MeshKit Progress

Current State

MeshKit is a TypeScript SDK foundation for mobile-friendly decentralized storage. It now has real encrypted storage primitives, package metadata, release gates, local-dev workflows, provider integration surfaces, and publish automation, but it is not yet a fully live decentralized network.

The key boundary is clear: the SDK can be built, tested, packed, smoke-tested from local tarballs, and integrated by TypeScript developers today. Live provider validation, non-exportable native mobile key operations, Dart/Flutter toolchain validation, npm registry ownership, and external security review are still pending before a public production launch.

Implemented Packages

  • @meshkit/meshkit: one-import SDK facade; the CLI binary remains meshkit.
  • @meshkit/core: encrypted storage, records, files, batches, messages, sharing, proofs, provider protocol, and local-dev provider.
  • @meshkit/cli: init, dev, doctor, inspect, logs, policies, deals, provider testing, and durable local sandbox.
  • @meshkit/mcp: scoped agent tools with schemas and input limits.
  • @meshkit/web: browser/PWA entrypoint and capability detection.
  • @meshkit/react-native: React Native entrypoint and capability detection.
  • @meshkit/node: Node.js/server entrypoint and capability detection.
  • @meshkit/flutter: real Flutter plugin package with Dart method-channel contract and native Android/iOS source.
  • @meshkit/ionic or Capacitor package: real Ionic/mobile-web plugin package.
  • Provider adapter package boundary decision: adapters intentionally remain in @meshkit/core for 1.0; dedicated packages are a future ADR-gated split only.

Verification Checklist

  • npm run typecheck
  • npm run check
  • Full package test suite: 25 test files, 214 tests.
  • Built SDK import smoke test.
  • Built CLI smoke test.
  • Local packed-tarball postpublish smoke test.
  • npm package metadata validation for 8 public packages.
  • Example validation for 8 runnable examples, 1 runnable template, Ionic source contracts, and Flutter source contracts.
  • Production dependency audit: 0 vulnerabilities.
  • No-stub production audit with a documented allowlist.
  • Final npm run pack:dry after this checklist update.
  • Parallel launch-readiness audits for external IPFS/Filecoin reality, npm/DX readiness, and contributor ergonomics.
  • Contributor guide expanded with repo map, package workflow, commands, docs/API generation, conformance guidance, example requirements, testing matrix, and release expectations.
  • Live provider test matrix documented for Kubo, browser/Kubo boundaries, Helia, pinning, gateways, React Native remote providers, and Filecoin.
  • npm name ownership decision: meshkit is occupied on npm, so launch must use confirmed @meshkit/* ownership, a different facade name, or an ownership transfer before publishing unscoped meshkit.
  • Registry-safe postpublish smoke must avoid installing an unrelated public unscoped meshkit@latest; the default registry spec now uses @meshkit/meshkit@latest.
  • Live npm-registry postpublish smoke after package ownership and auth are available.

Completed In This GO Pass

  • Kubo-compatible HttpIpfsProvider with CID verification and pin lifecycle.
  • Kubo-compatible HttpIpfsProvider now uses raw block/put and block/get semantics for raw CID parity instead of UnixFS add/cat assumptions.
  • Remote pinning service provider backed by a storage provider.
  • Gateway retrieval provider with verified fallback reads.
  • Private IPFS cluster provider for add, cat, metadata, pin removal, and diagnostics.
  • Helia UnixFS provider for app-owned web/mobile Helia nodes.
  • Opt-in live Kubo daemon validation command for HttpIpfsProvider.
  • Opt-in live validation commands for pinning service, gateway retrieval, and private cluster providers.
  • Multi-provider fallback provider with traceable fallback logs.
  • Provider retry, timeout, auth, health checks, and typed MeshKitError mapping.
  • HTTP Filecoin persistence provider for deal creation, status, and renewal APIs.
  • Filecoin status normalization for proposed, accepted, active, under-replicated, failed, rejected, and expired states.
  • CLI deals status and deals renew --duration-days for configured persistence providers.
  • Filecoin bridge metadata for storage provider selection, quoted cost, verified deals, piece metadata, and retrieval hints.
  • Filecoin bridge capability discovery and CID lookup API.
  • CID-verified Filecoin bridge retrieval API plus CLI deals retrieve --output.
  • Opt-in live Filecoin bridge validation command for deal creation, status, and CID-verified retrieval.
  • Async Filecoin live validation polling for proposed and accepted deals until active before retrieval.
  • Filecoin bridge docs for costs, guarantees, renewals, direct Boost/Lotus boundaries, and retrieval behavior.
  • Persistence now requires a configured provider for deal operations.
  • Lit-compatible HTTP policy provider for policy creation, authorization, revocation, membership, and audit.
  • Policy-backed share capsule authorization before decrypting shared content.
  • Policy expiry, denied-member, unavailable-network, and already-opened plaintext behavior covered by tests.
  • Policy docs for fail-closed authorization and revocation limits after plaintext reaches a device.
  • Real Lit node/client integration boundary recorded in ADR 0007: optional adapter packages later, no direct core dependency, no mobile runtime claim without validation.
  • Identity export/import, device registration, device removal, and device listing.
  • Identity key rotation that keeps pre-rotation content readable while new writes use the rotated public key.
  • Local contact/address book model for verified recipient public keys.
  • Public identity directory provider for recipient key discovery without private-key sharing.
  • Identity trust model documentation for key-directory boundaries.
  • Provider-backed durable sync jobs.
  • Caller-managed offline sync queue with idempotent operation IDs, retry backoff, and retry exhaustion.
  • Chunked stream upload/download with authenticated chunk digests and whole-stream digest.
  • MeshKit CAR v1 export/import for encrypted block portability.
  • Redacted observability bundle export.
  • Privacy-safe SDK telemetry hooks with best-effort and required sink delivery modes.
  • Node/server SDK package.
  • React Native native key vault bridge with Android Keystore-backed encrypted storage and iOS Keychain storage.
  • React Native exported identity-record access-control policies for device passcode and current biometric set where the OS supports them.
  • React Native non-exportable key-operation API now fails closed unless native bridge methods are actually implemented.
  • Flutter MethodChannel contract tests and source validation for native key-vault calls.
  • Flutter Dart-facing identity client, typed identity record model, README usage, and source example validation.
  • Flutter key-vault access-control request API with Android/iOS capability reporting and fail-closed native rejection for unsupported exported identity-record policies.
  • Ionic/Capacitor exported identity-record access-control request API with fail-closed bridge capability checks and additive policy merging.
  • Kubo version-matrix hardening for derived Basic/Bearer auth redaction, unique default payload CIDs, cleanup after CID mismatch, and matrix env isolation in tests.
  • Trustless gateway live harness with fixture coverage for format=raw, format=car&dag-scope=block, trustless Accept/Content-Type enforcement, CID/hash verification, size limits, auth success/redaction, URL validation, and timeout behavior.
  • Deterministic raw-CID round-trip harness with fixture coverage for Kubo raw blocks, raw gateway retrieval, PSA-style pinning with required CID evidence, CID drift failures, auth redaction, async unpin confirmation, body-read timeouts, and cleanup behavior.
  • Flutter toolchain validation command and release-readiness tests for skip, missing-toolchain failure, fake-toolchain success, Windows .cmd launchers, exact argument boundaries, and timeout behavior.
  • Flutter native access-control option parsing now rejects malformed putIdentityWithOptions payloads instead of silently treating them as none.
  • Flutter and Ionic capability reporting now avoids positive secure-storage claims unless bridge/native fields explicitly advertise them.
  • Ionic createMeshkitIonic fails closed when access-control policy is requested without an enforceable Capacitor key vault.
  • Opt-in Helia browser E2E harness, npm script, config gates, checked-in fixture app, source validator, and docs; live Chromium/Firefox evidence remains pending.
  • Vanilla Kubo metadata negative harness proving stock Kubo does not serve MeshKit metadata routes.
  • No-stub audit script with structured allowlist and release-readiness regression coverage.
  • Contribution-first repository structure: packages, docs, RFCs, examples, templates, conformance, test vectors, benchmarks, scripts, GitHub workflows, and governance docs.
  • Release gate that scans package source, public docs, and root README for forbidden release language.
  • npm publish workflow with provenance.
  • npm package metadata validator wired into npm run check.
  • Registry-safe postpublish smoke now requires explicit package specs or an unsafe registry opt-in.
  • publish:dry now runs a true npm publish dry-run by default, with explicit pack-only mode for offline checks.
  • Release metadata validator now checks package-name ownership plan, maintainer/security metadata, package-manager metadata, README substance, funding/keywords, and license inclusion.
  • Postpublish smoke now imports all public package entrypoints and exercises the CLI binary from packed tarballs.
  • Runnable quickstart validator wired into npm run check.
  • Generated API reference with source drift checking.
  • Copy-paste TypeScript runtime recipes.
  • Runnable basic app template with package metadata, config, source, test, and validation.
  • MeshKitError and provider troubleshooting guide.
  • Runnable Node stream example.
  • Runnable browser File/Blob streaming example.
  • Release docs for version compatibility, npm deprecation/unpublish, maintainer token policy, and public roadmap labels.
  • Public decryptable envelope v1 test vector with automated import/decrypt verification.
  • Shared meshkit-sdk-v1 conformance tests for @meshkit/meshkit, @meshkit/web, @meshkit/react-native, and @meshkit/node.
  • Postpublish smoke script that installs a complete locally packed workspace tarball set, then imports all public package entrypoints and exercises the CLI. Registry-latest smoke remains gated until the npm package set is published.

