npm - forkoff - Versions diffs - 1.0.16 → 1.0.18 - Mend

forkoff 1.0.16 → 1.0.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +3 -6
package/dist/approval.d.ts +1 -0
package/dist/approval.js +9 -0
package/dist/config.d.ts +3 -0
package/dist/config.js +62 -16
package/dist/crypto/e2eeManager.d.ts +49 -52
package/dist/crypto/e2eeManager.js +256 -181
package/dist/crypto/encryption.d.ts +8 -10
package/dist/crypto/encryption.js +29 -94
package/dist/crypto/index.d.ts +10 -0
package/dist/crypto/index.js +22 -0
package/dist/crypto/keyExchange.d.ts +6 -20
package/dist/crypto/keyExchange.js +18 -110
package/dist/crypto/keyGeneration.d.ts +2 -13
package/dist/crypto/keyGeneration.js +14 -88
package/dist/crypto/keyStorage.d.ts +32 -5
package/dist/crypto/keyStorage.js +152 -8
package/dist/crypto/sessionPersistence.d.ts +7 -13
package/dist/crypto/sessionPersistence.js +108 -33
package/dist/crypto/types.d.ts +24 -3
package/dist/crypto/types.js +2 -1
package/dist/crypto/websocketE2EE.d.ts +6 -17
package/dist/crypto/websocketE2EE.js +21 -38
package/dist/index.js +203 -280
package/dist/integration.d.ts +0 -1
package/dist/integration.js +2 -4
package/dist/logger.d.ts +15 -0
package/dist/logger.js +209 -1
package/dist/server.d.ts +30 -0
package/dist/server.js +162 -0
package/dist/startup.js +15 -6
package/dist/terminal.d.ts +1 -0
package/dist/terminal.js +94 -1
package/dist/tools/claude-process.d.ts +8 -0
package/dist/tools/claude-process.js +199 -26
package/dist/tools/claude-sessions.d.ts +1 -0
package/dist/tools/claude-sessions.js +36 -10
package/dist/tools/detector.js +11 -3
package/dist/tools/permission-hook.js +94 -27
package/dist/tools/permission-ipc.d.ts +1 -0
package/dist/tools/permission-ipc.js +61 -14
package/dist/transcript-streamer.d.ts +1 -0
package/dist/transcript-streamer.js +18 -4
package/dist/usage-tracker.d.ts +45 -0
package/dist/usage-tracker.js +243 -0
package/dist/websocket.d.ts +43 -12
package/dist/websocket.js +418 -214
package/package.json +7 -5
package/dist/__tests__/cli-commands.test.d.ts +0 -6
package/dist/__tests__/cli-commands.test.d.ts.map +0 -1
package/dist/__tests__/cli-commands.test.js +0 -213
package/dist/__tests__/cli-commands.test.js.map +0 -1
package/dist/__tests__/crypto/e2e-integration.test.d.ts +0 -17
package/dist/__tests__/crypto/e2e-integration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/e2e-integration.test.js +0 -338
package/dist/__tests__/crypto/e2e-integration.test.js.map +0 -1
package/dist/__tests__/crypto/e2eeManager.test.d.ts +0 -2
package/dist/__tests__/crypto/e2eeManager.test.d.ts.map +0 -1
package/dist/__tests__/crypto/e2eeManager.test.js +0 -242
package/dist/__tests__/crypto/e2eeManager.test.js.map +0 -1
package/dist/__tests__/crypto/encryption.test.d.ts +0 -2
package/dist/__tests__/crypto/encryption.test.d.ts.map +0 -1
package/dist/__tests__/crypto/encryption.test.js +0 -116
package/dist/__tests__/crypto/encryption.test.js.map +0 -1
package/dist/__tests__/crypto/keyExchange.test.d.ts +0 -2
package/dist/__tests__/crypto/keyExchange.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyExchange.test.js +0 -84
package/dist/__tests__/crypto/keyExchange.test.js.map +0 -1
package/dist/__tests__/crypto/keyGeneration.test.d.ts +0 -2
package/dist/__tests__/crypto/keyGeneration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyGeneration.test.js +0 -61
package/dist/__tests__/crypto/keyGeneration.test.js.map +0 -1
package/dist/__tests__/crypto/keyStorage.test.d.ts +0 -2
package/dist/__tests__/crypto/keyStorage.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyStorage.test.js +0 -133
package/dist/__tests__/crypto/keyStorage.test.js.map +0 -1
package/dist/__tests__/crypto/websocketIntegration.test.d.ts +0 -2
package/dist/__tests__/crypto/websocketIntegration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/websocketIntegration.test.js +0 -259
package/dist/__tests__/crypto/websocketIntegration.test.js.map +0 -1
package/dist/__tests__/startup.test.d.ts +0 -11
package/dist/__tests__/startup.test.d.ts.map +0 -1
package/dist/__tests__/startup.test.js +0 -241
package/dist/__tests__/startup.test.js.map +0 -1
package/dist/__tests__/tools/claude-process.test.d.ts +0 -8
package/dist/__tests__/tools/claude-process.test.d.ts.map +0 -1
package/dist/__tests__/tools/claude-process.test.js +0 -430
package/dist/__tests__/tools/claude-process.test.js.map +0 -1
package/dist/__tests__/tools/permission-hook.test.d.ts +0 -17
package/dist/__tests__/tools/permission-hook.test.d.ts.map +0 -1
package/dist/__tests__/tools/permission-hook.test.js +0 -616
package/dist/__tests__/tools/permission-hook.test.js.map +0 -1
package/dist/__tests__/tools/permission-ipc.test.d.ts +0 -11
package/dist/__tests__/tools/permission-ipc.test.d.ts.map +0 -1
package/dist/__tests__/tools/permission-ipc.test.js +0 -612
package/dist/__tests__/tools/permission-ipc.test.js.map +0 -1
package/dist/__tests__/websocket.test.d.ts +0 -13
package/dist/__tests__/websocket.test.d.ts.map +0 -1
package/dist/__tests__/websocket.test.js +0 -204
package/dist/__tests__/websocket.test.js.map +0 -1
package/dist/api.d.ts +0 -44
package/dist/api.d.ts.map +0 -1
package/dist/api.js +0 -76
package/dist/api.js.map +0 -1
package/dist/approval.d.ts.map +0 -1
package/dist/approval.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/crypto/e2eeManager.d.ts.map +0 -1
package/dist/crypto/e2eeManager.js.map +0 -1
package/dist/crypto/encryption.d.ts.map +0 -1
package/dist/crypto/encryption.js.map +0 -1
package/dist/crypto/keyExchange.d.ts.map +0 -1
package/dist/crypto/keyExchange.js.map +0 -1
package/dist/crypto/keyGeneration.d.ts.map +0 -1
package/dist/crypto/keyGeneration.js.map +0 -1
package/dist/crypto/keyStorage.d.ts.map +0 -1
package/dist/crypto/keyStorage.js.map +0 -1
package/dist/crypto/sessionPersistence.d.ts.map +0 -1
package/dist/crypto/sessionPersistence.js.map +0 -1
package/dist/crypto/types.d.ts.map +0 -1
package/dist/crypto/types.js.map +0 -1
package/dist/crypto/websocketE2EE.d.ts.map +0 -1
package/dist/crypto/websocketE2EE.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/integration.d.ts.map +0 -1
package/dist/integration.js.map +0 -1
package/dist/logger.d.ts.map +0 -1
package/dist/logger.js.map +0 -1
package/dist/startup.d.ts.map +0 -1
package/dist/startup.js.map +0 -1
package/dist/terminal.d.ts.map +0 -1
package/dist/terminal.js.map +0 -1
package/dist/tools/__tests__/claude-sessions.test.d.ts +0 -2
package/dist/tools/__tests__/claude-sessions.test.d.ts.map +0 -1
package/dist/tools/__tests__/claude-sessions.test.js +0 -306
package/dist/tools/__tests__/claude-sessions.test.js.map +0 -1
package/dist/tools/claude-hooks.d.ts.map +0 -1
package/dist/tools/claude-hooks.js.map +0 -1
package/dist/tools/claude-process.d.ts.map +0 -1
package/dist/tools/claude-process.js.map +0 -1
package/dist/tools/claude-sessions.d.ts.map +0 -1
package/dist/tools/claude-sessions.js.map +0 -1
package/dist/tools/detector.d.ts.map +0 -1
package/dist/tools/detector.js.map +0 -1
package/dist/tools/index.d.ts.map +0 -1
package/dist/tools/index.js.map +0 -1
package/dist/tools/permission-hook.d.ts.map +0 -1
package/dist/tools/permission-hook.js.map +0 -1
package/dist/tools/permission-ipc.d.ts.map +0 -1
package/dist/tools/permission-ipc.js.map +0 -1
package/dist/transcript-streamer.d.ts.map +0 -1
package/dist/transcript-streamer.js.map +0 -1
package/dist/websocket.d.ts.map +0 -1
package/dist/websocket.js.map +0 -1
package/jest.config.js +0 -18

package/dist/crypto/e2eeManager.js CHANGED Viewed

@@ -4,267 +4,342 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.E2EEManager = void 0;
-const axios_1 = __importDefault(require("axios"));
+/**
+ * E2EE Manager for CLI
+ * Orchestrates key generation, storage, exchange, and message encryption/decryption.
