@haex-space/vault-sdk 2.5.107 → 2.5.109

package/dist/{client-CBCjziWo.d.mts → client-C3UTSqYM.d.mts}

@@ -1,4 +1,4 @@
-import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-NWYbdRXr.mjs';
+import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-DwLhX7mx.mjs';
 import { SqliteRemoteDatabase } from 'drizzle-orm/sqlite-proxy';
 
 declare class StorageAPI {

package/dist/{client-_FhZZse3.d.ts → client-CRWI0t-2.d.ts}

@@ -1,4 +1,4 @@
-import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-NWYbdRXr.js';
+import { D as DatabaseQueryResult, M as Migration, b as MigrationResult, W as WebRequestOptions, c as WebResponse, H as HaexHubConfig, a as ExtensionInfo, A as ApplicationContext, d as DatabasePermissionRequest, P as PermissionResponse, S as SearchResult, e as ExternalRequestHandler, f as ExternalResponse, g as EventCallback } from './types-DwLhX7mx.js';
 import { SqliteRemoteDatabase } from 'drizzle-orm/sqlite-proxy';
 
 declare class StorageAPI {

package/dist/index.d.mts

@@ -1,7 +1,7 @@
-import { H as HaexVaultSdk } from './client-CBCjziWo.mjs';
-export { D as DatabaseAPI, a as Device, b as DeviceInfo, c as DeviceType, d as DirEntry, F as FileStat, e as FilesystemAPI, L as LOCALSEND_EVENTS, f as LocalSendAPI, g as LocalSendEvent, h as LocalSendFileInfo, i as LocalSendSettings, P as PendingTransfer, j as PermissionsAPI, A as RemoteAddBackendRequest, k as RemoteS3Config, l as RemoteS3PublicConfig, R as RemoteStorageAPI, m as RemoteStorageBackendInfo, n as RemoteStorageObjectInfo, U as RemoteUpdateBackendRequest, o as SelectFileOptions, p as SelectFolderOptions, q as ServerInfo, r as ServerStatus, T as TransferDirection, s as TransferProgress, t as TransferState, W as WebAPI } from './client-CBCjziWo.mjs';
-import { h as SpaceRole, E as ExtensionManifest, H as HaexHubConfig } from './types-NWYbdRXr.mjs';
-export { A as ApplicationContext, i as AuthorizedClient, B as BlockedClient, C as ContextChangedEvent, j as DEFAULT_TIMEOUT, k as DatabaseColumnInfo, l as DatabaseExecuteParams, m as DatabasePermission, d as DatabasePermissionRequest, n as DatabaseQueryParams, D as DatabaseQueryResult, o as DatabaseTableInfo, p as EXTERNAL_EVENTS, q as ErrorCode, g as EventCallback, a as ExtensionInfo, r as ExtensionRuntimeMode, s as ExternalAuthDecision, t as ExternalConnection, u as ExternalConnectionErrorCode, v as ExternalConnectionState, w as ExternalEvent, x as ExternalRequest, y as ExternalRequestEvent, e as ExternalRequestHandler, z as ExternalRequestPayload, f as ExternalResponse, F as FileChangeEvent, G as FileChangePayload, I as FileChangeType, J as FilteredSyncTablesResult, K as HAEXTENSION_EVENTS, L as HaexHubEvent, N as HaexHubRequest, O as HaexHubResponse, Q as HaexVaultSdkError, R as HaextensionEvent, T as PendingAuthorization, U as PermissionDeniedError, V as PermissionErrorBase, X as PermissionErrorCode, Y as PermissionPromptError, P as PermissionResponse, Z as PermissionStatus, _ as RequestedExtension, $ as SearchQuery, a0 as SearchRequestEvent, S