@haven-chat-org/core 1.0.0

package/README.md

@@ -0,0 +1,71 @@
+# haven-core
+
+Shared TypeScript library providing cryptographic primitives, API client, and type definitions used by the web frontend (and any future clients).
+
+## Structure
+
+```
+src/
+├── types.ts            # All shared TypeScript interfaces and types
+├── index.ts            # Public API re-exports
+├── crypto/
+│   ├── utils.ts        # libsodium init, base64 helpers, key generation
+│   ├── x3dh.ts         # X3DH key agreement (initiator + responder)
+│   ├── double-ratchet.ts  # Double Ratchet session (DM encryption)
+│   ├── sender-keys.ts  # Sender Keys protocol (group channel encryption)
+│   ├── file-crypto.ts  # XChaCha20-Poly1305 file encryption
+│   └── store.ts        # MemoryStore for key material (in-memory only)
+├── net/
+│   ├── api.ts          # HavenApi — type-safe REST client with JWT management
+│   └── ws.ts           # HavenWs — WebSocket client with auto-reconnect
+└── store/
+    └── memory-store.ts # In-memory key/session storage
+```
+
+## E2EE Model
+
+### DMs (X3DH + Double Ratchet)
+1. Initiator fetches recipient's key bundle (identity key + signed prekey + one-time prekey)
+2. X3DH key agreement produces a shared secret
+3. Double Ratchet session provides forward secrecy and break-in recovery
+4. Wire format: `[0x01 or 0x02][encrypted payload]`
+
+### Server Channels (Sender Keys)
+1. Each user generates a sender key per channel
+2. Sender Key Distribution Messages (SKDMs) are encrypted to each member's identity key via `crypto_box_seal`
+3. Wire format: `[0x03][distributionId:16][chainIndex:4 LE][nonce:24][ciphertext+tag]`
+
+### Files
+- XChaCha20-Poly1305 client-side encryption
+- Key and nonce embedded in the message payload (encrypted along with the message)
+- File sizes are padded to prevent type inference
+
+## Building
+
+```bash
+npm install
+npm run build    # Compiles to dist/ via tsc
+```
+
+**Important**: The web frontend imports from `dist/`, not `src/`. You must rebuild haven-core after any changes for the frontend to pick them up.
+
+## Testing
+
+```bash
+npx vitest run    # 78 tests
+```
+
+## API Client
+
+The `HavenApi` class handles JWT token management, automatic PoW solving for registration, and typed request/response for every endpoint:
+
+```typescript
+import { HavenApi } from '@haven/core';
+
+const api = new HavenApi({ baseUrl: 'https://chat.example.com' });
+await api.register({ username, password, ...keys });
+await api.login({ username, password });
+const servers = await api.listServers();
+```
+
+Covers all Haven API areas: auth, servers, channels, messages, sender keys, roles, friends, invites, voice (join/leave/participants/mute/deafen), attachments (upload/download), link previews, admin, and user management.

package/dist/crypto/backup.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Encrypted key backup — derives a symmetric key from a security phrase
+ * using Argon2id, then encrypts all crypto state with XSalsa20-Poly1305.
+ */
+export interface BackupEncryptResult {
+    encrypted: Uint8Array;
+    nonce: Uint8Array;
+    salt: Uint8Array;
+}
+/**
+ * The plaintext JSON structure that gets encrypted into the backup blob.
+ */
+export interface BackupPayload {
+    version: 1;
+    identity: {
+        publicKey: string;
+        privateKey: string;
+    };
+    signedPreKey: {
+        publicKey: string;
+        privateKey: string;
+        signature: string;
+    };
+    sessions: Record<string, {
+        state: SerializedSessionState;
+        ad: string;
+    }>;
+    mySenderKeys: Record<string, {
+        distributionId: string;
+        chainKey: string;
+        chainIndex: number;
+    }>;
+    receivedSenderKeys: Record<string, {
+        fromUserId: string;
+        key: {
+            distributionId: string;
+            chainKey: string;
+            chainIndex: number;
+        };
+    }>;
+    distributedChannels: string[];
+    channelPeerMap: Record<string, string>;
+    timestamp: string;
+}
+/**
+ * SessionState with Uint8Arrays serialized to base64 strings for JSON safety.
+ */
+export interface SerializedSessionState {
+    dhSend: {
+        publicKey: string;
+        privateKey: string;
+    };
+    dhRecv: string | null;
+    rootKey: string;
+    chainKeySend: string | null;
+    chainKeyRecv: string | null;
+    sendCount: number;
+    recvCount: number;
+    prevSendCount: number;
+    skippedKeys: Array<{
+        dhPub: string;
+        n: number;
+        mk: string;
+    }>;
+}
+/**
+ * Derive a 32-byte symmetric key from a security phrase using Argon2id.
+ */
+export declare function deriveBackupKey(securityPhrase: string, salt: Uint8Array): Uint8Array;
+/**
+ * Encrypt a backup payload with a security phrase.
+ * Generates a fresh salt and nonce.
+ */
+export declare function encryptBackup(plaintext: Uint8Array, securityPhrase: string): BackupEncryptResult;
+/**
+ * Decrypt a backup payload using a security phrase, salt, and nonce.
+ * Throws if the phrase is wrong (authentication failure).
+ */
+export declare function decryptBackup(encrypted: Uint8Array, nonce: Uint8Array, salt: Uint8Array, securityPhrase: string): Uint8Array;
+/**
+ * Generate a cryptographically random recovery key as a human-readable
+ * string (groups of 4 base32 characters separated by dashes).
+ *
+ * Example: "ABCD-EFGH-IJKL-MNOP-QRST-UVWX-YZ23-4567"
+ * 20 random bytes = 160 bits of entropy.
+ */
+export declare function generateRecoveryKey(): string;

package/dist/crypto/backup.js

@@ -0,0 +1,62 @@
+/**
+ * Encrypted key backup — derives a symmetric key from a security phrase
+ * using Argon2id, then encrypts all crypto state with XSalsa20-Poly1305.
+ */
+import { getSodium, randomBytes } from "./utils.js";
+// Argon2id parameters — OWASP recommended for interactive hashing
+const ARGON2_OPSLIMIT = 3; // crypto_pwhash_OPSLIMIT_MODERATE
+const ARGON2_MEMLIMIT = 67108864; // 64 MB — safe for browsers (256MB can OOM on mobile)
+const SALT_BYTES = 16; // crypto_pwhash_SALTBYTES
+/**
+ * Derive a 32-byte symmetric key from a security phrase using Argon2id.
+ */
+export function deriveBackupKey(securityPhrase, salt) {
+    const sodium = getSodium();
+    return sodium.crypto_pwhash(sodium.crypto_secretbox_KEYBYTES, // 32
+    securityPhrase, salt, ARGON2_OPSLIMIT, ARGON2_MEMLIMIT, sodium.crypto_pwhash_ALG_ARGON2ID13);
+}
+/**
+ * Encrypt a backup payload with a security phrase.
+ * Generates a fresh salt and nonce.
+ */
+export function encryptBackup(plaintext, securityPhrase) {
+    const sodium = getSodium();
+    const salt = randomBytes(SALT_BYTES);
+    const key = deriveBackupKey(securityPhrase, salt);
+    const nonce = randomBytes(sodium.crypto_secretbox_NONCEBYTES); // 24 bytes
+    const encrypted = sodium.crypto_secretbox_easy(plaintext, nonce, key);
+    return { encrypted, nonce, salt };
+}
+/**
+ * Decrypt a backup payload using a security phrase, salt, and nonce.
+ * Throws if the phrase is wrong (authentication failure).
+ */
+export function decryptBackup(encrypted, nonce, salt, securityPhrase) {
+    const sodium = getSodium();
+    const key = deriveBackupKey(securityPhrase, salt);
+    return sodium.crypto_secretbox_open_easy(encrypted, nonce, key);
+}
+/**
+ * Generate a cryptographically random recovery key as a human-readable
+ * string (groups of 4 base32 characters separated by dashes).
+ *
+ * Example: "ABCD-EFGH-IJKL-MNOP-QRST-UVWX-YZ23-4567"
+ * 20 random bytes = 160 bits of entropy.
+ */
+export function generateRecoveryKey() {
+    const bytes = randomBytes(20);
+    // Encode as base32 for human readability
+    const base32Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+    let bits = "";
+    for (const b of bytes) {
+        bits += b.toString(2).padStart(8, "0");
+    }
+    let encoded = "";
+    for (let i = 0; i + 5 <= bits.length; i += 5) {
+        encoded += base32Chars[parseInt(bits.slice(i, i + 5), 2)];
+    }
+    // Format into groups of 4
+    const groups = encoded.match(/.{1,4}/g) || [];
+    return groups.join("-");
+}
+//# sourceMappingURL=backup.js.map

