release(v4.0.0): Shade GA — V3.x consolidation + audit prep

V3.1 → V3.12 consolidated and tagged for the first GA release. Wire
format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers
byte-for-byte. The version bump is semantic: audit-cycle complete,
opt-in surface fully exposed, threat model refreshed for every new
surface.

Highlights:
- All 24 @shade/* packages bumped to 4.0.0 in lockstep.
- CHANGELOG 4.0.0 section is the canonical manifest of what landed.
- THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12
  Web-Worker boundary) + residual-risks table refreshed.
- OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox,
  bridge, observer, /metrics, /healthz, /ready.
- MIGRATION 0.3.x → 4.0 documented + smoke-tested against
  shade migrate-storage on a real SQLite DB.
- docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer.
- scripts/soak.ts harness for the GA-stable 2-week soak window.
- All V*.md plans archived under docs/archive/ with Status: Done.
- Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen
  non-realtime stack.

Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green.
Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports
  version 4.0.0 on /health.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

packages/shade-transport/src/fetch-transport.ts

@@ -1,5 +1,18 @@
 import type { PreKeyBundle, OneTimePreKey, CryptoProvider } from '@shade/core';
 import { NetworkError } from '@shade/core';
+import {
+  type KTProof,
+  type KTProofWire,
+  type SignedTreeHead,
+  ktProofFromWire,
+  verifyBundleAbsence,
+  verifyBundleInclusion,
+  verifyBundleTombstone,
+} from '@shade/key-transparency';
+import {
+  KTSplitViewError,
+  KTVerificationError,
+} from '@shade/key-transparency';
 
