first pass at fetching dag data, we'll see

Author: tylerccarson

keeperapi/package.json

@@ -10,8 +10,8 @@
   "scripts": {
     "start": "rollup -cw",
     "build": "node ./scripts/cleanDistFolder.js && rollup -c && cp src/proto.d.ts dist",
-    "update-proto:es6": "pbjs -t static-module -w es6 -o src/proto.js ../../keeperapp-protobuf/APIRequest.proto ../../keeperapp-protobuf/AccountSummary.proto ../../keeperapp-protobuf/automator.proto ../../keeperapp-protobuf/breachwatch.proto ../../keeperapp-protobuf/client.proto ../../keeperapp-protobuf/externalservice.proto ../../keeperapp-protobuf/folder.proto ../../keeperapp-protobuf/push.proto ../../keeperapp-protobuf/record.proto ../../keeperapp-protobuf/servicelogger.proto ../../keeperapp-protobuf/ssocloud.proto ../../keeperapp-protobuf/token.proto ../../keeperapp-protobuf/upsell.proto ../../keeperapp-protobuf/SyncDown.proto ../../keeperapp-protobuf/BI.proto && pbts -o src/proto.d.ts src/proto.js",
-    "update-proto:cjs": "pbjs -t json-module -w commonjs -o src/proto.js ../../keeperapp-protobuf/APIRequest.proto ../../keeperapp-protobuf/AccountSummary.proto ../../keeperapp-protobuf/automator.proto ../../keeperapp-protobuf/breachwatch.proto ../../keeperapp-protobuf/client.proto ../../keeperapp-protobuf/externalservice.proto ../../keeperapp-protobuf/folder.proto ../../keeperapp-protobuf/push.proto ../../keeperapp-protobuf/record.proto ../../keeperapp-protobuf/servicelogger.proto ../../keeperapp-protobuf/ssocloud.proto ../../keeperapp-protobuf/token.proto ../../keeperapp-protobuf/upsell.proto ../../keeperapp-protobuf/SyncDown.proto && pbjs -t static-module -w commonjs ../../keeperapp-protobuf/APIRequest.proto ../../keeperapp-protobuf/AccountSummary.proto ../../keeperapp-protobuf/automator.proto ../../keeperapp-protobuf/breachwatch.proto ../../keeperapp-protobuf/client.proto ../../keeperapp-protobuf/externalservice.proto ../../keeperapp-protobuf/folder.proto ../../keeperapp-protobuf/push.proto ../../keeperapp-protobuf/record.proto ../../keeperapp-protobuf/servicelogger.proto ../../keeperapp-protobuf/ssocloud.proto ../../keeperapp-protobuf/token.proto ../../keeperapp-protobuf/upsell.proto ../../keeperapp-protobuf/SyncDown.proto ../../keeperapp-protobuf/BI.proto | pbts -o src/proto.d.ts -",
+    "update-proto:es6": "pbjs -t static-module -w es6 -o src/proto.js ../../keeperapp-protobuf/APIRequest.proto ../../keeperapp-protobuf/AccountSummary.proto ../../keeperapp-protobuf/automator.proto ../../keeperapp-protobuf/breachwatch.proto ../../keeperapp-protobuf/client.proto ../../keeperapp-protobuf/externalservice.proto ../../keeperapp-protobuf/folder.proto ../../keeperapp-protobuf/push.proto ../../keeperapp-protobuf/record.proto ../../keeperapp-protobuf/servicelogger.proto ../../keeperapp-protobuf/ssocloud.proto ../../keeperapp-protobuf/token.proto ../../keeperapp-protobuf/upsell.proto ../../keeperapp-protobuf/SyncDown.proto ../../keeperapp-protobuf/BI.proto ../../keeperapp-protobuf/router.proto && pbts -o src/proto.d.ts src/proto.js",
+    "update-proto:cjs": "pbjs -t json-module -w commonjs -o src/proto.js ../../keeperapp-protobuf/APIRequest.proto ../../keeperapp-protobuf/AccountSummary.proto ../../keeperapp-protobuf/automator.proto ../../keeperapp-protobuf/breachwatch.proto ../../keeperapp-protobuf/client.proto ../../keeperapp-protobuf/externalservice.proto ../../keeperapp-protobuf/folder.proto ../../keeperapp-protobuf/push.proto ../../keeperapp-protobuf/record.proto ../../keeperapp-protobuf/servicelogger.proto ../../keeperapp-protobuf/ssocloud.proto ../../keeperapp-protobuf/token.proto ../../keeperapp-protobuf/upsell.proto ../../keeperapp-protobuf/SyncDown.proto ../../keeperapp-protobuf/router.proto && pbjs -t static-module -w commonjs ../../keeperapp-protobuf/APIRequest.proto ../../keeperapp-protobuf/AccountSummary.proto ../../keeperapp-protobuf/automator.proto ../../keeperapp-protobuf/breachwatch.proto ../../keeperapp-protobuf/client.proto ../../keeperapp-protobuf/externalservice.proto ../../keeperapp-protobuf/folder.proto ../../keeperapp-protobuf/push.proto ../../keeperapp-protobuf/record.proto ../../keeperapp-protobuf/servicelogger.proto ../../keeperapp-protobuf/ssocloud.proto ../../keeperapp-protobuf/token.proto ../../keeperapp-protobuf/upsell.proto ../../keeperapp-protobuf/SyncDown.proto ../../keeperapp-protobuf/BI.proto ../../keeperapp-protobuf/router.proto | pbts -o src/proto.d.ts -",
     "test": "jest",
     "types": "tsc --watch",
     "types:ci": "tsc",

