Stian/Shade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(files): @shade/files 0.3.0 — E2EE filesystem RPC primitive
Some checks failed
Test / test (push) Has been cancelled
Details

Browse Source 
M-Files-1..6 land the full files-RPC layer + everything 0.3.0 needs to
ship. Apps keep their own UI; this layer ships the typed RPC, the
streams bridge for content I/O, and production hooks (rate limit,
retention, fingerprint gate, metrics).

@shade/files (NEW)
- Standard ops: list/stat/mkdir/delete/move/read/write/getThumbnail with
  Zod-validated wire schemas + clean user-handler types.
- Custom ops: typed via TypeScript declaration merging on CustomOpsMap
  + per-op Zod schemas; client.custom('app.foo', {...}) is fully typed.
- Content I/O: inline (≤ 256 KiB plaintext) base64-in-RPC; streams
  (> 256 KiB) ride @shade/transfer via userMetadata.shadeFilesWriteId
  / shadeFilesReadStreamId correlation. Server-side TransformStream
  bridges accept inbound transfers immediately (engine rejects chunks
  that arrive before accept) and park the readable for the matching
  RPC.
- Directory ops: walk(path, opts) async-iterable depth-first walker;
  uploadDirectory()/downloadDirectory() with bounded concurrency pool
  (default 4, cap 16), aggregated progress, abort.
- Production hooks (callback-based, vendor-neutral): rate-limit (op +
  byte), idempotency cache (LRU + TTL + in-flight de-dupe), path
  policy (traversal + percent-decode hardening), fingerprint gate
  (required/optional/reject), pluggable Ed25519 sig verification with
  ±5 min replay window, onMetric sink (standard names).
- React hooks (subpath @shade/files/react): ShadeFilesProvider,
  useShadeFiles, useFileList, useFileTransfer/Upload/Download.
- Shade.files.serve(handler) + Shade.files.client(peer) high-level
  entrypoint in @shade/sdk; lazy + memoized; one handler per Shade.

Wire format bump
- @shade/proto wire VERSION 0x01 → 0x02. Length prefixes changed from
  u16 to u32. The previous u16 silently truncated payloads above
  64 KiB — a hard correctness ceiling that blocked inline file ops
  up to 256 KiB. Wire-incompatible with 0.2.x peers; new sessions
  only. Cross-platform Kotlin port (android/shade-android) updated to
  match; test-vectors/wire-format.json regenerated.

Concurrency safety
- ShadeSessionManager.encrypt/.decrypt now run under per-peer mutex.
  Concurrent decryptions of the same peer raced ratchet state
  (manifested as sporadic "Failed to decrypt — wrong key or tampered
  data" under load — surfaced once concurrent uploadDirectory pumped
  many writes in flight). Encrypt was already serialized via
  Shade.send's encryptChains; decrypt is now serialized at the
  manager layer too.

@shade/streams extension
- StreamMetadata.userMetadata?: Record<string, string> for
  application-level key/value pairs that round-trip verbatim through
  stream-init plaintext. Used by @shade/files for write/read
  correlation; available to any consumer.

@shade/sdk extension
- Shade.files getter (lazy + memoized).
- BackgroundHooks.onPruneFiles + periodic timer (default 5 min) +
  BackgroundTasks.setHook(name, fn) for runtime hook registration.

Bundles in-flight 0.2.0 work
- packages/shade-streams/, packages/shade-transfer/, related
  shade-sdk streams-bridge + shade-widgets transfer hooks were
  uncommitted prior to this session. Including them keeps the
  workspace consistent at 0.3.0 since @shade/files depends on them.

Tests
- 74 new tests in @shade/files (572 → 646 workspace pass; 0 fail;
  3× stable). Coverage spans unit (inline-threshold + concurrency),
  integration (read-write inline + streams up to 1 MiB, walk +
  upload/download directory, custom-op, metrics, SDK namespace
  end-to-end), and security (tampered-envelope sig verification,
  replay window, fingerprint gate, rate-limit + quota).

Release artifacts
- All packages bumped to 0.3.0 via scripts/bump-version.ts.
- scripts/publish-all.ts PACKAGES updated with shade-files in
  topological order (after shade-transfer, before shade-sdk).
- bun run publish:dry clean (14 packed, 0 failed).
- examples/08-files-browser/ — three-process CLI demo (prekey + Bob
  server + Alice CLI) covering list/stat/mkdir/delete/upload/download.
- docs/files.md — full API + design doc.
- CHANGELOG.md 0.3.0 entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sterister
2026-05-02 14:00:01 +02:00
parent 7e0f7320a9
commit fa770d3063
198 changed files with 20412 additions and 256 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
packages/shade-sdk/package.json
View File

