@aura-stack/jose 0.2.0 → 0.4.0

package/dist/assert.js

@@ -4,8 +4,8 @@ import {
   isInvalidPayload,
   isInvalidSecretError,
   isObject
-} from "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-MWFJ4CA5.js";
+import "./chunk-NGBYHSRN.js";
 export {
   isAuraJoseError,
   isFalsy,

package/dist/chunk-FCUM7BTG.js

@@ -0,0 +1,67 @@
+import {
+  isObject
+} from "./chunk-MWFJ4CA5.js";
+import {
+  encoder
+} from "./chunk-RQFUZSWH.js";
+import {
+  InvalidSecretError
+} from "./chunk-NGBYHSRN.js";
+
+// src/secret.ts
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
+  if (typeof secret === "string") {
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
+    }
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
+  }
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
+};
+var getSecrets = (secret) => {
+  const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
+  const jweSecret = isObject(secret) && "jwe" in secret ? secret.jwe : secret;
+  return {
+    jwsSecret,
+    jweSecret
+  };
+};
+
+export {
+  MIN_SECRET_ENTROPY_BITS,
+  getEntropy,
+  createSecret,
+  getSecrets
+};

package/dist/{chunk-ZHFHDRQH.js → chunk-MWFJ4CA5.js}

@@ -1,7 +1,7 @@
 import {
   AuraJoseError,
   InvalidSecretError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/assert.ts
 var isAuraJoseError = (error) => {

package/dist/{chunk-BMXFAB6Q.js → chunk-NGBYHSRN.js}

@@ -33,6 +33,9 @@ var JWEEncryptionError = class extends AuraJoseError {
 var InvalidSecretError = class extends AuraJoseError {
   static code = "ERR_INVALID_SECRET";
 };
+var KeyDerivationError = class extends AuraJoseError {
+  static code = "ERR_KEY_DERIVATION";
+};
 
 export {
   AuraJoseError,
@@ -43,5 +46,6 @@ export {
   JWSSigningError,
   JWEDecryptionError,
   JWEEncryptionError,
-  InvalidSecretError
+  InvalidSecretError,
+  KeyDerivationError
 };

package/dist/chunk-OG4QRUXH.js

@@ -0,0 +1,47 @@
+import {
+  createSecret
+} from "./chunk-FCUM7BTG.js";
+import {
+  encoder,
+  getSubtleCrypto
+} from "./chunk-RQFUZSWH.js";
+import {
+  KeyDerivationError
+} from "./chunk-NGBYHSRN.js";
+
+// src/deriveKey.ts
+var deriveKey = async (secret, salt, info, length = 32) => {
+  try {
+    const subtle = getSubtleCrypto();
+    const secretBuffer = secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength);
+    const baseKey = await subtle.importKey("raw", secretBuffer, "HKDF", false, ["deriveBits"]);
+    const saltBuffer = typeof salt === "string" ? encoder.encode(salt) : salt;
+    const infoBuffer = typeof info === "string" ? encoder.encode(info) : info;
+    const derivedBits = await subtle.deriveBits(
+      {
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: saltBuffer,
+        info: infoBuffer
+      },
+      baseKey,
+      length << 3
+    );
+    return new Uint8Array(derivedBits);
+  } catch (error) {
+    throw new KeyDerivationError("Failed to create a derived key (HKDF)", { cause: error });
+  }
+};
+var createDeriveKey = async (secret, salt, info, length = 32) => {
+  const secretKey = createSecret(secret);
+  if (secretKey instanceof CryptoKey) {
+    throw new KeyDerivationError("Cannot derive key from CryptoKey. Use Uint8Array or string secret instead.");
+  }
+  const key = await deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  return key;
+};
+
+export {
+  deriveKey,
+  createDeriveKey
+};

