antimatter-gateway 0.1.0__tar.gz

antimatter_gateway-0.1.0/PKG-INFO

@@ -0,0 +1,8 @@
+Metadata-Version: 2.4
+Name: antimatter-gateway
+Version: 0.1.0
+Requires-Dist: websockets>=12.0
+Requires-Dist: qrcode>=7.4.2
+Requires-Dist: antimatter-shared-config
+Requires-Dist: antimatter-shared-crypto
+Requires-Dist: antimatter-shared-protocol

antimatter_gateway-0.1.0/pyproject.toml

@@ -0,0 +1,19 @@
+[project]
+name = "antimatter-gateway"
+version = "0.1.0"
+dependencies = [
+    "websockets>=12.0",
+    "qrcode>=7.4.2",
+    "antimatter-shared-config",
+    "antimatter-shared-crypto",
+    "antimatter-shared-protocol"
+]
+
+[tool.uv.sources]
+antimatter-shared-config = { path = "../shared-config" }
+antimatter-shared-crypto = { path = "../shared-crypto" }
+antimatter-shared-protocol = { path = "../shared-protocol" }
+
+[project.scripts]
+antimatter = "antimatter_gateway.server:main"
+antimatter-pair = "antimatter_gateway.qr:main"

antimatter_gateway-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

antimatter_gateway-0.1.0/src/antimatter_gateway/qr.py

@@ -0,0 +1,71 @@
+import urllib.parse
+import qrcode
+import logging
+
+logger = logging.getLogger(__name__)
+
+def generate_qr_payload(
+    cloudflare_url: str | None,
+    pairing_token: str,
+    gateway_x25519_pub: str,
+    client_id: str | None = None
+) -> str:
+    """
+    Generates the canonical Deep Link payload for Android pairing.
+    Includes the X25519 public key for the E2EE ECDH handshake.
+    """
+    # For now, default to local dev if cloudflare is off
+    base_url = "https://antimatter.saifmukhtar.dev/connect"
+    
+    params = {
+        "url": cloudflare_url or "ws://127.0.0.1:8765",
+        "token": pairing_token,
+        "x25519_pub": gateway_x25519_pub
+    }
+    
+    if client_id:
+        params["cid"] = client_id
+        
+    query = urllib.parse.urlencode(params)
+    return f"{base_url}?{query}"
+
+def print_qr_to_terminal(payload: str) -> None:
+    qr = qrcode.QRCode(error_correction=qrcode.constants.ERROR_CORRECT_L, box_size=10, border=4)
+    qr.add_data(payload)
+    
+    try:
+        qr.print_ascii(invert=True)
+    except Exception:
+        logger.warning("Failed to print ASCII QR. Terminal might not support it.")
+
+def main():
+    from antimatter_shared_config.config import load_config
+    config = load_config()
+    if not config.gateway_priv_x25519 or not config.pairing_token:
+        print("Error: Gateway not initialized. Please run 'antimatter-gateway' first.")
+        return
+        
+    # We construct the public key from the private key if needed, or simply assume it's in config
+    # Actually, E2EESession handles derivation.
+    from antimatter_crypto.e2ee import E2EESession
+    e2ee = E2EESession(role="gateway", private_key_b64=config.gateway_priv_x25519)
+    
+    payload = generate_qr_payload(
+        cloudflare_url=config.cloudflare_url,
+        pairing_token=config.pairing_token,
+        gateway_x25519_pub=e2ee.public_key_b64,
+        client_id=config.cloudflare_client_id
+    )
+    
+    print("\n" + "="*50)
+    print("ANTIMATTER E2EE GATEWAY SECURE PAIRING")
+    print("="*50)
+    if config.cloudflare_url:
+        print(f"\nTunnel: {config.cloudflare_url}")
+    
+    print("\nScan this QR Code with the Antimatter App:\n")
+    print_qr_to_terminal(payload)
+    print("="*50)
+
+if __name__ == "__main__":
+    main()

antimatter_gateway-0.1.0/src/antimatter_gateway/router.py

@@ -0,0 +1,76 @@
+import asyncio
+import json
+import logging
+from antimatter_crypto.e2ee import E2EESession
+
+logger = logging.getLogger(__name__)
+
+class MessageRouter:
+    def __init__(self, gateway=None):
+        self.gateway = gateway
+        self.clients = set()
+        self.adapters = {} # id -> {"name": str, "ws": websocket}
+
+    def add_client(self, websocket):
+        self.clients.add(websocket)
+        # When a client connects, instantly send them the list of agents
+        asyncio.create_task(self.broadcast_system_state())
+
+    def remove_client(self, websocket):
+        self.clients.discard(websocket)
+
+    async def register_adapter(self, agent_id: str, agent_name: str, websocket):
+        self.adapters[agent_id] = {"name": agent_name, "ws": websocket}
+        await self.broadcast_system_state()
+
+    async def unregister_adapter(self, agent_id: str):
+        if agent_id in self.adapters:
+            del self.adapters[agent_id]
+            await self.broadcast_system_state()
+
+    async def broadcast_system_state(self):
+        # Implementation to send AVAILABLE_AGENTS to clients
+        if not self.clients or not self.gateway:
+            return
+            
+        agents = [
+            {"id": aid, "name": info["name"], "status": "online"}
+            for aid, info in self.adapters.items()
+        ]
+        payload = {"type": "AVAILABLE_AGENTS", "agents": agents}
+        
+        await self.broadcast_to_clients(payload, self.gateway.e2ee)
+
+    async def route_to_adapter(self, parsed_cmd: dict, e2ee: E2EESession, websocket):
+        """
+        Receives decrypted command from client, routes to local adapter.
+        """
+        agent_id = parsed_cmd.get("agentId")
+        if not agent_id:
+            logger.warning(f"No agentId specified in command: {parsed_cmd.get('type')}")
+            return
+            
+        adapter = self.adapters.get(agent_id)
+        if not adapter:
+            logger.warning(f"Target agent {agent_id} is offline. Dropping command.")
+            return
+            
+        try:
+            await adapter["ws"].send(json.dumps(parsed_cmd))
+        except Exception as e:
+            logger.error(f"Failed to route to adapter {agent_id}: {e}")
+
+    async def broadcast_to_clients(self, payload: dict, e2ee: E2EESession):
+        """
+        Takes raw JSON payload from an adapter, encrypts it with the 
+        server-to-client key, and sends it to all Android apps.
+        """
+        plaintext = json.dumps(payload)
+        envelope = e2ee.encrypt(plaintext, direction="output")
+        payload_str = json.dumps(envelope)
+        
+        for client in list(self.clients):
+            try:
+                await client.send(payload_str)
+            except Exception:
+                self.clients.discard(client)

