@ajna-inc/vaults 0.1.0

package/LICENSE

@@ -0,0 +1,202 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2020-present Hyperledger Contributors.
+   Copyright 2021 Queen’s Printer for Ontario. Mostafa Youssef (https://github.com/MosCD3), Amit Padmani (https://github.com/nbAmit), Prasad Katkar (https://github.com/NB-PrasadKatkar), Mike Richardson (https://github.com/NB-MikeRichardson)
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/build/VaultsApi.js

@@ -0,0 +1,263 @@
+"use strict";
+var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
+    function accept(f) { if (f !== void 0 && typeof f !== "function") throw new TypeError("Function expected"); return f; }
+    var kind = contextIn.kind, key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
+    var target = !descriptorIn && ctor ? contextIn["static"] ? ctor : ctor.prototype : null;
+    var descriptor = descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
+    var _, done = false;
+    for (var i = decorators.length - 1; i >= 0; i--) {
+        var context = {};
+        for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
+        for (var p in contextIn.access) context.access[p] = contextIn.access[p];
+        context.addInitializer = function (f) { if (done) throw new TypeError("Cannot add initializers after decoration has completed"); extraInitializers.push(accept(f || null)); };
+        var result = (0, decorators[i])(kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);
+        if (kind === "accessor") {
+            if (result === void 0) continue;
+            if (result === null || typeof result !== "object") throw new TypeError("Object expected");
+            if (_ = accept(result.get)) descriptor.get = _;
+            if (_ = accept(result.set)) descriptor.set = _;
+            if (_ = accept(result.init)) initializers.unshift(_);
+        }
+        else if (_ = accept(result)) {
+            if (kind === "field") initializers.unshift(_);
+            else descriptor[key] = _;
+        }
+    }
+    if (target) Object.defineProperty(target, contextIn.name, descriptor);
+    done = true;
+};
+var __runInitializers = (this && this.__runInitializers) || function (thisArg, initializers, value) {
+    var useValue = arguments.length > 2;
+    for (var i = 0; i < initializers.length; i++) {
+        value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);
+    }
+    return useValue ? value : void 0;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+var __setFunctionName = (this && this.__setFunctionName) || function (f, name, prefix) {
+    if (typeof name === "symbol") name = name.description ? "[".concat(name.description, "]") : "";
+    return Object.defineProperty(f, "name", { configurable: true, value: prefix ? "".concat(prefix, " ", name) : name });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultsApi = void 0;
+var core_1 = require("@credo-ts/core");
+/**
+ * Vaults API
+ *
+ * Public API for vault operations.
+ * Provides a clean interface for creating, opening, and managing encrypted vaults.
+ *
+ * All encryption and decryption happens client-side.
+ */
+var VaultsApi = function () {
+    var _classDecorators = [(0, core_1.injectable)()];
+    var _classDescriptor;
+    var _classExtraInitializers = [];
+    var _classThis;
+    var VaultsApi = _classThis = /** @class */ (function () {
+        function VaultsApi_1(agentContext, vaultService) {
+            this.vaultService = vaultService;
+            this.agentContext = agentContext;
+        }
+        /**
+         * Create a new encrypted vault
+         *
+         * @param data - Raw data to encrypt (e.g., PDF bytes)
+         * @param options - Creation options including passphrase
+         * @returns Created vault identifiers
+         *
+         * @example
+         * ```typescript
+         * const pdfBytes = await fs.readFile('contract.pdf')
+         * const { vaultId } = await agent.modules.vaults.create(pdfBytes, {
+         *   passphrase: 'my-secure-passphrase',
+         *   metadata: { description: 'Employment Contract' }
+         * })
+         * ```
+         */
+        VaultsApi_1.prototype.create = function (data, options) {
+            return __awaiter(this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, this.vaultService.createVault(this.agentContext, data, options)];
+                });
+            });
+        };
+        /**
+         * Open (decrypt) a vault
+         *
+         * @param vaultId - Vault identifier
+         * @param options - Open options including passphrase
+         * @returns Decrypted data
+         *
+         * @example
+         * ```typescript
+         * const decrypted = await agent.modules.vaults.open(vaultId, {
+         *   passphrase: 'my-secure-passphrase'
+         * })
+         * await fs.writeFile('contract-decrypted.pdf', decrypted)
+         * ```
+         */
+        VaultsApi_1.prototype.open = function (vaultId, options) {
+            return __awaiter(this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, this.vaultService.openVault(this.agentContext, vaultId, options)];
+                });
+            });
+        };
+        /**
+         * Update vault with new data
+         *
+         * @param vaultId - Vault identifier
+         * @param data - New data to encrypt
+         * @param options - Update options including passphrase
+         *
+         * @example
+         * ```typescript
+         * const newPdfBytes = await fs.readFile('contract-v2.pdf')
+         * await agent.modules.vaults.update(vaultId, newPdfBytes, {
+         *   passphrase: 'my-secure-passphrase'
+         * })
+         * ```
+         */
+        VaultsApi_1.prototype.update = function (vaultId, data, options) {
+            return __awaiter(this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, this.vaultService.updateVault(this.agentContext, vaultId, data, options)];
+                });
+            });
+        };
+        /**
+         * Delete a vault
+         *
+         * @param vaultId - Vault identifier
+         *
+         * @example
+         * ```typescript
+         * await agent.modules.vaults.delete(vaultId)
+         * ```
+         */
+        VaultsApi_1.prototype.delete = function (vaultId) {
+            return __awaiter(this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, this.vaultService.deleteVault(this.agentContext, vaultId)];
+                });
+            });
+        };
+        /**
+         * List all vaults
+         *
+         * @returns Array of vault records
+         *
+         * @example
+         * ```typescript
+         * const vaults = await agent.modules.vaults.list()
+         * console.log(`Total vaults: ${vaults.length}`)
+         * ```
+         */
+        VaultsApi_1.prototype.list = function () {
+            return __awaiter(this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, this.vaultService.listVaults(this.agentContext)];
+                });
+            });
+        };
+        /**
+         * Get vault info (metadata without decrypting)
+         *
+         * @param vaultId - Vault identifier
+         * @returns Vault information
+         *
+         * @example
+         * ```typescript
+         * const info = await agent.modules.vaults.getInfo(vaultId)
+         * console.log(`Vault: ${info.vaultId}, Epoch: ${info.header.epoch}`)
+         * ```
+         */
+        VaultsApi_1.prototype.getInfo = function (vaultId) {
+            return __awaiter(this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, this.vaultService.getVaultInfo(this.agentContext, vaultId)];
+                });
+            });
+        };
+        /**
+         * Check if a vault exists
+         *
+         * @param vaultId - Vault identifier
+         * @returns True if vault exists
+         *
+         * @example
+         * ```typescript
+         * if (await agent.modules.vaults.exists(vaultId)) {
+         *   console.log('Vault found!')
+         * }
+         * ```
+         */
+        VaultsApi_1.prototype.exists = function (vaultId) {
+            return __awaiter(this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, this.vaultService.vaultExists(this.agentContext, vaultId)];
+                });
+            });
+        };
+        /**
+         * Get the raw vault record (for advanced operations)
+         *
+         * @param vaultId - Vault identifier
+         * @returns Vault record or null
+         */
+        VaultsApi_1.prototype.getRecord = function (vaultId) {
+            return __awaiter(this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, this.vaultService.getVaultRecord(this.agentContext, vaultId)];
+                });
+            });
+        };
+        return VaultsApi_1;
+    }());
+    __setFunctionName(_classThis, "VaultsApi");
+    (function () {
+        var _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(null) : void 0;
+        __esDecorate(null, _classDescriptor = { value: _classThis }, _classDecorators, { kind: "class", name: _classThis.name, metadata: _metadata }, null, _classExtraInitializers);
+        VaultsApi = _classThis = _classDescriptor.value;
+        if (_metadata) Object.defineProperty(_classThis, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
+        __runInitializers(_classThis, _classExtraInitializers);
+    })();
+    return VaultsApi = _classThis;
+}();
+exports.VaultsApi = VaultsApi;

package/build/VaultsEvents.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultEventTypes = void 0;
+/**
+ * Vault event types
+ */
+var VaultEventTypes;
+(function (VaultEventTypes) {
+    VaultEventTypes["VaultCreated"] = "VaultCreated";
+    VaultEventTypes["VaultOpened"] = "VaultOpened";
+    VaultEventTypes["VaultUpdated"] = "VaultUpdated";
+    VaultEventTypes["VaultDeleted"] = "VaultDeleted";
+    VaultEventTypes["VaultShared"] = "VaultShared";
+    VaultEventTypes["AccessRequested"] = "AccessRequested";
+    VaultEventTypes["AccessGranted"] = "AccessGranted";
+    VaultEventTypes["AccessDenied"] = "AccessDenied";
+    VaultEventTypes["ThresholdMet"] = "ThresholdMet";
+    VaultEventTypes["ShareProvided"] = "ShareProvided";
+})(VaultEventTypes || (exports.VaultEventTypes = VaultEventTypes = {}));

package/build/VaultsModule.js

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultsModule = void 0;
+var VaultsApi_1 = require("./VaultsApi");
+var VaultService_1 = require("./services/VaultService");
+var VaultEncryptionService_1 = require("./services/VaultEncryptionService");
+var VaultRepository_1 = require("./repository/VaultRepository");
+var ThresholdSessionRepository_1 = require("./repository/ThresholdSessionRepository");
+/**
+ * Vaults Module
+ *
+ * Credo-TS module for post-quantum encrypted vaults with local storage support.
+ *
+ * Features:
+ * - Client-side encryption (all crypto happens in the agent)
+ * - Passphrase-based encryption (S3 suite with Argon2id)
+ * - Post-quantum encryption (P1 suite with ML-KEM-768)
+ * - Multiple access policies: passphrase, any-of, all-of, threshold
+ * - Local storage via agent wallet
+ *
+ * @example
+ * ```typescript
+ * import { Agent } from '@credo-ts/core'
+ * import { VaultsModule } from '@credo-ts/vaults'
+ *
+ * const agent = new Agent({
+ *   config: { label: 'My Agent' },
+ *   modules: {
+ *     vaults: new VaultsModule()
+ *   }
+ * })
+ *
+ * await agent.initialize()
+ *
+ * // Store encrypted PDF
+ * const { vaultId } = await agent.modules.vaults.create(pdfBytes, {
+ *   passphrase: 'my-secure-passphrase'
+ * })
+ *
+ * // Retrieve and decrypt
+ * const decrypted = await agent.modules.vaults.open(vaultId, {
+ *   passphrase: 'my-secure-passphrase'
+ * })
+ * ```
+ */
+var VaultsModule = /** @class */ (function () {
+    function VaultsModule() {
+        this.api = VaultsApi_1.VaultsApi;
+    }
+    /**
+     * Register module dependencies
+     */
+    VaultsModule.prototype.register = function (dependencyManager, featureRegistry) {
+        // Register repositories
+        dependencyManager.registerSingleton(VaultRepository_1.VaultRepository);
+        dependencyManager.registerSingleton(ThresholdSessionRepository_1.ThresholdSessionRepository);
+        // Register services
+        dependencyManager.registerSingleton(VaultEncryptionService_1.VaultEncryptionService);
+        dependencyManager.registerSingleton(VaultService_1.VaultService);
+        // Note: Message handlers for P2P sharing will be added in Phase 5
+        // For now, we focus on local storage operations
+        // Register protocol feature
+        featureRegistry.register({
+            type: 'protocol',
+            id: 'https://didcomm.org/vaults/1.0',
+            roles: ['owner', 'participant', 'storage'],
+        });
+    };
+    return VaultsModule;
+}());
+exports.VaultsModule = VaultsModule;

