botschat 0.1.4 → 0.1.7

package/README.md

@@ -1,12 +1,12 @@
 # BotsChat
 
 [![npm](https://img.shields.io/npm/v/botschat)](https://www.npmjs.com/package/botschat)
-[![npm](https://img.shields.io/npm/v/@botschat/openclaw-plugin)](https://www.npmjs.com/package/@botschat/openclaw-plugin)
+[![npm](https://img.shields.io/npm/v/@botschat/botschat)](https://www.npmjs.com/package/@botschat/botschat)
 [![License](https://img.shields.io/badge/license-Apache--2.0-blue)](LICENSE)
 
-A self-hosted chat interface for [OpenClaw](https://github.com/openclaw/openclaw) AI agents.
+A self-hosted, **end-to-end encrypted** chat interface for [OpenClaw](https://github.com/openclaw/openclaw) AI agents.
 
-BotsChat gives you a modern, Slack-like web UI to interact with your OpenClaw agents — organize conversations into **Channels**, schedule **Background Tasks**, and monitor **Job** executions. Everything runs on your own infrastructure; your API keys and data never leave your machine.
+BotsChat gives you a modern, Slack-like web UI to interact with your OpenClaw agents — organize conversations into **Channels**, schedule **Background Tasks**, and monitor **Job** executions. With **E2E encryption**, your chat messages, cron prompts, and job summaries are encrypted on your device before they ever leave — the server only sees ciphertext it cannot decrypt. Your API keys and data never leave your machine.
 
 ## Key Features
 
@@ -34,6 +34,15 @@ Schedule **cron-style background tasks** that run your agents on autopilot. Each
 
 ![Background Task — Schedule, prompt, and execution history](docs/cron.png)
 
+### End-to-End Encryption
+
+BotsChat supports **optional E2E encryption** so the server never sees your content in plaintext:
+
+- **What's encrypted**: Chat messages, cron task prompts, and job execution summaries — all encrypted with AES-256-CTR before leaving your browser or plugin.
+- **Zero-knowledge server**: The BotsChat cloud/server stores only ciphertext and cannot decrypt your data. No keys, no salts stored server-side.
+- **How it works**: You set an E2E password in both the web UI and the OpenClaw plugin. Both sides derive the same encryption key using `PBKDF2(password, userId)`. Messages are encrypted/decrypted locally — the server just relays and stores opaque bytes.
+- **Zero overhead**: AES-CTR produces ciphertext the same size as plaintext — no bloat, no padding.
+
 ### Built-in Debug Log
 
 A collapsible **Debug Log** panel at the bottom of the UI gives you real-time visibility into what's happening under the hood — WebSocket events, cron task loading, agent scan results, and more. Filter by log level (ALL, WS, WST, API, INF, WRN, ERR) to quickly diagnose issues without leaving the chat interface.
@@ -46,7 +55,9 @@ A collapsible **Debug Log** panel at the bottom of the UI gives you real-time vi
 
 ![BotsChat Architecture](docs/architecture.png)
 
-OpenClaw runs your agents locally (with your API keys, data, and configs). The BotsChat plugin establishes an **outbound WebSocket** to the BotsChat server — no port forwarding, no tunnels. Your API keys and data never leave your machine; only chat messages travel through the relay.
+OpenClaw runs your agents locally (with your API keys, data, and configs). The BotsChat plugin establishes an **outbound WebSocket** to the BotsChat server — no port forwarding, no tunnels. Your API keys and data never leave your machine.
+
+When **E2E encryption** is enabled, messages are encrypted on the sender's device (browser or plugin) before transmission. The BotsChat server (ConnectionDO) only relays and stores opaque ciphertext — it has no access to keys and cannot read your content. Encryption keys are derived locally from your password and never sent over the network.
 
 You can run BotsChat locally on the same machine, or deploy it to Cloudflare for remote access (e.g. from your phone).
 