Pending Work By Area

1. Real IPFS Provider Layer

  • HTTP IPFS adapter surface.
  • Helia adapter for web/mobile runtimes.
  • Pinning service adapter surface.
  • Gateway retrieval adapter surface.
  • Private cluster adapter surface.
  • Provider fixture tests for pinning, gateway retrieval, and private cluster behavior.
  • Live local-daemon validation command for the IPFS HTTP adapter.
  • Live validation commands for pinning service, private cluster, and gateway adapters.
  • Run live local-daemon validation against an actual Kubo daemon in the launch environment.
  • Run live pinning, private cluster, and gateway validators against actual launch services or credentials.
  • Integration tests against a local IPFS daemon or Helia node.
  • Integration tests against at least one remote pinning provider.
  • Launch-ready credential examples for selected IPFS providers.
  • Kubo version-matrix live harness with fixture coverage for raw block write/read, pin removal, version reporting, auth headers, config failures, and cleanup.
  • Kubo version-matrix fixture coverage for derived Basic auth redaction, CID-mismatch cleanup, unique default payloads, and inherited environment isolation.
  • Kubo version-matrix live suite for supported latest and N-1 versions covering raw block write/read, pin removal, version reporting, auth boundary, and cleanup.
  • Kubo raw-block versus UnixFS contract decision: use block/put and block/get for raw CID parity, or use multipart add/cat with UnixFS-aware verification.
  • Browser Kubo boundary test proving direct admin RPC is not a supported browser/mobile path while gateway or verified retrieval remains supported.
  • Vanilla Kubo metadata negative harness proving /meshkit/* routes are not stock Kubo features and require a MeshKit metadata service or future IPLD/IPNS adapter.
  • Split IPFS Cluster validation into documented Cluster REST behavior and Cluster IPFS Proxy behavior before claiming broad Cluster compatibility.
  • Helia browser E2E suite for Chromium and Firefox covering put/get, reload, app-persisted metadata restore, and missing-metadata failure behavior.
  • Checked-in Helia browser E2E fixture app exposing window.__meshkitHeliaE2E with real Helia UnixFS-backed MeshKit put/get/proof behavior and source-only validation.
  • Helia routing matrix for default delegated routing and a self-hosted HTTP Routing v1 endpoint.
  • Helia/Kubo CID parity suite with locked importer settings and CAR round trips.
  • PSA-compatible pinning provider matrix with status polling, bearer auth, unpin confirmation, and CAR capability detection.
  • Kubo remote-pin flow matrix with status polling, bearer auth, unpin, and provider-specific capability handling.
  • Gateway mode suite for subdomain gateway isolation and CID-verified retrieval; path-gateway success is not enough for launch claims.
  • Trustless gateway harness covering format=raw and format=car retrieval.
  • Deterministic raw-CID round-trip harness that authors one client-side CID and verifies it through Kubo, gateway, and a pinning provider.
  • CAR archive determinism harness that exports a client-side CAR and verifies the same archive/root through Kubo, gateway, and a pinning provider.
  • React Native remote-provider E2E on Android and iOS covering app restart, foreground/background, key-vault restore, and large-file streaming.
  • Live provider test matrix document capturing the exact launch validation rows still required.

2. Filecoin Persistence

  • HTTP persistence provider contract.
  • Deal creation, status, renewal, and normalized lifecycle states through configured provider APIs.
  • CLI deal status and renewal commands.
  • Tests proving deal operations require a configured persistence provider.
  • Storage provider selection UX through per-write storageProvider.
  • Cost, duration, replication, and retrieval configuration through per-write bridge options.
  • Deal proof mapping into the MeshKit proof model.
  • Retrieval from Filecoin-backed data through CID-verified bridge payload reads.
  • Public docs for costs, guarantees, renewals, and retrieval behavior.
  • Opt-in live Filecoin bridge validation command.
  • Filecoin bridge capability discovery and CID lookup API.
  • Live or testnet Filecoin path.
  • Integration tests with a real or testnet Filecoin route.
  • Filecoin Pin or equivalent managed Filecoin-backed service harness with verified retrieval, kept behind a bridge/service abstraction.
  • Filecoin devnet or Calibration suite backed by a real bridge, Boost/Lotus path, or aggregator flow for create, poll, activation, retrieval, renewal, and recorded deal metadata.
  • Async Filecoin live harness that accepts proposed/accepted, polls until active, and only then requires CID-verified retrieval.
  • Filecoin negative matrix for wrong bytes, active-status but failed retrieval, auth rejection, delayed activation, renewal failure, and expired deals.
  • Keep HttpFilecoinPersistenceProvider documented as a backend-specific abstraction until a live route proves storage-provider negotiation, publication, sealing, retrieval, and renewal.

3. Native Mobile Key Vaults

  • Browser/PWA capability profile.
  • React Native capability profile.
  • Documentation describing lower-trust browser key storage.
  • Android Keystore bridge for React Native identity export persistence.
  • iOS Keychain bridge for React Native identity export persistence.
  • React Native native module.
  • React Native exported identity-record storage access-control policies for device-passcode and biometric-current-set.
  • Flutter access-control request API and native fail-closed behavior for exported identity-record storage.
  • Ionic/Capacitor access-control request API and fail-closed bridge capability checks for exported identity-record storage.
  • Flutter and Ionic capability detectors default positive security backing claims to false unless native bridges explicitly advertise them.
  • Flutter Android/iOS access-control option parsing rejects malformed method-channel payloads before any identity write.
  • Ionic client creation fails closed when access-control policy is requested without a native vault capable of enforcing it.
  • Secure Enclave support where available.
  • Flutter plugin bridge.
  • Ionic/Capacitor plugin bridge.
  • Non-exportable private key behavior where the platform supports it.
  • Biometric/passcode access policy support across every mobile package and native prompt UX.
  • Durable backup, migration, restore, and recovery behavior for historical key material.

4. Access Control And Policy Layer

  • Lit-compatible HTTP policy provider.
  • Policy creation API.
  • Policy authorization API.
  • Policy revocation API.
  • Group membership API surface.
  • Permission audit API surface.
  • Lit V7 adapter package boundary and live-gated test strategy documented.
  • Policy-backed sharing tests for allowed and revoked access.
  • Real Lit node/client integration.
  • Time-bound access enforcement.
  • Shared team/project vaults.
  • Capability tokens.
  • Offline access behavior definition.
  • Failure handling when the policy network is unavailable.
  • Tests for denied, expired, network-failed, and already-downloaded access cases.
  • Docs explaining what revocation can and cannot guarantee after plaintext has already reached a device.

