packages/shade-streams/tests/tamper.test.ts

import { describe, test, expect } from 'bun:test';
import { SubtleCryptoProvider } from '@shade/crypto-web';
import { decodeStreamChunk, encodeStreamChunk } from '@shade/proto';
import {
  StreamSender,
  StreamReceiver,
  StreamDecryptionError,
  StreamProtocolError,
  generateStreamId,
  generateStreamSecret,
} from '../src/index.js';

const crypto = new SubtleCryptoProvider();

async function pair() {
  const streamId = generateStreamId(crypto);
  const streamSecret = generateStreamSecret(crypto);
  const sender = await StreamSender.create({ crypto, streamId, streamSecret, laneId: 0 });
  const receiver = await StreamReceiver.create({ crypto, streamId, streamSecret, laneId: 0 });
  return { sender, receiver };
}

describe('Tamper detection', () => {
  test('flipping a ciphertext byte → StreamDecryptionError', async () => {
    const { sender, receiver } = await pair();
    const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);
    const env = decodeStreamChunk(bytes);
    env.ciphertext[0] ^= 0x01;
    const reencoded = encodeStreamChunk(env);
    await expect(receiver.decryptChunk(reencoded)).rejects.toThrow(StreamDecryptionError);
  });

  test('flipping the AEAD tag → StreamDecryptionError', async () => {
    const { sender, receiver } = await pair();
    const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);
    const env = decodeStreamChunk(bytes);
    env.ciphertext[env.ciphertext.length - 1] ^= 0x80;
    await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(
      StreamDecryptionError,
    );
  });

  test('tampering with isLast flag → StreamDecryptionError (AAD mismatch)', async () => {
    const { sender, receiver } = await pair();
    const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);
    const env = decodeStreamChunk(bytes);
    env.isLast = true;
    await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(
      StreamDecryptionError,
    );
  });

  test('tampering with the wire nonce → StreamProtocolError (deterministic check)', async () => {
    const { sender, receiver } = await pair();
    const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);
    const env = decodeStreamChunk(bytes);
    env.nonce[0] ^= 0x01;
    await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(
      StreamProtocolError,
    );
  });

  test('tampering with streamId → StreamProtocolError', async () => {
    const { sender, receiver } = await pair();
    const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);
    const env = decodeStreamChunk(bytes);
    env.streamId[0] ^= 0xff;
    await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(
      StreamProtocolError,
    );
  });

  test('routing a chunk to wrong-lane receiver → StreamProtocolError', async () => {
    const streamId = generateStreamId(crypto);
    const streamSecret = generateStreamSecret(crypto);
    const sender0 = await StreamSender.create({ crypto, streamId, streamSecret, laneId: 0 });
    const receiver1 = await StreamReceiver.create({ crypto, streamId, streamSecret, laneId: 1 });
    const { bytes } = await sender0.encryptChunk(new TextEncoder().encode('payload'), false);
    await expect(receiver1.decryptChunk(bytes)).rejects.toThrow(StreamProtocolError);
  });

  test('non-empty AAD on wire → StreamProtocolError (reserved in v0.2.0)', async () => {
    const { sender, receiver } = await pair();
    const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);
    const env = decodeStreamChunk(bytes);
    env.aad = new Uint8Array([1, 2, 3]);
    await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(
      StreamProtocolError,
    );
  });

  test('different streamSecret → StreamDecryptionError', async () => {
    const streamId = generateStreamId(crypto);
    const sender = await StreamSender.create({
      crypto,
      streamId,
      streamSecret: new Uint8Array(32).fill(1),
      laneId: 0,
    });
    const receiver = await StreamReceiver.create({
      crypto,
      streamId,
      streamSecret: new Uint8Array(32).fill(2),
      laneId: 0,
    });
    const { bytes } = await sender.encryptChunk(new TextEncoder().encode('hi'), false);
    await expect(receiver.decryptChunk(bytes)).rejects.toThrow(StreamDecryptionError);
  });
});
feat(files): @shade/files 0.3.0 — E2EE filesystem RPC primitive M-Files-1..6 land the full files-RPC layer + everything 0.3.0 needs to ship. Apps keep their own UI; this layer ships the typed RPC, the streams bridge for content I/O, and production hooks (rate limit, retention, fingerprint gate, metrics). @shade/files (NEW) - Standard ops: list/stat/mkdir/delete/move/read/write/getThumbnail with Zod-validated wire schemas + clean user-handler types. - Custom ops: typed via TypeScript declaration merging on CustomOpsMap + per-op Zod schemas; client.custom('app.foo', {...}) is fully typed. - Content I/O: inline (≤ 256 KiB plaintext) base64-in-RPC; streams (> 256 KiB) ride @shade/transfer via userMetadata.shadeFilesWriteId / shadeFilesReadStreamId correlation. Server-side TransformStream bridges accept inbound transfers immediately (engine rejects chunks that arrive before accept) and park the readable for the matching RPC. - Directory ops: walk(path, opts) async-iterable depth-first walker; uploadDirectory()/downloadDirectory() with bounded concurrency pool (default 4, cap 16), aggregated progress, abort. - Production hooks (callback-based, vendor-neutral): rate-limit (op + byte), idempotency cache (LRU + TTL + in-flight de-dupe), path policy (traversal + percent-decode hardening), fingerprint gate (required/optional/reject), pluggable Ed25519 sig verification with ±5 min replay window, onMetric sink (standard names). - React hooks (subpath @shade/files/react): ShadeFilesProvider, useShadeFiles, useFileList, useFileTransfer/Upload/Download. - Shade.files.serve(handler) + Shade.files.client(peer) high-level entrypoint in @shade/sdk; lazy + memoized; one handler per Shade. Wire format bump - @shade/proto wire VERSION 0x01 → 0x02. Length prefixes changed from u16 to u32. The previous u16 silently truncated payloads above 64 KiB — a hard correctness ceiling that blocked inline file ops up to 256 KiB. Wire-incompatible with 0.2.x peers; new sessions only. Cross-platform Kotlin port (android/shade-android) updated to match; test-vectors/wire-format.json regenerated. Concurrency safety - ShadeSessionManager.encrypt/.decrypt now run under per-peer mutex. Concurrent decryptions of the same peer raced ratchet state (manifested as sporadic "Failed to decrypt — wrong key or tampered data" under load — surfaced once concurrent uploadDirectory pumped many writes in flight). Encrypt was already serialized via Shade.send's encryptChains; decrypt is now serialized at the manager layer too. @shade/streams extension - StreamMetadata.userMetadata?: Record<string, string> for application-level key/value pairs that round-trip verbatim through stream-init plaintext. Used by @shade/files for write/read correlation; available to any consumer. @shade/sdk extension - Shade.files getter (lazy + memoized). - BackgroundHooks.onPruneFiles + periodic timer (default 5 min) + BackgroundTasks.setHook(name, fn) for runtime hook registration. Bundles in-flight 0.2.0 work - packages/shade-streams/, packages/shade-transfer/, related shade-sdk streams-bridge + shade-widgets transfer hooks were uncommitted prior to this session. Including them keeps the workspace consistent at 0.3.0 since @shade/files depends on them. Tests - 74 new tests in @shade/files (572 → 646 workspace pass; 0 fail; 3× stable). Coverage spans unit (inline-threshold + concurrency), integration (read-write inline + streams up to 1 MiB, walk + upload/download directory, custom-op, metrics, SDK namespace end-to-end), and security (tampered-envelope sig verification, replay window, fingerprint gate, rate-limit + quota). Release artifacts - All packages bumped to 0.3.0 via scripts/bump-version.ts. - scripts/publish-all.ts PACKAGES updated with shade-files in topological order (after shade-transfer, before shade-sdk). - bun run publish:dry clean (14 packed, 0 failed). - examples/08-files-browser/ — three-process CLI demo (prekey + Bob server + Alice CLI) covering list/stat/mkdir/delete/upload/download. - docs/files.md — full API + design doc. - CHANGELOG.md 0.3.0 entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-02 14:00:01 +02:00			`import { describe, test, expect } from 'bun:test';`
			`import { SubtleCryptoProvider } from '@shade/crypto-web';`
			`import { decodeStreamChunk, encodeStreamChunk } from '@shade/proto';`
			`import {`
			`StreamSender,`
			`StreamReceiver,`
			`StreamDecryptionError,`
			`StreamProtocolError,`
			`generateStreamId,`
			`generateStreamSecret,`
			`} from '../src/index.js';`

