Expose generateKey() and getPublicKey() in CryptoAdapter surface

[transphorm]

Summary

• Adds generateKey(keyRef) and getPublicKey(keyRef) to the CryptoAdapter interface, closing the gap between the bridge protocol (which already declares both methods) and the TypeScript adapter contract
• Implements bridge-delegating versions in webview-bridge that forward to native handlers with base64 decoding
• Adds throwing stubs in browser and RN default adapters (key ops require native keychain)
• Adds tests covering bridge param wiring, base64 response decoding, and throw paths

Test plan

---

Native Consolidation Checklist

• CONTRACTS.md reviewed - no unintended contract changes
• Layer 1 bridge contract tests pass (cd app && yarn jest:run / yarn workspace @selfxyz/rn-sdk-test-app test)
• Layer 3 builds pass (app iOS, RN test app iOS, RN test app Android)
• Layer 4 manual smoke test signed off (if consolidation PR)
• No new native business logic added (logic belongs in TypeScript)

Summary by CodeRabbit

• New Features

  • Crypto API now includes generateKey() and getPublicKey() for creating keys and retrieving public key bytes.

• Behavior

  • Bridge-backed platforms implement these methods; web/default adapters currently throw "not implemented" until a native keychain adapter is provided.

• Tests

  • Added tests for generateKey and getPublicKey success and failure paths.

• Documentation

  • Specs and planning docs updated to reflect the new public API surface.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3a01b514-0bec-4f36-a9ae-72c24d9325d4

📥 Commits

Reviewing files that changed from the base of the PR and between d824ab2 and 30e81fa.

📒 Files selected for processing (1)

• packages/webview-bridge/src/adapters/crypto.ts

---

📝 Walkthrough

Walkthrough

Adds generateKey and getPublicKey to the CryptoAdapter and BridgeCryptoAdapter surfaces. Bridge implementation delegates to native via bridge.request and decodes base64 public keys; browser/React Native adapters and app provider expose throwing stubs. Tests, mocks, and specs updated accordingly.

Changes

Cohort / File(s)	Summary
Type Definition Updates packages/mobile-sdk-alpha/src/types/public.ts	Added signatures for generateKey(keyRef: string): Promise<{ keyRef: string }> and getPublicKey(keyRef: string): Promise<Uint8Array> to the public crypto interfaces.
Bridge Adapter Implementation & Tests packages/webview-bridge/src/adapters/crypto.ts, packages/webview-bridge/src/__tests__/adapters.test.ts	Implemented generateKey and getPublicKey to call bridge.request('crypto', ...), validate responses, decode base64 public keys to Uint8Array, and added success/failure tests.
Browser & React-Native Adapters (stubs) packages/mobile-sdk-alpha/src/adapters/browser/crypto.ts, packages/mobile-sdk-alpha/src/adapters/react-native/crypto.ts	Added stub implementations that throw explicit "not implemented / requires native keychain" errors to preserve API contract where native keychain access is unavailable.
App Provider & Test Mocks app/src/providers/selfClientProvider.tsx, packages/mobile-sdk-alpha/tests/*, packages/mobile-sdk-alpha/tests/utils/testHelpers.ts, packages/mobile-sdk-alpha/tests/client.test.ts, packages/mobile-sdk-alpha/tests/documents/utils.test.ts	Extended SelfClient provider and test mocks to include generateKey and getPublicKey; added tests asserting browser adapter throws and bridge adapter behavior.
Specs & Planning Docs specs/projects/sdk/.../SPEC.md, specs/projects/sdk/.../SC-02-crypto-bridge-surface.md	Updated docs/specs to reflect new public API exposure and completion status for SC-02.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant BridgeCryptoAdapter
    participant NativeBridge
    participant NativeKeychain

    rect rgba(100, 150, 255, 0.5)
    Note over Client,NativeKeychain: generateKey Flow
    Client->>BridgeCryptoAdapter: generateKey(keyRef)
    BridgeCryptoAdapter->>NativeBridge: request('crypto', { action: 'generateKey', params: { keyRef } })
    NativeBridge->>NativeKeychain: create key & store
    NativeKeychain-->>NativeBridge: { keyRef }
    NativeBridge-->>BridgeCryptoAdapter: { success: true, keyRef }
    BridgeCryptoAdapter-->>Client: { keyRef }
    end

