@fgv/ts-web-extras 5.1.0-21 → 5.1.0-22

package/dist/packlets/crypto-utils/browserCryptoProvider.js

@@ -248,6 +248,21 @@ export class BrowserCryptoProvider {
             return Failure.with(`Random bytes generation failed: ${message}`);
         }
     }
+    /* c8 ignore stop */
+    /**
+     * Generates a cryptographically random UUIDv4 using the injected
+     * `Crypto` instance.
+     * @returns `Success` with the generated UUID, or `Failure` if the underlying
+     * `Crypto` instance does not expose `randomUUID`.
+     */
+    generateUuid() {
+        /* c8 ignore next 3 - randomUUID is always available in supported runtimes (Node 22+, modern browsers) */
+        if (typeof this._crypto.randomUUID !== 'function') {
+            return Failure.with('Crypto instance does not expose randomUUID');
+        }
+        return captureResult(() => this._crypto.randomUUID());
+    }
+    /* c8 ignore start - browser-only methods continue */
     /**
      * Encodes binary data to base64 string.
      * @param data - Binary data to encode

package/dist/packlets/crypto-utils/browserCryptoProvider.js.map

@@ -1 +1 @@
-{"version":3,"file":"browserCryptoProvider.js","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/browserCryptoProvider.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAU,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC3G,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,sGAAsG;AACtG;;;;GAIG;AACH,SAAS,aAAa,CAAC,GAAe;IACpC,mGAAmG;IACnG,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,MAAM,CAAC;AAChB,CAAC;AACD,oBAAoB;AAEpB;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CAAC,GAAe;IACnC,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,OAAO,qBAAqB;IAGhC,6FAA6F;IAC7F;;;OAGG;IACH,YAAmB,SAAkB;QACnC,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QAC3B,CAAC;aAAM,IAAI,OAAO,UAAU,KAAK,WAAW,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;YAClE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAC1D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,SAAiB,EAAE,GAAe;QACrD,IAAI,GAAG,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAC,IAAI,CAAC,eAAe,WAAW,CAAC,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QAED,IAAI,CAAC;YACH,qBAAqB;YACrB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;YAE3F,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,aAAa,CAAC,GAAG,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YAEF,4BAA4B;YAC5B,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAEjD,sDAAsD;YACtD,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CACxD;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,EAAE;gBACN,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,OAAO;aAC/D,EACD,SAAS,EACT,cAAc,CACf,CAAC;YAEF,4DAA4D;YAC5D,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAAC;YACxD,MAAM,aAAa,GAAG,cAAc,CAAC,KAAK,CACxC,CAAC,EACD,cAAc,CAAC,MAAM,GAAG,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAChE,CAAC;YACF,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;YACtG,OAAO,OAAO,CAAC,IAAI,CAAC;gBAClB,EAAE;gBACF,OAAO;gBACP,aAAa;aACd,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAClB,aAAyB,EACzB,GAAe,EACf,EAAc,EACd,OAAmB;QAEnB,IAAI,GAAG,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAC,IAAI,CAAC,eAAe,WAAW,CAAC,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QACD,IAAI,EAAE,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACpD,OAAO,OAAO,CAAC,IAAI,CAAC,cAAc,WAAW,CAAC,SAAS,CAAC,WAAW,eAAe,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;QACjG,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC/D,OAAO,OAAO,CAAC,IAAI,CACjB,oBAAoB,WAAW,CAAC,SAAS,CAAC,iBAAiB,eAAe,OAAO,CAAC,MAAM,EAAE,CAC3F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,aAAa,CAAC,GAAG,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YAEF,wDAAwD;YACxD,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/E,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACpC,gBAAgB,CAAC,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;YAEpD,UAAU;YACV,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CACjD;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC;gBACrB,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,OAAO;aAC/D,EACD,SAAS,EACT,gBAAgB,CACjB,CAAC;YAEF,mBAAmB;YACnB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW;QACtB,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,IAAI,CACjB,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CACrF,CAAC;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,SAAS,CACpB,QAAgB,EAChB,IAAgB,EAChB,UAAkB;QAElB,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,OAAO,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,OAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,CAAC;YACH,kBAAkB;YAClB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAE/C,kCAAkC;YAClC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE;gBAC7F,YAAY;aACb,CAAC,CAAC;YAEH,kBAAkB;YAClB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CACtD;gBACE,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC;gBACzB,UAAU,EAAE,UAAU;gBACtB,IAAI,EAAE,SAAS;aAChB,EACD,WAAW,EACX,WAAW,CAAC,SAAS,CAAC,gBAAgB,GAAG,CAAC,CAAC,OAAO;aACnD,CAAC;YAEF,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,IAAY;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;YAC3E,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;YAC7C,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;iBAClC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;iBAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;YACZ,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC,wBAAwB,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,2BAA2B;IAC3B,+EAA+E;IAE/E;;;;OAIG;IACI,mBAAmB,CAAC,MAAc;QACvC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,OAAO,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,QAAQ,CAAC,IAAgB;QAC9B,sDAAsD;QACtD,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACI,UAAU,CAAC,MAAc;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,4BAA4B;IAC5B,+EAA+E;IAE/E;;;;;OAKG;IACI,KAAK,CAAC,eAAe,CAC1B,SAAuC,EACvC,WAAoB;QAEpB,MAAM,MAAM,GAAG,WAAW,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,6EAA6E;QAC7E,4EAA4E;QAC5E,6EAA6E;QAC7E,kEAAkE;QAClE,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACrD,MAAM,CAAC,WAAkC,EACzC,WAAW,EACX,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,CAC1B,CAAC;YACF,IAAI,YAAY,IAAI,SAAS,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;gBAC1D,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,4FAA4F;YAC5F,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,2CAA2C,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,SAAS,aAAa,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IAED;;;;;;;;;OASG;IACI,KAAK,CAAC,kBAAkB,CAAC,SAAoB;QAClD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,OAAO,CAAC,IAAI,CAAC,wDAAwD,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC;QAC/F,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uCAAuC,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,kBAAkB,CAC7B,GAAe,EACf,SAAuC;QAEvC,MAAM,MAAM,GAAG,WAAW,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,CAC3C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAChG,CAAC;QACF,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,SAAS,yBAAyB,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,oBAAoB;IAEpB;;;;;;;;OAQG;IACI,KAAK,CAAC,SAAS,CACpB,SAAqB,EACrB,kBAA6B,EAC7B,OAAsC;QAEtC,MAAM,cAAc,GAAG,aAAa,CAAC,kBAAkB,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;QAC3F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,OAAO,CAAC,IAAI,CAAC,qBAAqB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE;gBACvF,WAAW;aACZ,CAAC,CAAkB,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAC5C,SAAS,CAAC,UAAU,EACpB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EACrG,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;YAC9F,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;YACrG,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;YAC9E,OAAO;gBACL,kBAAkB;gBAClB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC3B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;aACjD,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,WAAW,CACtB,OAAkC,EAClC,mBAA8B,EAC9B,OAAsC;QAEtC,MAAM,cAAc,GAAG,aAAa,CAAC,mBAAmB,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;QAC9F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,OAAO,CAAC,IAAI,CAAC,uBAAuB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC;YAC5B,OAAO,OAAO,CAAC,IAAI,CAAC,8BAA8B,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACnE,OAAO,OAAO,CAAC,IAAI,CACjB,qCAAqC,WAAW,CAAC,SAAS,CAAC,WAAW,eAAe,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,CACjH,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,gBAAgB,CAAC,SAAS,EAAE,EAAE,CAAC;YACjC,OAAO,OAAO,CAAC,IAAI,CAAC,mCAAmC,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC5E,OAAO,OAAO,CAAC,IAAI,CACjB,mDAAmD,WAAW,CAAC,SAAS,CAAC,iBAAiB,eAAe,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,CAC1I,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,SAAS,CACzC,KAAK,EACL,OAAO,CAAC,kBAAkB,EAC1B,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,EAAE,CACH,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,EACtC,mBAAmB,EACnB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EACrG,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAChC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,YAAY,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EACxD,OAAO,EACP,YAAY,CAAC,gBAAgB,CAAC,KAAK,CAAC,CACrC,CAAC;YACF,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;CACF;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,aAAa,CAAC,GAAc,EAAE,OAA6B,EAAE,KAAa;IACjF,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,uCAAuC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,CAAC;IAC7F,CAAC;IACD,MAAM,UAAU,GAAI,GAAG,CAAC,SAA4B,CAAC,UAAU,CAAC;IAChE,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,mCAAmC,UAAU,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,cAAc,OAAO,oBAAoB,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED,4FAA4F;AAC5F;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B;IACzC,OAAO,aAAa,CAAC,GAAG,EAAE,CAAC,IAAI,qBAAqB,EAAE,CAAC,CAAC;AAC1D,CAAC;AACD,oBAAoB","sourcesContent":["// Copyright (c) 2024 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport { captureAsyncResult, captureResult, fail, Failure, Result, succeed, Success } from '@fgv/ts-utils';\nimport { CryptoUtils } from '@fgv/ts-extras';\n\n/* c8 ignore start - Used only by browser-only methods that cannot be tested in Node.js environment */\n/**\n * Extracts an `ArrayBuffer` from a Uint8Array, handling the potential SharedArrayBuffer case.\n * @param arr - The Uint8Array to extract from\n * @returns An `ArrayBuffer` containing a copy of the data.\n */\nfunction toArrayBuffer(arr: Uint8Array): ArrayBuffer {\n  // Create a new ArrayBuffer and copy the data - this handles both ArrayBuffer and SharedArrayBuffer\n  const buffer = new ArrayBuffer(arr.byteLength);\n  new Uint8Array(buffer).set(arr);\n  return buffer;\n}\n/* c8 ignore stop */\n\n/**\n * Returns a fresh Uint8Array view over a non-shared ArrayBuffer copy of `arr`.\n * Used by {@link BrowserCryptoProvider.wrapBytes | wrapBytes} and\n * {@link BrowserCryptoProvider.unwrapBytes | unwrapBytes}: Node 20's\n * webcrypto.subtle rejects raw `ArrayBuffer` for several `BufferSource`\n * parameters with \"is not instance of ArrayBuffer, Buffer, TypedArray, or\n * DataView\" even though `ArrayBuffer` should be valid per the spec; a\n * TypedArray view is accepted on Node 20+ and on browsers, and the explicit\n * `Uint8Array<ArrayBuffer>` return type also satisfies TypeScript's `BufferSource`\n * (which excludes the `SharedArrayBuffer` branch of `Uint8Array`'s buffer type).\n */\nfunction toBufferView(arr: Uint8Array): Uint8Array<ArrayBuffer> {\n  const buffer = new ArrayBuffer(arr.byteLength);\n  const view = new Uint8Array(buffer);\n  view.set(arr);\n  return view;\n}\n\n/**\n * Browser implementation of `ICryptoProvider` using the Web Crypto API.\n * Uses AES-256-GCM for authenticated encryption.\n *\n * Note: This provider requires a browser environment with Web Crypto API support.\n * In Node.js 15+, Web Crypto is available via globalThis.crypto or require('crypto').webcrypto.\n *\n * @public\n */\nexport class BrowserCryptoProvider implements CryptoUtils.ICryptoProvider {\n  private readonly _crypto: Crypto;\n\n  /* c8 ignore start - Existing browser-only methods cannot be tested in Node.js environment */\n  /**\n   * Creates a new {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider}.\n   * @param cryptoApi - Optional Crypto instance (defaults to globalThis.crypto)\n   */\n  public constructor(cryptoApi?: Crypto) {\n    if (cryptoApi) {\n      this._crypto = cryptoApi;\n    } else if (typeof globalThis !== 'undefined' && globalThis.crypto) {\n      this._crypto = globalThis.crypto;\n    } else if (typeof window !== 'undefined' && window.crypto) {\n      this._crypto = window.crypto;\n    } else {\n      throw new Error('Web Crypto API not available');\n    }\n  }\n\n  /**\n   * Encrypts plaintext using AES-256-GCM.\n   * @param plaintext - UTF-8 string to encrypt\n   * @param key - 32-byte encryption key\n   * @returns `Success` with encryption result, or `Failure` with an error.\n   */\n  public async encrypt(plaintext: string, key: Uint8Array): Promise<Result<CryptoUtils.IEncryptionResult>> {\n    if (key.length !== CryptoUtils.Constants.AES_256_KEY_SIZE) {\n      return Failure.with(`Key must be ${CryptoUtils.Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n\n    try {\n      // Generate random IV\n      const iv = this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.GCM_IV_SIZE));\n\n      // Import the key\n      const cryptoKey = await this._crypto.subtle.importKey(\n        'raw',\n        toArrayBuffer(key),\n        { name: 'AES-GCM' },\n        false,\n        ['encrypt']\n      );\n\n      // Encode plaintext to bytes\n      const encoder = new TextEncoder();\n      const plaintextBytes = encoder.encode(plaintext);\n\n      // Encrypt (Web Crypto appends auth tag to ciphertext)\n      const encryptedWithTag = await this._crypto.subtle.encrypt(\n        {\n          name: 'AES-GCM',\n          iv: iv,\n          tagLength: CryptoUtils.Constants.GCM_AUTH_TAG_SIZE * 8 // bits\n        },\n        cryptoKey,\n        plaintextBytes\n      );\n\n      // Split ciphertext and auth tag (auth tag is last 16 bytes)\n      const encryptedArray = new Uint8Array(encryptedWithTag);\n      const encryptedData = encryptedArray.slice(\n        0,\n        encryptedArray.length - CryptoUtils.Constants.GCM_AUTH_TAG_SIZE\n      );\n      const authTag = encryptedArray.slice(encryptedArray.length - CryptoUtils.Constants.GCM_AUTH_TAG_SIZE);\n      return Success.with({\n        iv,\n        authTag,\n        encryptedData\n      });\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Encryption failed: ${message}`);\n    }\n  }\n\n  /**\n   * Decrypts ciphertext using AES-256-GCM.\n   * @param encryptedData - Encrypted bytes\n   * @param key - 32-byte decryption key\n   * @param iv - Initialization vector (12 bytes)\n   * @param authTag - GCM authentication tag (16 bytes)\n   * @returns `Success` with decrypted UTF-8 string, or `Failure` with an error.\n   */\n  public async decrypt(\n    encryptedData: Uint8Array,\n    key: Uint8Array,\n    iv: Uint8Array,\n    authTag: Uint8Array\n  ): Promise<Result<string>> {\n    if (key.length !== CryptoUtils.Constants.AES_256_KEY_SIZE) {\n      return Failure.with(`Key must be ${CryptoUtils.Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n    if (iv.length !== CryptoUtils.Constants.GCM_IV_SIZE) {\n      return Failure.with(`IV must be ${CryptoUtils.Constants.GCM_IV_SIZE} bytes, got ${iv.length}`);\n    }\n    if (authTag.length !== CryptoUtils.Constants.GCM_AUTH_TAG_SIZE) {\n      return Failure.with(\n        `Auth tag must be ${CryptoUtils.Constants.GCM_AUTH_TAG_SIZE} bytes, got ${authTag.length}`\n      );\n    }\n\n    try {\n      // Import the key\n      const cryptoKey = await this._crypto.subtle.importKey(\n        'raw',\n        toArrayBuffer(key),\n        { name: 'AES-GCM' },\n        false,\n        ['decrypt']\n      );\n\n      // Web Crypto expects ciphertext + auth tag concatenated\n      const encryptedWithTag = new Uint8Array(encryptedData.length + authTag.length);\n      encryptedWithTag.set(encryptedData);\n      encryptedWithTag.set(authTag, encryptedData.length);\n\n      // Decrypt\n      const decrypted = await this._crypto.subtle.decrypt(\n        {\n          name: 'AES-GCM',\n          iv: toArrayBuffer(iv),\n          tagLength: CryptoUtils.Constants.GCM_AUTH_TAG_SIZE * 8 // bits\n        },\n        cryptoKey,\n        encryptedWithTag\n      );\n\n      // Decode to string\n      const decoder = new TextDecoder();\n      return Success.with(decoder.decode(decrypted));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Decryption failed: ${message}`);\n    }\n  }\n\n  /**\n   * Generates a random 32-byte key suitable for AES-256.