happy-coder 0.10.0-3 → 0.10.0-4

package/dist/{types-xds_c-JJ.mjs → types-2wHnX7UW.mjs}

@@ -7,7 +7,7 @@ import { join, basename } from 'node:path';
 import { readFile, open, stat, unlink, mkdir, writeFile, rename } from 'node:fs/promises';
 import * as z from 'zod';
 import { z as z$1 } from 'zod';
-import { randomBytes, randomUUID } from 'node:crypto';
+import { randomBytes, createCipheriv, createDecipheriv, randomUUID } from 'node:crypto';
 import tweetnacl from 'tweetnacl';
 import { EventEmitter } from 'node:events';
 import { io } from 'socket.io-client';
@@ -21,7 +21,7 @@ import { platform } from 'os';
 import { Expo } from 'expo-server-sdk';
 
 var name = "happy-coder";
-var version = "0.10.0-3";
+var version = "0.10.0-4";
 var description = "Mobile and Web client for Claude Code and Codex";
 var author = "Kirill Dubovitskiy";
 var license = "MIT";
@@ -81,7 +81,7 @@ var scripts = {
 	build: "shx rm -rf dist && npx tsc --noEmit && pkgroll",
 	test: "yarn build && tsx --env-file .env.integration-test node_modules/.bin/vitest run",
 	start: "yarn build && ./bin/happy.mjs",
-	dev: "yarn build && tsx --env-file .env.dev src/index.ts",
+	dev: "tsx --env-file .env.dev src/index.ts",
 	"dev:local-server": "yarn build && tsx --env-file .env.dev-local-server src/index.ts",
 	"dev:integration-test-env": "yarn build && tsx --env-file .env.integration-test src/index.ts",
 	prepublishOnly: "yarn build && yarn test",
@@ -93,6 +93,7 @@ var dependencies = {
 	"@anthropic-ai/sdk": "^0.56.0",
 	"@modelcontextprotocol/sdk": "^1.15.1",
 	"@stablelib/base64": "^2.0.1",
+	"@stablelib/hex": "^2.0.1",
 	"@types/cross-spawn": "^6.0.6",
 	"@types/http-proxy": "^1.17.16",
 	"@types/ps-list": "^6.2.1",
@@ -166,6 +167,7 @@ var packageJson = {
 
 class Configuration {
   serverUrl;
+  webappUrl;
   isDaemonProcess;
   // Directories and paths (from persistence)
   happyHomeDir;
@@ -178,6 +180,7 @@ class Configuration {
   isExperimentalEnabled;
   constructor() {
     this.serverUrl = process.env.HAPPY_SERVER_URL || "https://api.cluster-fluster.com";
+    this.webappUrl = process.env.HAPPY_WEBAPP_URL || "https://app.happy.engineering";
     const args = process.argv.slice(2);
     this.isDaemonProcess = args.length >= 2 && args[0] === "daemon" && args[1] === "start-sync";
     if (process.env.HAPPY_HOME_DIR) {
@@ -222,7 +225,17 @@ function decodeBase64(base64, variant = "base64") {
 function getRandomBytes(size) {
   return new Uint8Array(randomBytes(size));
 }
-function encrypt(data, secret) {
+function libsodiumEncryptForPublicKey(data, recipientPublicKey) {
+  const ephemeralKeyPair = tweetnacl.box.keyPair();
+  const nonce = getRandomBytes(tweetnacl.box.nonceLength);
+  const encrypted = tweetnacl.box(data, nonce, recipientPublicKey, ephemeralKeyPair.secretKey);
+  const result = new Uint8Array(ephemeralKeyPair.publicKey.length + nonce.length + encrypted.length);
+  result.set(ephemeralKeyPair.publicKey, 0);
+  result.set(nonce, ephemeralKeyPair.publicKey.length);
+  result.set(encrypted, ephemeralKeyPair.publicKey.length + nonce.length);
+  return result;
+}
+function encryptLegacy(data, secret) {
   const nonce = getRandomBytes(tweetnacl.secretbox.nonceLength);
   const encrypted = tweetnacl.secretbox(new TextEncoder().encode(JSON.stringify(data)), nonce, secret);
   const result = new Uint8Array(nonce.length + encrypted.length);
@@ -230,7 +243,7 @@ function encrypt(data, secret) {
   result.set(encrypted, nonce.length);
   return result;
 }
-function decrypt(data, secret) {
+function decryptLegacy(data, secret) {
   const nonce = data.slice(0, tweetnacl.secretbox.nonceLength);
   const encrypted = data.slice(tweetnacl.secretbox.nonceLength);
   const decrypted = tweetnacl.secretbox.open(encrypted, nonce, secret);
@@ -239,6 +252,61 @@ function decrypt(data, secret) {
   }
   return JSON.parse(new TextDecoder().decode(decrypted));
 }
+function encryptWithDataKey(data, dataKey) {
+  const nonce = getRandomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", dataKey, nonce);
+  const plaintext = new TextEncoder().encode(JSON.stringify(data));
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  const bundle = new Uint8Array(12 + encrypted.length + 16 + 1);
+  bundle.set([0], 0);
+  bundle.set(nonce, 1);
+  bundle.set(new Uint8Array(encrypted), 13);
+  bundle.set(new Uint8Array(authTag), 13 + encrypted.length);
+  return bundle;
+}
+function decryptWithDataKey(bundle, dataKey) {
+  if (bundle.length < 1) {
+    return null;
+  }
+  if (bundle[0] !== 0) {
+    return null;
+  }
+  if (bundle.length < 12 + 16 + 1) {
+    return null;
+  }
+  const nonce = bundle.slice(1, 13);
+  const authTag = bundle.slice(bundle.length - 16);
+  const ciphertext = bundle.slice(13, bundle.length - 16);
+  try {
+    const decipher = createDecipheriv("aes-256-gcm", dataKey, nonce);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]);
+    return JSON.parse(new TextDecoder().decode(decrypted));
+  } catch (error) {
+    return null;
+  }
+}
+function encrypt(key, variant, data) {
+  if (variant === "legacy") {
+    return encryptLegacy(data, key);
+  } else {
+    return encryptWithDataKey(data, key);
+  }
+}
+function decrypt(key, variant, data) {
+  if (variant === "legacy") {
+    return decryptLegacy(data, key);
+  } else {
+    return decryptWithDataKey(data, key);
+  }
+}
 
 const defaultSettings = {
   onboardingCompleted: false
@@ -302,8 +370,13 @@ async function updateSettings(updater) {
   }
 }
 const credentialsSchema = z.object({
-  secret: z.string().base64(),
-  token: z.string()
+  token: z.string(),
+  secret: z.string().base64().nullish(),
+  // Legacy
+  encryption: z.object({
+    publicKey: z.string().base64(),
+    machineKey: z.string().base64()
+  }).nullish()
 });
 async function readCredentials() {
   if (!existsSync(configuration.privateKeyFile)) {
@@ -312,15 +385,30 @@ async function readCredentials() {
   try {
     const keyBase64 = await readFile(configuration.privateKeyFile, "utf8");
     const credentials = credentialsSchema.parse(JSON.parse(keyBase64));
-    return {
-      secret: new Uint8Array(Buffer.from(credentials.secret, "base64")),
-      token: credentials.token
-    };
+    if (credentials.secret) {
+      return {
+        token: credentials.token,
+        encryption: {
+          type: "legacy",
+          secret: new Uint8Array(Buffer.from(credentials.secret, "base64"))
+        }
+      };
+    } else if (credentials.encryption) {
+      return {
+        token: credentials.token,
+        encryption: {
+          type: "dataKey",
+          publicKey: new Uint8Array(Buffer.from(credentials.encryption.publicKey, "base64")),
+          machineKey: new Uint8Array(Buffer.from(credentials.encryption.machineKey, "base64"))
+        }
+      };
+    }
   } catch {
     return null;
   }
+  return null;
 }
-async function writeCredentials(credentials) {
+async function writeCredentialsLegacy(credentials) {
   if (!existsSync(configuration.happyHomeDir)) {
     await mkdir(configuration.happyHomeDir, { recursive: true });
   }
@@ -329,6 +417,15 @@ async function writeCredentials(credentials) {
     token: credentials.token
   }, null, 2));
 }
+async function writeCredentialsDataKey(credentials) {
+  if (!existsSync(configuration.happyHomeDir)) {
+    await mkdir(configuration.happyHomeDir, { recursive: true });
+  }
+  await writeFile(configuration.privateKeyFile, JSON.stringify({
+    encryption: { publicKey: encodeBase64(credentials.publicKey), machineKey: encodeBase64(credentials.machineKey) },
+    token: credentials.token
+  }, null, 2));
+}
 async function clearCredentials() {
   if (existsSync(configuration.privateKeyFile)) {
     await unlink(configuration.privateKeyFile);
@@ -663,32 +760,6 @@ z$1.object({
   ]),
   createdAt: z$1.number()
 });
