happy-coder 0.10.0-3 → 0.10.0-4

package/dist/{types-CsJGQvQ3.cjs → types-BcDnTXMg.cjs}

@@ -42,7 +42,7 @@ function _interopNamespaceDefault(e) {
 var z__namespace = /*#__PURE__*/_interopNamespaceDefault(z);
 
 var name = "happy-coder";
-var version = "0.10.0-3";
+var version = "0.10.0-4";
 var description = "Mobile and Web client for Claude Code and Codex";
 var author = "Kirill Dubovitskiy";
 var license = "MIT";
@@ -102,7 +102,7 @@ var scripts = {
 	build: "shx rm -rf dist && npx tsc --noEmit && pkgroll",
 	test: "yarn build && tsx --env-file .env.integration-test node_modules/.bin/vitest run",
 	start: "yarn build && ./bin/happy.mjs",
-	dev: "yarn build && tsx --env-file .env.dev src/index.ts",
+	dev: "tsx --env-file .env.dev src/index.ts",
 	"dev:local-server": "yarn build && tsx --env-file .env.dev-local-server src/index.ts",
 	"dev:integration-test-env": "yarn build && tsx --env-file .env.integration-test src/index.ts",
 	prepublishOnly: "yarn build && yarn test",
@@ -114,6 +114,7 @@ var dependencies = {
 	"@anthropic-ai/sdk": "^0.56.0",
 	"@modelcontextprotocol/sdk": "^1.15.1",
 	"@stablelib/base64": "^2.0.1",
+	"@stablelib/hex": "^2.0.1",
 	"@types/cross-spawn": "^6.0.6",
 	"@types/http-proxy": "^1.17.16",
 	"@types/ps-list": "^6.2.1",
@@ -187,6 +188,7 @@ var packageJson = {
 
 class Configuration {
   serverUrl;
+  webappUrl;
   isDaemonProcess;
   // Directories and paths (from persistence)
   happyHomeDir;
@@ -199,6 +201,7 @@ class Configuration {
   isExperimentalEnabled;
   constructor() {
     this.serverUrl = process.env.HAPPY_SERVER_URL || "https://api.cluster-fluster.com";
+    this.webappUrl = process.env.HAPPY_WEBAPP_URL || "https://app.happy.engineering";
     const args = process.argv.slice(2);
     this.isDaemonProcess = args.length >= 2 && args[0] === "daemon" && args[1] === "start-sync";
     if (process.env.HAPPY_HOME_DIR) {
@@ -243,7 +246,17 @@ function decodeBase64(base64, variant = "base64") {
 function getRandomBytes(size) {
   return new Uint8Array(node_crypto.randomBytes(size));
 }
-function encrypt(data, secret) {
+function libsodiumEncryptForPublicKey(data, recipientPublicKey) {
+  const ephemeralKeyPair = tweetnacl.box.keyPair();
+  const nonce = getRandomBytes(tweetnacl.box.nonceLength);
+  const encrypted = tweetnacl.box(data, nonce, recipientPublicKey, ephemeralKeyPair.secretKey);
+  const result = new Uint8Array(ephemeralKeyPair.publicKey.length + nonce.length + encrypted.length);
+  result.set(ephemeralKeyPair.publicKey, 0);
+  result.set(nonce, ephemeralKeyPair.publicKey.length);
+  result.set(encrypted, ephemeralKeyPair.publicKey.length + nonce.length);
+  return result;
+}
+function encryptLegacy(data, secret) {
   const nonce = getRandomBytes(tweetnacl.secretbox.nonceLength);
   const encrypted = tweetnacl.secretbox(new TextEncoder().encode(JSON.stringify(data)), nonce, secret);
   const result = new Uint8Array(nonce.length + encrypted.length);
@@ -251,7 +264,7 @@ function encrypt(data, secret) {
   result.set(encrypted, nonce.length);
   return result;
 }
-function decrypt(data, secret) {
+function decryptLegacy(data, secret) {
   const nonce = data.slice(0, tweetnacl.secretbox.nonceLength);
   const encrypted = data.slice(tweetnacl.secretbox.nonceLength);
   const decrypted = tweetnacl.secretbox.open(encrypted, nonce, secret);
@@ -260,6 +273,61 @@ function decrypt(data, secret) {
   }
   return JSON.parse(new TextDecoder().decode(decrypted));
 }
+function encryptWithDataKey(data, dataKey) {
+  const nonce = getRandomBytes(12);
+  const cipher = node_crypto.createCipheriv("aes-256-gcm", dataKey, nonce);
+  const plaintext = new TextEncoder().encode(JSON.stringify(data));
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  const bundle = new Uint8Array(12 + encrypted.length + 16 + 1);
+  bundle.set([0], 0);
+  bundle.set(nonce, 1);
+  bundle.set(new Uint8Array(encrypted), 13);
+  bundle.set(new Uint8Array(authTag), 13 + encrypted.length);
+  return bundle;
+}
+function decryptWithDataKey(bundle, dataKey) {
+  if (bundle.length < 1) {
+    return null;
+  }
+  if (bundle[0] !== 0) {
+    return null;
+  }
+  if (bundle.length < 12 + 16 + 1) {
+    return null;
+  }
+  const nonce = bundle.slice(1, 13);
+  const authTag = bundle.slice(bundle.length - 16);
+  const ciphertext = bundle.slice(13, bundle.length - 16);
+  try {
+    const decipher = node_crypto.createDecipheriv("aes-256-gcm", dataKey, nonce);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]);
+    return JSON.parse(new TextDecoder().decode(decrypted));
+  } catch (error) {
+    return null;
+  }
+}
+function encrypt(key, variant, data) {
+  if (variant === "legacy") {
+    return encryptLegacy(data, key);
+  } else {
+    return encryptWithDataKey(data, key);
+  }
+}
+function decrypt(key, variant, data) {
+  if (variant === "legacy") {
+    return decryptLegacy(data, key);
+  } else {
+    return decryptWithDataKey(data, key);
+  }
+}
 
 const defaultSettings = {
   onboardingCompleted: false
@@ -323,8 +391,13 @@ async function updateSettings(updater) {
   }
 }
 const credentialsSchema = z__namespace.object({
-  secret: z__namespace.string().base64(),
-  token: z__namespace.string()
+  token: z__namespace.string(),
+  secret: z__namespace.string().base64().nullish(),
+  // Legacy
+  encryption: z__namespace.object({
+    publicKey: z__namespace.string().base64(),
+    machineKey: z__namespace.string().base64()
+  }).nullish()
 });
 async function readCredentials() {
   if (!fs.existsSync(configuration.privateKeyFile)) {
@@ -333,15 +406,30 @@ async function readCredentials() {
   try {
     const keyBase64 = await promises.readFile(configuration.privateKeyFile, "utf8");
     const credentials = credentialsSchema.parse(JSON.parse(keyBase64));
-    return {
-      secret: new Uint8Array(Buffer.from(credentials.secret, "base64")),
-      token: credentials.token
-    };
+    if (credentials.secret) {
+      return {
+        token: credentials.token,
+        encryption: {
+          type: "legacy",
+          secret: new Uint8Array(Buffer.from(credentials.secret, "base64"))
+        }
+      };
+    } else if (credentials.encryption) {
+      return {
+        token: credentials.token,
+        encryption: {
+          type: "dataKey",
+          publicKey: new Uint8Array(Buffer.from(credentials.encryption.publicKey, "base64")),
+          machineKey: new Uint8Array(Buffer.from(credentials.encryption.machineKey, "base64"))
+        }
+      };
+    }
   } catch {
     return null;
   }
+  return null;
 }
-async function writeCredentials(credentials) {
+async function writeCredentialsLegacy(credentials) {
   if (!fs.existsSync(configuration.happyHomeDir)) {
     await promises.mkdir(configuration.happyHomeDir, { recursive: true });
   }
@@ -350,6 +438,15 @@ async function writeCredentials(credentials) {
     token: credentials.token
   }, null, 2));
 }
+async function writeCredentialsDataKey(credentials) {
+  if (!fs.existsSync(configuration.happyHomeDir)) {
+    await promises.mkdir(configuration.happyHomeDir, { recursive: true });
+  }
+  await promises.writeFile(configuration.privateKeyFile, JSON.stringify({
+    encryption: { publicKey: encodeBase64(credentials.publicKey), machineKey: encodeBase64(credentials.machineKey) },
+    token: credentials.token
+  }, null, 2));
+}
 async function clearCredentials() {
   if (fs.existsSync(configuration.privateKeyFile)) {
     await promises.unlink(configuration.privateKeyFile);
@@ -684,32 +781,6 @@ z.z.object({
   ]),
   createdAt: z.z.number()
 });
-z.z.object({
-  createdAt: z.z.number(),
-  id: z.z.string(),
-  seq: z.z.number(),
-  updatedAt: z.z.number(),
-  metadata: z.z.any(),
-  metadataVersion: z.z.number(),
