happy-imou-cloud 1.1.6 → 1.1.7

package/dist/{config-DSI9r8Jl.cjs → config-BQNrtwRY.cjs}

@@ -4,7 +4,7 @@ var fs = require('fs');
 var path = require('path');
 var os = require('os');
 var child_process = require('child_process');
-var api = require('./types-DSQA_cBn.cjs');
+var api = require('./types-BSTmyv9d.cjs');
 
 const GEMINI_API_KEY_ENV = "GEMINI_API_KEY";
 const GOOGLE_API_KEY_ENV = "GOOGLE_API_KEY";

package/dist/{config-C4c3eRAq.mjs → config-Dn99YH37.mjs}

@@ -2,7 +2,7 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { execSync } from 'child_process';
-import { l as logger } from './types-DY1-MAPO.mjs';
+import { l as logger } from './types-BXyraW9R.mjs';
 
 const GEMINI_API_KEY_ENV = "GEMINI_API_KEY";
 const GOOGLE_API_KEY_ENV = "GOOGLE_API_KEY";

package/dist/{index-B3bkHdEU.mjs → index-CUmYqKWt.mjs}

@@ -1,7 +1,7 @@
 import{createRequire as _pkgrollCR}from"node:module";const require=_pkgrollCR(import.meta.url);import chalk from 'chalk';
 import os$1, { homedir, tmpdir } from 'node:os';
 import { randomUUID, randomBytes } from 'node:crypto';
-import { l as logger, f as backoff, d as delay, R as RawJSONLinesSchema, g as AsyncLock, c as configuration, H as HAPPY_CLOUD_DAEMON_PORT, p as packageJson, e as encodeBase64, h as encodeBase64Url, i as decodeBase64, A as ApiClient, b as connectionState, s as startOfflineReconnection, j as getLatestDaemonLog } from './types-DY1-MAPO.mjs';
+import { l as logger, f as backoff, d as delay, R as RawJSONLinesSchema, g as AsyncLock, c as configuration, H as HAPPY_CLOUD_DAEMON_PORT, p as packageJson, e as encodeBase64, h as buildAuthenticatedHeaders, i as encodeBase64Url, j as buildClientHeaders, k as decodeBase64, A as ApiClient, b as connectionState, s as startOfflineReconnection, m as getLatestDaemonLog } from './types-BXyraW9R.mjs';
 import { spawn, execSync, execFileSync } from 'node:child_process';
 import { resolve, isAbsolute, join } from 'node:path';
 import { createInterface } from 'node:readline';
@@ -19,7 +19,7 @@ import 'socket.io-client';
 import tweetnacl from 'tweetnacl';
 import 'expo-server-sdk';
 import { isDeepStrictEqual } from 'node:util';
-import { readDaemonState, clearDaemonState, readSettings, readCredentials, updateSettings, writeCredentialsLegacy, writeCredentialsDataKey, acquireDaemonLock, writeDaemonState, releaseDaemonLock, validateProfileForAgent, getProfileEnvironmentVariables, clearCredentials, clearMachineId } from './persistence-DS4-Wbnm.mjs';
+import { readDaemonState, clearDaemonState, readSettings, readCredentials, updateSettings, writeCredentialsLegacy, writeCredentialsDataKey, acquireDaemonLock, writeDaemonState, releaseDaemonLock, validateProfileForAgent, getProfileEnvironmentVariables, clearCredentials, clearMachineId } from './persistence-BGsuPqaO.mjs';
 import { createHash, randomBytes as randomBytes$1 } from 'crypto';
 import { spawn as spawn$1, execSync as execSync$1, exec } from 'child_process';
 import { readFileSync as readFileSync$1, existsSync as existsSync$1, writeFileSync as writeFileSync$1, chmodSync, unlinkSync as unlinkSync$1, mkdirSync as mkdirSync$1 } from 'fs';
@@ -4127,6 +4127,7 @@ async function runDoctorCommand(filter) {
       const credentials = await readCredentials();
       if (credentials) {
         console.log(chalk.green("\u2713 Authenticated (credentials found)"));
+        console.log(`Request signing: ${credentials.signing ? chalk.green("ready") : chalk.yellow("legacy credentials")}`);
       } else {
         console.log(chalk.yellow("\u26A0\uFE0F  Not authenticated (no credentials)"));
       }
@@ -4454,6 +4455,8 @@ async function createTerminalAuthRequest(keypair) {
   const response = await axios.post(`${configuration.serverUrl}/v1/auth/request`, {
     publicKey: encodeBase64(keypair.publicKey),
     supportsV2: true
+  }, {
+    headers: buildClientHeaders()
   });
   if (process.env.DEBUG) {
     console.log("[AUTH DEBUG] Auth request sent successfully");
@@ -4722,6 +4725,7 @@ async function authAndSetupMachineIfNeeded() {
   } else {
     logger.debug("[AUTH] Using existing credentials");
   }
+  credentials = await ensureSigningCredentials(credentials);
   const settings = await updateSettings(async (s) => {
     if (newAuth || !s.machineId) {
       return {
@@ -4734,6 +4738,53 @@ async function authAndSetupMachineIfNeeded() {
   logger.debug(`[AUTH] Machine ID: ${settings.machineId}`);
   return { credentials, machineId: settings.machineId };
 }
+async function ensureSigningCredentials(credentials) {
+  if (credentials.signing) {
+    return credentials;
+  }
+  try {
+    const response = await axios.post(`${configuration.serverUrl}/v1/auth/refresh`, {}, {
+      headers: buildAuthenticatedHeaders({
+        credentials,
+        method: "POST",
+        url: `${configuration.serverUrl}/v1/auth/refresh`,
+        body: {},
+        headers: {
+          "Content-Type": "application/json"
+        },
+        signRequest: false
+      })
+    });
+    if (!response.data?.success || !response.data?.token || !response.data?.signing) {
+      logger.debug("[AUTH] Signing bootstrap returned incomplete payload");
+      return credentials;
+    }
+    const upgradedCredentials = {
+      ...credentials,
+      token: response.data.token,
+      signing: response.data.signing
+    };
+    if (upgradedCredentials.encryption.type === "legacy") {
+      await writeCredentialsLegacy({
+        secret: upgradedCredentials.encryption.secret,
+        token: upgradedCredentials.token,
+        signing: upgradedCredentials.signing
+      });
+    } else {
+      await writeCredentialsDataKey({
+        publicKey: upgradedCredentials.encryption.publicKey,
+        machineKey: upgradedCredentials.encryption.machineKey,
+        token: upgradedCredentials.token,
+        signing: upgradedCredentials.signing
+      });
+    }
+    logger.debug("[AUTH] Signing credentials bootstrapped successfully");
+    return upgradedCredentials;
+  } catch (error) {
+    logger.debug("[AUTH] Failed to bootstrap signing credentials", error);
+    return credentials;
+  }
+}
 
