npm - @vex-chat/libvex - Versions diffs - 5.1.0 → 5.3.0 - Mend

@vex-chat/libvex 5.1.0 → 5.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (142) hide show

package/CLA.md +38 -0
package/LICENSE-COMMERCIAL +10 -0
package/LICENSING.md +15 -0
package/README.md +8 -2
package/dist/Client.d.ts +47 -3
package/dist/Client.d.ts.map +1 -1
package/dist/Client.js +998 -496
package/dist/Client.js.map +1 -1
package/dist/Storage.d.ts +5 -0
package/dist/Storage.d.ts.map +1 -1
package/dist/Storage.js +5 -0
package/dist/Storage.js.map +1 -1
package/dist/__tests__/harness/memory-storage.d.ts +7 -2
package/dist/__tests__/harness/memory-storage.d.ts.map +1 -1
package/dist/__tests__/harness/memory-storage.js +44 -29
package/dist/__tests__/harness/memory-storage.js.map +1 -1
package/dist/codec.d.ts +9 -9
package/dist/codec.d.ts.map +1 -1
package/dist/codec.js +17 -19
package/dist/codec.js.map +1 -1
package/dist/codecs.d.ts +5 -0
package/dist/codecs.d.ts.map +1 -1
package/dist/codecs.js +5 -0
package/dist/codecs.js.map +1 -1
package/dist/index.d.ts +5 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +5 -0
package/dist/index.js.map +1 -1
package/dist/keystore/memory.d.ts +5 -0
package/dist/keystore/memory.d.ts.map +1 -1
package/dist/keystore/memory.js +5 -0
package/dist/keystore/memory.js.map +1 -1
package/dist/keystore/node.d.ts +5 -0
package/dist/keystore/node.d.ts.map +1 -1
package/dist/keystore/node.js +16 -8
package/dist/keystore/node.js.map +1 -1
package/dist/preset/common.d.ts +5 -0
package/dist/preset/common.d.ts.map +1 -1
package/dist/preset/common.js +5 -0
package/dist/preset/common.js.map +1 -1
package/dist/preset/node.d.ts +5 -0
package/dist/preset/node.d.ts.map +1 -1
package/dist/preset/node.js +9 -1
package/dist/preset/node.js.map +1 -1
package/dist/preset/test.d.ts +5 -0
package/dist/preset/test.d.ts.map +1 -1
package/dist/preset/test.js +9 -1
package/dist/preset/test.js.map +1 -1
package/dist/storage/node/http-agents.d.ts +5 -0
package/dist/storage/node/http-agents.d.ts.map +1 -1
package/dist/storage/node/http-agents.js +5 -0
package/dist/storage/node/http-agents.js.map +1 -1
package/dist/storage/node.d.ts +6 -1
package/dist/storage/node.d.ts.map +1 -1
package/dist/storage/node.js +7 -4
package/dist/storage/node.js.map +1 -1
package/dist/storage/schema.d.ts +5 -0
package/dist/storage/schema.d.ts.map +1 -1
package/dist/storage/schema.js +5 -0
package/dist/storage/schema.js.map +1 -1
package/dist/storage/sqlite.d.ts +22 -4
package/dist/storage/sqlite.d.ts.map +1 -1
package/dist/storage/sqlite.js +172 -98
package/dist/storage/sqlite.js.map +1 -1
package/dist/transport/types.d.ts +5 -0
package/dist/transport/types.d.ts.map +1 -1
package/dist/transport/types.js +5 -0
package/dist/transport/types.js.map +1 -1
package/dist/transport/websocket.d.ts +5 -0
package/dist/transport/websocket.d.ts.map +1 -1
package/dist/transport/websocket.js +5 -0
package/dist/transport/websocket.js.map +1 -1
