@hashtree/core 0.1.0

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,wCAAwC;AACxC,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC;AAoBvC,+CAA+C;AAC/C,wBAAgB,WAAW,IAAI,aAAa,CAI3C;AAmDD;;GAEG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAE1E;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,UAAU,CAAC,SAAS,EAAE,UAAU,GAAG,OAAO,CAAC;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,GAAG,EAAE,aAAa,CAAA;CAAE,CAAC,CAyB/G;AAED;;;;;;;GAOG;AACH,wBAAsB,UAAU,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,CAyBhG;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED;;;;;;;GAOG;AACH,wBAAsB,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,CA0B5F;AAED;;;;;;;GAOG;AACH,wBAAsB,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,CAoB5F;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAE1D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED,gCAAgC;AAChC,wBAAgB,QAAQ,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAEnD;AAED,gCAAgC;AAChC,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CASrD"}

package/dist/crypto.js

@@ -0,0 +1,212 @@
+/**
+ * Encryption utilities for HashTree
+ *
+ * CHK (Content Hash Key) encryption for deterministic encryption:
+ * - key = SHA256(plaintext) - content hash becomes decryption key
+ * - encryption_key = HKDF(key, salt="hashtree-chk", info="encryption-key")
+ * - ciphertext = AES-256-GCM(encryption_key, zero_nonce, plaintext)
+ *
+ * Zero nonce is safe because CHK guarantees: same key = same content.
+ * This enables deduplication: same content → same ciphertext → same hash.
+ *
+ * Format: [ciphertext][16-byte auth tag] (no IV needed with CHK)
+ *
+ * Also includes legacy functions with random IV for backward compatibility:
+ * Format: [12-byte IV][ciphertext][16-byte auth tag]
+ */
+import { sha256 } from './hash.js';
+/** IV/Nonce size for AES-GCM */
+const IV_SIZE = 12;
+/** Auth tag size for AES-GCM */
+const TAG_SIZE = 16;
+/** Minimum encrypted data size: IV + tag (for legacy format) */
+const MIN_ENCRYPTED_SIZE = IV_SIZE + TAG_SIZE;
+/** Minimum CHK encrypted size: just tag (no IV) */
+const MIN_CHK_ENCRYPTED_SIZE = TAG_SIZE;
+/** HKDF salt for CHK key derivation */
+const CHK_SALT = new TextEncoder().encode('hashtree-chk');
+/** HKDF info for CHK key derivation */
+const CHK_INFO = new TextEncoder().encode('encryption-key');
+/** Generate a random 32-byte encryption key */
+export function generateKey() {
+    const key = new Uint8Array(32);
+    crypto.getRandomValues(key);
+    return key;
+}
+/**
+ * Import raw key bytes as CryptoKey for AES-GCM
+ */
+async function importKey(key) {
+    // Copy to ensure we have a clean ArrayBuffer (not SharedArrayBuffer)
+    const keyBuffer = new ArrayBuffer(key.length);
+    new Uint8Array(keyBuffer).set(key);
+    return crypto.subtle.importKey('raw', keyBuffer, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
+}
+/**
+ * Derive AES key from content hash using HKDF
+ * @param contentHash - 32-byte content hash (SHA256 of plaintext)
+ * @returns 32-byte derived encryption key
+ */
+async function deriveKey(contentHash) {
+    // Import content hash as HKDF key material
+    const keyBuffer = new ArrayBuffer(contentHash.length);
+    new Uint8Array(keyBuffer).set(contentHash);
+    const hkdfKey = await crypto.subtle.importKey('raw', keyBuffer, { name: 'HKDF' }, false, ['deriveKey']);
+    // Derive AES-GCM key using HKDF
+    return crypto.subtle.deriveKey({
+        name: 'HKDF',
+        salt: CHK_SALT,
+        info: CHK_INFO,
+        hash: 'SHA-256',
+    }, hkdfKey, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
+}
+/**
+ * Compute content hash (SHA256) - this becomes the decryption key for CHK
+ */
+export async function contentHash(data) {
+    return sha256(data);
+}
+/**
+ * CHK encrypt: derive key from content, encrypt with zero nonce
+ *
+ * Returns: (ciphertext with auth tag, content_hash as decryption key)
+ *
+ * Zero nonce is safe because CHK guarantees: same key = same content.
+ * We never encrypt different content with the same key.
