@abraca/dabra 1.0.3 → 1.0.5

package/dist/abracadabra-provider.cjs

@@ -1908,7 +1908,6 @@ var AbracadabraWS = class extends EventEmitter {
 		if (this.connectionAttempt) this.rejectConnectionAttempt();
 		this.status = WebSocketStatus.Disconnected;
 		this.emit("status", { status: WebSocketStatus.Disconnected });
-		console.log("[DEBUG] onClose event:", typeof event, JSON.stringify(event), "code:", event?.code);
 		const isRateLimited = event?.code === 4429 || event === 4429;
 		this.emit("disconnect", { event });
 		if (isRateLimited) this.emit("rateLimited");
@@ -2966,7 +2965,7 @@ var AbracadabraProvider = class AbracadabraProvider extends AbracadabraBaseProvi
 		const childProvider = new AbracadabraProvider({
 			name: childId,
 			document: childDoc,
-			url: this.abracadabraConfig.url ?? this.configuration.websocketProvider?.url,
+			websocketProvider: this.configuration.websocketProvider,
 			token: this.configuration.token,
 			subdocLoading: this.subdocLoading,
 			disableOfflineStore: this.abracadabraConfig.disableOfflineStore,
@@ -2976,6 +2975,7 @@ var AbracadabraProvider = class AbracadabraProvider extends AbracadabraBaseProvi
 			docKeyManager: this.abracadabraConfig.docKeyManager,
 			keystore: this.abracadabraConfig.keystore
 		});
+		childProvider.attach();
 		this.childProviders.set(childId, childProvider);
 		this.emit("subdocLoaded", {
 			childId,
@@ -6944,7 +6944,7 @@ function fromBase64url(b64) {
 const DB_NAME = "abracadabra:identity";
 const STORE_NAME = "identity";
 const RECORD_KEY = "current";
-const HKDF_INFO$1 = new TextEncoder().encode("abracadabra-identity-v1");
+const HKDF_INFO$2 = new TextEncoder().encode("abracadabra-identity-v1");
 function openDb$4() {
 	return new Promise((resolve, reject) => {
 		const req = indexedDB.open(DB_NAME, 1);
@@ -6977,7 +6977,7 @@ async function dbDelete(db) {
 	});
 }
 async function deriveAesKey(prfOutput, salt) {
-	const keyBytes = hkdf(sha256, new Uint8Array(prfOutput), salt, HKDF_INFO$1, 32);
+	const keyBytes = hkdf(sha256, new Uint8Array(prfOutput), salt, HKDF_INFO$2, 32);
 	return crypto.subtle.importKey("raw", keyBytes, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
 }
 var CryptoIdentityKeystore = class {
@@ -7694,7 +7694,7 @@ var FileBlobStore = class extends EventEmitter {
 * Manages AES-256-GCM document keys for CSE and E2E encrypted documents.
 * Keys are wrapped per-user using X25519 ECDH + HKDF-SHA256 + AES-256-GCM.
 */
-const HKDF_INFO = new TextEncoder().encode("abracadabra-dockey-v1");
+const HKDF_INFO$1 = new TextEncoder().encode("abracadabra-dockey-v1");
 function fromBase64$1(b64) {
 	return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
 }
@@ -7738,7 +7738,7 @@ var DocKeyManager = class {
 	async wrapKeyForRecipient(docKey, recipientX25519PubKey, docId) {
 		const ephemeralPriv = crypto.getRandomValues(new Uint8Array(32));
 		const ephemeralPub = x25519.getPublicKey(ephemeralPriv);
-		const keyBytes = hkdf(sha256, x25519.getSharedSecret(ephemeralPriv, recipientX25519PubKey), new TextEncoder().encode(docId), HKDF_INFO, 32);
+		const keyBytes = hkdf(sha256, x25519.getSharedSecret(ephemeralPriv, recipientX25519PubKey), new TextEncoder().encode(docId), HKDF_INFO$1, 32);
 		const wrapKey = await crypto.subtle.importKey("raw", keyBytes, { name: "AES-GCM" }, false, ["encrypt"]);
 		const rawDocKey = await crypto.subtle.exportKey("raw", docKey);
 		const nonce = crypto.getRandomValues(new Uint8Array(12));
@@ -7756,7 +7756,7 @@ var DocKeyManager = class {
 		const ephemeralPub = wrapped.slice(0, 32);
 		const nonce = wrapped.slice(32, 44);
 		const ciphertext = wrapped.slice(44);
