@zeph-to/hook-sdk 1.4.0 → 1.5.1

package/dist/crypto.d.ts

@@ -0,0 +1,59 @@
+/**
+ * E2E encryption for Hook SDK — self-contained ECDH P-256 + AES-256-GCM
+ * Mirrors @zeph/crypto API but bundled inline (no external dependency).
+ * Uses Web Crypto API (globalThis.crypto.subtle) — Node.js 18+.
+ */
+/**
+ * Initialize crypto: sync keys with server, then fallback to local/generate.
+ * Server is source of truth for per-user key pair.
+ * Safe to call concurrently — deduplicates to single init.
+ * Returns the exported public key (Base64 SPKI).
+ */
+export declare const initCrypto: (apiKey?: string, baseUrl?: string) => Promise<string>;
+export declare const getKeyPair: () => CryptoKeyPair | null;
+export declare const getPublicKey: () => string | null;
+/**
+ * Encrypt push body for a recipient.
+ * Returns fields ready to merge into the sendPush payload.
+ */
+export declare const encryptPushBody: (input: {
+    title?: string;
+    body?: string;
+    url?: string;
+}, recipientPublicKeyRaw: string) => Promise<{
+    body: string;
+    encryptedKey: string;
+    senderPublicKey: string;
+    isEncrypted: true;
+}>;
+/**
+ * Encrypt push body for self (all own devices).
+ */
+export declare const encryptPushBodyForSelf: (input: {
+    title?: string;
+    body?: string;
+    url?: string;
+}) => Promise<{
+    body: string;
+    encryptedKey: string;
+    senderPublicKey: string;
+    isEncrypted: true;
+}>;
+/**
+ * Encrypt file content for a recipient.
+ * Returns encrypted buffer + key material for file attachment metadata.
+ */
+export declare const encryptFileForRecipient: (content: string, recipientPublicKeyRaw: string) => Promise<{
+    ciphertext: Buffer;
+    iv: string;
+    encryptedKey: string;
+}>;
+/**
+ * Encrypt file content for self (all own devices).
+ */
+export declare const encryptFileForSelf: (content: string) => Promise<{
+    ciphertext: Buffer;
+    iv: string;
+    encryptedKey: string;
+}>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA0JH;;;;;GAKG;AACH,eAAO,MAAM,UAAU,GAAI,SAAS,MAAM,EAAE,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CA6D5E,CAAC;AA4BF,eAAO,MAAM,UAAU,QAAO,aAAa,GAAG,IAAqB,CAAC;AACpE,eAAO,MAAM,YAAY,QAAO,MAAM,GAAG,IAA+B,CAAC;AAEzE;;;GAGG;AACH,eAAO,MAAM,eAAe,GAC1B,OAAO;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,EACtD,uBAAuB,MAAM,KAC5B,OAAO,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,IAAI,CAAC;CACnB,CAeA,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,GACjC,OAAO;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,KACrD,OAAO,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,IAAI,CAAC;CACnB,CAaA,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,uBAAuB,GAClC,SAAS,MAAM,EACf,uBAAuB,MAAM,KAC5B,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CASlE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAC7B,SAAS,MAAM,KACd,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAQlE,CAAC"}

package/dist/crypto.js

@@ -0,0 +1,257 @@
+"use strict";
+/**
+ * E2E encryption for Hook SDK — self-contained ECDH P-256 + AES-256-GCM
+ * Mirrors @zeph/crypto API but bundled inline (no external dependency).