+ *
+ * The content_hash is both:
+ * - The decryption key (store securely, share with authorized users)
+ * - Enables dedup: same content → same ciphertext
+ *
+ * @param plaintext - Data to encrypt
+ * @returns Object with encrypted data and content hash (decryption key)
+ */
+export async function encryptChk(plaintext) {
+    // 1. Compute content hash - this is the "key" we return
+    const chash = await contentHash(plaintext);
+    // 2. Derive actual encryption key from content hash via HKDF
+    const cryptoKey = await deriveKey(chash);
+    // 3. Zero nonce - safe because same key = same content with CHK
+    const zeroNonce = new Uint8Array(IV_SIZE);
+    // 4. Copy plaintext to clean ArrayBuffer for WebCrypto
+    const plaintextBuffer = new ArrayBuffer(plaintext.length);
+    new Uint8Array(plaintextBuffer).set(plaintext);
+    // 5. Encrypt
+    const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: zeroNonce }, cryptoKey, plaintextBuffer);
+    return {
+        ciphertext: new Uint8Array(ciphertext),
+        key: chash
+    };
+}
+/**
+ * CHK decrypt: derive key from content_hash, decrypt with zero nonce
+ *
+ * @param ciphertext - Encrypted data (includes auth tag)
+ * @param key - Content hash returned from encryptChk
+ * @returns Decrypted plaintext
+ * @throws Error if decryption fails (wrong key or tampered data)
+ */
+export async function decryptChk(ciphertext, key) {
+    if (key.length !== 32) {
+        throw new Error('CHK key must be 32 bytes');
+    }
+    if (ciphertext.length < MIN_CHK_ENCRYPTED_SIZE) {
+        throw new Error('CHK encrypted data too short');
+    }
+    // Derive encryption key from content hash
+    const cryptoKey = await deriveKey(key);
+    // Zero nonce
+    const zeroNonce = new Uint8Array(IV_SIZE);
+    // Copy ciphertext to clean ArrayBuffer for WebCrypto
+    const ciphertextBuffer = new ArrayBuffer(ciphertext.length);
+    new Uint8Array(ciphertextBuffer).set(ciphertext);
+    const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: zeroNonce }, cryptoKey, ciphertextBuffer);
+    return new Uint8Array(plaintext);
+}
+/**
+ * Calculate encrypted size for CHK (no nonce prefix, just ciphertext + auth tag)
+ */
+export function encryptedSizeChk(plaintextSize) {
+    return plaintextSize + TAG_SIZE;
+}
+/**
+ * Encrypt data using AES-256-GCM with random IV
+ * @deprecated Use encryptChk for deterministic CHK encryption
+ *
+ * @param plaintext - Data to encrypt
+ * @param key - 32-byte encryption key
+ * @returns Encrypted data: [12-byte IV][ciphertext + 16-byte auth tag]
+ */
+export async function encrypt(plaintext, key) {
+    if (key.length !== 32) {
+        throw new Error('Encryption key must be 32 bytes');
+    }
+    const iv = new Uint8Array(IV_SIZE);
+    crypto.getRandomValues(iv);
+    const cryptoKey = await importKey(key);
+    // Copy plaintext to clean ArrayBuffer for WebCrypto
+    const plaintextBuffer = new ArrayBuffer(plaintext.length);
+    new Uint8Array(plaintextBuffer).set(plaintext);
+    const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, cryptoKey, plaintextBuffer);
+    // Prepend IV to ciphertext
+    const result = new Uint8Array(IV_SIZE + ciphertext.byteLength);
+    result.set(iv, 0);
+    result.set(new Uint8Array(ciphertext), IV_SIZE);
+    return result;
+}
+/**
+ * Decrypt data using AES-256-GCM
+ *
+ * @param encrypted - Encrypted data: [12-byte IV][ciphertext + auth tag]
+ * @param key - 32-byte encryption key
+ * @returns Decrypted plaintext
+ * @throws Error if decryption fails (wrong key or tampered data)
+ */
+export async function decrypt(encrypted, key) {
+    if (key.length !== 32) {
+        throw new Error('Encryption key must be 32 bytes');
+    }
+    if (encrypted.length < MIN_ENCRYPTED_SIZE) {
+        throw new Error('Encrypted data too short');
+    }
+    const iv = encrypted.slice(0, IV_SIZE);
+    const ciphertext = encrypted.slice(IV_SIZE);
+    const cryptoKey = await importKey(key);
+    const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, cryptoKey, ciphertext);
+    return new Uint8Array(plaintext);
+}
+/**
+ * Check if data could be encrypted (based on minimum size).
+ * Note: This is a heuristic - actual encrypted data might be larger.
+ */
+export function couldBeEncrypted(data) {
+    return data.length >= MIN_ENCRYPTED_SIZE;
+}
+/**
+ * Calculate encrypted size for given plaintext size
+ */
+export function encryptedSize(plaintextSize) {
+    return IV_SIZE + plaintextSize + TAG_SIZE;
+}
+/**
+ * Calculate plaintext size from encrypted size
+ */
+export function plaintextSize(encryptedSize) {
+    return Math.max(0, encryptedSize - IV_SIZE - TAG_SIZE);
+}
+/** Convert key to hex string */
+export function keyToHex(key) {
+    return Array.from(key).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+/** Convert hex string to key */
+export function keyFromHex(hex) {
+    if (hex.length !== 64) {
+        throw new Error('Key hex must be 64 characters (32 bytes)');
+    }
+    const key = new Uint8Array(32);
+    for (let i = 0; i < 32; i++) {
+        key[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    }
+    return key;
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAKnC,gCAAgC;AAChC,MAAM,OAAO,GAAG,EAAE,CAAC;AAEnB,gCAAgC;AAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;AAEpB,gEAAgE;AAChE,MAAM,kBAAkB,GAAG,OAAO,GAAG,QAAQ,CAAC;AAE9C,mDAAmD;AACnD,MAAM,sBAAsB,GAAG,QAAQ,CAAC;AAExC,uCAAuC;AACvC,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1D,uCAAuC;AACvC,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;AAE5D,+CAA+C;AAC/C,MAAM,UAAU,WAAW;IACzB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,SAAS,CAAC,GAAkB;IACzC,qEAAqE;IACrE,MAAM,SAAS,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,SAAS,EACT,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,SAAS,CAAC,WAA0B;IACjD,2CAA2C;IAC3C,MAAM,SAAS,GAAG,IAAI,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACtD,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAE3C,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC3C,KAAK,EACL,SAAS,EACT,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;IAEF,gCAAgC;IAChC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B;QACE,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,SAAS;KAChB,EACD,OAAO,EACP,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAgB;IAChD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,SAAqB;IACpD,wDAAwD;IACxD,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,CAAC;IAE3C,6DAA6D;IAC7D,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;IAEzC,gEAAgE;IAChE,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;IAE1C,uDAAuD;IACvD,MAAM,eAAe,GAAG,IAAI,WAAW,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1D,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/C,aAAa;IACb,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,EAClC,SAAS,EACT,eAAe,CAChB,CAAC;IAEF,OAAO;QACL,UAAU,EAAE,IAAI,UAAU,CAAC,UAAU,CAAC;QACtC,GAAG,EAAE,KAAK;KACX,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,UAAsB,EAAE,GAAkB;IACzE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,GAAG,sBAAsB,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,0CAA0C;IAC1C,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;IAEvC,aAAa;IACb,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;IAE1C,qDAAqD;IACrD,MAAM,gBAAgB,GAAG,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAEjD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,EAClC,SAAS,EACT,gBAAgB,CACjB,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,aAAqB;IACpD,OAAO,aAAa,GAAG,QAAQ,CAAC;AAClC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,SAAqB,EAAE,GAAkB;IACrE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IAE3B,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;IAEvC,oDAAoD;IACpD,MAAM,eAAe,GAAG,IAAI,WAAW,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1D,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/C,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,SAAS,EACT,eAAe,CAChB,CAAC;IAEF,2BAA2B;IAC3B,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,OAAO,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;IAC/D,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAClB,MAAM,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;IAEhD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,SAAqB,EAAE,GAAkB;IACrE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAE5C,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;IAEvC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,SAAS,EACT,UAAU,CACX,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAgB;IAC/C,OAAO,IAAI,CAAC,MAAM,IAAI,kBAAkB,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,aAAqB;IACjD,OAAO,OAAO,GAAG,aAAa,GAAG,QAAQ,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,aAAqB;IACjD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,aAAa,GAAG,OAAO,GAAG,QAAQ,CAAC,CAAC;AACzD,CAAC;AAED,gCAAgC;AAChC,MAAM,UAAU,QAAQ,CAAC,GAAkB;IACzC,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,gCAAgC;AAChC,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,GAAG,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/encrypted.d.ts

@@ -0,0 +1,114 @@
+/**
+ * CHK (Content Hash Key) encrypted file operations for HashTree
+ *
+ * Everything uses CHK encryption:
+ * - Chunks: key = SHA256(plaintext)
+ * - Tree nodes: key = SHA256(msgpack_encoded_node)
+ *
+ * Same content → same ciphertext → deduplication works at all levels.
+ * The root key is deterministic: same file = same CID (hash + key).
+ */
+import { Store, Hash, TreeNode, LinkType } from './types.js';
+import { type EncryptionKey } from './crypto.js';
+export interface EncryptedTreeConfig {
+    store: Store;
+    chunkSize: number;
+}
+/**
+ * Result of encrypted file storage
+ */
+export interface EncryptedPutResult {
+    /** Root hash of encrypted tree */
+    hash: Hash;
+    /** Original plaintext size */
+    size: number;
+    /** Encryption key for the root (content hash for CHK) */
+    key: EncryptionKey;
+}
+/**
+ * Store a file with CHK encryption
+ *
+ * Everything is CHK encrypted - deterministic, enables full deduplication.
+ * Returns hash + key, both derived from content.
