@agentunion/fastaun 0.4.3 → 0.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +198 -185
- package/_packed_docs/AUN_SDK_0.4.0_/350/256/276/350/256/241/345/257/271/346/257/224/345/210/206/346/236/220.md +194 -194
- package/_packed_docs/AUN_SDK_/351/207/215/346/236/204/345/256/236/346/226/275/350/256/241/345/210/222.md +596 -596
- package/_packed_docs/AUN_SDK_/351/207/215/346/236/204/350/256/276/350/256/241/346/226/271/346/241/210_v3.md +1698 -1697
- package/_packed_docs/CHANGELOG.md +198 -185
- package/_packed_docs/INDEX.md +17 -17
- package/_packed_docs/KITE_DOCS_GUIDE.md +11 -11
- package/_packed_docs/agent.md/SCHEMA.md +49 -49
- package/_packed_docs/agent.md/examples/signed-openclaw-lobster.md +22 -22
- package/_packed_docs/agent.md//350/277/234/347/250/213agent.md/347/274/223/345/255/230/344/270/216etag/351/200/217/344/274/240/346/226/271/346/241/210.md +327 -327
- package/_packed_docs/cli/AUN-CLI/350/256/276/350/256/241/346/226/207/346/241/243.md +686 -686
- package/_packed_docs/design/2026-05-22-aun-rpc-trace-enhancement.md +542 -542
- package/_packed_docs/design/E2EE_V2/347/256/200/345/214/226/344/270/2721DH/345/212/240Per-AID_Wrap/346/226/271/346/241/210.md +124 -124
- package/_packed_docs/design//350/267/250/350/257/255/350/250/200/345/256/271/345/231/250E2E/346/265/213/350/257/225/346/226/271/346/241/210.md +665 -665
- package/_packed_docs/protocol/01-/350/272/253/344/273/275/344/270/216/345/207/255/350/257/201/345/215/217/350/256/256-auth.md +2 -2
- package/_packed_docs/protocol/14-/344/272/244/344/272/222/346/234/272/345/210/266-/345/223/215/345/272/224/346/250/241/345/274/217/344/270/216/350/207/252/344/270/273/346/250/241/345/274/217.md +170 -170
- package/_packed_docs/protocol/15-/347/246/273/347/272/277/346/216/250/351/200/201/351/200/232/347/237/245/345/215/217/350/256/256.md +419 -419
- package/_packed_docs/protocol/README.md +1 -1
- package/_packed_docs/protocol/aun-docs-guide.md +1 -1
- package/_packed_docs/protocol//351/231/204/345/275/225A-/346/234/257/350/257/255/350/241/250.md +15 -15
- package/_packed_docs/protocol//351/231/204/345/275/225B-/346/211/251/345/261/225/346/200/247/346/214/207/345/215/227.md +4 -4
- package/_packed_docs/protocol//351/231/204/345/275/225J-/345/256/242/346/210/267/347/253/257/346/216/245/345/205/245/347/244/272/344/276/213.md +98 -98
- package/_packed_docs/protocol//351/231/204/345/275/225M-JWT/350/256/244/350/257/201/345/256/236/347/216/260/346/214/207/345/215/227.md +46 -46
- package/_packed_docs/protocol//351/231/204/345/275/225N-/345/210/206/345/270/203/345/274/217Trace/345/215/217/350/256/256.md +257 -257
- package/_packed_docs/python-sdk-v2-only-changelog.md +189 -189
- package/_packed_docs/sdk/01-/345/277/253/351/200/237/345/274/200/345/247/213.md +1 -1
- package/_packed_docs/sdk/05-E2EE/345/212/240/345/257/206/351/200/232/344/277/241.md +1 -1
- package/_packed_docs/sdk/06-API/346/211/213/345/206/214.md +1 -0
- package/_packed_docs/sdk/09-payload-reference.md +13 -13
- package/_packed_docs/sdk/E2EE_V2/346/266/210/346/201/257/351/200/232/344/277/241/346/227/266/345/272/217/345/233/276.md +171 -171
