@fgv/ts-extras 5.1.0-17 → 5.1.0-18

package/lib/packlets/crypto-utils/index.browser.d.ts

@@ -10,5 +10,6 @@ export { KeyStore };
 import * as Converters from './converters';
 export { Converters };
 export { DirectEncryptionProvider, IDirectEncryptionProviderParams } from './directEncryptionProvider';
+export { IKeyPairAlgorithmParams, keyPairAlgorithmParams } from './keyPairAlgorithmParams';
 export { createEncryptedFile, decryptFile, fromBase64, ICreateEncryptedFileParams, toBase64, tryDecryptFile } from './encryptedFile';
 //# sourceMappingURL=index.browser.d.ts.map

package/lib/packlets/crypto-utils/index.browser.js

@@ -55,7 +55,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.tryDecryptFile = exports.toBase64 = exports.fromBase64 = exports.decryptFile = exports.createEncryptedFile = exports.DirectEncryptionProvider = exports.Converters = exports.KeyStore = exports.GCM_IV_SIZE = exports.GCM_AUTH_TAG_SIZE = exports.ENCRYPTED_FILE_FORMAT = exports.DEFAULT_ALGORITHM = exports.AES_256_KEY_SIZE = void 0;
+exports.tryDecryptFile = exports.toBase64 = exports.fromBase64 = exports.decryptFile = exports.createEncryptedFile = exports.keyPairAlgorithmParams = exports.DirectEncryptionProvider = exports.Converters = exports.KeyStore = exports.GCM_IV_SIZE = exports.GCM_AUTH_TAG_SIZE = exports.ENCRYPTED_FILE_FORMAT = exports.DEFAULT_ALGORITHM = exports.AES_256_KEY_SIZE = void 0;
 /**
  * Crypto utilities for encrypted file handling and key management (browser version).
  * Note: For browser crypto provider, use \@fgv/ts-web-extras.
@@ -79,6 +79,9 @@ exports.Converters = Converters;
 // Direct encryption provider
 var directEncryptionProvider_1 = require("./directEncryptionProvider");
 Object.defineProperty(exports, "DirectEncryptionProvider", { enumerable: true, get: function () { return directEncryptionProvider_1.DirectEncryptionProvider; } });
+// WebCrypto parameter table for asymmetric keypair algorithms
+var keyPairAlgorithmParams_1 = require("./keyPairAlgorithmParams");
+Object.defineProperty(exports, "keyPairAlgorithmParams", { enumerable: true, get: function () { return keyPairAlgorithmParams_1.keyPairAlgorithmParams; } });
 // Note: NodeCryptoProvider is NOT exported in browser version
 // Use BrowserCryptoProvider from @fgv/ts-web-extras instead
 // Encrypted file helpers

package/lib/packlets/crypto-utils/index.d.ts

@@ -10,6 +10,7 @@ export { KeyStore };
 import * as Converters from './converters';
 export { Converters };
 export { DirectEncryptionProvider, IDirectEncryptionProviderParams } from './directEncryptionProvider';
+export { IKeyPairAlgorithmParams, keyPairAlgorithmParams } from './keyPairAlgorithmParams';
 export { NodeCryptoProvider, nodeCryptoProvider } from './nodeCryptoProvider';
 export { createEncryptedFile, decryptFile, fromBase64, ICreateEncryptedFileParams, toBase64, tryDecryptFile } from './encryptedFile';
 //# sourceMappingURL=index.d.ts.map

