happy-coder 0.10.0-2 → 0.10.0-4

package/dist/{types-WP9wteZE.cjs → types-BcDnTXMg.cjs}

@@ -2,8 +2,8 @@
 
 var axios = require('axios');
 var chalk = require('chalk');
-var fs = require('fs');
-var node_fs = require('node:fs');
+var fs$1 = require('fs');
+var fs = require('node:fs');
 var os = require('node:os');
 var node_path = require('node:path');
 var promises = require('node:fs/promises');
@@ -14,10 +14,11 @@ var node_events = require('node:events');
 var socket_ioClient = require('socket.io-client');
 var child_process = require('child_process');
 var util = require('util');
-var fs$1 = require('fs/promises');
+var fs$2 = require('fs/promises');
 var crypto = require('crypto');
 var path = require('path');
 var url = require('url');
+var os$1 = require('os');
 var expoServerSdk = require('expo-server-sdk');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
@@ -41,8 +42,8 @@ function _interopNamespaceDefault(e) {
 var z__namespace = /*#__PURE__*/_interopNamespaceDefault(z);
 
 var name = "happy-coder";
-var version = "0.10.0-2";
-var description = "Claude Code session sharing CLI";
+var version = "0.10.0-4";
+var description = "Mobile and Web client for Claude Code and Codex";
 var author = "Kirill Dubovitskiy";
 var license = "MIT";
 var type = "module";
@@ -50,7 +51,8 @@ var homepage = "https://github.com/slopus/happy-cli";
 var bugs = "https://github.com/slopus/happy-cli/issues";
 var repository = "slopus/happy-cli";
 var bin = {
-	happy: "./bin/happy.mjs"
+	happy: "./bin/happy.mjs",
+	"happy-mcp": "./bin/happy-mcp.mjs"
 };
 var main = "./dist/index.cjs";
 var module$1 = "./dist/index.mjs";
@@ -75,13 +77,23 @@ var exports$1 = {
 			types: "./dist/lib.d.mts",
 			"default": "./dist/lib.mjs"
 		}
+	},
+	"./codex/happyMcpStdioBridge": {
+		require: {
+			types: "./dist/codex/happyMcpStdioBridge.d.cts",
+			"default": "./dist/codex/happyMcpStdioBridge.cjs"
+		},
+		"import": {
+			types: "./dist/codex/happyMcpStdioBridge.d.mts",
+			"default": "./dist/codex/happyMcpStdioBridge.mjs"
+		}
 	}
 };
 var files = [
 	"dist",
 	"bin",
 	"scripts",
-	"ripgrep",
+	"tools",
 	"package.json"
 ];
 var scripts = {
@@ -90,17 +102,19 @@ var scripts = {
 	build: "shx rm -rf dist && npx tsc --noEmit && pkgroll",
 	test: "yarn build && tsx --env-file .env.integration-test node_modules/.bin/vitest run",
 	start: "yarn build && ./bin/happy.mjs",
-	dev: "yarn build && tsx --env-file .env.dev src/index.ts",
+	dev: "tsx --env-file .env.dev src/index.ts",
 	"dev:local-server": "yarn build && tsx --env-file .env.dev-local-server src/index.ts",
 	"dev:integration-test-env": "yarn build && tsx --env-file .env.integration-test src/index.ts",
 	prepublishOnly: "yarn build && yarn test",
-	release: "release-it"
+	release: "release-it",
+	postinstall: "node scripts/unpack-tools.cjs"
 };
 var dependencies = {
 	"@anthropic-ai/claude-code": "^1.0.102",
 	"@anthropic-ai/sdk": "^0.56.0",
 	"@modelcontextprotocol/sdk": "^1.15.1",
 	"@stablelib/base64": "^2.0.1",
+	"@stablelib/hex": "^2.0.1",
 	"@types/cross-spawn": "^6.0.6",
 	"@types/http-proxy": "^1.17.16",
 	"@types/ps-list": "^6.2.1",
@@ -120,6 +134,7 @@ var dependencies = {
 	"qrcode-terminal": "^0.12.0",
 	react: "^19.1.1",
 	"socket.io-client": "^4.8.1",
+	tar: "^7.4.3",
 	tweetnacl: "^1.0.3",
 	zod: "^3.23.8"
 };
@@ -173,6 +188,7 @@ var packageJson = {
 
 class Configuration {
   serverUrl;
+  webappUrl;
   isDaemonProcess;
   // Directories and paths (from persistence)
   happyHomeDir;
@@ -185,6 +201,7 @@ class Configuration {
   isExperimentalEnabled;
   constructor() {
     this.serverUrl = process.env.HAPPY_SERVER_URL || "https://api.cluster-fluster.com";
+    this.webappUrl = process.env.HAPPY_WEBAPP_URL || "https://app.happy.engineering";
     const args = process.argv.slice(2);
     this.isDaemonProcess = args.length >= 2 && args[0] === "daemon" && args[1] === "start-sync";
     if (process.env.HAPPY_HOME_DIR) {
@@ -200,11 +217,11 @@ class Configuration {
     this.daemonLockFile = node_path.join(this.happyHomeDir, "daemon.state.json.lock");
     this.isExperimentalEnabled = ["true", "1", "yes"].includes(process.env.HAPPY_EXPERIMENTAL?.toLowerCase() || "");
     this.currentCliVersion = packageJson.version;
-    if (!node_fs.existsSync(this.happyHomeDir)) {
-      node_fs.mkdirSync(this.happyHomeDir, { recursive: true });
+    if (!fs.existsSync(this.happyHomeDir)) {
+      fs.mkdirSync(this.happyHomeDir, { recursive: true });
     }
-    if (!node_fs.existsSync(this.logsDir)) {
-      node_fs.mkdirSync(this.logsDir, { recursive: true });
+    if (!fs.existsSync(this.logsDir)) {
+      fs.mkdirSync(this.logsDir, { recursive: true });
     }
   }
 }
@@ -229,7 +246,17 @@ function decodeBase64(base64, variant = "base64") {
 function getRandomBytes(size) {
   return new Uint8Array(node_crypto.randomBytes(size));
 }
-function encrypt(data, secret) {
+function libsodiumEncryptForPublicKey(data, recipientPublicKey) {
+  const ephemeralKeyPair = tweetnacl.box.keyPair();
+  const nonce = getRandomBytes(tweetnacl.box.nonceLength);
+  const encrypted = tweetnacl.box(data, nonce, recipientPublicKey, ephemeralKeyPair.secretKey);
+  const result = new Uint8Array(ephemeralKeyPair.publicKey.length + nonce.length + encrypted.length);
+  result.set(ephemeralKeyPair.publicKey, 0);
+  result.set(nonce, ephemeralKeyPair.publicKey.length);
+  result.set(encrypted, ephemeralKeyPair.publicKey.length + nonce.length);
+  return result;
+}
+function encryptLegacy(data, secret) {
   const nonce = getRandomBytes(tweetnacl.secretbox.nonceLength);
   const encrypted = tweetnacl.secretbox(new TextEncoder().encode(JSON.stringify(data)), nonce, secret);
   const result = new Uint8Array(nonce.length + encrypted.length);
