@zuoyehaoduoa/wire 0.1.0

package/dist/index.mjs

@@ -0,0 +1,796 @@
+import * as z from 'zod';
+import { isCuid, createId } from '@paralleldrive/cuid2';
+import * as opaque from '@serenity-kit/opaque';
+import tweetnacl from 'tweetnacl';
+
+const sessionRoleSchema = z.enum(["user", "agent"]);
+const sessionTextEventSchema = z.object({
+  t: z.literal("text"),
+  text: z.string(),
+  thinking: z.boolean().optional()
+});
+const sessionServiceMessageEventSchema = z.object({
+  t: z.literal("service"),
+  text: z.string()
+});
+const sessionToolCallStartEventSchema = z.object({
+  t: z.literal("tool-call-start"),
+  call: z.string(),
+  name: z.string(),
+  title: z.string(),
+  description: z.string(),
+  args: z.record(z.string(), z.unknown())
+});
+const sessionToolCallEndEventSchema = z.object({
+  t: z.literal("tool-call-end"),
+  call: z.string()
+});
+const sessionFileEventSchema = z.object({
+  t: z.literal("file"),
+  ref: z.string(),
+  name: z.string(),
+  size: z.number(),
+  image: z.object({
+    width: z.number(),
+    height: z.number(),
+    thumbhash: z.string()
+  }).optional()
+});
+const sessionTurnStartEventSchema = z.object({
+  t: z.literal("turn-start")
+});
+const sessionStartEventSchema = z.object({
+  t: z.literal("start"),
+  title: z.string().optional()
+});
+const sessionTurnEndStatusSchema = z.enum([
+  "completed",
+  "failed",
+  "cancelled"
+]);
+const sessionTurnEndEventSchema = z.object({
+  t: z.literal("turn-end"),
+  status: sessionTurnEndStatusSchema
+});
+const sessionStopEventSchema = z.object({
+  t: z.literal("stop")
+});
+const sessionEventSchema = z.discriminatedUnion("t", [
+  sessionTextEventSchema,
+  sessionServiceMessageEventSchema,
+  sessionToolCallStartEventSchema,
+  sessionToolCallEndEventSchema,
+  sessionFileEventSchema,
+  sessionTurnStartEventSchema,
+  sessionStartEventSchema,
+  sessionTurnEndEventSchema,
+  sessionStopEventSchema
+]);
+const sessionEnvelopeSchema = z.object({
+  id: z.string(),
+  time: z.number(),
+  role: sessionRoleSchema,
+  turn: z.string().optional(),
+  subagent: z.string().refine((value) => isCuid(value), {
+    message: "subagent must be a cuid2 value"
+  }).optional(),
+  ev: sessionEventSchema
+}).superRefine((envelope, ctx) => {
+  if (envelope.ev.t === "service" && envelope.role !== "agent") {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: 'service events must use role "agent"',
+      path: ["role"]
+    });
+  }
+  if ((envelope.ev.t === "start" || envelope.ev.t === "stop") && envelope.role !== "agent") {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: `${envelope.ev.t} events must use role "agent"`,
+      path: ["role"]
+    });
+  }
+});
+function createEnvelope(role, ev, opts = {}) {
+  return sessionEnvelopeSchema.parse({
+    id: opts.id ?? createId(),
+    time: opts.time ?? Date.now(),
+    role,
+    ...opts.turn ? { turn: opts.turn } : {},
+    ...opts.subagent ? { subagent: opts.subagent } : {},
+    ev
+  });
+}
+
+const MessageMetaSchema = z.object({
+  sentFrom: z.string().optional(),
+  permissionMode: z.enum([
+    "default",
+    "acceptEdits",
+    "bypassPermissions",
+    "plan",
+    "read-only",
+    "safe-yolo",
+    "yolo"
+  ]).optional(),
+  model: z.string().nullable().optional(),
+  fallbackModel: z.string().nullable().optional(),
+  customSystemPrompt: z.string().nullable().optional(),
+  appendSystemPrompt: z.string().nullable().optional(),
