forkoff 1.0.8 → 1.0.10

package/dist/crypto/sessionPersistence.js

@@ -0,0 +1,173 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.persistSessionKey = persistSessionKey;
+exports.loadPersistedSessionKey = loadPersistedSessionKey;
+exports.deletePersistedSession = deletePersistedSession;
+exports.deleteAllPersistedSessions = deleteAllPersistedSessions;
+exports.listPersistedSessions = listPersistedSessions;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+/**
+ * Session Persistence
+ * Stores session keys to disk so they survive reconnections after IP changes
+ */
+const SESSION_STORE_DIR = path.join(os.homedir(), '.forkoff-cli', 'sessions');
+/**
+ * Ensures the session store directory exists
+ */
+function ensureSessionStoreExists() {
+    if (!fs.existsSync(SESSION_STORE_DIR)) {
+        fs.mkdirSync(SESSION_STORE_DIR, { recursive: true });
+    }
+}
+/**
+ * Gets the file path for a device's session
+ */
+function getSessionFilePath(deviceId, targetDeviceId) {
+    return path.join(SESSION_STORE_DIR, `${deviceId}-${targetDeviceId}.json`);
+}
+/**
+ * Persists a session key to disk
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ * @param sessionKeys - Session encryption keys
+ */
+function persistSessionKey(deviceId, targetDeviceId, sessionKeys) {
+    try {
+        ensureSessionStoreExists();
+        const data = {
+            encryptionKey: Array.from(sessionKeys.encryptionKey), // Convert Uint8Array to Array for JSON
+            sessionId: sessionKeys.sessionId,
+            timestamp: new Date().toISOString(),
+        };
+        const filePath = getSessionFilePath(deviceId, targetDeviceId);
+        fs.writeFileSync(filePath, JSON.stringify(data, null, 2), 'utf8');
+    }
+    catch (error) {
+        console.error('Failed to persist session key:', error);
+    }
+}
+/**
+ * Loads a persisted session key from disk
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ * @returns SessionKeys or null if not found
+ */
+function loadPersistedSessionKey(deviceId, targetDeviceId) {
+    try {
+        const filePath = getSessionFilePath(deviceId, targetDeviceId);
+        if (!fs.existsSync(filePath)) {
+            return null;
+        }
+        const data = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+        // Check if session is expired (older than 24 hours)
+        const timestamp = new Date(data.timestamp);
+        const now = new Date();
+        const hoursSinceCreation = (now.getTime() - timestamp.getTime()) / (1000 * 60 * 60);
+        if (hoursSinceCreation > 24) {
+            // Session expired, delete it
+            fs.unlinkSync(filePath);
+            return null;
+        }
+        return {
+            encryptionKey: new Uint8Array(data.encryptionKey),
+            sessionId: data.sessionId,
+        };
+    }
+    catch (error) {
+        console.error('Failed to load persisted session key:', error);
+        return null;
+    }
+}
+/**
+ * Deletes a persisted session
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ */
+function deletePersistedSession(deviceId, targetDeviceId) {
+    try {
+        const filePath = getSessionFilePath(deviceId, targetDeviceId);
+        if (fs.existsSync(filePath)) {
+            fs.unlinkSync(filePath);
+        }
+    }
+    catch (error) {
+        console.error('Failed to delete persisted session:', error);
+    }
+}
+/**
+ * Deletes all persisted sessions for a device
+ * @param deviceId - Current device ID
+ */
+function deleteAllPersistedSessions(deviceId) {
+    try {
+        if (!fs.existsSync(SESSION_STORE_DIR)) {
+            return;
+        }
+        const files = fs.readdirSync(SESSION_STORE_DIR);
+        for (const file of files) {
+            if (file.startsWith(`${deviceId}-`)) {
+                fs.unlinkSync(path.join(SESSION_STORE_DIR, file));
+            }
+        }
+    }
+    catch (error) {
+        console.error('Failed to delete all persisted sessions:', error);
+    }
+}
+/**
+ * Lists all persisted sessions for a device
+ * @param deviceId - Current device ID
+ * @returns Array of target device IDs with active sessions
+ */
+function listPersistedSessions(deviceId) {
+    try {
+        if (!fs.existsSync(SESSION_STORE_DIR)) {
+            return [];
+        }
+        const files = fs.readdirSync(SESSION_STORE_DIR);
+        const prefix = `${deviceId}-`;
+        return files
+            .filter((file) => file.startsWith(prefix) && file.endsWith('.json'))
+            .map((file) => file.substring(prefix.length, file.length - 5)); // Remove prefix and .json
+    }
+    catch (error) {
+        console.error('Failed to list persisted sessions:', error);
+        return [];
+    }
+}
+//# sourceMappingURL=sessionPersistence.js.map

