@majikah/majik-message 0.1.20 → 0.2.0

package/dist/core/database/thread/mail/majik-message-mail.d.ts

@@ -1,9 +1,10 @@
 import { ISODateString, MajikMessageAccountID, MajikMessageMailID, MajikMessagePublicKey, MajikMessageThreadID } from "../../../types";
 import { MajikMessageIdentity } from "../../system/identity";
 import { MajikMessageThread } from "../majik-message-thread";
+import { FileContext, MajikFile } from "@majikah/majik-file";
 export interface MailMetadata {
     subject?: string;
-    attachments?: string[];
+    attachments?: MailAttachmentRef[];
     priority?: "low" | "medium" | "high" | "urgent";
     labels?: string[];
     isForwarded?: boolean;
@@ -23,6 +24,22 @@ export interface MajikMessageMailJSON {
     previous_mail_id?: MajikMessageMailID;
     read_by: MajikMessagePublicKey[];
 }
+export interface MailAttachmentRef {
+    /** MajikFile UUID — used to fetch the .mjkb from R2 via your file service */
+    fileId: string;
+    /** SHA-256 hex of original bytes — for dedup checks */
+    fileHash: string;
+    /** Original filename for display (e.g. "resume.pdf") */
+    originalName: string | null;
+    /** MIME type for icon/preview logic */
+    mimeType: string | null;
+    /** Original size in bytes — for "2.3 MB" display */
+    sizeOriginal: number;
+    /** R2 key — lets the Worker fetch directly without a DB lookup */
+    r2Key: string;
+    /** context from MajikFile — so the UI knows if it's a thread_attachment */
+    context: FileContext;
+}
 export declare class MajikMailError extends Error {
     code: string;
     constructor(message: string, code: string);
@@ -73,10 +90,11 @@ export declare class MajikMessageMail {
      * @param message - Plain text message (encrypted)
      * @param recipients - Array of recipient public keys (excluding sender)
      * @param metadata - Optional mail metadata
+     * @param id - Optional ID to use
      * @returns Promise resolving to new MajikMessageMail instance
      * @throws Error if validation fails or thread is closed
      */
-    static create(thread: MajikMessageThread, identity: MajikMessageIdentity, message: string, recipients: MajikMessagePublicKey[], metadata?: MailMetadata): Promise<MajikMessageMail>;
+    static create(thread: MajikMessageThread, identity: MajikMessageIdentity, message: string, recipients: MajikMessagePublicKey[], metadata?: MailMetadata, id?: MajikMessageMailID): Promise<MajikMessageMail>;
     /**
      * Creates a reply to an existing mail item in the thread.
      * Uses the previous mail's hash as part of the p_hash.
@@ -87,10 +105,30 @@ export declare class MajikMessageMail {
      * @param message - Plain text message (encrypted)
      * @param recipients - Array of recipient public keys (excluding sender)
      * @param metadata - Optional mail metadata
+     * @param id - Optional ID to use
      * @returns Promise resolving to new MajikMessageMail instance
      * @throws Error if validation fails or thread is closed
      */
-    static reply(thread: MajikMessageThread, previousMail: MajikMessageMail, identity: MajikMessageIdentity, message: string, recipients: MajikMessagePublicKey[], metadata?: MailMetadata): Promise<MajikMessageMail>;
+    static reply(thread: MajikMessageThread, previousMail: MajikMessageMail, identity: MajikMessageIdentity, message: string, recipients: MajikMessagePublicKey[], metadata?: MailMetadata, id?: MajikMessageMailID): Promise<MajikMessageMail>;
+    /**
+     * Attach a MajikFile to this mail.
+     * Automatically wires thread_id and thread_message_id from the instance.
+     *
+     * @throws MailValidationError if the file context is not "thread_attachment"
+     * @throws MailOperationError if this file is already attached (by fileId or fileHash)
+     */
+    attachFile(file: MajikFile): MailAttachmentRef;
+    /**
+     * Remove an attached file by fileId.
+     * Returns true if removed, false if it wasn't attached.
+     */
+    detachFile(fileId: string): boolean;
+    /** Returns all attachment refs on this mail, typed correctly. */
+    get attachments(): MailAttachmentRef[];
+    /** Returns true if this mail has at least one attachment. */
+    get hasAttachments(): boolean;
+    /** Returns the attachment ref for a given fileId, or null if not found. */
+    getAttachment(fileId: string): MailAttachmentRef | null;
     /**
      * Generates the hash for the current mail item.
      * Format: SHA256(id:message:sender:recipients:timestamp)
@@ -114,7 +152,6 @@ export declare class MajikMessageMail {
      * @returns true if p_hash is valid
      */
     validatePHash(previousHash: string): boolean;
-    private validateMessage;
     /**
      * Validates an entire chain of mail items in a thread.
      * Verifies both hash and p_hash integrity for all items.
@@ -180,5 +217,6 @@ export declare class MajikMessageMail {
      * Validates raw message length
      */
     private static validateRawMessageLength;
+    private static isValidAttachmentRef;
     private static isValidJSON;
 }

