@capsara/sdk 1.0.1

package/dist/internal/capsa-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capsa-cache.d.ts","sourceRoot":"","sources":["../../src/internal/capsa-cache.ts"],"names":[],"mappings":"AAGA,uDAAuD;AACvD,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,4DAA4D;AAC5D,MAAM,WAAW,WAAW;IAC1B,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,sDAAsD;IACtD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAOD;;;GAGG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,KAAK,CAAuC;IACpD,OAAO,CAAC,MAAM,CAA6B;gBAE/B,MAAM,CAAC,EAAE,gBAAgB;IAIrC,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,kBAAkB,CAAC,GAAG,IAAI;IA0BpG,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI;IAexC,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAK5C,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,kBAAkB,GAAG,IAAI;IAK3E,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAI7B,+CAA+C;IAC/C,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAQ5B,mDAAmD;IACnD,QAAQ,IAAI,IAAI;IAKhB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAQrC,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,KAAK,IAAI,IAAI;IAYb,OAAO,CAAC,WAAW;CAmBpB;AAED,wBAAgB,gBAAgB,CAAC,MAAM,CAAC,EAAE,gBAAgB,GAAG,mBAAmB,CAE/E"}

package/dist/internal/capsa-cache.js

@@ -0,0 +1,118 @@
+// In-memory cache for decrypted capsa master keys and file metadata.
+// Security: master keys stored in memory only, cleared on logout, TTL-based expiry.
+const DEFAULT_CONFIG = {
+    ttl: 5 * 60 * 1000, // 5 minutes
+    maxSize: 100,
+};
+/**
+ * Caches master keys after getCapsa() to avoid redundant RSA-4096 decryption
+ * on each file download.
+ */
+export class DecryptedCapsaCache {
+    cache = new Map();
+    config;
+    constructor(config) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    set(capsaId, masterKey, files) {
+        if (this.cache.size >= this.config.maxSize) {
+            this.evictOldest();
+        }
+        const now = Date.now();
+        const fileMap = new Map();
+        for (const file of files) {
+            fileMap.set(file.fileId, {
+                iv: file.iv,
+                authTag: file.authTag,
+                compressed: file.compressed,
+                encryptedFilename: file.encryptedFilename,
+                filenameIV: file.filenameIV,
+                filenameAuthTag: file.filenameAuthTag,
+            });
+        }
+        this.cache.set(capsaId, {
+            masterKey,
+            files: fileMap,
+            cachedAt: now,
+            expiresAt: now + this.config.ttl,
+        });
+    }
+    get(capsaId) {
+        const entry = this.cache.get(capsaId);
+        if (!entry) {
+            return null;
+        }
+        if (Date.now() > entry.expiresAt) {
+            entry.masterKey.fill(0);
+            this.cache.delete(capsaId);
+            return null;
+        }
+        return entry;
+    }
+    getMasterKey(capsaId) {
+        const entry = this.get(capsaId);
+        return entry?.masterKey ?? null;
+    }
+    getFileMetadata(capsaId, fileId) {
+        const entry = this.get(capsaId);
+        return entry?.files.get(fileId) ?? null;
+    }
+    has(capsaId) {
+        return this.get(capsaId) !== null;
+    }
+    /** Zeroes master key and removes the entry. */
+    clear(capsaId) {
+        const entry = this.cache.get(capsaId);
+        if (entry) {
+            entry.masterKey.fill(0);
+            this.cache.delete(capsaId);
+        }
+    }
+    /** Zeroes all master keys and clears the cache. */
+    clearAll() {
+        this.cache.forEach(entry => entry.masterKey.fill(0));
+        this.cache.clear();
+    }
+    clearMasterKey(capsaId) {
+        const entry = this.cache.get(capsaId);
+        if (entry) {
+            entry.masterKey.fill(0);
+            this.cache.delete(capsaId);
+        }
+    }
+    get size() {
+        return this.cache.size;
+    }
+    prune() {
+        const now = Date.now();
+        const toDelete = [];
+        this.cache.forEach((entry, capsaId) => {
+            if (now > entry.expiresAt) {
+                entry.masterKey.fill(0);
+                toDelete.push(capsaId);
+            }
+        });
+        toDelete.forEach(id => this.cache.delete(id));
+    }
+    evictOldest() {
+        let oldestKey = null;
+        let oldestTime = Infinity;
+        this.cache.forEach((entry, key) => {
+            if (entry.cachedAt < oldestTime) {
+                oldestTime = entry.cachedAt;
+                oldestKey = key;
+            }
+        });
+        if (oldestKey) {
+            const entry = this.cache.get(oldestKey);
+            if (entry) {
+                entry.masterKey.fill(0);
+            }
+            this.cache.delete(oldestKey);
+        }
+    }
+}
+export function createCapsaCache(config) {
+    return new DecryptedCapsaCache(config);
+}
+//# sourceMappingURL=capsa-cache.js.map