@@ -237,7 +264,7 @@ function encrypt(data, secret) {
   result.set(encrypted, nonce.length);
   return result;
 }
-function decrypt(data, secret) {
+function decryptLegacy(data, secret) {
   const nonce = data.slice(0, tweetnacl.secretbox.nonceLength);
   const encrypted = data.slice(tweetnacl.secretbox.nonceLength);
   const decrypted = tweetnacl.secretbox.open(encrypted, nonce, secret);
@@ -246,12 +273,67 @@ function decrypt(data, secret) {
   }
   return JSON.parse(new TextDecoder().decode(decrypted));
 }
+function encryptWithDataKey(data, dataKey) {
+  const nonce = getRandomBytes(12);
+  const cipher = node_crypto.createCipheriv("aes-256-gcm", dataKey, nonce);
+  const plaintext = new TextEncoder().encode(JSON.stringify(data));
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  const bundle = new Uint8Array(12 + encrypted.length + 16 + 1);
+  bundle.set([0], 0);
+  bundle.set(nonce, 1);
+  bundle.set(new Uint8Array(encrypted), 13);
+  bundle.set(new Uint8Array(authTag), 13 + encrypted.length);
+  return bundle;
+}
+function decryptWithDataKey(bundle, dataKey) {
+  if (bundle.length < 1) {
+    return null;
+  }
+  if (bundle[0] !== 0) {
+    return null;
+  }
+  if (bundle.length < 12 + 16 + 1) {
+    return null;
+  }
+  const nonce = bundle.slice(1, 13);
+  const authTag = bundle.slice(bundle.length - 16);
+  const ciphertext = bundle.slice(13, bundle.length - 16);
+  try {
+    const decipher = node_crypto.createDecipheriv("aes-256-gcm", dataKey, nonce);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]);
+    return JSON.parse(new TextDecoder().decode(decrypted));
+  } catch (error) {
+    return null;
+  }
+}
+function encrypt(key, variant, data) {
+  if (variant === "legacy") {
+    return encryptLegacy(data, key);
+  } else {
+    return encryptWithDataKey(data, key);
+  }
+}
+function decrypt(key, variant, data) {
+  if (variant === "legacy") {
+    return decryptLegacy(data, key);
+  } else {
+    return decryptWithDataKey(data, key);
+  }
+}
 
 const defaultSettings = {
   onboardingCompleted: false
 };
 async function readSettings() {
-  if (!node_fs.existsSync(configuration.settingsFile)) {
+  if (!fs.existsSync(configuration.settingsFile)) {
     return { ...defaultSettings };
   }
   try {
@@ -271,7 +353,7 @@ async function updateSettings(updater) {
   let attempts = 0;
   while (attempts < MAX_LOCK_ATTEMPTS) {
     try {
-      fileHandle = await promises.open(lockFile, node_fs.constants.O_CREAT | node_fs.constants.O_EXCL | node_fs.constants.O_WRONLY);
+      fileHandle = await promises.open(lockFile, fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_WRONLY);
       break;
     } catch (err) {
       if (err.code === "EEXIST") {
@@ -296,7 +378,7 @@ async function updateSettings(updater) {
   try {
     const current = await readSettings() || { ...defaultSettings };
     const updated = await updater(current);
-    if (!node_fs.existsSync(configuration.happyHomeDir)) {
+    if (!fs.existsSync(configuration.happyHomeDir)) {
       await promises.mkdir(configuration.happyHomeDir, { recursive: true });
     }
     await promises.writeFile(tmpFile, JSON.stringify(updated, null, 2));
@@ -309,26 +391,46 @@ async function updateSettings(updater) {
   }
 }
 const credentialsSchema = z__namespace.object({
-  secret: z__namespace.string().base64(),
-  token: z__namespace.string()
+  token: z__namespace.string(),
+  secret: z__namespace.string().base64().nullish(),
+  // Legacy
+  encryption: z__namespace.object({
+    publicKey: z__namespace.string().base64(),
+    machineKey: z__namespace.string().base64()
+  }).nullish()
 });
 async function readCredentials() {
-  if (!node_fs.existsSync(configuration.privateKeyFile)) {
+  if (!fs.existsSync(configuration.privateKeyFile)) {
     return null;
   }
   try {
     const keyBase64 = await promises.readFile(configuration.privateKeyFile, "utf8");
     const credentials = credentialsSchema.parse(JSON.parse(keyBase64));
-    return {
-      secret: new Uint8Array(Buffer.from(credentials.secret, "base64")),
-      token: credentials.token
-    };
+    if (credentials.secret) {
+      return {
+        token: credentials.token,
+        encryption: {
+          type: "legacy",
+          secret: new Uint8Array(Buffer.from(credentials.secret, "base64"))
+        }
+      };
+    } else if (credentials.encryption) {
+      return {
+        token: credentials.token,
+        encryption: {
+          type: "dataKey",
+          publicKey: new Uint8Array(Buffer.from(credentials.encryption.publicKey, "base64")),
+          machineKey: new Uint8Array(Buffer.from(credentials.encryption.machineKey, "base64"))
+        }
+      };
+    }
   } catch {
     return null;
   }
+  return null;
 }
-async function writeCredentials(credentials) {
-  if (!node_fs.existsSync(configuration.happyHomeDir)) {
+async function writeCredentialsLegacy(credentials) {
+  if (!fs.existsSync(configuration.happyHomeDir)) {
     await promises.mkdir(configuration.happyHomeDir, { recursive: true });
   }
   await promises.writeFile(configuration.privateKeyFile, JSON.stringify({
@@ -336,8 +438,17 @@ async function writeCredentials(credentials) {
     token: credentials.token
   }, null, 2));
 }
+async function writeCredentialsDataKey(credentials) {
+  if (!fs.existsSync(configuration.happyHomeDir)) {
+    await promises.mkdir(configuration.happyHomeDir, { recursive: true });
+  }
+  await promises.writeFile(configuration.privateKeyFile, JSON.stringify({
+    encryption: { publicKey: encodeBase64(credentials.publicKey), machineKey: encodeBase64(credentials.machineKey) },
+    token: credentials.token
+  }, null, 2));
+}
 async function clearCredentials() {