package/dist/types/crypto.d.ts +5 -0
package/dist/types/crypto.d.ts.map +1 -1
package/dist/types/crypto.js +3 -5
package/dist/types/crypto.js.map +1 -1
package/dist/types/identity.d.ts +5 -0
package/dist/types/identity.d.ts.map +1 -1
package/dist/types/identity.js +3 -2
package/dist/types/identity.js.map +1 -1
package/dist/types/index.d.ts +5 -0
package/dist/types/index.d.ts.map +1 -1
package/dist/types/index.js +5 -0
package/dist/types/index.js.map +1 -1
package/dist/utils/capitalize.d.ts +5 -0
package/dist/utils/capitalize.d.ts.map +1 -1
package/dist/utils/capitalize.js +5 -0
package/dist/utils/capitalize.js.map +1 -1
package/dist/utils/fipsMailExtra.d.ts +30 -0
package/dist/utils/fipsMailExtra.d.ts.map +1 -0
package/dist/utils/fipsMailExtra.js +114 -0
package/dist/utils/fipsMailExtra.js.map +1 -0
package/dist/utils/formatBytes.d.ts +5 -0
package/dist/utils/formatBytes.d.ts.map +1 -1
package/dist/utils/formatBytes.js +5 -0
package/dist/utils/formatBytes.js.map +1 -1
package/dist/utils/resolveAtRestAesKey.d.ts +13 -0
package/dist/utils/resolveAtRestAesKey.d.ts.map +1 -0
package/dist/utils/resolveAtRestAesKey.js +26 -0
package/dist/utils/resolveAtRestAesKey.js.map +1 -0
package/dist/utils/sqlSessionToCrypto.d.ts +5 -0
package/dist/utils/sqlSessionToCrypto.d.ts.map +1 -1
package/dist/utils/sqlSessionToCrypto.js +5 -0
package/dist/utils/sqlSessionToCrypto.js.map +1 -1
package/dist/utils/uint8uuid.d.ts +5 -0
package/dist/utils/uint8uuid.d.ts.map +1 -1
package/dist/utils/uint8uuid.js +5 -0
package/dist/utils/uint8uuid.js.map +1 -1
package/package.json +10 -3
package/src/Client.ts +1281 -642
package/src/Storage.ts +6 -0
package/src/__tests__/codec.test.ts +6 -0
package/src/__tests__/harness/fixtures.ts +6 -0
package/src/__tests__/harness/memory-storage.ts +72 -52
package/src/__tests__/harness/platform-transports.ts +6 -0
package/src/__tests__/harness/poison-node-imports.ts +6 -0
package/src/__tests__/harness/shared-suite.ts +288 -124
package/src/__tests__/platform-browser.test.ts +15 -1
package/src/__tests__/platform-node.test.ts +17 -3
package/src/codec.ts +21 -8
package/src/codecs.ts +6 -0
package/src/index.ts +6 -0
package/src/keystore/memory.ts +6 -0
package/src/keystore/node.ts +27 -13
package/src/preset/common.ts +6 -0
package/src/preset/node.ts +14 -1
package/src/preset/test.ts +14 -1
package/src/storage/node/http-agents.ts +6 -0
package/src/storage/node.ts +11 -4
package/src/storage/schema.ts +6 -0
package/src/storage/sqlite.ts +208 -135
package/src/transport/types.ts +6 -0
package/src/transport/websocket.ts +6 -0
package/src/types/crypto.ts +6 -0
package/src/types/identity.ts +6 -0
package/src/types/index.ts +6 -0
package/src/utils/capitalize.ts +6 -0
package/src/utils/fipsMailExtra.ts +164 -0
package/src/utils/formatBytes.ts +6 -0
package/src/utils/resolveAtRestAesKey.ts +39 -0
package/src/utils/sqlSessionToCrypto.ts +6 -0
package/src/utils/uint8uuid.ts +6 -0