package/dist/internal/capsa-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capsa-cache.js","sourceRoot":"","sources":["../../src/internal/capsa-cache.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,oFAAoF;AA4BpF,MAAM,cAAc,GAA+B;IACjD,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI,EAAG,YAAY;IACjC,OAAO,EAAE,GAAG;CACb,CAAC;AAEF;;;GAGG;AACH,MAAM,OAAO,mBAAmB;IACtB,KAAK,GAA6B,IAAI,GAAG,EAAE,CAAC;IAC5C,MAAM,CAA6B;IAE3C,YAAY,MAAyB;QACnC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAE,CAAC;IACjD,CAAC;IAED,GAAG,CAAC,OAAe,EAAE,SAAiB,EAAE,KAAqD;QAC3F,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC3C,IAAI,CAAC,WAAW,EAAE,CAAC;QACrB,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8B,CAAC;QACtD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE;gBACvB,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;gBACzC,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,eAAe,EAAE,IAAI,CAAC,eAAe;aACtC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE;YACtB,SAAS;YACT,KAAK,EAAE,OAAO;YACd,QAAQ,EAAE,GAAG;YACb,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG;SACjC,CAAC,CAAC;IACL,CAAC;IAED,GAAG,CAAC,OAAe;QACjB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACxB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,YAAY,CAAC,OAAe;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChC,OAAO,KAAK,EAAE,SAAS,IAAI,IAAI,CAAC;IAClC,CAAC;IAED,eAAe,CAAC,OAAe,EAAE,MAAc;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChC,OAAO,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED,GAAG,CAAC,OAAe;QACjB,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC;IACpC,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,OAAe;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACxB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,mDAAmD;IACnD,QAAQ;QACN,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED,cAAc,CAAC,OAAe;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACxB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED,KAAK;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;YACpC,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC1B,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACxB,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC,CAAC,CAAC;QACH,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAChD,CAAC;IAEO,WAAW;QACjB,IAAI,SAAS,GAAkB,IAAI,CAAC;QACpC,IAAI,UAAU,GAAG,QAAQ,CAAC;QAE1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAChC,IAAI,KAAK,CAAC,QAAQ,GAAG,UAAU,EAAE,CAAC;gBAChC,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC;gBAC5B,SAAS,GAAG,GAAG,CAAC;YAClB,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxC,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC1B,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAyB;IACxD,OAAO,IAAI,mBAAmB,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC"}

package/dist/internal/config/http-client.d.ts

@@ -0,0 +1,37 @@
+import * as http from 'http';
+import * as https from 'https';
+import type { AxiosRequestConfig, AxiosInstance } from 'axios';
+import { type RetryConfig } from './retry-interceptor.js';
+export interface HttpTimeoutConfig {
+    /** Timeout for standard API requests (ms) */
+    apiTimeout: number;
+    /** Timeout for multipart envelope uploads (ms) */
+    uploadTimeout: number;
+    /** Timeout for file downloads (ms) */
+    downloadTimeout: number;
+    /** Socket connection timeout (ms) */
+    connectTimeout: number;
+    /** Keep-alive probe interval (ms) */
+    keepAliveInterval: number;
+    /** Maximum concurrent sockets per host */
+    maxSockets: number;
+    /** Maximum idle sockets to keep alive */
+    maxFreeSockets: number;
+}
+export declare const DEFAULT_TIMEOUT_CONFIG: HttpTimeoutConfig;
+export declare function createHttpAgent(config?: HttpTimeoutConfig): http.Agent;
+export declare function createHttpsAgent(config?: HttpTimeoutConfig): https.Agent;
+export interface AxiosConfigOptions {
+    /** API base URL */
+    baseURL: string;
+    /** Request timeout in milliseconds */
+    timeout?: number;
+    /** Timeout configuration for agents */
+    timeoutConfig?: HttpTimeoutConfig;
+    /** Custom user agent string to append to default SDK user agent */
+    userAgent?: string;
+}
+export declare function createAxiosConfig(baseURL: string, timeout?: number, config?: HttpTimeoutConfig, userAgent?: string): AxiosRequestConfig;
+export declare function configureRetryInterceptor(axiosInstance: AxiosInstance, retryConfig?: RetryConfig): void;
+export declare function createAgentForProtocol(protocol: string, timeout: number, config?: HttpTimeoutConfig): http.Agent | https.Agent;
+//# sourceMappingURL=http-client.d.ts.map

package/dist/internal/config/http-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-client.d.ts","sourceRoot":"","sources":["../../../src/internal/config/http-client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAC/D,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAG/E,MAAM,WAAW,iBAAiB;IAChC,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,eAAe,EAAE,MAAM,CAAC;IACxB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,cAAc,EAAE,MAAM,CAAC;CACxB;AAKD,eAAO,MAAM,sBAAsB,EAAE,iBAQpC,CAAC;AAEF,wBAAgB,eAAe,CAAC,MAAM,GAAE,iBAA0C,GAAG,IAAI,CAAC,KAAK,CAQ9F;AAED,wBAAgB,gBAAgB,CAAC,MAAM,GAAE,iBAA0C,GAAG,KAAK,CAAC,KAAK,CAQhG;AAED,MAAM,WAAW,kBAAkB;IACjC,mBAAmB;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,aAAa,CAAC,EAAE,iBAAiB,CAAC;IAClC,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,EACf,OAAO,GAAE,MAA0C,EACnD,MAAM,GAAE,iBAA0C,EAClD,SAAS,CAAC,EAAE,MAAM,GACjB,kBAAkB,CAWpB;AAED,wBAAgB,yBAAyB,CACvC,aAAa,EAAE,aAAa,EAC5B,WAAW,CAAC,EAAE,WAAW,GACxB,IAAI,CAEN;AAED,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,MAAM,GAAE,iBAA0C,GACjD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAY1B"}

package/dist/internal/config/http-client.js

@@ -0,0 +1,63 @@
+// HTTP client configuration with timeout and keep-alive settings.
+import * as http from 'http';
+import * as https from 'https';
+import { addRetryInterceptor } from './retry-interceptor.js';
+import { SDK_VERSION, buildUserAgent } from '../version.js';
+// SDK timeouts must exceed server timeouts to avoid ECONNRESET errors.
+// If SDK timeout < server timeout, client kills the connection before the server responds.
+// vault.api server timeout: 10 min request, 11 min keepAlive, 30s MongoDB/circuit breaker.
+export const DEFAULT_TIMEOUT_CONFIG = {
+    apiTimeout: 12 * 60 * 1000, // 12 minutes (exceeds server 10 min timeout)
+    uploadTimeout: 15 * 60 * 1000, // 15 minutes for multipart uploads (extra margin for large payloads)
+    downloadTimeout: 60 * 1000, // 1 minute for file downloads (Azure Blob Storage should be fast)
+    connectTimeout: 30 * 1000, // 30 seconds for socket connection
+    keepAliveInterval: 30 * 1000, // 30 seconds keep-alive probe interval
+    maxSockets: 50, // Max 50 concurrent sockets per host
+    maxFreeSockets: 10, // Keep 10 idle sockets alive
+};
+export function createHttpAgent(config = DEFAULT_TIMEOUT_CONFIG) {
+    return new http.Agent({
+        keepAlive: true,
+        keepAliveMsecs: config.keepAliveInterval,
+        timeout: config.apiTimeout,
+        maxSockets: config.maxSockets,
+        maxFreeSockets: config.maxFreeSockets,
+    });
+}
+export function createHttpsAgent(config = DEFAULT_TIMEOUT_CONFIG) {
+    return new https.Agent({
+        keepAlive: true,
+        keepAliveMsecs: config.keepAliveInterval,
+        timeout: config.apiTimeout,
+        maxSockets: config.maxSockets,
+        maxFreeSockets: config.maxFreeSockets,
+    });
+}
+export function createAxiosConfig(baseURL, timeout = DEFAULT_TIMEOUT_CONFIG.apiTimeout, config = DEFAULT_TIMEOUT_CONFIG, userAgent) {
+    return {
+        baseURL,
+        timeout,
+        httpAgent: createHttpAgent(config),
+        httpsAgent: createHttpsAgent(config),
+        headers: {
+            'User-Agent': buildUserAgent(userAgent),
+            'X-SDK-Version': SDK_VERSION,
+        },
+    };
+}
+export function configureRetryInterceptor(axiosInstance, retryConfig) {
+    addRetryInterceptor(axiosInstance, retryConfig);
+}
+export function createAgentForProtocol(protocol, timeout, config = DEFAULT_TIMEOUT_CONFIG) {
+    const agentConfig = {
+        keepAlive: true,
+        keepAliveMsecs: config.keepAliveInterval,
+        timeout,
+        maxSockets: config.maxSockets,
+        maxFreeSockets: config.maxFreeSockets,
+    };
+    return protocol === 'https:'
+        ? new https.Agent(agentConfig)
+        : new http.Agent(agentConfig);
+}
+//# sourceMappingURL=http-client.js.map

package/dist/internal/config/http-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-client.js","sourceRoot":"","sources":["../../../src/internal/config/http-client.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAElE,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAE/B,OAAO,EAAE,mBAAmB,EAAoB,MAAM,wBAAwB,CAAC;AAC/E,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAmB5D,uEAAuE;AACvE,2FAA2F;AAC3F,2FAA2F;AAC3F,MAAM,CAAC,MAAM,sBAAsB,GAAsB;IACvD,UAAU,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAS,6CAA6C;IAChF,aAAa,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAM,qEAAqE;IACxG,eAAe,EAAE,EAAE,GAAG,IAAI,EAAS,kEAAkE;IACrG,cAAc,EAAE,EAAE,GAAG,IAAI,EAAU,mCAAmC;IACtE,iBAAiB,EAAE,EAAE,GAAG,IAAI,EAAO,uCAAuC;IAC1E,UAAU,EAAE,EAAE,EAAqB,qCAAqC;IACxE,cAAc,EAAE,EAAE,EAAiB,6BAA6B;CACjE,CAAC;AAEF,MAAM,UAAU,eAAe,CAAC,SAA4B,sBAAsB;IAChF,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC;QACpB,SAAS,EAAE,IAAI;QACf,cAAc,EAAE,MAAM,CAAC,iBAAiB;QACxC,OAAO,EAAE,MAAM,CAAC,UAAU;QAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,cAAc,EAAE,MAAM,CAAC,cAAc;KACtC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,SAA4B,sBAAsB;IACjF,OAAO,IAAI,KAAK,CAAC,KAAK,CAAC;QACrB,SAAS,EAAE,IAAI;QACf,cAAc,EAAE,MAAM,CAAC,iBAAiB;QACxC,OAAO,EAAE,MAAM,CAAC,UAAU;QAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,cAAc,EAAE,MAAM,CAAC,cAAc;KACtC,CAAC,CAAC;AACL,CAAC;AAaD,MAAM,UAAU,iBAAiB,CAC/B,OAAe,EACf,UAAkB,sBAAsB,CAAC,UAAU,EACnD,SAA4B,sBAAsB,EAClD,SAAkB;IAElB,OAAO;QACL,OAAO;QACP,OAAO;QACP,SAAS,EAAE,eAAe,CAAC,MAAM,CAAC;QAClC,UAAU,EAAE,gBAAgB,CAAC,MAAM,CAAC;QACpC,OAAO,EAAE;YACP,YAAY,EAAE,cAAc,CAAC,SAAS,CAAC;YACvC,eAAe,EAAE,WAAW;SAC7B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,aAA4B,EAC5B,WAAyB;IAEzB,mBAAmB,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,OAAe,EACf,SAA4B,sBAAsB;IAElD,MAAM,WAAW,GAAG;QAClB,SAAS,EAAE,IAAI;QACf,cAAc,EAAE,MAAM,CAAC,iBAAiB;QACxC,OAAO;QACP,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,cAAc,EAAE,MAAM,CAAC,cAAc;KACtC,CAAC;IAEF,OAAO,QAAQ,KAAK,QAAQ;QAC1B,CAAC,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC;QAC9B,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;AAClC,CAAC"}

package/dist/internal/config/retry-interceptor.d.ts

@@ -0,0 +1,18 @@
+import type { AxiosInstance } from 'axios';
+export interface RetryLogger {
+    log: (message: string) => void;
+}
+export interface RetryConfig {
+    /** Maximum number of retry attempts (default: 3) */
+    maxRetries?: number;
+    /** Base delay for exponential backoff in ms (default: 1000) */
+    baseDelay?: number;
+    /** Maximum delay between retries in ms (default: 30000 = 30 seconds) */
+    maxDelay?: number;
+    /** Enable debug logging for retries (default: false) */
+    enableLogging?: boolean;
+    /** Custom logger (defaults to console) */
+    logger?: RetryLogger;
+}
+export declare function addRetryInterceptor(axiosInstance: AxiosInstance, config?: RetryConfig): void;
+//# sourceMappingURL=retry-interceptor.d.ts.map

package/dist/internal/config/retry-interceptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"retry-interceptor.d.ts","sourceRoot":"","sources":["../../../src/internal/config/retry-interceptor.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAc,aAAa,EAA8B,MAAM,OAAO,CAAC;AAEnF,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CAChC;AAED,MAAM,WAAW,WAAW;IAC1B,oDAAoD;IACpD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wDAAwD;IACxD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AA4FD,wBAAgB,mBAAmB,CACjC,aAAa,EAAE,aAAa,EAC5B,MAAM,GAAE,WAAgB,GACvB,IAAI,CAsDN"}