-		const keyBytes = hkdf(sha256, x25519.getSharedSecret(recipientX25519PrivKey, ephemeralPub), new TextEncoder().encode(docId), HKDF_INFO, 32);
+		const keyBytes = hkdf(sha256, x25519.getSharedSecret(recipientX25519PrivKey, ephemeralPub), new TextEncoder().encode(docId), HKDF_INFO$1, 32);
 		const wrapKey = await crypto.subtle.importKey("raw", keyBytes, { name: "AES-GCM" }, false, ["decrypt"]);
 		const rawDocKey = await crypto.subtle.decrypt({
 			name: "AES-GCM",
@@ -8748,15 +8748,23 @@ const SHA256_BYTES = 32;
 
 //#endregion
 //#region packages/provider/src/webrtc/DataChannelRouter.ts
+/** Name of the data channel used for E2EE key exchange. */
+const KEY_EXCHANGE_CHANNEL = "key-exchange";
 var DataChannelRouter = class extends EventEmitter {
 	constructor(connection) {
 		super();
 		this.connection = connection;
 		this.channels = /* @__PURE__ */ new Map();
+		this.encryptor = null;
+		this.plaintextChannels = new Set([KEY_EXCHANGE_CHANNEL]);
 		this.connection.ondatachannel = (event) => {
 			this.registerChannel(event.channel);
 		};
 	}
+	/** Attach an E2EE encryptor. All channels (except key-exchange) will be encrypted. */
+	setEncryptor(encryptor) {
+		this.encryptor = encryptor;
+	}
 	/** Create a named data channel (initiator side). */
 	createChannel(name, options) {
 		const channel = this.connection.createDataChannel(name, options);
@@ -8772,12 +8780,35 @@ var DataChannelRouter = class extends EventEmitter {
 		});
 		if (opts.enableFileTransfer) this.createChannel(CHANNEL_NAMES.FILE_TRANSFER, { ordered: true });
 	}
+	/**
+	* Create namespaced channels for a child/subdocument.
+	* Channel names are prefixed with `{childId}:` to avoid collisions.
+	*/
+	createSubdocChannels(childId, opts) {
+		if (opts.enableDocSync) this.createChannel(`${childId}:${CHANNEL_NAMES.YJS_SYNC}`, { ordered: true });
+		if (opts.enableAwareness) this.createChannel(`${childId}:${CHANNEL_NAMES.AWARENESS}`, {
+			ordered: false,
+			maxRetransmits: 0
+		});
+	}
 	getChannel(name) {
 		return this.channels.get(name) ?? null;
 	}
 	isOpen(name) {
 		return this.channels.get(name)?.readyState === "open";
 	}
+	/**
+	* Send data on a named channel, encrypting if E2EE is active.
+	* Falls back to plaintext if no encryptor is set or for exempt channels.
+	*/
+	async send(name, data) {
+		const channel = this.channels.get(name);
+		if (!channel || channel.readyState !== "open") return;
+		if (this.encryptor?.isEstablished && !this.plaintextChannels.has(name)) {
+			const encrypted = await this.encryptor.encrypt(data);
+			channel.send(encrypted);
+		} else channel.send(data);
+	}
 	registerChannel(channel) {
 		channel.binaryType = "arraybuffer";
 		this.channels.set(channel.label, channel);
@@ -8791,10 +8822,22 @@ var DataChannelRouter = class extends EventEmitter {
 			this.emit("channelClose", { name: channel.label });
 			this.channels.delete(channel.label);
 		};
-		channel.onmessage = (event) => {
+		channel.onmessage = async (event) => {
+			const name = channel.label;
+			let data = event.data;
+			if (this.encryptor?.isEstablished && !this.plaintextChannels.has(name) && (data instanceof ArrayBuffer || data instanceof Uint8Array)) try {
+				const buf = data instanceof ArrayBuffer ? new Uint8Array(data) : data;
+				data = await this.encryptor.decrypt(buf);
+			} catch (err) {
+				this.emit("channelError", {
+					name,
+					error: err
+				});
+				return;
+			}
 			this.emit("channelMessage", {
-				name: channel.label,
-				data: event.data
+				name,
+				data
 			});
 		};
 		channel.onerror = (event) => {
@@ -8922,7 +8965,13 @@ var PeerConnection = class extends EventEmitter {
 * prevent echo loops with the server-based provider.
 */
 var YjsDataChannel = class {
-	constructor(document, awareness, router) {
+	/**
+	* @param document - The Y.Doc to sync
+	* @param awareness - Optional Awareness instance
+	* @param router - DataChannelRouter for the peer connection
+	* @param channelPrefix - Optional prefix for subdocument channels (e.g. `"{childId}:"`)
+	*/
+	constructor(document, awareness, router, channelPrefix) {
 		this.document = document;
 		this.awareness = awareness;
 		this.router = router;
@@ -8930,52 +8979,49 @@ var YjsDataChannel = class {
 		this.awarenessUpdateHandler = null;
 		this.channelOpenHandler = null;
 		this.channelMessageHandler = null;
+		const prefix = channelPrefix ?? "";
+		this.syncChannelName = `${prefix}${CHANNEL_NAMES.YJS_SYNC}`;
+		this.awarenessChannelName = `${prefix}${CHANNEL_NAMES.AWARENESS}`;
 	}
 	/** Start listening for Y.js updates and data channel messages. */
 	attach() {
 		this.docUpdateHandler = (update, origin) => {
 			if (origin === this) return;
-			const channel = this.router.getChannel(CHANNEL_NAMES.YJS_SYNC);
-			if (!channel || channel.readyState !== "open") return;
+			if (!this.router.isOpen(this.syncChannelName)) return;
 			const encoder = createEncoder();
 			writeVarUint(encoder, YJS_MSG.UPDATE);
 			writeVarUint8Array(encoder, update);
-			channel.send(toUint8Array(encoder));
+			this.router.send(this.syncChannelName, toUint8Array(encoder));
 		};
 		this.document.on("update", this.docUpdateHandler);
 		if (this.awareness) {
 			this.awarenessUpdateHandler = ({ added, updated, removed }, _origin) => {
-				const channel = this.router.getChannel(CHANNEL_NAMES.AWARENESS);
-				if (!channel || channel.readyState !== "open") return;
+				if (!this.router.isOpen(this.awarenessChannelName)) return;
 				const changedClients = added.concat(updated).concat(removed);
 				const update = encodeAwarenessUpdate(this.awareness, changedClients);
-				channel.send(update);
+				this.router.send(this.awarenessChannelName, update);
 			};
 			this.awareness.on("update", this.awarenessUpdateHandler);
 		}
 		this.channelMessageHandler = ({ name, data }) => {
-			if (name === CHANNEL_NAMES.YJS_SYNC) this.handleSyncMessage(data);
-			else if (name === CHANNEL_NAMES.AWARENESS) this.handleAwarenessMessage(data);
+			if (name === this.syncChannelName) this.handleSyncMessage(data);
+			else if (name === this.awarenessChannelName) this.handleAwarenessMessage(data);
 		};
 		this.router.on("channelMessage", this.channelMessageHandler);
 		this.channelOpenHandler = ({ name }) => {
-			if (name === CHANNEL_NAMES.YJS_SYNC) this.sendSyncStep1();
-			else if (name === CHANNEL_NAMES.AWARENESS && this.awareness) {
-				const channel = this.router.getChannel(CHANNEL_NAMES.AWARENESS);
-				if (channel?.readyState === "open") {
+			if (name === this.syncChannelName) this.sendSyncStep1();
+			else if (name === this.awarenessChannelName && this.awareness) {
+				if (this.router.isOpen(this.awarenessChannelName)) {
 					const update = encodeAwarenessUpdate(this.awareness, Array.from(this.awareness.getStates().keys()));
-					channel.send(update);
+					this.router.send(this.awarenessChannelName, update);
 				}
 			}
 		};
 		this.router.on("channelOpen", this.channelOpenHandler);
-		if (this.router.isOpen(CHANNEL_NAMES.YJS_SYNC)) this.sendSyncStep1();
-		if (this.awareness && this.router.isOpen(CHANNEL_NAMES.AWARENESS)) {
-			const channel = this.router.getChannel(CHANNEL_NAMES.AWARENESS);
-			if (channel?.readyState === "open") {
-				const update = encodeAwarenessUpdate(this.awareness, Array.from(this.awareness.getStates().keys()));
-				channel.send(update);
-			}
+		if (this.router.isOpen(this.syncChannelName)) this.sendSyncStep1();
+		if (this.awareness && this.router.isOpen(this.awarenessChannelName)) {
+			const update = encodeAwarenessUpdate(this.awareness, Array.from(this.awareness.getStates().keys()));
+			this.router.send(this.awarenessChannelName, update);
 		}
 	}
 	/** Stop listening and clean up handlers. */
@@ -9002,12 +9048,11 @@ var YjsDataChannel = class {
 		this.detach();
 	}
 	sendSyncStep1() {
-		const channel = this.router.getChannel(CHANNEL_NAMES.YJS_SYNC);
-		if (!channel || channel.readyState !== "open") return;
+		if (!this.router.isOpen(this.syncChannelName)) return;
 		const encoder = createEncoder();
 		writeVarUint(encoder, YJS_MSG.SYNC);
 		writeSyncStep1(encoder, this.document);
-		channel.send(toUint8Array(encoder));
+		this.router.send(this.syncChannelName, toUint8Array(encoder));
 	}
 	handleSyncMessage(data) {
 		const buf = data instanceof ArrayBuffer ? new Uint8Array(data) : data;
@@ -9020,8 +9065,7 @@ var YjsDataChannel = class {
 				const responseEncoder = createEncoder();
 				writeVarUint(responseEncoder, YJS_MSG.SYNC);
 				writeUint8Array(responseEncoder, toUint8Array(encoder));
-				const channel = this.router.getChannel(CHANNEL_NAMES.YJS_SYNC);
-				if (channel?.readyState === "open") channel.send(toUint8Array(responseEncoder));
+				if (this.router.isOpen(this.syncChannelName)) this.router.send(this.syncChannelName, toUint8Array(responseEncoder));
 			}
 			if (syncMessageType === messageYjsSyncStep2) this.isSynced = true;
 		} else if (msgType === YJS_MSG.UPDATE) {
@@ -9271,6 +9315,136 @@ function constantTimeEqual(a, b) {
 	return result === 0;
 }
 
+//#endregion
+//#region packages/provider/src/webrtc/E2EEChannel.ts
+/**
+* E2EEChannel
+*
+* Per-peer end-to-end encryption for WebRTC data channels using
+* X25519 ECDH key agreement + HKDF-SHA256 + AES-256-GCM.