+ * Uses NaCl (tweetnacl) — compatible with mobile app's implementation.
+ *
+ * Security features:
+ * - X25519 ECDH key exchange for shared secret derivation
+ * - Ed25519 identity signatures on ephemeral keys (MITM protection)
+ * - TOFU (Trust On First Use) for peer identity verification
+ * - XSalsa20-Poly1305 authenticated encryption
+ * - Per-peer monotonic message counters (replay protection)
+ */
+const tweetnacl_1 = __importDefault(require("tweetnacl"));
+const tweetnacl_util_1 = require("tweetnacl-util");
 const keyGeneration_1 = require("./keyGeneration");
-const keyStorage_1 = require("./keyStorage");
 const keyExchange_1 = require("./keyExchange");
 const encryption_1 = require("./encryption");
+const keyStorage_1 = require("./keyStorage");
 const sessionPersistence_1 = require("./sessionPersistence");
-/**
- * E2EE Manager for CLI
- * Orchestrates all end-to-end encryption operations
- */
 class E2EEManager {
-    constructor(deviceId, apiUrl, authToken) {
+    constructor(deviceId) {
         this.keyPair = null;
+        this.signingKeyPair = null;
         this.initialized = false;
-        // Track ephemeral keys for pending key exchanges
-        this.pendingKeyExchanges = new Map(); // deviceId -> ephemeralPrivateKey
-        // Track message counters for replay protection
-        this.outgoingCounters = new Map(); // deviceId -> counter
-        this.incomingCounters = new Map(); // deviceId -> last seen counter
+        // In-memory active sessions (parallel to keyStorage for fast access)
+        this.sessions = new Map();
+        this.pendingExchanges = new Map();
         this.deviceId = deviceId;
-        this.apiUrl = apiUrl;
-        this.authToken = authToken;
-        this.axiosInstance = axios_1.default.create({
-            headers: {
-                Authorization: `Bearer ${authToken}`,
-            },
-        });
     }
     /**
-     * Initializes E2EE manager
-     * - Loads or generates key pair
-     * - Uploads public key to backend
+     * Initializes E2EE manager: loads or generates identity key pairs (DH + signing).
      */
     async initialize() {
-        // Try to load existing key pair
+        // Load or generate X25519 DH key pair
         const existingPrivateKey = await (0, keyStorage_1.getPrivateKey)(this.deviceId);
         if (existingPrivateKey) {
-            // Derive public key from existing private key
-            const publicKey = this.derivePublicKeyFromPrivateKey(existingPrivateKey);
+            const secretKey = (0, tweetnacl_util_1.decodeBase64)(existingPrivateKey);
+            const kp = tweetnacl_1.default.box.keyPair.fromSecretKey(secretKey);
             this.keyPair = {
-                publicKey,
+                publicKey: (0, tweetnacl_util_1.encodeBase64)(kp.publicKey),
                 privateKey: existingPrivateKey,
             };
         }
         else {
-            // Generate new key pair
             this.keyPair = (0, keyGeneration_1.generateKeyPair)();
             await (0, keyStorage_1.storePrivateKey)(this.deviceId, this.keyPair.privateKey);
         }
-        // Upload public key to backend
-        await this.uploadPublicKey();
+        // Load or generate Ed25519 signing key pair
+        const existingSigningKP = await (0, keyStorage_1.getSigningKeyPair)(this.deviceId);
+        if (existingSigningKP) {
+            this.signingKeyPair = existingSigningKP;
+        }
+        else {
+            const signKP = tweetnacl_1.default.sign.keyPair();
+            this.signingKeyPair = {
+                publicKey: (0, tweetnacl_util_1.encodeBase64)(signKP.publicKey),
+                secretKey: (0, tweetnacl_util_1.encodeBase64)(signKP.secretKey),
+            };
+            await (0, keyStorage_1.storeSigningKeyPair)(this.deviceId, this.signingKeyPair);
+        }
+        // Load trusted peer keys from disk
+        (0, keyStorage_1.loadTrustedPeerKeys)();
+        // Initialize session persistence encryption (derives key from identity private key)
+        (0, sessionPersistence_1.initSessionPersistence)(this.keyPair.privateKey);
         this.initialized = true;
     }
+    /** Get the public key (for uploading to server) */
+    getPublicKey() {
+        return this.keyPair?.publicKey ?? null;
+    }
+    /** Get the signing public key */
+    getSigningPublicKey() {
+        return this.signingKeyPair?.publicKey ?? null;
+    }
+    /** Check if manager is initialized */
+    isInitialized() {
+        return this.initialized;
+    }
     /**
-     * Derives X25519 public key from private key
+     * Sign a key exchange payload with our Ed25519 identity key.
