@debros/network-ts-sdk 0.6.1 → 0.7.0

package/dist/index.js

@@ -909,7 +909,11 @@ var WSClient = class {
         this.ws.addEventListener("error", (event) => {
           console.error("[WSClient] WebSocket error:", event);
           clearTimeout(timeout);
-          const error = new SDKError("WebSocket error", 500, "WS_ERROR", event);
+          const details = { type: event.type };
+          if ("message" in event) {
+            details.message = event.message;
+          }
+          const error = new SDKError("WebSocket error", 0, "WS_ERROR", details);
           if (this.onNetworkError) {
             this.onNetworkError(error, {
               method: "WS",
@@ -921,10 +925,13 @@ var WSClient = class {
           this.errorHandlers.forEach((handler) => handler(error));
           reject(error);
         });
-        this.ws.addEventListener("close", () => {
+        this.ws.addEventListener("close", (event) => {
           clearTimeout(timeout);
-          console.log("[WSClient] Connection closed");
-          this.closeHandlers.forEach((handler) => handler());
+          const closeEvent = event;
+          const code = closeEvent.code ?? 1006;
+          const reason = closeEvent.reason ?? "";
+          console.log(`[WSClient] Connection closed (code: ${code}, reason: ${reason || "none"})`);
+          this.closeHandlers.forEach((handler) => handler(code, reason));
         });
       } catch (error) {
         reject(error);
@@ -995,7 +1002,7 @@ var WSClient = class {
    */
   send(data) {
     if (this.ws?.readyState !== WebSocket.OPEN) {
-      throw new SDKError("WebSocket is not connected", 500, "WS_NOT_CONNECTED");
+      throw new SDKError("WebSocket is not connected", 0, "WS_NOT_CONNECTED");
     }
     this.ws.send(data);
   }
@@ -1215,8 +1222,8 @@ var Subscription = class {
       this.errorHandlers.forEach((handler) => handler(error));
     };
     this.wsClient.onError(this.wsErrorHandler);
-    this.wsCloseHandler = () => {
-      this.closeHandlers.forEach((handler) => handler());
+    this.wsCloseHandler = (code, reason) => {
+      this.closeHandlers.forEach((handler) => handler(code, reason));
     };
     this.wsClient.onClose(this.wsCloseHandler);
   }
@@ -1689,6 +1696,746 @@ var FunctionsClient = class {
   }
 };
 
+// src/vault/transport/guardian.ts
+var GuardianError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "GuardianError";
+  }
+};
+var DEFAULT_TIMEOUT_MS = 1e4;
+var GuardianClient = class {
+  constructor(endpoint, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    this.sessionToken = null;
+    this.baseUrl = `http://${endpoint.address}:${endpoint.port}`;
+    this.timeoutMs = timeoutMs;
+  }
+  /** Set a session token for authenticated V2 requests. */
+  setSessionToken(token) {
+    this.sessionToken = token;
+  }
+  /** Get the current session token. */
+  getSessionToken() {
+    return this.sessionToken;
+  }
+  /** Clear the session token. */
+  clearSessionToken() {
+    this.sessionToken = null;
+  }
+  // ── V1 endpoints ────────────────────────────────────────────────────
+  /** GET /v1/vault/health */
+  async health() {
+    return this.get("/v1/vault/health");
+  }
+  /** GET /v1/vault/status */
+  async status() {
+    return this.get("/v1/vault/status");
+  }
+  /** GET /v1/vault/guardians */
+  async guardians() {
+    return this.get("/v1/vault/guardians");
+  }
+  /** POST /v1/vault/push — store a share (V1). */
+  async push(identity, share) {
+    return this.post("/v1/vault/push", {
+      identity,
+      share: uint8ToBase64(share)
+    });
+  }
+  /** POST /v1/vault/pull — retrieve a share (V1). */
+  async pull(identity) {
+    const resp = await this.post("/v1/vault/pull", { identity });
+    return base64ToUint8(resp.share);
+  }
+  /** Check if this guardian is reachable. */
+  async isReachable() {
+    try {
+      await this.health();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  // ── V2 auth endpoints ───────────────────────────────────────────────
+  /** POST /v2/vault/auth/challenge — request an auth challenge. */
+  async requestChallenge(identity) {
+    return this.post("/v2/vault/auth/challenge", { identity });
+  }
+  /** POST /v2/vault/auth/session — exchange challenge for session token. */
+  async createSession(identity, nonce, created_ns, tag) {
+    return this.post("/v2/vault/auth/session", {
+      identity,
+      nonce,
+      created_ns,
+      tag
+    });
+  }
+  // ── V2 secrets CRUD ─────────────────────────────────────────────────
