recall-mcp-v3 3.0.1 → 3.1.0

package/dist/api.d.ts

@@ -1,18 +1,39 @@
 /**
  * Recall API Client
  *
- * Simple HTTP client for the Recall v3 API.
- * Reads token from RECALL_API_TOKEN environment variable.
+ * HTTP client for the Recall v3 API with encryption support.
+ * - Reads token from RECALL_API_TOKEN environment variable
+ * - Fetches team encryption key from API
+ * - Encrypts content before sending, decrypts after receiving
  */
 declare class RecallApiError extends Error {
     code: string;
     status: number;
     constructor(message: string, code: string, status: number);
 }
+/**
+ * Fetch the team encryption key from API.
+ * Caches the key in memory for the duration of the process.
+ */
+export declare function getTeamKey(): Promise<string>;
+/**
+ * Get cached team tier (must call getTeamKey first).
+ */
+export declare function getCachedTier(): string | null;
+/**
+ * Clear cached team key (useful for testing or key rotation).
+ */
+export declare function clearKeyCache(): void;
 interface ResolveRepoResponse {
     repoId: string;
     teamId: string;
 }
+interface SessionUser {
+    id: string;
+    name: string | null;
+    github_username: string | null;
+    avatar_url?: string | null;
+}
 interface Session {
     id: string;
     summary: string;
@@ -25,36 +46,19 @@ interface Session {
     files_changed?: string[];
     blockers?: string | null;
     next_steps?: string | null;
-    user: {
-        id: string;
-        name: string | null;
-        github_username: string | null;
-    };
+    user: SessionUser;
 }
-interface ContextResponse {
-    sessions: Session[];
-    cached_context: string;
-    session_count: number;
-    tier: string;
+interface HistoryDecision {
+    id: string;
+    decision: string;
+    reasoning: string;
+    created_at: string;
+    user: SessionUser;
 }
-interface HistoryResponse {
-    sessions: Session[];
-    decisions: Array<{
-        id: string;
-        decision: string;
-        reasoning: string;
-        created_at: string;
-        user: {
-            id: string;
-            name: string | null;
-            github_username: string | null;
-        };
-    }>;
-    mistakes: Array<{
-        id: string;
-        content: string;
-        created_at: string;
-    }>;
+interface HistoryMistake {
+    id: string;
+    content: string;
+    created_at: string;
 }
 interface SaveSessionResponse {
     id: string;
@@ -65,9 +69,34 @@ interface LogDecisionResponse {
     created_at: string;
 }
 export declare function resolveRepo(fullName: string, defaultBranch?: string): Promise<ResolveRepoResponse>;
-export declare function getContext(repoId: string): Promise<ContextResponse>;
-export declare function getHistory(repoId: string, days?: number): Promise<HistoryResponse>;
-export declare function getTranscripts(repoId: string): Promise<HistoryResponse>;
+/**
+ * Get context for a repo. Decrypts session content.
+ */
+export declare function getContext(repoId: string): Promise<{
+    sessions: Session[];
+    cached_context: string;
+    session_count: number;
+    tier: string;
+}>;
+/**
+ * Get history for a repo. Decrypts session, decision, and mistake content.
+ */
+export declare function getHistory(repoId: string, days?: number): Promise<{
+    sessions: Session[];
+    decisions: HistoryDecision[];
+    mistakes: HistoryMistake[];
+}>;
+/**
+ * Get transcripts for a repo. Same as history but for Pro tier with full content.
+ */
+export declare function getTranscripts(repoId: string): Promise<{
+    sessions: Session[];
+    decisions: HistoryDecision[];
+    mistakes: HistoryMistake[];
+}>;
+/**
+ * Save a session. Encrypts content before sending.
+ */
 export declare function saveSession(repoId: string, data: {
     summary: string;
     status?: 'complete' | 'in-progress' | 'blocked';
@@ -80,6 +109,9 @@ export declare function saveSession(repoId: string, data: {
     next_steps?: string;
     blockers?: string;
 }): Promise<SaveSessionResponse>;
+/**
+ * Log a decision. Encrypts content before sending.
