@functionland/fula-client 0.2.23 → 0.2.25

package/fula_js.d.ts

@@ -47,12 +47,21 @@ export function deleteBucket(client: EncryptedClient, name: string): Promise<voi
 export function deleteEncrypted(client: EncryptedClient, bucket: string, key: string): Promise<void>;
 
 /**
- * Derive a 32-byte key from context and input
+ * Derive a 32-byte key from context and input using Argon2id (memory-hard KDF)
  *
- * Use this to derive encryption keys from Google credentials:
+ * Use this to derive encryption keys from Google credentials with brute-force resistance:
  * ```javascript
- * const key = deriveKey('my-app-v1', new TextEncoder().encode(userId + email));
+ * const key = deriveKey('fula-files-v1', new TextEncoder().encode(`google:${userId}:${email}`));
  * ```
+ *
+ * Parameters:
+ * - Memory: 64 MiB
+ * - Iterations: 3
+ * - Parallelism: 1 (for cross-platform consistency)
+ *
+ * @param context - Context string used as salt (e.g., "fula-files-v1")
+ * @param input - Input bytes (e.g., UTF-8 encoded credentials)
+ * @returns 32-byte derived key
  */
 export function deriveKey(context: string, input: Uint8Array): Uint8Array;
 
@@ -180,6 +189,61 @@ export function putEncrypted(client: EncryptedClient, bucket: string, key: strin
  */
 export function putEncryptedWithType(client: EncryptedClient, bucket: string, key: string, data: Uint8Array, content_type: string): Promise<any>;
 
+/**
+ * AES-256-GCM decrypt data with a DEK
+ *
+ * @param dekBytes - 32-byte DEK
+ * @param nonceBase64 - Base64 encoded 12-byte nonce
+ * @param ciphertextBase64 - Base64 encoded ciphertext
+ * @returns Decrypted plaintext
+ */
+export function testAesGcmDecrypt(dek_bytes: Uint8Array, nonce_base64: string, ciphertext_base64: string): Uint8Array;
+
+/**
+ * AES-256-GCM encrypt data with a DEK
+ *
+ * @param dekBytes - 32-byte DEK
+ * @param plaintext - Data to encrypt
+ * @returns JSON string with {nonce, ciphertext} (both base64 encoded)
+ */
+export function testAesGcmEncrypt(dek_bytes: Uint8Array, plaintext: Uint8Array): string;
+
+/**
+ * Full encryption round-trip test
+ *
+ * This tests the EXACT flow: derive key -> encrypt DEK with HPKE -> encrypt data with AES-GCM
+ * then decrypt in reverse order. If this works, the WASM crypto is correct.
+ *
+ * @param context - Key derivation context (e.g., "fula-files-v1")
+ * @param input - Key derivation input (e.g., credentials)
+ * @param plaintext - Data to encrypt and decrypt
+ * @returns Original plaintext if successful (proves round-trip works)
+ */
+export function testFullEncryptionRoundtrip(context: string, input: Uint8Array, plaintext: Uint8Array): Uint8Array;
+
+/**
+ * Decrypt a wrapped DEK using HPKE with the given secret key
+ *
+ * This simulates what WebUI WASM should do when decrypting a file.
+ *
+ * @param secretKeyBytes - 32-byte X25519 secret key
+ * @param wrappedDekJson - JSON string from testHpkeEncryptDek
+ * @returns 32-byte decrypted DEK
+ */
+export function testHpkeDecryptDek(secret_key_bytes: Uint8Array, wrapped_dek_json: string): Uint8Array;
+
+/**
+ * Encrypt a DEK using HPKE with the given public key
+ *
+ * This simulates what FxFiles does when encrypting a file.
+ * Returns JSON string containing the EncryptedData (wrapped DEK).
+ *
+ * @param publicKeyBytes - 32-byte X25519 public key
+ * @param dekBytes - 32-byte DEK to encrypt
+ * @returns JSON string with {version, encapsulated_key, ciphertext}
+ */
+export function testHpkeEncryptDek(public_key_bytes: Uint8Array, dek_bytes: Uint8Array): string;
+
 export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module;
 
 export interface InitOutput {
@@ -208,12 +272,17 @@ export interface InitOutput {
   readonly listDirectory: (a: number, b: number, c: number, d: number, e: number) => any;
   readonly putEncrypted: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => any;
   readonly putEncryptedWithType: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => any;
+  readonly testAesGcmDecrypt: (a: number, b: number, c: number, d: number, e: number, f: number) => [number, number, number, number];
+  readonly testAesGcmEncrypt: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly testFullEncryptionRoundtrip: (a: number, b: number, c: number, d: number, e: number, f: number) => [number, number, number, number];
+  readonly testHpkeDecryptDek: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly testHpkeEncryptDek: (a: number, b: number, c: number, d: number) => [number, number, number, number];
   readonly init: () => void;
-  readonly wasm_bindgen__convert__closures_____invoke__h137a7db9bfc1a698: (a: number, b: number) => void;
-  readonly wasm_bindgen__closure__destroy__h175e7795724731f3: (a: number, b: number) => void;
-  readonly wasm_bindgen__convert__closures_____invoke__hfca1d4c99c3f4fb2: (a: number, b: number, c: any) => void;
-  readonly wasm_bindgen__closure__destroy__hf1f5673d74edd4c1: (a: number, b: number) => void;
-  readonly wasm_bindgen__convert__closures_____invoke__h480ba7e91e420106: (a: number, b: number, c: any, d: any) => void;
+  readonly wasm_bindgen__convert__closures_____invoke__hb49647253b2911c5: (a: number, b: number) => void;
+  readonly wasm_bindgen__closure__destroy__hde34fe38f5ae6975: (a: number, b: number) => void;
+  readonly wasm_bindgen__convert__closures_____invoke__h7e10992c477d6050: (a: number, b: number, c: any) => void;
+  readonly wasm_bindgen__closure__destroy__h40a33609ceb56b6e: (a: number, b: number) => void;
+  readonly wasm_bindgen__convert__closures_____invoke__h4b8cebda0a70f497: (a: number, b: number, c: any, d: any) => void;
   readonly __wbindgen_malloc: (a: number, b: number) => number;
   readonly __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number;
   readonly __wbindgen_exn_store: (a: number) => void;

package/fula_js.js

@@ -227,16 +227,16 @@ if (!('encodeInto' in cachedTextEncoder)) {
 
 let WASM_VECTOR_LEN = 0;
 
-function wasm_bindgen__convert__closures_____invoke__h137a7db9bfc1a698(arg0, arg1) {
-    wasm.wasm_bindgen__convert__closures_____invoke__h137a7db9bfc1a698(arg0, arg1);
+function wasm_bindgen__convert__closures_____invoke__hb49647253b2911c5(arg0, arg1) {
+    wasm.wasm_bindgen__convert__closures_____invoke__hb49647253b2911c5(arg0, arg1);
 }
 
-function wasm_bindgen__convert__closures_____invoke__hfca1d4c99c3f4fb2(arg0, arg1, arg2) {
-    wasm.wasm_bindgen__convert__closures_____invoke__hfca1d4c99c3f4fb2(arg0, arg1, arg2);
+function wasm_bindgen__convert__closures_____invoke__h7e10992c477d6050(arg0, arg1, arg2) {
+    wasm.wasm_bindgen__convert__closures_____invoke__h7e10992c477d6050(arg0, arg1, arg2);
 }
 
-function wasm_bindgen__convert__closures_____invoke__h480ba7e91e420106(arg0, arg1, arg2, arg3) {
-    wasm.wasm_bindgen__convert__closures_____invoke__h480ba7e91e420106(arg0, arg1, arg2, arg3);
+function wasm_bindgen__convert__closures_____invoke__h4b8cebda0a70f497(arg0, arg1, arg2, arg3) {
+    wasm.wasm_bindgen__convert__closures_____invoke__h4b8cebda0a70f497(arg0, arg1, arg2, arg3);
 }
 
 const __wbindgen_enum_RequestCache = ["default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached"];
@@ -380,12 +380,21 @@ export function deleteEncrypted(client, bucket, key) {
 }
 
 /**
- * Derive a 32-byte key from context and input
+ * Derive a 32-byte key from context and input using Argon2id (memory-hard KDF)
  *
- * Use this to derive encryption keys from Google credentials:
+ * Use this to derive encryption keys from Google credentials with brute-force resistance:
  * ```javascript
- * const key = deriveKey('my-app-v1', new TextEncoder().encode(userId + email));
+ * const key = deriveKey('fula-files-v1', new TextEncoder().encode(`google:${userId}:${email}`));
  * ```
+ *
+ * Parameters:
+ * - Memory: 64 MiB
+ * - Iterations: 3
+ * - Parallelism: 1 (for cross-platform consistency)
+ *
+ * @param context - Context string used as salt (e.g., "fula-files-v1")
+ * @param input - Input bytes (e.g., UTF-8 encoded credentials)
+ * @returns 32-byte derived key
  * @param {string} context
  * @param {Uint8Array} input
  * @returns {Uint8Array}
@@ -698,6 +707,160 @@ export function putEncryptedWithType(client, bucket, key, data, content_type) {
     return ret;
 }
 
+/**
+ * AES-256-GCM decrypt data with a DEK
+ *
+ * @param dekBytes - 32-byte DEK
+ * @param nonceBase64 - Base64 encoded 12-byte nonce
+ * @param ciphertextBase64 - Base64 encoded ciphertext
+ * @returns Decrypted plaintext
+ * @param {Uint8Array} dek_bytes
+ * @param {string} nonce_base64
+ * @param {string} ciphertext_base64
+ * @returns {Uint8Array}
+ */
+export function testAesGcmDecrypt(dek_bytes, nonce_base64, ciphertext_base64) {
+    const ptr0 = passArray8ToWasm0(dek_bytes, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(nonce_base64, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(ciphertext_base64, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ret = wasm.testAesGcmDecrypt(ptr0, len0, ptr1, len1, ptr2, len2);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v4 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v4;
+}
+
+/**
+ * AES-256-GCM encrypt data with a DEK
+ *
+ * @param dekBytes - 32-byte DEK
+ * @param plaintext - Data to encrypt
+ * @returns JSON string with {nonce, ciphertext} (both base64 encoded)
+ * @param {Uint8Array} dek_bytes
+ * @param {Uint8Array} plaintext
+ * @returns {string}
+ */
+export function testAesGcmEncrypt(dek_bytes, plaintext) {
+    let deferred4_0;
+    let deferred4_1;
+    try {
+        const ptr0 = passArray8ToWasm0(dek_bytes, wasm.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passArray8ToWasm0(plaintext, wasm.__wbindgen_malloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm.testAesGcmEncrypt(ptr0, len0, ptr1, len1);
+        var ptr3 = ret[0];
+        var len3 = ret[1];
+        if (ret[3]) {
+            ptr3 = 0; len3 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred4_0 = ptr3;
+        deferred4_1 = len3;
+        return getStringFromWasm0(ptr3, len3);
+    } finally {
+        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+    }
+}
+
+/**
+ * Full encryption round-trip test
+ *
+ * This tests the EXACT flow: derive key -> encrypt DEK with HPKE -> encrypt data with AES-GCM
+ * then decrypt in reverse order. If this works, the WASM crypto is correct.
+ *
+ * @param context - Key derivation context (e.g., "fula-files-v1")
+ * @param input - Key derivation input (e.g., credentials)
+ * @param plaintext - Data to encrypt and decrypt
+ * @returns Original plaintext if successful (proves round-trip works)
+ * @param {string} context
+ * @param {Uint8Array} input
+ * @param {Uint8Array} plaintext
+ * @returns {Uint8Array}
+ */
+export function testFullEncryptionRoundtrip(context, input, plaintext) {
+    const ptr0 = passStringToWasm0(context, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(input, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passArray8ToWasm0(plaintext, wasm.__wbindgen_malloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ret = wasm.testFullEncryptionRoundtrip(ptr0, len0, ptr1, len1, ptr2, len2);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v4 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v4;
+}
+
+/**
+ * Decrypt a wrapped DEK using HPKE with the given secret key
+ *
+ * This simulates what WebUI WASM should do when decrypting a file.
+ *
+ * @param secretKeyBytes - 32-byte X25519 secret key
+ * @param wrappedDekJson - JSON string from testHpkeEncryptDek
+ * @returns 32-byte decrypted DEK
+ * @param {Uint8Array} secret_key_bytes
+ * @param {string} wrapped_dek_json
+ * @returns {Uint8Array}
+ */
+export function testHpkeDecryptDek(secret_key_bytes, wrapped_dek_json) {
+    const ptr0 = passArray8ToWasm0(secret_key_bytes, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(wrapped_dek_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ret = wasm.testHpkeDecryptDek(ptr0, len0, ptr1, len1);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v3 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v3;
+}
+
+/**
+ * Encrypt a DEK using HPKE with the given public key
+ *
+ * This simulates what FxFiles does when encrypting a file.
+ * Returns JSON string containing the EncryptedData (wrapped DEK).
+ *
+ * @param publicKeyBytes - 32-byte X25519 public key
+ * @param dekBytes - 32-byte DEK to encrypt
+ * @returns JSON string with {version, encapsulated_key, ciphertext}
+ * @param {Uint8Array} public_key_bytes
+ * @param {Uint8Array} dek_bytes
+ * @returns {string}
+ */
+export function testHpkeEncryptDek(public_key_bytes, dek_bytes) {
+    let deferred4_0;
+    let deferred4_1;
+    try {
+        const ptr0 = passArray8ToWasm0(public_key_bytes, wasm.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passArray8ToWasm0(dek_bytes, wasm.__wbindgen_malloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm.testHpkeEncryptDek(ptr0, len0, ptr1, len1);
+        var ptr3 = ret[0];
+        var len3 = ret[1];
+        if (ret[3]) {
+            ptr3 = 0; len3 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred4_0 = ptr3;
+        deferred4_1 = len3;
+        return getStringFromWasm0(ptr3, len3);
+    } finally {
+        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+    }
+}
+
 const EXPECTED_RESPONSE_TYPES = new Set(['basic', 'cors', 'default']);
 