-  agentState: z.z.any().nullable(),
-  agentStateVersion: z.z.number(),
-  // Connectivity tracking (from server)
-  connectivityStatus: z.z.union([
-    z.z.enum(["neverConnected", "online", "offline"]),
-    z.z.string()
-    // Forward compatibility
-  ]).optional(),
-  connectivityStatusSince: z.z.number().optional(),
-  connectivityStatusReason: z.z.string().optional(),
-  // State tracking (from server)
-  state: z.z.union([
-    z.z.enum(["running", "archiveRequested", "archived"]),
-    z.z.string()
-    // Forward compatibility
-  ]).optional(),
-  stateSince: z.z.number().optional(),
-  stateReason: z.z.string().optional()
-});
 z.z.object({
   host: z.z.string(),
   platform: z.z.string(),
@@ -734,37 +805,6 @@ z.z.object({
     // Forward compatibility
   ]).optional()
 });
-z.z.object({
-  id: z.z.string(),
-  metadata: z.z.any(),
-  // Decrypted MachineMetadata
-  metadataVersion: z.z.number(),
-  daemonState: z.z.any().nullable(),
-  // Decrypted DaemonState
-  daemonStateVersion: z.z.number(),
-  // We don't really care about these on the CLI for now
-  // ApiMachineClient will not sync these
-  active: z.z.boolean(),
-  activeAt: z.z.number(),
-  createdAt: z.z.number(),
-  updatedAt: z.z.number(),
-  // Connectivity tracking (from server)
-  connectivityStatus: z.z.union([
-    z.z.enum(["neverConnected", "online", "offline"]),
-    z.z.string()
-    // Forward compatibility
-  ]).optional(),
-  connectivityStatusSince: z.z.number().optional(),
-  connectivityStatusReason: z.z.string().optional(),
-  // State tracking (from server)
-  state: z.z.union([
-    z.z.enum(["running", "archiveRequested", "archived"]),
-    z.z.string()
-    // Forward compatibility
-  ]).optional(),
-  stateSince: z.z.number().optional(),
-  stateReason: z.z.string().optional()
-});
 z.z.object({
   content: SessionMessageContentSchema,
   createdAt: z.z.number(),
@@ -888,12 +928,14 @@ class AsyncLock {
 class RpcHandlerManager {
   handlers = /* @__PURE__ */ new Map();
   scopePrefix;
-  secret;
+  encryptionKey;
+  encryptionVariant;
   logger;
   socket = null;
   constructor(config) {
     this.scopePrefix = config.scopePrefix;
-    this.secret = config.secret;
+    this.encryptionKey = config.encryptionKey;
+    this.encryptionVariant = config.encryptionVariant;
     this.logger = config.logger || ((msg, data) => logger.debug(msg, data));
   }
   /**
@@ -919,20 +961,19 @@ class RpcHandlerManager {
       if (!handler) {
         this.logger("[RPC] [ERROR] Method not found", { method: request.method });
         const errorResponse = { error: "Method not found" };
-        const encryptedError = encodeBase64(encrypt(errorResponse, this.secret));
+        const encryptedError = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, errorResponse));
         return encryptedError;
       }
-      const decryptedParams = decrypt(decodeBase64(request.params), this.secret);
+      const decryptedParams = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(request.params));
       const result = await handler(decryptedParams);
-      const encryptedResponse = encodeBase64(encrypt(result, this.secret));
+      const encryptedResponse = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, result));
       return encryptedResponse;
     } catch (error) {
       this.logger("[RPC] [ERROR] Error handling request", { error });
       const errorResponse = {
         error: error instanceof Error ? error.message : "Unknown error"
       };
-      const encryptedError = encodeBase64(encrypt(errorResponse, this.secret));
-      return encryptedError;
+      return encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, errorResponse));
     }
   }
   onSocketConnect(socket) {
@@ -974,7 +1015,7 @@ class RpcHandlerManager {
   }
 }
 
-const __dirname$1 = path.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('types-CsJGQvQ3.cjs', document.baseURI).href))));
