@efsf/typescript 0.1.0

package/dist/index.js

@@ -0,0 +1,1382 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AttestationAuthority: () => AttestationAuthority,
+  AttestationError: () => AttestationError,
+  BackendError: () => BackendError,
+  ChainOfCustody: () => ChainOfCustody,
+  CryptoError: () => CryptoError,
+  CryptoProvider: () => CryptoProvider,
+  DataClassification: () => DataClassification,
+  DataEncryptionKey: () => DataEncryptionKey,
+  DestructionCertificate: () => DestructionCertificate,
+  DestructionMethod: () => DestructionMethod,
+  EFSFError: () => EFSFError,
+  EncryptedPayload: () => EncryptedPayload,
+  EphemeralRecord: () => EphemeralRecord,
+  EphemeralStore: () => EphemeralStore,
+  MemoryBackend: () => MemoryBackend,
+  RecordExpiredError: () => RecordExpiredError,
+  RecordNotFoundError: () => RecordNotFoundError,
+  RedisBackend: () => RedisBackend,
+  ResourceInfo: () => ResourceInfo,
+  SealedContext: () => SealedContext,
+  SealedExecution: () => SealedExecution,
+  TTLViolationError: () => TTLViolationError,
+  VERSION: () => VERSION,
+  ValidationError: () => ValidationError,
+  constantTimeCompare: () => constantTimeCompare,
+  createBackend: () => createBackend,
+  getDefaultTTL: () => getDefaultTTL,
+  getMaxTTL: () => getMaxTTL,
+  parseTTL: () => parseTTL,
+  sealed: () => sealed,
+  secureZeroMemory: () => secureZeroMemory
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/certificate.ts
+var crypto = __toESM(require("crypto"));
+var import_uuid = require("uuid");
+
+// src/exceptions.ts
+var EFSFError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EFSFError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+};
+var RecordNotFoundError = class extends EFSFError {
+  constructor(recordId, message) {
+    super(message ?? `Record not found: ${recordId}`);
+    this.recordId = recordId;
+    this.name = "RecordNotFoundError";
+  }
+};
+var RecordExpiredError = class extends EFSFError {
+  constructor(recordId, expiredAt) {
+    const msg = expiredAt ? `Record expired: ${recordId} (expired at ${expiredAt})` : `Record expired: ${recordId}`;
+    super(msg);
+    this.recordId = recordId;
+    this.expiredAt = expiredAt;
+    this.name = "RecordExpiredError";
+  }
+};
+var CryptoError = class extends EFSFError {
+  constructor(operation, message) {
+    super(message ?? `Cryptographic operation failed: ${operation}`);
+    this.operation = operation;
+    this.name = "CryptoError";
+  }
+};
+var AttestationError = class extends EFSFError {
+  constructor(message) {
+    super(message ?? "Attestation failed");
+    this.name = "AttestationError";
+  }
+};
+var BackendError = class extends EFSFError {
+  constructor(backend, message) {
+    super(message ?? `Backend error: ${backend}`);
+    this.backend = backend;
+    this.name = "BackendError";
+  }
+};
+var ValidationError = class extends EFSFError {
+  constructor(field, message) {
+    super(message ?? `Validation error: ${field}`);
+    this.field = field;
+    this.name = "ValidationError";
+  }
+};
+var TTLViolationError = class extends EFSFError {
+  constructor(recordId, expectedTTL, actualTTL) {
+    const msg = actualTTL ? `TTL violation for record ${recordId}: expected ${expectedTTL}, got ${actualTTL}` : `TTL violation for record ${recordId}: expected ${expectedTTL}`;
+    super(msg);
+    this.recordId = recordId;
+    this.expectedTTL = expectedTTL;
+    this.actualTTL = actualTTL;
+    this.name = "TTLViolationError";
+  }
+};
+
+// src/certificate.ts
+var DestructionMethod = /* @__PURE__ */ ((DestructionMethod2) => {
+  DestructionMethod2["CRYPTO_SHRED"] = "crypto_shred";
+  DestructionMethod2["MEMORY_ZERO"] = "memory_zero";
+  DestructionMethod2["SECURE_DELETE"] = "secure_delete";
+  DestructionMethod2["TEE_EXIT"] = "tee_exit";
+  DestructionMethod2["TTL_EXPIRE"] = "ttl_expire";
+  DestructionMethod2["MANUAL"] = "manual";
+  return DestructionMethod2;
+})(DestructionMethod || {});
+var ResourceInfo = class {
+  constructor(resourceType, resourceId, classification, metadata = {}) {
+    this.resourceType = resourceType;
+    this.resourceId = resourceId;
+    this.classification = classification;
+    this.metadata = metadata;
+  }
+  /**
+   * Convert to a plain object for serialization.
+   */
+  toDict() {
+    return {
+      type: this.resourceType,
+      id: this.resourceId,
+      classification: this.classification,
+      metadata: this.metadata
+    };
+  }
+};
+var ChainOfCustody = class {
+  constructor(createdAt, createdBy = null) {
+    this.createdAt = createdAt;
+    this.createdBy = createdBy;
+  }
+  accessLog = [];
+  hashChain = [];
+  /**
+   * Record an access event and extend the hash chain.
+   *
+   * @param accessor - Identity of the accessor
+   * @param action - Action performed (create, read, destroy, etc.)
+   * @param timestamp - Optional timestamp (defaults to now)
+   */
+  addAccess(accessor, action, timestamp) {
+    const ts = timestamp ?? /* @__PURE__ */ new Date();
+    const event = {
+      timestamp: ts.toISOString(),
+      accessor,
+      action
+    };
+    this.accessLog.push(event);
+    const eventHash = crypto.createHash("sha256").update(JSON.stringify(event)).digest("hex");
+    let chained;
+    if (this.hashChain.length > 0) {
+      chained = crypto.createHash("sha256").update(this.hashChain[this.hashChain.length - 1] + eventHash).digest("hex");
+    } else {
+      chained = eventHash;
+    }
+    this.hashChain.push(chained);
+  }
+  /**
+   * Convert to a plain object for serialization.
+   * Returns only the last 5 hashes for brevity.
+   */
+  toDict() {
+    return {
+      created_at: this.createdAt.toISOString(),
+      created_by: this.createdBy,
+      access_count: this.accessLog.length,
+      hash_chain: this.hashChain.slice(-5)
+      // Last 5 hashes
+    };
+  }
+};
+var DestructionCertificate = class _DestructionCertificate {
+  constructor(certificateId, version, resource, destructionMethod, destructionTimestamp, verifiedBy, chainOfCustody = null, signature = null) {
+    this.certificateId = certificateId;
+    this.version = version;
+    this.resource = resource;
+    this.destructionMethod = destructionMethod;
+    this.destructionTimestamp = destructionTimestamp;
+    this.verifiedBy = verifiedBy;
+    this.chainOfCustody = chainOfCustody;
+    this.signature = signature;
+  }
+  /**
+   * Factory method to create a new destruction certificate.
+   *
+   * @param resource - The destroyed resource info
+   * @param destructionMethod - How the data was destroyed
+   * @param verifiedBy - Authority that verified the destruction
+   * @param chainOfCustody - Optional chain of custody
+   */
+  static create(resource, destructionMethod, verifiedBy = "efsf-local-authority", chainOfCustody = null) {
+    return new _DestructionCertificate(
+      (0, import_uuid.v4)(),
+      "1.0",
+      resource,
+      destructionMethod,
+      /* @__PURE__ */ new Date(),
+      verifiedBy,
+      chainOfCustody
+    );
+  }
+  /**
+   * Convert to a plain object for serialization.
+   *
+   * @param includeSignature - Whether to include the signature field
+   */
+  toDict(includeSignature = true) {
+    const data = {
+      version: this.version,
+      certificate_id: this.certificateId,
+      resource: this.resource.toDict(),
+      destruction: {
+        method: this.destructionMethod,
+        timestamp: this.destructionTimestamp.toISOString(),
+        verified_by: this.verifiedBy
+      }
+    };
+    if (this.chainOfCustody) {
+      data.chain_of_custody = this.chainOfCustody.toDict();
+    }
+    if (includeSignature && this.signature) {
+      data.signature = this.signature;
+    }
+    return data;
+  }
+  /**
+   * Convert to JSON string.
+   */
+  toJSON(indent) {
+    return JSON.stringify(this.toDict(), null, indent);
+  }
+  /**
+   * Get canonical byte representation for signing.
+   *
+   * Uses deterministic JSON serialization (sorted keys, no whitespace)
+   * to ensure consistent signatures.
+   */
+  canonicalBytes() {
+    const data = this.toDict(false);
+    const sortedJson = JSON.stringify(data, Object.keys(data).sort());
+    return Buffer.from(sortedJson, "utf-8");
+  }
+  /**
+   * Compute SHA-256 hash of the certificate.
+   */
+  computeHash() {
+    return crypto.createHash("sha256").update(this.canonicalBytes()).digest("hex");
+  }
+};
+var AttestationAuthority = class {
+  /**
+   * Create a new AttestationAuthority.
+   *
+   * @param authorityId - Identifier for this authority
+   */
+  constructor(authorityId = "efsf-local-authority") {
+    this.authorityId = authorityId;
+    const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
+    this.privateKey = privateKey;
+    this.publicKey = publicKey;
+  }
+  privateKey;
+  publicKey;
+  issuedCertificates = /* @__PURE__ */ new Map();
+  /**
+   * Get the public key as raw bytes.
+   */
+  get publicKeyBytes() {
+    return this.publicKey.export({ type: "spki", format: "der" });
+  }
+  /**
+   * Get the public key as base64-encoded string.
+   */
+  get publicKeyB64() {
+    return this.publicKeyBytes.toString("base64");
+  }
+  /**
+   * Sign a destruction certificate.
+   *
+   * @param certificate - The certificate to sign
+   * @returns The signed certificate
+   */
+  signCertificate(certificate) {
+    const message = certificate.canonicalBytes();
+    const signature = crypto.sign(null, message, this.privateKey);
+    certificate.signature = signature.toString("base64");
+    certificate.verifiedBy = this.authorityId;
+    this.issuedCertificates.set(certificate.certificateId, certificate);
+    return certificate;
+  }
+  /**
+   * Verify a certificate's signature.
+   *
+   * @param certificate - The certificate to verify
+   * @returns true if the signature is valid
+   * @throws AttestationError if verification fails
+   */
+  verifyCertificate(certificate) {
+    if (!certificate.signature) {
+      throw new AttestationError("Certificate has no signature");
+    }
+    try {
+      const message = certificate.canonicalBytes();
+      const signature = Buffer.from(certificate.signature, "base64");
+      return crypto.verify(null, message, this.publicKey, signature);
+    } catch (e) {
+      throw new AttestationError(`Signature verification failed: ${e}`);
+    }
+  }
+  /**
+   * Issue a new signed destruction certificate.
+   *
+   * @param resourceType - Type of resource (ephemeral_data, sealed_compute, etc.)