\n   * @returns Success with generated key, or Failure with error\n   */\n  public async generateKey(): Promise<Result<Uint8Array>> {\n    try {\n      return Success.with(\n        this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.AES_256_KEY_SIZE))\n      );\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Key generation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Derives a key from a password using PBKDF2.\n   * @param password - Password string\n   * @param salt - Salt bytes (should be at least 16 bytes)\n   * @param iterations - Number of iterations (recommend 100000+)\n   * @returns Success with derived 32-byte key, or Failure with error\n   */\n  public async deriveKey(\n    password: string,\n    salt: Uint8Array,\n    iterations: number\n  ): Promise<Result<Uint8Array>> {\n    if (iterations < 1) {\n      return Failure.with('Iterations must be at least 1');\n    }\n    if (salt.length < 8) {\n      return Failure.with('Salt should be at least 8 bytes');\n    }\n\n    try {\n      // Encode password\n      const encoder = new TextEncoder();\n      const passwordBytes = encoder.encode(password);\n\n      // Import password as key material\n      const keyMaterial = await this._crypto.subtle.importKey('raw', passwordBytes, 'PBKDF2', false, [\n        'deriveBits'\n      ]);\n\n      // Derive key bits\n      const derivedBits = await this._crypto.subtle.deriveBits(\n        {\n          name: 'PBKDF2',\n          salt: toArrayBuffer(salt),\n          iterations: iterations,\n          hash: 'SHA-256'\n        },\n        keyMaterial,\n        CryptoUtils.Constants.AES_256_KEY_SIZE * 8 // bits\n      );\n\n      return Success.with(new Uint8Array(derivedBits));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Key derivation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Computes a SHA-256 hash of the given data.\n   * @param data - UTF-8 string to hash\n   * @returns `Success` with hex-encoded hash string, or `Failure` with an error.\n   */\n  public async sha256(data: string): Promise<Result<string>> {\n    try {\n      const encoder = new TextEncoder();\n      const dataBuffer = encoder.encode(data);\n      const hashBuffer = await this._crypto.subtle.digest('SHA-256', dataBuffer);\n      const hashArray = new Uint8Array(hashBuffer);\n      const hashHex = Array.from(hashArray)\n        .map((b) => b.toString(16).padStart(2, '0'))\n        .join('');\n      return succeed(hashHex);\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return fail(`SHA-256 hash failed: ${message}`);\n    }\n  }\n\n  // ============================================================================\n  // Platform Utility Methods\n  // ============================================================================\n\n  /**\n   * Generates cryptographically secure random bytes.\n   * @param length - Number of bytes to generate\n   * @returns Success with random bytes, or Failure with error\n   */\n  public generateRandomBytes(length: number): Result<Uint8Array> {\n    if (length < 1) {\n      return Failure.with('Length must be at least 1');\n    }\n    try {\n      return Success.with(this._crypto.getRandomValues(new Uint8Array(length)));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Random bytes generation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Encodes binary data to base64 string.\n   * @param data - Binary data to encode\n   * @returns Base64-encoded string\n   */\n  public toBase64(data: Uint8Array): string {\n    // Convert Uint8Array to binary string, then to base64\n    let binary = '';\n    for (let i = 0; i < data.length; i++) {\n      binary += String.fromCharCode(data[i]);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Decodes base64 string to binary data.\n   * @param base64 - Base64-encoded string\n   * @returns Success with decoded bytes, or Failure if invalid base64\n   */\n  public fromBase64(base64: string): Result<Uint8Array> {\n    try {\n      const binary = atob(base64);\n      const bytes = new Uint8Array(binary.length);\n      for (let i = 0; i < binary.length; i++) {\n        bytes[i] = binary.charCodeAt(i);\n      }\n      return Success.with(bytes);\n    } catch (e) {\n      return Failure.with('Invalid base64 string');\n    }\n  }\n\n  // ============================================================================\n  // Asymmetric Key Operations\n  // ============================================================================\n\n  /**\n   * Generates a new asymmetric keypair via Web Crypto.\n   * @param algorithm - The algorithm to use.\n   * @param extractable - Whether the resulting keys may be exported.\n   * @returns `Success` with the generated `CryptoKeyPair`, or `Failure` with an error.\n   */\n  public async generateKeyPair(\n    algorithm: CryptoUtils.KeyPairAlgorithm,\n    extractable: boolean\n  ): Promise<Result<CryptoKeyPair>> {\n    const params = CryptoUtils.keyPairAlgorithmParams[algorithm];\n    // Widening upcast to `AlgorithmIdentifier` steers TS to subtle.generateKey's\n    // broad overload, which accepts the Ed25519 `{ name: 'Ed25519' }` shape and\n    // returns `CryptoKey | CryptoKeyPair`. The narrowing back to `CryptoKeyPair`\n    // is a runtime check via the `in` operator, not a type assertion.\n    const result = await captureAsyncResult(async () => {\n      const generated = await this._crypto.subtle.generateKey(\n        params.generateKey as AlgorithmIdentifier,\n        extractable,\n        [...params.keyPairUsages]\n      );\n      if ('privateKey' in generated && 'publicKey' in generated) {\n        return generated;\n      }\n      /* c8 ignore next - unreachable: every entry in keyPairAlgorithmParams produces a keypair */\n      throw new Error(`${algorithm} unexpectedly produced a single CryptoKey`);\n    });\n    return result.withErrorFormat((e) => `Failed to generate ${algorithm} keypair: ${e}`);\n  }\n\n  /**\n   * Exports a public `CryptoKey` as a JSON Web Key.\n   * @remarks\n   * Rejects non-public keys at runtime. WebCrypto's `exportKey('jwk', ...)`\n   * does not enforce public-vs-private; without this guard a caller that\n   * passed an extractable private key would receive its private fields\n   * (`d`, `p`, `q`, ...) as JWK, defeating the method's name.\n   * @param publicKey - Extractable public key to export.\n   * @returns `Success` with the JWK, or `Failure` if not a public key or if export fails.\n   */\n  public async exportPublicKeyJwk(publicKey: CryptoKey): Promise<Result<JsonWebKey>> {\n    if (publicKey.type !== 'public') {\n      return Failure.with(`exportPublicKeyJwk requires a public CryptoKey, got '${publicKey.type}'`);\n    }\n    const result = await captureAsyncResult(() => this._crypto.subtle.exportKey('jwk', publicKey));\n    return result.withErrorFormat((e) => `Failed to export public key as JWK: ${e}`);\n  }\n\n  /**\n   * Imports a public-key JWK as a `CryptoKey` for the requested algorithm.\n   * @param jwk - The JSON Web Key produced by a prior export.\n   * @param algorithm - The algorithm the key was generated for.\n   * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.\n   */\n  public async importPublicKeyJwk(\n    jwk: JsonWebKey,\n    algorithm: CryptoUtils.KeyPairAlgorithm\n  ): Promise<Result<CryptoKey>> {\n    const params = CryptoUtils.keyPairAlgorithmParams[algorithm];\n    const result = await captureAsyncResult(() =>\n      this._crypto.subtle.importKey('jwk', jwk, params.importPublicKey, true, params.publicKeyUsages)\n    );\n    return result.withErrorFormat((e) => `Failed to import ${algorithm} public key from JWK: ${e}`);\n  }\n  /* c8 ignore stop */\n\n  /**\n   * Wraps `plaintext` for the holder of `recipientPublicKey` using\n   * ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See\n   * {@link CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes}.\n   * @param plaintext - The bytes to wrap.\n   * @param recipientPublicKey - The recipient's ECDH P-256 public `CryptoKey`.\n   * @param options - HKDF salt and info; see {@link CryptoUtils.IWrapBytesOptions | IWrapBytesOptions}.\n   * @returns `Success` with the wrapped payload, or `Failure` with an error.\n   */\n  public async wrapBytes(\n    plaintext: Uint8Array,\n    recipientPublicKey: CryptoKey,\n    options: CryptoUtils.IWrapBytesOptions\n  ): Promise<Result<CryptoUtils.IWrappedBytes>> {\n    const recipientCheck = checkEcdhP256(recipientPublicKey, 'public', 'recipient public key');\n    if (recipientCheck.isFailure()) {\n      return Failure.with(`wrapBytes failed: ${recipientCheck.message}`);\n    }\n    const subtle = this._crypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeral = (await subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, true, [\n        'deriveKey'\n      ])) as CryptoKeyPair;\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: recipientPublicKey },\n        ephemeral.privateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: toBufferView(options.salt), info: toBufferView(options.info), hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['encrypt']\n      );\n      const nonce = this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.GCM_IV_SIZE));\n      const ctBuf = await subtle.encrypt({ name: 'AES-GCM', iv: nonce }, wrapKey, toBufferView(plaintext));\n      const ephemeralPublicKey = await subtle.exportKey('jwk', ephemeral.publicKey);\n      return {\n        ephemeralPublicKey,\n        nonce: this.toBase64(nonce),\n        ciphertext: this.toBase64(new Uint8Array(ctBuf))\n      };\n    });\n    return result.withErrorFormat((e) => `wrapBytes failed: ${e}`);\n  }\n\n  /**\n   * Unwraps a payload produced by `wrapBytes` using the recipient's private\n   * key. See {@link CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes}.\n   * @param wrapped - The wrapped payload.\n   * @param recipientPrivateKey - The recipient's ECDH P-256 private `CryptoKey`.\n   * @param options - HKDF salt and info matching the wrap call.\n   * @returns `Success` with the original `plaintext`, or `Failure` with an error.\n   */\n  public async unwrapBytes(\n    wrapped: CryptoUtils.IWrappedBytes,\n    recipientPrivateKey: CryptoKey,\n    options: CryptoUtils.IWrapBytesOptions\n  ): Promise<Result<Uint8Array>> {\n    const recipientCheck = checkEcdhP256(recipientPrivateKey, 'private', 'recipient private key');\n    if (recipientCheck.isFailure()) {\n      return Failure.with(`unwrapBytes failed: ${recipientCheck.message}`);\n    }\n    const nonceResult = this.fromBase64(wrapped.nonce);\n    if (nonceResult.isFailure()) {\n      return Failure.with(`unwrapBytes failed: nonce: ${nonceResult.message}`);\n    }\n    if (nonceResult.value.length !== CryptoUtils.Constants.GCM_IV_SIZE) {\n      return Failure.with(\n        `unwrapBytes failed: nonce must be ${CryptoUtils.Constants.GCM_IV_SIZE} bytes (got ${nonceResult.value.length})`\n      );\n    }\n    const ciphertextResult = this.fromBase64(wrapped.ciphertext);\n    if (ciphertextResult.isFailure()) {\n      return Failure.with(`unwrapBytes failed: ciphertext: ${ciphertextResult.message}`);\n    }\n    if (ciphertextResult.value.length < CryptoUtils.Constants.GCM_AUTH_TAG_SIZE) {\n      return Failure.with(\n        `unwrapBytes failed: ciphertext must be at least ${CryptoUtils.Constants.GCM_AUTH_TAG_SIZE} bytes (got ${ciphertextResult.value.length})`\n      );\n    }\n    const subtle = this._crypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeralPub = await subtle.importKey(\n        'jwk',\n        wrapped.ephemeralPublicKey,\n        { name: 'ECDH', namedCurve: 'P-256' },\n        false,\n        []\n      );\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: ephemeralPub },\n        recipientPrivateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: toBufferView(options.salt), info: toBufferView(options.info), hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['decrypt']\n      );\n      const ptBuf = await subtle.decrypt(\n        { name: 'AES-GCM', iv: toBufferView(nonceResult.value) },\n        wrapKey,\n        toBufferView(ciphertextResult.value)\n      );\n      return new Uint8Array(ptBuf);\n    });\n    return result.withErrorFormat((e) => `unwrapBytes failed: ${e}`);\n  }\n}\n\n/**\n * Verifies that `key` is an ECDH P-256 `CryptoKey` of the expected `keyType`\n * (public or private). Used by the wrap/unwrap methods to surface a clean\n * `Failure` instead of letting the WebCrypto deriveKey call throw a less\n * informative error later in the pipeline. Key usages are intentionally not\n * checked here: WebCrypto already produces a specific error if `deriveKey` is\n * not in `usages`, and `deriveBits` is an equally valid alternative usage that\n * an explicit check would have to track.\n * @param key - The CryptoKey to validate.\n * @param keyType - The required `key.type` ('public' for wrap, 'private' for unwrap).\n * @param label - Human-readable role label included in the failure message.\n * @returns `Success` with the key (unchanged) when the algorithm, curve, and\n * type all match; otherwise `Failure` with `<label> must be ECDH P-256 (...)`.\n */\nfunction checkEcdhP256(key: CryptoKey, keyType: 'public' | 'private', label: string): Result<CryptoKey> {\n  if (key.algorithm.name !== 'ECDH') {\n    return Failure.with(`${label} must be ECDH P-256 (got algorithm '${key.algorithm.name}')`);\n  }\n  const namedCurve = (key.algorithm as EcKeyAlgorithm).namedCurve;\n  if (namedCurve !== 'P-256') {\n    return Failure.with(`${label} must be ECDH P-256 (got curve '${namedCurve}')`);\n  }\n  if (key.type !== keyType) {\n    return Failure.with(`${label} must be a ${keyType} CryptoKey (got '${key.type}')`);\n  }\n  return succeed(key);\n}\n\n/* c8 ignore start - Constructs a provider; only meaningful in a real browser environment */\n/**\n * Creates a {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider} if Web\n * Crypto API is available.\n * @returns `Success` with provider, or `Failure` if not available\n * @public\n */\nexport function createBrowserCryptoProvider(): Result<BrowserCryptoProvider> {\n  return captureResult(() => new BrowserCryptoProvider());\n}\n/* c8 ignore stop */\n"]}
+{"version":3,"file":"browserCryptoProvider.js","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/browserCryptoProvider.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;AAEZ,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,IAAI,EACJ,OAAO,EAEP,OAAO,EACP,OAAO,EAER,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,sGAAsG;AACtG;;;;GAIG;AACH,SAAS,aAAa,CAAC,GAAe;IACpC,mGAAmG;IACnG,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,MAAM,CAAC;AAChB,CAAC;AACD,oBAAoB;AAEpB;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CAAC,GAAe;IACnC,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,OAAO,qBAAqB;IAGhC,6FAA6F;IAC7F;;;OAGG;IACH,YAAmB,SAAkB;QACnC,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QAC3B,CAAC;aAAM,IAAI,OAAO,UAAU,KAAK,WAAW,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;YAClE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAC1D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,SAAiB,EAAE,GAAe;QACrD,IAAI,GAAG,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAC,IAAI,CAAC,eAAe,WAAW,CAAC,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QAED,IAAI,CAAC;YACH,qBAAqB;YACrB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;YAE3F,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,aAAa,CAAC,GAAG,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YAEF,4BAA4B;YAC5B,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAEjD,sDAAsD;YACtD,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CACxD;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,EAAE;gBACN,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,OAAO;aAC/D,EACD,SAAS,EACT,cAAc,CACf,CAAC;YAEF,4DAA4D;YAC5D,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAAC;YACxD,MAAM,aAAa,GAAG,cAAc,CAAC,KAAK,CACxC,CAAC,EACD,cAAc,CAAC,MAAM,GAAG,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAChE,CAAC;YACF,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;YACtG,OAAO,OAAO,CAAC,IAAI,CAAC;gBAClB,EAAE;gBACF,OAAO;gBACP,aAAa;aACd,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAClB,aAAyB,EACzB,GAAe,EACf,EAAc,EACd,OAAmB;QAEnB,IAAI,GAAG,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAC,IAAI,CAAC,eAAe,WAAW,CAAC,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QACD,IAAI,EAAE,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACpD,OAAO,OAAO,CAAC,IAAI,CAAC,cAAc,WAAW,CAAC,SAAS,CAAC,WAAW,eAAe,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;QACjG,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC/D,OAAO,OAAO,CAAC,IAAI,CACjB,oBAAoB,WAAW,CAAC,SAAS,CAAC,iBAAiB,eAAe,OAAO,CAAC,MAAM,EAAE,CAC3F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,aAAa,CAAC,GAAG,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YAEF,wDAAwD;YACxD,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/E,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACpC,gBAAgB,CAAC,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;YAEpD,UAAU;YACV,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CACjD;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC;gBACrB,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