@hashtree/worker 0.2.0 → 0.2.2

package/src/relay/signing.ts

@@ -0,0 +1,332 @@
+// @ts-nocheck
+/**
+ * Worker Signing & Encryption
+ *
+ * Provides signing, encryption, and gift wrap functions.
+ * Uses nsec directly when available, delegates to main thread otherwise.
+ */
+
+import { generateSecretKey, finalizeEvent, nip44 } from 'nostr-tools';
+import type { EventTemplate } from 'nostr-tools';
+import { getSecretKey, getPubkey, getEphemeralSecretKey } from './identity';
+import type { SignedEvent, UnsignedEvent } from './protocol';
+
+// Pending NIP-07 requests (waiting for main thread)
+const pendingSignRequests = new Map<string, (event: SignedEvent | null, error?: string) => void>();
+const pendingEncryptRequests = new Map<string, (ciphertext: string | null, error?: string) => void>();
+const pendingDecryptRequests = new Map<string, (plaintext: string | null, error?: string) => void>();
+
+// Response sender (set by worker.ts)
+let postResponse: ((msg: unknown) => void) | null = null;
+
+export function setResponseSender(fn: (msg: unknown) => void) {
+  postResponse = fn;
+}
+
+function bytesToHex(bytes: Uint8Array): string {
+  let hex = '';
+  for (const byte of bytes) {
+    hex += byte.toString(16).padStart(2, '0');
+  }
+  return hex;
+}
+
+function normalizeTagValue(value: unknown): string {
+  if (typeof value === 'string') return value;
+  if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {
+    return String(value);
+  }
+  if (value == null) return '';
+  if (value instanceof Uint8Array) return bytesToHex(value);
+  if (ArrayBuffer.isView(value)) {
+    return bytesToHex(new Uint8Array(value.buffer, value.byteOffset, value.byteLength));
+  }
+  if (value instanceof ArrayBuffer) return bytesToHex(new Uint8Array(value));
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return String(value);
+  }
+}
+
+function sanitizeTags(tags: unknown): string[][] {
+  if (!Array.isArray(tags)) return [];
+
+  let needsSanitize = false;
+  for (const tag of tags) {
+    if (!Array.isArray(tag)) {
+      needsSanitize = true;
+      break;
+    }
+    for (const value of tag) {
+      if (typeof value !== 'string') {
+        needsSanitize = true;
+        break;
+      }
+    }
+    if (needsSanitize) break;
+  }
+
+  if (!needsSanitize) return tags as string[][];
+
+  const sanitized: string[][] = [];
+  for (const tag of tags) {
+    if (!Array.isArray(tag)) continue;
+    const normalized: string[] = [];
+    for (const value of tag) {
+      normalized.push(normalizeTagValue(value));
+    }
+    sanitized.push(normalized);
+  }
+  return sanitized;
+}
+
+// ============================================================================
+// Signing
+// ============================================================================
+
+/**
+ * Sign an event with user's real identity.
+ * - For nsec login: signs directly with secret key
+ * - For extension login: delegates to main thread via NIP-07
+ */
+export async function signEvent(template: EventTemplate): Promise<SignedEvent> {
+  template.tags = sanitizeTags(template.tags ?? []);
+  const secretKey = getSecretKey();
+  if (secretKey) {
+    const event = finalizeEvent(template, secretKey);
+    return {
+      id: event.id,
+      pubkey: event.pubkey,
+      kind: event.kind,
+      content: event.content,
+      tags: event.tags,
+      created_at: event.created_at,
+      sig: event.sig,
+    };
+  } else {
+    return requestSign({
+      kind: template.kind,
+      created_at: template.created_at,
+      content: template.content,
+      tags: template.tags,
+    });
+  }
+}
+
+/**
+ * Synchronous sign (only works with nsec, falls back to ephemeral)
+ */
+export function signEventSync(template: EventTemplate): SignedEvent {
+  template.tags = sanitizeTags(template.tags ?? []);
+  const secretKey = getSecretKey() || getEphemeralSecretKey();
+  if (!secretKey) {
+    throw new Error('No signing key available');
+  }
+  const event = finalizeEvent(template, secretKey);
+  return {
+    id: event.id,
+    pubkey: event.pubkey,
+    kind: event.kind,
+    content: event.content,
+    tags: event.tags,
+    created_at: event.created_at,
+    sig: event.sig,
+  };
+}
+
+// ============================================================================
+// Encryption
+// ============================================================================
+
+/**
+ * Encrypt plaintext for a recipient using NIP-44
+ */
+export async function encrypt(recipientPubkey: string, plaintext: string): Promise<string> {
+  const secretKey = getSecretKey();
+  if (secretKey) {
+    const conversationKey = nip44.v2.utils.getConversationKey(secretKey, recipientPubkey);
+    return nip44.v2.encrypt(plaintext, conversationKey);
+  } else {
+    return requestEncrypt(recipientPubkey, plaintext);
+  }
+}
+
+/**
+ * Decrypt ciphertext from a sender using NIP-44
+ */
+export async function decrypt(senderPubkey: string, ciphertext: string): Promise<string> {
+  const secretKey = getSecretKey();
+  if (secretKey) {
+    const conversationKey = nip44.v2.utils.getConversationKey(secretKey, senderPubkey);
+    return nip44.v2.decrypt(ciphertext, conversationKey);
+  } else {
+    return requestDecrypt(senderPubkey, ciphertext);
+  }
+}
+
+// ============================================================================
+// Gift Wrap (NIP-17 style private messaging)
+// ============================================================================
+
+interface Seal {
+  pubkey: string;
+  kind: number;
+  content: string;
+  tags: string[][];
+}
+
+/**
+ * Gift wrap an event for private delivery.