 function spawnHappyCLI(args, options = {}) {
   const projectRoot = projectPath();
@@ -6840,6 +6891,7 @@ async function handleAuthStatus() {
   console.log(chalk.green("\u2713 Authenticated"));
   const tokenPreview = credentials.token.substring(0, 30) + "...";
   console.log(chalk.gray(`  Token: ${tokenPreview}`));
+  console.log(chalk.gray(`  Request signing: ${credentials.signing ? "ready" : "legacy credentials (will auto-upgrade on use)"}`));
   if (settings?.machineId) {
     console.log(chalk.green("\u2713 Machine registered"));
     console.log(chalk.gray(`  Machine ID: ${settings.machineId}`));
@@ -7583,7 +7635,7 @@ function getVersionString() {
     return;
   } else if (subcommand === "codex") {
     try {
-      const { runCodex } = await import('./runCodex-DHo2-Vmd.mjs');
+      const { runCodex } = await import('./runCodex-X0BfjcZH.mjs');
       let startedBy = void 0;
       for (let i = 1; i < args.length; i++) {
         if (args[i] === "--started-by") {
@@ -7676,9 +7728,9 @@ function getVersionString() {
     if (geminiSubcommand === "project" && args[2] === "set" && args[3]) {
       const projectId = args[3];
       try {
-        const { saveGoogleCloudProjectToConfig } = await import('./config-C4c3eRAq.mjs').then(function (n) { return n.e; });
-        const { readCredentials: readCredentials2 } = await import('./persistence-DS4-Wbnm.mjs');
-        const { ApiClient: ApiClient2 } = await import('./types-DY1-MAPO.mjs').then(function (n) { return n.k; });
+        const { saveGoogleCloudProjectToConfig } = await import('./config-Dn99YH37.mjs').then(function (n) { return n.e; });
+        const { readCredentials: readCredentials2 } = await import('./persistence-BGsuPqaO.mjs');
+        const { ApiClient: ApiClient2 } = await import('./types-BXyraW9R.mjs').then(function (n) { return n.n; });
         let userEmail = void 0;
         try {
           const credentials = await readCredentials2();
@@ -7709,7 +7761,7 @@ function getVersionString() {
     }
     if (geminiSubcommand === "project" && args[2] === "get") {
       try {
-        const { readGeminiLocalConfig } = await import('./config-C4c3eRAq.mjs').then(function (n) { return n.e; });
+        const { readGeminiLocalConfig } = await import('./config-Dn99YH37.mjs').then(function (n) { return n.e; });
         const config = readGeminiLocalConfig();
         if (config.googleCloudProject) {
           console.log(`Current Google Cloud Project: ${config.googleCloudProject}`);
@@ -7749,7 +7801,7 @@ function getVersionString() {
       process.exit(0);
     }
     try {
-      const { runGemini } = await import('./runGemini-D1DZS8IL.mjs');
+      const { runGemini } = await import('./runGemini-B-EK_BJQ.mjs');
       let startedBy = void 0;
       for (let i = 1; i < args.length; i++) {
         if (args[i] === "--started-by") {

