fix(crypto): stable keyfile-based config encryption (closes #15)

[askalf]

Closes #15.

TL;DR

The pre-3.3 config encryption key was a SHA-256 hash that included every currently-up non-loopback MAC address. Docker/VPN/Wi-Fi churn → MAC list changed between agent process lifetimes → derived key changed → AES-GCM auth tag failed → loadConfig's catch-all returned the encrypted ciphertext as the Bearer token → AUTH_FAILED on every systemctl restart, every reboot, every config change, with no recoverable diagnostic.

Fix: switch to a randomly-generated 32-byte keyfile at ~/.askalf/keyfile (chmod 600) — stable across every restart. Plus a one-shot legacy-key migration on upgrade for hosts where the old key still happens to work, and a clear re-pair error for hosts where it doesn't.

Root cause walkthrough

src/crypto.ts:deriveMachineKey() ran on every agent start:

const macs = Object.values(networkInterfaces()).flat()
  .filter(i => !!i && !i.internal && i.mac !== '00:00:00:00:00:00')
  .map(i => i.mac).sort();
const machineId = [hostname(), user, arch, platform, macs.join(',')].join(':');
return scryptSync(sha256(machineId), 'askalf-agent-v2', 32);

i.internal only excludes loopback. docker0, veth*, br-*, tun0, wg0 all sail through the filter. The MAC list reorders/shrinks/grows on:

• Docker container start/stop (every askalf-fleet device runs Docker — Hetzner CX33 has the 8-service compose stack; alf-prod-docker also runs containers)
• ProtonVPN/gluetun reconnecting (memory: searxng routes through ProtonVPN)
• Wi-Fi reconnecting with MAC-randomization (Win 10/11 default)

And the silent-corruption mechanism — src/cli.ts:loadConfig pre-fix:

try {
  return decryptConfig(raw);
} catch {
  // Backwards compatibility: old plaintext config files
  return raw;            // ← returns the encrypted ciphertext unchanged
}

Whether the catch saw "this file was never encrypted in the first place" or "this file was encrypted with a different key" was indistinguishable, so the agent happily kept booting and sending the still-encrypted base64 blob as Authorization: Bearer <blob> until the bridge slammed the WS shut.

Fix design (issue's "A + C together")

A — stable on-disk keyfile (src/crypto.ts)

• New getStableKey() reads or creates ~/.askalf/keyfile: 32 random bytes, chmod 600, O_EXCL write to be race-safe against parallel installs.
• Old deriveMachineKey() renamed to deriveLegacyMachineKey(), exported, used only for one-shot migration. Comment in the file explains why it can never be the primary key again.
• encrypt / decrypt default-key changed; old optional key?: Buffer parameter preserved for migration callers.

C — loadConfig distinguishes wrong-key vs legacy-plaintext (src/cli.ts)

if (!raw['_encrypted']) return raw as AgentConfig;          // legacy plaintext

try {
  return decryptConfig(raw);                                  // stable v3.3+ key
} catch {
  try {
    const migrated = decryptConfig(raw, deriveLegacyMachineKey());
    saveConfig(migrated);                                     // transparent migration
    return migrated;
  } catch {
    throw new Error('Could not decrypt ... re-pair: link to #15');
  }
}

Migration story

Pre-3.3 install state	First load under 3.3	Outcome
Plaintext (_encrypted: false)	Returned as-is, encrypted with stable key on next save	Healed
Encrypted, network state stable since write	Legacy key decrypts, re-saved under stable key	Healed transparently, logs migration line
Encrypted, network state churned	Both keys fail	Re-pair error with #15 link (instead of silent AUTH_FAILED)

No data loss in any case — the recovery recipe in #15 is one INSERT + one file write, ~30 seconds.

Smoke tests (run locally before push)

PASS round-trip via stable keyfile
PASS keyfile created at ~/.askalf/keyfile (32 bytes)
PASS wrong-key decrypt throws (instead of returning garbage)

After merge

1. Cut release v3.3.0 — publish.yml fires on release: published and will ship to npm now that the token + repo-public fixes from earlier today are in place.
2. On Hetzner + alf-prod-docker: npm i -g @askalf/agent@3.3.0, then re-pair each device once (per the agent.json apiKey re-encrypted with per-process entropy — restart corrupts credential, requires manual re-pair #15 recipe). Future restarts won't need this dance ever again.
3. Close agent.json apiKey re-encrypted with per-process entropy — restart corrupts credential, requires manual re-pair #15 with a link to the published release.

Out of scope (deliberate)

• No test infrastructure added — the repo has none, and adding tsx/vitest/etc. is a separate concern. The smoke test was sufficient to verify the change locally; the code is small enough to read.
• No CHANGELOG backfill for v3.1.6 / v3.2.0 / v3.2.1 (which had stale CHANGELOG entries pre-this-PR). Worth a separate housekeeping PR.
• No README update yet for the keyfile location / security implications. Worth a follow-up.