npm - @bananalink-sdk/protocol - Versions diffs - 1.2.7 - Mend

@bananalink-sdk/protocol 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (158) hide show

package/README.md +604 -0
package/dist/chunk-32OWUOZ3.js +308 -0
package/dist/chunk-32OWUOZ3.js.map +1 -0
package/dist/chunk-65HNHRJK.cjs +123 -0
package/dist/chunk-65HNHRJK.cjs.map +1 -0
package/dist/chunk-7KYDLL3B.js +480 -0
package/dist/chunk-7KYDLL3B.js.map +1 -0
package/dist/chunk-A6FLEJ7R.cjs +62 -0
package/dist/chunk-A6FLEJ7R.cjs.map +1 -0
package/dist/chunk-CUJK7ZTS.js +217 -0
package/dist/chunk-CUJK7ZTS.js.map +1 -0
package/dist/chunk-GI3BUPIH.cjs +236 -0
package/dist/chunk-GI3BUPIH.cjs.map +1 -0
package/dist/chunk-JXHV66Q4.js +106 -0
package/dist/chunk-JXHV66Q4.js.map +1 -0
package/dist/chunk-KNGZKGRS.cjs +552 -0
package/dist/chunk-KNGZKGRS.cjs.map +1 -0
package/dist/chunk-LELPCIE7.js +840 -0
package/dist/chunk-LELPCIE7.js.map +1 -0
package/dist/chunk-MCZG7QEM.cjs +310 -0
package/dist/chunk-MCZG7QEM.cjs.map +1 -0
package/dist/chunk-TCVKC227.js +56 -0
package/dist/chunk-TCVKC227.js.map +1 -0
package/dist/chunk-VXLUSU5B.cjs +856 -0
package/dist/chunk-VXLUSU5B.cjs.map +1 -0
package/dist/chunk-WCQVDF3K.js +12 -0
package/dist/chunk-WCQVDF3K.js.map +1 -0
package/dist/chunk-WGEGR3DF.cjs +15 -0
package/dist/chunk-WGEGR3DF.cjs.map +1 -0
package/dist/client-session-claim-3QF3noOr.d.ts +197 -0
package/dist/client-session-claim-C4lUik3b.d.cts +197 -0
package/dist/core-DMhuNfoz.d.cts +62 -0
package/dist/core-DMhuNfoz.d.ts +62 -0
package/dist/crypto/providers/noble-provider.cjs +14 -0
package/dist/crypto/providers/noble-provider.cjs.map +1 -0
package/dist/crypto/providers/noble-provider.d.cts +30 -0
package/dist/crypto/providers/noble-provider.d.ts +30 -0
package/dist/crypto/providers/noble-provider.js +5 -0
package/dist/crypto/providers/noble-provider.js.map +1 -0
package/dist/crypto/providers/node-provider.cjs +308 -0
package/dist/crypto/providers/node-provider.cjs.map +1 -0
package/dist/crypto/providers/node-provider.d.cts +32 -0
package/dist/crypto/providers/node-provider.d.ts +32 -0
package/dist/crypto/providers/node-provider.js +306 -0
package/dist/crypto/providers/node-provider.js.map +1 -0
package/dist/crypto/providers/quickcrypto-provider.cjs +339 -0
package/dist/crypto/providers/quickcrypto-provider.cjs.map +1 -0
package/dist/crypto/providers/quickcrypto-provider.d.cts +34 -0
package/dist/crypto/providers/quickcrypto-provider.d.ts +34 -0
package/dist/crypto/providers/quickcrypto-provider.js +337 -0
package/dist/crypto/providers/quickcrypto-provider.js.map +1 -0
package/dist/crypto/providers/webcrypto-provider.cjs +310 -0
package/dist/crypto/providers/webcrypto-provider.cjs.map +1 -0
package/dist/crypto/providers/webcrypto-provider.d.cts +30 -0
package/dist/crypto/providers/webcrypto-provider.d.ts +30 -0
package/dist/crypto/providers/webcrypto-provider.js +308 -0
package/dist/crypto/providers/webcrypto-provider.js.map +1 -0
package/dist/crypto-BUS06Qz-.d.cts +40 -0
package/dist/crypto-BUS06Qz-.d.ts +40 -0
package/dist/crypto-export.cjs +790 -0
package/dist/crypto-export.cjs.map +1 -0
package/dist/crypto-export.d.cts +257 -0
package/dist/crypto-export.d.ts +257 -0
package/dist/crypto-export.js +709 -0
package/dist/crypto-export.js.map +1 -0
package/dist/crypto-provider-deYoVIxi.d.cts +36 -0
package/dist/crypto-provider-deYoVIxi.d.ts +36 -0
package/dist/index.cjs +615 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +379 -0
package/dist/index.d.ts +379 -0
package/dist/index.js +504 -0
package/dist/index.js.map +1 -0
package/dist/schemas-export.cjs +294 -0
package/dist/schemas-export.cjs.map +1 -0
package/dist/schemas-export.d.cts +1598 -0
package/dist/schemas-export.d.ts +1598 -0
package/dist/schemas-export.js +5 -0
