sema-cli 0.1.0

package/experiments/spike-shell-stream/mobile-web/index.html

@@ -0,0 +1,1093 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Sema</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/css/xterm.min.css" />
+    <style>
+      :root {
+        color-scheme: dark;
+        font-family: Inter, ui-sans-serif, system-ui, -apple-system, sans-serif;
+        background: #101417;
+        color: #f4f1e8;
+      }
+
+      * { box-sizing: border-box; }
+
+      body {
+        margin: 0;
+        min-height: 100vh;
+        min-height: 100dvh;
+        background: #101417;
+        display: flex;
+        flex-direction: column;
+      }
+
+      header {
+        display: flex;
+        align-items: center;
+        justify-content: space-between;
+        gap: 12px;
+        padding: 10px 14px;
+        border-bottom: 1px solid #2b3337;
+        flex-shrink: 0;
+      }
+
+      h1 {
+        margin: 0;
+        font-size: 16px;
+        font-weight: 700;
+        flex: 1;
+        overflow: hidden;
+        text-overflow: ellipsis;
+        white-space: nowrap;
+      }
+
+      .back-btn {
+        color: #4ec9b0;
+        text-decoration: none;
+        font-size: 14px;
+        flex-shrink: 0;
+        padding: 4px 0;
+      }
+
+      .status {
+        min-width: 100px;
+        border: 1px solid #3a444a;
+        border-radius: 6px;
+        padding: 5px 10px;
+        color: #d7d0c0;
+        font-size: 12px;
+        text-align: center;
+      }
+
+      .status.connected { border-color: #4f9b72; color: #91e0b1; }
+      .status.waiting { border-color: #a77a3d; color: #f0c076; }
+
+      #terminal-container {
+        flex: 1;
+        min-height: 0;
+        padding: 4px;
+        overflow: hidden;
+      }
+
+      #terminal {
+        width: 100%;
+        height: 100%;
+      }
+
+      form {
+        display: grid;
+        grid-template-columns: 1fr auto;
+        gap: 8px;
+        padding: 10px 14px;
+        border-top: 1px solid #2b3337;
+        background: #141a1d;
+        flex-shrink: 0;
+        padding-bottom: max(10px, env(safe-area-inset-bottom));
+      }
+
+      input {
+        width: 100%;
+        min-width: 0;
+        border: 1px solid #394349;
+        border-radius: 8px;
+        background: #0b0f11;
+        color: #f4f1e8;
+        font: inherit;
+        font-size: 15px;
+        padding: 10px 12px;
+      }
+
+      button {
+        border: 1px solid #b86b4b;
+        border-radius: 8px;
+        background: #d97852;
+        color: #190e0a;
+        font: inherit;
+        font-weight: 700;
+        padding: 0 16px;
+        min-height: 44px;
+      }
+
+      button:disabled { opacity: 0.5; }
+
+      .quick-keys {
+        display: flex;
+        gap: 6px;
+        padding: 6px 14px;
+        border-top: 1px solid #2b3337;
+        background: #141a1d;
+        overflow-x: auto;
+        flex-shrink: 0;
+      }
+
+      .quick-keys button {
+        background: #2b3337;
+        border-color: #3a444a;
+        color: #d7d0c0;
+        font-size: 12px;
+        padding: 6px 10px;
+        min-height: 32px;
+        white-space: nowrap;
+        flex-shrink: 0;
+      }
+
+      /* Smart alert notification card */
+      .smart-alert {
+        display: none;
+        flex-direction: column;
+        gap: 8px;
+        padding: 12px 14px;
+        background: #1a2a1f;
+        border-bottom: 2px solid #4f9b72;
+        flex-shrink: 0;
+        animation: slideDown 0.3s ease-out;
+      }
+
+      .smart-alert.visible { display: flex; }
+
+      .smart-alert-header {
+        display: flex;
+        align-items: flex-start;
+        gap: 8px;
+      }
+
+      .smart-alert-icon { font-size: 16px; flex-shrink: 0; }
+
+      .smart-alert-question {
+        font-size: 14px;
+        font-weight: 600;
+        color: #91e0b1;
+        line-height: 1.4;
+        word-break: break-word;
+      }
+
+      .smart-alert-context {
+        font-size: 12px;
+        color: #8a9099;
+        line-height: 1.3;
+        max-height: 60px;
+        overflow: hidden;
+        white-space: pre-wrap;
+        word-break: break-word;
+      }
+
+      .smart-alert-actions {
+        display: flex;
+        gap: 8px;
+        flex-wrap: wrap;
+      }
+
+      .smart-alert-actions button {
+        flex: 1;
+        min-width: 60px;
+        border: 1px solid #4f9b72;
+        border-radius: 8px;
+        background: #2a4a35;
+        color: #91e0b1;
+        font-size: 14px;
+        font-weight: 600;
+        padding: 10px 14px;
+        min-height: 40px;
+        cursor: pointer;
+      }
+
+      .smart-alert-actions button:disabled { opacity: 0.5; }
+
+      .smart-alert-actions button.manual-btn {
+        background: transparent;
+        border-color: #3a444a;
+        color: #8a9099;
+        font-size: 12px;