,OAAO;aAC/D,EACD,SAAS,EACT,gBAAgB,CACjB,CAAC;YAEF,mBAAmB;YACnB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW;QACtB,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,IAAI,CACjB,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CACrF,CAAC;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,SAAS,CACpB,QAAgB,EAChB,IAAgB,EAChB,UAAkB;QAElB,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,OAAO,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,OAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,CAAC;YACH,kBAAkB;YAClB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAE/C,kCAAkC;YAClC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE;gBAC7F,YAAY;aACb,CAAC,CAAC;YAEH,kBAAkB;YAClB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CACtD;gBACE,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC;gBACzB,UAAU,EAAE,UAAU;gBACtB,IAAI,EAAE,SAAS;aAChB,EACD,WAAW,EACX,WAAW,CAAC,SAAS,CAAC,gBAAgB,GAAG,CAAC,CAAC,OAAO;aACnD,CAAC;YAEF,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,IAAY;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;YAC3E,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;YAC7C,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;iBAClC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;iBAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;YACZ,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC,wBAAwB,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,2BAA2B;IAC3B,+EAA+E;IAE/E;;;;OAIG;IACI,mBAAmB,CAAC,MAAc;QACvC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,OAAO,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,OAAO,CAAC,IAAI,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IACD,oBAAoB;IAEpB;;;;;OAKG;IACI,YAAY;QACjB,yGAAyG;QACzG,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YAClD,OAAO,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,aAAa,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAU,CAAC,CAAC;IAChE,CAAC;IAED,qDAAqD;IAErD;;;;OAIG;IACI,QAAQ,CAAC,IAAgB;QAC9B,sDAAsD;QACtD,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACI,UAAU,CAAC,MAAc;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,4BAA4B;IAC5B,+EAA+E;IAE/E;;;;;OAKG;IACI,KAAK,CAAC,eAAe,CAC1B,SAAuC,EACvC,WAAoB;QAEpB,MAAM,MAAM,GAAG,WAAW,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,6EAA6E;QAC7E,4EAA4E;QAC5E,6EAA6E;QAC7E,kEAAkE;QAClE,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACrD,MAAM,CAAC,WAAkC,EACzC,WAAW,EACX,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,CAC1B,CAAC;YACF,IAAI,YAAY,IAAI,SAAS,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;gBAC1D,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,4FAA4F;YAC5F,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,2CAA2C,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,SAAS,aAAa,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IAED;;;;;;;;;OASG;IACI,KAAK,CAAC,kBAAkB,CAAC,SAAoB;QAClD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,OAAO,CAAC,IAAI,CAAC,wDAAwD,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC;QAC/F,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uCAAuC,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,kBAAkB,CAC7B,GAAe,EACf,SAAuC;QAEvC,MAAM,MAAM,GAAG,WAAW,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,CAC3C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAChG,CAAC;QACF,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,SAAS,yBAAyB,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,oBAAoB;IAEpB;;;;;;;;OAQG;IACI,KAAK,CAAC,SAAS,CACpB,SAAqB,EACrB,kBAA6B,EAC7B,OAAsC;QAEtC,MAAM,cAAc,GAAG,aAAa,CAAC,kBAAkB,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;QAC3F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,OAAO,CAAC,IAAI,CAAC,qBAAqB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE;gBACvF,WAAW;aACZ,CAAC,CAAkB,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAC5C,SAAS,CAAC,UAAU,EACpB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EACrG,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;YAC9F,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;YACrG,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;YAC9E,OAAO;gBACL,kBAAkB;gBAClB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC3B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;aACjD,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,WAAW,CACtB,OAAkC,EAClC,mBAA8B,EAC9B,OAAsC;QAEtC,MAAM,cAAc,GAAG,aAAa,CAAC,mBAAmB,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;QAC9F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,OAAO,CAAC,IAAI,CAAC,uBAAuB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC;YAC5B,OAAO,OAAO,CAAC,IAAI,CAAC,8BAA8B,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACnE,OAAO,OAAO,CAAC,IAAI,CACjB,qCAAqC,WAAW,CAAC,SAAS,CAAC,WAAW,eAAe,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,CACjH,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,gBAAgB,CAAC,SAAS,EAAE,EAAE,CAAC;YACjC,OAAO,OAAO,CAAC,IAAI,CAAC,mCAAmC,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC5E,OAAO,OAAO,CAAC,IAAI,CACjB,mDAAmD,WAAW,CAAC,SAAS,CAAC,iBAAiB,eAAe,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,CAC1I,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,IAAI,EAAE;YACjD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,SAAS,CACzC,KAAK,EACL,OAAO,CAAC,kBAAkB,EAC1B,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,EAAE,CACH,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,EACtC,mBAAmB,EACnB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EACrG,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAChC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,YAAY,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EACxD,OAAO,EACP,YAAY,CAAC,gBAAgB,CAAC,KAAK,CAAC,CACrC,CAAC;YACF,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;CACF;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,aAAa,CAAC,GAAc,EAAE,OAA6B,EAAE,KAAa;IACjF,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,uCAAuC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,CAAC;IAC7F,CAAC;IACD,MAAM,UAAU,GAAI,GAAG,CAAC,SAA4B,CAAC,UAAU,CAAC;IAChE,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,mCAAmC,UAAU,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,cAAc,OAAO,oBAAoB,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED,4FAA4F;AAC5F;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B;IACzC,OAAO,aAAa,CAAC,GAAG,EAAE,CAAC,IAAI,qBAAqB,EAAE,CAAC,CAAC;AAC1D,CAAC;AACD,oBAAoB","sourcesContent":["// Copyright (c) 2024 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport {\n  captureAsyncResult,\n  captureResult,\n  fail,\n  Failure,\n  Result,\n  succeed,\n  Success,\n  Uuid\n} from '@fgv/ts-utils';\nimport { CryptoUtils } from '@fgv/ts-extras';\n\n/* c8 ignore start - Used only by browser-only methods that cannot be tested in Node.js environment */\n/**\n * Extracts an `ArrayBuffer` from a Uint8Array, handling the potential SharedArrayBuffer case.\n * @param arr - The Uint8Array to extract from\n * @returns An `ArrayBuffer` containing a copy of the data.\n */\nfunction toArrayBuffer(arr: Uint8Array): ArrayBuffer {\n  // Create a new ArrayBuffer and copy the data - this handles both ArrayBuffer and SharedArrayBuffer\n  const buffer = new ArrayBuffer(arr.byteLength);\n  new Uint8Array(buffer).set(arr);\n  return buffer;\n}\n/* c8 ignore stop */\n\n/**\n * Returns a fresh Uint8Array view over a non-shared ArrayBuffer copy of `arr`.\n * Used by {@link BrowserCryptoProvider.wrapBytes | wrapBytes} and\n * {@link BrowserCryptoProvider.unwrapBytes | unwrapBytes}: Node 20's\n * webcrypto.subtle rejects raw `ArrayBuffer` for several `BufferSource`\n * parameters with \"is not instance of ArrayBuffer, Buffer, TypedArray, or\n * DataView\" even though `ArrayBuffer` should be valid per the spec; a\n * TypedArray view is accepted on Node 20+ and on browsers, and the explicit\n * `Uint8Array<ArrayBuffer>` return type also satisfies TypeScript's `BufferSource`\n * (which excludes the `SharedArrayBuffer` branch of `Uint8Array`'s buffer type).\n */\nfunction toBufferView(arr: Uint8Array): Uint8Array<ArrayBuffer> {\n  const buffer = new ArrayBuffer(arr.byteLength);\n  const view = new Uint8Array(buffer);\n  view.set(arr);\n  return view;\n}\n\n/**\n * Browser implementation of `ICryptoProvider` using the Web Crypto API.\n * Uses AES-256-GCM for authenticated encryption.\n *\n * Note: This provider requires a browser environment with Web Crypto API support.\n * In Node.js 15+, Web Crypto is available via globalThis.crypto or require('crypto').webcrypto.\n *\n * @public\n */\nexport class BrowserCryptoProvider implements CryptoUtils.ICryptoProvider {\n  private readonly _crypto: Crypto;\n\n  /* c8 ignore start - Existing browser-only methods cannot be tested in Node.js environment */\n  /**\n   * Creates a new {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider}.\n   * @param cryptoApi - Optional Crypto instance (defaults to globalThis.crypto)\n   */\n  public constructor(cryptoApi?: Crypto) {\n    if (cryptoApi) {\n      this._crypto = cryptoApi;\n    } else if (typeof globalThis !== 'undefined' && globalThis.crypto) {\n      this._crypto = globalThis.crypto;\n    } else if (typeof window !== 'undefined' && window.crypto) {\n      this._crypto = window.crypto;\n    } else {\n      throw new Error('Web Crypto API not available');\n    }\n  }\n\n  /**\n   * Encrypts plaintext using AES-256-GCM.\n   * @param plaintext - UTF-8 string to encrypt\n   * @param key - 32-byte encryption key\n   * @returns `Success` with encryption result, or `Failure` with an error.\n   */\n  public async encrypt(plaintext: string, key: Uint8Array): Promise<Result<CryptoUtils.IEncryptionResult>> {\n    if (key.length !== CryptoUtils.Constants.AES_256_KEY_SIZE) {\n      return Failure.with(`Key must be ${CryptoUtils.Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n\n    try {\n      // Generate random IV\n      const iv = this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.GCM_IV_SIZE));\n\n      // Import the key\n      const cryptoKey = await this._crypto.subtle.importKey(\n        'raw',\n        toArrayBuffer(key),\n        { name: 'AES-GCM' },\n        false,\n        ['encrypt']\n      );\n\n      // Encode plaintext to bytes\n      const encoder = new TextEncoder();\n      const plaintextBytes = encoder.encode(plaintext);\n\n      // Encrypt (Web Crypto appends auth tag to ciphertext)\n      const encryptedWithTag = await this._crypto.subtle.encrypt(\n        {\n          name: 'AES-GCM',\n          iv: iv,\n          tagLength: CryptoUtils.Constants.GCM_AUTH_TAG_SIZE * 8 // bits\n        },\n        cryptoKey,\n        plaintextBytes\n      );\n\n      // Split ciphertext and auth tag (auth tag is last 16 bytes)\n      const encryptedArray = new Uint8Array(encryptedWithTag);\n      const encryptedData = encryptedArray.slice(\n        0,\n        encryptedArray.length - CryptoUtils.Constants.GCM_AUTH_TAG_SIZE\n      );\n      const authTag = encryptedArray.slice(encryptedArray.length - CryptoUtils.Constants.GCM_AUTH_TAG_SIZE);\n      return Success.with({\n        iv,\n        authTag,\n        encryptedData\n      });\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Encryption failed: ${message}`);\n    }\n  }\n\n  /**\n   * Decrypts ciphertext using AES-256-GCM.\n   * @param encryptedData - Encrypted bytes\n   * @param key - 32-byte decryption key\n   * @param iv - Initialization vector (12 bytes)\n   * @param authTag - GCM authentication tag (16 bytes)\n   * @returns `Success` with decrypted UTF-8 string, or `Failure` with an error.\n   */\n  public async decrypt(\n    encryptedData: Uint8Array,\n    key: Uint8Array,\n    iv: Uint8Array,\n    authTag: Uint8Array\n  ): Promise<Result<string>> {\n    if (key.length !== CryptoUtils.Constants.AES_256_KEY_SIZE) {\n      return Failure.with(`Key must be ${CryptoUtils.Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n    if (iv.length !== CryptoUtils.Constants.GCM_IV_SIZE) {\n      return Failure.with(`IV must be ${CryptoUtils.Constants.GCM_IV_SIZE} bytes, got ${iv.length}`);\n    }\n    if (authTag.length !== CryptoUtils.Constants.GCM_AUTH_TAG_SIZE) {\n      return Failure.with(\n        `Auth tag must be ${CryptoUtils.Constants.GCM_AUTH_TAG_SIZE} bytes, got ${authTag.length}`\n      );\n    }\n\n    try {\n      // Import the key\n      const cryptoKey = await this._crypto.subtle.importKey(\n        'raw',\n        toArrayBuffer(key),\n        { name: 'AES-GCM' },\n        false,\n        ['decrypt']\n      );\n\n      // Web Crypto expects ciphertext + auth tag concatenated\n      const encryptedWithTag = new Uint8Array(encryptedData.length + authTag.length);\n      encryptedWithTag.set(encryptedData);\n      encryptedWithTag.set(authTag, encryptedData.length);\n\n      // Decrypt\n      const decrypted = await this._crypto.subtle.decrypt(\n        {\n          name: 'AES-GCM',\n          iv: toArrayBuffer(iv),\n          tagLength: CryptoUtils.Constants.GCM_AUTH_TAG_SIZE * 8 // bits\n        },\n        cryptoKey,\n        encryptedWithTag\n      );\n\n      // Decode to string\n      const decoder = new TextDecoder();\n      return Success.with(decoder.decode(decrypted));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Decryption failed: ${message}`);\n    }\n  }\n\n  /**\n   * Generates a random 32-byte key suitable for AES-256.\n   * @returns Success with generated key, or Failure with error\n   */\n  public async generateKey(): Promise<Result<Uint8Array>> {\n    try {\n      return Success.with(\n        this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.AES_256_KEY_SIZE))\n      );\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Key generation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Derives a key from a password using PBKDF2.\n   * @param password - Password string\n   * @param salt - Salt bytes (should be at least 16 bytes)\n   * @param iterations - Number of iterations (recommend 100000+)\n   * @returns Success with derived 32-byte key, or Failure with error\n   */\n  public async deriveKey(\n    password: string,\n    salt: Uint8Array,\n    iterations: number\n  ): Promise<Result<Uint8Array>> {\n    if (iterations < 1) {\n      return Failure.with('Iterations must be at least 1');\n    }\n    if (salt.length < 8) {\n      return Failure.with('Salt should be at least 8 bytes');\n    }\n\n    try {\n      // Encode password\n      const encoder = new TextEncoder();\n      const passwordBytes = encoder.encode(password);\n\n      // Import password as key material\n      const keyMaterial = await this._crypto.subtle.importKey('raw', passwordBytes, 'PBKDF2', false, [\n        'deriveBits'\n      ]);\n\n      // Derive key bits\n      const derivedBits = await this._crypto.subtle.deriveBits(\n        {\n          name: 'PBKDF2',\n          salt: toArrayBuffer(salt),\n          iterations: iterations,\n          hash: 'SHA-256'\n        },\n        keyMaterial,\n        CryptoUtils.Constants.AES_256_KEY_SIZE * 8 // bits\n      );\n\n      return Success.with(new Uint8Array(derivedBits));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Key derivation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Computes a SHA-256 hash of the given data.\n   * @param data - UTF-8 string to hash\n   * @returns `Success` with hex-encoded hash string, or `Failure` with an error.\n   */\n  public async sha256(data: string): Promise<Result<string>> {\n    try {\n      const encoder = new TextEncoder();\n      const dataBuffer = encoder.encode(data);\n      const hashBuffer = await this._crypto.subtle.digest('SHA-256', dataBuffer);\n      const hashArray = new Uint8Array(hashBuffer);\n      const hashHex = Array.from(hashArray)\n        .map((b) => b.toString(16).padStart(2, '0'))\n        .join('');\n      return succeed(hashHex);\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return fail(`SHA-256 hash failed: ${message}`);\n    }\n  }\n\n  // ============================================================================\n  // Platform Utility Methods\n  // ============================================================================\n\n  /**\n   * Generates cryptographically secure random bytes.\n   * @param length - Number of bytes to generate\n   * @returns Success with random bytes, or Failure with error\n   */\n  public generateRandomBytes(length: number): Result<Uint8Array> {\n    if (length < 1) {\n      return Failure.with('Length must be at least 1');\n    }\n    try {\n      return Success.with(this._crypto.getRandomValues(new Uint8Array(length)));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Random bytes generation failed: ${message}`);\n    }\n  }\n  /* c8 ignore stop */\n\n  /**\n   * Generates a cryptographically random UUIDv4 using the injected\n   * `Crypto` instance.\n   * @returns `Success` with the generated UUID, or `Failure` if the underlying\n   * `Crypto` instance does not expose `randomUUID`.\n   */\n  public generateUuid(): Result<Uuid> {\n    /* c8 ignore next 3 - randomUUID is always available in supported runtimes (Node 22+, modern browsers) */\n    if (typeof this._crypto.randomUUID !