@cedros/login-react 0.0.12 → 0.0.14

package/dist/crypto/aesGcm.d.ts

@@ -1,89 +0,0 @@
-import { EncryptionKey, AesNonce } from './types';
-/** Result of AES-GCM encryption */
-export interface AesGcmEncryptResult {
-    /** Ciphertext including authentication tag */
-    ciphertext: Uint8Array;
-    /** 12-byte nonce used */
-    nonce: AesNonce;
-}
-/**
- * Encrypt plaintext using AES-256-GCM
- *
- * @param plaintext - Data to encrypt
- * @param key - 32-byte encryption key
- * @param nonce - Optional 12-byte nonce (generated if not provided)
- * @returns Ciphertext and nonce
- * @throws Error if encryption fails
- */
-export declare function aesGcmEncrypt(plaintext: Uint8Array, key: EncryptionKey, nonce?: AesNonce): Promise<AesGcmEncryptResult>;
-/**
- * Decrypt ciphertext using AES-256-GCM
- *
- * @param ciphertext - Data to decrypt (includes auth tag)
- * @param key - 32-byte encryption key
- * @param nonce - 12-byte nonce used during encryption
- * @returns Decrypted plaintext
- * @throws Error if decryption or authentication fails
- */
-export declare function aesGcmDecrypt(ciphertext: Uint8Array, key: EncryptionKey, nonce: AesNonce): Promise<Uint8Array>;
-/**
- * Encrypt plaintext and return base64-encoded results
- *
- * @param plaintext - Data to encrypt
- * @param key - 32-byte encryption key
- * @returns Base64-encoded ciphertext and nonce
- */
-export declare function aesGcmEncryptToBase64(plaintext: Uint8Array, key: EncryptionKey): Promise<{
-    ciphertext: string;
-    nonce: string;
-}>;
-/**
- * Decrypt base64-encoded ciphertext
- *
- * @param ciphertextB64 - Base64-encoded ciphertext
- * @param nonceB64 - Base64-encoded nonce
- * @param key - 32-byte encryption key
- * @returns Decrypted plaintext
- */
-export declare function aesGcmDecryptFromBase64(ciphertextB64: string, nonceB64: string, key: EncryptionKey): Promise<Uint8Array>;
-/**
- * Encrypt with automatic key derivation from password
- *
- * This is a convenience wrapper that combines Argon2 KDF with AES-GCM.
- * For more control, use argon2 and aesGcmEncrypt separately.
- *
- * @param plaintext - Data to encrypt
- * @param passwordKey - Key derived from password via Argon2
- * @returns Encrypted result with nonce
- */
-export declare function encryptWithPasswordKey(plaintext: Uint8Array, passwordKey: Uint8Array): Promise<AesGcmEncryptResult>;
-/**
- * Decrypt with password-derived key
- *
- * @param ciphertext - Data to decrypt
- * @param nonce - Nonce used during encryption
- * @param passwordKey - Key derived from password via Argon2
- * @returns Decrypted plaintext
- */
-export declare function decryptWithPasswordKey(ciphertext: Uint8Array, nonce: AesNonce, passwordKey: Uint8Array): Promise<Uint8Array>;
-/**
- * Convert Uint8Array to base64 string
- *
- * MAINT-01: Uses chunked String.fromCharCode for O(n) performance.
- * Simple concatenation (`binary += char`) would be O(n²).
- */
-export declare function uint8ArrayToBase64(bytes: Uint8Array): string;
-/**
- * Convert base64 string to Uint8Array
- *
- * @throws Error if input is not valid base64
- */
-export declare function base64ToUint8Array(base64: string): Uint8Array;
-/**
- * Encrypt and securely wipe plaintext after encryption
- *
- * @param plaintext - Data to encrypt (will be wiped)
- * @param key - Encryption key
- * @returns Encrypted result
- */
-export declare function encryptAndWipe(plaintext: Uint8Array, key: EncryptionKey): Promise<AesGcmEncryptResult>;

package/dist/crypto/argon2.d.ts

@@ -1,65 +0,0 @@
-import { EncryptionKey, Argon2Salt, KdfParams } from './types';
-/**
- * Derive an encryption key from a password using Argon2id
- *
- * @security H-01: The password string cannot be wiped from memory after use.
- * For sensitive applications, prefer argon2DeriveFromBytes() which accepts
- * Uint8Array that CAN be securely wiped.
- *
- * @param password - User password or PIN
- * @param salt - Unique salt (16+ bytes)
- * @param params - KDF parameters (memory, time, parallelism)
- * @returns 32-byte encryption key
- */
-export declare function argon2Derive(password: string, salt: Argon2Salt, params?: KdfParams): Promise<EncryptionKey>;
-/**
- * Derive key from password bytes (for non-string passwords like PINs)
- *
- * @param passwordBytes - Password as bytes
- * @param salt - Unique salt
- * @param params - KDF parameters
- * @returns 32-byte encryption key
- */
-export declare function argon2DeriveFromBytes(passwordBytes: Uint8Array, salt: Argon2Salt, params?: KdfParams): Promise<EncryptionKey>;
-/**
- * Validate KDF parameters are within safe bounds
- *
- * Prevents DoS attacks via excessive resource consumption.
- *
- * @param params - Parameters to validate
- * @throws Error if parameters are out of bounds
- */
-export declare function validateKdfParams(params: KdfParams): void;
-/**
- * Check if Argon2 WASM is available and working
- *
- * @returns true if Argon2 can be used
- */
-export declare function isArgon2Supported(): Promise<boolean>;
-/**
- * Verify a password against stored parameters
- *
- * This is primarily for testing/validation, not for authentication
- * (the server handles authentication).
- *
- * M-06: Timing Leak Note
- * The length check at the start of comparison returns early on mismatch,
- * creating a timing side-channel. This is acceptable because:
- * 1. Server handles real authentication (not this client-side code)
- * 2. Key lengths are fixed (32 bytes), so mismatch indicates corruption not attack
- * 3. Argon2 derivation dominates timing regardless of comparison path
- *
- * @param password - Password to verify
- * @param salt - Salt used during original derivation
- * @param params - KDF parameters used
- * @param expectedKey - Expected derived key
- * @returns true if password produces the same key
- */
-export declare function verifyPassword(password: string, salt: Argon2Salt, params: KdfParams, expectedKey: Uint8Array): Promise<boolean>;
-/**
- * Get recommended KDF parameters based on target duration
- *
- * @param targetMs - Target duration in milliseconds (default: 500ms)
- * @returns Recommended parameters
- */
-export declare function getRecommendedParams(targetMs?: number): KdfParams;

package/dist/crypto/argon2Worker.d.ts

@@ -1 +0,0 @@
-export {};

package/dist/crypto/argon2WorkerClient.d.ts

@@ -1,28 +0,0 @@
-import { Argon2Salt, EncryptionKey, KdfParams } from './types';
-/**
- * Derive an encryption key from password using Argon2id in a Web Worker.
- *
- * Offloads CPU-intensive Argon2id KDF to a background thread to avoid
- * blocking the main thread. Falls back to synchronous derivation if
- * Web Workers are not available.
- *
- * @param password - User's password
- * @param salt - 16-byte random salt
- * @param params - KDF parameters (memory, iterations, parallelism)
- * @returns 32-byte encryption key
- *
- * @security **CALLER MUST WIPE RETURNED KEY AFTER USE**
- * The returned key contains sensitive cryptographic material.
- * Callers are responsible for wiping it when no longer needed:
- * ```ts
- * const key = await argon2DeriveInWorker(password, salt);
- * try {
- *   // use key for encryption/decryption
- * } finally {
- *   wipeBytes(key);
- * }
- * ```
- * Failure to wipe may leave key material in memory, vulnerable to memory
- * dump attacks.
- */
-export declare function argon2DeriveInWorker(password: string, salt: Argon2Salt, params?: KdfParams): Promise<EncryptionKey>;

package/dist/crypto/bip39.d.ts

@@ -1,106 +0,0 @@
-import { Seed, ShamirShare } from './types';
-/** Number of words in recovery phrase (12 = 128 bits, standard Solana format) */
-export declare const MNEMONIC_WORD_COUNT = 12;
-/**
- * Encode a Shamir share as a BIP-39 mnemonic phrase
- *
- * @param share - 16-byte share to encode
- * @returns Array of 12 mnemonic words
- */
-export declare function shareToMnemonic(share: ShamirShare): string[];
-/**
- * Decode a BIP-39 mnemonic phrase back to a Shamir share
- *
- * @param words - Array of 12 mnemonic words
- * @returns 16-byte share
- * @throws Error if mnemonic is invalid
- */
-export declare function mnemonicToShare(words: string[]): ShamirShare;
-/**
- * Encode a 16-byte seed as a BIP-39 mnemonic phrase
- *
- * This is used for the recovery phrase which encodes the FULL SEED
- * (not a Shamir share) to allow complete wallet recovery.
- *
- * @param seed - 16-byte seed to encode
- * @returns Array of 12 mnemonic words
- */
-export declare function seedToMnemonic(seed: Seed): string[];
-/**
- * Decode a BIP-39 mnemonic phrase back to a seed
- *
- * This is used during recovery to restore the full wallet seed.
- *
- * @param words - Array of 12 mnemonic words
- * @returns 16-byte seed
- * @throws Error if mnemonic is invalid
- */
-export declare function mnemonicToSeed(words: string[]): Seed;
-/**
- * Validate a mnemonic phrase without decoding
- *
- * @param words - Array of words to validate
- * @returns true if valid BIP-39 mnemonic
- */
-export declare function isValidMnemonic(words: string[]): boolean;
-/**
- * Check if a single word is in the BIP-39 wordlist
- *
- * @param word - Word to check
- * @returns true if word is in the wordlist
- */
-export declare function isValidWord(word: string): boolean;
-/**
- * Get word suggestions for autocomplete
- *
- * @param prefix - Partial word input
- * @param limit - Maximum number of suggestions
- * @returns Array of matching words from wordlist
- */
-export declare function getWordSuggestions(prefix: string, limit?: number): string[];
-/**
- * Generate a random mnemonic for testing purposes
- *
- * WARNING: Do not use this for actual wallet generation.
- * Use the proper enrollment flow which generates a seed and splits it.
- *
- * @returns Array of 12 random words
- */
-export declare function generateRandomMnemonic(): string[];
-/**
- * Format mnemonic words for display (groups of 4)
- *
- * @param words - Array of mnemonic words
- * @returns Array of word groups
- */
-export declare function formatMnemonicForDisplay(words: string[]): string[][];
-/**
- * Parse user input into word array, handling various formats
- *
- * @param input - User input (space/comma/newline separated)
- * @returns Array of normalized words
- */
-export declare function parseMnemonicInput(input: string): string[];
-/**
- * Securely wipe mnemonic array
- *
- * @security CRYPTO-2: This is BEST-EFFORT only. JavaScript strings are immutable
- * and the original word values WILL persist in memory until garbage collected.
- * See secureWipe.ts wipeString() for details on JS string wiping limitations.
- *
- * @param words - Array of words to wipe
- */
-export declare function wipeMnemonic(words: string[]): void;
-/**
- * Get the BIP-39 wordlist for UI purposes (e.g., validation indicators)
- *
- * @returns Copy of the wordlist
- */
-export declare function getWordlist(): readonly string[];
-/**
- * Calculate the index of a word in the wordlist
- *
- * @param word - Word to look up
- * @returns Index (0-2047) or -1 if not found
- */
-export declare function getWordIndex(word: string): number;