package/src/__tests__/harness/shared-suite.ts CHANGED Viewed

@@ -1,17 +1,178 @@
+/**
+ * Copyright (c) 2020-2026 Vex Heavy Industries LLC
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ * Commercial licenses available at vex.wtf
+ */
 /**
  * Shared integration test body. Called by each platform entry file
  * with a different adapter factory.
  *
  * Runs register → login → connect → send/receive DM against a real spire.
+ *
+ * **Vitest e2e only** — the published `Client` does not read the environment;
+ * app code passes `ClientOptions` (`host`, `devApiKey`, `cryptoProfile`, …).
+ * These `process.env` values are for running **this** repo’s platform tests
+ * (shell, CI, or your own env injection — not a “libvex .env” contract).
+ * - `API_URL` — Spire base, e.g. `http://127.0.0.1:16777` or `host:port` (http assumed).
+ *   When set, `beforeAll` reads `GET …/status` `cryptoProfile` and **sets the
+ *   test process to match** (so a FIPS Spire does not require a separate client flag).
+ *   A post-check then fails if the client and server still disagree.
+ * - `DEV_API_KEY` — must match the Spire `DEV_API_KEY` so the client can send
+ *   `x-dev-api-key` and avoid dev rate limits.
+ * - `LIBVEX_E2E_SKIP_STATUS_CHECK=1` — opt out of the /status profile read + check
+ *   (e.g. older Spire). Then `LIBVEX_E2E_CRYPTO` or default tweetnacl is used.
+ * - `LIBVEX_E2E_CRYPTO` — optional override: `fips` | `tweetnacl` (wins over auto
+ *   detect from /status; use to force a profile when you know what you need).
+ * - `LIBVEX_DEBUG_DM=1` — logs DM/X3dh paths in `Client` to stderr (remove / gate off when done).
  */
 import type { ClientOptions, Message } from "../../index.js";
 import type { Storage } from "../../Storage.js";
+import { getCryptoProfile, setCryptoProfile } from "@vex-chat/crypto";
+import { isAxiosError } from "axios";
 import { Client } from "../../index.js";
 import { testFile, testImage } from "./fixtures.js";
+/**
+ * `GET` `{API_URL or http://}{host}/status` — used for crypto profile preflight
+ * (must match `getCryptoProfile()` when running e2e against a custom Spire).
+ */
+function spireStatusUrlFromEnv(): null | string {
+    const raw = process.env["API_URL"]?.trim();
+    if (raw === undefined || raw.length === 0) {
+        return null;
+    }
+    if (/^https?:\/\//i.test(raw)) {
+        const u = new URL(raw);
+        return `${u.protocol}//${u.host}/status`;
+    }
+    return `http://${raw}/status`;
+}
+/** `LIBVEX_E2E_CRYPTO` only — used when status auto-detect is skipped. */
+function e2eCryptoProfileFromEnvOnly(): "fips" | "tweetnacl" {
+    const v = process.env["LIBVEX_E2E_CRYPTO"]?.trim().toLowerCase();
+    if (v === "fips" || v === "p-256" || v === "p256") {
+        return "fips";
+    }
+    if (v === "tweetnacl" || v === "nacl" || v === "ed25519") {
+        return "tweetnacl";
+    }
+    return "tweetnacl";
+}
+/**
+ * Picks the signing profile for the suite: optional env override, else `GET` Spire
+ * `/status` when `API_URL` is set, else tweetnacl.
+ */
+async function resolveE2eCryptoProfile(): Promise<"fips" | "tweetnacl"> {
+    if (process.env["LIBVEX_E2E_SKIP_STATUS_CHECK"] === "1") {
+        return e2eCryptoProfileFromEnvOnly();
+    }
+    const v = process.env["LIBVEX_E2E_CRYPTO"]?.trim().toLowerCase();
+    if (v === "fips" || v === "p-256" || v === "p256") {
+        return "fips";
+    }
+    if (v === "tweetnacl" || v === "nacl" || v === "ed25519") {
+        return "tweetnacl";
+    }
+    if (v !== undefined && v.length > 0) {
+        throw new Error(
+            `libvex e2e: invalid LIBVEX_E2E_CRYPTO=${JSON.stringify(v)}. Use fips, tweetnacl, or leave unset to auto-detect from Spire /status`,
+        );
+    }
+    const url = spireStatusUrlFromEnv();
+    if (url === null) {
+        return "tweetnacl";
+    }
+    let res: Response;
+    try {
+        res = await fetch(url, { method: "GET" });
+    } catch {
+        return "tweetnacl";
+    }
+    if (!res.ok) {
+        return "tweetnacl";
+    }
+    const data: unknown = await res.json();
+    if (
