exochain-wasm 0.2.0-beta

ExoChain governance engine — WebAssembly bindings for Node.js
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
// Copyright 2026 Exochain Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at:
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0

//! Messaging bindings: X25519 key exchange, message encrypt/decrypt, death verification

use std::collections::BTreeMap;

use serde::Deserialize;
use wasm_bindgen::prelude::*;
use zeroize::Zeroizing;

use crate::serde_bridge::*;

const MAX_WASM_AUTHORIZED_TRUSTEES: usize = 1_024;

#[derive(Deserialize)]
struct WasmAuthorizedTrustee {
    did: String,
    public_key_hex: String,
}

/// Legacy X25519 key generation entrypoint.
///
/// This fails closed because the WASM bridge must not fabricate X25519 key
/// material internally.
#[wasm_bindgen]
pub fn wasm_generate_x25519_keypair() -> Result<JsValue, JsValue> {
    Err(JsValue::from_str(
        "X25519 key generation is disabled at the WASM boundary; use external key management and pass caller-supplied ephemeral material to wasm_prepare_encrypted_message",
    ))
}

/// Derive an X25519 public key from a secret key hex string.
/// Returns `{ public_key_hex }`.
#[wasm_bindgen]
pub fn wasm_x25519_public_from_secret(_secret_hex: &str) -> Result<JsValue, JsValue> {
    Err(JsValue::from_str(
        "raw X25519 secret public derivation is disabled at the WASM boundary; derive public keys in external key management before calling WASM",
    ))
}

/// Derive the public key for caller-managed X25519 material.
///
/// The bridge does not generate, persist, or export secret material. Browser or
/// service key management supplies the secret bytes explicitly and receives only
/// the corresponding public key.
#[wasm_bindgen]
pub fn wasm_caller_managed_x25519_public_from_secret(secret_hex: &str) -> Result<JsValue, JsValue> {
    let secret = exo_messaging::X25519SecretKey::from_hex(secret_hex)
        .map_err(|e| JsValue::from_str(&format!("invalid caller-managed X25519 secret: {e}")))?;
    let public = secret.public_key();
    to_js_value(&serde_json::json!({
        "public_key_hex": public.to_hex(),
    }))
}

/// Encrypt a message for a specific recipient (Lock & Send).
///
/// # Parameters
/// - `plaintext`: The message content (UTF-8 string)
/// - `content_type_json`: Content type as JSON string (e.g., `"\"Text\""`)
/// - `sender_did`: Sender's DID string
/// - `recipient_did`: Recipient's DID string
/// - `_legacy_sender_key_hex`: ignored; raw sender signing keys are refused
/// - `recipient_x25519_public_hex`: Recipient's X25519 public key (hex)
/// - `message_id`: Caller-supplied non-nil message UUID
/// - `created_physical_ms`: Caller-supplied non-zero HLC physical milliseconds
/// - `created_logical`: Caller-supplied HLC logical counter
/// - `release_on_death`: Whether to release after sender's death
/// - `release_delay_hours`: Hours to wait after death verification
///
/// # Returns
/// The encrypted envelope as JSON.
#[wasm_bindgen]
#[allow(clippy::too_many_arguments)]
// Mirrors `exo_messaging::compose::lock_and_send`; the WASM boundary
// cannot take Rust structs directly, so envelope metadata crosses as
// primitive fields and is validated before encryption.
pub fn wasm_encrypt_message(
    plaintext: &str,
    content_type_json: &str,
    sender_did: &str,
    recipient_did: &str,
    _legacy_sender_key_hex: &str,
    recipient_x25519_public_hex: &str,
    message_id: &str,
    created_physical_ms: u64,
    created_logical: u32,
    release_on_death: bool,
    release_delay_hours: u32,
) -> Result<JsValue, JsValue> {
    let _ = (
        plaintext,
        content_type_json,
        sender_did,
        recipient_did,
        recipient_x25519_public_hex,
        message_id,
        created_physical_ms,
        created_logical,
        release_on_death,
        release_delay_hours,
    );
    Err(JsValue::from_str(
        "raw Ed25519 sender signing is disabled at the WASM boundary; call wasm_prepare_encrypted_message with caller-supplied ephemeral X25519 material, sign externally, then call wasm_attach_message_signature",
    ))
}

/// Encrypt a message and return an unsigned envelope plus canonical signing bytes.
#[wasm_bindgen]
#[allow(clippy::too_many_arguments)]
pub fn wasm_prepare_encrypted_message(
    plaintext: &str,
    content_type_json: &str,
    sender_did: &str,
    recipient_did: &str,
    recipient_x25519_public_hex: &str,
    ephemeral_x25519_secret_hex: &str,
    message_id: &str,
    created_physical_ms: u64,
    created_logical: u32,
    release_on_death: bool,
    release_delay_hours: u32,
) -> Result<JsValue, JsValue> {
    let content_type: exo_messaging::ContentType = from_json_str(content_type_json)?;

    let sender = exo_core::Did::new(sender_did)
        .map_err(|e| JsValue::from_str(&format!("invalid sender DID: {e}")))?;
    let recipient = exo_core::Did::new(recipient_did)
        .map_err(|e| JsValue::from_str(&format!("invalid recipient DID: {e}")))?;

    let recipient_pub = exo_messaging::X25519PublicKey::from_hex(recipient_x25519_public_hex)
        .map_err(|e| JsValue::from_str(&format!("invalid recipient X25519 key: {e}")))?;
    let ephemeral_keypair =
        parse_x25519_keypair_hex("ephemeral X25519 secret", ephemeral_x25519_secret_hex)?;
    let message_uuid = uuid::Uuid::parse_str(message_id)
        .map_err(|e| JsValue::from_str(&format!("invalid message id: {e}")))?;
    let metadata = exo_messaging::ComposeMetadata::new(
        message_uuid,
        exo_core::Timestamp::new(created_physical_ms, created_logical),
    )
    .map_err(|e| JsValue::from_str(&format!("invalid envelope metadata: {e}")))?;

    let envelope = exo_messaging::prepare_envelope_for_signing_with_ephemeral(
        plaintext.as_bytes(),
        content_type,
        &sender,
        &recipient,
        &recipient_pub,
        &ephemeral_keypair,
        metadata,
        release_on_death,
        release_delay_hours,
    )
    .map_err(|e| JsValue::from_str(&format!("encryption failed: {e}")))?;
    let signing_payload = envelope
        .signing_payload()
        .map_err(|e| JsValue::from_str(&format!("signature payload failed: {e}")))?;

    to_js_value(&serde_json::json!({
        "envelope": envelope,
        "signing_payload_hex": hex::encode(signing_payload),
    }))
}

fn parse_x25519_keypair_hex(
    label: &str,
    secret_hex: &str,
) -> Result<exo_messaging::X25519KeyPair, JsValue> {
    let bytes = Zeroizing::new(
        hex::decode(secret_hex)
            .map_err(|e| JsValue::from_str(&format!("{label} must be hex: {e}")))?,
    );
    if bytes.len() != 32 {
        return Err(JsValue::from_str(&format!("{label} must be 32 bytes")));
    }
    let mut secret = Zeroizing::new([0u8; 32]);
    secret.copy_from_slice(bytes.as_slice());
    exo_messaging::X25519KeyPair::from_secret_bytes(*secret)
        .map_err(|e| JsValue::from_str(&format!("invalid {label}: {e}")))
}

/// Attach a caller-produced Ed25519 signature to a prepared encrypted envelope.
#[wasm_bindgen]
pub fn wasm_attach_message_signature(
    envelope_json: &str,
    sender_ed25519_public_hex: &str,
    signature_hex: &str,
) -> Result<JsValue, JsValue> {
    let envelope: exo_messaging::EncryptedEnvelope = from_json_str(envelope_json)?;
    let sender_public =
        parse_ed25519_public_key_hex("sender Ed25519 public key", sender_ed25519_public_hex)?;
    let signature = parse_ed25519_signature_hex("sender envelope signature", signature_hex)?;
    let envelope = exo_messaging::attach_verified_signature(envelope, signature, &sender_public)
        .map_err(|e| JsValue::from_str(&format!("signature attachment failed: {e}")))?;

    to_js_value(&envelope)
}

/// Decrypt an encrypted message envelope.
///
/// # Parameters
/// - `envelope_json`: The encrypted envelope as JSON string
/// - `recipient_x25519_secret_hex`: Recipient's X25519 secret key (hex)
/// - `sender_ed25519_public_hex`: Sender's Ed25519 public key (hex)
///
/// # Returns
/// `{ plaintext: string, content_type: string }`
#[wasm_bindgen]
pub fn wasm_decrypt_message(
    envelope_json: &str,
    recipient_x25519_secret_hex: &str,
    sender_ed25519_public_hex: &str,
) -> Result<JsValue, JsValue> {
    let envelope: exo_messaging::EncryptedEnvelope = from_json_str(envelope_json)?;

    let recipient_secret = exo_messaging::X25519SecretKey::from_hex(recipient_x25519_secret_hex)
        .map_err(|e| JsValue::from_str(&format!("invalid recipient secret: {e}")))?;

    let pk_bytes = hex::decode(sender_ed25519_public_hex)
        .map_err(|e| JsValue::from_str(&format!("invalid sender public key hex: {e}")))?;
    if pk_bytes.len() != 32 {
        return Err(JsValue::from_str(
            "sender Ed25519 public key must be 32 bytes",
        ));
    }
    let mut pk_arr = [0u8; 32];
    pk_arr.copy_from_slice(&pk_bytes);
    let sender_pk = exo_core::PublicKey::from_bytes(pk_arr);

    let plaintext = exo_messaging::unlock(&envelope, &recipient_secret, &sender_pk)
        .map_err(|e| JsValue::from_str(&format!("decryption failed: {e}")))?;

    let plaintext_str = String::from_utf8(plaintext)
        .map_err(|e| JsValue::from_str(&format!("plaintext is not valid UTF-8: {e}")))?;

    to_js_value(&serde_json::json!({
        "plaintext": plaintext_str,
        "content_type": envelope.content_type,
    }))
}

/// Verify the sender's signature on an encrypted envelope without decrypting.
#[wasm_bindgen]
pub fn wasm_verify_message_signature(
    envelope_json: &str,
    sender_ed25519_public_hex: &str,
) -> Result<bool, JsValue> {
    let envelope: exo_messaging::EncryptedEnvelope = from_json_str(envelope_json)?;

    let pk_bytes = hex::decode(sender_ed25519_public_hex)
        .map_err(|e| JsValue::from_str(&format!("invalid public key hex: {e}")))?;
    if pk_bytes.len() != 32 {
        return Err(JsValue::from_str("public key must be 32 bytes"));
    }
    let mut pk_arr = [0u8; 32];
    pk_arr.copy_from_slice(&pk_bytes);
    let sender_pk = exo_core::PublicKey::from_bytes(pk_arr);

    let signable = envelope
        .signing_payload()
        .map_err(|e| JsValue::from_str(&format!("signature payload failed: {e}")))?;
    Ok(exo_core::crypto::verify(
        &signable,
        &envelope.signature,
        &sender_pk,
    ))
}

fn parse_ed25519_public_key_hex(label: &str, value: &str) -> Result<exo_core::PublicKey, JsValue> {
    let bytes =
        hex::decode(value).map_err(|e| JsValue::from_str(&format!("invalid {label} hex: {e}")))?;
    if bytes.len() != 32 {
        return Err(JsValue::from_str(&format!("{label} must be 32 bytes")));
    }
    let mut arr = [0u8; 32];
    arr.copy_from_slice(&bytes);
    Ok(exo_core::PublicKey::from_bytes(arr))
}

fn parse_ed25519_signature_hex(label: &str, value: &str) -> Result<exo_core::Signature, JsValue> {
    let bytes =
        hex::decode(value).map_err(|e| JsValue::from_str(&format!("invalid {label} hex: {e}")))?;
    if bytes.len() != 64 {
        return Err(JsValue::from_str(&format!("{label} must be 64 bytes")));
    }
    let mut arr = [0u8; 64];
    arr.copy_from_slice(&bytes);
    Ok(exo_core::Signature::from_bytes(arr))
}

fn parse_authorized_trustees_json(
    authorized_trustees_json: &str,
) -> Result<BTreeMap<exo_core::Did, exo_core::PublicKey>, JsValue> {
    let trustees: Vec<WasmAuthorizedTrustee> = from_json_bounded_vec(
        authorized_trustees_json,
        "authorized trustees",
        MAX_WASM_AUTHORIZED_TRUSTEES,
    )?;
    let mut authorized = BTreeMap::new();
    for trustee in trustees {
        let did = exo_core::Did::new(&trustee.did)
            .map_err(|e| JsValue::from_str(&format!("invalid trustee DID: {e}")))?;
        let public_key =
            parse_ed25519_public_key_hex("trustee Ed25519 public key", &trustee.public_key_hex)?;
        if authorized.insert(did.clone(), public_key).is_some() {
            return Err(JsValue::from_str(&format!(
                "duplicate authorized trustee: {}",
                did.as_str()
            )));
        }
    }
    Ok(authorized)
}

/// Compute the canonical death-verification initial confirmation payload.
///
/// Returns the CBOR bytes that `initiated_by_did` signs before calling
/// [`wasm_death_verification_new`].
#[wasm_bindgen]
pub fn wasm_death_verification_initial_signing_payload(
    subject_did: &str,
    initiated_by_did: &str,
    required_confirmations: u8,
    authorized_trustees_json: &str,
    claim_nonce_hex: &str,
    created_physical_ms: u64,
    created_logical: u32,
) -> Result<Vec<u8>, JsValue> {
    let subject = exo_core::Did::new(subject_did)
        .map_err(|e| JsValue::from_str(&format!("invalid subject DID: {e}")))?;
    let initiator = exo_core::Did::new(initiated_by_did)
        .map_err(|e| JsValue::from_str(&format!("invalid initiator DID: {e}")))?;
    let authorized_trustees = parse_authorized_trustees_json(authorized_trustees_json)?;
    let claim_nonce = hex::decode(claim_nonce_hex)
        .map_err(|e| JsValue::from_str(&format!("invalid claim nonce hex: {e}")))?;
    let metadata = exo_messaging::death_trigger::DeathVerificationCreationMetadata::new(
        exo_core::Timestamp::new(created_physical_ms, created_logical),
    )
    .map_err(|e| JsValue::from_str(&format!("invalid death verification metadata: {e}")))?;

    exo_messaging::death_trigger::initial_confirmation_signing_payload(
        &subject,
        &initiator,
        required_confirmations,
        &authorized_trustees,
        &claim_nonce,
        &metadata.created_at,
    )
    .map_err(|e| JsValue::from_str(&format!("death verification signing payload failed: {e}")))
}

/// Create a new death verification request.
///
/// `authorized_trustees_json` must be an array of
/// `{ "did": "...", "public_key_hex": "..." }` objects. `claim_nonce_hex`
/// and `initiator_signature_hex` bind the initiator's first confirmation to
/// this claim instance.
/// Returns the verification state as JSON.
#[wasm_bindgen]
#[allow(clippy::too_many_arguments)]
// WASM cannot take Rust metadata structs directly, so the death-verification
// creation boundary exposes the HLC metadata as primitive fields and validates
// it before touching the state machine.
pub fn wasm_death_verification_new(
    subject_did: &str,
    initiated_by_did: &str,
    required_confirmations: u8,
    authorized_trustees_json: &str,
    claim_nonce_hex: &str,
    initiator_signature_hex: &str,
    created_physical_ms: u64,
    created_logical: u32,
) -> Result<JsValue, JsValue> {
    let subject = exo_core::Did::new(subject_did)
        .map_err(|e| JsValue::from_str(&format!("invalid subject DID: {e}")))?;
    let initiator = exo_core::Did::new(initiated_by_did)
        .map_err(|e| JsValue::from_str(&format!("invalid initiator DID: {e}")))?;
    let authorized_trustees = parse_authorized_trustees_json(authorized_trustees_json)?;
    let claim_nonce = hex::decode(claim_nonce_hex)
        .map_err(|e| JsValue::from_str(&format!("invalid claim nonce hex: {e}")))?;
    let initiator_signature =
        parse_ed25519_signature_hex("initiator confirmation signature", initiator_signature_hex)?;
    let metadata = exo_messaging::death_trigger::DeathVerificationCreationMetadata::new(
        exo_core::Timestamp::new(created_physical_ms, created_logical),
    )
    .map_err(|e| JsValue::from_str(&format!("invalid death verification metadata: {e}")))?;