package/dist/core/database/thread/mail/majik-message-mail.js

@@ -113,10 +113,11 @@ export class MajikMessageMail {
      * @param message - Plain text message (encrypted)
      * @param recipients - Array of recipient public keys (excluding sender)
      * @param metadata - Optional mail metadata
+     * @param id - Optional ID to use
      * @returns Promise resolving to new MajikMessageMail instance
      * @throws Error if validation fails or thread is closed
      */
-    static async create(thread, identity, message, recipients, metadata = {}) {
+    static async create(thread, identity, message, recipients, metadata = {}, id) {
         try {
             // Validate thread
             if (!thread) {
@@ -175,10 +176,11 @@ export class MajikMessageMail {
             // Normalize recipients (sort for consistency)
             const normalizedRecipients = [...recipients].sort();
             // Generate ID and timestamp
-            const id = uuidv4();
+            const generatedID = uuidv4();
+            const finalID = id || generatedID;
             const timestamp = new Date();
             // Generate hash for this mail item
-            const hash = this.generateHash(id, message.trim(), senderPublicKey, normalizedRecipients, timestamp);
+            const hash = this.generateHash(finalID, message.trim(), senderPublicKey, normalizedRecipients, timestamp);
             // For the first item, p_hash is the thread's hash
             const p_hash = this.generatePHash(hash, thread.hash);
             // Mark as reply metadata
@@ -186,7 +188,7 @@ export class MajikMessageMail {
                 ...metadata,
                 isReply: false,
             };
-            return new MajikMessageMail(id, thread.id, accountID, message.trim(), senderPublicKey, normalizedRecipients, timestamp, finalMetadata, hash, p_hash, undefined, // No previous mail ID for first item
+            return new MajikMessageMail(finalID, thread.id, accountID, message.trim(), senderPublicKey, normalizedRecipients, timestamp, finalMetadata, hash, p_hash, undefined, // No previous mail ID for first item
             []);
         }
         catch (error) {
@@ -207,10 +209,11 @@ export class MajikMessageMail {
      * @param message - Plain text message (encrypted)
      * @param recipients - Array of recipient public keys (excluding sender)
      * @param metadata - Optional mail metadata
+     * @param id - Optional ID to use
      * @returns Promise resolving to new MajikMessageMail instance
      * @throws Error if validation fails or thread is closed
      */
-    static async reply(thread, previousMail, identity, message, recipients, metadata = {}) {
+    static async reply(thread, previousMail, identity, message, recipients, metadata = {}, id) {
         try {
             // Validate thread
             if (!thread) {
@@ -279,10 +282,11 @@ export class MajikMessageMail {
             // Normalize recipients (sort for consistency)
             const normalizedRecipients = [...recipients].sort();
             // Generate ID and timestamp
-            const id = uuidv4();
+            const generatedID = uuidv4();
+            const finalID = id || generatedID;
             const timestamp = new Date();
             // Generate hash for this mail item
-            const hash = this.generateHash(id, message.trim(), senderPublicKey, normalizedRecipients, timestamp);
+            const hash = this.generateHash(finalID, message.trim(), senderPublicKey, normalizedRecipients, timestamp);
             // For replies, p_hash links to previous mail's hash
             const p_hash = this.generatePHash(hash, previousMail.hash);
             // Mark as reply in metadata
@@ -290,7 +294,7 @@ export class MajikMessageMail {
                 ...metadata,
                 isReply: true,
             };
-            return new MajikMessageMail(id, thread.id, accountID, message.trim(), senderPublicKey, normalizedRecipients, timestamp, finalMetadata, hash, p_hash, previousMail.id, []);
+            return new MajikMessageMail(finalID, thread.id, accountID, message.trim(), senderPublicKey, normalizedRecipients, timestamp, finalMetadata, hash, p_hash, previousMail.id, []);
         }
         catch (error) {
             if (error instanceof MajikMailError) {
@@ -299,6 +303,78 @@ export class MajikMessageMail {
             throw new MailOperationError(`Failed to create reply: ${error instanceof Error ? error.message : "Unknown error"}`);
         }
     }
+    // In MajikMessageMail
+    /**
+     * Attach a MajikFile to this mail.
+     * Automatically wires thread_id and thread_message_id from the instance.
+     *
+     * @throws MailValidationError if the file context is not "thread_attachment"
+     * @throws MailOperationError if this file is already attached (by fileId or fileHash)
+     */
+    attachFile(file) {
+        // Enforce context — only thread attachments belong on mail
+        if (file.context !== "thread_attachment") {
+            throw new MailValidationError(`attachFile: file must have context "thread_attachment" (got "${file.context}")`);