+ *
+ * @param config - Tree configuration
+ * @param data - File data to encrypt and store
+ * @returns Hash of encrypted root and the encryption key (content hash)
+ */
+export declare function putFileEncrypted(config: EncryptedTreeConfig, data: Uint8Array): Promise<EncryptedPutResult>;
+/**
+ * Read an encrypted file
+ *
+ * Key is always the CHK key (content hash of plaintext)
+ *
+ * @param store - Storage backend
+ * @param hash - Root hash of encrypted file
+ * @param key - CHK decryption key (content hash)
+ * @returns Decrypted file data
+ */
+export declare function readFileEncrypted(store: Store, hash: Hash, key: EncryptionKey): Promise<Uint8Array | null>;
+export interface StreamOptions {
+    /** Byte offset to start streaming from (default: 0) */
+    offset?: number;
+    /** Number of chunks to prefetch ahead (default: 1 = no prefetch) */
+    prefetch?: number;
+}
+/**
+ * Stream an encrypted file
+ * @param store - Storage backend
+ * @param hash - Root hash of encrypted file
+ * @param key - CHK decryption key (content hash)
+ * @param options - Streaming options
+ */
+export declare function readFileEncryptedStream(store: Store, hash: Hash, key: EncryptionKey, options?: StreamOptions): AsyncGenerator<Uint8Array>;
+/**
+ * Read a range of bytes from an encrypted file
+ */
+export declare function readFileEncryptedRange(store: Store, hash: Hash, key: EncryptionKey, start: number, end?: number): Promise<Uint8Array | null>;
+/**
+ * Directory entry with optional encryption key
+ */
+export interface EncryptedDirEntry {
+    name: string;
+    hash: Hash;
+    size: number;
+    /** CHK key for encrypted children */
+    key?: Uint8Array;
+    /** Type of this entry: Blob, File, or Dir */
+    type: LinkType;
+    /** Optional metadata (createdAt, mimeType, thumbnail, etc.) */
+    meta?: Record<string, unknown>;
+}
+/**
+ * Store a directory with CHK encryption
+ *
+ * The directory node itself is encrypted. Child entries already have their own keys.
+ * Large directories are chunked by bytes like files using putFileEncrypted.
+ *
+ * @param config - Tree configuration
+ * @param entries - Directory entries (with keys for encrypted children)
+ * @returns Hash of encrypted directory and the encryption key
+ */
+export declare function putDirectoryEncrypted(config: EncryptedTreeConfig, entries: EncryptedDirEntry[]): Promise<EncryptedPutResult>;
+/**
+ * List directory entries from an encrypted directory
+ *
+ * Handles both small directories (single node) and large directories
+ * (chunked by bytes like files).
+ *
+ * @param store - Storage backend
+ * @param hash - Hash of encrypted directory
+ * @param key - CHK decryption key
+ * @returns Directory entries with their encryption keys
+ */
+export declare function listDirectoryEncrypted(store: Store, hash: Hash, key: EncryptionKey): Promise<EncryptedDirEntry[]>;
+/**
+ * Get a tree node from encrypted storage
+ *
+ * @param store - Storage backend
+ * @param hash - Hash of encrypted node
+ * @param key - CHK decryption key
+ * @returns Decrypted tree node
+ */
+export declare function getTreeNodeEncrypted(store: Store, hash: Hash, key: EncryptionKey): Promise<TreeNode | null>;
+//# sourceMappingURL=encrypted.d.ts.map

package/dist/encrypted.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted.d.ts","sourceRoot":"","sources":["../src/encrypted.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAQ,QAAQ,EAAS,MAAM,YAAY,CAAC;AAG1E,OAAO,EAA0B,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAEzE,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,KAAK,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,kCAAkC;IAClC,IAAI,EAAE,IAAI,CAAC;IACX,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,GAAG,EAAE,aAAa,CAAC;CACpB;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,mBAAmB,EAC3B,IAAI,EAAE,UAAU,GACf,OAAO,CAAC,kBAAkB,CAAC,CAqC7B;AAiCD;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,aAAa,GACjB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAe5B;AAmFD,MAAM,WAAW,aAAa;IAC5B,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAuB,uBAAuB,CAC5C,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,aAAa,EAClB,OAAO,GAAE,aAAkB,GAC1B,cAAc,CAAC,UAAU,CAAC,CAiB5B;AA4GD;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,aAAa,EAClB,KAAK,EAAE,MAAM,EACb,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAe5B;AAmFD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,IAAI,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB,6CAA6C;IAC7C,IAAI,EAAE,QAAQ,CAAC;IACf,+DAA+D;IAC/D,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,mBAAmB,EAC3B,OAAO,EAAE,iBAAiB,EAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CA+B7B;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,aAAa,GACjB,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAoB9B;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,aAAa,GACjB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAO1B"}