-  if (node_fs.existsSync(configuration.privateKeyFile)) {
+  if (fs.existsSync(configuration.privateKeyFile)) {
     await promises.unlink(configuration.privateKeyFile);
   }
 }
@@ -349,7 +460,7 @@ async function clearMachineId() {
 }
 async function readDaemonState() {
   try {
-    if (!node_fs.existsSync(configuration.daemonStateFile)) {
+    if (!fs.existsSync(configuration.daemonStateFile)) {
       return null;
     }
     const content = await promises.readFile(configuration.daemonStateFile, "utf-8");
@@ -360,13 +471,13 @@ async function readDaemonState() {
   }
 }
 function writeDaemonState(state) {
-  node_fs.writeFileSync(configuration.daemonStateFile, JSON.stringify(state, null, 2), "utf-8");
+  fs.writeFileSync(configuration.daemonStateFile, JSON.stringify(state, null, 2), "utf-8");
 }
 async function clearDaemonState() {
-  if (node_fs.existsSync(configuration.daemonStateFile)) {
+  if (fs.existsSync(configuration.daemonStateFile)) {
     await promises.unlink(configuration.daemonStateFile);
   }
-  if (node_fs.existsSync(configuration.daemonLockFile)) {
+  if (fs.existsSync(configuration.daemonLockFile)) {
     try {
       await promises.unlink(configuration.daemonLockFile);
     } catch {
@@ -378,19 +489,19 @@ async function acquireDaemonLock(maxAttempts = 5, delayIncrementMs = 200) {
     try {
       const fileHandle = await promises.open(
         configuration.daemonLockFile,
-        node_fs.constants.O_CREAT | node_fs.constants.O_EXCL | node_fs.constants.O_WRONLY
+        fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_WRONLY
       );
       await fileHandle.writeFile(String(process.pid));
       return fileHandle;
     } catch (error) {
       if (error.code === "EEXIST") {
         try {
-          const lockPid = node_fs.readFileSync(configuration.daemonLockFile, "utf-8").trim();
+          const lockPid = fs.readFileSync(configuration.daemonLockFile, "utf-8").trim();
           if (lockPid && !isNaN(Number(lockPid))) {
             try {
               process.kill(Number(lockPid), 0);
             } catch {
-              node_fs.unlinkSync(configuration.daemonLockFile);
+              fs.unlinkSync(configuration.daemonLockFile);
               continue;
             }
           }
@@ -412,8 +523,8 @@ async function releaseDaemonLock(lockHandle) {
   } catch {
   }
   try {
-    if (node_fs.existsSync(configuration.daemonLockFile)) {
-      node_fs.unlinkSync(configuration.daemonLockFile);
+    if (fs.existsSync(configuration.daemonLockFile)) {
+      fs.unlinkSync(configuration.daemonLockFile);
     }
   } catch {
   }
@@ -503,6 +614,13 @@ class Logger {
       this.logToConsole("info", "[DEV]", message, ...args);
     }
   }
+  warn(message, ...args) {
+    this.logToConsole("warn", "", message, ...args);
+    this.debug(`[WARN] ${message}`, ...args);
+  }
+  getLogPath() {
+    return this.logFilePath;
+  }
   logToConsole(level, prefix, message, ...args) {
     switch (level) {
       case "debug": {
@@ -561,7 +679,7 @@ class Logger {
       });
     }
     try {
-      fs.appendFileSync(this.logFilePath, logLine);
+      fs$1.appendFileSync(this.logFilePath, logLine);
     } catch (appendError) {
       if (process.env.DEBUG) {
         console.error("[DEV MODE ONLY THROWING] Failed to append to log file:", appendError);
@@ -574,12 +692,12 @@ let logger = new Logger();
 async function listDaemonLogFiles(limit = 50) {
   try {
     const logsDir = configuration.logsDir;
-    if (!node_fs.existsSync(logsDir)) {
+    if (!fs.existsSync(logsDir)) {
       return [];
     }
-    const logs = node_fs.readdirSync(logsDir).filter((file) => file.endsWith("-daemon.log")).map((file) => {
+    const logs = fs.readdirSync(logsDir).filter((file) => file.endsWith("-daemon.log")).map((file) => {
       const fullPath = node_path.join(logsDir, file);
-      const stats = node_fs.statSync(fullPath);
+      const stats = fs.statSync(fullPath);
       return { file, path: fullPath, modified: stats.mtime };
     }).sort((a, b) => b.modified.getTime() - a.modified.getTime());
     try {
@@ -587,8 +705,8 @@ async function listDaemonLogFiles(limit = 50) {
       if (!state) {
         return logs;
       }
-      if (state.daemonLogPath && node_fs.existsSync(state.daemonLogPath)) {
-        const stats = node_fs.statSync(state.daemonLogPath);
+      if (state.daemonLogPath && fs.existsSync(state.daemonLogPath)) {
+        const stats = fs.statSync(state.daemonLogPath);
         const persisted = {
           file: node_path.basename(state.daemonLogPath),
           path: state.daemonLogPath,
@@ -663,38 +781,13 @@ z.z.object({
   ]),
   createdAt: z.z.number()
 });
-z.z.object({
-  createdAt: z.z.number(),
-  id: z.z.string(),
-  seq: z.z.number(),
-  updatedAt: z.z.number(),
-  metadata: z.z.any(),
-  metadataVersion: z.z.number(),
-  agentState: z.z.any().nullable(),
-  agentStateVersion: z.z.number(),
-  // Connectivity tracking (from server)
-  connectivityStatus: z.z.union([
-    z.z.enum(["neverConnected", "online", "offline"]),
-    z.z.string()
-    // Forward compatibility
-  ]).optional(),
-  connectivityStatusSince: z.z.number().optional(),
-  connectivityStatusReason: z.z.string().optional(),
-  // State tracking (from server)
-  state: z.z.union([
-    z.z.enum(["running", "archiveRequested", "archived"]),
-    z.z.string()
-    // Forward compatibility
-  ]).optional(),
-  stateSince: z.z.number().optional(),
-  stateReason: z.z.string().optional()
-});
 z.z.object({
   host: z.z.string(),
   platform: z.z.string(),
   happyCliVersion: z.z.string(),
   homeDir: z.z.string(),
-  happyHomeDir: z.z.string()
+  happyHomeDir: z.z.string(),
+  happyLibDir: z.z.string()
 });
 z.z.object({
   status: z.z.union([