+*
+* Leverages the same cryptographic primitives as `DocKeyManager` and
+* `CryptoIdentityKeystore` but applied to data channel messages rather
+* than stored document keys.
+*
+* Key agreement flow:
+*   1. Both peers exchange Ed25519 public keys via the `key-exchange` data channel
+*   2. Convert Ed25519 → X25519 (Montgomery form)
+*   3. Run X25519 ECDH to derive a shared secret
+*   4. HKDF-SHA256(sharedSecret, salt, info) → 32-byte AES-256-GCM session key
+*   5. All subsequent data channel messages are encrypted with this key
+*
+* Message wire format: [12-byte nonce || AES-256-GCM ciphertext]
+*
+* Dependencies: @noble/curves (already in the project for CryptoIdentityKeystore)
+*/
+const HKDF_INFO = new TextEncoder().encode("abracadabra-webrtc-e2ee-v1");
+const NONCE_BYTES = 12;
+var E2EEChannel = class extends EventEmitter {
+	constructor(identity, docId) {
+		super();
+		this.identity = identity;
+		this.docId = docId;
+		this.sessionKey = null;
+		this.remotePublicKey = null;
+		this._isEstablished = false;
+	}
+	get isEstablished() {
+		return this._isEstablished;
+	}
+	/**
+	* Process a key-exchange message from the remote peer.
+	* Called when the `key-exchange` data channel receives a message.
+	*
+	* The message is the remote peer's raw 32-byte Ed25519 public key.
+	* After receiving it, ECDH is computed and the session key derived.
+	*/
+	async handleKeyExchange(remoteEdPubKey) {
+		if (remoteEdPubKey.length !== 32) {
+			this.emit("error", /* @__PURE__ */ new Error("Invalid remote public key length"));
+			return;
+		}
+		this.remotePublicKey = remoteEdPubKey;
+		const remoteX25519Pub = ed25519.utils.toMontgomery(remoteEdPubKey);
+		const sharedSecret = x25519.getSharedSecret(this.identity.x25519PrivateKey, remoteX25519Pub);
+		const localPub = this.identity.publicKey;
+		const remotePub = remoteEdPubKey;
+		const [first, second] = this.sortKeys(localPub, remotePub);
+		const saltParts = [
+			new TextEncoder().encode(this.docId),
+			first,
+			second
+		];
+		const salt = new Uint8Array(saltParts.reduce((acc, p) => acc + p.length, 0));
+		let offset = 0;
+		for (const part of saltParts) {
+			salt.set(part, offset);
+			offset += part.length;
+		}
+		const keyBytes = hkdf(sha256, sharedSecret, salt, HKDF_INFO, 32);
+		this.sessionKey = await crypto.subtle.importKey("raw", keyBytes, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+		this._isEstablished = true;
+		this.emit("established", { remotePublicKey: remoteEdPubKey });
+	}
+	/**
+	* Returns the local Ed25519 public key to send to the remote peer
+	* via the `key-exchange` data channel.
+	*/
+	getKeyExchangeMessage() {
+		return this.identity.publicKey;
+	}
+	/**
+	* Encrypt a message for sending over a data channel.
+	* Returns `[12-byte nonce || AES-256-GCM ciphertext]`.
+	*
+	* @throws if the session key has not been established yet.
+	*/
+	async encrypt(plaintext) {
+		if (!this.sessionKey) throw new Error("E2EE session key not established");
+		const nonce = crypto.getRandomValues(new Uint8Array(NONCE_BYTES));
+		const ciphertext = new Uint8Array(await crypto.subtle.encrypt({
+			name: "AES-GCM",
+			iv: nonce
+		}, this.sessionKey, plaintext));
+		const result = new Uint8Array(NONCE_BYTES + ciphertext.length);
+		result.set(nonce, 0);
+		result.set(ciphertext, NONCE_BYTES);
+		return result;
+	}
+	/**
+	* Decrypt a message received from a data channel.
