claudemesh-cli 1.7.0 → 1.8.0

package/README.md

@@ -2,7 +2,9 @@
 
 Peer mesh for Claude Code sessions. Connect multiple Claude Code instances into a shared mesh with real-time messaging, shared state, memory, file sharing, vector store, scheduled jobs, and more — all driven from the `claudemesh` CLI. The MCP server is a tool-less push-pipe that delivers inbound peer messages to Claude as `<channel>` interrupts; everything else lives behind CLI verbs that Claude learns from the auto-installed `claudemesh` skill.
 
-> **What's new in 1.7.0:** terminal parity for the v1.6.x server features. New verbs: `claudemesh topic tail` (live SSE message stream — Ctrl-C to exit), `claudemesh notification list` (recent `@you` mentions across topics), `claudemesh member list` (mesh roster with online dots, distinct from `peer list`'s live-session view). Each command auto-mints a 5-minute read-only apikey via the WebSocket and revokes it on exit, so no token plumbing is needed.
+> **What's new in 1.8.0:** per-topic end-to-end encryption (v0.3.0 phase 3, CLI side). `claudemesh topic post <topic> <msg>` encrypts the body with `crypto_secretbox` under the topic's symmetric key — broker stores ciphertext only. `claudemesh topic tail` now decrypts v2 messages on render and runs a background re-seal loop every 30s, so new topic joiners get their sealed keys without manual action. `topic-key` cache is process-only — kill the CLI, the key forgets. Web dashboard reads v1 plaintext for now (phase 3.5 brings browser-side identity).
+>
+> **What was new in 1.7.0:** terminal parity for the v1.6.x server features. New verbs: `claudemesh topic tail` (live SSE message stream — Ctrl-C to exit), `claudemesh notification list` (recent `@you` mentions across topics), `claudemesh member list` (mesh roster with online dots, distinct from `peer list`'s live-session view). Each command auto-mints a 5-minute read-only apikey via the WebSocket and revokes it on exit, so no token plumbing is needed.
 >
 > **What was new in 1.6.0:** topics (channel pub/sub), API keys for human/REST clients, and bridge peers that forward a topic between two meshes. New verbs: `claudemesh topic`, `claudemesh apikey`, `claudemesh bridge`. A REST surface at `https://claudemesh.com/api/v1/*` (messages, topics, peers, history) accepts `Authorization: Bearer cm_...` keys, so any HTTPS client can participate without WebSocket + ed25519 plumbing. **Note**: REST lives on the web host (`claudemesh.com`), not the broker host (`ic.claudemesh.com`) — the broker only speaks WebSocket.
 >
@@ -45,7 +47,8 @@ USAGE
   claudemesh profile         view or edit your profile
 
   claudemesh topic ...       create, list, join, send to topics
-  claudemesh topic tail <t>  live SSE tail of a topic
+  claudemesh topic tail <t>  live SSE tail of a topic (decrypts v2)
+  claudemesh topic post <t>  encrypted REST post (v2 ciphertext)
   claudemesh member list     mesh roster with online state
   claudemesh notification list  recent @-mentions of you
   claudemesh apikey ...      issue, list, revoke API keys (REST clients)

package/dist/entrypoints/cli.js

@@ -88,7 +88,7 @@ __export(exports_urls, {
   VERSION: () => VERSION,
   URLS: () => URLS
 });
-var URLS, VERSION = "1.7.0", env;
+var URLS, VERSION = "1.8.0", env;
 var init_urls = __esm(() => {
   URLS = {
     BROKER: process.env.CLAUDEMESH_BROKER_URL ?? "wss://ic.claudemesh.com/ws",
@@ -11679,18 +11679,140 @@ var init_with_rest_key = __esm(() => {
   init_connect();
 });
 