+ */
 export declare function logDecision(repoId: string, decision: string, reasoning: string): Promise<LogDecisionResponse>;
 export { RecallApiError };
 //# sourceMappingURL=api.d.ts.map

package/dist/api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,cAAM,cAAe,SAAQ,KAAK;IAGvB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,MAAM;gBAFrB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM;CAKxB;AA4CD,UAAU,mBAAmB;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,UAAU,OAAO;IACf,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,UAAU,GAAG,aAAa,GAAG,SAAS,CAAC;IAC/C,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QACpB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;KAChC,CAAC;CACH;AAED,UAAU,eAAe;IACvB,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,UAAU,eAAe;IACvB,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,SAAS,EAAE,KAAK,CAAC;QACf,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;YAAC,eAAe,EAAE,MAAM,GAAG,IAAI,CAAA;SAAE,CAAC;KAC3E,CAAC,CAAC;IACH,QAAQ,EAAE,KAAK,CAAC;QACd,EAAE,EAAE,MAAM,CAAC;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;CACJ;AAED,UAAU,mBAAmB;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,mBAAmB;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;CACpB;AAGD,wBAAsB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAExG;AAED,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAEzE;AAED,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,SAAK,GAAG,OAAO,CAAC,eAAe,CAAC,CAEpF;AAED,wBAAsB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAE7E;AAED,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE;IACJ,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,UAAU,GAAG,aAAa,GAAG,SAAS,CAAC;IAChD,SAAS,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,mBAAmB,CAAC,CAY9B;AAED,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,mBAAmB,CAAC,CAK9B;AAED,OAAO,EAAE,cAAc,EAAE,CAAC"}
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAgBH,cAAM,cAAe,SAAQ,KAAK;IAGvB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,MAAM;gBAFrB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM;CAKxB;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,CAgBlD;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,MAAM,GAAG,IAAI,CAE7C;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAIpC;AAMD,UAAU,mBAAmB;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,UAAU,WAAW;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,UAAU,OAAO;IACf,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,UAAU,GAAG,aAAa,GAAG,SAAS,CAAC;IAC/C,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,WAAW,CAAC;CACnB;AAmBD,UAAU,eAAe;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,WAAW,CAAC;CACnB;AAED,UAAU,cAAc;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACpB;AA8BD,UAAU,mBAAmB;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,mBAAmB;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;CACpB;AAMD,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,mBAAmB,CAAC,CAK9B;AAED;;GAEG;AACH,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IACxD,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;CACd,CAAC,CAsCD;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,EACd,IAAI,SAAK,GACR,OAAO,CAAC;IACT,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,QAAQ,EAAE,cAAc,EAAE,CAAC;CAC5B,CAAC,CA+DD;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAC5D,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,QAAQ,EAAE,cAAc,EAAE,CAAC;CAC5B,CAAC,CAGD;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE;IACJ,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,UAAU,GAAG,aAAa,GAAG,SAAS,CAAC;IAChD,SAAS,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,mBAAmB,CAAC,CAuC9B;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,mBAAmB,CAAC,CAY9B;AAED,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/api.js

@@ -1,10 +1,17 @@
 /**
  * Recall API Client
  *
- * Simple HTTP client for the Recall v3 API.
- * Reads token from RECALL_API_TOKEN environment variable.
+ * HTTP client for the Recall v3 API with encryption support.
+ * - Reads token from RECALL_API_TOKEN environment variable
+ * - Fetches team encryption key from API
+ * - Encrypts content before sending, decrypts after receiving
  */
+import { encrypt, decrypt, isEncrypted, safeDecrypt } from './crypto.js';
 const API_URL = process.env.RECALL_API_URL || 'https://api-v3.recall.team';
+// Cache team key in memory (per process)
+let cachedTeamKey = null;
+let cachedTeamId = null;
+let cachedTier = null;
 class RecallApiError extends Error {
     code;
     status;
@@ -29,46 +36,212 @@ async function request(method, path, body) {
         method,
         headers: {
             'Content-Type': 'application/json',
-            'Authorization': `Bearer ${token}`,
+            Authorization: `Bearer ${token}`,
         },
         body: body ? JSON.stringify(body) : undefined,
     });
     if (!response.ok) {
-        const errorBody = await response.json().catch(() => ({}));
+        const errorBody = (await response.json().catch(() => ({})));
         throw new RecallApiError(errorBody.error || `HTTP ${response.status}`, errorBody.code || 'API_ERROR', response.status);
     }
     return response.json();
 }
+/**
+ * Fetch the team encryption key from API.
