packages/shade-core/src/storage.ts

import type { IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState } from './types.js';

/** A retired identity kept in history during the rotation grace period */
export interface RetiredIdentity {
  keyPair: IdentityKeyPair;
  retiredAt: number;
}

/**
 * Persisted stream-transfer resume record. Holds enough state for either
 * side of a transfer to resume after restart. The `streamSecret` MUST be
 * encrypted before storage (see `@shade/transfer` for the deviceKey-based
 * AES-GCM at-rest scheme).
 */
export interface PersistedStreamState {
  streamId: string;
  direction: 'send' | 'receive';
  peerAddress: string;
  status: 'active' | 'paused' | 'finished' | 'aborted';
  /** JSON-serialized `StreamMetadata`. */
  metadataJson: string;
  /** JSON-serialized `LaneInitSpec[]`. */
  partitionJson: string;
  /** JSON-serialized per-lane progress array (laneId/nextSeq/bytesProcessed). */
  laneStateJson: string;
  /** JSON-serialized I/O descriptor (file path / file handle reference / buffer). */
  ioDescriptorJson: string;
  /** AES-GCM-encrypted streamSecret (under deviceKey). */
  secretEnc: Uint8Array;
  /** AES-GCM nonce used for `secretEnc`. */
  secretNonce: Uint8Array;
  /**
   * Reserved for future hasher serialization. Empty in v0.2.0; resume
   * re-hashes received bytes from disk.
   */
  overallHashState?: string;
  createdAt: number;
  updatedAt: number;
}

/**
 * StorageProvider — abstract interface for persisting cryptographic state.
 *
 * Implementations per platform:
 *  - In-memory (testing)
 *  - IndexedDB (browser)
 *  - SQLite/PostgreSQL (server)
 *  - EncryptedSharedPreferences (Android)
 */
export interface StorageProvider {
  // ─── Identity ──────────────────────────────────────────────

  /** Get our local identity keypair, or null if not yet generated */
  getIdentityKeyPair(): Promise<IdentityKeyPair | null>;

  /** Persist our local identity keypair */
  saveIdentityKeyPair(keyPair: IdentityKeyPair): Promise<void>;

  /** Get our local registration ID (unique per installation) */
  getLocalRegistrationId(): Promise<number>;

  /** Save our local registration ID */
  saveLocalRegistrationId(id: number): Promise<void>;

  // ─── Signed Pre-Keys ──────────────────────────────────────

  /** Get a signed prekey by ID */
  getSignedPreKey(keyId: number): Promise<SignedPreKey | null>;

  /** Persist a signed prekey */
  saveSignedPreKey(key: SignedPreKey): Promise<void>;

  /** Remove a signed prekey (after rotation grace period) */
  removeSignedPreKey(keyId: number): Promise<void>;

  // ─── One-Time Pre-Keys ────────────────────────────────────

  /** Get a one-time prekey by ID */
  getOneTimePreKey(keyId: number): Promise<OneTimePreKey | null>;

  /** Persist a one-time prekey */
  saveOneTimePreKey(key: OneTimePreKey): Promise<void>;

  /** Remove a consumed one-time prekey */
  removeOneTimePreKey(keyId: number): Promise<void>;

  /** Count remaining one-time prekeys */
  getOneTimePreKeyCount(): Promise<number>;

  // ─── Sessions ─────────────────────────────────────────────

  /** Get session state for a peer address (e.g. "device:abc123") */
  getSession(address: string): Promise<SessionState | null>;

  /** Persist session state for a peer */
  saveSession(address: string, state: SessionState): Promise<void>;

  /** Remove session for a peer */
  removeSession(address: string): Promise<void>;

  /** Check if we trust a remote identity key (for TOFU or pinned keys) */
  isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean>;

  /** Save a trusted remote identity key */
  saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void>;

  // ─── Identity History (rotation with grace period) ──────

  /** Add an identity to the retired history */
  addRetiredIdentity(identity: RetiredIdentity): Promise<void>;

  /** Get all retired identities (for grace-period decryption) */
  getRetiredIdentities(): Promise<RetiredIdentity[]>;

  /** Remove retired identities older than the given timestamp */
  pruneRetiredIdentities(olderThan: number): Promise<void>;

  // ─── Stream-transfer resume state (optional, added in v0.2.0) ──

  /**
   * Persist or update the stream-state row for a given streamId. Idempotent:
   * upserts on `streamId`. Optional — providers that don't support resume
   * can omit this and consumers will fall back to in-memory state.
   */
  saveStreamState?(state: PersistedStreamState): Promise<void>;

  /** Look up the stream-state row by streamId. Returns null if absent. */
  getStreamState?(streamId: string): Promise<PersistedStreamState | null>;

  /** Remove a stream-state row (e.g. on completion or abort). */
  removeStreamState?(streamId: string): Promise<void>;

  /** List active or paused stream-state rows (for resume on startup). */
  listActiveStreamStates?(
    direction?: 'send' | 'receive',
  ): Promise<PersistedStreamState[]>;

  /** Prune stream-state rows in `'finished' | 'aborted'` status older than `olderThan`. */
  pruneStreamStates?(olderThan: number): Promise<void>;
}
feat: Shade E2EE library — M1-M3 complete Signal Protocol implementation with full X3DH + Double Ratchet: - M1: Core types, CryptoProvider interface, KDF chain functions, SubtleCrypto+noble/curves provider, MemoryStorage - M2: X3DH key agreement (identity keys, signed prekeys, one-time prekeys, bundle processing for both initiator and responder) - M3: Double Ratchet (symmetric-key ratchet, DH ratchet, skipped message key cache, out-of-order delivery, AAD-bound headers) 68 tests, 0 failures — including full integration test of X3DH handshake → Double Ratchet conversation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 20:08:19 +02:00			`import type { IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState } from './types.js';`

feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation M-Hard 1: Cryptographic Hardening - constantTimeEqual, zeroize, randomUint32 on CryptoProvider - Fix Math.random() → crypto.randomUint32() for registrationId - Zero message keys and chain keys after use in ratchet.ts - Constant-time trust comparison in MemoryStorage + SQLiteStorage - Timing variance test catches early-exit regressions M-Hard 2: Self-Authenticated Prekey Server - Ed25519 signature verification on all write routes - signPayload/verifyPayload with canonical JSON, ±5 min replay window - Address validation (NFKC, alphanumeric + :_-.) - Global ShadeError → HTTP status mapping - ShadeFetchTransport signs requests when signingPrivateKey provided - Anonymous bundle fetches still allowed (read-only) M-Hard 3: Rate Limiting + DoS Protection - Token bucket rate limiter with pluggable store - Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id - 64KB body size limit on POST - Retry-After header on 429 responses M-Hard 4: Auto-replenish + Fingerprints + Session Reset - Safety numbers (12 groups × 5 digits, Signal-style) - ensurePreKeyStock, resetSession, acceptIdentityChange - verifyRemoteIdentity for out-of-band comparison M-Hard 5: Identity Rotation with Grace Period - rotateIdentity archives old identity, generates fresh signed prekey - RetiredIdentity storage with addRetired/getRetired/pruneRetired - 7-day default grace period for decrypting old sessions - pruneExpiredIdentities for cleanup M-Hard 8: Error Hierarchy - New error types: Network, Storage, Validation, Timeout, RateLimit, Configuration, Unauthorized, Replay, IdentityRotation - All errors have stable SHADE_* codes - errorToHttpStatus for consistent HTTP mapping - toJSON() for network serialization 188 tests passing, zero failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-10 17:45:34 +02:00			`/** A retired identity kept in history during the rotation grace period */`
			`export interface RetiredIdentity {`
			`keyPair: IdentityKeyPair;`
			`retiredAt: number;`
			`}`