package/dist/crypto/backup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"backup.js","sourceRoot":"","sources":["../../src/crypto/backup.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,SAAS,EAAwB,WAAW,EAAE,MAAM,YAAY,CAAC;AAE1E,kEAAkE;AAClE,MAAM,eAAe,GAAG,CAAC,CAAC,CAAO,kCAAkC;AACnE,MAAM,eAAe,GAAG,QAAQ,CAAC,CAAC,sDAAsD;AACxF,MAAM,UAAU,GAAG,EAAE,CAAC,CAAY,0BAA0B;AA2D5D;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,cAAsB,EACtB,IAAgB;IAEhB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,OAAO,MAAM,CAAC,aAAa,CACzB,MAAM,CAAC,yBAAyB,EAAE,KAAK;IACvC,cAAc,EACd,IAAI,EACJ,eAAe,EACf,eAAe,EACf,MAAM,CAAC,4BAA4B,CACpC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,SAAqB,EACrB,cAAsB;IAEtB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC,WAAW;IAC1E,MAAM,SAAS,GAAG,MAAM,CAAC,qBAAqB,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IACtE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,SAAqB,EACrB,KAAiB,EACjB,IAAgB,EAChB,cAAsB;IAEtB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,eAAe,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;IAClD,OAAO,MAAM,CAAC,0BAA0B,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC9B,yCAAyC;IACzC,MAAM,WAAW,GAAG,kCAAkC,CAAC;IACvD,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IACD,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC5D,CAAC;IACD,0BAA0B;IAC1B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC"}

package/dist/crypto/double-ratchet.d.ts

@@ -0,0 +1,104 @@
+/**
+ * Signal Protocol Double Ratchet implementation.
+ *
+ * Provides forward secrecy and break-in recovery for 1-on-1 DM sessions.
+ * After X3DH establishes a shared secret, this module handles all subsequent
+ * message encryption and decryption.
+ *
+ * References:
+ *   - https://signal.org/docs/specifications/doubleratchet/
+ *   - https://signal.org/docs/specifications/x3dh/
+ */
+import { type DHKeyPair } from "./keys.js";
+/** Message header sent in the clear (alongside ciphertext). */
+export interface MessageHeader {
+    dhPublicKey: Uint8Array;
+    pn: number;
+    n: number;
+}
+/** An encrypted Double Ratchet message ready for the wire. */
+export interface EncryptedMessage {
+    header: MessageHeader;
+    nonce: Uint8Array;
+    ciphertext: Uint8Array;
+}
+/** Serializable session state for persistence. */
+export interface SessionState {
+    dhSend: {
+        publicKey: Uint8Array;
+        privateKey: Uint8Array;
+    };
+    dhRecv: Uint8Array | null;
+    rootKey: Uint8Array;
+    chainKeySend: Uint8Array | null;
+    chainKeyRecv: Uint8Array | null;
+    sendCount: number;
+    recvCount: number;
+    prevSendCount: number;
+    skippedKeys: Array<{
+        dhPub: Uint8Array;
+        n: number;
+        mk: Uint8Array;
+    }>;
+}
+export declare class DoubleRatchetSession {
+    private dhSend;
+    private dhRecv;
+    private rootKey;
+    private chainKeySend;
+    private chainKeyRecv;
+    private sendCount;
+    private recvCount;
+    private prevSendCount;
+    private skippedKeys;
+    private associatedData;
+    private constructor();
+    /**
+     * Initialize as the INITIATOR (Alice).
+     * Called after X3DH produces a shared key.
+     *
+     * @param sharedKey       The SK from X3DH (32 bytes)
+     * @param associatedData  AD = IK_A || IK_B (64 bytes)
+     * @param bobSignedPreKeyPub  Bob's signed prekey public key (the one from X3DH)
+     */
+    static initAlice(sharedKey: Uint8Array, associatedData: Uint8Array, bobSignedPreKeyPub: Uint8Array): DoubleRatchetSession;
+    /**
+     * Initialize as the RESPONDER (Bob).
+     * Called after X3DH when Bob receives Alice's initial message.
+     *
+     * @param sharedKey       The SK from X3DH (32 bytes)
+     * @param associatedData  AD = IK_A || IK_B (64 bytes)
+     * @param bobSignedPreKeyPair  Bob's signed prekey pair (used in X3DH)
+     */
+    static initBob(sharedKey: Uint8Array, associatedData: Uint8Array, bobSignedPreKeyPair: DHKeyPair): DoubleRatchetSession;
+    /**
+     * Encrypt a plaintext message.
+     */
+    encrypt(plaintext: Uint8Array): EncryptedMessage;
+    /**
+     * Decrypt a received message.
+     */
+    decrypt(message: EncryptedMessage): Uint8Array;
+    private dhRatchet;
+    private skipKeys;
+    private trySkippedKeys;
+    private aedEncrypt;
+    private aedDecrypt;
+    /**
+     * Export session state for persistent storage.
+     */
+    serialize(): SessionState;
+    /**
+     * Restore a session from serialized state.
+     */
+    static deserialize(state: SessionState, associatedData: Uint8Array): DoubleRatchetSession;
+}
+/**
+ * Serialize an encrypted message to bytes for transmission.
+ * Format: [dh_pub:32][pn:4 LE][n:4 LE][nonce:24][ciphertext:rest]
+ */
+export declare function serializeMessage(msg: EncryptedMessage): Uint8Array;
+/**
+ * Deserialize bytes back into an encrypted message.
+ */
+export declare function deserializeMessage(buf: Uint8Array): EncryptedMessage;

package/dist/crypto/double-ratchet.js

@@ -0,0 +1,274 @@
+/**
+ * Signal Protocol Double Ratchet implementation.
+ *
+ * Provides forward secrecy and break-in recovery for 1-on-1 DM sessions.
+ * After X3DH establishes a shared secret, this module handles all subsequent
+ * message encryption and decryption.
+ *
+ * References:
+ *   - https://signal.org/docs/specifications/doubleratchet/
+ *   - https://signal.org/docs/specifications/x3dh/
+ */
+import { dh, generateDHKeyPair } from "./keys.js";
+import { getSodium, kdfRK, kdfCK, randomBytes } from "./utils.js";
+// ─── Constants ─────────────────────────────────────────
+const MAX_SKIP = 256;
+const NONCE_LEN = 24; // XChaCha20-Poly1305
+const TAG_LEN = 16; // Poly1305 auth tag
+// ─── Session ───────────────────────────────────────────
+export class DoubleRatchetSession {
+    dhSend;
+    dhRecv;
+    rootKey;
+    chainKeySend;
+    chainKeyRecv;
+    sendCount;
+    recvCount;
+    prevSendCount;
+    skippedKeys; // "hex(dhPub):n" -> messageKey
+    associatedData;
+    constructor(ad) {
+        this.dhSend = { publicKey: new Uint8Array(32), privateKey: new Uint8Array(32) };
+        this.dhRecv = null;
+        this.rootKey = new Uint8Array(32);
+        this.chainKeySend = null;
+        this.chainKeyRecv = null;
+        this.sendCount = 0;
+        this.recvCount = 0;
+        this.prevSendCount = 0;
+        this.skippedKeys = new Map();
+        this.associatedData = ad;
+    }
+    /**
+     * Initialize as the INITIATOR (Alice).
+     * Called after X3DH produces a shared key.
+     *
+     * @param sharedKey       The SK from X3DH (32 bytes)
+     * @param associatedData  AD = IK_A || IK_B (64 bytes)
+     * @param bobSignedPreKeyPub  Bob's signed prekey public key (the one from X3DH)
+     */
+    static initAlice(sharedKey, associatedData, bobSignedPreKeyPub) {
+        const session = new DoubleRatchetSession(associatedData);
+        session.dhSend = generateDHKeyPair();
+        session.dhRecv = bobSignedPreKeyPub;
+        // First ratchet step: derive initial sending chain key
+        const [rk, cks] = kdfRK(sharedKey, dh(session.dhSend.privateKey, session.dhRecv));
+        session.rootKey = rk;
+        session.chainKeySend = cks;
+        return session;
+    }
+    /**
+     * Initialize as the RESPONDER (Bob).
+     * Called after X3DH when Bob receives Alice's initial message.
+     *
+     * @param sharedKey       The SK from X3DH (32 bytes)
+     * @param associatedData  AD = IK_A || IK_B (64 bytes)
+     * @param bobSignedPreKeyPair  Bob's signed prekey pair (used in X3DH)
+     */
+    static initBob(sharedKey, associatedData, bobSignedPreKeyPair) {
+        const session = new DoubleRatchetSession(associatedData);
+        session.dhSend = bobSignedPreKeyPair;
+        session.rootKey = sharedKey;
+        // CKs and CKr are null — will be derived on first message
+        return session;
+    }
+    // ─── Encrypt ───────────────────────────────────────
+    /**
+     * Encrypt a plaintext message.
+     */
+    encrypt(plaintext) {
+        if (!this.chainKeySend) {
+            throw new Error("Sending chain not initialized");
+        }
+        const [newCK, mk] = kdfCK(this.chainKeySend);
+        this.chainKeySend = newCK;
+        const header = {
+            dhPublicKey: this.dhSend.publicKey,
+            pn: this.prevSendCount,
+            n: this.sendCount,
+        };
+        this.sendCount++;
+        const { nonce, ciphertext } = this.aedEncrypt(mk, plaintext, header);
+        return { header, nonce, ciphertext };
+    }
+    // ─── Decrypt ───────────────────────────────────────
+    /**
+     * Decrypt a received message.
+     */
+    decrypt(message) {
+        // Try skipped message keys first (out-of-order delivery)
+        const skippedResult = this.trySkippedKeys(message);
+        if (skippedResult)
+            return skippedResult;
+        // Check if we need a DH ratchet step (new DH key from sender)
+        const needsRatchet = !this.dhRecv || !uint8Eq(message.header.dhPublicKey, this.dhRecv);
+        if (needsRatchet) {
+            this.skipKeys(message.header.pn);
+            this.dhRatchet(message.header.dhPublicKey);
+        }
+        this.skipKeys(message.header.n);
+        if (!this.chainKeyRecv) {
+            throw new Error("Receiving chain not initialized");
+        }
+        const [newCK, mk] = kdfCK(this.chainKeyRecv);
+        this.chainKeyRecv = newCK;
+        this.recvCount++;
+        return this.aedDecrypt(mk, message.ciphertext, message.nonce, message.header);
+    }
+    // ─── DH Ratchet Step ──────────────────────────────
+    dhRatchet(newDhPub) {
+        this.prevSendCount = this.sendCount;
+        this.sendCount = 0;
+        this.recvCount = 0;
+        this.dhRecv = newDhPub;
+        // Derive new receiving chain
+        const [rk1, ckr] = kdfRK(this.rootKey, dh(this.dhSend.privateKey, this.dhRecv));
+        this.rootKey = rk1;
+        this.chainKeyRecv = ckr;
+        // Generate new DH keypair and derive new sending chain
+        this.dhSend = generateDHKeyPair();
+        const [rk2, cks] = kdfRK(this.rootKey, dh(this.dhSend.privateKey, this.dhRecv));
+        this.rootKey = rk2;
+        this.chainKeySend = cks;
+    }
+    // ─── Skipped Keys ─────────────────────────────────
+    skipKeys(until) {
+        if (!this.chainKeyRecv)
+            return;
+        if (until - this.recvCount > MAX_SKIP) {
+            throw new Error("Too many skipped messages");
+        }
+        while (this.recvCount < until) {
+            const [newCK, mk] = kdfCK(this.chainKeyRecv);
+            this.chainKeyRecv = newCK;
+            const key = skippedKeyId(this.dhRecv, this.recvCount);
+            this.skippedKeys.set(key, mk);
+            this.recvCount++;
+        }
+    }
+    trySkippedKeys(message) {
+        const key = skippedKeyId(message.header.dhPublicKey, message.header.n);
+        const mk = this.skippedKeys.get(key);
+        if (!mk)
+            return null;
+        this.skippedKeys.delete(key);
+        return this.aedDecrypt(mk, message.ciphertext, message.nonce, message.header);
+    }
+    // ─── AEAD Encryption ──────────────────────────────
+    aedEncrypt(mk, plaintext, header) {
+        const nonce = randomBytes(NONCE_LEN);
+        const ad = buildAD(this.associatedData, header);
+        const ciphertext = getSodium().crypto_aead_xchacha20poly1305_ietf_encrypt(plaintext, ad, null, // nsec (unused in this AEAD)
+        nonce, mk);
+        return { nonce, ciphertext };
+    }
+    aedDecrypt(mk, ciphertext, nonce, header) {
+        const ad = buildAD(this.associatedData, header);
+        return getSodium().crypto_aead_xchacha20poly1305_ietf_decrypt(null, // nsec
+        ciphertext, ad, nonce, mk);
+    }
+    // ─── Serialization ────────────────────────────────
+    /**
+     * Export session state for persistent storage.
+     */
+    serialize() {
+        return {