== 'function') {\n      return Failure.with('Crypto instance does not expose randomUUID');\n    }\n    return captureResult(() => this._crypto.randomUUID() as Uuid);\n  }\n\n  /* c8 ignore start - browser-only methods continue */\n\n  /**\n   * Encodes binary data to base64 string.\n   * @param data - Binary data to encode\n   * @returns Base64-encoded string\n   */\n  public toBase64(data: Uint8Array): string {\n    // Convert Uint8Array to binary string, then to base64\n    let binary = '';\n    for (let i = 0; i < data.length; i++) {\n      binary += String.fromCharCode(data[i]);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Decodes base64 string to binary data.\n   * @param base64 - Base64-encoded string\n   * @returns Success with decoded bytes, or Failure if invalid base64\n   */\n  public fromBase64(base64: string): Result<Uint8Array> {\n    try {\n      const binary = atob(base64);\n      const bytes = new Uint8Array(binary.length);\n      for (let i = 0; i < binary.length; i++) {\n        bytes[i] = binary.charCodeAt(i);\n      }\n      return Success.with(bytes);\n    } catch (e) {\n      return Failure.with('Invalid base64 string');\n    }\n  }\n\n  // ============================================================================\n  // Asymmetric Key Operations\n  // ============================================================================\n\n  /**\n   * Generates a new asymmetric keypair via Web Crypto.\n   * @param algorithm - The algorithm to use.\n   * @param extractable - Whether the resulting keys may be exported.\n   * @returns `Success` with the generated `CryptoKeyPair`, or `Failure` with an error.\n   */\n  public async generateKeyPair(\n    algorithm: CryptoUtils.KeyPairAlgorithm,\n    extractable: boolean\n  ): Promise<Result<CryptoKeyPair>> {\n    const params = CryptoUtils.keyPairAlgorithmParams[algorithm];\n    // Widening upcast to `AlgorithmIdentifier` steers TS to subtle.generateKey's\n    // broad overload, which accepts the Ed25519 `{ name: 'Ed25519' }` shape and\n    // returns `CryptoKey | CryptoKeyPair`. The narrowing back to `CryptoKeyPair`\n    // is a runtime check via the `in` operator, not a type assertion.\n    const result = await captureAsyncResult(async () => {\n      const generated = await this._crypto.subtle.generateKey(\n        params.generateKey as AlgorithmIdentifier,\n        extractable,\n        [...params.keyPairUsages]\n      );\n      if ('privateKey' in generated && 'publicKey' in generated) {\n        return generated;\n      }\n      /* c8 ignore next - unreachable: every entry in keyPairAlgorithmParams produces a keypair */\n      throw new Error(`${algorithm} unexpectedly produced a single CryptoKey`);\n    });\n    return result.withErrorFormat((e) => `Failed to generate ${algorithm} keypair: ${e}`);\n  }\n\n  /**\n   * Exports a public `CryptoKey` as a JSON Web Key.\n   * @remarks\n   * Rejects non-public keys at runtime. WebCrypto's `exportKey('jwk', ...)`\n   * does not enforce public-vs-private; without this guard a caller that\n   * passed an extractable private key would receive its private fields\n   * (`d`, `p`, `q`, ...) as JWK, defeating the method's name.\n   * @param publicKey - Extractable public key to export.\n   * @returns `Success` with the JWK, or `Failure` if not a public key or if export fails.\n   */\n  public async exportPublicKeyJwk(publicKey: CryptoKey): Promise<Result<JsonWebKey>> {\n    if (publicKey.type !== 'public') {\n      return Failure.with(`exportPublicKeyJwk requires a public CryptoKey, got '${publicKey.type}'`);\n    }\n    const result = await captureAsyncResult(() => this._crypto.subtle.exportKey('jwk', publicKey));\n    return result.withErrorFormat((e) => `Failed to export public key as JWK: ${e}`);\n  }\n\n  /**\n   * Imports a public-key JWK as a `CryptoKey` for the requested algorithm.\n   * @param jwk - The JSON Web Key produced by a prior export.\n   * @param algorithm - The algorithm the key was generated for.\n   * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.\n   */\n  public async importPublicKeyJwk(\n    jwk: JsonWebKey,\n    algorithm: CryptoUtils.KeyPairAlgorithm\n  ): Promise<Result<CryptoKey>> {\n    const params = CryptoUtils.keyPairAlgorithmParams[algorithm];\n    const result = await captureAsyncResult(() =>\n      this._crypto.subtle.importKey('jwk', jwk, params.importPublicKey, true, params.publicKeyUsages)\n    );\n    return result.withErrorFormat((e) => `Failed to import ${algorithm} public key from JWK: ${e}`);\n  }\n  /* c8 ignore stop */\n\n  /**\n   * Wraps `plaintext` for the holder of `recipientPublicKey` using\n   * ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See\n   * {@link CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes}.\n   * @param plaintext - The bytes to wrap.\n   * @param recipientPublicKey - The recipient's ECDH P-256 public `CryptoKey`.\n   * @param options - HKDF salt and info; see {@link CryptoUtils.IWrapBytesOptions | IWrapBytesOptions}.\n   * @returns `Success` with the wrapped payload, or `Failure` with an error.\n   */\n  public async wrapBytes(\n    plaintext: Uint8Array,\n    recipientPublicKey: CryptoKey,\n    options: CryptoUtils.IWrapBytesOptions\n  ): Promise<Result<CryptoUtils.IWrappedBytes>> {\n    const recipientCheck = checkEcdhP256(recipientPublicKey, 'public', 'recipient public key');\n    if (recipientCheck.isFailure()) {\n      return Failure.with(`wrapBytes failed: ${recipientCheck.message}`);\n    }\n    const subtle = this._crypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeral = (await subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, true, [\n        'deriveKey'\n      ])) as CryptoKeyPair;\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: recipientPublicKey },\n        ephemeral.privateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: toBufferView(options.salt), info: toBufferView(options.info), hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['encrypt']\n      );\n      const nonce = this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.GCM_IV_SIZE));\n      const ctBuf = await subtle.encrypt({ name: 'AES-GCM', iv: nonce }, wrapKey, toBufferView(plaintext));\n      const ephemeralPublicKey = await subtle.exportKey('jwk', ephemeral.publicKey);\n      return {\n        ephemeralPublicKey,\n        nonce: this.toBase64(nonce),\n        ciphertext: this.toBase64(new Uint8Array(ctBuf))\n      };\n    });\n    return result.withErrorFormat((e) => `wrapBytes failed: ${e}`);\n  }\n\n  /**\n   * Unwraps a payload produced by `wrapBytes` using the recipient's private\n   * key. See {@link CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes}.\n   * @param wrapped - The wrapped payload.\n   * @param recipientPrivateKey - The recipient's ECDH P-256 private `CryptoKey`.\n   * @param options - HKDF salt and info matching the wrap call.\n   * @returns `Success` with the original `plaintext`, or `Failure` with an error.\n   */\n  public async unwrapBytes(\n    wrapped: CryptoUtils.IWrappedBytes,\n    recipientPrivateKey: CryptoKey,\n    options: CryptoUtils.IWrapBytesOptions\n  ): Promise<Result<Uint8Array>> {\n    const recipientCheck = checkEcdhP256(recipientPrivateKey, 'private', 'recipient private key');\n    if (recipientCheck.isFailure()) {\n      return Failure.with(`unwrapBytes failed: ${recipientCheck.message}`);\n    }\n    const nonceResult = this.fromBase64(wrapped.nonce);\n    if (nonceResult.isFailure()) {\n      return Failure.with(`unwrapBytes failed: nonce: ${nonceResult.message}`);\n    }\n    if (nonceResult.value.length !== CryptoUtils.Constants.GCM_IV_SIZE) {\n      return Failure.with(\n        `unwrapBytes failed: nonce must be ${CryptoUtils.Constants.GCM_IV_SIZE} bytes (got ${nonceResult.value.length})`\n      );\n    }\n    const ciphertextResult = this.fromBase64(wrapped.ciphertext);\n    if (ciphertextResult.isFailure()) {\n      return Failure.with(`unwrapBytes failed: ciphertext: ${ciphertextResult.message}`);\n    }\n    if (ciphertextResult.value.length < CryptoUtils.Constants.GCM_AUTH_TAG_SIZE) {\n      return Failure.with(\n        `unwrapBytes failed: ciphertext must be at least ${CryptoUtils.Constants.GCM_AUTH_TAG_SIZE} bytes (got ${ciphertextResult.value.length})`\n      );\n    }\n    const subtle = this._crypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeralPub = await subtle.importKey(\n        'jwk',\n        wrapped.ephemeralPublicKey,\n        { name: 'ECDH', namedCurve: 'P-256' },\n        false,\n        []\n      );\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: ephemeralPub },\n        recipientPrivateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: toBufferView(options.salt), info: toBufferView(options.info), hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['decrypt']\n      );\n      const ptBuf = await subtle.decrypt(\n        { name: 'AES-GCM', iv: toBufferView(nonceResult.value) },\n        wrapKey,\n        toBufferView(ciphertextResult.value)\n      );\n      return new Uint8Array(ptBuf);\n    });\n    return result.withErrorFormat((e) => `unwrapBytes failed: ${e}`);\n  }\n}\n\n/**\n * Verifies that `key` is an ECDH P-256 `CryptoKey` of the expected `keyType`\n * (public or private). Used by the wrap/unwrap methods to surface a clean\n * `Failure` instead of letting the WebCrypto deriveKey call throw a less\n * informative error later in the pipeline. Key usages are intentionally not\n * checked here: WebCrypto already produces a specific error if `deriveKey` is\n * not in `usages`, and `deriveBits` is an equally valid alternative usage that\n * an explicit check would have to track.\n * @param key - The CryptoKey to validate.\n * @param keyType - The required `key.type` ('public' for wrap, 'private' for unwrap).\n * @param label - Human-readable role label included in the failure message.\n * @returns `Success` with the key (unchanged) when the algorithm, curve, and\n * type all match; otherwise `Failure` with `<label> must be ECDH P-256 (...)`.\n */\nfunction checkEcdhP256(key: CryptoKey, keyType: 'public' | 'private', label: string): Result<CryptoKey> {\n  if (key.algorithm.name !== 'ECDH') {\n    return Failure.with(`${label} must be ECDH P-256 (got algorithm '${key.algorithm.name}')`);\n  }\n  const namedCurve = (key.algorithm as EcKeyAlgorithm).namedCurve;\n  if (namedCurve !== 'P-256') {\n    return Failure.with(`${label} must be ECDH P-256 (got curve '${namedCurve}')`);\n  }\n  if (key.type !== keyType) {\n    return Failure.with(`${label} must be a ${keyType} CryptoKey (got '${key.type}')`);\n  }\n  return succeed(key);\n}\n\n/* c8 ignore start - Constructs a provider; only meaningful in a real browser environment */\n/**\n * Creates a {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider} if Web\n * Crypto API is available.\n * @returns `Success` with provider, or `Failure` if not available\n * @public\n */\nexport function createBrowserCryptoProvider(): Result<BrowserCryptoProvider> {\n  return captureResult(() => new BrowserCryptoProvider());\n}\n/* c8 ignore stop */\n"]}

package/dist/ts-web-extras.d.ts

@@ -14,6 +14,7 @@ import { DetailedResult } from '@fgv/ts-utils';
 import { FileTree } from '@fgv/ts-json-base';
 import { Logging } from '@fgv/ts-utils';
 import { Result } from '@fgv/ts-utils';
+import { Uuid } from '@fgv/ts-utils';
 
 /**
  * Browser implementation of `ICryptoProvider` using the Web Crypto API.
@@ -72,6 +73,13 @@ declare class BrowserCryptoProvider implements CryptoUtils_2.ICryptoProvider {
      * @returns Success with random bytes, or Failure with error
      */
     generateRandomBytes(length: number): Result<Uint8Array>;
+    /**
+     * Generates a cryptographically random UUIDv4 using the injected
+     * `Crypto` instance.
+     * @returns `Success` with the generated UUID, or `Failure` if the underlying
+     * `Crypto` instance does not expose `randomUUID`.
+     */
+    generateUuid(): Result<Uuid>;
     /**
      * Encodes binary data to base64 string.
      * @param data - Binary data to encode

package/lib/packlets/crypto-utils/browserCryptoProvider.d.ts

@@ -1,4 +1,4 @@
-import { Result } from '@fgv/ts-utils';
+import { Result, Uuid } from '@fgv/ts-utils';
 import { CryptoUtils } from '@fgv/ts-extras';
 /**
  * Browser implementation of `ICryptoProvider` using the Web Crypto API.
@@ -57,6 +57,13 @@ export declare class BrowserCryptoProvider implements CryptoUtils.ICryptoProvide
      * @returns Success with random bytes, or Failure with error
      */
     generateRandomBytes(length: number): Result<Uint8Array>;
+    /**
+     * Generates a cryptographically random UUIDv4 using the injected
+     * `Crypto` instance.
+     * @returns `Success` with the generated UUID, or `Failure` if the underlying
+     * `Crypto` instance does not expose `randomUUID`.
+     */
+    generateUuid(): Result<Uuid>;
     /**
      * Encodes binary data to base64 string.
      * @param data - Binary data to encode

package/lib/packlets/crypto-utils/browserCryptoProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"browserCryptoProvider.d.ts","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/browserCryptoProvider.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAoD,MAAM,EAAoB,MAAM,eAAe,CAAC;AAC3G,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAkC7C;;;;;;;;GAQG;AACH,qBAAa,qBAAsB,YAAW,WAAW,CAAC,eAAe;IACvE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAGjC;;;OAGG;gBACgB,SAAS,CAAC,EAAE,MAAM;IAYrC;;;;;OAKG;IACU,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;IAmDxG;;;;;;;OAOG;IACU,OAAO,CAClB,aAAa,EAAE,UAAU,EACzB,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAgD1B;;;OAGG;IACU,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAWvD;;;;;;OAMG;IACU,SAAS,CACpB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAqC9B;;;;OAIG;IACU,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAoB1D;;;;OAIG;IACI,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAY9D;;;;OAIG;IACI,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM;IASzC;;;;OAIG;IACI,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAiBrD;;;;;OAKG;IACU,eAAe,CAC1B,SAAS,EAAE,WAAW,CAAC,gBAAgB,EACvC,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAqBjC;;;;;;;;;OASG;IACU,kBAAkB,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAQlF;;;;;OAKG;IACU,kBAAkB,CAC7B,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,WAAW,CAAC,gBAAgB,GACtC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAS7B;;;;;;;;OAQG;IACU,SAAS,CACpB,SAAS,EAAE,UAAU,EACrB,kBAAkB,EAAE,SAAS,EAC7B,OAAO,EAAE,WAAW,CAAC,iBAAiB,GACrC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAoC7C;;;;;;;OAOG;IACU,WAAW,CACtB,OAAO,EAAE,WAAW,CAAC,aAAa,EAClC,mBAAmB,EAAE,SAAS,EAC9B,OAAO,EAAE,WAAW,CAAC,iBAAiB,GACrC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;CAuD/B;AA+BD;;;;;GAKG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,CAAC,qBAAqB,CAAC,CAE3E"}
+{"version":3,"file":"browserCryptoProvider.d.ts","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/browserCryptoProvider.ts"],"names":[],"mappings":"AAoBA,OAAO,EAKL,MAAM,EAGN,IAAI,EACL,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAkC7C;;;;;;;;GAQG;AACH,qBAAa,qBAAsB,YAAW,WAAW,CAAC,eAAe;IACvE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAGjC;;;OAGG;gBACgB,SAAS,CAAC,EAAE,MAAM;IAYrC;;;;;OAKG;IACU,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;IAmDxG;;;;;;;OAOG;IACU,OAAO,CAClB,aAAa,EAAE,UAAU,EACzB,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAgD1B;;;OAGG;IACU,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAWvD;;;;;;OAMG;IACU,SAAS,CACpB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAqC9B;;;;OAIG;IACU,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAoB1D;;;;OAIG;IACI,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAa9D;;;;;OAKG;IACI,YAAY,IAAI,MAAM,CAAC,IAAI,CAAC;IAUnC;;;;OAIG;IACI,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM;IASzC;;;;OAIG;IACI,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAiBrD;;;;;OAKG;IACU,eAAe,CAC1B,SAAS,EAAE,WAAW,CAAC,gBAAgB,EACvC,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAqBjC;;;;;;;;;OASG;IACU,kBAAkB,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAQlF;;;;;OAKG;IACU,kBAAkB,CAC7B,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,WAAW,CAAC,gBAAgB,GACtC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAS7B;;;;;;;;OAQG;IACU,SAAS,CACpB,SAAS,EAAE,UAAU,EACrB,kBAAkB,EAAE,SAAS,EAC7B,OAAO,EAAE,WAAW,CAAC,iBAAiB,GACrC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAoC7C;;;;;;;OAOG;IACU,WAAW,CACtB,OAAO,EAAE,WAAW,CAAC,aAAa,EAClC,mBAAmB,EAAE,SAAS,EAC9B,OAAO,EAAE,WAAW,CAAC,iBAAiB,GACrC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;CAuD/B;AA+BD;;;;;GAKG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,CAAC,qBAAqB,CAAC,CAE3E"}

package/lib/packlets/crypto-utils/browserCryptoProvider.js

@@ -252,6 +252,21 @@ class BrowserCryptoProvider {
             return ts_utils_1.Failure.with(`Random bytes generation failed: ${message}`);
         }
     }
+    /* c8 ignore stop */
+    /**
+     * Generates a cryptographically random UUIDv4 using the injected
+     * `Crypto` instance.
+     * @returns `Success` with the generated UUID, or `Failure` if the underlying
+     * `Crypto` instance does not expose `randomUUID`.
+     */
+    generateUuid() {
+        /* c8 ignore next 3 - randomUUID is always available in supported runtimes (Node 22+, modern browsers) */
+        if (typeof this._crypto.randomUUID !== 'function') {
+            return ts_utils_1.Failure.with('Crypto instance does not expose randomUUID');
+        }
+        return (0, ts_utils_1.captureResult)(() => this._crypto.randomUUID());
+    }
+    /* c8 ignore start - browser-only methods continue */
     /**
      * Encodes binary data to base64 string.
      * @param data - Binary data to encode

package/lib/packlets/crypto-utils/browserCryptoProvider.js.map

@@ -1 +1 @@
-{"version":3,"file":"browserCryptoProvider.js","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/browserCryptoProvider.ts"],"names":[],"mappings":";AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;;;AAgiBZ,kEAEC;AAhiBD,4CAA2G;AAC3G,8CAA6C;AAE7C,sGAAsG;AACtG;;;;GAIG;AACH,SAAS,aAAa,CAAC,GAAe;IACpC,mGAAmG;IACnG,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,MAAM,CAAC;AAChB,CAAC;AACD,oBAAoB;AAEpB;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CAAC,GAAe;IACnC,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAa,qBAAqB;IAGhC,6FAA6F;IAC7F;;;OAGG;IACH,YAAmB,SAAkB;QACnC,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QAC3B,CAAC;aAAM,IAAI,OAAO,UAAU,KAAK,WAAW,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;YAClE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAC1D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,SAAiB,EAAE,GAAe;QACrD,IAAI,GAAG,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC1D,OAAO,kBAAO,CAAC,IAAI,CAAC,eAAe,uBAAW,CAAC,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QAED,IAAI,CAAC;YACH,qBAAqB;YACrB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,uBAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;YAE3F,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,aAAa,CAAC,GAAG,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YAEF,4BAA4B;YAC5B,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAEjD,sDAAsD;YACtD,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CACxD;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,EAAE;gBACN,SAAS,EAAE,uBAAW,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,OAAO;aAC/D,EACD,SAAS,EACT,cAAc,CACf,CAAC;YAEF,4DAA4D;YAC5D,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAAC;YACxD,MAAM,aAAa,GAAG,cAAc,CAAC,KAAK,CACxC,CAAC,EACD,cAAc,CAAC,MAAM,GAAG,uBAAW,CAAC,SAAS,CAAC,iBAAiB,CAChE,CAAC;YACF,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,uBAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;YACtG,OAAO,kBAAO,CAAC,IAAI,CAAC;gBAClB,EAAE;gBACF,OAAO;gBACP,aAAa;aACd,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAClB,aAAyB,EACzB,GAAe,EACf,EAAc,EACd,OAAmB;QAEnB,IAAI,GAAG,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC1D,OAAO,kBAAO,CAAC,IAAI,CAAC,eAAe,uBAAW,CAAC,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QACD,IAAI,EAAE,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACpD,OAAO,kBAAO,CAAC,IAAI,CAAC,cAAc,uBAAW,CAAC,SAAS,CAAC,WAAW,eAAe,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;QACjG,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC/D,OAAO,kBAAO,CAAC,IAAI,CACjB,oBAAoB,uBAAW,CAAC,SAAS,CAAC,iBAAiB,eAAe,OAAO,CAAC,MAAM,EAAE,CAC3F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,aAAa,CAAC,GAAG,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YAEF,wDAAwD;YACxD,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/E,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACpC,gBAAgB,CAAC,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;YAEpD,UAAU;YACV,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CACjD;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC;gBACrB,SAAS,EAAE,uBAAW,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,OAAO;aAC/D,EACD,SAAS,EACT,gBAAgB,CACjB,CAAC;YAEF,mBAAmB;YACnB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,OAAO,kBAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW;QACtB,IAAI,CAAC;YACH,OAAO,kBAAO,CAAC,IAAI,CACjB,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,uBAAW,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CACrF,CAAC;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,SAAS,CACpB,QAAgB,EAChB,IAAgB,EAChB,UAAkB;QAElB,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,OAAO,kBAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,kBAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,CAAC;YACH,kBAAkB;YAClB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAE/C,kCAAkC;YAClC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE;gBAC7F,YAAY;aACb,CAAC,CAAC;YAEH,kBAAkB;YAClB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CACtD;gBACE,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC;gBACzB,UAAU,EAAE,UAAU;gBACtB,IAAI,EAAE,SAAS;aAChB,EACD,WAAW,EACX,uBAAW,CAAC,SAAS,CAAC,gBAAgB,GAAG,CAAC,CAAC,OAAO;aACnD,CAAC;YAEF,OAAO,kBAAO,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,IAAY;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;YAC3E,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;YAC7C,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;iBAClC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;iBAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;YACZ,OAAO,IAAA,kBAAO,EAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,IAAA,eAAI,EAAC,wBAAwB,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,2BAA2B;IAC3B,+EAA+E;IAE/E;;;;OAIG;IACI,mBAAmB,CAAC,MAAc;QACvC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,OAAO,kBAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,OAAO,kBAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,QAAQ,CAAC,IAAgB;QAC9B,sDAAsD;QACtD,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACI,UAAU,CAAC,MAAc;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC;YACD,OAAO,kBAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,kBAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,4BAA4B;IAC5B,+EAA+E;IAE/E;;;;;OAKG;IACI,KAAK,CAAC,eAAe,CAC1B,SAAuC,EACvC,WAAoB;QAEpB,MAAM,MAAM,GAAG,uBAAW,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,6EAA6E;QAC7E,4EAA4E;QAC5E,6EAA6E;QAC7E,kEAAkE;QAClE,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACrD,MAAM,CAAC,WAAkC,EACzC,WAAW,EACX,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,CAC1B,CAAC;YACF,IAAI,YAAY,IAAI,SAAS,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;gBAC1D,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,4FAA4F;YAC5F,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,2CAA2C,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,SAAS,aAAa,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IAED;;;;;;;;;OASG;IACI,KAAK,CAAC,kBAAkB,CAAC,SAAoB;QAClD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,kBAAO,CAAC,IAAI,CAAC,wDAAwD,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC;QAC/F,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uCAAuC,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,kBAAkB,CAC7B,GAAe,EACf,SAAuC;QAEvC,MAAM,MAAM,GAAG,uBAAW,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,GAAG,EAAE,CAC3C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAChG,CAAC;QACF,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,SAAS,yBAAyB,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,oBAAoB;IAEpB;;;;;;;;OAQG;IACI,KAAK,CAAC,SAAS,CACpB,SAAqB,EACrB,kBAA6B,EAC7B,OAAsC;QAEtC,MAAM,cAAc,GAAG,aAAa,CAAC,kBAAkB,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;QAC3F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,kBAAO,CAAC,IAAI,CAAC,qBAAqB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE;gBACvF,WAAW;aACZ,CAAC,CAAkB,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAC5C,SAAS,CAAC,UAAU,EACpB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EACrG,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,uBAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;YAC9F,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;YACrG,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;YAC9E,OAAO;gBACL,kBAAkB;gBAClB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC3B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;aACjD,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,WAAW,CACtB,OAAkC,EAClC,mBAA8B,EAC9B,OAAsC;QAEtC,MAAM,cAAc,GAAG,aAAa,CAAC,mBAAmB,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;QAC9F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,kBAAO,CAAC,IAAI,CAAC,uBAAuB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC;YAC5B,OAAO,kBAAO,CAAC,IAAI,CAAC,8BAA8B,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACnE,OAAO,kBAAO,CAAC,IAAI,CACjB,qCAAqC,uBAAW,CAAC,SAAS,CAAC,WAAW,eAAe,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,CACjH,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,gBAAgB,CAAC,SAAS,EAAE,EAAE,CAAC;YACjC,OAAO,kBAAO,CAAC,IAAI,CAAC,mCAAmC,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,uBAAW,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC5E,OAAO,kBAAO,CAAC,IAAI,CACjB,mDAAmD,uBAAW,CAAC,SAAS,CAAC,iBAAiB,eAAe,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,CAC1I,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,KAAK,IAAI,EAAE;YACjD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,SAAS,CACzC,KAAK,EACL,OAAO,CAAC,kBAAkB,EAC1B,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,EAAE,CACH,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,EACtC,mBAAmB,EACnB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EACrG,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAChC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,YAAY,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EACxD,OAAO,EACP,YAAY,CAAC,gBAAgB,CAAC,KAAK,CAAC,CACrC,CAAC;YACF,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;CACF;AA7cD,sDA6cC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,aAAa,CAAC,GAAc,EAAE,OAA6B,EAAE,KAAa;IACjF,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO,kBAAO,CAAC,IAAI,CAAC,GAAG,KAAK,uCAAuC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,CAAC;IAC7F,CAAC;IACD,MAAM,UAAU,GAAI,GAAG,CAAC,SAA4B,CAAC,UAAU,CAAC;IAChE,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,kBAAO,CAAC,IAAI,CAAC,GAAG,KAAK,mCAAmC,UAAU,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,kBAAO,CAAC,IAAI,CAAC,GAAG,KAAK,cAAc,OAAO,oBAAoB,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,IAAA,kBAAO,EAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED,4FAA4F;AAC5F;;;;;GAKG;AACH,SAAgB,2BAA2B;IACzC,OAAO,IAAA,wBAAa,EAAC,GAAG,EAAE,CAAC,IAAI,qBAAqB,EAAE,CAAC,CAAC;AAC1D,CAAC;AACD,oBAAoB","sourcesContent":["// Copyright (c) 2024 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport { captureAsyncResult, captureResult, fail, Failure, Result, succeed, Success } from '@fgv/ts-utils';\nimport { CryptoUtils } from '@fgv/ts-extras';\n\n/* c8 ignore start - Used only by browser-only methods that cannot be tested in Node.js environment */\n/**\n * Extracts an `ArrayBuffer` from a Uint8Array, handling the potential SharedArrayBuffer case.\n * @param arr - The Uint8Array to extract from\n * @returns An `ArrayBuffer` containing a copy of the data.\n */\nfunction toArrayBuffer(arr: Uint8Array): ArrayBuffer {\n  // Create a new ArrayBuffer and copy the data - this handles both ArrayBuffer and SharedArrayBuffer\n  const buffer = new ArrayBuffer(arr.byteLength);\n  new Uint8Array(buffer).set(arr);\n  return buffer;\n}\n/* c8 ignore stop */\n\n/**\n * Returns a fresh Uint8Array view over a non-shared ArrayBuffer copy of `arr`.\n * Used by {@link BrowserCryptoProvider.wrapBytes | wrapBytes} and\n * {@link BrowserCryptoProvider.unwrapBytes | unwrapBytes}: Node 20's\n * webcrypto.subtle rejects raw `ArrayBuffer` for several `BufferSource`\n * parameters with \"is not instance of ArrayBuffer, Buffer, TypedArray, or\n * DataView\" even though `ArrayBuffer` should be valid per the spec; a\n * TypedArray view is accepted on Node 20+ and on browsers, and the explicit\n * `Uint8Array<ArrayBuffer>` return type also satisfies TypeScript's `BufferSource`\n * (which excludes the `SharedArrayBuffer` branch of `Uint8Array`'s buffer type).\n */\nfunction toBufferView(arr: Uint8Array): Uint8Array<ArrayBuffer> {\n  const buffer = new ArrayBuffer(arr.byteLength);\n  const view = new Uint8Array(buffer);\n  view.set(arr);\n  return view;\n}\n\n/**\n * Browser implementation of `ICryptoProvider` using the Web Crypto API.\n * Uses AES-256-GCM for authenticated encryption.\n *\n * Note: This provider requires a browser environment with Web Crypto API support.\n * In Node.js 15+, Web Crypto is available via globalThis.crypto or require('crypto').webcrypto.\n *\n * @public\n */\nexport class BrowserCryptoProvider implements CryptoUtils.ICryptoProvider {\n  private readonly _crypto: Crypto;\n\n  /* c8 ignore start - Existing browser-only methods cannot be tested in Node.js environment */\n  /**\n   * Creates a new {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider}.\n   * @param cryptoApi - Optional Crypto instance (defaults to globalThis.crypto)\n   */\n  public constructor(cryptoApi?: Crypto) {\n    if (cryptoApi) {\n      this._crypto = cryptoApi;\n    } else if (typeof globalThis !== 'undefined' && globalThis.crypto) {\n      this._crypto = globalThis.crypto;\n    } else if (typeof window !== 'undefined' && window.crypto) {\n      this._crypto = window.crypto;\n    } else {\n      throw new Error('Web Crypto API not available');\n    }\n  }\n\n  /**\n   * Encrypts plaintext using AES-256-GCM.\n   * @param plaintext - UTF-8 string to encrypt\n   * @param key - 32-byte encryption key\n   * @returns `Success` with encryption result, or `Failure` with an error.\n   */\n  public async encrypt(plaintext: string, key: Uint8Array): Promise<Result<CryptoUtils.IEncryptionResult>> {\n    if (key.length !== CryptoUtils.Constants.AES_256_KEY_SIZE) {\n      return Failure.with(`Key must be ${CryptoUtils.Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n\n    try {\n      // Generate random IV\n      const iv = this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.GCM_IV_SIZE));\n\n      // Import the key\n      const cryptoKey = await this._crypto.subtle.importKey(\n        'raw',\n        toArrayBuffer(key),\n        { name: 'AES-GCM' },\n        false,\n        ['encrypt']\n      );\n\n      // Encode plaintext to bytes\n      const encoder = new TextEncoder();\n      const plaintextBytes = encoder.encode(plaintext);\n\n      // Encrypt (Web Crypto appends auth tag to ciphertext)\n      const encryptedWithTag = await this._crypto.subtle.encrypt(\n        {\n          name: 'AES-GCM',\n          iv: iv,\n          tagLength: CryptoUtils.Constants.GCM_AUTH_TAG_SIZE * 8 // bits\n        },\n        cryptoKey,\n        plaintextBytes\n      );\n\n      // Split ciphertext and auth tag (auth tag is last 16 bytes)\n      const encryptedArray = new Uint8Array(encryptedWithTag);\n      const encryptedData = encryptedArray.slice(\n        0,\n        encryptedArray.length - CryptoUtils.Constants.GCM_AUTH_TAG_SIZE\n      );\n      const authTag = encryptedArray.slice(encryptedArray.length - CryptoUtils.Constants.GCM_AUTH_TAG_SIZE);\n      return Success.with({\n        iv,\n        authTag,\n        encryptedData\n      });\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Encryption failed: ${message}`);\n    }\n  }\n\n  /**\n   * Decrypts ciphertext using AES-256-GCM.\n   * @param encryptedData - Encrypted bytes\n   * @param key - 32-byte decryption key\n   * @param iv - Initialization vector (12 bytes)\n   * @param authTag - GCM authentication tag (16 bytes)\n   * @returns `Success` with decrypted UTF-8 string, or `Failure` with an error.\n   */\n  public async decrypt(\n    encryptedData: Uint8Array,\n    key: Uint8Array,\n    iv: Uint8Array,\n    authTag: Uint8Array\n  ): Promise<Result<string>> {\n    if (key.length !== CryptoUtils.Constants.AES_256_KEY_SIZE) {\n      return Failure.with(`Key must be ${CryptoUtils.Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n    if (iv.length !== CryptoUtils.Constants.GCM_IV_SIZE) {\n      return Failure.with(`IV must be ${CryptoUtils.Constants.GCM_IV_SIZE} bytes, got ${iv.length}`);\n    }\n    if (authTag.length !== CryptoUtils.Constants.GCM_AUTH_TAG_SIZE) {\n      return Failure.with(\n        `Auth tag must be ${CryptoUtils.Constants.GCM_AUTH_TAG_SIZE} bytes, got ${authTag.length}`\n      );\n    }\n\n    try {\n      // Import the key\n      const cryptoKey = await this._crypto.subtle.importKey(\n        'raw',\n        toArrayBuffer(key),\n        { name: 'AES-GCM' },\n        false,\n        ['decrypt']\n      );\n\n      // Web Crypto expects ciphertext + auth tag concatenated\n      const encryptedWithTag = new Uint8Array(encryptedData.length + authTag.length);\n      encryptedWithTag.set(encryptedData);\n      encryptedWithTag.set(authTag, encryptedData.length);\n\n      // Decrypt\n      const decrypted = await this._crypto.subtle.decrypt(\n        {\n          name: 'AES-GCM',\n          iv: toArrayBuffer(iv),\n          tagLength: CryptoUtils.Constants.GCM_AUTH_TAG_SIZE * 8 // bits\n        },\n        cryptoKey,\n        encryptedWithTag\n      );\n\n      // Decode to string\n      const decoder = new TextDecoder();\n      return Success.with(decoder.decode(decrypted));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Decryption failed: ${message}`);\n    }\n  }\n\n  /**\n   * Generates a random 32-byte key suitable for AES-256.\n   * @returns Success with generated key, or Failure with error\n   */\n  public async generateKey(): Promise<Result<Uint8Array>> {\n    try {\n      return Success.with(\n        this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.AES_256_KEY_SIZE))\n      );\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Key generation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Derives a key from a password using PBKDF2.\n   * @param password - Password string\n   * @param salt - Salt bytes (should be at least 16 bytes)\n   * @param iterations - Number of iterations (recommend 100000+)\n   * @returns Success with derived 32-byte key, or Failure with error\n   */\n  public async deriveKey(\n    password: string,\n    salt: Uint8Array,\n    iterations: number\n  ): Promise<Result<Uint8Array>> {\n    if (iterations < 1) {\n      return Failure.with('Iterations must be at least 1');\n    }\n    if (salt.length < 8) {\n      return Failure.with('Salt should be at least 8 bytes');\n    }\n\n    try {\n      // Encode password\n      const encoder = new TextEncoder();\n      const passwordBytes = encoder.encode(password);\n\n      // Import password as key material\n      const keyMaterial = await this._crypto.subtle.importKey('raw', passwordBytes, 'PBKDF2', false, [\n        'deriveBits'\n      ]);\n\n      // Derive key bits\n      const derivedBits = await this._crypto.subtle.deriveBits(\n        {\n          name: 'PBKDF2',\n          salt: toArrayBuffer(salt),\n          iterations: iterations,\n          hash: 'SHA-256'\n        },\n        keyMaterial,\n        CryptoUtils.Constants.AES_256_KEY_SIZE * 8 // bits\n      );\n\n      return Success.with(new Uint8Array(derivedBits));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Key derivation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Computes a SHA-256 hash of the given data.\n   * @param data - UTF-8 string to hash\n   * @returns `Success` with hex-encoded hash string, or `Failure` with an error.\n   */\n  public async sha256(data: string): Promise<Result<string>> {\n    try {\n      const encoder = new TextEncoder();\n      const dataBuffer = encoder.encode(data);\n      const hashBuffer = await this._crypto.subtle.digest('SHA-256', dataBuffer);\n      const hashArray = new Uint8Array(hashBuffer);\n      const hashHex = Array.from(hashArray)\n        .map((b) => b.toString(16).padStart(2, '0'))\n        .join('');\n      return succeed(hashHex);\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return fail(`SHA-256 hash failed: ${message}`);\n    }\n  }\n\n  // ============================================================================\n  // Platform Utility Methods\n  // ============================================================================\n\n  /**\n   * Generates cryptographically secure random bytes.\n   * @param length - Number of bytes to generate\n   * @returns Success with random bytes, or Failure with error\n   */\n  public generateRandomBytes(length: number): Result<Uint8Array> {\n    if (length < 1) {\n      return Failure.with('Length must be at least 1');\n    }\n    try {\n      return Success.with(this._crypto.getRandomValues(new Uint8Array(length)));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Random bytes generation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Encodes binary data to base64 string.\n   * @param data - Binary data to encode\n   * @returns Base64-encoded string\n   */\n  public toBase64(data: Uint8Array): string {\n    // Convert Uint8Array to binary string, then to base64\n    let binary = '';\n    for (let i = 0; i < data.length; i++) {\n      binary += String.fromCharCode(data[i]);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Decodes base64 string to binary data.\n   * @param base64 - Base64-encoded string\n   * @returns Success with decoded bytes, or Failure if invalid base64\n   */\n  public fromBase64(base64: string): Result<Uint8Array> {\n    try {\n      const binary = atob(base64);\n      const bytes = new Uint8Array(binary.length);\n      for (let i = 0; i < binary.length; i++) {\n        bytes[i] = binary.charCodeAt(i);\n      }\n      return Success.with(bytes);\n    } catch (e) {\n      return Failure.with('Invalid base64 string');\n    }\n  }\n\n  // ============================================================================\n  // Asymmetric Key Operations\n  // ============================================================================\n\n  /**\n   * Generates a new asymmetric keypair via Web Crypto.\n   * @param algorithm - The algorithm to use.\n   * @param extractable - Whether the resulting keys may be exported.\n   * @returns `Success` with the generated `CryptoKeyPair`, or `Failure` with an error.\n   */\n  public async generateKeyPair(\n    algorithm: CryptoUtils.KeyPairAlgorithm,\n    extractable: boolean\n  ): Promise<Result<CryptoKeyPair>> {\n    const params = CryptoUtils.keyPairAlgorithmParams[algorithm];\n    // Widening upcast to `AlgorithmIdentifier` steers TS to subtle.generateKey's\n    // broad overload, which accepts the Ed25519 `{ name: 'Ed25519' }` shape and\n    // returns `CryptoKey | CryptoKeyPair`. The narrowing back to `CryptoKeyPair`\n    // is a runtime check via the `in` operator, not a type assertion.\n    const result = await captureAsyncResult(async () => {\n      const generated = await this._crypto.subtle.generateKey(\n        params.generateKey as AlgorithmIdentifier,\n        extractable,\n        [...params.keyPairUsages]\n      );\n      if ('privateKey' in generated && 'publicKey' in generated) {\n        return generated;\n      }\n      /* c8 ignore next - unreachable: every entry in keyPairAlgorithmParams produces a keypair */\n      throw new Error(`${algorithm} unexpectedly produced a single CryptoKey`);\n    });\n    return result.withErrorFormat((e) => `Failed to generate ${algorithm} keypair: ${e}`);\n  }\n\n  /**\n   * Exports a public `CryptoKey` as a JSON Web Key.\n   * @remarks\n   * Rejects non-public keys at runtime. WebCrypto's `exportKey('jwk', ...)`\n   * does not enforce public-vs-private; without this guard a caller that\n   * passed an extractable private key would receive its private fields\n   * (`d`, `p`, `q`, ...) as JWK, defeating the method's name.\n   * @param publicKey - Extractable public key to export.\n   * @returns `Success` with the JWK, or `Failure` if not a public key or if export fails.\n   */\n  public async exportPublicKeyJwk(publicKey: CryptoKey): Promise<Result<JsonWebKey>> {\n    if (publicKey.type !== 'public') {\n      return Failure.with(`exportPublicKeyJwk requires a public CryptoKey, got '${publicKey.type}'`);\n    }\n    const result = await captureAsyncResult(() => this._crypto.subtle.exportKey('jwk', publicKey));\n    return result.withErrorFormat((e) => `Failed to export public key as JWK: ${e}`);\n  }\n\n  /**\n   * Imports a public-key JWK as a `CryptoKey` for the requested algorithm.\n   * @param jwk - The JSON Web Key produced by a prior export.\n   * @param algorithm - The algorithm the key was generated for.\n   * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.\n   */\n  public async importPublicKeyJwk(\n    jwk: JsonWebKey,\n    algorithm: CryptoUtils.KeyPairAlgorithm\n  ): Promise<Result<CryptoKey>> {\n    const params = CryptoUtils.keyPairAlgorithmParams[algorithm];\n    const result = await captureAsyncResult(() =>\n      this._crypto.subtle.importKey('jwk', jwk, params.importPublicKey, true, params.publicKeyUsages)\n    );\n    return result.withErrorFormat((e) => `Failed to import ${algorithm} public key from JWK: ${e}`);\n  }\n  /* c8 ignore stop */\n\n  /**\n   * Wraps `plaintext` for the holder of `recipientPublicKey` using\n   * ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See\n   * {@link CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes}.\n   * @param plaintext - The bytes to wrap.\n   * @param recipientPublicKey - The recipient's ECDH P-256 public `CryptoKey`.\n   * @param options - HKDF salt and info; see {@link CryptoUtils.IWrapBytesOptions | IWrapBytesOptions}.\n   * @returns `Success` with the wrapped payload, or `Failure` with an error.\n   */\n  public async wrapBytes(\n    plaintext: Uint8Array,\n    recipientPublicKey: CryptoKey,\n    options: CryptoUtils.IWrapBytesOptions\n  ): Promise<Result<CryptoUtils.IWrappedBytes>> {\n    const recipientCheck = checkEcdhP256(recipientPublicKey, 'public', 'recipient public key');\n    if (recipientCheck.isFailure()) {\n      return Failure.with(`wrapBytes failed: ${recipientCheck.message}`);\n    }\n    const subtle = this._crypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeral = (await subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, true, [\n        'deriveKey'\n      ])) as CryptoKeyPair;\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: recipientPublicKey },\n        ephemeral.privateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: toBufferView(options.salt), info: toBufferView(options.info), hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['encrypt']\n      );\n      const nonce = this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.GCM_IV_SIZE));\n      const ctBuf = await subtle.encrypt({ name: 'AES-GCM', iv: nonce }, wrapKey, toBufferView(plaintext));\n      const ephemeralPublicKey = await subtle.exportKey('jwk', ephemeral.publicKey);\n      return {\n        ephemeralPublicKey,\n        nonce: this.toBase64(nonce),\n        ciphertext: this.toBase64(new Uint8Array(ctBuf))\n      };\n    });\n    return result.withErrorFormat((e) => `wrapBytes failed: ${e}`);\n  }\n\n  /**\n   * Unwraps a payload produced by `wrapBytes` using the recipient's private\n   * key. See {@link CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes}.\n   * @param wrapped - The wrapped payload.\n   * @param recipientPrivateKey - The recipient's ECDH P-256 private `CryptoKey`.\n   * @param options - HKDF salt and info matching the wrap call.\n   * @returns `Success` with the original `plaintext`, or `Failure` with an error.\n   */\n  public async unwrapBytes(\n    wrapped: CryptoUtils.IWrappedBytes,\n    recipientPrivateKey: CryptoKey,\n    options: CryptoUtils.IWrapBytesOptions\n  ): Promise<Result<Uint8Array>> {\n    const recipientCheck = checkEcdhP256(recipientPrivateKey, 'private', 'recipient private key');\n    if (recipientCheck.isFailure()) {\n      return Failure.with(`unwrapBytes failed: ${recipientCheck.message}`);\n    }\n    const nonceResult = this.fromBase64(wrapped.nonce);\n    if (nonceResult.isFailure()) {\n      return Failure.with(`unwrapBytes failed: nonce: ${nonceResult.message}`);\n    }\n    if (nonceResult.value.length !== CryptoUtils.Constants.GCM_IV_SIZE) {\n      return Failure.with(\n        `unwrapBytes failed: nonce must be ${CryptoUtils.Constants.GCM_IV_SIZE} bytes (got ${nonceResult.value.length})`\n      );\n    }\n    const ciphertextResult = this.fromBase64(wrapped.ciphertext);\n    if (ciphertextResult.isFailure()) {\n      return Failure.with(`unwrapBytes failed: ciphertext: ${ciphertextResult.message}`);\n    }\n    if (ciphertextResult.value.length < CryptoUtils.Constants.GCM_AUTH_TAG_SIZE) {\n      return Failure.with(\n        `unwrapBytes failed: ciphertext must be at least ${CryptoUtils.Constants.GCM_AUTH_TAG_SIZE} bytes (got ${ciphertextResult.value.length})`\n      );\n    }\n    const subtle = this._crypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeralPub = await subtle.importKey(\n        'jwk',\n        wrapped.ephemeralPublicKey,\n        { name: 'ECDH', namedCurve: 'P-256' },\n        false,\n        []\n      );\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: ephemeralPub },\n        recipientPrivateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: toBufferView(options.salt), info: toBufferView(options.info), hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['decrypt']\n      );\n      const ptBuf = await subtle.decrypt(\n        { name: 'AES-GCM', iv: toBufferView(nonceResult.value) },\n        wrapKey,\n        toBufferView(ciphertextResult.value)\n      );\n      return new Uint8Array(ptBuf);\n    });\n    return result.withErrorFormat((e) => `unwrapBytes failed: ${e}`);\n  }\n}\n\n/**\n * Verifies that `key` is an ECDH P-256 `CryptoKey` of the expected `keyType`\n * (public or private). Used by the wrap/unwrap methods to surface a clean\n * `Failure` instead of letting the WebCrypto deriveKey call throw a less\n * informative error later in the pipeline. Key usages are intentionally not\n * checked here: WebCrypto already produces a specific error if `deriveKey` is\n * not in `usages`, and `deriveBits` is an equally valid alternative usage that\n * an explicit check would have to track.\n * @param key - The CryptoKey to validate.\n * @param keyType - The required `key.type` ('public' for wrap, 'private' for unwrap).\n * @param label - Human-readable role label included in the failure message.\n * @returns `Success` with the key (unchanged) when the algorithm, curve, and\n * type all match; otherwise `Failure` with `<label> must be ECDH P-256 (...)`.\n */\nfunction checkEcdhP256(key: CryptoKey, keyType: 'public' | 'private', label: string): Result<CryptoKey> {\n  if (key.algorithm.name !== 'ECDH') {\n    return Failure.with(`${label} must be ECDH P-256 (got algorithm '${key.algorithm.name}')`);\n  }\n  const namedCurve = (key.algorithm as EcKeyAlgorithm).namedCurve;\n  if (namedCurve !== 'P-256') {\n    return Failure.with(`${label} must be ECDH P-256 (got curve '${namedCurve}')`);\n  }\n  if (key.type !== keyType) {\n    return Failure.with(`${label} must be a ${keyType} CryptoKey (got '${key.type}')`);\n  }\n  return succeed(key);\n}\n\n/* c8 ignore start - Constructs a provider; only meaningful in a real browser environment */\n/**\n * Creates a {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider} if Web\n * Crypto API is available.\n * @returns `Success` with provider, or `Failure` if not available\n * @public\n */\nexport function createBrowserCryptoProvider(): Result<BrowserCryptoProvider> {\n  return captureResult(() => new BrowserCryptoProvider());\n}\n/* c8 ignore stop */\n"]}