+  /** PUT /v2/vault/secrets/{name} — store a secret. Requires session token. */
+  async putSecret(name, share, version) {
+    return this.authedRequest("PUT", `/v2/vault/secrets/${encodeURIComponent(name)}`, {
+      share: uint8ToBase64(share),
+      version
+    });
+  }
+  /** GET /v2/vault/secrets/{name} — retrieve a secret. Requires session token. */
+  async getSecret(name) {
+    const resp = await this.authedRequest("GET", `/v2/vault/secrets/${encodeURIComponent(name)}`);
+    return {
+      share: base64ToUint8(resp.share),
+      name: resp.name,
+      version: resp.version,
+      created_ns: resp.created_ns,
+      updated_ns: resp.updated_ns
+    };
+  }
+  /** DELETE /v2/vault/secrets/{name} — delete a secret. Requires session token. */
+  async deleteSecret(name) {
+    return this.authedRequest("DELETE", `/v2/vault/secrets/${encodeURIComponent(name)}`);
+  }
+  /** GET /v2/vault/secrets — list all secrets. Requires session token. */
+  async listSecrets() {
+    return this.authedRequest("GET", "/v2/vault/secrets");
+  }
+  // ── Internal HTTP methods ───────────────────────────────────────────
+  async authedRequest(method, path, body) {
+    if (!this.sessionToken) {
+      throw new GuardianError("AUTH", "No session token set. Call authenticate() first.");
+    }
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const headers = {
+        "X-Session-Token": this.sessionToken
+      };
+      const init = {
+        method,
+        headers,
+        signal: controller.signal
+      };
+      if (body !== void 0) {
+        headers["Content-Type"] = "application/json";
+        init.body = JSON.stringify(body);
+      }
+      const resp = await fetch(`${this.baseUrl}${path}`, init);
+      if (!resp.ok) {
+        const errBody = await resp.json().catch(() => ({}));
+        const msg = errBody.error || `HTTP ${resp.status}`;
+        throw new GuardianError(classifyHttpStatus(resp.status), msg);
+      }
+      return await resp.json();
+    } catch (err) {
+      throw classifyError(err);
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  async get(path) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const resp = await fetch(`${this.baseUrl}${path}`, {
+        method: "GET",
+        signal: controller.signal
+      });
+      if (!resp.ok) {
+        const body = await resp.json().catch(() => ({}));
+        const msg = body.error || `HTTP ${resp.status}`;
+        throw new GuardianError(classifyHttpStatus(resp.status), msg);
+      }
+      return await resp.json();
+    } catch (err) {
+      throw classifyError(err);
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  async post(path, body) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const resp = await fetch(`${this.baseUrl}${path}`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+      if (!resp.ok) {
+        const errBody = await resp.json().catch(() => ({}));
+        const msg = errBody.error || `HTTP ${resp.status}`;
+        throw new GuardianError(classifyHttpStatus(resp.status), msg);
+      }
+      return await resp.json();
+    } catch (err) {
+      throw classifyError(err);
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+};
+function classifyHttpStatus(status) {
+  if (status === 404) return "NOT_FOUND";
+  if (status === 401 || status === 403) return "AUTH";
+  if (status === 409) return "CONFLICT";
+  if (status >= 500) return "SERVER_ERROR";
+  return "NETWORK";
+}
+function classifyError(err) {
+  if (err instanceof GuardianError) return err;
+  if (err instanceof Error) {
+    if (err.name === "AbortError") {
+      return new GuardianError("TIMEOUT", `Request timed out: ${err.message}`);
+    }
+    if (err.name === "TypeError" || err.message.includes("fetch")) {
+      return new GuardianError("NETWORK", `Network error: ${err.message}`);
+    }
+    return new GuardianError("NETWORK", err.message);
+  }
+  return new GuardianError("NETWORK", String(err));
+}
+function uint8ToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToUint8(b64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(b64, "base64"));
+  }
+  const binary = atob(b64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// src/vault/auth.ts
+var AuthClient2 = class {
+  constructor(identityHex, timeoutMs = 1e4) {
+    this.sessions = /* @__PURE__ */ new Map();
+    this.identityHex = identityHex;
+    this.timeoutMs = timeoutMs;
+  }
+  /**
+   * Authenticate with a guardian and cache the session token.
+   * Returns a GuardianClient with the session token set.
+   */
+  async authenticate(endpoint) {
+    const key = `${endpoint.address}:${endpoint.port}`;
+    const cached = this.sessions.get(key);
+    if (cached) {
+      const nowNs = Date.now() * 1e6;
+      if (cached.expiryNs > nowNs + 3e10) {
+        const client2 = new GuardianClient(endpoint, this.timeoutMs);
+        client2.setSessionToken(cached.token);
+        return client2;
+      }
+      this.sessions.delete(key);
+    }
+    const client = new GuardianClient(endpoint, this.timeoutMs);
+    const challenge = await client.requestChallenge(this.identityHex);
+    const session = await client.createSession(
+      this.identityHex,
+      challenge.nonce,
+      challenge.created_ns,
+      challenge.tag
+    );
+    const token = `${session.identity}:${session.expiry_ns}:${session.tag}`;
+    client.setSessionToken(token);
+    this.sessions.set(key, { token, expiryNs: session.expiry_ns });
+    return client;
+  }
+  /**
+   * Authenticate with multiple guardians in parallel.
+   * Returns authenticated GuardianClients for all that succeed.
+   */
+  async authenticateAll(endpoints) {
+    const results = await Promise.allSettled(
+      endpoints.map(async (ep) => {
+        const client = await this.authenticate(ep);
+        return { client, endpoint: ep };
+      })
+    );
+    const authenticated = [];
+    for (const r of results) {
+      if (r.status === "fulfilled") {
+        authenticated.push(r.value);
+      }
+    }
+    return authenticated;
+  }
+  /** Clear all cached sessions. */
+  clearSessions() {
+    this.sessions.clear();
+  }
+  /** Get the identity hex string. */
+  getIdentityHex() {
+    return this.identityHex;
+  }
+};
+
+// src/vault/transport/fanout.ts
+async function fanOut(guardians, operation) {
+  const results = await Promise.allSettled(
+    guardians.map(async (endpoint) => {
+      const client = new GuardianClient(endpoint);
+      const result = await operation(client);
+      return { endpoint, result, error: null };
+    })
+  );
+  return results.map((r, i) => {
+    if (r.status === "fulfilled") return r.value;
+    const reason = r.reason;
+    const errorCode = reason instanceof GuardianError ? reason.code : void 0;
+    return {
+      endpoint: guardians[i],
+      result: null,
+      error: reason.message,
+      errorCode
+    };
+  });
+}
+async function fanOutIndexed(guardians, operation) {
+  const results = await Promise.allSettled(
+    guardians.map(async (endpoint, i) => {
+      const client = new GuardianClient(endpoint);
+      const result = await operation(client, i);
+      return { endpoint, result, error: null };
+    })
+  );
+  return results.map((r, i) => {
+    if (r.status === "fulfilled") return r.value;
+    const reason = r.reason;
+    const errorCode = reason instanceof GuardianError ? reason.code : void 0;
+    return {
+      endpoint: guardians[i],
+      result: null,
+      error: reason.message,
+      errorCode
+    };
+  });
+}
+function withTimeout(promise, ms) {
+  return Promise.race([
+    promise,
+    new Promise(
+      (_, reject) => setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms)
+    )
+  ]);
+}
+async function withRetry(fn, attempts = 3) {
+  let lastError;
+  for (let i = 0; i < attempts; i++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (err instanceof GuardianError && (err.code === "AUTH" || err.code === "NOT_FOUND")) {
+        throw err;
+      }
+      if (i < attempts - 1) {
+        await new Promise((r) => setTimeout(r, 200 * Math.pow(2, i)));
+      }
+    }
+  }
+  throw lastError;
+}
+
+// src/vault/crypto/shamir.ts
+import { randomBytes } from "@noble/ciphers/webcrypto";
+var IRREDUCIBLE = 283;
+var EXP_TABLE = new Uint8Array(512);
+var LOG_TABLE = new Uint8Array(256);
+(function buildTables() {
+  let x = 1;
+  for (let i = 0; i < 255; i++) {
+    EXP_TABLE[i] = x;
+    LOG_TABLE[x] = i;
+    x = x ^ x << 1;
+    if (x >= 256) x ^= IRREDUCIBLE;
+  }
+  for (let i = 255; i < 512; i++) {
+    EXP_TABLE[i] = EXP_TABLE[i - 255];
+  }
+})();
+function gfAdd(a, b) {
+  return a ^ b;
+}
+function gfMul(a, b) {
+  if (a === 0 || b === 0) return 0;
+  return EXP_TABLE[LOG_TABLE[a] + LOG_TABLE[b]];
+}
+function gfDiv(a, b) {
+  if (b === 0) throw new Error("GF(2^8): division by zero");
+  if (a === 0) return 0;
+  return EXP_TABLE[(LOG_TABLE[a] - LOG_TABLE[b] + 255) % 255];
+}
+function split(secret, n, k) {
+  if (k < 2) throw new Error("Threshold K must be at least 2");
+  if (n < k) throw new Error("Share count N must be >= threshold K");
+  if (n > 255) throw new Error("Maximum 255 shares (GF(2^8) limit)");
+  if (secret.length === 0) throw new Error("Secret must not be empty");
+  const coefficients = new Array(secret.length);
+  for (let i = 0; i < secret.length; i++) {
+    const poly = new Uint8Array(k);
+    poly[0] = secret[i];
+    const rand = randomBytes(k - 1);
+    poly.set(rand, 1);
+    coefficients[i] = poly;
+  }
+  const shares = [];
+  for (let xi = 1; xi <= n; xi++) {
+    const y = new Uint8Array(secret.length);
+    for (let byteIdx = 0; byteIdx < secret.length; byteIdx++) {
+      y[byteIdx] = evaluatePolynomial(coefficients[byteIdx], xi);
+    }
+    shares.push({ x: xi, y });
+  }
+  for (const poly of coefficients) {
+    poly.fill(0);
+  }
+  return shares;
+}
+function evaluatePolynomial(coeffs, x) {
+  let result = 0;
+  for (let i = coeffs.length - 1; i >= 0; i--) {
+    result = gfAdd(gfMul(result, x), coeffs[i]);
+  }
+  return result;
+}
+function combine(shares) {
+  if (shares.length < 2) throw new Error("Need at least 2 shares");
+  const secretLength = shares[0].y.length;
+  for (const share of shares) {
+    if (share.y.length !== secretLength) {
+      throw new Error("All shares must have the same data length");
+    }
+    if (share.x === 0) {
+      throw new Error("Share index must not be 0");
+    }
+  }
+  const xValues = new Set(shares.map((s) => s.x));
+  if (xValues.size !== shares.length) {
+    throw new Error("Duplicate share indices");
+  }
+  const secret = new Uint8Array(secretLength);
+  for (let byteIdx = 0; byteIdx < secretLength; byteIdx++) {
+    let value = 0;
+    for (let i = 0; i < shares.length; i++) {
+      const xi = shares[i].x;
+      const yi = shares[i].y[byteIdx];
+      let basis = 1;
+      for (let j = 0; j < shares.length; j++) {
+        if (i === j) continue;
+        const xj = shares[j].x;
+        basis = gfMul(basis, gfDiv(xj, gfAdd(xi, xj)));
+      }
+      value = gfAdd(value, gfMul(yi, basis));
+    }
+    secret[byteIdx] = value;
+  }
+  return secret;
+}
+
+// src/vault/quorum.ts
+function adaptiveThreshold(n) {
+  return Math.max(3, Math.floor(n / 3));
+}
+function writeQuorum(n) {
+  if (n === 0) return 0;
+  if (n <= 2) return n;
+  return Math.ceil(2 * n / 3);
+}
+
+// src/vault/client.ts
+var PULL_TIMEOUT_MS = 1e4;
+var VaultClient = class {
+  constructor(config) {
+    this.config = config;
+    this.auth = new AuthClient2(config.identityHex, config.timeoutMs);
+  }
+  /**
+   * Store a secret across guardian nodes using Shamir splitting.
