@drakkar.software/starfish-client 2.3.0 → 3.0.0-alpha.0

package/dist/keyring.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Phase-2 transitional shim. The implementation lives in
+ * `@drakkar.software/starfish-keyring`. This file is removed in Phase 3.
+ */
+export { KEYRING_WRAP_SALT, KEYRING_WRAP_INFO, KEYRING_IV_BYTES, wrapForRecipient, unwrapFromEntry, verifyEntrySignature, createKeyring, addRecipient, rotateEpoch, createKeyringEncryptor, } from "@drakkar.software/starfish-keyring";
+export type { WrappedKeyEntry, KeyringEpoch, Keyring, KeyringEncryptor, } from "@drakkar.software/starfish-keyring";

package/dist/keyring.js

@@ -0,0 +1,26 @@
+// src/keyring.ts
+import {
+  KEYRING_WRAP_SALT,
+  KEYRING_WRAP_INFO,
+  KEYRING_IV_BYTES,
+  wrapForRecipient,
+  unwrapFromEntry,
+  verifyEntrySignature,
+  createKeyring,
+  addRecipient,
+  rotateEpoch,
+  createKeyringEncryptor
+} from "@drakkar.software/starfish-keyring";
+export {
+  KEYRING_IV_BYTES,
+  KEYRING_WRAP_INFO,
+  KEYRING_WRAP_SALT,
+  addRecipient,
+  createKeyring,
+  createKeyringEncryptor,
+  rotateEpoch,
+  unwrapFromEntry,
+  verifyEntrySignature,
+  wrapForRecipient
+};
+//# sourceMappingURL=keyring.js.map

package/dist/keyring.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/keyring.ts"],
+  "sourcesContent": ["/**\n * Phase-2 transitional shim. The implementation lives in\n * `@drakkar.software/starfish-keyring`. This file is removed in Phase 3.\n */\nexport {\n  KEYRING_WRAP_SALT,\n  KEYRING_WRAP_INFO,\n  KEYRING_IV_BYTES,\n  wrapForRecipient,\n  unwrapFromEntry,\n  verifyEntrySignature,\n  createKeyring,\n  addRecipient,\n  rotateEpoch,\n  createKeyringEncryptor,\n} from \"@drakkar.software/starfish-keyring\"\nexport type {\n  WrappedKeyEntry,\n  KeyringEpoch,\n  Keyring,\n  KeyringEncryptor,\n} from \"@drakkar.software/starfish-keyring\"\n"],
+  "mappings": ";AAIA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;",
+  "names": []
+}

package/dist/pairing.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Phase-2 transitional shim. The implementation lives in
+ * `@drakkar.software/starfish-identities`. Removed in Phase 3.
+ */
+export { bootstrapRootIdentity, buildPairingQr, parsePairingQr, assemblePairingBundle, installPairingBundle, deriveCodeKey, buildPairingRequest, readPairingRequest, buildPairingResponse, readPairingResponse, } from "@drakkar.software/starfish-identities";
+export type { DeviceCredentials, PairingQrPayload, PairingBundle, WrappedCekEntry, InstalledPairingResult, AssemblePairingBundleOpts, PairingRequestEncrypted, PairingResponseEncrypted, } from "@drakkar.software/starfish-identities";

package/dist/pairing.js

@@ -0,0 +1,26 @@
+// src/pairing.ts
+import {
+  bootstrapRootIdentity,
+  buildPairingQr,
+  parsePairingQr,
+  assemblePairingBundle,
+  installPairingBundle,
+  deriveCodeKey,
+  buildPairingRequest,
+  readPairingRequest,
+  buildPairingResponse,
+  readPairingResponse
+} from "@drakkar.software/starfish-identities";
+export {
+  assemblePairingBundle,
+  bootstrapRootIdentity,
+  buildPairingQr,
+  buildPairingRequest,
+  buildPairingResponse,
+  deriveCodeKey,
+  installPairingBundle,
+  parsePairingQr,
+  readPairingRequest,
+  readPairingResponse
+};
+//# sourceMappingURL=pairing.js.map

package/dist/pairing.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/pairing.ts"],
+  "sourcesContent": ["/**\n * Phase-2 transitional shim. The implementation lives in\n * `@drakkar.software/starfish-identities`. Removed in Phase 3.\n */\nexport {\n  bootstrapRootIdentity,\n  buildPairingQr,\n  parsePairingQr,\n  assemblePairingBundle,\n  installPairingBundle,\n  deriveCodeKey,\n  buildPairingRequest,\n  readPairingRequest,\n  buildPairingResponse,\n  readPairingResponse,\n} from \"@drakkar.software/starfish-identities\"\nexport type {\n  DeviceCredentials,\n  PairingQrPayload,\n  PairingBundle,\n  WrappedCekEntry,\n  InstalledPairingResult,\n  AssemblePairingBundleOpts,\n  PairingRequestEncrypted,\n  PairingResponseEncrypted,\n} from \"@drakkar.software/starfish-identities\"\n"],
+  "mappings": ";AAIA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;",
+  "names": []
+}

