chat-ma 1.0.0

package/README.md

@@ -0,0 +1,100 @@
+# chat-ma
+
+Cinematic Matrix-style one-time terminal messenger distributed as an npm CLI package.
+
+## Features
+
+- WebSocket-based incoming message notifications.
+- Full-screen terminal UI with Matrix digital rain and glitching header.
+- Green hacker status boxes for register/login/send flows.
+- One-time ephemeral messages only stored in memory.
+- SQLite storage only for users + bcrypt password hashes.
+- Password confirmation required before decrypting a message.
+
+## Install
+
+```bash
+npm install
+```
+
+## Run server
+
+```bash
+npm run serve
+```
+
+Server default: `http://localhost:3000`
+
+## Use CLI
+
+```bash
+npx chat-ma register
+npx chat-ma login
+npx chat-ma send
+npx chat-ma open
+```
+
+## Authentication + local config
+
+After successful register/login, client stores token in:
+
+`~/.chat-ma/config.json`
+
+Example:
+
+```json
+{
+  "serverUrl": "http://localhost:3000",
+  "token": "...",
+  "username": "alice"
+}
+```
+
+## Security model
+
+- Passwords are hashed with bcrypt and never stored plaintext.
+- JWT session token for API/WebSocket auth.
+- In-memory messages only (never written to SQLite).
+- Message TTL defaults to 5 minutes.
+- Message is destroyed after close (`VIEW_CLOSE`) or expiry.
+- Basic rate limiting on register/login endpoints.
+
+## Publish to npm
+
+1. Update `version` in `package.json`.
+2. Login to npm:
+   ```bash
+   npm login
+   ```
+3. Publish:
+   ```bash
+   npm publish --access public
+   ```
+
+## Project structure
+
+```
+chat-ma/
+  package.json
+  README.md
+  /bin
+    chat.js
+  /server
+    server.js
+    ws.js
+    auth.js
+    userDb.js
+    memoryMessages.js
+    rateLimit.js
+    config.js
+  /client
+    /lib
+      ui.js
+      matrixRain.js
+      glitch.js
+      hackerBoxes.js
+      decryptAnimation.js
+      wsClient.js
+      prompts.js
+      localConfig.js
+```

