npm - @fgv/ts-extras - Versions diffs - 5.1.0-31 → 5.1.0-33 - Mend

@fgv/ts-extras 5.1.0-31 → 5.1.0-33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/dist/packlets/crypto-utils/index.browser.js CHANGED Viewed

@@ -26,8 +26,9 @@
 export * from './model';
 // Constants
 export { AES_256_KEY_SIZE, DEFAULT_ALGORITHM, ENCRYPTED_FILE_FORMAT, GCM_AUTH_TAG_SIZE, GCM_IV_SIZE } from './constants';
-// KeyStore namespace
-import * as KeyStore from './keystore';
+// KeyStore namespace (browser-safe barrel — omits the Node-only
+// EncryptedFilePrivateKeyStorage so the browser entry stays free of node:crypto)
+import * as KeyStore from './keystore/index.browser';
 export { KeyStore };
 // Converters namespace
 import * as Converters from './converters';

package/dist/packlets/crypto-utils/index.browser.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.browser.js","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/index.browser.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ;;;;GAIG;AAEH,iCAAiC;AACjC,cAAc,SAAS,CAAC;AAExB,YAAY;AACZ,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,WAAW,EACZ,MAAM,aAAa,CAAC;AAErB,~~qBAAqB~~;~~AACrB~~,OAAO,KAAK,QAAQ,MAAM,~~YAAY~~,CAAC;~~AACvC~~,OAAO,EAAE,QAAQ,EAAE,CAAC;AAEpB,uBAAuB;AACvB,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,CAAC;AAEtB,6BAA6B;AAC7B,OAAO,EAAE,wBAAwB,EAAmC,MAAM,4BAA4B,CAAC;AAEvG,8DAA8D;AAC9D,OAAO,EAA2B,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAE3F,8DAA8D;AAC9D,4DAA4D;AAE5D,yBAAyB;AACzB,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,UAAU,EAEV,QAAQ,EACR,cAAc,EACf,MAAM,iBAAiB,CAAC;AAEzB,yBAAyB;AACzB,OAAO,EACL,8BAA8B,EAC9B,gCAAgC,EAChC,wBAAwB,EACxB,wBAAwB,EACzB,MAAM,eAAe,CAAC;AAEvB,qFAAqF;AACrF,uFAAuF;AACvF,OAAO,EAAE,YAAY,EAAmB,MAAM,gBAAgB,CAAC","sourcesContent":["// Copyright (c) 2024 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\n/*\n Crypto utilities for encrypted file handling and key management (browser version).\n * Note: For browser crypto provider, use \\@fgv/ts-web-extras.\n * @packageDocumentation\n /\n\n// Re-export all types from model\nexport from './model';\n\n// Constants\nexport {\n AES_256_KEY_SIZE,\n DEFAULT_ALGORITHM,\n ENCRYPTED_FILE_FORMAT,\n GCM_AUTH_TAG_SIZE,\n GCM_IV_SIZE\n} from './constants';\n\n// KeyStore namespace\nimport * as KeyStore from './keystore';\nexport { KeyStore };\n\n// Converters namespace\nimport * as Converters from './converters';\nexport { Converters };\n\n// Direct encryption provider\nexport { DirectEncryptionProvider, IDirectEncryptionProviderParams } from './directEncryptionProvider';\n\n// WebCrypto parameter table for asymmetric keypair algorithms\nexport { IKeyPairAlgorithmParams, keyPairAlgorithmParams } from './keyPairAlgorithmParams';\n\n// Note: NodeCryptoProvider is NOT exported in browser version\n// Use BrowserCryptoProvider from @fgv/ts-web-extras instead\n\n// Encrypted file helpers\nexport {\n createEncryptedFile,\n decryptFile,\n fromBase64,\n ICreateEncryptedFileParams,\n toBase64,\n tryDecryptFile\n} from './encryptedFile';\n\n// Multibase/SPKI helpers\nexport {\n exportPublicKeyAsMultibaseSpki,\n importPublicKeyFromMultibaseSpki,\n multibaseBase64UrlDecode,\n multibaseBase64UrlEncode\n} from './spkiHelpers';\n\n// HPKE base mode (RFC 9180) — DHKEM(X25519, HKDF-SHA256) + HKDF-SHA256 + AES-256-GCM\n// hpkeProvider.ts has no Node-specific imports and is safe in the browser entry point.\nexport { HpkeProvider, IHpkeSealResult } from './hpkeProvider';\n"]}
1	+ {"version":3,"file":"index.browser.js","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/index.browser.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ;;;;GAIG;AAEH,iCAAiC;AACjC,cAAc,SAAS,CAAC;AAExB,YAAY;AACZ,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,WAAW,EACZ,MAAM,aAAa,CAAC;AAErB,gEAAgE;AAChE,iFAAiF;AACjF,OAAO,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,CAAC;AAEpB,uBAAuB;AACvB,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,CAAC;AAEtB,6BAA6B;AAC7B,OAAO,EAAE,wBAAwB,EAAmC,MAAM,4BAA4B,CAAC;AAEvG,8DAA8D;AAC9D,OAAO,EAA2B,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAE3F,8DAA8D;AAC9D,4DAA4D;AAE5D,yBAAyB;AACzB,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,UAAU,EAEV,QAAQ,EACR,cAAc,EACf,MAAM,iBAAiB,CAAC;AAEzB,yBAAyB;AACzB,OAAO,EACL,8BAA8B,EAC9B,gCAAgC,EAChC,wBAAwB,EACxB,wBAAwB,EACzB,MAAM,eAAe,CAAC;AAEvB,qFAAqF;AACrF,uFAAuF;AACvF,OAAO,EAAE,YAAY,EAAmB,MAAM,gBAAgB,CAAC","sourcesContent":["// Copyright (c) 2024 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\n/*\n Crypto utilities for encrypted file handling and key management (browser version).\n * Note: For browser crypto provider, use \\@fgv/ts-web-extras.\n * @packageDocumentation\n /\n\n// Re-export all types from model\nexport from './model';\n\n// Constants\nexport {\n AES_256_KEY_SIZE,\n DEFAULT_ALGORITHM,\n ENCRYPTED_FILE_FORMAT,\n GCM_AUTH_TAG_SIZE,\n GCM_IV_SIZE\n} from './constants';\n\n// KeyStore namespace (browser-safe barrel — omits the Node-only\n// EncryptedFilePrivateKeyStorage so the browser entry stays free of node:crypto)\nimport * as KeyStore from './keystore/index.browser';\nexport { KeyStore };\n\n// Converters namespace\nimport * as Converters from './converters';\nexport { Converters };\n\n// Direct encryption provider\nexport { DirectEncryptionProvider, IDirectEncryptionProviderParams } from './directEncryptionProvider';\n\n// WebCrypto parameter table for asymmetric keypair algorithms\nexport { IKeyPairAlgorithmParams, keyPairAlgorithmParams } from './keyPairAlgorithmParams';\n\n// Note: NodeCryptoProvider is NOT exported in browser version\n// Use BrowserCryptoProvider from @fgv/ts-web-extras instead\n\n// Encrypted file helpers\nexport {\n createEncryptedFile,\n decryptFile,\n fromBase64,\n ICreateEncryptedFileParams,\n toBase64,\n tryDecryptFile\n} from './encryptedFile';\n\n// Multibase/SPKI helpers\nexport {\n exportPublicKeyAsMultibaseSpki,\n importPublicKeyFromMultibaseSpki,\n multibaseBase64UrlDecode,\n multibaseBase64UrlEncode\n} from './spkiHelpers';\n\n// HPKE base mode (RFC 9180) — DHKEM(X25519, HKDF-SHA256) + HKDF-SHA256 + AES-256-GCM\n// hpkeProvider.ts has no Node-specific imports and is safe in the browser entry point.\nexport { HpkeProvider, IHpkeSealResult } from './hpkeProvider';\n"]}

package/dist/packlets/crypto-utils/keystore/encryptedFilePrivateKeyStorage.js ADDED Viewed

@@ -0,0 +1,287 @@
+// Copyright (c) 2026 Erik Fortune
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+import * as crypto from 'crypto';
+import { captureAsyncResult, captureResult, Converters, fail, succeed } from '@fgv/ts-utils';
+import { FileTree } from '@fgv/ts-json-base';
+import { createEncryptedFile, tryDecryptFile } from '../encryptedFile';
+import { keyPairAlgorithmParams } from '../keyPairAlgorithmParams';
+import * as Constants from '../constants';
+import { jsonWebKeyShape, keyPairAlgorithm } from './converters';
+const envelopeConverter = Converters.object({
+    algorithm: keyPairAlgorithm,
+    jwk: Converters.string
+});
+// WebCrypto key usages that only ever apply to a public key. Filtering these
+// out of the keypair usages yields the usages valid for the private half, which
+// `crypto.subtle.importKey` requires when re-importing a private JWK.