package/dist/recipients.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Phase-2 transitional shim. The implementation lives in
+ * `@drakkar.software/starfish-keyring`. This file is removed in Phase 3.
+ */
+export { keyringPathFor, addCollectionRecipient, removeRecipient, listRecipients, currentEpoch, } from "@drakkar.software/starfish-keyring";
+export type { RecipientRef, AdderKeys, ListedRecipient, } from "@drakkar.software/starfish-keyring";

package/dist/recipients.js

@@ -0,0 +1,16 @@
+// src/recipients.ts
+import {
+  keyringPathFor,
+  addCollectionRecipient,
+  removeRecipient,
+  listRecipients,
+  currentEpoch
+} from "@drakkar.software/starfish-keyring";
+export {
+  addCollectionRecipient,
+  currentEpoch,
+  keyringPathFor,
+  listRecipients,
+  removeRecipient
+};
+//# sourceMappingURL=recipients.js.map

package/dist/recipients.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/recipients.ts"],
+  "sourcesContent": ["/**\n * Phase-2 transitional shim. The implementation lives in\n * `@drakkar.software/starfish-keyring`. This file is removed in Phase 3.\n */\nexport {\n  keyringPathFor,\n  addCollectionRecipient,\n  removeRecipient,\n  listRecipients,\n  currentEpoch,\n} from \"@drakkar.software/starfish-keyring\"\nexport type {\n  RecipientRef,\n  AdderKeys,\n  ListedRecipient,\n} from \"@drakkar.software/starfish-keyring\"\n"],
+  "mappings": ";AAIA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;",
+  "names": []
+}

package/dist/sync.d.ts

@@ -1,12 +1,34 @@
 import type { PullResult } from "@drakkar.software/starfish-protocol";
 import type { ConflictResolver } from "./types.js";
+import type { Encryptor } from "@drakkar.software/starfish-protocol";
 import { StarfishClient } from "./client.js";
-import type { Encryptor } from "./crypto.js";
 import type { SyncLogger } from "./logger.js";
 import type { Validator } from "./validate.js";
 export declare class AbortError extends Error {
     constructor();
 }
+/**
+ * v3.0 author-signature plumbing for `SyncManager`.
+ *
+ * Returns the device's Ed25519 public key (hex) and a function that signs
+ * arbitrary payload bytes. `SyncManager` calls `getSigner()` once per push
+ * and uses the returned `sign` to produce a base64-encoded signature over
+ * the canonical stringification of the encrypted payload (sans author fields).
+ *
+ * Implementations typically wrap the same Ed25519 private key used by
+ * `StarfishCapProvider` so that `cap.sub === devEdPubHex`.
+ */
+export interface SyncSigner {
+    /**
+     * Returns the device's `cap.sub` (Ed25519 pubkey, hex) and a payload signer.
+     * The `sign` function receives the canonical signing input bytes and must
+     * return the raw 64-byte Ed25519 signature.
+     */
+    getSigner(): Promise<{
+        devEdPubHex: string;
+        sign(payload: Uint8Array): Promise<Uint8Array>;
+    }>;
+}
 export interface SyncManagerOptions {
     client: StarfishClient;
     pullPath: string;
@@ -15,15 +37,17 @@ export interface SyncManagerOptions {
     onConflict?: ConflictResolver;
     /** Max conflict retry attempts (default: 3). */
     maxRetries?: number;
-    encryptionSecret?: string;
-    encryptionSalt?: string;
-    encryptionInfo?: string;
     /**
-     * Pre-created Encryptor. Use this with `createGroupEncryptor` for group encryption.
-     * Takes precedence over `encryptionSecret` / `encryptionSalt` if both are provided.
+     * Encryptor for client-side E2E encryption. For v3 `delegated` collections,
+     * build it via `createKeyringEncryptor(keyring, deviceKemKeys)`.
      */
     encryptor?: Encryptor;
-    signData?: (data: string) => Promise<string>;
+    /**
+     * v3 author-signature plumbing. When set, every push attaches
+     * `authorPubkey` (= `cap.sub`) and `authorSignature` (= base64 Ed25519 over
+     * stable-stringify of the encrypted payload minus author fields).
+     */
+    signer?: SyncSigner;
     /** Structured logger for sync events. */
     logger?: SyncLogger;
     /** Name passed to logger methods (default: derived from pullPath). */
@@ -38,7 +62,7 @@ export declare class SyncManager {
     private readonly onConflict;
     private readonly maxRetries;
     private readonly encryptor;
-    private readonly signData?;
+    private readonly signer?;
     private readonly logger?;
     private readonly loggerName;
     private readonly validate?;

package/dist/testing.d.ts

@@ -1,7 +1,7 @@
 import type { PullResult, PushSuccess } from "@drakkar.software/starfish-protocol";
 import { StarfishClient } from "./client.js";
 type PullFn = (path: string, checkpoint?: number) => Promise<PullResult>;
-type PushFn = (path: string, data: Record<string, unknown>, baseHash: string | null, sig?: string) => Promise<PushSuccess>;
+type PushFn = (path: string, data: Record<string, unknown>, baseHash: string | null) => Promise<PushSuccess>;
 /**
  * Creates a mock StarfishClient for testing.
  * Override individual methods or use the defaults (returns static data).

