@gnufoo/envlp 0.1.1

package/envlp_wasm_bg.wasm.d.ts

@@ -0,0 +1,24 @@
+/* tslint:disable */
+/* eslint-disable */
+export const memory: WebAssembly.Memory;
+export const KEY_SIZE: () => number;
+export const NONCE_SIZE: () => number;
+export const SPEC_VERSION: () => number;
+export const TAG_SIZE: () => number;
+export const hasMagicPrefix: (a: number, b: number) => number;
+export const inspect: (a: number, b: number) => [number, number, number];
+export const keygen: () => [number, number];
+export const magicBytes: () => [number, number];
+export const openReconstructed: (a: number, b: number, c: number, d: number, e: number, f: number) => [number, number, number, number];
+export const openTransmitted: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const seal: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number) => [number, number, number, number];
+export const validate: (a: number, b: number) => [number, number, number];
+export const version: () => [number, number];
+export const __wbindgen_exn_store: (a: number) => void;
+export const __externref_table_alloc: () => number;
+export const __wbindgen_externrefs: WebAssembly.Table;
+export const __wbindgen_malloc: (a: number, b: number) => number;
+export const __externref_table_dealloc: (a: number) => void;
+export const __wbindgen_free: (a: number, b: number, c: number) => void;
+export const __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number;
+export const __wbindgen_start: () => void;

package/init.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Initialize WASM. Call once before using any WASM functions.
+ *
+ * @param wasmModule - Pass the WebAssembly.Module in Workers, omit in browser
+ */
+export function initWasm(wasmModule?: WebAssembly.Module): Promise<void>;
+
+/**
+ * Check if WASM has been initialized.
+ */
+export function isInitialized(): boolean;

package/init.js

@@ -0,0 +1,24 @@
+import init from './envlp_wasm.js';
+
+let initialized = false;
+let initPromise = null;
+
+/**
+ * Initialize WASM. Call once before using any WASM functions.
+ *
+ * @param {WebAssembly.Module | undefined} wasmModule - Pass the Module in Workers, omit in browser
+ */
+export async function initWasm(wasmModule) {
+  if (initialized) return;
+  if (initPromise) return initPromise;
+
+  initPromise = init(wasmModule).then(() => {
+    initialized = true;
+  });
+
+  return initPromise;
+}
+
+export function isInitialized() {
+  return initialized;
+}

package/meta.d.ts

@@ -0,0 +1,85 @@
+import { z } from 'zod';
+
+export declare const inputSchema: z.ZodDiscriminatedUnion<'action', [
+  z.ZodObject<{
+    action: z.ZodLiteral<'seal'>;
+    key: z.ZodString;
+    plaintext: z.ZodString;
+    aad: z.ZodString;
+    keyId: z.ZodString;
+    options: z.ZodOptional<z.ZodObject<{
+      includeMagic: z.ZodDefault<z.ZodBoolean>;
+      includeAad: z.ZodDefault<z.ZodBoolean>;
+    }>>;
+  }>,
+  z.ZodObject<{
+    action: z.ZodLiteral<'openTransmitted'>;
+    key: z.ZodString;
+    envelope: z.ZodString;
+  }>,
+  z.ZodObject<{
+    action: z.ZodLiteral<'openReconstructed'>;
+    key: z.ZodString;
+    envelope: z.ZodString;
+    aad: z.ZodString;
+  }>,
+  z.ZodObject<{
+    action: z.ZodLiteral<'inspect'>;
+    envelope: z.ZodString;
+  }>,
+  z.ZodObject<{
+    action: z.ZodLiteral<'validate'>;
+    envelope: z.ZodString;
+  }>,
+  z.ZodObject<{
+    action: z.ZodLiteral<'keygen'>;
+  }>
+]>;
+
+export declare const outputSchema: z.ZodType;
+
+export type EnvlpInput = z.infer<typeof inputSchema>;
+export type EnvlpOutput = z.infer<typeof outputSchema>;
+
+export interface SealOptions {
+  includeMagic?: boolean;
+  includeAad?: boolean;
+}
+
+export interface InspectResult {
+  action: 'inspect';
+  version: number;
+  algorithm: string;
+  algorithmId: number;
+  keyId: string;
+  nonceHex: string;
+  ciphertextLen: number;
+  hasAad: boolean;
+  aadLen: number | null;
+  isWrappedMode: boolean;
+}
+
+export interface ValidateResult {
+  action: 'validate';
+  valid: boolean;
+  errors: string[];
+}
+
+export declare const meta: {
+  id: string;
+  name: string;
+  slug: string;
+  description: string;
+  category: 'crypto';
+  executionType: 'client';
+  inputSchema: typeof inputSchema;
+  outputSchema: typeof outputSchema;
+  positionalArgs: {
+    order: string[];
+    required: number;
+  };
+  packages: {
+    npm: string;
+    crates: string;
+  };
+};

package/meta.js

@@ -0,0 +1,129 @@
+import { z } from 'zod';
+
+// ============================================================================
+// Input Schemas (discriminated union by action)
+// ============================================================================
+
+const sealOptionsSchema = z.object({
+  includeMagic: z.boolean().default(true),
+  includeAad: z.boolean().default(true),
+}).optional();
+
+const sealAction = z.object({
+  action: z.literal('seal'),
+  key: z.string().min(1).describe('256-bit key as hex or base64'),
+  plaintext: z.string().min(1).describe('Plaintext as base64'),
+  aad: z.string().min(1).describe('AAD as JSON string'),
+  keyId: z.string().min(1).max(256).describe('Key identifier for envelope header'),
+  options: sealOptionsSchema,
+});
+
+const openTransmittedAction = z.object({
+  action: z.literal('openTransmitted'),
+  key: z.string().min(1).describe('256-bit key as hex or base64'),
+  envelope: z.string().min(1).describe('Envelope as base64'),
+});
+
+const openReconstructedAction = z.object({
+  action: z.literal('openReconstructed'),
+  key: z.string().min(1).describe('256-bit key as hex or base64'),
+  envelope: z.string().min(1).describe('Envelope as base64'),
+  aad: z.string().min(1).describe('AAD as JSON string'),
+});
+
+const inspectAction = z.object({
+  action: z.literal('inspect'),
+  envelope: z.string().min(1).describe('Envelope as base64'),
+});
+
+const validateAction = z.object({
+  action: z.literal('validate'),
+  envelope: z.string().min(1).describe('Envelope as base64'),
+});
+
+const keygenAction = z.object({
+  action: z.literal('keygen'),
+});
+
+export const inputSchema = z.discriminatedUnion('action', [
+  sealAction,
+  openTransmittedAction,
+  openReconstructedAction,
+  inspectAction,
+  validateAction,
+  keygenAction,
+]);
+
+// ============================================================================
+// Output Schemas (discriminated union by action)
+// ============================================================================
+
+const sealOutput = z.object({
+  action: z.literal('seal'),
+  envelope: z.string().describe('Envelope as base64'),
+});
+
+const openOutput = z.object({
+  action: z.enum(['openTransmitted', 'openReconstructed']),
+  plaintext: z.string().describe('Decrypted plaintext as base64'),
+});
+
+const inspectOutput = z.object({
+  action: z.literal('inspect'),
+  version: z.number().int(),
+  algorithm: z.string(),
+  algorithmId: z.number().int(),
+  keyId: z.string(),
+  nonceHex: z.string(),
+  ciphertextLen: z.number().int(),
+  hasAad: z.boolean(),
+  aadLen: z.number().int().nullable(),
+  isWrappedMode: z.boolean(),
+});
+
+const validateOutput = z.object({
+  action: z.literal('validate'),
+  valid: z.boolean(),
+  errors: z.array(z.string()),
+});
+
+const keygenOutput = z.object({
+  action: z.literal('keygen'),
+  key: z.string().describe('256-bit key as hex'),
+});
+
+export const outputSchema = z.discriminatedUnion('action', [
+  sealOutput,
+  openOutput.extend({ action: z.literal('openTransmitted') }),
+  openOutput.extend({ action: z.literal('openReconstructed') }),
+  inspectOutput,
+  validateOutput,
+  keygenOutput,
+]);
+
+// ============================================================================
+// Tool Metadata
+// ============================================================================
+
+export const meta = {
+  id: 'envlp',
+  name: 'envlp',
+  slug: 'envlp',
+  description: 'AEAD envelope encryption with XChaCha20-Poly1305 per AAED wire format spec',
+
+  category: 'crypto',
+  executionType: 'client',
+
+  inputSchema,
+  outputSchema,
+
+  positionalArgs: {
+    order: ['action', 'envelope'],
+    required: 1,
+  },
+
+  packages: {
+    npm: '@gnufoo/envlp',
+    crates: 'envlp-cli',
+  },
+};

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@gnufoo/envlp",
+  "version": "0.1.1",
+  "type": "module",
+  "main": "envlp_wasm.js",
+  "types": "envlp_wasm.d.ts",
+  "exports": {
+    ".": {
+      "types": "./envlp_wasm.d.ts",
+      "import": "./envlp_wasm.js"
+    },
+    "./meta": {
+      "types": "./meta.d.ts",
+      "import": "./meta.js"
+    },
+    "./tool": {
+      "types": "./tool.d.ts",
+      "import": "./tool.js"
+    },
+    "./init": {
+      "types": "./init.d.ts",
+      "import": "./init.js"
+    }
+  },
+  "dependencies": {
+    "zod": "^3.24.0"
+  },
+  "files": [
+    "*.js",
+    "*.d.ts",
+    "*.wasm"
+  ],
+  "sideEffects": false,
+  "keywords": [
+    "aead",
+    "envelope",
+    "encryption",
+    "xchacha20",
+    "poly1305",
+    "cbor",
+    "wasm"
+  ],
+  "license": "MIT OR Apache-2.0",
+  "description": "AEAD envelope encryption library (AAED wire format spec)"
+}

