feat: Shade E2EE library — M1-M3 complete

Signal Protocol implementation with full X3DH + Double Ratchet:

- M1: Core types, CryptoProvider interface, KDF chain functions,
  SubtleCrypto+noble/curves provider, MemoryStorage
- M2: X3DH key agreement (identity keys, signed prekeys, one-time
  prekeys, bundle processing for both initiator and responder)
- M3: Double Ratchet (symmetric-key ratchet, DH ratchet, skipped
  message key cache, out-of-order delivery, AAD-bound headers)

68 tests, 0 failures — including full integration test of
X3DH handshake → Double Ratchet conversation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/shade-crypto-web/src/index.ts

@@ -0,0 +1,2 @@
+export { SubtleCryptoProvider } from './provider.js';
+export { MemoryStorage } from './memory-storage.js';

packages/shade-crypto-web/src/memory-storage.ts

@@ -0,0 +1,98 @@
+import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState } from '@shade/core';
+
+/**
+ * In-memory StorageProvider for testing and embedded use.
+ * All data is lost when the instance is garbage collected.
+ */
+export class MemoryStorage implements StorageProvider {
+  private identityKeyPair: IdentityKeyPair | null = null;
+  private registrationId: number = 0;
+  private signedPreKeys = new Map<number, SignedPreKey>();
+  private oneTimePreKeys = new Map<number, OneTimePreKey>();
+  private sessions = new Map<string, SessionState>();
+  private trustedIdentities = new Map<string, Uint8Array>();
+
+  // ─── Identity ──────────────────────────────────────────────
+
+  async getIdentityKeyPair(): Promise<IdentityKeyPair | null> {
+    return this.identityKeyPair;
+  }
+
+  async saveIdentityKeyPair(keyPair: IdentityKeyPair): Promise<void> {
+    this.identityKeyPair = keyPair;
+  }
+
+  async getLocalRegistrationId(): Promise<number> {
+    return this.registrationId;
+  }
+
+  async saveLocalRegistrationId(id: number): Promise<void> {
+    this.registrationId = id;
+  }
+
+  // ─── Signed Pre-Keys ──────────────────────────────────────
+
+  async getSignedPreKey(keyId: number): Promise<SignedPreKey | null> {
+    return this.signedPreKeys.get(keyId) ?? null;
+  }
+
+  async saveSignedPreKey(key: SignedPreKey): Promise<void> {
+    this.signedPreKeys.set(key.keyId, key);
+  }
+
+  async removeSignedPreKey(keyId: number): Promise<void> {
+    this.signedPreKeys.delete(keyId);
+  }
+
+  // ─── One-Time Pre-Keys ────────────────────────────────────
+
+  async getOneTimePreKey(keyId: number): Promise<OneTimePreKey | null> {
+    return this.oneTimePreKeys.get(keyId) ?? null;
+  }
+
+  async saveOneTimePreKey(key: OneTimePreKey): Promise<void> {
+    this.oneTimePreKeys.set(key.keyId, key);
+  }
+
+  async removeOneTimePreKey(keyId: number): Promise<void> {
+    this.oneTimePreKeys.delete(keyId);
+  }
+
+  async getOneTimePreKeyCount(): Promise<number> {
+    return this.oneTimePreKeys.size;
+  }
+
+  // ─── Sessions ─────────────────────────────────────────────
+
+  async getSession(address: string): Promise<SessionState | null> {
+    return this.sessions.get(address) ?? null;
+  }
+
+  async saveSession(address: string, state: SessionState): Promise<void> {
+    this.sessions.set(address, state);
+  }
+
+  async removeSession(address: string): Promise<void> {
+    this.sessions.delete(address);
+  }
+
+  // ─── Trust ────────────────────────────────────────────────
+
+  async isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean> {
+    const stored = this.trustedIdentities.get(address);
+    if (!stored) return true; // TOFU: trust on first use
+    return arraysEqual(stored, identityKey);
+  }
+
+  async saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void> {
+    this.trustedIdentities.set(address, identityKey);
+  }
+}
+
+function arraysEqual(a: Uint8Array, b: Uint8Array): boolean {
+  if (a.length !== b.length) return false;
+  for (let i = 0; i < a.length; i++) {
+    if (a[i] !== b[i]) return false;
+  }
+  return true;
+}

