Stian/Shade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

release(v4.0.0): Shade GA — V3.x consolidation + audit prep
Some checks failed
Test / test (push) Has been cancelled
Details
Cross-platform vectors / TypeScript vectors (bun) (push) Has been cancelled
Details
Cross-platform vectors / Kotlin vectors (gradle) (push) Has been cancelled
Details
Docker build and publish / docker (push) Has been cancelled
Details
Publish / publish (push) Has been cancelled
Details

Browse Source 
V3.1 → V3.12 consolidated and tagged for the first GA release. Wire
format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers
byte-for-byte. The version bump is semantic: audit-cycle complete,
opt-in surface fully exposed, threat model refreshed for every new
surface.

Highlights:
- All 24 @shade/* packages bumped to 4.0.0 in lockstep.
- CHANGELOG 4.0.0 section is the canonical manifest of what landed.
- THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12
  Web-Worker boundary) + residual-risks table refreshed.
- OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox,
  bridge, observer, /metrics, /healthz, /ready.
- MIGRATION 0.3.x → 4.0 documented + smoke-tested against
  shade migrate-storage on a real SQLite DB.
- docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer.
- scripts/soak.ts harness for the GA-stable 2-week soak window.
- All V*.md plans archived under docs/archive/ with Status: Done.
- Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen
  non-realtime stack.

Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green.
Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports
  version 4.0.0 on /health.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sterister
2026-05-03 18:35:35 +02:00
parent 8b055912b7
commit e6fdf31b49
298 changed files with 37909 additions and 256 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/shade-transport/package.json
View File

@@ -1,12 +1,13 @@
{
"name": "@shade/transport",
"version": "0.3.0",
"version": "4.0.0",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
"@shade/key-transparency": "workspace:*",
"@shade/proto": "workspace:*",
"@shade/server": "workspace:*"
}

155
packages/shade-transport/src/fetch-transport.ts
View File

@@ -1,5 +1,18 @@
import type { PreKeyBundle, OneTimePreKey, CryptoProvider } from '@shade/core';
import { NetworkError } from '@shade/core';
import {
type KTProof,
type KTProofWire,
type SignedTreeHead,
ktProofFromWire,
verifyBundleAbsence,
verifyBundleInclusion,
verifyBundleTombstone,
} from '@shade/key-transparency';
import {
KTSplitViewError,
KTVerificationError,
} from '@shade/key-transparency';
/**
* HTTP transport client for the Shade Prekey Server.
@@ -19,17 +32,56 @@ import { NetworkError } from '@shade/core';
* const bundle = await transport.fetchBundle('bob'); // anonymous
* ```
*/
/** Result of a KT-aware bundle fetch. */
export interface FetchBundleResult {
bundle: PreKeyBundle;
/**
* Verified Signed Tree Head when KT was active and the proof verified.
* Callers should feed this into a `LightWitness` for split-view tracking.
*/
ktSth?: SignedTreeHead;
}
/**
* Optional KT verifier callback. When provided to `ShadeFetchTransport`,
* the transport verifies every bundle proof before handing the bundle to
* the SDK. Missing-or-invalid proofs throw `KTVerificationError`.
*
* `mode`:
* - `'observe'` verify proof when present, do not fail when missing.
* - `'observe-strict'` require a proof; throw if absent.