+        font-weight: 400;
+        flex: 0;
+        padding: 10px 12px;
+      }
+
+      @keyframes slideDown {
+        from { transform: translateY(-100%); opacity: 0; }
+        to { transform: translateY(0); opacity: 1; }
+      }
+
+      /* Fingerprint verification banner */
+      .fingerprint-bar {
+        display: none;
+        align-items: center;
+        gap: 8px;
+        padding: 8px 12px;
+        background: #1a2332;
+        border-bottom: 1px solid #1e3a5f;
+        font-family: "SF Mono", SFMono-Regular, ui-monospace, Menlo, monospace;
+        font-size: 13px;
+        color: #79b8ff;
+        flex-shrink: 0;
+      }
+
+      .fingerprint-bar.verified { background: #152a1a; border-color: #1e5f2e; color: #4ec9b0; }
+      .fingerprint-bar.mismatch { background: #2a1515; border-color: #5f1e1e; color: #f97583; }
+
+      .fp-value { flex: 1; letter-spacing: 1px; }
+
+      .fp-verify-btn {
+        background: transparent;
+        border: 1px solid currentColor;
+        color: inherit;
+        padding: 2px 10px;
+        border-radius: 4px;
+        font-size: 12px;
+        font-weight: 600;
+        cursor: pointer;
+        min-height: auto;
+      }
+
+      .fp-verify-btn:disabled { opacity: 0.6; cursor: default; }
+
+      /* Fingerprint verification dialog overlay */
+      .fp-dialog {
+        position: fixed;
+        inset: 0;
+        background: rgba(0, 0, 0, 0.7);
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        z-index: 100;
+        padding: 24px;
+      }
+
+      .fp-dialog-content {
+        background: #1a1f24;
+        border: 1px solid #2b3337;
+        border-radius: 12px;
+        padding: 28px 24px;
+        max-width: 360px;
+        width: 100%;
+        text-align: center;
+      }
+
+      .fp-dialog h3 {
+        margin: 0 0 12px 0;
+        font-size: 16px;
+        font-weight: 700;
+      }
+
+      .fp-dialog p {
+        margin: 0 0 16px 0;
+        font-size: 14px;
+        color: #8a9099;
+        line-height: 1.5;
+      }
+
+      .fp-display {
+        font-family: "SF Mono", SFMono-Regular, ui-monospace, Menlo, monospace;
+        font-size: 22px;
+        font-weight: 700;
+        letter-spacing: 3px;
+        padding: 16px;
+        background: #0d1117;
+        border: 1px solid #2b3337;
+        border-radius: 8px;
+        margin: 16px 0;
+        color: #79b8ff;
+      }
+
+      .fp-instruction {
+        font-size: 12px !important;
+        color: #5a6068 !important;
+      }
+
+      .fp-actions {
+        display: flex;
+        gap: 12px;
+        margin-top: 20px;
+      }
+
+      .fp-actions button {
+        flex: 1;
+        border-radius: 8px;
+        font-size: 14px;
+        font-weight: 600;
+        padding: 12px;
+        min-height: 44px;
+        cursor: pointer;
+      }
+
+      .btn-danger {
+        background: #3a1a1a;
+        border-color: #5f1e1e;
+        color: #f97583;
+      }
+
+      .btn-primary {
+        background: #1a3a2a;
+        border-color: #1e5f2e;
+        color: #4ec9b0;
+      }
+    </style>
+  </head>
+  <body>
+    <header>
+      <a href="/inbox.html" id="back-btn" class="back-btn">← Sessions</a>
+      <h1 id="session-title">Sema</h1>
+      <div id="status" class="status waiting">Connecting</div>
+    </header>
+
+    <div id="fingerprint-bar" class="fingerprint-bar">
+      <span>🔐</span>
+      <span id="fp-value" class="fp-value"></span>
+      <button id="fp-verify-btn" class="fp-verify-btn" onclick="verifyFingerprint()">Verify</button>
+    </div>
+
+    <div id="fp-dialog" class="fp-dialog" style="display:none">
+      <div class="fp-dialog-content">
+        <h3>Verify Connection Security</h3>
+        <p>Compare this fingerprint with the one shown on your Mac terminal:</p>
+        <div class="fp-display" id="fp-dialog-value"></div>
+        <p class="fp-instruction">If they match, tap Confirm. If not, disconnect immediately.</p>
+        <div class="fp-actions">
+          <button class="btn-danger" onclick="disconnectAndWarn()">Disconnect</button>
+          <button class="btn-primary" onclick="confirmFingerprint()">Confirm Match</button>
+        </div>
+      </div>
+    </div>
+
+    <div id="smart-alert" class="smart-alert">
+      <div class="smart-alert-header">
+        <span class="smart-alert-icon">⚡</span>
+        <span id="smart-alert-question" class="smart-alert-question"></span>
+      </div>
+      <div id="smart-alert-context" class="smart-alert-context"></div>
+      <div id="smart-alert-actions" class="smart-alert-actions"></div>
+    </div>
+
+    <div id="terminal-container">
+      <div id="terminal"></div>
+    </div>
+
+    <div class="quick-keys">
+      <button type="button" data-ctrl="c">Ctrl+C</button>
+      <button type="button" data-ctrl="d">Ctrl+D</button>
+      <button type="button" data-ctrl="z">Ctrl+Z</button>
