npm - @bananalink-sdk/protocol - Versions diffs - 1.2.7 - Mend

@bananalink-sdk/protocol 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (158) hide show

package/README.md +604 -0
package/dist/chunk-32OWUOZ3.js +308 -0
package/dist/chunk-32OWUOZ3.js.map +1 -0
package/dist/chunk-65HNHRJK.cjs +123 -0
package/dist/chunk-65HNHRJK.cjs.map +1 -0
package/dist/chunk-7KYDLL3B.js +480 -0
package/dist/chunk-7KYDLL3B.js.map +1 -0
package/dist/chunk-A6FLEJ7R.cjs +62 -0
package/dist/chunk-A6FLEJ7R.cjs.map +1 -0
package/dist/chunk-CUJK7ZTS.js +217 -0
package/dist/chunk-CUJK7ZTS.js.map +1 -0
package/dist/chunk-GI3BUPIH.cjs +236 -0
package/dist/chunk-GI3BUPIH.cjs.map +1 -0
package/dist/chunk-JXHV66Q4.js +106 -0
package/dist/chunk-JXHV66Q4.js.map +1 -0
package/dist/chunk-KNGZKGRS.cjs +552 -0
package/dist/chunk-KNGZKGRS.cjs.map +1 -0
package/dist/chunk-LELPCIE7.js +840 -0
package/dist/chunk-LELPCIE7.js.map +1 -0
package/dist/chunk-MCZG7QEM.cjs +310 -0
package/dist/chunk-MCZG7QEM.cjs.map +1 -0
package/dist/chunk-TCVKC227.js +56 -0
package/dist/chunk-TCVKC227.js.map +1 -0
package/dist/chunk-VXLUSU5B.cjs +856 -0
package/dist/chunk-VXLUSU5B.cjs.map +1 -0
package/dist/chunk-WCQVDF3K.js +12 -0
package/dist/chunk-WCQVDF3K.js.map +1 -0
package/dist/chunk-WGEGR3DF.cjs +15 -0
package/dist/chunk-WGEGR3DF.cjs.map +1 -0
package/dist/client-session-claim-3QF3noOr.d.ts +197 -0
package/dist/client-session-claim-C4lUik3b.d.cts +197 -0
package/dist/core-DMhuNfoz.d.cts +62 -0
package/dist/core-DMhuNfoz.d.ts +62 -0
package/dist/crypto/providers/noble-provider.cjs +14 -0
package/dist/crypto/providers/noble-provider.cjs.map +1 -0
package/dist/crypto/providers/noble-provider.d.cts +30 -0
package/dist/crypto/providers/noble-provider.d.ts +30 -0
package/dist/crypto/providers/noble-provider.js +5 -0
package/dist/crypto/providers/noble-provider.js.map +1 -0
package/dist/crypto/providers/node-provider.cjs +308 -0
package/dist/crypto/providers/node-provider.cjs.map +1 -0
package/dist/crypto/providers/node-provider.d.cts +32 -0
package/dist/crypto/providers/node-provider.d.ts +32 -0
package/dist/crypto/providers/node-provider.js +306 -0
package/dist/crypto/providers/node-provider.js.map +1 -0
package/dist/crypto/providers/quickcrypto-provider.cjs +339 -0
package/dist/crypto/providers/quickcrypto-provider.cjs.map +1 -0
package/dist/crypto/providers/quickcrypto-provider.d.cts +34 -0
package/dist/crypto/providers/quickcrypto-provider.d.ts +34 -0
package/dist/crypto/providers/quickcrypto-provider.js +337 -0
package/dist/crypto/providers/quickcrypto-provider.js.map +1 -0
package/dist/crypto/providers/webcrypto-provider.cjs +310 -0
package/dist/crypto/providers/webcrypto-provider.cjs.map +1 -0
package/dist/crypto/providers/webcrypto-provider.d.cts +30 -0
package/dist/crypto/providers/webcrypto-provider.d.ts +30 -0
package/dist/crypto/providers/webcrypto-provider.js +308 -0
package/dist/crypto/providers/webcrypto-provider.js.map +1 -0
package/dist/crypto-BUS06Qz-.d.cts +40 -0
package/dist/crypto-BUS06Qz-.d.ts +40 -0
package/dist/crypto-export.cjs +790 -0
package/dist/crypto-export.cjs.map +1 -0
package/dist/crypto-export.d.cts +257 -0
package/dist/crypto-export.d.ts +257 -0
package/dist/crypto-export.js +709 -0
package/dist/crypto-export.js.map +1 -0
package/dist/crypto-provider-deYoVIxi.d.cts +36 -0
package/dist/crypto-provider-deYoVIxi.d.ts +36 -0
package/dist/index.cjs +615 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +379 -0
package/dist/index.d.ts +379 -0
package/dist/index.js +504 -0
package/dist/index.js.map +1 -0
package/dist/schemas-export.cjs +294 -0
package/dist/schemas-export.cjs.map +1 -0
package/dist/schemas-export.d.cts +1598 -0
package/dist/schemas-export.d.ts +1598 -0
package/dist/schemas-export.js +5 -0
package/dist/schemas-export.js.map +1 -0
