@bitgo-beta/sdk-api 1.10.1-beta.185 → 1.10.1-beta.1851

package/dist/src/encrypt.d.ts

@@ -1,4 +1,3 @@
-/// <reference types="node" />
 /**
  * convert a 4 element Uint8Array to a 4 byte Number
  *
@@ -6,9 +5,29 @@
  * @return 4 byte number
  */
 export declare function bytesToWord(bytes?: Uint8Array | number[]): number;
-export declare function encrypt(password: string, plaintext: string, { salt, iv }?: {
-    salt?: Buffer | undefined;
-    iv?: Buffer | undefined;
+/** Encrypt using legacy v1 SJCL (PBKDF2-SHA256 + AES-256-CCM). */
+export declare function encrypt(password: string, plaintext: string, options?: {
+    salt?: Buffer;
+    iv?: Buffer;
+    adata?: string;
 }): string;
+/**
+ * Async encrypt that dispatches to v1 (SJCL) or v2 (Argon2id + AES-256-GCM)
+ * when `encryptionVersion` is 2. Defaults to v1, matching sync `encrypt()`.
+ */
+export declare function encryptAsync(password: string, plaintext: string, options?: {
+    salt?: Buffer;
+    iv?: Buffer;
+    adata?: string;
+    encryptionVersion?: 1 | 2;
+}): Promise<string>;
+/** Decrypt a v1 SJCL envelope. */
 export declare function decrypt(password: string, ciphertext: string): string;
+/**
+ * Auto-detect v1 (SJCL) or v2 (Argon2id + AES-256-GCM) from the envelope `v` field and decrypt.
+ *
+ * Migration path from sync `decrypt()`. Move call sites to `decryptAsync()` before
+ * the breaking release that flips the default to v2.
+ */
+export declare function decryptAsync(password: string, ciphertext: string): Promise<string>;
 //# sourceMappingURL=encrypt.d.ts.map

package/dist/src/encrypt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../src/encrypt.ts"],"names":[],"mappings":";AAGA;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,KAAK,CAAC,EAAE,UAAU,GAAG,MAAM,EAAE,GAAG,MAAM,CAMjE;AAED,wBAAgB,OAAO,CACrB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,EAAE,IAAqB,EAAE,EAAoB,EAAE;;;CAAK,GACnD,MAAM,CAoBR;AAED,wBAAgB,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAEpE"}
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../src/encrypt.ts"],"names":[],"mappings":"AAKA;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,KAAK,CAAC,EAAE,UAAU,GAAG,MAAM,EAAE,GAAG,MAAM,CAKjE;AAED,kEAAkE;AAClE,wBAAgB,OAAO,CACrB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,EAAE,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACvD,MAAM,CAmBR;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,EAAE,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,iBAAiB,CAAC,EAAE,CAAC,GAAG,CAAC,CAAA;CAAE,GAClF,OAAO,CAAC,MAAM,CAAC,CAKjB;AAED,kCAAkC;AAClC,wBAAgB,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAEpE;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBxF"}

package/dist/src/encrypt.js

@@ -1,8 +1,46 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.decrypt = exports.encrypt = exports.bytesToWord = void 0;
-const sjcl = require("@bitgo-beta/sjcl");
+exports.bytesToWord = bytesToWord;
+exports.encrypt = encrypt;
+exports.encryptAsync = encryptAsync;
+exports.decrypt = decrypt;
+exports.decryptAsync = decryptAsync;
+const sjcl = __importStar(require("@bitgo-beta/sjcl"));
 const crypto_1 = require("crypto");
+const encryptV2_1 = require("./encryptV2");
 /**
  * convert a 4 element Uint8Array to a 4 byte Number
  *
@@ -15,14 +53,14 @@ function bytesToWord(bytes) {
     }
     return bytes.reduce((num, byte) => num * 0x100 + byte, 0);
 }
-exports.bytesToWord = bytesToWord;
-function encrypt(password, plaintext, { salt = crypto_1.randomBytes(8), iv = crypto_1.randomBytes(16) } = {}) {
-    if (salt.length !== 8) {
-        throw new Error(`salt must be 8 bytes`);
-    }
-    if (iv.length !== 16) {
-        throw new Error(`iv must be 16 bytes`);
-    }
+/** Encrypt using legacy v1 SJCL (PBKDF2-SHA256 + AES-256-CCM). */
+function encrypt(password, plaintext, options) {
+    const salt = options?.salt || (0, crypto_1.randomBytes)(8);
+    if (salt.length !== 8)
+        throw new Error('salt must be 8 bytes');
+    const iv = options?.iv || (0, crypto_1.randomBytes)(16);
+    if (iv.length !== 16)
+        throw new Error('iv must be 16 bytes');
     const encryptOptions = {
         iter: 10000,
         ks: 256,
@@ -34,11 +72,46 @@ function encrypt(password, plaintext, { salt = crypto_1.randomBytes(8), iv = cry
             bytesToWord(iv.slice(12, 16)),
         ],
     };
+    if (options?.adata)
+        encryptOptions.adata = options.adata;
     return sjcl.encrypt(password, plaintext, encryptOptions);
 }
-exports.encrypt = encrypt;
+/**
+ * Async encrypt that dispatches to v1 (SJCL) or v2 (Argon2id + AES-256-GCM)
+ * when `encryptionVersion` is 2. Defaults to v1, matching sync `encrypt()`.
+ */
+async function encryptAsync(password, plaintext, options) {
+    if (options?.encryptionVersion === 2) {
+        return (0, encryptV2_1.encryptV2)(password, plaintext, { adata: options.adata });
+    }
+    return encrypt(password, plaintext, options);
+}
+/** Decrypt a v1 SJCL envelope. */
 function decrypt(password, ciphertext) {
     return sjcl.decrypt(password, ciphertext);
 }
-exports.decrypt = decrypt;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZW5jcnlwdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9lbmNyeXB0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLHlDQUF5QztBQUN6QyxtQ0FBcUM7QUFFckM7Ozs7O0dBS0c7QUFDSCxTQUFnQixXQUFXLENBQUMsS0FBNkI7SUFDdkQsSUFBSSxDQUFDLENBQUMsS0FBSyxZQUFZLFVBQVUsQ0FBQyxJQUFJLEtBQUssQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFO1FBQ3hELE1BQU0sSUFBSSxLQUFLLENBQUMsMENBQTBDLENBQUMsQ0FBQztLQUM3RDtJQUVELE9BQU8sS0FBSyxDQUFDLE1BQU0sQ0FBQyxDQUFDLEdBQUcsRUFBRSxJQUFJLEVBQUUsRUFBRSxDQUFDLEdBQUcsR0FBRyxLQUFLLEdBQUcsSUFBSSxFQUFFLENBQUMsQ0FBQyxDQUFDO0FBQzVELENBQUM7QUFORCxrQ0FNQztBQUVELFNBQWdCLE9BQU8sQ0FDckIsUUFBZ0IsRUFDaEIsU0FBaUIsRUFDakIsRUFBRSxJQUFJLEdBQUcsb0JBQVcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLEdBQUcsb0JBQVcsQ0FBQyxFQUFFLENBQUMsRUFBRSxHQUFHLEVBQUU7SUFFcEQsSUFBSSxJQUFJLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRTtRQUNyQixNQUFNLElBQUksS0FBSyxDQUFDLHNCQUFzQixDQUFDLENBQUM7S0FDekM7SUFDRCxJQUFJLEVBQUUsQ0FBQyxNQUFNLEtBQUssRUFBRSxFQUFFO1FBQ3BCLE1BQU0sSUFBSSxLQUFLLENBQUMscUJBQXFCLENBQUMsQ0FBQztLQUN4QztJQUNELE1BQU0sY0FBYyxHQUFHO1FBQ3JCLElBQUksRUFBRSxLQUFLO1FBQ1gsRUFBRSxFQUFFLEdBQUc7UUFDUCxJQUFJLEVBQUUsQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsRUFBRSxXQUFXLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pFLEVBQUUsRUFBRTtZQUNGLFdBQVcsQ0FBQyxFQUFFLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztZQUMzQixXQUFXLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFDM0IsV0FBVyxDQUFDLEVBQUUsQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1lBQzVCLFdBQVcsQ0FBQyxFQUFFLENBQUMsS0FBSyxDQUFDLEVBQUUsRUFBRSxFQUFFLENBQUMsQ0FBQztTQUM5QjtLQUNGLENBQUM7SUFFRixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLFNBQVMsRUFBRSxjQUFjLENBQUMsQ0FBQztBQUMzRCxDQUFDO0FBeEJELDBCQXdCQztBQUVELFNBQWdCLE9BQU8sQ0FBQyxRQUFnQixFQUFFLFVBQWtCO0lBQzFELE9BQU8sSUFBSSxDQUFDLE9BQU8sQ0FBQyxRQUFRLEVBQUUsVUFBVSxDQUFDLENBQUM7QUFDNUMsQ0FBQztBQUZELDBCQUVDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgc2pjbCBmcm9tICdAYml0Z28tYmV0YS9zamNsJztcbmltcG9ydCB7IHJhbmRvbUJ5dGVzIH0gZnJvbSAnY3J5cHRvJztcblxuLyoqXG4gKiBjb252ZXJ0IGEgNCBlbGVtZW50IFVpbnQ4QXJyYXkgdG8gYSA0IGJ5dGUgTnVtYmVyXG4gKlxuICogQHBhcmFtIGJ5dGVzXG4gKiBAcmV0dXJuIDQgYnl0ZSBudW1iZXJcbiAqL1xuZXhwb3J0IGZ1bmN0aW9uIGJ5dGVzVG9Xb3JkKGJ5dGVzPzogVWludDhBcnJheSB8IG51bWJlcltdKTogbnVtYmVyIHtcbiAgaWYgKCEoYnl0ZXMgaW5zdGFuY2VvZiBVaW50OEFycmF5KSB8fCBieXRlcy5sZW5ndGggIT09IDQpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoJ2J5dGVzIG11c3QgYmUgYSBVaW50OEFycmF5IHdpdGggbGVuZ3RoIDQnKTtcbiAgfVxuXG4gIHJldHVybiBieXRlcy5yZWR1Y2UoKG51bSwgYnl0ZSkgPT4gbnVtICogMHgxMDAgKyBieXRlLCAwKTtcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIGVuY3J5cHQoXG4gIHBhc3N3b3JkOiBzdHJpbmcsXG4gIHBsYWludGV4dDogc3RyaW5nLFxuICB7IHNhbHQgPSByYW5kb21CeXRlcyg4KSwgaXYgPSByYW5kb21CeXRlcygxNikgfSA9IHt9XG4pOiBzdHJpbmcge1xuICBpZiAoc2FsdC5sZW5ndGggIT09IDgpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoYHNhbHQgbXVzdCBiZSA4IGJ5dGVzYCk7XG4gIH1cbiAgaWYgKGl2Lmxlbmd0aCAhPT0gMTYpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoYGl2IG11c3QgYmUgMTYgYnl0ZXNgKTtcbiAgfVxuICBjb25zdCBlbmNyeXB0T3B0aW9ucyA9IHtcbiAgICBpdGVyOiAxMDAwMCxcbiAgICBrczogMjU2LFxuICAgIHNhbHQ6IFtieXRlc1RvV29yZChzYWx0LnNsaWNlKDAsIDQpKSwgYnl0ZXNUb1dvcmQoc2FsdC5zbGljZSg0KSldLFxuICAgIGl2OiBbXG4gICAgICBieXRlc1RvV29yZChpdi5zbGljZSgwLCA0KSksXG4gICAgICBieXRlc1RvV29yZChpdi5zbGljZSg0LCA4KSksXG4gICAgICBieXRlc1RvV29yZChpdi5zbGljZSg4LCAxMikpLFxuICAgICAgYnl0ZXNUb1dvcmQoaXYuc2xpY2UoMTIsIDE2KSksXG4gICAgXSxcbiAgfTtcblxuICByZXR1cm4gc2pjbC5lbmNyeXB0KHBhc3N3b3JkLCBwbGFpbnRleHQsIGVuY3J5cHRPcHRpb25zKTtcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIGRlY3J5cHQocGFzc3dvcmQ6IHN0cmluZywgY2lwaGVydGV4dDogc3RyaW5nKTogc3RyaW5nIHtcbiAgcmV0dXJuIHNqY2wuZGVjcnlwdChwYXNzd29yZCwgY2lwaGVydGV4dCk7XG59XG4iXX0=
+/**
+ * Auto-detect v1 (SJCL) or v2 (Argon2id + AES-256-GCM) from the envelope `v` field and decrypt.