+            dhSend: { publicKey: this.dhSend.publicKey, privateKey: this.dhSend.privateKey },
+            dhRecv: this.dhRecv,
+            rootKey: this.rootKey,
+            chainKeySend: this.chainKeySend,
+            chainKeyRecv: this.chainKeyRecv,
+            sendCount: this.sendCount,
+            recvCount: this.recvCount,
+            prevSendCount: this.prevSendCount,
+            skippedKeys: Array.from(this.skippedKeys.entries()).map(([id, mk]) => {
+                const [hexPub, nStr] = id.split(":");
+                return { dhPub: hexToBytes(hexPub), n: parseInt(nStr, 10), mk };
+            }),
+        };
+    }
+    /**
+     * Restore a session from serialized state.
+     */
+    static deserialize(state, associatedData) {
+        const session = new DoubleRatchetSession(associatedData);
+        session.dhSend = state.dhSend;
+        session.dhRecv = state.dhRecv;
+        session.rootKey = state.rootKey;
+        session.chainKeySend = state.chainKeySend;
+        session.chainKeyRecv = state.chainKeyRecv;
+        session.sendCount = state.sendCount;
+        session.recvCount = state.recvCount;
+        session.prevSendCount = state.prevSendCount;
+        for (const { dhPub, n, mk } of state.skippedKeys) {
+            session.skippedKeys.set(skippedKeyId(dhPub, n), mk);
+        }
+        return session;
+    }
+}
+// ─── Wire Format ───────────────────────────────────────
+/**
+ * Serialize an encrypted message to bytes for transmission.
+ * Format: [dh_pub:32][pn:4 LE][n:4 LE][nonce:24][ciphertext:rest]
+ */
+export function serializeMessage(msg) {
+    const buf = new Uint8Array(32 + 4 + 4 + NONCE_LEN + msg.ciphertext.length);
+    const view = new DataView(buf.buffer);
+    buf.set(msg.header.dhPublicKey, 0);
+    view.setUint32(32, msg.header.pn, true);
+    view.setUint32(36, msg.header.n, true);
+    buf.set(msg.nonce, 40);
+    buf.set(msg.ciphertext, 40 + NONCE_LEN);
+    return buf;
+}
+/**
+ * Deserialize bytes back into an encrypted message.
+ */
+export function deserializeMessage(buf) {
+    if (buf.length < 40 + NONCE_LEN + TAG_LEN) {
+        throw new Error("Message too short");
+    }
+    const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
+    return {
+        header: {
+            dhPublicKey: buf.slice(0, 32),
+            pn: view.getUint32(32, true),
+            n: view.getUint32(36, true),
+        },
+        nonce: buf.slice(40, 40 + NONCE_LEN),
+        ciphertext: buf.slice(40 + NONCE_LEN),
+    };
+}
+// ─── Helpers ───────────────────────────────────────────
+function buildAD(sessionAD, header) {
+    const ad = new Uint8Array(sessionAD.length + 32 + 4 + 4);
+    const view = new DataView(ad.buffer);
+    ad.set(sessionAD, 0);
+    ad.set(header.dhPublicKey, sessionAD.length);
+    view.setUint32(sessionAD.length + 32, header.pn, true);
+    view.setUint32(sessionAD.length + 36, header.n, true);
+    return ad;
+}
+function skippedKeyId(dhPub, n) {
+    return `${bytesToHex(dhPub)}:${n}`;
+}
+function uint8Eq(a, b) {
+    if (a.length !== b.length)
+        return false;
+    for (let i = 0; i < a.length; i++) {
+        if (a[i] !== b[i])
+            return false;
+    }
+    return true;
+}
+function bytesToHex(bytes) {
+    return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function hexToBytes(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < bytes.length; i++) {
+        bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    }
+    return bytes;
+}
+//# sourceMappingURL=double-ratchet.js.map

