@arbidocs/sdk 0.1.0

package/dist/index.js

@@ -0,0 +1,1107 @@
+import createFetchClient from 'openapi-fetch';
+import sodium from 'libsodium-wrappers-sumo';
+
+// src/client.ts
+
+// src/session.ts
+function createInitialState() {
+  return {
+    accessToken: null,
+    userEmail: null,
+    userExtId: null,
+    selectedWorkspaceId: null,
+    cachedWorkspaceHeaders: {},
+    isSsoMode: false,
+    isAuth0Authenticated: false,
+    auth0AccessToken: null
+  };
+}
+function createSessionManager() {
+  let state = createInitialState();
+  const listeners = /* @__PURE__ */ new Set();
+  function notify() {
+    const snapshot = { ...state };
+    for (const listener of listeners) {
+      listener(snapshot);
+    }
+  }
+  return {
+    getState() {
+      return state;
+    },
+    setAccessToken(token) {
+      state = { ...state, accessToken: token };
+      notify();
+    },
+    setUser(email, extId) {
+      state = { ...state, userEmail: email, userExtId: extId ?? state.userExtId };
+      notify();
+    },
+    setSelectedWorkspace(id) {
+      state = { ...state, selectedWorkspaceId: id };
+      notify();
+    },
+    setCachedWorkspaceHeader(workspaceId, header) {
+      state = {
+        ...state,
+        cachedWorkspaceHeaders: {
+          ...state.cachedWorkspaceHeaders,
+          [workspaceId]: header
+        }
+      };
+      notify();
+    },
+    clearWorkspaceHeaders() {
+      state = { ...state, cachedWorkspaceHeaders: {} };
+      notify();
+    },
+    getWorkspaceKeyHeader() {
+      const { selectedWorkspaceId, cachedWorkspaceHeaders } = state;
+      if (!selectedWorkspaceId) return null;
+      return cachedWorkspaceHeaders[selectedWorkspaceId] ?? null;
+    },
+    setSsoState(opts) {
+      state = {
+        ...state,
+        isSsoMode: opts.isSsoMode ?? state.isSsoMode,
+        isAuth0Authenticated: opts.isAuth0Authenticated ?? state.isAuth0Authenticated,
+        auth0AccessToken: opts.auth0AccessToken !== void 0 ? opts.auth0AccessToken : state.auth0AccessToken
+      };
+      notify();
+    },
+    clear() {
+      state = createInitialState();
+      notify();
+    },
+    subscribe(listener) {
+      listeners.add(listener);
+      return () => {
+        listeners.delete(listener);
+      };
+    }
+  };
+}
+function createTokenProvider(session) {
+  return {
+    getAccessToken: () => session.getState().accessToken
+  };
+}
+function createWorkspaceKeyProvider(session) {
+  return {
+    getWorkspaceKeyHeader: () => session.getWorkspaceKeyHeader()
+  };
+}
+function createAuthStateProvider(session) {
+  return {
+    getUserEmail: () => session.getState().userEmail,
+    getSsoState: () => {
+      const s = session.getState();
+      return {
+        isSsoMode: s.isSsoMode,
+        isAuth0Authenticated: s.isAuth0Authenticated,
+        auth0AccessToken: s.auth0AccessToken
+      };
+    },
+    getSelectedWorkspaceId: () => session.getState().selectedWorkspaceId,
+    setAccessToken: (token) => session.setAccessToken(token),
+    clearWorkspaceHeaders: () => session.clearWorkspaceHeaders(),
+    setCachedWorkspaceHeader: (workspaceId, header) => session.setCachedWorkspaceHeader(workspaceId, header)
+  };
+}
+var sodiumReady = null;
+async function initSodium() {
+  if (sodiumReady) {
+    await sodiumReady;
+    return;
+  }
+  sodiumReady = sodium.ready;
+  await sodiumReady;
+}
+function base64ToBytes(base64String) {
+  return sodium.from_base64(base64String, sodium.base64_variants.ORIGINAL);
+}
+function bytesToBase64(bytes) {
+  return sodium.to_base64(bytes, sodium.base64_variants.ORIGINAL);
+}
+function base64Encode(bytes) {
+  const binString = Array.from(bytes, (byte) => String.fromCodePoint(byte)).join("");
+  return btoa(binString);
+}
+function base64Decode(base64) {
+  const binString = atob(base64);
+  return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
+}
+function generateSalt(username, deploymentDomain) {
+  if (!deploymentDomain) {
+    throw new Error("Deployment domain must be provided for salt generation");
+  }
+  const normalized = username.toLowerCase();
+  const saltString = `${normalized}|${deploymentDomain}`;
+  const hash = sodium.crypto_hash_sha256(sodium.from_string(saltString));
+  return hash.slice(0, 16);
+}
+async function generateKeyPairs(username, password, deploymentDomain) {
+  await initSodium();
+  if (!deploymentDomain) {
+    throw new Error("Deployment domain not available. Cannot generate keys.");
+  }
+  const salt = generateSalt(username, deploymentDomain);
+  const seed = sodium.crypto_pwhash(
+    32,
+    // 32 bytes for Ed25519 seed
+    password,
+    salt,
+    sodium.crypto_pwhash_OPSLIMIT_INTERACTIVE,
+    sodium.crypto_pwhash_MEMLIMIT_INTERACTIVE,
+    sodium.crypto_pwhash_ALG_ARGON2ID13
+  );
+  const signingKeyPair = sodium.crypto_sign_seed_keypair(seed);
+  const encryptionPublicKey = sodium.crypto_sign_ed25519_pk_to_curve25519(signingKeyPair.publicKey);
+  const encryptionPrivateKey = sodium.crypto_sign_ed25519_sk_to_curve25519(
+    signingKeyPair.privateKey
+  );
+  return {
+    signing: {
+      publicKey: signingKeyPair.publicKey,
+      privateKey: signingKeyPair.privateKey,
+      publicKeyBase64: sodium.to_base64(signingKeyPair.publicKey, sodium.base64_variants.ORIGINAL)
+    },
+    encryption: {
+      publicKey: encryptionPublicKey,
+      privateKey: encryptionPrivateKey,
+      publicKeyBase64: sodium.to_base64(encryptionPublicKey, sodium.base64_variants.ORIGINAL)
+    }
+  };
+}
+function signMessage(message, privateKey) {
+  const messageBytes = sodium.from_string(message);
+  const signature = sodium.crypto_sign_detached(messageBytes, privateKey);
+  return base64Encode(signature);
+}
+async function createWorkspaceKeyHeader(workspaceKey, serverSessionPublicKey) {
+  await initSodium();
+  const encryptedKey = sealedBoxEncrypt(workspaceKey, serverSessionPublicKey);
+  return encryptedKey;
+}
+function sealedBoxDecrypt(encryptedBase64, userEncryptionPrivateKey) {
+  const encrypted = base64ToBytes(encryptedBase64);
+  const publicKey = sodium.crypto_scalarmult_base(userEncryptionPrivateKey);
+  const decrypted = sodium.crypto_box_seal_open(encrypted, publicKey, userEncryptionPrivateKey);
+  return decrypted;
+}
+function sealedBoxEncrypt(message, publicKey) {
+  const encrypted = sodium.crypto_box_seal(message, publicKey);
+  return bytesToBase64(encrypted);
+}
+function derivePublicKey(privateKey) {
+  return sodium.crypto_scalarmult_base(privateKey);
+}
+function deriveEncryptionKeypairFromSigning(signingKeyPair) {
+  const encryptionPublicKey = sodium.crypto_sign_ed25519_pk_to_curve25519(signingKeyPair.publicKey);
+  const encryptionPrivateKey = sodium.crypto_sign_ed25519_sk_to_curve25519(signingKeyPair.secretKey);
+  return {
+    publicKey: encryptionPublicKey,
+    secretKey: encryptionPrivateKey
+  };
+}
+async function computeSharedSecret(theirPublicKeyBase64, myPrivateKey) {
+  await initSodium();
+  const theirPublicKey = base64ToBytes(theirPublicKeyBase64);
+  return sodium.crypto_box_beforenm(theirPublicKey, myPrivateKey);
+}
+async function encryptMessageWithSharedSecret(message, sharedSecret) {
+  await initSodium();
+  const messageBytes = sodium.from_string(message);
+  const nonce = sodium.randombytes_buf(sodium.crypto_box_NONCEBYTES);
+  const ciphertext = sodium.crypto_box_easy_afternm(messageBytes, nonce, sharedSecret);
+  const combined = new Uint8Array(nonce.length + ciphertext.length);
+  combined.set(nonce, 0);
+  combined.set(ciphertext, nonce.length);
+  return bytesToBase64(combined);
+}
+async function decryptMessageWithSharedSecret(encryptedBase64, sharedSecret) {
+  await initSodium();
+  const combined = base64ToBytes(encryptedBase64);
+  const nonce = combined.slice(0, sodium.crypto_box_NONCEBYTES);
+  const ciphertext = combined.slice(sodium.crypto_box_NONCEBYTES);
+  const decrypted = sodium.crypto_box_open_easy_afternm(ciphertext, nonce, sharedSecret);
+  return sodium.to_string(decrypted);
+}
+async function encryptMessage(message, recipientPublicKeyBase64, senderPrivateKey) {
+  await initSodium();
+  const recipientPublicKey = base64ToBytes(recipientPublicKeyBase64);
+  const messageBytes = sodium.from_string(message);
+  const nonce = sodium.randombytes_buf(sodium.crypto_box_NONCEBYTES);
+  const ciphertext = sodium.crypto_box_easy(
+    messageBytes,
+    nonce,
+    recipientPublicKey,
+    senderPrivateKey
+  );
+  const combined = new Uint8Array(nonce.length + ciphertext.length);
+  combined.set(nonce, 0);
+  combined.set(ciphertext, nonce.length);
+  return bytesToBase64(combined);
+}
+async function decryptMessage(encryptedBase64, senderPublicKeyBase64, recipientPrivateKey) {
+  await initSodium();
+  const combined = base64ToBytes(encryptedBase64);
+  const senderPublicKey = base64ToBytes(senderPublicKeyBase64);
+  const nonce = combined.slice(0, sodium.crypto_box_NONCEBYTES);
+  const ciphertext = combined.slice(sodium.crypto_box_NONCEBYTES);
+  const decrypted = sodium.crypto_box_open_easy(
+    ciphertext,
+    nonce,
+    senderPublicKey,
+    recipientPrivateKey
+  );
+  return sodium.to_string(decrypted);
+}
+
+// src/crypto/keypairs.ts
+async function generateUserKeypairs(username, password, deploymentDomain) {
+  if (!deploymentDomain) {
+    throw new Error("Deployment domain must be provided. Cannot generate keypairs.");
+  }
+  const keypairs = await generateKeyPairs(username, password, deploymentDomain);
+  const signingKeyPair = {
+    publicKey: keypairs.signing.publicKey,
+    secretKey: keypairs.signing.privateKey
+  };
+  const encryptionKeyPair = {
+    publicKey: keypairs.encryption.publicKey,
+    secretKey: keypairs.encryption.privateKey
+  };
+  return {
+    signingKeyPair,
+    encryptionKeyPair
+  };
+}
+
+// src/crypto/credentials.ts
+async function generateRegistrationCredentials(registrationData, password, deploymentDomain) {
+  const { signingKeyPair } = await generateUserKeypairs(
+    registrationData.email,
+    password,
+    deploymentDomain
+  );
+  const request = {
+    ...registrationData,
+    signing_key: base64Encode(signingKeyPair.publicKey)
+  };
+  return { request, signingPrivateKey: signingKeyPair.secretKey };
+}
+async function generateLoginCredentials(loginData, password, deploymentDomain) {
+  const { signingKeyPair } = await generateUserKeypairs(loginData.email, password, deploymentDomain);
+  const timestamp = Math.floor(Date.now() / 1e3);
+  const message = `${loginData.email}|${timestamp}`;
+  const signature = signMessage(message, signingKeyPair.secretKey);
+  const request = {
+    ...loginData,
+    signature,
+    timestamp
+  };
+  return { request, signingPrivateKey: signingKeyPair.secretKey };
+}
+function generateLoginCredentialsFromKey(loginData, signingPrivateKey) {
+  if (signingPrivateKey.length !== 64) {
+    throw new Error("Invalid signing key: must be exactly 64 bytes");
+  }
+  const timestamp = Math.floor(Date.now() / 1e3);
+  const message = `${loginData.email}|${timestamp}`;
+  const signature = signMessage(message, signingPrivateKey);
+  const request = {
+    ...loginData,
+    signature,
+    timestamp
+  };
+  return { request, signingPrivateKey };
+}
+async function generatePasswordChangeCredentials(email, currentPassword, newPassword, deploymentDomain) {
+  const currentKeypairs = await generateUserKeypairs(email, currentPassword, deploymentDomain);
+  const newKeypairs = await generateUserKeypairs(email, newPassword, deploymentDomain);
+  const timestamp = Math.floor(Date.now() / 1e3);
+  const message = `${email}|${timestamp}`;
+  const signature = signMessage(message, currentKeypairs.signingKeyPair.secretKey);
+  const request = {
+    signature,
+    timestamp,
+    new_signing_key: base64Encode(newKeypairs.signingKeyPair.publicKey)
+  };
+  return { request, newSigningPrivateKey: newKeypairs.signingKeyPair.secretKey };
+}
+async function generateRecoveryPasswordChangeCredentials(email, currentSigningKey, newPassword, deploymentDomain) {
+  const newKeypairs = await generateUserKeypairs(email, newPassword, deploymentDomain);
+  const timestamp = Math.floor(Date.now() / 1e3);
+  const message = `${email}|${timestamp}`;
+  const signature = signMessage(message, currentSigningKey);
+  const request = {
+    signature,
+    timestamp,
+    new_signing_key: base64Encode(newKeypairs.signingKeyPair.publicKey)
+  };
+  return { request, newSigningPrivateKey: newKeypairs.signingKeyPair.secretKey };
+}
+
+// src/middleware/bearer-auth.ts
+function createBearerAuthMiddleware(config) {
+  return {
+    async onRequest({ request }) {
+      const accessToken = config.tokenProvider.getAccessToken();
+      if (accessToken) {
+        request.headers.set("Authorization", `Bearer ${accessToken}`);
+      }
+      return request;
+    }
+  };
+}
+
+// src/middleware/workspace-key.ts
+function needsWorkspaceKey(url, urlConfig) {
+  if (urlConfig.excludePatterns.some((pattern) => url.includes(pattern))) {
+    return false;
+  }
+  return urlConfig.includePatterns.some((pattern) => url.includes(pattern));
+}
+function createWorkspaceKeyMiddleware(config) {
+  return {
+    async onRequest({ request }) {
+      if (needsWorkspaceKey(request.url, config.urlConfig)) {
+        const workspaceHeader = config.workspaceKeyProvider.getWorkspaceKeyHeader();
+        if (workspaceHeader) {
+          request.headers.set("Workspace-Key", workspaceHeader);
+        }
+      }
+      return request;
+    }
+  };
+}
+
+// src/middleware/auto-relogin.ts
+function createAutoReloginMiddleware(config) {