as SearchResult, a1 as SessionAuthorization, a2 as SharedSpace, a3 as SpaceAccessTokenInfo, a4 as SpaceInvite, a5 as SpaceKeyGrantInfo, a6 as SpaceMemberInfo, a7 as SyncTablesUpdatedEvent, a8 as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, a9 as canExternalClientSendRequests, aa as getTableName, ab as isExternalClientConnected, ac as isPermissionDeniedError, ad as isPermissionError, ae as isPermissionPromptError } from './types-NWYbdRXr.mjs';
+import { H as HaexVaultSdk } from './client-C3UTSqYM.mjs';
+export { D as DatabaseAPI, a as Device, b as DeviceInfo, c as DeviceType, d as DirEntry, F as FileStat, e as FilesystemAPI, L as LOCALSEND_EVENTS, f as LocalSendAPI, g as LocalSendEvent, h as LocalSendFileInfo, i as LocalSendSettings, P as PendingTransfer, j as PermissionsAPI, A as RemoteAddBackendRequest, k as RemoteS3Config, l as RemoteS3PublicConfig, R as RemoteStorageAPI, m as RemoteStorageBackendInfo, n as RemoteStorageObjectInfo, U as RemoteUpdateBackendRequest, o as SelectFileOptions, p as SelectFolderOptions, q as ServerInfo, r as ServerStatus, T as TransferDirection, s as TransferProgress, t as TransferState, W as WebAPI } from './client-C3UTSqYM.mjs';
+import { E as ExtensionManifest, H as HaexHubConfig } from './types-DwLhX7mx.mjs';
+export { A as ApplicationContext, h as AuthorizedClient, B as BlockedClient, C as ContextChangedEvent, i as DEFAULT_TIMEOUT, j as DatabaseColumnInfo, k as DatabaseExecuteParams, l as DatabasePermission, d as DatabasePermissionRequest, m as DatabaseQueryParams, D as DatabaseQueryResult, n as DatabaseTableInfo, o as EXTERNAL_EVENTS, p as ErrorCode, g as EventCallback, a as ExtensionInfo, q as ExtensionRuntimeMode, r as ExternalAuthDecision, s as ExternalConnection, t as ExternalConnectionErrorCode, u as ExternalConnectionState, v as ExternalEvent, w as ExternalRequest, x as ExternalRequestEvent, e as ExternalRequestHandler, y as ExternalRequestPayload, f as ExternalResponse, F as FileChangeEvent, z as FileChangePayload, G as FileChangeType, I as FilteredSyncTablesResult, J as HAEXTENSION_EVENTS, K as HaexHubEvent, L as HaexHubRequest, N as HaexHubResponse, O as HaexVaultSdkError, Q as HaextensionEvent, R as PendingAuthorization, T as PermissionDeniedError, U as PermissionErrorBase, V as PermissionErrorCode, X as PermissionPromptError, P as PermissionResponse, Y as PermissionStatus, Z as RequestedExtension, _ as SearchQuery, $ as SearchRequestEvent, S as SearchResult, a0 as SessionAuthorization, a1 as SharedSpace, a2 as SpaceAccessTokenInfo, a3 as SpaceInvite, a4 as SpaceKeyGrantInfo, a5 as SpaceMemberInfo, a6 as SpaceRole, a7 as SyncTablesUpdatedEvent, a8 as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, a9 as canExternalClientSendRequests, aa as getTableName, ab as isExternalClientConnected, ac as isPermissionDeniedError, ad as isPermissionError, ae as isPermissionPromptError } from './types-DwLhX7mx.mjs';
 export { H as HaextensionConfig } from './config-D_HXjsEV.mjs';
 import 'drizzle-orm/sqlite-proxy';
 
@@ -88,7 +88,6 @@ declare function installPolyfills(): void;
  * Types for communicating with the haex-sync-server authentication endpoints.
  * Used by haex-vault and extensions that need to interact with the sync server.
  */
-
 /**
  * S3-compatible storage configuration provided by the sync server.
  *
@@ -192,6 +191,7 @@ interface CreateSpaceRequest {
     id: string;
     encryptedName: string;
     nameNonce: string;
+    label: string;
     keyGrant: {
         encryptedSpaceKey: string;
         keyNonce: string;
@@ -199,8 +199,10 @@ interface CreateSpaceRequest {
     };
 }
 interface InviteMemberRequest {
-    userId: string;
-    role: SpaceRole;
+    publicKey: string;
+    label: string;
+    role: 'member' | 'viewer';
+    canInvite?: boolean;
     keyGrant: {
         encryptedSpaceKey: string;
         keyNonce: string;
@@ -796,6 +798,25 @@ interface SignableRecord {
 }
 declare function signRecordAsync(record: SignableRecord, privateKeyBase64: string): Promise<string>;
 declare function verifyRecordSignatureAsync(record: SignableRecord, signatureBase64: string, publicKeyBase64: string): Promise<boolean>;
+/**
+ * Sign a space challenge to prove private key possession.
+ * Generates a fresh timestamp internally to prevent misuse.
+ *
+ * @returns signature (Base64) + timestamp (ISO 8601) to send as
+ *          X-Space-Signature / X-Space-Timestamp headers.
+ */
+declare function signSpaceChallengeAsync(spaceId: string, privateKeyBase64: string): Promise<{
+    signature: string;
+    timestamp: string;
+}>;
+/**
+ * Verify a space challenge signature (server-side).
+ * Checks both cryptographic validity and timestamp freshness (max 30s).
+ */
+declare function verifySpaceChallengeAsync(spaceId: string, timestamp: string, signatureBase64: string, publicKeyBase64: string): Promise<{
+    valid: boolean;
+    error?: string;
+}>;
 
 /**
  * Crypto utilities for WebAuthn/Passkey operations
@@ -871,4 +892,4 @@ declare function exportKeyPairAsync(keyPair: PasskeyKeyPair): Promise<ExportedPa
 
 declare function createHaexVaultSdk(config?: HaexHubConfig): HaexVaultSdk;
 
-export { type AuthUser, COSE_ALGORITHM, type CoseAlgorithm, type CreateSpaceRequest, type EncryptedSpaceKey, type ExportedPasskeyKeyPair, type ExportedUserKeypair, ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HaexHubConfig, HaexVaultSdk, type HaexspaceMessageType, type InviteMemberRequest, KEY_AGREEMENT_ALGO, type PasskeyKeyPair, type RegisterKeypairRequest, SIGNING_ALGO, type SignableRecord, SpaceRole, type StorageConfig, type ErrorResponse as SyncServerErrorResponse, type ServerInfo as SyncServerInfo, type LoginRequest as SyncServerLoginRequest, type LoginResponse as SyncServerLoginResponse, type RefreshRequest as SyncServerRefreshRequest, TAURI_COMMANDS, type TauriCommand, type UserKeypair, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultSdk, decryptCrdtData, decryptPrivateKeyAsync, decryptSpaceKeyAsync, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptPrivateKeyAsync, encryptSpaceKeyForRecipientAsync, encryptString, encryptVaultKey, exportKeyPairAsync, exportPrivateKeyAsync, exportPublicKeyAsync, exportPublicKeyCoseAsync, exportUserKeypairAsync, generateCredentialId, generatePasskeyPairAsync, generateSpaceKey, generateUserKeypairAsync, generateVaultKey, hexToBytes, importPrivateKeyAsync, importPrivateKeyForKeyAgreementAsync, importPublicKeyAsync, importPublicKeyForKeyAgreementAsync, importUserPrivateKeyAsync, importUserPublicKeyAsync, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, signRecordAsync, signWithPasskeyAsync, sortObjectKeysRecursively, unwrapKey, verifyExtensionSignature, verifyRecordSignatureAsync, verifyWithPasskeyAsync, wrapKey };
+export { type AuthUser, COSE_ALGORITHM, type CoseAlgorithm, type CreateSpaceRequest, type EncryptedSpaceKey, type ExportedPasskeyKeyPair, type ExportedUserKeypair, ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HaexHubConfig, HaexVaultSdk, type HaexspaceMessageType, type InviteMemberRequest, KEY_AGREEMENT_ALGO, type PasskeyKeyPair, type RegisterKeypairRequest, SIGNING_ALGO, type SignableRecord, type StorageConfig, type ErrorResponse as SyncServerErrorResponse, type ServerInfo as SyncServerInfo, type LoginRequest as SyncServerLoginRequest, type LoginResponse as SyncServerLoginResponse, type RefreshRequest as SyncServerRefreshRequest, TAURI_COMMANDS, type TauriCommand, type UserKeypair, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultSdk, decryptCrdtData, decryptPrivateKeyAsync, decryptSpaceKeyAsync, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptPrivateKeyAsync, encryptSpaceKeyForRecipientAsync, encryptString, encryptVaultKey, exportKeyPairAsync, exportPrivateKeyAsync, exportPublicKeyAsync, exportPublicKeyCoseAsync, exportUserKeypairAsync, generateCredentialId, generatePasskeyPairAsync, generateSpaceKey, generateUserKeypairAsync, generateVaultKey, hexToBytes, importPrivateKeyAsync, importPrivateKeyForKeyAgreementAsync, importPublicKeyAsync, importPublicKeyForKeyAgreementAsync, importUserPrivateKeyAsync, importUserPublicKeyAsync, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, signRecordAsync, signSpaceChallengeAsync, signWithPasskeyAsync, sortObjectKeysRecursively, unwrapKey, verifyExtensionSignature, verifyRecordSignatureAsync, verifySpaceChallengeAsync, verifyWithPasskeyAsync, wrapKey };

