@xtr-dev/rondevu-client 0.21.6 → 0.21.8

package/dist/core/index.d.ts

@@ -20,3 +20,4 @@ export { ICE_SERVER_PRESETS } from './ice-config.js';
 export type { RondevuOptions, OfferOptions, OfferHandle, DiscoverOptions, DiscoverResult, } from './rondevu.js';
 export type { PeerState, PeerOptions } from './peer.js';
 export type { IceServerPreset } from './ice-config.js';
+export type { KeyPair, CryptoAdapter } from '../crypto/adapter.js';

package/dist/core/offer-pool.d.ts

@@ -20,6 +20,12 @@ export interface OfferPoolOptions {
     webrtcAdapter: WebRTCAdapter;
     connectionConfig?: Partial<ConnectionConfig>;
     debugEnabled?: boolean;
+    /**
+     * Delay in milliseconds between creating each offer during pool filling.
+     * Helps avoid rate limiting when creating multiple offers.
+     * Default: 100ms
+     */
+    offerCreationThrottleMs?: number;
 }
 interface OfferPoolEvents {
     'connection:opened': (offerId: string, connection: OffererConnection, matchedTags?: string[]) => void;
@@ -44,6 +50,7 @@ export declare class OfferPool extends EventEmitter<OfferPoolEvents> {
     private readonly webrtcAdapter;
     private readonly connectionConfig?;
     private readonly debugEnabled;
+    private readonly offerCreationThrottleMs;
     private readonly activeConnections;
     private readonly matchedTagsByOffer;
     private readonly fillLock;

package/dist/core/offer-pool.js

@@ -25,6 +25,7 @@ export class OfferPool extends EventEmitter {
         this.iceTransportPolicy = options.iceTransportPolicy;
         this.connectionConfig = options.connectionConfig;
         this.debugEnabled = options.debugEnabled || false;
+        this.offerCreationThrottleMs = options.offerCreationThrottleMs ?? 100;
     }
     /**
      * Start filling offers
@@ -116,6 +117,10 @@ export class OfferPool extends EventEmitter {
             for (let i = 0; i < needed; i++) {
                 try {
                     await this.createOffer();
+                    // Throttle between offer creations to avoid rate limiting
+                    if (i < needed - 1 && this.offerCreationThrottleMs > 0) {
+                        await new Promise(resolve => setTimeout(resolve, this.offerCreationThrottleMs));
+                    }
                 }
                 catch (err) {
                     console.error('[OfferPool] Failed to create offer:', err);

package/dist/core/rondevu-types.d.ts

@@ -59,6 +59,8 @@ export interface OfferOptions {
     connectionConfig?: Partial<ConnectionConfig>;
     /** Auto-start filling offers (default: true). Set to false to manually call startFilling() */
     autoStart?: boolean;
+    /** Delay in ms between creating each offer during pool filling (default: 100). Helps avoid rate limiting. */
+    offerCreationThrottleMs?: number;
 }
 /**
  * Handle returned by rondevu.offer() for controlling the offer lifecycle

package/dist/core/rondevu.d.ts

@@ -1,4 +1,5 @@
 import { KeyPair, IceCandidate } from '../api/client.js';
+import { CryptoAdapter } from '../crypto/adapter.js';
 import { WebRTCAdapter } from '../webrtc/adapter.js';
 import { EventEmitter } from 'eventemitter3';
 import { OffererConnection } from '../connections/offerer.js';
@@ -111,6 +112,11 @@ export declare class Rondevu extends EventEmitter {
      * Used internally by offer pool and connections
      */
     getWebRTCAdapter(): WebRTCAdapter;
+    /**
+     * Get the crypto adapter for signing/verification operations
+     * Used for meta.json signing and other crypto operations
+     */
+    getCryptoAdapter(): CryptoAdapter;
     /**
      * Default offer factory - creates a simple data channel connection
      * The RTCPeerConnection is created by Rondevu and passed in

