@inkbox/sdk 0.1.4 → 0.2.0

package/dist/vault/crypto.js

@@ -0,0 +1,265 @@
+/**
+ * inkbox-vault/crypto.ts
+ *
+ * Client-side cryptography for the encrypted vault.
+ *
+ * Key derivation: Argon2id  (vault key → master key, via hash-wasm)
+ * Encryption:     AES-256-GCM (via Node.js crypto)
+ * Hashing:        SHA-256     (via Node.js crypto)
+ *
+ * Salt derivation:
+ *   The Argon2id salt is derived deterministically from the organisation ID
+ *   so that both the dashboard (vault init) and the SDK (vault unlock) can
+ *   compute the same master key from the same vault key:
+ *
+ *     salt = TextEncoder.encode(orgId)
+ */
+import { InkboxVaultKeyError } from "../_http.js";
+import { argon2id } from "hash-wasm";
+import { randomUUID, randomBytes, randomInt, createHash, createCipheriv, createDecipheriv, } from "node:crypto";
+import { VaultKeyType } from "./types.js";
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const ARGON2_TIME_COST = 3;
+const ARGON2_MEMORY_COST = 65536; // 64 MiB
+const ARGON2_PARALLELISM = 1;
+const ARGON2_HASH_LEN = 32;
+const AES_KEY_BYTES = 32;
+const AES_IV_BYTES = 12;
+const AES_TAG_BYTES = 16;
+// Recovery code alphabet (unambiguous uppercase + digits, no 0/O/1/I/L)
+const RC_ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ";
+const RC_GROUP_LEN = 4;
+const RC_GROUPS = 8; // 8 groups × 4 chars ≈ 120 bits of entropy
+// ---------------------------------------------------------------------------
+// Vault key validation
+// ---------------------------------------------------------------------------
+/**
+ * Validate that a vault key meets minimum strength requirements.
+ *
+ * Requirements: at least 16 characters, one uppercase letter, one
+ * lowercase letter, one digit, and one special character.
+ *
+ * @param vaultKey - The vault key string to validate.
+ * @throws {@link InkboxVaultKeyError} If the vault key does not meet requirements.
+ */
+export function validateVaultKey(vaultKey) {
+    if (vaultKey.length < 16)
+        throw new InkboxVaultKeyError("Vault key must be at least 16 characters");
+    if (!/[A-Z]/.test(vaultKey))
+        throw new InkboxVaultKeyError("Vault key must contain at least one uppercase letter");
+    if (!/[a-z]/.test(vaultKey))
+        throw new InkboxVaultKeyError("Vault key must contain at least one lowercase letter");
+    if (!/[0-9]/.test(vaultKey))
+        throw new InkboxVaultKeyError("Vault key must contain at least one digit");
+    if (!/[^A-Za-z0-9]/.test(vaultKey))
+        throw new InkboxVaultKeyError("Vault key must contain at least one special character");
+}
+// ---------------------------------------------------------------------------
+// Salt derivation
+// ---------------------------------------------------------------------------
+/**
+ * Derive the Argon2id salt from the organisation ID.
+ *
+ * @param organizationId - The organisation ID string.
+ * @returns The raw UTF-8 bytes of the organisation ID.
+ */
+export function deriveSalt(organizationId) {
+    return new TextEncoder().encode(organizationId);
+}
+// ---------------------------------------------------------------------------
+// Key derivation
+// ---------------------------------------------------------------------------
+/**
+ * Derive a 256-bit master key from a vault key using Argon2id.
+ *
+ * @param vaultKey - The vault key or recovery code string.
+ * @param salt - Salt bytes from {@link deriveSalt}.
+ * @returns 32-byte master key.
+ */
+export async function deriveMasterKey(vaultKey, salt) {
+    const hash = await argon2id({
+        password: vaultKey,
+        salt,
+        iterations: ARGON2_TIME_COST,
+        memorySize: ARGON2_MEMORY_COST,
+        parallelism: ARGON2_PARALLELISM,
+        hashLength: ARGON2_HASH_LEN,
+        outputType: "binary",
+    });
+    return new Uint8Array(hash);
+}
+/**
+ * Compute `SHA-256(masterKey)` as a hex digest.