package/bin/chat.js

@@ -0,0 +1,279 @@
+#!/usr/bin/env node
+import blessed from 'blessed';
+import ora from 'ora';
+import cliProgress from 'cli-progress';
+import { askCredentials, askSendPayload } from '../client/lib/prompts.js';
+import { loadLocalConfig, requireAuthConfig, saveLocalConfig } from '../client/lib/localConfig.js';
+import { printBanner } from '../client/lib/ui.js';
+import {
+  showAuthorizedBox,
+  showDeniedBox,
+  showMessageFailedBox,
+  showMessageSentBox,
+  showStatusBox
+} from '../client/lib/hackerBoxes.js';
+import { connectWs } from '../client/lib/wsClient.js';
+import { runDecryptAnimation } from '../client/lib/decryptAnimation.js';
+import { startHeaderGlitch } from '../client/lib/glitch.js';
+import { startMatrixRain } from '../client/lib/matrixRain.js';
+
+const [, , command] = process.argv;
+
+async function postJson(url, payload, token) {
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      ...(token ? { Authorization: `Bearer ${token}` } : {})
+    },
+    body: JSON.stringify(payload)
+  });
+  const data = await res.json();
+  if (!res.ok) throw new Error(data.error || 'Request failed');
+  return data;
+}
+
+async function register() {
+  printBanner();
+  const cfg = loadLocalConfig();
+  const { username, password } = await askCredentials('Register');
+  const spinner = ora('Provisioning identity...').start();
+  try {
+    const data = await postJson(`${cfg.serverUrl}/register`, { username, password });
+    spinner.succeed('Identity created');
+    saveLocalConfig({ token: data.token, username: data.username, serverUrl: cfg.serverUrl });
+    showAuthorizedBox();
+  } catch (err) {
+    spinner.fail(err.message);
+    showDeniedBox();
+  }
+}
+
+async function login() {
+  printBanner();
+  const cfg = loadLocalConfig();
+  const { username, password } = await askCredentials('Login');
+  const spinner = ora('Authenticating...').start();
+  try {
+    const data = await postJson(`${cfg.serverUrl}/login`, { username, password });
+    spinner.succeed('Session established');
+    saveLocalConfig({ token: data.token, username: data.username, serverUrl: cfg.serverUrl });
+    showAuthorizedBox();
+  } catch (err) {
+    spinner.fail(err.message);
+    showDeniedBox();
+  }
+}
+
+async function send() {
+  printBanner();
+  const cfg = requireAuthConfig();
+  const { to, body } = await askSendPayload();
+  const bar = new cliProgress.SingleBar({ format: 'UPLINK [{bar}] {percentage}%' }, cliProgress.Presets.shades_classic);
+  bar.start(100, 0);
+
+  showStatusBox('INITIALIZING UPLINK');
+  await new Promise((r) => setTimeout(r, 500));
+  bar.update(40);
+  showStatusBox('ENCAPSULATING PAYLOAD');
+  await new Promise((r) => setTimeout(r, 500));
+  bar.update(85);
+
+  try {
+    await postJson(`${cfg.serverUrl}/send`, { to, body }, cfg.token);
+    bar.update(100);
+    bar.stop();
+    showMessageSentBox();
+  } catch (err) {
+    bar.stop();
+    process.stdout.write(`${err.message}\n`);
+    showMessageFailedBox();
+  }
+}
+
+function askPasswordInScreen(screen) {
+  return new Promise((resolve) => {
+    const prompt = blessed.prompt({
+      parent: screen,
+      border: 'line',
+      label: ' Decrypt ',
+      top: 'center',
+      left: 'center',
+      width: '50%',
+      height: 8,
+      keys: true,
+      vi: true,
+      style: { border: { fg: 'green' }, fg: 'green' }
+    });
+
+    prompt.input('Enter password to decrypt:', '', (_err, value) => resolve(value || ''));
+  });
+}
+
+async function openInbox() {
+  const cfg = requireAuthConfig();
+
+  const screen = blessed.screen({ smartCSR: true, title: 'chat-ma terminal' });
+  const rain = blessed.box({
+    parent: screen,
+    top: 0,
+    left: 0,
+    width: '100%',
+    height: '100%',
+    tags: true,
+    style: { fg: 'green' }
+  });
+
+  const headerText = 'AUTHORIZED TERMINAL';