package/dist/schemas-export.js.map +1 -0
package/dist/siwe-export.cjs +237 -0
package/dist/siwe-export.cjs.map +1 -0
package/dist/siwe-export.d.cts +27 -0
package/dist/siwe-export.d.ts +27 -0
package/dist/siwe-export.js +228 -0
package/dist/siwe-export.js.map +1 -0
package/dist/testing.cjs +54 -0
package/dist/testing.cjs.map +1 -0
package/dist/testing.d.cts +20 -0
package/dist/testing.d.ts +20 -0
package/dist/testing.js +51 -0
package/dist/testing.js.map +1 -0
package/dist/validation-export.cjs +359 -0
package/dist/validation-export.cjs.map +1 -0
package/dist/validation-export.d.cts +3 -0
package/dist/validation-export.d.ts +3 -0
package/dist/validation-export.js +6 -0
package/dist/validation-export.js.map +1 -0
package/dist/validators-export.cjs +73 -0
package/dist/validators-export.cjs.map +1 -0
package/dist/validators-export.d.cts +37 -0
package/dist/validators-export.d.ts +37 -0
package/dist/validators-export.js +4 -0
package/dist/validators-export.js.map +1 -0
package/package.json +140 -0
package/src/constants/index.ts +205 -0
package/src/crypto/context.ts +228 -0
package/src/crypto/diagnostics.ts +772 -0
package/src/crypto/errors.ts +114 -0
package/src/crypto/index.ts +89 -0
package/src/crypto/payload-handler.ts +102 -0
package/src/crypto/providers/compliance-provider.ts +579 -0
package/src/crypto/providers/factory.ts +204 -0
package/src/crypto/providers/index.ts +44 -0
package/src/crypto/providers/noble-provider.ts +392 -0
package/src/crypto/providers/node-provider.ts +433 -0
package/src/crypto/providers/quickcrypto-provider.ts +483 -0
package/src/crypto/providers/registry.ts +129 -0
package/src/crypto/providers/webcrypto-provider.ts +364 -0
package/src/crypto/session-security.ts +185 -0
package/src/crypto/types.ts +93 -0
package/src/crypto/utils.ts +190 -0
package/src/crypto-export.ts +21 -0
package/src/index.ts +38 -0
package/src/schemas/auth.ts +60 -0
package/src/schemas/client-messages.ts +57 -0
package/src/schemas/core.ts +144 -0
package/src/schemas/crypto.ts +65 -0
package/src/schemas/discovery.ts +79 -0
package/src/schemas/index.ts +239 -0
package/src/schemas/relay-messages.ts +45 -0
package/src/schemas/wallet-messages.ts +177 -0
package/src/schemas-export.ts +23 -0
package/src/siwe-export.ts +27 -0
package/src/testing.ts +71 -0
package/src/types/auth.ts +60 -0
package/src/types/client-messages.ts +84 -0
package/src/types/core.ts +131 -0
package/src/types/crypto-provider.ts +264 -0
package/src/types/crypto.ts +90 -0
package/src/types/discovery.ts +50 -0
package/src/types/errors.ts +87 -0
package/src/types/index.ts +197 -0
package/src/types/post-auth-operations.ts +363 -0
package/src/types/providers.ts +72 -0
package/src/types/relay-messages.ts +60 -0
package/src/types/request-lifecycle.ts +161 -0
package/src/types/signing-operations.ts +99 -0
package/src/types/wallet-messages.ts +251 -0
package/src/utils/client-session-claim.ts +188 -0
package/src/utils/index.ts +54 -0
package/src/utils/public-keys.ts +49 -0
package/src/utils/siwe.ts +362 -0
package/src/utils/url-decoding.ts +126 -0
package/src/utils/url-encoding.ts +144 -0
package/src/utils/wallet-session-claim.ts +188 -0
package/src/validation-export.ts +32 -0
package/src/validators/index.ts +222 -0
package/src/validators-export.ts +8 -0

package/src/crypto/providers/webcrypto-provider.ts ADDED Viewed

@@ -0,0 +1,364 @@
+import type { Logger } from '@bananalink-sdk/logger';
+import type { CryptoProvider, CryptoKeyLike, ProviderKeyPair } from '../../types/crypto-provider';
+import { registerCryptoProvider } from './registry';
+/**
+ * WebCrypto CryptoKey wrapper to implement CryptoKeyLike interface
+ */
+class WebCryptoKeyWrapper implements CryptoKeyLike {
+  constructor(private readonly cryptoKey: CryptoKey) {}
+  get type(): 'public' | 'private' | 'secret' {