+ *
+ * @param masterKey - The 32-byte master key.
+ * @returns 64-character hex string.
+ */
+export function computeAuthHash(masterKey) {
+    return createHash("sha256").update(masterKey).digest("hex");
+}
+// ---------------------------------------------------------------------------
+// AES-256-GCM
+// ---------------------------------------------------------------------------
+function aesGcmEncrypt(key, plaintext) {
+    const iv = randomBytes(AES_IV_BYTES);
+    const cipher = createCipheriv("aes-256-gcm", key, iv);
+    const encrypted = cipher.update(plaintext);
+    const final = cipher.final();
+    const tag = cipher.getAuthTag();
+    // ciphertext || nonce || tag
+    const result = new Uint8Array(encrypted.length + final.length + iv.length + tag.length);
+    result.set(encrypted, 0);
+    result.set(final, encrypted.length);
+    result.set(iv, encrypted.length + final.length);
+    result.set(tag, encrypted.length + final.length + iv.length);
+    return result;
+}
+function aesGcmDecrypt(key, blob) {
+    const tag = blob.slice(-AES_TAG_BYTES);
+    const nonce = blob.slice(-(AES_IV_BYTES + AES_TAG_BYTES), -AES_TAG_BYTES);
+    const ct = blob.slice(0, -(AES_IV_BYTES + AES_TAG_BYTES));
+    const decipher = createDecipheriv("aes-256-gcm", key, nonce);
+    decipher.setAuthTag(tag);
+    const decrypted = decipher.update(ct);
+    const final = decipher.final();
+    const result = new Uint8Array(decrypted.length + final.length);
+    result.set(decrypted, 0);
+    result.set(final, decrypted.length);
+    return result;
+}
+/**
+ * Wrap the org encryption key with a master key.
+ *
+ * @param masterKey - 32-byte master key.
+ * @param orgKey - 32-byte org encryption key to wrap.
+ * @returns Base64-encoded ciphertext blob.
+ */
+export function wrapOrgKey(masterKey, orgKey) {
+    const blob = aesGcmEncrypt(masterKey, orgKey);
+    return Buffer.from(blob).toString("base64");
+}
+/**
+ * Unwrap the org encryption key using a master key.
+ *
+ * @param masterKey - 32-byte master key.
+ * @param wrappedB64 - Base64-encoded ciphertext blob from the server.
+ * @returns 32-byte org encryption key.
+ */
+export function unwrapOrgKey(masterKey, wrappedB64) {
+    const blob = new Uint8Array(Buffer.from(wrappedB64, "base64"));
+    return aesGcmDecrypt(masterKey, blob);
+}
+// ---------------------------------------------------------------------------
+// Secret payload encryption / decryption
+// ---------------------------------------------------------------------------
+/**
+ * Serialize a payload to JSON and encrypt it with the org encryption key.
+ *
+ * @param orgKey - 32-byte org encryption key.
+ * @param payload - Plain object to encrypt.
+ * @returns Base64-encoded ciphertext blob.
+ */
+export function encryptPayload(orgKey, payload) {
+    const plaintext = new TextEncoder().encode(JSON.stringify(payload));
+    const blob = aesGcmEncrypt(orgKey, plaintext);
+    return Buffer.from(blob).toString("base64");
+}
+/**
+ * Decrypt a base64 ciphertext blob and parse the JSON payload.
+ *
+ * @param orgKey - 32-byte org encryption key.
+ * @param encryptedB64 - Base64-encoded ciphertext blob.
+ * @returns The decrypted payload as a plain object.