- package/dist/aid.d.ts +2 -1
- package/dist/aid.js +7 -6
- package/dist/aid.js.map +1 -1
- package/dist/auth.js +4 -0
- package/dist/auth.js.map +1 -1
- package/dist/client.d.ts +6 -0
- package/dist/client.js +204 -52
- package/dist/client.js.map +1 -1
- package/dist/keystore/file.d.ts +0 -2
- package/dist/keystore/file.js +6 -44
- package/dist/keystore/file.js.map +1 -1
- package/dist/tools/cross-sdk-agent.js +0 -9
- package/dist/tools/cross-sdk-agent.js.map +1 -1
- package/dist/transport.d.ts +1 -0
- package/dist/transport.js +7 -1
- package/dist/transport.js.map +1 -1
- package/dist/v2/session/keystore.js +2 -2
- package/dist/version.d.ts +1 -1
- package/dist/version.js +1 -1
- package/package.json +1 -1
|
@@ -1,171 +1,171 @@
|
|
|
1
|
-
# E2EE V2 消息通信时序图
|
|
2
|
-
|
|
3
|
-
本文只描述当前 V2-only 链路下的主要时序:P2P/GROUP 明文消息、P2P/GROUP 加密消息,以及 V2 设备密钥注册前置流程。不包含 V1 E2EE、旧 group epoch secret 分发、thought 内容读写。
|
|
4
|
-
|
|
5
|
-
## 范围约定
|
|
6
|
-
|
|
7
|
-
- SDK 默认 `message.send` / `group.send` 为 `encrypt=true`,由 SDK 本地构造 V2 加密 envelope。
|
|
8
|
-
- 显式 `encrypt=false` 时走明文发送;V2 SDK 接收端仍通过 `message.v2.pull` / `group.v2.pull` 合并拉取明文历史行。
|
|
9
|
-
- P2P 加密 envelope 类型为 `e2ee.p2p_encrypted`,通过 `message.send` 提交,服务端按 V2 分流处理。
|
|
10
|
-
- GROUP 加密 envelope 类型为 `e2ee.group_encrypted`,通过 `group.v2.send` 提交。
|
|
11
|
-
- 服务端只做认证、路由、结构校验、密文存储和事件通知,不持有明文 payload,也不执行端到端解密。
|
|
12
|
-
|
|
13
|
-
## V2 设备密钥注册
|
|
14
|
-
|
|
15
|
-
```mermaid
|
|
16
|
-
sequenceDiagram
|
|
17
|
-
participant SDK as 接收方 SDK
|
|
18
|
-
participant Message as message 服务
|
|
19
|
-
participant Group as group 服务
|
|
20
|
-
participant CA as CA/Auth
|
|
21
|
-
|
|
22
|
-
SDK->>SDK: 初始化 V2Session<br/>IK=AID 长期密钥,生成或加载 P2P SPK
|
|
23
|
-
SDK->>Message: message.v2.put_peer_pk<br/>peer_device_prekey + SPK 签名
|
|
24
|
-
Message->>CA: ca.get_cert / 校验 AID 公钥
|
|
25
|
-
Message-->>SDK: ok
|
|
26
|
-
|
|
27
|
-
opt 已加入某个群
|
|
28
|
-
SDK->>SDK: ensure_group_spk(group_id)
|
|
29
|
-
SDK->>Group: group.v2.put_group_pk<br/>group_device_prekey + SPK 签名
|
|
30
|
-
Group->>CA: ca.get_cert / 校验 AID 公钥
|
|
31
|
-
Group-->>SDK: ok
|
|
32
|
-
end
|
|
33
|
-
```
|
|
34
|
-
|
|
35
|
-
## P2P 明文消息
|
|
36
|
-
|
|
37
|
-
```mermaid
|
|
38
|
-
sequenceDiagram
|
|
39
|
-
participant A as Sender SDK
|
|
40
|
-
participant M as message 服务
|
|
41
|
-
participant G as gateway
|
|
42
|
-
participant B as Receiver SDK
|
|
43
|
-
|
|
44
|
-
A->>M: message.send<br/>encrypt=false, payload=明文
|
|
45
|
-
alt 目标跨域
|
|
46
|
-
M->>G: gateway.forward_federation<br/>namespace=message, method=send
|
|
47
|
-
G->>M: 转发到目标域 message 服务
|
|
48
|
-
end
|
|
49
|
-
M->>M: 按接收方 device 分配 seq<br/>写普通消息存储
|
|
50
|
-
M->>G: dispatch_event(message.received)
|
|
51
|
-
G-->>B: event/message.received 或通知
|
|
52
|
-
|
|
53
|
-
B->>M: message.v2.pull(after_seq, limit)
|
|
54
|
-
M-->>B: messages[]<br/>明文行 version=v1 / legacy_v1
|
|
55
|
-
B->>B: 直接发布 message.received<br/>不做 E2EE 解密
|
|
56
|
-
B->>M: message.v2.ack(up_to_seq)
|
|
57
|
-
```
|
|
58
|
-
|
|
59
|
-
## P2P 加密消息
|
|
60
|
-
|
|
61
|
-
```mermaid
|
|
