Skip to content

[_]: chore/update internxt-crypto dependency to version 1.6.0 and adjust encryption#72

Merged
jzunigax2 merged 2 commits into
masterfrom
feat/crypto-1.6
Jul 16, 2026
Merged

[_]: chore/update internxt-crypto dependency to version 1.6.0 and adjust encryption#72
jzunigax2 merged 2 commits into
masterfrom
feat/crypto-1.6

Conversation

@jzunigax2

Copy link
Copy Markdown
Contributor

Update crypto to v1.6 and adjust accordingly

@jzunigax2
jzunigax2 requested a review from xabg2 as a code owner July 16, 2026 14:52
@jzunigax2
jzunigax2 requested a review from TamaraFinogina July 16, 2026 14:52
@jzunigax2 jzunigax2 self-assigned this Jul 16, 2026
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Changes

Mail encryption v3 migration

Layer / File(s) Summary
Build v3 encryption blocks
package.json, src/services/mail-encryption/index.ts
Crypto dependencies and buildEncryptionBlock now produce v3 ciphertexts for text, preview, and the attachments session key with shared wrapped keys.
Decrypt v3 envelope data
src/services/mail-encryption/index.ts
Decryption selects recipient keys from wrappedKeys and returns decrypted text, preview, or attachments-session-key bytes.
Update encryption contracts and integration tests
src/components/compose-message/hooks/*, src/hooks/mail/useAttachmentsSessionKey.test.tsx, src/services/mail-encryption/index.test.ts, src/services/sdk/mail/mail.service.test.ts
Tests now use and assert the v3 encryption block shape across compose, draft, attachment, encryption-service, and mail-service flows.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Suggested reviewers: tamarafinogina, xabg2, xabg2

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the dependency update and the related encryption adjustments.
Description check ✅ Passed The description is directly related to the crypto version bump and matching encryption changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/crypto-1.6

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install timed out. The project may have too many dependencies for the sandbox.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 16, 2026

Copy link
Copy Markdown

Deploying mail-web with  Cloudflare Pages  Cloudflare Pages

Latest commit: b08cf35
Status: ✅  Deploy successful!
Preview URL: https://d435fa8f.mail-web-ea0.pages.dev
Branch Preview URL: https://feat-crypto-1-6.mail-web-ea0.pages.dev

View logs

@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/services/mail-encryption/index.ts`:
- Around line 105-115: Update decryptForCaller and the related decryption paths
to detect and support v2 envelope shapes in addition to v3, using a
version-specific fallback or equivalent migration path for existing stored mail.
Preserve current v3 behavior and add or retain a v2 regression fixture covering
decryption of legacy envelopes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2e3c677f-4a8f-404d-a393-34b3bf4c2dfd

📥 Commits

Reviewing files that changed from the base of the PR and between 0d747a9 and b08cf35.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (7)
  • package.json
  • src/components/compose-message/hooks/useComposeSend.test.ts
  • src/components/compose-message/hooks/useDraftMessage.test.ts
  • src/hooks/mail/useAttachmentsSessionKey.test.tsx
  • src/services/mail-encryption/index.test.ts
  • src/services/mail-encryption/index.ts
  • src/services/sdk/mail/mail.service.test.ts

Comment on lines +105 to +115
private decryptForCaller(envelope: EncryptionBlock, keypair: HybridKeyPair, address: string) {
const wrapped = this.findKeyFor(envelope.wrappedKeys, address);
return decryptEmailHybrid(
{
encText: envelope.encryptedText,
encPreview: envelope.encryptedPreview,
encAttachmentsSessionKey: envelope.encryptedAttachmentsSessionKey,
},
wrapped,
keypair.secretKey,
);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== AGENTS.md ==\n'
sed -n '1,240p' AGENTS.md

printf '\n== mail-encryption files ==\n'
git ls-files 'src/services/mail-encryption/*' 'src/services/mail-encryption/**/*' | sed -n '1,200p'

printf '\n== outline of src/services/mail-encryption/index.ts ==\n'
ast-grep outline src/services/mail-encryption/index.ts --view expanded

printf '\n== relevant search for v2/v3/mail encryption symbols ==\n'
rg -n "v2|v3|decryptEmailHybrid|encryptedAttachmentsSessionKey|preview-key|preview key|mail-encryption" src/services/mail-encryption src -g '!**/dist/**'

Repository: internxt/mail-web

Length of output: 19495


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' src/services/mail-encryption/index.ts

Repository: internxt/mail-web

Length of output: 8496


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf 'AGENTS exists: '; test -f AGENTS.md && echo yes || echo no
printf 'Index exists: '; test -f src/services/mail-encryption/index.ts && echo yes || echo no
wc -l AGENTS.md src/services/mail-encryption/index.ts

Repository: internxt/mail-web

Length of output: 264


🌐 Web query:

"decryptEmailHybrid encAttachmentsSessionKey v2 v3 internxt crypto"

💡 Result:

