@keyhive/keyhive 0.1.0-alpha.3 → 0.1.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@keyhive/keyhive",
3
- "version": "0.1.0-alpha.3",
3
+ "version": "0.1.0-alpha.5",
4
4
  "description": "",
5
5
  "main": "pkg/keyhive_wasm.js",
6
6
  "keywords": [],
@@ -9,26 +9,6 @@ export class Access {
9
9
  static tryFromString(s: string): Access | undefined;
10
10
  }
11
11
 
12
- /**
13
- * The result of adding a member: the membership delegation, plus any new leaf
14
- * secrets produced by auto-rekeying a non-forward-secret document on add.
15
- */
16
- export class AddMemberUpdate {
17
- private constructor();
18
- free(): void;
19
- [Symbol.dispose](): void;
20
- readonly delegation: SignedDelegation;
21
- /**
22
- * New leaf secret keypairs from auto-rekeying a non-forward-secret document
23
- * when this reader was added, serialized as a
24
- * `BTreeMap<ShareKey, ShareSecretKey>` (the format `importPrekeySecrets`
25
- * accepts). A sibling instance of this identity (e.g. a tab and its
26
- * SharedWorker) installs them to derive the rotated key. `undefined` when
27
- * no rotation occurred (a forward-secret document).
28
- */
29
- readonly leafSecrets: Uint8Array | undefined;
30
- }
31
-
32
12
  export class Agent {
33
13
  private constructor();
34
14
  free(): void;
@@ -135,6 +115,21 @@ export class ContactCard {
135
115
  readonly shareKey: ShareKey;
136
116
  }
137
117
 
118
+ /**
119
+ * Plaintext plus the application secret key that decrypted it.
120
+ */
121
+ export class DecryptedKeyed {
122
+ private constructor();
123
+ free(): void;
124
+ [Symbol.dispose](): void;
125
+ /**
126
+ * The 32-byte application secret key used to decrypt this content.
127
+ * Treat as secret: do not log or persist unencrypted.
128
+ */
129
+ readonly applicationSecret: Uint8Array;
130
+ readonly plaintext: Uint8Array;
131
+ }
132
+
138
133
  export class Delegation {
139
134
  private constructor();
140
135
  free(): void;
@@ -183,6 +178,11 @@ export class Encrypted {
183
178
  private constructor();
184
179
  free(): void;
185
180
  [Symbol.dispose](): void;
181
+ /**
182
+ * Decrypt this content with an explicit 32-byte application secret key,
183
+ * bypassing CGKA.
184
+ */
185
+ decryptWithKey(key: Uint8Array): Uint8Array;
186
186
  static fromBytes(bytes: Uint8Array): Encrypted;
187
187
  serialize(): Uint8Array;
188
188
  toBytes(): Uint8Array;
@@ -201,6 +201,21 @@ export class EncryptedContentWithUpdate {
201
201
  update_op(): SignedCgkaOperation | undefined;
202
202
  }
203
203
 
204
+ /**
205
+ * Encrypted content plus the application secret key it was encrypted under.
206
+ */
207
+ export class EncryptedKeyed {
208
+ private constructor();
209
+ free(): void;
210
+ [Symbol.dispose](): void;
211
+ encrypted_content(): Encrypted;
212
+ update_op(): SignedCgkaOperation | undefined;
213
+ /**
214
+ * The 32-byte application secret key used to encrypt this content.
215
+ */
216
+ readonly applicationSecret: Uint8Array;
217
+ }
218
+
204
219
  export class Event {
205
220
  private constructor();
206
221
  free(): void;
@@ -293,7 +308,7 @@ export class Keyhive {
293
308
  free(): void;
294
309
  [Symbol.dispose](): void;
295
310
  accessForDoc(id: Identifier, doc_id: DocumentId): Promise<Access | undefined>;
296
- addMember(to_add: Agent, membered: Membered, access: Access, other_relevant_docs: Document[]): Promise<AddMemberUpdate>;
311
+ addMember(to_add: Agent, membered: Membered, access: Access, other_relevant_docs: Document[]): Promise<SignedDelegation>;
297
312
  /**
298
313
  * Returns all agent events with deduplicated storage and two-tier indirection
299
314
  * for membership, prekey, and CGKA ops.
@@ -314,14 +329,9 @@ export class Keyhive {
314
329
  /**
315
330
  * Force a PCS key rotation and return the new leaf secret, serialized as a
316
331
  * one-entry `BTreeMap<ShareKey, ShareSecretKey>` (the exact format
317
- * `importPrekeySecrets` accepts). A sibling instance of this identity can
318
- * install it to derive the rotated key without re-importing the whole bundle.
332
+ * `importPrekeySecrets` accepts).
319
333
  */
320
334
  forcePcsUpdate(doc: Document): Promise<Uint8Array>;
321
- /**
322
- * Generate a document. Whether it provides forward secrecy is determined by
323
- * this peer's forward-secrecy policy (chosen at `Keyhive.init`).
324
- */
325
335
  generateDocument(coparents: Peer[], initial_content_ref_head: ChangeId, more_initial_content_refs: ChangeId[]): Promise<Document>;
326
336
  generateGroup(js_coparents: Peer[]): Promise<Group>;
327
337
  getAgent(id: Identifier): Promise<Agent | undefined>;
@@ -332,16 +342,7 @@ export class Keyhive {
332
342
  importPrekeySecrets(bytes: Uint8Array): Promise<void>;
333
343
  ingestArchive(archive: Archive): Promise<void>;
334
344
  ingestEventsBytes(events_bytes_array: Array<any>): Promise<Array<any>>;
335
- /**
336
- * Initialize a peer.
337
- *
338
- * `forward_secrecy` is this peer's policy for all documents it creates or
339
- * receives. When `false`, documents carry the CGKA predecessor key chain
340
- * (a member added later reads the whole prior history) and adding a reader
341
- * auto-rekeys (see `addMember`'s `leafSecrets`). When `true`, a member
342
- * added later cannot read content from before they joined.
343
- */
344
- static init(signer: Signer, ciphertext_store: CiphertextStore, event_handler: Function, forward_secrecy: boolean): Promise<Keyhive>;
345
+ static init(signer: Signer, ciphertext_store: CiphertextStore, event_handler: Function): Promise<Keyhive>;
345
346
  intoArchive(): Promise<Archive>;
346
347
  membershipOpsForAgent(agent: Agent): Promise<Map<any, any>>;
347
348
  pendingEventHashes(): Promise<Set<any>>;
@@ -353,8 +354,17 @@ export class Keyhive {
353
354
  stats(): Promise<Stats>;
354
355
  toArchive(): Promise<Archive>;
355
356
  tryDecrypt(doc: Document, encrypted: Encrypted): Promise<Uint8Array>;
357
+ /**
358
+ * Decrypt content and also return the 32-byte application secret key used.
359
+ */
360
+ tryDecryptKeyed(doc: Document, encrypted: Encrypted): Promise<DecryptedKeyed>;
356
361
  tryEncrypt(doc: Document, content_ref: ChangeId, js_pred_refs: ChangeId[], content: Uint8Array): Promise<EncryptedContentWithUpdate>;
357
362
  tryEncryptArchive(doc: Document, content_ref: ChangeId, pred_refs: ChangeId[], content: Uint8Array): Promise<EncryptedContentWithUpdate>;
363
+ /**
364
+ * Encrypt content and also return the application secret key it was
365
+ * encrypted under.
366
+ */
367
+ tryEncryptKeyed(doc: Document, content_ref: ChangeId, js_pred_refs: ChangeId[], content: Uint8Array): Promise<EncryptedKeyed>;
358
368
  tryPcsKeyHash(doc: Document): Promise<Uint8Array | undefined>;
359
369
  trySign(data: Uint8Array): Promise<Signed>;
360
370
  readonly id: IndividualId;
@@ -514,3 +524,13 @@ export class Summary {
514
524
  * https://rustwasm.github.io/docs/wasm-pack/tutorials/npm-browser-packages/template-deep-dive/src-utils-rs.html#2-what-is-console_error_panic_hook
515
525
  */
516
526
  export function setPanicHook(): void;
527
+
528
+ /**
529
+ * Inverse of [`symmetric_encrypt`]. Reads `nonce(24) || ciphertext`.
530
+ */
531
+ export function symmetricDecrypt(key: Uint8Array, blob: Uint8Array): Uint8Array;
532
+
533
+ /**
534
+ * Encrypt `plaintext` under a 32-byte `key`, returning `nonce(24) || ciphertext`.
535
+ */
536
+ export function symmetricEncrypt(key: Uint8Array, plaintext: Uint8Array, associated_data: Uint8Array): Uint8Array;
@@ -5,5 +5,5 @@ import { __wbg_set_wasm } from "./keyhive_wasm_bg.js";
5
5
  __wbg_set_wasm(wasm);
6
6
  wasm.__wbindgen_start();
7
7
  export {
8
- Access, AddMemberUpdate, Agent, AllAgentEvents, Archive, CannotParseEd25519SigningKey, CannotParseIdentifier, Capability, CgkaOperation, ChangeId, CiphertextStore, ContactCard, Delegation, DocContentRefs, Document, DocumentId, Encrypted, EncryptedContentWithUpdate, Event, GenerateWebCryptoError, Group, GroupId, History, Identifier, Individual, IndividualId, Invocation, Keyhive, Membered, Membership, Peer, Revocation, ShareKey, Signed, SignedCgkaOperation, SignedDelegation, SignedInvocation, SignedRevocation, Signer, Stats, Summary, setPanicHook
8
+ Access, Agent, AllAgentEvents, Archive, CannotParseEd25519SigningKey, CannotParseIdentifier, Capability, CgkaOperation, ChangeId, CiphertextStore, ContactCard, DecryptedKeyed, Delegation, DocContentRefs, Document, DocumentId, Encrypted, EncryptedContentWithUpdate, EncryptedKeyed, Event, GenerateWebCryptoError, Group, GroupId, History, Identifier, Individual, IndividualId, Invocation, Keyhive, Membered, Membership, Peer, Revocation, ShareKey, Signed, SignedCgkaOperation, SignedDelegation, SignedInvocation, SignedRevocation, Signer, Stats, Summary, setPanicHook, symmetricDecrypt, symmetricEncrypt
9
9
  } from "./keyhive_wasm_bg.js";