package/dist/siwe-export.cjs +237 -0
package/dist/siwe-export.cjs.map +1 -0
package/dist/siwe-export.d.cts +27 -0
package/dist/siwe-export.d.ts +27 -0
package/dist/siwe-export.js +228 -0
package/dist/siwe-export.js.map +1 -0
package/dist/testing.cjs +54 -0
package/dist/testing.cjs.map +1 -0
package/dist/testing.d.cts +20 -0
package/dist/testing.d.ts +20 -0
package/dist/testing.js +51 -0
package/dist/testing.js.map +1 -0
package/dist/validation-export.cjs +359 -0
package/dist/validation-export.cjs.map +1 -0
package/dist/validation-export.d.cts +3 -0
package/dist/validation-export.d.ts +3 -0
package/dist/validation-export.js +6 -0
package/dist/validation-export.js.map +1 -0
package/dist/validators-export.cjs +73 -0
package/dist/validators-export.cjs.map +1 -0
package/dist/validators-export.d.cts +37 -0
package/dist/validators-export.d.ts +37 -0
package/dist/validators-export.js +4 -0
package/dist/validators-export.js.map +1 -0
package/package.json +140 -0
package/src/constants/index.ts +205 -0
package/src/crypto/context.ts +228 -0
package/src/crypto/diagnostics.ts +772 -0
package/src/crypto/errors.ts +114 -0
package/src/crypto/index.ts +89 -0
package/src/crypto/payload-handler.ts +102 -0
package/src/crypto/providers/compliance-provider.ts +579 -0
package/src/crypto/providers/factory.ts +204 -0
package/src/crypto/providers/index.ts +44 -0
package/src/crypto/providers/noble-provider.ts +392 -0
package/src/crypto/providers/node-provider.ts +433 -0
package/src/crypto/providers/quickcrypto-provider.ts +483 -0
package/src/crypto/providers/registry.ts +129 -0
package/src/crypto/providers/webcrypto-provider.ts +364 -0
package/src/crypto/session-security.ts +185 -0
package/src/crypto/types.ts +93 -0
package/src/crypto/utils.ts +190 -0
package/src/crypto-export.ts +21 -0
package/src/index.ts +38 -0
package/src/schemas/auth.ts +60 -0
package/src/schemas/client-messages.ts +57 -0
package/src/schemas/core.ts +144 -0
package/src/schemas/crypto.ts +65 -0
package/src/schemas/discovery.ts +79 -0
package/src/schemas/index.ts +239 -0
package/src/schemas/relay-messages.ts +45 -0
package/src/schemas/wallet-messages.ts +177 -0
package/src/schemas-export.ts +23 -0
package/src/siwe-export.ts +27 -0
package/src/testing.ts +71 -0
package/src/types/auth.ts +60 -0
package/src/types/client-messages.ts +84 -0
package/src/types/core.ts +131 -0
package/src/types/crypto-provider.ts +264 -0
package/src/types/crypto.ts +90 -0
package/src/types/discovery.ts +50 -0
package/src/types/errors.ts +87 -0
package/src/types/index.ts +197 -0
package/src/types/post-auth-operations.ts +363 -0
package/src/types/providers.ts +72 -0
package/src/types/relay-messages.ts +60 -0
package/src/types/request-lifecycle.ts +161 -0
package/src/types/signing-operations.ts +99 -0
package/src/types/wallet-messages.ts +251 -0
package/src/utils/client-session-claim.ts +188 -0
package/src/utils/index.ts +54 -0
package/src/utils/public-keys.ts +49 -0
package/src/utils/siwe.ts +362 -0
package/src/utils/url-decoding.ts +126 -0
package/src/utils/url-encoding.ts +144 -0
package/src/utils/wallet-session-claim.ts +188 -0
package/src/validation-export.ts +32 -0
package/src/validators/index.ts +222 -0
package/src/validators-export.ts +8 -0

package/src/crypto/providers/compliance-provider.ts ADDED Viewed

@@ -0,0 +1,579 @@
+import type { Logger } from '@bananalink-sdk/logger';
+import type { CryptoProvider, CryptoKeyLike, ProviderKeyPair } from '../../types/crypto-provider';
+/**
+ * Compliance audit event types
+ */
+export type ComplianceEventType =
+  | 'key_generation'
+  | 'key_import'
+  | 'key_export'
+  | 'key_derivation'
+  | 'encryption'
+  | 'decryption'
+  | 'hmac_generation'
+  | 'hmac_verification'
+  | 'random_generation';
+/**
+ * Compliance audit event
+ */
+export interface ComplianceAuditEvent {
+  eventType: ComplianceEventType;
+  timestamp: string;
+  sessionId?: string;
+  keyUsage?: readonly string[];
+  dataSize?: number;
+  algorithm?: string;
+  success: boolean;
+  error?: string;
+  metadata?: Record<string, unknown>;
+}
+/**
+ * Compliance audit logger interface
+ */
+export interface ComplianceAuditor {
+  logEvent(event: ComplianceAuditEvent): void;
+  getAuditLog(): ComplianceAuditEvent[];
+  clearAuditLog(): void;
+}
+/**
+ * Default compliance auditor implementation
+ */
+export class DefaultComplianceAuditor implements ComplianceAuditor {
+  private auditLog: ComplianceAuditEvent[] = [];
+  private readonly logger?: Logger;
+  constructor(logger?: Logger) {
+    this.logger = logger?.child({ component: 'ComplianceAuditor' });
+  }
+  logEvent(event: ComplianceAuditEvent): void {
+    this.auditLog.push(event);
+    this.logger?.info('Compliance audit event', {
+      eventType: event.eventType,
+      success: event.success,
+      sessionId: event.sessionId,
+      timestamp: event.timestamp
+    });
+  }
+  getAuditLog(): ComplianceAuditEvent[] {
+    return [...this.auditLog];
+  }
+  clearAuditLog(): void {
+    this.auditLog = [];
+    this.logger?.debug('Compliance audit log cleared');
+  }
+}
+/**
+ * Key usage restrictions for compliance
+ */
+export interface KeyUsageRestrictions {
+  allowKeyExport?: boolean;
+  allowKeyImport?: boolean;
+  requiredKeyUsages?: string[];
+  forbiddenKeyUsages?: string[];
+  maxDataSize?: number;
+  requireSessionId?: boolean;
+}
+/**
+ * Compliance configuration
+ */
+export interface ComplianceConfig {
+  enabled?: boolean;
+  auditor?: ComplianceAuditor;
+  keyRestrictions?: KeyUsageRestrictions;
+  sessionId?: string;
+  enableStrictMode?: boolean;
+  strictMode?: boolean;
+}
+/**
+ * Compliance wrapper for CryptoProvider implementations
+ * Provides audit logging, key usage restrictions, and regulatory compliance features
+ */
+export class ComplianceCryptoProvider implements CryptoProvider {
+  public readonly name: string;
+  public readonly isAvailable: boolean;
+  private readonly underlyingProvider: CryptoProvider;
+  private readonly config: ComplianceConfig;
+  private readonly auditor: ComplianceAuditor;
+  private readonly logger?: Logger;
+  constructor(
+    underlyingProvider: CryptoProvider,
+    config: ComplianceConfig = {},
+    logger?: Logger
+  ) {
+    this.underlyingProvider = underlyingProvider;
+    this.config = config;
+    this.auditor = config.auditor || new DefaultComplianceAuditor(logger);
+    this.logger = logger?.child({
+      component: 'ComplianceCryptoProvider',
+      underlyingProvider: underlyingProvider.name
+    });
+    this.name = `Compliance(${underlyingProvider.name})`;
+    this.isAvailable = underlyingProvider.isAvailable;
+  }
+  /**
+   * Create compliance audit event
+   */
+  private createAuditEvent(
+    eventType: ComplianceEventType,
+    success: boolean,
+    metadata: Record<string, unknown> = {},
+    error?: string
+  ): ComplianceAuditEvent {
+    return {
+      eventType,
+      timestamp: new Date().toISOString(),
+      sessionId: this.config.sessionId,
+      success,
+      error,
+      metadata,
+      ...metadata
+    };
+  }
+  /**
+   * Validate key usage restrictions
+   */
+  private validateKeyUsage(operation: string, keyUsages?: readonly string[], dataSize?: number): void {
+    const restrictions = this.config.keyRestrictions;
+    if (!restrictions) return;
+    if (restrictions.requireSessionId && !this.config.sessionId) {
+      throw new Error('Session ID required for compliance but not provided');
+    }
+    if (restrictions.maxDataSize && dataSize && dataSize > restrictions.maxDataSize) {
