npm - @haex-space/vault-sdk - Versions diffs - 2.3.8 → 2.3.12 - Mend

@haex-space/vault-sdk 2.3.8 → 2.3.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/dist/cli/index.mjs +0 -0
package/dist/{client-D4hDL-PR.d.ts → client-BdeVsDdi.d.mts} +28 -1
package/dist/{client-BIiJwbdW.d.mts → client-Ctv_qXuk.d.ts} +28 -1
package/dist/index.d.mts +66 -5
package/dist/index.d.ts +66 -5
package/dist/index.js +284 -1
package/dist/index.js.map +1 -1
package/dist/index.mjs +274 -2
package/dist/index.mjs.map +1 -1
package/dist/node.d.mts +1 -1
package/dist/node.d.ts +1 -1
package/dist/react.d.mts +2 -2
package/dist/react.d.ts +2 -2
package/dist/react.js +91 -1
package/dist/react.js.map +1 -1
package/dist/react.mjs +91 -1
package/dist/react.mjs.map +1 -1
package/dist/runtime/nuxt.plugin.client.d.mts +2 -2
package/dist/runtime/nuxt.plugin.client.d.ts +2 -2
package/dist/runtime/nuxt.plugin.client.js +91 -1
package/dist/runtime/nuxt.plugin.client.js.map +1 -1
package/dist/runtime/nuxt.plugin.client.mjs +91 -1
package/dist/runtime/nuxt.plugin.client.mjs.map +1 -1
package/dist/svelte.d.mts +2 -2
package/dist/svelte.d.ts +2 -2
package/dist/svelte.js +91 -1
package/dist/svelte.js.map +1 -1
package/dist/svelte.mjs +91 -1
package/dist/svelte.mjs.map +1 -1
package/dist/{types-FE9ewl3r.d.mts → types-DBF83o_W.d.mts} +41 -1
package/dist/{types-FE9ewl3r.d.ts → types-DBF83o_W.d.ts} +41 -1
package/dist/vue.d.mts +2 -2
package/dist/vue.d.ts +2 -2
package/dist/vue.js +91 -1
package/dist/vue.js.map +1 -1
package/dist/vue.mjs +91 -1
package/dist/vue.mjs.map +1 -1
package/package.json +15 -14

package/dist/cli/index.mjs CHANGED Viewed

File without changes

package/dist/{client-D4hDL-PR.d.ts → client-BdeVsDdi.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as EventCallback } from './types-FE9ewl3r.js';
+import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-DBF83o_W.mjs';
 import { SqliteRemoteDatabase } from 'drizzle-orm/sqlite-proxy';
 declare class StorageAPI {
@@ -185,6 +185,7 @@ declare class HaexVaultClient {
     private config;
     private pendingRequests;
     private eventListeners;
+    private externalRequestHandlers;
     private messageHandler;
     private initialized;
     private requestCounter;
@@ -280,6 +281,31 @@ declare class HaexVaultClient {
     requestDatabasePermission(request: DatabasePermissionRequest): Promise<PermissionResponse>;
     checkDatabasePermission(resource: string, operation: "read" | "write"): Promise<boolean>;
     respondToSearch(requestId: string, results: SearchResult[]): Promise<void>;
+    /**
+     * Register a handler for external requests (from browser extensions, CLI, servers, etc.)
