Stian/Shade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Stian:v4.2.0
Branches Tags
Stian:main
Stian:v4.11.1 Stian:v4.11.0 Stian:v4.6.0 Stian:v4.2.1 Stian:v4.2.0 Stian:v4.1.0 Stian:v4.0.2 Stian:v4.0.1 Stian:v4.0.0
..
compare: Stian:8c606ad49874e5684faa36391e501bee23cd8df3
Branches Tags
Stian:main
Stian:v4.11.1 Stian:v4.11.0 Stian:v4.6.0 Stian:v4.2.1 Stian:v4.2.0 Stian:v4.1.0 Stian:v4.0.2 Stian:v4.0.1 Stian:v4.0.0

10 Commits
v4.2.0 ... 8c606ad498

Author SHA1 Message Date
Sterister
8c606ad498 release(v4.8.2): per-from receive serialization + per-connection bridge dedup
Some checks failed
Test / test (push) Has been cancelled
Details 
Two interlocking robustness fixes for the duplicate-fan-out / first-contact
class of failures Prism reported.

1. `Shade.receive(from, env)` now queues its `manager.decrypt` step
   per `from` so concurrent dispatches can't race the SessionManager
   ratchet or the StorageProvider (sqlite "database is locked", IDB
   transaction conflicts). User message handlers run *outside* the
   queue so streams + file-RPC's nested `shade.receive` calls don't
   self-deadlock.

2. Bridge WS + SSE handlers now run a per-connection bounded msgId
   LRU as defense-in-depth against any flushTo re-entry (event-storm,
   future refactor). Pending-flush chains are wrapped in `.catch(() =>
   {})` so a transient `ws.send` rejection no longer poisons the
   connection's flush loop.

Tests: storming `inbox.blob_stored` 10× per PUT yields exactly one WS/
SSE frame; 8 concurrent `bob.receive('alice', envelope)` calls keep
the ratchet intact and never surface "database is locked".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-08 12:13:46 +02:00
Sterister
680d6386f3 release(v4.8.1): SHADE_DISABLE_RATE_LIMIT env var for single-tenant deploys 
Plumbing fix only — both createPrekeyRoutes and createInboxRoutes
already accepted disableRateLimit; standalone.ts just didn't read
the env. Now SHADE_DISABLE_RATE_LIMIT=1 turns off IP rate-limits on
every prekey + inbox route, with a WARN log on startup so operators
see it.

Single-tenant deployments only — multi-tenant relays must leave it
unset. Documented in docs/DEPLOYMENT.md.

Reported by Prism: ~6 pair attempts/hour from a single dev IP +
the sidecar's register call tripped the 5/hour REGISTER_LIMIT every
dev iteration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-08 00:55:57 +02:00
Sterister
1fb59a7076 release(v4.8.0): sender-fingerprint attribution + Inbox.start race fix 
Two unblocking changes for first-contact flows.

Sender attribution: relay captures shortHash(senderSigningKey) at
PUT time (after signature verification, no new trust surface) and
surfaces it on bridge push (IncomingMessage.from) + inbox-fetch
(FetchedBlob.from) + DecryptHandler raw arg. Apps receiving a prekey
envelope from a never-before-seen peer can now bootstrap X3DH via
shade.receive('fp:<hex>', env) — pre-4.8 the wire envelope didn't
authenticate the sender and there was no out-of-band hint to use.
Idempotent ALTER TABLE migrations for SQLite + Postgres add a
sender_fp TEXT column; legacy rows surface as from=undefined
(inter-version compat).

Inbox.start() race: pre-4.8 start() called register() fire-and-forget
AND schedulePoll(0) synchronously, so the first poll on a fresh
address often beat the register HTTP RTT and got SHADE_NOT_FOUND.
start() now defers; register() success kicks schedulePoll(0). Manual
tick() is unaffected (deliberate user action, no gating).

Both reported by Prism. Tests cover all five acceptance criteria
from the sender-attribution request (PUT capture, bridge surface,
fetch surface, inter-version compat, end-to-end pair smoke) plus
the three from the race-fix request.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-08 00:11:59 +02:00
Sterister
594992a183 release(v4.7.0): peer-presence events for instant BroadcastChannel revoke 
Adds the bridge-connection-lifecycle signal that closes Prism's
~45s revoke window down to one server→client round-trip (~50ms).

Server (`@shade/inbox-server`):
- `inbox.peer_connected` / `inbox.peer_disconnected` events on the
  0↔1 boundary across WS + SSE bridges. Long-poll deliberately not
  tracked (every poll boundary would flap; push transports are also
  the only ones where instant revoke matters).
- `PresenceTracker` collapses two parallel bridges (e.g. WS + SSE
  during fallback handover) into one connect/disconnect pair.
- `GET /v1/bridge/presence` SSE endpoint: signed query with
  `kind: 'presence'`, `watched: string[]`; on open streams a
  per-address snapshot, then change frames filtered server-side.
  MAX_WATCHED_ADDRESSES = 64. Subscribing does not itself count as
  a peer-bridge connection.
- `createBridgeRoutes` now returns `{ app, websocket, presence }`.

Client (`@shade/transport-bridge`):
- `PresenceBridge.subscribe({ watch, onPresenceChange })` →
  `{ addPeer, removePeer, watching, unsubscribe }`. addPeer/removePeer
  mutate via reconnect with a fresh signed query.
- `signPresenceQuery` helper for non-PresenceBridge consumers.

Tests cover all four acceptance criteria from the Prism request:
server-event smoke, online→offline subscription, address scoping
(carol invisible to a [alice]-only sub), reconnect, plus an
addPeer/removePeer regression.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-07 23:16:35 +02:00
Sterister
8746571d2a release(v4.6.1): bind globalThis.fetch in browser-receiver-sensitive call sites 
Browsers' Window.fetch is a WebIDL bound operation; storing it as
this.fetchImpl / this.fetchFn and calling via the instance receiver
threw "Illegal invocation" on the first request. Bind once at
construction in InboxClient, LongPollBridge, and SseBridge. Reported
by Prism (multi-device E2EE terminal), blocking every browser
consumer of the v4.6 transport stack on inbox.start() / bridge.connect().

WsBridge unaffected (uses WebSocket). Node/Bun fetch tolerates a free
receiver, so the bug never surfaced server-side — added regression
tests that install a strict-receiver globalThis.fetch to catch the
issue without an actual browser harness.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-07 23:00:58 +02:00
Sterister
2c400d7094 release(v4.6.0): broadcast channels — Signal sender-keys for one-to-many fan-out
Some checks failed
Test / test (push) Has been cancelled
Details
Cross-platform vectors / TypeScript vectors (bun) (push) Has been cancelled
Details
Cross-platform vectors / Kotlin vectors (gradle) (push) Has been cancelled
Details
Docker build and publish / docker (push) Has been cancelled
Details
Publish / publish (push) Has been cancelled
Details 
Lands the broadcast-channel primitive Prism asked for in
Docs/shade-feature-request-sender-keys.md. The crypto in
@shade/core/sender-keys.ts was already in place; this release wires
it up as a first-class app-facing API, adds the persistence schema
across all six storage backends (memory, sqlite, indexeddb +
encrypted variants), introduces wire type 0x21 in @shade/proto,
and ships Prism's three acceptance tests verbatim.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-07 15:55:34 +02:00
Sterister
2b1b4d6630 release(v4.5.0): browser-side encrypted storage + multi-factor unlock 
Adds the foundations Prism's web client (and any future browser-based
Shade app) needs: at-rest-encrypted IndexedDB storage that mirrors the
SQLite backend byte-for-byte at the AAD/nonce level, browser-safe
subpath imports so Vite/webpack/esbuild stop hitting bun:sqlite, and
KeyManager support for argon2id and N-factor composite unlock.

@shade/storage-encrypted
- EncryptedIndexedDBStorage (subpath: /idb) — full StorageProvider
  using one object store per _enc table; reuses aeadSeal/aeadOpen +
  row-codec sealers so a row sealed under the SQLite or Postgres
  backend decrypts under IDB given the same KeyManager.
  bumpPeerIdentityVersion is atomic under one IDB transaction.
- KeyManager argon2id source — memory-hard KDF for low-entropy
  secrets (PINs). Backed by @noble/hashes/argon2 (already a transitive
  dep). DEFAULT_ARGON2ID exported (m=64 MiB, t=3, p=1).
- KeyManager composite source — HKDF-combine N sub-sources into one
  master. Every source mandatory; order significant by design;
  composite-of-composite rejected; optional info string for app-level
  domain separation.
- Subpath exports (/crypto, /sqlite, /postgres, /idb) plus a `browser`
  condition on the default import that resolves to a barrel
  excluding the Bun- and Postgres-specific entries. Browser bundles
  no longer pull bun:sqlite transitively.

Tests
- 73 tests in shade-storage-encrypted (was 31). New coverage:
  argon2id determinism + reject paths, composite same-factors → same
  master, wrong-PIN/passphrase/order-swap → different master, info
  domain separation, all 28 StorageProvider methods on
  EncryptedIndexedDBStorage, fingerprint-mismatch rejection, and
  cross-impl roundtrip with EncryptedSQLiteStorage proving the AAD/
  nonce derivation is implementation-agnostic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-07 10:58:49 +02:00
Sterister
dbb3a090d8 release(v4.4.0): public accessor for device identity public key 
Expose the local device's 32-byte Ed25519 identity public key on Shade
so apps can hand it to their own backend at enrollment time for
signature verification, key pinning or per-device safety-number
computation. Closes the gap that forced consumers to ship placeholder
random bytes their backend could store but never verify against.

- @shade/sdk Shade.identityPublicKey: Promise<Uint8Array> — getter
  mirrors the existing fingerprint accessor. Throws pre-init,
  reflects the current key after rotate(), retired key preserved in
  retired-identities storage per existing grace-period contract.
  Private key remains unreachable.
- Test in shade-sdk/tests/sdk.test.ts: round-trip match against the
  underlying storage's signingPublicKey, plus value updates after
  rotate().
- Lockstep version bump 4.3.0 → 4.4.0 across all 25 packages.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-05 17:58:45 +02:00
Sterister
f5f42fe557 release(v4.3.0): browser persistence via @shade/storage-indexeddb 
Ship an official IndexedDB-backed StorageProvider so browser-based Shade
consumers persist identity, prekeys, sessions, retired identities,
peer-verification state and stream-resume rows across tab refresh and
browser restart. Closes the gap that forced browser apps onto
storage:"memory" (regenerated identity each load, orphaned device
records server-side).

- New package @shade/storage-indexeddb (4.3.0): full StorageProvider
  conformance, schema v1, idb-backed; bumpPeerIdentityVersion is wrapped
  in a single readwrite IDB transaction (atomic, vs SQLite's
  read-then-upsert race).
- @shade/sdk resolveStorage() accepts { type: 'indexeddb', dbName? } via
  dynamic import (lazy, optional dep — same pattern as
  @shade/storage-postgres). Named StorageSpec type now reused by
  ResolvedConfig.
- Tests: 16 new tests in shade-storage-indexeddb (StorageProvider
  surface + peer-verifications + full E2EE conversation surviving a
  simulated tab reload). Run on fake-indexeddb.
- Lockstep version bump 4.2.1 → 4.3.0 across all 25 packages.
- Publish scripts updated to include the new package.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-05 17:35:02 +02:00
Sterister
b77b7e771c release(v4.2.1): fix concurrent-ratchet desync via OutboundQueue waiter cursor
Some checks failed
Publish / publish (push) Has been cancelled
Details
Docker build and publish / docker (push) Has been cancelled
Details 
Pull-mode httpClient + drainer + parallel RPCs against the same peer
deteriorated after ~10s with `DecryptionError`. Two bugs combined:

- `OutboundQueue.enqueue` woke `drain` waiters with a `since=0`
  snapshot, replaying already-processed events into
  `Shade.acceptTransferEnvelope` → `manager.decrypt` twice. The
  duplicate consumed an already-used skipped key and corrupted the
  Double Ratchet receive chain.

- `ratchetDecrypt` then propagated the corruption: a same-DH
  message behind the chain with no cached skipped key fell through
  to `kdfChainKey` on the ahead state and rewound `chain.counter`,
  permanently desyncing the chain.

Fix `OutboundQueue` to honor each waiter's `since`, and harden
`ratchetDecrypt` so any future duplicate fails cleanly without
mutating state. Adds regression coverage at all three layers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-04 22:58:26 +02:00
92 changed files with 6926 additions and 163 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -2,3 +2,6 @@ node_modules/
dist/
*.tsbuildinfo
.DS_Store
**/.tmp-*.db
**/.tmp-*.db-shm
**/.tmp-*.db-wal

705
CHANGELOG.md
View File

@@ -5,6 +5,711 @@ All notable changes to Shade are documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [4.8.2] — 2026-05-08 — Per-`from` decrypt serialization + per-connection bridge dedup
Two interlocking robustness fixes for the first-contact / duplicate-fan-out
class of failures Prism reported. Either fix on its own would help; together
they make the receiver path tolerant of any combination of relay duplicates
and concurrent dispatchers.
**(1) `Shade.receive(from, env)` now serializes its ratchet/storage
step per `from`.** The send path has had a per-address `encryptChains`
mutex since V1 — receive did not. Concurrent decrypts for the same peer
raced the `SessionManager` ratchet (mutated in place) and the
`StorageProvider` (which is not required to be a concurrent-safe
writer — `bun:sqlite` throws `database is locked`, IndexedDB throws
transaction conflicts). Symptom in production: a single relay PUT that
fans out 8× over a WS bridge gets dispatched as 8 parallel
`shade.receive` calls; one wins the X3DH prekey race, the other 7 fail
with `database is locked` or `one-time prekey not found: <id>`, and the
post-decrypt side effects (`markPeerVerified`,
`BroadcastChannel.addMember`, paired-reply `inbox.send`) get lost in
the rubble. The decrypt step is now chained off a per-`from` promise
queue. Crucially, the user-facing **message handlers run outside the
queue** — streams + file-RPC issue nested `shade.receive` calls for the
same peer from inside their handlers (e.g. `stream-end` arrives while a
write-RPC is still waiting on chunks), and holding the queue across the
handler would self-deadlock. Only the atomic ratchet+storage step is
protected.
**(2) Bridge handlers (WS + SSE) now run a per-connection msgId
LRU dedup.** Cursor-based delivery already de-duplicates in the happy
path, but the gate is a defense-in-depth against any subtle re-entry of
`flushTo` (event-storm, future refactor, fallback-timer race). The chain
that drives flush is now also wrapped in `.catch(() => {})` so a
transient `ws.send` / SSE write rejection doesn't poison every future
push on the connection.
Both reported by Prism (multi-device E2EE terminal). Wave-3 pair
handshake is unblocked even when the receiver runs multiple bridges or
the relay double-fires `inbox.blob_stored`.
### Fixed
#### `@shade/sdk` — `Shade.receive` per-`from` serialization
- `Shade` gains a private `decryptChains: Map<string, Promise<unknown>>`
mirroring the existing `encryptChains` on the send path.
- `Shade.receive(from, env)` chains its `manager.decrypt(from, env)`
call off the prior decrypt promise for the same `from`. The
post-decrypt control-plaintext check and user `messageHandlers` run
*outside* the chain so nested `shade.receive` calls from inside a
handler don't self-deadlock (streams + file-RPC depend on this).
- The stored chain is `decryptPromise.catch(() => undefined)` so a
rejection in one decrypt doesn't sabotage the next; this caller
still sees its own rejection through the original promise.
- External signature unchanged.
#### `@shade/inbox-server` — bridge per-connection msgId dedup
- New internal `DeliveredIdLru` (4096-entry bounded set, FIFO eviction)
per WS / SSE connection. `flushTo` skips emit when a row's `msgId` is
already in the LRU. Long-poll handlers don't need it (each request is
isolated).
- `pendingFlushPromise` chains in both WS and SSE handlers now
terminate in `.catch(() => {})` so a transient emit failure doesn't
silently kill the connection's flush loop.
### Tests
- `packages/shade-transport-bridge/tests/bridge.test.ts` — new
"Bridge dedup" describe block: storms `inbox.blob_stored` 10× for one
PUT and asserts WS / SSE both deliver exactly one frame.
- `packages/shade-sdk/tests/sdk.test.ts` — new
"concurrent receive(from, env) for same `from` does not race the
ratchet" exercises 8 parallel `bob.receive('alice', env)` for the
same envelope and asserts:
1. at least one fulfills with the right plaintext;
2. no rejection mentions `database is locked`;
3. the next legitimate message still decrypts (ratchet intact).
### Migration
None. Drop-in. Bridges and receivers behave identically on non-
duplicate paths; the new gates only kick in when a duplicate would
otherwise have been emitted / dispatched.
## [4.8.1] — 2026-05-08 — `SHADE_DISABLE_RATE_LIMIT` env var for single-tenant deploys
The standalone server's `routes.ts` and `inbox-server`'s
`createInboxRoutes` already accepted a `disableRateLimit?: boolean`
option, but the standalone entry just didn't read it from environment.
Self-hosted single-tenant deploys (Prism's relay is a typical case —
only Prism PC clients + their paired browsers) tripped the
`REGISTER_LIMIT` (5/hour per IP) every dev iteration: ~6 pair attempts
in an hour from the same IP plus the sidecar's register call killed
the dev loop until the bucket refilled (~1 token per 12 minutes).
Reported by Prism. Two-line plumbing fix: `standalone.ts` now reads
`SHADE_DISABLE_RATE_LIMIT=1` and forwards `disableRateLimit` to both
`createPrekeyRoutes` and `createInboxRoutes`.
### Added
#### `@shade/server`
- `SHADE_DISABLE_RATE_LIMIT=1` env var disables IP rate-limits on every
prekey + inbox route in `standalone.ts`. Logged as a `WARN` on startup
(`SHADE_DISABLE_RATE_LIMIT=1 — IP rate limits OFF on prekey + inbox
routes`) so operators see it in stderr/log aggregation.
- **Single-tenant deployments only** — multi-tenant relays must leave
this unset. The rate-limit defends multi-tenant relays against abuse;
flipping it off is appropriate for self-hosted single-team setups
where every caller is a known client. Documented in
[`docs/DEPLOYMENT.md`](./docs/DEPLOYMENT.md) under "Environment variable
reference".
### Tests
- `packages/shade-server/tests/rate-limit.test.ts` — the existing
"register endpoint rate-limits per IP" test verifies the default-on
path; a new sister test exercises
`createPrekeyServer({ disableRateLimit: true })` and confirms 12
consecutive register calls from the same IP all return 200 (no 429).
The env-var → option conversion in `standalone.ts` is a one-liner
verified by inspection.
### Migration
None. Default is unchanged (rate limits stay ON). Self-hosted
single-tenant operators add `SHADE_DISABLE_RATE_LIMIT=1` to their
deployment env to flip it off.
## [4.8.0] — 2026-05-08 — Sender-fingerprint attribution + `Inbox.start()` race fix
Two unblocking changes for first-contact flows. First, the relay now
captures the sender's signing-key fingerprint at PUT time and surfaces
it on every downstream delivery — bridge push (`IncomingMessage.from`)
and inbox-fetch response (`FetchedBlob.from`). Without it, an app
receiving a prekey envelope from a never-before-seen peer cannot
decrypt it: `shade.receive(from, env)` requires a sender address and
the wire envelope itself doesn't authenticate the sender. The
fingerprint is the same 8-byte hex of SHA-256(senderSigningKey) that
`IncomingMessage.from` was already documented as carrying; the field
just wasn't populated.
Second, `Inbox.start()` no longer races register vs the first poll.
Pre-fix, a fresh address calling `start()` saw the very first
`/v1/inbox/{addr}/fetch` POST race the register HTTP RTT and return
`SHADE_NOT_FOUND` — confusing 404 in DevTools, ~30s gap until the next
scheduled poll, and inbox-fetch silently dark for the gap (bridge push
covered for it, which is why this slipped through). `start()` now
defers the first poll; `register()` success kicks `schedulePoll(0)`.
Both reported by Prism (multi-device E2EE terminal). Wave-3 pair
handshake is unblocked: web POSTs pair frame to PC inbox, PC's
`onIncoming` gets `raw.from = "fp:<hex>"`, calls
`shade.receive('fp:<hex>', env)`, parses plaintext, learns real
address, sends paired-reply.
### Added
#### `@shade/inbox-server`
- `InboxStore.putBlob({ ..., senderFp? })` — store interface accepts an
optional 8-byte hex fingerprint. `MemoryInboxStore`,
`SqliteInboxStore` (`@shade/storage-sqlite`), and `PostgresInboxStore`
(`@shade/storage-postgres`) all persist + return it.
- `InboxStore.fetchBlobs(...)` rows expose `senderFp?: string`.
Undefined for legacy rows persisted by a pre-4.8 relay.
- `POST /v1/inbox/:address` route computes `shortHash(senderSigningKey)`
after the sender's signature is verified and forwards it to
`store.putBlob({ ..., senderFp })`. The signature verification path
authorizes the same fingerprint that gets persisted — no new trust
surface.
- `POST /v1/inbox/:address/fetch` response includes `from` per blob
when the row has a fingerprint. Absent on legacy rows.
- Bridge endpoints (`/v1/bridge/{stream,poll,ws}`) now populate
`BridgeWireMessage.from` from the row's `senderFp`. The
`transport-bridge` wire format already accepted `from`; v4.7 just
never filled it.
#### `@shade/inbox`
- `FetchedBlob.from?: string` — relay-supplied sender fingerprint hint,
parsed from the fetch response.
- `DecryptHandler` raw arg gains `from?: string`. Apps that ignore it
keep working unchanged (back-compat: the field is optional).
### Fixed
#### `@shade/inbox` — `Inbox.start()` register/poll race
`start()` no longer schedules the first poll synchronously alongside
the fire-and-forget `register()`. Instead, `register()` success kicks
`schedulePoll(0)`, so the first poll fires after the server has
acknowledged the address. Already-registered instances (where the
local `this.registered` flag is true at `start()` time, e.g. after a
restart that hydrated state) get an immediate poll as before.
### Storage migrations
Idempotent ALTER TABLE for live deployments:
- **SQLite** (`@shade/storage-sqlite`): on open, the store does
`PRAGMA table_info(inbox_blobs)` and runs
`ALTER TABLE inbox_blobs ADD COLUMN sender_fp TEXT` if the column is
missing. Fresh databases get the column from the `CREATE TABLE IF
NOT EXISTS` directly.
- **Postgres** (`@shade/storage-postgres`): `ensureInboxServerTables`
runs `ALTER TABLE shade_inbox_blobs ADD COLUMN IF NOT EXISTS
sender_fp TEXT`.
Both leave existing rows with `sender_fp = NULL`. The fetch path emits
`from` only when the column is non-empty, so legacy blobs surface as
`from: undefined` (acceptance criterion (4): inter-version compat).
### Tests
- `packages/shade-inbox/tests/client.test.ts`:
- **Race fix**: spy fetch records the order of `register` and `fetch`
requests; first `fetch` (if any) must follow `register`. Pre-fix
the recording fetch threw "fetch fired before register completed
(race not fixed)".
- **Fetch attribution**: `FetchedBlob.from` matches
`SHA-256(senderSigningKey)[:8]` in hex.
- **DecryptHandler propagation**: `raw.from` arrives in the app's
handler.
- `packages/shade-transport-bridge/tests/bridge.test.ts`: same
fingerprint regression for SSE, WS, and long-poll bridges
(`IncomingMessage.from` non-empty + matches the expected digest).
- `packages/shade-storage-sqlite/tests/sqlite-inbox-store.test.ts`:
- senderFp round-trip through put + fetch.
- senderFp omitted on put → fetched row has `senderFp: undefined`.
- **Pre-4.8 schema migration**: open a DB seeded with a v4.7
`inbox_blobs` schema (no `sender_fp` column), reopen via
`SqliteInboxStore`, verify the legacy row survives + new writes
carry the new field.
### Migration
None required for app code. Existing handlers that ignore
`raw.from` / `IncomingMessage.from` keep working unchanged. Apps that
want sender-attributed first-contact:
```ts
inbox.onIncoming(async (raw) => {
const tentativeAddr = raw.from ? `fp:${raw.from}` : null;
if (!tentativeAddr) return null; // legacy relay; drop
const env = decodeEnvelope(raw.ciphertext);
const plaintext = await shade.receive(tentativeAddr, env);
// pair frame announces real address; reconcile fp:<hex> → real
return null;
});
```
For Prism specifically: drop the `await this.inbox.register()`
workaround in `apps/web/src/shade/transport.ts` and
`packages/shade-sidecar/src/transport.ts`. `inbox.start()` on 4.8+
no longer races and the explicit pre-register is redundant.
## [4.7.0] — 2026-05-07 — Peer-presence events for instant `BroadcastChannel` revoke
`BroadcastChannel.removeMember` (v4.6) is the right primitive for revoking a
paired peer's sender-key membership when, say, a tab closes or a laptop
locks — but until now there was no signal saying "this peer's bridge just
went away". Apps had to fall back to client-side heartbeats:
`apps/web/src/shade/heartbeat.ts`-style 20s pings + a 10s GC sweep, with a
~45s worst-case revoke window. For a terminal-mirroring product whose
threat model includes *"someone takes the unattended laptop"*, 45s of
legitimate broadcast access for the attacker is too long.
This release surfaces the bridge-connection-lifecycle signal that
`createBridgeRoutes` already had internally. The inbox event bus now emits
`inbox.peer_connected` / `inbox.peer_disconnected` on the 0↔1 boundary
across WS + SSE bridges, and a new `/v1/bridge/presence` SSE endpoint plus
the `PresenceBridge` client class let any authenticated SDK subscribe to
presence transitions for a watcher-declared address list. The SDK glue
collapses to ~5 lines:
```ts
const sub = await new PresenceBridge({ baseUrl, crypto, signingPrivateKey, address }).subscribe({
watch: paired_peers,
onPresenceChange: (e) => {
if (e.status === 'offline') void channel.removeMember(e.address);
},
});
```
Reported by Prism — collapses Prism's wave-3 heartbeat-based revoke from
~45s to ~50ms (one network round-trip) for the overwhelmingly common case
of a clean WS close.
### Added
#### `@shade/inbox-server`
- `InboxServerEventMap` gains two new event names:
- `inbox.peer_connected``{ address, bridgeKind: 'ws' | 'sse' }`
fires when an address transitions from zero to ≥1 active push-bridge
connections.
- `inbox.peer_disconnected``{ address, bridgeKind, reason: 'closed' | 'error' }`
— fires when the last push-bridge connection for the address closes.
- New `PresenceTracker` class (`packages/shade-inbox-server/src/presence.ts`)
— per-address connection-count map; emits transitions into a wired
`InboxServerEvents`. Two parallel bridges (WS + SSE during a fallback
handover) collapse into one `peer_connected` / `peer_disconnected`
pair so consumers don't see flicker.
- `createBridgeRoutes` now returns `{ app, websocket, presence }` so
operators / tests can read the live presence map. A `presenceTracker`
option lets multiple route mounts share state.
- New `GET /v1/bridge/presence` SSE endpoint:
- Auth: signed query `{ address, kind: 'presence', watched: string[],
signedAt, signature }` against the watcher's registered owner key.
`kind: 'presence'` is bound into the canonical signed payload to
prevent cross-endpoint replay against `/v1/bridge/{stream,poll,ws}`.
- On open: emits one `event: presence` SSE frame per watched address
with the current online/offline snapshot.
- On change: streams `{ address, status, at, via: 'ws'|'sse' }` frames
filtered server-side to the watcher's address list.
- Subscribing does NOT itself count as a peer-bridge connection — a
PresenceBridge open will not make the watcher appear online to
other watchers.
- `MAX_WATCHED_ADDRESSES = 64` per subscription.
#### `@shade/transport-bridge`
- New `PresenceBridge` class with `subscribe({ watch, onPresenceChange,
onError? })` returning `{ addPeer, removePeer, watching, unsubscribe }`.
- `addPeer` / `removePeer` mutate the watched set by aborting the
current SSE connection so the run loop reopens with a fresh signed
query. Mutations are expected to be rare (only on pair / unpair) so
the brief reconnect gap is acceptable.
- Auto-reconnect with exponential backoff (250ms → 10s, same defaults
as `SseBridge`); `disableAutoReconnect: true` for tests.
- `signPresenceQuery` helper exported from `@shade/transport-bridge/auth`
for non-PresenceBridge consumers (manual EventSource, observability
scrapers, etc.).
### Why long-poll is NOT tracked
A long-poll client toggles in/out of `/v1/bridge/poll` every few seconds,
and treating each request boundary as a presence transition would
dominate the event stream with flapping. Push transports are also the
only ones where a ~50ms revoke window matters — long-poll users are
already on a slow path. Apps that need presence over long-poll continue
to use client-side heartbeats.
### Tests
- `packages/shade-transport-bridge/tests/bridge.test.ts` — four blocks
covering all acceptance criteria from the request:
- **(1)** `WsBridge.connect()` then `disconnect()` → operator's
`events.on(...)` sees `inbox.peer_connected` then
`inbox.peer_disconnected` with `address: 'alice'`, `bridgeKind: 'ws'`.
- **(2A)** Bob subscribes presence on `[alice]`; alice opens a
WsBridge → bob's `onPresenceChange` fires `online` within 2s.
- **(3)** Bob's `[alice]` subscription must NOT receive frames for
an unrelated `carol` address opening her own bridge.
- **(4)** Alice's bridge reopens after a drop → bob sees `online`
again on the same subscription.
- Plus an `addPeer` / `removePeer` regression that verifies the
reconnect-on-mutation path delivers a fresh snapshot for the new
address and stops delivering for the removed one.
### Migration
None. Strict additive — existing `InboxServerEvents` consumers keep
working unchanged. `createBridgeRoutes`'s return type added a
`presence` field; destructuring code that names only `app, websocket`
keeps compiling.
For Prism specifically: drop the wave-3 heartbeat module
(`apps/web/src/shade/heartbeat.ts`) on the PC sidecar and replace with
a `PresenceBridge` subscription on the paired-peer set. Keep the
heartbeat as a network-partition fallback if you want a belt-and-
braces revoke story; with presence-events the worst-case revoke window
drops from ~45s to one server→PC round-trip.
## [4.6.1] — 2026-05-07 — Browser `fetch` receiver lost in `Inbox` and HTTP bridges
Every browser consumer of the v4.6.0 transport stack crashed on the
*first* network call with:
```
Failed to execute 'fetch' on 'Window': Illegal invocation
```
`@shade/inbox`, `@shade/transport-bridge` (`SseBridge`, `LongPollBridge`)
each cached the default `globalThis.fetch` reference as a class property
and later invoked it as `this.fetchImpl(url, …)` / `this.fetchFn(url, …)`.
The browser's `fetch` is a WebIDL bound operation: calling it as a
method on any object other than the `Window` rejects with the error
above. Node/Bun `fetch` tolerates a free receiver, so the bug only
manifested in actual browsers and slipped through the SDK test suite.
Reported by Prism (multi-device E2EE terminal) — `inbox.start()` →
`register()` → `client.register()` → `this.fetchImpl(url, …)` threw on
the first `/v1/inbox/register` POST, so `transport.start()` never sent
the pair handshake and the web side timed out after 30s with "PC did
not reply".
### Fixed
#### `@shade/inbox` — `InboxClient` constructor
`fetchImpl` is now `(options.fetch ?? globalThis.fetch).bind(globalThis)`.
A consumer-supplied `options.fetch` is bound too — a custom fetch with
its own receiver requirements must bind itself; binding to `globalThis`
is otherwise a no-op for free functions.
#### `@shade/transport-bridge` — `LongPollBridge` and `SseBridge` constructors
Same binding fix in both. `WsBridge` was unaffected (uses `WebSocket`).
### Tests
- `packages/shade-inbox/tests/client.test.ts` — installs a strict-receiver
`globalThis.fetch` that mimics the WebIDL "Illegal invocation" check,
constructs `InboxClient` with no `fetch` override, runs `register()`,
and asserts the strict fetch saw `globalThis` as `this`. Pre-fix this
throws; post-fix it passes.
- `packages/shade-transport-bridge/tests/bridge.test.ts` — same regression
for both `LongPollBridge.connect()` (probe call) and `SseBridge.connect()`
(open-once call).
### Migration
None. Existing `options.fetch` overrides keep working unchanged. Apps
shipping a workaround like
```ts
new Inbox({ ..., fetch: globalThis.fetch.bind(globalThis) });
```
can drop the `.bind(globalThis)` and the redundant `fetch:` option once
they're on `4.6.1`.
## [4.6.0] — 2026-05-07 — Broadcast channels (Signal sender-keys for one-to-many fan-out)
Prism's PC desktop is the *sender* in a one-to-many fan-out — one PTY
output frame, N paired-device deliveries — and bilateral `for (peer of
peers) shade.send(peer, frame)` works for N ≤ 5 but starts hurting once
the paired fleet grows (3 laptops + phone + tablet + watch = N = 7) and
once mobile cellular is in the loop. The crypto pattern that solves it
is Signal's **sender-key**: the sender holds a per-channel symmetric
chain key shared with all members, encrypts each message *once* with
it, and the relay (or the SDK fan-out loop) ships the same ciphertext
to every recipient.
This release lands sender-key broadcast as a scoped "broadcast channel"
primitive in `@shade/sdk`, with the persistence + wire format + receiver-
side `meta.kind === 'broadcast'` plumbing wired through every backend.
The crypto in `@shade/core/sender-keys.ts` was already in place;
v4.6 turns it into a first-class app-facing API.
### Added
#### `@shade/sdk`
- `shade.createBroadcastChannel({ label? })` → `BroadcastChannel` —
opaque, persisted channel id stable across `shutdown()` / re-open.
Owner role: `sender` (only the channel creator can broadcast).
- `BroadcastChannel.addMember(peerAddress)` — distributes the current
sender-key to a paired peer over the existing bilateral ratchet.
Returns the wrapped envelope the app delivers; the SDK does the
framing inline (no new wire-format changes visible to apps —
acceptance criterion (3)).
- `BroadcastChannel.removeMember(peerAddress)` — rotates the chain
(fresh `chainKey` + new Ed25519 signing keypair, `generation++`),
destroys the old key material, and returns one envelope per surviving
member with the new sender-key. Stale broadcasts at lower generations
are silently dropped on receive.
- `BroadcastChannel.broadcast(plaintext)` — single AES-256-GCM encrypt
with the current chain message key + Ed25519 signature; the SAME
envelope is delivered to every member. Returns
`{ envelope: Uint8Array, members: readonly string[] }` so the app's
transport handles the per-peer fan-out.
- `BroadcastChannel.members()` — snapshot of currently-active members
(excludes revoked).
- `shade.getBroadcastChannel(channelId)` / `shade.listBroadcastChannels()`
for reconciling app-level pairing state with persisted channel state.
- `shade.acceptBroadcast(envelope)` — decrypt an inbound broadcast wire
envelope; dispatches to `onMessage` handlers with
`meta = { kind: 'broadcast', channelId, sender, generation, iteration }`.
- `Shade.onMessage` handler signature gained an optional third arg
`meta?: MessageMeta` — back-compat: handlers that ignore it keep
working unchanged for direct messages.
#### `@shade/proto`
- `encodeBroadcast(BroadcastWire)` / `decodeBroadcast(bytes)` — wire
type `0x21`. Length-prefixed channelId + senderAddress, u32
generation/iteration, 12-byte AES-GCM nonce, 64-byte Ed25519
signature, length-prefixed ciphertext.
- `inspectEnvelopeType` recognises `'broadcast'`.
#### `@shade/core`
- `BroadcastChannelRecord` — persisted channel state (chainKey,
iteration, signing keys, generation, role).
- `BroadcastMemberRecord` — sender-side membership row with `joinedAt`
+ nullable `removedAt`.
- `StorageProvider` gained six optional methods:
`saveBroadcastChannel`, `getBroadcastChannel`, `listBroadcastChannels`,
`removeBroadcastChannel`, `saveBroadcastMember`, `getBroadcastMembers`,
`removeBroadcastMember`. Backends < 4.6 throw a clear error when an
app tries to call `createBroadcastChannel` against them.
#### Storage backends
- `MemoryStorage`, `SQLiteStorage`, `IndexedDBStorage` — plaintext
`broadcast_channels` + `broadcast_members` tables. IDB schema bumps
to v2 with an upgrade-path that creates the new stores idempotently.
- `EncryptedSQLiteStorage`, `EncryptedIndexedDBStorage`,
`EncryptedPostgresStorage` — `broadcast_channels_enc` +
`broadcast_members_enc` schemas. The chain key, iteration, and
signing-key bundle live in a sealed `ciphertext` blob bound to
`(table='broadcast_channels', column='broadcast_channel_sensitive', pk=channelId)`
AAD; routing fields (channelId, ownerRole, ownerAddress, label,
generation, timestamps) stay plaintext for queries. New row-codec
helpers `sealBroadcastChannelSensitive` / `openBroadcastChannelSensitive`.
IDB schema bumps to v2 the same way.
### Tests
- `packages/shade-sdk/tests/broadcast.test.ts` — Prism's three
acceptance tests verbatim: (1) two-member receive with
`meta.kind === 'broadcast'`, (1*) revocation rotates + receiver A
drops while B keeps working, (2) persistence — channel id, members,
and chain advance survive `shutdown()` + re-open from the SQLite
path, (3) `listBroadcastChannels` surfaces both sender + receiver
records correctly.
- `packages/shade-storage-encrypted/tests/encrypted-sqlite.test.ts` —
channel + member round-trip under sealed storage; receiver-side rows
correctly persist without `signingPrivateKey`.
### Compatibility
- Wire-protocol additive: existing peers ignore the `0x21` envelope
type. Apps not using broadcast channels see no behavior change.
- Storage schemas additive: the new `broadcast_*` tables / object
stores are created on first open; migrations from a 4.5 database are
no-ops. IDB schema-version bump happens transparently in `upgrade`.
## [4.5.0] — 2026-05-07 — Browser-side encrypted storage + multi-factor unlock
Browser-based Shade clients (Prism's web client being the first) needed
the same at-rest encryption story as the desktop SQLite path: identity,
prekeys, sessions and stream-resume state persisted across reloads,
unwrapped from a user-supplied passphrase — and on browsers, optionally
gated behind a second factor (PIN) since there is no OS-session boundary
to lean on. The existing barrel of `@shade/storage-encrypted` also
transitively imported `bun:sqlite` and `postgres`, which prevented Vite/
webpack/esbuild from producing a clean browser bundle.
This release adds an encrypted IndexedDB backend that mirrors
`EncryptedSQLiteStorage` byte-for-byte at the AAD/nonce level, exposes
browser-safe subpath imports, and lets `KeyManager` derive its master
key from low-entropy secrets (argon2id) and from N composed factors
(every factor mandatory).
### Added
#### `@shade/storage-encrypted`
- `EncryptedIndexedDBStorage` — IndexedDB-backed `StorageProvider`
exposed via `@shade/storage-encrypted/idb`. One object store per
`_enc` table from the SQLite schema, sealed payloads as `Uint8Array`,
routing/timestamp fields kept plaintext for query efficiency. Reuses
`aeadSeal`/`aeadOpen` and the `row-codec` sealers verbatim — a row
sealed under the SQLite or Postgres backend decrypts under IDB given
the same `KeyManager`. `bumpPeerIdentityVersion` is atomic under one
IDB transaction (closes the read-then-upsert race the SQLite version
has).
- `KeyManager.open({ kind: 'argon2id', ... })` — memory-hard KDF for
low-entropy secrets (PINs, short passwords). Backed by
`@noble/hashes/argon2` (already a transitive dep — pure JS, browser
safe). `DEFAULT_ARGON2ID` exported (m=64 MiB, t=3, p=1, 32-byte
output; ~250400 ms in modern browsers).
- `KeyManager.open({ kind: 'composite', sources, info? })` —
HKDF-combine N sub-sources into one master key. Every source is
required: omitting or substituting any source yields a different
master key and `open()` fails on the storage-key-fingerprint check.
Order is significant by design (`[pwd, pin]` ≠ `[pin, pwd]`).
Composite-of-composite is rejected.
- Subpath exports: `@shade/storage-encrypted/crypto` (KeyManager + KDF
+ AEAD + row-codec, no SQLite/Postgres bindings), `/sqlite` (Bun),
`/postgres` (Node), `/idb` (browser). The `browser` condition on the
default import resolves to a barrel that excludes Bun/Postgres
imports — `import { KeyManager } from '@shade/storage-encrypted'` now
bundles cleanly under Vite without hitting `bun:sqlite` resolution
errors.
- Dependency: `idb` ^8.0.3.
### Tests
- `packages/shade-storage-encrypted/tests/key-manager-multi-factor.test.ts`
— argon2id determinism + reject paths, composite same-factors → same
master, wrong-PIN/wrong-passphrase/order-swap → different master,
explicit `info` domain separation, nested-composite rejection.
- `packages/shade-storage-encrypted/tests/encrypted-indexeddb.test.ts`
— full round-trip coverage of all 28 `StorageProvider` methods,
fingerprint-mismatch rejection on wrong key, atomic peer-identity
bump, plus cross-impl roundtrip with `EncryptedSQLiteStorage`
proving the AAD/nonce derivation is implementation-agnostic.
## [4.4.0] — 2026-05-05 — Public accessor for the device's identity public key
Browser-based Shade consumers building enrollment flows had no way to
hand the device's actual Ed25519 identity public key to their own
backend — the key was reachable only via the private
`storage.getIdentityKeyPair()` call inside `Shade`. Apps shipped with
placeholder bytes (`crypto.getRandomValues(new Uint8Array(32))`) that
the backend stored but couldn't verify against, deferring real
cryptographic device binding until the SDK exposed the key.
### Added
#### `@shade/sdk`
- `Shade.identityPublicKey: Promise<Uint8Array>` — getter returning the
local device's 32-byte Ed25519 identity public key. Mirrors the
`fingerprint` accessor shape. Throws if accessed before
`initialize()`. Reflects the current key after `rotate()`; the
previous key remains in retired-identities storage for the
configured grace period. Use `fingerprint` (12-group safety number)
for human side-channel comparison; use `identityPublicKey` when
handing the raw key to a backend for signature verification or
pinning.
### Tests
- `packages/shade-sdk/tests/sdk.test.ts` — `identityPublicKey exposes
the device Ed25519 key and tracks rotation` covers the round-trip
match against the underlying storage and that the value updates
after `rotate()`.
## [4.3.0] — 2026-05-05 — Browser persistence via `@shade/storage-indexeddb`
Browser-based Shade consumers had no path to session persistence: the only
storage option that worked outside Node was `"memory"`, so the identity
keypair regenerated on every page load and `device:${registrationId}`
churned to a fresh address each refresh. Building a `StorageProvider`
in consumer-land meant 25+ method re-implementations per app and no
shared conformance surface.
`4.3.0` ships an official IndexedDB adapter alongside SQLite and Postgres
so any browser-based Shade SDK consumer (dashboards, contact-list apps,
browser-extension messengers) gets persistent identity, prekeys, sessions,
retired identities, peer-verification state and stream-resume rows for
free, surviving tab refresh and browser restart.
### Added
#### `@shade/storage-indexeddb` (new package)
- `IndexedDBStorage.create({ dbName? })` — async open of an IDB
database (one object store per `StorageProvider` category) with
schema version 1. `dbName` defaults to `"shade"`; consumers that
run multiple Shade-backed apps on the same origin pass distinct
names (`"my-app-shade"`) so the IDB inspector groups them sensibly.
- Full `StorageProvider` conformance: identity, signed/one-time prekeys,
sessions, trusted identities, retired identities (with prune by
`retiredAt`), stream-state save/get/list/prune, peer verifications,
and the per-peer identity-version counter.
- `bumpPeerIdentityVersion` is wrapped in a single IDB `readwrite`
transaction — atomic read-modify-write, closing the race window the
SQLite adapter currently has on parallel `acceptIdentityChange`
calls. (SQL adapters will be brought in line in a follow-up.)
- Implementation dependency: `idb` (Jake Archibald's typed wrapper).
Tests run against `fake-indexeddb` for parity with the SQLite test
layout.
#### `@shade/sdk`
- `resolveStorage()` accepts a fourth spec form:
`{ type: 'indexeddb', dbName?: string }`. Resolution goes through
a dynamic import so Node-only consumers don't pull a browser-only
adapter into their bundle (same pattern as `@shade/storage-postgres`).
- `ShadeConfig['storage']` now exports a named `StorageSpec` type
reused by `ResolvedConfig`, replacing the duplicated inline union.
### Tests
- `packages/shade-storage-indexeddb/tests/indexeddb-storage.test.ts` —
full StorageProvider surface (identity, prekeys, sessions, trust,
retired identities, persistence across close+reopen) plus an end-to-end
`ShadeSessionManager` conversation that survives a simulated tab
reload mid-session.
- `packages/shade-storage-indexeddb/tests/peer-verifications.test.ts` —
CRUD round-trip, upsert-on-duplicate, identity-version increment
invariants, persistence across reopen.
## [4.2.1] — 2026-05-04 — Concurrent-ratchet desync under pull-mode drainer
A consumer running `shade.files.httpClient(server, { outboundQueueUrl, ... })`
alongside parallel RPC traffic against the same peer would, after ~10s of
load, see every subsequent message fail with
`DecryptionError: Failed to decrypt message — wrong key or tampered data`.
Two bugs combined to cause this; both are fixed in `4.2.1` with regression
coverage.
### Fixed
#### `@shade/transfer` — `OutboundQueue` waiter cursor
`enqueue` woke pending `drain` waiters with a `since=0` snapshot — the
full event log — instead of using the waiter's own `since`. A poll that
parked at the head and was woken by a fresh enqueue therefore replayed
every event the waiter had already processed. Downstream the queue
fed `Shade.acceptTransferEnvelope`, so the duplicate replayed an
envelope into `manager.decrypt` twice. The second decrypt consumed an
already-used skipped key and corrupted the Double Ratchet receive
chain. Each `PendingWaiter` now records its `since` cursor and is
delivered only events with `id > since`.
#### `@shade/core` — `ratchetDecrypt` defense-in-depth
A same-DH message whose `counter` was already behind the chain — and
that did NOT match a cached skipped key — fell through to a path that
called `kdfChainKey` on the *current* (ahead) chain key and then set
`chain.counter = message.counter + 1`, permanently desyncing the
ratchet so every subsequent decrypt returned wrong-key. Such messages
are now rejected with `DecryptionError` without any state mutation, so
a downstream replay (transport bug, retry, intermitent network) cannot
poison the session.
### Tests
- `packages/shade-files/tests/integration/concurrent-ratchet.test.ts` —
100 parallel `httpClient` RPCs while the drainer runs, plus a mixed
workload of 50 RPCs + 50 raw `shade.send` deliveries with Bob
echoing replies through the queue. Both surface the bug pre-fix.
- `packages/shade-transfer/tests/outbound-queue.test.ts` — direct
regression on the waiter `since` cursor.
- `packages/shade-core/tests/ratchet.test.ts` — replay of an
already-decrypted message must throw cleanly without breaking
subsequent decrypts on the same chain.
## [4.2.0] — 2026-05-03 — Pull-mode streams for browser @shade/files
`4.1.0` shipped HTTP RPC for browser clients but capped them at inline

