@vex-chat/libvex 2.0.0 → 5.0.0

package/src/Storage.ts

@@ -24,7 +24,7 @@ export interface Storage extends EventEmitter {
     /**
      * Deletes history for a direct conversation or group channel.
      *
-     * @param channelOrUserID Channel ID or user ID whose history should be deleted.
+     * @param channelOrUserID - Channel ID or user ID whose history should be deleted.
      */
     deleteHistory: (channelOrUserID: string) => Promise<void>;
     /** Deletes one message by `mailID`. */
@@ -108,8 +108,8 @@ export interface Storage extends EventEmitter {
     /**
      * Saves signed prekeys.
      *
-     * @param preKeys Prekeys to persist.
-     * @param oneTime `true` for one-time keys, `false` for the long-lived signed prekey.
+     * @param preKeys - Prekeys to persist.
+     * @param oneTime - `true` for one-time keys, `false` for the long-lived signed prekey.
      */
     savePreKeys: (
         preKeys: UnsavedPreKey[],

package/src/__tests__/codec.test.ts

@@ -21,6 +21,28 @@ const hexVar = (min: number, max: number) =>
 const rec = (arbs: Record<string, fc.Arbitrary<unknown>>) =>
     fc.record(arbs, { noNullPrototype: true });
 
+/**
+ * Strip keys that are magic in JS (`__proto__`, `constructor`, `prototype`)
+ * from generated JSON values. These can't round-trip through msgpack because
+ * the JS runtime intercepts them on plain objects.
+ */
+function stripProtoKeys(val: unknown): unknown {
+    if (val === null || typeof val !== "object") return val;
+    if (Array.isArray(val)) return val.map(stripProtoKeys);
+    const out: Record<string, unknown> = {};
+    for (const [k, v] of Object.entries(val)) {
+        if (k === "__proto__" || k === "constructor" || k === "prototype")
+            continue;
+        out[k] = stripProtoKeys(v);
+    }
+    return out;
+}
+
+const safeJsonValue = (opts?: { maxDepth?: number }) =>
+    fc
+        .jsonValue(opts)
+        .map((v) => stripProtoKeys(JSON.parse(JSON.stringify(v))));
+
 // ── Arbitraries ──────────────────────────────────────────────────────────────
 
 const arbBaseMsg = rec({
@@ -29,21 +51,14 @@ const arbBaseMsg = rec({
 });
 
 const arbSuccessMsg = rec({
-    data: fc
-        .jsonValue({ maxDepth: 1 })
-        .map((v) => JSON.parse(JSON.stringify(v)) as unknown),
+    data: safeJsonValue({ maxDepth: 1 }),
     timestamp: fc.option(fc.string(), { nil: null }),
     transmissionID: fc.uuid({ version: 4 }),
     type: fc.constant("success"),
 });
 
 const arbErrMsg = rec({
-    data: fc.option(
-        fc
-            .jsonValue({ maxDepth: 1 })
-            .map((v) => JSON.parse(JSON.stringify(v)) as unknown),
-        { nil: null },
-    ),
+    data: fc.option(safeJsonValue({ maxDepth: 1 }), { nil: null }),
     error: fc.string({ minLength: 1 }),
     transmissionID: fc.uuid({ version: 4 }),
     type: fc.constant("error"),
@@ -51,24 +66,14 @@ const arbErrMsg = rec({
 
 const arbResourceMsg = rec({
     action: fc.constantFrom("CREATE", "RETRIEVE", "UPDATE", "DELETE"),
-    data: fc.option(
-        fc
-            .jsonValue({ maxDepth: 1 })
-            .map((v) => JSON.parse(JSON.stringify(v)) as unknown),
-        { nil: null },
-    ),
+    data: fc.option(safeJsonValue({ maxDepth: 1 }), { nil: null }),
     resourceType: fc.constantFrom("mail", "preKeys", "otk"),
     transmissionID: fc.uuid({ version: 4 }),
     type: fc.constant("resource"),
 });
 
 const arbNotifyMsg = rec({
-    data: fc.option(
-        fc
-            .jsonValue({ maxDepth: 1 })
-            .map((v) => JSON.parse(JSON.stringify(v)) as unknown),
-        { nil: null },
-    ),
+    data: fc.option(safeJsonValue({ maxDepth: 1 }), { nil: null }),
     event: fc.constantFrom("mail", "serverChange", "permission"),
     transmissionID: fc.uuid({ version: 4 }),
     type: fc.constant("notify"),