package/dist/crypto/capabilities.d.ts

@@ -1,35 +0,0 @@
-import { CryptoCapabilities } from './types';
-/**
- * Check all required crypto capabilities
- *
- * @returns Capability check results
- */
-export declare function checkCryptoCapabilities(): Promise<CryptoCapabilities>;
-/**
- * Get a human-readable message about missing capabilities
- *
- * @param capabilities - Capability check results
- * @returns Error message describing what's missing, or null if all supported
- */
-export declare function getMissingCapabilitiesMessage(capabilities: CryptoCapabilities): string | null;
-/**
- * Check if the browser is known to support all required features
- *
- * @returns Object with browser info and support status
- */
-export declare function getBrowserSupportInfo(): {
-    browser: string;
-    version: string;
-    likelySupported: boolean;
-};
-/**
- * Get cached capabilities or check if not cached
- *
- * @param forceRefresh - If true, bypass cache and recheck
- * @returns Capability check results
- */
-export declare function getCryptoCapabilities(forceRefresh?: boolean): Promise<CryptoCapabilities>;
-/**
- * Clear the capability cache (useful for testing)
- */
-export declare function clearCapabilityCache(): void;

package/dist/crypto/entropy.d.ts

@@ -1,56 +0,0 @@
-import { Seed, AesNonce, Argon2Salt, PrfSalt } from './types';
-/**
- * Get cryptographically secure random bytes
- *
- * @param length - Number of bytes to generate
- * @returns Random bytes
- * @throws Error if WebCrypto is not available
- */
-export declare function getRandomBytes(length: number): Uint8Array;
-/**
- * Generate a cryptographically secure 16-byte seed for wallet derivation
- *
- * Note: 16 bytes (128 bits) matches standard Solana wallet format.
- *
- * @returns 16-byte seed
- * @throws Error if WebCrypto is not available
- */
-export declare function generateSeed(): Seed;
-/**
- * Generate a 12-byte nonce for AES-GCM encryption
- *
- * Security: AES-GCM requires a unique nonce per encryption with the same key.
- * Using random nonces is safe for reasonable message counts (< 2^32).
- *
- * CRYPTO-03: For high-volume encryption scenarios (>2^30 messages with same key),
- * the birthday bound risk of nonce collision increases. Recommendations:
- * 1. Rotate encryption keys periodically (e.g., every 2^20 encryptions)
- * 2. Use counter-based nonces instead of random for sequential encryption
- * 3. Monitor encryption count and trigger re-keying before limits are reached
- *
- * For typical wallet use cases (encrypting seed once), random nonces are safe.
- *
- * @returns 12-byte nonce
- * @throws Error if WebCrypto is not available
- */
-export declare function generateNonce(): AesNonce;
-/**
- * Generate a 16-byte salt for Argon2id KDF
- *
- * Security: Salt must be unique per user/password combination.
- * 16 bytes provides sufficient uniqueness.
- *
- * @returns 16-byte salt
- * @throws Error if WebCrypto is not available
- */
-export declare function generateArgon2Salt(): Argon2Salt;
-/**
- * Generate a 32-byte salt for WebAuthn PRF extension
- *
- * Security: PRF salt is used as input to the PRF to derive unique
- * per-credential keys. Must be stored alongside encrypted share.
- *
- * @returns 32-byte PRF salt
- * @throws Error if WebCrypto is not available
- */
-export declare function generatePrfSalt(): PrfSalt;

package/dist/crypto/hkdf.d.ts

@@ -1,38 +0,0 @@
-import { EncryptionKey } from './types';
-/**
- * Derive an encryption key using HKDF-SHA256
- *
- * @param inputKeyMaterial - Raw key material (e.g., from PRF)
- * @param salt - Optional salt (if not provided, uses zero-filled buffer)
- * @param info - Context/application-specific info string
- * @param outputLength - Desired output key length in bytes (default: 32)
- * @returns Derived key
- */
-export declare function hkdfDerive(inputKeyMaterial: Uint8Array, salt: Uint8Array | undefined, info: string, outputLength?: number): Promise<Uint8Array>;
-/**
- * Derive a 256-bit encryption key from PRF output
- *
- * @param prfOutput - Output from WebAuthn PRF extension (typically 32 bytes)
- * @param prfSalt - Salt used with PRF (stored with encrypted share)
- * @returns 32-byte encryption key suitable for AES-256-GCM
- */
-export declare function deriveKeyFromPrf(prfOutput: Uint8Array, prfSalt: Uint8Array): Promise<EncryptionKey>;
-/**
- * Derive a key with domain separation for different purposes
- *
- * @param inputKeyMaterial - Base key material
- * @param domain - Domain separator string (e.g., 'signing', 'encryption')
- * @param salt - Optional salt
- * @returns Derived key
- *
- * @security Domain strings MUST be unique across the codebase. Using the same
- * domain with the same input key material will produce identical keys, which
- * could lead to key reuse vulnerabilities. See module-level docs for reserved domains.
- */
-export declare function deriveKeyWithDomain(inputKeyMaterial: Uint8Array, domain: string, salt?: Uint8Array): Promise<Uint8Array>;
-/**
- * Check if HKDF is supported in the current environment
- *
- * @returns true if HKDF is available
- */
-export declare function isHkdfSupported(): Promise<boolean>;

package/dist/crypto/index.d.ts

@@ -1,30 +0,0 @@
-/**
- * Crypto module exports for SSS wallet implementation
- *
- * This module provides all cryptographic primitives needed for the
- * non-custodial Solana wallet feature using Shamir Secret Sharing.
- *
- * Key components:
- * - Entropy: Secure random number generation
- * - Shamir: Secret splitting and reconstruction
- * - AES-GCM: Authenticated encryption
- * - Argon2: Password-based key derivation
- * - HKDF: Key derivation from PRF output
- * - BIP-39: Mnemonic encoding for recovery phrase
- * - WebAuthn PRF: Device key derivation via passkeys
- * - Solana Keypair: Ed25519 keypair derivation
- * - Secure Wipe: Memory cleanup utilities
- * - Capabilities: Feature detection
- */
-export * from './types';
-export { getRandomBytes, generateSeed, generateNonce, generateArgon2Salt, generatePrfSalt, } from './entropy';
-export { wipeBytes, wipeAll, withSecureCleanup, withSecureCleanupSync, createSecureContainer, type SecureContainer, } from './secureWipe';
-export { aesGcmEncrypt, aesGcmDecrypt, aesGcmEncryptToBase64, aesGcmDecryptFromBase64, encryptWithPasswordKey, decryptWithPasswordKey, encryptAndWipe, uint8ArrayToBase64, base64ToUint8Array, type AesGcmEncryptResult, } from './aesGcm';
-export { hkdfDerive, deriveKeyFromPrf, deriveKeyWithDomain, isHkdfSupported } from './hkdf';
-export { argon2Derive, argon2DeriveFromBytes, validateKdfParams, isArgon2Supported, verifyPassword, getRecommendedParams, } from './argon2';
-export { argon2DeriveInWorker } from './argon2WorkerClient';
-export { splitSecret, combineShares, verifyShares, getShareIndex, padToLength, SHAMIR_THRESHOLD, SHAMIR_TOTAL, type ShareId, type ShamirSplitResult, } from './shamir';
-export { shareToMnemonic, mnemonicToShare, seedToMnemonic, mnemonicToSeed, isValidMnemonic, isValidWord, getWordSuggestions, generateRandomMnemonic, formatMnemonicForDisplay, parseMnemonicInput, wipeMnemonic, getWordlist, getWordIndex, MNEMONIC_WORD_COUNT, } from './bip39';
-export { isWebAuthnAvailable, isPrfSupported, registerPasskeyWithPrf, authenticateWithPrf, authenticateWithDiscoverablePrf, getEncryptionKeyFromPasskey, isCredentialAvailable, type PasskeyRegistrationResult, type PasskeyAuthResult, } from './webauthnPrf';
-export { deriveKeypairFromSeed, getPublicKeyFromSeed, publicKeyToBase58, base58ToPublicKey, isValidSolanaAddress, type SolanaKeypair, } from './solanaKeypair';
-export { checkCryptoCapabilities, getMissingCapabilitiesMessage, getBrowserSupportInfo, getCryptoCapabilities, clearCapabilityCache, } from './capabilities';

package/dist/crypto/secureWipe.d.ts

@@ -1,71 +0,0 @@
-/**
- * Secure memory wiping utilities
- *
- * Security: JavaScript does not guarantee memory clearing due to GC and
- * JIT optimization. These functions provide best-effort clearing of
- * sensitive data. For truly sensitive operations, consider using
- * WebAssembly with explicit memory management.
- *
- * IMPORTANT - String vs Uint8Array:
- * - Uint8Array CAN be wiped (wipeBytes) - use for keys, seeds, passwords
- * - Strings CANNOT be wiped in JavaScript - they are immutable
- * - Always prefer Uint8Array for sensitive cryptographic material
- *
- * Best practices:
- * - Call wipe functions as soon as sensitive data is no longer needed
- * - Use try/finally blocks to ensure wiping on errors
- * - Keep sensitive data lifetime as short as possible
- * - Convert sensitive strings to Uint8Array immediately, wipe after use
- */
-/**
- * Best-effort wipe of a Uint8Array by zeroing all bytes
- *
- * Warning: JavaScript JIT may optimize away this operation. This provides
- * defense-in-depth but is not a guarantee against memory inspection.
- *
- * @param data - Array to wipe
- */
-export declare function wipeBytes(data: Uint8Array): void;
-/**
- * Wipe multiple byte arrays
- *
- * @param arrays - Arrays to wipe
- */
-export declare function wipeAll(...arrays: (Uint8Array | undefined | null)[]): void;
-/**
- * Execute a function with automatic cleanup of byte arrays
- *
- * @param arrays - Arrays to wipe after function completes
- * @param fn - Function to execute
- * @returns Result of function
- */
-export declare function withSecureCleanup<T>(arrays: Uint8Array[], fn: () => Promise<T>): Promise<T>;
-/**
- * Execute a synchronous function with automatic cleanup of byte arrays
- *
- * @param arrays - Arrays to wipe after function completes
- * @param fn - Function to execute
- * @returns Result of function
- */
-export declare function withSecureCleanupSync<T>(arrays: Uint8Array[], fn: () => T): T;
-/**
- * Create a scoped container for sensitive byte data with automatic cleanup
- *
- * Usage:
- * ```typescript
- * const container = createSecureContainer();
- * try {
- *   const key = container.track(generateKey());
- *   // use key...
- * } finally {
- *   container.wipeAll();
- * }
- * ```
- */
-export declare function createSecureContainer(): SecureContainer;
-export interface SecureContainer {
-    /** Track a byte array for later cleanup */
-    track<T extends Uint8Array>(data: T): T;
-    /** Wipe all tracked arrays */
-    wipeAll(): void;
-}