+  const header = blessed.box({
+    parent: screen,
+    top: 0,
+    left: 'center',
+    width: 'shrink',
+    height: 1,
+    tags: true,
+    content: `{green-fg}${headerText}{/green-fg}`
+  });
+
+  const status = blessed.box({
+    parent: screen,
+    bottom: 0,
+    left: 1,
+    height: 1,
+    tags: true,
+    content: `{green-fg}CONNECTED | USER: ${cfg.username} | ONE TIME MODE{/green-fg}`
+  });
+
+  const modal = blessed.list({
+    parent: screen,
+    width: 40,
+    height: 11,
+    top: 'center',
+    left: 'center',
+    border: 'line',
+    style: {
+      fg: 'green',
+      border: { fg: 'green' },
+      selected: { bg: 'green', fg: 'black' }
+    },
+    keys: true,
+    vi: true,
+    mouse: false,
+    tags: true,
+    hidden: true,
+    label: ' INCOMING '
+  });
+
+  const messageBox = blessed.box({
+    parent: screen,
+    width: '70%',
+    height: 9,
+    top: 'center',
+    left: 'center',
+    border: 'line',
+    style: { fg: 'green', border: { fg: 'green' } },
+    tags: true,
+    hidden: true
+  });
+
+  const stopRain = startMatrixRain(screen, rain);
+  const stopGlitch = startHeaderGlitch(header, headerText, screen);
+
+  let currentIncoming = null;
+
+  const ws = connectWs(cfg.serverUrl, cfg.token, {
+    onMessage: async (msg, socket) => {
+      if (msg.type === 'INCOMING') {
+        currentIncoming = msg;
+        modal.setItems([
+          '',
+          ' NEW ENCRYPTED MESSAGE RECEIVED ',
+          ` FROM: ${msg.from} (${msg.len} chars)`,
+          '',
+          ' [ VIEW ]',
+          ' [ DISMISS ]'
+        ]);
+        modal.select(4);
+        modal.show();
+        modal.focus();
+        screen.render();
+        return;
+      }
+
+      if (msg.type === 'VIEW_PAYLOAD') {
+        messageBox.show();
+        messageBox.setContent('{green-fg}Decrypting...{/green-fg}');
+        screen.render();
+
+        await runDecryptAnimation((line) => {
+          messageBox.setContent(`{green-fg}${line}{/green-fg}\n\n{green-fg}[ CLOSE ]{/green-fg}`);
+          screen.render();
+        }, msg.body);
+
+        messageBox.key(['enter'], () => {
+          socket.send(JSON.stringify({ type: 'VIEW_CLOSE', id: msg.id }));
+          messageBox.hide();
+          screen.render();
+        });
+        messageBox.focus();
+      }
+
+      if (msg.type === 'VIEW_MISSING') {
+        messageBox.show();
+        messageBox.setContent('{green-fg}MESSAGE EXPIRED OR ALREADY VIEWED{/green-fg}');
+        screen.render();
+        setTimeout(() => {
+          messageBox.hide();
+          screen.render();
+        }, 1000);
+      }
+    }
+  });
+
+  modal.on('select', async (_el, index) => {
+    if (!currentIncoming) return;
+    if (index === 4) {
+      modal.hide();
+      screen.render();
+      const password = await askPasswordInScreen(screen);
+      try {
+        await postJson(`${cfg.serverUrl}/verify-password`, { password }, cfg.token);
+        ws.send(JSON.stringify({ type: 'VIEW_REQUEST', id: currentIncoming.id }));
+      } catch {
+        modal.setItems(['', ' ACCESS DENIED ', '', ' [ OK ]']);
+        modal.select(3);
+        modal.show();
+        screen.render();
+      }
+    }
+
+    if (index === 5 || index === 3) {
+      modal.hide();
+      currentIncoming = null;
+      screen.render();
+    }
+  });
+
+  screen.key(['C-c', 'q'], () => {
+    stopRain();
+    stopGlitch();
+    ws.close();
+    return process.exit(0);
+  });
+
+  screen.render();
+}
+
+async function main() {
+  if (command === 'register') return register();
+  if (command === 'login') return login();
+  if (command === 'send') return send();
+  if (command === 'open') return openInbox();
+
+  process.stdout.write('Usage: chat-ma <register|login|send|open>\n');
+}
+
+main().catch((err) => {
+  process.stderr.write(`Error: ${err.message}\n`);
+  process.exit(1);
+});