+    return this.cryptoKey.type as 'public' | 'private' | 'secret';
+  }
+  get algorithm(): string {
+    if (typeof this.cryptoKey.algorithm === 'string') {
+      return this.cryptoKey.algorithm;
+    }
+    return this.cryptoKey.algorithm.name;
+  }
+  get extractable(): boolean {
+    return this.cryptoKey.extractable;
+  }
+  get usages(): readonly string[] {
+    return this.cryptoKey.usages;
+  }
+  get nativeKey(): CryptoKey {
+    return this.cryptoKey;
+  }
+}
+/**
+ * Helper function to unwrap CryptoKeyLike to native CryptoKey
+ */
+function unwrapCryptoKey(keyLike: CryptoKeyLike): CryptoKey {
+  if (keyLike instanceof WebCryptoKeyWrapper) {
+    return keyLike.nativeKey;
+  }
+  // For backward compatibility, assume it's already a CryptoKey
+  return keyLike as unknown as CryptoKey;
+}
+/**
+ * Web Crypto API implementation of CryptoProvider
+ * Works in browsers and Node.js environments with Web Crypto support
+ */
+export class WebCryptoProvider implements CryptoProvider {
+  public readonly name = 'WebCrypto';
+  private readonly logger?: Logger;
+  public get isAvailable(): boolean {
+    return typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined';
+  }
+  constructor(logger?: Logger) {
+    if (!this.isAvailable) {
+      throw new Error('Web Crypto API not available in this environment');
+    }
+    this.logger = logger?.child({ component: 'WebCryptoProvider' });
+  }
+  /**
+   * Generate ECDH P-256 key pair
+   */
+  async generateKeyPair(): Promise<ProviderKeyPair> {
+    this.logger?.debug('Generating ECDH P-256 key pair');
+    const keyPair = await crypto.subtle.generateKey(
+      {
+        name: 'ECDH',
+        namedCurve: 'P-256',
+      },
+      true, // extractable
+      ['deriveKey']
+    );
+    this.logger?.debug('Key pair generation completed');
+    return {
+      publicKey: new WebCryptoKeyWrapper(keyPair.publicKey),
+      privateKey: new WebCryptoKeyWrapper(keyPair.privateKey),
+    };
+  }
+  /**
+   * Export public key to ArrayBuffer (raw format)
+   */
+  async exportPublicKey(publicKey: CryptoKeyLike): Promise<ArrayBuffer> {
+    return crypto.subtle.exportKey('raw', unwrapCryptoKey(publicKey));
+  }
+  /**
+   * Export private key to ArrayBuffer (raw format)
+   */
+  async exportPrivateKey(privateKey: CryptoKeyLike): Promise<ArrayBuffer> {
+    // WebCrypto doesn't support 'raw' export for ECDH private keys
+    // Use JWK export and extract the d-value (32 bytes)
+    const jwk = await crypto.subtle.exportKey('jwk', unwrapCryptoKey(privateKey));
+    const dValue = new Uint8Array(Buffer.from(jwk.d as string, 'base64url'));
+    return dValue.buffer.slice(dValue.byteOffset, dValue.byteOffset + dValue.byteLength);
+  }
+  /**
+   * Import public key from ArrayBuffer (raw format)
+   */
+  async importPublicKey(keyData: ArrayBuffer): Promise<CryptoKeyLike> {
+    const keyBytes = new Uint8Array(keyData);
+    this.logger?.debug('importPublicKey called', {
+      keyLength: keyBytes.length,
+      keyBytesFirst20: Array.from(keyBytes.slice(0, 20)).map(b => b.toString(16).padStart(2, '0')).join(' ')
+    });
+    try {
+      const cryptoKey = await crypto.subtle.importKey(
+        'raw',
+        keyData,
+        {
+          name: 'ECDH',
+          namedCurve: 'P-256',
+        },
+        true,
+        []
+      );
+      this.logger?.debug('Public key import successful');
+      return new WebCryptoKeyWrapper(cryptoKey);
+    } catch (error) {
+      this.logger?.error('Public key import failed', {
+        error: {
+          message: error instanceof Error ? error.message : String(error),
+          stack: error instanceof Error ? error.stack : undefined
+        }
+      });