    rect rgba(150, 200, 100, 0.5)
    Note over Client,NativeKeychain: getPublicKey Flow
    Client->>BridgeCryptoAdapter: getPublicKey(keyRef)
    BridgeCryptoAdapter->>NativeBridge: request('crypto', { action: 'getPublicKey', params: { keyRef } })
    NativeBridge->>NativeKeychain: extract public key
    NativeKeychain-->>NativeBridge: { publicKey: base64String }
    NativeBridge-->>BridgeCryptoAdapter: { success: true, publicKey: base64String }
    BridgeCryptoAdapter->>BridgeCryptoAdapter: decode base64 -> Uint8Array
    BridgeCryptoAdapter-->>Client: Uint8Array
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Expose generateKey() and getPublicKey() in CryptoAdapter surface #1849: Same feature additions—exposes generateKey and getPublicKey across crypto/bridge surfaces.
• chore: address spec inconsistencies #1774: Related changes routing key generation/public-key retrieval through the native bridge.
• Add VERIFICATION_COMPLETE event and optional relay listener for WebView mode #1765: Related extension of crypto adapter surface in React Native adapter.

Suggested labels

codex

Suggested reviewers

• aaronmgdr

Poem

🔐 A tiny bridge that sings for keys,
Native calls wake from browser breeze.
Base64 folds into byte-array light,
Stubs stand guard till platforms write.
🗝️✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description covers what changed and how, but the 'Tested' section is incomplete and 'How to QA' section is missing per the template requirements.	Complete the 'Tested' section with specific test details and add a 'How to QA' section with repeatable testing steps.
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly describes the main change: exposing two new methods (generateKey and getPublicKey) in the CryptoAdapter interface, which aligns perfectly with the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch justin/kmp-sc-02

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/webview-bridge/src/adapters/crypto.ts`:
- Around line 42-49: The generateKey function currently ignores result.success
and always returns a keyRef even when native generation failed; update
generateKey (in packages/webview-bridge/src/adapters/crypto.ts) to check the
bridge.request response (result.success) and throw/reject when success is false
or undefined instead of returning { keyRef }, otherwise return the keyRef only
when result.success is true; reference the generateKey function and the
bridge.request('crypto','generateKey', ...) call when making the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c54a795d-c061-4e79-aa22-9355407e4fe3

📥 Commits

Reviewing files that changed from the base of the PR and between cbe2d75 and 46737fb.

📒 Files selected for processing (11)

• packages/mobile-sdk-alpha/src/adapters/browser/crypto.ts
• packages/mobile-sdk-alpha/src/adapters/react-native/crypto.ts
• packages/mobile-sdk-alpha/src/types/public.ts
• packages/mobile-sdk-alpha/tests/adapters/browser/crypto.test.ts
• packages/mobile-sdk-alpha/tests/client.test.ts
• packages/mobile-sdk-alpha/tests/documents/utils.test.ts
• packages/mobile-sdk-alpha/tests/utils/testHelpers.ts
• packages/webview-bridge/src/__tests__/adapters.test.ts
• packages/webview-bridge/src/adapters/crypto.ts
• specs/projects/sdk/workstreams/sdk-core/SPEC.md
• specs/projects/sdk/workstreams/sdk-core/plans/SC-02-crypto-bridge-surface.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/webview-bridge/src/adapters/crypto.ts`:
- Around line 54-61: The getPublicKey implementation decodes bridge.request
result.publicKey without validating it; update getPublicKey to fail closed by
explicitly checking that result and result.publicKey are present, are non-empty
strings, and match an expected base64 pattern before calling base64ToUint8Array,
and if any check fails throw a clear error (e.g., "Invalid or empty publicKey
from bridge") rather than returning an empty array or letting decode errors
leak; wrap the base64ToUint8Array call in a try/catch and rethrow a normalized
error on decode failure so callers see a consistent failure mode.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e1a4be61-9caf-4a13-9f71-3359038ebe66

📥 Commits

Reviewing files that changed from the base of the PR and between 46737fb and d824ab2.

📒 Files selected for processing (3)

• app/src/providers/selfClientProvider.tsx
• packages/webview-bridge/src/__tests__/adapters.test.ts
• packages/webview-bridge/src/adapters/crypto.ts