@enbox/auth 0.3.1

package/dist/types/types.d.ts

@@ -0,0 +1,312 @@
+/**
+ * @module @enbox/auth
+ * Public types for the authentication and identity management SDK.
+ */
+import type { ConnectPermissionRequest, EnboxUserAgent, HdIdentityVault, LocalDwnStrategy, PortableIdentity } from '@enbox/agent';
+export type { ConnectPermissionRequest, HdIdentityVault, IdentityVaultBackup, LocalDwnStrategy, PortableIdentity } from '@enbox/agent';
+export type { EnboxUserAgent } from '@enbox/agent';
+/**
+ * Controls DWN synchronisation behaviour.
+ *
+ * - `'off'`   — Sync disabled entirely.
+ * - An interval string such as `'30s'`, `'2m'`, `'1h'` — Poll mode at the
+ *   specified interval.
+ * - `undefined` (omitted) — Live WebSocket sync (default).
+ */
+export type SyncOption = 'off' | `${number}${'s' | 'm' | 'h'}`;
+/**
+ * The possible states of the auth manager.
+ *
+ * State transitions:
+ * ```
+ * uninitialized → locked → unlocked → connected
+ *                   ↑          ↑          │
+ *                   └──────────┴──────────┘ (disconnect / lock)
+ * ```
+ */
+export type AuthState = 'uninitialized' | 'locked' | 'unlocked' | 'connected';
+/** All event names emitted by the auth manager. */
+export type AuthEvent = 'state-change' | 'session-start' | 'session-end' | 'identity-added' | 'identity-removed' | 'vault-locked' | 'vault-unlocked' | 'local-dwn-available' | 'local-dwn-unavailable';
+/** Payload type for each event, keyed by event name. */
+export interface AuthEventMap {
+    'state-change': {
+        previous: AuthState;
+        current: AuthState;
+    };
+    'session-start': {
+        session: AuthSessionInfo;
+    };
+    'session-end': {
+        did: string;
+    };
+    'identity-added': {
+        identity: IdentityInfo;
+    };
+    'identity-removed': {
+        didUri: string;
+    };
+    'vault-locked': Record<string, never>;
+    'vault-unlocked': Record<string, never>;
+    /** Emitted when a local DWN server is discovered and validated. */
+    'local-dwn-available': {
+        endpoint: string;
+    };
+    /** Emitted when no local DWN server could be discovered or a previously known one is no longer reachable. */
+    'local-dwn-unavailable': Record<string, never>;
+}
+/** A type-safe event handler for a specific event. */
+export type AuthEventHandler<E extends AuthEvent = AuthEvent> = (payload: AuthEventMap[E]) => void;
+/** Lightweight metadata about a stored identity. */
+export interface IdentityInfo {
+    /** The DID URI for this identity. */
+    didUri: string;
+    /** Human-readable name. */
+    name: string;
+    /**
+     * Present when this identity is a delegate of another DID
+     * (i.e. connected via wallet connect).
+     */
+    connectedDid?: string;
+}
+/** Serializable session info for the `session-start` event. */
+export interface AuthSessionInfo {
+    did: string;
+    delegateDid?: string;
+    identity: IdentityInfo;
+}
+/** Parameters passed to the onProviderAuthRequired callback. */
+export interface ProviderAuthParams {
+    /** Full authorize URL to open in a browser (query params already appended). */
+    authorizeUrl: string;
+    /** The DWN endpoint URL this auth is for (informational). */
+    dwnEndpoint: string;
+    /** CSRF nonce — the provider will return this unchanged in the redirect. */
+    state: string;
+}
+/** Result returned by the app after the user completes provider auth. */
+export interface ProviderAuthResult {
+    /** Authorization code from the provider's redirect. */
+    code: string;
+    /** Must match the state from ProviderAuthParams (CSRF validation). */
+    state: string;
+}
+/** Persisted registration token data for a DWN endpoint. */
+export interface RegistrationTokenData {
+    /** Opaque registration token for POST /registration. */
+    registrationToken: string;
+    /** Refresh token for obtaining new registration tokens. */
+    refreshToken?: string;
+    /** Unix timestamp (ms) when the token expires. Undefined = never expires. */
+    expiresAt?: number;
+    /** Provider's token exchange URL (needed for code exchange). */
+    tokenUrl: string;
+    /** Provider's refresh URL (needed for token refresh). */
+    refreshUrl?: string;
+}
+/**
+ * DWN registration configuration.
+ *
+ * When provided, the agent DID and connected DID will be registered with
+ * DWN endpoints after identity creation. Supports two paths:
+ *
+ * 1. **Provider auth** (`provider-auth-v0`) — the DWN endpoint requires
+ *    OAuth-style auth. If {@link onProviderAuthRequired} is provided and
+ *    the server advertises provider auth, the app handles the auth flow.
+ * 2. **Proof of Work** (default fallback) — the DWN endpoint requires
+ *    solving a PoW challenge to register.
+ */
+export interface RegistrationOptions {
+    /** Called when all DWN registrations complete successfully. */
+    onSuccess: () => void;
+    /** Called when any DWN registration fails. */
+    onFailure: (error: unknown) => void;
+    /**
+     * Called when a DWN endpoint requires provider auth (`'provider-auth-v0'`).
+     *
+     * The app should open the `authorizeUrl` in a browser, capture the
+     * redirect with the auth code, and return the result. If not provided,
+     * endpoints requiring provider auth fall back to PoW registration.
+     */
+    onProviderAuthRequired?: (params: ProviderAuthParams) => Promise<ProviderAuthResult>;
+    /**
+     * Pre-existing registration tokens from a previous session, keyed by
+     * DWN endpoint URL. If a valid (non-expired) token exists for an
+     * endpoint, it is used directly without re-running the auth flow.
+     */
+    registrationTokens?: Record<string, RegistrationTokenData>;
+    /**
+     * Called when new or refreshed registration tokens are obtained.
+     * The app should persist these for future sessions.
+     */
+    onRegistrationTokens?: (tokens: Record<string, RegistrationTokenData>) => void;
+}
+/** Options for {@link AuthManager.create}. */
+export interface AuthManagerOptions {
+    /**
+     * Provide a pre-built {@link EnboxUserAgent} instance.
+     *
+     * When provided, `dataPath`, `agentVault`, and `localDwnStrategy` are
+     * ignored — the agent is used as-is. This is the escape hatch for
+     * advanced scenarios like custom DWN stores (e.g., SQLite-backed DWN).
+     *
+     * @example
+     * ```ts
+     * const agent = await EnboxUserAgent.create({ dwnApi: myCustomDwnApi });
+     * const auth = await AuthManager.create({ agent });
+     * ```
+     */
+    agent?: EnboxUserAgent;
+    /**
+     * Provide a custom {@link HdIdentityVault} implementation.
+     * Defaults to a LevelDB-backed vault with PBES2-HS512+A256KW encryption.
+     * Ignored when `agent` is provided.
+     */
+    agentVault?: HdIdentityVault;
+    /**
+     * Controls local DWN discovery behavior for remote-target DWN sends/sync.
+     * `'off'` (default) disables local probing, `'prefer'` tries local first
+     * then falls back to DID-document endpoints, `'only'` requires a local server.
+     * Ignored when `agent` is provided.
+     */
+    localDwnStrategy?: LocalDwnStrategy;
+    /**
+     * Data path for agent storage.
+     * - Browser default: `'DATA/AGENT'`
+     * - CLI default: `'~/.enbox'`
+     *
+     * Ignored when `agent` is provided.
+     */
+    dataPath?: string;
+    /** Storage adapter for session persistence. Auto-detected if not provided. */
+    storage?: StorageAdapter;
+    /**
+     * Default password for vault operations.
+     * If not provided, an insecure default is used (with a console warning).
+     */
+    password?: string;
+    /**
+     * Sync interval for DWN synchronization.
+     * - `'off'` — disable sync
+     * - `'15s'`, `'1m'`, etc. — poll at interval
+     * - `undefined` — live WebSocket sync
+     */
+    sync?: SyncOption;
+    /** Default DWN endpoints for new identities. */
+    dwnEndpoints?: string[];
+    /** DWN registration configuration. */
+    registration?: RegistrationOptions;
+}
+/** Options for {@link AuthManager.connect}. */
+export interface LocalConnectOptions {
+    /** Vault password (overrides manager default). */
+    password?: string;
+    /** Re-derive identity from an existing BIP-39 recovery phrase. */
+    recoveryPhrase?: string;
+    /** Override manager default sync interval. */
+    sync?: SyncOption;
+    /** Override manager default DWN endpoints. */
+    dwnEndpoints?: string[];
+    /** Identity metadata. */
+    metadata?: {
+        name?: string;
+    };
+}
+/** Options for {@link AuthManager.walletConnect}. */
+export interface WalletConnectOptions {
+    /** Display name shown in the wallet during the connect flow. */
+    displayName: string;
+    /** URL of the connect relay server. */
+    connectServerUrl: string;
+    /** Wallet URI scheme. Defaults to `'web5://connect'`. */
+    walletUri?: string;
+    /**
+     * Protocol permission requests for the wallet connect flow.