+        typeof data !== "object" ||
+        data === null ||
+        !("cryptoProfile" in data)
+    ) {
+        return "tweetnacl";
+    }
+    const cp = (data as { cryptoProfile: unknown }).cryptoProfile;
+    if (cp === "fips" || cp === "tweetnacl") {
+        return cp;
+    }
+    return "tweetnacl";
+}
+function e2eClientOptionsBase(): ClientOptions {
+    return {
+        inMemoryDb: true,
+        ...apiUrlOverrideFromEnv(),
+        cryptoProfile: getCryptoProfile(),
+    };
+}
+async function e2eGenerateSecretKey(): Promise<string> {
+    return await Client.generateSecretKeyAsync();
+}
+async function assertSpireCryptoProfileMatchesTest(): Promise<void> {
+    if (process.env["LIBVEX_E2E_SKIP_STATUS_CHECK"] === "1") {
+        return;
+    }
+    const url = spireStatusUrlFromEnv();
+    if (url === null) {
+        return;
+    }
+    const want = getCryptoProfile();
+    let res: Response;
+    try {
+        res = await fetch(url, { method: "GET" });
+    } catch (e: unknown) {
+        const msg = e instanceof Error ? e.message : String(e);
+        throw new Error(
+            `libvex e2e: could not GET ${url} (check API_URL; is Spire running?): ${msg}`,
+        );
+    }
+    if (!res.ok) {
+        throw new Error(
+            `libvex e2e: ${url} returned HTTP ${String(res.status)} — Spire not reachable on this base URL?`,
+        );
+    }
+    const data: unknown = await res.json();
+    if (
+        typeof data !== "object" ||
+        data === null ||
+        !("cryptoProfile" in data) ||
+        typeof (data as { cryptoProfile: unknown }).cryptoProfile !== "string"
+    ) {
+        throw new Error(
+            `libvex e2e: Spire /status is missing a string "cryptoProfile" (upgrade Spire) or set LIBVEX_E2E_SKIP_STATUS_CHECK=1 to skip this check`,
+        );
+    }
+    const gotStr = (data as { cryptoProfile: string }).cryptoProfile;
+    if (gotStr !== "fips" && gotStr !== "tweetnacl") {
+        throw new Error(
+            `libvex e2e: Spire /status cryptoProfile is not fips|tweetnacl: ${gotStr}`,
+        );
+    }
+    if (gotStr !== want) {
+        throw new Error(
+            `libvex e2e: Spire is cryptoProfile=${gotStr} (see SPIRE_FIPS + SPK) but this test has getCryptoProfile()=${want}. Use matching keys/scripts (gen-spk.js vs gen-spk-fips.js) and the same mode on client and server.`,
+        );
+    }
+}
 export function platformSuite(
     platformName: string,
     makeStorage: (SK: string, opts: ClientOptions) => Promise<Storage>,
@@ -22,14 +183,14 @@ export function platformSuite(
         const password = "platform-test-pw";
         beforeAll(async () => {
-            const SK = Client.generateSecretKey();
+            const profile = await resolveE2eCryptoProfile();
+            setCryptoProfile(profile);
+            const SK = await e2eGenerateSecretKey();
-            const opts: ClientOptions = {
-                inMemoryDb: true,
-                ...apiUrlOverrideFromEnv(),
-            };
+            const opts: ClientOptions = e2eClientOptionsBase();
             const storage = await makeStorage(SK, opts);
             client = await Client.create(SK, opts, storage);
+            await assertSpireCryptoProfileMatchesTest();
         });
         afterAll(async () => {
@@ -67,11 +228,8 @@ export function platformSuite(
         });
         test("two-user DM", async () => {
-            const SK2 = Client.generateSecretKey();
-            const opts2: ClientOptions = {
-                inMemoryDb: true,
-                ...apiUrlOverrideFromEnv(),
-            };
+            const SK2 = await e2eGenerateSecretKey();
+            const opts2: ClientOptions = e2eClientOptionsBase();
             const storage2 = await makeStorage(SK2, opts2);
             const client2 = await Client.create(SK2, opts2, storage2);
             const username2 = Client.randomUsername();
@@ -104,14 +262,12 @@ export function platformSuite(
         });
         test("group messaging in channel", async () => {
-            const SK2 = Client.generateSecretKey();
-            const opts2: ClientOptions = {
-                inMemoryDb: true,
-                ...apiUrlOverrideFromEnv(),
-            };
+            const SK2 = await e2eGenerateSecretKey();
+            const opts2: ClientOptions = e2eClientOptionsBase();
             const storage2 = await makeStorage(SK2, opts2);
             const client2 = await Client.create(SK2, opts2, storage2);
             const username2 = Client.randomUsername();
+            let serverIdForCleanup: string | undefined;
             try {
                 // Register + login + connect user2
@@ -120,8 +276,11 @@ export function platformSuite(
                 await connectAndWait(client2, "client2");
                 // user1 creates server + channel
-                const server = await client.servers.create("test-server");
+                const server = await withTransientRetry(() =>
+                    client.servers.create("test-server"),
+                );
                 expect(server).toBeTruthy();
+                serverIdForCleanup = server.serverID;
                 const channels = await client.channels.retrieve(
                     server.serverID,
                 );
@@ -130,12 +289,13 @@ export function platformSuite(
                 if (!channel) throw new Error("No channel found");
                 // user1 creates invite, user2 redeems it
-                const invite = await client.invites.create(
-                    server.serverID,
-                    "1h",
+                const invite = await withTransientRetry(() =>
+                    client.invites.create(server.serverID, "1h"),
                 );
                 expect(invite).toBeTruthy();
-                await client2.invites.redeem(invite.inviteID);
+                await withTransientRetry(() =>
+                    client2.invites.redeem(invite.inviteID),
+                );
                 // user1 sends group message, user2 receives it
                 const msgPromise = waitForMessage(
@@ -147,13 +307,21 @@ export function platformSuite(
                     "group message receive",
                     15_000,
                 );
-                void client.messages.group(channel.channelID, "hello channel");
+                await withTransientRetry(() =>
+                    client.messages.group(channel.channelID, "hello channel"),
+                );
                 const msg = await msgPromise;
                 expect(msg.message).toBe("hello channel");
                 // Cleanup
                 await client.servers.delete(server.serverID);
+                serverIdForCleanup = undefined;
             } finally {
+                if (serverIdForCleanup) {
+                    await client.servers
+                        .delete(serverIdForCleanup)
+                        .catch(() => {});
+                }
                 await client2.close().catch(() => {});
             }
         });
@@ -163,10 +331,7 @@ export function platformSuite(
             // device key, authenticate without password.
             const deviceKey = client.getKeys().private;
             const deviceID = client.me.device().deviceID;
-            const opts2: ClientOptions = {
-                inMemoryDb: true,
-                ...apiUrlOverrideFromEnv(),
-            };
+            const opts2: ClientOptions = e2eClientOptionsBase();
             const storage2 = await makeStorage(deviceKey, opts2);
             const client2 = await Client.create(deviceKey, opts2, storage2);
@@ -185,8 +350,8 @@ export function platformSuite(
         });
         test("server CRUD", async () => {
-            const permissions = await client.permissions.retrieve();
-            expect(permissions).toEqual([]);
+            // Do not assert permissions start empty: earlier tests in this sequential
+            // suite (or a partially cleaned server from a flaky run) may leave rows.
             const server = await client.servers.create("Test Server");
             const serverList = await client.servers.retrieve();
@@ -226,13 +391,30 @@ export function platformSuite(
         });
         test("invite create + redeem", async () => {
-            const server = await client.servers.create("Invite Test Server");
-            const invite = await client.invites.create(server.serverID, "1h");
-            expect(invite).toBeTruthy();
-            expect(invite.serverID).toBe(server.serverID);
+            let serverIdForCleanup: string | undefined;
+            try {
+                const server = await withTransientRetry(() =>
+                    client.servers.create("Invite Test Server"),
+                );
+                serverIdForCleanup = server.serverID;
+                const invite = await withTransientRetry(() =>
+                    client.invites.create(server.serverID, "1h"),
+                );
+                expect(invite).toBeTruthy();
+                expect(invite.serverID).toBe(server.serverID);
-            await client.invites.redeem(invite.inviteID);
-            await client.servers.delete(server.serverID);
+                await withTransientRetry(() =>
+                    client.invites.redeem(invite.inviteID),
+                );
+                await client.servers.delete(server.serverID);
+                serverIdForCleanup = undefined;
+            } finally {
+                if (serverIdForCleanup) {
+                    await client.servers
+                        .delete(serverIdForCleanup)
+                        .catch(() => {});
+                }
+            }
         });
         test("message history retrieve + delete", async () => {
@@ -255,91 +437,6 @@ export function platformSuite(
             expect(afterDelete.length).toBe(0);
         });
-        // TODO: multi-device fan-out requires sender to query fresh device
-        // list before sending. Currently the sender caches one device and
-        // the message only reaches device1.
-        test.todo("multi-device message sync", async () => {
-            const SK2 = Client.generateSecretKey();
-            const opts2: ClientOptions = {
-                inMemoryDb: true,
-                ...apiUrlOverrideFromEnv(),
-            };
-            const storage2 = await makeStorage(SK2, opts2);
-            const device2 = await Client.create(SK2, opts2, storage2);
-            // Sender: separate user
-            const SK3 = Client.generateSecretKey();
-            const opts3: ClientOptions = {
-                inMemoryDb: true,
-                ...apiUrlOverrideFromEnv(),
-            };
-            const storage3 = await makeStorage(SK3, opts3);
-            const sender = await Client.create(SK3, opts3, storage3);
-            const senderName = Client.randomUsername();
-            try {
-                // Register device2 under same account
-                await device2.login(username, password);
-                await connectAndWait(device2, "device2");
-                // Register + connect sender
-                await sender.register(senderName, "sender-pw");
-                await sender.login(senderName, "sender-pw");
-                await connectAndWait(sender, "sender");
-                const targetUserID = client.me.user().userID;
-                // Both devices listen for the incoming DM
-                const received = { device1: false, device2: false };
-                const waitForBoth = new Promise<void>((resolve, reject) => {
-                    const timer = setTimeout(() => {
-                        reject(
-                            new Error(
-                                `multi-device sync timed out (d1=${String(received.device1)}, d2=${String(received.device2)})`,
-                            ),
-                        );
-                    }, 15_000);
-                    const check = () => {
-                        if (received.device1 && received.device2) {
-                            clearTimeout(timer);
-                            resolve();
-                        }
-                    };
-                    client.on("message", (msg: Message) => {
-                        if (
-                            msg.direction === "incoming" &&