+        }
+        const existing = (this._metadata.attachments ?? []);
+        // Guard: duplicate by fileId
+        if (existing.some((a) => a.fileId === file.id)) {
+            throw new MailOperationError(`attachFile: file "${file.id}" is already attached to this mail`);
+        }
+        // Guard: duplicate by content hash (same file re-encrypted)
+        if (existing.some((a) => a.fileHash === file.fileHash)) {
+            throw new MailOperationError(`attachFile: a file with hash "${file.fileHash.slice(0, 8)}…" is already attached`);
+        }
+        // Wire thread context onto the file if not already bound.
+        // bindToThreadMail is a no-op guard — it throws if already set,
+        // so we only call it when both IDs are missing.
+        if (!file.threadId && !file.threadMessageId) {
+            file.bindToThreadMail(this._threadID, this._id);
+        }
+        else if (file.threadId !== this._threadID ||
+            file.threadMessageId !== this._id) {
+            // File was pre-bound to a DIFFERENT mail/thread — that's a real error
+            throw new MailOperationError(`attachFile: file "${file.id}" is already bound to a different thread/mail`);
+        }
+        const ref = {
+            fileId: file.id,
+            fileHash: file.fileHash,
+            originalName: file.originalName,
+            mimeType: file.mimeType,
+            sizeOriginal: file.sizeOriginal,
+            r2Key: file.r2Key,
+            context: file.context,
+        };
+        this._metadata = {
+            ...this._metadata,
+            attachments: [...existing, ref],
+        };
+        return ref;
+    }
+    /**
+     * Remove an attached file by fileId.
+     * Returns true if removed, false if it wasn't attached.
+     */
+    detachFile(fileId) {
+        const existing = (this._metadata.attachments ?? []);
+        const filtered = existing.filter((a) => a.fileId !== fileId);
+        if (filtered.length === existing.length)
+            return false;
+        this._metadata = { ...this._metadata, attachments: filtered };
+        return true;
+    }
+    /** Returns all attachment refs on this mail, typed correctly. */
+    get attachments() {
+        return [...(this._metadata.attachments ?? [])];
+    }
+    /** Returns true if this mail has at least one attachment. */
+    get hasAttachments() {
+        return ((this._metadata.attachments ?? []).length > 0);
+    }
+    /** Returns the attachment ref for a given fileId, or null if not found. */
+    getAttachment(fileId) {
+        return ((this._metadata.attachments ?? []).find((a) => a.fileId === fileId) ?? null);
+    }
     // ==================== Hash Generation Methods ====================
     /**
      * Generates the hash for the current mail item.
@@ -426,11 +502,6 @@ export class MajikMessageMail {
             throw new MailValidationError(`p_hash validation failed: ${error instanceof Error ? error.message : "Unknown error"}`);
         }
     }
-    validateMessage(message) {
-        if (!message || typeof message !== "string" || message.trim() === "") {
-            throw new Error("Invalid message: must be a non-empty string");
-        }
-    }
     // ==================== Static Blockchain Validation ====================
     /**
      * Validates an entire chain of mail items in a thread.
@@ -691,6 +762,16 @@ export class MajikMessageMail {
             if (!this.isValidJSON(data)) {
                 throw new MailValidationError("Invalid JSON: missing required fields or invalid types");
             }
+            if (data.metadata?.attachments !== undefined) {
+                if (!Array.isArray(data.metadata.attachments)) {
+                    throw new MailValidationError("Invalid JSON: metadata.attachments must be an array");
+                }
+                for (let i = 0; i < data.metadata.attachments.length; i++) {
+                    if (!MajikMessageMail.isValidAttachmentRef(data.metadata.attachments[i])) {
+                        throw new MailValidationError(`Invalid JSON: metadata.attachments[${i}] is not a valid MailAttachmentRef`);
+                    }
+                }
+            }
             // Parse timestamp
             const timestamp = new Date(data.timestamp);
             if (isNaN(timestamp.getTime())) {
@@ -725,6 +806,17 @@ export class MajikMessageMail {
                 `Current length: ${message.length}`);
         }
     }
+    static isValidAttachmentRef(a) {
+        return (a &&
+            typeof a === "object" &&
+            typeof a.fileId === "string" &&
+            typeof a.fileHash === "string" &&
+            typeof a.r2Key === "string" &&
+            typeof a.sizeOriginal === "number" &&
+            (a.originalName === null || typeof a.originalName === "string") &&
+            (a.mimeType === null || typeof a.mimeType === "string") &&
+            typeof a.context === "string");
+    }
     static isValidJSON(json) {
         return (json &&
             typeof json === "object" &&

package/dist/core/types.d.ts

@@ -1,4 +1,4 @@
-import type { FileContext, MajikFile, MajikFileJSON } from "@majikah/majik-file";
+import type { FileContext, MajikFile, MajikFileJSON, TempFileDuration } from "@majikah/majik-file";
 export type ISODateString = string;
 export type MajikMessageAccountID = string;
 export type MajikMessagePublicKey = string;
@@ -95,6 +95,8 @@ export interface MajikKeyMetadata {
 export interface EncryptFileOptions {
     /** Raw binary content of the file to encrypt. */
     data: Uint8Array | ArrayBuffer;
+    /** UUID from auth.users — used for R2 key construction and ownership checks. */
+    userId?: string;
     /**
      * File context — drives storage routing, WebP conversion, and R2 key prefix.
      *   "user_upload"      → permanent storage,  no WebP conversion
@@ -125,14 +127,16 @@ export interface EncryptFileOptions {
      * @default false
      */
     isTemporary?: boolean;
-    /** ISO-8601 expiry timestamp. Required when isTemporary is true. */
-    expiresAt?: string;
+    /** TempFileDuration in days. Required when isTemporary is true. */
+    expiresAt?: TempFileDuration;
     /** Bypass the 100 MB file size limit. @default false */
     bypassSizeLimit?: boolean;
     /** Foreign-key association with a chat message. */
     chatMessageId?: string;
     /** Foreign-key association with a thread message. */
     threadMessageId?: string;
+    /** Foreign-key association with a thread. */
+    threadId?: string;
 }
 /**
  * Returned by MajikMessage.encryptFile().

