feat(files): @shade/files 0.3.0 — E2EE filesystem RPC primitive

M-Files-1..6 land the full files-RPC layer + everything 0.3.0 needs to
ship. Apps keep their own UI; this layer ships the typed RPC, the
streams bridge for content I/O, and production hooks (rate limit,
retention, fingerprint gate, metrics).

@shade/files (NEW)
- Standard ops: list/stat/mkdir/delete/move/read/write/getThumbnail with
  Zod-validated wire schemas + clean user-handler types.
- Custom ops: typed via TypeScript declaration merging on CustomOpsMap
  + per-op Zod schemas; client.custom('app.foo', {...}) is fully typed.
- Content I/O: inline (≤ 256 KiB plaintext) base64-in-RPC; streams
  (> 256 KiB) ride @shade/transfer via userMetadata.shadeFilesWriteId
  / shadeFilesReadStreamId correlation. Server-side TransformStream
  bridges accept inbound transfers immediately (engine rejects chunks
  that arrive before accept) and park the readable for the matching
  RPC.
- Directory ops: walk(path, opts) async-iterable depth-first walker;
  uploadDirectory()/downloadDirectory() with bounded concurrency pool
  (default 4, cap 16), aggregated progress, abort.
- Production hooks (callback-based, vendor-neutral): rate-limit (op +
  byte), idempotency cache (LRU + TTL + in-flight de-dupe), path
  policy (traversal + percent-decode hardening), fingerprint gate
  (required/optional/reject), pluggable Ed25519 sig verification with
  ±5 min replay window, onMetric sink (standard names).
- React hooks (subpath @shade/files/react): ShadeFilesProvider,
  useShadeFiles, useFileList, useFileTransfer/Upload/Download.
- Shade.files.serve(handler) + Shade.files.client(peer) high-level
  entrypoint in @shade/sdk; lazy + memoized; one handler per Shade.

Wire format bump
- @shade/proto wire VERSION 0x01 → 0x02. Length prefixes changed from
  u16 to u32. The previous u16 silently truncated payloads above
  64 KiB — a hard correctness ceiling that blocked inline file ops
  up to 256 KiB. Wire-incompatible with 0.2.x peers; new sessions
  only. Cross-platform Kotlin port (android/shade-android) updated to
  match; test-vectors/wire-format.json regenerated.

Concurrency safety
- ShadeSessionManager.encrypt/.decrypt now run under per-peer mutex.
  Concurrent decryptions of the same peer raced ratchet state
  (manifested as sporadic "Failed to decrypt — wrong key or tampered
  data" under load — surfaced once concurrent uploadDirectory pumped
  many writes in flight). Encrypt was already serialized via
  Shade.send's encryptChains; decrypt is now serialized at the
  manager layer too.

@shade/streams extension
- StreamMetadata.userMetadata?: Record<string, string> for
  application-level key/value pairs that round-trip verbatim through
  stream-init plaintext. Used by @shade/files for write/read
  correlation; available to any consumer.

@shade/sdk extension
- Shade.files getter (lazy + memoized).
- BackgroundHooks.onPruneFiles + periodic timer (default 5 min) +
  BackgroundTasks.setHook(name, fn) for runtime hook registration.

Bundles in-flight 0.2.0 work
- packages/shade-streams/, packages/shade-transfer/, related
  shade-sdk streams-bridge + shade-widgets transfer hooks were
  uncommitted prior to this session. Including them keeps the
  workspace consistent at 0.3.0 since @shade/files depends on them.

Tests
- 74 new tests in @shade/files (572 → 646 workspace pass; 0 fail;
  3× stable). Coverage spans unit (inline-threshold + concurrency),
  integration (read-write inline + streams up to 1 MiB, walk +
  upload/download directory, custom-op, metrics, SDK namespace
  end-to-end), and security (tampered-envelope sig verification,
  replay window, fingerprint gate, rate-limit + quota).

Release artifacts
- All packages bumped to 0.3.0 via scripts/bump-version.ts.
- scripts/publish-all.ts PACKAGES updated with shade-files in
  topological order (after shade-transfer, before shade-sdk).
- bun run publish:dry clean (14 packed, 0 failed).
- examples/08-files-browser/ — three-process CLI demo (prekey + Bob
  server + Alice CLI) covering list/stat/mkdir/delete/upload/download.
- docs/files.md — full API + design doc.
- CHANGELOG.md 0.3.0 entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

packages/shade-crypto-web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@shade/crypto-web",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "type": "module",
   "main": "src/index.ts",
   "types": "src/index.ts",

packages/shade-crypto-web/src/memory-storage.ts

@@ -1,4 +1,4 @@
-import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState, RetiredIdentity } from '@shade/core';
+import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState, RetiredIdentity, PersistedStreamState } from '@shade/core';
 import { constantTimeEqual } from '@shade/core';
 
 /**
@@ -103,4 +103,40 @@ export class MemoryStorage implements StorageProvider {
   async pruneRetiredIdentities(olderThan: number): Promise<void> {
     this.retiredIdentities = this.retiredIdentities.filter((r) => r.retiredAt >= olderThan);
   }
+
+  // ─── Stream-transfer resume state (v0.2.0) ────────────────
+
+  private streamStates = new Map<string, PersistedStreamState>();
+
+  async saveStreamState(state: PersistedStreamState): Promise<void> {
+    this.streamStates.set(state.streamId, { ...state });
+  }
+
+  async getStreamState(streamId: string): Promise<PersistedStreamState | null> {
+    const v = this.streamStates.get(streamId);
+    return v ? { ...v } : null;
+  }
+
+  async removeStreamState(streamId: string): Promise<void> {
+    this.streamStates.delete(streamId);
+  }
+
+  async listActiveStreamStates(direction?: 'send' | 'receive'): Promise<PersistedStreamState[]> {
+    const out: PersistedStreamState[] = [];
+    for (const s of this.streamStates.values()) {
+      if (s.status !== 'active' && s.status !== 'paused') continue;
+      if (direction !== undefined && s.direction !== direction) continue;
+      out.push({ ...s });
+    }
+    out.sort((a, b) => b.updatedAt - a.updatedAt);
+    return out;
+  }
+
+  async pruneStreamStates(olderThan: number): Promise<void> {
+    for (const [id, s] of this.streamStates) {
+      if ((s.status === 'finished' || s.status === 'aborted') && s.updatedAt < olderThan) {
+        this.streamStates.delete(id);
+      }
+    }
+  }
 }

packages/shade-crypto-web/src/provider.ts

@@ -2,6 +2,19 @@ import type { CryptoProvider } from '@shade/core';
 import { x25519 } from '@noble/curves/ed25519.js';
 import { ed25519 } from '@noble/curves/ed25519.js';
 
+/**
+ * Cast a Uint8Array to a SubtleCrypto-compatible buffer source. TS 5.7+
+ * tightened Uint8Array's buffer generic to ArrayBuffer, but our public API
+ * accepts Uint8Array<ArrayBufferLike>. SubtleCrypto methods are runtime-
+ * compatible with both — only the type system needs the bridge.
+ *
+ * Returns `ArrayBuffer` (rather than the DOM `BufferSource` alias) so this
+ * file type-checks without DOM lib in the consumer's tsconfig.
+ */
+function bs(u: Uint8Array | undefined): ArrayBuffer {
+  return u as unknown as ArrayBuffer;
+}
+
 /**
  * SubtleCrypto + noble/curves implementation of CryptoProvider.
  *
@@ -55,11 +68,11 @@ export class SubtleCryptoProvider implements CryptoProvider {
     aad?: Uint8Array,
   ): Promise<{ ciphertext: Uint8Array; nonce: Uint8Array }> {
     const nonce = this.randomBytes(12);
-    const aesKey = await this.subtle.importKey('raw', key, 'AES-GCM', false, ['encrypt']);
+    const aesKey = await this.subtle.importKey('raw', bs(key), 'AES-GCM', false, ['encrypt']);
     const encrypted = await this.subtle.encrypt(
-      { name: 'AES-GCM', iv: nonce, additionalData: aad },
+      { name: 'AES-GCM', iv: bs(nonce), additionalData: aad ? bs(aad) : undefined },
       aesKey,
-      plaintext,
+      bs(plaintext),
     );
     return { ciphertext: new Uint8Array(encrypted), nonce };
   }
@@ -70,11 +83,11 @@ export class SubtleCryptoProvider implements CryptoProvider {
     nonce: Uint8Array,
     aad?: Uint8Array,
   ): Promise<Uint8Array> {
-    const aesKey = await this.subtle.importKey('raw', key, 'AES-GCM', false, ['decrypt']);
+    const aesKey = await this.subtle.importKey('raw', bs(key), 'AES-GCM', false, ['decrypt']);
     const decrypted = await this.subtle.decrypt(
-      { name: 'AES-GCM', iv: nonce, additionalData: aad },
+      { name: 'AES-GCM', iv: bs(nonce), additionalData: aad ? bs(aad) : undefined },
       aesKey,
-      ciphertext,
+      bs(ciphertext),
     );
     return new Uint8Array(decrypted);
   }
@@ -87,9 +100,9 @@ export class SubtleCryptoProvider implements CryptoProvider {
     info: Uint8Array,
     length: number,
   ): Promise<Uint8Array> {
-    const baseKey = await this.subtle.importKey('raw', ikm, 'HKDF', false, ['deriveBits']);
+    const baseKey = await this.subtle.importKey('raw', bs(ikm), 'HKDF', false, ['deriveBits']);
     const bits = await this.subtle.deriveBits(
-      { name: 'HKDF', hash: 'SHA-256', salt, info },
+      { name: 'HKDF', hash: 'SHA-256', salt: bs(salt), info: bs(info) },
       baseKey,
       length * 8,
     );
@@ -99,12 +112,12 @@ export class SubtleCryptoProvider implements CryptoProvider {
   async hmacSha256(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {
     const hmacKey = await this.subtle.importKey(
       'raw',
-      key,
+      bs(key),
       { name: 'HMAC', hash: 'SHA-256' },
       false,
       ['sign'],
     );
-    const sig = await this.subtle.sign('HMAC', hmacKey, data);
+    const sig = await this.subtle.sign('HMAC', hmacKey, bs(data));
     return new Uint8Array(sig);
   }