feat(files): @shade/files 0.3.0 — E2EE filesystem RPC primitive

M-Files-1..6 land the full files-RPC layer + everything 0.3.0 needs to
ship. Apps keep their own UI; this layer ships the typed RPC, the
streams bridge for content I/O, and production hooks (rate limit,
retention, fingerprint gate, metrics).

@shade/files (NEW)
- Standard ops: list/stat/mkdir/delete/move/read/write/getThumbnail with
  Zod-validated wire schemas + clean user-handler types.
- Custom ops: typed via TypeScript declaration merging on CustomOpsMap
  + per-op Zod schemas; client.custom('app.foo', {...}) is fully typed.
- Content I/O: inline (≤ 256 KiB plaintext) base64-in-RPC; streams
  (> 256 KiB) ride @shade/transfer via userMetadata.shadeFilesWriteId
  / shadeFilesReadStreamId correlation. Server-side TransformStream
  bridges accept inbound transfers immediately (engine rejects chunks
  that arrive before accept) and park the readable for the matching
  RPC.
- Directory ops: walk(path, opts) async-iterable depth-first walker;
  uploadDirectory()/downloadDirectory() with bounded concurrency pool
  (default 4, cap 16), aggregated progress, abort.
- Production hooks (callback-based, vendor-neutral): rate-limit (op +
  byte), idempotency cache (LRU + TTL + in-flight de-dupe), path
  policy (traversal + percent-decode hardening), fingerprint gate
  (required/optional/reject), pluggable Ed25519 sig verification with
  ±5 min replay window, onMetric sink (standard names).
- React hooks (subpath @shade/files/react): ShadeFilesProvider,
  useShadeFiles, useFileList, useFileTransfer/Upload/Download.
- Shade.files.serve(handler) + Shade.files.client(peer) high-level
  entrypoint in @shade/sdk; lazy + memoized; one handler per Shade.

Wire format bump
- @shade/proto wire VERSION 0x01 → 0x02. Length prefixes changed from
  u16 to u32. The previous u16 silently truncated payloads above
  64 KiB — a hard correctness ceiling that blocked inline file ops
  up to 256 KiB. Wire-incompatible with 0.2.x peers; new sessions
  only. Cross-platform Kotlin port (android/shade-android) updated to
  match; test-vectors/wire-format.json regenerated.

Concurrency safety
- ShadeSessionManager.encrypt/.decrypt now run under per-peer mutex.
  Concurrent decryptions of the same peer raced ratchet state
  (manifested as sporadic "Failed to decrypt — wrong key or tampered
  data" under load — surfaced once concurrent uploadDirectory pumped
  many writes in flight). Encrypt was already serialized via
  Shade.send's encryptChains; decrypt is now serialized at the
  manager layer too.

@shade/streams extension
- StreamMetadata.userMetadata?: Record<string, string> for
  application-level key/value pairs that round-trip verbatim through
  stream-init plaintext. Used by @shade/files for write/read
  correlation; available to any consumer.

@shade/sdk extension
- Shade.files getter (lazy + memoized).
- BackgroundHooks.onPruneFiles + periodic timer (default 5 min) +
  BackgroundTasks.setHook(name, fn) for runtime hook registration.

Bundles in-flight 0.2.0 work
- packages/shade-streams/, packages/shade-transfer/, related
  shade-sdk streams-bridge + shade-widgets transfer hooks were
  uncommitted prior to this session. Including them keeps the
  workspace consistent at 0.3.0 since @shade/files depends on them.

Tests
- 74 new tests in @shade/files (572 → 646 workspace pass; 0 fail;
  3× stable). Coverage spans unit (inline-threshold + concurrency),
  integration (read-write inline + streams up to 1 MiB, walk +
  upload/download directory, custom-op, metrics, SDK namespace
  end-to-end), and security (tampered-envelope sig verification,
  replay window, fingerprint gate, rate-limit + quota).

