@drakkar.software/starfish-client 1.14.0 → 1.17.0

package/dist/entitlements.d.ts

@@ -0,0 +1,39 @@
+import type { StarfishClient } from "./client.js";
+export interface PullEntitlementsOptions {
+    /**
+     * Path template for the entitlement document.
+     * `{userId}` is replaced with the `userId` argument.
+     * Defaults to `"/pull/users/{userId}/entitlements"`.
+     */
+    path?: string;
+    /**
+     * Field name in the document `data` object that holds the feature slug array.
+     * Defaults to `"features"`.
+     */
+    field?: string;
+}
+/**
+ * Fetches the list of feature slugs from a user's entitlement document.
+ *
+ * Returns an empty array if the document does not exist yet or the features
+ * field is absent — so callers never need to handle a 404.
+ *
+ * ```ts
+ * import { pullEntitlements } from "@drakkar.software/starfish-client"
+ *
+ * const features = await pullEntitlements(client, userId)
+ * // e.g. ["premium-package-1", "paid-cloud-sync"]
+ *
+ * if (features.includes("paid-cloud-sync")) {
+ *   // unlock cloud sync UI
+ * }
+ * ```
+ *
+ * The path template must match the server-side collection's `storagePath`.
+ * With the recommended default config:
+ * ```ts
+ * { storagePath: "users/{identity}/entitlements" }
+ * // → path: "/pull/users/{userId}/entitlements"  (default)
+ * ```
+ */
+export declare function pullEntitlements(client: StarfishClient, userId: string, opts?: PullEntitlementsOptions): Promise<string[]>;

package/dist/entitlements.js

@@ -0,0 +1,41 @@
+import { StarfishHttpError } from "./types.js";
+/**
+ * Fetches the list of feature slugs from a user's entitlement document.
+ *
+ * Returns an empty array if the document does not exist yet or the features
+ * field is absent — so callers never need to handle a 404.
+ *
+ * ```ts
+ * import { pullEntitlements } from "@drakkar.software/starfish-client"
+ *
+ * const features = await pullEntitlements(client, userId)
+ * // e.g. ["premium-package-1", "paid-cloud-sync"]
+ *
+ * if (features.includes("paid-cloud-sync")) {
+ *   // unlock cloud sync UI
+ * }
+ * ```
+ *
+ * The path template must match the server-side collection's `storagePath`.
+ * With the recommended default config:
+ * ```ts
+ * { storagePath: "users/{identity}/entitlements" }
+ * // → path: "/pull/users/{userId}/entitlements"  (default)
+ * ```
+ */
+export async function pullEntitlements(client, userId, opts) {
+    const path = (opts?.path ?? "/pull/users/{userId}/entitlements").replace("{userId}", userId);
+    const field = opts?.field ?? "features";
+    try {
+        const result = await client.pull(path);
+        const list = result.data?.[field];
+        if (!Array.isArray(list))
+            return [];
+        return list.filter((s) => typeof s === "string");
+    }
+    catch (err) {
+        if (err instanceof StarfishHttpError && err.status === 404)
+            return [];
+        throw err;
+    }
+}