feat(files): @shade/files 0.3.0 — E2EE filesystem RPC primitive M-Files-1..6 land the full files-RPC layer + everything 0.3.0 needs to ship. Apps keep their own UI; this layer ships the typed RPC, the streams bridge for content I/O, and production hooks (rate limit, retention, fingerprint gate, metrics). @shade/files (NEW) - Standard ops: list/stat/mkdir/delete/move/read/write/getThumbnail with Zod-validated wire schemas + clean user-handler types. - Custom ops: typed via TypeScript declaration merging on CustomOpsMap + per-op Zod schemas; client.custom('app.foo', {...}) is fully typed. - Content I/O: inline (≤ 256 KiB plaintext) base64-in-RPC; streams (> 256 KiB) ride @shade/transfer via userMetadata.shadeFilesWriteId / shadeFilesReadStreamId correlation. Server-side TransformStream bridges accept inbound transfers immediately (engine rejects chunks that arrive before accept) and park the readable for the matching RPC. - Directory ops: walk(path, opts) async-iterable depth-first walker; uploadDirectory()/downloadDirectory() with bounded concurrency pool (default 4, cap 16), aggregated progress, abort. - Production hooks (callback-based, vendor-neutral): rate-limit (op + byte), idempotency cache (LRU + TTL + in-flight de-dupe), path policy (traversal + percent-decode hardening), fingerprint gate (required/optional/reject), pluggable Ed25519 sig verification with ±5 min replay window, onMetric sink (standard names). - React hooks (subpath @shade/files/react): ShadeFilesProvider, useShadeFiles, useFileList, useFileTransfer/Upload/Download. - Shade.files.serve(handler) + Shade.files.client(peer) high-level entrypoint in @shade/sdk; lazy + memoized; one handler per Shade. Wire format bump - @shade/proto wire VERSION 0x01 → 0x02. Length prefixes changed from u16 to u32. The previous u16 silently truncated payloads above 64 KiB — a hard correctness ceiling that blocked inline file ops up to 256 KiB. Wire-incompatible with 0.2.x peers; new sessions only. Cross-platform Kotlin port (android/shade-android) updated to match; test-vectors/wire-format.json regenerated. Concurrency safety - ShadeSessionManager.encrypt/.decrypt now run under per-peer mutex. Concurrent decryptions of the same peer raced ratchet state (manifested as sporadic "Failed to decrypt — wrong key or tampered data" under load — surfaced once concurrent uploadDirectory pumped many writes in flight). Encrypt was already serialized via Shade.send's encryptChains; decrypt is now serialized at the manager layer too. @shade/streams extension - StreamMetadata.userMetadata?: Record<string, string> for application-level key/value pairs that round-trip verbatim through stream-init plaintext. Used by @shade/files for write/read correlation; available to any consumer. @shade/sdk extension - Shade.files getter (lazy + memoized). - BackgroundHooks.onPruneFiles + periodic timer (default 5 min) + BackgroundTasks.setHook(name, fn) for runtime hook registration. Bundles in-flight 0.2.0 work - packages/shade-streams/, packages/shade-transfer/, related shade-sdk streams-bridge + shade-widgets transfer hooks were uncommitted prior to this session. Including them keeps the workspace consistent at 0.3.0 since @shade/files depends on them. Tests - 74 new tests in @shade/files (572 → 646 workspace pass; 0 fail; 3× stable). Coverage spans unit (inline-threshold + concurrency), integration (read-write inline + streams up to 1 MiB, walk + upload/download directory, custom-op, metrics, SDK namespace end-to-end), and security (tampered-envelope sig verification, replay window, fingerprint gate, rate-limit + quota). Release artifacts - All packages bumped to 0.3.0 via scripts/bump-version.ts. - scripts/publish-all.ts PACKAGES updated with shade-files in topological order (after shade-transfer, before shade-sdk). - bun run publish:dry clean (14 packed, 0 failed). - examples/08-files-browser/ — three-process CLI demo (prekey + Bob server + Alice CLI) covering list/stat/mkdir/delete/upload/download. - docs/files.md — full API + design doc. - CHANGELOG.md 0.3.0 entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-02 14:00:01 +02:00			`/**`
			`* Persisted stream-transfer resume record. Holds enough state for either`
			* side of a transfer to resume after restart. The `streamSecret` MUST be
			* encrypted before storage (see `@shade/transfer` for the deviceKey-based
			`* AES-GCM at-rest scheme).`
			`*/`
			`export interface PersistedStreamState {`
			`streamId: string;`
			`direction: 'send' \| 'receive';`
			`peerAddress: string;`
			`status: 'active' \| 'paused' \| 'finished' \| 'aborted';`
			/** JSON-serialized `StreamMetadata`. */
			`metadataJson: string;`
			/** JSON-serialized `LaneInitSpec[]`. */
			`partitionJson: string;`
			`/** JSON-serialized per-lane progress array (laneId/nextSeq/bytesProcessed). */`
			`laneStateJson: string;`
			`/** JSON-serialized I/O descriptor (file path / file handle reference / buffer). */`
			`ioDescriptorJson: string;`
			`/** AES-GCM-encrypted streamSecret (under deviceKey). */`
			`secretEnc: Uint8Array;`
			/** AES-GCM nonce used for `secretEnc`. */
			`secretNonce: Uint8Array;`
			`/**`
			`* Reserved for future hasher serialization. Empty in v0.2.0; resume`
			`* re-hashes received bytes from disk.`
			`*/`
			`overallHashState?: string;`
			`createdAt: number;`
			`updatedAt: number;`
			`}`

