@drakkar.software/starfish-client 3.0.0-alpha.2 → 3.0.0-alpha.4

package/dist/debounced-sync.js

@@ -1,120 +0,0 @@
-// ── Implementation ────────────────────────────────────────────────────────────
-const DEFAULT_DELAY_MS = 2000;
-const DEFAULT_WARN_BYTES = 900 * 1024; // 900 KB
-const DEFAULT_MAX_BYTES = 1024 * 1024; // 1 MB
-/** Returns true if the push should be blocked. */
-function checkPayloadSize(doc, opts) {
-    // Estimate encrypted payload size. AES-GCM output is similar to input size;
-    // base64 encoding adds ~33% overhead, plus a small IV/tag overhead.
-    const estimatedBytes = Math.ceil(JSON.stringify(doc).length * 1.34);
-    if (estimatedBytes > opts.maxBytes) {
-        if (opts.onSizeExceeded) {
-            opts.onSizeExceeded(estimatedBytes);
-        }
-        else {
-            console.error(`[starfish] Push blocked: estimated payload ${(estimatedBytes / 1024).toFixed(0)} KB ` +
-                `exceeds limit of ${(opts.maxBytes / 1024).toFixed(0)} KB. Prune your data before syncing.`);
-        }
-        return true;
-    }
-    if (estimatedBytes > opts.warnBytes) {
-        if (opts.onSizeWarning) {
-            opts.onSizeWarning(estimatedBytes);
-        }
-        else {
-            console.warn(`[starfish] Payload approaching limit: estimated ${(estimatedBytes / 1024).toFixed(0)} KB ` +
-                `(warn threshold: ${(opts.warnBytes / 1024).toFixed(0)} KB).`);
-        }
-    }
-    return false;
-}
-/**
- * Creates a debounced push helper that coalesces rapid mutations into a single sync.
- *
- * Designed to be called on every domain store mutation (e.g., every keystroke).
- * The push is delayed by `delayMs` after the **last** call, so typing quickly
- * results in one push, not one per character.
- *
- * Also estimates the encrypted payload size before pushing and warns / blocks
- * if it approaches the server's body size limit.
- *
- * ```ts
- * const { notify } = createDebouncedSync(starfishStore, {
- *   serialize: () => ({ tasks: taskStore.getState().tasks }),
- * })
- *
- * // Call on every domain store mutation:
- * taskStore.subscribe(() => notify())
- * ```
- */
-export function createDebouncedSync(store, options = {}) {
-    const { delayMs = DEFAULT_DELAY_MS, warnBytes = DEFAULT_WARN_BYTES, maxBytes = DEFAULT_MAX_BYTES, serialize, onSizeWarning, onSizeExceeded, } = options;
-    let timer = null;
-    function cancel() {
-        if (timer !== null) {
-            clearTimeout(timer);
-            timer = null;
-        }
-    }
-    function notify() {
-        cancel();
-        timer = setTimeout(() => {
-            timer = null;
-            const current = store.getState().data;
-            const doc = serialize ? serialize(current) : current;
-            if (checkPayloadSize(doc, { warnBytes, maxBytes, onSizeWarning, onSizeExceeded }))
-                return;
-            store.getState().set(() => doc);
-        }, delayMs);
-    }
-    return { notify, cancel };
-}
-/**
- * Creates a debounced push helper that calls `syncManager.push()` directly,
- * without requiring a Zustand store.
- *
- * Use this for one-way publishing workflows: public pages, derived snapshots,
- * or any case where you want to push data without a full `createStarfishStore` setup.
- *
- * ```ts
- * const syncManager = new SyncManager({ client, pullPath, pushPath })
- *
- * const { notify, cancel } = createDebouncedPush(syncManager, {
- *   serialize: () => buildPublicPageDocument(),
- * })
- *
- * // Push after every relevant store mutation:
- * planningStore.subscribe(() => notify())
- *
- * // Clean up on teardown:
- * cancel()
- * ```
- */
-export function createDebouncedPush(syncManager, options) {
-    const { delayMs = DEFAULT_DELAY_MS, warnBytes = DEFAULT_WARN_BYTES, maxBytes = DEFAULT_MAX_BYTES, serialize, onSizeWarning, onSizeExceeded, onError, } = options;
-    let timer = null;
-    function cancel() {
-        if (timer !== null) {
-            clearTimeout(timer);
-            timer = null;
-        }
-    }
-    function notify() {
-        cancel();
-        timer = setTimeout(() => {
-            timer = null;
-            const doc = serialize();
-            if (checkPayloadSize(doc, { warnBytes, maxBytes, onSizeWarning, onSizeExceeded }))
-                return;
-            syncManager.push(doc).catch((err) => {
-                if (onError) {
-                    onError(err);
-                }
-                else {
-                    console.warn("[starfish] Push failed:", err);
-                }
-            });
-        }, delayMs);
-    }
-    return { notify, cancel };
-}

package/dist/dedup.js

@@ -1,35 +0,0 @@
-/**
- * Request deduplication: prevents multiple concurrent identical GET requests.
- * If a GET request is in-flight for a URL, subsequent identical GET requests
- * return the same Promise. POST/PUT/DELETE/PATCH are never deduped.
- */
-export function createDedupFetch(baseFetch = globalThis.fetch.bind(globalThis)) {
-    const inflightGets = new Map();
-    return (async (input, init) => {
-        const method = (init?.method ?? "GET").toUpperCase();
-        // Only dedup GET requests
-        if (method !== "GET") {
-            return baseFetch(input, init);
-        }
-        const url = typeof input === "string"
-            ? input
-            : input instanceof URL
-                ? input.toString()
-                : input.url;
-        const existing = inflightGets.get(url);
-        if (existing) {
-            // Return a clone — the original is reserved for cloning only
-            return existing.then((res) => res.clone());
-        }
-        // Store a promise that resolves to a response we keep solely for cloning.
-        // The first caller also gets a clone, ensuring the "master" body is never consumed.
-        const promise = baseFetch(input, init)
-            .then((res) => res)
-            .finally(() => {
-            inflightGets.delete(url);
-        });
-        inflightGets.set(url, promise);
-        // First caller also gets a clone so the cached response body stays unconsumed
-        return promise.then((res) => res.clone());
-    });
-}

package/dist/entitlements.js

@@ -1,41 +0,0 @@
-import { StarfishHttpError } from "./types.js";
-/**
- * Fetches the list of feature slugs from a user's entitlement document.
- *
- * Returns an empty array if the document does not exist yet or the features
- * field is absent — so callers never need to handle a 404.
- *
- * ```ts
- * import { pullEntitlements } from "@drakkar.software/starfish-client"
- *
- * const features = await pullEntitlements(client, userId)
- * // e.g. ["premium-package-1", "paid-cloud-sync"]
- *
- * if (features.includes("paid-cloud-sync")) {
- *   // unlock cloud sync UI
- * }
- * ```
- *
- * The path template must match the server-side collection's `storagePath`.
- * With the recommended default config:
- * ```ts
- * { storagePath: "users/{identity}/entitlements" }
- * // → path: "/pull/users/{userId}/entitlements"  (default)
- * ```
- */
-export async function pullEntitlements(client, userId, opts) {
-    const path = (opts?.path ?? "/pull/users/{userId}/entitlements").replace("{userId}", userId);
-    const field = opts?.field ?? "features";
-    try {
-        const result = await client.pull(path);
-        const list = result.data?.[field];
-        if (!Array.isArray(list))
-            return [];
-        return list.filter((s) => typeof s === "string");
-    }
-    catch (err) {
-        if (err instanceof StarfishHttpError && err.status === 404)
-            return [];
-        throw err;
-    }
-}