+// src/services/crypto/topic-key.ts
+function cacheKey(apiKeySecret, topicName) {
+  return `${apiKeySecret.slice(0, 12)}:${topicName}`;
+}
+async function getTopicKey(args) {
+  const cacheId = cacheKey(args.apiKeySecret, args.topicName);
+  if (!args.fresh) {
+    const cached = cache.get(cacheId);
+    if (cached)
+      return { ok: true, topicKey: cached.topicKey };
+  }
+  let sealed;
+  try {
+    sealed = await request({
+      path: `/api/v1/topics/${encodeURIComponent(args.topicName)}/key`,
+      token: args.apiKeySecret
+    });
+  } catch (e) {
+    if (e instanceof ApiError) {
+      if (e.status === 404)
+        return { ok: false, error: "not_sealed" };
+      if (e.status === 409)
+        return { ok: false, error: "topic_unencrypted" };
+    }
+    return {
+      ok: false,
+      error: "network",
+      message: e instanceof Error ? e.message : String(e)
+    };
+  }
+  const sodium4 = (await import("libsodium-wrappers")).default;
+  await sodium4.ready;
+  let recipientX25519Secret;
+  try {
+    const ed = sodium4.from_hex(args.memberSecretKeyHex);
+    recipientX25519Secret = sodium4.crypto_sign_ed25519_sk_to_curve25519(ed);
+  } catch {
+    return { ok: false, error: "bad_member_secret" };
+  }
+  let topicKey;
+  try {
+    const blob = sodium4.from_base64(sealed.encryptedKey, sodium4.base64_variants.ORIGINAL);
+    const nonce = sodium4.from_base64(sealed.nonce, sodium4.base64_variants.ORIGINAL);
+    if (blob.length < 32 + sodium4.crypto_box_MACBYTES) {
+      return {
+        ok: false,
+        error: "decrypt_failed",
+        message: "sealed key blob too short to contain sender pubkey + cipher"
+      };
+    }
+    const senderX25519 = blob.slice(0, 32);
+    const cipher = blob.slice(32);
+    topicKey = sodium4.crypto_box_open_easy(cipher, nonce, senderX25519, recipientX25519Secret);
+  } catch (e) {
+    return {
+      ok: false,
+      error: "decrypt_failed",
+      message: e instanceof Error ? e.message : String(e)
+    };
+  }
+  cache.set(cacheId, { topicKey, fetchedAt: Date.now() });
+  return { ok: true, topicKey };
+}
+async function encryptMessage(topicKey, plaintext) {
+  const sodium4 = (await import("libsodium-wrappers")).default;
+  await sodium4.ready;
+  const nonceBytes = sodium4.randombytes_buf(sodium4.crypto_secretbox_NONCEBYTES);
+  const cipher = sodium4.crypto_secretbox_easy(sodium4.from_string(plaintext), nonceBytes, topicKey);
+  return {
+    ciphertext: sodium4.to_base64(cipher, sodium4.base64_variants.ORIGINAL),
+    nonce: sodium4.to_base64(nonceBytes, sodium4.base64_variants.ORIGINAL)
+  };
+}
+async function decryptMessage(topicKey, ciphertextB64, nonceB64) {
+  try {
+    const sodium4 = (await import("libsodium-wrappers")).default;
+    await sodium4.ready;
+    const cipher = sodium4.from_base64(ciphertextB64, sodium4.base64_variants.ORIGINAL);
+    const nonce = sodium4.from_base64(nonceB64, sodium4.base64_variants.ORIGINAL);
+    const plain = sodium4.crypto_secretbox_open_easy(cipher, nonce, topicKey);
+    return sodium4.to_string(plain);
+  } catch {
+    return null;
+  }
+}
+async function sealTopicKeyFor(topicKey, recipientPubkeyHex, ourMemberSecretKeyHex) {
+  try {
+    const sodium4 = (await import("libsodium-wrappers")).default;
+    await sodium4.ready;
+    const recipientX25519 = sodium4.crypto_sign_ed25519_pk_to_curve25519(sodium4.from_hex(recipientPubkeyHex));
+    const ourEdSecret = sodium4.from_hex(ourMemberSecretKeyHex);
+    const ourX25519Secret = sodium4.crypto_sign_ed25519_sk_to_curve25519(ourEdSecret);
+    const ourEdPublic = ourEdSecret.slice(32, 64);
+    const ourX25519Public = sodium4.crypto_sign_ed25519_pk_to_curve25519(ourEdPublic);
+    const nonceBytes = sodium4.randombytes_buf(sodium4.crypto_box_NONCEBYTES);
+    const cipher = sodium4.crypto_box_easy(topicKey, nonceBytes, recipientX25519, ourX25519Secret);
+    const blob = new Uint8Array(32 + cipher.length);
+    blob.set(ourX25519Public, 0);
+    blob.set(cipher, 32);
+    return {
+      encryptedKey: sodium4.to_base64(blob, sodium4.base64_variants.ORIGINAL),
+      nonce: sodium4.to_base64(nonceBytes, sodium4.base64_variants.ORIGINAL)
+    };
+  } catch {
+    return null;
+  }
+}
+var cache;
+var init_topic_key = __esm(() => {
+  init_client();
+  init_errors();
+  cache = new Map;
+});
+
 // src/commands/topic-tail.ts
 var exports_topic_tail = {};
 __export(exports_topic_tail, {
   runTopicTail: () => runTopicTail
 });
-function decodeCiphertext(b64) {
+function decodeV1(b64) {
   try {
     return Buffer.from(b64, "base64").toString("utf-8");
   } catch {
     return "[decode failed]";
   }
 }
+async function decryptForRender(m, topicKey) {
+  if ((m.bodyVersion ?? 1) === 1)
+    return decodeV1(m.ciphertext);
+  if (!topicKey)
+    return "[encrypted — no topic key]";
+  const plain = await decryptMessage(topicKey, m.ciphertext, m.nonce);
+  return plain ?? "[decrypt failed]";
+}
 function fmtTime(iso) {
   try {
     return new Date(iso).toLocaleTimeString([], {
@@ -11702,13 +11824,14 @@ function fmtTime(iso) {
     return iso;
   }
 }
-function printMessage(m, json) {
-  const text = decodeCiphertext(m.ciphertext);
+async function printMessage(m, topicKey, json) {
+  const text = await decryptForRender(m, topicKey);
   if (json) {
     console.log(JSON.stringify({ ...m, message: text }));
     return;
   }
-  process.stdout.write(`  ${dim(fmtTime(m.createdAt))}  ${bold(m.senderName || m.senderPubkey.slice(0, 8))}  ${text}
+  const v2Marker = (m.bodyVersion ?? 1) === 2 ? dim("\uD83D\uDD12 ") : "";
+  process.stdout.write(`  ${dim(fmtTime(m.createdAt))}  ${bold(m.senderName || m.senderPubkey.slice(0, 8))}  ${v2Marker}${text}
 `);
 }
 async function* readSseStream(reader) {
@@ -11761,7 +11884,55 @@ async function runTopicTail(name, flags) {
     purpose: `tail-${cleanName}`,
     capabilities: ["read"],
     topicScopes: [cleanName]
-  }, async ({ secret, meshSlug }) => {
+  }, async ({ secret, meshSlug, mesh }) => {
+    const keyResult = await getTopicKey({
+      apiKeySecret: secret,
+      memberSecretKeyHex: mesh.secretKey,
+      topicName: cleanName
+    });
+    const topicKey = keyResult.ok ? keyResult.topicKey ?? null : null;
+    let resealTimer = null;
+    if (topicKey) {
+      const reseal = async () => {
+        try {
+          const pending = await request({
+            path: `/api/v1/topics/${encodeURIComponent(cleanName)}/pending-seals`,
+            token: secret
+          });
+          for (const target of pending.pending) {
+            const sealed = await sealTopicKeyFor(topicKey, target.pubkey, mesh.secretKey);
+            if (!sealed)
+              continue;
+            try {
+              await request({
+                path: `/api/v1/topics/${encodeURIComponent(cleanName)}/seal`,
+                method: "POST",
+                token: secret,
+                body: {
+                  memberId: target.memberId,
+                  encryptedKey: sealed.encryptedKey,
+                  nonce: sealed.nonce
+                }
+              });
+              if (!flags.json) {
+                render.info(dim(`re-sealed topic key for ${target.displayName}`));
+              }
+            } catch {}
+          }
+        } catch {}
+      };
+      reseal();
+      resealTimer = setInterval(reseal, 30000);
+    }
+    if (!flags.json && !keyResult.ok) {
+      if (keyResult.error === "topic_unencrypted") {
