Skip to main content

restClient

Initialize with initializeFromShyConfig — see the Web SDK overview for the common setup pattern.

Non-standard options for this client: deriveSealerKey, signMessage, getIdentityAttestation.

Initialize

const client = initializeFromShyConfig(shyconfig, {
getAuthHeaders: async () => ({ Authorization: `Bearer ${token}` }),
deriveSealerKey: async () => derivedKeyMaterial,
signMessage: async (msg) => ({ pubKeyHex, sigBytes })
});

const state = client.initialize();
// → { store: { secretCategories, recoveryMode, ... }, messaging: { surfaceModel, auditModel, ... } }

The initialized state exposes both the store and messaging surfaces so the operator UI can determine which intake flows are active.

Store a sealed submission

const { secretID } = await client.storeSecret({
bucketID: "intake-2026-q2",
plaintext: { case_type: "financial_fraud", evidence_ref: "ipfs://abc..." },
category: "informant_submission",
partitionID: "sealed"
});

The submission payload is sealed client-side (AES-GCM) before the canonical write. The ABCI layer writes only ciphertext to List 1. The submitter's identity hash lands on List 2 with no join key to List 1.

Reveal a submission (operator-gated)

const plain = await client.revealAndDecryptSecret({ secretID, bucketID });

Reveal is identity-gated at the reconciling authority. The operator cannot enumerate submissions — per-participant, per-secret retrieval only.

Dispatch a confidential message

const mailboxes = await client.listMailboxes();
const mailbox = await client.getMailbox("mbx-intake-001");

await client.queueDispatch({
mailboxId: "mbx-intake-001",
subject: "Evidence packet",
body: "Sealed off-canonical.",
contentClass: "report",
auditMode: "delivery_commitment_only"
});

The dispatch surface is the chatClient sub-surface. Readable content, private fields, and attachment references remain sealed off-canonical.

Underlying clients

restClient delegates to both sub-clients directly:

const store = client.getStoreClient();
const chat = client.getChatClient();

This lets operator code access the full storeClient and chatClient surfaces where needed without re-initializing.

Structural guarantee

shyrest-v1 is a 3-party sealer-governed embodiment. There is no count-match rescission pathway — TxTypeAuthorityRescind is structurally unavailable. Erasure means the operator (reconciling authority) deletes the sealer key; canonical records persist but submissions become permanently undecryptable. This is the structural protection informants rely on: no operator can be compelled to produce a decryptable submission after the sealer key is deleted, because decryption is physically impossible without the key.


Deployment guide — informant intake

shyrest-v1 is the correct contract version for whistleblower and informant intake: verified identity, structurally non-linkable submission.

Authority model:

AuthorityRoleCannot do
Operator (newsroom / platform)Holds sealer key; routes intake; deletes keys on erasureCannot link submission to source from canonical state alone
IDV provider (Didit)Verifies source identity; enables biometric re-derivationCannot forge submissions; cannot read sealed payloads
Canonical runtimeEnforces two-list invariantCannot decrypt payloads; cannot join List 1 to List 2

shyconfig:

{
"contract_version": "shyrest-v1",
"store": {
"secret_categories": ["informant_submission", "evidence_ref"],
"recovery_mode": "operator_sealer",
"payload_encryption": { "mode": "participant_derived_key" }
},
"messaging": {
"surface_model": "mail",
"audit_model": "delivery_commitment_only",
"retention_policy": "no_retention"
},
"deployment": {
"submission_dispatch": "cover_traffic",
"cover_traffic_rate": 10
}
}

cover_traffic fires dummy submissions at the configured rate — real submissions are indistinguishable from dummies at the API layer. audit_model: "delivery_commitment_only" means only delivery continuity appears in canonical state — no subject, content descriptor, or routing metadata.

Erasure: operator deletes the sealer key from the off-chain linkage store. Canonical List 1 and List 2 records persist (BFT-immutable) but the payload becomes permanently undecryptable. A compelled disclosure after key deletion produces mathematically irrecoverable ciphertext.

OFAC / export: the same jurisdictional gap analysis as hostile-regime voting applies — receipt store hosted in a rule-of-law jurisdiction inaccessible to a hostile government's legal process. Satisfies 31 C.F.R. § 560.540 anti-surveillance predicate.