@@ -1,16 +1,19 @@
{
"name": "@shade/sdk",
"version": "0.1.0",
"version": "0.3.0",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
"@shade/storage-sqlite": "workspace:*",
"@shade/server": "workspace:*",
"@shade/transport": "workspace:*",
"@shade/files": "workspace:*",
"@shade/observer": "workspace:*",
"@shade/proto": "workspace:*"
"@shade/proto": "workspace:*",
"@shade/server": "workspace:*",
"@shade/storage-sqlite": "workspace:*",
"@shade/streams": "workspace:*",
"@shade/transfer": "workspace:*",
"@shade/transport": "workspace:*"
}
}

65
packages/shade-sdk/src/background.ts
View File

@@ -16,14 +16,29 @@ export interface BackgroundHooks {
onReplenish?: (count: number, total: number) => void;
/** Called after identity rotation completes and new bundle is published */
onRotate?: () => void;
/**
* Called periodically to prune `@shade/files` retention state (idempotency
* cache, parked transfers). Wired by `Shade.files.serve()`. Synchronous —
* heavy retention work should self-yield.
*/
onPruneFiles?: () => void;
/** Called if a background task throws */
onError?: (error: Error, task: 'replenish' | 'rotate') => void;
onError?: (error: Error, task: 'replenish' | 'rotate' | 'prune-files') => void;
}
/** Options forwarded to `BackgroundTasks` (in addition to `ResolvedConfig`). */
export interface BackgroundOptions {
hooks?: BackgroundHooks;
/** Override the file-prune interval. Default 5 min. */
pruneFilesIntervalMs?: number;
}
export class BackgroundTasks {
private replenishTimer: ReturnType<typeof setInterval> | null = null;
private rotateTimer: ReturnType<typeof setTimeout> | null = null;
private pruneFilesTimer: ReturnType<typeof setInterval> | null = null;
private running = false;
private readonly pruneFilesIntervalMs: number;
constructor(
private readonly manager: ShadeSessionManager,
@@ -31,7 +46,21 @@ export class BackgroundTasks {
private readonly address: string,
private readonly config: ResolvedConfig,
private readonly hooks: BackgroundHooks = {},
) {}
options: BackgroundOptions = {},
) {
this.pruneFilesIntervalMs = options.pruneFilesIntervalMs ?? 5 * 60 * 1000;
}
/**
* Update or replace background hooks at runtime. Used by
* `Shade.files.serve()` to register `onPruneFiles` after construction.
*/
setHook<K extends keyof BackgroundHooks>(name: K, fn: BackgroundHooks[K]): void {
(this.hooks as BackgroundHooks)[name] = fn;
if (name === 'onPruneFiles' && this.running && fn !== undefined) {
this.startPruneFilesTimer();
}
}
start(): void {
if (this.running) return;
@@ -51,6 +80,23 @@ export class BackgroundTasks {
if (this.config.autoRotate) {
this.scheduleNextRotation();
}
// Files retention timer
if (this.hooks.onPruneFiles !== undefined) {
this.startPruneFilesTimer();
}
}
private startPruneFilesTimer(): void {
if (this.pruneFilesTimer !== null) clearInterval(this.pruneFilesTimer);
this.pruneFilesTimer = setInterval(() => {
try {
this.hooks.onPruneFiles?.();
} catch (err) {
this.hooks.onError?.(err as Error, 'prune-files');
}
}, this.pruneFilesIntervalMs);
this.pruneFilesTimer.unref?.();
}
stop(): void {
@@ -63,6 +109,10 @@ export class BackgroundTasks {
clearTimeout(this.rotateTimer);
this.rotateTimer = null;
}
if (this.pruneFilesTimer) {
clearInterval(this.pruneFilesTimer);
this.pruneFilesTimer = null;
}
}
/**
@@ -82,12 +132,11 @@ export class BackgroundTasks {
// we instead ask the manager to expose them. For now, we just re-publish
// a fresh bundle + upload everything fresh.
try {
const newKeys = await this.manager.generateOneTimePreKeys(0); // no-op to keep types
// Fetch all current one-time prekeys via the storage and upload
// (the manager doesn't expose them directly; we work around by using the
// public newly-generated array returned above, but that was empty.)
// TODO: improve ShadeSessionManager to expose recent prekeys for re-upload.
// For now, simply log — correct upload will be handled on next rotate.
// No-op call to keep the manager warm. The proper re-upload path is
// exposed once ShadeSessionManager surfaces newly-generated prekeys
// (TODO: improve manager API). Until then, correct upload is handled
// on the next rotate.
await this.manager.generateOneTimePreKeys(0);
} catch {
// ignore
}

2
packages/shade-sdk/src/backup.ts
View File

@@ -1,4 +1,4 @@
import type { CryptoProvider, StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState } from '@shade/core';
import type { CryptoProvider, StorageProvider } from '@shade/core';
import {
toBase64,
fromBase64,

