release(v4.0.0): Shade GA — V3.x consolidation + audit prep

V3.1 → V3.12 consolidated and tagged for the first GA release. Wire format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers byte-for-byte. The version bump is semantic: audit-cycle complete, opt-in surface fully exposed, threat model refreshed for every new surface. Highlights: - All 24 @shade/* packages bumped to 4.0.0 in lockstep. - CHANGELOG 4.0.0 section is the canonical manifest of what landed. - THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12 Web-Worker boundary) + residual-risks table refreshed. - OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox, bridge, observer, /metrics, /healthz, /ready. - MIGRATION 0.3.x → 4.0 documented + smoke-tested against shade migrate-storage on a real SQLite DB. - docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer. - scripts/soak.ts harness for the GA-stable 2-week soak window. - All V*.md plans archived under docs/archive/ with Status: Done. - Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen non-realtime stack. Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green. Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports version 4.0.0 on /health. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 18:35:35 +02:00
parent 8b055912b7
commit e6fdf31b49
298 changed files with 37909 additions and 256 deletions
--- a/packages/shade-key-transparency/tests/manager.test.ts
+++ b/packages/shade-key-transparency/tests/manager.test.ts
@@ -0,0 +1,223 @@
+import { describe, expect, test } from 'bun:test';
+import { SubtleCryptoProvider } from '@shade/crypto-web';
+import {
+  KTLogManager,
+  MemoryKTLogStore,
+  computeBundleHash,
+  ktProofFromWire,
+  ktProofToWire,
+  verifyBundleAbsence,
+  verifyBundleInclusion,
+  verifyBundleTombstone,
+} from '../src/index.js';
+import { KTSplitViewError, KTVerificationError } from '../src/errors.js';
+
+const crypto = new SubtleCryptoProvider();
+
+async function makeManager() {
+  const kp = await crypto.generateEd25519KeyPair();
+  const store = new MemoryKTLogStore();
+  const mgr = await KTLogManager.create({
+    crypto,
+    store,
+    signingPrivateKey: kp.privateKey,
+    signingPublicKey: kp.publicKey,
+  });
+  return { mgr, kp, store };
+}
+
+function fakeBundle(seed: number) {
+  return {
+    identitySigningKey: new Uint8Array(32).fill(seed),
+    identityDHKey: new Uint8Array(32).fill(seed + 1),
+    signedPreKey: {
+      keyId: 1,
+      publicKey: new Uint8Array(32).fill(seed + 2),
+      signature: new Uint8Array(64).fill(seed + 3),
+    },
+  };
+}
+
+describe('KTLogManager — happy paths', () => {
+  test('register + buildBundleInclusionProof + verify', async () => {
+    const { mgr, kp } = await makeManager();
+    const bundle = fakeBundle(0x10);
+    const bundleHash = computeBundleHash(bundle);
+    await mgr.recordRegister('alice', bundleHash);
+    const sth = await mgr.publishSTH();
+
+    const proof = await mgr.buildBundleInclusionProof('alice', sth);
+    expect(proof).not.toBeNull();
+    expect(proof!.body.kind).toBe('inclusion');
+
+    const verified = await verifyBundleInclusion(
+      { crypto, logPublicKey: kp.publicKey },
+      'alice',
+      bundle,
+      proof!,
+    );
+    expect(verified.treeSize).toBe(1);
+  });
+
+  test('absence proof for unknown address verifies', async () => {
+    const { mgr, kp } = await makeManager();
+    await mgr.recordRegister('alice', computeBundleHash(fakeBundle(0x10)));
+    const sth = await mgr.publishSTH();
+    const proof = mgr.buildBundleAbsenceProof('zeta', sth);
+    expect(proof).not.toBeNull();
+    expect(proof!.body.kind).toBe('absence');
+    await verifyBundleAbsence({ crypto, logPublicKey: kp.publicKey }, 'zeta', proof!);
+  });
+
+  test('tombstone proof verifies after delete', async () => {
+    const { mgr, kp } = await makeManager();
+    await mgr.recordRegister('alice', computeBundleHash(fakeBundle(0x10)));
+    await mgr.recordDelete('alice');
+    const sth = await mgr.publishSTH();
+    const proof = await mgr.buildBundleInclusionProof('alice', sth);
+    expect(proof!.body.kind).toBe('tombstone');
+    const verified = await verifyBundleTombstone(
+      { crypto, logPublicKey: kp.publicKey },
+      'alice',
+      proof!,
+    );
+    expect(verified.treeSize).toBe(2);
+  });
+
+  test('multiple addresses + STH at increasing tree sizes', async () => {
+    const { mgr, kp } = await makeManager();
+    const aliceBundle = fakeBundle(0x10);
+    const bobBundle = fakeBundle(0x20);
+    await mgr.recordRegister('alice', computeBundleHash(aliceBundle));
+    await mgr.recordRegister('bob', computeBundleHash(bobBundle));
+    const sth = await mgr.publishSTH();
+    expect(sth.treeSize).toBe(2);
+
+    const proofAlice = await mgr.buildBundleInclusionProof('alice', sth);
+    const proofBob = await mgr.buildBundleInclusionProof('bob', sth);
+    await verifyBundleInclusion(
+      { crypto, logPublicKey: kp.publicKey },
+      'alice',
+      aliceBundle,
+      proofAlice!,
+    );
+    await verifyBundleInclusion(
+      { crypto, logPublicKey: kp.publicKey },
+      'bob',
+      bobBundle,
+      proofBob!,
+    );
+  });
+
+  test('rotation: new register replaces old', async () => {
+    const { mgr, kp } = await makeManager();
+    const v1 = fakeBundle(0x10);
+    const v2 = fakeBundle(0x55);
+    await mgr.recordRegister('alice', computeBundleHash(v1));
+    await mgr.recordRegister('alice', computeBundleHash(v2));
+    const sth = await mgr.publishSTH();
+    const proof = await mgr.buildBundleInclusionProof('alice', sth);
+    // Latest is v2; verifying with v1's bundle should fail.
+    await expect(
+      verifyBundleInclusion({ crypto, logPublicKey: kp.publicKey }, 'alice', v1, proof!),
+    ).rejects.toBeInstanceOf(KTVerificationError);
+    await verifyBundleInclusion(
+      { crypto, logPublicKey: kp.publicKey },
+      'alice',
+      v2,
+      proof!,
+    );
+  });
+});
+
+describe('KTLogManager — wire encoding roundtrip', () => {
+  test('inclusion proof survives wire roundtrip', async () => {
+    const { mgr, kp } = await makeManager();
+    const bundle = fakeBundle(0x42);
+    await mgr.recordRegister('alice', computeBundleHash(bundle));
+    const sth = await mgr.publishSTH();
+    const proof = await mgr.buildBundleInclusionProof('alice', sth);
+
+    const wire = ktProofToWire(proof!);
+    const json = JSON.stringify(wire);
+    const back = ktProofFromWire(JSON.parse(json));
+    await verifyBundleInclusion(
+      { crypto, logPublicKey: kp.publicKey },
+      'alice',
+      bundle,
+      back,
+    );
+  });
+});
+
+describe('Tampering detection', () => {
+  test('forged bundle (different signing key) is rejected', async () => {
+    const { mgr, kp } = await makeManager();
+    const real = fakeBundle(0x10);
+    await mgr.recordRegister('alice', computeBundleHash(real));
+    const sth = await mgr.publishSTH();
+    const proof = await mgr.buildBundleInclusionProof('alice', sth);
+
+    const forged = { ...real, identitySigningKey: new Uint8Array(32).fill(0xff) };
+    await expect(
+      verifyBundleInclusion({ crypto, logPublicKey: kp.publicKey }, 'alice', forged, proof!),
+    ).rejects.toBeInstanceOf(KTVerificationError);
+  });
+
+  test('proof for alice cannot be re-used for bob (address mismatch)', async () => {
+    const { mgr, kp } = await makeManager();
+    const aliceBundle = fakeBundle(0x10);
+    await mgr.recordRegister('alice', computeBundleHash(aliceBundle));
+    const sth = await mgr.publishSTH();
+    const proof = await mgr.buildBundleInclusionProof('alice', sth);
+    await expect(
+      verifyBundleInclusion(
+        { crypto, logPublicKey: kp.publicKey },
+        'bob',
+        aliceBundle,
+        proof!,
+      ),
+    ).rejects.toBeInstanceOf(KTVerificationError);
+  });
+
+  test('split-view: same tree_size with different roots is detected by witness', async () => {
+    const { mgr, kp } = await makeManager();
+    const bundle = fakeBundle(0x10);
+    await mgr.recordRegister('alice', computeBundleHash(bundle));
+    const sth = await mgr.publishSTH();
+    // Forge a *different* STH at the same tree_size — pretend the server
+    // signed two divergent versions.
+    const sth2 = await mgr.publishSTH();
+    expect(sth2.treeSize).toBe(sth.treeSize);
+
+    // To simulate a conflicting STH, sign one with a tampered root_hash.
+    const tampered = { ...sth, rootHash: new Uint8Array(sth.rootHash) };
+    tampered.rootHash[0] ^= 0xff;
+    // Re-sign with the same key so it would individually verify…
+    const forged = await (await import('../src/sth.js')).signSth(crypto, kp.privateKey, {
+      treeSize: tampered.treeSize,
+      timestampMs: tampered.timestampMs,
+      rootHash: tampered.rootHash,
+      indexRoot: tampered.indexRoot,
+      logId: tampered.logId,
+    });
+
+    const { LightWitness } = await import('../src/witness.js');
+    const witness = new LightWitness({
+      crypto,
+      logPublicKey: kp.publicKey,
+      fetcher: {
+        async fetchLatestSTH() {
+          return (await import('../src/sth.js')).sthToWire(sth, (b) =>
+            Buffer.from(b).toString('base64'),
+          );
+        },
+        async fetchConsistencyProof() {
+          return { proof: [] };
+        },
+      },
+    });
+    await witness.observe(sth);
+    await expect(witness.observe(forged)).rejects.toBeInstanceOf(KTSplitViewError);
+  });
+});