@peers-app/peers-sdk 0.10.3 → 0.10.4

package/dist/data/user-permissions.js

@@ -19,6 +19,13 @@ function signUserObject(user, secretKey) {
  * @throws Error if signature is invalid or unauthorized
  */
 function verifyUserSignature(user, oldUser) {
+    if (!user.signature) {
+        // Allow unsigned stubs only when no signed record already exists
+        if (oldUser?.signature) {
+            throw new Error('Cannot overwrite a signed user record with an unsigned one');
+        }
+        return;
+    }
     (0, keys_1.verifyObjectSignature)(user);
     const signerPublicKey = (0, keys_1.getPublicKeyFromObjectSignature)(user) ?? '';
     // New user: signature must match their own public key

package/dist/data/user-permissions.test.js

@@ -92,9 +92,9 @@ describe('User Permissions Logic', () => {
             const signedUpdatedUser = (0, user_permissions_1.signUserObject)(updatedUser, userKeys.secretKey);
             expect(() => (0, user_permissions_1.verifyUserSignature)(signedUpdatedUser, originalUser)).toThrow('Public key changes are not currently supported');
         });
-        it('should handle missing signature gracefully', () => {
+        it('should allow missing signature when no existing record', () => {
             const userWithoutSignature = { ...testUser };
-            expect(() => (0, user_permissions_1.verifyUserSignature)(userWithoutSignature)).toThrow();
+            expect(() => (0, user_permissions_1.verifyUserSignature)(userWithoutSignature)).not.toThrow();
         });
     });
     describe('verifyUserSignature - Group Context (With Signature)', () => {
@@ -154,23 +154,51 @@ describe('User Permissions Logic', () => {
         });
     });
     describe('verifyUserSignature - Signature Requirements', () => {
-        it('should reject updates without signature when signature is required', () => {
+        it('should allow unsigned record when no existing record', () => {
             const userWithoutSignature = { ...testUser };
-            expect(() => (0, user_permissions_1.verifyUserSignature)(userWithoutSignature, undefined)).toThrow();
+            expect(() => (0, user_permissions_1.verifyUserSignature)(userWithoutSignature, undefined)).not.toThrow();
         });
         it('should accept valid signature when signature is provided', () => {
             const signedUser = (0, user_permissions_1.signUserObject)(testUser, userKeys.secretKey);
             expect(() => (0, user_permissions_1.verifyUserSignature)(signedUser, undefined)).not.toThrow();
         });
-        it('should reject empty signature when signature is required', () => {
+        it('should allow empty signature when no existing record', () => {
             const userWithEmptySignature = { ...testUser, signature: '' };
-            expect(() => (0, user_permissions_1.verifyUserSignature)(userWithEmptySignature, undefined)).toThrow();
+            expect(() => (0, user_permissions_1.verifyUserSignature)(userWithEmptySignature, undefined)).not.toThrow();
         });
-        it('should reject whitespace-only signature when signature is required', () => {
+        it('should reject whitespace-only signature (treated as a bad signature, not a stub)', () => {
             const userWithWhitespaceSignature = { ...testUser, signature: '   ' };
             expect(() => (0, user_permissions_1.verifyUserSignature)(userWithWhitespaceSignature, undefined)).toThrow();
         });
     });
+    describe('verifyUserSignature - Unsigned stubs', () => {
+        it('should allow unsigned stub when no existing record', () => {
+            const stub = { ...testUser, signature: undefined };
+            expect(() => (0, user_permissions_1.verifyUserSignature)(stub)).not.toThrow();
+        });
+        it('should allow unsigned stub to overwrite an existing unsigned stub', () => {
+            const existingStub = { ...testUser, signature: undefined };
+            const incomingStub = { ...testUser, name: 'Updated Name', signature: undefined };
+            expect(() => (0, user_permissions_1.verifyUserSignature)(incomingStub, existingStub)).not.toThrow();
+        });
+        it('should reject unsigned stub when a signed record already exists', () => {
+            const signedExisting = (0, user_permissions_1.signUserObject)(testUser, userKeys.secretKey);
+            const incomingStub = { ...testUser, signature: undefined };
+            expect(() => (0, user_permissions_1.verifyUserSignature)(incomingStub, signedExisting))
+                .toThrow('Cannot overwrite a signed user record with an unsigned one');
+        });
+        it('should reject unsigned stub with different keys when signed record exists', () => {
+            const signedExisting = (0, user_permissions_1.signUserObject)(testUser, userKeys.secretKey);
+            const incomingStub = { ...testUser, publicKey: otherUserKeys.publicKey, signature: undefined };
+            expect(() => (0, user_permissions_1.verifyUserSignature)(incomingStub, signedExisting))
+                .toThrow('Cannot overwrite a signed user record with an unsigned one');
+        });
+        it('should allow a signed record to replace an unsigned stub', () => {
+            const existingStub = { ...testUser, signature: undefined };
+            const signedIncoming = (0, user_permissions_1.signUserObject)(testUser, userKeys.secretKey);
+            expect(() => (0, user_permissions_1.verifyUserSignature)(signedIncoming, existingStub)).not.toThrow();
+        });
+    });
     describe('edge cases and error handling', () => {
         it('should handle undefined user gracefully', () => {
             // @ts-ignore - Testing edge case

package/dist/device/connection.js

@@ -314,6 +314,9 @@ class Connection {
         await this.emit('reset');
         const remoteDeviceInfoSigned = await this.emit('requestDeviceInfo');
         const remoteDeviceInfo = (0, keys_1.openSignedObject)(remoteDeviceInfoSigned);
+        if (remoteDeviceInfoSigned.publicKey !== remoteDeviceInfo.publicKey) {
+            throw new Error('Device info signing key does not match claimed identity key');
+        }
         const handshake = await this.initiateHandshake(remoteAddress, remoteDeviceInfo);
         const handshakeResponseBox = await this.emit('completeHandshake', handshake);
         const handshakeResponse = await this.localDevice.openBoxedAndSignedData(handshakeResponseBox);

package/dist/device/connection.test.js

@@ -276,4 +276,61 @@ describe(connection_1.Connection, () => {
         expect(result).toMatch(/Remote device's system clock is too far out of sync/);
     });
     it.todo("should handle RPC calls that return undefined");
+    // ─── Security: key confusion attack ────────────────────────────────────────
+    //
+    // openSignedObject verifies the signature using signedObj.publicKey (the
+    // envelope key — the ACTUAL signer). Identity is then recorded from
+    // contents.publicKey (the CLAIMED key). There is no check that these match.
+    //
+    // A malicious peer can sign a handshake with their real key KA while
+    // claiming victim's publicKey KV in the payload contents. The signature
+    // check passes, but the server registers KV as the connected identity.
+    //
+    // Fix: after openSignedObject succeeds, assert
+    //   signedHandshake.publicKey === signedHandshake.contents.publicKey
+    //
+    describe('Security: key confusion — signing key vs claimed identity key', () => {
+        it('rejects handshake where signing key (KA) differs from claimed identity key in contents (KV)', async () => {
+            const serverAddress = 'http://localhost';
+            const { clientSocket, serverSocket } = createTestSocketPair();
+            const attackerDevice = new device_1.Device();
+            const victimDevice = new device_1.Device(); // identity the attacker wants to impersonate
+            const serverDevice = new device_1.Device();
+            const attackerConnection = new connection_1.Connection(clientSocket, attackerDevice);
+            const serverConnection = new connection_1.Connection(serverSocket, serverDevice, [serverAddress]);
+            // Craft a malicious handshake:
+            //   signedObj.publicKey  = KA  (attacker's real signing key — used for verification)
+            //   contents.publicKey   = KV  (victim's signing key   — recorded as identity)
+            //   contents.userId      = victim's userId
+            //   contents.publicBoxKey = KA_box  (attacker's box key, kept so the server
+            //                                    boxes its response for the attacker and
+            //                                    the attacker can decrypt it to finish the
+            //                                    handshake — making the whole flow succeed)
+            const originalGetHandshake = attackerDevice.getHandshake.bind(attackerDevice);
+            attackerDevice.getHandshake = function (connectionId, addr) {
+                const real = originalGetHandshake(connectionId, addr);
+                const maliciousContents = {
+                    ...real.contents, // keep connectionId, timestamp, serverAddress
+                    userId: victimDevice.userId, // claim victim's userId
+                    publicKey: victimDevice.publicKey, // claim victim's Ed25519 key (KV)
+                    // publicBoxKey stays as attacker's own box key (KA_box) so the server
+                    // encrypts its handshake response for a key the attacker can open
+                };
+                // Sign with attacker's secret key:
+                //   signedObj.publicKey = KA   (actual signer)
+                //   contents.publicKey  = KV   (claimed identity) — DIFFERENT
+                return attackerDevice.signObjectWithSecretKey(maliciousContents);
+            };
+            // The server must reject this — the signing key (KA) does not match the
+            // claimed identity key in the payload contents (KV).
+            // Server-side errors travel back through the RPC layer as plain objects
+            // { error: '...', errorType: 'RPC_ERROR' } rather than Error instances.
+            const result = await attackerConnection.doHandshake(serverAddress).catch(err => err);
+            const errorMessage = result instanceof Error ? result.message : result?.error ?? String(result);
+            expect(errorMessage).toMatch(/signing key does not match claimed identity key/i);
+            // Neither side should be left in a verified state
+            expect(attackerConnection.verified).toBe(false);
+            expect(serverConnection.verified).toBe(false);
+        });
+    });
 });