Internxt utilizes advanced cryptographic methods to secure user data, including emails and file attachments [1][2]. The functions decryptEmailHybrid and related encryption methods are part of the internxt/crypto repository, which provides client-side, end-to-end encryption for Internxt's ecosystem [1]. Key aspects of their implementation include: 1. Hybrid Encryption: The codebase includes functions like encryptEmailHybrid and decryptEmailHybrid to manage secure email communication [1]. This hybrid approach typically involves using asymmetric cryptography for key exchange and symmetric encryption for the actual content [1]. 2. Post-Quantum Security: Internxt has implemented Kyber-512, a NIST-selected post-quantum encryption standard, to protect files and data against potential future quantum computing threats [2][3]. 3. File Encryption: File storage relies on deterministic key generation from user mnemonics, bucket IDs, and file indices, typically using AES-256-CTR for stream encryption [4][5]. 4. Versioning: Internxt uses versioning for various services, such as public sharing (e.g., inxt-v2 vs. inxt-v3) [6]. While specific terms like encAttachmentsSessionKey are common in secure messaging platforms (often associated with XChaCha20-Poly1305 in projects like Session [7]), Internxt's internal implementation focuses on its own proprietary crypto-services to ensure zero-knowledge privacy [2][3]. The v2 and v3 references in the Internxt ecosystem often correspond to protocol upgrades, such as improvements to sharing mechanisms or specific crypto-service iterations [6]. Developers should refer to the official internxt/crypto and associated drive-web repositories for the most current implementation details and library structures [1][4].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== v2 mentions in mail-encryption tests ==\n'
rg -n "v2|encryptedAttachmentsSessionKey|decryptEmailHybrid|preview" src/services/mail-encryption/index.test.ts

printf '\n== mail-encryption test file (relevant sections) ==\n'
sed -n '1,260p' src/services/mail-encryption/index.test.ts

printf '\n== repo-wide v2 encryption envelope mentions ==\n'
rg -n "version:\s*'v2'|version:\s*\"v2\"|encryptedAttachmentsSessionKey|decryptSummaryPreview|decryptEnvelope" src -g '!**/dist/**'

Repository: internxt/mail-web

Length of output: 13777


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== envelope type references ==\n'
rg -n "type EncryptionBlock|interface EncryptionBlock|EncryptionBlock" src . -g '!**/dist/**' -g '!**/node_modules/**'

printf '\n== mail service / sender-side version handling ==\n'
sed -n '300,380p' src/services/sdk/mail/mail.service.test.ts
sed -n '1,240p' src/services/sdk/mail/index.ts

printf '\n== any migration / legacy v2 logic ==\n'
rg -n "legacy|v2|v3|version" src/services src/hooks src/components -g '!**/dist/**'

Repository: internxt/mail-web

Length of output: 30792


🌐 Web query:

"site:github.com internxt crypto email-crypto v2 v3 encryptEmailHybrid decryptEmailHybrid encAttachmentsSessionKey"

💡 Result:

The methods encryptEmailHybrid and decryptEmailHybrid are part of the internxt/crypto repository and are designed for end-to-end email encryption using hybrid cryptography [1]. Key findings from the Internxt codebase include: - Hybrid Email Cryptography: encryptEmailHybrid and decryptEmailHybrid allow for secure email processing by leveraging both ECC (Elliptic Curve Cryptography) and, in newer implementations, post-quantum algorithms like Kyber [1][2]. - Asymmetric Encryption Service: Internxt has integrated Kyber as a provider within their asymmetric encryption service to support hybrid encryption, as seen in their server-side and web-client repositories [2][3][4]. - encAttachmentsSessionKey: While not explicitly detailed as a standalone public function in the provided snippets, the codebase uses hybrid encryption patterns to handle keys and attachments [1][5]. In the context of Internxt's architecture, encrypted session keys are frequently managed alongside primary encryption keys (ECC/Kyber) to secure file or email attachments [6][5]. - Code Context: The internxt/crypto library provides the core logic for these hybrid operations [1]. In implementations such as drive-web, the system generates keys (both ECC and Kyber) and encrypts them using AES for secure storage or recovery [6][5]. These functions are used to ensure that email content is encrypted at the client side before being transmitted, preserving privacy by using the recipient's public keys for encryption and the sender's/recipient's private keys for the respective encryption/decryption workflows [1].

Citations:


Preserve v2 envelope support. These decrypt paths only handle the v3 envelope shape; add a versioned fallback or migrate existing stored mail before release, and keep a v2 regression fixture.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/services/mail-encryption/index.ts` around lines 105 - 115, Update
decryptForCaller and the related decryption paths to detect and support v2
envelope shapes in addition to v3, using a version-specific fallback or
equivalent migration path for existing stored mail. Preserve current v3 behavior
and add or retain a v2 regression fixture covering decryption of legacy
envelopes.

@jzunigax2
jzunigax2 merged commit f5479d9 into master Jul 16, 2026
6 checks passed
@jzunigax2
jzunigax2 deleted the feat/crypto-1.6 branch July 16, 2026 16:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants