feat(roomcrypto): direct AES-256-GCM room encryption; add client decoder

broadcast-worker/handler.go

@@ -39,10 +39,11 @@ type Handler struct {
 	pub       Publisher
 	keyStore  RoomKeyProvider
 	encrypt   bool
+	encoder   *roomcrypto.Encoder
 }
 
-func NewHandler(store Store, userStore userstore.UserStore, pub Publisher, keyStore RoomKeyProvider, encrypt bool) *Handler {
-	return &Handler{store: store, userStore: userStore, pub: pub, keyStore: keyStore, encrypt: encrypt}
+func NewHandler(store Store, userStore userstore.UserStore, pub Publisher, keyStore RoomKeyProvider, encrypt bool, encoder *roomcrypto.Encoder) *Handler {
+	return &Handler{store: store, userStore: userStore, pub: pub, keyStore: keyStore, encrypt: encrypt, encoder: encoder}
 }
 
 // HandleMessage processes a single MESSAGES_CANONICAL message payload.
@@ -207,7 +208,7 @@ func (h *Handler) encryptEditedContent(ctx context.Context, roomID string, edite
 	if err != nil {
 		return err
 	}
-	encrypted, err := roomcrypto.Encode(edited.NewContent, key.KeyPair.PublicKey, key.Version)
+	encrypted, err := h.encoder.Encode(roomID, edited.NewContent, key.KeyPair.PrivateKey, key.Version)
 	if err != nil {
 		return fmt.Errorf("encrypt edit content for room %s: %w", roomID, err)
 	}
@@ -251,7 +252,7 @@ func (h *Handler) publishChannelEvent(ctx context.Context, meta roommetacache.Me
 			return err
 		}
 
-		encrypted, err := roomcrypto.Encode(string(msgJSON), key.KeyPair.PublicKey, key.Version)
+		encrypted, err := h.encoder.Encode(meta.ID, string(msgJSON), key.KeyPair.PrivateKey, key.Version)
 		if err != nil {
 			return fmt.Errorf("encrypt message for room %s: %w", meta.ID, err)
 		}

broadcast-worker/handler_test.go

@@ -138,7 +138,7 @@ func TestHandleMessage_DispatchesByEvent(t *testing.T) {
 				us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return(nil, nil)
 			}
 
-			h := NewHandler(store, us, pub, keyStore, true)
+			h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 			err = h.HandleMessage(context.Background(), data)
 
 			if tc.wantErr {
@@ -222,7 +222,7 @@ func TestHandler_HandleMessage_ChannelRoom(t *testing.T) {
 			// Sender lookup
 			us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return([]model.User{senderUser}, nil)
 
-			h := NewHandler(store, us, pub, keyStore, true)
+			h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 			err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", tc.content, msgTime))
 			require.NoError(t, err)
 
@@ -321,7 +321,7 @@ func TestHandler_HandleMessage_DMRoom(t *testing.T) {
 			us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"alice"}).Return([]model.User{testUsers[0]}, nil)
 
 			keyStore := NewMockRoomKeyProvider(ctrl)
-			h := NewHandler(store, us, pub, keyStore, true)
+			h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 			err := h.HandleMessage(context.Background(), data)
 			require.NoError(t, err)
 
@@ -361,7 +361,7 @@ func TestHandler_HandleMessage_Errors(t *testing.T) {
 		us := NewMockUserStore(ctrl)
 		pub := &mockPublisher{}
 		keyStore := NewMockRoomKeyProvider(ctrl)
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 
 		err := h.HandleMessage(context.Background(), []byte("not json"))
 		require.Error(t, err)
@@ -377,7 +377,7 @@ func TestHandler_HandleMessage_Errors(t *testing.T) {
 		store.EXPECT().UpdateRoomLastMessage(gomock.Any(), "room-1", "msg-1", msgTime, false).Return(errors.New("not found"))
 
 		keyStore := NewMockRoomKeyProvider(ctrl)
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hello", msgTime))
 		require.Error(t, err)
 		assert.Empty(t, pub.records)
@@ -392,7 +392,7 @@ func TestHandler_HandleMessage_Errors(t *testing.T) {
 		store.EXPECT().UpdateRoomLastMessage(gomock.Any(), "room-1", "msg-1", msgTime, false).Return(errors.New("db error"))
 
 		keyStore := NewMockRoomKeyProvider(ctrl)
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hello", msgTime))
 		require.Error(t, err)
 		assert.Empty(t, pub.records)
@@ -410,7 +410,7 @@ func TestHandler_HandleMessage_Errors(t *testing.T) {
 		store.EXPECT().SetSubscriptionMentions(gomock.Any(), "room-1", gomock.Any()).Return(errors.New("db error"))
 
 		keyStore := NewMockRoomKeyProvider(ctrl)
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hey @alice", msgTime))
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "set subscription mentions")
@@ -432,7 +432,7 @@ func TestHandler_HandleMessage_Errors(t *testing.T) {
 		us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return(nil, nil) // sender lookup
 
 		keyStore := NewMockRoomKeyProvider(ctrl)
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hello", msgTime))
 		require.NoError(t, err)
 		assert.Empty(t, pub.records)
@@ -450,7 +450,7 @@ func TestHandler_HandleMessage_Errors(t *testing.T) {
 		store.EXPECT().ListSubscriptions(gomock.Any(), "dm-1").Return(nil, errors.New("db error"))
 
 		keyStore := NewMockRoomKeyProvider(ctrl)
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		evt := model.MessageEvent{
 			Event:  model.EventCreated,
 			SiteID: "site-a",
@@ -483,7 +483,7 @@ func TestHandler_HandleMessage_Errors(t *testing.T) {
 		us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return([]model.User{senderUser}, nil) // mention lookup
 		us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return([]model.User{senderUser}, nil) // sender lookup
 
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hey @sender", msgTime))
 		require.NoError(t, err)
 
@@ -509,7 +509,7 @@ func TestHandler_HandleMessage_Errors(t *testing.T) {
 		store.EXPECT().GetRoomMeta(gomock.Any(), "room-1").Return(metaOf(testChannelRoom), nil)
 		us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return(nil, errors.New("db error")) // sender lookup
 
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hello", msgTime))
 		require.NoError(t, err)
 
@@ -551,7 +551,7 @@ func TestHandler_HandleMessage_DMRoom_PublishError(t *testing.T) {
 	us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"alice"}).Return([]model.User{testUsers[0]}, nil) // sender lookup
 
 	keyStore := NewMockRoomKeyProvider(ctrl)
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 	evt := model.MessageEvent{
 		Event:  model.EventCreated,
 		SiteID: "site-a",
@@ -583,7 +583,7 @@ func TestHandler_HandleMessage_ChannelRoom_Encryption(t *testing.T) {
 		store.EXPECT().GetRoomMeta(gomock.Any(), "room-1").Return(metaOf(testChannelRoom), nil)
 		us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return(nil, nil)
 
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hello", msgTime))
 		require.Error(t, err)
 		assert.ErrorIs(t, err, errNoCurrentKey)
@@ -603,7 +603,7 @@ func TestHandler_HandleMessage_ChannelRoom_Encryption(t *testing.T) {
 		store.EXPECT().GetRoomMeta(gomock.Any(), "room-1").Return(metaOf(testChannelRoom), nil)
 		us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return(nil, nil)
 
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hello", msgTime))
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "get room key")
@@ -625,7 +625,7 @@ func TestHandler_HandleMessage_ChannelRoom_Encryption(t *testing.T) {
 		store.EXPECT().GetRoomMeta(gomock.Any(), "room-1").Return(metaOf(testChannelRoom), nil)
 		us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return([]model.User{{ID: "u-sender", Account: "sender", EngName: "Sender Lin", ChineseName: "寄件者", SiteID: "site-a"}}, nil)
 
-		h := NewHandler(store, us, pub, keyStore, true)
+		h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 		err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", "hello", msgTime))
 		require.NoError(t, err)
 
@@ -650,7 +650,7 @@ func TestHandler_HandleMessage_ChannelRoom_Encryption(t *testing.T) {
 		var env roomcrypto.EncryptedMessage
 		require.NoError(t, json.Unmarshal(evt.EncryptedMessage, &env))
 		assert.Equal(t, key.Version, env.Version)
-		assert.NotEmpty(t, env.EphemeralPublicKey)
+		assert.Empty(t, env.EphemeralPublicKey, "HKDF-only scheme does not use ephemeral public key")
 		assert.NotEmpty(t, env.Nonce)
 		assert.NotEmpty(t, env.Ciphertext)
 
@@ -706,7 +706,7 @@ func TestHandler_FetchAndUpdateRoom_Missing(t *testing.T) {
 		Return(fmt.Errorf("update room last message ghost-room: %w", mongo.ErrNoDocuments))
 
 	keyStore := NewMockRoomKeyProvider(ctrl)
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 
 	err := h.HandleMessage(context.Background(), makeMessageEvent("ghost-room", "hello", msgTime))
 	require.Error(t, err)
@@ -744,7 +744,7 @@ func TestHandleUpdated_ChannelRoomScopedPublish(t *testing.T) {
 	data, err := json.Marshal(&evt)
 	require.NoError(t, err)
 
-	h := NewHandler(store, us, pub, keyStore, false)
+	h := NewHandler(store, us, pub, keyStore, false, roomcrypto.NewEncoder())
 	require.NoError(t, h.HandleMessage(context.Background(), data))
 
 	require.Len(t, pub.records, 1, "channel: single room-scoped publish")
@@ -792,7 +792,7 @@ func TestHandleUpdated_EncryptedChannel_EncryptsContent(t *testing.T) {
 	data, err := json.Marshal(&evt)
 	require.NoError(t, err)
 
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 	require.NoError(t, h.HandleMessage(context.Background(), data))
 
 	require.Len(t, pub.records, 1, "channel: single room-scoped publish")
@@ -828,7 +828,7 @@ func TestHandleUpdated_MissingEditedAt_ReturnsError(t *testing.T) {
 	data, err := json.Marshal(&evt)
 	require.NoError(t, err)
 
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 	err = h.HandleMessage(context.Background(), data)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "missing EditedAt")
@@ -863,7 +863,7 @@ func TestHandleDeleted_ChannelRoomScopedPublish(t *testing.T) {
 	data, err := json.Marshal(&evt)
 	require.NoError(t, err)
 
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 	require.NoError(t, h.HandleMessage(context.Background(), data))
 
 	require.Len(t, pub.records, 1, "channel: single room-scoped publish")
@@ -898,7 +898,7 @@ func TestHandleDeleted_MissingUpdatedAt_ReturnsError(t *testing.T) {
 	data, err := json.Marshal(&evt)
 	require.NoError(t, err)
 
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 	err = h.HandleMessage(context.Background(), data)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "missing UpdatedAt")
@@ -940,7 +940,7 @@ func TestHandleUpdated_DMRoom_FansOutToBothMembers(t *testing.T) {
 	data, err := json.Marshal(&evt)
 	require.NoError(t, err)
 
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 	require.NoError(t, h.HandleMessage(context.Background(), data))
 
 	require.Len(t, pub.records, 2, "per-user fan-out: one publish per DM member")
@@ -996,7 +996,7 @@ func TestHandleDeleted_DMRoom_FansOutToBothMembers(t *testing.T) {
 	data, err := json.Marshal(&evt)
 	require.NoError(t, err)
 
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 	require.NoError(t, h.HandleMessage(context.Background(), data))
 
 	require.Len(t, pub.records, 2, "per-user fan-out: one publish per DM member")
@@ -1053,7 +1053,7 @@ func TestHandleUpdated_BotDMRoom_SkipsBotAccount(t *testing.T) {
 	data, err := json.Marshal(&evt)
 	require.NoError(t, err)
 
-	h := NewHandler(store, us, pub, keyStore, true)
+	h := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 	require.NoError(t, h.HandleMessage(context.Background(), data))
 
 	require.Len(t, pub.records, 1, "botDM: only the human recipient gets the live event")
@@ -1109,7 +1109,7 @@ func TestHandler_HandleMessage_ChannelEncryptionDisabled(t *testing.T) {
 			us.EXPECT().FindUsersByAccounts(gomock.Any(), []string{"sender"}).Return([]model.User{senderUser}, nil)
 
