beachviber 1.0.34

package/dist/connection-machine.js

@@ -0,0 +1,222 @@
+/**
+ * Desktop connection state machine.
+ *
+ * 8 states with validated transitions:
+ *
+ *   ┌──────────────┐  CONNECT   ┌────────────┐  WS_OPEN   ┌─────────────┐
+ *   │ disconnected │──────────▶│ connecting  │──────────▶│ registering │
+ *   └──────────────┘           └────────────┘           └─────────────┘
+ *         ▲                         │                      │          │
+ *         │ AUTH_FAILURE /          │ WS_CLOSE              │ REGISTERED│
+ *         │ FORCE_DISCONNECT       ▼                      │          ▼
+ *         │                  ┌──────────────┐             │   ┌─────────┐
+ *         │◀─────────────────│ reconnecting │◀────────────┼───│ pairing │
+ *         │                  └──────────────┘  WS_CLOSE   │   └─────────┘
+ *         │                       ▲  │                    │       │
+ *         │                       │  │ RECONNECT_TIMER    │       │ PAIRED
+ *         │                       │  └─────▶ connecting   │       ▼
+ *         │                       │                       │   ┌────────┐
+ *         │                       └───────────────────────┴───│ paired │
+ *         │                            WS_CLOSE               └────────┘
+ *         │
+ *         │  Setup mode (first-time pairing via desktops_list):
+ *         │
+ *         │  ENTER_SETUP              ┌─────────────────────┐
+ *         └──────────────────────────▶│ setup_reconnecting  │
+ *                                     └─────────────────────┘
+ *                                        │  SETUP_RECONNECT_FAILED
+ *                                        ▼
+ *                                     ┌───────────────┐
+ *                                     │ setup_pairing │──PAIRED──▶ paired
+ *                                     └───────────────┘
+ */
+/** Must match RECONNECT_BASE_MS in state.ts — duplicated to avoid circular import. */
+const DEFAULT_RECONNECT_DELAY = 1000;
+const AUTH_FAILURE_THRESHOLD = 3;
+export class ConnectionMachine {
+    state = "disconnected";
+    context = {
+        consecutiveFailures: 0,
+        reconnectDelay: DEFAULT_RECONNECT_DELAY,
+        disconnectReason: "none",
+    };
+    transition(event) {
+        const prev = this.state;
+        const next = this._nextState(prev, event);
+        if (next === undefined) {
+            throw new Error(`Invalid transition: ${event.type} from state "${prev}"`);
+        }
+        this.state = next;
+        return next;
+    }
+    /** Reset the machine to its initial state (for testing or full restart). */
+    reset() {
+        this.state = "disconnected";
+        this.context = {
+            consecutiveFailures: 0,
+            reconnectDelay: DEFAULT_RECONNECT_DELAY,
+            disconnectReason: "none",
+        };
+    }
+    // ------------------------------------------------------------------
+    // Backward-compatible computed getters
+    // ------------------------------------------------------------------
+    get connectionPhase() {
+        switch (this.state) {
+            case "disconnected":
+            case "connecting":
+            case "registering":
+                return "registering";
+            case "pairing":
+            case "setup_reconnecting":
+            case "setup_pairing":
+                return "pairing";
+            case "paired":
+                return "paired";
+            case "reconnecting":
+                // Reconnecting implies we were previously paired or registered.
+                // Map to "paired" so incoming messages for paired state still pass
+                // the phase gate during the brief reconnect window.
