@klickd/core 3.0.1

package/LICENSE

@@ -0,0 +1,107 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work"). Certain owners wish to
+permanently relinquish those rights to a Work for the purpose of
+contributing to a commons of creative, cultural and scientific works
+("Commons") that the public can reliably and without fear of later claims
+of infringement build upon, modify, incorporate in other works, convey
+and distribute. These owners may contribute to the Commons to promote the
+ideal of a free culture and the further production of creative, cultural
+and scientific works, or to gain reputation or greater distribution for
+their Work in part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or updated version of such directive);
+     and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, whether express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.

package/README.md

@@ -0,0 +1,118 @@
+# @klickd/core
+
+Official JavaScript/TypeScript library for reading and writing `.klickd` portable AI context files.
+
+**One soul. Any model. Any body.**
+
+[![npm version](https://img.shields.io/npm/v/@klickd/core)](https://www.npmjs.com/package/@klickd/core)
+[![License: CC0-1.0](https://img.shields.io/badge/License-CC0_1.0-lightgrey.svg)](https://creativecommons.org/publicdomain/zero/1.0/)
+[![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.20262530.svg)](https://doi.org/10.5281/zenodo.20262530)
+
+---
+
+## Install
+
+```bash
+npm install @klickd/core
+```
+
+### Argon2id dependency
+
+The v3 format uses **Argon2id** for key derivation. Install the appropriate package for your environment:
+
+- **Node.js**: `npm install argon2`
+- **Browser / bundler**: `npm install argon2-browser`
+
+---
+
+## Quick start
+
+### Load (decrypt) a `.klickd` file
+
+```typescript
+import { loadKlickd } from '@klickd/core';
+import { readFileSync } from 'node:fs';
+
+const fileBytes = readFileSync('context.klickd');
+const payload = await loadKlickd(fileBytes, { passphrase: 'my-passphrase' });
+
+console.log(payload.identity?.name);
+console.log(payload.memory);
+```
+
+### Save (encrypt) a `.klickd` file
+
+```typescript
+import { saveKlickd } from '@klickd/core';
+import { writeFileSync } from 'node:fs';
+import type { KlickdPayload } from '@klickd/core';
+
+const payload: KlickdPayload = {
+  payload_schema_version: '3.0.0',
+  domain_schema_version: '1.0.0',
+  identity: { name: 'Alice', language: 'en', timezone: 'Europe/Luxembourg' },
+  agent_instructions: 'Be concise.',
+  memory: [],
+};
+
+const envelope = await saveKlickd(payload, {
+  passphrase: 'my-passphrase',
+  domain: 'education',
+});
+
+writeFileSync('context.klickd', envelope, 'utf8');
+```
+
+### Legacy v2.x files (PBKDF2)
+
+To read files created with the v2.x PBKDF2-SHA256/600k KDF, pass `legacy: true`:
+
+```typescript
+const payload = await loadKlickd(fileBytes, {
+  passphrase: 'my-passphrase',
+  legacy: true,
+});
+```
+
+---
+
+## Cryptographic specification (v3.0)
+
+| Parameter     | Value                                   |
+|---------------|-----------------------------------------|
+| KDF (default) | Argon2id — m=65536, t=3, p=1           |
+| KDF (legacy)  | PBKDF2-SHA256 / 600 000 iterations      |
+| Cipher        | AES-256-GCM                             |
+| AAD           | RFC 8785 JCS over 6 canonical fields    |
+| Base64        | RFC 4648 §4 standard padded             |
+| Salt          | 16 bytes (CSPRNG)                       |
+| IV            | 12 bytes (CSPRNG)                       |
+
+---
+
+## Error codes
+
+| Code                | HTTP | Meaning                                  |
+|---------------------|------|------------------------------------------|
+| `KLICKD_E_AUTH`     | 401  | Wrong passphrase / GCM tag mismatch      |
+| `KLICKD_E_VERSION`  | 400  | Unsupported `klickd_version` major       |
+| `KLICKD_E_FORMAT`   | 400  | Malformed JSON envelope / missing fields |
+| `KLICKD_E_KDF`      | 400  | Unknown or unavailable KDF               |
+| `KLICKD_E_WEAK_PASS`| 422  | Passphrase shorter than 8 characters     |
+| `KLICKD_E_SCHEMA`   | 400  | Missing `payload_schema_version`         |
+
+---
+
+## Links
+
+- Specification: [SPEC.md](https://github.com/Davincc77/klickdskill/blob/main/SPEC.md)
+- Repository: [github.com/Davincc77/klickdskill](https://github.com/Davincc77/klickdskill)
+- DOI: [10.5281/zenodo.20262530](https://doi.org/10.5281/zenodo.20262530)
+- Homepage: [klickd.app](https://klickd.app)
+
+---
+
+## License
+
+[CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/) — Public Domain Dedication.  
