npm - @de-otio/chaoskb-client - Versions diffs - 0.2.0 - Mend

@de-otio/chaoskb-client 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (355) hide show

package/dist/cli/agent-registry/config-merger.d.ts +28 -0
package/dist/cli/agent-registry/config-merger.d.ts.map +1 -0
package/dist/cli/agent-registry/config-merger.js +90 -0
package/dist/cli/agent-registry/config-merger.js.map +1 -0
package/dist/cli/agent-registry/detector.d.ts +7 -0
package/dist/cli/agent-registry/detector.d.ts.map +1 -0
package/dist/cli/agent-registry/detector.js +100 -0
package/dist/cli/agent-registry/detector.js.map +1 -0
package/dist/cli/agent-registry/index.d.ts +26 -0
package/dist/cli/agent-registry/index.d.ts.map +1 -0
package/dist/cli/agent-registry/index.js +77 -0
package/dist/cli/agent-registry/index.js.map +1 -0
package/dist/cli/agent-registry/path-validator.d.ts +11 -0
package/dist/cli/agent-registry/path-validator.d.ts.map +1 -0
package/dist/cli/agent-registry/path-validator.js +69 -0
package/dist/cli/agent-registry/path-validator.js.map +1 -0
package/dist/cli/agent-registry/registry.json +108 -0
package/dist/cli/agent-registry/types.d.ts +29 -0
package/dist/cli/agent-registry/types.d.ts.map +1 -0
package/dist/cli/agent-registry/types.js +2 -0
package/dist/cli/agent-registry/types.js.map +1 -0
package/dist/cli/bootstrap-lock.d.ts +7 -0
package/dist/cli/bootstrap-lock.d.ts.map +1 -0
package/dist/cli/bootstrap-lock.js +62 -0
package/dist/cli/bootstrap-lock.js.map +1 -0
package/dist/cli/bootstrap.d.ts +23 -0
package/dist/cli/bootstrap.d.ts.map +1 -0
package/dist/cli/bootstrap.js +438 -0
package/dist/cli/bootstrap.js.map +1 -0
package/dist/cli/commands/config.d.ts +13 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +244 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/devices.d.ts +21 -0
package/dist/cli/commands/devices.d.ts.map +1 -0
package/dist/cli/commands/devices.js +229 -0
package/dist/cli/commands/devices.js.map +1 -0
package/dist/cli/commands/export.d.ts +12 -0
package/dist/cli/commands/export.d.ts.map +1 -0
package/dist/cli/commands/export.js +183 -0
package/dist/cli/commands/export.js.map +1 -0
package/dist/cli/commands/import.d.ts +26 -0
package/dist/cli/commands/import.d.ts.map +1 -0
package/dist/cli/commands/import.js +311 -0
package/dist/cli/commands/import.js.map +1 -0
package/dist/cli/commands/kb.d.ts +39 -0
package/dist/cli/commands/kb.d.ts.map +1 -0
package/dist/cli/commands/kb.js +138 -0
package/dist/cli/commands/kb.js.map +1 -0
package/dist/cli/commands/project.d.ts +6 -0
package/dist/cli/commands/project.d.ts.map +1 -0
package/dist/cli/commands/project.js +115 -0
package/dist/cli/commands/project.js.map +1 -0
package/dist/cli/commands/projects.d.ts +33 -0
package/dist/cli/commands/projects.d.ts.map +1 -0
package/dist/cli/commands/projects.js +189 -0
package/dist/cli/commands/projects.js.map +1 -0
package/dist/cli/commands/register.d.ts +8 -0
package/dist/cli/commands/register.d.ts.map +1 -0
package/dist/cli/commands/register.js +146 -0
package/dist/cli/commands/register.js.map +1 -0
package/dist/cli/commands/rotate-key.d.ts +16 -0
package/dist/cli/commands/rotate-key.d.ts.map +1 -0
package/dist/cli/commands/rotate-key.js +197 -0
package/dist/cli/commands/rotate-key.js.map +1 -0
package/dist/cli/commands/setup-sync.d.ts +2 -0
package/dist/cli/commands/setup-sync.d.ts.map +1 -0
package/dist/cli/commands/setup-sync.js +165 -0
package/dist/cli/commands/setup-sync.js.map +1 -0
package/dist/cli/commands/setup.d.ts +12 -0
package/dist/cli/commands/setup.d.ts.map +1 -0
package/dist/cli/commands/setup.js +39 -0
package/dist/cli/commands/setup.js.map +1 -0
package/dist/cli/commands/status.d.ts +5 -0
package/dist/cli/commands/status.d.ts.map +1 -0
package/dist/cli/commands/status.js +96 -0
package/dist/cli/commands/status.js.map +1 -0
package/dist/cli/commands/uninstall.d.ts +4 -0
package/dist/cli/commands/uninstall.d.ts.map +1 -0
package/dist/cli/commands/uninstall.js +85 -0
package/dist/cli/commands/uninstall.js.map +1 -0
package/dist/cli/commands/unregister.d.ts +2 -0
package/dist/cli/commands/unregister.d.ts.map +1 -0
package/dist/cli/commands/unregister.js +46 -0
package/dist/cli/commands/unregister.js.map +1 -0
package/dist/cli/device-metadata.d.ts +15 -0
package/dist/cli/device-metadata.d.ts.map +1 -0
package/dist/cli/device-metadata.js +58 -0
package/dist/cli/device-metadata.js.map +1 -0
package/dist/cli/github.d.ts +38 -0
package/dist/cli/github.d.ts.map +1 -0
package/dist/cli/github.js +159 -0
package/dist/cli/github.js.map +1 -0
package/dist/cli/guide-hashes.json +13 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +226 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/mcp-server.d.ts +205 -0
package/dist/cli/mcp-server.d.ts.map +1 -0
package/dist/cli/mcp-server.js +366 -0
package/dist/cli/mcp-server.js.map +1 -0
package/dist/cli/tools/kb-delete.d.ts +10 -0
package/dist/cli/tools/kb-delete.d.ts.map +1 -0
package/dist/cli/tools/kb-delete.js +28 -0
package/dist/cli/tools/kb-delete.js.map +1 -0
package/dist/cli/tools/kb-ingest.d.ts +13 -0
package/dist/cli/tools/kb-ingest.d.ts.map +1 -0
package/dist/cli/tools/kb-ingest.js +72 -0
package/dist/cli/tools/kb-ingest.js.map +1 -0
package/dist/cli/tools/kb-list.d.ts +20 -0
package/dist/cli/tools/kb-list.d.ts.map +1 -0
package/dist/cli/tools/kb-list.js +24 -0
package/dist/cli/tools/kb-list.js.map +1 -0
package/dist/cli/tools/kb-query-shared.d.ts +27 -0
package/dist/cli/tools/kb-query-shared.d.ts.map +1 -0
package/dist/cli/tools/kb-query-shared.js +28 -0
package/dist/cli/tools/kb-query-shared.js.map +1 -0
package/dist/cli/tools/kb-query.d.ts +20 -0
package/dist/cli/tools/kb-query.d.ts.map +1 -0
package/dist/cli/tools/kb-query.js +109 -0
package/dist/cli/tools/kb-query.js.map +1 -0
package/dist/cli/tools/kb-summary.d.ts +29 -0
package/dist/cli/tools/kb-summary.d.ts.map +1 -0
package/dist/cli/tools/kb-summary.js +89 -0
package/dist/cli/tools/kb-summary.js.map +1 -0
package/dist/cli/tools/kb-sync-status.d.ts +7 -0
package/dist/cli/tools/kb-sync-status.d.ts.map +1 -0
package/dist/cli/tools/kb-sync-status.js +48 -0
package/dist/cli/tools/kb-sync-status.js.map +1 -0
package/dist/crypto/aad.d.ts +8 -0
package/dist/crypto/aad.d.ts.map +1 -0
package/dist/crypto/aad.js +11 -0
package/dist/crypto/aad.js.map +1 -0
package/dist/crypto/aead.d.ts +21 -0
package/dist/crypto/aead.d.ts.map +1 -0
package/dist/crypto/aead.js +43 -0
package/dist/crypto/aead.js.map +1 -0
package/dist/crypto/argon2.d.ts +11 -0
package/dist/crypto/argon2.d.ts.map +1 -0
package/dist/crypto/argon2.js +33 -0
package/dist/crypto/argon2.js.map +1 -0
package/dist/crypto/blob-id.d.ts +6 -0
package/dist/crypto/blob-id.d.ts.map +1 -0
package/dist/crypto/blob-id.js +33 -0
package/dist/crypto/blob-id.js.map +1 -0
package/dist/crypto/canonical-json.d.ts +6 -0
package/dist/crypto/canonical-json.d.ts.map +1 -0
package/dist/crypto/canonical-json.js +88 -0
package/dist/crypto/canonical-json.js.map +1 -0
package/dist/crypto/commitment.d.ts +12 -0
package/dist/crypto/commitment.d.ts.map +1 -0
package/dist/crypto/commitment.js +37 -0
package/dist/crypto/commitment.js.map +1 -0
package/dist/crypto/encryption-service.d.ts +19 -0
package/dist/crypto/encryption-service.d.ts.map +1 -0
package/dist/crypto/encryption-service.js +38 -0
package/dist/crypto/encryption-service.js.map +1 -0
package/dist/crypto/envelope-cbor.d.ts +37 -0
package/dist/crypto/envelope-cbor.d.ts.map +1 -0
package/dist/crypto/envelope-cbor.js +124 -0
package/dist/crypto/envelope-cbor.js.map +1 -0
package/dist/crypto/envelope.d.ts +34 -0
package/dist/crypto/envelope.d.ts.map +1 -0
package/dist/crypto/envelope.js +160 -0
package/dist/crypto/envelope.js.map +1 -0
package/dist/crypto/hkdf.d.ts +16 -0
package/dist/crypto/hkdf.d.ts.map +1 -0
package/dist/crypto/hkdf.js +33 -0
package/dist/crypto/hkdf.js.map +1 -0
package/dist/crypto/index.d.ts +15 -0
package/dist/crypto/index.d.ts.map +1 -0
package/dist/crypto/index.js +15 -0
package/dist/crypto/index.js.map +1 -0
package/dist/crypto/invite.d.ts +31 -0
package/dist/crypto/invite.d.ts.map +1 -0
package/dist/crypto/invite.js +137 -0
package/dist/crypto/invite.js.map +1 -0
package/dist/crypto/keyring.d.ts +37 -0
package/dist/crypto/keyring.d.ts.map +1 -0
package/dist/crypto/keyring.js +219 -0
package/dist/crypto/keyring.js.map +1 -0
package/dist/crypto/known-keys.d.ts +34 -0
package/dist/crypto/known-keys.d.ts.map +1 -0
package/dist/crypto/known-keys.js +106 -0
package/dist/crypto/known-keys.js.map +1 -0
package/dist/crypto/project-keys.d.ts +26 -0
package/dist/crypto/project-keys.d.ts.map +1 -0
package/dist/crypto/project-keys.js +69 -0
package/dist/crypto/project-keys.js.map +1 -0
package/dist/crypto/secure-buffer.d.ts +31 -0
package/dist/crypto/secure-buffer.d.ts.map +1 -0
package/dist/crypto/secure-buffer.js +61 -0
package/dist/crypto/secure-buffer.js.map +1 -0
package/dist/crypto/ssh-agent.d.ts +16 -0
package/dist/crypto/ssh-agent.d.ts.map +1 -0
package/dist/crypto/ssh-agent.js +225 -0
package/dist/crypto/ssh-agent.js.map +1 -0
package/dist/crypto/ssh-keys.d.ts +19 -0
package/dist/crypto/ssh-keys.d.ts.map +1 -0
package/dist/crypto/ssh-keys.js +121 -0
package/dist/crypto/ssh-keys.js.map +1 -0
package/dist/crypto/tiers/enhanced.d.ts +25 -0
package/dist/crypto/tiers/enhanced.d.ts.map +1 -0
package/dist/crypto/tiers/enhanced.js +56 -0
package/dist/crypto/tiers/enhanced.js.map +1 -0
package/dist/crypto/tiers/maximum.d.ts +19 -0
package/dist/crypto/tiers/maximum.d.ts.map +1 -0
package/dist/crypto/tiers/maximum.js +25 -0
package/dist/crypto/tiers/maximum.js.map +1 -0
package/dist/crypto/tiers/standard.d.ts +27 -0
package/dist/crypto/tiers/standard.d.ts.map +1 -0
package/dist/crypto/tiers/standard.js +147 -0
package/dist/crypto/tiers/standard.js.map +1 -0
package/dist/crypto/types.d.ts +169 -0
package/dist/crypto/types.d.ts.map +1 -0
package/dist/crypto/types.js +11 -0
package/dist/crypto/types.js.map +1 -0
package/dist/pipeline/chunker.d.ts +27 -0
package/dist/pipeline/chunker.d.ts.map +1 -0
package/dist/pipeline/chunker.js +96 -0
package/dist/pipeline/chunker.js.map +1 -0
package/dist/pipeline/content-pipeline.d.ts +24 -0
package/dist/pipeline/content-pipeline.d.ts.map +1 -0
package/dist/pipeline/content-pipeline.js +49 -0
package/dist/pipeline/content-pipeline.js.map +1 -0
package/dist/pipeline/embedder.d.ts +49 -0
package/dist/pipeline/embedder.d.ts.map +1 -0
package/dist/pipeline/embedder.js +195 -0
package/dist/pipeline/embedder.js.map +1 -0
package/dist/pipeline/extract.d.ts +17 -0
package/dist/pipeline/extract.d.ts.map +1 -0
package/dist/pipeline/extract.js +70 -0
package/dist/pipeline/extract.js.map +1 -0
package/dist/pipeline/fetch.d.ts +26 -0
package/dist/pipeline/fetch.d.ts.map +1 -0
package/dist/pipeline/fetch.js +91 -0
package/dist/pipeline/fetch.js.map +1 -0
package/dist/pipeline/index.d.ts +10 -0
package/dist/pipeline/index.d.ts.map +1 -0
package/dist/pipeline/index.js +10 -0
package/dist/pipeline/index.js.map +1 -0
package/dist/pipeline/model-manager.d.ts +57 -0
package/dist/pipeline/model-manager.d.ts.map +1 -0
package/dist/pipeline/model-manager.js +234 -0
package/dist/pipeline/model-manager.js.map +1 -0
package/dist/pipeline/search.d.ts +37 -0
package/dist/pipeline/search.d.ts.map +1 -0
package/dist/pipeline/search.js +65 -0
package/dist/pipeline/search.js.map +1 -0
package/dist/pipeline/tokenizer.d.ts +29 -0
package/dist/pipeline/tokenizer.d.ts.map +1 -0
package/dist/pipeline/tokenizer.js +54 -0
package/dist/pipeline/tokenizer.js.map +1 -0
package/dist/pipeline/types.d.ts +86 -0
package/dist/pipeline/types.d.ts.map +1 -0
package/dist/pipeline/types.js +2 -0
package/dist/pipeline/types.js.map +1 -0
package/dist/pipeline/wordpiece-tokenizer.d.ts +60 -0
package/dist/pipeline/wordpiece-tokenizer.d.ts.map +1 -0
package/dist/pipeline/wordpiece-tokenizer.js +251 -0
package/dist/pipeline/wordpiece-tokenizer.js.map +1 -0
package/dist/storage/chunk-repo.d.ts +29 -0
package/dist/storage/chunk-repo.d.ts.map +1 -0
package/dist/storage/chunk-repo.js +115 -0
package/dist/storage/chunk-repo.js.map +1 -0
package/dist/storage/database-manager.d.ts +17 -0
package/dist/storage/database-manager.d.ts.map +1 -0
package/dist/storage/database-manager.js +100 -0
package/dist/storage/database-manager.js.map +1 -0
package/dist/storage/database.d.ts +10 -0
package/dist/storage/database.d.ts.map +1 -0
package/dist/storage/database.js +34 -0
package/dist/storage/database.js.map +1 -0
package/dist/storage/embedding-index.d.ts +22 -0
package/dist/storage/embedding-index.d.ts.map +1 -0
package/dist/storage/embedding-index.js +78 -0
package/dist/storage/embedding-index.js.map +1 -0
package/dist/storage/index.d.ts +10 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +10 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/kb-database.d.ts +11 -0
package/dist/storage/kb-database.d.ts.map +1 -0
package/dist/storage/kb-database.js +24 -0
package/dist/storage/kb-database.js.map +1 -0
package/dist/storage/schema.d.ts +6 -0
package/dist/storage/schema.d.ts.map +1 -0
package/dist/storage/schema.js +122 -0
package/dist/storage/schema.js.map +1 -0
package/dist/storage/source-repo.d.ts +20 -0
package/dist/storage/source-repo.d.ts.map +1 -0
package/dist/storage/source-repo.js +120 -0
package/dist/storage/source-repo.js.map +1 -0
package/dist/storage/sync-status-repo.d.ts +15 -0
package/dist/storage/sync-status-repo.d.ts.map +1 -0
package/dist/storage/sync-status-repo.js +40 -0
package/dist/storage/sync-status-repo.js.map +1 -0
package/dist/storage/types.d.ts +139 -0
package/dist/storage/types.d.ts.map +1 -0
package/dist/storage/types.js +9 -0
package/dist/storage/types.js.map +1 -0
package/dist/sync/canary.d.ts +14 -0
package/dist/sync/canary.d.ts.map +1 -0
package/dist/sync/canary.js +53 -0
package/dist/sync/canary.js.map +1 -0
package/dist/sync/full-sync.d.ts +16 -0
package/dist/sync/full-sync.d.ts.map +1 -0
package/dist/sync/full-sync.js +91 -0
package/dist/sync/full-sync.js.map +1 -0
package/dist/sync/http-client.d.ts +28 -0
package/dist/sync/http-client.d.ts.map +1 -0
package/dist/sync/http-client.js +90 -0
package/dist/sync/http-client.js.map +1 -0
package/dist/sync/incremental-sync.d.ts +17 -0
package/dist/sync/incremental-sync.d.ts.map +1 -0
package/dist/sync/incremental-sync.js +155 -0
package/dist/sync/incremental-sync.js.map +1 -0
package/dist/sync/index.d.ts +12 -0
package/dist/sync/index.d.ts.map +1 -0
package/dist/sync/index.js +12 -0
package/dist/sync/index.js.map +1 -0
package/dist/sync/quota.d.ts +17 -0
package/dist/sync/quota.d.ts.map +1 -0
package/dist/sync/quota.js +48 -0
package/dist/sync/quota.js.map +1 -0
package/dist/sync/sequence.d.ts +21 -0
package/dist/sync/sequence.d.ts.map +1 -0
package/dist/sync/sequence.js +49 -0
package/dist/sync/sequence.js.map +1 -0
package/dist/sync/ssh-signer.d.ts +59 -0
package/dist/sync/ssh-signer.d.ts.map +1 -0
package/dist/sync/ssh-signer.js +241 -0
package/dist/sync/ssh-signer.js.map +1 -0
package/dist/sync/sync-service.d.ts +48 -0
package/dist/sync/sync-service.d.ts.map +1 -0
package/dist/sync/sync-service.js +116 -0
package/dist/sync/sync-service.js.map +1 -0
package/dist/sync/types.d.ts +106 -0
package/dist/sync/types.d.ts.map +1 -0
package/dist/sync/types.js +2 -0
package/dist/sync/types.js.map +1 -0
package/dist/sync/upload-queue.d.ts +40 -0
package/dist/sync/upload-queue.d.ts.map +1 -0
package/dist/sync/upload-queue.js +148 -0
package/dist/sync/upload-queue.js.map +1 -0
package/dist/sync/verification.d.ts +17 -0
package/dist/sync/verification.d.ts.map +1 -0
package/dist/sync/verification.js +25 -0
package/dist/sync/verification.js.map +1 -0
package/dist/vitest.config.d.ts +3 -0
package/dist/vitest.config.d.ts.map +1 -0
package/dist/vitest.config.js +16 -0
package/dist/vitest.config.js.map +1 -0
package/package.json +68 -0

package/dist/crypto/known-keys.js ADDED Viewed

@@ -0,0 +1,106 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+function getKnownKeysPath() {
+    return path.join(os.homedir(), '.chaoskb', 'known_keys.json');
+}
+/**
+ * Trust on First Use (TOFU) key pinning for invite recipients.
+ *
+ * When we first see a recipient's public key (from GitHub, GitLab, or direct),
+ * we pin it. On subsequent invites, we check if the key has changed.
+ * A key mismatch triggers a warning; a conflict with an independent source
+ * is a hard block.
+ */
+function loadStore() {
+    try {
+        return JSON.parse(fs.readFileSync(getKnownKeysPath(), 'utf-8'));
+    }
+    catch {
+        return {};
+    }
+}
+function saveStore(store) {
+    const dir = path.dirname(getKnownKeysPath());
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+    fs.writeFileSync(getKnownKeysPath(), JSON.stringify(store, null, 2), { mode: 0o600 });
+}
+/**
+ * Pin a key for an identifier (e.g., "github:alice").
+ * Throws if the identifier is already pinned with a different fingerprint.
+ */
+export function pinKey(identifier, fingerprint, publicKey, source) {
+    const store = loadStore();
+    const existing = store[identifier];
+    if (existing && existing.fingerprint !== fingerprint) {
+        throw new KeyMismatchError(identifier, existing.fingerprint, fingerprint, existing.source, source);
+    }
+    if (existing && existing.fingerprint === fingerprint) {
+        // Same key — update verifiedAt
+        existing.verifiedAt = new Date().toISOString();
+        saveStore(store);
+        return;
+    }
+    // New key — pin it
+    store[identifier] = {
+        fingerprint,
+        publicKey,
+        source,
+        firstSeen: new Date().toISOString(),
+        verifiedAt: new Date().toISOString(),
+    };
+    saveStore(store);
+}
+/**
+ * Get a pinned key by identifier.
+ */
+export function getPinnedKey(identifier) {
+    const store = loadStore();
+    return store[identifier] ?? null;
+}
+/**
+ * Check a key against the pin store.
+ */
+export function checkKeyPin(identifier, fingerprint) {
+    const store = loadStore();
+    const existing = store[identifier];
+    if (!existing)
+        return 'new';
+    if (existing.fingerprint === fingerprint)
+        return 'match';
+    return 'mismatch';
+}
+/**
+ * Update a pinned key after verified rotation (e.g., new key confirmed on GitHub).
+ */
+export function updatePinnedKey(identifier, fingerprint, publicKey, source) {
+    const store = loadStore();
+    store[identifier] = {
+        fingerprint,
+        publicKey,
+        source,
+        firstSeen: store[identifier]?.firstSeen ?? new Date().toISOString(),
+        verifiedAt: new Date().toISOString(),
+    };
+    saveStore(store);
+}
+export class KeyMismatchError extends Error {
+    identifier;
+    pinnedFingerprint;
+    newFingerprint;
+    pinnedSource;
+    newSource;
+    constructor(identifier, pinnedFingerprint, newFingerprint, pinnedSource, newSource) {
+        super(`Key mismatch for ${identifier}:\n` +
+            `  Pinned:   ${pinnedFingerprint} (source: ${pinnedSource})\n` +
+            `  Received: ${newFingerprint} (source: ${newSource})\n` +
+            `This may indicate a compromised key source. The operation was blocked.`);
+        this.identifier = identifier;
+        this.pinnedFingerprint = pinnedFingerprint;
+        this.newFingerprint = newFingerprint;
+        this.pinnedSource = pinnedSource;
+        this.newSource = newSource;
+        this.name = 'KeyMismatchError';
+    }
+}
+//# sourceMappingURL=known-keys.js.map

package/dist/crypto/known-keys.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"known-keys.js","sourceRoot":"","sources":["../../crypto/known-keys.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,SAAS,gBAAgB;IACvB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC;AAChE,CAAC;AAYD;;;;;;;GAOG;AAEH,SAAS,SAAS;IAChB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAqB;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAC7C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACxF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,MAAM,CACpB,UAAkB,EAClB,WAAmB,EACnB,SAAiB,EACjB,MAAc;IAEd,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IAEnC,IAAI,QAAQ,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;QACrD,MAAM,IAAI,gBAAgB,CACxB,UAAU,EACV,QAAQ,CAAC,WAAW,EACpB,WAAW,EACX,QAAQ,CAAC,MAAM,EACf,MAAM,CACP,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;QACrD,+BAA+B;QAC/B,QAAQ,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/C,SAAS,CAAC,KAAK,CAAC,CAAC;QACjB,OAAO;IACT,CAAC;IAED,mBAAmB;IACnB,KAAK,CAAC,UAAU,CAAC,GAAG;QAClB,WAAW;QACX,SAAS;QACT,MAAM;QACN,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IACF,SAAS,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,UAAkB,EAClB,WAAmB;IAEnB,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IAEnC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW;QAAE,OAAO,OAAO,CAAC;IACzD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,UAAkB,EAClB,WAAmB,EACnB,SAAiB,EACjB,MAAc;IAEd,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,KAAK,CAAC,UAAU,CAAC,GAAG;QAClB,WAAW;QACX,SAAS;QACT,MAAM;QACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IACF,SAAS,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAEvB;IACA;IACA;IACA;IACA;IALlB,YACkB,UAAkB,EAClB,iBAAyB,EACzB,cAAsB,EACtB,YAAoB,EACpB,SAAiB;QAEjC,KAAK,CACH,oBAAoB,UAAU,KAAK;YACnC,eAAe,iBAAiB,aAAa,YAAY,KAAK;YAC9D,eAAe,cAAc,aAAa,SAAS,KAAK;YACxD,wEAAwE,CACzE,CAAC;QAXc,eAAU,GAAV,UAAU,CAAQ;QAClB,sBAAiB,GAAjB,iBAAiB,CAAQ;QACzB,mBAAc,GAAd,cAAc,CAAQ;QACtB,iBAAY,GAAZ,YAAY,CAAQ;QACpB,cAAS,GAAT,SAAS,CAAQ;QAQjC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF"}

package/dist/crypto/project-keys.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import type { ISecureBuffer } from './types.js';
+/**
+ * Create a new random project key and wrap it with the personal master key.
+ *
+ * Uses HKDF to derive a wrapping key from the master key, then encrypts
+ * the project key with XChaCha20-Poly1305. AAD can include a project name
+ * for binding.
+ *
+ * @param personalMasterKey - The user's personal master key
+ * @param projectName - Optional project name for AAD binding
+ * @returns The project key (SecureBuffer) and the wrapped (encrypted) form
+ */
+export declare function createProjectKey(personalMasterKey: ISecureBuffer, projectName?: string): {
+    projectKey: ISecureBuffer;
+    wrappedKey: Uint8Array;
+};
+/**
+ * Unwrap a project key using the personal master key.
+ *
+ * @param wrappedKey - The wrapped project key (nonce || ciphertext || tag)
+ * @param personalMasterKey - The user's personal master key
+ * @param projectName - Optional project name for AAD binding (must match what was used during wrapping)
+ * @returns The unwrapped project key as a SecureBuffer
+ */
+export declare function unwrapProjectKey(wrappedKey: Uint8Array, personalMasterKey: ISecureBuffer, projectName?: string): ISecureBuffer;
+//# sourceMappingURL=project-keys.d.ts.map

package/dist/crypto/project-keys.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"project-keys.d.ts","sourceRoot":"","sources":["../../crypto/project-keys.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhD;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAC9B,iBAAiB,EAAE,aAAa,EAChC,WAAW,CAAC,EAAE,MAAM,GACnB;IAAE,UAAU,EAAE,aAAa,CAAC;IAAC,UAAU,EAAE,UAAU,CAAA;CAAE,CA8BvD;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,aAAa,EAChC,WAAW,CAAC,EAAE,MAAM,GACnB,aAAa,CA+Bf"}

package/dist/crypto/project-keys.js ADDED Viewed

@@ -0,0 +1,69 @@
+import { randomBytes } from 'node:crypto';
+import { aeadEncrypt, aeadDecrypt } from './aead.js';
+import { deriveKey } from './hkdf.js';
+import { SecureBuffer } from './secure-buffer.js';
+const PROJECT_KEY_LENGTH = 32;
+const WRAP_INFO = 'chaoskb-project-wrap';
+/**
+ * Create a new random project key and wrap it with the personal master key.
+ *
+ * Uses HKDF to derive a wrapping key from the master key, then encrypts
+ * the project key with XChaCha20-Poly1305. AAD can include a project name
+ * for binding.
+ *
+ * @param personalMasterKey - The user's personal master key
+ * @param projectName - Optional project name for AAD binding
+ * @returns The project key (SecureBuffer) and the wrapped (encrypted) form
+ */
+export function createProjectKey(personalMasterKey, projectName) {
+    // Generate random 32-byte project key
+    const projectKeyBytes = randomBytes(PROJECT_KEY_LENGTH);
+    // Derive a wrapping key via HKDF
+    const wrappingKey = deriveKey(new Uint8Array(personalMasterKey.buffer), WRAP_INFO);
+    // AAD: project name if available, otherwise empty
+    const aad = projectName
+        ? new TextEncoder().encode(projectName)
+        : new Uint8Array(0);
+    // Encrypt project key with XChaCha20-Poly1305
+    const { nonce, ciphertext, tag } = aeadEncrypt(wrappingKey, projectKeyBytes, aad);
+    // Zero wrapping key and plaintext project key bytes
+    wrappingKey.fill(0);
+    // Serialize: nonce(24) || ciphertext || tag(16)
+    const wrappedKey = new Uint8Array(nonce.length + ciphertext.length + tag.length);
+    wrappedKey.set(nonce, 0);
+    wrappedKey.set(ciphertext, nonce.length);
+    wrappedKey.set(tag, nonce.length + ciphertext.length);
+    const projectKey = SecureBuffer.from(projectKeyBytes);
+    return { projectKey, wrappedKey };
+}
+/**
+ * Unwrap a project key using the personal master key.
+ *
+ * @param wrappedKey - The wrapped project key (nonce || ciphertext || tag)
+ * @param personalMasterKey - The user's personal master key
+ * @param projectName - Optional project name for AAD binding (must match what was used during wrapping)
+ * @returns The unwrapped project key as a SecureBuffer
+ */
+export function unwrapProjectKey(wrappedKey, personalMasterKey, projectName) {
+    const NONCE_SIZE = 24;
+    const TAG_SIZE = 16;
+    if (wrappedKey.length < NONCE_SIZE + TAG_SIZE + 1) {
+        throw new Error('Wrapped key is too short');
+    }
+    // Derive the same wrapping key
+    const wrappingKey = deriveKey(new Uint8Array(personalMasterKey.buffer), WRAP_INFO);
+    // Split wrapped key into nonce, ciphertext, tag
+    const nonce = wrappedKey.slice(0, NONCE_SIZE);
+    const ciphertext = wrappedKey.slice(NONCE_SIZE, wrappedKey.length - TAG_SIZE);
+    const tag = wrappedKey.slice(wrappedKey.length - TAG_SIZE);
+    // AAD: project name if available, otherwise empty
+    const aad = projectName
+        ? new TextEncoder().encode(projectName)
+        : new Uint8Array(0);
+    // Decrypt
+    const projectKeyBytes = aeadDecrypt(wrappingKey, nonce, ciphertext, tag, aad);
+    // Zero wrapping key
+    wrappingKey.fill(0);
+    return SecureBuffer.from(Buffer.from(projectKeyBytes));
+}
+//# sourceMappingURL=project-keys.js.map

package/dist/crypto/project-keys.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"project-keys.js","sourceRoot":"","sources":["../../crypto/project-keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAC9B,MAAM,SAAS,GAAG,sBAAsB,CAAC;AAEzC;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAC9B,iBAAgC,EAChC,WAAoB;IAEpB,sCAAsC;IACtC,MAAM,eAAe,GAAG,WAAW,CAAC,kBAAkB,CAAC,CAAC;IAExD,iCAAiC;IACjC,MAAM,WAAW,GAAG,SAAS,CAC3B,IAAI,UAAU,CAAC,iBAAiB,CAAC,MAAM,CAAC,EACxC,SAAS,CACV,CAAC;IAEF,kDAAkD;IAClD,MAAM,GAAG,GAAG,WAAW;QACrB,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;QACvC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtB,8CAA8C;IAC9C,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IAElF,oDAAoD;IACpD,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpB,gDAAgD;IAChD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IACjF,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACzB,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACzC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAEtD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAEtD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAAsB,EACtB,iBAAgC,EAChC,WAAoB;IAEpB,MAAM,UAAU,GAAG,EAAE,CAAC;IACtB,MAAM,QAAQ,GAAG,EAAE,CAAC;IAEpB,IAAI,UAAU,CAAC,MAAM,GAAG,UAAU,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,+BAA+B;IAC/B,MAAM,WAAW,GAAG,SAAS,CAC3B,IAAI,UAAU,CAAC,iBAAiB,CAAC,MAAM,CAAC,EACxC,SAAS,CACV,CAAC;IAEF,gDAAgD;IAChD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAE3D,kDAAkD;IAClD,MAAM,GAAG,GAAG,WAAW;QACrB,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;QACvC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtB,UAAU;IACV,MAAM,eAAe,GAAG,WAAW,CAAC,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAE9E,oBAAoB;IACpB,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpB,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;AACzD,CAAC"}

package/dist/crypto/secure-buffer.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import type { ISecureBuffer } from './types.js';
+/**
+ * Memory-locked buffer for sensitive key material.
+ * Uses sodium_malloc (mlock'd pages) and sodium_memzero on dispose.
+ */
+export declare class SecureBuffer implements ISecureBuffer {
+    private _buffer;
+    private _disposed;
+    private constructor();
+    /** Read the buffer contents. Throws if disposed. */
+    get buffer(): Buffer;
+    /** Byte length of the buffer. */
+    get length(): number;
+    /** Whether the buffer has been zeroed and disposed. */
+    get isDisposed(): boolean;
+    /**
+     * Zero the buffer contents and mark as disposed.
+     * Safe to call multiple times (idempotent).
+     */
+    dispose(): void;
+    /** Support `using` keyword (TC39 Explicit Resource Management). */
+    [Symbol.dispose](): void;
+    /**
+     * Copy data into a new SecureBuffer and zero the source.
+     * The source buffer is zeroed after copying regardless of type.
+     */
+    static from(data: Buffer | Uint8Array): SecureBuffer;
+    /** Allocate a new zeroed SecureBuffer of the given length. */
+    static alloc(length: number): SecureBuffer;
+}
+//# sourceMappingURL=secure-buffer.d.ts.map

package/dist/crypto/secure-buffer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secure-buffer.d.ts","sourceRoot":"","sources":["../../crypto/secure-buffer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD;;;GAGG;AACH,qBAAa,YAAa,YAAW,aAAa;IAChD,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAS;IAE1B,OAAO;IAIP,oDAAoD;IACpD,IAAI,MAAM,IAAI,MAAM,CAKnB;IAED,iCAAiC;IACjC,IAAI,MAAM,IAAI,MAAM,CAEnB;IAED,uDAAuD;IACvD,IAAI,UAAU,IAAI,OAAO,CAExB;IAED;;;OAGG;IACH,OAAO,IAAI,IAAI;IAQf,mEAAmE;IACnE,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI;IAIxB;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,YAAY;IASpD,8DAA8D;IAC9D,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY;CAK3C"}

package/dist/crypto/secure-buffer.js ADDED Viewed

@@ -0,0 +1,61 @@
+import sodium from 'sodium-native';
+/**
+ * Memory-locked buffer for sensitive key material.
+ * Uses sodium_malloc (mlock'd pages) and sodium_memzero on dispose.
+ */
+export class SecureBuffer {
+    _buffer;
+    _disposed = false;
+    constructor(length) {
+        this._buffer = sodium.sodium_malloc(length);
+    }
+    /** Read the buffer contents. Throws if disposed. */
+    get buffer() {
+        if (this._disposed) {
+            throw new Error('SecureBuffer has been disposed');
+        }
+        return this._buffer;
+    }
+    /** Byte length of the buffer. */
+    get length() {
+        return this._buffer.byteLength;
+    }
+    /** Whether the buffer has been zeroed and disposed. */
+    get isDisposed() {
+        return this._disposed;
+    }
+    /**
+     * Zero the buffer contents and mark as disposed.
+     * Safe to call multiple times (idempotent).
+     */
+    dispose() {
+        if (this._disposed) {
+            return;
+        }
+        sodium.sodium_memzero(this._buffer);
+        this._disposed = true;
+    }
+    /** Support `using` keyword (TC39 Explicit Resource Management). */
+    [Symbol.dispose]() {
+        this.dispose();
+    }
+    /**
+     * Copy data into a new SecureBuffer and zero the source.
+     * The source buffer is zeroed after copying regardless of type.
+     */
+    static from(data) {
+        const sb = new SecureBuffer(data.byteLength);
+        const buf = Buffer.isBuffer(data) ? data : Buffer.from(data.buffer, data.byteOffset, data.byteLength);
+        buf.copy(sb._buffer);
+        // Zero the source
+        sodium.sodium_memzero(buf);
+        return sb;
+    }
+    /** Allocate a new zeroed SecureBuffer of the given length. */
+    static alloc(length) {
+        const sb = new SecureBuffer(length);
+        sodium.sodium_memzero(sb._buffer);
+        return sb;
+    }
+}
+//# sourceMappingURL=secure-buffer.js.map

package/dist/crypto/secure-buffer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secure-buffer.js","sourceRoot":"","sources":["../../crypto/secure-buffer.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,eAAe,CAAC;AAInC;;;GAGG;AACH,MAAM,OAAO,YAAY;IACf,OAAO,CAAS;IAChB,SAAS,GAAG,KAAK,CAAC;IAE1B,YAAoB,MAAc;QAChC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;IAED,oDAAoD;IACpD,IAAI,MAAM;QACR,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,iCAAiC;IACjC,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;IACjC,CAAC;IAED,uDAAuD;IACvD,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QACD,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;IACxB,CAAC;IAED,mEAAmE;IACnE,CAAC,MAAM,CAAC,OAAO,CAAC;QACd,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,IAAyB;QACnC,MAAM,EAAE,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACtG,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;QACrB,kBAAkB;QAClB,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,8DAA8D;IAC9D,MAAM,CAAC,KAAK,CAAC,MAAc;QACzB,MAAM,EAAE,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;QAClC,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}

package/dist/crypto/ssh-agent.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { SSHKeyInfo } from './types.js';
+/**
+ * List all keys available in the SSH agent.
+ */
+export declare function listSSHAgentKeys(): Promise<SSHKeyInfo[]>;
+/**
+ * Sign data using a key available in the SSH agent.
+ * Returns the raw signature bytes (Ed25519: 64 bytes, RSA: variable).
+ */
+export declare function signWithSSHAgent(data: Uint8Array, publicKeyBlob: Uint8Array): Promise<Uint8Array>;
+/**
+ * Sign data using a private key file directly.
+ * Supports OpenSSH private key format.
+ */
+export declare function signWithKeyFile(data: Uint8Array, keyPath: string, passphrase?: string): Promise<Uint8Array>;
+//# sourceMappingURL=ssh-agent.d.ts.map

package/dist/crypto/ssh-agent.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ssh-agent.d.ts","sourceRoot":"","sources":["../../crypto/ssh-agent.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAc,MAAM,YAAY,CAAC;AA4GzD;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,CA8E9D;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,UAAU,EAChB,aAAa,EAAE,UAAU,GACxB,OAAO,CAAC,UAAU,CAAC,CAoCrB;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,UAAU,EAChB,OAAO,EAAE,MAAM,EACf,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,CAAC,CAuBrB"}

package/dist/crypto/ssh-agent.js ADDED Viewed

@@ -0,0 +1,225 @@
+import * as net from 'node:net';
+import * as fs from 'node:fs';
+import * as crypto from 'node:crypto';
+// SSH agent protocol constants
+const SSH2_AGENTC_REQUEST_IDENTITIES = 11;
+const SSH2_AGENT_IDENTITIES_ANSWER = 12;
+const SSH_AGENTC_SIGN_REQUEST = 13;
+const SSH_AGENT_SIGN_RESPONSE = 14;
+const SSH_AGENT_FAILURE = 5;
+// Signature flags
+const SSH_AGENT_FLAG_ED25519 = 0; // no special flags for ed25519
+/**
+ * Connect to the SSH agent and send a message, returning the response.
+ */
+function agentRequest(message) {
+    return new Promise((resolve, reject) => {
+        const socketPath = process.env['SSH_AUTH_SOCK'];
+        if (!socketPath) {
+            reject(new Error('SSH_AUTH_SOCK environment variable is not set'));
+            return;
+        }
+        const client = net.createConnection(socketPath);
+        const chunks = [];
+        let expectedLength = -1;
+        client.on('connect', () => {
+            // Send message with 4-byte length prefix
+            const lengthPrefix = Buffer.alloc(4);
+            lengthPrefix.writeUInt32BE(message.length, 0);
+            client.write(Buffer.concat([lengthPrefix, message]));
+        });
+        client.on('data', (data) => {
+            chunks.push(data);
+            const combined = Buffer.concat(chunks);
+            // Read the response length from the first 4 bytes
+            if (expectedLength === -1 && combined.length >= 4) {
+                expectedLength = combined.readUInt32BE(0);
+            }
+            // Check if we have the full response
+            if (expectedLength !== -1 && combined.length >= expectedLength + 4) {
+                client.end();
+                resolve(combined.subarray(4, 4 + expectedLength));
+            }
+        });
+        client.on('error', (err) => {
+            reject(new Error(`SSH agent connection error: ${err.message}`));
+        });
+        client.on('end', () => {
+            const combined = Buffer.concat(chunks);
+            if (combined.length >= 4) {
+                const len = combined.readUInt32BE(0);
+                resolve(combined.subarray(4, 4 + len));
+            }
+            else {
+                reject(new Error('SSH agent returned empty response'));
+            }
+        });
+        // Timeout after 10 seconds
+        client.setTimeout(10_000, () => {
+            client.destroy();
+            reject(new Error('SSH agent connection timed out'));
+        });
+    });
+}
+/**
+ * Write a string (length-prefixed bytes) into a buffer at an offset.
+ * Returns new offset.
+ */
+function writeString(buf, data, offset) {
+    buf.writeUInt32BE(data.length, offset);
+    offset += 4;
+    Buffer.from(data).copy(buf, offset);
+    return offset + data.length;
+}
+/**
+ * Read a length-prefixed string from a buffer at offset.
+ * Returns [data, newOffset].
+ */
+function readString(buf, offset) {
+    if (offset + 4 > buf.length) {
+        throw new Error('Unexpected end of SSH agent response reading string length');
+    }
+    const len = buf.readUInt32BE(offset);
+    offset += 4;
+    if (offset + len > buf.length) {
+        throw new Error('Unexpected end of SSH agent response reading string data');
+    }
+    return [buf.subarray(offset, offset + len), offset + len];
+}
+/**
+ * Determine SSH key type from a type string.
+ */
+function parseKeyType(typeStr) {
+    if (typeStr === 'ssh-ed25519')
+        return 'ed25519';
+    if (typeStr === 'ssh-rsa')
+        return 'rsa';
+    return null;
+}
+/**
+ * List all keys available in the SSH agent.
+ */
+export async function listSSHAgentKeys() {
+    const request = Buffer.alloc(1);
+    request[0] = SSH2_AGENTC_REQUEST_IDENTITIES;
+    const response = await agentRequest(request);
+    if (response[0] === SSH_AGENT_FAILURE) {
+        throw new Error('SSH agent returned failure');
+    }
+    if (response[0] !== SSH2_AGENT_IDENTITIES_ANSWER) {
+        throw new Error(`Unexpected SSH agent response type: ${response[0]}`);
+    }
+    let offset = 1;
+    if (offset + 4 > response.length) {
+        throw new Error('Truncated identities response');
+    }
+    const numKeys = response.readUInt32BE(offset);
+    offset += 4;
+    const keys = [];
+    for (let i = 0; i < numKeys; i++) {
+        // Read key blob
+        const [keyBlob, afterBlob] = readString(response, offset);
+        offset = afterBlob;
+        // Read comment
+        const [commentBuf, afterComment] = readString(response, offset);
+        offset = afterComment;
+        const comment = commentBuf.toString('utf-8');
+        // Parse key blob to get type and public key
+        let blobOffset = 0;
+        const [typeField, afterType] = readString(keyBlob, blobOffset);
+        blobOffset = afterType;
+        const typeStr = typeField.toString('ascii');
+        const keyType = parseKeyType(typeStr);
+        if (!keyType) {
+            continue; // skip unsupported key types
+        }
+        let publicKeyBytes;
+        if (keyType === 'ed25519') {
+            const [pubkey] = readString(keyBlob, blobOffset);
+            publicKeyBytes = new Uint8Array(pubkey);
+        }
+        else {
+            // RSA: exponent + modulus
+            const [exponent, afterExp] = readString(keyBlob, blobOffset);
+            const [modulus] = readString(keyBlob, afterExp);
+            const result = Buffer.alloc(4 + exponent.length + 4 + modulus.length);
+            let pos = 0;
+            result.writeUInt32BE(exponent.length, pos);
+            pos += 4;
+            exponent.copy(result, pos);
+            pos += exponent.length;
+            result.writeUInt32BE(modulus.length, pos);
+            pos += 4;
+            modulus.copy(result, pos);
+            publicKeyBytes = new Uint8Array(result);
+        }
+        // Compute fingerprint
+        const hash = crypto.createHash('sha256').update(keyBlob).digest();
+        const fingerprint = 'SHA256:' + hash.toString('base64').replace(/=+$/, '');
+        keys.push({
+            type: keyType,
+            publicKeyBytes,
+            fingerprint,
+            ...(comment ? { comment } : {}),
+        });
+    }
+    return keys;
+}
+/**
+ * Sign data using a key available in the SSH agent.
+ * Returns the raw signature bytes (Ed25519: 64 bytes, RSA: variable).
+ */
+export async function signWithSSHAgent(data, publicKeyBlob) {
+    // Build the sign request
+    // Format: byte SSH_AGENTC_SIGN_REQUEST, string key_blob, string data, uint32 flags
+    const totalLen = 1 + 4 + publicKeyBlob.length + 4 + data.length + 4;
+    const request = Buffer.alloc(totalLen);
+    let offset = 0;
+    request[offset] = SSH_AGENTC_SIGN_REQUEST;
+    offset += 1;
+    offset = writeString(request, publicKeyBlob, offset);
+    offset = writeString(request, data, offset);
+    // Flags (0 for default)
+    request.writeUInt32BE(SSH_AGENT_FLAG_ED25519, offset);
+    const response = await agentRequest(request);
+    if (response[0] === SSH_AGENT_FAILURE) {
+        throw new Error('SSH agent refused to sign (key not found or agent denied request)');
+    }
+    if (response[0] !== SSH_AGENT_SIGN_RESPONSE) {
+        throw new Error(`Unexpected SSH agent response type: ${response[0]}`);
+    }
+    // Parse signature: string signature_blob
+    const [sigBlob] = readString(response, 1);
+    // Signature blob format: string sig_type, string sig_data
+    let sigOffset = 0;
+    const [, afterSigType] = readString(sigBlob, sigOffset);
+    sigOffset = afterSigType;
+    const [sigData] = readString(sigBlob, sigOffset);
+    return new Uint8Array(sigData);
+}
+/**
+ * Sign data using a private key file directly.
+ * Supports OpenSSH private key format.
+ */
+export async function signWithKeyFile(data, keyPath, passphrase) {
+    const keyContent = fs.readFileSync(keyPath, 'utf-8');
+    const privateKey = crypto.createPrivateKey({
+        key: keyContent,
+        format: 'pem',
+        ...(passphrase ? { passphrase } : {}),
+    });
+    const keyType = privateKey.asymmetricKeyType;
+    if (keyType === 'ed25519') {
+        const sign = crypto.sign(null, Buffer.from(data), privateKey);
+        return new Uint8Array(sign);
+    }
+    else if (keyType === 'rsa') {
+        const sign = crypto.sign('sha256', Buffer.from(data), {
+            key: privateKey,
+            padding: crypto.constants.RSA_PKCS1_PADDING,
+        });
+        return new Uint8Array(sign);
+    }
+    throw new Error(`Unsupported key type: ${keyType}`);
+}
+//# sourceMappingURL=ssh-agent.js.map

package/dist/crypto/ssh-agent.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ssh-agent.js","sourceRoot":"","sources":["../../crypto/ssh-agent.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAChC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAItC,+BAA+B;AAC/B,MAAM,8BAA8B,GAAG,EAAE,CAAC;AAC1C,MAAM,4BAA4B,GAAG,EAAE,CAAC;AACxC,MAAM,uBAAuB,GAAG,EAAE,CAAC;AACnC,MAAM,uBAAuB,GAAG,EAAE,CAAC;AACnC,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAE5B,kBAAkB;AAClB,MAAM,sBAAsB,GAAG,CAAC,CAAC,CAAC,+BAA+B;AAEjE;;GAEG;AACH,SAAS,YAAY,CAAC,OAAe;IACnC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,CAAC,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,GAAG,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,cAAc,GAAG,CAAC,CAAC,CAAC;QAExB,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACxB,yCAAyC;YACzC,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACrC,YAAY,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACjC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAEvC,kDAAkD;YAClD,IAAI,cAAc,KAAK,CAAC,CAAC,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBAClD,cAAc,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC;YAED,qCAAqC;YACrC,IAAI,cAAc,KAAK,CAAC,CAAC,IAAI,QAAQ,CAAC,MAAM,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;gBACnE,MAAM,CAAC,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAChC,MAAM,CAAC,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACpB,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACvC,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;gBACrC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;YACzD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,2BAA2B;QAC3B,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,GAAG,EAAE;YAC7B,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,GAAW,EAAE,IAAyB,EAAE,MAAc;IACzE,GAAG,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,GAAW,EAAE,MAAc;IAC7C,IAAI,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;IAChF,CAAC;IACD,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,IAAI,CAAC,CAAC;IACZ,IAAI,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,OAAe;IACnC,IAAI,OAAO,KAAK,aAAa;QAAE,OAAO,SAAS,CAAC;IAChD,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAChC,OAAO,CAAC,CAAC,CAAC,GAAG,8BAA8B,CAAC;IAE5C,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IAE7C,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,iBAAiB,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,4BAA4B,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,uCAAuC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,OAAO,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC9C,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,IAAI,GAAiB,EAAE,CAAC;IAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;QACjC,gBAAgB;QAChB,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1D,MAAM,GAAG,SAAS,CAAC;QAEnB,eAAe;QACf,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAChE,MAAM,GAAG,YAAY,CAAC;QAEtB,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAE7C,4CAA4C;QAC5C,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,GAAG,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC/D,UAAU,GAAG,SAAS,CAAC;QACvB,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,SAAS,CAAC,6BAA6B;QACzC,CAAC;QAED,IAAI,cAA0B,CAAC;QAC/B,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YAC1B,MAAM,CAAC,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACjD,cAAc,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,0BAA0B;YAC1B,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,GAAG,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YAC7D,MAAM,CAAC,OAAO,CAAC,GAAG,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAChD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YACtE,IAAI,GAAG,GAAG,CAAC,CAAC;YACZ,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC3C,GAAG,IAAI,CAAC,CAAC;YACT,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC3B,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC;YACvB,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC1C,GAAG,IAAI,CAAC,CAAC;YACT,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC1B,cAAc,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAED,sBAAsB;QACtB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;QAClE,MAAM,WAAW,GAAG,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAE3E,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,OAAO;YACb,cAAc;YACd,WAAW;YACX,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAgB,EAChB,aAAyB;IAEzB,yBAAyB;IACzB,mFAAmF;IACnF,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;IACpE,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,OAAO,CAAC,MAAM,CAAC,GAAG,uBAAuB,CAAC;IAC1C,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,GAAG,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,GAAG,WAAW,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IAE5C,wBAAwB;IACxB,OAAO,CAAC,aAAa,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;IAEtD,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IAE7C,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,iBAAiB,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;IAED,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,uBAAuB,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,uCAAuC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,yCAAyC;IACzC,MAAM,CAAC,OAAO,CAAC,GAAG,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IAE1C,0DAA0D;IAC1D,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,MAAM,CAAC,EAAE,YAAY,CAAC,GAAG,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACxD,SAAS,GAAG,YAAY,CAAC;IACzB,MAAM,CAAC,OAAO,CAAC,GAAG,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAEjD,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAgB,EAChB,OAAe,EACf,UAAmB;IAEnB,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAErD,MAAM,UAAU,GAAG,MAAM,CAAC,gBAAgB,CAAC;QACzC,GAAG,EAAE,UAAU;QACf,MAAM,EAAE,KAAK;QACb,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACtC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,UAAU,CAAC,iBAAiB,CAAC;IAE7C,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,UAAU,CAAC,CAAC;QAC9D,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;SAAM,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACpD,GAAG,EAAE,UAAU;YACf,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,iBAAiB;SAC5C,CAAC,CAAC;QACH,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,yBAAyB,OAAO,EAAE,CAAC,CAAC;AACtD,CAAC"}

package/dist/crypto/ssh-keys.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { SSHKeyInfo } from './types.js';
+/**
+ * Parse an OpenSSH public key from authorized_keys / .pub file format.
+ * Supports ssh-ed25519 and ssh-rsa key types.
+ *
+ * Format: <key-type> <base64-blob> [comment]
+ */
+export declare function parseSSHPublicKey(keyString: string): SSHKeyInfo;
+/**
+ * Convert an Ed25519 public key to X25519 (Curve25519) public key.
+ * Uses sodium crypto_sign_ed25519_pk_to_curve25519.
+ */
+export declare function ed25519ToX25519PublicKey(ed25519PublicKey: Uint8Array): Uint8Array;
+/**
+ * Convert an Ed25519 secret key to X25519 (Curve25519) secret key.
+ * Uses sodium crypto_sign_ed25519_sk_to_curve25519.
+ */
+export declare function ed25519ToX25519SecretKey(ed25519SecretKey: Uint8Array): Uint8Array;
+//# sourceMappingURL=ssh-keys.d.ts.map

package/dist/crypto/ssh-keys.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"ssh-keys.d.ts","sourceRoot":"","sources":["../../crypto/ssh-keys.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAc,MAAM,YAAY,CAAC;AAEzD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,UAAU,CAqC/D;AAkED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,gBAAgB,EAAE,UAAU,GAAG,UAAU,CAKjF;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,gBAAgB,EAAE,UAAU,GAAG,UAAU,CAKjF"}