+      throw new Error(`Invalid P-256 public key: ${String(error)}`);
+    }
+  }
+  /**
+   * Import private key from ArrayBuffer (raw format)
+   */
+  async importPrivateKey(keyData: ArrayBuffer): Promise<CryptoKeyLike> {
+    this.logger?.debug('Importing private key', {
+      keyLength: keyData.byteLength
+    });
+    try {
+      const cryptoKey = await crypto.subtle.importKey(
+        'raw',
+        keyData,
+        {
+          name: 'ECDH',
+          namedCurve: 'P-256',
+        },
+        true,
+        ['deriveKey']
+      );
+      this.logger?.debug('Private key import successful');
+      return new WebCryptoKeyWrapper(cryptoKey);
+    } catch (error) {
+      this.logger?.error('Private key import failed', {
+        error: {
+          message: error instanceof Error ? error.message : String(error),
+          stack: error instanceof Error ? error.stack : undefined
+        }
+      });
+      throw new Error(`Invalid P-256 private key: ${String(error)}`);
+    }
+  }
+  /**
+   * Derive shared secret from ECDH key agreement
+   */
+  async deriveSharedSecret(privateKey: CryptoKeyLike, publicKey: CryptoKeyLike): Promise<CryptoKeyLike> {
+    this.logger?.debug('Deriving shared secret using ECDH');
+    try {
+      const derivedKey = await crypto.subtle.deriveKey(
+        {
+          name: 'ECDH',
+          public: unwrapCryptoKey(publicKey),
+        },
+        unwrapCryptoKey(privateKey),
+        {
+          name: 'AES-GCM',
+          length: 256,
+        },
+        true,
+        ['encrypt', 'decrypt']
+      );
+      this.logger?.debug('Shared secret derivation completed');
+      return new WebCryptoKeyWrapper(derivedKey);
+    } catch (error) {
+      this.logger?.error('Shared secret derivation failed', {
+        error: {
+          message: error instanceof Error ? error.message : String(error),
+          stack: error instanceof Error ? error.stack : undefined
+        }
+      });
+      throw error;
+    }
+  }
+  /**
+   * Derive AES-GCM key from shared secret using HKDF
+   */
+  async deriveEncryptionKey(sharedSecret: CryptoKeyLike, salt: ArrayBuffer, info: ArrayBuffer): Promise<CryptoKeyLike> {
+    // Import shared secret as HKDF base key
+    const baseKey = await crypto.subtle.importKey(
+      'raw',
+      await crypto.subtle.exportKey('raw', unwrapCryptoKey(sharedSecret)),
+      { name: 'HKDF' },
+      false,
+      ['deriveKey']
+    );
+    // Derive encryption key using HKDF
+    const derivedKey = await crypto.subtle.deriveKey(
+      {
+        name: 'HKDF',
+        salt: salt,
+        info: info,
+        hash: 'SHA-256',
+      },
+      baseKey,
+      { name: 'AES-GCM', length: 256 },
+      true,
+      ['encrypt', 'decrypt']
+    );
+    return new WebCryptoKeyWrapper(derivedKey);
+  }
+  /**
+   * Generate random bytes
+   */
+  randomBytes(length: number): ArrayBuffer {
+    const buffer = new ArrayBuffer(length);
+    const view = new Uint8Array(buffer);
+    crypto.getRandomValues(view);
+    return buffer;
+  }
+  /**
+   * Encrypt data using AES-GCM
+   */
+  async encrypt(key: CryptoKeyLike, data: ArrayBuffer, iv: ArrayBuffer): Promise<ArrayBuffer> {
+    this.logger?.debug('Encrypting data with AES-GCM', {
+      dataSize: data.byteLength,
+      ivSize: iv.byteLength
+    });
+    try {
+      const ciphertext = await crypto.subtle.encrypt(
+        {
+          name: 'AES-GCM',
+          iv: iv,
+          tagLength: 128, // 128-bit tag
+        },
+        unwrapCryptoKey(key),
+        data
+      );
+      this.logger?.debug('Encryption completed', {
+        ciphertextSize: ciphertext.byteLength
+      });
+      return ciphertext;
+    } catch (error) {
+      this.logger?.error('Encryption failed', {
+        error: {
+          message: error instanceof Error ? error.message : String(error),
+          stack: error instanceof Error ? error.stack : undefined
+        }
+      });
+      throw error;
+    }
+  }
+  /**
+   * Decrypt data using AES-GCM
+   */
+  async decrypt(key: CryptoKeyLike, data: ArrayBuffer, iv: ArrayBuffer): Promise<ArrayBuffer> {
+    this.logger?.debug('Decrypting data with AES-GCM', {
+      dataSize: data.byteLength,
+      ivSize: iv.byteLength
+    });
+    try {
+      const plaintext = await crypto.subtle.decrypt(
+        {
+          name: 'AES-GCM',
+          iv: iv,
+          tagLength: 128, // 128-bit tag
+        },
+        unwrapCryptoKey(key),
+        data
+      );
+      this.logger?.debug('Decryption completed', {
+        plaintextSize: plaintext.byteLength
+      });
+      return plaintext;
+    } catch (error) {
+      this.logger?.error('Decryption failed', {
+        error: {
+          message: error instanceof Error ? error.message : String(error),
+          stack: error instanceof Error ? error.stack : undefined
+        }
+      });
+      throw error;
+    }
+  }
+  /**
+   * Generate HMAC-SHA256
+   */
+  async generateHMAC(key: CryptoKeyLike, data: ArrayBuffer): Promise<ArrayBuffer> {
+    // Convert AES key to HMAC key
+    const hmacKey = await crypto.subtle.importKey(
+      'raw',
+      await crypto.subtle.exportKey('raw', unwrapCryptoKey(key)),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['sign']
+    );
+    return crypto.subtle.sign('HMAC', hmacKey, data);
+  }
+  /**
+   * Verify HMAC-SHA256
+   */
+  async verifyHMAC(key: CryptoKeyLike, data: ArrayBuffer, mac: ArrayBuffer): Promise<boolean> {
+    // Convert AES key to HMAC key
+    const hmacKey = await crypto.subtle.importKey(
+      'raw',
+      await crypto.subtle.exportKey('raw', unwrapCryptoKey(key)),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+    return crypto.subtle.verify('HMAC', hmacKey, mac, data);
+  }
+}
+/**
+ * Self-register WebCrypto provider on import
+ * This allows the provider to be available when explicitly imported
+ */
+registerCryptoProvider('webcrypto', () => new WebCryptoProvider());
+// TypeScript module augmentation to track this provider is available
+declare global {
+  // eslint-disable-next-line @typescript-eslint/no-namespace
+  namespace BananaLink {
+    interface RegisteredCryptoProviders {
+      webcrypto: true;
+    }
+  }
+}

package/src/crypto/session-security.ts ADDED Viewed

@@ -0,0 +1,185 @@
+import type { Logger } from '@bananalink-sdk/logger';
+import type { SessionKeys, EncryptedMessage, CryptoConfig } from './types';
+import { arrayBufferToBase64, base64ToArrayBuffer, stringToArrayBuffer, arrayBufferToString } from './utils';
+import type { CryptoProvider, CryptoKeyLike, ProviderKeyPair } from './providers';
+import { createCryptoProvider } from './providers';
+const CRYPTO_CONFIG: CryptoConfig = {
+  algorithm: 'AES-GCM',
+  keyLength: 256,
+  ivLength: 12,
+  tagLength: 128, // tagLength is in bits for Web Crypto API (128 bits = 16 bytes)
+  curve: 'P-256',
+};
+export class SessionSecurity {
+  private keyPair?: ProviderKeyPair;
+  private sharedSecret?: CryptoKeyLike;
+  private sessionId: string;
+  private encryptionKey?: CryptoKeyLike; // For AES-GCM
+  private provider: CryptoProvider;
+  constructor(sessionId?: string, provider?: CryptoProvider, logger?: Logger) {
+    this.provider = provider || createCryptoProvider(undefined, logger);
+    this.sessionId = sessionId || this.generateSessionId();
+  }
+  /**
+   * Get the crypto provider used by this session
+   */
+  getCryptoProvider(): CryptoProvider {
+    return this.provider;
+  }
+  /**
+   * Establish a new session with ephemeral key generation
+   */