package/dist/crypto/double-ratchet.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"double-ratchet.js","sourceRoot":"","sources":["../../src/crypto/double-ratchet.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAkB,EAAE,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAClE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAElE,0DAA0D;AAE1D,MAAM,QAAQ,GAAG,GAAG,CAAC;AACrB,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,qBAAqB;AAC3C,MAAM,OAAO,GAAG,EAAE,CAAC,CAAG,oBAAoB;AA+B1C,0DAA0D;AAE1D,MAAM,OAAO,oBAAoB;IACvB,MAAM,CAAY;IAClB,MAAM,CAAoB;IAC1B,OAAO,CAAa;IACpB,YAAY,CAAoB;IAChC,YAAY,CAAoB;IAChC,SAAS,CAAS;IAClB,SAAS,CAAS;IAClB,aAAa,CAAS;IACtB,WAAW,CAA0B,CAAC,+BAA+B;IACrE,cAAc,CAAa;IAEnC,YAAoB,EAAc;QAChC,IAAI,CAAC,MAAM,GAAG,EAAE,SAAS,EAAE,IAAI,UAAU,CAAC,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,UAAU,CAAC,EAAE,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,CAAC,OAAO,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;QACnB,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;QACnB,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC;QACvB,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,GAAG,EAAE,CAAC;IAC3B,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,SAAS,CACd,SAAqB,EACrB,cAA0B,EAC1B,kBAA8B;QAE9B,MAAM,OAAO,GAAG,IAAI,oBAAoB,CAAC,cAAc,CAAC,CAAC;QAEzD,OAAO,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;QACrC,OAAO,CAAC,MAAM,GAAG,kBAAkB,CAAC;QAEpC,uDAAuD;QACvD,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;QAClF,OAAO,CAAC,OAAO,GAAG,EAAE,CAAC;QACrB,OAAO,CAAC,YAAY,GAAG,GAAG,CAAC;QAE3B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,OAAO,CACZ,SAAqB,EACrB,cAA0B,EAC1B,mBAA8B;QAE9B,MAAM,OAAO,GAAG,IAAI,oBAAoB,CAAC,cAAc,CAAC,CAAC;QAEzD,OAAO,CAAC,MAAM,GAAG,mBAAmB,CAAC;QACrC,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC;QAC5B,0DAA0D;QAE1D,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,sDAAsD;IAEtD;;OAEG;IACH,OAAO,CAAC,SAAqB;QAC3B,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC7C,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC;QAE1B,MAAM,MAAM,GAAkB;YAC5B,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAClC,EAAE,EAAE,IAAI,CAAC,aAAa;YACtB,CAAC,EAAE,IAAI,CAAC,SAAS;SAClB,CAAC;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;QAEjB,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QACrE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACvC,CAAC;IAED,sDAAsD;IAEtD;;OAEG;IACH,OAAO,CAAC,OAAyB;QAC/B,yDAAyD;QACzD,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACnD,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,8DAA8D;QAC9D,MAAM,YAAY,GAChB,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAEpE,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAEhC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC7C,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC;QAC1B,IAAI,CAAC,SAAS,EAAE,CAAC;QAEjB,OAAO,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAChF,CAAC;IAED,qDAAqD;IAE7C,SAAS,CAAC,QAAoB;QACpC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC;QACpC,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;QACnB,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,QAAQ,CAAC;QAEvB,6BAA6B;QAC7B,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAChF,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC;QACnB,IAAI,CAAC,YAAY,GAAG,GAAG,CAAC;QAExB,uDAAuD;QACvD,IAAI,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAChF,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC;QACnB,IAAI,CAAC,YAAY,GAAG,GAAG,CAAC;IAC1B,CAAC;IAED,qDAAqD;IAE7C,QAAQ,CAAC,KAAa;QAC5B,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,OAAO;QAE/B,IAAI,KAAK,GAAG,IAAI,CAAC,SAAS,GAAG,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,GAAG,KAAK,EAAE,CAAC;YAC9B,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC7C,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC;YAC1B,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,MAAO,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YACvD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAC9B,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,OAAyB;QAC9C,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAErB,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAChF,CAAC;IAED,qDAAqD;IAE7C,UAAU,CAChB,EAAc,EACd,SAAqB,EACrB,MAAqB;QAErB,MAAM,KAAK,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;QACrC,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;QAEhD,MAAM,UAAU,GAAG,SAAS,EAAE,CAAC,0CAA0C,CACvE,SAAS,EACT,EAAE,EACF,IAAI,EAAE,6BAA6B;QACnC,KAAK,EACL,EAAE,CACH,CAAC;QAEF,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IAC/B,CAAC;IAEO,UAAU,CAChB,EAAc,EACd,UAAsB,EACtB,KAAiB,EACjB,MAAqB;QAErB,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;QAEhD,OAAO,SAAS,EAAE,CAAC,0CAA0C,CAC3D,IAAI,EAAE,OAAO;QACb,UAAU,EACV,EAAE,EACF,KAAK,EACL,EAAE,CACH,CAAC;IACJ,CAAC;IAED,qDAAqD;IAErD;;OAEG;IACH,SAAS;QACP,OAAO;YACL,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE;YAChF,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE;gBACnE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC;YAClE,CAAC,CAAC;SACH,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,KAAmB,EAAE,cAA0B;QAChE,MAAM,OAAO,GAAG,IAAI,oBAAoB,CAAC,cAAc,CAAC,CAAC;QACzD,OAAO,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;QAC9B,OAAO,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;QAC9B,OAAO,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;QAChC,OAAO,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QAC1C,OAAO,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QAC1C,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;QACpC,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;QACpC,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;QAC5C,KAAK,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;YACjD,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED,0DAA0D;AAE1D;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAqB;IACpD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,SAAS,GAAG,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEtC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACnC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACxC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IACvC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACvB,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,GAAG,SAAS,CAAC,CAAC;IAExC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAe;IAChD,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,GAAG,SAAS,GAAG,OAAO,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;IAEtE,OAAO;QACL,MAAM,EAAE;YACN,WAAW,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAC7B,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC;YAC5B,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC;SAC5B;QACD,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,GAAG,SAAS,CAAC;QACpC,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,SAAS,CAAC;KACtC,CAAC;AACJ,CAAC;AAED,0DAA0D;AAE1D,SAAS,OAAO,CAAC,SAAqB,EAAE,MAAqB;IAC3D,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACzD,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;IAErC,EAAE,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACrB,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACvD,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IAEtD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,YAAY,CAAC,KAAiB,EAAE,CAAS;IAChD,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;AACrC,CAAC;AAED,SAAS,OAAO,CAAC,CAAa,EAAE,CAAa;IAC3C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAClC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CAAC,KAAiB;IACnC,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,KAAK,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/crypto/file.d.ts