+      throw new Error(`Data size ${dataSize} exceeds maximum allowed ${restrictions.maxDataSize} bytes`);
+    }
+    if (keyUsages && restrictions.requiredKeyUsages) {
+      const hasRequiredUsage = restrictions.requiredKeyUsages.some(usage => keyUsages.includes(usage));
+      if (!hasRequiredUsage) {
+        throw new Error(`Key must have one of required usages: ${restrictions.requiredKeyUsages.join(', ')}`);
+      }
+    }
+    if (keyUsages && restrictions.forbiddenKeyUsages) {
+      const hasForbiddenUsage = restrictions.forbiddenKeyUsages.some(usage => keyUsages.includes(usage));
+      if (hasForbiddenUsage) {
+        throw new Error(`Key has forbidden usage. Forbidden: ${restrictions.forbiddenKeyUsages.join(', ')}`);
+      }
+    }
+    // Operation-specific restrictions
+    if (operation === 'export' && restrictions.allowKeyExport === false) {
+      throw new Error('Key export is forbidden by compliance policy');
+    }
+    if (operation === 'import' && restrictions.allowKeyImport === false) {
+      throw new Error('Key import is forbidden by compliance policy');
+    }
+  }
+  /**
+   * Generate ECDH P-256 key pair with compliance audit
+   */
+  async generateKeyPair(): Promise<ProviderKeyPair> {
+    const startTime = Date.now();
+    try {
+      this.logger?.debug('Generating key pair with compliance audit');
+      const keyPair = await this.underlyingProvider.generateKeyPair();
+      this.validateKeyUsage('generation', keyPair.privateKey.usages);
+      this.auditor.logEvent(this.createAuditEvent('key_generation', true, {
+        algorithm: keyPair.privateKey.algorithm,
+        keyUsage: keyPair.privateKey.usages,
+        duration: Date.now() - startTime
+      }));
+      return keyPair;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('key_generation', false, {
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Export public key with compliance audit
+   */
+  async exportPublicKey(publicKey: CryptoKeyLike): Promise<ArrayBuffer> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('export', publicKey.usages);
+      const keyData = await this.underlyingProvider.exportPublicKey(publicKey);
+      this.auditor.logEvent(this.createAuditEvent('key_export', true, {
+        keyType: 'public',
+        algorithm: publicKey.algorithm,
+        keySize: keyData.byteLength,
+        duration: Date.now() - startTime
+      }));
+      return keyData;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('key_export', false, {
+        keyType: 'public',
+        algorithm: publicKey.algorithm,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Export private key with compliance audit
+   */
+  async exportPrivateKey(privateKey: CryptoKeyLike): Promise<ArrayBuffer> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('export', privateKey.usages);
+      // Extra security check for private key export
+      if (this.config.enableStrictMode) {
+        this.logger?.warn('Private key export in strict compliance mode', {
+          sessionId: this.config.sessionId,
+          algorithm: privateKey.algorithm
+        });
+      }
+      const keyData = await this.underlyingProvider.exportPrivateKey(privateKey);
+      this.auditor.logEvent(this.createAuditEvent('key_export', true, {
+        keyType: 'private',
+        algorithm: privateKey.algorithm,
+        keySize: keyData.byteLength,
+        strictMode: this.config.enableStrictMode,
+        duration: Date.now() - startTime
+      }));
+      return keyData;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('key_export', false, {
+        keyType: 'private',
+        algorithm: privateKey.algorithm,
+        strictMode: this.config.enableStrictMode,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Import public key with compliance audit
+   */