8
packages/shade-sdk/src/config.ts
View File

@@ -24,9 +24,9 @@ export interface ShadeConfig {
/**
* Your address on the prekey server (e.g. "alice@example.com" or "device:abc123").
* If omitted, a random UUID is generated and persisted.
* If omitted (undefined), a random UUID is generated and persisted.
*/
address?: string;
address?: string | undefined;
/**
* Auto-replenish configuration. When the one-time prekey stock drops
@@ -61,12 +61,12 @@ export interface ShadeConfig {
export interface ResolvedConfig {
prekeyServer: string;
storage: string | StorageProvider | { type: 'postgres'; url: string };
address?: string;
address?: string | undefined;
autoReplenish: { min: number; target: number; intervalMs: number } | false;
autoRotate: false | '1d' | '7d' | '30d' | '90d';
observer?: {
token: string;
port?: number;
port?: number | undefined;
basePath: string;
};
}

44
packages/shade-sdk/src/index.ts
View File

@@ -11,3 +11,47 @@ export {
export type { ShadeConfig, ResolvedConfig } from './config.js';
export type { BackgroundHooks } from './background.js';
export type { BackupBlob, BackupPayload } from './backup.js';
// ─── Stream transfers (v0.2.0) ─────────────────────────────
export {
ShadeControlChannel,
ShadeTransferAuthenticator,
canonicalChunkBytes,
canonicalControlBytes,
} from './streams-bridge.js';
export type { ControlEnvelopeTransport } from './streams-bridge.js';
export {
TransferEngine,
MemoryControlChannel,
MemoryTransferTransport,
ShadeTransferHttpTransport,
createTransferRoutes,
PermissiveAuthenticator,
TransferError,
TransferAbortError,
TransferIntegrityError,
TransferProtocolError,
TransferOfflineError,
TransferResumeError,
} from '@shade/transfer';
export type {
TransferOptions,
TransferProgress,
TransferEvent,
TransferHandle,
TransferResult,
TransferInput,
TransferOutput,
IncomingTransfer,
IncomingTransferAcceptOptions,
TransferSummary,
TransferRouteOptions,
TransferRouteAuthenticator,
ITransferTransport,
IControlChannel,
TransferAuthenticator,
ChunkAck,
TransferResumeState,
LaneProgress,
} from '@shade/transfer';
export type { StreamMetadata, LaneInitSpec, LanePartition } from '@shade/streams';

314
packages/shade-sdk/src/shade.ts
View File

@@ -5,10 +5,27 @@ import {
NoSessionError,
} from '@shade/core';
import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
import { encodeEnvelope, decodeEnvelope, inspectEnvelopeType } from '@shade/proto';
import { ShadeFetchTransport } from '@shade/transport';
import { BackgroundTasks, type BackgroundHooks } from './background.js';
import { exportBackup, importBackup, backupToString, backupFromString, type BackupBlob } from './backup.js';
import {
TransferEngine,
ShadeTransferHttpTransport,
type ITransferTransport,
type IncomingTransfer,
type TransferHandle,
type TransferOptions,
type TransferSummary,
} from '@shade/transfer';
import type { Hono } from 'hono';
import { BackgroundTasks } from './background.js';
import { exportBackup, importBackup, backupToString, backupFromString } from './backup.js';
import type { ResolvedConfig } from './config.js';
import {
ShadeControlChannel,
ShadeTransferAuthenticator,
type ControlEnvelopeTransport,
} from './streams-bridge.js';
import { createFilesNamespace, type FilesNamespace } from '@shade/files';
/**
* The high-level Shade API.
@@ -23,7 +40,7 @@ export class Shade {
private storage!: StorageProvider;
private manager!: ShadeSessionManager;
private transport!: ShadeFetchTransport;
private background: BackgroundTasks | null = null;
private _background: BackgroundTasks | null = null;
private address!: string;
private initialized = false;
@@ -32,8 +49,19 @@ export class Shade {
// Per-address encrypt queue to serialize ratchet mutations
private encryptChains = new Map<string, Promise<unknown>>();
// Message handlers
private messageHandlers: Array<(from: string, plaintext: string) => void> = [];
// Message handlers — may be sync or async; receive() awaits each.
private messageHandlers: Array<
(from: string, plaintext: string) => void | Promise<void>
> = [];
// Stream-transfer engine, lazily constructed on first use.
private transferEngine: TransferEngine | null = null;
private controlChannel: ShadeControlChannel | null = null;
private peerBaseUrlResolver: ((peerAddress: string) => Promise<string>) | null = null;
private envelopeOutboxes: ControlEnvelopeTransport | null = null;
// `@shade/files` namespace, lazy + memoized.
private filesNamespace: FilesNamespace | null = null;
constructor(private readonly config: ResolvedConfig) {}
@@ -88,13 +116,13 @@ export class Shade {
}
// Step 6: Background tasks
this.background = new BackgroundTasks(
this._background = new BackgroundTasks(
this.manager,
this.transport,
this.address,
this.config,
);
this.background.start();
this._background.start();
this.initialized = true;
}
@@ -111,6 +139,35 @@ export class Shade {
return this.address;
}
/**
* `@shade/files` namespace — high-level entry point for E2EE filesystem
* RPC. Lazily creates the underlying channel + streams bridges on first
* access; subsequent accesses return the same instance.
*
* ```ts
* const files = shade.files;
* const stop = await files.serve({ list: ..., write: ..., ... });
* const fs = await files.client('bob');
* await fs.list('/');
* ```
*
* Requires `configureTransfers({ resolveBaseUrl })` to be called first
* (same as `upload`/`onIncomingTransfer`).
*/
get files(): FilesNamespace {
if (!this.initialized) throw new Error('Not initialized');
if (this.filesNamespace !== null) return this.filesNamespace;
// `@shade/files` only imports `Shade` as a type, so the cyclic ESM
// import is type-only at the value layer — safe to bind synchronously.
this.filesNamespace = createFilesNamespace(this);
return this.filesNamespace;
}
/** Internal — exposes the BackgroundTasks for `@shade/files` to wire prune. */
get background(): BackgroundTasks | null {
return this._background;
}
/** Access the underlying event emitter (for observer integration) */
getEvents(): ShadeEventEmitter {
return this.events;
@@ -164,7 +221,7 @@ export class Shade {
const plaintext = await this.manager.decrypt(from, envelope);
for (const handler of this.messageHandlers) {
try {
handler(from, plaintext);
await handler(from, plaintext);
} catch (err) {
console.error('[Shade] Message handler threw:', err);
}
@@ -172,8 +229,10 @@ export class Shade {
return plaintext;
}
/** Register a handler for incoming messages */
onMessage(handler: (from: string, plaintext: string) => void): () => void {
/** Register a handler for incoming messages. Async handlers are awaited. */
onMessage(
handler: (from: string, plaintext: string) => void | Promise<void>,
): () => void {
this.messageHandlers.push(handler);
return () => {
this.messageHandlers = this.messageHandlers.filter((h) => h !== handler);
@@ -218,23 +277,23 @@ export class Shade {
);
// Rebuild background tasks so they use the new transport
if (this.background) {
