feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation

M-Hard 1: Cryptographic Hardening
- constantTimeEqual, zeroize, randomUint32 on CryptoProvider
- Fix Math.random() → crypto.randomUint32() for registrationId
- Zero message keys and chain keys after use in ratchet.ts
- Constant-time trust comparison in MemoryStorage + SQLiteStorage
- Timing variance test catches early-exit regressions

M-Hard 2: Self-Authenticated Prekey Server
- Ed25519 signature verification on all write routes
- signPayload/verifyPayload with canonical JSON, ±5 min replay window
- Address validation (NFKC, alphanumeric + :_-.)
- Global ShadeError → HTTP status mapping
- ShadeFetchTransport signs requests when signingPrivateKey provided
- Anonymous bundle fetches still allowed (read-only)

M-Hard 3: Rate Limiting + DoS Protection
- Token bucket rate limiter with pluggable store
- Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id
- 64KB body size limit on POST
- Retry-After header on 429 responses

M-Hard 4: Auto-replenish + Fingerprints + Session Reset
- Safety numbers (12 groups × 5 digits, Signal-style)
- ensurePreKeyStock, resetSession, acceptIdentityChange
- verifyRemoteIdentity for out-of-band comparison

M-Hard 5: Identity Rotation with Grace Period
- rotateIdentity archives old identity, generates fresh signed prekey
- RetiredIdentity storage with addRetired/getRetired/pruneRetired
- 7-day default grace period for decrypting old sessions
- pruneExpiredIdentities for cleanup

M-Hard 8: Error Hierarchy
- New error types: Network, Storage, Validation, Timeout, RateLimit,
  Configuration, Unauthorized, Replay, IdentityRotation
- All errors have stable SHADE_* codes
- errorToHttpStatus for consistent HTTP mapping
- toJSON() for network serialization

188 tests passing, zero failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/shade-crypto-web/src/memory-storage.ts

@@ -1,4 +1,5 @@
-import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState } from '@shade/core';
+import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState, RetiredIdentity } from '@shade/core';
+import { constantTimeEqual } from '@shade/core';
 
 /**
  * In-memory StorageProvider for testing and embedded use.
@@ -11,6 +12,7 @@ export class MemoryStorage implements StorageProvider {
   private oneTimePreKeys = new Map<number, OneTimePreKey>();
   private sessions = new Map<string, SessionState>();
   private trustedIdentities = new Map<string, Uint8Array>();
+  private retiredIdentities: RetiredIdentity[] = [];
 
   // ─── Identity ──────────────────────────────────────────────
 
@@ -81,18 +83,24 @@ export class MemoryStorage implements StorageProvider {
   async isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean> {
     const stored = this.trustedIdentities.get(address);
     if (!stored) return true; // TOFU: trust on first use
-    return arraysEqual(stored, identityKey);
+    return constantTimeEqual(stored, identityKey);
   }
 
   async saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void> {
     this.trustedIdentities.set(address, identityKey);
   }
-}
 
-function arraysEqual(a: Uint8Array, b: Uint8Array): boolean {
-  if (a.length !== b.length) return false;
-  for (let i = 0; i < a.length; i++) {
-    if (a[i] !== b[i]) return false;
+  // ─── Identity History ─────────────────────────────────────
+
+  async addRetiredIdentity(identity: RetiredIdentity): Promise<void> {
+    this.retiredIdentities.push(identity);
+  }
+
+  async getRetiredIdentities(): Promise<RetiredIdentity[]> {
+    return [...this.retiredIdentities];
+  }
+
+  async pruneRetiredIdentities(olderThan: number): Promise<void> {
+    this.retiredIdentities = this.retiredIdentities.filter((r) => r.retiredAt >= olderThan);
   }
-  return true;
 }

packages/shade-crypto-web/src/provider.ts

@@ -115,4 +115,24 @@ export class SubtleCryptoProvider implements CryptoProvider {
     globalThis.crypto.getRandomValues(buf);
     return buf;
   }
+
+  // ─── Hardening ─────────────────────────────────────────────
+
+  constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {
+    if (a.length !== b.length) return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+      diff |= a[i]! ^ b[i]!;
+    }
+    return diff === 0;
+  }
+
+  zeroize(buf: Uint8Array): void {
+    buf.fill(0);
+  }
+
+  randomUint32(): number {
+    const buf = this.randomBytes(4);
+    return new DataView(buf.buffer, buf.byteOffset, 4).getUint32(0, false);
+  }
 }

packages/shade-crypto-web/tests/hardening.test.ts

@@ -0,0 +1,143 @@
+import { describe, test, expect } from 'bun:test';
+import { SubtleCryptoProvider } from '../src/provider.js';
+import { constantTimeEqual } from '@shade/core';
+
+const crypto = new SubtleCryptoProvider();
+
+describe('Cryptographic Hardening', () => {
+  // ─── constantTimeEqual ───────────────────────────────────
+
+  describe('constantTimeEqual', () => {
+    test('equal arrays return true', () => {
+      const a = new Uint8Array([1, 2, 3, 4, 5]);
+      const b = new Uint8Array([1, 2, 3, 4, 5]);
+      expect(crypto.constantTimeEqual(a, b)).toBe(true);
+    });
+
+    test('unequal arrays return false', () => {
+      const a = new Uint8Array([1, 2, 3, 4, 5]);
+      const b = new Uint8Array([1, 2, 3, 4, 6]);
+      expect(crypto.constantTimeEqual(a, b)).toBe(false);
+    });
+
+    test('different lengths return false', () => {
+      const a = new Uint8Array([1, 2, 3]);
+      const b = new Uint8Array([1, 2, 3, 4]);
+      expect(crypto.constantTimeEqual(a, b)).toBe(false);
+    });
+
+    test('empty arrays are equal', () => {
+      expect(crypto.constantTimeEqual(new Uint8Array(0), new Uint8Array(0))).toBe(true);
+    });
+
+    test('works on full 32-byte keys', () => {
+      const k1 = crypto.randomBytes(32);
+      const k2 = new Uint8Array(k1);
+      expect(crypto.constantTimeEqual(k1, k2)).toBe(true);
+
+      k2[31] ^= 0x01;
+      expect(crypto.constantTimeEqual(k1, k2)).toBe(false);
+    });
+
+    test('standalone function gives same result', () => {
+      const a = crypto.randomBytes(32);
+      const b = new Uint8Array(a);
+      expect(constantTimeEqual(a, b)).toBe(true);
+      b[0] ^= 0x01;
+      expect(constantTimeEqual(a, b)).toBe(false);
+    });
+
+    // Statistical timing test — measure variance between mismatch-at-start vs mismatch-at-end
+    // This is noisy on CI but catches obvious early-exit regressions.
+    test('timing variance stays bounded across mismatch positions', () => {
+      const len = 256;
+      const target = crypto.randomBytes(len);
+
+      const mismatchAtStart = new Uint8Array(target);
+      mismatchAtStart[0] ^= 0xff;
+
+      const mismatchAtEnd = new Uint8Array(target);
+      mismatchAtEnd[len - 1] ^= 0xff;
+
+      // Measure many iterations to get a stable signal
+      const iterations = 50000;
+
+      const start1 = performance.now();
+      for (let i = 0; i < iterations; i++) {
+        crypto.constantTimeEqual(target, mismatchAtStart);
+      }
+      const timeStart = performance.now() - start1;
+
+      const start2 = performance.now();
+      for (let i = 0; i < iterations; i++) {
+        crypto.constantTimeEqual(target, mismatchAtEnd);
+      }
+      const timeEnd = performance.now() - start2;
+
+      // With constant-time comparison, these should be very close.
+      // Non-constant-time would show timeEnd >> timeStart (early exit vs full scan).
+      // Allow 2x variance for JIT/noise, but it should never be 10x.
+      const ratio = Math.max(timeStart, timeEnd) / Math.min(timeStart, timeEnd);
+      expect(ratio).toBeLessThan(3);
+    });
+  });
+
+  // ─── zeroize ──────────────────────────────────────────────
+
+  describe('zeroize', () => {
+    test('fills buffer with zeros', () => {
+      const buf = crypto.randomBytes(32);
+      // Make sure it's not already zero
+      const anyNonZero = buf.some((b) => b !== 0);
+      expect(anyNonZero).toBe(true);
+
+      crypto.zeroize(buf);
+      expect(buf.every((b) => b === 0)).toBe(true);
+    });
+
+    test('handles empty buffer', () => {
+      crypto.zeroize(new Uint8Array(0));
+      // Should not throw
+    });
+
+    test('handles large buffer', () => {
+      const buf = crypto.randomBytes(4096);
+      crypto.zeroize(buf);
+      expect(buf.every((b) => b === 0)).toBe(true);
+    });
+  });
+
+  // ─── randomUint32 ─────────────────────────────────────────
+
+  describe('randomUint32', () => {
+    test('returns number in 32-bit unsigned range', () => {
+      for (let i = 0; i < 100; i++) {
+        const n = crypto.randomUint32();
+        expect(n).toBeGreaterThanOrEqual(0);
+        expect(n).toBeLessThanOrEqual(0xffffffff);
+        expect(Number.isInteger(n)).toBe(true);
+      }
+    });
+
+    test('produces different values each call', () => {
+      const values = new Set<number>();
+      for (let i = 0; i < 100; i++) {
+        values.add(crypto.randomUint32());
+      }
+      // With 32 bits, 100 samples should all be unique
+      expect(values.size).toBe(100);
+    });
+
+    test('distribution is not biased toward low values', () => {
+      // Generate many and check that at least some are above 2^31
+      // (would fail if using Math.random() with weird multiplier bugs)
+      let highCount = 0;
+      for (let i = 0; i < 1000; i++) {
+        if (crypto.randomUint32() >= 0x80000000) highCount++;
+      }
+      // Should be around 500, accept 400-600 as "not obviously broken"
+      expect(highCount).toBeGreaterThan(400);
+      expect(highCount).toBeLessThan(600);
+    });
+  });
+});