@capsara/sdk 1.0.1

package/dist/internal/services/auth-service.js

@@ -0,0 +1,170 @@
+/** Authentication service for managing access tokens and refresh tokens. */
+import { CapsaraAuthError } from '../../errors/auth-error.js';
+import { createHttpClient } from '../http-factory.js';
+export class AuthService {
+    accessToken = null;
+    refreshToken = null;
+    tokenExpiresAt = null;
+    http;
+    authStateCallbacks = new Set();
+    expectedIssuer;
+    expectedAudience;
+    lastRefreshError = null;
+    constructor(baseUrl, options) {
+        const httpOptions = {
+            baseUrl,
+            timeout: options?.timeout,
+            retry: options?.retry,
+            userAgent: options?.userAgent,
+        };
+        this.http = createHttpClient(httpOptions);
+        this.expectedIssuer = options?.expectedIssuer ?? 'vault.api';
+        this.expectedAudience = options?.expectedAudience ?? 'vault.api';
+    }
+    onAuthChange(callback) {
+        this.authStateCallbacks.add(callback);
+    }
+    offAuthChange(callback) {
+        this.authStateCallbacks.delete(callback);
+    }
+    emitAuthChange(event) {
+        const state = { isAuthenticated: this.isAuthenticated(), event };
+        this.authStateCallbacks.forEach((callback) => {
+            try {
+                callback(state);
+            }
+            catch (error) {
+                // eslint-disable-next-line no-console
+                console.error('Auth state callback error:', error);
+            }
+        });
+    }
+    decodeJWT(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const payload = parts[1];
+            if (!payload)
+                return null;
+            const base64 = payload.replace(/-/g, '+').replace(/_/g, '/');
+            const jsonPayload = Buffer.from(base64, 'base64').toString('utf-8');
+            return JSON.parse(jsonPayload);
+        }
+        catch {
+            return null;
+        }
+    }
+    validateAndExtractExpiry(token) {
+        const payload = this.decodeJWT(token);
+        if (!payload || !payload.exp)
+            return null;
+        const expiryMs = payload.exp * 1000;
+        if (payload.iss && payload.iss !== this.expectedIssuer) {
+            // eslint-disable-next-line no-console
+            console.warn(`JWT issuer mismatch: expected '${this.expectedIssuer}', got '${payload.iss}'`);
+        }
+        if (payload.aud && payload.aud !== this.expectedAudience) {
+            // eslint-disable-next-line no-console
+            console.warn(`JWT audience mismatch: expected '${this.expectedAudience}', got '${payload.aud}'`);
+        }
+        return expiryMs;
+    }
+    isTokenExpired(bufferSeconds = 30) {
+        if (!this.tokenExpiresAt)
+            return true;
+        return Date.now() >= this.tokenExpiresAt - bufferSeconds * 1000;
+    }
+    async login(credentials) {
+        try {
+            const response = await this.http.post('/api/auth/login', credentials);
+            this.accessToken = response.data.accessToken;
+            this.refreshToken = response.data.refreshToken || null;
+            if (response.data.expiresIn) {
+                this.tokenExpiresAt = Date.now() + response.data.expiresIn * 1000;
+            }
+            else if (response.data.accessToken) {
+                this.tokenExpiresAt = this.validateAndExtractExpiry(response.data.accessToken);
+            }
+            this.emitAuthChange('login');
+            return response.data;
+        }
+        catch (error) {
+            throw CapsaraAuthError.fromApiError(error);
+        }
+    }
+    async refresh() {
+        if (!this.refreshToken)
+            return false;
+        try {
+            const response = await this.http.post('/api/auth/refresh', { refreshToken: this.refreshToken });
+            this.accessToken = response.data.accessToken;
+            this.refreshToken = response.data.refreshToken || this.refreshToken;
+            if (response.data.expiresIn) {
+                this.tokenExpiresAt = Date.now() + response.data.expiresIn * 1000;
+            }
+            else if (response.data.accessToken) {
+                this.tokenExpiresAt = this.validateAndExtractExpiry(response.data.accessToken);
+            }
+            this.lastRefreshError = null;
+            this.emitAuthChange('refresh');
+            return true;
+        }
+        catch (error) {
+            this.lastRefreshError = error instanceof Error ? error : new Error(String(error));
+            // eslint-disable-next-line no-console
+            console.warn('Token refresh failed:', error instanceof Error ? error.message : 'Unknown error');
+            return false;
+        }
+    }
+    getLastRefreshError() {
+        return this.lastRefreshError;
+    }
+    getToken() {
+        return this.accessToken;
+    }
+    getRefreshToken() {
+        return this.refreshToken;
+    }
+    isAuthenticated() {
+        return this.accessToken !== null;
+    }
+    canRefresh() {
+        return this.refreshToken !== null;
+    }
+    async logout() {
+        const currentAccessToken = this.accessToken;
+        const currentRefreshToken = this.refreshToken;
+        this.accessToken = null;
+        this.refreshToken = null;
+        this.tokenExpiresAt = null;
+        if (currentAccessToken && currentRefreshToken) {
+            try {
+                await this.http.post('/api/auth/logout', { refreshToken: currentRefreshToken }, { headers: { Authorization: `Bearer ${currentAccessToken}` } });
+                this.emitAuthChange('logout');
+                return true;
+            }
+            catch (error) {
+                // eslint-disable-next-line no-console
+                console.warn('Server-side logout failed (tokens cleared locally):', error instanceof Error ? error.message : 'Unknown error');
+                this.emitAuthChange('logout');
+                return false;
+            }
+        }
+        this.emitAuthChange('logout');
+        return true;
+    }
+    setToken(token) {
+        this.accessToken = token;
+        this.tokenExpiresAt = this.validateAndExtractExpiry(token);
+    }
+    setRefreshToken(token) {
+        this.refreshToken = token;
+    }
+    setTokens(accessToken, refreshToken) {
+        this.accessToken = accessToken;
+        this.refreshToken = refreshToken;
+        this.tokenExpiresAt = this.validateAndExtractExpiry(accessToken);
+    }
+}
+//# sourceMappingURL=auth-service.js.map