+const __dirname$1 = path.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('types-BcDnTXMg.cjs', document.baseURI).href))));
 function projectPath() {
   const path$1 = path.resolve(__dirname$1, "..");
   return path$1;
@@ -1277,7 +1318,6 @@ function registerCommonHandlers(rpcHandlerManager) {
 
 class ApiSessionClient extends node_events.EventEmitter {
   token;
-  secret;
   sessionId;
   metadata;
   metadataVersion;
@@ -1289,18 +1329,22 @@ class ApiSessionClient extends node_events.EventEmitter {
   rpcHandlerManager;
   agentStateLock = new AsyncLock();
   metadataLock = new AsyncLock();
-  constructor(token, secret, session) {
+  encryptionKey;
+  encryptionVariant;
+  constructor(token, session) {
     super();
     this.token = token;
-    this.secret = secret;
     this.sessionId = session.id;
     this.metadata = session.metadata;
     this.metadataVersion = session.metadataVersion;
     this.agentState = session.agentState;
     this.agentStateVersion = session.agentStateVersion;
+    this.encryptionKey = session.encryptionKey;
+    this.encryptionVariant = session.encryptionVariant;
     this.rpcHandlerManager = new RpcHandlerManager({
       scopePrefix: this.sessionId,
-      secret: this.secret,
+      encryptionKey: this.encryptionKey,
+      encryptionVariant: this.encryptionVariant,
       logger: (msg, data) => logger.debug(msg, data)
     });
     registerCommonHandlers(this.rpcHandlerManager);
@@ -1342,7 +1386,7 @@ class ApiSessionClient extends node_events.EventEmitter {
           return;
         }
         if (data.body.t === "new-message" && data.body.message.content.t === "encrypted") {
-          const body = decrypt(decodeBase64(data.body.message.content.c), this.secret);
+          const body = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.message.content.c));
           logger.debugLargeJson("[SOCKET] [UPDATE] Received update:", body);
           const userResult = UserMessageSchema.safeParse(body);
           if (userResult.success) {
@@ -1356,11 +1400,11 @@ class ApiSessionClient extends node_events.EventEmitter {
           }
         } else if (data.body.t === "update-session") {
           if (data.body.metadata && data.body.metadata.version > this.metadataVersion) {
-            this.metadata = decrypt(decodeBase64(data.body.metadata.value), this.secret);
+            this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.metadata.value));
             this.metadataVersion = data.body.metadata.version;
           }
           if (data.body.agentState && data.body.agentState.version > this.agentStateVersion) {
-            this.agentState = data.body.agentState.value ? decrypt(decodeBase64(data.body.agentState.value), this.secret) : null;
+            this.agentState = data.body.agentState.value ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(data.body.agentState.value)) : null;
             this.agentStateVersion = data.body.agentState.version;
           }
         } else if (data.body.t === "update-machine") {
@@ -1414,7 +1458,7 @@ class ApiSessionClient extends node_events.EventEmitter {
       };
     }
     logger.debugLargeJson("[SOCKET] Sending message through socket:", content);
-    const encrypted = encodeBase64(encrypt(content, this.secret));
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
     this.socket.emit("message", {
       sid: this.sessionId,
       message: encrypted
@@ -1448,7 +1492,7 @@ class ApiSessionClient extends node_events.EventEmitter {
         sentFrom: "cli"
       }
     };
-    const encrypted = encodeBase64(encrypt(content, this.secret));
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
     this.socket.emit("message", {
       sid: this.sessionId,
       message: encrypted
@@ -1463,7 +1507,7 @@ class ApiSessionClient extends node_events.EventEmitter {