+     * The signed message is: "prefix:senderDeviceId:ephemeralPublicKey[:recipientDeviceId]"
      */
-    derivePublicKeyFromPrivateKey(privateKey) {
-        const crypto = require('crypto');
-        const privateKeyBytes = Buffer.from(privateKey, 'base64');
-        // Create private key object
-        const privateKeyObject = crypto.createPrivateKey({
-            key: Buffer.concat([
-                Buffer.from([
-                    0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
-                    0x6e, 0x04, 0x22, 0x04, 0x20,
-                ]),
-                privateKeyBytes,
-            ]),
-            format: 'der',
-            type: 'pkcs8',
-        });
-        // Derive public key
-        const publicKeyObject = crypto.createPublicKey(privateKeyObject);
-        const publicKeyDER = publicKeyObject.export({
-            type: 'spki',
-            format: 'der',
-        });
-        // Extract raw 32-byte public key
-        const rawPublicKey = publicKeyDER.slice(-32);
-        return rawPublicKey.toString('base64');
+    signPayload(prefix, ephemeralPublicKey, recipientDeviceId) {
+        if (!this.signingKeyPair)
+            return undefined;
+        const parts = [prefix, this.deviceId, ephemeralPublicKey];
+        if (recipientDeviceId)
+            parts.push(recipientDeviceId);
+        const message = (0, tweetnacl_util_1.decodeUTF8)(parts.join(':'));
+        const secretKey = (0, tweetnacl_util_1.decodeBase64)(this.signingKeyPair.secretKey);
+        const signature = tweetnacl_1.default.sign.detached(message, secretKey);
+        return (0, tweetnacl_util_1.encodeBase64)(signature);
     }
     /**
-     * Uploads public key to backend
+     * Verify a peer's signature on a key exchange payload.
+     * Returns true if signature is valid OR if peer has no identity key (unsigned exchange accepted with warning).
+     * Throws if the peer's identity key doesn't match TOFU record (potential MITM).
      */
-    async uploadPublicKey() {
-        if (!this.keyPair) {
-            throw new Error('Key pair not initialized');
+    verifyPeerSignature(peerId, identityPublicKey, signature, ephemeralPublicKey, prefix, recipientDeviceId) {
+        if (!identityPublicKey || !signature) {
+            throw new Error(`E2EE: Peer ${peerId} sent UNSIGNED key exchange. ` +
+                `Identity verification is required. Update the peer to the latest version.`);
+        }
+        // TOFU: check if we already trust a different key for this peer
+        const trusted = (0, keyStorage_1.getTrustedPeerKey)(peerId);
+        if (trusted && trusted !== identityPublicKey) {
+            throw new Error(`E2EE: IDENTITY KEY MISMATCH for device ${peerId}! ` +
+                `Expected ${trusted.substring(0, 8)}... but got ${identityPublicKey.substring(0, 8)}... ` +
+                `This could indicate a man-in-the-middle attack. Key exchange rejected.`);
+        }
+        // Verify the Ed25519 signature
+        const parts = [prefix, peerId, ephemeralPublicKey];
+        if (recipientDeviceId)
+            parts.push(recipientDeviceId);
+        const msgString = parts.join(':');
+        const message = (0, tweetnacl_util_1.decodeUTF8)(msgString);
+        const sigBytes = (0, tweetnacl_util_1.decodeBase64)(signature);
+        const pubKeyBytes = (0, tweetnacl_util_1.decodeBase64)(identityPublicKey);
+        const valid = tweetnacl_1.default.sign.detached.verify(message, sigBytes, pubKeyBytes);
+        if (!valid) {
+            throw new Error(`E2EE: INVALID SIGNATURE from device ${peerId}! ` +
+                `The ephemeral key was not properly signed. Key exchange rejected.`);
+        }
+        // TOFU: trust this key if it's new
+        if (!trusted) {
+            (0, keyStorage_1.trustPeerKey)(peerId, identityPublicKey);
         }
-        await this.axiosInstance.put(`${this.apiUrl}/devices/${this.deviceId}/public-key`, { publicKey: this.keyPair.publicKey });
     }
     /**
-     * Initiates key exchange with target device
-     * Returns payload to send via WebSocket
+     * Create a key exchange initiation to send to a remote device.
+     * Generates an ephemeral key pair and signs it with our identity key.