+ * Caches the key in memory for the duration of the process.
+ */
+export async function getTeamKey() {
+    if (cachedTeamKey) {
+        return cachedTeamKey;
+    }
+    const response = await request('GET', '/v1/keys/team');
+    if (!response.hasAccess) {
+        throw new RecallApiError('No access to team encryption key', 'NO_ACCESS', 403);
+    }
+    cachedTeamKey = response.encryptionKey;
+    cachedTeamId = response.teamId;
+    cachedTier = response.tier;
+    return cachedTeamKey;
+}
+/**
+ * Get cached team tier (must call getTeamKey first).
+ */
+export function getCachedTier() {
+    return cachedTier;
+}
+/**
+ * Clear cached team key (useful for testing or key rotation).
+ */
+export function clearKeyCache() {
+    cachedTeamKey = null;
+    cachedTeamId = null;
+    cachedTier = null;
+}
+// ============================================================================
 // API Methods
+// ============================================================================
 export async function resolveRepo(fullName, defaultBranch) {
-    return request('POST', '/v1/repos/resolve', { fullName, defaultBranch });
+    return request('POST', '/v1/repos/resolve', {
+        fullName,
+        defaultBranch,
+    });
 }
+/**
+ * Get context for a repo. Decrypts session content.
+ */
 export async function getContext(repoId) {
-    return request('GET', `/v1/repos/${repoId}/context`);
+    // Ensure we have the team key for decryption
+    const teamKey = await getTeamKey();
+    const response = await request('GET', `/v1/repos/${repoId}/context`);
+    // Decrypt session content
+    const sessions = response.sessions.map((raw) => {
+        // Try to decrypt encrypted_content, use tldr_summary as fallback
+        let summary = raw.tldr_summary || '';
+        if (raw.encrypted_content && isEncrypted(raw.encrypted_content)) {
+            try {
+                summary = decrypt(raw.encrypted_content, teamKey);
+            }
+            catch {
+                // If decryption fails, use tldr_summary
+                summary = raw.tldr_summary || '';
+            }
+        }
+        else if (raw.encrypted_content) {
+            // Not encrypted (legacy or plaintext) - use as-is
+            summary = raw.encrypted_content;
+        }
+        return {
+            id: raw.id,
+            summary,
+            status: raw.status,
+            started_at: raw.started_at,
+            ended_at: raw.ended_at,
+            user: raw.user,
+        };
+    });
+    return {
+        sessions,
+        cached_context: response.cached_context,
+        session_count: response.session_count,
+        tier: response.tier,
+    };
 }
+/**
+ * Get history for a repo. Decrypts session, decision, and mistake content.