+  return {
+    async onResponse({ response, request }) {
+      if (needsWorkspaceKey(request.url, config.urlConfig)) {
+        const hasWorkspaceKey = request.headers.has("Workspace-Key");
+        console.debug(
+          `[${request.method}] ${response.status}`,
+          request.url,
+          `Workspace-Key: ${hasWorkspaceKey ? "\u2713" : "\u2717"}`
+        );
+      }
+      if (response.status === 400) {
+        const isSafeMethod = ["GET", "HEAD", "DELETE"].includes(request.method);
+        if (isSafeMethod) {
+          console.info("[API] 400 error on protected endpoint - triggering instant re-login");
+          const newToken = await config.reloginHandler();
+          if (newToken) {
+            const newRequest = request.clone();
+            newRequest.headers.set("Authorization", `Bearer ${newToken}`);
+            if (needsWorkspaceKey(request.url, config.urlConfig)) {
+              const workspaceHeader = config.workspaceKeyProvider.getWorkspaceKeyHeader();
+              if (workspaceHeader) {
+                newRequest.headers.set("Workspace-Key", workspaceHeader);
+              }
+            }
+            console.info("[API] Retrying request after re-login");
+            return fetch(newRequest);
+          }
+        }
+      }
+      if (response.status === 401) {
+        const excludePatterns = config.reloginExcludePatterns ?? [];
+        const isExcluded = excludePatterns.some((pattern) => request.url.includes(pattern));
+        if (!isExcluded) {
+          const newToken = await config.reloginHandler();
+          if (newToken) {
+            try {
+              const newRequest = request.clone();
+              newRequest.headers.set("Authorization", `Bearer ${newToken}`);
+              if (needsWorkspaceKey(request.url, config.urlConfig)) {
+                const workspaceHeader = config.workspaceKeyProvider.getWorkspaceKeyHeader();
+                if (workspaceHeader) {
+                  newRequest.headers.set("Workspace-Key", workspaceHeader);
+                }
+              }
+              console.info("[API] Retrying request after re-login:", request.method, request.url);
+              return fetch(newRequest);
+            } catch (cloneError) {
+              console.warn("[API] Could not clone request for retry:", cloneError);
+              config.onRetryCloneFailed?.();
+            }
+          }
+        }
+      }
+      return response;
+    }
+  };
+}
+
+// src/relogin/handler.ts
+function createReloginHandler(deps) {
+  let reloginPromise = null;
+  return function instantReLogin() {
+    if (reloginPromise) {
+      console.info("[API] Re-login already in progress, waiting...");
+      return reloginPromise;
+    }
+    reloginPromise = (async () => {
+      try {
+        await deps.crypto.ensureReady();
+        const userEmail = deps.authState.getUserEmail();
+        if (!userEmail) {
+          console.warn("[API] No user email found for instant re-login");
+          return null;
+        }
+        const session = await deps.sessionStorage.getSession();
+        if (!session) {
+          console.warn("[API] No session found for instant re-login");
+          return null;
+        }
+        const ed25519PublicKey = session.signingPrivateKey.slice(32, 64);
+        const encryptionKeyPair = deps.crypto.deriveEncryptionKeypair({
+          publicKey: ed25519PublicKey,
+          secretKey: session.signingPrivateKey
+        });
+        const timestamp = Math.floor(Date.now() / 1e3);
+        const message = `${userEmail}|${timestamp}`;
+        const signature = deps.crypto.signMessage(message, session.signingPrivateKey);
+        console.info("[API] Attempting instant re-login");
+        const ssoState = deps.authState.getSsoState();
+        console.info("[API] Re-login SSO mode:", ssoState.isSsoMode);
+        console.info("[API] Auth0 authenticated:", ssoState.isAuth0Authenticated);
+        console.info("[API] Persisted Auth0 token available:", !!ssoState.auth0AccessToken);
+        const isSsoAccount = ssoState.isSsoMode || ssoState.isAuth0Authenticated || !!ssoState.auth0AccessToken;
+        let ssoToken = null;
+        if (deps.ssoTokenProvider) {
+          console.info("[API] SSO token provider available: true");
+          try {
+            ssoToken = await deps.ssoTokenProvider.getToken();
+            console.info(
+              "[API] Got SSO token from provider:",
+              ssoToken ? "yes (length: " + ssoToken.length + ")" : "no"