			`const crypto = new SubtleCryptoProvider();`

			`async function pair() {`
			`const streamId = generateStreamId(crypto);`
			`const streamSecret = generateStreamSecret(crypto);`
			`const sender = await StreamSender.create({ crypto, streamId, streamSecret, laneId: 0 });`
			`const receiver = await StreamReceiver.create({ crypto, streamId, streamSecret, laneId: 0 });`
			`return { sender, receiver };`
			`}`

			`describe('Tamper detection', () => {`
			`test('flipping a ciphertext byte → StreamDecryptionError', async () => {`
			`const { sender, receiver } = await pair();`
			`const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);`
			`const env = decodeStreamChunk(bytes);`
			`env.ciphertext[0] ^= 0x01;`
			`const reencoded = encodeStreamChunk(env);`
			`await expect(receiver.decryptChunk(reencoded)).rejects.toThrow(StreamDecryptionError);`
			`});`

			`test('flipping the AEAD tag → StreamDecryptionError', async () => {`
			`const { sender, receiver } = await pair();`
			`const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);`
			`const env = decodeStreamChunk(bytes);`
			`env.ciphertext[env.ciphertext.length - 1] ^= 0x80;`
			`await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(`
			`StreamDecryptionError,`
			`);`
			`});`

			`test('tampering with isLast flag → StreamDecryptionError (AAD mismatch)', async () => {`
			`const { sender, receiver } = await pair();`
			`const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);`
			`const env = decodeStreamChunk(bytes);`
			`env.isLast = true;`
			`await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(`
			`StreamDecryptionError,`
			`);`
			`});`

			`test('tampering with the wire nonce → StreamProtocolError (deterministic check)', async () => {`
			`const { sender, receiver } = await pair();`
			`const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);`
			`const env = decodeStreamChunk(bytes);`
			`env.nonce[0] ^= 0x01;`
			`await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(`
			`StreamProtocolError,`
			`);`
			`});`

			`test('tampering with streamId → StreamProtocolError', async () => {`
			`const { sender, receiver } = await pair();`
			`const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);`
			`const env = decodeStreamChunk(bytes);`
			`env.streamId[0] ^= 0xff;`
			`await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(`
			`StreamProtocolError,`
			`);`
			`});`

			`test('routing a chunk to wrong-lane receiver → StreamProtocolError', async () => {`
			`const streamId = generateStreamId(crypto);`
			`const streamSecret = generateStreamSecret(crypto);`
			`const sender0 = await StreamSender.create({ crypto, streamId, streamSecret, laneId: 0 });`
			`const receiver1 = await StreamReceiver.create({ crypto, streamId, streamSecret, laneId: 1 });`
			`const { bytes } = await sender0.encryptChunk(new TextEncoder().encode('payload'), false);`
			`await expect(receiver1.decryptChunk(bytes)).rejects.toThrow(StreamProtocolError);`
			`});`

			`test('non-empty AAD on wire → StreamProtocolError (reserved in v0.2.0)', async () => {`
			`const { sender, receiver } = await pair();`
			`const { bytes } = await sender.encryptChunk(new TextEncoder().encode('payload'), false);`
			`const env = decodeStreamChunk(bytes);`
			`env.aad = new Uint8Array([1, 2, 3]);`
			`await expect(receiver.decryptChunk(encodeStreamChunk(env))).rejects.toThrow(`
			`StreamProtocolError,`
			`);`
			`});`

			`test('different streamSecret → StreamDecryptionError', async () => {`
			`const streamId = generateStreamId(crypto);`
			`const sender = await StreamSender.create({`
			`crypto,`
			`streamId,`
			`streamSecret: new Uint8Array(32).fill(1),`
			`laneId: 0,`
			`});`
			`const receiver = await StreamReceiver.create({`
			`crypto,`
			`streamId,`
			`streamSecret: new Uint8Array(32).fill(2),`
			`laneId: 0,`
			`});`
			`const { bytes } = await sender.encryptChunk(new TextEncoder().encode('hi'), false);`
			`await expect(receiver.decryptChunk(bytes)).rejects.toThrow(StreamDecryptionError);`
			`});`
			`});`