package/dist/device/device.js

@@ -80,6 +80,9 @@ class Device {
     handshakeResponse(remoteHandshake, connectionId, thisServerAddress) {
         try {
             const deviceInfo = (0, keys_1.openSignedObject)(remoteHandshake);
+            if (remoteHandshake.publicKey !== deviceInfo.publicKey) {
+                throw new Error('Handshake signing key does not match claimed identity key');
+            }
             if (deviceInfo.connectionId !== connectionId) {
                 throw new Error(`Invalid connectionId ${deviceInfo.connectionId}, expected ${connectionId}`);
             }

package/dist/device/device.test.js

@@ -73,21 +73,18 @@ describe(device_1.Device, () => {
                 const handshake = client.getHandshake(c1.connectionId, 'localhost');
                 expect(() => server.handshakeResponse(handshake, c2.connectionId, 'localhost')).toThrow(/Invalid connectionId/);
             });
-            it("should throw when the client can't unbox the data", async () => {
-                const c1 = {
-                    connectionId: (0, utils_1.newid)(),
-                };
-                const c2 = {
-                    connectionId: c1.connectionId,
-                };
+            it("should reject a handshake signed by a different key than the one claimed in the payload (key confusion)", async () => {
+                const connectionId = (0, utils_1.newid)();
+                // Imposter holds a random secret key but claims the real client's publicKey/publicBoxKey.
+                // getHandshake signs with the random key, so signedObj.publicKey != contents.publicKey.
                 const clientImposter = new device_1.Device(userId1, client.deviceId, {
                     secretKey: (0, keys_1.newKeys)().secretKey,
                     publicKey: client.publicKey,
                     publicBoxKey: client.publicBoxKey
                 });
-                const handshake = clientImposter.getHandshake(c1.connectionId, 'localhost');
-                const response = server.handshakeResponse(handshake, c2.connectionId, 'localhost');
-                // expect(() =>  clientImposter.openBoxWithSecretKey(response)).toThrow(/Message was null or verification failed/);        
+                const handshake = clientImposter.getHandshake(connectionId, 'localhost');
+                expect(() => server.handshakeResponse(handshake, connectionId, 'localhost'))
+                    .toThrow(/signing key does not match claimed identity key/i);
             });
             it("should detect when requests and responses are being forwarded through a different address", async () => {
                 const connToServer = {

package/dist/device/get-trust-level-fn.d.ts

@@ -1,4 +1,3 @@
-import { UserContext } from "../context";
 import { IDeviceInfo } from "../data";
 import { TrustLevel } from "./socket.type";
-export declare function getTrustLevelFn(me: Pick<IDeviceInfo, 'userId' | 'publicKey' | 'publicBoxKey'>, serverUrl?: string, injectedUserContext?: UserContext): (deviceInfo: IDeviceInfo, registerNew?: boolean) => Promise<TrustLevel>;
+export declare function getTrustLevelFn(me: Pick<IDeviceInfo, 'userId' | 'publicKey' | 'publicBoxKey'>, serverUrl?: string): (deviceInfo: IDeviceInfo, registerNew?: boolean) => Promise<TrustLevel>;

package/dist/device/get-trust-level-fn.js

@@ -4,9 +4,9 @@ exports.getTrustLevelFn = getTrustLevelFn;
 const context_1 = require("../context");
 const data_1 = require("../data");
 const socket_type_1 = require("./socket.type");
-function getTrustLevelFn(me, serverUrl, injectedUserContext) {
+function getTrustLevelFn(me, serverUrl) {
     return async function getTrustLevel(deviceInfo, registerNew) {
-        const userContext = injectedUserContext ?? await (0, context_1.getUserContext)();
+        const userContext = await (0, context_1.getUserContext)();
         const userDataContext = userContext.userDataContext;
         // if this is my own device it is trusted
         if (deviceInfo.userId === me.userId && deviceInfo.publicKey === me.publicKey && deviceInfo.publicBoxKey === me.publicBoxKey) {
@@ -42,34 +42,32 @@ function getTrustLevelFn(me, serverUrl, injectedUserContext) {
             return device.trustLevel;
         }
         // TODO check user trust level, if they are untrusted, return immediately
-        if (user && device && !(deviceInfo.userId === device.userId && deviceInfo.userId === user.userId && deviceInfo.publicKey === user.publicKey && deviceInfo.publicBoxKey === user.publicBoxKey)) {
-            // The stored user record has different public keys than what this device is presenting.
-            //
-            // By the time getTrustLevel is called the handshake has already been
-            // cryptographically verified: the connecting device proved ownership of
-            // deviceInfo.publicKey by signing the IDeviceHandshake with the
-            // corresponding secret key (verified in Device.handshakeResponse via
-            // openSignedObject).  The stored record is therefore stale — most
-            // commonly because it was synced from a relay before the first direct
-            // WebRTC connection and the relay's copy had wrong/empty keys.
-            //
-            // Rather than returning Untrusted (which would permanently block this
-            // device on every reconnect after the first), we refresh the stored
-            // keys with the verified values.  The signature is cleared so a
-            // subsequent sync of the real signed user record can replace this
-            // interim version.
-            if (deviceInfo.userId === device.userId) {
-                user.publicKey = deviceInfo.publicKey;
-                user.publicBoxKey = deviceInfo.publicBoxKey;
-                const { signature: _sig, ...userWithoutSig } = user;
-                await (0, data_1.Users)(userDataContext).save(userWithoutSig, { restoreIfDeleted: true });
-                user = userWithoutSig;
-            }
-            else {
-                // userId mismatch — genuinely untrusted
-                return socket_type_1.TrustLevel.Untrusted;
+        // If the user isn't in our personal DB, check all group data contexts.
+        // Group data takes a back seat to personal data — we never write to those
+        // group records here, and we never copy a group-sourced user into the
+        // personal DB (that requires an explicit user action).
+        let groupUser = null;
+        let groupTrustLevel;
+        if (!user) {
+            for (const [, groupContext] of userContext.groupDataContexts) {
+                const found = await (0, data_1.Users)(groupContext).get(deviceInfo.userId);
+                if (!found)
+                    continue;
+                groupUser = groupUser ?? found; // all groups sync the same signed record
+                const gtl = await (0, data_1.UserTrustLevels)(groupContext).get(deviceInfo.userId);
+                if (gtl?.trustLevel !== undefined) {
+                    groupTrustLevel = groupTrustLevel === undefined
+                        ? gtl.trustLevel
+                        : Math.min(groupTrustLevel, gtl.trustLevel);
+                }
             }
         }
+        const effectiveUser = user ?? groupUser;
+        if (effectiveUser && device && !(deviceInfo.userId === device.userId && deviceInfo.userId === effectiveUser.userId && deviceInfo.publicKey === effectiveUser.publicKey && deviceInfo.publicBoxKey === effectiveUser.publicBoxKey)) {
+            // deviceInfo does not align with local info about user and device, return Untrusted
+            // TODO check if user has changed their public keys
+            return socket_type_1.TrustLevel.Untrusted;
+        }
         if (userTrustLevel?.trustLevel && userTrustLevel.trustLevel >= socket_type_1.TrustLevel.Trusted && device?.trustLevel && device.trustLevel >= socket_type_1.TrustLevel.Trusted) {
             device.lastSeen = new Date();
             await (0, data_1.Devices)(userDataContext).save(device, { restoreIfDeleted: true });
@@ -101,8 +99,10 @@ function getTrustLevelFn(me, serverUrl, injectedUserContext) {
         }
         trustLevel = device.trustLevel;
         let newUser = false;
-        let staleUserKeys = false;
-        if (!user) {
+        if (!user && !groupUser) {
+            // Truly unknown user — create an unsigned stub in the personal DB so
+            // subsequent connections can match against it until a signed record
+            // arrives via sync.
             user = {
                 userId: deviceInfo.userId,
                 publicKey: deviceInfo.publicKey,
@@ -112,16 +112,6 @@ function getTrustLevelFn(me, serverUrl, injectedUserContext) {
             trustLevel = socket_type_1.TrustLevel.NewUser;
             newUser = true;
         }
-        else if (user.publicKey !== deviceInfo.publicKey || user.publicBoxKey !== deviceInfo.publicBoxKey) {
-            // User record exists but has stale keys (e.g. from a sync that arrived
-            // before this direct connection).  Refresh them with the verified keys
-            // so subsequent connections don't hit the mismatch check above.
-            user.publicKey = deviceInfo.publicKey;
-            user.publicBoxKey = deviceInfo.publicBoxKey;
-            const { signature: _sig, ...userWithoutSig } = user;
-            user = userWithoutSig;
-            staleUserKeys = true;
-        }
         // TODO - reimplement this, checks with peers to see if this is an untrusted device
         // let remoteTrustLevel = TrustLevel.Unknown;
         // for (const [serverUrl, conn] of Object.entries(getActiveConnections())) {
@@ -157,14 +147,16 @@ function getTrustLevelFn(me, serverUrl, injectedUserContext) {
                 weakInsert: true,
             });
         }
-        else if (staleUserKeys) {
-            await (0, data_1.Users)(userDataContext).save(user, { restoreIfDeleted: true });
-        }
         // device.trustLevel = remoteTrustLevel || trustLevel;
         await (0, data_1.Devices)(userDataContext).save(device, {
             restoreIfDeleted: true,
             weakInsert: true,
         });
+        // If the user was found only in group contexts (not personal), apply the minimum
+        // trust level we observed across those groups as a floor on the result.
+        if (groupTrustLevel !== undefined) {
+            return Math.min(device.trustLevel, groupTrustLevel);
+        }
         return device.trustLevel;
     };
 }

