npm - @bandeira-tech/b3nd-web - Versions diffs - 0.2.3 → 0.2.4 - Mend

@bandeira-tech/b3nd-web 0.2.3 → 0.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/chunk-F3W5GZU6.js +1775 -0
package/dist/{chunk-K3ZSSVHR.js → chunk-JN75UL5C.js} +2 -0
package/dist/core-CgxQpSVM.d.ts +275 -0
package/dist/encrypt/mod.d.ts +1 -1
package/dist/encrypt/mod.js +1 -1
package/dist/{mod-D02790g_.d.ts → mod-CII9wqu2.d.ts} +1 -1
package/dist/src/mod.web.d.ts +1 -1
package/dist/src/mod.web.js +4 -4
package/dist/wallet-server/adapters/browser.d.ts +76 -0
package/dist/wallet-server/adapters/browser.js +105 -0
package/dist/wallet-server/mod.d.ts +320 -0
package/dist/wallet-server/mod.js +77 -0
package/package.json +13 -3

package/dist/chunk-F3W5GZU6.js ADDED Viewed

@@ -0,0 +1,1775 @@
+import {
+  createAuthenticatedMessage,
+  createSignedEncryptedMessage,
+  decodeHex,
+  decrypt,
+  encodeHex,
+  encrypt,
+  verifyPayload
+} from "./chunk-JN75UL5C.js";
+import {
+  HttpClient
+} from "./chunk-LFUC4ETD.js";
+// wallet-server/interfaces.ts
+var defaultLogger = {
+  log: (...args) => console.log(...args),
+  warn: (...args) => console.warn(...args),
+  error: (...args) => console.error(...args)
+};
+var MemoryFileStorage = class {
+  constructor() {
+    this.storage = /* @__PURE__ */ new Map();
+  }
+  async readTextFile(path) {
+    const content = this.storage.get(path);
+    if (content === void 0) {
+      throw new Error(`File not found: ${path}`);
+    }
+    return content;
+  }
+  async writeTextFile(path, content) {
+    this.storage.set(path, content);
+  }
+  async exists(path) {
+    return this.storage.has(path);
+  }
+};
+var ConfigEnvironment = class {
+  constructor(config = {}) {
+    this.config = config;
+  }
+  get(key) {
+    return this.config[key];
+  }
+};
+// wallet-server/jwt.ts
+function base64urlEncode(data) {
+  const base64 = btoa(data);
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64urlDecode(encoded) {
+  const padded = encoded.replace(/-/g, "+").replace(/_/g, "/").padEnd(encoded.length + (4 - encoded.length % 4) % 4, "=");
+  return atob(padded);
+}
+async function createJwt(username, secret, expirationSeconds) {
+  const now = Math.floor(Date.now() / 1e3);
+  const header = {
+    alg: "HS256",
+    typ: "JWT"
+  };
+  const payload = {
+    username,
+    iat: now,
+    exp: now + expirationSeconds,
+    type: "access"
+  };
+  const headerEncoded = base64urlEncode(JSON.stringify(header));
+  const payloadEncoded = base64urlEncode(JSON.stringify(payload));
+  const message = `${headerEncoded}.${payloadEncoded}`;
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(message)
+  );
+  const signatureEncoded = base64urlEncode(
+    String.fromCharCode(...new Uint8Array(signature))
+  );
+  return `${message}.${signatureEncoded}`;
+}
+async function verifyJwt(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format");
+  }
+  const [headerEncoded, payloadEncoded, signatureEncoded] = parts;
+  const message = `${headerEncoded}.${payloadEncoded}`;
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["verify"]
+  );
+  const signaturePadded = signatureEncoded.replace(/-/g, "+").replace(/_/g, "/").padEnd(signatureEncoded.length + (4 - signatureEncoded.length % 4) % 4, "=");
+  const signatureBytes = new Uint8Array(
+    atob(signaturePadded).split("").map((c) => c.charCodeAt(0))
+  );
+  const isValid = await crypto.subtle.verify(
+    "HMAC",
+    key,
+    signatureBytes,
+    encoder.encode(message)
+  );
+  if (!isValid) {
+    throw new Error("Invalid JWT signature");
+  }
+  const payloadJson = base64urlDecode(payloadEncoded);
+  const payload = JSON.parse(payloadJson);
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.exp < now) {
+    throw new Error("JWT token has expired");
+  }
+  if (payload.type !== "access") {
+    throw new Error("Invalid token type");
+  }
+  return payload;
+}
+function extractUsernameFromJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payloadJson = base64urlDecode(parts[1]);
+    const payload = JSON.parse(payloadJson);
+    return payload.username;
+  } catch {
+    return null;
+  }
+}
+// wallet-server/obfuscation.ts
+async function deriveObfuscatedPath(serverPublicKey, username, operationType, ...params) {
+  const encoder = new TextEncoder();
+  const parts = [username, operationType, serverPublicKey, ...params];
+  const input = parts.join("|");
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(serverPublicKey),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(input)
+  );
+  return encodeHex(new Uint8Array(signature)).substring(0, 32);
+}
+async function pemToCryptoKey(pem, algorithm = "Ed25519") {
+  const base64 = pem.split("\n").filter((line) => !line.startsWith("-----")).join("");
+  const binaryString = atob(base64);
+  const bytes = new Uint8Array(binaryString.length);
+  for (let i = 0; i < binaryString.length; i++) {
+    bytes[i] = binaryString.charCodeAt(i);
+  }
+  const buffer = bytes.buffer.slice(
+    bytes.byteOffset,
+    bytes.byteOffset + bytes.byteLength
+  );
+  if (algorithm === "Ed25519") {
+    return await crypto.subtle.importKey(
+      "pkcs8",
+      buffer,
+      { name: "Ed25519", namedCurve: "Ed25519" },
+      false,
+      ["sign"]
+    );
+  } else {
+    return await crypto.subtle.importKey(
+      "pkcs8",
+      buffer,
+      { name: "X25519", namedCurve: "X25519" },
+      false,
+      ["deriveBits"]
+    );
+  }
+}
+async function createSignedEncryptedPayload(data, serverIdentityPrivateKeyPem, serverIdentityPublicKeyHex, serverEncryptionPublicKeyHex) {
+  const identityPrivateKey = await pemToCryptoKey(
+    serverIdentityPrivateKeyPem,
+    "Ed25519"
+  );
+  return await createSignedEncryptedMessage(
+    data,
+    [{ privateKey: identityPrivateKey, publicKeyHex: serverIdentityPublicKeyHex }],
+    serverEncryptionPublicKeyHex
+  );
+}
+async function decryptSignedEncryptedPayload(signedMessage, serverEncryptionPrivateKeyPem) {
+  const encryptionPrivateKey = await pemToCryptoKey(
+    serverEncryptionPrivateKeyPem,
+    "X25519"
+  );
+  const { verified, signers } = await verifyPayload({
+    payload: signedMessage.payload,
+    auth: signedMessage.auth
+  });
+  const data = await decrypt(signedMessage.payload, encryptionPrivateKey);
+  return { data, verified, signers };
+}
+async function encryptForBackend(data, serverEncryptionPublicKeyHex) {
+  return await encrypt(data, serverEncryptionPublicKeyHex);
+}
+async function decryptFromBackend(encryptedPayload, serverEncryptionPrivateKeyPem) {
+  const privateKey = await pemToCryptoKey(
+    serverEncryptionPrivateKeyPem,
+    "X25519"
+  );
+  return await decrypt(encryptedPayload, privateKey);
+}
+// wallet-server/keys.ts
+function bytesToBase64(bytes) {
+  return btoa(String.fromCharCode(...bytes));
+}
+async function generateAccountKeyPair() {
+  const keyPair = await crypto.subtle.generateKey("Ed25519", true, [
+    "sign",
+    "verify"
+  ]);
+  const privateKeyBuffer = await crypto.subtle.exportKey(
+    "pkcs8",
+    keyPair.privateKey
+  );
+  const publicKeyBuffer = await crypto.subtle.exportKey(
+    "raw",
+    keyPair.publicKey
+  );
+  const privateKeyBase64 = bytesToBase64(new Uint8Array(privateKeyBuffer));
+  const privateKeyPem = `-----BEGIN PRIVATE KEY-----
+${privateKeyBase64.match(/.{1,64}/g)?.join("\n")}
+-----END PRIVATE KEY-----`;
+  const publicKeyHex = encodeHex(new Uint8Array(publicKeyBuffer));
+  return { privateKeyPem, publicKeyHex };
+}
+async function generateEncryptionKeyPair() {
+  const keyPair = await crypto.subtle.generateKey(
+    {
+      name: "X25519",
+      namedCurve: "X25519"
+    },
+    true,
+    ["deriveBits"]
+  );
+  const privateKeyBuffer = await crypto.subtle.exportKey(
+    "pkcs8",
+    keyPair.privateKey
+  );
+  const publicKeyBuffer = await crypto.subtle.exportKey(
+    "raw",
+    keyPair.publicKey
+  );
+  const privateKeyBase64 = bytesToBase64(new Uint8Array(privateKeyBuffer));
+  const privateKeyPem = `-----BEGIN PRIVATE KEY-----
+${privateKeyBase64.match(/.{1,64}/g)?.join("\n")}
+-----END PRIVATE KEY-----`;
+  const publicKeyHex = encodeHex(new Uint8Array(publicKeyBuffer));
+  return { privateKeyPem, publicKeyHex };
+}
+async function generateUserKeys(client, serverPublicKey, username, serverIdentityPrivateKeyPem, serverIdentityPublicKeyHex, serverEncryptionPublicKeyHex) {
+  const [accountKey, encryptionKey] = await Promise.all([
+    generateAccountKeyPair(),
+    generateEncryptionKeyPair()
+  ]);
+  await Promise.all([
+    (async () => {
+      const path = await deriveObfuscatedPath(
+        serverPublicKey,
+        username,
+        "account-key"
+      );
+      const signed = await createSignedEncryptedPayload(
+        accountKey,
+        serverIdentityPrivateKeyPem,
+        serverIdentityPublicKeyHex,
+        serverEncryptionPublicKeyHex
+      );
+      await client.write(
+        `mutable://accounts/${serverPublicKey}/${path}`,
+        signed
+      );
+    })(),
+    (async () => {
+      const path = await deriveObfuscatedPath(
+        serverPublicKey,
+        username,
+        "encryption-key"
+      );
+      const signed = await createSignedEncryptedPayload(
+        encryptionKey,
+        serverIdentityPrivateKeyPem,
+        serverIdentityPublicKeyHex,
+        serverEncryptionPublicKeyHex
+      );
+      await client.write(
+        `mutable://accounts/${serverPublicKey}/${path}`,
+        signed
+      );
+    })()
+  ]);
+  return { accountKey, encryptionKey };
+}
+async function loadUserAccountKey(client, serverPublicKey, username, serverEncryptionPrivateKeyPem, logger) {
+  const path = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "account-key"
+  );
+  const result = await client.read(
+    `mutable://accounts/${serverPublicKey}/${path}`
+  );
+  if (!result.success || !result.record?.data) {
+    throw new Error("Account key not found");
+  }
+  const { data, verified } = await decryptSignedEncryptedPayload(
+    result.record.data,
+    serverEncryptionPrivateKeyPem
+  );
+  if (!verified) {
+    logger?.warn(
+      "Account key signature verification failed for user:",
+      username
+    );
+  }
+  return data;
+}
+async function loadUserEncryptionKey(client, serverPublicKey, username, serverEncryptionPrivateKeyPem, logger) {
+  const path = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "encryption-key"
+  );
+  const result = await client.read(
+    `mutable://accounts/${serverPublicKey}/${path}`
+  );
+  if (!result.success || !result.record?.data) {
+    throw new Error("Encryption key not found");
+  }
+  const { data, verified } = await decryptSignedEncryptedPayload(
+    result.record.data,
+    serverEncryptionPrivateKeyPem
+  );
+  if (!verified) {
+    logger?.warn(
+      "Encryption key signature verification failed for user:",
+      username
+    );
+  }
+  return data;
+}
+async function loadUserKeys(client, serverPublicKey, username, serverEncryptionPrivateKeyPem, logger) {
+  const [accountKey, encryptionKey] = await Promise.all([
+    loadUserAccountKey(
+      client,
+      serverPublicKey,
+      username,
+      serverEncryptionPrivateKeyPem,
+      logger
+    ),
+    loadUserEncryptionKey(
+      client,
+      serverPublicKey,
+      username,
+      serverEncryptionPrivateKeyPem,
+      logger
+    )
+  ]);
+  return { accountKey, encryptionKey };
+}
+async function getUserPublicKeys(client, serverPublicKey, username, serverEncryptionPrivateKeyPem, logger) {
+  const { accountKey, encryptionKey } = await loadUserKeys(
+    client,
+    serverPublicKey,
+    username,
+    serverEncryptionPrivateKeyPem,
+    logger
+  );
+  return {
+    accountPublicKeyHex: accountKey.publicKeyHex,
+    encryptionPublicKeyHex: encryptionKey.publicKeyHex
+  };
+}
+// wallet-server/proxy.ts
+async function proxyWrite(proxyClient, credentialClient, serverPublicKey, username, serverEncryptionPrivateKeyPem, request) {
+  try {
+    const [accountKey, encryptionKey] = await Promise.all([
+      loadUserAccountKey(
+        credentialClient,
+        serverPublicKey,
+        username,
+        serverEncryptionPrivateKeyPem
+      ),
+      loadUserEncryptionKey(
+        credentialClient,
+        serverPublicKey,
+        username,
+        serverEncryptionPrivateKeyPem
+      )
+    ]);
+    const resolvedUri = request.uri.replace(/:key/g, accountKey.publicKeyHex);
+    const userPrivateKey = await pemToCryptoKey(
+      accountKey.privateKeyPem,
+      "Ed25519"
+    );
+    const signer = {
+      privateKey: userPrivateKey,
+      publicKeyHex: accountKey.publicKeyHex
+    };
+    let signedMessage;
+    if (request.encrypt) {
+      signedMessage = await createSignedEncryptedMessage(
+        request.data,
+        [signer],
+        encryptionKey.publicKeyHex
+      );
+    } else {
+      signedMessage = await createAuthenticatedMessage(request.data, [signer]);
+    }
+    const result = await proxyClient.write(resolvedUri, signedMessage);
+    if (!result.success) {
+      return {
+        success: false,
+        error: result.error || "Write failed"
+      };
+    }
+    return {
+      success: true,
+      resolvedUri,
+      record: result.record
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: `Proxy write failed: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
+async function proxyRead(proxyClient, uri, serverEncryptionPrivateKeyPem) {
+  try {
+    const result = await proxyClient.read(uri);
+    if (!result.success) {
+      return {
+        success: false,
+        error: result.error || "Read failed"
+      };
+    }
+    const response = {
+      success: true,
+      record: result.record
+    };
+    if (serverEncryptionPrivateKeyPem && result.record?.data) {
+      try {
+        const data = result.record.data;
+        if (typeof data === "object" && data.payload && typeof data.payload === "object") {
+          const payload = data.payload;
+          if (payload.data && payload.nonce && payload.ephemeralPublicKey) {
+            const privateKey = await pemToCryptoKey(
+              serverEncryptionPrivateKeyPem,
+              "X25519"
+            );
+            const encryptedPayload = {
+              data: payload.data,
+              nonce: payload.nonce,
+              ephemeralPublicKey: payload.ephemeralPublicKey
+            };
+            const decrypted = await decrypt(