+     */
+    /**
+     * Evict expired or excess pending key exchanges.
      */
-    async initiateKeyExchange(targetDeviceId) {
-        if (!this.keyPair) {
-            throw new Error('E2EE Manager not initialized');
+    cleanupPendingExchanges() {
+        const now = Date.now();
+        for (const [deviceId, entry] of this.pendingExchanges) {
+            if (now - entry.createdAt > E2EEManager.PENDING_EXCHANGE_TTL_MS) {
+                this.pendingExchanges.delete(deviceId);
+                // Evicted expired pending exchange
+            }
+        }
+        while (this.pendingExchanges.size >= E2EEManager.MAX_PENDING_EXCHANGES) {
+            const oldestKey = this.pendingExchanges.keys().next().value;
+            if (oldestKey) {
+                this.pendingExchanges.delete(oldestKey);
+                // MAX_PENDING_EXCHANGES reached, evicted oldest
+            }
+            else
+                break;
         }
-        // Generate ephemeral key pair for this exchange
-        const ephemeralKeyPair = (0, keyGeneration_1.generateKeyPair)();
-        // Store ephemeral private key for when we receive ack
-        this.pendingKeyExchanges.set(targetDeviceId, ephemeralKeyPair.privateKey);
-        // Fetch target device's public key
-        const response = await this.axiosInstance.get(`${this.apiUrl}/devices/${targetDeviceId}/public-key`);
-        const targetPublicKey = response.data.publicKey;
-        // Compute session key using our ephemeral private key and their public key
-        const sessionKey = (0, keyExchange_1.performKeyExchange)(ephemeralKeyPair.privateKey, targetPublicKey);
-        // Store session key (in memory and on disk for reconnection resilience)
-        const sessionId = `session-${this.deviceId}-${targetDeviceId}-${Date.now()}`;
-        const sessionKeys = { encryptionKey: sessionKey, sessionId };
-        (0, keyStorage_1.storeSessionKey)(targetDeviceId, sessionKey, sessionId);
-        (0, sessionPersistence_1.persistSessionKey)(this.deviceId, targetDeviceId, sessionKeys); // Persist to disk
-        // Initialize counters
-        this.outgoingCounters.set(targetDeviceId, 0);
-        this.incomingCounters.set(targetDeviceId, -1); // Start at -1 so first message (counter: 0) is accepted
+    }
+    createKeyExchangeInit(targetDeviceId) {
+        this.cleanupPendingExchanges();
+        const ephemeral = (0, keyGeneration_1.generateKeyPair)();
+        this.pendingExchanges.set(targetDeviceId, { keyPair: ephemeral, createdAt: Date.now() });
+        const signature = this.signPayload('KEY_EXCHANGE_INIT', ephemeral.publicKey);
         return {
             senderDeviceId: this.deviceId,
-            ephemeralPublicKey: ephemeralKeyPair.publicKey,
+            ephemeralPublicKey: ephemeral.publicKey,
+            identityPublicKey: this.signingKeyPair?.publicKey,
+            signature,
         };
     }
     /**
-     * Handles incoming key exchange init from sender
-     * Returns ack payload to send back via WebSocket
+     * Handle an incoming key exchange init from a remote device.
+     * Verifies the peer's identity signature (TOFU), computes shared key,
+     * and returns a signed ack.
