@dynamic-labs-wallet/browser 0.0.323 → 0.0.324

package/index.esm.js

@@ -373,6 +373,22 @@ const uploadFileToGoogleDrivePersonal = async ({ accessToken, fileName, jsonData
         ]
     });
 };
+/**
+ * Verifies that a file exists on Google Drive by fetching its metadata
+ */ const verifyUpload = async ({ accessToken, fileId })=>{
+    const verifyResponse = await fetch(`${GOOGLE_DRIVE_UPLOAD_API}/drive/v3/files/${fileId}?fields=id,name`, {
+        headers: {
+            Authorization: `Bearer ${accessToken}`
+        }
+    });
+    if (!verifyResponse.ok) {
+        throw new Error(`Upload verification failed: file ${fileId} not accessible after upload`);
+    }
+    const verifyResult = await verifyResponse.json();
+    if (verifyResult.id !== fileId) {
+        throw new Error(`Upload verification failed: expected file ID ${fileId}, got ${verifyResult.id}`);
+    }
+};
 const uploadFileToGoogleDrive = async ({ accessToken, fileName, jsonData, parents })=>{
     const metadata = {
         name: fileName,
@@ -401,6 +417,14 @@ const uploadFileToGoogleDrive = async ({ accessToken, fileName, jsonData, parent
         throw new Error('Error uploading file');
     }
     const result = await response.json();
+    const fileId = result.id;
+    if (!fileId) {
+        throw new Error('Upload response missing file ID');
+    }
+    await verifyUpload({
+        accessToken,
+        fileId
+    });
     return result; // Return file metadata, including file ID
 };
 const listFilesFromGoogleDrive = async ({ accessToken, fileName })=>{
@@ -555,6 +579,32 @@ const getClientKeyShareBackupInfo = (params)=>{
 const timeoutPromise = ({ timeInMs, activity = 'Ceremony' })=>{
     return new Promise((_, reject)=>setTimeout(()=>reject(new Error(`${activity} did not complete in ${timeInMs}ms`)), timeInMs));
 };
+const buildErrorContext = (error)=>{
+    var _error_response, _error_response1;
+    return {
+        error: error instanceof Error ? error.message : 'Unknown error',
+        errorStack: error instanceof Error ? error.stack : undefined,
+        axiosError: error instanceof AxiosError ? (_error_response = error.response) == null ? void 0 : _error_response.data : undefined,
+        axiosStatus: error instanceof AxiosError ? (_error_response1 = error.response) == null ? void 0 : _error_response1.status : undefined
+    };
+};
+const logRetrySuccess = (operationName, attempts, logContext)=>{
+    Logger.info(`Successfully executed ${operationName} after ${attempts + 1} attempts`, _extends({}, logContext, {
+        attemptsTaken: attempts + 1
+    }));
+};
+const logRetryFailure = (operationName, attempts, maxAttempts, errorContext, logContext)=>{
+    Logger.warn(`Failed to execute ${operationName} on attempt ${attempts}/${maxAttempts}`, _extends({}, logContext, errorContext, {
+        attempt: attempts,
+        maxAttempts,
+        willRetry: attempts < maxAttempts
+    }));
+};
+const logRetryExhausted = (operationName, maxAttempts, errorContext, logContext)=>{
+    Logger.error(`Failed to execute ${operationName} after ${maxAttempts} attempts - stopping retry`, _extends({}, logContext, errorContext, {
+        totalAttempts: maxAttempts
+    }));
+};
 /**
  * Generic helper function to retry a promise-based operations
  *
@@ -566,24 +616,24 @@ const timeoutPromise = ({ timeInMs, activity = 'Ceremony' })=>{
     let attempts = 0;
     while(attempts < maxAttempts){
         try {
-            return await operation();
+            const result = await operation();
+            if (attempts > 0) {
+                logRetrySuccess(operationName, attempts, logContext);
+            }
+            return result;
         } catch (error) {
-            var _error_response;
             attempts++;
-            Logger.warn(`Failed to execute ${operationName} on attempt ${attempts}`, _extends({}, logContext, {
-                error: error instanceof Error ? error.message : 'Unknown error',
-                axiosError: error instanceof AxiosError ? (_error_response = error.response) == null ? void 0 : _error_response.data : undefined
-            }));
+            const errorContext = buildErrorContext(error);
+            logRetryFailure(operationName, attempts, maxAttempts, errorContext, logContext);
             if (attempts === maxAttempts) {
-                var _error_response1;
-                Logger.error(`Failed to execute ${operationName} after ${maxAttempts} attempts`, _extends({}, logContext, {
-                    error: error instanceof Error ? error.message : 'Unknown error',
-                    axiosError: error instanceof AxiosError ? (_error_response1 = error.response) == null ? void 0 : _error_response1.data : undefined
-                }));
+                logRetryExhausted(operationName, maxAttempts, errorContext, logContext);
                 throw error;
             }
-            // Calculate exponential backoff delay
             const exponentialDelay = retryInterval * 2 ** (attempts - 1);
+            Logger.debug(`Retrying ${operationName} in ${exponentialDelay}ms`, _extends({}, logContext, {
+                nextAttempt: attempts + 1,
+                delayMs: exponentialDelay
+            }));
             await new Promise((resolve)=>setTimeout(resolve, exponentialDelay));
         }
     }
@@ -1063,49 +1113,81 @@ const initializeCloudKit = async (config, signInButtonId, onSignInRequired, onSi
     await ensureICloudAuth(onSignInRequired, onSignInComplete, onAuthStatusUpdate, authOptions);
 };
 
+/**
+ * Extracts error message and stack from an unknown error value
+ */ const getErrorDetails = (error)=>{
+    const message = error instanceof Error ? error.message : String(error);
+    const stack = error instanceof Error ? error.stack : undefined;
+    return {
+        message,
+        stack
+    };
+};
+/**
+ * Processes a single upload result and logs appropriately
+ * @returns Error message if failed, undefined if successful
+ */ const processUploadResult = (result, locationName, logContext, logger)=>{
+    if (result.status === 'fulfilled') {
+        logger.info(`[DynamicWaasWalletClient] Successfully uploaded keyshares to ${locationName}`, logContext);
+        return undefined;
+    }
+    const { message, stack } = getErrorDetails(result.reason);
+    logger.error(`[DynamicWaasWalletClient] Failed to upload keyshares to ${locationName}`, _extends({}, logContext, {
+        error: message,
+        errorStack: stack
+    }));
+    return `Failed to backup keyshares to ${locationName}: ${message}`;
+};
 /**
  * Uploads a backup to Google Drive App
  * @param accessToken - The access token for the Google Drive API
  * @param fileName - The name of the file to upload
  * @param backupData - The data to upload
  * @param accountAddress - The account address associated with the backup
- */ const uploadBackupToGoogleDrive = async ({ accessToken, fileName, backupData, accountAddress })=>{
+ * @param walletId - The wallet ID for logging context
+ * @param environmentId - The environment ID for logging context
+ * @param chainName - The chain name for logging context
+ * @param logger - The logger instance to use for logging
+ */ const uploadBackupToGoogleDrive = async ({ accessToken, fileName, backupData, accountAddress, walletId, environmentId, chainName, logger })=>{
+    const logContext = {
+        accountAddress,
+        walletId,
+        environmentId,
+        chainName,
+        fileName
+    };
+    logger.info('[DynamicWaasWalletClient] Starting Google Drive backup upload', logContext);
     const uploadPromises = [
         retryPromise(()=>uploadFileToGoogleDriveAppStorage({
                 accessToken,
                 fileName,
                 jsonData: backupData
-            })),
+            }), {
+            operationName: 'Google Drive App Storage upload',
+            logContext
+        }),
         retryPromise(()=>uploadFileToGoogleDrivePersonal({
                 accessToken,
                 fileName,
                 jsonData: backupData
-            }))
+            }), {
+            operationName: 'Google Drive Personal upload',
+            logContext
+        })
     ];
     const results = await Promise.allSettled(uploadPromises);
-    const errors = [];
-    // Check App Storage result
-    if (results[0].status === 'rejected') {
-        const error = results[0].reason;
-        Logger.error('[DynamicWaasWalletClient] Failed to upload keyshares to Google Drive App Storage', {
-            accountAddress,
-            error
-        });
-        errors.push(`Failed to backup keyshares to Google Drive App Storage: ${error instanceof Error ? error.message : String(error)}`);
-    }
-    // Check Personal Drive result
-    if (results[1].status === 'rejected') {
-        const error = results[1].reason;
-        Logger.error('[DynamicWaasWalletClient] Failed to upload keyshares to Google Drive Personal', {
-            accountAddress,
-            error
-        });
-        errors.push(`Failed to backup keyshares to Google Drive Personal: ${error instanceof Error ? error.message : String(error)}`);
-    }
-    // Throw if any uploads failed
+    const errors = [
+        processUploadResult(results[0], 'Google Drive App Storage', logContext, logger),
+        processUploadResult(results[1], 'Google Drive Personal', logContext, logger)
+    ].filter((error)=>error !== undefined);
     if (errors.length > 0) {
+        logger.error('[DynamicWaasWalletClient] Google Drive backup failed', _extends({}, logContext, {
+            errorCount: errors.length,
+            errors
+        }));
         throw new Error(`[DynamicWaasWalletClient] ${errors.join('; ')}`);
     }
+    logger.info('[DynamicWaasWalletClient] Google Drive backup completed successfully', logContext);
 };
 
 const ERROR_PASSWORD_MISMATCH = '[DynamicWaasWalletClient]: Password does not match the password used for existing wallets. All wallets must use the same password for encrypted backups.';
@@ -2477,6 +2559,17 @@ class DynamicWalletClient {
                     }, this.getTraceContext(traceContext)));
                 }
             }
+            // Create a rejection handler that will be wired up synchronously below.
+            // Promise executors run synchronously, so rejectOnSSEError is guaranteed
+            // to be assigned before serverSign is called.
+            let rejectOnSSEError;
+            const sseErrorPromise = new Promise((_, reject)=>{
+                rejectOnSSEError = reject;
+            });
+            // Prevent unhandled rejection if SSE errors before serverSignPromise resolves
+            // (sseErrorPromise would never reach Promise.race in that path)
+            // eslint-disable-next-line @typescript-eslint/no-empty-function
+            sseErrorPromise.catch(()=>{});
             // Perform the server sign
             const serverSignPromise = this.serverSign({
                 walletId: wallet.walletId,
@@ -2486,7 +2579,10 @@ class DynamicWalletClient {
                 elevatedAccessToken,
                 roomId,
                 context,
-                onError,
+                onError: (error)=>{
+                    onError == null ? void 0 : onError(error);
+                    rejectOnSSEError(error);
+                },
                 dynamicRequestId,
                 traceContext,
                 bitcoinConfig
@@ -2504,7 +2600,10 @@ class DynamicWalletClient {
             }, this.getTraceContext(traceContext)));
             let signature;
             try {
-                signature = await this.clientSign({
+                // Race clientSign against SSE errors so that server-side failures
+                // (e.g. policy violations) immediately reject instead of hanging
+                // until viem's task queue timeout.
+                const clientSignPromise = this.clientSign({
                     chainName,
                     message,
                     roomId,
@@ -2515,6 +2614,15 @@ class DynamicWalletClient {
                     traceContext,
                     bitcoinConfig
                 });
+                // Prevent unhandled rejection from the losing promise in the race:
+                // if sseErrorPromise wins, clientSign keeps running and will eventually
+                // reject (MPC timeout); if clientSign wins, sseErrorPromise may never settle.
+                // eslint-disable-next-line @typescript-eslint/no-empty-function
+                clientSignPromise.catch(()=>{});
+                signature = await Promise.race([
+                    clientSignPromise,
+                    sseErrorPromise
+                ]);
             } catch (signError) {
                 // If public key mismatch and haven't tried recovery yet, recover and retry entire operation
                 if (!hasAttemptedKeyShareRecovery) {
@@ -3570,11 +3678,28 @@ class DynamicWalletClient {
     }
     async backupSharesWithDistribution({ accountAddress, password, signedSessionId, distribution, preserveDelegatedLocation = false, passwordUpdateBatchId }) {
         const dynamicRequestId = v4();
+        // Get wallet data early for logging context (also used in catch block)
+        const walletData = this.getWalletFromMap(accountAddress);
+        // Common context for all logs in this method
+        const logContext = {
+            accountAddress,
+            dynamicRequestId,
+            walletId: walletData == null ? void 0 : walletData.walletId,
+            userId: this.userId,
+            environmentId: this.environmentId
+        };
+        this.logger.info('[backupSharesWithDistribution] Starting backup', _extends({}, logContext, {
+            hasPassword: !!password,
+            preserveDelegatedLocation,
+            passwordUpdateBatchId,
+            dynamicShareCount: distribution.clientShares.length,
+            cloudProviders: Object.keys(distribution.cloudProviderShares),
+            hasDelegatedShare: !!distribution.delegatedShare
+        }));
         try {
-            var _backupData_locationsWithKeyShares;
+            var _backupData_locationsWithKeyShares, _backupData_locationsWithKeyShares1;
             // Resolve signed session ID lazily once, so all downstream calls receive a string.
             const resolvedSignedSessionId = await this.resolveSignedSessionId(signedSessionId);
-            const walletData = this.getWalletFromMap(accountAddress);
             if (!(walletData == null ? void 0 : walletData.walletId)) {
                 const error = new Error(`WalletId not found for accountAddress ${accountAddress}`);
                 logError({
@@ -3598,13 +3723,11 @@ class DynamicWalletClient {
                     maxAttempts: 3,
                     operationName: 'encrypt key share'
                 });
-            this.logger.debug('[backupSharesWithDistribution] Pre-encrypting shares', {
+            this.logger.debug('[backupSharesWithDistribution] Pre-encrypting shares', _extends({}, logContext, {
                 dynamicShareCount: distribution.clientShares.length,
                 cloudProviders: Object.keys(distribution.cloudProviderShares),
-                hasDelegatedShare: !!distribution.delegatedShare,
-                accountAddress,
-                dynamicRequestId
-            });
+                hasDelegatedShare: !!distribution.delegatedShare
+            }));
             const preEncryptedDynamicShares = distribution.clientShares.length > 0 ? await Promise.all(distribution.clientShares.map(encryptWithRetry)) : [];
             const cloudEntries = Object.entries(distribution.cloudProviderShares).filter(([, shares])=>shares && shares.length > 0);
             const preEncryptedCloudShares = await Promise.all(cloudEntries.map(async ([provider, shares])=>({
@@ -3612,12 +3735,10 @@ class DynamicWalletClient {
                     shares: shares,
                     encrypted: await Promise.all(shares.map(encryptWithRetry))
                 })));
-            this.logger.debug('[backupSharesWithDistribution] Encryption complete, starting uploads', {
+            this.logger.debug('[backupSharesWithDistribution] Encryption complete, starting uploads', _extends({}, logContext, {
                 dynamicShareCount: preEncryptedDynamicShares.length,
-                cloudProviderCount: preEncryptedCloudShares.length,
-                accountAddress,
-                dynamicRequestId
-            });
+                cloudProviderCount: preEncryptedCloudShares.length
+            }));
             // Step 1: Upload shares in parallel, each with its own retry
             const uploadPromises = [];
             if (distribution.clientShares.length > 0) {
@@ -3666,12 +3787,10 @@ class DynamicWalletClient {
             }
             const uploadResults = await Promise.all(uploadPromises);
             const locations = uploadResults.filter((loc)=>loc !== undefined);
-            this.logger.debug('[backupSharesWithDistribution] Uploads complete, activating shares', {
+            this.logger.info('[backupSharesWithDistribution] Uploads complete, activating shares on server', _extends({}, logContext, {
                 locationCount: locations.length,
-                locations: locations.map((l)=>l.location),
-                accountAddress,
-                dynamicRequestId
-            });
+                locations: locations.map((l)=>l.location)
+            }));
             // Preserve existing delegated location
             if (preserveDelegatedLocation && !distribution.delegatedShare) {
                 const location = this.createPreservedDelegatedLocation({
@@ -3691,10 +3810,7 @@ class DynamicWalletClient {
             });
             // For password update pending responses, skip walletMap update — shares aren't active yet
             if (backupData.passwordUpdateStatus === 'pending') {
-                this.logger.debug('[backupSharesWithDistribution] Password update pending, skipping walletMap update', {
-                    accountAddress,
-                    dynamicRequestId
-                });
+                this.logger.debug('[backupSharesWithDistribution] Password update pending, skipping walletMap update', logContext);
                 return backupData;
             }
             if (passwordUpdateBatchId) {
@@ -3708,11 +3824,11 @@ class DynamicWalletClient {
                     preEncryptedDynamicShares
                 });
             }
-            var _backupData_locationsWithKeyShares1;
+            var _backupData_locationsWithKeyShares2;
             const updatedBackupInfo = getClientKeyShareBackupInfo({
                 walletProperties: {
                     derivationPath: walletData.derivationPath,
-                    keyShares: ((_backupData_locationsWithKeyShares1 = backupData.locationsWithKeyShares) != null ? _backupData_locationsWithKeyShares1 : []).map((ks)=>({
+                    keyShares: ((_backupData_locationsWithKeyShares2 = backupData.locationsWithKeyShares) != null ? _backupData_locationsWithKeyShares2 : []).map((ks)=>({
                             id: ks.id,
                             keygenId: ks.keygenId,
                             backupLocation: ks.location,
@@ -3726,21 +3842,20 @@ class DynamicWalletClient {
                 clientKeySharesBackupInfo: updatedBackupInfo
             });
             await this.storage.setItem(this.storageKey, JSON.stringify(this.walletMap));
-            var _backupData_locationsWithKeyShares_length;
-            this.logger.debug('[backupSharesWithDistribution] Backup complete', {
-                accountAddress,
-                dynamicRequestId,
-                locationCount: (_backupData_locationsWithKeyShares_length = (_backupData_locationsWithKeyShares = backupData.locationsWithKeyShares) == null ? void 0 : _backupData_locationsWithKeyShares.length) != null ? _backupData_locationsWithKeyShares_length : 0
-            });
+            var _backupData_locationsWithKeyShares_length, _backupData_locationsWithKeyShares_map;
+            this.logger.info('[backupSharesWithDistribution] Backup complete', _extends({}, logContext, {
+                locationCount: (_backupData_locationsWithKeyShares_length = (_backupData_locationsWithKeyShares = backupData.locationsWithKeyShares) == null ? void 0 : _backupData_locationsWithKeyShares.length) != null ? _backupData_locationsWithKeyShares_length : 0,
+                locations: (_backupData_locationsWithKeyShares_map = (_backupData_locationsWithKeyShares1 = backupData.locationsWithKeyShares) == null ? void 0 : _backupData_locationsWithKeyShares1.map((ks)=>ks.location)) != null ? _backupData_locationsWithKeyShares_map : []
+            }));
             return backupData;
         } catch (error) {
             logError({
                 message: 'Error in backupSharesWithDistribution',
                 error: error,
-                context: {
-                    accountAddress,
-                    dynamicRequestId
-                }
+                context: _extends({}, logContext, {
+                    chainName: walletData == null ? void 0 : walletData.chainName,
+                    errorStack: error instanceof Error ? error.stack : undefined
+                })
             });
             throw error;
         }
@@ -4351,7 +4466,8 @@ class DynamicWalletClient {
             const accessToken = await this.apiClient.getAccessToken({
                 oauthAccountId
             });
-            const thresholdSignatureScheme = this.getWalletFromMap(accountAddress).thresholdSignatureScheme;
+            const walletData = this.getWalletFromMap(accountAddress);
+            const thresholdSignatureScheme = walletData.thresholdSignatureScheme;
             const fileName = getClientKeyShareExportFileName({
                 thresholdSignatureScheme,
                 accountAddress,
@@ -4366,7 +4482,11 @@ class DynamicWalletClient {
                 accessToken,
                 fileName,
                 backupData,
-                accountAddress
+                accountAddress,
+                walletId: walletData == null ? void 0 : walletData.walletId,
+                environmentId: this.environmentId,
+                chainName: walletData == null ? void 0 : walletData.chainName,
+                logger: this.logger
             });
             return;
         } catch (error) {