*/
export interface KTVerifierOptions {
mode: 'observe' | 'observe-strict';
logPublicKey: Uint8Array;
/** Inject `now` for tests; defaults to `Date.now()`. */
now?: () => number;
/** Override default 24h freshness. */
maxStaleMs?: number;
/** Optional hook to track every observed STH (e.g. into a LightWitness). */
onObserveSth?: (sth: SignedTreeHead) => void | Promise<void>;
}
export class ShadeFetchTransport {
private readonly baseUrl: string;
private readonly crypto: CryptoProvider;
private readonly signingPrivateKey?: Uint8Array;
private readonly kt?: KTVerifierOptions;
constructor(options: { baseUrl: string; crypto: CryptoProvider; signingPrivateKey?: Uint8Array }) {
constructor(options: {
baseUrl: string;
crypto: CryptoProvider;
signingPrivateKey?: Uint8Array;
keyTransparency?: KTVerifierOptions;
}) {
this.baseUrl = options.baseUrl;
this.crypto = options.crypto;
if (options.signingPrivateKey !== undefined) {
this.signingPrivateKey = options.signingPrivateKey;
}
if (options.keyTransparency !== undefined) {
this.kt = options.keyTransparency;
}
}
private headers(): Record<string, string> {
@@ -89,12 +141,45 @@ export class ShadeFetchTransport {
if (!res.ok) throw new NetworkError(`Register failed: ${res.status}`, res.status);
}
/** Fetch a prekey bundle for a peer (anonymous, consumes one one-time prekey) */
/**
* Fetch a prekey bundle for a peer (anonymous, consumes one one-time prekey).
*
* When the transport was created with `keyTransparency`, this also verifies
* the inclusion proof and (if configured) feeds the STH into the supplied
* `onObserveSth` hook for split-view tracking.
*/
async fetchBundle(address: string): Promise<PreKeyBundle> {
const result = await this.fetchBundleVerified(address);
return result.bundle;
}
/**
* Same as `fetchBundle` but returns the verified STH alongside the bundle
* so callers can wire it into a `LightWitness`. Use this when you want
* direct access to the proof side-channel.
*/
async fetchBundleVerified(address: string): Promise<FetchBundleResult> {
const res = await fetch(`${this.baseUrl}/v1/keys/bundle/${encodeURIComponent(address)}`, {
headers: this.headers(),
});
if (!res.ok) throw new NetworkError(`Fetch bundle failed: ${res.status}`, res.status);
if (!res.ok) {
// KT-aware 404: read the body for an absence/tombstone proof so the
// negative answer is also pinned to a tree state.
if (res.status === 404 && this.kt) {
const body = (await res.json().catch(() => null)) as
| { ktProof?: KTProofWire }
| null;
if (body?.ktProof) {
const proof = ktProofFromWire(body.ktProof);
await this.verifyAbsenceOrTombstone(address, proof);
} else if (this.kt.mode === 'observe-strict') {
throw new KTVerificationError(
`KT-strict: 404 for ${address} but no ktProof in response`,
);
}
}
throw new NetworkError(`Fetch bundle failed: ${res.status}`, res.status);
}
const data = (await res.json()) as {
registrationId?: number;
@@ -102,6 +187,7 @@ export class ShadeFetchTransport {
identityDHKey: string;
signedPreKey: { keyId: number; publicKey: string; signature: string };
oneTimePreKey?: { keyId: number; publicKey: string };
ktProof?: KTProofWire;
};
const bundle: PreKeyBundle = {
registrationId: data.registrationId ?? 0,
@@ -119,7 +205,68 @@ export class ShadeFetchTransport {
publicKey: fromB64(data.oneTimePreKey.publicKey),
};
}
return bundle;
let ktSth: SignedTreeHead | undefined;
if (this.kt) {
if (data.ktProof) {
const proof = ktProofFromWire(data.ktProof);
ktSth = await this.verifyInclusion(address, bundle, proof);
if (this.kt.onObserveSth) await this.kt.onObserveSth(ktSth);
} else if (this.kt.mode === 'observe-strict') {
throw new KTVerificationError(
`KT-strict: bundle for ${address} missing ktProof`,
);
}
}
return ktSth ? { bundle, ktSth } : { bundle };
}
private async verifyInclusion(
address: string,
bundle: PreKeyBundle,
proof: KTProof,
): Promise<SignedTreeHead> {
if (!this.kt) throw new Error('KT verifier not configured');
const opts = {
crypto: this.crypto,
logPublicKey: this.kt.logPublicKey,
...(this.kt.maxStaleMs !== undefined ? { maxStaleMs: this.kt.maxStaleMs } : {}),
...(this.kt.now !== undefined ? { nowMs: this.kt.now() } : {}),
};
if (proof.body.kind === 'inclusion') {
return verifyBundleInclusion(opts, address, bundle, proof);
}
if (proof.body.kind === 'tombstone') {
// A tombstone proof on a 200 response would mean the server delivered
// a deleted address — this is malicious.