+ */
 export async function getHistory(repoId, days = 30) {
-    return request('GET', `/v1/repos/${repoId}/history?days=${days}`);
+    // Ensure we have the team key for decryption
+    const teamKey = await getTeamKey();
+    const response = await request('GET', `/v1/repos/${repoId}/history?days=${days}`);
+    // Decrypt sessions
+    const sessions = response.sessions.map((raw) => {
+        let summary = raw.tldr_summary || '';
+        if (raw.encrypted_content && isEncrypted(raw.encrypted_content)) {
+            summary = safeDecrypt(raw.encrypted_content, teamKey);
+        }
+        else if (raw.encrypted_content) {
+            summary = raw.encrypted_content;
+        }
+        return {
+            id: raw.id,
+            summary,
+            status: raw.status,
+            started_at: raw.started_at,
+            ended_at: raw.ended_at,
+            user: raw.user,
+        };
+    });
+    // Decrypt decisions
+    const decisions = response.decisions.map((raw) => {
+        let reasoning = '';
+        if (raw.encrypted_content && isEncrypted(raw.encrypted_content)) {
+            reasoning = safeDecrypt(raw.encrypted_content, teamKey);
+        }
+        else if (raw.encrypted_content) {
+            reasoning = raw.encrypted_content;
+        }
+        return {
+            id: raw.id,
+            decision: raw.title,
+            reasoning,
+            created_at: raw.created_at,
+            user: raw.user,
+        };
+    });
+    // Decrypt mistakes
+    const mistakes = response.mistakes.map((raw) => {
+        let content = raw.title;
+        if (raw.encrypted_content && isEncrypted(raw.encrypted_content)) {
+            content = safeDecrypt(raw.encrypted_content, teamKey);
+        }
+        else if (raw.encrypted_content) {
+            content = raw.encrypted_content;
+        }
+        return {
+            id: raw.id,
+            content,
+            created_at: raw.created_at,
+        };
+    });
+    return { sessions, decisions, mistakes };
 }
+/**
+ * Get transcripts for a repo. Same as history but for Pro tier with full content.
+ */
 export async function getTranscripts(repoId) {
-    return request('GET', `/v1/repos/${repoId}/transcripts`);
+    // Use the history endpoint with longer timeframe for transcripts
+    return getHistory(repoId, 90);
 }
+/**
+ * Save a session. Encrypts content before sending.
+ */
 export async function saveSession(repoId, data) {
-    return request('POST', `/v1/repos/${repoId}/sessions`, {
+    // Ensure we have the team key for encryption
+    const teamKey = await getTeamKey();
+    // Build the content to encrypt (full session summary)
+    const contentToEncrypt = JSON.stringify({
         summary: data.summary,
-        status: data.status || 'complete',
         decisions: data.decisions,
         mistakes: data.mistakes,
         files_changed: data.files_changed,
         next_steps: data.next_steps,
         blockers: data.blockers,
-        started_at: new Date().toISOString(),
-        ended_at: new Date().toISOString(),
+    });
+    // Encrypt the content
+    const encryptedContent = encrypt(contentToEncrypt, teamKey);
+    // Build TLDR for plaintext metadata
+    const tldr = {
+        summary: data.summary.substring(0, 1000), // First 1000 chars for search
+        status: data.status || 'complete',
+        decisions: data.decisions?.map((d) => d.what) || [],
+        mistakes: data.mistakes || [],
+        tags: [], // Could extract tags from content
+        files_changed: data.files_changed || [],
+        blockers: data.blockers || null,
+        next_steps: data.next_steps || null,
+    };
+    const now = new Date().toISOString();
+    // Send to API with encrypted content + plaintext TLDR
+    return request('POST', `/v1/repos/${repoId}/sessions`, {
+        encrypted_content: encryptedContent,
+        tldr,
+        started_at: now,
+        ended_at: now,
+        tool: 'claude-code',
     });
 }
+/**
+ * Log a decision. Encrypts content before sending.
+ */
 export async function logDecision(repoId, decision, reasoning) {
+    // Ensure we have the team key for encryption
+    const teamKey = await getTeamKey();
+    // Encrypt the reasoning (the full decision context)
+    const encryptedContent = encrypt(reasoning, teamKey);
+    // API expects: title (plaintext for search) + encrypted_content
     return request('POST', `/v1/repos/${repoId}/decisions`, {
-        decision,
-        reasoning,
+        title: decision, // Plaintext title for search/display
+        encrypted_content: encryptedContent, // Encrypted reasoning
     });
 }
 export { RecallApiError };

package/dist/api.js.map

@@ -1 +1 @@
-{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,4BAA4B,CAAC;AAO3E,MAAM,cAAe,SAAQ,KAAK;IAGvB;IACA;IAHT,YACE,OAAe,EACR,IAAY,EACZ,MAAc;QAErB,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAAQ;QAGrB,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED,SAAS,QAAQ;IACf,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,cAAc,CACtB,+CAA+C,EAC/C,UAAU,EACV,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,OAAO,CACpB,MAAyC,EACzC,IAAY,EACZ,IAAc;IAEd,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;IACzB,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,IAAI,EAAE,CAAC;IAEhC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM;QACN,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,eAAe,EAAE,UAAU,KAAK,EAAE;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;KAC9C,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAa,CAAC;QACtE,MAAM,IAAI,cAAc,CACtB,SAAS,CAAC,KAAK,IAAI,QAAQ,QAAQ,CAAC,MAAM,EAAE,EAC5C,SAAS,CAAC,IAAI,IAAI,WAAW,EAC7B,QAAQ,CAAC,MAAM,CAChB,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAgB,CAAC;AACvC,CAAC;AA4DD,cAAc;AACd,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,QAAgB,EAAE,aAAsB;IACxE,OAAO,OAAO,CAAsB,MAAM,EAAE,mBAAmB,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc;IAC7C,OAAO,OAAO,CAAkB,KAAK,EAAE,aAAa,MAAM,UAAU,CAAC,CAAC;AACxE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc,EAAE,IAAI,GAAG,EAAE;IACxD,OAAO,OAAO,CAAkB,KAAK,EAAE,aAAa,MAAM,iBAAiB,IAAI,EAAE,CAAC,CAAC;AACrF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAc;IACjD,OAAO,OAAO,CAAkB,KAAK,EAAE,aAAa,MAAM,cAAc,CAAC,CAAC;AAC5E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,IAQC;IAED,OAAO,OAAO,CAAsB,MAAM,EAAE,aAAa,MAAM,WAAW,EAAE;QAC1E,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,UAAU;QACjC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,QAAgB,EAChB,SAAiB;IAEjB,OAAO,OAAO,CAAsB,MAAM,EAAE,aAAa,MAAM,YAAY,EAAE;QAC3E,QAAQ;QACR,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,CAAC"}
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEzE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,4BAA4B,CAAC;AAE3E,yCAAyC;AACzC,IAAI,aAAa,GAAkB,IAAI,CAAC;AACxC,IAAI,YAAY,GAAkB,IAAI,CAAC;AACvC,IAAI,UAAU,GAAkB,IAAI,CAAC;AAOrC,MAAM,cAAe,SAAQ,KAAK;IAGvB;IACA;IAHT,YACE,OAAe,EACR,IAAY,EACZ,MAAc;QAErB,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAAQ;QAGrB,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED,SAAS,QAAQ;IACf,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,cAAc,CACtB,+CAA+C,EAC/C,UAAU,EACV,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,OAAO,CACpB,MAAyC,EACzC,IAAY,EACZ,IAAc;IAEd,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;IACzB,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,IAAI,EAAE,CAAC;IAEhC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM;QACN,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,KAAK,EAAE;SACjC;QACD,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;KAC9C,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAa,CAAC;QACxE,MAAM,IAAI,cAAc,CACtB,SAAS,CAAC,KAAK,IAAI,QAAQ,QAAQ,CAAC,MAAM,EAAE,EAC5C,SAAS,CAAC,IAAI,IAAI,WAAW,EAC7B,QAAQ,CAAC,MAAM,CAChB,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAgB,CAAC;AACvC,CAAC;AAgBD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAkB,KAAK,EAAE,eAAe,CAAC,CAAC;IAExE,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QACxB,MAAM,IAAI,cAAc,CAAC,kCAAkC,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC;IACjF,CAAC;IAED,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC;IACvC,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC/B,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC;IAE3B,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,aAAa,GAAG,IAAI,CAAC;IACrB,YAAY,GAAG,IAAI,CAAC;IACpB,UAAU,GAAG,IAAI,CAAC;AACpB,CAAC;AAsGD,+EAA+E;AAC/E,cAAc;AACd,+EAA+E;AAE/E,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAgB,EAChB,aAAsB;IAEtB,OAAO,OAAO,CAAsB,MAAM,EAAE,mBAAmB,EAAE;QAC/D,QAAQ;QACR,aAAa;KACd,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc;IAM7C,6CAA6C;IAC7C,MAAM,OAAO,GAAG,MAAM,UAAU,EAAE,CAAC;IAEnC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAkB,KAAK,EAAE,aAAa,MAAM,UAAU,CAAC,CAAC;IAEtF,0BAA0B;IAC1B,MAAM,QAAQ,GAAc,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACxD,iEAAiE;QACjE,IAAI,OAAO,GAAG,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QACrC,IAAI,GAAG,CAAC,iBAAiB,IAAI,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAChE,IAAI,CAAC;gBACH,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;YACpD,CAAC;YAAC,MAAM,CAAC;gBACP,wCAAwC;gBACxC,OAAO,GAAG,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;YACnC,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACjC,kDAAkD;YAClD,OAAO,GAAG,GAAG,CAAC,iBAAiB,CAAC;QAClC,CAAC;QAED,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,OAAO;YACP,MAAM,EAAE,GAAG,CAAC,MAAgD;YAC5D,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,cAAc,EAAE,QAAQ,CAAC,cAAc;QACvC,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,IAAI,EAAE,QAAQ,CAAC,IAAI;KACpB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAc,EACd,IAAI,GAAG,EAAE;IAMT,6CAA6C;IAC7C,MAAM,OAAO,GAAG,MAAM,UAAU,EAAE,CAAC;IAEnC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,KAAK,EACL,aAAa,MAAM,iBAAiB,IAAI,EAAE,CAC3C,CAAC;IAEF,mBAAmB;IACnB,MAAM,QAAQ,GAAc,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACxD,IAAI,OAAO,GAAG,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QACrC,IAAI,GAAG,CAAC,iBAAiB,IAAI,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAChE,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QACxD,CAAC;aAAM,IAAI,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACjC,OAAO,GAAG,GAAG,CAAC,iBAAiB,CAAC;QAClC,CAAC;QAED,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,OAAO;YACP,MAAM,EAAE,GAAG,CAAC,MAAgD;YAC5D,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,oBAAoB;IACpB,MAAM,SAAS,GAAsB,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAClE,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,GAAG,CAAC,iBAAiB,IAAI,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAChE,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QAC1D,CAAC;aAAM,IAAI,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACjC,SAAS,GAAG,GAAG,CAAC,iBAAiB,CAAC;QACpC,CAAC;QAED,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,QAAQ,EAAE,GAAG,CAAC,KAAK;YACnB,SAAS;YACT,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,mBAAmB;IACnB,MAAM,QAAQ,GAAqB,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAC/D,IAAI,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC;QACxB,IAAI,GAAG,CAAC,iBAAiB,IAAI,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAChE,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QACxD,CAAC;aAAM,IAAI,GAAG,CAAC,iBAAiB,EAAE,CAAC;YACjC,OAAO,GAAG,GAAG,CAAC,iBAAiB,CAAC;QAClC,CAAC;QAED,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,OAAO;YACP,UAAU,EAAE,GAAG,CAAC,UAAU;SAC3B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAc;IAKjD,iEAAiE;IACjE,OAAO,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,IAQC;IAED,6CAA6C;IAC7C,MAAM,OAAO,GAAG,MAAM,UAAU,EAAE,CAAC;IAEnC,sDAAsD;IACtD,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC;QACtC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;KACxB,CAAC,CAAC;IAEH,sBAAsB;IACtB,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IAE5D,oCAAoC;IACpC,MAAM,IAAI,GAAG;QACX,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;QACxE,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,UAAU;QACjC,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE;QACnD,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE;QAC7B,IAAI,EAAE,EAAE,EAAE,kCAAkC;QAC5C,aAAa,EAAE,IAAI,CAAC,aAAa,IAAI,EAAE;QACvC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;QAC/B,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI;KACpC,CAAC;IAEF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,sDAAsD;IACtD,OAAO,OAAO,CAAsB,MAAM,EAAE,aAAa,MAAM,WAAW,EAAE;QAC1E,iBAAiB,EAAE,gBAAgB;QACnC,IAAI;QACJ,UAAU,EAAE,GAAG;QACf,QAAQ,EAAE,GAAG;QACb,IAAI,EAAE,aAAa;KACpB,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,QAAgB,EAChB,SAAiB;IAEjB,6CAA6C;IAC7C,MAAM,OAAO,GAAG,MAAM,UAAU,EAAE,CAAC;IAEnC,oDAAoD;IACpD,MAAM,gBAAgB,GAAG,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAErD,gEAAgE;IAChE,OAAO,OAAO,CAAsB,MAAM,EAAE,aAAa,MAAM,YAAY,EAAE;QAC3E,KAAK,EAAE,QAAQ,EAAE,qCAAqC;QACtD,iBAAiB,EAAE,gBAAgB,EAAE,sBAAsB;KAC5D,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Recall Encryption Module
+ *
+ * Client-side AES-256-GCM encryption/decryption for zero-knowledge architecture.
