Sterister
e6fdf31b49
Some checks failed
Test / test (push) Has been cancelled
Cross-platform vectors / TypeScript vectors (bun) (push) Has been cancelled
Cross-platform vectors / Kotlin vectors (gradle) (push) Has been cancelled
Docker build and publish / docker (push) Has been cancelled
Publish / publish (push) Has been cancelled
V3.1 → V3.12 consolidated and tagged for the first GA release. Wire format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers byte-for-byte. The version bump is semantic: audit-cycle complete, opt-in surface fully exposed, threat model refreshed for every new surface. Highlights: - All 24 @shade/* packages bumped to 4.0.0 in lockstep. - CHANGELOG 4.0.0 section is the canonical manifest of what landed. - THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12 Web-Worker boundary) + residual-risks table refreshed. - OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox, bridge, observer, /metrics, /healthz, /ready. - MIGRATION 0.3.x → 4.0 documented + smoke-tested against shade migrate-storage on a real SQLite DB. - docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer. - scripts/soak.ts harness for the GA-stable 2-week soak window. - All V*.md plans archived under docs/archive/ with Status: Done. - Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen non-realtime stack. Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green. Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports version 4.0.0 on /health. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
75 lines
2.6 KiB
TypeScript
75 lines
2.6 KiB
TypeScript
import { Hono } from 'hono';
|
|
import { ValidationError } from '@shade/core';
|
|
import type { KeyTransparencyService } from './kt-integration.js';
|
|
import { encodeSthForWire } from './kt-integration.js';
|
|
|
|
/**
|
|
* Mountable routes that expose the KT log to clients and witnesses.
|
|
*
|
|
* GET /v1/kt/log_id — public-key + log_id (operator pinning)
|
|
* GET /v1/kt/sth — latest signed tree head
|
|
* GET /v1/kt/sth/:treeSize — historical STH at a specific tree_size
|
|
* GET /v1/kt/consistency — consistency proof between two tree_sizes
|
|
*
|
|
* These are intentionally **anonymous & read-only** so witnesses can
|
|
* poll without sharing identity. Rate-limiting is the prekey-server's
|
|
* existing fetch RL bucket.
|
|
*/
|
|
export function createKTRoutes(svc: KeyTransparencyService): Hono {
|
|
const app = new Hono();
|
|
|
|
app.get('/log_id', (c) => {
|
|
const logId = svc.getLogId();
|
|
const pub = svc.getSigningPublicKey();
|
|
return c.json({
|
|
logId: Buffer.from(logId).toString('base64'),
|
|
publicKey: Buffer.from(pub).toString('base64'),
|
|
});
|
|
});
|
|
|
|
app.get('/sth', async (c) => {
|
|
const sth = await svc.getLatestSTH();
|
|
return c.json(encodeSthForWire(sth));
|
|
});
|
|
|
|
app.get('/sth/:treeSize', async (c) => {
|
|
const sizeRaw = c.req.param('treeSize');
|
|
const size = Number(sizeRaw);
|
|
if (!Number.isFinite(size) || size < 0 || size !== Math.floor(size)) {
|
|
throw new ValidationError('treeSize must be a non-negative integer');
|
|
}
|
|
const sth = await svc.getSTHByTreeSize(size);
|
|
if (!sth) {
|
|
return c.json({ error: 'STH not found at that tree_size', code: 'SHADE_NOT_FOUND' }, 404);
|
|
}
|
|
return c.json(encodeSthForWire(sth));
|
|
});
|
|
|
|
app.get('/consistency', async (c) => {
|
|
const fromRaw = c.req.query('from');
|
|
const toRaw = c.req.query('to');
|
|
if (fromRaw === undefined) {
|
|
throw new ValidationError('from query param required');
|
|
}
|
|
const from = Number(fromRaw);
|
|
if (!Number.isFinite(from) || from < 0 || from !== Math.floor(from)) {
|
|
throw new ValidationError('from must be a non-negative integer');
|
|
}
|
|
let to: number | undefined;
|
|
if (toRaw !== undefined) {
|
|
to = Number(toRaw);
|
|
if (!Number.isFinite(to) || to < from || to !== Math.floor(to)) {
|
|
throw new ValidationError('to must be an integer >= from');
|
|
}
|
|
}
|
|
const result = await svc.buildConsistencyProof(from, to);
|
|
return c.json({
|
|
fromTreeSize: result.fromTreeSize,
|
|
toTreeSize: result.toTreeSize,
|
|
proof: result.proof.map((p) => Buffer.from(p).toString('base64')),
|
|
});
|
|
});
|
|
|
|
return app;
|
|
}
|