package/src/__tests__/harness/platform-transports.ts

@@ -1,17 +1,4 @@
 /**
- * Test logger for integration tests.
+ * Shared test transport utilities — kept as a module boundary for
+ * platform-specific test setup.
  */
-import type { Logger } from "../../transport/types.js";
-
-export const testLogger: Logger = {
-    debug(_m: string) {},
-    error(m: string) {
-        console.error(`[test] ${m}`);
-    },
-    info(m: string) {
-        console.log(`[test] ${m}`);
-    },
-    warn(m: string) {
-        console.warn(`[test] ${m}`);
-    },
-};

package/src/__tests__/harness/poison-node-imports.ts

@@ -97,7 +97,6 @@ function findViolations(code: string): Violation[] {
 function isNodeOnlyFile(id: string): boolean {
     // These files are only loaded via dynamic import on the Node path.
     if (id.includes("/storage/node")) return true;
-    if (id.includes("/utils/createLogger")) return true;
     return false;
 }
 

package/src/__tests__/harness/shared-suite.ts

@@ -7,7 +7,6 @@
 
 import type { ClientOptions, Message } from "../../index.js";
 import type { Storage } from "../../Storage.js";
-import type { Logger } from "../../transport/types.js";
 
 import { Client } from "../../index.js";
 
@@ -15,7 +14,6 @@ import { testFile, testImage } from "./fixtures.js";
 
 export function platformSuite(
     platformName: string,
-    logger: Logger,
     makeStorage: (SK: string, opts: ClientOptions) => Promise<Storage>,
 ) {
     describe.sequential(`platform: ${platformName}`, () => {
@@ -25,11 +23,9 @@ export function platformSuite(
 
         beforeAll(async () => {
             const SK = Client.generateSecretKey();
+
             const opts: ClientOptions = {
-                dbLogLevel: "error",
                 inMemoryDb: true,
-                logger,
-                logLevel: "error",
                 ...apiUrlOverrideFromEnv(),
             };
             const storage = await makeStorage(SK, opts);
@@ -73,10 +69,7 @@ export function platformSuite(
         test("two-user DM", async () => {
             const SK2 = Client.generateSecretKey();
             const opts2: ClientOptions = {
-                dbLogLevel: "error",
                 inMemoryDb: true,
-                logger,
-                logLevel: "error",
                 ...apiUrlOverrideFromEnv(),
             };
             const storage2 = await makeStorage(SK2, opts2);
@@ -113,10 +106,7 @@ export function platformSuite(
         test("group messaging in channel", async () => {
             const SK2 = Client.generateSecretKey();
             const opts2: ClientOptions = {
-                dbLogLevel: "error",
                 inMemoryDb: true,
-                logger,
-                logLevel: "error",
                 ...apiUrlOverrideFromEnv(),
             };
             const storage2 = await makeStorage(SK2, opts2);
@@ -174,10 +164,7 @@ export function platformSuite(
             const deviceKey = client.getKeys().private;
             const deviceID = client.me.device().deviceID;
             const opts2: ClientOptions = {
-                dbLogLevel: "error",
                 inMemoryDb: true,
-                logger,
-                logLevel: "error",
                 ...apiUrlOverrideFromEnv(),
             };
             const storage2 = await makeStorage(deviceKey, opts2);
@@ -274,10 +261,7 @@ export function platformSuite(
         test.todo("multi-device message sync", async () => {
             const SK2 = Client.generateSecretKey();
             const opts2: ClientOptions = {
-                dbLogLevel: "error",
                 inMemoryDb: true,
-                logger,
-                logLevel: "error",
                 ...apiUrlOverrideFromEnv(),
             };
             const storage2 = await makeStorage(SK2, opts2);
@@ -286,10 +270,7 @@ export function platformSuite(
             // Sender: separate user
             const SK3 = Client.generateSecretKey();
             const opts3: ClientOptions = {
-                dbLogLevel: "error",
                 inMemoryDb: true,
-                logger,
-                logLevel: "error",
                 ...apiUrlOverrideFromEnv(),
             };
             const storage3 = await makeStorage(SK3, opts3);

package/src/__tests__/platform-browser.test.ts

@@ -1,19 +1,14 @@
 import type { ClientOptions } from "../index.js";
 
 import { MemoryStorage } from "./harness/memory-storage.js";
-import { browserTestAdapters } from "./harness/platform-transports.js";
 // Browser platform test — covers Tauri, Expo/RN, and web.
 // Runs with the poison plugin (vitest.config.browser.ts) which catches
 // Node builtins and globals at compile time. Uses MemoryStorage (no
 // Node SQLite) and BrowserTestWS (Uint8Array binary).
 import { platformSuite } from "./harness/shared-suite.js";
 