+   * @param resourceId - Unique identifier of the resource
+   * @param classification - Data classification level
+   * @param destructionMethod - How the data was destroyed
+   * @param chainOfCustody - Optional chain of custody
+   * @param metadata - Optional additional metadata
+   * @returns The signed certificate
+   */
+  issueCertificate(resourceType, resourceId, classification, destructionMethod, chainOfCustody = null, metadata = {}) {
+    const resource = new ResourceInfo(resourceType, resourceId, classification, metadata);
+    const certificate = DestructionCertificate.create(
+      resource,
+      destructionMethod,
+      this.authorityId,
+      chainOfCustody
+    );
+    return this.signCertificate(certificate);
+  }
+  /**
+   * Retrieve a previously issued certificate by ID.
+   *
+   * @param certificateId - The certificate ID
+   * @returns The certificate or null if not found
+   */
+  getCertificate(certificateId) {
+    return this.issuedCertificates.get(certificateId) ?? null;
+  }
+  /**
+   * List issued certificates with optional filtering.
+   *
+   * @param resourceId - Optional resource ID to filter by
+   * @param since - Optional date to filter certificates issued after
+   * @returns List of certificates sorted by destruction timestamp (newest first)
+   */
+  listCertificates(resourceId, since) {
+    let certs = Array.from(this.issuedCertificates.values());
+    if (resourceId) {
+      certs = certs.filter((c) => c.resource.resourceId === resourceId);
+    }
+    if (since) {
+      certs = certs.filter((c) => c.destructionTimestamp >= since);
+    }
+    return certs.sort(
+      (a, b) => b.destructionTimestamp.getTime() - a.destructionTimestamp.getTime()
+    );
+  }
+};
+
+// src/crypto.ts
+var crypto2 = __toESM(require("crypto"));
+var ALGORITHM = "aes-256-gcm";
+var KEY_LENGTH = 32;
+var NONCE_LENGTH = 12;
+var TAG_LENGTH = 16;
+var EncryptedPayload = class _EncryptedPayload {
+  constructor(ciphertext, nonce, keyId, algorithm = "AES-256-GCM") {
+    this.ciphertext = ciphertext;
+    this.nonce = nonce;
+    this.keyId = keyId;
+    this.algorithm = algorithm;
+  }
+  /**
+   * Convert to a plain object for serialization.
+   */
+  toDict() {
+    return {
+      ciphertext: this.ciphertext,
+      nonce: this.nonce,
+      key_id: this.keyId,
+      algorithm: this.algorithm
+    };
+  }
+  /**
+   * Reconstruct from serialized data.
+   */
+  static fromDict(data) {
+    return new _EncryptedPayload(
+      data.ciphertext,
+      data.nonce,
+      data.key_id,
+      data.algorithm ?? "AES-256-GCM"
+    );
+  }
+};
+var DataEncryptionKey = class _DataEncryptionKey {
+  constructor(keyId, _keyMaterial, createdAt, expiresAt) {
+    this.keyId = keyId;
+    this._keyMaterial = _keyMaterial;
+    this.createdAt = createdAt;
+    this.expiresAt = expiresAt;
+  }
+  _destroyed = false;
+  _destroyedAt = null;
+  /**
+   * Generate a new DEK with the specified TTL.
+   *
+   * @param ttlMs - Time-to-live in milliseconds
+   * @param keyId - Optional key identifier (auto-generated if not provided)
+   */
+  static generate(ttlMs, keyId) {
+    const now = /* @__PURE__ */ new Date();
+    return new _DataEncryptionKey(
+      keyId ?? crypto2.randomBytes(16).toString("hex"),
+      crypto2.randomBytes(KEY_LENGTH),
+      now,
+      new Date(now.getTime() + ttlMs)
+    );
+  }
+  /**
+   * Get the key material for cryptographic operations.
+   * @throws CryptoError if the key has been destroyed
+   */
+  get keyMaterial() {
+    if (this._destroyed) {
+      throw new CryptoError("access", "Key has been destroyed");
+    }
+    return this._keyMaterial;
+  }
+  /**
+   * Check if the key has been destroyed.
+   */
+  get destroyed() {
+    return this._destroyed;
+  }
+  /**
+   * Get the timestamp when the key was destroyed, if applicable.
+   */
+  get destroyedAt() {
+    return this._destroyedAt;
+  }
+  /**
+   * Check if the key is expired or destroyed.
+   */
+  get isExpired() {
+    return /* @__PURE__ */ new Date() >= this.expiresAt || this._destroyed;
+  }
+  /**
+   * Securely destroy the key material (crypto-shredding).
+   *
+   * This overwrites the key material with random data then zeros,
+   * making any data encrypted with this key permanently unrecoverable.
+   *
+   * Note: In JavaScript/Node.js, we cannot guarantee memory is fully
+   * zeroed due to garbage collection. This is best-effort. For true
+   * security guarantees, use hardware security modules (HSM).
+   */
+  destroy() {
+    crypto2.randomFillSync(this._keyMaterial);
+    this._keyMaterial.fill(0);
+    this._destroyed = true;
+    this._destroyedAt = /* @__PURE__ */ new Date();
+  }
+};
+var CryptoProvider = class {
+  masterKey;
+  keys = /* @__PURE__ */ new Map();
+  /**
+   * Create a new CryptoProvider.
+   *
+   * @param masterKey - Optional master key for key derivation.
+   *                    If not provided, a random key is generated.
+   *                    In production, this should come from a KMS.
+   */
+  constructor(masterKey) {
+    this.masterKey = masterKey ?? crypto2.randomBytes(KEY_LENGTH);
+  }
+  /**
+   * Generate a new Data Encryption Key with the specified TTL.
+   *
+   * @param ttlMs - Time-to-live in milliseconds
+   * @returns The generated DEK
+   */
+  generateDEK(ttlMs) {
+    const dek = DataEncryptionKey.generate(ttlMs);
+    this.keys.set(dek.keyId, dek);
+    return dek;
+  }
+  /**
+   * Retrieve a DEK by its identifier.
+   *
+   * @param keyId - The key identifier
+   * @returns The DEK if found and valid, null otherwise
+   */
+  getDEK(keyId) {
+    const dek = this.keys.get(keyId);
+    if (!dek || dek.destroyed || dek.isExpired) {
+      return null;
+    }
+    return dek;
+  }
+  /**
+   * Destroy a DEK (crypto-shredding).
+   *
+   * After destruction, any data encrypted with this key becomes
+   * permanently unrecoverable.
+   *
+   * @param keyId - The key identifier
+   * @returns true if the key was found and destroyed, false otherwise
+   */
+  destroyDEK(keyId) {
+    const dek = this.keys.get(keyId);
+    if (dek) {
+      dek.destroy();
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Encrypt plaintext using AES-256-GCM.
+   *
+   * @param plaintext - The data to encrypt
+   * @param dek - The Data Encryption Key to use
+   * @param associatedData - Optional additional authenticated data (AAD)
+   * @returns The encrypted payload
+   * @throws CryptoError if the key is destroyed or expired
+   */
+  encrypt(plaintext, dek, associatedData) {
+    if (dek.destroyed || dek.isExpired) {
+      throw new CryptoError("encrypt", "Key is destroyed or expired");
+    }
+    try {
+      const nonce = crypto2.randomBytes(NONCE_LENGTH);
+      const cipher = crypto2.createCipheriv(ALGORITHM, dek.keyMaterial, nonce, {
+        authTagLength: TAG_LENGTH
+      });
+      if (associatedData) {
+        cipher.setAAD(associatedData);
+      }
+      const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+      const authTag = cipher.getAuthTag();
+      const combined = Buffer.concat([encrypted, authTag]);
+      return new EncryptedPayload(
+        combined.toString("base64"),
+        nonce.toString("base64"),
+        dek.keyId
+      );
+    } catch (e) {
+      throw new CryptoError("encrypt", String(e));
+    }
+  }
+  /**
+   * Decrypt an encrypted payload.
+   *
+   * @param payload - The encrypted payload to decrypt
+   * @param associatedData - Optional additional authenticated data (must match encryption)
+   * @returns The decrypted plaintext
+   * @throws CryptoError if decryption fails or key is unavailable
+   */
+  decrypt(payload, associatedData) {
+    const dek = this.getDEK(payload.keyId);
+    if (!dek) {
+      throw new CryptoError(
+        "decrypt",
+        `Key ${payload.keyId} not found or destroyed (data is unrecoverable)`
+      );
+    }
+    try {
+      const combined = Buffer.from(payload.ciphertext, "base64");
+      const nonce = Buffer.from(payload.nonce, "base64");
+      const ciphertext = combined.subarray(0, combined.length - TAG_LENGTH);
+      const authTag = combined.subarray(combined.length - TAG_LENGTH);
+      const decipher = crypto2.createDecipheriv(ALGORITHM, dek.keyMaterial, nonce, {
+        authTagLength: TAG_LENGTH
+      });
+      decipher.setAuthTag(authTag);
+      if (associatedData) {
+        decipher.setAAD(associatedData);
+      }
+      return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    } catch (e) {
+      throw new CryptoError("decrypt", String(e));
+    }
+  }
+  /**
+   * Encrypt a JSON-serializable object.
+   *
+   * @param data - The object to encrypt
+   * @param dek - The Data Encryption Key to use
+   * @returns The encrypted payload
+   */
+  encryptJSON(data, dek) {
+    const plaintext = Buffer.from(JSON.stringify(data), "utf-8");
+    return this.encrypt(plaintext, dek);
+  }
+  /**
+   * Decrypt a payload and parse as JSON.
+   *
+   * @param payload - The encrypted payload
+   * @returns The decrypted object
+   */
+  decryptJSON(payload) {
+    const plaintext = this.decrypt(payload);
+    return JSON.parse(plaintext.toString("utf-8"));
+  }
+  /**
+   * Derive a key from the master key using HKDF.
+   *
+   * @param context - Context bytes for domain separation
+   * @param length - Desired key length in bytes (default: 32)
+   * @returns The derived key material
+   */
+  deriveKey(context, length = KEY_LENGTH) {
+    return Buffer.from(
+      crypto2.hkdfSync("sha256", this.masterKey, Buffer.alloc(0), context, length)
+    );
+  }
+};
+function constantTimeCompare(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  return crypto2.timingSafeEqual(a, b);
+}
+
+// src/record.ts
+var import_uuid2 = require("uuid");
+var DataClassification = /* @__PURE__ */ ((DataClassification2) => {
+  DataClassification2["TRANSIENT"] = "TRANSIENT";
+  DataClassification2["SHORT_LIVED"] = "SHORT_LIVED";
+  DataClassification2["RETENTION_BOUND"] = "RETENTION_BOUND";
+  DataClassification2["PERSISTENT"] = "PERSISTENT";
+  return DataClassification2;
+})(DataClassification || {});
+var CLASSIFICATION_DEFAULTS = {
+  ["TRANSIENT" /* TRANSIENT */]: 60 * 60 * 1e3,
+  // 1 hour
+  ["SHORT_LIVED" /* SHORT_LIVED */]: 24 * 60 * 60 * 1e3,
+  // 1 day
+  ["RETENTION_BOUND" /* RETENTION_BOUND */]: 90 * 24 * 60 * 60 * 1e3,
+  // 90 days
+  ["PERSISTENT" /* PERSISTENT */]: null
+};
+var CLASSIFICATION_MAX = {
+  ["TRANSIENT" /* TRANSIENT */]: 24 * 60 * 60 * 1e3,
+  // 24 hours
+  ["SHORT_LIVED" /* SHORT_LIVED */]: 7 * 24 * 60 * 60 * 1e3,
+  // 7 days
+  ["RETENTION_BOUND" /* RETENTION_BOUND */]: 7 * 365 * 24 * 60 * 60 * 1e3,
+  // 7 years
+  ["PERSISTENT" /* PERSISTENT */]: null
+};
+function getDefaultTTL(classification) {
+  return CLASSIFICATION_DEFAULTS[classification];
+}
+function getMaxTTL(classification) {
+  return CLASSIFICATION_MAX[classification];
+}
+var EphemeralRecord = class _EphemeralRecord {
+  constructor(id, classification, createdAt, expiresAt, ttl, encrypted = true, keyId = null, accessCount = 0, metadata = {}) {
+    this.id = id;
+    this.classification = classification;
+    this.createdAt = createdAt;
+    this.expiresAt = expiresAt;
+    this.ttl = ttl;
+    this.encrypted = encrypted;
+    this.keyId = keyId;
+    this.accessCount = accessCount;
+    this.metadata = metadata;
+  }
+  /**
+   * Factory method to create a new ephemeral record.
+   *
+   * @param options - Configuration options for the record
+   * @returns A new EphemeralRecord instance
+   * @throws Error if TTL exceeds the classification's maximum
+   */
+  static create(options = {}) {
+    const classification = options.classification ?? "TRANSIENT" /* TRANSIENT */;
+    const now = /* @__PURE__ */ new Date();
+    let effectiveTTL = options.ttl ?? getDefaultTTL(classification);
+    if (effectiveTTL === null) {
+      throw new Error(
+        `TTL required for ${classification} classification (no default available)`
+      );
+    }
+    const maxTTL = getMaxTTL(classification);
+    if (maxTTL !== null && effectiveTTL > maxTTL) {
+      throw new Error(
+        `TTL ${effectiveTTL}ms exceeds maximum ${maxTTL}ms for ${classification} classification`
+      );
+    }
+    const expiresAt = new Date(now.getTime() + effectiveTTL);
+    return new _EphemeralRecord(
+      (0, import_uuid2.v4)(),
+      classification,
+      now,
+      expiresAt,
+      effectiveTTL,
+      true,
+      (0, import_uuid2.v4)(),
+      // Generate key ID for crypto-shredding
+      0,
+      options.metadata ?? {}
+    );
+  }
+  /**
+   * Check if the record has expired.
+   */
+  get isExpired() {
+    return /* @__PURE__ */ new Date() >= this.expiresAt;
+  }
+  /**
+   * Get remaining time until expiration in milliseconds.
+   */
+  get timeRemaining() {
+    const remaining = this.expiresAt.getTime() - Date.now();
+    return Math.max(remaining, 0);
+  }
+  /**
+   * Convert to a plain object for serialization.
+   */
+  toDict() {
+    return {
+      id: this.id,
+      classification: this.classification,
+      created_at: this.createdAt.toISOString(),
+      expires_at: this.expiresAt.toISOString(),
+      ttl_seconds: this.ttl / 1e3,
+      encrypted: this.encrypted,
+      key_id: this.keyId,
+      access_count: this.accessCount,
+      metadata: this.metadata
+    };
+  }
+  /**
+   * Reconstruct an EphemeralRecord from serialized data.