62
|
-
sequenceDiagram
|
|
63
|
-
participant A as Sender SDK
|
|
64
|
-
participant M as message 服务
|
|
65
|
-
participant G as gateway
|
|
66
|
-
participant B as Receiver SDK
|
|
67
|
-
|
|
68
|
-
A->>M: message.v2.bootstrap(peer_aid=B)
|
|
69
|
-
M-->>A: B active devices<br/>IK + peer_device_prekey SPK<br/>self_devices + audit_recipients
|
|
70
|
-
|
|
71
|
-
A->>A: 构造 recipients<br/>peer + self_sync + audit
|
|
72
|
-
A->>A: 生成 master_key / msg_nonce / sender_session_key
|
|
73
|
-
A->>A: 3DH/1DH wrap master_key<br/>AES-GCM 加密 payload<br/>ECDSA 签名 ct+tag+AAD+recipients_digest
|
|
74
|
-
A->>M: message.send<br/>payload.type=e2ee.p2p_encrypted, version=v2, encrypt=false
|
|
75
|
-
|
|
76
|
-
alt 目标跨域
|
|
77
|
-
M->>G: gateway.forward_federation<br/>namespace=message, method=send
|
|
78
|
-
G->>M: 转发到目标域 message 服务
|
|
79
|
-
end
|
|
80
|
-
|
|
81
|
-
M->>M: 校验 AAD/from/to/device、t_send、recipients_digest、audit wrap
|
|
82
|
-
M->>M: 写 v2_peer_messages 共享密文体
|
|
83
|
-
M->>M: 按 device 写 v2_peer_wraps<br/>seq per owner_aid + device_id
|
|
84
|
-
M->>G: dispatch_event(peer.v2.message_received)<br/>只含 seq/message_id/device_id
|
|
85
|
-
G-->>B: peer.v2.message_received
|
|
86
|
-
|
|
87
|
-
B->>M: message.v2.pull(after_seq, limit)
|
|
88
|
-
M-->>B: per-device envelope_json<br/>recipient wrap + merkle_proof
|
|
89
|
-
B->>B: 验 sender_signature / recipients proof
|
|
90
|
-
B->>B: 用本地 IK/SPK 解 wrap_key -> master_key
|
|
91
|
-
B->>B: AES-GCM 解密 payload
|
|
92
|
-
B-->>B: 发布 message.received
|
|
93
|
-
B->>M: message.v2.ack(up_to_seq)
|
|
94
|
-
B->>B: 若消费当前 SPK,异步 rotate_spk()
|
|
95
|
-
```
|
|
96
|
-
|
|
97
|
-
## GROUP 明文消息
|
|
98
|
-
|
|
99
|
-
```mermaid
|
|
100
|
-
sequenceDiagram
|
|
101
|
-
participant A as Sender SDK
|
|
102
|
-
participant Group as group 服务
|
|
103
|
-
participant G as gateway
|
|
104
|
-
participant B as Member SDK
|
|
105
|
-
|
|
106
|
-
A->>Group: group.send<br/>encrypt=false, payload=明文
|
|
107
|
-
Group->>Group: 校验成员/禁言/消息类型/epoch 边界
|
|
108
|
-
Group->>Group: 写 group_messages + group_events<br/>递增 group.message_seq / event_seq
|
|
109
|
-
Group->>G: dispatch_event(group.message_created)<br/>member_aids / dispatch 信息
|
|
110
|
-
G-->>B: group.message_created 通知
|
|
111
|
-
|
|
112
|
-
B->>Group: group.v2.pull(group_id, after_seq, limit)
|
|
113
|
-
Group->>Group: 合并普通明文 group_messages
|
|
114
|
-
Group-->>B: messages[]<br/>明文行 version=v1 + payload
|
|
115
|
-
B->>B: 直接发布 group.message_created
|
|
116
|
-
B->>Group: group.v2.ack(group_id, up_to_seq)
|
|
117
|
-
```
|
|
118
|
-
|
|
119
|
-
## GROUP 加密消息
|
|
120
|
-
|
|
121
|
-
```mermaid
|
|
122
|
-
sequenceDiagram
|
|
123
|
-
participant A as Sender SDK
|
|
124
|
-
participant Group as group 服务
|
|
125
|
-
participant Msg as message 服务
|
|
126
|
-
participant G as gateway
|
|
127
|
-
participant B as Member SDK
|
|
128
|
-
|
|
129
|
-
A->>Group: group.v2.bootstrap(group_id)
|
|
130
|
-
Group->>Group: 校验成员资格,读取 epoch/state_chain
|
|
131
|
-
Group->>Group: 读取 v2_group_devices<br/>group_device_prekey
|
|
132
|
-
Group->>Msg: message.v2.group_bootstrap(member_aids)
|
|
133
|
-
Msg-->>Group: fallback P2P device prekeys + audit_recipients
|
|
134
|
-
Group-->>A: devices + epoch + state_commitment<br/>pending/committed members + audit_recipients
|
|
135
|
-
|
|
136
|
-
A->>A: 校验 group state 签名 / 分叉
|
|
137
|
-
A->>A: 构造 targets<br/>member + self_sync + audit
|
|
138
|
-
A->>A: 生成 e2ee.group_encrypted envelope<br/>AAD 含 group_id/epoch/state_commitment
|
|
139
|
-
A->>Group: group.v2.send(group_id, envelope)
|
|
140
|
-
|
|
141
|
-
alt 群在异域
|
|
142
|
-
Group->>G: gateway.forward_federation<br/>namespace=group, method=v2.send
|
|
143
|
-
G->>Group: 转发到群归属域 group 服务
|
|
144
|
-
end
|
|
145
|
-
|
|
146
|
-
Group->>Group: 校验成员、e2ee_version=v2、epoch 匹配
|
|
147
|
-
Group->>Group: 校验 AAD/from/group_id/from_device/message_id
|
|
148
|
-
Group->>Group: 校验 recipients 排序、digest、audit wrap
|
|
149
|
-
Group->>Group: 写 v2_group_messages 共享密文体
|
|
150
|
-
Group->>Group: 按 recipient 写 v2_group_wraps
|
|
151
|
-
Group->>G: dispatch_event(group.v2.message_created)<br/>seq/message_id/sender/member_aids
|
|
152
|
-
G-->>B: group.v2.message_created 通知
|
|
153
|
-
|
|
154
|
-
B->>Group: group.v2.pull(group_id, after_seq, limit)
|
|
155
|
-
Group-->>B: per-device envelope_json<br/>recipient wrap + merkle_proof
|
|
156
|
-
B->>B: 选择 group_id 对应 group SPK<br/>fallback 到 P2P SPK 仅兼容旧 wrap
|
|
157
|
-
B->>B: 验签 / 验 proof / 解 wrap / 解密 payload
|
|
158
|
-
B-->>B: 发布 group.message_created
|
|
159
|
-
B->>Group: group.v2.ack(group_id, up_to_seq)
|
|
160
|
-
B->>B: 若消费 group_device_prekey,异步 rotate_group_spk()
|
|
161
|
-
```
|
|
162
|
-
|
|
163
|
-
## 核心差异
|
|
164
|
-
|
|
165
|
-
| 场景 | 发送入口 | 服务端存储 | 接收入口 | 解密位置 |
|
|
166
|
-
|------|----------|------------|----------|----------|
|
|
167
|
-
| P2P 明文 | `message.send(encrypt=false)` | 普通 device message | `message.v2.pull` 合并明文行 | 不解密 |
|
|
168
|
-
| P2P 加密 | `message.send` 承载 `e2ee.p2p_encrypted` | `v2_peer_messages` + `v2_peer_wraps` | `message.v2.pull` | 接收方 SDK |
|
|
169
|
-
| GROUP 明文 | `group.send(encrypt=false)` | `group_messages` + `group_events` | `group.v2.pull` 合并明文行 | 不解密 |
|
|
170
|
-
| GROUP 加密 | `group.v2.send` 承载 `e2ee.group_encrypted` | `v2_group_messages` + `v2_group_wraps` | `group.v2.pull` | 接收方 SDK |
|
|
171
|
-
|
|
1
|
+
# E2EE V2 消息通信时序图
|
|
2
|
+
|
|
3
|
+
本文只描述当前 V2-only 链路下的主要时序:P2P/GROUP 明文消息、P2P/GROUP 加密消息,以及 V2 设备密钥注册前置流程。不包含 V1 E2EE、旧 group epoch secret 分发、thought 内容读写。
|
|
4
|
+
|
|
5
|
+
## 范围约定
|
|
6
|
+
|
|
7
|
+
- SDK 默认 `message.send` / `group.send` 为 `encrypt=true`,由 SDK 本地构造 V2 加密 envelope。
|
|
8
|
+
- 显式 `encrypt=false` 时走明文发送;V2 SDK 接收端仍通过 `message.v2.pull` / `group.v2.pull` 合并拉取明文历史行。
|
|
9
|
+
- P2P 加密 envelope 类型为 `e2ee.p2p_encrypted`,通过 `message.send` 提交,服务端按 V2 分流处理。
|
|
10
|
+
- GROUP 加密 envelope 类型为 `e2ee.group_encrypted`,通过 `group.v2.send` 提交。
|
|
11
|
+
- 服务端只做认证、路由、结构校验、密文存储和事件通知,不持有明文 payload,也不执行端到端解密。
|
|
12
|
+
|
|
13
|
+
## V2 设备密钥注册
|
|
14
|
+
|
|
15
|
+
```mermaid
|
|
16
|
+
sequenceDiagram
|
|
17
|
+
participant SDK as 接收方 SDK
|
|
18
|
+
participant Message as message 服务
|
|
19
|
+
participant Group as group 服务
|