+      <button type="button" data-ctrl="l">Ctrl+L</button>
+      <button type="button" data-special="tab">Tab</button>
+      <button type="button" data-special="up">↑</button>
+      <button type="button" data-special="down">↓</button>
+      <button type="button" data-special="left">←</button>
+      <button type="button" data-special="right">→</button>
+      <button type="button" data-special="escape">Esc</button>
+    </div>
+
+    <form id="command-form">
+      <input
+        id="command"
+        autocomplete="off"
+        autocapitalize="off"
+        spellcheck="false"
+        placeholder="Send to Mac"
+      />
+      <button id="send" type="submit" disabled>Send</button>
+    </form>
+
+    <script src="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/lib/xterm.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/@xterm/addon-fit@0.10.0/lib/addon-fit.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/@xterm/addon-web-links@0.11.0/lib/addon-web-links.min.js"></script>
+    <script>
+      // --- Session & token management ---
+      const params = new URLSearchParams(location.search);
+      const sessionId = params.get("sessionId");
+
+      // Multi-session storage helpers
+      function getStoredSessions() {
+        try {
+          return JSON.parse(localStorage.getItem("vc_sessions") || "{}");
+        } catch { return {}; }
+      }
+
+      function storeSession(id, token, macPublicKey, command) {
+        const sessions = getStoredSessions();
+        sessions[id] = {
+          token: token,
+          macPublicKey: macPublicKey || null,
+          command: command || null,
+          pairedAt: Date.now(),
+        };
+        localStorage.setItem("vc_sessions", JSON.stringify(sessions));
+      }
+
+      function removeStoredSession(id) {
+        const sessions = getStoredSessions();
+        delete sessions[id];
+        localStorage.setItem("vc_sessions", JSON.stringify(sessions));
+      }
+
+      const storedSessions = getStoredSessions();
+      let sessionToken = params.get("sessionToken")
+        || (storedSessions[sessionId] ? storedSessions[sessionId].token : null)
+        || sessionStorage.getItem("sessionToken")
+        || null;
+
+      // If token came via URL, store in localStorage + sessionStorage and clean URL
+      if (params.get("sessionToken")) {
+        storeSession(sessionId, params.get("sessionToken"),
+          sessionStorage.getItem("macPublicKey"));
+        sessionStorage.setItem("sessionToken", params.get("sessionToken"));
+        params.delete("sessionToken");
+        const cleanUrl = params.toString()
+          ? `${location.pathname}?${params}`
+          : location.pathname;
+        history.replaceState(null, "", cleanUrl);
+        sessionToken = sessionStorage.getItem("sessionToken")
+          || (storedSessions[sessionId] ? storedSessions[sessionId].token : null);
+      }
+
+      // No session → redirect to inbox
+      if (!sessionId || !sessionToken) {
+        window.location.href = "/inbox.html";
+        throw new Error("redirecting");
+      }
+
+      // Set session title from stored command
+      const sessionInfo = storedSessions[sessionId];
+      const displayName = (sessionInfo && sessionInfo.command) || "Session";
+      document.getElementById("session-title").textContent = displayName;
+      document.title = displayName + " — Sema";
+
+      // Back button: close WebSocket before navigating
+      document.getElementById("back-btn").addEventListener("click", function(e) {
+        e.preventDefault();
+        if (typeof socket !== "undefined" && socket) {
+          socket.onclose = null; // prevent auto-reconnect
+          socket.close();
+        }
+        window.location.href = "/inbox.html";
+      });
+
+      const statusEl = document.getElementById("status");
+      const formEl = document.getElementById("command-form");
+      const commandEl = document.getElementById("command");
+      const sendEl = document.getElementById("send");
+      // --- Smart alert notification system ---
+      let audioCtx = null;
+
+      function getAudioContext() {
+        if (!audioCtx) {
+          audioCtx = new (window.AudioContext || window.webkitAudioContext)();
+        }
+        return audioCtx;
+      }
+
+      function playAlertSound() {
+        try {
+          const ctx = getAudioContext();
+          const osc = ctx.createOscillator();
+          const gain = ctx.createGain();
+          osc.connect(gain);
+          gain.connect(ctx.destination);
+          osc.type = "sine";
+          osc.frequency.setValueAtTime(880, ctx.currentTime);
+          osc.frequency.setValueAtTime(1100, ctx.currentTime + 0.1);
+          gain.gain.setValueAtTime(0.3, ctx.currentTime);
+          gain.gain.exponentialRampToValueAtTime(0.01, ctx.currentTime + 0.3);