package/build/crypto/wasm/VaultCrypto.js

@@ -0,0 +1,70 @@
+"use strict";
+/**
+ * WASM Cryptographic Primitives Wrapper
+ *
+ * Wraps vault-crypto WASM module for use in Credo-TS
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildContext = exports.canonicalAad = exports.generateUuid = exports.fromHex = exports.toHex = exports.fromBase64Url = exports.toBase64Url = exports.constantTimeEq = exports.computeSummary = exports.blake2s256 = exports.sha256 = exports.verifyKeyCommitment = exports.keyCommitment = exports.generateNonceXchacha = exports.generateNonceAesGcm = exports.generateCek = exports.randomBytes = exports.shamirUnwrapAndReconstruct = exports.shamirSplitAndWrap = exports.shamirReconstruct = exports.shamirSplit = exports.deriveSymmetricKid = exports.deriveKid = exports.deriveCek = exports.hkdfJoin = exports.hkdfExpand = exports.kemUnwrapCek = exports.kemWrapCek = exports.kemDecapsulate = exports.kemEncapsulate = exports.kemGenerateKeypair = exports.xchachaDecrypt = exports.xchachaEncrypt = exports.aesGcmDecrypt = exports.aesGcmEncrypt = exports.initVaultCrypto = void 0;
+// Import WASM module
+// Note: In Node.js, this auto-initializes
+var wasm = require("../../../wasm/vault_crypto.js");
+/**
+ * Initialize WASM module
+ * Call once at agent startup
+ */
+function initVaultCrypto() {
+    return __awaiter(this, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            return [2 /*return*/];
+        });
+    });
+}
+exports.initVaultCrypto = initVaultCrypto;
+// Re-export all WASM functions with documentation
+// ========== AEAD Encryption ==========
+exports.aesGcmEncrypt = wasm.aesGcmEncrypt, exports.aesGcmDecrypt = wasm.aesGcmDecrypt, exports.xchachaEncrypt = wasm.xchachaEncrypt, exports.xchachaDecrypt = wasm.xchachaDecrypt;
+// ========== Key Encapsulation (KEM) ==========
+exports.kemGenerateKeypair = wasm.kemGenerateKeypair, exports.kemEncapsulate = wasm.kemEncapsulate, exports.kemDecapsulate = wasm.kemDecapsulate, exports.kemWrapCek = wasm.kemWrapCek, exports.kemUnwrapCek = wasm.kemUnwrapCek;
+// ========== Key Derivation (KDF) ==========
+exports.hkdfExpand = wasm.hkdfExpand, exports.hkdfJoin = wasm.hkdfJoin, exports.deriveCek = wasm.deriveCek, exports.deriveKid = wasm.deriveKid, exports.deriveSymmetricKid = wasm.deriveSymmetricKid;
+// ========== Shamir Secret Sharing ==========
+exports.shamirSplit = wasm.shamirSplit, exports.shamirReconstruct = wasm.shamirReconstruct, exports.shamirSplitAndWrap = wasm.shamirSplitAndWrap, exports.shamirUnwrapAndReconstruct = wasm.shamirUnwrapAndReconstruct;
+// ========== Utilities ==========
+exports.randomBytes = wasm.randomBytes, exports.generateCek = wasm.generateCek, exports.generateNonceAesGcm = wasm.generateNonceAesGcm, exports.generateNonceXchacha = wasm.generateNonceXchacha, exports.keyCommitment = wasm.keyCommitment, exports.verifyKeyCommitment = wasm.verifyKeyCommitment, exports.sha256 = wasm.sha256, exports.blake2s256 = wasm.blake2s256, exports.computeSummary = wasm.computeSummary, exports.constantTimeEq = wasm.constantTimeEq, exports.toBase64Url = wasm.toBase64Url, exports.fromBase64Url = wasm.fromBase64Url, exports.toHex = wasm.toHex, exports.fromHex = wasm.fromHex, exports.generateUuid = wasm.generateUuid, exports.canonicalAad = wasm.canonicalAad, exports.buildContext = wasm.buildContext;

package/build/errors/BadSuiteError.js

@@ -0,0 +1,34 @@
+"use strict";
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    };
+    return function (d, b) {
+        if (typeof b !== "function" && b !== null)
+            throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BadSuiteError = void 0;
+var VaultError_1 = require("./VaultError");
+/**
+ * Error thrown when an unknown or unsupported ciphersuite is encountered
+ * Spec §11: ERR_BAD_SUITE
+ */
+var BadSuiteError = /** @class */ (function (_super) {
+    __extends(BadSuiteError, _super);
+    function BadSuiteError(message) {
+        var _this = _super.call(this, VaultError_1.VaultErrorCode.BAD_SUITE, message) || this;
+        _this.name = 'BadSuiteError';
+        Object.setPrototypeOf(_this, BadSuiteError.prototype);
+        return _this;
+    }
+    return BadSuiteError;
+}(VaultError_1.VaultError));
+exports.BadSuiteError = BadSuiteError;