forkoff 1.0.8 → 1.0.9

package/dist/crypto/keyGeneration.js

@@ -0,0 +1,99 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateKeyPair = generateKeyPair;
+exports.generateKeyPairFromSeed = generateKeyPairFromSeed;
+const crypto = __importStar(require("crypto"));
+/**
+ * Generates a random X25519 key pair for E2EE
+ * Uses Node.js crypto module
+ *
+ * @returns E2EEKeyPair with Base64-encoded public and private keys (32 bytes each)
+ */
+function generateKeyPair() {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519', {
+        publicKeyEncoding: {
+            type: 'spki',
+            format: 'der',
+        },
+        privateKeyEncoding: {
+            type: 'pkcs8',
+            format: 'der',
+        },
+    });
+    // Extract raw 32-byte keys from DER-encoded buffers
+    // X25519 public key: last 32 bytes of SPKI
+    // X25519 private key: last 32 bytes of PKCS8
+    const rawPublicKey = publicKey.slice(-32);
+    const rawPrivateKey = privateKey.slice(-32);
+    return {
+        publicKey: rawPublicKey.toString('base64'),
+        privateKey: rawPrivateKey.toString('base64'),
+    };
+}
+/**
+ * Generates a deterministic X25519 key pair from a seed
+ * Useful for testing and key derivation
+ *
+ * @param seed - 32-byte buffer to use as the private key seed
+ * @returns E2EEKeyPair with Base64-encoded public and private keys
+ * @throws Error if seed is not 32 bytes
+ */
+function generateKeyPairFromSeed(seed) {
+    if (seed.length !== 32) {
+        throw new Error('Seed must be exactly 32 bytes');
+    }
+    // In X25519, the private key IS the seed (32 random bytes)
+    // The public key is derived: publicKey = privateKey * basepoint
+    const privateKeyObject = crypto.createPrivateKey({
+        key: Buffer.concat([
+            Buffer.from([0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, 0x04, 0x22, 0x04, 0x20]),
+            seed,
+        ]),
+        format: 'der',
+        type: 'pkcs8',
+    });
+    const publicKeyObject = crypto.createPublicKey(privateKeyObject);
+    // Export raw keys
+    const publicKeyDER = publicKeyObject.export({ type: 'spki', format: 'der' });
+    const privateKeyDER = privateKeyObject.export({ type: 'pkcs8', format: 'der' });
+    const rawPublicKey = publicKeyDER.slice(-32);
+    const rawPrivateKey = privateKeyDER.slice(-32);
+    return {
+        publicKey: rawPublicKey.toString('base64'),
+        privateKey: rawPrivateKey.toString('base64'),
+    };
+}
+//# sourceMappingURL=keyGeneration.js.map

package/dist/crypto/keyGeneration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyGeneration.js","sourceRoot":"","sources":["../../src/crypto/keyGeneration.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AASA,0CAsBC;AAUD,0DA6BC;AAtED,+CAAiC;AAGjC;;;;;GAKG;AACH,SAAgB,eAAe;IAC7B,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC,mBAAmB,CAAC,QAAQ,EAAE;QACrE,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,KAAK;SACd;QACD,kBAAkB,EAAE;YAClB,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,KAAK;SACd;KACF,CAAC,CAAC;IAEH,oDAAoD;IACpD,2CAA2C;IAC3C,6CAA6C;IAC7C,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IAE5C,OAAO;QACL,SAAS,EAAE,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC1C,UAAU,EAAE,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,uBAAuB,CAAC,IAAY;IAClD,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,2DAA2D;IAC3D,gEAAgE;IAChE,MAAM,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAC/C,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;YAC7G,IAAI;SACL,CAAC;QACF,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,OAAO;KACd,CAAC,CAAC;IAEH,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC,gBAAgB,CAAC,CAAC;IAEjE,kBAAkB;IAClB,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACvF,MAAM,aAAa,GAAG,gBAAgB,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IAE1F,MAAM,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IAC7C,MAAM,aAAa,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IAE/C,OAAO;QACL,SAAS,EAAE,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC1C,UAAU,EAAE,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC7C,CAAC;AACJ,CAAC"}

