feat:handshake

[JarbasAl]

Summary by CodeRabbit

• New Features

  • Enhanced security and functionality for encrypted communication and session management in the application.
  • Added new methods for secure handshake operations and key generation.
  • Introduced message processing for session management and handshake completion.
  • Comprehensive updates to the documentation, including installation instructions and usage examples.

• Bug Fixes

  • Updated existing methods to utilize improved encryption logic.

• Documentation

  • Expanded the README to provide an overview of the HiveMind JS client and detailed usage instructions.

[coderabbitai]

Walkthrough

The pull request introduces a comprehensive documentation update for the HiveMind JavaScript client in the README.md file, detailing its purpose, key features, prerequisites, installation instructions, usage examples, API methods, and troubleshooting tips. Additionally, extensive modifications are made to the JarbasHiveMind class in static/js/hivemind.js, enhancing encryption, handshake processes, and message handling. New utility functions and methods are added, and existing methods are updated to improve session management and secure communication.

Changes

File	Change Summary
README.md	- Comprehensive documentation update including overview, features, prerequisites, installation, usage examples, API methods, and troubleshooting tips.
static/js/hivemind.js	- Added multiple utility methods for IV generation and handshake - Enhanced encryption and decryption logic - Updated connect method to accept a password - Introduced new methods for message handling and session management - Updated sendMessage and sendUtterance methods to reflect changes in the payload structure

Poem

🐰 In the land of code, where secrets reside,
A handshake of trust, with encryption as guide.
From messages sent, to keys that entwine,
HiveMind's new dance is simply divine!
With each little change, our spirits take flight,
A rabbit's delight in the code's soft light! 🔐

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

static/js/hivemind.js (2)

1-7: Initialize all object properties consistently.

Currently, the constructor sets several properties (password, sessionId, binarize, etc.). However, it would improve clarity and maintainability to define all commonly used properties within the constructor, even if initialized to null. This ensures future methods won't inadvertently reference undefined properties.

---

205-213: Add security measures to the connection logic.

While it’s convenient to pass credentials via a query parameter, consider robust alternatives (e.g., using secure web sockets (wss://) or a token-based authentication). This helps avoid accidentally logging or exposing sensitive info.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf89692 and ccb5982.

📒 Files selected for processing (2)

• README.md (2 hunks)
• static/js/hivemind.js (2 hunks)

🧰 Additional context used

🪛 Gitleaks (8.21.2)

README.md

27-27: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (1)

README.md (1)

24-27: Be cautious with embedding secrets in client code.

Line 27 exposes a static password. If this is for demonstration only, it’s fine. Otherwise, consider securely obtaining sensitive credentials (e.g., from a backend).

Static analysis flagged this line for a Generic API Key leak. If this is a real credential, rotate or revoke it. You can verify usage across the repository:

🧰 Tools

🪛 Gitleaks (8.21.2)

27-27: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

static/js/hivemind.js (1)

63-66: ⚠️ Potential issue

Fix undefined variable 'ivFromShake'.

The function uses an undefined variable ivFromShake which will cause a ReferenceError.

 async function receiveHandshake(envelope) {
     const iv = ivFromHSub(envelope);
-    return new Uint8Array(iv.map((byte, idx) => byte ^ ivFromShake[idx]));
+    if (!iv) {
+        throw new Error('Invalid envelope format');
+    }
+    // TODO: Define the source of ivFromShake or modify the logic
+    return iv;
 }

🧹 Nitpick comments (2)

static/js/hivemind.js (2)

177-178: Consider tracking the binarize TODO.

The comment indicates future work needed for binarize support.

Would you like me to create a GitHub issue to track the implementation of binarize support?

---

152-157: Add timeout mechanism for handshake process.

The handshake process should include a timeout to prevent hanging in case of network issues or failed handshakes.

 JarbasHiveMind.prototype.receive_handshake = async function(envelope) {
     console.log("Received password envelope");
-    let salt = await receiveHandshake(envelope);
-    this.encryptionKey = await getSecret(this.password, salt);
-    this.handshakeEvent = true;
+    try {
+        const timeoutPromise = new Promise((_, reject) => {
+            setTimeout(() => reject(new Error('Handshake timeout')), 5000);
+        });
+        const handshakePromise = async () => {
+            const salt = await receiveHandshake(envelope);
+            this.encryptionKey = await getSecret(this.password, salt);
+            this.handshakeEvent = true;
+        };
+        await Promise.race([handshakePromise(), timeoutPromise]);
+    } catch (error) {
+        console.error('Handshake failed:', error);
+        this.handshakeEvent = false;
+        throw error;
+    }
 };

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ccb5982 and 70335e1.

📒 Files selected for processing (1)

• static/js/hivemind.js (2 hunks)

🔇 Additional comments (1)

static/js/hivemind.js (1)

113-127: LGTM! Well-implemented encryption/decryption methods.

The implementation:

• Uses secure WebCrypto API for cryptographic operations
• Properly handles IV generation and management
• Correctly implements AES-GCM encryption/decryption

[coderabbitai]

⚠️ Potential issue

Replace Math.random() with crypto.getRandomValues() for secure IV generation.

The current implementation uses Math.random() which isn't cryptographically secure. For cryptographic operations, use crypto.getRandomValues().

 function generateIV(keyLength = 8) {
-    const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
-    let iv = '';
-    for (let i = 0; i < keyLength; i++) {
-        iv += validChars.charAt(Math.floor(Math.random() * validChars.length));
-    }
-    return new TextEncoder().encode(iv); // Return as Uint8Array
+    return crypto.getRandomValues(new Uint8Array(keyLength));
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function generateIV(keyLength = 8) {
	const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
	let iv = '';
	for (let i = 0; i < keyLength; i++) {
	iv += validChars.charAt(Math.floor(Math.random() * validChars.length));
	}
	return new TextEncoder().encode(iv); // Return as Uint8Array
	}
	function generateIV(keyLength = 8) {
	return crypto.getRandomValues(new Uint8Array(keyLength));
	}

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

static/js/hivemind.js (1)

11-18: ⚠️ Potential issue

Replace Math.random() with crypto.getRandomValues() for secure IV generation.

Using Math.random() for cryptographic operations is not secure.

🧹 Nitpick comments (4)

README.md (2)

106-114: Add error handling documentation for API methods.

The API documentation should include information about potential errors and how to handle them. This helps users implement proper error handling in their applications.

Add error scenarios and handling, for example:

 ### `connect(host, port, username, accessKey, password)`
 Establishes a WebSocket connection to the HiveMind server.
 
 - **Parameters**:
   - `host`: The IP address or hostname of the HiveMind server.
   - `port`: The port number on which the HiveMind server is listening.
   - `username`: Username for authentication.
   - `accessKey`: Access key for authentication.
   - `password`: Password for secure encryption.
+
+- **Errors**:
+  - `ConnectionError`: Thrown when the WebSocket connection fails
+  - `AuthenticationError`: Thrown when credentials are invalid
+  - `NetworkError`: Thrown when network is unreachable
+
+- **Example error handling**:
+```javascript
+try {
+    hivemind.connect(host, port, username, accessKey, password);
+} catch (error) {
+    console.error('Connection failed:', error);
+}
+```

🧰 Tools

🪛 LanguageTool

[uncategorized] ~111-~111: Loose punctuation mark.
Context: ...tname of the HiveMind server. - port: The port number on which the HiveMind s...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~112-~112: Loose punctuation mark.
Context: ...Mind server is listening. - username: Username for authentication. - `acces...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~113-~113: Loose punctuation mark.
Context: ...name for authentication. - accessKey: Access key for authentication. - `pas...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~114-~114: Loose punctuation mark.
Context: ...s key for authentication. - password: Password for secure encryption. ### `s...

(UNLIKELY_OPENING_PUNCTUATION)

---

137-140: Enhance troubleshooting documentation.

The troubleshooting section could be more comprehensive to help users diagnose and resolve common issues.

Add more scenarios and solutions:

 ## Troubleshooting
 
 - **Connection Issues**: Ensure the HiveMind server is running and accessible at the provided IP address and port.
 - **Encryption Errors**: Check that the correct password and encryption keys are being used.
+- **Authentication Failures**: Verify that the username and access key are valid and properly encoded.
+- **Message Sending Failures**: Check WebSocket connection state and message format.
+- **Handshake Issues**: Ensure the handshake process completes before sending encrypted messages.
+- **Browser Compatibility**: Verify WebCrypto API support in your browser.
+
+### Common Error Messages
+- `WebSocket connection failed`: Check network connectivity and server status
+- `Encryption failed`: Verify encryption key derivation and message format
+- `Invalid handshake envelope`: Ensure proper password and handshake sequence

static/js/hivemind.js (2)

198-198: Track binarize support implementation.

The TODO comment indicates planned support for binarize in a future PR.

Would you like me to create a GitHub issue to track the implementation of binarize support?

---

205-233: Improve error handling specificity in onHiveMessage.

The current error handling uses generic error logging. Consider categorizing errors and providing more specific error messages.

 JarbasHiveMind.prototype.onHiveMessage = async function(message) {
     try {
-        message = JSON.parse(message.data);
+        try {
+            message = JSON.parse(message.data);
+        } catch (error) {
+            throw new Error(`Invalid message format: ${error.message}`);
+        }
         if (this.encryptionKey && message.ciphertext) {
-            const decrypted = await this.decrypt_msg(message.ciphertext, message.nonce);
-            message = JSON.parse(decrypted);
+            try {
+                const decrypted = await this.decrypt_msg(message.ciphertext, message.nonce);
+                if (!decrypted) throw new Error('Decryption failed');
+                message = JSON.parse(decrypted);
+            } catch (error) {
+                throw new Error(`Message decryption failed: ${error.message}`);
+            }
         }
         // ... rest of the function
     } catch (err) {
-        console.error('Error processing HiveMind message:', err);
+        console.error(`Error processing HiveMind message: ${err.message}`);
+        this.onError?.(err); // Optional error callback for client handling
     }
 };

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70335e1 and ff75617.

📒 Files selected for processing (2)

• README.md (1 hunks)
• static/js/hivemind.js (2 hunks)

🧰 Additional context used

🪛 LanguageTool

README.md

[uncategorized] ~98-~98: Loose punctuation mark.
Context: ... your application. - onMycroftSpeak: This event is triggered when HiveMind s...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~99-~99: Loose punctuation mark.
Context: ...d in your app. - onHiveDisconnected: This event is triggered when the connec...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~111-~111: Loose punctuation mark.
Context: ...tname of the HiveMind server. - port: The port number on which the HiveMind s...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~112-~112: Loose punctuation mark.
Context: ...Mind server is listening. - username: Username for authentication. - `acces...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~113-~113: Loose punctuation mark.
Context: ...name for authentication. - accessKey: Access key for authentication. - `pas...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~114-~114: Loose punctuation mark.
Context: ...s key for authentication. - password: Password for secure encryption. ### `s...

(UNLIKELY_OPENING_PUNCTUATION)

---

[style] ~134-~134: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...HiveMind is lost. ### onMycroftSpeak Callback function triggered when HiveMind sends ...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~143-~143: The phrase ‘feel free to’ is used quite frequently. Consider using a less frequent alternative to set your writing apart from others and make it sound more professional.
Context: ... keys are being used. ## Contributing Feel free to fork this repository and submit pull re...

(FEEL_FREE_TO_STYLE_ME)

🪛 Gitleaks (8.21.2)

README.md

55-55: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (1)

static/js/hivemind.js (1)

255-263: 🛠️ Refactor suggestion

Add connection state validation and error handling in sendMessage.

The method should verify WebSocket connection state and handle potential errors.

 JarbasHiveMind.prototype.sendMessage = async function(message) {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+        throw new Error('WebSocket is not connected');
+    }
     if (this.encryptionKey) {
-        message = await this.encrypt_msg(JSON.stringify(message));
+        try {
+            message = await this.encrypt_msg(JSON.stringify(message));
+            if (!message) throw new Error('Encryption failed');
+        } catch (error) {
+            console.error('Message encryption failed:', error);
+            throw error;
+        }
     }
-    // TODO - inject sessionId in context
-    this.ws.send(JSON.stringify(message));
+    try {
+        this.ws.send(JSON.stringify(message));
+    } catch (error) {
+        console.error('Failed to send message:', error);
+        throw error;
+    }
 };

Likely invalid or redundant comment.

[coderabbitai]

🛠️ Refactor suggestion

Enhance error handling in getSecret function.

The function should validate input parameters more thoroughly and provide specific error messages.

 async function getSecret(password, salt) {
-    if (!password || !salt) return null;  // Check if password and salt are provided
+    if (!password || typeof password !== 'string') {
+        throw new Error('Password must be a non-empty string');
+    }
+    if (!salt || !(salt instanceof Uint8Array)) {
+        throw new Error('Salt must be a Uint8Array');
+    }
     try {
         const keyMaterial = await crypto.subtle.importKey(
             'raw',

Committable suggestion skipped: line range outside the PR's diff.