package/dist/internal/services/auth-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-service.js","sourceRoot":"","sources":["../../../src/internal/services/auth-service.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAI5E,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAE9D,OAAO,EAAE,gBAAgB,EAAkD,MAAM,oBAAoB,CAAC;AAuBtG,MAAM,OAAO,WAAW;IACd,WAAW,GAAkB,IAAI,CAAC;IAClC,YAAY,GAAkB,IAAI,CAAC;IACnC,cAAc,GAAkB,IAAI,CAAC;IACrC,IAAI,CAAgB;IACpB,kBAAkB,GAAiC,IAAI,GAAG,EAAE,CAAC;IAC7D,cAAc,CAAS;IACvB,gBAAgB,CAAS;IACzB,gBAAgB,GAAiB,IAAI,CAAC;IAE9C,YAAY,OAAe,EAAE,OAA4B;QACvD,MAAM,WAAW,GAAsB;YACrC,OAAO;YACP,OAAO,EAAE,OAAO,EAAE,OAAO;YACzB,KAAK,EAAE,OAAO,EAAE,KAAK;YACrB,SAAS,EAAE,OAAO,EAAE,SAAS;SAC9B,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAC1C,IAAI,CAAC,cAAc,GAAG,OAAO,EAAE,cAAc,IAAI,WAAW,CAAC;QAC7D,IAAI,CAAC,gBAAgB,GAAG,OAAO,EAAE,gBAAgB,IAAI,WAAW,CAAC;IACnE,CAAC;IAED,YAAY,CAAC,QAAiC;QAC5C,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED,aAAa,CAAC,QAAiC;QAC7C,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAEO,cAAc,CAAC,KAAiD;QACtE,MAAM,KAAK,GAAG,EAAE,eAAe,EAAE,IAAI,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,CAAC;QACjE,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC3C,IAAI,CAAC;gBACH,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,sCAAsC;gBACtC,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;YACrD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,SAAS,CAAC,KAAa;QAC7B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACzB,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;YAC1B,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC7D,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAe,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,wBAAwB,CAAC,KAAa;QAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACtC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;QAEpC,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,cAAc,EAAE,CAAC;YACvD,sCAAsC;YACtC,OAAO,CAAC,IAAI,CAAC,kCAAkC,IAAI,CAAC,cAAc,WAAW,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC;QAC/F,CAAC;QACD,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACzD,sCAAsC;YACtC,OAAO,CAAC,IAAI,CAAC,oCAAoC,IAAI,CAAC,gBAAgB,WAAW,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC;QACnG,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,cAAc,CAAC,aAAa,GAAG,EAAE;QAC/B,IAAI,CAAC,IAAI,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC;QACtC,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,cAAc,GAAG,aAAa,GAAG,IAAI,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,WAA4B;QACtC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAe,iBAAiB,EAAE,WAAW,CAAC,CAAC;YACpF,IAAI,CAAC,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC;YAC7C,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC;YAEvD,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;YACpE,CAAC;iBAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACjF,CAAC;YAED,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,gBAAgB,CAAC,YAAY,CAAC,KAAuB,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,OAAO,KAAK,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CACnC,mBAAmB,EACnB,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CACpC,CAAC;YACF,IAAI,CAAC,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC;YAC7C,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC;YAEpE,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;YACpE,CAAC;iBAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACjF,CAAC;YAED,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAC7B,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;YAC/B,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,gBAAgB,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YAClF,sCAAsC;YACtC,OAAO,CAAC,IAAI,CAAC,uBAAuB,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC;YAChG,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,mBAAmB;QACjB,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,eAAe;QACb,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,eAAe;QACb,OAAO,IAAI,CAAC,WAAW,KAAK,IAAI,CAAC;IACnC,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM;QACV,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC;QAC5C,MAAM,mBAAmB,GAAG,IAAI,CAAC,YAAY,CAAC;QAE9C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAE3B,IAAI,kBAAkB,IAAI,mBAAmB,EAAE,CAAC;YAC9C,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAClB,kBAAkB,EAClB,EAAE,YAAY,EAAE,mBAAmB,EAAE,EACrC,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,kBAAkB,EAAE,EAAE,EAAE,CAC/D,CAAC;gBACF,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;gBAC9B,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,sCAAsC;gBACtC,OAAO,CAAC,IAAI,CAAC,qDAAqD,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC;gBAC9H,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;gBAC9B,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,QAAQ,CAAC,KAAa;QACpB,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;QACzB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC;IAC7D,CAAC;IAED,eAAe,CAAC,KAAa;QAC3B,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC;IAC5B,CAAC;IAED,SAAS,CAAC,WAAmB,EAAE,YAAoB;QACjD,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,wBAAwB,CAAC,WAAW,CAAC,CAAC;IACnE,CAAC;CACF"}

package/dist/internal/services/capsa-service.d.ts

@@ -0,0 +1,40 @@
+/** Capsa CRUD operations service. */
+import type { AxiosInstance } from 'axios';
+import { type DecryptedCapsa } from '../decryptor/capsa-decryptor.js';
+import type { Capsa, CapsaListFilters, CapsaListResponse } from '../../types/index.js';
+import type { KeyManager } from './key-service.js';
+export interface CapsaServiceOptions {
+    axiosInstance: AxiosInstance;
+    keyManager: KeyManager;
+}
+export declare class CapsaService {
+    private http;
+    private keyManager;
+    constructor(options: CapsaServiceOptions);
+    /**
+     * Get capsa by ID (encrypted)
+     * @param capsaId - Capsa ID
+     * @returns Encrypted capsa
+     */
+    getCapsa(capsaId: string): Promise<Capsa>;
+    /**
+     * Get and decrypt capsa
+     * @param capsaId - Capsa ID
+     * @param privateKey - Private key for decryption
+     * @param verifySignature - Whether to verify signature (default: true)
+     * @returns Decrypted capsa
+     */
+    getDecryptedCapsa(capsaId: string, privateKey: string, verifySignature?: boolean): Promise<DecryptedCapsa>;
+    /**
+     * List capsas with cursor-based pagination
+     * @param filters - Query filters
+     * @returns Paginated capsa list (always returns valid structure, even if empty)
+     */
+    listCapsas(filters?: CapsaListFilters): Promise<CapsaListResponse>;
+    /**
+     * Soft delete a capsa
+     * @param capsaId - Capsa ID
+     */
+    deleteCapsa(capsaId: string): Promise<void>;
+}
+//# sourceMappingURL=capsa-service.d.ts.map

package/dist/internal/services/capsa-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capsa-service.d.ts","sourceRoot":"","sources":["../../../src/internal/services/capsa-service.ts"],"names":[],"mappings":"AAAA,qCAAqC;AAErC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAC3C,OAAO,EAAgB,KAAK,cAAc,EAAE,MAAM,iCAAiC,CAAC;AAGpF,OAAO,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD,MAAM,WAAW,mBAAmB;IAClC,aAAa,EAAE,aAAa,CAAC;IAC7B,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,IAAI,CAAgB;IAC5B,OAAO,CAAC,UAAU,CAAa;gBAEnB,OAAO,EAAE,mBAAmB;IAKxC;;;;OAIG;IACG,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;IAS/C;;;;;;OAMG;IACG,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,eAAe,UAAO,GACrB,OAAO,CAAC,cAAc,CAAC;IAmB1B;;;;OAIG;IACG,UAAU,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAsBxE;;;OAGG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAOlD"}

