Content-key re-wrap for account devices (0243 Phase 2, P2.3) #331

Merged: crs48 merged 1 commit into main from claude/0243-rewrap on Jun 29, 2026

crs48 (Owner) commented Jun 29, 2026

Completes P2.3 of exploration 0243 — the content-key re-wrap that lets a user's data follow their devices, on top of the ledger schemas (#328) and operations (#329).

What this adds

computeRecipients gains an optional expandDeviceRecipients dependency: each DID recipient expands to every currently active device of the account it belongs to (built from ledger records via the new deviceRecipientExpander). So:

  • Admit a device (a DeviceRecord) → it becomes a recipient on the next recompute → it can decrypt the account's data.
  • Revoke a device (a RevocationRecord) → it's dropped from future re-wraps.
  • An identity that belongs to no account expands to only itself → an unrelated DID never gains access to another account's data (privacy guarantee holds).
  • Omitting the dependency leaves recipients exactly as before — fully additive, no behavior change for today's single-DID paths.

8 new tests (4 pure expander + 4 computeRecipients integration covering admit/revoke/no-leak/no-op); the full @xnetjs/data suite (1729 tests) stays green.

Status

This checks P2.3 plus the "admit grants / revoke removes" and "unrelated DID can't decrypt" validation items. The doc is now 11/13 implementation, 7/9 validation. Remaining are the two deliberately-deferred items: P1.4 (synced-passkey surfacing — convenience) and P3.1 (opt-in WorkOS-gated KMS escrow — optional, privacy tradeoff).

Changeset: @xnetjs/data minor. No user-visible behavior wired yet → skip-changelog.

🤖 Generated with Claude Code

…0243 P2.3)

Complete P2.3: a new optional expandDeviceRecipients dependency on computeRecipients
expands each DID recipient to every active device of its account (built from ledger
records via deviceRecipientExpander). Admitting a device makes it a recipient on the
next recompute; revoking removes it from future re-wraps; an identity in no account
expands to only itself, so an unrelated DID never reaches another account's data.
Omitting the dependency leaves recipients unchanged (additive, no regression).

8 new tests (4 expander + 4 computeRecipients integration); full @xnetjs/data suite
(1729) green. Checks P2.3 + the admit/revoke and unrelated-DID validation items.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: xNet Test <test@xnet.dev>
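
The expansion rule from the PR description and commit message above, as an added sketch that is not code from this PR or from @xnetjs/data. The record shape (`type`, `account`, `did`), both function signatures, the sample DIDs, and the choice to let a revocation win regardless of record order are assumptions made for illustration.

```javascript
// Added illustration, not the @xnetjs/data implementation. Record shapes and
// signatures are assumed; only the function and record names come from the PR text.

// Constructed sample ledger: two accounts, one revoked device.
const ledger = [
  { type: 'DeviceRecord', account: 'acct-A', did: 'did:ex:alice' },
  { type: 'DeviceRecord', account: 'acct-A', did: 'did:ex:alice-phone' },
  { type: 'DeviceRecord', account: 'acct-A', did: 'did:ex:alice-laptop' },
  { type: 'RevocationRecord', account: 'acct-A', did: 'did:ex:alice-laptop' },
  { type: 'DeviceRecord', account: 'acct-B', did: 'did:ex:bob' },
];

// Builds did -> [active device DIDs of that DID's account] from ledger records.
function deviceRecipientExpander(records) {
  const accountOf = new Map(); // did -> account id
  const admitted = new Map();  // account id -> Set of admitted DIDs
  const revoked = new Set();   // "account|did" pairs; revocation is permanent here
  for (const r of records) {
    if (r.type === 'DeviceRecord') {
      accountOf.set(r.did, r.account);
      if (!admitted.has(r.account)) admitted.set(r.account, new Set());
      admitted.get(r.account).add(r.did);
    } else if (r.type === 'RevocationRecord') {
      revoked.add(`${r.account}|${r.did}`);
    }
  }
  return (did) => {
    const account = accountOf.get(did);
    if (account === undefined) return [did]; // in no account: expands to itself only
    return [...admitted.get(account)].filter((d) => !revoked.has(`${account}|${d}`));
  };
}

// Recipient set for a content-key re-wrap. Without the optional dependency the
// input is returned unchanged, matching the additive behaviour the PR describes.
function computeRecipients(dids, { expandDeviceRecipients } = {}) {
  if (!expandDeviceRecipients) return [...dids];
  const out = new Set();
  for (const did of dids) {
    for (const device of expandDeviceRecipients(did)) out.add(device);
  }
  return [...out].sort();
}

const expand = deviceRecipientExpander(ledger);
console.log(computeRecipients(['did:ex:alice'], { expandDeviceRecipients: expand }));
console.log(computeRecipients(['did:ex:mallory'], { expandDeviceRecipients: expand }));
```

Scoping each revocation to its account means a RevocationRecord written under one account cannot remove a device from another account's recipient set.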
crs48 added the skip-changelog label (Exclude this PR from the changelog) Jun 29, 2026
crs48 temporarily deployed to pr-331 with GitHub Actions, June 29, 2026 00:21 (Inactive)
github-actions (Bot, Contributor) commented Jun 29, 2026

Preview removed for PR #331.

github-actions Bot added a commit that referenced this pull request Jun 29, 2026
crs48 merged commit e44c75d into main Jun 29, 2026
16 of 17 checks passed
crs48 deleted the claude/0243-rewrap branch June 29, 2026 00:27
github-actions Bot added a commit that referenced this pull request Jun 29, 2026