+  allowedTools: z.array(z.string()).nullable().optional(),
+  disallowedTools: z.array(z.string()).nullable().optional(),
+  displayText: z.string().optional()
+});
+
+const SessionMessageContentSchema = z.object({
+  c: z.string(),
+  t: z.literal("encrypted")
+});
+const SessionMessageSchema = z.object({
+  id: z.string(),
+  seq: z.number(),
+  localId: z.string().nullish(),
+  content: SessionMessageContentSchema,
+  createdAt: z.number(),
+  updatedAt: z.number()
+});
+const SessionProtocolMessageSchema = z.object({
+  role: z.literal("session"),
+  content: sessionEnvelopeSchema,
+  meta: MessageMetaSchema.optional()
+});
+const MessageContentSchema = SessionProtocolMessageSchema;
+const VersionedEncryptedValueSchema = z.object({
+  version: z.number(),
+  value: z.string()
+});
+const VersionedNullableEncryptedValueSchema = z.object({
+  version: z.number(),
+  value: z.string().nullable()
+});
+const UpdateNewMessageBodySchema = z.object({
+  t: z.literal("new-message"),
+  sid: z.string(),
+  message: SessionMessageSchema
+});
+const UpdateSessionBodySchema = z.object({
+  t: z.literal("update-session"),
+  id: z.string(),
+  metadata: VersionedEncryptedValueSchema.nullish(),
+  agentState: VersionedNullableEncryptedValueSchema.nullish()
+});
+const VersionedMachineEncryptedValueSchema = z.object({
+  version: z.number(),
+  value: z.string()
+});
+const UpdateMachineBodySchema = z.object({
+  t: z.literal("update-machine"),
+  machineId: z.string(),
+  metadata: VersionedMachineEncryptedValueSchema.nullish(),
+  daemonState: VersionedMachineEncryptedValueSchema.nullish(),
+  active: z.boolean().optional(),
+  activeAt: z.number().optional()
+});
+const CoreUpdateBodySchema = z.discriminatedUnion("t", [
+  UpdateNewMessageBodySchema,
+  UpdateSessionBodySchema,
+  UpdateMachineBodySchema
+]);
+const CoreUpdateContainerSchema = z.object({
+  id: z.string(),
+  seq: z.number(),
+  body: CoreUpdateBodySchema,
+  createdAt: z.number()
+});
+
+const PASSWORD_SECRET_SALT = "codexdeck-password-bootstrap-v2";
+const PASSWORD_SECRET_ITERATIONS = 2e5;
+const PASSWORD_SECRET_LENGTH_BITS = 256;
+const TRANSPORT_BUNDLE_VERSION = 0;
+const REMOTE_SECRET_LENGTH_BYTES = 32;
+const REMOTE_OPAQUE_KEY_STRETCHING = "memory-constrained";
+const REMOTE_RELAY_KEY_SALT = "codexdeck:remote-relay-salt:v2";
+const REMOTE_RELAY_KEY_INFO = "codexdeck:remote-relay-info:v2";
+const REMOTE_OPAQUE_SERVER_IDENTIFIER_PREFIX = "codexdeck:remote-server:v1:";
+const REMOTE_RPC_SIGNATURE_VERSION = "codexdeck:remote-rpc-signature:v1";
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+function isCryptoAvailable(cryptoObject) {
+  return !!cryptoObject?.subtle && typeof cryptoObject.getRandomValues === "function";
+}
+let cryptoPromise = null;
+async function getCrypto() {
+  const cryptoObject = globalThis.crypto;
+  if (isCryptoAvailable(cryptoObject)) {
+    return cryptoObject;
+  }
+  if (!cryptoPromise) {
+    cryptoPromise = (async () => {
+      const processObject = globalThis.process;
+      if (!processObject?.versions?.node) {
+        throw new Error("Web Crypto API is required");
+      }
+      const nodeCryptoModule = await import('node:crypto');
+      if (!isCryptoAvailable(nodeCryptoModule.webcrypto)) {
+        throw new Error("Web Crypto API is required");
+      }
+      return nodeCryptoModule.webcrypto;
+    })();
+  }
+  return cryptoPromise;
+}
+function concatBytes(...chunks) {
+  const totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
