmk",
+        "encryptedMetadata": "kh17Tgmt2gdzgTzpZVQHYr7DJ7FmU8Kx-iF0cSoCilnADs4JMDgnHQ71P4aP4m47y54W_VEK",
+        "proof": "EsL1rhQdgvL_2AoOh8BWMxNX4VShoDtt3YRlG2HHbxs"
+      },
+      "sessionKey": "CtfvOunKO94iXJLzudF7smlvEG5lkoxvMh3fvFRVehw"
+    },
+    {
+      "id": "noise-v3-ikpsk2-basic",
+      "profile": "noise-ikpsk2",
+      "requestId": "kex-v3-vector-1",
+      "pairingSecret": "uMcC7ZiGjk2YUNTDxbfbvhRHAQ59gVld9ip-w6-ho_g",
+      "sessionId": "rs_v3_ikpsk2_001",
+      "epoch": 1,
+      "init": {
+        "clientEphemeralPublicKey": "BHErztyDPFhPO3RxajbwuTwrAEesaf3--FHDHImukoCoxQIw6ew2a-qL-c6dnQh2bOvKeVgoJTZT2Zx_PJLD0s4",
+        "encryptedClientStatic": "FrVP0AVl8_uQgoHC2KW_7cmtwkv1oSxYam82utmGOxYduS0tjBU4UZQXv-scDEojEsrhkgQwSRoa7gLR97PIfswEjmS9vHlFtiYoRkdzPlMy"
+      },
+      "response": {
+        "daemonEphemeralPublicKey": "BCFLYWYVAiqwpxnxZm11SNq3fv1hFPtla1C9kBqczCEtnAQbFDtdcg9SzT8ko_YoWCBzcEc-XYe3LVTtDVXTWmk",
+        "encryptedMetadata": "hd-OUzTSqxTDw0_o3gRF0VbCU7IUDX9aDbQ9WFisV1oRLvZkQp7mPeFDakxNTzappXSiG5IaU2U_vA",
+        "proof": "zx6bUnDrHuanKjH9XBOnyx_m-sVfuL6j_esaWMJS9H0"
+      },
+      "sessionKey": "bgjWrm-nTtATWBYP1ph0wfFbZSlSbLhOQcCvR8PjrOA"
+    }
+  ]
+}

package/docs/security.md

@@ -19,8 +19,9 @@
 - Host header allowlist enforcement.
 - Origin allowlist enforcement.
 - Token auth (`~/.viewport/auth-token`) for protected API/WS.
-- WS auth supports `?token=` query fallback for browser compatibility.
-  - Tradeoff: query tokens can leak via logs/history.
+- WS auth supports `?token=` query fallback only in `local` profile by default.
+  - In `lan`/`relay`, query-token auth is disabled unless `VIEWPORT_ALLOW_QUERY_TOKEN_NON_LOCAL=1`.
+  - Tradeoff: query tokens can leak via logs/history, so use `Authorization: Bearer ...` whenever possible.
   - Preferred path is `Authorization: Bearer ...`.
 - WebSocket payload limits, backpressure handling, and rate limiting.
 - Path traversal protection for file APIs.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@viewportai/daemon",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Viewport daemon — supervision and orchestration layer for AI coding agents",
   "license": "Apache-2.0",
   "type": "module",