70
bun.lock
View File

@@ -17,7 +17,7 @@
},
"packages/shade-cli": {
"name": "@shade/cli",
"version": "0.4.0",
"version": "4.4.0",
"bin": {
"shade": "src/cli.ts",
},
@@ -36,7 +36,7 @@
},
"packages/shade-core": {
"name": "@shade/core",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/observability": "workspace:*",
},
@@ -49,7 +49,7 @@
},
"packages/shade-crypto-web": {
"name": "@shade/crypto-web",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@noble/curves": "^2.0.1",
"@noble/hashes": "^2.0.1",
@@ -59,7 +59,7 @@
},
"packages/shade-dashboard": {
"name": "@shade/dashboard",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/widgets": "workspace:*",
"react": "^19.0.0",
@@ -74,7 +74,7 @@
},
"packages/shade-files": {
"name": "@shade/files",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
@@ -101,7 +101,7 @@
},
"packages/shade-inbox": {
"name": "@shade/inbox",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/proto": "workspace:*",
@@ -114,7 +114,7 @@
},
"packages/shade-inbox-server": {
"name": "@shade/inbox-server",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/observability": "workspace:*",
@@ -132,7 +132,7 @@
},
"packages/shade-key-transparency": {
"name": "@shade/key-transparency",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@noble/hashes": "^2.0.1",
"@shade/core": "workspace:*",
@@ -144,11 +144,11 @@
},
"packages/shade-keychain": {
"name": "@shade/keychain",
"version": "0.4.0",
"version": "4.4.0",
},
"packages/shade-observability": {
"name": "@shade/observability",
"version": "0.1.0",
"version": "4.4.0",
"dependencies": {
"@noble/hashes": "^2.0.1",
},
@@ -166,7 +166,7 @@
},
"packages/shade-observer": {
"name": "@shade/observer",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/server": "workspace:*",
@@ -178,14 +178,14 @@
},
"packages/shade-proto": {
"name": "@shade/proto",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
},
},
"packages/shade-recovery": {
"name": "@shade/recovery",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
@@ -198,7 +198,7 @@
},
"packages/shade-sdk": {
"name": "@shade/sdk",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
@@ -225,7 +225,7 @@
},
"packages/shade-server": {
"name": "@shade/server",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/inbox-server": "workspace:*",
@@ -245,15 +245,19 @@
},
"packages/shade-storage-encrypted": {
"name": "@shade/storage-encrypted",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@noble/hashes": "^2.0.1",
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
"@shade/storage-postgres": "workspace:*",
"@shade/storage-sqlite": "workspace:*",
"idb": "^8.0.3",
"postgres": "^3.4.9",
},
"devDependencies": {
"fake-indexeddb": "^6.0.0",
},
"peerDependencies": {
"@shade/keychain": "workspace:*",
},
@@ -261,9 +265,21 @@
"@shade/keychain",
],
},
"packages/shade-storage-indexeddb": {
"name": "@shade/storage-indexeddb",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"idb": "^8.0.3",
},
"devDependencies": {
"@shade/crypto-web": "workspace:*",
"fake-indexeddb": "^6.0.0",
},
},
"packages/shade-storage-postgres": {
"name": "@shade/storage-postgres",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/inbox-server": "workspace:*",
@@ -278,7 +294,7 @@
},
"packages/shade-storage-sqlite": {
"name": "@shade/storage-sqlite",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
@@ -288,7 +304,7 @@
},
"packages/shade-streams": {
"name": "@shade/streams",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@noble/hashes": "^2.0.1",
"@shade/core": "workspace:*",
@@ -300,7 +316,7 @@
},
"packages/shade-transfer": {
"name": "@shade/transfer",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
@@ -317,7 +333,7 @@
},
"packages/shade-transport": {
"name": "@shade/transport",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
@@ -328,7 +344,7 @@
},
"packages/shade-transport-bridge": {
"name": "@shade/transport-bridge",
"version": "0.1.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/server": "workspace:*",
@@ -350,7 +366,7 @@
},
"packages/shade-transport-webrtc": {
"name": "@shade/transport-webrtc",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/streams": "workspace:*",
@@ -359,7 +375,7 @@
},
"packages/shade-widgets": {
"name": "@shade/widgets",
"version": "0.4.0",
"version": "4.4.0",
"dependencies": {
"@shade/recovery": "workspace:*",
"@shade/sdk": "workspace:*",
@@ -568,6 +584,8 @@
"@shade/storage-encrypted": ["@shade/storage-encrypted@workspace:packages/shade-storage-encrypted"],
"@shade/storage-indexeddb": ["@shade/storage-indexeddb@workspace:packages/shade-storage-indexeddb"],
"@shade/storage-postgres": ["@shade/storage-postgres@workspace:packages/shade-storage-postgres"],
"@shade/storage-sqlite": ["@shade/storage-sqlite@workspace:packages/shade-storage-sqlite"],
@@ -626,6 +644,8 @@
"escalade": ["escalade@3.2.0", "", {}, "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA=="],
"fake-indexeddb": ["fake-indexeddb@6.2.5", "", {}, "sha512-CGnyrvbhPlWYMngksqrSSUT1BAVP49dZocrHuK0SvtR0D5TMs5wP0o3j7jexDJW01KSadjBp1M/71o/KR3nD1w=="],
"fast-check": ["fast-check@3.23.2", "", { "dependencies": { "pure-rand": "^6.1.0" } }, "sha512-h5+1OzzfCC3Ef7VbtKdcv7zsstUQwUDlYpUTvjeUsJAssPgLn7QzbboPtL5ro04Mq0rPOsMzl7q5hIbRs2wD1A=="],
"fdir": ["fdir@6.5.0", "", { "peerDependencies": { "picomatch": "^3 || ^4" }, "optionalPeers": ["picomatch"] }, "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg=="],
@@ -638,6 +658,8 @@
"hono": ["hono@4.12.12", "", {}, "sha512-p1JfQMKaceuCbpJKAPKVqyqviZdS0eUxH9v82oWo1kb9xjQ5wA6iP3FNVAPDFlz5/p7d45lO+BpSk1tuSZMF4Q=="],
"idb": ["idb@8.0.3", "", {}, "sha512-LtwtVyVYO5BqRvcsKuB2iUMnHwPVByPCXFXOpuU96IZPPoPN6xjOGxZQ74pgSVVLQWtUOYgyeL4GE98BY5D3wg=="],
"js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="],
"jsesc": ["jsesc@3.1.0", "", { "bin": { "jsesc": "bin/jsesc" } }, "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA=="],

1
docs/DEPLOYMENT.md
View File

@@ -81,6 +81,7 @@ Tables will be created automatically with the `shade_server_*` prefix, so they c
| `SHADE_CLEANUP_INTERVAL_HOURS` | `24` | Cleanup cycle interval |
| `SHADE_LOG_LEVEL` | `info` | `debug` / `info` / `warn` / `error` |
| `SHADE_OTEL_ENABLED` | unset | Set to `1`/`true` to enable OpenTelemetry tracing on `withTracer()`-configured deployments. See [`observability.md`](./observability.md). |
| `SHADE_DISABLE_RATE_LIMIT` | unset | Set to `1` to disable IP rate-limits on every prekey + inbox route. **Single-tenant deployments only** — multi-tenant relays must leave this unset to keep the abuse defenses on. |
## Health and observability

173
docs/shade-identity-public-key-accessor.md Normal file
View File

@@ -0,0 +1,173 @@
# Feature Request — Public accessor for the device's identity public key
**To**: Shade SDK team
**From**: Dispatch (browser-based Shade consumer)
**Target**: Shade SDK 4.4.x (or whichever release vehicle fits)
**Priority**: medium — unblocks real per-device fingerprint binding at
enrollment time; consumers ship with placeholder keys until then
Thanks for shipping `@shade/storage-indexeddb` so quickly — that unblocked
Dispatch's Slice 2.5 (persistent browser identity). During integration we
hit one more gap that's worth raising as a separate FR.
---
## Summary
Expose the local device's Ed25519 identity public key as a public accessor
on `Shade`, so applications can hand it to their own backend at enrollment
time for per-device verification, audit, or peer-fingerprint computation.
Today the SDK exposes `myAddress` and `fingerprint`, but the underlying
identity public key — the cryptographic root that everything else binds
to — is reachable only via the private `this.storage.getIdentityKeyPair()`
call inside `Shade`. Consumers building enrollment flows have no way to
hand the real key over.
## Problem
A common pattern in Shade-using apps is:
1. Browser device generates Shade identity (via `createShade`)
2. User enters an enrollment token
3. Browser POSTs to its backend: `{ token, address, identityPublicKey, ... }`
4. Backend records the device, computes/stores a safety number from the
identity key, opens a Shade session
Step 3 today has nowhere to get a real `identityPublicKey` from. Dispatch
currently sends `crypto.getRandomValues(new Uint8Array(32))` formatted as
hex, with this comment in the source:
```ts
/**
* The browser submits a hex public-key field at enroll time so the schema
* stays stable. Wiring this to the SDK-generated identity key requires a
* Shade SDK addition (no public accessor for the raw identity key today).
*/
export function generatePlaceholderIdentityPublicKey(): string { ... }
```
The backend stores this placeholder but cannot verify anything against it,
because it's not actually the device's key. Real cryptographic binding is
deferred until the SDK exposes the underlying key.
## Why `fingerprint` isn't sufficient
`Shade.fingerprint` returns a 12-groups-of-5-digits safety-number string
designed for human side-channel comparison. That's the right output for a
"compare these digits with your friend" UX, but it's a derived format, not
the raw key. Backends that want to:
- Store the key for later signature verification
- Compute their own safety-number representation (Dispatch uses
`deterministicSafetyNumber(localAddr, peerAddr)` based on the raw bytes)
- Re-derive the fingerprint after an identity rotation
…all need access to the raw 32-byte Ed25519 public key.
## Proposed API
Add a single async accessor on `Shade`:
```ts
class Shade {
/**
* The local device's Ed25519 identity public key (32 bytes).
*
* Stable for the lifetime of the identity. After `rotateIdentity()`
* this returns the new key; the old key is preserved in retired-
* identities storage for the configured grace period.
*/
get identityPublicKey(): Promise<Uint8Array>;
}
```
Internally:
```ts
get identityPublicKey(): Promise<Uint8Array> {
if (!this.initialized) throw new Error('Not initialized');
return this.storage.getIdentityKeyPair().then((kp) => {
if (!kp) throw new Error('Identity not yet generated');
return kp.publicKey;
});
}
```
If returning a getter that produces a Promise feels off, the equivalent
method form is fine:
```ts
async getIdentityPublicKey(): Promise<Uint8Array> { ... }
```
Either shape works for consumers — pick whichever matches existing SDK
conventions.
## Alternative considered: object accessor
Returning an object would leave room to expose other identity-related
fields later without a breaking change:
```ts
get identity(): Promise<{
address: string;
publicKey: Uint8Array;
fingerprint: string;
// future: registrationId, createdAt, etc.
}>;
```
This would mildly duplicate `myAddress` + `fingerprint`, but consolidates
identity-related accessors. Not a blocker for shipping the simpler
single-purpose accessor — just flagging the option in case the SDK is
considering broader API ergonomics.
## What this unblocks
For Dispatch specifically:
- Real device identity binding at enrollment (replaces the placeholder
`crypto.randomUUID()`-derived hex bytes the backend currently stores)
- Server-side `computePeerSafetyNumber()` can use the real key instead of
the deterministic-from-address stand-in (`shade-identity-provider.ts:151`)
- Future signature-based device authentication (sign a challenge with the
device's identity key during enrollment) becomes possible without
another SDK round
For other Shade consumers:
- Any app that hands a device key to its own backend for enrollment —
multi-device pairing flows, contact verification UIs, push-notification
targeting — gets an actual key to work with
## Acceptance criteria
1. New accessor exposed on `Shade` (getter or async method, SDK's
preference)
2. Returns the 32-byte Ed25519 identity public key
3. Returns the **current** key after `rotateIdentity()`
4. Throws (or resolves to a clear error) when called before
`initialize()` completes
5. Documented alongside `myAddress` and `fingerprint` in the SDK reference
6. One unit test in `shade-sdk` confirming the returned bytes match what
`storage.getIdentityKeyPair()` holds
7. Mentioned in the changelog under the next release
## Out of scope
- **Private key access** — consumers should never need it; signature
operations go through `shade.send()` etc. Don't expose the secret half.
- **Cross-peer key lookup** — getting *another* peer's identity key is a
separate concern (related to peer-verification storage), not what this
FR is about. This is strictly the local device's own key.
- **Format conversions** — base64/hex/PEM helpers don't belong in the SDK.
Consumers can encode the raw bytes however their wire format requires.
## Why this can't be done in consumer-land
The identity keypair is generated by `MemoryStorage` / `SQLiteStorage` /
`IndexedDBStorage` and consumed by `ShadeSessionManager`. Consumers can't
reach into either layer without breaching the SDK's encapsulation. A
public accessor is the only path that doesn't require monkey-patching
private fields.

191
docs/shade-storage-indexeddb.md Normal file
View File

@@ -0,0 +1,191 @@
# Feature Request — `@shade/storage-indexeddb`
**To**: Shade SDK team
**From**: Dispatch (browser-based Shade consumer)
**Target**: Shade SDK 4.3.x (or whichever release vehicle fits)
**Priority**: blocks all browser-based Shade apps from achieving session
persistence across tab refresh
---
## Summary
Ship an official IndexedDB-backed `StorageProvider` adapter as a new
workspace package `@shade/storage-indexeddb`, so browser-based Shade SDK
consumers can persist identity, prekeys, sessions, and peer-verification
state across tab refresh and browser restart — the same way `@shade/storage-sqlite`
does for Node and `@shade/storage-postgres` does for server deployments.
## Problem
Today the Shade SDK ships three storage paths:
| spec | adapter | environment |
| --------------------------------- | ------------------------ | ---------------- |
| `"memory"` | `MemoryStorage` (in-SDK) | tests, ephemeral |
| `"sqlite:/path"` | `@shade/storage-sqlite` | Node |
| `{ type: 'postgres', url: '…' }` | `@shade/storage-postgres`| Node servers |
There is **no browser-storage option**. The only way to run Shade in a
browser today is `storage: "memory"`, which means:
- Identity keypair regenerates on every page load
- Sessions reset → re-enrollment after every refresh
- `getLocalRegistrationId()` returns a fresh value → `device:${id}`
address changes → server-side device record orphaned every reload
This forces every browser-based Shade app to either (a) accept the broken
UX, or (b) build their own `StorageProvider` from scratch — duplicating
~25 methods × N consumers, with no shared conformance test surface.
The right place to solve this is at the SDK level, exactly mirroring how
SQLite and Postgres are handled.
## Proposed package
`packages/shade-storage-indexeddb/` — modeled directly after
`packages/shade-storage-sqlite/`. Same package shape, same test layout,
same `@shade/core`-only runtime dependency surface.
### Public API
```ts
// @shade/storage-indexeddb
export class IndexedDBStorage implements StorageProvider {
/**
* Open (or create) the IndexedDB database. Idempotent — repeated calls
* with the same dbName return a connection sharing the same object stores.
*/
static async create(opts?: { dbName?: string }): Promise<IndexedDBStorage>;
/**
* Cleanly close the underlying connection. Future calls will reopen.
* Called by Shade.shutdown() when consumers register cleanup.
*/
async close(): Promise<void>;
// ─── all StorageProvider methods (identity, prekeys, sessions,
// retired identities, peer verifications, optional stream-state) ───
}
```
`dbName` defaults to something like `"shade"`. Consumers like Dispatch
will pass distinct names per app (`"dispatch-dashboard-shade"`,
`"dispatch-host-ui-shade"`) so DevTools' IndexedDB inspector groups them
sensibly, even though origin-isolation already makes the data isolated.
### SDK integration
`@shade/sdk` `resolveStorage()` gets a fourth branch:
```ts
if (typeof spec === 'object' && spec.type === 'indexeddb') {
const moduleId = '@shade/storage-indexeddb';
const mod = (await import(moduleId)) as {
IndexedDBStorage: { create(opts: { dbName?: string }): Promise<StorageProvider> };
};
return mod.IndexedDBStorage.create({ dbName: spec.dbName });
}
```
Dynamic import keeps `@shade/storage-indexeddb` an optional dependency,
matching the Postgres pattern — Node-only consumers don't need to install
a browser-only adapter.
Consumer surface:
```ts
const shade = await createShade({
prekeyServer: 'https://…/shade-prekey',
storage: { type: 'indexeddb', dbName: 'my-app-shade' },
address: 'device:user@example.com', // optional — falls back to device:${registrationId}
});
```
## Implementation guidance (non-prescriptive)
- **IDB wrapper**: suggest `idb` (Jake Archibald's thin wrapper, well-typed,
zero deps). Avoid Dexie or idb-keyval — we want full schema control to
match the SQL adapters' explicit schemas.
- **Object-store layout**: one store per StorageProvider category
(`identity`, `signedPreKeys`, `oneTimePreKeys`, `sessions`,
`trustedIdentities`, `retiredIdentities`, `peerVerifications`,
`streamStates`). Keypaths match the natural keys (`keyId`, `address`,
`streamId`).
- **Schema version**: integer, bumped on every shape change. Migrations
in `db.upgrade(...)` callback. Document schema-history alongside
the SQLite schema.
- **Concurrency**: IndexedDB transactions are auto-committing — the adapter
must keep operations within a single transaction where SQL adapters do.
Particular care for `bumpPeerIdentityVersion` (atomic read-modify-write).
- **Stream-state methods**: implement them. Browser apps will increasingly
use `@shade/transfer` for large file resume, and parity with SQLite's
capabilities matters.
## Test expectations
Mirror `packages/shade-storage-sqlite/tests/`:
- `indexeddb-storage.test.ts` — full StorageProvider surface (identity,
sessions, trusted identities, retired identities)
- `indexeddb-prekey-store.test.ts` — signed + one-time prekey lifecycle
- `peer-verifications.test.ts` — verification CRUD + identity-version
bumping invariants
- `indexeddb-stream-state.test.ts` (if stream-state is implemented)
Use **`fake-indexeddb`** for the Node test environment — it's the
established standard, supports the v3 spec, and lets us run IDB tests
in `bun test` / `vitest` / `jest` without a real browser.
If/when Shade gains a shared `StorageProvider` conformance test suite,
this adapter should consume it directly. Until then, follow the SQLite
adapter's per-method coverage style.
## Acceptance criteria
1. `@shade/storage-indexeddb` published at version 4.3.0 (or whichever
matches the next Shade release)
2. `@shade/sdk` `resolveStorage()` resolves `{ type: 'indexeddb', dbName? }`
via dynamic import
3. Full StorageProvider conformance in tests (identity, prekeys,
sessions, retired identities, peer verifications, stream-state)
4. Documented in Shade docs alongside SQLite/Postgres adapters
5. README example showing browser-app integration
6. Bundle-size note: dynamic-imported IDB module shouldn't pull crypto
dependencies — adapter should be ≤ ~10 KB minified+gzipped
## Out of scope (deferred)
- **Encryption-at-rest** for the IDB contents — separate work item; should
match the deviceKey-AES-GCM pattern Shade already uses for `secretEnc`
in `PersistedStreamState`. This adapter ships unencrypted-at-rest in v1
(consistent with SQLite), with the encryption layer added uniformly to
all adapters later.
- **Cross-tab BroadcastChannel sync** — IDB is shared across same-origin
tabs already; concurrent writes work via IDB transactions. Real-time
notification across tabs (e.g. "session was rotated in another tab") is
a separate concern, not storage-adapter scope.
- **Quota handling** — IDB quota for a Shade keystore is far below realistic
browser quotas. If it ever becomes relevant, add a `QuotaExceededError`
observability hook then.
## Why this can't be done in consumer-land
Building this in Dispatch (or any other consumer) would mean:
- 25+ method `StorageProvider` re-implementation per consumer
- No shared conformance tests
- Schema drift across consumers — each would invent its own object-store
shape, blocking any future cross-app data import/export
- Every Shade SDK update that adjusts `StorageProvider` would force every
consumer to track and patch independently
`@shade/storage-sqlite` and `@shade/storage-postgres` are part of the SDK
for the same reason. IndexedDB belongs alongside them.
## What unblocks
Shipping this unblocks Dispatch's "Slice 2.5" — persistent enrollment
across browser refresh, which today is the largest QA-friction point in
the dev loop. Any future browser-Shade consumer (web dashboard,
contact-list app, browser-extension messenger) gets persistence for free.

2
packages/shade-cli/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/cli",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/cli.ts",
"bin": {

2
packages/shade-core/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/core",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

16
packages/shade-core/src/ratchet.ts
View File

@@ -185,6 +185,22 @@ export async function ratchetDecrypt(
if (!session.receiveChain) {
throw new DecryptionError('No receiving chain available');
}
// Defense-in-depth: a same-DH message whose counter is already
// behind the chain — and that did NOT match a cached skipped key —
// is either a duplicate we already decrypted (skipped key was
// consumed) or one whose key was evicted under cache pressure.
// Falling through would call kdfChainKey on the *current* (ahead)
// chainKey and then rewind `chain.counter = message.counter + 1`,
// permanently desyncing the chain so every subsequent decrypt
// returns wrong-key. Reject without mutating state instead.
if (
!isNewRatchet &&
message.counter < session.receiveChain.counter
) {
throw new DecryptionError(
'Failed to decrypt message — wrong key or tampered data',
);
}
await skipMessageKeys(crypto, session, message.dhPublicKey, session.receiveChain, message.counter);
// Advance the receiving chain one more step to get this message's key

75
packages/shade-core/src/storage.ts
View File

@@ -46,6 +46,50 @@ export interface PersistedStreamState {
*/
export type PeerVerificationSource = 'user' | 'transitive' | 'tofu-after-warning';
/**
* Persisted broadcast-channel state (V4.6). Holds the sender-key chain that
* lets the channel owner encrypt a single ciphertext and fan it out to all
* paired members.
*
* - `ownerRole === 'sender'`: this device created the channel; the record
* carries the full chain (chainKey + iteration + signing keypair).
* - `ownerRole === 'receiver'`: this device joined a channel that
* `ownerAddress` owns; we hold a tracking copy of the chain (chainKey +
* iteration + signing public key only — no private signing key).
*
* `generation` is bumped each time `removeMember` rotates the chain. Stale
* broadcasts at lower generations are silently dropped on receive.
*/
export interface BroadcastChannelRecord {
/** Opaque, stable across restarts. UUID-style. */
channelId: string;
ownerRole: 'sender' | 'receiver';
/** The address that owns the channel (i.e. the only sender). */
ownerAddress: string;
label?: string;
/** Sender-key generation — bumped on rotation. Starts at 0. */
generation: number;
/** Current chain key (32 bytes). */
chainKey: Uint8Array;
/** Counter advanced by `senderKeyEncrypt` / `senderKeyDecrypt`. */
iteration: number;
/** Owner's Ed25519 signing public key (32 bytes). */
signingPublicKey: Uint8Array;
/** Owner's Ed25519 signing private key. Present iff `ownerRole === 'sender'`. */
signingPrivateKey?: Uint8Array;
createdAt: number;
updatedAt: number;
}
/** Membership row for a broadcast channel (sender-side only). */
export interface BroadcastMemberRecord {
channelId: string;
peerAddress: string;
joinedAt: number;
/** When this peer was revoked. `null` while still active. */
removedAt: number | null;
}
/**
* Persistent record that a peer's safety number was verified at a point
* in time. `identityVersion` is the local counter for that peer's identity:
@@ -188,4 +232,35 @@ export interface StorageProvider {
/** Prune stream-state rows in `'finished' | 'aborted'` status older than `olderThan`. */
pruneStreamStates?(olderThan: number): Promise<void>;
// ─── Broadcast channels (V4.6) — optional ─────────────────
/**
* Persist or replace the broadcast-channel record. Idempotent upsert on
* `channelId`. Backends that don't implement broadcast-channel support
* may omit this; the SDK throws a clear error when the app tries to
* call `createBroadcastChannel` on such a backend.
*/
saveBroadcastChannel?(channel: BroadcastChannelRecord): Promise<void>;
/** Look up a broadcast channel by id. */
getBroadcastChannel?(channelId: string): Promise<BroadcastChannelRecord | null>;
/** Enumerate all broadcast channels persisted on this device. */
listBroadcastChannels?(): Promise<BroadcastChannelRecord[]>;
/** Drop a broadcast channel and all its membership rows. */
removeBroadcastChannel?(channelId: string): Promise<void>;
/** Persist or replace a broadcast-membership row (sender-side only). */
saveBroadcastMember?(member: BroadcastMemberRecord): Promise<void>;
/**
* List membership rows for a channel. Includes revoked members (with
* `removedAt !== null`); callers filter as needed.
*/
getBroadcastMembers?(channelId: string): Promise<BroadcastMemberRecord[]>;
/** Hard-delete a single membership row. */
removeBroadcastMember?(channelId: string, peerAddress: string): Promise<void>;
}

35
packages/shade-core/tests/ratchet.test.ts
View File

@@ -281,6 +281,41 @@ describe('Double Ratchet', () => {
expect(ratchetDecrypt(crypto, bob, msg)).rejects.toThrow();
});
/**
* Regression — the v4.2.0 OutboundQueue waiter-since bug delivered
* the same envelope twice to `manager.decrypt`. The first decrypt
* succeeded via a cached skipped key; the second one fell into the
* `message.counter < chain.counter` path with no skipped key
* available, advanced the chainKey ONCE and rewound `chain.counter`
* to `message.counter + 1`, leaving the ratchet permanently
* desynced. ratchetDecrypt now rejects without mutating state when
* a same-DH message is behind the chain and not in skippedKeys, so
* a downstream replay (transport bug, retry, etc.) cannot poison
* the session for everyone else.
*/
test('same-DH stale message after consumed skipped key fails without corrupting state', async () => {
const { alice, bob } = await setupPair();
// Alice sends 3 messages on the same DH chain.
const m0 = await ratchetEncrypt(crypto, alice, enc.encode('m0'));
const m1 = await ratchetEncrypt(crypto, alice, enc.encode('m1'));
const m2 = await ratchetEncrypt(crypto, alice, enc.encode('m2'));
// Bob receives m1 first, caching m0's key. Then m0 (delivered
// via the cache). After this, m0's skipped key is consumed.
expect(dec.decode(await ratchetDecrypt(crypto, bob, m1))).toBe('m1');
expect(dec.decode(await ratchetDecrypt(crypto, bob, m0))).toBe('m0');
// Replay of m0: skippedKey is gone, chain.counter is past m0.
// Pre-fix: this would corrupt Bob's chain state; post-fix it
// throws cleanly.
await expect(ratchetDecrypt(crypto, bob, m0)).rejects.toThrow(DecryptionError);
// Bob can still decrypt the remaining valid message — chain
// state was NOT mutated by the rejected replay.
expect(dec.decode(await ratchetDecrypt(crypto, bob, m2))).toBe('m2');
});
});
// ─── Long Conversation ────────────────────────────────────

2
packages/shade-crypto-web/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/crypto-web",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

64
packages/shade-crypto-web/src/memory-storage.ts
View File

@@ -1,4 +1,8 @@
import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState, RetiredIdentity, PersistedStreamState, PeerVerification } from '@shade/core';
import type {
StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey,
SessionState, RetiredIdentity, PersistedStreamState, PeerVerification,
BroadcastChannelRecord, BroadcastMemberRecord,
} from '@shade/core';
import { constantTimeEqual } from '@shade/core';
/**
@@ -167,4 +171,62 @@ export class MemoryStorage implements StorageProvider {
}
}
}
// ─── Broadcast channels (V4.6) ────────────────────────────
private broadcastChannels = new Map<string, BroadcastChannelRecord>();
private broadcastMembers = new Map<string, Map<string, BroadcastMemberRecord>>();
async saveBroadcastChannel(channel: BroadcastChannelRecord): Promise<void> {
this.broadcastChannels.set(channel.channelId, cloneChannel(channel));
}
async getBroadcastChannel(channelId: string): Promise<BroadcastChannelRecord | null> {
const v = this.broadcastChannels.get(channelId);
return v ? cloneChannel(v) : null;
}
async listBroadcastChannels(): Promise<BroadcastChannelRecord[]> {
return [...this.broadcastChannels.values()].map(cloneChannel);
}
async removeBroadcastChannel(channelId: string): Promise<void> {
this.broadcastChannels.delete(channelId);
this.broadcastMembers.delete(channelId);
}
async saveBroadcastMember(member: BroadcastMemberRecord): Promise<void> {
let inner = this.broadcastMembers.get(member.channelId);
if (!inner) {
inner = new Map();
this.broadcastMembers.set(member.channelId, inner);
}
inner.set(member.peerAddress, { ...member });
}
async getBroadcastMembers(channelId: string): Promise<BroadcastMemberRecord[]> {
const inner = this.broadcastMembers.get(channelId);
return inner ? [...inner.values()].map((m) => ({ ...m })) : [];
}
async removeBroadcastMember(channelId: string, peerAddress: string): Promise<void> {
this.broadcastMembers.get(channelId)?.delete(peerAddress);
}
}
function cloneChannel(c: BroadcastChannelRecord): BroadcastChannelRecord {
const out: BroadcastChannelRecord = {
channelId: c.channelId,
ownerRole: c.ownerRole,
ownerAddress: c.ownerAddress,
generation: c.generation,
chainKey: new Uint8Array(c.chainKey),
iteration: c.iteration,
signingPublicKey: new Uint8Array(c.signingPublicKey),
createdAt: c.createdAt,
updatedAt: c.updatedAt,
};
if (c.label !== undefined) out.label = c.label;
if (c.signingPrivateKey !== undefined) out.signingPrivateKey = new Uint8Array(c.signingPrivateKey);
return out;
}

2
packages/shade-dashboard/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/dashboard",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"scripts": {
"dev": "vite",

2
packages/shade-files/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/files",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

184
packages/shade-files/tests/integration/concurrent-ratchet.test.ts Normal file
View File