      */
-    async handleKeyExchangeInit(senderDeviceId, senderEphemeralPublicKey) {
-        if (!this.keyPair) {
-            throw new Error('E2EE Manager not initialized');
-        }
-        // Generate our ephemeral key pair
-        const ephemeralKeyPair = (0, keyGeneration_1.generateKeyPair)();
-        // Compute session key using our ephemeral private key and their ephemeral public key
-        const sessionKey = (0, keyExchange_1.performKeyExchange)(ephemeralKeyPair.privateKey, senderEphemeralPublicKey);
-        // Store session key (in memory and on disk for reconnection resilience)
-        const sessionId = `session-${senderDeviceId}-${this.deviceId}-${Date.now()}`;
-        const sessionKeys = { encryptionKey: sessionKey, sessionId };
-        (0, keyStorage_1.storeSessionKey)(senderDeviceId, sessionKey, sessionId);
-        (0, sessionPersistence_1.persistSessionKey)(this.deviceId, senderDeviceId, sessionKeys); // Persist to disk
-        // Initialize counters
-        this.outgoingCounters.set(senderDeviceId, 0);
-        this.incomingCounters.set(senderDeviceId, -1); // Start at -1 so first message (counter: 0) is accepted
+    handleKeyExchangeInit(init) {
+        // Verify peer's signature (TOFU)
+        this.verifyPeerSignature(init.senderDeviceId, init.identityPublicKey, init.signature, init.ephemeralPublicKey, 'KEY_EXCHANGE_INIT');
+        const ephemeral = (0, keyGeneration_1.generateKeyPair)();
+        const sharedKey = (0, keyExchange_1.computeSharedKey)(ephemeral.privateKey, init.ephemeralPublicKey);
+        // Store session
+        const sessionId = `session-${init.senderDeviceId}-${this.deviceId}-${Date.now()}`;
+        this.sessions.set(init.senderDeviceId, {
+            sharedKey,
+            outgoingCounter: 0,
+            lastReceivedCounter: -1,
+        });
+        (0, keyStorage_1.storeSessionKey)(init.senderDeviceId, sharedKey, sessionId);
+        // Persist to disk for reconnection resilience
+        const sessionKeys = {
+            sharedKey,
+            sessionId,
+            deviceId: init.senderDeviceId,
+            messageCounter: 0,
+            lastReceivedCounter: -1,
+        };
+        (0, sessionPersistence_1.persistSessionKey)(this.deviceId, init.senderDeviceId, sessionKeys);
+        // E2EE session established
+        // Sign our ack
+        const signature = this.signPayload('KEY_EXCHANGE_ACK', ephemeral.publicKey, init.senderDeviceId);
         return {
-            recipientDeviceId: this.deviceId,
-            ephemeralPublicKey: ephemeralKeyPair.publicKey,
+            senderDeviceId: this.deviceId,
+            recipientDeviceId: init.senderDeviceId,
+            ephemeralPublicKey: ephemeral.publicKey,
+            identityPublicKey: this.signingKeyPair?.publicKey,
+            signature,
         };
     }
     /**
-     * Handles incoming key exchange ack from recipient
-     * Completes the key exchange by deriving the final session key
+     * Handle an incoming key exchange ack from a remote device.
+     * Verifies the peer's identity signature (TOFU) and completes the key exchange.
      */
-    async handleKeyExchangeAck(recipientDeviceId, recipientEphemeralPublicKey) {
-        const ephemeralPrivateKey = this.pendingKeyExchanges.get(recipientDeviceId);
-        if (!ephemeralPrivateKey) {
-            throw new Error('No pending key exchange for this device. Must call initiateKeyExchange first.');
+    handleKeyExchangeAck(ack) {
+        const peerId = ack.senderDeviceId;
+        const pendingEntry = this.pendingExchanges.get(peerId);
+        if (!pendingEntry) {
+            throw new Error(`E2EE: No pending key exchange for device ${peerId}`);
         }
-        // Compute session key using our ephemeral private key and their ephemeral public key
-        const sessionKey = (0, keyExchange_1.performKeyExchange)(ephemeralPrivateKey, recipientEphemeralPublicKey);
-        // Store session key (overwrites the one from init, in memory and on disk)
-        const sessionId = `session-${this.deviceId}-${recipientDeviceId}-${Date.now()}`;
-        const sessionKeys = { encryptionKey: sessionKey, sessionId };
-        (0, keyStorage_1.storeSessionKey)(recipientDeviceId, sessionKey, sessionId);
-        (0, sessionPersistence_1.persistSessionKey)(this.deviceId, recipientDeviceId, sessionKeys); // Persist to disk
-        // Clean up pending exchange
-        this.pendingKeyExchanges.delete(recipientDeviceId);
+        const pending = pendingEntry.keyPair;
+        // Verify peer's signature (TOFU)
+        this.verifyPeerSignature(peerId, ack.identityPublicKey, ack.signature, ack.ephemeralPublicKey, 'KEY_EXCHANGE_ACK', ack.recipientDeviceId);
+        const sharedKey = (0, keyExchange_1.computeSharedKey)(pending.privateKey, ack.ephemeralPublicKey);
+        // Store session
+        const sessionId = `session-${this.deviceId}-${peerId}-${Date.now()}`;
+        this.sessions.set(peerId, {
+            sharedKey,
+            outgoingCounter: 0,
+            lastReceivedCounter: -1,
+        });
+        (0, keyStorage_1.storeSessionKey)(peerId, sharedKey, sessionId);
+        // Persist to disk
+        const sessionKeys = {
+            sharedKey,
+            sessionId,
+            deviceId: peerId,
+            messageCounter: 0,
+            lastReceivedCounter: -1,
+        };
+        (0, sessionPersistence_1.persistSessionKey)(this.deviceId, peerId, sessionKeys);
+        this.pendingExchanges.delete(peerId);
+        // E2EE session established
     }
     /**
-     * Attempts to restore a persisted session after reconnection
-     * Useful when IP changes cause WebSocket disconnection
+     * Attempts to restore a persisted session after reconnection.
