botschat 0.1.4 → 0.1.7

package/packages/web/src/ws.ts

@@ -1,6 +1,7 @@
 /** WebSocket client for connecting to the BotsChat ConnectionDO. */
 
 import { dlog } from "./debug-log";
+import { E2eService } from "./e2e";
 
 export type WSMessage = {
   type: string;
@@ -31,6 +32,8 @@ export class BotsChatWSClient {
   connect(): void {
     this.intentionalClose = false;
     const protocol = window.location.protocol === "https:" ? "wss:" : "ws:";
+    // Token is NOT included in the URL to avoid leaking it in logs/history.
+    // Authentication is handled via the "auth" message after connection.
     const url = `${protocol}//${window.location.host}/api/ws/${this.opts.userId}/${this.opts.sessionId}`;
 
     dlog.info("WS", `Connecting to ${url}`);
@@ -42,19 +45,75 @@ export class BotsChatWSClient {
       this.ws!.send(JSON.stringify({ type: "auth", token: this.opts.token }));
     };
 
-    this.ws.onmessage = (evt) => {
+    this.ws.onmessage = async (evt) => {
       try {
         const msg = JSON.parse(evt.data) as WSMessage;
+        
+        // Handle E2E Decryption
+        if (msg.encrypted && E2eService.hasKey()) {
+           try {
+             if (msg.type === "agent.text" || msg.type === "agent.media") {
+                // Decrypt text/caption
+                const text = msg.text as string | undefined;
+                const caption = msg.caption as string | undefined;
+                const messageId = msg.messageId as string;
+                
+                if (text && messageId) {
+                    msg.text = await E2eService.decrypt(text, messageId);
+                    msg.encrypted = false;
+                }
+                if (caption && messageId) {
+                    msg.caption = await E2eService.decrypt(caption, messageId);
+                     msg.encrypted = false;
+                }
+             } else if (msg.type === "job.update") {
+                const summary = msg.summary as string;
+                 // Job ID is contextId
+                const jobId = msg.jobId as string;
+                if (summary && jobId) {
+                    msg.summary = await E2eService.decrypt(summary, jobId);
+                    msg.encrypted = false;
+                }
+             }
+           } catch (err) {
+               dlog.warn("E2E", "Decryption failed", err);
+               msg.decryptionError = true;
+           }
+        }
+        
+        // Handle Task Scan Results (array items)
+        if (msg.type === "task.scan.result" && Array.isArray(msg.tasks) && E2eService.hasKey()) {
+            for (const t of msg.tasks) {
+                if (t.encrypted && t.iv) {
+                    try {
+                        if (t.schedule) t.schedule = await E2eService.decrypt(t.schedule, t.iv);
+                        if (t.instructions) t.instructions = await E2eService.decrypt(t.instructions, t.iv);
+                        t.encrypted = false;
+                    } catch (err) {
+                         dlog.warn("E2E", `Task decryption failed for ${t.cronJobId}`, err);
+                         t.decryptionError = true;
+                    }
+                }
+            }
+        }
+
         if (msg.type === "auth.ok") {
           dlog.info("WS", "Auth OK — connected");
+          
+          // Try to load E2E password
+          const userId = msg.userId as string;
+          if (userId) {
+              await E2eService.loadSavedPassword(userId);
+          }
+          
           this.backoffMs = 1000;
           this._connected = true;
           this.opts.onStatusChange(true);
         } else {
           this.opts.onMessage(msg);
         }
-      } catch {
-        dlog.warn("WS", "Failed to parse incoming message", evt.data);
+      } catch (err) {
+        dlog.warn("WS", "Failed to process incoming message", err);
       }
     };
 