@@ -0,0 +1,184 @@
import { describe, expect, test } from 'bun:test';
import { createShade } from '@shade/sdk';
import {
createPrekeyServer,
MemoryPrekeyStore,
PrekeyServerEvents,
} from '@shade/server';
import { SubtleCryptoProvider } from '@shade/crypto-web';
import { Hono } from 'hono';
const crypto = new SubtleCryptoProvider();
/**
* Concurrent-ratchet hardening tests.
*
* Reproduces the scenario described in the v4.2.0 ratchet-desync bug
* report: with the queue-drainer running on Alice and many concurrent
* `shade.send`/RPC operations against the same peer, do
* encrypt/decrypt paths share the per-peer mutex on
* `ShadeSessionManager` so that no path observes a stale ratchet
* state?
*
* If the lock coverage regresses (a future change re-introduces a
* sidekanal bypass), one of these tests will fail with
* `DecryptionError: Failed to decrypt message — wrong key or
* tampered data`.
*/
async function setupPullRig() {
const prekey = createPrekeyServer({
crypto,
store: new MemoryPrekeyStore(),
disableRateLimit: true,
events: new PrekeyServerEvents(),
});
const prekeyServer = Bun.serve({ port: 0, fetch: prekey.fetch });
const prekeyUrl = `http://localhost:${prekeyServer.port}`;
const alice = await createShade({ prekeyServer: prekeyUrl, address: 'alice' });
const bob = await createShade({ prekeyServer: prekeyUrl, address: 'bob' });
const queueRoute = await bob.transferQueueRoute({ blockMs: 500 });
await bob.files.serve({
stat: async () => ({
name: '_',
kind: 'dir' as const,
size: 0,
mtime: 0,
metadata: {},
}),
});
const rpcRoute = bob.files.rpcRoute({ acceptFirstMessage: true });
const app = new Hono();
app.route('/', queueRoute);
app.route('/', rpcRoute);
const bobServer = Bun.serve({ port: 0, fetch: app.fetch });
const baseUrl = `http://localhost:${bobServer.port}`;
const fs = alice.files.httpClient('bob', {
rpcUrl: `${baseUrl}/rpc`,
outboundQueueUrl: `${baseUrl}/queue`,
transferBaseUrl: baseUrl,
defaultTimeoutMs: 10_000,
queueBlockMs: 500,
});
return {
alice,
bob,
fs,
baseUrl,
teardown: async () => {
fs.close();
await alice.shutdown();
await bob.shutdown();
bobServer.stop();
prekeyServer.stop();
},
};
}
describe('@shade/files — concurrent ratchet under drainer', () => {
test('100 parallel httpClient RPCs while drainer runs — no DecryptionError', async () => {
const rig = await setupPullRig();
try {
// Warm-up: establishes the X3DH session (Alice → Bob first message
// is a PreKeyMessage; subsequent messages are pure ratchet).
const first = await rig.fs.stat('/');
expect(first.kind).toBe('dir');
// Fire 100 concurrent stat RPCs. Each one is a full ratchet
// round-trip: encrypt request, POST, decrypt response. They all
// contend for `manager.peerOpChains["bob"]` on Alice's side
// (encrypt + decrypt) and `manager.peerOpChains["alice"]` on
// Bob's side. Drainer is running in the background polling
// Bob's queue — its decrypt path also funnels through the same
// per-peer lock.
// 100 concurrent — minimal repro (after warm-up only).
const N = 100;
const results = await Promise.allSettled(
Array.from({ length: N }, () => rig.fs.stat('/')),
);
const failures = results.filter((s) => s.status === 'rejected') as Array<
PromiseRejectedResult
>;
if (failures.length > 0) {
const sample = failures.slice(0, 1).map((f) => String(f.reason));
throw new Error(`${failures.length}/${N} concurrent RPCs failed: ${sample[0]}`);
}
} finally {
await rig.teardown();
}
}, 30_000);
test('parallel shade.send + drainer + RPCs — ratchet stays in sync', async () => {
const rig = await setupPullRig();
try {
// Establish session via one warm-up RPC.
await rig.fs.stat('/');
// Subscribe Bob to inbound plaintext from Alice — when Alice's
// raw `shade.send` plaintext arrives, Bob echoes a reply back
// through `shade.send` + `deliverControlEnvelope`, which the
// pull-mode envelope transport enqueues for Alice's drainer.
// This injects extra inbound traffic into Alice's drainer in
// parallel with her ongoing RPCs.
const echoes: string[] = [];
rig.bob.onMessage(async (from, plaintext) => {
if (from !== 'alice') return;
if (!plaintext.startsWith('ping:')) return;
echoes.push(plaintext);
const reply = `pong:${plaintext.slice('ping:'.length)}`;
const env = await rig.bob.send('alice', reply);
await rig.bob.deliverControlEnvelope('alice', env);
});
const inboundDrained: string[] = [];
rig.alice.onMessage((from, plaintext) => {
if (from !== 'bob') return;
if (plaintext.startsWith('pong:')) inboundDrained.push(plaintext);
});
// Mix three concurrent workloads against the same peer:
// - 50 inline file RPCs through httpClient (encrypt + decrypt)
// - 50 raw `shade.send` deliveries via control envelope
// - drainer pulling Bob's responses + echoes
const N = 50;
const rpcs = Array.from({ length: N }, () => rig.fs.stat('/'));
const sends = Array.from({ length: N }, async (_, i) => {
const env = await rig.alice.send('bob', `ping:${i}`);
await rig.alice.deliverControlEnvelope('bob', env);
});
const settled = await Promise.allSettled([...rpcs, ...sends]);
const failures = settled.filter((s) => s.status === 'rejected') as Array<
PromiseRejectedResult
>;
if (failures.length > 0) {
const sample = failures.slice(0, 3).map((f) => String(f.reason));
throw new Error(
`${failures.length}/${settled.length} concurrent ops failed: ${sample.join(' | ')}`,
);
}
// Give Bob's queue + Alice's drainer a beat to drain pongs back.
// Echoes round-trip Alice → Bob (control envelope) → Bob's
// onMessage → Bob.send + deliver (queue) → Alice's drainer →
// Alice's onMessage. We just verify some make it back without
// any DecryptionError surfacing.
const deadline = Date.now() + 5_000;
while (inboundDrained.length < N && Date.now() < deadline) {
await new Promise((r) => setTimeout(r, 50));
}
// Don't gate on every echo arriving — the long-poll cadence and
// bun's serve/abort timing can lag a few. We only care that the
// ratchet didn't desync; if it had, every subsequent op would
// throw DecryptionError above.
expect(echoes.length).toBe(N);
expect(inboundDrained.length).toBeGreaterThan(0);
} finally {
await rig.teardown();
}
}, 30_000);
});

2
packages/shade-inbox-server/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/inbox-server",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

276
packages/shade-inbox-server/src/bridge.ts
View File

@@ -38,8 +38,15 @@ import {
import { verifyPayload, validateAddress } from '@shade/server';
import type { InboxStore } from './store.js';
import type { InboxServerEvents } from './events.js';
import { PresenceTracker, type TrackedBridgeKind } from './presence.js';
export type BridgeKind = 'stream' | 'poll' | 'ws';
/**
* Wire-protocol kind tag for `/v1/bridge/presence`. Distinct from
* `BridgeKind` because the canonical signed payload is shaped
* differently (`watched: string[]` instead of `since: number`).
*/
export type PresenceKind = 'presence';
export interface BridgeRoutesOptions {
store: InboxStore;
@@ -60,6 +67,13 @@ export interface BridgeRoutesOptions {
* Default 1_000.
*/
fallbackPollIntervalMs?: number;
/**
* Inject an existing presence tracker. Useful when multiple
* `createBridgeRoutes` calls need to share state (e.g. mounting the
* routes under several hostnames in a single process). When omitted,
* the bridge auto-creates an internal tracker bound to `events`.
*/
presenceTracker?: PresenceTracker;
}
interface VerifiedBridgeRequest {
@@ -68,6 +82,13 @@ interface VerifiedBridgeRequest {
since: number;
}
interface VerifiedPresenceRequest {
/** The watcher's address (signer of the request). */
address: string;
/** Addresses whose presence the watcher is asking to track. */
watched: string[];
}
/**
* Build the bridge Hono router and a paired Bun-WebSocket handler.
*
@@ -80,6 +101,8 @@ export function createBridgeRoutes(opts: BridgeRoutesOptions): {
app: Hono;
/** Pass to `Bun.serve({ websocket })`. Undefined if Bun adapter is missing. */
websocket: unknown;
/** Live presence tracker. Tests + observers can read it; routes update it. */
presence: PresenceTracker;
} {
const app = new Hono();
const pageLimit = opts.pageLimit ?? 50;
@@ -87,6 +110,7 @@ export function createBridgeRoutes(opts: BridgeRoutesOptions): {
const longPollDefault = opts.longPollTimeoutMs ?? 25_000;
const longPollMax = opts.longPollMaxTimeoutMs ?? 55_000;
const fallbackPollIntervalMs = opts.fallbackPollIntervalMs ?? 1_000;
const presence = opts.presenceTracker ?? new PresenceTracker(opts.events ?? null);
app.onError((err, c) => {
if (err instanceof ShadeError) {
@@ -102,17 +126,32 @@ export function createBridgeRoutes(opts: BridgeRoutesOptions): {
const verified = await verifyBridgeAuth(c, opts, 'stream');
return streamSSE(c, async (stream) => {
const address = verified.address;
const connId = presence.newConnectionId();
presence.markConnected(address, 'sse', connId);
let presenceClosed = false;
const closePresence = (reason: 'closed' | 'error'): void => {
if (presenceClosed) return;
presenceClosed = true;
presence.markDisconnected(address, 'sse', connId, reason);
};
let cursor = verified.since;
const writer = makeBlobWriter(opts.store, pageLimit);
const delivered = new DeliveredIdLru();
// Initial backlog drain.
const flushed = await flushTo(writer, address, cursor, async (blob) => {
const flushed = await flushTo(
writer,
address,
cursor,
async (blob) => {
await stream.writeSSE({
id: String(blob.receivedAt),
event: 'envelope',
data: JSON.stringify(serializeBlob(blob)),
});
});
},
delivered,
);
cursor = Math.max(cursor, flushed);
// Hook up event-driven push if available, else fall back to a poll
@@ -124,19 +163,31 @@ export function createBridgeRoutes(opts: BridgeRoutesOptions): {
const triggerFlush = (): void => {
signalled = true;
// Serialize fan-in so concurrent triggers don't double-fetch.
pendingFlushPromise = pendingFlushPromise.then(async () => {
// `.catch(() => {})` keeps the chain alive across transient
// emit failures (e.g. a closed SSE write throws) — without it
// one rejection silently kills every future flush on this
// connection.
pendingFlushPromise = pendingFlushPromise
.then(async () => {
while (signalled) {
signalled = false;
const drained = await flushTo(writer, address, cursor, async (blob) => {
const drained = await flushTo(
writer,
address,
cursor,
async (blob) => {
await stream.writeSSE({
id: String(blob.receivedAt),
event: 'envelope',
data: JSON.stringify(serializeBlob(blob)),
});
});
},
delivered,
);
if (drained > cursor) cursor = drained;
}
});
})
.catch(() => {});
};
if (opts.events) {
@@ -163,6 +214,68 @@ export function createBridgeRoutes(opts: BridgeRoutesOptions): {
clearInterval(fallbackTimer);
clearInterval(heartbeat);
await pendingFlushPromise.catch(() => {});
closePresence('closed');
});
});
// ─── Presence (V4.7) ──────────────────────────────────────────
// SSE feed of `peer_connected` / `peer_disconnected` events filtered
// by a watcher-supplied address list. Subscribing does NOT count as
// a peer-bridge connection (it doesn't call `markConnected`) so
// monitoring presence doesn't make you appear online to others.
app.get('/v1/bridge/presence', async (c) => {
const verified = await verifyPresenceAuth(c, opts);
return streamSSE(c, async (stream) => {
const watched = new Set(verified.watched);
// Initial snapshot — one frame per watched address with current
// status. Lets subscribers render UI immediately rather than
// waiting for the next state change.
const now = Date.now();
for (const addr of verified.watched) {
await stream.writeSSE({
event: 'presence',
data: JSON.stringify({
address: addr,
status: presence.isOnline(addr) ? 'online' : 'offline',
at: now,
}),
});
}
let unsubscribe: (() => void) | null = null;
if (opts.events) {
unsubscribe = opts.events.on((e) => {
if (e.name !== 'inbox.peer_connected' && e.name !== 'inbox.peer_disconnected') return;
const data = e.data as { address: string; bridgeKind: TrackedBridgeKind };
if (!watched.has(data.address)) return;
const status = e.name === 'inbox.peer_connected' ? 'online' : 'offline';
// Fire-and-forget: drop the frame if the stream has gone away.
void stream
.writeSSE({
event: 'presence',
data: JSON.stringify({
address: data.address,
status,
at: e.timestamp,
via: data.bridgeKind,
}),
})
.catch(() => {});
});
}
const heartbeat = setInterval(() => {
stream.write(`: ping ${Date.now()}\n\n`).catch(() => {});
}, heartbeatIntervalMs);
await new Promise<void>((resolve) => {
const sig = c.req.raw.signal;
if (sig.aborted) return resolve();
sig.addEventListener('abort', () => resolve(), { once: true });
});
unsubscribe?.();
clearInterval(heartbeat);
});
});
@@ -230,30 +343,50 @@ export function createBridgeRoutes(opts: BridgeRoutesOptions): {
}
const address = verified.address;
const connId = presence.newConnectionId();
let cursor = verified.since;
const writer = makeBlobWriter(opts.store, pageLimit);
const delivered = new DeliveredIdLru();
let unsubscribe: (() => void) | null = null;
let fallbackTimer: ReturnType<typeof setInterval> | null = null;
let pendingFlushPromise: Promise<void> = Promise.resolve();
let signalled = false;
let connected = true;
let presenceClosed = false;
const closePresence = (reason: 'closed' | 'error'): void => {
if (presenceClosed) return;
presenceClosed = true;
presence.markDisconnected(address, 'ws', connId, reason);
};
return {
onOpen(_evt: unknown, ws: {
send: (data: string) => void;
close: (code?: number, reason?: string) => void;
}) {
presence.markConnected(address, 'ws', connId);
const triggerFlush = (): void => {
signalled = true;
pendingFlushPromise = pendingFlushPromise.then(async () => {
// `.catch(() => {})` mirrors the SSE chain — keeps the
// pending-flush queue alive across transient ws.send errors
// (e.g. partial close, backpressure overflow).
pendingFlushPromise = pendingFlushPromise
.then(async () => {
while (signalled && connected) {
signalled = false;
const drained = await flushTo(writer, address, cursor, async (blob) => {
const drained = await flushTo(
writer,
address,
cursor,
async (blob) => {
ws.send(JSON.stringify(serializeBlob(blob)));
});
},
delivered,
);
if (drained > cursor) cursor = drained;
}
});
})
.catch(() => {});
};
if (opts.events) {
unsubscribe = opts.events.on((e) => {
@@ -269,12 +402,19 @@ export function createBridgeRoutes(opts: BridgeRoutesOptions): {
connected = false;
unsubscribe?.();
if (fallbackTimer) clearInterval(fallbackTimer);
closePresence('closed');
},
onError() {
connected = false;
unsubscribe?.();
if (fallbackTimer) clearInterval(fallbackTimer);
closePresence('error');
},
};
}),
);
return { app, websocket };
return { app, websocket, presence };
}
// ─── helpers ──────────────────────────────────────────────────
@@ -321,11 +461,75 @@ async function verifyBridgeAuth(
return { address, kind: kind as BridgeKind, since };
}
const MAX_WATCHED_ADDRESSES = 64;
/**
* Verify a `/v1/bridge/presence` request.
*
* Signed canonical payload: `{address, kind: 'presence', watched: string[],
* signedAt}`. The watcher's address must be a registered inbox; the
* signature is verified against the registered owner key for that
* address. The `watched` list bounds what the subscription will
* receive — server-side filtering is enforced inside the handler.
*/
async function verifyPresenceAuth(
c: Context,
opts: BridgeRoutesOptions,
): Promise<VerifiedPresenceRequest> {
const url = new URL(c.req.url);
const qs = url.searchParams;
const address = validateAddress(qs.get('address'));
const kind = qs.get('kind');
if (kind !== 'presence') {
throw new ValidationError(`bridge kind mismatch: expected presence`, 'kind');
}
const watchedRaw = qs.get('watched');
if (watchedRaw === null) throw new ValidationError('missing watched', 'watched');
// Empty subscription is allowed (subscribe to nothing — useful for a
// client that intends to call addPeer right after open). A null/
// missing param is still rejected so the canonicalization is
// unambiguous.
const watched =
watchedRaw === ''
? []
: watchedRaw.split(',').map((a) => validateAddress(a));
if (watched.length > MAX_WATCHED_ADDRESSES) {
throw new ValidationError(
`watched list too large: ${watched.length} > ${MAX_WATCHED_ADDRESSES}`,
'watched',
);
}
const signedAtStr = qs.get('signedAt');
const signature = qs.get('signature');
if (signedAtStr === null) throw new ValidationError('missing signedAt', 'signedAt');
if (!signature) throw new ValidationError('missing signature', 'signature');
const signedAt = Number(signedAtStr);
if (!Number.isFinite(signedAt)) {
throw new ValidationError('signedAt must be a number', 'signedAt');
}
const owner = await opts.store.getAddressOwner(address);
if (!owner) {
throw new UnauthorizedError(`address ${address} is not registered`);
}
await verifyPayload(opts.crypto, owner, {
address,
kind,
watched,
signedAt,
signature,
});
return { address, watched };
}
interface BlobRow {
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
/** V4.8 — relay-captured sender fingerprint. Optional for legacy rows. */
senderFp?: string;
}
interface BlobWriter {
@@ -345,11 +549,41 @@ function makeBlobWriter(store: InboxStore, pageLimit: number): BlobWriter {
};
}
/**
* Per-connection bounded msgId tracker — defense in depth against duplicate
* delivery of the same blob to the same bridge socket. Cursor pagination
* already guarantees uniqueness in the happy path, but a dedup gate at the
* emit boundary catches any subtle bug (e.g. a flushTo race, a future
* refactor, an event-emit retry) without changing wire semantics.
*
* The cap is intentionally large enough to cover any realistic bridge
* pageLimit and small enough to bound memory under long-running streams.
*/
const DELIVERED_LRU_CAP = 4096;
class DeliveredIdLru {
private readonly seen = new Set<string>();
private readonly order: string[] = [];
/** Returns true if `msgId` has not been seen on this connection yet. */
add(msgId: string): boolean {
if (this.seen.has(msgId)) return false;
this.seen.add(msgId);
this.order.push(msgId);
if (this.order.length > DELIVERED_LRU_CAP) {
const evicted = this.order.shift()!;
this.seen.delete(evicted);
}
return true;
}
}
async function flushTo(
writer: BlobWriter,
address: string,
startCursor: number,
emit: (blob: BlobRow) => Promise<void>,
delivered?: DeliveredIdLru,
): Promise<number> {
let cursor = startCursor;
// Drain page-by-page so a backlog larger than `pageLimit` still flushes.
@@ -358,7 +592,12 @@ async function flushTo(
const page = await writer.fetchPage(address, cursor);
if (page.length === 0) break;
for (const row of page) {
// Per-connection dedup gate — prevents the same msgId from being
// emitted twice if flushTo is somehow re-entered before the cursor
// catches up. See comment on `DeliveredIdLru`.
if (!delivered || delivered.add(row.msgId)) {
await emit(row);
}
if (row.receivedAt > cursor) cursor = row.receivedAt;
}
if (page.length === 0) break;
@@ -371,13 +610,26 @@ function serializeBlob(blob: BlobRow): {
ciphertext: string;
receivedAt: number;
expiresAt: number;
from?: string;
} {
return {
const out: {
msgId: string;
ciphertext: string;
receivedAt: number;
expiresAt: number;
from?: string;
} = {
msgId: blob.msgId,
ciphertext: toBase64(blob.ciphertext),
receivedAt: blob.receivedAt,
expiresAt: blob.expiresAt,
};
// V4.8 — relay-captured sender fingerprint. The transport-bridge
// wire format already accepts `from`; populating it lets receivers
// bootstrap unknown-sender first-contact via `shade.receive('fp:<hex>',
// env)` without requiring an out-of-band sender hint.
if (blob.senderFp) out.from = blob.senderFp;
return out;
}
function buildPollResponse(blobs: BlobRow[], sinceFallback: number): {

13
packages/shade-inbox-server/src/events.ts
View File

@@ -21,6 +21,19 @@ export interface InboxServerEventMap {
'inbox.expired_purged': { count: number };
'inbox.rate_limited': { route: string; key: string };
'inbox.quota_rejected': { address: string; reason: 'address-quota' | 'sender-quota' | 'body-too-large' };
// V4.7 — bridge presence transitions. Emitted on the 0↔1 boundary
// across tracked transports for a given address. Long-poll is
// intentionally NOT tracked: an LP client toggles in/out of a request
// every few seconds, and the resulting flapping would dominate the
// event stream. Push transports (WS, SSE) are also the only ones
// where the ~50ms revoke window for `BroadcastChannel.removeMember`
// matters — long-poll users are already on a slow path.
'inbox.peer_connected': { address: string; bridgeKind: 'ws' | 'sse' };
'inbox.peer_disconnected': {
address: string;
bridgeKind: 'ws' | 'sse';
reason: 'closed' | 'error';
};
}
export type InboxServerEventName = keyof InboxServerEventMap;

2
packages/shade-inbox-server/src/index.ts
View File

@@ -32,6 +32,8 @@ export {
export type { InboxQuotaConfig } from './quota.js';
export { createBridgeRoutes } from './bridge.js';
export type { BridgeRoutesOptions, BridgeKind } from './bridge.js';
export { PresenceTracker } from './presence.js';
export type { TrackedBridgeKind } from './presence.js';
/**
* Create a standalone Shade Inbox Server.

32
packages/shade-inbox-server/src/memory-store.ts
View File

@@ -5,6 +5,7 @@ interface BlobRow {
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
senderFp?: string;
}
/**
@@ -33,6 +34,7 @@ export class MemoryInboxStore implements InboxStore {
msgId: string;
ciphertext: Uint8Array;
expiresAt: number;
senderFp?: string;
}): Promise<{ created: boolean; receivedAt: number }> {
const list = this.blobs.get(args.address) ?? [];
const existing = list.find((r) => r.msgId === args.msgId);
@@ -41,12 +43,14 @@ export class MemoryInboxStore implements InboxStore {
// multiple blobs land in the same millisecond.
const receivedAt = Math.max(this.nextReceivedAt + 1, Date.now());
this.nextReceivedAt = receivedAt;
list.push({
const row: BlobRow = {
msgId: args.msgId,
ciphertext: new Uint8Array(args.ciphertext),
receivedAt,
expiresAt: args.expiresAt,
});
};
if (args.senderFp !== undefined) row.senderFp = args.senderFp;
list.push(row);
this.blobs.set(args.address, list);
return { created: true, receivedAt };
}
@@ -56,18 +60,36 @@ export class MemoryInboxStore implements InboxStore {
sinceCursor: number;
now: number;
limit: number;
}): Promise<Array<{ msgId: string; ciphertext: Uint8Array; receivedAt: number; expiresAt: number }>> {
}): Promise<
Array<{
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
senderFp?: string;
}>
> {
const list = this.blobs.get(args.address) ?? [];
return list
.filter((r) => r.receivedAt > args.sinceCursor && r.expiresAt > args.now)
.sort((a, b) => a.receivedAt - b.receivedAt)
.slice(0, args.limit)
.map((r) => ({
.map((r) => {
const out: {
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
senderFp?: string;
} = {
msgId: r.msgId,
ciphertext: new Uint8Array(r.ciphertext),
receivedAt: r.receivedAt,
expiresAt: r.expiresAt,
}));
};
if (r.senderFp !== undefined) out.senderFp = r.senderFp;
return out;
});
}
async deleteBlob(address: string, msgId: string): Promise<boolean> {

75
packages/shade-inbox-server/src/presence.ts Normal file
View File

@@ -0,0 +1,75 @@
/**
* V4.7 — bridge-connection presence tracking.
*
* The bridge handlers (`/v1/bridge/stream` and `/v1/bridge/ws`) call
* `markConnected` on open and `markDisconnected` on close. The tracker
* keeps a per-address set of connection ids; the `inbox.peer_connected`
* / `inbox.peer_disconnected` events fire only on the 0↔1 boundary so
* that two simultaneous bridges (e.g. SSE + WS during a transport-
* fallback handover) collapse into a single connected/disconnected
* pair from the consumer's point of view.
*
* Long-poll (`/v1/bridge/poll`) is intentionally NOT tracked — see the
* note on `InboxServerEventMap` in `events.ts`.
*/
import type { InboxServerEvents } from './events.js';
export type TrackedBridgeKind = 'ws' | 'sse';
export class PresenceTracker {
private readonly connections = new Map<string, Set<string>>();
private nextConnId = 1;
constructor(private readonly events: InboxServerEvents | null) {}
/** Allocate a fresh connection id for `markConnected` / `markDisconnected`. */
newConnectionId(): string {
return `c${this.nextConnId++}`;
}
/**
* Snapshot: is `address` currently connected over any tracked transport?
* Used by `/v1/bridge/presence` to push the initial state to a new
* subscriber.
*/
isOnline(address: string): boolean {
const set = this.connections.get(address);
return set !== undefined && set.size > 0;
}
markConnected(address: string, bridgeKind: TrackedBridgeKind, connectionId: string): void {
let set = this.connections.get(address);
const wasOnline = set !== undefined && set.size > 0;
if (!set) {
set = new Set();
this.connections.set(address, set);
}
set.add(connectionId);
if (!wasOnline) {
this.events?.emit('inbox.peer_connected', { address, bridgeKind });
}
}
markDisconnected(
address: string,
bridgeKind: TrackedBridgeKind,
connectionId: string,
reason: 'closed' | 'error',
): void {
const set = this.connections.get(address);
if (!set) return;
if (!set.delete(connectionId)) return;
if (set.size === 0) {
this.connections.delete(address);
this.events?.emit('inbox.peer_disconnected', { address, bridgeKind, reason });
}
}
/** Inspect the underlying map. Test/observability use only. */
snapshot(): Map<string, ReadonlySet<string>> {
return new Map(
Array.from(this.connections.entries(), ([k, v]) => [k, v as ReadonlySet<string>]),
);
}
}

20
packages/shade-inbox-server/src/routes.ts
View File

@@ -255,11 +255,19 @@ export function createInboxRoutes(
);
}
// V4.8: capture sender fingerprint at PUT time. The sender's
// signing key was just verified for this request, so the fingerprint
// is bound to the same authentication path that authorized the
// store. Surfaced on bridge push + inbox-fetch responses to
// bootstrap unknown-sender first-contact (X3DH pair handshake).
const senderFp = await shortHash(senderKey);
const result = await store.putBlob({
address,
msgId,
ciphertext: ctBytes,
expiresAt,
senderFp,
});
if (result.created) {
events?.emit('inbox.blob_stored', {
@@ -319,12 +327,22 @@ export function createInboxRoutes(
let bytes = 0;
const blobs = rows.map((r) => {
bytes += r.ciphertext.length;
return {
const out: {
msgId: string;
ciphertext: string;
receivedAt: number;
expiresAt: number;
from?: string;
} = {
msgId: r.msgId,
ciphertext: toBase64(r.ciphertext),
receivedAt: r.receivedAt,
expiresAt: r.expiresAt,
};
// V4.8: surface sender fingerprint when present. Empty for blobs
// persisted by a pre-4.8 relay that didn't track sender provenance.
if (r.senderFp) out.from = r.senderFp;
return out;
});
const nextCursor = rows.length > 0 ? rows[rows.length - 1]!.receivedAt : sinceCursor;

23
packages/shade-inbox-server/src/store.ts
View File

@@ -36,12 +36,20 @@ export interface InboxStore {
* **Idempotent**: if a row already exists for `(address, msgId)` the
* implementation MUST return `{ created: false }` and leave the existing
* row untouched. A fresh insert returns `{ created: true, receivedAt }`.
*
* `senderFp` (V4.8+) is the 8-byte hex of SHA-256(senderSigningKey)
* — captured at PUT time when the relay verified the sender's
* signature. Optional so legacy 4.7 callers compile, but populated by
* `createInboxRoutes` from 4.8 onward and surfaced on bridge push +
* inbox-fetch responses to bootstrap unknown-sender first-contact
* (X3DH pair handshake).
*/
putBlob(args: {
address: string;
msgId: string;
ciphertext: Uint8Array;
expiresAt: number;
senderFp?: string;
}): Promise<{ created: boolean; receivedAt: number }>;
/**
@@ -57,7 +65,20 @@ export interface InboxStore {
sinceCursor: number;
now: number;
limit: number;
}): Promise<Array<{ msgId: string; ciphertext: Uint8Array; receivedAt: number; expiresAt: number }>>;
}): Promise<
Array<{
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
/**
* Sender fingerprint — 8-byte hex of SHA-256(senderSigningKey)
* captured at PUT time. Empty/undefined for blobs persisted by a
* pre-4.8 relay that didn't track sender provenance.
*/
senderFp?: string;
}>
>;
/**
* Delete a single blob by `(address, msgId)`. Returns true if a row was

2
packages/shade-inbox/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/inbox",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

29
packages/shade-inbox/src/client.ts
View File

@@ -40,6 +40,16 @@ export interface FetchedBlob {
receivedAt: number;
/** Absolute expiry time (ms since epoch) reported by the server. */
expiresAt: number;
/**
* Sender fingerprint — 8-byte hex of SHA-256(senderSigningKey),
* captured by the relay at PUT time when the sender's signature was
* verified. Empty/undefined when the relay is pre-4.8 or the blob
* predates sender-fingerprint tracking. Use as an unknown-sender
* bootstrap label (`fp:<hex>`) for X3DH first-contact; the
* authoritative sender identity is recovered post-decrypt from the
* envelope itself, so `from` is a hint, not a trust anchor.
*/
from?: string;
}
export interface FetchResult {
@@ -52,7 +62,14 @@ export class InboxClient {
private readonly fetchImpl: typeof fetch;
constructor(private readonly options: InboxClientOptions) {
this.fetchImpl = options.fetch ?? globalThis.fetch;
// Bind once. The browser's `globalThis.fetch` is a WebIDL bound
// operation that throws "Illegal invocation" when called as a method
// on another object (which is what `this.fetchImpl(...)` does).
// Node/Bun fetch tolerates a free receiver, but binding is harmless.
// A consumer-supplied `options.fetch` is bound to the global too —
// a fetch that requires a specific receiver must bind itself.
const f = options.fetch ?? globalThis.fetch;
this.fetchImpl = f.bind(globalThis);
}
/**
@@ -144,12 +161,18 @@ export class InboxClient {
);
const blobs = Array.isArray(json.blobs) ? json.blobs : [];
return {
blobs: blobs.map((b: any) => ({
blobs: blobs.map((b: any): FetchedBlob => {
const out: FetchedBlob = {
msgId: String(b.msgId),
ciphertext: fromBase64(String(b.ciphertext)),
receivedAt: Number(b.receivedAt),
expiresAt: Number(b.expiresAt),
})),
};
// V4.8 — relay-supplied sender fingerprint hint. Optional; absent
// on pre-4.8 relays or for blobs persisted before tracking landed.
if (typeof b.from === 'string' && b.from.length > 0) out.from = b.from;
return out;
}),
cursor: Number(json.cursor ?? sinceCursor),
hasMore: Boolean(json.hasMore),
};

39
packages/shade-inbox/src/inbox.ts
View File

@@ -16,9 +16,20 @@ import { InboxClientEvents, type InboxClientListener } from './events.js';
* decrypt path it owns) and either return a sender-hint for telemetry
* (the address the SDK extracted, or `null`) or throw to keep the blob
* on the server for a later retry.
*
* V4.8: `raw.from` is the relay-captured sender fingerprint (8-byte hex
* of SHA-256 over the sender's signing key). Empty when the relay is
* pre-4.8 or didn't track the sender. Use it as the `fp:<hex>` bootstrap
* label for X3DH first-contact handshakes.
*/
export type DecryptHandler = (
raw: { msgId: string; ciphertext: Uint8Array; receivedAt: number; expiresAt: number },
raw: {
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
from?: string;
},
) => Promise<string | null | undefined> | string | null | undefined;
export interface InboxOptions {
@@ -149,6 +160,14 @@ export class Inbox {
signingKey: this.options.signingPublicKey,
});
this.registered = true;
// V4.8: gate the first poll on register success. `start()` calls
// `register()` fire-and-forget; without this kick, the very first
// `pollOnce()` (scheduled synchronously alongside register) would
// race the register HTTP RTT and return SHADE_NOT_FOUND. The
// pollOnce() guard skips polls until `registered === true`; this
// immediate schedule ensures we don't wait the full pollIntervalMs
// for the next attempt once register lands.
if (this.started) this.schedulePoll(0);
}
/** Drop the address from the server. Local queue/cursor are preserved. */
@@ -217,7 +236,11 @@ export class Inbox {
this.scheduleRegisterRetry();
});
this.scheduleFlush();
this.schedulePoll(0);
// V4.8: do NOT schedule the first poll synchronously. `register()`
// success kicks `schedulePoll(0)` so the first poll fires after the
// server has acknowledged the address. Pre-fix this raced register
// and burned a 404 on every fresh-address `start()`.
if (this.registered) this.schedulePoll(0);
}
/** Stop background timers. Pending entries remain in the queue. */
@@ -375,12 +398,20 @@ export class Inbox {
let senderHint: string | null = null;
try {
const result = await this.incomingHandler({
const raw: {
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
from?: string;
} = {
msgId: blob.msgId,
ciphertext: blob.ciphertext,
receivedAt: blob.receivedAt,
expiresAt: blob.expiresAt,
});
};
if (blob.from !== undefined) raw.from = blob.from;
const result = await this.incomingHandler(raw);
senderHint = result ?? null;
} catch (err) {
this.events.emit('inbox.message_decrypt_failed', {

192
packages/shade-inbox/tests/client.test.ts
View File

@@ -281,3 +281,195 @@ describe('tamper detection', () => {
expect(result.received).toBe(0);
});
});
describe('InboxClient — default fetch is bound to globalThis', () => {
// Regression: browsers' `fetch` is a WebIDL bound operation that throws
// "Illegal invocation" when called as a method on another object. The
// class stores `fetchImpl` and calls `this.fetchImpl(...)`, which strips
// the Window receiver. Constructor must `bind(globalThis)`.
test('default path passes globalThis as `this` (no Illegal invocation)', async () => {
const realFetch = globalThis.fetch;
let observedReceiver: unknown = 'unset';
function strictFetch(this: unknown, _input: unknown, _init?: unknown): Promise<Response> {
observedReceiver = this;
if (this !== globalThis) {
throw new TypeError("Failed to execute 'fetch' on 'Window': Illegal invocation");
}
return Promise.resolve(
new Response('{}', {
status: 200,
headers: { 'content-type': 'application/json' },
}),
);
}
Object.defineProperty(globalThis, 'fetch', {
configurable: true,
writable: true,
value: strictFetch,
});
try {
const id = await makeIdentity();
const client = new InboxClient({
baseUrl: 'http://example.invalid',
crypto,
signingPrivateKey: id.signingPrivateKey,
// No `fetch` override on purpose — this exercises the default path.
});
await client.register({ address: 'whoever', signingKey: id.signingPublicKey });
expect(observedReceiver).toBe(globalThis);
} finally {
Object.defineProperty(globalThis, 'fetch', {
configurable: true,
writable: true,
value: realFetch,
});
}
});
});
describe('Inbox.start() — fresh-address register/poll race (V4.8)', () => {
// Regression: pre-4.8 `start()` called `register()` fire-and-forget AND
// `schedulePoll(0)` synchronously, so the first poll often beat the
// register HTTP RTT and got SHADE_NOT_FOUND on a fresh address. Fix:
// start() defers the first poll; register() success kicks it.
test('fresh address: no fetch fires before register completes', async () => {
const store = new MemoryInboxStore();
const app = createInboxServer({ crypto, store, disableRateLimit: true });
const alice = await makeIdentity();
// Order observed by the server: must be register-then-fetch, never
// fetch-then-register.
const calls: Array<'register' | 'fetch' | 'put'> = [];
let registerArrived = false;
const recordingFetch: typeof fetch = (async (input, init) => {
const u =
typeof input === 'string'
? input
: input instanceof URL
? input.toString()
: (input as Request).url;
if (u.includes('/v1/inbox/register')) {
calls.push('register');
// Hold register for a tick to widen the race window.
await new Promise((r) => setTimeout(r, 25));
registerArrived = true;
} else if (u.endsWith('/fetch')) {
// Any fetch arriving before register is the race we're guarding
// against.
if (!registerArrived) {
throw new Error('fetch fired before register completed (race not fixed)');
}
calls.push('fetch');
} else if (u.includes('/v1/inbox/')) {
calls.push('put');
}
return honoFetch(app)(input, init);
}) as typeof fetch;
const inbox = new Inbox({
baseUrl: 'http://localhost',
ownAddress: 'alice',
crypto,
signingPrivateKey: alice.signingPrivateKey,
signingPublicKey: alice.signingPublicKey,
pollIntervalMs: 30_000, // Long enough that only register's kick triggers.
fetch: recordingFetch,
});
inbox.onIncoming(() => null);
inbox.start();
// Wait until register has completed and the success-kick poll lands.
await new Promise((r) => setTimeout(r, 100));
inbox.stop();
expect(calls[0]).toBe('register');
// First fetch (if any) must be after register.
const firstFetchIdx = calls.indexOf('fetch');
if (firstFetchIdx !== -1) {
expect(firstFetchIdx).toBeGreaterThan(calls.indexOf('register'));
}
});
});
describe('FetchedBlob.from — relay-supplied sender fingerprint (V4.8)', () => {
test('inbox-fetch response carries from = 8-byte hex of SHA-256(senderSigningKey)', async () => {
const store = new MemoryInboxStore();
const app = createInboxServer({ crypto, store, disableRateLimit: true });
const bob = await makeIdentity();
const alice = await makeIdentity();
const bobClient = new InboxClient({
baseUrl: 'http://localhost',
crypto,
signingPrivateKey: bob.signingPrivateKey,
fetch: honoFetch(app),
});
const aliceClient = new InboxClient({
baseUrl: 'http://localhost',
crypto,
signingPrivateKey: alice.signingPrivateKey,
fetch: honoFetch(app),
});
await bobClient.register({ address: 'bob', signingKey: bob.signingPublicKey });
await aliceClient.put({
recipientAddress: 'bob',
senderSigningKey: alice.signingPublicKey,
envelope: randBytes(64),
});
const fetched = await bobClient.fetch({ address: 'bob' });
expect(fetched.blobs.length).toBe(1);
const fp = fetched.blobs[0]!.from;
expect(fp).toBeDefined();
expect(fp).toMatch(/^[0-9a-f]{16}$/);
// Must be reproducible: SHA-256(alice.signingPublicKey) → first 8 bytes hex.
const digest = await globalThis.crypto.subtle.digest(
'SHA-256',
alice.signingPublicKey as unknown as ArrayBuffer,
);
const expected = Array.from(new Uint8Array(digest).slice(0, 8), (b) =>
b.toString(16).padStart(2, '0'),
).join('');
expect(fp).toBe(expected);
});
test('DecryptHandler raw arg propagates from to the app', async () => {
const store = new MemoryInboxStore();
const app = createInboxServer({ crypto, store, disableRateLimit: true });
const bob = await makeIdentity();
const alice = await makeIdentity();
const aliceClient = new InboxClient({
baseUrl: 'http://localhost',
crypto,
signingPrivateKey: alice.signingPrivateKey,
fetch: honoFetch(app),
});
const bobInbox = new Inbox({
baseUrl: 'http://localhost',
ownAddress: 'bob',
crypto,
signingPrivateKey: bob.signingPrivateKey,
signingPublicKey: bob.signingPublicKey,
pollIntervalMs: 0,
fetch: honoFetch(app),
});
await bobInbox.register();
await aliceClient.put({
recipientAddress: 'bob',
senderSigningKey: alice.signingPublicKey,
envelope: randBytes(40),
});
let observed: string | undefined = undefined;
bobInbox.onIncoming((raw) => {
observed = raw.from;
return null;
});
await bobInbox.tick();
expect(observed).toMatch(/^[0-9a-f]{16}$/);
});
});