package/dist/crypto/sessionPersistence.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionPersistence.js","sourceRoot":"","sources":["../../src/crypto/sessionPersistence.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,8CAmBC;AAQD,0DAgCC;AAOD,wDAaC;AAMD,gEAgBC;AAOD,sDAgBC;AA9JD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAGzB;;;GAGG;AAEH,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,UAAU,CAAC,CAAC;AAE9E;;GAEG;AACH,SAAS,wBAAwB;IAC/B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACtC,EAAE,CAAC,SAAS,CAAC,iBAAiB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAAgB,EAAE,cAAsB;IAClE,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,QAAQ,IAAI,cAAc,OAAO,CAAC,CAAC;AAC5E,CAAC;AAED;;;;;GAKG;AACH,SAAgB,iBAAiB,CAC/B,QAAgB,EAChB,cAAsB,EACtB,WAAwB;IAExB,IAAI,CAAC;QACH,wBAAwB,EAAE,CAAC;QAE3B,MAAM,IAAI,GAAG;YACX,aAAa,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE,uCAAuC;YAC7F,SAAS,EAAE,WAAW,CAAC,SAAS;YAChC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QAEF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAC9D,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uBAAuB,CACrC,QAAgB,EAChB,cAAsB;IAEtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAE9D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QAE3D,oDAAoD;QACpD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,kBAAkB,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QAEpF,IAAI,kBAAkB,GAAG,EAAE,EAAE,CAAC;YAC5B,6BAA6B;YAC7B,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO;YACL,aAAa,EAAE,IAAI,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC;YACjD,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,uCAAuC,EAAE,KAAK,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,sBAAsB,CACpC,QAAgB,EAChB,cAAsB;IAEtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAE9D,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CAAC,QAAgB;IACzD,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACtC,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAEhD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;gBACpC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;IACnE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,qBAAqB,CAAC,QAAgB;IACpD,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,GAAG,QAAQ,GAAG,CAAC;QAE9B,OAAO,KAAK;aACT,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;aACnE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B;IAC9F,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/crypto/types.d.ts

@@ -0,0 +1,35 @@
+/**
+ * E2EE Type Definitions for ForkOff CLI
+ *
+ * X25519 key exchange + AES-256-GCM encryption
+ */
+export interface E2EEKeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+export interface EncryptedPayload {
+    ciphertext: string;
+    nonce: string;
+    authTag: string;
+}
+export interface EncryptedMessage {
+    senderDeviceId: string;
+    recipientDeviceId: string;
+    sessionId: string;
+    payload: EncryptedPayload;
+    messageCounter: number;
+    timestamp: string;
+}
+export interface SessionKeys {
+    encryptionKey: Uint8Array;
+    sessionId: string;
+}
+export interface KeyExchangeInit {
+    senderDeviceId: string;
+    ephemeralPublicKey: string;
+}
+export interface KeyExchangeAck {
+    recipientDeviceId: string;
+    ephemeralPublicKey: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/crypto/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/crypto/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,gBAAgB,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,EAAE,UAAU,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,cAAc;IAC7B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;CAC5B"}

package/dist/crypto/types.js

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * E2EE Type Definitions for ForkOff CLI
+ *
+ * X25519 key exchange + AES-256-GCM encryption
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/crypto/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/crypto/types.ts"],"names":[],"mappings":";AAAA;;;;GAIG"}

package/dist/crypto/websocketE2EE.d.ts

@@ -0,0 +1,47 @@
+import { WebSocketClient } from '../websocket';
+/**
+ * WebSocket E2EE Integration
+ * Adds end-to-end encryption capabilities to WebSocket client
+ */
+export declare class WebSocketE2EEIntegration {
+    private wsClient;
+    private e2eeManager;
+    private enabled;
+    constructor(wsClient: WebSocketClient);
+    /**
+     * Initializes E2EE and sets up event handlers
+     */
+    initialize(deviceId: string, apiUrl: string, authToken: string): Promise<void>;
+    /**
+     * Sets up WebSocket event handlers for E2EE
+     */
+    private setupEventHandlers;
+    /**
+     * Initiates key exchange with a target device
+     */
+    initiateKeyExchange(targetDeviceId: string): Promise<void>;
+    /**
+     * Encrypts and sends a message to a target device
+     */
+    sendEncryptedMessage(plaintext: string, targetDeviceId: string, sessionId: string): void;
+    /**
+     * Checks if E2EE session exists for a device
+     */
+    hasSession(deviceId: string): boolean;
+    /**
+     * Checks if E2EE is enabled
+     */
+    isEnabled(): boolean;
+    /**
+     * Cleans up E2EE sessions
+     */
+    cleanup(): void;
+    private emitKeyExchangeInit;
+    private emitKeyExchangeAck;
+    private emitEncryptedMessage;
+}
+/**
+ * Factory function to create E2EE-enabled WebSocket client
+ */
+export declare function createE2EEWebSocketClient(wsClient: WebSocketClient, deviceId: string, apiUrl: string, authToken: string): Promise<WebSocketE2EEIntegration>;
+//# sourceMappingURL=websocketE2EE.d.ts.map

package/dist/crypto/websocketE2EE.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"websocketE2EE.d.ts","sourceRoot":"","sources":["../../src/crypto/websocketE2EE.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAI/C;;;GAGG;AACH,qBAAa,wBAAwB;IACnC,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,WAAW,CAA4B;IAC/C,OAAO,CAAC,OAAO,CAAS;gBAEZ,QAAQ,EAAE,eAAe;IAIrC;;OAEG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOpF;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA6D1B;;OAEG;IACG,mBAAmB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWhE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,EACtB,SAAS,EAAE,MAAM,GAChB,IAAI;IAqBP;;OAEG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAIrC;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,OAAO,IAAI,IAAI;IAMf,OAAO,CAAC,mBAAmB;IAQ3B,OAAO,CAAC,kBAAkB;IAQ1B,OAAO,CAAC,oBAAoB;CAG7B;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,eAAe,EACzB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,wBAAwB,CAAC,CAGnC"}