-z$1.object({
-  createdAt: z$1.number(),
-  id: z$1.string(),
-  seq: z$1.number(),
-  updatedAt: z$1.number(),
-  metadata: z$1.any(),
-  metadataVersion: z$1.number(),
-  agentState: z$1.any().nullable(),
-  agentStateVersion: z$1.number(),
-  // Connectivity tracking (from server)
-  connectivityStatus: z$1.union([
-    z$1.enum(["neverConnected", "online", "offline"]),
-    z$1.string()
-    // Forward compatibility
-  ]).optional(),
-  connectivityStatusSince: z$1.number().optional(),
-  connectivityStatusReason: z$1.string().optional(),
-  // State tracking (from server)
-  state: z$1.union([
-    z$1.enum(["running", "archiveRequested", "archived"]),
-    z$1.string()
-    // Forward compatibility
-  ]).optional(),
-  stateSince: z$1.number().optional(),
-  stateReason: z$1.string().optional()
-});
 z$1.object({
   host: z$1.string(),
   platform: z$1.string(),
@@ -713,37 +784,6 @@ z$1.object({
     // Forward compatibility
   ]).optional()
 });
-z$1.object({
-  id: z$1.string(),
-  metadata: z$1.any(),
-  // Decrypted MachineMetadata
-  metadataVersion: z$1.number(),
-  daemonState: z$1.any().nullable(),
-  // Decrypted DaemonState
-  daemonStateVersion: z$1.number(),
-  // We don't really care about these on the CLI for now
-  // ApiMachineClient will not sync these
-  active: z$1.boolean(),
-  activeAt: z$1.number(),
-  createdAt: z$1.number(),
-  updatedAt: z$1.number(),
-  // Connectivity tracking (from server)
-  connectivityStatus: z$1.union([
-    z$1.enum(["neverConnected", "online", "offline"]),
-    z$1.string()
-    // Forward compatibility
-  ]).optional(),
-  connectivityStatusSince: z$1.number().optional(),
-  connectivityStatusReason: z$1.string().optional(),
-  // State tracking (from server)
-  state: z$1.union([
-    z$1.enum(["running", "archiveRequested", "archived"]),
-    z$1.string()
-    // Forward compatibility
-  ]).optional(),
-  stateSince: z$1.number().optional(),
-  stateReason: z$1.string().optional()
-});
 z$1.object({
   content: SessionMessageContentSchema,
   createdAt: z$1.number(),
@@ -867,12 +907,14 @@ class AsyncLock {
 class RpcHandlerManager {
   handlers = /* @__PURE__ */ new Map();
   scopePrefix;
-  secret;
+  encryptionKey;
+  encryptionVariant;
   logger;
   socket = null;
   constructor(config) {
     this.scopePrefix = config.scopePrefix;
-    this.secret = config.secret;
+    this.encryptionKey = config.encryptionKey;
+    this.encryptionVariant = config.encryptionVariant;
     this.logger = config.logger || ((msg, data) => logger.debug(msg, data));
   }
   /**
@@ -898,20 +940,19 @@ class RpcHandlerManager {
       if (!handler) {
         this.logger("[RPC] [ERROR] Method not found", { method: request.method });
         const errorResponse = { error: "Method not found" };
-        const encryptedError = encodeBase64(encrypt(errorResponse, this.secret));
+        const encryptedError = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, errorResponse));
         return encryptedError;
       }
-      const decryptedParams = decrypt(decodeBase64(request.params), this.secret);
+      const decryptedParams = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(request.params));
       const result = await handler(decryptedParams);
-      const encryptedResponse = encodeBase64(encrypt(result, this.secret));
+      const encryptedResponse = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, result));
       return encryptedResponse;
     } catch (error) {
       this.logger("[RPC] [ERROR] Error handling request", { error });
       const errorResponse = {
         error: error instanceof Error ? error.message : "Unknown error"
       };
-      const encryptedError = encodeBase64(encrypt(errorResponse, this.secret));
-      return encryptedError;
+      return encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, errorResponse));
     }
   }
   onSocketConnect(socket) {