+          osc.start(ctx.currentTime);
+          osc.stop(ctx.currentTime + 0.3);
+        } catch (e) {
+          // Audio not available
+        }
+      }
+
+      function showSmartAlert(message) {
+        const card = document.getElementById("smart-alert");
+        const questionEl = document.getElementById("smart-alert-question");
+        const contextEl = document.getElementById("smart-alert-context");
+        const actionsEl = document.getElementById("smart-alert-actions");
+
+        questionEl.textContent = message.question || "Needs attention";
+        contextEl.textContent = message.context || "";
+        contextEl.style.display = message.context ? "block" : "none";
+
+        // Build action buttons
+        actionsEl.innerHTML = "";
+
+        const options = message.options || [];
+        for (const opt of options) {
+          const btn = document.createElement("button");
+          btn.type = "button";
+          btn.textContent = opt.label;
+          btn.addEventListener("click", () => {
+            // Debounce: disable all buttons immediately
+            actionsEl.querySelectorAll("button").forEach(b => { b.disabled = true; });
+            if (opt.data) {
+              sendToMac(opt.data);
+            } else {
+              commandEl.focus();
+            }
+            hideSmartAlert();
+          });
+          actionsEl.appendChild(btn);
+        }
+
+        // Always add "Manual" button
+        const manualBtn = document.createElement("button");
+        manualBtn.type = "button";
+        manualBtn.className = "manual-btn";
+        manualBtn.textContent = "Manual";
+        manualBtn.addEventListener("click", () => {
+          hideSmartAlert();
+          commandEl.focus();
+        });
+        actionsEl.appendChild(manualBtn);
+
+        // Show card
+        card.classList.add("visible");
+
+        // Sound + vibration
+        if (navigator.vibrate) navigator.vibrate(200);
+        if (document.visibilityState === "visible") playAlertSound();
+        if (document.visibilityState === "hidden" && Notification.permission === "granted") {
+          new Notification("Sema", {
+            body: message.question || "Needs attention",
+            icon: "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>⚡</text></svg>",
+          });
+        }
+      }
+
+      function hideSmartAlert() {
+        document.getElementById("smart-alert").classList.remove("visible");
+      }
+
+      // Request notification permission on first interaction
+      if ("Notification" in window && Notification.permission === "default") {
+        document.addEventListener("click", function requestPermission() {
+          Notification.requestPermission();
+          document.removeEventListener("click", requestPermission);
+        }, { once: true });
+      }
+      // --- End smart alert system ---
+
+      const term = new Terminal({
+        cursorBlink: true,
+        fontSize: 13,
+        fontFamily: '"SF Mono", Menlo, Consolas, monospace',
+        theme: {
+          background: "#080b0d",
+          foreground: "#e8e1d2",
+          cursor: "#d97852",
+          selectionBackground: "#3a444a",
+        },
+        allowProposedApi: true,
+      });
+
+      const fitAddon = new FitAddon.FitAddon();
+      const webLinksAddon = new WebLinksAddon.WebLinksAddon();
+      term.loadAddon(fitAddon);
+      term.loadAddon(webLinksAddon);
+      term.open(document.getElementById("terminal"));
+      fitAddon.fit();
+
+      let socket;
+      let reconnectTimer;
+      let authFailed = false;
+
+      // --- E2E Encryption ---
+      const macPublicKeyB64 = sessionStorage.getItem("macPublicKey")
+        || (storedSessions[sessionId] ? storedSessions[sessionId].macPublicKey : null);
+      let aesKey = null;       // CryptoKey for AES-GCM
+      let encryptionReady = false;
+      let mobileKeyPair = null; // CryptoKeyPair — persists across key_rotation
+      const deviceId = (() => {
+        let id = localStorage.getItem("sema_device_id");
+        if (!id) {
+          id = crypto.randomUUID();
+          localStorage.setItem("sema_device_id", id);
+        }
+        return id;
+      })();
+
+      // Generate mobile keypair and derive shared key with mac
+      async function setupEncryption() {
+        if (!macPublicKeyB64) {
+          console.log("[mobile] No macPublicKey, E2E disabled");
+          return false;
+        }
+        try {
+          // Import mac's public key
+          const macKeyBytes = Uint8Array.from(atob(macPublicKeyB64), c => c.charCodeAt(0));
+          const macPublicKey = await crypto.subtle.importKey(
+            "spki", macKeyBytes.buffer, "X25519", true, []
+          );
+
+          // Generate our keypair (module-level — reused for key_rotation)
+          mobileKeyPair = await crypto.subtle.generateKey("X25519", true, ["deriveBits"]);
+
+          // Derive shared secret (256 bits)
+          const sharedBits = await crypto.subtle.deriveBits(
+            { name: "X25519", public: macPublicKey },
+            mobileKeyPair.privateKey,
+            256
+          );
+
+          // HKDF → AES-256 key
+          const hkdfKey = await crypto.subtle.importKey("raw", sharedBits, "HKDF", false, ["deriveKey"]);
+          aesKey = await crypto.subtle.deriveKey(
+            {
+              name: "HKDF",
+              hash: "SHA-256",
+              salt: new TextEncoder().encode("sema-e2e"),
+              info: new TextEncoder().encode("aes-256-key"),
+            },
+            hkdfKey,
+            { name: "AES-GCM", length: 256 },
+            false,
+            ["encrypt", "decrypt"]
+          );
+
+          // Export our public key for key_exchange
+          const pubKeySpki = await crypto.subtle.exportKey("spki", mobileKeyPair.publicKey);
+          window._mobilePublicKeyB64 = btoa(String.fromCharCode(...new Uint8Array(pubKeySpki)));
+
+          console.log("[mobile] E2E keys derived");
+          return true;
+        } catch (err) {
+          console.error("[mobile] E2E setup failed:", err);
+          return false;
+        }
+      }
+
+      // Encrypt plaintext → { iv, ct, tag } (base64)
+      async function encryptPayload(plaintext) {
+        const iv = crypto.getRandomValues(new Uint8Array(12));
+        const encoded = new TextEncoder().encode(plaintext);
+        const encrypted = await crypto.subtle.encrypt(
+          { name: "AES-GCM", iv },
+          aesKey,
+          encoded
+        );
+        const bytes = new Uint8Array(encrypted);
+        // Web Crypto appends 16-byte tag to ciphertext
+        const ct = bytes.slice(0, bytes.length - 16);
+        const tag = bytes.slice(bytes.length - 16);
+        return {
+          iv: btoa(String.fromCharCode(...iv)),
+          ct: btoa(String.fromCharCode(...ct)),
+          tag: btoa(String.fromCharCode(...tag)),
+        };
+      }
+
+      // Decrypt { iv, ct, tag } → plaintext string
+      async function decryptPayload({ iv, ct, tag }) {
+        const ivBytes = Uint8Array.from(atob(iv), c => c.charCodeAt(0));
+        const ctBytes = Uint8Array.from(atob(ct), c => c.charCodeAt(0));
+        const tagBytes = Uint8Array.from(atob(tag), c => c.charCodeAt(0));
+        // Web Crypto expects ct || tag combined
+        const combined = new Uint8Array(ctBytes.length + tagBytes.length);
+        combined.set(ctBytes);
+        combined.set(tagBytes, ctBytes.length);
+        const decrypted = await crypto.subtle.decrypt(
+          { name: "AES-GCM", iv: ivBytes },
+          aesKey,
+          combined
+        );
+        return new TextDecoder().decode(decrypted);
+      }
+
+      // Compute fingerprint from X25519 shared bits (must match Node.js computeFingerprint)
+      async function computeFingerprint(sharedBits) {
+        const prefix = new TextEncoder().encode("sema-fp");
+        const combined = new Uint8Array(prefix.length + sharedBits.byteLength);
+        combined.set(prefix);
+        combined.set(new Uint8Array(sharedBits), prefix.length);
+        const hash = await crypto.subtle.digest("SHA-256", combined);
+        const bytes = new Uint8Array(hash).slice(0, 6);
+        return Array.from(bytes).map(b => b.toString(16).padStart(2, "0")).join(":");
+      }
+
+      function setStatus(label, className) {
+        statusEl.textContent = label;
+        statusEl.className = `status ${className || ""}`;
+      }
+
+      async function sendToMac(data) {
+        if (!socket || socket.readyState !== WebSocket.OPEN) return;
+        if (encryptionReady) {
+          const payload = JSON.stringify({ type: "input", data });
+          const enc = await encryptPayload(payload);
+          socket.send(JSON.stringify({
+            type: "input",
+            sessionId,
+            deviceId,
+            ...enc,
+          }));
+        } else {
+          socket.send(JSON.stringify({ type: "input", sessionId, data }));
+        }
+      }
+
+      async function sendResize() {
+        if (!socket || socket.readyState !== WebSocket.OPEN) return;
+        if (encryptionReady) {
+          const payload = JSON.stringify({ type: "resize", cols: term.cols, rows: term.rows });
+          const enc = await encryptPayload(payload);
+          socket.send(JSON.stringify({
+            type: "resize",
+            sessionId,
+            deviceId,
+            ...enc,
+          }));
+        } else {
+          socket.send(JSON.stringify({
+            type: "resize",
+            sessionId,
+            cols: term.cols,
+            rows: term.rows,
+          }));
+        }
+      }
+
+      term.onData((data) => {
+        // Filter out terminal DA responses from xterm.js.