-                            msg.decrypted &&
-                            msg.message === "sync-test"
-                        ) {
-                            received.device1 = true;
-                            check();
-                        }
-                    });
-                    device2.on("message", (msg: Message) => {
-                        if (
-                            msg.direction === "incoming" &&
-                            msg.decrypted &&
-                            msg.message === "sync-test"
-                        ) {
-                            received.device2 = true;
-                            check();
-                        }
-                    });
-                });
-                void sender.messages.send(targetUserID, "sync-test");
-                await waitForBoth;
-                expect(received.device1).toBe(true);
-                expect(received.device2).toBe(true);
-            } finally {
-                await device2.close().catch(() => {});
-                await sender.close().catch(() => {});
-            }
-        });
         test("file upload + download", async () => {
             const [details, key] = await client.files.create(testFile);
             expect(details.fileID).toBeTruthy();
@@ -372,16 +469,83 @@ export function platformSuite(
 }
 function apiUrlOverrideFromEnv():
-    | Pick<ClientOptions, "host" | "unsafeHttp">
+    | Pick<ClientOptions, "host" | "unsafeHttp" | "devApiKey">
     | undefined {
     const raw = process.env["API_URL"]?.trim();
-    if (!raw) return undefined;
-    if (/^https?:\/\//i.test(raw)) {
-        const u = new URL(raw);
-        return { host: u.host, unsafeHttp: u.protocol === "http:" };
+    const devKey = process.env["DEV_API_KEY"]?.trim();
+    if (!raw && (devKey === undefined || devKey.length === 0)) {
+        return undefined;
+    }
+    const fromUrl = (s: string): Pick<ClientOptions, "host" | "unsafeHttp"> => {
+        if (/^https?:\/\//i.test(s)) {
+            const u = new URL(s);
+            return { host: u.host, unsafeHttp: u.protocol === "http:" };
+        }
+        return { host: s, unsafeHttp: true };
+    };
+    if (!raw) {
+        return devKey !== undefined && devKey.length > 0
+            ? { devApiKey: devKey }
+            : undefined;
+    }
+    return {
+        ...fromUrl(raw),
+        ...(devKey !== undefined && devKey.length > 0
+            ? { devApiKey: devKey }
+            : {}),
+    };
+}
+/** Shared staging / CI proxies sometimes return 502; retry a few times. */
+async function withTransientRetry<T>(fn: () => Promise<T>): Promise<T> {
+    const attempts = 4;
+    let last: unknown;
+    for (let i = 0; i < attempts; i++) {
+        try {
+            return await fn();
+        } catch (e) {
+            last = e;
+            const transient =
+                isAxiosError(e) &&
+                (e.response?.status === 502 || e.response?.status === 503);
+            if (transient && i < attempts - 1) {
+                await new Promise((r) => setTimeout(r, 400 * (i + 1)));
+                continue;
+            }
+            throw e;
+        }
+    }
+    throw last;
+}
+/*
+type ClientE2EInternals = { getMail(): Promise<void> };
+type ClientE2EDeviceList = {
+    fetchUserDeviceListOnce(userID: string): Promise<{ deviceID: string }[]>;
+};
+async function e2eWaitForPeerDeviceCount(
+    c: Client,
+    userID: string,
+    min: number,
+    totalMs: number,
+): Promise<void> {
+    const t0 = Date.now();
+    const f = c as unknown as ClientE2EDeviceList;
+    for (;;) {
+        if (Date.now() - t0 > totalMs) {
+            throw new Error(
+                `e2e: still fewer than ${String(min)} device(s) for user after ${String(totalMs)}ms`,
+            );
+        }
+        const list = await f.fetchUserDeviceListOnce(userID);
+        if (list.length >= min) {
+            return;
+        }
+        await new Promise((r) => setTimeout(r, 200));
     }
-    return { host: raw, unsafeHttp: true };
 }
+*/
 function connectAndWait(
     c: Client,