+Author: Vince C. (Luxlearn, Luxembourg)

package/dist/index.cjs

@@ -0,0 +1,326 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  HTTP_STATUS: () => HTTP_STATUS,
+  KlickdError: () => KlickdError,
+  loadKlickd: () => loadKlickd,
+  saveKlickd: () => saveKlickd
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/errors.ts
+var KlickdError = class _KlickdError extends Error {
+  constructor(code, message, httpStatus) {
+    super(`${code}: ${message}`);
+    this.code = code;
+    this.httpStatus = httpStatus;
+    this.name = "KlickdError";
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, _KlickdError);
+    }
+  }
+};
+var HTTP_STATUS = {
+  KLICKD_E_AUTH: 401,
+  KLICKD_E_VERSION: 400,
+  KLICKD_E_FORMAT: 400,
+  KLICKD_E_KDF: 400,
+  KLICKD_E_WEAK_PASS: 422,
+  KLICKD_E_SCHEMA: 400
+};
+
+// src/encode.ts
+var import_node_crypto = require("crypto");
+var import_canonicalize = __toESM(require("canonicalize"), 1);
+var KLICKD_VERSION = "3.0";
+function toBase64(buf) {
+  return Buffer.from(buf).toString("base64");
+}
+async function deriveKeyArgon2id(passphrase, salt, m, t, p) {
+  try {
+    const argon2 = await import("argon2");
+    const hash = await argon2.hash(passphrase, {
+      type: argon2.argon2id,
+      memoryCost: m,
+      timeCost: t,
+      parallelism: p,
+      salt: Buffer.from(salt),
+      hashLength: 32,
+      raw: true
+    });
+    return new Uint8Array(hash);
+  } catch {
+    try {
+      const argon2browser = await import("argon2-browser");
+      const result = await argon2browser.hash({
+        pass: passphrase,
+        salt,
+        type: argon2browser.ArgonType.Argon2id,
+        mem: m,
+        time: t,
+        parallelism: p,
+        hashLen: 32
+      });
+      return result.hash;
+    } catch {
+      throw new KlickdError(
+        "KLICKD_E_KDF",
+        'Argon2id is unavailable. Install "argon2" (Node.js) or "argon2-browser" (browser).',
+        HTTP_STATUS["KLICKD_E_KDF"]
+      );
+    }
+  }
+}
+async function saveKlickd(payload, options) {
+  const { passphrase, domain = "education", kdfParams = { m: 65536, t: 3, p: 1 } } = options;
+  if (!passphrase || passphrase.length < 8) {
+    throw new KlickdError(
+      "KLICKD_E_WEAK_PASS",
+      "Passphrase must be at least 8 characters.",
+      HTTP_STATUS["KLICKD_E_WEAK_PASS"]
+    );
+  }
+  if (!payload.payload_schema_version) {
+    throw new KlickdError(
+      "KLICKD_E_SCHEMA",
+      "payload.payload_schema_version is required.",
+      HTTP_STATUS["KLICKD_E_SCHEMA"]
+    );
+  }
+  const salt = (0, import_node_crypto.randomBytes)(16);
+  const iv = (0, import_node_crypto.randomBytes)(12);
+  const keyBytes = await deriveKeyArgon2id(passphrase, salt, kdfParams.m, kdfParams.t, kdfParams.p);
+  const created_at = (/* @__PURE__ */ new Date()).toISOString().replace(/\.\d{3}Z$/, "Z");
+  const envelopeForAad = {
+    klickd_version: KLICKD_VERSION,
+    encrypted: true,
+    domain,
+    created_at,
+    kdf: {
+      name: "argon2id",
+      params: kdfParams,
+      salt: toBase64(salt)
+    },
+    cipher: {
+      name: "AES-256-GCM",
+      iv: toBase64(iv)
+    }
+  };
+  const aadString = (0, import_canonicalize.default)(envelopeForAad);
+  if (!aadString) {
+    throw new KlickdError("KLICKD_E_FORMAT", "Failed to canonicalize AAD.", 400);
+  }
+  const aad = Buffer.from(aadString, "utf8");
+  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
+  const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", (0, import_node_crypto.createSecretKey)(keyBytes), iv);
+  cipher.setAAD(aad);
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const ciphertext = toBase64(Buffer.concat([encrypted, authTag]));
+  const envelope = {
+    ...envelopeForAad,
+    ciphertext
+  };
+  return JSON.stringify(envelope);
+}
+
+// src/decode.ts
+var import_node_crypto2 = require("crypto");
+var import_node_util = require("util");
+var import_canonicalize2 = __toESM(require("canonicalize"), 1);
+var pbkdf2 = (0, import_node_util.promisify)(import_node_crypto2.pbkdf2);
+var SUPPORTED_MAJOR = 3;
+function fromBase64(s) {
+  return Buffer.from(s, "base64");
+}
+async function deriveKeyArgon2id2(passphrase, salt, m, t, p) {
+  try {
+    const argon2 = await import("argon2");
+    const hash = await argon2.hash(passphrase, {
+      type: argon2.argon2id,
+      memoryCost: m,
+      timeCost: t,
+      parallelism: p,
+      salt,