+ * Team key is fetched from API and used to encrypt content before sending,
+ * and decrypt content after receiving.
+ *
+ * Format: RECALL_ENCRYPTED:v1:[base64_iv]:[base64_ciphertext]:[base64_tag]
+ */
+/**
+ * Encrypt content using AES-256-GCM.
+ *
+ * @param plaintext - The content to encrypt
+ * @param teamKeyBase64 - The team encryption key (base64)
+ * @returns Encrypted string in format: RECALL_ENCRYPTED:v1:[iv]:[ciphertext]:[tag]
+ */
+export declare function encrypt(plaintext: string, teamKeyBase64: string): string;
+/**
+ * Decrypt content that was encrypted with AES-256-GCM.
+ *
+ * @param encryptedString - The encrypted content (RECALL_ENCRYPTED:v1:...)
+ * @param teamKeyBase64 - The team encryption key (base64)
+ * @returns Decrypted plaintext
+ * @throws Error if decryption fails or format is invalid
+ */
+export declare function decrypt(encryptedString: string, teamKeyBase64: string): string;
+/**
+ * Check if a string is encrypted content.
+ */
+export declare function isEncrypted(content: string): boolean;
+/**
+ * Safely decrypt content - returns original if not encrypted or if decryption fails.
+ * This allows gradual migration and handling of mixed content.
+ */
+export declare function safeDecrypt(content: string, teamKeyBase64: string): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAyBH;;;;;;GAMG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAYxE;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CAAC,eAAe,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAwC9E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAEpD;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAW1E"}

package/dist/crypto.js

@@ -0,0 +1,104 @@
+/**
+ * Recall Encryption Module
+ *
+ * Client-side AES-256-GCM encryption/decryption for zero-knowledge architecture.
+ * Team key is fetched from API and used to encrypt content before sending,
+ * and decrypt content after receiving.
+ *
+ * Format: RECALL_ENCRYPTED:v1:[base64_iv]:[base64_ciphertext]:[base64_tag]
+ */
+import * as crypto from 'crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16; // 128 bits
+const TAG_LENGTH = 16; // 128 bits
+const ENCRYPTED_PREFIX = 'RECALL_ENCRYPTED:v1:';
+/**
+ * Derive a 256-bit key from the base64 team key.
+ * The team key from API is already a raw 256-bit key in base64.
+ */
+function deriveKey(teamKeyBase64) {
+    // Decode the base64 key - it's already 256 bits (32 bytes)
+    const keyBuffer = Buffer.from(teamKeyBase64, 'base64');
+    // If the key is not 32 bytes, hash it to get 32 bytes
+    if (keyBuffer.length !== 32) {
+        return crypto.createHash('sha256').update(teamKeyBase64).digest();
+    }
+    return keyBuffer;
+}
+/**
+ * Encrypt content using AES-256-GCM.
+ *
+ * @param plaintext - The content to encrypt
+ * @param teamKeyBase64 - The team encryption key (base64)
+ * @returns Encrypted string in format: RECALL_ENCRYPTED:v1:[iv]:[ciphertext]:[tag]
+ */
+export function encrypt(plaintext, teamKeyBase64) {
+    const key = deriveKey(teamKeyBase64);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+    const authTag = cipher.getAuthTag();
+    return `${ENCRYPTED_PREFIX}${iv.toString('base64')}:${encrypted}:${authTag.toString('base64')}`;
+}
+/**
+ * Decrypt content that was encrypted with AES-256-GCM.