+              encryptedPayload,
+              privateKey
+            );
+            return {
+              ...response,
+              decrypted
+            };
+          }
+        }
+      } catch {
+      }
+    }
+    return response;
+  } catch (error) {
+    return {
+      success: false,
+      error: `Proxy read failed: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
+// wallet-server/auth.ts
+function generateSalt() {
+  const bytes = crypto.getRandomValues(new Uint8Array(16));
+  return encodeHex(bytes);
+}
+async function hashPassword(password, salt) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(password);
+  const saltBytes = new Uint8Array(decodeHex(salt));
+  const key = await crypto.subtle.importKey("raw", data, "PBKDF2", false, [
+    "deriveBits"
+  ]);
+  const derived = await crypto.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt: saltBytes.buffer,
+      iterations: 1e5,
+      hash: "SHA-256"
+    },
+    key,
+    256
+  );
+  return encodeHex(new Uint8Array(derived));
+}
+async function verifyPassword(password, salt, hash) {
+  const computedHash = await hashPassword(password, salt);
+  return computedHash === hash;
+}
+async function userExists(client, serverPublicKey, username, appScope) {
+  const path = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "profile",
+    ...appScope ? [appScope] : []
+  );
+  const result = await client.read(
+    `mutable://accounts/${serverPublicKey}/${path}`
+  );
+  return result.success;
+}
+async function createUser(client, serverPublicKey, username, password, serverIdentityPrivateKeyPem, serverIdentityPublicKeyHex, serverEncryptionPublicKeyHex, appScope) {
+  if (await userExists(client, serverPublicKey, username, appScope)) {
+    throw new Error("User already exists");
+  }
+  const salt = generateSalt();
+  const hash = await hashPassword(password, salt);
+  const profilePath = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "profile",
+    ...appScope ? [appScope] : []
+  );
+  const profileData = {
+    username,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const profileSigned = await createSignedEncryptedPayload(
+    profileData,
+    serverIdentityPrivateKeyPem,
+    serverIdentityPublicKeyHex,
+    serverEncryptionPublicKeyHex
+  );
+  await client.write(
+    `mutable://accounts/${serverPublicKey}/${profilePath}`,
+    profileSigned
+  );
+  const passwordPath = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "password",
+    ...appScope ? [appScope] : []
+  );
+  const passwordData = { hash, salt };
+  const passwordSigned = await createSignedEncryptedPayload(
+    passwordData,
+    serverIdentityPrivateKeyPem,
+    serverIdentityPublicKeyHex,
+    serverEncryptionPublicKeyHex
+  );
+  await client.write(
+    `mutable://accounts/${serverPublicKey}/${passwordPath}`,
+    passwordSigned
+  );
+  return { salt, hash };
+}
+async function authenticateUser(client, serverPublicKey, username, password, serverIdentityPublicKeyHex, serverEncryptionPrivateKeyPem, appScope, logger) {
+  const passwordPath = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "password",
+    ...appScope ? [appScope] : []
+  );
+  const result = await client.read(
+    `mutable://accounts/${serverPublicKey}/${passwordPath}`
+  );
+  if (!result.success || !result.record?.data) {
+    return false;
+  }
+  const { data, verified } = await decryptSignedEncryptedPayload(
+    result.record.data,
+    serverEncryptionPrivateKeyPem
+  );
+  if (!verified) {
+    logger?.warn(
+      "Password credential signature verification failed for user:",
+      username
+    );
+  }
+  const { salt, hash } = data;
+  return await verifyPassword(password, salt, hash);
+}
+async function changePassword(client, serverPublicKey, username, oldPassword, newPassword, serverIdentityPrivateKeyPem, serverIdentityPublicKeyHex, serverEncryptionPublicKeyHex, serverEncryptionPrivateKeyPem, appScope) {
+  const isValid = await authenticateUser(
+    client,
+    serverPublicKey,
+    username,
+    oldPassword,
+    serverIdentityPublicKeyHex,
+    serverEncryptionPrivateKeyPem,
+    appScope
+  );
+  if (!isValid) {
+    throw new Error("Current password is incorrect");
+  }
+  const salt = generateSalt();
+  const hash = await hashPassword(newPassword, salt);
+  const passwordPath = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "password",
+    ...appScope ? [appScope] : []
+  );
+  const passwordData = { hash, salt };
+  const passwordSigned = await createSignedEncryptedPayload(
+    passwordData,
+    serverIdentityPrivateKeyPem,
+    serverIdentityPublicKeyHex,
+    serverEncryptionPublicKeyHex
+  );
+  await client.write(
+    `mutable://accounts/${serverPublicKey}/${passwordPath}`,
+    passwordSigned
+  );
+}
+async function createPasswordResetToken(client, serverPublicKey, username, ttlSeconds, serverIdentityPrivateKeyPem, serverIdentityPublicKeyHex, serverEncryptionPublicKeyHex, appScope) {
+  if (!await userExists(client, serverPublicKey, username)) {
+    throw new Error("User not found");
+  }
+  const tokenBytes = crypto.getRandomValues(new Uint8Array(32));
+  const token = encodeHex(tokenBytes);
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(now.getTime() + ttlSeconds * 1e3);
+  const tokenPath = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "reset-tokens",
+    token,
+    ...appScope ? [appScope] : []
+  );
+  const tokenData = {
+    username,
+    createdAt: now.toISOString(),
+    expiresAt: expiresAt.toISOString()
+  };
+  const tokenSigned = await createSignedEncryptedPayload(
+    tokenData,
+    serverIdentityPrivateKeyPem,
+    serverIdentityPublicKeyHex,
+    serverEncryptionPublicKeyHex
+  );
+  await client.write(
+    `mutable://accounts/${serverPublicKey}/${tokenPath}`,
+    tokenSigned
+  );
+  return token;
+}
+async function resetPasswordWithToken(client, serverPublicKey, token, newPassword, serverIdentityPrivateKeyPem, serverIdentityPublicKeyHex, serverEncryptionPublicKeyHex, serverEncryptionPrivateKeyPem, username, appScope, logger) {
+  const tokenPath = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "reset-tokens",
+    token,
+    ...appScope ? [appScope] : []
+  );
+  const result = await client.read(
+    `mutable://accounts/${serverPublicKey}/${tokenPath}`
+  );
+  if (!result.success || !result.record?.data) {
+    throw new Error("Invalid or expired reset token");
+  }
+  const { data: tokenData, verified } = await decryptSignedEncryptedPayload(
+    result.record.data,
+    serverEncryptionPrivateKeyPem
+  );
+  if (!verified) {
+    logger?.warn(
+      "Reset token signature verification failed for user:",
+      username
+    );
+  }
+  const { username: tokenUsername, expiresAt } = tokenData;
+  if (tokenUsername !== username) {
+    throw new Error("Invalid reset token");
+  }
+  if (new Date(expiresAt) < /* @__PURE__ */ new Date()) {
+    throw new Error("Reset token has expired");
+  }
+  const salt = generateSalt();
+  const hash = await hashPassword(newPassword, salt);
+  const passwordPath = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "password",
+    ...appScope ? [appScope] : []
+  );
