npm - @debros/network-ts-sdk - Versions diffs - 0.6.2 → 0.7.0 - Mend

@debros/network-ts-sdk 0.6.2 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +191 -0
package/dist/index.d.ts +455 -3
package/dist/index.js +776 -2
package/dist/index.js.map +1 -1
package/package.json +9 -2
package/src/index.ts +66 -0
package/src/vault/auth.ts +98 -0
package/src/vault/client.ts +197 -0
package/src/vault/crypto/aes.ts +271 -0
package/src/vault/crypto/hkdf.ts +42 -0
package/src/vault/crypto/index.ts +27 -0
package/src/vault/crypto/shamir.ts +173 -0
package/src/vault/index.ts +65 -0
package/src/vault/quorum.ts +16 -0
package/src/vault/transport/fanout.ts +94 -0
package/src/vault/transport/guardian.ts +285 -0
package/src/vault/transport/index.ts +19 -0
package/src/vault/transport/types.ts +101 -0
package/src/vault/types.ts +62 -0

package/README.md CHANGED Viewed

@@ -388,6 +388,197 @@ const client = createClient({
 });
 ```
+### Cache Operations
+The SDK provides a distributed cache client backed by Olric. Data is organized into distributed maps (dmaps).
+#### Put a Value
+```typescript
+// Put with optional TTL
+await client.cache.put("sessions", "user:alice", { role: "admin" }, "1h");
+```
+#### Get a Value
+```typescript
+// Returns null on cache miss (not an error)
+const result = await client.cache.get("sessions", "user:alice");
+if (result) {
+  console.log(result.value); // { role: "admin" }
+}
+```
+#### Delete a Value
+```typescript
+await client.cache.delete("sessions", "user:alice");
+```
+#### Multi-Get
+```typescript
+const results = await client.cache.multiGet("sessions", [
+  "user:alice",
+  "user:bob",
+]);
+// Returns Map<string, any | null> — null for misses
+results.forEach((value, key) => {
+  console.log(key, value);
+});
+```
+#### Scan Keys
+```typescript
+// Scan all keys in a dmap, optionally matching a regex
+const scan = await client.cache.scan("sessions", "user:.*");
+console.log(scan.keys); // ["user:alice", "user:bob"]
+console.log(scan.count); // 2
+```
+#### Health Check
+```typescript
+const health = await client.cache.health();
+console.log(health.status); // "ok"
+```
+### Storage (IPFS)
+Upload, pin, and retrieve files from decentralized IPFS storage.
+#### Upload a File
+```typescript
+// Browser
+const fileInput = document.querySelector('input[type="file"]');
+const file = fileInput.files[0];
+const result = await client.storage.upload(file, file.name);
+console.log(result.cid); // "Qm..."
+// Node.js
+import { readFileSync } from "fs";
+const buffer = readFileSync("image.jpg");
+const result = await client.storage.upload(buffer, "image.jpg", { pin: true });
+```
+#### Retrieve Content
+```typescript
+// Get as ReadableStream
+const stream = await client.storage.get(cid);
+const reader = stream.getReader();
+while (true) {
+  const { done, value } = await reader.read();
+  if (done) break;
+  // Process chunk
+}
+// Get full Response (for headers like content-length)
+const response = await client.storage.getBinary(cid);
+const contentLength = response.headers.get("content-length");
+```
+#### Pin / Unpin / Status
+```typescript
+// Pin an existing CID
+await client.storage.pin("QmExampleCid", "my-file");
+// Check pin status
+const status = await client.storage.status("QmExampleCid");
+console.log(status.status); // "pinned", "pinning", "queued", "unpinned", "error"
+// Unpin
+await client.storage.unpin("QmExampleCid");
+```
+### Serverless Functions (WASM)
+Invoke WebAssembly serverless functions deployed on the network.
+```typescript
+// Configure functions namespace
+const client = createClient({
+  baseURL: "http://localhost:6001",
+  apiKey: "ak_your_key:namespace",
+  functionsConfig: {
+    namespace: "my-namespace",
+  },
+});
+// Invoke a function with typed input/output
+interface PushInput {
+  token: string;
+  message: string;
+}
+interface PushOutput {
+  success: boolean;
+  messageId: string;
+}
+const result = await client.functions.invoke<PushInput, PushOutput>(
+  "send-push",
+  { token: "device-token", message: "Hello!" }
+);
+console.log(result.messageId);
+```
+### Vault (Distributed Secrets)
+The vault client provides Shamir-split secret storage across guardian nodes. Secrets are split into shares, distributed to guardians, and reconstructed only when enough shares are collected (quorum).
+```typescript
+const client = createClient({
+  baseURL: "http://localhost:6001",
+  apiKey: "ak_your_key:namespace",
+  vaultConfig: {
+    guardians: [
+      { address: "10.0.0.1", port: 8443 },
+      { address: "10.0.0.2", port: 8443 },
+      { address: "10.0.0.3", port: 8443 },
+    ],
+    identityHex: "your-identity-hex",
+  },
+});
+// Store a secret (Shamir-split across guardians)
+const data = new TextEncoder().encode("my-secret-data");
+const storeResult = await client.vault.store("api-key", data, 1);
+console.log(storeResult.quorumMet); // true if enough guardians ACKed
+// Retrieve and reconstruct a secret
+const retrieved = await client.vault.retrieve("api-key");
+console.log(new TextDecoder().decode(retrieved.data)); // "my-secret-data"
+// List all secrets for this identity
+const secrets = await client.vault.list();
+console.log(secrets.secrets);
+// Delete a secret from all guardians
+await client.vault.delete("api-key");
+```
+### Wallet-Based Authentication
+For wallet-based auth (challenge-response flow):
+```typescript
+// 1. Request a challenge
+const challenge = await client.auth.challenge();
+// 2. Sign the challenge with your wallet (external)
+const signature = await wallet.signMessage(challenge.message);
+// 3. Verify signature and get JWT
+const session = await client.auth.verify(challenge.id, signature);
+console.log(session.token);
+// 4. Get an API key for long-lived access
+const apiKey = await client.auth.getApiKey();
+```
 ## Error Handling
 The SDK throws `SDKError` for all errors:

package/dist/index.d.ts CHANGED Viewed

@@ -121,7 +121,7 @@ declare class LocalStorageAdapter implements StorageAdapter {
     clear(): Promise<void>;
 }
-declare class AuthClient {
+declare class AuthClient$1 {
     private httpClient;
     private storage;
     private currentApiKey?;
@@ -823,6 +823,189 @@ declare class FunctionsClient {
     invoke<TInput = any, TOutput = any>(functionName: string, input: TInput): Promise<TOutput>;
 }
+/** A guardian node endpoint. */
+interface GuardianEndpoint {
+    address: string;
+    port: number;
+}
+/** V1 push response. */
+interface PushResponse {
+    status: string;
+}
+/** V1 pull response. */
+interface PullResponse {
+    share: string;
+}
+/** V2 store response. */
+interface StoreSecretResponse {
+    status: string;
+    name: string;
+    version: number;
+}
+/** V2 get response. */
+interface GetSecretResponse {
+    share: string;
+    name: string;
+    version: number;
+    created_ns: number;
+    updated_ns: number;
+}
+/** V2 delete response. */
+interface DeleteSecretResponse {
+    status: string;
+    name: string;
+}
+/** V2 list response. */
+interface ListSecretsResponse {
+    secrets: SecretEntry[];
+}
+/** An entry in the list secrets response. */
+interface SecretEntry {
+    name: string;
+    version: number;
+    size: number;
+}
+/** Health check response. */
+interface HealthResponse {
+    status: string;
+    version: string;
+}
+/** Status response. */
+interface StatusResponse {
+    status: string;
+    version: string;
+    data_dir: string;
+    client_port: number;
+    peer_port: number;
+}
+/** Guardian info response. */
+interface GuardianInfo {
+    guardians: Array<{
+        address: string;
+        port: number;
+    }>;
+    threshold: number;
+    total: number;
+}
+/** Challenge response from auth endpoint. */
+interface ChallengeResponse {
+    nonce: string;
+    created_ns: number;
+    tag: string;
+}
+/** Session token response from auth endpoint. */
+interface SessionResponse {
+    identity: string;
+    expiry_ns: number;
+    tag: string;
+}
+/** Error classification codes. */
+type GuardianErrorCode = 'TIMEOUT' | 'NOT_FOUND' | 'AUTH' | 'SERVER_ERROR' | 'NETWORK' | 'CONFLICT';
+/** Fan-out result for a single guardian. */
+interface FanOutResult<T> {
+    endpoint: GuardianEndpoint;
+    result: T | null;
+    error: string | null;
+    errorCode?: GuardianErrorCode;
+}
+/** Configuration for VaultClient. */
+interface VaultConfig {
+    /** Guardian endpoints to connect to. */
+    guardians: GuardianEndpoint[];
+    /** HMAC key for authentication (derived from user's secret). */
+    hmacKey: Uint8Array;
+    /** Identity hash (hex string, 64 chars). */
+    identityHex: string;
+    /** Request timeout in ms (default: 10000). */
+    timeoutMs?: number;
+}
+/** Metadata for a stored secret. */
+interface SecretMeta {
+    name: string;
+    version: number;
+    size: number;
+}
+/** Result of a store operation. */
+interface StoreResult {
+    /** Number of guardians that acknowledged. */
+    ackCount: number;
+    /** Total guardians contacted. */
+    totalContacted: number;
+    /** Number of failures. */
+    failCount: number;
+    /** Whether write quorum was met. */
+    quorumMet: boolean;
+    /** Per-guardian results. */
+    guardianResults: GuardianResult[];
+}
+/** Result of a retrieve operation. */
+interface RetrieveResult {
+    /** The reconstructed secret data. */
+    data: Uint8Array;
+    /** Number of shares collected. */
+    sharesCollected: number;
+}
+/** Result of a list operation. */
+interface ListResult {
+    secrets: SecretMeta[];
+}
+/** Result of a delete operation. */
+interface DeleteResult {
+    /** Number of guardians that acknowledged. */
+    ackCount: number;
+    totalContacted: number;
+    quorumMet: boolean;
+}
+/** Per-guardian operation result. */
+interface GuardianResult {
+    endpoint: string;
+    success: boolean;
+    error?: string;
+}
+/**
+ * High-level client for the orama-vault distributed secrets store.
+ *
+ * Handles:
+ * - Authentication with guardian nodes
+ * - Shamir split/combine for data distribution
+ * - Quorum-based writes and reads
+ * - V2 CRUD operations (store, retrieve, list, delete)
+ */
+declare class VaultClient {
+    private config;
+    private auth;
+    constructor(config: VaultConfig);
+    /**
+     * Store a secret across guardian nodes using Shamir splitting.
+     *
+     * @param name - Secret name (alphanumeric, _, -, max 128 chars)
+     * @param data - Secret data to store
+     * @param version - Monotonic version number (must be > previous)
+     */
+    store(name: string, data: Uint8Array, version: number): Promise<StoreResult>;
+    /**
+     * Retrieve and reconstruct a secret from guardian nodes.
+     *
+     * @param name - Secret name
+     */
+    retrieve(name: string): Promise<RetrieveResult>;
+    /**
+     * List all secrets for this identity.
+     * Queries the first reachable guardian (metadata is replicated).
+     */
+    list(): Promise<ListResult>;
+    /**
+     * Delete a secret from all guardian nodes.
