@nice-code/action 0.25.0 → 0.26.0

package/build/{createHibernatableWsServerAdapter-FSDWrxoF.cjs → createHibernatableWsServerAdapter-j96U9vgo.cjs}

@@ -1734,6 +1734,16 @@ function createInMemoryTofuVerifyKeyResolver() {
 * Storage-backed trust-on-first-use resolver: pins survive process restarts / Durable Object eviction
 * (e.g. back it with `createDurableObjectStorageAdapter`). Same policy as the in-memory variant — trust
 * + pin the first verify key per client identity, reject a different one thereafter.
+*
+* Fail-closed by construction: a thrown storage read (`getJson`) or first-pin write (`updateJsonWithDef`)
+* propagates out of `resolve`, which makes `onProve` reject the handshake — a storage error can never be
+* mistaken for "first use" and silently trusted. (A genuine `undefined`/absent read is the only path to
+* a fresh pin; the underlying adapters never coerce a thrown read to `undefined`.) Keep it that way: do
+* not wrap the storage calls in a `try/catch` that swallows the error.
+*
+* On an *eventually-consistent* store a stale "absent" read re-pins the **same** verify key the client
+* just presented (it is signature-verified before this runs), so the worst case is a harmless re-write,
+* never a weakened trust decision. Cross-isolate-strong pinning still wants a strongly-consistent store.
 */
 function createStorageTofuVerifyKeyResolver(storageAdapter) {
 	const storage = (0, _nice_code_util.createTypedStorage)({ storageAdapter });
@@ -1787,6 +1797,13 @@ function createClientHandshake(config) {
 					bindVerifyKeysIntoDerivation: true
 				} : {}
 			});
+			const encryptionKeyMaterial = wantsEncryption && welcome.exchangePublicKey != null ? {
+				verifyPublicKey: welcome.verifyPublicKey,
+				exchangePublicKey: welcome.exchangePublicKey,
+				saltString: sessionSalt(clientNonce, welcome.serverNonce),
+				infoString: handshakeInfo(dictionaryVersion),
+				bindVerifyKeysIntoDerivation: true
+			} : void 0;
 			const challenge = buildHandshakeChallenge({
 				securityLevel,
 				dictionaryVersion,
@@ -1802,7 +1819,8 @@ function createClientHandshake(config) {
 			pending = {
 				linkedServerId,
 				server: welcome.server,
-				challenge
+				challenge,
+				encryptionKeyMaterial
 			};
 			return {
 				t: "prove",
@@ -1821,7 +1839,8 @@ function createClientHandshake(config) {
 			return {
 				linkedClientId: pending.linkedServerId,
 				remote: pending.server,
-				securityLevel
+				securityLevel,
+				encryptionKeyMaterial: pending.encryptionKeyMaterial
 			};
 		}
 	};
@@ -1916,6 +1935,16 @@ function createServerHandshake(config) {
 		/** The completed handshake result once `onProve` has accepted, else `undefined`. */
 		getResult() {
 			return result;
+		},
+		exportPending() {
+			return pending;
+		},
+		async restorePending(restored) {
+			pending = restored;
+			await link.linkClient({
+				linkedClientId: restored.linkedClientId,
+				verifyPublicKey: restored.clientVerifyKey
+			});
 		}
 	};
 }
@@ -1946,14 +1975,16 @@ function parseJsonActionFrame(message) {
 const ENCRYPTED_ENVELOPE_LENGTH = 2;
 /**
 * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
-* level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+* level. The shared key is derived once from {@link IActionFrameCryptoConfig.keyMaterial} and captured
+* for this connection alone, decoupling it from the link's shared key cache.