+ * Uses Web Crypto API (globalThis.crypto.subtle) — Node.js 18+.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encryptFileForSelf = exports.encryptFileForRecipient = exports.encryptPushBodyForSelf = exports.encryptPushBody = exports.getPublicKey = exports.getKeyPair = exports.initCrypto = void 0;
+/// <reference lib="dom" />
+const fs_1 = require("fs");
+const path_1 = require("path");
+// ─── Base64 helpers ───
+const toBase64 = (buffer) => {
+    const bytes = new Uint8Array(buffer);
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+};
+const fromBase64 = (base64) => {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+};
+// ─── ECDH key management ───
+const ECDH_PARAMS = { name: 'ECDH', namedCurve: 'P-256' };
+const generateKeyPair = async () => crypto.subtle.generateKey(ECDH_PARAMS, true, ['deriveKey', 'deriveBits']);
+const exportKeyPair = async (keyPair) => {
+    const [publicRaw, privateRaw] = await Promise.all([
+        crypto.subtle.exportKey('spki', keyPair.publicKey),
+        crypto.subtle.exportKey('pkcs8', keyPair.privateKey),
+    ]);
+    return { publicKey: toBase64(publicRaw), privateKey: toBase64(privateRaw) };
+};
+const importPublicKey = async (base64) => crypto.subtle.importKey('spki', fromBase64(base64), ECDH_PARAMS, true, []);
+const importPrivateKey = async (base64) => crypto.subtle.importKey('pkcs8', fromBase64(base64), ECDH_PARAMS, true, ['deriveKey', 'deriveBits']);
+const importKeyPair = async (exported) => {
+    const [publicKey, privateKey] = await Promise.all([
+        importPublicKey(exported.publicKey),
+        importPrivateKey(exported.privateKey),
+    ]);
+    return { publicKey, privateKey };
+};
+const deriveAesKey = async (privateKey, publicKey) => crypto.subtle.deriveKey({ name: 'ECDH', public: publicKey }, privateKey, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
+const encrypt = async (plaintext, senderPrivateKey, recipientPublicKey) => {
+    const messageKey = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, messageKey, new TextEncoder().encode(plaintext));
+    const sharedKey = await deriveAesKey(senderPrivateKey, recipientPublicKey);
+    const rawMessageKey = await crypto.subtle.exportKey('raw', messageKey);
+    const keyIv = crypto.getRandomValues(new Uint8Array(12));
+    const encryptedKey = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: keyIv }, sharedKey, rawMessageKey);
+    return {
+        ciphertext: toBase64(ciphertext),
+        iv: toBase64(iv.buffer),
+        encryptedKey: toBase64(encryptedKey),
+        keyIv: toBase64(keyIv.buffer),
+    };
+};
+// ─── File encryption ───
+const encryptFileContent = async (content, senderPrivateKey, recipientPublicKey) => {
+    const buffer = new TextEncoder().encode(content).buffer;
+    const fileKey = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, fileKey, buffer);
+    const sharedKey = await deriveAesKey(senderPrivateKey, recipientPublicKey);
+    const rawFileKey = await crypto.subtle.exportKey('raw', fileKey);
+    const keyIv = crypto.getRandomValues(new Uint8Array(12));
+    const encryptedKey = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: keyIv }, sharedKey, rawFileKey);
+    return {
+        ciphertext: Buffer.from(ciphertext),
+        iv: toBase64(iv.buffer),
+        encryptedKey: toBase64(encryptedKey),
+        keyIv: toBase64(keyIv.buffer),
+    };
+};
+// ─── Key persistence (~/.config/zeph/keys.json) ───
+const KEYS_DIR = (0, path_1.join)(process.env.HOME ?? '~', '.config', 'zeph');
+const KEYS_PATH = (0, path_1.join)(KEYS_DIR, 'keys.json');
+const loadStoredKeys = () => {
+    try {
+        return JSON.parse((0, fs_1.readFileSync)(KEYS_PATH, 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+};
+const storeKeys = (exported) => {
+    (0, fs_1.mkdirSync)(KEYS_DIR, { recursive: true, mode: 0o700 });
+    (0, fs_1.writeFileSync)(KEYS_PATH, JSON.stringify(exported, null, 2), { mode: 0o600 });
+};
+// ─── Cached state ───
+let cachedKeyPair = null;
+let cachedExportedPublicKey = null;
+let cachedOwnPublicKey = null;
+let initPromise = null;
+/**
+ * Initialize crypto: sync keys with server, then fallback to local/generate.
+ * Server is source of truth for per-user key pair.
+ * Safe to call concurrently — deduplicates to single init.
+ * Returns the exported public key (Base64 SPKI).
+ */
+const initCrypto = (apiKey, baseUrl) => {
+    if (initPromise)
+        return initPromise;
+    initPromise = (async () => {
+        // Try local cache first
+        const stored = loadStoredKeys();
+        // Try server sync if API key available
+        if (apiKey) {
+            const serverKeys = await fetchServerKeys(apiKey, baseUrl);
+            if (serverKeys) {
+                // Server has keys — adopt them (server is source of truth)
+                if (!stored || stored.publicKey !== serverKeys.publicKey) {
+                    storeKeys(serverKeys);
+                }
+                cachedKeyPair = await importKeyPair(serverKeys);
+                cachedExportedPublicKey = serverKeys.publicKey;
+                cachedOwnPublicKey = cachedKeyPair.publicKey;
+                return serverKeys.publicKey;
+            }
+            // Server has no keys
+            if (stored) {
+                // Upload local keys to server
+                await uploadServerKeys(stored, apiKey, baseUrl);
+                cachedKeyPair = await importKeyPair(stored);
+                cachedExportedPublicKey = stored.publicKey;
+                cachedOwnPublicKey = cachedKeyPair.publicKey;
+                return stored.publicKey;
+            }
+            // No keys anywhere — generate + upload
+            const keyPair = await generateKeyPair();
+            const exported = await exportKeyPair(keyPair);
+            storeKeys(exported);
+            await uploadServerKeys(exported, apiKey, baseUrl);
+            cachedKeyPair = keyPair;
+            cachedExportedPublicKey = exported.publicKey;
+            cachedOwnPublicKey = keyPair.publicKey;
+            return exported.publicKey;
+        }
+        // No API key — local-only mode
+        if (stored) {
+            cachedKeyPair = await importKeyPair(stored);
+            cachedExportedPublicKey = stored.publicKey;
+            cachedOwnPublicKey = cachedKeyPair.publicKey;
+            return stored.publicKey;
+        }
+        const keyPair = await generateKeyPair();
+        const exported = await exportKeyPair(keyPair);
+        storeKeys(exported);
+        cachedKeyPair = keyPair;
+        cachedExportedPublicKey = exported.publicKey;
+        cachedOwnPublicKey = keyPair.publicKey;
+        return exported.publicKey;
+    })().catch((err) => {
+        initPromise = null;
+        throw err;
+    });
+    return initPromise;
+};
+exports.initCrypto = initCrypto;
+// ─── Server key sync helpers ───
+const fetchServerKeys = async (apiKey, baseUrl) => {
+    try {
+        const url = `${(baseUrl ?? 'https://api.zeph.to/v1').replace(/\/$/, '')}/users/me/keys`;
+        const res = await fetch(url, { headers: { 'X-API-Key': apiKey } });
+        if (!res.ok)
+            return null;
+        const json = await res.json();
+        const keys = json.data?.encryptionKeys;
+        return keys?.publicKey && keys?.privateKey ? keys : null;
+    }
+    catch {
+        return null;
+    }
+};
+const uploadServerKeys = async (keys, apiKey, baseUrl) => {
+    try {
+        const url = `${(baseUrl ?? 'https://api.zeph.to/v1').replace(/\/$/, '')}/users/me/keys`;
+        await fetch(url, {
+            method: 'PUT',
+            headers: { 'X-API-Key': apiKey, 'Content-Type': 'application/json' },
+            body: JSON.stringify(keys),
+        });
+    }
+    catch { /* non-critical */ }
+};
+const getKeyPair = () => cachedKeyPair;
+exports.getKeyPair = getKeyPair;
+const getPublicKey = () => cachedExportedPublicKey;
+exports.getPublicKey = getPublicKey;
+/**
+ * Encrypt push body for a recipient.
