npm - @drakkar.software/starfish-client - Versions diffs - 1.18.0 → 1.19.1 - Mend

@drakkar.software/starfish-client 1.18.0 → 1.19.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/bindings/legend.js +60 -60
package/dist/bindings/legend.js.map +7 -0
package/dist/bindings/zustand.d.ts +12 -3
package/dist/bindings/zustand.js +565 -256
package/dist/bindings/zustand.js.map +7 -0
package/dist/broadcast.js +69 -79
package/dist/broadcast.js.map +7 -0
package/dist/fetch.js +131 -156
package/dist/fetch.js.map +7 -0
package/dist/group-crypto.js +188 -213
package/dist/group-crypto.js.map +7 -0
package/dist/identity.js +346 -154
package/dist/identity.js.map +7 -0
package/dist/index.js +1344 -25
package/dist/index.js.map +7 -0
package/dist/testing.js +64 -83
package/dist/testing.js.map +7 -0
package/package.json +4 -3

package/dist/group-crypto.js CHANGED Viewed

@@ -1,230 +1,205 @@
-/**
- * Group encryption utilities for Starfish.
- *
- * Enables multiple users to share a common encrypted collection without sharing
- * a passphrase. Each member holds their own credentials; a Group Encryption Key
- * (GEK) is distributed per-member using X25519 ECDH key agreement.
- *
- * Typical flow:
- *   1. Each user calls `deriveCredentials(passphrase)` — now includes groupPublicKey / groupPrivateKey.
- *   2. Admin calls `createGroupKeyring(...)` to create a keyring document.
- *   3. Members call `createGroupEncryptor(keyringData, myIdentity, myPrivateKey)` to get an Encryptor.
- *   4. The Encryptor is passed to SyncManager via the `encryptor` option.
- */
+// src/group-crypto.ts
 import { x25519 } from "@noble/curves/ed25519.js";
-import { getCrypto, getBase64, IV_BYTES, deriveKey } from "@drakkar.software/starfish-protocol";
-import { createEncryptor } from "./crypto.js";
-// ── Internal helpers ──────────────────────────────────────────────────────────
+import { getCrypto as getCrypto2, getBase64 as getBase642, IV_BYTES as IV_BYTES2, deriveKey as deriveKey2 } from "@drakkar.software/starfish-protocol";
+// src/crypto.ts
+import { getCrypto, getBase64, IV_BYTES, ENCRYPTED_KEY, deriveKey } from "@drakkar.software/starfish-protocol";
+var ALGO = "AES-GCM";
+function createEncryptor(secret, salt, info = "starfish-e2e") {
+  if (!secret) throw new Error("encryptionSecret must not be empty");
+  if (!salt) throw new Error("encryptionSalt must not be empty");
+  const keyPromise = deriveKey(secret, salt, info);
+  return {
+    async encrypt(data) {
+      const key = await keyPromise;
+      const c = getCrypto();
+      const b64 = getBase64();
+      const plaintext = new TextEncoder().encode(JSON.stringify(data));
+      const iv = c.getRandomValues(new Uint8Array(IV_BYTES));
+      const ciphertext = await c.subtle.encrypt({ name: ALGO, iv }, key, plaintext);
+      const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+      combined.set(iv);
+      combined.set(new Uint8Array(ciphertext), iv.length);
+      return { [ENCRYPTED_KEY]: b64.encode(combined) };
+    },
+    async decrypt(wrapper) {
+      const encoded = wrapper[ENCRYPTED_KEY];
+      if (typeof encoded !== "string") {
+        throw new Error("Expected encrypted data but received unencrypted document");
+      }
+      const key = await keyPromise;
+      const c = getCrypto();
+      const b64 = getBase64();
+      const combined = b64.decode(encoded);
+      if (combined.length < IV_BYTES) {
+        throw new Error("Encrypted data is too short");
+      }
+      const iv = combined.slice(0, IV_BYTES);
+      const ciphertext = combined.slice(IV_BYTES);
+      try {
+        const plaintext = await c.subtle.decrypt({ name: ALGO, iv }, key, ciphertext);
+        return JSON.parse(new TextDecoder().decode(plaintext));
+      } catch (err) {
+        throw new Error("Decryption failed: data may be tampered or key is incorrect", { cause: err });
+      }
+    }
+  };
+}
+// src/group-crypto.ts
 function bytesToHex(bytes) {
-    return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
 }
 function hexToBytes(hex) {
-    const bytes = new Uint8Array(hex.length / 2);
-    for (let i = 0; i < bytes.length; i++) {
-        bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
-    }
-    return bytes;
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
 }
-const ALGO = "AES-GCM";
-const GROUP_WRAP_SALT = "starfish-group-wrap";
-const GROUP_WRAP_INFO = "starfish-group-wrap";
-const GROUP_ECDH_DOMAIN = "starfish-group-ecdh";
-const GROUP_DATA_INFO = "starfish-group";
-const GEK_BYTES = 32;
-// ── Key derivation ────────────────────────────────────────────────────────────
-/**
- * Derives a deterministic X25519 key pair from a passphrase + userId.
- *
- * The derivation uses SHA-256 with a fixed domain separator so it is distinct
- * from the auth token and encryption key derivations. Same passphrase + userId
- * always produces the same key pair on any device (stateless).