package/dist/core/rondevu.js

@@ -1,4 +1,5 @@
 import { RondevuAPI } from '../api/client.js';
+import { WebCryptoAdapter } from '../crypto/web.js';
 import { BrowserWebRTCAdapter } from '../webrtc/browser.js';
 import { EventEmitter } from 'eventemitter3';
 import { OfferPool } from './offer-pool.js';
@@ -122,12 +123,14 @@ export class Rondevu extends EventEmitter {
                 iceTransportPolicy: iceConfig.iceTransportPolicy || 'all',
             });
         }
+        // Ensure crypto adapter is available (default to WebCryptoAdapter for browser)
+        const cryptoAdapter = options.cryptoAdapter || new WebCryptoAdapter();
         // Generate keypair if not provided (purely client-side, no server registration)
         let keyPair = options.keyPair;
         if (!keyPair) {
             if (options.debug)
                 console.log('[Rondevu] Generating new keypair...');
-            keyPair = await RondevuAPI.generateKeyPair(options.cryptoAdapter);
+            keyPair = await cryptoAdapter.generateKeyPair();
             if (options.debug)
                 console.log('[Rondevu] Generated keypair, public key:', keyPair.publicKey);
         }
@@ -136,10 +139,10 @@ export class Rondevu extends EventEmitter {
                 console.log('[Rondevu] Using existing keypair, public key:', keyPair.publicKey);
         }
         // Create API instance
-        const api = new RondevuAPI(apiUrl, keyPair, options.cryptoAdapter);
+        const api = new RondevuAPI(apiUrl, keyPair, cryptoAdapter);
         if (options.debug)
             console.log('[Rondevu] Created API instance');
-        return new Rondevu(apiUrl, keyPair, api, iceConfig.iceServers || [], iceConfig.iceTransportPolicy, webrtcAdapter, options.cryptoAdapter, options.debug || false);
+        return new Rondevu(apiUrl, keyPair, api, iceConfig.iceServers || [], iceConfig.iceTransportPolicy, webrtcAdapter, cryptoAdapter, options.debug || false);
     }
     // ============================================
     // Identity Access
@@ -170,6 +173,16 @@ export class Rondevu extends EventEmitter {
     getWebRTCAdapter() {
         return this.webrtcAdapter;
     }
+    /**
+     * Get the crypto adapter for signing/verification operations
+     * Used for meta.json signing and other crypto operations
+     */
+    getCryptoAdapter() {
+        if (!this.cryptoAdapter) {
+            throw new Error('Crypto adapter not available');
+        }
+        return this.cryptoAdapter;
+    }
     // ============================================
     // Service Publishing
     // ============================================
@@ -202,7 +215,7 @@ export class Rondevu extends EventEmitter {
      * ```
      */
     async offer(options) {
-        const { tags, maxOffers, offerFactory, ttl, connectionConfig, autoStart = true } = options;
+        const { tags, maxOffers, offerFactory, ttl, connectionConfig, autoStart = true, offerCreationThrottleMs, } = options;
         this.currentTags = tags;
         this.connectionConfig = connectionConfig;
         this.debug(`Creating offers with tags: ${tags.join(', ')} with maxOffers: ${maxOffers}`);
@@ -219,6 +232,7 @@ export class Rondevu extends EventEmitter {
             webrtcAdapter: this.webrtcAdapter,
             connectionConfig,
             debugEnabled: this.debugEnabled,
+            offerCreationThrottleMs,
         });
         // Forward events from OfferPool
         this.offerPool.on('connection:opened', (offerId, connection, matchedTags) => {