@@ -71,36 +82,42 @@ BotsChat introduces a few UI-level concepts that map to OpenClaw primitives:
 
 ### Prerequisites
 
-- [Node.js](https://nodejs.org/) 22+
-- [Wrangler CLI](https://developers.cloudflare.com/workers/wrangler/install-and-update/)
 - An [OpenClaw](https://github.com/openclaw/openclaw) instance
+- For self-hosting (Option B or C): [Node.js](https://nodejs.org/) 22+, [Wrangler CLI](https://developers.cloudflare.com/workers/wrangler/install-and-update/)
 
-### Step 1: Clone and Install
+### Choose Your Deployment
 
-```bash
-git clone https://github.com/botschat-app/botsChat.git
-cd botsChat
-npm install
-```
+BotsChat is **100% open source** — the [same code](https://github.com/botschat-app/botsChat) runs whether you use our hosted console, run it locally, or deploy to your own Cloudflare. The only difference is *where* the server runs; your API keys and data always stay on your machine.
+
+| Mode | Best for | Clone repo? |
+|------|----------|-------------|
+| **A. Hosted Console** | Zero setup, start in minutes | No |
+| **B. Run Locally** | Development, no cloud account | Yes |
+| **C. Deploy to Cloudflare** | Remote access (e.g. from phone) | Yes |
 
-### Step 2: Deploy BotsChat Server
+Pick one below and follow its steps, then continue to [Install the OpenClaw Plugin](#install-the-openclaw-plugin).
+
+---
 
-Choose one of the three options below:
+#### Option A: Hosted Console (Recommended)
 
-#### Option A: Use Hosted Console (Recommended)
+We run the same open-source stack at **[console.botschat.app](https://console.botschat.app)**. No clone, no deploy: open the link → sign up → create a pairing token → connect OpenClaw.
 
-The easiest way to get started — no deployment needed. We run a hosted BotsChat instance at **[console.botschat.app](https://console.botschat.app)**. Just sign up, generate a pairing token, and connect your OpenClaw instance directly.
+Your API keys and data still stay on your machine; the hosted console only relays chat messages via WebSocket. Enable **E2E encryption** for complete privacy — the hosted console cannot decrypt your content.
 
-Your API keys and data still stay on your machine — the hosted console only relays chat messages via WebSocket, exactly the same as a self-hosted deployment.
+→ Then go to [Install the OpenClaw Plugin](#install-the-openclaw-plugin).
 
-> Skip to [Step 3](#step-3-install-the-openclaw-plugin) after signing up.
+---
 
 #### Option B: Run Locally
 
-Wrangler uses [Miniflare](https://miniflare.dev) under the hood, so D1, R2, and Durable Objects all run locally — **no Cloudflare account needed**.
+Clone, install, and run the server on your machine. Wrangler uses [Miniflare](https://miniflare.dev), so D1, R2, and Durable Objects all run locally — **no Cloudflare account needed**.
 
 ```bash
-# One-command startup: build web → migrate D1 → start server on 0.0.0.0:8787
+git clone https://github.com/botschat-app/botsChat.git
+cd botsChat
+npm install
+# One-command startup: build web → migrate D1 → start on 0.0.0.0:8787
 ./scripts/dev.sh
 ```
 
@@ -124,11 +141,19 @@ Other dev commands:
 ./scripts/dev.sh logs      # Tail remote gateway logs
 ```
 
+→ Then go to [Install the OpenClaw Plugin](#install-the-openclaw-plugin).
+
+---
+
 #### Option C: Deploy to Cloudflare
 
-For remote access (e.g. chatting with your agents from your phone), deploy to Cloudflare Workers. The free tier is more than enough for personal use.
+For remote access (e.g. chatting from your phone), deploy the same code to Cloudflare Workers. The free tier is enough for personal use.
 
 ```bash
+git clone https://github.com/botschat-app/botsChat.git
+cd botsChat
+npm install
+
 # Create Cloudflare resources
 wrangler d1 create botschat-db          # Copy the database_id into wrangler.toml
 wrangler r2 bucket create botschat-media
@@ -147,14 +172,18 @@ wrangler secret put JWT_SECRET          # Set a production JWT secret
 | D1               | Database (users, channels, tasks)      | 5M reads/day, 100K writes/day   |
 | R2               | Media storage                          | 10GB, no egress fees             |
 
-### Step 3: Install the OpenClaw Plugin
+→ Then go to [Install the OpenClaw Plugin](#install-the-openclaw-plugin).
+
+---
+
+### Install the OpenClaw Plugin
 
 After the BotsChat server is running, connect your OpenClaw instance to it.
 
