npm - @de-otio/chaoskb-client - Versions diffs - 0.2.0 - Mend

@de-otio/chaoskb-client 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (355) hide show

package/dist/cli/agent-registry/config-merger.d.ts +28 -0
package/dist/cli/agent-registry/config-merger.d.ts.map +1 -0
package/dist/cli/agent-registry/config-merger.js +90 -0
package/dist/cli/agent-registry/config-merger.js.map +1 -0
package/dist/cli/agent-registry/detector.d.ts +7 -0
package/dist/cli/agent-registry/detector.d.ts.map +1 -0
package/dist/cli/agent-registry/detector.js +100 -0
package/dist/cli/agent-registry/detector.js.map +1 -0
package/dist/cli/agent-registry/index.d.ts +26 -0
package/dist/cli/agent-registry/index.d.ts.map +1 -0
package/dist/cli/agent-registry/index.js +77 -0
package/dist/cli/agent-registry/index.js.map +1 -0
package/dist/cli/agent-registry/path-validator.d.ts +11 -0
package/dist/cli/agent-registry/path-validator.d.ts.map +1 -0
package/dist/cli/agent-registry/path-validator.js +69 -0
package/dist/cli/agent-registry/path-validator.js.map +1 -0
package/dist/cli/agent-registry/registry.json +108 -0
package/dist/cli/agent-registry/types.d.ts +29 -0
package/dist/cli/agent-registry/types.d.ts.map +1 -0
package/dist/cli/agent-registry/types.js +2 -0
package/dist/cli/agent-registry/types.js.map +1 -0
package/dist/cli/bootstrap-lock.d.ts +7 -0
package/dist/cli/bootstrap-lock.d.ts.map +1 -0
package/dist/cli/bootstrap-lock.js +62 -0
package/dist/cli/bootstrap-lock.js.map +1 -0
package/dist/cli/bootstrap.d.ts +23 -0
package/dist/cli/bootstrap.d.ts.map +1 -0
package/dist/cli/bootstrap.js +438 -0
package/dist/cli/bootstrap.js.map +1 -0
package/dist/cli/commands/config.d.ts +13 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +244 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/devices.d.ts +21 -0
package/dist/cli/commands/devices.d.ts.map +1 -0
package/dist/cli/commands/devices.js +229 -0
package/dist/cli/commands/devices.js.map +1 -0
package/dist/cli/commands/export.d.ts +12 -0
package/dist/cli/commands/export.d.ts.map +1 -0
package/dist/cli/commands/export.js +183 -0
package/dist/cli/commands/export.js.map +1 -0
package/dist/cli/commands/import.d.ts +26 -0
package/dist/cli/commands/import.d.ts.map +1 -0
package/dist/cli/commands/import.js +311 -0
package/dist/cli/commands/import.js.map +1 -0
package/dist/cli/commands/kb.d.ts +39 -0
package/dist/cli/commands/kb.d.ts.map +1 -0
package/dist/cli/commands/kb.js +138 -0
package/dist/cli/commands/kb.js.map +1 -0
package/dist/cli/commands/project.d.ts +6 -0
package/dist/cli/commands/project.d.ts.map +1 -0
package/dist/cli/commands/project.js +115 -0
package/dist/cli/commands/project.js.map +1 -0
package/dist/cli/commands/projects.d.ts +33 -0
package/dist/cli/commands/projects.d.ts.map +1 -0
package/dist/cli/commands/projects.js +189 -0
package/dist/cli/commands/projects.js.map +1 -0
package/dist/cli/commands/register.d.ts +8 -0
package/dist/cli/commands/register.d.ts.map +1 -0
package/dist/cli/commands/register.js +146 -0
package/dist/cli/commands/register.js.map +1 -0
package/dist/cli/commands/rotate-key.d.ts +16 -0
package/dist/cli/commands/rotate-key.d.ts.map +1 -0
package/dist/cli/commands/rotate-key.js +197 -0
package/dist/cli/commands/rotate-key.js.map +1 -0
package/dist/cli/commands/setup-sync.d.ts +2 -0
package/dist/cli/commands/setup-sync.d.ts.map +1 -0
package/dist/cli/commands/setup-sync.js +165 -0
package/dist/cli/commands/setup-sync.js.map +1 -0
package/dist/cli/commands/setup.d.ts +12 -0
package/dist/cli/commands/setup.d.ts.map +1 -0
package/dist/cli/commands/setup.js +39 -0
package/dist/cli/commands/setup.js.map +1 -0
package/dist/cli/commands/status.d.ts +5 -0
package/dist/cli/commands/status.d.ts.map +1 -0
package/dist/cli/commands/status.js +96 -0
package/dist/cli/commands/status.js.map +1 -0
package/dist/cli/commands/uninstall.d.ts +4 -0
package/dist/cli/commands/uninstall.d.ts.map +1 -0
package/dist/cli/commands/uninstall.js +85 -0
package/dist/cli/commands/uninstall.js.map +1 -0
package/dist/cli/commands/unregister.d.ts +2 -0
package/dist/cli/commands/unregister.d.ts.map +1 -0
package/dist/cli/commands/unregister.js +46 -0
package/dist/cli/commands/unregister.js.map +1 -0
package/dist/cli/device-metadata.d.ts +15 -0
package/dist/cli/device-metadata.d.ts.map +1 -0
package/dist/cli/device-metadata.js +58 -0
package/dist/cli/device-metadata.js.map +1 -0
package/dist/cli/github.d.ts +38 -0
package/dist/cli/github.d.ts.map +1 -0
package/dist/cli/github.js +159 -0
package/dist/cli/github.js.map +1 -0
package/dist/cli/guide-hashes.json +13 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +226 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/mcp-server.d.ts +205 -0
package/dist/cli/mcp-server.d.ts.map +1 -0
package/dist/cli/mcp-server.js +366 -0
package/dist/cli/mcp-server.js.map +1 -0
package/dist/cli/tools/kb-delete.d.ts +10 -0
package/dist/cli/tools/kb-delete.d.ts.map +1 -0
package/dist/cli/tools/kb-delete.js +28 -0
package/dist/cli/tools/kb-delete.js.map +1 -0
package/dist/cli/tools/kb-ingest.d.ts +13 -0
package/dist/cli/tools/kb-ingest.d.ts.map +1 -0
package/dist/cli/tools/kb-ingest.js +72 -0
package/dist/cli/tools/kb-ingest.js.map +1 -0
package/dist/cli/tools/kb-list.d.ts +20 -0
package/dist/cli/tools/kb-list.d.ts.map +1 -0
package/dist/cli/tools/kb-list.js +24 -0
package/dist/cli/tools/kb-list.js.map +1 -0
package/dist/cli/tools/kb-query-shared.d.ts +27 -0
package/dist/cli/tools/kb-query-shared.d.ts.map +1 -0
package/dist/cli/tools/kb-query-shared.js +28 -0
package/dist/cli/tools/kb-query-shared.js.map +1 -0
package/dist/cli/tools/kb-query.d.ts +20 -0
package/dist/cli/tools/kb-query.d.ts.map +1 -0
package/dist/cli/tools/kb-query.js +109 -0
package/dist/cli/tools/kb-query.js.map +1 -0
package/dist/cli/tools/kb-summary.d.ts +29 -0
package/dist/cli/tools/kb-summary.d.ts.map +1 -0
package/dist/cli/tools/kb-summary.js +89 -0
package/dist/cli/tools/kb-summary.js.map +1 -0
package/dist/cli/tools/kb-sync-status.d.ts +7 -0
package/dist/cli/tools/kb-sync-status.d.ts.map +1 -0
package/dist/cli/tools/kb-sync-status.js +48 -0
package/dist/cli/tools/kb-sync-status.js.map +1 -0
package/dist/crypto/aad.d.ts +8 -0
package/dist/crypto/aad.d.ts.map +1 -0
package/dist/crypto/aad.js +11 -0
package/dist/crypto/aad.js.map +1 -0
package/dist/crypto/aead.d.ts +21 -0
package/dist/crypto/aead.d.ts.map +1 -0
package/dist/crypto/aead.js +43 -0
package/dist/crypto/aead.js.map +1 -0
package/dist/crypto/argon2.d.ts +11 -0
package/dist/crypto/argon2.d.ts.map +1 -0
package/dist/crypto/argon2.js +33 -0
package/dist/crypto/argon2.js.map +1 -0
package/dist/crypto/blob-id.d.ts +6 -0
package/dist/crypto/blob-id.d.ts.map +1 -0
package/dist/crypto/blob-id.js +33 -0
package/dist/crypto/blob-id.js.map +1 -0
package/dist/crypto/canonical-json.d.ts +6 -0
package/dist/crypto/canonical-json.d.ts.map +1 -0
package/dist/crypto/canonical-json.js +88 -0
package/dist/crypto/canonical-json.js.map +1 -0
package/dist/crypto/commitment.d.ts +12 -0
package/dist/crypto/commitment.d.ts.map +1 -0
package/dist/crypto/commitment.js +37 -0
package/dist/crypto/commitment.js.map +1 -0
package/dist/crypto/encryption-service.d.ts +19 -0
package/dist/crypto/encryption-service.d.ts.map +1 -0
package/dist/crypto/encryption-service.js +38 -0
package/dist/crypto/encryption-service.js.map +1 -0
package/dist/crypto/envelope-cbor.d.ts +37 -0
package/dist/crypto/envelope-cbor.d.ts.map +1 -0
package/dist/crypto/envelope-cbor.js +124 -0
package/dist/crypto/envelope-cbor.js.map +1 -0
package/dist/crypto/envelope.d.ts +34 -0
package/dist/crypto/envelope.d.ts.map +1 -0
package/dist/crypto/envelope.js +160 -0
package/dist/crypto/envelope.js.map +1 -0
package/dist/crypto/hkdf.d.ts +16 -0
package/dist/crypto/hkdf.d.ts.map +1 -0
package/dist/crypto/hkdf.js +33 -0
package/dist/crypto/hkdf.js.map +1 -0
package/dist/crypto/index.d.ts +15 -0
package/dist/crypto/index.d.ts.map +1 -0
package/dist/crypto/index.js +15 -0
package/dist/crypto/index.js.map +1 -0
package/dist/crypto/invite.d.ts +31 -0
package/dist/crypto/invite.d.ts.map +1 -0
package/dist/crypto/invite.js +137 -0
package/dist/crypto/invite.js.map +1 -0
package/dist/crypto/keyring.d.ts +37 -0
package/dist/crypto/keyring.d.ts.map +1 -0
package/dist/crypto/keyring.js +219 -0
package/dist/crypto/keyring.js.map +1 -0
package/dist/crypto/known-keys.d.ts +34 -0
package/dist/crypto/known-keys.d.ts.map +1 -0
package/dist/crypto/known-keys.js +106 -0
package/dist/crypto/known-keys.js.map +1 -0
package/dist/crypto/project-keys.d.ts +26 -0
package/dist/crypto/project-keys.d.ts.map +1 -0
package/dist/crypto/project-keys.js +69 -0
package/dist/crypto/project-keys.js.map +1 -0
package/dist/crypto/secure-buffer.d.ts +31 -0
package/dist/crypto/secure-buffer.d.ts.map +1 -0
package/dist/crypto/secure-buffer.js +61 -0
package/dist/crypto/secure-buffer.js.map +1 -0
package/dist/crypto/ssh-agent.d.ts +16 -0
package/dist/crypto/ssh-agent.d.ts.map +1 -0
package/dist/crypto/ssh-agent.js +225 -0
package/dist/crypto/ssh-agent.js.map +1 -0
package/dist/crypto/ssh-keys.d.ts +19 -0
package/dist/crypto/ssh-keys.d.ts.map +1 -0
package/dist/crypto/ssh-keys.js +121 -0
package/dist/crypto/ssh-keys.js.map +1 -0
package/dist/crypto/tiers/enhanced.d.ts +25 -0
package/dist/crypto/tiers/enhanced.d.ts.map +1 -0
package/dist/crypto/tiers/enhanced.js +56 -0
package/dist/crypto/tiers/enhanced.js.map +1 -0
package/dist/crypto/tiers/maximum.d.ts +19 -0
package/dist/crypto/tiers/maximum.d.ts.map +1 -0
package/dist/crypto/tiers/maximum.js +25 -0
package/dist/crypto/tiers/maximum.js.map +1 -0
package/dist/crypto/tiers/standard.d.ts +27 -0
package/dist/crypto/tiers/standard.d.ts.map +1 -0
package/dist/crypto/tiers/standard.js +147 -0
package/dist/crypto/tiers/standard.js.map +1 -0
package/dist/crypto/types.d.ts +169 -0
package/dist/crypto/types.d.ts.map +1 -0
package/dist/crypto/types.js +11 -0
package/dist/crypto/types.js.map +1 -0
package/dist/pipeline/chunker.d.ts +27 -0
package/dist/pipeline/chunker.d.ts.map +1 -0
package/dist/pipeline/chunker.js +96 -0
package/dist/pipeline/chunker.js.map +1 -0
package/dist/pipeline/content-pipeline.d.ts +24 -0
package/dist/pipeline/content-pipeline.d.ts.map +1 -0
package/dist/pipeline/content-pipeline.js +49 -0
package/dist/pipeline/content-pipeline.js.map +1 -0
package/dist/pipeline/embedder.d.ts +49 -0
package/dist/pipeline/embedder.d.ts.map +1 -0
package/dist/pipeline/embedder.js +195 -0
package/dist/pipeline/embedder.js.map +1 -0
package/dist/pipeline/extract.d.ts +17 -0
package/dist/pipeline/extract.d.ts.map +1 -0
package/dist/pipeline/extract.js +70 -0
package/dist/pipeline/extract.js.map +1 -0
package/dist/pipeline/fetch.d.ts +26 -0
package/dist/pipeline/fetch.d.ts.map +1 -0
package/dist/pipeline/fetch.js +91 -0
package/dist/pipeline/fetch.js.map +1 -0
package/dist/pipeline/index.d.ts +10 -0
package/dist/pipeline/index.d.ts.map +1 -0
package/dist/pipeline/index.js +10 -0
package/dist/pipeline/index.js.map +1 -0
package/dist/pipeline/model-manager.d.ts +57 -0
package/dist/pipeline/model-manager.d.ts.map +1 -0
package/dist/pipeline/model-manager.js +234 -0
package/dist/pipeline/model-manager.js.map +1 -0
package/dist/pipeline/search.d.ts +37 -0
package/dist/pipeline/search.d.ts.map +1 -0
package/dist/pipeline/search.js +65 -0
package/dist/pipeline/search.js.map +1 -0
package/dist/pipeline/tokenizer.d.ts +29 -0
package/dist/pipeline/tokenizer.d.ts.map +1 -0
package/dist/pipeline/tokenizer.js +54 -0
package/dist/pipeline/tokenizer.js.map +1 -0
package/dist/pipeline/types.d.ts +86 -0
package/dist/pipeline/types.d.ts.map +1 -0
package/dist/pipeline/types.js +2 -0
package/dist/pipeline/types.js.map +1 -0
package/dist/pipeline/wordpiece-tokenizer.d.ts +60 -0
package/dist/pipeline/wordpiece-tokenizer.d.ts.map +1 -0
package/dist/pipeline/wordpiece-tokenizer.js +251 -0
package/dist/pipeline/wordpiece-tokenizer.js.map +1 -0
package/dist/storage/chunk-repo.d.ts +29 -0
package/dist/storage/chunk-repo.d.ts.map +1 -0
package/dist/storage/chunk-repo.js +115 -0
package/dist/storage/chunk-repo.js.map +1 -0
package/dist/storage/database-manager.d.ts +17 -0
package/dist/storage/database-manager.d.ts.map +1 -0
package/dist/storage/database-manager.js +100 -0
package/dist/storage/database-manager.js.map +1 -0
package/dist/storage/database.d.ts +10 -0
package/dist/storage/database.d.ts.map +1 -0
package/dist/storage/database.js +34 -0
package/dist/storage/database.js.map +1 -0
package/dist/storage/embedding-index.d.ts +22 -0
package/dist/storage/embedding-index.d.ts.map +1 -0
package/dist/storage/embedding-index.js +78 -0
package/dist/storage/embedding-index.js.map +1 -0
package/dist/storage/index.d.ts +10 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +10 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/kb-database.d.ts +11 -0
package/dist/storage/kb-database.d.ts.map +1 -0
package/dist/storage/kb-database.js +24 -0
package/dist/storage/kb-database.js.map +1 -0
package/dist/storage/schema.d.ts +6 -0
package/dist/storage/schema.d.ts.map +1 -0
package/dist/storage/schema.js +122 -0
package/dist/storage/schema.js.map +1 -0
package/dist/storage/source-repo.d.ts +20 -0
package/dist/storage/source-repo.d.ts.map +1 -0
package/dist/storage/source-repo.js +120 -0
package/dist/storage/source-repo.js.map +1 -0
package/dist/storage/sync-status-repo.d.ts +15 -0
package/dist/storage/sync-status-repo.d.ts.map +1 -0
package/dist/storage/sync-status-repo.js +40 -0
package/dist/storage/sync-status-repo.js.map +1 -0
package/dist/storage/types.d.ts +139 -0
package/dist/storage/types.d.ts.map +1 -0
package/dist/storage/types.js +9 -0
package/dist/storage/types.js.map +1 -0
package/dist/sync/canary.d.ts +14 -0
package/dist/sync/canary.d.ts.map +1 -0
package/dist/sync/canary.js +53 -0
package/dist/sync/canary.js.map +1 -0
package/dist/sync/full-sync.d.ts +16 -0
package/dist/sync/full-sync.d.ts.map +1 -0
package/dist/sync/full-sync.js +91 -0
package/dist/sync/full-sync.js.map +1 -0
package/dist/sync/http-client.d.ts +28 -0
package/dist/sync/http-client.d.ts.map +1 -0
package/dist/sync/http-client.js +90 -0
package/dist/sync/http-client.js.map +1 -0
package/dist/sync/incremental-sync.d.ts +17 -0
package/dist/sync/incremental-sync.d.ts.map +1 -0
package/dist/sync/incremental-sync.js +155 -0
package/dist/sync/incremental-sync.js.map +1 -0
package/dist/sync/index.d.ts +12 -0
package/dist/sync/index.d.ts.map +1 -0
package/dist/sync/index.js +12 -0
package/dist/sync/index.js.map +1 -0
package/dist/sync/quota.d.ts +17 -0
package/dist/sync/quota.d.ts.map +1 -0
package/dist/sync/quota.js +48 -0
package/dist/sync/quota.js.map +1 -0
package/dist/sync/sequence.d.ts +21 -0
package/dist/sync/sequence.d.ts.map +1 -0
package/dist/sync/sequence.js +49 -0
package/dist/sync/sequence.js.map +1 -0
package/dist/sync/ssh-signer.d.ts +59 -0
package/dist/sync/ssh-signer.d.ts.map +1 -0
package/dist/sync/ssh-signer.js +241 -0
package/dist/sync/ssh-signer.js.map +1 -0
package/dist/sync/sync-service.d.ts +48 -0
package/dist/sync/sync-service.d.ts.map +1 -0
package/dist/sync/sync-service.js +116 -0
package/dist/sync/sync-service.js.map +1 -0
package/dist/sync/types.d.ts +106 -0
package/dist/sync/types.d.ts.map +1 -0
package/dist/sync/types.js +2 -0
package/dist/sync/types.js.map +1 -0
package/dist/sync/upload-queue.d.ts +40 -0
package/dist/sync/upload-queue.d.ts.map +1 -0
package/dist/sync/upload-queue.js +148 -0
package/dist/sync/upload-queue.js.map +1 -0
package/dist/sync/verification.d.ts +17 -0
package/dist/sync/verification.d.ts.map +1 -0
package/dist/sync/verification.js +25 -0
package/dist/sync/verification.js.map +1 -0
package/dist/vitest.config.d.ts +3 -0
package/dist/vitest.config.d.ts.map +1 -0
package/dist/vitest.config.js +16 -0
package/dist/vitest.config.js.map +1 -0
package/package.json +68 -0

package/dist/crypto/ssh-keys.js ADDED Viewed

@@ -0,0 +1,121 @@
+import { createHash } from 'node:crypto';
+import sodium from 'sodium-native';
+/**
+ * Parse an OpenSSH public key from authorized_keys / .pub file format.
+ * Supports ssh-ed25519 and ssh-rsa key types.
+ *
+ * Format: <key-type> <base64-blob> [comment]
+ */
+export function parseSSHPublicKey(keyString) {
+    const trimmed = keyString.trim();
+    const parts = trimmed.split(/\s+/);
+    if (parts.length < 2) {
+        throw new Error('Invalid SSH public key format: expected "<type> <base64> [comment]"');
+    }
+    const typeStr = parts[0];
+    const base64Blob = parts[1];
+    const comment = parts.length > 2 ? parts.slice(2).join(' ') : undefined;
+    let type;
+    if (typeStr === 'ssh-ed25519') {
+        type = 'ed25519';
+    }
+    else if (typeStr === 'ssh-rsa') {
+        type = 'rsa';
+    }
+    else {
+        throw new Error(`Unsupported SSH key type: ${typeStr}`);
+    }
+    // Base64-decode the key blob
+    const blob = Buffer.from(base64Blob, 'base64');
+    // Parse the SSH wire format: length-prefixed strings
+    const publicKeyBytes = extractPublicKeyFromBlob(blob, type);
+    // Compute SHA-256 fingerprint
+    const hash = createHash('sha256').update(blob).digest();
+    const fingerprint = 'SHA256:' + hash.toString('base64').replace(/=+$/, '');
+    return {
+        type,
+        publicKeyBytes,
+        fingerprint,
+        ...(comment !== undefined && { comment }),
+    };
+}
+/**
+ * Parse the SSH wire format blob and extract the raw public key bytes.
+ *
+ * SSH wire format: repeated [4-byte big-endian length][data]
+ * - For ed25519: [type string][32-byte public key]
+ * - For RSA: [type string][exponent][modulus]
+ */
+function extractPublicKeyFromBlob(blob, type) {
+    let offset = 0;
+    function readString() {
+        if (offset + 4 > blob.length) {
+            throw new Error('SSH key blob: unexpected end of data reading length');
+        }
+        const len = blob.readUInt32BE(offset);
+        offset += 4;
+        if (offset + len > blob.length) {
+            throw new Error('SSH key blob: unexpected end of data reading string');
+        }
+        const data = blob.subarray(offset, offset + len);
+        offset += len;
+        return data;
+    }
+    // First field: key type string
+    const typeField = readString().toString('ascii');
+    if (type === 'ed25519') {
+        if (typeField !== 'ssh-ed25519') {
+            throw new Error(`SSH key type mismatch: expected ssh-ed25519, got ${typeField}`);
+        }
+        // Second field: 32-byte public key
+        const pubkey = readString();
+        if (pubkey.length !== 32) {
+            throw new Error(`Ed25519 public key must be 32 bytes, got ${pubkey.length}`);
+        }
+        return new Uint8Array(pubkey);
+    }
+    else if (type === 'rsa') {
+        if (typeField !== 'ssh-rsa') {
+            throw new Error(`SSH key type mismatch: expected ssh-rsa, got ${typeField}`);
+        }
+        // RSA blob: [exponent][modulus]
+        // For RSA we return the full blob (exponent + modulus) since RSA operations
+        // need the full public key structure. The raw blob minus type prefix.
+        const exponent = readString();
+        const modulus = readString();
+        // Build a buffer with the exponent and modulus in SSH wire format
+        // This is what Node.js crypto needs for RSA operations
+        const result = Buffer.alloc(4 + exponent.length + 4 + modulus.length);
+        let pos = 0;
+        result.writeUInt32BE(exponent.length, pos);
+        pos += 4;
+        exponent.copy(result, pos);
+        pos += exponent.length;
+        result.writeUInt32BE(modulus.length, pos);
+        pos += 4;
+        modulus.copy(result, pos);
+        return new Uint8Array(result);
+    }
+    throw new Error(`Unsupported key type: ${type}`);
+}
+/**
+ * Convert an Ed25519 public key to X25519 (Curve25519) public key.
+ * Uses sodium crypto_sign_ed25519_pk_to_curve25519.
+ */
+export function ed25519ToX25519PublicKey(ed25519PublicKey) {
+    const x25519PublicKey = Buffer.alloc(sodium.crypto_box_PUBLICKEYBYTES);
+    const ed25519Buffer = Buffer.from(ed25519PublicKey);
+    sodium.crypto_sign_ed25519_pk_to_curve25519(x25519PublicKey, ed25519Buffer);
+    return new Uint8Array(x25519PublicKey);
+}
+/**
+ * Convert an Ed25519 secret key to X25519 (Curve25519) secret key.
+ * Uses sodium crypto_sign_ed25519_sk_to_curve25519.
+ */
+export function ed25519ToX25519SecretKey(ed25519SecretKey) {
+    const x25519SecretKey = Buffer.alloc(sodium.crypto_box_SECRETKEYBYTES);
+    const ed25519Buffer = Buffer.from(ed25519SecretKey);
+    sodium.crypto_sign_ed25519_sk_to_curve25519(x25519SecretKey, ed25519Buffer);
+    return new Uint8Array(x25519SecretKey);
+}
+//# sourceMappingURL=ssh-keys.js.map

package/dist/crypto/ssh-keys.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ssh-keys.js","sourceRoot":"","sources":["../../crypto/ssh-keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,MAAM,MAAM,eAAe,CAAC;AAInC;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,SAAiB;IACjD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAEnC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAExE,IAAI,IAAgB,CAAC;IACrB,IAAI,OAAO,KAAK,aAAa,EAAE,CAAC;QAC9B,IAAI,GAAG,SAAS,CAAC;IACnB,CAAC;SAAM,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,GAAG,KAAK,CAAC;IACf,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,6BAA6B;IAC7B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAE/C,qDAAqD;IACrD,MAAM,cAAc,GAAG,wBAAwB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAE5D,8BAA8B;IAC9B,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;IACxD,MAAM,WAAW,GAAG,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAE3E,OAAO;QACL,IAAI;QACJ,cAAc;QACd,WAAW;QACX,GAAG,CAAC,OAAO,KAAK,SAAS,IAAI,EAAE,OAAO,EAAE,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,wBAAwB,CAAC,IAAY,EAAE,IAAgB;IAC9D,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,SAAS,UAAU;QACjB,IAAI,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,IAAI,CAAC,CAAC;QACZ,IAAI,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC;QACjD,MAAM,IAAI,GAAG,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+BAA+B;IAC/B,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAEjD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,IAAI,SAAS,KAAK,aAAa,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,oDAAoD,SAAS,EAAE,CAAC,CAAC;QACnF,CAAC;QACD,mCAAmC;QACnC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;SAAM,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QAC1B,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,gDAAgD,SAAS,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,gCAAgC;QAChC,4EAA4E;QAC5E,sEAAsE;QACtE,MAAM,QAAQ,GAAG,UAAU,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;QAE7B,kEAAkE;QAClE,uDAAuD;QACvD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QACtE,IAAI,GAAG,GAAG,CAAC,CAAC;QACZ,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC3C,GAAG,IAAI,CAAC,CAAC;QACT,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC3B,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC;QACvB,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,GAAG,IAAI,CAAC,CAAC;QACT,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1B,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,gBAA4B;IACnE,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACvE,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACpD,MAAM,CAAC,oCAAoC,CAAC,eAAe,EAAE,aAAa,CAAC,CAAC;IAC5E,OAAO,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC;AACzC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,gBAA4B;IACnE,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACvE,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACpD,MAAM,CAAC,oCAAoC,CAAC,eAAe,EAAE,aAAa,CAAC,CAAC;IAC5E,OAAO,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC;AACzC,CAAC"}

package/dist/crypto/tiers/enhanced.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import type { ISecureBuffer } from '../types.js';
+export { wrapMasterKey, unwrapMasterKeyEd25519, unwrapMasterKeyRSA } from './standard.js';
+/**
+ * @deprecated Enhanced tier is deprecated. New installations use Standard or Maximum only.
+ *
+ * Enhanced tier: BIP39 24-word recovery key.
+ *
+ * The master key is a 256-bit random value which maps directly to a 24-word
+ * BIP39 mnemonic. Either the mnemonic or the SSH-wrapped key can recover.
+ */
+/**
+ * @deprecated Use Standard tier (SSH key wrapping) instead.
+ *
+ * Encode a 256-bit master key as a 24-word BIP39 mnemonic.
+ * The master key bytes are used directly as the entropy.
+ */
+export declare function generateRecoveryKey(masterKey: ISecureBuffer): string;
+/**
+ * @deprecated Use Standard tier (SSH key wrapping) instead.
+ *
+ * Decode a 24-word BIP39 mnemonic back to the 256-bit master key.
+ * Returns a SecureBuffer containing the recovered key.
+ */
+export declare function recoverFromMnemonic(mnemonic: string): ISecureBuffer;
+//# sourceMappingURL=enhanced.d.ts.map

package/dist/crypto/tiers/enhanced.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"enhanced.d.ts","sourceRoot":"","sources":["../../../crypto/tiers/enhanced.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAE1F;;;;;;;GAOG;AAEH;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,aAAa,GAAG,MAAM,CAQpE;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,CAoBnE"}

package/dist/crypto/tiers/enhanced.js ADDED Viewed

@@ -0,0 +1,56 @@
+// Enhanced tier removed — see doc/analysis/zero-config-sync/security-tiers.md
+// This file is deprecated. The zero-config sync implementation uses only two tiers:
+//   - Standard: SSH key wrapping (automatic, zero-config)
+//   - Maximum: Argon2id passphrase derivation
+// The Enhanced (BIP39 mnemonic) tier added complexity without meaningful security
+// benefit over the Standard tier's SSH-based recovery. Retained for backward
+// compatibility with existing Enhanced-tier users.
+import * as bip39 from 'bip39';
+import { SecureBuffer } from '../secure-buffer.js';
+// Re-export standard tier wrapping for dual-path recovery
+export { wrapMasterKey, unwrapMasterKeyEd25519, unwrapMasterKeyRSA } from './standard.js';
+/**
+ * @deprecated Enhanced tier is deprecated. New installations use Standard or Maximum only.
+ *
+ * Enhanced tier: BIP39 24-word recovery key.
+ *
+ * The master key is a 256-bit random value which maps directly to a 24-word
+ * BIP39 mnemonic. Either the mnemonic or the SSH-wrapped key can recover.
+ */
+/**
+ * @deprecated Use Standard tier (SSH key wrapping) instead.
+ *
+ * Encode a 256-bit master key as a 24-word BIP39 mnemonic.
+ * The master key bytes are used directly as the entropy.
+ */
+export function generateRecoveryKey(masterKey) {
+    if (masterKey.length !== 32) {
+        throw new Error(`Master key must be 32 bytes (256 bits), got ${masterKey.length}`);
+    }
+    const entropy = Buffer.from(masterKey.buffer).toString('hex');
+    const mnemonic = bip39.entropyToMnemonic(entropy);
+    return mnemonic;
+}
+/**
+ * @deprecated Use Standard tier (SSH key wrapping) instead.
+ *
+ * Decode a 24-word BIP39 mnemonic back to the 256-bit master key.
+ * Returns a SecureBuffer containing the recovered key.
+ */
+export function recoverFromMnemonic(mnemonic) {
+    const trimmed = mnemonic.trim().toLowerCase();
+    if (!bip39.validateMnemonic(trimmed)) {
+        throw new Error('Invalid BIP39 mnemonic');
+    }
+    const words = trimmed.split(/\s+/);
+    if (words.length !== 24) {
+        throw new Error(`Expected 24-word mnemonic, got ${words.length} words`);
+    }
+    const entropyHex = bip39.mnemonicToEntropy(trimmed);
+    const entropyBytes = Buffer.from(entropyHex, 'hex');
+    if (entropyBytes.length !== 32) {
+        throw new Error(`Recovered entropy must be 32 bytes, got ${entropyBytes.length}`);
+    }
+    return SecureBuffer.from(entropyBytes);
+}
+//# sourceMappingURL=enhanced.js.map

package/dist/crypto/tiers/enhanced.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enhanced.js","sourceRoot":"","sources":["../../../crypto/tiers/enhanced.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,oFAAoF;AACpF,0DAA0D;AAC1D,8CAA8C;AAC9C,kFAAkF;AAClF,6EAA6E;AAC7E,mDAAmD;AAEnD,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAE/B,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGnD,0DAA0D;AAC1D,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAE1F;;;;;;;GAOG;AAEH;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAwB;IAC1D,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+CAA+C,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,KAAK,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAClD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAE9C,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kCAAkC,KAAK,CAAC,MAAM,QAAQ,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAEpD,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,2CAA2C,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACzC,CAAC"}

package/dist/crypto/tiers/maximum.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { ISecureBuffer } from '../types.js';
+/**
+ * Maximum tier: Argon2id passphrase derivation.
+ *
+ * The master key is derived from a user-chosen passphrase.
+ * No recovery path — if the passphrase is lost, data is lost.
+ */
+/**
+ * Derive a master key from a passphrase using Argon2id.
+ *
+ * @param passphrase - User passphrase
+ * @param salt - Optional 16-byte salt. If not provided, a random one is generated.
+ * @returns Object with the derived master key and the salt (for server storage)
+ */
+export declare function deriveFromPassphrase(passphrase: string, salt?: Uint8Array): {
+    masterKey: ISecureBuffer;
+    salt: Uint8Array;
+};
+//# sourceMappingURL=maximum.d.ts.map

package/dist/crypto/tiers/maximum.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"maximum.d.ts","sourceRoot":"","sources":["../../../crypto/tiers/maximum.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAIjD;;;;;GAKG;AAEH;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,IAAI,CAAC,EAAE,UAAU,GAChB;IAAE,SAAS,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,UAAU,CAAA;CAAE,CAUhD"}

package/dist/crypto/tiers/maximum.js ADDED Viewed

@@ -0,0 +1,25 @@
+import { randomBytes } from 'node:crypto';
+import { deriveFromPassphrase as argon2Derive } from '../argon2.js';
+const SALT_LENGTH = 16;
+/**
+ * Maximum tier: Argon2id passphrase derivation.
+ *
+ * The master key is derived from a user-chosen passphrase.
+ * No recovery path — if the passphrase is lost, data is lost.
+ */
+/**
+ * Derive a master key from a passphrase using Argon2id.
+ *
+ * @param passphrase - User passphrase
+ * @param salt - Optional 16-byte salt. If not provided, a random one is generated.
+ * @returns Object with the derived master key and the salt (for server storage)
+ */
+export function deriveFromPassphrase(passphrase, salt) {
+    const actualSalt = salt ?? new Uint8Array(randomBytes(SALT_LENGTH));
+    if (actualSalt.length !== SALT_LENGTH) {
+        throw new Error(`Salt must be ${SALT_LENGTH} bytes, got ${actualSalt.length}`);
+    }
+    const masterKey = argon2Derive(passphrase, actualSalt);
+    return { masterKey, salt: actualSalt };
+}
+//# sourceMappingURL=maximum.js.map

package/dist/crypto/tiers/maximum.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"maximum.js","sourceRoot":"","sources":["../../../crypto/tiers/maximum.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,oBAAoB,IAAI,YAAY,EAAE,MAAM,cAAc,CAAC;AAGpE,MAAM,WAAW,GAAG,EAAE,CAAC;AAEvB;;;;;GAKG;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAkB,EAClB,IAAiB;IAEjB,MAAM,UAAU,GAAG,IAAI,IAAI,IAAI,UAAU,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC;IAEpE,IAAI,UAAU,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,gBAAgB,WAAW,eAAe,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,SAAS,GAAG,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAEvD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACzC,CAAC"}

package/dist/crypto/tiers/standard.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import * as crypto from 'node:crypto';
+import type { ISecureBuffer, SSHKeyInfo } from '../types.js';
+/**
+ * Standard tier: SSH key wrapping.
+ *
+ * For Ed25519 keys: crypto_box_seal (ephemeral X25519 ECDH + XSalsa20-Poly1305)
+ * For RSA keys: RSA-OAEP-SHA256 KEM + XChaCha20-Poly1305 DEM
+ */
+/**
+ * Wrap a master key with an SSH public key.
+ * Ed25519: uses crypto_box_seal after converting to X25519.
+ * RSA: uses RSA-OAEP KEM + XChaCha20-Poly1305 DEM.
+ */
+export declare function wrapMasterKey(masterKey: ISecureBuffer, sshPublicKey: SSHKeyInfo): Uint8Array;
+/**
+ * Unwrap a master key with an SSH private key (Ed25519).
+ * @param wrappedKey - The sealed box
+ * @param ed25519SecretKey - The 64-byte Ed25519 secret key
+ */
+export declare function unwrapMasterKeyEd25519(wrappedKey: Uint8Array, ed25519SecretKey: Uint8Array, ed25519PublicKey: Uint8Array): ISecureBuffer;
+/**
+ * Unwrap a master key wrapped with RSA-OAEP KEM + DEM.
+ * @param wrappedKey - Serialized [4-byte wrappedWKLen][wrappedWK][nonce][ct][tag]
+ * @param rsaPrivateKey - RSA private key in PEM or DER format
+ */
+export declare function unwrapMasterKeyRSA(wrappedKey: Uint8Array, rsaPrivateKey: crypto.KeyObject): ISecureBuffer;
+//# sourceMappingURL=standard.d.ts.map

package/dist/crypto/tiers/standard.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"standard.d.ts","sourceRoot":"","sources":["../../../crypto/tiers/standard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAMtC,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAI7D;;;;;GAKG;AAEH;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,GAAG,UAAU,CAO5F;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,UAAU,EACtB,gBAAgB,EAAE,UAAU,EAC5B,gBAAgB,EAAE,UAAU,GAC3B,aAAa,CAaf;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,MAAM,CAAC,SAAS,GAC9B,aAAa,CA0Cf"}

package/dist/crypto/tiers/standard.js ADDED Viewed

@@ -0,0 +1,147 @@
+import * as crypto from 'node:crypto';
+import sodium from 'sodium-native';
+import { aeadEncrypt, aeadDecrypt } from '../aead.js';
+import { SecureBuffer } from '../secure-buffer.js';
+import { ed25519ToX25519PublicKey, ed25519ToX25519SecretKey } from '../ssh-keys.js';
+const RSA_MIN_BITS = 2048;
+/**
+ * Standard tier: SSH key wrapping.
+ *
+ * For Ed25519 keys: crypto_box_seal (ephemeral X25519 ECDH + XSalsa20-Poly1305)
+ * For RSA keys: RSA-OAEP-SHA256 KEM + XChaCha20-Poly1305 DEM
+ */
+/**
+ * Wrap a master key with an SSH public key.
+ * Ed25519: uses crypto_box_seal after converting to X25519.
+ * RSA: uses RSA-OAEP KEM + XChaCha20-Poly1305 DEM.
+ */
+export function wrapMasterKey(masterKey, sshPublicKey) {
+    if (sshPublicKey.type === 'ed25519') {
+        return wrapWithEd25519(masterKey, sshPublicKey.publicKeyBytes);
+    }
+    else if (sshPublicKey.type === 'rsa') {
+        return wrapWithRSA(masterKey, sshPublicKey.publicKeyBytes);
+    }
+    throw new Error(`Unsupported SSH key type: ${sshPublicKey.type}`);
+}
+/**
+ * Unwrap a master key with an SSH private key (Ed25519).
+ * @param wrappedKey - The sealed box
+ * @param ed25519SecretKey - The 64-byte Ed25519 secret key
+ */
+export function unwrapMasterKeyEd25519(wrappedKey, ed25519SecretKey, ed25519PublicKey) {
+    const x25519Sk = ed25519ToX25519SecretKey(ed25519SecretKey);
+    const x25519Pk = ed25519ToX25519PublicKey(ed25519PublicKey);
+    const plaintext = Buffer.alloc(wrappedKey.length - sodium.crypto_box_SEALBYTES);
+    sodium.crypto_box_seal_open(plaintext, Buffer.from(wrappedKey), Buffer.from(x25519Pk), Buffer.from(x25519Sk));
+    return SecureBuffer.from(plaintext);
+}
+/**
+ * Unwrap a master key wrapped with RSA-OAEP KEM + DEM.
+ * @param wrappedKey - Serialized [4-byte wrappedWKLen][wrappedWK][nonce][ct][tag]
+ * @param rsaPrivateKey - RSA private key in PEM or DER format
+ */
+export function unwrapMasterKeyRSA(wrappedKey, rsaPrivateKey) {
+    const buf = Buffer.from(wrappedKey);
+    let offset = 0;
+    // Read wrapped wrapping key length
+    const wrappedWKLen = buf.readUInt32BE(offset);
+    offset += 4;
+    // Read wrapped wrapping key
+    const wrappedWK = buf.subarray(offset, offset + wrappedWKLen);
+    offset += wrappedWKLen;
+    // Remaining is AEAD encrypted master key: nonce(24) || ciphertext || tag(16)
+    const aeadPayload = buf.subarray(offset);
+    const nonce = aeadPayload.subarray(0, 24);
+    const ciphertext = aeadPayload.subarray(24, aeadPayload.length - 16);
+    const tag = aeadPayload.subarray(aeadPayload.length - 16);
+    // Decrypt wrapping key with RSA-OAEP
+    const wrappingKey = crypto.privateDecrypt({
+        key: rsaPrivateKey,
+        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+        oaepHash: 'sha256',
+    }, wrappedWK);
+    // Decrypt master key with XChaCha20-Poly1305
+    const emptyAAD = new Uint8Array(0);
+    const masterKeyBytes = aeadDecrypt(new Uint8Array(wrappingKey), new Uint8Array(nonce), new Uint8Array(ciphertext), new Uint8Array(tag), emptyAAD);
+    // Zero the wrapping key
+    wrappingKey.fill(0);
+    return SecureBuffer.from(Buffer.from(masterKeyBytes));
+}
+// --- Internal helpers ---
+function wrapWithEd25519(masterKey, ed25519PublicKey) {
+    const x25519Pk = ed25519ToX25519PublicKey(ed25519PublicKey);
+    const sealed = Buffer.alloc(masterKey.length + sodium.crypto_box_SEALBYTES);
+    sodium.crypto_box_seal(sealed, masterKey.buffer, Buffer.from(x25519Pk));
+    return new Uint8Array(sealed);
+}
+function wrapWithRSA(masterKey, rsaPublicKeyBytes) {
+    // Parse the RSA public key bytes (SSH wire format: exponent + modulus)
+    const rsaPubKey = rsaPublicKeyBytesToKeyObject(rsaPublicKeyBytes);
+    // Check minimum key size
+    const keyDetail = rsaPubKey.asymmetricKeySize;
+    if (keyDetail !== undefined && keyDetail * 8 < RSA_MIN_BITS) {
+        throw new Error(`RSA key too small: ${keyDetail * 8} bits (minimum ${RSA_MIN_BITS})`);
+    }
+    // Generate random 32-byte wrapping key
+    const wrappingKey = crypto.randomBytes(32);
+    // RSA-OAEP encrypt the wrapping key
+    const wrappedWK = crypto.publicEncrypt({
+        key: rsaPubKey,
+        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+        oaepHash: 'sha256',
+    }, wrappingKey);
+    // XChaCha20-Poly1305 encrypt the master key with the wrapping key
+    const emptyAAD = new Uint8Array(0);
+    const { nonce, ciphertext, tag } = aeadEncrypt(new Uint8Array(wrappingKey), new Uint8Array(masterKey.buffer), emptyAAD);
+    // Zero the wrapping key
+    wrappingKey.fill(0);
+    // Serialize: [4-byte wrappedWK length][wrappedWK][nonce][ciphertext][tag]
+    const totalLen = 4 + wrappedWK.length + nonce.length + ciphertext.length + tag.length;
+    const result = Buffer.alloc(totalLen);
+    let offset = 0;
+    result.writeUInt32BE(wrappedWK.length, offset);
+    offset += 4;
+    wrappedWK.copy(result, offset);
+    offset += wrappedWK.length;
+    Buffer.from(nonce).copy(result, offset);
+    offset += nonce.length;
+    Buffer.from(ciphertext).copy(result, offset);
+    offset += ciphertext.length;
+    Buffer.from(tag).copy(result, offset);
+    return new Uint8Array(result);
+}
+/**
+ * Convert SSH wire format RSA public key bytes to a Node.js KeyObject.
+ * Input: [4-byte exponent length][exponent][4-byte modulus length][modulus]
+ */
+function rsaPublicKeyBytesToKeyObject(rsaBytes) {
+    const buf = Buffer.from(rsaBytes);
+    let offset = 0;
+    const eLen = buf.readUInt32BE(offset);
+    offset += 4;
+    const e = buf.subarray(offset, offset + eLen);
+    offset += eLen;
+    const nLen = buf.readUInt32BE(offset);
+    offset += 4;
+    const n = buf.subarray(offset, offset + nLen);
+    // Build a DER-encoded RSA public key (PKCS#1)
+    // Use Node.js crypto to create from JWK
+    const jwk = {
+        kty: 'RSA',
+        n: bufferToBase64Url(stripLeadingZero(n)),
+        e: bufferToBase64Url(stripLeadingZero(e)),
+    };
+    return crypto.createPublicKey({ key: jwk, format: 'jwk' });
+}
+function stripLeadingZero(buf) {
+    // SSH wire format may have a leading zero byte for sign
+    if (buf[0] === 0 && buf.length > 1) {
+        return buf.subarray(1);
+    }
+    return buf;
+}
+function bufferToBase64Url(buf) {
+    return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+//# sourceMappingURL=standard.js.map

package/dist/crypto/tiers/standard.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"standard.js","sourceRoot":"","sources":["../../../crypto/tiers/standard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,MAAM,MAAM,eAAe,CAAC;AAEnC,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAGpF,MAAM,YAAY,GAAG,IAAI,CAAC;AAE1B;;;;;GAKG;AAEH;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,SAAwB,EAAE,YAAwB;IAC9E,IAAI,YAAY,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,eAAe,CAAC,SAAS,EAAE,YAAY,CAAC,cAAc,CAAC,CAAC;IACjE,CAAC;SAAM,IAAI,YAAY,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACvC,OAAO,WAAW,CAAC,SAAS,EAAE,YAAY,CAAC,cAAc,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,6BAA6B,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC;AACpE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,UAAsB,EACtB,gBAA4B,EAC5B,gBAA4B;IAE5B,MAAM,QAAQ,GAAG,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;IAC5D,MAAM,QAAQ,GAAG,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;IAE5D,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAChF,MAAM,CAAC,oBAAoB,CACzB,SAAS,EACT,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EACvB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EACrB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CACtB,CAAC;IAEF,OAAO,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AACtC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,UAAsB,EACtB,aAA+B;IAE/B,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACpC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,mCAAmC;IACnC,MAAM,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC9C,MAAM,IAAI,CAAC,CAAC;IAEZ,4BAA4B;IAC5B,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAAC,CAAC;IAC9D,MAAM,IAAI,YAAY,CAAC;IAEvB,6EAA6E;IAC7E,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,WAAW,CAAC,QAAQ,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IACrE,MAAM,GAAG,GAAG,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAE1D,qCAAqC;IACrC,MAAM,WAAW,GAAG,MAAM,CAAC,cAAc,CACvC;QACE,GAAG,EAAE,aAAa;QAClB,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,sBAAsB;QAChD,QAAQ,EAAE,QAAQ;KACnB,EACD,SAAS,CACV,CAAC;IAEF,6CAA6C;IAC7C,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IACnC,MAAM,cAAc,GAAG,WAAW,CAChC,IAAI,UAAU,CAAC,WAAW,CAAC,EAC3B,IAAI,UAAU,CAAC,KAAK,CAAC,EACrB,IAAI,UAAU,CAAC,UAAU,CAAC,EAC1B,IAAI,UAAU,CAAC,GAAG,CAAC,EACnB,QAAQ,CACT,CAAC;IAEF,wBAAwB;IACxB,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpB,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,2BAA2B;AAE3B,SAAS,eAAe,CAAC,SAAwB,EAAE,gBAA4B;IAC7E,MAAM,QAAQ,GAAG,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;IAE5D,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC5E,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAExE,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,WAAW,CAAC,SAAwB,EAAE,iBAA6B;IAC1E,uEAAuE;IACvE,MAAM,SAAS,GAAG,4BAA4B,CAAC,iBAAiB,CAAC,CAAC;IAElE,yBAAyB;IACzB,MAAM,SAAS,GAAI,SAAuD,CAAC,iBAAiB,CAAC;IAC7F,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,GAAG,CAAC,GAAG,YAAY,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,sBAAsB,SAAS,GAAG,CAAC,kBAAkB,YAAY,GAAG,CAAC,CAAC;IACxF,CAAC;IAED,uCAAuC;IACvC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAE3C,oCAAoC;IACpC,MAAM,SAAS,GAAG,MAAM,CAAC,aAAa,CACpC;QACE,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,sBAAsB;QAChD,QAAQ,EAAE,QAAQ;KACnB,EACD,WAAW,CACZ,CAAC;IAEF,kEAAkE;IAClE,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IACnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,WAAW,CAC5C,IAAI,UAAU,CAAC,WAAW,CAAC,EAC3B,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,EAChC,QAAQ,CACT,CAAC;IAEF,wBAAwB;IACxB,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpB,0EAA0E;IAC1E,MAAM,QAAQ,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;IACtF,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/C,MAAM,IAAI,CAAC,CAAC;IACZ,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,MAAM,IAAI,SAAS,CAAC,MAAM,CAAC;IAC3B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC;IACvB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,MAAM,IAAI,UAAU,CAAC,MAAM,CAAC;IAC5B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEtC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,SAAS,4BAA4B,CAAC,QAAoB;IACxD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC;IAC9C,MAAM,IAAI,IAAI,CAAC;IAEf,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC;IAE9C,8CAA8C;IAC9C,wCAAwC;IACxC,MAAM,GAAG,GAAG;QACV,GAAG,EAAE,KAAK;QACV,CAAC,EAAE,iBAAiB,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,EAAE,iBAAiB,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;KAC1C,CAAC;IAEF,OAAO,MAAM,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW;IACnC,wDAAwD;IACxD,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC3F,CAAC"}

package/dist/crypto/types.d.ts ADDED Viewed

@@ -0,0 +1,169 @@
+/**
+ * Memory-locked buffer for sensitive key material.
+ * Wraps sodium_malloc() with mlock and auto-zeroing on dispose.
+ */
+export interface ISecureBuffer {
+    /** Read the buffer contents. Throws if disposed. */
+    readonly buffer: Buffer;
+    /** Byte length of the buffer */
+    readonly length: number;
+    /** Whether the buffer has been zeroed and disposed */
+    readonly isDisposed: boolean;
+    /** Zero the buffer contents and release memory */
+    dispose(): void;
+}
+/** Supported encryption algorithms */
+export type Algorithm = 'XChaCha20-Poly1305' | 'AES-256-GCM';
+/** Key identifier for derived keys */
+export type KeyId = 'CEK' | 'MEK' | 'EEK';
+/** Security tier for key management */
+export declare enum SecurityTier {
+    /** SSH key wrapping (crypto_box_seal for Ed25519, RSA-OAEP KEM+DEM for RSA) */
+    Standard = "standard",
+    /** @deprecated BIP39 24-word recovery key + SSH key. Use Standard or Maximum instead. */
+    Enhanced = "enhanced",
+    /** Argon2id passphrase derivation, no recovery */
+    Maximum = "maximum"
+}
+/** Set of derived keys from the master key */
+export interface DerivedKeySet {
+    /** Content encryption key (HKDF info: "chaoskb-content") */
+    contentKey: ISecureBuffer;
+    /** Metadata encryption key (HKDF info: "chaoskb-metadata") */
+    metadataKey: ISecureBuffer;
+    /** Embedding encryption key (HKDF info: "chaoskb-embedding", reserved) */
+    embeddingKey: ISecureBuffer;
+    /** Commitment key for HMAC (HKDF info: "chaoskb-commit") */
+    commitKey: ISecureBuffer;
+}
+/** SSH key type */
+export type SSHKeyType = 'ed25519' | 'rsa';
+/** Parsed SSH key information */
+export interface SSHKeyInfo {
+    type: SSHKeyType;
+    publicKeyBytes: Uint8Array;
+    fingerprint: string;
+    comment?: string;
+}
+/** Encryption envelope v1 wire format */
+export interface Envelope {
+    /** Envelope version (must be 1) */
+    v: 1;
+    /** Opaque blob identifier (b_ prefix + base62) */
+    id: string;
+    /** ISO 8601 timestamp (server-generated) */
+    ts: string;
+    /** Encryption envelope */
+    enc: {
+        /** Algorithm identifier */
+        alg: Algorithm;
+        /** Key identifier */
+        kid: KeyId;
+        /** Base64-encoded: nonce || ciphertext || auth_tag */
+        ct: string;
+        /** Byte length of decoded ct */
+        'ct.len': number;
+        /** Base64-encoded HMAC-SHA256 key commitment */
+        commit: string;
+    };
+}
+/**
+ * Envelope v2 CBOR wire format — stores ct and commit as raw binary
+ * instead of base64, saving ~33% size on ciphertext.
+ */
+export interface EnvelopeV2 {
+    /** Envelope version (must be 2) */
+    v: 2;
+    /** Opaque blob identifier */
+    id: string;
+    /** ISO 8601 timestamp */
+    ts: string;
+    /** Encryption envelope */
+    enc: {
+        alg: Algorithm;
+        kid: KeyId;
+        /** Raw binary: nonce || ciphertext || auth_tag */
+        ct: Uint8Array;
+        /** HMAC-SHA256 key commitment (raw binary) */
+        commit: Uint8Array;
+    };
+}
+/** Union type for any supported envelope version */
+export type AnyEnvelope = Envelope | EnvelopeV2;
+/** Plaintext payload types */
+export type PayloadType = 'source' | 'chunk' | 'canary';
+/** Source payload (decrypted) */
+export interface SourcePayload {
+    type: 'source';
+    url: string;
+    title?: string;
+    tags?: string[];
+    chunkCount: number;
+    chunkIds: string[];
+}
+/** Chunk payload (decrypted) */
+export interface ChunkPayload {
+    type: 'chunk';
+    sourceId: string;
+    index: number;
+    model: string;
+    content: string;
+    tokenCount: number;
+    embedding: number[];
+}
+/** Canary payload for key verification */
+export interface CanaryPayload {
+    type: 'canary';
+    value: 'chaoskb-canary-v1';
+}
+/** Any decrypted payload */
+export type Payload = SourcePayload | ChunkPayload | CanaryPayload;
+/** Result of encryption */
+export interface EncryptResult {
+    envelope: Envelope;
+    /** Raw JSON bytes for upload */
+    bytes: Uint8Array;
+}
+/** Result of decryption */
+export interface DecryptResult {
+    payload: Payload;
+    envelope: Envelope;
+}
+/** OS keyring service interface */
+export interface IKeyringService {
+    store(service: string, account: string, secret: ISecureBuffer): Promise<void>;
+    retrieve(service: string, account: string): Promise<ISecureBuffer | null>;
+    delete(service: string, account: string): Promise<boolean>;
+}
+/** Encryption service interface */
+export interface IEncryptionService {
+    /** Generate a new random master key */
+    generateMasterKey(): ISecureBuffer;
+    /** Derive all subkeys from master key */
+    deriveKeys(masterKey: ISecureBuffer, salt?: Uint8Array): DerivedKeySet;
+    /** Encrypt a payload into an envelope */
+    encrypt(payload: Payload, keys: DerivedKeySet, kid?: KeyId): EncryptResult;
+    /** Decrypt an envelope into a payload */
+    decrypt(envelope: Envelope, keys: DerivedKeySet): DecryptResult;
+    /** Generate a blob ID */
+    generateBlobId(): string;
+}
+/** Key management service for a specific security tier */
+export interface IKeyManager {
+    tier: SecurityTier;
+    /** Wrap master key for storage */
+    wrapMasterKey(masterKey: ISecureBuffer): Promise<Uint8Array>;
+    /** Unwrap master key from storage */
+    unwrapMasterKey(wrappedKey: Uint8Array): Promise<ISecureBuffer>;
+}
+/** Project key management */
+export interface IProjectKeyManager {
+    /** Generate a new project key and wrap with personal master key */
+    createProjectKey(masterKey: ISecureBuffer): Promise<{
+        projectKey: ISecureBuffer;
+        wrappedKey: Uint8Array;
+    }>;
+    /** Unwrap a project key using personal master key */
+    unwrapProjectKey(wrappedKey: Uint8Array, masterKey: ISecureBuffer): Promise<ISecureBuffer>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/crypto/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../crypto/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,oDAAoD;IACpD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,gCAAgC;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,sDAAsD;IACtD,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,kDAAkD;IAClD,OAAO,IAAI,IAAI,CAAC;CACjB;AAED,sCAAsC;AACtC,MAAM,MAAM,SAAS,GAAG,oBAAoB,GAAG,aAAa,CAAC;AAE7D,sCAAsC;AACtC,MAAM,MAAM,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;AAE1C,uCAAuC;AACvC,oBAAY,YAAY;IACtB,+EAA+E;IAC/E,QAAQ,aAAa;IACrB,yFAAyF;IACzF,QAAQ,aAAa;IACrB,kDAAkD;IAClD,OAAO,YAAY;CACpB;AAED,8CAA8C;AAC9C,MAAM,WAAW,aAAa;IAC5B,4DAA4D;IAC5D,UAAU,EAAE,aAAa,CAAC;IAC1B,8DAA8D;IAC9D,WAAW,EAAE,aAAa,CAAC;IAC3B,0EAA0E;IAC1E,YAAY,EAAE,aAAa,CAAC;IAC5B,4DAA4D;IAC5D,SAAS,EAAE,aAAa,CAAC;CAC1B;AAED,mBAAmB;AACnB,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,KAAK,CAAC;AAE3C,iCAAiC;AACjC,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,UAAU,CAAC;IACjB,cAAc,EAAE,UAAU,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,yCAAyC;AACzC,MAAM,WAAW,QAAQ;IACvB,mCAAmC;IACnC,CAAC,EAAE,CAAC,CAAC;IACL,kDAAkD;IAClD,EAAE,EAAE,MAAM,CAAC;IACX,4CAA4C;IAC5C,EAAE,EAAE,MAAM,CAAC;IACX,0BAA0B;IAC1B,GAAG,EAAE;QACH,2BAA2B;QAC3B,GAAG,EAAE,SAAS,CAAC;QACf,qBAAqB;QACrB,GAAG,EAAE,KAAK,CAAC;QACX,sDAAsD;QACtD,EAAE,EAAE,MAAM,CAAC;QACX,gCAAgC;QAChC,QAAQ,EAAE,MAAM,CAAC;QACjB,gDAAgD;QAChD,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,mCAAmC;IACnC,CAAC,EAAE,CAAC,CAAC;IACL,6BAA6B;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,yBAAyB;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,0BAA0B;IAC1B,GAAG,EAAE;QACH,GAAG,EAAE,SAAS,CAAC;QACf,GAAG,EAAE,KAAK,CAAC;QACX,kDAAkD;QAClD,EAAE,EAAE,UAAU,CAAC;QACf,8CAA8C;QAC9C,MAAM,EAAE,UAAU,CAAC;KACpB,CAAC;CACH;AAED,oDAAoD;AACpD,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEhD,8BAA8B;AAC9B,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,CAAC;AAExD,iCAAiC;AACjC,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,QAAQ,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,gCAAgC;AAChC,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,0CAA0C;AAC1C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,mBAAmB,CAAC;CAC5B;AAED,4BAA4B;AAC5B,MAAM,MAAM,OAAO,GAAG,aAAa,GAAG,YAAY,GAAG,aAAa,CAAC;AAEnE,2BAA2B;AAC3B,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,QAAQ,CAAC;IACnB,gCAAgC;IAChC,KAAK,EAAE,UAAU,CAAC;CACnB;AAED,2BAA2B;AAC3B,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,mCAAmC;AACnC,MAAM,WAAW,eAAe;IAC9B,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC1E,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC5D;AAED,mCAAmC;AACnC,MAAM,WAAW,kBAAkB;IACjC,uCAAuC;IACvC,iBAAiB,IAAI,aAAa,CAAC;IACnC,yCAAyC;IACzC,UAAU,CAAC,SAAS,EAAE,aAAa,EAAE,IAAI,CAAC,EAAE,UAAU,GAAG,aAAa,CAAC;IACvE,yCAAyC;IACzC,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,CAAC,EAAE,KAAK,GAAG,aAAa,CAAC;IAC3E,yCAAyC;IACzC,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,GAAG,aAAa,CAAC;IAChE,yBAAyB;IACzB,cAAc,IAAI,MAAM,CAAC;CAC1B;AAED,0DAA0D;AAC1D,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,YAAY,CAAC;IACnB,kCAAkC;IAClC,aAAa,CAAC,SAAS,EAAE,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC7D,qCAAqC;IACrC,eAAe,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CACjE;AAED,6BAA6B;AAC7B,MAAM,WAAW,kBAAkB;IACjC,mEAAmE;IACnE,gBAAgB,CACd,SAAS,EAAE,aAAa,GACvB,OAAO,CAAC;QAAE,UAAU,EAAE,aAAa,CAAC;QAAC,UAAU,EAAE,UAAU,CAAA;KAAE,CAAC,CAAC;IAClE,qDAAqD;IACrD,gBAAgB,CAAC,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CAC5F"}

package/dist/crypto/types.js ADDED Viewed

@@ -0,0 +1,11 @@
+/** Security tier for key management */
+export var SecurityTier;
+(function (SecurityTier) {
+    /** SSH key wrapping (crypto_box_seal for Ed25519, RSA-OAEP KEM+DEM for RSA) */
+    SecurityTier["Standard"] = "standard";
+    /** @deprecated BIP39 24-word recovery key + SSH key. Use Standard or Maximum instead. */
+    SecurityTier["Enhanced"] = "enhanced";
+    /** Argon2id passphrase derivation, no recovery */
+    SecurityTier["Maximum"] = "maximum";
+})(SecurityTier || (SecurityTier = {}));
+//# sourceMappingURL=types.js.map