this.background.stop();
this.background = new BackgroundTasks(
if (this._background) {
this._background.stop();
this._background = new BackgroundTasks(
this.manager,
this.transport,
this.address,
this.config,
);
this.background.start();
this._background.start();
}
}
/** Manually trigger replenishment (normally background task handles this) */
async replenish(): Promise<number> {
if (!this.initialized) throw new Error('Not initialized');
if (!this.background) return 0;
return this.background.runReplenish();
if (!this._background) return 0;
return this._background.runReplenish();
}
/**
@@ -273,7 +332,9 @@ export class Shade {
/** Clean shutdown: stop timers, close storage if it supports it */
async shutdown(): Promise<void> {
this.background?.stop();
this._background?.stop();
if (this.transferEngine !== null) this.transferEngine.destroy();
if (this.controlChannel !== null) this.controlChannel.destroy();
// Close storage if it has a close method (SQLite)
const closable = this.storage as unknown as { close?: () => void | Promise<void> };
if (typeof closable.close === 'function') {
@@ -282,8 +343,166 @@ export class Shade {
this.initialized = false;
}
// ─── Stream transfers (v0.2.0) ─────────────────────────────
/**
* Configure how stream-transfer chunks reach peers. Provide a resolver
* that returns the peer's HTTP base URL (e.g. by looking up a
* `transfer.baseUrl` field in your prekey-bundle metadata or a static
* directory map). If unset, `upload()` rejects with a clear error.
*
* Optionally also override the control-envelope transport (defaults to
* HTTP POSTs to `<base>/v1/transfer/control`).
*/
configureTransfers(opts: {
resolveBaseUrl: (peerAddress: string) => Promise<string>;
envelopeTransport?: ControlEnvelopeTransport;
}): void {
this.peerBaseUrlResolver = opts.resolveBaseUrl;
this.envelopeOutboxes =
opts.envelopeTransport ?? new HttpEnvelopeTransport(opts.resolveBaseUrl, this.address);
}
/**
* Deliver a freshly-encrypted ratchet envelope to a peer using the
* configured envelope transport (HTTP POST to `/v1/transfer/control` by
* default). Used by `@shade/files` for RPC plaintext delivery.
*/
async deliverControlEnvelope(peerAddress: string, envelope: ShadeEnvelope): Promise<void> {
if (this.envelopeOutboxes === null) {
throw new Error(
'Call shade.configureTransfers({ resolveBaseUrl }) before deliverControlEnvelope()',
);
}
await this.envelopeOutboxes.send(peerAddress, envelope);
}
/**
* Upload bytes to a peer. Returns a `TransferHandle` that can be paused/
* aborted and awaited. Requires `configureTransfers` to be called first.
*/
async upload(opts: TransferOptions): Promise<TransferHandle> {
return (await this.engine()).upload(opts);
}
/**
* Subscribe to incoming transfers from peers. Handler is invoked when a
* `stream-init` arrives; the handler MUST call `incoming.accept(...)` to
* begin receiving (or `incoming.decline(...)` to reject).
*/
async onIncomingTransfer(
handler: (incoming: IncomingTransfer) => void | Promise<void>,
): Promise<() => void> {
return (await this.engine()).onIncomingTransfer(handler);
}
/**
* Mount the receiver-side HTTP routes on a Hono app. Mount under any
* base path: `app.route('/shade', await shade.transferRoute())`.
*
* Routes:
* POST /v1/transfer/:streamId/chunk — wire-encoded 0x11 chunks
* GET /v1/transfer/:streamId/state — resume-state lookup
* POST /v1/transfer/control — wire-encoded 0x02 control envelopes
* GET /v1/transfer/health — peer reachability probe
*/
async transferRoute(): Promise<Hono> {
const engine = await this.engine();
const { createTransferRoutes, PermissiveAuthenticator } = await import('@shade/transfer');
const app = await createTransferRoutes(engine, {
authenticator: PermissiveAuthenticator,
});
// Add the control-envelope POST route on top.
app.post('/v1/transfer/control', async (c) => {
const senderAddress = c.req.header('X-Shade-Sender-Address');
if (senderAddress === undefined || senderAddress === '') {
return c.json({ error: 'missing X-Shade-Sender-Address' }, 400);
}
const ab = await c.req.arrayBuffer();
const bytes = new Uint8Array(ab);
try {
await this.acceptTransferEnvelope(senderAddress, bytes);
} catch (err) {
return c.json({ error: (err as Error).message }, 400);
}
return c.json({ ok: true });
});
return app;
}
/**
* Low-level entry for custom transports: hand a `0x02` ratchet envelope
* (control-plane) or a `0x11` stream-chunk envelope to the engine.
* Used internally by `transferRoute()`.
*/
async acceptTransferEnvelope(from: string, env: ShadeEnvelope | Uint8Array): Promise<void> {
const engine = await this.engine();
if (env instanceof Uint8Array) {
const kind = inspectEnvelopeType(env);
if (kind === 'stream-chunk') {
// Engine extracts laneId/seq from the wire bytes via decodeStreamChunk.