throw new KTVerificationError(`server returned tombstoned bundle for ${address}`);
}
if (proof.body.kind === 'absence') {
throw new KTVerificationError(`server returned bundle but absence proof for ${address}`);
}
throw new KTSplitViewError(`unknown proof kind`);
}
private async verifyAbsenceOrTombstone(address: string, proof: KTProof): Promise<void> {
if (!this.kt) return;
const opts = {
crypto: this.crypto,
logPublicKey: this.kt.logPublicKey,
...(this.kt.maxStaleMs !== undefined ? { maxStaleMs: this.kt.maxStaleMs } : {}),
...(this.kt.now !== undefined ? { nowMs: this.kt.now() } : {}),
};
let sth: SignedTreeHead;
if (proof.body.kind === 'absence') {
sth = await verifyBundleAbsence(opts, address, proof);
} else if (proof.body.kind === 'tombstone') {
sth = await verifyBundleTombstone(opts, address, proof);
} else {
throw new KTVerificationError(
`404 with non-absence/non-tombstone proof for ${address}`,
);
}
if (this.kt.onObserveSth) await this.kt.onObserveSth(sth);
}
/** Upload additional one-time prekeys (signed) */

1
packages/shade-transport/src/index.ts
View File

@@ -1,2 +1,3 @@
export { ShadeFetchTransport } from './fetch-transport.js';
export type { FetchBundleResult, KTVerifierOptions } from './fetch-transport.js';
export { ShadeWebSocket } from './ws-adapter.js';

176
packages/shade-transport/tests/kt-split-view-e2e.test.ts Normal file
View File

@@ -0,0 +1,176 @@
/**
* Acceptance test for V3.12 §"End-to-end test: split-view detection".
*
* Scenario:
* - One legitimate STH-signing key (the operator's pinned key).
* - Two divergent log views A and B, both signed by the same key
* (simulating a malicious server that hands different responses to
* different clients).
* - Two clients (Bob, Charlie) each fetch alice's bundle, but each is
* served from a different view.
* - A `LightWitness` cross-pollinates the two clients' STHs.
* - The witness must reject the second STH at the same tree_size with
* a `KTSplitViewError`.
*
* Also asserts the *positive* path: when both clients see the same view,
* no error is raised.
*/
import { describe, expect, test } from 'bun:test';
import { SubtleCryptoProvider } from '@shade/crypto-web';
import {
KTLogManager,
KTSplitViewError,
LightWitness,
MemoryKTLogStore,
computeBundleHash,
computeLogId,
} from '@shade/key-transparency';
const crypto = new SubtleCryptoProvider();
function fakeBundle(seed: number) {
return {
identitySigningKey: new Uint8Array(32).fill(seed),
identityDHKey: new Uint8Array(32).fill(seed + 1),
signedPreKey: {
keyId: 1,
publicKey: new Uint8Array(32).fill(seed + 2),
signature: new Uint8Array(64).fill(seed + 3),
},
};
}
describe('Split-view E2E', () => {
test('two divergent views at the same tree_size are caught by witness', async () => {
const operator = await crypto.generateEd25519KeyPair();
// View A — alice has the *real* identity (seed 0x10)
const viewA = await KTLogManager.create({
crypto,
store: new MemoryKTLogStore(),
signingPrivateKey: operator.privateKey,
signingPublicKey: operator.publicKey,
});
await viewA.recordRegister('alice', computeBundleHash(fakeBundle(0x10)));
const sthA = await viewA.publishSTH();
// View B — alice has a *malicious* identity (seed 0xff)
const viewB = await KTLogManager.create({
crypto,
store: new MemoryKTLogStore(),
signingPrivateKey: operator.privateKey,
signingPublicKey: operator.publicKey,
});
await viewB.recordRegister('alice', computeBundleHash(fakeBundle(0xff)));
const sthB = await viewB.publishSTH();
// Both STHs claim tree_size = 1 with the same logId, but with
// different rootHash + indexRoot. This is what a split-view attack
// looks like on the wire.
expect(sthA.treeSize).toBe(sthB.treeSize);
expect(Buffer.from(sthA.logId).toString('hex')).toBe(
Buffer.from(sthB.logId).toString('hex'),
);
expect(Buffer.from(sthA.rootHash).toString('hex')).not.toBe(
Buffer.from(sthB.rootHash).toString('hex'),
);
// Bob has been served STH A; Charlie has been served STH B.