+{"version":3,"file":"browserCryptoProvider.js","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/browserCryptoProvider.ts"],"names":[],"mappings":";AAAA,kCAAkC;AAClC,EAAE;AACF,+EAA+E;AAC/E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AACxE,2DAA2D;AAC3D,EAAE;AACF,iFAAiF;AACjF,kDAAkD;AAClD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,gFAAgF;AAChF,gFAAgF;AAChF,YAAY;;;AA0jBZ,kEAEC;AA1jBD,4CASuB;AACvB,8CAA6C;AAE7C,sGAAsG;AACtG;;;;GAIG;AACH,SAAS,aAAa,CAAC,GAAe;IACpC,mGAAmG;IACnG,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,MAAM,CAAC;AAChB,CAAC;AACD,oBAAoB;AAEpB;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CAAC,GAAe;IACnC,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAa,qBAAqB;IAGhC,6FAA6F;IAC7F;;;OAGG;IACH,YAAmB,SAAkB;QACnC,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QAC3B,CAAC;aAAM,IAAI,OAAO,UAAU,KAAK,WAAW,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;YAClE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAC1D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,SAAiB,EAAE,GAAe;QACrD,IAAI,GAAG,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC1D,OAAO,kBAAO,CAAC,IAAI,CAAC,eAAe,uBAAW,CAAC,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QAED,IAAI,CAAC;YACH,qBAAqB;YACrB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,uBAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;YAE3F,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,aAAa,CAAC,GAAG,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YAEF,4BAA4B;YAC5B,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAEjD,sDAAsD;YACtD,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CACxD;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,EAAE;gBACN,SAAS,EAAE,uBAAW,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,OAAO;aAC/D,EACD,SAAS,EACT,cAAc,CACf,CAAC;YAEF,4DAA4D;YAC5D,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAAC;YACxD,MAAM,aAAa,GAAG,cAAc,CAAC,KAAK,CACxC,CAAC,EACD,cAAc,CAAC,MAAM,GAAG,uBAAW,CAAC,SAAS,CAAC,iBAAiB,CAChE,CAAC;YACF,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,uBAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;YACtG,OAAO,kBAAO,CAAC,IAAI,CAAC;gBAClB,EAAE;gBACF,OAAO;gBACP,aAAa;aACd,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAClB,aAAyB,EACzB,GAAe,EACf,EAAc,EACd,OAAmB;QAEnB,IAAI,GAAG,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;YAC1D,OAAO,kBAAO,CAAC,IAAI,CAAC,eAAe,uBAAW,CAAC,SAAS,CAAC,gBAAgB,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QACD,IAAI,EAAE,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACpD,OAAO,kBAAO,CAAC,IAAI,CAAC,cAAc,uBAAW,CAAC,SAAS,CAAC,WAAW,eAAe,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;QACjG,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC/D,OAAO,kBAAO,CAAC,IAAI,CACjB,oBAAoB,uBAAW,CAAC,SAAS,CAAC,iBAAiB,eAAe,OAAO,CAAC,MAAM,EAAE,CAC3F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,aAAa,CAAC,GAAG,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YAEF,wDAAwD;YACxD,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/E,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACpC,gBAAgB,CAAC,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;YAEpD,UAAU;YACV,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CACjD;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC;gBACrB,SAAS,EAAE,uBAAW,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,OAAO;aAC/D,EACD,SAAS,EACT,gBAAgB,CACjB,CAAC;YAEF,mBAAmB;YACnB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,OAAO,kBAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW;QACtB,IAAI,CAAC;YACH,OAAO,kBAAO,CAAC,IAAI,CACjB,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,uBAAW,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CACrF,CAAC;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,SAAS,CACpB,QAAgB,EAChB,IAAgB,EAChB,UAAkB;QAElB,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,OAAO,kBAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,kBAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,CAAC;YACH,kBAAkB;YAClB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAE/C,kCAAkC;YAClC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE;gBAC7F,YAAY;aACb,CAAC,CAAC;YAEH,kBAAkB;YAClB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CACtD;gBACE,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC;gBACzB,UAAU,EAAE,UAAU;gBACtB,IAAI,EAAE,SAAS;aAChB,EACD,WAAW,EACX,uBAAW,CAAC,SAAS,CAAC,gBAAgB,GAAG,CAAC,CAAC,OAAO;aACnD,CAAC;YAEF,OAAO,kBAAO,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,IAAY;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;YAC3E,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;YAC7C,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;iBAClC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;iBAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;YACZ,OAAO,IAAA,kBAAO,EAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,IAAA,eAAI,EAAC,wBAAwB,OAAO,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,2BAA2B;IAC3B,+EAA+E;IAE/E;;;;OAIG;IACI,mBAAmB,CAAC,MAAc;QACvC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,OAAO,kBAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,OAAO,kBAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,OAAO,kBAAO,CAAC,IAAI,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IACD,oBAAoB;IAEpB;;;;;OAKG;IACI,YAAY;QACjB,yGAAyG;QACzG,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YAClD,OAAO,kBAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,IAAA,wBAAa,EAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAU,CAAC,CAAC;IAChE,CAAC;IAED,qDAAqD;IAErD;;;;OAIG;IACI,QAAQ,CAAC,IAAgB;QAC9B,sDAAsD;QACtD,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACI,UAAU,CAAC,MAAc;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC;YACD,OAAO,kBAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,kBAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,4BAA4B;IAC5B,+EAA+E;IAE/E;;;;;OAKG;IACI,KAAK,CAAC,eAAe,CAC1B,SAAuC,EACvC,WAAoB;QAEpB,MAAM,MAAM,GAAG,uBAAW,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,6EAA6E;QAC7E,4EAA4E;QAC5E,6EAA6E;QAC7E,kEAAkE;QAClE,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACrD,MAAM,CAAC,WAAkC,EACzC,WAAW,EACX,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,CAC1B,CAAC;YACF,IAAI,YAAY,IAAI,SAAS,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;gBAC1D,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,4FAA4F;YAC5F,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,2CAA2C,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,SAAS,aAAa,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IAED;;;;;;;;;OASG;IACI,KAAK,CAAC,kBAAkB,CAAC,SAAoB;QAClD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,kBAAO,CAAC,IAAI,CAAC,wDAAwD,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC;QAC/F,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uCAAuC,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,kBAAkB,CAC7B,GAAe,EACf,SAAuC;QAEvC,MAAM,MAAM,GAAG,uBAAW,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,GAAG,EAAE,CAC3C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAChG,CAAC;QACF,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,SAAS,yBAAyB,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,oBAAoB;IAEpB;;;;;;;;OAQG;IACI,KAAK,CAAC,SAAS,CACpB,SAAqB,EACrB,kBAA6B,EAC7B,OAAsC;QAEtC,MAAM,cAAc,GAAG,aAAa,CAAC,kBAAkB,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;QAC3F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,kBAAO,CAAC,IAAI,CAAC,qBAAqB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,KAAK,IAAI,EAAE;YACjD,MAAM,SAAS,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE;gBACvF,WAAW;aACZ,CAAC,CAAkB,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAC5C,SAAS,CAAC,UAAU,EACpB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EACrG,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,uBAAW,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;YAC9F,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;YACrG,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;YAC9E,OAAO;gBACL,kBAAkB;gBAClB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC3B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;aACjD,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,WAAW,CACtB,OAAkC,EAClC,mBAA8B,EAC9B,OAAsC;QAEtC,MAAM,cAAc,GAAG,aAAa,CAAC,mBAAmB,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;QAC9F,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,CAAC;YAC/B,OAAO,kBAAO,CAAC,IAAI,CAAC,uBAAuB,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC;YAC5B,OAAO,kBAAO,CAAC,IAAI,CAAC,8BAA8B,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,uBAAW,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACnE,OAAO,kBAAO,CAAC,IAAI,CACjB,qCAAqC,uBAAW,CAAC,SAAS,CAAC,WAAW,eAAe,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,CACjH,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,gBAAgB,CAAC,SAAS,EAAE,EAAE,CAAC;YACjC,OAAO,kBAAO,CAAC,IAAI,CAAC,mCAAmC,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,uBAAW,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC5E,OAAO,kBAAO,CAAC,IAAI,CACjB,mDAAmD,uBAAW,CAAC,SAAS,CAAC,iBAAiB,eAAe,gBAAgB,CAAC,KAAK,CAAC,MAAM,GAAG,CAC1I,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAkB,EAAC,KAAK,IAAI,EAAE;YACjD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,SAAS,CACzC,KAAK,EACL,OAAO,CAAC,kBAAkB,EAC1B,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,EAAE,CACH,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CACrC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,EACtC,mBAAmB,EACnB,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,CACpC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EACrG,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,OAAO,CAChC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,YAAY,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EACxD,OAAO,EACP,YAAY,CAAC,gBAAgB,CAAC,KAAK,CAAC,CACrC,CAAC;YACF,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;CACF;AA9dD,sDA8dC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,aAAa,CAAC,GAAc,EAAE,OAA6B,EAAE,KAAa;IACjF,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO,kBAAO,CAAC,IAAI,CAAC,GAAG,KAAK,uCAAuC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,CAAC;IAC7F,CAAC;IACD,MAAM,UAAU,GAAI,GAAG,CAAC,SAA4B,CAAC,UAAU,CAAC;IAChE,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,kBAAO,CAAC,IAAI,CAAC,GAAG,KAAK,mCAAmC,UAAU,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,kBAAO,CAAC,IAAI,CAAC,GAAG,KAAK,cAAc,OAAO,oBAAoB,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,IAAA,kBAAO,EAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED,4FAA4F;AAC5F;;;;;GAKG;AACH,SAAgB,2BAA2B;IACzC,OAAO,IAAA,wBAAa,EAAC,GAAG,EAAE,CAAC,IAAI,qBAAqB,EAAE,CAAC,CAAC;AAC1D,CAAC;AACD,oBAAoB","sourcesContent":["// Copyright (c) 2024 Erik Fortune\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all\n// copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n// SOFTWARE.\n\nimport {\n  captureAsyncResult,\n  captureResult,\n  fail,\n  Failure,\n  Result,\n  succeed,\n  Success,\n  Uuid\n} from '@fgv/ts-utils';\nimport { CryptoUtils } from '@fgv/ts-extras';\n\n/* c8 ignore start - Used only by browser-only methods that cannot be tested in Node.js environment */\n/**\n * Extracts an `ArrayBuffer` from a Uint8Array, handling the potential SharedArrayBuffer case.\n * @param arr - The Uint8Array to extract from\n * @returns An `ArrayBuffer` containing a copy of the data.\n */\nfunction toArrayBuffer(arr: Uint8Array): ArrayBuffer {\n  // Create a new ArrayBuffer and copy the data - this handles both ArrayBuffer and SharedArrayBuffer\n  const buffer = new ArrayBuffer(arr.byteLength);\n  new Uint8Array(buffer).set(arr);\n  return buffer;\n}\n/* c8 ignore stop */\n\n/**\n * Returns a fresh Uint8Array view over a non-shared ArrayBuffer copy of `arr`.\n * Used by {@link BrowserCryptoProvider.wrapBytes | wrapBytes} and\n * {@link BrowserCryptoProvider.unwrapBytes | unwrapBytes}: Node 20's\n * webcrypto.subtle rejects raw `ArrayBuffer` for several `BufferSource`\n * parameters with \"is not instance of ArrayBuffer, Buffer, TypedArray, or\n * DataView\" even though `ArrayBuffer` should be valid per the spec; a\n * TypedArray view is accepted on Node 20+ and on browsers, and the explicit\n * `Uint8Array<ArrayBuffer>` return type also satisfies TypeScript's `BufferSource`\n * (which excludes the `SharedArrayBuffer` branch of `Uint8Array`'s buffer type).\n */\nfunction toBufferView(arr: Uint8Array): Uint8Array<ArrayBuffer> {\n  const buffer = new ArrayBuffer(arr.byteLength);\n  const view = new Uint8Array(buffer);\n  view.set(arr);\n  return view;\n}\n\n/**\n * Browser implementation of `ICryptoProvider` using the Web Crypto API.\n * Uses AES-256-GCM for authenticated encryption.\n *\n * Note: This provider requires a browser environment with Web Crypto API support.\n * In Node.js 15+, Web Crypto is available via globalThis.crypto or require('crypto').webcrypto.\n *\n * @public\n */\nexport class BrowserCryptoProvider implements CryptoUtils.ICryptoProvider {\n  private readonly _crypto: Crypto;\n\n  /* c8 ignore start - Existing browser-only methods cannot be tested in Node.js environment */\n  /**\n   * Creates a new {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider}.\n   * @param cryptoApi - Optional Crypto instance (defaults to globalThis.crypto)\n   */\n  public constructor(cryptoApi?: Crypto) {\n    if (cryptoApi) {\n      this._crypto = cryptoApi;\n    } else if (typeof globalThis !== 'undefined' && globalThis.crypto) {\n      this._crypto = globalThis.crypto;\n    } else if (typeof window !== 'undefined' && window.crypto) {\n      this._crypto = window.crypto;\n    } else {\n      throw new Error('Web Crypto API not available');\n    }\n  }\n\n  /**\n   * Encrypts plaintext using AES-256-GCM.\n   * @param plaintext - UTF-8 string to encrypt\n   * @param key - 32-byte encryption key\n   * @returns `Success` with encryption result, or `Failure` with an error.\n   */\n  public async encrypt(plaintext: string, key: Uint8Array): Promise<Result<CryptoUtils.IEncryptionResult>> {\n    if (key.length !== CryptoUtils.Constants.AES_256_KEY_SIZE) {\n      return Failure.with(`Key must be ${CryptoUtils.Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n\n    try {\n      // Generate random IV\n      const iv = this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.GCM_IV_SIZE));\n\n      // Import the key\n      const cryptoKey = await this._crypto.subtle.importKey(\n        'raw',\n        toArrayBuffer(key),\n        { name: 'AES-GCM' },\n        false,\n        ['encrypt']\n      );\n\n      // Encode plaintext to bytes\n      const encoder = new TextEncoder();\n      const plaintextBytes = encoder.encode(plaintext);\n\n      // Encrypt (Web Crypto appends auth tag to ciphertext)\n      const encryptedWithTag = await this._crypto.subtle.encrypt(\n        {\n          name: 'AES-GCM',\n          iv: iv,\n          tagLength: CryptoUtils.Constants.GCM_AUTH_TAG_SIZE * 8 // bits\n        },\n        cryptoKey,\n        plaintextBytes\n      );\n\n      // Split ciphertext and auth tag (auth tag is last 16 bytes)\n      const encryptedArray = new Uint8Array(encryptedWithTag);\n      const encryptedData = encryptedArray.slice(\n        0,\n        encryptedArray.length - CryptoUtils.Constants.GCM_AUTH_TAG_SIZE\n      );\n      const authTag = encryptedArray.slice(encryptedArray.length - CryptoUtils.Constants.GCM_AUTH_TAG_SIZE);\n      return Success.with({\n        iv,\n        authTag,\n        encryptedData\n      });\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Encryption failed: ${message}`);\n    }\n  }\n\n  /**\n   * Decrypts ciphertext using AES-256-GCM.\n   * @param encryptedData - Encrypted bytes\n   * @param key - 32-byte decryption key\n   * @param iv - Initialization vector (12 bytes)\n   * @param authTag - GCM authentication tag (16 bytes)\n   * @returns `Success` with decrypted UTF-8 string, or `Failure` with an error.\n   */\n  public async decrypt(\n    encryptedData: Uint8Array,\n    key: Uint8Array,\n    iv: Uint8Array,\n    authTag: Uint8Array\n  ): Promise<Result<string>> {\n    if (key.length !== CryptoUtils.Constants.AES_256_KEY_SIZE) {\n      return Failure.with(`Key must be ${CryptoUtils.Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);\n    }\n    if (iv.length !== CryptoUtils.Constants.GCM_IV_SIZE) {\n      return Failure.with(`IV must be ${CryptoUtils.Constants.GCM_IV_SIZE} bytes, got ${iv.length}`);\n    }\n    if (authTag.length !== CryptoUtils.Constants.GCM_AUTH_TAG_SIZE) {\n      return Failure.with(\n        `Auth tag must be ${CryptoUtils.Constants.GCM_AUTH_TAG_SIZE} bytes, got ${authTag.length}`\n      );\n    }\n\n    try {\n      // Import the key\n      const cryptoKey = await this._crypto.subtle.importKey(\n        'raw',\n        toArrayBuffer(key),\n        { name: 'AES-GCM' },\n        false,\n        ['decrypt']\n      );\n\n      // Web Crypto expects ciphertext + auth tag concatenated\n      const encryptedWithTag = new Uint8Array(encryptedData.length + authTag.length);\n      encryptedWithTag.set(encryptedData);\n      encryptedWithTag.set(authTag, encryptedData.length);\n\n      // Decrypt\n      const decrypted = await this._crypto.subtle.decrypt(\n        {\n          name: 'AES-GCM',\n          iv: toArrayBuffer(iv),\n          tagLength: CryptoUtils.Constants.GCM_AUTH_TAG_SIZE * 8 // bits\n        },\n        cryptoKey,\n        encryptedWithTag\n      );\n\n      // Decode to string\n      const decoder = new TextDecoder();\n      return Success.with(decoder.decode(decrypted));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Decryption failed: ${message}`);\n    }\n  }\n\n  /**\n   * Generates a random 32-byte key suitable for AES-256.