@@ -77,8 +136,23 @@ export class BotsChatWSClient {
     };
   }
 
-  send(msg: WSMessage): void {
+  async send(msg: WSMessage): Promise<void> {
     if (this.ws?.readyState === WebSocket.OPEN) {
+      // E2E Encryption for user messages
+      if (msg.type === "user.message" && E2eService.hasKey() && typeof msg.text === "string") {
+          try {
+              const { ciphertext, messageId } = await E2eService.encrypt(msg.text);
+              msg.text = ciphertext;
+              msg.messageId = messageId;
+              msg.encrypted = true;
+          } catch (err) {
+              dlog.error("E2E", "Encryption failed", err);
+              // Fail? or send as plaintext?
+              // Security first: if key exists but encrypt fails, abort.
+              return; 
+          }
+      }
+      
       this.ws.send(JSON.stringify(msg));
     } else {
       dlog.warn("WS", `Cannot send — socket not open (readyState=${this.ws?.readyState})`, msg);

package/scripts/dev.sh

@@ -54,41 +54,41 @@ do_build_web() {
 do_start() {
   kill_port 8787
   info "Starting wrangler dev on 0.0.0.0:8787…"
-  exec npx wrangler dev --config wrangler.toml --ip 0.0.0.0
+  exec npx wrangler dev --config wrangler.toml --ip 0.0.0.0 --var ENVIRONMENT:development
 }
 
 do_sync_plugin() {
-  local REMOTE="YinTong@mini.local"
+  local REMOTE_USER="mini.local"
   local REMOTE_DIR="~/Projects/botsChat/packages/plugin"
 
-  info "Syncing plugin to $REMOTE…"
+  info "Syncing plugin to mini.local…"
   rsync -avz --exclude node_modules --exclude .git --exclude dist --exclude .wrangler \
-    packages/plugin/ "$REMOTE:$REMOTE_DIR/"
+    packages/plugin/ "$REMOTE_USER:$REMOTE_DIR/"
   ok "Plugin files synced"
 
-  info "Building plugin + restarting gateway on mini.local…"
-  ssh "$REMOTE" "$(cat <<'REMOTE_SCRIPT'
-export PATH="/opt/homebrew/bin:$PATH"
+  info "Building plugin, deploying to extensions, restarting gateway on mini.local…"
+  ssh "$REMOTE_USER" 'export PATH="/opt/homebrew/bin:$PATH"
 cd ~/Projects/botsChat/packages/plugin
 npm run build
-echo "--- Plugin build OK ---"
+EXT_DIR=~/.openclaw/extensions/botschat
+rsync -av --delete dist/ "$EXT_DIR/dist/"
+rsync -av bin/ "$EXT_DIR/bin/" 2>/dev/null || true
+cp -f package.json openclaw.plugin.json "$EXT_DIR/" 2>/dev/null || true
+echo "--- Deployed to $EXT_DIR ---"
 pkill -9 -f openclaw-gateway 2>/dev/null || true
 sleep 3
-nohup openclaw gateway run --bind loopback --port 18789 --force \
-  > /tmp/openclaw-gateway.log 2>&1 &
-echo "Gateway restarted (PID=$!)"
-REMOTE_SCRIPT
-)"
-  ok "Plugin synced and gateway restarted"
+nohup openclaw gateway run --bind loopback --port 18789 --force > /tmp/openclaw-gateway.log 2>&1 &
+echo "Gateway restarted (PID=$!)"'
+  ok "Plugin synced, deployed to extensions, gateway restarted"
 
   sleep 4
   info "Checking connection…"
-  ssh "$REMOTE" 'tail -5 /tmp/openclaw-gateway.log | grep -i "authenticated\|error\|Task scan"'
+  ssh "$REMOTE_USER" 'tail -5 /tmp/openclaw-gateway.log | grep -i "authenticated\|error\|Task scan"'
 }
 
 do_logs() {
   info "Tailing gateway logs on mini.local…"
-  ssh YinTong@mini.local 'tail -f /tmp/openclaw-gateway.log'
+  ssh mini.local 'tail -f /tmp/openclaw-gateway.log'
 }
 