// They share a witness (gossip-style):
const witness = new LightWitness({
crypto,
logPublicKey: operator.publicKey,
fetcher: {
async fetchLatestSTH() {
throw new Error('not used in this test');
},
async fetchConsistencyProof() {
return { proof: [] };
},
},
});
await witness.observe(sthA);
expect(witness.compare(sthA)).toBe('agree');
expect(witness.compare(sthB)).toBe('split-view');
await expect(witness.observe(sthB)).rejects.toBeInstanceOf(KTSplitViewError);
});
test('positive path: same view → no false alarm', async () => {
const operator = await crypto.generateEd25519KeyPair();
const view = await KTLogManager.create({
crypto,
store: new MemoryKTLogStore(),
signingPrivateKey: operator.privateKey,
signingPublicKey: operator.publicKey,
});
await view.recordRegister('alice', computeBundleHash(fakeBundle(0x10)));
const sth1 = await view.publishSTH();
await view.recordRegister('bob', computeBundleHash(fakeBundle(0x20)));
const sth2 = await view.publishSTH();
const witness = new LightWitness({
crypto,
logPublicKey: operator.publicKey,
fetcher: {
async fetchLatestSTH() {
throw new Error('not used');
},
async fetchConsistencyProof(from, to) {
const result = await view.buildHistoricalConsistencyProof(from, to);
return { proof: result.map((b) => Buffer.from(b).toString('base64')) };
},
},
});
await witness.observe(sth1);
await witness.observe(sth2);
expect(witness.compare(sth2)).toBe('agree');
});
test('rewriting history (forked log at tree_size 1) fails consistency from sth1 → sth2', async () => {
const operator = await crypto.generateEd25519KeyPair();
const real = await KTLogManager.create({
crypto,
store: new MemoryKTLogStore(),
signingPrivateKey: operator.privateKey,
signingPublicKey: operator.publicKey,
});
await real.recordRegister('alice', computeBundleHash(fakeBundle(0x10)));
const sth1 = await real.publishSTH();
// Build a divergent log that pretends 'mallory' was the first leaf,
// not 'alice'. The forked tree's STH at size 2 must NOT pass a
// consistency proof against sth1.
const fork = await KTLogManager.create({
crypto,
store: new MemoryKTLogStore(),
signingPrivateKey: operator.privateKey,
signingPublicKey: operator.publicKey,
});
await fork.recordRegister('mallory', computeBundleHash(fakeBundle(0xee)));
await fork.recordRegister('bob', computeBundleHash(fakeBundle(0x20)));
const forkedSth2 = await fork.publishSTH();
const forkedConsistency = await fork.buildConsistencyProof(sth1.treeSize);
const witness = new LightWitness({
crypto,
logPublicKey: operator.publicKey,
fetcher: {
async fetchLatestSTH() {
throw new Error('not used');
},
async fetchConsistencyProof() {
return { proof: forkedConsistency.proof.map((b) => Buffer.from(b).toString('base64')) };
},
},
});
await witness.observe(sth1);
await expect(witness.observe(forkedSth2)).rejects.toThrow();
// sanity: logId pinning still valid
expect(Buffer.from(forkedSth2.logId).toString('hex')).toBe(
Buffer.from(computeLogId(operator.publicKey)).toString('hex'),
);
});
});

230
packages/shade-transport/tests/kt-transport.test.ts Normal file
View File

@@ -0,0 +1,230 @@
import { describe, test, expect } from 'bun:test';
import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
import { ShadeSessionManager } from '@shade/core';
import {
createPrekeyServerWithKT,
MemoryPrekeyStore,
} from '@shade/server';
import {
KTVerificationError,
LightWitness,
MemoryKTLogStore,
computeLogId,
signSth,
type SignedTreeHead,
} from '@shade/key-transparency';