package/dist/device/get-trust-level-fn.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/device/get-trust-level-fn.test.js

@@ -0,0 +1,553 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const get_trust_level_fn_1 = require("./get-trust-level-fn");
+const socket_type_1 = require("./socket.type");
+const utils_1 = require("../utils");
+jest.mock('../context', () => ({
+    getUserContext: jest.fn(),
+}));
+jest.mock('../data', () => ({
+    Devices: jest.fn(),
+    Users: jest.fn(),
+    UserTrustLevels: jest.fn(),
+}));
+const context_1 = require("../context");
+const data_1 = require("../data");
+const mockGetUserContext = context_1.getUserContext;
+const mockDevices = data_1.Devices;
+const mockUsers = data_1.Users;
+const mockUserTrustLevels = data_1.UserTrustLevels;
+function makeDeviceTable(deviceRecord = null) {
+    return {
+        get: jest.fn().mockResolvedValue(deviceRecord),
+        save: jest.fn().mockResolvedValue(undefined),
+    };
+}
+function makeUsersTable(userRecord = null) {
+    return {
+        get: jest.fn().mockResolvedValue(userRecord),
+        save: jest.fn().mockResolvedValue(undefined),
+    };
+}
+function makeTrustTable(trustRecord = null) {
+    return {
+        get: jest.fn().mockResolvedValue(trustRecord),
+    };
+}
+function makeTestIdentity() {
+    return {
+        userId: (0, utils_1.newid)(),
+        publicKey: `pk_${(0, utils_1.newid)()}`,
+        publicBoxKey: `pbk_${(0, utils_1.newid)()}`,
+        deviceId: (0, utils_1.newid)(),
+    };
+}
+function setupMocks(deviceRecord = null, userRecord = null, trustRecord = null) {
+    const mockUserDataContext = {};
+    mockGetUserContext.mockResolvedValue({
+        userDataContext: mockUserDataContext,
+        groupDataContexts: new Map(),
+    });
+    const devTable = makeDeviceTable(deviceRecord);
+    const usersTable = makeUsersTable(userRecord);
+    const trustTable = makeTrustTable(trustRecord);
+    mockDevices.mockReturnValue(devTable);
+    mockUsers.mockReturnValue(usersTable);
+    mockUserTrustLevels.mockReturnValue(trustTable);
+    return { devTable, usersTable, trustTable };
+}
+describe('getTrustLevelFn', () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+    });
+    // ─── Own-device fast path ───────────────────────────────────────────────────
+    describe('own device (userId + publicKey + publicBoxKey all match)', () => {
+        it('returns NewDevice when device is newly seen (< 2 days old)', async () => {
+            const me = makeTestIdentity();
+            const deviceInfo = { ...me };
+            const recentDate = new Date(Date.now() - 1000 * 60 * 60 * 24); // 1 day ago
+            const existingDevice = {
+                deviceId: me.deviceId,
+                userId: me.userId,
+                firstSeen: recentDate,
+                lastSeen: recentDate,
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            const { devTable } = setupMocks(existingDevice);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(deviceInfo);
+            expect(result).toBe(socket_type_1.TrustLevel.NewDevice);
+            expect(devTable.save).toHaveBeenCalledWith(expect.objectContaining({ trustLevel: socket_type_1.TrustLevel.NewDevice }), expect.objectContaining({ restoreIfDeleted: true, weakInsert: true }));
+        });
+        it('returns Trusted when own device has been seen for more than 2 days', async () => {
+            const me = makeTestIdentity();
+            const deviceInfo = { ...me };
+            const oldDate = new Date(Date.now() - 1000 * 60 * 60 * 24 * 3); // 3 days ago
+            const existingDevice = {
+                deviceId: me.deviceId,
+                userId: me.userId,
+                firstSeen: oldDate,
+                lastSeen: oldDate,
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            setupMocks(existingDevice);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(deviceInfo);
+            expect(result).toBe(socket_type_1.TrustLevel.Trusted);
+        });
+        it('creates a new device record if own device has not been seen before', async () => {
+            const me = makeTestIdentity();
+            const deviceInfo = { ...me };
+            const { devTable } = setupMocks(null); // no existing device
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me, 'https://myserver.example.com');
+            const result = await getTrustLevel(deviceInfo);
+            expect(result).toBe(socket_type_1.TrustLevel.NewDevice);
+            expect(devTable.save).toHaveBeenCalledWith(expect.objectContaining({
+                deviceId: me.deviceId,
+                userId: me.userId,
+                serverUrl: 'https://myserver.example.com',
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            }), expect.objectContaining({ restoreIfDeleted: true, weakInsert: true }));