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@dynamic-labs-wallet/browser",
-  "version": "0.0.323",
+  "version": "0.0.324",
   "license": "Licensed under the Dynamic Labs, Inc. Terms Of Service (https://www.dynamic.xyz/terms-conditions)",
   "type": "module",
   "dependencies": {
-    "@dynamic-labs-wallet/core": "0.0.323",
+    "@dynamic-labs-wallet/core": "0.0.324",
     "@dynamic-labs/sdk-api-core": "^0.0.900",
     "argon2id": "1.0.1",
-    "axios": "1.13.5",
+    "axios": "1.15.0",
     "p-queue": "9.1.0",
     "semver": "^7.7.2",
     "tsl-apple-cloudkit": "0.2.34",

package/src/backup/encryption/argon2.d.ts

@@ -0,0 +1,10 @@
+import type { EncryptionConfig } from './config.js';
+import type { KeyDerivationParams } from './types.js';
+/**
+ * Derives a key using Argon2id algorithm
+ * @param params - Key derivation parameters
+ * @param encryptionConfig - Encryption configuration
+ * @returns Promise<CryptoKey>
+ */
+export declare const deriveArgon2Key: ({ password, salt }: KeyDerivationParams, encryptionConfig: EncryptionConfig) => Promise<CryptoKey>;
+//# sourceMappingURL=argon2.d.ts.map

package/src/backup/encryption/argon2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"argon2.d.ts","sourceRoot":"","sources":["../../../src/backup/encryption/argon2.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,OAAO,KAAK,EAA0B,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAE9E;;;;;GAKG;AACH,eAAO,MAAM,eAAe,uBACN,mBAAmB,oBACrB,gBAAgB,KACjC,OAAO,CAAC,SAAS,CAyBnB,CAAC"}

package/src/backup/encryption/config.d.ts

@@ -0,0 +1,39 @@
+import { EncryptionVersion } from './constants.js';
+import type { Argon2EncryptionConfig, BaseEncryptionConfig } from './types.js';
+/**
+ * Encryption configuration for each version
+ */
+export declare const ENCRYPTION_VERSIONS: {
+    readonly v1: {
+        readonly version: EncryptionVersion.V1_LEGACY;
+        readonly algorithm: "AES-GCM";
+        readonly keyDerivation: "PBKDF2";
+        readonly iterations: 100000;
+        readonly hashAlgorithm: "SHA-256";
+        readonly algorithmLength: 256;
+    };
+    readonly v2: {
+        readonly version: EncryptionVersion.V2_PBKDF2;
+        readonly algorithm: "AES-GCM";
+        readonly keyDerivation: "PBKDF2";
+        readonly iterations: 1000000;
+        readonly hashAlgorithm: "SHA-256";
+        readonly algorithmLength: 256;
+    };
+    readonly v3: Argon2EncryptionConfig;
+};
+/**
+ * Type for the encryption configuration
+ */
+export type EncryptionConfig = BaseEncryptionConfig | Argon2EncryptionConfig;
+/**
+ * Helper function to get encryption configuration by version string
+ * @param version - The version string (e.g., 'v1', 'v2', 'v3')
+ * @returns The encryption configuration for the specified version
+ */
+export declare const getEncryptionConfig: (version?: string) => EncryptionConfig;
+/**
+ * Check if a configuration uses Argon2
+ */
+export declare const isArgon2Config: (config: EncryptionConfig) => config is Argon2EncryptionConfig;
+//# sourceMappingURL=config.d.ts.map