package/dist/meta.d.ts

@@ -0,0 +1,221 @@
+/**
+ * meta.json format for authenticated torrent metadata
+ *
+ * Provides cryptographic proof of authorship using Ed25519 signatures.
+ * Supports extensible metadata for audio, video, image, and document files.
+ */
+import { CryptoAdapter, KeyPair } from './crypto/adapter.js';
+/**
+ * Root meta.json structure
+ */
+export interface TorrentMeta {
+    version: string;
+    infohash?: string;
+    created: number;
+    title: string;
+    description?: string;
+    files: MetaFile[];
+    authors: MetaAuthor[];
+    extensions?: MetaExtensions;
+}
+/**
+ * File entry with optional per-file metadata
+ */
+export interface MetaFile {
+    path: string;
+    size: number;
+    type?: string;
+    sha256?: string;
+    role?: FileRole;
+    meta?: FileMetaExtensions;
+}
+/**
+ * Special file roles for cover art, thumbnails, etc.
+ */
+export type FileRole = 'cover' | 'thumbnail' | 'preview' | 'lyrics' | 'subtitles';
+/**
+ * Author entry with signature
+ */
+export interface MetaAuthor {
+    publicKey: string;
+    role?: AuthorRole;
+    signedAt: number;
+    signature: string;
+}
+/**
+ * Author roles
+ */
+export type AuthorRole = 'creator' | 'co-author' | 'endorser';
+/**
+ * Torrent-level metadata extensions
+ */
+export interface MetaExtensions {
+    audio?: AudioMeta;
+    video?: VideoMeta;
+    image?: ImageMeta;
+    document?: DocumentMeta;
+}
+/**
+ * Per-file metadata extensions
+ */
+export interface FileMetaExtensions {
+    audio?: AudioFileMeta;
+    video?: VideoMeta;
+    image?: ImageMeta;
+    document?: DocumentMeta;
+}
+/**
+ * Audio metadata (torrent-level, e.g., album info)
+ */
+export interface AudioMeta {
+    artist?: string;
+    album?: string;
+    genre?: string;
+    year?: number;
+    totalTracks?: number;
+}
+/**
+ * Audio metadata (file-level, e.g., track info)
+ */
+export interface AudioFileMeta {
+    title?: string;
+    track?: number;
+    duration?: number;
+    artist?: string;
+    bpm?: number;
+}
+/**
+ * Video metadata
+ */
+export interface VideoMeta {
+    duration?: number;
+    width?: number;
+    height?: number;
+    codec?: string;
+    framerate?: number;
+    bitrate?: number;
+}
+/**
+ * Image metadata
+ */
+export interface ImageMeta {
+    width?: number;
+    height?: number;
+    format?: string;
+    camera?: string;
+    takenAt?: number;
+    gps?: {
+        lat: number;
+        lon: number;
+    };
+}
+/**
+ * Document metadata
+ */
+export interface DocumentMeta {
+    pages?: number;
+    author?: string;
+    language?: string;
+    format?: string;
+}
+/**
+ * The canonical payload that gets signed
+ * Includes author public keys to prevent fake co-author additions
+ * Note: infohash is optional because we may not know it before signing
+ * (torrent infohash includes meta.json, creating a chicken-egg problem)
+ * Content authenticity is ensured by sha256 hashes in the files array
+ */
+export interface SigningPayload {
+    created: number;
+    title: string;
+    files: MetaFile[];
+    authors: string[];
+    signedAt: number;
+}
+/**
+ * Canonicalize an object to JSON with sorted keys (deterministic)
+ * This ensures the same object always produces the same string for signing
+ */
+export declare function canonicalize(obj: unknown): string;
+/**
+ * Build the signing payload from meta.json data
+ */
+export declare function buildSigningPayload(meta: Pick<TorrentMeta, 'created' | 'title' | 'files'>, authorPublicKeys: string[], signedAt: number): SigningPayload;
+/**
+ * Sign a torrent meta.json
+ *
+ * @param crypto - Crypto adapter for signing
+ * @param keyPair - The signer's key pair
+ * @param meta - The meta.json data (without this author's signature)
+ * @param authorPublicKeys - All author public keys (including this signer)
+ * @param role - This author's role
+ * @returns MetaAuthor entry with signature
+ */
+export declare function signMeta(crypto: CryptoAdapter, keyPair: KeyPair, meta: Pick<TorrentMeta, 'created' | 'title' | 'files'>, authorPublicKeys: string[], role?: AuthorRole): Promise<MetaAuthor>;
+/**
+ * Verify a single author's signature
+ *
+ * @param crypto - Crypto adapter for verification
+ * @param meta - The meta.json data
+ * @param author - The author entry to verify
+ * @returns True if signature is valid
+ */
+export declare function verifyAuthorSignature(crypto: CryptoAdapter, meta: Pick<TorrentMeta, 'created' | 'title' | 'files' | 'authors'>, author: MetaAuthor): Promise<boolean>;
+/**
+ * Verify all author signatures in a meta.json
+ *
+ * @param crypto - Crypto adapter for verification
+ * @param meta - The complete meta.json
+ * @returns Object with verification results per author
+ */
+export declare function verifyMeta(crypto: CryptoAdapter, meta: TorrentMeta): Promise<{
+    valid: boolean;
+    results: Map<string, boolean>;
+}>;
+/**
+ * Create a complete meta.json with signatures from all authors
+ *
+ * @param crypto - Crypto adapter for signing
+ * @param options - Meta creation options
+ * @returns Complete TorrentMeta with all signatures
+ */
+export declare function createMeta(crypto: CryptoAdapter, options: {
+    title: string;
+    description?: string;
+    files: MetaFile[];
+    authors: Array<{
+        keyPair: KeyPair;
+        role?: AuthorRole;
+    }>;
+    extensions?: MetaExtensions;
+    infohash?: string;
+}): Promise<TorrentMeta>;
+/**
+ * Parse and validate a meta.json string
+ * Does NOT verify signatures - use verifyMeta for that
+ *
+ * @param json - JSON string to parse
+ * @returns Parsed TorrentMeta or null if invalid
+ */
+export declare function parseMeta(json: string): TorrentMeta | null;
+/**
+ * Find a file with a specific role (e.g., cover art)
+ */
+export declare function findFileByRole(meta: TorrentMeta, role: FileRole): MetaFile | undefined;
+/**
+ * Get the cover art file if present
+ */
+export declare function getCoverFile(meta: TorrentMeta): MetaFile | undefined;
+/**
+ * Compute SHA256 hash of a file (browser-compatible)
+ */
+export declare function computeFileSha256(file: File | Blob | ArrayBuffer): Promise<string>;
+/**
+ * Build MetaFile entries from File objects with SHA256 hashes
+ */
+export declare function buildMetaFiles(files: File[]): Promise<MetaFile[]>;
+/**
+ * Set the infohash on a TorrentMeta after torrent creation
+ * Note: This does NOT re-sign - infohash is informational only
+ */
+export declare function setInfohash(meta: TorrentMeta, infohash: string): TorrentMeta;