 async function __wbg_load(module, imports) {
@@ -999,7 +1162,7 @@ function __wbg_get_imports() {
                 const a = state0.a;
                 state0.a = 0;
                 try {
-                    return wasm_bindgen__convert__closures_____invoke__h480ba7e91e420106(a, state0.b, arg0, arg1);
+                    return wasm_bindgen__convert__closures_____invoke__h4b8cebda0a70f497(a, state0.b, arg0, arg1);
                 } finally {
                     state0.a = a;
                 }
@@ -1169,9 +1332,9 @@ function __wbg_get_imports() {
         const ret = getStringFromWasm0(arg0, arg1);
         return ret;
     };
-    imports.wbg.__wbindgen_cast_293162629359ccc7 = function(arg0, arg1) {
-        // Cast intrinsic for `Closure(Closure { dtor_idx: 284, function: Function { arguments: [], shim_idx: 285, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
-        const ret = makeMutClosure(arg0, arg1, wasm.wasm_bindgen__closure__destroy__h175e7795724731f3, wasm_bindgen__convert__closures_____invoke__h137a7db9bfc1a698);
+    imports.wbg.__wbindgen_cast_3ef92b33ccb01780 = function(arg0, arg1) {
+        // Cast intrinsic for `Closure(Closure { dtor_idx: 323, function: Function { arguments: [Externref], shim_idx: 324, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
+        const ret = makeMutClosure(arg0, arg1, wasm.wasm_bindgen__closure__destroy__h40a33609ceb56b6e, wasm_bindgen__convert__closures_____invoke__h7e10992c477d6050);
         return ret;
     };
     imports.wbg.__wbindgen_cast_4625c577ab2ec9ee = function(arg0) {
@@ -1179,9 +1342,9 @@ function __wbg_get_imports() {
         const ret = BigInt.asUintN(64, arg0);
         return ret;
     };
-    imports.wbg.__wbindgen_cast_7418e77c9d43951b = function(arg0, arg1) {
-        // Cast intrinsic for `Closure(Closure { dtor_idx: 319, function: Function { arguments: [Externref], shim_idx: 320, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
-        const ret = makeMutClosure(arg0, arg1, wasm.wasm_bindgen__closure__destroy__hf1f5673d74edd4c1, wasm_bindgen__convert__closures_____invoke__hfca1d4c99c3f4fb2);
+    imports.wbg.__wbindgen_cast_6b8383c0ec1ae211 = function(arg0, arg1) {
+        // Cast intrinsic for `Closure(Closure { dtor_idx: 289, function: Function { arguments: [], shim_idx: 290, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
+        const ret = makeMutClosure(arg0, arg1, wasm.wasm_bindgen__closure__destroy__hde34fe38f5ae6975, wasm_bindgen__convert__closures_____invoke__hb49647253b2911c5);
         return ret;
     };
     imports.wbg.__wbindgen_cast_77bc3e92745e9a35 = function(arg0, arg1) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@functionland/fula-client",
-  "version": "0.2.23",
+  "version": "0.2.25",
   "type": "module",
   "description": "JavaScript/TypeScript SDK for Fula decentralized storage - client-side encryption with cross-platform key compatibility",
   "main": "fula_js.js",