|
20
|
+
participant CA as CA/Auth
|
|
21
|
+
|
|
22
|
+
SDK->>SDK: 初始化 V2Session<br/>IK=AID 长期密钥,生成或加载 P2P SPK
|
|
23
|
+
SDK->>Message: message.v2.put_peer_pk<br/>peer_device_prekey + SPK 签名
|
|
24
|
+
Message->>CA: ca.get_cert / 校验 AID 公钥
|
|
25
|
+
Message-->>SDK: ok
|
|
26
|
+
|
|
27
|
+
opt 已加入某个群
|
|
28
|
+
SDK->>SDK: ensure_group_spk(group_id)
|
|
29
|
+
SDK->>Group: group.v2.put_group_pk<br/>group_device_prekey + SPK 签名
|
|
30
|
+
Group->>CA: ca.get_cert / 校验 AID 公钥
|
|
31
|
+
Group-->>SDK: ok
|
|
32
|
+
end
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
## P2P 明文消息
|
|
36
|
+
|
|
37
|
+
```mermaid
|
|
38
|
+
sequenceDiagram
|
|
39
|
+
participant A as Sender SDK
|
|
40
|
+
participant M as message 服务
|
|
41
|
+
participant G as gateway
|
|
42
|
+
participant B as Receiver SDK
|
|
43
|
+
|
|
44
|
+
A->>M: message.send<br/>encrypt=false, payload=明文
|
|
45
|
+
alt 目标跨域
|
|
46
|
+
M->>G: gateway.forward_federation<br/>namespace=message, method=send
|
|
47
|
+
G->>M: 转发到目标域 message 服务
|
|
48
|
+
end
|
|
49
|
+
M->>M: 按接收方 device 分配 seq<br/>写普通消息存储
|
|
50
|
+
M->>G: dispatch_event(message.received)
|
|
51
|
+
G-->>B: event/message.received 或通知
|
|
52
|
+
|
|
53
|
+
B->>M: message.v2.pull(after_seq, limit)
|
|
54
|
+
M-->>B: messages[]<br/>明文行 version=v1 / legacy_v1
|
|
55
|
+
B->>B: 直接发布 message.received<br/>不做 E2EE 解密
|
|
56
|
+
B->>M: message.v2.ack(up_to_seq)
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
## P2P 加密消息
|
|
60
|
+
|
|
61
|
+
```mermaid
|
|
62
|
+
sequenceDiagram
|
|
63
|
+
participant A as Sender SDK
|
|
64
|
+
participant M as message 服务
|
|
65
|
+
participant G as gateway
|
|
66
|
+
participant B as Receiver SDK
|
|
67
|
+
|
|
68
|
+
A->>M: message.v2.bootstrap(peer_aid=B)
|
|
69
|
+
M-->>A: B active devices<br/>IK + peer_device_prekey SPK<br/>self_devices + audit_recipients
|
|
70
|
+
|
|
71
|
+
A->>A: 构造 recipients<br/>peer + self_sync + audit
|
|
72
|
+
A->>A: 生成 master_key / msg_nonce / sender_session_key
|
|
73
|
+
A->>A: 3DH/1DH wrap master_key<br/>AES-GCM 加密 payload<br/>ECDSA 签名 ct+tag+AAD+recipients_digest
|
|
74
|
+
A->>M: message.send<br/>payload.type=e2ee.p2p_encrypted, version=v2, encrypt=false
|
|
75
|
+
|
|
76
|
+
alt 目标跨域
|
|
77
|
+
M->>G: gateway.forward_federation<br/>namespace=message, method=send
|
|
78
|
+
G->>M: 转发到目标域 message 服务
|
|
79
|
+
end
|
|
80
|
+
|
|
81
|
+
M->>M: 校验 AAD/from/to/device、t_send、recipients_digest、audit wrap
|
|
82
|
+
M->>M: 写 v2_peer_messages 共享密文体
|
|
83
|
+
M->>M: 按 device 写 v2_peer_wraps<br/>seq per owner_aid + device_id
|
|
84
|
+
M->>G: dispatch_event(peer.v2.message_received)<br/>只含 seq/message_id/device_id
|
|
85
|
+
G-->>B: peer.v2.message_received
|
|
86
|
+
|
|
87
|
+
B->>M: message.v2.pull(after_seq, limit)
|
|
88
|
+
M-->>B: per-device envelope_json<br/>recipient wrap + merkle_proof
|
|
89
|
+
B->>B: 验 sender_signature / recipients proof
|
|
90
|
+
B->>B: 用本地 IK/SPK 解 wrap_key -> master_key
|
|
91
|
+
B->>B: AES-GCM 解密 payload
|
|
92
|
+
B-->>B: 发布 message.received
|
|
93
|
+
B->>M: message.v2.ack(up_to_seq)
|
|
94
|
+
B->>B: 若消费当前 SPK,异步 rotate_spk()