+        // The Mac's tmux/zsh sends DA queries (\x1b[c, \x1b[>c) during init.
+        // xterm.js auto-responds — these must NOT be forwarded as shell input.
+        const isResponse =
+          /^\x1b\[\?[0-9;]*[a-z]$/i.test(data) ||
+          /^\x1b\[>[0-9;]*c$/.test(data) ||
+          /^\x1b\[[0-9;]*c$/.test(data);
+        if (!isResponse) {
+          sendToMac(data);
+        }
+        hideSmartAlert();
+      });
+
+      term.onResize(() => {
+        sendResize();
+      });
+
+      window.addEventListener("resize", () => {
+        fitAddon.fit();
+      });
+
+      document.querySelectorAll(".quick-keys button").forEach((btn) => {
+        btn.addEventListener("click", () => {
+          const ctrl = btn.dataset.ctrl;
+          const special = btn.dataset.special;
+
+          if (ctrl) {
+            // Ctrl+A=1, Ctrl+B=2, ..., Ctrl+Z=26
+            const code = ctrl.charCodeAt(0) - 96;
+            sendToMac(String.fromCharCode(code));
+            return;
+          }
+
+          if (special) {
+            const map = {
+              tab: "\t",
+              up: "\x1b[A",
+              down: "\x1b[B",
+              left: "\x1b[D",
+              right: "\x1b[C",
+              escape: "\x1b",
+            };
+            if (map[special]) sendToMac(map[special]);
+          }
+        });
+      });
+
+      // --- Fingerprint verification ---
+
+      function showFingerprintDialog(fp, isMismatch) {
+        document.getElementById("fp-dialog-value").textContent = fp;
+        document.getElementById("fp-dialog").style.display = "flex";
+        const h3 = document.querySelector(".fp-dialog h3");
+        if (isMismatch) {
+          h3.textContent = "⚠ Fingerprint Changed";
+        } else {
+          h3.textContent = "Verify Connection Security";
+        }
+      }
+
+      function showFingerprint(fp) {
+        const bar = document.getElementById("fingerprint-bar");
+        const fpValue = document.getElementById("fp-value");
+        const verifyBtn = document.getElementById("fp-verify-btn");
+
+        bar.style.display = "flex";
+        fpValue.textContent = fp;
+
+        const stored = getStoredSessions()[sessionId]?.verifiedFingerprint;
+
+        if (!stored) {
+          // First connection — show dialog, BLOCK input until user confirms
+          bar.className = "fingerprint-bar";
+          verifyBtn.textContent = "Verify";
+          verifyBtn.disabled = false;
+          showFingerprintDialog(fp, false);
+          // encryptionReady stays false — input disabled until confirmFingerprint()
+        } else if (stored === fp) {
+          // Matches stored fingerprint — auto-verified, unblock immediately
+          bar.className = "fingerprint-bar verified";
+          verifyBtn.textContent = "✓ Verified";
+          verifyBtn.disabled = true;
+          encryptionReady = true;
+          setStatus("Connected", "connected");
+          sendEl.disabled = false;
+          sendResize();
+        } else {
+          // Mismatch — BLOCK input and warn
+          bar.className = "fingerprint-bar mismatch";
+          verifyBtn.textContent = "⚠ Changed";
+          verifyBtn.disabled = false;
+          showFingerprintDialog(fp, true);
+          // encryptionReady stays false — input blocked
+        }
+      }
+
+      function confirmFingerprint() {
+        const fp = document.getElementById("fp-value").textContent;
+        const sessions = getStoredSessions();
+        if (sessions[sessionId]) {
+          sessions[sessionId].verifiedFingerprint = fp;
+          localStorage.setItem("vc_sessions", JSON.stringify(sessions));
+        }
+        document.getElementById("fp-dialog").style.display = "none";
+        const bar = document.getElementById("fingerprint-bar");
+        bar.className = "fingerprint-bar verified";
+        document.getElementById("fp-verify-btn").textContent = "✓ Verified";
+        document.getElementById("fp-verify-btn").disabled = true;
+
+        // Unblock input — user has confirmed fingerprint match
+        encryptionReady = true;
+        setStatus("Connected", "connected");
+        sendEl.disabled = false;
+        sendResize();
+      }
+
+      function verifyFingerprint() {
+        const fp = document.getElementById("fp-value").textContent;
+        if (fp) showFingerprintDialog(fp, false);
+      }
+
+      function disconnectAndWarn() {
+        document.getElementById("fp-dialog").style.display = "none";