+	* Expects `[12-byte nonce || AES-256-GCM ciphertext]`.
+	*
+	* @throws if the session key has not been established or decryption fails.
+	*/
+	async decrypt(data) {
+		if (!this.sessionKey) throw new Error("E2EE session key not established");
+		if (data.length < NONCE_BYTES + 16) throw new Error("E2EE ciphertext too short");
+		const nonce = data.slice(0, NONCE_BYTES);
+		const ciphertext = data.slice(NONCE_BYTES);
+		const plaintext = await crypto.subtle.decrypt({
+			name: "AES-GCM",
+			iv: nonce
+		}, this.sessionKey, ciphertext);
+		return new Uint8Array(plaintext);
+	}
+	/** Destroy the session key and wipe sensitive material. */
+	destroy() {
+		this.sessionKey = null;
+		this.remotePublicKey = null;
+		this._isEstablished = false;
+		this.removeAllListeners();
+	}
+	/** Sort two keys lexicographically so both peers produce the same order. */
+	sortKeys(a, b) {
+		for (let i = 0; i < Math.min(a.length, b.length); i++) {
+			if (a[i] < b[i]) return [a, b];
+			if (a[i] > b[i]) return [b, a];
+		}
+		return a.length <= b.length ? [a, b] : [b, a];
+	}
+};
+
 //#endregion
 //#region packages/provider/src/webrtc/AbracadabraWebRTC.ts
 const HAS_RTC = typeof globalThis.RTCPeerConnection !== "undefined";
@@ -9291,6 +9465,7 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 		this.peerConnections = /* @__PURE__ */ new Map();
 		this.yjsChannels = /* @__PURE__ */ new Map();
 		this.fileChannels = /* @__PURE__ */ new Map();
+		this.e2eeChannels = /* @__PURE__ */ new Map();
 		this.peers = /* @__PURE__ */ new Map();
 		this.localPeerId = null;
 		this.isConnected = false;
@@ -9299,6 +9474,7 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 		this.config = {
 			docId: configuration.docId,
 			url: configuration.url,
+			signalingUrl: configuration.signalingUrl ?? null,
 			token: configuration.token,
 			document: doc,
 			awareness,
@@ -9309,6 +9485,7 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 			enableAwarenessSync: configuration.enableAwarenessSync ?? !!awareness,
 			enableFileTransfer: configuration.enableFileTransfer ?? false,
 			fileChunkSize: configuration.fileChunkSize ?? 16384,
+			e2ee: configuration.e2ee ?? null,
 			WebSocketPolyfill: configuration.WebSocketPolyfill
 		};
 		if (configuration.autoConnect !== false && HAS_RTC) this.connect();
@@ -9489,6 +9666,11 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 	}
 	removePeer(peerId) {
 		this.peers.delete(peerId);
+		const e2ee = this.e2eeChannels.get(peerId);
+		if (e2ee) {
+			e2ee.destroy();
+			this.e2eeChannels.delete(peerId);
+		}
 		const yjs = this.yjsChannels.get(peerId);
 		if (yjs) {
 			yjs.destroy();
@@ -9544,12 +9726,39 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 		return pc;
 	}
 	attachDataHandlers(peerId, pc) {
+		if (this.config.e2ee) {
+			const e2ee = new E2EEChannel(this.config.e2ee, this.config.docId);
+			this.e2eeChannels.set(peerId, e2ee);
+			pc.router.setEncryptor(e2ee);
+			pc.router.on("channelMessage", async ({ name, data }) => {
+				if (name === KEY_EXCHANGE_CHANNEL) {
+					const buf = data instanceof ArrayBuffer ? new Uint8Array(data) : data;
+					await e2ee.handleKeyExchange(buf);
+				}
+			});
+			pc.router.on("channelOpen", ({ name, channel }) => {
+				if (name === KEY_EXCHANGE_CHANNEL) channel.send(e2ee.getKeyExchangeMessage());
+			});
+			e2ee.on("established", () => {
+				this.emit("e2eeEstablished", { peerId });
+				this.startDataSync(peerId, pc);
+			});
+			e2ee.on("error", (err) => {
+				this.emit("e2eeFailed", {
+					peerId,
+					error: err
+				});
+			});
+		} else this.startDataSync(peerId, pc);
+	}
+	startDataSync(peerId, pc) {
 		if (this.config.document && this.config.enableDocSync) {
+			if (this.yjsChannels.has(peerId)) return;
 			const yjs = new YjsDataChannel(this.config.document, this.config.enableAwarenessSync ? this.config.awareness : null, pc.router);
 			yjs.attach();
 			this.yjsChannels.set(peerId, yjs);
 		}
-		if (this.config.enableFileTransfer) {
+		if (this.config.enableFileTransfer && !this.fileChannels.has(peerId)) {
 			const fc = new FileTransferChannel(pc.router, this.config.fileChunkSize);
 			fc.on("receiveStart", (meta) => {
 				this.emit("fileReceiveStart", {
@@ -9586,6 +9795,7 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 	}
 	async initiateConnection(peerId) {