@@ -1256,7 +1297,6 @@ function registerCommonHandlers(rpcHandlerManager) {
 
 class ApiSessionClient extends EventEmitter {
   token;
-  secret;
   sessionId;
   metadata;
   metadataVersion;
@@ -1268,18 +1308,22 @@ class ApiSessionClient extends EventEmitter {
   rpcHandlerManager;
   agentStateLock = new AsyncLock();
   metadataLock = new AsyncLock();
-  constructor(token, secret, session) {
+  encryptionKey;
+  encryptionVariant;
+  constructor(token, session) {
     super();
     this.token = token;
-    this.secret = secret;
     this.sessionId = session.id;
     this.metadata = session.metadata;
     this.metadataVersion = session.metadataVersion;
     this.agentState = session.agentState;
     this.agentStateVersion = session.agentStateVersion;
+    this.encryptionKey = session.encryptionKey;
+    this.encryptionVariant = session.encryptionVariant;
     this.rpcHandlerManager = new RpcHandlerManager({
       scopePrefix: this.sessionId,
-      secret: this.secret,
+      encryptionKey: this.encryptionKey,
+      encryptionVariant: this.encryptionVariant,
       logger: (msg, data) => logger.debug(msg, data)
     });
     registerCommonHandlers(this.rpcHandlerManager);
@@ -1321,7 +1365,7 @@ class ApiSessionClient extends EventEmitter {
           return;
         }
         if (data.body.t === "new-message" && data.body.message.content.t === "encrypted") {
-          const body = decrypt(decodeBase64(data.body.message.content.c), this.secret);
+          const body = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.message.content.c));
           logger.debugLargeJson("[SOCKET] [UPDATE] Received update:", body);
           const userResult = UserMessageSchema.safeParse(body);
           if (userResult.success) {
@@ -1335,11 +1379,11 @@ class ApiSessionClient extends EventEmitter {
           }
         } else if (data.body.t === "update-session") {
           if (data.body.metadata && data.body.metadata.version > this.metadataVersion) {
-            this.metadata = decrypt(decodeBase64(data.body.metadata.value), this.secret);
+            this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.metadata.value));
             this.metadataVersion = data.body.metadata.version;
           }
           if (data.body.agentState && data.body.agentState.version > this.agentStateVersion) {
-            this.agentState = data.body.agentState.value ? decrypt(decodeBase64(data.body.agentState.value), this.secret) : null;
+            this.agentState = data.body.agentState.value ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.agentState.value)) : null;
             this.agentStateVersion = data.body.agentState.version;
           }
         } else if (data.body.t === "update-machine") {
@@ -1393,7 +1437,7 @@ class ApiSessionClient extends EventEmitter {
       };
     }
     logger.debugLargeJson("[SOCKET] Sending message through socket:", content);
-    const encrypted = encodeBase64(encrypt(content, this.secret));
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
     this.socket.emit("message", {
       sid: this.sessionId,
       message: encrypted
@@ -1427,7 +1471,7 @@ class ApiSessionClient extends EventEmitter {
         sentFrom: "cli"
       }
     };
-    const encrypted = encodeBase64(encrypt(content, this.secret));
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
     this.socket.emit("message", {
       sid: this.sessionId,
       message: encrypted
@@ -1442,7 +1486,7 @@ class ApiSessionClient extends EventEmitter {
         data: event
       }
     };
-    const encrypted = encodeBase64(encrypt(content, this.secret));
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
     this.socket.emit("message", {
       sid: this.sessionId,
       message: encrypted
@@ -1502,14 +1546,14 @@ class ApiSessionClient extends EventEmitter {
     this.metadataLock.inLock(async () => {
       await backoff(async () => {
         let updated = handler(this.metadata);
-        const answer = await this.socket.emitWithAck("update-metadata", { sid: this.sessionId, expectedVersion: this.metadataVersion, metadata: encodeBase64(encrypt(updated, this.secret)) });
+        const answer = await this.socket.emitWithAck("update-metadata", { sid: this.sessionId, expectedVersion: this.metadataVersion, metadata: encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, updated)) });
         if (answer.result === "success") {
-          this.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+          this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.metadata));
           this.metadataVersion = answer.version;
         } else if (answer.result === "version-mismatch") {
           if (answer.version > this.metadataVersion) {
             this.metadataVersion = answer.version;
-            this.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+            this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.metadata));
           }
           throw new Error("Metadata version mismatch");
         } else if (answer.result === "error") ;
@@ -1525,15 +1569,15 @@ class ApiSessionClient extends EventEmitter {
     this.agentStateLock.inLock(async () => {
       await backoff(async () => {
         let updated = handler(this.agentState || {});
-        const answer = await this.socket.emitWithAck("update-state", { sid: this.sessionId, expectedVersion: this.agentStateVersion, agentState: updated ? encodeBase64(encrypt(updated, this.secret)) : null });
+        const answer = await this.socket.emitWithAck("update-state", { sid: this.sessionId, expectedVersion: this.agentStateVersion, agentState: updated ? encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, updated)) : null });
         if (answer.result === "success") {
-          this.agentState = answer.agentState ? decrypt(decodeBase64(answer.agentState), this.secret) : null;
+          this.agentState = answer.agentState ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.agentState)) : null;
           this.agentStateVersion = answer.version;
           logger.debug("Agent state updated", this.agentState);
         } else if (answer.result === "version-mismatch") {
           if (answer.version > this.agentStateVersion) {
             this.agentStateVersion = answer.version;
-            this.agentState = answer.agentState ? decrypt(decodeBase64(answer.agentState), this.secret) : null;
+            this.agentState = answer.agentState ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.agentState)) : null;
           }
           throw new Error("Agent state version mismatch");
         } else if (answer.result === "error") ;
@@ -1563,13 +1607,13 @@ class ApiSessionClient extends EventEmitter {
 }
 
 class ApiMachineClient {
-  constructor(token, secret, machine) {
+  constructor(token, machine) {
     this.token = token;
-    this.secret = secret;
     this.machine = machine;
     this.rpcHandlerManager = new RpcHandlerManager({
       scopePrefix: this.machine.id,
-      secret: this.secret,
+      encryptionKey: this.machine.encryptionKey,
+      encryptionVariant: this.machine.encryptionVariant,
       logger: (msg, data) => logger.debug(msg, data)
     });
     registerCommonHandlers(this.rpcHandlerManager);
@@ -1630,17 +1674,17 @@ class ApiMachineClient {
       const updated = handler(this.machine.metadata);
       const answer = await this.socket.emitWithAck("machine-update-metadata", {
         machineId: this.machine.id,
-        metadata: encodeBase64(encrypt(updated, this.secret)),
+        metadata: encodeBase64(encrypt(this.machine.encryptionKey, this.machine.encryptionVariant, updated)),
         expectedVersion: this.machine.metadataVersion
       });
       if (answer.result === "success") {
-        this.machine.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+        this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.metadata));
         this.machine.metadataVersion = answer.version;
         logger.debug("[API MACHINE] Metadata updated successfully");
       } else if (answer.result === "version-mismatch") {
         if (answer.version > this.machine.metadataVersion) {
           this.machine.metadataVersion = answer.version;
-          this.machine.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+          this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.metadata));
         }
         throw new Error("Metadata version mismatch");
       }
@@ -1655,17 +1699,17 @@ class ApiMachineClient {
       const updated = handler(this.machine.daemonState);
       const answer = await this.socket.emitWithAck("machine-update-state", {
         machineId: this.machine.id,
-        daemonState: encodeBase64(encrypt(updated, this.secret)),
+        daemonState: encodeBase64(encrypt(this.machine.encryptionKey, this.machine.encryptionVariant, updated)),
         expectedVersion: this.machine.daemonStateVersion
       });
       if (answer.result === "success") {
-        this.machine.daemonState = decrypt(decodeBase64(answer.daemonState), this.secret);
+        this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.daemonState));
         this.machine.daemonStateVersion = answer.version;
         logger.debug("[API MACHINE] Daemon state updated successfully");
       } else if (answer.result === "version-mismatch") {
         if (answer.version > this.machine.daemonStateVersion) {
           this.machine.daemonStateVersion = answer.version;
-          this.machine.daemonState = decrypt(decodeBase64(answer.daemonState), this.secret);
+          this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.daemonState));
         }
         throw new Error("Daemon state version mismatch");
       }
@@ -1712,12 +1756,12 @@ class ApiMachineClient {
         const update = data.body;
         if (update.metadata) {
           logger.debug("[API MACHINE] Received external metadata update");
-          this.machine.metadata = decrypt(decodeBase64(update.metadata.value), this.secret);
+          this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(update.metadata.value));
           this.machine.metadataVersion = update.metadata.version;
         }
         if (update.daemonState) {
           logger.debug("[API MACHINE] Received external daemon state update");
-          this.machine.daemonState = decrypt(decodeBase64(update.daemonState.value), this.secret);
+          this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(update.daemonState.value));
           this.machine.daemonStateVersion = update.daemonState.version;
         }
       } else {
@@ -1889,46 +1933,62 @@ class PushNotificationClient {
 }
 
 class ApiClient {
-  token;
-  secret;
+  static async create(credential) {
+    return new ApiClient(credential);
+  }
+  credential;
   pushClient;
-  constructor(token, secret) {
-    this.token = token;
-    this.secret = secret;
-    this.pushClient = new PushNotificationClient(token);
+  constructor(credential) {
+    this.credential = credential;
+    this.pushClient = new PushNotificationClient(credential.token, configuration.serverUrl);
   }
   /**
    * Create a new session or load existing one with the given tag
    */
   async getOrCreateSession(opts) {
+    let dataEncryptionKey = null;
+    let encryptionKey;
+    let encryptionVariant;
+    if (this.credential.encryption.type === "dataKey") {
+      encryptionKey = getRandomBytes(32);
+      encryptionVariant = "dataKey";
+      let encryptedDataKey = libsodiumEncryptForPublicKey(encryptionKey, this.credential.encryption.publicKey);
+      dataEncryptionKey = new Uint8Array(encryptedDataKey.length + 1);
+      dataEncryptionKey.set([0], 0);
+      dataEncryptionKey.set(encryptedDataKey, 1);
+    } else {