-platformSuite(
-    "browser",
-    browserTestAdapters,
-    async (SK: string, _opts: ClientOptions) => {
-        const storage = new MemoryStorage(SK);
-        await storage.init();
-        return storage;
-    },
-);
+platformSuite("browser", async (SK: string, _opts: ClientOptions) => {
+    const storage = new MemoryStorage(SK);
+    await storage.init();
+    return storage;
+});

package/src/__tests__/platform-node.test.ts

@@ -2,9 +2,8 @@ import type { ClientOptions } from "../index.js";
 
 import { createNodeStorage } from "../storage/node.js";
 
-import { testLogger } from "./harness/platform-transports.js";
 import { platformSuite } from "./harness/shared-suite.js";
 
-platformSuite("node", testLogger, (SK: string, _opts: ClientOptions) =>
+platformSuite("node", (SK: string, _opts: ClientOptions) =>
     Promise.resolve(createNodeStorage(":memory:", SK)),
 );

package/src/codec.ts

@@ -27,17 +27,17 @@ const _packr = new Packr({ moreTypes: false, useRecords: false });
 export function createCodec<T extends z.ZodType>(schema: T) {
     type Msg = z.infer<T>;
     return {
-        /** Decode msgpack data — typed but not validated. Fast path for SDK. */
+        /** Decode msgpack data and validate against the schema. */
         decode: (data: Uint8Array): Msg => schema.parse(decode(data)) as Msg,
 
-        /** Decode + validate with Zod. Safe path for trust boundaries (Spire). */
+        /** Alias for decode — both paths validate. Kept for API compat. */
         decodeSafe: (data: Uint8Array): Msg =>
             schema.parse(decode(data)) as Msg,
 
-        /** Encode to msgpack — typed but not validated. */
+        /** Encode to msgpack. */
         encode: (msg: Msg): Uint8Array => encode(msg),
 
-        /** Validate + encode. Ensures outgoing messages match the schema. */
+        /** Validate against the schema, then encode to msgpack. */
         encodeSafe: (msg: Msg): Uint8Array => {
             schema.parse(msg);
             return encode(msg);

package/src/codecs.ts

@@ -70,7 +70,6 @@ export const DeviceChallengeCodec = createCodec(
 export const WhoamiCodec = createCodec(
     z.object({
         exp: z.number(),
-        token: z.string(),
         user: UserSchema,
     }),
 );

package/src/index.ts

@@ -2,6 +2,7 @@ export { Client } from "./Client.js";
 export type {
     Channel,
     Channels,
+    ClientEvents,
     ClientOptions,
     Device,
     Devices,
@@ -27,7 +28,13 @@ export type {
 } from "./Client.js";
 export { createCodec, msgpack } from "./codec.js";
 export type { Storage } from "./Storage.js";
-export type { Logger } from "./transport/types.js";
-export type { KeyStore, StoredCredentials } from "./types/index.js";
+export type {
+    KeyPair,
+    KeyStore,
+    PreKeysCrypto,
+    SessionCrypto,
+    StoredCredentials,
+    UnsavedPreKey,
+} from "./types/index.js";
 // Re-export app-facing types
 export type { Invite } from "@vex-chat/types";

package/src/keystore/node.ts

@@ -13,8 +13,16 @@ import { XUtils } from "@vex-chat/crypto";
 
 export class NodeKeyStore implements KeyStore {
     private readonly dir: string;
+    private readonly passphrase: string;
 
-    constructor(dir: string = ".") {
+    constructor(passphrase: string, dir: string = ".") {
+        if (!passphrase) {
+            throw new Error(
+                "NodeKeyStore requires a non-empty passphrase. " +
+                    "The caller must supply a passphrase sourced from user input, OS keychain, or similar.",
+            );
+        }
+        this.passphrase = passphrase;
         this.dir = dir;
     }
 