package/dist/group-crypto.d.ts

@@ -0,0 +1,111 @@
+/**
+ * Group encryption utilities for Starfish.
+ *
+ * Enables multiple users to share a common encrypted collection without sharing
+ * a passphrase. Each member holds their own credentials; a Group Encryption Key
+ * (GEK) is distributed per-member using X25519 ECDH key agreement.
+ *
+ * Typical flow:
+ *   1. Each user calls `deriveCredentials(passphrase)` — now includes groupPublicKey / groupPrivateKey.
+ *   2. Admin calls `createGroupKeyring(...)` to create a keyring document.
+ *   3. Members call `createGroupEncryptor(keyringData, myIdentity, myPrivateKey)` to get an Encryptor.
+ *   4. The Encryptor is passed to SyncManager via the `encryptor` option.
+ */
+import type { Encryptor } from "./crypto.js";
+/** An ECDH key pair used for group encryption. Hex-encoded for easy serialization. */
+export interface GroupKeyPair {
+    /** Hex-encoded X25519 private key (32 bytes). Keep secret — never store on server. */
+    privateKey: string;
+    /** Hex-encoded X25519 public key (32 bytes). Safe to publish. */
+    publicKey: string;
+}
+/** One epoch's wrapped keys: each member's GEK encrypted to their public key. */
+export interface EpochKeyring {
+    /** The admin's hex-encoded X25519 public key (used for ECDH by members). */
+    adminPublicKey: string;
+    /** Map from member identity (userId) → base64(IV || AES-GCM(GEK)) */
+    wrappedKeys: Record<string, string>;
+}
+/** The full keyring document stored in a Starfish collection. Push this with any SyncManager. */
+export interface GroupKeyring {
+    /** The epoch number currently used for new encryptions. */
+    currentEpoch: number;
+    /** All epochs. Members unwrap the GEK for whichever epoch a document was encrypted with. */
+    epochs: Record<string, EpochKeyring>;
+}
+/**
+ * Derives a deterministic X25519 key pair from a passphrase + userId.
+ *
+ * The derivation uses SHA-256 with a fixed domain separator so it is distinct
+ * from the auth token and encryption key derivations. Same passphrase + userId
+ * always produces the same key pair on any device (stateless).
+ */
+export declare function deriveGroupKeyPair(passphrase: string, userId: string): Promise<GroupKeyPair>;
+/** Generates a random 256-bit Group Encryption Key as a hex string. */
+export declare function generateGroupKey(): string;
+/**
+ * Wraps a GEK for a specific member using ECDH key agreement.
+ *
+ * The wrapper (admin) and member each have an X25519 key pair. ECDH between
+ * `wrapperPrivateKey` and `memberPublicKey` produces a shared secret, which is
+ * used to derive an AES-256-GCM key that encrypts the GEK.
+ *
+ * @returns base64(IV || AES-GCM-ciphertext)
+ */
+export declare function wrapGroupKey(gek: string, memberPublicKey: string, wrapperPrivateKey: string): Promise<string>;
+/**
+ * Unwraps a GEK using the member's own private key and the admin's public key.
+ *
+ * ECDH between `memberPrivateKey` and `adminPublicKey` yields the same shared
+ * secret as the wrapping step, so the same AES key is derived and the GEK is
+ * recovered.
+ *
+ * @returns GEK as a hex string
+ */
+export declare function unwrapGroupKey(wrapped: string, memberPrivateKey: string, adminPublicKey: string): Promise<string>;
+/**
+ * Creates a new group keyring document with epoch 1.
+ *
+ * @param adminKeyPair  The admin's key pair (from `deriveGroupKeyPair` or `deriveCredentials`)
+ * @param members       Map from member identity (userId) → hex public key
+ * @param gek           Optional GEK to use; generated randomly if omitted
+ * @returns             The keyring document and the raw GEK (admin keeps the GEK to add future members)
+ */
+export declare function createGroupKeyring(adminKeyPair: GroupKeyPair, members: Record<string, string>, gek?: string): Promise<{
+    keyring: GroupKeyring;
+    gek: string;
+}>;
+/**
+ * Adds a new member to the current epoch of an existing keyring.
+ *
+ * The admin supplies the current GEK (returned by `createGroupKeyring` or
+ * `rotateGroupKey`) and their key pair to wrap it for the new member.
+ * This does NOT rotate the GEK — the new member can read all existing
+ * documents encrypted with the current epoch key.
+ *
+ * Only the admin (whose `publicKey` matches `epochKeyring.adminPublicKey`) can
+ * add members, because all wrapped entries must use the same ECDH key pair.
+ */
+export declare function addGroupMember(keyring: GroupKeyring, adminKeyPair: GroupKeyPair, currentGek: string, newMemberId: string, newMemberPublicKey: string): Promise<GroupKeyring>;
+/**
+ * Rotates the group key, creating a new epoch.
+ *
+ * Used when removing a member. The removed member retains their old epoch key
+ * (and can still read old documents), but cannot read new documents.
+ *
+ * @param remainingMembers  Map from identity → hex public key for members who keep access
+ */
+export declare function rotateGroupKey(keyring: GroupKeyring, adminKeyPair: GroupKeyPair, remainingMembers: Record<string, string>, newGek?: string): Promise<{
+    keyring: GroupKeyring;
+    gek: string;
+}>;
+/**
+ * Creates an Encryptor that can decrypt any epoch and encrypts with the current epoch.
+ *
+ * Wire format: `{ _encrypted: "base64(IV || ciphertext)", _epoch: N }`
+ *
+ * @param keyring         The keyring document fetched from Starfish
+ * @param myIdentity      The caller's userId (to locate their wrapped key in each epoch)
+ * @param myPrivateKey    The caller's hex-encoded X25519 private key
+ */
+export declare function createGroupEncryptor(keyring: GroupKeyring, myIdentity: string, myPrivateKey: string): Promise<Encryptor>;