package/dist/export.js

@@ -1,115 +0,0 @@
-/**
- * Data export/import helpers for Starfish sync data.
- * Supports JSON and CSV formats.
- */
-/**
- * Export data to a string representation.
- * JSON: serializes the full object.
- * CSV: flattens top-level keys into columns. Array values are JSON-encoded.
- */
-export function exportData(data, opts) {
-    const format = opts?.format ?? "json";
-    if (format === "json") {
-        return opts?.pretty
-            ? JSON.stringify(data, null, 2)
-            : JSON.stringify(data);
-    }
-    // CSV export: each top-level key becomes a column
-    return toCsv(data);
-}
-/**
- * Import data from a string representation.
- */
-export function importData(raw, format = "json") {
-    if (format === "json") {
-        const parsed = JSON.parse(raw);
-        if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
-            throw new Error("Expected a JSON object");
-        }
-        return parsed;
-    }
-    return fromCsv(raw);
-}
-/**
- * Export data to a Blob suitable for download.
- */
-export function exportToBlob(data, opts) {
-    const format = opts?.format ?? "json";
-    const content = exportData(data, opts);
-    const mimeType = format === "csv" ? "text/csv;charset=utf-8" : "application/json;charset=utf-8";
-    return new Blob([content], { type: mimeType });
-}
-function toCsv(data) {
-    const keys = Object.keys(data);
-    const header = keys.map(escapeCsvField).join(",");
-    const values = keys.map((k) => {
-        const v = data[k];
-        if (v === null || v === undefined)
-            return "";
-        if (typeof v === "object")
-            return escapeCsvField(JSON.stringify(v));
-        return escapeCsvField(String(v));
-    });
-    return `${header}\n${values.join(",")}`;
-}
-function fromCsv(raw) {
-    const lines = raw.trim().split("\n");
-    if (lines.length < 2) {
-        throw new Error("CSV must have at least a header row and a data row");
-    }
-    const headers = parseCsvLine(lines[0]);
-    const values = parseCsvLine(lines[1]);
-    const result = {};
-    for (let i = 0; i < headers.length; i++) {
-        const key = headers[i];
-        const val = values[i] ?? "";
-        // Try to parse JSON values
-        try {
-            result[key] = JSON.parse(val);
-        }
-        catch {
-            result[key] = val;
-        }
-    }
-    return result;
-}
-function escapeCsvField(field) {
-    if (field.includes(",") || field.includes('"') || field.includes("\n")) {
-        return `"${field.replace(/"/g, '""')}"`;
-    }
-    return field;
-}
-function parseCsvLine(line) {
-    const result = [];
-    let current = "";
-    let inQuotes = false;
-    for (let i = 0; i < line.length; i++) {
-        const ch = line[i];
-        if (inQuotes) {
-            if (ch === '"' && line[i + 1] === '"') {
-                current += '"';
-                i++;
-            }
-            else if (ch === '"') {
-                inQuotes = false;
-            }
-            else {
-                current += ch;
-            }
-        }
-        else {
-            if (ch === '"') {
-                inQuotes = true;
-            }
-            else if (ch === ",") {
-                result.push(current);
-                current = "";
-            }
-            else {
-                current += ch;
-            }
-        }
-    }
-    result.push(current);
-    return result;
-}