+      encryptionKey = this.credential.encryption.secret;
+      encryptionVariant = "legacy";
+    }
     try {
       const response = await axios.post(
         `${configuration.serverUrl}/v1/sessions`,
         {
           tag: opts.tag,
-          metadata: encodeBase64(encrypt(opts.metadata, this.secret)),
-          agentState: opts.state ? encodeBase64(encrypt(opts.state, this.secret)) : null
+          metadata: encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.metadata)),
+          agentState: opts.state ? encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.state)) : null,
+          dataEncryptionKey: dataEncryptionKey ? encodeBase64(dataEncryptionKey) : null
         },
         {
           headers: {
-            "Authorization": `Bearer ${this.token}`,
+            "Authorization": `Bearer ${this.credential.token}`,
             "Content-Type": "application/json"
           },
-          timeout: 5e3
-          // 5 second timeout
+          timeout: 6e4
+          // 1 minute timeout for very bad network connections
         }
       );
       logger.debug(`Session created/loaded: ${response.data.session.id} (tag: ${opts.tag})`);
       let raw = response.data.session;
       let session = {
         id: raw.id,
-        createdAt: raw.createdAt,
-        updatedAt: raw.updatedAt,
         seq: raw.seq,
-        metadata: decrypt(decodeBase64(raw.metadata), this.secret),
+        metadata: decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.metadata)),
         metadataVersion: raw.metadataVersion,
-        agentState: raw.agentState ? decrypt(decodeBase64(raw.agentState), this.secret) : null,
-        agentStateVersion: raw.agentStateVersion
+        agentState: raw.agentState ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.agentState)) : null,
+        agentStateVersion: raw.agentStateVersion,
+        encryptionKey,
+        encryptionVariant
       };
       return session;
     } catch (error) {
@@ -1936,54 +1996,40 @@ class ApiClient {
       throw new Error(`Failed to get or create session: ${error instanceof Error ? error.message : "Unknown error"}`);
     }
   }
-  /**
-   * Get machine by ID from the server
-   * Returns the current machine state from the server with decrypted metadata and daemonState
-   */
-  async getMachine(machineId) {
-    const response = await axios.get(`${configuration.serverUrl}/v1/machines/${machineId}`, {
-      headers: {
-        "Authorization": `Bearer ${this.token}`,
-        "Content-Type": "application/json"
-      },
-      timeout: 2e3
-    });
-    const raw = response.data.machine;
-    if (!raw) {
-      return null;
-    }
-    logger.debug(`[API] Machine ${machineId} fetched from server`);
-    const machine = {
-      id: raw.id,
-      metadata: raw.metadata ? decrypt(decodeBase64(raw.metadata), this.secret) : null,
-      metadataVersion: raw.metadataVersion || 0,
-      daemonState: raw.daemonState ? decrypt(decodeBase64(raw.daemonState), this.secret) : null,
-      daemonStateVersion: raw.daemonStateVersion || 0,
-      active: raw.active,
-      activeAt: raw.activeAt,
-      createdAt: raw.createdAt,
-      updatedAt: raw.updatedAt
-    };
-    return machine;
-  }
   /**
    * Register or update machine with the server
    * Returns the current machine state from the server with decrypted metadata and daemonState
    */
   async getOrCreateMachine(opts) {
+    let dataEncryptionKey = null;
+    let encryptionKey;
+    let encryptionVariant;
+    if (this.credential.encryption.type === "dataKey") {
+      encryptionVariant = "dataKey";
+      encryptionKey = this.credential.encryption.machineKey;
+      let encryptedDataKey = libsodiumEncryptForPublicKey(this.credential.encryption.machineKey, this.credential.encryption.publicKey);
+      dataEncryptionKey = new Uint8Array(encryptedDataKey.length + 1);
+      dataEncryptionKey.set([0], 0);
