release(v4.0.0): Shade GA — V3.x consolidation + audit prep

V3.1 → V3.12 consolidated and tagged for the first GA release. Wire format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers byte-for-byte. The version bump is semantic: audit-cycle complete, opt-in surface fully exposed, threat model refreshed for every new surface. Highlights: - All 24 @shade/* packages bumped to 4.0.0 in lockstep. - CHANGELOG 4.0.0 section is the canonical manifest of what landed. - THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12 Web-Worker boundary) + residual-risks table refreshed. - OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox, bridge, observer, /metrics, /healthz, /ready. - MIGRATION 0.3.x → 4.0 documented + smoke-tested against shade migrate-storage on a real SQLite DB. - docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer. - scripts/soak.ts harness for the GA-stable 2-week soak window. - All V*.md plans archived under docs/archive/ with Status: Done. - Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen non-realtime stack. Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green. Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports version 4.0.0 on /health. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 18:35:35 +02:00
parent 8b055912b7
commit e6fdf31b49
298 changed files with 37909 additions and 256 deletions
--- a/packages/shade-transport-bridge/src/auth.ts
+++ b/packages/shade-transport-bridge/src/auth.ts
@@ -0,0 +1,64 @@
+/**
+ * Bridge auth primitive.
+ *
+ * SSE/EventSource cannot carry custom headers in browsers, so the bridge
+ * protocol uses signed query parameters for every endpoint kind. The
+ * signature is over the canonical `{address, kind, since, signedAt}` payload
+ * using the recipient's Ed25519 signing key. The server looks up the owner
+ * key for `address` (registered via `/v1/inbox/register`) and verifies the
+ * signature with the same `verifyPayload` path used by the inbox.
+ */
+
+import type { CryptoProvider } from '@shade/core';
+import { signPayload } from '@shade/server';
+
+export type BridgeKind = 'stream' | 'poll' | 'ws';
+
+export interface BridgeAuthInput {
+  crypto: CryptoProvider;
+  signingPrivateKey: Uint8Array;
+  address: string;
+  kind: BridgeKind;
+  since: number;
+}
+
+/**
+ * Returns the URLSearchParams that must be appended to the bridge URL
+ * (`/v1/bridge/stream`, `/v1/bridge/poll`, `/v1/bridge/ws`). The same shape
+ * is consumed by `verifyBridgeAuth` on the server side.
+ */
+export async function signBridgeQuery(input: BridgeAuthInput): Promise<URLSearchParams> {
+  const signed = await signPayload(input.crypto, input.signingPrivateKey, {
+    address: input.address,
+    kind: input.kind,
+    since: input.since,
+  });
+  const qs = new URLSearchParams();
+  qs.set('address', input.address);
+  qs.set('kind', input.kind);
+  qs.set('since', String(input.since));
+  qs.set('signedAt', String(signed.signedAt));
+  qs.set('signature', signed.signature);
+  return qs;
+}
+
+export function bridgeQueryToCanonical(qs: URLSearchParams): {
+  address: string;
+  kind: BridgeKind;
+  since: number;
+  signedAt: number;
+  signature: string;
+} | null {
+  const address = qs.get('address');
+  const kind = qs.get('kind') as BridgeKind | null;
+  const sinceStr = qs.get('since');
+  const signedAtStr = qs.get('signedAt');
+  const signature = qs.get('signature');
+  if (!address || !kind || sinceStr === null || !signedAtStr || !signature) return null;
+  if (kind !== 'stream' && kind !== 'poll' && kind !== 'ws') return null;
+  const since = Number(sinceStr);
+  const signedAt = Number(signedAtStr);
+  if (!Number.isFinite(since) || since < 0) return null;
+  if (!Number.isFinite(signedAt)) return null;
+  return { address, kind, since, signedAt, signature };
+}