 # ── Main ─────────────────────────────────────────────────────────────

package/scripts/test-e2e-live.ts

@@ -0,0 +1,194 @@
+/**
+ * Live E2E encryption integration test.
+ *
+ * Tests:
+ *   1. Web sends encrypted user.message via WS → plugin decrypts → agent responds → encrypted agent.text → Web decrypts
+ *   2. D1 stores ciphertext (encrypted=1), not plaintext
+ *
+ * Prerequisites:
+ *   - wrangler dev running on localhost:8787 (ENVIRONMENT=development)
+ *   - mini.local gateway running with e2ePassword set
+ *   - Test user tong@mini.local exists
+ *
+ * Usage: npx tsx scripts/test-e2e-live.ts
+ */
+
+import WebSocket from "ws";
+import { deriveKey, encryptText, decryptText, toBase64, fromBase64 } from "../packages/e2e-crypto/e2e-crypto.js";
+import { execSync } from "node:child_process";
+import assert from "node:assert";
+
+const API_BASE = "http://localhost:8787";
+const E2E_PASSWORD = "e2e-test-2026";
+const TEST_EMAIL = "tong@mini.local";
+const TEST_PASS = "botschat123";
+const SECRET_TEXT = `E2E_TEST_SECRET_${Date.now()}`;
+
+async function login(): Promise<{ token: string; userId: string }> {
+  const res = await fetch(`${API_BASE}/api/auth/login`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ email: TEST_EMAIL, password: TEST_PASS }),
+  });
+  if (!res.ok) throw new Error(`Login failed: ${res.status}`);
+  const data = await res.json() as { token: string; id: string };
+  return { token: data.token, userId: data.id };
+}
+
+async function getFirstSessionKey(token: string): Promise<{ channelId: string; sessionKey: string }> {
+  const res = await fetch(`${API_BASE}/api/channels`, {
+    headers: { Authorization: `Bearer ${token}` },
+  });
+  let { channels } = await res.json() as { channels: Array<{ id: string }> };
+  if (!channels.length) {
+    // Create a channel
+    const cr = await fetch(`${API_BASE}/api/channels`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
+      body: JSON.stringify({ name: "E2E Test", description: "E2E encryption test channel" }),
+    });
+    const ch = await cr.json() as { id: string };
+    channels = [ch];
+  }
+  const channelId = channels[0].id;
+
+  const res2 = await fetch(`${API_BASE}/api/channels/${channelId}/sessions`, {
+    headers: { Authorization: `Bearer ${token}` },
+  });
+  let { sessions } = await res2.json() as { sessions: Array<{ sessionKey: string }> };
+  if (!sessions.length) {
+    // Create a session
+    const sr = await fetch(`${API_BASE}/api/channels/${channelId}/sessions`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
+      body: JSON.stringify({ name: "E2E Test Session" }),
+    });
+    const s = await sr.json() as { sessionKey: string };
+    sessions = [s];
+  }
+  return { channelId, sessionKey: sessions[0].sessionKey };
+}
+
+function connectWS(userId: string, token: string): Promise<WebSocket> {
+  return new Promise((resolve, reject) => {
+    const ws = new WebSocket(`ws://localhost:8787/api/ws/${userId}/live-test`);
+    ws.on("open", () => {
+      ws.send(JSON.stringify({ type: "auth", token }));
+    });
+    ws.on("message", (data) => {
+      const msg = JSON.parse(data.toString());
+      if (msg.type === "auth.ok") resolve(ws);
+      if (msg.type === "auth.fail") reject(new Error("WS auth failed"));
+    });
+    ws.on("error", reject);
+    setTimeout(() => reject(new Error("WS connect timeout")), 10000);
+  });
+}
+
+function waitForAgentReply(ws: WebSocket, timeoutMs = 60000): Promise<Record<string, unknown>> {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => reject(new Error("Agent reply timeout")), timeoutMs);
+    const handler = (data: WebSocket.Data) => {
+      const msg = JSON.parse(data.toString()) as Record<string, unknown>;
