feat(roomcrypto): direct AES-256-GCM room encryption; add client decoder

broadcast-worker/handler.go

@@ -39,10 +39,18 @@ type Handler struct {
 	pub       Publisher
 	keyStore  RoomKeyProvider
 	encrypt   bool
+	encoder   *roomcrypto.Encoder
 }
 
 func NewHandler(store Store, userStore userstore.UserStore, pub Publisher, keyStore RoomKeyProvider, encrypt bool) *Handler {
-	return &Handler{store: store, userStore: userStore, pub: pub, keyStore: keyStore, encrypt: encrypt}
+	return &Handler{
+		store:     store,
+		userStore: userStore,
+		pub:       pub,
+		keyStore:  keyStore,
+		encrypt:   encrypt,
+		encoder:   roomcrypto.NewEncoder(),
+	}
 }
 
 // HandleMessage processes a single MESSAGES_CANONICAL message payload.
@@ -209,7 +217,7 @@ func (h *Handler) encryptEditedContent(ctx context.Context, roomID string, edite
 	if err != nil {
 		return err
 	}
-	encrypted, err := roomcrypto.Encode(edited.NewContent, key.KeyPair.PublicKey, key.Version)
+	encrypted, err := h.encoder.Encode(roomID, edited.NewContent, key.KeyPair.PrivateKey, key.Version)
 	if err != nil {
 		return fmt.Errorf("encrypt edit content for room %s: %w", roomID, err)
 	}
@@ -253,7 +261,7 @@ func (h *Handler) publishChannelEvent(ctx context.Context, meta roommetacache.Me
 			return err
 		}
 
-		encrypted, err := roomcrypto.Encode(string(msgJSON), key.KeyPair.PublicKey, key.Version)
+		encrypted, err := h.encoder.Encode(meta.ID, string(msgJSON), key.KeyPair.PrivateKey, key.Version)
 		if err != nil {
 			return fmt.Errorf("encrypt message for room %s: %w", meta.ID, err)
 		}

broadcast-worker/handler_test.go

@@ -658,7 +658,6 @@ func TestHandler_HandleMessage_ChannelRoom_Encryption(t *testing.T) {
 		var env roomcrypto.EncryptedMessage
 		require.NoError(t, json.Unmarshal(evt.EncryptedMessage, &env))
 		assert.Equal(t, key.Version, env.Version)
-		assert.NotEmpty(t, env.EphemeralPublicKey)
 		assert.NotEmpty(t, env.Nonce)
 		assert.NotEmpty(t, env.Ciphertext)
 

broadcast-worker/testhelpers_test.go

@@ -3,16 +3,12 @@ package main
 import (
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/ecdh"
 	"crypto/rand"
-	"crypto/sha256"
 	"encoding/json"
 	"fmt"
-	"io"
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"golang.org/x/crypto/hkdf"
 
 	"github.com/hmchangw/chat/pkg/model"
 	"github.com/hmchangw/chat/pkg/roomcrypto"
@@ -21,36 +17,20 @@ import (
 
 func testRoomKey(t *testing.T) *roomkeystore.VersionedKeyPair {
 	t.Helper()
-	priv, err := ecdh.P256().GenerateKey(rand.Reader)
+	buf := make([]byte, 32)
+	_, err := rand.Read(buf)
 	require.NoError(t, err)
 	return &roomkeystore.VersionedKeyPair{
 		Version: 3,
 		KeyPair: roomkeystore.RoomKeyPair{
-			PublicKey:  priv.PublicKey().Bytes(),
-			PrivateKey: priv.Bytes(),
+			PrivateKey: buf,
 		},
 	}
 }
 