+        });
+        it('does not look up Users or UserTrustLevels for own device', async () => {
+            const me = makeTestIdentity();
+            const deviceInfo = { ...me };
+            setupMocks(null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            await getTrustLevel(deviceInfo);
+            expect(mockUsers).not.toHaveBeenCalled();
+            expect(mockUserTrustLevels).not.toHaveBeenCalled();
+        });
+        it('updates lastSeen on every call for own device', async () => {
+            const me = makeTestIdentity();
+            const deviceInfo = { ...me };
+            const pastDate = new Date(Date.now() - 1000 * 60 * 5); // 5 minutes ago
+            const existingDevice = {
+                deviceId: me.deviceId,
+                userId: me.userId,
+                firstSeen: pastDate,
+                lastSeen: pastDate,
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            const { devTable } = setupMocks(existingDevice);
+            const before = Date.now();
+            await (0, get_trust_level_fn_1.getTrustLevelFn)(me)(deviceInfo);
+            const after = Date.now();
+            const savedDevice = devTable.save.mock.calls[0][0];
+            expect(savedDevice.lastSeen.getTime()).toBeGreaterThanOrEqual(before);
+            expect(savedDevice.lastSeen.getTime()).toBeLessThanOrEqual(after);
+        });
+    });
+    // ─── Blocked device early exit ──────────────────────────────────────────────
+    describe('explicitly blocked device (trustLevel < Unknown)', () => {
+        it('returns Untrusted immediately without saving any records', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const blockedDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.Untrusted,
+            };
+            const { devTable } = setupMocks(blockedDevice);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            // All three tables are fetched in parallel before the block check
+            expect(result).toBe(socket_type_1.TrustLevel.Untrusted);
+            // Should not save anything — returns early before any writes
+            expect(devTable.save).not.toHaveBeenCalled();
+        });
+        it('returns Malicious immediately for malicious-flagged devices', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const maliciousDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.Malicious,
+            };
+            setupMocks(maliciousDevice);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.Malicious);
+        });
+    });
+    // ─── Key-mismatch guard ─────────────────────────────────────────────────────
+    describe('key-mismatch guard (user AND device both exist)', () => {
+        it('returns Untrusted when publicKey does not match stored user record', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: `different_pk_${(0, utils_1.newid)()}`,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            setupMocks(existingDevice, existingUser);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.Untrusted);
+        });
+        it('returns Untrusted when publicBoxKey does not match stored user record', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: `different_pbk_${(0, utils_1.newid)()}`,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            setupMocks(existingDevice, existingUser);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.Untrusted);
+        });
+        it('returns Untrusted when device.userId does not match deviceInfo.userId', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: (0, utils_1.newid)(), // different userId stored on device record
+                firstSeen: new Date(),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            setupMocks(existingDevice, existingUser);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.Untrusted);
+        });
+        it('does NOT return Untrusted when only device exists (no user record yet)', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            // user record is null — mismatch check is skipped
+            setupMocks(existingDevice, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).not.toBe(socket_type_1.TrustLevel.Untrusted);
+        });
+        it('does NOT return Untrusted when only user exists (no device record yet)', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: `different_pk_${(0, utils_1.newid)()}`, // key mismatch present but device is missing
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            // device record is null — mismatch check is skipped
+            setupMocks(null, existingUser);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).not.toBe(socket_type_1.TrustLevel.Untrusted);
+        });
+    });
+    // ─── Trusted fast path ──────────────────────────────────────────────────────
+    describe('trusted fast path', () => {
+        it('returns Trusted immediately when device and userTrustLevel are both >= Trusted', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(Date.now() - 1000 * 60 * 60 * 24 * 30),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.Trusted,
+            };
+            const trustRecord = {
+                userId: other.userId,
+                trustLevel: socket_type_1.TrustLevel.Trusted,
+            };
+            const { devTable } = setupMocks(existingDevice, existingUser, trustRecord);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.Trusted);
+            expect(devTable.save).toHaveBeenCalledWith(expect.objectContaining({ trustLevel: socket_type_1.TrustLevel.Trusted }), expect.objectContaining({ restoreIfDeleted: true }));
+        });
+        it('does NOT trigger fast path when device is Trusted but userTrustLevel is not', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(Date.now() - 1000 * 60 * 60 * 24 * 10),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.Trusted,
+            };
+            const trustRecord = {
+                userId: other.userId,
+                trustLevel: socket_type_1.TrustLevel.Known, // below Trusted
+            };
+            const { devTable } = setupMocks(existingDevice, existingUser, trustRecord);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            await getTrustLevel(other);
+            // save was called via the normal path (weakInsert), not the fast path
+            expect(devTable.save).toHaveBeenCalledWith(expect.anything(), expect.objectContaining({ weakInsert: true }));
+        });
+        it('does NOT trigger fast path when userTrustLevel is Trusted but device is not', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(Date.now() - 1000 * 60 * 60 * 24 * 10),
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.Known, // below Trusted
+            };
+            const trustRecord = {
+                userId: other.userId,
+                trustLevel: socket_type_1.TrustLevel.Trusted,
+            };
+            setupMocks(existingDevice, existingUser, trustRecord);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).not.toBe(socket_type_1.TrustLevel.Trusted);
+        });
+    });
+    // ─── New user / new device resolution ───────────────────────────────────────
+    describe('new user and new device', () => {
+        it('returns NewDevice and saves a user stub when both user and device are unseen', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const { devTable, usersTable } = setupMocks(null, null, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me, 'https://server.example.com');
+            const result = await getTrustLevel(other);
+            // The local `trustLevel` variable is set to NewUser (10), but the function returns
+            // `device.trustLevel` which remains NewDevice (20). The NewUser assignment was
+            // intended for the now-commented-out `device.trustLevel = remoteTrustLevel || trustLevel`.
+            expect(result).toBe(socket_type_1.TrustLevel.NewDevice);
+            expect(usersTable.save).toHaveBeenCalledWith(expect.objectContaining({
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'https://server.example.com',
+            }), expect.objectContaining({ restoreIfDeleted: true, weakInsert: true }));
+            expect(devTable.save).toHaveBeenCalledWith(expect.objectContaining({
+                deviceId: other.deviceId,
+                userId: other.userId,
+                serverUrl: 'https://server.example.com',
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            }), expect.objectContaining({ restoreIfDeleted: true, weakInsert: true }));
+        });
+        it('uses a fallback name from userId suffix when serverUrl is not provided', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const { usersTable } = setupMocks(null, null, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me); // no serverUrl
+            await getTrustLevel(other);
+            const savedUser = usersTable.save.mock.calls[0][0];
+            expect(savedUser.name).toBe(`Unnamed_${other.userId.substring(20)}`);
+        });
+        it('does not save a user stub when user already exists', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const { usersTable } = setupMocks(null, existingUser, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            await getTrustLevel(other);
+            expect(usersTable.save).not.toHaveBeenCalled();
+        });
+    });
+    // ─── Device aging ────────────────────────────────────────────────────────────
+    describe('device aging', () => {
+        it('returns NewDevice for a device first seen < 7 days ago', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(Date.now() - 1000 * 60 * 60 * 24 * 5), // 5 days ago
