nexting-cc-bridge 0.8.3

package/dist/e2e/codec.js

@@ -0,0 +1,119 @@
+import { sealEnvelope, openEnvelope, isEnvelope } from "./crypto.js";
+/**
+ * EnvelopeCodec — the single seam between bridge transport and crypto.
+ *
+ * Business logic stays plaintext; only this module calls sealEnvelope / openEnvelope.
+ *
+ * AAD contract (must match phone side exactly):
+ *   Outbound (bridge → phone):
+ *     cc_snapshot  title      → `${sid}|0|title`
+ *                  summary    → `${sid}|0|summary`
+ *                  msg.text   → `${sid}|0|msg`
+ *     cc_event  transcript_append  entry.text → `${sid}|0|text`
+ *               stream_*_delta     payload.delta → `${sid}|0|delta`
+ *
+ *   Inbound (phone → bridge):
+ *     cc_send    content      → `${sid}|0|send`
+ *     cc_answer  updatedInput → `${sid}|0|answer`
+ *
+ * Seq is always `0` (no per-frame sequence number in the current wire protocol).
+ */
+export class EnvelopeCodec {
+    keys;
+    enabled;
+    constructor(keys, enabled) {
+        this.keys = keys;
+        this.enabled = enabled;
+    }
+    /**
+     * Encrypt content fields of an outbound frame.
+     * Returns a new object — never mutates the input.
+     * Passthrough (returns the SAME reference) when disabled.
+     */
+    encryptOutbound(frame) {
+        if (!this.enabled())
+            return frame;
+        switch (frame?.type) {
+            case "cc_snapshot": {
+                const sessions = (frame.sessions ?? []).map((s) => {
+                    const sid = s.sessionId;
+                    const aad = (field) => `${sid}|0|${field}`;
+                    const out = { ...s };
+                    if (typeof s.title === "string")
+                        out.title = sealEnvelope(s.title, this.keys.cekFor(sid), aad("title"));
+                    if (typeof s.summary === "string")
+                        out.summary = sealEnvelope(s.summary, this.keys.cekFor(sid), aad("summary"));
+                    if (Array.isArray(s.recentMessages))
+                        out.recentMessages = s.recentMessages.map((m) => typeof m?.text === "string"
+                            ? {
+                                ...m,
+                                text: sealEnvelope(m.text, this.keys.cekFor(sid), aad("msg")),
+                            }
+                            : m);
+                    return out;
+                });
+                return { ...frame, sessions };
+            }
+            case "cc_event": {
+                const sid = frame.sessionId;
+                const cek = this.keys.cekFor(sid);
+                const p = frame.payload ?? {};
+                if (frame.kind === "transcript_append" && Array.isArray(p.entries)) {
+                    return {
+                        ...frame,
+                        payload: {
+                            ...p,
+                            entries: p.entries.map((e) => typeof e?.text === "string"
+                                ? { ...e, text: sealEnvelope(e.text, cek, `${sid}|0|text`) }
+                                : e),
+                        },
+                    };
+                }
+                if ((frame.kind === "stream_text_delta" ||
+                    frame.kind === "stream_thinking_delta") &&
+                    typeof p.delta === "string") {
+                    return {
+                        ...frame,
+                        payload: {
+                            ...p,
+                            delta: sealEnvelope(p.delta, cek, `${sid}|0|delta`),
+                        },
+                    };
+                }
+                return frame;
+            }
+            default:
+                return frame;
+        }
+    }
+    /**
+     * Decrypt content fields of an inbound frame.
+     * Always attempts decryption when a field IS an envelope (even when disabled),
+     * so a temporarily-disabled bridge can still receive encrypted frames from the phone.
+     * Passthrough when field is plaintext — back-compat with unencrypted phone clients.
+     */
+    decryptInbound(frame) {
+        switch (frame?.type) {
+            case "cc_send": {
+                const sid = frame.sessionId;
+                if (isEnvelope(frame.content) && this.keys.hasCek(sid))
+                    return {
+                        ...frame,
+                        content: openEnvelope(frame.content, this.keys.cekFor(sid), `${sid}|0|send`),
+                    };
+                return frame;
+            }
+            case "cc_answer": {
+                const sid = frame.sessionId;
+                if (isEnvelope(frame.updatedInput) && this.keys.hasCek(sid))
+                    return {
+                        ...frame,
+                        updatedInput: openEnvelope(frame.updatedInput, this.keys.cekFor(sid), `${sid}|0|answer`),
+                    };
+                return frame;
+            }
+            default:
+                return frame;
+        }
+    }
+}