@@ -712,37 +805,6 @@ z.z.object({
     // Forward compatibility
   ]).optional()
 });
-z.z.object({
-  id: z.z.string(),
-  metadata: z.z.any(),
-  // Decrypted MachineMetadata
-  metadataVersion: z.z.number(),
-  daemonState: z.z.any().nullable(),
-  // Decrypted DaemonState
-  daemonStateVersion: z.z.number(),
-  // We don't really care about these on the CLI for now
-  // ApiMachineClient will not sync these
-  active: z.z.boolean(),
-  activeAt: z.z.number(),
-  createdAt: z.z.number(),
-  updatedAt: z.z.number(),
-  // Connectivity tracking (from server)
-  connectivityStatus: z.z.union([
-    z.z.enum(["neverConnected", "online", "offline"]),
-    z.z.string()
-    // Forward compatibility
-  ]).optional(),
-  connectivityStatusSince: z.z.number().optional(),
-  connectivityStatusReason: z.z.string().optional(),
-  // State tracking (from server)
-  state: z.z.union([
-    z.z.enum(["running", "archiveRequested", "archived"]),
-    z.z.string()
-    // Forward compatibility
-  ]).optional(),
-  stateSince: z.z.number().optional(),
-  stateReason: z.z.string().optional()
-});
 z.z.object({
   content: SessionMessageContentSchema,
   createdAt: z.z.number(),
@@ -866,12 +928,14 @@ class AsyncLock {
 class RpcHandlerManager {
   handlers = /* @__PURE__ */ new Map();
   scopePrefix;
-  secret;
+  encryptionKey;
+  encryptionVariant;
   logger;
   socket = null;
   constructor(config) {
     this.scopePrefix = config.scopePrefix;
-    this.secret = config.secret;
+    this.encryptionKey = config.encryptionKey;
+    this.encryptionVariant = config.encryptionVariant;
     this.logger = config.logger || ((msg, data) => logger.debug(msg, data));
   }
   /**
@@ -897,20 +961,19 @@ class RpcHandlerManager {
       if (!handler) {
         this.logger("[RPC] [ERROR] Method not found", { method: request.method });
         const errorResponse = { error: "Method not found" };
-        const encryptedError = encodeBase64(encrypt(errorResponse, this.secret));
+        const encryptedError = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, errorResponse));
         return encryptedError;
       }
-      const decryptedParams = decrypt(decodeBase64(request.params), this.secret);
+      const decryptedParams = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(request.params));
       const result = await handler(decryptedParams);
-      const encryptedResponse = encodeBase64(encrypt(result, this.secret));
+      const encryptedResponse = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, result));
       return encryptedResponse;
     } catch (error) {
       this.logger("[RPC] [ERROR] Error handling request", { error });
       const errorResponse = {
         error: error instanceof Error ? error.message : "Unknown error"
       };
-      const encryptedError = encodeBase64(encrypt(errorResponse, this.secret));
-      return encryptedError;
+      return encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, errorResponse));
     }
   }
   onSocketConnect(socket) {
@@ -952,13 +1015,13 @@ class RpcHandlerManager {
   }
 }
 
-const __dirname$1 = path.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('types-WP9wteZE.cjs', document.baseURI).href))));
+const __dirname$1 = path.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('types-BcDnTXMg.cjs', document.baseURI).href))));
 function projectPath() {
   const path$1 = path.resolve(__dirname$1, "..");
   return path$1;
 }
 
-function run(args, options) {
+function run$1(args, options) {
   const RUNNER_PATH = path.resolve(path.join(projectPath(), "scripts", "ripgrep_launcher.cjs"));
   return new Promise((resolve2, reject) => {
     const child = child_process.spawn("node", [RUNNER_PATH, JSON.stringify(args)], {
@@ -986,6 +1049,44 @@ function run(args, options) {
   });
 }
 
+function getBinaryPath() {
+  const platformName = os$1.platform();
+  const binaryName = platformName === "win32" ? "difft.exe" : "difft";
+  return path.resolve(path.join(projectPath(), "tools", "unpacked", binaryName));
+}
+function run(args, options) {
+  const binaryPath = getBinaryPath();
+  return new Promise((resolve2, reject) => {
+    const child = child_process.spawn(binaryPath, args, {
+      stdio: ["pipe", "pipe", "pipe"],
+      cwd: options?.cwd,
+      env: {
+        ...process.env,
+        // Force color output when needed
+        FORCE_COLOR: "1"
+      }
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (data) => {
+      stdout += data.toString();
+    });
+    child.stderr.on("data", (data) => {
+      stderr += data.toString();
+    });
+    child.on("close", (code) => {
+      resolve2({
+        exitCode: code || 0,
+        stdout,
+        stderr
+      });
+    });
+    child.on("error", (err) => {
+      reject(err);
+    });
+  });
+}
+
 const execAsync = util.promisify(child_process.exec);
 function registerCommonHandlers(rpcHandlerManager) {
   rpcHandlerManager.registerHandler("bash", async (data) => {
@@ -1026,7 +1127,7 @@ function registerCommonHandlers(rpcHandlerManager) {
   rpcHandlerManager.registerHandler("readFile", async (data) => {
     logger.debug("Read file request:", data.path);
     try {
-      const buffer = await fs$1.readFile(data.path);
+      const buffer = await fs$2.readFile(data.path);
       const content = buffer.toString("base64");
       return { success: true, content };
     } catch (error) {
@@ -1039,7 +1140,7 @@ function registerCommonHandlers(rpcHandlerManager) {
     try {
       if (data.expectedHash !== null && data.expectedHash !== void 0) {
         try {
-          const existingBuffer = await fs$1.readFile(data.path);
+          const existingBuffer = await fs$2.readFile(data.path);
           const existingHash = crypto.createHash("sha256").update(existingBuffer).digest("hex");
           if (existingHash !== data.expectedHash) {
             return {
@@ -1059,7 +1160,7 @@ function registerCommonHandlers(rpcHandlerManager) {
         }
       } else {
         try {
-          await fs$1.stat(data.path);
+          await fs$2.stat(data.path);
           return {
             success: false,
             error: "File already exists but was expected to be new"
@@ -1072,7 +1173,7 @@ function registerCommonHandlers(rpcHandlerManager) {
         }
       }
       const buffer = Buffer.from(data.content, "base64");
-      await fs$1.writeFile(data.path, buffer);
+      await fs$2.writeFile(data.path, buffer);
       const hash = crypto.createHash("sha256").update(buffer).digest("hex");
       return { success: true, hash };
     } catch (error) {
@@ -1083,7 +1184,7 @@ function registerCommonHandlers(rpcHandlerManager) {
   rpcHandlerManager.registerHandler("listDirectory", async (data) => {
     logger.debug("List directory request:", data.path);
     try {
-      const entries = await fs$1.readdir(data.path, { withFileTypes: true });
+      const entries = await fs$2.readdir(data.path, { withFileTypes: true });
       const directoryEntries = await Promise.all(
         entries.map(async (entry) => {
           const fullPath = path.join(data.path, entry.name);
@@ -1096,7 +1197,7 @@ function registerCommonHandlers(rpcHandlerManager) {
             type = "file";
           }
           try {
-            const stats = await fs$1.stat(fullPath);
+            const stats = await fs$2.stat(fullPath);
             size = stats.size;
             modified = stats.mtime.getTime();
           } catch (error) {
@@ -1125,7 +1226,7 @@ function registerCommonHandlers(rpcHandlerManager) {
     logger.debug("Get directory tree request:", data.path, "maxDepth:", data.maxDepth);
     async function buildTree(path$1, name, currentDepth) {
       try {
-        const stats = await fs$1.stat(path$1);
+        const stats = await fs$2.stat(path$1);
         const node = {
           name,
           path: path$1,
@@ -1134,7 +1235,7 @@ function registerCommonHandlers(rpcHandlerManager) {
           modified: stats.mtime.getTime()
         };
         if (stats.isDirectory() && currentDepth < data.maxDepth) {
-          const entries = await fs$1.readdir(path$1, { withFileTypes: true });
+          const entries = await fs$2.readdir(path$1, { withFileTypes: true });
           const children = [];
           await Promise.all(
             entries.map(async (entry) => {
@@ -1180,7 +1281,7 @@ function registerCommonHandlers(rpcHandlerManager) {
   rpcHandlerManager.registerHandler("ripgrep", async (data) => {
     logger.debug("Ripgrep request with args:", data.args, "cwd:", data.cwd);
     try {
-      const result = await run(data.args, { cwd: data.cwd });
+      const result = await run$1(data.args, { cwd: data.cwd });
       return {
         success: true,
         exitCode: result.exitCode,
@@ -1195,11 +1296,28 @@ function registerCommonHandlers(rpcHandlerManager) {
       };
     }
   });
+  rpcHandlerManager.registerHandler("difftastic", async (data) => {
+    logger.debug("Difftastic request with args:", data.args, "cwd:", data.cwd);
+    try {
+      const result = await run(data.args, { cwd: data.cwd });
+      return {
+        success: true,
+        exitCode: result.exitCode,
+        stdout: result.stdout.toString(),
+        stderr: result.stderr.toString()
+      };
+    } catch (error) {
+      logger.debug("Failed to run difftastic:", error);
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Failed to run difftastic"
+      };
+    }
+  });
 }
 
 class ApiSessionClient extends node_events.EventEmitter {
   token;
-  secret;
   sessionId;
   metadata;
   metadataVersion;
@@ -1211,18 +1329,22 @@ class ApiSessionClient extends node_events.EventEmitter {
   rpcHandlerManager;
   agentStateLock = new AsyncLock();
   metadataLock = new AsyncLock();
-  constructor(token, secret, session) {
+  encryptionKey;
+  encryptionVariant;
+  constructor(token, session) {
     super();
     this.token = token;
-    this.secret = secret;
     this.sessionId = session.id;
     this.metadata = session.metadata;
     this.metadataVersion = session.metadataVersion;
     this.agentState = session.agentState;
     this.agentStateVersion = session.agentStateVersion;
+    this.encryptionKey = session.encryptionKey;
+    this.encryptionVariant = session.encryptionVariant;
     this.rpcHandlerManager = new RpcHandlerManager({
       scopePrefix: this.sessionId,
-      secret: this.secret,
+      encryptionKey: this.encryptionKey,
+      encryptionVariant: this.encryptionVariant,
       logger: (msg, data) => logger.debug(msg, data)
     });
     registerCommonHandlers(this.rpcHandlerManager);
@@ -1264,7 +1386,7 @@ class ApiSessionClient extends node_events.EventEmitter {
           return;
         }
         if (data.body.t === "new-message" && data.body.message.content.t === "encrypted") {
-          const body = decrypt(decodeBase64(data.body.message.content.c), this.secret);
+          const body = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.message.content.c));
           logger.debugLargeJson("[SOCKET] [UPDATE] Received update:", body);
           const userResult = UserMessageSchema.safeParse(body);
           if (userResult.success) {
@@ -1278,11 +1400,11 @@ class ApiSessionClient extends node_events.EventEmitter {
           }
         } else if (data.body.t === "update-session") {
           if (data.body.metadata && data.body.metadata.version > this.metadataVersion) {
-            this.metadata = decrypt(decodeBase64(data.body.metadata.value), this.secret);
+            this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.metadata.value));
             this.metadataVersion = data.body.metadata.version;
           }
           if (data.body.agentState && data.body.agentState.version > this.agentStateVersion) {
-            this.agentState = data.body.agentState.value ? decrypt(decodeBase64(data.body.agentState.value), this.secret) : null;
+            this.agentState = data.body.agentState.value ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.agentState.value)) : null;
             this.agentStateVersion = data.body.agentState.version;
           }
         } else if (data.body.t === "update-machine") {
@@ -1336,7 +1458,7 @@ class ApiSessionClient extends node_events.EventEmitter {
       };
     }
     logger.debugLargeJson("[SOCKET] Sending message through socket:", content);
-    const encrypted = encodeBase64(encrypt(content, this.secret));
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
     this.socket.emit("message", {
       sid: this.sessionId,
       message: encrypted
@@ -1358,6 +1480,24 @@ class ApiSessionClient extends node_events.EventEmitter {
       }));
     }
   }
+  sendCodexMessage(body) {
+    let content = {
+      role: "agent",
+      content: {
+        type: "codex",
+        data: body
+        // This wraps the entire Claude message
+      },
+      meta: {
+        sentFrom: "cli"
+      }
+    };
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
+    this.socket.emit("message", {
+      sid: this.sessionId,
+      message: encrypted
+    });
+  }
   sendSessionEvent(event, id) {
     let content = {
       role: "agent",
@@ -1367,7 +1507,7 @@ class ApiSessionClient extends node_events.EventEmitter {
         data: event
       }
     };
-    const encrypted = encodeBase64(encrypt(content, this.secret));
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
     this.socket.emit("message", {
       sid: this.sessionId,
       message: encrypted
@@ -1427,14 +1567,14 @@ class ApiSessionClient extends node_events.EventEmitter {
     this.metadataLock.inLock(async () => {
       await backoff(async () => {
         let updated = handler(this.metadata);
-        const answer = await this.socket.emitWithAck("update-metadata", { sid: this.sessionId, expectedVersion: this.metadataVersion, metadata: encodeBase64(encrypt(updated, this.secret)) });
+        const answer = await this.socket.emitWithAck("update-metadata", { sid: this.sessionId, expectedVersion: this.metadataVersion, metadata: encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, updated)) });
         if (answer.result === "success") {
-          this.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+          this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.metadata));
           this.metadataVersion = answer.version;
         } else if (answer.result === "version-mismatch") {
           if (answer.version > this.metadataVersion) {
             this.metadataVersion = answer.version;
-            this.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+            this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.metadata));
           }
           throw new Error("Metadata version mismatch");
         } else if (answer.result === "error") ;
@@ -1450,15 +1590,15 @@ class ApiSessionClient extends node_events.EventEmitter {
     this.agentStateLock.inLock(async () => {
       await backoff(async () => {
         let updated = handler(this.agentState || {});
-        const answer = await this.socket.emitWithAck("update-state", { sid: this.sessionId, expectedVersion: this.agentStateVersion, agentState: updated ? encodeBase64(encrypt(updated, this.secret)) : null });
+        const answer = await this.socket.emitWithAck("update-state", { sid: this.sessionId, expectedVersion: this.agentStateVersion, agentState: updated ? encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, updated)) : null });
         if (answer.result === "success") {
-          this.agentState = answer.agentState ? decrypt(decodeBase64(answer.agentState), this.secret) : null;
+          this.agentState = answer.agentState ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.agentState)) : null;
           this.agentStateVersion = answer.version;
           logger.debug("Agent state updated", this.agentState);
         } else if (answer.result === "version-mismatch") {
           if (answer.version > this.agentStateVersion) {
             this.agentStateVersion = answer.version;
-            this.agentState = answer.agentState ? decrypt(decodeBase64(answer.agentState), this.secret) : null;
+            this.agentState = answer.agentState ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.agentState)) : null;
           }
           throw new Error("Agent state version mismatch");
         } else if (answer.result === "error") ;
@@ -1482,18 +1622,19 @@ class ApiSessionClient extends node_events.EventEmitter {
     });
   }
   async close() {
+    logger.debug("[API] socket.close() called");
     this.socket.close();
   }
 }
 
 class ApiMachineClient {
-  constructor(token, secret, machine) {
+  constructor(token, machine) {
     this.token = token;
-    this.secret = secret;
     this.machine = machine;
     this.rpcHandlerManager = new RpcHandlerManager({
       scopePrefix: this.machine.id,
-      secret: this.secret,
+      encryptionKey: this.machine.encryptionKey,
+      encryptionVariant: this.machine.encryptionVariant,
       logger: (msg, data) => logger.debug(msg, data)
     });
     registerCommonHandlers(this.rpcHandlerManager);
@@ -1554,17 +1695,17 @@ class ApiMachineClient {
       const updated = handler(this.machine.metadata);
       const answer = await this.socket.emitWithAck("machine-update-metadata", {
         machineId: this.machine.id,
-        metadata: encodeBase64(encrypt(updated, this.secret)),
+        metadata: encodeBase64(encrypt(this.machine.encryptionKey, this.machine.encryptionVariant, updated)),
         expectedVersion: this.machine.metadataVersion
       });
       if (answer.result === "success") {
-        this.machine.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+        this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.metadata));
         this.machine.metadataVersion = answer.version;
         logger.debug("[API MACHINE] Metadata updated successfully");
       } else if (answer.result === "version-mismatch") {
         if (answer.version > this.machine.metadataVersion) {
           this.machine.metadataVersion = answer.version;
-          this.machine.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+          this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.metadata));
         }
         throw new Error("Metadata version mismatch");
       }
@@ -1579,17 +1720,17 @@ class ApiMachineClient {
       const updated = handler(this.machine.daemonState);
       const answer = await this.socket.emitWithAck("machine-update-state", {
         machineId: this.machine.id,
-        daemonState: encodeBase64(encrypt(updated, this.secret)),
+        daemonState: encodeBase64(encrypt(this.machine.encryptionKey, this.machine.encryptionVariant, updated)),
         expectedVersion: this.machine.daemonStateVersion
       });
       if (answer.result === "success") {
-        this.machine.daemonState = decrypt(decodeBase64(answer.daemonState), this.secret);
+        this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.daemonState));
         this.machine.daemonStateVersion = answer.version;
         logger.debug("[API MACHINE] Daemon state updated successfully");
       } else if (answer.result === "version-mismatch") {
         if (answer.version > this.machine.daemonStateVersion) {
           this.machine.daemonStateVersion = answer.version;
-          this.machine.daemonState = decrypt(decodeBase64(answer.daemonState), this.secret);
+          this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.daemonState));
         }
         throw new Error("Daemon state version mismatch");
       }
@@ -1636,12 +1777,12 @@ class ApiMachineClient {
         const update = data.body;
         if (update.metadata) {
           logger.debug("[API MACHINE] Received external metadata update");
-          this.machine.metadata = decrypt(decodeBase64(update.metadata.value), this.secret);
+          this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(update.metadata.value));
           this.machine.metadataVersion = update.metadata.version;
         }
         if (update.daemonState) {
           logger.debug("[API MACHINE] Received external daemon state update");
-          this.machine.daemonState = decrypt(decodeBase64(update.daemonState.value), this.secret);
+          this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(update.daemonState.value));
           this.machine.daemonStateVersion = update.daemonState.version;
         }
       } else {
@@ -1813,46 +1954,62 @@ class PushNotificationClient {
 }
 
 class ApiClient {
-  token;
-  secret;
+  static async create(credential) {
+    return new ApiClient(credential);
+  }
+  credential;
   pushClient;
-  constructor(token, secret) {
-    this.token = token;
-    this.secret = secret;
-    this.pushClient = new PushNotificationClient(token);
+  constructor(credential) {
+    this.credential = credential;
+    this.pushClient = new PushNotificationClient(credential.token, configuration.serverUrl);
   }
   /**
    * Create a new session or load existing one with the given tag
    */
   async getOrCreateSession(opts) {
+    let dataEncryptionKey = null;
+    let encryptionKey;
+    let encryptionVariant;
+    if (this.credential.encryption.type === "dataKey") {
+      encryptionKey = getRandomBytes(32);
+      encryptionVariant = "dataKey";
+      let encryptedDataKey = libsodiumEncryptForPublicKey(encryptionKey, this.credential.encryption.publicKey);
+      dataEncryptionKey = new Uint8Array(encryptedDataKey.length + 1);
+      dataEncryptionKey.set([0], 0);
+      dataEncryptionKey.set(encryptedDataKey, 1);
+    } else {
+      encryptionKey = this.credential.encryption.secret;
+      encryptionVariant = "legacy";
+    }
     try {
       const response = await axios.post(
         `${configuration.serverUrl}/v1/sessions`,
         {
           tag: opts.tag,
-          metadata: encodeBase64(encrypt(opts.metadata, this.secret)),
-          agentState: opts.state ? encodeBase64(encrypt(opts.state, this.secret)) : null
+          metadata: encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.metadata)),
+          agentState: opts.state ? encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.state)) : null,
+          dataEncryptionKey: dataEncryptionKey ? encodeBase64(dataEncryptionKey) : null
         },
         {
           headers: {
-            "Authorization": `Bearer ${this.token}`,
+            "Authorization": `Bearer ${this.credential.token}`,
             "Content-Type": "application/json"
           },
-          timeout: 5e3
-          // 5 second timeout
+          timeout: 6e4
+          // 1 minute timeout for very bad network connections
         }
       );
       logger.debug(`Session created/loaded: ${response.data.session.id} (tag: ${opts.tag})`);
       let raw = response.data.session;
       let session = {
         id: raw.id,
-        createdAt: raw.createdAt,
-        updatedAt: raw.updatedAt,