+      hashLength: 32,
+      raw: true
+    });
+    return new Uint8Array(hash);
+  } catch {
+    try {
+      const argon2browser = await import("argon2-browser");
+      const result = await argon2browser.hash({
+        pass: passphrase,
+        salt: new Uint8Array(salt),
+        type: argon2browser.ArgonType.Argon2id,
+        mem: m,
+        time: t,
+        parallelism: p,
+        hashLen: 32
+      });
+      return result.hash;
+    } catch {
+      throw new KlickdError(
+        "KLICKD_E_KDF",
+        'Argon2id is unavailable. Install "argon2" (Node.js) or "argon2-browser" (browser).',
+        HTTP_STATUS["KLICKD_E_KDF"]
+      );
+    }
+  }
+}
+async function deriveKeyPbkdf2(passphrase, salt, iterations) {
+  const key = await pbkdf2(passphrase, salt, iterations, 32, "sha256");
+  return new Uint8Array(key);
+}
+async function loadKlickd(input, options = {}) {
+  const { passphrase, legacy = false } = options;
+  let envelope;
+  try {
+    const raw = typeof input === "string" ? input : new TextDecoder().decode(input);
+    envelope = JSON.parse(raw);
+  } catch {
+    throw new KlickdError("KLICKD_E_FORMAT", "Invalid JSON envelope.", HTTP_STATUS["KLICKD_E_FORMAT"]);
+  }
+  const requiredFields = ["klickd_version", "encrypted", "domain", "created_at", "kdf", "cipher", "ciphertext"];
+  for (const field of requiredFields) {
+    if (!(field in envelope)) {
+      throw new KlickdError(
+        "KLICKD_E_FORMAT",
+        `Missing required envelope field: ${field}`,
+        HTTP_STATUS["KLICKD_E_FORMAT"]
+      );
+    }
+  }
+  const major = parseInt(envelope.klickd_version.split(".")[0], 10);
+  if (isNaN(major) || major !== SUPPORTED_MAJOR) {
+    throw new KlickdError(
+      "KLICKD_E_VERSION",
+      `Unsupported klickd_version major: ${envelope.klickd_version}. This library supports v${SUPPORTED_MAJOR}.x.`,
+      HTTP_STATUS["KLICKD_E_VERSION"]
+    );
+  }
+  const envelopeForAad = {
+    klickd_version: envelope.klickd_version,
+    encrypted: envelope.encrypted,
+    domain: envelope.domain,
+    created_at: envelope.created_at,
+    kdf: envelope.kdf,
+    cipher: envelope.cipher
+  };
+  const aadString = (0, import_canonicalize2.default)(envelopeForAad);
+  if (!aadString) {
+    throw new KlickdError("KLICKD_E_FORMAT", "Failed to canonicalize AAD.", 400);
+  }
+  const aad = Buffer.from(aadString, "utf8");
+  if (!passphrase) {
+    throw new KlickdError(
+      "KLICKD_E_AUTH",
+      "A passphrase is required to decrypt this file.",
+      HTTP_STATUS["KLICKD_E_AUTH"]
+    );
+  }
+  let keyBytes;
+  const kdf = envelope.kdf;
+  if (kdf.name === "argon2id") {
+    const salt = fromBase64(kdf.salt);
+    const { m, t, p } = kdf.params;
+    if (!m || m < 65536) throw new KlickdError("KLICKD_E_KDF", `kdf.params.m=${m} below minimum 65536`, HTTP_STATUS["KLICKD_E_KDF"]);
+    if (!t || t < 3) throw new KlickdError("KLICKD_E_KDF", `kdf.params.t=${t} below minimum 3`, HTTP_STATUS["KLICKD_E_KDF"]);
+    if (!p || p < 1) throw new KlickdError("KLICKD_E_KDF", `kdf.params.p=${p} below minimum 1`, HTTP_STATUS["KLICKD_E_KDF"]);
+    keyBytes = await deriveKeyArgon2id2(passphrase, salt, m, t, p);
+  } else if (kdf.name === "pbkdf2-sha256") {
+    if (!legacy) {
+      throw new KlickdError(
+        "KLICKD_E_KDF",
+        "Legacy PBKDF2 KDF detected. Set options.legacy = true to enable reading legacy v2.x files.",
+        HTTP_STATUS["KLICKD_E_KDF"]
+      );
+    }
+    const salt = fromBase64(kdf.salt);
+    keyBytes = await deriveKeyPbkdf2(passphrase, salt, kdf.params.iterations);
+  } else {
+    throw new KlickdError(
+      "KLICKD_E_KDF",
+      `Unknown KDF: ${kdf.name}`,
+      HTTP_STATUS["KLICKD_E_KDF"]
+    );
+  }
+  const cipherName = envelope.cipher.name;
+  if (cipherName !== "AES-256-GCM") {
+    throw new KlickdError(
+      "KLICKD_E_FORMAT",
+      `Unsupported cipher: ${cipherName}. Only AES-256-GCM is supported in v3.0.`,
+      HTTP_STATUS["KLICKD_E_FORMAT"]
+    );
+  }
+  const ciphertextWithTag = fromBase64(envelope.ciphertext);
+  if (ciphertextWithTag.length < 16) {
+    throw new KlickdError("KLICKD_E_FORMAT", "Ciphertext too short.", HTTP_STATUS["KLICKD_E_FORMAT"]);
+  }
+  const authTag = ciphertextWithTag.subarray(ciphertextWithTag.length - 16);
+  const ciphertextBytes = ciphertextWithTag.subarray(0, ciphertextWithTag.length - 16);
+  const iv = fromBase64(envelope.cipher.iv);
+  let plaintext;
+  try {
+    const decipher = (0, import_node_crypto2.createDecipheriv)("aes-256-gcm", (0, import_node_crypto2.createSecretKey)(keyBytes), iv);
+    decipher.setAAD(aad);
+    decipher.setAuthTag(authTag);
+    plaintext = Buffer.concat([decipher.update(ciphertextBytes), decipher.final()]);
+  } catch {
+    throw new KlickdError(
+      "KLICKD_E_AUTH",
+      "Decryption failed: wrong passphrase or corrupted file.",
+      HTTP_STATUS["KLICKD_E_AUTH"]
+    );
+  }
+  let payload;
+  try {
+    payload = JSON.parse(plaintext.toString("utf8"));
+  } catch {
+    throw new KlickdError("KLICKD_E_FORMAT", "Decrypted data is not valid JSON.", HTTP_STATUS["KLICKD_E_FORMAT"]);
+  }
+  if (!payload.payload_schema_version) {
+    throw new KlickdError(
+      "KLICKD_E_SCHEMA",
+      "Decrypted payload is missing payload_schema_version.",
+      HTTP_STATUS["KLICKD_E_SCHEMA"]
+    );
+  }
+  return payload;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  HTTP_STATUS,
+  KlickdError,
+  loadKlickd,
+  saveKlickd
+});

package/dist/index.d.cts

@@ -0,0 +1,127 @@
+type KdfName = 'argon2id' | 'pbkdf2-sha256';
+type CipherName = 'AES-256-GCM';
+type KlickdDomain = 'education' | 'work' | 'finance' | 'legal' | 'creative' | 'health' | 'research' | 'robotics' | string;
+type MemoryRole = 'user' | 'assistant' | 'system';
+type MemoryModality = 'text' | 'image' | 'audio' | 'tool_call';
+interface KlickdKdfArgon2id {
+    name: 'argon2id';
+    /** Argon2id memory (KiB), time, parallelism params */
+    params: {
+        m: number;
+        t: number;
+        p: number;
+    };
+    /** RFC 4648 §4 standard base64-padded 16-byte salt */
+    salt: string;
+}
+interface KlickdKdfPbkdf2 {
+    name: 'pbkdf2-sha256';
+    /** PBKDF2 iteration count */
+    params: {
+        iterations: number;
+    };
+    /** RFC 4648 §4 standard base64-padded 16-byte salt */
+    salt: string;
+}
+type KlickdKdf = KlickdKdfArgon2id | KlickdKdfPbkdf2;
+interface KlickdCipher {
+    name: CipherName;
+    /** RFC 4648 §4 standard base64-padded 12-byte IV */
+    iv: string;
+}
+/**
+ * The outer .klickd envelope (JSON root object).
+ * AAD is JCS (RFC 8785) over the 6 canonical fields:
+ *   klickd_version, encrypted, domain, created_at, kdf, cipher
+ */
+interface KlickdEnvelope {
+    klickd_version: string;
+    encrypted: boolean;
+    domain: KlickdDomain;
+    created_at: string;
+    kdf: KlickdKdf;
+    cipher: KlickdCipher;
+    ciphertext: string;
+}
+interface KlickdMemoryEntry {
+    /** UUID v4 */
+    id: string;
+    /** RFC 3339 UTC with Z suffix */
+    ts: string;
+    role: MemoryRole;
+    content: string;
+    modality: MemoryModality;
+    tags?: string[];
+}
+interface KlickdIdentity {
+    name?: string;
+    language?: string;
+    timezone?: string;
+    communication_style?: string;
+}
+interface KlickdContext {
+    current_state?: string;
+    decisions_locked?: string[];
+    artifacts?: unknown[];
+    summary?: string;
+}
+interface KlickdKnowledge {
+    mastered?: string[];
+    gaps?: string[];
+    next_steps?: string[];
+}
+interface KlickdPayload {
+    payload_schema_version: string;
+    domain_schema_version: string;
+    identity?: KlickdIdentity;
+    agent_instructions?: string;
+    user_preferences?: Record<string, unknown>;
+    context?: KlickdContext;
+    knowledge?: KlickdKnowledge;
+    memory?: KlickdMemoryEntry[];
+    /** Domain extension fields */
+    [key: string]: unknown;
+}
+interface LoadKlickdOptions {
+    passphrase?: string;
+    /** Enable legacy v2.x PBKDF2-SHA256/600k reading. Default: false */
+    legacy?: boolean;
+}
+interface SaveKlickdOptions {
+    passphrase: string;
+    domain?: KlickdDomain;
+    /** Argon2id params override. Default: { m: 65536, t: 3, p: 1 } */
+    kdfParams?: {
+        m: number;
+        t: number;
+        p: number;
+    };
+}
+
+type KlickdErrorCode = 'KLICKD_E_AUTH' | 'KLICKD_E_VERSION' | 'KLICKD_E_FORMAT' | 'KLICKD_E_KDF' | 'KLICKD_E_WEAK_PASS' | 'KLICKD_E_SCHEMA';
+declare class KlickdError extends Error {
+    readonly code: KlickdErrorCode;
+    readonly httpStatus?: number | undefined;
+    constructor(code: KlickdErrorCode, message: string, httpStatus?: number | undefined);
+}
+declare const HTTP_STATUS: Record<KlickdErrorCode, number>;
+
+/**
+ * Save a KlickdPayload as an encrypted .klickd envelope JSON string.
+ *
+ * @param payload  - The plaintext payload to encrypt.
+ * @param options  - Passphrase, domain, and optional Argon2id param overrides.
+ * @returns        - The complete .klickd JSON string (UTF-8).
+ */
+declare function saveKlickd(payload: KlickdPayload, options: SaveKlickdOptions): Promise<string>;
+
+/**
+ * Load and decrypt a .klickd envelope.
+ *
+ * @param input      - Raw .klickd JSON (string or UTF-8 bytes).
+ * @param options    - Passphrase and optional legacy mode.
+ * @returns          - The decrypted KlickdPayload.
+ */
+declare function loadKlickd(input: string | Uint8Array, options?: LoadKlickdOptions): Promise<KlickdPayload>;
+
+export { type CipherName, HTTP_STATUS, type KdfName, type KlickdCipher, type KlickdContext, type KlickdDomain, type KlickdEnvelope, KlickdError, type KlickdErrorCode, type KlickdIdentity, type KlickdKdf, type KlickdKdfArgon2id, type KlickdKdfPbkdf2, type KlickdKnowledge, type KlickdMemoryEntry, type KlickdPayload, type LoadKlickdOptions, type MemoryModality, type MemoryRole, type SaveKlickdOptions, loadKlickd, saveKlickd };

package/dist/index.d.ts

@@ -0,0 +1,127 @@
+type KdfName = 'argon2id' | 'pbkdf2-sha256';
+type CipherName = 'AES-256-GCM';
+type KlickdDomain = 'education' | 'work' | 'finance' | 'legal' | 'creative' | 'health' | 'research' | 'robotics' | string;
+type MemoryRole = 'user' | 'assistant' | 'system';
+type MemoryModality = 'text' | 'image' | 'audio' | 'tool_call';
+interface KlickdKdfArgon2id {
+    name: 'argon2id';
+    /** Argon2id memory (KiB), time, parallelism params */
+    params: {
+        m: number;
+        t: number;
+        p: number;
+    };
+    /** RFC 4648 §4 standard base64-padded 16-byte salt */
+    salt: string;
+}
+interface KlickdKdfPbkdf2 {
+    name: 'pbkdf2-sha256';
+    /** PBKDF2 iteration count */
+    params: {
+        iterations: number;
+    };
+    /** RFC 4648 §4 standard base64-padded 16-byte salt */
+    salt: string;
+}
+type KlickdKdf = KlickdKdfArgon2id | KlickdKdfPbkdf2;
+interface KlickdCipher {
+    name: CipherName;
+    /** RFC 4648 §4 standard base64-padded 12-byte IV */
+    iv: string;
+}
+/**
+ * The outer .klickd envelope (JSON root object).
+ * AAD is JCS (RFC 8785) over the 6 canonical fields:
+ *   klickd_version, encrypted, domain, created_at, kdf, cipher
+ */
+interface KlickdEnvelope {
+    klickd_version: string;
+    encrypted: boolean;
+    domain: KlickdDomain;
+    created_at: string;
+    kdf: KlickdKdf;
+    cipher: KlickdCipher;
+    ciphertext: string;
+}
+interface KlickdMemoryEntry {
+    /** UUID v4 */
+    id: string;
+    /** RFC 3339 UTC with Z suffix */
+    ts: string;
+    role: MemoryRole;
+    content: string;
+    modality: MemoryModality;
+    tags?: string[];
+}
+interface KlickdIdentity {
+    name?: string;
+    language?: string;
+    timezone?: string;
+    communication_style?: string;
+}
+interface KlickdContext {
+    current_state?: string;
+    decisions_locked?: string[];
+    artifacts?: unknown[];
+    summary?: string;
+}
+interface KlickdKnowledge {
+    mastered?: string[];
+    gaps?: string[];
+    next_steps?: string[];
+}
+interface KlickdPayload {
+    payload_schema_version: string;
+    domain_schema_version: string;
+    identity?: KlickdIdentity;
+    agent_instructions?: string;
+    user_preferences?: Record<string, unknown>;
+    context?: KlickdContext;
+    knowledge?: KlickdKnowledge;
+    memory?: KlickdMemoryEntry[];
+    /** Domain extension fields */
+    [key: string]: unknown;
+}
+interface LoadKlickdOptions {
+    passphrase?: string;
+    /** Enable legacy v2.x PBKDF2-SHA256/600k reading. Default: false */
+    legacy?: boolean;
+}
+interface SaveKlickdOptions {
+    passphrase: string;
+    domain?: KlickdDomain;
+    /** Argon2id params override. Default: { m: 65536, t: 3, p: 1 } */
+    kdfParams?: {
+        m: number;
+        t: number;
+        p: number;
+    };
+}
+
+type KlickdErrorCode = 'KLICKD_E_AUTH' | 'KLICKD_E_VERSION' | 'KLICKD_E_FORMAT' | 'KLICKD_E_KDF' | 'KLICKD_E_WEAK_PASS' | 'KLICKD_E_SCHEMA';
+declare class KlickdError extends Error {
+    readonly code: KlickdErrorCode;
+    readonly httpStatus?: number | undefined;
+    constructor(code: KlickdErrorCode, message: string, httpStatus?: number | undefined);
+}
+declare const HTTP_STATUS: Record<KlickdErrorCode, number>;
+
+/**
+ * Save a KlickdPayload as an encrypted .klickd envelope JSON string.
+ *
+ * @param payload  - The plaintext payload to encrypt.
+ * @param options  - Passphrase, domain, and optional Argon2id param overrides.
+ * @returns        - The complete .klickd JSON string (UTF-8).
+ */
+declare function saveKlickd(payload: KlickdPayload, options: SaveKlickdOptions): Promise<string>;
+
+/**
+ * Load and decrypt a .klickd envelope.
+ *
+ * @param input      - Raw .klickd JSON (string or UTF-8 bytes).
+ * @param options    - Passphrase and optional legacy mode.
+ * @returns          - The decrypted KlickdPayload.
+ */
+declare function loadKlickd(input: string | Uint8Array, options?: LoadKlickdOptions): Promise<KlickdPayload>;
+
+export { type CipherName, HTTP_STATUS, type KdfName, type KlickdCipher, type KlickdContext, type KlickdDomain, type KlickdEnvelope, KlickdError, type KlickdErrorCode, type KlickdIdentity, type KlickdKdf, type KlickdKdfArgon2id, type KlickdKdfPbkdf2, type KlickdKnowledge, type KlickdMemoryEntry, type KlickdPayload, type LoadKlickdOptions, type MemoryModality, type MemoryRole, type SaveKlickdOptions, loadKlickd, saveKlickd };

package/dist/index.js

@@ -0,0 +1,286 @@
+// src/errors.ts
+var KlickdError = class _KlickdError extends Error {
+  constructor(code, message, httpStatus) {
+    super(`${code}: ${message}`);
+    this.code = code;
+    this.httpStatus = httpStatus;
+    this.name = "KlickdError";
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, _KlickdError);
+    }
+  }
+};
+var HTTP_STATUS = {
+  KLICKD_E_AUTH: 401,
+  KLICKD_E_VERSION: 400,
+  KLICKD_E_FORMAT: 400,
+  KLICKD_E_KDF: 400,
+  KLICKD_E_WEAK_PASS: 422,
+  KLICKD_E_SCHEMA: 400
+};
+
+// src/encode.ts
+import { randomBytes, createCipheriv, createSecretKey } from "crypto";
+import canonicalize from "canonicalize";
+var KLICKD_VERSION = "3.0";
+function toBase64(buf) {
+  return Buffer.from(buf).toString("base64");
+}
+async function deriveKeyArgon2id(passphrase, salt, m, t, p) {
+  try {
+    const argon2 = await import("argon2");
+    const hash = await argon2.hash(passphrase, {
+      type: argon2.argon2id,
+      memoryCost: m,
+      timeCost: t,
+      parallelism: p,
+      salt: Buffer.from(salt),
+      hashLength: 32,
+      raw: true
+    });
+    return new Uint8Array(hash);
+  } catch {
+    try {
+      const argon2browser = await import("argon2-browser");
+      const result = await argon2browser.hash({
+        pass: passphrase,
+        salt,
+        type: argon2browser.ArgonType.Argon2id,
+        mem: m,
+        time: t,
+        parallelism: p,
+        hashLen: 32
+      });
+      return result.hash;
+    } catch {
+      throw new KlickdError(
+        "KLICKD_E_KDF",
+        'Argon2id is unavailable. Install "argon2" (Node.js) or "argon2-browser" (browser).',
+        HTTP_STATUS["KLICKD_E_KDF"]
+      );
+    }
+  }
+}
+async function saveKlickd(payload, options) {
+  const { passphrase, domain = "education", kdfParams = { m: 65536, t: 3, p: 1 } } = options;
+  if (!passphrase || passphrase.length < 8) {
+    throw new KlickdError(
+      "KLICKD_E_WEAK_PASS",
+      "Passphrase must be at least 8 characters.",
+      HTTP_STATUS["KLICKD_E_WEAK_PASS"]
+    );
+  }
+  if (!payload.payload_schema_version) {
+    throw new KlickdError(
+      "KLICKD_E_SCHEMA",
+      "payload.payload_schema_version is required.",
+      HTTP_STATUS["KLICKD_E_SCHEMA"]
+    );
+  }
+  const salt = randomBytes(16);
+  const iv = randomBytes(12);
+  const keyBytes = await deriveKeyArgon2id(passphrase, salt, kdfParams.m, kdfParams.t, kdfParams.p);
+  const created_at = (/* @__PURE__ */ new Date()).toISOString().replace(/\.\d{3}Z$/, "Z");
+  const envelopeForAad = {
+    klickd_version: KLICKD_VERSION,
+    encrypted: true,
+    domain,
+    created_at,
+    kdf: {
+      name: "argon2id",
+      params: kdfParams,
+      salt: toBase64(salt)
+    },
+    cipher: {
+      name: "AES-256-GCM",
+      iv: toBase64(iv)
+    }
+  };
+  const aadString = canonicalize(envelopeForAad);
+  if (!aadString) {
+    throw new KlickdError("KLICKD_E_FORMAT", "Failed to canonicalize AAD.", 400);
+  }
+  const aad = Buffer.from(aadString, "utf8");
+  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
+  const cipher = createCipheriv("aes-256-gcm", createSecretKey(keyBytes), iv);
+  cipher.setAAD(aad);
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const ciphertext = toBase64(Buffer.concat([encrypted, authTag]));
+  const envelope = {
+    ...envelopeForAad,
+    ciphertext
+  };
+  return JSON.stringify(envelope);
+}
+
+// src/decode.ts
+import { createDecipheriv, createSecretKey as createSecretKey2, pbkdf2 as pbkdf2Cb } from "crypto";
+import { promisify } from "util";
+import canonicalize2 from "canonicalize";
+var pbkdf2 = promisify(pbkdf2Cb);
+var SUPPORTED_MAJOR = 3;
+function fromBase64(s) {
+  return Buffer.from(s, "base64");
+}
+async function deriveKeyArgon2id2(passphrase, salt, m, t, p) {
+  try {
+    const argon2 = await import("argon2");
+    const hash = await argon2.hash(passphrase, {
+      type: argon2.argon2id,
+      memoryCost: m,
+      timeCost: t,
+      parallelism: p,
+      salt,
+      hashLength: 32,
+      raw: true
+    });
+    return new Uint8Array(hash);
+  } catch {
+    try {
+      const argon2browser = await import("argon2-browser");
+      const result = await argon2browser.hash({
+        pass: passphrase,
+        salt: new Uint8Array(salt),
+        type: argon2browser.ArgonType.Argon2id,
+        mem: m,
+        time: t,
+        parallelism: p,
+        hashLen: 32
+      });
+      return result.hash;
+    } catch {
+      throw new KlickdError(
+        "KLICKD_E_KDF",
+        'Argon2id is unavailable. Install "argon2" (Node.js) or "argon2-browser" (browser).',
+        HTTP_STATUS["KLICKD_E_KDF"]
+      );
+    }
+  }
+}
+async function deriveKeyPbkdf2(passphrase, salt, iterations) {
+  const key = await pbkdf2(passphrase, salt, iterations, 32, "sha256");
+  return new Uint8Array(key);
+}
+async function loadKlickd(input, options = {}) {
+  const { passphrase, legacy = false } = options;
+  let envelope;
+  try {
+    const raw = typeof input === "string" ? input : new TextDecoder().decode(input);
+    envelope = JSON.parse(raw);
+  } catch {
+    throw new KlickdError("KLICKD_E_FORMAT", "Invalid JSON envelope.", HTTP_STATUS["KLICKD_E_FORMAT"]);
+  }
+  const requiredFields = ["klickd_version", "encrypted", "domain", "created_at", "kdf", "cipher", "ciphertext"];
+  for (const field of requiredFields) {
+    if (!(field in envelope)) {
+      throw new KlickdError(
+        "KLICKD_E_FORMAT",
+        `Missing required envelope field: ${field}`,
+        HTTP_STATUS["KLICKD_E_FORMAT"]
+      );
+    }
+  }
+  const major = parseInt(envelope.klickd_version.split(".")[0], 10);
+  if (isNaN(major) || major !== SUPPORTED_MAJOR) {
+    throw new KlickdError(
+      "KLICKD_E_VERSION",
+      `Unsupported klickd_version major: ${envelope.klickd_version}. This library supports v${SUPPORTED_MAJOR}.x.`,
+      HTTP_STATUS["KLICKD_E_VERSION"]
+    );
+  }
+  const envelopeForAad = {
+    klickd_version: envelope.klickd_version,
+    encrypted: envelope.encrypted,
+    domain: envelope.domain,
+    created_at: envelope.created_at,
+    kdf: envelope.kdf,
+    cipher: envelope.cipher
+  };
+  const aadString = canonicalize2(envelopeForAad);
+  if (!aadString) {
+    throw new KlickdError("KLICKD_E_FORMAT", "Failed to canonicalize AAD.", 400);
+  }
+  const aad = Buffer.from(aadString, "utf8");
+  if (!passphrase) {
+    throw new KlickdError(
+      "KLICKD_E_AUTH",
+      "A passphrase is required to decrypt this file.",
+      HTTP_STATUS["KLICKD_E_AUTH"]
+    );
+  }
+  let keyBytes;
+  const kdf = envelope.kdf;
+  if (kdf.name === "argon2id") {
+    const salt = fromBase64(kdf.salt);
+    const { m, t, p } = kdf.params;
+    if (!m || m < 65536) throw new KlickdError("KLICKD_E_KDF", `kdf.params.m=${m} below minimum 65536`, HTTP_STATUS["KLICKD_E_KDF"]);
+    if (!t || t < 3) throw new KlickdError("KLICKD_E_KDF", `kdf.params.t=${t} below minimum 3`, HTTP_STATUS["KLICKD_E_KDF"]);
+    if (!p || p < 1) throw new KlickdError("KLICKD_E_KDF", `kdf.params.p=${p} below minimum 1`, HTTP_STATUS["KLICKD_E_KDF"]);
+    keyBytes = await deriveKeyArgon2id2(passphrase, salt, m, t, p);
+  } else if (kdf.name === "pbkdf2-sha256") {
+    if (!legacy) {
+      throw new KlickdError(
+        "KLICKD_E_KDF",
+        "Legacy PBKDF2 KDF detected. Set options.legacy = true to enable reading legacy v2.x files.",
+        HTTP_STATUS["KLICKD_E_KDF"]
+      );
+    }
+    const salt = fromBase64(kdf.salt);
+    keyBytes = await deriveKeyPbkdf2(passphrase, salt, kdf.params.iterations);
+  } else {
+    throw new KlickdError(
+      "KLICKD_E_KDF",
+      `Unknown KDF: ${kdf.name}`,
+      HTTP_STATUS["KLICKD_E_KDF"]
+    );
+  }
+  const cipherName = envelope.cipher.name;
+  if (cipherName !== "AES-256-GCM") {
+    throw new KlickdError(
+      "KLICKD_E_FORMAT",
+      `Unsupported cipher: ${cipherName}. Only AES-256-GCM is supported in v3.0.`,
+      HTTP_STATUS["KLICKD_E_FORMAT"]
+    );
+  }
+  const ciphertextWithTag = fromBase64(envelope.ciphertext);
+  if (ciphertextWithTag.length < 16) {
+    throw new KlickdError("KLICKD_E_FORMAT", "Ciphertext too short.", HTTP_STATUS["KLICKD_E_FORMAT"]);
+  }
+  const authTag = ciphertextWithTag.subarray(ciphertextWithTag.length - 16);
+  const ciphertextBytes = ciphertextWithTag.subarray(0, ciphertextWithTag.length - 16);
+  const iv = fromBase64(envelope.cipher.iv);
+  let plaintext;
+  try {
+    const decipher = createDecipheriv("aes-256-gcm", createSecretKey2(keyBytes), iv);
+    decipher.setAAD(aad);
+    decipher.setAuthTag(authTag);
+    plaintext = Buffer.concat([decipher.update(ciphertextBytes), decipher.final()]);
+  } catch {
+    throw new KlickdError(
+      "KLICKD_E_AUTH",
+      "Decryption failed: wrong passphrase or corrupted file.",
+      HTTP_STATUS["KLICKD_E_AUTH"]
+    );
+  }
+  let payload;
+  try {
+    payload = JSON.parse(plaintext.toString("utf8"));
+  } catch {
+    throw new KlickdError("KLICKD_E_FORMAT", "Decrypted data is not valid JSON.", HTTP_STATUS["KLICKD_E_FORMAT"]);
+  }
+  if (!payload.payload_schema_version) {
+    throw new KlickdError(
+      "KLICKD_E_SCHEMA",
+      "Decrypted payload is missing payload_schema_version.",
+      HTTP_STATUS["KLICKD_E_SCHEMA"]
+    );
+  }
+  return payload;
+}
+export {
+  HTTP_STATUS,
+  KlickdError,
+  loadKlickd,
+  saveKlickd
+};

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@klickd/core",
+  "version": "3.0.1",
+  "description": "Official JavaScript/TypeScript library for reading and writing .klickd portable AI context files",
+  "keywords": [
+    "klickd",
+    "ai-context",
+    "portable",
+    "memory",
+    "encrypted"
+  ],
+  "homepage": "https://klickd.app",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Davincc77/klickdskill"
+  },
+  "license": "CC0-1.0",
+  "author": "Vince C. <Luxlearn@pm.me> (https://klickd.app)",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --dts --external argon2 --external argon2-browser",
+    "test": "node --experimental-vm-modules node_modules/.bin/jest",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "canonicalize": "^2.0.0",
+    "hash-wasm": "^4.11.0"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.0.0",
+    "@types/node": "^20.0.0",
+    "argon2": "^0.44.0",
+    "argon2-browser": "^1.18.0",
+    "jest": "^29.0.0",
+    "ts-jest": "^29.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}