+const PUBLIC_ONLY_USAGES = ['verify', 'encrypt', 'wrapKey'];
+// Safe-filename id production. The keystore mints UUIDv4 handles, which match;
+// arbitrary consumer-supplied ids that could escape the storage directory are
+// rejected rather than silently mangled.
+const SAFE_ID = /^[A-Za-z0-9._-]+$/;
+const FILE_SUFFIX = '.json';
+/**
+ * {@link CryptoUtils.KeyStore.IPrivateKeyStorage | IPrivateKeyStorage}
+ * implementation that persists each private key as its own AES-256-GCM-encrypted
+ * file in a directory. The file content is the key's JWK, encrypted with a
+ * consumer-supplied 32-byte key via the supplied
+ * {@link CryptoUtils.ICryptoProvider | crypto provider}.
+ *
+ * `supportsNonExtractable` is `false`: persisting to disk requires exporting the
+ * private key to JWK, which only works for `extractable: true` keys. The
+ * keystore generates extractable keys when a backend reports `false` here.
+ *
+ * I/O goes through the {@link FileTree.FileTree | FileTree} abstraction (default
+ * `FsTree`), so the same implementation works against an in-memory tree (tests)
+ * or any other Node-compatible backend.
+ *
+ * This backend is **Node-only**: it round-trips private keys through
+ * `node:crypto` (`crypto.webcrypto.subtle`), so it is intentionally excluded
+ * from the browser entry point. Browser consumers should use
+ * `IdbPrivateKeyStorage` from `@fgv/ts-web-extras` instead.
+ *
+ * Single-process assumption: there is no inter-process locking. Concurrent
+ * writers to the same directory may race.
+ *
+ * @public
+ */
+export class EncryptedFilePrivateKeyStorage {
+    constructor(directory, encryptionKey, cryptoProvider) {
+        /**
+         * `false` — disk persistence round-trips via JWK, which requires extractable
+         * keys.
+         */
+        this.supportsNonExtractable = false;
+        this._directory = directory;
+        // Clone so the instance holds an immutable snapshot — callers that later
+        // reuse or zero their buffer must not be able to mutate our key.
+        this._encryptionKey = Uint8Array.from(encryptionKey);
+        this._cryptoProvider = cryptoProvider;
+    }
+    /**
+     * Creates a new {@link CryptoUtils.KeyStore.EncryptedFilePrivateKeyStorage}.
+     * @param params - {@link CryptoUtils.KeyStore.IEncryptedFilePrivateKeyStorageCreateParams}.
+     * @returns `Success` with the new instance, or `Failure` if the encryption
+     * key is the wrong size or the storage directory cannot be opened.
+     */
+    static create(params) {
+        const { directory, encryptionKey, cryptoProvider, tree } = params;
+        if (encryptionKey.length !== Constants.AES_256_KEY_SIZE) {
+            return fail(`EncryptedFilePrivateKeyStorage: encryptionKey must be ${Constants.AES_256_KEY_SIZE} bytes, got ${encryptionKey.length}`);
+        }
+        if (tree !== undefined) {
+            return succeed(new EncryptedFilePrivateKeyStorage(tree, encryptionKey, cryptoProvider));
+        }
+        return FileTree.forFilesystem({ mutable: true })
+            .onSuccess((ft) => ft.getDirectory(directory))
+            .withErrorFormat((msg) => `EncryptedFilePrivateKeyStorage: failed to open '${directory}': ${msg}`)
+            .onSuccess((dir) => succeed(new EncryptedFilePrivateKeyStorage(dir, encryptionKey, cryptoProvider)));
+    }
+    /**
+     * Stores `key` under `id` as an encrypted JWK file.
+     * @param id - Storage handle. Must be a safe filename token
+     * (`[A-Za-z0-9._-]+`, not `.`/`..`).
+     * @param key - The extractable private `CryptoKey` to persist.
+     */
+    async store(id, key) {
+        return this._validateKeyToStore(id, key).thenOnSuccess(({ fileName, algorithm }) => this._encryptAndWrite(algorithm, key, id, fileName));
+    }
+    /**
+     * Loads the private key stored under `id`, decrypting and re-importing it from
+     * JWK.
+     * @param id - Storage handle.
+     */
+    async load(id) {
+        return this._fileNameFor(id)
+            .onSuccess((fileName) => this._findFile(fileName))
+            .onSuccess((file) => file === undefined ? fail(`key not found: '${id}'`) : succeed(file))
+            .thenOnSuccess((file) => this._decryptEnvelope(file, id))
+            .thenOnSuccess((envelope) => this._importPrivateKey(envelope, id));
+    }
+    /**
+     * Deletes the entry stored under `id`. Missing ids fail (the read path is
+     * keystore-driven and never asks to delete an id it did not store).
+     * @param id - Storage handle.
+     */
+    async delete(id) {
+        const fileResult = this._fileNameFor(id).onSuccess((fileName) => this._findFile(fileName).onSuccess((file) => succeed({ fileName, file })));
+        if (fileResult.isFailure()) {
+            return fail(fileResult.message);
+        }
+        if (fileResult.value.file === undefined) {
+            return fail(`key not found: '${id}'`);
+        }
+        /* c8 ignore next 3 - defensive: directory items from read-only adapters lack mutation methods */
+        if (!FileTree.isMutableDirectoryItem(this._directory)) {
+            return fail(`failed to delete private key '${id}': storage directory is not mutable`);
+        }
+        return Promise.resolve(this._directory
+            .deleteChild(fileResult.value.fileName)
+            .withErrorFormat((msg) => `failed to delete private key '${id}': ${msg}`)
+            .onSuccess(() => succeed(id)));
+    }
+    /**
+     * Lists every stored id.