+     *
+     * @param name - Secret name to delete
+     */
+    delete(name: string): Promise<DeleteResult>;
+    /** Clear all cached auth sessions. */
+    clearSessions(): void;
+}
 /**
  * Serverless Functions Types
  * Type definitions for calling serverless functions on the Orama Network
@@ -843,6 +1026,272 @@ interface SuccessResponse {
     error?: string;
 }
+declare class GuardianError extends Error {
+    readonly code: GuardianErrorCode;
+    constructor(code: GuardianErrorCode, message: string);
+}
+/**
+ * HTTP client for a single orama-vault guardian node.
+ * Supports V1 (push/pull) and V2 (CRUD secrets) endpoints.
+ */
+declare class GuardianClient {
+    private baseUrl;
+    private timeoutMs;
+    private sessionToken;
+    constructor(endpoint: GuardianEndpoint, timeoutMs?: number);
+    /** Set a session token for authenticated V2 requests. */
+    setSessionToken(token: string): void;
+    /** Get the current session token. */
+    getSessionToken(): string | null;
+    /** Clear the session token. */
+    clearSessionToken(): void;
+    /** GET /v1/vault/health */
+    health(): Promise<HealthResponse>;
+    /** GET /v1/vault/status */
+    status(): Promise<StatusResponse>;
+    /** GET /v1/vault/guardians */
+    guardians(): Promise<GuardianInfo>;
+    /** POST /v1/vault/push — store a share (V1). */
+    push(identity: string, share: Uint8Array): Promise<PushResponse>;
+    /** POST /v1/vault/pull — retrieve a share (V1). */
+    pull(identity: string): Promise<Uint8Array>;
+    /** Check if this guardian is reachable. */
+    isReachable(): Promise<boolean>;
+    /** POST /v2/vault/auth/challenge — request an auth challenge. */
+    requestChallenge(identity: string): Promise<ChallengeResponse>;
+    /** POST /v2/vault/auth/session — exchange challenge for session token. */
+    createSession(identity: string, nonce: string, created_ns: number, tag: string): Promise<SessionResponse>;
+    /** PUT /v2/vault/secrets/{name} — store a secret. Requires session token. */
+    putSecret(name: string, share: Uint8Array, version: number): Promise<StoreSecretResponse>;
+    /** GET /v2/vault/secrets/{name} — retrieve a secret. Requires session token. */
+    getSecret(name: string): Promise<{
+        share: Uint8Array;
+        name: string;
+        version: number;
+        created_ns: number;
+        updated_ns: number;
+    }>;
+    /** DELETE /v2/vault/secrets/{name} — delete a secret. Requires session token. */
+    deleteSecret(name: string): Promise<DeleteSecretResponse>;
+    /** GET /v2/vault/secrets — list all secrets. Requires session token. */
+    listSecrets(): Promise<ListSecretsResponse>;
+    private authedRequest;
+    private get;
+    private post;
+}
+/**
+ * Handles challenge-response authentication with guardian nodes.
+ * Caches session tokens per guardian endpoint.
+ *
+ * Auth flow:
+ * 1. POST /v2/vault/auth/challenge with identity → get {nonce, created_ns, tag}
+ * 2. POST /v2/vault/auth/session with identity + challenge fields → get session token
+ * 3. Use session token as X-Session-Token header for V2 requests
+ *
+ * The session token format is: `<identity_hex>:<expiry_ns>:<tag_hex>`
+ */
+declare class AuthClient {
+    private sessions;
+    private identityHex;
+    private timeoutMs;
+    constructor(identityHex: string, timeoutMs?: number);
+    /**
+     * Authenticate with a guardian and cache the session token.
+     * Returns a GuardianClient with the session token set.
+     */
+    authenticate(endpoint: GuardianEndpoint): Promise<GuardianClient>;
+    /**
+     * Authenticate with multiple guardians in parallel.
+     * Returns authenticated GuardianClients for all that succeed.
+     */
+    authenticateAll(endpoints: GuardianEndpoint[]): Promise<{
+        client: GuardianClient;
+        endpoint: GuardianEndpoint;
+    }[]>;
+    /** Clear all cached sessions. */
+    clearSessions(): void;
+    /** Get the identity hex string. */
+    getIdentityHex(): string;
+}
+/**
+ * Fan out an operation to multiple guardians in parallel.
+ * Returns results from all guardians (both successes and failures).
+ */
+declare function fanOut<T>(guardians: GuardianEndpoint[], operation: (client: GuardianClient) => Promise<T>): Promise<FanOutResult<T>[]>;
+/**
+ * Fan out an indexed operation to multiple guardians in parallel.
+ * The operation receives the index so each guardian can get a different share.
+ */
+declare function fanOutIndexed<T>(guardians: GuardianEndpoint[], operation: (client: GuardianClient, index: number) => Promise<T>): Promise<FanOutResult<T>[]>;
+/**
+ * Race a promise against a timeout.
+ */
+declare function withTimeout<T>(promise: Promise<T>, ms: number): Promise<T>;
+/**
+ * Retry a function with exponential backoff.
+ * Does not retry auth or not-found errors.
+ */
+declare function withRetry<T>(fn: () => Promise<T>, attempts?: number): Promise<T>;
+/**
+ * Quorum calculations for distributed vault operations.
+ * Must match orama-vault (Zig side).
+ */
+/** Adaptive Shamir threshold: max(3, floor(N/3)). */
+declare function adaptiveThreshold(n: number): number;
+/** Write quorum: ceil(2N/3). Requires majority for consistency. */
+declare function writeQuorum(n: number): number;
+/**
+ * AES-256-GCM Encryption
+ *
+ * Implements authenticated encryption using AES-256 in Galois/Counter Mode.
+ * Uses @noble/ciphers for platform-agnostic, audited cryptographic operations.
+ *
+ * Features:
+ * - Authenticated encryption (confidentiality + integrity)
+ * - 256-bit keys for strong security
+ * - 96-bit nonces (randomly generated)
+ * - 128-bit authentication tags
+ *
+ * Security considerations:
+ * - Never reuse a nonce with the same key
+ * - Nonces are randomly generated and prepended to ciphertext
+ * - Authentication tags are verified before decryption
+ */
+/**
+ * Size constants
+ */
+declare const KEY_SIZE = 32;
+declare const NONCE_SIZE = 12;
+declare const TAG_SIZE = 16;
+/**
+ * Encrypted data structure
+ */
+interface EncryptedData {
+    /** Ciphertext including authentication tag */
+    ciphertext: Uint8Array;
+    /** Nonce used for encryption */
+    nonce: Uint8Array;
+    /** Additional authenticated data (optional) */
+    aad?: Uint8Array;
+}
+/**
+ * Serialized encrypted data (nonce prepended to ciphertext)
+ */
+interface SerializedEncryptedData {
+    /** Combined nonce + ciphertext + tag */
+    data: Uint8Array;
+    /** Additional authenticated data (optional) */
+    aad?: Uint8Array;
+}
+/**
+ * Encrypts data using AES-256-GCM
+ */
+declare function encrypt(plaintext: Uint8Array, key: Uint8Array, aad?: Uint8Array): EncryptedData;
+/**
+ * Decrypts data using AES-256-GCM
+ */
+declare function decrypt(encryptedData: EncryptedData, key: Uint8Array): Uint8Array;
+/**
+ * Encrypts a string message
+ */
+declare function encryptString(message: string, key: Uint8Array, aad?: Uint8Array): EncryptedData;
+/**
+ * Decrypts to a string message
+ */
+declare function decryptString(encryptedData: EncryptedData, key: Uint8Array): string;
+/**
+ * Serializes encrypted data (prepends nonce to ciphertext)
+ */
+declare function serialize(encryptedData: EncryptedData): SerializedEncryptedData;
+/**
+ * Deserializes encrypted data
+ */
+declare function deserialize(serialized: SerializedEncryptedData): EncryptedData;
+/**
+ * Encrypts and serializes data in one step
+ */
+declare function encryptAndSerialize(plaintext: Uint8Array, key: Uint8Array, aad?: Uint8Array): SerializedEncryptedData;
+/**
+ * Deserializes and decrypts data in one step
+ */
+declare function deserializeAndDecrypt(serialized: SerializedEncryptedData, key: Uint8Array): Uint8Array;
+/**
+ * Converts encrypted data to hex string
+ */
+declare function toHex(encryptedData: EncryptedData): string;
+/**
+ * Parses encrypted data from hex string
+ */
+declare function fromHex(hex: string, aad?: Uint8Array): EncryptedData;
+/**
+ * Converts encrypted data to base64 string
+ */
+declare function toBase64(encryptedData: EncryptedData): string;
+/**
+ * Parses encrypted data from base64 string
+ */
+declare function fromBase64(base64: string, aad?: Uint8Array): EncryptedData;
+/**
+ * Generates a random encryption key
+ */
+declare function generateKey(): Uint8Array;
+/**
+ * Generates a random nonce
+ */
+declare function generateNonce(): Uint8Array;
+/**
+ * Securely clears a key from memory
+ */
+declare function clearKey(key: Uint8Array): void;
+/**
+ * Checks if encrypted data appears valid (basic structure check)
+ */
+declare function isValidEncryptedData(data: EncryptedData): boolean;
+/**
+ * HKDF Key Derivation
+ *
+ * Derives deterministic sub-keys from a master secret using HKDF-SHA256 (RFC 5869).
+ */
+/**
+ * Derives a sub-key from input key material using HKDF-SHA256.
+ *
+ * @param ikm - Input key material (e.g., wallet private key). MUST be high-entropy.
+ * @param salt - Domain separation salt. Can be a string or bytes.
+ * @param info - Context-specific info. Can be a string or bytes.
+ * @param length - Output key length in bytes (default: 32).
+ * @returns Derived key as Uint8Array. Caller MUST zero this after use.
+ */
+declare function deriveKeyHKDF(ikm: Uint8Array, salt: string | Uint8Array, info: string | Uint8Array, length?: number): Uint8Array;
+/** A single Shamir share */
+interface Share {
+    /** Share index (1..N, never 0) */
+    x: number;
+    /** Share data (same length as secret) */
+    y: Uint8Array;
+}
+/**
+ * Splits a secret into N shares with threshold K.
+ *
+ * @param secret - Secret bytes to split (any length)
+ * @param n - Total number of shares to create (2..255)
+ * @param k - Minimum shares needed for reconstruction (2..n)
+ * @returns Array of N shares
+ */
+declare function split(secret: Uint8Array, n: number, k: number): Share[];
+/**
+ * Reconstructs a secret from K or more shares using Lagrange interpolation.
+ *
+ * @param shares - Array of K or more shares (must all have same y.length)
+ * @returns Reconstructed secret
+ */
+declare function combine(shares: Share[]): Uint8Array;
 interface ClientConfig extends Omit<HttpClientConfig, "fetch"> {
     apiKey?: string;
     jwt?: string;
@@ -855,16 +1304,19 @@ interface ClientConfig extends Omit<HttpClientConfig, "fetch"> {
      * Use this to trigger gateway failover at the application layer.