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
## GROUP 明文消息
|
|
98
|
+
|
|
99
|
+
```mermaid
|
|
100
|
+
sequenceDiagram
|
|
101
|
+
participant A as Sender SDK
|
|
102
|
+
participant Group as group 服务
|
|
103
|
+
participant G as gateway
|
|
104
|
+
participant B as Member SDK
|
|
105
|
+
|
|
106
|
+
A->>Group: group.send<br/>encrypt=false, payload=明文
|
|
107
|
+
Group->>Group: 校验成员/禁言/消息类型/epoch 边界
|
|
108
|
+
Group->>Group: 写 group_messages + group_events<br/>递增 group.message_seq / event_seq
|
|
109
|
+
Group->>G: dispatch_event(group.message_created)<br/>member_aids / dispatch 信息
|
|
110
|
+
G-->>B: group.message_created 通知
|
|
111
|
+
|
|
112
|
+
B->>Group: group.v2.pull(group_id, after_seq, limit)
|
|
113
|
+
Group->>Group: 合并普通明文 group_messages
|
|
114
|
+
Group-->>B: messages[]<br/>明文行 version=v1 + payload
|
|
115
|
+
B->>B: 直接发布 group.message_created
|
|
116
|
+
B->>Group: group.v2.ack(group_id, up_to_seq)
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
## GROUP 加密消息
|
|
120
|
+
|
|
121
|
+
```mermaid
|
|
122
|
+
sequenceDiagram
|
|
123
|
+
participant A as Sender SDK
|
|
124
|
+
participant Group as group 服务
|
|
125
|
+
participant Msg as message 服务
|
|
126
|
+
participant G as gateway
|
|
127
|
+
participant B as Member SDK
|
|
128
|
+
|
|
129
|
+
A->>Group: group.v2.bootstrap(group_id)
|
|
130
|
+
Group->>Group: 校验成员资格,读取 epoch/state_chain
|
|
131
|
+
Group->>Group: 读取 v2_group_devices<br/>group_device_prekey
|
|
132
|
+
Group->>Msg: message.v2.group_bootstrap(member_aids)
|
|
133
|
+
Msg-->>Group: fallback P2P device prekeys + audit_recipients
|
|
134
|
+
Group-->>A: devices + epoch + state_commitment<br/>pending/committed members + audit_recipients
|
|
135
|
+
|
|
136
|
+
A->>A: 校验 group state 签名 / 分叉
|
|
137
|
+
A->>A: 构造 targets<br/>member + self_sync + audit
|
|
138
|
+
A->>A: 生成 e2ee.group_encrypted envelope<br/>AAD 含 group_id/epoch/state_commitment
|
|
139
|
+
A->>Group: group.v2.send(group_id, envelope)
|
|
140
|
+
|
|
141
|
+
alt 群在异域
|
|
142
|
+
Group->>G: gateway.forward_federation<br/>namespace=group, method=v2.send
|
|
143
|
+
G->>Group: 转发到群归属域 group 服务
|
|
144
|
+
end
|
|
145
|
+
|
|
146
|
+
Group->>Group: 校验成员、e2ee_version=v2、epoch 匹配
|
|
147
|
+
Group->>Group: 校验 AAD/from/group_id/from_device/message_id
|
|
148
|
+
Group->>Group: 校验 recipients 排序、digest、audit wrap
|
|
149
|
+
Group->>Group: 写 v2_group_messages 共享密文体
|
|
150
|
+
Group->>Group: 按 recipient 写 v2_group_wraps
|
|
151
|
+
Group->>G: dispatch_event(group.v2.message_created)<br/>seq/message_id/sender/member_aids
|
|
152
|
+
G-->>B: group.v2.message_created 通知
|
|
153
|
+
|
|
154
|
+
B->>Group: group.v2.pull(group_id, after_seq, limit)
|
|
155
|
+
Group-->>B: per-device envelope_json<br/>recipient wrap + merkle_proof
|
|
156
|
+
B->>B: 选择 group_id 对应 group SPK<br/>fallback 到 P2P SPK 仅兼容旧 wrap
|
|
157
|
+
B->>B: 验签 / 验 proof / 解 wrap / 解密 payload
|
|
158
|
+
B-->>B: 发布 group.message_created
|
|
159
|
+
B->>Group: group.v2.ack(group_id, up_to_seq)
|
|
160
|
+
B->>B: 若消费 group_device_prekey,异步 rotate_group_spk()