+  const output = new Uint8Array(totalLength);
+  let offset = 0;
+  for (const chunk of chunks) {
+    output.set(chunk, offset);
+    offset += chunk.length;
+  }
+  return output;
+}
+function normalizeUsername(username) {
+  return username.normalize("NFKC").trim().toLowerCase();
+}
+function normalizePassword(password) {
+  return password.normalize("NFKC");
+}
+function encodeBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary);
+}
+function decodeBase64(base64) {
+  const normalized = base64.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(base64.length / 4) * 4, "=");
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(normalized, "base64"));
+  }
+  const binary = atob(normalized);
+  const output = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i += 1) {
+    output[i] = binary.charCodeAt(i);
+  }
+  return output;
+}
+function normalizeRealmId(realmId) {
+  const normalized = realmId.trim();
+  if (!normalized) {
+    throw new Error("Realm id must not be empty");
+  }
+  return normalized;
+}
+function normalizeCredentialInputs(username, password, realmId) {
+  const normalizedUsername = normalizeUsername(username);
+  if (!normalizedUsername) {
+    throw new Error("Username must not be empty");
+  }
+  const normalizedPassword = normalizePassword(password);
+  if (normalizedPassword.trim().length === 0) {
+    throw new Error("Password must not be empty");
+  }
+  return {
+    username: normalizedUsername,
+    password: normalizedPassword,
+    realmId: normalizeRealmId(realmId)
+  };
+}
+async function deriveCredentialSecret(username, password, realmId) {
+  const normalized = normalizeCredentialInputs(username, password, realmId);
+  const cryptoObject = await getCrypto();
+  const baseKey = await cryptoObject.subtle.importKey(
+    "raw",
+    encoder.encode(normalized.password),
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const bits = await cryptoObject.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      hash: "SHA-256",
+      salt: encoder.encode(
+        `${PASSWORD_SECRET_SALT}
+${normalized.realmId}
+${normalized.username}`
+      ),
+      iterations: PASSWORD_SECRET_ITERATIONS
+    },
+    baseKey,
+    PASSWORD_SECRET_LENGTH_BITS
+  );
+  return new Uint8Array(bits);
+}
+function normalizeSecretBytes(secret) {
+  if (secret.length !== REMOTE_SECRET_LENGTH_BYTES) {
+    throw new Error(
+      `Remote secret must be ${REMOTE_SECRET_LENGTH_BYTES} bytes`
+    );
+  }
+  return Uint8Array.from(secret);
+}
+function deriveSubkey(secret, label) {
+  const digest = tweetnacl.hash(
+    concatBytes(secret, encoder.encode(`codexdeck:${label}`))
+  );
+  return digest.slice(0, 32);
+}
+function deriveContentKeyPair(secret) {
+  const seed = deriveSubkey(secret, "content-seed");
+  const boxSecretKey = tweetnacl.hash(seed).slice(0, 32);
+  const keyPair = tweetnacl.box.keyPair.fromSecretKey(boxSecretKey);
+  return {
+    publicKey: keyPair.publicKey,
+    secretKey: keyPair.secretKey
+  };
+}
+function deriveRemoteMaterialFromSecret(secret) {
+  const normalizedSecret = normalizeSecretBytes(secret);
+  const authKeyPair = tweetnacl.sign.keyPair.fromSeed(normalizedSecret);
+  const contentKeyPair = deriveContentKeyPair(normalizedSecret);
+  const relayKey = deriveSubkey(normalizedSecret, "remote-relay");
+  return {
+    secret: normalizedSecret,
+    relayKey,
+    authKeyPair,
+    contentKeyPair,
+    publicKeyHex: Array.from(authKeyPair.publicKey).map((value) => value.toString(16).padStart(2, "0")).join("").toUpperCase()
+  };
+}
+function deriveRemoteAuthMaterialFromSecret(secret) {
+  const normalizedSecret = typeof secret === "string" ? decodeBase64(secret) : secret;
+  return deriveRemoteMaterialFromSecret(normalizedSecret);
+}
+async function digestSha256(input) {
+  const cryptoObject = await getCrypto();
+  const digest = await cryptoObject.subtle.digest("SHA-256", input);
+  return new Uint8Array(digest);
+}
+async function ensureOpaqueReady() {
+  await opaque.ready;
+}
+function normalizeRemoteOpaquePassword(password) {
+  const normalized = normalizePassword(password);
+  if (normalized.trim().length === 0) {
+    throw new Error("Password must not be empty");
+  }
+  return normalized;
+}
+function buildRemoteOpaqueIdentifiers(loginHandle, realmId) {
+  return {
+    client: normalizeLoginHandle(loginHandle),
+    server: `${REMOTE_OPAQUE_SERVER_IDENTIFIER_PREFIX}${normalizeRealmId(realmId)}`
+  };
+}
+function normalizeLoginHandle(loginHandle) {
+  const normalized = loginHandle.trim().toLowerCase();
+  if (!normalized) {
+    throw new Error("Login handle must not be empty");
+  }
+  return normalized;
+}
+async function deriveRemoteLoginHandle(username, realmId) {
+  const normalizedUsername = normalizeUsername(username);
+  if (!normalizedUsername) {
+    throw new Error("Username must not be empty");
+  }
+  const digest = await digestSha256(
+    encoder.encode(
+      `codexdeck:remote-login-handle:v1:${normalizeRealmId(realmId)}:${normalizedUsername}`
+    )
+  );
+  return Array.from(digest).map((value) => value.toString(16).padStart(2, "0")).join("");
+}
+async function createRemoteOpaqueServerSetup() {
+  await ensureOpaqueReady();
+  return opaque.server.createSetup();
+}
+async function getRemoteOpaqueServerPublicKey(serverSetup) {
+  await ensureOpaqueReady();
+  return opaque.server.getPublicKey(serverSetup);
+}
+async function deriveRemoteRelayKeyFromExportKey(exportKey) {
+  const normalizedExportKey = typeof exportKey === "string" ? decodeBase64(exportKey) : exportKey;
+  if (normalizedExportKey.length === 0) {
+    throw new Error("Export key must not be empty");
+  }
+  const cryptoObject = await getCrypto();
+  const baseKey = await cryptoObject.subtle.importKey(
+    "raw",
+    normalizedExportKey,
+    "HKDF",
+    false,
+    ["deriveBits"]
+  );
+  const bits = await cryptoObject.subtle.deriveBits(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: encoder.encode(REMOTE_RELAY_KEY_SALT),
+      info: encoder.encode(REMOTE_RELAY_KEY_INFO)
+    },
+    baseKey,
+    256
+  );
+  return new Uint8Array(bits);
+}
+async function startRemoteOpaqueRegistration(password) {
+  await ensureOpaqueReady();
+  return opaque.client.startRegistration({
+    password: normalizeRemoteOpaquePassword(password)
+  });
+}
+async function createRemoteOpaqueRegistrationResponse(params) {
+  await ensureOpaqueReady();
+  return opaque.server.createRegistrationResponse({
+    serverSetup: params.serverSetup,
+    userIdentifier: normalizeLoginHandle(params.loginHandle),
+    registrationRequest: params.registrationRequest
+  });
+}
+async function finishRemoteOpaqueRegistration(params) {
+  await ensureOpaqueReady();
+  const result = opaque.client.finishRegistration({
+    password: normalizeRemoteOpaquePassword(params.password),
+    clientRegistrationState: params.clientRegistrationState,
