@aegis-fluxion/core 0.7.2 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/README.md +127 -1
  2. package/dist/index.cjs +1312 -20
  3. package/dist/index.cjs.map +1 -1
  4. package/dist/index.d.cts +82 -1
  5. package/dist/index.d.ts +82 -1
  6. package/dist/index.js +1313 -21
  7. package/dist/index.js.map +1 -1
  8. package/package.json +1 -1
package/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  Low-level encrypted WebSocket primitives for the `aegis-fluxion` ecosystem.
4
4
 
5
- Version: **0.7.2**
5
+ Version: **0.9.0**
6
6
 
7
7
  ---
8
8
 
@@ -11,9 +11,11 @@ Version: **0.7.2**
11
11
  - Ephemeral ECDH handshake (`prime256v1`)
12
12
  - AES-256-GCM encrypted envelopes
13
13
  - ACK request/response (Promise + callback styles)
14
+ - Encrypted chunked streaming for large `Buffer`/`Readable` payloads
14
15
  - Secure room routing (`join`, `leave`, `leaveAll`, `to(room).emit(...)`)
15
16
  - Middleware phases: `connection`, `incoming`, `outgoing`
16
17
  - Rate limiting and DDoS controls per connection and IP
18
+ - TLS 1.3-style session resumption with encrypted one-time tickets
17
19
  - **Horizontal scaling hooks** via pluggable `SecureServerAdapter`
18
20
 
19
21
  ---
@@ -26,6 +28,130 @@ npm install @aegis-fluxion/core ws
26
28
 
27
29
  ---
28
30
 
31
+ ## Chunked streaming (new in 0.9.0)
32
+
33
+ `@aegis-fluxion/core@0.9.0` adds secure chunked stream transport for large payloads.
34
+
35
+ ### Supported stream sources
36
+
37
+ - `Buffer`
38
+ - `Uint8Array`
39
+ - `Readable`
40
+ - `AsyncIterable<Buffer | Uint8Array | ArrayBuffer>`
41
+
42
+ ### Stream APIs
43
+
44
+ - Client outbound: `client.emitStream(event, source, options?)`
45
+ - Client inbound: `client.onStream(event, handler)`
46
+ - Server outbound: `server.emitStreamTo(clientId, event, source, options?)`
47
+ - Server inbound: `server.onStream(event, handler)`
48
+ - Per-client server outbound helper: `serverClient.emitStream(event, source, options?)`
49
+
50
+ ### Options
51
+
52
+ - `chunkSizeBytes` (default `64 * 1024`, max `1024 * 1024`)
53
+ - `metadata` (optional object attached to the stream start frame)
54
+ - `totalBytes` (optional size hint; required when source size is unknown and you want announced size)
55
+ - `signal` (`AbortSignal` to cancel transfer)
56
+
57
+ ### Example
58
+
59
+ ```ts
60
+ import { Readable } from "node:stream";
61
+ import { SecureClient, SecureServer } from "@aegis-fluxion/core";
62
+
63
+ const server = new SecureServer({ host: "127.0.0.1", port: 8080 });
64
+ const client = new SecureClient("ws://127.0.0.1:8080");
65
+
66
+ server.onStream("media:upload", async (stream, info, peer) => {
67
+ const chunks: Buffer[] = [];
68
+
69
+ for await (const chunk of stream) {
70
+ chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
71
+ }
72
+
73
+ const uploaded = Buffer.concat(chunks);
74
+
75
+ await peer.emitStream("media:download", Readable.from(uploaded), {
76
+ chunkSizeBytes: 64 * 1024,
77
+ totalBytes: uploaded.length,
78
+ metadata: { direction: "server-to-client" }
79
+ });
80
+
81
+ console.log("Server received stream", {
82
+ streamId: info.streamId,
83
+ announcedTotalBytes: info.totalBytes,
84
+ receivedBytes: uploaded.length
85
+ });
86
+ });
87
+
88
+ client.on("ready", async () => {
89
+ const payload = Buffer.from("chunked secure payload");
90
+
91
+ const result = await client.emitStream("media:upload", payload, {
92
+ chunkSizeBytes: 64 * 1024,
93
+ totalBytes: payload.length,
94
+ metadata: { direction: "client-to-server" }
95
+ });
96
+
97
+ console.log(result); // { streamId, chunkCount, totalBytes }
98
+ });
99
+ ```
100
+
101
+ Each chunk is delivered inside reserved internal `start/chunk/end/abort` frames and encrypted
102
+ through the same AES-256-GCM channel used by standard events.
103
+
104
+ ---
105
+
106
+ ## Session resumption (TLS 1.3-style)
107
+
108
+ `@aegis-fluxion/core@0.8.0` introduced secure resume-first reconnect behavior:
109
+
110
+ - Full handshake path uses ephemeral ECDH (`hello` frame).
111
+ - Resume path uses ticket-bound proofs (`resume` / `resume-ack` frames).
112
+ - Successful resumes derive fresh channel keys from ticket secret + client nonce.
113
+ - Servers enforce ticket TTL, bounded cache size, and one-time ticket consumption.
114
+ - Clients automatically fall back to full handshake when resume is rejected.
115
+
116
+ ### Server configuration
117
+
118
+ ```ts
119
+ import { SecureServer } from "@aegis-fluxion/core";
120
+
121
+ const server = new SecureServer({
122
+ host: "127.0.0.1",
123
+ port: 8080,
124
+ sessionResumption: {
125
+ enabled: true,
126
+ ticketTtlMs: 60_000,
127
+ maxCachedTickets: 10_000
128
+ }
129
+ });
130
+ ```
131
+
132
+ ### Client configuration
133
+
134
+ ```ts
135
+ import { SecureClient } from "@aegis-fluxion/core";
136
+
137
+ const client = new SecureClient("ws://127.0.0.1:8080", {
138
+ reconnect: true,
139
+ sessionResumption: {
140
+ enabled: true,
141
+ maxAcceptedTicketTtlMs: 60_000
142
+ }
143
+ });
144
+ ```
145
+
146
+ ### Security model
147
+
148
+ - Resume proofs are validated with HMAC and constant-time comparison.
149
+ - Resume tickets are encrypted in transit (same channel protections as all payloads).
150
+ - Resume tickets are discarded if expired, policy-invalid, or already consumed.
151
+ - Reserved internal events (e.g., session-ticket transport) cannot be emitted by user code.
152
+
153
+ ---
154
+
29
155
  ## SecureServer adapter API (horizontal scaling)
30
156
 
31
157
  ### Core types