@coder/mux-md-client 0.1.0-main.13 → 0.1.0-main.14

package/dist/index.d.cts

@@ -45,13 +45,27 @@ interface SignedPayload {
  * Works in both Node.js (with webcrypto) and browser environments.
  */
 
+/** Options for signing content during upload */
+interface SignOptions {
+    /** Private key bytes (32 bytes for Ed25519, variable for ECDSA) */
+    privateKey: Uint8Array;
+    /** SSH format public key string (e.g., "ssh-ed25519 AAAA...") */
+    publicKey: string;
+    /** Optional email for attribution */
+    email?: string;
+    /** Optional GitHub username for attribution */
+    githubUser?: string;
+}
 interface UploadOptions {
     /** Base URL of the mux.md service */
     baseUrl?: string;
     /** Expiration time (unix timestamp ms, ISO date string, or Date object) */
     expiresAt?: number | string | Date;
-    /** Signature envelope (will be encrypted with content) */
-    signature?: SignatureEnvelope;
+    /**
+     * Sign the content with the provided credentials.
+     * The library handles creating the signature envelope internally.
+     */
+    sign?: SignOptions;
 }
 interface UploadResult {
     /** Full URL with encryption key in fragment */
@@ -151,81 +165,6 @@ interface SetExpirationResult {
  */
 declare function setExpiration(id: string, mutateKey: string, expiresAt: number | string | Date | 'never', options?: SetExpirationOptions): Promise<SetExpirationResult>;
 
-/**
- * Signing and verification utilities for mux.md
- *
- * Supports Ed25519 and ECDSA (P-256, P-384, P-521) keys in SSH format.
- */
-
-/** Supported key types */
-type KeyType = 'ed25519' | 'ecdsa-p256' | 'ecdsa-p384' | 'ecdsa-p521';
-/** Parsed public key with type and raw bytes */
-interface ParsedPublicKey {
-    type: KeyType;
-    keyBytes: Uint8Array;
-}
-/**
- * Parse an SSH public key and extract the key bytes and type.
- * Supports formats:
- * - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... [comment]
- * - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY... [comment]
- * - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ... [comment]
- * - ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE... [comment]
- * - Raw base64 (32 bytes when decoded = Ed25519)
- */
-declare function parsePublicKey(keyString: string): ParsedPublicKey;
-/**
- * Sign a message with Ed25519 private key.
- * @param message - The message bytes to sign
- * @param privateKey - 32-byte Ed25519 private key
- * @returns Base64-encoded signature (64 bytes)
- */
-declare function signEd25519(message: Uint8Array, privateKey: Uint8Array): Promise<string>;
-/**
- * Sign a message with ECDSA private key (P-256/384/521).
- * @param message - The message bytes to sign (will be hashed)
- * @param privateKey - ECDSA private key bytes
- * @param curve - Which curve to use
- * @returns Base64-encoded signature
- */
-declare function signECDSA(message: Uint8Array, privateKey: Uint8Array, curve: 'p256' | 'p384' | 'p521'): string;
-/**
- * Helper: Create a SignatureEnvelope from content + private key.
- * This is the high-level API for signing before upload.
- *
- * @param content - The content bytes to sign
- * @param privateKey - Private key bytes (32 bytes for Ed25519, variable for ECDSA)
- * @param publicKey - SSH format public key string (e.g., "ssh-ed25519 AAAA...")
- * @param options - Optional email or GitHub username for attribution
- * @returns SignatureEnvelope ready for upload
- */
-declare function createSignatureEnvelope(content: Uint8Array, privateKey: Uint8Array, publicKey: string, options?: {
-    email?: string;
-    githubUser?: string;
-}): Promise<SignatureEnvelope>;
-/**
- * Verify a signature using the appropriate algorithm based on key type.
- * For Ed25519: signature is raw 64 bytes
- * For ECDSA: signature is DER-encoded or raw r||s format
- *
- * @param parsedKey - Parsed public key (from parsePublicKey)
- * @param message - Original message bytes
- * @param signature - Signature bytes (not base64)
- * @returns true if signature is valid
- */
-declare function verifySignature(parsedKey: ParsedPublicKey, message: Uint8Array, signature: Uint8Array): Promise<boolean>;
-/**
- * Compute SHA256 fingerprint of a public key (matches ssh-keygen -l format)
- * @param publicKey - Raw public key bytes
- * @returns Fingerprint string like "SHA256:abc123..."
- */
-declare function computeFingerprint(publicKey: Uint8Array): Promise<string>;
-/**
- * Format a fingerprint for nice display.
- * Converts base64 fingerprint to uppercase hex groups like "DEAD BEEF 1234 5678"
- */
-declare function formatFingerprint(fingerprint: string): string;
-
 /**
  * Generate a random file ID (30 bits, 5 chars base62)
  */
@@ -280,4 +219,50 @@ declare function base64Encode(data: Uint8Array): string;
  */
 declare function base64Decode(str: string): Uint8Array;
 
-export { type DownloadResult, type FileInfo, type KeyType, type ParsedPublicKey, type SetExpirationOptions, type SetExpirationResult, type SignatureEnvelope, type SignedPayload, type UploadMeta, type UploadOptions, type UploadResult, base64Decode, base64Encode, base64UrlDecode, base64UrlEncode, buildUrl, computeFingerprint, createSignatureEnvelope, decrypt, deleteFile, deriveKey, download, encrypt, formatFingerprint, generateIV, generateId, generateKey, generateMutateKey, generateSalt, getMeta, parsePublicKey, parseUrl, setExpiration, signECDSA, signEd25519, upload, verifySignature };
+/**
+ * Signing and verification utilities for mux.md
+ *
+ * Supports Ed25519 and ECDSA (P-256, P-384, P-521) keys in SSH format.
+ */
+
+/** Supported key types */
+type KeyType = 'ed25519' | 'ecdsa-p256' | 'ecdsa-p384' | 'ecdsa-p521';
+/** Parsed public key with type and raw bytes */
+interface ParsedPublicKey {
+    type: KeyType;
+    keyBytes: Uint8Array;
+}
+/**
+ * Parse an SSH public key and extract the key bytes and type.
+ * Supports formats:
+ * - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... [comment]
+ * - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY... [comment]
+ * - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ... [comment]
+ * - ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE... [comment]
+ * - Raw base64 (32 bytes when decoded = Ed25519)
+ */
+declare function parsePublicKey(keyString: string): ParsedPublicKey;
+/**
+ * Verify a signature using the appropriate algorithm based on key type.
+ * For Ed25519: signature is raw 64 bytes
+ * For ECDSA: signature is DER-encoded or raw r||s format
+ *
+ * @param parsedKey - Parsed public key (from parsePublicKey)
+ * @param message - Original message bytes
+ * @param signature - Signature bytes (not base64)
+ * @returns true if signature is valid
+ */
+declare function verifySignature(parsedKey: ParsedPublicKey, message: Uint8Array, signature: Uint8Array): Promise<boolean>;
+/**
+ * Compute SHA256 fingerprint of a public key (matches ssh-keygen -l format)
+ * @param publicKey - Raw public key bytes
+ * @returns Fingerprint string like "SHA256:abc123..."
+ */
+declare function computeFingerprint(publicKey: Uint8Array): Promise<string>;
+/**
+ * Format a fingerprint for nice display.
+ * Converts base64 fingerprint to uppercase hex groups like "DEAD BEEF 1234 5678"
+ */
+declare function formatFingerprint(fingerprint: string): string;
+
+export { type DownloadResult, type FileInfo, type KeyType, type ParsedPublicKey, type SetExpirationOptions, type SetExpirationResult, type SignOptions, type SignatureEnvelope, type SignedPayload, type UploadMeta, type UploadOptions, type UploadResult, base64Decode, base64Encode, base64UrlDecode, base64UrlEncode, buildUrl, computeFingerprint, decrypt, deleteFile, deriveKey, download, encrypt, formatFingerprint, generateIV, generateId, generateKey, generateMutateKey, generateSalt, getMeta, parsePublicKey, parseUrl, setExpiration, upload, verifySignature };

package/dist/index.d.ts

@@ -45,13 +45,27 @@ interface SignedPayload {
  * Works in both Node.js (with webcrypto) and browser environments.
  */
 
