packages/shade-storage-sqlite/tests/sqlite-storage.test.ts

import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
import { tmpdir } from 'os';
import { join } from 'path';
import { unlinkSync } from 'fs';
import { SQLiteStorage } from '../src/sqlite-storage.js';
import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
import { ShadeSessionManager } from '@shade/core';
import type { IdentityKeyPair, SignedPreKey, OneTimePreKey } from '@shade/core';

const crypto = new SubtleCryptoProvider();

function randBytes(n: number): Uint8Array {
  const buf = new Uint8Array(n);
  globalThis.crypto.getRandomValues(buf);
  return buf;
}

function tempDbPath(): string {
  return join(tmpdir(), `shade-test-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
}

describe('SQLiteStorage', () => {
  let dbPath: string;
  let storage: SQLiteStorage;

  beforeEach(() => {
    dbPath = tempDbPath();
    storage = new SQLiteStorage(dbPath);
  });

  afterEach(() => {
    storage.close();
    try { unlinkSync(dbPath); } catch {}
    try { unlinkSync(dbPath + '-wal'); } catch {}
    try { unlinkSync(dbPath + '-shm'); } catch {}
  });

  // ─── Identity ──────────────────────────────────────────────

  describe('identity', () => {
    test('returns null when no identity stored', async () => {
      expect(await storage.getIdentityKeyPair()).toBeNull();
    });

    test('save and retrieve identity keypair', async () => {
      const ikp: IdentityKeyPair = {
        signingPublicKey: randBytes(32),
        signingPrivateKey: randBytes(32),
        dhPublicKey: randBytes(32),
        dhPrivateKey: randBytes(32),
      };
      await storage.saveIdentityKeyPair(ikp);
      const restored = await storage.getIdentityKeyPair();
      expect(restored).not.toBeNull();
      expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
      expect(restored!.dhPrivateKey).toEqual(ikp.dhPrivateKey);
    });

    test('registration ID roundtrip', async () => {
      expect(await storage.getLocalRegistrationId()).toBe(0);
      await storage.saveLocalRegistrationId(42);
      expect(await storage.getLocalRegistrationId()).toBe(42);
    });
  });

  // ─── Signed PreKeys ───────────────────────────────────────

  describe('signed prekeys', () => {
    test('save, get, remove', async () => {
      const spk: SignedPreKey = {
        keyId: 1,
        keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
        signature: randBytes(64),
        timestamp: Date.now(),
      };
      await storage.saveSignedPreKey(spk);
      const restored = await storage.getSignedPreKey(1);
      expect(restored).not.toBeNull();
      expect(restored!.keyId).toBe(1);
      expect(restored!.keyPair.publicKey).toEqual(spk.keyPair.publicKey);

      await storage.removeSignedPreKey(1);
      expect(await storage.getSignedPreKey(1)).toBeNull();
    });
  });

  // ─── One-Time PreKeys ─────────────────────────────────────

  describe('one-time prekeys', () => {
    test('save, get, remove, count', async () => {
      const otpk: OneTimePreKey = {
        keyId: 100,
        keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
      };
      await storage.saveOneTimePreKey(otpk);
      expect(await storage.getOneTimePreKeyCount()).toBe(1);

      const restored = await storage.getOneTimePreKey(100);
      expect(restored!.keyId).toBe(100);

      await storage.removeOneTimePreKey(100);
      expect(await storage.getOneTimePreKeyCount()).toBe(0);
      expect(await storage.getOneTimePreKey(100)).toBeNull();
    });
  });

  // ─── Sessions ─────────────────────────────────────────────

  describe('sessions', () => {
    test('save and restore session with skipped keys', async () => {
      const state = {
        remoteIdentityKey: randBytes(32),
        rootKey: randBytes(32),
        sendChain: { chainKey: randBytes(32), counter: 5 },
        receiveChain: { chainKey: randBytes(32), counter: 3 },
        dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
        dhReceive: randBytes(32),
        previousSendCounter: 4,
        skippedKeys: new Map([['key:1', randBytes(32)]]),
      };

      await storage.saveSession('bob', state);
      const restored = await storage.getSession('bob');
      expect(restored).not.toBeNull();
      expect(restored!.sendChain.counter).toBe(5);
      expect(restored!.skippedKeys.size).toBe(1);
      expect(restored!.skippedKeys.get('key:1')).toEqual(state.skippedKeys.get('key:1'));
    });

    test('remove session', async () => {
      await storage.saveSession('bob', {
        remoteIdentityKey: randBytes(32),
        rootKey: randBytes(32),
        sendChain: { chainKey: randBytes(32), counter: 0 },
        receiveChain: null,
        dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
        dhReceive: null,
        previousSendCounter: 0,
        skippedKeys: new Map(),
      });
      await storage.removeSession('bob');
      expect(await storage.getSession('bob')).toBeNull();
    });
  });

  // ─── Trust ────────────────────────────────────────────────

  describe('trust', () => {
    test('TOFU: first use is trusted', async () => {
      expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(true);
    });

    test('saved identity matches', async () => {
      const key = randBytes(32);
      await storage.saveTrustedIdentity('bob', key);
      expect(await storage.isTrustedIdentity('bob', key)).toBe(true);
      expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(false);
    });
  });

  // ─── Crash Recovery ───────────────────────────────────────

  describe('persistence across close/reopen', () => {
    test('data survives close and reopen', async () => {
      const ikp: IdentityKeyPair = {
        signingPublicKey: randBytes(32),
        signingPrivateKey: randBytes(32),
        dhPublicKey: randBytes(32),
        dhPrivateKey: randBytes(32),
      };
      await storage.saveIdentityKeyPair(ikp);
      await storage.saveLocalRegistrationId(99);
      await storage.saveSession('alice', {
        remoteIdentityKey: randBytes(32),
        rootKey: randBytes(32),
        sendChain: { chainKey: randBytes(32), counter: 7 },
        receiveChain: null,
        dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
        dhReceive: null,
        previousSendCounter: 0,
        skippedKeys: new Map(),
      });

      // Close and reopen
      storage.close();
      storage = new SQLiteStorage(dbPath);

      const restored = await storage.getIdentityKeyPair();
      expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
      expect(await storage.getLocalRegistrationId()).toBe(99);
      const session = await storage.getSession('alice');
      expect(session!.sendChain.counter).toBe(7);
    });
  });

  // ─── Full E2EE with SQLiteStorage ─────────────────────────

  describe('full E2EE conversation with persistent storage', () => {
    test('encrypt, close, reopen, continue conversation', async () => {
      const bobDbPath = tempDbPath();
      let bobStorage = new SQLiteStorage(bobDbPath);

      try {
        const alice = new ShadeSessionManager(crypto, storage);
        let bob = new ShadeSessionManager(crypto, bobStorage);
        await alice.initialize();
        await bob.initialize();

        const otpks = await bob.generateOneTimePreKeys(5);
        const bundle = await bob.createPreKeyBundle();
        bundle.oneTimePreKey = { keyId: otpks[0].keyId, publicKey: otpks[0].keyPair.publicKey };

        await alice.initSessionFromBundle('bob', bundle);

        // Alice → Bob
        const env1 = await alice.encrypt('bob', 'Hello persistent!');
        expect(await bob.decrypt('alice', env1)).toBe('Hello persistent!');

        // Bob → Alice
        const env2 = await bob.encrypt('alice', 'Got it!');
        expect(await alice.decrypt('bob', env2)).toBe('Got it!');

        // "Crash" Bob — close DB and reopen
        bobStorage.close();
        bobStorage = new SQLiteStorage(bobDbPath);
        bob = new ShadeSessionManager(crypto, bobStorage);
        await bob.initialize();

        // Continue conversation after "crash"
        const env3 = await alice.encrypt('bob', 'After your restart');
        expect(await bob.decrypt('alice', env3)).toBe('After your restart');

        const env4 = await bob.encrypt('alice', 'I survived!');
        expect(await alice.decrypt('bob', env4)).toBe('I survived!');
      } finally {
        bobStorage.close();
        try { unlinkSync(bobDbPath); } catch {}
        try { unlinkSync(bobDbPath + '-wal'); } catch {}
        try { unlinkSync(bobDbPath + '-shm'); } catch {}
      }
    });
  });
});
feat: persistent storage — SQLite backends for crash resilience Shade sessions and keys now survive server crashes, container restarts, and power outages via SQLite with WAL mode. New packages: - @shade/storage-sqlite: SQLiteStorage (StorageProvider) + SqlitePrekeyStore (PrekeyStore), both using bun:sqlite with auto-created tables and WAL mode - Serialization layer in shade-core for SessionState/keys ↔ JSON/base64 Docker usage: mount volume at /data, set SHADE_DB_PATH=/data/shade-client.db Prekey server auto-detects SHADE_PREKEY_DB_PATH for SQLite persistence Includes crash recovery integration test: encrypt → close DB → reopen → conversation continues seamlessly. 129 tests, 0 failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-10 00:19:54 +02:00			`import { describe, test, expect, beforeEach, afterEach } from 'bun:test';`
			`import { tmpdir } from 'os';`
			`import { join } from 'path';`
			`import { unlinkSync } from 'fs';`
			`import { SQLiteStorage } from '../src/sqlite-storage.js';`
			`import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';`
			`import { ShadeSessionManager } from '@shade/core';`
			`import type { IdentityKeyPair, SignedPreKey, OneTimePreKey } from '@shade/core';`