\n   * @returns Success with generated key, or Failure with error\n   */\n  public async generateKey(): Promise<Result<Uint8Array>> {\n    try {\n      return Success.with(\n        this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.AES_256_KEY_SIZE))\n      );\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Key generation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Derives a key from a password using PBKDF2.\n   * @param password - Password string\n   * @param salt - Salt bytes (should be at least 16 bytes)\n   * @param iterations - Number of iterations (recommend 100000+)\n   * @returns Success with derived 32-byte key, or Failure with error\n   */\n  public async deriveKey(\n    password: string,\n    salt: Uint8Array,\n    iterations: number\n  ): Promise<Result<Uint8Array>> {\n    if (iterations < 1) {\n      return Failure.with('Iterations must be at least 1');\n    }\n    if (salt.length < 8) {\n      return Failure.with('Salt should be at least 8 bytes');\n    }\n\n    try {\n      // Encode password\n      const encoder = new TextEncoder();\n      const passwordBytes = encoder.encode(password);\n\n      // Import password as key material\n      const keyMaterial = await this._crypto.subtle.importKey('raw', passwordBytes, 'PBKDF2', false, [\n        'deriveBits'\n      ]);\n\n      // Derive key bits\n      const derivedBits = await this._crypto.subtle.deriveBits(\n        {\n          name: 'PBKDF2',\n          salt: toArrayBuffer(salt),\n          iterations: iterations,\n          hash: 'SHA-256'\n        },\n        keyMaterial,\n        CryptoUtils.Constants.AES_256_KEY_SIZE * 8 // bits\n      );\n\n      return Success.with(new Uint8Array(derivedBits));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Key derivation failed: ${message}`);\n    }\n  }\n\n  /**\n   * Computes a SHA-256 hash of the given data.\n   * @param data - UTF-8 string to hash\n   * @returns `Success` with hex-encoded hash string, or `Failure` with an error.\n   */\n  public async sha256(data: string): Promise<Result<string>> {\n    try {\n      const encoder = new TextEncoder();\n      const dataBuffer = encoder.encode(data);\n      const hashBuffer = await this._crypto.subtle.digest('SHA-256', dataBuffer);\n      const hashArray = new Uint8Array(hashBuffer);\n      const hashHex = Array.from(hashArray)\n        .map((b) => b.toString(16).padStart(2, '0'))\n        .join('');\n      return succeed(hashHex);\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return fail(`SHA-256 hash failed: ${message}`);\n    }\n  }\n\n  // ============================================================================\n  // Platform Utility Methods\n  // ============================================================================\n\n  /**\n   * Generates cryptographically secure random bytes.\n   * @param length - Number of bytes to generate\n   * @returns Success with random bytes, or Failure with error\n   */\n  public generateRandomBytes(length: number): Result<Uint8Array> {\n    if (length < 1) {\n      return Failure.with('Length must be at least 1');\n    }\n    try {\n      return Success.with(this._crypto.getRandomValues(new Uint8Array(length)));\n    } catch (e) {\n      const message = e instanceof Error ? e.message : String(e);\n      return Failure.with(`Random bytes generation failed: ${message}`);\n    }\n  }\n  /* c8 ignore stop */\n\n  /**\n   * Generates a cryptographically random UUIDv4 using the injected\n   * `Crypto` instance.\n   * @returns `Success` with the generated UUID, or `Failure` if the underlying\n   * `Crypto` instance does not expose `randomUUID`.\n   */\n  public generateUuid(): Result<Uuid> {\n    /* c8 ignore next 3 - randomUUID is always available in supported runtimes (Node 22+, modern browsers) */\n    if (typeof this._crypto.randomUUID !== 'function') {\n      return Failure.with('Crypto instance does not expose randomUUID');\n    }\n    return captureResult(() => this._crypto.randomUUID() as Uuid);\n  }\n\n  /* c8 ignore start - browser-only methods continue */\n\n  /**\n   * Encodes binary data to base64 string.\n   * @param data - Binary data to encode\n   * @returns Base64-encoded string\n   */\n  public toBase64(data: Uint8Array): string {\n    // Convert Uint8Array to binary string, then to base64\n    let binary = '';\n    for (let i = 0; i < data.length; i++) {\n      binary += String.fromCharCode(data[i]);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Decodes base64 string to binary data.\n   * @param base64 - Base64-encoded string\n   * @returns Success with decoded bytes, or Failure if invalid base64\n   */\n  public fromBase64(base64: string): Result<Uint8Array> {\n    try {\n      const binary = atob(base64);\n      const bytes = new Uint8Array(binary.length);\n      for (let i = 0; i < binary.length; i++) {\n        bytes[i] = binary.charCodeAt(i);\n      }\n      return Success.with(bytes);\n    } catch (e) {\n      return Failure.with('Invalid base64 string');\n    }\n  }\n\n  // ============================================================================\n  // Asymmetric Key Operations\n  // ============================================================================\n\n  /**\n   * Generates a new asymmetric keypair via Web Crypto.\n   * @param algorithm - The algorithm to use.\n   * @param extractable - Whether the resulting keys may be exported.\n   * @returns `Success` with the generated `CryptoKeyPair`, or `Failure` with an error.\n   */\n  public async generateKeyPair(\n    algorithm: CryptoUtils.KeyPairAlgorithm,\n    extractable: boolean\n  ): Promise<Result<CryptoKeyPair>> {\n    const params = CryptoUtils.keyPairAlgorithmParams[algorithm];\n    // Widening upcast to `AlgorithmIdentifier` steers TS to subtle.generateKey's\n    // broad overload, which accepts the Ed25519 `{ name: 'Ed25519' }` shape and\n    // returns `CryptoKey | CryptoKeyPair`. The narrowing back to `CryptoKeyPair`\n    // is a runtime check via the `in` operator, not a type assertion.\n    const result = await captureAsyncResult(async () => {\n      const generated = await this._crypto.subtle.generateKey(\n        params.generateKey as AlgorithmIdentifier,\n        extractable,\n        [...params.keyPairUsages]\n      );\n      if ('privateKey' in generated && 'publicKey' in generated) {\n        return generated;\n      }\n      /* c8 ignore next - unreachable: every entry in keyPairAlgorithmParams produces a keypair */\n      throw new Error(`${algorithm} unexpectedly produced a single CryptoKey`);\n    });\n    return result.withErrorFormat((e) => `Failed to generate ${algorithm} keypair: ${e}`);\n  }\n\n  /**\n   * Exports a public `CryptoKey` as a JSON Web Key.\n   * @remarks\n   * Rejects non-public keys at runtime. WebCrypto's `exportKey('jwk', ...)`\n   * does not enforce public-vs-private; without this guard a caller that\n   * passed an extractable private key would receive its private fields\n   * (`d`, `p`, `q`, ...) as JWK, defeating the method's name.\n   * @param publicKey - Extractable public key to export.\n   * @returns `Success` with the JWK, or `Failure` if not a public key or if export fails.\n   */\n  public async exportPublicKeyJwk(publicKey: CryptoKey): Promise<Result<JsonWebKey>> {\n    if (publicKey.type !== 'public') {\n      return Failure.with(`exportPublicKeyJwk requires a public CryptoKey, got '${publicKey.type}'`);\n    }\n    const result = await captureAsyncResult(() => this._crypto.subtle.exportKey('jwk', publicKey));\n    return result.withErrorFormat((e) => `Failed to export public key as JWK: ${e}`);\n  }\n\n  /**\n   * Imports a public-key JWK as a `CryptoKey` for the requested algorithm.\n   * @param jwk - The JSON Web Key produced by a prior export.\n   * @param algorithm - The algorithm the key was generated for.\n   * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.\n   */\n  public async importPublicKeyJwk(\n    jwk: JsonWebKey,\n    algorithm: CryptoUtils.KeyPairAlgorithm\n  ): Promise<Result<CryptoKey>> {\n    const params = CryptoUtils.keyPairAlgorithmParams[algorithm];\n    const result = await captureAsyncResult(() =>\n      this._crypto.subtle.importKey('jwk', jwk, params.importPublicKey, true, params.publicKeyUsages)\n    );\n    return result.withErrorFormat((e) => `Failed to import ${algorithm} public key from JWK: ${e}`);\n  }\n  /* c8 ignore stop */\n\n  /**\n   * Wraps `plaintext` for the holder of `recipientPublicKey` using\n   * ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See\n   * {@link CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes}.\n   * @param plaintext - The bytes to wrap.\n   * @param recipientPublicKey - The recipient's ECDH P-256 public `CryptoKey`.\n   * @param options - HKDF salt and info; see {@link CryptoUtils.IWrapBytesOptions | IWrapBytesOptions}.\n   * @returns `Success` with the wrapped payload, or `Failure` with an error.\n   */\n  public async wrapBytes(\n    plaintext: Uint8Array,\n    recipientPublicKey: CryptoKey,\n    options: CryptoUtils.IWrapBytesOptions\n  ): Promise<Result<CryptoUtils.IWrappedBytes>> {\n    const recipientCheck = checkEcdhP256(recipientPublicKey, 'public', 'recipient public key');\n    if (recipientCheck.isFailure()) {\n      return Failure.with(`wrapBytes failed: ${recipientCheck.message}`);\n    }\n    const subtle = this._crypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeral = (await subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, true, [\n        'deriveKey'\n      ])) as CryptoKeyPair;\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: recipientPublicKey },\n        ephemeral.privateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: toBufferView(options.salt), info: toBufferView(options.info), hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['encrypt']\n      );\n      const nonce = this._crypto.getRandomValues(new Uint8Array(CryptoUtils.Constants.GCM_IV_SIZE));\n      const ctBuf = await subtle.encrypt({ name: 'AES-GCM', iv: nonce }, wrapKey, toBufferView(plaintext));\n      const ephemeralPublicKey = await subtle.exportKey('jwk', ephemeral.publicKey);\n      return {\n        ephemeralPublicKey,\n        nonce: this.toBase64(nonce),\n        ciphertext: this.toBase64(new Uint8Array(ctBuf))\n      };\n    });\n    return result.withErrorFormat((e) => `wrapBytes failed: ${e}`);\n  }\n\n  /**\n   * Unwraps a payload produced by `wrapBytes` using the recipient's private\n   * key. See {@link CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes}.\n   * @param wrapped - The wrapped payload.\n   * @param recipientPrivateKey - The recipient's ECDH P-256 private `CryptoKey`.\n   * @param options - HKDF salt and info matching the wrap call.\n   * @returns `Success` with the original `plaintext`, or `Failure` with an error.\n   */\n  public async unwrapBytes(\n    wrapped: CryptoUtils.IWrappedBytes,\n    recipientPrivateKey: CryptoKey,\n    options: CryptoUtils.IWrapBytesOptions\n  ): Promise<Result<Uint8Array>> {\n    const recipientCheck = checkEcdhP256(recipientPrivateKey, 'private', 'recipient private key');\n    if (recipientCheck.isFailure()) {\n      return Failure.with(`unwrapBytes failed: ${recipientCheck.message}`);\n    }\n    const nonceResult = this.fromBase64(wrapped.nonce);\n    if (nonceResult.isFailure()) {\n      return Failure.with(`unwrapBytes failed: nonce: ${nonceResult.message}`);\n    }\n    if (nonceResult.value.length !== CryptoUtils.Constants.GCM_IV_SIZE) {\n      return Failure.with(\n        `unwrapBytes failed: nonce must be ${CryptoUtils.Constants.GCM_IV_SIZE} bytes (got ${nonceResult.value.length})`\n      );\n    }\n    const ciphertextResult = this.fromBase64(wrapped.ciphertext);\n    if (ciphertextResult.isFailure()) {\n      return Failure.with(`unwrapBytes failed: ciphertext: ${ciphertextResult.message}`);\n    }\n    if (ciphertextResult.value.length < CryptoUtils.Constants.GCM_AUTH_TAG_SIZE) {\n      return Failure.with(\n        `unwrapBytes failed: ciphertext must be at least ${CryptoUtils.Constants.GCM_AUTH_TAG_SIZE} bytes (got ${ciphertextResult.value.length})`\n      );\n    }\n    const subtle = this._crypto.subtle;\n    const result = await captureAsyncResult(async () => {\n      const ephemeralPub = await subtle.importKey(\n        'jwk',\n        wrapped.ephemeralPublicKey,\n        { name: 'ECDH', namedCurve: 'P-256' },\n        false,\n        []\n      );\n      const hkdfBase = await subtle.deriveKey(\n        { name: 'ECDH', public: ephemeralPub },\n        recipientPrivateKey,\n        { name: 'HKDF' },\n        false,\n        ['deriveKey']\n      );\n      const wrapKey = await subtle.deriveKey(\n        { name: 'HKDF', salt: toBufferView(options.salt), info: toBufferView(options.info), hash: 'SHA-256' },\n        hkdfBase,\n        { name: 'AES-GCM', length: 256 },\n        false,\n        ['decrypt']\n      );\n      const ptBuf = await subtle.decrypt(\n        { name: 'AES-GCM', iv: toBufferView(nonceResult.value) },\n        wrapKey,\n        toBufferView(ciphertextResult.value)\n      );\n      return new Uint8Array(ptBuf);\n    });\n    return result.withErrorFormat((e) => `unwrapBytes failed: ${e}`);\n  }\n}\n\n/**\n * Verifies that `key` is an ECDH P-256 `CryptoKey` of the expected `keyType`\n * (public or private). Used by the wrap/unwrap methods to surface a clean\n * `Failure` instead of letting the WebCrypto deriveKey call throw a less\n * informative error later in the pipeline. Key usages are intentionally not\n * checked here: WebCrypto already produces a specific error if `deriveKey` is\n * not in `usages`, and `deriveBits` is an equally valid alternative usage that\n * an explicit check would have to track.\n * @param key - The CryptoKey to validate.\n * @param keyType - The required `key.type` ('public' for wrap, 'private' for unwrap).\n * @param label - Human-readable role label included in the failure message.\n * @returns `Success` with the key (unchanged) when the algorithm, curve, and\n * type all match; otherwise `Failure` with `<label> must be ECDH P-256 (...)`.\n */\nfunction checkEcdhP256(key: CryptoKey, keyType: 'public' | 'private', label: string): Result<CryptoKey> {\n  if (key.algorithm.name !== 'ECDH') {\n    return Failure.with(`${label} must be ECDH P-256 (got algorithm '${key.algorithm.name}')`);\n  }\n  const namedCurve = (key.algorithm as EcKeyAlgorithm).namedCurve;\n  if (namedCurve !== 'P-256') {\n    return Failure.with(`${label} must be ECDH P-256 (got curve '${namedCurve}')`);\n  }\n  if (key.type !== keyType) {\n    return Failure.with(`${label} must be a ${keyType} CryptoKey (got '${key.type}')`);\n  }\n  return succeed(key);\n}\n\n/* c8 ignore start - Constructs a provider; only meaningful in a real browser environment */\n/**\n * Creates a {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider} if Web\n * Crypto API is available.\n * @returns `Success` with provider, or `Failure` if not available\n * @public\n */\nexport function createBrowserCryptoProvider(): Result<BrowserCryptoProvider> {\n  return captureResult(() => new BrowserCryptoProvider());\n}\n/* c8 ignore stop */\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fgv/ts-web-extras",
-  "version": "5.1.0-21",
+  "version": "5.1.0-22",
   "description": "Browser-compatible utilities and FileTree implementations",
   "main": "lib/index.js",
   "types": "dist/ts-web-extras.d.ts",
@@ -46,19 +46,19 @@
     "@types/react": "~19.2.8",
     "typedoc": "~0.28.16",
     "typedoc-plugin-markdown": "~4.9.0",
-    "@fgv/heft-dual-rig": "5.1.0-21",
-    "@fgv/typedoc-compact-theme": "5.1.0-21",
-    "@fgv/ts-extras": "5.1.0-21",
-    "@fgv/ts-utils": "5.1.0-21",
-    "@fgv/ts-json-base": "5.1.0-21",
-    "@fgv/ts-utils-jest": "5.1.0-21"
+    "@fgv/heft-dual-rig": "5.1.0-22",
+    "@fgv/typedoc-compact-theme": "5.1.0-22",
+    "@fgv/ts-extras": "5.1.0-22",
+    "@fgv/ts-utils": "5.1.0-22",
+    "@fgv/ts-json-base": "5.1.0-22",
+    "@fgv/ts-utils-jest": "5.1.0-22"
   },
   "peerDependencies": {
     "react": ">=18 <20",
     "react-dom": ">=18 <20",
-    "@fgv/ts-extras": "5.1.0-21",
-    "@fgv/ts-utils": "5.1.0-21",
-    "@fgv/ts-json-base": "5.1.0-21"
+    "@fgv/ts-extras": "5.1.0-22",
+    "@fgv/ts-utils": "5.1.0-22",
+    "@fgv/ts-json-base": "5.1.0-22"
   },
   "exports": {
     ".": {