+  const passwordData = { hash, salt };
+  const passwordSigned = await createSignedEncryptedPayload(
+    passwordData,
+    serverIdentityPrivateKeyPem,
+    serverIdentityPublicKeyHex,
+    serverEncryptionPublicKeyHex
+  );
+  await client.write(
+    `mutable://accounts/${serverPublicKey}/${passwordPath}`,
+    passwordSigned
+  );
+  await client.delete(`mutable://accounts/${serverPublicKey}/${tokenPath}`);
+  return tokenUsername;
+}
+async function googleUserExists(client, serverPublicKey, googleSub, appScope) {
+  const path = await deriveObfuscatedPath(
+    serverPublicKey,
+    googleSub,
+    "google-profile",
+    ...appScope ? [appScope] : []
+  );
+  const result = await client.read(
+    `mutable://accounts/${serverPublicKey}/${path}`
+  );
+  return result.success;
+}
+async function createGoogleUser(client, serverPublicKey, username, googlePayload, serverIdentityPrivateKeyPem, serverIdentityPublicKeyHex, serverEncryptionPublicKeyHex, appScope) {
+  if (await googleUserExists(client, serverPublicKey, googlePayload.sub, appScope)) {
+    throw new Error("Google account already registered");
+  }
+  if (await userExists(client, serverPublicKey, username, appScope)) {
+    throw new Error("Username already exists");
+  }
+  const profilePath = await deriveObfuscatedPath(
+    serverPublicKey,
+    username,
+    "profile",
+    ...appScope ? [appScope] : []
+  );
+  const profileData = {
+    username,
+    authProvider: "google",
+    googleSub: googlePayload.sub,
+    email: googlePayload.email,
+    name: googlePayload.name,
+    picture: googlePayload.picture,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const profileSigned = await createSignedEncryptedPayload(
+    profileData,
+    serverIdentityPrivateKeyPem,
+    serverIdentityPublicKeyHex,
+    serverEncryptionPublicKeyHex
+  );
+  await client.write(
+    `mutable://accounts/${serverPublicKey}/${profilePath}`,
+    profileSigned
+  );
+  const googleProfilePath = await deriveObfuscatedPath(
+    serverPublicKey,
+    googlePayload.sub,
+    "google-profile",
+    ...appScope ? [appScope] : []
+  );
+  const googleProfileData = {
+    googleSub: googlePayload.sub,
+    username,
+    email: googlePayload.email,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const googleProfileSigned = await createSignedEncryptedPayload(
+    googleProfileData,
+    serverIdentityPrivateKeyPem,
+    serverIdentityPublicKeyHex,
+    serverEncryptionPublicKeyHex
+  );
+  await client.write(
+    `mutable://accounts/${serverPublicKey}/${googleProfilePath}`,
+    googleProfileSigned
+  );
+  return { username, googleSub: googlePayload.sub };
+}
+async function authenticateGoogleUser(client, serverPublicKey, googleSub, serverEncryptionPrivateKeyPem, appScope, logger) {
+  const googleProfilePath = await deriveObfuscatedPath(
+    serverPublicKey,
+    googleSub,
+    "google-profile",
+    ...appScope ? [appScope] : []
+  );
+  const result = await client.read(
+    `mutable://accounts/${serverPublicKey}/${googleProfilePath}`
+  );
+  if (!result.success || !result.record?.data) {
+    return null;
+  }
+  const { data, verified } = await decryptSignedEncryptedPayload(
+    result.record.data,
+    serverEncryptionPrivateKeyPem
+  );
+  if (!verified) {
+    logger?.warn(
+      "Google profile signature verification failed for sub:",
+      googleSub
+    );
+  }
+  const { username } = data;
+  return username;
+}
+// wallet-server/google-oauth.ts
+var cachedKeys = [];
+var cacheExpiry = 0;
+async function getGooglePublicKeys(fetchImpl = fetch) {
+  const now = Date.now();
+  if (cachedKeys.length > 0 && now < cacheExpiry) {
+    return cachedKeys;
+  }
+  const response = await fetchImpl(
+    "https://www.googleapis.com/oauth2/v3/certs"
+  );
+  if (!response.ok) {
+    throw new Error("Failed to fetch Google public keys");
+  }
+  const cacheControl = response.headers.get("cache-control");
+  let maxAge = 3600;
+  if (cacheControl) {
+    const match = cacheControl.match(/max-age=(\d+)/);
+    if (match) {
+      maxAge = parseInt(match[1], 10);
+    }
+  }
+  const data = await response.json();
+  cachedKeys = data.keys;
+  cacheExpiry = now + maxAge * 1e3;
+  return cachedKeys;
+}
+function clearGooglePublicKeyCache() {
+  cachedKeys = [];
+  cacheExpiry = 0;
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4) {
+    base64 += "=";
+  }
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function importRsaPublicKey(key) {
+  const jwk = {
+    kty: key.kty,
+    n: key.n,
+    e: key.e,
+    alg: key.alg,
+    use: key.use
+  };
+  return await crypto.subtle.importKey(
+    "jwk",
+    jwk,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: { name: "SHA-256" }
+    },
+    false,
+    ["verify"]
+  );
+}
+async function verifyGoogleIdToken(idToken, clientId, fetchImpl = fetch) {
+  const parts = idToken.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid Google ID token format");
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  const headerJson = new TextDecoder().decode(base64UrlDecode(headerB64));
+  const header = JSON.parse(headerJson);
+  const kid = header.kid;
+  if (!kid) {
+    throw new Error("Google ID token missing key ID");
+  }
+  let keys = await getGooglePublicKeys(fetchImpl);
+  let key = keys.find((k) => k.kid === kid);
+  if (!key) {
+    clearGooglePublicKeyCache();
+    keys = await getGooglePublicKeys(fetchImpl);
+    key = keys.find((k) => k.kid === kid);
+    if (!key) {
+      throw new Error("Google public key not found for token");
+    }
+  }
+  const publicKey = await importRsaPublicKey(key);
+  const signatureData = base64UrlDecode(signatureB64);
+  const signedData = new TextEncoder().encode(`${headerB64}.${payloadB64}`);
+  const isValid = await crypto.subtle.verify(
+    "RSASSA-PKCS1-v1_5",
+    publicKey,
+    signatureData.buffer,
+    signedData
+  );
+  if (!isValid) {
+    throw new Error("Google ID token signature verification failed");
+  }
+  const payloadJson = new TextDecoder().decode(base64UrlDecode(payloadB64));
+  const payload = JSON.parse(payloadJson);
+  if (payload.iss !== "accounts.google.com" && payload.iss !== "https://accounts.google.com") {
+    throw new Error("Invalid Google ID token issuer");
+  }
+  if (payload.aud !== clientId) {
+    throw new Error("Google ID token audience mismatch");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.exp < now) {
+    throw new Error("Google ID token has expired");
+  }
+  if (!payload.email_verified) {
+    throw new Error("Google email not verified");
+  }
+  return payload;
+}
+async function generateGoogleUsername(googleSub) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`google:${googleSub}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashHex = encodeHex(new Uint8Array(hashBuffer));
+  return `g_${hashHex.substring(0, 12)}`;
+}
+// wallet-server/credentials.ts
+var PasswordCredentialHandler = class {
+  async signup(payload, context) {
+    const { username, password } = payload;
+    if (!username || typeof username !== "string") {
+      throw new Error("username is required");
+    }
+    if (!password || typeof password !== "string" || password.length < 8) {
+      throw new Error(
+        "password is required and must be at least 8 characters"
+      );
+    }
+    context.logger?.log(`Creating password user: ${username}`);
+    await createUser(
+      context.client,
+      context.serverPublicKey,
+      username,
+      password,
+      context.serverIdentityPrivateKeyPem,
+      context.serverIdentityPublicKeyHex,
+      context.serverEncryptionPublicKeyHex,
+      context.appKey
+    );
+    context.logger?.log(`Password user created: ${username}`);
+    context.logger?.log(`Generating keys for user: ${username}`);
+    await generateUserKeys(
+      context.client,
+      context.serverPublicKey,
+      username,
+      context.serverIdentityPrivateKeyPem,
+      context.serverIdentityPublicKeyHex,
+      context.serverEncryptionPublicKeyHex
+    );
+    context.logger?.log(`Keys generated for user: ${username}`);
+    return { username };
+  }
+  async login(payload, context) {
+    const { username, password } = payload;
+    if (!username || !password) {
+      throw new Error("username and password are required");
+    }
+    const isValid = await authenticateUser(
+      context.client,
+      context.serverPublicKey,
+      username,
+      password,
+      context.serverIdentityPublicKeyHex,
+      context.serverEncryptionPrivateKeyPem,
+      context.appKey,
+      context.logger
+    );
+    if (!isValid) {
+      throw new Error("Invalid username or password");
+    }
+    return { username };
+  }
+};
+var GoogleCredentialHandler = class {
+  async signup(payload, context) {
+    if (!context.googleClientId) {
+      throw new Error("Google OAuth is not configured");
+    }
+    const { googleIdToken } = payload;
+    if (!googleIdToken || typeof googleIdToken !== "string") {
+      throw new Error("googleIdToken is required");
+    }
+    context.logger?.log("Verifying Google ID token...");
+    const googlePayload = await verifyGoogleIdToken(
+      googleIdToken,
+      context.googleClientId,
+      context.fetch
+    );
+    context.logger?.log(`Google token verified for: ${googlePayload.email}`);
+    const username = await generateGoogleUsername(googlePayload.sub);
+    context.logger?.log(`Creating Google user: ${username}`);
+    await createGoogleUser(
+      context.client,
+      context.serverPublicKey,
+      username,
+      googlePayload,
+      context.serverIdentityPrivateKeyPem,
+      context.serverIdentityPublicKeyHex,
+      context.serverEncryptionPublicKeyHex,
+      context.appKey
+    );
+    context.logger?.log(`Google user created: ${username}`);
+    context.logger?.log(`Generating keys for Google user: ${username}`);
+    await generateUserKeys(
+      context.client,
+      context.serverPublicKey,
+      username,
+      context.serverIdentityPrivateKeyPem,
+      context.serverIdentityPublicKeyHex,
+      context.serverEncryptionPublicKeyHex
+    );
+    context.logger?.log(`Keys generated for Google user: ${username}`);
+    return {
+      username,
+      metadata: {
+        email: googlePayload.email,
+        name: googlePayload.name,
+        picture: googlePayload.picture
+      }
+    };
+  }
+  async login(payload, context) {
+    if (!context.googleClientId) {
+      throw new Error("Google OAuth is not configured");
+    }
+    const { googleIdToken } = payload;
+    if (!googleIdToken || typeof googleIdToken !== "string") {
+      throw new Error("googleIdToken is required");
+    }
+    context.logger?.log("Verifying Google ID token for login...");
+    const googlePayload = await verifyGoogleIdToken(
+      googleIdToken,
+      context.googleClientId,
+      context.fetch
+    );
+    context.logger?.log(`Google token verified for: ${googlePayload.email}`);
+    const username = await authenticateGoogleUser(
+      context.client,
+      context.serverPublicKey,
+      googlePayload.sub,
+      context.serverEncryptionPrivateKeyPem,
+      context.appKey,
+      context.logger
+    );
+    if (!username) {
+      throw new Error("Google account not registered. Please sign up first.");
+    }
+    context.logger?.log(`Google login successful for user: ${username}`);
+    return {
+      username,
+      metadata: {
+        email: googlePayload.email,
+        name: googlePayload.name,
+        picture: googlePayload.picture
+      }
+    };
+  }
+};
+var credentialHandlers = /* @__PURE__ */ new Map([
+  ["password", new PasswordCredentialHandler()],
+  ["google", new GoogleCredentialHandler()]
+]);
+function getCredentialHandler(type) {
+  const handler = credentialHandlers.get(type);
+  if (!handler) {
+    throw new Error(`Unknown credential type: ${type}`);
+  }
+  return handler;
+}
+function registerCredentialHandler(type, handler) {
+  credentialHandlers.set(type, handler);
+}
+function getSupportedCredentialTypes() {
+  return Array.from(credentialHandlers.keys());
+}
+// wallet-server/core.ts
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+var WalletServerCore = class {
+  constructor(userConfig) {
+    this.validateConfig(userConfig);
+    this.serverKeys = userConfig.serverKeys;
+    this.config = this.applyDefaults(userConfig);
+    this.logger = userConfig.deps?.logger ?? defaultLogger;
+    this.storage = userConfig.deps?.storage ?? new MemoryFileStorage();
+    this.fetchImpl = userConfig.deps?.fetch ?? fetch;
+    this.credentialClient = userConfig.deps?.credentialClient ?? new HttpClient({ url: userConfig.credentialNodeUrl });
+    this.proxyClient = userConfig.deps?.proxyClient ?? new HttpClient({ url: userConfig.proxyNodeUrl });
+    this.app = this.createApp();
+  }
+  validateConfig(config) {
+    if (!config.serverKeys?.identityKey?.privateKeyPem) {
+      throw new Error("serverKeys.identityKey.privateKeyPem is required");
+    }
+    if (!config.serverKeys?.identityKey?.publicKeyHex) {
+      throw new Error("serverKeys.identityKey.publicKeyHex is required");
+    }
+    if (!config.serverKeys?.encryptionKey?.privateKeyPem) {
+      throw new Error("serverKeys.encryptionKey.privateKeyPem is required");
+    }
+    if (!config.serverKeys?.encryptionKey?.publicKeyHex) {
+      throw new Error("serverKeys.encryptionKey.publicKeyHex is required");
+    }
+    if (!config.jwtSecret || config.jwtSecret.length < 32) {
+      throw new Error("jwtSecret is required and must be at least 32 characters");
+    }
+    if (!config.credentialNodeUrl && !config.deps?.credentialClient) {
+      throw new Error(
+        "Either credentialNodeUrl or deps.credentialClient is required"
+      );
+    }
+    if (!config.proxyNodeUrl && !config.deps?.proxyClient) {
+      throw new Error("Either proxyNodeUrl or deps.proxyClient is required");
+    }
+  }
+  applyDefaults(config) {
+    return {
+      serverKeys: config.serverKeys,
+      jwtSecret: config.jwtSecret,
+      jwtExpirationSeconds: config.jwtExpirationSeconds ?? 86400,
+      allowedOrigins: config.allowedOrigins ?? ["*"],
+      passwordResetTokenTtlSeconds: config.passwordResetTokenTtlSeconds ?? 3600,
+      googleClientId: config.googleClientId ?? null,
+      bootstrapStatePath: config.bootstrapStatePath ?? null,
+      appBackend: config.appBackend ?? null
+    };
+  }