 */
-function createActionFrameCrypto({ link, linkedClientId }) {
+function createActionFrameCrypto({ link, keyMaterial }) {
+	const keyPromise = link.deriveSharedAesGcmKey(keyMaterial);
 	return {
 		async encryptFrame(frame) {
-			const { nonce, ciphertext } = await link.encryptBytesForLinkedClient({
-				linkedClientId,
-				dataToEncrypt: frame
+			const { nonce, ciphertext } = await (0, _nice_code_util.encryptBytesWithAesGcmKey)({
+				dataToEncrypt: frame,
+				aesGcmKey: await keyPromise
 			});
 			return (0, msgpackr.pack)([nonce, ciphertext]);
 		},
@@ -1963,12 +1994,12 @@ function createActionFrameCrypto({ link, linkedClientId }) {
 			if (!Array.isArray(envelope) || envelope.length !== ENCRYPTED_ENVELOPE_LENGTH) throw new Error("[ws-crypto] malformed encrypted frame envelope");
 			const [nonce, ciphertext] = envelope;
 			if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) throw new Error("[ws-crypto] malformed encrypted frame fields");
-			return await link.decryptBytesFromLinkedClient({
-				linkedClientId,
+			return await (0, _nice_code_util.decryptBytesWithAesGcmKey)({
 				dataToDecrypt: {
 					nonce,
 					ciphertext
-				}
+				},
+				aesGcmKey: await keyPromise
 			});
 		}
 	};
@@ -2079,9 +2110,9 @@ var AcceptorSecureSession = class {
 	_complete(result) {
 		this._authed = true;
 		this._handshake = void 0;
-		if (result.securityLevel === "encrypted") this._pipe = this._buildPipe(createActionFrameCrypto({
+		if (result.securityLevel === "encrypted" && result.encryptionKeyMaterial != null) this._pipe = this._buildPipe(createActionFrameCrypto({
 			link: this.config.link,
-			linkedClientId: result.linkedClientId
+			keyMaterial: result.encryptionKeyMaterial
 		}));
 		this.config.onAuthenticated({
 			client: new RuntimeCoordinate(result.remote),
@@ -2100,17 +2131,10 @@ var AcceptorSecureSession = class {
 		this._authed = true;
 		if (state.securityLevel !== "encrypted" || state.keyMaterial == null) return;
 		const { link } = this.config;
-		const { linkedClientId, keyMaterial } = state;
-		const cryptoReady = link.initialize().then(() => link.linkClient({
-			linkedClientId,
-			verifyPublicKey: keyMaterial.verifyPublicKey,
-			exchangePublicKey: keyMaterial.exchangePublicKey,
-			saltString: keyMaterial.saltString,
-			infoString: keyMaterial.infoString,
-			bindVerifyKeysIntoDerivation: keyMaterial.bindVerifyKeysIntoDerivation
-		})).then(() => createActionFrameCrypto({
+		const { keyMaterial } = state;
+		const cryptoReady = link.initialize().then(() => createActionFrameCrypto({
 			link,
-			linkedClientId
+			keyMaterial
 		}));
 		cryptoReady.catch((err) => console.error("[ws-server] failed to restore encrypted session", err));
 		this._pipe = this._buildPipe(cryptoReady);
@@ -2889,11 +2913,9 @@ async function runConnectorExchangeHandshake(carrier, secure) {
 		dictionaryVersion: secure.dictionaryVersion,
 		securityLevel: secure.securityLevel
 	});
-	const hsid = (0, nanoid.nanoid)();
 	const hello = await handshake.createHello();
 	const welcomeReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
 		k: "hs",
-		hsid,
 		m: encodeHandshakeMessage(hello)
 	}))));
 	if (welcomeReply?.k !== "hs") throw new Error("[exchange-handshake] expected a welcome reply");
@@ -2901,11 +2923,12 @@ async function runConnectorExchangeHandshake(carrier, secure) {
 	if (welcome == null) throw new Error("[exchange-handshake] malformed welcome");
 	if (welcome.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${welcome.reason}`);
 	if (welcome.t !== "welcome") throw new Error(`[exchange-handshake] expected welcome, got ${welcome.t}`);
+	if (welcomeReply.hsc == null) throw new Error("[exchange-handshake] welcome missing handshake continuation token");
 	const prove = await handshake.onWelcome(welcome);
 	const acceptReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
 		k: "hs",
-		hsid,
-		m: encodeHandshakeMessage(prove)