antimatter_gateway-0.1.0/src/antimatter_gateway/server.py

@@ -0,0 +1,224 @@
+import asyncio
+import json
+import logging
+import time
+import websockets
+from websockets.exceptions import ConnectionClosed
+
+from antimatter_shared_config.config import load_config, save_config, AntimatterConfig
+from antimatter_crypto.auth import Ed25519Auth
+from antimatter_crypto.e2ee import E2EESession
+from .qr import generate_qr_payload, print_qr_to_terminal
+from .tunnel import CloudflaredManager
+from .router import MessageRouter
+
+logger = logging.getLogger(__name__)
+
+# Rate Limiting
+_ip_failure_counts: dict[str, dict] = {}
+RATE_LIMIT_MAX_FAILURES = 5
+RATE_LIMIT_WINDOW = 60
+
+def _record_failure(ip: str):
+    now = time.monotonic()
+    data = _ip_failure_counts.get(ip, {"count": 0, "reset_at": 0.0})
+    if now >= data["reset_at"]:
+        data = {"count": 0, "reset_at": now + RATE_LIMIT_WINDOW}
+    data["count"] += 1
+    _ip_failure_counts[ip] = data
+
+class GatewayServer:
+    def __init__(self):
+        self.config = load_config()
+        self.auth = Ed25519Auth(self.config.private_key_pem)
+        self.router = MessageRouter(gateway=self)
+        
+        # Initialize E2EE Gateway Session
+        self.e2ee = E2EESession(role="gateway", private_key_b64=self.config.gateway_priv_x25519)
+        
+        # Persist keys if newly generated
+        needs_save = False
+        if not self.config.private_key_pem:
+            self.config.private_key_pem = self.auth.private_key_base64
+            self.config.pairing_token = self.auth.pairing_token
+            needs_save = True
+        
+        if not self.config.gateway_priv_x25519:
+            self.config.gateway_priv_x25519 = self.e2ee.private_key_b64
+            needs_save = True
+            
+        if needs_save:
+            save_config(self.config)
+
+    async def handler(self, websocket):
+        ip = getattr(websocket, "remote_address", ("unknown",))[0]
+        now = time.monotonic()
+        
+        # 1. Rate Limiting Check
+        rate_data = _ip_failure_counts.get(ip)
+        if rate_data and rate_data["count"] >= RATE_LIMIT_MAX_FAILURES and now < rate_data["reset_at"]:
+            logger.warning(f"Rate limited connection rejected: {ip}")
+            await websocket.close(1008, "Rate Limited")
+            return
+
+        # 2. Origin Validation
+        # In a real setup, we check req.headers.origin against cloudflareaccess.com
+        # For simplicity in python websockets, we handle it natively or trust localhost.
+
+        authenticated = False
+        e2ee_established = False
+
+        try:
+            async for message in websocket:
+                try:
+                    data = json.loads(message)
+                except Exception:
+                    continue
+                
+                msg_type = data.get("type")
+
+                msg_type = data.get("type")
+
+                # Adapter Registration (Local IPC)
+                if msg_type == "REGISTER_ADAPTER":
+                    agent_id = data.get("id")
+                    agent_name = data.get("name")
+                    if agent_id and agent_name:
+                        logger.info(f"Adapter registered: {agent_name} ({agent_id})")
+                        await self.router.register_adapter(agent_id, agent_name, websocket)
+                        # We break out of the auth loop into a dedicated adapter loop
+                        await self._adapter_loop(websocket, agent_id)
+                        return
+                    else:
+                        await websocket.close(1008, "Missing adapter id/name")
+                        return
+
+                # State 1: Legacy Ed25519 Auth Challenge (Client)
+                if msg_type == "AUTH_CHALLENGE":
+                    challenge = data.get("challenge")
+                    if not challenge:
+                        await websocket.close(1008, "Missing challenge")
+                        return
+                    
+                    sig = self.auth.sign_challenge(challenge)
+                    await websocket.send(json.dumps({"type": "AUTH_RESPONSE", "signature": sig}))
+                    authenticated = True
+                    logger.info(f"Client {ip} authenticated successfully.")
+                    
+                    # Add client to router once authenticated
+                    self.router.add_client(websocket)
+                    continue
+                
+                if not authenticated:
+                    _record_failure(ip)
+                    await websocket.close(1008, "Unauthorized")
+                    return
+
+                # State 2: E2EE Handshake
+                if msg_type == "HELLO":
+                    client_pubkey = data.get("pubkey")
+                    if not client_pubkey:
+                        await websocket.close(1008, "Missing X25519 pubkey")
+                        return
+                    
+                    self.e2ee.derive_session_keys(client_pubkey)
+                    e2ee_established = True
+                    logger.info("E2EE Session established (ECDH + HKDF).")
+                    
+                    # Notify adapters
+                    await self.router.broadcast_system_state()
+                    continue
+                
+                if not e2ee_established:
+                    await websocket.send(json.dumps({"type": "ERROR", "message": "E2EE Handshake required."}))
+                    continue
+
+                # State 3: E2EE Encrypted Payload Routing
+                if "iv" in data and "ct" in data and "aad" in data:
+                    try:
+                        # Decrypt client->server command
+                        plaintext = self.e2ee.decrypt(data, expected_direction="cmd:")
+                        parsed_cmd = json.loads(plaintext)
+                        
+                        # Route to local adapter via IPC
+                        await self.router.route_to_adapter(parsed_cmd, self.e2ee, websocket)
+                    except ValueError as e:
+                        logger.error(f"E2EE Decryption/AAD failed: {e}")
+                        await websocket.close(1008, "Encryption Error")
+                        return
+                else:
+                    logger.warning("Unencrypted message received post-handshake. Dropping.")
+
+        except ConnectionClosed:
+            logger.info(f"Connection closed: {ip}")
+        finally:
+            self.router.remove_client(websocket)
+
+    async def _adapter_loop(self, websocket, agent_id: str):
+        """
+        Dedicated loop for listening to incoming messages from a local adapter.
+        When an adapter sends a message, it needs to be broadcast or routed to clients.
+        """
+        try:
+            async for message in websocket:
+                try:
+                    data = json.loads(message)
+                except Exception:
+                    continue
+                
+                # Currently we only have one e2ee session and one client.
+                # If we have multiple clients, we need to map adapter messages to clients.
+                # For now, we broadcast to all connected, authenticated clients.
+                await self.router.broadcast_to_clients(data, self.e2ee)
+                
+        except ConnectionClosed:
+            logger.info(f"Adapter connection closed: {agent_id}")
+        finally:
+            await self.router.unregister_adapter(agent_id)
+
+    async def start(self):
+        logger.info("Starting Gateway WebSocket server on ws://127.0.0.1:8765")
+        
+        # Start Tunnel if configured
+        tunnel_url = self.config.cloudflare_url
+        self.cf_manager = None
+        
+        if not tunnel_url:
+            logger.info("Starting Cloudflare Quick Tunnel...")
+            self.cf_manager = CloudflaredManager(8765)
+            if await self.cf_manager.start():
+                try:
+                    await asyncio.wait_for(self.cf_manager.ready_event.wait(), timeout=15.0)
+                    tunnel_url = self.cf_manager.url
+                except asyncio.TimeoutError:
+                    logger.warning("Quick tunnel timeout.")
+        
+        payload = generate_qr_payload(
+            cloudflare_url=tunnel_url,
+            pairing_token=self.auth.pairing_token,
+            gateway_x25519_pub=self.e2ee.public_key_b64,
+            client_id=self.config.cloudflare_client_id
+        )
+        
+        print("\n" + "="*50)
+        print("ANTIMATTER E2EE GATEWAY SECURE PAIRING")
+        print("="*50)
+        if tunnel_url:
+            print(f"\nTunnel: {tunnel_url}")
+        
+        print("\nScan this QR Code with the Antimatter App:\n")
+        print_qr_to_terminal(payload)
+        print("="*50)
+
+        async with websockets.serve(self.handler, "127.0.0.1", 8765):
+            await asyncio.Future()
+
+async def main_async():
+    server = GatewayServer()
+    await server.start()
+
+def main():
+    asyncio.run(main_async())
+
+if __name__ == "__main__":
+    main()