 		const pc = this.createPeerConnection(peerId);
+		if (this.config.e2ee) pc.router.createChannel(KEY_EXCHANGE_CHANNEL, { ordered: true });
 		pc.router.createDefaultChannels({
 			enableDocSync: this.config.enableDocSync,
 			enableAwareness: this.config.enableAwarenessSync,
@@ -9617,6 +9827,12 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 		}
 	}
 	buildSignalingUrl() {
+		if (this.config.signalingUrl) {
+			let sigBase = this.config.signalingUrl;
+			while (sigBase.endsWith("/")) sigBase = sigBase.slice(0, -1);
+			sigBase = sigBase.replace(/^https:/, "wss:").replace(/^http:/, "ws:");
+			return `${sigBase}/ws/${encodeURIComponent(this.config.docId)}/signaling`;
+		}
 		let base = this.config.url;
 		while (base.endsWith("/")) base = base.slice(0, -1);
 		base = base.replace(/^https:/, "wss:").replace(/^http:/, "ws:");
@@ -9624,6 +9840,310 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 	}
 };
 
+//#endregion
+//#region packages/provider/src/webrtc/ManualSignaling.ts
+/**
+* ManualSignaling
+*
+* Serverless signaling adapter for WebRTC peer-to-peer connections.
+* Instead of a WebSocket server relaying SDP/ICE, peers exchange
+* offer and answer "blobs" out-of-band (QR code, copy-paste, NFC, etc.).
+*
+* Designed as a drop-in replacement for `SignalingSocket` — emits the
+* same events (`welcome`, `joined`, `offer`, `answer`, `ice`) so
+* `AbracadabraWebRTC` can use it transparently.
+*
+* Flow:
+*   Device A (initiator):
+*     1. `createOffer()` → gathers ICE candidates → returns offer blob
+*     2. Share blob via QR/paste
+*     3. Receive answer blob → `acceptAnswer(blob)`
+*
+*   Device B (responder):
+*     1. Receive offer blob → `acceptOffer(blob)` → returns answer blob
+*     2. Share answer blob via QR/paste
+*/
+var ManualSignaling = class extends EventEmitter {
+	constructor(iceServers) {
+		super();
+		this.isConnected = false;
+		this.pc = null;
+		this.localPeerId = crypto.randomUUID();
+		this.iceServers = iceServers ?? [{ urls: "stun:stun.l.google.com:19302" }];
+	}
+	/**
+	* Initiator: create an offer blob with gathered ICE candidates.
+	* Returns a blob to share with the remote peer.
+	*/
+	async createOfferBlob() {
+		this.pc = new RTCPeerConnection({ iceServers: this.iceServers });
+		const candidates = [];
+		const gatheringComplete = new Promise((resolve) => {
+			this.pc.onicecandidate = (event) => {
+				if (event.candidate) candidates.push(JSON.stringify(event.candidate.toJSON()));
+				else resolve();
+			};
+		});
+		const offer = await this.pc.createOffer();
+		await this.pc.setLocalDescription(offer);
+		await gatheringComplete;
+		this.isConnected = true;
+		this.emit("welcome", {
+			peerId: this.localPeerId,
+			peers: []
+		});
+		return {
+			sdp: this.pc.localDescription.sdp,
+			candidates,
+			peerId: this.localPeerId
+		};
+	}
+	/**
+	* Responder: accept an offer blob and create an answer blob.
+	* The answer blob should be shared back to the initiator.
+	*/
+	async acceptOffer(offerBlob) {
+		this.pc = new RTCPeerConnection({ iceServers: this.iceServers });
+		const candidates = [];
+		const gatheringComplete = new Promise((resolve) => {
+			this.pc.onicecandidate = (event) => {
+				if (event.candidate) candidates.push(JSON.stringify(event.candidate.toJSON()));
+				else resolve();
+			};
+		});
+		await this.pc.setRemoteDescription(new RTCSessionDescription({
+			type: "offer",
+			sdp: offerBlob.sdp
+		}));
+		for (const c of offerBlob.candidates) await this.pc.addIceCandidate(new RTCIceCandidate(JSON.parse(c)));
+		const answer = await this.pc.createAnswer();
+		await this.pc.setLocalDescription(answer);
+		await gatheringComplete;
+		this.isConnected = true;
+		this.emit("welcome", {
+			peerId: this.localPeerId,
+			peers: []
+		});
+		this.emit("joined", {
+			peer_id: offerBlob.peerId,
+			user_id: offerBlob.peerId,
+			muted: false,
+			video: false,
+			screen: false,
+			name: null,
+			color: null
+		});
+		this.emit("offer", {
+			from: offerBlob.peerId,
+			sdp: offerBlob.sdp
+		});
+		for (const c of offerBlob.candidates) this.emit("ice", {
+			from: offerBlob.peerId,
+			candidate: c
+		});
+		return {
+			sdp: this.pc.localDescription.sdp,
+			candidates,
+			peerId: this.localPeerId
+		};
+	}
+	/**
+	* Initiator: accept the answer blob from the responder.
