@blackbox_ai/blackbox-cli 0.0.7 → 0.8.1

package/dist/src/encrypt/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/encrypt/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,sBAAsB;IACtB,0BAA0B;IAC1B,yBAAyB;IACzB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,cAAc;CACf,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,QAAQ,CAC/C,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,IAAI,SAAS,EACtD,EAAE,CACH,CAAC;AAEF,MAAM,CAAC,MAAM,6BAA6B,GAAG,QAAQ,CACnD,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,IAAI,GAAG,EACpD,EAAE,CACH,CAAC;AAEF,6CAA6C;AAC7C,MAAM,CAAC,MAAM,mBAAmB,GAAG,QAAQ,CACzC,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,IAAI,OAAO,EAAE,aAAa;AACrE,EAAE,CACH,CAAC;AAEF,6CAA6C;AAC7C,MAAM,CAAC,MAAM,mBAAmB,GAAG,QAAQ,CACzC,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,IAAI,MAAM,EAAE,WAAW;AAClE,EAAE,CACH,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,QAAQ,CACrC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,OAAO,EAAE,aAAa;AACjE,EAAE,CACH,CAAC;AAEF,MAAM,CAAC,MAAM,wBAAwB,GAAG,UAAU,CAChD,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,IAAI,GAAG,CACxD,CAAC;AAEF,gDAAgD;AAChD,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AAE3D;;GAEG;AAEH,0CAA0C;AAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,IAAI,gCAAgC,CAAC;AAEhG,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,OAAO;IACP,cAAc,EAAE,GAAG,OAAO,cAAc;IACxC,gBAAgB,EAAE,GAAG,OAAO,iBAAiB;IAC7C,wBAAwB;IACxB,gBAAgB,EAAE,yBAAyB;IAC3C,kBAAkB,EAAE,mBAAmB;IACvC,UAAU,EAAE,6BAA6B;CAC1C,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,SAAiB,EAAW,EAAE;IAC7D,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAE7B,OAAO,gBAAgB,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAC5C,SAAS,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC,CAC/D,CAAC;AACJ,CAAC,CAAC"}

package/dist/src/encrypt/crypto-utils.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Low-level cryptographic utilities extracted from streaming-client.ts
+ */
+export interface CryptoKeyPair {
+    ecdhPrivate: CryptoKey;
+    ecdsaPrivate: CryptoKey;
+    ecdsaPublic: CryptoKey;
+}
+/**
+ * Convert Uint8Array to base64 string
+ */
+export declare const toB64: (u8: Uint8Array) => string;
+/**
+ * Convert base64 string to Uint8Array
+ */
+export declare const fromB64: (b64: string) => Uint8Array;
+/**
+ * Generate a UUID for identification (moved from streaming-client.ts)
+ */
+export declare const generateUuid: () => string;
+/**
+ * Generate a P-384 keypair for both ECDSA and ECDH operations (moved from streaming-client.ts)
+ * Reuses the same key material for both operations (matching Rust behavior)
+ */
+export declare function generateKeyPair(): Promise<CryptoKeyPair>;
+export declare function ecdsaRawToDer(raw: Uint8Array): Uint8Array;
+export declare function ecdsaDerToRaw(der: Uint8Array): Uint8Array;
+/**
+ * Serialize a WebCrypto ECDSA/ECDH public key to PEM (SPKI)
+ */
+export declare function serializePublicKeyPem(publicKey: CryptoKey): Promise<string>;
+/**
+ * Deserialize PEM (SPKI) public key string to Uint8Array bytes
+ */
+export declare function deserializePublicKeyPem(pem: string): Uint8Array;
+/**
+ * Derive a shared key using ECDH + HKDF (SHA-256) from local private key and server public key (SPKI)
+ * Matches the Rust implementation detail (using only X coordinate for HKDF input).
+ */
+export declare function deriveSharedKey(localPrivateKey: CryptoKey, serverPublicKeySpki: Uint8Array): Promise<Uint8Array>;
+/**
+ * Encrypted payload interface (moved from streaming-client.ts)
+ */
+export interface EncryptedPayload {
+    nonce: number;
+    iv: string;
+    ciphertext: string;
+    signature: string;
+}
+/**
+ * Encrypt and sign a message using AES-GCM and ECDSA (moved from streaming-client.ts)
+ */
+export declare function encryptAndSign(plaintext: string, sharedKey: Uint8Array, signingKey: CryptoKey, nonce: number): Promise<EncryptedPayload>;
+/**
+ * Decrypt and verify a message using AES-GCM and ECDSA (moved from streaming-client.ts)
+ */
+export declare function decryptAndVerify(payload: EncryptedPayload, sharedKey: Uint8Array, serverVerifyingKeySpki: Uint8Array): Promise<string>;