+  /**
+   * Get the Hono app instance
+   */
+  getApp() {
+    return this.app;
+  }
+  /**
+   * Get the fetch handler for use with various runtimes
+   */
+  getFetchHandler() {
+    return this.app.fetch.bind(this.app);
+  }
+  /**
+   * Get server public keys
+   */
+  getServerKeys() {
+    return {
+      identityPublicKeyHex: this.serverKeys.identityKey.publicKeyHex,
+      encryptionPublicKeyHex: this.serverKeys.encryptionKey.publicKeyHex
+    };
+  }
+  /**
+   * Bootstrap wallet app registration (optional)
+   */
+  async bootstrap() {
+    if (!this.config.appBackend) {
+      this.logger.warn(
+        "App backend not configured; skipping wallet app bootstrap"
+      );
+      return null;
+    }
+    const appKey = this.serverKeys.identityKey.publicKeyHex;
+    const apiBasePath = this.normalizeApiBasePath(
+      this.config.appBackend.apiBasePath ?? "/api/v1"
+    );
+    const appServerUrl = this.config.appBackend.url.replace(/\/$/, "");
+    if (this.config.bootstrapStatePath) {
+      try {
+        const existingState = await this.readBootstrapState(
+          this.config.bootstrapStatePath
+        );
+        if (existingState) {
+          if (existingState.appKey !== appKey) {
+            throw new Error(
+              `Bootstrap state belongs to ${existingState.appKey}, expected ${appKey}`
+            );
+          }
+          return existingState;
+        }
+      } catch {
+      }
+    }
+    const bootstrapJwt = await createJwt(
+      "__wallet_bootstrap__",
+      this.config.jwtSecret,
+      this.config.jwtExpirationSeconds
+    );
+    const signMessage = async (payload) => {
+      const privateKey = await pemToCryptoKey(
+        this.serverKeys.identityKey.privateKeyPem,
+        "Ed25519"
+      );
+      return await createAuthenticatedMessage(payload, [
+        { privateKey, publicKeyHex: appKey }
+      ]);
+    };
+    const originsMessage = await signMessage({
+      allowedOrigins: this.config.allowedOrigins,
+      encryptionPublicKeyHex: this.serverKeys.encryptionKey.publicKeyHex
+    });
+    const originsRes = await this.fetchImpl(
+      `${appServerUrl}${apiBasePath}/apps/origins/${appKey}`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${bootstrapJwt}`
+        },
+        body: JSON.stringify(originsMessage)
+      }
+    );
+    const originsBody = await originsRes.json().catch(() => ({}));
+    if (!originsRes.ok || !originsBody?.success) {
+      throw new Error(
+        `Wallet app origins bootstrap failed: ${originsBody?.error || originsRes.statusText}`
+      );
+    }
+    const schemaMessage = await signMessage({
+      actions: [],
+      encryptionPublicKeyHex: this.serverKeys.encryptionKey.publicKeyHex
+    });
+    const schemaRes = await this.fetchImpl(
+      `${appServerUrl}${apiBasePath}/apps/schema/${appKey}`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${bootstrapJwt}`
+        },
+        body: JSON.stringify(schemaMessage)
+      }
+    );
+    const schemaBody = await schemaRes.json().catch(() => ({}));
+    if (!schemaRes.ok || !schemaBody?.success) {
+      throw new Error(
+        `Wallet app schema bootstrap failed: ${schemaBody?.error || schemaRes.statusText}`
+      );
+    }
+    const state = {
+      appKey,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      appServerUrl,
+      apiBasePath
+    };
+    if (this.config.bootstrapStatePath) {
+      await this.writeBootstrapState(this.config.bootstrapStatePath, state);
+    }
+    return state;
+  }
+  normalizeApiBasePath(path) {
+    if (!path || typeof path !== "string") {
+      return "/api/v1";
+    }
+    const base = path.startsWith("/") ? path : `/${path}`;
+    return base.replace(/\/$/, "");
+  }
+  async readBootstrapState(path) {
+    try {
+      const text = await this.storage.readTextFile(path);
+      const parsed = JSON.parse(text);
+      if (!parsed.appKey || !parsed.createdAt || !parsed.appServerUrl || !parsed.apiBasePath) {
+        throw new Error(`Invalid bootstrap state file at ${path}`);
+      }
+      return parsed;
+    } catch {
+      return null;
+    }
+  }
+  async writeBootstrapState(path, state) {
+    await this.storage.writeTextFile(path, JSON.stringify(state, null, 2));
+  }
+  async sessionExists(appKey, sessionKey) {
+    const input = new TextEncoder().encode(sessionKey);
+    const digest = await crypto.subtle.digest("SHA-256", input);
+    const sigHex = Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("").substring(0, 32);
+    const uri = `mutable://accounts/${appKey}/sessions/${sigHex}`;
+    const res = await this.proxyClient.read(uri);
+    return res.success;
+  }
+  createApp() {
+    const app = new Hono();
+    const serverPublicKey = this.serverKeys.identityKey.publicKeyHex;
+    const serverIdentityPrivateKeyPem = this.serverKeys.identityKey.privateKeyPem;
+    const serverIdentityPublicKeyHex = this.serverKeys.identityKey.publicKeyHex;
+    const serverEncryptionPublicKeyHex = this.serverKeys.encryptionKey.publicKeyHex;
+    const serverEncryptionPrivateKeyPem = this.serverKeys.encryptionKey.privateKeyPem;
+    app.use(
+      "/*",
+      cors({
+        origin: (origin) => this.config.allowedOrigins[0] === "*" ? origin : this.config.allowedOrigins.join(","),
+        allowMethods: ["GET", "POST", "OPTIONS"],
+        allowHeaders: ["Content-Type", "Authorization"]
+      })
+    );
+    app.use(async (c, next) => {
+      const start = Date.now();
+      await next();
+      const duration = Date.now() - start;
+      this.logger.log(
+        `[${(/* @__PURE__ */ new Date()).toISOString()}] ${c.req.method} ${c.req.path} ${c.res.status} - ${duration}ms`
+      );
+    });
+    app.get("/api/v1/health", (c) => {
+      return c.json({
+        success: true,
+        status: "ok",
+        server: "b3nd-wallet-server",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    });
+    app.get("/api/v1/server-keys", (c) => {
+      return c.json({
+        success: true,
+        identityPublicKeyHex: serverIdentityPublicKeyHex,
+        encryptionPublicKeyHex: serverEncryptionPublicKeyHex
+      });
+    });
+    app.get("/api/v1/auth/public-keys/:appKey", async (c) => {
+      try {
+        const appKey = c.req.param("appKey");
+        const authHeader = c.req.header("Authorization");
+        if (!appKey) {
+          return c.json({ success: false, error: "appKey is required" }, 400);
+        }
+        if (!authHeader?.startsWith("Bearer ")) {
+          return c.json({ success: false, error: "Authorization required" }, 401);
+        }
+        const token = authHeader.substring(7);
+        const payload = await verifyJwt(token, this.config.jwtSecret);
+        const keys = await getUserPublicKeys(
+          this.credentialClient,
+          serverPublicKey,
+          payload.username,
+          serverEncryptionPrivateKeyPem,
+          this.logger
+        );
+        return c.json({
+          success: true,
+          accountPublicKeyHex: keys.accountPublicKeyHex,
+          encryptionPublicKeyHex: keys.encryptionPublicKeyHex
+        });
+      } catch (error) {
+        return c.json({
+          success: false,