package/client/lib/decryptAnimation.js

@@ -0,0 +1,26 @@
+const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+-=[]{}|;:,.<>?';
+
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+export async function runDecryptAnimation(setLine, message) {
+  const initial = 'X'.repeat(message.length);
+  setLine(initial);
+  const duration = 1400 + Math.floor(Math.random() * 1200);
+  const steps = Math.max(20, Math.floor(duration / 45));
+
+  for (let s = 0; s < steps; s += 1) {
+    const locked = Math.floor((s / steps) * message.length);
+    let line = '';
+    for (let i = 0; i < message.length; i += 1) {
+      if (i <= locked) {
+        line += message[i];
+      } else {
+        line += chars[Math.floor(Math.random() * chars.length)];
+      }
+    }
+    setLine(line);
+    await sleep(45);
+  }
+
+  setLine(message);
+}

package/client/lib/glitch.js

@@ -0,0 +1,23 @@
+const glitchChars = '!@#$%^&*?';
+
+function mutate(text) {
+  return text
+    .split('')
+    .map((c) => (Math.random() > 0.8 && c !== ' ' ? glitchChars[Math.floor(Math.random() * glitchChars.length)] : c))
+    .join('');
+}
+
+export function startHeaderGlitch(headerBox, normalText, screen) {
+  const timer = setInterval(() => {
+    if (Math.random() > 0.82) {
+      headerBox.setContent(`{green-fg}${mutate(normalText)}{/green-fg}`);
+      screen.render();
+      setTimeout(() => {
+        headerBox.setContent(`{green-fg}${normalText}{/green-fg}`);
+        screen.render();
+      }, 140);
+    }
+  }, 700);
+
+  return () => clearInterval(timer);
+}

package/client/lib/hackerBoxes.js

@@ -0,0 +1,38 @@
+function center(line) {
+  const cols = process.stdout.columns || 80;
+  const pad = Math.max(0, Math.floor((cols - line.length) / 2));
+  return `${' '.repeat(pad)}${line}`;
+}
+
+function buildBox(lines = []) {
+  const width = Math.max(...lines.map((l) => l.length), 30) + 4;
+  const top = `╔${'═'.repeat(width - 2)}╗`;
+  const bottom = `╚${'═'.repeat(width - 2)}╝`;
+  const rows = lines.map((line) => {
+    const pad = width - 2 - line.length;
+    const left = Math.floor(pad / 2);
+    const right = pad - left;
+    return `║${' '.repeat(left)}${line}${' '.repeat(right)}║`;
+  });
+  return [top, ...rows, bottom].map(center).join('\n');
+}
+
+export function showStatusBox(text) {
+  process.stdout.write(`${buildBox(['', text, ''])}\n`);
+}
+
+export function showAuthorizedBox() {
+  showStatusBox('AUTHORIZED TERMINAL');
+}
+
+export function showDeniedBox() {
+  showStatusBox('ACCESS DENIED');
+}
+
+export function showMessageSentBox() {
+  showStatusBox('MESSAGE SENT');
+}
+
+export function showMessageFailedBox() {
+  showStatusBox('MESSAGE FAILED');
+}

package/client/lib/localConfig.js

@@ -0,0 +1,32 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+const cfgDir = path.join(os.homedir(), '.chat-ma');
+const cfgPath = path.join(cfgDir, 'config.json');
+
+export function loadLocalConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(cfgPath, 'utf8'));
+  } catch {
+    return {
+      serverUrl: process.env.CHAT_MA_SERVER || 'http://localhost:3000'
+    };
+  }
+}
+
+export function saveLocalConfig(partial) {
+  const current = loadLocalConfig();
+  const merged = { ...current, ...partial };
+  fs.mkdirSync(cfgDir, { recursive: true });
+  fs.writeFileSync(cfgPath, JSON.stringify(merged, null, 2));
+  return merged;
+}
+
+export function requireAuthConfig() {
+  const cfg = loadLocalConfig();
+  if (!cfg.token || !cfg.username) {
+    throw new Error('Not logged in. Run: npx chat-ma login');
+  }
+  return cfg;
+}

package/client/lib/matrixRain.js

@@ -0,0 +1,26 @@
+const glyphs = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$%&*+-?<>[]{}';
+
+export function startMatrixRain(screen, targetBox) {
+  const width = screen.width;
+  const height = screen.height;
+  const drops = Array.from({ length: width }, () => Math.floor(Math.random() * height));
+
+  const timer = setInterval(() => {
+    const frame = Array.from({ length: height }, () => Array.from({ length: width }, () => ' '));
+
+    for (let x = 0; x < width; x += 1) {
+      const y = drops[x];
+      frame[y % height][x] = glyphs[Math.floor(Math.random() * glyphs.length)];
+      if (Math.random() > 0.96) {
+        drops[x] = 0;
+      } else {
+        drops[x] += 1 + (Math.random() > 0.7 ? 1 : 0);
+      }
+    }
+
+    targetBox.setContent(`{green-fg}${frame.map((r) => r.join('')).join('\n')}{/green-fg}`);
+    screen.render();
+  }, 90);
+
+  return () => clearInterval(timer);
+}