+    registrationResponse: params.registrationResponse,
+    keyStretching: REMOTE_OPAQUE_KEY_STRETCHING,
+    identifiers: buildRemoteOpaqueIdentifiers(
+      params.loginHandle,
+      params.realmId
+    )
+  });
+  if (params.expectedServerPublicKey && result.serverStaticPublicKey !== params.expectedServerPublicKey) {
+    throw new Error("Remote server public key mismatch");
+  }
+  return {
+    ...result,
+    relayKey: await deriveRemoteRelayKeyFromExportKey(result.exportKey)
+  };
+}
+async function startRemoteOpaqueLogin(password) {
+  await ensureOpaqueReady();
+  return opaque.client.startLogin({
+    password: normalizeRemoteOpaquePassword(password)
+  });
+}
+async function startRemoteOpaqueServerLogin(params) {
+  await ensureOpaqueReady();
+  return opaque.server.startLogin({
+    serverSetup: params.serverSetup,
+    registrationRecord: params.registrationRecord,
+    startLoginRequest: params.startLoginRequest,
+    userIdentifier: normalizeLoginHandle(params.loginHandle),
+    identifiers: buildRemoteOpaqueIdentifiers(
+      params.loginHandle,
+      params.realmId
+    )
+  });
+}
+async function finishRemoteOpaqueLogin(params) {
+  await ensureOpaqueReady();
+  const result = opaque.client.finishLogin({
+    password: normalizeRemoteOpaquePassword(params.password),
+    clientLoginState: params.clientLoginState,
+    loginResponse: params.loginResponse,
+    keyStretching: REMOTE_OPAQUE_KEY_STRETCHING,
+    identifiers: buildRemoteOpaqueIdentifiers(
+      params.loginHandle,
+      params.realmId
+    )
+  });
+  if (!result) {
+    return null;
+  }
+  if (params.expectedServerPublicKey && result.serverStaticPublicKey !== params.expectedServerPublicKey) {
+    throw new Error("Remote server public key mismatch");
+  }
+  return {
+    ...result,
+    relayKey: await deriveRemoteRelayKeyFromExportKey(result.exportKey)
+  };
+}
+async function finishRemoteOpaqueServerLogin(params) {
+  await ensureOpaqueReady();
+  return opaque.server.finishLogin({
+    serverLoginState: params.serverLoginState,
+    finishLoginRequest: params.finishLoginRequest,
+    identifiers: buildRemoteOpaqueIdentifiers(
+      params.loginHandle,
+      params.realmId
+    )
+  });
+}
+function encodeRemoteStoredSecret(secret) {
+  return encodeBase64(normalizeSecretBytes(secret));
+}
+function decodeRemoteStoredSecret(secret) {
+  return normalizeSecretBytes(decodeBase64(secret));
+}
+async function deriveRemoteStoredAccessMaterial(storedSecret) {
+  return deriveRemoteAuthMaterialFromSecret(
+    decodeRemoteStoredSecret(storedSecret)
+  );
+}
+async function deriveRemoteAccessStorageSecret(username, password, realmId) {
+  const material = await deriveRemoteAccessMaterial(
+    username,
+    password,
+    realmId
+  );
+  return encodeRemoteStoredSecret(material.secret);
+}
+async function deriveRemoteAccessMaterial(username, password, realmId) {
+  const normalized = normalizeCredentialInputs(username, password, realmId);
+  const secret = await deriveCredentialSecret(
+    normalized.username,
+    normalized.password,
+    normalized.realmId
+  );
+  return {
+    ...deriveRemoteMaterialFromSecret(secret),
+    loginHandle: await deriveRemoteLoginHandle(
+      normalized.username,
+      normalized.realmId
+    ),
+    realmId: normalized.realmId
+  };
+}
+async function deriveRemoteAuthMaterial(username, password, realmId) {
+  return deriveRemoteAccessMaterial(username, password, realmId);
+}
