release(v4.9.0): relay-side encrypted blob primitive + SDK Profile namespace
Ships the Prism FR (encrypted-profile-storage-v4.9.md) as a generic relay-side encrypted blob primitive: deterministically-located, AEAD-sealed blobs keyed by a 32-byte slotId derived client-side via HKDF from the user's master key. Unlocks credential-only bootstrap of new devices into existing E2EE state — no QR, no physical access. Server: BlobStore interface + Memory/Sqlite/Postgres impls, createBlobRoutes for GET/PUT/DELETE /v1/blob/:slotId with TOFU pubkey auth and If-Match CAS (409/412 semantics). Mounted on the same Hono app as the inbox; SHADE_BLOB_PG_URL / SHADE_BLOB_DB_PATH / SHADE_DISABLE_BLOB env-var plumbing in standalone. SDK: createProfileNamespace high-level wrapper (HKDF derivation, random-nonce AEAD seal, slotId-bound AAD) + low-level BlobClient. Cross-platform test vectors in test-vectors/blob-storage.json. New errors: ConflictError (409), PreconditionFailedError (412). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
50
packages/shade-storage-encrypted/tests/blob-vectors.test.ts
Normal file
50
packages/shade-storage-encrypted/tests/blob-vectors.test.ts
Normal file
@@ -0,0 +1,50 @@
|
||||
import { describe, test, expect } from 'bun:test';
|
||||
import { readFileSync } from 'fs';
|
||||
import { join } from 'path';
|
||||
import {
|
||||
deriveBlobSlotId,
|
||||
deriveBlobKey,
|
||||
deriveBlobSigningSeed,
|
||||
} from '../src/crypto/kdf.js';
|
||||
import { ed25519PublicKeyFromSeed } from '@shade/crypto-web';
|
||||
|
||||
function fromHex(s: string): Uint8Array {
|
||||
const out = new Uint8Array(s.length / 2);
|
||||
for (let i = 0; i < out.length; i++) {
|
||||
out[i] = parseInt(s.substr(i * 2, 2), 16);
|
||||
}
|
||||
return out;
|
||||
}
|
||||
|
||||
function toHex(b: Uint8Array): string {
|
||||
let s = '';
|
||||
for (const x of b) s += x.toString(16).padStart(2, '0');
|
||||
return s;
|
||||
}
|
||||
|
||||
describe('V4.9 blob-storage KDF vectors', () => {
|
||||
// Resolve relative to this file, not to cwd, so the test passes
|
||||
// regardless of which directory `bun test` is invoked from.
|
||||
const vectorPath = join(import.meta.dir, '..', '..', '..', 'test-vectors', 'blob-storage.json');
|
||||
const vectors = JSON.parse(readFileSync(vectorPath, 'utf-8')) as {
|
||||
kdf: Array<{
|
||||
masterKey: string;
|
||||
app: string;
|
||||
slotId: string;
|
||||
blobKey: string;
|
||||
signingSeed: string;
|
||||
ownerPubkey: string;
|
||||
}>;
|
||||
};
|
||||
|
||||
for (const v of vectors.kdf) {
|
||||
test(`(master=${v.masterKey.slice(0, 8)}…, app=${v.app})`, () => {
|
||||
const km = fromHex(v.masterKey);
|
||||
expect(toHex(deriveBlobSlotId(km, v.app))).toBe(v.slotId);
|
||||
expect(toHex(deriveBlobKey(km, v.app))).toBe(v.blobKey);
|
||||
const seed = deriveBlobSigningSeed(km, v.app);
|
||||
expect(toHex(seed)).toBe(v.signingSeed);
|
||||
expect(toHex(ed25519PublicKeyFromSeed(seed))).toBe(v.ownerPubkey);
|
||||
});
|
||||
}
|
||||
});
|
||||
Reference in New Issue
Block a user