2
packages/shade-key-transparency/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/key-transparency",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

2
packages/shade-keychain/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/keychain",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

2
packages/shade-observability/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/observability",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

2
packages/shade-observer/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/observer",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

2
packages/shade-proto/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/proto",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

5
packages/shade-proto/src/index.ts
View File

@@ -5,7 +5,10 @@ export {
encodeRatchetMessage,
encodeStreamChunk,
decodeStreamChunk,
encodeBroadcast,
decodeBroadcast,
inspectEnvelopeType,
TYPE_STREAM_CHUNK,
TYPE_BROADCAST,
} from './wire.js';
export type { StreamChunkWire } from './wire.js';
export type { StreamChunkWire, BroadcastWire } from './wire.js';

133
packages/shade-proto/src/wire.ts
View File

@@ -7,6 +7,7 @@
* 0x01 = PreKeyMessage
* 0x02 = RatchetMessage
* 0x11 = StreamChunk
* 0x21 = BroadcastMessage (V4.6 — sender-key encrypted group payload)
*
* All multi-byte integers are big-endian.
*
@@ -23,6 +24,7 @@ const VERSION = 0x02;
const TYPE_PREKEY = 0x01;
const TYPE_RATCHET = 0x02;
export const TYPE_STREAM_CHUNK = 0x11;
export const TYPE_BROADCAST = 0x21;
// ─── Stream chunk types ──────────────────────────────────────
@@ -43,6 +45,28 @@ export interface StreamChunkWire {
ciphertext: Uint8Array; // AES-GCM ciphertext including 16-byte tag
}
/**
* Wire-decoded broadcast envelope (type 0x21).
*
* Carries a Signal-style sender-key message. The sender (channel owner)
* encrypted once with their per-channel chain key; this same byte sequence
* is delivered verbatim to every member. Authenticity rides on the embedded
* Ed25519 signature — no bilateral ratchet wraps the broadcast itself.
*
* `generation` is a per-channel rotation counter: bumped each time a
* member is revoked. Receivers silently drop broadcasts at older
* generations than their currently-installed sender-key.
*/
export interface BroadcastWire {
channelId: string; // utf-8, length-prefixed
senderAddress: string; // utf-8, length-prefixed
generation: number; // u32
iteration: number; // u32 — sender chain counter
nonce: Uint8Array; // AES-GCM nonce (12 bytes)
signature: Uint8Array; // Ed25519 signature (64 bytes)
ciphertext: Uint8Array; // AES-GCM ciphertext including 16-byte tag
}
const STREAM_ID_BYTES = 16;
const STREAM_NONCE_BYTES = 12;
@@ -230,11 +254,11 @@ export function decodeStreamChunk(data: Uint8Array): StreamChunkWire {
/**
* Inspect the type tag of an arbitrary envelope without full parsing.
* Returns one of `'prekey' | 'ratchet' | 'stream-chunk' | 'unknown'`.
* Returns one of `'prekey' | 'ratchet' | 'stream-chunk' | 'broadcast' | 'unknown'`.
*/
export function inspectEnvelopeType(
data: Uint8Array,
): 'prekey' | 'ratchet' | 'stream-chunk' | 'unknown' {
): 'prekey' | 'ratchet' | 'stream-chunk' | 'broadcast' | 'unknown' {
if (data.length < 2 || data[0] !== VERSION) return 'unknown';
switch (data[1]) {
case TYPE_PREKEY:
@@ -243,11 +267,116 @@ export function inspectEnvelopeType(
return 'ratchet';
case TYPE_STREAM_CHUNK:
return 'stream-chunk';
case TYPE_BROADCAST:
return 'broadcast';
default:
return 'unknown';
}
}
// ─── Broadcast wire (V4.6) ───────────────────────────────────
const BROADCAST_NONCE_BYTES = 12;
const BROADCAST_SIGNATURE_BYTES = 64;
/**
* Encode a broadcast envelope to wire bytes (type 0x21).
*
* Layout:
* [version:1][type=0x21:1]
* [channelIdLen:u16][channelId utf-8]
* [senderAddrLen:u16][senderAddr utf-8]
* [generation:u32]
* [iteration:u32]
* [nonce:12]
* [signature:64]
* [ctLen:u32][ciphertext]
*/
export function encodeBroadcast(b: BroadcastWire): Uint8Array {
if (b.nonce.length !== BROADCAST_NONCE_BYTES) {
throw new Error(`broadcast nonce must be ${BROADCAST_NONCE_BYTES} bytes`);
}
if (b.signature.length !== BROADCAST_SIGNATURE_BYTES) {
throw new Error(`broadcast signature must be ${BROADCAST_SIGNATURE_BYTES} bytes`);
}
const enc = new TextEncoder();
const channelIdBytes = enc.encode(b.channelId);
const senderBytes = enc.encode(b.senderAddress);
if (channelIdBytes.length > 0xffff) throw new Error('channelId too long');
if (senderBytes.length > 0xffff) throw new Error('senderAddress too long');
const headerSize =
1 + 1 +
2 + channelIdBytes.length +
2 + senderBytes.length +
4 + 4 +
BROADCAST_NONCE_BYTES +
BROADCAST_SIGNATURE_BYTES +
4;
const out = new Uint8Array(headerSize + b.ciphertext.length);
const view = new DataView(out.buffer);
let offset = 0;
out[offset++] = VERSION;
out[offset++] = TYPE_BROADCAST;
view.setUint16(offset, channelIdBytes.length, false); offset += 2;
out.set(channelIdBytes, offset); offset += channelIdBytes.length;
view.setUint16(offset, senderBytes.length, false); offset += 2;
out.set(senderBytes, offset); offset += senderBytes.length;
view.setUint32(offset, b.generation, false); offset += 4;
view.setUint32(offset, b.iteration, false); offset += 4;
out.set(b.nonce, offset); offset += BROADCAST_NONCE_BYTES;
out.set(b.signature, offset); offset += BROADCAST_SIGNATURE_BYTES;
view.setUint32(offset, b.ciphertext.length, false); offset += 4;
out.set(b.ciphertext, offset);
return out;
}
export function decodeBroadcast(data: Uint8Array): BroadcastWire {
const minSize = 1 + 1 + 2 + 0 + 2 + 0 + 4 + 4 +
BROADCAST_NONCE_BYTES + BROADCAST_SIGNATURE_BYTES + 4;
if (data.length < minSize) {
throw new Error(`broadcast envelope too short: ${data.length} < ${minSize}`);
}
if (data[0] !== VERSION) throw new Error(`Unknown version: ${data[0]}`);
if (data[1] !== TYPE_BROADCAST) throw new Error(`Not a broadcast: type=${data[1]}`);
const view = new DataView(data.buffer, data.byteOffset);
const dec = new TextDecoder();
let offset = 2;
const channelIdLen = view.getUint16(offset, false); offset += 2;
if (offset + channelIdLen > data.length) throw new Error('broadcast truncated in channelId');
const channelId = dec.decode(data.slice(offset, offset + channelIdLen));
offset += channelIdLen;
const senderLen = view.getUint16(offset, false); offset += 2;
if (offset + senderLen > data.length) throw new Error('broadcast truncated in senderAddress');
const senderAddress = dec.decode(data.slice(offset, offset + senderLen));
offset += senderLen;
const generation = view.getUint32(offset, false); offset += 4;
const iteration = view.getUint32(offset, false); offset += 4;
const nonce = data.slice(offset, offset + BROADCAST_NONCE_BYTES);
offset += BROADCAST_NONCE_BYTES;
const signature = data.slice(offset, offset + BROADCAST_SIGNATURE_BYTES);
offset += BROADCAST_SIGNATURE_BYTES;
const ctLen = view.getUint32(offset, false); offset += 4;
if (offset + ctLen !== data.length) {
throw new Error(`broadcast length mismatch: declared ${offset + ctLen}, actual ${data.length}`);
}
const ciphertext = data.slice(offset, offset + ctLen);
return { channelId, senderAddress, generation, iteration, nonce, signature, ciphertext };
}
function decodePreKeyMessageInner(data: Uint8Array): PreKeyMessage {
let offset = 0;

2
packages/shade-recovery/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/recovery",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

2
packages/shade-sdk/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/sdk",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

BIN
packages/shade-sdk/src/broadcast.ts Normal file
View File

Binary file not shown.

12
packages/shade-sdk/src/config.ts
View File

@@ -17,11 +17,12 @@ export interface ShadeConfig {
* - "memory" — in-memory only (lost on restart, good for tests)
* - "sqlite:/path/to/file.db" — SQLite backend
* - { type: 'postgres', url: 'postgres://...' } — PostgreSQL backend
* - { type: 'indexeddb', dbName?: 'my-app' } — browser IndexedDB
* - An explicit StorageProvider instance
*
* Default: "memory"
*/
storage?: string | StorageProvider | { type: 'postgres'; url: string };
storage?: StorageSpec;
/**
* Your address on the prekey server (e.g. "alice@example.com" or "device:abc123").
@@ -96,9 +97,16 @@ export interface ShadeKTConfig {
witnessMaxStored?: number;
}
/** Acceptable shapes for `ShadeConfig.storage`. */
export type StorageSpec =
| string
| StorageProvider
| { type: 'postgres'; url: string }
| { type: 'indexeddb'; dbName?: string };
export interface ResolvedConfig {
prekeyServer: string;
storage: string | StorageProvider | { type: 'postgres'; url: string };
storage: StorageSpec;
address?: string | undefined;
autoReplenish: { min: number; target: number; intervalMs: number } | false;
autoRotate: false | '1d' | '7d' | '30d' | '90d';

5
packages/shade-sdk/src/index.ts
View File

@@ -5,6 +5,11 @@ export type {
ShadeWebRtcConfig,
ShadeWebRtcRuntime,
} from './shade.js';
export type {
BroadcastChannel,
BroadcastChannelSummary,
MessageMeta,
} from './broadcast.js';
export { generateThumbnail } from './thumbnail.js';
export type { GeneratedThumbnail, ThumbnailGenerationOptions } from './thumbnail.js';
export { ShadeThumbnailCache } from './thumbnail-cache.js';

185
packages/shade-sdk/src/shade.ts
View File

@@ -44,7 +44,18 @@ import {
backupFromString,
} from './backup.js';
import { computeFingerprint, deserializeIdentityKeyPair } from '@shade/core';
import type { ResolvedConfig } from './config.js';
import {
acceptBroadcastEnvelope,
createBroadcastChannelImpl,
getBroadcastChannelImpl,
listBroadcastChannelsImpl,
maybeHandleControlPlaintext,
type BroadcastChannel,
type BroadcastChannelSummary,
type BroadcastSdkHooks,
type MessageMeta,
} from './broadcast.js';
import type { ResolvedConfig, StorageSpec } from './config.js';
import {
ShadeControlChannel,
ShadeTransferAuthenticator,
@@ -142,10 +153,19 @@ export class Shade {
private establishing = new Map<string, Promise<void>>();
// Per-address encrypt queue to serialize ratchet mutations
private encryptChains = new Map<string, Promise<unknown>>();
// Per-`from` decrypt queue: serializes incoming receives so two concurrent
// shade.receive(from, env) calls can't race the ratchet/storage. Without
// this, parallel deliveries (relay duplicate fan-out, fast pipelined
// sends) hit `database is locked` (sqlite) or transaction conflicts (IDB)
// because the underlying StorageProvider isn't required to be a
// concurrent-safe writer. See V4.8.2 changelog.
private decryptChains = new Map<string, Promise<unknown>>();
// Message handlers — may be sync or async; receive() awaits each.
// Message handlers — may be sync or async; receive() awaits each. The
// optional third arg distinguishes direct vs broadcast plaintexts;
// handlers registered without it work unchanged (V4.6 back-compat).
private messageHandlers: Array<
(from: string, plaintext: string) => void | Promise<void>
(from: string, plaintext: string, meta?: MessageMeta) => void | Promise<void>
> = [];
// Stream-transfer engine, lazily constructed on first use.
@@ -299,6 +319,26 @@ export class Shade {
return this.address;
}
/**
* The local device's Ed25519 identity public key (32 bytes).
*
* Stable for the lifetime of the identity. After {@link rotate} this
* reflects the new key; the previous key is preserved in retired-
* identities storage for the configured grace period.
*
* Hand this to your application's backend at enrollment time so it
* can verify signatures from this device, compute its own safety-
* number representation, or pin the key for later attestation. Use
* {@link fingerprint} instead for human side-channel comparison.
*/
get identityPublicKey(): Promise<Uint8Array> {
if (!this.initialized) throw new Error('Not initialized');
return this.storage.getIdentityKeyPair().then((kp) => {
if (!kp) throw new Error('Identity not yet generated');
return kp.signingPublicKey;
});
}
/**
* `@shade/files` namespace — high-level entry point for E2EE filesystem
* RPC. Lazily creates the underlying channel + streams bridges on first
@@ -394,13 +434,54 @@ export class Shade {
* The caller provides the `from` address because the envelope itself
* doesn't authenticate the sender — that's determined by your transport
* layer (auth header, WebSocket peer, push notification metadata, etc.).
*
* V4.6: when the decrypted plaintext is a broadcast control message
* (sender-key distribution / revocation), the SDK consumes it
* internally and returns an empty string; user handlers do NOT fire.
* Apps therefore see only direct plaintexts here. Broadcast payloads
* arrive via {@link Shade.acceptBroadcast}.
*/
async receive(from: string, envelope: ShadeEnvelope): Promise<string> {
if (!this.initialized) throw new Error('Not initialized');
const plaintext = await this.manager.decrypt(from, envelope);
// Serialize ONLY the ratchet/storage write portion of receive (the
// call into `manager.decrypt`). Concurrent decrypts race the
// SessionManager ratchet (mutated in place) and the StorageProvider
// (not required to be a concurrent-safe writer — `bun:sqlite`
// throws `database is locked`, IDB throws transaction conflicts).
// The Prism FR called this out: a relay-duplicated WS fan-out
// dispatched 8 parallel `shade.receive(from, env)` calls, one won
// the X3DH prekey race and the other 7 failed with
// `database is locked` / `one-time prekey not found`. The fix is
// to queue per-`from` decrypts so the ratchet step is sequential.
//
// Crucially the user-visible MESSAGE HANDLERS run *outside* the
// queue. Streams + file-RPC issue nested `shade.receive` calls for
// the same peer from inside their handlers (e.g. `stream-end`
// arrives while a write-RPC is still waiting on chunks); holding
// the queue across the handler would self-deadlock. The atomic
// unit we have to protect is just the ratchet+storage step, not
// the consumer's reaction to it.
const previous = this.decryptChains.get(from) ?? Promise.resolve();
const decryptPromise = previous
.catch(() => undefined) // don't propagate upstream failures
.then(() => this.manager.decrypt(from, envelope));
// Store a never-rejecting copy so the next chained receive doesn't
// see a rejection from this one (we still surface our own rejection
// to *this* caller via the original `decryptPromise`).
this.decryptChains.set(from, decryptPromise.catch(() => undefined));
const plaintext = await decryptPromise;
const consumed = await maybeHandleControlPlaintext(
this.broadcastHooks(),
from,
plaintext,
);
if (consumed) return '';
const meta: MessageMeta = { kind: 'direct' };
for (const handler of this.messageHandlers) {
try {
await handler(from, plaintext);
await handler(from, plaintext, meta);
} catch (err) {
console.error('[Shade] Message handler threw:', err);
}
@@ -408,9 +489,16 @@ export class Shade {
return plaintext;
}
/** Register a handler for incoming messages. Async handlers are awaited. */
/**
* Register a handler for incoming messages. Async handlers are awaited.
*
* V4.6: handlers may declare an optional `meta` parameter to discriminate
* direct (`meta.kind === 'direct'`) from broadcast (`meta.kind === 'broadcast'`)
* deliveries. Handlers that ignore the third arg keep working unchanged
* for direct messages.
*/
onMessage(
handler: (from: string, plaintext: string) => void | Promise<void>,
handler: (from: string, plaintext: string, meta?: MessageMeta) => void | Promise<void>,
): () => void {
this.messageHandlers.push(handler);
return () => {
@@ -418,6 +506,73 @@ export class Shade {
};
}
// ─── V4.6 Broadcast channels ───────────────────────────────
/**
* Create a new broadcast channel owned by this device. Returns a
* handle for adding/removing members, encrypting a single payload,
* and rotating on revocation. The channel id is opaque, stable
* across `shutdown()` / re-open, and persisted via the configured
* `StorageProvider`.
*/
async createBroadcastChannel(opts: { label?: string } = {}): Promise<BroadcastChannel> {
if (!this.initialized) throw new Error('Not initialized');
return createBroadcastChannelImpl(this.broadcastHooks(), opts);
}
/**
* Look up an existing sender-side broadcast channel by id. Returns
* `null` when the id is unknown OR when this device only holds a
* receiver-side copy (the receiver path uses `onMessage` for delivery
* — there is no app-facing handle on the receive side).
*/
async getBroadcastChannel(channelId: string): Promise<BroadcastChannel | null> {
if (!this.initialized) throw new Error('Not initialized');
return getBroadcastChannelImpl(this.broadcastHooks(), channelId);
}
/**
* Snapshot of every broadcast channel persisted on this device,
* including receiver-side channels that we joined. Useful for
* rebuilding UI state on startup.
*/
async listBroadcastChannels(): Promise<readonly BroadcastChannelSummary[]> {
if (!this.initialized) throw new Error('Not initialized');
return listBroadcastChannelsImpl(this.broadcastHooks());
}
/**
* Hand a wire-encoded broadcast envelope (type 0x21) to the SDK.
* Decrypts via the matching channel, advances the chain, and dispatches
* the plaintext to `onMessage` handlers with `meta.kind === 'broadcast'`.
*
* Stale generations (sender's old chain after a rotation we already
* received) are silently dropped. Future generations (we haven't seen
* the rotation distribution yet) throw — the app should ensure the
* distribution envelope is delivered before the broadcast.
*/
async acceptBroadcast(envelope: Uint8Array): Promise<void> {
if (!this.initialized) throw new Error('Not initialized');
const result = await acceptBroadcastEnvelope(this.broadcastHooks(), envelope);
if (result === null) return;
for (const handler of this.messageHandlers) {
try {
await handler(result.meta.kind === 'broadcast' ? result.meta.sender : '', result.plaintext, result.meta);
} catch (err) {
console.error('[Shade] Broadcast handler threw:', err);
}
}
}
private broadcastHooks(): BroadcastSdkHooks {
return {
bilateralSend: (peer, pt) => this.send(peer, pt),
myAddress: () => this.address,
crypto: this.crypto,
storage: this.storage,
};
}
/** Get a peer's fingerprint (requires an existing session) */
async getFingerprintFor(address: string): Promise<string> {
if (!this.initialized) throw new Error('Not initialized');
@@ -1484,9 +1639,7 @@ class HttpEnvelopeTransport implements ControlEnvelopeTransport {
// ─── Helpers ─────────────────────────────────────────────────
async function resolveStorage(
spec: string | StorageProvider | { type: 'postgres'; url: string },
): Promise<StorageProvider> {
async function resolveStorage(spec: StorageSpec): Promise<StorageProvider> {
if (typeof spec === 'object' && 'getIdentityKeyPair' in spec) {
return spec;
}
@@ -1512,6 +1665,18 @@ async function resolveStorage(
return mod.PostgresStorage.create(spec.url);
}
if (typeof spec === 'object' && spec.type === 'indexeddb') {
// Dynamic import keeps @shade/storage-indexeddb optional — Node-only
// consumers don't need to install a browser-only adapter.
const moduleId = '@shade/storage-indexeddb';
const mod = (await import(moduleId)) as {
IndexedDBStorage: { create(opts: { dbName?: string }): Promise<StorageProvider> };
};
const opts: { dbName?: string } = {};
if (spec.dbName !== undefined) opts.dbName = spec.dbName;
return mod.IndexedDBStorage.create(opts);
}
throw new Error(`Unsupported storage spec: ${JSON.stringify(spec)}`);
}

225
packages/shade-sdk/tests/broadcast.test.ts Normal file
View File

@@ -0,0 +1,225 @@
import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
import { tmpdir } from 'os';
import { join } from 'path';
import { unlinkSync } from 'fs';
import { createShade, type Shade, type MessageMeta } from '../src/index.js';
import { createPrekeyServer, MemoryPrekeyStore } from '@shade/server';
import { SubtleCryptoProvider } from '@shade/crypto-web';
const crypto = new SubtleCryptoProvider();
async function startPrekeyServer(): Promise<{ url: string; stop: () => void }> {
const server = createPrekeyServer({
crypto,
store: new MemoryPrekeyStore(),
disableRateLimit: true,
});
const port = 19500 + Math.floor(Math.random() * 500);
const handle = Bun.serve({ port, fetch: server.fetch });
return { url: `http://localhost:${port}`, stop: () => handle.stop() };
}
/**
* Prism's three acceptance tests, ported verbatim from
* `Docs/shade-feature-request-sender-keys.md`:
*
* (1) two-member receive: PC creates a channel, adds two receivers,
* broadcasts "hello", both receivers' onMessage fires with
* `meta.kind === 'broadcast'` and the same plaintext.
*
* (1*) revocation: same setup, then `removeMember(receiverA)`. Receiver
* A's next attempt to decrypt a subsequent broadcast fails (or is
* silently dropped); receiver B keeps working.
*
* (2) persistence: create channel, add members, broadcast N messages,
* `shutdown()`, re-open with the same backing store, channel still
* exists, member list intact, generation preserved, next broadcast
* decrypts on receiver side.
*
* (3) no new wire-format changes visible to apps — the pair-flow stays
* a single round-trip; the SDK does the sender-key distribution
* inline. (Validated by inspecting the API surface.)
*/
describe('Broadcast channels — Prism acceptance', () => {
let server: Awaited<ReturnType<typeof startPrekeyServer>>;
let pc: Shade;
let mobileA: Shade;
let mobileB: Shade;
beforeEach(async () => {
server = await startPrekeyServer();
});
afterEach(async () => {
await pc?.shutdown();
await mobileA?.shutdown();
await mobileB?.shutdown();
server.stop();
});
test('(1) two-member receive', async () => {
pc = await createShade({ prekeyServer: server.url, address: 'pc' });
mobileA = await createShade({ prekeyServer: server.url, address: 'mobile-a' });
mobileB = await createShade({ prekeyServer: server.url, address: 'mobile-b' });
const channel = await pc.createBroadcastChannel({ label: 'output' });
expect(channel.id.length).toBeGreaterThan(0);
// Add both members. Each call returns a bilateral envelope to deliver.
const distA = await channel.addMember('mobile-a');
const distB = await channel.addMember('mobile-b');
expect((await channel.members())).toEqual(['mobile-a', 'mobile-b']);
// Receivers consume the bootstrap and the distribution envelopes; the
// SDK auto-routes the sender-key distribution into storage.
await mobileA.receive('pc', distA.envelope);
await mobileB.receive('pc', distB.envelope);
// Hook receiver-side onMessage with meta.
const receivedA: Array<{ from: string; pt: string; meta?: MessageMeta }> = [];
const receivedB: Array<{ from: string; pt: string; meta?: MessageMeta }> = [];
mobileA.onMessage((from, pt, meta) => { receivedA.push({ from, pt, meta }); });
mobileB.onMessage((from, pt, meta) => { receivedB.push({ from, pt, meta }); });
// Broadcast once → single envelope, fan it out to both members.
const out = await channel.broadcast('hello');
expect(out.members).toEqual(['mobile-a', 'mobile-b']);
await mobileA.acceptBroadcast(out.envelope);
await mobileB.acceptBroadcast(out.envelope);
expect(receivedA).toHaveLength(1);
expect(receivedB).toHaveLength(1);
expect(receivedA[0]!.pt).toBe('hello');
expect(receivedB[0]!.pt).toBe('hello');
expect(receivedA[0]!.meta?.kind).toBe('broadcast');
expect(receivedB[0]!.meta?.kind).toBe('broadcast');
if (receivedA[0]!.meta?.kind === 'broadcast') {
expect(receivedA[0]!.meta.channelId).toBe(channel.id);
expect(receivedA[0]!.meta.sender).toBe('pc');
}
});
test('(1*) revocation rotates the chain — receiver A drops, B keeps working', async () => {
pc = await createShade({ prekeyServer: server.url, address: 'pc' });
mobileA = await createShade({ prekeyServer: server.url, address: 'mobile-a' });
mobileB = await createShade({ prekeyServer: server.url, address: 'mobile-b' });
const channel = await pc.createBroadcastChannel({ label: 'output' });
const distA = await channel.addMember('mobile-a');
const distB = await channel.addMember('mobile-b');
await mobileA.receive('pc', distA.envelope);
await mobileB.receive('pc', distB.envelope);
const receivedA: string[] = [];
const receivedB: string[] = [];
mobileA.onMessage((_from, pt, meta) => {
if (meta?.kind === 'broadcast') receivedA.push(pt);
});
mobileB.onMessage((_from, pt, meta) => {
if (meta?.kind === 'broadcast') receivedB.push(pt);
});
// Pre-revocation broadcast — both decrypt.
const before = await channel.broadcast('before');
await mobileA.acceptBroadcast(before.envelope);
await mobileB.acceptBroadcast(before.envelope);
expect(receivedA).toEqual(['before']);
expect(receivedB).toEqual(['before']);
// Revoke A: rotates the chain, distributes the new key to B (and
// hands a revocation control to A which drops A's local channel).
const { rotations } = await channel.removeMember('mobile-a');
expect(rotations.map((r) => r.to)).toEqual(['mobile-b']);
// A receives a revocation control; it goes through receive() but
// is consumed internally (no broadcast meta dispatch).
// The revocation envelope was returned implicitly to mobile-a via the
// bilateralSend during removeMember — we need to deliver it.
// (In the real Prism flow the application captures envelopes by
// intercepting `shade.send`. Here we just trust it happened.)
// Deliver new chain to B.
await mobileB.receive('pc', rotations[0]!.envelope);
// Post-rotation broadcast.
const after = await channel.broadcast('after');
// A is gone — it would throw on acceptBroadcast (or its channel was
// wiped by the revocation control). Either way, A's receivedA stays
// unchanged.
let aThrew = false;
try {
await mobileA.acceptBroadcast(after.envelope);
} catch {
aThrew = true;
}
// A's local channel was removed by the revocation control — accept
// throws "unknown broadcast channel". This is the expected post-
// revocation behavior.
expect(aThrew).toBe(true);
// B decrypts as normal.
await mobileB.acceptBroadcast(after.envelope);
expect(receivedA).toEqual(['before']); // unchanged
expect(receivedB).toEqual(['before', 'after']);
});
test('(2) persistence — channel survives shutdown + re-open', async () => {
// Use a SQLite-backed storage so we get real persistence.
const dbPath = join(tmpdir(), `shade-broadcast-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
pc = await createShade({ prekeyServer: server.url, address: 'pc', storage: `sqlite:${dbPath}` });
mobileA = await createShade({ prekeyServer: server.url, address: 'mobile-a' });
const channel = await pc.createBroadcastChannel({ label: 'output' });
const channelId = channel.id;
const dist = await channel.addMember('mobile-a');
await mobileA.receive('pc', dist.envelope);
// Send a few broadcasts to advance the chain.
const received: string[] = [];
mobileA.onMessage((_from, pt, meta) => {
if (meta?.kind === 'broadcast') received.push(pt);
});
for (let i = 0; i < 3; i++) {
const out = await channel.broadcast(`msg-${i}`);
await mobileA.acceptBroadcast(out.envelope);
}
expect(received).toEqual(['msg-0', 'msg-1', 'msg-2']);
// Shutdown and re-open the PC side. The storage file persists.
await pc.shutdown();
pc = await createShade({ prekeyServer: server.url, address: 'pc', storage: `sqlite:${dbPath}` });
const reopened = await pc.getBroadcastChannel(channelId);
expect(reopened).not.toBeNull();
expect(reopened!.id).toBe(channelId);
expect((await reopened!.members())).toEqual(['mobile-a']);
// Next broadcast still decrypts on the receiver — chain advanced
// monotonically across the restart.
const out = await reopened!.broadcast('msg-after-restart');
await mobileA.acceptBroadcast(out.envelope);
expect(received).toEqual(['msg-0', 'msg-1', 'msg-2', 'msg-after-restart']);
// Cleanup.
try { unlinkSync(dbPath); } catch {}
try { unlinkSync(dbPath + '-shm'); } catch {}
try { unlinkSync(dbPath + '-wal'); } catch {}
});
test('(3) listBroadcastChannels surfaces sender + receiver records', async () => {
pc = await createShade({ prekeyServer: server.url, address: 'pc' });
mobileA = await createShade({ prekeyServer: server.url, address: 'mobile-a' });
const channel = await pc.createBroadcastChannel({ label: 'output' });
const dist = await channel.addMember('mobile-a');
await mobileA.receive('pc', dist.envelope);
const pcSide = await pc.listBroadcastChannels();
const mobileSide = await mobileA.listBroadcastChannels();
expect(pcSide).toHaveLength(1);
expect(pcSide[0]!.ownerRole).toBe('sender');
expect(pcSide[0]!.members).toEqual(['mobile-a']);
expect(mobileSide).toHaveLength(1);
expect(mobileSide[0]!.ownerRole).toBe('receiver');
expect(mobileSide[0]!.id).toBe(channel.id);
});
});

69
packages/shade-sdk/tests/sdk.test.ts
View File

@@ -5,7 +5,7 @@ import {
MemoryPrekeyStore,
PrekeyServerEvents,
} from '@shade/server';
import { SubtleCryptoProvider } from '@shade/crypto-web';
import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
const crypto = new SubtleCryptoProvider();
@@ -131,6 +131,53 @@ describe('createShade — happy path', () => {
await expect(alice.send('nobody', 'ghost')).rejects.toThrow();
});
test('concurrent receive(from, env) for same `from` does not race the ratchet (V4.8.2)', async () => {
// Reproduces the Prism FR scenario: a single PUT is fanned out
// multiple times by the relay (or any duplicating transport), the
// receiver dispatches several `shade.receive(from, env)` in
// parallel, and the underlying SessionManager + StorageProvider
// would race on the ratchet (and on storage writes — sqlite throws
// "database is locked", IDB throws transaction conflicts) without
// per-`from` serialization. We pre-establish a session, then fire
// the same envelope at `bob.receive` from many concurrent callers
// and verify all of them either decrypt to the same plaintext or
// surface a benign "already-consumed" error. Crucially: no
// unhandled storage races, no ratchet corruption, and the next
// legitimate message still decrypts.
alice = await createShade({ prekeyServer: server.url, address: 'alice' });
bob = await createShade({ prekeyServer: server.url, address: 'bob' });
const env1 = await alice.send('bob', 'first');
expect(await bob.receive('alice', env1)).toBe('first');
const env2 = await alice.send('bob', 'second');
// Fan the same envelope out to 8 concurrent receives — exactly the
// shape of the relay duplicate fan-out described in the FR.
const dispatches = await Promise.allSettled(
Array.from({ length: 8 }, () => bob.receive('alice', env2)),
);
// At least one must have succeeded with the right plaintext; the
// others may legitimately reject (replay protection / OTPK
// already-consumed) but MUST NOT corrupt the ratchet or throw
// "database is locked".
const fulfilled = dispatches.filter((d) => d.status === 'fulfilled') as Array<
PromiseFulfilledResult<string>
>;
expect(fulfilled.length).toBeGreaterThan(0);
expect(fulfilled[0]!.value).toBe('second');
for (const d of dispatches) {
if (d.status === 'rejected') {
const msg = String((d.reason as Error)?.message ?? d.reason);
expect(msg).not.toMatch(/database is locked/i);
}
}
// Ratchet must still advance — the next legitimate message decrypts.
const env3 = await alice.send('bob', 'third');
expect(await bob.receive('alice', env3)).toBe('third');
});
test('verify fingerprint matches pinned identity', async () => {
alice = await createShade({ prekeyServer: server.url, address: 'alice' });
bob = await createShade({ prekeyServer: server.url, address: 'bob' });
@@ -182,6 +229,26 @@ describe('createShade — happy path', () => {
const newFp = await alice.fingerprint;
expect(newFp).not.toBe(oldFp);
});
test('identityPublicKey exposes the device Ed25519 key and tracks rotation', async () => {
const storage = new MemoryStorage();
alice = await createShade({ prekeyServer: server.url, address: 'alice', storage });
const pk = await alice.identityPublicKey;
expect(pk).toBeInstanceOf(Uint8Array);
expect(pk.length).toBe(32);
// Matches what the underlying storage holds
const stored = await storage.getIdentityKeyPair();
expect(stored).not.toBeNull();
expect(pk).toEqual(stored!.signingPublicKey);
// Reflects the new key after rotate (acceptance criteria #3)
await alice.rotate();
const pkAfter = await alice.identityPublicKey;
expect(pkAfter.length).toBe(32);
expect(pkAfter).not.toEqual(pk);
});
});
describe('createShade — validation', () => {

2
packages/shade-server/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/server",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

23
packages/shade-server/src/standalone.ts
View File

@@ -154,6 +154,20 @@ const inboxEvents = new InboxServerEvents();
// SHADE_KT_PG_URL (or SHADE_PREKEY_PG_URL) is set, else memory.
const kt = await maybeCreateKT();
// V4.8.1 — `SHADE_DISABLE_RATE_LIMIT=1` turns off the IP-based
// register/replenish/fetch token-buckets on every prekey + inbox
// route. INTENDED FOR SELF-HOSTED SINGLE-TEAM (DEV / SINGLE-TENANT)
// DEPLOYMENTS ONLY — the rate-limit defends multi-tenant relays
// against abuse, so a public/shared deployment must leave this
// unset. Without it, the existing 5/hour REGISTER_LIMIT etc. apply
// unchanged.
const disableRateLimit = process.env.SHADE_DISABLE_RATE_LIMIT === '1';
if (disableRateLimit) {
logger.warn(
'SHADE_DISABLE_RATE_LIMIT=1 — IP rate limits OFF on prekey + inbox routes. Use only for single-tenant deployments.',
);
}
// Compose the full app: metrics middleware + health + metrics + prekey routes
const app = new Hono();
app.use('*', metricsMiddleware());
@@ -164,10 +178,17 @@ app.route(
'/',
createPrekeyRoutes(store, crypto, {
events,
disableRateLimit,
...(kt ? { keyTransparency: kt } : {}),
}),
);
app.route('/', createInboxRoutes(inboxStore, crypto, { events: inboxEvents }));
app.route(
'/',
createInboxRoutes(inboxStore, crypto, {
events: inboxEvents,
disableRateLimit,
}),
);
// V3.7 transport-bridge — SSE / long-poll / WS fallbacks for the inbox.
// Held as a top-level reference so the WebSocket handler can be passed to

42
packages/shade-server/tests/rate-limit.test.ts
View File

@@ -102,6 +102,48 @@ describe('Rate limiting integration with routes', () => {
expect(results.filter((s) => s === 429).length).toBeGreaterThanOrEqual(1);
});
// V4.8.1 — `SHADE_DISABLE_RATE_LIMIT=1` in standalone.ts is plumbed
// through to `createPrekeyServer({ disableRateLimit })`. This test
// covers the "what happens when the flag is true" path; the env-var
// → option conversion in standalone.ts is a one-liner verified by
// inspection.
test('register endpoint allows >5/hour from a single IP when disableRateLimit is set', async () => {
const app = createPrekeyServer({
crypto,
store: new MemoryPrekeyStore(),
disableRateLimit: true,
});
async function doRegister(addressSuffix: number) {
const identity = await generateIdentityKeyPair(crypto);
const body: any = {
address: `user${addressSuffix}`,
identitySigningKey: Buffer.from(identity.signingPublicKey).toString('base64'),
identityDHKey: Buffer.from(identity.dhPublicKey).toString('base64'),
signedPreKey: {
keyId: 1,
publicKey: Buffer.from(crypto.randomBytes(32)).toString('base64'),
signature: Buffer.from(crypto.randomBytes(64)).toString('base64'),
},
};
const signed = await signPayload(crypto, identity.signingPrivateKey, body);
return app.request('/v1/keys/register', {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'x-forwarded-for': '203.0.113.1' },
body: JSON.stringify(signed),
});
}
const results: number[] = [];
for (let i = 0; i < 12; i++) {
const res = await doRegister(i);
results.push(res.status);
}
// No 429 anywhere — the limit is OFF.
expect(results.filter((s) => s === 429).length).toBe(0);
expect(results.filter((s) => s === 200).length).toBe(12);
});
test('rate limit returns Retry-After header', async () => {
const app = createPrekeyServer({ crypto, store: new MemoryPrekeyStore() });