packages/shade-crypto-web/src/provider.ts

@@ -0,0 +1,118 @@
+import type { CryptoProvider } from '@shade/core';
+import { x25519 } from '@noble/curves/ed25519.js';
+import { ed25519 } from '@noble/curves/ed25519.js';
+
+/**
+ * SubtleCrypto + noble/curves implementation of CryptoProvider.
+ *
+ * Uses @noble/curves for X25519 and Ed25519 (reliable across all runtimes)
+ * and Web Crypto API for AES-256-GCM, HKDF, and HMAC (hardware-accelerated).
+ */
+export class SubtleCryptoProvider implements CryptoProvider {
+  private readonly subtle: SubtleCrypto;
+
+  constructor(subtle?: SubtleCrypto) {
+    this.subtle = subtle ?? globalThis.crypto.subtle;
+  }
+
+  // ─── X25519 (via @noble/curves) ────────────────────────────
+
+  async generateX25519KeyPair(): Promise<{ publicKey: Uint8Array; privateKey: Uint8Array }> {
+    const privateKey = this.randomBytes(32);
+    const publicKey = x25519.getPublicKey(privateKey);
+    return { publicKey, privateKey };
+  }
+
+  async x25519(privateKey: Uint8Array, publicKey: Uint8Array): Promise<Uint8Array> {
+    return x25519.getSharedSecret(privateKey, publicKey);
+  }
+
+  // ─── Ed25519 (via @noble/curves) ───────────────────────────
+
+  async generateEd25519KeyPair(): Promise<{ publicKey: Uint8Array; privateKey: Uint8Array }> {
+    const privateKey = this.randomBytes(32);
+    const publicKey = ed25519.getPublicKey(privateKey);
+    return { publicKey, privateKey };
+  }
+
+  async sign(privateKey: Uint8Array, message: Uint8Array): Promise<Uint8Array> {
+    return ed25519.sign(message, privateKey);
+  }
+
+  async verify(publicKey: Uint8Array, message: Uint8Array, signature: Uint8Array): Promise<boolean> {
+    try {
+      return ed25519.verify(signature, message, publicKey);
+    } catch {
+      return false;
+    }
+  }
+
+  // ─── AES-256-GCM (via SubtleCrypto) ───────────────────────
+
+  async aesGcmEncrypt(
+    key: Uint8Array,
+    plaintext: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<{ ciphertext: Uint8Array; nonce: Uint8Array }> {
+    const nonce = this.randomBytes(12);
+    const aesKey = await this.subtle.importKey('raw', key, 'AES-GCM', false, ['encrypt']);
+    const encrypted = await this.subtle.encrypt(
+      { name: 'AES-GCM', iv: nonce, additionalData: aad },
+      aesKey,
+      plaintext,
+    );
+    return { ciphertext: new Uint8Array(encrypted), nonce };
+  }
+
+  async aesGcmDecrypt(
+    key: Uint8Array,
+    ciphertext: Uint8Array,
+    nonce: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<Uint8Array> {
+    const aesKey = await this.subtle.importKey('raw', key, 'AES-GCM', false, ['decrypt']);
+    const decrypted = await this.subtle.decrypt(
+      { name: 'AES-GCM', iv: nonce, additionalData: aad },
+      aesKey,
+      ciphertext,
+    );
+    return new Uint8Array(decrypted);
+  }
+
+  // ─── Key Derivation (via SubtleCrypto) ─────────────────────
+
+  async hkdf(
+    ikm: Uint8Array,
+    salt: Uint8Array,
+    info: Uint8Array,
+    length: number,
+  ): Promise<Uint8Array> {
+    const baseKey = await this.subtle.importKey('raw', ikm, 'HKDF', false, ['deriveBits']);
+    const bits = await this.subtle.deriveBits(
+      { name: 'HKDF', hash: 'SHA-256', salt, info },
+      baseKey,
+      length * 8,
+    );
+    return new Uint8Array(bits);
+  }
+
+  async hmacSha256(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {
+    const hmacKey = await this.subtle.importKey(
+      'raw',
+      key,
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['sign'],
+    );
+    const sig = await this.subtle.sign('HMAC', hmacKey, data);
+    return new Uint8Array(sig);
+  }
+
+  // ─── Random ────────────────────────────────────────────────
+
+  randomBytes(length: number): Uint8Array {
+    const buf = new Uint8Array(length);
+    globalThis.crypto.getRandomValues(buf);
+    return buf;
+  }
+}