feat: Shade E2EE library — M1-M3 complete Signal Protocol implementation with full X3DH + Double Ratchet: - M1: Core types, CryptoProvider interface, KDF chain functions, SubtleCrypto+noble/curves provider, MemoryStorage - M2: X3DH key agreement (identity keys, signed prekeys, one-time prekeys, bundle processing for both initiator and responder) - M3: Double Ratchet (symmetric-key ratchet, DH ratchet, skipped message key cache, out-of-order delivery, AAD-bound headers) 68 tests, 0 failures — including full integration test of X3DH handshake → Double Ratchet conversation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 20:08:19 +02:00			`/**`
			`* StorageProvider — abstract interface for persisting cryptographic state.`
			`*`
			`* Implementations per platform:`
			`* - In-memory (testing)`
			`* - IndexedDB (browser)`
			`* - SQLite/PostgreSQL (server)`
			`* - EncryptedSharedPreferences (Android)`
			`*/`
			`export interface StorageProvider {`
			`// ─── Identity ──────────────────────────────────────────────`

			`/** Get our local identity keypair, or null if not yet generated */`
			`getIdentityKeyPair(): Promise<IdentityKeyPair \| null>;`

			`/** Persist our local identity keypair */`
			`saveIdentityKeyPair(keyPair: IdentityKeyPair): Promise<void>;`

			`/** Get our local registration ID (unique per installation) */`
			`getLocalRegistrationId(): Promise<number>;`

			`/** Save our local registration ID */`
			`saveLocalRegistrationId(id: number): Promise<void>;`

			`// ─── Signed Pre-Keys ──────────────────────────────────────`

			`/** Get a signed prekey by ID */`
			`getSignedPreKey(keyId: number): Promise<SignedPreKey \| null>;`

			`/** Persist a signed prekey */`
			`saveSignedPreKey(key: SignedPreKey): Promise<void>;`

			`/** Remove a signed prekey (after rotation grace period) */`
			`removeSignedPreKey(keyId: number): Promise<void>;`

			`// ─── One-Time Pre-Keys ────────────────────────────────────`

			`/** Get a one-time prekey by ID */`
			`getOneTimePreKey(keyId: number): Promise<OneTimePreKey \| null>;`

			`/** Persist a one-time prekey */`
			`saveOneTimePreKey(key: OneTimePreKey): Promise<void>;`

			`/** Remove a consumed one-time prekey */`
			`removeOneTimePreKey(keyId: number): Promise<void>;`

			`/** Count remaining one-time prekeys */`
			`getOneTimePreKeyCount(): Promise<number>;`

			`// ─── Sessions ─────────────────────────────────────────────`

			`/** Get session state for a peer address (e.g. "device:abc123") */`
			`getSession(address: string): Promise<SessionState \| null>;`

			`/** Persist session state for a peer */`
			`saveSession(address: string, state: SessionState): Promise<void>;`

			`/** Remove session for a peer */`
			`removeSession(address: string): Promise<void>;`

			`/** Check if we trust a remote identity key (for TOFU or pinned keys) */`
			`isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean>;`

			`/** Save a trusted remote identity key */`
			`saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void>;`
feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation M-Hard 1: Cryptographic Hardening - constantTimeEqual, zeroize, randomUint32 on CryptoProvider - Fix Math.random() → crypto.randomUint32() for registrationId - Zero message keys and chain keys after use in ratchet.ts - Constant-time trust comparison in MemoryStorage + SQLiteStorage - Timing variance test catches early-exit regressions M-Hard 2: Self-Authenticated Prekey Server - Ed25519 signature verification on all write routes - signPayload/verifyPayload with canonical JSON, ±5 min replay window - Address validation (NFKC, alphanumeric + :_-.) - Global ShadeError → HTTP status mapping - ShadeFetchTransport signs requests when signingPrivateKey provided - Anonymous bundle fetches still allowed (read-only) M-Hard 3: Rate Limiting + DoS Protection - Token bucket rate limiter with pluggable store - Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id - 64KB body size limit on POST - Retry-After header on 429 responses M-Hard 4: Auto-replenish + Fingerprints + Session Reset - Safety numbers (12 groups × 5 digits, Signal-style) - ensurePreKeyStock, resetSession, acceptIdentityChange - verifyRemoteIdentity for out-of-band comparison M-Hard 5: Identity Rotation with Grace Period - rotateIdentity archives old identity, generates fresh signed prekey - RetiredIdentity storage with addRetired/getRetired/pruneRetired - 7-day default grace period for decrypting old sessions - pruneExpiredIdentities for cleanup M-Hard 8: Error Hierarchy - New error types: Network, Storage, Validation, Timeout, RateLimit, Configuration, Unauthorized, Replay, IdentityRotation - All errors have stable SHADE_* codes - errorToHttpStatus for consistent HTTP mapping - toJSON() for network serialization 188 tests passing, zero failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-10 17:45:34 +02:00
			`// ─── Identity History (rotation with grace period) ──────`

			`/** Add an identity to the retired history */`
			`addRetiredIdentity(identity: RetiredIdentity): Promise<void>;`

			`/** Get all retired identities (for grace-period decryption) */`
			`getRetiredIdentities(): Promise<RetiredIdentity[]>;`

			`/** Remove retired identities older than the given timestamp */`
			`pruneRetiredIdentities(olderThan: number): Promise<void>;`
feat(files): @shade/files 0.3.0 — E2EE filesystem RPC primitive M-Files-1..6 land the full files-RPC layer + everything 0.3.0 needs to ship. Apps keep their own UI; this layer ships the typed RPC, the streams bridge for content I/O, and production hooks (rate limit, retention, fingerprint gate, metrics). @shade/files (NEW) - Standard ops: list/stat/mkdir/delete/move/read/write/getThumbnail with Zod-validated wire schemas + clean user-handler types. - Custom ops: typed via TypeScript declaration merging on CustomOpsMap + per-op Zod schemas; client.custom('app.foo', {...}) is fully typed. - Content I/O: inline (≤ 256 KiB plaintext) base64-in-RPC; streams (> 256 KiB) ride @shade/transfer via userMetadata.shadeFilesWriteId / shadeFilesReadStreamId correlation. Server-side TransformStream bridges accept inbound transfers immediately (engine rejects chunks that arrive before accept) and park the readable for the matching RPC. - Directory ops: walk(path, opts) async-iterable depth-first walker; uploadDirectory()/downloadDirectory() with bounded concurrency pool (default 4, cap 16), aggregated progress, abort. - Production hooks (callback-based, vendor-neutral): rate-limit (op + byte), idempotency cache (LRU + TTL + in-flight de-dupe), path policy (traversal + percent-decode hardening), fingerprint gate (required/optional/reject), pluggable Ed25519 sig verification with ±5 min replay window, onMetric sink (standard names). - React hooks (subpath @shade/files/react): ShadeFilesProvider, useShadeFiles, useFileList, useFileTransfer/Upload/Download. - Shade.files.serve(handler) + Shade.files.client(peer) high-level entrypoint in @shade/sdk; lazy + memoized; one handler per Shade. Wire format bump - @shade/proto wire VERSION 0x01 → 0x02. Length prefixes changed from u16 to u32. The previous u16 silently truncated payloads above 64 KiB — a hard correctness ceiling that blocked inline file ops up to 256 KiB. Wire-incompatible with 0.2.x peers; new sessions only. Cross-platform Kotlin port (android/shade-android) updated to match; test-vectors/wire-format.json regenerated. Concurrency safety - ShadeSessionManager.encrypt/.decrypt now run under per-peer mutex. Concurrent decryptions of the same peer raced ratchet state (manifested as sporadic "Failed to decrypt — wrong key or tampered data" under load — surfaced once concurrent uploadDirectory pumped many writes in flight). Encrypt was already serialized via Shade.send's encryptChains; decrypt is now serialized at the manager layer too. @shade/streams extension - StreamMetadata.userMetadata?: Record<string, string> for application-level key/value pairs that round-trip verbatim through stream-init plaintext. Used by @shade/files for write/read correlation; available to any consumer. @shade/sdk extension - Shade.files getter (lazy + memoized). - BackgroundHooks.onPruneFiles + periodic timer (default 5 min) + BackgroundTasks.setHook(name, fn) for runtime hook registration. Bundles in-flight 0.2.0 work - packages/shade-streams/, packages/shade-transfer/, related shade-sdk streams-bridge + shade-widgets transfer hooks were uncommitted prior to this session. Including them keeps the workspace consistent at 0.3.0 since @shade/files depends on them. Tests - 74 new tests in @shade/files (572 → 646 workspace pass; 0 fail; 3× stable). Coverage spans unit (inline-threshold + concurrency), integration (read-write inline + streams up to 1 MiB, walk + upload/download directory, custom-op, metrics, SDK namespace end-to-end), and security (tampered-envelope sig verification, replay window, fingerprint gate, rate-limit + quota). Release artifacts - All packages bumped to 0.3.0 via scripts/bump-version.ts. - scripts/publish-all.ts PACKAGES updated with shade-files in topological order (after shade-transfer, before shade-sdk). - bun run publish:dry clean (14 packed, 0 failed). - examples/08-files-browser/ — three-process CLI demo (prekey + Bob server + Alice CLI) covering list/stat/mkdir/delete/upload/download. - docs/files.md — full API + design doc. - CHANGELOG.md 0.3.0 entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-02 14:00:01 +02:00
			`// ─── Stream-transfer resume state (optional, added in v0.2.0) ──`

			`/**`
			`* Persist or update the stream-state row for a given streamId. Idempotent:`
			* upserts on `streamId`. Optional — providers that don't support resume
			`* can omit this and consumers will fall back to in-memory state.`
			`*/`
			`saveStreamState?(state: PersistedStreamState): Promise<void>;`

			`/** Look up the stream-state row by streamId. Returns null if absent. */`
			`getStreamState?(streamId: string): Promise<PersistedStreamState \| null>;`

			`/** Remove a stream-state row (e.g. on completion or abort). */`
			`removeStreamState?(streamId: string): Promise<void>;`

			`/** List active or paused stream-state rows (for resume on startup). */`
			`listActiveStreamStates?(`
			`direction?: 'send' \| 'receive',`
			`): Promise<PersistedStreamState[]>;`

			/** Prune stream-state rows in `'finished' \| 'aborted'` status older than `olderThan`. */
			`pruneStreamStates?(olderThan: number): Promise<void>;`
feat: Shade E2EE library — M1-M3 complete Signal Protocol implementation with full X3DH + Double Ratchet: - M1: Core types, CryptoProvider interface, KDF chain functions, SubtleCrypto+noble/curves provider, MemoryStorage - M2: X3DH key agreement (identity keys, signed prekeys, one-time prekeys, bundle processing for both initiator and responder) - M3: Double Ratchet (symmetric-key ratchet, DH ratchet, skipped message key cache, out-of-order delivery, AAD-bound headers) 68 tests, 0 failures — including full integration test of X3DH handshake → Double Ratchet conversation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 20:08:19 +02:00			`}`