+        render.info(dim("topic is on v1 (plaintext) — encryption will activate after creator-seal"));
+      } else if (keyResult.error === "not_sealed") {
+        render.warn(yellow("no topic key sealed for you yet — wait for a holder to re-seal"));
+      } else if (keyResult.error === "decrypt_failed") {
+        render.warn(yellow(`topic key fetched but decrypt failed: ${keyResult.message ?? ""}`));
+      }
+    }
     if (!flags.forwardOnly && limit > 0) {
       try {
         const history = await request({
@@ -11772,7 +11943,7 @@ async function runTopicTail(name, flags) {
           render.section(`${clay("#" + cleanName)} on ${dim(meshSlug)} — backfill ${history.messages.length}, then live`);
         }
         for (const m of history.messages.slice().reverse()) {
-          printMessage(m, flags.json ?? false);
+          await printMessage(m, topicKey, flags.json ?? false);
         }
       } catch (err) {
         render.warn(`backfill failed: ${err.message}`);
@@ -11811,7 +11982,7 @@ async function runTopicTail(name, flags) {
         if (ev.event === "message") {
           try {
             const m = JSON.parse(ev.data);
-            printMessage(m, flags.json ?? false);
+            await printMessage(m, topicKey, flags.json ?? false);
           } catch {}
         }
       }
@@ -11824,6 +11995,8 @@ async function runTopicTail(name, flags) {
     } finally {
       process.removeListener("SIGINT", onSig);
       process.removeListener("SIGTERM", onSig);
+      if (resealTimer)
+        clearInterval(resealTimer);
     }
   });
 }
@@ -11831,6 +12004,87 @@ var init_topic_tail = __esm(() => {
   init_urls();
   init_with_rest_key();
   init_client();
+  init_topic_key();
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
+// src/commands/topic-post.ts
+var exports_topic_post = {};
+__export(exports_topic_post, {
+  runTopicPost: () => runTopicPost
+});
+async function runTopicPost(topicName, message, flags) {
+  if (!topicName || !message) {
+    render.err("Usage: claudemesh topic post <topic> <message>");
+    return EXIT.INVALID_ARGS;
+  }
+  const cleanName = topicName.replace(/^#/, "");
+  const mentions = [];
+  const mentionRe = /(^|[^A-Za-z0-9_-])@([A-Za-z0-9_-]{1,64})(?=$|[^A-Za-z0-9_-])/g;
+  let m;
+  while ((m = mentionRe.exec(message)) !== null) {
+    mentions.push(m[2].toLowerCase());
+    if (mentions.length >= 16)
+      break;
+  }
+  return withRestKey({
+    meshSlug: flags.mesh ?? null,
+    purpose: `post-${cleanName}`,
+    capabilities: ["read", "send"],
+    topicScopes: [cleanName]
+  }, async ({ secret, mesh }) => {
+    let bodyVersion = 1;
+    let ciphertext;
+    let nonce;
+    if (flags.plaintext) {
+      ciphertext = Buffer.from(message, "utf-8").toString("base64");
+      nonce = Buffer.from(new Uint8Array(24)).toString("base64");
+    } else {
+      const keyResult = await getTopicKey({
+        apiKeySecret: secret,
+        memberSecretKeyHex: mesh.secretKey,
+        topicName: cleanName
+      });
+      if (keyResult.ok && keyResult.topicKey) {
+        const enc = await encryptMessage(keyResult.topicKey, message);
+        ciphertext = enc.ciphertext;
+        nonce = enc.nonce;
+        bodyVersion = 2;
+      } else if (keyResult.error === "topic_unencrypted") {
+        ciphertext = Buffer.from(message, "utf-8").toString("base64");
+        nonce = Buffer.from(new Uint8Array(24)).toString("base64");
+      } else {
+        render.err(`cannot encrypt for #${cleanName}: ${keyResult.error ?? "unknown"}${keyResult.message ? " — " + keyResult.message : ""}`);
+        return EXIT.INTERNAL_ERROR;
+      }
+    }
+    const result = await request({
+      path: "/api/v1/messages",
+      method: "POST",
+      token: secret,