- */
-export async function deriveGroupKeyPair(passphrase, userId) {
-    const c = getCrypto();
-    const enc = new TextEncoder();
-    const input = enc.encode(`${passphrase}:${userId}:${GROUP_ECDH_DOMAIN}`);
-    const hash = await c.subtle.digest("SHA-256", input);
-    const privateKeyBytes = new Uint8Array(hash);
-    const publicKeyBytes = x25519.getPublicKey(privateKeyBytes);
-    return { privateKey: bytesToHex(privateKeyBytes), publicKey: bytesToHex(publicKeyBytes) };
+var ALGO2 = "AES-GCM";
+var GROUP_WRAP_SALT = "starfish-group-wrap";
+var GROUP_WRAP_INFO = "starfish-group-wrap";
+var GROUP_ECDH_DOMAIN = "starfish-group-ecdh";
+var GROUP_DATA_INFO = "starfish-group";
+var GEK_BYTES = 32;
+async function deriveGroupKeyPair(passphrase, userId) {
+  const c = getCrypto2();
+  const enc = new TextEncoder();
+  const input = enc.encode(`${passphrase}:${userId}:${GROUP_ECDH_DOMAIN}`);
+  const hash = await c.subtle.digest("SHA-256", input);
+  const privateKeyBytes = new Uint8Array(hash);
+  const publicKeyBytes = x25519.getPublicKey(privateKeyBytes);
+  return { privateKey: bytesToHex(privateKeyBytes), publicKey: bytesToHex(publicKeyBytes) };
 }
-// ── GEK generation ────────────────────────────────────────────────────────────
-/** Generates a random 256-bit Group Encryption Key as a hex string. */
-export function generateGroupKey() {
-    const c = getCrypto();
-    return bytesToHex(c.getRandomValues(new Uint8Array(GEK_BYTES)));
+function generateGroupKey() {
+  const c = getCrypto2();
+  return bytesToHex(c.getRandomValues(new Uint8Array(GEK_BYTES)));
 }
-// ── Key wrapping / unwrapping ─────────────────────────────────────────────────
-/**
- * Wraps a GEK for a specific member using ECDH key agreement.
- *
- * The wrapper (admin) and member each have an X25519 key pair. ECDH between
- * `wrapperPrivateKey` and `memberPublicKey` produces a shared secret, which is
- * used to derive an AES-256-GCM key that encrypts the GEK.
- *
- * @returns base64(IV || AES-GCM-ciphertext)
- */
-export async function wrapGroupKey(gek, memberPublicKey, wrapperPrivateKey) {
-    const sharedSecret = x25519.getSharedSecret(hexToBytes(wrapperPrivateKey), hexToBytes(memberPublicKey));
-    const wrappingKey = await deriveKey(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO);
-    const c = getCrypto();
-    const b64 = getBase64();
-    const iv = c.getRandomValues(new Uint8Array(IV_BYTES));
-    const encrypted = await c.subtle.encrypt({ name: ALGO, iv }, wrappingKey, hexToBytes(gek).buffer);
-    const combined = new Uint8Array(IV_BYTES + encrypted.byteLength);
-    combined.set(iv);
-    combined.set(new Uint8Array(encrypted), IV_BYTES);
-    return b64.encode(combined);
+async function wrapGroupKey(gek, memberPublicKey, wrapperPrivateKey) {
+  const sharedSecret = x25519.getSharedSecret(hexToBytes(wrapperPrivateKey), hexToBytes(memberPublicKey));
+  const wrappingKey = await deriveKey2(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO);
+  const c = getCrypto2();
+  const b64 = getBase642();
+  const iv = c.getRandomValues(new Uint8Array(IV_BYTES2));
+  const encrypted = await c.subtle.encrypt({ name: ALGO2, iv }, wrappingKey, hexToBytes(gek).buffer);
+  const combined = new Uint8Array(IV_BYTES2 + encrypted.byteLength);
+  combined.set(iv);
+  combined.set(new Uint8Array(encrypted), IV_BYTES2);
+  return b64.encode(combined);
 }
-/**
- * Unwraps a GEK using the member's own private key and the admin's public key.
- *
- * ECDH between `memberPrivateKey` and `adminPublicKey` yields the same shared
- * secret as the wrapping step, so the same AES key is derived and the GEK is
- * recovered.
- *
- * @returns GEK as a hex string
- */
-export async function unwrapGroupKey(wrapped, memberPrivateKey, adminPublicKey) {
-    const sharedSecret = x25519.getSharedSecret(hexToBytes(memberPrivateKey), hexToBytes(adminPublicKey));
-    const wrappingKey = await deriveKey(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO);
-    const b64 = getBase64();
-    const c = getCrypto();
-    const combined = b64.decode(wrapped);
-    const iv = combined.slice(0, IV_BYTES);
-    const ciphertext = combined.slice(IV_BYTES);
-    try {
-        const decrypted = await c.subtle.decrypt({ name: ALGO, iv }, wrappingKey, ciphertext);
-        return bytesToHex(new Uint8Array(decrypted));
-    }
-    catch {
-        throw new Error("Failed to unwrap group key: decryption failed (wrong keys or corrupted data)");
-    }
+async function unwrapGroupKey(wrapped, memberPrivateKey, adminPublicKey) {
+  const sharedSecret = x25519.getSharedSecret(hexToBytes(memberPrivateKey), hexToBytes(adminPublicKey));
+  const wrappingKey = await deriveKey2(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO);
+  const b64 = getBase642();
+  const c = getCrypto2();
+  const combined = b64.decode(wrapped);
+  const iv = combined.slice(0, IV_BYTES2);
+  const ciphertext = combined.slice(IV_BYTES2);
+  try {
+    const decrypted = await c.subtle.decrypt({ name: ALGO2, iv }, wrappingKey, ciphertext);
+    return bytesToHex(new Uint8Array(decrypted));
+  } catch {
+    throw new Error("Failed to unwrap group key: decryption failed (wrong keys or corrupted data)");
+  }
 }
-// ── Keyring management ────────────────────────────────────────────────────────
-/**
- * Creates a new group keyring document with epoch 1.
- *
- * @param adminKeyPair  The admin's key pair (from `deriveGroupKeyPair` or `deriveCredentials`)
- * @param members       Map from member identity (userId) → hex public key
- * @param gek           Optional GEK to use; generated randomly if omitted
- * @returns             The keyring document and the raw GEK (admin keeps the GEK to add future members)
- */
-export async function createGroupKeyring(adminKeyPair, members, gek) {
-    const resolvedGek = gek ?? generateGroupKey();
-    const wrappedKeys = {};
-    for (const [memberId, memberPublicKey] of Object.entries(members)) {
-        wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey);
+async function createGroupKeyring(adminKeyPair, members, gek) {
+  const resolvedGek = gek ?? generateGroupKey();
+  const wrappedKeys = {};
+  for (const [memberId, memberPublicKey] of Object.entries(members)) {
+    wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey);
+  }
+  const keyring = {
+    currentEpoch: 1,
+    epochs: {
+      "1": { adminPublicKey: adminKeyPair.publicKey, wrappedKeys }
     }
-    const keyring = {
-        currentEpoch: 1,
-        epochs: {
-            "1": { adminPublicKey: adminKeyPair.publicKey, wrappedKeys },
-        },
-    };
-    return { keyring, gek: resolvedGek };
+  };
+  return { keyring, gek: resolvedGek };
 }
-/**
- * Adds a new member to the current epoch of an existing keyring.
- *
- * The admin supplies the current GEK (returned by `createGroupKeyring` or
- * `rotateGroupKey`) and their key pair to wrap it for the new member.
- * This does NOT rotate the GEK — the new member can read all existing
- * documents encrypted with the current epoch key.
- *
- * Only the admin (whose `publicKey` matches `epochKeyring.adminPublicKey`) can
- * add members, because all wrapped entries must use the same ECDH key pair.
- */
-export async function addGroupMember(keyring, adminKeyPair, currentGek, newMemberId, newMemberPublicKey) {
-    const epochKey = String(keyring.currentEpoch);
-    const epochKeyring = keyring.epochs[epochKey];
-    if (!epochKeyring)
-        throw new Error(`Epoch ${keyring.currentEpoch} not found in keyring`);
-    if (epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {
-        throw new Error(`Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`);
+async function addGroupMember(keyring, adminKeyPair, currentGek, newMemberId, newMemberPublicKey) {
+  const epochKey = String(keyring.currentEpoch);
+  const epochKeyring = keyring.epochs[epochKey];
+  if (!epochKeyring) throw new Error(`Epoch ${keyring.currentEpoch} not found in keyring`);
+  if (epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {
+    throw new Error(`Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`);
+  }
+  const wrapped = await wrapGroupKey(currentGek, newMemberPublicKey, adminKeyPair.privateKey);
+  return {
+    ...keyring,
+    epochs: {
+      ...keyring.epochs,
+      [epochKey]: {
+        ...epochKeyring,
+        wrappedKeys: { ...epochKeyring.wrappedKeys, [newMemberId]: wrapped }
+      }
     }
-    const wrapped = await wrapGroupKey(currentGek, newMemberPublicKey, adminKeyPair.privateKey);
-    return {
-        ...keyring,
-        epochs: {
-            ...keyring.epochs,
-            [epochKey]: {
-                ...epochKeyring,
-                wrappedKeys: { ...epochKeyring.wrappedKeys, [newMemberId]: wrapped },
-            },
-        },
-    };
+  };
 }
-/**
- * Rotates the group key, creating a new epoch.
- *
- * Used when removing a member. The removed member retains their old epoch key
- * (and can still read old documents), but cannot read new documents.
- *
- * @param remainingMembers  Map from identity → hex public key for members who keep access
- */
-export async function rotateGroupKey(keyring, adminKeyPair, remainingMembers, newGek) {
-    const epochKey = String(keyring.currentEpoch);
-    const epochKeyring = keyring.epochs[epochKey];
-    if (epochKeyring && epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {
-        throw new Error(`Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`);
-    }
-    const resolvedGek = newGek ?? generateGroupKey();
-    const newEpoch = keyring.currentEpoch + 1;
-    const wrappedKeys = {};
-    for (const [memberId, memberPublicKey] of Object.entries(remainingMembers)) {
-        wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey);
+async function rotateGroupKey(keyring, adminKeyPair, remainingMembers, newGek) {
+  const epochKey = String(keyring.currentEpoch);
+  const epochKeyring = keyring.epochs[epochKey];
+  if (epochKeyring && epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {
+    throw new Error(
+      `Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`
+    );
+  }
+  const resolvedGek = newGek ?? generateGroupKey();
+  const newEpoch = keyring.currentEpoch + 1;
+  const wrappedKeys = {};
+  for (const [memberId, memberPublicKey] of Object.entries(remainingMembers)) {
+    wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey);
+  }
+  const newKeyring = {
+    currentEpoch: newEpoch,
+    epochs: {
+      ...keyring.epochs,
+      [String(newEpoch)]: { adminPublicKey: adminKeyPair.publicKey, wrappedKeys }
     }
-    const newKeyring = {
-        currentEpoch: newEpoch,
-        epochs: {
-            ...keyring.epochs,
-            [String(newEpoch)]: { adminPublicKey: adminKeyPair.publicKey, wrappedKeys },
-        },
-    };
-    return { keyring: newKeyring, gek: resolvedGek };
+  };
+  return { keyring: newKeyring, gek: resolvedGek };
 }
-// ── Encryptor factory ─────────────────────────────────────────────────────────
-/**
- * Creates an Encryptor that can decrypt any epoch and encrypts with the current epoch.
- *
- * Wire format: `{ _encrypted: "base64(IV || ciphertext)", _epoch: N }`
- *
- * @param keyring         The keyring document fetched from Starfish
- * @param myIdentity      The caller's userId (to locate their wrapped key in each epoch)
- * @param myPrivateKey    The caller's hex-encoded X25519 private key
- */
-export async function createGroupEncryptor(keyring, myIdentity, myPrivateKey) {
-    // Unwrap GEK for each epoch we have a key for
-    const epochEncryptors = new Map();
-    for (const [epochStr, epochKeyring] of Object.entries(keyring.epochs)) {
-        const epoch = parseInt(epochStr, 10);
-        const wrapped = epochKeyring.wrappedKeys[myIdentity];
-        if (!wrapped)
-            continue;
-        const gek = await unwrapGroupKey(wrapped, myPrivateKey, epochKeyring.adminPublicKey);
-        epochEncryptors.set(epoch, createEncryptor(gek, `epoch-${epoch}`, GROUP_DATA_INFO));
-    }
-    const currentEpoch = keyring.currentEpoch;
-    const currentEncryptor = epochEncryptors.get(currentEpoch);
-    if (!currentEncryptor) {
-        throw new Error(`No wrapped key found for identity "${myIdentity}" in epoch ${currentEpoch}. ` +
-            `Ensure the admin has added this member to the keyring.`);
+async function createGroupEncryptor(keyring, myIdentity, myPrivateKey) {
+  const epochEncryptors = /* @__PURE__ */ new Map();
+  for (const [epochStr, epochKeyring] of Object.entries(keyring.epochs)) {
+    const epoch = parseInt(epochStr, 10);
+    const wrapped = epochKeyring.wrappedKeys[myIdentity];
+    if (!wrapped) continue;
+    const gek = await unwrapGroupKey(wrapped, myPrivateKey, epochKeyring.adminPublicKey);
+    epochEncryptors.set(epoch, createEncryptor(gek, `epoch-${epoch}`, GROUP_DATA_INFO));
+  }
+  const currentEpoch = keyring.currentEpoch;
+  const currentEncryptor = epochEncryptors.get(currentEpoch);
+  if (!currentEncryptor) {
+    throw new Error(
+      `No wrapped key found for identity "${myIdentity}" in epoch ${currentEpoch}. Ensure the admin has added this member to the keyring.`
+    );
+  }
+  return {
+    async encrypt(data) {
+      const encrypted = await currentEncryptor.encrypt(data);
+      return { ...encrypted, _epoch: currentEpoch };
+    },
+    async decrypt(wrapper) {
+      const epoch = typeof wrapper._epoch === "number" ? wrapper._epoch : currentEpoch;
+      const encryptor = epochEncryptors.get(epoch);
+      if (!encryptor) {
+        throw new Error(
+          `No key available for epoch ${epoch}. This document was encrypted in a different epoch. Ensure your keyring is up to date.`
+        );
+      }
+      return encryptor.decrypt(wrapper);
     }
-    return {
-        async encrypt(data) {
-            const encrypted = await currentEncryptor.encrypt(data);
-            return { ...encrypted, _epoch: currentEpoch };
-        },
-        async decrypt(wrapper) {
-            const epoch = typeof wrapper._epoch === "number" ? wrapper._epoch : currentEpoch;
-            const encryptor = epochEncryptors.get(epoch);
-            if (!encryptor) {
-                throw new Error(`No key available for epoch ${epoch}. ` +
-                    `This document was encrypted in a different epoch. ` +
-                    `Ensure your keyring is up to date.`);
-            }
-            return encryptor.decrypt(wrapper);
-        },
-    };
+  };
 }
+export {
+  addGroupMember,
+  createGroupEncryptor,
+  createGroupKeyring,
+  deriveGroupKeyPair,
+  generateGroupKey,
+  rotateGroupKey,
+  unwrapGroupKey,
+  wrapGroupKey
+};
+//# sourceMappingURL=group-crypto.js.map

package/dist/group-crypto.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/group-crypto.ts", "../src/crypto.ts"],
+  "sourcesContent": ["/**\n * Group encryption utilities for Starfish.\n *\n * Enables multiple users to share a common encrypted collection without sharing\n * a passphrase. Each member holds their own credentials; a Group Encryption Key\n * (GEK) is distributed per-member using X25519 ECDH key agreement.\n *\n * Typical flow:\n *   1. Each user calls `deriveCredentials(passphrase)` \u2014 now includes groupPublicKey / groupPrivateKey.\n *   2. Admin calls `createGroupKeyring(...)` to create a keyring document.\n *   3. Members call `createGroupEncryptor(keyringData, myIdentity, myPrivateKey)` to get an Encryptor.\n *   4. The Encryptor is passed to SyncManager via the `encryptor` option.\n */\n\nimport { x25519 } from \"@noble/curves/ed25519.js\"\nimport { getCrypto, getBase64, IV_BYTES, deriveKey } from \"@drakkar.software/starfish-protocol\"\nimport type { Encryptor } from \"./crypto.js\"\nimport { createEncryptor } from \"./crypto.js\"\n\n// \u2500\u2500 Internal helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nfunction bytesToHex(bytes: Uint8Array): string {\n  return Array.from(bytes, (b) => b.toString(16).padStart(2, \"0\")).join(\"\")\n}\n\nfunction hexToBytes(hex: string): Uint8Array {\n  const bytes = new Uint8Array(hex.length / 2)\n  for (let i = 0; i < bytes.length; i++) {\n    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16)\n  }\n  return bytes\n}\n\nconst ALGO = \"AES-GCM\"\nconst GROUP_WRAP_SALT = \"starfish-group-wrap\"\nconst GROUP_WRAP_INFO = \"starfish-group-wrap\"\nconst GROUP_ECDH_DOMAIN = \"starfish-group-ecdh\"\nconst GROUP_DATA_INFO = \"starfish-group\"\nconst GEK_BYTES = 32\n\n// \u2500\u2500 Types \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/** An ECDH key pair used for group encryption. Hex-encoded for easy serialization. */\nexport interface GroupKeyPair {\n  /** Hex-encoded X25519 private key (32 bytes). Keep secret \u2014 never store on server. */\n  privateKey: string\n  /** Hex-encoded X25519 public key (32 bytes). Safe to publish. */\n  publicKey: string\n}\n\n/** One epoch's wrapped keys: each member's GEK encrypted to their public key. */\nexport interface EpochKeyring {\n  /** The admin's hex-encoded X25519 public key (used for ECDH by members). */\n  adminPublicKey: string\n  /** Map from member identity (userId) \u2192 base64(IV || AES-GCM(GEK)) */\n  wrappedKeys: Record<string, string>\n}\n\n/** The full keyring document stored in a Starfish collection. Push this with any SyncManager. */\nexport interface GroupKeyring {\n  /** The epoch number currently used for new encryptions. */\n  currentEpoch: number\n  /** All epochs. Members unwrap the GEK for whichever epoch a document was encrypted with. */\n  epochs: Record<string, EpochKeyring>\n}\n\n// \u2500\u2500 Key derivation \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/**\n * Derives a deterministic X25519 key pair from a passphrase + userId.\n *\n * The derivation uses SHA-256 with a fixed domain separator so it is distinct\n * from the auth token and encryption key derivations. Same passphrase + userId\n * always produces the same key pair on any device (stateless).\n */\nexport async function deriveGroupKeyPair(passphrase: string, userId: string): Promise<GroupKeyPair> {\n  const c = getCrypto()\n  const enc = new TextEncoder()\n  const input = enc.encode(`${passphrase}:${userId}:${GROUP_ECDH_DOMAIN}`)\n  const hash = await c.subtle.digest(\"SHA-256\", input)\n  const privateKeyBytes = new Uint8Array(hash)\n  const publicKeyBytes = x25519.getPublicKey(privateKeyBytes)\n  return { privateKey: bytesToHex(privateKeyBytes), publicKey: bytesToHex(publicKeyBytes) }\n}\n\n// \u2500\u2500 GEK generation \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/** Generates a random 256-bit Group Encryption Key as a hex string. */\nexport function generateGroupKey(): string {\n  const c = getCrypto()\n  return bytesToHex(c.getRandomValues(new Uint8Array(GEK_BYTES)))\n}\n\n// \u2500\u2500 Key wrapping / unwrapping \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/**\n * Wraps a GEK for a specific member using ECDH key agreement.\n *\n * The wrapper (admin) and member each have an X25519 key pair. ECDH between\n * `wrapperPrivateKey` and `memberPublicKey` produces a shared secret, which is\n * used to derive an AES-256-GCM key that encrypts the GEK.\n *\n * @returns base64(IV || AES-GCM-ciphertext)\n */\nexport async function wrapGroupKey(\n  gek: string,\n  memberPublicKey: string,\n  wrapperPrivateKey: string,\n): Promise<string> {\n  const sharedSecret = x25519.getSharedSecret(hexToBytes(wrapperPrivateKey), hexToBytes(memberPublicKey))\n  const wrappingKey = await deriveKey(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO)\n\n  const c = getCrypto()\n  const b64 = getBase64()\n  const iv = c.getRandomValues(new Uint8Array(IV_BYTES))\n  const encrypted = await c.subtle.encrypt({ name: ALGO, iv }, wrappingKey, hexToBytes(gek).buffer as ArrayBuffer)\n\n  const combined = new Uint8Array(IV_BYTES + encrypted.byteLength)\n  combined.set(iv)\n  combined.set(new Uint8Array(encrypted), IV_BYTES)\n  return b64.encode(combined)\n}\n\n/**\n * Unwraps a GEK using the member's own private key and the admin's public key.\n *\n * ECDH between `memberPrivateKey` and `adminPublicKey` yields the same shared\n * secret as the wrapping step, so the same AES key is derived and the GEK is\n * recovered.\n *\n * @returns GEK as a hex string\n */\nexport async function unwrapGroupKey(\n  wrapped: string,\n  memberPrivateKey: string,\n  adminPublicKey: string,\n): Promise<string> {\n  const sharedSecret = x25519.getSharedSecret(hexToBytes(memberPrivateKey), hexToBytes(adminPublicKey))\n  const wrappingKey = await deriveKey(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO)\n\n  const b64 = getBase64()\n  const c = getCrypto()\n  const combined = b64.decode(wrapped)\n  const iv = combined.slice(0, IV_BYTES)\n  const ciphertext = combined.slice(IV_BYTES)\n  try {\n    const decrypted = await c.subtle.decrypt({ name: ALGO, iv }, wrappingKey, ciphertext)\n    return bytesToHex(new Uint8Array(decrypted))\n  } catch {\n    throw new Error(\"Failed to unwrap group key: decryption failed (wrong keys or corrupted data)\")\n  }\n}\n\n// \u2500\u2500 Keyring management \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/**\n * Creates a new group keyring document with epoch 1.\n *\n * @param adminKeyPair  The admin's key pair (from `deriveGroupKeyPair` or `deriveCredentials`)\n * @param members       Map from member identity (userId) \u2192 hex public key\n * @param gek           Optional GEK to use; generated randomly if omitted\n * @returns             The keyring document and the raw GEK (admin keeps the GEK to add future members)\n */\nexport async function createGroupKeyring(\n  adminKeyPair: GroupKeyPair,\n  members: Record<string, string>,\n  gek?: string,\n): Promise<{ keyring: GroupKeyring; gek: string }> {\n  const resolvedGek = gek ?? generateGroupKey()\n  const wrappedKeys: Record<string, string> = {}\n  for (const [memberId, memberPublicKey] of Object.entries(members)) {\n    wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey)\n  }\n  const keyring: GroupKeyring = {\n    currentEpoch: 1,\n    epochs: {\n      \"1\": { adminPublicKey: adminKeyPair.publicKey, wrappedKeys },\n    },\n  }\n  return { keyring, gek: resolvedGek }\n}\n\n/**\n * Adds a new member to the current epoch of an existing keyring.\n *\n * The admin supplies the current GEK (returned by `createGroupKeyring` or\n * `rotateGroupKey`) and their key pair to wrap it for the new member.\n * This does NOT rotate the GEK \u2014 the new member can read all existing\n * documents encrypted with the current epoch key.\n *\n * Only the admin (whose `publicKey` matches `epochKeyring.adminPublicKey`) can\n * add members, because all wrapped entries must use the same ECDH key pair.\n */\nexport async function addGroupMember(\n  keyring: GroupKeyring,\n  adminKeyPair: GroupKeyPair,\n  currentGek: string,\n  newMemberId: string,\n  newMemberPublicKey: string,\n): Promise<GroupKeyring> {\n  const epochKey = String(keyring.currentEpoch)\n  const epochKeyring = keyring.epochs[epochKey]\n  if (!epochKeyring) throw new Error(`Epoch ${keyring.currentEpoch} not found in keyring`)\n  if (epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {\n    throw new Error(`Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`)\n  }\n\n  const wrapped = await wrapGroupKey(currentGek, newMemberPublicKey, adminKeyPair.privateKey)\n\n  return {\n    ...keyring,\n    epochs: {\n      ...keyring.epochs,\n      [epochKey]: {\n        ...epochKeyring,\n        wrappedKeys: { ...epochKeyring.wrappedKeys, [newMemberId]: wrapped },\n      },\n    },\n  }\n}\n\n/**\n * Rotates the group key, creating a new epoch.\n *\n * Used when removing a member. The removed member retains their old epoch key\n * (and can still read old documents), but cannot read new documents.\n *\n * @param remainingMembers  Map from identity \u2192 hex public key for members who keep access\n */\nexport async function rotateGroupKey(\n  keyring: GroupKeyring,\n  adminKeyPair: GroupKeyPair,\n  remainingMembers: Record<string, string>,\n  newGek?: string,\n): Promise<{ keyring: GroupKeyring; gek: string }> {\n  const epochKey = String(keyring.currentEpoch)\n  const epochKeyring = keyring.epochs[epochKey]\n  if (epochKeyring && epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {\n    throw new Error(\n      `Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`,\n    )\n  }\n  const resolvedGek = newGek ?? generateGroupKey()\n  const newEpoch = keyring.currentEpoch + 1\n  const wrappedKeys: Record<string, string> = {}\n  for (const [memberId, memberPublicKey] of Object.entries(remainingMembers)) {\n    wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey)\n  }\n  const newKeyring: GroupKeyring = {\n    currentEpoch: newEpoch,\n    epochs: {\n      ...keyring.epochs,\n      [String(newEpoch)]: { adminPublicKey: adminKeyPair.publicKey, wrappedKeys },\n    },\n  }\n  return { keyring: newKeyring, gek: resolvedGek }\n}\n\n// \u2500\u2500 Encryptor factory \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/**\n * Creates an Encryptor that can decrypt any epoch and encrypts with the current epoch.\n *\n * Wire format: `{ _encrypted: \"base64(IV || ciphertext)\", _epoch: N }`\n *\n * @param keyring         The keyring document fetched from Starfish\n * @param myIdentity      The caller's userId (to locate their wrapped key in each epoch)\n * @param myPrivateKey    The caller's hex-encoded X25519 private key\n */\nexport async function createGroupEncryptor(\n  keyring: GroupKeyring,\n  myIdentity: string,\n  myPrivateKey: string,\n): Promise<Encryptor> {\n  // Unwrap GEK for each epoch we have a key for\n  const epochEncryptors = new Map<number, Encryptor>()\n  for (const [epochStr, epochKeyring] of Object.entries(keyring.epochs)) {\n    const epoch = parseInt(epochStr, 10)\n    const wrapped = epochKeyring.wrappedKeys[myIdentity]\n    if (!wrapped) continue\n    const gek = await unwrapGroupKey(wrapped, myPrivateKey, epochKeyring.adminPublicKey)\n    epochEncryptors.set(epoch, createEncryptor(gek, `epoch-${epoch}`, GROUP_DATA_INFO))\n  }\n\n  const currentEpoch = keyring.currentEpoch\n  const currentEncryptor = epochEncryptors.get(currentEpoch)\n  if (!currentEncryptor) {\n    throw new Error(\n      `No wrapped key found for identity \"${myIdentity}\" in epoch ${currentEpoch}. ` +\n        `Ensure the admin has added this member to the keyring.`,\n    )\n  }\n\n  return {\n    async encrypt(data: Record<string, unknown>): Promise<Record<string, unknown>> {\n      const encrypted = await currentEncryptor.encrypt(data)\n      return { ...encrypted, _epoch: currentEpoch }\n    },\n\n    async decrypt(wrapper: Record<string, unknown>): Promise<Record<string, unknown>> {\n      const epoch = typeof wrapper._epoch === \"number\" ? wrapper._epoch : currentEpoch\n      const encryptor = epochEncryptors.get(epoch)\n      if (!encryptor) {\n        throw new Error(\n          `No key available for epoch ${epoch}. ` +\n            `This document was encrypted in a different epoch. ` +\n            `Ensure your keyring is up to date.`,\n        )\n      }\n      return encryptor.decrypt(wrapper)\n    },\n  }\n}\n", "import { getCrypto, getBase64, IV_BYTES, ENCRYPTED_KEY, deriveKey } from \"@drakkar.software/starfish-protocol\"\n\nconst ALGO = \"AES-GCM\"\n\nexport { ENCRYPTED_KEY }\n\n/** Encrypt/decrypt interface for client-side E2E encryption. */\nexport interface Encryptor {\n  encrypt(data: Record<string, unknown>): Promise<Record<string, unknown>>\n  decrypt(wrapper: Record<string, unknown>): Promise<Record<string, unknown>>\n}\n\n/**\n * Creates an Encryptor that uses AES-256-GCM with HKDF-derived keys.\n */\nexport function createEncryptor(secret: string, salt: string, info: string = \"starfish-e2e\"): Encryptor {\n  if (!secret) throw new Error(\"encryptionSecret must not be empty\")\n  if (!salt) throw new Error(\"encryptionSalt must not be empty\")\n  const keyPromise = deriveKey(secret, salt, info)\n\n  return {\n    async encrypt(data: Record<string, unknown>): Promise<Record<string, unknown>> {\n      const key = await keyPromise\n      const c = getCrypto()\n      const b64 = getBase64()\n      const plaintext = new TextEncoder().encode(JSON.stringify(data))\n      const iv = c.getRandomValues(new Uint8Array(IV_BYTES))\n      const ciphertext = await c.subtle.encrypt({ name: ALGO, iv }, key, plaintext)\n\n      const combined = new Uint8Array(iv.length + ciphertext.byteLength)\n      combined.set(iv)\n      combined.set(new Uint8Array(ciphertext), iv.length)\n\n      return { [ENCRYPTED_KEY]: b64.encode(combined) }\n    },\n\n    async decrypt(wrapper: Record<string, unknown>): Promise<Record<string, unknown>> {\n      const encoded = wrapper[ENCRYPTED_KEY]\n      if (typeof encoded !== \"string\") {\n        throw new Error(\"Expected encrypted data but received unencrypted document\")\n      }\n\n      const key = await keyPromise\n      const c = getCrypto()\n      const b64 = getBase64()\n      const combined = b64.decode(encoded)\n      if (combined.length < IV_BYTES) {\n        throw new Error(\"Encrypted data is too short\")\n      }\n      const iv = combined.slice(0, IV_BYTES)\n      const ciphertext = combined.slice(IV_BYTES)\n      try {\n        const plaintext = await c.subtle.decrypt({ name: ALGO, iv }, key, ciphertext)\n        return JSON.parse(new TextDecoder().decode(plaintext))\n      } catch (err) {\n        throw new Error(\"Decryption failed: data may be tampered or key is incorrect\", { cause: err })\n      }\n    },\n  }\n}\n"],
+  "mappings": ";AAcA,SAAS,cAAc;AACvB,SAAS,aAAAA,YAAW,aAAAC,YAAW,YAAAC,WAAU,aAAAC,kBAAiB;;;ACf1D,SAAS,WAAW,WAAW,UAAU,eAAe,iBAAiB;AAEzE,IAAM,OAAO;AAaN,SAAS,gBAAgB,QAAgB,MAAc,OAAe,gBAA2B;AACtG,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,oCAAoC;AACjE,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,kCAAkC;AAC7D,QAAM,aAAa,UAAU,QAAQ,MAAM,IAAI;AAE/C,SAAO;AAAA,IACL,MAAM,QAAQ,MAAiE;AAC7E,YAAM,MAAM,MAAM;AAClB,YAAM,IAAI,UAAU;AACpB,YAAM,MAAM,UAAU;AACtB,YAAM,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,IAAI,CAAC;AAC/D,YAAM,KAAK,EAAE,gBAAgB,IAAI,WAAW,QAAQ,CAAC;AACrD,YAAM,aAAa,MAAM,EAAE,OAAO,QAAQ,EAAE,MAAM,MAAM,GAAG,GAAG,KAAK,SAAS;AAE5E,YAAM,WAAW,IAAI,WAAW,GAAG,SAAS,WAAW,UAAU;AACjE,eAAS,IAAI,EAAE;AACf,eAAS,IAAI,IAAI,WAAW,UAAU,GAAG,GAAG,MAAM;AAElD,aAAO,EAAE,CAAC,aAAa,GAAG,IAAI,OAAO,QAAQ,EAAE;AAAA,IACjD;AAAA,IAEA,MAAM,QAAQ,SAAoE;AAChF,YAAM,UAAU,QAAQ,aAAa;AACrC,UAAI,OAAO,YAAY,UAAU;AAC/B,cAAM,IAAI,MAAM,2DAA2D;AAAA,MAC7E;AAEA,YAAM,MAAM,MAAM;AAClB,YAAM,IAAI,UAAU;AACpB,YAAM,MAAM,UAAU;AACtB,YAAM,WAAW,IAAI,OAAO,OAAO;AACnC,UAAI,SAAS,SAAS,UAAU;AAC9B,cAAM,IAAI,MAAM,6BAA6B;AAAA,MAC/C;AACA,YAAM,KAAK,SAAS,MAAM,GAAG,QAAQ;AACrC,YAAM,aAAa,SAAS,MAAM,QAAQ;AAC1C,UAAI;AACF,cAAM,YAAY,MAAM,EAAE,OAAO,QAAQ,EAAE,MAAM,MAAM,GAAG,GAAG,KAAK,UAAU;AAC5E,eAAO,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,MACvD,SAAS,KAAK;AACZ,cAAM,IAAI,MAAM,+DAA+D,EAAE,OAAO,IAAI,CAAC;AAAA,MAC/F;AAAA,IACF;AAAA,EACF;AACF;;;ADtCA,SAAS,WAAW,OAA2B;AAC7C,SAAO,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AAC1E;AAEA,SAAS,WAAW,KAAyB;AAC3C,QAAM,QAAQ,IAAI,WAAW,IAAI,SAAS,CAAC;AAC3C,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,UAAM,CAAC,IAAI,SAAS,IAAI,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE;AAAA,EACrD;AACA,SAAO;AACT;AAEA,IAAMC,QAAO;AACb,IAAM,kBAAkB;AACxB,IAAM,kBAAkB;AACxB,IAAM,oBAAoB;AAC1B,IAAM,kBAAkB;AACxB,IAAM,YAAY;AAqClB,eAAsB,mBAAmB,YAAoB,QAAuC;AAClG,QAAM,IAAIC,WAAU;AACpB,QAAM,MAAM,IAAI,YAAY;AAC5B,QAAM,QAAQ,IAAI,OAAO,GAAG,UAAU,IAAI,MAAM,IAAI,iBAAiB,EAAE;AACvE,QAAM,OAAO,MAAM,EAAE,OAAO,OAAO,WAAW,KAAK;AACnD,QAAM,kBAAkB,IAAI,WAAW,IAAI;AAC3C,QAAM,iBAAiB,OAAO,aAAa,eAAe;AAC1D,SAAO,EAAE,YAAY,WAAW,eAAe,GAAG,WAAW,WAAW,cAAc,EAAE;AAC1F;AAKO,SAAS,mBAA2B;AACzC,QAAM,IAAIA,WAAU;AACpB,SAAO,WAAW,EAAE,gBAAgB,IAAI,WAAW,SAAS,CAAC,CAAC;AAChE;AAaA,eAAsB,aACpB,KACA,iBACA,mBACiB;AACjB,QAAM,eAAe,OAAO,gBAAgB,WAAW,iBAAiB,GAAG,WAAW,eAAe,CAAC;AACtG,QAAM,cAAc,MAAMC,WAAU,WAAW,YAAY,GAAG,iBAAiB,eAAe;AAE9F,QAAM,IAAID,WAAU;AACpB,QAAM,MAAME,WAAU;AACtB,QAAM,KAAK,EAAE,gBAAgB,IAAI,WAAWC,SAAQ,CAAC;AACrD,QAAM,YAAY,MAAM,EAAE,OAAO,QAAQ,EAAE,MAAMJ,OAAM,GAAG,GAAG,aAAa,WAAW,GAAG,EAAE,MAAqB;AAE/G,QAAM,WAAW,IAAI,WAAWI,YAAW,UAAU,UAAU;AAC/D,WAAS,IAAI,EAAE;AACf,WAAS,IAAI,IAAI,WAAW,SAAS,GAAGA,SAAQ;AAChD,SAAO,IAAI,OAAO,QAAQ;AAC5B;AAWA,eAAsB,eACpB,SACA,kBACA,gBACiB;AACjB,QAAM,eAAe,OAAO,gBAAgB,WAAW,gBAAgB,GAAG,WAAW,cAAc,CAAC;AACpG,QAAM,cAAc,MAAMF,WAAU,WAAW,YAAY,GAAG,iBAAiB,eAAe;AAE9F,QAAM,MAAMC,WAAU;AACtB,QAAM,IAAIF,WAAU;AACpB,QAAM,WAAW,IAAI,OAAO,OAAO;AACnC,QAAM,KAAK,SAAS,MAAM,GAAGG,SAAQ;AACrC,QAAM,aAAa,SAAS,MAAMA,SAAQ;AAC1C,MAAI;AACF,UAAM,YAAY,MAAM,EAAE,OAAO,QAAQ,EAAE,MAAMJ,OAAM,GAAG,GAAG,aAAa,UAAU;AACpF,WAAO,WAAW,IAAI,WAAW,SAAS,CAAC;AAAA,EAC7C,QAAQ;AACN,UAAM,IAAI,MAAM,8EAA8E;AAAA,EAChG;AACF;AAYA,eAAsB,mBACpB,cACA,SACA,KACiD;AACjD,QAAM,cAAc,OAAO,iBAAiB;AAC5C,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,UAAU,eAAe,KAAK,OAAO,QAAQ,OAAO,GAAG;AACjE,gBAAY,QAAQ,IAAI,MAAM,aAAa,aAAa,iBAAiB,aAAa,UAAU;AAAA,EAClG;AACA,QAAM,UAAwB;AAAA,IAC5B,cAAc;AAAA,IACd,QAAQ;AAAA,MACN,KAAK,EAAE,gBAAgB,aAAa,WAAW,YAAY;AAAA,IAC7D;AAAA,EACF;AACA,SAAO,EAAE,SAAS,KAAK,YAAY;AACrC;AAaA,eAAsB,eACpB,SACA,cACA,YACA,aACA,oBACuB;AACvB,QAAM,WAAW,OAAO,QAAQ,YAAY;AAC5C,QAAM,eAAe,QAAQ,OAAO,QAAQ;AAC5C,MAAI,CAAC,aAAc,OAAM,IAAI,MAAM,SAAS,QAAQ,YAAY,uBAAuB;AACvF,MAAI,aAAa,mBAAmB,aAAa,WAAW;AAC1D,UAAM,IAAI,MAAM,yEAAyE,QAAQ,YAAY,EAAE;AAAA,EACjH;AAEA,QAAM,UAAU,MAAM,aAAa,YAAY,oBAAoB,aAAa,UAAU;AAE1F,SAAO;AAAA,IACL,GAAG;AAAA,IACH,QAAQ;AAAA,MACN,GAAG,QAAQ;AAAA,MACX,CAAC,QAAQ,GAAG;AAAA,QACV,GAAG;AAAA,QACH,aAAa,EAAE,GAAG,aAAa,aAAa,CAAC,WAAW,GAAG,QAAQ;AAAA,MACrE;AAAA,IACF;AAAA,EACF;AACF;AAUA,eAAsB,eACpB,SACA,cACA,kBACA,QACiD;AACjD,QAAM,WAAW,OAAO,QAAQ,YAAY;AAC5C,QAAM,eAAe,QAAQ,OAAO,QAAQ;AAC5C,MAAI,gBAAgB,aAAa,mBAAmB,aAAa,WAAW;AAC1E,UAAM,IAAI;AAAA,MACR,yEAAyE,QAAQ,YAAY;AAAA,IAC/F;AAAA,EACF;AACA,QAAM,cAAc,UAAU,iBAAiB;AAC/C,QAAM,WAAW,QAAQ,eAAe;AACxC,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,UAAU,eAAe,KAAK,OAAO,QAAQ,gBAAgB,GAAG;AAC1E,gBAAY,QAAQ,IAAI,MAAM,aAAa,aAAa,iBAAiB,aAAa,UAAU;AAAA,EAClG;AACA,QAAM,aAA2B;AAAA,IAC/B,cAAc;AAAA,IACd,QAAQ;AAAA,MACN,GAAG,QAAQ;AAAA,MACX,CAAC,OAAO,QAAQ,CAAC,GAAG,EAAE,gBAAgB,aAAa,WAAW,YAAY;AAAA,IAC5E;AAAA,EACF;AACA,SAAO,EAAE,SAAS,YAAY,KAAK,YAAY;AACjD;AAaA,eAAsB,qBACpB,SACA,YACA,cACoB;AAEpB,QAAM,kBAAkB,oBAAI,IAAuB;AACnD,aAAW,CAAC,UAAU,YAAY,KAAK,OAAO,QAAQ,QAAQ,MAAM,GAAG;AACrE,UAAM,QAAQ,SAAS,UAAU,EAAE;AACnC,UAAM,UAAU,aAAa,YAAY,UAAU;AACnD,QAAI,CAAC,QAAS;AACd,UAAM,MAAM,MAAM,eAAe,SAAS,cAAc,aAAa,cAAc;AACnF,oBAAgB,IAAI,OAAO,gBAAgB,KAAK,SAAS,KAAK,IAAI,eAAe,CAAC;AAAA,EACpF;AAEA,QAAM,eAAe,QAAQ;AAC7B,QAAM,mBAAmB,gBAAgB,IAAI,YAAY;AACzD,MAAI,CAAC,kBAAkB;AACrB,UAAM,IAAI;AAAA,MACR,sCAAsC,UAAU,cAAc,YAAY;AAAA,IAE5E;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM,QAAQ,MAAiE;AAC7E,YAAM,YAAY,MAAM,iBAAiB,QAAQ,IAAI;AACrD,aAAO,EAAE,GAAG,WAAW,QAAQ,aAAa;AAAA,IAC9C;AAAA,IAEA,MAAM,QAAQ,SAAoE;AAChF,YAAM,QAAQ,OAAO,QAAQ,WAAW,WAAW,QAAQ,SAAS;AACpE,YAAM,YAAY,gBAAgB,IAAI,KAAK;AAC3C,UAAI,CAAC,WAAW;AACd,cAAM,IAAI;AAAA,UACR,8BAA8B,KAAK;AAAA,QAGrC;AAAA,MACF;AACA,aAAO,UAAU,QAAQ,OAAO;AAAA,IAClC;AAAA,EACF;AACF;",
+  "names": ["getCrypto", "getBase64", "IV_BYTES", "deriveKey", "ALGO", "getCrypto", "deriveKey", "getBase64", "IV_BYTES"]
+}