package/dist/internal/config/retry-interceptor.js

@@ -0,0 +1,103 @@
+// Axios retry interceptor for 503 and 429 errors with exponential backoff.
+const defaultLogger = {
+    // eslint-disable-next-line no-console
+    log: (message) => console.log(message),
+};
+const DEFAULT_RETRY_CONFIG = {
+    maxRetries: 3,
+    baseDelay: 1000, // 1 second base delay
+    maxDelay: 30000, // 30 seconds max delay
+    enableLogging: false,
+    logger: defaultLogger,
+};
+/** Parses Retry-After header as seconds or HTTP date, returns delay in ms. */
+function parseRetryAfterHeader(retryAfter) {
+    if (!retryAfter)
+        return null;
+    const seconds = parseInt(retryAfter, 10);
+    if (!isNaN(seconds)) {
+        return seconds * 1000;
+    }
+    // Try parsing as HTTP date
+    const date = new Date(retryAfter);
+    if (!isNaN(date.getTime())) {
+        const delay = date.getTime() - Date.now();
+        return delay > 0 ? delay : 0;
+    }
+    return null;
+}
+function calculateExponentialBackoff(retryCount, baseDelay, maxDelay) {
+    // baseDelay * 2^retryCount with +30% jitter
+    const exponentialDelay = baseDelay * Math.pow(2, retryCount);
+    const jitter = Math.random() * 0.3 * exponentialDelay;
+    const delay = Math.min(exponentialDelay + jitter, maxDelay);
+    return Math.floor(delay);
+}
+function hasRetryAfter(data) {
+    return (typeof data === 'object' &&
+        data !== null &&
+        'error' in data &&
+        typeof data.error === 'object' &&
+        data.error !== null &&
+        'retryAfter' in data.error);
+}
+/** Extracts retry delay from response body (error.retryAfter) or Retry-After header. */
+function getServerSuggestedDelay(error) {
+    const responseData = error.response?.data;
+    if (hasRetryAfter(responseData)) {
+        const retryAfter = responseData.error?.retryAfter;
+        if (typeof retryAfter === 'number') {
+            return retryAfter * 1000;
+        }
+    }
+    const headers = error.response?.headers;
+    const retryAfterHeader = headers?.['retry-after'];
+    if (retryAfterHeader && typeof retryAfterHeader === 'string') {
+        return parseRetryAfterHeader(retryAfterHeader);
+    }
+    return null;
+}
+function isRetryableError(error) {
+    if (!error.response)
+        return false;
+    const status = error.response.status;
+    return status === 503 || status === 429;
+}
+function sleep(ms) {
+    return new Promise(resolve => globalThis.setTimeout(resolve, ms));
+}
+export function addRetryInterceptor(axiosInstance, config = {}) {
+    const retryConfig = { ...DEFAULT_RETRY_CONFIG, ...config };
+    axiosInstance.interceptors.response.use((response) => response, async (error) => {
+        const requestConfig = error.config;
+        if (!requestConfig) {
+            return Promise.reject(error);
+        }
+        if (requestConfig.__retryCount === undefined) {
+            requestConfig.__retryCount = 0;
+        }
+        if (!isRetryableError(error) || requestConfig.__retryCount >= retryConfig.maxRetries) {
+            return Promise.reject(error);
+        }
+        requestConfig.__retryCount++;
+        let retryDelay;
+        const serverDelay = getServerSuggestedDelay(error);
+        if (serverDelay !== null) {
+            retryDelay = Math.min(serverDelay, retryConfig.maxDelay);
+            if (retryConfig.enableLogging) {
+                retryConfig.logger.log(`[Capsara SDK] Retry attempt ${requestConfig.__retryCount}/${retryConfig.maxRetries} ` +
+                    `for ${error.response?.status} error - waiting ${retryDelay}ms (server suggested)`);
+            }
+        }
+        else {
+            retryDelay = calculateExponentialBackoff(requestConfig.__retryCount - 1, retryConfig.baseDelay, retryConfig.maxDelay);
+            if (retryConfig.enableLogging) {
+                retryConfig.logger.log(`[Capsara SDK] Retry attempt ${requestConfig.__retryCount}/${retryConfig.maxRetries} ` +
+                    `for ${error.response?.status} error - waiting ${retryDelay}ms (exponential backoff)`);
+            }
+        }
+        await sleep(retryDelay);
+        return axiosInstance.request(requestConfig);
+    });
+}
+//# sourceMappingURL=retry-interceptor.js.map

package/dist/internal/config/retry-interceptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"retry-interceptor.js","sourceRoot":"","sources":["../../../src/internal/config/retry-interceptor.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAqB3E,MAAM,aAAa,GAAgB;IACjC,sCAAsC;IACtC,GAAG,EAAE,CAAC,OAAe,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;CAC/C,CAAC;AAEF,MAAM,oBAAoB,GAA0B;IAClD,UAAU,EAAE,CAAC;IACb,SAAS,EAAE,IAAI,EAAM,sBAAsB;IAC3C,QAAQ,EAAE,KAAK,EAAM,uBAAuB;IAC5C,aAAa,EAAE,KAAK;IACpB,MAAM,EAAE,aAAa;CACtB,CAAC;AAMF,8EAA8E;AAC9E,SAAS,qBAAqB,CAAC,UAA8B;IAC3D,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAE7B,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACpB,OAAO,OAAO,GAAG,IAAI,CAAC;IACxB,CAAC;IAED,2BAA2B;IAC3B,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1C,OAAO,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,2BAA2B,CAAC,UAAkB,EAAE,SAAiB,EAAE,QAAgB;IAC1F,4CAA4C;IAC5C,MAAM,gBAAgB,GAAG,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,GAAG,gBAAgB,CAAC;IACtD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,gBAAgB,GAAG,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5D,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAQD,SAAS,aAAa,CAAC,IAAa;IAClC,OAAO,CACL,OAAO,IAAI,KAAK,QAAQ;QACxB,IAAI,KAAK,IAAI;QACb,OAAO,IAAI,IAAI;QACf,OAAQ,IAA0B,CAAC,KAAK,KAAK,QAAQ;QACpD,IAA0B,CAAC,KAAK,KAAK,IAAI;QAC1C,YAAY,IAAM,IAA0B,CAAC,KAAgB,CAC9D,CAAC;AACJ,CAAC;AAED,wFAAwF;AACxF,SAAS,uBAAuB,CAAC,KAAiB;IAChD,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC;IAC1C,IAAI,aAAa,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,EAAE,UAAU,CAAC;QAClD,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,UAAU,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,EAAE,OAA6C,CAAC;IAC9E,MAAM,gBAAgB,GAAG,OAAO,EAAE,CAAC,aAAa,CAAC,CAAC;IAClD,IAAI,gBAAgB,IAAI,OAAO,gBAAgB,KAAK,QAAQ,EAAE,CAAC;QAC7D,OAAO,qBAAqB,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAiB;IACzC,IAAI,CAAC,KAAK,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAClC,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;IACrC,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,CAAC;AAC1C,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,aAA4B,EAC5B,SAAsB,EAAE;IAExB,MAAM,WAAW,GAAG,EAAE,GAAG,oBAAoB,EAAE,GAAG,MAAM,EAAE,CAAC;IAE3D,aAAa,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CACrC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,EAEtB,KAAK,EAAE,KAAiB,EAAE,EAAE;QAC1B,MAAM,aAAa,GAAG,KAAK,CAAC,MAA0C,CAAC;QAEvE,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,IAAI,aAAa,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YAC7C,aAAa,CAAC,YAAY,GAAG,CAAC,CAAC;QACjC,CAAC;QAED,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,IAAI,aAAa,CAAC,YAAY,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;YACrF,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,aAAa,CAAC,YAAY,EAAE,CAAC;QAE7B,IAAI,UAAkB,CAAC;QACvB,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;QAEnD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;YAEzD,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;gBAC9B,WAAW,CAAC,MAAM,CAAC,GAAG,CACpB,+BAA+B,aAAa,CAAC,YAAY,IAAI,WAAW,CAAC,UAAU,GAAG;oBACtF,OAAO,KAAK,CAAC,QAAQ,EAAE,MAAM,oBAAoB,UAAU,uBAAuB,CACnF,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,2BAA2B,CACtC,aAAa,CAAC,YAAY,GAAG,CAAC,EAC9B,WAAW,CAAC,SAAS,EACrB,WAAW,CAAC,QAAQ,CACrB,CAAC;YAEF,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;gBAC9B,WAAW,CAAC,MAAM,CAAC,GAAG,CACpB,+BAA+B,aAAa,CAAC,YAAY,IAAI,WAAW,CAAC,UAAU,GAAG;oBACtF,OAAO,KAAK,CAAC,QAAQ,EAAE,MAAM,oBAAoB,UAAU,0BAA0B,CACtF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;QACxB,OAAO,aAAa,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC9C,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/internal/crypto/compression.d.ts

