Stian/Shade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

release(v4.7.0): peer-presence events for instant BroadcastChannel revoke

Browse Source 
Adds the bridge-connection-lifecycle signal that closes Prism's
~45s revoke window down to one server→client round-trip (~50ms).

Server (`@shade/inbox-server`):
- `inbox.peer_connected` / `inbox.peer_disconnected` events on the
  0↔1 boundary across WS + SSE bridges. Long-poll deliberately not
  tracked (every poll boundary would flap; push transports are also
  the only ones where instant revoke matters).
- `PresenceTracker` collapses two parallel bridges (e.g. WS + SSE
  during fallback handover) into one connect/disconnect pair.
- `GET /v1/bridge/presence` SSE endpoint: signed query with
  `kind: 'presence'`, `watched: string[]`; on open streams a
  per-address snapshot, then change frames filtered server-side.
  MAX_WATCHED_ADDRESSES = 64. Subscribing does not itself count as
  a peer-bridge connection.
- `createBridgeRoutes` now returns `{ app, websocket, presence }`.

Client (`@shade/transport-bridge`):
- `PresenceBridge.subscribe({ watch, onPresenceChange })` →
  `{ addPeer, removePeer, watching, unsubscribe }`. addPeer/removePeer
  mutate via reconnect with a fresh signed query.
- `signPresenceQuery` helper for non-PresenceBridge consumers.

Tests cover all four acceptance criteria from the Prism request:
server-event smoke, online→offline subscription, address scoping
(carol invisible to a [alice]-only sub), reconnect, plus an
addPeer/removePeer regression.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sterister
2026-05-07 23:16:35 +02:00
parent 8746571d2a
commit 594992a183
34 changed files with 1042 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
packages/shade-transport-bridge/src/auth.ts
View File

@@ -62,3 +62,39 @@ export function bridgeQueryToCanonical(qs: URLSearchParams): {
if (!Number.isFinite(signedAt)) return null;
return { address, kind, since, signedAt, signature };
}
// ─── V4.7 — presence subscription auth ────────────────────────────
export interface PresenceAuthInput {
crypto: CryptoProvider;
signingPrivateKey: Uint8Array;
/** The watcher's own address (signer of the request). */
address: string;
/** Addresses to subscribe presence updates for. May be empty. */
watched: readonly string[];
}
/**
* Build the signed query string for `GET /v1/bridge/presence`. The
* `kind: 'presence'` field is bound into the canonical payload to
* prevent cross-endpoint replay against `/v1/bridge/{stream,poll,ws}`.
*
* The `watched` array is sorted to give the signed bytes a canonical
* order; the wire form encodes it as a single comma-separated
* `watched=` parameter (address syntax disallows `,`).
*/
export async function signPresenceQuery(input: PresenceAuthInput): Promise<URLSearchParams> {
const watched = [...input.watched].sort();
const signed = await signPayload(input.crypto, input.signingPrivateKey, {
address: input.address,
kind: 'presence',
watched,
});
const qs = new URLSearchParams();
qs.set('address', input.address);
qs.set('kind', 'presence');
qs.set('watched', watched.join(','));
qs.set('signedAt', String(signed.signedAt));
qs.set('signature', signed.signature);
return qs;
}