package/dist/internal/services/capsa-service.js

@@ -0,0 +1,82 @@
+/** Capsa CRUD operations service. */
+import { decryptCapsa } from '../decryptor/capsa-decryptor.js';
+import { CapsaraCapsaError } from '../../errors/capsa-error.js';
+export class CapsaService {
+    http;
+    keyManager;
+    constructor(options) {
+        this.http = options.axiosInstance;
+        this.keyManager = options.keyManager;
+    }
+    /**
+     * Get capsa by ID (encrypted)
+     * @param capsaId - Capsa ID
+     * @returns Encrypted capsa
+     */
+    async getCapsa(capsaId) {
+        try {
+            const response = await this.http.get(`/api/capsas/${capsaId}`);
+            return response.data;
+        }
+        catch (error) {
+            throw CapsaraCapsaError.fromApiError(error);
+        }
+    }
+    /**
+     * Get and decrypt capsa
+     * @param capsaId - Capsa ID
+     * @param privateKey - Private key for decryption
+     * @param verifySignature - Whether to verify signature (default: true)
+     * @returns Decrypted capsa
+     */
+    async getDecryptedCapsa(capsaId, privateKey, verifySignature = true) {
+        const capsa = await this.getCapsa(capsaId);
+        // Fetch creator's public key for signature verification
+        let creatorPublicKey;
+        if (verifySignature) {
+            const creatorKey = await this.keyManager.fetchExplicitPartyKey(capsa.creator);
+            creatorPublicKey = creatorKey?.publicKey;
+        }
+        return decryptCapsa(capsa, privateKey, undefined, // Auto-detect party from keychain
+        creatorPublicKey, verifySignature);
+    }
+    /**
+     * List capsas with cursor-based pagination
+     * @param filters - Query filters
+     * @returns Paginated capsa list (always returns valid structure, even if empty)
+     */
+    async listCapsas(filters) {
+        try {
+            const response = await this.http.get('/api/capsas', {
+                params: filters,
+            });
+            // Defensive handling for null/undefined response data
+            const data = response.data;
+            return {
+                capsas: data?.capsas ?? [],
+                pagination: {
+                    limit: data?.pagination?.limit ?? filters?.limit ?? 20,
+                    hasMore: data?.pagination?.hasMore ?? false,
+                    nextCursor: data?.pagination?.nextCursor,
+                    prevCursor: data?.pagination?.prevCursor,
+                },
+            };
+        }
+        catch (error) {
+            throw CapsaraCapsaError.fromApiError(error);
+        }
+    }
+    /**
+     * Soft delete a capsa
+     * @param capsaId - Capsa ID
+     */
+    async deleteCapsa(capsaId) {
+        try {
+            await this.http.delete(`/api/capsas/${capsaId}`);
+        }
+        catch (error) {
+            throw CapsaraCapsaError.fromApiError(error);
+        }
+    }
+}
+//# sourceMappingURL=capsa-service.js.map

package/dist/internal/services/capsa-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capsa-service.js","sourceRoot":"","sources":["../../../src/internal/services/capsa-service.ts"],"names":[],"mappings":"AAAA,qCAAqC;AAGrC,OAAO,EAAE,YAAY,EAAuB,MAAM,iCAAiC,CAAC;AACpF,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAUhE,MAAM,OAAO,YAAY;IACf,IAAI,CAAgB;IACpB,UAAU,CAAa;IAE/B,YAAY,OAA4B;QACtC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACvC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ,CAAC,OAAe;QAC5B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAQ,eAAe,OAAO,EAAE,CAAC,CAAC;YACtE,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,iBAAiB,CAAC,YAAY,CAAC,KAAuB,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB,CACrB,OAAe,EACf,UAAkB,EAClB,eAAe,GAAG,IAAI;QAEtB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAE3C,wDAAwD;QACxD,IAAI,gBAAoC,CAAC;QACzC,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC9E,gBAAgB,GAAG,UAAU,EAAE,SAAS,CAAC;QAC3C,CAAC;QAED,OAAO,YAAY,CACjB,KAAK,EACL,UAAU,EACV,SAAS,EAAE,kCAAkC;QAC7C,gBAAgB,EAChB,eAAe,CAChB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,UAAU,CAAC,OAA0B;QACzC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAoB,aAAa,EAAE;gBACrE,MAAM,EAAE,OAAkC;aAC3C,CAAC,CAAC;YAEH,sDAAsD;YACtD,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;YAC3B,OAAO;gBACL,MAAM,EAAE,IAAI,EAAE,MAAM,IAAI,EAAE;gBAC1B,UAAU,EAAE;oBACV,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,IAAI,OAAO,EAAE,KAAK,IAAI,EAAE;oBACtD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,IAAI,KAAK;oBAC3C,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU;oBACxC,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU;iBACzC;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,iBAAiB,CAAC,YAAY,CAAC,KAAuB,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CAAC,OAAe;QAC/B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,OAAO,EAAE,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,iBAAiB,CAAC,YAAY,CAAC,KAAuB,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;CACF"}

package/dist/internal/services/download-service.d.ts

@@ -0,0 +1,62 @@
+/** File download and decryption service. */
+import type { AxiosInstance } from 'axios';
+import type { RetryConfig, RetryLogger } from '../config/retry-interceptor.js';
+export interface DownloadServiceOptions {
+    axiosInstance: AxiosInstance;
+    blobClient: AxiosInstance;
+    retryConfig: Required<RetryConfig>;
+    logger: RetryLogger;
+}
+export interface FileMetadata {
+    iv: string;
+    authTag: string;
+    compressed?: boolean;
+    encryptedFilename: string;
+    filenameIV: string;
+    filenameAuthTag: string;
+}
+export interface DecryptedFileResult {
+    data: Buffer;
+    filename: string;
+}
+export declare class DownloadService {
+    private http;
+    private blobDownloadClient;
+    private retryConfig;
+    private logger;
+    constructor(options: DownloadServiceOptions);
+    /**
+     * Get download URL for encrypted file
+     * @param capsaId - Capsa ID
+     * @param fileId - File ID
+     * @param expiresInMinutes - URL expiration in minutes (default: 60)
+     * @returns Download URL and expiration
+     */
+    getFileDownloadUrl(capsaId: string, fileId: string, expiresInMinutes?: number): Promise<{
+        downloadUrl: string;
+        expiresAt: string;
+    }>;
+    /**
+     * Download encrypted file from blob storage
+     * @param capsaId - Capsa ID
+     * @param fileId - File ID
+     * @returns Encrypted file data
+     */
+    downloadEncryptedFile(capsaId: string, fileId: string): Promise<Buffer>;
+    /**
+     * Download and decrypt file
+     * @param capsaId - Capsa ID
+     * @param fileId - File ID
+     * @param masterKey - Decrypted master key (raw Buffer)
+     * @param metadata - File metadata for decryption
+     * @returns Decrypted file data and filename
+     */
+    downloadAndDecryptFile(capsaId: string, fileId: string, masterKey: Buffer, metadata: FileMetadata): Promise<DecryptedFileResult>;
+    /** Download file with retry logic. */
+    private downloadFileWithRetry;
+    /**
+     * Calculate retry delay with exponential backoff
+     */
+    private calculateRetryDelay;
+}
+//# sourceMappingURL=download-service.d.ts.map

package/dist/internal/services/download-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"download-service.d.ts","sourceRoot":"","sources":["../../../src/internal/services/download-service.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAE5C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAM3C,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAE/E,MAAM,WAAW,sBAAsB;IACrC,aAAa,EAAE,aAAa,CAAC;IAC7B,UAAU,EAAE,aAAa,CAAC;IAC1B,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IACnC,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,IAAI,CAAgB;IAC5B,OAAO,CAAC,kBAAkB,CAAgB;IAC1C,OAAO,CAAC,WAAW,CAAwB;IAC3C,OAAO,CAAC,MAAM,CAAc;gBAEhB,OAAO,EAAE,sBAAsB;IAO3C;;;;;;OAMG;IACG,kBAAkB,CACtB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,gBAAgB,SAAK,GACpB,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAmBtD;;;;;OAKG;IACG,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK7E;;;;;;;OAOG;IACG,sBAAsB,CAC1B,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,mBAAmB,CAAC;IA2B/B,sCAAsC;YACxB,qBAAqB;IA8BnC;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAc5B"}