+ */
+export async function giftWrap(
+  innerEvent: { kind: number; content: string; tags: string[][] },
+  recipientPubkey: string
+): Promise<SignedEvent> {
+  const myPubkey = getPubkey();
+  if (!myPubkey) throw new Error('No pubkey available');
+
+  const seal: Seal = {
+    pubkey: myPubkey,
+    kind: innerEvent.kind,
+    content: innerEvent.content,
+    tags: innerEvent.tags,
+  };
+
+  // Generate ephemeral keypair for the wrapper
+  const ephemeralSk = generateSecretKey();
+
+  // Encrypt the seal for the recipient
+  const conversationKey = nip44.v2.utils.getConversationKey(ephemeralSk, recipientPubkey);
+  const encryptedContent = nip44.v2.encrypt(JSON.stringify(seal), conversationKey);
+
+  const createdAt = Math.floor(Date.now() / 1000);
+  const expiration = createdAt + 5 * 60;
+
+  const event = finalizeEvent({
+    kind: 25050,
+    created_at: createdAt,
+    tags: [
+      ['p', recipientPubkey],
+      ['expiration', expiration.toString()],
+    ],
+    content: encryptedContent,
+  }, ephemeralSk);
+
+  return {
+    id: event.id,
+    pubkey: event.pubkey,
+    kind: event.kind,
+    content: event.content,
+    tags: event.tags,
+    created_at: event.created_at,
+    sig: event.sig,
+  };
+}
+
+/**
+ * Unwrap a gift wrapped event.
+ */
+export async function giftUnwrap(event: SignedEvent): Promise<Seal | null> {
+  try {
+    const decrypted = await decrypt(event.pubkey, event.content);
+    return JSON.parse(decrypted) as Seal;
+  } catch {
+    return null;
+  }
+}
+
+// ============================================================================
+// NIP-07 Delegation (for extension login)
+// ============================================================================
+
+async function requestSign(event: UnsignedEvent): Promise<SignedEvent> {
+  const id = `sign_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+
+  return new Promise((resolve, reject) => {
+    pendingSignRequests.set(id, (signed, error) => {
+      if (error) reject(new Error(error));
+      else if (signed) resolve(signed);
+      else reject(new Error('Signing failed'));
+    });
+
+    postResponse?.({ type: 'signEvent', id, event });
+
+    setTimeout(() => {
+      if (pendingSignRequests.has(id)) {
+        pendingSignRequests.delete(id);
+        reject(new Error('Signing timeout'));
+      }
+    }, 60000);
+  });
+}
+
+async function requestEncrypt(pubkey: string, plaintext: string): Promise<string> {
+  const id = `enc_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+
+  return new Promise((resolve, reject) => {
+    pendingEncryptRequests.set(id, (ciphertext, error) => {
+      if (error) reject(new Error(error));
+      else if (ciphertext) resolve(ciphertext);
+      else reject(new Error('Encryption failed'));
+    });
+
+    postResponse?.({ type: 'nip44Encrypt', id, pubkey, plaintext });
+
+    setTimeout(() => {
+      if (pendingEncryptRequests.has(id)) {
+        pendingEncryptRequests.delete(id);
+        reject(new Error('Encryption timeout'));
+      }
+    }, 30000);
+  });
+}
+
+async function requestDecrypt(pubkey: string, ciphertext: string): Promise<string> {
+  const id = `dec_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+
+  return new Promise((resolve, reject) => {
+    pendingDecryptRequests.set(id, (plaintext, error) => {
+      if (error) reject(new Error(error));
+      else if (plaintext) resolve(plaintext);
+      else reject(new Error('Decryption failed'));
+    });
+
+    postResponse?.({ type: 'nip44Decrypt', id, pubkey, ciphertext });
+
+    setTimeout(() => {
+      if (pendingDecryptRequests.has(id)) {
+        pendingDecryptRequests.delete(id);
+        reject(new Error('Decryption timeout'));
+      }
+    }, 30000);
+  });
+}
+
+// ============================================================================
+// Response Handlers (called by worker.ts when main thread responds)
+// ============================================================================
+
+export function handleSignedResponse(id: string, event?: SignedEvent, error?: string) {
+  const resolver = pendingSignRequests.get(id);
+  if (resolver) {
+    pendingSignRequests.delete(id);
+    resolver(event || null, error);
+  }
+}
+
+export function handleEncryptedResponse(id: string, ciphertext?: string, error?: string) {
+  const resolver = pendingEncryptRequests.get(id);
+  if (resolver) {
+    pendingEncryptRequests.delete(id);
+    resolver(ciphertext || null, error);
+  }
+}
+
+export function handleDecryptedResponse(id: string, plaintext?: string, error?: string) {
+  const resolver = pendingDecryptRequests.get(id);
+  if (resolver) {
+    pendingDecryptRequests.delete(id);
+    resolver(plaintext || null, error);
+  }
+}

package/src/relay/treeRootCache.ts

@@ -0,0 +1,354 @@
+// @ts-nocheck
+/**
+ * Tree Root Cache
+ *
+ * Persists npub/treeName → CID mappings using any Store implementation.
+ * This allows quick resolution of tree roots without waiting for Nostr.
+ *
+ * Storage format:
+ * - Key prefix: "root:" (to distinguish from content chunks)
+ * - Key: SHA256("root:" + npub + "/" + treeName)
+ * - Value: MessagePack { hash, key?, visibility, updatedAt }
+ */
+
+import type { CID, Store, TreeVisibility } from '@hashtree/core';
+import { sha256 } from '@hashtree/core';
+import { encode, decode } from '@msgpack/msgpack';
+import { LRUCache } from './utils/lruCache';
+
+// Cached root entry
+interface CachedRoot {
+  hash: Uint8Array;        // Root hash
+  key?: Uint8Array;        // CHK decryption key (for encrypted trees)
+  visibility: TreeVisibility;
+  labels?: string[];
+  updatedAt: number;       // Unix timestamp
+  eventId?: string;        // Source event id for same-second tie-breaking
+  snapshotNhash?: string;  // Signed root-event snapshot permalink
+  encryptedKey?: string;   // For link-visible trees
+  keyId?: string;          // For link-visible trees
+  selfEncryptedKey?: string; // For private trees
+  selfEncryptedLinkKey?: string; // For link-visible trees
+}
+
+export interface SetCachedRootResult {
+  applied: boolean;
+  record: CachedRoot;
+}
+
+// In-memory LRU cache for fast lookups (limited to 1000 entries to prevent memory leak)
+// Data is backed by persistent store so eviction is safe
+const memoryCache = new LRUCache<string, CachedRoot>(1000);
+const updateListeners = new Set<(npub: string, treeName: string, cid: CID | null) => void>();
+
+// Store reference
+let store: Store | null = null;
+
+function compareReplaceableEventOrder(
+  candidateUpdatedAt: number,
+  candidateEventId: string | null | undefined,
+  currentUpdatedAt: number,
+  currentEventId: string | null | undefined,
+): number {
+  if (candidateUpdatedAt !== currentUpdatedAt) {
+    return candidateUpdatedAt - currentUpdatedAt;
+  }
+
+  const candidateId = candidateEventId ?? '';
+  const currentId = currentEventId ?? '';
+  if (candidateId === currentId) {
+    return 0;
+  }
+
+  if (!candidateId) return -1;
+  if (!currentId) return 1;
+  return candidateId.localeCompare(currentId);
+}
+
+function notifyUpdate(npub: string, treeName: string, cid: CID | null): void {
+  for (const listener of updateListeners) {
+    listener(npub, treeName, cid);
+  }
+}
+
+/**
+ * Initialize the cache with a store
+ */
+export function initTreeRootCache(storeImpl: Store): void {
+  store = storeImpl;
+}
+
+export function getTreeRootCacheStore(): Store | null {
+  return store;
+}
+
+/**
+ * Generate storage key for a tree root
+ */
+async function makeStorageKey(npub: string, treeName: string): Promise<Uint8Array> {