@@ -0,0 +1,14 @@
+export interface EncryptedFile {
+    encrypted: Uint8Array;
+    key: Uint8Array;
+    nonce: Uint8Array;
+}
+/**
+ * Encrypt a file using XSalsa20-Poly1305 (crypto_secretbox).
+ * Generates a random key and nonce.
+ */
+export declare function encryptFile(plaintext: Uint8Array): EncryptedFile;
+/**
+ * Decrypt a file encrypted with encryptFile.
+ */
+export declare function decryptFile(encrypted: Uint8Array, key: Uint8Array, nonce: Uint8Array): Uint8Array;

package/dist/crypto/file.js

@@ -0,0 +1,20 @@
+import { getSodium, randomBytes } from "./utils.js";
+/**
+ * Encrypt a file using XSalsa20-Poly1305 (crypto_secretbox).
+ * Generates a random key and nonce.
+ */
+export function encryptFile(plaintext) {
+    const sodium = getSodium();
+    const key = randomBytes(sodium.crypto_secretbox_KEYBYTES);
+    const nonce = randomBytes(sodium.crypto_secretbox_NONCEBYTES);
+    const encrypted = sodium.crypto_secretbox_easy(plaintext, nonce, key);
+    return { encrypted, key, nonce };
+}
+/**
+ * Decrypt a file encrypted with encryptFile.
+ */
+export function decryptFile(encrypted, key, nonce) {
+    const sodium = getSodium();
+    return sodium.crypto_secretbox_open_easy(encrypted, nonce, key);
+}
+//# sourceMappingURL=file.js.map

package/dist/crypto/file.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file.js","sourceRoot":"","sources":["../../src/crypto/file.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAQpD;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,SAAqB;IAC/C,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;IAC1D,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC;IAC9D,MAAM,SAAS,GAAG,MAAM,CAAC,qBAAqB,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IACtE,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,SAAqB,EAAE,GAAe,EAAE,KAAiB;IACnF,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,OAAO,MAAM,CAAC,0BAA0B,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;AAClE,CAAC"}

package/dist/crypto/index.d.ts

@@ -0,0 +1,9 @@
+export { initSodium, getSodium, toBase64, fromBase64, randomBytes } from "./utils.js";
+export { encryptFile, decryptFile, type EncryptedFile } from "./file.js";
+export { type IdentityKeyPair, type DHKeyPair, type SignedPreKey, generateIdentityKeyPair, generateDHKeyPair, generateSignedPreKey, generateOneTimePreKeys, prepareRegistrationKeys, verifySignature, } from "./keys.js";
+export { type X3DHResult, x3dhInitiate, x3dhRespond } from "./x3dh.js";
+export { DoubleRatchetSession, type EncryptedMessage, type MessageHeader, type SessionState, serializeMessage, deserializeMessage, } from "./double-ratchet.js";
+export { type SenderKeyState, type ReceivedSenderKey, type SenderKeyDistributionPayload, GROUP_MSG_TYPE, generateSenderKey, createSkdmPayload, parseSkdmPayload, encryptSkdm, decryptSkdm, senderKeyEncrypt, senderKeyDecrypt, } from "./sender-keys.js";
+export { generateProfileKey, encryptProfile, decryptProfile, encryptProfileKeyFor, decryptProfileKey, encryptProfileToBase64, decryptProfileFromBase64, } from "./profile.js";
+export { encryptBackup, decryptBackup, deriveBackupKey, generateRecoveryKey, type BackupEncryptResult, type BackupPayload, type SerializedSessionState, } from "./backup.js";
+export { generatePassphrase } from "./passphrase.js";