packages/shade-inbox-server/src/events.ts

/**
 * Inbox server event emitter.
 *
 * Mirrors `PrekeyServerEvents`. Emits structural facts only — no plaintext,
 * no signatures, no key material. Used by the observer dashboard and
 * operator metrics.
 */

export interface InboxServerEventBase {
  seq: number;
  timestamp: number;
}

export interface InboxServerEventMap {
  'inbox.address_registered': { address: string; signingKeyHash: string };
  'inbox.address_deleted': { address: string };
  'inbox.blob_stored': { address: string; msgId: string; bytes: number; ttlSeconds: number };
  'inbox.blob_idempotent_replay': { address: string; msgId: string };
  'inbox.blob_fetched': { address: string; count: number; bytes: number };
  'inbox.blob_acked': { address: string; msgId: string };
  'inbox.expired_purged': { count: number };
  'inbox.rate_limited': { route: string; key: string };
  'inbox.quota_rejected': { address: string; reason: 'address-quota' | 'sender-quota' | 'body-too-large' };
  // V4.7 — bridge presence transitions. Emitted on the 0↔1 boundary
  // across tracked transports for a given address. Long-poll is
  // intentionally NOT tracked: an LP client toggles in/out of a request
  // every few seconds, and the resulting flapping would dominate the
  // event stream. Push transports (WS, SSE) are also the only ones
  // where the ~50ms revoke window for `BroadcastChannel.removeMember`
  // matters — long-poll users are already on a slow path.
  'inbox.peer_connected': { address: string; bridgeKind: 'ws' | 'sse' };
  'inbox.peer_disconnected': {
    address: string;
    bridgeKind: 'ws' | 'sse';
    reason: 'closed' | 'error';
  };
}

export type InboxServerEventName = keyof InboxServerEventMap;

export type InboxServerEvent = {
  [K in InboxServerEventName]: InboxServerEventBase & { name: K; data: InboxServerEventMap[K] };
}[InboxServerEventName];

export type InboxServerEventListener = (event: InboxServerEvent) => void;

export class InboxServerEvents {
  private listeners = new Set<InboxServerEventListener>();
  private nextSeq = 1;
  private buffer: InboxServerEvent[] = [];
  private readonly maxBuffer: number;

  constructor(options: { bufferSize?: number } = {}) {
    this.maxBuffer = options.bufferSize ?? 1000;
  }

  on(listener: InboxServerEventListener): () => void {
    this.listeners.add(listener);
    return () => this.listeners.delete(listener);
  }

  off(listener: InboxServerEventListener): void {
    this.listeners.delete(listener);
  }

  emit<K extends InboxServerEventName>(name: K, data: InboxServerEventMap[K]): void {
    const event = {
      seq: this.nextSeq++,
      timestamp: Date.now(),
      name,
      data,
    } as InboxServerEvent;

    this.buffer.push(event);
    if (this.buffer.length > this.maxBuffer) this.buffer.shift();

    for (const listener of this.listeners) {
      try {
        listener(event);
      } catch (err) {
        console.error('[Shade] Inbox event listener threw:', err);
      }
    }
  }

  getBufferedSince(since: number): InboxServerEvent[] {
    return this.buffer.filter((e) => e.seq > since);
  }

  getRecent(n: number): InboxServerEvent[] {
    return this.buffer.slice(-n);
  }

  get currentSeq(): number {
    return this.nextSeq - 1;
  }
}

export async function shortHash(key: Uint8Array): Promise<string> {
  const buf = await globalThis.crypto.subtle.digest('SHA-256', key as unknown as ArrayBuffer);
  const arr = new Uint8Array(buf).slice(0, 8);
  return Array.from(arr, (b) => b.toString(16).padStart(2, '0')).join('');
}
release(v4.0.0): Shade GA — V3.x consolidation + audit prep V3.1 → V3.12 consolidated and tagged for the first GA release. Wire format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers byte-for-byte. The version bump is semantic: audit-cycle complete, opt-in surface fully exposed, threat model refreshed for every new surface. Highlights: - All 24 @shade/* packages bumped to 4.0.0 in lockstep. - CHANGELOG 4.0.0 section is the canonical manifest of what landed. - THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12 Web-Worker boundary) + residual-risks table refreshed. - OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox, bridge, observer, /metrics, /healthz, /ready. - MIGRATION 0.3.x → 4.0 documented + smoke-tested against shade migrate-storage on a real SQLite DB. - docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer. - scripts/soak.ts harness for the GA-stable 2-week soak window. - All V*.md plans archived under docs/archive/ with Status: Done. - Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen non-realtime stack. Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green. Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports version 4.0.0 on /health. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-03 18:35:35 +02:00			`/**`
			`* Inbox server event emitter.`
			`*`
			* Mirrors `PrekeyServerEvents`. Emits structural facts only — no plaintext,
			`* no signatures, no key material. Used by the observer dashboard and`
			`* operator metrics.`
			`*/`

			`export interface InboxServerEventBase {`
			`seq: number;`
			`timestamp: number;`
			`}`

			`export interface InboxServerEventMap {`
			`'inbox.address_registered': { address: string; signingKeyHash: string };`
			`'inbox.address_deleted': { address: string };`
			`'inbox.blob_stored': { address: string; msgId: string; bytes: number; ttlSeconds: number };`
			`'inbox.blob_idempotent_replay': { address: string; msgId: string };`
			`'inbox.blob_fetched': { address: string; count: number; bytes: number };`
			`'inbox.blob_acked': { address: string; msgId: string };`
			`'inbox.expired_purged': { count: number };`
			`'inbox.rate_limited': { route: string; key: string };`
			`'inbox.quota_rejected': { address: string; reason: 'address-quota' \| 'sender-quota' \| 'body-too-large' };`
release(v4.7.0): peer-presence events for instant BroadcastChannel revoke Adds the bridge-connection-lifecycle signal that closes Prism's ~45s revoke window down to one server→client round-trip (~50ms). Server (`@shade/inbox-server`): - `inbox.peer_connected` / `inbox.peer_disconnected` events on the 0↔1 boundary across WS + SSE bridges. Long-poll deliberately not tracked (every poll boundary would flap; push transports are also the only ones where instant revoke matters). - `PresenceTracker` collapses two parallel bridges (e.g. WS + SSE during fallback handover) into one connect/disconnect pair. - `GET /v1/bridge/presence` SSE endpoint: signed query with `kind: 'presence'`, `watched: string[]`; on open streams a per-address snapshot, then change frames filtered server-side. MAX_WATCHED_ADDRESSES = 64. Subscribing does not itself count as a peer-bridge connection. - `createBridgeRoutes` now returns `{ app, websocket, presence }`. Client (`@shade/transport-bridge`): - `PresenceBridge.subscribe({ watch, onPresenceChange })` → `{ addPeer, removePeer, watching, unsubscribe }`. addPeer/removePeer mutate via reconnect with a fresh signed query. - `signPresenceQuery` helper for non-PresenceBridge consumers. Tests cover all four acceptance criteria from the Prism request: server-event smoke, online→offline subscription, address scoping (carol invisible to a [alice]-only sub), reconnect, plus an addPeer/removePeer regression. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-07 23:16:35 +02:00			`// V4.7 — bridge presence transitions. Emitted on the 0↔1 boundary`
			`// across tracked transports for a given address. Long-poll is`
			`// intentionally NOT tracked: an LP client toggles in/out of a request`
			`// every few seconds, and the resulting flapping would dominate the`
			`// event stream. Push transports (WS, SSE) are also the only ones`
			// where the ~50ms revoke window for `BroadcastChannel.removeMember`
			`// matters — long-poll users are already on a slow path.`
			`'inbox.peer_connected': { address: string; bridgeKind: 'ws' \| 'sse' };`
			`'inbox.peer_disconnected': {`
			`address: string;`
			`bridgeKind: 'ws' \| 'sse';`
			`reason: 'closed' \| 'error';`
			`};`
release(v4.0.0): Shade GA — V3.x consolidation + audit prep V3.1 → V3.12 consolidated and tagged for the first GA release. Wire format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers byte-for-byte. The version bump is semantic: audit-cycle complete, opt-in surface fully exposed, threat model refreshed for every new surface. Highlights: - All 24 @shade/* packages bumped to 4.0.0 in lockstep. - CHANGELOG 4.0.0 section is the canonical manifest of what landed. - THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12 Web-Worker boundary) + residual-risks table refreshed. - OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox, bridge, observer, /metrics, /healthz, /ready. - MIGRATION 0.3.x → 4.0 documented + smoke-tested against shade migrate-storage on a real SQLite DB. - docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer. - scripts/soak.ts harness for the GA-stable 2-week soak window. - All V*.md plans archived under docs/archive/ with Status: Done. - Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen non-realtime stack. Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green. Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports version 4.0.0 on /health. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-03 18:35:35 +02:00			`}`

			`export type InboxServerEventName = keyof InboxServerEventMap;`

			`export type InboxServerEvent = {`
			`[K in InboxServerEventName]: InboxServerEventBase & { name: K; data: InboxServerEventMap[K] };`
			`}[InboxServerEventName];`

			`export type InboxServerEventListener = (event: InboxServerEvent) => void;`

			`export class InboxServerEvents {`
			`private listeners = new Set<InboxServerEventListener>();`
			`private nextSeq = 1;`
			`private buffer: InboxServerEvent[] = [];`
			`private readonly maxBuffer: number;`

			`constructor(options: { bufferSize?: number } = {}) {`
			`this.maxBuffer = options.bufferSize ?? 1000;`
			`}`

			`on(listener: InboxServerEventListener): () => void {`
			`this.listeners.add(listener);`
			`return () => this.listeners.delete(listener);`
			`}`

			`off(listener: InboxServerEventListener): void {`
			`this.listeners.delete(listener);`
			`}`

			`emit<K extends InboxServerEventName>(name: K, data: InboxServerEventMap[K]): void {`
			`const event = {`
			`seq: this.nextSeq++,`
			`timestamp: Date.now(),`
			`name,`
			`data,`
			`} as InboxServerEvent;`

			`this.buffer.push(event);`
			`if (this.buffer.length > this.maxBuffer) this.buffer.shift();`

			`for (const listener of this.listeners) {`
			`try {`
			`listener(event);`
			`} catch (err) {`
			`console.error('[Shade] Inbox event listener threw:', err);`
			`}`
			`}`
			`}`

			`getBufferedSince(since: number): InboxServerEvent[] {`
			`return this.buffer.filter((e) => e.seq > since);`
			`}`

			`getRecent(n: number): InboxServerEvent[] {`
			`return this.buffer.slice(-n);`
			`}`

			`get currentSeq(): number {`
			`return this.nextSeq - 1;`
			`}`
			`}`

			`export async function shortHash(key: Uint8Array): Promise<string> {`
			`const buf = await globalThis.crypto.subtle.digest('SHA-256', key as unknown as ArrayBuffer);`
			`const arr = new Uint8Array(buf).slice(0, 8);`
			`return Array.from(arr, (b) => b.toString(16).padStart(2, '0')).join('');`
			`}`