5. Identity And Device System

  • Identity import/export.
  • Device registration.
  • Device removal.
  • Device listing.
  • Multi-device recipient fanout foundation through registered public keys.
  • Key rotation tests.
  • DID adapter.
  • Passkey adapter.
  • Wallet signature adapter.
  • Contact/address book model.
  • Public key directory/provider model.
  • Recovery key or social recovery design.
  • Tests for recovery, lost device, and compromised device flows.
  • Identity trust model documentation.

6. Production Networking

  • Provider retry and timeout behavior.
  • Provider fallback.
  • Gateway fallback.
  • Provider health checks.
  • Sync jobs API.
  • Network diagnostics foundations.
  • Privacy-safe telemetry hooks.
  • Offline queue.
  • Background sync scheduler.
  • Conflict detection and resolution policy.
  • Idempotent operation IDs.
  • Durable retry queue.
  • Caller-managed network state handling.
  • Partial failure recovery.
  • Tests for offline, flaky network, duplicate delivery, and retry exhaustion.

7. Large File And Streaming Support

  • Chunked upload path.
  • Chunked download path.
  • Per-chunk authentication.
  • Whole-stream integrity verification.
  • Upload/download progress callbacks.
  • Typed cancellation errors.
  • CAR writer/export.
  • CAR reader/import.
  • Resume interrupted uploads.
  • Resume interrupted downloads.
  • Resume token format.
  • Memory-safe native mobile filesystem integration.
  • Browser File/Blob streaming example.
  • Node stream example.
  • Tests with launch-scale files beyond normal CI memory comfort.

8. Security Hardening

  • Envelope encryption by default.
  • Fresh per-object data encryption keys.
  • AES-256-GCM authenticated encryption.
  • ECDH P-256 plus HKDF-SHA256 recipient key wrapping.
  • Authenticated envelope metadata through AEAD additional data.
  • Cross-runtime public vector verification.
  • Key rotation preserving access to historical content.
  • Privacy-safe telemetry redaction tests.
  • Release language gate for public claims.
  • Formal threat model review.
  • External crypto/security review.
  • FIPS-compatible crypto module path.
  • Secure key backup design.
  • Post-quantum roadmap implementation.
  • Metadata leakage review.
  • Revocation semantics review.
  • Envelope canonicalization review.
  • AAD coverage review.
  • Key lifecycle review.
  • Runtime secure-random review.
  • Supply-chain dependency review.
  • Abuse-case test suite.
  • No-stub audit with structured allowlist and release-readiness regression coverage.

9. Developer Experience

  • One-import SDK facade.
  • Package READMEs.
  • Root README with product, security, and IPFS routing explanation.
  • Node quickstart example.
  • CLI init writes meshkit.config.json.
  • CLI provider testing.
  • CLI doctor JSON output.
  • Error types with actionable codes.
  • Provider configuration docs.
  • SDK config-object init with typed provider, persistence, and policy config objects.
  • Happy-path put, get, share, and open aliases on the SDK facade.
  • Complete docs site.
  • Reusable config loader/factory so apps can initialize from meshkit.config.json without copying CLI-only provider wiring.
  • Typed provider config objects for SDK init, such as { type: "ipfs-http", ... }.
  • Happy-path aliases such as put, get, share, and open on the facade while keeping grouped APIs.
  • Decide whether fortress changes real behavior or remove it from public options.
  • React example app.
  • React Native bridge example app.
  • Flutter source example app.
  • Flutter MethodChannel contract tests for key-vault calls.
  • Ionic example app.
  • CLI dev dashboard or removal of dashboard claims.
  • Copy-paste recipes for each supported runtime.
  • Error guide and troubleshooting page.
  • API reference generation.
  • Runnable MCP example with package metadata and validation.
  • Runnable starter template with package metadata, source, config, and validation.
  • Migration guide between versions.