 			// nil keyStore — handler must NOT dereference it when encrypt=false
-			h := NewHandler(store, us, pub, nil, false)
+			h := NewHandler(store, us, pub, nil, false, roomcrypto.NewEncoder())
 			err := h.HandleMessage(context.Background(), makeMessageEvent("room-1", tc.content, msgTime))
 			require.NoError(t, err)
 

broadcast-worker/integration_test.go

@@ -15,6 +15,7 @@ import (
 	"go.mongodb.org/mongo-driver/v2/mongo"
 
 	"github.com/hmchangw/chat/pkg/model"
+	"github.com/hmchangw/chat/pkg/roomcrypto"
 	"github.com/hmchangw/chat/pkg/roomkeystore"
 	"github.com/hmchangw/chat/pkg/subject"
 	"github.com/hmchangw/chat/pkg/testutil"
@@ -82,7 +83,7 @@ func TestBroadcastWorker_ChannelRoom_Integration(t *testing.T) {
 	pub := &recordingPublisher{}
 	key := testRoomKey(t)
 	keyStore := &fakeRoomKeyProvider{pair: key}
-	handler := NewHandler(store, us, pub, keyStore, true)
+	handler := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 
 	msgTime := time.Now().UTC().Truncate(time.Millisecond)
 	evt := model.MessageEvent{
@@ -128,7 +129,7 @@ func TestBroadcastWorker_ChannelRoom_MentionAll_Integration(t *testing.T) {
 	pub := &recordingPublisher{}
 	key := testRoomKey(t)
 	keyStore := &fakeRoomKeyProvider{pair: key}
-	handler := NewHandler(store, us, pub, keyStore, true)
+	handler := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 
 	msgTime := time.Now().UTC().Truncate(time.Millisecond)
 	evt := model.MessageEvent{
@@ -168,7 +169,7 @@ func TestBroadcastWorker_ChannelRoom_IndividualMention_Integration(t *testing.T)
 	pub := &recordingPublisher{}
 	key := testRoomKey(t)
 	keyStore := &fakeRoomKeyProvider{pair: key}
-	handler := NewHandler(store, us, pub, keyStore, true)
+	handler := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 
 	msgTime := time.Now().UTC().Truncate(time.Millisecond)
 	evt := model.MessageEvent{
@@ -218,7 +219,7 @@ func TestBroadcastWorker_DMRoom_Integration(t *testing.T) {
 	us := userstore.NewMongoStore(db.Collection("users"))
 	pub := &recordingPublisher{}
 	keyStore := &fakeRoomKeyProvider{pair: nil}
-	handler := NewHandler(store, us, pub, keyStore, true)
+	handler := NewHandler(store, us, pub, keyStore, true, roomcrypto.NewEncoder())
 
 	msgTime := time.Now().UTC().Truncate(time.Millisecond)
 	evt := model.MessageEvent{
@@ -280,7 +281,7 @@ func TestBroadcastWorker_ChannelRoom_EncryptionDisabled_Integration(t *testing.T
 	pub := &recordingPublisher{}
 
 	// nil keyStore — encryption is disabled, handler must not consult it
-	handler := NewHandler(store, us, pub, nil, false)
+	handler := NewHandler(store, us, pub, nil, false, roomcrypto.NewEncoder())
 
 	msgTime := time.Now().UTC().Truncate(time.Millisecond)
 	evt := model.MessageEvent{
@@ -331,7 +332,7 @@ func TestBroadcastWorker_PersistsLastMessage_Integration(t *testing.T) {
 	require.NoError(t, err)
 
 	pub := &recordingPublisher{}
-	h := NewHandler(cached, userstore.NewMongoStore(db.Collection("users")), pub, &fakeRoomKeyProvider{}, false)
+	h := NewHandler(cached, userstore.NewMongoStore(db.Collection("users")), pub, &fakeRoomKeyProvider{}, false, roomcrypto.NewEncoder())
 
