setStrategyWrappedDEKs
Sets the full envelope set for one Strategy. Idempotent: passing the same envelopes twice is a no-op. Requires:
- edit scope on the Strategy (parent @hasScope).
- The org's plan includes the passkeyE2EE feature.
- Every passkeyEncryptionKeyID names an active (non-revoked) row owned by the strategy's owner OR by a user the resource has been shared with (T2.4 wires the latter; PR-2 enforces owner-only).
Returns the resulting envelope list.
setStrategyWrappedDEKs(
id: ID!
input: SetStrategyWrappedDEKsInput!
): [WrappedDEK!]!
Arguments
setStrategyWrappedDEKs.id ● ID! non-null scalar
setStrategyWrappedDEKs.input ● SetStrategyWrappedDEKsInput! non-null input
Type
WrappedDEK object
A single envelope of a per-resource Data Encryption Key (DEK) wrapped to one passkey-bound X25519 public key. Multiple WrappedDEK rows can exist per resource — one per active passkey of the owner, plus recipient passkeys when the resource is shared (T2.4) and admin escrow keys (T2.5). The browser unwraps with the X25519 priv derived from the WebAuthn PRF output, then AES-GCM-decrypts the resource's ciphertext with the recovered DEK.
Wire shape mirrors console/src/crypto/passkey/wrap.ts: ephemeral sender pubkey + AES-GCM nonce + AES-GCM ciphertext, all base64- standard. The ENT row stores raw bytes; this resolver layer encodes.