package/dist/index.d.ts

@@ -1,7 +1,7 @@
-import { H as HaexVaultSdk } from './client-_FhZZse3.js';
-export { D as DatabaseAPI, a as Device, b as DeviceInfo, c as DeviceType, d as DirEntry, F as FileStat, e as FilesystemAPI, L as LOCALSEND_EVENTS, f as LocalSendAPI, g as LocalSendEvent, h as LocalSendFileInfo, i as LocalSendSettings, P as PendingTransfer, j as PermissionsAPI, A as RemoteAddBackendRequest, k as RemoteS3Config, l as RemoteS3PublicConfig, R as RemoteStorageAPI, m as RemoteStorageBackendInfo, n as RemoteStorageObjectInfo, U as RemoteUpdateBackendRequest, o as SelectFileOptions, p as SelectFolderOptions, q as ServerInfo, r as ServerStatus, T as TransferDirection, s as TransferProgress, t as TransferState, W as WebAPI } from './client-_FhZZse3.js';
-import { h as SpaceRole, E as ExtensionManifest, H as HaexHubConfig } from './types-NWYbdRXr.js';
-export { A as ApplicationContext, i as AuthorizedClient, B as BlockedClient, C as ContextChangedEvent, j as DEFAULT_TIMEOUT, k as DatabaseColumnInfo, l as DatabaseExecuteParams, m as DatabasePermission, d as DatabasePermissionRequest, n as DatabaseQueryParams, D as DatabaseQueryResult, o as DatabaseTableInfo, p as EXTERNAL_EVENTS, q as ErrorCode, g as EventCallback, a as ExtensionInfo, r as ExtensionRuntimeMode, s as ExternalAuthDecision, t as ExternalConnection, u as ExternalConnectionErrorCode, v as ExternalConnectionState, w as ExternalEvent, x as ExternalRequest, y as ExternalRequestEvent, e as ExternalRequestHandler, z as ExternalRequestPayload, f as ExternalResponse, F as FileChangeEvent, G as FileChangePayload, I as FileChangeType, J as FilteredSyncTablesResult, K as HAEXTENSION_EVENTS, L as HaexHubEvent, N as HaexHubRequest, O as HaexHubResponse, Q as HaexVaultSdkError, R as HaextensionEvent, T as PendingAuthorization, U as PermissionDeniedError, V as PermissionErrorBase, X as PermissionErrorCode, Y as PermissionPromptError, P as PermissionResponse, Z as PermissionStatus, _ as RequestedExtension, $ as SearchQuery, a0 as SearchRequestEvent, S as SearchResult, a1 as SessionAuthorization, a2 as SharedSpace, a3 as SpaceAccessTokenInfo, a4 as SpaceInvite, a5 as SpaceKeyGrantInfo, a6 as SpaceMemberInfo, a7 as SyncTablesUpdatedEvent, a8 as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, a9 as canExternalClientSendRequests, aa as getTableName, ab as isExternalClientConnected, ac as isPermissionDeniedError, ad as isPermissionError, ae as isPermissionPromptError } from './types-NWYbdRXr.js';
+import { H as HaexVaultSdk } from './client-CRWI0t-2.js';