+function buildRemoteAuthChallengeMessage(binding) {
+  const machineId = binding.machineId?.trim() || "";
+  return encoder.encode(
+    [
+      "codexdeck-auth-v1",
+      binding.challengeId,
+      binding.challenge,
+      binding.clientKind,
+      machineId
+    ].join("\n")
+  );
+}
+function signRemoteAuthChallenge(secretKey, binding) {
+  const signature = tweetnacl.sign.detached(
+    buildRemoteAuthChallengeMessage(binding),
+    secretKey
+  );
+  return encodeBase64(signature);
+}
+function verifyRemoteAuthChallengeSignature(publicKey, signature, binding) {
+  return tweetnacl.sign.detached.verify(
+    buildRemoteAuthChallengeMessage(binding),
+    signature,
+    publicKey
+  );
+}
+function parseSigningPublicKey(publicKey) {
+  const parsed = typeof publicKey === "string" ? decodeBase64(publicKey) : publicKey;
+  if (parsed.length !== tweetnacl.sign.publicKeyLength) {
+    throw new Error("Invalid remote RPC signing public key");
+  }
+  return parsed;
+}
+function parseSigningSecretKey(secretKey) {
+  const parsed = typeof secretKey === "string" ? decodeBase64(secretKey) : secretKey;
+  if (parsed.length !== tweetnacl.sign.secretKeyLength) {
+    throw new Error("Invalid remote RPC signing secret key");
+  }
+  return parsed;
+}
+function parseSigningSignature(signature) {
+  const parsed = typeof signature === "string" ? decodeBase64(signature) : signature;
+  if (parsed.length !== tweetnacl.sign.signatureLength) {
+    throw new Error("Invalid remote RPC signature");
+  }
+  return parsed;
+}
+function buildRemoteRpcSignatureMessage(params) {
+  const machineId = params.machineId.trim();
+  const requestId = params.requestId.trim();
+  if (!machineId) {
+    throw new Error("Remote RPC signature machineId must not be empty");
+  }
+  if (!requestId) {
+    throw new Error("Remote RPC signature requestId must not be empty");
+  }
+  if (!params.encryptedResult.trim()) {
+    throw new Error("Remote RPC signature payload must not be empty");
+  }
+  return encoder.encode(
+    [
+      REMOTE_RPC_SIGNATURE_VERSION,
+      machineId,
+      requestId,
+      params.encryptedResult
+    ].join("\n")
+  );
+}
+function generateRemoteRpcSigningKeyPair() {
+  const keyPair = tweetnacl.sign.keyPair();
+  return {
+    publicKey: encodeBase64(keyPair.publicKey),
+    secretKey: encodeBase64(keyPair.secretKey)
+  };
+}
+function signRemoteRpcResult(params) {
+  const signature = tweetnacl.sign.detached(
+    buildRemoteRpcSignatureMessage(params),
+    parseSigningSecretKey(params.secretKey)
+  );
+  return encodeBase64(signature);
+}
+function verifyRemoteRpcResultSignature(params) {
+  return tweetnacl.sign.detached.verify(
+    buildRemoteRpcSignatureMessage(params),
+    parseSigningSignature(params.signature),
+    parseSigningPublicKey(params.publicKey)
+  );
+}
+async function importAesKey(key) {
+  const cryptoObject = await getCrypto();
+  return cryptoObject.subtle.importKey(
+    "raw",
+    key,
+    {
+      name: "AES-GCM",
+      length: 256
+    },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function encryptRemotePayload(key, payload) {
+  const cryptoObject = await getCrypto();
+  const iv = cryptoObject.getRandomValues(new Uint8Array(12));
+  const cryptoKey = await importAesKey(key);
+  const encrypted = await cryptoObject.subtle.encrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    cryptoKey,
+    encoder.encode(JSON.stringify(payload))
+  );