package/dist/crypto/websocketE2EE.js

@@ -0,0 +1,144 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebSocketE2EEIntegration = void 0;
+exports.createE2EEWebSocketClient = createE2EEWebSocketClient;
+const e2eeManager_1 = require("./e2eeManager");
+/**
+ * WebSocket E2EE Integration
+ * Adds end-to-end encryption capabilities to WebSocket client
+ */
+class WebSocketE2EEIntegration {
+    constructor(wsClient) {
+        this.e2eeManager = null;
+        this.enabled = false;
+        this.wsClient = wsClient;
+    }
+    /**
+     * Initializes E2EE and sets up event handlers
+     */
+    async initialize(deviceId, apiUrl, authToken) {
+        this.e2eeManager = new e2eeManager_1.E2EEManager(deviceId, apiUrl, authToken);
+        await this.e2eeManager.initialize();
+        this.setupEventHandlers();
+        this.enabled = true;
+    }
+    /**
+     * Sets up WebSocket event handlers for E2EE
+     */
+    setupEventHandlers() {
+        if (!this.e2eeManager)
+            return;
+        // Handle incoming key exchange init
+        this.wsClient.on('encrypted_key_exchange_init', async (data) => {
+            if (!this.e2eeManager)
+                return;
+            try {
+                // Handle key exchange and send ack
+                const ackPayload = await this.e2eeManager.handleKeyExchangeInit(data.senderDeviceId, data.ephemeralPublicKey);
+                // Emit ack back to sender
+                this.emitKeyExchangeAck(data.senderDeviceId, ackPayload.ephemeralPublicKey);
+            }
+            catch (error) {
+                console.error('[E2EE] Failed to handle key exchange init:', error);
+            }
+        });
+        // Handle incoming key exchange ack
+        this.wsClient.on('encrypted_key_exchange_ack', async (data) => {
+            if (!this.e2eeManager)
+                return;
+            try {
+                await this.e2eeManager.handleKeyExchangeAck(data.senderDeviceId, data.ephemeralPublicKey);
+                console.log(`[E2EE] Key exchange completed with ${data.senderDeviceId}`);
+            }
+            catch (error) {
+                console.error('[E2EE] Failed to handle key exchange ack:', error);
+            }
+        });
+        // Handle incoming encrypted messages
+        this.wsClient.on('encrypted_message', (data) => {
+            if (!this.e2eeManager)
+                return;
+            try {
+                const plaintext = this.e2eeManager.decryptMessage(data, data.senderDeviceId);
+                // Emit decrypted message as a regular user_message event
+                this.wsClient.emit('decrypted_message', {
+                    ...data,
+                    decryptedContent: plaintext,
+                });
+            }
+            catch (error) {
+                console.error('[E2EE] Failed to decrypt message:', error);
+            }
+        });
+    }
+    /**
+     * Initiates key exchange with a target device
+     */
+    async initiateKeyExchange(targetDeviceId) {
+        if (!this.e2eeManager) {
+            throw new Error('E2EE not initialized');
+        }
+        const initPayload = await this.e2eeManager.initiateKeyExchange(targetDeviceId);
+        // Emit key exchange init via WebSocket
+        this.emitKeyExchangeInit(targetDeviceId, initPayload.ephemeralPublicKey);
+    }
+    /**
+     * Encrypts and sends a message to a target device
+     */
+    sendEncryptedMessage(plaintext, targetDeviceId, sessionId) {
+        if (!this.e2eeManager) {
+            throw new Error('E2EE not initialized');
+        }
+        if (!this.e2eeManager.hasSessionKey(targetDeviceId)) {
+            throw new Error(`No E2EE session with ${targetDeviceId}. Must complete key exchange first.`);
+        }
+        const encryptedMessage = this.e2eeManager.encryptMessage(plaintext, targetDeviceId, sessionId);
+        // Emit encrypted message via WebSocket
+        this.emitEncryptedMessage(encryptedMessage);
+    }
+    /**
+     * Checks if E2EE session exists for a device
+     */
+    hasSession(deviceId) {
+        return this.e2eeManager?.hasSessionKey(deviceId) ?? false;
+    }
+    /**
+     * Checks if E2EE is enabled
+     */
+    isEnabled() {
+        return this.enabled && this.e2eeManager !== null;
+    }
+    /**
+     * Cleans up E2EE sessions
+     */
+    cleanup() {
+        this.e2eeManager?.cleanup();
+    }
+    // Private WebSocket emit methods
+    emitKeyExchangeInit(recipientDeviceId, ephemeralPublicKey) {
+        this.wsClient.emitKeyExchangeInit({
+            recipientDeviceId,
+            senderDeviceId: this.e2eeManager?.['deviceId'] || '',
+            ephemeralPublicKey,
+        });
+    }
+    emitKeyExchangeAck(recipientDeviceId, ephemeralPublicKey) {
+        this.wsClient.emitKeyExchangeAck({
+            recipientDeviceId,
+            senderDeviceId: this.e2eeManager?.['deviceId'] || '',
+            ephemeralPublicKey,
+        });
+    }
+    emitEncryptedMessage(message) {
+        this.wsClient.emitEncryptedMessage(message);
+    }
+}
+exports.WebSocketE2EEIntegration = WebSocketE2EEIntegration;
+/**
+ * Factory function to create E2EE-enabled WebSocket client
+ */
+function createE2EEWebSocketClient(wsClient, deviceId, apiUrl, authToken) {
+    const integration = new WebSocketE2EEIntegration(wsClient);
+    return integration.initialize(deviceId, apiUrl, authToken).then(() => integration);
+}
+//# sourceMappingURL=websocketE2EE.js.map

package/dist/crypto/websocketE2EE.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"websocketE2EE.js","sourceRoot":"","sources":["../../src/crypto/websocketE2EE.ts"],"names":[],"mappings":";;;AAoLA,8DAQC;AA3LD,+CAA4C;AAG5C;;;GAGG;AACH,MAAa,wBAAwB;IAKnC,YAAY,QAAyB;QAH7B,gBAAW,GAAuB,IAAI,CAAC;QACvC,YAAO,GAAG,KAAK,CAAC;QAGtB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CAAC,QAAgB,EAAE,MAAc,EAAE,SAAiB;QAClE,IAAI,CAAC,WAAW,GAAG,IAAI,yBAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QAChE,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;QACpC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;IACtB,CAAC;IAED;;OAEG;IACK,kBAAkB;QACxB,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAE9B,oCAAoC;QACpC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,6BAA6B,EAAE,KAAK,EAAE,IAGtD,EAAE,EAAE;YACH,IAAI,CAAC,IAAI,CAAC,WAAW;gBAAE,OAAO;YAE9B,IAAI,CAAC;gBACH,mCAAmC;gBACnC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,qBAAqB,CAC7D,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,kBAAkB,CACxB,CAAC;gBAEF,0BAA0B;gBAC1B,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,cAAc,EAAE,UAAU,CAAC,kBAAkB,CAAC,CAAC;YAC9E,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,4CAA4C,EAAE,KAAK,CAAC,CAAC;YACrE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,mCAAmC;QACnC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,4BAA4B,EAAE,KAAK,EAAE,IAGrD,EAAE,EAAE;YACH,IAAI,CAAC,IAAI,CAAC,WAAW;gBAAE,OAAO;YAE9B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,WAAW,CAAC,oBAAoB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,kBAAkB,CACxB,CAAC;gBAEF,OAAO,CAAC,GAAG,CAAC,sCAAsC,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;YAC3E,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,KAAK,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,qCAAqC;QACrC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,mBAAmB,EAAE,CAAC,IAAsB,EAAE,EAAE;YAC/D,IAAI,CAAC,IAAI,CAAC,WAAW;gBAAE,OAAO;YAE9B,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;gBAE7E,yDAAyD;gBACzD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,EAAE;oBACtC,GAAG,IAAI;oBACP,gBAAgB,EAAE,SAAS;iBAC5B,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,mBAAmB,CAAC,cAAsB;QAC9C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,cAAc,CAAC,CAAC;QAE/E,uCAAuC;QACvC,IAAI,CAAC,mBAAmB,CAAC,cAAc,EAAE,WAAW,CAAC,kBAAkB,CAAC,CAAC;IAC3E,CAAC;IAED;;OAEG;IACH,oBAAoB,CAClB,SAAiB,EACjB,cAAsB,EACtB,SAAiB;QAEjB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CACb,wBAAwB,cAAc,qCAAqC,CAC5E,CAAC;QACJ,CAAC;QAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,WAAW,CAAC,cAAc,CACtD,SAAS,EACT,cAAc,EACd,SAAS,CACV,CAAC;QAEF,uCAAuC;QACvC,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,QAAgB;QACzB,OAAO,IAAI,CAAC,WAAW,EAAE,aAAa,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC;IAC5D,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,WAAW,KAAK,IAAI,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC;IAC9B,CAAC;IAED,iCAAiC;IAEzB,mBAAmB,CAAC,iBAAyB,EAAE,kBAA0B;QAC/E,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YAChC,iBAAiB;YACjB,cAAc,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE;YACpD,kBAAkB;SACnB,CAAC,CAAC;IACL,CAAC;IAEO,kBAAkB,CAAC,iBAAyB,EAAE,kBAA0B;QAC9E,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YAC/B,iBAAiB;YACjB,cAAc,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE;YACpD,kBAAkB;SACnB,CAAC,CAAC;IACL,CAAC;IAEO,oBAAoB,CAAC,OAAyB;QACpD,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;CACF;AAvKD,4DAuKC;AAED;;GAEG;AACH,SAAgB,yBAAyB,CACvC,QAAyB,EACzB,QAAgB,EAChB,MAAc,EACd,SAAiB;IAEjB,MAAM,WAAW,GAAG,IAAI,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IAC3D,OAAO,WAAW,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;AACrF,CAAC"}

package/dist/index.js

@@ -542,9 +542,14 @@ async function startConnection() {
         websocket_1.wsClient.on('claude_start_session', async (data) => {
             console.log(chalk_1.default.cyan(`[Claude] Start session request: ${data.directory}`));
             try {
-                const result = await tools_1.claudeProcessManager.startSession(data.directory, data.terminalSessionId);
+                const result = await tools_1.claudeProcessManager.startSession(data.directory, data.terminalSessionId, data.dangerouslySkipPermissions);
                 websocket_1.wsClient.sendToolStatusUpdate('claude_code', 'active');
                 websocket_1.wsClient.sendTerminalCwd({ terminalSessionId: data.terminalSessionId, cwd: result.cwd });
+                // Notify mobile that the session is ready for input
+                websocket_1.wsClient.sendClaudeSessionEvent({
+                    sessionKey: data.terminalSessionId,
+                    event: { type: 'ready' },
+                });
                 console.log(chalk_1.default.green(`[Claude] Session started: ${data.terminalSessionId}`));
             }
             catch (error) {
@@ -570,7 +575,7 @@ async function startConnection() {
             }
             resolvedDir = path.resolve(resolvedDir);
             // Register session info for later use when message is sent (don't spawn yet)
-            tools_1.claudeProcessManager.registerSession(data.sessionKey, resolvedDir, data.terminalSessionId);
+            tools_1.claudeProcessManager.registerSession(data.sessionKey, resolvedDir, data.terminalSessionId, data.dangerouslySkipPermissions);
             websocket_1.wsClient.sendToolStatusUpdate('claude_code', 'active');
             websocket_1.wsClient.sendClaudeSessionUpdate({
                 sessionKey: data.sessionKey,
@@ -618,6 +623,79 @@ async function startConnection() {
                 websocket_1.wsClient.sendDirectoryListResponse({ requestId: data.requestId, entries: [], currentPath: data.path });
             }
         });
+        // Handle read file requests from mobile (e.g., CLAUDE.md)
+        websocket_1.wsClient.on('read_file', async (data) => {
+            console.log(chalk_1.default.dim(`[File] Read request: ${data.filePath}`));
+            try {
+                // SECURITY: Whitelist of allowed filenames
+                const allowedFiles = ['CLAUDE.md', 'README.md', 'package.json'];
+                const fileName = path.basename(data.filePath);
+                if (!allowedFiles.includes(fileName)) {
+                    console.warn(chalk_1.default.yellow(`[File] Access denied - file not in whitelist: ${fileName}`));
+                    websocket_1.wsClient.sendReadFileResponse({
+                        requestId: data.requestId,
+                        exists: false,
+                        fileName,
+                        error: 'File not allowed',
+                    });
+                    return;
+                }
+                // Resolve path
+                let resolvedPath = data.filePath;
+                if (resolvedPath === '~' || resolvedPath.startsWith('~/')) {
+                    resolvedPath = resolvedPath === '~' ? os.homedir() : resolvedPath.replace('~', os.homedir());
+                }
+                resolvedPath = path.resolve(resolvedPath);
+                // SECURITY: Only allow access under home directory
+                const homeDir = os.homedir();
+                if (!resolvedPath.startsWith(homeDir)) {
+                    console.warn(chalk_1.default.yellow(`[File] Access denied - path outside home directory: ${resolvedPath}`));
+                    websocket_1.wsClient.sendReadFileResponse({
+                        requestId: data.requestId,
+                        exists: false,
+                        fileName,
+                        error: 'Path outside home directory',
+                    });
+                    return;
+                }
+                // Check if file exists
+                if (!fs.existsSync(resolvedPath)) {
+                    websocket_1.wsClient.sendReadFileResponse({