package/lib/packlets/crypto-utils/index.js

@@ -55,7 +55,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.tryDecryptFile = exports.toBase64 = exports.fromBase64 = exports.decryptFile = exports.createEncryptedFile = exports.nodeCryptoProvider = exports.NodeCryptoProvider = exports.DirectEncryptionProvider = exports.Converters = exports.KeyStore = exports.Constants = void 0;
+exports.tryDecryptFile = exports.toBase64 = exports.fromBase64 = exports.decryptFile = exports.createEncryptedFile = exports.nodeCryptoProvider = exports.NodeCryptoProvider = exports.keyPairAlgorithmParams = exports.DirectEncryptionProvider = exports.Converters = exports.KeyStore = exports.Constants = void 0;
 /**
  * Crypto utilities for encrypted file handling and key management.
  * @packageDocumentation
@@ -74,6 +74,9 @@ exports.Converters = Converters;
 // Direct encryption provider
 var directEncryptionProvider_1 = require("./directEncryptionProvider");
 Object.defineProperty(exports, "DirectEncryptionProvider", { enumerable: true, get: function () { return directEncryptionProvider_1.DirectEncryptionProvider; } });
+// WebCrypto parameter table for asymmetric keypair algorithms
+var keyPairAlgorithmParams_1 = require("./keyPairAlgorithmParams");
+Object.defineProperty(exports, "keyPairAlgorithmParams", { enumerable: true, get: function () { return keyPairAlgorithmParams_1.keyPairAlgorithmParams; } });
 // Node.js crypto provider (Node.js environment only)
 var nodeCryptoProvider_1 = require("./nodeCryptoProvider");
 Object.defineProperty(exports, "NodeCryptoProvider", { enumerable: true, get: function () { return nodeCryptoProvider_1.NodeCryptoProvider; } });

package/lib/packlets/crypto-utils/keyPairAlgorithmParams.d.ts

@@ -0,0 +1,39 @@
+import { KeyPairAlgorithm } from './model';
+/**
+ * WebCrypto parameters for a single {@link CryptoUtils.KeyPairAlgorithm}.
+ * Implementations of {@link CryptoUtils.ICryptoProvider} use this table to
+ * translate the small public algorithm enum into the WebCrypto algorithm
+ * objects and key-usage arrays expected by `crypto.subtle`.
+ * @public
+ */
+export interface IKeyPairAlgorithmParams {
+    /**
+     * Algorithm parameters for `crypto.subtle.generateKey`. Always an asymmetric
+     * variant — these algorithms produce a `CryptoKeyPair`, not a single key.
+     */
+    readonly generateKey: RsaHashedKeyGenParams | EcKeyGenParams;
+    /**
+     * Algorithm parameters for `crypto.subtle.importKey('jwk', ...)` when
+     * importing the public half of a keypair.
+     */
+    readonly importPublicKey: RsaHashedImportParams | EcKeyImportParams;
+    /**
+     * Default key usages for the generated `CryptoKeyPair`. Both halves receive
+     * the usages WebCrypto considers valid for their role; the platform filters.
+     */
+    readonly keyPairUsages: ReadonlyArray<KeyUsage>;
+    /**
+     * Key usages applied when re-importing only the public key.
+     */
+    readonly publicKeyUsages: ReadonlyArray<KeyUsage>;
+}
+/**
+ * Lookup table from {@link CryptoUtils.KeyPairAlgorithm} to the WebCrypto
+ * parameters needed to drive `crypto.subtle`. Shared between every
+ * {@link CryptoUtils.ICryptoProvider} implementation since both Node and
+ * browser providers speak the same WebCrypto API. Exposed for downstream
+ * provider implementations (e.g. browser-side providers in `@fgv/ts-web-extras`).
+ * @public
+ */
+export declare const keyPairAlgorithmParams: Readonly<Record<KeyPairAlgorithm, IKeyPairAlgorithmParams>>;
+//# sourceMappingURL=keyPairAlgorithmParams.d.ts.map

package/lib/packlets/crypto-utils/keyPairAlgorithmParams.js

@@ -0,0 +1,50 @@
+"use strict";
+// Copyright (c) 2026 Erik Fortune
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.keyPairAlgorithmParams = void 0;
+/**
+ * Lookup table from {@link CryptoUtils.KeyPairAlgorithm} to the WebCrypto
+ * parameters needed to drive `crypto.subtle`. Shared between every
+ * {@link CryptoUtils.ICryptoProvider} implementation since both Node and
+ * browser providers speak the same WebCrypto API. Exposed for downstream
+ * provider implementations (e.g. browser-side providers in `@fgv/ts-web-extras`).
+ * @public
+ */
+exports.keyPairAlgorithmParams = {
+    'ecdsa-p256': {
+        generateKey: { name: 'ECDSA', namedCurve: 'P-256' },
+        importPublicKey: { name: 'ECDSA', namedCurve: 'P-256' },
+        keyPairUsages: ['sign', 'verify'],
+        publicKeyUsages: ['verify']
+    },
+    'rsa-oaep-2048': {
+        generateKey: {
+            name: 'RSA-OAEP',
+            modulusLength: 2048,
+            publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+            hash: 'SHA-256'
+        },
+        importPublicKey: { name: 'RSA-OAEP', hash: 'SHA-256' },
+        keyPairUsages: ['encrypt', 'decrypt'],
+        publicKeyUsages: ['encrypt']
+    }
+};
+//# sourceMappingURL=keyPairAlgorithmParams.js.map

package/lib/packlets/crypto-utils/keystore/converters.d.ts

@@ -1,21 +1,83 @@
-import { Converter } from '@fgv/ts-utils';
-import { IKeyStoreFile, IKeyStoreSecretEntryJson, IKeyStoreVaultContents, KeyStoreFormat, KeyStoreSecretType } from './model';
+import { Converter, Validator } from '@fgv/ts-utils';
+import { IKeyStoreAsymmetricEntryJson, IKeyStoreEntryJson, IKeyStoreFile, IKeyStoreSymmetricEntryJson, IKeyStoreVaultContents, KeyPairAlgorithm, KeyStoreAsymmetricSecretType, KeyStoreFormat, KeyStoreSecretType, KeyStoreSymmetricSecretType } from './model';
 /**
  * Converter for {@link CryptoUtils.KeyStore.KeyStoreFormat | key store format} version.
  * @public
  */
 export declare const keystoreFormat: Converter<KeyStoreFormat>;
 /**
- * Converter for {@link CryptoUtils.KeyStore.KeyStoreSecretType | key store secret type} discriminator.
+ * Converter for {@link CryptoUtils.KeyStore.KeyStoreSecretType | any key store secret type} discriminator.
+ * Accepts both symmetric and asymmetric type values.
  * @public
  */
 export declare const keystoreSecretType: Converter<KeyStoreSecretType>;
 /**
- * Converter for {@link CryptoUtils.KeyStore.IKeyStoreSecretEntryJson | key store secret entry} in JSON format.
- * The `type` field is optional for backwards compatibility — missing means `'encryption-key'`.
+ * Converter for {@link CryptoUtils.KeyStore.KeyStoreSymmetricSecretType | symmetric secret type} discriminator.
+ * Accepts only `'encryption-key'` and `'api-key'`.
  * @public
  */
-export declare const keystoreSecretEntryJson: Converter<IKeyStoreSecretEntryJson>;
+export declare const keystoreSymmetricSecretType: Converter<KeyStoreSymmetricSecretType>;
+/**
+ * Converter for {@link CryptoUtils.KeyStore.KeyStoreAsymmetricSecretType | asymmetric secret type} discriminator.
+ * Accepts only `'asymmetric-keypair'`.
+ * @public
+ */
+export declare const keystoreAsymmetricSecretType: Converter<KeyStoreAsymmetricSecretType>;
+/**
+ * Converter for {@link CryptoUtils.KeyStore.KeyPairAlgorithm | key pair algorithm}.
+ * @public
+ */
+export declare const keyPairAlgorithm: Converter<KeyPairAlgorithm>;
+/**
+ * In-place shape check for a JSON Web Key. Asserts only that the input is a
+ * non-array object whose `kty` discriminator is a string; every other JWK
+ * field passes through untouched. This is intentionally **not** a true JWK
+ * validator — per-algorithm correctness (RSA `n`/`e`, EC `crv`/`x`/`y`,
+ * key-size constraints, etc.) is delegated to `crypto.subtle.importKey` at
+ * first use, which is the authoritative checker. The "shape" suffix in the
+ * name is the warning sign for readers expecting full validation.
+ * @remarks
+ * Built with `Validators.object` (in-place, non-strict) so unknown JWK fields
+ * survive the round-trip; the cast to `FieldValidators<JsonWebKey>` is required
+ * only because TypeScript's mapped type demands an entry for every key in
+ * `JsonWebKey`. At runtime the `ObjectValidator` only inspects keys present in
+ * the field-validators map.
+ * @public
+ */
+export declare const jsonWebKeyShape: Validator<JsonWebKey>;
+/**
+ * Converter for {@link CryptoUtils.KeyStore.IKeyStoreSymmetricEntryJson | symmetric secret entry} in JSON form.
+ *
+ * @remarks
+ * Backwards compatibility with vaults written before asymmetric-keypair
+ * support: those entries may lack the `type` discriminator on the wire. To
+ * keep the model type honest (`type` is required on
+ * {@link CryptoUtils.KeyStore.IKeyStoreSymmetricEntryJson}, see its docs),
+ * we declare `type` in `optionalFields` so the inner `Converters.object` will
+ * accept input without it, then `.map()` injects the default
+ * `'encryption-key'` when missing. The output therefore always carries the
+ * discriminator and downstream code never sees the legacy missing-type form.
+ *
+ * @public
+ */
+export declare const keystoreSymmetricEntryJson: Converter<IKeyStoreSymmetricEntryJson>;
+/**
+ * Converter for {@link CryptoUtils.KeyStore.IKeyStoreAsymmetricEntryJson | asymmetric keypair entry} in JSON form.
+ * The `publicKeyJwk` field passes through {@link CryptoUtils.KeyStore.Converters.jsonWebKeyShape | jsonWebKeyShape}
+ * (shape check only — see its docs); cryptographic correctness is enforced by
+ * `crypto.subtle.importKey` at use.
+ * @public
+ */
+export declare const keystoreAsymmetricEntryJson: Converter<IKeyStoreAsymmetricEntryJson>;
+/**
+ * Discriminated-union converter for any {@link CryptoUtils.KeyStore.IKeyStoreEntryJson | key store entry} in JSON form.
+ * Routes by the `type` field: `'asymmetric-keypair'` is parsed by
+ * {@link CryptoUtils.KeyStore.Converters.keystoreAsymmetricEntryJson | keystoreAsymmetricEntryJson},
+ * anything else (including a missing `type` field for backwards compatibility) by
+ * {@link CryptoUtils.KeyStore.Converters.keystoreSymmetricEntryJson | keystoreSymmetricEntryJson}.
+ * @public
+ */
+export declare const keystoreSecretEntryJson: Converter<IKeyStoreEntryJson>;
 /**
  * Converter for {@link CryptoUtils.KeyStore.IKeyStoreVaultContents | key store vault contents} (decrypted state).
  * @public