+        if (socket) { socket.onclose = null; socket.close(); }
+        authFailed = true;
+        document.body.innerHTML = `
+          <div style="padding:40px;text-align:center;color:#f97583;min-height:100vh;display:flex;flex-direction:column;align-items:center;justify-content:center">
+            <h2>⚠ Security Warning</h2>
+            <p>Fingerprint mismatch detected. Connection may be intercepted.</p>
+            <p>Do NOT enter sensitive information.</p>
+            <a href="/inbox.html" style="color:#4ec9b0;margin-top:16px">← Back to Sessions</a>
+          </div>`;
+      }
+
+      // --- End fingerprint verification ---
+
+      async function connect() {
+        clearTimeout(reconnectTimer);
+        setStatus("Connecting", "waiting");
+
+        // Setup E2E encryption before connecting
+        if (!aesKey && macPublicKeyB64) {
+          await setupEncryption();
+        }
+
+        const protocol = location.protocol === "https:" ? "wss:" : "ws:";
+        const url = `${protocol}//${location.host}/ws?role=mobile&sessionId=${encodeURIComponent(sessionId)}&sessionToken=${encodeURIComponent(sessionToken)}`;
+        socket = new WebSocket(url);
+
+        socket.addEventListener("open", () => {
+          sendEl.disabled = false;
+          fitAddon.fit();
+
+          // Send key_exchange if E2E is set up
+          if (aesKey && window._mobilePublicKeyB64) {
+            socket.send(JSON.stringify({
+              type: "key_exchange",
+              deviceId,
+              publicKey: window._mobilePublicKeyB64,
+            }));
+            setStatus("Handshake", "waiting");
+          } else {
+            // No E2E — immediately connected
+            setStatus("Connected", "connected");
+            encryptionReady = false;
+            sendResize();
+          }
+        });
+
+        socket.addEventListener("message", async (event) => {
+          const message = JSON.parse(event.data);
+
+          // Handle key_ack (Phase 1: confirms K_old works, wait for key_rotation)
+          if (message.type === "key_ack") {
+            try {
+              const plaintext = await decryptPayload(message);
+              const ack = JSON.parse(plaintext);
+              if (ack.type === "key_ack") {
+                setStatus("Rotating keys...", "waiting");
+                console.log("[mobile] key_ack received, awaiting key_rotation");
+              }
+            } catch (err) {
+              console.error("[mobile] key_ack decryption failed:", err);
+              setStatus("Crypto Error", "waiting");
+            }
+            return;
+          }
+
+          // Handle key_rotation (Phase 2: derive new key with mac ephemeral)
+          if (message.type === "key_rotation" && message.iv && message.ct && message.tag) {
+            try {
+              // Decrypt with K_old (current aesKey)
+              const plaintext = await decryptPayload(message);
+              const rotation = JSON.parse(plaintext);
+
+              if (rotation.type === "key_rotation" && rotation.publicKey && mobileKeyPair) {
+                // Import mac's ephemeral public key
+                const macEphBytes = Uint8Array.from(atob(rotation.publicKey), c => c.charCodeAt(0));
+                const macEphPub = await crypto.subtle.importKey(
+                  "spki", macEphBytes.buffer, "X25519", true, []
+                );
+
+                // Derive new shared secret: DH(macEphPub, mobilePriv)
+                const newSharedBits = await crypto.subtle.deriveBits(
+                  { name: "X25519", public: macEphPub },
+                  mobileKeyPair.privateKey,
+                  256
+                );
+
+                // Derive new AES key via HKDF
+                const hkdfKey = await crypto.subtle.importKey("raw", newSharedBits, "HKDF", false, ["deriveKey"]);
+                const newAesKey = await crypto.subtle.deriveKey(
+                  {
+                    name: "HKDF", hash: "SHA-256",
+                    salt: new TextEncoder().encode("sema-e2e"),
+                    info: new TextEncoder().encode("aes-256-key"),
+                  },
+                  hkdfKey,
+                  { name: "AES-GCM", length: 256 },
+                  false,
+                  ["encrypt", "decrypt"]
+                );
+
+                // Compute fingerprint from new shared secret
+                const fp = await computeFingerprint(newSharedBits);