+     *
+     * @param action - The action/method name to handle (e.g., "get-logins", "get-totp")
+     * @param handler - Function that processes the request and returns a response
+     * @returns Unsubscribe function to remove the handler
+     *
+     * @example
+     * ```typescript
+     * client.onExternalRequest("get-logins", async (request) => {
+     *   const entries = await getMatchingEntries(request.payload.url);
+     *   return {
+     *     requestId: request.requestId,
+     *     success: true,
+     *     data: { entries }
+     *   };
+     * });
+     * ```
+     */
+    onExternalRequest(action: string, handler: ExternalRequestHandler): () => void;
+    /**
+     * Send a response to an external request back to haex-vault
+     * This is called internally after a handler processes a request
+     */
+    respondToExternalRequest(response: ExternalResponse): Promise<void>;
     request<T = unknown>(method: string, params?: Record<string, unknown>): Promise<T>;
     private postMessage;
     private invoke;
@@ -289,6 +315,7 @@ declare class HaexVaultClient {
     private init;
     private handleMessage;
     private handleEvent;
+    private handleExternalRequest;
     private emitEvent;
     private generateRequestId;
     private validatePublicKey;

package/dist/{client-BIiJwbdW.d.mts → client-Ctv_qXuk.d.ts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as EventCallback } from './types-FE9ewl3r.mjs';
+import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-DBF83o_W.js';
 import { SqliteRemoteDatabase } from 'drizzle-orm/sqlite-proxy';
 declare class StorageAPI {
@@ -185,6 +185,7 @@ declare class HaexVaultClient {
     private config;
     private pendingRequests;
     private eventListeners;
+    private externalRequestHandlers;
     private messageHandler;
     private initialized;
     private requestCounter;
@@ -280,6 +281,31 @@ declare class HaexVaultClient {
     requestDatabasePermission(request: DatabasePermissionRequest): Promise<PermissionResponse>;
     checkDatabasePermission(resource: string, operation: "read" | "write"): Promise<boolean>;
     respondToSearch(requestId: string, results: SearchResult[]): Promise<void>;
+    /**
+     * Register a handler for external requests (from browser extensions, CLI, servers, etc.)
+     *
+     * @param action - The action/method name to handle (e.g., "get-logins", "get-totp")
+     * @param handler - Function that processes the request and returns a response
+     * @returns Unsubscribe function to remove the handler
+     *
+     * @example
+     * ```typescript
+     * client.onExternalRequest("get-logins", async (request) => {
+     *   const entries = await getMatchingEntries(request.payload.url);
+     *   return {
+     *     requestId: request.requestId,
+     *     success: true,
+     *     data: { entries }
+     *   };
+     * });
+     * ```
+     */
+    onExternalRequest(action: string, handler: ExternalRequestHandler): () => void;
+    /**
+     * Send a response to an external request back to haex-vault
+     * This is called internally after a handler processes a request
+     */
+    respondToExternalRequest(response: ExternalResponse): Promise<void>;
     request<T = unknown>(method: string, params?: Record<string, unknown>): Promise<T>;
     private postMessage;
     private invoke;
@@ -289,6 +315,7 @@ declare class HaexVaultClient {
     private init;
     private handleMessage;
     private handleEvent;
+    private handleExternalRequest;
     private emitEvent;
     private generateRequestId;
     private validatePublicKey;

package/dist/index.d.mts CHANGED Viewed

@@ -1,7 +1,7 @@
-import { H as HaexVaultClient } from './client-BIiJwbdW.mjs';
-export { D as DatabaseAPI, F as FilesystemAPI, P as PermissionsAPI, W as WebAPI } from './client-BIiJwbdW.mjs';
-import { E as ExtensionManifest, H as HaexHubConfig } from './types-FE9ewl3r.mjs';
-export { A as ApplicationContext, C as ContextChangedEvent, r as DEFAULT_TIMEOUT, m as DatabaseColumnInfo, k as DatabaseExecuteParams, i as DatabasePermission, d as DatabasePermissionRequest, j as DatabaseQueryParams, D as DatabaseQueryResult, l as DatabaseTableInfo, q as ErrorCode, e as EventCallback, a as ExtensionInfo, u as HAEXTENSION_EVENTS, t as HaexHubError, h as HaexHubEvent, f as HaexHubRequest, g as HaexHubResponse, v as HaextensionEvent, P as PermissionResponse, p as PermissionStatus, n as SearchQuery, o as SearchRequestEvent, S as SearchResult, T as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, s as getTableName } from './types-FE9ewl3r.mjs';
+import { H as HaexVaultClient } from './client-BdeVsDdi.mjs';
+export { D as DatabaseAPI, F as FilesystemAPI, P as PermissionsAPI, W as WebAPI } from './client-BdeVsDdi.mjs';
+import { E as ExtensionManifest, H as HaexHubConfig } from './types-DBF83o_W.mjs';
+export { A as ApplicationContext, C as ContextChangedEvent, v as DEFAULT_TIMEOUT, o as DatabaseColumnInfo, m as DatabaseExecuteParams, k as DatabasePermission, d as DatabasePermissionRequest, l as DatabaseQueryParams, D as DatabaseQueryResult, n as DatabaseTableInfo, u as ErrorCode, g as EventCallback, a as ExtensionInfo, s as ExternalRequest, r as ExternalRequestEvent, e as ExternalRequestHandler, f as ExternalResponse, y as HAEXTENSION_EVENTS, x as HaexHubError, j as HaexHubEvent, h as HaexHubRequest, i as HaexHubResponse, z as HaextensionEvent, P as PermissionResponse, t as PermissionStatus, p as SearchQuery, q as SearchRequestEvent, S as SearchResult, T as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, w as getTableName } from './types-DBF83o_W.mjs';
 export { H as HaextensionConfig } from './config-D_HXjsEV.mjs';
 import 'drizzle-orm/sqlite-proxy';
@@ -190,6 +190,67 @@ declare function hexToBytes(hex: string): ArrayBuffer;
  */
 declare function verifyExtensionSignature(files: ZipFileEntry[], manifest: ExtensionManifest): Promise<VerifyResult>;
+/**
+ * Crypto utilities for Vault Key Management
+ * Implements PBKDF2 + AES-GCM encryption/decryption
+ *
+ * Used for:
+ * - Encrypting/decrypting vault names with server password
+ * - Encrypting/decrypting vault keys with vault password
+ * - Encrypting/decrypting CRDT data with vault key
+ */
+/**
+ * Derives a cryptographic key from a password using PBKDF2
+ */
+declare function deriveKeyFromPassword(password: string, salt: Uint8Array): Promise<CryptoKey>;
+/**
+ * Generates a random vault key (32 bytes)
+ */
+declare function generateVaultKey(): Uint8Array;
+/**
+ * Encrypts a string (like vault name) with a password-derived key
+ * Returns: { encryptedData, nonce } as Base64 strings
+ */
+declare function encryptString(data: string, derivedKey: CryptoKey): Promise<{
+    encryptedData: string;
+    nonce: string;
+}>;
+/**
+ * Decrypts a string (like vault name) with a password-derived key
+ */
+declare function decryptString(encryptedData: string, nonce: string, derivedKey: CryptoKey): Promise<string>;
+/**
+ * Encrypts the vault key with a password-derived key
+ * Returns: { encryptedVaultKey, salt, vaultKeyNonce } all as Base64 strings
+ */
+declare function encryptVaultKey(vaultKey: Uint8Array, password: string): Promise<{
+    encryptedVaultKey: string;
+    salt: string;
+    vaultKeyNonce: string;
+}>;
+/**
+ * Decrypts the vault key using the password
+ */
+declare function decryptVaultKey(encryptedVaultKey: string, salt: string, vaultKeyNonce: string, password: string): Promise<Uint8Array>;
+/**
+ * Decrypts a vault name using the server password
+ * Convenience function that combines key derivation and decryption
+ */
+declare function decryptVaultName(encryptedVaultName: string, vaultNameNonce: string, vaultNameSalt: string, password: string): Promise<string>;
+/**
+ * Encrypts CRDT log data with the vault key
+ */
+declare function encryptCrdtData(data: object, vaultKey: Uint8Array): Promise<{
+    encryptedData: string;
+    nonce: string;
+}>;
+/**
+ * Decrypts CRDT log data with the vault key
+ */
+declare function decryptCrdtData<T = object>(encryptedData: string, nonce: string, vaultKey: Uint8Array): Promise<T>;
+declare function arrayBufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
+declare function base64ToArrayBuffer(base64: string): Uint8Array;
 declare function createHaexVaultClient(config?: HaexHubConfig): HaexVaultClient;
-export { ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HAEXTENSION_METHODS, HaexHubConfig, HaexVaultClient, type HaexspaceMessageType, type HaextensionMethod, type VerifyResult, type ZipFileEntry, createHaexVaultClient, hexToBytes, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, sortObjectKeysRecursively, verifyExtensionSignature };