Release artifacts
- All packages bumped to 0.3.0 via scripts/bump-version.ts.
- scripts/publish-all.ts PACKAGES updated with shade-files in
  topological order (after shade-transfer, before shade-sdk).
- bun run publish:dry clean (14 packed, 0 failed).
- examples/08-files-browser/ — three-process CLI demo (prekey + Bob
  server + Alice CLI) covering list/stat/mkdir/delete/upload/download.
- docs/files.md — full API + design doc.
- CHANGELOG.md 0.3.0 entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

packages/shade-files/tests/security/fingerprint-gate.test.ts

@@ -0,0 +1,86 @@
+import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
+import { setupFileRig, type FileTestRig } from '../integration/helpers/rig.js';
+import { FingerprintRequiredError, NotFoundError, type FileEntry } from '../../src/index.js';
+
+describe('Fingerprint gate', () => {
+  let rig: FileTestRig;
+  const verifiedSet = new Set<string>();
+
+  beforeAll(async () => {
+    verifiedSet.clear();
+    rig = await setupFileRig({
+      requireFingerprintVerifiedFor: (ctx) => {
+        // Mutations require verification; reads are optional.
+        const op = ctx.op;
+        if (op === 'mkdir' || op === 'delete' || op === 'move' || op === 'write') return 'required';
+        if (op === 'list') return 'optional';
+        return 'optional';
+      },
+      isFingerprintVerified: (sender) => verifiedSet.has(sender),
+      stat: async (ctx) => {
+        const e: FileEntry = {
+          name: ctx.path.split('/').filter(Boolean).pop() ?? '',
+          kind: 'file', size: 1, mtime: 0, metadata: {},
+        };
+        return e;
+      },
+      mkdir: async (ctx) => {
+        const e: FileEntry = {
+          name: ctx.path.split('/').filter(Boolean).pop() ?? '',
+          kind: 'dir', size: 0, mtime: 0, metadata: {},
+        };
+        return { entry: e };
+      },
+      delete: async () => ({ deletedCount: 1 }),
+      list: async () => ({ entries: [], hasMore: false }),
+    });
+  });
+
+  afterAll(async () => {
+    await rig.teardown();
+  });
+
+  test('mutation without verification → FingerprintRequiredError', async () => {
+    verifiedSet.delete('alice');
+    await expect(rig.fs.mkdir('/locked')).rejects.toBeInstanceOf(FingerprintRequiredError);
+    await expect(rig.fs.delete('/locked')).rejects.toBeInstanceOf(FingerprintRequiredError);
+  });
+
+  test('mutation after marking peer verified → succeeds', async () => {
+    verifiedSet.add('alice');
+    const result = await rig.fs.mkdir('/verified-dir');
+    expect(result.entry.name).toBe('verified-dir');
+  });
+
+  test('optional ops (stat, list) work without verification', async () => {
+    verifiedSet.delete('alice');
+    const stat = await rig.fs.stat('/anything');
+    expect(stat.name).toBe('anything');
+    const list = await rig.fs.list('/anything');
+    expect(list.entries).toEqual([]);
+  });
+});
+
+describe('Fingerprint gate with reject policy', () => {
+  let rig: FileTestRig;
+  beforeAll(async () => {
+    rig = await setupFileRig({
+      requireFingerprintVerifiedFor: () => 'reject',
+      stat: async (ctx) => {
+        const e: FileEntry = {
+          name: 'x',
+          kind: 'file',
+          size: 1,
+          mtime: 0,
+          metadata: {},
+        };
+        return e;
+      },
+    });
+  });
+  afterAll(async () => { await rig.teardown(); });
+
+  test('all ops rejected outright', async () => {
+    await expect(rig.fs.stat('/x')).rejects.toBeInstanceOf(FingerprintRequiredError);
+  });
+});