package/dist/{chunk-VPFE27PW.js → chunk-Q2LAK6W2.js}

@@ -1,27 +1,29 @@
 import {
   createSecret
-} from "./chunk-GXM4P5MQ.js";
+} from "./chunk-FCUM7BTG.js";
 import {
   isAuraJoseError,
   isFalsy
-} from "./chunk-ZHFHDRQH.js";
+} from "./chunk-MWFJ4CA5.js";
+import {
+  getRandomBytes
+} from "./chunk-RQFUZSWH.js";
 import {
   InvalidPayloadError,
   JWEDecryptionError,
   JWEEncryptionError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/encrypt.ts
-import crypto from "crypto";
-import { EncryptJWT, jwtDecrypt } from "jose";
+import { base64url, EncryptJWT, jwtDecrypt } from "jose";
 var encryptJWE = async (payload, secret, options) => {
   try {
     if (isFalsy(payload)) {
       throw new InvalidPayloadError("The payload must be a non-empty string");
     }
     const secretKey = createSecret(secret);
-    const jti = crypto.randomBytes(32).toString("base64url");
-    return new EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
+    const jti = base64url.encode(getRandomBytes(32));
+    return await new EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;

package/dist/chunk-RQFUZSWH.js

@@ -0,0 +1,19 @@
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+var getSubtleCrypto = () => {
+  if (globalThis.crypto?.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error("SubtleCrypto is not available in this runtime");
+};
+
+export {
+  encoder,
+  decoder,
+  getRandomBytes,
+  getSubtleCrypto
+};

package/dist/{chunk-ZHDED44B.js → chunk-WXGX6PJ5.js}

@@ -1,28 +1,30 @@
 import {
   createSecret
-} from "./chunk-GXM4P5MQ.js";
+} from "./chunk-FCUM7BTG.js";
 import {
   isAuraJoseError,
   isFalsy,
   isInvalidPayload
-} from "./chunk-ZHFHDRQH.js";
+} from "./chunk-MWFJ4CA5.js";
+import {
+  getRandomBytes
+} from "./chunk-RQFUZSWH.js";
 import {
   InvalidPayloadError,
   JWSSigningError,
   JWSVerificationError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/sign.ts
-import crypto from "crypto";
-import { jwtVerify, SignJWT } from "jose";
+import { base64url, jwtVerify, SignJWT } from "jose";
 var signJWS = async (payload, secret) => {
   try {
     if (isInvalidPayload(payload)) {
       throw new InvalidPayloadError("The payload must be a non-empty object");
     }
     const secretKey = createSecret(secret);
-    const jti = crypto.randomBytes(32).toString("base64url");
-    return new SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
+    const jti = base64url.encode(getRandomBytes(32));
+    return await new SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;

package/dist/crypto.cjs

@@ -0,0 +1,46 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/crypto.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  decoder: () => decoder,
+  encoder: () => encoder,
+  getRandomBytes: () => getRandomBytes,
+  getSubtleCrypto: () => getSubtleCrypto
+});
+module.exports = __toCommonJS(crypto_exports);
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+var getSubtleCrypto = () => {
+  if (globalThis.crypto?.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error("SubtleCrypto is not available in this runtime");
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  decoder,
+  encoder,
+  getRandomBytes,
+  getSubtleCrypto
+});

package/dist/crypto.d.ts

@@ -0,0 +1,19 @@
+declare const encoder: TextEncoder;
+declare const decoder: TextDecoder;
+/**
+ * Generate random bytes using the Web Crypto API
+ * Works in Node.js 15+, Deno, Bun, and browsers
+ *
+ * @param size - Number of random bytes to generate with a max value of 65 bytes
+ * @returns Uint8Array containing random bytes
+ */
+declare const getRandomBytes: (size: number) => Uint8Array;
+/**
+ * Get a unified source of entropy - prefers crypto.subtle but falls back if needed
+ * All modern runtimes support globalThis.crypto.subtle
+ *
+ * @returns SubtleCrypto interface for cryptographic operations
+ */
+declare const getSubtleCrypto: () => SubtleCrypto;
+
+export { decoder, encoder, getRandomBytes, getSubtleCrypto };

package/dist/crypto.js

@@ -0,0 +1,12 @@
+import {
+  decoder,
+  encoder,
+  getRandomBytes,
+  getSubtleCrypto
+} from "./chunk-RQFUZSWH.js";
+export {
+  decoder,
+  encoder,
+  getRandomBytes,
+  getSubtleCrypto
+};

package/dist/deriveKey.cjs

@@ -24,7 +24,6 @@ __export(deriveKey_exports, {
   deriveKey: () => deriveKey
 });
 module.exports = __toCommonJS(deriveKey_exports);
-var import_node_crypto = require("crypto");
 