package/dist/crypto/shamir.d.ts

@@ -1,52 +0,0 @@
-import { Seed, ShamirShare } from './types';
-/** Shamir threshold (minimum shares to reconstruct) */
-export declare const SHAMIR_THRESHOLD = 2;
-/** Total number of shares */
-export declare const SHAMIR_TOTAL = 3;
-/** Share identifiers */
-export type ShareId = 'A' | 'B' | 'C';
-/** Result of splitting a secret into shares */
-export interface ShamirSplitResult {
-    /** Share A (for password encryption) */
-    shareA: ShamirShare;
-    /** Share B (for device PRF encryption) */
-    shareB: ShamirShare;
-    /** Share C (for recovery phrase) */
-    shareC: ShamirShare;
-}
-/**
- * Split a 16-byte seed into 3 shares using Shamir's Secret Sharing
- *
- * @param seed - 16-byte seed to split
- * @returns Three shares (any 2 can reconstruct the seed)
- */
-export declare function splitSecret(seed: Seed): ShamirSplitResult;
-/**
- * Combine 2 shares to reconstruct the original seed
- *
- * @param share1 - First share
- * @param share2 - Second share (must be different from first)
- * @returns Reconstructed 16-byte seed (MAINT-03: fixed from incorrect "32-byte")
- * @throws Error if shares are invalid or cannot reconstruct
- */
-export declare function combineShares(share1: ShamirShare, share2: ShamirShare): Seed;
-/**
- * Verify that shares can successfully reconstruct a seed
- *
- * @param share1 - First share
- * @param share2 - Second share
- * @param expectedSeed - Expected seed after reconstruction
- * @returns true if shares reconstruct to expected seed
- */
-export declare function verifyShares(share1: ShamirShare, share2: ShamirShare, expectedSeed: Seed): boolean;
-/**
- * Extract share index from a share (useful for debugging)
- *
- * @param share - Share to inspect
- * @returns Share index (1-based)
- */
-export declare function getShareIndex(share: ShamirShare): number;
-/**
- * Pad a Uint8Array to a specific length
- */
-export declare function padToLength(data: Uint8Array, targetLength: number): Uint8Array;

package/dist/crypto/solanaKeypair.d.ts

@@ -1,63 +0,0 @@
-import { Seed } from './types';
-/** Solana keypair with public and secret key */
-export interface SolanaKeypair {
-    /** 32-byte Ed25519 public key */
-    publicKey: Uint8Array;
-    /** 64-byte Ed25519 secret key (32-byte expanded seed + 32-byte public key) */
-    secretKey: Uint8Array;
-}
-/**
- * Derive an Ed25519 keypair from a 16-byte seed
- *
- * The 16-byte seed is expanded to 32 bytes using SHA-256, then used for
- * Ed25519 derivation which internally:
- * - Hashes expanded seed with SHA-512
- * - Clamps lower 32 bytes to form scalar
- * - Multiplies by Ed25519 base point
- *
- * @param seed - 16-byte seed (128-bit entropy)
- * @returns Keypair with 32-byte public key and 64-byte secret key
- *
- * @security **CALLER MUST WIPE secretKey AFTER USE**
- * The returned `secretKey` contains sensitive cryptographic material.
- * Callers are responsible for wiping it when no longer needed:
- * ```ts
- * const keypair = deriveKeypairFromSeed(seed);
- * try {
- *   // use keypair.secretKey for signing
- * } finally {
- *   wipeBytes(keypair.secretKey);
- * }
- * ```
- * Failure to wipe may leave key material in memory, vulnerable to memory
- * dump attacks. The internal `expandedSeed` is automatically wiped.
- */
-export declare function deriveKeypairFromSeed(seed: Seed): SolanaKeypair;
-/**
- * Get the public key from a seed without returning the secret key
- *
- * @param seed - 32-byte seed
- * @returns 32-byte Ed25519 public key
- */
-export declare function getPublicKeyFromSeed(seed: Seed): Uint8Array;
-/**
- * Encode a public key as a Base58 Solana address
- *
- * @param publicKey - 32-byte public key
- * @returns Base58-encoded address string
- */
-export declare function publicKeyToBase58(publicKey: Uint8Array): string;
-/**
- * Decode a Base58 Solana address to public key bytes
- *
- * @param address - Base58-encoded address
- * @returns 32-byte public key
- */
-export declare function base58ToPublicKey(address: string): Uint8Array;
-/**
- * Validate a Solana address format
- *
- * @param address - Address string to validate
- * @returns true if valid Base58 and correct length
- */
-export declare function isValidSolanaAddress(address: string): boolean;