+		m: encodeHandshakeMessage(prove),
+		hsc: welcomeReply.hsc
 	}))));
 	if (acceptReply?.k !== "hs") throw new Error("[exchange-handshake] expected an accept reply");
 	const accept = decodeHandshakeMessage(acceptReply.m);
@@ -2914,9 +2937,9 @@ async function runConnectorExchangeHandshake(carrier, secure) {
 	if (accept.t !== "accept") throw new Error(`[exchange-handshake] expected accept, got ${accept.t}`);
 	if (acceptReply.t == null) throw new Error("[exchange-handshake] accept missing session token");
 	const result = await handshake.onAccept(accept);
-	const crypto = result.securityLevel === "encrypted" ? createActionFrameCrypto({
+	const crypto = result.securityLevel === "encrypted" && result.encryptionKeyMaterial != null ? createActionFrameCrypto({
 		link: secure.link,
-		linkedClientId: result.linkedClientId
+		keyMaterial: result.encryptionKeyMaterial
 	}) : void 0;
 	return {
 		token: acceptReply.t,
@@ -3224,9 +3247,9 @@ async function runClientHandshake(channel, secure, nextHandshakeMessage) {
 	if (accept.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${accept.reason}`);
 	if (accept.t !== "accept") throw new Error(`[link-handshake] expected accept, got ${accept.t}`);
 	const result = await handshake.onAccept(accept);
-	return result.securityLevel === "encrypted" ? createActionFrameCrypto({
+	return result.securityLevel === "encrypted" && result.encryptionKeyMaterial != null ? createActionFrameCrypto({
 		link: secure.link,
-		linkedClientId: result.linkedClientId
+		keyMaterial: result.encryptionKeyMaterial
 	}) : void 0;
 }
 function buildSendMethods(ctx, pipe, disconnectListeners, abortSet) {
@@ -3380,82 +3403,154 @@ var LinkTransport = class LinkTransport extends Transport {
 	}
 };
 //#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeTicketSeal.ts
+const SEALED_ENVELOPE_LENGTH = 2;
+function createExchangeTicketSealer(link, options = {}) {
+	let keyPromise;
+	const getKey = () => {
+		if (keyPromise == null) keyPromise = link.deriveLocalSealKey({ version: options.version }).catch((err) => {
+			keyPromise = void 0;
+			throw err;
+		});
+		return keyPromise;
+	};
+	return {
+		async seal(value, ttlMs) {
+			const { nonce, ciphertext } = await (0, _nice_code_util.encryptBytesWithAesGcmKey)({
+				dataToEncrypt: (0, msgpackr.pack)({
+					v: value,
+					exp: Date.now() + ttlMs
+				}),
+				aesGcmKey: await getKey()
+			});
+			return bytesToBase64((0, msgpackr.pack)([nonce, ciphertext]));
+		},
+		async open(blob) {
+			try {
+				const envelope = (0, msgpackr.unpack)(base64ToBytes(blob));
+				if (!Array.isArray(envelope) || envelope.length !== SEALED_ENVELOPE_LENGTH) return void 0;
+				const [nonce, ciphertext] = envelope;
+				if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) return void 0;
+				const payload = (0, msgpackr.unpack)(await (0, _nice_code_util.decryptBytesWithAesGcmKey)({
+					dataToDecrypt: {
+						nonce,
+						ciphertext
+					},
+					aesGcmKey: await getKey()
+				}));
+				if (payload == null || typeof payload.exp !== "number" || payload.exp < Date.now()) return;
+				return payload.v;
+			} catch {
+				return;
+			}
+		}
+	};
+}
+//#endregion
 //#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.ts
+/** The default session-ticket lifetime — see {@link IExchangeAcceptorConfig.sessionTtlMs}. */
+const DEFAULT_SESSION_TTL_MS = 720 * 60 * 1e3;
+/** The handshake continuation (`hsc`) only bridges the two handshake POSTs, so it expires quickly. */
+const HANDSHAKE_CONTINUATION_TTL_MS = 120 * 1e3;
 const textEncoder = new TextEncoder();
 const textDecoder = new TextDecoder();
 /**
 * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
 * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
-* acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
-* requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
-* POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
-* and returns the (encrypted) result inline as the reply.
