@haex-space/vault-sdk 2.5.106 → 2.5.108

package/dist/{client-CbYg_Bl8.d.mts → client-CBCjziWo.d.mts}

@@ -1,4 +1,4 @@
-import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-CORIMooS.mjs';
+import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-NWYbdRXr.mjs';
 import { SqliteRemoteDatabase } from 'drizzle-orm/sqlite-proxy';
 
 declare class StorageAPI {

package/dist/{client-0DvgO2Jf.d.ts → client-_FhZZse3.d.ts}

@@ -1,4 +1,4 @@
-import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-CORIMooS.js';
+import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-NWYbdRXr.js';
 import { SqliteRemoteDatabase } from 'drizzle-orm/sqlite-proxy';
 
 declare class StorageAPI {

package/dist/index.d.mts

@@ -1,7 +1,7 @@
-import { H as HaexVaultSdk } from './client-CbYg_Bl8.mjs';
-export { D as DatabaseAPI, a as Device, b as DeviceInfo, c as DeviceType, d as DirEntry, F as FileStat, e as FilesystemAPI, L as LOCALSEND_EVENTS, f as LocalSendAPI, g as LocalSendEvent, h as LocalSendFileInfo, i as LocalSendSettings, P as PendingTransfer, j as PermissionsAPI, A as RemoteAddBackendRequest, k as RemoteS3Config, l as RemoteS3PublicConfig, R as RemoteStorageAPI, m as RemoteStorageBackendInfo, n as RemoteStorageObjectInfo, U as RemoteUpdateBackendRequest, o as SelectFileOptions, p as SelectFolderOptions, q as ServerInfo, r as ServerStatus, T as TransferDirection, s as TransferProgress, t as TransferState, W as WebAPI } from './client-CbYg_Bl8.mjs';
-import { E as ExtensionManifest, H as HaexHubConfig } from './types-CORIMooS.mjs';
-export { A as ApplicationContext, h as AuthorizedClient, B as BlockedClient, C as ContextChangedEvent, i as DEFAULT_TIMEOUT, j as DatabaseColumnInfo, k as DatabaseExecuteParams, l as DatabasePermission, d as DatabasePermissionRequest, m as DatabaseQueryParams, D as DatabaseQueryResult, n as DatabaseTableInfo, o as EXTERNAL_EVENTS, p as ErrorCode, g as EventCallback, a as ExtensionInfo, q as ExtensionRuntimeMode, r as ExternalAuthDecision, s as ExternalConnection, t as ExternalConnectionErrorCode, u as ExternalConnectionState, v as ExternalEvent, w as ExternalRequest, x as ExternalRequestEvent, e as ExternalRequestHandler, y as ExternalRequestPayload, f as ExternalResponse, F as FileChangeEvent, z as FileChangePayload, G as FileChangeType, I as FilteredSyncTablesResult, J as HAEXTENSION_EVENTS, K as HaexHubEvent, L as HaexHubRequest, N as HaexHubResponse, O as HaexVaultSdkError, Q as HaextensionEvent, R as PendingAuthorization, T as PermissionDeniedError, U as PermissionErrorBase, V as PermissionErrorCode, X as PermissionPromptError, P as PermissionResponse, Y as PermissionStatus, Z as RequestedExtension, _ as SearchQuery, $ as SearchRequestEvent, S as SearchResult, a0 as SessionAuthorization, a1 as SyncTablesUpdatedEvent, a2 as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, a3 as canExternalClientSendRequests, a4 as getTableName, a5 as isExternalClientConnected, a6 as isPermissionDeniedError, a7 as isPermissionError, a8 as isPermissionPromptError } from './types-CORIMooS.mjs';
+import { H as HaexVaultSdk } from './client-CBCjziWo.mjs';
+export { D as DatabaseAPI, a as Device, b as DeviceInfo, c as DeviceType, d as DirEntry, F as FileStat, e as FilesystemAPI, L as LOCALSEND_EVENTS, f as LocalSendAPI, g as LocalSendEvent, h as LocalSendFileInfo, i as LocalSendSettings, P as PendingTransfer, j as PermissionsAPI, A as RemoteAddBackendRequest, k as RemoteS3Config, l as RemoteS3PublicConfig, R as RemoteStorageAPI, m as RemoteStorageBackendInfo, n as RemoteStorageObjectInfo, U as RemoteUpdateBackendRequest, o as SelectFileOptions, p as SelectFolderOptions, q as ServerInfo, r as ServerStatus, T as TransferDirection, s as TransferProgress, t as TransferState, W as WebAPI } from './client-CBCjziWo.mjs';
+import { h as SpaceRole, E as ExtensionManifest, H as HaexHubConfig } from './types-NWYbdRXr.mjs';
+export { A as ApplicationContext, i as AuthorizedClient, B as BlockedClient, C as ContextChangedEvent, j as DEFAULT_TIMEOUT, k as DatabaseColumnInfo, l as DatabaseExecuteParams, m as DatabasePermission, d as DatabasePermissionRequest, n as DatabaseQueryParams, D as DatabaseQueryResult, o as DatabaseTableInfo, p as EXTERNAL_EVENTS, q as ErrorCode, g as EventCallback, a as ExtensionInfo, r as ExtensionRuntimeMode, s as ExternalAuthDecision, t as ExternalConnection, u as ExternalConnectionErrorCode, v as ExternalConnectionState, w as ExternalEvent, x as ExternalRequest, y as ExternalRequestEvent, e as ExternalRequestHandler, z as ExternalRequestPayload, f as ExternalResponse, F as FileChangeEvent, G as FileChangePayload, I as FileChangeType, J as FilteredSyncTablesResult, K as HAEXTENSION_EVENTS, L as HaexHubEvent, N as HaexHubRequest, O as HaexHubResponse, Q as HaexVaultSdkError, R as HaextensionEvent, T as PendingAuthorization, U as PermissionDeniedError, V as PermissionErrorBase, X as PermissionErrorCode, Y as PermissionPromptError, P as PermissionResponse, Z as PermissionStatus, _ as RequestedExtension, $ as SearchQuery, a0 as SearchRequestEvent, S as SearchResult, a1 as SessionAuthorization, a2 as SharedSpace, a3 as SpaceAccessTokenInfo, a4 as SpaceInvite, a5 as SpaceKeyGrantInfo, a6 as SpaceMemberInfo, a7 as SyncTablesUpdatedEvent, a8 as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, a9 as canExternalClientSendRequests, aa as getTableName, ab as isExternalClientConnected, ac as isPermissionDeniedError, ad as isPermissionError, ae as isPermissionPromptError } from './types-NWYbdRXr.mjs';
 export { H as HaextensionConfig } from './config-D_HXjsEV.mjs';
 import 'drizzle-orm/sqlite-proxy';
 
