@thecrossroads42/crypto-identity

Per-user asymmetric identity for multi-owner (shared) records — the sharing layer over the symmetric audit kit (@thecrossroads42/crypto).

The kit is symmetric-only: one per-account content key (CEK), with no way to share a key with another user (you can't hand someone the CEK — it unlocks the whole account). This module adds the missing primitive: a per-user identity keypair so a per-resource content key can be wrapped to a recipient's public key, offline, with the server never seeing a secret.

Primitives

• generateIdentity() → an X25519 encryption keypair + an Ed25519 signing keypair (public keys for the directory; secret keys to be wrapped under the account's existing unlock tier, exactly as the kit wraps the CEK).
• seal(plaintext, recipientEncPublicKey) / unseal(sealed, recipientEncSecretKey) — wrap a small secret (e.g. a visit DEK) to a recipient. Anonymous-sender ECIES: fresh ephemeral X25519 keypair per seal → ECDH → HKDF-SHA256 (bound to both public keys) → AES-256-GCM. The sender needs only the recipient's public key, so access can be granted while the recipient is offline.
• sign(message, sigSecretKey) / verify(message, signature, sigPublicKey) — Ed25519 authorship signatures. A shared visit key alone lets either holder forge a record indistinguishably; a signature pins who actually authored a contribution.

Trust model

Asymmetric crypto is @noble/curves (audited, pure-JS); the AEAD is WebCrypto AES-256-GCM (the same surface as the kit, so it runs in the browser, on React Native/Hermes via the kit's polyfill, and in Node 20+). Secret keys never leave the client unwrapped; only public keys are published.

Run npm test (node identity.mjs) for the round-trip proof.

Status: new layer, not part of the byte-frozen kit — separately auditable, to be frozen when it stabilizes. See todo/multi-user-spec.md ("Crypto v2").