+            );
+          } catch (error) {
+            console.error("[API] Failed to get SSO token from provider:", error);
+          }
+        } else {
+          console.info("[API] SSO token provider available: false");
+        }
+        if (!ssoToken && ssoState.auth0AccessToken) {
+          ssoToken = ssoState.auth0AccessToken;
+          console.info(
+            "[API] Using persisted SSO token (length:",
+            ssoToken.length,
+            ") - may be expired"
+          );
+        }
+        if (!ssoToken && isSsoAccount) {
+          console.warn("[API] SSO account requires token but none available - aborting re-login");
+          return null;
+        }
+        const loginResult = await deps.loginProvider.login({
+          email: userEmail,
+          signature,
+          timestamp,
+          ssoToken: ssoToken ?? void 0
+        });
+        if (!loginResult) {
+          console.warn("[API] Instant re-login failed");
+          return null;
+        }
+        await deps.sessionStorage.saveSession({
+          signingPrivateKey: session.signingPrivateKey,
+          serverSessionKey: loginResult.sessionKey,
+          userExtId: loginResult.userExtId
+        });
+        deps.onReloginSuccess?.({
+          email: userEmail,
+          accessToken: loginResult.accessToken,
+          userExtId: loginResult.userExtId,
+          serverSessionKey: loginResult.sessionKey
+        });
+        deps.authState.setAccessToken(loginResult.accessToken);
+        deps.authState.clearWorkspaceHeaders();
+        const selectedWorkspaceId = deps.authState.getSelectedWorkspaceId();
+        if (selectedWorkspaceId) {
+          try {
+            const wrappedKey = await deps.workspaceKeyRefreshProvider.getWrappedKey(
+              loginResult.accessToken,
+              selectedWorkspaceId
+            );
+            if (wrappedKey) {
+              const workspaceKey = deps.crypto.sealedBoxDecrypt(
+                wrappedKey,
+                encryptionKeyPair.secretKey
+              );
+              const workspaceKeyHeader = await deps.crypto.createWorkspaceKeyHeader(
+                workspaceKey,
+                loginResult.sessionKey
+              );
+              deps.authState.setCachedWorkspaceHeader(selectedWorkspaceId, workspaceKeyHeader);
+            }
+          } catch (error) {
+            console.error("[API] Failed to regenerate workspace header:", error);
+          }
+        }
+        console.info("[API] Re-login successful");
+        return loginResult.accessToken;
+      } catch (error) {
+        console.error("[API] Instant re-login error:", error);
+        return null;
+      } finally {
+        reloginPromise = null;
+      }
+    })();
+    return reloginPromise;
+  };
+}
+
+// src/storage/indexed-db.ts
+var DB_NAME = "arbi-crypto";
+var DB_VERSION = 2;
+var db = null;
+async function initializeDatabase() {
+  return new Promise((resolve, reject) => {
+    const request = indexedDB.open(DB_NAME, DB_VERSION);
+    request.onerror = () => {
+      console.error("[STORAGE] Failed to open IndexedDB:", request.error);
+      reject(request.error);
+    };
+    request.onsuccess = () => {
+      db = request.result;
+      resolve(db);
+    };
+    request.onupgradeneeded = (event) => {
+      const database = event.target.result;
+      if (!database.objectStoreNames.contains("session")) {
+        database.createObjectStore("session", { keyPath: "id" });
+      }
+      if (!database.objectStoreNames.contains("wrapping-key")) {
+        database.createObjectStore("wrapping-key", { keyPath: "id" });
+      }
+    };
+  });
+}
+async function ensureDatabase() {
+  if (!db) {
+    await initializeDatabase();
+  }
+}
+async function getOrCreateWrappingKey() {
+  await ensureDatabase();
+  if (!db) {
+    throw new Error("Database not initialized");
+  }
+  return new Promise((resolve, reject) => {
+    if (!db) {
+      reject(new Error("Database not initialized"));
+      return;
+    }
+    const transaction = db.transaction(["wrapping-key"], "readwrite");
+    const store = transaction.objectStore("wrapping-key");
+    const request = store.get("master");
+    request.onsuccess = () => {
+      const result = request.result;
+      if (result?.key) {
+        resolve(result.key);
+      } else {
+        crypto.subtle.generateKey(
+          {
+            name: "AES-GCM",
+            length: 256
+          },
+          false,
+          // ❌ NON-EXTRACTABLE - Can't be exported!