@@ -0,0 +1,15 @@
+/** Gzip compression/decompression applied before encryption. */
+export interface CompressionResult {
+    compressedData: Buffer;
+    originalSize: number;
+    compressedSize: number;
+}
+/** Compress data using gzip. */
+export declare function compressData(data: Buffer): Promise<CompressionResult>;
+/** @throws Error if decompression fails */
+export declare function decompressData(data: Buffer): Promise<Buffer>;
+/**
+ * Files smaller than 150 bytes don't benefit from compression (gzip header overhead breakeven).
+ */
+export declare function shouldCompress(size: number): boolean;
+//# sourceMappingURL=compression.d.ts.map

package/dist/internal/crypto/compression.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compression.d.ts","sourceRoot":"","sources":["../../../src/internal/crypto/compression.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAQhE,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,gCAAgC;AAChC,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAW3E;AAED,2CAA2C;AAC3C,wBAAsB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAMlE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGpD"}

package/dist/internal/crypto/compression.js

@@ -0,0 +1,34 @@
+/** Gzip compression/decompression applied before encryption. */
+import * as zlib from 'zlib';
+import { promisify } from 'util';
+const gzipAsync = promisify(zlib.gzip);
+const gunzipAsync = promisify(zlib.gunzip);
+/** Compress data using gzip. */
+export async function compressData(data) {
+    const originalSize = data.length;
+    const compressedData = await gzipAsync(data, {
+        level: zlib.constants.Z_DEFAULT_COMPRESSION, // Balance between speed and compression
+    });
+    return {
+        compressedData,
+        originalSize,
+        compressedSize: compressedData.length,
+    };
+}
+/** @throws Error if decompression fails */
+export async function decompressData(data) {
+    try {
+        return await gunzipAsync(data);
+    }
+    catch (error) {
+        throw new Error(`Failed to decompress data: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+}
+/**
+ * Files smaller than 150 bytes don't benefit from compression (gzip header overhead breakeven).
+ */
+export function shouldCompress(size) {
+    const MIN_COMPRESSION_SIZE = 150; // 150 bytes (gzip header overhead breakeven point)
+    return size >= MIN_COMPRESSION_SIZE;
+}
+//# sourceMappingURL=compression.js.map

package/dist/internal/crypto/compression.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compression.js","sourceRoot":"","sources":["../../../src/internal/crypto/compression.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAEhE,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvC,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAQ3C,gCAAgC;AAChC,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAY;IAC7C,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC;IACjC,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE;QAC3C,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,qBAAqB,EAAE,wCAAwC;KACtF,CAAC,CAAC;IAEH,OAAO;QACL,cAAc;QACd,YAAY;QACZ,cAAc,EAAE,cAAc,CAAC,MAAM;KACtC,CAAC;AACJ,CAAC;AAED,2CAA2C;AAC3C,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;IAC5G,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,oBAAoB,GAAG,GAAG,CAAC,CAAC,mDAAmD;IACrF,OAAO,IAAI,IAAI,oBAAoB,CAAC;AACtC,CAAC"}