10. SDK Ecosystem

  • TypeScript core SDK.
  • Browser/PWA SDK entrypoint.
  • React Native SDK entrypoint.
  • Node/server SDK entrypoint.
  • Shared conformance tests for TypeScript entrypoints.
  • Platform limitation reporting.
  • React Native native SDK key vault bridge.
  • React Native native background sync and file streaming bridges.
  • Flutter source SDK package, Dart method-channel API, native Android/iOS source, and source example.
  • Flutter MethodChannel package tests and source validator coverage.
  • Flutter typed identity-storage client and source example validator coverage.
  • Flutter key-vault access-control method-channel contract and native source validation.
  • Flutter toolchain validation script for flutter pub get and flutter test, skipped by default until a Flutter/Dart toolchain is installed.
  • Ionic/Capacitor SDK.
  • Cross-platform envelope compatibility tests including Flutter and Ionic.
  • Runnable React app example.
  • Runnable React Native bridge example.
  • Runnable/source-validated example app for every framework package.
  • Production install docs for every framework package.

11. Production Observability

  • Structured privacy-safe telemetry events.
  • Telemetry sink delivery modes.
  • Redaction rules and tests.
  • Redacted debug bundle export.
  • Provider operation tracing foundations.
  • Deal lifecycle tracing foundations.
  • Retrieval path tracing foundations.
  • CLI diagnostics bundle foundation.
  • Hosted/provider adapters for external telemetry pipelines.
  • Provider-backed audit/event sinks where configured.
  • Mobile sync tracing.
  • Storage health dashboards.
  • Launch docs for observability retention and privacy.

12. Release Readiness

  • CI workflow running npm run check and npm run pack:dry.
  • npm publish workflow with provenance.
  • npm dry-run script.
  • Package metadata validator.
  • Package README presence validation.
  • Export map validation.
  • Exact internal dependency version validation.
  • Public-access publish config validation.
  • Local packed-tarball smoke test before npm publish.
  • Security policy.
  • Contribution guide.
  • License file.
  • Changelog file.
  • Publish packages to the npm registry/directory.
  • Reserve/confirm npm package names: meshkit, @meshkit/core, @meshkit/cli, @meshkit/mcp, @meshkit/web, @meshkit/react-native.
  • Resolve public meshkit npm name collision or remove unscoped facade publish expectations.
  • Confirm ownership and availability for the @meshkit npm organization and scoped package names.
  • Replace registry-latest default in postpublish smoke with an explicit package spec, a verified scoped package, or an explicit unsafe opt-in.
  • Replace publish:dry pack-only behavior with a true registry/auth dry-run gate where safe to run.
  • Add tarball license validation and ensure package tarballs include full license text.
  • Add package metadata checks for maintainer readiness, root package manager, README substance, funding/keywords where appropriate, and forbidden TBD release fields.
  • Add install/import smoke coverage for packed exports across @meshkit/meshkit, @meshkit/node, @meshkit/web, @meshkit/react-native, CLI bin, and MCP exports.
  • npm organization setup for @meshkit.
  • npm access token provisioning.
  • npm access-token and maintainer policy draft.
  • Live npm-registry postpublish smoke.
  • Package deprecation/unpublish policy.
  • No-stub audit wired into the release gate.
  • Version compatibility matrix.
  • Public roadmap labels for planned work.
  • Release readiness issue template covering npm ownership, publish credentials, local gates, SBOM/audit artifacts, live-provider evidence, and registry smoke.