+          ["encrypt", "decrypt"]
+        ).then((key) => {
+          if (!db) {
+            reject(new Error("Database not initialized"));
+            return;
+          }
+          const putTransaction = db.transaction(["wrapping-key"], "readwrite");
+          const putStore = putTransaction.objectStore("wrapping-key");
+          const putRequest = putStore.put({
+            id: "master",
+            key,
+            created: Date.now()
+          });
+          putRequest.onsuccess = () => {
+            resolve(key);
+          };
+          putRequest.onerror = () => {
+            reject(new Error("Failed to store wrapping key"));
+          };
+        }).catch((error) => {
+          const errorMsg = error instanceof Error ? error.message : String(error);
+          reject(new Error(`Failed to generate wrapping key: ${errorMsg}`));
+        });
+      }
+    };
+    request.onerror = () => {
+      reject(new Error("Failed to retrieve wrapping key from IndexedDB"));
+    };
+  });
+}
+async function encryptWithWrappingKey(data) {
+  const wrappingKey = await getOrCreateWrappingKey();
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const ciphertext = await crypto.subtle.encrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    wrappingKey,
+    data
+  );
+  return {
+    ciphertext: new Uint8Array(ciphertext),
+    iv
+  };
+}
+async function decryptWithWrappingKey(ciphertext, iv) {
+  const wrappingKey = await getOrCreateWrappingKey();
+  const decrypted = await crypto.subtle.decrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    wrappingKey,
+    ciphertext
+  );
+  return new Uint8Array(decrypted);
+}
+async function saveSession(sessionData) {
+  await ensureDatabase();
+  if (!db) {
+    throw new Error("Database not initialized");
+  }
+  try {
+    const encryptedSigningKey = await encryptWithWrappingKey(sessionData.signingPrivateKey);
+    let encryptedServerSessionKey;
+    if (sessionData.serverSessionKey) {
+      encryptedServerSessionKey = await encryptWithWrappingKey(sessionData.serverSessionKey);
+    }
+    return new Promise((resolve, reject) => {
+      if (!db) {
+        reject(new Error("Database not initialized"));
+        return;
+      }
+      const transaction = db.transaction(["session"], "readwrite");
+      const store = transaction.objectStore("session");
+      const data = {
+        id: "current",
+        encryptedSigningPrivateKey: encryptedSigningKey.ciphertext,
+        signingPrivateKeyIV: encryptedSigningKey.iv,
+        encryptedServerSessionKey: encryptedServerSessionKey?.ciphertext,
+        serverSessionKeyIV: encryptedServerSessionKey?.iv,
+        userExtId: sessionData.userExtId,
+        timestamp: Date.now()
+      };
+      const request = store.put(data);
+      request.onsuccess = () => {
+        resolve();
+      };
+      request.onerror = () => {
+        console.error("[STORAGE] Failed to save session:", request.error);
+        reject(request.error);
+      };
+    });
+  } catch (error) {
+    console.error("[STORAGE] Failed to encrypt session data:", error);
+    throw error;
+  }
+}
+async function getSession() {
+  await ensureDatabase();
+  if (!db) {
+    throw new Error("Database not initialized");
+  }
+  return new Promise((resolve, reject) => {
+    if (!db) {
+      reject(new Error("Database not initialized"));
+      return;
+    }
+    const transaction = db.transaction(["session"], "readonly");
+    const store = transaction.objectStore("session");
+    const request = store.get("current");
+    request.onsuccess = async () => {
+      const result = request.result;
+      if (result) {
+        try {
+          const signingPrivateKey = await decryptWithWrappingKey(
+            result.encryptedSigningPrivateKey,
+            result.signingPrivateKeyIV
+          );
+          let serverSessionKey;
+          if (result.encryptedServerSessionKey && result.serverSessionKeyIV) {
+            serverSessionKey = await decryptWithWrappingKey(
+              result.encryptedServerSessionKey,
+              result.serverSessionKeyIV
+            );
+          }
+          resolve({
+            signingPrivateKey,
+            serverSessionKey,
+            userExtId: result.userExtId
+          });
+        } catch (error) {
+          console.error("[STORAGE] Failed to decrypt session data:", error);
+          reject(error);
+        }
+      } else {
+        resolve(null);
+      }
+    };
+    request.onerror = () => {
+      console.error("[STORAGE] Failed to get session:", request.error);
+      reject(request.error);
+    };
+  });
+}
+async function updateSigningPrivateKey(newSigningPrivateKey) {
+  await ensureDatabase();
+  try {
+    const existingSession = await getSession();
+    if (!existingSession) {
+      throw new Error("No existing session to update");
+    }
+    await saveSession({
+      signingPrivateKey: newSigningPrivateKey,
+      serverSessionKey: existingSession.serverSessionKey,
+      userExtId: existingSession.userExtId
+    });
+  } catch (error) {
+    console.error("[STORAGE] Failed to update signing private key:", error);
+    throw error;
+  }
+}
+async function clearSession() {
+  await ensureDatabase();
+  if (!db) {