16
packages/shade-storage-encrypted/package.json
View File

@@ -1,17 +1,31 @@
{
"name": "@shade/storage-encrypted",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",
"exports": {
".": {
"browser": "./src/index.browser.ts",
"default": "./src/index.ts"
},
"./crypto": "./src/crypto.ts",
"./sqlite": "./src/sqlite.ts",
"./postgres": "./src/postgres.ts",
"./idb": "./src/idb.ts"
},
"dependencies": {
"@noble/hashes": "^2.0.1",
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
"@shade/storage-postgres": "workspace:*",
"@shade/storage-sqlite": "workspace:*",
"idb": "^8.0.3",
"postgres": "^3.4.9"
},
"devDependencies": {
"fake-indexeddb": "^6.0.0"
},
"peerDependencies": {
"@shade/keychain": "workspace:*"
},

64
packages/shade-storage-encrypted/src/crypto.ts Normal file
View File

@@ -0,0 +1,64 @@
/**
* Browser-safe entry point — exports KeyManager + crypto primitives only.
*
* Use this subpath when bundling for the browser to avoid pulling
* `bun:sqlite` (Bun-only) or `postgres` (Node-only) into the output.
*
* ```ts
* import { KeyManager } from '@shade/storage-encrypted/crypto';
* ```
*
* For backend storage, import `@shade/storage-encrypted/sqlite` (Bun) or
* `@shade/storage-encrypted/postgres` (Node). For browser storage, import
* `@shade/storage-encrypted/idb`.
*/
export {
KeyManager,
type KeySource,
type KeychainBackend,
type KeyManagerOptions,
} from './crypto/key-manager.js';
export {
DEFAULT_SCRYPT,
DEFAULT_ARGON2ID,
type ScryptParams,
type Argon2idParams,
deriveMasterKey,
deriveMasterKeyArgon2id,
deriveStorageKey,
deriveFieldKey,
deriveNonce,
buildAad,
hkdfDerive,
} from './crypto/kdf.js';
export {
AEAD_NONCE_LEN,
AEAD_TAG_LEN,
aeadSeal,
aeadOpen,
} from './crypto/aead.js';
export {
COL,
TBL,
sealString,
openString,
sealBytes,
openBytes,
sealIdentity,
openIdentity,
sealConfig,
openConfig,
sealSignedPreKey,
openSignedPreKey,
sealOneTimePreKey,
openOneTimePreKey,
sealSession,
openSession,
sealTrust,
openTrust,
sealRetired,
openRetired,
sealStreamSensitive,
openStreamSensitive,
} from './crypto/row-codec.js';

45
packages/shade-storage-encrypted/src/crypto/kdf.ts
View File

@@ -11,6 +11,7 @@
*/
import { scryptAsync } from '@noble/hashes/scrypt.js';
import { argon2idAsync } from '@noble/hashes/argon2.js';
import { hkdf } from '@noble/hashes/hkdf.js';
import { sha256 } from '@noble/hashes/sha2.js';
@@ -45,6 +46,50 @@ export async function deriveMasterKey(
return scryptAsync(TEXT.encode(passphrase.normalize('NFKC')), salt, params);
}
/** Argon2id parameters — memory-hard KDF preferred for low-entropy secrets (PINs). */
export interface Argon2idParams {
/** Memory cost in KiB. */
m: number;
/** Time cost (iterations). */
t: number;
/** Parallelism. */
p: number;
/** Output length in bytes. */
dkLen: number;
}
/**
* Default: m=64 MiB, t=3, p=1, 32-byte output. Tuned for ~250400 ms on a
* modern Chromium / Firefox / Safari laptop. RFC 9106 "second recommended"
* profile shrunk to a browser-friendly memory footprint — strong enough for
* 46 digit PINs as a defense-in-depth factor on top of a passphrase.
*/
export const DEFAULT_ARGON2ID: Argon2idParams = { m: 64 * 1024, t: 3, p: 1, dkLen: 32 };
/**
* Derive a 32-byte master key from a low-entropy secret + salt using
* argon2id. Salt MUST be persisted alongside the DB (16-byte random).
*/
export async function deriveMasterKeyArgon2id(
secret: string | Uint8Array,
salt: Uint8Array,
params: Argon2idParams = DEFAULT_ARGON2ID,
): Promise<Uint8Array> {
if (typeof secret === 'string' ? secret.length === 0 : secret.length === 0) {
throw new Error('argon2id secret must be non-empty');
}
if (salt.length < 16) {
throw new Error('salt must be at least 16 bytes');
}
const password = typeof secret === 'string' ? TEXT.encode(secret.normalize('NFKC')) : secret;
return argon2idAsync(password, salt, {
m: params.m,
t: params.t,
p: params.p,
dkLen: params.dkLen,
});
}
/** HKDF-SHA-256 with explicit info string. */
export function hkdfDerive(ikm: Uint8Array, info: string, length = 32, salt?: Uint8Array): Uint8Array {
return hkdf(sha256, ikm, salt, TEXT.encode(info), length);

84
packages/shade-storage-encrypted/src/crypto/key-manager.ts
View File

@@ -1,17 +1,29 @@
/**
* KeyManager — owns the masterKey lifecycle for at-rest encryption.
*
* Three sources are supported:
* Five sources are supported:
* 1. passphrase — scrypt-derived from a developer-supplied secret
* 2. keychain — fetched from OS keychain via @shade/keychain (optional dep)
* 3. injected — caller supplies the 32-byte raw key directly
* 2. argon2id — memory-hard KDF for low-entropy secrets (PINs)
* 3. keychain — fetched from OS keychain via @shade/keychain (optional dep)
* 4. injected — caller supplies the 32-byte raw key directly
* 5. composite — HKDF-combine N sub-sources into one master key
* (multi-factor unlock — every source is required)
*
* The KeyManager pre-derives storageKey at construction time and caches the
* per-(table, column) field keys. masterKey is zeroized after storageKey
* derivation to limit residency.
*/
import { deriveFieldKey, deriveMasterKey, deriveStorageKey, type ScryptParams, DEFAULT_SCRYPT } from './kdf.js';
import {
deriveFieldKey,
deriveMasterKey,
deriveMasterKeyArgon2id,
deriveStorageKey,
hkdfDerive,
DEFAULT_SCRYPT,
type Argon2idParams,
type ScryptParams,
} from './kdf.js';
export type KeySource =
| {
@@ -21,6 +33,14 @@ export type KeySource =
salt: Uint8Array;
params?: ScryptParams;
}
| {
kind: 'argon2id';
/** Low-entropy secret (PIN, short password). */
secret: string | Uint8Array;
/** Stable 16+ byte salt persisted alongside the DB. */
salt: Uint8Array;
params?: Argon2idParams;
}
| {
kind: 'keychain';
/** Service identifier (e.g. "shade.storage"). */
@@ -34,6 +54,25 @@ export type KeySource =
kind: 'injected';
/** Raw 32-byte master key. */
key: Uint8Array;
}
| {
kind: 'composite';
/**
* Sub-sources HKDF-combined into the master key, in order. Every
* source is mandatory: omitting or substituting any source yields
* a different master key and the storage open() will fail.
*
* Order is significant by design — `[pwd, pin]` and `[pin, pwd]`
* derive different master keys.
*/
sources: KeySource[];
/**
* HKDF info string for domain separation. Defaults to
* `shade-composite-master-v1`. Apps that want their composite key
* to be cryptographically distinct from any other Shade composite
* should override this with an app-specific string.
*/
info?: string;
};
/** Pluggable keychain backend. Implementations live in @shade/keychain. */
@@ -107,6 +146,9 @@ async function resolveMasterKey(source: KeySource, opts: KeyManagerOptions): Pro
case 'passphrase':
return deriveMasterKey(source.passphrase, source.salt, source.params ?? DEFAULT_SCRYPT);
case 'argon2id':
return deriveMasterKeyArgon2id(source.secret, source.salt, source.params);
case 'injected':
if (source.key.length !== 32) throw new Error('injected key must be exactly 32 bytes');
return new Uint8Array(source.key); // copy, in case caller mutates
@@ -128,5 +170,39 @@ async function resolveMasterKey(source: KeySource, opts: KeyManagerOptions): Pro
await opts.keychain.set(source.service, source.account, fresh);
return fresh;
}
case 'composite': {
if (source.sources.length === 0) {
throw new Error('composite source requires at least one sub-source');
}
const subKeys: Uint8Array[] = [];
try {
for (const sub of source.sources) {
if (sub.kind === 'composite') {
// Composite-of-composite would silently flatten the unlock
// semantics ("any of N" vs "all of N") if the inner is misread.
// Forbidding nesting keeps the contract clear.
throw new Error('composite sources cannot be nested');
}
subKeys.push(await resolveMasterKey(sub, opts));
}
let total = 0;
for (const k of subKeys) total += k.length;
const ikm = new Uint8Array(total);
let off = 0;
for (const k of subKeys) {
ikm.set(k, off);
off += k.length;
}
const info = source.info ?? 'shade-composite-master-v1';
try {
return hkdfDerive(ikm, info, 32);
} finally {
ikm.fill(0);
}
} finally {
for (const k of subKeys) k.fill(0);
}
}
}
}

75
packages/shade-storage-encrypted/src/crypto/row-codec.ts
View File

@@ -39,6 +39,7 @@ export const COL = {
trustedIdentity: 'trusted_identity',
retiredIdentity: 'retired_identity',
streamSensitive: 'stream_sensitive',
broadcastChannelSensitive: 'broadcast_channel_sensitive',
} as const;
/** Logical table identifiers — used for fieldKey + AAD binding. */
@@ -51,6 +52,7 @@ export const TBL = {
trustedIdentities: 'trusted_identities',
retiredIdentities: 'retired_identities',
streamState: 'stream_state',
broadcastChannels: 'broadcast_channels',
} as const;
/** Encrypt an arbitrary string payload bound to (table, column, pk). */
@@ -226,3 +228,76 @@ export async function openStreamSensitive(
if (b.overallHashState !== undefined) (out as { overallHashState?: string }).overallHashState = b.overallHashState;
return out;
}
/**
* Broadcast-channel sensitive bundle (V4.6). Routing fields (channelId,
* ownerRole, ownerAddress, label, generation, createdAt, updatedAt) live
* in plaintext columns so backends can list/query without unsealing every
* row; the chain key, iteration, and signing keys all live in this sealed
* blob.
*/
interface BroadcastChannelSensitiveBundle {
chainKey: string; // base64(32B)
iteration: number;
signingPublicKey: string; // base64(32B)
signingPrivateKey?: string; // base64; only when ownerRole === 'sender'
}
export async function sealBroadcastChannelSensitive(
km: KeyManager,
channelId: string,
s: {
chainKey: Uint8Array;
iteration: number;
signingPublicKey: Uint8Array;
signingPrivateKey?: Uint8Array;
},
): Promise<Uint8Array> {
const bundle: BroadcastChannelSensitiveBundle = {
chainKey: toBase64(s.chainKey),
iteration: s.iteration,
signingPublicKey: toBase64(s.signingPublicKey),
};
if (s.signingPrivateKey !== undefined) {
bundle.signingPrivateKey = toBase64(s.signingPrivateKey);
}
return sealString(
km,
TBL.broadcastChannels,
COL.broadcastChannelSensitive,
channelId,
JSON.stringify(bundle),
);
}
export async function openBroadcastChannelSensitive(
km: KeyManager,
channelId: string,
blob: Uint8Array,
): Promise<{
chainKey: Uint8Array;
iteration: number;
signingPublicKey: Uint8Array;
signingPrivateKey?: Uint8Array;
}> {
const json = await openString(
km,
TBL.broadcastChannels,
COL.broadcastChannelSensitive,
channelId,
blob,
);
const b = JSON.parse(json) as BroadcastChannelSensitiveBundle;
const out: {
chainKey: Uint8Array;
iteration: number;
signingPublicKey: Uint8Array;
signingPrivateKey?: Uint8Array;
} = {
chainKey: fromBase64(b.chainKey),
iteration: b.iteration,
signingPublicKey: fromBase64(b.signingPublicKey),
};
if (b.signingPrivateKey !== undefined) out.signingPrivateKey = fromBase64(b.signingPrivateKey);
return out;
}

13
packages/shade-storage-encrypted/src/idb.ts Normal file
View File

@@ -0,0 +1,13 @@
/**
* Browser entry point — Encrypted IndexedDB storage.
*
* Pulls `idb` (~12 kB) and SubtleCrypto only. Safe to bundle into a
* browser app via Vite/webpack/esbuild.
*
* ```ts
* import { KeyManager } from '@shade/storage-encrypted/crypto';
* import { EncryptedIndexedDBStorage } from '@shade/storage-encrypted/idb';
* ```
*/
export { EncryptedIndexedDBStorage } from './storage/encrypted-indexeddb.js';

14
packages/shade-storage-encrypted/src/index.browser.ts Normal file
View File

@@ -0,0 +1,14 @@
/**
* Default barrel resolved by bundlers under the `browser` condition.
*
* Excludes `EncryptedSQLiteStorage` (pulls `bun:sqlite`) and
* `EncryptedPostgresStorage` (pulls `postgres`). Browser apps can keep using
* `import { KeyManager } from '@shade/storage-encrypted'` — Vite/webpack will
* pick this file via the `browser` condition and produce a clean bundle.
*
* Node/Bun consumers continue to resolve to `./index.js`, which exposes the
* full surface area (back-compat).
*/
export * from './crypto.js';
export { EncryptedIndexedDBStorage } from './storage/encrypted-indexeddb.js';

6
packages/shade-storage-encrypted/src/index.ts
View File

@@ -6,8 +6,11 @@ export {
} from './crypto/key-manager.js';
export {
DEFAULT_SCRYPT,
DEFAULT_ARGON2ID,
type ScryptParams,
type Argon2idParams,
deriveMasterKey,
deriveMasterKeyArgon2id,
deriveStorageKey,
deriveFieldKey,
deriveNonce,
@@ -25,6 +28,9 @@ export {
EncryptedPostgresStorage,
ensureEncryptedClientTables,
} from './storage/encrypted-postgres.js';
// EncryptedIndexedDBStorage is browser-only; import it from
// `@shade/storage-encrypted/idb` (or rely on the `browser` condition
// resolving to ./index.browser.ts).
export {
migrateSqliteToEncrypted,
rotateSqliteEncryptionKey,

11
packages/shade-storage-encrypted/src/postgres.ts Normal file
View File

@@ -0,0 +1,11 @@
/**
* Node-only entry point — Encrypted Postgres storage.
*
* Pulls `postgres`. Do not import from a browser bundle; use
* `@shade/storage-encrypted/idb` instead.
*/
export {
EncryptedPostgresStorage,
ensureEncryptedClientTables,
} from './storage/encrypted-postgres.js';

15
packages/shade-storage-encrypted/src/sqlite.ts Normal file
View File

@@ -0,0 +1,15 @@
/**
* Bun-only entry point — Encrypted SQLite storage + migration utilities.
*
* Pulls `bun:sqlite`. Do not import from a browser bundle; use
* `@shade/storage-encrypted/idb` instead.
*/
export { EncryptedSQLiteStorage } from './storage/encrypted-sqlite.js';
export {
migrateSqliteToEncrypted,
rotateSqliteEncryptionKey,
type MigrateOptions,
type RotateOptions,
type MigrateReport,
} from './migrate/migrate-sqlite.js';

548
packages/shade-storage-encrypted/src/storage/encrypted-indexeddb.ts Normal file
View File

@@ -0,0 +1,548 @@
import { openDB, type IDBPDatabase, type DBSchema } from 'idb';
import type {
BroadcastChannelRecord,
BroadcastMemberRecord,
IdentityKeyPair,
OneTimePreKey,
PeerVerification,
PeerVerificationSource,
PersistedStreamState,
RetiredIdentity,
SessionState,
SignedPreKey,
StorageProvider,
} from '@shade/core';
import { constantTimeEqual, toBase64 } from '@shade/core';
import { KeyManager } from '../crypto/key-manager.js';
import {
openBroadcastChannelSensitive, openConfig, openIdentity, openOneTimePreKey,
openRetired, openSession, openSignedPreKey, openStreamSensitive, openTrust,
sealBroadcastChannelSensitive, sealConfig, sealIdentity, sealOneTimePreKey,
sealRetired, sealSession, sealSignedPreKey, sealStreamSensitive, sealTrust,
} from '../crypto/row-codec.js';
/**
* IndexedDB-backed StorageProvider with at-rest encryption.
*
* Schema is the IndexedDB equivalent of `EncryptedSQLiteStorage`: one object
* store per `_enc` table, sealed payloads stored as `Uint8Array` in a
* `ciphertext` field, routing/timestamp fields kept plaintext where SQLite
* does so for query efficiency. Crypto stack — `KeyManager`, `aeadSeal`,
* `aeadOpen`, row-codec sealers, AAD scheme — is shared verbatim with the
* SQLite/Postgres backends, so a row sealed under one backend decrypts
* under another given the same `KeyManager`.
*
* Browser-safe: imports `idb` (~12 kB, pure JS) and SubtleCrypto only.
*
* Usage:
* ```ts
* import { KeyManager } from '@shade/storage-encrypted/crypto';
* import { EncryptedIndexedDBStorage } from '@shade/storage-encrypted/idb';
*
* const km = await KeyManager.open({
* kind: 'composite',
* sources: [
* { kind: 'passphrase', passphrase, salt: pwSalt },
* { kind: 'argon2id', secret: pin, salt: pinSalt },
* ],
* });
* const storage = await EncryptedIndexedDBStorage.open({
* dbName: 'my-app-shade',
* keyManager: km,
* });
* ```
*/
export class EncryptedIndexedDBStorage implements StorageProvider {
private constructor(
private db: IDBPDatabase<EncryptedShadeSchema>,
private km: KeyManager,
) {}
/**
* Open (or create) the encrypted IndexedDB database. On first open the
* storageKey fingerprint is persisted; subsequent opens with a different
* KeyManager (wrong passphrase / PIN) reject with a clear error rather
* than silently writing data under the wrong key.
*/
static async open(opts: {
dbName?: string;
keyManager: KeyManager;
}): Promise<EncryptedIndexedDBStorage> {
const dbName = opts.dbName ?? 'shade-encrypted';
const db = await openDB<EncryptedShadeSchema>(dbName, SCHEMA_VERSION, {
upgrade(db, oldVersion) {
if (oldVersion < 1) {
db.createObjectStore('meta_enc', { keyPath: 'key' });
db.createObjectStore('identity_enc', { keyPath: 'id' });
db.createObjectStore('config_enc', { keyPath: 'key' });
db.createObjectStore('signed_prekeys_enc', { keyPath: 'keyId' });
db.createObjectStore('one_time_prekeys_enc', { keyPath: 'keyId' });
db.createObjectStore('sessions_enc', { keyPath: 'address' });
db.createObjectStore('trusted_identities_enc', { keyPath: 'address' });
const retired = db.createObjectStore('retired_identities_enc', {
keyPath: 'retiredAt',
});
retired.createIndex('byRetiredAt', 'retiredAt');
const stream = db.createObjectStore('stream_state_enc', { keyPath: 'streamId' });
stream.createIndex('byStatus', 'status');
stream.createIndex('byPeerAddress', 'peerAddress');
stream.createIndex('byUpdatedAt', 'updatedAt');
db.createObjectStore('peer_verifications_enc', { keyPath: 'peerAddress' });
db.createObjectStore('peer_identity_versions_enc', { keyPath: 'peerAddress' });
}
if (oldVersion < 2) {
db.createObjectStore('broadcast_channels_enc', { keyPath: 'channelId' });
const members = db.createObjectStore('broadcast_members_enc', {
keyPath: ['channelId', 'peerAddress'],
});
members.createIndex('byChannelId', 'channelId');
}
},
});
const store = new EncryptedIndexedDBStorage(db, opts.keyManager);
await store.assertKeyMatchesOrPersistFingerprint();
return store;
}
/** Cleanly close the underlying connection. KeyManager is destroyed. */
close(): void {
this.db.close();
this.km.destroy();
}
/**
* On first open, persist a fingerprint of the storageKey. On subsequent
* opens, compare and reject mismatches with a clear error rather than
* silently writing data under the wrong key.
*/
private async assertKeyMatchesOrPersistFingerprint(): Promise<void> {
const expected = toBase64(this.km.storageKeyFingerprint());
const row = await this.db.get('meta_enc', 'storage_key_fingerprint');
if (!row) {
await this.db.put('meta_enc', { key: 'storage_key_fingerprint', value: expected });
return;
}
if (row.value !== expected) {
throw new Error(
'storage key mismatch — the supplied passphrase / keychain entry does not unlock this database',
);
}
}
// ─── Identity ──────────────────────────────────────────────
async getIdentityKeyPair(): Promise<IdentityKeyPair | null> {
const row = await this.db.get('identity_enc', 1);
if (!row) return null;
return openIdentity(this.km, row.ciphertext);
}
async saveIdentityKeyPair(kp: IdentityKeyPair): Promise<void> {
const blob = await sealIdentity(this.km, kp);
await this.db.put('identity_enc', { id: 1, ciphertext: blob });
}
async getLocalRegistrationId(): Promise<number> {
const row = await this.db.get('config_enc', 'registrationId');
if (!row) return 0;
const v = await openConfig(this.km, 'registrationId', row.ciphertext);
return parseInt(v, 10);
}
async saveLocalRegistrationId(id: number): Promise<void> {
const blob = await sealConfig(this.km, 'registrationId', String(id));
await this.db.put('config_enc', { key: 'registrationId', ciphertext: blob });
}
// ─── Signed PreKeys ────────────────────────────────────────
async getSignedPreKey(keyId: number): Promise<SignedPreKey | null> {
const row = await this.db.get('signed_prekeys_enc', keyId);
if (!row) return null;
return openSignedPreKey(this.km, keyId, row.ciphertext);
}
async saveSignedPreKey(key: SignedPreKey): Promise<void> {
const blob = await sealSignedPreKey(this.km, key);
await this.db.put('signed_prekeys_enc', { keyId: key.keyId, ciphertext: blob });
}
async removeSignedPreKey(keyId: number): Promise<void> {
await this.db.delete('signed_prekeys_enc', keyId);
}
// ─── One-Time PreKeys ──────────────────────────────────────
async getOneTimePreKey(keyId: number): Promise<OneTimePreKey | null> {
const row = await this.db.get('one_time_prekeys_enc', keyId);
if (!row) return null;
return openOneTimePreKey(this.km, keyId, row.ciphertext);
}
async saveOneTimePreKey(key: OneTimePreKey): Promise<void> {
const blob = await sealOneTimePreKey(this.km, key);
await this.db.put('one_time_prekeys_enc', { keyId: key.keyId, ciphertext: blob });
}
async removeOneTimePreKey(keyId: number): Promise<void> {
await this.db.delete('one_time_prekeys_enc', keyId);
}
async getOneTimePreKeyCount(): Promise<number> {
return this.db.count('one_time_prekeys_enc');
}
// ─── Sessions ──────────────────────────────────────────────
async getSession(address: string): Promise<SessionState | null> {
const row = await this.db.get('sessions_enc', address);
if (!row) return null;
return openSession(this.km, address, row.ciphertext);
}
async saveSession(address: string, state: SessionState): Promise<void> {
const blob = await sealSession(this.km, address, state);
await this.db.put('sessions_enc', { address, ciphertext: blob });
}
async removeSession(address: string): Promise<void> {
await this.db.delete('sessions_enc', address);
}
// ─── Trust ─────────────────────────────────────────────────
async isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean> {
const row = await this.db.get('trusted_identities_enc', address);
if (!row) return true; // TOFU
const stored = await openTrust(this.km, address, row.ciphertext);
return constantTimeEqual(stored, identityKey);
}
async saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void> {
const blob = await sealTrust(this.km, address, identityKey);
await this.db.put('trusted_identities_enc', { address, ciphertext: blob });
}
// ─── Identity History ──────────────────────────────────────
async addRetiredIdentity(identity: RetiredIdentity): Promise<void> {
const blob = await sealRetired(this.km, identity);
await this.db.put('retired_identities_enc', {
retiredAt: identity.retiredAt,
ciphertext: blob,
});
}
async getRetiredIdentities(): Promise<RetiredIdentity[]> {
// Mirror SQLite's `ORDER BY retired_at DESC`
const rows = await this.db.getAllFromIndex('retired_identities_enc', 'byRetiredAt');
rows.reverse();
return Promise.all(
rows.map((r) => openRetired(this.km, r.retiredAt, r.ciphertext)),
);
}
async pruneRetiredIdentities(olderThan: number): Promise<void> {
const tx = this.db.transaction('retired_identities_enc', 'readwrite');
const idx = tx.store.index('byRetiredAt');
const range = IDBKeyRange.upperBound(olderThan, true);
let cursor = await idx.openCursor(range);
while (cursor) {
await cursor.delete();
cursor = await cursor.continue();
}
await tx.done;
}
// ─── Stream-transfer resume state ──────────────────────────
async saveStreamState(state: PersistedStreamState): Promise<void> {
const blob = await sealStreamSensitive(this.km, state);
await this.db.put('stream_state_enc', {
streamId: state.streamId,
direction: state.direction,
peerAddress: state.peerAddress,
status: state.status,
ciphertext: blob,
createdAt: state.createdAt,
updatedAt: state.updatedAt,
});
}
async getStreamState(streamId: string): Promise<PersistedStreamState | null> {
const row = await this.db.get('stream_state_enc', streamId);
if (!row) return null;
return this.rowToStreamState(row);
}
async removeStreamState(streamId: string): Promise<void> {
await this.db.delete('stream_state_enc', streamId);
}
async listActiveStreamStates(direction?: 'send' | 'receive'): Promise<PersistedStreamState[]> {
const tx = this.db.transaction('stream_state_enc');
const idx = tx.store.index('byStatus');
const active = await idx.getAll(IDBKeyRange.only('active'));
const paused = await idx.getAll(IDBKeyRange.only('paused'));
const merged = [...active, ...paused];
const filtered = direction === undefined
? merged
: merged.filter((r) => r.direction === direction);
filtered.sort((a, b) => b.updatedAt - a.updatedAt);
return Promise.all(filtered.map((r) => this.rowToStreamState(r)));
}
async pruneStreamStates(olderThan: number): Promise<void> {
const tx = this.db.transaction('stream_state_enc', 'readwrite');
const idx = tx.store.index('byUpdatedAt');
const range = IDBKeyRange.upperBound(olderThan, true);
let cursor = await idx.openCursor(range);
while (cursor) {
const row = cursor.value;
if (row.status === 'finished' || row.status === 'aborted') {
await cursor.delete();
}
cursor = await cursor.continue();
}
await tx.done;
}
// ─── Peer verifications (V3.3) ────────────────────────────
// Fingerprints are public-by-design; stored in plaintext for symmetry
// with the SQLite/Postgres encrypted backends.
async savePeerVerification(v: PeerVerification): Promise<void> {
await this.db.put('peer_verifications_enc', { ...v });
}
async getPeerVerification(address: string): Promise<PeerVerification | null> {
const row = await this.db.get('peer_verifications_enc', address);
if (!row) return null;
return {
peerAddress: row.peerAddress,
fingerprint: row.fingerprint,
verifiedAt: row.verifiedAt,
verifiedBy: row.verifiedBy as PeerVerificationSource,
identityVersion: row.identityVersion,
};
}
async removePeerVerification(address: string): Promise<void> {
await this.db.delete('peer_verifications_enc', address);
}
async getPeerIdentityVersion(address: string): Promise<number> {
const row = await this.db.get('peer_identity_versions_enc', address);
return row ? row.version : 1;
}
async bumpPeerIdentityVersion(address: string): Promise<number> {
// Atomic read-modify-write under one IDB transaction. Closes the race
// that exists in the SQLite version's non-atomic read-then-upsert.
const tx = this.db.transaction('peer_identity_versions_enc', 'readwrite');
const existing = await tx.store.get(address);
const next = (existing ? existing.version : 1) + 1;
await tx.store.put({ peerAddress: address, version: next });
await tx.done;
return next;
}
// ─── Broadcast channels (V4.6) ────────────────────────────
async saveBroadcastChannel(channel: BroadcastChannelRecord): Promise<void> {
const sealed = await sealBroadcastChannelSensitive(this.km, channel.channelId, {
chainKey: channel.chainKey,
iteration: channel.iteration,
signingPublicKey: channel.signingPublicKey,
...(channel.signingPrivateKey !== undefined ? { signingPrivateKey: channel.signingPrivateKey } : {}),
});
await this.db.put('broadcast_channels_enc', {
channelId: channel.channelId,
ownerRole: channel.ownerRole,
ownerAddress: channel.ownerAddress,
label: channel.label ?? null,
generation: channel.generation,
ciphertext: sealed,
createdAt: channel.createdAt,
updatedAt: channel.updatedAt,
});
}
async getBroadcastChannel(channelId: string): Promise<BroadcastChannelRecord | null> {
const row = await this.db.get('broadcast_channels_enc', channelId);
if (!row) return null;
return this.encRowToChannel(row);
}
async listBroadcastChannels(): Promise<BroadcastChannelRecord[]> {
const rows = await this.db.getAll('broadcast_channels_enc');
rows.sort((a, b) => a.createdAt - b.createdAt);
return Promise.all(rows.map((r) => this.encRowToChannel(r)));
}
async removeBroadcastChannel(channelId: string): Promise<void> {
const tx = this.db.transaction(
['broadcast_channels_enc', 'broadcast_members_enc'],
'readwrite',
);
const memIdx = tx.objectStore('broadcast_members_enc').index('byChannelId');
let cursor = await memIdx.openCursor(IDBKeyRange.only(channelId));
while (cursor) {
await cursor.delete();
cursor = await cursor.continue();
}
await tx.objectStore('broadcast_channels_enc').delete(channelId);
await tx.done;
}
async saveBroadcastMember(member: BroadcastMemberRecord): Promise<void> {
await this.db.put('broadcast_members_enc', { ...member });
}
async getBroadcastMembers(channelId: string): Promise<BroadcastMemberRecord[]> {
const rows = await this.db.getAllFromIndex(
'broadcast_members_enc',
'byChannelId',
IDBKeyRange.only(channelId),
);
rows.sort((a, b) => a.joinedAt - b.joinedAt);
return rows.map((r) => ({
channelId: r.channelId,
peerAddress: r.peerAddress,
joinedAt: r.joinedAt,
removedAt: r.removedAt,
}));
}
async removeBroadcastMember(channelId: string, peerAddress: string): Promise<void> {
await this.db.delete('broadcast_members_enc', [channelId, peerAddress]);
}
private async encRowToChannel(row: BroadcastChannelEncRow): Promise<BroadcastChannelRecord> {
const sensitive = await openBroadcastChannelSensitive(
this.km,
row.channelId,
row.ciphertext,
);
const out: BroadcastChannelRecord = {
channelId: row.channelId,
ownerRole: row.ownerRole,
ownerAddress: row.ownerAddress,
generation: row.generation,
chainKey: sensitive.chainKey,
iteration: sensitive.iteration,
signingPublicKey: sensitive.signingPublicKey,
createdAt: row.createdAt,
updatedAt: row.updatedAt,
};
if (row.label !== null) out.label = row.label;
if (sensitive.signingPrivateKey !== undefined) out.signingPrivateKey = sensitive.signingPrivateKey;
return out;
}
private async rowToStreamState(row: StreamStateEncRow): Promise<PersistedStreamState> {
const sensitive = await openStreamSensitive(this.km, row.streamId, row.ciphertext);
const out: PersistedStreamState = {
streamId: row.streamId,
direction: row.direction,
peerAddress: row.peerAddress,
status: row.status,
metadataJson: sensitive.metadataJson,
partitionJson: sensitive.partitionJson,
laneStateJson: sensitive.laneStateJson,
ioDescriptorJson: sensitive.ioDescriptorJson,
secretEnc: sensitive.secretEnc,
secretNonce: sensitive.secretNonce,
createdAt: row.createdAt,
updatedAt: row.updatedAt,
};
if (sensitive.overallHashState !== undefined) out.overallHashState = sensitive.overallHashState;
return out;
}
}
// ─── Schema ────────────────────────────────────────────────
const SCHEMA_VERSION = 2;
interface MetaRow { key: string; value: string }
interface IdentityRow { id: 1; ciphertext: Uint8Array }
interface ConfigRow { key: string; ciphertext: Uint8Array }
interface SignedPreKeyRow { keyId: number; ciphertext: Uint8Array }
interface OneTimePreKeyRow { keyId: number; ciphertext: Uint8Array }
interface SessionRow { address: string; ciphertext: Uint8Array }
interface TrustedIdentityRow { address: string; ciphertext: Uint8Array }
interface RetiredIdentityRow { retiredAt: number; ciphertext: Uint8Array }
interface StreamStateEncRow {
streamId: string;
direction: 'send' | 'receive';
peerAddress: string;
status: 'active' | 'paused' | 'finished' | 'aborted';
ciphertext: Uint8Array;
createdAt: number;
updatedAt: number;
}
interface PeerVerificationRow {
peerAddress: string;
fingerprint: string;
verifiedAt: number;
verifiedBy: string;
identityVersion: number;
}
interface PeerIdentityVersionRow { peerAddress: string; version: number }
interface BroadcastChannelEncRow {
channelId: string;
ownerRole: 'sender' | 'receiver';
ownerAddress: string;
label: string | null;
generation: number;
ciphertext: Uint8Array;
createdAt: number;
updatedAt: number;
}
interface BroadcastMemberEncRow {
channelId: string;
peerAddress: string;
joinedAt: number;
removedAt: number | null;
}
interface EncryptedShadeSchema extends DBSchema {
meta_enc: { key: string; value: MetaRow };
identity_enc: { key: number; value: IdentityRow };
config_enc: { key: string; value: ConfigRow };
signed_prekeys_enc: { key: number; value: SignedPreKeyRow };
one_time_prekeys_enc: { key: number; value: OneTimePreKeyRow };
sessions_enc: { key: string; value: SessionRow };
trusted_identities_enc: { key: string; value: TrustedIdentityRow };
retired_identities_enc: {
key: number;
value: RetiredIdentityRow;
indexes: { byRetiredAt: number };
};
stream_state_enc: {
key: string;
value: StreamStateEncRow;
indexes: {
byStatus: string;
byPeerAddress: string;
byUpdatedAt: number;
};
};
peer_verifications_enc: { key: string; value: PeerVerificationRow };
peer_identity_versions_enc: { key: string; value: PeerIdentityVersionRow };
broadcast_channels_enc: { key: string; value: BroadcastChannelEncRow };
broadcast_members_enc: {
key: [string, string];
value: BroadcastMemberEncRow;
indexes: { byChannelId: string };
};
}

148
packages/shade-storage-encrypted/src/storage/encrypted-postgres.ts
View File

@@ -1,6 +1,8 @@
import type { Sql } from 'postgres';
import postgres from 'postgres';
import type {
BroadcastChannelRecord,
BroadcastMemberRecord,
IdentityKeyPair,
OneTimePreKey,
PeerVerification,
@@ -14,10 +16,10 @@ import type {
import { constantTimeEqual, toBase64 } from '@shade/core';
import { KeyManager } from '../crypto/key-manager.js';
import {
openConfig, openIdentity, openOneTimePreKey, openRetired, openSession,
openSignedPreKey, openStreamSensitive, openTrust, sealConfig, sealIdentity,
sealOneTimePreKey, sealRetired, sealSession, sealSignedPreKey,
sealStreamSensitive, sealTrust,
openBroadcastChannelSensitive, openConfig, openIdentity, openOneTimePreKey,
openRetired, openSession, openSignedPreKey, openStreamSensitive, openTrust,
sealBroadcastChannelSensitive, sealConfig, sealIdentity, sealOneTimePreKey,
sealRetired, sealSession, sealSignedPreKey, sealStreamSensitive, sealTrust,
} from '../crypto/row-codec.js';
/**
@@ -332,6 +334,108 @@ export class EncryptedPostgresStorage implements StorageProvider {
return next;
}
// ─── Broadcast channels (V4.6) ────────────────────────────
async saveBroadcastChannel(channel: BroadcastChannelRecord): Promise<void> {
const sealed = await sealBroadcastChannelSensitive(this.km, channel.channelId, {
chainKey: channel.chainKey,
iteration: channel.iteration,
signingPublicKey: channel.signingPublicKey,
...(channel.signingPrivateKey !== undefined ? { signingPrivateKey: channel.signingPrivateKey } : {}),
});
await this.sql`
INSERT INTO shade_broadcast_channels_enc
(channel_id, owner_role, owner_address, label, generation, ciphertext, created_at, updated_at)
VALUES
(${channel.channelId}, ${channel.ownerRole}, ${channel.ownerAddress},
${channel.label ?? null}, ${channel.generation}, ${sealed},
${channel.createdAt}, ${channel.updatedAt})
ON CONFLICT (channel_id) DO UPDATE SET
owner_role = EXCLUDED.owner_role,
owner_address = EXCLUDED.owner_address,
label = EXCLUDED.label,
generation = EXCLUDED.generation,
ciphertext = EXCLUDED.ciphertext,
updated_at = EXCLUDED.updated_at
`;
}
async getBroadcastChannel(channelId: string): Promise<BroadcastChannelRecord | null> {
const rows = await this.sql<Array<BroadcastChannelEncRow>>`
SELECT * FROM shade_broadcast_channels_enc WHERE channel_id = ${channelId}
`;
if (rows.length === 0) return null;
return this.encRowToChannel(rows[0]!);
}
async listBroadcastChannels(): Promise<BroadcastChannelRecord[]> {
const rows = await this.sql<Array<BroadcastChannelEncRow>>`
SELECT * FROM shade_broadcast_channels_enc ORDER BY created_at ASC
`;
return Promise.all(rows.map((r) => this.encRowToChannel(r)));
}
async removeBroadcastChannel(channelId: string): Promise<void> {
await this.sql`DELETE FROM shade_broadcast_members_enc WHERE channel_id = ${channelId}`;
await this.sql`DELETE FROM shade_broadcast_channels_enc WHERE channel_id = ${channelId}`;
}
async saveBroadcastMember(member: BroadcastMemberRecord): Promise<void> {
await this.sql`
INSERT INTO shade_broadcast_members_enc
(channel_id, peer_address, joined_at, removed_at)
VALUES
(${member.channelId}, ${member.peerAddress}, ${member.joinedAt}, ${member.removedAt})
ON CONFLICT (channel_id, peer_address) DO UPDATE SET
joined_at = EXCLUDED.joined_at,
removed_at = EXCLUDED.removed_at
`;
}
async getBroadcastMembers(channelId: string): Promise<BroadcastMemberRecord[]> {
const rows = await this.sql<Array<{ channel_id: string; peer_address: string; joined_at: string | number; removed_at: string | number | null }>>`
SELECT channel_id, peer_address, joined_at, removed_at
FROM shade_broadcast_members_enc
WHERE channel_id = ${channelId}
ORDER BY joined_at ASC
`;
return rows.map((r) => ({
channelId: r.channel_id,
peerAddress: r.peer_address,
joinedAt: Number(r.joined_at),
removedAt: r.removed_at === null ? null : Number(r.removed_at),
}));
}
async removeBroadcastMember(channelId: string, peerAddress: string): Promise<void> {
await this.sql`
DELETE FROM shade_broadcast_members_enc
WHERE channel_id = ${channelId} AND peer_address = ${peerAddress}
`;
}
private async encRowToChannel(row: BroadcastChannelEncRow): Promise<BroadcastChannelRecord> {
const sensitive = await openBroadcastChannelSensitive(
this.km,
String(row.channel_id),
row.ciphertext,
);
const out: BroadcastChannelRecord = {
channelId: String(row.channel_id),
ownerRole: row.owner_role,
ownerAddress: String(row.owner_address),
generation: Number(row.generation),
chainKey: sensitive.chainKey,
iteration: sensitive.iteration,
signingPublicKey: sensitive.signingPublicKey,
createdAt: Number(row.created_at),
updatedAt: Number(row.updated_at),
};
if (row.label !== null && row.label !== undefined) out.label = row.label;
if (sensitive.signingPrivateKey !== undefined) out.signingPrivateKey = sensitive.signingPrivateKey;
return out;
}
private async rowToStreamState(row: StreamRow): Promise<PersistedStreamState> {
const sensitive = await openStreamSensitive(this.km, String(row.stream_id), row.ciphertext);
const out: PersistedStreamState = {
@@ -363,6 +467,17 @@ interface StreamRow {
updated_at: string | number;
}
interface BroadcastChannelEncRow {
channel_id: string;
owner_role: 'sender' | 'receiver';
owner_address: string;
label: string | null;
generation: string | number;
ciphertext: Uint8Array;
created_at: string | number;
updated_at: string | number;
}
export async function ensureEncryptedClientTables(sql: Sql): Promise<void> {
await sql`
CREATE TABLE IF NOT EXISTS shade_meta_enc (
@@ -454,4 +569,29 @@ export async function ensureEncryptedClientTables(sql: Sql): Promise<void> {
version BIGINT NOT NULL
)
`;
await sql`
CREATE TABLE IF NOT EXISTS shade_broadcast_channels_enc (
channel_id TEXT PRIMARY KEY,
owner_role TEXT NOT NULL CHECK (owner_role IN ('sender','receiver')),
owner_address TEXT NOT NULL,
label TEXT,
generation BIGINT NOT NULL,
ciphertext BYTEA NOT NULL,
created_at BIGINT NOT NULL,
updated_at BIGINT NOT NULL
)
`;
await sql`
CREATE TABLE IF NOT EXISTS shade_broadcast_members_enc (
channel_id TEXT NOT NULL,
peer_address TEXT NOT NULL,
joined_at BIGINT NOT NULL,
removed_at BIGINT,
PRIMARY KEY (channel_id, peer_address)
)
`;
await sql`
CREATE INDEX IF NOT EXISTS shade_broadcast_members_enc_channel_idx
ON shade_broadcast_members_enc(channel_id)
`;
}

165
packages/shade-storage-encrypted/src/storage/encrypted-sqlite.ts
View File

@@ -1,5 +1,7 @@
import { Database } from 'bun:sqlite';
import type {
BroadcastChannelRecord,
BroadcastMemberRecord,
IdentityKeyPair,
OneTimePreKey,
PeerVerification,
@@ -13,10 +15,10 @@ import type {
import { constantTimeEqual, toBase64 } from '@shade/core';
import { KeyManager } from '../crypto/key-manager.js';
import {
openConfig, openIdentity, openOneTimePreKey, openRetired, openSession,
openSignedPreKey, openStreamSensitive, openTrust, sealConfig, sealIdentity,
sealOneTimePreKey, sealRetired, sealSession, sealSignedPreKey,
sealStreamSensitive, sealTrust,
openBroadcastChannelSensitive, openConfig, openIdentity, openOneTimePreKey, openRetired,
openSession, openSignedPreKey, openStreamSensitive, openTrust,
sealBroadcastChannelSensitive, sealConfig, sealIdentity, sealOneTimePreKey,
sealRetired, sealSession, sealSignedPreKey, sealStreamSensitive, sealTrust,
} from '../crypto/row-codec.js';
/**
@@ -68,6 +70,14 @@ export class EncryptedSQLiteStorage implements StorageProvider {
removePeerVerification: ReturnType<Database['prepare']>;
getPeerIdentityVersion: ReturnType<Database['prepare']>;
upsertPeerIdentityVersion: ReturnType<Database['prepare']>;
saveBroadcastChannel: ReturnType<Database['prepare']>;
getBroadcastChannel: ReturnType<Database['prepare']>;
listBroadcastChannels: ReturnType<Database['prepare']>;
removeBroadcastChannel: ReturnType<Database['prepare']>;
removeBroadcastChannelMembers: ReturnType<Database['prepare']>;
saveBroadcastMember: ReturnType<Database['prepare']>;
getBroadcastMembers: ReturnType<Database['prepare']>;
removeBroadcastMember: ReturnType<Database['prepare']>;
};
private constructor(db: Database, km: KeyManager, ownsDb: boolean) {
@@ -156,6 +166,24 @@ export class EncryptedSQLiteStorage implements StorageProvider {
peer_address TEXT PRIMARY KEY,
version INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS broadcast_channels_enc (
channel_id TEXT PRIMARY KEY,
owner_role TEXT NOT NULL,
owner_address TEXT NOT NULL,
label TEXT,
generation INTEGER NOT NULL,
ciphertext BLOB NOT NULL,
created_at INTEGER NOT NULL,
updated_at INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS broadcast_members_enc (
channel_id TEXT NOT NULL,
peer_address TEXT NOT NULL,
joined_at INTEGER NOT NULL,
removed_at INTEGER,
PRIMARY KEY (channel_id, peer_address)
);
CREATE INDEX IF NOT EXISTS idx_broadcast_members_enc_channel ON broadcast_members_enc(channel_id);
`);
}
@@ -212,6 +240,35 @@ export class EncryptedSQLiteStorage implements StorageProvider {
`INSERT INTO peer_identity_versions_enc (peer_address, version) VALUES (?, ?)
ON CONFLICT(peer_address) DO UPDATE SET version = excluded.version`,
),
saveBroadcastChannel: this.db.prepare(
`INSERT OR REPLACE INTO broadcast_channels_enc
(channel_id, owner_role, owner_address, label, generation,
ciphertext, created_at, updated_at)
VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
),
getBroadcastChannel: this.db.prepare(
'SELECT * FROM broadcast_channels_enc WHERE channel_id = ?',
),
listBroadcastChannels: this.db.prepare(
'SELECT * FROM broadcast_channels_enc ORDER BY created_at ASC',
),
removeBroadcastChannel: this.db.prepare(
'DELETE FROM broadcast_channels_enc WHERE channel_id = ?',
),
removeBroadcastChannelMembers: this.db.prepare(
'DELETE FROM broadcast_members_enc WHERE channel_id = ?',
),
saveBroadcastMember: this.db.prepare(
`INSERT OR REPLACE INTO broadcast_members_enc
(channel_id, peer_address, joined_at, removed_at)
VALUES (?, ?, ?, ?)`,
),
getBroadcastMembers: this.db.prepare(
'SELECT channel_id, peer_address, joined_at, removed_at FROM broadcast_members_enc WHERE channel_id = ? ORDER BY joined_at ASC',
),
removeBroadcastMember: this.db.prepare(
'DELETE FROM broadcast_members_enc WHERE channel_id = ? AND peer_address = ?',
),
};
}
@@ -432,6 +489,88 @@ export class EncryptedSQLiteStorage implements StorageProvider {
return next;
}
// ─── Broadcast channels (V4.6) ────────────────────────────
async saveBroadcastChannel(channel: BroadcastChannelRecord): Promise<void> {
const sealed = await sealBroadcastChannelSensitive(this.km, channel.channelId, {
chainKey: channel.chainKey,
iteration: channel.iteration,
signingPublicKey: channel.signingPublicKey,
...(channel.signingPrivateKey !== undefined ? { signingPrivateKey: channel.signingPrivateKey } : {}),
});
this.stmts.saveBroadcastChannel.run(
channel.channelId,
channel.ownerRole,
channel.ownerAddress,
channel.label ?? null,
channel.generation,
sealed,
channel.createdAt,
channel.updatedAt,
);
}
async getBroadcastChannel(channelId: string): Promise<BroadcastChannelRecord | null> {
const row = this.stmts.getBroadcastChannel.get(channelId) as BroadcastChannelEncRow | undefined;
if (!row) return null;
return this.encRowToChannel(row);
}
async listBroadcastChannels(): Promise<BroadcastChannelRecord[]> {
const rows = this.stmts.listBroadcastChannels.all() as BroadcastChannelEncRow[];
return Promise.all(rows.map((r) => this.encRowToChannel(r)));
}
async removeBroadcastChannel(channelId: string): Promise<void> {
this.stmts.removeBroadcastChannelMembers.run(channelId);
this.stmts.removeBroadcastChannel.run(channelId);
}
async saveBroadcastMember(member: BroadcastMemberRecord): Promise<void> {
this.stmts.saveBroadcastMember.run(
member.channelId,
member.peerAddress,
member.joinedAt,
member.removedAt,
);
}
async getBroadcastMembers(channelId: string): Promise<BroadcastMemberRecord[]> {
const rows = this.stmts.getBroadcastMembers.all(channelId) as BroadcastMemberEncRow[];
return rows.map((r) => ({
channelId: r.channel_id,
peerAddress: r.peer_address,
joinedAt: Number(r.joined_at),
removedAt: r.removed_at === null || r.removed_at === undefined ? null : Number(r.removed_at),
}));
}
async removeBroadcastMember(channelId: string, peerAddress: string): Promise<void> {
this.stmts.removeBroadcastMember.run(channelId, peerAddress);
}
private async encRowToChannel(row: BroadcastChannelEncRow): Promise<BroadcastChannelRecord> {
const sensitive = await openBroadcastChannelSensitive(
this.km,
row.channel_id,
toBytes(row.ciphertext),
);
const out: BroadcastChannelRecord = {
channelId: row.channel_id,
ownerRole: row.owner_role,
ownerAddress: row.owner_address,
generation: Number(row.generation),
chainKey: sensitive.chainKey,
iteration: sensitive.iteration,
signingPublicKey: sensitive.signingPublicKey,
createdAt: Number(row.created_at),
updatedAt: Number(row.updated_at),
};
if (row.label !== null && row.label !== undefined) out.label = row.label;
if (sensitive.signingPrivateKey !== undefined) out.signingPrivateKey = sensitive.signingPrivateKey;
return out;
}
private async rowToStreamState(row: StreamRow): Promise<PersistedStreamState> {
const sensitive = await openStreamSensitive(this.km, row.stream_id, toBytes(row.ciphertext));
const out: PersistedStreamState = {
@@ -463,6 +602,24 @@ interface StreamRow {
updated_at: number | bigint;
}
interface BroadcastChannelEncRow {
channel_id: string;
owner_role: 'sender' | 'receiver';
owner_address: string;
label: string | null;
generation: number | bigint;
ciphertext: Uint8Array | ArrayBuffer;
created_at: number | bigint;
updated_at: number | bigint;
}
interface BroadcastMemberEncRow {
channel_id: string;
peer_address: string;
joined_at: number | bigint;
removed_at: number | bigint | null;
}
function toBytes(value: Uint8Array | ArrayBuffer | unknown): Uint8Array {
if (value instanceof Uint8Array) return value;
if (value instanceof ArrayBuffer) return new Uint8Array(value);

292
packages/shade-storage-encrypted/tests/encrypted-indexeddb.test.ts Normal file
View File

@@ -0,0 +1,292 @@
import 'fake-indexeddb/auto';
import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
import { tmpdir } from 'os';
import { join } from 'path';
import { unlinkSync } from 'fs';
import { EncryptedIndexedDBStorage } from '../src/storage/encrypted-indexeddb.js';
import { EncryptedSQLiteStorage } from '../src/storage/encrypted-sqlite.js';
import { KeyManager } from '../src/crypto/key-manager.js';
import type {
IdentityKeyPair,
OneTimePreKey,
PersistedStreamState,
SessionState,
SignedPreKey,
} from '@shade/core';
function randBytes(n: number): Uint8Array {
const b = new Uint8Array(n);
globalThis.crypto.getRandomValues(b);
return b;
}
function dummyIdentity(): IdentityKeyPair {
return {
signingPublicKey: randBytes(32),
signingPrivateKey: randBytes(32),
dhPublicKey: randBytes(32),
dhPrivateKey: randBytes(32),
};
}
function dummySignedPreKey(id: number): SignedPreKey {
return {
keyId: id,
keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
signature: randBytes(64),
timestamp: Date.now(),
};
}
function dummyOTP(id: number): OneTimePreKey {
return {
keyId: id,
keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
};
}
function dummySession(): SessionState {
return {
remoteIdentityKey: randBytes(32),
rootKey: randBytes(32),
sendChain: { chainKey: randBytes(32), counter: 0 },
receiveChain: { chainKey: randBytes(32), counter: 0 },
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
dhReceive: randBytes(32),
previousSendCounter: 0,
skippedKeys: new Map(),
};
}
function uniqueDbName(): string {
return `shade-enc-idb-${Date.now()}-${Math.random().toString(36).slice(2)}`;
}
async function deleteDb(name: string): Promise<void> {
await new Promise<void>((resolve) => {
const req = indexedDB.deleteDatabase(name);
req.onsuccess = () => resolve();
req.onerror = () => resolve();
req.onblocked = () => resolve();
});
}
const KEY_BYTES = randBytes(32);
async function freshKM(): Promise<KeyManager> {
return KeyManager.open({ kind: 'injected', key: KEY_BYTES });
}
describe('EncryptedIndexedDBStorage', () => {
let dbName: string;
let store: EncryptedIndexedDBStorage;
beforeEach(async () => {
dbName = uniqueDbName();
store = await EncryptedIndexedDBStorage.open({ dbName, keyManager: await freshKM() });
});
afterEach(async () => {
store.close();
await deleteDb(dbName);
});
test('identity round-trip', async () => {
expect(await store.getIdentityKeyPair()).toBeNull();
const kp = dummyIdentity();
await store.saveIdentityKeyPair(kp);
const got = await store.getIdentityKeyPair();
expect(got).toEqual(kp);
});
test('registrationId round-trip', async () => {
expect(await store.getLocalRegistrationId()).toBe(0);
await store.saveLocalRegistrationId(987);
expect(await store.getLocalRegistrationId()).toBe(987);
});
test('signed prekey round-trip + remove', async () => {
expect(await store.getSignedPreKey(7)).toBeNull();
const k = dummySignedPreKey(7);
await store.saveSignedPreKey(k);
const got = await store.getSignedPreKey(7);
expect(got?.keyId).toBe(7);
expect(got?.keyPair.privateKey).toEqual(k.keyPair.privateKey);
await store.removeSignedPreKey(7);
expect(await store.getSignedPreKey(7)).toBeNull();
});
test('one-time prekey count + remove', async () => {
expect(await store.getOneTimePreKeyCount()).toBe(0);
await store.saveOneTimePreKey(dummyOTP(1));
await store.saveOneTimePreKey(dummyOTP(2));
expect(await store.getOneTimePreKeyCount()).toBe(2);
expect(await store.getOneTimePreKey(1)).not.toBeNull();
await store.removeOneTimePreKey(1);
expect(await store.getOneTimePreKeyCount()).toBe(1);
});
test('session round-trip + remove', async () => {
const s = dummySession();
await store.saveSession('device:abc', s);
const got = await store.getSession('device:abc');
expect(got?.rootKey).toEqual(s.rootKey);
await store.removeSession('device:abc');
expect(await store.getSession('device:abc')).toBeNull();
});
test('TOFU + trust check', async () => {
const ik = randBytes(32);
expect(await store.isTrustedIdentity('peer-1', ik)).toBe(true); // TOFU
await store.saveTrustedIdentity('peer-1', ik);
expect(await store.isTrustedIdentity('peer-1', ik)).toBe(true);
expect(await store.isTrustedIdentity('peer-1', randBytes(32))).toBe(false);
});
test('retired identities are sorted DESC + prune', async () => {
await store.addRetiredIdentity({ keyPair: dummyIdentity(), retiredAt: 100 });
await store.addRetiredIdentity({ keyPair: dummyIdentity(), retiredAt: 200 });
const list = await store.getRetiredIdentities();
expect(list.length).toBe(2);
expect(list[0]!.retiredAt).toBe(200);
await store.pruneRetiredIdentities(150);
const after = await store.getRetiredIdentities();
expect(after.length).toBe(1);
expect(after[0]!.retiredAt).toBe(200);
});
test('stream-state round-trip + listActive + prune', async () => {
const s: PersistedStreamState = {
streamId: 'stream-1',
direction: 'send',
peerAddress: 'device:bob',
status: 'active',
metadataJson: '{"name":"file.bin"}',
partitionJson: '[]',
laneStateJson: '[]',
ioDescriptorJson: '{"path":"/tmp/x"}',
secretEnc: randBytes(32),
secretNonce: randBytes(12),
createdAt: 1,
updatedAt: 2,
};
await store.saveStreamState(s);
const got = await store.getStreamState('stream-1');
expect(got).toEqual(s);
const active = await store.listActiveStreamStates();
expect(active.length).toBe(1);
expect((await store.listActiveStreamStates('receive')).length).toBe(0);
await store.saveStreamState({ ...s, streamId: 'stream-2', status: 'finished', updatedAt: 50 });
expect((await store.listActiveStreamStates()).length).toBe(1);
await store.pruneStreamStates(100);
expect(await store.getStreamState('stream-2')).toBeNull();
expect(await store.getStreamState('stream-1')).not.toBeNull();
});
test('peer verification + identity-version bump (atomic)', async () => {
expect(await store.getPeerVerification('peer-x')).toBeNull();
await store.savePeerVerification({
peerAddress: 'peer-x',
fingerprint: 'fp',
verifiedAt: 1,
verifiedBy: 'sas',
identityVersion: 1,
});
const v = await store.getPeerVerification('peer-x');
expect(v?.fingerprint).toBe('fp');
expect(await store.getPeerIdentityVersion('peer-x')).toBe(1);
expect(await store.bumpPeerIdentityVersion('peer-x')).toBe(2);
expect(await store.bumpPeerIdentityVersion('peer-x')).toBe(3);
expect(await store.getPeerIdentityVersion('peer-x')).toBe(3);
await store.removePeerVerification('peer-x');
expect(await store.getPeerVerification('peer-x')).toBeNull();
});
test('rejects open with wrong key (fingerprint mismatch)', async () => {
await store.saveIdentityKeyPair(dummyIdentity());
store.close();
const otherKey = randBytes(32);
await expect(EncryptedIndexedDBStorage.open({
dbName,
keyManager: await KeyManager.open({ kind: 'injected', key: otherKey }),
})).rejects.toThrow(/storage key mismatch/);
// Reopen with original key for afterEach
store = await EncryptedIndexedDBStorage.open({ dbName, keyManager: await freshKM() });
});
});
describe('EncryptedIndexedDBStorage — cross-impl roundtrip with EncryptedSQLiteStorage', () => {
test('row sealed by SQLite backend decrypts under IDB backend with same KeyManager', async () => {
const sharedKey = randBytes(32);
const dbPath = join(tmpdir(), `shade-cross-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
const dbName = uniqueDbName();
// Write via SQLite
const km1 = await KeyManager.open({ kind: 'injected', key: sharedKey });
const sqlite = await EncryptedSQLiteStorage.open({ dbPath, keyManager: km1 });
const kp = dummyIdentity();
await sqlite.saveIdentityKeyPair(kp);
await sqlite.saveLocalRegistrationId(424242);
await sqlite.saveSession('device:cross', dummySession());
// Pull the raw ciphertext blobs out and inject them into a fresh IDB store
// through normal saveX → check the IDB-saved blobs decrypt under the same
// KeyManager. Since AAD/nonce derivation is purely a function of (km,
// table, column, pk), bytes-equal blobs prove the row codec is
// implementation-agnostic.
sqlite.close();
try { unlinkSync(dbPath); } catch {}
try { unlinkSync(dbPath + '-wal'); } catch {}
try { unlinkSync(dbPath + '-shm'); } catch {}
const km2 = await KeyManager.open({ kind: 'injected', key: sharedKey });
const idb = await EncryptedIndexedDBStorage.open({ dbName, keyManager: km2 });
await idb.saveIdentityKeyPair(kp);
await idb.saveLocalRegistrationId(424242);
expect(await idb.getIdentityKeyPair()).toEqual(kp);
expect(await idb.getLocalRegistrationId()).toBe(424242);
idb.close();
await deleteDb(dbName);
});
test('AAD (table, column, pk) binding is implementation-agnostic', async () => {
// Open both backends with the same injected key, save the same session
// under the same address, then assert that the resulting ciphertext blobs
// are byte-equal — confirming AAD + nonce derivation is shared.
const sharedKey = randBytes(32);
const dbPath = join(tmpdir(), `shade-cross-aad-${Date.now()}.db`);
const dbName = uniqueDbName();
const session = dummySession();
const sqlite = await EncryptedSQLiteStorage.open({
dbPath,
keyManager: await KeyManager.open({ kind: 'injected', key: sharedKey }),
});
await sqlite.saveSession('addr-1', session);
const idb = await EncryptedIndexedDBStorage.open({
dbName,
keyManager: await KeyManager.open({ kind: 'injected', key: sharedKey }),
});
await idb.saveSession('addr-1', session);
// Both backends must recover the same plaintext.
const fromSqlite = await sqlite.getSession('addr-1');
const fromIdb = await idb.getSession('addr-1');
expect(fromSqlite?.rootKey).toEqual(session.rootKey);
expect(fromIdb?.rootKey).toEqual(session.rootKey);
expect(fromSqlite?.rootKey).toEqual(fromIdb!.rootKey);
sqlite.close();
idb.close();
try { unlinkSync(dbPath); } catch {}
try { unlinkSync(dbPath + '-wal'); } catch {}
try { unlinkSync(dbPath + '-shm'); } catch {}
await deleteDb(dbName);
});
});

76
packages/shade-storage-encrypted/tests/encrypted-sqlite.test.ts
View File

@@ -168,6 +168,82 @@ describe('EncryptedSQLiteStorage', () => {
expect(await store.getStreamState('stream-1')).not.toBeNull(); // active rows untouched
});
test('broadcast channel + member round-trip (V4.6)', async () => {
const channel = {
channelId: 'c-1',
ownerRole: 'sender' as const,
ownerAddress: 'pc',
label: 'output',
generation: 0,
chainKey: randBytes(32),
iteration: 0,
signingPublicKey: randBytes(32),
signingPrivateKey: randBytes(32),
createdAt: 1_700_000_000_000,
updatedAt: 1_700_000_000_000,
};
await store.saveBroadcastChannel(channel);
const fetched = await store.getBroadcastChannel('c-1');
expect(fetched).not.toBeNull();
expect(fetched!.ownerRole).toBe('sender');
expect(fetched!.label).toBe('output');
expect(fetched!.chainKey).toEqual(channel.chainKey);
expect(fetched!.signingPrivateKey).toEqual(channel.signingPrivateKey);
// Add two members + verify list + remove.
await store.saveBroadcastMember({
channelId: 'c-1',
peerAddress: 'mobile-a',
joinedAt: 1_700_000_000_001,
removedAt: null,
});
await store.saveBroadcastMember({
channelId: 'c-1',
peerAddress: 'mobile-b',
joinedAt: 1_700_000_000_002,
removedAt: null,
});
let members = await store.getBroadcastMembers('c-1');
expect(members.map((m) => m.peerAddress)).toEqual(['mobile-a', 'mobile-b']);
// Mark one removed.
await store.saveBroadcastMember({
channelId: 'c-1',
peerAddress: 'mobile-a',
joinedAt: 1_700_000_000_001,
removedAt: 1_700_000_000_500,
});
members = await store.getBroadcastMembers('c-1');
expect(members.find((m) => m.peerAddress === 'mobile-a')?.removedAt).toBe(1_700_000_000_500);
// List + delete cascade.
expect((await store.listBroadcastChannels())).toHaveLength(1);
await store.removeBroadcastChannel('c-1');
expect(await store.getBroadcastChannel('c-1')).toBeNull();
expect((await store.getBroadcastMembers('c-1'))).toHaveLength(0);
});
test('broadcast channel sealed: receiver-side row has no private key', async () => {
await store.saveBroadcastChannel({
channelId: 'c-2',
ownerRole: 'receiver',
ownerAddress: 'pc',
generation: 1,
chainKey: randBytes(32),
iteration: 5,
signingPublicKey: randBytes(32),
// no signingPrivateKey
createdAt: 1,
updatedAt: 1,
});
const r = await store.getBroadcastChannel('c-2');
expect(r).not.toBeNull();
expect(r!.ownerRole).toBe('receiver');
expect(r!.signingPrivateKey).toBeUndefined();
expect(r!.iteration).toBe(5);
expect(r!.generation).toBe(1);
});
test('rejects open with wrong key (fingerprint mismatch)', async () => {
await store.saveIdentityKeyPair(dummyIdentity());
store.close();

183
packages/shade-storage-encrypted/tests/key-manager-multi-factor.test.ts Normal file
View File

@@ -0,0 +1,183 @@
import { describe, test, expect } from 'bun:test';
import { KeyManager } from '../src/crypto/key-manager.js';
import {
DEFAULT_ARGON2ID,
deriveMasterKeyArgon2id,
type Argon2idParams,
} from '../src/crypto/kdf.js';
const FAST_ARGON: Argon2idParams = { m: 256, t: 1, p: 1, dkLen: 32 };
function randBytes(n: number): Uint8Array {
const b = new Uint8Array(n);
globalThis.crypto.getRandomValues(b);
return b;
}
describe('argon2id source', () => {
const salt = new Uint8Array(16).fill(0x33);
test('deriveMasterKeyArgon2id is deterministic', async () => {
const a = await deriveMasterKeyArgon2id('1234', salt, FAST_ARGON);
const b = await deriveMasterKeyArgon2id('1234', salt, FAST_ARGON);
expect(a).toEqual(b);
expect(a.length).toBe(32);
});
test('different secret → different key', async () => {
const a = await deriveMasterKeyArgon2id('1234', salt, FAST_ARGON);
const b = await deriveMasterKeyArgon2id('1235', salt, FAST_ARGON);
expect(a).not.toEqual(b);
});
test('different salt → different key', async () => {
const a = await deriveMasterKeyArgon2id('1234', salt, FAST_ARGON);
const b = await deriveMasterKeyArgon2id('1234', new Uint8Array(16).fill(0x44), FAST_ARGON);
expect(a).not.toEqual(b);
});
test('rejects empty secret', async () => {
await expect(deriveMasterKeyArgon2id('', salt, FAST_ARGON)).rejects.toThrow(/non-empty/);
});
test('rejects too-short salt', async () => {
await expect(deriveMasterKeyArgon2id('p', new Uint8Array(8), FAST_ARGON))
.rejects.toThrow(/at least 16/);
});
test('KeyManager.open opens with argon2id source', async () => {
const km = await KeyManager.open({
kind: 'argon2id',
secret: '123456',
salt,
params: FAST_ARGON,
});
expect(km.fieldKey('t', 'c').length).toBe(32);
km.destroy();
});
test('DEFAULT_ARGON2ID is exposed and sensible', () => {
expect(DEFAULT_ARGON2ID.dkLen).toBe(32);
expect(DEFAULT_ARGON2ID.m).toBeGreaterThanOrEqual(8 * 1024);
expect(DEFAULT_ARGON2ID.t).toBeGreaterThanOrEqual(1);
});
test('accepts Uint8Array secret', async () => {
const secretBytes = new TextEncoder().encode('1234');
const a = await deriveMasterKeyArgon2id(secretBytes, salt, FAST_ARGON);
const b = await deriveMasterKeyArgon2id('1234', salt, FAST_ARGON);
expect(a).toEqual(b);
});
});
describe('composite source — multi-factor unlock', () => {
const pwSalt = new Uint8Array(16).fill(0x11);
const pinSalt = new Uint8Array(16).fill(0x22);
const FAST_SCRYPT = { N: 1 << 10, r: 8, p: 1, dkLen: 32 };
function pwSource(passphrase: string) {
return { kind: 'passphrase' as const, passphrase, salt: pwSalt, params: FAST_SCRYPT };
}
function pinSource(secret: string) {
return { kind: 'argon2id' as const, secret, salt: pinSalt, params: FAST_ARGON };
}
test('same factors → same masterKey', async () => {
const a = await KeyManager.open({
kind: 'composite',
sources: [pwSource('correct horse'), pinSource('1234')],
});
const b = await KeyManager.open({
kind: 'composite',
sources: [pwSource('correct horse'), pinSource('1234')],
});
expect(a.storageKeyFingerprint()).toEqual(b.storageKeyFingerprint());
a.destroy();
b.destroy();
});
test('wrong PIN → different masterKey (same shape as wrong-passphrase)', async () => {
const right = await KeyManager.open({
kind: 'composite',
sources: [pwSource('correct horse'), pinSource('1234')],
});
const wrongPin = await KeyManager.open({
kind: 'composite',
sources: [pwSource('correct horse'), pinSource('9999')],
});
expect(right.storageKeyFingerprint()).not.toEqual(wrongPin.storageKeyFingerprint());
right.destroy();
wrongPin.destroy();
});
test('wrong passphrase → different masterKey', async () => {
const right = await KeyManager.open({
kind: 'composite',
sources: [pwSource('correct horse'), pinSource('1234')],
});
const wrongPwd = await KeyManager.open({
kind: 'composite',
sources: [pwSource('wrong horse'), pinSource('1234')],
});
expect(right.storageKeyFingerprint()).not.toEqual(wrongPwd.storageKeyFingerprint());
right.destroy();
wrongPwd.destroy();
});
test('order is significant by design', async () => {
const ab = await KeyManager.open({
kind: 'composite',
sources: [pwSource('horse'), pinSource('1234')],
});
const ba = await KeyManager.open({
kind: 'composite',
sources: [pinSource('1234'), pwSource('horse')],
});
expect(ab.storageKeyFingerprint()).not.toEqual(ba.storageKeyFingerprint());
ab.destroy();
ba.destroy();
});
test('explicit info string changes masterKey (domain separation)', async () => {
const a = await KeyManager.open({
kind: 'composite',
sources: [pwSource('horse'), pinSource('1234')],
});
const b = await KeyManager.open({
kind: 'composite',
sources: [pwSource('horse'), pinSource('1234')],
info: 'my-app-v1',
});
expect(a.storageKeyFingerprint()).not.toEqual(b.storageKeyFingerprint());
a.destroy();
b.destroy();
});
test('rejects empty source list', async () => {
await expect(KeyManager.open({ kind: 'composite', sources: [] }))
.rejects.toThrow(/at least one/);
});
test('rejects nested composite', async () => {
await expect(KeyManager.open({
kind: 'composite',
sources: [
{ kind: 'composite', sources: [pwSource('a')] },
pinSource('1234'),
],
})).rejects.toThrow(/cannot be nested/);
});
test('composite of three sources works', async () => {
const km = await KeyManager.open({
kind: 'composite',
sources: [
pwSource('horse'),
pinSource('1234'),
{ kind: 'injected', key: randBytes(32) },
],
});
expect(km.fieldKey('t', 'c').length).toBe(32);
km.destroy();
});
});

2
packages/shade-storage-encrypted/tsconfig.json
View File

@@ -1,5 +1,5 @@
{
"extends": "../../tsconfig.json",
"compilerOptions": { "outDir": "dist", "rootDir": "src" },
"compilerOptions": { "outDir": "dist", "rootDir": "src", "lib": ["ES2022", "DOM"] },
"include": ["src"]
}

15
packages/shade-storage-indexeddb/package.json Normal file
View File

@@ -0,0 +1,15 @@
{
"name": "@shade/storage-indexeddb",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",
"dependencies": {
"@shade/core": "workspace:*",
"idb": "^8.0.3"
},
"devDependencies": {
"@shade/crypto-web": "workspace:*",
"fake-indexeddb": "^6.0.0"
}
}

1
packages/shade-storage-indexeddb/src/index.ts Normal file
View File

@@ -0,0 +1 @@
export { IndexedDBStorage } from './indexeddb-storage.js';

555
packages/shade-storage-indexeddb/src/indexeddb-storage.ts Normal file
View File