+ * Returns fields ready to merge into the sendPush payload.
+ */
+const encryptPushBody = async (input, recipientPublicKeyRaw) => {
+    if (!cachedKeyPair || !cachedExportedPublicKey)
+        throw new Error('Crypto not initialized');
+    const recipientKey = await importPublicKey(recipientPublicKeyRaw);
+    const payload = await encrypt(JSON.stringify({ title: input.title, body: input.body, url: input.url }), cachedKeyPair.privateKey, recipientKey);
+    return {
+        body: JSON.stringify({ ciphertext: payload.ciphertext, iv: payload.iv }),
+        encryptedKey: JSON.stringify({ encryptedKey: payload.encryptedKey, keyIv: payload.keyIv }),
+        senderPublicKey: cachedExportedPublicKey,
+        isEncrypted: true,
+    };
+};
+exports.encryptPushBody = encryptPushBody;
+/**
+ * Encrypt push body for self (all own devices).
+ */
+const encryptPushBodyForSelf = async (input) => {
+    if (!cachedKeyPair || !cachedExportedPublicKey || !cachedOwnPublicKey)
+        throw new Error('Crypto not initialized');
+    const payload = await encrypt(JSON.stringify({ title: input.title, body: input.body, url: input.url }), cachedKeyPair.privateKey, cachedOwnPublicKey);
+    return {
+        body: JSON.stringify({ ciphertext: payload.ciphertext, iv: payload.iv }),
+        encryptedKey: JSON.stringify({ encryptedKey: payload.encryptedKey, keyIv: payload.keyIv }),
+        senderPublicKey: cachedExportedPublicKey,
+        isEncrypted: true,
+    };
+};
+exports.encryptPushBodyForSelf = encryptPushBodyForSelf;
+/**
+ * Encrypt file content for a recipient.
+ * Returns encrypted buffer + key material for file attachment metadata.
+ */
+const encryptFileForRecipient = async (content, recipientPublicKeyRaw) => {
+    if (!cachedKeyPair)
+        throw new Error('Crypto not initialized');
+    const recipientKey = await importPublicKey(recipientPublicKeyRaw);
+    const result = await encryptFileContent(content, cachedKeyPair.privateKey, recipientKey);
+    return {
+        ciphertext: result.ciphertext,
+        iv: result.iv,
+        encryptedKey: JSON.stringify({ encryptedKey: result.encryptedKey, keyIv: result.keyIv }),
+    };
+};
+exports.encryptFileForRecipient = encryptFileForRecipient;
+/**
+ * Encrypt file content for self (all own devices).
+ */
+const encryptFileForSelf = async (content) => {
+    if (!cachedKeyPair || !cachedOwnPublicKey)
+        throw new Error('Crypto not initialized');
+    const result = await encryptFileContent(content, cachedKeyPair.privateKey, cachedOwnPublicKey);
+    return {
+        ciphertext: result.ciphertext,
+        iv: result.iv,
+        encryptedKey: JSON.stringify({ encryptedKey: result.encryptedKey, keyIv: result.keyIv }),
+    };
+};
+exports.encryptFileForSelf = encryptFileForSelf;

package/dist/zeph-hook.d.ts

@@ -3,7 +3,9 @@ export declare class ZephHook {
     private readonly apiKey;
     private readonly baseUrl;
     private readonly timeoutMs;
+    private cryptoInitialized;
     constructor(options: ZephOptions);
+    private ensureCrypto;
     notify(payload: NotifyPayload): Promise<NotifyResult>;
     private notifyWithFile;
     requestUpload(params: {
@@ -11,7 +13,7 @@ export declare class ZephHook {
         fileType: string;
         fileSize: number;
     }): Promise<UploadRequestResult>;
-    uploadToS3(url: string, content: string, contentType: string): Promise<void>;
+    uploadToS3(url: string, content: string | Buffer, contentType: string): Promise<void>;
     list(params?: ListParams): Promise<ListResult>;
     dismiss(pushId: string): Promise<DismissOneResult>;
     dismissAll(): Promise<DismissAllResult>;

package/dist/zeph-hook.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"zeph-hook.d.ts","sourceRoot":"","sources":["../src/zeph-hook.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAY,gBAAgB,EAAE,gBAAgB,EAAoB,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAcxL,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,OAAO,EAAE,WAAW;IAS1B,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;YAiB7C,cAAc;IAsBtB,aAAa,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAK7G,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAY5E,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAmB9C,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAKlD,UAAU,IAAI,OAAO,CAAC,gBAAgB,CAAC;YAK/B,OAAO;IAiCrB,OAAO,CAAC,UAAU;CASnB"}
+{"version":3,"file":"zeph-hook.d.ts","sourceRoot":"","sources":["../src/zeph-hook.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAY,gBAAgB,EAAE,gBAAgB,EAAoB,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAexL,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IAEnC,OAAO,CAAC,iBAAiB,CAAS;gBAEtB,OAAO,EAAE,WAAW;YASlB,YAAY;IAYpB,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;YA6B7C,cAAc;IAsDtB,aAAa,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAK7G,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAcrF,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAmB9C,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAKlD,UAAU,IAAI,OAAO,CAAC,gBAAgB,CAAC;YAK/B,OAAO;IAiCrB,OAAO,CAAC,UAAU;CASnB"}

package/dist/zeph-hook.js

@@ -2,9 +2,10 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ZephHook = void 0;
 const errors_js_1 = require("./errors.js");
+const crypto_js_1 = require("./crypto.js");
 const DEFAULT_BASE_URL = 'https://api.zeph.to/v1';
 const DEFAULT_TIMEOUT_MS = 30_000;
-const BODY_FILE_THRESHOLD = 0;
+const BODY_FILE_THRESHOLD = 512;
 const PREVIEW_LENGTH = 200;
 const inferMimeType = (fileName) => {
     const ext = fileName.split('.').pop()?.toLowerCase();
@@ -15,6 +16,7 @@ class ZephHook {
     apiKey;
     baseUrl;
     timeoutMs;
+    cryptoInitialized = false;
     constructor(options) {
         if (!options.apiKey) {
             throw new errors_js_1.ZephError('apiKey is required', 'INVALID_OPTIONS', 400);
@@ -23,32 +25,86 @@ class ZephHook {
         this.baseUrl = (options.baseUrl ?? DEFAULT_BASE_URL).replace(/\/$/, '');
         this.timeoutMs = options.timeout ?? DEFAULT_TIMEOUT_MS;
     }
+    async ensureCrypto() {
+        if (this.cryptoInitialized)
+            return !!(0, crypto_js_1.getKeyPair)();
+        try {
+            await (0, crypto_js_1.initCrypto)(this.apiKey, this.baseUrl);
+            this.cryptoInitialized = true;
+            return !!(0, crypto_js_1.getKeyPair)();
+        }
+        catch {
+            this.cryptoInitialized = true;
+            return false;
+        }
+    }
     async notify(payload) {
+        const canEncrypt = await this.ensureCrypto();
         const body = payload.body;
         const bodyBytes = body ? new TextEncoder().encode(body).byteLength : 0;
         const isLongBody = bodyBytes > BODY_FILE_THRESHOLD;
         if (isLongBody && body) {
-            return this.notifyWithFile(payload, body, bodyBytes);
+            return this.notifyWithFile(payload, body, bodyBytes, canEncrypt);
+        }
+        // Encrypt push body if possible
+        let sendPayload = { ...payload };
+        if (canEncrypt) {
+            try {
+                const enc = await (0, crypto_js_1.encryptPushBodyForSelf)({ title: payload.title, body: payload.body, url: payload.url });
+                sendPayload = { ...sendPayload, title: undefined, body: enc.body, isEncrypted: true, encryptedKey: enc.encryptedKey, senderPublicKey: enc.senderPublicKey };
+            }
+            catch (err) {
+                console.error('[Crypto] Push encryption failed, sending plaintext:', err);
+            }
         }
-        const json = await this.request('POST', '/pushes/send', payload);