package/lib/packlets/crypto-utils/keystore/converters.js

@@ -19,7 +19,7 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.keystoreFile = exports.keystoreVaultContents = exports.keystoreSecretEntryJson = exports.keystoreSecretType = exports.keystoreFormat = void 0;
+exports.keystoreFile = exports.keystoreVaultContents = exports.keystoreSecretEntryJson = exports.keystoreAsymmetricEntryJson = exports.keystoreSymmetricEntryJson = exports.jsonWebKeyShape = exports.keyPairAlgorithm = exports.keystoreAsymmetricSecretType = exports.keystoreSymmetricSecretType = exports.keystoreSecretType = exports.keystoreFormat = void 0;
 const ts_utils_1 = require("@fgv/ts-utils");
 const converters_1 = require("../converters");
 const model_1 = require("./model");
@@ -34,31 +34,123 @@ exports.keystoreFormat = ts_utils_1.Converters.enumeratedValue([
     model_1.KEYSTORE_FORMAT
 ]);
 // ============================================================================
-// Secret Type Converter
+// Secret Type Converters
 // ============================================================================
 /**
- * Converter for {@link CryptoUtils.KeyStore.KeyStoreSecretType | key store secret type} discriminator.
+ * Converter for {@link CryptoUtils.KeyStore.KeyStoreSecretType | any key store secret type} discriminator.
+ * Accepts both symmetric and asymmetric type values.
  * @public
  */
 exports.keystoreSecretType = ts_utils_1.Converters.enumeratedValue(model_1.allKeyStoreSecretTypes);
+/**
+ * Converter for {@link CryptoUtils.KeyStore.KeyStoreSymmetricSecretType | symmetric secret type} discriminator.
+ * Accepts only `'encryption-key'` and `'api-key'`.
+ * @public
+ */
+exports.keystoreSymmetricSecretType = ts_utils_1.Converters.enumeratedValue(model_1.allKeyStoreSymmetricSecretTypes);
+/**
+ * Converter for {@link CryptoUtils.KeyStore.KeyStoreAsymmetricSecretType | asymmetric secret type} discriminator.
+ * Accepts only `'asymmetric-keypair'`.
+ * @public
+ */
+exports.keystoreAsymmetricSecretType = ts_utils_1.Converters.enumeratedValue(model_1.allKeyStoreAsymmetricSecretTypes);
+// ============================================================================
+// Key Pair Algorithm Converter
+// ============================================================================
+/**
+ * Converter for {@link CryptoUtils.KeyStore.KeyPairAlgorithm | key pair algorithm}.
+ * @public
+ */
+exports.keyPairAlgorithm = ts_utils_1.Converters.enumeratedValue(model_1.allKeyPairAlgorithms);
 // ============================================================================
-// Secret Entry Converters
+// JWK Shape Validator
 // ============================================================================
 /**
- * Converter for {@link CryptoUtils.KeyStore.IKeyStoreSecretEntryJson | key store secret entry} in JSON format.
- * The `type` field is optional for backwards compatibility — missing means `'encryption-key'`.
+ * In-place shape check for a JSON Web Key. Asserts only that the input is a
+ * non-array object whose `kty` discriminator is a string; every other JWK
+ * field passes through untouched. This is intentionally **not** a true JWK
+ * validator — per-algorithm correctness (RSA `n`/`e`, EC `crv`/`x`/`y`,
+ * key-size constraints, etc.) is delegated to `crypto.subtle.importKey` at
+ * first use, which is the authoritative checker. The "shape" suffix in the
+ * name is the warning sign for readers expecting full validation.
+ * @remarks
+ * Built with `Validators.object` (in-place, non-strict) so unknown JWK fields
+ * survive the round-trip; the cast to `FieldValidators<JsonWebKey>` is required
+ * only because TypeScript's mapped type demands an entry for every key in
+ * `JsonWebKey`. At runtime the `ObjectValidator` only inspects keys present in
+ * the field-validators map.
  * @public
  */