+  const keyStr = `root:${npub}/${treeName}`;
+  return sha256(new TextEncoder().encode(keyStr));
+}
+
+/**
+ * Get a cached tree root
+ */
+export async function getCachedRoot(npub: string, treeName: string): Promise<CID | null> {
+  const cacheKey = `${npub}/${treeName}`;
+
+  // Check memory cache first
+  const memCached = memoryCache.get(cacheKey);
+  if (memCached) {
+    return { hash: memCached.hash, key: memCached.key };
+  }
+
+  // Check persistent store
+  if (!store) return null;
+
+  const storageKey = await makeStorageKey(npub, treeName);
+  const data = await store.get(storageKey);
+  if (!data) return null;
+
+  try {
+    const cached = decode(data) as CachedRoot;
+    // Update memory cache
+    memoryCache.set(cacheKey, cached);
+    return { hash: cached.hash, key: cached.key };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get full cached root info (including visibility)
+ */
+export async function getCachedRootInfo(npub: string, treeName: string): Promise<CachedRoot | null> {
+  const cacheKey = `${npub}/${treeName}`;
+
+  // Check memory cache first
+  const memCached = memoryCache.get(cacheKey);
+  if (memCached) return memCached;
+
+  // Check persistent store
+  if (!store) return null;
+
+  const storageKey = await makeStorageKey(npub, treeName);
+  const data = await store.get(storageKey);
+  if (!data) return null;
+
+  try {
+    const cached = decode(data) as CachedRoot;
+    memoryCache.set(cacheKey, cached);
+    return cached;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Cache a tree root
+ */
+export async function setCachedRoot(
+  npub: string,
+  treeName: string,
+  cid: CID,
+  visibility: TreeVisibility = 'public',
+  options?: {
+    updatedAt?: number;
+    eventId?: string;
+    labels?: string[];
+    snapshotNhash?: string;
+    encryptedKey?: string;
+    keyId?: string;
+    selfEncryptedKey?: string;
+    selfEncryptedLinkKey?: string;
+  }
+): Promise<SetCachedRootResult> {
+  const cacheKey = `${npub}/${treeName}`;
+  const existing = await getCachedRootInfo(npub, treeName);
+  const updatedAt = options?.updatedAt ?? Math.floor(Date.now() / 1000);
+  const eventId = options?.eventId;
+  const sameHash = !!existing && hashEquals(existing.hash, cid.hash);
+
+  if (existing && compareReplaceableEventOrder(updatedAt, eventId, existing.updatedAt, existing.eventId) < 0) {
+    return { applied: false, record: existing };
+  }
+
+  const cached: CachedRoot = {
+    hash: cid.hash,
+    key: cid.key ?? (sameHash ? existing?.key : undefined),
+    visibility,
+    labels: options?.labels ?? existing?.labels,
+    updatedAt,
+    eventId: eventId ?? (sameHash ? existing?.eventId : undefined),
+    snapshotNhash: options?.snapshotNhash ?? (sameHash ? existing?.snapshotNhash : undefined),
+    encryptedKey: options?.encryptedKey ?? (sameHash ? existing?.encryptedKey : undefined),
+    keyId: options?.keyId ?? (sameHash ? existing?.keyId : undefined),
+    selfEncryptedKey: options?.selfEncryptedKey ?? (sameHash ? existing?.selfEncryptedKey : undefined),
+    selfEncryptedLinkKey: options?.selfEncryptedLinkKey ?? (sameHash ? existing?.selfEncryptedLinkKey : undefined),
+  };
+
+  if (existing && cachedRootEquals(existing, cached)) {
+    return { applied: false, record: existing };
+  }
+
+  // Update memory cache
+  memoryCache.set(cacheKey, cached);
+  notifyUpdate(npub, treeName, { hash: cached.hash, key: cached.key });
+
+  // Persist to store
+  if (store) {
+    const storageKey = await makeStorageKey(npub, treeName);
+    const data = encode(cached);
+    await store.put(storageKey, new Uint8Array(data));
+  }
+
+  return { applied: true, record: cached };
+}
+
+/**
+ * Merge a decrypted key into an existing cache entry (if hash matches).
