@Ansonhkg Ansonhkg commented Dec 9, 2025

Related PRs

WHAT

Wrapped-keys now supports updating a stored key and fetching version history (includeVersions=true)

  • Add a wrapped key update e2e test and register it in the local test runner.
  • Wire a new updateEncryptedKey API (PUT /encrypted/{pkpAddress}/{id}) through the SDK exports, service client, and types, including optional includeVersions on getEncryptedKey.
  • Expose updatedAt/versions in stored key metadata to support opt-in versioned reads.

USAGE

```ts
// BEFORE
const key = await getEncryptedKey({ pkpSessionSigs, litNodeClient, id }); // no versions

// AFTER
await updateEncryptedKey({ pkpSessionSigs, litNodeClient, id, ciphertext, memo: 'rotated memo' });
const keyWithVersions = await getEncryptedKey({ pkpSessionSigs, litNodeClient, id, includeVersions: true });
console.log(keyWithVersions.versions?.length); // previous snapshots available
```

TEST

RUN_IN_BAND=true NETWORK=datil-dev yarn test:local --filter=testUpdateWrappedKey

```
1. Fetch PKP session sigs
2. Generate a wrapped key
{
  id: '209eb062-ca2e-4b3e-8f07-11a397858130',
  pkpAddress: '0x3B60fB6f94Ff34605C5d7eddA0eE522FE006e353'
}
3. Fetch initial encrypted key (without versions)
{
  getEncryptedKeyFirst: {
    ciphertext: 'qIfeMQMqhhUytXKaZQjlB2qI4plNC1a3f5oq2iNTl3UO27pKHl2HT4fI2XTzcBBlcKl4NcLRjqDeXhqaoaUoxk2s5KiKHfb5AN8i1nRunm1HhqkibHuBL5ItMF5wPcsK4EKFaOA162po683nzCEAbxjnFe/YNWIo9v2Z2vHZnGRXblADeyax2wZWyuGBjE6whI04O8Ryo00C',
    dataToEncryptHash: 'bb1fd8e2d0e683d02f11b830bf39f2900f7e89a3f432510f2ce7a06ae0bbdcca',
    id: '209eb062-ca2e-4b3e-8f07-11a397858130',
    keyType: 'K256',
    memo: 'Test update key',
    pkpAddress: '0x3B60fB6f94Ff34605C5d7eddA0eE522FE006e353',
    publicKey: '0x04b374212a751379ac7b4c4b9d6fd55f851238cea64d5bfa5f9b97c16a4c0c678ff8e8fe044c3955a8f3ec7fadf23fafcaa736909fdc4dd8955f47d0600f6bcd97',
    litNetwork: 'datil-dev'
  }
}
4. Update encrypted key with new ciphertext/memo
{
  updateEncryptedKeyFirst: {
    id: '209eb062-ca2e-4b3e-8f07-11a397858130',
    pkpAddress: '0x3B60fB6f94Ff34605C5d7eddA0eE522FE006e353',
    updatedAt: '2025-12-09T21:40:09.764Z'
  }
}
5. Second update to generate another version
{
  updateEncryptedKeySecond: {
    id: '209eb062-ca2e-4b3e-8f07-11a397858130',
    pkpAddress: '0x3B60fB6f94Ff34605C5d7eddA0eE522FE006e353',
    updatedAt: '2025-12-09T21:40:10.003Z'
  }
}
6. Fetch updated key including versions
{
  getEncryptedKeyUpdated: {
    ciphertext: 'bhU+1fzvcnFsTNVCHZ4wvBs+jXoWkgD6GZratrgPETLBCOpKXsIX8/Bx+855uoNL',
    dataToEncryptHash: 'bb1fd8e2d0e683d02f11b830bf39f2900f7e89a3f432510f2ce7a06ae0bbdcca',
    id: '209eb062-ca2e-4b3e-8f07-11a397858130',
    keyType: 'K256',
    memo: 'rotated memo v2',
    pkpAddress: '0x3B60fB6f94Ff34605C5d7eddA0eE522FE006e353',
    publicKey: '0x04b374212a751379ac7b4c4b9d6fd55f851238cea64d5bfa5f9b97c16a4c0c678ff8e8fe044c3955a8f3ec7fadf23fafcaa736909fdc4dd8955f47d0600f6bcd97',
    litNetwork: 'datil-dev',
    updatedAt: '2025-12-09T21:40:10.003Z',
    versions: [ [Object], [Object] ]
  }
}
testUpdateWrappedKey - Passed (7370.93 ms)
```

DynamoDB Results

Command

```sh
aws-vault exec lit-wrappedkeys-testnetworks -- aws dynamodb get-item \
  --table-name EncryptedPrivateKeyMetadataByPkp \
  --key '{
    "identity": {"S": "PKP_ADDRESS#0xC4987AF8b7294Bcb93bd62e4F787db50bB256A66"},
    "id": {"S": "d9502373-25a4-4cb5-bea2-c03bddb8d2b8"}
  }' --output json
```

Results

```json
{
  "Item": {
    "ciphertext": { "S": "/NYaoZpg3sSN12TLGyKVFmy7H1vO7nu3U+9SC02WwxZJab7XZvcw+foNHeRWnph/" },
    "dataToEncryptHash": { "S": "052590aad08d89922d6d509024b15bab2ea6112bbe3329945d99300746f23b97" },
    "pkpAddress": { "S": "0xC4987AF8b7294Bcb93bd62e4F787db50bB256A66" },
    "keyType": { "S": "K256" },
    "id": { "S": "d9502373-25a4-4cb5-bea2-c03bddb8d2b8" },
    "litNetwork": { "S": "datil-dev" },
    "updatedAt": { "S": "2025-12-09T21:29:36.021Z" },
    "identity": { "S": "PKP_ADDRESS#0xC4987AF8b7294Bcb93bd62e4F787db50bB256A66" },
    "memo": { "S": "rotated memo v2" },
    "publicKey": { "S": "0x041c4b210b24e4788131e01fb66af5590b75cf002bd67872c78622102a5c932fbd7e765fc816385120c02f6acdf618d14a94165cf530322228a510d57f34fb4163" },
    "versions": {
      "L": [
        {
          "M": {
            "dataToEncryptHash": { "S": "052590aad08d89922d6d509024b15bab2ea6112bbe3329945d99300746f23b97" },
            "ciphertext": { "S": "pnJjZGc4LicMgf3Qvpg9G+0qM4EW4HA5soHjbf5EjxXpwePecunwxPM0Na4teBnwK/wd3Od1AwxXLFyLyKcEzGDFe5oufS9A3l3u2C0qt1lHJ5bnCqlh/yURaDTrCBPu71GRD+xz8gLZV9X+BTbL2V46l8GlOuTjXzAbnpdK1OS6xXcq/wrEH0EnJuJ+qRpA9EuZkfMJndkC" },
            "litNetwork": { "S": "datil-dev" },
            "memo": { "S": "Test update key" },
            "id": { "S": "d9502373-25a4-4cb5-bea2-c03bddb8d2b8" },
            "publicKey": { "S": "0x041c4b210b24e4788131e01fb66af5590b75cf002bd67872c78622102a5c932fbd7e765fc816385120c02f6acdf618d14a94165cf530322228a510d57f34fb4163" },
            "keyType": { "S": "K256" },
            "updatedAt": { "S": "2025-12-09T21:29:35.784Z" }
          }
        },
        {
          "M": {
            "dataToEncryptHash": { "S": "052590aad08d89922d6d509024b15bab2ea6112bbe3329945d99300746f23b97" },
            "ciphertext": { "S": "/+/lyOgNfQ4f057pSGBCqe6hXAlHV+aMdURG+bQMT9u1KcnxAHsYLVjo/rFQBDMw" },
            "litNetwork": { "S": "datil-dev" },
            "memo": { "S": "rotated memo" },
            "id": { "S": "d9502373-25a4-4cb5-bea2-c03bddb8d2b8" },
            "publicKey": { "S": "0x041c4b210b24e4788131e01fb66af5590b75cf002bd67872c78622102a5c932fbd7e765fc816385120c02f6acdf618d14a94165cf530322228a510d57f34fb4163" },
            "keyType": { "S": "K256" },
            "updatedAt": { "S": "2025-12-09T21:29:35.784Z" }
          }
        }
      ]
    }
  }
}
```
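An added example, not part of the PR or the SDK: a consistency audit over the `versions` array returned when `includeVersions` is true. It assumes, because `updateEncryptedKey` above takes only `ciphertext` and `memo` and the outputs show the other fields unchanged, that `id`, `keyType`, `publicKey` and `dataToEncryptHash` should match the current record in every snapshot; `auditVersionHistory` and the sample records are hypothetical names and constructed data.

```javascript
// Added example, not code from the PR. Field names follow the test output
// above; the invariants checked are this example's assumptions.
const INVARIANT_FIELDS = ['id', 'keyType', 'publicKey', 'dataToEncryptHash'];

// Returns a list of findings; an empty list means the history is consistent.
function auditVersionHistory(key) {
  const findings = [];
  let previous = -Infinity;
  (key.versions ?? []).forEach((v, i) => {
    for (const field of INVARIANT_FIELDS) {
      if (v[field] !== key[field]) {
        findings.push(`versions[${i}].${field} differs from the current record`);
      }
    }
    const t = Date.parse(v.updatedAt);
    if (Number.isNaN(t)) {
      findings.push(`versions[${i}].updatedAt is not a timestamp`);
    } else {
      if (t < previous) findings.push(`versions[${i}] is older than the snapshot before it`);
      previous = t;
    }
  });
  // A key that was never updated has no versions and no updatedAt: nothing to compare.
  const current = Date.parse(key.updatedAt);
  if (previous !== -Infinity && (Number.isNaN(current) || current < previous)) {
    findings.push('current updatedAt is missing or older than its newest snapshot');
  }
  return findings;
}

// Constructed sample shaped like the getEncryptedKeyUpdated output (values shortened).
const snapshot = (ciphertext, updatedAt) => ({
  id: 'key-1', keyType: 'K256', publicKey: '0x04aa', dataToEncryptHash: 'hash-1',
  ciphertext, updatedAt,
});
const consistentKey = {
  ...snapshot('ct-3', '2025-12-09T21:40:10.003Z'),
  versions: [
    snapshot('ct-1', '2025-12-09T21:40:09.764Z'),
    snapshot('ct-2', '2025-12-09T21:40:09.764Z'),
  ],
};
// Constructed inconsistent record: one snapshot carries a different public key.
const tamperedKey = {
  ...consistentKey,
  versions: [{ ...consistentKey.versions[0], publicKey: '0x04bb' }, consistentKey.versions[1]],
};
console.log(auditVersionHistory(consistentKey), auditVersionHistory(tamperedKey));
```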
# WHAT
- Add a wrapped key update e2e test and register it in Tinny.
- Wire a new updateEncryptedKey API (PUT /encrypted/{pkpAddress}/{id}) through the SDK exports, service client, and types, including optional includeVersions on getEncryptedKey and the WrappedKeyVersion typing.
- Expose updatedAt/versions in stored key metadata to support opt-in versioned reads.

Copilot AI review requested due to automatic review settings December 9, 2025 21:28

Copilot AI left a comment


Pull request overview

This PR adds support for updating wrapped keys and fetching version history. The feature allows clients to update encrypted keys while preserving previous versions, enabling key rotation workflows. The implementation follows existing patterns in the wrapped-keys package with proper type safety and comprehensive test coverage.

Key Changes

  • Added updateEncryptedKey API function that updates a key and preserves previous state as a version
  • Extended getEncryptedKey with optional includeVersions parameter to retrieve version history
  • Introduced WrappedKeyVersion, UpdateEncryptedKeyParams, and UpdateEncryptedKeyResult types to support versioning

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| packages/wrapped-keys/src/lib/types.ts | Added type definitions for update operations and version history including UpdateEncryptedKeyParams, UpdateEncryptedKeyResult, WrappedKeyVersion, and extended existing types with version-related fields |
| packages/wrapped-keys/src/lib/service-client/types.ts | Added UpdateKeyParams interface and updated BaseRequestParams to support PUT method for updates; added includeVersions to FetchKeyParams |
| packages/wrapped-keys/src/lib/service-client/client.ts | Implemented updatePrivateKey function for PUT requests and added query parameter support for version history in fetchPrivateKey |
| packages/wrapped-keys/src/lib/service-client/index.ts | Exported new updatePrivateKey function |
| packages/wrapped-keys/src/lib/api/update-encrypted-key.ts | New API layer function that wraps service client and handles session signature extraction |
| packages/wrapped-keys/src/lib/api/get-encrypted-key.ts | Added includeVersions parameter passthrough to service client |
| packages/wrapped-keys/src/lib/api/index.ts | Exported updateEncryptedKey function |
| packages/wrapped-keys/src/index.ts | Added package-level exports for new types and functions |
| local-tests/tests/wrapped-keys/testUpdateWrappedKey.ts | Comprehensive E2E test covering update flow and version history validation |
| local-tests/test.ts | Registered new test in test suite |
| .github/workflows/release-docker-images.yml | Added explorer to Docker image build matrix (unrelated to wrapped-keys feature) |


*/
export type GetEncryptedKeyDataParams = BaseApiParams & {
id: string;
includeVersions?: boolean;
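
Review bot: `includeVersions?: boolean;` at the end of this excerpt is optional, but nothing in the visible lines says what an omitted value means. State in the JSDoc for GetEncryptedKeyDataParams what the response contains when the flag is left unset, so callers can tell that versioned reads have to be requested explicitly.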

Copilot AI Dec 9, 2025


The new includeVersions property added to GetEncryptedKeyDataParams is not documented in the JSDoc comment above. The existing documentation should be updated to include this new optional property.

Add to the JSDoc comment:

 * @property { boolean } [includeVersions] Optional flag to include version history in the response

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
