@nice-code/action 0.25.0 → 0.26.0

package/build/{createHibernatableWsServerAdapter-BkjESd01.mjs → createHibernatableWsServerAdapter-BD5n-Ev9.mjs}

@@ -3,7 +3,7 @@ import { nanoid } from "nanoid";
 import { NiceError, castNiceError, err, err_nice, isNiceErrorObject } from "@nice-code/error";
 import { extractMessageFromStandardSchema } from "@nice-code/common-errors";
 import { runtime } from "std-env";
-import { ClientCryptoKeyLink, createTypedStorage } from "@nice-code/util";
+import { ClientCryptoKeyLink, createTypedStorage, decryptBytesWithAesGcmKey, encryptBytesWithAesGcmKey } from "@nice-code/util";
 import * as v from "valibot";
 import { pack, unpack } from "msgpackr";
 const UNSET_RUNTIME_ENV_ID = "_unset_";
@@ -1732,6 +1732,16 @@ function createInMemoryTofuVerifyKeyResolver() {
 * Storage-backed trust-on-first-use resolver: pins survive process restarts / Durable Object eviction
 * (e.g. back it with `createDurableObjectStorageAdapter`). Same policy as the in-memory variant — trust
 * + pin the first verify key per client identity, reject a different one thereafter.
+*
+* Fail-closed by construction: a thrown storage read (`getJson`) or first-pin write (`updateJsonWithDef`)
+* propagates out of `resolve`, which makes `onProve` reject the handshake — a storage error can never be
+* mistaken for "first use" and silently trusted. (A genuine `undefined`/absent read is the only path to
+* a fresh pin; the underlying adapters never coerce a thrown read to `undefined`.) Keep it that way: do
+* not wrap the storage calls in a `try/catch` that swallows the error.
+*
+* On an *eventually-consistent* store a stale "absent" read re-pins the **same** verify key the client
+* just presented (it is signature-verified before this runs), so the worst case is a harmless re-write,
+* never a weakened trust decision. Cross-isolate-strong pinning still wants a strongly-consistent store.
 */
 function createStorageTofuVerifyKeyResolver(storageAdapter) {
 	const storage = createTypedStorage({ storageAdapter });
@@ -1785,6 +1795,13 @@ function createClientHandshake(config) {
 					bindVerifyKeysIntoDerivation: true
 				} : {}
 			});
+			const encryptionKeyMaterial = wantsEncryption && welcome.exchangePublicKey != null ? {
+				verifyPublicKey: welcome.verifyPublicKey,
+				exchangePublicKey: welcome.exchangePublicKey,
+				saltString: sessionSalt(clientNonce, welcome.serverNonce),
+				infoString: handshakeInfo(dictionaryVersion),
+				bindVerifyKeysIntoDerivation: true
+			} : void 0;
 			const challenge = buildHandshakeChallenge({
 				securityLevel,
 				dictionaryVersion,
@@ -1800,7 +1817,8 @@ function createClientHandshake(config) {
 			pending = {
 				linkedServerId,
 				server: welcome.server,
-				challenge
+				challenge,
+				encryptionKeyMaterial
 			};
 			return {
 				t: "prove",
@@ -1819,7 +1837,8 @@ function createClientHandshake(config) {
 			return {
 				linkedClientId: pending.linkedServerId,
 				remote: pending.server,
-				securityLevel
+				securityLevel,
+				encryptionKeyMaterial: pending.encryptionKeyMaterial
 			};
 		}
 	};
@@ -1914,6 +1933,16 @@ function createServerHandshake(config) {
 		/** The completed handshake result once `onProve` has accepted, else `undefined`. */
 		getResult() {
 			return result;
+		},
+		exportPending() {
+			return pending;
+		},
+		async restorePending(restored) {
+			pending = restored;
+			await link.linkClient({
+				linkedClientId: restored.linkedClientId,
+				verifyPublicKey: restored.clientVerifyKey
+			});
 		}
 	};
 }
@@ -1944,14 +1973,16 @@ function parseJsonActionFrame(message) {
 const ENCRYPTED_ENVELOPE_LENGTH = 2;
 /**
 * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
-* level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+* level. The shared key is derived once from {@link IActionFrameCryptoConfig.keyMaterial} and captured
+* for this connection alone, decoupling it from the link's shared key cache.