+                        requestId: data.requestId,
+                        exists: false,
+                        fileName,
+                    });
+                    return;
+                }
+                // SECURITY: Check file size (max 100KB)
+                const stats = fs.statSync(resolvedPath);
+                if (stats.size > 100 * 1024) {
+                    websocket_1.wsClient.sendReadFileResponse({
+                        requestId: data.requestId,
+                        exists: true,
+                        fileName,
+                        error: 'File too large (max 100KB)',
+                    });
+                    return;
+                }
+                const content = fs.readFileSync(resolvedPath, 'utf-8');
+                websocket_1.wsClient.sendReadFileResponse({
+                    requestId: data.requestId,
+                    content,
+                    exists: true,
+                    fileName,
+                });
+            }
+            catch (error) {
+                console.error(chalk_1.default.red(`[File] Error: ${error.message}`));
+                websocket_1.wsClient.sendReadFileResponse({
+                    requestId: data.requestId,
+                    exists: false,
+                    fileName: path.basename(data.filePath),
+                    error: error.message,
+                });
+            }
+        });
         // Handle transcript fetch requests from mobile
         websocket_1.wsClient.on('transcript_fetch', async (data) => {
             console.log(chalk_1.default.dim(`[Transcript] Fetching: ${data.sessionKey}, offset: ${data.offset}, limit: ${data.limit}, reverse: ${data.reverse}`));
@@ -817,6 +895,11 @@ async function startConnection() {
             console.log(chalk_1.default.yellow(`[Claude] Approval request: ${data.approvalId}`));
             websocket_1.wsClient.sendClaudeApprovalRequest(data);
         });
+        // Forward tool activity events to mobile (non-blocking notifications)
+        tools_1.claudeProcessManager.on('tool_activity', (data) => {
+            console.log(chalk_1.default.dim(`[Claude] Tool activity: ${data.toolName} - ${data.inputSummary?.substring(0, 60)}`));
+            websocket_1.wsClient.sendToolActivity(data);
+        });
         // Handle Claude approval responses from mobile
         websocket_1.wsClient.on('claude_approval_response', (data) => {
             console.log(chalk_1.default.green(`[Claude] Approval response: ${data.approvalId} -> ${data.response}`));
@@ -835,6 +918,24 @@ async function startConnection() {
             }
             // Check if this session is registered (either active or registered for later spawn)
             if (!tools_1.claudeProcessManager.isClaudeSession(terminalSessionId)) {
+                // Fresh session from auto-prompt (quick action): start new session with directory
+                if (data.directory) {
+                    console.log(chalk_1.default.cyan(`[Claude] Starting fresh session for auto-prompt in ${data.directory}`));
+                    const sent = await tools_1.claudeProcessManager.startAndSendMessage(data.directory, terminalSessionId, data.message);
+                    if (sent) {
+                        // Notify mobile that session is ready
+                        websocket_1.wsClient.sendClaudeSessionUpdate({
+                            sessionKey: terminalSessionId,
+                            directory: data.directory,
+                            state: 'active',
+                            lastUsedAt: new Date().toISOString(),
+                        });
+                    }
+                    else {
+                        console.log(chalk_1.default.yellow(`[Claude] Failed to start fresh session`));
+                    }
+                    return;
+                }
                 console.log(chalk_1.default.yellow(`[Claude] Session not registered: ${terminalSessionId}`));
                 console.log(chalk_1.default.dim(`[Claude] Hint: Mobile should send claude_resume_session first`));
                 return;