 **1. Install the plugin**
 
 ```bash
-openclaw plugins install @botschat/openclaw-plugin
+openclaw plugins install @botschat/botschat
 ```
 
 **2. Create a pairing token**
@@ -172,6 +201,14 @@ openclaw config set channels.botschat.pairingToken <YOUR_PAIRING_TOKEN>
 openclaw config set channels.botschat.enabled true
 ```
 
+**3b. (Optional) Enable E2E encryption**
+
+Set the same password you'll use in the BotsChat web UI:
+
+```bash
+openclaw config set channels.botschat.e2ePassword "your-secret-e2e-password"
+```
+
 This writes the following to your `~/.openclaw/openclaw.json`:
 
 ```json
@@ -180,7 +217,8 @@ This writes the following to your `~/.openclaw/openclaw.json`:
     "botschat": {
       "enabled": true,
       "cloudUrl": "http://localhost:8787",
-      "pairingToken": "bc_pat_xxxxxxxxxxxxxxxx"
+      "pairingToken": "bc_pat_xxxxxxxxxxxxxxxx",
+      "e2ePassword": "your-secret-e2e-password"
     }
   }
 }
@@ -207,6 +245,7 @@ Open the BotsChat web UI in your browser, sign in, and start chatting with your
 2. This WebSocket stays connected (with automatic reconnection if it drops).
 3. When you type a message in the web UI, it travels: **Browser → ConnectionDO → WebSocket → OpenClaw → Agent → response back through the same path**.
 4. Your API keys, agent configs, and data never leave your machine — only chat messages travel through the relay.
+5. With **E2E encryption** enabled, messages are encrypted **before** step 3 and decrypted **after** — the ConnectionDO and database only ever see ciphertext.
 
 ## Plugin Reference
 
@@ -219,6 +258,7 @@ All config lives under `channels.botschat` in your `openclaw.json`:
 | `enabled`       | boolean | no       | Enable/disable the channel (default: true)           |
 | `cloudUrl`      | string  | yes      | BotsChat server URL (e.g. `http://localhost:8787`)   |
 | `pairingToken`  | string  | yes      | Your pairing token from the BotsChat dashboard       |
+| `e2ePassword`   | string  | no       | E2E encryption password (must match the web UI)      |
 | `name`          | string  | no       | Display name for this connection                     |
 
 ### Message Protocol

package/migrations/0011_e2e_encryption.sql

@@ -0,0 +1,35 @@
+-- E2E Encryption: rebuild messages and jobs tables with BLOB columns + encrypted flag.
+-- WARNING: This migration drops all existing data in messages and jobs tables.
+
+DROP TABLE IF EXISTS messages;
+CREATE TABLE messages (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  session_key TEXT NOT NULL,
+  thread_id TEXT,
+  sender TEXT NOT NULL CHECK (sender IN ('user', 'agent')),
+  text BLOB,
+  media_url TEXT,
+  a2ui BLOB,
+  encrypted INTEGER NOT NULL DEFAULT 0,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+CREATE INDEX IF NOT EXISTS idx_messages_session ON messages(session_key, created_at);
+CREATE INDEX IF NOT EXISTS idx_messages_thread ON messages(thread_id, created_at);
+
+DROP TABLE IF EXISTS jobs;
+CREATE TABLE jobs (
+  id TEXT PRIMARY KEY,
+  task_id TEXT NOT NULL,
+  user_id TEXT NOT NULL,
+  session_key TEXT NOT NULL,
+  status TEXT NOT NULL CHECK (status IN ('running', 'ok', 'error', 'skipped')),
+  started_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  finished_at INTEGER,
+  duration_ms INTEGER,
+  summary BLOB,
+  encrypted INTEGER NOT NULL DEFAULT 0,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+CREATE INDEX IF NOT EXISTS idx_jobs_task ON jobs(task_id, started_at DESC);
+CREATE INDEX IF NOT EXISTS idx_jobs_session ON jobs(session_key);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botschat",
-  "version": "0.1.4",
+  "version": "0.1.7",
   "description": "A self-hosted chat interface for OpenClaw AI agents",
   "workspaces": [
     "packages/*"
@@ -15,7 +15,9 @@
     "db:migrate": "wrangler d1 migrations apply botschat-db --local",
     "db:migrate:remote": "wrangler d1 migrations apply botschat-db --remote",
     "typecheck": "tsc --noEmit",
-    "build:plugin": "npm run build -w packages/plugin"
+    "build:plugin": "npm run build -w packages/plugin",
+    "test:e2e": "npx tsx scripts/verify-e2e.ts && npx tsx packages/e2e-crypto/e2e-crypto.test.ts",
+    "test:e2e-db": "npx tsx scripts/verify-e2e-db.ts"
   },
   "files": [
     "packages/api/src/",
@@ -49,5 +51,8 @@
   "devDependencies": {
     "typescript": "^5.7.0",
     "wrangler": "^3.100.0"
+  },
+  "dependencies": {
+    "react-resizable-panels": "^4.6.2"
   }
 }