+   */
+  static fromDict(data) {
+    return new _EphemeralRecord(
+      data.id,
+      data.classification,
+      new Date(data.created_at),
+      new Date(data.expires_at),
+      data.ttl_seconds * 1e3,
+      data.encrypted ?? true,
+      data.key_id ?? null,
+      data.access_count ?? 0,
+      data.metadata ?? {}
+    );
+  }
+};
+function parseTTL(ttlString) {
+  const pattern = /^(\d+)\s*(s|sec|seconds?|m|min|minutes?|h|hr|hours?|d|days?)$/i;
+  const match = ttlString.trim().match(pattern);
+  if (!match) {
+    throw new Error(`Cannot parse TTL string: ${ttlString}`);
+  }
+  const value = parseInt(match[1], 10);
+  const unit = match[2].toLowerCase();
+  if (unit.startsWith("s")) {
+    return value * 1e3;
+  } else if (unit.startsWith("m")) {
+    return value * 60 * 1e3;
+  } else if (unit.startsWith("h")) {
+    return value * 60 * 60 * 1e3;
+  } else if (unit.startsWith("d")) {
+    return value * 24 * 60 * 60 * 1e3;
+  }
+  throw new Error(`Unknown time unit: ${unit}`);
+}
+
+// src/store.ts
+var MemoryBackend = class {
+  data = /* @__PURE__ */ new Map();
+  async set(key, value, ttlSeconds) {
+    this.data.set(key, {
+      value,
+      expiresAt: Date.now() + ttlSeconds * 1e3
+    });
+    return true;
+  }
+  async get(key) {
+    const entry = this.data.get(key);
+    if (!entry) {
+      return null;
+    }
+    if (Date.now() >= entry.expiresAt) {
+      this.data.delete(key);
+      return null;
+    }
+    return entry.value;
+  }
+  async delete(key) {
+    return this.data.delete(key);
+  }
+  async exists(key) {
+    const value = await this.get(key);
+    return value !== null;
+  }
+  async ttl(key) {
+    const entry = this.data.get(key);
+    if (!entry) {
+      return null;
+    }
+    const remaining = Math.floor((entry.expiresAt - Date.now()) / 1e3);
+    return Math.max(0, remaining);
+  }
+  async close() {
+    this.data.clear();
+  }
+};
+var RedisBackend = class {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  client;
+  prefix = "efsf:";
+  constructor(url, options) {
+    try {
+      const Redis = require("ioredis");
+      this.client = new Redis(url, options);
+    } catch {
+      throw new BackendError(
+        "redis",
+        "ioredis package not installed. Install with: npm install ioredis"
+      );
+    }
+  }
+  key(k) {
+    return `${this.prefix}${k}`;
+  }
+  async set(key, value, ttlSeconds) {
+    try {
+      await this.client.setex(this.key(key), ttlSeconds, value);
+      return true;
+    } catch (e) {
+      throw new BackendError("redis", `Failed to set: ${e}`);
+    }
+  }
+  async get(key) {
+    try {
+      return await this.client.get(this.key(key));
+    } catch (e) {
+      throw new BackendError("redis", `Failed to get: ${e}`);
+    }
+  }
+  async delete(key) {
+    try {
+      const result = await this.client.del(this.key(key));
+      return result > 0;
+    } catch (e) {
+      throw new BackendError("redis", `Failed to delete: ${e}`);
+    }
+  }
+  async exists(key) {
+    try {
+      const result = await this.client.exists(this.key(key));
+      return result > 0;
+    } catch (e) {
+      throw new BackendError("redis", `Failed to check exists: ${e}`);
+    }
+  }
+  async ttl(key) {
+    try {
+      const result = await this.client.ttl(this.key(key));
+      return result > 0 ? result : null;
+    } catch (e) {
+      throw new BackendError("redis", `Failed to get TTL: ${e}`);
+    }
+  }
+  async close() {
+    await this.client.quit();
+  }
+};
+function createBackend(backendUrl) {
+  if (backendUrl === "memory://" || backendUrl === "memory") {
+    return new MemoryBackend();
+  }
+  const url = new URL(backendUrl);
+  if (url.protocol === "redis:" || url.protocol === "rediss:") {
+    return new RedisBackend(backendUrl);
+  }
+  throw new ValidationError("backend", `Unsupported backend scheme: ${url.protocol}`);
+}
+var EphemeralStore = class {
+  backend;
+  defaultTTL;
+  // ms
+  crypto;
+  attestationEnabled;
+  authority;
+  records = /* @__PURE__ */ new Map();
+  custody = /* @__PURE__ */ new Map();
+  certificates = /* @__PURE__ */ new Map();
+  constructor(options = {}) {
+    if (typeof options.backend === "string") {
+      this.backend = createBackend(options.backend);
+    } else if (options.backend) {
+      this.backend = options.backend;
+    } else {
+      this.backend = new MemoryBackend();
+    }
+    if (typeof options.defaultTTL === "string") {
+      this.defaultTTL = parseTTL(options.defaultTTL);
+    } else if (typeof options.defaultTTL === "number") {
+      this.defaultTTL = options.defaultTTL;
+    } else {
+      this.defaultTTL = 60 * 60 * 1e3;
+    }
+    this.crypto = options.cryptoProvider ?? new CryptoProvider();
+    this.attestationEnabled = options.attestation ?? true;
+    if (this.attestationEnabled) {
+      this.authority = options.attestationAuthority ?? new AttestationAuthority();
+    } else {
+      this.authority = null;
+    }
+  }
+  /**
+   * Store data with automatic encryption and TTL.
+   *
+   * @param data - Data to store (must be JSON-serializable)
+   * @param options - Storage options (TTL, classification, metadata)
+   * @returns The ephemeral record metadata
+   */
+  async put(data, options = {}) {
+    let classification;
+    if (typeof options.classification === "string") {
+      classification = options.classification;
+    } else {
+      classification = options.classification ?? "TRANSIENT" /* TRANSIENT */;
+    }
+    let effectiveTTL;
+    if (options.ttl === void 0) {
+      effectiveTTL = this.defaultTTL;
+    } else if (typeof options.ttl === "string") {
+      effectiveTTL = parseTTL(options.ttl);
+    } else {
+      effectiveTTL = options.ttl;
+    }
+    const record = EphemeralRecord.create({
+      classification,
+      ttl: effectiveTTL,
+      metadata: options.metadata
+    });
+    const dek = this.crypto.generateDEK(effectiveTTL);
+    record.keyId = dek.keyId;
+    const encrypted = this.crypto.encryptJSON(data, dek);
+    const storagePayload = {
+      record: record.toDict(),
+      encrypted: encrypted.toDict()
+    };
+    const ttlSeconds = Math.ceil(effectiveTTL / 1e3);
+    await this.backend.set(record.id, JSON.stringify(storagePayload), ttlSeconds);
+    this.records.set(record.id, record);
+    if (this.attestationEnabled) {
+      const custody = new ChainOfCustody(record.createdAt, "ephemeral_store");
+      custody.addAccess("ephemeral_store", "create");
+      this.custody.set(record.id, custody);
+    }
+    return record;
+  }
+  /**
+   * Retrieve data by record ID.