+
+                // Switch to new key
+                aesKey = newAesKey;
+
+                // Send key_rot_ack encrypted with new key
+                const ackPayload = await encryptPayload(JSON.stringify({ type: "key_rot_ack" }));
+                socket.send(JSON.stringify({
+                  type: "key_rot_ack",
+                  sessionId,
+                  deviceId,
+                  ...ackPayload,
+                }));
+
+                // Show fingerprint — encryptionReady set by showFingerprint or confirmFingerprint
+                showFingerprint(fp);
+                console.log("[mobile] key rotation complete, fingerprint:", fp);
+              }
+            } catch (err) {
+              console.error("[mobile] key_rotation failed:", err);
+              setStatus("Crypto Error", "waiting");
+            }
+            return;
+          }
+
+          // Decrypt output if E2E is active
+          if (message.type === "output" && message.iv && message.ct && message.tag) {
+            try {
+              const plaintext = await decryptPayload(message);
+              const decrypted = JSON.parse(plaintext);
+              term.write(decrypted.data || "");
+            } catch (err) {
+              // Decryption failed (e.g., stale history with old key) — silently ignore
+              console.debug("[mobile] output decrypt failed (stale?):", err.message);
+            }
+            return;
+          }
+
+          // Plaintext output (no E2E or fallback)
+          if (message.type === "output") {
+            term.write(message.data || "");
+            return;
+          }
+
+          if (message.type === "status") {
+            // Don't override handshake status
+            if (!encryptionReady && aesKey) return;
+            setStatus(
+              message.macConnected ? "Connected" : "No Mac",
+              message.macConnected ? "connected" : "waiting",
+            );
+            return;
+          }
+
+          if (message.type === "error") {
+            term.write(`\r\n\x1b[31m[Error] ${message.message}\x1b[0m\r\n`);
+            if (message.message && (message.message.includes("expired") || message.message.includes("Invalid session token") || message.message.includes("Missing") || message.message.includes("not found"))) {
+              authFailed = true;
+              sessionStorage.removeItem("sessionToken");
+              removeStoredSession(sessionId);
+              setStatus("Session expired", "waiting");
+              setTimeout(() => { location.href = "/inbox.html"; }, 2000);
+            }
+            return;
+          }
+
+          // Decrypt smart_alert if E2E is active
+          if (message.type === "smart_alert" && message.iv && message.ct && message.tag) {
+            try {
+              const plaintext = await decryptPayload(message);
+              const decrypted = JSON.parse(plaintext);
+              showSmartAlert(decrypted);
+            } catch (err) {
+              console.error("[mobile] smart_alert decrypt failed:", err);
+            }
+            return;
+          }
+
+          // Plaintext smart_alert
+          if (message.type === "smart_alert") {
+            showSmartAlert(message);
+            return;
+          }
+
+          // Legacy alert — no longer shown (quality gate)
+          if (message.type === "alert") {
+            return;
+          }
+        });
+
+        socket.addEventListener("close", () => {
+          sendEl.disabled = true;
+          encryptionReady = false;
+          aesKey = null;  // Force re-setupEncryption on reconnect (fresh DH)
+          // mobileKeyPair preserved — reused for new DH exchange
+          // Hide fingerprint bar on disconnect
+          document.getElementById("fingerprint-bar").style.display = "none";
+          if (authFailed) return;
+          setStatus("Reconnecting", "waiting");
+          reconnectTimer = setTimeout(connect, 1000);
+        });
+
+        socket.addEventListener("error", () => {
+          socket.close();
+        });
+      }
+
+      formEl.addEventListener("submit", (event) => {
+        event.preventDefault();
+        const command = commandEl.value;
+        if (!command.trim() && command !== "") return;
+        sendToMac(command + "\r");
+        commandEl.value = "";
+        commandEl.focus();
+        hideSmartAlert();
+      });
+
+      connect();
+
+    </script>
+  </body>
+</html>