+	* Completes the connection.
+	*/
+	async acceptAnswer(answerBlob) {
+		if (!this.pc) throw new Error("Call createOfferBlob() first");
+		this.emit("joined", {
+			peer_id: answerBlob.peerId,
+			user_id: answerBlob.peerId,
+			muted: false,
+			video: false,
+			screen: false,
+			name: null,
+			color: null
+		});
+		this.emit("answer", {
+			from: answerBlob.peerId,
+			sdp: answerBlob.sdp
+		});
+		for (const c of answerBlob.candidates) this.emit("ice", {
+			from: answerBlob.peerId,
+			candidate: c
+		});
+	}
+	sendOffer(_to, _sdp) {}
+	sendAnswer(_to, _sdp) {}
+	sendIce(_to, _candidate) {}
+	sendMute(_muted) {}
+	sendMediaState(_video, _screen) {}
+	sendProfile(_name, _color) {}
+	sendLeave() {}
+	async connect() {}
+	disconnect() {
+		this.isConnected = false;
+		if (this.pc) {
+			this.pc.close();
+			this.pc = null;
+		}
+		this.emit("disconnected");
+	}
+	destroy() {
+		this.disconnect();
+		this.removeAllListeners();
+	}
+};
+
+//#endregion
+//#region packages/provider/src/sync/BroadcastChannelSync.ts
+/**
+* Cross-tab Y.js document and awareness sync via the BroadcastChannel API.
+*
+* Opens a BroadcastChannel per document, relays Y.js updates and awareness
+* state between tabs on the same origin. No server, no WebRTC — just same-device
+* multi-tab sync. Same-origin means same trust boundary, so no encryption needed.
+*
+* Uses the same y-protocols/sync encoding as `YjsDataChannel` for consistency.
+*/
+const CHANNEL_PREFIX = "abra:sync:";
+/** Message type discriminators (first byte). */
+const MSG = {
+	SYNC: 0,
+	UPDATE: 1,
+	AWARENESS: 2,
+	QUERY_PEERS: 3
+};
+var BroadcastChannelSync = class BroadcastChannelSync extends EventEmitter {
+	constructor(document, awareness, channelName) {
+		super();
+		this.document = document;
+		this.awareness = awareness;
+		this.channelName = channelName;
+		this.channel = null;
+		this.docUpdateHandler = null;
+		this.awarenessUpdateHandler = null;
+		this.destroyed = false;
+	}
+	/** Convenience factory using standard channel naming. */
+	static forDoc(document, docId, awareness) {
+		return new BroadcastChannelSync(document, awareness ?? null, `${CHANNEL_PREFIX}${docId}`);
+	}
+	/** Start syncing. Opens the BroadcastChannel and initiates a sync handshake. */
+	connect() {
+		if (this.destroyed || this.channel) return;
+		if (typeof globalThis.BroadcastChannel === "undefined") return;
+		this.channel = new BroadcastChannel(this.channelName);
+		this.channel.onmessage = (event) => this.handleMessage(event.data);
+		this.docUpdateHandler = (update, origin) => {
+			if (origin === this) return;
+			this.broadcastUpdate(update);
+		};
+		this.document.on("update", this.docUpdateHandler);
+		if (this.awareness) {
+			this.awarenessUpdateHandler = ({ added, updated, removed }, _origin) => {
+				const changedClients = added.concat(updated).concat(removed);
+				const update = encodeAwarenessUpdate(this.awareness, changedClients);
+				this.broadcastAwareness(update);
+			};
+			this.awareness.on("update", this.awarenessUpdateHandler);
+		}
+		this.broadcastQueryPeers();
+		this.sendSyncStep1();
+		this.emit("connected");
+	}
+	/** Stop syncing and close the BroadcastChannel. */
+	disconnect() {
+		if (this.docUpdateHandler) {
+			this.document.off("update", this.docUpdateHandler);
+			this.docUpdateHandler = null;
+		}
+		if (this.awarenessUpdateHandler && this.awareness) {
+			this.awareness.off("update", this.awarenessUpdateHandler);
+			this.awarenessUpdateHandler = null;
+		}
+		if (this.channel) {
+			this.channel.close();
+			this.channel = null;
+		}
+		this.emit("disconnected");
+	}
+	/** Disconnect and prevent reconnection. */
+	destroy() {
+		this.disconnect();
+		this.destroyed = true;
+		this.removeAllListeners();