package/dist/e2e/crypto.js

@@ -0,0 +1,127 @@
+import { randomBytes, createCipheriv, createDecipheriv, createHash, generateKeyPairSync, createPublicKey, createPrivateKey, diffieHellman, hkdfSync, } from "node:crypto";
+const ALG = "aes-256-gcm";
+const ENV_PREFIX = "e2e:v1:";
+const WRAP_PREFIX = "wrap:v1:";
+const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+export function generateCEK() {
+    // 32-byte key (Uint8Array-compatible); Swift/Kotlin treat as raw bytes.
+    return randomBytes(32);
+}
+export function sealEnvelope(plaintext, cek, aad) {
+    const nonce = randomBytes(12);
+    const cipher = createCipheriv(ALG, cek, nonce);
+    cipher.setAAD(Buffer.from(aad, "utf8"));
+    const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return ENV_PREFIX + Buffer.concat([nonce, ct, tag]).toString("base64");
+}
+export function openEnvelope(sealed, cek, aad) {
+    if (!sealed.startsWith(ENV_PREFIX))
+        throw new Error("not an e2e envelope");
+    const buf = Buffer.from(sealed.slice(ENV_PREFIX.length), "base64");
+    if (buf.length < 12 + 16)
+        throw new Error("envelope too short");
+    const nonce = buf.subarray(0, 12);
+    const tag = buf.subarray(buf.length - 16);
+    const ct = buf.subarray(12, buf.length - 16);
+    const decipher = createDecipheriv(ALG, cek, nonce);
+    decipher.setAAD(Buffer.from(aad, "utf8"));
+    decipher.setAuthTag(tag);
+    return decipher.update(ct, undefined, "utf8") + decipher.final("utf8");
+}
+export function isEnvelope(v) {
+    return typeof v === "string" && v.startsWith(ENV_PREFIX);
+}
+export function generateDeviceKeyPair() {
+    const { publicKey, privateKey } = generateKeyPairSync("x25519");
+    return {
+        publicKeyB64: publicKey
+            .export({ type: "spki", format: "der" })
+            .toString("base64"),
+        privateKeyB64: privateKey
+            .export({ type: "pkcs8", format: "der" })
+            .toString("base64"),
+    };
+}
+// HKDF-SHA256: salt = UTF-8(sessionId), info = UTF-8("pinclaw-e2e-cek-wrap"), L=32.
+// Must match cloud/iOS/Android byte-for-byte or unwrap fails silently.
+function deriveWrapKey(shared, salt) {
+    return Buffer.from(hkdfSync("sha256", shared, Buffer.from(salt, "utf8"), "pinclaw-e2e-cek-wrap", 32));
+}
+export function wrapCEK(cek, recipientPubB64, sessionId) {
+    const eph = generateKeyPairSync("x25519");
+    const recipientPub = createPublicKey({
+        key: Buffer.from(recipientPubB64, "base64"),
+        type: "spki",
+        format: "der",
+    });
+    const shared = Buffer.from(diffieHellman({ privateKey: eph.privateKey, publicKey: recipientPub }));
+    const wrapKey = deriveWrapKey(shared, sessionId);
+    const nonce = randomBytes(12);
+    const cipher = createCipheriv(ALG, wrapKey, nonce);
+    const ct = Buffer.concat([cipher.update(cek), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    const ephPub = eph.publicKey.export({ type: "spki", format: "der" });
+    return (WRAP_PREFIX + Buffer.concat([ephPub, nonce, ct, tag]).toString("base64"));
+}
+export function unwrapCEK(wrapped, recipientPrivB64, sessionId) {
+    if (!wrapped.startsWith(WRAP_PREFIX))
+        throw new Error("not a wrapped key");
+    const buf = Buffer.from(wrapped.slice(WRAP_PREFIX.length), "base64");
+    if (buf.length < 44 + 12 + 16)
+        throw new Error("wrapped key too short");
+    const ephPubDer = buf.subarray(0, 44); // X25519 SPKI DER is 44 bytes
+    const nonce = buf.subarray(44, 56);
+    const tag = buf.subarray(buf.length - 16);
+    const ct = buf.subarray(56, buf.length - 16);
+    const ephPub = createPublicKey({
+        key: ephPubDer,
+        type: "spki",
+        format: "der",
+    });
+    const priv = createPrivateKey({
+        key: Buffer.from(recipientPrivB64, "base64"),
+        type: "pkcs8",
+        format: "der",
+    });
+    const shared = Buffer.from(diffieHellman({ privateKey: priv, publicKey: ephPub }));
+    const wrapKey = deriveWrapKey(shared, sessionId);
+    const decipher = createDecipheriv(ALG, wrapKey, nonce);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(ct), decipher.final()]);
+}
+/**
+ * Binary-oriented AES-256-GCM seal/open.
+ *
+ * Layout on wire: nonce[12] || ciphertext || tag[16]
+ * No text prefix — the metadata `encrypted:true` flag marks blobs encrypted.
+ * AAD for media: `${sessionId}|0|media`
+ */
+export function sealBytes(data, cek, aad) {
+    const nonce = randomBytes(12);
+    const cipher = createCipheriv(ALG, cek, nonce);
+    cipher.setAAD(Buffer.from(aad, "utf8"));
+    const ct = Buffer.concat([cipher.update(data), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([nonce, ct, tag]);
+}
+export function openBytes(buf, cek, aad) {
+    if (buf.length < 12 + 16)
+        throw new Error("encrypted buffer too short");
+    const nonce = buf.subarray(0, 12);
+    const tag = buf.subarray(buf.length - 16);
+    const ct = buf.subarray(12, buf.length - 16);
+    const decipher = createDecipheriv(ALG, cek, nonce);
+    decipher.setAAD(Buffer.from(aad, "utf8"));
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(ct), decipher.final()]);
+}
+// Human-verification fingerprint (~50 bits base32), NOT a secret. Order-independent.
+export function safetyNumber(pubA, pubB) {
+    const [x, y] = [pubA, pubB].sort();
+    const h = createHash("sha256").update(x).update(y).digest();
+    let s = "";
+    for (let i = 0; i < 10; i++)
+        s += B32[h[i] & 31];
+    return s.slice(0, 5) + "-" + s.slice(5);
+}

package/dist/e2e/key-store.js

@@ -0,0 +1,48 @@
+import { generateCEK, generateDeviceKeyPair, wrapCEK, unwrapCEK, } from "./crypto.js";
+export class SessionKeyStore {
+    idStore;
+    identity;
+    ceks = new Map(); // sessionId -> CEK
+    constructor(idStore) {
+        this.idStore = idStore;
+        this.identity = idStore.load() ?? this.#initIdentity();
+    }
+    #initIdentity() {
+        const kp = generateDeviceKeyPair();
+        this.idStore.save(kp);
+        return kp;
+    }
+    publicKeyB64() {
+        return this.identity.publicKeyB64;
+    }
+    // Get-or-create the CEK for a session (bridge originates sessions).
+    cekFor(sessionId) {
+        let c = this.ceks.get(sessionId);
+        if (!c) {
+            c = generateCEK();
+            this.ceks.set(sessionId, c);
+        }
+        return c;
+    }
+    hasCek(sessionId) {
+        return this.ceks.has(sessionId);
+    }
+    // Adopt a CEK we unwrapped (e.g. a session another device originated).
+    setCek(sessionId, cek) {
+        this.ceks.set(sessionId, cek);
+    }
+    // Wrap this session's CEK for each recipient device pubkey (for upload to cloud session_keys).
+    wrapForDevices(sessionId, recipientPubsB64) {
+        const cek = this.cekFor(sessionId);
+        return recipientPubsB64.map((pub) => ({
+            deviceKey: pub,
+            wrappedCek: wrapCEK(cek, pub, sessionId),
+        }));
+    }
+    // Unwrap a CEK addressed to THIS device and cache it.
+    acceptWrapped(sessionId, wrapped) {
+        const cek = unwrapCEK(wrapped, this.identity.privateKeyB64, sessionId);
+        this.ceks.set(sessionId, cek);
+        return cek;
+    }
+}

package/dist/e2e/keychain-identity.js

@@ -0,0 +1,29 @@
+import { execFileSync } from "node:child_process";
+// Stores the device identity keypair (JSON) in the macOS login keychain under a
+// service name. Private key never leaves the machine. Falls back to throwing on
+// non-darwin so callers can choose a file fallback if needed.
+export function keychainIdentityStore(service = "pinclaw-bridge-e2e") {
+    return {
+        load() {
+            try {
+                const out = execFileSync("security", ["find-generic-password", "-s", service, "-w"], { encoding: "utf8" }).trim();
+                return out ? JSON.parse(out) : null;
+            }
+            catch {
+                return null;
+            }
+        },
+        save(kp) {
+            const val = JSON.stringify(kp);
+            try {
+                execFileSync("security", ["delete-generic-password", "-s", service], {
+                    stdio: "ignore",
+                });
+            }
+            catch {
+                /* none existed */
+            }
+            execFileSync("security", ["add-generic-password", "-s", service, "-a", service, "-w", val], { stdio: "ignore" });
+        },
+    };
+}