+   *
+   * @param recordId - The record identifier
+   * @returns The decrypted data
+   * @throws RecordNotFoundError if the record doesn't exist
+   * @throws RecordExpiredError if the record has expired
+   */
+  async get(recordId) {
+    const raw = await this.backend.get(recordId);
+    if (raw === null) {
+      if (this.certificates.has(recordId)) {
+        throw new RecordExpiredError(recordId);
+      }
+      throw new RecordNotFoundError(recordId);
+    }
+    const storagePayload = JSON.parse(raw);
+    const record = EphemeralRecord.fromDict(storagePayload.record);
+    const encrypted = EncryptedPayload.fromDict(storagePayload.encrypted);
+    if (record.isExpired) {
+      await this.handleExpiration(recordId);
+      throw new RecordExpiredError(recordId, record.expiresAt.toISOString());
+    }
+    const data = this.crypto.decryptJSON(encrypted);
+    const trackedRecord = this.records.get(recordId);
+    if (trackedRecord) {
+      trackedRecord.accessCount++;
+    }
+    const custody = this.custody.get(recordId);
+    if (custody) {
+      custody.addAccess("ephemeral_store", "read");
+    }
+    return data;
+  }
+  /**
+   * Check if a record exists and is not expired.
+   *
+   * @param recordId - The record identifier
+   */
+  async exists(recordId) {
+    return this.backend.exists(recordId);
+  }
+  /**
+   * Get remaining TTL for a record in milliseconds.
+   *
+   * @param recordId - The record identifier
+   * @returns Remaining TTL in milliseconds, or null if not found
+   */
+  async ttl(recordId) {
+    const seconds = await this.backend.ttl(recordId);
+    if (seconds === null) {
+      return null;
+    }
+    return seconds * 1e3;
+  }
+  /**
+   * Manually destroy a record immediately (crypto-shredding).
+   *
+   * This destroys the encryption key, making the data permanently
+   * unrecoverable, and generates a destruction certificate.
+   *
+   * @param recordId - The record identifier
+   * @returns The destruction certificate, or null if attestation is disabled
+   */
+  async destroy(recordId) {
+    return this.handleExpiration(recordId, "manual" /* MANUAL */);
+  }
+  /**
+   * Handle record expiration or destruction.
+   */
+  async handleExpiration(recordId, method = "crypto_shred" /* CRYPTO_SHRED */) {
+    const record = this.records.get(recordId);
+    const custody = this.custody.get(recordId);
+    await this.backend.delete(recordId);
+    if (record?.keyId) {
+      this.crypto.destroyDEK(record.keyId);
+    }
+    let certificate = null;
+    if (this.attestationEnabled && this.authority && record) {
+      if (custody) {
+        custody.addAccess("ephemeral_store", "destroy");
+      }
+      certificate = this.authority.issueCertificate(
+        "ephemeral_data",
+        recordId,
+        record.classification,
+        method,
+        custody ?? null,
+        {
+          ttl_seconds: record.ttl / 1e3,
+          access_count: record.accessCount,
+          ...record.metadata
+        }
+      );
+      this.certificates.set(recordId, certificate);
+    }
+    this.records.delete(recordId);
+    this.custody.delete(recordId);
+    return certificate;
+  }
+  /**
+   * Get the destruction certificate for a destroyed record.
+   *
+   * @param recordId - The record identifier
+   * @returns The certificate or null if not found
+   */
+  getDestructionCertificate(recordId) {
+    return this.certificates.get(recordId) ?? null;
+  }
+  /**
+   * List all destruction certificates.
+   *
+   * @param since - Optional date to filter certificates issued after
+   * @returns List of certificates sorted by destruction timestamp (newest first)
+   */
+  listCertificates(since) {
+    let certs = Array.from(this.certificates.values());
+    if (since) {
+      certs = certs.filter((c) => c.destructionTimestamp >= since);
+    }
+    return certs.sort(
+      (a, b) => b.destructionTimestamp.getTime() - a.destructionTimestamp.getTime()
+    );
+  }
+  /**
+   * Get store statistics.
+   */
+  stats() {
+    return {
+      activeRecords: this.records.size,
+      certificatesIssued: this.certificates.size,
+      attestationEnabled: this.attestationEnabled
+    };
+  }
+  /**
+   * Close the store and release resources.
+   */
+  async close() {
+    await this.backend.close();
+  }
+  // ============================================================
+  // Internal accessors for testing
+  // ============================================================
+  /** @internal */
+  get _crypto() {
+    return this.crypto;
+  }
+  /** @internal */
+  get _authority() {
+    return this.authority;
+  }
+  /** @internal */
+  get _records() {
+    return this.records;
+  }
+};
+
+// src/sealed.ts
+var import_uuid3 = require("uuid");
+function secureZeroMemory(data) {
+  if (data instanceof Uint8Array || Buffer.isBuffer(data)) {
+    data.fill(0);
+  } else if (Array.isArray(data)) {
+    for (let i = 0; i < data.length; i++) {
+      secureZeroMemory(data[i]);
+    }
+    data.length = 0;
+  } else if (data && typeof data === "object") {
+    for (const key of Object.keys(data)) {
+      secureZeroMemory(data[key]);
+      delete data[key];
+    }
+  }
+}
+var SealedContext = class {
+  executionId;
+  startedAt;
+  sensitiveRefs = [];
+  cleanupCallbacks = [];
+  constructor(options = {}) {
+    this.executionId = options.executionId ?? (0, import_uuid3.v4)();
+    this.startedAt = /* @__PURE__ */ new Date();
+  }
+  /**
+   * Track an object for cleanup on context exit.
