#51 Add cross-PDS download for keyring members

closed high · sable · 2026-03-02 23:37 · closed 2026-03-02 23:37 · feature · Phase 3: Keyrings

Comments — 1

sable note 2026-03-02 23:37

Currently, downloading a keyring-encrypted document only works for the keyring creator (who has the group key stored locally from 'keyring create'). A member added via 'add-member' has their wrapped group key entry in the keyring record on the owner's PDS, but no way to fetch and unwrap it.

Needed flow:

1. Fetch document record from owner's PDS (unauthenticated)
2. Detect keyring encryption, extract keyring URI
3. Fetch keyring record from owner's PDS (unauthenticated)
4. Find member's wrapped entry by DID
5. Unwrap group key with member's X25519 private key (x25519-hkdf-a256kw)
6. Unwrap content key from document's keyringEncryption.wrappedContentKey (AES-256-KW)
7. Fetch and decrypt blob

This is analogous to the --grant cross-PDS flow but for keyring-based access. Might need a new CLI flag (--keyring-member?) or auto-detection. Core function likely goes in documents/download.rs alongside download_from_grant.

The group key should be cached locally after first unwrap so subsequent downloads don't repeat the asymmetric unwrap.

Generated 2026-03-03 02:53 UTC