package/dist/testing.js

@@ -16,9 +16,9 @@ function createMockClient(overrides) {
       pullCalls.push({ path, checkpoint });
       return pull(path, checkpoint);
     },
-    push: async (path, data, baseHash, sig) => {
+    push: async (path, data, baseHash) => {
       pushCalls.push({ path, data, baseHash });
-      return push(path, data, baseHash, sig);
+      return push(path, data, baseHash);
     },
     pullCalls,
     pushCalls

package/dist/testing.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../src/testing.ts"],
-  "sourcesContent": ["import type { PullResult, PushSuccess } from \"@drakkar.software/starfish-protocol\"\nimport { StarfishClient } from \"./client.js\"\n\ntype PullFn = (path: string, checkpoint?: number) => Promise<PullResult>\ntype PushFn = (path: string, data: Record<string, unknown>, baseHash: string | null, sig?: string) => Promise<PushSuccess>\n\n/**\n * Creates a mock StarfishClient for testing.\n * Override individual methods or use the defaults (returns static data).\n *\n * @example\n * ```ts\n * const client = createMockClient({\n *   pull: async () => ({ data: { key: \"value\" }, hash: \"h1\", timestamp: 100 }),\n * })\n * const sync = new SyncManager({ client, pullPath: \"/pull/test\", pushPath: \"/push/test\" })\n * ```\n */\nexport function createMockClient(overrides?: {\n  pull?: PullFn\n  push?: PushFn\n}): StarfishClient & { pullCalls: Array<{ path: string; checkpoint?: number }>; pushCalls: Array<{ path: string; data: Record<string, unknown>; baseHash: string | null }> } {\n  const pullCalls: Array<{ path: string; checkpoint?: number }> = []\n  const pushCalls: Array<{ path: string; data: Record<string, unknown>; baseHash: string | null }> = []\n\n  const pull: PullFn = overrides?.pull ?? (async () => ({\n    data: {},\n    hash: \"mock-hash\",\n    timestamp: Date.now(),\n  }))\n\n  const push: PushFn = overrides?.push ?? (async () => ({\n    hash: \"mock-push-hash\",\n    timestamp: Date.now(),\n  }))\n\n  return {\n    pull: async (path: string, checkpoint?: number) => {\n      pullCalls.push({ path, checkpoint })\n      return pull(path, checkpoint)\n    },\n    push: async (path: string, data: Record<string, unknown>, baseHash: string | null, sig?: string) => {\n      pushCalls.push({ path, data, baseHash })\n      return push(path, data, baseHash, sig)\n    },\n    pullCalls,\n    pushCalls,\n  } as unknown as StarfishClient & { pullCalls: typeof pullCalls; pushCalls: typeof pushCalls }\n}\n\n/**\n * Creates a mock fetch that returns predefined responses.\n * Useful for testing StarfishClient directly.\n *\n * @example\n * ```ts\n * const fetch = createMockFetch({ data: { key: \"value\" }, hash: \"h1\", timestamp: 100 })\n * const client = new StarfishClient({ baseUrl: \"https://example.com\", fetch })\n * ```\n */\nexport function createMockFetch(\n  pullResponse?: PullResult,\n  pushResponse?: PushSuccess,\n): typeof globalThis.fetch {\n  return async (input) => {\n    const url = typeof input === \"string\" ? input : input instanceof URL ? input.href : (input as Request).url\n    if (url.includes(\"/pull/\")) {\n      return new Response(JSON.stringify(pullResponse ?? { data: {}, hash: \"h\", timestamp: 1 }), {\n        status: 200,\n        headers: { \"Content-Type\": \"application/json\" },\n      })\n    }\n    return new Response(JSON.stringify(pushResponse ?? { hash: \"h\", timestamp: 1 }), {\n      status: 200,\n      headers: { \"Content-Type\": \"application/json\" },\n    })\n  }\n}\n\n/**\n * Creates a mock fetch that simulates a conflict (409) on the first push,\n * then succeeds on retry. Useful for testing conflict resolution.