+      dataEncryptionKey.set(encryptedDataKey, 1);
+    } else {
+      encryptionKey = this.credential.encryption.secret;
+      encryptionVariant = "legacy";
+    }
     const response = await axios.post(
       `${configuration.serverUrl}/v1/machines`,
       {
         id: opts.machineId,
-        metadata: encodeBase64(encrypt(opts.metadata, this.secret)),
-        daemonState: opts.daemonState ? encodeBase64(encrypt(opts.daemonState, this.secret)) : void 0
+        metadata: encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.metadata)),
+        daemonState: opts.daemonState ? encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.daemonState)) : void 0,
+        dataEncryptionKey: dataEncryptionKey ? encodeBase64(dataEncryptionKey) : void 0
       },
       {
         headers: {
-          "Authorization": `Bearer ${this.token}`,
+          "Authorization": `Bearer ${this.credential.token}`,
           "Content-Type": "application/json"
         },
-        timeout: 5e3
+        timeout: 6e4
+        // 1 minute timeout for very bad network connections
       }
     );
     if (response.status !== 200) {
@@ -1995,22 +2041,20 @@ class ApiClient {
     logger.debug(`[API] Machine ${opts.machineId} registered/updated with server`);
     const machine = {
       id: raw.id,
-      metadata: raw.metadata ? decrypt(decodeBase64(raw.metadata), this.secret) : null,
+      encryptionKey,
+      encryptionVariant,
+      metadata: raw.metadata ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.metadata)) : null,
       metadataVersion: raw.metadataVersion || 0,
-      daemonState: raw.daemonState ? decrypt(decodeBase64(raw.daemonState), this.secret) : null,
-      daemonStateVersion: raw.daemonStateVersion || 0,
-      active: raw.active,
-      activeAt: raw.activeAt,
-      createdAt: raw.createdAt,
-      updatedAt: raw.updatedAt
+      daemonState: raw.daemonState ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.daemonState)) : null,
+      daemonStateVersion: raw.daemonStateVersion || 0
     };
     return machine;
   }
   sessionSyncClient(session) {
-    return new ApiSessionClient(this.token, this.secret, session);
+    return new ApiSessionClient(this.credential.token, session);
   }
   machineSyncClient(machine) {
-    return new ApiMachineClient(this.token, this.secret, machine);
+    return new ApiMachineClient(this.credential.token, machine);
   }
   push() {
     return this.pushClient;
@@ -2028,7 +2072,7 @@ class ApiClient {
         },
         {
           headers: {
-            "Authorization": `Bearer ${this.token}`,
+            "Authorization": `Bearer ${this.credential.token}`,
             "Content-Type": "application/json"
           },
           timeout: 5e3
@@ -2093,4 +2137,4 @@ const RawJSONLinesSchema = z$1.discriminatedUnion("type", [
   }).passthrough()
 ]);
 
-export { ApiClient as A, RawJSONLinesSchema as R, ApiSessionClient as a, packageJson as b, configuration as c, backoff as d, delay as e, AsyncLock as f, readDaemonState as g, clearDaemonState as h, readCredentials as i, encodeBase64 as j, encodeBase64Url as k, logger as l, decodeBase64 as m, acquireDaemonLock as n, writeDaemonState as o, projectPath as p, releaseDaemonLock as q, readSettings as r, clearCredentials as s, clearMachineId as t, updateSettings as u, getLatestDaemonLog as v, writeCredentials as w };
+export { ApiClient as A, RawJSONLinesSchema as R, ApiSessionClient as a, packageJson as b, configuration as c, backoff as d, delay as e, AsyncLock as f, readDaemonState as g, clearDaemonState as h, readCredentials as i, encodeBase64 as j, encodeBase64Url as k, logger as l, decodeBase64 as m, writeCredentialsDataKey as n, acquireDaemonLock as o, projectPath as p, writeDaemonState as q, readSettings as r, releaseDaemonLock as s, clearCredentials as t, updateSettings as u, clearMachineId as v, writeCredentialsLegacy as w, getLatestDaemonLog as x };