+ *
+ * Migration path from sync `decrypt()`. Move call sites to `decryptAsync()` before
+ * the breaking release that flips the default to v2.
+ */
+async function decryptAsync(password, ciphertext) {
+    let envelopeVersion;
+    try {
+        const envelope = JSON.parse(ciphertext);
+        envelopeVersion = envelope.v;
+    }
+    catch {
+        throw new Error('decrypt: ciphertext is not valid JSON');
+    }
+    if (envelopeVersion === 2) {
+        // Do not catch: wrong password on v2 must not silently fall through to v1.
+        return (0, encryptV2_1.decryptV2)(password, ciphertext);
+    }
+    if (envelopeVersion !== undefined && envelopeVersion !== 1) {
+        throw new Error(`decrypt: unknown envelope version ${envelopeVersion}`);
+    }
+    return sjcl.decrypt(password, ciphertext);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZW5jcnlwdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9lbmNyeXB0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBV0Esa0NBS0M7QUFHRCwwQkF1QkM7QUFNRCxvQ0FTQztBQUdELDBCQUVDO0FBUUQsb0NBZ0JDO0FBdEZELHVEQUF5QztBQUN6QyxtQ0FBcUM7QUFFckMsMkNBQW1EO0FBRW5EOzs7OztHQUtHO0FBQ0gsU0FBZ0IsV0FBVyxDQUFDLEtBQTZCO0lBQ3ZELElBQUksQ0FBQyxDQUFDLEtBQUssWUFBWSxVQUFVLENBQUMsSUFBSSxLQUFLLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO1FBQ3pELE1BQU0sSUFBSSxLQUFLLENBQUMsMENBQTBDLENBQUMsQ0FBQztJQUM5RCxDQUFDO0lBQ0QsT0FBTyxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUMsR0FBRyxFQUFFLElBQUksRUFBRSxFQUFFLENBQUMsR0FBRyxHQUFHLEtBQUssR0FBRyxJQUFJLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFDNUQsQ0FBQztBQUVELGtFQUFrRTtBQUNsRSxTQUFnQixPQUFPLENBQ3JCLFFBQWdCLEVBQ2hCLFNBQWlCLEVBQ2pCLE9BQXdEO0lBRXhELE1BQU0sSUFBSSxHQUFHLE9BQU8sRUFBRSxJQUFJLElBQUksSUFBQSxvQkFBVyxFQUFDLENBQUMsQ0FBQyxDQUFDO0lBQzdDLElBQUksSUFBSSxDQUFDLE1BQU0sS0FBSyxDQUFDO1FBQUUsTUFBTSxJQUFJLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQyxDQUFDO0lBQy9ELE1BQU0sRUFBRSxHQUFHLE9BQU8sRUFBRSxFQUFFLElBQUksSUFBQSxvQkFBVyxFQUFDLEVBQUUsQ0FBQyxDQUFDO0lBQzFDLElBQUksRUFBRSxDQUFDLE1BQU0sS0FBSyxFQUFFO1FBQUUsTUFBTSxJQUFJLEtBQUssQ0FBQyxxQkFBcUIsQ0FBQyxDQUFDO0lBRTdELE1BQU0sY0FBYyxHQUErRTtRQUNqRyxJQUFJLEVBQUUsS0FBSztRQUNYLEVBQUUsRUFBRSxHQUFHO1FBQ1AsSUFBSSxFQUFFLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsV0FBVyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNqRSxFQUFFLEVBQUU7WUFDRixXQUFXLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFDM0IsV0FBVyxDQUFDLEVBQUUsQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO1lBQzNCLFdBQVcsQ0FBQyxFQUFFLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQztZQUM1QixXQUFXLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxFQUFFLEVBQUUsRUFBRSxDQUFDLENBQUM7U0FDOUI7S0FDRixDQUFDO0lBQ0YsSUFBSSxPQUFPLEVBQUUsS0FBSztRQUFFLGNBQWMsQ0FBQyxLQUFLLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQztJQUN6RCxPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLFNBQVMsRUFBRSxjQUFjLENBQUMsQ0FBQztBQUMzRCxDQUFDO0FBRUQ7OztHQUdHO0FBQ0ksS0FBSyxVQUFVLFlBQVksQ0FDaEMsUUFBZ0IsRUFDaEIsU0FBaUIsRUFDakIsT0FBbUY7SUFFbkYsSUFBSSxPQUFPLEVBQUUsaUJBQWlCLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDckMsT0FBTyxJQUFBLHFCQUFTLEVBQUMsUUFBUSxFQUFFLFNBQVMsRUFBRSxFQUFFLEtBQUssRUFBRSxPQUFPLENBQUMsS0FBSyxFQUFFLENBQUMsQ0FBQztJQUNsRSxDQUFDO0lBQ0QsT0FBTyxPQUFPLENBQUMsUUFBUSxFQUFFLFNBQVMsRUFBRSxPQUFPLENBQUMsQ0FBQztBQUMvQyxDQUFDO0FBRUQsa0NBQWtDO0FBQ2xDLFNBQWdCLE9BQU8sQ0FBQyxRQUFnQixFQUFFLFVBQWtCO0lBQzFELE9BQU8sSUFBSSxDQUFDLE9BQU8sQ0FBQyxRQUFRLEVBQUUsVUFBVSxDQUFDLENBQUM7QUFDNUMsQ0FBQztBQUVEOzs7OztHQUtHO0FBQ0ksS0FBSyxVQUFVLFlBQVksQ0FBQyxRQUFnQixFQUFFLFVBQWtCO0lBQ3JFLElBQUksZUFBbUMsQ0FBQztJQUN4QyxJQUFJLENBQUM7UUFDSCxNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBQ3hDLGVBQWUsR0FBRyxRQUFRLENBQUMsQ0FBQyxDQUFDO0lBQy9CLENBQUM7SUFBQyxNQUFNLENBQUM7UUFDUCxNQUFNLElBQUksS0FBSyxDQUFDLHVDQUF1QyxDQUFDLENBQUM7SUFDM0QsQ0FBQztJQUNELElBQUksZUFBZSxLQUFLLENBQUMsRUFBRSxDQUFDO1FBQzFCLDJFQUEyRTtRQUMzRSxPQUFPLElBQUEscUJBQVMsRUFBQyxRQUFRLEVBQUUsVUFBVSxDQUFDLENBQUM7SUFDekMsQ0FBQztJQUNELElBQUksZUFBZSxLQUFLLFNBQVMsSUFBSSxlQUFlLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDM0QsTUFBTSxJQUFJLEtBQUssQ0FBQyxxQ0FBcUMsZUFBZSxFQUFFLENBQUMsQ0FBQztJQUMxRSxDQUFDO0lBQ0QsT0FBTyxJQUFJLENBQUMsT0FBTyxDQUFDLFFBQVEsRUFBRSxVQUFVLENBQUMsQ0FBQztBQUM1QyxDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgc2pjbCBmcm9tICdAYml0Z28tYmV0YS9zamNsJztcbmltcG9ydCB7IHJhbmRvbUJ5dGVzIH0gZnJvbSAnY3J5cHRvJztcblxuaW1wb3J0IHsgZGVjcnlwdFYyLCBlbmNyeXB0VjIgfSBmcm9tICcuL2VuY3J5cHRWMic7XG5cbi8qKlxuICogY29udmVydCBhIDQgZWxlbWVudCBVaW50OEFycmF5IHRvIGEgNCBieXRlIE51bWJlclxuICpcbiAqIEBwYXJhbSBieXRlc1xuICogQHJldHVybiA0IGJ5dGUgbnVtYmVyXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBieXRlc1RvV29yZChieXRlcz86IFVpbnQ4QXJyYXkgfCBudW1iZXJbXSk6IG51bWJlciB7XG4gIGlmICghKGJ5dGVzIGluc3RhbmNlb2YgVWludDhBcnJheSkgfHwgYnl0ZXMubGVuZ3RoICE9PSA0KSB7XG4gICAgdGhyb3cgbmV3IEVycm9yKCdieXRlcyBtdXN0IGJlIGEgVWludDhBcnJheSB3aXRoIGxlbmd0aCA0Jyk7XG4gIH1cbiAgcmV0dXJuIGJ5dGVzLnJlZHVjZSgobnVtLCBieXRlKSA9PiBudW0gKiAweDEwMCArIGJ5dGUsIDApO1xufVxuXG4vKiogRW5jcnlwdCB1c2luZyBsZWdhY3kgdjEgU0pDTCAoUEJLREYyLVNIQTI1NiArIEFFUy0yNTYtQ0NNKS4gKi9cbmV4cG9ydCBmdW5jdGlvbiBlbmNyeXB0KFxuICBwYXNzd29yZDogc3RyaW5nLFxuICBwbGFpbnRleHQ6IHN0cmluZyxcbiAgb3B0aW9ucz86IHsgc2FsdD86IEJ1ZmZlcjsgaXY/OiBCdWZmZXI7IGFkYXRhPzogc3RyaW5nIH1cbik6IHN0cmluZyB7XG4gIGNvbnN0IHNhbHQgPSBvcHRpb25zPy5zYWx0IHx8IHJhbmRvbUJ5dGVzKDgpO1xuICBpZiAoc2FsdC5sZW5ndGggIT09IDgpIHRocm93IG5ldyBFcnJvcignc2FsdCBtdXN0IGJlIDggYnl0ZXMnKTtcbiAgY29uc3QgaXYgPSBvcHRpb25zPy5pdiB8fCByYW5kb21CeXRlcygxNik7XG4gIGlmIChpdi5sZW5ndGggIT09IDE2KSB0aHJvdyBuZXcgRXJyb3IoJ2l2IG11c3QgYmUgMTYgYnl0ZXMnKTtcblxuICBjb25zdCBlbmNyeXB0T3B0aW9uczogeyBpdGVyOiBudW1iZXI7IGtzOiBudW1iZXI7IHNhbHQ6IG51bWJlcltdOyBpdjogbnVtYmVyW107IGFkYXRhPzogc3RyaW5nIH0gPSB7XG4gICAgaXRlcjogMTAwMDAsXG4gICAga3M6IDI1NixcbiAgICBzYWx0OiBbYnl0ZXNUb1dvcmQoc2FsdC5zbGljZSgwLCA0KSksIGJ5dGVzVG9Xb3JkKHNhbHQuc2xpY2UoNCkpXSxcbiAgICBpdjogW1xuICAgICAgYnl0ZXNUb1dvcmQoaXYuc2xpY2UoMCwgNCkpLFxuICAgICAgYnl0ZXNUb1dvcmQoaXYuc2xpY2UoNCwgOCkpLFxuICAgICAgYnl0ZXNUb1dvcmQoaXYuc2xpY2UoOCwgMTIpKSxcbiAgICAgIGJ5dGVzVG9Xb3JkKGl2LnNsaWNlKDEyLCAxNikpLFxuICAgIF0sXG4gIH07XG4gIGlmIChvcHRpb25zPy5hZGF0YSkgZW5jcnlwdE9wdGlvbnMuYWRhdGEgPSBvcHRpb25zLmFkYXRhO1xuICByZXR1cm4gc2pjbC5lbmNyeXB0KHBhc3N3b3JkLCBwbGFpbnRleHQsIGVuY3J5cHRPcHRpb25zKTtcbn1cblxuLyoqXG4gKiBBc3luYyBlbmNyeXB0IHRoYXQgZGlzcGF0Y2hlcyB0byB2MSAoU0pDTCkgb3IgdjIgKEFyZ29uMmlkICsgQUVTLTI1Ni1HQ00pXG4gKiB3aGVuIGBlbmNyeXB0aW9uVmVyc2lvbmAgaXMgMi4gRGVmYXVsdHMgdG8gdjEsIG1hdGNoaW5nIHN5bmMgYGVuY3J5cHQoKWAuXG4gKi9cbmV4cG9ydCBhc3luYyBmdW5jdGlvbiBlbmNyeXB0QXN5bmMoXG4gIHBhc3N3b3JkOiBzdHJpbmcsXG4gIHBsYWludGV4dDogc3RyaW5nLFxuICBvcHRpb25zPzogeyBzYWx0PzogQnVmZmVyOyBpdj86IEJ1ZmZlcjsgYWRhdGE/OiBzdHJpbmc7IGVuY3J5cHRpb25WZXJzaW9uPzogMSB8IDIgfVxuKTogUHJvbWlzZTxzdHJpbmc+IHtcbiAgaWYgKG9wdGlvbnM/LmVuY3J5cHRpb25WZXJzaW9uID09PSAyKSB7XG4gICAgcmV0dXJuIGVuY3J5cHRWMihwYXNzd29yZCwgcGxhaW50ZXh0LCB7IGFkYXRhOiBvcHRpb25zLmFkYXRhIH0pO1xuICB9XG4gIHJldHVybiBlbmNyeXB0KHBhc3N3b3JkLCBwbGFpbnRleHQsIG9wdGlvbnMpO1xufVxuXG4vKiogRGVjcnlwdCBhIHYxIFNKQ0wgZW52ZWxvcGUuICovXG5leHBvcnQgZnVuY3Rpb24gZGVjcnlwdChwYXNzd29yZDogc3RyaW5nLCBjaXBoZXJ0ZXh0OiBzdHJpbmcpOiBzdHJpbmcge1xuICByZXR1cm4gc2pjbC5kZWNyeXB0KHBhc3N3b3JkLCBjaXBoZXJ0ZXh0KTtcbn1cblxuLyoqXG4gKiBBdXRvLWRldGVjdCB2MSAoU0pDTCkgb3IgdjIgKEFyZ29uMmlkICsgQUVTLTI1Ni1HQ00pIGZyb20gdGhlIGVudmVsb3BlIGB2YCBmaWVsZCBhbmQgZGVjcnlwdC5cbiAqXG4gKiBNaWdyYXRpb24gcGF0aCBmcm9tIHN5bmMgYGRlY3J5cHQoKWAuIE1vdmUgY2FsbCBzaXRlcyB0byBgZGVjcnlwdEFzeW5jKClgIGJlZm9yZVxuICogdGhlIGJyZWFraW5nIHJlbGVhc2UgdGhhdCBmbGlwcyB0aGUgZGVmYXVsdCB0byB2Mi5cbiAqL1xuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGRlY3J5cHRBc3luYyhwYXNzd29yZDogc3RyaW5nLCBjaXBoZXJ0ZXh0OiBzdHJpbmcpOiBQcm9taXNlPHN0cmluZz4ge1xuICBsZXQgZW52ZWxvcGVWZXJzaW9uOiBudW1iZXIgfCB1bmRlZmluZWQ7XG4gIHRyeSB7XG4gICAgY29uc3QgZW52ZWxvcGUgPSBKU09OLnBhcnNlKGNpcGhlcnRleHQpO1xuICAgIGVudmVsb3BlVmVyc2lvbiA9IGVudmVsb3BlLnY7XG4gIH0gY2F0Y2gge1xuICAgIHRocm93IG5ldyBFcnJvcignZGVjcnlwdDogY2lwaGVydGV4dCBpcyBub3QgdmFsaWQgSlNPTicpO1xuICB9XG4gIGlmIChlbnZlbG9wZVZlcnNpb24gPT09IDIpIHtcbiAgICAvLyBEbyBub3QgY2F0Y2g6IHdyb25nIHBhc3N3b3JkIG9uIHYyIG11c3Qgbm90IHNpbGVudGx5IGZhbGwgdGhyb3VnaCB0byB2MS5cbiAgICByZXR1cm4gZGVjcnlwdFYyKHBhc3N3b3JkLCBjaXBoZXJ0ZXh0KTtcbiAgfVxuICBpZiAoZW52ZWxvcGVWZXJzaW9uICE9PSB1bmRlZmluZWQgJiYgZW52ZWxvcGVWZXJzaW9uICE9PSAxKSB7XG4gICAgdGhyb3cgbmV3IEVycm9yKGBkZWNyeXB0OiB1bmtub3duIGVudmVsb3BlIHZlcnNpb24gJHtlbnZlbG9wZVZlcnNpb259YCk7XG4gIH1cbiAgcmV0dXJuIHNqY2wuZGVjcnlwdChwYXNzd29yZCwgY2lwaGVydGV4dCk7XG59XG4iXX0=

package/dist/src/encryptV2.d.ts

@@ -0,0 +1,68 @@
+import * as t from 'io-ts';
+/** Default Argon2id parameters per RFC 9106 second recommendation
+ * @see https://www.rfc-editor.org/rfc/rfc9106#section-4
+ */
+export declare const ARGON2_DEFAULTS: {
+    readonly memorySize: 65536;
+    readonly iterations: 3;
+    readonly parallelism: 4;
+    readonly hashLength: 32;
+    readonly saltLength: 16;
+};
+/** AES-256-GCM IV length in bytes */
+export declare const GCM_IV_LENGTH = 12;
+/** HKDF per-call salt length in bytes */
+export declare const HKDF_SALT_LENGTH = 32;
+declare const V2EnvelopeCodec: t.IntersectionC<[t.TypeC<{
+    v: t.LiteralC<2>;
+    m: t.Type<number, number, unknown>;
+    t: t.Type<number, number, unknown>;
+    p: t.Type<number, number, unknown>;
+    salt: t.Type<string, string, unknown>;
+    iv: t.Type<string, string, unknown>;
+    ct: t.Type<string, string, unknown>;
+}>, t.PartialC<{
+    /** Base64-encoded per-call HKDF salt -- present only in session-produced envelopes */
+    hkdfSalt: t.Type<string, string, unknown>;
+    /** Additional authenticated data for context binding (e.g. transaction hash + derivation path) */
+    adata: t.StringC;
+}>]>;
+export type V2Envelope = t.TypeOf<typeof V2EnvelopeCodec>;
+export declare function argon2ToHkdfKey(password: string, salt: Uint8Array, params: {
+    memorySize: number;
+    iterations: number;
+    parallelism: number;
+}): Promise<CryptoKey>;
+export declare function hkdfDeriveAesKey(hkdfKey: CryptoKey, hkdfSalt: Uint8Array, usage: KeyUsage): Promise<CryptoKey>;
+export declare function aesGcmEncrypt(key: CryptoKey, iv: Uint8Array, plaintext: string, additionalData?: Uint8Array): Promise<Uint8Array>;
+export declare function aesGcmDecrypt(key: CryptoKey, iv: Uint8Array, ct: Uint8Array, additionalData?: Uint8Array): Promise<string>;
+export declare function parseV2Envelope(ciphertext: string): V2Envelope;
+/**
+ * Encrypt plaintext using Argon2id KDF + AES-256-GCM.
+ *
+ * Returns a self-describing JSON v2 envelope containing all Argon2id parameters,
+ * salt, IV, and ciphertext -- fully standalone for decryption.
+ *
+ * For multi-call operations (MPC signing, wallet creation), prefer
+ * createEncryptionSession to run Argon2id once and derive per-call keys via HKDF.
+ */
+export declare function encryptV2(password: string, plaintext: string, options?: {
+    salt?: Uint8Array;
+    iv?: Uint8Array;
+    memorySize?: number;
+    iterations?: number;
+    parallelism?: number;
+    adata?: string;
+}): Promise<string>;
+/**
+ * Decrypt a v2 envelope (Argon2id + AES-256-GCM).
+ *
+ * Handles both envelope types automatically:
+ *   - Standard  (no hkdfSalt): Argon2id -> AES-GCM
+ *   - Session   (hkdfSalt present): Argon2id -> HKDF -> AES-GCM
+ *
+ * All parameters are stored in the envelope -- no session context required.
+ */
+export declare function decryptV2(password: string, ciphertext: string): Promise<string>;
+export {};
+//# sourceMappingURL=encryptV2.d.ts.map

package/dist/src/encryptV2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryptV2.d.ts","sourceRoot":"","sources":["../../src/encryptV2.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,CAAC,MAAM,OAAO,CAAC;AAK3B;;GAEG;AACH,eAAO,MAAM,eAAe;;;;;;CAMlB,CAAC;AAaX,qCAAqC;AACrC,eAAO,MAAM,aAAa,KAAK,CAAC;AAEhC,yCAAyC;AACzC,eAAO,MAAM,gBAAgB,KAAK,CAAC;AAOnC,QAAA,MAAM,eAAe;;;;;;;;;IAWjB,sFAAsF;;IAEtF,kGAAkG;;IAGpG,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,eAAe,CAAC,CAAC;AA6B1D,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,MAAM,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACtE,OAAO,CAAC,SAAS,CAAC,CAGpB;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,CAQ9G;AAED,wBAAsB,aAAa,CACjC,GAAG,EAAE,SAAS,EACd,EAAE,EAAE,UAAU,EACd,SAAS,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,UAAU,GAC1B,OAAO,CAAC,UAAU,CAAC,CAKrB;AAED,wBAAsB,aAAa,CACjC,GAAG,EAAE,SAAS,EACd,EAAE,EAAE,UAAU,EACd,EAAE,EAAE,UAAU,EACd,cAAc,CAAC,EAAE,UAAU,GAC1B,OAAO,CAAC,MAAM,CAAC,CAKjB;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,CAQ9D;AAID;;;;;;;;GAQG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;IACR,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,EAAE,CAAC,EAAE,UAAU,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GACA,OAAO,CAAC,MAAM,CAAC,CA0BjB;AAED;;;;;;;;GAQG;AACH,wBAAsB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAiBrF"}

package/dist/src/encryptV2.js

@@ -0,0 +1,202 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HKDF_SALT_LENGTH = exports.GCM_IV_LENGTH = exports.ARGON2_DEFAULTS = void 0;
+exports.argon2ToHkdfKey = argon2ToHkdfKey;
+exports.hkdfDeriveAesKey = hkdfDeriveAesKey;
+exports.aesGcmEncrypt = aesGcmEncrypt;
+exports.aesGcmDecrypt = aesGcmDecrypt;
+exports.parseV2Envelope = parseV2Envelope;
+exports.encryptV2 = encryptV2;
+exports.decryptV2 = decryptV2;
+const argon2_1 = require("@bitgo-beta/argon2");
+const sdk_core_1 = require("@bitgo-beta/sdk-core");
+const crypto_1 = require("crypto");
+const t = __importStar(require("io-ts"));
+/** Web Crypto subtle — browser global in DOM; Node/Electron main must use `webcrypto`. */
+const subtle = globalThis.crypto?.subtle ?? crypto_1.webcrypto.subtle;
+/** Default Argon2id parameters per RFC 9106 second recommendation
+ * @see https://www.rfc-editor.org/rfc/rfc9106#section-4
+ */
+exports.ARGON2_DEFAULTS = {
+    memorySize: 65536, // 64 MiB in KiB
+    iterations: 3,
+    parallelism: 4,
+    hashLength: 32, // 256-bit key
+    saltLength: 16, // 128-bit salt
+};
+/** Maximum allowed Argon2id parameters to prevent DoS via crafted envelopes.
+ * memorySize: 256 MiB (4x default) -- caps memory allocation on untrusted input.
+ * iterations: 16 -- caps CPU time.
+ * parallelism: 16 -- caps thread count.
+ */
+const ARGON2_MAX = {
+    memorySize: 262144,
+    iterations: 16,
+    parallelism: 16,
+};
+/** AES-256-GCM IV length in bytes */
+exports.GCM_IV_LENGTH = 12;
+/** HKDF per-call salt length in bytes */
+exports.HKDF_SALT_LENGTH = 32;
+/** Fixed HKDF info string for domain separation across BitGo v2 session keys */
+const HKDF_INFO = new TextEncoder().encode('bitgo-v2-session');
+// Envelope codec
+const V2EnvelopeCodec = t.intersection([
+    t.type({
+        v: t.literal(2),
+        m: (0, sdk_core_1.boundedInt)(1, ARGON2_MAX.memorySize, 'memorySize'),
+        t: (0, sdk_core_1.boundedInt)(1, ARGON2_MAX.iterations, 'iterations'),
+        p: (0, sdk_core_1.boundedInt)(1, ARGON2_MAX.parallelism, 'parallelism'),
+        salt: sdk_core_1.base64String,
+        iv: sdk_core_1.base64String,
+        ct: sdk_core_1.base64String,
+    }),
+    t.partial({
+        /** Base64-encoded per-call HKDF salt -- present only in session-produced envelopes */
+        hkdfSalt: sdk_core_1.base64String,
+        /** Additional authenticated data for context binding (e.g. transaction hash + derivation path) */
+        adata: t.string,
+    }),
+]);
+// Crypto helpers
+async function argon2Hash(password, salt, params) {
+    return (0, argon2_1.argon2id)({
+        password,
+        salt,
+        memorySize: params.memorySize,
+        iterations: params.iterations,
+        parallelism: params.parallelism,
+        hashLength: exports.ARGON2_DEFAULTS.hashLength,
+        outputType: 'binary',
+    });
+}
+async function argon2ToAesKey(password, salt, params) {
+    const keyBytes = await argon2Hash(password, salt, params);
+    return subtle.importKey('raw', keyBytes, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
+}
+async function argon2ToHkdfKey(password, salt, params) {
+    const keyBytes = await argon2Hash(password, salt, params);
+    return subtle.importKey('raw', keyBytes, 'HKDF', false, ['deriveKey']);
+}
+function hkdfDeriveAesKey(hkdfKey, hkdfSalt, usage) {
+    return subtle.deriveKey({ name: 'HKDF', hash: 'SHA-256', salt: hkdfSalt, info: HKDF_INFO }, hkdfKey, { name: 'AES-GCM', length: 256 }, false, [usage]);
+}
+async function aesGcmEncrypt(key, iv, plaintext, additionalData) {
+    const params = { name: 'AES-GCM', iv, tagLength: 128 };
+    if (additionalData)
+        params.additionalData = additionalData;
+    const ct = await subtle.encrypt(params, key, new TextEncoder().encode(plaintext));
+    return new Uint8Array(ct);
+}
+async function aesGcmDecrypt(key, iv, ct, additionalData) {
+    const params = { name: 'AES-GCM', iv, tagLength: 128 };
+    if (additionalData)
+        params.additionalData = additionalData;
+    const plaintext = await subtle.decrypt(params, key, ct);
+    return new TextDecoder().decode(plaintext);
+}
+function parseV2Envelope(ciphertext) {
+    let parsed;
+    try {
+        parsed = JSON.parse(ciphertext);
+    }
+    catch {
+        throw new Error('v2 decrypt: invalid JSON envelope');
+    }
+    return (0, sdk_core_1.decodeWithCodec)(V2EnvelopeCodec, parsed, 'v2 decrypt: invalid envelope');
+}
+// Public API
+/**
+ * Encrypt plaintext using Argon2id KDF + AES-256-GCM.
+ *
+ * Returns a self-describing JSON v2 envelope containing all Argon2id parameters,
+ * salt, IV, and ciphertext -- fully standalone for decryption.
+ *
+ * For multi-call operations (MPC signing, wallet creation), prefer
+ * createEncryptionSession to run Argon2id once and derive per-call keys via HKDF.
+ */
+async function encryptV2(password, plaintext, options) {
+    const memorySize = options?.memorySize ?? exports.ARGON2_DEFAULTS.memorySize;
+    const iterations = options?.iterations ?? exports.ARGON2_DEFAULTS.iterations;
+    const parallelism = options?.parallelism ?? exports.ARGON2_DEFAULTS.parallelism;
+    const salt = options?.salt ?? new Uint8Array((0, crypto_1.randomBytes)(exports.ARGON2_DEFAULTS.saltLength));
+    if (salt.length !== exports.ARGON2_DEFAULTS.saltLength)
+        throw new Error(`salt must be ${exports.ARGON2_DEFAULTS.saltLength} bytes`);
+    const iv = options?.iv ?? new Uint8Array((0, crypto_1.randomBytes)(exports.GCM_IV_LENGTH));
+    if (iv.length !== exports.GCM_IV_LENGTH)
+        throw new Error(`iv must be ${exports.GCM_IV_LENGTH} bytes`);
+    const adataBytes = options?.adata ? new TextEncoder().encode(options.adata) : undefined;
+    const key = await argon2ToAesKey(password, salt, { memorySize, iterations, parallelism });
+    const ct = await aesGcmEncrypt(key, iv, plaintext, adataBytes);
+    const envelope = {
+        v: 2,
+        m: memorySize,
+        t: iterations,
+        p: parallelism,
+        salt: Buffer.from(salt).toString('base64'),
+        iv: Buffer.from(iv).toString('base64'),
+        ct: Buffer.from(ct).toString('base64'),
+    };
+    if (options?.adata)
+        envelope.adata = options.adata;
+    return JSON.stringify(envelope);
+}
+/**
+ * Decrypt a v2 envelope (Argon2id + AES-256-GCM).
+ *
+ * Handles both envelope types automatically:
+ *   - Standard  (no hkdfSalt): Argon2id -> AES-GCM
+ *   - Session   (hkdfSalt present): Argon2id -> HKDF -> AES-GCM
+ *
+ * All parameters are stored in the envelope -- no session context required.
+ */
+async function decryptV2(password, ciphertext) {
+    const envelope = parseV2Envelope(ciphertext);
+    const salt = new Uint8Array(Buffer.from(envelope.salt, 'base64'));
+    const iv = new Uint8Array(Buffer.from(envelope.iv, 'base64'));
+    const ct = new Uint8Array(Buffer.from(envelope.ct, 'base64'));
+    const params = { memorySize: envelope.m, iterations: envelope.t, parallelism: envelope.p };
+    const adataBytes = envelope.adata ? new TextEncoder().encode(envelope.adata) : undefined;
+    if (envelope.hkdfSalt) {
+        const hkdfKey = await argon2ToHkdfKey(password, salt, params);
+        const hkdfSalt = new Uint8Array(Buffer.from(envelope.hkdfSalt, 'base64'));
+        const aesKey = await hkdfDeriveAesKey(hkdfKey, hkdfSalt, 'decrypt');
+        return aesGcmDecrypt(aesKey, iv, ct, adataBytes);
+    }
+    const key = await argon2ToAesKey(password, salt, params);
+    return aesGcmDecrypt(key, iv, ct, adataBytes);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZW5jcnlwdFYyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2VuY3J5cHRWMi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUF3RkEsMENBT0M7QUFFRCw0Q0FRQztBQUVELHNDQVVDO0FBRUQsc0NBVUM7QUFFRCwwQ0FRQztBQWFELDhCQXFDQztBQVdELDhCQWlCQztBQXpORCwrQ0FBOEM7QUFDOUMsbURBQWlGO0FBQ2pGLG1DQUFnRDtBQUNoRCx5Q0FBMkI7QUFFM0IsMEZBQTBGO0FBQzFGLE1BQU0sTUFBTSxHQUFHLFVBQVUsQ0FBQyxNQUFNLEVBQUUsTUFBTSxJQUFJLGtCQUFTLENBQUMsTUFBTSxDQUFDO0FBRTdEOztHQUVHO0FBQ1UsUUFBQSxlQUFlLEdBQUc7SUFDN0IsVUFBVSxFQUFFLEtBQUssRUFBRSxnQkFBZ0I7SUFDbkMsVUFBVSxFQUFFLENBQUM7SUFDYixXQUFXLEVBQUUsQ0FBQztJQUNkLFVBQVUsRUFBRSxFQUFFLEVBQUUsY0FBYztJQUM5QixVQUFVLEVBQUUsRUFBRSxFQUFFLGVBQWU7Q0FDdkIsQ0FBQztBQUVYOzs7O0dBSUc7QUFDSCxNQUFNLFVBQVUsR0FBRztJQUNqQixVQUFVLEVBQUUsTUFBTTtJQUNsQixVQUFVLEVBQUUsRUFBRTtJQUNkLFdBQVcsRUFBRSxFQUFFO0NBQ1AsQ0FBQztBQUVYLHFDQUFxQztBQUN4QixRQUFBLGFBQWEsR0FBRyxFQUFFLENBQUM7QUFFaEMseUNBQXlDO0FBQzVCLFFBQUEsZ0JBQWdCLEdBQUcsRUFBRSxDQUFDO0FBRW5DLGdGQUFnRjtBQUNoRixNQUFNLFNBQVMsR0FBRyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO0FBRS9ELGlCQUFpQjtBQUVqQixNQUFNLGVBQWUsR0FBRyxDQUFDLENBQUMsWUFBWSxDQUFDO0lBQ3JDLENBQUMsQ0FBQyxJQUFJLENBQUM7UUFDTCxDQUFDLEVBQUUsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUM7UUFDZixDQUFDLEVBQUUsSUFBQSxxQkFBVSxFQUFDLENBQUMsRUFBRSxVQUFVLENBQUMsVUFBVSxFQUFFLFlBQVksQ0FBQztRQUNyRCxDQUFDLEVBQUUsSUFBQSxxQkFBVSxFQUFDLENBQUMsRUFBRSxVQUFVLENBQUMsVUFBVSxFQUFFLFlBQVksQ0FBQztRQUNyRCxDQUFDLEVBQUUsSUFBQSxxQkFBVSxFQUFDLENBQUMsRUFBRSxVQUFVLENBQUMsV0FBVyxFQUFFLGFBQWEsQ0FBQztRQUN2RCxJQUFJLEVBQUUsdUJBQVk7UUFDbEIsRUFBRSxFQUFFLHVCQUFZO1FBQ2hCLEVBQUUsRUFBRSx1QkFBWTtLQUNqQixDQUFDO0lBQ0YsQ0FBQyxDQUFDLE9BQU8sQ0FBQztRQUNSLHNGQUFzRjtRQUN0RixRQUFRLEVBQUUsdUJBQVk7UUFDdEIsa0dBQWtHO1FBQ2xHLEtBQUssRUFBRSxDQUFDLENBQUMsTUFBTTtLQUNoQixDQUFDO0NBQ0gsQ0FBQyxDQUFDO0FBSUgsaUJBQWlCO0FBRWpCLEtBQUssVUFBVSxVQUFVLENBQ3ZCLFFBQWdCLEVBQ2hCLElBQWdCLEVBQ2hCLE1BQXVFO0lBRXZFLE9BQU8sSUFBQSxpQkFBUSxFQUFDO1FBQ2QsUUFBUTtRQUNSLElBQUk7UUFDSixVQUFVLEVBQUUsTUFBTSxDQUFDLFVBQVU7UUFDN0IsVUFBVSxFQUFFLE1BQU0sQ0FBQyxVQUFVO1FBQzdCLFdBQVcsRUFBRSxNQUFNLENBQUMsV0FBVztRQUMvQixVQUFVLEVBQUUsdUJBQWUsQ0FBQyxVQUFVO1FBQ3RDLFVBQVUsRUFBRSxRQUFRO0tBQ3JCLENBQUMsQ0FBQztBQUNMLENBQUM7QUFFRCxLQUFLLFVBQVUsY0FBYyxDQUMzQixRQUFnQixFQUNoQixJQUFnQixFQUNoQixNQUF1RTtJQUV2RSxNQUFNLFFBQVEsR0FBRyxNQUFNLFVBQVUsQ0FBQyxRQUFRLEVBQUUsSUFBSSxFQUFFLE1BQU0sQ0FBQyxDQUFDO0lBQzFELE9BQU8sTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsUUFBUSxFQUFFLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxFQUFFLEtBQUssRUFBRSxDQUFDLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FBQyxDQUFDO0FBQy9GLENBQUM7QUFFTSxLQUFLLFVBQVUsZUFBZSxDQUNuQyxRQUFnQixFQUNoQixJQUFnQixFQUNoQixNQUF1RTtJQUV2RSxNQUFNLFFBQVEsR0FBRyxNQUFNLFVBQVUsQ0FBQyxRQUFRLEVBQUUsSUFBSSxFQUFFLE1BQU0sQ0FBQyxDQUFDO0lBQzFELE9BQU8sTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsUUFBUSxFQUFFLE1BQU0sRUFBRSxLQUFLLEVBQUUsQ0FBQyxXQUFXLENBQUMsQ0FBQyxDQUFDO0FBQ3pFLENBQUM7QUFFRCxTQUFnQixnQkFBZ0IsQ0FBQyxPQUFrQixFQUFFLFFBQW9CLEVBQUUsS0FBZTtJQUN4RixPQUFPLE1BQU0sQ0FBQyxTQUFTLENBQ3JCLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLElBQUksRUFBRSxRQUFRLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxFQUNsRSxPQUFPLEVBQ1AsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLE1BQU0sRUFBRSxHQUFHLEVBQUUsRUFDaEMsS0FBSyxFQUNMLENBQUMsS0FBSyxDQUFDLENBQ1IsQ0FBQztBQUNKLENBQUM7QUFFTSxLQUFLLFVBQVUsYUFBYSxDQUNqQyxHQUFjLEVBQ2QsRUFBYyxFQUNkLFNBQWlCLEVBQ2pCLGNBQTJCO0lBRTNCLE1BQU0sTUFBTSxHQUFpQixFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsRUFBRSxFQUFFLFNBQVMsRUFBRSxHQUFHLEVBQUUsQ0FBQztJQUNyRSxJQUFJLGNBQWM7UUFBRSxNQUFNLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztJQUMzRCxNQUFNLEVBQUUsR0FBRyxNQUFNLE1BQU0sQ0FBQyxPQUFPLENBQUMsTUFBTSxFQUFFLEdBQUcsRUFBRSxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDO0lBQ2xGLE9BQU8sSUFBSSxVQUFVLENBQUMsRUFBRSxDQUFDLENBQUM7QUFDNUIsQ0FBQztBQUVNLEtBQUssVUFBVSxhQUFhLENBQ2pDLEdBQWMsRUFDZCxFQUFjLEVBQ2QsRUFBYyxFQUNkLGNBQTJCO0lBRTNCLE1BQU0sTUFBTSxHQUFpQixFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsRUFBRSxFQUFFLFNBQVMsRUFBRSxHQUFHLEVBQUUsQ0FBQztJQUNyRSxJQUFJLGNBQWM7UUFBRSxNQUFNLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztJQUMzRCxNQUFNLFNBQVMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxPQUFPLENBQUMsTUFBTSxFQUFFLEdBQUcsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUN4RCxPQUFPLElBQUksV0FBVyxFQUFFLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUFDO0FBQzdDLENBQUM7QUFFRCxTQUFnQixlQUFlLENBQUMsVUFBa0I7SUFDaEQsSUFBSSxNQUFlLENBQUM7SUFDcEIsSUFBSSxDQUFDO1FBQ0gsTUFBTSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLENBQUM7SUFDbEMsQ0FBQztJQUFDLE1BQU0sQ0FBQztRQUNQLE1BQU0sSUFBSSxLQUFLLENBQUMsbUNBQW1DLENBQUMsQ0FBQztJQUN2RCxDQUFDO0lBQ0QsT0FBTyxJQUFBLDBCQUFlLEVBQUMsZUFBZSxFQUFFLE1BQU0sRUFBRSw4QkFBOEIsQ0FBQyxDQUFDO0FBQ2xGLENBQUM7QUFFRCxhQUFhO0FBRWI7Ozs7Ozs7O0dBUUc7QUFDSSxLQUFLLFVBQVUsU0FBUyxDQUM3QixRQUFnQixFQUNoQixTQUFpQixFQUNqQixPQU9DO0lBRUQsTUFBTSxVQUFVLEdBQUcsT0FBTyxFQUFFLFVBQVUsSUFBSSx1QkFBZSxDQUFDLFVBQVUsQ0FBQztJQUNyRSxNQUFNLFVBQVUsR0FBRyxPQUFPLEVBQUUsVUFBVSxJQUFJLHVCQUFlLENBQUMsVUFBVSxDQUFDO0lBQ3JFLE1BQU0sV0FBVyxHQUFHLE9BQU8sRUFBRSxXQUFXLElBQUksdUJBQWUsQ0FBQyxXQUFXLENBQUM7SUFFeEUsTUFBTSxJQUFJLEdBQUcsT0FBTyxFQUFFLElBQUksSUFBSSxJQUFJLFVBQVUsQ0FBQyxJQUFBLG9CQUFXLEVBQUMsdUJBQWUsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDO0lBQ3RGLElBQUksSUFBSSxDQUFDLE1BQU0sS0FBSyx1QkFBZSxDQUFDLFVBQVU7UUFBRSxNQUFNLElBQUksS0FBSyxDQUFDLGdCQUFnQix1QkFBZSxDQUFDLFVBQVUsUUFBUSxDQUFDLENBQUM7SUFFcEgsTUFBTSxFQUFFLEdBQUcsT0FBTyxFQUFFLEVBQUUsSUFBSSxJQUFJLFVBQVUsQ0FBQyxJQUFBLG9CQUFXLEVBQUMscUJBQWEsQ0FBQyxDQUFDLENBQUM7SUFDckUsSUFBSSxFQUFFLENBQUMsTUFBTSxLQUFLLHFCQUFhO1FBQUUsTUFBTSxJQUFJLEtBQUssQ0FBQyxjQUFjLHFCQUFhLFFBQVEsQ0FBQyxDQUFDO0lBRXRGLE1BQU0sVUFBVSxHQUFHLE9BQU8sRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDLElBQUksV0FBVyxFQUFFLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDO0lBQ3hGLE1BQU0sR0FBRyxHQUFHLE1BQU0sY0FBYyxDQUFDLFFBQVEsRUFBRSxJQUFJLEVBQUUsRUFBRSxVQUFVLEVBQUUsVUFBVSxFQUFFLFdBQVcsRUFBRSxDQUFDLENBQUM7SUFDMUYsTUFBTSxFQUFFLEdBQUcsTUFBTSxhQUFhLENBQUMsR0FBRyxFQUFFLEVBQUUsRUFBRSxTQUFTLEVBQUUsVUFBVSxDQUFDLENBQUM7SUFFL0QsTUFBTSxRQUFRLEdBQWU7UUFDM0IsQ0FBQyxFQUFFLENBQUM7UUFDSixDQUFDLEVBQUUsVUFBVTtRQUNiLENBQUMsRUFBRSxVQUFVO1FBQ2IsQ0FBQyxFQUFFLFdBQVc7UUFDZCxJQUFJLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDO1FBQzFDLEVBQUUsRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUM7UUFDdEMsRUFBRSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQztLQUN2QyxDQUFDO0lBQ0YsSUFBSSxPQUFPLEVBQUUsS0FBSztRQUFFLFFBQVEsQ0FBQyxLQUFLLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQztJQUNuRCxPQUFPLElBQUksQ0FBQyxTQUFTLENBQUMsUUFBUSxDQUFDLENBQUM7QUFDbEMsQ0FBQztBQUVEOzs7Ozs7OztHQVFHO0FBQ0ksS0FBSyxVQUFVLFNBQVMsQ0FBQyxRQUFnQixFQUFFLFVBQWtCO0lBQ2xFLE1BQU0sUUFBUSxHQUFHLGVBQWUsQ0FBQyxVQUFVLENBQUMsQ0FBQztJQUM3QyxNQUFNLElBQUksR0FBRyxJQUFJLFVBQVUsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztJQUNsRSxNQUFNLEVBQUUsR0FBRyxJQUFJLFVBQVUsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztJQUM5RCxNQUFNLEVBQUUsR0FBRyxJQUFJLFVBQVUsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztJQUM5RCxNQUFNLE1BQU0sR0FBRyxFQUFFLFVBQVUsRUFBRSxRQUFRLENBQUMsQ0FBQyxFQUFFLFVBQVUsRUFBRSxRQUFRLENBQUMsQ0FBQyxFQUFFLFdBQVcsRUFBRSxRQUFRLENBQUMsQ0FBQyxFQUFFLENBQUM7SUFDM0YsTUFBTSxVQUFVLEdBQUcsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsSUFBSSxXQUFXLEVBQUUsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQUM7SUFFekYsSUFBSSxRQUFRLENBQUMsUUFBUSxFQUFFLENBQUM7UUFDdEIsTUFBTSxPQUFPLEdBQUcsTUFBTSxlQUFlLENBQUMsUUFBUSxFQUFFLElBQUksRUFBRSxNQUFNLENBQUMsQ0FBQztRQUM5RCxNQUFNLFFBQVEsR0FBRyxJQUFJLFVBQVUsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztRQUMxRSxNQUFNLE1BQU0sR0FBRyxNQUFNLGdCQUFnQixDQUFDLE9BQU8sRUFBRSxRQUFRLEVBQUUsU0FBUyxDQUFDLENBQUM7UUFDcEUsT0FBTyxhQUFhLENBQUMsTUFBTSxFQUFFLEVBQUUsRUFBRSxFQUFFLEVBQUUsVUFBVSxDQUFDLENBQUM7SUFDbkQsQ0FBQztJQUVELE1BQU0sR0FBRyxHQUFHLE1BQU0sY0FBYyxDQUFDLFFBQVEsRUFBRSxJQUFJLEVBQUUsTUFBTSxDQUFDLENBQUM7SUFDekQsT0FBTyxhQUFhLENBQUMsR0FBRyxFQUFFLEVBQUUsRUFBRSxFQUFFLEVBQUUsVUFBVSxDQUFDLENBQUM7QUFDaEQsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IGFyZ29uMmlkIH0gZnJvbSAnQGJpdGdvLWJldGEvYXJnb24yJztcbmltcG9ydCB7IGJhc2U2NFN0cmluZywgYm91bmRlZEludCwgZGVjb2RlV2l0aENvZGVjIH0gZnJvbSAnQGJpdGdvLWJldGEvc2RrLWNvcmUnO1xuaW1wb3J0IHsgcmFuZG9tQnl0ZXMsIHdlYmNyeXB0byB9IGZyb20gJ2NyeXB0byc7XG5pbXBvcnQgKiBhcyB0IGZyb20gJ2lvLXRzJztcblxuLyoqIFdlYiBDcnlwdG8gc3VidGxlIOKAlCBicm93c2VyIGdsb2JhbCBpbiBET007IE5vZGUvRWxlY3Ryb24gbWFpbiBtdXN0IHVzZSBgd2ViY3J5cHRvYC4gKi9cbmNvbnN0IHN1YnRsZSA9IGdsb2JhbFRoaXMuY3J5cHRvPy5zdWJ0bGUgPz8gd2ViY3J5cHRvLnN1YnRsZTtcblxuLyoqIERlZmF1bHQgQXJnb24yaWQgcGFyYW1ldGVycyBwZXIgUkZDIDkxMDYgc2Vjb25kIHJlY29tbWVuZGF0aW9uXG4gKiBAc2VlIGh0dHBzOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM5MTA2I3NlY3Rpb24tNFxuICovXG5leHBvcnQgY29uc3QgQVJHT04yX0RFRkFVTFRTID0ge1xuICBtZW1vcnlTaXplOiA2NTUzNiwgLy8gNjQgTWlCIGluIEtpQlxuICBpdGVyYXRpb25zOiAzLFxuICBwYXJhbGxlbGlzbTogNCxcbiAgaGFzaExlbmd0aDogMzIsIC8vIDI1Ni1iaXQga2V5XG4gIHNhbHRMZW5ndGg6IDE2LCAvLyAxMjgtYml0IHNhbHRcbn0gYXMgY29uc3Q7XG5cbi8qKiBNYXhpbXVtIGFsbG93ZWQgQXJnb24yaWQgcGFyYW1ldGVycyB0byBwcmV2ZW50IERvUyB2aWEgY3JhZnRlZCBlbnZlbG9wZXMuXG4gKiBtZW1vcnlTaXplOiAyNTYgTWlCICg0eCBkZWZhdWx0KSAtLSBjYXBzIG1lbW9yeSBhbGxvY2F0aW9uIG9uIHVudHJ1c3RlZCBpbnB1dC5cbiAqIGl0ZXJhdGlvbnM6IDE2IC0tIGNhcHMgQ1BVIHRpbWUuXG4gKiBwYXJhbGxlbGlzbTogMTYgLS0gY2FwcyB0aHJlYWQgY291bnQuXG4gKi9cbmNvbnN0IEFSR09OMl9NQVggPSB7XG4gIG1lbW9yeVNpemU6IDI2MjE0NCxcbiAgaXRlcmF0aW9uczogMTYsXG4gIHBhcmFsbGVsaXNtOiAxNixcbn0gYXMgY29uc3Q7XG5cbi8qKiBBRVMtMjU2LUdDTSBJViBsZW5ndGggaW4gYnl0ZXMgKi9cbmV4cG9ydCBjb25zdCBHQ01fSVZfTEVOR1RIID0gMTI7XG5cbi8qKiBIS0RGIHBlci1jYWxsIHNhbHQgbGVuZ3RoIGluIGJ5dGVzICovXG5leHBvcnQgY29uc3QgSEtERl9TQUxUX0xFTkdUSCA9IDMyO1xuXG4vKiogRml4ZWQgSEtERiBpbmZvIHN0cmluZyBmb3IgZG9tYWluIHNlcGFyYXRpb24gYWNyb3NzIEJpdEdvIHYyIHNlc3Npb24ga2V5cyAqL1xuY29uc3QgSEtERl9JTkZPID0gbmV3IFRleHRFbmNvZGVyKCkuZW5jb2RlKCdiaXRnby12Mi1zZXNzaW9uJyk7XG5