Skip to content

feat(crypto/playground): payload keyring + key rotation for encrypted payloads#80

Draft
marcus-pousette wants to merge 4 commits intomainfrom
feat/key-rotation-v1
Draft

feat(crypto/playground): payload keyring + key rotation for encrypted payloads#80
marcus-pousette wants to merge 4 commits intomainfrom
feat/key-rotation-v1

Conversation

@marcus-pousette
Copy link
Copy Markdown
Collaborator

@marcus-pousette marcus-pousette commented Feb 17, 2026

Summary

This PR adds payload key rotation for encrypted payloads and wires the playground to key IDs (kid) end-to-end.

Crypto

  • Add payload keyring model (activeKid + key map) with helpers to create, upsert, and rotate keys.
  • Add keyring encryption/decryption APIs:
    • encryptTreecrdtPayloadWithKeyringV1
    • maybeDecryptTreecrdtPayloadWithKeyringV1
    • getTreecrdtEncryptedPayloadKeyIdV1
  • Encrypted envelopes now carry a kid, and keyring decrypt requires a matching key id.

Playground integration

  • Replace single payload-key storage with per-doc keyring metadata + sealed key entries.
  • Invite and grant payloads now include both payloadKeyB64 and payloadKeyKid.
  • Add UI to show the active payload key id and rotate payload keys from the auth panel.
  • Unknown-key encrypted payloads are surfaced as keyMissing instead of crashing.

Scope

  • Remove backward-compatibility shims in this branch (legacy key storage migration and keyring decrypt fallback without kid).

Related: #78

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant