@inkbox/sdk 0.1.4 → 0.2.1

package/dist/vault/resources/vault.js

@@ -0,0 +1,396 @@
+/**
+ * inkbox-vault/resources/vault.ts
+ *
+ * VaultResource   — org-level vault operations.
+ * UnlockedVault   — crypto-enabled wrapper for secret CRUD after unlock.
+ */
+import { generateTotp, parseTotpUri } from "../totp.js";
+import { computeAuthHash, decryptPayload, deriveMasterKey, deriveSalt, encryptPayload, unwrapOrgKey, } from "../crypto.js";
+import { VaultSecretType, inferSecretType, parseAccessRule, parsePayload, parseVaultInfo, parseVaultKey, parseVaultSecret, parseVaultSecretDetail, serializePayload, } from "../types.js";
+/**
+ * Org-level vault operations.
+ *
+ * Access via `inkbox.vault`. Most read-only operations work without
+ * unlocking. To create, read, or update secret payloads, call
+ * {@link unlock} first.
+ */
+export class VaultResource {
+    /** @internal */
+    http;
+    /** @internal */
+    _unlocked = null;
+    /** @internal */
+    constructor(http) {
+        this.http = http;
+    }
+    // ------------------------------------------------------------------
+    // Vault metadata
+    // ------------------------------------------------------------------
+    /** Get vault metadata for the caller's organisation. */
+    async info() {
+        const data = await this.http.get("/info");
+        return parseVaultInfo(data);
+    }
+    // ------------------------------------------------------------------
+    // Keys (read-only via API key)
+    // ------------------------------------------------------------------
+    /**
+     * List vault keys (metadata only — no wrapped key material).
+     *
+     * @param options.keyType - Optional filter: `"primary"` or `"recovery"`.
+     */
+    async listKeys(options = {}) {
+        const params = {};
+        if (options.keyType !== undefined)
+            params["type"] = options.keyType;
+        const data = await this.http.get("/keys", params);
+        return data.map(parseVaultKey);
+    }
+    // ------------------------------------------------------------------
+    // Secrets (metadata-only operations)
+    // ------------------------------------------------------------------
+    /**
+     * List vault secrets (metadata only, no encrypted payload).
+     *
+     * @param options.secretType - Optional filter: `"login"`, `"ssh_key"`,
+     *   `"api_key"`, or `"other"`.
+     */
+    async listSecrets(options = {}) {
+        const params = {};
+        if (options.secretType !== undefined)
+            params["secret_type"] = options.secretType;
+        const data = await this.http.get("/secrets", params);
+        return data.map(parseVaultSecret);
+    }
+    /**
+     * Delete a vault secret.
+     *
+     * @param secretId - UUID of the secret to delete.
+     */
+    async deleteSecret(secretId) {
+        await this.http.delete(`/secrets/${secretId}`);
+    }
+    // ------------------------------------------------------------------
+    // Access rules
+    // ------------------------------------------------------------------
+    /**
+     * List identity access rules for a vault secret.
+     *
+     * @param secretId - UUID of the secret.
+     */
+    async listAccessRules(secretId) {
+        const data = await this.http.get(`/secrets/${secretId}/access`);
+        return data.map(parseAccessRule);
+    }
+    /**
+     * Grant an identity access to a vault secret.
+     *
+     * @param secretId - UUID of the secret.
+     * @param identityId - UUID of the identity to grant access to.
+     */
+    async grantAccess(secretId, identityId) {
+        const data = await this.http.post(`/secrets/${secretId}/access`, { identity_id: identityId });
+        return parseAccessRule(data);
+    }
+    /**
+     * Revoke an identity's access to a vault secret.
+     *
+     * @param secretId - UUID of the secret.
+     * @param identityId - UUID of the identity to revoke access from.
+     */
+    async revokeAccess(secretId, identityId) {
+        await this.http.delete(`/secrets/${secretId}/access/${identityId}`);
+    }
+    // ------------------------------------------------------------------
+    // Unlock
+    // ------------------------------------------------------------------
+    /**
+     * Unlock the vault with a vault key.
+     *
+     * Derives the encryption key from the provided vault key, fetches
+     * and decrypts all vault secrets.
+     *
+     * @param vaultKey - Vault key or recovery code.
+     * @param options.identityId - Optional agent identity UUID. When
+     *   provided, only secrets that this identity has been granted access
+     *   to are included in {@link UnlockedVault.secrets}.
+     * @returns {@link UnlockedVault} with decrypted secrets and methods for
+     *   secret CRUD.
+     * @throws If the vault key is incorrect or the vault key has been deleted.
+     */
+    async unlock(vaultKey, options = {}) {
+        // Step 1: get org_id for salt derivation
+        const vaultInfo = await this.info();
+        const salt = deriveSalt(vaultInfo.organizationId);
+        // Step 2: derive master key → auth hash
+        const masterKey = await deriveMasterKey(vaultKey, salt);
+        const authHash = computeAuthHash(masterKey);
+        // Step 3: fetch wrapped key + encrypted secrets
+        // We always send auth_hash, so the server returns the singular
+        // wrapped_org_encryption_key for the matching vault key.  The
+        // plural wrapped_org_encryption_keys is only returned when
+        // auth_hash is omitted (a recovery flow this SDK does not use,
+        // since recovery codes are derived the same way as vault keys).
+        const data = await this.http.get("/unlock", {
+            auth_hash: authHash,
+        });
+        const wrapped = data.wrapped_org_encryption_key;
+        if (!wrapped) {
+            throw new Error("No vault key matched. " +
+                "Check that the vault key is correct and has not been deleted.");
+        }
+        // Step 4: unwrap the org encryption key.
+        // The wrapped key was encrypted with the vault key UUID as AAD.
+        // Fetch all key IDs and try each as AAD until one works.
+        const keysData = await this.http.get("/keys");
+        const allKeyIds = keysData
+            .filter((k) => k.status === "active")
+            .map((k) => k.id);
+        let orgKey = null;
+        for (const keyId of allKeyIds) {
+            try {
+                orgKey = unwrapOrgKey(masterKey, wrapped, keyId);
+                break;
+            }
+            catch {
+                continue;
+            }
+        }
+        if (!orgKey) {
+            throw new Error("Failed to unwrap org encryption key. Check that the vault key is correct.");
+        }
+        // Step 5: decrypt all secrets from the unlock bundle
+        const decrypted = [];
+        for (const raw of data.encrypted_secrets ?? []) {
+            const detail = parseVaultSecretDetail(raw);
+            const payloadDict = decryptPayload(orgKey, detail.encryptedPayload, detail.id);
+            const payload = parsePayload(detail.secretType, payloadDict);
+            decrypted.push({
+                id: detail.id,
+                name: detail.name,
+                description: detail.description,
+                secretType: detail.secretType,
+                status: detail.status,
+                createdAt: detail.createdAt,
+                updatedAt: detail.updatedAt,
+                payload,
+            });
+        }
+        // Always store the unfiltered vault so identity.getCredentials()
+        // has the full set to filter from, even when identityId is provided.
+        this._unlocked = new UnlockedVault(this.http, orgKey, [...decrypted]);
+        // Step 6 (optional): filter by identity access rules
+        if (options.identityId !== undefined) {
+            const idStr = options.identityId;
+            const filtered = [];
+            for (const secret of decrypted) {
+                const rules = await this.http.get(`/secrets/${secret.id}/access`);
+                if (rules.some((r) => r.identity_id === idStr)) {
+                    filtered.push(secret);
+                }
+            }
+            return new UnlockedVault(this.http, orgKey, filtered);
+        }
+        return this._unlocked;
+    }
+}
+/**
+ * A vault unlocked with a valid vault key.
+ *
+ * Provides transparent encrypt/decrypt for secret CRUD operations.
+ *
+ * Obtain via {@link VaultResource.unlock}.
+ */
+export class UnlockedVault {
+    http;
+    orgKey;
+    secretsCache;
+    constructor(http, orgKey, secretsCache) {
+        this.http = http;
+        this.orgKey = orgKey;
+        this.secretsCache = secretsCache;
+    }
+    /** All vault secrets decrypted from the unlock response. */
+    get secrets() {
+        return [...this.secretsCache];
+    }
+    /**
+     * Re-fetch, decrypt, and update a single secret in the cache.
+     *
+     * Best-effort — if the re-fetch fails the cache is left unchanged.
+     */
+    async refreshCachedSecret(secretId) {
+        try {
+            const updated = await this.getSecret(secretId);
+            this.secretsCache = this.secretsCache.map((s) => s.id === secretId ? updated : s);
+        }
+        catch {
+            // Cache refresh is best-effort.
+        }
+    }
+    // ------------------------------------------------------------------
+    // Encrypted CRUD
+    // ------------------------------------------------------------------
+    /**
+     * Fetch and decrypt a single vault secret.
+     *
+     * @param secretId - UUID of the secret.
+     */
+    async getSecret(secretId) {
+        const data = await this.http.get(`/secrets/${secretId}`);
+        const detail = parseVaultSecretDetail(data);
+        const payloadDict = decryptPayload(this.orgKey, detail.encryptedPayload, detail.id);
+        const payload = parsePayload(detail.secretType, payloadDict);
+        return {
+            id: detail.id,
+            name: detail.name,
+            description: detail.description,
+            secretType: detail.secretType,
+            status: detail.status,
+            createdAt: detail.createdAt,
+            updatedAt: detail.updatedAt,
+            payload,
+        };
+    }
+    /**
+     * Encrypt and store a new secret.
+     *
+     * The `secretType` is inferred from the payload shape.
+     *
+     * @param options.name - Display name (max 255 characters).
+     * @param options.description - Optional description.
+     * @param options.payload - One of {@link LoginPayload}, {@link SSHKeyPayload},
+     *   {@link APIKeyPayload}, or {@link OtherPayload}.
+     */
+    async createSecret(options) {
+        const secretType = inferSecretType(options.payload);
+        const serialized = serializePayload(secretType, options.payload);
+        // Generate the UUID client-side so we can use it as AAD for
+        // encryption in the same request.
+        const secretId = crypto.randomUUID();
+        const encrypted = encryptPayload(this.orgKey, serialized, secretId);
+        const body = {
+            id: secretId,
+            name: options.name,
+            secret_type: secretType,
+            encrypted_payload: encrypted,
+        };
+        if (options.description !== undefined)
+            body["description"] = options.description;
+        const data = await this.http.post("/secrets", body);
+        const result = parseVaultSecret(data);
+        // Append the new secret to the cache so it's immediately visible.
+        try {
+            const decrypted = await this.getSecret(result.id);
+            this.secretsCache.push(decrypted);
+        }
+        catch {
+            // best-effort
+        }
+        return result;
+    }
+    /**
+     * Update a vault secret's name, description, and/or encrypted payload.
+     *
+     * Only provided fields are sent to the server.
+     *
+     * **Note:** The `secretType` is immutable after creation.  If a payload
+     * is provided it must be the **same type** as the original (e.g. update
+     * a `login` secret with a new {@link LoginPayload}).  To change the
+     * type, delete the secret and create a new one.
+     *
+     * @param secretId - UUID of the secret to update.
+     * @param options.name - New display name.
+     * @param options.description - New description.
+     * @param options.payload - New payload of the **same type** as the
+     *   original (will be re-encrypted).
+     */
+    async updateSecret(secretId, options) {
+        const body = {};
+        if ("name" in options)
+            body["name"] = options.name;
+        if ("description" in options)
+            body["description"] = options.description;
+        if (options.payload !== undefined) {
+            // Enforce secret_type immutability — the server treats the
+            // payload as opaque ciphertext and cannot check this itself.
