@keyhive/keyhive 0.1.0-alpha.2 → 0.1.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@keyhive/keyhive",
3
- "version": "0.1.0-alpha.2",
3
+ "version": "0.1.0-alpha.4",
4
4
  "description": "",
5
5
  "main": "pkg/keyhive_wasm.js",
6
6
  "keywords": [],
@@ -10,23 +10,13 @@ export class Access {
10
10
  }
11
11
 
12
12
  /**
13
- * The result of adding a member: the membership delegation, plus any new leaf
14
- * secrets produced by auto-rekeying a non-forward-secret document on add.
13
+ * The result of adding a member: the membership delegation.
15
14
  */
16
15
  export class AddMemberUpdate {
17
16
  private constructor();
18
17
  free(): void;
19
18
  [Symbol.dispose](): void;
20
19
  readonly delegation: SignedDelegation;
21
- /**
22
- * New leaf secret keypairs from auto-rekeying a non-forward-secret document
23
- * when this reader was added, serialized as a
24
- * `BTreeMap<ShareKey, ShareSecretKey>` (the format `importPrekeySecrets`
25
- * accepts). A sibling instance of this identity (e.g. a tab and its
26
- * SharedWorker) installs them to derive the rotated key. `undefined` when
27
- * no rotation occurred (a forward-secret document).
28
- */
29
- readonly leafSecrets: Uint8Array | undefined;
30
20
  }
31
21
 
32
22
  export class Agent {
@@ -135,6 +125,23 @@ export class ContactCard {
135
125
  readonly shareKey: ShareKey;
136
126
  }
137
127
 
128
+ /**
129
+ * Plaintext plus the application secret key that decrypted it.
130
+ *
131
+ * The key lets the consumer recover the blob's external predecessor-secret
132
+ * chain and chain further encryptions onto it, without re-entering CGKA.
133
+ */
134
+ export class DecryptedWithKey {
135
+ private constructor();
136
+ free(): void;
137
+ [Symbol.dispose](): void;
138
+ /**
139
+ * The 32-byte application secret key used to decrypt this content.
140
+ */
141
+ readonly applicationSecret: Uint8Array;
142
+ readonly plaintext: Uint8Array;
143
+ }
144
+
138
145
  export class Delegation {
139
146
  private constructor();
140
147
  free(): void;
@@ -183,6 +190,12 @@ export class Encrypted {
183
190
  private constructor();
184
191
  free(): void;
185
192
  [Symbol.dispose](): void;
193
+ /**
194
+ * Decrypt this content with an explicit 32-byte application secret key,
195
+ * bypassing CGKA. The consumer uses this to follow the external
196
+ * predecessor-secret chain once it has recovered a blob's key.
197
+ */
198
+ decryptWithKey(key: Uint8Array): Uint8Array;
186
199
  static fromBytes(bytes: Uint8Array): Encrypted;
187
200
  serialize(): Uint8Array;
188
201
  toBytes(): Uint8Array;
@@ -199,6 +212,13 @@ export class EncryptedContentWithUpdate {
199
212
  [Symbol.dispose](): void;
200
213
  encrypted_content(): Encrypted;
201
214
  update_op(): SignedCgkaOperation | undefined;
215
+ /**
216
+ * The 32-byte application secret key used to encrypt this content.
217
+ *
218
+ * Lets the consumer build the external predecessor-secret chain and chain
219
+ * further encryptions onto this blob.
220
+ */
221
+ readonly applicationSecret: Uint8Array;
202
222
  }
203
223
 
204
224
  export class Event {
@@ -334,14 +354,8 @@ export class Keyhive {
334
354
  ingestEventsBytes(events_bytes_array: Array<any>): Promise<Array<any>>;
335
355
  /**
336
356
  * Initialize a peer.
337
- *
338
- * `forward_secrecy` is this peer's policy for all documents it creates or
339
- * receives. When `false`, documents carry the CGKA predecessor key chain
340
- * (a member added later reads the whole prior history) and adding a reader
341
- * auto-rekeys (see `addMember`'s `leafSecrets`). When `true`, a member
342
- * added later cannot read content from before they joined.
343
357
  */
344
- static init(signer: Signer, ciphertext_store: CiphertextStore, event_handler: Function, forward_secrecy: boolean): Promise<Keyhive>;
358
+ static init(signer: Signer, ciphertext_store: CiphertextStore, event_handler: Function): Promise<Keyhive>;
345
359
  intoArchive(): Promise<Archive>;
346
360
  membershipOpsForAgent(agent: Agent): Promise<Map<any, any>>;
347
361
  pendingEventHashes(): Promise<Set<any>>;
@@ -353,6 +367,13 @@ export class Keyhive {
353
367
  stats(): Promise<Stats>;
354
368
  toArchive(): Promise<Archive>;
355
369
  tryDecrypt(doc: Document, encrypted: Encrypted): Promise<Uint8Array>;
370
+ /**
371
+ * Decrypt content and also return the 32-byte application secret key used.
372
+ *
373
+ * The consumer follows the external predecessor-secret chain from this key
374
+ * with `Encrypted.decryptWithKey`, avoiding further CGKA dives.
375
+ */
376
+ tryDecryptWithKey(doc: Document, encrypted: Encrypted): Promise<DecryptedWithKey>;
356
377
  tryEncrypt(doc: Document, content_ref: ChangeId, js_pred_refs: ChangeId[], content: Uint8Array): Promise<EncryptedContentWithUpdate>;
357
378
  tryEncryptArchive(doc: Document, content_ref: ChangeId, pred_refs: ChangeId[], content: Uint8Array): Promise<EncryptedContentWithUpdate>;
358
379
  tryPcsKeyHash(doc: Document): Promise<Uint8Array | undefined>;
@@ -514,3 +535,19 @@ export class Summary {
514
535
  * https://rustwasm.github.io/docs/wasm-pack/tutorials/npm-browser-packages/template-deep-dive/src-utils-rs.html#2-what-is-console_error_panic_hook
515
536
  */
516
537
  export function setPanicHook(): void;
538
+
539
+ /**
540
+ * Inverse of [`symmetric_encrypt`]. Reads `nonce(24) || ciphertext`.
541
+ */
542
+ export function symmetricDecrypt(key: Uint8Array, blob: Uint8Array): Uint8Array;
543
+
544
+ /**
545
+ * AEAD-encrypt `plaintext` under a 32-byte `key`.
546
+ *
547
+ * `associated_data` flavors the synthetic nonce (e.g. the document or content
548
+ * id) so identical plaintext under the same key in different contexts produces
549
+ * distinct ciphertext. Returns `nonce(24) || ciphertext` (the ciphertext
550
+ * includes the Poly1305 tag). The nonce is carried in the output, so
551
+ * [`symmetric_decrypt`] does not need the associated data.
552
+ */
553
+ export function symmetricEncrypt(key: Uint8Array, plaintext: Uint8Array, associated_data: Uint8Array): Uint8Array;
@@ -5,5 +5,5 @@ import { __wbg_set_wasm } from "./keyhive_wasm_bg.js";
5
5
  __wbg_set_wasm(wasm);
6
6
  wasm.__wbindgen_start();
7
7
  export {
8
- Access, AddMemberUpdate, Agent, AllAgentEvents, Archive, CannotParseEd25519SigningKey, CannotParseIdentifier, Capability, CgkaOperation, ChangeId, CiphertextStore, ContactCard, Delegation, DocContentRefs, Document, DocumentId, Encrypted, EncryptedContentWithUpdate, Event, GenerateWebCryptoError, Group, GroupId, History, Identifier, Individual, IndividualId, Invocation, Keyhive, Membered, Membership, Peer, Revocation, ShareKey, Signed, SignedCgkaOperation, SignedDelegation, SignedInvocation, SignedRevocation, Signer, Stats, Summary, setPanicHook
8
+ Access, AddMemberUpdate, Agent, AllAgentEvents, Archive, CannotParseEd25519SigningKey, CannotParseIdentifier, Capability, CgkaOperation, ChangeId, CiphertextStore, ContactCard, DecryptedWithKey, Delegation, DocContentRefs, Document, DocumentId, Encrypted, EncryptedContentWithUpdate, Event, GenerateWebCryptoError, Group, GroupId, History, Identifier, Individual, IndividualId, Invocation, Keyhive, Membered, Membership, Peer, Revocation, ShareKey, Signed, SignedCgkaOperation, SignedDelegation, SignedInvocation, SignedRevocation, Signer, Stats, Summary, setPanicHook, symmetricDecrypt, symmetricEncrypt
9
9
  } from "./keyhive_wasm_bg.js";