+    throw new Error("Database not initialized");
+  }
+  return new Promise((resolve, reject) => {
+    if (!db) {
+      reject(new Error("Database not initialized"));
+      return;
+    }
+    const transaction = db.transaction(["session"], "readwrite");
+    const store = transaction.objectStore("session");
+    const request = store.delete("current");
+    request.onsuccess = () => {
+      resolve();
+    };
+    request.onerror = () => {
+      console.error("[STORAGE] Failed to clear session:", request.error);
+      reject(request.error);
+    };
+  });
+}
+async function clearWrappingKey() {
+  await ensureDatabase();
+  if (!db) {
+    throw new Error("Database not initialized");
+  }
+  return new Promise((resolve, reject) => {
+    if (!db) {
+      reject(new Error("Database not initialized"));
+      return;
+    }
+    const transaction = db.transaction(["wrapping-key"], "readwrite");
+    const store = transaction.objectStore("wrapping-key");
+    const request = store.delete("master");
+    request.onsuccess = () => {
+      resolve();
+    };
+    request.onerror = () => {
+      console.error("[STORAGE] Failed to clear wrapping key:", request.error);
+      reject(request.error);
+    };
+  });
+}
+async function clearAllData() {
+  await clearSession();
+  await clearWrappingKey();
+}
+async function hasSession() {
+  const session = await getSession();
+  return session !== null;
+}
+
+// src/auth/register.ts
+async function register(params, deps) {
+  const credentials = await generateRegistrationCredentials(
+    {
+      email: params.email,
+      verification_credential: params.verificationCode,
+      given_name: params.firstName,
+      family_name: params.lastName,
+      picture: params.picture
+    },
+    params.password,
+    deps.deploymentDomain
+  );
+  const response = await deps.fetchClient.POST("/api/user/register", {
+    body: credentials.request
+  });
+  if (response.error) {
+    throw new Error(
+      `Registration failed: ${typeof response.error === "object" && response.error !== null && "detail" in response.error ? response.error.detail : "Unknown error"}`
+    );
+  }
+  return { signingPrivateKey: credentials.signingPrivateKey };
+}
+
+// src/auth/login.ts
+async function login(params, deps) {
+  const credentials = await generateLoginCredentials(
+    {
+      email: params.email,
+      sso_token: params.ssoToken
+    },
+    params.password,
+    deps.deploymentDomain
+  );
+  return performLogin(credentials.request, credentials.signingPrivateKey, deps);
+}
+async function loginWithKey(params, deps) {
+  const credentials = generateLoginCredentialsFromKey(
+    {
+      email: params.email,
+      sso_token: params.ssoToken
+    },
+    params.signingPrivateKey
+  );
+  return performLogin(credentials.request, credentials.signingPrivateKey, deps);
+}
+async function performLogin(request, signingPrivateKey, deps) {
+  const response = await deps.fetchClient.POST("/api/user/login", {
+    body: request
+  });
+  if (response.error || !response.data) {
+    throw new Error(
+      `Login failed: ${typeof response.error === "object" && response.error !== null && "detail" in response.error ? response.error.detail : "Unknown error"}`
+    );
+  }
+  const data = response.data;
+  const serverSessionKey = base64ToBytes(data.session_key);
+  await saveSession({
+    signingPrivateKey,
+    serverSessionKey,
+    userExtId: data.user.external_id ?? void 0
+  });
+  deps.session.setAccessToken(data.access_token);
+  deps.session.setUser(request.email, data.user.external_id ?? void 0);
+  return {
+    accessToken: data.access_token,
+    userExtId: data.user.external_id ?? void 0,
+    signingPrivateKey,
+    serverSessionKey
+  };
+}
+
+// src/auth/logout.ts
+async function logout(session) {
+  session.clear();
+  await clearAllData();
+}
+
+// src/auth/change-password.ts
+async function changePassword(params, deps) {
+  const credentials = await generatePasswordChangeCredentials(
+    params.email,
+    params.currentPassword,
+    params.newPassword,
+    deps.deploymentDomain
+  );
+  const response = await deps.fetchClient.POST("/api/user/change_password", {
+    body: {
+      ...credentials.request,
+      rewrapped_workspace_keys: params.rewrappedWorkspaceKeys ?? {}
+    }
+  });
+  if (response.error) {
+    throw new Error(
+      `Password change failed: ${typeof response.error === "object" && response.error !== null && "detail" in response.error ? response.error.detail : "Unknown error"}`
+    );
+  }
+  await updateSigningPrivateKey(credentials.newSigningPrivateKey);
+  return { newSigningPrivateKey: credentials.newSigningPrivateKey };
+}
+
+// src/client.ts
+var DEFAULT_WORKSPACE_KEY_URL_CONFIG = {
+  excludePatterns: ["/api/user/", "/api/health/", "/api/configs/", "/api/workspace/create"],
+  includePatterns: [
+    "/api/workspace/wrk-",
+    "/api/document/",
+    "/api/conversation/",
+    "/api/assistant/",
+    "/api/tag/"
+  ]
+};
+function createArbiClient(options) {
+  const {
+    baseUrl,
+    deploymentDomain,
+    workspaceKeyUrlConfig = DEFAULT_WORKSPACE_KEY_URL_CONFIG,
+    reloginExcludePatterns = ["/api/user/login"],
+    credentials = "include",
+    ssoTokenProvider = null,
+    onReloginSuccess
+  } = options;