+export { ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HAEXTENSION_METHODS, HaexHubConfig, HaexVaultClient, type HaexspaceMessageType, type HaextensionMethod, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultClient, decryptCrdtData, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptString, encryptVaultKey, generateVaultKey, hexToBytes, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, sortObjectKeysRecursively, verifyExtensionSignature };

package/dist/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
-import { H as HaexVaultClient } from './client-D4hDL-PR.js';
-export { D as DatabaseAPI, F as FilesystemAPI, P as PermissionsAPI, W as WebAPI } from './client-D4hDL-PR.js';
-import { E as ExtensionManifest, H as HaexHubConfig } from './types-FE9ewl3r.js';
-export { A as ApplicationContext, C as ContextChangedEvent, r as DEFAULT_TIMEOUT, m as DatabaseColumnInfo, k as DatabaseExecuteParams, i as DatabasePermission, d as DatabasePermissionRequest, j as DatabaseQueryParams, D as DatabaseQueryResult, l as DatabaseTableInfo, q as ErrorCode, e as EventCallback, a as ExtensionInfo, u as HAEXTENSION_EVENTS, t as HaexHubError, h as HaexHubEvent, f as HaexHubRequest, g as HaexHubResponse, v as HaextensionEvent, P as PermissionResponse, p as PermissionStatus, n as SearchQuery, o as SearchRequestEvent, S as SearchResult, T as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, s as getTableName } from './types-FE9ewl3r.js';
+import { H as HaexVaultClient } from './client-Ctv_qXuk.js';
+export { D as DatabaseAPI, F as FilesystemAPI, P as PermissionsAPI, W as WebAPI } from './client-Ctv_qXuk.js';
+import { E as ExtensionManifest, H as HaexHubConfig } from './types-DBF83o_W.js';
+export { A as ApplicationContext, C as ContextChangedEvent, v as DEFAULT_TIMEOUT, o as DatabaseColumnInfo, m as DatabaseExecuteParams, k as DatabasePermission, d as DatabasePermissionRequest, l as DatabaseQueryParams, D as DatabaseQueryResult, n as DatabaseTableInfo, u as ErrorCode, g as EventCallback, a as ExtensionInfo, s as ExternalRequest, r as ExternalRequestEvent, e as ExternalRequestHandler, f as ExternalResponse, y as HAEXTENSION_EVENTS, x as HaexHubError, j as HaexHubEvent, h as HaexHubRequest, i as HaexHubResponse, z as HaextensionEvent, P as PermissionResponse, t as PermissionStatus, p as SearchQuery, q as SearchRequestEvent, S as SearchResult, T as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, w as getTableName } from './types-DBF83o_W.js';
 export { H as HaextensionConfig } from './config-D_HXjsEV.js';
 import 'drizzle-orm/sqlite-proxy';
@@ -190,6 +190,67 @@ declare function hexToBytes(hex: string): ArrayBuffer;
  */
 declare function verifyExtensionSignature(files: ZipFileEntry[], manifest: ExtensionManifest): Promise<VerifyResult>;
+/**
+ * Crypto utilities for Vault Key Management
+ * Implements PBKDF2 + AES-GCM encryption/decryption
+ *
+ * Used for:
+ * - Encrypting/decrypting vault names with server password
+ * - Encrypting/decrypting vault keys with vault password
+ * - Encrypting/decrypting CRDT data with vault key
+ */
+/**
+ * Derives a cryptographic key from a password using PBKDF2
+ */
+declare function deriveKeyFromPassword(password: string, salt: Uint8Array): Promise<CryptoKey>;
+/**
+ * Generates a random vault key (32 bytes)
+ */
+declare function generateVaultKey(): Uint8Array;
+/**
+ * Encrypts a string (like vault name) with a password-derived key
+ * Returns: { encryptedData, nonce } as Base64 strings
+ */
+declare function encryptString(data: string, derivedKey: CryptoKey): Promise<{
+    encryptedData: string;
+    nonce: string;
+}>;
+/**
+ * Decrypts a string (like vault name) with a password-derived key
+ */
+declare function decryptString(encryptedData: string, nonce: string, derivedKey: CryptoKey): Promise<string>;
+/**
+ * Encrypts the vault key with a password-derived key
+ * Returns: { encryptedVaultKey, salt, vaultKeyNonce } all as Base64 strings
+ */
+declare function encryptVaultKey(vaultKey: Uint8Array, password: string): Promise<{
+    encryptedVaultKey: string;
+    salt: string;
+    vaultKeyNonce: string;
+}>;
+/**
+ * Decrypts the vault key using the password
+ */
+declare function decryptVaultKey(encryptedVaultKey: string, salt: string, vaultKeyNonce: string, password: string): Promise<Uint8Array>;
+/**
+ * Decrypts a vault name using the server password