+      body: {
+        topic: cleanName,
+        ciphertext,
+        nonce,
+        bodyVersion,
+        ...mentions.length > 0 ? { mentions } : {}
+      }
+    });
+    if (flags.json) {
+      console.log(JSON.stringify({ ...result, bodyVersion, mentions }));
+      return EXIT.SUCCESS;
+    }
+    const versionTag = bodyVersion === 2 ? green("\uD83D\uDD12 v2") : dim("v1");
+    render.ok("posted", `${clay("#" + cleanName)}  ${versionTag}  ${dim(`(${result.notifications} mentions)`)}`);
+    return EXIT.SUCCESS;
+  });
+}
+var init_topic_post = __esm(() => {
+  init_with_rest_key();
+  init_client();
+  init_topic_key();
   init_render();
   init_styles();
   init_exit_codes();
@@ -11841,7 +12095,7 @@ var exports_notification = {};
 __export(exports_notification, {
   runNotificationList: () => runNotificationList
 });
-function decodeCiphertext2(b64) {
+function decodeCiphertext(b64) {
   try {
     return Buffer.from(b64, "base64").toString("utf-8");
   } catch {
@@ -11868,7 +12122,7 @@ async function runNotificationList(flags) {
     if (flags.json) {
       const decoded = result.notifications.map((n) => ({
         ...n,
-        message: decodeCiphertext2(n.ciphertext)
+        message: decodeCiphertext(n.ciphertext)
       }));
       console.log(JSON.stringify({ ...result, notifications: decoded }, null, 2));
       return EXIT.SUCCESS;
@@ -11880,7 +12134,7 @@ async function runNotificationList(flags) {
     render.section(`mentions of @${bold(result.mentionedAs)} (${result.notifications.length})`);
     for (const n of result.notifications) {
       const when = fmtRelative(n.createdAt);
-      const msg = decodeCiphertext2(n.ciphertext).replace(/\s+/g, " ").trim();
+      const msg = decodeCiphertext(n.ciphertext).replace(/\s+/g, " ").trim();
       const snippet = msg.length > 100 ? msg.slice(0, 97) + "…" : msg;
       process.stdout.write(`  ${clay("#" + n.topicName)}  ${dim(when)}  ${bold(n.senderName)}
 `);
@@ -13518,7 +13772,8 @@ Topic  (conversation scope, v0.2.0)
   claudemesh topic history <t>     fetch message history [--limit --before]
   claudemesh topic read <topic>    mark all as read
   claudemesh topic tail <topic>    live SSE tail [--limit --forward-only]
-  claudemesh send "#topic" "msg"   send to a topic
+  claudemesh topic post <t> <msg>  encrypted REST post (v0.3.0 v2)
+  claudemesh send "#topic" "msg"   send to a topic (WS path, v1 plaintext)
   claudemesh member list           mesh roster with online state [--online]
   claudemesh notification list     recent @-mentions of you [--since <ISO>]
 
@@ -14308,8 +14563,17 @@ async function main() {
         };
         const { runTopicTail: runTopicTail2 } = await Promise.resolve().then(() => (init_topic_tail(), exports_topic_tail));
         process.exit(await runTopicTail2(arg, tailFlags));
+      } else if (sub === "post") {
+        const postFlags = {
+          mesh: flags.mesh,
+          json: !!flags.json,
+          plaintext: !!flags.plaintext
+        };
+        const message = positionals.slice(2).join(" ");
+        const { runTopicPost: runTopicPost2 } = await Promise.resolve().then(() => (init_topic_post(), exports_topic_post));
+        process.exit(await runTopicPost2(arg, message, postFlags));
       } else {
-        console.error("Usage: claudemesh topic <create|list|join|leave|members|history|read|tail>");
+        console.error("Usage: claudemesh topic <create|list|join|leave|members|history|read|tail|post>");
         process.exit(EXIT.INVALID_ARGS);
       }
       break;
@@ -14396,4 +14660,4 @@ main().catch((err) => {
   process.exit(EXIT.INTERNAL_ERROR);
 });
 
-//# debugId=81FA5977F36B50C364756E2164756E21
+//# debugId=25484051F3F24E9464756E2164756E21