package/dist/internal/services/download-service.js

@@ -0,0 +1,114 @@
+/** File download and decryption service. */
+import { decryptFilename } from '../decryptor/capsa-decryptor.js';
+import { decryptAESRaw } from '../crypto/primitives.js';
+import { decompressData } from '../crypto/compression.js';
+import { CapsaraCapsaError } from '../../errors/capsa-error.js';
+export class DownloadService {
+    http;
+    blobDownloadClient;
+    retryConfig;
+    logger;
+    constructor(options) {
+        this.http = options.axiosInstance;
+        this.blobDownloadClient = options.blobClient;
+        this.retryConfig = options.retryConfig;
+        this.logger = options.logger;
+    }
+    /**
+     * Get download URL for encrypted file
+     * @param capsaId - Capsa ID
+     * @param fileId - File ID
+     * @param expiresInMinutes - URL expiration in minutes (default: 60)
+     * @returns Download URL and expiration
+     */
+    async getFileDownloadUrl(capsaId, fileId, expiresInMinutes = 60) {
+        try {
+            const response = await this.http.get(`/api/capsas/${capsaId}/files/${fileId}/download`, {
+                params: { expires: expiresInMinutes },
+            });
+            return {
+                downloadUrl: response.data.downloadUrl,
+                expiresAt: response.data.expiresAt,
+            };
+        }
+        catch (error) {
+            throw CapsaraCapsaError.fromApiError(error);
+        }
+    }
+    /**
+     * Download encrypted file from blob storage
+     * @param capsaId - Capsa ID
+     * @param fileId - File ID
+     * @returns Encrypted file data
+     */
+    async downloadEncryptedFile(capsaId, fileId) {
+        const { downloadUrl } = await this.getFileDownloadUrl(capsaId, fileId);
+        return this.downloadFileWithRetry(downloadUrl, 0);
+    }
+    /**
+     * Download and decrypt file
+     * @param capsaId - Capsa ID
+     * @param fileId - File ID
+     * @param masterKey - Decrypted master key (raw Buffer)
+     * @param metadata - File metadata for decryption
+     * @returns Decrypted file data and filename
+     */
+    async downloadAndDecryptFile(capsaId, fileId, masterKey, metadata) {
+        try {
+            const encryptedData = await this.downloadEncryptedFile(capsaId, fileId);
+            // Decrypt using raw Buffer APIs to avoid base64 round-trip overhead
+            const ivBuffer = Buffer.from(metadata.iv, 'base64url');
+            const authTagBuffer = Buffer.from(metadata.authTag, 'base64url');
+            let decryptedData = decryptAESRaw(encryptedData, masterKey, ivBuffer, authTagBuffer);
+            if (metadata.compressed) {
+                decryptedData = await decompressData(decryptedData);
+            }
+            const filename = decryptFilename(metadata.encryptedFilename, masterKey, metadata.filenameIV, metadata.filenameAuthTag);
+            return { data: decryptedData, filename };
+        }
+        catch (error) {
+            // Wrap error with capsaId and fileId context for debugging
+            throw CapsaraCapsaError.downloadFailed(capsaId, fileId, error);
+        }
+    }
+    /** Download file with retry logic. */
+    async downloadFileWithRetry(downloadUrl, retryCount) {
+        try {
+            const response = await this.blobDownloadClient.get(downloadUrl, {
+                responseType: 'arraybuffer',
+            });
+            return Buffer.from(response.data);
+        }
+        catch (error) {
+            const axiosError = error;
+            const status = axiosError.response?.status;
+            const isRetryable = status === 503 || status === 429;
+            if (isRetryable && retryCount < this.retryConfig.maxRetries) {
+                const retryDelay = this.calculateRetryDelay(axiosError, retryCount, status);
+                if (this.retryConfig.enableLogging) {
+                    this.logger.log(`[Capsara SDK] Retry attempt ${retryCount + 1}/${this.retryConfig.maxRetries} ` +
+                        `for ${status} error (file download) - waiting ${Math.floor(retryDelay)}ms`);
+                }
+                await new Promise(resolve => globalThis.setTimeout(resolve, retryDelay));
+                return this.downloadFileWithRetry(downloadUrl, retryCount + 1);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Calculate retry delay with exponential backoff
+     */
+    calculateRetryDelay(error, retryCount, _status) {
+        const responseData = error.response?.data;
+        const errorObj = responseData?.error;
+        const serverDelay = errorObj?.retryAfter;
+        if (typeof serverDelay === 'number') {
+            return Math.min(serverDelay * 1000, this.retryConfig.maxDelay);
+        }
+        // Exponential backoff with jitter
+        const exponentialDelay = this.retryConfig.baseDelay * Math.pow(2, retryCount);
+        const jitter = Math.random() * 0.3 * exponentialDelay;
+        return Math.min(exponentialDelay + jitter, this.retryConfig.maxDelay);
+    }
+}
+//# sourceMappingURL=download-service.js.map

package/dist/internal/services/download-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"download-service.js","sourceRoot":"","sources":["../../../src/internal/services/download-service.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAG5C,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAyBhE,MAAM,OAAO,eAAe;IAClB,IAAI,CAAgB;IACpB,kBAAkB,CAAgB;IAClC,WAAW,CAAwB;IACnC,MAAM,CAAc;IAE5B,YAAY,OAA+B;QACzC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC;QAClC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC;QAC7C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC/B,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,kBAAkB,CACtB,OAAe,EACf,MAAc,EACd,gBAAgB,GAAG,EAAE;QAErB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAIjC,eAAe,OAAO,UAAU,MAAM,WAAW,EAAE;gBACpD,MAAM,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE;aACtC,CAAC,CAAC;YAEH,OAAO;gBACL,WAAW,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW;gBACtC,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS;aACnC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,iBAAiB,CAAC,YAAY,CAAC,KAAuB,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,qBAAqB,CAAC,OAAe,EAAE,MAAc;QACzD,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACvE,OAAO,IAAI,CAAC,qBAAqB,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACpD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,sBAAsB,CAC1B,OAAe,EACf,MAAc,EACd,SAAiB,EACjB,QAAsB;QAEtB,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAExE,oEAAoE;YACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;YACvD,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YACjE,IAAI,aAAa,GAAG,aAAa,CAAC,aAAa,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YAErF,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;gBACxB,aAAa,GAAG,MAAM,cAAc,CAAC,aAAa,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,QAAQ,GAAG,eAAe,CAC9B,QAAQ,CAAC,iBAAiB,EAC1B,SAAS,EACT,QAAQ,CAAC,UAAU,EACnB,QAAQ,CAAC,eAAe,CACzB,CAAC;YAEF,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,2DAA2D;YAC3D,MAAM,iBAAiB,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,sCAAsC;IAC9B,KAAK,CAAC,qBAAqB,CAAC,WAAmB,EAAE,UAAkB;QACzE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAc,WAAW,EAAE;gBAC3E,YAAY,EAAE,aAAa;aAC5B,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,UAAU,GAAG,KAAuB,CAAC;YAC3C,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;YAC3C,MAAM,WAAW,GAAG,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,CAAC;YAErD,IAAI,WAAW,IAAI,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;gBAC5D,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;gBAE5E,IAAI,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;oBACnC,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,+BAA+B,UAAU,GAAG,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,GAAG;wBAC/E,OAAO,MAAM,oCAAoC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAC5E,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;gBACzE,OAAO,IAAI,CAAC,qBAAqB,CAAC,WAAW,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC;YACjE,CAAC;YAED,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,KAAqB,EAAE,UAAkB,EAAE,OAA2B;QAChG,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,EAAE,IAA2C,CAAC;QACjF,MAAM,QAAQ,GAAG,YAAY,EAAE,KAA4C,CAAC;QAC5E,MAAM,WAAW,GAAG,QAAQ,EAAE,UAAU,CAAC;QAEzC,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC,GAAG,CAAC,WAAW,GAAG,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACjE,CAAC;QAED,kCAAkC;QAClC,MAAM,gBAAgB,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QAC9E,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,GAAG,gBAAgB,CAAC;QACtD,OAAO,IAAI,CAAC,GAAG,CAAC,gBAAgB,GAAG,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IACxE,CAAC;CACF"}

package/dist/internal/services/key-service.d.ts

@@ -0,0 +1,28 @@
+/** Party key management for fetching public keys. */
+import type { PartyKey } from '../../types/index.js';
+import { type HttpTimeoutConfig } from '../config/http-client.js';
+import type { RetryConfig } from '../config/retry-interceptor.js';
+export interface KeyManagerOptions {
+    timeout?: Partial<HttpTimeoutConfig>;
+    retry?: RetryConfig;
+}
+export declare class KeyManager {
+    private axiosInstance;
+    constructor(baseUrl: string, getToken: () => string | null, options?: KeyManagerOptions);
+    /**
+     * Fetch a single party key by exact ID (excludes delegates)
+     * Always fetches fresh from API to handle remote key rotations
+     * @param partyId - Party ID to fetch
+     * @returns Party key or undefined if not found
+     */
+    fetchExplicitPartyKey(partyId: string): Promise<PartyKey | undefined>;
+    /**
+     * Fetch party keys from API (includes delegates)
+     * Always fetches fresh from API to handle remote key rotations
+     * Uses POST to avoid URL length limits with large batches
+     * @param partyIds - Array of party IDs
+     * @returns Array of party keys with public keys and fingerprints (includes delegates)
+     */
+    fetchPartyKeys(partyIds: string[]): Promise<PartyKey[]>;
+}
+//# sourceMappingURL=key-service.d.ts.map

package/dist/internal/services/key-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-service.d.ts","sourceRoot":"","sources":["../../../src/internal/services/key-service.ts"],"names":[],"mappings":"AAAA,qDAAqD;AAGrD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAIL,KAAK,iBAAiB,EACvB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAElE,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACrC,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,aAAa,CAAgB;gBAGnC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,MAAM,GAAG,IAAI,EAC7B,OAAO,CAAC,EAAE,iBAAiB;IAyB7B;;;;;OAKG;IACG,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;IAU3E;;;;;;OAMG;IACG,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;CAQ9D"}