\n */\nexport function createConflictFetch(\n  conflictPullResponse: PullResult,\n  successPushResponse?: PushSuccess,\n): typeof globalThis.fetch {\n  let pushCount = 0\n  return async (input, init?) => {\n    const url = typeof input === \"string\" ? input : input instanceof URL ? input.href : (input as Request).url\n    if (url.includes(\"/pull/\")) {\n      return new Response(JSON.stringify(conflictPullResponse), {\n        status: 200,\n        headers: { \"Content-Type\": \"application/json\" },\n      })\n    }\n    pushCount++\n    if (pushCount === 1) {\n      return new Response(JSON.stringify({ error: \"hash_mismatch\" }), { status: 409 })\n    }\n    return new Response(JSON.stringify(successPushResponse ?? { hash: \"resolved\", timestamp: Date.now() }), {\n      status: 200,\n      headers: { \"Content-Type\": \"application/json\" },\n    })\n  }\n}\n"],
-  "mappings": ";AAkBO,SAAS,iBAAiB,WAG4I;AAC3K,QAAM,YAA0D,CAAC;AACjE,QAAM,YAA6F,CAAC;AAEpG,QAAM,OAAe,WAAW,SAAS,aAAa;AAAA,IACpD,MAAM,CAAC;AAAA,IACP,MAAM;AAAA,IACN,WAAW,KAAK,IAAI;AAAA,EACtB;AAEA,QAAM,OAAe,WAAW,SAAS,aAAa;AAAA,IACpD,MAAM;AAAA,IACN,WAAW,KAAK,IAAI;AAAA,EACtB;AAEA,SAAO;AAAA,IACL,MAAM,OAAO,MAAc,eAAwB;AACjD,gBAAU,KAAK,EAAE,MAAM,WAAW,CAAC;AACnC,aAAO,KAAK,MAAM,UAAU;AAAA,IAC9B;AAAA,IACA,MAAM,OAAO,MAAc,MAA+B,UAAyB,QAAiB;AAClG,gBAAU,KAAK,EAAE,MAAM,MAAM,SAAS,CAAC;AACvC,aAAO,KAAK,MAAM,MAAM,UAAU,GAAG;AAAA,IACvC;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAYO,SAAS,gBACd,cACA,cACyB;AACzB,SAAO,OAAO,UAAU;AACtB,UAAM,MAAM,OAAO,UAAU,WAAW,QAAQ,iBAAiB,MAAM,MAAM,OAAQ,MAAkB;AACvG,QAAI,IAAI,SAAS,QAAQ,GAAG;AAC1B,aAAO,IAAI,SAAS,KAAK,UAAU,gBAAgB,EAAE,MAAM,CAAC,GAAG,MAAM,KAAK,WAAW,EAAE,CAAC,GAAG;AAAA,QACzF,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAChD,CAAC;AAAA,IACH;AACA,WAAO,IAAI,SAAS,KAAK,UAAU,gBAAgB,EAAE,MAAM,KAAK,WAAW,EAAE,CAAC,GAAG;AAAA,MAC/E,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAChD,CAAC;AAAA,EACH;AACF;AAMO,SAAS,oBACd,sBACA,qBACyB;AACzB,MAAI,YAAY;AAChB,SAAO,OAAO,OAAO,SAAU;AAC7B,UAAM,MAAM,OAAO,UAAU,WAAW,QAAQ,iBAAiB,MAAM,MAAM,OAAQ,MAAkB;AACvG,QAAI,IAAI,SAAS,QAAQ,GAAG;AAC1B,aAAO,IAAI,SAAS,KAAK,UAAU,oBAAoB,GAAG;AAAA,QACxD,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAChD,CAAC;AAAA,IACH;AACA;AACA,QAAI,cAAc,GAAG;AACnB,aAAO,IAAI,SAAS,KAAK,UAAU,EAAE,OAAO,gBAAgB,CAAC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACjF;AACA,WAAO,IAAI,SAAS,KAAK,UAAU,uBAAuB,EAAE,MAAM,YAAY,WAAW,KAAK,IAAI,EAAE,CAAC,GAAG;AAAA,MACtG,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAChD,CAAC;AAAA,EACH;AACF;",
+  "sourcesContent": ["import type { PullResult, PushSuccess } from \"@drakkar.software/starfish-protocol\"\nimport { StarfishClient } from \"./client.js\"\n\ntype PullFn = (path: string, checkpoint?: number) => Promise<PullResult>\ntype PushFn = (path: string, data: Record<string, unknown>, baseHash: string | null) => Promise<PushSuccess>\n\n/**\n * Creates a mock StarfishClient for testing.\n * Override individual methods or use the defaults (returns static data).\n *\n * @example\n * ```ts\n * const client = createMockClient({\n *   pull: async () => ({ data: { key: \"value\" }, hash: \"h1\", timestamp: 100 }),\n * })\n * const sync = new SyncManager({ client, pullPath: \"/pull/test\", pushPath: \"/push/test\" })\n * ```\n */\nexport function createMockClient(overrides?: {\n  pull?: PullFn\n  push?: PushFn\n}): StarfishClient & { pullCalls: Array<{ path: string; checkpoint?: number }>; pushCalls: Array<{ path: string; data: Record<string, unknown>; baseHash: string | null }> } {\n  const pullCalls: Array<{ path: string; checkpoint?: number }> = []\n  const pushCalls: Array<{ path: string; data: Record<string, unknown>; baseHash: string | null }> = []\n\n  const pull: PullFn = overrides?.pull ?? (async () => ({\n    data: {},\n    hash: \"mock-hash\",\n    timestamp: Date.now(),\n  }))\n\n  const push: PushFn = overrides?.push ?? (async () => ({\n    hash: \"mock-push-hash\",\n    timestamp: Date.now(),\n  }))\n\n  return {\n    pull: async (path: string, checkpoint?: number) => {\n      pullCalls.push({ path, checkpoint })\n      return pull(path, checkpoint)\n    },\n    push: async (path: string, data: Record<string, unknown>, baseHash: string | null) => {\n      pushCalls.push({ path, data, baseHash })\n      return push(path, data, baseHash)\n    },\n    pullCalls,\n    pushCalls,\n  } as unknown as StarfishClient & { pullCalls: typeof pullCalls; pushCalls: typeof pushCalls }\n}\n\n/**\n * Creates a mock fetch that returns predefined responses.