package/dist/majik-message.d.ts

@@ -66,15 +66,6 @@ export declare class MajikMessage {
      * @param accountId  Own account ID. Defaults to the active account.
      */
     private _resolveFileIdentity;
-    /**
-     * Resolve a list of contact IDs into MajikFileRecipient objects.
-     *
-     * Used for group file encryption — each recipient only needs their ML-KEM
-     * public key. Secret keys never leave their respective devices.
-     *
-     * @param ids  Contact IDs from the contact directory.
-     */
-    private _resolveFileRecipients;
     /**
      * Resolve a list of contact IDs into MajikFileRecipient objects.
      *
@@ -170,25 +161,7 @@ export declare class MajikMessage {
     decryptMajikMessageChat(encryptedPayload: string, recipientId?: string): Promise<string>;
     /**
      * Encrypt a binary file and return everything the caller needs to persist it.
-     *
-     * Flow:
-     *  1. Resolve the active account's full MajikFileIdentity from MajikKeyStore.
-     *  2. Resolve each recipientId into a MajikFileRecipient (public key only).
-     *     MajikFile.create() silently deduplicates and strips the sender's own ID
-     *     from the recipient list, so callers don't have to filter it out.
-     *  3. Delegate entirely to MajikFile.create() — it handles:
-     *       • SHA-256 content hash (dedup)
-     *       • WebP conversion for chat_image / chat_attachment image contexts
-     *       • Zstd compression for compressible formats
-     *       • ML-KEM encapsulation (single or group)
-     *       • AES-256-GCM encryption
-     *       • .mjkb binary encoding
-     *  4. Return the MajikFile instance, Supabase-ready metadata, and R2-ready Blob.
-     *
-     * The caller is responsible for:
-     *   • Uploading `result.binary` to R2 at `result.metadata.r2_key`
-     *   • Inserting `result.metadata` into the majik_files Supabase table
-     *
+  
      * @throws Error if no active account, account has no ML-KEM keys, or a
      *         recipient cannot be resolved from the contact directory.
      * @throws MajikFileError on validation failures or crypto errors (re-thrown