package/dist/meta.js

@@ -0,0 +1,213 @@
+/**
+ * meta.json format for authenticated torrent metadata
+ *
+ * Provides cryptographic proof of authorship using Ed25519 signatures.
+ * Supports extensible metadata for audio, video, image, and document files.
+ */
+// =============================================================================
+// Utility Functions
+// =============================================================================
+/**
+ * Canonicalize an object to JSON with sorted keys (deterministic)
+ * This ensures the same object always produces the same string for signing
+ */
+export function canonicalize(obj) {
+    return JSON.stringify(obj, (_, value) => {
+        if (value && typeof value === 'object' && !Array.isArray(value)) {
+            return Object.keys(value)
+                .sort()
+                .reduce((sorted, key) => {
+                sorted[key] = value[key];
+                return sorted;
+            }, {});
+        }
+        return value;
+    });
+}
+/**
+ * Build the signing payload from meta.json data
+ */
+export function buildSigningPayload(meta, authorPublicKeys, signedAt) {
+    return {
+        created: meta.created,
+        title: meta.title,
+        files: meta.files,
+        authors: authorPublicKeys,
+        signedAt
+    };
+}
+/**
+ * Sign a torrent meta.json
+ *
+ * @param crypto - Crypto adapter for signing
+ * @param keyPair - The signer's key pair
+ * @param meta - The meta.json data (without this author's signature)
+ * @param authorPublicKeys - All author public keys (including this signer)
+ * @param role - This author's role
+ * @returns MetaAuthor entry with signature
+ */
+export async function signMeta(crypto, keyPair, meta, authorPublicKeys, role) {
+    const signedAt = Date.now();
+    const payload = buildSigningPayload(meta, authorPublicKeys, signedAt);
+    const message = canonicalize(payload);
+    const signature = await crypto.signMessage(keyPair.privateKey, message);
+    return {
+        publicKey: keyPair.publicKey,
+        role,
+        signedAt,
+        signature
+    };
+}
+/**
+ * Verify a single author's signature
+ *
+ * @param crypto - Crypto adapter for verification
+ * @param meta - The meta.json data
+ * @param author - The author entry to verify
+ * @returns True if signature is valid
+ */
+export async function verifyAuthorSignature(crypto, meta, author) {
+    const authorPublicKeys = meta.authors.map(a => a.publicKey);
+    const payload = buildSigningPayload(meta, authorPublicKeys, author.signedAt);
+    const message = canonicalize(payload);
+    return crypto.verifySignature(author.publicKey, message, author.signature);
+}
+/**
+ * Verify all author signatures in a meta.json
+ *
+ * @param crypto - Crypto adapter for verification
+ * @param meta - The complete meta.json
+ * @returns Object with verification results per author
+ */
+export async function verifyMeta(crypto, meta) {
+    const results = new Map();
+    let allValid = true;
+    for (const author of meta.authors) {
+        const isValid = await verifyAuthorSignature(crypto, meta, author);
+        results.set(author.publicKey, isValid);
+        if (!isValid) {
+            allValid = false;
+        }
+    }
+    return { valid: allValid, results };
+}
+/**
+ * Create a complete meta.json with signatures from all authors
+ *
+ * @param crypto - Crypto adapter for signing
+ * @param options - Meta creation options
+ * @returns Complete TorrentMeta with all signatures
+ */
+export async function createMeta(crypto, options) {
+    const created = Date.now();
+    const authorPublicKeys = options.authors.map(a => a.keyPair.publicKey);
+    const baseMeta = {
+        created,
+        title: options.title,
+        files: options.files
+    };
+    // Sign with each author
+    const signedAuthors = [];
+    for (const { keyPair, role } of options.authors) {
+        const author = await signMeta(crypto, keyPair, baseMeta, authorPublicKeys, role);
+        signedAuthors.push(author);
+    }
+    const meta = {
+        version: '1',
+        created,
+        title: options.title,
+        files: options.files,
+        authors: signedAuthors,
+    };
+    if (options.infohash) {
+        meta.infohash = options.infohash;
+    }
+    if (options.description) {
+        meta.description = options.description;
+    }
+    if (options.extensions) {
+        meta.extensions = options.extensions;
+    }
+    return meta;
+}
+/**
+ * Parse and validate a meta.json string
+ * Does NOT verify signatures - use verifyMeta for that
+ *
+ * @param json - JSON string to parse
+ * @returns Parsed TorrentMeta or null if invalid
+ */
+export function parseMeta(json) {
+    try {
+        const data = JSON.parse(json);
+        // Basic validation
+        if (typeof data.version !== 'string')
+            return null;
+        // infohash is optional
+        if (data.infohash !== undefined && typeof data.infohash !== 'string')
+            return null;
+        if (typeof data.created !== 'number')
+            return null;
+        if (typeof data.title !== 'string')
+            return null;
+        if (!Array.isArray(data.files))
+            return null;
+        if (!Array.isArray(data.authors))
+            return null;
+        return data;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Find a file with a specific role (e.g., cover art)
+ */
+export function findFileByRole(meta, role) {
+    return meta.files.find(f => f.role === role);
+}
+/**
+ * Get the cover art file if present
+ */
+export function getCoverFile(meta) {
+    return findFileByRole(meta, 'cover');
+}
+/**
+ * Compute SHA256 hash of a file (browser-compatible)
+ */
+export async function computeFileSha256(file) {
+    let buffer;
+    if (file instanceof ArrayBuffer) {
+        buffer = file;
+    }
+    else {
+        buffer = await file.arrayBuffer();
+    }
+    const hashBuffer = await crypto.subtle.digest('SHA-256', buffer);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+}
+/**
+ * Build MetaFile entries from File objects with SHA256 hashes
+ */
+export async function buildMetaFiles(files) {
+    const metaFiles = [];
+    for (const file of files) {
+        const sha256 = await computeFileSha256(file);
+        const metaFile = {
+            path: file.name,
+            size: file.size,
+            type: file.type || undefined,
+            sha256
+        };
+        metaFiles.push(metaFile);
+    }
+    return metaFiles;
+}
+/**
+ * Set the infohash on a TorrentMeta after torrent creation
+ * Note: This does NOT re-sign - infohash is informational only
+ */
+export function setInfohash(meta, infohash) {
+    return { ...meta, infohash };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xtr-dev/rondevu-client",
-  "version": "0.21.6",
+  "version": "0.21.8",
   "description": "TypeScript client for Rondevu with durable WebRTC connections, automatic reconnection, and message queuing",
   "type": "module",
   "main": "dist/core/index.js",