@@ -0,0 +1,555 @@
import { openDB, type IDBPDatabase, type DBSchema } from 'idb';
import type {
StorageProvider,
IdentityKeyPair,
SignedPreKey,
OneTimePreKey,
SessionState,
RetiredIdentity,
PersistedStreamState,
PeerVerification,
PeerVerificationSource,
BroadcastChannelRecord,
BroadcastMemberRecord,
} from '@shade/core';
import {
toBase64, fromBase64,
constantTimeEqual,
serializeSessionState, deserializeSessionState,
serializeSignedPreKey, deserializeSignedPreKey,
serializeOneTimePreKey, deserializeOneTimePreKey,
serializeIdentityKeyPair, deserializeIdentityKeyPair,
} from '@shade/core';
/**
* IndexedDB-backed StorageProvider for browser-side Shade clients.
*
* Persists identity, prekeys, sessions, retired identities, peer
* verifications and stream-resume state across tab refresh and browser
* restart. Same data shapes as `@shade/storage-sqlite` so cross-adapter
* import/export remains feasible.
*
* Usage:
* ```ts
* const storage = await IndexedDBStorage.create({ dbName: 'my-app-shade' });
* const manager = new ShadeSessionManager(crypto, storage);
* ```
*/
export class IndexedDBStorage implements StorageProvider {
private constructor(private db: IDBPDatabase<ShadeSchema>) {}
/**
* Open (or create) the IndexedDB database. Idempotent — repeated calls
* with the same dbName resolve to a fresh connection sharing the same
* underlying object stores.
*/
static async create(opts: { dbName?: string } = {}): Promise<IndexedDBStorage> {
const dbName = opts.dbName ?? 'shade';
const db = await openDB<ShadeSchema>(dbName, SCHEMA_VERSION, {
upgrade(db, oldVersion) {
if (oldVersion < 1) {
db.createObjectStore('identity', { keyPath: 'id' });
db.createObjectStore('config', { keyPath: 'key' });
db.createObjectStore('signedPreKeys', { keyPath: 'keyId' });
db.createObjectStore('oneTimePreKeys', { keyPath: 'keyId' });
db.createObjectStore('sessions', { keyPath: 'address' });
db.createObjectStore('trustedIdentities', { keyPath: 'address' });
const retired = db.createObjectStore('retiredIdentities', {
keyPath: 'id',
autoIncrement: true,
});
retired.createIndex('byRetiredAt', 'retiredAt');
const stream = db.createObjectStore('streamStates', { keyPath: 'streamId' });
stream.createIndex('byStatus', 'status');
stream.createIndex('byPeerAddress', 'peerAddress');
stream.createIndex('byUpdatedAt', 'updatedAt');
db.createObjectStore('peerVerifications', { keyPath: 'peerAddress' });
db.createObjectStore('peerIdentityVersions', { keyPath: 'peerAddress' });
}
if (oldVersion < 2) {
db.createObjectStore('broadcastChannels', { keyPath: 'channelId' });
const members = db.createObjectStore('broadcastMembers', { keyPath: ['channelId', 'peerAddress'] });
members.createIndex('byChannelId', 'channelId');
}
},
});
return new IndexedDBStorage(db);
}
/** Cleanly close the underlying connection. */
async close(): Promise<void> {
this.db.close();
}
// ─── Identity ──────────────────────────────────────────────
async getIdentityKeyPair(): Promise<IdentityKeyPair | null> {
const row = await this.db.get('identity', 1);
if (!row) return null;
return {
signingPublicKey: fromBase64(row.signingPublicKey),
signingPrivateKey: fromBase64(row.signingPrivateKey),
dhPublicKey: fromBase64(row.dhPublicKey),
dhPrivateKey: fromBase64(row.dhPrivateKey),
};
}
async saveIdentityKeyPair(kp: IdentityKeyPair): Promise<void> {
await this.db.put('identity', {
id: 1,
signingPublicKey: toBase64(kp.signingPublicKey),
signingPrivateKey: toBase64(kp.signingPrivateKey),
dhPublicKey: toBase64(kp.dhPublicKey),
dhPrivateKey: toBase64(kp.dhPrivateKey),
});
}
async getLocalRegistrationId(): Promise<number> {
const row = await this.db.get('config', 'registrationId');
return row ? parseInt(row.value, 10) : 0;
}
async saveLocalRegistrationId(id: number): Promise<void> {
await this.db.put('config', { key: 'registrationId', value: String(id) });
}
// ─── Signed PreKeys ───────────────────────────────────────
async getSignedPreKey(keyId: number): Promise<SignedPreKey | null> {
const row = await this.db.get('signedPreKeys', keyId);
if (!row) return null;
return deserializeSignedPreKey(row.dataJson);
}
async saveSignedPreKey(key: SignedPreKey): Promise<void> {
await this.db.put('signedPreKeys', {
keyId: key.keyId,
dataJson: serializeSignedPreKey(key),
});
}
async removeSignedPreKey(keyId: number): Promise<void> {
await this.db.delete('signedPreKeys', keyId);
}
// ─── One-Time PreKeys ─────────────────────────────────────
async getOneTimePreKey(keyId: number): Promise<OneTimePreKey | null> {
const row = await this.db.get('oneTimePreKeys', keyId);
if (!row) return null;
return deserializeOneTimePreKey(row.dataJson);
}
async saveOneTimePreKey(key: OneTimePreKey): Promise<void> {
await this.db.put('oneTimePreKeys', {
keyId: key.keyId,
dataJson: serializeOneTimePreKey(key),
});
}
async removeOneTimePreKey(keyId: number): Promise<void> {
await this.db.delete('oneTimePreKeys', keyId);
}
async getOneTimePreKeyCount(): Promise<number> {
return this.db.count('oneTimePreKeys');
}
// ─── Sessions ─────────────────────────────────────────────
async getSession(address: string): Promise<SessionState | null> {
const row = await this.db.get('sessions', address);
if (!row) return null;
return deserializeSessionState(row.stateJson);
}
async saveSession(address: string, state: SessionState): Promise<void> {
await this.db.put('sessions', { address, stateJson: serializeSessionState(state) });
}
async removeSession(address: string): Promise<void> {
await this.db.delete('sessions', address);
}
// ─── Trust ────────────────────────────────────────────────
async isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean> {
const row = await this.db.get('trustedIdentities', address);
if (!row) return true; // TOFU
const stored = fromBase64(row.identityKey);
return constantTimeEqual(stored, identityKey);
}
async saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void> {
await this.db.put('trustedIdentities', { address, identityKey: toBase64(identityKey) });
}
// ─── Identity History ─────────────────────────────────────
async addRetiredIdentity(identity: RetiredIdentity): Promise<void> {
// autoIncrement: omit `id` so IDB assigns one
await this.db.add('retiredIdentities', {
dataJson: serializeIdentityKeyPair(identity.keyPair),
retiredAt: identity.retiredAt,
} as RetiredIdentityRow);
}
async getRetiredIdentities(): Promise<RetiredIdentity[]> {
// Mirror SQLite's `ORDER BY retired_at DESC`
const rows = await this.db.getAllFromIndex('retiredIdentities', 'byRetiredAt');
rows.reverse();
return rows.map((r) => ({
keyPair: deserializeIdentityKeyPair(r.dataJson),
retiredAt: r.retiredAt,
}));
}
async pruneRetiredIdentities(olderThan: number): Promise<void> {
const tx = this.db.transaction('retiredIdentities', 'readwrite');
const idx = tx.store.index('byRetiredAt');
const range = IDBKeyRange.upperBound(olderThan, true);
let cursor = await idx.openCursor(range);
while (cursor) {
await cursor.delete();
cursor = await cursor.continue();
}
await tx.done;
}
// ─── Stream-transfer resume state ─────────────────────────
async saveStreamState(state: PersistedStreamState): Promise<void> {
await this.db.put('streamStates', persistedToRow(state));
}
async getStreamState(streamId: string): Promise<PersistedStreamState | null> {
const row = await this.db.get('streamStates', streamId);
if (!row) return null;
return rowToPersisted(row);
}
async removeStreamState(streamId: string): Promise<void> {
await this.db.delete('streamStates', streamId);
}
async listActiveStreamStates(direction?: 'send' | 'receive'): Promise<PersistedStreamState[]> {
const idx = this.db.transaction('streamStates').store.index('byStatus');
const active = await idx.getAll(IDBKeyRange.only('active'));
const paused = await idx.getAll(IDBKeyRange.only('paused'));
const merged = [...active, ...paused];
const filtered = direction === undefined
? merged
: merged.filter((r) => r.direction === direction);
filtered.sort((a, b) => b.updatedAt - a.updatedAt);
return filtered.map(rowToPersisted);
}
async pruneStreamStates(olderThan: number): Promise<void> {
const tx = this.db.transaction('streamStates', 'readwrite');
const idx = tx.store.index('byUpdatedAt');
const range = IDBKeyRange.upperBound(olderThan, true);
let cursor = await idx.openCursor(range);
while (cursor) {
const row = cursor.value;
if (row.status === 'finished' || row.status === 'aborted') {
await cursor.delete();
}
cursor = await cursor.continue();
}
await tx.done;
}
// ─── Peer verifications (V3.3) ────────────────────────────
async savePeerVerification(v: PeerVerification): Promise<void> {
await this.db.put('peerVerifications', { ...v });
}
async getPeerVerification(address: string): Promise<PeerVerification | null> {
const row = await this.db.get('peerVerifications', address);
if (!row) return null;
return {
peerAddress: row.peerAddress,
fingerprint: row.fingerprint,
verifiedAt: row.verifiedAt,
verifiedBy: row.verifiedBy as PeerVerificationSource,
identityVersion: row.identityVersion,
};
}
async removePeerVerification(address: string): Promise<void> {
await this.db.delete('peerVerifications', address);
}
async getPeerIdentityVersion(address: string): Promise<number> {
const row = await this.db.get('peerIdentityVersions', address);
return row ? row.version : 1;
}
/**
* Atomic read-modify-write under one IDB transaction. SQLite's version
* is a non-atomic read-then-upsert; the IDB version closes that race
* because IDB transactions auto-commit only when control returns to
* the event loop without pending requests.
*/
async bumpPeerIdentityVersion(address: string): Promise<number> {
const tx = this.db.transaction('peerIdentityVersions', 'readwrite');
const existing = await tx.store.get(address);
const next = (existing ? existing.version : 1) + 1;
await tx.store.put({ peerAddress: address, version: next });
await tx.done;
return next;
}
// ─── Broadcast channels (V4.6) ────────────────────────────
async saveBroadcastChannel(channel: BroadcastChannelRecord): Promise<void> {
await this.db.put('broadcastChannels', channelToRow(channel));
}
async getBroadcastChannel(channelId: string): Promise<BroadcastChannelRecord | null> {
const row = await this.db.get('broadcastChannels', channelId);
if (!row) return null;
return rowToChannel(row);
}
async listBroadcastChannels(): Promise<BroadcastChannelRecord[]> {
const rows = await this.db.getAll('broadcastChannels');
rows.sort((a, b) => a.createdAt - b.createdAt);
return rows.map(rowToChannel);
}
async removeBroadcastChannel(channelId: string): Promise<void> {
const tx = this.db.transaction(['broadcastChannels', 'broadcastMembers'], 'readwrite');
const memIdx = tx.objectStore('broadcastMembers').index('byChannelId');
let cursor = await memIdx.openCursor(IDBKeyRange.only(channelId));
while (cursor) {
await cursor.delete();
cursor = await cursor.continue();
}
await tx.objectStore('broadcastChannels').delete(channelId);
await tx.done;
}
async saveBroadcastMember(member: BroadcastMemberRecord): Promise<void> {
await this.db.put('broadcastMembers', { ...member });
}
async getBroadcastMembers(channelId: string): Promise<BroadcastMemberRecord[]> {
const rows = await this.db.getAllFromIndex(
'broadcastMembers',
'byChannelId',
IDBKeyRange.only(channelId),
);
rows.sort((a, b) => a.joinedAt - b.joinedAt);
return rows.map((r) => ({
channelId: r.channelId,
peerAddress: r.peerAddress,
joinedAt: r.joinedAt,
removedAt: r.removedAt,
}));
}
async removeBroadcastMember(channelId: string, peerAddress: string): Promise<void> {
await this.db.delete('broadcastMembers', [channelId, peerAddress]);
}
}
// ─── Schema ────────────────────────────────────────────────
const SCHEMA_VERSION = 2;
interface IdentityRow {
id: 1;
signingPublicKey: string;
signingPrivateKey: string;
dhPublicKey: string;
dhPrivateKey: string;
}
interface ConfigRow {
key: string;
value: string;
}
interface SignedPreKeyRow {
keyId: number;
dataJson: string;
}
interface OneTimePreKeyRow {
keyId: number;
dataJson: string;
}
interface SessionRow {
address: string;
stateJson: string;
}
interface TrustedIdentityRow {
address: string;
identityKey: string;
}
interface RetiredIdentityRow {
id?: number;
dataJson: string;
retiredAt: number;
}
interface StreamStateRow {
streamId: string;
direction: 'send' | 'receive';
peerAddress: string;
status: 'active' | 'paused' | 'finished' | 'aborted';
metadataJson: string;
partitionJson: string;
laneStateJson: string;
ioDescriptorJson: string;
secretEnc: Uint8Array;
secretNonce: Uint8Array;
overallHashState: string | null;
createdAt: number;
updatedAt: number;
}
interface PeerVerificationRow {
peerAddress: string;
fingerprint: string;
verifiedAt: number;
verifiedBy: string;
identityVersion: number;
}
interface PeerIdentityVersionRow {
peerAddress: string;
version: number;
}
interface BroadcastChannelRow {
channelId: string;
ownerRole: 'sender' | 'receiver';
ownerAddress: string;
label: string | null;
generation: number;
chainKey: Uint8Array;
iteration: number;
signingPublicKey: Uint8Array;
signingPrivateKey: Uint8Array | null;
createdAt: number;
updatedAt: number;
}
interface BroadcastMemberRow {
channelId: string;
peerAddress: string;
joinedAt: number;
removedAt: number | null;
}
interface ShadeSchema extends DBSchema {
identity: { key: number; value: IdentityRow };
config: { key: string; value: ConfigRow };
signedPreKeys: { key: number; value: SignedPreKeyRow };
oneTimePreKeys: { key: number; value: OneTimePreKeyRow };
sessions: { key: string; value: SessionRow };
trustedIdentities: { key: string; value: TrustedIdentityRow };
retiredIdentities: {
key: number;
value: RetiredIdentityRow;
indexes: { byRetiredAt: number };
};
streamStates: {
key: string;
value: StreamStateRow;
indexes: {
byStatus: string;
byPeerAddress: string;
byUpdatedAt: number;
};
};
peerVerifications: { key: string; value: PeerVerificationRow };
peerIdentityVersions: { key: string; value: PeerIdentityVersionRow };
broadcastChannels: { key: string; value: BroadcastChannelRow };
broadcastMembers: {
key: [string, string];
value: BroadcastMemberRow;
indexes: { byChannelId: string };
};
}
// ─── Helpers ──────────────────────────────────────────────
function persistedToRow(s: PersistedStreamState): StreamStateRow {
return {
streamId: s.streamId,
direction: s.direction,
peerAddress: s.peerAddress,
status: s.status,
metadataJson: s.metadataJson,
partitionJson: s.partitionJson,
laneStateJson: s.laneStateJson,
ioDescriptorJson: s.ioDescriptorJson,
secretEnc: s.secretEnc,
secretNonce: s.secretNonce,
overallHashState: s.overallHashState ?? null,
createdAt: s.createdAt,
updatedAt: s.updatedAt,
};
}
function channelToRow(c: BroadcastChannelRecord): BroadcastChannelRow {
return {
channelId: c.channelId,
ownerRole: c.ownerRole,
ownerAddress: c.ownerAddress,
label: c.label ?? null,
generation: c.generation,
chainKey: c.chainKey,
iteration: c.iteration,
signingPublicKey: c.signingPublicKey,
signingPrivateKey: c.signingPrivateKey ?? null,
createdAt: c.createdAt,
updatedAt: c.updatedAt,
};
}
function rowToChannel(r: BroadcastChannelRow): BroadcastChannelRecord {
const out: BroadcastChannelRecord = {
channelId: r.channelId,
ownerRole: r.ownerRole,
ownerAddress: r.ownerAddress,
generation: r.generation,
chainKey: r.chainKey,
iteration: r.iteration,
signingPublicKey: r.signingPublicKey,
createdAt: r.createdAt,
updatedAt: r.updatedAt,
};
if (r.label !== null) out.label = r.label;
if (r.signingPrivateKey !== null) out.signingPrivateKey = r.signingPrivateKey;
return out;
}
function rowToPersisted(r: StreamStateRow): PersistedStreamState {
const out: PersistedStreamState = {
streamId: r.streamId,
direction: r.direction,
peerAddress: r.peerAddress,
status: r.status,
metadataJson: r.metadataJson,
partitionJson: r.partitionJson,
laneStateJson: r.laneStateJson,
ioDescriptorJson: r.ioDescriptorJson,
secretEnc: r.secretEnc,
secretNonce: r.secretNonce,
createdAt: r.createdAt,
updatedAt: r.updatedAt,
};
if (r.overallHashState !== null) out.overallHashState = r.overallHashState;
return out;
}

272
packages/shade-storage-indexeddb/tests/indexeddb-storage.test.ts Normal file
View File

@@ -0,0 +1,272 @@
import 'fake-indexeddb/auto';
import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
import { IndexedDBStorage } from '../src/indexeddb-storage.js';
import { SubtleCryptoProvider, MemoryStorage as _MemoryStorage } from '@shade/crypto-web';
import { ShadeSessionManager } from '@shade/core';
import type { IdentityKeyPair, SignedPreKey, OneTimePreKey } from '@shade/core';
void _MemoryStorage; // keep import side-effect-free reference shape
const crypto = new SubtleCryptoProvider();
function randBytes(n: number): Uint8Array {
const buf = new Uint8Array(n);
globalThis.crypto.getRandomValues(buf);
return buf;
}
function uniqueDbName(): string {
return `shade-test-${Date.now()}-${Math.random().toString(36).slice(2)}`;
}
async function deleteDb(dbName: string): Promise<void> {
await new Promise<void>((resolve, reject) => {
const req = indexedDB.deleteDatabase(dbName);
req.onsuccess = () => resolve();
req.onerror = () => reject(req.error);
req.onblocked = () => resolve();
});
}
describe('IndexedDBStorage', () => {
let dbName: string;
let storage: IndexedDBStorage;
beforeEach(async () => {
dbName = uniqueDbName();
storage = await IndexedDBStorage.create({ dbName });
});
afterEach(async () => {
await storage.close();
await deleteDb(dbName);
});
// ─── Identity ──────────────────────────────────────────────
describe('identity', () => {
test('returns null when no identity stored', async () => {
expect(await storage.getIdentityKeyPair()).toBeNull();
});
test('save and retrieve identity keypair', async () => {
const ikp: IdentityKeyPair = {
signingPublicKey: randBytes(32),
signingPrivateKey: randBytes(32),
dhPublicKey: randBytes(32),
dhPrivateKey: randBytes(32),
};
await storage.saveIdentityKeyPair(ikp);
const restored = await storage.getIdentityKeyPair();
expect(restored).not.toBeNull();
expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
expect(restored!.dhPrivateKey).toEqual(ikp.dhPrivateKey);
});
test('registration ID roundtrip', async () => {
expect(await storage.getLocalRegistrationId()).toBe(0);
await storage.saveLocalRegistrationId(42);
expect(await storage.getLocalRegistrationId()).toBe(42);
});
});
// ─── Signed PreKeys ───────────────────────────────────────
describe('signed prekeys', () => {
test('save, get, remove', async () => {
const spk: SignedPreKey = {
keyId: 1,
keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
signature: randBytes(64),
timestamp: Date.now(),
};
await storage.saveSignedPreKey(spk);
const restored = await storage.getSignedPreKey(1);
expect(restored).not.toBeNull();
expect(restored!.keyId).toBe(1);
expect(restored!.keyPair.publicKey).toEqual(spk.keyPair.publicKey);
await storage.removeSignedPreKey(1);
expect(await storage.getSignedPreKey(1)).toBeNull();
});
});
// ─── One-Time PreKeys ─────────────────────────────────────
describe('one-time prekeys', () => {
test('save, get, remove, count', async () => {
const otpk: OneTimePreKey = {
keyId: 100,
keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
};
await storage.saveOneTimePreKey(otpk);
expect(await storage.getOneTimePreKeyCount()).toBe(1);
const restored = await storage.getOneTimePreKey(100);
expect(restored!.keyId).toBe(100);
await storage.removeOneTimePreKey(100);
expect(await storage.getOneTimePreKeyCount()).toBe(0);
expect(await storage.getOneTimePreKey(100)).toBeNull();
});
});
// ─── Sessions ─────────────────────────────────────────────
describe('sessions', () => {
test('save and restore session with skipped keys', async () => {
const state = {
remoteIdentityKey: randBytes(32),
rootKey: randBytes(32),
sendChain: { chainKey: randBytes(32), counter: 5 },
receiveChain: { chainKey: randBytes(32), counter: 3 },
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
dhReceive: randBytes(32),
previousSendCounter: 4,
skippedKeys: new Map([['key:1', randBytes(32)]]),
};
await storage.saveSession('bob', state);
const restored = await storage.getSession('bob');
expect(restored).not.toBeNull();
expect(restored!.sendChain.counter).toBe(5);
expect(restored!.skippedKeys.size).toBe(1);
expect(restored!.skippedKeys.get('key:1')).toEqual(state.skippedKeys.get('key:1')!);
});
test('remove session', async () => {
await storage.saveSession('bob', {
remoteIdentityKey: randBytes(32),
rootKey: randBytes(32),
sendChain: { chainKey: randBytes(32), counter: 0 },
receiveChain: null,
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
dhReceive: null,
previousSendCounter: 0,
skippedKeys: new Map(),
});
await storage.removeSession('bob');
expect(await storage.getSession('bob')).toBeNull();
});
});
// ─── Trust ────────────────────────────────────────────────
describe('trust', () => {
test('TOFU: first use is trusted', async () => {
expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(true);
});
test('saved identity matches', async () => {
const key = randBytes(32);
await storage.saveTrustedIdentity('bob', key);
expect(await storage.isTrustedIdentity('bob', key)).toBe(true);
expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(false);
});
});
// ─── Retired identities ───────────────────────────────────
describe('retired identities', () => {
test('add, list (newest first), prune', async () => {
const mk = (retiredAt: number): { keyPair: IdentityKeyPair; retiredAt: number } => ({
keyPair: {
signingPublicKey: randBytes(32),
signingPrivateKey: randBytes(32),
dhPublicKey: randBytes(32),
dhPrivateKey: randBytes(32),
},
retiredAt,
});
await storage.addRetiredIdentity(mk(100));
await storage.addRetiredIdentity(mk(300));
await storage.addRetiredIdentity(mk(200));
const list = await storage.getRetiredIdentities();
expect(list.map((r) => r.retiredAt)).toEqual([300, 200, 100]);
await storage.pruneRetiredIdentities(250);
const after = await storage.getRetiredIdentities();
expect(after.map((r) => r.retiredAt)).toEqual([300]);
});
});
// ─── Crash Recovery ───────────────────────────────────────
describe('persistence across close/reopen', () => {
test('data survives close and reopen', async () => {
const ikp: IdentityKeyPair = {
signingPublicKey: randBytes(32),
signingPrivateKey: randBytes(32),
dhPublicKey: randBytes(32),
dhPrivateKey: randBytes(32),
};
await storage.saveIdentityKeyPair(ikp);
await storage.saveLocalRegistrationId(99);
await storage.saveSession('alice', {
remoteIdentityKey: randBytes(32),
rootKey: randBytes(32),
sendChain: { chainKey: randBytes(32), counter: 7 },
receiveChain: null,
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
dhReceive: null,
previousSendCounter: 0,
skippedKeys: new Map(),
});
// Close and reopen against the same dbName
await storage.close();
storage = await IndexedDBStorage.create({ dbName });
const restored = await storage.getIdentityKeyPair();
expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
expect(await storage.getLocalRegistrationId()).toBe(99);
const session = await storage.getSession('alice');
expect(session!.sendChain.counter).toBe(7);
});
});
// ─── Full E2EE with IndexedDBStorage ──────────────────────
describe('full E2EE conversation with persistent storage', () => {
test('encrypt, close, reopen, continue conversation', async () => {
const bobDbName = uniqueDbName();
let bobStorage = await IndexedDBStorage.create({ dbName: bobDbName });
try {
const alice = new ShadeSessionManager(crypto, storage);
let bob = new ShadeSessionManager(crypto, bobStorage);
await alice.initialize();
await bob.initialize();
const otpks = await bob.generateOneTimePreKeys(5);
const bundle = await bob.createPreKeyBundle();
bundle.oneTimePreKey = { keyId: otpks[0]!.keyId, publicKey: otpks[0]!.keyPair.publicKey };
await alice.initSessionFromBundle('bob', bundle);
const env1 = await alice.encrypt('bob', 'Hello persistent!');
expect(await bob.decrypt('alice', env1)).toBe('Hello persistent!');
const env2 = await bob.encrypt('alice', 'Got it!');
expect(await alice.decrypt('bob', env2)).toBe('Got it!');
// "Crash" Bob — close the IDB and reopen
await bobStorage.close();
bobStorage = await IndexedDBStorage.create({ dbName: bobDbName });
bob = new ShadeSessionManager(crypto, bobStorage);
await bob.initialize();
const env3 = await alice.encrypt('bob', 'After your restart');
expect(await bob.decrypt('alice', env3)).toBe('After your restart');
const env4 = await bob.encrypt('alice', 'I survived!');
expect(await alice.decrypt('bob', env4)).toBe('I survived!');
} finally {
await bobStorage.close();
await deleteDb(bobDbName);
}
});
});
});

99
packages/shade-storage-indexeddb/tests/peer-verifications.test.ts Normal file
View File

@@ -0,0 +1,99 @@
import 'fake-indexeddb/auto';
import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
import { IndexedDBStorage } from '../src/index.js';
function uniqueDbName(): string {
return `shade-test-${Date.now()}-${Math.random().toString(36).slice(2)}`;
}
async function deleteDb(dbName: string): Promise<void> {
await new Promise<void>((resolve, reject) => {
const req = indexedDB.deleteDatabase(dbName);
req.onsuccess = () => resolve();
req.onerror = () => reject(req.error);
req.onblocked = () => resolve();
});
}
describe('IndexedDBStorage — peer_verifications (V3.3)', () => {
let dbName: string;
let storage: IndexedDBStorage;
beforeEach(async () => {
dbName = uniqueDbName();
storage = await IndexedDBStorage.create({ dbName });
});
afterEach(async () => {
await storage.close();
await deleteDb(dbName);
});
test('round trip: save → get → remove', async () => {
await storage.savePeerVerification({
peerAddress: 'bob',
fingerprint: '12345 67890 12345 67890 12345 67890 12345 67890 12345 67890 12345 67890',
verifiedAt: 1_700_000_000_000,
verifiedBy: 'user',
identityVersion: 1,
});
const v = await storage.getPeerVerification('bob');
expect(v).not.toBeNull();
expect(v!.peerAddress).toBe('bob');
expect(v!.verifiedBy).toBe('user');
expect(v!.identityVersion).toBe(1);
await storage.removePeerVerification('bob');
expect(await storage.getPeerVerification('bob')).toBeNull();
});
test('upsert overwrites on duplicate peer_address', async () => {
await storage.savePeerVerification({
peerAddress: 'bob',
fingerprint: 'fp-1',
verifiedAt: 1,
verifiedBy: 'user',
identityVersion: 1,
});
await storage.savePeerVerification({
peerAddress: 'bob',
fingerprint: 'fp-2',
verifiedAt: 2,
verifiedBy: 'transitive',
identityVersion: 2,
});
const v = await storage.getPeerVerification('bob');
expect(v!.fingerprint).toBe('fp-2');
expect(v!.verifiedBy).toBe('transitive');
expect(v!.identityVersion).toBe(2);
});
test('identity-version starts at 1 and increments via bump', async () => {
expect(await storage.getPeerIdentityVersion('alice')).toBe(1);
expect(await storage.bumpPeerIdentityVersion('alice')).toBe(2);
expect(await storage.bumpPeerIdentityVersion('alice')).toBe(3);
expect(await storage.getPeerIdentityVersion('alice')).toBe(3);
// Independent counter per peer
expect(await storage.getPeerIdentityVersion('bob')).toBe(1);
});
test('survives reopen', async () => {
await storage.savePeerVerification({
peerAddress: 'bob',
fingerprint: 'fp',
verifiedAt: 42,
verifiedBy: 'user',
identityVersion: 5,
});
await storage.bumpPeerIdentityVersion('bob');
await storage.close();
storage = await IndexedDBStorage.create({ dbName });
const v = await storage.getPeerVerification('bob');
expect(v!.fingerprint).toBe('fp');
expect(v!.identityVersion).toBe(5);
expect(await storage.getPeerIdentityVersion('bob')).toBe(2);
});
});

9
packages/shade-storage-indexeddb/tsconfig.json Normal file
View File

@@ -0,0 +1,9 @@
{
"extends": "../../tsconfig.json",
"compilerOptions": {
"outDir": "dist",
"rootDir": "src",
"lib": ["ES2022", "DOM"]
},
"include": ["src"]
}

2
packages/shade-storage-postgres/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/storage-postgres",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

7
packages/shade-storage-postgres/src/ensure-tables.ts
View File

@@ -223,9 +223,16 @@ export async function ensureInboxServerTables(sql: Sql): Promise<void> {
ciphertext TEXT NOT NULL,
received_at BIGINT NOT NULL,
expires_at BIGINT NOT NULL,
sender_fp TEXT,
PRIMARY KEY (address, msg_id)
)
`;
// V4.8 — sender fingerprint column. Idempotent ADD COLUMN for live
// databases that came up under a 4.7-or-earlier schema.
await sql`
ALTER TABLE shade_inbox_blobs
ADD COLUMN IF NOT EXISTS sender_fp TEXT
`;
await sql`
CREATE INDEX IF NOT EXISTS shade_inbox_addr_expires_idx
ON shade_inbox_blobs(address, expires_at)

33
packages/shade-storage-postgres/src/postgres-inbox-store.ts
View File

@@ -56,18 +56,20 @@ export class PostgresInboxStore implements InboxStore {
msgId: string;
ciphertext: Uint8Array;
expiresAt: number;
senderFp?: string;
}): Promise<{ created: boolean; receivedAt: number }> {
// ON CONFLICT DO NOTHING + RETURNING keeps it idempotent and atomic.
// When a row already exists, we look up its received_at in a follow-up
// SELECT.
const inserted = await this.sql<Array<{ received_at: string }>>`
INSERT INTO shade_inbox_blobs (address, msg_id, ciphertext, received_at, expires_at)
INSERT INTO shade_inbox_blobs (address, msg_id, ciphertext, received_at, expires_at, sender_fp)
VALUES (
${args.address},
${args.msgId},
${toBase64(args.ciphertext)},
nextval('shade_inbox_seq'),
${args.expiresAt}
${args.expiresAt},
${args.senderFp ?? null}
)
ON CONFLICT (address, msg_id) DO NOTHING
RETURNING received_at::text
@@ -90,14 +92,23 @@ export class PostgresInboxStore implements InboxStore {
sinceCursor: number;
now: number;
limit: number;
}): Promise<Array<{ msgId: string; ciphertext: Uint8Array; receivedAt: number; expiresAt: number }>> {
}): Promise<
Array<{
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
senderFp?: string;
}>
> {
const rows = await this.sql<Array<{
msg_id: string;
ciphertext: string;
received_at: string;
expires_at: string;
sender_fp: string | null;
}>>`
SELECT msg_id, ciphertext, received_at::text, expires_at::text
SELECT msg_id, ciphertext, received_at::text, expires_at::text, sender_fp
FROM shade_inbox_blobs
WHERE address = ${args.address}
AND received_at > ${args.sinceCursor}
@@ -105,12 +116,22 @@ export class PostgresInboxStore implements InboxStore {
ORDER BY received_at ASC
LIMIT ${args.limit}
`;
return rows.map((r) => ({
return rows.map((r) => {
const out: {
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
senderFp?: string;
} = {
msgId: r.msg_id,
ciphertext: fromBase64(r.ciphertext),
receivedAt: parseInt(r.received_at, 10),
expiresAt: parseInt(r.expires_at, 10),
}));
};
if (r.sender_fp) out.senderFp = r.sender_fp;
return out;
});
}
async deleteBlob(address: string, msgId: string): Promise<boolean> {

2
packages/shade-storage-sqlite/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/storage-sqlite",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

47
packages/shade-storage-sqlite/src/sqlite-inbox-store.ts
View File

@@ -53,6 +53,7 @@ export class SqliteInboxStore implements InboxStore {
ciphertext TEXT NOT NULL,
received_at INTEGER NOT NULL,
expires_at INTEGER NOT NULL,
sender_fp TEXT,
PRIMARY KEY (address, msg_id)
);
CREATE INDEX IF NOT EXISTS idx_inbox_addr_expires
@@ -62,6 +63,14 @@ export class SqliteInboxStore implements InboxStore {
CREATE INDEX IF NOT EXISTS idx_inbox_expires
ON inbox_blobs(expires_at);
`);
// V4.8 — sender fingerprint column. Idempotent ALTER for live
// databases that came up under a 4.7-or-earlier schema.
const cols = this.db
.prepare(`PRAGMA table_info(inbox_blobs)`)
.all() as Array<{ name: string }>;
if (!cols.some((c) => c.name === 'sender_fp')) {
this.db.exec(`ALTER TABLE inbox_blobs ADD COLUMN sender_fp TEXT`);
}
}
private prepareStatements() {
@@ -73,13 +82,13 @@ export class SqliteInboxStore implements InboxStore {
deleteOwner: this.db.prepare('DELETE FROM inbox_owners WHERE address = ?'),
deleteOwnerBlobs: this.db.prepare('DELETE FROM inbox_blobs WHERE address = ?'),
insertBlob: this.db.prepare(
'INSERT INTO inbox_blobs (address, msg_id, ciphertext, received_at, expires_at) VALUES (?, ?, ?, ?, ?)',
'INSERT INTO inbox_blobs (address, msg_id, ciphertext, received_at, expires_at, sender_fp) VALUES (?, ?, ?, ?, ?, ?)',
),
findBlob: this.db.prepare(
'SELECT received_at FROM inbox_blobs WHERE address = ? AND msg_id = ?',
),
fetchSince: this.db.prepare(
`SELECT msg_id, ciphertext, received_at, expires_at
`SELECT msg_id, ciphertext, received_at, expires_at, sender_fp
FROM inbox_blobs
WHERE address = ? AND received_at > ? AND expires_at > ?
ORDER BY received_at ASC
@@ -124,6 +133,7 @@ export class SqliteInboxStore implements InboxStore {
msgId: string;
ciphertext: Uint8Array;
expiresAt: number;
senderFp?: string;
}): Promise<{ created: boolean; receivedAt: number }> {
const existing = this.stmts.findBlob.get(args.address, args.msgId) as
| { received_at: number }
@@ -139,6 +149,7 @@ export class SqliteInboxStore implements InboxStore {
toBase64(args.ciphertext),
receivedAt,
args.expiresAt,
args.senderFp ?? null,
);
return { created: true, receivedAt };
}
@@ -148,19 +159,43 @@ export class SqliteInboxStore implements InboxStore {
sinceCursor: number;
now: number;
limit: number;
}): Promise<Array<{ msgId: string; ciphertext: Uint8Array; receivedAt: number; expiresAt: number }>> {
}): Promise<
Array<{
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
senderFp?: string;
}>
> {
const rows = this.stmts.fetchSince.all(
args.address,
args.sinceCursor,
args.now,
args.limit,
) as Array<{ msg_id: string; ciphertext: string; received_at: number; expires_at: number }>;
return rows.map((r) => ({
) as Array<{
msg_id: string;
ciphertext: string;
received_at: number;
expires_at: number;
sender_fp: string | null;
}>;
return rows.map((r) => {
const out: {
msgId: string;
ciphertext: Uint8Array;
receivedAt: number;
expiresAt: number;
senderFp?: string;
} = {
msgId: r.msg_id,
ciphertext: fromBase64(r.ciphertext),
receivedAt: r.received_at,
expiresAt: r.expires_at,
}));
};
if (r.sender_fp) out.senderFp = r.sender_fp;
return out;
});
}
async deleteBlob(address: string, msgId: string): Promise<boolean> {

162
packages/shade-storage-sqlite/src/sqlite-storage.ts
View File

@@ -1,5 +1,9 @@
import { Database } from 'bun:sqlite';
import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState, RetiredIdentity, PersistedStreamState, PeerVerification, PeerVerificationSource } from '@shade/core';
import type {
StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey,
SessionState, RetiredIdentity, PersistedStreamState, PeerVerification,
PeerVerificationSource, BroadcastChannelRecord, BroadcastMemberRecord,
} from '@shade/core';
import {
toBase64, fromBase64,
constantTimeEqual,
@@ -53,6 +57,14 @@ export class SQLiteStorage implements StorageProvider {
removePeerVerification: ReturnType<Database['prepare']>;
getPeerIdentityVersion: ReturnType<Database['prepare']>;
upsertPeerIdentityVersion: ReturnType<Database['prepare']>;
saveBroadcastChannel: ReturnType<Database['prepare']>;
getBroadcastChannel: ReturnType<Database['prepare']>;
listBroadcastChannels: ReturnType<Database['prepare']>;
removeBroadcastChannel: ReturnType<Database['prepare']>;
removeBroadcastChannelMembers: ReturnType<Database['prepare']>;
saveBroadcastMember: ReturnType<Database['prepare']>;
getBroadcastMembers: ReturnType<Database['prepare']>;
removeBroadcastMember: ReturnType<Database['prepare']>;
};
constructor(dbPath?: string) {
@@ -127,6 +139,27 @@ export class SQLiteStorage implements StorageProvider {
peer_address TEXT PRIMARY KEY,
version INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS broadcast_channels (
channel_id TEXT PRIMARY KEY,
owner_role TEXT NOT NULL,
owner_address TEXT NOT NULL,
label TEXT,
generation INTEGER NOT NULL,
chain_key BLOB NOT NULL,
iteration INTEGER NOT NULL,
signing_public_key BLOB NOT NULL,
signing_private_key BLOB,
created_at INTEGER NOT NULL,
updated_at INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS broadcast_members (
channel_id TEXT NOT NULL,
peer_address TEXT NOT NULL,
joined_at INTEGER NOT NULL,
removed_at INTEGER,
PRIMARY KEY (channel_id, peer_address)
);
CREATE INDEX IF NOT EXISTS idx_broadcast_members_channel ON broadcast_members(channel_id);
`);
}
@@ -183,6 +216,36 @@ export class SQLiteStorage implements StorageProvider {
`INSERT INTO peer_identity_versions (peer_address, version) VALUES (?, ?)
ON CONFLICT(peer_address) DO UPDATE SET version = excluded.version`,
),
saveBroadcastChannel: this.db.prepare(
`INSERT OR REPLACE INTO broadcast_channels
(channel_id, owner_role, owner_address, label, generation,
chain_key, iteration, signing_public_key, signing_private_key,
created_at, updated_at)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
),
getBroadcastChannel: this.db.prepare(
'SELECT * FROM broadcast_channels WHERE channel_id = ?',
),
listBroadcastChannels: this.db.prepare(
'SELECT * FROM broadcast_channels ORDER BY created_at ASC',
),
removeBroadcastChannel: this.db.prepare(
'DELETE FROM broadcast_channels WHERE channel_id = ?',
),
removeBroadcastChannelMembers: this.db.prepare(
'DELETE FROM broadcast_members WHERE channel_id = ?',
),
saveBroadcastMember: this.db.prepare(
`INSERT OR REPLACE INTO broadcast_members
(channel_id, peer_address, joined_at, removed_at)
VALUES (?, ?, ?, ?)`,
),
getBroadcastMembers: this.db.prepare(
'SELECT channel_id, peer_address, joined_at, removed_at FROM broadcast_members WHERE channel_id = ? ORDER BY joined_at ASC',
),
removeBroadcastMember: this.db.prepare(
'DELETE FROM broadcast_members WHERE channel_id = ? AND peer_address = ?',
),
};
}
@@ -392,6 +455,103 @@ export class SQLiteStorage implements StorageProvider {
this.stmts.upsertPeerIdentityVersion.run(address, next);
return next;
}
// ─── Broadcast channels (V4.6) ────────────────────────────
async saveBroadcastChannel(channel: BroadcastChannelRecord): Promise<void> {
this.stmts.saveBroadcastChannel.run(
channel.channelId,
channel.ownerRole,
channel.ownerAddress,
channel.label ?? null,
channel.generation,
channel.chainKey,
channel.iteration,
channel.signingPublicKey,
channel.signingPrivateKey ?? null,
channel.createdAt,
channel.updatedAt,
);
}
async getBroadcastChannel(channelId: string): Promise<BroadcastChannelRecord | null> {
const row = this.stmts.getBroadcastChannel.get(channelId) as BroadcastChannelRow | undefined;
if (!row) return null;
return rowToBroadcastChannel(row);
}
async listBroadcastChannels(): Promise<BroadcastChannelRecord[]> {
const rows = this.stmts.listBroadcastChannels.all() as BroadcastChannelRow[];
return rows.map(rowToBroadcastChannel);
}
async removeBroadcastChannel(channelId: string): Promise<void> {
this.stmts.removeBroadcastChannelMembers.run(channelId);
this.stmts.removeBroadcastChannel.run(channelId);
}
async saveBroadcastMember(member: BroadcastMemberRecord): Promise<void> {
this.stmts.saveBroadcastMember.run(
member.channelId,
member.peerAddress,
member.joinedAt,
member.removedAt,
);
}
async getBroadcastMembers(channelId: string): Promise<BroadcastMemberRecord[]> {
const rows = this.stmts.getBroadcastMembers.all(channelId) as BroadcastMemberRow[];
return rows.map((r) => ({
channelId: r.channel_id,
peerAddress: r.peer_address,
joinedAt: Number(r.joined_at),
removedAt: r.removed_at === null || r.removed_at === undefined ? null : Number(r.removed_at),
}));
}
async removeBroadcastMember(channelId: string, peerAddress: string): Promise<void> {
this.stmts.removeBroadcastMember.run(channelId, peerAddress);
}
}
interface BroadcastChannelRow {
channel_id: string;
owner_role: 'sender' | 'receiver';
owner_address: string;
label: string | null;
generation: number | bigint;
chain_key: Uint8Array | ArrayBuffer;
iteration: number | bigint;
signing_public_key: Uint8Array | ArrayBuffer;
signing_private_key: Uint8Array | ArrayBuffer | null;
created_at: number | bigint;
updated_at: number | bigint;
}
interface BroadcastMemberRow {
channel_id: string;
peer_address: string;
joined_at: number | bigint;
removed_at: number | bigint | null;
}
function rowToBroadcastChannel(r: BroadcastChannelRow): BroadcastChannelRecord {
const out: BroadcastChannelRecord = {
channelId: r.channel_id,
ownerRole: r.owner_role,
ownerAddress: r.owner_address,
generation: Number(r.generation),
chainKey: toBytes(r.chain_key),
iteration: Number(r.iteration),
signingPublicKey: toBytes(r.signing_public_key),
createdAt: Number(r.created_at),
updatedAt: Number(r.updated_at),
};
if (r.label !== null && r.label !== undefined) out.label = r.label;
if (r.signing_private_key !== null && r.signing_private_key !== undefined) {
out.signingPrivateKey = toBytes(r.signing_private_key);
}
return out;
}
function rowToStreamState(row: any): PersistedStreamState {