\n * Useful for testing StarfishClient directly.\n *\n * @example\n * ```ts\n * const fetch = createMockFetch({ data: { key: \"value\" }, hash: \"h1\", timestamp: 100 })\n * const client = new StarfishClient({ baseUrl: \"https://example.com\", fetch })\n * ```\n */\nexport function createMockFetch(\n  pullResponse?: PullResult,\n  pushResponse?: PushSuccess,\n): typeof globalThis.fetch {\n  return async (input) => {\n    const url = typeof input === \"string\" ? input : input instanceof URL ? input.href : (input as Request).url\n    if (url.includes(\"/pull/\")) {\n      return new Response(JSON.stringify(pullResponse ?? { data: {}, hash: \"h\", timestamp: 1 }), {\n        status: 200,\n        headers: { \"Content-Type\": \"application/json\" },\n      })\n    }\n    return new Response(JSON.stringify(pushResponse ?? { hash: \"h\", timestamp: 1 }), {\n      status: 200,\n      headers: { \"Content-Type\": \"application/json\" },\n    })\n  }\n}\n\n/**\n * Creates a mock fetch that simulates a conflict (409) on the first push,\n * then succeeds on retry. Useful for testing conflict resolution.\n */\nexport function createConflictFetch(\n  conflictPullResponse: PullResult,\n  successPushResponse?: PushSuccess,\n): typeof globalThis.fetch {\n  let pushCount = 0\n  return async (input, init?) => {\n    const url = typeof input === \"string\" ? input : input instanceof URL ? input.href : (input as Request).url\n    if (url.includes(\"/pull/\")) {\n      return new Response(JSON.stringify(conflictPullResponse), {\n        status: 200,\n        headers: { \"Content-Type\": \"application/json\" },\n      })\n    }\n    pushCount++\n    if (pushCount === 1) {\n      return new Response(JSON.stringify({ error: \"hash_mismatch\" }), { status: 409 })\n    }\n    return new Response(JSON.stringify(successPushResponse ?? { hash: \"resolved\", timestamp: Date.now() }), {\n      status: 200,\n      headers: { \"Content-Type\": \"application/json\" },\n    })\n  }\n}\n"],
+  "mappings": ";AAkBO,SAAS,iBAAiB,WAG4I;AAC3K,QAAM,YAA0D,CAAC;AACjE,QAAM,YAA6F,CAAC;AAEpG,QAAM,OAAe,WAAW,SAAS,aAAa;AAAA,IACpD,MAAM,CAAC;AAAA,IACP,MAAM;AAAA,IACN,WAAW,KAAK,IAAI;AAAA,EACtB;AAEA,QAAM,OAAe,WAAW,SAAS,aAAa;AAAA,IACpD,MAAM;AAAA,IACN,WAAW,KAAK,IAAI;AAAA,EACtB;AAEA,SAAO;AAAA,IACL,MAAM,OAAO,MAAc,eAAwB;AACjD,gBAAU,KAAK,EAAE,MAAM,WAAW,CAAC;AACnC,aAAO,KAAK,MAAM,UAAU;AAAA,IAC9B;AAAA,IACA,MAAM,OAAO,MAAc,MAA+B,aAA4B;AACpF,gBAAU,KAAK,EAAE,MAAM,MAAM,SAAS,CAAC;AACvC,aAAO,KAAK,MAAM,MAAM,QAAQ;AAAA,IAClC;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAYO,SAAS,gBACd,cACA,cACyB;AACzB,SAAO,OAAO,UAAU;AACtB,UAAM,MAAM,OAAO,UAAU,WAAW,QAAQ,iBAAiB,MAAM,MAAM,OAAQ,MAAkB;AACvG,QAAI,IAAI,SAAS,QAAQ,GAAG;AAC1B,aAAO,IAAI,SAAS,KAAK,UAAU,gBAAgB,EAAE,MAAM,CAAC,GAAG,MAAM,KAAK,WAAW,EAAE,CAAC,GAAG;AAAA,QACzF,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAChD,CAAC;AAAA,IACH;AACA,WAAO,IAAI,SAAS,KAAK,UAAU,gBAAgB,EAAE,MAAM,KAAK,WAAW,EAAE,CAAC,GAAG;AAAA,MAC/E,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAChD,CAAC;AAAA,EACH;AACF;AAMO,SAAS,oBACd,sBACA,qBACyB;AACzB,MAAI,YAAY;AAChB,SAAO,OAAO,OAAO,SAAU;AAC7B,UAAM,MAAM,OAAO,UAAU,WAAW,QAAQ,iBAAiB,MAAM,MAAM,OAAQ,MAAkB;AACvG,QAAI,IAAI,SAAS,QAAQ,GAAG;AAC1B,aAAO,IAAI,SAAS,KAAK,UAAU,oBAAoB,GAAG;AAAA,QACxD,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAChD,CAAC;AAAA,IACH;AACA;AACA,QAAI,cAAc,GAAG;AACnB,aAAO,IAAI,SAAS,KAAK,UAAU,EAAE,OAAO,gBAAgB,CAAC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACjF;AACA,WAAO,IAAI,SAAS,KAAK,UAAU,uBAAuB,EAAE,MAAM,YAAY,WAAW,KAAK,IAAI,EAAE,CAAC,GAAG;AAAA,MACtG,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAChD,CAAC;AAAA,EACH;AACF;",
   "names": []
 }

