@de-otio/chaoskb-client 0.2.0

package/dist/crypto/canonical-json.js

@@ -0,0 +1,88 @@
+/**
+ * RFC 8785 Canonical JSON serialization.
+ * Sorted keys (recursive), no whitespace, proper Unicode escaping.
+ */
+export function canonicalJson(obj) {
+    return serializeValue(obj);
+}
+function serializeValue(value) {
+    if (value === null) {
+        return 'null';
+    }
+    switch (typeof value) {
+        case 'boolean':
+            return value ? 'true' : 'false';
+        case 'number':
+            return serializeNumber(value);
+        case 'string':
+            return serializeString(value);
+        case 'object':
+            if (Array.isArray(value)) {
+                return serializeArray(value);
+            }
+            return serializeObject(value);
+        default:
+            throw new TypeError(`Unsupported type: ${typeof value}`);
+    }
+}
+function serializeNumber(n) {
+    if (!Number.isFinite(n)) {
+        throw new TypeError(`Non-finite number: ${n}`);
+    }
+    // RFC 8785: use ES2015 Number serialization (which JSON.stringify uses)
+    // For integers, no decimal point. For floats, shortest representation.
+    if (Object.is(n, -0)) {
+        return '0';
+    }
+    return JSON.stringify(n);
+}
+function serializeString(s) {
+    // RFC 8785: escape control characters, backslash, double-quote.
+    // Characters U+0000..U+001F must be escaped with \uXXXX (except \b \f \n \r \t which use short form).
+    // All other characters (including non-BMP via surrogate pairs) are passed through literally.
+    let result = '"';
+    for (let i = 0; i < s.length; i++) {
+        const code = s.charCodeAt(i);
+        if (code === 0x08) {
+            result += '\\b';
+        }
+        else if (code === 0x09) {
+            result += '\\t';
+        }
+        else if (code === 0x0a) {
+            result += '\\n';
+        }
+        else if (code === 0x0c) {
+            result += '\\f';
+        }
+        else if (code === 0x0d) {
+            result += '\\r';
+        }
+        else if (code === 0x22) {
+            result += '\\"';
+        }
+        else if (code === 0x5c) {
+            result += '\\\\';
+        }
+        else if (code < 0x20) {
+            result += `\\u${code.toString(16).padStart(4, '0')}`;
+        }
+        else {
+            result += s[i];
+        }
+    }
+    result += '"';
+    return result;
+}
+function serializeArray(arr) {
+    const items = arr.map((item) => serializeValue(item));
+    return '[' + items.join(',') + ']';
+}
+function serializeObject(obj) {
+    const keys = Object.keys(obj).sort();
+    const pairs = keys
+        .filter((key) => obj[key] !== undefined)
+        .map((key) => serializeString(key) + ':' + serializeValue(obj[key]));
+    return '{' + pairs.join(',') + '}';
+}
+//# sourceMappingURL=canonical-json.js.map

package/dist/crypto/canonical-json.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-json.js","sourceRoot":"","sources":["../../crypto/canonical-json.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,GAA4B;IACxD,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,QAAQ,OAAO,KAAK,EAAE,CAAC;QACrB,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;QAElC,KAAK,QAAQ;YACX,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;QAEhC,KAAK,QAAQ;YACX,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;QAEhC,KAAK,QAAQ;YACX,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC;YAC/B,CAAC;YACD,OAAO,eAAe,CAAC,KAAgC,CAAC,CAAC;QAE3D;YACE,MAAM,IAAI,SAAS,CAAC,qBAAqB,OAAO,KAAK,EAAE,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACjD,CAAC;IACD,wEAAwE;IACxE,uEAAuE;IACvE,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrB,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,gEAAgE;IAChE,sGAAsG;IACtG,6FAA6F;IAC7F,IAAI,MAAM,GAAG,GAAG,CAAC;IACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,MAAM,CAAC;QACnB,CAAC;aAAM,IAAI,IAAI,GAAG,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,MAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IACD,MAAM,IAAI,GAAG,CAAC;IACd,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,GAAc;IACpC,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;IACtD,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;AACrC,CAAC;AAED,SAAS,eAAe,CAAC,GAA4B;IACnD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,IAAI;SACf,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC;SACvC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACvE,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;AACrC,CAAC"}

package/dist/crypto/commitment.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Compute HMAC-SHA256 key commitment.
+ * commitment = HMAC-SHA256(commitKey, blobIdBytes || rawCt)
+ * where blobIdBytes is the UTF-8 encoding of the blob ID string.
+ */
+export declare function computeCommitment(commitKey: Uint8Array, blobId: string, rawCt: Uint8Array): Uint8Array;
+/**
+ * Verify a key commitment using constant-time comparison.
+ * Returns true if the commitment is valid.
+ */
+export declare function verifyCommitment(commitKey: Uint8Array, blobId: string, rawCt: Uint8Array, expected: Uint8Array): boolean;
+//# sourceMappingURL=commitment.d.ts.map

package/dist/crypto/commitment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"commitment.d.ts","sourceRoot":"","sources":["../../crypto/commitment.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,UAAU,EACrB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,UAAU,GAChB,UAAU,CAMZ;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,SAAS,EAAE,UAAU,EACrB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,UAAU,EACjB,QAAQ,EAAE,UAAU,GACnB,OAAO,CAGT"}

package/dist/crypto/commitment.js

@@ -0,0 +1,37 @@
+import { hmac } from '@noble/hashes/hmac.js';
+import { sha256 } from '@noble/hashes/sha2.js';
+/**
+ * Compute HMAC-SHA256 key commitment.
+ * commitment = HMAC-SHA256(commitKey, blobIdBytes || rawCt)
+ * where blobIdBytes is the UTF-8 encoding of the blob ID string.
+ */
+export function computeCommitment(commitKey, blobId, rawCt) {
+    const blobIdBytes = new TextEncoder().encode(blobId);
+    const message = new Uint8Array(blobIdBytes.length + rawCt.length);
+    message.set(blobIdBytes, 0);
+    message.set(rawCt, blobIdBytes.length);
+    return hmac(sha256, commitKey, message);
+}
+/**
+ * Verify a key commitment using constant-time comparison.
+ * Returns true if the commitment is valid.
+ */
+export function verifyCommitment(commitKey, blobId, rawCt, expected) {
+    const computed = computeCommitment(commitKey, blobId, rawCt);
+    return constantTimeEqual(computed, expected);
+}
+/**
+ * Constant-time comparison of two byte arrays.
+ * Always compares the full length to prevent timing side-channels.
+ */
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+        diff |= a[i] ^ b[i];
+    }
+    return diff === 0;
+}
+//# sourceMappingURL=commitment.js.map

package/dist/crypto/commitment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"commitment.js","sourceRoot":"","sources":["../../crypto/commitment.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC;AAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAqB,EACrB,MAAc,EACd,KAAiB;IAEjB,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,SAAqB,EACrB,MAAc,EACd,KAAiB,EACjB,QAAoB;IAEpB,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IAC7D,OAAO,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,CAAa,EAAE,CAAa;IACrD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC"}

package/dist/crypto/encryption-service.d.ts

@@ -0,0 +1,19 @@
+import type { DerivedKeySet, DecryptResult, EncryptResult, Envelope, IEncryptionService, ISecureBuffer, KeyId, Payload } from './types.js';
+/**
+ * Concrete implementation of IEncryptionService.
+ *
+ * Wraps the standalone crypto functions into a single injectable service.
+ */
+export declare class EncryptionService implements IEncryptionService {
+    /** Generate a new random 32-byte master key in a SecureBuffer. */
+    generateMasterKey(): ISecureBuffer;
+    /** Derive all subkeys from a master key via HKDF-SHA256. */
+    deriveKeys(masterKey: ISecureBuffer, salt?: Uint8Array): DerivedKeySet;
+    /** Encrypt a payload into an envelope. */
+    encrypt(payload: Payload, keys: DerivedKeySet, kid?: KeyId): EncryptResult;
+    /** Decrypt an envelope into a payload. */
+    decrypt(envelope: Envelope, keys: DerivedKeySet): DecryptResult;
+    /** Generate a CSPRNG blob ID (b_ prefix + base62). */
+    generateBlobId(): string;
+}
+//# sourceMappingURL=encryption-service.d.ts.map

package/dist/crypto/encryption-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption-service.d.ts","sourceRoot":"","sources":["../../crypto/encryption-service.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,aAAa,EACb,aAAa,EACb,aAAa,EACb,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,KAAK,EACL,OAAO,EACR,MAAM,YAAY,CAAC;AAEpB;;;;GAIG;AACH,qBAAa,iBAAkB,YAAW,kBAAkB;IAC1D,kEAAkE;IAClE,iBAAiB,IAAI,aAAa;IASlC,4DAA4D;IAC5D,UAAU,CAAC,SAAS,EAAE,aAAa,EAAE,IAAI,CAAC,EAAE,UAAU,GAAG,aAAa;IAItE,0CAA0C;IAC1C,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,CAAC,EAAE,KAAK,GAAG,aAAa;IAI1E,0CAA0C;IAC1C,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,GAAG,aAAa;IAI/D,sDAAsD;IACtD,cAAc,IAAI,MAAM;CAGzB"}

package/dist/crypto/encryption-service.js

@@ -0,0 +1,38 @@
+import { randomBytes } from 'node:crypto';
+import { generateBlobId } from './blob-id.js';
+import { encryptPayload, decryptEnvelope } from './envelope.js';
+import { deriveKeySet } from './hkdf.js';
+import { SecureBuffer } from './secure-buffer.js';
+/**
+ * Concrete implementation of IEncryptionService.
+ *
+ * Wraps the standalone crypto functions into a single injectable service.
+ */
+export class EncryptionService {
+    /** Generate a new random 32-byte master key in a SecureBuffer. */
+    generateMasterKey() {
+        const sb = SecureBuffer.alloc(32);
+        const tmp = randomBytes(32);
+        tmp.copy(sb.buffer);
+        // Zero the temporary buffer
+        tmp.fill(0);
+        return sb;
+    }
+    /** Derive all subkeys from a master key via HKDF-SHA256. */
+    deriveKeys(masterKey, salt) {
+        return deriveKeySet(new Uint8Array(masterKey.buffer), salt);
+    }
+    /** Encrypt a payload into an envelope. */
+    encrypt(payload, keys, kid) {
+        return encryptPayload(payload, keys, kid);
+    }
+    /** Decrypt an envelope into a payload. */
+    decrypt(envelope, keys) {
+        return decryptEnvelope(envelope, keys);
+    }
+    /** Generate a CSPRNG blob ID (b_ prefix + base62). */
+    generateBlobId() {
+        return generateBlobId();
+    }
+}
+//# sourceMappingURL=encryption-service.js.map

package/dist/crypto/encryption-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption-service.js","sourceRoot":"","sources":["../../crypto/encryption-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAYlD;;;;GAIG;AACH,MAAM,OAAO,iBAAiB;IAC5B,kEAAkE;IAClE,iBAAiB;QACf,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC5B,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;QACpB,4BAA4B;QAC5B,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACZ,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,4DAA4D;IAC5D,UAAU,CAAC,SAAwB,EAAE,IAAiB;QACpD,OAAO,YAAY,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IAED,0CAA0C;IAC1C,OAAO,CAAC,OAAgB,EAAE,IAAmB,EAAE,GAAW;QACxD,OAAO,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED,0CAA0C;IAC1C,OAAO,CAAC,QAAkB,EAAE,IAAmB;QAC7C,OAAO,eAAe,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IAED,sDAAsD;IACtD,cAAc;QACZ,OAAO,cAAc,EAAE,CAAC;IAC1B,CAAC;CACF"}

package/dist/crypto/envelope-cbor.d.ts

@@ -0,0 +1,37 @@
+/**
+ * CBOR serialization for ChaosKB envelopes (v2 wire format).
+ *
+ * v2 envelopes store ciphertext and commitment as raw binary (Uint8Array)
+ * instead of base64, saving ~33% size overhead on the ciphertext field.
+ *
+ * Backward compatibility: can read both v1 (JSON) and v2 (CBOR) envelopes.
+ */
+import type { Envelope, EnvelopeV2, AnyEnvelope } from './types.js';
+/**
+ * Serialize an envelope to CBOR binary format (v2).
+ *
+ * @param envelope - A v2 envelope with raw binary ct and commit.
+ * @returns CBOR-encoded bytes.
+ */
+export declare function serializeEnvelopeCBOR(envelope: EnvelopeV2): Uint8Array;
+/**
+ * Deserialize bytes into an envelope, auto-detecting the format.
+ *
+ * - If bytes start with "CKB" magic header, decode as CBOR (v2)
+ * - If bytes start with '{', decode as JSON (v1)
+ *
+ * @param bytes - Raw envelope bytes.
+ * @returns Parsed envelope (v1 or v2).
+ */
+export declare function deserializeEnvelope(bytes: Uint8Array): AnyEnvelope;
+/**
+ * Convert a v1 (JSON) envelope to a v2 (CBOR) envelope.
+ * Decodes base64 fields to raw binary.
+ */
+export declare function upgradeToV2(v1: Envelope): EnvelopeV2;
+/**
+ * Convert a v2 (CBOR) envelope back to v1 (JSON) format.
+ * Encodes binary fields as base64.
+ */
+export declare function downgradeToV1(v2: EnvelopeV2): Envelope;
+//# sourceMappingURL=envelope-cbor.d.ts.map

package/dist/crypto/envelope-cbor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope-cbor.d.ts","sourceRoot":"","sources":["../../crypto/envelope-cbor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAKpE;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,UAAU,GAAG,UAAU,CAqBtE;AAED;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,UAAU,GAAG,WAAW,CAalE;AAiDD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,EAAE,EAAE,QAAQ,GAAG,UAAU,CAYpD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,EAAE,EAAE,UAAU,GAAG,QAAQ,CActD"}

package/dist/crypto/envelope-cbor.js

@@ -0,0 +1,124 @@
+/**
+ * CBOR serialization for ChaosKB envelopes (v2 wire format).
+ *
+ * v2 envelopes store ciphertext and commitment as raw binary (Uint8Array)
+ * instead of base64, saving ~33% size overhead on the ciphertext field.
+ *
+ * Backward compatibility: can read both v1 (JSON) and v2 (CBOR) envelopes.
+ */
+import { encode, decode } from 'cborg';
+/** CBOR tag used to identify ChaosKB envelopes (arbitrary, in private range). */
+const CHAOSKB_CBOR_MAGIC = new Uint8Array([0x43, 0x4b, 0x42]); // "CKB"
+/**
+ * Serialize an envelope to CBOR binary format (v2).
+ *
+ * @param envelope - A v2 envelope with raw binary ct and commit.
+ * @returns CBOR-encoded bytes.
+ */
+export function serializeEnvelopeCBOR(envelope) {
+    const cborPayload = {
+        v: envelope.v,
+        id: envelope.id,
+        ts: envelope.ts,
+        enc: {
+            alg: envelope.enc.alg,
+            kid: envelope.enc.kid,
+            ct: envelope.enc.ct,
+            commit: envelope.enc.commit,
+        },
+    };
+    const cborBytes = encode(cborPayload);
+    // Prepend magic header so we can distinguish CBOR from JSON
+    const result = new Uint8Array(CHAOSKB_CBOR_MAGIC.length + cborBytes.length);
+    result.set(CHAOSKB_CBOR_MAGIC, 0);
+    result.set(cborBytes, CHAOSKB_CBOR_MAGIC.length);
+    return result;
+}
+/**
+ * Deserialize bytes into an envelope, auto-detecting the format.
+ *
+ * - If bytes start with "CKB" magic header, decode as CBOR (v2)
+ * - If bytes start with '{', decode as JSON (v1)
+ *
+ * @param bytes - Raw envelope bytes.
+ * @returns Parsed envelope (v1 or v2).
+ */
+export function deserializeEnvelope(bytes) {
+    // Check for CBOR magic header
+    if (bytes.length >= CHAOSKB_CBOR_MAGIC.length &&
+        bytes[0] === CHAOSKB_CBOR_MAGIC[0] &&
+        bytes[1] === CHAOSKB_CBOR_MAGIC[1] &&
+        bytes[2] === CHAOSKB_CBOR_MAGIC[2]) {
+        return deserializeCBOR(bytes.subarray(CHAOSKB_CBOR_MAGIC.length));
+    }
+    // Try JSON (v1)
+    return deserializeJSON(bytes);
+}
+/**
+ * Decode CBOR bytes into a v2 envelope.
+ */
+function deserializeCBOR(cborBytes) {
+    const parsed = decode(cborBytes);
+    if (parsed.v !== 2) {
+        throw new Error(`CBOR envelope has unexpected version: ${parsed.v}`);
+    }
+    return {
+        v: 2,
+        id: parsed.id,
+        ts: parsed.ts,
+        enc: {
+            alg: parsed.enc.alg,
+            kid: parsed.enc.kid,
+            ct: new Uint8Array(parsed.enc.ct),
+            commit: new Uint8Array(parsed.enc.commit),
+        },
+    };
+}
+/**
+ * Decode JSON bytes into a v1 envelope.
+ */
+function deserializeJSON(bytes) {
+    const json = new TextDecoder().decode(bytes);
+    const parsed = JSON.parse(json);
+    if (parsed.v !== 1) {
+        throw new Error(`JSON envelope has unexpected version: ${parsed.v}`);
+    }
+    return parsed;
+}
+/**
+ * Convert a v1 (JSON) envelope to a v2 (CBOR) envelope.
+ * Decodes base64 fields to raw binary.
+ */
+export function upgradeToV2(v1) {
+    return {
+        v: 2,
+        id: v1.id,
+        ts: v1.ts,
+        enc: {
+            alg: v1.enc.alg,
+            kid: v1.enc.kid,
+            ct: new Uint8Array(Buffer.from(v1.enc.ct, 'base64')),
+            commit: new Uint8Array(Buffer.from(v1.enc.commit, 'base64')),
+        },
+    };
+}
+/**
+ * Convert a v2 (CBOR) envelope back to v1 (JSON) format.
+ * Encodes binary fields as base64.
+ */
+export function downgradeToV1(v2) {
+    const ctBase64 = Buffer.from(v2.enc.ct).toString('base64');
+    return {
+        v: 1,
+        id: v2.id,
+        ts: v2.ts,
+        enc: {
+            alg: v2.enc.alg,
+            kid: v2.enc.kid,
+            ct: ctBase64,
+            'ct.len': v2.enc.ct.length,
+            commit: Buffer.from(v2.enc.commit).toString('base64'),
+        },
+    };
+}
+//# sourceMappingURL=envelope-cbor.js.map

package/dist/crypto/envelope-cbor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope-cbor.js","sourceRoot":"","sources":["../../crypto/envelope-cbor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAGvC,iFAAiF;AACjF,MAAM,kBAAkB,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ;AAEvE;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAoB;IACxD,MAAM,WAAW,GAAG;QAClB,CAAC,EAAE,QAAQ,CAAC,CAAC;QACb,EAAE,EAAE,QAAQ,CAAC,EAAE;QACf,EAAE,EAAE,QAAQ,CAAC,EAAE;QACf,GAAG,EAAE;YACH,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC,GAAG;YACrB,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC,GAAG;YACrB,EAAE,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE;YACnB,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,MAAM;SAC5B;KACF,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;IAEtC,4DAA4D;IAC5D,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,kBAAkB,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5E,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC;IAClC,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAEjD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAiB;IACnD,8BAA8B;IAC9B,IACE,KAAK,CAAC,MAAM,IAAI,kBAAkB,CAAC,MAAM;QACzC,KAAK,CAAC,CAAC,CAAC,KAAK,kBAAkB,CAAC,CAAC,CAAC;QAClC,KAAK,CAAC,CAAC,CAAC,KAAK,kBAAkB,CAAC,CAAC,CAAC;QAClC,KAAK,CAAC,CAAC,CAAC,KAAK,kBAAkB,CAAC,CAAC,CAAC,EAClC,CAAC;QACD,OAAO,eAAe,CAAC,KAAK,CAAC,QAAQ,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,gBAAgB;IAChB,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,SAAqB;IAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAU9B,CAAC;IAEF,IAAI,MAAM,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,yCAAyC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,OAAO;QACL,CAAC,EAAE,CAAC;QACJ,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,GAAG,EAAE;YACH,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,GAA+B;YAC/C,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,GAA+B;YAC/C,EAAE,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC;SAC1C;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,KAAiB;IACxC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAa,CAAC;IAE5C,IAAI,MAAM,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,yCAAyC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,EAAY;IACtC,OAAO;QACL,CAAC,EAAE,CAAC;QACJ,EAAE,EAAE,EAAE,CAAC,EAAE;QACT,EAAE,EAAE,EAAE,CAAC,EAAE;QACT,GAAG,EAAE;YACH,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG;YACf,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG;YACf,EAAE,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;YACpD,MAAM,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;SAC7D;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,EAAc;IAC1C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC3D,OAAO;QACL,CAAC,EAAE,CAAC;QACJ,EAAE,EAAE,EAAE,CAAC,EAAE;QACT,EAAE,EAAE,EAAE,CAAC,EAAE;QACT,GAAG,EAAE;YACH,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG;YACf,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG;YACf,EAAE,EAAE,QAAQ;YACZ,QAAQ,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM;YAC1B,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;SACtD;KACF,CAAC;AACJ,CAAC"}

package/dist/crypto/envelope.d.ts

@@ -0,0 +1,34 @@
+import type { DerivedKeySet, DecryptResult, EncryptResult, Envelope, KeyId, Payload } from './types.js';
+/**
+ * Encrypt a payload into an envelope (v1).
+ *
+ * Steps per the envelope spec:
+ *  1. Serialize payload to canonical JSON, convert to UTF-8 bytes
+ *  2. Generate blob ID
+ *  3. Select key by kid (default CEK)
+ *  4. Construct AAD
+ *  5. Encrypt with AEAD
+ *  6. Concatenate: rawCt = nonce || ciphertext || tag
+ *  7. Compute commitment: HMAC-SHA256(commitKey, blobId || rawCt)
+ *  8. Verify-after-encrypt: decrypt rawCt, compare with original plaintext
+ *  9. Base64-encode ct and commit
+ * 10. Assemble Envelope object
+ * 11. Return EncryptResult with envelope and serialized JSON bytes
+ */
+export declare function encryptPayload(payload: Payload, keys: DerivedKeySet, kid?: KeyId): EncryptResult;
+/**
+ * Decrypt an envelope into a payload.
+ *
+ * Steps per the envelope spec:
+ *  1. Check v == 1
+ *  2. Base64-decode ct
+ *  3. Verify ct.len matches decoded length
+ *  4. Verify key commitment
+ *  5. Construct AAD
+ *  6. Split rawCt into nonce, ciphertext, tag
+ *  7. Decrypt
+ *  8. Parse plaintext as JSON, validate type field
+ *  9. Return DecryptResult
+ */
+export declare function decryptEnvelope(envelope: Envelope, keys: DerivedKeySet): DecryptResult;
+//# sourceMappingURL=envelope.d.ts.map

package/dist/crypto/envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../../crypto/envelope.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAEV,aAAa,EACb,aAAa,EACb,aAAa,EACb,QAAQ,EACR,KAAK,EACL,OAAO,EACR,MAAM,YAAY,CAAC;AAwBpB;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,aAAa,EACnB,GAAG,GAAE,KAAa,GACjB,aAAa,CA0Df;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,GAAG,aAAa,CA0DtF"}

package/dist/crypto/envelope.js

@@ -0,0 +1,160 @@
+import { aeadDecrypt, aeadEncrypt } from './aead.js';
+import { constructAAD } from './aad.js';
+import { generateBlobId } from './blob-id.js';
+import { canonicalJson } from './canonical-json.js';
+import { computeCommitment, verifyCommitment } from './commitment.js';
+// Algorithm parameters: nonce size and tag size
+const ALG_PARAMS = {
+    'XChaCha20-Poly1305': { nonceSize: 24, tagSize: 16 },
+    'AES-256-GCM': { nonceSize: 12, tagSize: 16 },
+};
+/**
+ * Look up the encryption key for a given key identifier.
+ */
+function getKey(keys, kid) {
+    switch (kid) {
+        case 'CEK':
+            return new Uint8Array(keys.contentKey.buffer);
+        case 'MEK':
+            return new Uint8Array(keys.metadataKey.buffer);
+        case 'EEK':
+            return new Uint8Array(keys.embeddingKey.buffer);
+        default:
+            throw new Error(`Unknown key identifier: ${kid}`);
+    }
+}
+/**
+ * Encrypt a payload into an envelope (v1).
+ *
+ * Steps per the envelope spec:
+ *  1. Serialize payload to canonical JSON, convert to UTF-8 bytes
+ *  2. Generate blob ID
+ *  3. Select key by kid (default CEK)
+ *  4. Construct AAD
+ *  5. Encrypt with AEAD
+ *  6. Concatenate: rawCt = nonce || ciphertext || tag
+ *  7. Compute commitment: HMAC-SHA256(commitKey, blobId || rawCt)
+ *  8. Verify-after-encrypt: decrypt rawCt, compare with original plaintext
+ *  9. Base64-encode ct and commit
+ * 10. Assemble Envelope object
+ * 11. Return EncryptResult with envelope and serialized JSON bytes
+ */
+export function encryptPayload(payload, keys, kid = 'CEK') {
+    const alg = 'XChaCha20-Poly1305';
+    // 1. Serialize to canonical JSON
+    const json = canonicalJson(payload);
+    const plaintextBytes = new TextEncoder().encode(json);
+    // 2. Generate blob ID
+    const blobId = generateBlobId();
+    // 3. Select encryption key
+    const encKey = getKey(keys, kid);
+    // 4. Construct AAD
+    const aad = constructAAD(alg, blobId, kid, 1);
+    // 5. Encrypt
+    const { nonce, ciphertext, tag } = aeadEncrypt(encKey, plaintextBytes, aad);
+    // 6. Concatenate: rawCt = nonce || ciphertext || tag
+    const rawCt = new Uint8Array(nonce.length + ciphertext.length + tag.length);
+    rawCt.set(nonce, 0);
+    rawCt.set(ciphertext, nonce.length);
+    rawCt.set(tag, nonce.length + ciphertext.length);
+    // 7. Compute key commitment
+    const commitKey = new Uint8Array(keys.commitKey.buffer);
+    const commitment = computeCommitment(commitKey, blobId, rawCt);
+    // 8. Verify-after-encrypt: decrypt and compare
+    const recovered = aeadDecrypt(encKey, nonce, ciphertext, tag, aad);
+    if (!constantTimeEqual(recovered, plaintextBytes)) {
+        throw new Error('Verify-after-encrypt failed: decrypted plaintext does not match original');
+    }
+    // 9. Base64-encode
+    const ctBase64 = Buffer.from(rawCt).toString('base64');
+    const commitBase64 = Buffer.from(commitment).toString('base64');
+    // 10. Assemble envelope
+    const envelope = {
+        v: 1,
+        id: blobId,
+        ts: new Date().toISOString(),
+        enc: {
+            alg,
+            kid,
+            ct: ctBase64,
+            'ct.len': rawCt.length,
+            commit: commitBase64,
+        },
+    };
+    // 11. Serialize envelope to bytes
+    const envelopeJson = JSON.stringify(envelope);
+    const bytes = new TextEncoder().encode(envelopeJson);
+    return { envelope, bytes };
+}
+/**
+ * Decrypt an envelope into a payload.
+ *
+ * Steps per the envelope spec:
+ *  1. Check v == 1
+ *  2. Base64-decode ct
+ *  3. Verify ct.len matches decoded length
+ *  4. Verify key commitment
+ *  5. Construct AAD
+ *  6. Split rawCt into nonce, ciphertext, tag
+ *  7. Decrypt
+ *  8. Parse plaintext as JSON, validate type field
+ *  9. Return DecryptResult
+ */
+export function decryptEnvelope(envelope, keys) {
+    // 1. Check version
+    if (envelope.v !== 1) {
+        throw new Error(`Unsupported envelope version: ${envelope.v}. Please update the app.`);
+    }
+    const alg = envelope.enc.alg;
+    const params = ALG_PARAMS[alg];
+    if (!params) {
+        throw new Error(`Unsupported algorithm: ${alg}`);
+    }
+    // 2. Base64-decode ct
+    const rawCt = new Uint8Array(Buffer.from(envelope.enc.ct, 'base64'));
+    // Verify minimum length
+    const minLength = params.nonceSize + params.tagSize + 1;
+    if (rawCt.length < minLength) {
+        throw new Error(`Truncated ciphertext: expected at least ${minLength} bytes, got ${rawCt.length}`);
+    }
+    // 3. Verify ct.len
+    if (envelope.enc['ct.len'] !== undefined && rawCt.length !== envelope.enc['ct.len']) {
+        throw new Error(`Ciphertext length mismatch: ct.len=${envelope.enc['ct.len']}, actual=${rawCt.length}`);
+    }
+    // 4. Verify key commitment
+    const commitKey = new Uint8Array(keys.commitKey.buffer);
+    const expectedCommit = new Uint8Array(Buffer.from(envelope.enc.commit, 'base64'));
+    if (!verifyCommitment(commitKey, envelope.id, rawCt, expectedCommit)) {
+        throw new Error('Key commitment verification failed');
+    }
+    // 5. Construct AAD
+    const aad = constructAAD(alg, envelope.id, envelope.enc.kid, envelope.v);
+    // 6. Split rawCt into nonce, ciphertext, tag
+    const nonce = rawCt.slice(0, params.nonceSize);
+    const ciphertext = rawCt.slice(params.nonceSize, rawCt.length - params.tagSize);
+    const tag = rawCt.slice(rawCt.length - params.tagSize);
+    // 7. Decrypt
+    const encKey = getKey(keys, envelope.enc.kid);
+    const plaintext = aeadDecrypt(encKey, nonce, ciphertext, tag, aad);
+    // 8. Parse plaintext as JSON
+    const json = new TextDecoder().decode(plaintext);
+    const payload = JSON.parse(json);
+    // Validate type field exists
+    if (!payload.type || !['source', 'chunk', 'canary'].includes(payload.type)) {
+        throw new Error(`Invalid payload type: ${payload.type}`);
+    }
+    // 9. Return result
+    return { payload, envelope };
+}
+/** Constant-time comparison of two byte arrays. */
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+        diff |= a[i] ^ b[i];
+    }
+    return diff === 0;
+}
+//# sourceMappingURL=envelope.js.map

package/dist/crypto/envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.js","sourceRoot":"","sources":["../../crypto/envelope.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAWtE,gDAAgD;AAChD,MAAM,UAAU,GAA8D;IAC5E,oBAAoB,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;IACpD,aAAa,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;CAC9C,CAAC;AAEF;;GAEG;AACH,SAAS,MAAM,CAAC,IAAmB,EAAE,GAAU;IAC7C,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,KAAK;YACR,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAChD,KAAK,KAAK;YACR,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QACjD,KAAK,KAAK;YACR,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAClD;YACE,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,EAAE,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,cAAc,CAC5B,OAAgB,EAChB,IAAmB,EACnB,MAAa,KAAK;IAElB,MAAM,GAAG,GAAc,oBAAoB,CAAC;IAE5C,iCAAiC;IACjC,MAAM,IAAI,GAAG,aAAa,CAAC,OAA6C,CAAC,CAAC;IAC1E,MAAM,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAEtD,sBAAsB;IACtB,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAEhC,2BAA2B;IAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAEjC,mBAAmB;IACnB,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAE9C,aAAa;IACb,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,WAAW,CAAC,MAAM,EAAE,cAAc,EAAE,GAAG,CAAC,CAAC;IAE5E,qDAAqD;IACrD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5E,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpB,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACpC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAEjD,4BAA4B;IAC5B,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACxD,MAAM,UAAU,GAAG,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IAE/D,+CAA+C;IAC/C,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IACnE,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;IAED,mBAAmB;IACnB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEhE,wBAAwB;IACxB,MAAM,QAAQ,GAAa;QACzB,CAAC,EAAE,CAAC;QACJ,EAAE,EAAE,MAAM;QACV,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,GAAG,EAAE;YACH,GAAG;YACH,GAAG;YACH,EAAE,EAAE,QAAQ;YACZ,QAAQ,EAAE,KAAK,CAAC,MAAM;YACtB,MAAM,EAAE,YAAY;SACrB;KACF,CAAC;IAEF,kCAAkC;IAClC,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAErD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AAC7B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAAC,QAAkB,EAAE,IAAmB;IACrE,mBAAmB;IACnB,IAAI,QAAQ,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,CAAC,0BAA0B,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;IAC7B,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,sBAAsB;IACtB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;IAErE,wBAAwB;IACxB,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IACxD,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,2CAA2C,SAAS,eAAe,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACrG,CAAC;IAED,mBAAmB;IACnB,IAAI,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpF,MAAM,IAAI,KAAK,CACb,sCAAsC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,KAAK,CAAC,MAAM,EAAE,CACvF,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACxD,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClF,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,EAAE,cAAc,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,mBAAmB;IACnB,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;IAEzE,6CAA6C;IAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAChF,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAEvD,aAAa;IACb,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAEnE,6BAA6B;IAC7B,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;IAE5C,6BAA6B;IAC7B,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,yBAA0B,OAA8C,CAAC,IAAI,EAAE,CAAC,CAAC;IACnG,CAAC;IAED,mBAAmB;IACnB,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AAC/B,CAAC;AAED,mDAAmD;AACnD,SAAS,iBAAiB,CAAC,CAAa,EAAE,CAAa;IACrD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC"}

package/dist/crypto/hkdf.d.ts

@@ -0,0 +1,16 @@
+import type { DerivedKeySet } from './types.js';
+/**
+ * Derive a key using HKDF-SHA256 (Extract+Expand per RFC 5869).
+ * @param ikm - Input keying material
+ * @param info - Context/application-specific info string
+ * @param salt - Optional salt (defaults to empty Uint8Array)
+ * @param length - Output key length in bytes (default 32)
+ */
+export declare function deriveKey(ikm: Uint8Array, info: string, salt?: Uint8Array, length?: number): Uint8Array;
+/**
+ * Derive the complete set of subkeys from a master key.
+ * Returns SecureBuffer-wrapped keys for:
+ *   CEK (content), MEK (metadata), EEK (embedding), CKY (commit)
+ */
+export declare function deriveKeySet(masterKey: Uint8Array, salt?: Uint8Array): DerivedKeySet;
+//# sourceMappingURL=hkdf.d.ts.map

package/dist/crypto/hkdf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.d.ts","sourceRoot":"","sources":["../../crypto/hkdf.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAIhD;;;;;;GAMG;AACH,wBAAgB,SAAS,CACvB,GAAG,EAAE,UAAU,EACf,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE,UAAU,EACjB,MAAM,CAAC,EAAE,MAAM,GACd,UAAU,CAGZ;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,UAAU,GAAG,aAAa,CAYpF"}