+   *
+   * @param obj - Object to track
+   * @returns The same object for chaining
+   */
+  track(obj) {
+    try {
+      this.sensitiveRefs.push(new WeakRef(obj));
+    } catch {
+    }
+    return obj;
+  }
+  /**
+   * Register a cleanup callback to run on context exit.
+   *
+   * @param callback - Function to call during cleanup
+   */
+  onCleanup(callback) {
+    this.cleanupCallbacks.push(callback);
+  }
+  /**
+   * Internal: Run cleanup routines.
+   */
+  _cleanup() {
+    for (const callback of this.cleanupCallbacks) {
+      try {
+        callback();
+      } catch {
+      }
+    }
+    for (const ref of this.sensitiveRefs) {
+      const obj = ref.deref();
+      if (obj !== void 0) {
+        secureZeroMemory(obj);
+      }
+    }
+    this.sensitiveRefs.length = 0;
+    this.cleanupCallbacks.length = 0;
+    const g = global;
+    if (typeof g.gc === "function") {
+      g.gc();
+    }
+  }
+};
+var SealedExecution = class _SealedExecution {
+  static defaultAuthority = null;
+  attestation;
+  authority;
+  metadata;
+  context = null;
+  certificate = null;
+  chainOfCustody = null;
+  constructor(options = {}) {
+    this.attestation = options.attestation ?? false;
+    this.metadata = options.metadata ?? {};
+    if (this.attestation) {
+      if (options.authority) {
+        this.authority = options.authority;
+      } else {
+        if (!_SealedExecution.defaultAuthority) {
+          _SealedExecution.defaultAuthority = new AttestationAuthority();
+        }
+        this.authority = _SealedExecution.defaultAuthority;
+      }
+    } else {
+      this.authority = options.authority ?? null;
+    }
+  }
+  /**
+   * Enter the sealed execution context.
+   *
+   * Use with try/finally or the run() method for automatic cleanup.
+   *
+   * @returns The sealed context for tracking objects
+   */
+  enter() {
+    this.context = new SealedContext();
+    if (this.attestation) {
+      this.chainOfCustody = new ChainOfCustody(/* @__PURE__ */ new Date(), "sealed_execution");
+      this.chainOfCustody.addAccess("sealed_execution", "context_enter");
+    }
+    return this.context;
+  }
+  /**
+   * Exit the sealed execution context and destroy all state.
+   *
+   * @param error - Optional error if exiting due to an exception
+   */
+  exit(error) {
+    if (!this.context) {
+      return;
+    }
+    if (this.chainOfCustody) {
+      const action = error ? "context_exit_error" : "context_exit_normal";
+      this.chainOfCustody.addAccess("sealed_execution", action);
+    }
+    this.context._cleanup();
+    if (this.attestation && this.authority) {
+      const resource = new ResourceInfo(
+        "sealed_compute",
+        this.context.executionId,
+        "TRANSIENT",
+        {
+          started_at: this.context.startedAt.toISOString(),
+          duration_ms: Date.now() - this.context.startedAt.getTime(),
+          error: error ? String(error) : null,
+          ...this.metadata
+        }
+      );
+      const cert = DestructionCertificate.create(
+        resource,
+        "memory_zero" /* MEMORY_ZERO */,
+        this.authority.authorityId,
+        this.chainOfCustody
+      );
+      this.certificate = this.authority.signCertificate(cert);
+    }
+    this.context = null;
+  }
+  /**
+   * Run a function within the sealed context.
+   *
+   * Automatically handles enter/exit and cleanup.
+   *
+   * @param fn - Function to execute within the sealed context
+   * @returns The function's return value
+   */
+  async run(fn) {
+    const ctx = this.enter();
+    try {
+      const result = await fn(ctx);
+      this.exit();
+      return result;
+    } catch (error) {
+      this.exit(error);
+      throw error;
+    }
+  }
+};
+function sealed(options = {}) {
+  return function(fn) {
+    return async function(...args) {
+      const seal = new SealedExecution({
+        attestation: options.attestation,
+        authority: options.authority,
+        metadata: {
+          function: fn.name || "anonymous",
+          ...options.metadata
+        }
+      });
+      const result = await seal.run(async (ctx) => {
+        for (const arg of args) {
+          if (arg && typeof arg === "object") {
+            ctx.track(arg);
+          }
+        }
+        return fn(...args);
+      });
+      if (options.attestation && seal.certificate && result && typeof result === "object") {
+        result["_destruction_certificate"] = seal.certificate.toDict();
+      }
+      return result;
+    };
+  };
+}
+
+// src/index.ts
+var VERSION = "0.1.0";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AttestationAuthority,
+  AttestationError,
+  BackendError,
+  ChainOfCustody,
+  CryptoError,
+  CryptoProvider,
+  DataClassification,
+  DataEncryptionKey,
+  DestructionCertificate,
+  DestructionMethod,
+  EFSFError,
+  EncryptedPayload,
+  EphemeralRecord,
+  EphemeralStore,
+  MemoryBackend,
+  RecordExpiredError,
+  RecordNotFoundError,
+  RedisBackend,
+  ResourceInfo,
+  SealedContext,
+  SealedExecution,
+  TTLViolationError,
+  VERSION,
+  ValidationError,
+  constantTimeCompare,
+  createBackend,
+  getDefaultTTL,
+  getMaxTTL,
+  parseTTL,
+  sealed,
+  secureZeroMemory
+});