         data: event
       }
     };
-    const encrypted = encodeBase64(encrypt(content, this.secret));
+    const encrypted = encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, content));
     this.socket.emit("message", {
       sid: this.sessionId,
       message: encrypted
@@ -1523,14 +1567,14 @@ class ApiSessionClient extends node_events.EventEmitter {
     this.metadataLock.inLock(async () => {
       await backoff(async () => {
         let updated = handler(this.metadata);
-        const answer = await this.socket.emitWithAck("update-metadata", { sid: this.sessionId, expectedVersion: this.metadataVersion, metadata: encodeBase64(encrypt(updated, this.secret)) });
+        const answer = await this.socket.emitWithAck("update-metadata", { sid: this.sessionId, expectedVersion: this.metadataVersion, metadata: encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, updated)) });
         if (answer.result === "success") {
-          this.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+          this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.metadata));
           this.metadataVersion = answer.version;
         } else if (answer.result === "version-mismatch") {
           if (answer.version > this.metadataVersion) {
             this.metadataVersion = answer.version;
-            this.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+            this.metadata = decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.metadata));
           }
           throw new Error("Metadata version mismatch");
         } else if (answer.result === "error") ;
@@ -1546,15 +1590,15 @@ class ApiSessionClient extends node_events.EventEmitter {
     this.agentStateLock.inLock(async () => {
       await backoff(async () => {
         let updated = handler(this.agentState || {});
-        const answer = await this.socket.emitWithAck("update-state", { sid: this.sessionId, expectedVersion: this.agentStateVersion, agentState: updated ? encodeBase64(encrypt(updated, this.secret)) : null });
+        const answer = await this.socket.emitWithAck("update-state", { sid: this.sessionId, expectedVersion: this.agentStateVersion, agentState: updated ? encodeBase64(encrypt(this.encryptionKey, this.encryptionVariant, updated)) : null });
         if (answer.result === "success") {
-          this.agentState = answer.agentState ? decrypt(decodeBase64(answer.agentState), this.secret) : null;
+          this.agentState = answer.agentState ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.agentState)) : null;
           this.agentStateVersion = answer.version;
           logger.debug("Agent state updated", this.agentState);
         } else if (answer.result === "version-mismatch") {
           if (answer.version > this.agentStateVersion) {
             this.agentStateVersion = answer.version;
-            this.agentState = answer.agentState ? decrypt(decodeBase64(answer.agentState), this.secret) : null;
+            this.agentState = answer.agentState ? decrypt(this.encryptionKey, this.encryptionVariant, decodeBase64(answer.agentState)) : null;
           }
           throw new Error("Agent state version mismatch");
         } else if (answer.result === "error") ;
@@ -1584,13 +1628,13 @@ class ApiSessionClient extends node_events.EventEmitter {
 }
 
 class ApiMachineClient {
-  constructor(token, secret, machine) {
+  constructor(token, machine) {
     this.token = token;
-    this.secret = secret;
     this.machine = machine;
     this.rpcHandlerManager = new RpcHandlerManager({
       scopePrefix: this.machine.id,
-      secret: this.secret,
+      encryptionKey: this.machine.encryptionKey,
+      encryptionVariant: this.machine.encryptionVariant,
       logger: (msg, data) => logger.debug(msg, data)
     });
     registerCommonHandlers(this.rpcHandlerManager);
@@ -1651,17 +1695,17 @@ class ApiMachineClient {
       const updated = handler(this.machine.metadata);
       const answer = await this.socket.emitWithAck("machine-update-metadata", {
         machineId: this.machine.id,
-        metadata: encodeBase64(encrypt(updated, this.secret)),
+        metadata: encodeBase64(encrypt(this.machine.encryptionKey, this.machine.encryptionVariant, updated)),
         expectedVersion: this.machine.metadataVersion
       });
       if (answer.result === "success") {
-        this.machine.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+        this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.metadata));
         this.machine.metadataVersion = answer.version;
         logger.debug("[API MACHINE] Metadata updated successfully");
       } else if (answer.result === "version-mismatch") {
         if (answer.version > this.machine.metadataVersion) {
           this.machine.metadataVersion = answer.version;
-          this.machine.metadata = decrypt(decodeBase64(answer.metadata), this.secret);
+          this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.metadata));
         }
         throw new Error("Metadata version mismatch");
       }
@@ -1676,17 +1720,17 @@ class ApiMachineClient {
       const updated = handler(this.machine.daemonState);
       const answer = await this.socket.emitWithAck("machine-update-state", {
         machineId: this.machine.id,
-        daemonState: encodeBase64(encrypt(updated, this.secret)),
+        daemonState: encodeBase64(encrypt(this.machine.encryptionKey, this.machine.encryptionVariant, updated)),
         expectedVersion: this.machine.daemonStateVersion
       });
       if (answer.result === "success") {
-        this.machine.daemonState = decrypt(decodeBase64(answer.daemonState), this.secret);
+        this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.daemonState));
         this.machine.daemonStateVersion = answer.version;
         logger.debug("[API MACHINE] Daemon state updated successfully");
       } else if (answer.result === "version-mismatch") {
         if (answer.version > this.machine.daemonStateVersion) {
           this.machine.daemonStateVersion = answer.version;
-          this.machine.daemonState = decrypt(decodeBase64(answer.daemonState), this.secret);
+          this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(answer.daemonState));
         }
         throw new Error("Daemon state version mismatch");
       }
@@ -1733,12 +1777,12 @@ class ApiMachineClient {
         const update = data.body;
         if (update.metadata) {
           logger.debug("[API MACHINE] Received external metadata update");
-          this.machine.metadata = decrypt(decodeBase64(update.metadata.value), this.secret);
+          this.machine.metadata = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(update.metadata.value));
           this.machine.metadataVersion = update.metadata.version;
         }
         if (update.daemonState) {
           logger.debug("[API MACHINE] Received external daemon state update");
-          this.machine.daemonState = decrypt(decodeBase64(update.daemonState.value), this.secret);
+          this.machine.daemonState = decrypt(this.machine.encryptionKey, this.machine.encryptionVariant, decodeBase64(update.daemonState.value));
           this.machine.daemonStateVersion = update.daemonState.version;
         }
       } else {
@@ -1910,46 +1954,62 @@ class PushNotificationClient {
 }
 
 class ApiClient {
-  token;
-  secret;
+  static async create(credential) {
+    return new ApiClient(credential);
+  }
+  credential;
   pushClient;
-  constructor(token, secret) {
-    this.token = token;
-    this.secret = secret;
-    this.pushClient = new PushNotificationClient(token);
+  constructor(credential) {
+    this.credential = credential;
+    this.pushClient = new PushNotificationClient(credential.token, configuration.serverUrl);