package/dist/crypto/keyStorage.d.ts

@@ -0,0 +1,39 @@
+import { SessionKeys } from './types';
+/**
+ * Stores private key in OS keychain
+ * @param deviceId - Device ID
+ * @param privateKey - Base64-encoded X25519 private key
+ */
+export declare function storePrivateKey(deviceId: string, privateKey: string): Promise<void>;
+/**
+ * Retrieves private key from OS keychain
+ * @param deviceId - Device ID
+ * @returns Base64-encoded private key or null if not found
+ */
+export declare function getPrivateKey(deviceId: string): Promise<string | null>;
+/**
+ * Deletes private key from OS keychain
+ * @param deviceId - Device ID
+ */
+export declare function deletePrivateKey(deviceId: string): Promise<void>;
+/**
+ * Stores session encryption key in memory
+ * Session keys are ephemeral and not persisted to disk
+ *
+ * @param deviceId - Target device ID
+ * @param encryptionKey - AES-256-GCM encryption key (32 bytes)
+ * @param sessionId - Unique session identifier
+ */
+export declare function storeSessionKey(deviceId: string, encryptionKey: Uint8Array, sessionId: string): void;
+/**
+ * Retrieves session encryption key from memory
+ * @param deviceId - Target device ID
+ * @returns SessionKeys or null if not found
+ */
+export declare function getSessionKey(deviceId: string): SessionKeys | null;
+/**
+ * Clears all session keys from memory
+ * Called on disconnect or logout
+ */
+export declare function clearSessionKeys(): void;
+//# sourceMappingURL=keyStorage.d.ts.map

package/dist/crypto/keyStorage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyStorage.d.ts","sourceRoot":"","sources":["../../src/crypto/keyStorage.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAOtC;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAW5E;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAUtE;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,UAAU,EACzB,SAAS,EAAE,MAAM,GAChB,IAAI,CAKN;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAElE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC"}

package/dist/crypto/keyStorage.js

@@ -0,0 +1,117 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.storePrivateKey = storePrivateKey;
+exports.getPrivateKey = getPrivateKey;
+exports.deletePrivateKey = deletePrivateKey;
+exports.storeSessionKey = storeSessionKey;
+exports.getSessionKey = getSessionKey;
+exports.clearSessionKeys = clearSessionKeys;
+const keytar = __importStar(require("keytar"));
+const SERVICE_NAME = 'forkoff-cli';
+// In-memory storage for session keys (not persisted)
+const sessionKeyStore = new Map();
+/**
+ * Stores private key in OS keychain
+ * @param deviceId - Device ID
+ * @param privateKey - Base64-encoded X25519 private key
+ */
+async function storePrivateKey(deviceId, privateKey) {
+    try {
+        await keytar.setPassword(SERVICE_NAME, `e2ee-private-key-${deviceId}`, privateKey);
+    }
+    catch (error) {
+        console.error('Failed to store private key in keychain:', error);
+        throw error;
+    }
+}
+/**
+ * Retrieves private key from OS keychain
+ * @param deviceId - Device ID
+ * @returns Base64-encoded private key or null if not found
+ */
+async function getPrivateKey(deviceId) {
+    try {
+        const key = await keytar.getPassword(SERVICE_NAME, `e2ee-private-key-${deviceId}`);
+        return key;
+    }
+    catch (error) {
+        console.error('Failed to retrieve private key from keychain:', error);
+        return null;
+    }
+}
+/**
+ * Deletes private key from OS keychain
+ * @param deviceId - Device ID
+ */
+async function deletePrivateKey(deviceId) {
+    try {
+        await keytar.deletePassword(SERVICE_NAME, `e2ee-private-key-${deviceId}`);
+    }
+    catch (error) {
+        console.error('Failed to delete private key from keychain:', error);
+        throw error;
+    }
+}
+/**
+ * Stores session encryption key in memory
+ * Session keys are ephemeral and not persisted to disk
+ *
+ * @param deviceId - Target device ID
+ * @param encryptionKey - AES-256-GCM encryption key (32 bytes)
+ * @param sessionId - Unique session identifier
+ */
+function storeSessionKey(deviceId, encryptionKey, sessionId) {
+    sessionKeyStore.set(deviceId, {
+        encryptionKey,
+        sessionId,
+    });
+}
+/**
+ * Retrieves session encryption key from memory
+ * @param deviceId - Target device ID
+ * @returns SessionKeys or null if not found
+ */
+function getSessionKey(deviceId) {
+    return sessionKeyStore.get(deviceId) ?? null;
+}
+/**
+ * Clears all session keys from memory
+ * Called on disconnect or logout
+ */
+function clearSessionKeys() {
+    sessionKeyStore.clear();
+}
+//# sourceMappingURL=keyStorage.js.map