+          error: error instanceof Error ? error.message : String(error)
+        }, 400);
+      }
+    });
+    app.get("/api/v1/auth/verify/:appKey", async (c) => {
+      try {
+        const appKey = c.req.param("appKey");
+        const authHeader = c.req.header("Authorization");
+        if (!appKey) {
+          return c.json({ success: false, error: "appKey is required" }, 400);
+        }
+        if (!authHeader?.startsWith("Bearer ")) {
+          return c.json({ success: false, error: "Authorization required" }, 401);
+        }
+        const token = authHeader.substring(7);
+        const payload = await verifyJwt(token, this.config.jwtSecret);
+        return c.json({
+          success: true,
+          username: payload.username,
+          exp: payload.exp
+        });
+      } catch (error) {
+        return c.json({
+          success: false,
+          error: error instanceof Error ? error.message : String(error)
+        }, 401);
+      }
+    });
+    app.post("/api/v1/auth/signup/:appKey", async (c) => {
+      try {
+        const appKey = c.req.param("appKey");
+        const payload = await c.req.json();
+        if (!appKey) {
+          return c.json({ success: false, error: "appKey is required" }, 400);
+        }
+        if (!payload.type) {
+          return c.json({
+            success: false,
+            error: `type is required. Supported: ${getSupportedCredentialTypes().join(", ")}`
+          }, 400);
+        }
+        const handler = getCredentialHandler(payload.type);
+        let googleClientId;
+        if (payload.type === "google") {
+          const appProfileUri = `mutable://accounts/${appKey}/app-profile`;
+          const appProfileResult = await this.credentialClient.read(appProfileUri);
+          if (appProfileResult.success && appProfileResult.record?.data) {
+            const appProfile = appProfileResult.record.data;
+            if (appProfile.payload && typeof appProfile.payload === "object") {
+              googleClientId = appProfile.payload.googleClientId;
+            } else {
+              googleClientId = appProfile.googleClientId;
+            }
+          }
+          if (!googleClientId) {
+            throw new Error("Google Client ID not configured for this app");
+          }
+        }
+        const context = {
+          client: this.credentialClient,
+          serverPublicKey,
+          serverIdentityPrivateKeyPem,
+          serverIdentityPublicKeyHex,
+          serverEncryptionPublicKeyHex,
+          serverEncryptionPrivateKeyPem,
+          appKey,
+          googleClientId,
+          logger: this.logger,
+          fetch: this.fetchImpl
+        };
+        const result = await handler.signup(payload, context);
+        const jwt = await createJwt(
+          result.username,
+          this.config.jwtSecret,
+          this.config.jwtExpirationSeconds
+        );
+        return c.json({
+          success: true,
+          username: result.username,
+          token: jwt,
+          expiresIn: this.config.jwtExpirationSeconds,
+          ...result.metadata
+        });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("already exists") || message.includes("already registered")) {
+          return c.json({ success: false, error: message }, 409);
+        }
+        if (message.includes("Unknown credential type")) {
+          return c.json({ success: false, error: message }, 400);
+        }
+        this.logger.error("Signup error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
+    app.post("/api/v1/auth/login/:appKey", async (c) => {
+      try {
+        const appKey = c.req.param("appKey");
+        const payload = await c.req.json();
+        if (!appKey) {
+          return c.json({ success: false, error: "appKey is required" }, 400);
+        }
+        if (!payload.session) {
+          return c.json({ success: false, error: "session is required" }, 400);
+        }
+        if (!payload.type) {
+          return c.json({
+            success: false,
+            error: `type is required. Supported: ${getSupportedCredentialTypes().join(", ")}`
+          }, 400);
+        }
+        if (!await this.sessionExists(appKey, payload.session)) {
+          return c.json({ success: false, error: "Invalid session" }, 401);
+        }
+        const handler = getCredentialHandler(payload.type);
+        let googleClientId;
+        if (payload.type === "google") {
+          const appProfileUri = `mutable://accounts/${appKey}/app-profile`;
+          const appProfileResult = await this.credentialClient.read(appProfileUri);
+          if (appProfileResult.success && appProfileResult.record?.data) {
+            const appProfile = appProfileResult.record.data;
+            if (appProfile.payload && typeof appProfile.payload === "object") {
+              googleClientId = appProfile.payload.googleClientId;
+            } else {
+              googleClientId = appProfile.googleClientId;
+            }
+          }
+          if (!googleClientId) {
+            throw new Error("Google Client ID not configured for this app");
+          }
+        }
+        const context = {
+          client: this.credentialClient,
+          serverPublicKey,
+          serverIdentityPrivateKeyPem,
+          serverIdentityPublicKeyHex,
+          serverEncryptionPublicKeyHex,
+          serverEncryptionPrivateKeyPem,
+          appKey,
+          googleClientId,
+          logger: this.logger,
+          fetch: this.fetchImpl
+        };
+        const result = await handler.login(payload, context);
+        const jwt = await createJwt(
+          result.username,
+          this.config.jwtSecret,
+          this.config.jwtExpirationSeconds
+        );
+        return c.json({
+          success: true,
+          username: result.username,
+          token: jwt,
+          expiresIn: this.config.jwtExpirationSeconds,
+          ...result.metadata
+        });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("Unknown credential type")) {
+          return c.json({ success: false, error: message }, 400);
+        }
+        this.logger.error("Login error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
+    app.post("/api/v1/auth/credentials/change-password/:appKey", async (c) => {
+      try {
+        const appKey = c.req.param("appKey");
+        const authHeader = c.req.header("Authorization");
+        if (!appKey) {
+          return c.json({ success: false, error: "appKey is required" }, 400);
+        }
+        if (!authHeader?.startsWith("Bearer ")) {
+          return c.json({ success: false, error: "Authorization required" }, 401);
+        }
+        const token = authHeader.substring(7);
+        const jwtPayload = await verifyJwt(token, this.config.jwtSecret);
+        const { oldPassword, newPassword } = await c.req.json();
+        if (!oldPassword || !newPassword) {
+          return c.json({ success: false, error: "oldPassword and newPassword are required" }, 400);
+        }
+        if (newPassword.length < 8) {
+          return c.json({ success: false, error: "newPassword must be at least 8 characters" }, 400);
+        }
+        await changePassword(