+export { D as DatabaseAPI, a as Device, b as DeviceInfo, c as DeviceType, d as DirEntry, F as FileStat, e as FilesystemAPI, L as LOCALSEND_EVENTS, f as LocalSendAPI, g as LocalSendEvent, h as LocalSendFileInfo, i as LocalSendSettings, P as PendingTransfer, j as PermissionsAPI, A as RemoteAddBackendRequest, k as RemoteS3Config, l as RemoteS3PublicConfig, R as RemoteStorageAPI, m as RemoteStorageBackendInfo, n as RemoteStorageObjectInfo, U as RemoteUpdateBackendRequest, o as SelectFileOptions, p as SelectFolderOptions, q as ServerInfo, r as ServerStatus, T as TransferDirection, s as TransferProgress, t as TransferState, W as WebAPI } from './client-CRWI0t-2.js';
+import { E as ExtensionManifest, H as HaexHubConfig } from './types-DwLhX7mx.js';
+export { A as ApplicationContext, h as AuthorizedClient, B as BlockedClient, C as ContextChangedEvent, i as DEFAULT_TIMEOUT, j as DatabaseColumnInfo, k as DatabaseExecuteParams, l as DatabasePermission, d as DatabasePermissionRequest, m as DatabaseQueryParams, D as DatabaseQueryResult, n as DatabaseTableInfo, o as EXTERNAL_EVENTS, p as ErrorCode, g as EventCallback, a as ExtensionInfo, q as ExtensionRuntimeMode, r as ExternalAuthDecision, s as ExternalConnection, t as ExternalConnectionErrorCode, u as ExternalConnectionState, v as ExternalEvent, w as ExternalRequest, x as ExternalRequestEvent, e as ExternalRequestHandler, y as ExternalRequestPayload, f as ExternalResponse, F as FileChangeEvent, z as FileChangePayload, G as FileChangeType, I as FilteredSyncTablesResult, J as HAEXTENSION_EVENTS, K as HaexHubEvent, L as HaexHubRequest, N as HaexHubResponse, O as HaexVaultSdkError, Q as HaextensionEvent, R as PendingAuthorization, T as PermissionDeniedError, U as PermissionErrorBase, V as PermissionErrorCode, X as PermissionPromptError, P as PermissionResponse, Y as PermissionStatus, Z as RequestedExtension, _ as SearchQuery, $ as SearchRequestEvent, S as SearchResult, a0 as SessionAuthorization, a1 as SharedSpace, a2 as SpaceAccessTokenInfo, a3 as SpaceInvite, a4 as SpaceKeyGrantInfo, a5 as SpaceMemberInfo, a6 as SpaceRole, a7 as SyncTablesUpdatedEvent, a8 as TABLE_SEPARATOR, W as WebRequestOptions, c as WebResponse, a9 as canExternalClientSendRequests, aa as getTableName, ab as isExternalClientConnected, ac as isPermissionDeniedError, ad as isPermissionError, ae as isPermissionPromptError } from './types-DwLhX7mx.js';
 export { H as HaextensionConfig } from './config-D_HXjsEV.js';
 import 'drizzle-orm/sqlite-proxy';
 