package/dist/crypto/keyStorage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyStorage.js","sourceRoot":"","sources":["../../src/crypto/keyStorage.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA,0CAcC;AAOD,sCAWC;AAMD,4CAUC;AAUD,0CASC;AAOD,sCAEC;AAMD,4CAEC;AAjGD,+CAAiC;AAGjC,MAAM,YAAY,GAAG,aAAa,CAAC;AAEnC,qDAAqD;AACrD,MAAM,eAAe,GAAG,IAAI,GAAG,EAAuB,CAAC;AAEvD;;;;GAIG;AACI,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,WAAW,CACtB,YAAY,EACZ,oBAAoB,QAAQ,EAAE,EAC9B,UAAU,CACX,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;QACjE,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,aAAa,CAAC,QAAgB;IAClD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,WAAW,CAClC,YAAY,EACZ,oBAAoB,QAAQ,EAAE,CAC/B,CAAC;QACF,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,gBAAgB,CAAC,QAAgB;IACrD,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,cAAc,CACzB,YAAY,EACZ,oBAAoB,QAAQ,EAAE,CAC/B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;QACpE,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,eAAe,CAC7B,QAAgB,EAChB,aAAyB,EACzB,SAAiB;IAEjB,eAAe,CAAC,GAAG,CAAC,QAAQ,EAAE;QAC5B,aAAa;QACb,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,QAAgB;IAC5C,OAAO,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAgB,gBAAgB;IAC9B,eAAe,CAAC,KAAK,EAAE,CAAC;AAC1B,CAAC"}

package/dist/crypto/sessionPersistence.d.ts

@@ -0,0 +1,33 @@
+import { SessionKeys } from './types';
+/**
+ * Persists a session key to disk
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ * @param sessionKeys - Session encryption keys
+ */
+export declare function persistSessionKey(deviceId: string, targetDeviceId: string, sessionKeys: SessionKeys): void;
+/**
+ * Loads a persisted session key from disk
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ * @returns SessionKeys or null if not found
+ */
+export declare function loadPersistedSessionKey(deviceId: string, targetDeviceId: string): SessionKeys | null;
+/**
+ * Deletes a persisted session
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ */
+export declare function deletePersistedSession(deviceId: string, targetDeviceId: string): void;
+/**
+ * Deletes all persisted sessions for a device
+ * @param deviceId - Current device ID
+ */
+export declare function deleteAllPersistedSessions(deviceId: string): void;
+/**
+ * Lists all persisted sessions for a device
+ * @param deviceId - Current device ID
+ * @returns Array of target device IDs with active sessions
+ */
+export declare function listPersistedSessions(deviceId: string): string[];
+//# sourceMappingURL=sessionPersistence.d.ts.map

package/dist/crypto/sessionPersistence.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionPersistence.d.ts","sourceRoot":"","sources":["../../src/crypto/sessionPersistence.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAyBtC;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EACtB,WAAW,EAAE,WAAW,GACvB,IAAI,CAeN;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACrB,WAAW,GAAG,IAAI,CA6BpB;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACrB,IAAI,CAUN;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAgBjE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAgBhE"}

