Sterister
1fb59a7076
Two unblocking changes for first-contact flows.
Sender attribution: relay captures shortHash(senderSigningKey) at
PUT time (after signature verification, no new trust surface) and
surfaces it on bridge push (IncomingMessage.from) + inbox-fetch
(FetchedBlob.from) + DecryptHandler raw arg. Apps receiving a prekey
envelope from a never-before-seen peer can now bootstrap X3DH via
shade.receive('fp:<hex>', env) — pre-4.8 the wire envelope didn't
authenticate the sender and there was no out-of-band hint to use.
Idempotent ALTER TABLE migrations for SQLite + Postgres add a
sender_fp TEXT column; legacy rows surface as from=undefined
(inter-version compat).
Inbox.start() race: pre-4.8 start() called register() fire-and-forget
AND schedulePoll(0) synchronously, so the first poll on a fresh
address often beat the register HTTP RTT and got SHADE_NOT_FOUND.
start() now defers; register() success kicks schedulePoll(0). Manual
tick() is unaffected (deliberate user action, no gating).
Both reported by Prism. Tests cover all five acceptance criteria
from the sender-attribution request (PUT capture, bridge surface,
fetch surface, inter-version compat, end-to-end pair smoke) plus
the three from the race-fix request.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@shade/observer
Live observability backend for Shade — exposes a snapshot endpoint, an SSE event stream, and serves the bundled dashboard SPA.
Install
bun add @shade/observer @shade/server @shade/core
Usage
import { createObserver } from '@shade/observer';
import { ShadeEventEmitter, ShadeSessionManager } from '@shade/core';
import { PrekeyServerEvents, createPrekeyServer } from '@shade/server';
// 1. Create event emitters
const clientEvents = new ShadeEventEmitter();
const serverEvents = new PrekeyServerEvents();
// 2. Wire them into your session manager and prekey server
const manager = new ShadeSessionManager(crypto, storage, { events: clientEvents });
const prekeyServer = createPrekeyServer({ crypto, events: serverEvents });
// 3. Create the observer
const observer = createObserver({
token: process.env.SHADE_OBSERVER_TOKEN!,
clientEvents,
serverEvents,
});
// 4. Mount or serve standalone
import { Hono } from 'hono';
const app = new Hono();
app.route('/shade-observer', observer);
Bun.serve({ port: 3900, fetch: app.fetch });
After this, visit http://localhost:3900/shade-observer/dashboard/ and enter your bearer token to see the dashboard.
Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/state |
Bearer | Current snapshot (identity, sessions, prekeys, server stats) |
| GET | /api/events |
Bearer (or ?token=) |
SSE stream of live events |
| GET | /dashboard/ |
None | Bundled web UI |
| GET | /health |
None | Liveness check |
Configuration
| Env var | Required | Description |
|---|---|---|
SHADE_OBSERVER_TOKEN |
Yes | Bearer token (min 16 chars). Refuses to start if shorter. |
The token is checked with constant-time comparison.
Security notes
- Event payloads contain NO key material, plaintext, or signatures — only structural facts (counters, addresses, short hashes for display).
- The observer is intended for internal/debugging use. Put it behind a reverse proxy and authenticate access.
- The dashboard stores the bearer token in
localStoragefor convenience. Don't load the dashboard on shared computers.