@crittora/sdk-js 2.0.0 → 2.0.1

package/README.md

@@ -1,6 +1,11 @@
 # Crittora JavaScript SDK
 
-The Crittora JavaScript SDK provides a typed client for encryption, decryption, and decrypt-verify operations against the Crittora API.
+The Crittora JavaScript SDK is a typed secure-message client for the Crittora API.
+
+It supports exactly two application workflows:
+
+- confidentiality only: `encrypt()` -> `decrypt()`
+- confidentiality plus authenticity: `signEncrypt()` -> `decryptVerify()`
 
 This package now exposes a v2-style, instance-based client designed for predictable integration in production systems:
 
@@ -185,6 +190,36 @@ Operational guidance:
 - Keep retry counts conservative unless the backend contract explicitly supports aggressive retries.
 - Prefer a custom `userAgent` in services where request attribution matters.
 
+## Supported Workflows
+
+### Confidentiality only
+
+Use `encrypt()` when the recipient only needs to recover the plaintext later:
+
+```ts
+const encrypted = await client.encrypt({
+  data: "hello",
+});
+
+const decrypted = await client.decrypt({
+  encryptedData: encrypted.encryptedData,
+});
+```
+
+### Confidentiality plus authenticity
+
+Use `signEncrypt()` when the recipient must recover the plaintext and validate who signed it:
+
+```ts
+const envelope = await client.signEncrypt({
+  data: "hello",
+});
+
+const verified = await client.decryptVerify({
+  encryptedData: envelope.encryptedData,
+});
+```
+
 ## Operations
 
 ### Encrypt
@@ -201,9 +236,28 @@ const result = await client.encrypt({
 });
 
 console.log(result.encryptedData);
-console.log(result.transactionId);
 ```
 
+`encrypt()` returns a single org-protected `encryptedData` envelope. The intended follow-up operation is `decrypt()`, which unwraps and decrypts that envelope through the API.
+
+### Sign and encrypt
+
+```ts
+const result = await client.signEncrypt({
+  data: "hello",
+  permissions: [
+    {
+      partnerId: "partner-123",
+      actions: ["read", "write"],
+    },
+  ],
+});
+
+console.log(result.encryptedData);
+```
+
+`signEncrypt()` returns a single org-protected `encryptedData` envelope. The intended follow-up operation is `decryptVerify()`, which decrypts the envelope and validates the stored signature.
+
 ### Decrypt
 
 ```ts
@@ -214,6 +268,8 @@ const result = await client.decrypt({
 console.log(result.decryptedData);
 ```
 
+`decrypt()` is the intended follow-up to `encrypt()`. Pass it the exact `encryptedData` envelope returned by `encrypt()`, not the inner ciphertext payload.
+
 ### Decrypt and verify
 
 ```ts
@@ -223,8 +279,12 @@ const result = await client.decryptVerify({
 
 console.log(result.decryptedData);
 console.log(result.isValidSignature);
+console.log(result.signedBy);
+console.log(result.signedTimestamp);
 ```
 
+`decryptVerify()` is the intended follow-up to `signEncrypt()`. Pass it the exact `encryptedData` envelope returned by `signEncrypt()`, not any inner payload.
+
 Public request and response types:
 
 ```ts
@@ -240,7 +300,15 @@ type EncryptInput = {
 
 type EncryptResult = {
   encryptedData: string;
-  transactionId?: string;
+};
+
+type SignEncryptInput = {
+  data: string;
+  permissions?: Permission[];
+};
+
+type SignEncryptResult = {
+  encryptedData: string;
 };
 
 type DecryptInput = {
@@ -250,13 +318,14 @@ type DecryptInput = {
 
 type DecryptResult = {
   decryptedData: string;
-  transactionId?: string;
 };
 
 type DecryptVerifyResult = {
   decryptedData: string;
   isValidSignature: boolean;
-  transactionId?: string;
+  signedBy?: string;
+  signedTimestamp?: string;
+  repudiator?: string;
 };
 ```
 
@@ -346,3 +415,4 @@ await client.withAuth({ type: "bearer", token: idToken }).encrypt({
 - [API Reference](./docs/API.md)
 - [Migration Guide](./docs/MIGRATION.md)
 - [Architecture Notes](./docs/ARCHITECTURE.md)
+- [Release Process](./docs/RELEASING.md)

package/dist/client.d.ts

@@ -1,5 +1,5 @@
 import { AuthProvider } from "./auth/types";
-import { CrittoraClientOptions, DecryptInput, DecryptResult, DecryptVerifyInput, DecryptVerifyResult, EncryptInput, EncryptResult } from "./types";
+import { CrittoraClientOptions, DecryptInput, DecryptResult, DecryptVerifyInput, DecryptVerifyResult, EncryptInput, EncryptResult, SignEncryptInput, SignEncryptResult } from "./types";
 export declare class CrittoraClient {
     private readonly options;
     private readonly transport;
@@ -12,6 +12,7 @@ export declare class CrittoraClient {
         token: string;
     }): CrittoraClient;
     encrypt(input: EncryptInput): Promise<EncryptResult>;
+    signEncrypt(input: SignEncryptInput): Promise<SignEncryptResult>;
     decrypt(input: DecryptInput): Promise<DecryptResult>;
     decryptVerify(input: DecryptVerifyInput): Promise<DecryptVerifyResult>;
     private resolveAuthProvider;

package/dist/client.js

@@ -34,6 +34,9 @@ class CrittoraClient {
     async encrypt(input) {
         return this.cryptoResource.encrypt(input);
     }
+    async signEncrypt(input) {
+        return this.cryptoResource.signEncrypt(input);
+    }
     async decrypt(input) {
         return this.cryptoResource.decrypt(input);
     }

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":";;;AAAA,0CAA4C;AAW5C,+CAAoD;AACpD,6DAA0D;AAE1D,MAAM,gBAAgB,GAAG,8BAA8B,CAAC;AACxD,MAAM,kBAAkB,GAAG,KAAM,CAAC;AAElC,MAAa,cAAc;IAKzB,YAA6B,UAAiC,EAAE;QAAnC,YAAO,GAAP,OAAO,CAA4B;QAC9D,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,CAAC,SAAS,GAAG,IAAI,6BAAa,CAChC;YACE,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,gBAAgB;YAC5C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,kBAAkB;YAClD,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B,EACD;YACE,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CACF,CAAC;QACF,IAAI,CAAC,cAAc,GAAG,IAAI,uBAAc,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,QAAQ,CACN,IAAsD;QAEtD,OAAO,IAAI,cAAc,CAAC;YACxB,GAAG,IAAI,CAAC,OAAO;YACf,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,KAAyB;QAEzB,OAAO,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IAEO,mBAAmB,CACzB,IAAoC;QAEpC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,MAAM,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7C,OAAO,IAAA,oBAAW,EAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QAED,IAAI,wBAAwB,IAAI,IAAI,EAAE,CAAC;YACrC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAnED,wCAmEC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":";;;AAAA,0CAA4C;AAa5C,+CAAoD;AACpD,6DAA0D;AAE1D,MAAM,gBAAgB,GAAG,8BAA8B,CAAC;AACxD,MAAM,kBAAkB,GAAG,KAAM,CAAC;AAElC,MAAa,cAAc;IAKzB,YAA6B,UAAiC,EAAE;QAAnC,YAAO,GAAP,OAAO,CAA4B;QAC9D,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,CAAC,SAAS,GAAG,IAAI,6BAAa,CAChC;YACE,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,gBAAgB;YAC5C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,kBAAkB;YAClD,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B,EACD;YACE,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CACF,CAAC;QACF,IAAI,CAAC,cAAc,GAAG,IAAI,uBAAc,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,QAAQ,CACN,IAAsD;QAEtD,OAAO,IAAI,cAAc,CAAC;YACxB,GAAG,IAAI,CAAC,OAAO;YACf,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAuB;QACvC,OAAO,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,KAAyB;QAEzB,OAAO,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IAEO,mBAAmB,CACzB,IAAoC;QAEpC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,MAAM,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7C,OAAO,IAAA,oBAAW,EAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QAED,IAAI,wBAAwB,IAAI,IAAI,EAAE,CAAC;YACrC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAvED,wCAuEC"}

package/dist/crittora.d.ts

@@ -9,10 +9,14 @@ export declare class Crittora {
     constructor(options?: LegacyCrittoraOptions);
     authenticate(username: string, password: string): Promise<LegacyAuthResponse>;
     encrypt(idToken: string, data: string, permissions?: string[]): Promise<string>;
+    signEncrypt(idToken: string, data: string, permissions?: string[]): Promise<string>;
     decrypt(idToken: string, encryptedData: string, permissions?: string[]): Promise<string>;
     decryptVerify(idToken: string, encryptedData: string, permissions?: string[]): Promise<{
         decrypted_data: string;
         is_valid_signature: boolean;
+        signed_by?: string;
+        signed_timestamp?: string;
+        repudiator?: string;
     }>;
     private toLegacyPermissions;
 }

package/dist/crittora.js

@@ -42,6 +42,15 @@ class Crittora {
         });
         return result.encryptedData;
     }
+    async signEncrypt(idToken, data, permissions) {
+        const result = await this.client
+            .withAuth({ type: "bearer", token: idToken })
+            .signEncrypt({
+            data,
+            permissions: this.toLegacyPermissions(permissions),
+        });
+        return result.encryptedData;
+    }
     async decrypt(idToken, encryptedData, permissions) {
         const result = await this.client
             .withAuth({ type: "bearer", token: idToken })
@@ -61,6 +70,9 @@ class Crittora {
         return {
             decrypted_data: result.decryptedData,
             is_valid_signature: result.isValidSignature,
+            signed_by: result.signedBy,
+            signed_timestamp: result.signedTimestamp,
+            repudiator: result.repudiator,
         };
     }
     toLegacyPermissions(permissions) {

package/dist/crittora.js.map

@@ -1 +1 @@
-{"version":3,"file":"crittora.js","sourceRoot":"","sources":["../src/crittora.ts"],"names":[],"mappings":";;;AAAA,4CAAqD;AACrD,qCAA0C;AAY1C,MAAa,QAAQ;IAInB,YAA6B,UAAiC,EAAE;QAAnC,YAAO,GAAP,OAAO,CAA4B;QAC9D,IAAI,CAAC,OAAO,GAAG,IAAA,6BAAmB,EAAC;YACjC,UAAU,EAAE,OAAO,CAAC,OAAO,EAAE,UAAU,IAAI,qBAAqB;YAChE,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ,IAAI,4BAA4B;YACnE,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ;YACnC,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ;SACpC,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,IAAI,uBAAc,CAAC;YAC/B,GAAG,OAAO;YACV,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,8BAA8B;YAC1D,WAAW,EACT,OAAO,CAAC,WAAW;gBACnB,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO;oBAClB,CAAC,CAAC;wBACE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO;wBAC3B,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;wBACjC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;qBAClC;oBACH,CAAC,CAAC,SAAS,CAAC;SACjB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,QAAgB;QAEhB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QAChE,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAe,EACf,IAAY,EACZ,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,OAAO,CAAC;YACP,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAe,EACf,aAAqB,EACrB,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,OAAO,CAAC;YACP,aAAa;YACb,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,aAAqB,EACrB,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,aAAa,CAAC;YACb,aAAa;YACb,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO;YACL,cAAc,EAAE,MAAM,CAAC,aAAa;YACpC,kBAAkB,EAAE,MAAM,CAAC,gBAAgB;SAC5C,CAAC;IACJ,CAAC;IAEO,mBAAmB,CAAC,WAAsB;QAChD,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO;YACL;gBACE,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,WAAW;aACrB;SACF,CAAC;IACJ,CAAC;CACF;AAlGD,4BAkGC"}
+{"version":3,"file":"crittora.js","sourceRoot":"","sources":["../src/crittora.ts"],"names":[],"mappings":";;;AAAA,4CAAqD;AACrD,qCAA0C;AAY1C,MAAa,QAAQ;IAInB,YAA6B,UAAiC,EAAE;QAAnC,YAAO,GAAP,OAAO,CAA4B;QAC9D,IAAI,CAAC,OAAO,GAAG,IAAA,6BAAmB,EAAC;YACjC,UAAU,EAAE,OAAO,CAAC,OAAO,EAAE,UAAU,IAAI,qBAAqB;YAChE,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ,IAAI,4BAA4B;YACnE,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ;YACnC,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,QAAQ;SACpC,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,IAAI,uBAAc,CAAC;YAC/B,GAAG,OAAO;YACV,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,8BAA8B;YAC1D,WAAW,EACT,OAAO,CAAC,WAAW;gBACnB,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO;oBAClB,CAAC,CAAC;wBACE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO;wBAC3B,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;wBACjC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;qBAClC;oBACH,CAAC,CAAC,SAAS,CAAC;SACjB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,QAAgB;QAEhB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QAChE,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAe,EACf,IAAY,EACZ,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,OAAO,CAAC;YACP,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,WAAW,CACf,OAAe,EACf,IAAY,EACZ,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,WAAW,CAAC;YACX,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAe,EACf,aAAqB,EACrB,WAAsB;QAEtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,OAAO,CAAC;YACP,aAAa;YACb,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,aAAqB,EACrB,WAAsB;QAQtB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM;aAC7B,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;aAC5C,aAAa,CAAC;YACb,aAAa;YACb,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;SACnD,CAAC,CAAC;QAEL,OAAO;YACL,cAAc,EAAE,MAAM,CAAC,aAAa;YACpC,kBAAkB,EAAE,MAAM,CAAC,gBAAgB;YAC3C,SAAS,EAAE,MAAM,CAAC,QAAQ;YAC1B,gBAAgB,EAAE,MAAM,CAAC,eAAe;YACxC,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC;IACJ,CAAC;IAEO,mBAAmB,CAAC,WAAsB;QAChD,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO;YACL;gBACE,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,WAAW;aACrB;SACF,CAAC;IACJ,CAAC;CACF;AA1HD,4BA0HC"}

package/dist/resources/crypto.d.ts

@@ -1,4 +1,4 @@
-import { DecryptInput, DecryptResult, DecryptVerifyInput, DecryptVerifyResult, EncryptInput, EncryptResult } from "../types";
+import { DecryptInput, DecryptResult, DecryptVerifyInput, DecryptVerifyResult, EncryptInput, EncryptResult, SignEncryptInput, SignEncryptResult } from "../types";
 import { AuthProvider } from "../auth/types";
 import { HttpTransport } from "../transport/httpTransport";
 export declare class CryptoResource {
@@ -6,6 +6,7 @@ export declare class CryptoResource {
     private readonly authProvider?;
     constructor(transport: HttpTransport, authProvider?: AuthProvider | undefined);
     encrypt(input: EncryptInput): Promise<EncryptResult>;
+    signEncrypt(input: SignEncryptInput): Promise<SignEncryptResult>;
     decrypt(input: DecryptInput): Promise<DecryptResult>;
     decryptVerify(input: DecryptVerifyInput): Promise<DecryptVerifyResult>;
     private serializePermissions;

package/dist/resources/crypto.js

@@ -21,13 +21,32 @@ class CryptoResource {
             }, this.authProvider);
             return {
                 encryptedData: result.encrypted_data,
-                transactionId: result.transactionId,
             };
         }
         catch (error) {
             throw this.wrapEncryptError("Encryption failed", error);
         }
     }
+    async signEncrypt(input) {
+        try {
+            const result = await this.transport.request({
+                path: "/sign-encrypt",
+                body: {
+                    data: input.data,
+                    requested_actions: ["e", "s"],
+                    ...(input.permissions && {
+                        permissions: this.serializePermissions(input.permissions),
+                    }),
+                },
+            }, this.authProvider);
+            return {
+                encryptedData: result.encrypted_data,
+            };
+        }
+        catch (error) {
+            throw this.wrapEncryptError("Sign-encrypt failed", error);
+        }
+    }
     async decrypt(input) {
         try {
             const result = await this.transport.request({
@@ -41,7 +60,6 @@ class CryptoResource {
             }, this.authProvider);
             return {
                 decryptedData: result.decrypted_data,
-                transactionId: result.transactionId,
             };
         }
         catch (error) {
@@ -62,7 +80,9 @@ class CryptoResource {
             return {
                 decryptedData: result.decrypted_data,
                 isValidSignature: result.is_valid_signature,
-                transactionId: result.transactionId,
+                signedBy: result.signed_by,
+                signedTimestamp: result.signed_timestamp,
+                repudiator: result.repudiator,
             };
         }
         catch (error) {

package/dist/resources/crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/resources/crypto.ts"],"names":[],"mappings":";;;AAcA,sCAAqE;AAErE,MAAa,cAAc;IACzB,YACmB,SAAwB,EACxB,YAA2B;QAD3B,cAAS,GAAT,SAAS,CAAe;QACxB,iBAAY,GAAZ,YAAY,CAAe;IAC3C,CAAC;IAEJ,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CACzC;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE;oBACJ,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,iBAAiB,EAAE,CAAC,GAAG,CAAC;oBACxB,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI;wBACvB,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,WAAW,CAAC;qBAC1D,CAAC;iBACH;aACF,EACD,IAAI,CAAC,YAAY,CAClB,CAAC;YAEF,OAAO;gBACL,aAAa,EAAE,MAAM,CAAC,cAAc;gBACpC,aAAa,EAAE,MAAM,CAAC,aAAa;aACpC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CACzC;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE;oBACJ,cAAc,EAAE,KAAK,CAAC,aAAa;oBACnC,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI;wBACvB,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,WAAW,CAAC;qBAC1D,CAAC;iBACH;aACF,EACD,IAAI,CAAC,YAAY,CAClB,CAAC;YAEF,OAAO;gBACL,aAAa,EAAE,MAAM,CAAC,cAAc;gBACpC,aAAa,EAAE,MAAM,CAAC,aAAa;aACpC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,KAAyB;QAEzB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CACzC;gBACE,IAAI,EAAE,iBAAiB;gBACvB,IAAI,EAAE;oBACJ,cAAc,EAAE,KAAK,CAAC,aAAa;oBACnC,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI;wBACvB,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,WAAW,CAAC;qBAC1D,CAAC;iBACH;aACF,EACD,IAAI,CAAC,YAAY,CAClB,CAAC;YAEF,OAAO;gBACL,aAAa,EAAE,MAAM,CAAC,cAAc;gBACpC,gBAAgB,EAAE,MAAM,CAAC,kBAAkB;gBAC3C,aAAa,EAAE,MAAM,CAAC,aAAa;aACpC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,gBAAgB,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAEO,oBAAoB,CAC1B,WAAwC;QAExC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC9C,UAAU,EAAE,UAAU,CAAC,SAAS;YAChC,WAAW,EAAE,UAAU,CAAC,OAAO;SAChC,CAAC,CAAC,CAAC;IACN,CAAC;IAEO,gBAAgB,CAAC,OAAe,EAAE,KAAc;QACtD,IAAI,KAAK,YAAY,qBAAY,EAAE,CAAC;YAClC,OAAO,IAAI,qBAAY,CAAC,OAAO,EAAE;gBAC/B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,qBAAY,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;IAEO,gBAAgB,CAAC,OAAe,EAAE,KAAc;QACtD,IAAI,KAAK,YAAY,qBAAY,EAAE,CAAC;YAClC,OAAO,IAAI,qBAAY,CAAC,OAAO,EAAE;gBAC/B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,qBAAY,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;CACF;AApHD,wCAoHC"}
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/resources/crypto.ts"],"names":[],"mappings":";;;AAiBA,sCAAqE;AAErE,MAAa,cAAc;IACzB,YACmB,SAAwB,EACxB,YAA2B;QAD3B,cAAS,GAAT,SAAS,CAAe;QACxB,iBAAY,GAAZ,YAAY,CAAe;IAC3C,CAAC;IAEJ,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CACzC;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE;oBACJ,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,iBAAiB,EAAE,CAAC,GAAG,CAAC;oBACxB,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI;wBACvB,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,WAAW,CAAC;qBAC1D,CAAC;iBACH;aACF,EACD,IAAI,CAAC,YAAY,CAClB,CAAC;YAEF,OAAO;gBACL,aAAa,EAAE,MAAM,CAAC,cAAc;aACrC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAuB;QACvC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CACzC;gBACE,IAAI,EAAE,eAAe;gBACrB,IAAI,EAAE;oBACJ,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,iBAAiB,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC;oBAC7B,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI;wBACvB,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,WAAW,CAAC;qBAC1D,CAAC;iBACH;aACF,EACD,IAAI,CAAC,YAAY,CAClB,CAAC;YAEF,OAAO;gBACL,aAAa,EAAE,MAAM,CAAC,cAAc;aACrC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,gBAAgB,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CACzC;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE;oBACJ,cAAc,EAAE,KAAK,CAAC,aAAa;oBACnC,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI;wBACvB,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,WAAW,CAAC;qBAC1D,CAAC;iBACH;aACF,EACD,IAAI,CAAC,YAAY,CAClB,CAAC;YAEF,OAAO;gBACL,aAAa,EAAE,MAAM,CAAC,cAAc;aACrC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,KAAyB;QAEzB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CACzC;gBACE,IAAI,EAAE,iBAAiB;gBACvB,IAAI,EAAE;oBACJ,cAAc,EAAE,KAAK,CAAC,aAAa;oBACnC,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI;wBACvB,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,WAAW,CAAC;qBAC1D,CAAC;iBACH;aACF,EACD,IAAI,CAAC,YAAY,CAClB,CAAC;YAEF,OAAO;gBACL,aAAa,EAAE,MAAM,CAAC,cAAc;gBACpC,gBAAgB,EAAE,MAAM,CAAC,kBAAkB;gBAC3C,QAAQ,EAAE,MAAM,CAAC,SAAS;gBAC1B,eAAe,EAAE,MAAM,CAAC,gBAAgB;gBACxC,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,gBAAgB,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAEO,oBAAoB,CAC1B,WAAwC;QAExC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC9C,UAAU,EAAE,UAAU,CAAC,SAAS;YAChC,WAAW,EAAE,UAAU,CAAC,OAAO;SAChC,CAAC,CAAC,CAAC;IACN,CAAC;IAEO,gBAAgB,CAAC,OAAe,EAAE,KAAc;QACtD,IAAI,KAAK,YAAY,qBAAY,EAAE,CAAC;YAClC,OAAO,IAAI,qBAAY,CAAC,OAAO,EAAE;gBAC/B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,qBAAY,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;IAEO,gBAAgB,CAAC,OAAe,EAAE,KAAc;QACtD,IAAI,KAAK,YAAY,qBAAY,EAAE,CAAC;YAClC,OAAO,IAAI,qBAAY,CAAC,OAAO,EAAE;gBAC/B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,qBAAY,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;CACF;AA5ID,wCA4IC"}

package/dist/types.d.ts

@@ -23,7 +23,13 @@ export interface EncryptInput {
 }
 export interface EncryptResult {
     encryptedData: string;
-    transactionId?: string;
+}
+export interface SignEncryptInput {
+    data: string;
+    permissions?: Permission[];
+}
+export interface SignEncryptResult {
+    encryptedData: string;
 }
 export interface DecryptInput {
     encryptedData: string;
@@ -31,7 +37,6 @@ export interface DecryptInput {
 }
 export interface DecryptResult {
     decryptedData: string;
-    transactionId?: string;
 }
 export interface DecryptVerifyInput {
     encryptedData: string;
@@ -40,7 +45,9 @@ export interface DecryptVerifyInput {
 export interface DecryptVerifyResult {
     decryptedData: string;
     isValidSignature: boolean;
-    transactionId?: string;
+    signedBy?: string;
+    signedTimestamp?: string;
+    repudiator?: string;
 }
 export interface AuthTokens {
     idToken: string;
@@ -83,16 +90,19 @@ export interface WirePermission {
 }
 export interface WireEncryptResult {
     encrypted_data: string;
-    transactionId?: string;
+}
+export interface WireSignEncryptResult {
+    encrypted_data: string;
 }
 export interface WireDecryptResult {
     decrypted_data: string;
-    transactionId?: string;
 }
 export interface WireDecryptVerifyResult {
     decrypted_data: string;
     is_valid_signature: boolean;
-    transactionId?: string;
+    signed_by?: string;
+    signed_timestamp?: string;
+    repudiator?: string;
 }
 export interface LegacyAuthResponse {
     IdToken: string;

package/docs/API.md

@@ -2,6 +2,11 @@
 
 This document describes the public SDK surface exposed by `@crittora/sdk-js`.
 
+The public API is intentionally limited to two workflows:
+
+- `encrypt(...)` -> `decrypt(...)`
+- `signEncrypt(...)` -> `decryptVerify(...)`
+
 ## Exports
 
 Primary exports:
@@ -63,10 +68,15 @@ Result:
 ```ts
 type EncryptResult = {
   encryptedData: string;
-  transactionId?: string;
 };
 ```
 
+Behavior notes:
+
+- The SDK sends `requested_actions: ["e"]` on the wire.
+- The API returns a single org-encrypted envelope as `encrypted_data`.
+- The intended follow-up operation is `decrypt(...)`.
+
 #### `decrypt(input)`
 
 ```ts
@@ -87,10 +97,44 @@ Result:
 ```ts
 type DecryptResult = {
   decryptedData: string;
-  transactionId?: string;
 };
 ```
 
+Behavior notes:
+
+- Pass the exact `encryptedData` string returned by `encrypt(...)`.
+- The router unwraps the org-encrypted envelope before the Lambda performs decrypt.
+- Successful responses return plaintext only.
+
+#### `signEncrypt(input)`
+
+```ts
+signEncrypt(input: SignEncryptInput): Promise<SignEncryptResult>
+```
+
+Input:
+
+```ts
+type SignEncryptInput = {
+  data: string;
+  permissions?: Permission[];
+};
+```
+
+Result:
+
+```ts
+type SignEncryptResult = {
+  encryptedData: string;
+};
+```
+
+Behavior notes:
+
+- The SDK sends `requested_actions: ["e", "s"]` on the wire.
+- The API returns a single org-encrypted envelope as `encrypted_data`.
+- The intended follow-up operation is `decryptVerify(...)`.
+
 #### `decryptVerify(input)`
 
 ```ts
@@ -112,10 +156,19 @@ Result:
 type DecryptVerifyResult = {
   decryptedData: string;
   isValidSignature: boolean;
-  transactionId?: string;
+  signedBy?: string;
+  signedTimestamp?: string;
+  repudiator?: string;
 };
 ```
 
+Behavior notes:
+
+- Pass the exact `encryptedData` string returned by `signEncrypt(...)`.
+- The router unwraps the org-encrypted envelope before the Lambda performs decrypt and verify.
+- Successful verification may include `signedBy` and `signedTimestamp`.
+- Failed verification may still return `decryptedData`, with `isValidSignature: false` and `repudiator`.
+
 #### `withAuth(auth)`
 
 ```ts
@@ -187,12 +240,23 @@ Methods:
 ```ts
 authenticate(username: string, password: string): Promise<LegacyAuthResponse>
 encrypt(idToken: string, data: string, permissions?: string[]): Promise<string>
+signEncrypt(
+  idToken: string,
+  data: string,
+  permissions?: string[]
+): Promise<string>
 decrypt(idToken: string, encryptedData: string, permissions?: string[]): Promise<string>
 decryptVerify(
   idToken: string,
   encryptedData: string,
   permissions?: string[]
-): Promise<{ decrypted_data: string; is_valid_signature: boolean }>
+): Promise<{
+  decrypted_data: string;
+  is_valid_signature: boolean;
+  signed_by?: string;
+  signed_timestamp?: string;
+  repudiator?: string;
+}>
 ```
 
 This interface is transitional. New integrations should use `CrittoraClient`.

package/docs/ARCHITECTURE.md

@@ -10,6 +10,18 @@ The SDK is designed to be:
 - safe to run in multi-tenant or multi-environment processes
 - adaptable to different auth models
 - operationally predictable under failure
+- intentionally narrow in surface area
+
+## Product scope
+
+This package is not positioned as a general-purpose cryptography toolkit.
+
+It supports exactly four high-level operations arranged into two workflows:
+
+- confidentiality only: `encrypt()` and `decrypt()`
+- confidentiality plus authenticity: `signEncrypt()` and `decryptVerify()`
+
+That narrow surface is intentional. The SDK mirrors the backend product contract rather than exposing lower-level standalone sign or verify primitives.
 
 ## Layering
 

package/docs/MIGRATION.md

@@ -82,6 +82,35 @@ const encrypted = await client
       },
     ],
   });
+
+console.log(encrypted.encryptedData);
+```
+
+### Sign and encrypt
+
+Before:
+
+```ts
+const result = await sdk.signEncrypt(idToken, data, ["read"]);
+console.log(result);
+```
+
+After:
+
+```ts
+const result = await client
+  .withAuth({ type: "bearer", token: idToken })
+  .signEncrypt({
+    data,
+    permissions: [
+      {
+        partnerId: "default",
+        actions: ["read"],
+      },
+    ],
+  });
+
+console.log(result.encryptedData);
 ```
 
 ### Decrypt
@@ -100,6 +129,8 @@ const decrypted = await client
   .decrypt({
     encryptedData,
   });
+
+console.log(decrypted.decryptedData);
 ```
 
 ### Decrypt and verify
@@ -108,7 +139,12 @@ Before:
 
 ```ts
 const result = await sdk.decryptVerify(idToken, encryptedData);
-console.log(result.decrypted_data, result.is_valid_signature);
+console.log(
+  result.decrypted_data,
+  result.is_valid_signature,
+  result.signed_by,
+  result.signed_timestamp
+);
 ```
 
 After:
@@ -121,6 +157,7 @@ const result = await client
   });
 
 console.log(result.decryptedData, result.isValidSignature);
+console.log(result.signedBy, result.signedTimestamp);
 ```
 
 ## Type changes
@@ -130,6 +167,8 @@ Main public naming changes:
 - `encrypted_data` -> `encryptedData`
 - `decrypted_data` -> `decryptedData`
 - `is_valid_signature` -> `isValidSignature`
+- `signed_by` -> `signedBy`
+- `signed_timestamp` -> `signedTimestamp`
 
 Permission changes:
 

package/docs/RELEASING.md

@@ -0,0 +1,98 @@
+# Release Process
+
+This document outlines the release process for `@crittora/sdk-js`.
+
+## Release posture
+
+The package ships a v2-style client architecture and a temporary legacy compatibility shim. Versioning should reflect that reality:
+
+- use `major` for breaking API changes, removal of the legacy `Crittora` shim, or runtime contract changes
+- use `minor` for additive API surface such as new methods, auth providers, or response fields
+- use `patch` for bug fixes, packaging fixes, and documentation corrections
+
+## Prerequisites
+
+1. Ensure you have NPM access to the `@crittora` organization.
+2. Make sure you are logged in with `npm login`.
+3. Confirm local verification passes.
+4. Confirm README and docs match the shipped API.
+
+## Runtime and packaging assumptions
+
+The published package currently targets:
+
+- Node.js 18 or later
+- CommonJS output with TypeScript declarations
+- explicit client configuration rather than package-managed `.env` loading
+
+Published package contents:
+
+- `dist/`
+- `docs/`
+- `README.md`
+- `CHANGELOG.md`
+- `LICENSE`
+
+## Standard release commands
+
+```bash
+npm run verify
+npm run release:patch
+npm run release:minor
+npm run release:major
+```
+
+Each release command performs:
+
+1. clean build artifacts
+2. TypeScript build
+3. test execution
+4. semantic version bump
+5. `npm publish`
+
+## Recommended release flow
+
+1. Verify locally:
+
+   ```bash
+   npm run verify
+   ```
+
+2. Inspect the package payload:
+
+   ```bash
+   npm pack --dry-run
+   ```
+
+3. Choose the correct semantic version bump:
+
+   ```bash
+   npm run release:patch
+   npm run release:minor
+   npm run release:major
+   ```
+
+4. Verify the published package:
+
+   ```bash
+   npm view @crittora/sdk-js versions
+   npm install @crittora/sdk-js@latest
+   ```
+
+## Pre-release checklist
+
+- README examples match the current code
+- `docs/API.md` matches the exported surface
+- `docs/MIGRATION.md` matches any deprecation and breaking-change policy
+- Node engine requirement is accurate
+- tests pass without warnings indicating broken configuration
+
+## Troubleshooting
+
+If a release fails:
+
+1. run `npm run build`
+2. run `npm test`
+3. inspect `npm pack --dry-run`
+4. confirm NPM auth with `npm whoami`
+5. confirm package metadata in `package.json`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@crittora/sdk-js",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Crittora JavaScript SDK",
   "main": "./dist/index.js",
   "module": "./dist/index.js",
@@ -28,9 +28,9 @@
   },
   "keywords": [
     "encryption",
-    "signing",
     "sdk",
-    "cryptography",
+    "secure-messaging",
+    "data-protection",
     "crittora"
   ],
   "author": "Erik Rowan <erik@crittora.com>, Gerardo I. Ornelas <gerardo@crittora.com>",