package/packages/api/package.json

@@ -8,7 +8,8 @@
     "deploy": "wrangler deploy --config ../../wrangler.toml"
   },
   "dependencies": {
-    "hono": "^4.6.0"
+    "hono": "^4.6.0",
+    "jose": "^6.1.3"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20250109.0",

package/packages/api/src/do/connection-do.ts

@@ -1,4 +1,6 @@
 import type { Env } from "../env.js";
+import { verifyToken, getJwtSecret } from "../utils/auth.js";
+import { generateId as generateIdUtil } from "../utils/id.js";
 
 /**
  * ConnectionDO — one Durable Object instance per BotsChat user.
@@ -177,7 +179,10 @@ export class ConnectionDO implements DurableObject {
 
       if (isValid) {
         ws.serializeAttachment({ ...attachment, authenticated: true });
-        ws.send(JSON.stringify({ type: "auth.ok" }));
+        // Include userId so the plugin can derive the E2E key
+        const userId = await this.state.storage.get<string>("userId");
+        console.log(`[DO] auth.ok → userId=${userId}`);
+        ws.send(JSON.stringify({ type: "auth.ok", userId }));
         // Store gateway default model from plugin auth
         if (msg.model) {
           this.defaultModel = msg.model as string;
@@ -226,12 +231,14 @@ export class ConnectionDO implements DurableObject {
       }
 
       await this.persistMessage({
+        id: msg.messageId as string | undefined,
         sender: "agent",
         sessionKey: msg.sessionKey as string,
         threadId: (msg.threadId ?? msg.replyToId) as string | undefined,
         text: (msg.text ?? msg.caption ?? "") as string,
         mediaUrl: persistedMediaUrl,
         a2ui: msg.jsonl as string | undefined,
+        encrypted: msg.encrypted ? 1 : 0,
       });
     }
 
@@ -268,6 +275,15 @@ export class ConnectionDO implements DurableObject {
       );
     }
 
+    // Plugin applied BotsChat default model to OpenClaw config — update and broadcast
+    if (msg.type === "defaultModel.updated" && typeof msg.model === "string") {
+      this.defaultModel = msg.model;
+      await this.state.storage.put("defaultModel", this.defaultModel);
+      this.broadcastToBrowsers(
+        JSON.stringify({ type: "connection.status", openclawConnected: true, defaultModel: this.defaultModel, models: this.cachedModels }),
+      );
+    }
+
     // Handle job updates from plugin — persist and forward to browsers
     if (msg.type === "job.update") {
       await this.handleJobUpdate(msg);
@@ -283,12 +299,35 @@ export class ConnectionDO implements DurableObject {
   ): Promise<void> {
     const attachment = ws.deserializeAttachment() as { authenticated: boolean; tag: string } | null;
 