 func decryptForTest(env *roomcrypto.EncryptedMessage, roomPrivateKey []byte) (string, error) {
-	privKey, err := ecdh.P256().NewPrivateKey(roomPrivateKey)
-	if err != nil {
-		return "", fmt.Errorf("parse room private key: %w", err)
-	}
-	ephPubKey, err := ecdh.P256().NewPublicKey(env.EphemeralPublicKey)
-	if err != nil {
-		return "", fmt.Errorf("parse ephemeral public key: %w", err)
-	}
-	sharedSecret, err := privKey.ECDH(ephPubKey)
-	if err != nil {
-		return "", fmt.Errorf("ecdh: %w", err)
-	}
-	aesKey := make([]byte, 32)
-	hkdfReader := hkdf.New(sha256.New, sharedSecret, nil, []byte("room-message-encryption"))
-	if _, err := io.ReadFull(hkdfReader, aesKey); err != nil {
-		return "", fmt.Errorf("hkdf: %w", err)
-	}
-	block, err := aes.NewCipher(aesKey)
+	// The room private key is used directly as the AES-256-GCM key (no HKDF step).
+	block, err := aes.NewCipher(roomPrivateKey)
 	if err != nil {
 		return "", fmt.Errorf("aes cipher: %w", err)
 	}

chat-frontend/scripts/gen-crypto-fixtures.go

@@ -0,0 +1,67 @@
+//go:build ignore
+
+// gen-crypto-fixtures generates a known-plaintext encrypted message for
+// chat-frontend's lib/roomcrypto round-trip tests. Run with:
+//
+//	go run chat-frontend/scripts/gen-crypto-fixtures.go > chat-frontend/test/fixtures/encrypted-message.json
+//
+// Commit the output. The fixture exists to lock the cross-language wire
+// format: any change in the server encoder's AES-GCM parameters or wire
+// shape MUST update this fixture together with the corresponding TS
+// decoder.
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/hmchangw/chat/pkg/roomcrypto"
+)
+
+func main() {
+	// Deterministic private key so the fixture is stable across runs.
+	priv := make([]byte, 32)
+	for i := range priv {
+		priv[i] = byte(i + 1)
+	}
+	const plaintext = "fixture plaintext — encoded by the Go server, decoded by chat-frontend"
+	const version = 1
+	const roomID = "fixture-room"
+
+	// Construct an Encoder with a fixed-nonce reader so the ciphertext is
+	// reproducible. Twelve-byte zero nonce is fine for a fixture (it's a
+	// known-key test, not real traffic).
+	enc := roomcrypto.NewEncoder(roomcrypto.WithRand(zeroReader{}))
+	msg, err := enc.Encode(roomID, plaintext, priv, version)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "encode:", err)
+		os.Exit(1)
+	}
+
+	out := struct {
+		PrivateKey string                       `json:"privateKey"`
+		Plaintext  string                       `json:"plaintext"`
+		Message    *roomcrypto.EncryptedMessage `json:"message"`
+	}{
+		PrivateKey: base64.StdEncoding.EncodeToString(priv),
+		Plaintext:  plaintext,
+		Message:    msg,
+	}
+	data, err := json.MarshalIndent(out, "", "  ")
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "marshal:", err)
+		os.Exit(1)
+	}
+	fmt.Println(string(data))
+}
+
+type zeroReader struct{}
+
+func (zeroReader) Read(p []byte) (int, error) {
+	for i := range p {
+		p[i] = 0
+	}
+	return len(p), nil
+}

chat-frontend/src/App.jsx

@@ -1,5 +1,6 @@
 import { useEffect, useState, useCallback } from 'react'
 import { NatsProvider, useNats } from '@/context/NatsContext'
+import { RoomKeysProvider } from '@/context/RoomKeysContext'
 import { RoomEventsProvider } from '@/context/RoomEventsContext'
 import { ThreadEventsProvider } from '@/context/ThreadEventsContext'
 import LoginPage from '@/pages/LoginPage'
@@ -35,11 +36,13 @@ function AppContent() {
   }
 
   return (
-    <RoomEventsProvider>
-      <ThreadEventsProvider>
-        <MainApp />
-      </ThreadEventsProvider>
-    </RoomEventsProvider>
+    <RoomKeysProvider>
+      <RoomEventsProvider>
+        <ThreadEventsProvider>
+          <MainApp />
+        </ThreadEventsProvider>
+      </RoomEventsProvider>
+    </RoomKeysProvider>
   )
 }
 

chat-frontend/src/api/_transport/subjects.test.js

@@ -1,6 +1,7 @@
 import { describe, it, expect } from 'vitest'
 import {
   userRoomEvent,
+  userRoomKey,
   roomEvent,
   memberAdd,
   memberRemove,
@@ -135,5 +136,11 @@ describe('subjects', () => {
       'chat.user.alice.request.user.site-A.subscription.count'
     )
   })
+})
 