+* acceptor drives the server handshake over the two `hs` POSTs, mints a session **token** on accept, and
+* on every later `act` POST resolves the session by token, decrypts the body (at `encrypted`), routes it
+* through the runtime, and returns the (encrypted) result inline as the reply.
 *
-* Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
-* Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
-* same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
+* **Stateless.** It holds no in-memory handshakes or sessions: the in-flight handshake `pending` is
+* sealed into the `hsc` continuation token returned on `welcome` and echoed back on `prove`, and the live
+* session is sealed into the `t` token replayed on every `act`. Both are sealed under the acceptor's own
+* persisted identity ({@link createExchangeTicketSealer}), so any isolate that loaded the same identity
+* can serve any POST — no request needs to co-locate with another (no Durable Object required just to
+* pin a handshake to one instance). A tampered, wrong-key, or expired token opens to "no valid session".
 */
 var ExchangeAcceptor = class {
 	_security;
 	_runtime;
 	_allowedLevels;
 	_noneAllowed;
-	_pendingHandshakes = /* @__PURE__ */ new Map();
-	_sessions = /* @__PURE__ */ new Map();
+	_sealer;
+	_sessionTtlMs;
 	constructor(config) {
 		this._security = config.security;
 		this._runtime = config.runtime;
 		this._allowedLevels = Array.isArray(config.security.securityLevel) ? config.security.securityLevel : [config.security.securityLevel];
 		this._noneAllowed = this._allowedLevels.includes("none");
+		this._sealer = createExchangeTicketSealer(config.security.link);
+		this._sessionTtlMs = config.sessionTtlMs ?? DEFAULT_SESSION_TTL_MS;
 	}
 	/** Process one POST body (an exchange envelope), returning the reply body to send back. */
 	async handlePost(body) {
 		const request = decodeExchangeRequest(body);
 		if (request == null) return this._err("malformed exchange request");
+		await this._security.link.initialize();
 		if (request.k === "hs") return encodeExchange(await this._handleHandshake(request));
 		return encodeExchange(await this._handleAction(request));
 	}
+	_makeHandshake() {
+		const security = this._security;
+		return createServerHandshake({
+			link: security.link,
+			localCoordinate: security.localCoordinate,
+			dictionaryVersion: security.dictionaryVersion,
+			securityLevel: security.securityLevel,
+			verifyKeyResolver: security.verifyKeyResolver
+		});
+	}
 	async _handleHandshake(request) {
 		const message = decodeHandshakeMessage(request.m);
 		if (message == null) return {
 			k: "err",
 			message: "malformed handshake message"
 		};
-		const security = this._security;
-		await security.link.initialize();
-		let handshake = this._pendingHandshakes.get(request.hsid);
-		if (handshake == null) {
-			handshake = createServerHandshake({
-				link: security.link,
-				localCoordinate: security.localCoordinate,
-				dictionaryVersion: security.dictionaryVersion,
-				securityLevel: security.securityLevel,
-				verifyKeyResolver: security.verifyKeyResolver
-			});
-			this._pendingHandshakes.set(request.hsid, handshake);
+		if (message.t === "hello") {
+			const handshake = this._makeHandshake();
+			const reply = await handshake.onHello(message);
+			if (reply.t === "reject") return {
+				k: "hs",
+				m: encodeHandshakeMessage(reply)
+			};
+			const pending = handshake.exportPending();
+			if (pending == null) return {
+				k: "err",
+				message: "handshake produced no continuation state"
+			};
