Skip to content

feat: v2 relay session handoff — replace cloudflared tunnel with Durable Object relay + 6-digit code#63

Open
JamesLawton wants to merge 14 commits intomainfrom
feat/v2-relay-session
Open

feat: v2 relay session handoff — replace cloudflared tunnel with Durable Object relay + 6-digit code#63
JamesLawton wants to merge 14 commits intomainfrom
feat/v2-relay-session

Conversation

@JamesLawton
Copy link
Copy Markdown
Collaborator

@JamesLawton JamesLawton commented Mar 27, 2026

Summary

  • Adds packages/shared — new @polygonlabs/agent-shared workspace package with pure-JS X25519 ECDH + HKDF-SHA256 + XChaCha20-Poly1305 crypto protocol (works in both Node.js 20+ and Cloudflare Workers)
  • Replaces cloudflared tunnel + local HTTP server in the CLI with a Cloudflare Durable Object relay: the browser encrypts the session with the CLI's public key and posts it to the relay; the CLI retrieves it after the user enters a 6-digit out-of-band code
  • Updates connector-ui SPA: fetches CLI public key from relay, encrypts session, posts ciphertext, displays 6-digit code on new CodeDisplay screen; adds SessionRelay Durable Object + /api/relay/* route handlers to the Worker

Test Plan

  • packages/shared crypto round-trip tests pass (4/4)
  • pnpm typecheck clean across all packages
  • pnpm build (connector-ui) produces clean dist/
  • Wrangler local dev smoke test: relay API /request, /status, /session, /retrieve all return correct responses and state transitions
  • Deploy to staging with npx wrangler deploy --env staging and verify end-to-end flow with a real wallet

@JamesLawton
docs: add v2 relay session implementation plan
71d11e8
@JamesLawton
feat(shared): add v2 crypto protocol package (X25519+HKDF+XChaCha20)
a5c23b3
@JamesLawton
fix(shared): correct import path in plan, suppress vitest warning, ad…
84d5673 
…d requestId guard
@JamesLawton
feat(connector-ui): add Durable Object relay API + upgrade worker rou…
77a093c 
…ting
@JamesLawton
fix(connector-ui): relay init error check, rid validation, re-init gu…
509b34f 
…ard, payload size limit
@JamesLawton
feat(connector-ui): v2 session flow — relay encryption + 6-digit code…
b4ac674 
… display
@JamesLawton
fix(connector-ui): add @cloudflare/workers-types for relay DO type re…
5e9a070 
…solution
@JamesLawton
fix(connector-ui): preserve implicit session metadata, remove tweetna…
ca4c4aa 
…cl, add rid validation
@JamesLawton
feat(cli): replace cloudflared tunnel with relay + 6-digit code handoff
8dba6fb 
Removes cloudflared/HTTP server machinery from wallet create and replaces
it with X25519 key exchange through the connector-ui relay API. The new
flow registers a CLI public key with the relay, polls for browser approval,
then prompts for a 6-digit out-of-band code to decrypt the session payload.
Adds RelayClient, RelayCodeError, and sessionPayloadToWalletSession helpers;
updates wallet import to support both relay-code and legacy ciphertext modes.
@JamesLawton
fix(cli): wire --timeout to waitForReady, document ephemeral key storage
3c08268
@JamesLawton
fix: address code review issues — persist cliSk, raise payload limit,…
f38d2f2 
… validate inputs, cleanup
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 27, 2026
View reviewed changes
packages/connector-ui/src/App.tsx
Comment on lines +455 to +459
const relayRes = await fetch(`/api/relay/session/${rid}`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(encrypted)
});

Check warning

Code scanning / CodeQL

Client-side request forgery Medium

The
URL
Loading
of this request depends on a
user-provided value
Loading
.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JamesLawton