package/client/lib/prompts.js

@@ -0,0 +1,35 @@
+import prompts from 'prompts';
+
+export async function askCredentials(action) {
+  return prompts([
+    {
+      type: 'text',
+      name: 'username',
+      message: `${action} - Username:`,
+      validate: (v) => (v?.trim() ? true : 'Username required')
+    },
+    {
+      type: 'password',
+      name: 'password',
+      message: `${action} - Password:`,
+      validate: (v) => (v?.length ? true : 'Password required')
+    }
+  ]);
+}
+
+export async function askSendPayload() {
+  return prompts([
+    {
+      type: 'text',
+      name: 'to',
+      message: 'Recipient username:',
+      validate: (v) => (v?.trim() ? true : 'Recipient required')
+    },
+    {
+      type: 'text',
+      name: 'body',
+      message: 'Message:',
+      validate: (v) => (v?.length ? true : 'Message required')
+    }
+  ]);
+}

package/client/lib/ui.js

@@ -0,0 +1,12 @@
+import chalk from 'chalk';
+
+export const palette = {
+  green: chalk.hex('#00ff66'),
+  dim: chalk.hex('#44aa66')
+};
+
+export function printBanner() {
+  process.stdout.write(
+    `${palette.green('\n[ AUTHORIZED TERMINAL ]')} ${palette.dim('ONE-TIME EPHEMERAL CHANNEL\n')}`
+  );
+}

package/client/lib/wsClient.js

@@ -0,0 +1,24 @@
+import WebSocket from 'ws';
+
+export function connectWs(serverHttpUrl, token, handlers) {
+  const wsUrl = serverHttpUrl.replace(/^http/, 'ws') + '/ws';
+  const ws = new WebSocket(wsUrl);
+
+  ws.on('open', () => {
+    ws.send(JSON.stringify({ type: 'AUTH', token }));
+  });
+
+  ws.on('message', (raw) => {
+    try {
+      const msg = JSON.parse(raw.toString());
+      handlers?.onMessage?.(msg, ws);
+    } catch {
+      // ignore malformed frames
+    }
+  });
+
+  ws.on('close', () => handlers?.onClose?.());
+  ws.on('error', (err) => handlers?.onError?.(err));
+
+  return ws;
+}

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "chat-ma",
+  "version": "1.0.0",
+  "description": "Cinematic Matrix-style ephemeral terminal messenger",
+  "type": "module",
+  "bin": {
+    "chat-ma": "./bin/chat.js"
+  },
+  "scripts": {
+    "serve": "node server/server.js"
+  },
+  "dependencies": {
+    "bcrypt": "^5.1.1",
+    "better-sqlite3": "^11.7.0",
+    "blessed": "^0.1.81",
+    "chalk": "^5.3.0",
+    "cli-progress": "^3.12.0",
+    "jsonwebtoken": "^9.0.2",
+    "ora": "^8.1.1",
+    "prompts": "^2.4.2",
+    "ws": "^8.18.0"
+  }
+}