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
## 核心差异
|
|
164
|
+
|
|
165
|
+
| 场景 | 发送入口 | 服务端存储 | 接收入口 | 解密位置 |
|
|
166
|
+
|------|----------|------------|----------|----------|
|
|
167
|
+
| P2P 明文 | `message.send(encrypt=false)` | 普通 device message | `message.v2.pull` 合并明文行 | 不解密 |
|
|
168
|
+
| P2P 加密 | `message.send` 承载 `e2ee.p2p_encrypted` | `v2_peer_messages` + `v2_peer_wraps` | `message.v2.pull` | 接收方 SDK |
|
|
169
|
+
| GROUP 明文 | `group.send(encrypt=false)` | `group_messages` + `group_events` | `group.v2.pull` 合并明文行 | 不解密 |
|
|
170
|
+
| GROUP 加密 | `group.v2.send` 承载 `e2ee.group_encrypted` | `v2_group_messages` + `v2_group_wraps` | `group.v2.pull` | 接收方 SDK |
|
|
171
|
+
|
package/dist/aid.d.ts
CHANGED
|
@@ -20,7 +20,8 @@ export declare class AID {
|
|
|
20
20
|
readonly verifySsl: boolean;
|
|
21
21
|
readonly rootCaPath: string | null;
|
|
22
22
|
readonly debug: boolean;
|
|
23
|
-
|
|
23
|
+
/** AIDStore 加载时注入的明文私钥 PEM,供 AUNClient 直接使用(无需 seed)。*/
|
|
24
|
+
readonly privateKeyPem: string;
|
|
24
25
|
private readonly _certValid;
|
|
25
26
|
private readonly _privateKeyValid;
|
|
26
27
|
private constructor();
|
package/dist/aid.js
CHANGED
|
@@ -15,7 +15,8 @@ export class AID {
|
|
|
15
15
|
verifySsl;
|
|
16
16
|
rootCaPath;
|
|
17
17
|
debug;
|
|
18
|
-
|
|
18
|
+
/** AIDStore 加载时注入的明文私钥 PEM,供 AUNClient 直接使用(无需 seed)。*/
|
|
19
|
+
privateKeyPem;
|
|
19
20
|
_certValid;
|
|
20
21
|
_privateKeyValid;
|
|
21
22
|
constructor(params) {
|
|
@@ -27,9 +28,9 @@ export class AID {
|
|
|
27
28
|
this.verifySsl = params.verifySsl ?? false;
|
|
28
29
|
this.rootCaPath = params.rootCaPath ?? null;
|
|
29
30
|
this.debug = params.debug ?? false;
|
|
30
|
-
this._privateKeyPem = params.privateKeyPem;
|
|
31
31
|
this._certValid = params.certValid;
|
|
32
32
|
this._privateKeyValid = params.privateKeyValid;
|
|
33
|
+
this.privateKeyPem = params.privateKeyPem ?? '';
|
|
33
34
|
}
|
|
34
35
|
static _create(params) {
|
|
35
36
|
return new AID(params);
|
|
@@ -59,12 +60,12 @@ export class AID {
|
|
|
59
60
|
return this._privateKeyValid;
|
|
60
61
|
}
|
|
61
62
|
sign(payload) {
|
|
62
|
-
if (!this._privateKeyValid || !this.
|
|
63
|
+
if (!this._privateKeyValid || !this.privateKeyPem) {
|
|
63
64
|
return resultErr(codes.PRIVATE_KEY_NOT_VALID, 'private key is not valid');
|
|
64
65
|
}
|
|
65
66
|
try {
|
|
66
67
|
const data = typeof payload === 'string' ? Buffer.from(payload, 'utf-8') : payload;
|
|
67
|
-
const sig = signBytes(this.
|
|
68
|
+
const sig = signBytes(this.privateKeyPem, data);
|
|
68
69
|
return resultOk({ signature: sig.toString('base64') });
|
|
69
70
|
}
|
|
70
71
|
catch (exc) {
|
|
@@ -86,12 +87,12 @@ export class AID {
|
|
|
86
87
|
}
|
|
87
88
|
}
|
|
88
89
|
signAgentMd(content) {
|
|
89
|
-
if (!this._privateKeyValid || !this.
|
|
90
|
+
if (!this._privateKeyValid || !this.privateKeyPem) {
|
|
90
91
|
return resultErr(codes.PRIVATE_KEY_NOT_VALID, 'private key is not valid');
|
|
91
92
|
}
|
|
92
93
|
try {
|
|
93
94
|
const payload = normalizeAgentMdPayload(content);
|
|
94
|
-
const sig = signBytes(this.