packages/shade-files/tests/security/quota.test.ts

@@ -0,0 +1,55 @@
+import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
+import { setupFileRig, type FileTestRig } from '../integration/helpers/rig.js';
+import { FsRateLimitError, QuotaExceededError, type FileEntry } from '../../src/index.js';
+
+describe('Op rate limit', () => {
+  let rig: FileTestRig;
+  let listCount = 0;
+  beforeAll(async () => {
+    listCount = 0;
+    rig = await setupFileRig({
+      rateLimits: { maxOpsPerMinutePerSender: 5 },
+      list: async () => {
+        listCount++;
+        return { entries: [], hasMore: false };
+      },
+    });
+  });
+  afterAll(async () => { await rig.teardown(); });
+
+  test('op rate-limit kicks in after capacity', async () => {
+    listCount = 0;
+    for (let i = 0; i < 5; i++) await rig.fs.list('/');
+    expect(listCount).toBe(5);
+    await expect(rig.fs.list('/')).rejects.toBeInstanceOf(FsRateLimitError);
+  });
+});
+
+describe('Byte quota', () => {
+  let rig: FileTestRig;
+  beforeAll(async () => {
+    rig = await setupFileRig({
+      rateLimits: {
+        // Plenty of ops, but tight byte cap for the quota test.
+        maxOpsPerMinutePerSender: 100,
+        maxBytesPerHourPerSender: 1024,
+      },
+      write: async (ctx) => {
+        const e: FileEntry = {
+          name: ctx.args.path.split('/').filter(Boolean).pop() ?? '',
+          kind: 'file',
+          size: ctx.args.content.kind === 'inline' ? ctx.args.content.bytes.byteLength : ctx.args.content.size,
+          mtime: 0,
+          metadata: {},
+        };
+        return { entry: e };
+      },
+    });
+  });
+  afterAll(async () => { await rig.teardown(); });
+
+  test('write 2 KiB inline → exceeds 1 KiB/hour cap', async () => {
+    const big = new Uint8Array(2048);
+    await expect(rig.fs.write('/big.bin', big)).rejects.toBeInstanceOf(QuotaExceededError);
+  });
+});

packages/shade-files/tests/security/replay.test.ts

@@ -0,0 +1,119 @@
+import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
+import { setupFileRig, type FileTestRig } from '../integration/helpers/rig.js';
+import { ConflictError, NotFoundError, type FileEntry } from '../../src/index.js';
+
+/**
+ * Replay-window: the dispatcher rejects requests where `signedAt` is more
+ * than ±5 min from the server clock. Plus: idempotent retries on the same
+ * mutation key produce a single side-effect even with stale signedAt.
+ */
+
+describe('Replay window + idempotent retry', () => {
+  let rig: FileTestRig;
+  let writeCount = 0;
+  const blobs = new Map<string, Uint8Array>();
+
+  beforeAll(async () => {
+    rig = await setupFileRig({
+      mkdir: async (ctx) => {
+        if (blobs.has(ctx.path)) throw new ConflictError('exists');
+        blobs.set(ctx.path, new Uint8Array(0));
+        const e: FileEntry = {
+          name: ctx.path.split('/').filter(Boolean).pop() ?? '',
+          kind: 'dir', size: 0, mtime: Date.now(), metadata: {},
+        };
+        return { entry: e };
+      },
+      write: async (ctx) => {
+        writeCount++;
+        if (ctx.args.content.kind !== 'inline') throw new Error('inline expected');
+        blobs.set(ctx.args.path, ctx.args.content.bytes);
+        const e: FileEntry = {
+          name: ctx.args.path.split('/').filter(Boolean).pop() ?? '',
+          kind: 'file',
+          size: ctx.args.content.bytes.byteLength,
+          mtime: Date.now(),
+          metadata: { sha256: ctx.args.content.sha256 },
+        };
+        return { entry: e };
+      },
+      stat: async (ctx) => {
+        if (!blobs.has(ctx.path)) throw new NotFoundError(ctx.path);
+        return {
+          name: ctx.path.split('/').filter(Boolean).pop() ?? '',
+          kind: 'file', size: 0, mtime: 0, metadata: {},
+        };
+      },
+    });
+  });
+
+  afterAll(async () => {
+    await rig.teardown();
+  });
+
+  test('idempotent retry: same key + same args → single side-effect', async () => {
+    writeCount = 0;
+    // Idempotency keys are exactly 22 chars, base64url alphabet.
+    const key = 'replay_key_1234567890A';
+    const data = new Uint8Array([1, 2, 3]);
+    const r1 = await rig.fs.write('/replay.bin', data, { idempotencyKey: key });
+    const r2 = await rig.fs.write('/replay.bin', data, { idempotencyKey: key });
+    const r3 = await rig.fs.write('/replay.bin', data, { idempotencyKey: key });
+    expect(writeCount).toBe(1);
+    expect(r1.entry.size).toBe(3);
+    expect(r2.entry.size).toBe(3);
+    expect(r3.entry.size).toBe(3);
+  });
+
+  test('out-of-window signedAt → InvalidSignatureError (skew rejection)', async () => {
+    // Build a custom client that LIES about signedAt. We hand-craft an
+    // RpcRequest envelope and ship it via the underlying channel.
+    const {
+      ShadeFileRpcChannel,
+      PendingRpcRegistry,
+      attachClientRouting,
+      KIND_STAT_V1,
+      generateRequestId,
+    } = await import('../../src/index.js');
+    const aliceChannel = new ShadeFileRpcChannel(rig.alice);
+    const alicePending = new PendingRpcRegistry();
+    attachClientRouting(aliceChannel, alicePending);
+
+    const requestId = generateRequestId();
+    const stalePromise = alicePending.register<unknown>(requestId, { timeoutMs: 3000 });
+    await aliceChannel.send('bob', {
+      kind: KIND_STAT_V1,
+      id: requestId,
+      args: { path: '/replay.bin' },
+      sig: 'unsigned',
+      signedAt: Date.now() - 10 * 60 * 1000, // 10 min in the past — outside ±5 min window
+    });
+    await expect(stalePromise).rejects.toThrow(/replay window|signature/i);
+    aliceChannel.destroy();
+  });
+
+  test('signedAt far in the future → also rejected', async () => {
+    const {
+      ShadeFileRpcChannel,
+      PendingRpcRegistry,
+      attachClientRouting,
+      KIND_STAT_V1,
+      generateRequestId,
+    } = await import('../../src/index.js');
+    const aliceChannel = new ShadeFileRpcChannel(rig.alice);
+    const alicePending = new PendingRpcRegistry();
+    attachClientRouting(aliceChannel, alicePending);
+
+    const requestId = generateRequestId();
+    const promise = alicePending.register<unknown>(requestId, { timeoutMs: 3000 });
+    await aliceChannel.send('bob', {
+      kind: KIND_STAT_V1,
+      id: requestId,
+      args: { path: '/replay.bin' },
+      sig: 'unsigned',
+      signedAt: Date.now() + 10 * 60 * 1000,
+    });
+    await expect(promise).rejects.toThrow(/replay window|signature/i);
+    aliceChannel.destroy();
+  });
+});