@@ -88,7 +88,6 @@ declare function installPolyfills(): void;
  * Types for communicating with the haex-sync-server authentication endpoints.
  * Used by haex-vault and extensions that need to interact with the sync server.
  */
-
 /**
  * S3-compatible storage configuration provided by the sync server.
  *
@@ -192,6 +191,7 @@ interface CreateSpaceRequest {
     id: string;
     encryptedName: string;
     nameNonce: string;
+    label: string;
     keyGrant: {
         encryptedSpaceKey: string;
         keyNonce: string;
@@ -199,8 +199,10 @@ interface CreateSpaceRequest {
     };
 }
 interface InviteMemberRequest {
-    userId: string;
-    role: SpaceRole;
+    publicKey: string;
+    label: string;
+    role: 'member' | 'viewer';
+    canInvite?: boolean;
     keyGrant: {
         encryptedSpaceKey: string;
         keyNonce: string;
@@ -796,6 +798,25 @@ interface SignableRecord {
 }
 declare function signRecordAsync(record: SignableRecord, privateKeyBase64: string): Promise<string>;
 declare function verifyRecordSignatureAsync(record: SignableRecord, signatureBase64: string, publicKeyBase64: string): Promise<boolean>;
+/**
+ * Sign a space challenge to prove private key possession.
+ * Generates a fresh timestamp internally to prevent misuse.
+ *
+ * @returns signature (Base64) + timestamp (ISO 8601) to send as
+ *          X-Space-Signature / X-Space-Timestamp headers.
+ */
+declare function signSpaceChallengeAsync(spaceId: string, privateKeyBase64: string): Promise<{
+    signature: string;
+    timestamp: string;
+}>;
+/**
+ * Verify a space challenge signature (server-side).
+ * Checks both cryptographic validity and timestamp freshness (max 30s).
+ */
+declare function verifySpaceChallengeAsync(spaceId: string, timestamp: string, signatureBase64: string, publicKeyBase64: string): Promise<{
+    valid: boolean;
+    error?: string;
+}>;
 
 /**
  * Crypto utilities for WebAuthn/Passkey operations
@@ -871,4 +892,4 @@ declare function exportKeyPairAsync(keyPair: PasskeyKeyPair): Promise<ExportedPa
 
 declare function createHaexVaultSdk(config?: HaexHubConfig): HaexVaultSdk;
 
-export { type AuthUser, COSE_ALGORITHM, type CoseAlgorithm, type CreateSpaceRequest, type EncryptedSpaceKey, type ExportedPasskeyKeyPair, type ExportedUserKeypair, ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HaexHubConfig, HaexVaultSdk, type HaexspaceMessageType, type InviteMemberRequest, KEY_AGREEMENT_ALGO, type PasskeyKeyPair, type RegisterKeypairRequest, SIGNING_ALGO, type SignableRecord, SpaceRole, type StorageConfig, type ErrorResponse as SyncServerErrorResponse, type ServerInfo as SyncServerInfo, type LoginRequest as SyncServerLoginRequest, type LoginResponse as SyncServerLoginResponse, type RefreshRequest as SyncServerRefreshRequest, TAURI_COMMANDS, type TauriCommand, type UserKeypair, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultSdk, decryptCrdtData, decryptPrivateKeyAsync, decryptSpaceKeyAsync, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptPrivateKeyAsync, encryptSpaceKeyForRecipientAsync, encryptString, encryptVaultKey, exportKeyPairAsync, exportPrivateKeyAsync, exportPublicKeyAsync, exportPublicKeyCoseAsync, exportUserKeypairAsync, generateCredentialId, generatePasskeyPairAsync, generateSpaceKey, generateUserKeypairAsync, generateVaultKey, hexToBytes, importPrivateKeyAsync, importPrivateKeyForKeyAgreementAsync, importPublicKeyAsync, importPublicKeyForKeyAgreementAsync, importUserPrivateKeyAsync, importUserPublicKeyAsync, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, signRecordAsync, signWithPasskeyAsync, sortObjectKeysRecursively, unwrapKey, verifyExtensionSignature, verifyRecordSignatureAsync, verifyWithPasskeyAsync, wrapKey };
+export { type AuthUser, COSE_ALGORITHM, type CoseAlgorithm, type CreateSpaceRequest, type EncryptedSpaceKey, type ExportedPasskeyKeyPair, type ExportedUserKeypair, ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HaexHubConfig, HaexVaultSdk, type HaexspaceMessageType, type InviteMemberRequest, KEY_AGREEMENT_ALGO, type PasskeyKeyPair, type RegisterKeypairRequest, SIGNING_ALGO, type SignableRecord, type StorageConfig, type ErrorResponse as SyncServerErrorResponse, type ServerInfo as SyncServerInfo, type LoginRequest as SyncServerLoginRequest, type LoginResponse as SyncServerLoginResponse, type RefreshRequest as SyncServerRefreshRequest, TAURI_COMMANDS, type TauriCommand, type UserKeypair, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultSdk, decryptCrdtData, decryptPrivateKeyAsync, decryptSpaceKeyAsync, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptPrivateKeyAsync, encryptSpaceKeyForRecipientAsync, encryptString, encryptVaultKey, exportKeyPairAsync, exportPrivateKeyAsync, exportPublicKeyAsync, exportPublicKeyCoseAsync, exportUserKeypairAsync, generateCredentialId, generatePasskeyPairAsync, generateSpaceKey, generateUserKeypairAsync, generateVaultKey, hexToBytes, importPrivateKeyAsync, importPrivateKeyForKeyAgreementAsync, importPublicKeyAsync, importPublicKeyForKeyAgreementAsync, importUserPrivateKeyAsync, importUserPublicKeyAsync, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, signRecordAsync, signSpaceChallengeAsync, signWithPasskeyAsync, sortObjectKeysRecursively, unwrapKey, verifyExtensionSignature, verifyRecordSignatureAsync, verifySpaceChallengeAsync, verifyWithPasskeyAsync, wrapKey };