+      if (msg.type === "agent.text") {
+        clearTimeout(timer);
+        ws.off("message", handler);
+        resolve(msg);
+      }
+    };
+    ws.on("message", handler);
+  });
+}
+
+function d1Query(sql: string): string {
+  return execSync(
+    `npx wrangler d1 execute botschat-db --local --command "${sql.replace(/"/g, '\\"')}"`,
+    { encoding: "utf8", cwd: process.cwd() },
+  );
+}
+
+async function run() {
+  console.log("=== E2E Live Integration Test ===\n");
+
+  // Step 1: Login
+  console.log("1. Logging in...");
+  const { token, userId } = await login();
+  console.log(`   userId: ${userId}`);
+
+  // Step 2: Derive E2E key (same as plugin)
+  console.log("2. Deriving E2E key...");
+  const key = await deriveKey(E2E_PASSWORD, userId);
+  console.log(`   Key derived (${key.length} bytes)`);
+
+  // Step 3: Get session
+  console.log("3. Getting session key...");
+  const { sessionKey } = await getFirstSessionKey(token);
+  console.log(`   sessionKey: ${sessionKey}`);
+
+  // Step 4: Connect WS
+  console.log("4. Connecting WebSocket...");
+  const ws = connectWS(userId, token);
+  const wsConn = await ws;
+  console.log("   Connected and authenticated");
+
+  // Step 5: Send encrypted message
+  console.log(`5. Sending encrypted message: "${SECRET_TEXT}"`);
+  const messageId = `e2e-test-${Date.now()}`;
+  const ciphertext = await encryptText(key, SECRET_TEXT, messageId);
+  const ciphertextB64 = toBase64(ciphertext);
+
+  wsConn.send(JSON.stringify({
+    type: "user.message",
+    sessionKey,
+    text: ciphertextB64,
+    messageId,
+    encrypted: true,
+  }));
+  console.log(`   Sent (ciphertext length=${ciphertextB64.length}, messageId=${messageId})`);
+
+  // Step 6: Wait for agent reply
+  console.log("6. Waiting for agent reply (may take up to 60s)...");
+  const agentMsg = await waitForAgentReply(wsConn);
+  console.log(`   Got agent.text reply (encrypted=${agentMsg.encrypted})`);
+
+  if (agentMsg.encrypted && agentMsg.messageId) {
+    const agentCiphertext = fromBase64(agentMsg.text as string);
+    const agentPlain = await decryptText(key, agentCiphertext, agentMsg.messageId as string);
+    console.log(`   ✅ Decrypted agent reply: "${agentPlain.slice(0, 100)}..."`);
+  } else {
+    console.log(`   ⚠️  Agent reply was NOT encrypted (encrypted=${agentMsg.encrypted})`);
+    console.log(`   Text: "${(agentMsg.text as string || "").slice(0, 100)}..."`);
+  }
+
+  // Step 7: Check D1 for encrypted storage
+  console.log("7. Checking D1 for encrypted messages...");
+  // Allow a small delay for persistence
+  await new Promise((r) => setTimeout(r, 2000));
+
+  const result = d1Query(`SELECT id, text, encrypted FROM messages WHERE user_id = '${userId}' ORDER BY created_at DESC LIMIT 5`);
+  console.log("   D1 query result:");
+  console.log(result);
+
+  // Verify: the secret text should NOT appear as plaintext in D1
+  if (result.includes(SECRET_TEXT)) {
+    console.error("   ❌ FAIL: Plaintext found in D1! E2E storage is broken.");
+    process.exit(1);
+  } else {
+    console.log("   ✅ Plaintext NOT found in D1 — ciphertext stored correctly");
+  }
+
+  // Check that at least one message has encrypted=1
+  if (result.includes("encrypted: 1") || result.includes('"encrypted":1') || result.includes("encrypted\n1") || result.includes("| 1")) {
+    console.log("   ✅ Found encrypted=1 rows in D1");
+  } else {
+    console.log("   ⚠️  Could not confirm encrypted=1 in output (check manually)");
+  }
+
+  wsConn.close();
+  console.log("\n🎉 E2E Live Integration Test Complete!");
+}
+
+run().catch((err) => {
+  console.error("❌ Test failed:", err);
+  process.exit(1);
+});