package/dist/group-crypto.js

@@ -0,0 +1,230 @@
+/**
+ * Group encryption utilities for Starfish.
+ *
+ * Enables multiple users to share a common encrypted collection without sharing
+ * a passphrase. Each member holds their own credentials; a Group Encryption Key
+ * (GEK) is distributed per-member using X25519 ECDH key agreement.
+ *
+ * Typical flow:
+ *   1. Each user calls `deriveCredentials(passphrase)` — now includes groupPublicKey / groupPrivateKey.
+ *   2. Admin calls `createGroupKeyring(...)` to create a keyring document.
+ *   3. Members call `createGroupEncryptor(keyringData, myIdentity, myPrivateKey)` to get an Encryptor.
+ *   4. The Encryptor is passed to SyncManager via the `encryptor` option.
+ */
+import { x25519 } from "@noble/curves/ed25519.js";
+import { getCrypto, getBase64, IV_BYTES, deriveKey } from "@drakkar.software/starfish-protocol";
+import { createEncryptor } from "./crypto.js";
+// ── Internal helpers ──────────────────────────────────────────────────────────
+function bytesToHex(bytes) {
+    return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function hexToBytes(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < bytes.length; i++) {
+        bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    }
+    return bytes;
+}
+const ALGO = "AES-GCM";
+const GROUP_WRAP_SALT = "starfish-group-wrap";
+const GROUP_WRAP_INFO = "starfish-group-wrap";
+const GROUP_ECDH_DOMAIN = "starfish-group-ecdh";
+const GROUP_DATA_INFO = "starfish-group";
+const GEK_BYTES = 32;
+// ── Key derivation ────────────────────────────────────────────────────────────
+/**
+ * Derives a deterministic X25519 key pair from a passphrase + userId.
+ *
+ * The derivation uses SHA-256 with a fixed domain separator so it is distinct
+ * from the auth token and encryption key derivations. Same passphrase + userId
+ * always produces the same key pair on any device (stateless).
+ */
+export async function deriveGroupKeyPair(passphrase, userId) {
+    const c = getCrypto();
+    const enc = new TextEncoder();
+    const input = enc.encode(`${passphrase}:${userId}:${GROUP_ECDH_DOMAIN}`);
+    const hash = await c.subtle.digest("SHA-256", input);
+    const privateKeyBytes = new Uint8Array(hash);
+    const publicKeyBytes = x25519.getPublicKey(privateKeyBytes);
+    return { privateKey: bytesToHex(privateKeyBytes), publicKey: bytesToHex(publicKeyBytes) };
+}
+// ── GEK generation ────────────────────────────────────────────────────────────
+/** Generates a random 256-bit Group Encryption Key as a hex string. */
+export function generateGroupKey() {
+    const c = getCrypto();
+    return bytesToHex(c.getRandomValues(new Uint8Array(GEK_BYTES)));
+}
+// ── Key wrapping / unwrapping ─────────────────────────────────────────────────
+/**
+ * Wraps a GEK for a specific member using ECDH key agreement.
+ *
+ * The wrapper (admin) and member each have an X25519 key pair. ECDH between
+ * `wrapperPrivateKey` and `memberPublicKey` produces a shared secret, which is
+ * used to derive an AES-256-GCM key that encrypts the GEK.
+ *
+ * @returns base64(IV || AES-GCM-ciphertext)
+ */
+export async function wrapGroupKey(gek, memberPublicKey, wrapperPrivateKey) {
+    const sharedSecret = x25519.getSharedSecret(hexToBytes(wrapperPrivateKey), hexToBytes(memberPublicKey));
+    const wrappingKey = await deriveKey(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO);
+    const c = getCrypto();
+    const b64 = getBase64();
+    const iv = c.getRandomValues(new Uint8Array(IV_BYTES));
+    const encrypted = await c.subtle.encrypt({ name: ALGO, iv }, wrappingKey, hexToBytes(gek).buffer);
+    const combined = new Uint8Array(IV_BYTES + encrypted.byteLength);
+    combined.set(iv);
+    combined.set(new Uint8Array(encrypted), IV_BYTES);
+    return b64.encode(combined);
+}
+/**
+ * Unwraps a GEK using the member's own private key and the admin's public key.
+ *
+ * ECDH between `memberPrivateKey` and `adminPublicKey` yields the same shared
+ * secret as the wrapping step, so the same AES key is derived and the GEK is
+ * recovered.
+ *
+ * @returns GEK as a hex string
+ */
+export async function unwrapGroupKey(wrapped, memberPrivateKey, adminPublicKey) {
+    const sharedSecret = x25519.getSharedSecret(hexToBytes(memberPrivateKey), hexToBytes(adminPublicKey));
+    const wrappingKey = await deriveKey(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO);
+    const b64 = getBase64();
+    const c = getCrypto();
+    const combined = b64.decode(wrapped);
+    const iv = combined.slice(0, IV_BYTES);
+    const ciphertext = combined.slice(IV_BYTES);
+    try {
+        const decrypted = await c.subtle.decrypt({ name: ALGO, iv }, wrappingKey, ciphertext);
+        return bytesToHex(new Uint8Array(decrypted));
+    }
+    catch {
+        throw new Error("Failed to unwrap group key: decryption failed (wrong keys or corrupted data)");
+    }
+}
+// ── Keyring management ────────────────────────────────────────────────────────
+/**
+ * Creates a new group keyring document with epoch 1.
+ *
+ * @param adminKeyPair  The admin's key pair (from `deriveGroupKeyPair` or `deriveCredentials`)
+ * @param members       Map from member identity (userId) → hex public key
+ * @param gek           Optional GEK to use; generated randomly if omitted