-exports.keystoreSecretEntryJson = ts_utils_1.Converters.object({
+exports.jsonWebKeyShape = ts_utils_1.Validators.object({
+    kty: ts_utils_1.Validators.string
+});
+// ============================================================================
+// Symmetric Secret Entry Converter
+// ============================================================================
+/**
+ * Converter for {@link CryptoUtils.KeyStore.IKeyStoreSymmetricEntryJson | symmetric secret entry} in JSON form.
+ *
+ * @remarks
+ * Backwards compatibility with vaults written before asymmetric-keypair
+ * support: those entries may lack the `type` discriminator on the wire. To
+ * keep the model type honest (`type` is required on
+ * {@link CryptoUtils.KeyStore.IKeyStoreSymmetricEntryJson}, see its docs),
+ * we declare `type` in `optionalFields` so the inner `Converters.object` will
+ * accept input without it, then `.map()` injects the default
+ * `'encryption-key'` when missing. The output therefore always carries the
+ * discriminator and downstream code never sees the legacy missing-type form.
+ *
+ * @public
+ */
+exports.keystoreSymmetricEntryJson = ts_utils_1.Converters.object({
     name: ts_utils_1.Converters.string,
-    type: exports.keystoreSecretType,
+    type: exports.keystoreSymmetricSecretType,
     key: converters_1.base64String,
     description: ts_utils_1.Converters.string,
     createdAt: ts_utils_1.Converters.string
 }, {
+    // `type` is optional at the input layer for legacy-vault compatibility;
+    // the .map() below normalizes by injecting the default.
     optionalFields: ['type', 'description']
+}).map((entry) => {
+    var _a;
+    return (0, ts_utils_1.succeed)(Object.assign(Object.assign({}, entry), { type: (_a = entry.type) !== null && _a !== void 0 ? _a : 'encryption-key' }));
 });
 // ============================================================================
+// Asymmetric Keypair Entry Converter
+// ============================================================================
+/**
+ * Converter for {@link CryptoUtils.KeyStore.IKeyStoreAsymmetricEntryJson | asymmetric keypair entry} in JSON form.
+ * The `publicKeyJwk` field passes through {@link CryptoUtils.KeyStore.Converters.jsonWebKeyShape | jsonWebKeyShape}
+ * (shape check only — see its docs); cryptographic correctness is enforced by
+ * `crypto.subtle.importKey` at use.
+ * @public
+ */
+exports.keystoreAsymmetricEntryJson = ts_utils_1.Converters.object({
+    name: ts_utils_1.Converters.string,
+    type: exports.keystoreAsymmetricSecretType,
+    id: ts_utils_1.Converters.string,
+    algorithm: exports.keyPairAlgorithm,
+    publicKeyJwk: exports.jsonWebKeyShape,
+    description: ts_utils_1.Converters.string.optional(),
+    createdAt: ts_utils_1.Converters.string
+});
+// ============================================================================
+// Discriminated-Union Entry Converter
+// ============================================================================
+/**
+ * Discriminated-union converter for any {@link CryptoUtils.KeyStore.IKeyStoreEntryJson | key store entry} in JSON form.
+ * Routes by the `type` field: `'asymmetric-keypair'` is parsed by
+ * {@link CryptoUtils.KeyStore.Converters.keystoreAsymmetricEntryJson | keystoreAsymmetricEntryJson},
+ * anything else (including a missing `type` field for backwards compatibility) by
+ * {@link CryptoUtils.KeyStore.Converters.keystoreSymmetricEntryJson | keystoreSymmetricEntryJson}.
+ * @public
+ */
+exports.keystoreSecretEntryJson = ts_utils_1.Converters.oneOf([
+    exports.keystoreAsymmetricEntryJson,
+    exports.keystoreSymmetricEntryJson
+]);
+// ============================================================================
 // Vault Contents Converter
 // ============================================================================
 /**