+   *
+   * @param name - Secret name (alphanumeric, _, -, max 128 chars)
+   * @param data - Secret data to store
+   * @param version - Monotonic version number (must be > previous)
+   */
+  async store(name, data, version) {
+    const guardians = this.config.guardians;
+    const n = guardians.length;
+    const k = adaptiveThreshold(n);
+    const shares = split(data, n, k);
+    const authed = await this.auth.authenticateAll(guardians);
+    const results = await Promise.allSettled(
+      authed.map(async ({ client, endpoint }, _i) => {
+        const guardianIdx = guardians.indexOf(endpoint);
+        const share = shares[guardianIdx];
+        if (!share) throw new Error("share index out of bounds");
+        const shareBytes = new Uint8Array(1 + share.y.length);
+        shareBytes[0] = share.x;
+        shareBytes.set(share.y, 1);
+        return withRetry(() => client.putSecret(name, shareBytes, version));
+      })
+    );
+    for (const share of shares) {
+      share.y.fill(0);
+    }
+    const guardianResults = authed.map(({ endpoint }, i) => {
+      const ep = `${endpoint.address}:${endpoint.port}`;
+      const r = results[i];
+      if (r.status === "fulfilled") {
+        return { endpoint: ep, success: true };
+      }
+      return { endpoint: ep, success: false, error: r.reason.message };
+    });
+    const ackCount = results.filter((r) => r.status === "fulfilled").length;
+    const failCount = results.filter((r) => r.status === "rejected").length;
+    const w = writeQuorum(n);
+    return {
+      ackCount,
+      totalContacted: authed.length,
+      failCount,
+      quorumMet: ackCount >= w,
+      guardianResults
+    };
+  }
+  /**
+   * Retrieve and reconstruct a secret from guardian nodes.
+   *
+   * @param name - Secret name
+   */
+  async retrieve(name) {
+    const guardians = this.config.guardians;
+    const n = guardians.length;
+    const k = adaptiveThreshold(n);
+    const authed = await this.auth.authenticateAll(guardians);
+    const pullResults = await Promise.allSettled(
+      authed.map(async ({ client }) => {
+        const resp = await withTimeout(client.getSecret(name), PULL_TIMEOUT_MS);
+        const shareBytes = resp.share;
+        if (shareBytes.length < 2) throw new Error("Share too short");
+        return {
+          x: shareBytes[0],
+          y: shareBytes.slice(1)
+        };
+      })
+    );
+    const shares = [];
+    for (const r of pullResults) {
+      if (r.status === "fulfilled") {
+        shares.push(r.value);
+      }
+    }
+    if (shares.length < k) {
+      throw new Error(
+        `Not enough shares: collected ${shares.length} of ${k} required (contacted ${authed.length} guardians)`
+      );
+    }
+    const data = combine(shares);
+    for (const share of shares) {
+      share.y.fill(0);
+    }
+    return {
+      data,
+      sharesCollected: shares.length
+    };
+  }
+  /**
+   * List all secrets for this identity.
+   * Queries the first reachable guardian (metadata is replicated).
+   */
+  async list() {
+    const guardians = this.config.guardians;
+    const authed = await this.auth.authenticateAll(guardians);
+    if (authed.length === 0) {
+      throw new Error("No guardians reachable");
+    }
+    const resp = await authed[0].client.listSecrets();
+    return { secrets: resp.secrets };
+  }
+  /**
+   * Delete a secret from all guardian nodes.