+  const bundle = concatBytes(
+    Uint8Array.of(TRANSPORT_BUNDLE_VERSION),
+    iv,
+    new Uint8Array(encrypted)
+  );
+  return encodeBase64(bundle);
+}
+async function decryptRemotePayload(key, encoded) {
+  const bundle = decodeBase64(encoded);
+  if (bundle.length < 13 || bundle[0] !== TRANSPORT_BUNDLE_VERSION) {
+    throw new Error("Invalid encrypted payload");
+  }
+  const iv = bundle.slice(1, 13);
+  const ciphertext = bundle.slice(13);
+  const cryptoKey = await importAesKey(key);
+  const cryptoObject = await getCrypto();
+  const decrypted = await cryptoObject.subtle.decrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    cryptoKey,
+    ciphertext
+  );
+  return JSON.parse(decoder.decode(decrypted));
+}
+
+const RemoteRpcEnvelopeSchema = z.object({
+  requestId: z.string(),
+  body: z.unknown()
+});
+const RemoteRpcResultEnvelopeSchema = z.discriminatedUnion("ok", [
+  z.object({
+    ok: z.literal(true),
+    requestId: z.string(),
+    body: z.unknown()
+  }),
+  z.object({
+    ok: z.literal(false),
+    requestId: z.string(),
+    error: z.string()
+  })
+]);
+const RemoteMachineMetadataSchema = z.object({
+  machineId: z.string(),
+  label: z.string(),
+  host: z.string(),
+  platform: z.string(),
+  codexDir: z.string(),
+  cliVersion: z.string(),
+  rpcSigningPublicKey: z.string().min(1)
+});
+const RemoteMachineStateSchema = z.object({
+  status: z.enum(["running", "offline", "error"]),
+  connectedAt: z.number(),
+  lastHeartbeatAt: z.number(),
+  localWebUrl: z.string().nullable().optional()
+});
+const RemoteMachineDescriptionSchema = z.object({
+  id: z.string(),
+  metadata: RemoteMachineMetadataSchema,
+  state: RemoteMachineStateSchema.nullable(),
+  active: z.boolean(),
+  activeAt: z.number()
+});
+
+const RemoteAuthErrorCode = {
+  accountNotFound: "remote_account_not_found",
+  accountMismatch: "remote_account_mismatch",
+  setupTokensMissing: "remote_setup_tokens_missing",
+  setupTokenInvalid: "remote_setup_token_invalid",
+  loginAlreadyBound: "remote_login_already_bound",
+  machineAlreadyBound: "remote_machine_already_bound",
+  invalidLogin: "remote_invalid_login",
+  invalidRegister: "remote_invalid_register",
+  invalidLoginState: "remote_invalid_login_state",
+  adminPasswordInvalid: "remote_admin_password_invalid",
+  authUpgradeRequired: "remote_auth_upgrade_required"
+};
+const REMOTE_AUTH_ERROR_CODE_SET = new Set(
+  Object.values(RemoteAuthErrorCode)
+);
+function isRemoteAuthErrorCode(value) {
+  return typeof value === "string" && REMOTE_AUTH_ERROR_CODE_SET.has(value);
+}
+function getRemoteAuthHint(params) {
+  const code = isRemoteAuthErrorCode(params.code) ? params.code : null;
+  if (code === RemoteAuthErrorCode.invalidLogin) {
+    if (params.context === "cli") {
+      return "Remote password is incorrect for this registered CLI account. Update --remote-password (or CODEXDECK_REMOTE_PASSWORD) to match the target server credentials.";
+    }
+    if (params.context === "admin") {
+      return "Admin password is incorrect.";
+    }
+    return "Incorrect password for this remote username. Use the same password configured on the target CLI.";
+  }
+  if (code === RemoteAuthErrorCode.accountNotFound) {
+    if (params.context === "cli") {
+      return "Remote account not found. Register this CLI first using a valid --remote-setup-token, --remote-username, and --remote-password.";
+    }
