@de-otio/chaoskb-client 0.3.6 → 0.3.8

package/dist/crypto/keyring.js

@@ -1,219 +0,0 @@
-import { execFile } from 'node:child_process';
-import { promisify } from 'node:util';
-import { SecureBuffer } from './secure-buffer.js';
-const execFileAsync = promisify(execFile);
-/**
- * OS keyring integration via shell commands.
- * Uses execFile (not exec) to prevent shell injection.
- *
- * macOS:  security add-generic-password / find-generic-password / delete-generic-password
- * Linux:  secret-tool store / lookup / clear
- * Windows: cmdkey /add: / /list: / /delete:
- */
-export class KeyringService {
-    platform;
-    constructor(platform) {
-        this.platform = platform ?? process.platform;
-    }
-    /**
-     * Store a secret in the OS keyring.
-     */
-    async store(service, account, secret) {
-        const secretHex = secret.buffer.toString('hex');
-        try {
-            switch (this.platform) {
-                case 'darwin':
-                    await this.storeMacOS(service, account, secretHex);
-                    break;
-                case 'linux':
-                    await this.storeLinux(service, account, secretHex);
-                    break;
-                case 'win32':
-                    await this.storeWindows(service, account, secretHex);
-                    break;
-                default:
-                    throw new Error(`Unsupported platform: ${this.platform}`);
-            }
-        }
-        finally {
-            // We can't zero the hex string (JS strings are immutable),
-            // but we at least don't hold onto it.
-        }
-    }
-    /**
-     * Retrieve a secret from the OS keyring.
-     * Returns null if not found.
-     */
-    async retrieve(service, account) {
-        try {
-            let secretHex;
-            switch (this.platform) {
-                case 'darwin':
-                    secretHex = await this.retrieveMacOS(service, account);
-                    break;
-                case 'linux':
-                    secretHex = await this.retrieveLinux(service, account);
-                    break;
-                case 'win32':
-                    secretHex = await this.retrieveWindows(service, account);
-                    break;
-                default:
-                    throw new Error(`Unsupported platform: ${this.platform}`);
-            }
-            const bytes = Buffer.from(secretHex.trim(), 'hex');
-            return SecureBuffer.from(bytes);
-        }
-        catch {
-            return null;
-        }
-    }
-    /**
-     * Delete a secret from the OS keyring.
-     * Returns true if deleted, false if not found.
-     */
-    async delete(service, account) {
-        try {
-            switch (this.platform) {
-                case 'darwin':
-                    await this.deleteMacOS(service, account);
-                    break;
-                case 'linux':
-                    await this.deleteLinux(service, account);
-                    break;
-                case 'win32':
-                    await this.deleteWindows(service, account);
-                    break;
-                default:
-                    throw new Error(`Unsupported platform: ${this.platform}`);
-            }
-            return true;
-        }
-        catch {
-            return false;
-        }
-    }
-    // --- macOS ---
-    async storeMacOS(service, account, secret) {
-        // Delete existing entry first (update = delete + add)
-        try {
-            await execFileAsync('security', [
-                'delete-generic-password',
-                '-s', service,
-                '-a', account,
-            ]);
-        }
-        catch {
-            // Ignore if not found
-        }
-        await execFileAsync('security', [
-            'add-generic-password',
-            '-s', service,
-            '-a', account,
-            '-w', secret,
-            '-U', // update if exists
-        ]);
-    }
-    async retrieveMacOS(service, account) {
-        const { stdout } = await execFileAsync('security', [
-            'find-generic-password',
-            '-s', service,
-            '-a', account,
-            '-w', // output password only
-        ]);
-        return stdout.trim();
-    }
-    async deleteMacOS(service, account) {
-        await execFileAsync('security', [
-            'delete-generic-password',
-            '-s', service,
-            '-a', account,
-        ]);
-    }
-    // --- Linux ---
-    async storeLinux(service, account, secret) {
-        // secret-tool reads from stdin
-        const child = execFileAsync('secret-tool', [
-            'store',
-            '--label', `${service}/${account}`,
-            'service', service,
-            'account', account,
-        ]);
-        // Write secret to stdin
-        if (child.child.stdin) {
-            child.child.stdin.write(secret);
-            child.child.stdin.end();
-        }
-        await child;
-    }
-    async retrieveLinux(service, account) {
-        const { stdout } = await execFileAsync('secret-tool', [
-            'lookup',
-            'service', service,
-            'account', account,
-        ]);
-        return stdout;
-    }
-    async deleteLinux(service, account) {
-        await execFileAsync('secret-tool', [
-            'clear',
-            'service', service,
-            'account', account,
-        ]);
-    }
-    // --- Windows ---
-    async storeWindows(service, account, secret) {
-        const target = `${service}/${account}`;
-        // Use PowerShell with .NET CredentialManager API (no external modules required)
-        const script = `
-      Add-Type -AssemblyName System.Runtime.InteropServices
-      $cred = New-Object System.Management.Automation.PSCredential('${account.replace(/'/g, "''")}', (ConvertTo-SecureString '${secret.replace(/'/g, "''")}' -AsPlainText -Force))
-      cmdkey /add:${target} /user:${account} /pass:${secret}
-    `.trim();
-        await execFileAsync('powershell', ['-NoProfile', '-Command', script]);
-    }
-    async retrieveWindows(service, account) {
-        const target = `${service}/${account}`;
-        // Use PowerShell with native .NET Credential API (no external modules needed)
-        const script = `
-      Add-Type @"
-        using System;
-        using System.Runtime.InteropServices;
-        public class CredentialHelper {
-          [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
-          public static extern bool CredReadW(string target, int type, int flags, out IntPtr credential);
-          [DllImport("advapi32.dll")]
-          public static extern void CredFree(IntPtr credential);
-          [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
-          public struct CREDENTIAL {
-            public int Flags; public int Type;
-            public string TargetName; public string Comment;
-            public long LastWritten; public int CredentialBlobSize;
-            public IntPtr CredentialBlob; public int Persist;
-            public int AttributeCount; public IntPtr Attributes;
-            public string TargetAlias; public string UserName;
-          }
-          public static string Read(string target) {
-            IntPtr ptr;
-            if (!CredReadW(target, 1, 0, out ptr)) return "";
-            var cred = (CREDENTIAL)Marshal.PtrToStructure(ptr, typeof(CREDENTIAL));
-            var secret = Marshal.PtrToStringUni(cred.CredentialBlob, cred.CredentialBlobSize / 2);
-            CredFree(ptr);
-            return secret;
-          }
-        }
-"@
-      [CredentialHelper]::Read('${target.replace(/'/g, "''")}')
-    `.trim();
-        const { stdout } = await execFileAsync('powershell', ['-NoProfile', '-Command', script]);
-        const result = stdout.trim();
-        if (!result) {
-            throw new Error(`Credential not found: ${target}`);
-        }
-        return result;
-    }
-    async deleteWindows(service, account) {
-        const target = `${service}/${account}`;
-        await execFileAsync('cmdkey', ['/delete:' + target]);
-    }
-}
-//# sourceMappingURL=keyring.js.map

package/dist/crypto/keyring.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../crypto/keyring.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C;;;;;;;GAOG;AACH,MAAM,OAAO,cAAc;IACR,QAAQ,CAAkB;IAE3C,YAAY,QAA0B;QACpC,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK,CAAC,OAAe,EAAE,OAAe,EAAE,MAAqB;QACjE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEhD,IAAI,CAAC;YACH,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtB,KAAK,QAAQ;oBACX,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;oBACnD,MAAM;gBACR,KAAK,OAAO;oBACV,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;oBACnD,MAAM;gBACR,KAAK,OAAO;oBACV,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;oBACrD,MAAM;gBACR;oBACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,2DAA2D;YAC3D,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ,CAAC,OAAe,EAAE,OAAe;QAC7C,IAAI,CAAC;YACH,IAAI,SAAiB,CAAC;YAEtB,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtB,KAAK,QAAQ;oBACX,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;oBACvD,MAAM;gBACR,KAAK,OAAO;oBACV,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;oBACvD,MAAM;gBACR,KAAK,OAAO;oBACV,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;oBACzD,MAAM;gBACR;oBACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;YACnD,OAAO,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,OAAe;QAC3C,IAAI,CAAC;YACH,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtB,KAAK,QAAQ;oBACX,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;oBACzC,MAAM;gBACR,KAAK,OAAO;oBACV,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;oBACzC,MAAM;gBACR,KAAK,OAAO;oBACV,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;oBAC3C,MAAM;gBACR;oBACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,gBAAgB;IAER,KAAK,CAAC,UAAU,CAAC,OAAe,EAAE,OAAe,EAAE,MAAc;QACvE,sDAAsD;QACtD,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,UAAU,EAAE;gBAC9B,yBAAyB;gBACzB,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,OAAO;aACd,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;QAED,MAAM,aAAa,CAAC,UAAU,EAAE;YAC9B,sBAAsB;YACtB,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,mBAAmB;SAC1B,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,OAAe;QAC1D,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE;YACjD,uBAAuB;YACvB,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,uBAAuB;SAC9B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,OAAe,EAAE,OAAe;QACxD,MAAM,aAAa,CAAC,UAAU,EAAE;YAC9B,yBAAyB;YACzB,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IAED,gBAAgB;IAER,KAAK,CAAC,UAAU,CAAC,OAAe,EAAE,OAAe,EAAE,MAAc;QACvE,+BAA+B;QAC/B,MAAM,KAAK,GAAG,aAAa,CAAC,aAAa,EAAE;YACzC,OAAO;YACP,SAAS,EAAE,GAAG,OAAO,IAAI,OAAO,EAAE;YAClC,SAAS,EAAE,OAAO;YAClB,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QAEH,wBAAwB;QACxB,IAAI,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACtB,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QAC1B,CAAC;QAED,MAAM,KAAK,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,OAAe;QAC1D,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,aAAa,EAAE;YACpD,QAAQ;YACR,SAAS,EAAE,OAAO;YAClB,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,OAAe,EAAE,OAAe;QACxD,MAAM,aAAa,CAAC,aAAa,EAAE;YACjC,OAAO;YACP,SAAS,EAAE,OAAO;YAClB,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAEV,KAAK,CAAC,YAAY,CAAC,OAAe,EAAE,OAAe,EAAE,MAAc;QACzE,MAAM,MAAM,GAAG,GAAG,OAAO,IAAI,OAAO,EAAE,CAAC;QACvC,gFAAgF;QAChF,MAAM,MAAM,GAAG;;sEAEmD,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,+BAA+B,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC;oBACtI,MAAM,UAAU,OAAO,UAAU,MAAM;KACtD,CAAC,IAAI,EAAE,CAAC;QACT,MAAM,aAAa,CAAC,YAAY,EAAE,CAAC,YAAY,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;IACxE,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,OAAe,EAAE,OAAe;QAC5D,MAAM,MAAM,GAAG,GAAG,OAAO,IAAI,OAAO,EAAE,CAAC;QACvC,8EAA8E;QAC9E,MAAM,MAAM,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCA4Be,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC;KACvD,CAAC,IAAI,EAAE,CAAC;QAET,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE,CAAC,YAAY,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;QACzF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAE7B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,yBAAyB,MAAM,EAAE,CAAC,CAAC;QACrD,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,OAAe;QAC1D,MAAM,MAAM,GAAG,GAAG,OAAO,IAAI,OAAO,EAAE,CAAC;QACvC,MAAM,aAAa,CAAC,QAAQ,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC;IACvD,CAAC;CACF"}

package/dist/crypto/known-keys.d.ts

@@ -1,34 +0,0 @@
-interface PinnedKey {
-    fingerprint: string;
-    publicKey: string;
-    source: string;
-    firstSeen: string;
-    verifiedAt: string;
-}
-/**
- * Pin a key for an identifier (e.g., "github:alice").
- * Throws if the identifier is already pinned with a different fingerprint.
- */
-export declare function pinKey(identifier: string, fingerprint: string, publicKey: string, source: string): void;
-/**
- * Get a pinned key by identifier.
- */
-export declare function getPinnedKey(identifier: string): PinnedKey | null;
-/**
- * Check a key against the pin store.
- */
-export declare function checkKeyPin(identifier: string, fingerprint: string): 'match' | 'mismatch' | 'new';
-/**
- * Update a pinned key after verified rotation (e.g., new key confirmed on GitHub).
- */
-export declare function updatePinnedKey(identifier: string, fingerprint: string, publicKey: string, source: string): void;
-export declare class KeyMismatchError extends Error {
-    readonly identifier: string;
-    readonly pinnedFingerprint: string;
-    readonly newFingerprint: string;
-    readonly pinnedSource: string;
-    readonly newSource: string;
-    constructor(identifier: string, pinnedFingerprint: string, newFingerprint: string, pinnedSource: string, newSource: string);
-}
-export {};
-//# sourceMappingURL=known-keys.d.ts.map

package/dist/crypto/known-keys.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"known-keys.d.ts","sourceRoot":"","sources":["../../crypto/known-keys.ts"],"names":[],"mappings":"AASA,UAAU,SAAS;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAkCD;;;GAGG;AACH,wBAAgB,MAAM,CACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,IAAI,CA8BN;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAGjE;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,GAAG,UAAU,GAAG,KAAK,CAO9B;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,IAAI,CAUN;AAED,qBAAa,gBAAiB,SAAQ,KAAK;aAEvB,UAAU,EAAE,MAAM;aAClB,iBAAiB,EAAE,MAAM;aACzB,cAAc,EAAE,MAAM;aACtB,YAAY,EAAE,MAAM;aACpB,SAAS,EAAE,MAAM;gBAJjB,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,MAAM,EACzB,cAAc,EAAE,MAAM,EACtB,YAAY,EAAE,MAAM,EACpB,SAAS,EAAE,MAAM;CAUpC"}

package/dist/crypto/known-keys.js

@@ -1,114 +0,0 @@
-import * as crypto from 'node:crypto';
-import * as fs from 'node:fs';
-import * as path from 'node:path';
-import * as os from 'node:os';
-function getKnownKeysPath() {
-    return path.join(os.homedir(), '.chaoskb', 'known_keys.json');
-}
-function fingerprintsEqual(a, b) {
-    const aBuf = Buffer.from(a);
-    const bBuf = Buffer.from(b);
-    if (aBuf.length !== bBuf.length)
-        return false;
-    return crypto.timingSafeEqual(aBuf, bBuf);
-}
-/**
- * Trust on First Use (TOFU) key pinning for invite recipients.
- *
- * When we first see a recipient's public key (from GitHub, GitLab, or direct),
- * we pin it. On subsequent invites, we check if the key has changed.
- * A key mismatch triggers a warning; a conflict with an independent source
- * is a hard block.
- */
-function loadStore() {
-    try {
-        return JSON.parse(fs.readFileSync(getKnownKeysPath(), 'utf-8'));
-    }
-    catch {
-        return {};
-    }
-}
-function saveStore(store) {
-    const dir = path.dirname(getKnownKeysPath());
-    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
-    fs.writeFileSync(getKnownKeysPath(), JSON.stringify(store, null, 2), { mode: 0o600 });
-}
-/**
- * Pin a key for an identifier (e.g., "github:alice").
- * Throws if the identifier is already pinned with a different fingerprint.
- */
-export function pinKey(identifier, fingerprint, publicKey, source) {
-    const store = loadStore();
-    const existing = store[identifier];
-    if (existing && !fingerprintsEqual(existing.fingerprint, fingerprint)) {
-        throw new KeyMismatchError(identifier, existing.fingerprint, fingerprint, existing.source, source);
-    }
-    if (existing && fingerprintsEqual(existing.fingerprint, fingerprint)) {
-        // Same key — update verifiedAt
-        existing.verifiedAt = new Date().toISOString();
-        saveStore(store);
-        return;
-    }
-    // New key — pin it
-    store[identifier] = {
-        fingerprint,
-        publicKey,
-        source,
-        firstSeen: new Date().toISOString(),
-        verifiedAt: new Date().toISOString(),
-    };
-    saveStore(store);
-}
-/**
- * Get a pinned key by identifier.
- */
-export function getPinnedKey(identifier) {
-    const store = loadStore();
-    return store[identifier] ?? null;
-}
-/**
- * Check a key against the pin store.
- */
-export function checkKeyPin(identifier, fingerprint) {
-    const store = loadStore();
-    const existing = store[identifier];
-    if (!existing)
-        return 'new';
-    if (fingerprintsEqual(existing.fingerprint, fingerprint))
-        return 'match';
-    return 'mismatch';
-}
-/**
- * Update a pinned key after verified rotation (e.g., new key confirmed on GitHub).
- */
-export function updatePinnedKey(identifier, fingerprint, publicKey, source) {
-    const store = loadStore();
-    store[identifier] = {
-        fingerprint,
-        publicKey,
-        source,
-        firstSeen: store[identifier]?.firstSeen ?? new Date().toISOString(),
-        verifiedAt: new Date().toISOString(),
-    };
-    saveStore(store);
-}
-export class KeyMismatchError extends Error {
-    identifier;
-    pinnedFingerprint;
-    newFingerprint;
-    pinnedSource;
-    newSource;
-    constructor(identifier, pinnedFingerprint, newFingerprint, pinnedSource, newSource) {
-        super(`Key mismatch for ${identifier}:\n` +
-            `  Pinned:   ${pinnedFingerprint} (source: ${pinnedSource})\n` +
-            `  Received: ${newFingerprint} (source: ${newSource})\n` +
-            `This may indicate a compromised key source. The operation was blocked.`);
-        this.identifier = identifier;
-        this.pinnedFingerprint = pinnedFingerprint;
-        this.newFingerprint = newFingerprint;
-        this.pinnedSource = pinnedSource;
-        this.newSource = newSource;
-        this.name = 'KeyMismatchError';
-    }
-}
-//# sourceMappingURL=known-keys.js.map

package/dist/crypto/known-keys.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"known-keys.js","sourceRoot":"","sources":["../../crypto/known-keys.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,SAAS,gBAAgB;IACvB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC;AAChE,CAAC;AAYD,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;GAOG;AAEH,SAAS,SAAS;IAChB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAqB;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAC7C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACxF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,MAAM,CACpB,UAAkB,EAClB,WAAmB,EACnB,SAAiB,EACjB,MAAc;IAEd,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IAEnC,IAAI,QAAQ,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,gBAAgB,CACxB,UAAU,EACV,QAAQ,CAAC,WAAW,EACpB,WAAW,EACX,QAAQ,CAAC,MAAM,EACf,MAAM,CACP,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,IAAI,iBAAiB,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;QACrE,+BAA+B;QAC/B,QAAQ,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/C,SAAS,CAAC,KAAK,CAAC,CAAC;QACjB,OAAO;IACT,CAAC;IAED,mBAAmB;IACnB,KAAK,CAAC,UAAU,CAAC,GAAG;QAClB,WAAW;QACX,SAAS;QACT,MAAM;QACN,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IACF,SAAS,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,UAAkB,EAClB,WAAmB;IAEnB,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IAEnC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,iBAAiB,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;QAAE,OAAO,OAAO,CAAC;IACzE,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,UAAkB,EAClB,WAAmB,EACnB,SAAiB,EACjB,MAAc;IAEd,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,KAAK,CAAC,UAAU,CAAC,GAAG;QAClB,WAAW;QACX,SAAS;QACT,MAAM;QACN,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IACF,SAAS,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAEvB;IACA;IACA;IACA;IACA;IALlB,YACkB,UAAkB,EAClB,iBAAyB,EACzB,cAAsB,EACtB,YAAoB,EACpB,SAAiB;QAEjC,KAAK,CACH,oBAAoB,UAAU,KAAK;YACnC,eAAe,iBAAiB,aAAa,YAAY,KAAK;YAC9D,eAAe,cAAc,aAAa,SAAS,KAAK;YACxD,wEAAwE,CACzE,CAAC;QAXc,eAAU,GAAV,UAAU,CAAQ;QAClB,sBAAiB,GAAjB,iBAAiB,CAAQ;QACzB,mBAAc,GAAd,cAAc,CAAQ;QACtB,iBAAY,GAAZ,YAAY,CAAQ;QACpB,cAAS,GAAT,SAAS,CAAQ;QAQjC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF"}

package/dist/crypto/project-keys.d.ts

@@ -1,26 +0,0 @@
-import type { ISecureBuffer } from './types.js';
-/**
- * Create a new random project key and wrap it with the personal master key.
- *
- * Uses HKDF to derive a wrapping key from the master key, then encrypts
- * the project key with XChaCha20-Poly1305. AAD can include a project name
- * for binding.
- *
- * @param personalMasterKey - The user's personal master key
- * @param projectName - Optional project name for AAD binding
- * @returns The project key (SecureBuffer) and the wrapped (encrypted) form
- */
-export declare function createProjectKey(personalMasterKey: ISecureBuffer, projectName?: string): {
-    projectKey: ISecureBuffer;
-    wrappedKey: Uint8Array;
-};
-/**
- * Unwrap a project key using the personal master key.
- *
- * @param wrappedKey - The wrapped project key (nonce || ciphertext || tag)
- * @param personalMasterKey - The user's personal master key
- * @param projectName - Optional project name for AAD binding (must match what was used during wrapping)
- * @returns The unwrapped project key as a SecureBuffer
- */
-export declare function unwrapProjectKey(wrappedKey: Uint8Array, personalMasterKey: ISecureBuffer, projectName?: string): ISecureBuffer;
-//# sourceMappingURL=project-keys.d.ts.map

package/dist/crypto/project-keys.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"project-keys.d.ts","sourceRoot":"","sources":["../../crypto/project-keys.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhD;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAC9B,iBAAiB,EAAE,aAAa,EAChC,WAAW,CAAC,EAAE,MAAM,GACnB;IAAE,UAAU,EAAE,aAAa,CAAC;IAAC,UAAU,EAAE,UAAU,CAAA;CAAE,CA8BvD;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,aAAa,EAChC,WAAW,CAAC,EAAE,MAAM,GACnB,aAAa,CA+Bf"}

package/dist/crypto/project-keys.js

@@ -1,69 +0,0 @@
-import { randomBytes } from 'node:crypto';
-import { aeadEncrypt, aeadDecrypt } from './aead.js';
-import { deriveKey } from './hkdf.js';
-import { SecureBuffer } from './secure-buffer.js';
-const PROJECT_KEY_LENGTH = 32;
-const WRAP_INFO = 'chaoskb-project-wrap';
-/**
- * Create a new random project key and wrap it with the personal master key.
- *
- * Uses HKDF to derive a wrapping key from the master key, then encrypts
- * the project key with XChaCha20-Poly1305. AAD can include a project name
- * for binding.
- *
- * @param personalMasterKey - The user's personal master key
- * @param projectName - Optional project name for AAD binding
- * @returns The project key (SecureBuffer) and the wrapped (encrypted) form
- */
-export function createProjectKey(personalMasterKey, projectName) {
-    // Generate random 32-byte project key
-    const projectKeyBytes = randomBytes(PROJECT_KEY_LENGTH);
-    // Derive a wrapping key via HKDF
-    const wrappingKey = deriveKey(new Uint8Array(personalMasterKey.buffer), WRAP_INFO);
-    // AAD: project name if available, otherwise empty
-    const aad = projectName
-        ? new TextEncoder().encode(projectName)
-        : new Uint8Array(0);
-    // Encrypt project key with XChaCha20-Poly1305
-    const { nonce, ciphertext, tag } = aeadEncrypt(wrappingKey, projectKeyBytes, aad);
-    // Zero wrapping key and plaintext project key bytes
-    wrappingKey.fill(0);
-    // Serialize: nonce(24) || ciphertext || tag(16)
-    const wrappedKey = new Uint8Array(nonce.length + ciphertext.length + tag.length);
-    wrappedKey.set(nonce, 0);
-    wrappedKey.set(ciphertext, nonce.length);
-    wrappedKey.set(tag, nonce.length + ciphertext.length);
-    const projectKey = SecureBuffer.from(projectKeyBytes);
-    return { projectKey, wrappedKey };
-}
-/**
- * Unwrap a project key using the personal master key.
- *
- * @param wrappedKey - The wrapped project key (nonce || ciphertext || tag)
- * @param personalMasterKey - The user's personal master key
- * @param projectName - Optional project name for AAD binding (must match what was used during wrapping)
- * @returns The unwrapped project key as a SecureBuffer
- */
-export function unwrapProjectKey(wrappedKey, personalMasterKey, projectName) {
-    const NONCE_SIZE = 24;
-    const TAG_SIZE = 16;
-    if (wrappedKey.length < NONCE_SIZE + TAG_SIZE + 1) {
-        throw new Error('Wrapped key is too short');
-    }
-    // Derive the same wrapping key
-    const wrappingKey = deriveKey(new Uint8Array(personalMasterKey.buffer), WRAP_INFO);
-    // Split wrapped key into nonce, ciphertext, tag
-    const nonce = wrappedKey.slice(0, NONCE_SIZE);
-    const ciphertext = wrappedKey.slice(NONCE_SIZE, wrappedKey.length - TAG_SIZE);
-    const tag = wrappedKey.slice(wrappedKey.length - TAG_SIZE);
-    // AAD: project name if available, otherwise empty
-    const aad = projectName
-        ? new TextEncoder().encode(projectName)
-        : new Uint8Array(0);
-    // Decrypt
-    const projectKeyBytes = aeadDecrypt(wrappingKey, nonce, ciphertext, tag, aad);
-    // Zero wrapping key
-    wrappingKey.fill(0);
-    return SecureBuffer.from(Buffer.from(projectKeyBytes));
-}
-//# sourceMappingURL=project-keys.js.map

package/dist/crypto/project-keys.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"project-keys.js","sourceRoot":"","sources":["../../crypto/project-keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAC9B,MAAM,SAAS,GAAG,sBAAsB,CAAC;AAEzC;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAC9B,iBAAgC,EAChC,WAAoB;IAEpB,sCAAsC;IACtC,MAAM,eAAe,GAAG,WAAW,CAAC,kBAAkB,CAAC,CAAC;IAExD,iCAAiC;IACjC,MAAM,WAAW,GAAG,SAAS,CAC3B,IAAI,UAAU,CAAC,iBAAiB,CAAC,MAAM,CAAC,EACxC,SAAS,CACV,CAAC;IAEF,kDAAkD;IAClD,MAAM,GAAG,GAAG,WAAW;QACrB,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;QACvC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtB,8CAA8C;IAC9C,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IAElF,oDAAoD;IACpD,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpB,gDAAgD;IAChD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IACjF,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACzB,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACzC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAEtD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAEtD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAAsB,EACtB,iBAAgC,EAChC,WAAoB;IAEpB,MAAM,UAAU,GAAG,EAAE,CAAC;IACtB,MAAM,QAAQ,GAAG,EAAE,CAAC;IAEpB,IAAI,UAAU,CAAC,MAAM,GAAG,UAAU,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,+BAA+B;IAC/B,MAAM,WAAW,GAAG,SAAS,CAC3B,IAAI,UAAU,CAAC,iBAAiB,CAAC,MAAM,CAAC,EACxC,SAAS,CACV,CAAC;IAEF,gDAAgD;IAChD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAE3D,kDAAkD;IAClD,MAAM,GAAG,GAAG,WAAW;QACrB,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;QACvC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtB,UAAU;IACV,MAAM,eAAe,GAAG,WAAW,CAAC,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAE9E,oBAAoB;IACpB,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpB,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;AACzD,CAAC"}

package/dist/crypto/secure-buffer.d.ts

@@ -1,31 +0,0 @@
-import type { ISecureBuffer } from './types.js';
-/**
- * Memory-locked buffer for sensitive key material.
- * Uses sodium_malloc (mlock'd pages) and sodium_memzero on dispose.
- */
-export declare class SecureBuffer implements ISecureBuffer {
-    private _buffer;
-    private _disposed;
-    private constructor();
-    /** Read the buffer contents. Throws if disposed. */
-    get buffer(): Buffer;
-    /** Byte length of the buffer. */
-    get length(): number;
-    /** Whether the buffer has been zeroed and disposed. */
-    get isDisposed(): boolean;
-    /**
-     * Zero the buffer contents and mark as disposed.
-     * Safe to call multiple times (idempotent).
-     */
-    dispose(): void;
-    /** Support `using` keyword (TC39 Explicit Resource Management). */
-    [Symbol.dispose](): void;
-    /**
-     * Copy data into a new SecureBuffer and zero the source.
-     * The source buffer is zeroed after copying regardless of type.
-     */
-    static from(data: Buffer | Uint8Array): SecureBuffer;
-    /** Allocate a new zeroed SecureBuffer of the given length. */
-    static alloc(length: number): SecureBuffer;
-}
-//# sourceMappingURL=secure-buffer.d.ts.map

package/dist/crypto/secure-buffer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"secure-buffer.d.ts","sourceRoot":"","sources":["../../crypto/secure-buffer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD;;;GAGG;AACH,qBAAa,YAAa,YAAW,aAAa;IAChD,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAS;IAE1B,OAAO;IAIP,oDAAoD;IACpD,IAAI,MAAM,IAAI,MAAM,CAKnB;IAED,iCAAiC;IACjC,IAAI,MAAM,IAAI,MAAM,CAEnB;IAED,uDAAuD;IACvD,IAAI,UAAU,IAAI,OAAO,CAExB;IAED;;;OAGG;IACH,OAAO,IAAI,IAAI;IAQf,mEAAmE;IACnE,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI;IAIxB;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,YAAY;IASpD,8DAA8D;IAC9D,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY;CAK3C"}

package/dist/crypto/secure-buffer.js

@@ -1,61 +0,0 @@
-import sodium from 'sodium-native';
-/**
- * Memory-locked buffer for sensitive key material.
- * Uses sodium_malloc (mlock'd pages) and sodium_memzero on dispose.
- */
-export class SecureBuffer {
-    _buffer;
-    _disposed = false;
-    constructor(length) {
-        this._buffer = sodium.sodium_malloc(length);
-    }
-    /** Read the buffer contents. Throws if disposed. */
-    get buffer() {
-        if (this._disposed) {
-            throw new Error('SecureBuffer has been disposed');
-        }
-        return this._buffer;
-    }
-    /** Byte length of the buffer. */
-    get length() {
-        return this._buffer.byteLength;
-    }
-    /** Whether the buffer has been zeroed and disposed. */
-    get isDisposed() {
-        return this._disposed;
-    }
-    /**
-     * Zero the buffer contents and mark as disposed.
-     * Safe to call multiple times (idempotent).
-     */
-    dispose() {
-        if (this._disposed) {
-            return;
-        }
-        sodium.sodium_memzero(this._buffer);
-        this._disposed = true;
-    }
-    /** Support `using` keyword (TC39 Explicit Resource Management). */
-    [Symbol.dispose]() {
-        this.dispose();
-    }
-    /**
-     * Copy data into a new SecureBuffer and zero the source.
-     * The source buffer is zeroed after copying regardless of type.
-     */
-    static from(data) {
-        const sb = new SecureBuffer(data.byteLength);
-        const buf = Buffer.isBuffer(data) ? data : Buffer.from(data.buffer, data.byteOffset, data.byteLength);
-        buf.copy(sb._buffer);
-        // Zero the source
-        sodium.sodium_memzero(buf);
-        return sb;
-    }
-    /** Allocate a new zeroed SecureBuffer of the given length. */
-    static alloc(length) {
-        const sb = new SecureBuffer(length);
-        sodium.sodium_memzero(sb._buffer);
-        return sb;
-    }
-}
-//# sourceMappingURL=secure-buffer.js.map

package/dist/crypto/secure-buffer.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"secure-buffer.js","sourceRoot":"","sources":["../../crypto/secure-buffer.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,eAAe,CAAC;AAInC;;;GAGG;AACH,MAAM,OAAO,YAAY;IACf,OAAO,CAAS;IAChB,SAAS,GAAG,KAAK,CAAC;IAE1B,YAAoB,MAAc;QAChC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;IAED,oDAAoD;IACpD,IAAI,MAAM;QACR,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,iCAAiC;IACjC,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;IACjC,CAAC;IAED,uDAAuD;IACvD,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QACD,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;IACxB,CAAC;IAED,mEAAmE;IACnE,CAAC,MAAM,CAAC,OAAO,CAAC;QACd,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,IAAyB;QACnC,MAAM,EAAE,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACtG,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;QACrB,kBAAkB;QAClB,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,8DAA8D;IAC9D,MAAM,CAAC,KAAK,CAAC,MAAc;QACzB,MAAM,EAAE,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;QAClC,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}

package/dist/crypto/tiers/enhanced.d.ts

@@ -1,25 +0,0 @@
-import type { ISecureBuffer } from '../types.js';
-export { wrapMasterKey, unwrapMasterKeyEd25519, unwrapMasterKeyRSA } from './standard.js';
-/**
- * @deprecated Enhanced tier is deprecated. New installations use Standard or Maximum only.
- *
- * Enhanced tier: BIP39 24-word recovery key.
- *
- * The master key is a 256-bit random value which maps directly to a 24-word
- * BIP39 mnemonic. Either the mnemonic or the SSH-wrapped key can recover.
- */
-/**
- * @deprecated Use Standard tier (SSH key wrapping) instead.
- *
- * Encode a 256-bit master key as a 24-word BIP39 mnemonic.
- * The master key bytes are used directly as the entropy.
- */
-export declare function generateRecoveryKey(masterKey: ISecureBuffer): string;
-/**
- * @deprecated Use Standard tier (SSH key wrapping) instead.
- *
- * Decode a 24-word BIP39 mnemonic back to the 256-bit master key.
- * Returns a SecureBuffer containing the recovered key.
- */
-export declare function recoverFromMnemonic(mnemonic: string): ISecureBuffer;
-//# sourceMappingURL=enhanced.d.ts.map

package/dist/crypto/tiers/enhanced.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"enhanced.d.ts","sourceRoot":"","sources":["../../../crypto/tiers/enhanced.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAE1F;;;;;;;GAOG;AAEH;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,aAAa,GAAG,MAAM,CAQpE;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,CAoBnE"}