+     */
+    async list() {
+        return Promise.resolve(this._directory.getChildren().onSuccess((children) => {
+            const ids = children
+                .filter((child) => child.type === 'file' && child.name.endsWith(FILE_SUFFIX))
+                .map((child) => child.name.slice(0, -FILE_SUFFIX.length));
+            return succeed(ids);
+        }));
+    }
+    _fileNameFor(id) {
+        if (id === '.' || id === '..' || !SAFE_ID.test(id)) {
+            return fail(`invalid storage id '${id}': must match ${SAFE_ID.source}`);
+        }
+        return succeed(`${id}${FILE_SUFFIX}`);
+    }
+    /**
+     * Validates the synchronous preconditions for a store: the id is filename-safe,
+     * the key is actually a private key, and its algorithm is one we support.
+     * Returns the resolved filename and algorithm so the async pipeline can run
+     * without re-deriving them.
+     */
+    _validateKeyToStore(id, key) {
+        return this._fileNameFor(id).onSuccess((fileName) => {
+            if (key.type !== 'private') {
+                return fail(`failed to store private key '${id}': expected a private key, got '${key.type}'`);
+            }
+            return this._algorithmOf(key)
+                .withErrorFormat((msg) => `failed to store private key '${id}': ${msg}`)
+                .onSuccess((algorithm) => succeed({ fileName, algorithm }));
+        });
+    }
+    /**
+     * Exports `key` to JWK, wraps it in the stored envelope, encrypts it with
+     * AES-256-GCM, and writes the resulting file as serialized JSON to `fileName`.
+     * Returns the stored `id` on success.
+     */
+    async _encryptAndWrite(algorithm, key, id, fileName) {
+        return captureAsyncResult(() => crypto.webcrypto.subtle.exportKey('jwk', key))
+            .withErrorFormat((msg) => `failed to export private key '${id}' to JWK: ${msg}`)
+            .onSuccess((jwk) => succeed({ algorithm, jwk: JSON.stringify(jwk) }))
+            .thenOnSuccess(async (envelope) => (await createEncryptedFile({
+            content: envelope,
+            secretName: id,
+            key: this._encryptionKey,
+            cryptoProvider: this._cryptoProvider
+        })).withErrorFormat((msg) => `failed to encrypt private key '${id}': ${msg}`))
+            .onSuccess((encrypted) => this._writeFile(fileName, JSON.stringify(encrypted)))
+            .onSuccess(() => succeed(id));
+    }
+    _algorithmOf(key) {
+        const alg = key.algorithm;
+        switch (alg.name) {
+            case 'ECDSA':
+            case 'ECDH': {
+                const curve = alg.namedCurve;
+                if (curve !== 'P-256') {
+                    return fail(`unsupported ${alg.name} curve '${curve}' (only P-256 is supported)`);
+                }
+                return succeed(alg.name === 'ECDSA' ? 'ecdsa-p256' : 'ecdh-p256');
+            }
+            case 'RSA-OAEP': {
+                // Only the hash affects the JWK re-import params, so it is the field
+                // that must match; the modulus length is recovered from the key data.
+                const hash = alg.hash.name;
+                if (hash !== 'SHA-256') {
+                    return fail(`unsupported RSA-OAEP hash '${hash}' (only SHA-256 is supported)`);
+                }
+                return succeed('rsa-oaep-2048');
+            }
+            case 'Ed25519':
+                return succeed('ed25519');
+            case 'X25519':
+                return succeed('x25519');
+            default:
+                return fail(`unsupported key algorithm '${alg.name}'`);
+        }
+    }
+    _findFile(fileName) {
+        return this._directory.getChildren().onSuccess((children) => {
+            const found = children.find((child) => child.type === 'file' && child.name === fileName);
+            return succeed(found);
+        });
+    }
+    _writeFile(fileName, text) {
+        return this._findFile(fileName).onSuccess((existing) => {
+            if (existing !== undefined) {
+                /* c8 ignore next 3 - defensive: file items from read-only adapters lack mutation methods */
+                if (!FileTree.isMutableFileItem(existing)) {
+                    return fail(`${existing.absolutePath}: not mutable`);
+                }
+                return existing.setRawContents(text);
+            }
+            /* c8 ignore next 3 - defensive: directory items from read-only adapters lack mutation methods */
+            if (!FileTree.isMutableDirectoryItem(this._directory)) {
+                return fail(`${this._directory.absolutePath}: not mutable`);
+            }
+            return this._directory.createChildFile(fileName, text).onSuccess(() => succeed(text));
+        });
+    }
+    /**
+     * Reads `file`, decrypts the AES-256-GCM envelope, and validates it into the
+     * typed `IStoredPrivateKeyEnvelope`. Read, decrypt, and shape failures
+     * all surface as a decrypt failure for `id`.
+     */
+    async _decryptEnvelope(file, id) {
+        return file
+            .getContents()
+            .thenOnSuccess((json) => tryDecryptFile(json, this._encryptionKey, this._cryptoProvider))
+            .onSuccess((decrypted) => envelopeConverter.convert(decrypted))
+            .withErrorFormat((msg) => `failed to decrypt private key '${id}': ${msg}`);
+    }
+    /**
+     * Parses and shape-validates the stored JWK, then re-imports it as a private
+     * `CryptoKey` for the envelope's algorithm. The WebCrypto JWK-import algorithm
+     * descriptor is shared between public and private keys for every supported
+     * algorithm, so `IKeyPairAlgorithmParams.importPublicKey` is reused here;
+     * the public/private distinction is carried by the requested `usages`.
+     */
+    async _importPrivateKey(envelope, id) {
+        const params = keyPairAlgorithmParams[envelope.algorithm];
+        return captureResult(() => JSON.parse(envelope.jwk))
+            .onSuccess((parsed) => jsonWebKeyShape.validate(parsed))
+            .withErrorFormat((msg) => `malformed JWK: ${msg}`)
+            .thenOnSuccess((jwk) => captureAsyncResult(() => crypto.webcrypto.subtle.importKey('jwk', jwk, params.importPublicKey, true, this._importUsagesFor(jwk, params))))
+            .withErrorFormat((msg) => `failed to import private key '${id}': ${msg}`);
+    }
+    /**
+     * Computes the key usages to request when re-importing a stored private key.
+     * WebCrypto rejects `importKey` if the requested usages include operations
+     * absent from the JWK's `key_ops`, so a key originally created with a narrower
+     * usage set than the algorithm default (e.g. an ECDH key with only
+     * `deriveBits`) would fail to load against the algorithm-wide defaults.
+     * Intersect the algorithm's private usages with the JWK's recorded `key_ops`
+     * so we request exactly the operations the stored key actually supports;
+     * fall back to the algorithm's private usages when `key_ops` is absent.
