agent-yes 1.120.0 → 1.121.0

package/dist/{ts-C78N0K4F.js → ts-D91dm1E0.js}

@@ -1,5 +1,5 @@
 import { n as logger, t as addTransport } from "./logger-B9h0djqx.js";
-import { r as getInstalledPackage } from "./versionChecker-CYZtJKMG.js";
+import { r as getInstalledPackage } from "./versionChecker-CAtpgnoQ.js";
 import { t as agentYesHome } from "./agentYesHome-BvaUOzCV.js";
 import { i as shouldUseLock, r as releaseLock, t as acquireLock } from "./runningLock-CJxsoGdb.js";
 import { t as PidStore } from "./pidStore-B5vBu8Px.js";
@@ -1715,4 +1715,4 @@ function sleep(ms) {
 
 //#endregion
 export { removeControlCharacters as a, AgentContext as i, agentYes as n, config as r, CLIS_CONFIG as t };
-//# sourceMappingURL=ts-C78N0K4F.js.map
+//# sourceMappingURL=ts-D91dm1E0.js.map

package/dist/{versionChecker-CYZtJKMG.js → versionChecker-CAtpgnoQ.js}

@@ -7,7 +7,7 @@ import { fileURLToPath } from "url";
 
 //#region package.json
 var name = "agent-yes";
-var version = "1.120.0";
+var version = "1.121.0";
 
 //#endregion
 //#region ts/versionChecker.ts
@@ -221,4 +221,4 @@ async function displayVersion() {
 
 //#endregion
 export { versionString as i, displayVersion as n, getInstalledPackage as r, checkAndAutoUpdate as t };
-//# sourceMappingURL=versionChecker-CYZtJKMG.js.map
+//# sourceMappingURL=versionChecker-CAtpgnoQ.js.map