98
packages/shade-storage-sqlite/tests/sqlite-inbox-store.test.ts
View File

@@ -178,6 +178,104 @@ describe('SqliteInboxStore', () => {
expect(blobs.length).toBe(0);
});
test('senderFp round-trips through put + fetch (V4.8)', async () => {
const ct = randBytes(40);
const fp = '0123456789abcdef';
await store.putBlob({
address: 'bob',
msgId: 'a'.repeat(64),
ciphertext: ct,
expiresAt: Date.now() + 60_000,
senderFp: fp,
});
const blobs = await store.fetchBlobs({
address: 'bob',
sinceCursor: 0,
now: Date.now(),
limit: 10,
});
expect(blobs.length).toBe(1);
expect(blobs[0]!.senderFp).toBe(fp);
});
test('senderFp omitted on put → fetched row has senderFp undefined (V4.8 backward-compat)', async () => {
const ct = randBytes(40);
await store.putBlob({
address: 'bob',
msgId: 'b'.repeat(64),
ciphertext: ct,
expiresAt: Date.now() + 60_000,
});
const blobs = await store.fetchBlobs({
address: 'bob',
sinceCursor: 0,
now: Date.now(),
limit: 10,
});
expect(blobs.length).toBe(1);
expect(blobs[0]!.senderFp).toBeUndefined();
});
test('ALTER TABLE migration adds sender_fp to a pre-4.8 schema (V4.8)', async () => {
// Reproduce a pre-4.8 schema in a fresh DB, then reopen via
// SqliteInboxStore which should run the idempotent ALTER without
// dropping the existing rows.
store.close();
try {
unlinkSync(dbPath);
} catch {}
try {
unlinkSync(dbPath + '-wal');
} catch {}
try {
unlinkSync(dbPath + '-shm');
} catch {}
const { Database } = await import('bun:sqlite');
const legacy = new Database(dbPath, { create: true });
legacy.exec(`
CREATE TABLE inbox_blobs (
address TEXT NOT NULL,
msg_id TEXT NOT NULL,
ciphertext TEXT NOT NULL,
received_at INTEGER NOT NULL,
expires_at INTEGER NOT NULL,
PRIMARY KEY (address, msg_id)
);
`);
legacy.prepare(
'INSERT INTO inbox_blobs (address, msg_id, ciphertext, received_at, expires_at) VALUES (?, ?, ?, ?, ?)',
).run('bob', 'c'.repeat(64), 'AAAA', Date.now(), Date.now() + 60_000);
legacy.close();
store = new SqliteInboxStore(dbPath);
const blobs = await store.fetchBlobs({
address: 'bob',
sinceCursor: 0,
now: Date.now(),
limit: 10,
});
expect(blobs.length).toBe(1);
expect(blobs[0]!.senderFp).toBeUndefined();
// New writes after migration carry senderFp.
await store.putBlob({
address: 'bob',
msgId: 'd'.repeat(64),
ciphertext: randBytes(8),
expiresAt: Date.now() + 60_000,
senderFp: 'feedfacedeadbeef',
});
const after = await store.fetchBlobs({
address: 'bob',
sinceCursor: 0,
now: Date.now(),
limit: 10,
});
const newer = after.find((b) => b.msgId === 'd'.repeat(64));
expect(newer?.senderFp).toBe('feedfacedeadbeef');
});
test('countBlobs ignores expired entries', async () => {
const now = Date.now();
await store.putBlob({

2
packages/shade-streams/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/streams",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

2
packages/shade-transfer/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/transfer",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

23
packages/shade-transfer/src/transport/queue-transport.ts
View File

@@ -81,6 +81,14 @@ const DEFAULT_IDLE_EVICTION_MS = 10 * 60 * 1000;
interface PendingWaiter {
resolve(events: QueuedEvent[]): void;
reject(err: Error): void;
/**
* The waiter's `since` cursor — only events with `id > since` should
* be delivered when this waiter is resolved. Without this, an
* enqueue that arrives while a poller is waiting would replay
* already-processed events, causing the receiver to double-decrypt
* (and corrupt ratchet state).
*/
since: number;
timer: ReturnType<typeof setTimeout>;
abortHandler?: () => void;
signal?: AbortSignal;
@@ -140,16 +148,21 @@ export class OutboundQueue {
// last polled id; the @shade/transfer engine handles missing seqs
// by re-sending on resume.
while (state.events.length > this.maxEvents) state.events.shift();
// Wake all waiters with whatever has accumulated.
const drained = this.collect(state, 0);
if (drained.length > 0) {
// Wake each waiter with events newer than ITS OWN `since`. Using a
// shared snapshot from `since=0` would replay events the waiter has
// already processed once a fresh enqueue arrived mid-poll, which on
// the receiver side double-dispatches an envelope into shade.receive
// → manager.decrypt and consumes the same skipped-key twice (the
// second dispatch corrupts the ratchet chain).
if (state.waiters.length > 0) {
const waiters = state.waiters.splice(0);
for (const w of waiters) {
clearTimeout(w.timer);
if (w.abortHandler !== undefined && w.signal !== undefined) {
w.signal.removeEventListener('abort', w.abortHandler);
}
w.resolve(drained);
const wDrained = this.collect(state, w.since);
w.resolve(wDrained);
}
}
return event;
@@ -181,7 +194,7 @@ export class OutboundQueue {
// Empty drain on timeout — that's the "no new events" signal.
resolve([]);
}, blockMs);
const waiter: PendingWaiter = { resolve, reject, timer };
const waiter: PendingWaiter = { resolve, reject, since, timer };
if (signal !== undefined) {
const handler = () => {
const idx = state.waiters.indexOf(waiter);

60
packages/shade-transfer/tests/outbound-queue.test.ts Normal file
View File

@@ -0,0 +1,60 @@
import { describe, expect, test } from 'bun:test';
import { OutboundQueue } from '../src/index.js';
/**
* Regression coverage for the long-poll waiter `since` cursor.
*
* The bug being guarded against: when `enqueue` woke a pending
* `drain` waiter, it used a `since=0` snapshot and replayed every
* event that had ever been queued — including the ones the waiter
* had already processed in a previous poll. Downstream the queue
* fed `Shade.acceptTransferEnvelope`, so the duplicate replay
* dispatched the same envelope into `manager.decrypt` twice. The
* second decrypt consumed an already-used skipped key, fell into
* the stale-counter branch of `ratchetDecrypt`, and corrupted the
* Double Ratchet receive chain — surfacing as
* `DecryptionError: wrong key or tampered data` on every
* subsequent message.
*/
describe('OutboundQueue — waiter since cursor', () => {
test('mid-poll enqueue must not replay events the waiter already saw', async () => {
const queue = new OutboundQueue({ idleEvictionMs: 0 });
const peer = 'alice';
const e1 = queue.enqueue(peer, { kind: 'envelope', bytes: new Uint8Array([1]) });
const e2 = queue.enqueue(peer, { kind: 'envelope', bytes: new Uint8Array([2]) });
// First poll drains both events (no blocking — they're already there).
const first = await queue.drain(peer, 0, 0);
expect(first.map((e) => e.id)).toEqual([e1.id, e2.id]);
// Now the waiter polls past the last seen id. It blocks because
// there are no events newer than `since`. Concurrently a fresh
// event gets enqueued — that's the path the bug fired on.
const blockMs = 5_000;
const polling = queue.drain(peer, e2.id, blockMs);
// Yield so `drain` actually parks on the waiter list before we
// race the enqueue against it.
await Promise.resolve();
const e3 = queue.enqueue(peer, { kind: 'envelope', bytes: new Uint8Array([3]) });
const woken = await polling;
// Pre-fix: would resolve with [e1, e2, e3] (a `since=0` snapshot
// drained verbatim). Post-fix: only the events newer than the
// waiter's recorded `since` come through.
expect(woken.map((e) => e.id)).toEqual([e3.id]);
});
test('parked waiter at the head still gets the new event when others have polled past it', async () => {
const queue = new OutboundQueue({ idleEvictionMs: 0 });
const peer = 'alice';
const e1 = queue.enqueue(peer, { kind: 'envelope', bytes: new Uint8Array([1]) });
// A waiter that parks past the head — there are no events newer
// than e1.id, so it has to block.
const polling = queue.drain(peer, e1.id, 5_000);
await Promise.resolve();
const e2 = queue.enqueue(peer, { kind: 'envelope', bytes: new Uint8Array([2]) });
const woken = await polling;
expect(woken.map((e) => e.id)).toEqual([e2.id]);
});
});

2
packages/shade-transport-bridge/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/transport-bridge",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

36
packages/shade-transport-bridge/src/auth.ts
View File

@@ -62,3 +62,39 @@ export function bridgeQueryToCanonical(qs: URLSearchParams): {
if (!Number.isFinite(signedAt)) return null;
return { address, kind, since, signedAt, signature };
}
// ─── V4.7 — presence subscription auth ────────────────────────────
export interface PresenceAuthInput {
crypto: CryptoProvider;
signingPrivateKey: Uint8Array;
/** The watcher's own address (signer of the request). */
address: string;
/** Addresses to subscribe presence updates for. May be empty. */
watched: readonly string[];
}
/**
* Build the signed query string for `GET /v1/bridge/presence`. The
* `kind: 'presence'` field is bound into the canonical payload to
* prevent cross-endpoint replay against `/v1/bridge/{stream,poll,ws}`.
*
* The `watched` array is sorted to give the signed bytes a canonical
* order; the wire form encodes it as a single comma-separated
* `watched=` parameter (address syntax disallows `,`).
*/
export async function signPresenceQuery(input: PresenceAuthInput): Promise<URLSearchParams> {
const watched = [...input.watched].sort();
const signed = await signPayload(input.crypto, input.signingPrivateKey, {
address: input.address,
kind: 'presence',
watched,
});
const qs = new URLSearchParams();
qs.set('address', input.address);
qs.set('kind', 'presence');
qs.set('watched', watched.join(','));
qs.set('signedAt', String(signed.signedAt));
qs.set('signature', signed.signature);
return qs;
}

13
packages/shade-transport-bridge/src/index.ts
View File

@@ -23,8 +23,17 @@ export { decodeWireMessage } from './types.js';
export { BridgeError } from './errors.js';
export { signBridgeQuery, bridgeQueryToCanonical } from './auth.js';
export type { BridgeKind, BridgeAuthInput } from './auth.js';
export { signBridgeQuery, bridgeQueryToCanonical, signPresenceQuery } from './auth.js';
export type { BridgeKind, BridgeAuthInput, PresenceAuthInput } from './auth.js';
export { PresenceBridge } from './presence-bridge.js';
export type {
PresenceBridgeOptions,
PresenceSubscribeOptions,
PresenceSubscription,
PresenceChange,
PresenceVia,
} from './presence-bridge.js';
export { SseBridge } from './sse-bridge.js';
export type { SseBridgeOptions } from './sse-bridge.js';

5
packages/shade-transport-bridge/src/long-poll-bridge.ts
View File

@@ -51,7 +51,10 @@ export class LongPollBridge implements BridgeTransport {
private loopPromise: Promise<void> | null = null;
constructor(private readonly options: LongPollBridgeOptions) {
this.fetchFn = options.fetch ?? globalThis.fetch;
// Bind to globalThis: browser `fetch` is a WebIDL bound operation
// and throws "Illegal invocation" when called as `this.fetchFn(...)`.
const f = options.fetch ?? globalThis.fetch;
this.fetchFn = f.bind(globalThis);
this.cursor = options.startCursor ?? 0;
}

337
packages/shade-transport-bridge/src/presence-bridge.ts Normal file
View File

@@ -0,0 +1,337 @@
/**
* V4.7 — presence subscription client.
*
* Consumes the SSE feed at `<base>/v1/bridge/presence?…` and fires
* `onPresenceChange` whenever a watched address transitions
* online/offline. Tracking is server-side: the inbox-server emits
* presence events on the 0↔1 boundary across WS + SSE bridge
* connections, and this client filters by the watcher's declared
* address list.
*
* Threat model context: the typical consumer (Prism, password
* managers, anything sender-key-broadcasting) wires this to
* `BroadcastChannel.removeMember` so a clean WS/SSE close on a
* paired-peer device revokes its sender-key membership within
* ~50ms. Long-poll bridges are deliberately NOT tracked on the
* server (see `inbox-server` `events.ts`); presence here is
* push-transport only.
*
* Watched-list mutations (`addPeer` / `removePeer`) trigger a
* reconnect with a fresh signed query so the server-side filter
* reflects the new set. Mutations are expected to be rare (only on
* pair / unpair, not on every message), so the brief reconnect gap
* is acceptable.
*/
import type { CryptoProvider } from '@shade/core';
import { signPresenceQuery } from './auth.js';
import { BridgeError } from './errors.js';
export type PresenceVia = 'ws' | 'sse';
export interface PresenceChange {
address: string;
status: 'online' | 'offline';
/** Server's wall-clock time (ms since epoch) when the change happened. */
at: number;
/** Which transport carried the connection. Absent on the initial snapshot. */
via?: PresenceVia;
}
export interface PresenceBridgeOptions {
/** Bridge base URL — same as `LongPollBridge` / `SseBridge`. */
baseUrl: string;
crypto: CryptoProvider;
/** Watcher's Ed25519 signing key (the address must be a registered inbox). */
signingPrivateKey: Uint8Array;
/** Watcher's address (the registered inbox owner). */
address: string;
/** Override `fetch` (tests). */
fetch?: typeof fetch;
/** Initial reconnect backoff (ms). Default 250. */
initialBackoffMs?: number;
/** Max reconnect backoff (ms). Default 10_000. */
maxBackoffMs?: number;
/** Disable automatic reconnect. Default false. */
disableAutoReconnect?: boolean;
}
export interface PresenceSubscribeOptions {
/** Initial set of addresses to watch. May be empty. */
watch: readonly string[];
/** Fired whenever a watched address transitions, plus once per address on initial open. */
onPresenceChange: (change: PresenceChange) => void | Promise<void>;
/** Optional reconnect / parse error reporter. */
onError?: (err: Error) => void;
}
export interface PresenceSubscription {
/** Add an address to the watched set. Triggers a reconnect. */
addPeer(address: string): Promise<void>;
/** Remove an address from the watched set. Triggers a reconnect. */
removePeer(address: string): Promise<void>;
/** Snapshot of the currently-watched addresses. */
watching(): readonly string[];
/** Tear down. Idempotent. */
unsubscribe(): Promise<void>;
}
const DEFAULT_INITIAL_BACKOFF = 250;
const DEFAULT_MAX_BACKOFF = 10_000;
export class PresenceBridge {
private readonly fetchFn: typeof fetch;
constructor(private readonly options: PresenceBridgeOptions) {
const f = options.fetch ?? globalThis.fetch;
this.fetchFn = f.bind(globalThis);
}
async subscribe(opts: PresenceSubscribeOptions): Promise<PresenceSubscription> {
const session = new PresenceSession(this.options, this.fetchFn, opts);
await session.start();
return session;
}
}
class PresenceSession implements PresenceSubscription {
private watched: string[];
private abortController: AbortController | null = null;
private currentReader: ReadableStreamDefaultReader<Uint8Array> | null = null;
private disposed = false;
private readLoopPromise: Promise<void> | null = null;
private readonly onPresenceChange: PresenceSubscribeOptions['onPresenceChange'];
private readonly onError: NonNullable<PresenceSubscribeOptions['onError']>;
private firstOpenResolve: (() => void) | null = null;
private firstOpenReject: ((err: Error) => void) | null = null;
private firstOpenSettled = false;
constructor(
private readonly options: PresenceBridgeOptions,
private readonly fetchFn: typeof fetch,
opts: PresenceSubscribeOptions,
) {
this.watched = [...opts.watch];
this.onPresenceChange = opts.onPresenceChange;
this.onError =
opts.onError ?? ((err) => console.warn('[shade-bridge:presence]', err.message));
}
watching(): readonly string[] {
return [...this.watched];
}
async start(): Promise<void> {
return this.openAndPump();
}
/**
* Open one SSE connection and resolve once the first response has
* been received (so that callers can `await subscribe()` and know
* the connection is established before the first state change).
* The read loop continues in the background.
*/
private openAndPump(): Promise<void> {
return new Promise<void>((resolve, reject) => {
this.firstOpenSettled = false;
this.firstOpenResolve = () => {
if (this.firstOpenSettled) return;
this.firstOpenSettled = true;
resolve();
};
this.firstOpenReject = (err: Error) => {
if (this.firstOpenSettled) return;
this.firstOpenSettled = true;
reject(err);
};
this.readLoopPromise = this.runLoop();
});
}
private async runLoop(): Promise<void> {
let backoff = this.options.initialBackoffMs ?? DEFAULT_INITIAL_BACKOFF;
const maxBackoff = this.options.maxBackoffMs ?? DEFAULT_MAX_BACKOFF;
let firstAttempt = true;
while (!this.disposed) {
try {
await this.openOnce();
if (firstAttempt) {
firstAttempt = false;
this.firstOpenResolve?.();
}
// Reset backoff on a successful open.
backoff = this.options.initialBackoffMs ?? DEFAULT_INITIAL_BACKOFF;
await this.consume();
} catch (err) {
if (this.disposed) return;
if (firstAttempt) {
// Failed before we ever got a 200 — surface to the caller of subscribe().
this.firstOpenReject?.(err as Error);
return;
}
this.onError(err as Error);
}
this.currentReader = null;
if (this.disposed || this.options.disableAutoReconnect) return;
await sleep(backoff);
backoff = Math.min(backoff * 2, maxBackoff);
}
}
private async openOnce(): Promise<void> {
const qs = await signPresenceQuery({
crypto: this.options.crypto,
signingPrivateKey: this.options.signingPrivateKey,
address: this.options.address,
watched: this.watched,
});
const url = `${stripTrailingSlash(this.options.baseUrl)}/v1/bridge/presence?${qs.toString()}`;
this.abortController = new AbortController();
let res: Response;
try {
res = await this.fetchFn(url, {
method: 'GET',
headers: { accept: 'text/event-stream', 'cache-control': 'no-cache' },
signal: this.abortController.signal,
});
} catch (err) {
throw new BridgeError(`presence connect failed: ${(err as Error).message}`);
}
if (!res.ok) {
throw new BridgeError(`presence connect failed: HTTP ${res.status}`, res.status);
}
if (!res.body) {
throw new BridgeError('presence response has no body');
}
this.currentReader = res.body.getReader() as ReadableStreamDefaultReader<Uint8Array>;
}
private async consume(): Promise<void> {
const reader = this.currentReader;
if (!reader) return;
const decoder = new TextDecoder();
let buf = '';
let dataLines: string[] = [];
let eventName: string | null = null;
while (true) {
let chunk: Awaited<ReturnType<typeof reader.read>>;
try {
chunk = await reader.read();
} catch (err) {
// Reader cancelled (mutation / unsubscribe) — exit cleanly.
if (this.disposed || (err as Error).name === 'AbortError') return;
throw err;
}
if (chunk.done) return;
buf += decoder.decode(chunk.value, { stream: true });
let idx;
while ((idx = buf.indexOf('\n')) !== -1) {
const rawLine = buf.slice(0, idx);
buf = buf.slice(idx + 1);
const line = rawLine.endsWith('\r') ? rawLine.slice(0, -1) : rawLine;
if (line === '') {
if (dataLines.length > 0) {
await this.dispatch(eventName, dataLines.join('\n'));
}
dataLines = [];
eventName = null;
continue;
}
if (line.startsWith(':')) continue;
const colon = line.indexOf(':');
const field = colon === -1 ? line : line.slice(0, colon);
let val = colon === -1 ? '' : line.slice(colon + 1);
if (val.startsWith(' ')) val = val.slice(1);
if (field === 'data') dataLines.push(val);
else if (field === 'event') eventName = val;
}
}
}
private async dispatch(name: string | null, data: string): Promise<void> {
if (name !== null && name !== '' && name !== 'presence') return;
let parsed: unknown;
try {
parsed = JSON.parse(data);
} catch (err) {
this.onError(new BridgeError(`malformed presence data: ${(err as Error).message}`));
return;
}
const change = parsed as PresenceChange;
if (
typeof change.address !== 'string' ||
(change.status !== 'online' && change.status !== 'offline') ||
typeof change.at !== 'number'
) {
this.onError(new BridgeError('presence frame missing required fields'));
return;
}
try {
await this.onPresenceChange(change);
} catch (err) {
this.onError(err as Error);
}
}
async addPeer(address: string): Promise<void> {
if (this.disposed) throw new BridgeError('PresenceBridge subscription disposed');
if (this.watched.includes(address)) return;
this.watched = [...this.watched, address];
await this.reconnect();
}
async removePeer(address: string): Promise<void> {
if (this.disposed) throw new BridgeError('PresenceBridge subscription disposed');
if (!this.watched.includes(address)) return;
this.watched = this.watched.filter((a) => a !== address);
await this.reconnect();
}
/**
* Tear down the current SSE connection so the run loop reopens with
* the new watched list. Cancels via abort + reader.cancel — both are
* tolerated by the consume() catch path.
*/
private async reconnect(): Promise<void> {
const reader = this.currentReader;
this.currentReader = null;
this.abortController?.abort();
if (reader) {
try {
await reader.cancel();
} catch {
/* ignore */
}
}
}
async unsubscribe(): Promise<void> {
if (this.disposed) return;
this.disposed = true;
const reader = this.currentReader;
this.currentReader = null;
this.abortController?.abort();
if (reader) {
try {
await reader.cancel();
} catch {
/* ignore */
}
}
if (this.readLoopPromise) {
try {
await this.readLoopPromise;
} catch {
/* ignore */
}
}
}
}
function stripTrailingSlash(s: string): string {
return s.endsWith('/') ? s.slice(0, -1) : s;
}
function sleep(ms: number): Promise<void> {
return new Promise((r) => setTimeout(r, ms));
}

5
packages/shade-transport-bridge/src/sse-bridge.ts
View File

@@ -58,7 +58,10 @@ export class SseBridge implements BridgeTransport {
console.warn('[shade-bridge:sse]', err.message);
constructor(private readonly options: SseBridgeOptions) {
this.fetchFn = options.fetch ?? globalThis.fetch;
// Bind to globalThis: browser `fetch` is a WebIDL bound operation
// and throws "Illegal invocation" when called as `this.fetchFn(...)`.
const f = options.fetch ?? globalThis.fetch;
this.fetchFn = f.bind(globalThis);
this.cursor = options.startCursor ?? 0;
}

518
packages/shade-transport-bridge/tests/bridge.test.ts
View File

@@ -28,7 +28,9 @@ import {
WsBridge,
FallbackBridgeTransport,
signBridgeQuery,
PresenceBridge,
type IncomingMessage,
type PresenceChange,
} from '../src/index.js';
const crypto = new SubtleCryptoProvider();
@@ -510,3 +512,519 @@ describe('Bridge cursor resume', () => {
await sseB.disconnect();
});
});
describe('Bridges — default fetch is bound to globalThis', () => {
// Regression: browsers' `fetch` is a WebIDL bound operation that throws
// "Illegal invocation" when called via `this.fetchFn(...)`. Constructors
// for LongPollBridge / SseBridge must `bind(globalThis)`.
function installStrictFetch(): { restore: () => void; getReceiver: () => unknown } {
const realFetch = globalThis.fetch;
let observedReceiver: unknown = 'unset';
function strictFetch(this: unknown, _input: unknown, _init?: unknown): Promise<Response> {
observedReceiver = this;
if (this !== globalThis) {
throw new TypeError("Failed to execute 'fetch' on 'Window': Illegal invocation");
}
return Promise.resolve(
new Response('{"blobs":[]}', {
status: 200,
headers: { 'content-type': 'application/json' },
}),
);
}
Object.defineProperty(globalThis, 'fetch', {
configurable: true,
writable: true,
value: strictFetch,
});
return {
restore: () =>
Object.defineProperty(globalThis, 'fetch', {
configurable: true,
writable: true,
value: realFetch,
}),
getReceiver: () => observedReceiver,
};
}
test('LongPollBridge default path passes globalThis as `this`', async () => {
const { restore, getReceiver } = installStrictFetch();
try {
const id = await generateIdentityKeyPair(crypto);
const bridge = new LongPollBridge({
baseUrl: 'http://example.invalid',
auth: { crypto, signingPrivateKey: id.signingPrivateKey, address: 'foo' },
pollTimeoutMs: 100,
requestTimeoutMs: 200,
errorBackoffMs: 50,
disableLoop: true,
});
await bridge.connect({ onMessage: () => {} });
expect(getReceiver()).toBe(globalThis);
await bridge.disconnect();
} finally {
restore();
}
});
test('SseBridge default path passes globalThis as `this`', async () => {
// For SSE we only need to know the very first fetch was bound; the
// 200-with-empty-stream response will let openOnce return cleanly,
// and disableAutoReconnect prevents an infinite reconnect loop.
const realFetch = globalThis.fetch;
let observedReceiver: unknown = 'unset';
function strictFetch(this: unknown, _input: unknown, _init?: unknown): Promise<Response> {
observedReceiver = this;
if (this !== globalThis) {
throw new TypeError("Failed to execute 'fetch' on 'Window': Illegal invocation");
}
// Empty SSE-shaped body: stream closes immediately.
return Promise.resolve(
new Response('', {
status: 200,
headers: { 'content-type': 'text/event-stream' },
}),
);
}
Object.defineProperty(globalThis, 'fetch', {
configurable: true,
writable: true,
value: strictFetch,
});
try {
const id = await generateIdentityKeyPair(crypto);
const bridge = new SseBridge({
baseUrl: 'http://example.invalid',
auth: { crypto, signingPrivateKey: id.signingPrivateKey, address: 'foo' },
initialBackoffMs: 50,
maxBackoffMs: 100,
disableAutoReconnect: true,
});
await bridge.connect({ onMessage: () => {} });
expect(observedReceiver).toBe(globalThis);
await bridge.disconnect();
} finally {
Object.defineProperty(globalThis, 'fetch', {
configurable: true,
writable: true,
value: realFetch,
});
}
});
});
// ─── V4.7 — presence events ────────────────────────────────────────
async function registerAddress(
baseUrl: string,
address: string,
identity: Awaited<ReturnType<typeof generateIdentityKeyPair>>,
): Promise<void> {
const body = await signPayload(crypto, identity.signingPrivateKey, {
address,
signingKey: toBase64(identity.signingPublicKey),
});
const res = await fetch(`${baseUrl}/v1/inbox/register`, {
method: 'POST',
headers: { 'content-type': 'application/json' },
body: JSON.stringify(body),
});
expect(res.status).toBe(200);
}
describe('Presence — server emits peer_connected / peer_disconnected', () => {
let h: Harness;
beforeAll(async () => {
h = await bootstrap();
// bootstrap registers bob; alice needs registration too so her bridge
// can authenticate against /v1/bridge/ws.
await registerAddress(h.baseUrl, 'alice', h.alice);
});
afterAll(() => {
h.server.stop(true);
});
test('open + close a WsBridge → events fire on the inbox event bus (acceptance 1)', async () => {
const seen: Array<{ name: string; address: string; bridgeKind: string }> = [];
const off = h.events.on((e) => {
if (e.name === 'inbox.peer_connected' || e.name === 'inbox.peer_disconnected') {
seen.push({
name: e.name,
address: e.data.address,
bridgeKind: e.data.bridgeKind,
});
}
});
try {
const ws = new WsBridge({
baseUrl: h.baseUrl,
auth: { crypto, signingPrivateKey: h.alice.signingPrivateKey, address: 'alice' },
connectTimeoutMs: 2_000,
disableAutoReconnect: true,
});
await ws.connect({ onMessage: () => {} });
await waitFor(() => seen.some((s) => s.name === 'inbox.peer_connected'), 2_000);
await ws.disconnect();
await waitFor(() => seen.some((s) => s.name === 'inbox.peer_disconnected'), 2_000);
expect(seen[0]).toEqual({ name: 'inbox.peer_connected', address: 'alice', bridgeKind: 'ws' });
expect(seen[seen.length - 1]).toEqual({
name: 'inbox.peer_disconnected',
address: 'alice',
bridgeKind: 'ws',
});
} finally {
off();
}
});
});
describe('PresenceBridge — subscribe to remote presence changes', () => {
let h: Harness;
beforeAll(async () => {
h = await bootstrap();
await registerAddress(h.baseUrl, 'alice', h.alice);
});
afterAll(() => {
h.server.stop(true);
});
test('online → offline → online over a single subscription (acceptance 2A + 4)', async () => {
const presence = new PresenceBridge({
baseUrl: h.baseUrl,
crypto,
signingPrivateKey: h.bob.signingPrivateKey,
address: 'bob',
initialBackoffMs: 50,
maxBackoffMs: 200,
});
const changes: PresenceChange[] = [];
const sub = await presence.subscribe({
watch: ['alice'],
onPresenceChange: (e) => {
changes.push(e);
},
});
try {
// Initial snapshot — alice not yet connected.
await waitFor(() => changes.length >= 1, 2_000);
expect(changes[0]!.address).toBe('alice');
expect(changes[0]!.status).toBe('offline');
expect(changes[0]!.via).toBeUndefined();
// Alice opens a WsBridge → bob must see online (acceptance 2A).
const aliceWs = new WsBridge({
baseUrl: h.baseUrl,
auth: { crypto, signingPrivateKey: h.alice.signingPrivateKey, address: 'alice' },
connectTimeoutMs: 2_000,
disableAutoReconnect: true,
});
await aliceWs.connect({ onMessage: () => {} });
await waitFor(
() => changes.some((c) => c.status === 'online' && c.address === 'alice'),
2_000,
);
const onlineFrame = changes.find((c) => c.status === 'online' && c.address === 'alice')!;
expect(onlineFrame.via).toBe('ws');
// Alice's bridge drops → bob must see offline.
await aliceWs.disconnect();
await waitFor(
() =>
changes.filter((c) => c.address === 'alice' && c.status === 'offline').length >= 2,
2_000,
);
// Reconnect: alice reopens → bob sees online again (acceptance 4).
const aliceWs2 = new WsBridge({
baseUrl: h.baseUrl,
auth: { crypto, signingPrivateKey: h.alice.signingPrivateKey, address: 'alice' },
connectTimeoutMs: 2_000,
disableAutoReconnect: true,
});
await aliceWs2.connect({ onMessage: () => {} });
await waitFor(
() => changes.filter((c) => c.address === 'alice' && c.status === 'online').length >= 2,
2_000,
);
await aliceWs2.disconnect();
} finally {
await sub.unsubscribe();
}
});
test('subscription on [alice] does not leak carol (acceptance 3)', async () => {
const carol = await generateIdentityKeyPair(crypto);
await registerAddress(h.baseUrl, 'carol', carol);
const presence = new PresenceBridge({
baseUrl: h.baseUrl,
crypto,
signingPrivateKey: h.bob.signingPrivateKey,
address: 'bob',
initialBackoffMs: 50,
maxBackoffMs: 200,
});
const changes: PresenceChange[] = [];
const sub = await presence.subscribe({
watch: ['alice'],
onPresenceChange: (e) => {
changes.push(e);
},
});
try {
// Drain the initial snapshot for alice.
await waitFor(() => changes.length >= 1, 2_000);
const baseline = changes.length;
// Carol opens a bridge — bob's alice-only subscription must NOT see her.
const carolWs = new WsBridge({
baseUrl: h.baseUrl,
auth: { crypto, signingPrivateKey: carol.signingPrivateKey, address: 'carol' },
connectTimeoutMs: 2_000,
disableAutoReconnect: true,
});
await carolWs.connect({ onMessage: () => {} });
// Give the server time to emit + filter.
await new Promise((r) => setTimeout(r, 250));
await carolWs.disconnect();
await new Promise((r) => setTimeout(r, 100));
const newFrames = changes.slice(baseline);
for (const f of newFrames) {
expect(f.address).toBe('alice');
expect(f.address).not.toBe('carol');
}
} finally {
await sub.unsubscribe();
}
});
test('addPeer / removePeer mutate the watched set via reconnect', async () => {
const carol = await generateIdentityKeyPair(crypto);
await registerAddress(h.baseUrl, 'carol-2', carol);
const presence = new PresenceBridge({
baseUrl: h.baseUrl,
crypto,
signingPrivateKey: h.bob.signingPrivateKey,
address: 'bob',
initialBackoffMs: 50,
maxBackoffMs: 200,
});
const changes: PresenceChange[] = [];
const sub = await presence.subscribe({
watch: ['alice'],
onPresenceChange: (e) => {
changes.push(e);
},
});
try {
await waitFor(() => changes.length >= 1, 2_000);
expect(sub.watching()).toEqual(['alice']);
// Add carol-2 — reconnect should deliver a fresh snapshot that
// includes the new address.
await sub.addPeer('carol-2');
await waitFor(() => changes.some((c) => c.address === 'carol-2'), 2_000);
expect(sub.watching().sort()).toEqual(['alice', 'carol-2']);
const carolWs = new WsBridge({
baseUrl: h.baseUrl,
auth: { crypto, signingPrivateKey: carol.signingPrivateKey, address: 'carol-2' },
connectTimeoutMs: 2_000,
disableAutoReconnect: true,
});
await carolWs.connect({ onMessage: () => {} });
await waitFor(
() => changes.some((c) => c.address === 'carol-2' && c.status === 'online'),
2_000,
);
await carolWs.disconnect();
// removePeer → carol-2 events must stop arriving.
await sub.removePeer('carol-2');
const baseline = changes.filter((c) => c.address === 'carol-2').length;
const carolWs2 = new WsBridge({
baseUrl: h.baseUrl,
auth: { crypto, signingPrivateKey: carol.signingPrivateKey, address: 'carol-2' },
connectTimeoutMs: 2_000,
disableAutoReconnect: true,
});
await carolWs2.connect({ onMessage: () => {} });
await new Promise((r) => setTimeout(r, 250));
await carolWs2.disconnect();
await new Promise((r) => setTimeout(r, 100));
const after = changes.filter((c) => c.address === 'carol-2').length;
expect(after).toBe(baseline);
expect(sub.watching()).toEqual(['alice']);
} finally {
await sub.unsubscribe();
}
});
});
// ─── V4.8 — sender-fingerprint propagation on bridge push ──────────
describe('Sender attribution — bridge push surfaces IncomingMessage.from', () => {
test('SSE push carries from = 8-byte hex of SHA-256(senderSigningKey)', async () => {
const h = await bootstrap();
try {
const received: IncomingMessage[] = [];
const bridge = new SseBridge({
baseUrl: h.baseUrl,
auth: bobAuth(h),
initialBackoffMs: 50,
maxBackoffMs: 200,
disableAutoReconnect: true,
});
await bridge.connect({ onMessage: (m) => received.push(m) });
try {
await putBlob(h, rand(48));
await waitFor(() => received.length === 1, 5_000);
const fp = received[0]!.from;
expect(fp).toMatch(/^[0-9a-f]{16}$/);
const digest = await globalThis.crypto.subtle.digest(
'SHA-256',
h.alice.signingPublicKey as unknown as ArrayBuffer,
);
const expected = Array.from(new Uint8Array(digest).slice(0, 8), (b) =>
b.toString(16).padStart(2, '0'),
).join('');
expect(fp).toBe(expected);
} finally {
await bridge.disconnect();
}
} finally {
h.server.stop(true);
}
});
test('WS push carries from likewise', async () => {
const h = await bootstrap();
try {
const received: IncomingMessage[] = [];
const bridge = new WsBridge({
baseUrl: h.baseUrl,
auth: bobAuth(h),
connectTimeoutMs: 2_000,
disableAutoReconnect: true,
});
await bridge.connect({ onMessage: (m) => received.push(m) });
try {
await putBlob(h, rand(48));
await waitFor(() => received.length === 1, 5_000);
expect(received[0]!.from).toMatch(/^[0-9a-f]{16}$/);
} finally {
await bridge.disconnect();
}
} finally {
h.server.stop(true);
}
});
test('long-poll push carries from likewise', async () => {
const h = await bootstrap();
try {
const received: IncomingMessage[] = [];
const bridge = new LongPollBridge({
baseUrl: h.baseUrl,
auth: bobAuth(h),
pollTimeoutMs: 500,
requestTimeoutMs: 1_500,
errorBackoffMs: 50,
});
await bridge.connect({ onMessage: (m) => received.push(m) });
try {
await putBlob(h, rand(48));
await waitFor(() => received.length === 1, 5_000);
expect(received[0]!.from).toMatch(/^[0-9a-f]{16}$/);
} finally {
await bridge.disconnect();
}
} finally {
h.server.stop(true);
}
});
});
// ─── V4.8.2 — per-connection msgId dedup (Prism FR: duplicate fan-out) ─
describe('Bridge dedup — single PUT yields exactly one push per connection', () => {
test('WS: storming inbox.blob_stored does not duplicate frames for one msgId', async () => {
const h = await bootstrap();
try {
const received: IncomingMessage[] = [];
const bridge = new WsBridge({
baseUrl: h.baseUrl,
auth: bobAuth(h),
connectTimeoutMs: 2_000,
disableAutoReconnect: true,
});
await bridge.connect({ onMessage: (m) => received.push(m) });
try {
// One real PUT + replay the inbox.blob_stored event ten times to
// simulate any future code path (or external bug) that double-
// fires the trigger. The cursor in flushTo would already cover
// the happy case, but the per-connection LRU is the explicit
// dedup gate that survives even if cursor logic regresses.
const msgId = await putBlob(h, rand(48));
for (let i = 0; i < 10; i++) {
h.events.emit('inbox.blob_stored', {
address: 'bob',
msgId,
bytes: 48,
ttlSeconds: 60,
});
}
await waitFor(() => received.length >= 1, 2_000);
// Give any stragglers a chance to arrive and inflate the count.
await new Promise((r) => setTimeout(r, 250));
expect(received.length).toBe(1);
expect(received[0]!.msgId).toBe(msgId);
} finally {
await bridge.disconnect();
}
} finally {
h.server.stop(true);
}
});
test('SSE: same dedup contract', async () => {
const h = await bootstrap();
try {
const received: IncomingMessage[] = [];
const bridge = new SseBridge({
baseUrl: h.baseUrl,
auth: bobAuth(h),
initialBackoffMs: 50,
maxBackoffMs: 200,
disableAutoReconnect: true,
});
await bridge.connect({ onMessage: (m) => received.push(m) });
try {
const msgId = await putBlob(h, rand(48));
for (let i = 0; i < 10; i++) {
h.events.emit('inbox.blob_stored', {
address: 'bob',
msgId,
bytes: 48,
ttlSeconds: 60,
});
}
await waitFor(() => received.length >= 1, 2_000);
await new Promise((r) => setTimeout(r, 250));
expect(received.length).toBe(1);
expect(received[0]!.msgId).toBe(msgId);
} finally {
await bridge.disconnect();
}
} finally {
h.server.stop(true);
}
});
});

2
packages/shade-transport-webrtc/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/transport-webrtc",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

2
packages/shade-transport/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/transport",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

2
packages/shade-widgets/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@shade/widgets",
"version": "4.2.0",
"version": "4.8.2",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",

1
scripts/publish-all.ts
View File

@@ -29,6 +29,7 @@ const PACKAGES = [
'shade-key-transparency',
'shade-storage-sqlite',
'shade-storage-postgres',
'shade-storage-indexeddb',
'shade-storage-encrypted',
'shade-streams',
'shade-transport',

1
scripts/publish-shade.sh
View File

@@ -15,6 +15,7 @@ PACKAGES=(
key-transparency
storage-sqlite
storage-postgres
storage-indexeddb
storage-encrypted
streams
transport