 */
-function createActionFrameCrypto({ link, linkedClientId }) {
+function createActionFrameCrypto({ link, keyMaterial }) {
+	const keyPromise = link.deriveSharedAesGcmKey(keyMaterial);
 	return {
 		async encryptFrame(frame) {
-			const { nonce, ciphertext } = await link.encryptBytesForLinkedClient({
-				linkedClientId,
-				dataToEncrypt: frame
+			const { nonce, ciphertext } = await encryptBytesWithAesGcmKey({
+				dataToEncrypt: frame,
+				aesGcmKey: await keyPromise
 			});
 			return pack([nonce, ciphertext]);
 		},
@@ -1961,12 +1992,12 @@ function createActionFrameCrypto({ link, linkedClientId }) {
 			if (!Array.isArray(envelope) || envelope.length !== ENCRYPTED_ENVELOPE_LENGTH) throw new Error("[ws-crypto] malformed encrypted frame envelope");
 			const [nonce, ciphertext] = envelope;
 			if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) throw new Error("[ws-crypto] malformed encrypted frame fields");
-			return await link.decryptBytesFromLinkedClient({
-				linkedClientId,
+			return await decryptBytesWithAesGcmKey({
 				dataToDecrypt: {
 					nonce,
 					ciphertext
-				}
+				},
+				aesGcmKey: await keyPromise
 			});
 		}
 	};
@@ -2077,9 +2108,9 @@ var AcceptorSecureSession = class {
 	_complete(result) {
 		this._authed = true;
 		this._handshake = void 0;
-		if (result.securityLevel === "encrypted") this._pipe = this._buildPipe(createActionFrameCrypto({
+		if (result.securityLevel === "encrypted" && result.encryptionKeyMaterial != null) this._pipe = this._buildPipe(createActionFrameCrypto({
 			link: this.config.link,
-			linkedClientId: result.linkedClientId
+			keyMaterial: result.encryptionKeyMaterial
 		}));
 		this.config.onAuthenticated({
 			client: new RuntimeCoordinate(result.remote),
@@ -2098,17 +2129,10 @@ var AcceptorSecureSession = class {
 		this._authed = true;
 		if (state.securityLevel !== "encrypted" || state.keyMaterial == null) return;
 		const { link } = this.config;
-		const { linkedClientId, keyMaterial } = state;
-		const cryptoReady = link.initialize().then(() => link.linkClient({
-			linkedClientId,
-			verifyPublicKey: keyMaterial.verifyPublicKey,
-			exchangePublicKey: keyMaterial.exchangePublicKey,
-			saltString: keyMaterial.saltString,
-			infoString: keyMaterial.infoString,
-			bindVerifyKeysIntoDerivation: keyMaterial.bindVerifyKeysIntoDerivation
-		})).then(() => createActionFrameCrypto({
+		const { keyMaterial } = state;
+		const cryptoReady = link.initialize().then(() => createActionFrameCrypto({
 			link,
-			linkedClientId
+			keyMaterial
 		}));
 		cryptoReady.catch((err) => console.error("[ws-server] failed to restore encrypted session", err));
 		this._pipe = this._buildPipe(cryptoReady);
@@ -2887,11 +2911,9 @@ async function runConnectorExchangeHandshake(carrier, secure) {
 		dictionaryVersion: secure.dictionaryVersion,
 		securityLevel: secure.securityLevel
 	});
-	const hsid = nanoid();
 	const hello = await handshake.createHello();
 	const welcomeReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
 		k: "hs",
-		hsid,
 		m: encodeHandshakeMessage(hello)
 	}))));
 	if (welcomeReply?.k !== "hs") throw new Error("[exchange-handshake] expected a welcome reply");
@@ -2899,11 +2921,12 @@ async function runConnectorExchangeHandshake(carrier, secure) {
 	if (welcome == null) throw new Error("[exchange-handshake] malformed welcome");
 	if (welcome.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${welcome.reason}`);
 	if (welcome.t !== "welcome") throw new Error(`[exchange-handshake] expected welcome, got ${welcome.t}`);
+	if (welcomeReply.hsc == null) throw new Error("[exchange-handshake] welcome missing handshake continuation token");
 	const prove = await handshake.onWelcome(welcome);
 	const acceptReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
 		k: "hs",
-		hsid,
-		m: encodeHandshakeMessage(prove)
+		m: encodeHandshakeMessage(prove),
+		hsc: welcomeReply.hsc
 	}))));
 	if (acceptReply?.k !== "hs") throw new Error("[exchange-handshake] expected an accept reply");
