solana-messenger-sdk 1.5.2 → 1.5.4

package/README.md

@@ -62,6 +62,97 @@ const messenger = new SolanaMessenger({
 await messenger.init(); // no filesystem access needed
 ```
 
+## Architecture: Keys & Roles
+
+Every user has **two separate keypairs**:
+
+| Key | Purpose | Who holds it |
+|-----|---------|-------------|
+| **Wallet key (A)** | Signs transactions | User, or custodial service (Privy, Turnkey) |
+| **Encryption key (B)** | Encrypts/decrypts messages | User's device only — never shared |
+
+`init()` generates key B, stores it locally (or accepts it via `encryptionKeypair` config), and registers the public part on-chain. Messages are encrypted with B — custodial services that hold A **cannot** read messages.
+
+### Who needs what
+
+| Role | Wallet key (A) | Encryption key (B) | Calls `init()`? |
+|------|:-:|:-:|:-:|
+| **End user** | ✅ | ✅ | Yes |
+| **Relayer / backend** | ❌ | ❌ | **No** |
+
+A **relayer** only forwards pre-signed transactions to the RPC — it doesn't instantiate `SolanaMessenger` or call `init()`. It just needs a Solana RPC connection:
+
+```typescript
+// Relayer — no SDK needed, just forward signed tx bytes
+import { Connection } from "@solana/web3.js";
+const conn = new Connection(rpcUrl);
+const sig = await conn.sendRawTransaction(signedTxBytes);
+```
+
+### Deployment Patterns
+
+#### 1. Client-Side (True E2E Encryption)
+
+Users hold their own encryption key B on-device. Server never sees plaintext. Maximum privacy.
+
+```
+User Device                          Solana
+├── Wallet key A (or Privy signer)   ├── EncryptionRegistry (pubkey B)
+├── Encryption key B (local)         ├── Messages (encrypted)
+├── SDK: encrypt → sign → send       └── Channels, Servers...
+└── SDK: read → decrypt → display
+```
+
+#### 2. Server-Managed (Slack/Discord Model)
+
+Server holds both keys per user. Handles all encryption/decryption, pushes plaintext to clients. Users trust the platform.
+
+```
+Server (Vercel, etc.)                Solana
+├── Per-user wallet key A (Privy)    ├── EncryptionRegistry (pubkey B)
+├── Per-user encryption key B (DB)   ├── Messages (encrypted)
+├── SDK: encrypt → sign → send       └── Channels, Servers...
+└── SDK: read → decrypt → push to client via WS/API
+```
+
+```typescript
+// First-time user setup
+const kp = SolanaMessenger.generateEncryptionKeypair();
+await db.users.update(userId, {
+  encryptionSecret: Buffer.from(kp.secretKey).toString("base64"),
+});
+
+// Per-request: create messenger for this user
+const messenger = new SolanaMessenger({
+  apiKey: process.env.HELIUS_API_KEY!,
+  walletAddress: user.walletAddress,
+  signer: async (tx) => await privy.signTransaction(user.id, tx),
+  encryptionKeypair: Buffer.from(user.encryptionSecret, "base64"),
+});
+await messenger.init();
+
+// Send on behalf of user
+await messenger.send(recipient, "hello from server");
+
+// Read, decrypt, push to client
+const messages = await messenger.read({ since: lastSeen });
+ws.send(JSON.stringify(messages)); // plaintext to client
+```
+
+> ⚠️ **Trust tradeoff:** In this model, the server can read all messages. E2E encryption protects data on-chain and in transit, but not from the platform operator. This is the same model as Slack, Discord, and most chat platforms.
+
+#### 3. Relayer Only (Gasless Transactions)
+
+Server just pays gas. Users handle their own encryption client-side. Server never sees keys or plaintext.
+
+```typescript
+// Relayer endpoint — no SDK, no keys
+app.post("/relay", async (req, res) => {
+  const sig = await conn.sendRawTransaction(req.body.signedTx);
+  res.json({ signature: sig });
+});
+```
+
 ## API
 
 ### Direct Messages

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "solana-messenger-sdk",
-  "version": "1.5.2",
+  "version": "1.5.4",
   "description": "TypeScript SDK for Solana Messenger — encrypted agent-to-agent messaging",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",