package/lab/ui/blog/e2ee-share-links/index.html

@@ -0,0 +1,299 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>End-to-end encryption for agent-yes share links</title>
+    <meta
+      name="description"
+      content="How agent-yes share links stay private even if the signaling relay is hacked: an HKDF key split, AES-256-GCM with per-connection keys, and a fail-closed handshake."
+    />
+    <style>
+      :root {
+        --bg: #0d1117;
+        --fg: #e6edf3;
+        --muted: #8b949e;
+        --accent: #58a6ff;
+        --green: #3fb950;
+        --red: #f85149;
+        --card: #161b22;
+        --border: #30363d;
+      }
+      @media (prefers-color-scheme: light) {
+        :root {
+          --bg: #ffffff;
+          --fg: #1f2328;
+          --muted: #59636e;
+          --accent: #0969da;
+          --green: #1a7f37;
+          --red: #cf222e;
+          --card: #f6f8fa;
+          --border: #d0d7de;
+        }
+      }
+      * {
+        box-sizing: border-box;
+      }
+      body {
+        background: var(--bg);
+        color: var(--fg);
+        font:
+          16px/1.65 -apple-system,
+          BlinkMacSystemFont,
+          "Segoe UI",
+          Helvetica,
+          Arial,
+          sans-serif;
+        margin: 0;
+        padding: 0 20px;
+      }
+      main {
+        max-width: 760px;
+        margin: 0 auto;
+        padding: 56px 0 96px;
+      }
+      .tag {
+        background: var(--accent);
+        color: #fff;
+        padding: 2px 8px;
+        border-radius: 6px;
+        font-size: 0.8em;
+        letter-spacing: 0.02em;
+      }
+      h1 {
+        font-size: 2em;
+        line-height: 1.2;
+        margin: 18px 0 8px;
+      }
+      h2 {
+        font-size: 1.3em;
+        margin: 40px 0 10px;
+        border-top: 1px solid var(--border);
+        padding-top: 28px;
+      }
+      .sub {
+        color: var(--muted);
+        font-size: 1.05em;
+      }
+      a {
+        color: var(--accent);
+      }
+      code {
+        background: var(--card);
+        border: 1px solid var(--border);
+        border-radius: 5px;
+        padding: 1px 5px;
+        font-size: 0.88em;
+        font-family: ui-monospace, "SF Mono", Menlo, Consolas, monospace;
+      }
+      pre {
+        background: var(--card);
+        border: 1px solid var(--border);
+        border-radius: 10px;
+        padding: 14px 16px;
+        overflow-x: auto;
+        font-size: 0.86em;
+        line-height: 1.5;
+      }
+      pre code {
+        background: none;
+        border: 0;
+        padding: 0;
+      }
+      .note {
+        border-left: 3px solid var(--accent);
+        background: var(--card);
+        padding: 10px 16px;
+        border-radius: 0 8px 8px 0;
+        margin: 18px 0;
+      }
+      .ok {
+        color: var(--green);
+      }
+      .no {
+        color: var(--red);
+      }
+      footer {
+        color: var(--muted);
+        font-size: 0.9em;
+        margin-top: 48px;
+        border-top: 1px solid var(--border);
+        padding-top: 20px;
+      }
+      table {
+        border-collapse: collapse;
+        width: 100%;
+        margin: 16px 0;
+        font-size: 0.92em;
+      }
+      th,
+      td {
+        border: 1px solid var(--border);
+        padding: 8px 10px;
+        text-align: left;
+        vertical-align: top;
+      }
+      th {
+        background: var(--card);
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <p><span class="tag">agent-yes</span> · engineering</p>
+      <h1>End-to-end encryption for share links: even a hacked relay can't read your terminal</h1>
+      <p class="sub">
+        agent-yes share links now run an end-to-end-encrypted protocol. The signaling server that
+        introduces your browser to your machine never sees a key — so even if it is fully
+        compromised, it cannot read your terminal, type into your agents, or spawn new ones.
+      </p>
+
+      <h2>What a share link does</h2>
+      <p>
+        When you run <code>ay serve --webrtc</code>, your machine connects to a tiny Cloudflare
+        signaling server and waits for a browser to open the printed link on
+        <code>agent-yes.com</code>. The signaling server is only a <em>matchmaker</em>: it relays
+        the WebRTC handshake (SDP + ICE) so the two sides can find each other, then your terminal
+        traffic flows <strong>peer-to-peer</strong> over an encrypted WebRTC DataChannel — it never
+        passes through the server. The room link looks like:
+      </p>
+      <pre><code>https://agent-yes.com/#&lt;room&gt;:e1.&lt;secret&gt;</code></pre>
+
+      <h2>The threat: "what if the matchmaker is hacked?"</h2>
+      <p>
+        Previously, the link's token did double duty — it was both the value the server used to
+        match peers <em>and</em> the only shared secret. That meant the server
+        <em>saw the secret</em>. A compromised signaling server could therefore impersonate a
+        browser or man-in-the-middle the connection, and a breach would expose <em>every</em> user's
+        token at once. The bar we want instead:
+      </p>
+      <div class="note">
+        A fully compromised signaling server (or an active network attacker who can rewrite the
+        relayed handshake) may slow you down or learn metadata — but must
+        <strong>never</strong> read terminal I/O, inject input, spawn agents, or recover any key.
+      </div>
+
+      <h2>One secret, two derived keys (the HKDF split)</h2>
+      <p>
+        The link still carries one 32-byte secret <code>S</code>. We run it through HKDF-SHA256 to
+        derive two unrelated values:
+      </p>
+      <pre><code>authToken = HKDF(S, "ay/ay-e2e-1/auth")   →  the ONLY value the server sees
+e2e keys  = HKDF(S, "ay/ay-e2e-1/key/…")  →  never leave your machine or browser</code></pre>
+      <p>
+        HKDF is one-way, so from <code>authToken</code> the server cannot recover <code>S</code> or