      */
     async restorePersistedSession(targetDeviceId) {
-        const persistedKeys = (0, sessionPersistence_1.loadPersistedSessionKey)(this.deviceId, targetDeviceId);
-        if (!persistedKeys) {
+        const persisted = (0, sessionPersistence_1.loadPersistedSessionKey)(this.deviceId, targetDeviceId);
+        if (!persisted) {
             return false;
         }
-        // Restore session to memory
-        (0, keyStorage_1.storeSessionKey)(targetDeviceId, persistedKeys.encryptionKey, persistedKeys.sessionId);
-        // Reset counters (conservative approach - could be persisted too)
-        this.outgoingCounters.set(targetDeviceId, 0);
-        this.incomingCounters.set(targetDeviceId, -1);
-        console.log(`[E2EE] Restored persisted session for ${targetDeviceId}`);
+        this.sessions.set(targetDeviceId, {
+            sharedKey: persisted.sharedKey,
+            outgoingCounter: persisted.messageCounter,
+            lastReceivedCounter: persisted.lastReceivedCounter,
+        });
+        (0, keyStorage_1.storeSessionKey)(targetDeviceId, persisted.sharedKey, persisted.sessionId);
+        // Restored persisted E2EE session
         return true;
     }
-    /**
-     * Lists all devices with persisted sessions
-     * Useful for auto-reconnection after network changes
-     */
+    /** Lists all devices with persisted sessions */
     listPersistedDevices() {
         return (0, sessionPersistence_1.listPersistedSessions)(this.deviceId);
     }
-    /**
-     * Encrypts a message for a target device
-     */
-    encryptMessage(plaintext, targetDeviceId, sessionId) {
-        const sessionKeys = (0, keyStorage_1.getSessionKey)(targetDeviceId);
-        if (!sessionKeys) {
-            throw new Error(`No session key found for device ${targetDeviceId}. Must complete key exchange first.`);
+    /** Check if an encrypted session is established with a device */
+    hasSessionKey(deviceId) {
+        return this.sessions.has(deviceId);
+    }
+    /** Encrypt a message for a specific device */
+    encryptMessage(plaintext, recipientDeviceId, sessionId) {
+        const session = this.sessions.get(recipientDeviceId);
+        if (!session) {
+            throw new Error(`E2EE: No session established with device ${recipientDeviceId}`);
         }
-        // Encrypt message
-        const encryptedPayload = (0, encryption_1.encrypt)(plaintext, sessionKeys.encryptionKey);
-        // Get and increment counter
-        const counter = this.outgoingCounters.get(targetDeviceId) ?? 0;
-        this.outgoingCounters.set(targetDeviceId, counter + 1);
+        const payload = (0, encryption_1.encrypt)(plaintext, session.sharedKey);
+        session.outgoingCounter++;
         return {
             senderDeviceId: this.deviceId,
-            recipientDeviceId: targetDeviceId,
+            recipientDeviceId,
             sessionId,
-            payload: encryptedPayload,
-            messageCounter: counter,
+            payload,
+            messageCounter: session.outgoingCounter,
             timestamp: new Date().toISOString(),
         };
     }
-    /**
-     * Decrypts a message from a sender device
-     */
-    decryptMessage(encryptedMessage, senderDeviceId) {
-        const sessionKeys = (0, keyStorage_1.getSessionKey)(senderDeviceId);
-        if (!sessionKeys) {
-            throw new Error(`No session key found for device ${senderDeviceId}. Key exchange not completed.`);
+    /** Decrypt an incoming encrypted message */
+    decryptMessage(message, senderDeviceId) {
+        const session = this.sessions.get(senderDeviceId);
+        if (!session) {
+            throw new Error(`E2EE: No session established with device ${senderDeviceId}`);
         }
-        // Replay protection: check message counter
-        const lastCounter = this.incomingCounters.get(senderDeviceId) ?? -1;
-        if (encryptedMessage.messageCounter <= lastCounter) {
-            throw new Error(`Invalid message counter. Possible replay attack. Expected > ${lastCounter}, got ${encryptedMessage.messageCounter}`);
+        // SECURITY: Validate counter is a positive finite integer within safe bounds
+        if (typeof message.messageCounter !== 'number' ||
+            !Number.isFinite(message.messageCounter) ||
+            !Number.isInteger(message.messageCounter) ||
+            message.messageCounter < 1 ||
+            message.messageCounter > Number.MAX_SAFE_INTEGER - 1) {
+            throw new Error('E2EE: Invalid message counter value');
         }
-        // Update last seen counter
-        this.incomingCounters.set(senderDeviceId, encryptedMessage.messageCounter);
-        // Decrypt message
-        const plaintext = (0, encryption_1.decrypt)(encryptedMessage.payload, sessionKeys.encryptionKey);
+        // Replay protection
+        if (message.messageCounter <= session.lastReceivedCounter) {
+            throw new Error('E2EE: Replay attack detected - message counter too low');
+        }
+        const plaintext = (0, encryption_1.decrypt)(message.payload, session.sharedKey);
+        session.lastReceivedCounter = message.messageCounter;
         return plaintext;
     }
-    /**
-     * Checks if a session key exists for a device
-     */
-    hasSessionKey(deviceId) {
-        return (0, keyStorage_1.getSessionKey)(deviceId) !== null;
-    }
-    /**
-     * Checks if manager is initialized
-     */
-    isInitialized() {
-        return this.initialized;
+    /** Clear session for a specific device */
+    clearSession(deviceId) {
+        this.sessions.delete(deviceId);
+        this.pendingExchanges.delete(deviceId);
     }
     /**
-     * Cleans up all session keys and pending exchanges
-     * @param deletePersisted - Whether to delete persisted sessions from disk (default: false)
+     * Cleans up all session keys and pending exchanges.