cbi8vIEVudmVsb3BlIGNvZGVjXG5cbmNvbnN0IFYyRW52ZWxvcGVDb2RlYyA9IHQuaW50ZXJzZWN0aW9uKFtcbiAgdC50eXBlKHtcbiAgICB2OiB0LmxpdGVyYWwoMiksXG4gICAgbTogYm91bmRlZEludCgxLCBBUkdPTjJfTUFYLm1lbW9yeVNpemUsICdtZW1vcnlTaXplJyksXG4gICAgdDogYm91bmRlZEludCgxLCBBUkdPTjJfTUFYLml0ZXJhdGlvbnMsICdpdGVyYXRpb25zJyksXG4gICAgcDogYm91bmRlZEludCgxLCBBUkdPTjJfTUFYLnBhcmFsbGVsaXNtLCAncGFyYWxsZWxpc20nKSxcbiAgICBzYWx0OiBiYXNlNjRTdHJpbmcsXG4gICAgaXY6IGJhc2U2NFN0cmluZyxcbiAgICBjdDogYmFzZTY0U3RyaW5nLFxuICB9KSxcbiAgdC5wYXJ0aWFsKHtcbiAgICAvKiogQmFzZTY0LWVuY29kZWQgcGVyLWNhbGwgSEtERiBzYWx0IC0tIHByZXNlbnQgb25seSBpbiBzZXNzaW9uLXByb2R1Y2VkIGVudmVsb3BlcyAqL1xuICAgIGhrZGZTYWx0OiBiYXNlNjRTdHJpbmcsXG4gICAgLyoqIEFkZGl0aW9uYWwgYXV0aGVudGljYXRlZCBkYXRhIGZvciBjb250ZXh0IGJpbmRpbmcgKGUuZy4gdHJhbnNhY3Rpb24gaGFzaCArIGRlcml2YXRpb24gcGF0aCkgKi9cbiAgICBhZGF0YTogdC5zdHJpbmcsXG4gIH0pLFxuXSk7XG5cbmV4cG9ydCB0eXBlIFYyRW52ZWxvcGUgPSB0LlR5cGVPZjx0eXBlb2YgVjJFbnZlbG9wZUNvZGVjPjtcblxuLy8gQ3J5cHRvIGhlbHBlcnNcblxuYXN5bmMgZnVuY3Rpb24gYXJnb24ySGFzaChcbiAgcGFzc3dvcmQ6IHN0cmluZyxcbiAgc2FsdDogVWludDhBcnJheSxcbiAgcGFyYW1zOiB7IG1lbW9yeVNpemU6IG51bWJlcjsgaXRlcmF0aW9uczogbnVtYmVyOyBwYXJhbGxlbGlzbTogbnVtYmVyIH1cbik6IFByb21pc2U8VWludDhBcnJheT4ge1xuICByZXR1cm4gYXJnb24yaWQoe1xuICAgIHBhc3N3b3JkLFxuICAgIHNhbHQsXG4gICAgbWVtb3J5U2l6ZTogcGFyYW1zLm1lbW9yeVNpemUsXG4gICAgaXRlcmF0aW9uczogcGFyYW1zLml0ZXJhdGlvbnMsXG4gICAgcGFyYWxsZWxpc206IHBhcmFtcy5wYXJhbGxlbGlzbSxcbiAgICBoYXNoTGVuZ3RoOiBBUkdPTjJfREVGQVVMVFMuaGFzaExlbmd0aCxcbiAgICBvdXRwdXRUeXBlOiAnYmluYXJ5JyxcbiAgfSk7XG59XG5cbmFzeW5jIGZ1bmN0aW9uIGFyZ29uMlRvQWVzS2V5KFxuICBwYXNzd29yZDogc3RyaW5nLFxuICBzYWx0OiBVaW50OEFycmF5LFxuICBwYXJhbXM6IHsgbWVtb3J5U2l6ZTogbnVtYmVyOyBpdGVyYXRpb25zOiBudW1iZXI7IHBhcmFsbGVsaXNtOiBudW1iZXIgfVxuKTogUHJvbWlzZTxDcnlwdG9LZXk+IHtcbiAgY29uc3Qga2V5Qnl0ZXMgPSBhd2FpdCBhcmdvbjJIYXNoKHBhc3N3b3JkLCBzYWx0LCBwYXJhbXMpO1xuICByZXR1cm4gc3VidGxlLmltcG9ydEtleSgncmF3Jywga2V5Qnl0ZXMsIHsgbmFtZTogJ0FFUy1HQ00nIH0sIGZhbHNlLCBbJ2VuY3J5cHQnLCAnZGVjcnlwdCddKTtcbn1cblxuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGFyZ29uMlRvSGtkZktleShcbiAgcGFzc3dvcmQ6IHN0cmluZyxcbiAgc2FsdDogVWludDhBcnJheSxcbiAgcGFyYW1zOiB7IG1lbW9yeVNpemU6IG51bWJlcjsgaXRlcmF0aW9uczogbnVtYmVyOyBwYXJhbGxlbGlzbTogbnVtYmVyIH1cbik6IFByb21pc2U8Q3J5cHRvS2V5PiB7XG4gIGNvbnN0IGtleUJ5dGVzID0gYXdhaXQgYXJnb24ySGFzaChwYXNzd29yZCwgc2FsdCwgcGFyYW1zKTtcbiAgcmV0dXJuIHN1YnRsZS5pbXBvcnRLZXkoJ3JhdycsIGtleUJ5dGVzLCAnSEtERicsIGZhbHNlLCBbJ2Rlcml2ZUtleSddKTtcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIGhrZGZEZXJpdmVBZXNLZXkoaGtkZktleTogQ3J5cHRvS2V5LCBoa2RmU2FsdDogVWludDhBcnJheSwgdXNhZ2U6IEtleVVzYWdlKTogUHJvbWlzZTxDcnlwdG9LZXk+IHtcbiAgcmV0dXJuIHN1YnRsZS5kZXJpdmVLZXkoXG4gICAgeyBuYW1lOiAnSEtERicsIGhhc2g6ICdTSEEtMjU2Jywgc2FsdDogaGtkZlNhbHQsIGluZm86IEhLREZfSU5GTyB9LFxuICAgIGhrZGZLZXksXG4gICAgeyBuYW1lOiAnQUVTLUdDTScsIGxlbmd0aDogMjU2IH0sXG4gICAgZmFsc2UsXG4gICAgW3VzYWdlXVxuICApO1xufVxuXG5leHBvcnQgYXN5bmMgZnVuY3Rpb24gYWVzR2NtRW5jcnlwdChcbiAga2V5OiBDcnlwdG9LZXksXG4gIGl2OiBVaW50OEFycmF5LFxuICBwbGFpbnRleHQ6IHN0cmluZyxcbiAgYWRkaXRpb25hbERhdGE/OiBVaW50OEFycmF5XG4pOiBQcm9taXNlPFVpbnQ4QXJyYXk+IHtcbiAgY29uc3QgcGFyYW1zOiBBZXNHY21QYXJhbXMgPSB7IG5hbWU6ICdBRVMtR0NNJywgaXYsIHRhZ0xlbmd0aDogMTI4IH07XG4gIGlmIChhZGRpdGlvbmFsRGF0YSkgcGFyYW1zLmFkZGl0aW9uYWxEYXRhID0gYWRkaXRpb25hbERhdGE7XG4gIGNvbnN0IGN0ID0gYXdhaXQgc3VidGxlLmVuY3J5cHQocGFyYW1zLCBrZXksIG5ldyBUZXh0RW5jb2RlcigpLmVuY29kZShwbGFpbnRleHQpKTtcbiAgcmV0dXJuIG5ldyBVaW50OEFycmF5KGN0KTtcbn1cblxuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGFlc0djbURlY3J5cHQoXG4gIGtleTogQ3J5cHRvS2V5LFxuICBpdjogVWludDhBcnJheSxcbiAgY3Q6IFVpbnQ4QXJyYXksXG4gIGFkZGl0aW9uYWxEYXRhPzogVWludDhBcnJheVxuKTogUHJvbWlzZTxzdHJpbmc+IHtcbiAgY29uc3QgcGFyYW1zOiBBZXNHY21QYXJhbXMgPSB7IG5hbWU6ICdBRVMtR0NNJywgaXYsIHRhZ0xlbmd0aDogMTI4IH07XG4gIGlmIChhZGRpdGlvbmFsRGF0YSkgcGFyYW1zLmFkZGl0aW9uYWxEYXRhID0gYWRkaXRpb25hbERhdGE7XG4gIGNvbnN0IHBsYWludGV4dCA9IGF3YWl0IHN1YnRsZS5kZWNyeXB0KHBhcmFtcywga2V5LCBjdCk7XG4gIHJldHVybiBuZXcgVGV4dERlY29kZXIoKS5kZWNvZGUocGxhaW50ZXh0KTtcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIHBhcnNlVjJFbnZlbG9wZShjaXBoZXJ0ZXh0OiBzdHJpbmcpOiBWMkVudmVsb3BlIHtcbiAgbGV0IHBhcnNlZDogdW5rbm93bjtcbiAgdHJ5IHtcbiAgICBwYXJzZWQgPSBKU09OLnBhcnNlKGNpcGhlcnRleHQpO1xuICB9IGNhdGNoIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoJ3YyIGRlY3J5cHQ6IGludmFsaWQgSlNPTiBlbnZlbG9wZScpO1xuICB9XG4gIHJldHVybiBkZWNvZGVXaXRoQ29kZWMoVjJFbnZlbG9wZUNvZGVjLCBwYXJzZWQsICd2MiBkZWNyeXB0OiBpbnZhbGlkIGVudmVsb3BlJyk7XG59XG5cbi8vIFB1YmxpYyBBUElcblxuLyoqXG4gKiBFbmNyeXB0IHBsYWludGV4dCB1c2luZyBBcmdvbjJpZCBLREYgKyBBRVMtMjU2LUdDTS5cbiAqXG4gKiBSZXR1cm5zIGEgc2VsZi1kZXNjcmliaW5nIEpTT04gdjIgZW52ZWxvcGUgY29udGFpbmluZyBhbGwgQXJnb24yaWQgcGFyYW1ldGVycyxcbiAqIHNhbHQsIElWLCBhbmQgY2lwaGVydGV4dCAtLSBmdWxseSBzdGFuZGFsb25lIGZvciBkZWNyeXB0aW9uLlxuICpcbiAqIEZvciBtdWx0aS1jYWxsIG9wZXJhdGlvbnMgKE1QQyBzaWduaW5nLCB3YWxsZXQgY3JlYXRpb24pLCBwcmVmZXJcbiAqIGNyZWF0ZUVuY3J5cHRpb25TZXNzaW9uIHRvIHJ1biBBcmdvbjJpZCBvbmNlIGFuZCBkZXJpdmUgcGVyLWNhbGwga2V5cyB2aWEgSEtERi5cbiAqL1xuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGVuY3J5cHRWMihcbiAgcGFzc3dvcmQ6IHN0cmluZyxcbiAgcGxhaW50ZXh0OiBzdHJpbmcsXG4gIG9wdGlvbnM/OiB7XG4gICAgc2FsdD86IFVpbnQ4QXJyYXk7XG4gICAgaXY/OiBVaW50OEFycmF5O1xuICAgIG1lbW9yeVNpemU/OiBudW1iZXI7XG4gICAgaXRlcmF0aW9ucz86IG51bWJlcjtcbiAgICBwYXJhbGxlbGlzbT86IG51bWJlcjtcbiAgICBhZGF0YT86IHN0cmluZztcbiAgfVxuKTogUHJvbWlzZTxzdHJpbmc+IHtcbiAgY29uc3QgbWVtb3J5U2l6ZSA9IG9wdGlvbnM/Lm1lbW9yeVNpemUgPz8gQVJHT04yX0RFRkFVTFRTLm1lbW9yeVNpemU7XG4gIGNvbnN0IGl0ZXJhdGlvbnMgPSBvcHRpb25zPy5pdGVyYXRpb25zID8/IEFSR09OMl9ERUZBVUxUUy5pdGVyYXRpb25zO1xuICBjb25zdCBwYXJhbGxlbGlzbSA9IG9wdGlvbnM/LnBhcmFsbGVsaXNtID8/IEFSR09OMl9ERUZBVUxUUy5wYXJhbGxlbGlzbTtcblxuICBjb25zdCBzYWx0ID0gb3B0aW9ucz8uc2FsdCA/PyBuZXcgVWludDhBcnJheShyYW5kb21CeXRlcyhBUkdPTjJfREVGQVVMVFMuc2FsdExlbmd0aCkpO1xuICBpZiAoc2FsdC5sZW5ndGggIT09IEFSR09OMl9ERUZBVUxUUy5zYWx0TGVuZ3RoKSB0aHJvdyBuZXcgRXJyb3IoYHNhbHQgbXVzdCBiZSAke0FSR09OMl9ERUZBVUxUUy5zYWx0TGVuZ3RofSBieXRlc2ApO1xuXG4gIGNvbnN0IGl2ID0gb3B0aW9ucz8uaXYgPz8gbmV3IFVpbnQ4QXJyYXkocmFuZG9tQnl0ZXMoR0NNX0lWX0xFTkdUSCkpO1xuICBpZiAoaXYubGVuZ3RoICE9PSBHQ01fSVZfTEVOR1RIKSB0aHJvdyBuZXcgRXJyb3IoYGl2IG11c3QgYmUgJHtHQ01fSVZfTEVOR1RIfSBieXRlc2ApO1xuXG4gIGNvbnN0IGFkYXRhQnl0ZXMgPSBvcHRpb25zPy5hZGF0YSA/IG5ldyBUZXh0RW5jb2RlcigpLmVuY29kZShvcHRpb25zLmFkYXRhKSA6IHVuZGVmaW5lZDtcbiAgY29uc3Qga2V5ID0gYXdhaXQgYXJnb24yVG9BZXNLZXkocGFzc3dvcmQsIHNhbHQsIHsgbWVtb3J5U2l6ZSwgaXRlcmF0aW9ucywgcGFyYWxsZWxpc20gfSk7XG4gIGNvbnN0IGN0ID0gYXdhaXQgYWVzR2NtRW5jcnlwdChrZXksIGl2LCBwbGFpbnRleHQsIGFkYXRhQnl0ZXMpO1xuXG4gIGNvbnN0IGVudmVsb3BlOiBWMkVudmVsb3BlID0ge1xuICAgIHY6IDIsXG4gICAgbTogbWVtb3J5U2l6ZSxcbiAgICB0OiBpdGVyYXRpb25zLFxuICAgIHA6IHBhcmFsbGVsaXNtLFxuICAgIHNhbHQ6IEJ1ZmZlci5mcm9tKHNhbHQpLnRvU3RyaW5nKCdiYXNlNjQnKSxcbiAgICBpdjogQnVmZmVyLmZyb20oaXYpLnRvU3RyaW5nKCdiYXNlNjQnKSxcbiAgICBjdDogQnVmZmVyLmZyb20oY3QpLnRvU3RyaW5nKCdiYXNlNjQnKSxcbiAgfTtcbiAgaWYgKG9wdGlvbnM/LmFkYXRhKSBlbnZlbG9wZS5hZGF0YSA9IG9wdGlvbnMuYWRhdGE7XG4gIHJldHVybiBKU09OLnN0cmluZ2lmeShlbnZlbG9wZSk7XG59XG5cbi8qKlxuICogRGVjcnlwdCBhIHYyIGVudmVsb3BlIChBcmdvbjJpZCArIEFFUy0yNTYtR0NNKS5cbiAqXG4gKiBIYW5kbGVzIGJvdGggZW52ZWxvcGUgdHlwZXMgYXV0b21hdGljYWxseTpcbiAqICAgLSBTdGFuZGFyZCAgKG5vIGhrZGZTYWx0KTogQXJnb24yaWQgLT4gQUVTLUdDTVxuICogICAtIFNlc3Npb24gICAoaGtkZlNhbHQgcHJlc2VudCk6IEFyZ29uMmlkIC0+IEhLREYgLT4gQUVTLUdDTVxuICpcbiAqIEFsbCBwYXJhbWV0ZXJzIGFyZSBzdG9yZWQgaW4gdGhlIGVudmVsb3BlIC0tIG5vIHNlc3Npb24gY29udGV4dCByZXF1aXJlZC5cbiAqL1xuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGRlY3J5cHRWMihwYXNzd29yZDogc3RyaW5nLCBjaXBoZXJ0ZXh0OiBzdHJpbmcpOiBQcm9taXNlPHN0cmluZz4ge1xuICBjb25zdCBlbnZlbG9wZSA9IHBhcnNlVjJFbnZlbG9wZShjaXBoZXJ0ZXh0KTtcbiAgY29uc3Qgc2FsdCA9IG5ldyBVaW50OEFycmF5KEJ1ZmZlci5mcm9tKGVudmVsb3BlLnNhbHQsICdiYXNlNjQnKSk7XG4gIGNvbnN0IGl2ID0gbmV3IFVpbnQ4QXJyYXkoQnVmZmVyLmZyb20oZW52ZWxvcGUuaXYsICdiYXNlNjQnKSk7XG4gIGNvbnN0IGN0ID0gbmV3IFVpbnQ4QXJyYXkoQnVmZmVyLmZyb20oZW52ZWxvcGUuY3QsICdiYXNlNjQnKSk7XG4gIGNvbnN0IHBhcmFtcyA9IHsgbWVtb3J5U2l6ZTogZW52ZWxvcGUubSwgaXRlcmF0aW9uczogZW52ZWxvcGUudCwgcGFyYWxsZWxpc206IGVudmVsb3BlLnAgfTtcbiAgY29uc3QgYWRhdGFCeXRlcyA9IGVudmVsb3BlLmFkYXRhID8gbmV3IFRleHRFbmNvZGVyKCkuZW5jb2RlKGVudmVsb3BlLmFkYXRhKSA6IHVuZGVmaW5lZDtcblxuICBpZiAoZW52ZWxvcGUuaGtkZlNhbHQpIHtcbiAgICBjb25zdCBoa2RmS2V5ID0gYXdhaXQgYXJnb24yVG9Ia2RmS2V5KHBhc3N3b3JkLCBzYWx0LCBwYXJhbXMpO1xuICAgIGNvbnN0IGhrZGZTYWx0ID0gbmV3IFVpbnQ4QXJyYXkoQnVmZmVyLmZyb20oZW52ZWxvcGUuaGtkZlNhbHQsICdiYXNlNjQnKSk7XG4gICAgY29uc3QgYWVzS2V5ID0gYXdhaXQgaGtkZkRlcml2ZUFlc0tleShoa2RmS2V5LCBoa2RmU2FsdCwgJ2RlY3J5cHQnKTtcbiAgICByZXR1cm4gYWVzR2NtRGVjcnlwdChhZXNLZXksIGl2LCBjdCwgYWRhdGFCeXRlcyk7XG4gIH1cblxuICBjb25zdCBrZXkgPSBhd2FpdCBhcmdvbjJUb0Flc0tleShwYXNzd29yZCwgc2FsdCwgcGFyYW1zKTtcbiAgcmV0dXJuIGFlc0djbURlY3J5cHQoa2V5LCBpdiwgY3QsIGFkYXRhQnl0ZXMpO1xufVxuIl19

package/dist/src/encryptionSession.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Runs Argon2id once on creation, then derives per-call AES-256-GCM keys via HKDF.
+ * Use when encrypting or decrypting multiple values with the same password.
+ *
+ * Session envelopes are self-describing and can be decrypted standalone via decryptV2.
+ * Call destroy() when done to clear the cached key from memory.
+ */
+export declare class EncryptionSession {
+    private hkdfKey;
+    private argon2SaltB64;
+    private readonly memorySize;
+    private readonly iterations;
+    private readonly parallelism;
+    /** Use createEncryptionSession() instead of calling this directly. */
+    constructor(hkdfKey: CryptoKey, argon2SaltB64: string, params: {
+        memorySize: number;
+        iterations: number;
+        parallelism: number;
+    });
+    encrypt(plaintext: string, adata?: string): Promise<string>;
+    decrypt(ciphertext: string): Promise<string>;
+    destroy(): void;
+    private getKeyOrThrow;
+    private getSaltOrThrow;
+    private buildEnvelope;
+}
+/** Create an EncryptionSession. Runs Argon2id once; all subsequent calls derive keys via HKDF. */
+export declare function createEncryptionSession(password: string, options?: {
+    memorySize?: number;
+    iterations?: number;
+    parallelism?: number;
+    salt?: Uint8Array;
+}): Promise<EncryptionSession>;
+//# sourceMappingURL=encryptionSession.d.ts.map

package/dist/src/encryptionSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryptionSession.d.ts","sourceRoot":"","sources":["../../src/encryptionSession.ts"],"names":[],"mappings":"AAcA;;;;;;GAMG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,OAAO,CAAmB;IAClC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,sEAAsE;gBAEpE,OAAO,EAAE,SAAS,EAClB,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IASnE,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAY3D,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBlD,OAAO,IAAI,IAAI;IAKf,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,cAAc;IAOtB,OAAO,CAAC,aAAa;CAYtB;AAED,kGAAkG;AAClG,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,UAAU,CAAA;CAAE,GAC9F,OAAO,CAAC,iBAAiB,CAAC,CAe5B"}