+          this.credentialClient,
+          serverPublicKey,
+          jwtPayload.username,
+          oldPassword,
+          newPassword,
+          serverIdentityPrivateKeyPem,
+          serverIdentityPublicKeyHex,
+          serverEncryptionPublicKeyHex,
+          serverEncryptionPrivateKeyPem,
+          appKey
+        );
+        return c.json({ success: true, message: "Password changed successfully" });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("expired") || message.includes("incorrect")) {
+          return c.json({ success: false, error: message }, 401);
+        }
+        this.logger.error("Change password error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
+    app.post("/api/v1/auth/credentials/request-password-reset/:appKey", async (c) => {
+      try {
+        const appKey = c.req.param("appKey");
+        const { username } = await c.req.json();
+        if (!appKey) {
+          return c.json({ success: false, error: "appKey is required" }, 400);
+        }
+        if (!username) {
+          return c.json({ success: false, error: "username is required" }, 400);
+        }
+        const resetToken = await createPasswordResetToken(
+          this.credentialClient,
+          serverPublicKey,
+          username,
+          this.config.passwordResetTokenTtlSeconds,
+          serverIdentityPrivateKeyPem,
+          serverIdentityPublicKeyHex,
+          serverEncryptionPublicKeyHex,
+          appKey
+        );
+        return c.json({
+          success: true,
+          message: "Password reset token created",
+          resetToken,
+          expiresIn: this.config.passwordResetTokenTtlSeconds
+        });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("not found")) {
+          return c.json({ success: false, error: "User not found" }, 404);
+        }
+        this.logger.error("Request password reset error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
+    app.post("/api/v1/auth/credentials/reset-password/:appKey", async (c) => {
+      try {
+        const appKey = c.req.param("appKey");
+        const { username, resetToken, newPassword } = await c.req.json();
+        if (!appKey) {
+          return c.json({ success: false, error: "appKey is required" }, 400);
+        }
+        if (!username || !resetToken || !newPassword) {
+          return c.json({ success: false, error: "username, resetToken and newPassword are required" }, 400);
+        }
+        if (newPassword.length < 8) {
+          return c.json({ success: false, error: "newPassword must be at least 8 characters" }, 400);
+        }
+        const resetUsername = await resetPasswordWithToken(
+          this.credentialClient,
+          serverPublicKey,
+          resetToken,
+          newPassword,
+          serverIdentityPrivateKeyPem,
+          serverIdentityPublicKeyHex,
+          serverEncryptionPublicKeyHex,
+          serverEncryptionPrivateKeyPem,
+          username,
+          appKey,
+          this.logger
+        );
+        const newToken = await createJwt(
+          resetUsername,
+          this.config.jwtSecret,
+          this.config.jwtExpirationSeconds
+        );
+        return c.json({
+          success: true,
+          message: "Password reset successful",
+          username: resetUsername,
+          token: newToken,
+          expiresIn: this.config.jwtExpirationSeconds
+        });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("invalid") || message.includes("expired")) {
+          return c.json({ success: false, error: message }, 400);
+        }
+        this.logger.error("Reset password error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
+    app.post("/api/v1/proxy/write", async (c) => {
+      try {
+        const authHeader = c.req.header("Authorization");
+        if (!authHeader?.startsWith("Bearer ")) {
+          return c.json({ success: false, error: "Authorization required" }, 401);
+        }
+        const token = authHeader.substring(7);
+        const payload = await verifyJwt(token, this.config.jwtSecret);
+        const { uri, data, encrypt: encrypt2 } = await c.req.json();
+        if (!uri) {
+          return c.json({ success: false, error: "uri is required" }, 400);
+        }
+        if (data === void 0) {
+          return c.json({ success: false, error: "data is required" }, 400);
+        }
+        const result = await proxyWrite(
+          this.proxyClient,
+          this.credentialClient,
+          serverPublicKey,
+          payload.username,
+          serverEncryptionPrivateKeyPem,
+          { uri, data, encrypt: encrypt2 === true }
+        );
+        if (!result.success) {
+          return c.json({ success: false, error: result.error }, 400);
+        }
+        return c.json({
+          success: true,
+          uri,
+          resolvedUri: result.resolvedUri,
+          data,
+          record: result.record
+        });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("expired")) {
+          return c.json({ success: false, error: message }, 401);
+        }
+        this.logger.error("Proxy write error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
+    app.get("/api/v1/proxy/read", async (c) => {
+      try {
+        const authHeader = c.req.header("Authorization");
+        if (!authHeader?.startsWith("Bearer ")) {
+          return c.json({ success: false, error: "Authorization required" }, 401);
+        }
+        const token = authHeader.substring(7);
+        await verifyJwt(token, this.config.jwtSecret);
+        const uri = c.req.query("uri");
+        if (!uri) {
+          return c.json({ success: false, error: "uri query parameter is required" }, 400);
+        }
+        const result = await proxyRead(
+          this.proxyClient,
+          uri,
+          serverEncryptionPrivateKeyPem
+        );
+        if (!result.success) {
+          return c.json({ success: false, error: result.error }, 400);
+        }
+        return c.json({
+          success: true,
+          uri,
+          record: result.record,
+          decrypted: result.decrypted
+        });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("expired")) {
+          return c.json({ success: false, error: message }, 401);
+        }
+        this.logger.error("Proxy read error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
+    return app;
+  }
+};
+export {
+  defaultLogger,
+  MemoryFileStorage,
+  ConfigEnvironment,
+  createJwt,
+  verifyJwt,
+  extractUsernameFromJwt,
+  deriveObfuscatedPath,
+  pemToCryptoKey,
+  createSignedEncryptedPayload,
+  decryptSignedEncryptedPayload,
+  encryptForBackend,
+  decryptFromBackend,
+  generateUserKeys,
+  loadUserAccountKey,
+  loadUserEncryptionKey,
+  loadUserKeys,
+  getUserPublicKeys,
+  proxyWrite,
+  proxyRead,
+  userExists,
+  createUser,
+  authenticateUser,
+  changePassword,
+  createPasswordResetToken,
+  resetPasswordWithToken,
+  googleUserExists,
+  createGoogleUser,
+  authenticateGoogleUser,
+  clearGooglePublicKeyCache,
+  verifyGoogleIdToken,
+  generateGoogleUsername,
+  getCredentialHandler,
+  registerCredentialHandler,
+  getSupportedCredentialTypes,
+  WalletServerCore
+};