+            const current = parseVaultSecret(await this.http.get(`/secrets/${secretId}`));
+            const newType = inferSecretType(options.payload);
+            if (newType !== current.secretType) {
+                throw new TypeError(`Cannot update a '${current.secretType}' secret with a '${newType}' payload. Delete and recreate instead.`);
+            }
+            const serialized = serializePayload(newType, options.payload);
+            body["encrypted_payload"] = encryptPayload(this.orgKey, serialized, secretId);
+        }
+        const data = await this.http.patch(`/secrets/${secretId}`, body);
+        // Refresh the cache so subsequent reads are consistent.
+        await this.refreshCachedSecret(secretId);
+        return parseVaultSecret(data);
+    }
+    /**
+     * Delete a vault secret.
+     *
+     * @param secretId - UUID of the secret to delete.
+     */
+    async deleteSecret(secretId) {
+        await this.http.delete(`/secrets/${secretId}`);
+        this.secretsCache = this.secretsCache.filter((s) => s.id !== secretId);
+    }
+    // ------------------------------------------------------------------
+    // TOTP helpers
+    // ------------------------------------------------------------------
+    /**
+     * Add or replace the TOTP configuration on a login secret.
+     *
+     * @param secretId - UUID of the login secret.
+     * @param totp - A {@link TOTPConfig} object or an `otpauth://totp/...` URI string.
+     * @returns Updated {@link VaultSecret} metadata.
+     * @throws TypeError if the secret is not a login type.
+     * @throws Error if a URI string is invalid or not TOTP.
+     */
+    async setTotp(secretId, totp) {
+        const config = typeof totp === "string" ? parseTotpUri(totp) : totp;
+        const secret = await this.getSecret(secretId);
+        if (secret.secretType !== VaultSecretType.LOGIN) {
+            throw new TypeError(`Cannot set TOTP on a '${secret.secretType}' secret — only login secrets support TOTP`);
+        }
+        const payload = { ...secret.payload, totp: config };
+        return this.updateSecret(secretId, { payload });
+    }
+    /**
+     * Remove TOTP configuration from a login secret.
+     *
+     * @param secretId - UUID of the login secret.
+     * @returns Updated {@link VaultSecret} metadata.
+     * @throws TypeError if the secret is not a login type.
+     */
+    async removeTotp(secretId) {
+        const secret = await this.getSecret(secretId);
+        if (secret.secretType !== VaultSecretType.LOGIN) {
+            throw new TypeError(`Cannot remove TOTP from a '${secret.secretType}' secret — only login secrets support TOTP`);
+        }
+        const loginPayload = secret.payload;
+        const { totp: _, ...rest } = loginPayload;
+        return this.updateSecret(secretId, { payload: rest });
+    }
+    /**
+     * Generate the current TOTP code for a login secret.
+     *
+     * @param secretId - UUID of the login secret.
+     * @returns A {@link TOTPCode}.
+     * @throws TypeError if the secret is not a login type.
+     * @throws Error if the login has no TOTP configured.
+     */
+    async getTotpCode(secretId) {
+        const secret = await this.getSecret(secretId);
+        if (secret.secretType !== VaultSecretType.LOGIN) {
+            throw new TypeError(`Cannot generate TOTP for a '${secret.secretType}' secret — only login secrets support TOTP`);
+        }
+        const loginPayload = secret.payload;
+        if (!loginPayload.totp) {
+            throw new Error(`Login secret '${secretId}' has no TOTP configured`);
+        }
+        return generateTotp(loginPayload.totp);
+    }
+}
+//# sourceMappingURL=vault.js.map

package/dist/vault/resources/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../src/vault/resources/vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AACxD,OAAO,EACL,eAAe,EACf,cAAc,EACd,eAAe,EACf,UAAU,EACV,cAAc,EACd,YAAY,GACb,MAAM,cAAc,CAAC;AAUtB,OAAO,EACL,eAAe,EACf,eAAe,EACf,eAAe,EACf,YAAY,EACZ,cAAc,EACd,aAAa,EACb,gBAAgB,EAChB,sBAAsB,EACtB,gBAAgB,GACjB,MAAM,aAAa,CAAC;AAUrB;;;;;;GAMG;AACH,MAAM,OAAO,aAAa;IACxB,gBAAgB;IACP,IAAI,CAAgB;IAE7B,gBAAgB;IAChB,SAAS,GAAyB,IAAI,CAAC;IAEvC,gBAAgB;IAChB,YAAY,IAAmB;QAC7B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAED,qEAAqE;IACrE,iBAAiB;IACjB,qEAAqE;IAErE,wDAAwD;IACxD,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAe,OAAO,CAAC,CAAC;QACxD,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,qEAAqE;IACrE,+BAA+B;IAC/B,qEAAqE;IAErE;;;;OAIG;IACH,KAAK,CAAC,QAAQ,CAAC,UAAgC,EAAE;QAC/C,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;YAAE,MAAM,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;QACpE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAgB,OAAO,EAAE,MAAM,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IACjC,CAAC;IAED,qEAAqE;IACrE,qCAAqC;IACrC,qEAAqE;IAErE;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,UAAmC,EAAE;QACrD,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;YAAE,MAAM,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC;QACjF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAmB,UAAU,EAAE,MAAM,CAAC,CAAC;QACvE,OAAO,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACpC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,QAAQ,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,qEAAqE;IACrE,eAAe;IACf,qEAAqE;IAErE;;;;OAIG;IACH,KAAK,CAAC,eAAe,CAAC,QAAgB;QACpC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAC9B,YAAY,QAAQ,SAAS,CAC9B,CAAC;QACF,OAAO,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACnC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,QAAgB,EAAE,UAAkB;QACpD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAC/B,YAAY,QAAQ,SAAS,EAC7B,EAAE,WAAW,EAAE,UAAU,EAAE,CAC5B,CAAC;QACF,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,UAAkB;QACrD,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,QAAQ,WAAW,UAAU,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,qEAAqE;IACrE,SAAS;IACT,qEAAqE;IAErE;;;;;;;;;;;;;OAaG;IACH,KAAK,CAAC,MAAM,CACV,QAAgB,EAChB,UAAmC,EAAE;QAErC,yCAAyC;QACzC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAElD,wCAAwC;QACxC,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACxD,MAAM,QAAQ,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QAE5C,gDAAgD;QAChD,+DAA+D;QAC/D,8DAA8D;QAC9D,2DAA2D;QAC3D,+DAA+D;QAC/D,gEAAgE;QAChE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAyB,SAAS,EAAE;YAClE,SAAS,EAAE,QAAQ;SACpB,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,CAAC,0BAA0B,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,wBAAwB;gBACtB,+DAA+D,CAClE,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,gEAAgE;QAChE,yDAAyD;QACzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAgB,OAAO,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,QAAQ;aACvB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC;aACpC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAEpB,IAAI,MAAM,GAAsB,IAAI,CAAC;QACrC,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,GAAG,YAAY,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;gBACjD,MAAM;YACR,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;QACJ,CAAC;QAED,qDAAqD;QACrD,MAAM,SAAS,GAA2B,EAAE,CAAC;QAC7C,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,iBAAiB,IAAI,EAAE,EAAE,CAAC;YAC/C,MAAM,MAAM,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YAC3C,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;YAC/E,MAAM,OAAO,GAAG,YAAY,CAC1B,MAAM,CAAC,UAAU,EACjB,WAAsC,CACvC,CAAC;YACF,SAAS,CAAC,IAAI,CAAC;gBACb,EAAE,EAAE,MAAM,CAAC,EAAE;gBACb,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,OAAO;aACR,CAAC,CAAC;QACL,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,IAAI,CAAC,SAAS,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC;QAEtE,qDAAqD;QACrD,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC;YACjC,MAAM,QAAQ,GAA2B,EAAE,CAAC;YAC5C,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;gBAC/B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAE/B,YAAY,MAAM,CAAC,EAAE,SAAS,CAAC,CAAC;gBAClC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,KAAK,CAAC,EAAE,CAAC;oBAC/C,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACxB,CAAC;YACH,CAAC;YACD,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,aAAa;IACP,IAAI,CAAgB;IACpB,MAAM,CAAa;IAC5B,YAAY,CAAyB;IAE7C,YACE,IAAmB,EACnB,MAAkB,EAClB,YAAoC;QAEpC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED,4DAA4D;IAC5D,IAAI,OAAO;QACT,OAAO,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,mBAAmB,CAAC,QAAgB;QAChD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAC/C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC9C,CAAC,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAChC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,gCAAgC;QAClC,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,iBAAiB;IACjB,qEAAqE;IAErE;;;;OAIG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAC9B,YAAY,QAAQ,EAAE,CACvB,CAAC;QACF,MAAM,MAAM,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACpF,MAAM,OAAO,GAAG,YAAY,CAC1B,MAAM,CAAC,UAAU,EACjB,WAAsC,CACvC,CAAC;QACF,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,OAAO;SACR,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAAC,OAIlB;QACC,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,UAAU,GAAG,gBAAgB,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QACjE,4DAA4D;QAC5D,kCAAkC;QAClC,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACrC,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACpE,MAAM,IAAI,GAA4B;YACpC,EAAE,EAAE,QAAQ;YACZ,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,WAAW,EAAE,UAAU;YACvB,iBAAiB,EAAE,SAAS;SAC7B,CAAC;QACF,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS;YAAE,IAAI,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;QACjF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAiB,UAAU,EAAE,IAAI,CAAC,CAAC;QACpE,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACtC,kEAAkE;QAClE,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,OAIC;QAED,MAAM,IAAI,GAA4B,EAAE,CAAC;QACzC,IAAI,MAAM,IAAI,OAAO;YAAE,IAAI,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;QACnD,IAAI,aAAa,IAAI,OAAO;YAAE,IAAI,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;QACxE,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAClC,2DAA2D;YAC3D,6DAA6D;YAC7D,MAAM,OAAO,GAAG,gBAAgB,CAC9B,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAiB,YAAY,QAAQ,EAAE,CAAC,CAC5D,CAAC;YACF,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACjD,IAAI,OAAO,KAAK,OAAO,CAAC,UAAU,EAAE,CAAC;gBACnC,MAAM,IAAI,SAAS,CACjB,oBAAoB,OAAO,CAAC,UAAU,oBAAoB,OAAO,yCAAyC,CAC3G,CAAC;YACJ,CAAC;YACD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;YAC9D,IAAI,CAAC,mBAAmB,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAChC,YAAY,QAAQ,EAAE,EACtB,IAAI,CACL,CAAC;QACF,wDAAwD;QACxD,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QACzC,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,QAAQ,EAAE,CAAC,CAAC;QAC/C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC;IACzE,CAAC;IAED,qEAAqE;IACrE,eAAe;IACf,qEAAqE;IAErE;;;;;;;;OAQG;IACH,KAAK,CAAC,OAAO,CACX,QAAgB,EAChB,IAAyB;QAEzB,MAAM,MAAM,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACpE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,MAAM,CAAC,UAAU,KAAK,eAAe,CAAC,KAAK,EAAE,CAAC;YAChD,MAAM,IAAI,SAAS,CACjB,yBAAyB,MAAM,CAAC,UAAU,4CAA4C,CACvF,CAAC;QACJ,CAAC;QACD,MAAM,OAAO,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IAClD,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,UAAU,CAAC,QAAgB;QAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,MAAM,CAAC,UAAU,KAAK,eAAe,CAAC,KAAK,EAAE,CAAC;YAChD,MAAM,IAAI,SAAS,CACjB,8BAA8B,MAAM,CAAC,UAAU,4CAA4C,CAC5F,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,OAA6C,CAAC;QAC1E,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,IAAI,EAAE,GAAG,YAAY,CAAC;QAC1C,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,WAAW,CAAC,QAAgB;QAChC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,MAAM,CAAC,UAAU,KAAK,eAAe,CAAC,KAAK,EAAE,CAAC;YAChD,MAAM,IAAI,SAAS,CACjB,+BAA+B,MAAM,CAAC,UAAU,4CAA4C,CAC7F,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,OAA6C,CAAC;QAC1E,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,iBAAiB,QAAQ,0BAA0B,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACzC,CAAC;CACF"}

package/dist/vault/totp.d.ts

@@ -0,0 +1,73 @@
+/**
+ * inkbox-vault/totp.ts
+ *
+ * Client-side TOTP (RFC 6238) implementation.
+ */
+/**
+ * Hash algorithm for TOTP code generation.
+ *
+ * Values are lowercase to match `otpauth://` URI convention.
+ */
+export declare const TOTPAlgorithm: {
+    readonly SHA1: "sha1";
+    readonly SHA256: "sha256";
+    readonly SHA512: "sha512";
+};
+export type TOTPAlgorithm = (typeof TOTPAlgorithm)[keyof typeof TOTPAlgorithm];
+/** A generated TOTP code with timing metadata. */
+export interface TOTPCode {
+    /** The OTP code string (e.g. `"482901"`). */
+    code: string;
+    /** Unix timestamp when this code became valid. */
+    periodStart: number;
+    /** Unix timestamp when this code expires. */
+    periodEnd: number;
+    /** Seconds left until expiry. */
+    secondsRemaining: number;
+}
+/**
+ * TOTP configuration stored inside a {@link LoginPayload}.
+ */
+export interface TOTPConfig {
+    /** Base32-encoded shared secret. */
+    secret: string;
+    /** Hash algorithm (default `"sha1"`). */
+    algorithm?: TOTPAlgorithm;
+    /** Number of digits in the OTP code (6 or 8, default 6). */
+    digits?: number;
+    /** Time step in seconds (30 or 60, default 30). */
+    period?: number;
+    /** Optional issuer name (e.g. `"GitHub"`). */
+    issuer?: string;
+    /** Optional account identifier (e.g. `"user@example.com"`). */
+    accountName?: string;
+}
+/**
+ * Validate a TOTPConfig's fields.
+ *
+ * @throws Error if any field is invalid.
+ */
+export declare function validateTotpConfig(config: TOTPConfig): void;
+/**
+ * Generate the current TOTP code per RFC 6238.
+ *
+ * @param config - TOTP configuration with the shared secret and parameters.
+ * @returns A {@link TOTPCode} with the code and timing metadata.
+ */
+export declare function generateTotp(config: TOTPConfig): TOTPCode;
+/**
+ * Parse an `otpauth://totp/...` URI into a {@link TOTPConfig}.
+ *
+ * Supports the Google Authenticator Key URI format.
+ * Rejects HOTP URIs with an error.
+ *
+ * @param uri - The full `otpauth://` URI string.
+ * @returns A validated {@link TOTPConfig}.
+ * @throws Error on invalid scheme, HOTP type, missing secret, or invalid parameters.
+ */
+export declare function parseTotpUri(uri: string): TOTPConfig;
+/** Serialize a TOTPConfig to the snake_case wire format. @internal */
+export declare function serializeTotpConfig(config: TOTPConfig): Record<string, unknown>;
+/** Parse a TOTPConfig from the snake_case wire format. @internal */
+export declare function parseTotpConfig(raw: Record<string, unknown>): TOTPConfig;
+//# sourceMappingURL=totp.d.ts.map

package/dist/vault/totp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp.d.ts","sourceRoot":"","sources":["../../src/vault/totp.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH;;;;GAIG;AACH,eAAO,MAAM,aAAa;;;;CAIhB,CAAC;AACX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,OAAO,aAAa,CAAC,CAAC;AAI/E,kDAAkD;AAClD,MAAM,WAAW,QAAQ;IACvB,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IACb,kDAAkD;IAClD,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,iCAAiC;IACjC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,oCAAoC;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,4DAA4D;IAC5D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+DAA+D;IAC/D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAQD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CAiB3D;AA+DD;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,UAAU,GAAG,QAAQ,CAgBzD;AAED;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAsFpD;AAID,sEAAsE;AACtE,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,UAAU,GACjB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAUzB;AAED,oEAAoE;AACpE,wBAAgB,eAAe,CAC7B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC3B,UAAU,CAWZ"}