+        the encryption keys. The actual terminal frames are sealed with AES-256-GCM under keys the
+        server has never seen. Because the link is pasted directly between the two endpoints, both
+        sides already share <code>S</code> without the server ever being told it.
+      </p>
+
+      <h2>The subtle part nobody gets right: nonce reuse</h2>
+      <p>
+        AES-GCM is catastrophic if a <code>(key, nonce)</code> pair ever repeats — it leaks
+        plaintext <em>and</em> lets an attacker forge messages. The naive design (one key per room
+        plus a per-connection counter) reuses nonces across reconnects, host restarts, and multiple
+        browsers in the same room. Our fix: derive the encryption keys
+        <strong>per connection</strong> by folding the live DTLS handshake fingerprint into HKDF as
+        the salt. Every session and every peer therefore gets fresh keys, so a counter that restarts
+        at 0 is always paired with a never-before-used key. We also use
+        <strong>directional keys</strong>
+        (host→client and client→host are different keys), so the two senders never share a nonce
+        space.
+      </p>
+
+      <h2>Binding to the real connection (anti-MITM), done right</h2>
+      <p>
+        We hash both peers' DTLS fingerprints — plus the handshake role and ICE ufrag — from the
+        negotiated session, and use that hash as <strong>both</strong> the HKDF salt for the keys
+        <strong>and</strong> the authenticated data on every frame. On top of that, the channel runs
+        a mandatory, bidirectional <strong>key-confirmation handshake</strong> (each side sends a
+        fresh challenge nonce and must see it echoed back) that has to complete in
+        <em>both</em> directions before a single byte of terminal I/O is processed. If a relay sat
+        in the middle, the fingerprints differ, the keys differ, confirmation fails, and the
+        connection <span class="no">closes</span> — there is no "connected but unverified" window
+        and no silent fallback.
+      </p>
+
+      <h2>Replay, reordering, and forged aborts</h2>
+      <p>
+        The DataChannel is reliable and ordered, and we add a mandatory monotonic frame counter,
+        128-bit random request ids, and per-stream sequence numbers. So a captured frame can't be
+        replayed to re-run a command, a stale "abort" can't cancel a fresh request, and a truncated
+        stream can't masquerade as a complete response.
+      </p>
+
+      <h2>Fail closed, always</h2>
+      <p>
+        Encrypted links carry a version marker (<code>#room:e1.&lt;secret&gt;</code>). The grammar
+        is strict: anything that looks like a marker but isn't exactly <code>e1.</code> + 64 hex is
+        rejected, never quietly treated as a legacy link. Legacy plaintext is hard-disabled in the
+        client, the host refuses to bridge a plaintext channel for an encrypted room, and on any
+        version skew, missing marker, bad tag, fingerprint mismatch, or confirmation timeout we
+        <span class="no">refuse</span> rather than downgrade.
+      </p>
+
+      <h2>One implementation, no dependencies</h2>
+      <p>
+        The crypto is a single WebCrypto module shared by both ends — the browser imports it, and
+        the host (running on Bun, which ships WebCrypto) bundles the exact same file. One
+        implementation means the two sides can't drift apart, and there are no new dependencies. A
+        test suite pins the key derivation, the frame format, and every fail-closed path.
+      </p>
+
+      <h2>What a hacked server gets — and doesn't</h2>
+      <table>
+        <tr>
+          <th></th>
+          <th>Before</th>
+          <th>Now</th>
+        </tr>
+        <tr>
+          <td>Read your terminal I/O</td>
+          <td class="no">possible (sees the secret)</td>
+          <td class="ok">no — keys never reach the server</td>
+        </tr>
+        <tr>
+          <td>Inject input / spawn agents</td>
+          <td class="no">possible</td>
+          <td class="ok">no — frames it forges fail decryption</td>
+        </tr>
+        <tr>
+          <td>Harvest every user's secret in a breach</td>
+          <td class="no">yes (stores raw tokens)</td>
+          <td class="ok">no — only one-way authTokens</td>
+        </tr>
+        <tr>
+          <td>DoS / see metadata (rooms, timing, IPs)</td>
+          <td class="no">yes</td>
+          <td class="no">still yes</td>
+        </tr>
+      </table>
+
+      <h2>What changed for you</h2>
+      <p>
+        Old share links rotate to a fresh encrypted room automatically on upgrade — re-open the new
+        printed link (or <code>rm ~/.agent-yes/.share-room</code> to force a rotation). The
+        signaling server got one small additive change (it pins a protocol version) but still never
+        sees a key.
+      </p>
+
+      <h2>Honest limitations</h2>
+      <p>
+        End-to-end encryption protects the <em>channel</em>, not the <em>capability</em>: anyone you
+        hand the full link to gets control, so treat it like an SSH key. The server can still deny
+        service and observe metadata (which rooms exist, connection timing, IPs via ICE). The
+        channel binding uses DTLS fingerprints from the SDP rather than a true RFC 5705 keying
+        exporter (a limitation of the host's WebRTC stack today), and the secret still sits in your
+        browser's local storage until it ages out. Forward secrecy / rekeying, and the separate
+        codehost transport, are future work.
+      </p>
+
+      <footer>
+        Curious how it's built? The whole thing is about 200 lines:
+        <code>lab/ui/e2e.js</code> (the shared crypto), <code>ts/share.ts</code> (host), and the
+        console client in <code>lab/ui/index.html</code>. ·
+        <a href="https://agent-yes.com/">← back to the console</a>
+      </footer>
+    </main>
+  </body>
+</html>