package/dist/internal/crypto/key-generator.d.ts

@@ -0,0 +1,23 @@
+/** RSA-4096 key pair generation and validation. */
+export interface GeneratedKeyPair {
+    publicKey: string;
+    privateKey: string;
+    publicKeyFingerprint: string;
+    algorithm: 'RSA-4096';
+    keySize: 4096;
+    publicExponent: 65537;
+}
+/**
+ * Generate RSA-4096 key pair for use with Capsara API.
+ * Private key must be stored securely by the application (password-protected storage).
+ * Public key should be uploaded to the API via AccountClient.addPublicKey().
+ */
+export declare function generateKeyPair(): Promise<GeneratedKeyPair>;
+/**
+ * Calculate SHA-256 fingerprint of public key.
+ * Matches API's computeKeyFingerprint: hashes the entire PEM string including headers/footers.
+ */
+export declare function calculateKeyFingerprint(publicKeyPEM: string): string;
+/** Validate that public and private keys are PEM-formatted and form a working pair. */
+export declare function validateKeyPair(publicKey: string, privateKey: string): boolean;
+//# sourceMappingURL=key-generator.d.ts.map

package/dist/internal/crypto/key-generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-generator.d.ts","sourceRoot":"","sources":["../../../src/internal/crypto/key-generator.ts"],"names":[],"mappings":"AAAA,mDAAmD;AAOnD,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,SAAS,EAAE,UAAU,CAAC;IACtB,OAAO,EAAE,IAAI,CAAC;IACd,cAAc,EAAE,KAAK,CAAC;CACvB;AAED;;;;GAIG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAwBjE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAIpE;AAED,uFAAuF;AACvF,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CA8B9E"}

package/dist/internal/crypto/key-generator.js

@@ -0,0 +1,65 @@
+/** RSA-4096 key pair generation and validation. */
+import * as crypto from 'crypto';
+import { promisify } from 'util';
+const generateKeyPairAsync = promisify(crypto.generateKeyPair);
+/**
+ * Generate RSA-4096 key pair for use with Capsara API.
+ * Private key must be stored securely by the application (password-protected storage).
+ * Public key should be uploaded to the API via AccountClient.addPublicKey().
+ */
+export async function generateKeyPair() {
+    const { publicKey, privateKey } = await generateKeyPairAsync('rsa', {
+        modulusLength: 4096,
+        publicExponent: 65537,
+        publicKeyEncoding: {
+            type: 'spki', // X.509 SubjectPublicKeyInfo
+            format: 'pem',
+        },
+        privateKeyEncoding: {
+            type: 'pkcs8', // PKCS#8
+            format: 'pem',
+        },
+    });
+    const fingerprint = calculateKeyFingerprint(publicKey);
+    return {
+        publicKey,
+        privateKey,
+        publicKeyFingerprint: fingerprint,
+        algorithm: 'RSA-4096',
+        keySize: 4096,
+        publicExponent: 65537,
+    };
+}
+/**
+ * Calculate SHA-256 fingerprint of public key.
+ * Matches API's computeKeyFingerprint: hashes the entire PEM string including headers/footers.
+ */
+export function calculateKeyFingerprint(publicKeyPEM) {
+    const hash = crypto.createHash('sha256');
+    hash.update(publicKeyPEM);
+    return hash.digest('hex');
+}
+/** Validate that public and private keys are PEM-formatted and form a working pair. */
+export function validateKeyPair(publicKey, privateKey) {
+    try {
+        if (!publicKey.includes('BEGIN PUBLIC KEY') || !privateKey.includes('BEGIN PRIVATE KEY')) {
+            return false;
+        }
+        const testData = Buffer.from('test-validation-data');
+        const encrypted = crypto.publicEncrypt({
+            key: publicKey,
+            padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+            oaepHash: 'sha256',
+        }, testData);
+        const decrypted = crypto.privateDecrypt({
+            key: privateKey,
+            padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+            oaepHash: 'sha256',
+        }, encrypted);
+        return decrypted.equals(testData);
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=key-generator.js.map

package/dist/internal/crypto/key-generator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-generator.js","sourceRoot":"","sources":["../../../src/internal/crypto/key-generator.ts"],"names":[],"mappings":"AAAA,mDAAmD;AAEnD,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,MAAM,oBAAoB,GAAG,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;AAW/D;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,oBAAoB,CAAC,KAAK,EAAE;QAClE,aAAa,EAAE,IAAI;QACnB,cAAc,EAAE,KAAK;QACrB,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM,EAAG,6BAA6B;YAC5C,MAAM,EAAE,KAAK;SACd;QACD,kBAAkB,EAAE;YAClB,IAAI,EAAE,OAAO,EAAE,SAAS;YACxB,MAAM,EAAE,KAAK;SACd;KACF,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;IAEvD,OAAO;QACL,SAAS;QACT,UAAU;QACV,oBAAoB,EAAE,WAAW;QACjC,SAAS,EAAE,UAAU;QACrB,OAAO,EAAE,IAAI;QACb,cAAc,EAAE,KAAK;KACtB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,YAAoB;IAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED,uFAAuF;AACvF,MAAM,UAAU,eAAe,CAAC,SAAiB,EAAE,UAAkB;IACnE,IAAI,CAAC;QACH,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACzF,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAErD,MAAM,SAAS,GAAG,MAAM,CAAC,aAAa,CACpC;YACE,GAAG,EAAE,SAAS;YACd,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,sBAAsB;YAChD,QAAQ,EAAE,QAAQ;SACnB,EACD,QAAQ,CACT,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,CAAC,cAAc,CACrC;YACE,GAAG,EAAE,UAAU;YACf,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,sBAAsB;YAChD,QAAQ,EAAE,QAAQ;SACnB,EACD,SAAS,CACV,CAAC;QAEF,OAAO,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/internal/crypto/primitives.d.ts

@@ -0,0 +1,67 @@
+/** AES-256-GCM, RSA-4096-OAEP-SHA256, and SHA-256 cryptographic primitives. */
+import type { AESEncryptionResult } from '../types.js';
+/** Generate a 256-bit AES master key. */
+export declare function generateMasterKey(): Buffer;
+/**
+ * Generate a 96-bit initialization vector for AES-GCM.
+ * Used for optional fields (subject, body, metadata) that need separate IVs.
+ * encryptAES() generates its own IV automatically for file content.
+ */
+export declare function generateIV(): string;
+/**
+ * Encrypt data using AES-256-GCM.
+ * @param key - 256-bit AES key (32 bytes)
+ * @returns Encrypted data with IV and authentication tag, all base64url-encoded
+ * @throws Error if key is not 32 bytes
+ */
+export declare function encryptAES(data: Buffer, key: Buffer): AESEncryptionResult;
+/**
+ * Decrypt data using AES-256-GCM.
+ * @param encryptedData - Base64url-encoded ciphertext
+ * @param key - 256-bit AES key (32 bytes)
+ * @param iv - Base64url-encoded 12-byte IV
+ * @param authTag - Base64url-encoded 16-byte authentication tag
+ * @throws Error if key length is invalid, authentication fails, or decryption fails
+ */
+export declare function decryptAES(encryptedData: string, key: Buffer, iv: string, authTag: string): Buffer;
+/**
+ * Encrypt master key for a party using their RSA-4096 public key.
+ * @param masterKey - 32-byte AES master key
+ * @param publicKeyPEM - Party's RSA public key in PEM format
+ * @returns Base64url-encoded encrypted master key
+ * @throws Error if masterKey is not 32 bytes or publicKeyPEM is invalid
+ */
+export declare function encryptMasterKeyForParty(masterKey: Buffer, publicKeyPEM: string): string;
+/**
+ * Decrypt master key using party's RSA-4096 private key.
+ * @param encryptedKey - Base64url-encoded encrypted master key
+ * @param privateKeyPEM - Party's RSA private key in PEM format
+ * @returns Decrypted master key (32 bytes)
+ * @throws Error if privateKeyPEM is invalid or decryption fails
+ */
+export declare function decryptMasterKey(encryptedKey: string, privateKeyPEM: string): Buffer;
+/**
+ * Encrypt data using AES-256-GCM, returning raw Buffers instead of base64url.
+ * Avoids base64 round-trip overhead for large file content.
+ * @param key - 256-bit AES key (32 bytes)
+ * @throws Error if key is not 32 bytes
+ */
+export declare function encryptAESRaw(data: Buffer, key: Buffer): {
+    encryptedData: Buffer;
+    iv: Buffer;
+    authTag: Buffer;
+};
+/**
+ * Decrypt data using AES-256-GCM with raw Buffer inputs.
+ * Avoids base64 round-trip overhead for large file content.
+ * @param key - 256-bit AES key (32 bytes)
+ * @param iv - 12-byte initialization vector
+ * @param authTag - 16-byte authentication tag
+ * @throws Error if authentication fails or decryption fails
+ */
+export declare function decryptAESRaw(encryptedData: Buffer, key: Buffer, iv: Buffer, authTag: Buffer): Buffer;
+/** Compute SHA-256 hash, returned as lowercase hex. */
+export declare function computeHash(data: Buffer): string;
+/** Generate a cryptographically secure random ID, returned as base64url. */
+export declare function generateSecureId(length?: number): string;
+//# sourceMappingURL=primitives.d.ts.map

package/dist/internal/crypto/primitives.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"primitives.d.ts","sourceRoot":"","sources":["../../../src/internal/crypto/primitives.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAG/E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAmBvD,yCAAyC;AACzC,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED;;;;GAIG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAGnC;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,mBAAmB,CAgBzE;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,CACxB,aAAa,EAAE,MAAM,EACrB,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,GACd,MAAM,CA4CR;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,GACnB,MAAM,CAmCR;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,MAAM,GACpB,MAAM,CAoCR;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAY/G;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAC3B,aAAa,EAAE,MAAM,EACrB,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,GACd,MAAM,CAsBR;AAED,uDAAuD;AACvD,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,4EAA4E;AAC5E,wBAAgB,gBAAgB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAE5D"}