@@ -88,6 +88,7 @@ declare function installPolyfills(): void;
  * Types for communicating with the haex-sync-server authentication endpoints.
  * Used by haex-vault and extensions that need to interact with the sync server.
  */
+
 /**
  * S3-compatible storage configuration provided by the sync server.
  *
@@ -187,6 +188,32 @@ interface ErrorResponse {
     /** Error message */
     error: string;
 }
+interface CreateSpaceRequest {
+    id: string;
+    encryptedName: string;
+    nameNonce: string;
+    keyGrant: {
+        encryptedSpaceKey: string;
+        keyNonce: string;
+        ephemeralPublicKey: string;
+    };
+}
+interface InviteMemberRequest {
+    userId: string;
+    role: SpaceRole;
+    keyGrant: {
+        encryptedSpaceKey: string;
+        keyNonce: string;
+        ephemeralPublicKey: string;
+        generation: number;
+    };
+}
+interface RegisterKeypairRequest {
+    publicKey: string;
+    encryptedPrivateKey: string;
+    privateKeyNonce: string;
+    privateKeySalt: string;
+}
 
 /**
  * Central message type definitions for HaexSpace SDK
@@ -666,7 +693,7 @@ declare function deriveKeyFromPassword(password: string, salt: Uint8Array): Prom
 /**
  * Generates a random vault key (32 bytes)
  */
-declare function generateVaultKey(): Uint8Array;
+declare function generateVaultKey(): Uint8Array<ArrayBuffer>;
 /**
  * Encrypts a string (like vault name) with a password-derived key
  * Returns: { encryptedData, nonce } as Base64 strings
@@ -720,7 +747,74 @@ declare function unwrapKey(wrappedKey: Uint8Array, wrappingKey: Uint8Array): Pro
  */
 declare function decryptCrdtData<T = object>(encryptedData: string, nonce: string, vaultKey: Uint8Array): Promise<T>;
 declare function arrayBufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
-declare function base64ToArrayBuffer(base64: string): Uint8Array;
+declare function base64ToArrayBuffer(base64: string): Uint8Array<ArrayBuffer>;
+
+declare const SIGNING_ALGO: {
+    name: string;
+    namedCurve: string;
+};
+declare const KEY_AGREEMENT_ALGO: {
+    name: string;
+    namedCurve: string;
+};
+interface UserKeypair {
+    publicKey: CryptoKey;
+    privateKey: CryptoKey;
+}
+interface ExportedUserKeypair {
+    publicKey: string;
+    privateKey: string;
+}
+declare function generateUserKeypairAsync(): Promise<UserKeypair>;
+declare function exportUserKeypairAsync(keypair: UserKeypair): Promise<ExportedUserKeypair>;
+declare function importUserPublicKeyAsync(base64: string): Promise<CryptoKey>;
+declare function importUserPrivateKeyAsync(base64: string): Promise<CryptoKey>;
+declare function importPublicKeyForKeyAgreementAsync(base64: string): Promise<CryptoKey>;
+declare function importPrivateKeyForKeyAgreementAsync(base64: string): Promise<CryptoKey>;
+declare function encryptPrivateKeyAsync(privateKeyBase64: string, password: string): Promise<{
+    encryptedPrivateKey: string;
+    nonce: string;
+    salt: string;
+}>;
+declare function decryptPrivateKeyAsync(encryptedPrivateKey: string, nonce: string, salt: string, password: string): Promise<string>;
+
+interface EncryptedSpaceKey {
+    encryptedSpaceKey: string;
+    keyNonce: string;
+    ephemeralPublicKey: string;
+}
+declare function generateSpaceKey(): Uint8Array<ArrayBuffer>;
+declare function encryptSpaceKeyForRecipientAsync(spaceKey: Uint8Array<ArrayBuffer>, recipientPublicKeyBase64: string): Promise<EncryptedSpaceKey>;
+declare function decryptSpaceKeyAsync(encrypted: EncryptedSpaceKey, ownPrivateKeyBase64: string): Promise<Uint8Array>;
+
+interface SignableRecord {
+    tableName: string;
+    rowPks: string;
+    columnName: string | null;
+    encryptedValue: string | null;
+    hlcTimestamp: string;
+}
+declare function signRecordAsync(record: SignableRecord, privateKeyBase64: string): Promise<string>;
+declare function verifyRecordSignatureAsync(record: SignableRecord, signatureBase64: string, publicKeyBase64: string): Promise<boolean>;
+/**
+ * Sign a space challenge to prove private key possession.
+ * Generates a fresh timestamp internally to prevent misuse.
+ *
+ * @returns signature (Base64) + timestamp (ISO 8601) to send as
+ *          X-Space-Signature / X-Space-Timestamp headers.
+ */
+declare function signSpaceChallengeAsync(spaceId: string, privateKeyBase64: string): Promise<{
+    signature: string;
+    timestamp: string;
+}>;
+/**
+ * Verify a space challenge signature (server-side).
+ * Checks both cryptographic validity and timestamp freshness (max 30s).
+ */
+declare function verifySpaceChallengeAsync(spaceId: string, timestamp: string, signatureBase64: string, publicKeyBase64: string): Promise<{
+    valid: boolean;
+    error?: string;
+}>;
 
 /**
  * Crypto utilities for WebAuthn/Passkey operations
@@ -796,4 +890,4 @@ declare function exportKeyPairAsync(keyPair: PasskeyKeyPair): Promise<ExportedPa
 
 declare function createHaexVaultSdk(config?: HaexHubConfig): HaexVaultSdk;
 
-export { type AuthUser, COSE_ALGORITHM, type CoseAlgorithm, type ExportedPasskeyKeyPair, ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HaexHubConfig, HaexVaultSdk, type HaexspaceMessageType, type PasskeyKeyPair, type StorageConfig, type ErrorResponse as SyncServerErrorResponse, type ServerInfo as SyncServerInfo, type LoginRequest as SyncServerLoginRequest, type LoginResponse as SyncServerLoginResponse, type RefreshRequest as SyncServerRefreshRequest, TAURI_COMMANDS, type TauriCommand, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultSdk, decryptCrdtData, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptString, encryptVaultKey, exportKeyPairAsync, exportPrivateKeyAsync, exportPublicKeyAsync, exportPublicKeyCoseAsync, generateCredentialId, generatePasskeyPairAsync, generateVaultKey, hexToBytes, importPrivateKeyAsync, importPublicKeyAsync, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, signWithPasskeyAsync, sortObjectKeysRecursively, unwrapKey, verifyExtensionSignature, verifyWithPasskeyAsync, wrapKey };
+export { type AuthUser, COSE_ALGORITHM, type CoseAlgorithm, type CreateSpaceRequest, type EncryptedSpaceKey, type ExportedPasskeyKeyPair, type ExportedUserKeypair, ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HaexHubConfig, HaexVaultSdk, type HaexspaceMessageType, type InviteMemberRequest, KEY_AGREEMENT_ALGO, type PasskeyKeyPair, type RegisterKeypairRequest, SIGNING_ALGO, type SignableRecord, SpaceRole, type StorageConfig, type ErrorResponse as SyncServerErrorResponse, type ServerInfo as SyncServerInfo, type LoginRequest as SyncServerLoginRequest, type LoginResponse as SyncServerLoginResponse, type RefreshRequest as SyncServerRefreshRequest, TAURI_COMMANDS, type TauriCommand, type UserKeypair, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultSdk, decryptCrdtData, decryptPrivateKeyAsync, decryptSpaceKeyAsync, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptPrivateKeyAsync, encryptSpaceKeyForRecipientAsync, encryptString, encryptVaultKey, exportKeyPairAsync, exportPrivateKeyAsync, exportPublicKeyAsync, exportPublicKeyCoseAsync, exportUserKeypairAsync, generateCredentialId, generatePasskeyPairAsync, generateSpaceKey, generateUserKeypairAsync, generateVaultKey, hexToBytes, importPrivateKeyAsync, importPrivateKeyForKeyAgreementAsync, importPublicKeyAsync, importPublicKeyForKeyAgreementAsync, importUserPrivateKeyAsync, importUserPublicKeyAsync, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, signRecordAsync, signSpaceChallengeAsync, signWithPasskeyAsync, sortObjectKeysRecursively, unwrapKey, verifyExtensionSignature, verifyRecordSignatureAsync, verifySpaceChallengeAsync, verifyWithPasskeyAsync, wrapKey };