+  const session = createSessionManager();
+  const tokenProvider = createTokenProvider(session);
+  const workspaceKeyProvider = createWorkspaceKeyProvider(session);
+  const authState = createAuthStateProvider(session);
+  const cryptoProvider = {
+    ensureReady: initSodium,
+    signMessage,
+    deriveEncryptionKeypair: deriveEncryptionKeypairFromSigning,
+    sealedBoxDecrypt,
+    createWorkspaceKeyHeader,
+    fromBase64: base64ToBytes
+  };
+  const loginProvider = {
+    async login(payload) {
+      const rawFetch = createFetchClient({
+        baseUrl,
+        credentials
+      });
+      const response = await rawFetch.POST("/api/user/login", {
+        body: {
+          email: payload.email,
+          signature: payload.signature,
+          timestamp: payload.timestamp,
+          sso_token: payload.ssoToken
+        }
+      });
+      if (response.error || !response.data) {
+        console.warn("[API] Login call failed:", response.error);
+        return null;
+      }
+      const data = response.data;
+      return {
+        accessToken: data.access_token,
+        sessionKey: base64ToBytes(data.session_key),
+        userExtId: data.user.external_id ?? void 0
+      };
+    }
+  };
+  const workspaceKeyRefreshProvider = {
+    async getWrappedKey(accessToken, workspaceId) {
+      const workspacesResponse = await fetch(`${baseUrl}/api/user/workspaces`, {
+        method: "GET",
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/json"
+        },
+        credentials
+      });
+      if (!workspacesResponse.ok) return null;
+      const workspacesData = await workspacesResponse.json();
+      const workspace = workspacesData.find(
+        (w) => w.external_id === workspaceId
+      );
+      return workspace?.wrapped_key ?? null;
+    }
+  };
+  const reloginHandler = createReloginHandler({
+    crypto: cryptoProvider,
+    sessionStorage: { getSession, saveSession },
+    authState,
+    ssoTokenProvider,
+    loginProvider,
+    workspaceKeyRefreshProvider,
+    onReloginSuccess
+  });
+  const fetchClient = createFetchClient({
+    baseUrl,
+    credentials
+  });
+  fetchClient.use(createBearerAuthMiddleware({ tokenProvider }));
+  fetchClient.use(
+    createWorkspaceKeyMiddleware({
+      workspaceKeyProvider,
+      urlConfig: workspaceKeyUrlConfig
+    })
+  );
+  fetchClient.use(
+    createAutoReloginMiddleware({
+      reloginHandler,
+      workspaceKeyProvider,
+      urlConfig: workspaceKeyUrlConfig,
+      reloginExcludePatterns
+    })
+  );
+  const authDeps = {
+    fetchClient,
+    session,
+    deploymentDomain
+  };
+  return {
+    fetch: fetchClient,
+    session,
+    auth: {
+      register: (params) => register(params, authDeps),
+      login: (params) => login(params, authDeps),
+      loginWithKey: (params) => loginWithKey(params, authDeps),
+      logout: () => logout(session),
+      changePassword: (params) => changePassword(params, authDeps),
+      relogin: reloginHandler
+    },
+    crypto: {
+      initSodium,
+      generateUserKeypairs: (email, password) => generateUserKeypairs(email, password, deploymentDomain),
+      signMessage,
+      sealedBoxDecrypt,
+      sealedBoxEncrypt,
+      createWorkspaceKeyHeader,
+      deriveEncryptionKeypairFromSigning,
+      derivePublicKey,
+      base64ToBytes,
+      bytesToBase64,
+      base64Encode,
+      base64Decode,
+      computeSharedSecret,
+      encryptMessage,
+      decryptMessage,
+      encryptMessageWithSharedSecret,
+      decryptMessageWithSharedSecret
+    },
+    storage: {
+      getSession,
+      saveSession
+    }
+  };
+}
+
+// src/websocket.ts
+function buildWebSocketUrl(baseUrl) {
+  const wsScheme = baseUrl.startsWith("https") ? "wss" : "ws";
+  const hostAndPath = baseUrl.replace(/^https?:\/\//, "").replace(/\/+$/, "");
+  return `${wsScheme}://${hostAndPath}/api/notifications/ws`;
+}
+function createAuthMessage(accessToken) {
+  const msg = { type: "auth", token: accessToken };
+  return JSON.stringify(msg);
+}
+function parseServerMessage(data) {
+  try {
+    const parsed = JSON.parse(data);
+    if (typeof parsed === "object" && parsed !== null && typeof parsed.type === "string") {
+      return parsed;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function isMessageType(msg, type) {
+  return msg.type === type;
+}
+
+export { base64Decode, base64Encode, base64ToBytes, buildWebSocketUrl, bytesToBase64, clearAllData, clearSession, computeSharedSecret, createArbiClient, createAuthMessage, createAutoReloginMiddleware, createBearerAuthMiddleware, createReloginHandler, createSessionManager, createWorkspaceKeyHeader, createWorkspaceKeyMiddleware, decryptMessage, decryptMessageWithSharedSecret, deriveEncryptionKeypairFromSigning, derivePublicKey, encryptMessage, encryptMessageWithSharedSecret, generateKeyPairs, generateLoginCredentials, generateLoginCredentialsFromKey, generatePasswordChangeCredentials, generateRecoveryPasswordChangeCredentials, generateRegistrationCredentials, generateUserKeypairs, getSession, hasSession, initSodium, initializeDatabase, isMessageType, needsWorkspaceKey, parseServerMessage, saveSession, sealedBoxDecrypt, sealedBoxEncrypt, signMessage, updateSigningPrivateKey };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map