Shade/packages/shade-transport-webrtc
Sterister 037f994572
release(v4.11.0): streaming Double-Ratchet sub-sessions (ShadeStream)
Answers Vyvern FR shade-ws-streaming-ratchet.md with a first-class
streaming-session API rather than the documented-contract fallback.
The Double-Ratchet crypto was already safe for high-frequency
one-directional use; the send/receive wrapper was not (per-frame
saveSession keystore write; shared per-peer mutex + single stored
session row coupling reuse to the HTTP path).

- @shade/core: stream.ts — identity-bound 3-DH seeding (X3DH-minus-
  prekeys, no prekey-server round trip, mutually authenticated against
  the parent session's pinned identities), bootstrapStreamSession
  reusing init{Sender,Receiver}Session verbatim, in-memory-only
  StreamRatchet (own op-mutex, never persisted, zeroized on close).
  beginStream/acceptStream on ShadeSessionManager; Stream{Closed,
  Handshake}Error; stream.opened/closed events.
- @shade/proto: STREAM_OPEN/OPEN_ACK/FRAME wire (0x31/0x32/0x33),
  additive; inspectEnvelopeType extended.
- @shade/sdk: Shade.openStream/acceptStream → ShadeStream
  (handshakeFrame/handleHandshake/seal/open/close), transport-
  agnostic, independent of encrypt/decrypt queues + parent session,
  identical server (sqlite:) and browser (IndexedDB) — touches no
  storage.
- Tests: 5000-frame one-directional burst (bounded skipped keys + FS
  zeroize), parent-session independence, replay/rewind rejection,
  mutual-auth, proto wire round-trips. Full suite green (1159 pass).
- docs/streaming-sessions.md (R1–R7 contract); SECURITY.md matrix rows.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 11:29:09 +02:00

@shade/transport-webrtc

V3.11 — direct peer-to-peer chunk transport for Shade transfers via RTCDataChannel. Plugs into @shade/transfer's ITransferTransport contract and wires automatically into @shade/sdk via shade.configureWebRTC().

import { createShade } from '@shade/sdk';
import { nativeRtcFactory } from '@shade/transport-webrtc';

// prekeyServer, resolveBaseUrl and file are supplied by the application.
const shade = await createShade({ prekeyServer });
// Register the standard-API WebRTC adapter, then enable transfers.
shade.configureWebRTC({ factory: nativeRtcFactory() });
shade.configureTransfers({ resolveBaseUrl });

await shade.upload({ to: 'bob', input: file });    // → P2P when NAT allows,
                                                    //   HTTP otherwise.

See docs/webrtc.md for the full guide: NAT-traversal realities, TURN config, glare resolution, wire format, diagnostics, and end-to-end test recipes.

What's inside

  • WebRtcConnection — one peer connection between two Shade endpoints, driving offer/answer/ICE through Shade's own ratchet.
  • WebRtcConnectionManager — per-peer pool with deterministic glare resolution.
  • WebRtcSignalingChannel — JSON signaling messages multiplexed over Shade.send / Shade.onMessage.
  • WebRtcTransferTransport — implements ITransferTransport over the managed DataChannel; ack-correlated by 16-byte requestId tokens.
  • MemoryRtcFactory — in-process WebRTC simulator for tests.
  • nativeRtcFactory() — adapter over globalThis.RTCPeerConnection (browsers / Deno / Cloudflare Workers).

Adapters

@shade/transport-webrtc ships only the standard-API adapter (nativeRtcFactory). For Bun / Node, wrap your library of choice behind the IRtcFactory interface — only createPeerConnection, createDataChannel, and standard addEventListener are required.
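
The wrapping described above, as an added example that is not code from this package: a Node/Bun binding that exposes emitter-style on(name, cb) callbacks is bridged to the three members named. The interface shapes, FakeNative, the event-name maps and emitterRtcFactory are hypothetical; check the package's actual IRtcFactory typings before relying on them.

```typescript
// Assumed shapes, inferred from the three members the README names;
// the package's real IRtcFactory typings may differ.
type RtcEvent = { type: string; [field: string]: unknown };
type Listener = (ev: RtcEvent) => void;
interface Target { addEventListener(type: string, fn: Listener): void }
interface Peer extends Target { createDataChannel(label: string): Target }
interface RtcFactoryLike { createPeerConnection(config?: object): Peer }

// Constructed stand-in for a Node/Bun WebRTC binding that exposes
// emitter-style on(name, cb) callbacks instead of addEventListener.
class FakeNative {
  channel?: FakeNative;
  private cbs: Record<string, Array<(p: unknown) => void>> = Object.create(null);
  on(name: string, cb: (p: unknown) => void): void {
    (this.cbs[name] = this.cbs[name] || []).push(cb);
  }
  emit(name: string, p: unknown): void {
    (this.cbs[name] || []).forEach((cb) => cb(p));
  }
  createDataChannel(_label: string): FakeNative { return (this.channel = new FakeNative()); }
}

// Standard event name -> [native callback name, event field for the payload].
type EventMap = Record<string, [string, string]>;
const PEER_EVENTS: EventMap = { icecandidate: ['localCandidate', 'candidate'] };
const CHANNEL_EVENTS: EventMap = { open: ['open', 'detail'], message: ['message', 'data'] };

// Expose a native emitter as an addEventListener target. Unmapped names
// (including inherited keys such as "constructor") throw at registration,
// so a misspelled event fails loudly instead of never firing.
function bridge(native: FakeNative, map: EventMap): Target {
  return {
    addEventListener(type: string, fn: Listener): void {
      if (!Object.prototype.hasOwnProperty.call(map, type)) throw new Error('unsupported event: ' + type);
      const [nativeName, field] = map[type] as [string, string];
      native.on(nativeName, (p) => fn({ type, [field]: p }));
    },
  };
}

// Hypothetical adapter; makeNative constructs the wrapped library's peer object.
function emitterRtcFactory(makeNative: () => FakeNative): RtcFactoryLike {
  return {
    createPeerConnection(_config?: object): Peer {
      const native = makeNative();
      return {
        addEventListener: bridge(native, PEER_EVENTS).addEventListener,
        createDataChannel: (label: string) => bridge(native.createDataChannel(label), CHANNEL_EVENTS),
      };
    },
  };
}
```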

Recommended adapters: