@crittora/sdk-js 2.0.0

package/CHANGELOG.md

@@ -0,0 +1,37 @@
+# Changelog
+
+All notable changes to this package will be documented in this file.
+
+## 2.0.0 - 2026-03-08
+
+This release introduces the new primary SDK architecture for `@crittora/sdk-js`.
+
+### Added
+
+- Added `CrittoraClient` as the new primary instance-based SDK client.
+- Added pluggable auth providers, including `bearerToken(...)` and `cognitoAuthProvider(...)`.
+- Added a transport layer with timeout handling, retry support, and response normalization.
+- Added a structured SDK error hierarchy for validation, auth, request, rate limit, encrypt, and decrypt failures.
+- Added principal-level documentation in `README.md`, `docs/API.md`, `docs/MIGRATION.md`, and `docs/ARCHITECTURE.md`.
+
+### Changed
+
+- Changed the primary public API from positional method arguments to typed object-based inputs.
+- Changed public JavaScript and TypeScript models to camelCase while keeping wire-format translation internal.
+- Changed runtime support to Node.js 18+.
+- Changed package verification so publish flows run full build and test verification.
+
+### Deprecated
+
+- Deprecated the legacy `Crittora` class as the preferred integration surface. It remains available as a compatibility shim for staged migrations.
+
+### Removed
+
+- Removed singleton-based internal services and hidden package-managed configuration loading.
+- Removed the package dependency on `dotenv`.
+
+### Migration notes
+
+- Existing integrations can continue using `Crittora` temporarily.
+- New integrations should use `CrittoraClient`.
+- See `docs/MIGRATION.md` for the v1 to v2 migration path.

package/README.md

@@ -0,0 +1,348 @@
+# Crittora JavaScript SDK
+
+The Crittora JavaScript SDK provides a typed client for encryption, decryption, and decrypt-verify operations against the Crittora API.
+
+This package now exposes a v2-style, instance-based client designed for predictable integration in production systems:
+
+- explicit client construction
+- explicit credentials and auth wiring
+- transport-level timeout and retry controls
+- typed request and response objects
+- stable SDK error classes
+
+The legacy `Crittora` class is still exported as a compatibility shim for existing consumers, but new integrations should use `CrittoraClient`.
+
+## Table of Contents
+
+- [Runtime Support](#runtime-support)
+- [Installation](#installation)
+- [Design Principles](#design-principles)
+- [Quick Start](#quick-start)
+- [Authentication](#authentication)
+- [Client Configuration](#client-configuration)
+- [Operations](#operations)
+- [Errors](#errors)
+- [Migration from v1](#migration-from-v1)
+- [Additional Documentation](#additional-documentation)
+
+## Runtime Support
+
+- Node.js 18 or later
+- Any runtime that provides a compatible `fetch` implementation, or where one is passed explicitly via the client options
+
+## Installation
+
+```bash
+npm install @crittora/sdk-js
+```
+
+## Design Principles
+
+The v2 client is built around a few constraints that matter for SDK consumers:
+
+- No hidden process-global configuration is required for the primary API.
+- Client instances are isolated, so one process can talk to multiple environments safely.
+- Public JavaScript and TypeScript types use camelCase, while wire-format translation stays internal.
+- Auth is composable rather than hard-coded into every request path.
+- Errors preserve transport and backend context so callers can make policy decisions.
+
+## Quick Start
+
+### Bearer token auth
+
+```ts
+import { CrittoraClient } from "@crittora/sdk-js";
+
+const client = new CrittoraClient({
+  baseUrl: "https://api.crittoraapis.com",
+  credentials: {
+    apiKey: process.env.CRITTORA_API_KEY!,
+    accessKey: process.env.CRITTORA_ACCESS_KEY!,
+    secretKey: process.env.CRITTORA_SECRET_KEY!,
+  },
+  auth: {
+    type: "bearer",
+    token: process.env.CRITTORA_ID_TOKEN!,
+  },
+  timeoutMs: 10_000,
+  retry: {
+    maxAttempts: 2,
+  },
+});
+
+const result = await client.encrypt({
+  data: "sensitive data",
+  permissions: [
+    {
+      partnerId: "partner-123",
+      actions: ["read"],
+    },
+  ],
+});
+
+console.log(result.encryptedData);
+```
+
+### Scoped auth
+
+If the same client configuration is reused across identities, create a base client and scope auth per request flow:
+
+```ts
+import { CrittoraClient } from "@crittora/sdk-js";
+
+const baseClient = new CrittoraClient({
+  credentials: {
+    apiKey: process.env.CRITTORA_API_KEY!,
+  },
+});
+
+const userClient = baseClient.withAuth({
+  type: "bearer",
+  token: userIdToken,
+});
+
+const decrypted = await userClient.decrypt({
+  encryptedData,
+});
+```
+
+## Authentication
+
+The SDK supports two primary auth patterns:
+
+### 1. Static bearer token
+
+Use this when your application already manages a token lifecycle:
+
+```ts
+const client = new CrittoraClient({
+  credentials: { apiKey: "..." },
+  auth: {
+    type: "bearer",
+    token: idToken,
+  },
+});
+```
+
+### 2. Cognito auth provider
+
+Use the built-in Cognito provider when the SDK should perform login and hold the returned tokens:
+
+```ts
+import { CrittoraClient, cognitoAuthProvider } from "@crittora/sdk-js";
+
+const auth = cognitoAuthProvider({
+  userPoolId: "us-east-1_Tmljk4Uiw",
+  clientId: "5cvaao4qgphfp38g433vi5e82u",
+});
+
+await auth.login({
+  username: process.env.CRITTORA_USERNAME!,
+  password: process.env.CRITTORA_PASSWORD!,
+});
+
+const client = new CrittoraClient({
+  credentials: {
+    apiKey: process.env.CRITTORA_API_KEY!,
+  },
+  auth,
+});
+```
+
+### Security note
+
+If `accessKey` and `secretKey` represent privileged backend credentials, do not expose them in untrusted browser code. In that model, use this SDK server-side and front it with your own backend boundary.
+
+## Client Configuration
+
+`CrittoraClient` accepts the following options:
+
+```ts
+type CrittoraClientOptions = {
+  baseUrl?: string;
+  credentials?: {
+    apiKey: string;
+    accessKey?: string;
+    secretKey?: string;
+  };
+  auth?: BearerAuthConfig | AuthProvider;
+  fetch?: typeof globalThis.fetch;
+  timeoutMs?: number;
+  retry?: {
+    maxAttempts?: number;
+    backoffMs?: number;
+    retryOn?: number[];
+  };
+  headers?: Record<string, string>;
+  userAgent?: string;
+};
+```
+
+Operational guidance:
+
+- Set `baseUrl` explicitly in non-production environments.
+- Use `fetch` injection in runtimes where global `fetch` is absent or wrapped.
+- Keep retry counts conservative unless the backend contract explicitly supports aggressive retries.
+- Prefer a custom `userAgent` in services where request attribution matters.
+
+## Operations
+
+### Encrypt
+
+```ts
+const result = await client.encrypt({
+  data: "hello",
+  permissions: [
+    {
+      partnerId: "partner-123",
+      actions: ["read", "write"],
+    },
+  ],
+});
+
+console.log(result.encryptedData);
+console.log(result.transactionId);
+```
+
+### Decrypt
+
+```ts
+const result = await client.decrypt({
+  encryptedData,
+});
+
+console.log(result.decryptedData);
+```
+
+### Decrypt and verify
+
+```ts
+const result = await client.decryptVerify({
+  encryptedData,
+});
+
+console.log(result.decryptedData);
+console.log(result.isValidSignature);
+```
+
+Public request and response types:
+
+```ts
+type Permission = {
+  partnerId: string;
+  actions: string[];
+};
+
+type EncryptInput = {
+  data: string;
+  permissions?: Permission[];
+};
+
+type EncryptResult = {
+  encryptedData: string;
+  transactionId?: string;
+};
+
+type DecryptInput = {
+  encryptedData: string;
+  permissions?: Permission[];
+};
+
+type DecryptResult = {
+  decryptedData: string;
+  transactionId?: string;
+};
+
+type DecryptVerifyResult = {
+  decryptedData: string;
+  isValidSignature: boolean;
+  transactionId?: string;
+};
+```
+
+## Errors
+
+The SDK exports a stable error hierarchy:
+
+- `CrittoraError`
+- `ValidationError`
+- `AuthError`
+- `RequestError`
+- `RateLimitError`
+- `EncryptError`
+- `DecryptError`
+
+All errors may carry the following diagnostic fields:
+
+- `code`
+- `status`
+- `requestId`
+- `details`
+- `cause`
+
+Example:
+
+```ts
+import {
+  CrittoraClient,
+  DecryptError,
+  RateLimitError,
+  RequestError,
+} from "@crittora/sdk-js";
+
+try {
+  await client.decrypt({ encryptedData });
+} catch (error) {
+  if (error instanceof RateLimitError) {
+    // retry later or trigger backpressure
+  } else if (error instanceof DecryptError) {
+    // operation-specific failure
+  } else if (error instanceof RequestError) {
+    // non-2xx or transport-level issue
+  } else {
+    throw error;
+  }
+}
+```
+
+## Migration from v1
+
+The package still exports the legacy `Crittora` class:
+
+```ts
+import { Crittora } from "@crittora/sdk-js";
+```
+
+That class exists to reduce migration friction, but it should be treated as transitional.
+
+Key differences in v2:
+
+- `new CrittoraClient({...})` replaces implicit singleton construction
+- object-shaped inputs replace positional method arguments
+- camelCase public types replace wire-format snake_case
+- explicit auth providers replace hard-coded request token arguments
+- stable typed errors replace broad wrapping
+
+Simple mapping:
+
+```ts
+// v1
+await sdk.encrypt(idToken, data, ["read"]);
+
+// v2
+await client.withAuth({ type: "bearer", token: idToken }).encrypt({
+  data,
+  permissions: [
+    {
+      partnerId: "default",
+      actions: ["read"],
+    },
+  ],
+});
+```
+
+## Additional Documentation
+
+- [API Reference](./docs/API.md)
+- [Migration Guide](./docs/MIGRATION.md)
+- [Architecture Notes](./docs/ARCHITECTURE.md)

package/dist/auth/bearer.d.ts

@@ -0,0 +1,2 @@
+import { AuthProvider } from "./types";
+export declare function bearerToken(token: string): AuthProvider;

package/dist/auth/bearer.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bearerToken = bearerToken;
+function bearerToken(token) {
+    return {
+        async getAuthorizationHeader() {
+            return `Bearer ${token}`;
+        },
+    };
+}
+//# sourceMappingURL=bearer.js.map

package/dist/auth/bearer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearer.js","sourceRoot":"","sources":["../../src/auth/bearer.ts"],"names":[],"mappings":";;AAEA,kCAMC;AAND,SAAgB,WAAW,CAAC,KAAa;IACvC,OAAO;QACL,KAAK,CAAC,sBAAsB;YAC1B,OAAO,UAAU,KAAK,EAAE,CAAC;QAC3B,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/auth/cognito.d.ts

@@ -0,0 +1,14 @@
+import { AuthProvider } from "./types";
+import { AuthTokens, CognitoAuthConfig } from "../types";
+export declare class CognitoAuthProvider implements AuthProvider {
+    private readonly config;
+    private readonly userPool;
+    private tokens?;
+    constructor(config: CognitoAuthConfig);
+    getAuthorizationHeader(): Promise<string | undefined>;
+    login(credentials?: {
+        username: string;
+        password: string;
+    }): Promise<AuthTokens>;
+}
+export declare function cognitoAuthProvider(config: CognitoAuthConfig): CognitoAuthProvider;

package/dist/auth/cognito.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoAuthProvider = void 0;
+exports.cognitoAuthProvider = cognitoAuthProvider;
+const amazon_cognito_identity_js_1 = require("amazon-cognito-identity-js");
+const errors_1 = require("../errors");
+class CognitoAuthProvider {
+    constructor(config) {
+        this.config = config;
+        this.userPool = new amazon_cognito_identity_js_1.CognitoUserPool({
+            UserPoolId: config.userPoolId,
+            ClientId: config.clientId,
+        });
+    }
+    async getAuthorizationHeader() {
+        return this.tokens?.idToken ? `Bearer ${this.tokens.idToken}` : undefined;
+    }
+    async login(credentials) {
+        const username = credentials?.username ?? this.config.username;
+        const password = credentials?.password ?? this.config.password;
+        if (!username || !password) {
+            throw new errors_1.ValidationError("Username and password are required for Cognito login.");
+        }
+        const authDetails = new amazon_cognito_identity_js_1.AuthenticationDetails({
+            Username: username,
+            Password: password,
+        });
+        const cognitoUser = new amazon_cognito_identity_js_1.CognitoUser({
+            Username: username,
+            Pool: this.userPool,
+        });
+        return new Promise((resolve, reject) => {
+            cognitoUser.authenticateUser(authDetails, {
+                onSuccess: (result) => {
+                    this.tokens = {
+                        idToken: result.getIdToken().getJwtToken(),
+                        accessToken: result.getAccessToken().getJwtToken(),
+                        refreshToken: result.getRefreshToken().getToken(),
+                    };
+                    resolve(this.tokens);
+                },
+                onFailure: (error) => {
+                    reject(new errors_1.AuthError(error.message, undefined, error));
+                },
+            });
+        });
+    }
+}
+exports.CognitoAuthProvider = CognitoAuthProvider;
+function cognitoAuthProvider(config) {
+    return new CognitoAuthProvider(config);
+}
+//# sourceMappingURL=cognito.js.map

package/dist/auth/cognito.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognito.js","sourceRoot":"","sources":["../../src/auth/cognito.ts"],"names":[],"mappings":";;;AAiEA,kDAIC;AArED,2EAIoC;AACpC,sCAAuD;AAIvD,MAAa,mBAAmB;IAI9B,YAA6B,MAAyB;QAAzB,WAAM,GAAN,MAAM,CAAmB;QACpD,IAAI,CAAC,QAAQ,GAAG,IAAI,4CAAe,CAAC;YAClC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,sBAAsB;QAC1B,OAAO,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5E,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,WAGX;QACC,MAAM,QAAQ,GAAG,WAAW,EAAE,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC/D,MAAM,QAAQ,GAAG,WAAW,EAAE,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAE/D,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,IAAI,wBAAe,CACvB,uDAAuD,CACxD,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,kDAAqB,CAAC;YAC5C,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,IAAI,wCAAW,CAAC;YAClC,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAE,IAAI,CAAC,QAAQ;SACpB,CAAC,CAAC;QAEH,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,WAAW,CAAC,gBAAgB,CAAC,WAAW,EAAE;gBACxC,SAAS,EAAE,CAAC,MAAM,EAAE,EAAE;oBACpB,IAAI,CAAC,MAAM,GAAG;wBACZ,OAAO,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,WAAW,EAAE;wBAC1C,WAAW,EAAE,MAAM,CAAC,cAAc,EAAE,CAAC,WAAW,EAAE;wBAClD,YAAY,EAAE,MAAM,CAAC,eAAe,EAAE,CAAC,QAAQ,EAAE;qBAClD,CAAC;oBACF,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACvB,CAAC;gBACD,SAAS,EAAE,CAAC,KAAK,EAAE,EAAE;oBACnB,MAAM,CAAC,IAAI,kBAAS,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;gBACzD,CAAC;aACF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAtDD,kDAsDC;AAED,SAAgB,mBAAmB,CACjC,MAAyB;IAEzB,OAAO,IAAI,mBAAmB,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,9 @@
+import { AuthTokens } from "../types";
+export interface AuthProvider {
+    getAuthorizationHeader(): Promise<string | undefined>;
+    login?(credentials: {
+        username: string;
+        password: string;
+    }): Promise<AuthTokens>;
+    refresh?(): Promise<void>;
+}

package/dist/auth/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":""}

package/dist/client.d.ts

@@ -0,0 +1,18 @@
+import { AuthProvider } from "./auth/types";
+import { CrittoraClientOptions, DecryptInput, DecryptResult, DecryptVerifyInput, DecryptVerifyResult, EncryptInput, EncryptResult } from "./types";
+export declare class CrittoraClient {
+    private readonly options;
+    private readonly transport;
+    private readonly authProvider?;
+    private readonly cryptoResource;
+    constructor(options?: CrittoraClientOptions);
+    get auth(): AuthProvider | undefined;
+    withAuth(auth: AuthProvider | {
+        type: "bearer";
+        token: string;
+    }): CrittoraClient;
+    encrypt(input: EncryptInput): Promise<EncryptResult>;
+    decrypt(input: DecryptInput): Promise<DecryptResult>;
+    decryptVerify(input: DecryptVerifyInput): Promise<DecryptVerifyResult>;
+    private resolveAuthProvider;
+}

package/dist/client.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CrittoraClient = void 0;
+const bearer_1 = require("./auth/bearer");
+const crypto_1 = require("./resources/crypto");
+const httpTransport_1 = require("./transport/httpTransport");
+const DEFAULT_BASE_URL = "https://api.crittoraapis.com";
+const DEFAULT_TIMEOUT_MS = 10000;
+class CrittoraClient {
+    constructor(options = {}) {
+        this.options = options;
+        this.authProvider = this.resolveAuthProvider(options.auth);
+        this.transport = new httpTransport_1.HttpTransport({
+            baseUrl: options.baseUrl ?? DEFAULT_BASE_URL,
+            credentials: options.credentials,
+            headers: options.headers,
+            timeoutMs: options.timeoutMs ?? DEFAULT_TIMEOUT_MS,
+            userAgent: options.userAgent,
+        }, {
+            fetch: options.fetch,
+            retry: options.retry,
+        });
+        this.cryptoResource = new crypto_1.CryptoResource(this.transport, this.authProvider);
+    }
+    get auth() {
+        return this.authProvider;
+    }
+    withAuth(auth) {
+        return new CrittoraClient({
+            ...this.options,
+            auth,
+        });
+    }
+    async encrypt(input) {
+        return this.cryptoResource.encrypt(input);
+    }
+    async decrypt(input) {
+        return this.cryptoResource.decrypt(input);
+    }
+    async decryptVerify(input) {
+        return this.cryptoResource.decryptVerify(input);
+    }
+    resolveAuthProvider(auth) {
+        if (!auth) {
+            return undefined;
+        }
+        if ("type" in auth && auth.type === "bearer") {
+            return (0, bearer_1.bearerToken)(auth.token);
+        }
+        if ("getAuthorizationHeader" in auth) {
+            return auth;
+        }
+        return undefined;
+    }
+}
+exports.CrittoraClient = CrittoraClient;
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":";;;AAAA,0CAA4C;AAW5C,+CAAoD;AACpD,6DAA0D;AAE1D,MAAM,gBAAgB,GAAG,8BAA8B,CAAC;AACxD,MAAM,kBAAkB,GAAG,KAAM,CAAC;AAElC,MAAa,cAAc;IAKzB,YAA6B,UAAiC,EAAE;QAAnC,YAAO,GAAP,OAAO,CAA4B;QAC9D,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,CAAC,SAAS,GAAG,IAAI,6BAAa,CAChC;YACE,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,gBAAgB;YAC5C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,kBAAkB;YAClD,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B,EACD;YACE,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CACF,CAAC;QACF,IAAI,CAAC,cAAc,GAAG,IAAI,uBAAc,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,QAAQ,CACN,IAAsD;QAEtD,OAAO,IAAI,cAAc,CAAC;YACxB,GAAG,IAAI,CAAC,OAAO;YACf,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,KAAyB;QAEzB,OAAO,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IAEO,mBAAmB,CACzB,IAAoC;QAEpC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,MAAM,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7C,OAAO,IAAA,oBAAW,EAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QAED,IAAI,wBAAwB,IAAI,IAAI,EAAE,CAAC;YACrC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAnED,wCAmEC"}

package/dist/crittora.d.ts

@@ -0,0 +1,18 @@
+import { CognitoAuthConfig, CrittoraClientOptions, LegacyAuthResponse } from "./types";
+export interface LegacyCrittoraOptions extends CrittoraClientOptions {
+    cognito?: CognitoAuthConfig;
+}
+export declare class Crittora {
+    private readonly options;
+    private readonly client;
+    private readonly cognito;
+    constructor(options?: LegacyCrittoraOptions);
+    authenticate(username: string, password: string): Promise<LegacyAuthResponse>;
+    encrypt(idToken: string, data: string, permissions?: string[]): Promise<string>;
+    decrypt(idToken: string, encryptedData: string, permissions?: string[]): Promise<string>;
+    decryptVerify(idToken: string, encryptedData: string, permissions?: string[]): Promise<{
+        decrypted_data: string;
+        is_valid_signature: boolean;
+    }>;
+    private toLegacyPermissions;
+}

package/dist/crittora.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Crittora = void 0;
+const cognito_1 = require("./auth/cognito");
+const client_1 = require("./client");
+class Crittora {
+    constructor(options = {}) {
+        this.options = options;
+        this.cognito = (0, cognito_1.cognitoAuthProvider)({
+            userPoolId: options.cognito?.userPoolId ?? "us-east-1_Tmljk4Uiw",
+            clientId: options.cognito?.clientId ?? "5cvaao4qgphfp38g433vi5e82u",
+            username: options.cognito?.username,
+            password: options.cognito?.password,
+        });
+        this.client = new client_1.CrittoraClient({
+            ...options,
+            baseUrl: options.baseUrl ?? "https://api.crittoraapis.com",
+            credentials: options.credentials ??
+                (process.env.API_KEY
+                    ? {
+                        apiKey: process.env.API_KEY,
+                        accessKey: process.env.ACCESS_KEY,
+                        secretKey: process.env.SECRET_KEY,
+                    }
+                    : undefined),
+        });
+    }
+    async authenticate(username, password) {
+        const tokens = await this.cognito.login({ username, password });
+        return {
+            IdToken: tokens.idToken,
+            AccessToken: tokens.accessToken,
+            RefreshToken: tokens.refreshToken,
+        };
+    }
+    async encrypt(idToken, data, permissions) {
+        const result = await this.client
+            .withAuth({ type: "bearer", token: idToken })
+            .encrypt({
+            data,
+            permissions: this.toLegacyPermissions(permissions),
+        });
+        return result.encryptedData;
+    }
+    async decrypt(idToken, encryptedData, permissions) {
+        const result = await this.client
+            .withAuth({ type: "bearer", token: idToken })
+            .decrypt({
+            encryptedData,
+            permissions: this.toLegacyPermissions(permissions),
+        });
+        return result.decryptedData;
+    }
+    async decryptVerify(idToken, encryptedData, permissions) {
+        const result = await this.client
+            .withAuth({ type: "bearer", token: idToken })
+            .decryptVerify({
+            encryptedData,
+            permissions: this.toLegacyPermissions(permissions),
+        });
+        return {
+            decrypted_data: result.decryptedData,
+            is_valid_signature: result.isValidSignature,
+        };
+    }
+    toLegacyPermissions(permissions) {
+        if (!permissions?.length) {
+            return undefined;
+        }
+        return [
+            {
+                partnerId: "default",
+                actions: permissions,
+            },
+        ];
+    }
+}
+exports.Crittora = Crittora;
+//# sourceMappingURL=crittora.js.map

package/dist/crittora.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crittora.js","sourceRoot":"","sources":["../src/crittora.ts"],"names":[],"mappings":";;;AAAA,4CAAqD;AACrD,qCAA0C;AAY1C,MAAa,QAAQ;IAInB,YAA6B,UAAiC,EAAE;QAAnC,YAAO,GAAP,OAAO,CAA4B;QAC9D,IAAI,CAAC,OAAO,GAAG,IAAA,6BAAmB,EAAC;YACjC,UAAU,EAAE,OAAO,CAAC,OAAO,EAAE,UAAU,IAAI,qBAAqB;YAChE,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ,IAAI,4BAA4B;YACnE,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ;YACnC,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ;SACpC,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,IAAI,uBAAc,CAAC;YAC/B,GAAG,OAAO;YACV,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,8BAA8B;YAC1D,WAAW,EACT,OAAO,CAAC,WAAW;gBACnB,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO;oBAClB,CAAC,CAAC;wBACE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO;wBAC3B,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;wBACjC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;qBAClC;oBACH,CAAC,CAAC,SAAS,CAAC;SACjB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,QAAgB;QAEhB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QAChE,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAe,EACf,IAAY,EACZ,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,OAAO,CAAC;YACP,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAe,EACf,aAAqB,EACrB,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,OAAO,CAAC;YACP,aAAa;YACb,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,aAAqB,EACrB,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,aAAa,CAAC;YACb,aAAa;YACb,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO;YACL,cAAc,EAAE,MAAM,CAAC,aAAa;YACpC,kBAAkB,EAAE,MAAM,CAAC,gBAAgB;SAC5C,CAAC;IACJ,CAAC;IAEO,mBAAmB,CAAC,WAAsB;QAChD,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO;YACL;gBACE,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,WAAW;aACrB;SACF,CAAC;IACJ,CAAC;CACF;AAlGD,4BAkGC"}

package/dist/errors/authenticationError.d.ts

@@ -0,0 +1 @@
+export { AuthError as AuthenticationError } from "../errors";