+     *
+     * Each entry is a `ConnectPermissionRequest` from `@enbox/agent` containing
+     * a `protocolDefinition` and `permissionScopes`. Use
+     * `WalletConnect.createPermissionRequestForProtocol()` to build these.
+     */
+    permissionRequests: ConnectPermissionRequest[];
+    /** Called when the wallet URI is ready (render as QR code). */
+    onWalletUriReady: (uri: string) => void;
+    /** Called to collect the PIN from the user. */
+    validatePin: () => Promise<string>;
+    /** Override manager default sync interval. */
+    sync?: SyncOption;
+}
+/** Options for {@link AuthManager.importFromPhrase}. */
+export interface ImportFromPhraseOptions {
+    /** The BIP-39 recovery phrase. */
+    recoveryPhrase: string;
+    /** Password to protect the vault. */
+    password: string;
+    /** Override manager default sync interval. */
+    sync?: SyncOption;
+    /** Override manager default DWN endpoints. */
+    dwnEndpoints?: string[];
+}
+/** Options for {@link AuthManager.importFromPortable}. */
+export interface ImportFromPortableOptions {
+    /** The portable identity JSON to import. */
+    portableIdentity: PortableIdentity;
+    /** Override manager default sync interval. */
+    sync?: SyncOption;
+}
+/** Options for {@link AuthManager.restoreSession}. */
+export interface RestoreSessionOptions {
+    /** Password to unlock the vault (needed if vault is locked). */
+    password?: string;
+}
+/** Options for {@link AuthManager.disconnect}. */
+export interface DisconnectOptions {
+    /**
+     * If `true`, performs a nuclear wipe: clears all localStorage keys,
+     * deletes all IndexedDB databases, and removes persisted session data.
+     * Default: `false` (clean disconnect — keeps vault and identities).
+     */
+    clearStorage?: boolean;
+    /**
+     * Milliseconds to wait for pending sync operations before disconnecting.
+     * Default: `2000`.
+     */
+    timeout?: number;
+}
+/**
+ * Platform-agnostic key-value storage adapter for session persistence.
+ * Implementations are provided for browser (localStorage) and CLI (file system).
+ */
+export interface StorageAdapter {
+    /** Get a value by key. Returns `null` if not found. */
+    get(key: string): Promise<string | null>;
+    /** Set a key-value pair. */
+    set(key: string, value: string): Promise<void>;
+    /** Remove a key. */
+    remove(key: string): Promise<void>;
+    /** Clear all stored data. */
+    clear(): Promise<void>;
+}
+/** The insecure default password used when none is provided. */
+export declare const INSECURE_DEFAULT_PASSWORD = "insecure-static-phrase";
+/**
+ * Storage keys used by the auth manager for session persistence.
+ * @internal
+ */
+export declare const STORAGE_KEYS: {
+    /** Whether a session was previously established. */
+    readonly PREVIOUSLY_CONNECTED: "enbox:auth:previouslyConnected";
+    /** The DID URI of the last active identity. */
+    readonly ACTIVE_IDENTITY: "enbox:auth:activeIdentity";
+    /** The delegate DID URI (for wallet-connected sessions). */
+    readonly DELEGATE_DID: "enbox:auth:delegateDid";
+    /** The connected DID (for wallet-connected sessions). */
+    readonly CONNECTED_DID: "enbox:auth:connectedDid";
+    /**
+     * The base URL of the local DWN server discovered via the `dwn://register`
+     * browser redirect flow. Persisted so subsequent page loads can skip the
+     * redirect and inject the endpoint directly.
+     *
+     * @see https://github.com/enboxorg/enbox/issues/589
+     */
+    readonly LOCAL_DWN_ENDPOINT: "enbox:auth:localDwnEndpoint";
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/types/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,cAAc,EAAE,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGlI,YAAY,EAAE,wBAAwB,EAAE,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGvI,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAInD;;;;;;;GAOG;AACH,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,CAAC;AAI/D;;;;;;;;;GASG;AACH,MAAM,MAAM,SAAS,GACjB,eAAe,GACf,QAAQ,GACR,UAAU,GACV,WAAW,CAAC;AAIhB,mDAAmD;AACnD,MAAM,MAAM,SAAS,GACjB,cAAc,GACd,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,kBAAkB,GAClB,cAAc,GACd,gBAAgB,GAChB,qBAAqB,GACrB,uBAAuB,CAAC;AAE5B,wDAAwD;AACxD,MAAM,WAAW,YAAY;IAC3B,cAAc,EAAE;QAAE,QAAQ,EAAE,SAAS,CAAC;QAAC,OAAO,EAAE,SAAS,CAAA;KAAE,CAAC;IAC5D,eAAe,EAAE;QAAE,OAAO,EAAE,eAAe,CAAA;KAAE,CAAC;IAC9C,aAAa,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,gBAAgB,EAAE;QAAE,QAAQ,EAAE,YAAY,CAAA;KAAE,CAAC;IAC7C,kBAAkB,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACtC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACxC,mEAAmE;IACnE,qBAAqB,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C,6GAA6G;IAC7G,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAChD;AAED,sDAAsD;AACtD,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,SAAS,GAAG,SAAS,IAC1D,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;AAIrC,oDAAoD;AACpD,MAAM,WAAW,YAAY;IAC3B,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAC;IAEf,2BAA2B;IAC3B,IAAI,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,+DAA+D;AAC/D,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,YAAY,CAAC;CACxB;AAID,gEAAgE;AAChE,MAAM,WAAW,kBAAkB;IACjC,+EAA+E;IAC/E,YAAY,EAAE,MAAM,CAAC;IACrB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,KAAK,EAAE,MAAM,CAAC;CACf;AAED,yEAAyE;AACzE,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;CACf;AAED,4DAA4D;AAC5D,MAAM,WAAW,qBAAqB;IACpC,wDAAwD;IACxD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,mBAAmB;IAClC,+DAA+D;IAC/D,SAAS,EAAE,MAAM,IAAI,CAAC;IAEtB,8CAA8C;IAC9C,SAAS,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;IAEpC;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,CAAC,MAAM,EAAE,kBAAkB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAErF;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;IAE3D;;;OAGG;IACH,oBAAoB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,KAAK,IAAI,CAAC;CAChF;AAED,8CAA8C;AAC9C,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,EAAE,cAAc,CAAC;IAEvB;;;;OAIG;IACH,UAAU,CAAC,EAAE,eAAe,CAAC;IAE7B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8EAA8E;IAC9E,OAAO,CAAC,EAAE,cAAc,CAAC;IAEzB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,gDAAgD;IAChD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,sCAAsC;IACtC,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED,+CAA+C;AAC/C,MAAM,WAAW,mBAAmB;IAClC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,kEAAkE;IAClE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,8CAA8C;IAC9C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,yBAAyB;IACzB,QAAQ,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAC9B;AAED,qDAAqD;AACrD,MAAM,WAAW,oBAAoB;IACnC,gEAAgE;IAChE,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,gBAAgB,EAAE,MAAM,CAAC;IAEzB,yDAAyD;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;;;OAMG;IACH,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;IAE/C,+DAA+D;IAC/D,gBAAgB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAExC,+CAA+C;IAC/C,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,wDAAwD;AACxD,MAAM,WAAW,uBAAuB;IACtC,kCAAkC;IAClC,cAAc,EAAE,MAAM,CAAC;IAEvB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IAEjB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,8CAA8C;IAC9C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,0DAA0D;AAC1D,MAAM,WAAW,yBAAyB;IACxC,4CAA4C;IAC5C,gBAAgB,EAAE,gBAAgB,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,sDAAsD;AACtD,MAAM,WAAW,qBAAqB;IACpC,gEAAgE;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,uDAAuD;IACvD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEzC,4BAA4B;IAC5B,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/C,oBAAoB;IACpB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAID,gEAAgE;AAChE,eAAO,MAAM,yBAAyB,2BAA2B,CAAC;AAElE;;;GAGG;AACH,eAAO,MAAM,YAAY;IACvB,oDAAoD;;IAGpD,+CAA+C;;IAG/C,4DAA4D;;IAG5D,yDAAyD;;IAGzD;;;;;;OAMG;;CAEK,CAAC"}

package/dist/types/vault/vault-manager.d.ts

@@ -0,0 +1,57 @@
+/**
+ * VaultManager wraps {@link HdIdentityVault} with a high-level API
+ * and emits events on lock/unlock.
+ * @module
+ */
+import type { HdIdentityVault, IdentityVaultBackup } from '@enbox/agent';
+import type { AuthEventEmitter } from '../events.js';
+/**
+ * Manages the encrypted identity vault lifecycle.
+ *
+ * The vault stores the agent's DID and content encryption key (CEK),
+ * protected by a user password using PBES2-HS512+A256KW with a 210K
+ * iteration work factor. The vault supports HD key derivation from
+ * a BIP-39 mnemonic for recovery.