			`const crypto = new SubtleCryptoProvider();`

			`function randBytes(n: number): Uint8Array {`
			`const buf = new Uint8Array(n);`
			`globalThis.crypto.getRandomValues(buf);`
			`return buf;`
			`}`

			`function tempDbPath(): string {`
			return join(tmpdir(), `shade-test-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
			`}`

			`describe('SQLiteStorage', () => {`
			`let dbPath: string;`
			`let storage: SQLiteStorage;`

			`beforeEach(() => {`
			`dbPath = tempDbPath();`
			`storage = new SQLiteStorage(dbPath);`
			`});`

			`afterEach(() => {`
			`storage.close();`
			`try { unlinkSync(dbPath); } catch {}`
			`try { unlinkSync(dbPath + '-wal'); } catch {}`
			`try { unlinkSync(dbPath + '-shm'); } catch {}`
			`});`

			`// ─── Identity ──────────────────────────────────────────────`

			`describe('identity', () => {`
			`test('returns null when no identity stored', async () => {`
			`expect(await storage.getIdentityKeyPair()).toBeNull();`
			`});`

			`test('save and retrieve identity keypair', async () => {`
			`const ikp: IdentityKeyPair = {`
			`signingPublicKey: randBytes(32),`
			`signingPrivateKey: randBytes(32),`
			`dhPublicKey: randBytes(32),`
			`dhPrivateKey: randBytes(32),`
			`};`
			`await storage.saveIdentityKeyPair(ikp);`
			`const restored = await storage.getIdentityKeyPair();`
			`expect(restored).not.toBeNull();`
			`expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);`
			`expect(restored!.dhPrivateKey).toEqual(ikp.dhPrivateKey);`
			`});`

			`test('registration ID roundtrip', async () => {`
			`expect(await storage.getLocalRegistrationId()).toBe(0);`
			`await storage.saveLocalRegistrationId(42);`
			`expect(await storage.getLocalRegistrationId()).toBe(42);`
			`});`
			`});`

			`// ─── Signed PreKeys ───────────────────────────────────────`

			`describe('signed prekeys', () => {`
			`test('save, get, remove', async () => {`
			`const spk: SignedPreKey = {`
			`keyId: 1,`
			`keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },`
			`signature: randBytes(64),`
			`timestamp: Date.now(),`
			`};`
			`await storage.saveSignedPreKey(spk);`
			`const restored = await storage.getSignedPreKey(1);`
			`expect(restored).not.toBeNull();`
			`expect(restored!.keyId).toBe(1);`
			`expect(restored!.keyPair.publicKey).toEqual(spk.keyPair.publicKey);`

			`await storage.removeSignedPreKey(1);`
			`expect(await storage.getSignedPreKey(1)).toBeNull();`
			`});`
			`});`

			`// ─── One-Time PreKeys ─────────────────────────────────────`

			`describe('one-time prekeys', () => {`
			`test('save, get, remove, count', async () => {`
			`const otpk: OneTimePreKey = {`
			`keyId: 100,`
			`keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },`
			`};`
			`await storage.saveOneTimePreKey(otpk);`
			`expect(await storage.getOneTimePreKeyCount()).toBe(1);`

			`const restored = await storage.getOneTimePreKey(100);`
			`expect(restored!.keyId).toBe(100);`

			`await storage.removeOneTimePreKey(100);`
			`expect(await storage.getOneTimePreKeyCount()).toBe(0);`
			`expect(await storage.getOneTimePreKey(100)).toBeNull();`
			`});`
			`});`

			`// ─── Sessions ─────────────────────────────────────────────`

			`describe('sessions', () => {`
			`test('save and restore session with skipped keys', async () => {`
			`const state = {`
			`remoteIdentityKey: randBytes(32),`
			`rootKey: randBytes(32),`
			`sendChain: { chainKey: randBytes(32), counter: 5 },`
			`receiveChain: { chainKey: randBytes(32), counter: 3 },`
			`dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },`
			`dhReceive: randBytes(32),`
			`previousSendCounter: 4,`
			`skippedKeys: new Map([['key:1', randBytes(32)]]),`
			`};`

			`await storage.saveSession('bob', state);`
			`const restored = await storage.getSession('bob');`
			`expect(restored).not.toBeNull();`
			`expect(restored!.sendChain.counter).toBe(5);`
			`expect(restored!.skippedKeys.size).toBe(1);`
			`expect(restored!.skippedKeys.get('key:1')).toEqual(state.skippedKeys.get('key:1'));`
			`});`