+     */
+    _importUsagesFor(jwk, params) {
+        const privateUsages = params.keyPairUsages.filter((usage) => !PUBLIC_ONLY_USAGES.includes(usage));
+        const keyOps = jwk.key_ops;
+        if (keyOps === undefined) {
+            return [...privateUsages];
+        }
+        return privateUsages.filter((usage) => keyOps.includes(usage));
+    }
+}
+//# sourceMappingURL=encryptedFilePrivateKeyStorage.js.map

package/dist/packlets/crypto-utils/keystore/encryptedFilePrivateKeyStorage.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"encryptedFilePrivateKeyStorage.js","sourceRoot":"","sources":["../../../../src/packlets/crypto-utils/keystore/encryptedFilePrivateKeyStorage.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,EACL,kBAAkB,EAClB,aAAa,EAEb,UAAU,EACV,IAAI,EAEJ,OAAO,EACR,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,QAAQ,EAAc,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EAA2B,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAE5F,OAAO,KAAK,SAAS,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAqDjE,MAAM,iBAAiB,GAAyC,UAAU,CAAC,MAAM,CAA4B;IAC3G,SAAS,EAAE,gBAAgB;IAC3B,GAAG,EAAE,UAAU,CAAC,MAAM;CACvB,CAAC,CAAC;AAEH,6EAA6E;AAC7E,gFAAgF;AAChF,sEAAsE;AACtE,MAAM,kBAAkB,GAA4B,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;AAErF,+EAA+E;AAC/E,8EAA8E;AAC9E,yCAAyC;AACzC,MAAM,OAAO,GAAW,mBAAmB,CAAC;AAE5C,MAAM,WAAW,GAAW,OAAO,CAAC;AAEpC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,OAAO,8BAA8B;IAWzC,YACE,SAA0C,EAC1C,aAAyB,EACzB,cAA+B;QAbjC;;;WAGG;QACa,2BAAsB,GAAU,KAAK,CAAC;QAWpD,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,yEAAyE;QACzE,iEAAiE;QACjE,IAAI,CAAC,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACrD,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;IACxC,CAAC;IAED;;;;;OAKG;IACI,MAAM,CAAC,MAAM,CAClB,MAAmD;QAEnD,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC;QAClE,IAAI,aAAa,CAAC,MAAM,KAAK,SAAS,CAAC,gBAAgB,EAAE,CAAC;YACxD,OAAO,IAAI,CACT,yDAAyD,SAAS,CAAC,gBAAgB,eAAe,aAAa,CAAC,MAAM,EAAE,CACzH,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO,OAAO,CAAC,IAAI,8BAA8B,CAAC,IAAI,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,OAAO,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;aAC7C,SAAS,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;aAC7C,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,mDAAmD,SAAS,MAAM,GAAG,EAAE,CAAC;aACjG,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,8BAA8B,CAAC,GAAG,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC;IACzG,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,KAAK,CAAC,EAAU,EAAE,GAAc;QAC3C,OAAO,IAAI,CAAC,mBAAmB,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,CACjF,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,QAAQ,CAAC,CACpD,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,IAAI,CAAC,EAAU;QAC1B,OAAO,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;aACzB,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;aACjD,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAClB,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAA6B,mBAAmB,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAChG;aACA,aAAa,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;aACxD,aAAa,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC;IACvE,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,EAAU;QAC5B,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE,CAC9D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAC1E,CAAC;QACF,IAAI,UAAU,CAAC,SAAS,EAAE,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;QACxC,CAAC;QACD,iGAAiG;QACjG,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC,iCAAiC,EAAE,qCAAqC,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CACpB,IAAI,CAAC,UAAU;aACZ,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC;aACtC,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,iCAAiC,EAAE,MAAM,GAAG,EAAE,CAAC;aACxE,SAAS,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAChC,CAAC;IACJ,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,IAAI;QACf,OAAO,OAAO,CAAC,OAAO,CACpB,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE;YACnD,MAAM,GAAG,GAAG,QAAQ;iBACjB,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;iBAC5E,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,EAAU;QAC7B,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC,uBAAuB,EAAE,iBAAiB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1E,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,EAAE,GAAG,WAAW,EAAE,CAAC,CAAC;IACxC,CAAC;IAED;;;;;OAKG;IACK,mBAAmB,CACzB,EAAU,EACV,GAAc;QAEd,OAAO,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE;YAClD,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC3B,OAAO,IAAI,CAAC,gCAAgC,EAAE,mCAAmC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC;YAChG,CAAC;YACD,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC;iBAC1B,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,gCAAgC,EAAE,MAAM,GAAG,EAAE,CAAC;iBACvE,SAAS,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,gBAAgB,CAC5B,SAA2B,EAC3B,GAAc,EACd,EAAU,EACV,QAAgB;QAEhB,OAAO,kBAAkB,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;aAC3E,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,iCAAiC,EAAE,aAAa,GAAG,EAAE,CAAC;aAC/E,SAAS,CAAa,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;aAChF,aAAa,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAChC,CACE,MAAM,mBAAmB,CAAC;YACxB,OAAO,EAAE,QAAQ;YACjB,UAAU,EAAE,EAAE;YACd,GAAG,EAAE,IAAI,CAAC,cAAc;YACxB,cAAc,EAAE,IAAI,CAAC,eAAe;SACrC,CAAC,CACH,CAAC,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,kCAAkC,EAAE,MAAM,GAAG,EAAE,CAAC,CAC5E;aACA,SAAS,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;aAC9E,SAAS,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;IAClC,CAAC;IAEO,YAAY,CAAC,GAAc;QACjC,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC;QAC1B,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;YACjB,KAAK,OAAO,CAAC;YACb,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,KAAK,GAAI,GAAsB,CAAC,UAAU,CAAC;gBACjD,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;oBACtB,OAAO,IAAI,CAAC,eAAe,GAAG,CAAC,IAAI,WAAW,KAAK,6BAA6B,CAAC,CAAC;gBACpF,CAAC;gBACD,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;YACpE,CAAC;YACD,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,qEAAqE;gBACrE,sEAAsE;gBACtE,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC,IAAI,CAAC;gBACtD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBACvB,OAAO,IAAI,CAAC,8BAA8B,IAAI,+BAA+B,CAAC,CAAC;gBACjF,CAAC;gBACD,OAAO,OAAO,CAAC,eAAe,CAAC,CAAC;YAClC,CAAC;YACD,KAAK,SAAS;gBACZ,OAAO,OAAO,CAAC,SAAS,CAAC,CAAC;YAC5B,KAAK,QAAQ;gBACX,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC3B;gBACE,OAAO,IAAI,CAAC,8BAA8B,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAEO,SAAS,CAAC,QAAgB;QAChC,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC1D,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;YACzF,OAAO,OAAO,CAAC,KAA+C,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,UAAU,CAAC,QAAgB,EAAE,IAAY;QAC/C,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE;YACrD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,4FAA4F;gBAC5F,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC1C,OAAO,IAAI,CAAC,GAAG,QAAQ,CAAC,YAAY,eAAe,CAAC,CAAC;gBACvD,CAAC;gBACD,OAAO,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YACvC,CAAC;YACD,iGAAiG;YACjG,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,eAAe,CAAC,CAAC;YAC9D,CAAC;YACD,OAAO,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACxF,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,gBAAgB,CAC5B,IAAgC,EAChC,EAAU;QAEV,OAAO,IAAI;aACR,WAAW,EAAE;aACb,aAAa,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;aACxF,SAAS,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;aAC9D,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,kCAAkC,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,iBAAiB,CAC7B,QAAmC,EACnC,EAAU;QAEV,MAAM,MAAM,GAAG,sBAAsB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC1D,OAAO,aAAa,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAY,CAAC;aAC5D,SAAS,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;aACvD,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,kBAAkB,GAAG,EAAE,CAAC;aACjD,aAAa,CAAC,CAAC,GAAG,EAAE,EAAE,CACrB,kBAAkB,CAAC,GAAG,EAAE,CACtB,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAC/B,KAAK,EACL,GAAG,EACH,MAAM,CAAC,eAAe,EACtB,IAAI,EACJ,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,CACnC,CACF,CACF;aACA,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,iCAAiC,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED;;;;;;;;;OASG;IACK,gBAAgB,CAAC,GAAe,EAAE,MAA+B;QACvE,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;QAClG,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC;QAC3B,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,aAAa,CAAC,CAAC;QAC5B,CAAC;QACD,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,CAAC;CACF","sourcesContent":["// Copyright (c) 2026 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport * as crypto from 'crypto';\nimport {\n captureAsyncResult,\n captureResult,\n Converter,\n Converters,\n fail,\n Result,\n succeed\n} from '@fgv/ts-utils';\nimport { FileTree, JsonObject } from '@fgv/ts-json-base';\nimport { createEncryptedFile, tryDecryptFile } from '../encryptedFile';\nimport { IKeyPairAlgorithmParams, keyPairAlgorithmParams } from '../keyPairAlgorithmParams';\nimport { ICryptoProvider, KeyPairAlgorithm } from '../model';\nimport * as Constants from '../constants';\nimport { jsonWebKeyShape, keyPairAlgorithm } from './converters';\nimport { IPrivateKeyStorage } from './privateKeyStorage';\n\n/**\n * Parameters for {@link CryptoUtils.KeyStore.EncryptedFilePrivateKeyStorage.create}.\n * @public\n */\nexport interface IEncryptedFilePrivateKeyStorageCreateParams {\n /**\n * Filesystem path to the directory that holds the encrypted private-key\n * files. Used only when {@link CryptoUtils.KeyStore.IEncryptedFilePrivateKeyStorageCreateParams.tree}\n * is omitted (the default `FsTree` backing). The directory must already\n * exist.\n */\n readonly directory: string;\n\n /**\n * Raw AES-256-GCM key (32 bytes) used to encrypt each file's JWK content.\n * Consumer-supplied and decoupled from the keystore's password lifecycle —\n * derive it however the application sees fit (typically the same\n * password-derived key material the keystore vault uses).\n */\n readonly encryptionKey: Uint8Array;\n\n /**\n * {@link CryptoUtils.ICryptoProvider | Crypto provider} used for the\n * AES-256-GCM encrypt/decrypt of each file's contents.\n */\n readonly cryptoProvider: ICryptoProvider;\n\n /**\n * Optional {@link FileTree.IFileTreeDirectoryItem | FileTree directory}\n * override. When supplied it is used as the storage directory directly and\n * {@link CryptoUtils.KeyStore.IEncryptedFilePrivateKeyStorageCreateParams.directory} is ignored —\n * pass an in-memory tree for tests, or another Node-compatible backend. When\n * omitted, a mutable `FsTree` rooted at `directory` is used. (This backend is\n * Node-only — it round-trips keys through `node:crypto` — so a browser file\n * tree is not a supported target.)\n */\n readonly tree?: FileTree.IFileTreeDirectoryItem;\n}\n\n/**\n * Decrypted on-disk envelope for a single stored private key. The JWK is held\n * as a serialized JSON string so the whole envelope is a flat record of\n * strings, which round-trips through {@link CryptoUtils.createEncryptedFile}\n * without ambiguity.\n */\ninterface IStoredPrivateKeyEnvelope {\n readonly algorithm: KeyPairAlgorithm;\n readonly jwk: string;\n}\n\nconst envelopeConverter: Converter<IStoredPrivateKeyEnvelope> = Converters.object<IStoredPrivateKeyEnvelope>({\n algorithm: keyPairAlgorithm,\n jwk: Converters.string\n});\n\n// WebCrypto key usages that only ever apply to a public key. Filtering these\n// out of the keypair usages yields the usages valid for the private half, which\n// `crypto.subtle.importKey` requires when re-importing a private JWK.\nconst PUBLIC_ONLY_USAGES: ReadonlyArray<KeyUsage> = ['verify', 'encrypt', 'wrapKey'];\n\n// Safe-filename id production. The keystore mints UUIDv4 handles, which match;\n// arbitrary consumer-supplied ids that could escape the storage directory are\n// rejected rather than silently mangled.\nconst SAFE_ID: RegExp = /^[A-Za-z0-9._-]+$/;\n\nconst FILE_SUFFIX: string = '.json';\n\n/**\n * {@link CryptoUtils.KeyStore.IPrivateKeyStorage | IPrivateKeyStorage}\n * implementation that persists each private key as its own AES-256-GCM-encrypted\n * file in a directory. The file content is the key's JWK, encrypted with a\n * consumer-supplied 32-byte key via the supplied\n * {@link CryptoUtils.ICryptoProvider | crypto provider}.