+ */
+export declare class VaultManager {
+    private readonly _vault;
+    private readonly _emitter;
+    constructor(vault: HdIdentityVault, emitter: AuthEventEmitter);
+    /** The underlying vault instance (for advanced usage). */
+    get raw(): HdIdentityVault;
+    /** Whether the vault has been initialized (has encrypted data). */
+    isInitialized(): Promise<boolean>;
+    /** Whether the vault is currently locked (synchronous check). */
+    get isLocked(): boolean;
+    /**
+     * Unlock the vault with the given password.
+     * Decrypts the CEK into memory so the agent DID can be retrieved.
+     *
+     * @throws If the password is incorrect or vault is not initialized.
+     */
+    unlock(password: string): Promise<void>;
+    /**
+     * Lock the vault, clearing the CEK from memory.
+     * After locking, the password must be provided again to unlock.
+     */
+    lock(): Promise<void>;
+    /**
+     * Change the vault password. Re-encrypts the CEK with the new password.
+     *
+     * @throws If the old password is incorrect or vault is locked.
+     */
+    changePassword(oldPassword: string, newPassword: string): Promise<void>;
+    /**
+     * Create a backup of the vault.
+     *
+     * @throws If the vault is not initialized or is locked.
+     */
+    backup(): Promise<IdentityVaultBackup>;
+    /**
+     * Restore the vault from a backup.
+     *
+     * @throws If the password doesn't match the backup's encryption.
+     */
+    restore(backup: IdentityVaultBackup, password: string): Promise<void>;
+}
+//# sourceMappingURL=vault-manager.d.ts.map

package/dist/types/vault/vault-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-manager.d.ts","sourceRoot":"","sources":["../../../src/vault/vault-manager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAEzE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAErD;;;;;;;GAOG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAkB;IACzC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAmB;gBAEhC,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,gBAAgB;IAK7D,0DAA0D;IAC1D,IAAI,GAAG,IAAI,eAAe,CAEzB;IAED,mEAAmE;IAC7D,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC;IAIvC,iEAAiE;IACjE,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED;;;;;OAKG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAK7C;;;OAGG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAK3B;;;;OAIG;IACG,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI7E;;;;OAIG;IACG,MAAM,IAAI,OAAO,CAAC,mBAAmB,CAAC;IAI5C;;;;OAIG;IACG,OAAO,CAAC,MAAM,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG5E"}

package/package.json

@@ -0,0 +1,71 @@
+{
+  "name": "@enbox/auth",
+  "version": "0.3.1",
+  "description": "Headless authentication and identity management SDK for Enbox",
+  "type": "module",
+  "main": "./dist/esm/index.js",
+  "module": "./dist/esm/index.js",
+  "types": "./dist/types/index.d.ts",
+  "scripts": {
+    "clean": "rimraf dist",
+    "build:esm": "rimraf dist/esm dist/types && bun tsc -p tsconfig.json",
+    "build": "bun run clean && bun run build:esm",
+    "lint": "eslint . --max-warnings 0",
+    "lint:fix": "eslint . --fix",
+    "test:node": "bun test --timeout 10000 .spec.ts",
+    "test:node:coverage": "bun test --coverage --coverage-reporter=text --coverage-reporter=lcov --coverage-dir=coverage .spec.ts"
+  },
+  "homepage": "https://github.com/enboxorg/enbox/tree/main/packages/auth#readme",
+  "bugs": "https://github.com/enboxorg/enbox/issues",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/enboxorg/enbox.git",
+    "directory": "packages/auth"
+  },
+  "license": "Apache-2.0",
+  "contributors": [
+    {
+      "name": "Liran Cohen",
+      "url": "https://github.com/LiranCohen"
+    }
+  ],
+  "files": [
+    "dist",
+    "src"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/types/index.d.ts",
+      "import": "./dist/esm/index.js"
+    }
+  },
+  "keywords": [
+    "auth",
+    "authentication",
+    "identity",
+    "decentralized",
+    "decentralized-identity",
+    "DID",
+    "web5",
+    "enbox"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "bun": ">=1.0.0"
+  },
+  "dependencies": {
+    "@enbox/agent": "0.3.1",
+    "@enbox/common": "0.0.7",
+    "@enbox/dids": "0.0.9",
+    "@enbox/dwn-clients": "0.1.0",
+    "level": "8.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "20.14.8",
+    "bun-types": "latest",
+    "rimraf": "4.4.0",
+    "typescript": "5.5.4"
+  }
+}