package/dist/group-crypto.d.ts

@@ -1,111 +0,0 @@
-/**
- * Group encryption utilities for Starfish.
- *
- * Enables multiple users to share a common encrypted collection without sharing
- * a passphrase. Each member holds their own credentials; a Group Encryption Key
- * (GEK) is distributed per-member using X25519 ECDH key agreement.
- *
- * Typical flow:
- *   1. Each user calls `deriveCredentials(passphrase)` — now includes groupPublicKey / groupPrivateKey.
- *   2. Admin calls `createGroupKeyring(...)` to create a keyring document.
- *   3. Members call `createGroupEncryptor(keyringData, myIdentity, myPrivateKey)` to get an Encryptor.
- *   4. The Encryptor is passed to SyncManager via the `encryptor` option.
- */
-import type { Encryptor } from "./crypto.js";
-/** An ECDH key pair used for group encryption. Hex-encoded for easy serialization. */
-export interface GroupKeyPair {
-    /** Hex-encoded X25519 private key (32 bytes). Keep secret — never store on server. */
-    privateKey: string;
-    /** Hex-encoded X25519 public key (32 bytes). Safe to publish. */
-    publicKey: string;
-}
-/** One epoch's wrapped keys: each member's GEK encrypted to their public key. */
-export interface EpochKeyring {
-    /** The admin's hex-encoded X25519 public key (used for ECDH by members). */
-    adminPublicKey: string;
-    /** Map from member identity (userId) → base64(IV || AES-GCM(GEK)) */
-    wrappedKeys: Record<string, string>;
-}
-/** The full keyring document stored in a Starfish collection. Push this with any SyncManager. */
-export interface GroupKeyring {
-    /** The epoch number currently used for new encryptions. */
-    currentEpoch: number;
-    /** All epochs. Members unwrap the GEK for whichever epoch a document was encrypted with. */
-    epochs: Record<string, EpochKeyring>;
-}
-/**
- * Derives a deterministic X25519 key pair from a passphrase + userId.
- *
- * The derivation uses SHA-256 with a fixed domain separator so it is distinct
- * from the auth token and encryption key derivations. Same passphrase + userId
- * always produces the same key pair on any device (stateless).
- */
-export declare function deriveGroupKeyPair(passphrase: string, userId: string): Promise<GroupKeyPair>;
-/** Generates a random 256-bit Group Encryption Key as a hex string. */
-export declare function generateGroupKey(): string;
-/**
- * Wraps a GEK for a specific member using ECDH key agreement.
- *
- * The wrapper (admin) and member each have an X25519 key pair. ECDH between
- * `wrapperPrivateKey` and `memberPublicKey` produces a shared secret, which is
- * used to derive an AES-256-GCM key that encrypts the GEK.
- *
- * @returns base64(IV || AES-GCM-ciphertext)
- */
-export declare function wrapGroupKey(gek: string, memberPublicKey: string, wrapperPrivateKey: string): Promise<string>;
-/**
- * Unwraps a GEK using the member's own private key and the admin's public key.
- *
- * ECDH between `memberPrivateKey` and `adminPublicKey` yields the same shared
- * secret as the wrapping step, so the same AES key is derived and the GEK is
- * recovered.
- *
- * @returns GEK as a hex string
- */
-export declare function unwrapGroupKey(wrapped: string, memberPrivateKey: string, adminPublicKey: string): Promise<string>;
-/**
- * Creates a new group keyring document with epoch 1.
- *
- * @param adminKeyPair  The admin's key pair (from `deriveGroupKeyPair` or `deriveCredentials`)
- * @param members       Map from member identity (userId) → hex public key
- * @param gek           Optional GEK to use; generated randomly if omitted
- * @returns             The keyring document and the raw GEK (admin keeps the GEK to add future members)
- */
-export declare function createGroupKeyring(adminKeyPair: GroupKeyPair, members: Record<string, string>, gek?: string): Promise<{
-    keyring: GroupKeyring;
-    gek: string;
-}>;
-/**
- * Adds a new member to the current epoch of an existing keyring.
- *
- * The admin supplies the current GEK (returned by `createGroupKeyring` or
- * `rotateGroupKey`) and their key pair to wrap it for the new member.
- * This does NOT rotate the GEK — the new member can read all existing
- * documents encrypted with the current epoch key.
- *
- * Only the admin (whose `publicKey` matches `epochKeyring.adminPublicKey`) can
- * add members, because all wrapped entries must use the same ECDH key pair.
- */
-export declare function addGroupMember(keyring: GroupKeyring, adminKeyPair: GroupKeyPair, currentGek: string, newMemberId: string, newMemberPublicKey: string): Promise<GroupKeyring>;
-/**
- * Rotates the group key, creating a new epoch.
- *
- * Used when removing a member. The removed member retains their old epoch key
- * (and can still read old documents), but cannot read new documents.
- *
- * @param remainingMembers  Map from identity → hex public key for members who keep access
- */
-export declare function rotateGroupKey(keyring: GroupKeyring, adminKeyPair: GroupKeyPair, remainingMembers: Record<string, string>, newGek?: string): Promise<{
-    keyring: GroupKeyring;
-    gek: string;
-}>;
-/**
- * Creates an Encryptor that can decrypt any epoch and encrypts with the current epoch.
- *
- * Wire format: `{ _encrypted: "base64(IV || ciphertext)", _epoch: N }`
- *
- * @param keyring         The keyring document fetched from Starfish
- * @param myIdentity      The caller's userId (to locate their wrapped key in each epoch)
- * @param myPrivateKey    The caller's hex-encoded X25519 private key
- */
-export declare function createGroupEncryptor(keyring: GroupKeyring, myIdentity: string, myPrivateKey: string): Promise<Encryptor>;