+	}
+	broadcastUpdate(update) {
+		if (!this.channel) return;
+		const encoder = createEncoder();
+		writeVarUint(encoder, MSG.UPDATE);
+		writeVarUint8Array(encoder, update);
+		this.channel.postMessage(toUint8Array(encoder));
+	}
+	broadcastAwareness(update) {
+		if (!this.channel) return;
+		const encoder = createEncoder();
+		writeVarUint(encoder, MSG.AWARENESS);
+		writeVarUint8Array(encoder, update);
+		this.channel.postMessage(toUint8Array(encoder));
+	}
+	sendSyncStep1() {
+		if (!this.channel) return;
+		const encoder = createEncoder();
+		writeVarUint(encoder, MSG.SYNC);
+		writeSyncStep1(encoder, this.document);
+		this.channel.postMessage(toUint8Array(encoder));
+	}
+	broadcastQueryPeers() {
+		if (!this.channel) return;
+		const encoder = createEncoder();
+		writeVarUint(encoder, MSG.QUERY_PEERS);
+		this.channel.postMessage(toUint8Array(encoder));
+	}
+	handleMessage(data) {
+		if (!(data instanceof ArrayBuffer || data instanceof Uint8Array)) return;
+		const buf = data instanceof ArrayBuffer ? new Uint8Array(data) : data;
+		const decoder = createDecoder(buf);
+		switch (readVarUint(decoder)) {
+			case MSG.SYNC:
+				this.handleSyncMessage(decoder);
+				break;
+			case MSG.UPDATE:
+				this.handleUpdateMessage(decoder);
+				break;
+			case MSG.AWARENESS:
+				this.handleAwarenessMessage(decoder);
+				break;
+			case MSG.QUERY_PEERS:
+				this.sendSyncStep1();
+				if (this.awareness) {
+					const update = encodeAwarenessUpdate(this.awareness, Array.from(this.awareness.getStates().keys()));
+					this.broadcastAwareness(update);
+				}
+				break;
+		}
+	}
+	handleSyncMessage(decoder) {
+		const encoder = createEncoder();
+		const syncMessageType = readSyncMessage(decoder, encoder, this.document, this);
+		if (length(encoder) > 0) {
+			const responseEncoder = createEncoder();
+			writeVarUint(responseEncoder, MSG.SYNC);
+			writeUint8Array(responseEncoder, toUint8Array(encoder));
+			this.channel?.postMessage(toUint8Array(responseEncoder));
+		}
+		if (syncMessageType === messageYjsSyncStep2) this.emit("synced");
+	}
+	handleUpdateMessage(decoder) {
+		const update = readVarUint8Array(decoder);
+		yjs.applyUpdate(this.document, update, this);
+	}
+	handleAwarenessMessage(decoder) {
+		if (!this.awareness) return;
+		const update = readVarUint8Array(decoder);
+		applyAwarenessUpdate(this.awareness, update, this);
+	}
+};
+
 //#endregion
 exports.AbracadabraBaseProvider = AbracadabraBaseProvider;
 exports.AbracadabraClient = AbracadabraClient;
@@ -9634,6 +10154,7 @@ exports.AuthMessageType = AuthMessageType;
 exports.AwarenessError = AwarenessError;
 exports.BackgroundSyncManager = BackgroundSyncManager;
 exports.BackgroundSyncPersistence = BackgroundSyncPersistence;
+exports.BroadcastChannelSync = BroadcastChannelSync;
 exports.CHANNEL_NAMES = CHANNEL_NAMES;
 exports.ConnectionTimeout = ConnectionTimeout;
 exports.CryptoIdentityKeystore = CryptoIdentityKeystore;
@@ -9643,6 +10164,7 @@ exports.DataChannelRouter = DataChannelRouter;
 exports.DocKeyManager = DocKeyManager;
 exports.DocumentCache = DocumentCache;
 exports.E2EAbracadabraProvider = E2EAbracadabraProvider;
+exports.E2EEChannel = E2EEChannel;
 exports.E2EOfflineStore = E2EOfflineStore;
 exports.EncryptedYMap = EncryptedYMap;
 exports.EncryptedYText = EncryptedYText;
@@ -9652,6 +10174,8 @@ exports.FileTransferHandle = FileTransferHandle;
 exports.Forbidden = Forbidden;
 exports.HocuspocusProvider = HocuspocusProvider;
 exports.HocuspocusProviderWebsocket = HocuspocusProviderWebsocket;
+exports.KEY_EXCHANGE_CHANNEL = KEY_EXCHANGE_CHANNEL;
+exports.ManualSignaling = ManualSignaling;
 exports.MessageTooBig = MessageTooBig;
 exports.MessageType = MessageType;
 exports.OfflineStore = OfflineStore;