+    return "Remote account not found. Start the CLI first with --remote-setup-token, --remote-username, and --remote-password.";
+  }
+  if (code === RemoteAuthErrorCode.accountMismatch) {
+    return "This login is bound to a different machine. Use the credentials originally registered for this machine, or configure a different --remote-machine-id.";
+  }
+  if (code === RemoteAuthErrorCode.setupTokenInvalid) {
+    return "Setup token is invalid or disabled. Generate a valid setup token in the server admin page and retry.";
+  }
+  if (code === RemoteAuthErrorCode.setupTokensMissing) {
+    return "Remote server has no setup tokens configured. Add setup tokens in server admin before registering a CLI.";
+  }
+  if (code === RemoteAuthErrorCode.invalidLoginState) {
+    return "Remote login attempt expired or is no longer valid. Retry login.";
+  }
+  if (code === RemoteAuthErrorCode.invalidRegister) {
+    return "Remote registration attempt expired or is no longer valid. Retry CLI registration.";
+  }
+  if (code === RemoteAuthErrorCode.loginAlreadyBound || code === RemoteAuthErrorCode.machineAlreadyBound) {
+    return "This remote login or machine is already bound to different credentials. Verify --remote-username, --remote-password, and --remote-machine-id.";
+  }
+  if (code === RemoteAuthErrorCode.authUpgradeRequired) {
+    return "Legacy remote auth is no longer supported. Re-register this CLI using the current codex-deck version.";
+  }
+  if (code === RemoteAuthErrorCode.adminPasswordInvalid) {
+    return "Admin password is incorrect.";
+  }
+  const fallback = params.error?.trim();
+  if (fallback) {
+    return fallback;
+  }
+  if (params.context === "admin") {
+    return "Remote admin login failed.";
+  }
+  return "Remote login failed.";
+}
+
+export { CoreUpdateBodySchema, CoreUpdateContainerSchema, MessageContentSchema, MessageMetaSchema, RemoteAuthErrorCode, RemoteMachineDescriptionSchema, RemoteMachineMetadataSchema, RemoteMachineStateSchema, RemoteRpcEnvelopeSchema, RemoteRpcResultEnvelopeSchema, SessionMessageContentSchema, SessionMessageSchema, SessionProtocolMessageSchema, UpdateMachineBodySchema, UpdateNewMessageBodySchema, UpdateSessionBodySchema, VersionedEncryptedValueSchema, VersionedMachineEncryptedValueSchema, VersionedNullableEncryptedValueSchema, buildRemoteAuthChallengeMessage, createEnvelope, createRemoteOpaqueRegistrationResponse, createRemoteOpaqueServerSetup, decodeBase64, decodeRemoteStoredSecret, decryptRemotePayload, deriveRemoteAccessMaterial, deriveRemoteAccessStorageSecret, deriveRemoteAuthMaterial, deriveRemoteAuthMaterialFromSecret, deriveRemoteLoginHandle, deriveRemoteRelayKeyFromExportKey, deriveRemoteStoredAccessMaterial, encodeBase64, encodeRemoteStoredSecret, encryptRemotePayload, finishRemoteOpaqueLogin, finishRemoteOpaqueRegistration, finishRemoteOpaqueServerLogin, generateRemoteRpcSigningKeyPair, getRemoteAuthHint, getRemoteOpaqueServerPublicKey, isRemoteAuthErrorCode, sessionEnvelopeSchema, sessionEventSchema, sessionFileEventSchema, sessionRoleSchema, sessionServiceMessageEventSchema, sessionStartEventSchema, sessionStopEventSchema, sessionTextEventSchema, sessionToolCallEndEventSchema, sessionToolCallStartEventSchema, sessionTurnEndEventSchema, sessionTurnEndStatusSchema, sessionTurnStartEventSchema, signRemoteAuthChallenge, signRemoteRpcResult, startRemoteOpaqueLogin, startRemoteOpaqueRegistration, startRemoteOpaqueServerLogin, verifyRemoteAuthChallengeSignature, verifyRemoteRpcResultSignature };