package/dist/index.js

@@ -2885,6 +2885,42 @@ async function verifyRecordSignatureAsync(record, signatureBase64, publicKeyBase
     canonicalize(record)
   );
 }
+var CHALLENGE_MAX_AGE_MS = 3e4;
+function canonicalizeChallenge(spaceId, timestamp) {
+  return new TextEncoder().encode(`${spaceId}\0${timestamp}`).buffer;
+}
+async function signSpaceChallengeAsync(spaceId, privateKeyBase64) {
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const key = await importUserPrivateKeyAsync(privateKeyBase64);
+  const sig = await crypto.subtle.sign(
+    { name: "ECDSA", hash: "SHA-256" },
+    key,
+    canonicalizeChallenge(spaceId, timestamp)
+  );
+  return { signature: arrayBufferToBase64(sig), timestamp };
+}
+async function verifySpaceChallengeAsync(spaceId, timestamp, signatureBase64, publicKeyBase64) {
+  const tsMs = new Date(timestamp).getTime();
+  if (Number.isNaN(tsMs)) {
+    return { valid: false, error: "Invalid timestamp format" };
+  }
+  const age = Date.now() - tsMs;
+  if (age < 0 || age > CHALLENGE_MAX_AGE_MS) {
+    return { valid: false, error: "Challenge timestamp expired or in the future" };
+  }
+  try {
+    const key = await importUserPublicKeyAsync(publicKeyBase64);
+    const isValid = await crypto.subtle.verify(
+      { name: "ECDSA", hash: "SHA-256" },
+      key,
+      base64ToArrayBuffer(signatureBase64),
+      canonicalizeChallenge(spaceId, timestamp)
+    );
+    return isValid ? { valid: true } : { valid: false, error: "Invalid challenge signature" };
+  } catch {
+    return { valid: false, error: "Challenge verification failed" };
+  }
+}
 
 // src/crypto/passkey.ts
 function toArrayBuffer(data) {
@@ -3124,11 +3160,13 @@ exports.isPermissionDeniedError = isPermissionDeniedError;
 exports.isPermissionError = isPermissionError;
 exports.isPermissionPromptError = isPermissionPromptError;
 exports.signRecordAsync = signRecordAsync;
+exports.signSpaceChallengeAsync = signSpaceChallengeAsync;
 exports.signWithPasskeyAsync = signWithPasskeyAsync;
 exports.sortObjectKeysRecursively = sortObjectKeysRecursively;
 exports.unwrapKey = unwrapKey;
 exports.verifyExtensionSignature = verifyExtensionSignature;
 exports.verifyRecordSignatureAsync = verifyRecordSignatureAsync;
+exports.verifySpaceChallengeAsync = verifySpaceChallengeAsync;
 exports.verifyWithPasskeyAsync = verifyWithPasskeyAsync;
 exports.wrapKey = wrapKey;
 //# sourceMappingURL=index.js.map