+ */
+export function decryptPayload(orgKey, encryptedB64) {
+    const blob = new Uint8Array(Buffer.from(encryptedB64, "base64"));
+    const plaintext = aesGcmDecrypt(orgKey, blob);
+    return JSON.parse(new TextDecoder().decode(plaintext));
+}
+// ---------------------------------------------------------------------------
+// Vault key material generation (used by dashboard / init code)
+// ---------------------------------------------------------------------------
+/**
+ * Generate a random 256-bit org encryption key.
+ *
+ * @returns 32 cryptographically random bytes.
+ */
+export function generateOrgEncryptionKey() {
+    return randomBytes(AES_KEY_BYTES);
+}
+/**
+ * Convert {@link VaultKeyMaterial} to a JSON-ready object matching the API's
+ * expected snake_case schema.
+ */
+export function vaultKeyMaterialToWire(m) {
+    return {
+        id: m.id,
+        wrapped_org_encryption_key: m.wrappedOrgEncryptionKey,
+        auth_hash: m.authHash,
+        key_type: m.keyType,
+    };
+}
+/**
+ * Generate vault key material from a vault key.
+ *
+ * Derives a master key via Argon2id and wraps the org encryption key.
+ *
+ * @param vaultKey - The vault key string.
+ * @param organizationId - Organisation ID (used as Argon2id salt).
+ * @param orgEncryptionKey - 32-byte org encryption key to wrap.
+ * @param options.keyType - `"primary"` (default) or `"recovery"`.
+ * @returns Material ready to send to the server.
+ * @throws {@link InkboxVaultKeyError} If the vault key fails validation.
+ */
+export async function generateVaultKeyMaterial(vaultKey, organizationId, orgEncryptionKey, options = {}) {
+    validateVaultKey(vaultKey);
+    const salt = deriveSalt(organizationId);
+    const masterKey = await deriveMasterKey(vaultKey, salt);
+    const authHash = computeAuthHash(masterKey);
+    const wrapped = wrapOrgKey(masterKey, orgEncryptionKey);
+    return {
+        id: randomUUID(),
+        wrappedOrgEncryptionKey: wrapped,
+        authHash,
+        keyType: options.keyType ?? VaultKeyType.PRIMARY,
+    };
+}
+/**
+ * Generate a random recovery code and its vault key material.
+ *
+ * The recovery code is a human-readable string of the form
+ * `XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX` (~120 bits of entropy).
+ *
+ * @param organizationId - Organisation ID (used as Argon2id salt).
+ * @param orgEncryptionKey - 32-byte org encryption key to wrap.
+ * @returns `[codeString, material]` tuple. The code string must be stored
+ *   securely — it cannot be recovered.
+ */
+export async function generateRecoveryCode(organizationId, orgEncryptionKey) {
+    const groups = [];
+    for (let g = 0; g < RC_GROUPS; g++) {
+        let group = "";
+        for (let c = 0; c < RC_GROUP_LEN; c++) {
+            const idx = randomInt(RC_ALPHABET.length);
+            group += RC_ALPHABET[idx];
+        }
+        groups.push(group);
+    }
+    const code = groups.join("-");
+    // Recovery codes bypass validateVaultKey — they are auto-generated
+    // and don't follow vault key rules.  Derive directly.
+    const salt = deriveSalt(organizationId);
+    const masterKey = await deriveMasterKey(code, salt);
+    const authHash = computeAuthHash(masterKey);
+    const wrapped = wrapOrgKey(masterKey, orgEncryptionKey);
+    const material = {
+        id: randomUUID(),
+        wrappedOrgEncryptionKey: wrapped,
+        authHash,
+        keyType: VaultKeyType.RECOVERY,
+    };
+    return [code, material];
+}
+//# sourceMappingURL=crypto.js.map

package/dist/vault/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/vault/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EACL,UAAU,EACV,WAAW,EACX,SAAS,EACT,UAAU,EACV,cAAc,EACd,gBAAgB,GACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAC3B,MAAM,kBAAkB,GAAG,KAAK,CAAC,CAAC,SAAS;AAC3C,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAC7B,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B,MAAM,aAAa,GAAG,EAAE,CAAC;AACzB,MAAM,YAAY,GAAG,EAAE,CAAC;AACxB,MAAM,aAAa,GAAG,EAAE,CAAC;AAEzB,wEAAwE;AACxE,MAAM,WAAW,GAAG,iCAAiC,CAAC;AACtD,MAAM,YAAY,GAAG,CAAC,CAAC;AACvB,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,2CAA2C;AAEhE,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE;QACtB,MAAM,IAAI,mBAAmB,CAAC,0CAA0C,CAAC,CAAC;IAC5E,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QACzB,MAAM,IAAI,mBAAmB,CAAC,sDAAsD,CAAC,CAAC;IACxF,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QACzB,MAAM,IAAI,mBAAmB,CAAC,sDAAsD,CAAC,CAAC;IACxF,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QACzB,MAAM,IAAI,mBAAmB,CAAC,2CAA2C,CAAC,CAAC;IAC7E,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC;QAChC,MAAM,IAAI,mBAAmB,CAAC,uDAAuD,CAAC,CAAC;AAC3F,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,cAAsB;IAC/C,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;AAClD,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,IAAgB;IAEhB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC;QAC1B,QAAQ,EAAE,QAAQ;QAClB,IAAI;QACJ,UAAU,EAAE,gBAAgB;QAC5B,UAAU,EAAE,kBAAkB;QAC9B,WAAW,EAAE,kBAAkB;QAC/B,UAAU,EAAE,eAAe;QAC3B,UAAU,EAAE,QAAQ;KACrB,CAAC,CAAC;IACH,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,SAAqB;IACnD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9D,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,SAAS,aAAa,CAAC,GAAe,EAAE,SAAqB;IAC3D,MAAM,EAAE,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,6BAA6B;IAC7B,MAAM,MAAM,GAAG,IAAI,UAAU,CAC3B,SAAS,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CACzD,CAAC;IACF,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;IAC7D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CAAC,GAAe,EAAE,IAAgB;IACtD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,aAAa,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY,GAAG,aAAa,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC;IAC1E,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC;IAC1D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAC7D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC;IAC/B,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/D,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CACxB,SAAqB,EACrB,MAAkB;IAElB,MAAM,IAAI,GAAG,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,SAAqB,EACrB,UAAkB;IAElB,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC/D,OAAO,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;AACxC,CAAC;AAED,8EAA8E;AAC9E,yCAAyC;AACzC,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,MAAkB,EAClB,OAAgC;IAEhC,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IACpE,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,MAAkB,EAClB,YAAoB;IAEpB,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,8EAA8E;AAC9E,gEAAgE;AAChE,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,WAAW,CAAC,aAAa,CAAC,CAAC;AACpC,CAAC;AAmBD;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,CAAmB;IACxD,OAAO;QACL,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,0BAA0B,EAAE,CAAC,CAAC,uBAAuB;QACrD,SAAS,EAAE,CAAC,CAAC,QAAQ;QACrB,QAAQ,EAAE,CAAC,CAAC,OAAO;KACpB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,QAAgB,EAChB,cAAsB,EACtB,gBAA4B,EAC5B,UAAsC,EAAE;IAExC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC3B,MAAM,IAAI,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC;IACxC,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,UAAU,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IAExD,OAAO;QACL,EAAE,EAAE,UAAU,EAAE;QAChB,uBAAuB,EAAE,OAAO;QAChC,QAAQ;QACR,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO;KACjD,CAAC;AACJ,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,cAAsB,EACtB,gBAA4B;IAE5B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,IAAI,KAAK,GAAG,EAAE,CAAC;QACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;YAC1C,KAAK,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAE9B,mEAAmE;IACnE,sDAAsD;IACtD,MAAM,IAAI,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC;IACxC,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,UAAU,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IAExD,MAAM,QAAQ,GAAqB;QACjC,EAAE,EAAE,UAAU,EAAE;QAChB,uBAAuB,EAAE,OAAO;QAChC,QAAQ;QACR,OAAO,EAAE,YAAY,CAAC,QAAQ;KAC/B,CAAC;IACF,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC1B,CAAC"}

package/dist/vault/resources/vault.d.ts

@@ -0,0 +1,149 @@
+/**
+ * inkbox-vault/resources/vault.ts
+ *
+ * VaultResource   — org-level vault operations.
+ * UnlockedVault   — crypto-enabled wrapper for secret CRUD after unlock.
+ */
+import { HttpTransport } from "../../_http.js";
+import type { AccessRule, DecryptedVaultSecret, SecretPayload, VaultInfo, VaultKey, VaultSecret } from "../types.js";
+/**
+ * Org-level vault operations.
+ *
+ * Access via `inkbox.vault`. Most read-only operations work without
+ * unlocking. To create, read, or update secret payloads, call
+ * {@link unlock} first.
+ */
+export declare class VaultResource {
+    /** @internal */
+    readonly http: HttpTransport;
+    /** @internal */
+    _unlocked: UnlockedVault | null;
+    /** @internal */
+    constructor(http: HttpTransport);
+    /** Get vault metadata for the caller's organisation. */
+    info(): Promise<VaultInfo>;
+    /**
+     * List vault keys (metadata only — no wrapped key material).
+     *
+     * @param options.keyType - Optional filter: `"primary"` or `"recovery"`.
+     */
+    listKeys(options?: {
+        keyType?: string;
+    }): Promise<VaultKey[]>;
+    /**
+     * List vault secrets (metadata only, no encrypted payload).
+     *
+     * @param options.secretType - Optional filter: `"login"`, `"ssh_key"`,
+     *   `"api_key"`, or `"other"`.
+     */
+    listSecrets(options?: {
+        secretType?: string;
+    }): Promise<VaultSecret[]>;
+    /**
+     * Delete a vault secret.
+     *
+     * @param secretId - UUID of the secret to delete.
+     */
+    deleteSecret(secretId: string): Promise<void>;
+    /**
+     * List identity access rules for a vault secret.
+     *
+     * @param secretId - UUID of the secret.
+     */
+    listAccessRules(secretId: string): Promise<AccessRule[]>;
+    /**
+     * Grant an identity access to a vault secret.
+     *
+     * @param secretId - UUID of the secret.
+     * @param identityId - UUID of the identity to grant access to.
+     */
+    grantAccess(secretId: string, identityId: string): Promise<AccessRule>;
+    /**
+     * Revoke an identity's access to a vault secret.
+     *
+     * @param secretId - UUID of the secret.
+     * @param identityId - UUID of the identity to revoke access from.
+     */
+    revokeAccess(secretId: string, identityId: string): Promise<void>;
+    /**
+     * Unlock the vault with a vault key.
+     *
+     * Derives the encryption key from the provided vault key, fetches
+     * and decrypts all vault secrets.
+     *
+     * @param vaultKey - Vault key or recovery code.
+     * @param options.identityId - Optional agent identity UUID. When
+     *   provided, only secrets that this identity has been granted access
+     *   to are included in {@link UnlockedVault.secrets}.
+     * @returns {@link UnlockedVault} with decrypted secrets and methods for
+     *   secret CRUD.
+     * @throws If the vault key is incorrect or the vault key has been deleted.
+     */
+    unlock(vaultKey: string, options?: {
+        identityId?: string;
+    }): Promise<UnlockedVault>;
+}
+/**
+ * A vault unlocked with a valid vault key.
+ *
+ * Provides transparent encrypt/decrypt for secret CRUD operations.
+ *
+ * Obtain via {@link VaultResource.unlock}.
+ */
+export declare class UnlockedVault {
+    private readonly http;
+    private readonly orgKey;
+    private readonly secretsCache;
+    constructor(http: HttpTransport, orgKey: Uint8Array, secretsCache: DecryptedVaultSecret[]);
+    /** All vault secrets decrypted from the unlock response. */
+    get secrets(): DecryptedVaultSecret[];
+    /**
+     * Fetch and decrypt a single vault secret.
+     *
+     * @param secretId - UUID of the secret.
+     */
+    getSecret(secretId: string): Promise<DecryptedVaultSecret>;
+    /**
+     * Encrypt and store a new secret.
+     *
+     * The `secretType` is inferred from the payload shape.
+     *
+     * @param options.name - Display name (max 255 characters).
+     * @param options.description - Optional description.
+     * @param options.payload - One of {@link LoginPayload}, {@link SSHKeyPayload},
+     *   {@link APIKeyPayload}, or {@link OtherPayload}.
+     */
+    createSecret(options: {
+        name: string;
+        description?: string;
+        payload: SecretPayload;
+    }): Promise<VaultSecret>;
+    /**
+     * Update a vault secret's name, description, and/or encrypted payload.
+     *
+     * Only provided fields are sent to the server.
+     *
+     * **Note:** The `secretType` is immutable after creation.  If a payload
+     * is provided it must be the **same type** as the original (e.g. update
+     * a `login` secret with a new {@link LoginPayload}).  To change the
+     * type, delete the secret and create a new one.
+     *
+     * @param secretId - UUID of the secret to update.
+     * @param options.name - New display name.
+     * @param options.description - New description.
+     * @param options.payload - New payload of the **same type** as the
+     *   original (will be re-encrypted).
+     */
+    updateSecret(secretId: string, options: {
+        name?: string;
+        description?: string;
+        payload?: SecretPayload;
+    }): Promise<VaultSecret>;
+    /**
+     * Delete a vault secret.
+     *
+     * @param secretId - UUID of the secret to delete.
+     */
+    deleteSecret(secretId: string): Promise<void>;
+}
+//# sourceMappingURL=vault.d.ts.map

package/dist/vault/resources/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../../src/vault/resources/vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAS/C,OAAO,KAAK,EACV,UAAU,EACV,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,QAAQ,EACR,WAAW,EAEZ,MAAM,aAAa,CAAC;AAoBrB;;;;;;GAMG;AACH,qBAAa,aAAa;IACxB,gBAAgB;IAChB,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAE7B,gBAAgB;IAChB,SAAS,EAAE,aAAa,GAAG,IAAI,CAAQ;IAEvC,gBAAgB;gBACJ,IAAI,EAAE,aAAa;IAQ/B,wDAAwD;IAClD,IAAI,IAAI,OAAO,CAAC,SAAS,CAAC;IAShC;;;;OAIG;IACG,QAAQ,CAAC,OAAO,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;IAWvE;;;;;OAKG;IACG,WAAW,CAAC,OAAO,GAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAO,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAOhF;;;;OAIG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQnD;;;;OAIG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAO9D;;;;;OAKG;IACG,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAQ5E;;;;;OAKG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQvE;;;;;;;;;;;;;OAaG;IACG,MAAM,CACV,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAO,GACpC,OAAO,CAAC,aAAa,CAAC;CAwE1B;AAED;;;;;;GAMG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAgB;IACrC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;IACpC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAyB;gBAGpD,IAAI,EAAE,aAAa,EACnB,MAAM,EAAE,UAAU,EAClB,YAAY,EAAE,oBAAoB,EAAE;IAOtC,4DAA4D;IAC5D,IAAI,OAAO,IAAI,oBAAoB,EAAE,CAEpC;IAMD;;;;OAIG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAsBhE;;;;;;;;;OASG;IACG,YAAY,CAAC,OAAO,EAAE;QAC1B,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,OAAO,EAAE,aAAa,CAAC;KACxB,GAAG,OAAO,CAAC,WAAW,CAAC;IAcxB;;;;;;;;;;;;;;;OAeG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE;QACP,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,OAAO,CAAC,EAAE,aAAa,CAAC;KACzB,GACA,OAAO,CAAC,WAAW,CAAC;IA0BvB;;;;OAIG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGpD"}