package/scripts/verify-e2e-db.ts

@@ -0,0 +1,48 @@
+/**
+ * Verify E2E DB schema: messages and jobs have BLOB columns and encrypted flag.
+ * Requires: npm run db:migrate (local D1) first.
+ * Run: npx tsx scripts/verify-e2e-db.ts
+ *
+ * For full DB content test (encrypted=1, content is BLOB not plaintext),
+ * run dev server, send an E2E-encrypted message via WS/API, then query D1.
+ */
+
+import { execSync } from "node:child_process";
+
+function wranglerD1Sql(sql: string): string {
+  return execSync(
+    `npx wrangler d1 execute botschat-db --local --command "${sql.replace(/"/g, '\\"')}"`,
+    { encoding: "utf8" }
+  );
+}
+
+async function run() {
+  console.log("E2E DB schema verification (local D1)...\n");
+
+  // Check messages table: must have encrypted column and BLOB-capable columns
+  const msgSchema = wranglerD1Sql("PRAGMA table_info(messages);");
+  if (!msgSchema.includes("encrypted")) {
+    throw new Error("messages table missing 'encrypted' column. Run: npm run db:migrate");
+  }
+  if (!msgSchema.includes("text") || !msgSchema.includes("a2ui")) {
+    throw new Error("messages table missing text/a2ui columns");
+  }
+  console.log("  ✅ messages table has encrypted column");
+
+  // Check jobs table
+  const jobsSchema = wranglerD1Sql("PRAGMA table_info(jobs);");
+  if (!jobsSchema.includes("encrypted")) {
+    throw new Error("jobs table missing 'encrypted' column. Run: npm run db:migrate");
+  }
+  if (!jobsSchema.includes("summary")) {
+    throw new Error("jobs table missing summary column");
+  }
+  console.log("  ✅ jobs table has encrypted column");
+
+  console.log("\n🎉 E2E DB schema OK. For content verification, send an E2E message then inspect D1.");
+}
+
+run().catch((err) => {
+  console.error("❌", err.message);
+  process.exit(1);
+});

package/scripts/verify-e2e.ts

@@ -0,0 +1,56 @@
+import { deriveKey, encryptText, decryptText, toBase64, fromBase64 } from "../packages/e2e-crypto/e2e-crypto";
+import assert from "assert";
+
+async function run() {
+  console.log("Starting E2E Encryption Verification...");
+  
+  const password = "my-secret-password";
+  const userId = "user-123";
+  
+  // 1. Key Derivation (Simulate Plugin & Web)
+  console.log("Testing Key Derivation...");
+  const key1 = await deriveKey(password, userId);
+  const key2 = await deriveKey(password, userId);
+  
+  // Check keys byte-equal
+  assert.strictEqual(toBase64(new Uint8Array(key1)), toBase64(new Uint8Array(key2)), "Keys should be deterministic");
+  console.log("✅ Key Derivation Successful (consistent)");
+
+  // 2. Encrypt (Simulate Agent -> User)
+  console.log("Testing Encryption (Agent -> User)...");
+  const plaintext = "Hello Secret World";
+  const messageId = "msg-123-uuid"; // Context ID
+  
+  const encryptedBytes = await encryptText(key1, plaintext, messageId);
+  const ciphertextBase64 = toBase64(encryptedBytes);
+  console.log("Ciphertext (Base64):", ciphertextBase64);
+  
+  assert.notEqual(ciphertextBase64, plaintext, "Ciphertext should not match plaintext");
+  console.log("✅ Encryption Successful");
+
+  // 3. Decrypt (Simulate User -> Agent)
+  console.log("Testing Decryption (User -> Agent)...");
+  const decryptedText = await decryptText(key2, fromBase64(ciphertextBase64), messageId);
+  console.log("Decrypted:", decryptedText);
+  assert.strictEqual(decryptedText, plaintext, "Decrypted text MUST match original");
+  console.log("✅ Decryption Successful");
+
+  // 4. Test Task Encryption (Random IV flow)
+  console.log("Testing Task Encryption (Random IV)...");
+  const ivStr = "random-uuid-iv";
+  const schedule = "0 * * * *";
+  const encScheduleBytes = await encryptText(key1, schedule, ivStr);
+  const encScheduleBase64 = toBase64(encScheduleBytes);
+  
+  const originalScheduleText = await decryptText(key2, fromBase64(encScheduleBase64), ivStr);
+  
+  assert.strictEqual(originalScheduleText, schedule);
+  console.log("✅ Task Encryption/Decryption Successful");
+
+  console.log("🎉 All Checks Passed!");
+}
+
+run().catch(err => {
+  console.error("❌ Verification Failed:", err);
+  process.exit(1);
+});

package/wrangler.toml

@@ -33,9 +33,11 @@ new_sqlite_classes = ["ConnectionDO"]
 
 # --- Environment Variables ---
 [vars]
-ENVIRONMENT = "development"
+ENVIRONMENT = "production"
 # Firebase project ID for Google/GitHub Sign-In token verification.
 FIREBASE_PROJECT_ID = "botschat-130ff"
+# IMPORTANT: For production, set JWT_SECRET via `wrangler secret put JWT_SECRET`.
+# The app will refuse to start in non-development mode without it.
 
 # --- Dev settings ---
 [dev]