+ */
+export async function mergeCachedRootKey(
+  npub: string,
+  treeName: string,
+  hash: Uint8Array,
+  key: Uint8Array
+): Promise<boolean> {
+  const cacheKey = `${npub}/${treeName}`;
+
+  const cached = await getCachedRootInfo(npub, treeName);
+  if (!cached) return false;
+  if (cached.key) return false;
+  if (!hashEquals(cached.hash, hash)) return false;
+
+  const merged: CachedRoot = {
+    ...cached,
+    key,
+  };
+
+  memoryCache.set(cacheKey, merged);
+  notifyUpdate(npub, treeName, { hash: merged.hash, key: merged.key });
+
+  if (store) {
+    const storageKey = await makeStorageKey(npub, treeName);
+    const data = encode(merged);
+    await store.put(storageKey, new Uint8Array(data));
+  }
+
+  return true;
+}
+
+/**
+ * Remove a cached tree root
+ */
+export async function removeCachedRoot(npub: string, treeName: string): Promise<void> {
+  const cacheKey = `${npub}/${treeName}`;
+
+  // Remove from memory cache
+  memoryCache.delete(cacheKey);
+  notifyUpdate(npub, treeName, null);
+
+  // Remove from persistent store
+  if (store) {
+    const storageKey = await makeStorageKey(npub, treeName);
+    await store.delete(storageKey);
+  }
+}
+
+/**
+ * List all cached roots for an npub
+ * Note: This scans memory cache only - persistent lookup requires iteration
+ */
+export function listCachedRoots(npub: string): Array<{
+  treeName: string;
+  cid: CID;
+  visibility: TreeVisibility;
+  updatedAt: number;
+}> {
+  const prefix = `${npub}/`;
+  const results: Array<{
+    treeName: string;
+    cid: CID;
+    visibility: TreeVisibility;
+    updatedAt: number;
+  }> = [];
+
+  for (const [key, cached] of memoryCache) {
+    if (key.startsWith(prefix)) {
+      const treeName = key.slice(prefix.length);
+      results.push({
+        treeName,
+        cid: { hash: cached.hash, key: cached.key },
+        visibility: cached.visibility,
+        updatedAt: cached.updatedAt,
+      });
+    }
+  }
+
+  return results;
+}
+
+/**
+ * Clear all cached roots (memory only)
+ */
+export function clearMemoryCache(): void {
+  memoryCache.clear();
+}
+
+export function onCachedRootUpdate(
+  listener: (npub: string, treeName: string, cid: CID | null) => void
+): () => void {
+  updateListeners.add(listener);
+  return () => {
+    updateListeners.delete(listener);
+  };
+}
+
+/**
+ * Get cache stats
+ */
+export function getCacheStats(): { memoryEntries: number } {
+  return {
+    memoryEntries: memoryCache.size,
+  };
+}
+
+function hashEquals(a: Uint8Array, b: Uint8Array): boolean {
+  if (a.length !== b.length) return false;
+  for (let i = 0; i < a.length; i += 1) {
+    if (a[i] !== b[i]) return false;
+  }
+  return true;
+}
+
+function optionalHashEquals(a?: Uint8Array, b?: Uint8Array): boolean {
+  if (!a && !b) return true;
+  if (!a || !b) return false;
+  return hashEquals(a, b);
+}
+
+function labelsEqual(a?: string[], b?: string[]): boolean {
+  if (!a && !b) return true;
+  if (!a || !b) return false;
+  if (a.length !== b.length) return false;
+  for (let i = 0; i < a.length; i += 1) {
+    if (a[i] !== b[i]) return false;
+  }
+  return true;
+}
+
+function cachedRootEquals(a: CachedRoot, b: CachedRoot): boolean {
+  return (
+    hashEquals(a.hash, b.hash) &&
+    optionalHashEquals(a.key, b.key) &&
+    a.visibility === b.visibility &&
+    labelsEqual(a.labels, b.labels) &&
+    a.updatedAt === b.updatedAt &&
+    a.snapshotNhash === b.snapshotNhash &&
+    a.encryptedKey === b.encryptedKey &&
+    a.keyId === b.keyId &&
+    a.selfEncryptedKey === b.selfEncryptedKey &&
+    a.selfEncryptedLinkKey === b.selfEncryptedLinkKey
+  );
+}