 	msgTime := time.Date(2026, 5, 18, 12, 0, 0, 0, time.UTC)
 	evt := model.MessageEvent{

broadcast-worker/main.go

@@ -17,6 +17,7 @@ import (
 	"github.com/hmchangw/chat/pkg/mongoutil"
 	"github.com/hmchangw/chat/pkg/natsutil"
 	"github.com/hmchangw/chat/pkg/otelutil"
+	"github.com/hmchangw/chat/pkg/roomcrypto"
 	"github.com/hmchangw/chat/pkg/roomkeystore"
 	"github.com/hmchangw/chat/pkg/shutdown"
 	"github.com/hmchangw/chat/pkg/stream"
@@ -43,6 +44,7 @@ type config struct {
 	ValkeyAddr           string                  `env:"VALKEY_ADDR"`
 	ValkeyPassword       string                  `env:"VALKEY_PASSWORD"           envDefault:""`
 	ValkeyKeyGracePeriod time.Duration           `env:"VALKEY_KEY_GRACE_PERIOD" envDefault:"24h"`
+	RoomCryptoCacheSize  int                     `env:"ROOM_CRYPTO_CACHE_SIZE" envDefault:"4096"`
 	Consumer             stream.ConsumerSettings `envPrefix:"CONSUMER_"`
 	Bootstrap            bootstrapConfig         `envPrefix:"BOOTSTRAP_"`
 	Encryption           encryptionConfig        `envPrefix:"ENCRYPTION_"`
@@ -130,8 +132,10 @@ func main() {
 		os.Exit(1)
 	}
 
+	encoder := roomcrypto.NewEncoder(roomcrypto.WithMaxCacheEntries(cfg.RoomCryptoCacheSize))
+	slog.Info("roomcrypto-encoder-cache enabled", "size", cfg.RoomCryptoCacheSize)
 	publisher := &natsPublisher{nc: nc}
-	handler := NewHandler(cachedStore, us, publisher, keyStore, cfg.Encryption.Enabled)
+	handler := NewHandler(cachedStore, us, publisher, keyStore, cfg.Encryption.Enabled, encoder)
 
 	iter, err := cons.Messages(jetstream.PullMaxMessages(2 * cfg.MaxWorkers))
 	if err != nil {

broadcast-worker/testhelpers_test.go

@@ -19,6 +19,9 @@ import (
 	"github.com/hmchangw/chat/pkg/roomkeystore"
 )
 
+// hkdfInfo is the HKDF info string used by the Encoder (HKDF-only scheme).
+const hkdfInfo = "room-message-encryption-v2"
+
 func testRoomKey(t *testing.T) *roomkeystore.VersionedKeyPair {
 	t.Helper()
 	priv, err := ecdh.P256().GenerateKey(rand.Reader)
@@ -33,20 +36,9 @@ func testRoomKey(t *testing.T) *roomkeystore.VersionedKeyPair {
 }
 
 func decryptForTest(env *roomcrypto.EncryptedMessage, roomPrivateKey []byte) (string, error) {
-	privKey, err := ecdh.P256().NewPrivateKey(roomPrivateKey)
-	if err != nil {
-		return "", fmt.Errorf("parse room private key: %w", err)
-	}
-	ephPubKey, err := ecdh.P256().NewPublicKey(env.EphemeralPublicKey)
-	if err != nil {
-		return "", fmt.Errorf("parse ephemeral public key: %w", err)
-	}
-	sharedSecret, err := privKey.ECDH(ephPubKey)
-	if err != nil {
-		return "", fmt.Errorf("ecdh: %w", err)
-	}
+	// New HKDF-only scheme: derive AES key directly from the room private key.
 	aesKey := make([]byte, 32)
-	hkdfReader := hkdf.New(sha256.New, sharedSecret, nil, []byte("room-message-encryption"))
+	hkdfReader := hkdf.New(sha256.New, roomPrivateKey, nil, []byte(hkdfInfo))
 	if _, err := io.ReadFull(hkdfReader, aesKey); err != nil {
 		return "", fmt.Errorf("hkdf: %w", err)
 	}