package/dist/crypto/sessionPersistence.js

@@ -0,0 +1,173 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.persistSessionKey = persistSessionKey;
+exports.loadPersistedSessionKey = loadPersistedSessionKey;
+exports.deletePersistedSession = deletePersistedSession;
+exports.deleteAllPersistedSessions = deleteAllPersistedSessions;
+exports.listPersistedSessions = listPersistedSessions;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+/**
+ * Session Persistence
+ * Stores session keys to disk so they survive reconnections after IP changes
+ */
+const SESSION_STORE_DIR = path.join(os.homedir(), '.forkoff-cli', 'sessions');
+/**
+ * Ensures the session store directory exists
+ */
+function ensureSessionStoreExists() {
+    if (!fs.existsSync(SESSION_STORE_DIR)) {
+        fs.mkdirSync(SESSION_STORE_DIR, { recursive: true });
+    }
+}
+/**
+ * Gets the file path for a device's session
+ */
+function getSessionFilePath(deviceId, targetDeviceId) {
+    return path.join(SESSION_STORE_DIR, `${deviceId}-${targetDeviceId}.json`);
+}
+/**
+ * Persists a session key to disk
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ * @param sessionKeys - Session encryption keys
+ */
+function persistSessionKey(deviceId, targetDeviceId, sessionKeys) {
+    try {
+        ensureSessionStoreExists();
+        const data = {
+            encryptionKey: Array.from(sessionKeys.encryptionKey), // Convert Uint8Array to Array for JSON
+            sessionId: sessionKeys.sessionId,
+            timestamp: new Date().toISOString(),
+        };
+        const filePath = getSessionFilePath(deviceId, targetDeviceId);
+        fs.writeFileSync(filePath, JSON.stringify(data, null, 2), 'utf8');
+    }
+    catch (error) {
+        console.error('Failed to persist session key:', error);
+    }
+}
+/**
+ * Loads a persisted session key from disk
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ * @returns SessionKeys or null if not found
+ */
+function loadPersistedSessionKey(deviceId, targetDeviceId) {
+    try {
+        const filePath = getSessionFilePath(deviceId, targetDeviceId);
+        if (!fs.existsSync(filePath)) {
+            return null;
+        }
+        const data = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+        // Check if session is expired (older than 24 hours)
+        const timestamp = new Date(data.timestamp);
+        const now = new Date();
+        const hoursSinceCreation = (now.getTime() - timestamp.getTime()) / (1000 * 60 * 60);
+        if (hoursSinceCreation > 24) {
+            // Session expired, delete it
+            fs.unlinkSync(filePath);
+            return null;
+        }
+        return {
+            encryptionKey: new Uint8Array(data.encryptionKey),
+            sessionId: data.sessionId,
+        };
+    }
+    catch (error) {
+        console.error('Failed to load persisted session key:', error);
+        return null;
+    }
+}
+/**
+ * Deletes a persisted session
+ * @param deviceId - Current device ID
+ * @param targetDeviceId - Target device ID
+ */
+function deletePersistedSession(deviceId, targetDeviceId) {
+    try {
+        const filePath = getSessionFilePath(deviceId, targetDeviceId);
+        if (fs.existsSync(filePath)) {
+            fs.unlinkSync(filePath);
+        }
+    }
+    catch (error) {
+        console.error('Failed to delete persisted session:', error);
+    }
+}
+/**
+ * Deletes all persisted sessions for a device
+ * @param deviceId - Current device ID
+ */
+function deleteAllPersistedSessions(deviceId) {
+    try {
+        if (!fs.existsSync(SESSION_STORE_DIR)) {
+            return;
+        }
+        const files = fs.readdirSync(SESSION_STORE_DIR);
+        for (const file of files) {
+            if (file.startsWith(`${deviceId}-`)) {
+                fs.unlinkSync(path.join(SESSION_STORE_DIR, file));
+            }
+        }
+    }
+    catch (error) {
+        console.error('Failed to delete all persisted sessions:', error);
+    }
+}
+/**
+ * Lists all persisted sessions for a device
+ * @param deviceId - Current device ID
+ * @returns Array of target device IDs with active sessions
+ */
+function listPersistedSessions(deviceId) {
+    try {
+        if (!fs.existsSync(SESSION_STORE_DIR)) {
+            return [];
+        }
+        const files = fs.readdirSync(SESSION_STORE_DIR);
+        const prefix = `${deviceId}-`;
+        return files
+            .filter((file) => file.startsWith(prefix) && file.endsWith('.json'))
+            .map((file) => file.substring(prefix.length, file.length - 5)); // Remove prefix and .json
+    }
+    catch (error) {
+        console.error('Failed to list persisted sessions:', error);
+        return [];
+    }
+}
+//# sourceMappingURL=sessionPersistence.js.map

package/dist/crypto/sessionPersistence.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionPersistence.js","sourceRoot":"","sources":["../../src/crypto/sessionPersistence.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,8CAmBC;AAQD,0DAgCC;AAOD,wDAaC;AAMD,gEAgBC;AAOD,sDAgBC;AA9JD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAGzB;;;GAGG;AAEH,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,UAAU,CAAC,CAAC;AAE9E;;GAEG;AACH,SAAS,wBAAwB;IAC/B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACtC,EAAE,CAAC,SAAS,CAAC,iBAAiB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAAgB,EAAE,cAAsB;IAClE,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,QAAQ,IAAI,cAAc,OAAO,CAAC,CAAC;AAC5E,CAAC;AAED;;;;;GAKG;AACH,SAAgB,iBAAiB,CAC/B,QAAgB,EAChB,cAAsB,EACtB,WAAwB;IAExB,IAAI,CAAC;QACH,wBAAwB,EAAE,CAAC;QAE3B,MAAM,IAAI,GAAG;YACX,aAAa,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE,uCAAuC;YAC7F,SAAS,EAAE,WAAW,CAAC,SAAS;YAChC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QAEF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAC9D,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uBAAuB,CACrC,QAAgB,EAChB,cAAsB;IAEtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAE9D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QAE3D,oDAAoD;QACpD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,kBAAkB,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QAEpF,IAAI,kBAAkB,GAAG,EAAE,EAAE,CAAC;YAC5B,6BAA6B;YAC7B,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO;YACL,aAAa,EAAE,IAAI,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC;YACjD,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,uCAAuC,EAAE,KAAK,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,sBAAsB,CACpC,QAAgB,EAChB,cAAsB;IAEtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAE9D,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CAAC,QAAgB;IACzD,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACtC,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAEhD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;gBACpC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;IACnE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,qBAAqB,CAAC,QAAgB;IACpD,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,GAAG,QAAQ,GAAG,CAAC;QAE9B,OAAO,KAAK;aACT,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;aACnE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B;IAC9F,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/crypto/types.d.ts