package/dist/majik-message.js

@@ -139,36 +139,12 @@ export class MajikMessage {
                 `Re-import via importAccountFromMnemonicBackup() to upgrade.`);
         }
         return {
-            userId: key.id,
+            publicKey: key.publicKeyBase64,
             fingerprint: key.fingerprint,
             mlKemPublicKey: key.mlKemPublicKey,
             mlKemSecretKey: key.getMlKemSecretKey(),
         };
     }
-    /**
-     * Resolve a list of contact IDs into MajikFileRecipient objects.
-     *
-     * Used for group file encryption — each recipient only needs their ML-KEM
-     * public key. Secret keys never leave their respective devices.
-     *
-     * @param ids  Contact IDs from the contact directory.
-     */
-    async _resolveFileRecipients(ids) {
-        return Promise.all(ids.map(async (id) => {
-            const contact = this.contactDirectory.getContact(id);
-            if (!contact)
-                throw new Error(`No contact found for id "${id}"`);
-            const mlPubKey = base64ToUint8Array(contact.mlKey);
-            if (!mlPubKey || mlPubKey.length === 0) {
-                throw new Error(`Contact "${id}" has no ML-KEM public key. ` +
-                    `They may need to upgrade their account via importFromMnemonicBackup().`);
-            }
-            return {
-                fingerprint: contact.fingerprint,
-                mlKemPublicKey: mlPubKey,
-            };
-        }));
-    }
     /**
      * Resolve a list of contact IDs into MajikFileRecipient objects.
      *
@@ -190,6 +166,7 @@ export class MajikMessage {
             return {
                 fingerprint: contact.fingerprint,
                 mlKemPublicKey: mlPubKey,
+                publicKey: pkey,
             };
         }));
     }
@@ -651,25 +628,7 @@ export class MajikMessage {
     // ── File Encryption / Decryption ──────────────────────────────────────────
     /**
      * Encrypt a binary file and return everything the caller needs to persist it.
-     *
-     * Flow:
-     *  1. Resolve the active account's full MajikFileIdentity from MajikKeyStore.
-     *  2. Resolve each recipientId into a MajikFileRecipient (public key only).
-     *     MajikFile.create() silently deduplicates and strips the sender's own ID
-     *     from the recipient list, so callers don't have to filter it out.
-     *  3. Delegate entirely to MajikFile.create() — it handles:
-     *       • SHA-256 content hash (dedup)
-     *       • WebP conversion for chat_image / chat_attachment image contexts
-     *       • Zstd compression for compressible formats
-     *       • ML-KEM encapsulation (single or group)
-     *       • AES-256-GCM encryption
-     *       • .mjkb binary encoding
-     *  4. Return the MajikFile instance, Supabase-ready metadata, and R2-ready Blob.
-     *
-     * The caller is responsible for:
-     *   • Uploading `result.binary` to R2 at `result.metadata.r2_key`
-     *   • Inserting `result.metadata` into the majik_files Supabase table
-     *
+  
      * @throws Error if no active account, account has no ML-KEM keys, or a
      *         recipient cannot be resolved from the contact directory.
      * @throws MajikFileError on validation failures or crypto errors (re-thrown
@@ -700,10 +659,11 @@ export class MajikMessage {
      * ```
      */
     async encryptFile(options) {
-        const { data, context, originalName, mimeType, recipients = [], conversationId, isTemporary = false, expiresAt, bypassSizeLimit = false, chatMessageId, threadMessageId, } = options;
+        const { data, context, originalName, mimeType, recipients = [], conversationId, isTemporary = false, expiresAt, bypassSizeLimit = false, chatMessageId, threadMessageId, threadId, userId, } = options;
         // ── 1. Resolve sender identity ──────────────────────────────────────────
         // Builds MajikFileIdentity with both public + secret keys from keystore.
         const identity = await this._resolveFileIdentity();
+        const finalUserID = userId ?? identity.publicKey;
         // ── 2. Resolve additional recipients ───────────────────────────────────
         // MajikFile.create() will silently drop the sender's own fingerprint if
         // it appears in this list, and will deduplicate any repeated entries.
@@ -725,6 +685,8 @@ export class MajikMessage {
             bypassSizeLimit,
             chatMessageId,
             threadMessageId,
+            userId: finalUserID,
+            threadId: threadId,
         });
         // ── 4. Package the result ───────────────────────────────────────────────
         return {

package/package.json

@@ -2,7 +2,7 @@
   "name": "@majikah/majik-message",
   "type": "module",
   "description": "Post-quantum end-to-end encryption with ML-KEM-768. Seed phrase–based accounts. Auto-expiring messages. Offline-ready. Exportable encrypted messages. Tamper-proof threads with blockchain-like integrity. Quantum-resistant messaging.",
-  "version": "0.1.20",
+  "version": "0.2.0",
   "license": "Apache-2.0",
   "author": "Zelijah",
   "main": "./dist/index.js",
@@ -81,8 +81,8 @@
   "dependencies": {
     "@bokuweb/zstd-wasm": "^0.0.27",
     "@majikah/majik-envelope": "^0.0.1",
-    "@majikah/majik-file": "^0.0.6",
-    "@majikah/majik-key": "^0.1.8",
+    "@majikah/majik-file": "^0.0.13",
+    "@majikah/majik-key": "^0.1.9",
     "@noble/hashes": "^2.0.1",
     "@noble/post-quantum": "^0.5.4",
     "@scure/bip39": "^1.6.0",