+ * @returns             The keyring document and the raw GEK (admin keeps the GEK to add future members)
+ */
+export async function createGroupKeyring(adminKeyPair, members, gek) {
+    const resolvedGek = gek ?? generateGroupKey();
+    const wrappedKeys = {};
+    for (const [memberId, memberPublicKey] of Object.entries(members)) {
+        wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey);
+    }
+    const keyring = {
+        currentEpoch: 1,
+        epochs: {
+            "1": { adminPublicKey: adminKeyPair.publicKey, wrappedKeys },
+        },
+    };
+    return { keyring, gek: resolvedGek };
+}
+/**
+ * Adds a new member to the current epoch of an existing keyring.
+ *
+ * The admin supplies the current GEK (returned by `createGroupKeyring` or
+ * `rotateGroupKey`) and their key pair to wrap it for the new member.
+ * This does NOT rotate the GEK — the new member can read all existing
+ * documents encrypted with the current epoch key.
+ *
+ * Only the admin (whose `publicKey` matches `epochKeyring.adminPublicKey`) can
+ * add members, because all wrapped entries must use the same ECDH key pair.
+ */
+export async function addGroupMember(keyring, adminKeyPair, currentGek, newMemberId, newMemberPublicKey) {
+    const epochKey = String(keyring.currentEpoch);
+    const epochKeyring = keyring.epochs[epochKey];
+    if (!epochKeyring)
+        throw new Error(`Epoch ${keyring.currentEpoch} not found in keyring`);
+    if (epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {
+        throw new Error(`Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`);
+    }
+    const wrapped = await wrapGroupKey(currentGek, newMemberPublicKey, adminKeyPair.privateKey);
+    return {
+        ...keyring,
+        epochs: {
+            ...keyring.epochs,
+            [epochKey]: {
+                ...epochKeyring,
+                wrappedKeys: { ...epochKeyring.wrappedKeys, [newMemberId]: wrapped },
+            },
+        },
+    };
+}
+/**
+ * Rotates the group key, creating a new epoch.
+ *
+ * Used when removing a member. The removed member retains their old epoch key
+ * (and can still read old documents), but cannot read new documents.
+ *
+ * @param remainingMembers  Map from identity → hex public key for members who keep access
+ */
+export async function rotateGroupKey(keyring, adminKeyPair, remainingMembers, newGek) {
+    const epochKey = String(keyring.currentEpoch);
+    const epochKeyring = keyring.epochs[epochKey];
+    if (epochKeyring && epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {
+        throw new Error(`Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`);
+    }
+    const resolvedGek = newGek ?? generateGroupKey();
+    const newEpoch = keyring.currentEpoch + 1;
+    const wrappedKeys = {};
+    for (const [memberId, memberPublicKey] of Object.entries(remainingMembers)) {
+        wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey);
+    }
+    const newKeyring = {
+        currentEpoch: newEpoch,
+        epochs: {
+            ...keyring.epochs,
+            [String(newEpoch)]: { adminPublicKey: adminKeyPair.publicKey, wrappedKeys },
+        },
+    };
+    return { keyring: newKeyring, gek: resolvedGek };
+}
+// ── Encryptor factory ─────────────────────────────────────────────────────────
+/**
+ * Creates an Encryptor that can decrypt any epoch and encrypts with the current epoch.
+ *
+ * Wire format: `{ _encrypted: "base64(IV || ciphertext)", _epoch: N }`
+ *
+ * @param keyring         The keyring document fetched from Starfish
+ * @param myIdentity      The caller's userId (to locate their wrapped key in each epoch)
+ * @param myPrivateKey    The caller's hex-encoded X25519 private key
+ */
+export async function createGroupEncryptor(keyring, myIdentity, myPrivateKey) {
+    // Unwrap GEK for each epoch we have a key for
+    const epochEncryptors = new Map();
+    for (const [epochStr, epochKeyring] of Object.entries(keyring.epochs)) {
+        const epoch = parseInt(epochStr, 10);
+        const wrapped = epochKeyring.wrappedKeys[myIdentity];
+        if (!wrapped)
+            continue;
+        const gek = await unwrapGroupKey(wrapped, myPrivateKey, epochKeyring.adminPublicKey);
+        epochEncryptors.set(epoch, createEncryptor(gek, `epoch-${epoch}`, GROUP_DATA_INFO));
+    }
+    const currentEpoch = keyring.currentEpoch;
+    const currentEncryptor = epochEncryptors.get(currentEpoch);
+    if (!currentEncryptor) {
+        throw new Error(`No wrapped key found for identity "${myIdentity}" in epoch ${currentEpoch}. ` +
+            `Ensure the admin has added this member to the keyring.`);
+    }
+    return {
+        async encrypt(data) {
+            const encrypted = await currentEncryptor.encrypt(data);
+            return { ...encrypted, _epoch: currentEpoch };
+        },
+        async decrypt(wrapper) {
+            const epoch = typeof wrapper._epoch === "number" ? wrapper._epoch : currentEpoch;
+            const encryptor = epochEncryptors.get(epoch);
+            if (!encryptor) {
+                throw new Error(`No key available for epoch ${epoch}. ` +
+                    `This document was encrypted in a different epoch. ` +
+                    `Ensure your keyring is up to date.`);
+            }
+            return encryptor.decrypt(wrapper);
+        },
+    };
+}

