release(v4.0.0): Shade GA — V3.x consolidation + audit prep
V3.1 → V3.12 consolidated and tagged for the first GA release. Wire
format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers
byte-for-byte. The version bump is semantic: audit-cycle complete,
opt-in surface fully exposed, threat model refreshed for every new
surface.
Highlights:
- All 24 @shade/* packages bumped to 4.0.0 in lockstep.
- CHANGELOG 4.0.0 section is the canonical manifest of what landed.
- THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12
Web-Worker boundary) + residual-risks table refreshed.
- OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox,
bridge, observer, /metrics, /healthz, /ready.
- MIGRATION 0.3.x → 4.0 documented + smoke-tested against
shade migrate-storage on a real SQLite DB.
- docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer.
- scripts/soak.ts harness for the GA-stable 2-week soak window.
- All V*.md plans archived under docs/archive/ with Status: Done.
- Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen
non-realtime stack.
Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green.
Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports
version 4.0.0 on /health.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 18:35:35 +02:00
|
|
|
/**
|
|
|
|
|
* Bridge auth primitive.
|
|
|
|
|
*
|
|
|
|
|
* SSE/EventSource cannot carry custom headers in browsers, so the bridge
|
|
|
|
|
* protocol uses signed query parameters for every endpoint kind. The
|
|
|
|
|
* signature is over the canonical `{address, kind, since, signedAt}` payload
|
|
|
|
|
* using the recipient's Ed25519 signing key. The server looks up the owner
|
|
|
|
|
* key for `address` (registered via `/v1/inbox/register`) and verifies the
|
|
|
|
|
* signature with the same `verifyPayload` path used by the inbox.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
import type { CryptoProvider } from '@shade/core';
|
|
|
|
|
import { signPayload } from '@shade/server';
|
|
|
|
|
|
|
|
|
|
export type BridgeKind = 'stream' | 'poll' | 'ws';
|
|
|
|
|
|
|
|
|
|
export interface BridgeAuthInput {
|
|
|
|
|
crypto: CryptoProvider;
|
|
|
|
|
signingPrivateKey: Uint8Array;
|
|
|
|
|
address: string;
|
|
|
|
|
kind: BridgeKind;
|
|
|
|
|
since: number;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns the URLSearchParams that must be appended to the bridge URL
|
|
|
|
|
* (`/v1/bridge/stream`, `/v1/bridge/poll`, `/v1/bridge/ws`). The same shape
|
|
|
|
|
* is consumed by `verifyBridgeAuth` on the server side.
|
|
|
|
|
*/
|
|
|
|
|
export async function signBridgeQuery(input: BridgeAuthInput): Promise<URLSearchParams> {
|
|
|
|
|
const signed = await signPayload(input.crypto, input.signingPrivateKey, {
|
|
|
|
|
address: input.address,
|
|
|
|
|
kind: input.kind,
|
|
|
|
|
since: input.since,
|
|
|
|
|
});
|
|
|
|
|
const qs = new URLSearchParams();
|
|
|
|
|
qs.set('address', input.address);
|
|
|
|
|
qs.set('kind', input.kind);
|
|
|
|
|
qs.set('since', String(input.since));
|
|
|
|
|
qs.set('signedAt', String(signed.signedAt));
|
|
|
|
|
qs.set('signature', signed.signature);
|
|
|
|
|
return qs;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function bridgeQueryToCanonical(qs: URLSearchParams): {
|
|
|
|
|
address: string;
|
|
|
|
|
kind: BridgeKind;
|
|
|
|
|
since: number;
|
|
|
|
|
signedAt: number;
|
|
|
|
|
signature: string;
|
|
|
|
|
} | null {
|
|
|
|
|
const address = qs.get('address');
|
|
|
|
|
const kind = qs.get('kind') as BridgeKind | null;
|
|
|
|
|
const sinceStr = qs.get('since');
|
|
|
|
|
const signedAtStr = qs.get('signedAt');
|
|
|
|
|
const signature = qs.get('signature');
|
|
|
|
|
if (!address || !kind || sinceStr === null || !signedAtStr || !signature) return null;
|
|
|
|
|
if (kind !== 'stream' && kind !== 'poll' && kind !== 'ws') return null;
|
|
|
|
|
const since = Number(sinceStr);
|
|
|
|
|
const signedAt = Number(signedAtStr);
|
|
|
|
|
if (!Number.isFinite(since) || since < 0) return null;
|
|
|
|
|
if (!Number.isFinite(signedAt)) return null;
|
|
|
|
|
return { address, kind, since, signedAt, signature };
|
|
|
|
|
}
|
release(v4.7.0): peer-presence events for instant BroadcastChannel revoke
Adds the bridge-connection-lifecycle signal that closes Prism's
~45s revoke window down to one server→client round-trip (~50ms).