package/dist/index.d.ts

@@ -1,7 +1,7 @@
-import { H as HaexVaultSdk } from './client-0DvgO2Jf.js';
-export { D as DatabaseAPI, a as Device, b as DeviceInfo, c as DeviceType, d as DirEntry, F as FileStat, e as FilesystemAPI, L as LOCALSEND_EVENTS, f as LocalSendAPI, g as LocalSendEvent, h as LocalSendFileInfo, i as LocalSendSettings, P as PendingTransfer, j as PermissionsAPI, A as RemoteAddBackendRequest, k as RemoteS3Config, l as RemoteS3PublicConfig, R as RemoteStorageAPI, m as RemoteStorageBackendInfo, n as RemoteStorageObjectInfo, U as RemoteUpdateBackendRequest, o as SelectFileOptions, p as SelectFolderOptions, q as ServerInfo, r as ServerStatus, T as TransferDirection, s as TransferProgress, t as TransferState, W as WebAPI } from './client-0DvgO2Jf.js';
-import { E as ExtensionManifest, H as HaexHubConfig } from './types-CORIMooS.js';
-export { A as ApplicationContext, h as AuthorizedClient, B as BlockedClient, C as ContextChangedEvent, i as DEFAULT_TIMEOUT, j as DatabaseColumnInfo, k as DatabaseExecuteParams, l as DatabasePermission, d as DatabasePermissionRequest, m as DatabaseQueryParams, D as DatabaseQueryResult, n as DatabaseTableInfo, o as EXTERNAL_EVENTS, p as ErrorCode, g as EventCallback, a as ExtensionInfo, q as ExtensionRuntimeMode, r as ExternalAuthDecision, s as ExternalConnection, t as ExternalConnectionErrorCode, u as ExternalConnectionState, v as ExternalEvent, w as ExternalRequest, x as ExternalRequestEvent, e as ExternalRequestHandler, y as ExternalRequestPayload, f as ExternalResponse, F as FileChangeEvent, z as FileChangePayload, G as FileChangeType, I as FilteredSyncTablesResult, J as HAEXTENSION_EVENTS, K as HaexHubEvent, L as HaexHubRequest, N as HaexHubResponse, O as HaexVaultSdkError, Q as HaextensionEvent, R as PendingAuthorization, T as PermissionDeniedError, U as PermissionErrorBase, V as PermissionErrorCode, X as PermissionPromptError, P as PermissionResponse, Y as PermissionStatus, Z as RequestedExtension, _ as SearchQuery, $ as SearchRequestEvent, S as SearchResult, a0 as SessionAuthorization, a1 as SyncTablesUpdatedEvent, a2 as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, a3 as canExternalClientSendRequests, a4 as getTableName, a5 as isExternalClientConnected, a6 as isPermissionDeniedError, a7 as isPermissionError, a8 as isPermissionPromptError } from './types-CORIMooS.js';
+import { H as HaexVaultSdk } from './client-_FhZZse3.js';
+export { D as DatabaseAPI, a as Device, b as DeviceInfo, c as DeviceType, d as DirEntry, F as FileStat, e as FilesystemAPI, L as LOCALSEND_EVENTS, f as LocalSendAPI, g as LocalSendEvent, h as LocalSendFileInfo, i as LocalSendSettings, P as PendingTransfer, j as PermissionsAPI, A as RemoteAddBackendRequest, k as RemoteS3Config, l as RemoteS3PublicConfig, R as RemoteStorageAPI, m as RemoteStorageBackendInfo, n as RemoteStorageObjectInfo, U as RemoteUpdateBackendRequest, o as SelectFileOptions, p as SelectFolderOptions, q as ServerInfo, r as ServerStatus, T as TransferDirection, s as TransferProgress, t as TransferState, W as WebAPI } from './client-_FhZZse3.js';
+import { h as SpaceRole, E as ExtensionManifest, H as HaexHubConfig } from './types-NWYbdRXr.js';
+export { A as ApplicationContext, i as AuthorizedClient, B as BlockedClient, C as ContextChangedEvent, j as DEFAULT_TIMEOUT, k as DatabaseColumnInfo, l as DatabaseExecuteParams, m as DatabasePermission, d as DatabasePermissionRequest, n as DatabaseQueryParams, D as DatabaseQueryResult, o as DatabaseTableInfo, p as EXTERNAL_EVENTS, q as ErrorCode, g as EventCallback, a as ExtensionInfo, r as ExtensionRuntimeMode, s as ExternalAuthDecision, t as ExternalConnection, u as ExternalConnectionErrorCode, v as ExternalConnectionState, w as ExternalEvent, x as ExternalRequest, y as ExternalRequestEvent, e as ExternalRequestHandler, z as ExternalRequestPayload, f as ExternalResponse, F as FileChangeEvent, G as FileChangePayload, I as FileChangeType, J as FilteredSyncTablesResult, K as HAEXTENSION_EVENTS, L as HaexHubEvent, N as HaexHubRequest, O as HaexHubResponse, Q as HaexVaultSdkError, R as HaextensionEvent, T as PendingAuthorization, U as PermissionDeniedError, V as PermissionErrorBase, X as PermissionErrorCode, Y as PermissionPromptError, P as PermissionResponse, Z as PermissionStatus, _ as RequestedExtension, $ as SearchQuery, a0 as SearchRequestEvent, S as SearchResult, a1 as SessionAuthorization, a2 as SharedSpace, a3 as SpaceAccessTokenInfo, a4 as SpaceInvite, a5 as SpaceKeyGrantInfo, a6 as SpaceMemberInfo, a7 as SyncTablesUpdatedEvent, a8 as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, a9 as canExternalClientSendRequests, aa as getTableName, ab as isExternalClientConnected, ac as isPermissionDeniedError, ad as isPermissionError, ae as isPermissionPromptError } from './types-NWYbdRXr.js';
 export { H as HaextensionConfig } from './config-D_HXjsEV.js';
 import 'drizzle-orm/sqlite-proxy';
 
@@ -88,6 +88,7 @@ declare function installPolyfills(): void;
  * Types for communicating with the haex-sync-server authentication endpoints.
  * Used by haex-vault and extensions that need to interact with the sync server.
  */
+
 /**
  * S3-compatible storage configuration provided by the sync server.
  *
@@ -187,6 +188,32 @@ interface ErrorResponse {
     /** Error message */
     error: string;
 }
+interface CreateSpaceRequest {
+    id: string;
+    encryptedName: string;
+    nameNonce: string;
+    keyGrant: {
+        encryptedSpaceKey: string;
+        keyNonce: string;
+        ephemeralPublicKey: string;
+    };
+}
+interface InviteMemberRequest {
+    userId: string;
+    role: SpaceRole;
+    keyGrant: {
+        encryptedSpaceKey: string;
+        keyNonce: string;
+        ephemeralPublicKey: string;
+        generation: number;
+    };
+}
+interface RegisterKeypairRequest {
+    publicKey: string;
+    encryptedPrivateKey: string;
+    privateKeyNonce: string;
+    privateKeySalt: string;
+}
 
 /**
  * Central message type definitions for HaexSpace SDK
@@ -666,7 +693,7 @@ declare function deriveKeyFromPassword(password: string, salt: Uint8Array): Prom
 /**
  * Generates a random vault key (32 bytes)
  */
-declare function generateVaultKey(): Uint8Array;
+declare function generateVaultKey(): Uint8Array<ArrayBuffer>;
 /**
  * Encrypts a string (like vault name) with a password-derived key
  * Returns: { encryptedData, nonce } as Base64 strings
@@ -720,7 +747,74 @@ declare function unwrapKey(wrappedKey: Uint8Array, wrappingKey: Uint8Array): Pro
  */
 declare function decryptCrdtData<T = object>(encryptedData: string, nonce: string, vaultKey: Uint8Array): Promise<T>;
 declare function arrayBufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
-declare function base64ToArrayBuffer(base64: string): Uint8Array;
+declare function base64ToArrayBuffer(base64: string): Uint8Array<ArrayBuffer>;
+
+declare const SIGNING_ALGO: {
+    name: string;
+    namedCurve: string;
+};
+declare const KEY_AGREEMENT_ALGO: {
+    name: string;
+    namedCurve: string;
+};
+interface UserKeypair {
+    publicKey: CryptoKey;
+    privateKey: CryptoKey;
+}
+interface ExportedUserKeypair {
+    publicKey: string;
+    privateKey: string;
+}
+declare function generateUserKeypairAsync(): Promise<UserKeypair>;
+declare function exportUserKeypairAsync(keypair: UserKeypair): Promise<ExportedUserKeypair>;
+declare function importUserPublicKeyAsync(base64: string): Promise<CryptoKey>;
+declare function importUserPrivateKeyAsync(base64: string): Promise<CryptoKey>;
+declare function importPublicKeyForKeyAgreementAsync(base64: string): Promise<CryptoKey>;
+declare function importPrivateKeyForKeyAgreementAsync(base64: string): Promise<CryptoKey>;
+declare function encryptPrivateKeyAsync(privateKeyBase64: string, password: string): Promise<{
+    encryptedPrivateKey: string;
+    nonce: string;
+    salt: string;
+}>;
+declare function decryptPrivateKeyAsync(encryptedPrivateKey: string, nonce: string, salt: string, password: string): Promise<string>;
+
+interface EncryptedSpaceKey {
+    encryptedSpaceKey: string;
+    keyNonce: string;
+    ephemeralPublicKey: string;
+}
+declare function generateSpaceKey(): Uint8Array<ArrayBuffer>;
+declare function encryptSpaceKeyForRecipientAsync(spaceKey: Uint8Array<ArrayBuffer>, recipientPublicKeyBase64: string): Promise<EncryptedSpaceKey>;
+declare function decryptSpaceKeyAsync(encrypted: EncryptedSpaceKey, ownPrivateKeyBase64: string): Promise<Uint8Array>;
+
+interface SignableRecord {
+    tableName: string;
+    rowPks: string;
+    columnName: string | null;
+    encryptedValue: string | null;
+    hlcTimestamp: string;
+}
+declare function signRecordAsync(record: SignableRecord, privateKeyBase64: string): Promise<string>;
+declare function verifyRecordSignatureAsync(record: SignableRecord, signatureBase64: string, publicKeyBase64: string): Promise<boolean>;
+/**
+ * Sign a space challenge to prove private key possession.
+ * Generates a fresh timestamp internally to prevent misuse.
+ *
+ * @returns signature (Base64) + timestamp (ISO 8601) to send as
+ *          X-Space-Signature / X-Space-Timestamp headers.
+ */
+declare function signSpaceChallengeAsync(spaceId: string, privateKeyBase64: string): Promise<{
+    signature: string;
+    timestamp: string;
+}>;
+/**
+ * Verify a space challenge signature (server-side).
+ * Checks both cryptographic validity and timestamp freshness (max 30s).
+ */
+declare function verifySpaceChallengeAsync(spaceId: string, timestamp: string, signatureBase64: string, publicKeyBase64: string): Promise<{
+    valid: boolean;
+    error?: string;
+}>;
 
 /**
  * Crypto utilities for WebAuthn/Passkey operations
@@ -796,4 +890,4 @@ declare function exportKeyPairAsync(keyPair: PasskeyKeyPair): Promise<ExportedPa
 
 declare function createHaexVaultSdk(config?: HaexHubConfig): HaexVaultSdk;
 
-export { type AuthUser, COSE_ALGORITHM, type CoseAlgorithm, type ExportedPasskeyKeyPair, ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HaexHubConfig, HaexVaultSdk, type HaexspaceMessageType, type PasskeyKeyPair, type StorageConfig, type ErrorResponse as SyncServerErrorResponse, type ServerInfo as SyncServerInfo, type LoginRequest as SyncServerLoginRequest, type LoginResponse as SyncServerLoginResponse, type RefreshRequest as SyncServerRefreshRequest, TAURI_COMMANDS, type TauriCommand, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultSdk, decryptCrdtData, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptString, encryptVaultKey, exportKeyPairAsync, exportPrivateKeyAsync, exportPublicKeyAsync, exportPublicKeyCoseAsync, generateCredentialId, generatePasskeyPairAsync, generateVaultKey, hexToBytes, importPrivateKeyAsync, importPublicKeyAsync, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, signWithPasskeyAsync, sortObjectKeysRecursively, unwrapKey, verifyExtensionSignature, verifyWithPasskeyAsync, wrapKey };
+export { type AuthUser, COSE_ALGORITHM, type CoseAlgorithm, type CreateSpaceRequest, type EncryptedSpaceKey, type ExportedPasskeyKeyPair, type ExportedUserKeypair, ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HaexHubConfig, HaexVaultSdk, type HaexspaceMessageType, type InviteMemberRequest, KEY_AGREEMENT_ALGO, type PasskeyKeyPair, type RegisterKeypairRequest, SIGNING_ALGO, type SignableRecord, SpaceRole, type StorageConfig, type ErrorResponse as SyncServerErrorResponse, type ServerInfo as SyncServerInfo, type LoginRequest as SyncServerLoginRequest, type LoginResponse as SyncServerLoginResponse, type RefreshRequest as SyncServerRefreshRequest, TAURI_COMMANDS, type TauriCommand, type UserKeypair, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultSdk, decryptCrdtData, decryptPrivateKeyAsync, decryptSpaceKeyAsync, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptPrivateKeyAsync, encryptSpaceKeyForRecipientAsync, encryptString, encryptVaultKey, exportKeyPairAsync, exportPrivateKeyAsync, exportPublicKeyAsync, exportPublicKeyCoseAsync, exportUserKeypairAsync, generateCredentialId, generatePasskeyPairAsync, generateSpaceKey, generateUserKeypairAsync, generateVaultKey, hexToBytes, importPrivateKeyAsync, importPrivateKeyForKeyAgreementAsync, importPublicKeyAsync, importPublicKeyForKeyAgreementAsync, importUserPrivateKeyAsync, importUserPublicKeyAsync, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, signRecordAsync, signSpaceChallengeAsync, signWithPasskeyAsync, sortObjectKeysRecursively, unwrapKey, verifyExtensionSignature, verifyRecordSignatureAsync, verifySpaceChallengeAsync, verifyWithPasskeyAsync, wrapKey };

package/dist/index.js

@@ -2744,6 +2744,184 @@ async function verifyExtensionSignature(files, manifest) {
   }
 }
 
