Codex: resume via MCP and improve local/remote switching

src/api/api.ts

@@ -39,14 +39,15 @@ export class ApiClient {
     let encryptionVariant: 'legacy' | 'dataKey';
     if (this.credential.encryption.type === 'dataKey') {
 
-      // Generate new encryption key
-      encryptionKey = getRandomBytes(32);
+      // Use a stable per-machine key so resuming an existing session tag can decrypt
+      // previously-encrypted metadata and agent state.
+      encryptionKey = this.credential.encryption.machineKey;
       encryptionVariant = 'dataKey';
 
       // Derive and encrypt data encryption key
       // const contentDataKey = await deriveKey(this.secret, 'Happy EnCoder', ['content']);
       // const publicKey = libsodiumPublicKeyFromSecretKey(contentDataKey);
-      let encryptedDataKey = libsodiumEncryptForPublicKey(encryptionKey, this.credential.encryption.publicKey);
+      let encryptedDataKey = libsodiumEncryptForPublicKey(this.credential.encryption.machineKey, this.credential.encryption.publicKey);
       dataEncryptionKey = new Uint8Array(encryptedDataKey.length + 1);
       dataEncryptionKey.set([0], 0); // Version byte
       dataEncryptionKey.set(encryptedDataKey, 1); // Data key

src/api/apiSession.ts

@@ -72,7 +72,16 @@ export class ApiSessionClient extends EventEmitter {
             encryptionVariant: this.encryptionVariant,
             logger: (msg, data) => logger.debug(msg, data)
         });
-        registerCommonHandlers(this.rpcHandlerManager, this.metadata.path);
+
+        // Some legacy/invalid sessions may fail to decrypt metadata (null). Avoid crashing the CLI;
+        // the session can still function for remote messaging and will receive metadata updates later.
+        if (this.metadata?.path) {
+            registerCommonHandlers(this.rpcHandlerManager, this.metadata.path);
+        } else {
+            logger.debug('[API] Session metadata unavailable; skipping common handler registration', {
+                sessionId: this.sessionId,
+            });
+        }
 
         //
         // Create socket

src/api/rpc/RpcHandlerManager.ts

@@ -56,7 +56,21 @@ export class RpcHandlerManager {
         request: RpcRequest,
     ): Promise<any> {
         try {
-            const handler = this.handlers.get(request.method);
+            let handler = this.handlers.get(request.method);
+
+            // Compatibility: some clients may send unscoped methods (e.g. "permission")
+            // instead of the usual scoped `${scopePrefix}:${method}` form.
+            if (!handler && !request.method.includes(':')) {
+                const prefixedMethod = this.getPrefixedMethod(request.method);
+                handler = this.handlers.get(prefixedMethod);
+                if (handler) {
+                    this.logger('[RPC] Matched unscoped method to scoped handler', {
+                        method: request.method,
+                        prefixedMethod,
+                    });
+                    request = { ...request, method: prefixedMethod };
+                }
+            }
 
             if (!handler) {
                 this.logger('[RPC] [ERROR] Method not found', { method: request.method });
@@ -135,4 +149,4 @@ export class RpcHandlerManager {
  */
 export function createRpcHandlerManager(config: RpcHandlerConfig): RpcHandlerManager {
     return new RpcHandlerManager(config);
-}
+}

src/api/rpc/__tests__/RpcHandlerManager.test.ts

@@ -0,0 +1,51 @@
+import { describe, it, expect } from 'vitest';
+import { RpcHandlerManager } from '../RpcHandlerManager';
+import { decodeBase64, decrypt, encodeBase64, encrypt } from '@/api/encryption';
+
+describe('RpcHandlerManager', () => {
+  it('routes unscoped method names to scoped handlers', async () => {
+    const key = new Uint8Array(32).fill(7);
+    const encryptionVariant: 'legacy' = 'legacy';
+
+    const manager = new RpcHandlerManager({
+      scopePrefix: 'sid123',
+      encryptionKey: key,
+      encryptionVariant,
+      logger: () => {},
+    });
+
+    let seen: unknown = null;
+    manager.registerHandler('permission', async (params) => {
+      seen = params;
+      return { ok: true };
+    });
+
+    const encryptedParams = encodeBase64(encrypt(key, encryptionVariant, { id: 'p1', approved: true }));
+    const response = await manager.handleRequest({ method: 'permission', params: encryptedParams });
+    const decrypted = decrypt(key, encryptionVariant, decodeBase64(response));
+
+    expect(seen).toEqual({ id: 'p1', approved: true });
+    expect(decrypted).toEqual({ ok: true });
+  });
+
+  it('accepts already-scoped method names', async () => {
+    const key = new Uint8Array(32).fill(9);
+    const encryptionVariant: 'legacy' = 'legacy';
+
+    const manager = new RpcHandlerManager({
+      scopePrefix: 'sid123',
+      encryptionKey: key,
+      encryptionVariant,
+      logger: () => {},
+    });
+
+    manager.registerHandler('permission', async () => ({ ok: true }));
+
+    const encryptedParams = encodeBase64(encrypt(key, encryptionVariant, { id: 'p1', approved: true }));
+    const response = await manager.handleRequest({ method: 'sid123:permission', params: encryptedParams });
+    const decrypted = decrypt(key, encryptionVariant, decodeBase64(response));
+
+    expect(decrypted).toEqual({ ok: true });
+  });
+});
+