         seq: raw.seq,
-        metadata: decrypt(decodeBase64(raw.metadata), this.secret),
+        metadata: decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.metadata)),
         metadataVersion: raw.metadataVersion,
-        agentState: raw.agentState ? decrypt(decodeBase64(raw.agentState), this.secret) : null,
-        agentStateVersion: raw.agentStateVersion
+        agentState: raw.agentState ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.agentState)) : null,
+        agentStateVersion: raw.agentStateVersion,
+        encryptionKey,
+        encryptionVariant
       };
       return session;
     } catch (error) {
@@ -1860,54 +2017,40 @@ class ApiClient {
       throw new Error(`Failed to get or create session: ${error instanceof Error ? error.message : "Unknown error"}`);
     }
   }
-  /**
-   * Get machine by ID from the server
-   * Returns the current machine state from the server with decrypted metadata and daemonState
-   */
-  async getMachine(machineId) {
-    const response = await axios.get(`${configuration.serverUrl}/v1/machines/${machineId}`, {
-      headers: {
-        "Authorization": `Bearer ${this.token}`,
-        "Content-Type": "application/json"
-      },
-      timeout: 2e3
-    });
-    const raw = response.data.machine;
-    if (!raw) {
-      return null;
-    }
-    logger.debug(`[API] Machine ${machineId} fetched from server`);
-    const machine = {
-      id: raw.id,
-      metadata: raw.metadata ? decrypt(decodeBase64(raw.metadata), this.secret) : null,
-      metadataVersion: raw.metadataVersion || 0,
-      daemonState: raw.daemonState ? decrypt(decodeBase64(raw.daemonState), this.secret) : null,
-      daemonStateVersion: raw.daemonStateVersion || 0,
-      active: raw.active,
-      activeAt: raw.activeAt,
-      createdAt: raw.createdAt,
-      updatedAt: raw.updatedAt
-    };
-    return machine;
-  }
   /**
    * Register or update machine with the server
    * Returns the current machine state from the server with decrypted metadata and daemonState
    */
   async getOrCreateMachine(opts) {
+    let dataEncryptionKey = null;
+    let encryptionKey;
+    let encryptionVariant;
+    if (this.credential.encryption.type === "dataKey") {
+      encryptionVariant = "dataKey";
+      encryptionKey = this.credential.encryption.machineKey;
+      let encryptedDataKey = libsodiumEncryptForPublicKey(this.credential.encryption.machineKey, this.credential.encryption.publicKey);
+      dataEncryptionKey = new Uint8Array(encryptedDataKey.length + 1);
+      dataEncryptionKey.set([0], 0);
+      dataEncryptionKey.set(encryptedDataKey, 1);
+    } else {
+      encryptionKey = this.credential.encryption.secret;
+      encryptionVariant = "legacy";
+    }
     const response = await axios.post(
       `${configuration.serverUrl}/v1/machines`,
       {
         id: opts.machineId,
-        metadata: encodeBase64(encrypt(opts.metadata, this.secret)),
-        daemonState: opts.daemonState ? encodeBase64(encrypt(opts.daemonState, this.secret)) : void 0
+        metadata: encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.metadata)),
+        daemonState: opts.daemonState ? encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.daemonState)) : void 0,
+        dataEncryptionKey: dataEncryptionKey ? encodeBase64(dataEncryptionKey) : void 0
       },
       {
         headers: {
-          "Authorization": `Bearer ${this.token}`,
+          "Authorization": `Bearer ${this.credential.token}`,
           "Content-Type": "application/json"
         },
-        timeout: 5e3
+        timeout: 6e4
+        // 1 minute timeout for very bad network connections
       }
     );
     if (response.status !== 200) {
@@ -1919,22 +2062,20 @@ class ApiClient {
     logger.debug(`[API] Machine ${opts.machineId} registered/updated with server`);
     const machine = {
       id: raw.id,
-      metadata: raw.metadata ? decrypt(decodeBase64(raw.metadata), this.secret) : null,
+      encryptionKey,
+      encryptionVariant,
+      metadata: raw.metadata ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.metadata)) : null,
       metadataVersion: raw.metadataVersion || 0,
-      daemonState: raw.daemonState ? decrypt(decodeBase64(raw.daemonState), this.secret) : null,
-      daemonStateVersion: raw.daemonStateVersion || 0,
-      active: raw.active,
-      activeAt: raw.activeAt,
-      createdAt: raw.createdAt,
-      updatedAt: raw.updatedAt
+      daemonState: raw.daemonState ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.daemonState)) : null,
+      daemonStateVersion: raw.daemonStateVersion || 0
     };
     return machine;
   }
   sessionSyncClient(session) {
-    return new ApiSessionClient(this.token, this.secret, session);
+    return new ApiSessionClient(this.credential.token, session);
   }
   machineSyncClient(machine) {
-    return new ApiMachineClient(this.token, this.secret, machine);
+    return new ApiMachineClient(this.credential.token, machine);
   }
   push() {
     return this.pushClient;
@@ -1952,7 +2093,7 @@ class ApiClient {
         },
         {
           headers: {
-            "Authorization": `Bearer ${this.token}`,
+            "Authorization": `Bearer ${this.credential.token}`,
             "Content-Type": "application/json"
           },
           timeout: 5e3
@@ -2040,5 +2181,6 @@ exports.readDaemonState = readDaemonState;
 exports.readSettings = readSettings;
 exports.releaseDaemonLock = releaseDaemonLock;
 exports.updateSettings = updateSettings;
-exports.writeCredentials = writeCredentials;
+exports.writeCredentialsDataKey = writeCredentialsDataKey;
+exports.writeCredentialsLegacy = writeCredentialsLegacy;
 exports.writeDaemonState = writeDaemonState;