package/dist/identity.d.ts

@@ -19,6 +19,18 @@ export interface DerivedCredentials {
      * their encryption keys are different.
      */
     encryptionSalt: string;
+    /**
+     * Hex-encoded X25519 public key for group encryption.
+     * Publish this so group admins can wrap the Group Encryption Key (GEK) for you.
+     * Safe to store in a public Starfish document.
+     */
+    groupPublicKey: string;
+    /**
+     * Hex-encoded X25519 private key for group encryption.
+     * Used to unwrap the GEK from a keyring document.
+     * Never transmit this — keep it in memory or derive it from the passphrase.
+     */
+    groupPrivateKey: string;
 }
 /**
  * Generates a cryptographically random passphrase from the built-in 256-word list.

package/dist/identity.js

@@ -1,4 +1,5 @@
 import { getCrypto, getBase64 } from "@drakkar.software/starfish-protocol";
+import { deriveGroupKeyPair } from "./group-crypto.js";
 // ── Word list ─────────────────────────────────────────────────────────────────
 // 256 common English words, one per index (0-255). One byte of entropy per word.
 // 12 words = 96 bits of entropy (stronger than a random UUID).
@@ -114,11 +115,15 @@ export async function deriveCredentials(passphrase) {
     // encryptionSecret = SHA-256(passphrase + ":" + userId)
     // Domain separation from authToken ensures they cannot be recovered from each other.
     const encryptionSecret = await sha256Hex(`${passphrase}:${userId}`);
+    // X25519 key pair for group encryption — deterministically derived from passphrase.
+    const { publicKey: groupPublicKey, privateKey: groupPrivateKey } = await deriveGroupKeyPair(passphrase, userId);
     return {
         authToken,
         userId,
         encryptionSecret,
         encryptionSalt: userId,
+        groupPublicKey,
+        groupPrivateKey,
     };
 }
 /**