package/dist/{index-BJ0xEdNB.cjs → index-DVI4b0mv.cjs}

@@ -3,7 +3,7 @@
 var chalk = require('chalk');
 var os = require('node:os');
 var node_crypto = require('node:crypto');
-var api = require('./types-DSQA_cBn.cjs');
+var api = require('./types-BSTmyv9d.cjs');
 var node_child_process = require('node:child_process');
 var node_path = require('node:path');
 var node_readline = require('node:readline');
@@ -21,7 +21,7 @@ require('socket.io-client');
 var tweetnacl = require('tweetnacl');
 require('expo-server-sdk');
 var node_util = require('node:util');
-var persistence = require('./persistence-DW_z9Bsh.cjs');
+var persistence = require('./persistence-BRH9F6RS.cjs');
 var crypto = require('crypto');
 var child_process = require('child_process');
 var fs$2 = require('fs');
@@ -256,7 +256,7 @@ function claudeFindLastSession(workingDirectory) {
   }
 }
 
-const __dirname$2 = path.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index-BJ0xEdNB.cjs', document.baseURI).href))));
+const __dirname$2 = path.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index-DVI4b0mv.cjs', document.baseURI).href))));
 function projectPath() {
   const path$1 = path.resolve(__dirname$2, "..");
   return path$1;
@@ -1169,7 +1169,7 @@ function getRuntime() {
 }
 const isBun = () => getRuntime() === "bun";
 
-const __filename$1 = node_url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index-BJ0xEdNB.cjs', document.baseURI).href)));
+const __filename$1 = node_url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index-DVI4b0mv.cjs', document.baseURI).href)));
 const __dirname$1 = node_path.join(__filename$1, "..");
 function getGlobalClaudeVersion() {
   try {
@@ -4149,6 +4149,7 @@ async function runDoctorCommand(filter) {
       const credentials = await persistence.readCredentials();
       if (credentials) {
         console.log(chalk.green("\u2713 Authenticated (credentials found)"));
+        console.log(`Request signing: ${credentials.signing ? chalk.green("ready") : chalk.yellow("legacy credentials")}`);
       } else {
         console.log(chalk.yellow("\u26A0\uFE0F  Not authenticated (no credentials)"));
       }
@@ -4274,7 +4275,7 @@ async function openBrowser(url) {
   }
 }
 
-const require$1 = node_module.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index-BJ0xEdNB.cjs', document.baseURI).href)));
+const require$1 = node_module.createRequire((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index-DVI4b0mv.cjs', document.baseURI).href)));
 const QRCode = require$1("qrcode-terminal/vendor/QRCode");
 const QRErrorCorrectLevel = require$1("qrcode-terminal/vendor/QRCode/QRErrorCorrectLevel");
 const pendingTempFiles = /* @__PURE__ */ new Set();
@@ -4476,6 +4477,8 @@ async function createTerminalAuthRequest(keypair) {
   const response = await axios.post(`${api.configuration.serverUrl}/v1/auth/request`, {
     publicKey: api.encodeBase64(keypair.publicKey),
     supportsV2: true
+  }, {
+    headers: api.buildClientHeaders()
   });
   if (process.env.DEBUG) {
     console.log("[AUTH DEBUG] Auth request sent successfully");
@@ -4744,6 +4747,7 @@ async function authAndSetupMachineIfNeeded() {
   } else {
     api.logger.debug("[AUTH] Using existing credentials");
   }
+  credentials = await ensureSigningCredentials(credentials);
   const settings = await persistence.updateSettings(async (s) => {
     if (newAuth || !s.machineId) {
       return {
@@ -4756,6 +4760,53 @@ async function authAndSetupMachineIfNeeded() {
   api.logger.debug(`[AUTH] Machine ID: ${settings.machineId}`);
   return { credentials, machineId: settings.machineId };
 }
+async function ensureSigningCredentials(credentials) {
+  if (credentials.signing) {
+    return credentials;
+  }
+  try {
+    const response = await axios.post(`${api.configuration.serverUrl}/v1/auth/refresh`, {}, {
+      headers: api.buildAuthenticatedHeaders({
+        credentials,
+        method: "POST",
+        url: `${api.configuration.serverUrl}/v1/auth/refresh`,
+        body: {},
+        headers: {
+          "Content-Type": "application/json"
+        },
+        signRequest: false
+      })
+    });
+    if (!response.data?.success || !response.data?.token || !response.data?.signing) {
+      api.logger.debug("[AUTH] Signing bootstrap returned incomplete payload");
+      return credentials;
+    }
+    const upgradedCredentials = {
+      ...credentials,
+      token: response.data.token,
+      signing: response.data.signing
+    };
+    if (upgradedCredentials.encryption.type === "legacy") {
+      await persistence.writeCredentialsLegacy({
+        secret: upgradedCredentials.encryption.secret,
+        token: upgradedCredentials.token,
+        signing: upgradedCredentials.signing
+      });
+    } else {
+      await persistence.writeCredentialsDataKey({
+        publicKey: upgradedCredentials.encryption.publicKey,
+        machineKey: upgradedCredentials.encryption.machineKey,
+        token: upgradedCredentials.token,
+        signing: upgradedCredentials.signing
+      });
+    }
+    api.logger.debug("[AUTH] Signing credentials bootstrapped successfully");
+    return upgradedCredentials;
+  } catch (error) {
+    api.logger.debug("[AUTH] Failed to bootstrap signing credentials", error);
+    return credentials;
+  }
+}
 