Server (`@shade/inbox-server`):
- `inbox.peer_connected` / `inbox.peer_disconnected` events on the
0↔1 boundary across WS + SSE bridges. Long-poll deliberately not
tracked (every poll boundary would flap; push transports are also
the only ones where instant revoke matters).
- `PresenceTracker` collapses two parallel bridges (e.g. WS + SSE
during fallback handover) into one connect/disconnect pair.
- `GET /v1/bridge/presence` SSE endpoint: signed query with
`kind: 'presence'`, `watched: string[]`; on open streams a
per-address snapshot, then change frames filtered server-side.
MAX_WATCHED_ADDRESSES = 64. Subscribing does not itself count as
a peer-bridge connection.
- `createBridgeRoutes` now returns `{ app, websocket, presence }`.
Client (`@shade/transport-bridge`):
- `PresenceBridge.subscribe({ watch, onPresenceChange })` →
`{ addPeer, removePeer, watching, unsubscribe }`. addPeer/removePeer
mutate via reconnect with a fresh signed query.
- `signPresenceQuery` helper for non-PresenceBridge consumers.
Tests cover all four acceptance criteria from the Prism request:
server-event smoke, online→offline subscription, address scoping
(carol invisible to a [alice]-only sub), reconnect, plus an
addPeer/removePeer regression.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 23:16:35 +02:00
|
|
|
|
|
|
|
|
// ─── V4.7 — presence subscription auth ────────────────────────────
|
|
|
|
|
|
|
|
|
|
export interface PresenceAuthInput {
|
|
|
|
|
crypto: CryptoProvider;
|
|
|
|
|
signingPrivateKey: Uint8Array;
|
|
|
|
|
/** The watcher's own address (signer of the request). */
|
|
|
|
|
address: string;
|
|
|
|
|
/** Addresses to subscribe presence updates for. May be empty. */
|
|
|
|
|
watched: readonly string[];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Build the signed query string for `GET /v1/bridge/presence`. The
|
|
|
|
|
* `kind: 'presence'` field is bound into the canonical payload to
|
|
|
|
|
* prevent cross-endpoint replay against `/v1/bridge/{stream,poll,ws}`.
|
|
|
|
|
*
|
|
|
|
|
* The `watched` array is sorted to give the signed bytes a canonical
|
|
|
|
|
* order; the wire form encodes it as a single comma-separated
|
|
|
|
|
* `watched=` parameter (address syntax disallows `,`).
|
|
|
|
|
*/
|
|
|
|
|
export async function signPresenceQuery(input: PresenceAuthInput): Promise<URLSearchParams> {
|
|
|
|
|
const watched = [...input.watched].sort();
|
|
|
|
|
const signed = await signPayload(input.crypto, input.signingPrivateKey, {
|
|
|
|
|
address: input.address,
|
|
|
|
|
kind: 'presence',
|
|
|
|
|
watched,
|
|
|
|
|
});
|
|
|
|
|
const qs = new URLSearchParams();
|
|
|
|
|
qs.set('address', input.address);
|
|
|
|
|
qs.set('kind', 'presence');
|
|
|
|
|
qs.set('watched', watched.join(','));
|
|
|
|
|
qs.set('signedAt', String(signed.signedAt));
|
|
|
|
|
qs.set('signature', signed.signature);
|
|
|
|
|
return qs;
|
|
|
|
|
}
|