feat(crypto/playground): payload keyring + key rotation for encrypted payloads by marcus-pousette · Pull Request #80 · cybersemics/treecrdt

marcus-pousette · 2026-02-17T12:02:39Z

Summary

This PR adds payload key rotation for encrypted payloads and wires the playground to key IDs (kid) end-to-end.

Add payload keyring model (activeKid + key map) with helpers to create, upsert, and rotate keys.
Add keyring encryption/decryption APIs:
- encryptTreecrdtPayloadWithKeyringV1
- maybeDecryptTreecrdtPayloadWithKeyringV1
- getTreecrdtEncryptedPayloadKeyIdV1
Encrypted envelopes now carry a kid, and keyring decrypt requires a matching key id.

Replace single payload-key storage with per-doc keyring metadata + sealed key entries.
Invite and grant payloads now include both payloadKeyB64 and payloadKeyKid.
Add UI to show the active payload key id and rotate payload keys from the auth panel.
Unknown-key encrypted payloads are surfaced as keyMissing instead of crashing.

Remove backward-compatibility shims in this branch (legacy key storage migration and keyring decrypt fallback without kid).

Related: #78

marcus-pousette added 2 commits February 17, 2026 13:05

feat(crypto): add payload keyring rotation primitives

4215da1

feat(playground): wire payload key ids and rotation UX

954ab5f

marcus-pousette force-pushed the feat/key-rotation-v1 branch from 33fb68b to 954ab5f Compare February 17, 2026 12:07

marcus-pousette added 2 commits February 22, 2026 21:29

refactor(crypto/playground): remove backward-compat payload key paths

cbddb96

docs(architecture): rewrite into cleaner narrative format

7ca9289