+   *
+   * @param name - Secret name to delete
+   */
+  async delete(name) {
+    const guardians = this.config.guardians;
+    const n = guardians.length;
+    const authed = await this.auth.authenticateAll(guardians);
+    const results = await Promise.allSettled(
+      authed.map(async ({ client }) => {
+        return withRetry(() => client.deleteSecret(name));
+      })
+    );
+    const ackCount = results.filter((r) => r.status === "fulfilled").length;
+    const w = writeQuorum(n);
+    return {
+      ackCount,
+      totalContacted: authed.length,
+      quorumMet: ackCount >= w
+    };
+  }
+  /** Clear all cached auth sessions. */
+  clearSessions() {
+    this.auth.clearSessions();
+  }
+};
+
+// src/vault/crypto/aes.ts
+import { gcm } from "@noble/ciphers/aes";
+import { randomBytes as randomBytes2 } from "@noble/ciphers/webcrypto";
+import { bytesToHex, hexToBytes, concatBytes } from "@noble/hashes/utils";
+var KEY_SIZE = 32;
+var NONCE_SIZE = 12;
+var TAG_SIZE = 16;
+function encrypt(plaintext, key, aad) {
+  validateKey(key);
+  const nonce = randomBytes2(NONCE_SIZE);
+  const cipher = gcm(key, nonce, aad);
+  const ciphertext = cipher.encrypt(plaintext);
+  return {
+    ciphertext,
+    nonce,
+    aad
+  };
+}
+function decrypt(encryptedData, key) {
+  validateKey(key);
+  validateNonce(encryptedData.nonce);
+  const cipher = gcm(key, encryptedData.nonce, encryptedData.aad);
+  try {
+    return cipher.decrypt(encryptedData.ciphertext);
+  } catch (error) {
+    throw new Error("Decryption failed: invalid ciphertext or authentication tag");
+  }
+}
+function encryptString(message, key, aad) {
+  const plaintext = new TextEncoder().encode(message);
+  try {
+    return encrypt(plaintext, key, aad);
+  } finally {
+    plaintext.fill(0);
+  }
+}
+function decryptString(encryptedData, key) {
+  const plaintext = decrypt(encryptedData, key);
+  try {
+    return new TextDecoder().decode(plaintext);
+  } finally {
+    plaintext.fill(0);
+  }
+}
+function serialize(encryptedData) {
+  const data = concatBytes(encryptedData.nonce, encryptedData.ciphertext);
+  return {
+    data,
+    aad: encryptedData.aad
+  };
+}
+function deserialize(serialized) {
+  if (serialized.data.length < NONCE_SIZE + TAG_SIZE) {
+    throw new Error("Invalid serialized data: too short");
+  }
+  const nonce = serialized.data.slice(0, NONCE_SIZE);
+  const ciphertext = serialized.data.slice(NONCE_SIZE);
+  return {
+    ciphertext,
+    nonce,
+    aad: serialized.aad
+  };
+}
+function encryptAndSerialize(plaintext, key, aad) {
+  const encrypted = encrypt(plaintext, key, aad);
+  return serialize(encrypted);
+}
+function deserializeAndDecrypt(serialized, key) {
+  const encrypted = deserialize(serialized);
+  return decrypt(encrypted, key);
+}
+function toHex(encryptedData) {
+  const serialized = serialize(encryptedData);
+  return bytesToHex(serialized.data);
+}
+function fromHex(hex, aad) {
+  const normalized = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const data = hexToBytes(normalized);
+  return deserialize({ data, aad });
+}
+function toBase64(encryptedData) {
+  const serialized = serialize(encryptedData);
+  if (typeof btoa === "function") {
+    return btoa(String.fromCharCode(...serialized.data));
+  } else {
+    return Buffer.from(serialized.data).toString("base64");
+  }
+}
+function fromBase64(base64, aad) {
+  let data;
+  if (typeof atob === "function") {
+    const binary = atob(base64);
+    data = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      data[i] = binary.charCodeAt(i);
+    }
+  } else {
+    data = new Uint8Array(Buffer.from(base64, "base64"));
+  }
+  return deserialize({ data, aad });
+}
+function validateKey(key) {
+  if (!(key instanceof Uint8Array)) {
+    throw new Error("Key must be a Uint8Array");
+  }
+  if (key.length !== KEY_SIZE) {
+    throw new Error(`Invalid key length: expected ${KEY_SIZE}, got ${key.length}`);
+  }
+}
+function validateNonce(nonce) {
+  if (!(nonce instanceof Uint8Array)) {
+    throw new Error("Nonce must be a Uint8Array");
+  }
+  if (nonce.length !== NONCE_SIZE) {
+    throw new Error(`Invalid nonce length: expected ${NONCE_SIZE}, got ${nonce.length}`);
+  }
+}
+function generateKey() {
+  return randomBytes2(KEY_SIZE);
+}
+function generateNonce() {
+  return randomBytes2(NONCE_SIZE);
+}
+function clearKey(key) {
+  key.fill(0);
+}
+function isValidEncryptedData(data) {
+  return data.nonce instanceof Uint8Array && data.nonce.length === NONCE_SIZE && data.ciphertext instanceof Uint8Array && data.ciphertext.length >= TAG_SIZE;
+}
+
+// src/vault/crypto/hkdf.ts
+import { hkdf } from "@noble/hashes/hkdf";
+import { sha256 } from "@noble/hashes/sha256";
+var DEFAULT_KEY_LENGTH = 32;
+var MAX_KEY_LENGTH = 255 * 32;
+function deriveKeyHKDF(ikm, salt, info, length = DEFAULT_KEY_LENGTH) {
+  if (!ikm || ikm.length === 0) {
+    throw new Error("HKDF: input key material must not be empty");
+  }
+  if (length <= 0 || length > MAX_KEY_LENGTH) {
+    throw new Error(`HKDF: output length must be between 1 and ${MAX_KEY_LENGTH}`);
+  }
+  const saltBytes = typeof salt === "string" ? new TextEncoder().encode(salt) : salt;
+  const infoBytes = typeof info === "string" ? new TextEncoder().encode(info) : info;
+  return hkdf(sha256, ikm, saltBytes, infoBytes, length);
+}
+
 // src/index.ts
 function createClient(config) {
   const httpClient = new HttpClient({
@@ -1717,6 +2464,7 @@ function createClient(config) {
   const cache = new CacheClient(httpClient);
   const storage = new StorageClient(httpClient);
   const functions = new FunctionsClient(httpClient, config.functionsConfig);
+  const vault = config.vaultConfig ? new VaultClient(config.vaultConfig) : null;
   return {
     auth,
     db,
@@ -1724,7 +2472,8 @@ function createClient(config) {
     network,
     cache,
     storage,
-    functions
+    functions,
+    vault
   };
 }
 export {
@@ -1732,9 +2481,13 @@ export {
   CacheClient,
   DBClient,
   FunctionsClient,
+  GuardianClient,
+  GuardianError,
   HttpClient,
+  KEY_SIZE,
   LocalStorageAdapter,
   MemoryStorage,
+  NONCE_SIZE,
   NetworkClient,
   PubSubClient,
   QueryBuilder,
@@ -1742,7 +2495,35 @@ export {
   SDKError,
   StorageClient,
   Subscription,
+  TAG_SIZE,
+  AuthClient2 as VaultAuthClient,
+  VaultClient,
   WSClient,
-  createClient
+  adaptiveThreshold,
+  clearKey,
+  createClient,
+  decrypt,
+  decryptString,
+  deriveKeyHKDF,
+  deserializeAndDecrypt,
+  deserialize as deserializeEncrypted,
+  encrypt,
+  encryptAndSerialize,
+  encryptString,
+  fromBase64 as encryptedFromBase64,
+  fromHex as encryptedFromHex,
+  toBase64 as encryptedToBase64,
+  toHex as encryptedToHex,
+  fanOut,
+  fanOutIndexed,
+  generateKey,
+  generateNonce,
+  isValidEncryptedData,
+  serialize as serializeEncrypted,
+  combine as shamirCombine,
+  split as shamirSplit,
+  withRetry,
+  withTimeout,
+  writeQuorum
 };
 //# sourceMappingURL=index.js.map