+        const json = await this.request('POST', '/pushes/send', sendPayload);
         const pushId = json.data?.pushId;
         if (!pushId) {
             throw new errors_js_1.ZephError('Server returned no pushId', 'INVALID_RESPONSE', 500);
         }
         return { pushId };
     }
-    async notifyWithFile(payload, body, fileSize) {
+    async notifyWithFile(payload, body, fileSize, canEncrypt) {
         const fileName = 'response.md';
-        const fileType = inferMimeType(fileName);
-        const upload = await this.requestUpload({ fileName, fileType, fileSize });
-        await this.uploadToS3(upload.uploadUrl, body, fileType);
+        let fileType = inferMimeType(fileName);
+        // Encrypt file content if possible
+        let uploadContent = body;
+        let uploadSize = fileSize;
+        let fileIv;
+        let fileEncryptedKey;
+        if (canEncrypt) {
+            try {
+                const encrypted = await (0, crypto_js_1.encryptFileForSelf)(body);
+                uploadContent = encrypted.ciphertext;
+                uploadSize = encrypted.ciphertext.length;
+                fileType = 'application/octet-stream';
+                fileIv = encrypted.iv;
+                fileEncryptedKey = encrypted.encryptedKey;
+            }
+            catch (err) {
+                console.error('[Crypto] File encryption failed, sending plaintext:', err);
+            }
+        }
+        const upload = await this.requestUpload({ fileName, fileType, fileSize: uploadSize });
+        await this.uploadToS3(upload.uploadUrl, uploadContent, fileType);
         const preview = body.length > PREVIEW_LENGTH ? body.slice(0, PREVIEW_LENGTH) + '...' : body;
-        const json = await this.request('POST', '/pushes/send', {
+        // Encrypt push body
+        let sendPayload = {
             ...payload,
             body: preview,
             type: payload.type ?? 'file',
-            files: [{ fileKey: upload.fileKey, fileName, fileSize, fileType }],
-        });
+            files: [{ fileKey: upload.fileKey, fileName, fileSize, fileType: inferMimeType(fileName), iv: fileIv, encryptedKey: fileEncryptedKey }],
+        };
+        if (canEncrypt) {
+            try {
+                const enc = await (0, crypto_js_1.encryptPushBodyForSelf)({ title: payload.title, body: preview, url: payload.url });
+                sendPayload = { ...sendPayload, title: undefined, body: enc.body, isEncrypted: true, encryptedKey: enc.encryptedKey, senderPublicKey: enc.senderPublicKey };
+            }
+            catch (err) {
+                console.error('[Crypto] Push encryption failed, sending plaintext:', err);
+            }
+        }
+        const json = await this.request('POST', '/pushes/send', sendPayload);
         const pushId = json.data?.pushId;
         if (!pushId) {
             throw new errors_js_1.ZephError('Server returned no pushId', 'INVALID_RESPONSE', 500);
@@ -60,10 +116,12 @@ class ZephHook {
         return json.data;
     }
     async uploadToS3(url, content, contentType) {
+        const isText = typeof content === 'string';
+        const body = isText ? content : new Uint8Array(content);
         const response = await fetch(url, {
             method: 'PUT',
-            headers: { 'Content-Type': `${contentType}; charset=utf-8` },
-            body: content,
+            headers: { 'Content-Type': isText ? `${contentType}; charset=utf-8` : contentType },
+            body,
             signal: AbortSignal.timeout(this.timeoutMs),
         });
         if (!response.ok) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zeph-to/hook-sdk",
-  "version": "1.4.0",
+  "version": "1.5.1",
   "description": "Zeph push notification SDK + CLI — zero dependencies",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",