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            setupMocks(existingDevice, existingUser, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.NewDevice);
+        });
+        it('promotes device to Known when first seen > 7 days ago', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(Date.now() - 1000 * 60 * 60 * 24 * 8), // 8 days ago
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            const { devTable } = setupMocks(existingDevice, existingUser, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.Known);
+            expect(devTable.save).toHaveBeenCalledWith(expect.objectContaining({ trustLevel: socket_type_1.TrustLevel.Known }), expect.anything());
+        });
+        it('bumps existing device with Unknown trust level up to NewDevice', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(Date.now() - 1000 * 60 * 60 * 24 * 3), // 3 days, under 7-day threshold
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.Unknown,
+            };
+            const { devTable } = setupMocks(existingDevice, existingUser, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.NewDevice);
+            expect(devTable.save).toHaveBeenCalledWith(expect.objectContaining({ trustLevel: socket_type_1.TrustLevel.NewDevice }), expect.anything());
+        });
+        it('does not downgrade a device already at Known when re-evaluated before 7 days', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(Date.now() - 1000 * 60 * 60 * 24 * 5), // 5 days — under 7-day threshold
+                lastSeen: new Date(),
+                trustLevel: socket_type_1.TrustLevel.Known, // manually promoted already
+            };
+            setupMocks(existingDevice, existingUser, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.Known);
+        });
+        it('updates lastSeen on the device record each time', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const pastDate = new Date(Date.now() - 1000 * 60 * 60); // 1 hour ago
+            const existingDevice = {
+                deviceId: other.deviceId,
+                userId: other.userId,
+                firstSeen: new Date(Date.now() - 1000 * 60 * 60 * 24 * 2),
+                lastSeen: pastDate,
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            };
+            const { devTable } = setupMocks(existingDevice, existingUser, null);
+            const before = Date.now();
+            await (0, get_trust_level_fn_1.getTrustLevelFn)(me)(other);
+            const after = Date.now();
+            const savedDevice = devTable.save.mock.calls[0][0];
+            expect(savedDevice.lastSeen.getTime()).toBeGreaterThanOrEqual(before);
+            expect(savedDevice.lastSeen.getTime()).toBeLessThanOrEqual(after);
+        });
+    });
+    // ─── Existing user, no device ────────────────────────────────────────────────
+    describe('existing user but no device record', () => {
+        it('creates a new device record with NewDevice trust level', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            const existingUser = {
+                userId: other.userId,
+                publicKey: other.publicKey,
+                publicBoxKey: other.publicBoxKey,
+                name: 'Alice',
+            };
+            const { devTable } = setupMocks(null, existingUser, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me, 'https://relay.example.com');
+            const result = await getTrustLevel(other);
+            expect(result).toBe(socket_type_1.TrustLevel.NewDevice);
+            expect(devTable.save).toHaveBeenCalledWith(expect.objectContaining({
+                deviceId: other.deviceId,
+                userId: other.userId,
+                serverUrl: 'https://relay.example.com',
+                trustLevel: socket_type_1.TrustLevel.NewDevice,
+            }), expect.anything());
+        });
+    });
+    // ─── Parallel DB lookups ────────────────────────────────────────────────────
+    describe('parallel DB lookups for non-self devices', () => {
+        it('queries Users, Devices and UserTrustLevels in parallel', async () => {
+            const me = makeTestIdentity();
+            const other = makeTestIdentity();
+            setupMocks(null, null, null);
+            const getTrustLevel = (0, get_trust_level_fn_1.getTrustLevelFn)(me);
+            await getTrustLevel(other);
+            expect(mockDevices).toHaveBeenCalled();
+            expect(mockUsers).toHaveBeenCalled();
+            expect(mockUserTrustLevels).toHaveBeenCalled();
+        });
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@peers-app/peers-sdk",
-  "version": "0.10.3",
+  "version": "0.10.4",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/peers-app/peers-sdk.git"