   }
   /**
    * Create a new session or load existing one with the given tag
    */
   async getOrCreateSession(opts) {
+    let dataEncryptionKey = null;
+    let encryptionKey;
+    let encryptionVariant;
+    if (this.credential.encryption.type === "dataKey") {
+      encryptionKey = getRandomBytes(32);
+      encryptionVariant = "dataKey";
+      let encryptedDataKey = libsodiumEncryptForPublicKey(encryptionKey, this.credential.encryption.publicKey);
+      dataEncryptionKey = new Uint8Array(encryptedDataKey.length + 1);
+      dataEncryptionKey.set([0], 0);
+      dataEncryptionKey.set(encryptedDataKey, 1);
+    } else {
+      encryptionKey = this.credential.encryption.secret;
+      encryptionVariant = "legacy";
+    }
     try {
       const response = await axios.post(
         `${configuration.serverUrl}/v1/sessions`,
         {
           tag: opts.tag,
-          metadata: encodeBase64(encrypt(opts.metadata, this.secret)),
-          agentState: opts.state ? encodeBase64(encrypt(opts.state, this.secret)) : null
+          metadata: encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.metadata)),
+          agentState: opts.state ? encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.state)) : null,
+          dataEncryptionKey: dataEncryptionKey ? encodeBase64(dataEncryptionKey) : null
         },
         {
           headers: {
-            "Authorization": `Bearer ${this.token}`,
+            "Authorization": `Bearer ${this.credential.token}`,
             "Content-Type": "application/json"
           },
-          timeout: 5e3
-          // 5 second timeout
+          timeout: 6e4
+          // 1 minute timeout for very bad network connections
         }
       );
       logger.debug(`Session created/loaded: ${response.data.session.id} (tag: ${opts.tag})`);
       let raw = response.data.session;
       let session = {
         id: raw.id,
-        createdAt: raw.createdAt,
-        updatedAt: raw.updatedAt,
         seq: raw.seq,
-        metadata: decrypt(decodeBase64(raw.metadata), this.secret),
+        metadata: decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.metadata)),
         metadataVersion: raw.metadataVersion,
-        agentState: raw.agentState ? decrypt(decodeBase64(raw.agentState), this.secret) : null,
-        agentStateVersion: raw.agentStateVersion
+        agentState: raw.agentState ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.agentState)) : null,
+        agentStateVersion: raw.agentStateVersion,
+        encryptionKey,
+        encryptionVariant
       };
       return session;
     } catch (error) {
@@ -1957,54 +2017,40 @@ class ApiClient {
       throw new Error(`Failed to get or create session: ${error instanceof Error ? error.message : "Unknown error"}`);
     }
   }
-  /**
-   * Get machine by ID from the server
-   * Returns the current machine state from the server with decrypted metadata and daemonState
-   */
-  async getMachine(machineId) {
-    const response = await axios.get(`${configuration.serverUrl}/v1/machines/${machineId}`, {
-      headers: {
-        "Authorization": `Bearer ${this.token}`,
-        "Content-Type": "application/json"
-      },
-      timeout: 2e3
-    });
-    const raw = response.data.machine;
-    if (!raw) {
-      return null;
-    }
-    logger.debug(`[API] Machine ${machineId} fetched from server`);
-    const machine = {
-      id: raw.id,
-      metadata: raw.metadata ? decrypt(decodeBase64(raw.metadata), this.secret) : null,
-      metadataVersion: raw.metadataVersion || 0,
-      daemonState: raw.daemonState ? decrypt(decodeBase64(raw.daemonState), this.secret) : null,
-      daemonStateVersion: raw.daemonStateVersion || 0,
-      active: raw.active,
-      activeAt: raw.activeAt,
-      createdAt: raw.createdAt,
-      updatedAt: raw.updatedAt
-    };