 // src/errors.ts
 var AuraJoseError = class extends Error {
@@ -40,35 +39,93 @@ var AuraJoseError = class extends Error {
 var InvalidSecretError = class extends AuraJoseError {
   static code = "ERR_INVALID_SECRET";
 };
+var KeyDerivationError = class extends AuraJoseError {
+  static code = "ERR_KEY_DERIVATION";
+};
+
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getSubtleCrypto = () => {
+  if (globalThis.crypto?.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error("SubtleCrypto is not available in this runtime");
+};
 
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return encoded;
   }
-  return secret;
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
+  }
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 
 // src/deriveKey.ts
-var deriveKey = (secret, salt, info, length = 32) => {
+var deriveKey = async (secret, salt, info, length = 32) => {
   try {
-    const key = (0, import_node_crypto.hkdfSync)("SHA256", secret, salt, info, length);
-    const derivedKey = Buffer.from(key);
-    return {
-      key,
-      derivedKey
-    };
+    const subtle = getSubtleCrypto();
+    const secretBuffer = secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength);
+    const baseKey = await subtle.importKey("raw", secretBuffer, "HKDF", false, ["deriveBits"]);
+    const saltBuffer = typeof salt === "string" ? encoder.encode(salt) : salt;
+    const infoBuffer = typeof info === "string" ? encoder.encode(info) : info;
+    const derivedBits = await subtle.deriveBits(
+      {
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: saltBuffer,
+        info: infoBuffer
+      },
+      baseKey,
+      length << 3
+    );
+    return new Uint8Array(derivedBits);
   } catch (error) {
-    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
+    throw new KeyDerivationError("Failed to create a derived key (HKDF)", { cause: error });
   }
 };
-var createDeriveKey = (secret, salt, info, length = 32) => {
+var createDeriveKey = async (secret, salt, info, length = 32) => {
   const secretKey = createSecret(secret);
-  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  if (secretKey instanceof CryptoKey) {
+    throw new KeyDerivationError("Cannot derive key from CryptoKey. Use Uint8Array or string secret instead.");
+  }
+  const key = await deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  return key;
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/deriveKey.d.ts

@@ -1,3 +1,3 @@
-import 'node:crypto';
-export { createDeriveKey, deriveKey } from './index.js';
+export { i as createDeriveKey, l as deriveKey } from './sign.js';
 import 'jose';
+import './crypto.js';

package/dist/deriveKey.js

@@ -1,10 +1,11 @@
 import {
   createDeriveKey,
   deriveKey
-} from "./chunk-K5BQTFSO.js";
-import "./chunk-GXM4P5MQ.js";
-import "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-OG4QRUXH.js";
+import "./chunk-FCUM7BTG.js";
+import "./chunk-MWFJ4CA5.js";
+import "./chunk-RQFUZSWH.js";
+import "./chunk-NGBYHSRN.js";
 export {
   createDeriveKey,
   deriveKey

package/dist/encrypt.cjs

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/encrypt.ts
@@ -35,7 +25,6 @@ __export(encrypt_exports, {
   encryptJWE: () => encryptJWE
 });
 module.exports = __toCommonJS(encrypt_exports);
-var import_node_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -70,16 +59,54 @@ var isFalsy = (value) => {
   return value === null || value === void 0 || value === false || value === 0 || value === "" || Number.isNaN(value);
 };
 
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
+    }
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return secret;
   }
-  return secret;
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 
 // src/encrypt.ts
@@ -89,8 +116,8 @@ var encryptJWE = async (payload, secret, options) => {
       throw new InvalidPayloadError("The payload must be a non-empty string");
     }
     const secretKey = createSecret(secret);
-    const jti = import_node_crypto.default.randomBytes(32).toString("base64url");
-    return new import_jose.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
+    const jti = import_jose.base64url.encode(getRandomBytes(32));
+    return await new import_jose.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;

package/dist/encrypt.d.ts

@@ -1,3 +1,3 @@
 export { JWTDecryptOptions } from 'jose';
-export { EncryptOptions, EncryptedPayload, createJWE, decryptJWE, encryptJWE } from './index.js';
-import 'node:crypto';
+export { E as EncryptOptions, a as EncryptedPayload, c as createJWE, d as decryptJWE, e as encryptJWE } from './sign.js';
+import './crypto.js';

package/dist/encrypt.js

@@ -2,10 +2,11 @@ import {
   createJWE,
   decryptJWE,
   encryptJWE
-} from "./chunk-VPFE27PW.js";
-import "./chunk-GXM4P5MQ.js";
-import "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-Q2LAK6W2.js";
+import "./chunk-FCUM7BTG.js";
+import "./chunk-MWFJ4CA5.js";
+import "./chunk-RQFUZSWH.js";
+import "./chunk-NGBYHSRN.js";
 export {
   createJWE,
   decryptJWE,

package/dist/errors.cjs

@@ -28,7 +28,8 @@ __export(errors_exports, {
   JWSSigningError: () => JWSSigningError,
   JWSVerificationError: () => JWSVerificationError,
   JWTDecodingError: () => JWTDecodingError,
-  JWTEncodingError: () => JWTEncodingError
+  JWTEncodingError: () => JWTEncodingError,
+  KeyDerivationError: () => KeyDerivationError
 });
 module.exports = __toCommonJS(errors_exports);
 var AuraJoseError = class extends Error {
@@ -65,6 +66,9 @@ var JWEEncryptionError = class extends AuraJoseError {
 var InvalidSecretError = class extends AuraJoseError {
   static code = "ERR_INVALID_SECRET";
 };
+var KeyDerivationError = class extends AuraJoseError {
+  static code = "ERR_KEY_DERIVATION";
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuraJoseError,
@@ -75,5 +79,6 @@ var InvalidSecretError = class extends AuraJoseError {
   JWSSigningError,
   JWSVerificationError,
   JWTDecodingError,
-  JWTEncodingError
+  JWTEncodingError,
+  KeyDerivationError
 });

package/dist/errors.d.ts

@@ -30,5 +30,8 @@ declare class JWEEncryptionError extends AuraJoseError {
 declare class InvalidSecretError extends AuraJoseError {
     static code: string;
 }
+declare class KeyDerivationError extends AuraJoseError {
+    static code: string;
+}
 
-export { AuraJoseError, InvalidPayloadError, InvalidSecretError, JWEDecryptionError, JWEEncryptionError, JWSSigningError, JWSVerificationError, JWTDecodingError, JWTEncodingError };
+export { AuraJoseError, InvalidPayloadError, InvalidSecretError, JWEDecryptionError, JWEEncryptionError, JWSSigningError, JWSVerificationError, JWTDecodingError, JWTEncodingError, KeyDerivationError };

package/dist/errors.js

@@ -7,8 +7,9 @@ import {
   JWSSigningError,
   JWSVerificationError,
   JWTDecodingError,
-  JWTEncodingError
-} from "./chunk-BMXFAB6Q.js";
+  JWTEncodingError,
+  KeyDerivationError
+} from "./chunk-NGBYHSRN.js";
 export {
   AuraJoseError,
   InvalidPayloadError,
@@ -18,5 +19,6 @@ export {
   JWSSigningError,
   JWSVerificationError,
   JWTDecodingError,
-  JWTEncodingError
+  JWTEncodingError,
+  KeyDerivationError
 };