package/dist/types.d.ts

@@ -1,3 +1,4 @@
+import type { CapCert } from "@drakkar.software/starfish-protocol";
 /** Push conflict error (HTTP 409). */
 export declare class ConflictError extends Error {
     constructor();
@@ -9,22 +10,60 @@ export declare class StarfishHttpError extends Error {
     constructor(status: number, body: string);
 }
 /**
- * Auth provider: returns headers to include in requests.
- * Called for every authenticated request (pull and push).
+ * v3.0 cap-cert provider for `StarfishClient`. Returns the device's cap-cert and
+ * the matching Ed25519 private key (hex). The client calls `getCap()` once per
+ * outgoing request; implementations are expected to cache so this is cheap.
+ *
+ * When set, the client signs every outgoing request: each call carries
+ * `Authorization: Cap <base64(stableStringify(cap))>` plus `X-Starfish-Sig`,
+ * `X-Starfish-Ts`, `X-Starfish-Nonce`.
  */
-export type AuthProvider = (req: {
-    method: string;
-    path: string;
-    body: string | null;
-}) => Record<string, string> | Promise<Record<string, string>>;
+export interface StarfishCapProvider {
+    /**
+     * Returns the device's cap-cert and its Ed25519 private key (hex).
+     * Implementations are expected to cache; the client may call this once per
+     * authenticated request.
+     */
+    getCap(): Promise<{
+        cap: CapCert;
+        devEdPrivHex: string;
+    }>;
+}
 /** Options for creating a StarfishClient. */
 export interface StarfishClientOptions {
     /** Base URL of the Starfish server (e.g. "https://api.example.com/v1"). */
     baseUrl: string;
-    /** Auth provider that returns headers for authenticated requests. Optional for public-read collections. */
-    auth?: AuthProvider;
+    /**
+     * Cap-cert provider. When set, requests are signed with Ed25519 and carry
+     * `Authorization: Cap <…>`. Omit for unauthenticated public-read collections.
+     */
+    capProvider?: StarfishCapProvider;
     /** Optional fetch implementation (defaults to global fetch). */
     fetch?: typeof fetch;
+    /**
+     * Optional list of client-side plugins. The list is stored on the client
+     * instance but does not fire any hooks yet — the contract is plumbed so
+     * extension packages (`starfish-identities`, `starfish-keyring`,
+     * `starfish-sharing`, …) can register against it later without a breaking
+     * API change.
+     *
+     * The current set of hooks is purposely empty; extensions that need to
+     * react to mint events or transport actions today can wrap the client
+     * directly. Future hook additions will be additive.
+     */
+    plugins?: ClientPlugin[];
+}
+/**
+ * Client-side plugin contract.
+ *
+ * A placeholder shape: the interface intentionally has no required hooks
+ * yet; extensions declare a plugin object with `name` and opt into
+ * specific lifecycle hooks once those exist. Apps wire plugins via
+ * `new StarfishClient({ plugins: [...] })`.
+ */
+export interface ClientPlugin {
+    /** Human-readable name. Used in error messages and audit output. */
+    name: string;
 }
 /** Conflict resolver: given local and remote data, return merged result. */
 export type ConflictResolver = (local: Record<string, unknown>, remote: Record<string, unknown>) => Record<string, unknown>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@drakkar.software/starfish-client",
-  "version": "2.3.0",
+  "version": "3.0.0-alpha.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/Drakkar-Software/starfish.git",
@@ -37,14 +37,6 @@
     "./testing": {
       "types": "./dist/testing.d.ts",
       "import": "./dist/testing.js"
-    },
-    "./identity": {
-      "types": "./dist/identity.d.ts",
-      "import": "./dist/identity.js"
-    },
-    "./group": {
-      "types": "./dist/group-crypto.d.ts",
-      "import": "./dist/group-crypto.js"
     }
   },
   "peerDependencies": {
@@ -68,20 +60,19 @@
     }
   },
   "dependencies": {
-    "@noble/curves": "^2.2.0",
-    "@drakkar.software/starfish-protocol": "2.3.0"
+    "@drakkar.software/starfish-protocol": "3.0.0-alpha.0"
   },
   "devDependencies": {
     "@legendapp/state": "^2.0.0",
     "@testing-library/react": "^16.3.2",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
+    "esbuild": "^0.27.4",
     "hono": "^4.12.7",
     "immer": "^11.1.4",
     "jsdom": "^29.0.1",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
-    "esbuild": "^0.27.4",
     "typescript": "^5.5.0",
     "vitest": "^3.0.0",
     "zustand": "^5.0.11"