antimatter_gateway-0.1.0/src/antimatter_gateway/tunnel.py

@@ -0,0 +1,52 @@
+import asyncio
+import re
+import logging
+
+logger = logging.getLogger(__name__)
+
+class CloudflaredManager:
+    def __init__(self, port: int):
+        self.port = port
+        self.process = None
+        self.url = None
+        self.ready_event = asyncio.Event()
+
+    async def start(self):
+        try:
+            self.process = await asyncio.create_subprocess_exec(
+                "cloudflared", "tunnel", "--url", f"http://127.0.0.1:{self.port}",
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE
+            )
+            
+            # Cloudflared prints to stderr
+            asyncio.create_task(self._read_stderr())
+        except FileNotFoundError:
+            logger.error("cloudflared CLI not found. Please install it to use Quick Tunnels.")
+            return False
+        return True
+
+    async def _read_stderr(self):
+        url_pattern = re.compile(r"https://[a-zA-Z0-9-]+\.trycloudflare\.com")
+        while True:
+            line = await self.process.stderr.readline()
+            if not line:
+                break
+            line_str = line.decode('utf-8').strip()
+            
+            logger.info(f"[Cloudflared] {line_str}")
+
+            if not self.url:
+                match = url_pattern.search(line_str)
+                if match:
+                    # Convert https to wss
+                    self.url = match.group(0).replace("https://", "wss://")
+                    self.ready_event.set()
+
+    async def stop(self):
+        if self.process:
+            self.process.terminate()
+            try:
+                await asyncio.wait_for(self.process.wait(), timeout=5.0)
+            except asyncio.TimeoutError:
+                self.process.kill()

antimatter_gateway-0.1.0/src/antimatter_gateway.egg-info/PKG-INFO

@@ -0,0 +1,8 @@
+Metadata-Version: 2.4
+Name: antimatter-gateway
+Version: 0.1.0
+Requires-Dist: websockets>=12.0
+Requires-Dist: qrcode>=7.4.2
+Requires-Dist: antimatter-shared-config
+Requires-Dist: antimatter-shared-crypto
+Requires-Dist: antimatter-shared-protocol

antimatter_gateway-0.1.0/src/antimatter_gateway.egg-info/SOURCES.txt

@@ -0,0 +1,11 @@
+pyproject.toml
+src/antimatter_gateway/qr.py
+src/antimatter_gateway/router.py
+src/antimatter_gateway/server.py
+src/antimatter_gateway/tunnel.py
+src/antimatter_gateway.egg-info/PKG-INFO
+src/antimatter_gateway.egg-info/SOURCES.txt
+src/antimatter_gateway.egg-info/dependency_links.txt
+src/antimatter_gateway.egg-info/entry_points.txt
+src/antimatter_gateway.egg-info/requires.txt
+src/antimatter_gateway.egg-info/top_level.txt

antimatter_gateway-0.1.0/src/antimatter_gateway.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

antimatter_gateway-0.1.0/src/antimatter_gateway.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+antimatter = antimatter_gateway.server:main
+antimatter-pair = antimatter_gateway.qr:main

antimatter_gateway-0.1.0/src/antimatter_gateway.egg-info/requires.txt

@@ -0,0 +1,5 @@
+websockets>=12.0
+qrcode>=7.4.2
+antimatter-shared-config
+antimatter-shared-crypto
+antimatter-shared-protocol

antimatter_gateway-0.1.0/src/antimatter_gateway.egg-info/top_level.txt

@@ -0,0 +1 @@
+antimatter_gateway