-    return machine;
-  }
   /**
    * Register or update machine with the server
    * Returns the current machine state from the server with decrypted metadata and daemonState
    */
   async getOrCreateMachine(opts) {
+    let dataEncryptionKey = null;
+    let encryptionKey;
+    let encryptionVariant;
+    if (this.credential.encryption.type === "dataKey") {
+      encryptionVariant = "dataKey";
+      encryptionKey = this.credential.encryption.machineKey;
+      let encryptedDataKey = libsodiumEncryptForPublicKey(this.credential.encryption.machineKey, this.credential.encryption.publicKey);
+      dataEncryptionKey = new Uint8Array(encryptedDataKey.length + 1);
+      dataEncryptionKey.set([0], 0);
+      dataEncryptionKey.set(encryptedDataKey, 1);
+    } else {
+      encryptionKey = this.credential.encryption.secret;
+      encryptionVariant = "legacy";
+    }
     const response = await axios.post(
       `${configuration.serverUrl}/v1/machines`,
       {
         id: opts.machineId,
-        metadata: encodeBase64(encrypt(opts.metadata, this.secret)),
-        daemonState: opts.daemonState ? encodeBase64(encrypt(opts.daemonState, this.secret)) : void 0
+        metadata: encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.metadata)),
+        daemonState: opts.daemonState ? encodeBase64(encrypt(encryptionKey, encryptionVariant, opts.daemonState)) : void 0,
+        dataEncryptionKey: dataEncryptionKey ? encodeBase64(dataEncryptionKey) : void 0
       },
       {
         headers: {
-          "Authorization": `Bearer ${this.token}`,
+          "Authorization": `Bearer ${this.credential.token}`,
           "Content-Type": "application/json"
         },
-        timeout: 5e3
+        timeout: 6e4
+        // 1 minute timeout for very bad network connections
       }
     );
     if (response.status !== 200) {
@@ -2016,22 +2062,20 @@ class ApiClient {
     logger.debug(`[API] Machine ${opts.machineId} registered/updated with server`);
     const machine = {
       id: raw.id,
-      metadata: raw.metadata ? decrypt(decodeBase64(raw.metadata), this.secret) : null,
+      encryptionKey,
+      encryptionVariant,
+      metadata: raw.metadata ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.metadata)) : null,
       metadataVersion: raw.metadataVersion || 0,
-      daemonState: raw.daemonState ? decrypt(decodeBase64(raw.daemonState), this.secret) : null,
-      daemonStateVersion: raw.daemonStateVersion || 0,
-      active: raw.active,
-      activeAt: raw.activeAt,
-      createdAt: raw.createdAt,
-      updatedAt: raw.updatedAt
+      daemonState: raw.daemonState ? decrypt(encryptionKey, encryptionVariant, decodeBase64(raw.daemonState)) : null,
+      daemonStateVersion: raw.daemonStateVersion || 0
     };
     return machine;
   }
   sessionSyncClient(session) {
-    return new ApiSessionClient(this.token, this.secret, session);
+    return new ApiSessionClient(this.credential.token, session);
   }
   machineSyncClient(machine) {
-    return new ApiMachineClient(this.token, this.secret, machine);
+    return new ApiMachineClient(this.credential.token, machine);
   }
   push() {
     return this.pushClient;
@@ -2049,7 +2093,7 @@ class ApiClient {
         },
         {
           headers: {
-            "Authorization": `Bearer ${this.token}`,
+            "Authorization": `Bearer ${this.credential.token}`,
             "Content-Type": "application/json"
           },
           timeout: 5e3
@@ -2137,5 +2181,6 @@ exports.readDaemonState = readDaemonState;
 exports.readSettings = readSettings;
 exports.releaseDaemonLock = releaseDaemonLock;
 exports.updateSettings = updateSettings;
-exports.writeCredentials = writeCredentials;
+exports.writeCredentialsDataKey = writeCredentialsDataKey;
+exports.writeCredentialsLegacy = writeCredentialsLegacy;
 exports.writeDaemonState = writeDaemonState;