+// src/crypto/userKeypair.ts
+var SIGNING_ALGO = { name: "ECDSA", namedCurve: "P-256" };
+var KEY_AGREEMENT_ALGO = { name: "ECDH", namedCurve: "P-256" };
+async function generateUserKeypairAsync() {
+  const keypair = await crypto.subtle.generateKey(SIGNING_ALGO, true, ["sign", "verify"]);
+  return { publicKey: keypair.publicKey, privateKey: keypair.privateKey };
+}
+async function exportUserKeypairAsync(keypair) {
+  const pub = await crypto.subtle.exportKey("spki", keypair.publicKey);
+  const priv = await crypto.subtle.exportKey("pkcs8", keypair.privateKey);
+  return { publicKey: arrayBufferToBase64(pub), privateKey: arrayBufferToBase64(priv) };
+}
+async function importUserPublicKeyAsync(base64) {
+  return crypto.subtle.importKey("spki", base64ToArrayBuffer(base64), SIGNING_ALGO, true, ["verify"]);
+}
+async function importUserPrivateKeyAsync(base64) {
+  return crypto.subtle.importKey("pkcs8", base64ToArrayBuffer(base64), SIGNING_ALGO, true, ["sign"]);
+}
+async function importPublicKeyForKeyAgreementAsync(base64) {
+  return crypto.subtle.importKey("spki", base64ToArrayBuffer(base64), KEY_AGREEMENT_ALGO, true, []);
+}
+async function importPrivateKeyForKeyAgreementAsync(base64) {
+  return crypto.subtle.importKey("pkcs8", base64ToArrayBuffer(base64), KEY_AGREEMENT_ALGO, true, ["deriveBits"]);
+}
+async function encryptPrivateKeyAsync(privateKeyBase64, password) {
+  const salt = crypto.getRandomValues(new Uint8Array(32));
+  const derivedKey = await deriveKeyFromPassword(password, salt);
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const encrypted = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv: nonce },
+    derivedKey,
+    new TextEncoder().encode(privateKeyBase64)
+  );
+  return {
+    encryptedPrivateKey: arrayBufferToBase64(encrypted),
+    nonce: arrayBufferToBase64(nonce),
+    salt: arrayBufferToBase64(salt)
+  };
+}
+async function decryptPrivateKeyAsync(encryptedPrivateKey, nonce, salt, password) {
+  const derivedKey = await deriveKeyFromPassword(password, base64ToArrayBuffer(salt));
+  const decrypted = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv: base64ToArrayBuffer(nonce) },
+    derivedKey,
+    base64ToArrayBuffer(encryptedPrivateKey)
+  );
+  return new TextDecoder().decode(decrypted);
+}
+
+// src/crypto/spaceKey.ts
+function generateSpaceKey() {
+  return generateVaultKey();
+}
+async function encryptSpaceKeyForRecipientAsync(spaceKey, recipientPublicKeyBase64) {
+  const ephemeral = await crypto.subtle.generateKey(KEY_AGREEMENT_ALGO, true, ["deriveBits"]);
+  const recipientKey = await importPublicKeyForKeyAgreementAsync(recipientPublicKeyBase64);
+  const sharedBits = await crypto.subtle.deriveBits(
+    { name: "ECDH", public: recipientKey },
+    ephemeral.privateKey,
+    256
+  );
+  const aesKey = await crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: new Uint8Array(0),
+      info: new TextEncoder().encode("haex-space-key")
+    },
+    await crypto.subtle.importKey("raw", sharedBits, "HKDF", false, ["deriveKey"]),
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt"]
+  );
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const encrypted = await crypto.subtle.encrypt({ name: "AES-GCM", iv: nonce }, aesKey, spaceKey);
+  const ephPub = await crypto.subtle.exportKey("spki", ephemeral.publicKey);
+  return {
+    encryptedSpaceKey: arrayBufferToBase64(encrypted),
+    keyNonce: arrayBufferToBase64(nonce),
+    ephemeralPublicKey: arrayBufferToBase64(ephPub)
+  };
+}
+async function decryptSpaceKeyAsync(encrypted, ownPrivateKeyBase64) {
+  const ephPubKey = await crypto.subtle.importKey(
+    "spki",
+    base64ToArrayBuffer(encrypted.ephemeralPublicKey),
+    KEY_AGREEMENT_ALGO,
+    true,
+    []
+  );
+  const ownPrivKey = await importPrivateKeyForKeyAgreementAsync(ownPrivateKeyBase64);
+  const sharedBits = await crypto.subtle.deriveBits(
+    { name: "ECDH", public: ephPubKey },
+    ownPrivKey,
+    256
+  );
+  const aesKey = await crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: new Uint8Array(0),
+      info: new TextEncoder().encode("haex-space-key")
+    },
+    await crypto.subtle.importKey("raw", sharedBits, "HKDF", false, ["deriveKey"]),
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["decrypt"]
+  );
+  const decrypted = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv: base64ToArrayBuffer(encrypted.keyNonce) },
+    aesKey,
+    base64ToArrayBuffer(encrypted.encryptedSpaceKey)
+  );
+  return new Uint8Array(decrypted);
+}
+
+// src/crypto/recordSigning.ts
+function canonicalize(record) {
+  const parts = [
+    record.tableName,
+    record.rowPks,
+    record.columnName === null ? "
NULL" : record.columnName,
+    record.encryptedValue === null ? "
NULL" : record.encryptedValue,
+    record.hlcTimestamp
+  ].join("\0");
+  return new TextEncoder().encode(parts);
+}
+async function signRecordAsync(record, privateKeyBase64) {
+  const key = await importUserPrivateKeyAsync(privateKeyBase64);
+  const sig = await crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, key, canonicalize(record));
+  return arrayBufferToBase64(sig);
+}
+async function verifyRecordSignatureAsync(record, signatureBase64, publicKeyBase64) {