 /**
  * HTTP transport client for the Shade Prekey Server.
@@ -19,17 +32,56 @@ import { NetworkError } from '@shade/core';
  * const bundle = await transport.fetchBundle('bob'); // anonymous
  * ```
  */
+/** Result of a KT-aware bundle fetch. */
+export interface FetchBundleResult {
+  bundle: PreKeyBundle;
+  /**
+   * Verified Signed Tree Head when KT was active and the proof verified.
+   * Callers should feed this into a `LightWitness` for split-view tracking.
+   */
+  ktSth?: SignedTreeHead;
+}
+
+/**
+ * Optional KT verifier callback. When provided to `ShadeFetchTransport`,
+ * the transport verifies every bundle proof before handing the bundle to
+ * the SDK. Missing-or-invalid proofs throw `KTVerificationError`.
+ *
+ * `mode`:
+ *   - `'observe'`     verify proof when present, do not fail when missing.
+ *   - `'observe-strict'` require a proof; throw if absent.
+ */
+export interface KTVerifierOptions {
+  mode: 'observe' | 'observe-strict';
+  logPublicKey: Uint8Array;
+  /** Inject `now` for tests; defaults to `Date.now()`. */
+  now?: () => number;
+  /** Override default 24h freshness. */
+  maxStaleMs?: number;
+  /** Optional hook to track every observed STH (e.g. into a LightWitness). */
+  onObserveSth?: (sth: SignedTreeHead) => void | Promise<void>;
+}
+
 export class ShadeFetchTransport {
   private readonly baseUrl: string;
   private readonly crypto: CryptoProvider;
   private readonly signingPrivateKey?: Uint8Array;
+  private readonly kt?: KTVerifierOptions;
 
-  constructor(options: { baseUrl: string; crypto: CryptoProvider; signingPrivateKey?: Uint8Array }) {
+  constructor(options: {
+    baseUrl: string;
+    crypto: CryptoProvider;
+    signingPrivateKey?: Uint8Array;
+    keyTransparency?: KTVerifierOptions;
+  }) {
     this.baseUrl = options.baseUrl;
     this.crypto = options.crypto;
     if (options.signingPrivateKey !== undefined) {
       this.signingPrivateKey = options.signingPrivateKey;
     }
+    if (options.keyTransparency !== undefined) {
+      this.kt = options.keyTransparency;
+    }
   }
 
   private headers(): Record<string, string> {
@@ -89,12 +141,45 @@ export class ShadeFetchTransport {
     if (!res.ok) throw new NetworkError(`Register failed: ${res.status}`, res.status);
   }
 
-  /** Fetch a prekey bundle for a peer (anonymous, consumes one one-time prekey) */
+  /**
+   * Fetch a prekey bundle for a peer (anonymous, consumes one one-time prekey).
+   *
+   * When the transport was created with `keyTransparency`, this also verifies
+   * the inclusion proof and (if configured) feeds the STH into the supplied
+   * `onObserveSth` hook for split-view tracking.
+   */
   async fetchBundle(address: string): Promise<PreKeyBundle> {
+    const result = await this.fetchBundleVerified(address);
+    return result.bundle;
+  }
+
+  /**
+   * Same as `fetchBundle` but returns the verified STH alongside the bundle
+   * so callers can wire it into a `LightWitness`. Use this when you want
+   * direct access to the proof side-channel.
+   */
+  async fetchBundleVerified(address: string): Promise<FetchBundleResult> {
     const res = await fetch(`${this.baseUrl}/v1/keys/bundle/${encodeURIComponent(address)}`, {
       headers: this.headers(),
     });
-    if (!res.ok) throw new NetworkError(`Fetch bundle failed: ${res.status}`, res.status);
+    if (!res.ok) {
+      // KT-aware 404: read the body for an absence/tombstone proof so the
+      // negative answer is also pinned to a tree state.
+      if (res.status === 404 && this.kt) {
+        const body = (await res.json().catch(() => null)) as
+          | { ktProof?: KTProofWire }
+          | null;
+        if (body?.ktProof) {
+          const proof = ktProofFromWire(body.ktProof);
+          await this.verifyAbsenceOrTombstone(address, proof);
+        } else if (this.kt.mode === 'observe-strict') {
+          throw new KTVerificationError(
+            `KT-strict: 404 for ${address} but no ktProof in response`,
+          );
+        }
+      }
+      throw new NetworkError(`Fetch bundle failed: ${res.status}`, res.status);
+    }
 
     const data = (await res.json()) as {
       registrationId?: number;
@@ -102,6 +187,7 @@ export class ShadeFetchTransport {
       identityDHKey: string;
       signedPreKey: { keyId: number; publicKey: string; signature: string };
       oneTimePreKey?: { keyId: number; publicKey: string };
+      ktProof?: KTProofWire;
     };
     const bundle: PreKeyBundle = {
       registrationId: data.registrationId ?? 0,
@@ -119,7 +205,68 @@ export class ShadeFetchTransport {
         publicKey: fromB64(data.oneTimePreKey.publicKey),
       };
     }
-    return bundle;
+
+    let ktSth: SignedTreeHead | undefined;
+    if (this.kt) {
+      if (data.ktProof) {
+        const proof = ktProofFromWire(data.ktProof);
+        ktSth = await this.verifyInclusion(address, bundle, proof);
+        if (this.kt.onObserveSth) await this.kt.onObserveSth(ktSth);
+      } else if (this.kt.mode === 'observe-strict') {
+        throw new KTVerificationError(
+          `KT-strict: bundle for ${address} missing ktProof`,
+        );
+      }
+    }
+
+    return ktSth ? { bundle, ktSth } : { bundle };
+  }
+
+  private async verifyInclusion(
+    address: string,
+    bundle: PreKeyBundle,
+    proof: KTProof,
+  ): Promise<SignedTreeHead> {
+    if (!this.kt) throw new Error('KT verifier not configured');
+    const opts = {
+      crypto: this.crypto,
+      logPublicKey: this.kt.logPublicKey,
+      ...(this.kt.maxStaleMs !== undefined ? { maxStaleMs: this.kt.maxStaleMs } : {}),
+      ...(this.kt.now !== undefined ? { nowMs: this.kt.now() } : {}),
+    };
+    if (proof.body.kind === 'inclusion') {
+      return verifyBundleInclusion(opts, address, bundle, proof);
+    }
+    if (proof.body.kind === 'tombstone') {
+      // A tombstone proof on a 200 response would mean the server delivered
+      // a deleted address — this is malicious.
+      throw new KTVerificationError(`server returned tombstoned bundle for ${address}`);
+    }
+    if (proof.body.kind === 'absence') {
+      throw new KTVerificationError(`server returned bundle but absence proof for ${address}`);
+    }
+    throw new KTSplitViewError(`unknown proof kind`);
+  }
+
+  private async verifyAbsenceOrTombstone(address: string, proof: KTProof): Promise<void> {
+    if (!this.kt) return;
+    const opts = {
+      crypto: this.crypto,
+      logPublicKey: this.kt.logPublicKey,
+      ...(this.kt.maxStaleMs !== undefined ? { maxStaleMs: this.kt.maxStaleMs } : {}),
+      ...(this.kt.now !== undefined ? { nowMs: this.kt.now() } : {}),
+    };
+    let sth: SignedTreeHead;
+    if (proof.body.kind === 'absence') {
+      sth = await verifyBundleAbsence(opts, address, proof);
+    } else if (proof.body.kind === 'tombstone') {
+      sth = await verifyBundleTombstone(opts, address, proof);
+    } else {
+      throw new KTVerificationError(
+        `404 with non-absence/non-tombstone proof for ${address}`,
+      );
+    }
+    if (this.kt.onObserveSth) await this.kt.onObserveSth(sth);
   }
 
   /** Upload additional one-time prekeys (signed) */

packages/shade-transport/src/index.ts

@@ -1,2 +1,3 @@
 export { ShadeFetchTransport } from './fetch-transport.js';
+export type { FetchBundleResult, KTVerifierOptions } from './fetch-transport.js';
 export { ShadeWebSocket } from './ws-adapter.js';