package/lab/ui/e2e.d.ts

@@ -0,0 +1,47 @@
+// Types for the shared WebCrypto e2e module (lab/ui/e2e.js), so the host
+// (ts/share.ts, lab/ui/share-host.ts) can import it under TypeScript.
+
+export const V: number;
+export const PROTO: string;
+export const MARKER: string;
+export const MAX_CHUNK: number;
+export const CONFIRM_TIMEOUT_MS: number;
+export const ALLOW_LEGACY_PLAINTEXT: boolean;
+export const FLAG_CONFIRM: number;
+
+export interface SendState {
+  sendCtr: bigint;
+}
+export interface RecvState {
+  lastSeen: bigint;
+}
+export interface OpenResult {
+  counter: bigint;
+  flags: number;
+  plaintext: Uint8Array;
+}
+
+export function validateS(s: string): string;
+export function deriveAuthToken(s: string, room: string, sighost: string): Promise<string>;
+export function deriveDirKeys(
+  s: string,
+  transcriptHash: Uint8Array,
+): Promise<{ keyH2C: CryptoKey; keyC2H: CryptoKey }>;
+export function computeTranscriptHash(offerSdp: string, answerSdp: string): Promise<Uint8Array>;
+export function seal(
+  key: CryptoKey,
+  sendState: SendState,
+  flags: number,
+  transcriptHash: Uint8Array,
+  plaintext: Uint8Array,
+): Promise<ArrayBuffer>;
+export function open(
+  key: CryptoKey,
+  frame: ArrayBuffer | Uint8Array,
+  transcriptHash: Uint8Array,
+  recvState: RecvState,
+): Promise<OpenResult>;
+export function packEnvelope(obj: unknown): Uint8Array;
+export function unpackEnvelope(bytes: Uint8Array): any;
+export function parseSecret(token: string): { s: string; v2: boolean };
+export function randomHex(n: number): string;