\n *\n * `supportsNonExtractable` is `false`: persisting to disk requires exporting the\n * private key to JWK, which only works for `extractable: true` keys. The\n * keystore generates extractable keys when a backend reports `false` here.\n *\n * I/O goes through the {@link FileTree.FileTree | FileTree} abstraction (default\n * `FsTree`), so the same implementation works against an in-memory tree (tests)\n * or any other Node-compatible backend.\n *\n * This backend is **Node-only**: it round-trips private keys through\n * `node:crypto` (`crypto.webcrypto.subtle`), so it is intentionally excluded\n * from the browser entry point. Browser consumers should use\n * `IdbPrivateKeyStorage` from `@fgv/ts-web-extras` instead.\n *\n * Single-process assumption: there is no inter-process locking. Concurrent\n * writers to the same directory may race.\n *\n * @public\n */\nexport class EncryptedFilePrivateKeyStorage implements IPrivateKeyStorage {\n /**\n * `false` — disk persistence round-trips via JWK, which requires extractable\n * keys.\n */\n public readonly supportsNonExtractable: false = false;\n\n private readonly _directory: FileTree.IFileTreeDirectoryItem;\n private readonly _encryptionKey: Uint8Array;\n private readonly _cryptoProvider: ICryptoProvider;\n\n private constructor(\n directory: FileTree.IFileTreeDirectoryItem,\n encryptionKey: Uint8Array,\n cryptoProvider: ICryptoProvider\n ) {\n this._directory = directory;\n // Clone so the instance holds an immutable snapshot — callers that later\n // reuse or zero their buffer must not be able to mutate our key.\n this._encryptionKey = Uint8Array.from(encryptionKey);\n this._cryptoProvider = cryptoProvider;\n }\n\n /**\n * Creates a new {@link CryptoUtils.KeyStore.EncryptedFilePrivateKeyStorage}.\n * @param params - {@link CryptoUtils.KeyStore.IEncryptedFilePrivateKeyStorageCreateParams}.\n * @returns `Success` with the new instance, or `Failure` if the encryption\n * key is the wrong size or the storage directory cannot be opened.\n */\n public static create(\n params: IEncryptedFilePrivateKeyStorageCreateParams\n ): Result<EncryptedFilePrivateKeyStorage> {\n const { directory, encryptionKey, cryptoProvider, tree } = params;\n if (encryptionKey.length !== Constants.AES_256_KEY_SIZE) {\n return fail(\n `EncryptedFilePrivateKeyStorage: encryptionKey must be ${Constants.AES_256_KEY_SIZE} bytes, got ${encryptionKey.length}`\n );\n }\n if (tree !== undefined) {\n return succeed(new EncryptedFilePrivateKeyStorage(tree, encryptionKey, cryptoProvider));\n }\n return FileTree.forFilesystem({ mutable: true })\n .onSuccess((ft) => ft.getDirectory(directory))\n .withErrorFormat((msg) => `EncryptedFilePrivateKeyStorage: failed to open '${directory}': ${msg}`)\n .onSuccess((dir) => succeed(new EncryptedFilePrivateKeyStorage(dir, encryptionKey, cryptoProvider)));\n }\n\n /**\n * Stores `key` under `id` as an encrypted JWK file.\n * @param id - Storage handle. Must be a safe filename token\n * (`[A-Za-z0-9._-]+`, not `.`/`..`).\n * @param key - The extractable private `CryptoKey` to persist.\n */\n public async store(id: string, key: CryptoKey): Promise<Result<string>> {\n return this._validateKeyToStore(id, key).thenOnSuccess(({ fileName, algorithm }) =>\n this._encryptAndWrite(algorithm, key, id, fileName)\n );\n }\n\n /**\n * Loads the private key stored under `id`, decrypting and re-importing it from\n * JWK.\n * @param id - Storage handle.\n */\n public async load(id: string): Promise<Result<CryptoKey>> {\n return this._fileNameFor(id)\n .onSuccess((fileName) => this._findFile(fileName))\n .onSuccess((file) =>\n file === undefined ? fail<FileTree.IFileTreeFileItem>(`key not found: '${id}'`) : succeed(file)\n )\n .thenOnSuccess((file) => this._decryptEnvelope(file, id))\n .thenOnSuccess((envelope) => this._importPrivateKey(envelope, id));\n }\n\n /**\n * Deletes the entry stored under `id`. Missing ids fail (the read path is\n * keystore-driven and never asks to delete an id it did not store).\n * @param id - Storage handle.\n */\n public async delete(id: string): Promise<Result<string>> {\n const fileResult = this._fileNameFor(id).onSuccess((fileName) =>\n this._findFile(fileName).onSuccess((file) => succeed({ fileName, file }))\n );\n if (fileResult.isFailure()) {\n return fail(fileResult.message);\n }\n if (fileResult.value.file === undefined) {\n return fail(`key not found: '${id}'`);\n }\n /* c8 ignore next 3 - defensive: directory items from read-only adapters lack mutation methods */\n if (!FileTree.isMutableDirectoryItem(this._directory)) {\n return fail(`failed to delete private key '${id}': storage directory is not mutable`);\n }\n return Promise.resolve(\n this._directory\n .deleteChild(fileResult.value.fileName)\n .withErrorFormat((msg) => `failed to delete private key '${id}': ${msg}`)\n .onSuccess(() => succeed(id))\n );\n }\n\n /**\n * Lists every stored id.\n */\n public async list(): Promise<Result<readonly string[]>> {\n return Promise.resolve(\n this._directory.getChildren().onSuccess((children) => {\n const ids = children\n .filter((child) => child.type === 'file' && child.name.endsWith(FILE_SUFFIX))\n .map((child) => child.name.slice(0, -FILE_SUFFIX.length));\n return succeed(ids);\n })\n );\n }\n\n private _fileNameFor(id: string): Result<string> {\n if (id === '.' || id === '..' || !SAFE_ID.test(id)) {\n return fail(`invalid storage id '${id}': must match ${SAFE_ID.source}`);\n }\n return succeed(`${id}${FILE_SUFFIX}`);\n }\n\n /**\n * Validates the synchronous preconditions for a store: the id is filename-safe,\n * the key is actually a private key, and its algorithm is one we support.\n * Returns the resolved filename and algorithm so the async pipeline can run\n * without re-deriving them.\n */\n private _validateKeyToStore(\n id: string,\n key: CryptoKey\n ): Result<{ fileName: string; algorithm: KeyPairAlgorithm }> {\n return this._fileNameFor(id).onSuccess((fileName) => {\n if (key.type !== 'private') {\n return fail(`failed to store private key '${id}': expected a private key, got '${key.type}'`);\n }\n return this._algorithmOf(key)\n .withErrorFormat((msg) => `failed to store private key '${id}': ${msg}`)\n .onSuccess((algorithm) => succeed({ fileName, algorithm }));\n });\n }\n\n /**\n * Exports `key` to JWK, wraps it in the stored envelope, encrypts it with\n * AES-256-GCM, and writes the resulting file as serialized JSON to `fileName`.\n * Returns the stored `id` on success.\n */\n private async _encryptAndWrite(\n algorithm: KeyPairAlgorithm,\n key: CryptoKey,\n id: string,\n fileName: string\n ): Promise<Result<string>> {\n return captureAsyncResult(() => crypto.webcrypto.subtle.exportKey('jwk', key))\n .withErrorFormat((msg) => `failed to export private key '${id}' to JWK: ${msg}`)\n .onSuccess<JsonObject>((jwk) => succeed({ algorithm, jwk: JSON.stringify(jwk) }))\n .thenOnSuccess(async (envelope) =>\n (\n await createEncryptedFile({\n content: envelope,\n secretName: id,\n key: this._encryptionKey,\n cryptoProvider: this._cryptoProvider\n })\n ).withErrorFormat((msg) => `failed to encrypt private key '${id}': ${msg}`)\n )\n .onSuccess((encrypted) => this._writeFile(fileName, JSON.stringify(encrypted)))\n .onSuccess(() => succeed(id));\n }\n\n private _algorithmOf(key: CryptoKey): Result<KeyPairAlgorithm> {\n const alg = key.algorithm;\n switch (alg.name) {\n case 'ECDSA':\n case 'ECDH': {\n const curve = (alg as EcKeyAlgorithm).namedCurve;\n if (curve !== 'P-256') {\n return fail(`unsupported ${alg.name} curve '${curve}' (only P-256 is supported)`);\n }\n return succeed(alg.name === 'ECDSA' ? 'ecdsa-p256' : 'ecdh-p256');\n }\n case 'RSA-OAEP': {\n // Only the hash affects the JWK re-import params, so it is the field\n // that must match; the modulus length is recovered from the key data.\n const hash = (alg as RsaHashedKeyAlgorithm).hash.name;\n if (hash !== 'SHA-256') {\n return fail(`unsupported RSA-OAEP hash '${hash}' (only SHA-256 is supported)`);\n }\n return succeed('rsa-oaep-2048');\n }\n case 'Ed25519':\n return succeed('ed25519');\n case 'X25519':\n return succeed('x25519');\n default:\n return fail(`unsupported key algorithm '${alg.name}'`);\n }\n }\n\n private _findFile(fileName: string): Result<FileTree.IFileTreeFileItem | undefined> {\n return this._directory.getChildren().onSuccess((children) => {\n const found = children.find((child) => child.type === 'file' && child.name === fileName);\n return succeed(found as FileTree.IFileTreeFileItem | undefined);\n });\n }\n\n private _writeFile(fileName: string, text: string): Result<string> {\n return this._findFile(fileName).onSuccess((existing) => {\n if (existing !== undefined) {\n /* c8 ignore next 3 - defensive: file items from read-only adapters lack mutation methods */\n if (!FileTree.isMutableFileItem(existing)) {\n return fail(`${existing.absolutePath}: not mutable`);\n }\n return existing.setRawContents(text);\n }\n /* c8 ignore next 3 - defensive: directory items from read-only adapters lack mutation methods */\n if (!FileTree.isMutableDirectoryItem(this._directory)) {\n return fail(`${this._directory.absolutePath}: not mutable`);\n }\n return this._directory.createChildFile(fileName, text).onSuccess(() => succeed(text));\n });\n }\n\n /**\n * Reads `file`, decrypts the AES-256-GCM envelope, and validates it into the\n * typed `IStoredPrivateKeyEnvelope`. Read, decrypt, and shape failures\n * all surface as a decrypt failure for `id`.\n */\n private async _decryptEnvelope(\n file: FileTree.IFileTreeFileItem,\n id: string\n ): Promise<Result<IStoredPrivateKeyEnvelope>> {\n return file\n .getContents()\n .thenOnSuccess((json) => tryDecryptFile(json, this._encryptionKey, this._cryptoProvider))\n .onSuccess((decrypted) => envelopeConverter.convert(decrypted))\n .withErrorFormat((msg) => `failed to decrypt private key '${id}': ${msg}`);\n }\n\n /**\n * Parses and shape-validates the stored JWK, then re-imports it as a private\n * `CryptoKey` for the envelope's algorithm. The WebCrypto JWK-import algorithm\n * descriptor is shared between public and private keys for every supported\n * algorithm, so `IKeyPairAlgorithmParams.importPublicKey` is reused here;\n * the public/private distinction is carried by the requested `usages`.\n */\n private async _importPrivateKey(\n envelope: IStoredPrivateKeyEnvelope,\n id: string\n ): Promise<Result<CryptoKey>> {\n const params = keyPairAlgorithmParams[envelope.algorithm];\n return captureResult(() => JSON.parse(envelope.jwk) as unknown)\n .onSuccess((parsed) => jsonWebKeyShape.validate(parsed))\n .withErrorFormat((msg) => `malformed JWK: ${msg}`)\n .thenOnSuccess((jwk) =>\n captureAsyncResult(() =>\n crypto.webcrypto.subtle.importKey(\n 'jwk',\n jwk,\n params.importPublicKey,\n true,\n this._importUsagesFor(jwk, params)\n )\n )\n )\n .withErrorFormat((msg) => `failed to import private key '${id}': ${msg}`);\n }\n\n /**\n * Computes the key usages to request when re-importing a stored private key.\n * WebCrypto rejects `importKey` if the requested usages include operations\n * absent from the JWK's `key_ops`, so a key originally created with a narrower\n * usage set than the algorithm default (e.g. an ECDH key with only\n * `deriveBits`) would fail to load against the algorithm-wide defaults.\n * Intersect the algorithm's private usages with the JWK's recorded `key_ops`\n * so we request exactly the operations the stored key actually supports;\n * fall back to the algorithm's private usages when `key_ops` is absent.\n */\n private _importUsagesFor(jwk: JsonWebKey, params: IKeyPairAlgorithmParams): KeyUsage[] {\n const privateUsages = params.keyPairUsages.filter((usage) => !PUBLIC_ONLY_USAGES.includes(usage));\n const keyOps = jwk.key_ops;\n if (keyOps === undefined) {\n return [...privateUsages];\n }\n return privateUsages.filter((usage) => keyOps.includes(usage));\n }\n}\n"]}

package/dist/packlets/crypto-utils/keystore/index.browser.js ADDED Viewed

@@ -0,0 +1,36 @@
+// Copyright (c) 2026 Erik Fortune
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+/**
+ * Key store module for password-protected secret management (browser version).
+ * @packageDocumentation
+ */
+// Types and interfaces
+export * from './model';
+export * from './privateKeyStorage';
+// Converters namespace
+import * as Converters from './converters';
+export { Converters };
+// Key store class
+export { KeyStore } from './keyStore';
+// Note: EncryptedFilePrivateKeyStorage is Node-only — it uses `node:crypto`
+// (via `crypto.webcrypto.subtle`) for the private-key JWK round-trip — so it is
+// intentionally NOT exported in the browser entry. Use `IdbPrivateKeyStorage`
+// from `@fgv/ts-web-extras` for browser private-key storage.