package/dist/background-sync.js

@@ -1,29 +0,0 @@
-/**
- * Background Sync API integration for pending changes.
- * Uses the Web Background Sync API to retry failed sync operations
- * when connectivity is restored, even if the app is closed.
- */
-/** Check if the Background Sync API is supported in the current environment. */
-export function isBackgroundSyncSupported() {
-    return (typeof navigator !== "undefined" &&
-        "serviceWorker" in navigator &&
-        "SyncManager" in globalThis);
-}
-/**
- * Register a background sync event with the active service worker.
- * Returns true if registration succeeded, false if not supported or no active SW.
- */
-export async function registerBackgroundSync(opts) {
-    if (!isBackgroundSyncSupported())
-        return false;
-    const tag = opts?.tag ?? "starfish-sync";
-    try {
-        const registration = await navigator.serviceWorker.ready;
-        // @ts-expect-error - SyncManager types may not be available
-        await registration.sync.register(tag);
-        return true;
-    }
-    catch {
-        return false;
-    }
-}

package/dist/bindings/suspense.js

@@ -1,49 +0,0 @@
-/**
- * React Suspense integration for Starfish sync data.
- * Creates resources that throw Promises while loading (Suspense protocol).
- */
-/**
- * Create a Suspense-compatible resource from an async fetcher.
- * The first call to `read()` triggers the fetch. While loading, `read()` throws
- * a Promise (which React Suspense catches to show a fallback). Once resolved,
- * `read()` returns the value synchronously.
- *
- * @example
- * ```tsx
- * const resource = createSuspenseResource(() => syncManager.pull())
- * function MyComponent() {
- *   const data = resource.read() // throws while loading, returns data when ready
- *   return <div>{JSON.stringify(data)}</div>
- * }
- * ```
- */
-export function createSuspenseResource(fetcher) {
-    let status = "pending";
-    let result;
-    let error;
-    let promise = null;
-    function init() {
-        if (promise)
-            return promise;
-        promise = fetcher().then((value) => {
-            status = "resolved";
-            result = value;
-        }, (err) => {
-            status = "rejected";
-            error = err;
-        });
-        return promise;
-    }
-    return {
-        read() {
-            switch (status) {
-                case "pending":
-                    throw init();
-                case "resolved":
-                    return result;
-                case "rejected":
-                    throw error;
-            }
-        },
-    };
-}