package/server/auth.js

@@ -0,0 +1,47 @@
+import bcrypt from 'bcrypt';
+import jwt from 'jsonwebtoken';
+import { config } from './config.js';
+import { createUser, findUserById, findUserByUsername } from './userDb.js';
+
+const SALT_ROUNDS = 12;
+
+export async function registerUser(username, password) {
+  if (!username || !password) {
+    throw new Error('Username and password required');
+  }
+  if (findUserByUsername(username)) {
+    throw new Error('Username already exists');
+  }
+  const passhash = await bcrypt.hash(password, SALT_ROUNDS);
+  const user = createUser(username, passhash);
+  const token = issueToken(user);
+  return { user, token };
+}
+
+export async function loginUser(username, password) {
+  const user = findUserByUsername(username);
+  if (!user) {
+    throw new Error('Invalid credentials');
+  }
+  const ok = await bcrypt.compare(password, user.passhash);
+  if (!ok) {
+    throw new Error('Invalid credentials');
+  }
+  return { user, token: issueToken(user) };
+}
+
+export async function verifyUserPassword(userId, password) {
+  const user = findUserById(userId);
+  if (!user) return false;
+  return bcrypt.compare(password, user.passhash);
+}
+
+function issueToken(user) {
+  return jwt.sign({ sub: user.id, username: user.username }, config.jwtSecret, {
+    expiresIn: config.jwtExpiresIn
+  });
+}
+
+export function verifyToken(token) {
+  return jwt.verify(token, config.jwtSecret);
+}

package/server/config.js

@@ -0,0 +1,12 @@
+import path from 'path';
+import os from 'os';
+
+export const config = {
+  port: process.env.PORT ? Number(process.env.PORT) : 3000,
+  jwtSecret: process.env.JWT_SECRET || 'chat-ma-dev-secret-change-me',
+  jwtExpiresIn: '7d',
+  messageTtlMs: 5 * 60 * 1000,
+  dataDir: path.resolve(process.cwd(), 'server', 'data'),
+  userDbPath: path.resolve(process.cwd(), 'server', 'data', 'users.db'),
+  clientConfigPath: path.join(os.homedir(), '.chat-ma', 'config.json')
+};

package/server/memoryMessages.js

@@ -0,0 +1,58 @@
+import crypto from 'crypto';
+import { config } from './config.js';
+
+const messages = new Map();
+
+export function createMessage({ from, to, body }) {
+  const id = crypto.randomUUID();
+  const now = Date.now();
+  messages.set(id, {
+    id,
+    from,
+    to,
+    body,
+    createdAt: new Date(now).toISOString(),
+    expiresAt: now + config.messageTtlMs,
+    viewed: false
+  });
+  return messages.get(id);
+}
+
+export function getPendingForUser(username) {
+  const now = Date.now();
+  return [...messages.values()].filter(
+    (msg) => msg.to === username && msg.expiresAt > now && !msg.viewed
+  );
+}
+
+export function getMessageForRecipient(id, username) {
+  const msg = messages.get(id);
+  if (!msg || msg.to !== username) return null;
+  if (msg.expiresAt <= Date.now()) {
+    messages.delete(id);
+    return null;
+  }
+  return msg;
+}
+
+export function markViewed(id) {
+  const msg = messages.get(id);
+  if (!msg) return false;
+  msg.viewed = true;
+  return true;
+}
+
+export function deleteMessage(id) {
+  return messages.delete(id);
+}
+
+export function cleanupExpired() {
+  const now = Date.now();
+  for (const [id, msg] of messages) {
+    if (msg.expiresAt <= now) {
+      messages.delete(id);
+    }
+  }
+}
+
+setInterval(cleanupExpired, 15_000).unref();

package/server/rateLimit.js

@@ -0,0 +1,19 @@
+const buckets = new Map();
+
+export function createRateLimiter({ windowMs, maxHits }) {
+  return (key) => {
+    const now = Date.now();
+    const current = buckets.get(key);
+    if (!current || now > current.resetAt) {
+      buckets.set(key, { count: 1, resetAt: now + windowMs });
+      return { allowed: true, remaining: maxHits - 1 };
+    }
+
+    if (current.count >= maxHits) {
+      return { allowed: false, retryMs: current.resetAt - now };
+    }
+
+    current.count += 1;
+    return { allowed: true, remaining: maxHits - current.count };
+  };
+}