package/lab/ui/e2e.js

@@ -0,0 +1,245 @@
+// agent-yes end-to-end encryption for the WebRTC share DataChannel (protocol
+// "ay-e2e-1", URL marker "e1.").
+//
+// ONE implementation, shared by both ends so they can never diverge:
+//   - the browser console (lab/ui/index.html) imports it over HTTP as ./e2e.js
+//   - the host (ts/share.ts, lab/ui/share-host.ts) bundles it via a relative
+//     import — Bun ships WebCrypto, so the same code runs on both ends
+//   - the test suite (tests/e2e-crypto.test.ts) imports it under Node's WebCrypto
+//
+// Threat model: a fully compromised signaling Durable Object (lab/ui/cf/worker.ts)
+// — or an active MITM on the WebRTC media path — may DoS and observe metadata, but
+// MUST NOT read terminal I/O, inject input, spawn agents, or recover the secret S
+// or any AES key. The signaling server only ever sees `authToken = HKDF(S,…)`,
+// which is one-way; the AES keys never leave the endpoints.
+//
+// See agent-yes.com/blog/e2ee-share-links for the design writeup.
+
+export const V = 1;
+export const PROTO = `ay-e2e-${V}`; // "ay-e2e-1"
+export const MARKER = `e${V}.`; // "e1."
+const INFO_AUTH = `ay/${PROTO}/auth`;
+const INFO_H2C = `ay/${PROTO}/key/host->client`;
+const INFO_C2H = `ay/${PROTO}/key/client->host`;
+export const MAX_CHUNK = 12_000; // bytes of plaintext per sealed frame, << SCTP max
+export const CONFIRM_TIMEOUT_MS = 5_000; // bidirectional key-confirmation deadline
+export const ALLOW_LEGACY_PLAINTEXT = false; // NEVER silently downgrade to plaintext
+
+const VER = 0x01; // frame version byte
+export const FLAG_CONFIRM = 0x01; // FLAGS bit: key-confirmation frame
+const HEADER_LEN = 14; // VER(1) + FLAGS(1) + NONCE(12)
+const NONCE_LEN = 12;
+const TAG_LEN = 16; // AES-GCM tag, appended to ciphertext (WebCrypto convention)
+const COUNTER_MAX = (1n << 64n) - 1n;
+
+// Startup self-check: the single version source must be internally consistent, so
+// a future bump can't leave the marker, info strings, and PROTO disagreeing.
+if (PROTO !== `ay-e2e-${V}` || MARKER !== `e${V}.` || !INFO_AUTH.startsWith(`ay/${PROTO}/`)) {
+  throw new Error("e2e: version constants disagree");
+}
+
+const subtle = globalThis.crypto.subtle;
+const enc = new TextEncoder();
+const dec = new TextDecoder();
+const HEX64 = /^[0-9a-f]{64}$/;
+
+// ---- small byte helpers ----------------------------------------------------
+function concatBytes(...arrs) {
+  let len = 0;
+  for (const a of arrs) len += a.length;
+  const out = new Uint8Array(len);
+  let o = 0;
+  for (const a of arrs) {
+    out.set(a, o);
+    o += a.length;
+  }
+  return out;
+}
+function hexToBytes(hex) {
+  const out = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.substr(i * 2, 2), 16);
+  return out;
+}
+function bytesToHex(b) {
+  let s = "";
+  for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+  return s;
+}
+async function sha256(bytes) {
+  return new Uint8Array(await subtle.digest("SHA-256", bytes));
+}
+async function hkdf32(ikm, salt, info) {
+  const base = await subtle.importKey("raw", ikm, "HKDF", false, ["deriveBits"]);
+  const bits = await subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt, info: enc.encode(info) },
+    base,
+    256,
+  );
+  return new Uint8Array(bits);
+}
+
+// ---- secret validation + key derivation -----------------------------------
+
+// Reject anything that isn't a full-entropy 64-hex secret BEFORE it reaches HKDF.
+// Fail-closed, and the error never echoes the input (no token in logs).
+export function validateS(s) {
+  if (typeof s !== "string" || !HEX64.test(s)) throw new Error("invalid share token");
+  return s;
+}
+function ikmFromS(s) {
+  return hexToBytes(validateS(s)); // IKM is the 32 raw bytes, never the 64 ASCII chars
+}
+
+// The ONLY value the signaling server sees. Salted with the room+sighost context
+// (one-way) so it can't be used to link the same S across rooms, and so a hacked
+// server learns nothing about S or the AES keys.
+export async function deriveAuthToken(s, room, sighost) {
+  const salt = await sha256(enc.encode(`${room}\n${sighost}`));
+  return bytesToHex(await hkdf32(ikmFromS(s), salt, INFO_AUTH));
+}
+
+async function importAesKey(raw) {
+  return subtle.importKey("raw", raw, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+}
+
+// The two directional AES-256-GCM keys, derived AFTER the DTLS handshake so the
+// per-connection transcriptHash is the HKDF salt: every session/peer therefore
+// gets fresh keys, which is what makes a counter that restarts at 0 always safe
+// (no cross-session (key,nonce) reuse). Directional keys also mean the two senders
+// never share a nonce space. HOST encrypts keyH2C / decrypts keyC2H; CLIENT the
+// mirror. These keys never leave the machine.
+export async function deriveDirKeys(s, transcriptHash) {
+  const ikm = ikmFromS(s);
+  const h2c = await hkdf32(ikm, transcriptHash, INFO_H2C);
+  const c2h = await hkdf32(ikm, transcriptHash, INFO_C2H);
+  return { keyH2C: await importAesKey(h2c), keyC2H: await importAesKey(c2h) };
+}
+
+// ---- transcript hash (channel binding) ------------------------------------
+
+function allFingerprints(sdp) {
+  const out = [];
+  const re = /^a=fingerprint:(.*)$/gim;
+  let m;
+  while ((m = re.exec(sdp))) out.push(m[1].trim().toLowerCase());
+  return out;
+}
+function firstAttr(sdp, name) {
+  const m = new RegExp(`^a=${name}:(.*)$`, "im").exec(sdp);
+  return m ? m[1].trim().toLowerCase() : "";
+}
+
+// Bind the session to the negotiated DTLS handshake by hashing both peers'
+// fingerprints (session- and media-level), DTLS setup role, and ICE ufrag. Used
+// as BOTH the HKDF salt for the directional keys AND the AEAD AAD on every frame,
+// so a relay that can't reproduce the exact transcript can neither derive the keys
+// nor forge a frame. Host passes offer=local/answer=remote; client passes
+// offer=remote/answer=local — both compute the identical string. Fail-closed if a
+// side has no fingerprint or offers a non-sha-256 (downgrade) fingerprint.
+export async function computeTranscriptHash(offerSdp, answerSdp) {
+  const offerFps = allFingerprints(offerSdp).sort();
+  const answerFps = allFingerprints(answerSdp).sort();
+  if (!offerFps.length || !answerFps.length) throw new Error("e2e: missing DTLS fingerprint");
+  for (const fp of offerFps.concat(answerFps)) {
+    if (!fp.startsWith("sha-256")) throw new Error("e2e: non-sha-256 DTLS fingerprint");
+  }
+  const input =
+    `${PROTO}\n` +
+    `offer=${offerFps.join(",")};setup=${firstAttr(offerSdp, "setup")};ufrag=${firstAttr(offerSdp, "ice-ufrag")}\n` +
+    `answer=${answerFps.join(",")};setup=${firstAttr(answerSdp, "setup")};ufrag=${firstAttr(answerSdp, "ice-ufrag")}`;
+  return await sha256(enc.encode(input));
+}
+
+// ---- AEAD frame seal / open -----------------------------------------------
+// Wire frame: VER(1) | FLAGS(1) | NONCE(12) | CIPHERTEXT | TAG(16)
+//   NONCE = [4-byte BE epoch = 0] | [8-byte BE monotonic per-direction counter]
+//   AAD   = header(14) | transcriptHash(32)   (on every frame)
+
+function nonceFromCounter(ctr) {
+  const n = new Uint8Array(NONCE_LEN); // bytes 0..3 epoch stay 0 in v2
+  new DataView(n.buffer).setBigUint64(4, ctr, false);
+  return n;
+}
+
+// sendState: { sendCtr: bigint }. The counter is captured-and-incremented
+// synchronously BEFORE the await, so concurrent seals can never reuse a nonce.
+export async function seal(key, sendState, flags, transcriptHash, plaintext) {
+  const ctr = sendState.sendCtr;
+  if (ctr >= COUNTER_MAX) throw new Error("e2e: nonce counter overflow");
+  sendState.sendCtr = ctr + 1n;
+  const nonce = nonceFromCounter(ctr);
+  const header = new Uint8Array(HEADER_LEN);
+  header[0] = VER;
+  header[1] = flags & 0xff;
+  header.set(nonce, 2);
+  const aad = concatBytes(header, transcriptHash);
+  const sealed = new Uint8Array(
+    await subtle.encrypt(
+      { name: "AES-GCM", iv: nonce, additionalData: aad, tagLength: 128 },
+      key,
+      plaintext,
+    ),
+  );
+  return concatBytes(header, sealed).buffer; // ArrayBuffer, ready for dc.send
+}
+
+// recvState: { lastSeen: bigint } (init -1n). Throws (fail-closed) on bad
+// version/epoch, auth/AAD failure, or replay/reorder (counter <= lastSeen). The
+// caller MUST close the channel on any throw — never fall through to JSON.parse.
+export async function open(key, frame, transcriptHash, recvState) {
+  const buf = frame instanceof Uint8Array ? frame : new Uint8Array(frame);
+  if (buf.length < HEADER_LEN + TAG_LEN) throw new Error("e2e: short frame");
+  if (buf[0] !== VER) throw new Error("e2e: bad version");
+  const header = buf.subarray(0, HEADER_LEN);
+  const nonce = buf.subarray(2, HEADER_LEN);
+  const ndv = new DataView(nonce.buffer, nonce.byteOffset, NONCE_LEN);
+  if (ndv.getUint32(0, false) !== 0) throw new Error("e2e: bad epoch");
+  const ctr = ndv.getBigUint64(4, false);
+  const sealed = buf.subarray(HEADER_LEN);
+  const aad = concatBytes(header, transcriptHash);
+  const ptBuf = await subtle.decrypt(
+    { name: "AES-GCM", iv: nonce, additionalData: aad, tagLength: 128 },
+    key,
+    sealed,
+  ); // throws on auth/AAD failure
+  // The first accepted frame of a session MUST be counter-0 (the confirmation
+  // frame). Anything else means a skipped/forged opening frame — fail closed,
+  // so a counter can't jump ahead and strand the real opening frames as "replay".
+  if (recvState.lastSeen === -1n && ctr !== 0n)
+    throw new Error("e2e: first frame must be counter-0");
+  if (ctr <= recvState.lastSeen) throw new Error("e2e: replay/reorder");
+  recvState.lastSeen = ctr;
+  return { counter: ctr, flags: header[1], plaintext: new Uint8Array(ptBuf) };
+}
+
+// ---- envelope (the {t:…} JSON), sealed as UTF-8 bytes ---------------------
+export function packEnvelope(obj) {
+  return enc.encode(JSON.stringify(obj));
+}
+export function unpackEnvelope(bytes) {
+  return JSON.parse(dec.decode(bytes));
+}
+
+// ---- URL secret marker grammar (strict, fail-closed) ----------------------
+// Parses the secret slot of a share link. Returns { s, v2 }:
+//   "e1.<64hex>"  -> { s, v2:true }                 (v2 encrypted link)
+//   "<64hex>" / other custom token -> { s, v2:false } (legacy; gated by caller)
+// A token that LOOKS like a version marker but isn't exactly "e1.<64hex>" is
+// rejected outright — it must never silently fall back to a legacy/plaintext path.
+export function parseSecret(token) {
+  const mk = /^e(\d+)\.(.*)$/.exec(token);
+  if (mk) {
+    if (mk[1] !== String(V)) throw new Error("update required");
+    if (!HEX64.test(mk[2])) throw new Error("malformed encrypted link");
+    return { s: mk[2], v2: true };
+  }
+  if (/^e\d/i.test(token)) throw new Error("malformed encrypted link");
+  return { s: token, v2: false };
+}
+
+// Random hex string of n bytes — confirmation challenge nonces, request ids.
+export function randomHex(n) {
+  const b = new Uint8Array(n);
+  globalThis.crypto.getRandomValues(b);
+  return bytesToHex(b);
+}