-    // Handle browser auth (session cookie/token validation)
+    // Handle browser auth — verify JWT token
     if (msg.type === "auth") {
-      // For now, accept browser connections. In production, validate
-      // the session token against D1.
+      const token = msg.token as string | undefined;
+      if (!token) {
+        ws.send(JSON.stringify({ type: "auth.fail", reason: "Missing token" }));
+        ws.close(4001, "Missing auth token");
+        return;
+      }
+
+      const secret = getJwtSecret(this.env);
+      const payload = await verifyToken(token, secret);
+      if (!payload) {
+        ws.send(JSON.stringify({ type: "auth.fail", reason: "Invalid or expired token" }));
+        ws.close(4001, "Authentication failed");
+        return;
+      }
+
+      // Verify the token's userId matches this DO's userId
+      const doUserId = await this.state.storage.get<string>("userId");
+      if (doUserId && payload.sub !== doUserId) {
+        ws.send(JSON.stringify({ type: "auth.fail", reason: "User mismatch" }));
+        ws.close(4001, "User mismatch");
+        return;
+      }
+
       ws.serializeAttachment({ ...attachment, authenticated: true });
-      ws.send(JSON.stringify({ type: "auth.ok" }));
+      // Include userId so the browser can derive the E2E key
+      const doUserId2 = doUserId ?? payload.sub;
+      ws.send(JSON.stringify({ type: "auth.ok", userId: doUserId2 }));
 
       // Send current OpenClaw connection status + cached models
       await this.ensureCachedModels();
@@ -323,6 +362,7 @@ export class ConnectionDO implements DurableObject {
         sessionKey: msg.sessionKey as string,
         text: (msg.text ?? "") as string,
         mediaUrl: msg.mediaUrl as string | undefined,
+        encrypted: msg.encrypted ? 1 : 0,
       });
     }
 
@@ -377,6 +417,8 @@ export class ConnectionDO implements DurableObject {
         instructions: (t.instructions as string) ?? "",
         model: (t.model as string) ?? "",
         enabled: t.enabled as boolean,
+        encrypted: (t.encrypted as boolean) ?? false,
+        iv: (t.iv as string) ?? undefined,
       }));
       return Response.json({ tasks: result });
     } catch (err) {
@@ -472,6 +514,37 @@ export class ConnectionDO implements DurableObject {
 
   // ---- Media caching ----
 
+  // ---- SSRF protection ----
+
+  /** Check if a URL is safe to fetch (not pointing to private/internal networks). */
+  private isUrlSafeToFetch(urlStr: string): boolean {
+    try {
+      const parsed = new URL(urlStr);
+      // Only allow https (block http, ftp, file, etc.)
+      if (parsed.protocol !== "https:") return false;
+
+      const hostname = parsed.hostname;
+      // Block private/reserved IP ranges and localhost
+      if (
+        hostname === "localhost" ||
+        hostname === "127.0.0.1" ||
+        hostname === "[::1]" ||
+        hostname.endsWith(".local") ||
+        /^10\./.test(hostname) ||
+        /^172\.(1[6-9]|2\d|3[01])\./.test(hostname) ||
+        /^192\.168\./.test(hostname) ||
+        /^169\.254\./.test(hostname) || // link-local
+        /^0\./.test(hostname) ||
+        hostname === "[::ffff:127.0.0.1]"
+      ) {
+        return false;
+      }
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
   /**
    * Download an external image and cache it in R2. Returns the local
    * API URL (e.g. /api/media/...) or null if caching fails.
@@ -483,17 +556,28 @@ export class ConnectionDO implements DurableObject {
     // Also skip URLs that point back to our own media endpoint (absolute form)
     if (/\/api\/media\//.test(url)) return null;
 
+    // SSRF protection: only allow HTTPS URLs to public hosts
+    if (!this.isUrlSafeToFetch(url)) {
+      console.warn(`[DO] cacheExternalMedia: blocked unsafe URL ${url.slice(0, 120)}`);
+      return null;
+    }
+
     console.log(`[DO] cacheExternalMedia: attempting to cache ${url.slice(0, 120)}`);
 
+    const MAX_MEDIA_SIZE = 20 * 1024 * 1024; // 20 MB max
+
     try {
       const userId = (await this.state.storage.get<string>("userId")) ?? "unknown";
 