import { ShadeFetchTransport } from '../src/fetch-transport.js';
const crypto = new SubtleCryptoProvider();
describe('ShadeFetchTransport with KT verifier', () => {
test('fetch verifies inclusion proof against pinned log key', async () => {
const logKp = await crypto.generateEd25519KeyPair();
const { app, kt } = await createPrekeyServerWithKT({
crypto,
store: new MemoryPrekeyStore(),
disableRateLimit: true,
keyTransparency: {
store: new MemoryKTLogStore(),
signingPrivateKey: logKp.privateKey,
signingPublicKey: logKp.publicKey,
},
});
const port = 20100 + Math.floor(Math.random() * 500);
const handle = Bun.serve({ port, fetch: app.fetch });
try {
const baseUrl = `http://localhost:${port}`;
// Bob registers
const bobStorage = new MemoryStorage();
const bobManager = new ShadeSessionManager(crypto, bobStorage);
await bobManager.initialize();
const bobIdentity = await bobStorage.getIdentityKeyPair();
const bobTransport = new ShadeFetchTransport({
baseUrl,
crypto,
signingPrivateKey: bobIdentity!.signingPrivateKey,
});
const bobOTPKs = await bobManager.generateOneTimePreKeys(3);
const bobBundle = await bobManager.createPreKeyBundle();
await bobTransport.register('bob', bobManager.getPublicIdentity(), bobBundle.signedPreKey, bobOTPKs);
// Alice fetches with KT verifier — should succeed
const observed: SignedTreeHead[] = [];
const aliceTransport = new ShadeFetchTransport({
baseUrl,
crypto,
keyTransparency: {
mode: 'observe-strict',
logPublicKey: logKp.publicKey,
onObserveSth: async (sth) => {
observed.push(sth);
},
},
});
const result = await aliceTransport.fetchBundleVerified('bob');
expect(result.bundle.identityDHKey).toEqual(bobManager.getPublicIdentity().dhKey);
expect(result.ktSth).toBeDefined();
expect(result.ktSth!.treeSize).toBe(1);
expect(observed.length).toBe(1);
// Sanity: server-side latest STH matches what client observed
const serverSth = await kt.getLatestSTH();
expect(Buffer.from(serverSth.rootHash).toString('hex')).toBe(
Buffer.from(result.ktSth!.rootHash).toString('hex'),
);
} finally {
handle.stop();
}
});
test('observe-strict throws KTVerificationError on missing proof', async () => {
// Plain server (no KT)
const { createPrekeyServer, MemoryPrekeyStore } = await import('@shade/server');
const app = createPrekeyServer({
crypto,
store: new MemoryPrekeyStore(),
disableRateLimit: true,
});
const port = 20800 + Math.floor(Math.random() * 200);
const handle = Bun.serve({ port, fetch: app.fetch });
try {
const baseUrl = `http://localhost:${port}`;
const bobStorage = new MemoryStorage();
const bobManager = new ShadeSessionManager(crypto, bobStorage);
await bobManager.initialize();
const bobIdentity = await bobStorage.getIdentityKeyPair();
const bobTransport = new ShadeFetchTransport({
baseUrl,
crypto,
signingPrivateKey: bobIdentity!.signingPrivateKey,
});
const bobOTPKs = await bobManager.generateOneTimePreKeys(2);
const bobBundle = await bobManager.createPreKeyBundle();
await bobTransport.register('bob', bobManager.getPublicIdentity(), bobBundle.signedPreKey, bobOTPKs);
const logKp = await crypto.generateEd25519KeyPair();
const aliceTransport = new ShadeFetchTransport({
baseUrl,
crypto,
keyTransparency: { mode: 'observe-strict', logPublicKey: logKp.publicKey },
});
await expect(aliceTransport.fetchBundle('bob')).rejects.toBeInstanceOf(KTVerificationError);
} finally {
handle.stop();
}
});
test('forged STH (server signed with wrong key) is rejected', async () => {
const realLogKp = await crypto.generateEd25519KeyPair();
