Summary Update.

RelayClient/Crypto/E2EeHelper.cs

@@ -3,8 +3,14 @@ using System.Text;
 
 namespace RelayClient.Crypto;
 
+/// <summary>
+/// Client-side mirror of RelayServer.Services.Crypto.E2EeHelper. Identical algorithms +
+/// key formats so blobs round-trip cleanly between server and client.
+/// See the server class for full algorithm details.
+/// </summary>
 public static class E2EeHelper
 {
+    /// <summary>Generates a fresh RSA-2048 keypair. Called once per user on first launch and persisted via KeyStorage.</summary>
     public static (string publicKey, string privateKey) GenerateRsaKeyPair()
     {
         using var rsa = RSA.Create(2048);
@@ -15,6 +21,11 @@ public static class E2EeHelper
         );
     }
 
+    /// <summary>
+    /// Hybrid encrypts a plaintext string for a specific recipient: fresh AES-256 key encrypts
+    /// the payload (AES-GCM), then RSA-OAEP-SHA256 wraps the AES key with the recipient's
+    /// public key. Returns base64-encoded fields ready to ship in a SocketEncryptedMessage.
+    /// </summary>
     public static EncryptedPayload EncryptForRecipient(string plainText, string recipientPublicKeyBase64)
     {
         byte[] aesKey = RandomNumberGenerator.GetBytes(32);
@@ -44,6 +55,11 @@ public static class E2EeHelper
         };
     }
 
+    /// <summary>
+    /// Reverse of EncryptForRecipient: RSA-decrypt the AES key with the recipient's private
+    /// key, then AES-GCM-decrypt the ciphertext. Throws on tampered/corrupt payloads
+    /// (auth tag mismatch). Returns the original UTF-8 plaintext string.
+    /// </summary>
     public static string DecryptForRecipient(EncryptedPayload payload, string recipientPrivateKeyBase64)
     {
         byte[] aesKey;
@@ -69,6 +85,7 @@ public static class E2EeHelper
     }
 }
 
+/// <summary>The 4-tuple ciphertext bundle. Same shape on both client and server; matches SocketEncryptedMessage's encrypted fields.</summary>
 public class EncryptedPayload
 {
     public required string CipherText { get; set; }