+ * Convenience function that combines key derivation and decryption
+ */
+declare function decryptVaultName(encryptedVaultName: string, vaultNameNonce: string, vaultNameSalt: string, password: string): Promise<string>;
+/**
+ * Encrypts CRDT log data with the vault key
+ */
+declare function encryptCrdtData(data: object, vaultKey: Uint8Array): Promise<{
+    encryptedData: string;
+    nonce: string;
+}>;
+/**
+ * Decrypts CRDT log data with the vault key
+ */
+declare function decryptCrdtData<T = object>(encryptedData: string, nonce: string, vaultKey: Uint8Array): Promise<T>;
+declare function arrayBufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
+declare function base64ToArrayBuffer(base64: string): Uint8Array;
 declare function createHaexVaultClient(config?: HaexHubConfig): HaexVaultClient;
-export { ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HAEXTENSION_METHODS, HaexHubConfig, HaexVaultClient, type HaexspaceMessageType, type HaextensionMethod, type VerifyResult, type ZipFileEntry, createHaexVaultClient, hexToBytes, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, sortObjectKeysRecursively, verifyExtensionSignature };
+export { ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HAEXTENSION_METHODS, HaexHubConfig, HaexVaultClient, type HaexspaceMessageType, type HaextensionMethod, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultClient, decryptCrdtData, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptString, encryptVaultKey, generateVaultKey, hexToBytes, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, sortObjectKeysRecursively, verifyExtensionSignature };

package/dist/index.js CHANGED Viewed

@@ -375,7 +375,9 @@ var HAEXTENSION_EVENTS = {
   /** Context (theme, locale, platform) has changed */
   CONTEXT_CHANGED: "haextension:context:changed",
   /** Search request from HaexHub */
-  SEARCH_REQUEST: "haextension:search:request"
+  SEARCH_REQUEST: "haextension:search:request",
+  /** External request from authorized client (browser extension, CLI, server, etc.) */
+  EXTERNAL_REQUEST: "haextension:external:request"
 };
 // src/methods.ts
@@ -818,6 +820,7 @@ var HaexVaultClient = class {
   constructor(config = {}) {
     this.pendingRequests = /* @__PURE__ */ new Map();
     this.eventListeners = /* @__PURE__ */ new Map();
+    this.externalRequestHandlers = /* @__PURE__ */ new Map();
     this.messageHandler = null;
     this.initialized = false;
     this.requestCounter = 0;
@@ -1080,6 +1083,40 @@ var HaexVaultClient = class {
       results
     });
   }
+  /**
+   * Register a handler for external requests (from browser extensions, CLI, servers, etc.)
+   *
+   * @param action - The action/method name to handle (e.g., "get-logins", "get-totp")
+   * @param handler - Function that processes the request and returns a response
+   * @returns Unsubscribe function to remove the handler
+   *
+   * @example
+   * ```typescript
+   * client.onExternalRequest("get-logins", async (request) => {
+   *   const entries = await getMatchingEntries(request.payload.url);
+   *   return {
+   *     requestId: request.requestId,
+   *     success: true,
+   *     data: { entries }
+   *   };
+   * });
+   * ```
+   */
+  onExternalRequest(action, handler) {
+    this.externalRequestHandlers.set(action, handler);
+    this.log(`[ExternalRequest] Registered handler for action: ${action}`);
+    return () => {
+      this.externalRequestHandlers.delete(action);
+      this.log(`[ExternalRequest] Unregistered handler for action: ${action}`);
+    };
+  }
+  /**
+   * Send a response to an external request back to haex-vault
+   * This is called internally after a handler processes a request
+   */
+  async respondToExternalRequest(response) {
+    await this.request("external.respond", response);
+  }
   async request(method, params = {}) {
     if (this.isNativeWindow && typeof window.__TAURI__ !== "undefined") {
       return this.invoke(method, params);
@@ -1177,6 +1214,13 @@ var HaexVaultClient = class {
           extensionVersion: params.extensionVersion,
           migrations: params.migrations
         });
+      case "external.respond":
+        return invoke("webview_extension_external_respond", {
+          requestId: params.requestId,
+          success: params.success,
+          data: params.data,
+          error: params.error
+        });
       default:
         throw new HaexHubError(
           "METHOD_NOT_FOUND" /* METHOD_NOT_FOUND */,
@@ -1245,6 +1289,22 @@ var HaexVaultClient = class {
             console.error("[HaexSpace SDK] Failed to setup context change listener:", error);
             this.log("Failed to setup context change listener:", error);
           }
+          try {
+            await listen(HAEXTENSION_EVENTS.EXTERNAL_REQUEST, (event) => {
+              this.log("Received external request event:", event);
+              if (event.payload) {
+                this.handleEvent({
+                  type: HAEXTENSION_EVENTS.EXTERNAL_REQUEST,
+                  data: event.payload,
+                  timestamp: Date.now()
+                });
+              }
+            });
+            console.log("[HaexSpace SDK] External request listener registered successfully");
+          } catch (error) {
+            console.error("[HaexSpace SDK] Failed to setup external request listener:", error);
+            this.log("Failed to setup external request listener:", error);
+          }
           this.resolveReady();
           return;
         }
@@ -1366,8 +1426,38 @@ postMessage error: ${e}`);
       this.log("Context updated:", this._context);
       this.notifySubscribers();
     }
+    if (event.type === HAEXTENSION_EVENTS.EXTERNAL_REQUEST) {
+      const externalEvent = event;
+      this.handleExternalRequest(externalEvent.data);
+      return;
+    }
     this.emitEvent(event);
   }
+  async handleExternalRequest(request) {
+    this.log(`[ExternalRequest] Received request: ${request.action} from ${request.publicKey.substring(0, 20)}...`);
+    const handler = this.externalRequestHandlers.get(request.action);
+    if (!handler) {
+      this.log(`[ExternalRequest] No handler for action: ${request.action}`);
+      await this.respondToExternalRequest({
+        requestId: request.requestId,
+        success: false,
+        error: `No handler registered for action: ${request.action}`
+      });
+      return;
+    }
+    try {
+      const response = await handler(request);
+      await this.respondToExternalRequest(response);
+      this.log(`[ExternalRequest] Response sent for: ${request.action}`);
+    } catch (error) {
+      this.log(`[ExternalRequest] Handler error:`, error);
+      await this.respondToExternalRequest({
+        requestId: request.requestId,
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      });
+    }
+  }
   emitEvent(event) {
     this.log("Event received:", event);
     const listeners = this.eventListeners.get(event.type);
@@ -1528,6 +1618,188 @@ async function verifyExtensionSignature(files, manifest) {
   }
 }
+// src/crypto/vaultKey.ts
+var PBKDF2_ITERATIONS = 6e5;
+var KEY_LENGTH = 256;
+var ALGORITHM = "AES-GCM";
+async function deriveKeyFromPassword(password, salt) {
+  const encoder = new TextEncoder();
+  const passwordBuffer = encoder.encode(password);
+  const saltBuffer = new Uint8Array(salt);
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    passwordBuffer,
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return await crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt: saltBuffer,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: ALGORITHM, length: KEY_LENGTH },
+    false,
+    // not extractable
+    ["encrypt", "decrypt"]
+  );
+}
+function generateVaultKey() {
+  return crypto.getRandomValues(new Uint8Array(32));
+}
+async function encryptString(data, derivedKey) {
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const encoder = new TextEncoder();
+  const dataBuffer = encoder.encode(data);
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    {
+      name: ALGORITHM,
+      iv: nonce
+    },
+    derivedKey,
+    dataBuffer
+  );
+  return {
+    encryptedData: arrayBufferToBase64(encryptedBuffer),
+    nonce: arrayBufferToBase64(nonce)
+  };
+}
+async function decryptString(encryptedData, nonce, derivedKey) {
+  const encryptedBuffer = base64ToArrayBuffer(encryptedData);
+  const nonceBuffer = base64ToArrayBuffer(nonce);
+  const encryptedDataBuffer = new Uint8Array(encryptedBuffer);
+  const iv = new Uint8Array(nonceBuffer);
+  const decryptedBuffer = await crypto.subtle.decrypt(
+    {
+      name: ALGORITHM,
+      iv
+    },
+    derivedKey,
+    encryptedDataBuffer
+  );