packages/shade-files/tests/security/tampered-envelope.test.ts

@@ -0,0 +1,115 @@
+import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
+import { ed25519 } from '@noble/curves/ed25519.js';
+import { setupFileRig, type FileTestRig } from '../integration/helpers/rig.js';
+import {
+  bytesToBase64,
+  canonicalRpcBytes,
+  hashArgs,
+  InvalidSignatureError,
+  type FileEntry,
+  NotFoundError,
+} from '../../src/index.js';
+
+/**
+ * The dispatcher's `verifySender` callback gets the canonical bytes the
+ * client claims they signed. By plugging a real Ed25519 verify in tests,
+ * we can demonstrate that:
+ *   - A valid sig over the canonical bytes is accepted.
+ *   - Tampering ANY bound field (kind, args, signedAt, sender) breaks
+ *     verification → InvalidSignatureError.
+ */
+
+describe('Tampered envelope — Ed25519 sig verification', () => {
+  let rig: FileTestRig;
+  // Generate a stable Ed25519 keypair for Alice. Bob will pin it.
+  const alicePriv = ed25519.utils.randomSecretKey();
+  const alicePub = ed25519.getPublicKey(alicePriv);
+
+  beforeAll(async () => {
+    rig = await setupFileRig({
+      verifySender: (sender, canonical, sigBase64) => {
+        // We only know Alice's key for this test. Bob's pub key would be
+        // looked up similarly in a real app.
+        if (sender !== 'alice') return false;
+        // Decode base64 sig
+        try {
+          const bin = atob(sigBase64);
+          const sigBytes = new Uint8Array(bin.length);
+          for (let i = 0; i < bin.length; i++) sigBytes[i] = bin.charCodeAt(i);
+          return ed25519.verify(sigBytes, canonical, alicePub);
+        } catch {
+          return false;
+        }
+      },
+      stat: async (ctx) => {
+        if (ctx.path !== '/exists.txt') throw new NotFoundError(ctx.path);
+        const e: FileEntry = { name: 'exists.txt', kind: 'file', size: 1, mtime: 0, metadata: {} };
+        return e;
+      },
+    });
+    // Re-create the client with a real signRequest hook.
+    // (Rig's default fs has signRequest=undefined; we replace it.)
+    const { createFileClient, ShadeFileRpcChannel, PendingRpcRegistry, attachClientRouting } = await import('../../src/index.js');
+    const aliceChannel = new ShadeFileRpcChannel(rig.alice);
+    const alicePending = new PendingRpcRegistry();
+    attachClientRouting(aliceChannel, alicePending);
+    rig.fs = createFileClient(rig.alice, aliceChannel, alicePending, 'bob', {
+      defaultTimeoutMs: 5000,
+      signRequest: async (canonical) => {
+        const sig = ed25519.sign(canonical, alicePriv);
+        return bytesToBase64(sig);
+      },
+    });
+  });
+
+  afterAll(async () => {
+    await rig.teardown();
+  });
+
+  test('valid signature → request succeeds', async () => {
+    const result = await rig.fs.stat('/exists.txt');
+    expect(result.name).toBe('exists.txt');
+  });
+
+  test('tampered args → InvalidSignatureError', async () => {
+    // Craft a request manually: sign over '/a' but ship '/b'.
+    const { createFileClient, ShadeFileRpcChannel, PendingRpcRegistry, attachClientRouting } = await import('../../src/index.js');
+    const aliceChannel = new ShadeFileRpcChannel(rig.alice);
+    const alicePending = new PendingRpcRegistry();
+    attachClientRouting(aliceChannel, alicePending);
+    const tamperedFs = createFileClient(rig.alice, aliceChannel, alicePending, 'bob', {
+      defaultTimeoutMs: 3000,
+      signRequest: async (_canonical) => {
+        // Sign over a DIFFERENT canonical (different argsHash), so the
+        // server's recomputation won't match.
+        const fake = canonicalRpcBytes({
+          address: 'alice',
+          signedAt: 0,
+          kind: 'shade.fs.list/v1',
+          id: 'AAAAAAAAAAAAAAAAAAAAAA',
+          argsHash: hashArgs({ tampered: true }),
+        });
+        const sig = ed25519.sign(fake, alicePriv);
+        return bytesToBase64(sig);
+      },
+    });
+    await expect(tamperedFs.stat('/exists.txt')).rejects.toBeInstanceOf(InvalidSignatureError);
+  });
+
+  test('valid signature from unknown signer → InvalidSignatureError', async () => {
+    const { createFileClient, ShadeFileRpcChannel, PendingRpcRegistry, attachClientRouting } = await import('../../src/index.js');
+    const aliceChannel = new ShadeFileRpcChannel(rig.alice);
+    const alicePending = new PendingRpcRegistry();
+    attachClientRouting(aliceChannel, alicePending);
+
+    const otherPriv = ed25519.utils.randomSecretKey();
+    const wrongFs = createFileClient(rig.alice, aliceChannel, alicePending, 'bob', {
+      defaultTimeoutMs: 3000,
+      signRequest: async (canonical) => {
+        const sig = ed25519.sign(canonical, otherPriv);
+        return bytesToBase64(sig);
+      },
+    });
+    await expect(wrongFs.stat('/exists.txt')).rejects.toBeInstanceOf(InvalidSignatureError);
+  });
+});