0 Releases 9 Tags

RSS Feed

• v4.11.0 037f994572

  Compare

  release(v4.11.0): streaming Double-Ratchet sub-sessions (ShadeStream)

  Stian released this 2026-05-15 11:29:09 +02:00 | 1 commits to main since this release

  Answers Vyvern FR shade-ws-streaming-ratchet.md with a first-class
  streaming-session API rather than the documented-contract fallback.
  The Double-Ratchet crypto was already safe for high-frequency
  one-directional use; the send/receive wrapper was not (per-frame
  saveSession keystore write; shared per-peer mutex + single stored
  session row coupling reuse to the HTTP path).

  • @shade/core: stream.ts — identity-bound 3-DH seeding (X3DH-minus-
    prekeys, no prekey-server round trip, mutually authenticated against
    the parent session's pinned identities), bootstrapStreamSession
    reusing init{Sender,Receiver}Session verbatim, in-memory-only
    StreamRatchet (own op-mutex, never persisted, zeroized on close).
    beginStream/acceptStream on ShadeSessionManager; Stream{Closed,
    Handshake}Error; stream.opened/closed events.
  • @shade/proto: STREAM_OPEN/OPEN_ACK/FRAME wire (0x31/0x32/0x33),
    additive; inspectEnvelopeType extended.
  • @shade/sdk: Shade.openStream/acceptStream → ShadeStream
    (handshakeFrame/handleHandshake/seal/open/close), transport-
    agnostic, independent of encrypt/decrypt queues + parent session,
    identical server (sqlite:) and browser (IndexedDB) — touches no
    storage.
  • Tests: 5000-frame one-directional burst (bounded skipped keys + FS
    zeroize), parent-session independence, replay/rewind rejection,
    mutual-auth, proto wire round-trips. Full suite green (1159 pass).
  • docs/streaming-sessions.md (R1–R7 contract); SECURITY.md matrix rows.

  Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)