      */
     onNetworkError?: NetworkErrorCallback;
+    /** Configuration for the vault (distributed secrets store). */
+    vaultConfig?: VaultConfig;
 }
 interface Client {
-    auth: AuthClient;
+    auth: AuthClient$1;
     db: DBClient;
     pubsub: PubSubClient;
     network: NetworkClient;
     cache: CacheClient;
     storage: StorageClient;
     functions: FunctionsClient;
+    vault: VaultClient | null;
 }
 declare function createClient(config: ClientConfig): Client;
-export { AuthClient, type AuthConfig, CacheClient, type CacheDeleteRequest, type CacheDeleteResponse, type CacheGetRequest, type CacheGetResponse, type CacheHealthResponse, type CacheMultiGetRequest, type CacheMultiGetResponse, type CachePutRequest, type CachePutResponse, type CacheScanRequest, type CacheScanResponse, type Client, type ClientConfig, type CloseHandler, type ColumnDefinition, DBClient, type Entity, type ErrorHandler, type FindOptions, type FunctionResponse, FunctionsClient, type FunctionsClientConfig, HttpClient, LocalStorageAdapter, MemoryStorage, type MessageHandler, NetworkClient, type NetworkErrorCallback, type NetworkErrorContext, type NetworkStatus, type PeerInfo, type PresenceMember, type PresenceOptions, type PresenceResponse, type ProxyRequest, type ProxyResponse, PubSubClient, type PubSubMessage, QueryBuilder, type QueryResponse, Repository, SDKError, type SelectOptions, type StorageAdapter, StorageClient, type StoragePinRequest, type StoragePinResponse, type StorageStatus, type StorageUploadResponse, type SubscribeOptions, Subscription, type SuccessResponse, type TransactionOp, type TransactionRequest, WSClient, type WhoAmI, createClient, extractPrimaryKey, extractTableName };
+export { AuthClient$1 as AuthClient, type AuthConfig, CacheClient, type CacheDeleteRequest, type CacheDeleteResponse, type CacheGetRequest, type CacheGetResponse, type CacheHealthResponse, type CacheMultiGetRequest, type CacheMultiGetResponse, type CachePutRequest, type CachePutResponse, type CacheScanRequest, type CacheScanResponse, type Client, type ClientConfig, type CloseHandler, type ColumnDefinition, DBClient, type DeleteResult, type DeleteSecretResponse, type EncryptedData, type Entity, type ErrorHandler, type FanOutResult, type FindOptions, type FunctionResponse, FunctionsClient, type FunctionsClientConfig, type GetSecretResponse, type ChallengeResponse as GuardianChallengeResponse, GuardianClient, type GuardianEndpoint, GuardianError, type GuardianErrorCode, type HealthResponse as GuardianHealthResponse, type GuardianInfo, type SessionResponse as GuardianSessionResponse, type StatusResponse as GuardianStatusResponse, HttpClient, KEY_SIZE, type ListResult, type ListSecretsResponse, LocalStorageAdapter, MemoryStorage, type MessageHandler, NONCE_SIZE, NetworkClient, type NetworkErrorCallback, type NetworkErrorContext, type NetworkStatus, type PeerInfo, type PresenceMember, type PresenceOptions, type PresenceResponse, type ProxyRequest, type ProxyResponse, PubSubClient, type PubSubMessage, type PullResponse, type PushResponse, QueryBuilder, type QueryResponse, Repository, type RetrieveResult, SDKError, type SecretEntry, type SecretMeta, type SelectOptions, type SerializedEncryptedData, type Share as ShamirShare, type StorageAdapter, StorageClient, type StoragePinRequest, type StoragePinResponse, type StorageStatus, type StorageUploadResponse, type StoreResult, type StoreSecretResponse, type SubscribeOptions, Subscription, type SuccessResponse, TAG_SIZE, type TransactionOp, type TransactionRequest, AuthClient as VaultAuthClient, VaultClient, type VaultConfig, type GuardianResult as VaultGuardianResult, WSClient, type WhoAmI, adaptiveThreshold, clearKey, createClient, decrypt, decryptString, deriveKeyHKDF, deserializeAndDecrypt, deserialize as deserializeEncrypted, encrypt, encryptAndSerialize, encryptString, fromBase64 as encryptedFromBase64, fromHex as encryptedFromHex, toBase64 as encryptedToBase64, toHex as encryptedToHex, extractPrimaryKey, extractTableName, fanOut, fanOutIndexed, generateKey, generateNonce, isValidEncryptedData, serialize as serializeEncrypted, combine as shamirCombine, split as shamirSplit, withRetry, withTimeout, writeQuorum };