const headers = parseChunkHeader(env);
await engine.receiveChunk(from, headers.streamId, headers.laneId, headers.seq, env);
return;
}
if (kind === 'ratchet' || kind === 'prekey') {
const decoded = decodeEnvelope(env);
await this.controlChannel!.acceptEnvelope(from, decoded);
return;
}
throw new Error(`Unknown envelope type ${kind}`);
}
// Already-decoded envelope (ratchet or prekey)
await this.controlChannel!.acceptEnvelope(from, env);
}
// ─── Internals ─────────────────────────────────────────────
private async engine(): Promise<TransferEngine> {
if (this.transferEngine !== null) return this.transferEngine;
if (this.peerBaseUrlResolver === null || this.envelopeOutboxes === null) {
throw new Error(
'Call shade.configureTransfers({ resolveBaseUrl }) before using upload()/onIncomingTransfer()',
);
}
this.controlChannel = new ShadeControlChannel(this, this.envelopeOutboxes);
const transport: ITransferTransport = new ShadeTransferHttpTransport({
resolveBaseUrl: this.peerBaseUrlResolver,
authenticator: await this.makeAuthenticator(),
});
this.transferEngine = new TransferEngine({
crypto: this.crypto,
controlChannel: this.controlChannel,
transport,
myAddress: this.address,
});
return this.transferEngine;
}
private async makeAuthenticator(): Promise<ShadeTransferAuthenticator> {
const identity = await this.storage.getIdentityKeyPair();
if (identity === null) throw new Error('Identity not initialized');
return new ShadeTransferAuthenticator(this.crypto, this.address, identity.signingPrivateKey);
}
/** Returns a list of in-flight stream transfers from storage (resume support). */
async listTransfers(filter?: {
direction?: 'send' | 'receive';
}): Promise<TransferSummary[]> {
if (this.storage.listActiveStreamStates === undefined) return [];
const rows = await this.storage.listActiveStreamStates(filter?.direction);
return rows.map((s) => ({
streamId: s.streamId,
direction: s.direction,
peerAddress: s.peerAddress,
status: s.status,
bytesProcessed: 0, // computed from laneState
createdAt: s.createdAt,
updatedAt: s.updatedAt,
metadata: tryParseMetadata(s.metadataJson),
}));
}
private async ensureSession(address: string): Promise<void> {
// Deduplicate concurrent establishment requests
const existing = this.establishing.get(address);
@@ -306,6 +525,57 @@ export class Shade {
}
}
function tryParseMetadata(json: string): import('@shade/streams').StreamMetadata | null {
try {
return JSON.parse(json) as import('@shade/streams').StreamMetadata;
} catch {
return null;
}
}
function parseChunkHeader(bytes: Uint8Array): {
streamId: string;
laneId: number;
seq: bigint;
} {
// [0]=ver [1]=type [2..18]=streamId(16) [18..22]=laneId u32 [22..30]=seq u64
if (bytes.length < 30) throw new Error('truncated stream-chunk header');
const view = new DataView(bytes.buffer, bytes.byteOffset);
const sidBytes = bytes.slice(2, 18);
const laneId = view.getUint32(18, false);
const seq = view.getBigUint64(22, false);
// Encode streamId as base64url
let bin = '';
for (let i = 0; i < sidBytes.length; i++) bin += String.fromCharCode(sidBytes[i]!);
const streamId = btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
return { streamId, laneId, seq };
}
// ─── Default HTTP envelope transport ──────────────────────────
class HttpEnvelopeTransport implements ControlEnvelopeTransport {
constructor(
private readonly resolveBaseUrl: (peerAddress: string) => Promise<string>,
private readonly myAddress: string,
) {}
async send(peerAddress: string, envelope: ShadeEnvelope): Promise<void> {
const base = (await this.resolveBaseUrl(peerAddress)).replace(/\/$/, '');
const url = `${base}/v1/transfer/control`;
const bytes = encodeEnvelope(envelope);
const res = await fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/octet-stream',
'X-Shade-Sender-Address': this.myAddress,
},
body: bytes as unknown as never,
});
if (!res.ok) {
throw new Error(`control envelope POST failed: ${res.status} ${await res.text()}`);
}
}
}
// ─── Helpers ─────────────────────────────────────────────────
async function resolveStorage(
@@ -326,8 +596,14 @@ async function resolveStorage(
}
if (typeof spec === 'object' && spec.type === 'postgres') {
const { PostgresStorage } = await import('@shade/storage-postgres');
return PostgresStorage.create(spec.url);
// Dynamic import keeps @shade/storage-postgres optional — consumers that
// never use postgres don't need to install it. The string-form import
// path makes the resolver lazy at type-check time too.
const moduleId = '@shade/storage-postgres';
const mod = (await import(moduleId)) as {
PostgresStorage: { create(url: string): Promise<StorageProvider> };
};
return mod.PostgresStorage.create(spec.url);
}
throw new Error(`Unsupported storage spec: ${JSON.stringify(spec)}`);