+     * @param deletePersisted - Whether to delete persisted sessions from disk
      */
     cleanup(deletePersisted = false) {
         (0, keyStorage_1.clearSessionKeys)();
-        this.pendingKeyExchanges.clear();
-        this.outgoingCounters.clear();
-        this.incomingCounters.clear();
-        // Optionally delete persisted sessions
+        this.sessions.clear();
+        this.pendingExchanges.clear();
         if (deletePersisted) {
             (0, sessionPersistence_1.deleteAllPersistedSessions)(this.deviceId);
         }
     }
-    /**
-     * Removes a specific persisted session
-     */
+    /** Removes a specific persisted session */
     removePersistedSession(targetDeviceId) {
         (0, sessionPersistence_1.deletePersistedSession)(this.deviceId, targetDeviceId);
     }
+    /** Reset TOFU trust for a peer (used on re-pair so new keys are accepted) */
+    resetPeerTrust(targetDeviceId) {
+        (0, keyStorage_1.removeTrustedPeerKey)(targetDeviceId);
+        this.sessions.delete(targetDeviceId);
+        this.pendingExchanges.delete(targetDeviceId);
+        (0, sessionPersistence_1.deletePersistedSession)(this.deviceId, targetDeviceId);
+    }
+    /** Light trust reset — only clears TOFU key, preserves pending exchanges in-flight */
+    clearTrustOnly(targetDeviceId) {
+        (0, keyStorage_1.removeTrustedPeerKey)(targetDeviceId);
+    }
 }
 exports.E2EEManager = E2EEManager;
+// Ephemeral keys for pending key exchanges (with creation timestamp for TTL)
+E2EEManager.MAX_PENDING_EXCHANGES = 20;
+E2EEManager.PENDING_EXCHANGE_TTL_MS = 5 * 60 * 1000; // 5 minutes
 //# sourceMappingURL=e2eeManager.js.map

package/dist/crypto/encryption.d.ts CHANGED Viewed

@@ -1,18 +1,16 @@
 import { EncryptedPayload } from './types';
 /**
- * Encrypts plaintext using AES-256-GCM
- *
- * @param plaintext - Text to encrypt
- * @param key - 32-byte encryption key (AES-256)
- * @returns EncryptedPayload with Base64-encoded ciphertext, nonce, and authTag
+ * Encrypt a plaintext string using NaCl secretbox.
+ * @param plaintext - The message to encrypt
+ * @param key - 32-byte shared secret key
+ * @returns EncryptedPayload with Base64-encoded ciphertext and nonce
  */
 export declare function encrypt(plaintext: string, key: Uint8Array): EncryptedPayload;
 /**
- * Decrypts ciphertext using AES-256-GCM
- *
- * @param payload - EncryptedPayload with Base64-encoded ciphertext, nonce, and authTag
- * @param key - 32-byte encryption key (AES-256)
- * @returns Decrypted plaintext
+ * Decrypt an EncryptedPayload back to plaintext.
+ * @param payload - The encrypted payload (ciphertext + nonce)
+ * @param key - 32-byte shared secret key (must match encryption key)
+ * @returns Decrypted plaintext string
  * @throws Error if decryption fails (wrong key, tampered data, etc.)
  */
 export declare function decrypt(payload: EncryptedPayload, key: Uint8Array): string;