package/lib/packlets/crypto-utils/keystore/index.d.ts

@@ -3,6 +3,7 @@
  * @packageDocumentation
  */
 export * from './model';
+export * from './privateKeyStorage';
 import * as Converters from './converters';
 export { Converters };
 export { KeyStore } from './keyStore';

package/lib/packlets/crypto-utils/keystore/index.js

@@ -62,6 +62,7 @@ exports.KeyStore = exports.Converters = void 0;
  */
 // Types and interfaces
 __exportStar(require("./model"), exports);
+__exportStar(require("./privateKeyStorage"), exports);
 // Converters namespace
 const Converters = __importStar(require("./converters"));
 exports.Converters = Converters;

package/lib/packlets/crypto-utils/keystore/keyStore.d.ts

@@ -1,7 +1,7 @@
 import { JsonValue } from '@fgv/ts-json-base';
 import { Result } from '@fgv/ts-utils';
 import { ICryptoProvider, IEncryptedFile, IEncryptionConfig, IEncryptionProvider, SecretProvider } from '../model';
-import { IAddSecretFromPasswordOptions, IAddSecretFromPasswordResult, IAddSecretOptions, IAddSecretResult, IImportKeyOptions, IImportSecretOptions, IKeyStoreCreateParams, IKeyStoreFile, IKeyStoreOpenParams, IKeyStoreSecretEntry, KeyStoreLockState, KeyStoreSecretType } from './model';
+import { IAddKeyPairOptions, IAddKeyPairResult, IAddSecretFromPasswordOptions, IAddSecretFromPasswordResult, IAddSecretOptions, IAddSecretResult, IImportKeyOptions, IImportSecretOptions, IKeyStoreCreateParams, IKeyStoreEntry, IKeyStoreFile, IKeyStoreOpenParams, IRemoveSecretResult, KeyStoreLockState, KeyStoreSecretType } from './model';
 /**
  * Password-protected key store for managing encryption secrets.
  *
@@ -35,6 +35,7 @@ import { IAddSecretFromPasswordOptions, IAddSecretFromPasswordResult, IAddSecret
  */
 export declare class KeyStore implements IEncryptionProvider {
     private readonly _cryptoProvider;
+    private readonly _privateKeyStorage;
     private readonly _iterations;
     private _keystoreFile;
     private _salt;
@@ -133,12 +134,23 @@ export declare class KeyStore implements IEncryptionProvider {
      */
     listSecrets(): Result<readonly string[]>;
     /**
-     * Gets a secret by name.
+     * Gets a secret by name. Returns the {@link CryptoUtils.KeyStore.IKeyStoreEntry | discriminated union}
+     * — callers must check `entry.type` before accessing `key`/`id` since asymmetric
+     * entries carry no raw key material.
      * @param name - Name of the secret
      * @returns Success with secret entry, Failure if not found or locked
      * @public
      */
-    getSecret(name: string): Result<IKeyStoreSecretEntry>;
+    getSecret(name: string): Result<IKeyStoreEntry>;
+    /**
+     * Returns the public-key JWK for an asymmetric-keypair entry.
+     * Available without {@link CryptoUtils.KeyStore.IPrivateKeyStorage} since the
+     * public key lives in the vault metadata directly.
+     * @param name - Name of the entry
+     * @returns Success with the JWK, Failure if not found, locked, or wrong type
+     * @public
+     */
+    getPublicKeyJwk(name: string): Result<JsonWebKey>;
     /**
      * Checks if a secret exists.
      * @param name - Name of the secret
@@ -168,7 +180,7 @@ export declare class KeyStore implements IEncryptionProvider {
      * @returns Success with entry, Failure if locked, key invalid, or exists and !replace
      * @public
      */
-    importSecret(name: string, key: Uint8Array, options?: IImportKeyOptions): Result<IAddSecretResult>;
+    importSecret(name: string, key: Uint8Array, options?: IImportKeyOptions): Promise<Result<IAddSecretResult>>;
     /**
      * Adds a secret derived from a password using PBKDF2.
      *
@@ -185,12 +197,16 @@ export declare class KeyStore implements IEncryptionProvider {
      */
     addSecretFromPassword(name: string, password: string, options?: IAddSecretFromPasswordOptions): Promise<Result<IAddSecretFromPasswordResult>>;
     /**
-     * Removes a secret by name.
+     * Removes a secret by name. Vault-first: the in-memory vault entry is dropped
+     * before any storage cleanup runs. For asymmetric-keypair entries, best-effort
+     * calls {@link CryptoUtils.KeyStore.IPrivateKeyStorage}.delete on the entry's
+     * `id`; a failure is reported via `warning` on the result but does not roll
+     * back the vault removal.
      * @param name - Name of the secret to remove
-     * @returns Success with removed entry, Failure if not found or locked
+     * @returns Success with removed entry (and optional warning), Failure if not found or locked
      * @public
      */
-    removeSecret(name: string): Result<IKeyStoreSecretEntry>;
+    removeSecret(name: string): Promise<Result<IRemoveSecretResult>>;
     /**
      * Imports an API key string into the vault.
      * The string is UTF-8 encoded and stored with type `'api-key'`.
@@ -200,7 +216,7 @@ export declare class KeyStore implements IEncryptionProvider {
      * @returns Success with entry, Failure if locked, empty, or exists and !replace
      * @public
      */
-    importApiKey(name: string, apiKey: string, options?: IImportSecretOptions): Result<IAddSecretResult>;
+    importApiKey(name: string, apiKey: string, options?: IImportSecretOptions): Promise<Result<IAddSecretResult>>;
     /**
      * Retrieves an API key string by name.
      * Only works for secrets with type `'api-key'`.
@@ -209,6 +225,41 @@ export declare class KeyStore implements IEncryptionProvider {
      * @public
      */
     getApiKey(name: string): Result<string>;
+    /**
+     * Adds a new asymmetric keypair to the vault. Storage-first: the private key
+     * is stored under a freshly-minted `id` before the public-key vault entry is
+     * committed. If the storage call fails, no vault entry is written and the
+     * operation returns Failure.
+     *
+     * When `replace: true` displaces an existing entry (asymmetric or symmetric),
+     * a fresh `id` is minted; the displaced entry's resources are released
+     * best-effort. Failure of the storage delete is reported via `warning` on the
+     * result but does not roll back the replacement.
+     *
+     * Requires a {@link CryptoUtils.KeyStore.IPrivateKeyStorage} backend
+     * supplied at construction.
+     *
+     * @param name - Unique name for the entry
+     * @param options - Algorithm, optional description, replace flag
+     * @returns Success with the new entry, Failure if locked, no provider, or storage write failed
+     * @public
+     */
+    addKeyPair(name: string, options: IAddKeyPairOptions): Promise<Result<IAddKeyPairResult>>;
+    /**
+     * Retrieves the keypair for an asymmetric-keypair entry. The private key is
+     * loaded from {@link CryptoUtils.KeyStore.IPrivateKeyStorage} on every call —
+     * the keystore never caches private `CryptoKey` references between calls.
+     * The public key is re-imported from the vault's JWK so callers always
+     * receive a `CryptoKey` rather than the JWK form.
+     * @param name - Name of the entry
+     * @returns Success with `{ publicKey, privateKey }`, Failure if not found,
+     * locked, wrong type, no provider, or storage load failed.
+     * @public
+     */
+    getKeyPair(name: string): Promise<Result<{
+        publicKey: CryptoKey;
+        privateKey: CryptoKey;
+    }>>;
     /**
      * Lists secret names filtered by type.
      * @param type - The secret type to filter by
@@ -223,7 +274,7 @@ export declare class KeyStore implements IEncryptionProvider {
      * @returns Success with updated entry, Failure if source not found, target exists, or locked
      * @public
      */
-    renameSecret(oldName: string, newName: string): Result<IKeyStoreSecretEntry>;
+    renameSecret(oldName: string, newName: string): Result<IKeyStoreEntry>;
     /**
      * Saves the key store, returning the encrypted file content.
      * Requires the master password to encrypt.
@@ -280,5 +331,22 @@ export declare class KeyStore implements IEncryptionProvider {
      * Shared by `unlock()` and `unlockWithKey()`.
      */
     private _decryptVault;
+    /**
+     * Releases the resources held by an entry being displaced from the vault.
+     * Symmetric entries get their key buffer zeroed in place. Asymmetric entries
+     * have their private-key blob best-effort deleted from
+     * {@link CryptoUtils.KeyStore.IPrivateKeyStorage}; if the storage call fails,
+     * a warning string is returned but the displacement still proceeds — the
+     * orphaned blob is left for consumer-side GC. Without a configured provider,
+     * asymmetric cleanup is silently skipped.
+     * @returns A warning string if storage cleanup failed, otherwise undefined.
+     */
+    private _releaseEntryResources;
+    /**
+     * Mints a fresh UUID v4 storage handle using the crypto provider's
+     * {@link CryptoUtils.ICryptoProvider.generateRandomBytes | generateRandomBytes}.
+     * Random-bytes failures propagate as Failure.
+     */
+    private _generateId;
 }
 //# sourceMappingURL=keyStore.d.ts.map