 function spawnHappyCLI(args, options = {}) {
   const projectRoot = projectPath();
@@ -6862,6 +6913,7 @@ async function handleAuthStatus() {
   console.log(chalk.green("\u2713 Authenticated"));
   const tokenPreview = credentials.token.substring(0, 30) + "...";
   console.log(chalk.gray(`  Token: ${tokenPreview}`));
+  console.log(chalk.gray(`  Request signing: ${credentials.signing ? "ready" : "legacy credentials (will auto-upgrade on use)"}`));
   if (settings?.machineId) {
     console.log(chalk.green("\u2713 Machine registered"));
     console.log(chalk.gray(`  Machine ID: ${settings.machineId}`));
@@ -7605,7 +7657,7 @@ function getVersionString() {
     return;
   } else if (subcommand === "codex") {
     try {
-      const { runCodex } = await Promise.resolve().then(function () { return require('./runCodex-BCgor8vK.cjs'); });
+      const { runCodex } = await Promise.resolve().then(function () { return require('./runCodex-Cez8cuIh.cjs'); });
       let startedBy = void 0;
       for (let i = 1; i < args.length; i++) {
         if (args[i] === "--started-by") {
@@ -7698,9 +7750,9 @@ function getVersionString() {
     if (geminiSubcommand === "project" && args[2] === "set" && args[3]) {
       const projectId = args[3];
       try {
-        const { saveGoogleCloudProjectToConfig } = await Promise.resolve().then(function () { return require('./config-DSI9r8Jl.cjs'); }).then(function (n) { return n.config; });
-        const { readCredentials: readCredentials2 } = await Promise.resolve().then(function () { return require('./persistence-DW_z9Bsh.cjs'); });
-        const { ApiClient: ApiClient2 } = await Promise.resolve().then(function () { return require('./types-DSQA_cBn.cjs'); }).then(function (n) { return n.api; });
+        const { saveGoogleCloudProjectToConfig } = await Promise.resolve().then(function () { return require('./config-BQNrtwRY.cjs'); }).then(function (n) { return n.config; });
+        const { readCredentials: readCredentials2 } = await Promise.resolve().then(function () { return require('./persistence-BRH9F6RS.cjs'); });
+        const { ApiClient: ApiClient2 } = await Promise.resolve().then(function () { return require('./types-BSTmyv9d.cjs'); }).then(function (n) { return n.api; });
         let userEmail = void 0;
         try {
           const credentials = await readCredentials2();
@@ -7731,7 +7783,7 @@ function getVersionString() {
     }
     if (geminiSubcommand === "project" && args[2] === "get") {
       try {
-        const { readGeminiLocalConfig } = await Promise.resolve().then(function () { return require('./config-DSI9r8Jl.cjs'); }).then(function (n) { return n.config; });
+        const { readGeminiLocalConfig } = await Promise.resolve().then(function () { return require('./config-BQNrtwRY.cjs'); }).then(function (n) { return n.config; });
         const config = readGeminiLocalConfig();
         if (config.googleCloudProject) {
           console.log(`Current Google Cloud Project: ${config.googleCloudProject}`);
@@ -7771,7 +7823,7 @@ function getVersionString() {
       process.exit(0);
     }
     try {
-      const { runGemini } = await Promise.resolve().then(function () { return require('./runGemini-81Ogay0E.cjs'); });
+      const { runGemini } = await Promise.resolve().then(function () { return require('./runGemini-C3dDtGOV.cjs'); });
       let startedBy = void 0;
       for (let i = 1; i < args.length; i++) {
         if (args[i] === "--started-by") {

package/dist/index.cjs

@@ -1,9 +1,9 @@
 'use strict';
 
 require('chalk');
-require('./index-BJ0xEdNB.cjs');
-require('./types-DSQA_cBn.cjs');
-require('./persistence-DW_z9Bsh.cjs');
+require('./index-DVI4b0mv.cjs');
+require('./types-BSTmyv9d.cjs');
+require('./persistence-BRH9F6RS.cjs');
 require('zod');
 require('node:child_process');
 require('node:fs');

package/dist/index.mjs

@@ -1,7 +1,7 @@
 import 'chalk';
-import './index-B3bkHdEU.mjs';
-import './types-DY1-MAPO.mjs';
-import './persistence-DS4-Wbnm.mjs';
+import './index-CUmYqKWt.mjs';
+import './types-BXyraW9R.mjs';
+import './persistence-BGsuPqaO.mjs';
 import 'zod';
 import 'node:child_process';
 import 'node:fs';

package/dist/lib.cjs

@@ -1,6 +1,6 @@
 'use strict';
 
-var api = require('./types-DSQA_cBn.cjs');
+var api = require('./types-BSTmyv9d.cjs');
 require('axios');
 require('chalk');
 require('fs');

package/dist/lib.d.cts

@@ -580,6 +580,31 @@ declare class RpcHandlerManager {
     private getPrefixedMethod;
 }
 
+/**
+ * Minimal persistence functions for happy CLI
+ *
+ * Handles settings and private key storage in ~/.happy/ or local .happy/
+ */
+
+type SigningCredentials = {
+    version: 1;
+    keyId: string;
+    seed: string;
+    algorithm: 'HMAC-SHA256';
+};
+type Credentials = {
+    token: string;
+    signing?: SigningCredentials | null;
+    encryption: {
+        type: 'legacy';
+        secret: Uint8Array;
+    } | {
+        type: 'dataKey';
+        publicKey: Uint8Array;
+        machineKey: Uint8Array;
+    };
+};
+
 /**
  * ACP (Agent Communication Protocol) message data types.
  * This is the unified format for all agent messages - CLI adapts each provider's format to ACP.
@@ -637,7 +662,7 @@ type ACPMessageData = {
     [key: string]: unknown;
 };
 declare class ApiSessionClient extends EventEmitter {
-    private readonly token;
+    private readonly credentials;
     readonly sessionId: string;
     private metadata;
     private metadataVersion;
@@ -651,7 +676,7 @@ declare class ApiSessionClient extends EventEmitter {
     private metadataLock;
     private encryptionKey;
     private encryptionVariant;
-    constructor(token: string, session: Session);
+    constructor(credentials: Credentials, session: Session);
     onUserMessage(callback: (data: UserMessage) => void): void;
     /**
      * Send message to session
@@ -745,12 +770,12 @@ type MachineRpcHandlers = {
     requestShutdown: () => void;
 };
 declare class ApiMachineClient {
-    private token;
+    private credentials;
     private machine;
     private socket;
     private keepAliveInterval;
     private rpcHandlerManager;
-    constructor(token: string, machine: Machine);
+    constructor(credentials: Credentials, machine: Machine);
     setRPCHandlers({ spawnSession, stopSession, requestShutdown }: MachineRpcHandlers): void;
     /**
      * Update machine metadata
@@ -776,10 +801,10 @@ interface PushToken {
     updatedAt: number;
 }
 declare class PushNotificationClient {
-    private readonly token;
+    private readonly credentials;
     private readonly baseUrl;
     private readonly expo;
-    constructor(token: string, baseUrl?: string);
+    constructor(credentials: Credentials, baseUrl?: string);
     /**
      * Fetch all push tokens for the authenticated user
      */
@@ -798,29 +823,12 @@ declare class PushNotificationClient {
     sendToAllDevices(title: string, body: string, data?: Record<string, any>): void;
 }
 
-/**
- * Minimal persistence functions for happy CLI
- *
- * Handles settings and private key storage in ~/.happy/ or local .happy/
- */
-
-type Credentials = {
-    token: string;
-    encryption: {
-        type: 'legacy';
-        secret: Uint8Array;
-    } | {
-        type: 'dataKey';
-        publicKey: Uint8Array;
-        machineKey: Uint8Array;
-    };
-};
-
 declare class ApiClient {
     static create(credential: Credentials): Promise<ApiClient>;
     private readonly credential;
     private readonly pushClient;
     private constructor();
+    private request;
     /**
      * Create a new session or load existing one with the given tag
      */

package/dist/lib.d.mts

@@ -580,6 +580,31 @@ declare class RpcHandlerManager {
     private getPrefixedMethod;
 }
 
+/**
+ * Minimal persistence functions for happy CLI
+ *
+ * Handles settings and private key storage in ~/.happy/ or local .happy/
+ */
+
+type SigningCredentials = {
+    version: 1;
+    keyId: string;
+    seed: string;
+    algorithm: 'HMAC-SHA256';
+};
+type Credentials = {
+    token: string;
+    signing?: SigningCredentials | null;
+    encryption: {
+        type: 'legacy';
+        secret: Uint8Array;
+    } | {
+        type: 'dataKey';
+        publicKey: Uint8Array;
+        machineKey: Uint8Array;
+    };
+};
+
 /**
  * ACP (Agent Communication Protocol) message data types.
  * This is the unified format for all agent messages - CLI adapts each provider's format to ACP.
@@ -637,7 +662,7 @@ type ACPMessageData = {
     [key: string]: unknown;
 };
 declare class ApiSessionClient extends EventEmitter {
-    private readonly token;
+    private readonly credentials;
     readonly sessionId: string;
     private metadata;
     private metadataVersion;
@@ -651,7 +676,7 @@ declare class ApiSessionClient extends EventEmitter {
     private metadataLock;
     private encryptionKey;
     private encryptionVariant;
-    constructor(token: string, session: Session);
+    constructor(credentials: Credentials, session: Session);
     onUserMessage(callback: (data: UserMessage) => void): void;
     /**
      * Send message to session
@@ -745,12 +770,12 @@ type MachineRpcHandlers = {
     requestShutdown: () => void;
 };
 declare class ApiMachineClient {
-    private token;
+    private credentials;
     private machine;
     private socket;
     private keepAliveInterval;
     private rpcHandlerManager;
-    constructor(token: string, machine: Machine);
+    constructor(credentials: Credentials, machine: Machine);
     setRPCHandlers({ spawnSession, stopSession, requestShutdown }: MachineRpcHandlers): void;
     /**
      * Update machine metadata
@@ -776,10 +801,10 @@ interface PushToken {
     updatedAt: number;
 }
 declare class PushNotificationClient {
-    private readonly token;
+    private readonly credentials;
     private readonly baseUrl;
     private readonly expo;
-    constructor(token: string, baseUrl?: string);
+    constructor(credentials: Credentials, baseUrl?: string);
     /**
      * Fetch all push tokens for the authenticated user
      */
@@ -798,29 +823,12 @@ declare class PushNotificationClient {
     sendToAllDevices(title: string, body: string, data?: Record<string, any>): void;
 }
 
-/**
- * Minimal persistence functions for happy CLI
- *
- * Handles settings and private key storage in ~/.happy/ or local .happy/
- */
-
-type Credentials = {
-    token: string;
-    encryption: {
-        type: 'legacy';
-        secret: Uint8Array;
-    } | {
-        type: 'dataKey';
-        publicKey: Uint8Array;
-        machineKey: Uint8Array;
-    };
-};
-
 declare class ApiClient {
     static create(credential: Credentials): Promise<ApiClient>;
     private readonly credential;
     private readonly pushClient;
     private constructor();
+    private request;
     /**
      * Create a new session or load existing one with the given tag
      */

package/dist/lib.mjs

@@ -1,4 +1,4 @@
-export { A as ApiClient, a as ApiSessionClient, R as RawJSONLinesSchema, c as configuration, l as logger } from './types-DY1-MAPO.mjs';
+export { A as ApiClient, a as ApiSessionClient, R as RawJSONLinesSchema, c as configuration, l as logger } from './types-BXyraW9R.mjs';
 import 'axios';
 import 'chalk';
 import 'fs';

package/dist/{persistence-DS4-Wbnm.mjs → persistence-BGsuPqaO.mjs}

@@ -1,7 +1,7 @@
 import { readFile, open, stat, unlink, mkdir, writeFile, rename } from 'node:fs/promises';
 import { existsSync, constants, unlinkSync, writeFileSync, readdirSync, readFileSync } from 'node:fs';
 import { join, dirname } from 'node:path';
-import { c as configuration, l as logger, e as encodeBase64 } from './types-DY1-MAPO.mjs';
+import { c as configuration, l as logger, e as encodeBase64 } from './types-BXyraW9R.mjs';
 import * as z from 'zod';
 import 'axios';
 import 'chalk';
@@ -230,6 +230,12 @@ async function updateSettings(updater) {
 }
 const credentialsSchema = z.object({
   token: z.string(),
+  signing: z.object({
+    version: z.literal(1),
+    keyId: z.string(),
+    seed: z.string().base64(),
+    algorithm: z.literal("HMAC-SHA256")
+  }).nullish(),
   secret: z.string().base64().nullish(),
   // Legacy
   encryption: z.object({
@@ -247,6 +253,7 @@ async function readCredentials() {
     if (credentials.secret) {
       return {
         token: credentials.token,
+        signing: credentials.signing ?? null,
         encryption: {
           type: "legacy",
           secret: new Uint8Array(Buffer.from(credentials.secret, "base64"))
@@ -255,6 +262,7 @@ async function readCredentials() {
     } else if (credentials.encryption) {
       return {
         token: credentials.token,
+        signing: credentials.signing ?? null,
         encryption: {
           type: "dataKey",
           publicKey: new Uint8Array(Buffer.from(credentials.encryption.publicKey, "base64")),
@@ -273,7 +281,8 @@ async function writeCredentialsLegacy(credentials) {
   }
   await writeFile(configuration.privateKeyFile, JSON.stringify({
     secret: encodeBase64(credentials.secret),
-    token: credentials.token
+    token: credentials.token,
+    signing: credentials.signing
   }, null, 2));
 }
 async function writeCredentialsDataKey(credentials) {
@@ -282,7 +291,8 @@ async function writeCredentialsDataKey(credentials) {
   }
   await writeFile(configuration.privateKeyFile, JSON.stringify({
     encryption: { publicKey: encodeBase64(credentials.publicKey), machineKey: encodeBase64(credentials.machineKey) },
-    token: credentials.token
+    token: credentials.token,
+    signing: credentials.signing
   }, null, 2));
 }
 async function clearCredentials() {