+describe('userRoomKey', () => {
+  it('builds the per-user room-key event subject', () => {
+    expect(userRoomKey('alice')).toBe('chat.user.alice.event.room.key')
+  })
 })
+

chat-frontend/src/api/_transport/subjects.ts

@@ -56,6 +56,10 @@ export function userRoomEvent(account: string): string {
   return `chat.user.${account}.event.room`
 }
 
+export function userRoomKey(account: string): string {
+  return `chat.user.${account}.event.room.key`
+}
+
 export function memberAdd(account: string, roomId: string, siteId: string): string {
   return `chat.user.${account}.request.room.${roomId}.${siteId}.member.add`
 }

chat-frontend/src/api/index.ts

@@ -32,6 +32,7 @@ export { searchRooms } from './searchRooms'
 export { sendMessage } from './sendMessage'
 export { subscribeToRoomEvents } from './subscribeToRoomEvents'
 export { subscribeToRoomMetadataUpdates } from './subscribeToRoomMetadataUpdates'
+export { subscribeToRoomKeyEvents } from './subscribeToRoomKeyEvents'
 export { subscribeToSubscriptionUpdates } from './subscribeToSubscriptionUpdates'
 export { subscribeToUserRoomEvents } from './subscribeToUserRoomEvents'
 export { updateMemberRole } from './updateMemberRole'
@@ -72,4 +73,5 @@ export type {
   ChannelRef,
   HistoryConfig,
   HistoryMode,
+  RoomKeyEvent,
 } from './types'

chat-frontend/src/api/subscribeToRoomKeyEvents/index.test.ts

@@ -0,0 +1,15 @@
+import { describe, it, expect, vi } from 'vitest'
+import { subscribeToRoomKeyEvents } from './index'
+
+describe('subscribeToRoomKeyEvents', () => {
+  it('subscribes to chat.user.{account}.event.room.key with the given callback', () => {
+    const subscribe = vi.fn().mockReturnValue({ unsubscribe: vi.fn() })
+    const nats = { subscribe, user: { account: 'alice', id: '' }, request: vi.fn(), publish: vi.fn(), requestWithAsyncResult: vi.fn(), connected: true, error: null }
+    const cb = vi.fn()
+
+    const sub = subscribeToRoomKeyEvents(nats as never, cb)
+
+    expect(subscribe).toHaveBeenCalledWith('chat.user.alice.event.room.key', cb)
+    expect(sub).toBeDefined()
+  })
+})

chat-frontend/src/api/subscribeToRoomKeyEvents/index.ts

@@ -0,0 +1,10 @@
+import { userRoomKey } from '../_transport/subjects'
+import type { Nats, NatsSubscription, SubscriptionCallback } from '../types'
+
+/** Subscribe to the calling user's room-key event stream. */
+export function subscribeToRoomKeyEvents(
+  { subscribe, user }: Pick<Nats, 'subscribe' | 'user'>,
+  callback: SubscriptionCallback,
+): NatsSubscription {
+  return subscribe(userRoomKey(user.account), callback)
+}

chat-frontend/src/api/types.ts

@@ -262,6 +262,19 @@ export interface SubscriptionUpdateEvent {
   timestamp: number
 }
 
+/**
+ * Mirrors pkg/model.RoomKeyEvent — payload of
+ * chat.user.{account}.event.room.key. PrivateKey is base64-encoded on
+ * the wire (Go's encoding/json default for []byte). PublicKey is
+ * omitted from the client wire payload.
+ */
+export interface RoomKeyEvent {
+  roomId: string
+  version: number
+  privateKey: string  // base64
+  timestamp: number
+}
+
 /** Two-phase async-job result returned by `requestWithAsyncResult`. */
 export interface AsyncJobResult<S = unknown, A = unknown> {
   requestId: string

chat-frontend/src/components/MainApp/MainApp.integration.test.jsx

@@ -23,6 +23,12 @@ import MainApp from './MainApp'
 // If this test passes but the user reports the panel doesn't appear, the
 // remaining suspects are CSS clipping or browser-specific (nginx caching).
 