			`test('remove session', async () => {`
			`await storage.saveSession('bob', {`
			`remoteIdentityKey: randBytes(32),`
			`rootKey: randBytes(32),`
			`sendChain: { chainKey: randBytes(32), counter: 0 },`
			`receiveChain: null,`
			`dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },`
			`dhReceive: null,`
			`previousSendCounter: 0,`
			`skippedKeys: new Map(),`
			`});`
			`await storage.removeSession('bob');`
			`expect(await storage.getSession('bob')).toBeNull();`
			`});`
			`});`

			`// ─── Trust ────────────────────────────────────────────────`

			`describe('trust', () => {`
			`test('TOFU: first use is trusted', async () => {`
			`expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(true);`
			`});`

			`test('saved identity matches', async () => {`
			`const key = randBytes(32);`
			`await storage.saveTrustedIdentity('bob', key);`
			`expect(await storage.isTrustedIdentity('bob', key)).toBe(true);`
			`expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(false);`
			`});`
			`});`

			`// ─── Crash Recovery ───────────────────────────────────────`

			`describe('persistence across close/reopen', () => {`
			`test('data survives close and reopen', async () => {`
			`const ikp: IdentityKeyPair = {`
			`signingPublicKey: randBytes(32),`
			`signingPrivateKey: randBytes(32),`
			`dhPublicKey: randBytes(32),`
			`dhPrivateKey: randBytes(32),`
			`};`
			`await storage.saveIdentityKeyPair(ikp);`
			`await storage.saveLocalRegistrationId(99);`
			`await storage.saveSession('alice', {`
			`remoteIdentityKey: randBytes(32),`
			`rootKey: randBytes(32),`
			`sendChain: { chainKey: randBytes(32), counter: 7 },`
			`receiveChain: null,`
			`dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },`
			`dhReceive: null,`
			`previousSendCounter: 0,`
			`skippedKeys: new Map(),`
			`});`

			`// Close and reopen`
			`storage.close();`
			`storage = new SQLiteStorage(dbPath);`

			`const restored = await storage.getIdentityKeyPair();`
			`expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);`
			`expect(await storage.getLocalRegistrationId()).toBe(99);`
			`const session = await storage.getSession('alice');`
			`expect(session!.sendChain.counter).toBe(7);`
			`});`
			`});`

			`// ─── Full E2EE with SQLiteStorage ─────────────────────────`

			`describe('full E2EE conversation with persistent storage', () => {`
			`test('encrypt, close, reopen, continue conversation', async () => {`
			`const bobDbPath = tempDbPath();`
			`let bobStorage = new SQLiteStorage(bobDbPath);`

			`try {`
			`const alice = new ShadeSessionManager(crypto, storage);`
			`let bob = new ShadeSessionManager(crypto, bobStorage);`
			`await alice.initialize();`
			`await bob.initialize();`

			`const otpks = await bob.generateOneTimePreKeys(5);`
			`const bundle = await bob.createPreKeyBundle();`
			`bundle.oneTimePreKey = { keyId: otpks[0].keyId, publicKey: otpks[0].keyPair.publicKey };`

			`await alice.initSessionFromBundle('bob', bundle);`

			`// Alice → Bob`
			`const env1 = await alice.encrypt('bob', 'Hello persistent!');`
			`expect(await bob.decrypt('alice', env1)).toBe('Hello persistent!');`

			`// Bob → Alice`
			`const env2 = await bob.encrypt('alice', 'Got it!');`
			`expect(await alice.decrypt('bob', env2)).toBe('Got it!');`

			`// "Crash" Bob — close DB and reopen`
			`bobStorage.close();`
			`bobStorage = new SQLiteStorage(bobDbPath);`
			`bob = new ShadeSessionManager(crypto, bobStorage);`
			`await bob.initialize();`

			`// Continue conversation after "crash"`
			`const env3 = await alice.encrypt('bob', 'After your restart');`
			`expect(await bob.decrypt('alice', env3)).toBe('After your restart');`

			`const env4 = await bob.encrypt('alice', 'I survived!');`
			`expect(await alice.decrypt('bob', env4)).toBe('I survived!');`
			`} finally {`
			`bobStorage.close();`
			`try { unlinkSync(bobDbPath); } catch {}`
			`try { unlinkSync(bobDbPath + '-wal'); } catch {}`
			`try { unlinkSync(bobDbPath + '-shm'); } catch {}`
			`}`
			`});`
			`});`
			`});`