+  static async establishSession(sessionId?: string, provider?: CryptoProvider, logger?: Logger): Promise<SessionSecurity> {
+    const session = new SessionSecurity(sessionId, provider, logger);
+    await session.generateKeyPair();
+    return session;
+  }
+  /**
+   * Generate ECDH key pair for this session
+   */
+  private async generateKeyPair(): Promise<void> {
+    this.keyPair = await this.provider.generateKeyPair();
+  }
+  /**
+   * Get the public key for sharing (base64 encoded)
+   */
+  async getPublicKey(): Promise<string> {
+    if (!this.keyPair?.publicKey) {
+      throw new Error('Key pair not generated. Call generateKeyPair() first.');
+    }
+    const exported = await this.provider.exportPublicKey(this.keyPair.publicKey);
+    return arrayBufferToBase64(exported);
+  }
+  /**
+   * Derive shared secret from peer's public key
+   */
+  async deriveSharedSecret(peerPublicKeyBase64: string): Promise<void> {
+    if (!this.keyPair?.privateKey) {
+      throw new Error('Key pair not generated');
+    }
+    const peerPublicKeyBuffer = base64ToArrayBuffer(peerPublicKeyBase64);
+    const importedPeerKey = await this.provider.importPublicKey(peerPublicKeyBuffer);
+    this.sharedSecret = await this.provider.deriveSharedSecret(this.keyPair.privateKey, importedPeerKey);
+  }
+  /**
+   * Derives an encryption key from the shared secret using HKDF.
+   * @param salt - A non-secret random value.
+   * @param info - Context-specific information.
+   */
+  async deriveEncryptionKey(salt: ArrayBuffer, info: ArrayBuffer): Promise<void> {
+    if (!this.sharedSecret) {
+      throw new Error('Shared secret not derived yet.');
+    }
+    this.encryptionKey = await this.provider.deriveEncryptionKey(this.sharedSecret, salt, info);
+  }
+  /**
+   * Encrypt a message using the derived session key
+   */
+  async encrypt(message: Record<string, unknown>): Promise<EncryptedMessage> {
+    if (!this.encryptionKey) {
+      throw new Error('Encryption key not derived');
+    }
+    const iv = this.provider.randomBytes(CRYPTO_CONFIG.ivLength);
+    const plaintext = stringToArrayBuffer(JSON.stringify(message));
+    const ciphertext = await this.provider.encrypt(this.encryptionKey, plaintext, iv);
+    // Generate HMAC for authentication
+    const dataToSign = new Uint8Array([
+      ...new Uint8Array(iv),
+      ...new Uint8Array(ciphertext)
+    ]);
+    const macBuffer = await this.provider.generateHMAC(this.encryptionKey, dataToSign.buffer);
+    return {
+      iv: arrayBufferToBase64(iv),
+      ciphertext: arrayBufferToBase64(ciphertext),
+      mac: arrayBufferToBase64(macBuffer),
+    };
+  }
+  /**
+   * Decrypt a message using the derived session key
+   */
+  async decrypt(encryptedMessage: EncryptedMessage): Promise<Record<string, unknown>> {
+    if (!this.encryptionKey) {
+      throw new Error('Encryption key not derived');
+    }
+    const iv = base64ToArrayBuffer(encryptedMessage.iv);
+    const ciphertext = base64ToArrayBuffer(encryptedMessage.ciphertext);
+    const receivedMac = base64ToArrayBuffer(encryptedMessage.mac);
+    // Verify HMAC first
+    const dataToVerify = new Uint8Array([
+      ...new Uint8Array(iv),
+      ...new Uint8Array(ciphertext)
+    ]);
+    const isValidMac = await this.provider.verifyHMAC(this.encryptionKey, dataToVerify.buffer, receivedMac);
+    if (!isValidMac) {
+      throw new Error('Message authentication failed');
+    }
+    // Decrypt the message
+    const plaintextBuffer = await this.provider.decrypt(this.encryptionKey, ciphertext, iv);
+    const plaintextString = arrayBufferToString(plaintextBuffer);
+    return JSON.parse(plaintextString) as Record<string, unknown>;
+  }
+  /**
+   * Get session information
+   */
+  async getSessionKeys(): Promise<SessionKeys> {
+    if (!this.keyPair || !this.sharedSecret) {
+      throw new Error('Session not properly initialized');
+    }
+    return {
+      sessionId: this.sessionId,
+      publicKey: await this.getPublicKey(),
+      sharedSecret: this.sharedSecret, // We know it exists due to the check above
+    };
+  }
+  /**
+   * Generate a random session ID
+   */
+  private generateSessionId(): string {
+    const sessionBytes = this.provider.randomBytes(16); // 128 bits
+    return arrayBufferToBase64(sessionBytes);
+  }
+  /**
+   * Get provider information
+   */
+  getProviderInfo(): { name: string; isAvailable: boolean } {
+    return {
+      name: this.provider.name,
+      isAvailable: this.provider.isAvailable,
+    };
+  }
+  /**
+   * Check if session is ready for encryption/decryption
+   */
+  get isReady(): boolean {
+    return !!(this.keyPair && this.sharedSecret && this.encryptionKey);
+  }
+}

package/src/crypto/types.ts ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * Crypto Runtime Types
+ *
+ * Type definitions for crypto operations and configuration used by implementations.
+ * These types are separate from the provider interface and describe data structures
+ * used during encryption, decryption, and key management.
+ *
+ * IMPORTANT: This file contains ONLY type definitions with zero runtime code.
+ */
+import type { CryptoKeyLike } from '../types/crypto-provider';
+/**
+ * Supported encryption algorithms
+ * - AES-GCM: AES-256 in Galois/Counter Mode with authentication
+ * - plaintext: No encryption (development/testing only)
+ */
+export type EncryptionAlgorithm = 'AES-GCM' | 'plaintext';
+/**
+ * Encrypted message structure
+ * Contains all components needed to decrypt and verify a message
+ */
+export interface EncryptedMessage {
+  /** Base64-encoded initialization vector (12 bytes for GCM) */
+  iv: string;
+  /** Base64-encoded ciphertext */
+  ciphertext: string;
+  /** Base64-encoded HMAC-SHA256 authentication code */
+  mac: string;
+}
+/**
+ * Asymmetric key pair structure
+ * Using CryptoKey for Web Crypto API compatibility
+ *
+ * Note: This is kept for backward compatibility with existing code.
+ * New code should use ProviderKeyPair from crypto-provider types.
+ */
+export interface KeyPair {
+  publicKey: CryptoKey;
+  privateKey: CryptoKey;
+}
+/**
+ * Session-specific encryption keys
+ * Manages shared secrets and public keys for a session
+ */
+export interface SessionKeys {
+  /** Shared secret derived from ECDH key exchange */
+  sharedSecret: CryptoKey | CryptoKeyLike;
+  /** Unique session identifier */
+  sessionId: string;
+  /** Base64-encoded public key for sharing with remote party */
+  publicKey: string;
+}
+/**
+ * Cryptographic algorithm configuration
+ * Defines the parameters for BananaLink's crypto implementation
+ */
+export interface CryptoConfig {
+  /** Encryption algorithm (always AES-GCM for production) */
+  algorithm: 'AES-GCM';
+  /** AES key length in bits */
+  keyLength: 256;
+  /** Initialization vector length in bytes (12 bytes for GCM) */
+  ivLength: 12;
+  /** Authentication tag length in bits (128 bits = 16 bytes) */
+  tagLength: 128;
+  /** Elliptic curve for ECDH key exchange */
+  curve: 'P-256';
+}
+/**
+ * Options for creating a crypto payload
+ * Supports both encrypted and plaintext modes
+ */
+export type CreatePayloadOptions =
+  | {
+      /** Plaintext mode (no encryption) */
+      encAlgo: 'plaintext';
+      /** Session identifier */
+      sessionId: string;
+    }
+  | {
+      /** Encrypted mode with AES-GCM */
+      encAlgo: 'AES-GCM';
+      /** Session identifier */
+      sessionId: string;
+      /** Base64-encoded remote public key for ECDH */
+      publicKeyB64: string;
+    };