const evilLogKp = await crypto.generateEd25519KeyPair();
const { app } = await createPrekeyServerWithKT({
crypto,
store: new MemoryPrekeyStore(),
disableRateLimit: true,
keyTransparency: {
store: new MemoryKTLogStore(),
// Operator signs with the EVIL key
signingPrivateKey: evilLogKp.privateKey,
signingPublicKey: evilLogKp.publicKey,
},
});
const port = 21100 + Math.floor(Math.random() * 200);
const handle = Bun.serve({ port, fetch: app.fetch });
try {
const baseUrl = `http://localhost:${port}`;
const bobStorage = new MemoryStorage();
const bobManager = new ShadeSessionManager(crypto, bobStorage);
await bobManager.initialize();
const bobIdentity = await bobStorage.getIdentityKeyPair();
const bobTransport = new ShadeFetchTransport({
baseUrl,
crypto,
signingPrivateKey: bobIdentity!.signingPrivateKey,
});
const bobOTPKs = await bobManager.generateOneTimePreKeys(2);
const bobBundle = await bobManager.createPreKeyBundle();
await bobTransport.register('bob', bobManager.getPublicIdentity(), bobBundle.signedPreKey, bobOTPKs);
// Client pinned the REAL log key — verification must fail
const aliceTransport = new ShadeFetchTransport({
baseUrl,
crypto,
keyTransparency: { mode: 'observe-strict', logPublicKey: realLogKp.publicKey },
});
await expect(aliceTransport.fetchBundle('bob')).rejects.toThrow();
} finally {
handle.stop();
}
});
test('observed STH feeds LightWitness; subsequent split-view detected', async () => {
const logKp = await crypto.generateEd25519KeyPair();
const { app, kt } = await createPrekeyServerWithKT({
crypto,
store: new MemoryPrekeyStore(),
disableRateLimit: true,
keyTransparency: {
store: new MemoryKTLogStore(),
signingPrivateKey: logKp.privateKey,
signingPublicKey: logKp.publicKey,
},
});
const port = 21500 + Math.floor(Math.random() * 200);
const handle = Bun.serve({ port, fetch: app.fetch });
try {
const baseUrl = `http://localhost:${port}`;
// Register Bob
const bobStorage = new MemoryStorage();
const bobManager = new ShadeSessionManager(crypto, bobStorage);
await bobManager.initialize();
const bobIdentity = await bobStorage.getIdentityKeyPair();
const bobTransport = new ShadeFetchTransport({
baseUrl,
crypto,
signingPrivateKey: bobIdentity!.signingPrivateKey,
});
const bobOTPKs = await bobManager.generateOneTimePreKeys(2);
const bobBundle = await bobManager.createPreKeyBundle();
await bobTransport.register('bob', bobManager.getPublicIdentity(), bobBundle.signedPreKey, bobOTPKs);
// Witness backed by the real /v1/kt/* endpoints
const witness = new LightWitness({
crypto,
logPublicKey: logKp.publicKey,
fetcher: {
async fetchLatestSTH() {
const res = await fetch(`${baseUrl}/v1/kt/sth`);
return res.json();
},
async fetchConsistencyProof(from, to) {
const res = await fetch(`${baseUrl}/v1/kt/consistency?from=${from}&to=${to}`);
return res.json();
},
},
});
const observedSth = await witness.pollOnce();
expect(observedSth.treeSize).toBe(1);
// Forge a divergent STH at the same tree_size and feed it to the
// witness (this simulates a malicious second view)
const realSth = await kt.getLatestSTH();
const tampered = new Uint8Array(realSth.rootHash);
tampered[0] ^= 0xff;
const forged = await signSth(crypto, logKp.privateKey, {
treeSize: realSth.treeSize,
timestampMs: realSth.timestampMs,
rootHash: tampered,
indexRoot: realSth.indexRoot,
logId: computeLogId(logKp.publicKey),
});
await expect(witness.observe(forged)).rejects.toThrow(/Split view/);
} finally {
handle.stop();
}
});
});