+  const key = await importUserPublicKeyAsync(publicKeyBase64);
+  return crypto.subtle.verify(
+    { name: "ECDSA", hash: "SHA-256" },
+    key,
+    base64ToArrayBuffer(signatureBase64),
+    canonicalize(record)
+  );
+}
+var CHALLENGE_MAX_AGE_MS = 3e4;
+function canonicalizeChallenge(spaceId, timestamp) {
+  return new TextEncoder().encode(`${spaceId}\0${timestamp}`).buffer;
+}
+async function signSpaceChallengeAsync(spaceId, privateKeyBase64) {
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const key = await importUserPrivateKeyAsync(privateKeyBase64);
+  const sig = await crypto.subtle.sign(
+    { name: "ECDSA", hash: "SHA-256" },
+    key,
+    canonicalizeChallenge(spaceId, timestamp)
+  );
+  return { signature: arrayBufferToBase64(sig), timestamp };
+}
+async function verifySpaceChallengeAsync(spaceId, timestamp, signatureBase64, publicKeyBase64) {
+  const tsMs = new Date(timestamp).getTime();
+  if (Number.isNaN(tsMs)) {
+    return { valid: false, error: "Invalid timestamp format" };
+  }
+  const age = Date.now() - tsMs;
+  if (age < 0 || age > CHALLENGE_MAX_AGE_MS) {
+    return { valid: false, error: "Challenge timestamp expired or in the future" };
+  }
+  try {
+    const key = await importUserPublicKeyAsync(publicKeyBase64);
+    const isValid = await crypto.subtle.verify(
+      { name: "ECDSA", hash: "SHA-256" },
+      key,
+      base64ToArrayBuffer(signatureBase64),
+      canonicalizeChallenge(spaceId, timestamp)
+    );
+    return isValid ? { valid: true } : { valid: false, error: "Invalid challenge signature" };
+  } catch {
+    return { valid: false, error: "Challenge verification failed" };
+  }
+}
+
 // src/crypto/passkey.ts
 function toArrayBuffer(data) {
   if (data instanceof ArrayBuffer) {
@@ -2926,12 +3104,14 @@ exports.HAEXSPACE_MESSAGE_TYPES = HAEXSPACE_MESSAGE_TYPES;
 exports.HAEXTENSION_EVENTS = HAEXTENSION_EVENTS;
 exports.HaexVaultSdk = HaexVaultSdk;
 exports.HaexVaultSdkError = HaexVaultSdkError;
+exports.KEY_AGREEMENT_ALGO = KEY_AGREEMENT_ALGO;
 exports.LOCALSEND_EVENTS = LOCALSEND_EVENTS;
 exports.LocalSendAPI = LocalSendAPI;
 exports.PermissionErrorCode = PermissionErrorCode;
 exports.PermissionStatus = PermissionStatus;
 exports.PermissionsAPI = PermissionsAPI;
 exports.RemoteStorageAPI = RemoteStorageAPI;
+exports.SIGNING_ALGO = SIGNING_ALGO;
 exports.TABLE_SEPARATOR = TABLE_SEPARATOR;
 exports.TAURI_COMMANDS = TAURI_COMMANDS;
 exports.WebAPI = WebAPI;
@@ -2940,24 +3120,35 @@ exports.base64ToArrayBuffer = base64ToArrayBuffer;
 exports.canExternalClientSendRequests = canExternalClientSendRequests;
 exports.createHaexVaultSdk = createHaexVaultSdk;
 exports.decryptCrdtData = decryptCrdtData;
+exports.decryptPrivateKeyAsync = decryptPrivateKeyAsync;
+exports.decryptSpaceKeyAsync = decryptSpaceKeyAsync;
 exports.decryptString = decryptString;
 exports.decryptVaultKey = decryptVaultKey;
 exports.decryptVaultName = decryptVaultName;
 exports.deriveKeyFromPassword = deriveKeyFromPassword;
 exports.encryptCrdtData = encryptCrdtData;
+exports.encryptPrivateKeyAsync = encryptPrivateKeyAsync;
+exports.encryptSpaceKeyForRecipientAsync = encryptSpaceKeyForRecipientAsync;
 exports.encryptString = encryptString;
 exports.encryptVaultKey = encryptVaultKey;
 exports.exportKeyPairAsync = exportKeyPairAsync;
 exports.exportPrivateKeyAsync = exportPrivateKeyAsync;
 exports.exportPublicKeyAsync = exportPublicKeyAsync;
 exports.exportPublicKeyCoseAsync = exportPublicKeyCoseAsync;
+exports.exportUserKeypairAsync = exportUserKeypairAsync;
 exports.generateCredentialId = generateCredentialId;
 exports.generatePasskeyPairAsync = generatePasskeyPairAsync;
+exports.generateSpaceKey = generateSpaceKey;
+exports.generateUserKeypairAsync = generateUserKeypairAsync;
 exports.generateVaultKey = generateVaultKey;
 exports.getTableName = getTableName;
 exports.hexToBytes = hexToBytes;
 exports.importPrivateKeyAsync = importPrivateKeyAsync;
+exports.importPrivateKeyForKeyAgreementAsync = importPrivateKeyForKeyAgreementAsync;
 exports.importPublicKeyAsync = importPublicKeyAsync;
+exports.importPublicKeyForKeyAgreementAsync = importPublicKeyForKeyAgreementAsync;
+exports.importUserPrivateKeyAsync = importUserPrivateKeyAsync;
+exports.importUserPublicKeyAsync = importUserPublicKeyAsync;
 exports.installBaseTag = installBaseTag;
 exports.installCookiePolyfill = installCookiePolyfill;
 exports.installHistoryPolyfill = installHistoryPolyfill;
@@ -2968,10 +3159,14 @@ exports.isExternalClientConnected = isExternalClientConnected;
 exports.isPermissionDeniedError = isPermissionDeniedError;
 exports.isPermissionError = isPermissionError;
 exports.isPermissionPromptError = isPermissionPromptError;
+exports.signRecordAsync = signRecordAsync;
+exports.signSpaceChallengeAsync = signSpaceChallengeAsync;
 exports.signWithPasskeyAsync = signWithPasskeyAsync;
 exports.sortObjectKeysRecursively = sortObjectKeysRecursively;
 exports.unwrapKey = unwrapKey;
 exports.verifyExtensionSignature = verifyExtensionSignature;
+exports.verifyRecordSignatureAsync = verifyRecordSignatureAsync;
+exports.verifySpaceChallengeAsync = verifySpaceChallengeAsync;
 exports.verifyWithPasskeyAsync = verifyWithPasskeyAsync;
 exports.wrapKey = wrapKey;
 //# sourceMappingURL=index.js.map