|
|
95
|
+
const sig = signBytes(this.privateKeyPem, Buffer.from(payload, 'utf-8'));
|
|
95
96
|
const block = buildAgentMdSignatureBlock(this.certFingerprint, Math.trunc(Date.now() / 1000), sig.toString('base64'));
|
|
96
97
|
return resultOk({ signed: payload + block });
|
|
97
98
|
}
|
package/dist/aid.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aid.js","sourceRoot":"","sources":["../src/aid.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EACL,0BAA0B,EAC1B,cAAc,EACd,eAAe,IAAI,gBAAgB,EACnC,iBAAiB,EACjB,uBAAuB,EACvB,yBAAyB,EACzB,eAAe,EACf,SAAS,EACT,uBAAuB,GACxB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAe,SAAS,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAW/D,MAAM,OAAO,GAAG;IACL,GAAG,CAAS;IACZ,OAAO,CAAS;IAChB,OAAO,CAAS;IAChB,QAAQ,CAAS;IACjB,MAAM,CAAS;IACf,SAAS,CAAU;IACnB,UAAU,CAAgB;IAC1B,KAAK,CAAU;
|
|
1
|
+
{"version":3,"file":"aid.js","sourceRoot":"","sources":["../src/aid.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EACL,0BAA0B,EAC1B,cAAc,EACd,eAAe,IAAI,gBAAgB,EACnC,iBAAiB,EACjB,uBAAuB,EACvB,yBAAyB,EACzB,eAAe,EACf,SAAS,EACT,uBAAuB,GACxB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAe,SAAS,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAW/D,MAAM,OAAO,GAAG;IACL,GAAG,CAAS;IACZ,OAAO,CAAS;IAChB,OAAO,CAAS;IAChB,QAAQ,CAAS;IACjB,MAAM,CAAS;IACf,SAAS,CAAU;IACnB,UAAU,CAAgB;IAC1B,KAAK,CAAU;IAExB,wDAAwD;IAC/C,aAAa,CAAS;IACd,UAAU,CAAU;IACpB,gBAAgB,CAAU;IAE3C,YAAoB,MAYnB;QACC,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,SAAS,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,KAAK,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC;QAC5C,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,KAAK,CAAC;QACnC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,eAAe,CAAC;QAC/C,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC;IAClD,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,MAYd;QACC,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,CAAC;IAED,IAAI,SAAS;QACX,OAAO,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,WAAW;QACb,OAAO,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,aAAa;QACf,OAAO,IAAI,IAAI,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,YAAY;QACd,OAAO,IAAI,IAAI,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,eAAe;QACjB,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED,iBAAiB;QACf,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAED,IAAI,CAAC,OAAwB;QAC3B,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,SAAS,CAAC,KAAK,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,CAAC;QAC5E,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;YACnF,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;YAChD,OAAO,QAAQ,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,KAAK,CAAC,yBAAyB,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED,MAAM,CAAC,OAAwB,EAAE,SAAiB;QAChD,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO,SAAS,CAAC,KAAK,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;YACnF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAChD,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YAClE,OAAO,QAAQ,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,KAAK,CAAC,4BAA4B,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,WAAW,CAAC,OAAe;QACzB,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,SAAS,CAAC,KAAK,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,CAAC;QAC5E,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;YACjD,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;YACzE,MAAM,KAAK,GAAG,0BAA0B,CACtC,IAAI,CAAC,eAAe,EACpB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAC7B,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACvB,CAAC;YACF,OAAO,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,GAAG,KAAK,EAAE,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,KAAK,CAAC,yBAAyB,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED,aAAa,CAAC,OAAe;QAC3B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO,SAAS,CAAC,KAAK,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,yBAAyB,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;YACzF,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;gBACpB,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;oBACvB,OAAO,QAAQ,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;gBACnD,CAAC;gBACD,OAAO,QAAQ,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;YACtE,CAAC;YAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,UAAU,IAAI,UAAU,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;gBAC1C,OAAO,QAAQ,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;YAC3F,CAAC;YACD,IAAI,MAAM,CAAC,gBAAgB,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,EAAE,CAAC;gBACjF,OAAO,QAAQ,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC,CAAC;YAC7G,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;YAC3F,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,QAAQ,CAAC;oBACd,MAAM,EAAE,SAAS;oBACjB,OAAO;oBACP,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;oBACzC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC;oBACnC,MAAM,EAAE,+BAA+B;iBACxC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,QAAQ,CAAC;gBACd,MAAM,EAAE,UAAU;gBAClB,OAAO;gBACP,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;gBACzC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC;aACpC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,KAAK,CAAC,4BAA4B,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;CACF"}
|
package/dist/auth.js
CHANGED
|
@@ -2028,6 +2028,10 @@ export class AuthFlow {
|
|
|
2028
2028
|
delete persisted[key];
|
|
2029
2029
|
}
|
|
2030
2030
|
}
|
|
2031
|
+
// 私钥由 AIDStore 管理,AUNClient 不写 key.json
|
|
2032
|
+
for (const key of ['private_key_pem', 'public_key_der_b64', 'curve']) {
|
|
2033
|
+
delete persisted[key];
|
|
2034
|
+
}
|
|
2031
2035
|
this._keystore.saveIdentity(aid, persisted);
|
|
2032
2036
|
// 从共享 metadata_kv 中移除实例级字段(它们已保存到 instance_state)
|
|
2033
2037
|
const db = this._keystore._getDB?.(aid);
|