package/dist/group-crypto.js

@@ -1,205 +0,0 @@
-// src/group-crypto.ts
-import { x25519 } from "@noble/curves/ed25519.js";
-import { getCrypto as getCrypto2, getBase64 as getBase642, IV_BYTES as IV_BYTES2, deriveKey as deriveKey2 } from "@drakkar.software/starfish-protocol";
-
-// src/crypto.ts
-import { getCrypto, getBase64, IV_BYTES, ENCRYPTED_KEY, deriveKey } from "@drakkar.software/starfish-protocol";
-var ALGO = "AES-GCM";
-function createEncryptor(secret, salt, info = "starfish-e2e") {
-  if (!secret) throw new Error("encryptionSecret must not be empty");
-  if (!salt) throw new Error("encryptionSalt must not be empty");
-  const keyPromise = deriveKey(secret, salt, info);
-  return {
-    async encrypt(data) {
-      const key = await keyPromise;
-      const c = getCrypto();
-      const b64 = getBase64();
-      const plaintext = new TextEncoder().encode(JSON.stringify(data));
-      const iv = c.getRandomValues(new Uint8Array(IV_BYTES));
-      const ciphertext = await c.subtle.encrypt({ name: ALGO, iv }, key, plaintext);
-      const combined = new Uint8Array(iv.length + ciphertext.byteLength);
-      combined.set(iv);
-      combined.set(new Uint8Array(ciphertext), iv.length);
-      return { [ENCRYPTED_KEY]: b64.encode(combined) };
-    },
-    async decrypt(wrapper) {
-      const encoded = wrapper[ENCRYPTED_KEY];
-      if (typeof encoded !== "string") {
-        throw new Error("Expected encrypted data but received unencrypted document");
-      }
-      const key = await keyPromise;
-      const c = getCrypto();
-      const b64 = getBase64();
-      const combined = b64.decode(encoded);
-      if (combined.length < IV_BYTES) {
-        throw new Error("Encrypted data is too short");
-      }
-      const iv = combined.slice(0, IV_BYTES);
-      const ciphertext = combined.slice(IV_BYTES);
-      try {
-        const plaintext = await c.subtle.decrypt({ name: ALGO, iv }, key, ciphertext);
-        return JSON.parse(new TextDecoder().decode(plaintext));
-      } catch (err) {
-        throw new Error("Decryption failed: data may be tampered or key is incorrect", { cause: err });
-      }
-    }
-  };
-}
-
-// src/group-crypto.ts
-function bytesToHex(bytes) {
-  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
-}
-function hexToBytes(hex) {
-  const bytes = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < bytes.length; i++) {
-    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
-  }
-  return bytes;
-}
-var ALGO2 = "AES-GCM";
-var GROUP_WRAP_SALT = "starfish-group-wrap";
-var GROUP_WRAP_INFO = "starfish-group-wrap";
-var GROUP_ECDH_DOMAIN = "starfish-group-ecdh";
-var GROUP_DATA_INFO = "starfish-group";
-var GEK_BYTES = 32;
-async function deriveGroupKeyPair(passphrase, userId) {
-  const c = getCrypto2();
-  const enc = new TextEncoder();
-  const input = enc.encode(`${passphrase}:${userId}:${GROUP_ECDH_DOMAIN}`);
-  const hash = await c.subtle.digest("SHA-256", input);
-  const privateKeyBytes = new Uint8Array(hash);
-  const publicKeyBytes = x25519.getPublicKey(privateKeyBytes);
-  return { privateKey: bytesToHex(privateKeyBytes), publicKey: bytesToHex(publicKeyBytes) };
-}
-function generateGroupKey() {
-  const c = getCrypto2();
-  return bytesToHex(c.getRandomValues(new Uint8Array(GEK_BYTES)));
-}
-async function wrapGroupKey(gek, memberPublicKey, wrapperPrivateKey) {
-  const sharedSecret = x25519.getSharedSecret(hexToBytes(wrapperPrivateKey), hexToBytes(memberPublicKey));
-  const wrappingKey = await deriveKey2(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO);
-  const c = getCrypto2();
-  const b64 = getBase642();
-  const iv = c.getRandomValues(new Uint8Array(IV_BYTES2));
-  const encrypted = await c.subtle.encrypt({ name: ALGO2, iv }, wrappingKey, hexToBytes(gek).buffer);
-  const combined = new Uint8Array(IV_BYTES2 + encrypted.byteLength);
-  combined.set(iv);
-  combined.set(new Uint8Array(encrypted), IV_BYTES2);
-  return b64.encode(combined);
-}
-async function unwrapGroupKey(wrapped, memberPrivateKey, adminPublicKey) {
-  const sharedSecret = x25519.getSharedSecret(hexToBytes(memberPrivateKey), hexToBytes(adminPublicKey));
-  const wrappingKey = await deriveKey2(bytesToHex(sharedSecret), GROUP_WRAP_SALT, GROUP_WRAP_INFO);
-  const b64 = getBase642();