package/dist/src/encrypt/crypto-utils.js

@@ -0,0 +1,257 @@
+/**
+ * Low-level cryptographic utilities extracted from streaming-client.ts
+ */
+/**
+ * Convert Uint8Array to base64 string
+ */
+export const toB64 = (u8) => {
+    // Handle large arrays by chunking to avoid "Maximum call stack size exceeded"
+    if (u8.length > 8192) {
+        let result = '';
+        for (let i = 0; i < u8.length; i += 8192) {
+            const chunk = u8.slice(i, i + 8192);
+            result += String.fromCharCode.apply(null, Array.from(chunk));
+        }
+        return btoa(result);
+    }
+    return btoa(String.fromCharCode.apply(null, Array.from(u8)));
+};
+/**
+ * Convert base64 string to Uint8Array
+ */
+export const fromB64 = (b64) => new Uint8Array(Array.from(atob(b64), c => c.charCodeAt(0)));
+/**
+ * Generate a UUID for identification (moved from streaming-client.ts)
+ */
+export const generateUuid = () => 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
+    const r = Math.random() * 16 | 0;
+    const v = c === 'x' ? r : (r & 0x3 | 0x8);
+    return v.toString(16);
+});
+/**
+ * Generate a P-384 keypair for both ECDSA and ECDH operations (moved from streaming-client.ts)
+ * Reuses the same key material for both operations (matching Rust behavior)
+ */
+export async function generateKeyPair() {
+    // Generate a single P-384 keypair
+    const ecdsaKeyPair = await crypto.subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-384' }, true, ['sign', 'verify']);
+    // Export the private key to reuse for ECDH
+    const pkcs8 = await crypto.subtle.exportKey('pkcs8', ecdsaKeyPair.privateKey);
+    // Import the same private key for ECDH operations
+    const ecdhPrivate = await crypto.subtle.importKey('pkcs8', pkcs8, { name: 'ECDH', namedCurve: 'P-384' }, false, ['deriveBits']);
+    return {
+        ecdhPrivate,
+        ecdsaPrivate: ecdsaKeyPair.privateKey,
+        ecdsaPublic: ecdsaKeyPair.publicKey
+    };
+}
+export function ecdsaRawToDer(raw) {
+    // raw is Uint8Array of length 96 for P-384: r(48) || s(48)
+    const n = raw.length / 2;
+    let r = new Uint8Array(raw.buffer.slice(0, n));
+    let s = new Uint8Array(raw.buffer.slice(n));
+    // Trim leading zeros
+    r = trimZeros(r);
+    s = trimZeros(s);
+    // Ensure positive (prepend 0x00 if high bit is set)
+    if (r[0] & 0x80) {
+        const padding = new Uint8Array([0x00]);
+        r = concatBytes(padding, r);
+    }
+    if (s[0] & 0x80) {
+        const padding = new Uint8Array([0x00]);
+        s = concatBytes(padding, s);
+    }
+    const rHeader = new Uint8Array([0x02, r.length]);
+    const rEnc = concatBytes(rHeader, r);
+    const sHeader = new Uint8Array([0x02, s.length]);
+    const sEnc = concatBytes(sHeader, s);
+    const seqLen = rEnc.length + sEnc.length;
+    const seqHeader = new Uint8Array([0x30, seqLen]);
+    const der = concatBytes(seqHeader, rEnc, sEnc);
+    return der;
+    function trimZeros(bytes) {
+        let i = 0;
+        while (i < bytes.length - 1 && bytes[i] === 0)
+            i++;
+        const trimmed = new Uint8Array(bytes.length - i);
+        for (let j = 0; j < trimmed.length; j++) {
+            trimmed[j] = bytes[i + j];
+        }
+        return trimmed;
+    }
+    function concatBytes(a, b, c) {
+        if (c) {
+            const total = a.length + b.length + c.length;
+            const out = new Uint8Array(total);
+            out.set(a, 0);
+            out.set(b, a.length);
+            out.set(c, a.length + b.length);
+            return out;
+        }
+        else {
+            const total = a.length + b.length;
+            const out = new Uint8Array(total);
+            out.set(a, 0);
+            out.set(b, a.length);
+            return out;
+        }
+    }
+}
+// Convert ASN.1 DER signature to WebCrypto raw format (r||s)
+export function ecdsaDerToRaw(der) {
+    // Parse DER: SEQUENCE { INTEGER r, INTEGER s }
+    if (der[0] !== 0x30) {
+        throw new Error('Invalid DER signature: not a SEQUENCE');
+    }
+    let offset = 2; // Skip SEQUENCE tag and length
+    // Parse r
+    if (der[offset] !== 0x02) {
+        throw new Error('Invalid DER signature: r not an INTEGER');
+    }
+    offset++;
+    const rLen = der[offset++];
+    let r = der.slice(offset, offset + rLen);
+    offset += rLen;
+    // Parse s
+    if (der[offset] !== 0x02) {
+        throw new Error('Invalid DER signature: s not an INTEGER');
+    }
+    offset++;
+    const sLen = der[offset++];
+    let s = der.slice(offset, offset + sLen);
+    // Remove leading zero padding if present
+    if (r[0] === 0x00 && r.length > 1)
+        r = r.slice(1);
+    if (s[0] === 0x00 && s.length > 1)
+        s = s.slice(1);
+    // Pad to 48 bytes for P-384
+    const targetLen = 48;
+    if (r.length < targetLen) {
+        const padded = new Uint8Array(targetLen);
+        padded.set(r, targetLen - r.length);
+        r = padded;
+    }
+    if (s.length < targetLen) {
+        const padded = new Uint8Array(targetLen);
+        padded.set(s, targetLen - s.length);
+        s = padded;
+    }
+    // Concatenate r || s
+    const raw = new Uint8Array(targetLen * 2);
+    raw.set(r, 0);
+    raw.set(s, targetLen);
+    return raw;
+}
+/**
+ * Serialize a WebCrypto ECDSA/ECDH public key to PEM (SPKI)
+ */
+export async function serializePublicKeyPem(publicKey) {
+    const spkiBytes = await crypto.subtle.exportKey('spki', publicKey);
+    const spkiArray = new Uint8Array(spkiBytes);
+    const b64 = toB64(spkiArray);
+    const lines = b64.match(/.{1,64}/g) || [];
+    const body = lines.join('\r\n');
+    return `-----BEGIN PUBLIC KEY-----\r\n${body}\r\n-----END PUBLIC KEY-----\r\n`;
+}
+/**
+ * Deserialize PEM (SPKI) public key string to Uint8Array bytes
+ */
+export function deserializePublicKeyPem(pem) {
+    const b64 = pem
+        .replace('-----BEGIN PUBLIC KEY-----', '')
+        .replace('-----END PUBLIC KEY-----', '')
+        .replace(/\s/g, '');
+    const binaryString = atob(b64);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    return bytes;
+}
+/**
+ * Derive a shared key using ECDH + HKDF (SHA-256) from local private key and server public key (SPKI)
+ * Matches the Rust implementation detail (using only X coordinate for HKDF input).
+ */
+export async function deriveSharedKey(localPrivateKey, serverPublicKeySpki) {
+    const serverPublicKey = await crypto.subtle.importKey('spki', serverPublicKeySpki.slice().buffer, { name: 'ECDH', namedCurve: 'P-384' }, false, []);
+    const sharedSecret = await crypto.subtle.deriveBits({ name: 'ECDH', public: serverPublicKey }, localPrivateKey, 384);
+    const sharedSecretBytes = new Uint8Array(sharedSecret);
+    // Use X coordinate only (48 bytes for P-384)
+    const xCoordinate = sharedSecretBytes.length === 48 ? sharedSecretBytes : sharedSecretBytes.slice(1, 49);
+    const hkdfKey = await crypto.subtle.importKey('raw', xCoordinate, 'HKDF', false, ['deriveBits']);
+    const derivedKey = await crypto.subtle.deriveBits({
+        name: 'HKDF',
+        hash: 'SHA-256',
+        salt: new Uint8Array(32), // 32 zero bytes for SHA-256
+        info: new TextEncoder().encode('handshake data'),
+    }, hkdfKey, 256);
+    return new Uint8Array(derivedKey);
+}
+/**
+ * Encrypt and sign a message using AES-GCM and ECDSA (moved from streaming-client.ts)
+ */
+export async function encryptAndSign(plaintext, sharedKey, signingKey, nonce) {
+    const plaintextBytes = new TextEncoder().encode(plaintext);
+    const iv = new Uint8Array(12);
+    crypto.getRandomValues(iv);
+    const aesKey = await crypto.subtle.importKey('raw', sharedKey.slice().buffer, { name: 'AES-GCM' }, false, ['encrypt']);
+    const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, aesKey, plaintextBytes);
+    const ciphertextArray = new Uint8Array(ciphertext);
+    const nonceBytes = new Uint8Array(8);
+    const view = new DataView(nonceBytes.buffer);
+    view.setBigUint64(0, BigInt(nonce), false);
+    const dataToSign = new Uint8Array(nonceBytes.length + iv.length + ciphertextArray.length);
+    dataToSign.set(nonceBytes, 0);
+    dataToSign.set(iv, nonceBytes.length);
+    dataToSign.set(ciphertextArray, nonceBytes.length + iv.length);
+    const rawSignature = new Uint8Array(await crypto.subtle.sign({ name: 'ECDSA', hash: 'SHA-256' }, signingKey, dataToSign));
+    // Convert to DER format if needed
+    let signature;
+    if (rawSignature[0] === 0x30) {
+        signature = rawSignature;
+    }
+    else {
+        signature = ecdsaRawToDer(rawSignature);
+    }
+    return {
+        nonce,
+        iv: toB64(iv),
+        ciphertext: toB64(ciphertextArray),
+        signature: toB64(signature)
+    };
+}
+/**
+ * Decrypt and verify a message using AES-GCM and ECDSA (moved from streaming-client.ts)
+ */
+export async function decryptAndVerify(payload, sharedKey, serverVerifyingKeySpki) {
+    const iv = new Uint8Array(Array.from(atob(payload.iv), c => c.charCodeAt(0)));
+    const ciphertext = new Uint8Array(Array.from(atob(payload.ciphertext), c => c.charCodeAt(0)));
+    const signatureBytes = new Uint8Array(Array.from(atob(payload.signature), c => c.charCodeAt(0)));
+    const nonceBytes = new Uint8Array(8);
+    const view = new DataView(nonceBytes.buffer);
+    view.setBigUint64(0, BigInt(payload.nonce), false);
+    const dataToVerify = new Uint8Array(nonceBytes.length + iv.length + ciphertext.length);
+    dataToVerify.set(nonceBytes, 0);
+    dataToVerify.set(iv, nonceBytes.length);
+    dataToVerify.set(ciphertext, nonceBytes.length + iv.length);
+    const serverVerifyingKey = await crypto.subtle.importKey('spki', serverVerifyingKeySpki.slice().buffer, { name: 'ECDSA', namedCurve: 'P-384' }, false, ['verify']);
+    // Convert DER signature to raw format for WebCrypto verification
+    let rawSignature;
+    if (signatureBytes[0] === 0x30) {
+        // DER format, convert to raw
+        rawSignature = ecdsaDerToRaw(signatureBytes);
+    }
+    else {
+        // Already raw format
+        rawSignature = signatureBytes;
+    }
+    const isValid = await crypto.subtle.verify({ name: 'ECDSA', hash: 'SHA-256' }, serverVerifyingKey, rawSignature, dataToVerify);
+    if (!isValid) {
+        throw new Error('Response signature verification failed');
+    }
+    const aesKey = await crypto.subtle.importKey('raw', sharedKey.slice().buffer, { name: 'AES-GCM' }, false, ['decrypt']);
+    const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, aesKey, ciphertext);
+    return new TextDecoder().decode(plaintext);
+}
+//# sourceMappingURL=crypto-utils.js.map

package/dist/src/encrypt/crypto-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-utils.js","sourceRoot":"","sources":["../../../src/encrypt/crypto-utils.ts"],"names":[],"mappings":"AAAA;;GAEG;AAQH;;GAEG;AACH,MAAM,CAAC,MAAM,KAAK,GAAG,CAAC,EAAc,EAAU,EAAE;IAC9C,8EAA8E;IAC9E,IAAI,EAAE,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QACrB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YACpC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,GAAW,EAAc,EAAE,CACjD,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,GAAW,EAAE,CACvC,sCAAsC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5D,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IACjC,MAAM,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC;IAC1C,OAAO,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AACxB,CAAC,CAAC,CAAC;AAEL;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,kCAAkC;IAClC,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAClD,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;IAEF,2CAA2C;IAC3C,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;IAE9E,kDAAkD;IAClD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC/C,OAAO,EACP,KAAK,EACL,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IAEF,OAAO;QACL,WAAW;QACX,YAAY,EAAE,YAAY,CAAC,UAAU;QACrC,WAAW,EAAE,YAAY,CAAC,SAAS;KACpC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAe;IAC3C,2DAA2D;IAC3D,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE5C,qBAAqB;IACrB,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAEjB,oDAAoD;IACpD,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACvC,CAAC,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACvC,CAAC,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAErC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IACzC,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC/C,OAAO,GAAG,CAAC;IAEX,SAAS,SAAS,CAAC,KAAiB;QAClC,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,CAAC,EAAE,CAAC;QACnD,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,SAAS,WAAW,CAAC,CAAa,EAAE,CAAa,EAAE,CAAc;QAC/D,IAAI,CAAC,EAAE,CAAC;YACN,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;YAC7C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;YAClC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACd,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;YACrB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;YAChC,OAAO,GAAG,CAAC;QACb,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;YAClC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;YAClC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACd,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;YACrB,OAAO,GAAG,CAAC;QACb,CAAC;IACH,CAAC;AACH,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,aAAa,CAAC,GAAe;IAC3C,+CAA+C;IAC/C,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,CAAC,CAAC,+BAA+B;IAE/C,UAAU;IACV,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,EAAE,CAAC;IACT,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3B,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,MAAM,IAAI,IAAI,CAAC;IAEf,UAAU;IACV,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,EAAE,CAAC;IACT,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3B,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC;IAEzC,yCAAyC;IACzC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAElD,4BAA4B;IAC5B,MAAM,SAAS,GAAG,EAAE,CAAC;IACrB,IAAI,CAAC,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC,GAAG,MAAM,CAAC;IACb,CAAC;IACD,IAAI,CAAC,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC,GAAG,MAAM,CAAC;IACb,CAAC;IAED,qBAAqB;IACrB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;IAC1C,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACd,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACtB,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,SAAoB;IAC9D,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACnE,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC;IAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,OAAO,iCAAiC,IAAI,kCAAkC,CAAC;AACjF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,MAAM,GAAG,GAAG,GAAG;SACZ,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC;SACzC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;SACvC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtB,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,eAA0B,EAC1B,mBAA+B;IAE/B,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACnD,MAAM,EACN,mBAAmB,CAAC,KAAK,EAAE,CAAC,MAAM,EAClC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,EAAE,CACH,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CACjD,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,EAAE,EACzC,eAAe,EACf,GAAG,CACJ,CAAC;IAEF,MAAM,iBAAiB,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,CAAC;IACvD,6CAA6C;IAC7C,MAAM,WAAW,GACf,iBAAiB,CAAC,MAAM,KAAK,EAAE,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEvF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;IAEjG,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC/C;QACE,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,IAAI,UAAU,CAAC,EAAE,CAAC,EAAE,4BAA4B;QACtD,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC;KACjD,EACD,OAAO,EACP,GAAG,CACJ,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;AACpC,CAAC;AAYD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,SAAqB,EACrB,UAAqB,EACrB,KAAa;IAEb,MAAM,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE3D,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IAE3B,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1C,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,SAAS,CAAC,CACzE,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,cAAc,CAChD,CAAC;IAEF,MAAM,eAAe,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IAEnD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,CAAC;IAE3C,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC1F,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IAC9B,UAAU,CAAC,GAAG,CAAC,EAAE,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,UAAU,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;IAE/D,MAAM,YAAY,GAAG,IAAI,UAAU,CACjC,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,UAAU,EAAE,UAAU,CAAC,CACrF,CAAC;IAEF,kCAAkC;IAClC,IAAI,SAAS,CAAC;IACd,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC7B,SAAS,GAAG,YAAY,CAAC;IAC3B,CAAC;SAAM,CAAC;QACN,SAAS,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO;QACL,KAAK;QACL,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC;QACb,UAAU,EAAE,KAAK,CAAC,eAAe,CAAC;QAClC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC;KAC5B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAyB,EACzB,SAAqB,EACrB,sBAAkC;IAElC,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9E,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9F,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjG,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,CAAC;IAEnD,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACvF,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IAChC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IACxC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;IAE5D,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACtD,MAAM,EAAE,sBAAsB,CAAC,KAAK,EAAE,CAAC,MAAM,EAC7C,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,CAC1D,CAAC;IAEF,iEAAiE;IACjE,IAAI,YAAY,CAAC;IACjB,IAAI,cAAc,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/B,6BAA6B;QAC7B,YAAY,GAAG,aAAa,CAAC,cAAc,CAAC,CAAC;IAC/C,CAAC;SAAM,CAAC;QACN,qBAAqB;QACrB,YAAY,GAAG,cAAc,CAAC;IAChC,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACxC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY,CACnF,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1C,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,SAAS,CAAC,CACzE,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,CAC5C,CAAC;IAEF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC"}

package/dist/src/encrypt/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Barrel exports for the encryption module, now split across logical files:
+ * - types.ts: shared interfaces
+ * - config.ts: configuration and model detection
+ * - sessions.ts: session lifecycle management
+ * - client.ts: streaming/send functionality
+ */
+export type { EncryptedMessage, SecureSession } from './types.js';
+export { ENCRYPTED_MODELS, ENCRYPTION_CONFIG, isEncryptedModel } from './config.js';
+export { initializeSecureSession, initializeSessionCleanup, } from './sessions.js';
+export { sendMessageStream, } from './client.js';
+export { initializeSecureSession as initializeSession } from './sessions.js';

package/dist/src/encrypt/index.js

@@ -0,0 +1,13 @@
+/**
+ * Barrel exports for the encryption module, now split across logical files:
+ * - types.ts: shared interfaces
+ * - config.ts: configuration and model detection
+ * - sessions.ts: session lifecycle management
+ * - client.ts: streaming/send functionality
+ */
+export { ENCRYPTED_MODELS, ENCRYPTION_CONFIG, isEncryptedModel } from './config.js';
+export { initializeSecureSession, initializeSessionCleanup, } from './sessions.js';
+export { sendMessageStream, } from './client.js';
+// Backward-compatible alias
+export { initializeSecureSession as initializeSession } from './sessions.js';
+//# sourceMappingURL=index.js.map

package/dist/src/encrypt/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/encrypt/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpF,OAAO,EACL,uBAAuB,EACvB,wBAAwB,GACzB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,iBAAiB,GAClB,MAAM,aAAa,CAAC;AAErB,4BAA4B;AAC5B,OAAO,EAAE,uBAAuB,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC"}

package/dist/src/encrypt/retry-utils.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Calculate exponential backoff delay
+ */
+export declare const calculateBackoffDelay: (attemptNumber: number, initialDelay?: number, maxDelay?: number, multiplier?: number) => number;
+/**
+ * Check if an HTTP status code should trigger a retry
+ */
+export declare const isRetryableStatusCode: (statusCode: number) => boolean;
+/**
+ * Check if an error is retryable
+ */
+export declare const isRetryableError: (error: unknown) => boolean;
+/**
+ * Retry a function with exponential backoff
+ */
+export declare function retryWithBackoff<T>(fn: () => Promise<T>, options: {
+    maxRetries: number;
+    onRetry?: (attempt: number, error: unknown, delay: number) => void;
+    shouldRetry?: (error: unknown) => boolean;
+}): Promise<T>;

package/dist/src/encrypt/retry-utils.js

@@ -0,0 +1,60 @@
+import { RETRY_INITIAL_DELAY, RETRY_MAX_DELAY, RETRY_BACKOFF_MULTIPLIER, RETRYABLE_STATUS_CODES, } from './config.js';
+/**
+ * Sleep for a specified duration
+ */
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+/**
+ * Calculate exponential backoff delay
+ */
+export const calculateBackoffDelay = (attemptNumber, initialDelay = RETRY_INITIAL_DELAY, maxDelay = RETRY_MAX_DELAY, multiplier = RETRY_BACKOFF_MULTIPLIER) => {
+    const delay = initialDelay * Math.pow(multiplier, attemptNumber);
+    return Math.min(delay, maxDelay);
+};
+/**
+ * Check if an HTTP status code should trigger a retry
+ */
+export const isRetryableStatusCode = (statusCode) => RETRYABLE_STATUS_CODES.includes(statusCode);
+/**
+ * Check if an error is retryable
+ */
+export const isRetryableError = (error) => {
+    if (error instanceof Error) {
+        const message = error.message.toLowerCase();
+        // Retry on network errors, timeouts, and server errors
+        return (message.includes('network') ||
+            message.includes('timeout') ||
+            message.includes('econnreset') ||
+            message.includes('econnrefused') ||
+            message.includes('etimedout') ||
+            message.includes('streaming request failed: 5') // 5xx errors
+        );
+    }
+    return false;
+};
+/**
+ * Retry a function with exponential backoff
+ */
+export async function retryWithBackoff(fn, options) {
+    const { maxRetries, onRetry, shouldRetry = isRetryableError } = options;
+    let lastError;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        try {
+            return await fn();
+        }
+        catch (error) {
+            lastError = error;
+            // Don't retry if this is the last attempt or error is not retryable
+            if (attempt === maxRetries || !shouldRetry(error)) {
+                throw error;
+            }
+            // Calculate delay and notify
+            const delay = calculateBackoffDelay(attempt);
+            onRetry?.(attempt + 1, error, delay);
+            // Wait before retrying
+            await sleep(delay);
+        }
+    }
+    // This should never be reached, but TypeScript needs it
+    throw lastError;
+}
+//# sourceMappingURL=retry-utils.js.map

package/dist/src/encrypt/retry-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"retry-utils.js","sourceRoot":"","sources":["../../../src/encrypt/retry-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,eAAe,EACf,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,aAAa,CAAC;AAErB;;GAEG;AACH,MAAM,KAAK,GAAG,CAAC,EAAU,EAAiB,EAAE,CAC1C,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAEpD;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACnC,aAAqB,EACrB,eAAuB,mBAAmB,EAC1C,WAAmB,eAAe,EAClC,aAAqB,wBAAwB,EACrC,EAAE;IACV,MAAM,KAAK,GAAG,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IACjE,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;AACnC,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,UAAkB,EAAW,EAAE,CACnE,sBAAsB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AAE9C;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,KAAc,EAAW,EAAE;IAC1D,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QAC5C,uDAAuD;QACvD,OAAO,CACL,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC3B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;YAC9B,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC7B,OAAO,CAAC,QAAQ,CAAC,6BAA6B,CAAC,CAAC,aAAa;SAC9D,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,EAAoB,EACpB,OAIC;IAED,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,GAAG,gBAAgB,EAAE,GAAG,OAAO,CAAC;IAExE,IAAI,SAAkB,CAAC;IAEvB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;QACvD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,SAAS,GAAG,KAAK,CAAC;YAElB,oEAAoE;YACpE,IAAI,OAAO,KAAK,UAAU,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClD,MAAM,KAAK,CAAC;YACd,CAAC;YAED,6BAA6B;YAC7B,MAAM,KAAK,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;YAC7C,OAAO,EAAE,CAAC,OAAO,GAAG,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;YAErC,uBAAuB;YACvB,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,MAAM,SAAS,CAAC;AAClB,CAAC"}

package/dist/src/encrypt/sessions.d.ts

@@ -0,0 +1,17 @@
+import type { SecureSession } from './types.js';
+/**
+ * Hydrates a session from sessionStorage by reconstructing crypto keys
+ * so that attestation is NOT required again for the same chatId.
+ */
+export declare const getHydratedSessionByChatId: (chatId: string) => Promise<SecureSession | undefined>;
+/**
+ * Initializes a secure session for encrypted communication.
+ * Sessions are stored in sessionStorage and keyed by chatId to ensure one session per chat per tab.
+ * Attestation happens only once per chatId - subsequent calls reuse existing crypto keys.
+ */
+export declare const initializeSecureSession: (chatId: string, systemPrompt?: string) => Promise<SecureSession>;
+/**
+ * Initializes session cleanup on page load and sets up cleanup on page unload
+ * Call this once when the app starts to ensure proper session lifecycle management
+ */
+export declare const initializeSessionCleanup: () => void;