keeperapi/src/auth.ts

@@ -1121,6 +1121,10 @@ export class Auth {
         return this.endpoint.executeRest(message, this._sessionToken, options);
     }
 
+    async executeRouterRest<TIn, TOut>(message: RestMessage<TIn, TOut>): Promise<TOut> {
+        return this.endpoint.executeRouterRest(message, this._sessionToken);
+    }
+
     async executeRestCommand<Request, Response>(command: RestCommand<Request, Response>): Promise<Response> {
         if (!command.baseRequest.username) {
             command.baseRequest.username = this._username;

keeperapi/src/browser/index.ts

@@ -11,6 +11,7 @@ export * from "../platform";
 export * from "../proto";
 export * from "../cryptoWorker";
 export * from "../qrc";
+export * from "../pam";
 import {connectPlatform} from "../platform";
 import {browserPlatform} from "./platform";
 

keeperapi/src/endpoint.ts

@@ -1,10 +1,11 @@
 import {KeeperError} from './configuration'
-import {Authentication, Push, SsoCloud} from './proto'
+import {Authentication, Push, Router, SsoCloud} from './proto'
 import {platform} from './platform'
 import {
     formatTimeDiff,
     generateTransmissionKey,
     generateHpkeTransmissionKey,
+    getKeeperRouterUrl,
     getKeeperUrl,
     isTwoFactorResultCode, log,
     normal64Bytes,
@@ -167,6 +168,36 @@ export class KeeperEndpoint {
         return this.executeRestInternal(message, sessionToken)
     }
 
+    /**
+     * Executes a request against the PAM router endpoint.
+     * Unlike the standard Keeper API, the router uses header-based auth (EC-only, no HPKE):
+     *   TransmissionKey: base64(eciesEncrypt(transmissionKey, serverPublicKey))
+     *   Authorization: KeeperUser base64(aesGcmEncrypt(sessionTokenBytes, transmissionKey))
+     * The request body is the raw AES-GCM-encrypted protobuf (no ApiRequest wrapper).
+     * The response is a Router.RouterResponse protobuf with an encrypted payload.
+     */
+    async executeRouterRest<TIn, TOut>(message: RestMessage<TIn, TOut>, sessionToken: string): Promise<TOut> {
+        const transmissionKey = await this.getTransmissionKey()
+        const sessionTokenBytes = normal64Bytes(sessionToken)
+        const encryptedSessionToken = await platform.aesGcmEncrypt(sessionTokenBytes, transmissionKey.key)
+        const encryptedPayload = await platform.aesGcmEncrypt(message.toBytes(), transmissionKey.key)
+        const headers = {
+            'TransmissionKey': platform.bytesToBase64(transmissionKey.ecEncryptedKey),
+            'Authorization': `KeeperUser ${platform.bytesToBase64(encryptedSessionToken)}`
+        }
+        const url = getKeeperRouterUrl(this.options.host, message.path)
+        const response = await platform.post(url, encryptedPayload, headers)
+        if (!response.data || response.data.length === 0) {
+            throw new Error(`Empty response from router for ${message.path}`)
+        }
+        const routerResponse = Router.RouterResponse.decode(response.data)
+        if (!routerResponse.encryptedPayload || routerResponse.encryptedPayload.length === 0) {
+            throw new Error(`Router error for ${message.path}: [${routerResponse.responseCode}] ${routerResponse.errorMessage}`)
+        }
+        const decryptedPayload = await platform.aesGcmDecrypt(routerResponse.encryptedPayload, transmissionKey.key)
+        return message.fromBytes(decryptedPayload)
+    }
+
     private async executeRestInternal<TIn, TOut>(message: RestInMessage<TIn> | RestOutMessage<TOut> | RestMessage<TIn, TOut> | RestActionMessage, sessionToken?: string, options?: ExecuteRestOptions): Promise<TOut | void> {
         this._transmissionKey = await this.getTransmissionKey()
         while (true) {