+ *
+ * @param encryptedString - The encrypted content (RECALL_ENCRYPTED:v1:...)
+ * @param teamKeyBase64 - The team encryption key (base64)
+ * @returns Decrypted plaintext
+ * @throws Error if decryption fails or format is invalid
+ */
+export function decrypt(encryptedString, teamKeyBase64) {
+    // Check format
+    if (!encryptedString.startsWith(ENCRYPTED_PREFIX)) {
+        throw new Error('Invalid encrypted content format: missing RECALL_ENCRYPTED prefix');
+    }
+    // Parse components
+    const withoutPrefix = encryptedString.substring(ENCRYPTED_PREFIX.length);
+    const parts = withoutPrefix.split(':');
+    if (parts.length !== 3) {
+        throw new Error(`Invalid encrypted content format: expected 3 parts (iv:ciphertext:tag), got ${parts.length}`);
+    }
+    const [ivBase64, ciphertextBase64, tagBase64] = parts;
+    const key = deriveKey(teamKeyBase64);
+    const iv = Buffer.from(ivBase64, 'base64');
+    const ciphertext = Buffer.from(ciphertextBase64, 'base64');
+    const authTag = Buffer.from(tagBase64, 'base64');
+    // Validate IV length
+    if (iv.length !== IV_LENGTH) {
+        throw new Error(`Invalid IV length: expected ${IV_LENGTH}, got ${iv.length}`);
+    }
+    // Validate auth tag length
+    if (authTag.length !== TAG_LENGTH) {
+        throw new Error(`Invalid auth tag length: expected ${TAG_LENGTH}, got ${authTag.length}`);
+    }
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(ciphertext, undefined, 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
+/**
+ * Check if a string is encrypted content.
+ */
+export function isEncrypted(content) {
+    return content.startsWith(ENCRYPTED_PREFIX);
+}
+/**
+ * Safely decrypt content - returns original if not encrypted or if decryption fails.
+ * This allows gradual migration and handling of mixed content.
+ */
+export function safeDecrypt(content, teamKeyBase64) {
+    if (!isEncrypted(content)) {
+        return content;
+    }
+    try {
+        return decrypt(content, teamKeyBase64);
+    }
+    catch (error) {
+        console.error('Failed to decrypt content:', error);
+        return content; // Return as-is if decryption fails
+    }
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAEjC,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,WAAW;AACjC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,WAAW;AAClC,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;AAEhD;;;GAGG;AACH,SAAS,SAAS,CAAC,aAAqB;IACtC,2DAA2D;IAC3D,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAEvD,sDAAsD;IACtD,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,EAAE,CAAC;IACpE,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,aAAqB;IAC9D,MAAM,GAAG,GAAG,SAAS,CAAC,aAAa,CAAC,CAAC;IACrC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IAEzC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAEzD,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3D,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAEpC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,OAAO,GAAG,gBAAgB,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;AAClG,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,OAAO,CAAC,eAAuB,EAAE,aAAqB;IACpE,eAAe;IACf,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;IAED,mBAAmB;IACnB,MAAM,aAAa,GAAG,eAAe,CAAC,SAAS,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACzE,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEvC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,+EAA+E,KAAK,CAAC,MAAM,EAAE,CAC9F,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;IAEtD,MAAM,GAAG,GAAG,SAAS,CAAC,aAAa,CAAC,CAAC;IACrC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEjD,qBAAqB;IACrB,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+BAA+B,SAAS,SAAS,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,2BAA2B;IAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,qCAAqC,UAAU,SAAS,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5F,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAE7B,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC/D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,OAAO,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,aAAqB;IAChE,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;QACnD,OAAO,OAAO,CAAC,CAAC,mCAAmC;IACrD,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "recall-mcp-v3",
-  "version": "3.0.1",
+  "version": "3.1.0",
   "description": "Recall MCP server for Claude Code - team memory for AI coding assistants",
   "type": "module",
   "main": "dist/index.js",