215
packages/shade-sdk/src/streams-bridge.ts Normal file
View File

@@ -0,0 +1,215 @@
import type { CryptoProvider, ShadeEnvelope } from '@shade/core';
import { ValidationError } from '@shade/core';
import {
encodeStreamControl,
parseStreamControl,
type StreamControlMessage,
} from '@shade/streams';
import {
type IControlChannel,
type TransferAuthenticator,
} from '@shade/transfer';
import type { Shade } from './shade.js';
/**
* Adapter contract for shipping ratchet envelopes between two Shade
* instances. The SDK provides an HTTP implementation that POSTs to the
* peer's `transferRoute()` control endpoint; tests use a memory pair.
*/
export interface ControlEnvelopeTransport {
send(peerAddress: string, envelope: ShadeEnvelope): Promise<void>;
}
/**
* `IControlChannel` implementation that rides on top of an existing Shade
* instance's `send`/`receive` API. Each control message is JSON-encoded
* plaintext and shipped through the Double Ratchet — the same path as
* regular chat messages.
*
* Receiver-side: the SDK installs a `Shade.onMessage` handler at
* construction. Plaintext is parsed for the `shade.stream-` `kind` prefix;
* matches are dispatched to subscribed handlers, non-matches are passed
* through to the consumer's regular onMessage handlers via `passthrough`.
*/
export class ShadeControlChannel implements IControlChannel {
private readonly handlers = new Set<
(from: string, message: StreamControlMessage) => void | Promise<void>
>();
private readonly unsubscribeShadeMessages: () => void;
constructor(
private readonly shade: Shade,
private readonly envelopeTransport: ControlEnvelopeTransport,
private readonly passthrough?: (from: string, plaintext: string) => void,
) {
this.unsubscribeShadeMessages = shade.onMessage(async (from, plaintext) => {
if (!plaintext.includes('shade.stream-')) {
this.passthrough?.(from, plaintext);
return;
}
let msg: StreamControlMessage;
try {
msg = parseStreamControl(plaintext);
} catch {
// Not a stream control message; treat as ordinary plaintext.
this.passthrough?.(from, plaintext);
return;
}
// Await each handler. The engine relies on this for sequencing:
// sender's `controlChannel.send` only resolves once the receiver has
// fully processed `stream-init`, so chunks never race ahead.
for (const handler of [...this.handlers]) {
try {
await handler(from, msg);
} catch (err) {
console.error('[ShadeControlChannel] handler error:', err);
}
}
});
}
async send(peerAddress: string, message: StreamControlMessage): Promise<void> {
const envelope = await this.shade.send(peerAddress, encodeStreamControl(message));
await this.envelopeTransport.send(peerAddress, envelope);
}
/**
* Receive-side: hand a freshly-decrypted envelope from the peer to this
* channel. The plaintext is fed through the same `onMessage` pipeline.
* Used by `Shade.acceptTransferEnvelope` for control-plane messages.
*/
async acceptEnvelope(from: string, envelope: ShadeEnvelope): Promise<void> {
await this.shade.receive(from, envelope);
}
onMessage(
handler: (from: string, message: StreamControlMessage) => void | Promise<void>,
): () => void {
this.handlers.add(handler);
return () => this.handlers.delete(handler);
}
destroy(): void {
this.unsubscribeShadeMessages();
this.handlers.clear();
}
}
/**
* Ed25519-signing authenticator for `ShadeTransferHttpTransport`.
*
* Header format on `/chunk`:
* `X-Shade-Sender-Address: <address>`
* `X-Shade-Signed-At: <unix-ms>`
* `X-Shade-Signature: <base64-of-sig-over: address|signedAt|streamId|laneId|seq|sha256(body)>`
*
* The receiver-side `ShadeTransferRouteAuthenticator` (below) verifies this
* using the sender's public identity key fetched from the prekey server.
*/
export class ShadeTransferAuthenticator implements TransferAuthenticator {
constructor(
private readonly crypto: CryptoProvider,
private readonly senderAddress: string,
private readonly signingPrivateKey: Uint8Array,
) {
if (signingPrivateKey.length !== 32) {
throw new ValidationError('signingPrivateKey must be 32 bytes', 'signingPrivateKey');
}
}
async signChunk(args: {
streamId: string;
laneId: number;
seq: bigint;
bodyHash: Uint8Array;
}): Promise<Record<string, string>> {
const signedAt = Date.now();
const message = canonicalChunkBytes({
address: this.senderAddress,
signedAt,
streamId: args.streamId,
laneId: args.laneId,
seq: args.seq,
bodyHash: args.bodyHash,
});
const sig = await this.crypto.sign(this.signingPrivateKey, message);
return {
'X-Shade-Sender-Address': this.senderAddress,
'X-Shade-Signed-At': String(signedAt),
'X-Shade-Signature': bytesToBase64(sig),
};
}
async signControl(args: {
streamId: string;
method: string;
path: string;
}): Promise<Record<string, string>> {
const signedAt = Date.now();
const message = canonicalControlBytes({
address: this.senderAddress,
signedAt,
streamId: args.streamId,
method: args.method,
path: args.path,
});
const sig = await this.crypto.sign(this.signingPrivateKey, message);
return {
'X-Shade-Sender-Address': this.senderAddress,
'X-Shade-Signed-At': String(signedAt),
'X-Shade-Signature': bytesToBase64(sig),
};
}
}
/** Helper: canonical bytes for chunk signature. */
export function canonicalChunkBytes(args: {
address: string;
signedAt: number;
streamId: string;
laneId: number;
seq: bigint;
bodyHash: Uint8Array;
}): Uint8Array {
const enc = new TextEncoder();
const fields = [
`chunk\0`,
`addr=${args.address}\0`,
`at=${args.signedAt}\0`,
`sid=${args.streamId}\0`,
`lane=${args.laneId}\0`,
`seq=${args.seq.toString()}\0`,
`bodyHash=${bytesToHex(args.bodyHash)}\0`,
];
return enc.encode(fields.join(''));
}
/** Helper: canonical bytes for control signature. */
export function canonicalControlBytes(args: {
address: string;
signedAt: number;
streamId: string;
method: string;
path: string;
}): Uint8Array {
const enc = new TextEncoder();
const fields = [
`control\0`,
`addr=${args.address}\0`,
`at=${args.signedAt}\0`,
`sid=${args.streamId}\0`,
`method=${args.method}\0`,
`path=${args.path}\0`,
];
return enc.encode(fields.join(''));
}
function bytesToBase64(b: Uint8Array): string {
let bin = '';
for (let i = 0; i < b.length; i++) bin += String.fromCharCode(b[i]!);
return btoa(bin);
}
function bytesToHex(b: Uint8Array): string {
return Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
}