+			const hsc = await this._sealer.seal(pending, HANDSHAKE_CONTINUATION_TTL_MS);
+			return {
+				k: "hs",
+				m: encodeHandshakeMessage(reply),
+				hsc
+			};
 		}
-		if (message.t === "hello") return {
-			k: "hs",
-			m: encodeHandshakeMessage(await handshake.onHello(message))
-		};
 		if (message.t === "prove") {
+			if (request.hsc == null) return {
+				k: "err",
+				message: "prove missing continuation token"
+			};
+			const pending = await this._sealer.open(request.hsc);
+			if (pending == null) return {
+				k: "err",
+				message: "invalid or expired continuation token"
+			};
+			const handshake = this._makeHandshake();
+			await handshake.restorePending(pending);
 			const reply = await handshake.onProve(message);
-			this._pendingHandshakes.delete(request.hsid);
 			const result = handshake.getResult();
 			if (reply.t === "accept" && result != null) {
-				const token = (0, nanoid.nanoid)();
-				this._sessions.set(token, {
-					client: new RuntimeCoordinate(result.remote),
+				const ticket = {
+					client: result.remote,
 					securityLevel: result.securityLevel,
-					crypto: result.securityLevel === "encrypted" ? createActionFrameCrypto({
-						link: security.link,
-						linkedClientId: result.linkedClientId
-					}) : void 0
-				});
+					keyMaterial: result.encryptionKeyMaterial
+				};
+				const t = await this._sealer.seal(ticket, this._sessionTtlMs);
 				return {
 					k: "hs",
 					m: encodeHandshakeMessage(reply),
-					t: token
+					t
 				};
 			}
 			return {
@@ -3469,20 +3564,26 @@ var ExchangeAcceptor = class {
 		};
 	}
 	async _handleAction(request) {
-		let session;
+		let client;
+		let crypto;
 		let candidate;
 		if (request.t != null) {
-			session = this._sessions.get(request.t);
-			if (session == null) return {
+			const ticket = await this._sealer.open(request.t);
+			if (ticket == null) return {
 				k: "err",
 				message: "unknown or expired session token"
 			};
+			client = new RuntimeCoordinate(ticket.client);
+			crypto = ticket.securityLevel === "encrypted" && ticket.keyMaterial != null ? createActionFrameCrypto({
+				link: this._security.link,
+				keyMaterial: ticket.keyMaterial
+			}) : void 0;
 			if ("c" in request) {
-				if (session.crypto == null) return {
+				if (crypto == null) return {
 					k: "err",
 					message: "session is not encrypted"
 				};
-				const plain = await session.crypto.decryptFrame(base64ToBytes(request.c));
+				const plain = await crypto.decryptFrame(base64ToBytes(request.c));
 				candidate = JSON.parse(textDecoder.decode(plain));
 			} else candidate = request.w;
 		} else {
@@ -3497,11 +3598,11 @@ var ExchangeAcceptor = class {
 			message: "malformed action wire"
 		};
 		const wire = candidate;
-		if (session != null && wire.type === "request") wire.context.originClient = session.client.toJsonObject();
+		if (client != null && wire.type === "request") wire.context.originClient = client.toJsonObject();
 		const resultWire = (await (await this._runtime.handleActionPayloadWire(wire)).waitForResultPayload()).toJsonObject();
-		if (session?.crypto != null) return {
+		if (crypto != null && "c" in request) return {
 			k: "act",
-			c: bytesToBase64(await session.crypto.encryptFrame(textEncoder.encode(JSON.stringify(resultWire))))
+			c: bytesToBase64(await crypto.encryptFrame(textEncoder.encode(JSON.stringify(resultWire))))
 		};
 		return {
 			k: "act",
@@ -4078,4 +4179,4 @@ Object.defineProperty(exports, "runtimeLinkId", {
 	}
 });
 
-//# sourceMappingURL=createHibernatableWsServerAdapter-FSDWrxoF.cjs.map
+//# sourceMappingURL=createHibernatableWsServerAdapter-j96U9vgo.cjs.map