package/dist/internal/services/key-service.js

@@ -0,0 +1,45 @@
+/** Party key management for fetching public keys. */
+import axios from 'axios';
+import { createAxiosConfig, configureRetryInterceptor, DEFAULT_TIMEOUT_CONFIG, } from '../config/http-client.js';
+export class KeyManager {
+    axiosInstance;
+    constructor(baseUrl, getToken, options) {
+        const timeoutConfig = {
+            ...DEFAULT_TIMEOUT_CONFIG,
+            ...options?.timeout,
+        };
+        const axiosConfig = createAxiosConfig(baseUrl, timeoutConfig.apiTimeout, timeoutConfig);
+        this.axiosInstance = axios.create(axiosConfig);
+        configureRetryInterceptor(this.axiosInstance, options?.retry);
+        this.axiosInstance.interceptors.request.use((config) => {
+            const token = getToken();
+            if (token) {
+                config.headers.Authorization = `Bearer ${token}`;
+            }
+            return config;
+        });
+    }
+    /**
+     * Fetch a single party key by exact ID (excludes delegates)
+     * Always fetches fresh from API to handle remote key rotations
+     * @param partyId - Party ID to fetch
+     * @returns Party key or undefined if not found
+     */
+    async fetchExplicitPartyKey(partyId) {
+        const response = await this.axiosInstance.post('/api/party/keys', { ids: [partyId] });
+        // Return only the explicitly requested party (API may include delegates)
+        return response.data.parties.find((p) => p.id === partyId);
+    }
+    /**
+     * Fetch party keys from API (includes delegates)
+     * Always fetches fresh from API to handle remote key rotations
+     * Uses POST to avoid URL length limits with large batches
+     * @param partyIds - Array of party IDs
+     * @returns Array of party keys with public keys and fingerprints (includes delegates)
+     */
+    async fetchPartyKeys(partyIds) {
+        const response = await this.axiosInstance.post('/api/party/keys', { ids: partyIds });
+        return response.data.parties;
+    }
+}
+//# sourceMappingURL=key-service.js.map

package/dist/internal/services/key-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-service.js","sourceRoot":"","sources":["../../../src/internal/services/key-service.ts"],"names":[],"mappings":"AAAA,qDAAqD;AAErD,OAAO,KAAwB,MAAM,OAAO,CAAC;AAE7C,OAAO,EACL,iBAAiB,EACjB,yBAAyB,EACzB,sBAAsB,GAEvB,MAAM,0BAA0B,CAAC;AAQlC,MAAM,OAAO,UAAU;IACb,aAAa,CAAgB;IAErC,YACE,OAAe,EACf,QAA6B,EAC7B,OAA2B;QAE3B,MAAM,aAAa,GAAG;YACpB,GAAG,sBAAsB;YACzB,GAAG,OAAO,EAAE,OAAO;SACpB,CAAC;QAEF,MAAM,WAAW,GAAG,iBAAiB,CACnC,OAAO,EACP,aAAa,CAAC,UAAU,EACxB,aAAa,CACd,CAAC;QACF,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAE/C,yBAAyB,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;QAE9D,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE;YACrD,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;YACzB,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,OAAO,CAAC,aAAa,GAAG,UAAU,KAAK,EAAE,CAAC;YACnD,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,qBAAqB,CAAC,OAAe;QACzC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAC5C,iBAAiB,EACjB,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,CACnB,CAAC;QAEF,yEAAyE;QACzE,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,OAAO,CAAC,CAAC;IAC7D,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,cAAc,CAAC,QAAkB;QACrC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAC5C,iBAAiB,EACjB,EAAE,GAAG,EAAE,QAAQ,EAAE,CAClB,CAAC;QAEF,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC;IAC/B,CAAC;CACF"}

package/dist/internal/services/limits-service.d.ts

@@ -0,0 +1,30 @@
+/** System limits management with caching. */
+import type { SystemLimits } from '../../types/index.js';
+import { type HttpTimeoutConfig } from '../config/http-client.js';
+import type { RetryConfig } from '../config/retry-interceptor.js';
+export declare class LimitsManager {
+    private axiosInstance;
+    private cachedLimits;
+    private readonly cacheTTL;
+    constructor(baseUrl: string, timeout?: Partial<HttpTimeoutConfig>, retry?: RetryConfig);
+    /**
+     * Fetch system limits from API
+     * @returns System limits
+     */
+    private fetchLimits;
+    /**
+     * Get system limits (from cache or fetch from API)
+     * @returns System limits
+     */
+    getLimits(): Promise<SystemLimits>;
+    /**
+     * Clear the limits cache (useful for testing or forcing refresh)
+     */
+    clearCache(): void;
+    /**
+     * Get fallback limits (for reference)
+     * @returns Hardcoded fallback limits
+     */
+    static getFallbackLimits(): SystemLimits;
+}
+//# sourceMappingURL=limits-service.d.ts.map

package/dist/internal/services/limits-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"limits-service.d.ts","sourceRoot":"","sources":["../../../src/internal/services/limits-service.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAG7C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAIL,KAAK,iBAAiB,EACvB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAiBlE,qBAAa,aAAa;IACxB,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,YAAY,CAA6B;IACjD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAmC;gBAEhD,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,EAAE,WAAW;IAgBtF;;;OAGG;YACW,WAAW;IAUzB;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,CAAC;IAqBxC;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;;OAGG;IACH,MAAM,CAAC,iBAAiB,IAAI,YAAY;CAGzC"}