+//# sourceMappingURL=index.browser.js.map

package/dist/packlets/crypto-utils/keystore/index.browser.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.browser.js","sourceRoot":"","sources":["../../../../src/packlets/crypto-utils/keystore/index.browser.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ;;;GAGG;AAEH,uBAAuB;AACvB,cAAc,SAAS,CAAC;AACxB,cAAc,qBAAqB,CAAC;AAEpC,uBAAuB;AACvB,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,CAAC;AAEtB,kBAAkB;AAClB,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEtC,4EAA4E;AAC5E,gFAAgF;AAChF,8EAA8E;AAC9E,6DAA6D","sourcesContent":["// Copyright (c) 2026 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\n/**\n * Key store module for password-protected secret management (browser version).\n * @packageDocumentation\n */\n\n// Types and interfaces\nexport * from './model';\nexport * from './privateKeyStorage';\n\n// Converters namespace\nimport * as Converters from './converters';\nexport { Converters };\n\n// Key store class\nexport { KeyStore } from './keyStore';\n\n// Note: EncryptedFilePrivateKeyStorage is Node-only — it uses `node:crypto`\n// (via `crypto.webcrypto.subtle`) for the private-key JWK round-trip — so it is\n// intentionally NOT exported in the browser entry. Use `IdbPrivateKeyStorage`\n// from `@fgv/ts-web-extras` for browser private-key storage.\n"]}

package/dist/packlets/crypto-utils/keystore/index.js CHANGED Viewed

@@ -29,4 +29,6 @@ import * as Converters from './converters';
 export { Converters };
 // Key store class
 export { KeyStore } from './keyStore';
+// Private-key storage implementations
+export { EncryptedFilePrivateKeyStorage } from './encryptedFilePrivateKeyStorage';
 //# sourceMappingURL=index.js.map

package/dist/packlets/crypto-utils/keystore/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/packlets/crypto-utils/keystore/index.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ;;;GAGG;AAEH,uBAAuB;AACvB,cAAc,SAAS,CAAC;AACxB,cAAc,qBAAqB,CAAC;AAEpC,uBAAuB;AACvB,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,CAAC;AAEtB,kBAAkB;AAClB,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC","sourcesContent":["// Copyright (c) 2026 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\n/*\n Key store module for password-protected secret management.\n * @packageDocumentation\n /\n\n// Types and interfaces\nexport from './model';\nexport * from './privateKeyStorage';\n\n// Converters namespace\nimport * as Converters from './converters';\nexport { Converters };\n\n// Key store class\nexport { KeyStore } from './keyStore';\n"]}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/packlets/crypto-utils/keystore/index.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ;;;GAGG;AAEH,uBAAuB;AACvB,cAAc,SAAS,CAAC;AACxB,cAAc,qBAAqB,CAAC;AAEpC,uBAAuB;AACvB,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,CAAC;AAEtB,kBAAkB;AAClB,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEtC,sCAAsC;AACtC,OAAO,EACL,8BAA8B,EAE/B,MAAM,kCAAkC,CAAC","sourcesContent":["// Copyright (c) 2026 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\n/*\n Key store module for password-protected secret management.\n * @packageDocumentation\n /\n\n// Types and interfaces\nexport from './model';\nexport * from './privateKeyStorage';\n\n// Converters namespace\nimport * as Converters from './converters';\nexport { Converters };\n\n// Key store class\nexport { KeyStore } from './keyStore';\n\n// Private-key storage implementations\nexport {\n EncryptedFilePrivateKeyStorage,\n IEncryptedFilePrivateKeyStorageCreateParams\n} from './encryptedFilePrivateKeyStorage';\n"]}

package/dist/packlets/crypto-utils/keystore/privateKeyStorage.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"privateKeyStorage.js","sourceRoot":"","sources":["../../../../src/packlets/crypto-utils/keystore/privateKeyStorage.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY","sourcesContent":["// Copyright (c) 2026 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport { Result } from '@fgv/ts-utils';\n\n/*\n Pluggable backend that persists raw asymmetric private keys outside of the\n * encrypted keystore vault. Concrete implementations ~~live~~ in ~~platform~~-~~specific~~\n * ~~packages~~ ~~(e.g.~~ an ~~IndexedDB~~-~~backed~~ ~~implementation~~ in `@fgv/ts-web-extras` or\n * an ~~encrypted-file~~ ~~implementation~~ in ~~`@fgv/ts-chocolate~~`).\n \n The keystore writes storage-first: a private key is always stored here\n * before the corresponding public-key vault entry is committed. Conversely,\n * deletes hit the vault first and then this storage best-effort. As a result,\n * crashes or skipped saves can leave orphaned blobs here; callers are expected\n * to reconcile via {@link CryptoUtils.KeyStore.IPrivateKeyStorage.list} cross-referenced\n * against the keystore's asymmetric entries.\n \n @public\n /\nexport interface IPrivateKeyStorage {\n /\n Whether keys generated for this backend may be marked\n * `extractable: false`. `true` on backends that store `CryptoKey`\n * objects directly (e.g. IndexedDB). `false` on backends that must\n * round-trip via JWK (e.g. encrypted-file backends).\n /\n readonly supportsNonExtractable: boolean;\n\n /\n Stores `key` under `id`. Returns the stored `id` on success so the\n * call can compose into a Result chain.\n * @param id - Storage handle to write under.\n * @param key - The private `CryptoKey` to persist.\n /\n store(id: string, key: CryptoKey): Promise<Result<string>>;\n\n /\n Loads the private key previously stored under `id`.\n * @param id - Storage handle to look up.\n /\n load(id: string): Promise<Result<CryptoKey>>;\n\n /\n Deletes the entry stored under `id`. Returns the deleted `id` on\n * success so the call can compose into a Result chain.\n * @param id - Storage handle to remove.\n /\n delete(id: string): Promise<Result<string>>;\n\n /\n Lists every `id` currently held by the backend. Used by consumers to\n * garbage-collect orphans left by crashes or aborted sessions; the\n * keystore itself does not invoke this automatically.\n */\n list(): Promise<Result<readonly string[]>>;\n}\n"]}
1	+ {"version":3,"file":"privateKeyStorage.js","sourceRoot":"","sources":["../../../../src/packlets/crypto-utils/keystore/privateKeyStorage.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY","sourcesContent":["// Copyright (c) 2026 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport { Result } from '@fgv/ts-utils';\n\n/*\n Pluggable backend that persists raw asymmetric private keys outside of the\n * encrypted keystore vault. Concrete implementations:\n * - {@link CryptoUtils.KeyStore.EncryptedFilePrivateKeyStorage} in\n * `@fgv/ts-extras` — directory-on-disk, AES-256-GCM-encrypted JWK per key\n * (Node; `supportsNonExtractable: false`).\n * - `IdbPrivateKeyStorage` in `@fgv/ts-web-extras` — IndexedDB-backed, stores\n * `CryptoKey` objects directly (browser; `supportsNonExtractable: true`).\n \n The keystore writes storage-first: a private key is always stored here\n * before the corresponding public-key vault entry is committed. Conversely,\n * deletes hit the vault first and then this storage best-effort. As a result,\n * crashes or skipped saves can leave orphaned blobs here; callers are expected\n * to reconcile via {@link CryptoUtils.KeyStore.IPrivateKeyStorage.list} cross-referenced\n * against the keystore's asymmetric entries.\n \n @public\n /\nexport interface IPrivateKeyStorage {\n /\n Whether keys generated for this backend may be marked\n * `extractable: false`. `true` on backends that store `CryptoKey`\n * objects directly (e.g. IndexedDB). `false` on backends that must\n * round-trip via JWK (e.g. encrypted-file backends).\n /\n readonly supportsNonExtractable: boolean;\n\n /\n Stores `key` under `id`. Returns the stored `id` on success so the\n * call can compose into a Result chain.\n * @param id - Storage handle to write under.\n * @param key - The private `CryptoKey` to persist.\n /\n store(id: string, key: CryptoKey): Promise<Result<string>>;\n\n /\n Loads the private key previously stored under `id`.\n * @param id - Storage handle to look up.\n /\n load(id: string): Promise<Result<CryptoKey>>;\n\n /\n Deletes the entry stored under `id`. Returns the deleted `id` on\n * success so the call can compose into a Result chain.\n * @param id - Storage handle to remove.\n /\n delete(id: string): Promise<Result<string>>;\n\n /\n Lists every `id` currently held by the backend. Used by consumers to\n * garbage-collect orphans left by crashes or aborted sessions; the\n * keystore itself does not invoke this automatically.\n */\n list(): Promise<Result<readonly string[]>>;\n}\n"]}