159
packages/shade-sdk/tests/streams-integration.test.ts Normal file
View File

@@ -0,0 +1,159 @@
import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
import { createShade, type Shade, type TransferHandle, type TransferResult } from '../src/index.js';
import {
createPrekeyServer,
MemoryPrekeyStore,
PrekeyServerEvents,
} from '@shade/server';
import { SubtleCryptoProvider } from '@shade/crypto-web';
import { sha256Once } from '@shade/streams';
const crypto = new SubtleCryptoProvider();
interface TestRig {
alice: Shade;
bob: Shade;
bobBaseUrl: string;
prekeyStop: () => void;
bobServerStop: () => void;
}
async function startPrekeyServer(): Promise<{ url: string; stop: () => void }> {
const events = new PrekeyServerEvents();
const server = createPrekeyServer({
crypto,
store: new MemoryPrekeyStore(),
disableRateLimit: true,
events,
});
const port = 21000 + Math.floor(Math.random() * 500);
const handle = Bun.serve({ port, fetch: server.fetch });
return { url: `http://localhost:${port}`, stop: () => handle.stop() };
}
async function setupRig(): Promise<TestRig> {
const prekey = await startPrekeyServer();
const alice = await createShade({ prekeyServer: prekey.url, address: 'alice' });
const bob = await createShade({ prekeyServer: prekey.url, address: 'bob' });
// Bob's transferRoute lazily creates a TransferEngine, which requires
// configureTransfers first.
bob.configureTransfers({
resolveBaseUrl: async () => {
throw new Error('bob is receive-only in this test');
},
});
// Spin up Bob's HTTP transfer endpoint.
const bobApp = await bob.transferRoute();
const port = 21500 + Math.floor(Math.random() * 500);
const bobServer = Bun.serve({ port, fetch: bobApp.fetch });
const bobBaseUrl = `http://localhost:${port}`;
// Wire up Alice's outgoing transfer routing.
alice.configureTransfers({
resolveBaseUrl: async (addr) => {
if (addr === 'bob') return bobBaseUrl;
throw new Error(`unknown peer ${addr}`);
},
});
return {
alice,
bob,
bobBaseUrl,
prekeyStop: prekey.stop,
bobServerStop: () => bobServer.stop(),
};
}
async function teardownRig(rig: TestRig): Promise<void> {
await rig.alice.shutdown();
await rig.bob.shutdown();
rig.bobServerStop();
rig.prekeyStop();
}
function hex(b: Uint8Array): string {
return Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
}
async function uploadAndAwait(
rig: TestRig,
input: Uint8Array,
opts?: { lanes?: number; chunkSize?: number },
): Promise<{ senderResult: TransferResult; received: Uint8Array }> {
let resolveRecv!: (h: TransferHandle) => void;
const recvHandlePromise = new Promise<TransferHandle>((r) => {
resolveRecv = r;
});
const unsubscribe = await rig.bob.onIncomingTransfer(async (incoming) => {
const h = await incoming.accept({ output: { kind: 'buffer' } });
resolveRecv(h);
});
const handle = await rig.alice.upload({
to: 'bob',
input,
...(opts?.lanes !== undefined ? { lanes: opts.lanes } : {}),
...(opts?.chunkSize !== undefined ? { chunkSize: opts.chunkSize } : {}),
metadata: { name: 'integration-test.bin' },
});
const recvHandle = await recvHandlePromise;
const [senderResult, recvResult] = await Promise.all([handle.done(), recvHandle.done()]);
unsubscribe();
const received =
(recvResult as TransferResult & { bytes?: Uint8Array }).bytes ?? new Uint8Array();
return { senderResult, received };
}
describe('Shade SDK end-to-end E2EE transfer', () => {
let rig: TestRig;
beforeAll(async () => {
rig = await setupRig();
});
afterAll(async () => {
await teardownRig(rig);
});
test('64 KiB payload — 1 lane', async () => {
const input = crypto.randomBytes(64 * 1024);
const { senderResult, received } = await uploadAndAwait(rig, input, {
lanes: 1,
chunkSize: 16 * 1024,
});
expect(received).toEqual(input);
expect(senderResult.sha256).toBe(hex(sha256Once(input)));
});
test('512 KiB payload — 4 lanes range partition', async () => {
const input = crypto.randomBytes(512 * 1024);
const { senderResult, received } = await uploadAndAwait(rig, input, {
lanes: 4,
chunkSize: 32 * 1024,
});
expect(received).toEqual(input);
expect(senderResult.sha256).toBe(hex(sha256Once(input)));
});
test(
'4 MiB payload — 4 lanes, simulates Dispatch upload',
async () => {
const input = crypto.randomBytes(4 * 1024 * 1024);
const { senderResult, received } = await uploadAndAwait(rig, input, {
lanes: 4,
chunkSize: 128 * 1024,
});
expect(received).toEqual(input);
expect(senderResult.sha256).toBe(hex(sha256Once(input)));
},
30_000,
);
test('listTransfers returns empty before transfer (memory storage)', async () => {
// MemoryStorage's listActiveStreamStates is implemented but never
// populated by the engine in v0.2.0 (resume persistence is M-Stream-6).
const list = await rig.alice.listTransfers();
expect(Array.isArray(list)).toBe(true);
});
});