13. Open Source Repository Structure

  • Contribution-first folder structure.
  • packages/ for SDK packages.
  • examples/ for runnable examples.
  • docs/ for architecture, guides, security, providers, mobile, and API reference.
  • rfcs/ for major design decisions.
  • templates/ for starter apps.
  • conformance/ for shared SDK behavior tests.
  • test-vectors/ for crypto/envelope interoperability.
  • benchmarks/ for future performance work.
  • scripts/ for release, checks, package validation, and example validation.
  • .github/ workflows, issue template, PR template, and funding metadata.
  • CODE_OF_CONDUCT.md.
  • CONTRIBUTING.md.
  • SECURITY.md.
  • GOVERNANCE.md.
  • CHANGELOG.md.
  • ROADMAP.md.
  • LICENSE.
  • MAINTAINERS.md.
  • Expand CONTRIBUTING.md with repo map, package ownership, test matrix, docs/API generation, example requirements, and conformance extension guidance.
  • Replace MAINTAINERS.md TBD fields with real maintainer, security, and npm ownership contacts before public release.
  • Add full dual-license texts or clear license files rather than only an SPDX expression.
  • Provider adapter split decision recorded in ADR 0006: adapters stay in @meshkit/core for 1.0; future dedicated packages require a new ADR and compatibility plan.
  • Add Flutter and Ionic package directories when implementation starts.
  • Add issue labels for providers, crypto, mobile, docs, first-time contributors, security, and conformance.
  • Add architecture decision records for major protocol choices beyond the first RFC.

Mentor Requirements Coverage

  • Developer-friendly mobile ecosystem direction is represented by web, React Native, Node, Flutter, and Ionic packages.
  • One-import TypeScript SDK facade exists.
  • Decentralized storage complexity is hidden behind provider adapters.
  • Encryption is on by default.
  • Access-control provider surface exists for Lit-compatible policy systems.
  • CLI and MCP surfaces exist for developer and agent workflows.
  • Flutter and Ionic native key vaults have real source bridges.
  • React Native exported identity-record storage supports device-passcode and biometric-current-set access-control policies where the OS supports them.
  • React Native non-exportable key-operation API fails closed instead of trusting advertised capability flags without native methods.
  • React Native still needs non-exportable native ECDH/signing operations.
  • Flutter source package exists, but real Flutter/Dart toolchain validation for packages/flutter and examples/flutter-app has not been run in this environment.
  • Live provider tests must prove the adapters against real services before launch claims.

Suggested Next Build Order

  1. Run final npm run pack:dry after this progress update.
  2. Commit and push the local packed-tarball postpublish smoke slice.
  3. Build Helia adapter and live local-daemon validation command.
  4. Add real React Native key vault native module.
  5. Harden npm smoke/publish safety around the occupied meshkit registry name.
  6. Expand release metadata checks for license, maintainer, package name, and import smoke readiness.
  7. Add SDK config-loader and one-method facade ergonomics.
  8. Add remote pinning provider integration test with launch credentials.
  9. Run Flutter/Dart toolchain validation for the Flutter SDK and example once flutter/dart are available.
  10. Build a dedicated optional Lit adapter package after a concrete package spec and live Lit validation environment are ready.
  11. Add live or testnet Filecoin route.
  12. Publish package names to npm once org/auth/ownership are ready.
  13. Run live npm-registry postpublish smoke and record the release result.

End-To-End Completion Definition

A feature is complete only when all required boxes for that feature are checked:

  • Public API implemented.
  • Real provider/platform behavior implemented.
  • Unit tests added.
  • Integration tests added.
  • CLI support added where relevant.
  • Docs added.
  • Example added where relevant.
  • Error handling implemented.
  • Security implications documented.
  • Release/pack validation passes.
  • Public claims are backed by implementation and tests.

Open Decisions

  • Should MeshKit use Helia directly in web/mobile, or keep Helia behind a provider adapter only?
  • Should Filecoin persistence be built directly, or via a partner service/provider first?
  • Should Lit Protocol be first-class, optional, or a separate plugin package?
  • Should recipient identities be DID-first, passkey-first, wallet-first, or MeshKit-native first?
  • Should Flutter/Ionic/React Native be built now, or should the TypeScript provider layer become production-ready first?
  • Should MeshKit position itself as SDK-only, or SDK plus hosted coordination service?
  • Should the public facade package stay unscoped as meshkit, move to a scoped package, or be renamed if ownership cannot be obtained?