+                return "paired";
+        }
+    }
+    get inSetupMode() {
+        return this.state === "setup_reconnecting" || this.state === "setup_pairing";
+    }
+    get disconnectedByRemote() {
+        return this.context.disconnectReason === "remote";
+    }
+    // ------------------------------------------------------------------
+    // Transition logic
+    // ------------------------------------------------------------------
+    _nextState(current, event) {
+        switch (current) {
+            case "disconnected":
+                return this._fromDisconnected(event);
+            case "connecting":
+                return this._fromConnecting(event);
+            case "registering":
+                return this._fromRegistering(event);
+            case "pairing":
+                return this._fromPairing(event);
+            case "paired":
+                return this._fromPaired(event);
+            case "reconnecting":
+                return this._fromReconnecting(event);
+            case "setup_reconnecting":
+                return this._fromSetupReconnecting(event);
+            case "setup_pairing":
+                return this._fromSetupPairing(event);
+        }
+    }
+    _fromDisconnected(event) {
+        switch (event.type) {
+            case "CONNECT":
+                this.context.disconnectReason = "none";
+                return "connecting";
+            case "ENTER_SETUP":
+                this.context.disconnectReason = "none";
+                return event.hasSavedState ? "setup_reconnecting" : "setup_pairing";
+        }
+    }
+    _fromConnecting(event) {
+        switch (event.type) {
+            case "WS_OPEN":
+                this.context.consecutiveFailures = 0;
+                this.context.reconnectDelay = DEFAULT_RECONNECT_DELAY;
+                return "registering";
+            case "WS_CLOSE":
+                if (event.networkError) {
+                    return "reconnecting";
+                }
+                // Non-network close before open = possible auth failure
+                this.context.consecutiveFailures++;
+                if (this.context.consecutiveFailures >= AUTH_FAILURE_THRESHOLD) {
+                    this.context.disconnectReason = "auth";
+                    this.context.consecutiveFailures = 0;
+                    return "disconnected";
+                }
+                return "reconnecting";
+        }
+    }
+    _fromRegistering(event) {
+        switch (event.type) {
+            case "REGISTERED":
+                return event.hasSharedSecret ? "paired" : "pairing";
+            case "WS_CLOSE":
+                return "reconnecting";
+            case "FORCE_DISCONNECT":
+                this.context.disconnectReason = "remote";
+                return "disconnected";
+        }
+    }
+    _fromPairing(event) {
+        switch (event.type) {
+            case "PAIRED":
+                return "paired";
+            case "FORCE_DISCONNECT":
+                this.context.disconnectReason = "remote";
+                return "disconnected";
+            case "WS_CLOSE":
+                this.context.disconnectReason = "network";
+                return "disconnected";
+        }
+    }
+    _fromPaired(event) {
+        switch (event.type) {
+            case "WS_CLOSE":
+                return "reconnecting";
+            case "FORCE_DISCONNECT":
+                this.context.disconnectReason = "remote";
+                return "disconnected";
+        }
+    }
+    _fromReconnecting(event) {
+        switch (event.type) {
+            case "RECONNECT_TIMER":
+                return "connecting";
+            case "FORCE_DISCONNECT":
+                this.context.disconnectReason = "remote";
+                return "disconnected";
+        }
+    }
+    _fromSetupReconnecting(event) {
+        switch (event.type) {
+            case "PAIRED":
+                return "paired";
+            case "SETUP_RECONNECT_FAILED":
+                return "setup_pairing";
+            // Allow connect/ws events during setup reconnect loop
+            case "CONNECT":
+                return "setup_reconnecting";
+            case "WS_OPEN":
+                return "setup_reconnecting";
+            case "WS_CLOSE":
+                return "setup_reconnecting";
+            case "REGISTERED":
+                return event.hasSharedSecret ? "paired" : "setup_pairing";
+        }
+    }
+    _fromSetupPairing(event) {
+        switch (event.type) {
+            case "PAIRED":
+                return "paired";
+            case "FORCE_DISCONNECT":
+                this.context.disconnectReason = "remote";
+                return "disconnected";
+            // Allow connect/ws events during setup pairing flow
+            case "CONNECT":
+                return "setup_pairing";
+            case "WS_OPEN":
+                return "setup_pairing";
+            case "WS_CLOSE":
+                return "setup_pairing";
+            // Stay in setup_pairing until explicit PAIRED event fires after verification.
+            // handleRegistered() still runs (sends projects/sessions to webapp), but
+            // the machine must not jump to "paired" — that would break the close handler
+            // and skip the verification step.
+            case "REGISTERED":
+                return "setup_pairing";
+        }
+    }
+}

package/dist/connection.js

@@ -0,0 +1,198 @@
+import WebSocket from "ws";
+import chalk from "chalk";
+import { hostname, platform } from "os";
+import { execFileSync } from "child_process";
+import { state, VERSION, RELAY_URL, RECONNECT_MAX_MS, HEARTBEAT_INTERVAL_MS, } from "./state.js";
+import { handleMessage, computeReconnectDelay } from "./message-handler.js";
+import { encrypt, toBase64, exportPublicKeyRaw, ENCRYPTED_TYPES } from "./crypto.js";
+import { getDefaultSessionManager } from "./sessions.js";
+export function send(msg) {
+    if (state.ws && state.ws.readyState === WebSocket.OPEN) {
+        let outgoing = msg;
+        // Encrypt payload for encryptable message types
+        if (state.sharedSecret && ENCRYPTED_TYPES.has(msg.type) && msg.payload) {
+            const { payload, ...envelope } = msg;
+            outgoing = {
+                ...envelope,
+                encrypted: encrypt(payload, state.sharedSecret),
+            };
+        }
+        else if (!state.sharedSecret && ENCRYPTED_TYPES.has(msg.type) && msg.payload) {
+            console.warn(chalk.yellow(`  Dropped ${msg.type}: no encryption key available`));
+            return false;
+        }
+        const json = JSON.stringify({ ...outgoing, version: VERSION });
+        state.ws.send(json);
+        return true;
+    }
+    else {
+        console.error(chalk.red(`  Message dropped (not connected): ${msg.type}`));
+        return false;
+    }
+}
+/** Wait for the current WebSocket to reach OPEN state (or timeout). */
+export function waitForWsOpen(timeoutMs = 10_000) {
+    return new Promise((resolve) => {
+        if (state.ws && state.ws.readyState === WebSocket.OPEN) {
+            resolve(true);
+            return;
+        }
+        const check = setInterval(() => {
+            if (state.ws && state.ws.readyState === WebSocket.OPEN) {
+                clearInterval(check);
+                clearTimeout(timer);
+                resolve(true);
+            }
+        }, 100);
+        const timer = setTimeout(() => {
+            clearInterval(check);
+            resolve(false);
+        }, timeoutMs);
+    });
+}
+/** Wait for the relay to acknowledge registration (or timeout). */
+export function waitForRegistered(timeoutMs = 10_000) {
+    return new Promise((resolve) => {
+        const timer = setTimeout(() => {
+            state.registeredResolve = null;
+            resolve(false);
+        }, timeoutMs);
+        state.registeredResolve = () => {
+            clearTimeout(timer);
+            resolve(true);
+        };
+    });
+}
+const STALE_THRESHOLD_MS = HEARTBEAT_INTERVAL_MS * 2.5;
+function startHeartbeat() {
+    stopHeartbeat();
+    state.lastMessageAt = Date.now();
+    state.heartbeatTimer = setInterval(() => {
+        // Detect stale connection — relay hasn't sent anything in 2.5 heartbeat cycles
+        if (state.lastMessageAt && Date.now() - state.lastMessageAt > STALE_THRESHOLD_MS) {
+            console.log(chalk.yellow("  Relay unresponsive — forcing reconnect"));
+            state.ws?.close();
+            return;
+        }
+        send({
+            type: "heartbeat",
+            sessionId: null,
+            timestamp: Date.now(),
+            payload: {
+                activeSessions: getDefaultSessionManager().getActiveSessions(),
+            },
+        });
+    }, HEARTBEAT_INTERVAL_MS);
+}
+function stopHeartbeat() {
+    if (state.heartbeatTimer) {
+        clearInterval(state.heartbeatTimer);
+        state.heartbeatTimer = null;
+    }
+}
+export function connect() {
+    // Transition machine to connecting only if starting from disconnected.
+    // Other callers (scheduleReconnect, setup mode) manage their own transitions.
+    if (state.machine.state === "disconnected") {
+        state.machine.transition({ type: "CONNECT" });
+    }
+    // Send token via both query param (for API Gateway WebSocket authorizer)
+    // and Authorization header (for future relay support)
+    let url = RELAY_URL;
+    const wsHeaders = {};
+    if (state.deviceToken) {
+        url += `?token=${encodeURIComponent(state.deviceToken)}`;
+        wsHeaders["Authorization"] = `Bearer ${state.deviceToken}`;
+    }
+    state.ws = new WebSocket(url, { headers: wsHeaders });
+    let networkError = false;
+    state.ws.on("open", () => {
+        state.machine.transition({ type: "WS_OPEN" });
+        // Register with relay — ONLY send register here.
+        // All other messages must wait until the relay confirms registration,
+        // because the relay processes messages concurrently and the default
+        // handler will reject messages if register hasn't completed yet.
+        let computerName = hostname();
+        if (platform() === "darwin") {
+            try {
+                computerName = execFileSync("scutil", ["--get", "ComputerName"], { encoding: "utf-8" }).trim();
+            }
+            catch { }
+        }
+        send({
+            type: "register",
+            payload: {
+                role: "desktop",
+                deviceId: state.deviceId,
+                projectName: computerName,
+                projects: state.projects.map((p) => ({ name: p.name })),
+                publicKey: toBase64(exportPublicKeyRaw(state.ownKeyPair.publicKey)),
+            },
+        });
+        startHeartbeat();
+    });
+    state.ws.on("message", async (data) => {
+        state.lastMessageAt = Date.now();
+        const result = await handleMessage(data.toString(), send, state.projects, getDefaultSessionManager());
+        if (result.projects.length > 0) {
+            state.projects = result.projects;
+        }
+        // If force_disconnect or NOT_REGISTERED was received, close the socket
+        if (state.disconnectedByRemote && state.ws?.readyState === WebSocket.OPEN) {
+            state.ws.close();
+        }
+    });
+    state.ws.on("close", () => {
+        stopHeartbeat();
+        // If setup mode is active, silently reconnect without entering the
+        // standard reconnect loop.  The pairing flow (runSetupMode) manages
+        // its own state — we just need the WS to stay alive.
+        if (state.inSetupMode) {
+            setTimeout(() => connect(), 1000);
+            return;
+        }
+        // If the machine already transitioned to disconnected (e.g. FORCE_DISCONNECT
+        // fired by the message handler before the WS closed), enter setup mode.
+        if (state.machine.state === "disconnected") {
+            state.enterSetupMode?.();
+            return;
+        }
+        const newState = state.machine.transition({
+            type: "WS_CLOSE",
+            networkError,
+        });
+        if (newState === "disconnected") {
+            // Auth failure threshold reached
+            if (state.machine.context.disconnectReason === "auth") {
+                console.log(chalk.yellow("  Authentication failed — device token may be invalid."));
+                console.log(chalk.dim("  Re-entering setup mode..."));
+                console.log();
+            }
+            state.enterSetupMode?.();
+        }
+        else if (newState === "reconnecting") {
+            console.log(chalk.yellow("  Disconnected from relay"));
+            scheduleReconnect();
+        }
+    });
+    state.ws.on("error", (err) => {
+        // Flag network-level errors (DNS, TCP) so the close handler
+        // doesn't count them as auth failures
+        const msg = err.message || "";
+        if (msg.includes("ENOTFOUND") || msg.includes("ETIMEDOUT") ||
+            msg.includes("ENETUNREACH") || msg.includes("ECONNREFUSED") ||
+            msg.includes("EAI_AGAIN")) {
+            networkError = true;
+        }
+        console.error(chalk.red(`  Connection error: ${err.message}`));
+    });
+}
+function scheduleReconnect() {
+    const delay = state.reconnectDelay;
+    console.log(chalk.dim(`  Reconnecting in ${delay / 1000}s...`));
+    setTimeout(() => {
+        state.machine.context.reconnectDelay = computeReconnectDelay(state.machine.context.reconnectDelay, RECONNECT_MAX_MS);
+        state.machine.transition({ type: "RECONNECT_TIMER" });
+        connect();
+    }, delay);
+}

package/dist/crypto.js

@@ -0,0 +1,101 @@
+import crypto from "crypto";
+import { loadConfig, saveConfig, getProfileSuffix } from "./config.js";
+import { storeSecret, loadSecret } from "./secret-store.js";
+import { createLogger } from "./logger.js";
+const log = createLogger("crypto");
+export function generateKeyPair() {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync("x25519");
+    return { publicKey, secretKey: privateKey };
+}
+export function exportPublicKeyRaw(key) {
+    const jwk = key.export({ format: "jwk" });
+    return Buffer.from(jwk.x, "base64url");
+}
+export function importPublicKeyRaw(raw) {
+    const x = raw.toString("base64url");
+    return crypto.createPublicKey({
+        format: "jwk",
+        key: { kty: "OKP", crv: "X25519", x },
+    });
+}
+export function computeSharedSecret(theirPublicKey, mySecretKey) {
+    return crypto.diffieHellman({ publicKey: theirPublicKey, privateKey: mySecretKey });
+}
+export function encrypt(payload, sharedSecret) {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv("aes-256-gcm", sharedSecret, iv);
+    const message = Buffer.from(JSON.stringify(payload));
+    const encrypted = Buffer.concat([cipher.update(message), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const ciphertextWithTag = Buffer.concat([encrypted, authTag]);
+    return {
+        nonce: iv.toString("base64"),
+        ciphertext: ciphertextWithTag.toString("base64"),
+    };
+}
+export function decrypt(encrypted, sharedSecret) {
+    const iv = Buffer.from(encrypted.nonce, "base64");
+    const ciphertextWithTag = Buffer.from(encrypted.ciphertext, "base64");
+    const ciphertext = ciphertextWithTag.subarray(0, ciphertextWithTag.length - 16);
+    const authTag = ciphertextWithTag.subarray(ciphertextWithTag.length - 16);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", sharedSecret, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return JSON.parse(decrypted.toString("utf-8"));
+}
+export function toBase64(bytes) {
+    return Buffer.from(bytes).toString("base64");
+}
+export function fromBase64(str) {
+    return Buffer.from(str, "base64");
+}
+function keychainAccount() {
+    return `default${getProfileSuffix()}`;
+}
+export function loadKeys() {
+    const config = loadConfig();
+    if (!config || !config.publicKey)
+        return null;
+    const secretKey = loadSecret(keychainAccount());
+    if (!secretKey)
+        return null;
+    return {
+        publicKey: config.publicKey,
+        secretKey,
+        peerPublicKey: config.peerPublicKey,
+    };
+}
+export function saveKeys(keys) {
+    const existing = loadConfig();
+    if (!storeSecret(keychainAccount(), keys.secretKey)) {
+        log.warn("OS secret store unavailable — secret key will not be persisted");
+    }
+    saveConfig({
+        ...existing,
+        deviceId: existing?.deviceId || "",
+        deviceToken: existing?.deviceToken,
+        publicKey: keys.publicKey,
+        peerPublicKey: keys.peerPublicKey,
+    });
+}
+/** Set of message types that should be encrypted when a shared secret exists */
+export const ENCRYPTED_TYPES = new Set([
+    "verify_code",
+    "verify_code_ack",
+    "prompt",
+    "stream_start",
+    "stream_delta",
+    "stream_end",
+    "session_create",
+    "session_created",
+    "session_end",
+    "projects_request",
+    "projects_response",
+    "tool_approval_request",
+    "tool_approval_response",
+    "sessions_request",
+    "sessions_response",
+    "session_history_request",
+    "session_history_response",
+    "error",
+]);

package/dist/hook-installer.js

@@ -0,0 +1,60 @@
+import fs from "fs";
+import path from "path";
+import { homedir } from "os";
+import { fileURLToPath } from "url";
+import { createLogger } from "./logger.js";
+const log = createLogger("hook");
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+export function getHookScriptPath() {
+    return path.join(__dirname, "approval-hook.mjs");
+}
+export function installHook() {
+    const settingsPath = path.join(homedir(), ".claude", "settings.json");
+    const claudeDir = path.join(homedir(), ".claude");
+    // Ensure ~/.claude exists
+    fs.mkdirSync(claudeDir, { recursive: true });
+    let settings = {};
+    try {
+        settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+    }
+    catch { }
+    const hookCommand = `node "${getHookScriptPath()}"`;
+    settings.hooks ??= {};
+    settings.hooks.PreToolUse ??= [];
+    // Check if already installed — update path if it changed (e.g., source vs global install)
+    const existingIdx = settings.hooks.PreToolUse.findIndex((entry) => entry.hooks?.some((h) => h.command?.includes("approval-hook")));
+    if (existingIdx !== -1) {
+        const existing = settings.hooks.PreToolUse[existingIdx];
+        const existingCmd = existing.hooks?.find((h) => h.command?.includes("approval-hook"))?.command;
+        if (existingCmd === hookCommand) {
+            log.info("BeachViber approval hook already installed");
+            return;
+        }
+        // Path changed — update the hook command
+        log.info(`Updating hook path: ${existingCmd} -> ${hookCommand}`);
+        settings.hooks.PreToolUse[existingIdx] = {
+            matcher: "",
+            hooks: [{ type: "command", command: hookCommand, timeout: 310 }],
+        };
+    }
+    else {
+        settings.hooks.PreToolUse.push({
+            matcher: "",
+            hooks: [{ type: "command", command: hookCommand, timeout: 310 }],
+        });
+    }
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), { mode: 0o600 });
+    log.info(`Installed PreToolUse hook in ${settingsPath}`);
+}
+export function uninstallHook() {
+    const settingsPath = path.join(homedir(), ".claude", "settings.json");
+    try {
+        const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+        if (!settings.hooks?.PreToolUse)
+            return;
+        settings.hooks.PreToolUse = settings.hooks.PreToolUse.filter((entry) => !entry.hooks?.some((h) => h.command?.includes("approval-hook")));
+        fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), { mode: 0o600 });
+        log.info("Removed BeachViber approval hook");
+    }
+    catch { }
+}