package/server/server.js

@@ -0,0 +1,106 @@
+import http from 'http';
+import { loginUser, registerUser, verifyToken, verifyUserPassword } from './auth.js';
+import { config } from './config.js';
+import { createMessage } from './memoryMessages.js';
+import { createRateLimiter } from './rateLimit.js';
+import { attachWsServer, pushIncomingMessage } from './ws.js';
+
+const authLimiter = createRateLimiter({ windowMs: 60_000, maxHits: 15 });
+
+function json(res, status, payload) {
+  res.writeHead(status, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(payload));
+}
+
+function getIp(req) {
+  return req.headers['x-forwarded-for']?.toString() || req.socket.remoteAddress || 'unknown';
+}
+
+async function bodyParser(req) {
+  const chunks = [];
+  for await (const chunk of req) chunks.push(chunk);
+  if (!chunks.length) return {};
+  return JSON.parse(Buffer.concat(chunks).toString('utf8'));
+}
+
+function getBearer(req) {
+  const auth = req.headers.authorization || '';
+  const [scheme, token] = auth.split(' ');
+  if (scheme !== 'Bearer' || !token) return null;
+  try {
+    return verifyToken(token);
+  } catch {
+    return null;
+  }
+}
+
+const server = http.createServer(async (req, res) => {
+  if (req.method === 'POST' && req.url === '/register') {
+    const limit = authLimiter(`register:${getIp(req)}`);
+    if (!limit.allowed) return json(res, 429, { error: 'Too many attempts' });
+    try {
+      const { username, password } = await bodyParser(req);
+      const result = await registerUser(username?.trim(), password);
+      return json(res, 200, {
+        token: result.token,
+        username: result.user.username
+      });
+    } catch (err) {
+      return json(res, 400, { error: err.message });
+    }
+  }
+
+  if (req.method === 'POST' && req.url === '/login') {
+    const limit = authLimiter(`login:${getIp(req)}`);
+    if (!limit.allowed) return json(res, 429, { error: 'Too many attempts' });
+    try {
+      const { username, password } = await bodyParser(req);
+      const result = await loginUser(username?.trim(), password);
+      return json(res, 200, {
+        token: result.token,
+        username: result.user.username
+      });
+    } catch (err) {
+      return json(res, 401, { error: err.message });
+    }
+  }
+
+  if (req.method === 'POST' && req.url === '/send') {
+    const auth = getBearer(req);
+    if (!auth) return json(res, 401, { error: 'Unauthorized' });
+    try {
+      const { to, body } = await bodyParser(req);
+      if (!to || !body) return json(res, 400, { error: 'Recipient and body required' });
+      const message = createMessage({ from: auth.username, to: to.trim(), body: String(body) });
+      pushIncomingMessage(to.trim(), message);
+      return json(res, 200, {
+        ok: true,
+        id: message.id,
+        expiresAt: message.expiresAt
+      });
+    } catch {
+      return json(res, 400, { error: 'Failed to send message' });
+    }
+  }
+
+  if (req.method === 'POST' && req.url === '/verify-password') {
+    const auth = getBearer(req);
+    if (!auth) return json(res, 401, { error: 'Unauthorized' });
+
+    try {
+      const { password } = await bodyParser(req);
+      const ok = await verifyUserPassword(auth.sub, password);
+      return json(res, ok ? 200 : 403, { ok });
+    } catch {
+      return json(res, 400, { ok: false });
+    }
+  }
+
+  json(res, 404, { error: 'Not found' });
+});
+
+attachWsServer(server);
+
+server.listen(config.port, () => {
+  process.stdout.write(`chat-ma server listening on ${config.port}\n`);
+});