+// RoomEventsProvider calls useRoomKeys() internally. Stub it so this test
+// doesn't need a real RoomKeysProvider (which would try to connect to NATS).
+vi.mock('@/context/RoomKeysContext', () => ({
+  useRoomKeys: () => ({ decrypt: async () => null, hasKey: () => false }),
+}))
+
 vi.mock('./AppHeader/AppHeader', () => ({
   default: ({ onSelectRoom }) => (
     <header>

chat-frontend/src/context/RoomEventsContext/RoomEventsContext.test.jsx

@@ -6,6 +6,14 @@ import { RoomEventsProvider, useRoomEvents, useRoomSummaries, useSidebarSections
 import { BUFFER_MODE } from './reducer'
 // jumpToMessage / resetToLiveTail tests — see suite below
 
+// RoomEventsContext now calls useRoomKeys() internally. Stub it out so tests
+// don't need a real RoomKeysProvider (which would try to connect to NATS and
+// fetch key material). The no-op decrypt matches the default used in
+// useRoomSubscriptions when no key is available.
+vi.mock('@/context/RoomKeysContext', () => ({
+  useRoomKeys: () => ({ decrypt: async () => null, hasKey: () => false }),
+}))
+
 /** Turn an inline "room-shaped" fixture into a subscription record that
  *  the new bootstrap (3 subscription RPCs) returns. The real user-service
  *  embeds room metadata (userCount, lastMsgAt) inline on each subscription

chat-frontend/src/context/RoomEventsContext/RoomEventsContext.tsx

@@ -9,6 +9,7 @@ import {
   type ReactNode,
 } from 'react'
 import { useNats } from '@/context/NatsContext'
+import { useRoomKeys } from '@/context/RoomKeysContext'
 import { BUFFER_MODE, initialState, roomEventsReducer } from './reducer'
 import { useRoomSubscriptions } from './useRoomSubscriptions'
 import { useUnreadCount as useUnreadCountQuery } from './useUnreadCount'
@@ -112,6 +113,7 @@ export function RoomEventsProvider({ children }: { children: ReactNode }) {
   // where the NATS handshake has populated user/request/etc.
   const nats = useNats() as unknown as Nats
   const { user } = nats
+  const { decrypt } = useRoomKeys()
   const [state, dispatch] = useReducer(roomEventsReducer, initialState) as unknown as [
     RoomEventsState,
     Dispatch<{ type: string; [k: string]: unknown }>,
@@ -147,6 +149,7 @@ export function RoomEventsProvider({ children }: { children: ReactNode }) {
     stateRef,
     threadReplyHandlerRef,
     threadMessageMutationHandlerRef,
+    decrypt,
   )
 
   const loadHistory = useCallback(

chat-frontend/src/context/RoomEventsContext/reducer.test.js

@@ -215,6 +215,32 @@ describe('roomEventsReducer: MESSAGE_RECEIVED', () => {
     })
   })
 
+  it('treats a successfully-decrypted MESSAGE_RECEIVED as a normal new-message event', () => {
+    // After Task 25, useRoomSubscriptions decrypts evt.encryptedMessage and
+    // dispatches with .message populated AND .encryptedMessage cleared.
+    // The reducer should see no difference between this and a plaintext event:
+    // no placeholder, content is the decoded plaintext, encrypted flag unset.
+    const event = newMessageEvent({
+      message: {
+        id: 'm-decoded',
+        roomId: 'a',
+        content: 'decrypted body',
+        createdAt: '2026-05-20T00:00:00Z',
+        sender: { account: 'bob', engName: 'Bob' },
+      },
+      lastMsgId: 'm-decoded',
+      encryptedMessage: undefined,
+    })
+    const next = roomEventsReducer(initialState, {
+      type: 'MESSAGE_RECEIVED',
+      event,
+    })
+    const inserted = next.roomState.a.messages.find((m) => m.id === 'm-decoded')
+    expect(inserted).toBeDefined()
+    expect(inserted.content).toBe('decrypted body')
+    expect(inserted.encrypted).toBeFalsy()
+  })
+
   it('does not drop an event that has both message and encryptedMessage — plaintext wins', () => {
     // Forward-compatible: if a future broadcaster sends both lanes (e.g.
     // during a rollout), the plaintext path is authoritative.