package/tool.d.ts

@@ -0,0 +1,8 @@
+import type { meta, EnvlpInput, EnvlpOutput } from './meta.js';
+import type { initWasm, isInitialized } from './init.js';
+
+export declare const toolDefinition: typeof meta & {
+  initWasm: typeof initWasm;
+  isInitialized: typeof isInitialized;
+  execute(input: EnvlpInput): Promise<EnvlpOutput>;
+};

package/tool.js

@@ -0,0 +1,169 @@
+import { meta, inputSchema } from './meta.js';
+import { initWasm, isInitialized } from './init.js';
+import {
+  keygen,
+  seal,
+  openTransmitted,
+  openReconstructed,
+  inspect,
+  validate,
+} from './envlp_wasm.js';
+
+// ============================================================================
+// Encoding utilities
+// ============================================================================
+
+const hexToBytes = (hex) => {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(hex.substr(i * 2, 2), 16);
+  }
+  return bytes;
+};
+
+const bytesToHex = (bytes) =>
+  Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('');
+
+const base64ToBytes = (base64) => {
+  const binary = globalThis.atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+};
+
+const bytesToBase64 = (bytes) =>
+  globalThis.btoa(String.fromCharCode(...bytes));
+
+/**
+ * Parse a key from hex or base64 format.
+ * Hex keys are 64 chars, base64 keys are 44 chars (with padding).
+ */
+const parseKey = (keyStr) => {
+  // Check for hex (64 chars for 32 bytes)
+  if (/^[0-9a-fA-F]{64}$/.test(keyStr)) {
+    return hexToBytes(keyStr);
+  }
+  // Assume base64
+  return base64ToBytes(keyStr);
+};
+
+// ============================================================================
+// Tool Definition
+// ============================================================================
+
+export const toolDefinition = {
+  ...meta,
+
+  /**
+   * Initialize WASM. Must be called before execute() in Workers.
+   * In browsers with vite-plugin-wasm, this is optional.
+   */
+  initWasm,
+  isInitialized,
+
+  /**
+   * Execute an envlp action.
+   *
+   * @param {import('./meta.js').EnvlpInput} rawInput
+   * @returns {Promise<import('./meta.js').EnvlpOutput>}
+   */
+  async execute(rawInput) {
+    if (!isInitialized()) {
+      throw new Error('WASM not initialized. Call initWasm() first.');
+    }
+
+    const input = inputSchema.parse(rawInput);
+
+    switch (input.action) {
+      case 'keygen': {
+        const keyBytes = keygen();
+        return {
+          action: 'keygen',
+          key: bytesToHex(keyBytes),
+        };
+      }
+
+      case 'seal': {
+        const keyBytes = parseKey(input.key);
+        const plaintextBytes = base64ToBytes(input.plaintext);
+        const includeAad = input.options?.includeAad ?? true;
+        const includeMagic = input.options?.includeMagic ?? true;
+
+        const envelopeBytes = seal(
+          keyBytes,
+          plaintextBytes,
+          input.aad,
+          input.keyId,
+          includeAad,
+          includeMagic
+        );
+
+        return {
+          action: 'seal',
+          envelope: bytesToBase64(envelopeBytes),
+        };
+      }
+
+      case 'openTransmitted': {
+        const keyBytes = parseKey(input.key);
+        const envelopeBytes = base64ToBytes(input.envelope);
+
+        const plaintextBytes = openTransmitted(keyBytes, envelopeBytes);
+
+        return {
+          action: 'openTransmitted',
+          plaintext: bytesToBase64(plaintextBytes),
+        };
+      }
+
+      case 'openReconstructed': {
+        const keyBytes = parseKey(input.key);
+        const envelopeBytes = base64ToBytes(input.envelope);
+
+        const plaintextBytes = openReconstructed(
+          keyBytes,
+          envelopeBytes,
+          input.aad
+        );
+
+        return {
+          action: 'openReconstructed',
+          plaintext: bytesToBase64(plaintextBytes),
+        };
+      }
+
+      case 'inspect': {
+        const envelopeBytes = base64ToBytes(input.envelope);
+        const metadata = inspect(envelopeBytes);
+
+        return {
+          action: 'inspect',
+          version: metadata.version,
+          algorithm: metadata.algorithm,
+          algorithmId: metadata.algorithmId,
+          keyId: metadata.keyId,
+          nonceHex: metadata.nonceHex,
+          ciphertextLen: metadata.ciphertextLen,
+          hasAad: metadata.hasAad,
+          aadLen: metadata.aadLen,
+          isWrappedMode: metadata.isWrappedMode,
+        };
+      }
+
+      case 'validate': {
+        const envelopeBytes = base64ToBytes(input.envelope);
+        const result = validate(envelopeBytes);
+
+        return {
+          action: 'validate',
+          valid: result.valid,
+          errors: Array.from(result.errors || []),
+        };
+      }
+    }
+  },
+};