       // Download the external image — use arrayBuffer to avoid stream issues
       const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), 30_000);
+      const timeoutId = setTimeout(() => controller.abort(), 15_000); // 15s timeout
       let response: Response;
       try {
-        response = await fetch(url, { signal: controller.signal });
+        response = await fetch(url, {
+          signal: controller.signal,
+          redirect: "follow",   // follow redirects, but URL was already validated
+        });
       } finally {
         clearTimeout(timeoutId);
       }
@@ -506,8 +590,21 @@ export class ConnectionDO implements DurableObject {
       const contentType = response.headers.get("Content-Type") ?? "image/png";
       // Validate that the response is actually an image
       if (!contentType.startsWith("image/")) {
-        console.warn(`[DO] cacheExternalMedia: unexpected Content-Type "${contentType}" for ${url.slice(0, 120)}`);
-        // Still try to cache it — some servers return wrong content types
+        console.warn(`[DO] cacheExternalMedia: non-image Content-Type "${contentType}", skipping ${url.slice(0, 120)}`);
+        return null;
+      }
+
+      // Reject SVG (can contain scripts — XSS vector)
+      if (contentType.includes("svg")) {
+        console.warn(`[DO] cacheExternalMedia: blocked SVG content from ${url.slice(0, 120)}`);
+        return null;
+      }
+
+      // Check Content-Length header early if available
+      const contentLength = parseInt(response.headers.get("Content-Length") ?? "0", 10);
+      if (contentLength > MAX_MEDIA_SIZE) {
+        console.warn(`[DO] cacheExternalMedia: Content-Length ${contentLength} exceeds limit for ${url.slice(0, 120)}`);
+        return null;
       }
 
       // Read the body as ArrayBuffer for maximum compatibility with R2
@@ -516,14 +613,17 @@ export class ConnectionDO implements DurableObject {
         console.warn(`[DO] cacheExternalMedia: empty body for ${url.slice(0, 120)}`);
         return null;
       }
+      if (body.byteLength > MAX_MEDIA_SIZE) {
+        console.warn(`[DO] cacheExternalMedia: body size ${body.byteLength} exceeds limit for ${url.slice(0, 120)}`);
+        return null;
+      }
 
-      // Determine extension from Content-Type
+      // Determine extension from Content-Type (no SVG)
       const extMap: Record<string, string> = {
         "image/png": "png",
         "image/jpeg": "jpg",
         "image/gif": "gif",
         "image/webp": "webp",
-        "image/svg+xml": "svg",
       };
       const ext = extMap[contentType] ?? "png";
       const key = `media/${userId}/${Date.now()}-${crypto.randomUUID().slice(0, 8)}.${ext}`;
@@ -552,10 +652,12 @@ export class ConnectionDO implements DurableObject {
     text: string;
     mediaUrl?: string;
     a2ui?: string;
+    encrypted?: number;
   }): Promise<void> {
     try {
       const userId = (await this.state.storage.get<string>("userId")) ?? "unknown";
       const id = opts.id ?? crypto.randomUUID();
+      const encrypted = opts.encrypted ?? 0;
 
       // Extract threadId from sessionKey pattern: ....:thread:{threadId}
       let threadId = opts.threadId;
@@ -565,10 +667,10 @@ export class ConnectionDO implements DurableObject {
       }
 
       await this.env.DB.prepare(
-        `INSERT INTO messages (id, user_id, session_key, thread_id, sender, text, media_url, a2ui)
-         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+        `INSERT INTO messages (id, user_id, session_key, thread_id, sender, text, media_url, a2ui, encrypted)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       )
-        .bind(id, userId, opts.sessionKey, threadId ?? null, opts.sender, opts.text, opts.mediaUrl ?? null, opts.a2ui ?? null)
+        .bind(id, userId, opts.sessionKey, threadId ?? null, opts.sender, opts.text, opts.mediaUrl ?? null, opts.a2ui ?? null, encrypted)
         .run();
     } catch (err) {
       console.error("Failed to persist message:", err);
@@ -590,7 +692,7 @@ export class ConnectionDO implements DurableObject {
       if (threadId) {
         // Load thread messages
         result = await this.env.DB.prepare(
-          `SELECT id, session_key, thread_id, sender, text, media_url, a2ui, created_at
+          `SELECT id, session_key, thread_id, sender, text, media_url, a2ui, encrypted, created_at
            FROM messages
            WHERE session_key = ? AND thread_id = ?
            ORDER BY created_at ASC
@@ -601,7 +703,7 @@ export class ConnectionDO implements DurableObject {
       } else {
         // Load main session messages (exclude thread messages from the main list)
         result = await this.env.DB.prepare(
-          `SELECT id, session_key, thread_id, sender, text, media_url, a2ui, created_at
+          `SELECT id, session_key, thread_id, sender, text, media_url, a2ui, encrypted, created_at
            FROM messages
            WHERE session_key = ? AND thread_id IS NULL
            ORDER BY created_at ASC
@@ -639,6 +741,7 @@ export class ConnectionDO implements DurableObject {
         mediaUrl: row.media_url ?? undefined,
         a2ui: row.a2ui ?? undefined,
         threadId: row.thread_id ?? undefined,
+        encrypted: row.encrypted ?? 0,
       }));
 
       return Response.json({ messages, replyCounts });
@@ -853,14 +956,9 @@ export class ConnectionDO implements DurableObject {
     return channelId;
   }
 
-  /** Generate a short random ID (URL-safe). */
+  /** Generate a short random ID (URL-safe) using CSPRNG (bias-free). */
   private generateId(prefix = ""): string {
-    const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
-    let id = prefix;
-    for (let i = 0; i < 16; i++) {
-      id += chars[Math.floor(Math.random() * chars.length)];
-    }
-    return id;
+    return generateIdUtil(prefix);
   }
 
   /**
@@ -891,9 +989,11 @@ export class ConnectionDO implements DurableObject {
         return;
       }
 
+      const encrypted = msg.encrypted ? 1 : 0;
+
       await this.env.DB.prepare(
-        `INSERT OR REPLACE INTO jobs (id, task_id, user_id, session_key, status, started_at, finished_at, duration_ms, summary)
-         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        `INSERT OR REPLACE INTO jobs (id, task_id, user_id, session_key, status, started_at, finished_at, duration_ms, summary, encrypted)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       )
         .bind(
           jobId,
@@ -905,6 +1005,7 @@ export class ConnectionDO implements DurableObject {
           finishedAt ?? null,
           durationMs ?? null,
           summary,
+          encrypted,
         )
         .run();
     } catch (err) {
@@ -913,23 +1014,42 @@ export class ConnectionDO implements DurableObject {
   }
 
   private async validatePairingToken(token: string): Promise<boolean> {
-    // Query D1 to validate the pairing token
-    // The DO receives the env via constructor, but D1 queries from DO
-    // require fetching through the API worker. For simplicity in the DO,
-    // we store validated tokens in DO storage after first validation.
-    //
-    // Check DO-local cache first:
-    const cached = await this.state.storage.get<boolean>(`token:${token}`);
-    if (cached === true) return true;
-    if (cached === false) return false;
-
-    // If not cached, we accept the token optimistically and let the
-    // API worker validate it on the next REST call. In production,
-    // the API worker should validate before routing to the DO.
+    // The API worker validates pairing tokens against D1 before routing
+    // to the DO (and passes ?verified=1). Connections that arrive here
+    // pre-verified are fast-tracked in handleOpenClawMessage.
     //
-    // For now, accept any non-empty bc_pat_ token:
-    const isValid = token.startsWith("bc_pat_") && token.length > 10;
-    await this.state.storage.put(`token:${token}`, isValid);
-    return isValid;
+    // For tokens that arrive WITHOUT pre-verification (e.g. direct DO
+    // access, which shouldn't happen in normal flow), we validate
+    // against D1 ourselves and cache the result with a TTL.
+
+    if (!token || !token.startsWith("bc_pat_") || token.length < 20) {
+      return false;
+    }
+
+    // Check DO-local cache first (with 30-second TTL — short to ensure
+    // revoked tokens are invalidated quickly)
+    const cacheKey = `token:${token}`;
+    const cached = await this.state.storage.get<{ valid: boolean; cachedAt: number }>(cacheKey);
+    if (cached) {
+      const ageMs = Date.now() - cached.cachedAt;
+      if (ageMs < 30_000) return cached.valid; // 30-second TTL
+      // Expired — fall through to re-validate
+    }
+
+    // Validate against D1
+    try {
+      const row = await this.env.DB.prepare(
+        "SELECT user_id FROM pairing_tokens WHERE token = ? AND revoked_at IS NULL",
+      )
+        .bind(token)
+        .first<{ user_id: string }>();
+
+      const isValid = !!row;
+      await this.state.storage.put(cacheKey, { valid: isValid, cachedAt: Date.now() });
+      return isValid;
+    } catch (err) {
+      console.error("[DO] Failed to validate pairing token against D1:", err);
+      return false;
+    }
   }
 }