 	const accept = decodeHandshakeMessage(acceptReply.m);
@@ -2912,9 +2935,9 @@ async function runConnectorExchangeHandshake(carrier, secure) {
 	if (accept.t !== "accept") throw new Error(`[exchange-handshake] expected accept, got ${accept.t}`);
 	if (acceptReply.t == null) throw new Error("[exchange-handshake] accept missing session token");
 	const result = await handshake.onAccept(accept);
-	const crypto = result.securityLevel === "encrypted" ? createActionFrameCrypto({
+	const crypto = result.securityLevel === "encrypted" && result.encryptionKeyMaterial != null ? createActionFrameCrypto({
 		link: secure.link,
-		linkedClientId: result.linkedClientId
+		keyMaterial: result.encryptionKeyMaterial
 	}) : void 0;
 	return {
 		token: acceptReply.t,
@@ -3222,9 +3245,9 @@ async function runClientHandshake(channel, secure, nextHandshakeMessage) {
 	if (accept.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${accept.reason}`);
 	if (accept.t !== "accept") throw new Error(`[link-handshake] expected accept, got ${accept.t}`);
 	const result = await handshake.onAccept(accept);
-	return result.securityLevel === "encrypted" ? createActionFrameCrypto({
+	return result.securityLevel === "encrypted" && result.encryptionKeyMaterial != null ? createActionFrameCrypto({
 		link: secure.link,
-		linkedClientId: result.linkedClientId
+		keyMaterial: result.encryptionKeyMaterial
 	}) : void 0;
 }
 function buildSendMethods(ctx, pipe, disconnectListeners, abortSet) {
@@ -3378,82 +3401,154 @@ var LinkTransport = class LinkTransport extends Transport {
 	}
 };
 //#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeTicketSeal.ts
+const SEALED_ENVELOPE_LENGTH = 2;
+function createExchangeTicketSealer(link, options = {}) {
+	let keyPromise;
+	const getKey = () => {
+		if (keyPromise == null) keyPromise = link.deriveLocalSealKey({ version: options.version }).catch((err) => {
+			keyPromise = void 0;
+			throw err;
+		});
+		return keyPromise;
+	};
+	return {
+		async seal(value, ttlMs) {
+			const { nonce, ciphertext } = await encryptBytesWithAesGcmKey({
+				dataToEncrypt: pack({
+					v: value,
+					exp: Date.now() + ttlMs
+				}),
+				aesGcmKey: await getKey()
+			});
+			return bytesToBase64(pack([nonce, ciphertext]));
+		},
+		async open(blob) {
+			try {
+				const envelope = unpack(base64ToBytes(blob));
+				if (!Array.isArray(envelope) || envelope.length !== SEALED_ENVELOPE_LENGTH) return void 0;
+				const [nonce, ciphertext] = envelope;
+				if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) return void 0;
+				const payload = unpack(await decryptBytesWithAesGcmKey({
+					dataToDecrypt: {
+						nonce,
+						ciphertext
+					},
+					aesGcmKey: await getKey()
+				}));
+				if (payload == null || typeof payload.exp !== "number" || payload.exp < Date.now()) return;
+				return payload.v;
+			} catch {
+				return;
+			}
+		}
+	};
+}
+//#endregion
 //#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.ts
+/** The default session-ticket lifetime — see {@link IExchangeAcceptorConfig.sessionTtlMs}. */
+const DEFAULT_SESSION_TTL_MS = 720 * 60 * 1e3;
+/** The handshake continuation (`hsc`) only bridges the two handshake POSTs, so it expires quickly. */
+const HANDSHAKE_CONTINUATION_TTL_MS = 120 * 1e3;
 const textEncoder = new TextEncoder();
 const textDecoder = new TextDecoder();
 /**
 * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
 * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
-* acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
-* requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
-* POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
-* and returns the (encrypted) result inline as the reply.
+* acceptor drives the server handshake over the two `hs` POSTs, mints a session **token** on accept, and
+* on every later `act` POST resolves the session by token, decrypts the body (at `encrypted`), routes it
+* through the runtime, and returns the (encrypted) result inline as the reply.
 *
-* Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
-* Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
-* same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
+* **Stateless.** It holds no in-memory handshakes or sessions: the in-flight handshake `pending` is
+* sealed into the `hsc` continuation token returned on `welcome` and echoed back on `prove`, and the live
+* session is sealed into the `t` token replayed on every `act`. Both are sealed under the acceptor's own
+* persisted identity ({@link createExchangeTicketSealer}), so any isolate that loaded the same identity
+* can serve any POST — no request needs to co-locate with another (no Durable Object required just to
+* pin a handshake to one instance). A tampered, wrong-key, or expired token opens to "no valid session".
 */
 var ExchangeAcceptor = class {
 	_security;
 	_runtime;
 	_allowedLevels;
 	_noneAllowed;
-	_pendingHandshakes = /* @__PURE__ */ new Map();
-	_sessions = /* @__PURE__ */ new Map();
+	_sealer;
+	_sessionTtlMs;
 	constructor(config) {
 		this._security = config.security;
 		this._runtime = config.runtime;
 		this._allowedLevels = Array.isArray(config.security.securityLevel) ? config.security.securityLevel : [config.security.securityLevel];
 		this._noneAllowed = this._allowedLevels.includes("none");
+		this._sealer = createExchangeTicketSealer(config.security.link);
+		this._sessionTtlMs = config.sessionTtlMs ?? DEFAULT_SESSION_TTL_MS;
 	}
 	/** Process one POST body (an exchange envelope), returning the reply body to send back. */
 	async handlePost(body) {
 		const request = decodeExchangeRequest(body);
 		if (request == null) return this._err("malformed exchange request");
+		await this._security.link.initialize();
 		if (request.k === "hs") return encodeExchange(await this._handleHandshake(request));
 		return encodeExchange(await this._handleAction(request));
 	}
+	_makeHandshake() {
+		const security = this._security;
+		return createServerHandshake({
+			link: security.link,
+			localCoordinate: security.localCoordinate,
+			dictionaryVersion: security.dictionaryVersion,
+			securityLevel: security.securityLevel,
+			verifyKeyResolver: security.verifyKeyResolver
+		});
+	}
 	async _handleHandshake(request) {
 		const message = decodeHandshakeMessage(request.m);
 		if (message == null) return {
 			k: "err",
 			message: "malformed handshake message"
 		};
-		const security = this._security;
-		await security.link.initialize();
-		let handshake = this._pendingHandshakes.get(request.hsid);
-		if (handshake == null) {
-			handshake = createServerHandshake({
-				link: security.link,
-				localCoordinate: security.localCoordinate,
-				dictionaryVersion: security.dictionaryVersion,
-				securityLevel: security.securityLevel,
-				verifyKeyResolver: security.verifyKeyResolver
-			});
-			this._pendingHandshakes.set(request.hsid, handshake);
+		if (message.t === "hello") {
+			const handshake = this._makeHandshake();
+			const reply = await handshake.onHello(message);
+			if (reply.t === "reject") return {
+				k: "hs",
+				m: encodeHandshakeMessage(reply)
+			};
+			const pending = handshake.exportPending();
+			if (pending == null) return {
+				k: "err",
+				message: "handshake produced no continuation state"
+			};
+			const hsc = await this._sealer.seal(pending, HANDSHAKE_CONTINUATION_TTL_MS);
+			return {
+				k: "hs",
+				m: encodeHandshakeMessage(reply),
+				hsc
+			};
 		}
-		if (message.t === "hello") return {
-			k: "hs",
-			m: encodeHandshakeMessage(await handshake.onHello(message))
-		};
 		if (message.t === "prove") {
+			if (request.hsc == null) return {
+				k: "err",
+				message: "prove missing continuation token"
+			};
+			const pending = await this._sealer.open(request.hsc);
+			if (pending == null) return {
+				k: "err",
+				message: "invalid or expired continuation token"
+			};
+			const handshake = this._makeHandshake();
+			await handshake.restorePending(pending);
 			const reply = await handshake.onProve(message);
-			this._pendingHandshakes.delete(request.hsid);
 			const result = handshake.getResult();
 			if (reply.t === "accept" && result != null) {
-				const token = nanoid();
-				this._sessions.set(token, {
-					client: new RuntimeCoordinate(result.remote),
+				const ticket = {
+					client: result.remote,
 					securityLevel: result.securityLevel,
-					crypto: result.securityLevel === "encrypted" ? createActionFrameCrypto({
-						link: security.link,
-						linkedClientId: result.linkedClientId
-					}) : void 0
-				});
+					keyMaterial: result.encryptionKeyMaterial
+				};
+				const t = await this._sealer.seal(ticket, this._sessionTtlMs);
 				return {
 					k: "hs",
 					m: encodeHandshakeMessage(reply),
-					t: token
+					t
 				};
 			}
 			return {
@@ -3467,20 +3562,26 @@ var ExchangeAcceptor = class {
 		};
 	}
 	async _handleAction(request) {
-		let session;
+		let client;
+		let crypto;
 		let candidate;
 		if (request.t != null) {
-			session = this._sessions.get(request.t);
-			if (session == null) return {
+			const ticket = await this._sealer.open(request.t);
+			if (ticket == null) return {
 				k: "err",
 				message: "unknown or expired session token"
 			};
+			client = new RuntimeCoordinate(ticket.client);
+			crypto = ticket.securityLevel === "encrypted" && ticket.keyMaterial != null ? createActionFrameCrypto({
+				link: this._security.link,
+				keyMaterial: ticket.keyMaterial
+			}) : void 0;
 			if ("c" in request) {
-				if (session.crypto == null) return {
+				if (crypto == null) return {
 					k: "err",
 					message: "session is not encrypted"
 				};
-				const plain = await session.crypto.decryptFrame(base64ToBytes(request.c));
+				const plain = await crypto.decryptFrame(base64ToBytes(request.c));
 				candidate = JSON.parse(textDecoder.decode(plain));
 			} else candidate = request.w;
 		} else {
@@ -3495,11 +3596,11 @@ var ExchangeAcceptor = class {
 			message: "malformed action wire"
 		};
 		const wire = candidate;
-		if (session != null && wire.type === "request") wire.context.originClient = session.client.toJsonObject();
+		if (client != null && wire.type === "request") wire.context.originClient = client.toJsonObject();
 		const resultWire = (await (await this._runtime.handleActionPayloadWire(wire)).waitForResultPayload()).toJsonObject();
-		if (session?.crypto != null) return {
+		if (crypto != null && "c" in request) return {
 			k: "act",
-			c: bytesToBase64(await session.crypto.encryptFrame(textEncoder.encode(JSON.stringify(resultWire))))
+			c: bytesToBase64(await crypto.encryptFrame(textEncoder.encode(JSON.stringify(resultWire))))
 		};
 		return {
 			k: "act",
@@ -3717,4 +3818,4 @@ function createHibernatableWsServerAdapter(options) {
 //#endregion
 export { ActionPayload_Request as $, encodeHandshakeMessage as A, EErrId_NiceTransport as B, EHandshakeMessageType as C, createServerHandshake as D, createInMemoryTofuVerifyKeyResolver as E, ConnectorHandler as F, ActionSchema as G, err_nice_external_client as H, createConnectorHandler as I, isActionPayload_Result_JsonObject as J, EActionResponseMode as K, PeerLinkHandler as L, ActionLocalHandler as M, createLocalHandler as N, createStorageTofuVerifyKeyResolver as O, ActionRuntime as P, RunningAction as Q, ETransportShape as R, decodeActionFrame as S, createClientHandshake as T, isActionPayload_Any_JsonObject as U, err_nice_transport as V, isActionPayload_Request_JsonObject as W, EErrId_NiceAction as X, isAction_Base_JsonObject as Y, err_nice_action as Z, extractWirePayload as _, ExchangeAcceptor as a, RuntimeCoordinate as at, createAcceptorHandler as b, decodeExchangeReply as c, Transport as d, ActionPayload_Result as et, createBinaryWireSessionFactory as f, buildActionRouteDictionary as g, assembleWireJson as h, createActionFetchHandler as i, ActionBase as it, runtimeLinkId as j, decodeHandshakeMessage as k, decodeExchangeRequest as l, ReversePayloadType as m, ConnectionStateStore as n, EActionProgressType as nt, LinkTransport as o, runtimeCoordinateToStringIds as ot, PayloadTypeToInt as p, actionSchema as q, createConnectionStateStore as r, ActionPayload as rt, ExchangeTransport as s, createHibernatableWsServerAdapter as t, EActionPayloadType as tt, encodeExchange as u, createSecureAcceptorHandler as v, ESecurityLevel as w, createActionFrameCrypto as x, AcceptorHandler as y, ETransportStatus as z };
 
-//# sourceMappingURL=createHibernatableWsServerAdapter-BkjESd01.mjs.map
+//# sourceMappingURL=createHibernatableWsServerAdapter-BD5n-Ev9.mjs.map