package/dist/engine/adapter.js

@@ -0,0 +1,5 @@
+// Per-session engine adapter. One instance per SessionRunner. Captures everything
+// engine-specific: how to spawn the child, an optional async handshake before the
+// first turn, how to encode stdin actions, and how to translate one parsed stdout
+// JSON object into zero-or-more TranslatedFrame the cloud/phone understand.
+export {};

package/dist/engine/claude-adapter.js

@@ -0,0 +1,77 @@
+// Claude Code engine adapter. Wraps the existing (unchanged) claude stdin-encode +
+// stream-translate + stream-json spawn flags. Behavior identical to the pre-refactor
+// hardcoded path — covered by the existing session-runner / translate / encode tests.
+import os from "node:os";
+import path from "node:path";
+import fs from "node:fs";
+import { buildUserMessageLine, buildControlAllowLine, buildControlDenyLine, } from "../stdin-encode.js";
+import { translateChildEvent } from "../stream-translate.js";
+/** Resolve the `claude` binary by absolute path (launchd PATH is minimal). */
+export function resolveClaudeBin() {
+    const home = os.homedir();
+    const candidates = [
+        process.env.NEXTING_CC_CLAUDE_BIN,
+        path.join(home, "Library/pnpm/claude"),
+        path.join(home, ".local/bin/claude"),
+        path.join(home, ".npm-global/bin/claude"),
+        "/opt/homebrew/bin/claude",
+        "/usr/local/bin/claude",
+    ].filter((p) => !!p);
+    for (const c of candidates) {
+        try {
+            if (fs.existsSync(c))
+                return c;
+        }
+        catch {
+            /* keep looking */
+        }
+    }
+    return "claude";
+}
+/** TUI substrings Claude Code prints while a turn is running (status line
+ * "… (esc to interrupt)"). Matched case-insensitively by the pty turn probe. */
+export const CLAUDE_RUNNING_MARKERS = ["esc to interrupt"];
+export function createClaudeAdapter() {
+    return {
+        runningMarkers: CLAUDE_RUNNING_MARKERS,
+        command(resumeSessionId, ctx) {
+            const args = [
+                "--print",
+                "--input-format",
+                "stream-json",
+                "--output-format",
+                "stream-json",
+                "--include-partial-messages",
+                "--replay-user-messages",
+                "--verbose",
+                "--dangerously-skip-permissions",
+                // Disable the native AskUserQuestion tool: in --print mode it auto-
+                // dismisses (no interactive consumer attached), so the phone could only
+                // ever SHOW the question read-only. With it disabled the model routes to
+                // our `ask_user` MCP tool (mcp-device-proxy), which blocks for a phone
+                // answer. Applies to every session so argv stays identical. Variadic
+                // flag — the next arg starts with `--`, so it consumes only
+                // "AskUserQuestion".
+                "--disallowed-tools",
+                "AskUserQuestion",
+            ];
+            // Device-tool MCP proxy: `--mcp-config <path>` is a global flag that
+            // works in --print mode (verified CLI 2.1.170), so we load the per-session
+            // config file (written by mcp-config.ts) instead of dropping a `.mcp.json`
+            // into the user's repo. Pushed before --resume; order is irrelevant to
+            // claude but keeps resume last for readability.
+            if (ctx?.mcpConfigPath)
+                args.push("--mcp-config", ctx.mcpConfigPath);
+            if (resumeSessionId)
+                args.push("--resume", resumeSessionId);
+            return { bin: resolveClaudeBin(), args };
+        },
+        start: (_io, _resumeSessionId) => {
+            /* Claude needs no handshake. */
+        },
+        encodeUserTurn: (content) => buildUserMessageLine(content),
+        encodeAnswer: (id, updatedInput) => buildControlAllowLine(id, updatedInput),
+        encodeDeny: (id, message) => buildControlDenyLine(id, message),
+        translate: (parsed) => translateChildEvent(parsed),
+    };
+}