package/server/userDb.js

@@ -0,0 +1,41 @@
+import fs from 'fs';
+import path from 'path';
+import Database from 'better-sqlite3';
+import { config } from './config.js';
+
+fs.mkdirSync(path.dirname(config.userDbPath), { recursive: true });
+
+const db = new Database(config.userDbPath);
+
+db.exec(`
+  CREATE TABLE IF NOT EXISTS users (
+    id INTEGER PRIMARY KEY,
+    username TEXT UNIQUE,
+    passhash TEXT,
+    created_at TEXT
+  );
+`);
+
+const insertUserStmt = db.prepare(
+  'INSERT INTO users (username, passhash, created_at) VALUES (?, ?, ?)'
+);
+const findByUsernameStmt = db.prepare(
+  'SELECT id, username, passhash, created_at FROM users WHERE username = ?'
+);
+const findByIdStmt = db.prepare(
+  'SELECT id, username, passhash, created_at FROM users WHERE id = ?'
+);
+
+export function createUser(username, passhash) {
+  const createdAt = new Date().toISOString();
+  const info = insertUserStmt.run(username, passhash, createdAt);
+  return findByIdStmt.get(info.lastInsertRowid);
+}
+
+export function findUserByUsername(username) {
+  return findByUsernameStmt.get(username);
+}
+
+export function findUserById(id) {
+  return findByIdStmt.get(id);
+}

package/server/ws.js

@@ -0,0 +1,102 @@
+import { WebSocketServer } from 'ws';
+import { verifyToken } from './auth.js';
+import {
+  deleteMessage,
+  getMessageForRecipient,
+  getPendingForUser,
+  markViewed
+} from './memoryMessages.js';
+
+const sessionsByUser = new Map();
+
+export function attachWsServer(httpServer) {
+  const wss = new WebSocketServer({ noServer: true });
+
+  httpServer.on('upgrade', (req, socket, head) => {
+    if (req.url !== '/ws') {
+      socket.destroy();
+      return;
+    }
+    wss.handleUpgrade(req, socket, head, (ws) => {
+      wss.emit('connection', ws, req);
+    });
+  });
+
+  wss.on('connection', (ws) => {
+    let username = null;
+
+    ws.on('message', (raw) => {
+      let msg;
+      try {
+        msg = JSON.parse(raw.toString());
+      } catch {
+        return;
+      }
+
+      if (msg.type === 'AUTH') {
+        try {
+          const payload = verifyToken(msg.token);
+          username = payload.username;
+          sessionsByUser.set(username, ws);
+          ws.send(JSON.stringify({ type: 'AUTH_OK', username }));
+
+          const pending = getPendingForUser(username);
+          for (const item of pending) {
+            ws.send(
+              JSON.stringify({
+                type: 'INCOMING',
+                id: item.id,
+                from: item.from,
+                len: item.body.length
+              })
+            );
+          }
+        } catch {
+          ws.send(JSON.stringify({ type: 'AUTH_FAIL' }));
+        }
+        return;
+      }
+
+      if (!username) return;
+
+      if (msg.type === 'VIEW_REQUEST') {
+        const target = getMessageForRecipient(msg.id, username);
+        if (!target || target.viewed) {
+          ws.send(JSON.stringify({ type: 'VIEW_MISSING', id: msg.id }));
+          return;
+        }
+        markViewed(target.id);
+        ws.send(
+          JSON.stringify({ type: 'VIEW_PAYLOAD', id: target.id, body: target.body })
+        );
+        return;
+      }
+
+      if (msg.type === 'VIEW_CLOSE') {
+        deleteMessage(msg.id);
+      }
+    });
+
+    ws.on('close', () => {
+      if (username && sessionsByUser.get(username) === ws) {
+        sessionsByUser.delete(username);
+      }
+    });
+  });
+
+  return wss;
+}
+
+export function pushIncomingMessage(toUser, message) {
+  const ws = sessionsByUser.get(toUser);
+  if (!ws || ws.readyState !== ws.OPEN) return;
+
+  ws.send(
+    JSON.stringify({
+      type: 'INCOMING',
+      id: message.id,
+      from: message.from,
+      len: message.body.length
+    })
+  );
+}