    let dv = exo_messaging::death_trigger::DeathVerification::new(
        subject,
        initiator,
        required_confirmations,
        authorized_trustees,
        claim_nonce,
        initiator_signature,
        metadata,
    )
    .map_err(|e| JsValue::from_str(&format!("death verification creation failed: {e}")))?;
    to_js_value(&dv)
}

/// Compute the canonical trustee confirmation payload for an existing claim.
///
/// Returns the CBOR bytes that `trustee_did` signs before calling
/// [`wasm_death_verification_confirm`].
#[wasm_bindgen]
pub fn wasm_death_verification_confirmation_signing_payload(
    state_json: &str,
    trustee_did: &str,
    confirmed_physical_ms: u64,
    confirmed_logical: u32,
) -> Result<Vec<u8>, JsValue> {
    let dv: exo_messaging::death_trigger::DeathVerification = from_json_str(state_json)?;
    let trustee = exo_core::Did::new(trustee_did)
        .map_err(|e| JsValue::from_str(&format!("invalid trustee DID: {e}")))?;
    let metadata = exo_messaging::death_trigger::DeathConfirmationMetadata::new(
        exo_core::Timestamp::new(confirmed_physical_ms, confirmed_logical),
    )
    .map_err(|e| JsValue::from_str(&format!("invalid death confirmation metadata: {e}")))?;
    dv.confirmation_signing_payload(&trustee, &metadata.confirmed_at)
        .map_err(|e| {
            JsValue::from_str(&format!(
                "death verification confirmation payload failed: {e}"
            ))
        })
}

/// Add a trustee confirmation to a death verification.
/// Returns `{ verified: bool, confirmations_remaining: number, state: object }`.
#[wasm_bindgen]
pub fn wasm_death_verification_confirm(
    state_json: &str,
    trustee_did: &str,
    trustee_public_key_hex: &str,
    signature_hex: &str,
    confirmed_physical_ms: u64,
    confirmed_logical: u32,
) -> Result<JsValue, JsValue> {
    let mut dv: exo_messaging::death_trigger::DeathVerification = from_json_str(state_json)?;
    let trustee = exo_core::Did::new(trustee_did)
        .map_err(|e| JsValue::from_str(&format!("invalid trustee DID: {e}")))?;
    let trustee_public_key =
        parse_ed25519_public_key_hex("trustee Ed25519 public key", trustee_public_key_hex)?;
    let signature = parse_ed25519_signature_hex("trustee confirmation signature", signature_hex)?;
    let metadata = exo_messaging::death_trigger::DeathConfirmationMetadata::new(
        exo_core::Timestamp::new(confirmed_physical_ms, confirmed_logical),
    )
    .map_err(|e| JsValue::from_str(&format!("invalid death confirmation metadata: {e}")))?;

    let verified = dv
        .confirm(trustee, trustee_public_key, signature, metadata)
        .map_err(|e| JsValue::from_str(&format!("confirmation failed: {e}")))?;

    to_js_value(&serde_json::json!({
        "verified": verified,
        "confirmations_remaining": dv.confirmations_remaining(),
        "state": dv,
    }))
}