@@ -0,0 +1,35 @@
+/**
+ * E2EE Type Definitions for ForkOff CLI
+ *
+ * X25519 key exchange + AES-256-GCM encryption
+ */
+export interface E2EEKeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+export interface EncryptedPayload {
+    ciphertext: string;
+    nonce: string;
+    authTag: string;
+}
+export interface EncryptedMessage {
+    senderDeviceId: string;
+    recipientDeviceId: string;
+    sessionId: string;
+    payload: EncryptedPayload;
+    messageCounter: number;
+    timestamp: string;
+}
+export interface SessionKeys {
+    encryptionKey: Uint8Array;
+    sessionId: string;
+}
+export interface KeyExchangeInit {
+    senderDeviceId: string;
+    ephemeralPublicKey: string;
+}
+export interface KeyExchangeAck {
+    recipientDeviceId: string;
+    ephemeralPublicKey: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/crypto/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/crypto/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,gBAAgB,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,EAAE,UAAU,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,cAAc;IAC7B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;CAC5B"}

package/dist/crypto/types.js

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * E2EE Type Definitions for ForkOff CLI
+ *
+ * X25519 key exchange + AES-256-GCM encryption
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/crypto/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/crypto/types.ts"],"names":[],"mappings":";AAAA;;;;GAIG"}

package/dist/crypto/websocketE2EE.d.ts

@@ -0,0 +1,47 @@
+import { WebSocketClient } from '../websocket';
+/**
+ * WebSocket E2EE Integration
+ * Adds end-to-end encryption capabilities to WebSocket client
+ */
+export declare class WebSocketE2EEIntegration {
+    private wsClient;
+    private e2eeManager;
+    private enabled;
+    constructor(wsClient: WebSocketClient);
+    /**
+     * Initializes E2EE and sets up event handlers
+     */
+    initialize(deviceId: string, apiUrl: string, authToken: string): Promise<void>;
+    /**
+     * Sets up WebSocket event handlers for E2EE
+     */
+    private setupEventHandlers;
+    /**
+     * Initiates key exchange with a target device
+     */
+    initiateKeyExchange(targetDeviceId: string): Promise<void>;
+    /**
+     * Encrypts and sends a message to a target device
+     */
+    sendEncryptedMessage(plaintext: string, targetDeviceId: string, sessionId: string): void;
+    /**
+     * Checks if E2EE session exists for a device
+     */
+    hasSession(deviceId: string): boolean;
+    /**
+     * Checks if E2EE is enabled
+     */
+    isEnabled(): boolean;
+    /**
+     * Cleans up E2EE sessions
+     */
+    cleanup(): void;
+    private emitKeyExchangeInit;
+    private emitKeyExchangeAck;
+    private emitEncryptedMessage;
+}
+/**
+ * Factory function to create E2EE-enabled WebSocket client
+ */
+export declare function createE2EEWebSocketClient(wsClient: WebSocketClient, deviceId: string, apiUrl: string, authToken: string): Promise<WebSocketE2EEIntegration>;
+//# sourceMappingURL=websocketE2EE.d.ts.map

package/dist/crypto/websocketE2EE.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"websocketE2EE.d.ts","sourceRoot":"","sources":["../../src/crypto/websocketE2EE.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAI/C;;;GAGG;AACH,qBAAa,wBAAwB;IACnC,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,WAAW,CAA4B;IAC/C,OAAO,CAAC,OAAO,CAAS;gBAEZ,QAAQ,EAAE,eAAe;IAIrC;;OAEG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOpF;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA6D1B;;OAEG;IACG,mBAAmB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWhE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,EACtB,SAAS,EAAE,MAAM,GAChB,IAAI;IAqBP;;OAEG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAIrC;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,OAAO,IAAI,IAAI;IAMf,OAAO,CAAC,mBAAmB;IAQ3B,OAAO,CAAC,kBAAkB;IAQ1B,OAAO,CAAC,oBAAoB;CAG7B;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,eAAe,EACzB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,wBAAwB,CAAC,CAGnC"}