Document launcher runtime key delivery

2026-04-14 11:33:35 +02:00
parent 075668d188
commit 127d670ebd
1 changed files with 55 additions and 0 deletions
--- a/docs/client-integration.md
+++ b/docs/client-integration.md
@@ -47,6 +47,61 @@ Minimum validation:
 - reject path traversal
 - verify AEAD tag before decompression

+## Launcher key delivery
+
+The client now supports runtime key overrides and no longer has to rely only on
+the compiled fallback key.
+
+Supported inputs, highest priority last:
+
+1. shared memory mapping
+2. environment variables
+3. command line arguments
+
+### Command line
+
+```text
+--m2pack-key-hex <64-hex-master-key>
+--m2pack-pubkey-hex <64-hex-public-key>
+--m2pack-key-map <mapping-name>
+```
+
+### Environment
+
+```text
+M2PACK_MASTER_KEY_HEX
+M2PACK_SIGN_PUBKEY_HEX
+M2PACK_KEY_MAP
+```
+
+### Shared memory
+
+Default mapping name:
+
+```text
+Local\M2PackSharedKeys
+```
+
+Binary layout:
+
+```c
+struct M2PackSharedKeys {
+  char magic[8];           // "M2KEYS1\0"
+  uint32_t version;        // 1
+  uint32_t flags;          // reserved
+  uint8_t master_key[32];
+  uint8_t sign_public_key[32];
+};
+```
+
+Recommended production path:
+
+- launcher fetches or unwraps the current content key
+- launcher creates the shared mapping
+- launcher starts the client with `--m2pack-key-map Local\\M2PackSharedKeys`
+- client reads runtime keys during startup
+- compiled fallback key remains only as migration fallback and should be removed later
+
 ## Loader notes

 - Use memory-mapped I/O for the archive.