+  const decoder = new TextDecoder();
+  return decoder.decode(decryptedBuffer);
+}
+async function encryptVaultKey(vaultKey, password) {
+  const salt = crypto.getRandomValues(new Uint8Array(32));
+  const derivedKey = await deriveKeyFromPassword(password, salt);
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const vaultKeyBuffer = new Uint8Array(vaultKey);
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    {
+      name: ALGORITHM,
+      iv: nonce
+    },
+    derivedKey,
+    vaultKeyBuffer
+  );
+  return {
+    encryptedVaultKey: arrayBufferToBase64(encryptedBuffer),
+    salt: arrayBufferToBase64(salt),
+    vaultKeyNonce: arrayBufferToBase64(nonce)
+  };
+}
+async function decryptVaultKey(encryptedVaultKey, salt, vaultKeyNonce, password) {
+  const encryptedBuffer = base64ToArrayBuffer(encryptedVaultKey);
+  const saltBuffer = base64ToArrayBuffer(salt);
+  const nonceBuffer = base64ToArrayBuffer(vaultKeyNonce);
+  const derivedKey = await deriveKeyFromPassword(password, saltBuffer);
+  const encryptedData = new Uint8Array(encryptedBuffer);
+  const iv = new Uint8Array(nonceBuffer);
+  const decryptedBuffer = await crypto.subtle.decrypt(
+    {
+      name: ALGORITHM,
+      iv
+    },
+    derivedKey,
+    encryptedData
+  );
+  return new Uint8Array(decryptedBuffer);
+}
+async function decryptVaultName(encryptedVaultName, vaultNameNonce, vaultNameSalt, password) {
+  const saltBuffer = base64ToArrayBuffer(vaultNameSalt);
+  const derivedKey = await deriveKeyFromPassword(password, saltBuffer);
+  return decryptString(encryptedVaultName, vaultNameNonce, derivedKey);
+}
+async function encryptCrdtData(data, vaultKey) {
+  const vaultKeyBuffer = new Uint8Array(vaultKey);
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    vaultKeyBuffer,
+    { name: ALGORITHM },
+    false,
+    ["encrypt"]
+  );
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const encoder = new TextEncoder();
+  const dataBuffer = encoder.encode(JSON.stringify(data));
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    {
+      name: ALGORITHM,
+      iv: nonce
+    },
+    cryptoKey,
+    dataBuffer
+  );
+  return {
+    encryptedData: arrayBufferToBase64(encryptedBuffer),
+    nonce: arrayBufferToBase64(nonce)
+  };
+}
+async function decryptCrdtData(encryptedData, nonce, vaultKey) {
+  const vaultKeyBuffer = new Uint8Array(vaultKey);
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    vaultKeyBuffer,
+    { name: ALGORITHM },
+    false,
+    ["decrypt"]
+  );
+  const encryptedBuffer = base64ToArrayBuffer(encryptedData);
+  const nonceBuffer = base64ToArrayBuffer(nonce);
+  const encryptedDataBuffer = new Uint8Array(encryptedBuffer);
+  const iv = new Uint8Array(nonceBuffer);
+  const decryptedBuffer = await crypto.subtle.decrypt(
+    {
+      name: ALGORITHM,
+      iv
+    },
+    cryptoKey,
+    encryptedDataBuffer
+  );
+  const decoder = new TextDecoder();
+  const jsonString = decoder.decode(decryptedBuffer);
+  return JSON.parse(jsonString);
+}
+function arrayBufferToBase64(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    const byte = bytes[i];
+    if (byte !== void 0) {
+      binary += String.fromCharCode(byte);
+    }
+  }
+  return btoa(binary);
+}
+function base64ToArrayBuffer(base64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  }
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
 // src/index.ts
 function createHaexVaultClient(config = {}) {
   return new HaexVaultClient(config);
@@ -1546,7 +1818,18 @@ exports.PermissionStatus = PermissionStatus;
 exports.PermissionsAPI = PermissionsAPI;
 exports.TABLE_SEPARATOR = TABLE_SEPARATOR;
 exports.WebAPI = WebAPI;
+exports.arrayBufferToBase64 = arrayBufferToBase64;
+exports.base64ToArrayBuffer = base64ToArrayBuffer;
 exports.createHaexVaultClient = createHaexVaultClient;
+exports.decryptCrdtData = decryptCrdtData;
+exports.decryptString = decryptString;
+exports.decryptVaultKey = decryptVaultKey;
+exports.decryptVaultName = decryptVaultName;
+exports.deriveKeyFromPassword = deriveKeyFromPassword;
+exports.encryptCrdtData = encryptCrdtData;
+exports.encryptString = encryptString;
+exports.encryptVaultKey = encryptVaultKey;
+exports.generateVaultKey = generateVaultKey;
 exports.getTableName = getTableName;
 exports.hexToBytes = hexToBytes;
 exports.installBaseTag = installBaseTag;