keeperapi/src/node/index.ts

@@ -11,6 +11,7 @@ export * from "../platform";
 export * from "../proto";
 export * from "../cryptoWorker";
 export * from "../qrc";
+export * from "../pam";
 import {connectPlatform} from "../platform";
 import {nodePlatform} from "./platform";
 

keeperapi/src/pam.ts

@@ -0,0 +1,109 @@
+import {Auth} from './auth'
+import {GraphSync} from './proto'
+import {normal64Bytes, webSafe64FromBytes} from './utils'
+import {pamGetLeafsMessage, pamMultiSyncMessage, pamSyncMessage} from './restMessages'
+
+export type PamDagSyncRequest = {
+    streamId: string
+    syncPoint?: number
+}
+
+/**
+ * Syncs the PAM link DAG for a single record UID.
+ * Resolves the config root via get_leafs, then syncs that stream.
+ * Use this for on-demand per-record syncing.
+ */
+export async function syncDagForPamRecord(
+    auth: Auth,
+    recordUid: string,
+    origin?: Uint8Array
+): Promise<GraphSync.IGraphSyncMultiResult> {
+    const recordUidBytes = normal64Bytes(recordUid)
+    const leafsResult = await auth.executeRouterRest(pamGetLeafsMessage({ vertices: [recordUidBytes] }))
+    const refs = leafsResult.refs ?? []
+    if (refs.length === 0) {
+        return { results: [] }
+    }
+    const queries: GraphSync.IGraphSyncQuery[] = refs
+        .filter(ref => ref.value && ref.value.length > 0)
+        .map(ref => ({
+            streamId: ref.value!,
+            origin,
+            syncPoint: 0
+        }))
+    if (queries.length === 0) {
+        return { results: [] }
+    }
+    return auth.executeRouterRest(pamMultiSyncMessage({ queries }))
+}
+
+/**
+ * Syncs the PAM link DAG for a known config root UID.
+ * Use this when the config/network UID is already known.
+ */
+export async function syncPamLinkDagForConfigRoot(
+    auth: Auth,
+    configUid: string,
+    syncPoint: number = 0,
+    origin?: Uint8Array
+): Promise<GraphSync.IGraphSyncResult> {
+    const streamId = normal64Bytes(configUid)
+    return auth.executeRouterRest(pamSyncMessage({ streamId, origin, syncPoint }))
+}
+
+/**
+ * Bulk-loads the PAM link DAG for multiple record UIDs and/or config UIDs.
+ * Resolves config roots for all record UIDs via get_leafs, unions with explicit
+ * configUids, then multi-syncs all streams. Use this for startup bulk loading.
+ */
+export async function loadPamLinkDag(
+    auth: Auth,
+    recordUids: string[],
+    configUids: string[] = [],
+    origin?: Uint8Array
+): Promise<GraphSync.IGraphSyncMultiResult> {
+    const uniqueConfigUidBytes = new Map<string, Uint8Array>()
+
+    if (recordUids.length > 0) {
+        const vertices = recordUids.map(uid => normal64Bytes(uid))
+        const leafsResult = await auth.executeRouterRest(pamGetLeafsMessage({ vertices }))
+        for (const ref of leafsResult.refs ?? []) {
+            if (ref.value && ref.value.length > 0) {
+                const key = webSafe64FromBytes(ref.value)
+                uniqueConfigUidBytes.set(key, ref.value)
+            }
+        }
+    }
+
+    for (const uid of configUids) {
+        const bytes = normal64Bytes(uid)
+        uniqueConfigUidBytes.set(uid, bytes)
+    }
+
+    if (uniqueConfigUidBytes.size === 0) {
+        return { results: [] }
+    }
+
+    const queries: GraphSync.IGraphSyncQuery[] = Array.from(uniqueConfigUidBytes.values()).map(streamId => ({
+        streamId,
+        origin,
+        syncPoint: 0,
+        maxCount: 500
+    }))
+
+    return auth.executeRouterRest(pamMultiSyncMessage({ queries }))
+}
+
+/**
+ * Fetches the config root UIDs (stream IDs) for the given leaf (resource) UIDs.
+ * Returns the raw refs from the router response.
+ */
+export async function getConfigRootsForRecordUids(
+    auth: Auth,
+    recordUids: string[]
+): Promise<GraphSync.IGraphSyncRef[]> {
+    if (recordUids.length === 0) return []
+    const vertices = recordUids.map(uid => normal64Bytes(uid))
+    const result = await auth.executeRouterRest(pamGetLeafsMessage({ vertices }))
+    return result.refs ?? []
+}