package/src/backup/encryption/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/backup/encryption/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAQL,iBAAiB,EAKlB,MAAM,gBAAgB,CAAC;AACxB,OAAO,KAAK,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAE/E;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;iBA2BzB,sBAAsB;CACnB,CAAC;AAEX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,oBAAoB,GAAG,sBAAsB,CAAC;AAE7E;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,aAAc,MAAM,KAAG,gBAYtD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,cAAc,WAAY,gBAAgB,KAAG,MAAM,IAAI,sBAEnE,CAAC"}

package/src/backup/encryption/constants.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Encryption version identifiers
+ */
+export declare enum EncryptionVersion {
+    V1_LEGACY = "v1",
+    V2_PBKDF2 = "v2",
+    V3_ARGON2 = "v3"
+}
+/**
+ * Current default version for new encryptions
+ */
+export declare const ENCRYPTION_VERSION_CURRENT = EncryptionVersion.V3_ARGON2;
+/**
+ * Algorithm constants
+ */
+export declare const PBKDF2_ALGORITHM = "PBKDF2";
+export declare const PBKDF2_HASH_ALGORITHM = "SHA-256";
+export declare const HASH_ALGORITHM = "SHA-256";
+export declare const ARGON2_ALGORITHM = "Argon2id";
+export declare const AES_GCM_ALGORITHM = "AES-GCM";
+export declare const AES_GCM_LENGTH = 256;
+/**
+ * Argon2 configuration constants, values were chosen based on RFC (https://www.rfc-editor.org/rfc/rfc9106.html#name-parameter-choice)
+ * taking into account that this runs in the client, possibly in smartphones with limited resources
+ */
+export declare const ARGON2_MEMORY_SIZE = 65536;
+export declare const ARGON2_ITERATIONS = 3;
+export declare const ARGON2_PARALLELISM = 2;
+export declare const ARGON2_HASH_LENGTH = 32;
+/**
+ * PBKDF2 configuration constants
+ */
+export declare const PBKDF2_ITERATIONS_V1 = 100000;
+export declare const PBKDF2_ITERATIONS_V2 = 1000000;
+//# sourceMappingURL=constants.d.ts.map

package/src/backup/encryption/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../src/backup/encryption/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,oBAAY,iBAAiB;IAC3B,SAAS,OAAO;IAChB,SAAS,OAAO;IAChB,SAAS,OAAO;CACjB;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,8BAA8B,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,gBAAgB,WAAW,CAAC;AACzC,eAAO,MAAM,qBAAqB,YAAY,CAAC;AAC/C,eAAO,MAAM,cAAc,YAAY,CAAC;AACxC,eAAO,MAAM,gBAAgB,aAAa,CAAC;AAC3C,eAAO,MAAM,iBAAiB,YAAY,CAAC;AAC3C,eAAO,MAAM,cAAc,MAAM,CAAC;AAElC;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAQ,CAAC;AACxC,eAAO,MAAM,iBAAiB,IAAI,CAAC;AACnC,eAAO,MAAM,kBAAkB,IAAI,CAAC;AACpC,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;GAEG;AACH,eAAO,MAAM,oBAAoB,SAAS,CAAC;AAC3C,eAAO,MAAM,oBAAoB,UAAU,CAAC"}

package/src/backup/encryption/core.d.ts

@@ -0,0 +1,31 @@
+import type { EncryptionMetadata } from '@dynamic-labs-wallet/core';
+import type { DecryptionData, EncryptedData } from './types.js';
+export declare const INVALID_PASSWORD_ERROR = "Decryption failed: Invalid password. Please check your password and try again.";
+export declare class InvalidPasswordError extends Error {
+    constructor();
+}
+/**
+ * Encrypts data using the specified encryption version.
+ * Always uses the latest encryption configuration for new encryptions by default.
+ */
+export declare const encryptData: ({ data, password, version, }: {
+    data: string;
+    password: string;
+    version?: string;
+}) => Promise<EncryptedData>;
+/**
+ * Decrypts data with version-based configuration.
+ * Uses the version field from the data to determine encryption parameters.
+ * Falls back to legacy version for backward compatibility if no version is specified.
+ * For v3 (Argon2), retries with parallelism=1 if an OperationError occurs.
+ */
+export declare const decryptData: ({ data, password }: {
+    data: DecryptionData;
+    password: string;
+}) => Promise<string>;
+/**
+ * Gets encryption metadata for a specific version.
+ * Used when we need to include metadata in legacy systems or APIs that require it.
+ */
+export declare const getEncryptionMetadataForVersion: (version: string) => EncryptionMetadata;
+//# sourceMappingURL=core.d.ts.map

package/src/backup/encryption/core.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../../../src/backup/encryption/core.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAMpE,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAuB,MAAM,YAAY,CAAC;AAGrF,eAAO,MAAM,sBAAsB,mFAAmF,CAAC;AAEvH,qBAAa,oBAAqB,SAAQ,KAAK;;CAK9C;AAoBD;;;GAGG;AACH,eAAO,MAAM,WAAW,iCAIrB;IACD,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,KAAG,OAAO,CAAC,aAAa,CA2BxB,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,WAAW,uBAA8B;IAAE,IAAI,EAAE,cAAc,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAAG,OAAO,CAAC,MAAM,CAyDhH,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,YAAa,MAAM,KAAG,kBAmBjE,CAAC"}

package/src/backup/encryption/pbkdf2.d.ts

@@ -0,0 +1,10 @@
+import type { EncryptionConfig } from './config.js';
+import type { KeyDerivationParams } from './types.js';
+/**
+ * Derives a key using PBKDF2 algorithm
+ * @param params - Key derivation parameters
+ * @param encryptionConfig - Encryption configuration
+ * @returns Promise<CryptoKey>
+ */
+export declare const derivePBKDF2Key: ({ password, salt }: KeyDerivationParams, encryptionConfig: EncryptionConfig) => Promise<CryptoKey>;
+//# sourceMappingURL=pbkdf2.d.ts.map

package/src/backup/encryption/pbkdf2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pbkdf2.d.ts","sourceRoot":"","sources":["../../../src/backup/encryption/pbkdf2.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAGtD;;;;;GAKG;AACH,eAAO,MAAM,eAAe,uBACN,mBAAmB,oBACrB,gBAAgB,KACjC,OAAO,CAAC,SAAS,CAoBnB,CAAC"}

package/src/backup/encryption/types.d.ts

@@ -0,0 +1,46 @@
+import type { EncryptionVersion } from './constants.js';
+/**
+ * Base encryption configuration
+ */
+export interface BaseEncryptionConfig {
+    version: EncryptionVersion;
+    algorithm: string;
+    keyDerivation: string;
+    iterations: number;
+    hashAlgorithm: string;
+    algorithmLength: number;
+}
+/**
+ * Argon2-specific encryption configuration
+ */
+export interface Argon2EncryptionConfig extends BaseEncryptionConfig {
+    memorySize: number;
+    parallelism: number;
+    hashLength: number;
+}
+/**
+ * Encrypted data structure
+ */
+export interface EncryptedData {
+    salt: string;
+    iv: string;
+    cipher: string;
+    version: string;
+}
+/**
+ * Decryption input data structure
+ */
+export interface DecryptionData {
+    salt: string;
+    iv: string;
+    cipher: string;
+    version?: string;
+}
+/**
+ * Key derivation parameters
+ */
+export interface KeyDerivationParams {
+    password: string;
+    salt: Uint8Array;
+}
+//# sourceMappingURL=types.d.ts.map

package/src/backup/encryption/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/backup/encryption/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAExD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,iBAAiB,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,oBAAoB;IAClE,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,UAAU,CAAC;CAClB"}

package/src/backup/encryption/utils.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Utility functions for encryption operations
+ * These functions are separated to avoid circular dependencies
+ */
+export declare const bytesToBase64: (arr: Uint8Array) => string;
+export declare const stringToBytes: (str: string) => Uint8Array;
+export declare const base64ToBytes: (base64: string) => Uint8Array;
+export declare const ensureBase64Padding: (str: string) => string;
+//# sourceMappingURL=utils.d.ts.map