-  const c = getCrypto2();
-  const combined = b64.decode(wrapped);
-  const iv = combined.slice(0, IV_BYTES2);
-  const ciphertext = combined.slice(IV_BYTES2);
-  try {
-    const decrypted = await c.subtle.decrypt({ name: ALGO2, iv }, wrappingKey, ciphertext);
-    return bytesToHex(new Uint8Array(decrypted));
-  } catch {
-    throw new Error("Failed to unwrap group key: decryption failed (wrong keys or corrupted data)");
-  }
-}
-async function createGroupKeyring(adminKeyPair, members, gek) {
-  const resolvedGek = gek ?? generateGroupKey();
-  const wrappedKeys = {};
-  for (const [memberId, memberPublicKey] of Object.entries(members)) {
-    wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey);
-  }
-  const keyring = {
-    currentEpoch: 1,
-    epochs: {
-      "1": { adminPublicKey: adminKeyPair.publicKey, wrappedKeys }
-    }
-  };
-  return { keyring, gek: resolvedGek };
-}
-async function addGroupMember(keyring, adminKeyPair, currentGek, newMemberId, newMemberPublicKey) {
-  const epochKey = String(keyring.currentEpoch);
-  const epochKeyring = keyring.epochs[epochKey];
-  if (!epochKeyring) throw new Error(`Epoch ${keyring.currentEpoch} not found in keyring`);
-  if (epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {
-    throw new Error(`Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`);
-  }
-  const wrapped = await wrapGroupKey(currentGek, newMemberPublicKey, adminKeyPair.privateKey);
-  return {
-    ...keyring,
-    epochs: {
-      ...keyring.epochs,
-      [epochKey]: {
-        ...epochKeyring,
-        wrappedKeys: { ...epochKeyring.wrappedKeys, [newMemberId]: wrapped }
-      }
-    }
-  };
-}
-async function rotateGroupKey(keyring, adminKeyPair, remainingMembers, newGek) {
-  const epochKey = String(keyring.currentEpoch);
-  const epochKeyring = keyring.epochs[epochKey];
-  if (epochKeyring && epochKeyring.adminPublicKey !== adminKeyPair.publicKey) {
-    throw new Error(
-      `Provided key pair does not match the admin public key stored in epoch ${keyring.currentEpoch}`
-    );
-  }
-  const resolvedGek = newGek ?? generateGroupKey();
-  const newEpoch = keyring.currentEpoch + 1;
-  const wrappedKeys = {};
-  for (const [memberId, memberPublicKey] of Object.entries(remainingMembers)) {
-    wrappedKeys[memberId] = await wrapGroupKey(resolvedGek, memberPublicKey, adminKeyPair.privateKey);
-  }
-  const newKeyring = {
-    currentEpoch: newEpoch,
-    epochs: {
-      ...keyring.epochs,
-      [String(newEpoch)]: { adminPublicKey: adminKeyPair.publicKey, wrappedKeys }
-    }
-  };
-  return { keyring: newKeyring, gek: resolvedGek };
-}
-async function createGroupEncryptor(keyring, myIdentity, myPrivateKey) {
-  const epochEncryptors = /* @__PURE__ */ new Map();
-  for (const [epochStr, epochKeyring] of Object.entries(keyring.epochs)) {
-    const epoch = parseInt(epochStr, 10);
-    const wrapped = epochKeyring.wrappedKeys[myIdentity];
-    if (!wrapped) continue;
-    const gek = await unwrapGroupKey(wrapped, myPrivateKey, epochKeyring.adminPublicKey);
-    epochEncryptors.set(epoch, createEncryptor(gek, `epoch-${epoch}`, GROUP_DATA_INFO));
-  }
-  const currentEpoch = keyring.currentEpoch;
-  const currentEncryptor = epochEncryptors.get(currentEpoch);
-  if (!currentEncryptor) {
-    throw new Error(
-      `No wrapped key found for identity "${myIdentity}" in epoch ${currentEpoch}. Ensure the admin has added this member to the keyring.`
-    );
-  }
-  return {
-    async encrypt(data) {
-      const encrypted = await currentEncryptor.encrypt(data);
-      return { ...encrypted, _epoch: currentEpoch };
-    },
-    async decrypt(wrapper) {
-      const epoch = typeof wrapper._epoch === "number" ? wrapper._epoch : currentEpoch;
-      const encryptor = epochEncryptors.get(epoch);
-      if (!encryptor) {
-        throw new Error(
-          `No key available for epoch ${epoch}. This document was encrypted in a different epoch. Ensure your keyring is up to date.`
-        );
-      }
-      return encryptor.decrypt(wrapper);
-    }
-  };
-}
-export {
-  addGroupMember,
-  createGroupEncryptor,
-  createGroupKeyring,
-  deriveGroupKeyPair,
-  generateGroupKey,
-  rotateGroupKey,
-  unwrapGroupKey,
-  wrapGroupKey
-};
-//# sourceMappingURL=group-crypto.js.map