Sterister
dbb3a090d8
Expose the local device's 32-byte Ed25519 identity public key on Shade so apps can hand it to their own backend at enrollment time for signature verification, key pinning or per-device safety-number computation. Closes the gap that forced consumers to ship placeholder random bytes their backend could store but never verify against. - @shade/sdk Shade.identityPublicKey: Promise<Uint8Array> — getter mirrors the existing fingerprint accessor. Throws pre-init, reflects the current key after rotate(), retired key preserved in retired-identities storage per existing grace-period contract. Private key remains unreachable. - Test in shade-sdk/tests/sdk.test.ts: round-trip match against the underlying storage's signingPublicKey, plus value updates after rotate(). - Lockstep version bump 4.3.0 → 4.4.0 across all 25 packages. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@shade/observer
Live observability backend for Shade — exposes a snapshot endpoint, an SSE event stream, and serves the bundled dashboard SPA.
Install
bun add @shade/observer @shade/server @shade/core
Usage
import { createObserver } from '@shade/observer';
import { ShadeEventEmitter, ShadeSessionManager } from '@shade/core';
import { PrekeyServerEvents, createPrekeyServer } from '@shade/server';
// 1. Create event emitters
const clientEvents = new ShadeEventEmitter();
const serverEvents = new PrekeyServerEvents();
// 2. Wire them into your session manager and prekey server
const manager = new ShadeSessionManager(crypto, storage, { events: clientEvents });
const prekeyServer = createPrekeyServer({ crypto, events: serverEvents });
// 3. Create the observer
const observer = createObserver({
token: process.env.SHADE_OBSERVER_TOKEN!,
clientEvents,
serverEvents,
});
// 4. Mount or serve standalone
import { Hono } from 'hono';
const app = new Hono();
app.route('/shade-observer', observer);
Bun.serve({ port: 3900, fetch: app.fetch });
After this, visit http://localhost:3900/shade-observer/dashboard/ and enter your bearer token to see the dashboard.
Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/state |
Bearer | Current snapshot (identity, sessions, prekeys, server stats) |
| GET | /api/events |
Bearer (or ?token=) |
SSE stream of live events |
| GET | /dashboard/ |
None | Bundled web UI |
| GET | /health |
None | Liveness check |
Configuration
| Env var | Required | Description |
|---|---|---|
SHADE_OBSERVER_TOKEN |
Yes | Bearer token (min 16 chars). Refuses to start if shorter. |
The token is checked with constant-time comparison.
Security notes
- Event payloads contain NO key material, plaintext, or signatures — only structural facts (counters, addresses, short hashes for display).
- The observer is intended for internal/debugging use. Put it behind a reverse proxy and authenticate access.
- The dashboard stores the bearer token in
localStoragefor convenience. Don't load the dashboard on shared computers.