package/dist/client.js

@@ -1,112 +0,0 @@
-import { ConflictError, StarfishHttpError } from "./types.js";
-/**
- * Low-level HTTP client for the Starfish sync protocol.
- * Handles auth headers and response parsing.
- */
-export class StarfishClient {
-    baseUrl;
-    auth;
-    fetch;
-    constructor(options) {
-        this.baseUrl = options.baseUrl.replace(/\/$/, "");
-        this.auth = options.auth;
-        this.fetch = options.fetch ?? globalThis.fetch.bind(globalThis);
-    }
-    /**
-     * Pull synced data from the server.
-     * @param path - The pull endpoint path (e.g. "/pull/users/abc/settings")
-     * @param checkpoint - Only return data updated after this timestamp (0 = full pull)
-     */
-    async pull(path, checkpoint) {
-        const url = checkpoint
-            ? `${this.baseUrl}${path}?checkpoint=${checkpoint}`
-            : `${this.baseUrl}${path}`;
-        const authHeaders = this.auth
-            ? await this.auth({ method: "GET", path, body: null })
-            : {};
-        const res = await this.fetch(url, {
-            method: "GET",
-            headers: { Accept: "application/json", ...authHeaders },
-        });
-        if (!res.ok) {
-            throw new StarfishHttpError(res.status, await res.text());
-        }
-        return res.json();
-    }
-    /**
-     * Push synced data to the server.
-     * @param path - The push endpoint path (e.g. "/push/users/abc/settings")
-     * @param data - The full document data to push
-     * @param baseHash - Hash of the document this push is based on (null for first push)
-     * @param authorSignature - Optional author signature for provenance
-     * @throws {ConflictError} if the server detects a hash mismatch (409)
-     */
-    async push(path, data, baseHash, authorSignature) {
-        const body = JSON.stringify({
-            data,
-            baseHash,
-            ...(authorSignature && { authorSignature }),
-        });
-        const authHeaders = this.auth
-            ? await this.auth({ method: "POST", path, body })
-            : {};
-        const res = await this.fetch(`${this.baseUrl}${path}`, {
-            method: "POST",
-            headers: {
-                "Content-Type": "application/json",
-                Accept: "application/json",
-                ...authHeaders,
-            },
-            body,
-        });
-        if (res.status === 409) {
-            throw new ConflictError();
-        }
-        if (!res.ok) {
-            throw new StarfishHttpError(res.status, await res.text());
-        }
-        return res.json();
-    }
-    /**
-     * Pull binary data from a blob collection.
-     * Returns raw bytes with the content hash from the ETag header.
-     */
-    async pullBlob(path) {
-        const authHeaders = this.auth
-            ? await this.auth({ method: "GET", path, body: null })
-            : {};
-        const res = await this.fetch(`${this.baseUrl}${path}`, {
-            method: "GET",
-            headers: { Accept: "*/*", ...authHeaders },
-        });
-        if (!res.ok) {
-            throw new StarfishHttpError(res.status, await res.text());
-        }
-        const etag = res.headers.get("ETag")?.replace(/"/g, "") ?? null;
-        const contentType = res.headers.get("Content-Type") ?? "application/octet-stream";
-        const data = await res.arrayBuffer();
-        return { data, hash: etag, contentType };
-    }
-    /**
-     * Push binary data to a blob collection.
-     * Binary collections use last-write-wins (no conflict detection).
-     */
-    async pushBlob(path, data, contentType) {
-        const authHeaders = this.auth
-            ? await this.auth({ method: "POST", path, body: null })
-            : {};
-        const res = await this.fetch(`${this.baseUrl}${path}`, {
-            method: "POST",
-            headers: {
-                "Content-Type": contentType,
-                Accept: "application/json",
-                ...authHeaders,
-            },
-            body: data,
-        });
-        if (!res.ok) {
-            throw new StarfishHttpError(res.status, await res.text());
-        }
-        return res.json();
-    }
-}

package/dist/config.js

@@ -1,18 +0,0 @@
-/**
- * Fetch the server's collection manifest from GET /config.
- *
- * @param baseUrl - Base URL of the Starfish server (e.g. `"https://api.example.com/v1"`).
- * @param options.headers - Optional request headers (e.g. `Authorization`).
- * @throws {Error} if the server returns a non-2xx response.
- */
-export async function fetchServerConfig(baseUrl, options) {
-    const url = `${baseUrl.replace(/\/$/, "")}/config`;
-    const res = await fetch(url, {
-        method: "GET",
-        headers: options?.headers,
-    });
-    if (!res.ok) {
-        throw new Error(`fetchServerConfig: ${res.status} ${res.statusText}`);
-    }
-    return res.json();
-}

package/dist/crypto.js

@@ -1,49 +0,0 @@
-import { getCrypto, getBase64, IV_BYTES, ENCRYPTED_KEY, deriveKey } from "@drakkar.software/starfish-protocol";
-const ALGO = "AES-GCM";
-export { ENCRYPTED_KEY };
-/**
- * Creates an Encryptor that uses AES-256-GCM with HKDF-derived keys.
- */
-export function createEncryptor(secret, salt, info = "starfish-e2e") {
-    if (!secret)
-        throw new Error("encryptionSecret must not be empty");
-    if (!salt)
-        throw new Error("encryptionSalt must not be empty");
-    const keyPromise = deriveKey(secret, salt, info);
-    return {
-        async encrypt(data) {
-            const key = await keyPromise;
-            const c = getCrypto();
-            const b64 = getBase64();
-            const plaintext = new TextEncoder().encode(JSON.stringify(data));
-            const iv = c.getRandomValues(new Uint8Array(IV_BYTES));
-            const ciphertext = await c.subtle.encrypt({ name: ALGO, iv }, key, plaintext);
-            const combined = new Uint8Array(iv.length + ciphertext.byteLength);
-            combined.set(iv);
-            combined.set(new Uint8Array(ciphertext), iv.length);
-            return { [ENCRYPTED_KEY]: b64.encode(combined) };
-        },
-        async decrypt(wrapper) {
-            const encoded = wrapper[ENCRYPTED_KEY];
-            if (typeof encoded !== "string") {
-                throw new Error("Expected encrypted data but received unencrypted document");
-            }
-            const key = await keyPromise;
-            const c = getCrypto();
-            const b64 = getBase64();
-            const combined = b64.decode(encoded);
-            if (combined.length < IV_BYTES) {
-                throw new Error("Encrypted data is too short");
-            }
-            const iv = combined.slice(0, IV_BYTES);
-            const ciphertext = combined.slice(IV_BYTES);
-            try {
-                const plaintext = await c.subtle.decrypt({ name: ALGO, iv }, key, ciphertext);
-                return JSON.parse(new TextDecoder().decode(plaintext));
-            }
-            catch (err) {
-                throw new Error("Decryption failed: data may be tampered or key is incorrect", { cause: err });
-            }
-        },
-    };
-}