@@ -54,7 +62,7 @@ export class NodeKeyStore implements KeyStore {
 
     save(creds: StoredCredentials): Promise<void> {
         const data = JSON.stringify(creds);
-        const encrypted = XUtils.encryptKeyData("", data);
+        const encrypted = XUtils.encryptKeyData(this.passphrase, data);
         fs.writeFileSync(this.filePath(creds.username), encrypted);
         return Promise.resolve();
     }
@@ -66,7 +74,10 @@ export class NodeKeyStore implements KeyStore {
     private readFile(filePath: string): null | StoredCredentials {
         try {
             const data = fs.readFileSync(filePath);
-            const decrypted = XUtils.decryptKeyData(new Uint8Array(data), "");
+            const decrypted = XUtils.decryptKeyData(
+                new Uint8Array(data),
+                this.passphrase,
+            );
             const parsed: unknown = JSON.parse(decrypted);
             if (isStoredCredentials(parsed)) {
                 return parsed;

package/src/preset/common.ts

@@ -1,13 +1,7 @@
 import type { Storage } from "../Storage.js";
-import type { Logger } from "../transport/types.js";
 
 /** Internal preset interface used by nodePreset and testPreset. */
 export interface PlatformPreset {
-    createStorage(
-        dbName: string,
-        privateKey: string,
-        logger: Logger,
-    ): Promise<Storage>;
+    createStorage(dbName: string, privateKey: string): Promise<Storage>;
     deviceName: string;
-    logger: Logger;
 }

package/src/preset/node.ts

@@ -1,34 +1,18 @@
 import type { Storage } from "../Storage.js";
-import type { Logger } from "../transport/types.js";
 /**
  * Platform preset for Node.js (CLI tools, bots, tests).
  *
  * - WebSocket: native global (Node 22+)
  * - Storage:   Kysely + better-sqlite3
- * - Logger:    winston (loaded dynamically)
  */
 import type { PlatformPreset } from "./common.js";
 
-export async function nodePreset(logLevel?: string): Promise<PlatformPreset> {
-    const { createLogger } = await import("../utils/createLogger.js");
-    const logger: Logger = createLogger("libvex", logLevel);
-
+export function nodePreset(): PlatformPreset {
     return {
-        async createStorage(
-            dbName,
-            privateKey,
-            storageLogger,
-        ): Promise<Storage> {
+        async createStorage(dbName, privateKey): Promise<Storage> {
             const { createNodeStorage } = await import("../storage/node.js");
-
-            const storage: Storage = createNodeStorage(
-                dbName,
-                privateKey,
-                storageLogger,
-            );
-            return storage;
+            return createNodeStorage(dbName, privateKey);
         },
         deviceName: process.platform,
-        logger,
     };
 }

package/src/preset/test.ts

@@ -1,30 +1,14 @@
-import type { Logger } from "../transport/types.js";
 /**
  * Platform preset for tests — no I/O, no platform dependencies.
  *
  * - WebSocket: native global (Node 22+)
  * - Storage:   in-memory (no persistence)
- * - Logger:    console
  */
 import type { PlatformPreset } from "./common.js";
 
-const logger: Logger = {
-    debug() {},
-    error(m: string) {
-        console.error(`[test] ${m}`);
-    },
-    info(m: string) {
-        console.log(`[test] ${m}`);
-    },
-    warn(m: string) {
-        console.warn(`[test] ${m}`);
-    },
-};
-
 export function testPreset(): PlatformPreset {
     return {
-        async createStorage(_dbName, privateKey, _logger) {
-            // Lazy import to avoid pulling eventemitter3 into the type graph
+        async createStorage(_dbName, privateKey) {
             const { MemoryStorage } =
                 await import("../__tests__/harness/memory-storage.js");
             const storage = new MemoryStorage(privateKey);
@@ -32,6 +16,5 @@ export function testPreset(): PlatformPreset {
             return storage;
         },
         deviceName: "test",
-        logger,
     };
 }

package/src/storage/node.ts

@@ -1,5 +1,4 @@
 import type { Storage } from "../Storage.js";
-import type { Logger } from "../transport/types.js";
 import type { ClientDatabase } from "./schema.js";
 
 import BetterSqlite3 from "better-sqlite3";
@@ -11,23 +10,13 @@ import { Kysely, SqliteDialect } from "kysely";
 
 import { SqliteStorage } from "./sqlite.js";
 
-export function createNodeStorage(
-    dbPath: string,
-    SK: string,
-    logger?: Logger,
-): Storage {
+export function createNodeStorage(dbPath: string, SK: string): Storage {
     const db = new Kysely<ClientDatabase>({
         dialect: new SqliteDialect({
             database: new BetterSqlite3(dbPath),
         }),
     });
-    const log: Logger = logger ?? {
-        debug() {},
-        error() {},
-        info() {},
-        warn() {},
-    };
-    const storage = new SqliteStorage(db, SK, log);
+    const storage = new SqliteStorage(db, SK);
     void storage.init();
     return storage;
 }