+  async importPublicKey(keyData: ArrayBuffer): Promise<CryptoKeyLike> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('import');
+      const key = await this.underlyingProvider.importPublicKey(keyData);
+      this.auditor.logEvent(this.createAuditEvent('key_import', true, {
+        keyType: 'public',
+        algorithm: key.algorithm,
+        keySize: keyData.byteLength,
+        keyUsage: key.usages,
+        duration: Date.now() - startTime
+      }));
+      return key;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('key_import', false, {
+        keyType: 'public',
+        keySize: keyData.byteLength,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Import private key with compliance audit
+   */
+  async importPrivateKey(keyData: ArrayBuffer): Promise<CryptoKeyLike> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('import');
+      const key = await this.underlyingProvider.importPrivateKey(keyData);
+      this.auditor.logEvent(this.createAuditEvent('key_import', true, {
+        keyType: 'private',
+        algorithm: key.algorithm,
+        keySize: keyData.byteLength,
+        keyUsage: key.usages,
+        duration: Date.now() - startTime
+      }));
+      return key;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('key_import', false, {
+        keyType: 'private',
+        keySize: keyData.byteLength,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Derive shared secret with compliance audit
+   */
+  async deriveSharedSecret(privateKey: CryptoKeyLike, publicKey: CryptoKeyLike): Promise<CryptoKeyLike> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('derivation', privateKey.usages);
+      const sharedSecret = await this.underlyingProvider.deriveSharedSecret(privateKey, publicKey);
+      this.auditor.logEvent(this.createAuditEvent('key_derivation', true, {
+        operation: 'ECDH',
+        algorithm: privateKey.algorithm,
+        duration: Date.now() - startTime
+      }));
+      return sharedSecret;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('key_derivation', false, {
+        operation: 'ECDH',
+        algorithm: privateKey.algorithm,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Derive encryption key with compliance audit
+   */
+  async deriveEncryptionKey(sharedSecret: CryptoKeyLike, salt: ArrayBuffer, info: ArrayBuffer): Promise<CryptoKeyLike> {
+    const startTime = Date.now();
+    try {
+      const encryptionKey = await this.underlyingProvider.deriveEncryptionKey(sharedSecret, salt, info);
+      this.auditor.logEvent(this.createAuditEvent('key_derivation', true, {
+        operation: 'HKDF',
+        algorithm: 'HKDF-SHA256',
+        saltSize: salt.byteLength,
+        infoSize: info.byteLength,
+        duration: Date.now() - startTime
+      }));
+      return encryptionKey;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('key_derivation', false, {
+        operation: 'HKDF',
+        algorithm: 'HKDF-SHA256',
+        saltSize: salt.byteLength,
+        infoSize: info.byteLength,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Generate random bytes with compliance audit
+   */
+  randomBytes(length: number): ArrayBuffer {
+    const startTime = Date.now();
+    try {
+      const randomData = this.underlyingProvider.randomBytes(length);
+      this.auditor.logEvent(this.createAuditEvent('random_generation', true, {
+        length,
+        duration: Date.now() - startTime
+      }));
+      return randomData;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('random_generation', false, {
+        length,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Encrypt data with compliance audit
+   */
+  async encrypt(key: CryptoKeyLike, data: ArrayBuffer, iv: ArrayBuffer): Promise<ArrayBuffer> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('encryption', key.usages, data.byteLength);
+      const ciphertext = await this.underlyingProvider.encrypt(key, data, iv);
+      this.auditor.logEvent(this.createAuditEvent('encryption', true, {
+        algorithm: key.algorithm,
+        dataSize: data.byteLength,
+        ivSize: iv.byteLength,
+        ciphertextSize: ciphertext.byteLength,
+        duration: Date.now() - startTime
+      }));
+      return ciphertext;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('encryption', false, {
+        algorithm: key.algorithm,
+        dataSize: data.byteLength,
+        ivSize: iv.byteLength,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Decrypt data with compliance audit
+   */
+  async decrypt(key: CryptoKeyLike, data: ArrayBuffer, iv: ArrayBuffer): Promise<ArrayBuffer> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('decryption', key.usages, data.byteLength);
+      const plaintext = await this.underlyingProvider.decrypt(key, data, iv);
+      this.auditor.logEvent(this.createAuditEvent('decryption', true, {
+        algorithm: key.algorithm,
+        dataSize: data.byteLength,
+        ivSize: iv.byteLength,
+        plaintextSize: plaintext.byteLength,
+        duration: Date.now() - startTime
+      }));
+      return plaintext;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('decryption', false, {
+        algorithm: key.algorithm,
+        dataSize: data.byteLength,
+        ivSize: iv.byteLength,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Generate HMAC with compliance audit
+   */
+  async generateHMAC(key: CryptoKeyLike, data: ArrayBuffer): Promise<ArrayBuffer> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('hmac', key.usages, data.byteLength);
+      const mac = await this.underlyingProvider.generateHMAC(key, data);
+      this.auditor.logEvent(this.createAuditEvent('hmac_generation', true, {
+        algorithm: 'HMAC-SHA256',
+        dataSize: data.byteLength,
+        macSize: mac.byteLength,
+        duration: Date.now() - startTime
+      }));
+      return mac;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('hmac_generation', false, {
+        algorithm: 'HMAC-SHA256',
+        dataSize: data.byteLength,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Verify HMAC with compliance audit
+   */
+  async verifyHMAC(key: CryptoKeyLike, data: ArrayBuffer, mac: ArrayBuffer): Promise<boolean> {
+    const startTime = Date.now();
+    try {
+      this.validateKeyUsage('hmac', key.usages, data.byteLength);
+      const isValid = await this.underlyingProvider.verifyHMAC(key, data, mac);
+      this.auditor.logEvent(this.createAuditEvent('hmac_verification', true, {
+        algorithm: 'HMAC-SHA256',
+        dataSize: data.byteLength,
+        macSize: mac.byteLength,
+        verified: isValid,
+        duration: Date.now() - startTime
+      }));
+      return isValid;
+    } catch (error) {
+      this.auditor.logEvent(this.createAuditEvent('hmac_verification', false, {
+        algorithm: 'HMAC-SHA256',
+        dataSize: data.byteLength,
+        macSize: mac.byteLength,
+        duration: Date.now() - startTime
+      }, error instanceof Error ? error.message : String(error)));
+      throw error;
+    }
+  }
+  /**
+   * Get compliance auditor for external access
+   */
+  getAuditor(): ComplianceAuditor {
+    return this.auditor;
+  }
+  /**
+   * Update compliance configuration
+   */
+  updateConfig(newConfig: Partial<ComplianceConfig>): void {
+    Object.assign(this.config, newConfig);
+    this.logger?.debug('Compliance configuration updated', newConfig);
+  }
+  /**
+   * Get underlying provider (for debugging/testing)
+   */
+  getUnderlyingProvider(): CryptoProvider {
+    return this.underlyingProvider;
+  }
+}