package/src/__tests__/platform-browser.test.ts CHANGED Viewed

@@ -1,5 +1,15 @@
+/**
+ * Copyright (c) 2020-2026 Vex Heavy Industries LLC
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ * Commercial licenses available at vex.wtf
+ */
 import type { ClientOptions } from "../index.js";
+import { getCryptoProfile } from "@vex-chat/crypto";
+import { resolveAtRestAesKeyFromSignKeyHex } from "../utils/resolveAtRestAesKey.js";
 import { MemoryStorage } from "./harness/memory-storage.js";
 // Browser platform test — covers Tauri, Expo/RN, and web.
 // Runs with the poison plugin (vitest.config.browser.ts) which catches
@@ -8,7 +18,11 @@ import { MemoryStorage } from "./harness/memory-storage.js";
 import { platformSuite } from "./harness/shared-suite.js";
 platformSuite("browser", async (SK: string, _opts: ClientOptions) => {
-    const storage = new MemoryStorage(SK);
+    const atRest = await resolveAtRestAesKeyFromSignKeyHex(
+        SK,
+        getCryptoProfile(),
+    );
+    const storage = new MemoryStorage(atRest);
     await storage.init();
     return storage;
 });

package/src/__tests__/platform-node.test.ts CHANGED Viewed

@@ -1,9 +1,23 @@
+/**
+ * Copyright (c) 2020-2026 Vex Heavy Industries LLC
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ * Commercial licenses available at vex.wtf
+ */
 import type { ClientOptions } from "../index.js";
+import { getCryptoProfile } from "@vex-chat/crypto";
 import { createNodeStorage } from "../storage/node.js";
+import { resolveAtRestAesKeyFromSignKeyHex } from "../utils/resolveAtRestAesKey.js";
 import { platformSuite } from "./harness/shared-suite.js";
-platformSuite("node", (SK: string, _opts: ClientOptions) =>
-    Promise.resolve(createNodeStorage(":memory:", SK)),
-);
+// Profile is set in shared-suite `beforeAll` (see `LIBVEX_E2E_CRYPTO`).
+platformSuite("node", async (SK: string, _opts: ClientOptions) => {
+    const atRest = await resolveAtRestAesKeyFromSignKeyHex(
+        SK,
+        getCryptoProfile(),
+    );
+    return createNodeStorage(":memory:", atRest);
+});

package/src/codec.ts CHANGED Viewed

@@ -1,3 +1,9 @@
+/**
+ * Copyright (c) 2020-2026 Vex Heavy Industries LLC
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ * Commercial licenses available at vex.wtf
+ */
 /**
  * Type-safe codec factory for msgpack encode/decode with optional Zod validation.
  *
@@ -28,24 +34,25 @@ export function createCodec<T extends z.ZodType>(schema: T) {
     type Msg = z.infer<T>;
     return {
         /** Decode msgpack data and validate against the schema. */
-        decode: (data: Uint8Array): Msg => schema.parse(decode(data)) as Msg,
+        decode: (data: Uint8Array): Msg =>
+            schema.parse(msgpackDecode(data)) as Msg,
         /** Alias for decode — both paths validate. Kept for API compat. */
         decodeSafe: (data: Uint8Array): Msg =>
-            schema.parse(decode(data)) as Msg,
+            schema.parse(msgpackDecode(data)) as Msg,
         /** Encode to msgpack. */
-        encode: (msg: Msg): Uint8Array => encode(msg),
+        encode: (msg: Msg): Uint8Array => msgpackEncode(msg),
         /** Validate against the schema, then encode to msgpack. */
         encodeSafe: (msg: Msg): Uint8Array => {
             schema.parse(msg);
-            return encode(msg);
+            return msgpackEncode(msg);
         },
     };
 }
-function decode(data: Uint8Array): unknown {
+function msgpackDecode(data: Uint8Array): unknown {
     return _packr.decode(data) as unknown;
 }
@@ -54,7 +61,7 @@ function decode(data: Uint8Array): unknown {
  * (not a subarray of the internal pool buffer) to avoid browser
  * XMLHttpRequest.send() corruption (axios issue #4068).
  */
-function encode(value: unknown): Uint8Array {
+function msgpackEncode(value: unknown): Uint8Array {
     const packed = _packr.encode(value);
     return new Uint8Array(
         packed.buffer.slice(
@@ -64,5 +71,11 @@ function encode(value: unknown): Uint8Array {
     );
 }
-/** Raw msgpack encode/decode without schema validation. */
-export const msgpack = { decode, encode };
+/**
+ * Raw msgpack encode/decode without schema validation.
+ * (Wrappers avoid API Extractor ae-forgotten-export on internal helpers.)
+ */
+export const msgpack = {
+    decode: (data: Uint8Array): unknown => msgpackDecode(data),
+    encode: (value: unknown): Uint8Array => msgpackEncode(value),
+};

package/src/codecs.ts CHANGED Viewed

@@ -1,3 +1,9 @@
+/**
+ * Copyright (c) 2020-2026 Vex Heavy Industries LLC
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ * Commercial licenses available at vex.wtf
+ */
 /**
  * Pre-built codec instances for every HTTP response type.
  *

package/src/index.ts CHANGED Viewed

@@ -1,3 +1,9 @@
+/**
+ * Copyright (c) 2020-2026 Vex Heavy Industries LLC
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ * Commercial licenses available at vex.wtf
+ */
 export { Client } from "./Client.js";
 export type {
     Channel,

package/src/keystore/memory.ts CHANGED Viewed

@@ -1,3 +1,9 @@
+/**
+ * Copyright (c) 2020-2026 Vex Heavy Industries LLC
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ * Commercial licenses available at vex.wtf
+ */
 /**
  * In-memory KeyStore for testing and ephemeral sessions.
  * No persistence — credentials are lost when the process exits.