+/** Options for signing content during upload */
+interface SignOptions {
+    /** Private key bytes (32 bytes for Ed25519, variable for ECDSA) */
+    privateKey: Uint8Array;
+    /** SSH format public key string (e.g., "ssh-ed25519 AAAA...") */
+    publicKey: string;
+    /** Optional email for attribution */
+    email?: string;
+    /** Optional GitHub username for attribution */
+    githubUser?: string;
+}
 interface UploadOptions {
     /** Base URL of the mux.md service */
     baseUrl?: string;
     /** Expiration time (unix timestamp ms, ISO date string, or Date object) */
     expiresAt?: number | string | Date;
-    /** Signature envelope (will be encrypted with content) */
-    signature?: SignatureEnvelope;
+    /**
+     * Sign the content with the provided credentials.
+     * The library handles creating the signature envelope internally.
+     */
+    sign?: SignOptions;
 }
 interface UploadResult {
     /** Full URL with encryption key in fragment */
@@ -151,81 +165,6 @@ interface SetExpirationResult {
  */
 declare function setExpiration(id: string, mutateKey: string, expiresAt: number | string | Date | 'never', options?: SetExpirationOptions): Promise<SetExpirationResult>;
 
-/**
- * Signing and verification utilities for mux.md
- *
- * Supports Ed25519 and ECDSA (P-256, P-384, P-521) keys in SSH format.
- */
-
-/** Supported key types */
-type KeyType = 'ed25519' | 'ecdsa-p256' | 'ecdsa-p384' | 'ecdsa-p521';
-/** Parsed public key with type and raw bytes */
-interface ParsedPublicKey {
-    type: KeyType;
-    keyBytes: Uint8Array;
-}
-/**
- * Parse an SSH public key and extract the key bytes and type.
- * Supports formats:
- * - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... [comment]
- * - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY... [comment]
- * - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ... [comment]
- * - ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE... [comment]
- * - Raw base64 (32 bytes when decoded = Ed25519)
- */
-declare function parsePublicKey(keyString: string): ParsedPublicKey;
-/**
- * Sign a message with Ed25519 private key.
- * @param message - The message bytes to sign
- * @param privateKey - 32-byte Ed25519 private key
- * @returns Base64-encoded signature (64 bytes)
- */
-declare function signEd25519(message: Uint8Array, privateKey: Uint8Array): Promise<string>;
-/**
- * Sign a message with ECDSA private key (P-256/384/521).
- * @param message - The message bytes to sign (will be hashed)
- * @param privateKey - ECDSA private key bytes
- * @param curve - Which curve to use
- * @returns Base64-encoded signature
- */
-declare function signECDSA(message: Uint8Array, privateKey: Uint8Array, curve: 'p256' | 'p384' | 'p521'): string;
-/**
- * Helper: Create a SignatureEnvelope from content + private key.
- * This is the high-level API for signing before upload.
- *
- * @param content - The content bytes to sign
- * @param privateKey - Private key bytes (32 bytes for Ed25519, variable for ECDSA)
- * @param publicKey - SSH format public key string (e.g., "ssh-ed25519 AAAA...")
- * @param options - Optional email or GitHub username for attribution
- * @returns SignatureEnvelope ready for upload
- */
-declare function createSignatureEnvelope(content: Uint8Array, privateKey: Uint8Array, publicKey: string, options?: {
-    email?: string;
-    githubUser?: string;
-}): Promise<SignatureEnvelope>;
-/**
- * Verify a signature using the appropriate algorithm based on key type.
- * For Ed25519: signature is raw 64 bytes
- * For ECDSA: signature is DER-encoded or raw r||s format
- *
- * @param parsedKey - Parsed public key (from parsePublicKey)
- * @param message - Original message bytes
- * @param signature - Signature bytes (not base64)
- * @returns true if signature is valid
- */
-declare function verifySignature(parsedKey: ParsedPublicKey, message: Uint8Array, signature: Uint8Array): Promise<boolean>;
-/**
- * Compute SHA256 fingerprint of a public key (matches ssh-keygen -l format)
- * @param publicKey - Raw public key bytes
- * @returns Fingerprint string like "SHA256:abc123..."
- */
-declare function computeFingerprint(publicKey: Uint8Array): Promise<string>;
-/**
- * Format a fingerprint for nice display.
- * Converts base64 fingerprint to uppercase hex groups like "DEAD BEEF 1234 5678"
- */
-declare function formatFingerprint(fingerprint: string): string;
-
 /**
  * Generate a random file ID (30 bits, 5 chars base62)
  */
@@ -280,4 +219,50 @@ declare function base64Encode(data: Uint8Array): string;
  */
 declare function base64Decode(str: string): Uint8Array;
 
-export { type DownloadResult, type FileInfo, type KeyType, type ParsedPublicKey, type SetExpirationOptions, type SetExpirationResult, type SignatureEnvelope, type SignedPayload, type UploadMeta, type UploadOptions, type UploadResult, base64Decode, base64Encode, base64UrlDecode, base64UrlEncode, buildUrl, computeFingerprint, createSignatureEnvelope, decrypt, deleteFile, deriveKey, download, encrypt, formatFingerprint, generateIV, generateId, generateKey, generateMutateKey, generateSalt, getMeta, parsePublicKey, parseUrl, setExpiration, signECDSA, signEd25519, upload, verifySignature };
+/**
+ * Signing and verification utilities for mux.md
+ *
+ * Supports Ed25519 and ECDSA (P-256, P-384, P-521) keys in SSH format.
+ */
+
+/** Supported key types */
+type KeyType = 'ed25519' | 'ecdsa-p256' | 'ecdsa-p384' | 'ecdsa-p521';
+/** Parsed public key with type and raw bytes */
+interface ParsedPublicKey {
+    type: KeyType;
+    keyBytes: Uint8Array;
+}
+/**
+ * Parse an SSH public key and extract the key bytes and type.
+ * Supports formats:
+ * - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... [comment]
+ * - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY... [comment]
+ * - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ... [comment]
+ * - ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE... [comment]
+ * - Raw base64 (32 bytes when decoded = Ed25519)
+ */
+declare function parsePublicKey(keyString: string): ParsedPublicKey;
+/**
+ * Verify a signature using the appropriate algorithm based on key type.
+ * For Ed25519: signature is raw 64 bytes
+ * For ECDSA: signature is DER-encoded or raw r||s format
+ *
+ * @param parsedKey - Parsed public key (from parsePublicKey)
+ * @param message - Original message bytes
+ * @param signature - Signature bytes (not base64)
+ * @returns true if signature is valid
+ */
+declare function verifySignature(parsedKey: ParsedPublicKey, message: Uint8Array, signature: Uint8Array): Promise<boolean>;
+/**
+ * Compute SHA256 fingerprint of a public key (matches ssh-keygen -l format)
+ * @param publicKey - Raw public key bytes
+ * @returns Fingerprint string like "SHA256:abc123..."
+ */
+declare function computeFingerprint(publicKey: Uint8Array): Promise<string>;
+/**
+ * Format a fingerprint for nice display.
+ * Converts base64 fingerprint to uppercase hex groups like "DEAD BEEF 1234 5678"
+ */
+declare function formatFingerprint(fingerprint: string): string;
+
+export { type DownloadResult, type FileInfo, type KeyType, type ParsedPublicKey, type SetExpirationOptions, type SetExpirationResult, type SignOptions, type SignatureEnvelope, type SignedPayload, type UploadMeta, type UploadOptions, type UploadResult, base64Decode, base64Encode, base64UrlDecode, base64UrlEncode, buildUrl, computeFingerprint, decrypt, deleteFile, deriveKey, download, encrypt, formatFingerprint, generateIV, generateId, generateKey, generateMutateKey, generateSalt, getMeta, parsePublicKey, parseUrl, setExpiration, upload, verifySignature };

package/dist/index.js

@@ -104,6 +104,142 @@ function base64Decode(str) {
   return bytes;
 }
 
+// src/signing.ts
+import { p256, p384, p521 } from "@noble/curves/nist.js";
+import * as ed from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha2.js";
+ed.etc.sha512Sync = (...m) => sha512(ed.etc.concatBytes(...m));
+var SSH_KEY_TYPES = {
+  "ssh-ed25519": "ed25519",
+  "ecdsa-sha2-nistp256": "ecdsa-p256",
+  "ecdsa-sha2-nistp384": "ecdsa-p384",
+  "ecdsa-sha2-nistp521": "ecdsa-p521"
+};
+function readSSHString(data, offset) {
+  const view = new DataView(data.buffer, data.byteOffset);
+  const len = view.getUint32(offset);
+  const value = data.slice(offset + 4, offset + 4 + len);
+  return { value, nextOffset: offset + 4 + len };
+}
+function base64Decode2(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4) {
+    base64 += "=";
+  }
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function parsePublicKey(keyString) {
+  const trimmed = keyString.trim();
+  for (const [sshType, keyType] of Object.entries(SSH_KEY_TYPES)) {
+    if (trimmed.startsWith(`${sshType} `)) {
+      const parts = trimmed.split(" ");
+      if (parts.length < 2) {
+        throw new Error("Invalid SSH key format");
+      }
+      const keyData = base64Decode2(parts[1]);
+      const { value: typeBytes, nextOffset: afterType } = readSSHString(
+        keyData,
+        0
+      );
+      const typeStr = new TextDecoder().decode(typeBytes);
+      if (typeStr !== sshType) {
+        throw new Error(
+          `Key type mismatch: expected ${sshType}, got ${typeStr}`
+        );
+      }
+      if (keyType === "ed25519") {
+        const { value: rawKey } = readSSHString(keyData, afterType);
+        if (rawKey.length !== 32) {
+          throw new Error("Invalid Ed25519 key length");
+        }
+        return { type: "ed25519", keyBytes: rawKey };
+      }
+      const { nextOffset: afterCurve } = readSSHString(keyData, afterType);
+      const { value: point } = readSSHString(keyData, afterCurve);
+      return { type: keyType, keyBytes: point };
+    }
+  }
+  const decoded = base64Decode2(trimmed);
+  if (decoded.length === 32) {
+    return { type: "ed25519", keyBytes: decoded };
+  }
+  throw new Error("Unsupported public key format");
+}
+async function signEd25519(message, privateKey) {
+  const sig = await ed.signAsync(message, privateKey);
+  return btoa(String.fromCharCode(...sig));
+}
+function signECDSA(message, privateKey, curve) {
+  const curves = { p256, p384, p521 };
+  const sigBytes = curves[curve].sign(message, privateKey, { prehash: true });
+  return btoa(String.fromCharCode(...sigBytes));
+}
+async function createSignatureEnvelope(content, privateKey, publicKey, options) {
+  const parsed = parsePublicKey(publicKey);
+  let sig;
+  if (parsed.type === "ed25519") {
+    sig = await signEd25519(content, privateKey);
+  } else {
+    const curve = parsed.type.replace("ecdsa-", "");
+    sig = signECDSA(content, privateKey, curve);
+  }
+  return {
+    sig,
+    publicKey,
+    email: options?.email,
+    githubUser: options?.githubUser
+  };
+}
+async function verifySignature(parsedKey, message, signature) {
+  try {
+    switch (parsedKey.type) {
+      case "ed25519":
+        return await ed.verifyAsync(signature, message, parsedKey.keyBytes);
+      case "ecdsa-p256":
+        return p256.verify(signature, message, parsedKey.keyBytes, {
+          prehash: true
+        });
+      case "ecdsa-p384":
+        return p384.verify(signature, message, parsedKey.keyBytes, {
+          prehash: true
+        });
+      case "ecdsa-p521":
+        return p521.verify(signature, message, parsedKey.keyBytes, {
+          prehash: true
+        });
+      default:
+        return false;
+    }
+  } catch {
+    return false;
+  }
+}
+async function computeFingerprint(publicKey) {
+  const hash = await crypto.subtle.digest(
+    "SHA-256",
+    publicKey.buffer
+  );
+  const hashArray = new Uint8Array(hash);
+  const base64 = btoa(String.fromCharCode(...hashArray));
+  return `SHA256:${base64.replace(/=+$/, "")}`;
+}
+function formatFingerprint(fingerprint) {
+  const base64Part = fingerprint.startsWith("SHA256:") ? fingerprint.slice(7) : fingerprint;
+  try {
+    const binary = atob(base64Part);
+    const hex = Array.from(binary).map((c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("").toUpperCase();
+    const short = hex.slice(0, 16);
+    return short.match(/.{4}/g)?.join(" ") || short;
+  } catch {
+    return fingerprint.slice(0, 16).toUpperCase();
+  }
+}
+
 // src/client.ts
 var DEFAULT_BASE_URL = "https://mux.md";
 async function upload(data, fileInfo, options = {}) {
@@ -112,11 +248,20 @@ async function upload(data, fileInfo, options = {}) {
   const salt = generateSalt();
   const iv = generateIV();
   const cryptoKey = await deriveKey(keyMaterial, salt);
+  let signatureEnvelope;
+  if (options.sign) {
+    signatureEnvelope = await createSignatureEnvelope(
+      data,
+      options.sign.privateKey,
+      options.sign.publicKey,
+      { email: options.sign.email, githubUser: options.sign.githubUser }
+    );
+  }
   let plaintext;
-  if (options.signature) {
+  if (signatureEnvelope) {
     const signed = {
       content: new TextDecoder().decode(data),
-      sig: options.signature
+      sig: signatureEnvelope
     };
     plaintext = new TextEncoder().encode(JSON.stringify(signed));
   } else {
@@ -308,143 +453,6 @@ async function setExpiration(id, mutateKey, expiresAt, options = {}) {
   }
   return response.json();
 }
-
-// src/signing.ts
-import * as ed from "@noble/ed25519";
-import { p256, p384, p521 } from "@noble/curves/nist.js";
-import { sha512 } from "@noble/hashes/sha2.js";
-ed.etc.sha512Sync = (...m) => sha512(ed.etc.concatBytes(...m));
-var SSH_KEY_TYPES = {
-  "ssh-ed25519": "ed25519",
-  "ecdsa-sha2-nistp256": "ecdsa-p256",
-  "ecdsa-sha2-nistp384": "ecdsa-p384",
-  "ecdsa-sha2-nistp521": "ecdsa-p521"
-};
-function readSSHString(data, offset) {
-  const view = new DataView(data.buffer, data.byteOffset);
-  const len = view.getUint32(offset);
-  const value = data.slice(offset + 4, offset + 4 + len);
-  return { value, nextOffset: offset + 4 + len };
-}
-function base64Decode2(str) {
-  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
-  while (base64.length % 4) {
-    base64 += "=";
-  }
-  const binary = atob(base64);
-  const bytes = new Uint8Array(binary.length);
-  for (let i = 0; i < binary.length; i++) {
-    bytes[i] = binary.charCodeAt(i);
-  }
-  return bytes;
-}
-function parsePublicKey(keyString) {
-  const trimmed = keyString.trim();
-  for (const [sshType, keyType] of Object.entries(SSH_KEY_TYPES)) {
-    if (trimmed.startsWith(`${sshType} `)) {
-      const parts = trimmed.split(" ");
-      if (parts.length < 2) {
-        throw new Error("Invalid SSH key format");
-      }
-      const keyData = base64Decode2(parts[1]);
-      const { value: typeBytes, nextOffset: afterType } = readSSHString(
-        keyData,
-        0
-      );
-      const typeStr = new TextDecoder().decode(typeBytes);
-      if (typeStr !== sshType) {
-        throw new Error(
-          `Key type mismatch: expected ${sshType}, got ${typeStr}`
-        );
-      }
-      if (keyType === "ed25519") {
-        const { value: rawKey } = readSSHString(keyData, afterType);
-        if (rawKey.length !== 32) {
-          throw new Error("Invalid Ed25519 key length");
-        }
-        return { type: "ed25519", keyBytes: rawKey };
-      }
-      const { nextOffset: afterCurve } = readSSHString(keyData, afterType);
-      const { value: point } = readSSHString(keyData, afterCurve);
-      return { type: keyType, keyBytes: point };
-    }
-  }
-  const decoded = base64Decode2(trimmed);
-  if (decoded.length === 32) {
-    return { type: "ed25519", keyBytes: decoded };
-  }
-  throw new Error("Unsupported public key format");
-}
-async function signEd25519(message, privateKey) {
-  const sig = await ed.signAsync(message, privateKey);
-  return btoa(String.fromCharCode(...sig));
-}
-function signECDSA(message, privateKey, curve) {
-  const curves = { p256, p384, p521 };
-  const sig = curves[curve].sign(message, privateKey, { prehash: true });
-  const sigBytes = sig.toCompactRawBytes();
-  return btoa(String.fromCharCode(...sigBytes));
-}
-async function createSignatureEnvelope(content, privateKey, publicKey, options) {
-  const parsed = parsePublicKey(publicKey);
-  let sig;
-  if (parsed.type === "ed25519") {
-    sig = await signEd25519(content, privateKey);
-  } else {
-    const curve = parsed.type.replace("ecdsa-", "");
-    sig = signECDSA(content, privateKey, curve);
-  }
-  return {
-    sig,
-    publicKey,
-    email: options?.email,
-    githubUser: options?.githubUser
-  };
-}
-async function verifySignature(parsedKey, message, signature) {
-  try {
-    switch (parsedKey.type) {
-      case "ed25519":
-        return await ed.verifyAsync(signature, message, parsedKey.keyBytes);
-      case "ecdsa-p256":
-        return p256.verify(signature, message, parsedKey.keyBytes, {
-          prehash: true
-        });
-      case "ecdsa-p384":
-        return p384.verify(signature, message, parsedKey.keyBytes, {
-          prehash: true
-        });
-      case "ecdsa-p521":
-        return p521.verify(signature, message, parsedKey.keyBytes, {
-          prehash: true
-        });
-      default:
-        return false;
-    }
-  } catch {
-    return false;
-  }
-}
-async function computeFingerprint(publicKey) {
-  const hash = await crypto.subtle.digest(
-    "SHA-256",
-    publicKey.buffer
-  );
-  const hashArray = new Uint8Array(hash);
-  const base64 = btoa(String.fromCharCode(...hashArray));
-  return `SHA256:${base64.replace(/=+$/, "")}`;
-}
-function formatFingerprint(fingerprint) {
-  const base64Part = fingerprint.startsWith("SHA256:") ? fingerprint.slice(7) : fingerprint;
-  try {
-    const binary = atob(base64Part);
-    const hex = Array.from(binary).map((c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("").toUpperCase();
-    const short = hex.slice(0, 16);
-    return short.match(/.{4}/g)?.join(" ") || short;
-  } catch {
-    return fingerprint.slice(0, 16).toUpperCase();
-  }
-}
 export {
   base64Decode,
   base64Encode,
@@ -452,7 +460,6 @@ export {
   base64UrlEncode,
   buildUrl,
   computeFingerprint,
-  createSignatureEnvelope,
   decrypt,
   deleteFile,
   deriveKey,
@@ -468,8 +475,6 @@ export {
   parsePublicKey,
   parseUrl,
   setExpiration,
-  signECDSA,
-  signEd25519,
   upload,
   verifySignature
 };