package/dist/index.d.ts

@@ -42,3 +42,7 @@ export { createMobileLifecycle } from "./mobile-lifecycle.js";
 export type { AppStateModule, NetInfoModule, MobileLifecycleDeps, MobileLifecycleOptions } from "./mobile-lifecycle.js";
 export { createMultiStoreSync } from "./multi-store.js";
 export type { StoreSlice, BackupDocument, MultiStoreMigrationFn, MultiStoreSyncOptions, MultiStoreSync, } from "./multi-store.js";
+export { deriveGroupKeyPair, generateGroupKey, wrapGroupKey, unwrapGroupKey, createGroupKeyring, addGroupMember, rotateGroupKey, createGroupEncryptor, } from "./group-crypto.js";
+export type { GroupKeyPair, EpochKeyring, GroupKeyring } from "./group-crypto.js";
+export { pullEntitlements } from "./entitlements.js";
+export type { PullEntitlementsOptions } from "./entitlements.js";

package/dist/index.js

@@ -21,3 +21,5 @@ export { createSuspenseResource } from "./bindings/suspense.js";
 export { createDebouncedSync, createDebouncedPush } from "./debounced-sync.js";
 export { createMobileLifecycle } from "./mobile-lifecycle.js";
 export { createMultiStoreSync } from "./multi-store.js";
+export { deriveGroupKeyPair, generateGroupKey, wrapGroupKey, unwrapGroupKey, createGroupKeyring, addGroupMember, rotateGroupKey, createGroupEncryptor, } from "./group-crypto.js";
+export { pullEntitlements } from "./entitlements.js";

package/dist/sync.d.ts

@@ -1,6 +1,7 @@
 import type { PullResult } from "@drakkar.software/starfish-protocol";
 import type { ConflictResolver } from "./types.js";
 import { StarfishClient } from "./client.js";
+import type { Encryptor } from "./crypto.js";
 import type { SyncLogger } from "./logger.js";
 import type { Validator } from "./validate.js";
 export interface SyncManagerOptions {
@@ -14,6 +15,11 @@ export interface SyncManagerOptions {
     encryptionSecret?: string;
     encryptionSalt?: string;
     encryptionInfo?: string;
+    /**
+     * Pre-created Encryptor. Use this with `createGroupEncryptor` for group encryption.
+     * Takes precedence over `encryptionSecret` / `encryptionSalt` if both are provided.
+     */
+    encryptor?: Encryptor;
     signData?: (data: string) => Promise<string>;
     /** Structured logger for sync events. */
     logger?: SyncLogger;

package/dist/sync.js

@@ -27,9 +27,10 @@ export class SyncManager {
         this.loggerName = options.loggerName ?? options.pullPath.split("/").filter(Boolean).pop() ?? options.pullPath;
         this.validate = options.validate;
         this.encryptor =
-            options.encryptionSecret && options.encryptionSalt
-                ? createEncryptor(options.encryptionSecret, options.encryptionSalt, options.encryptionInfo)
-                : null;
+            options.encryptor ??
+                (options.encryptionSecret && options.encryptionSalt
+                    ? createEncryptor(options.encryptionSecret, options.encryptionSalt, options.encryptionInfo)
+                    : null);
     }
     getData() {
         return { ...this.localData };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@drakkar.software/starfish-client",
-  "version": "1.14.0",
+  "version": "1.17.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/Drakkar-Software/starfish.git",
@@ -41,6 +41,10 @@
     "./identity": {
       "types": "./dist/identity.d.ts",
       "import": "./dist/identity.js"
+    },
+    "./group": {
+      "types": "./dist/group-crypto.d.ts",
+      "import": "./dist/group-crypto.js"
     }
   },
   "peerDependencies": {
@@ -64,7 +68,8 @@
     }
   },
   "dependencies": {
-    "@drakkar.software/starfish-protocol": "1.14.0"
+    "@noble/curves": "^2.2.0",
+    "@drakkar.software/starfish-protocol": "1.17.0"
   },
   "devDependencies": {
     "@legendapp/state": "^2.0.0",