@msdis/shield 0.2.0

package/dist/encoding-B-cb7Duu.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Byte/string/base64 encoding helpers.
+ *
+ * These intentionally reproduce the exact base64 encoding used by Singra Vault
+ * and Singra Premium so that DIS is byte-compatible with already-stored
+ * ciphertext. Do not "optimise" the algorithm in a way that changes output.
+ */
+/**
+ * Encodes bytes to a standard (RFC 4648) base64 string.
+ *
+ * Uses a chunked loop over `String.fromCharCode` + `btoa` to stay identical to
+ * the legacy `uint8ArrayToBase64` implementation while avoiding call-stack
+ * overflows on large inputs.
+ */
+declare function bytesToBase64(bytes: Uint8Array): string;
+/** Decodes a standard base64 string to bytes. */
+declare function base64ToBytes(base64: string): Uint8Array;
+/** UTF-8 encodes a string to bytes. */
+declare function utf8ToBytes(text: string): Uint8Array;
+/** UTF-8 decodes bytes to a string. */
+declare function bytesToUtf8(bytes: Uint8Array): string;
+/**
+ * Encodes bytes to an unpadded base64url (RFC 4648 §5) string.
+ *
+ * Reproduces the exact transform used by Singra Vault's `encodeBase64Url`
+ * (standard base64 with `+`→`-`, `/`→`_`, trailing `=` stripped) so DIS is
+ * byte-compatible with stored op-log signatures, hashes and public keys.
+ */
+declare function bytesToBase64Url(bytes: Uint8Array): string;
+/** Decodes an unpadded base64url string to bytes. */
+declare function base64UrlToBytes(base64url: string): Uint8Array;
+/** Lower-case hex string of the given bytes. */
+declare function bytesToHex(bytes: Uint8Array): string;
+/** Concatenates byte arrays into a single new buffer. */
+declare function concatBytes(...parts: Uint8Array[]): Uint8Array;
+
+export { base64UrlToBytes as a, base64ToBytes as b, bytesToBase64 as c, bytesToBase64Url as d, bytesToHex as e, bytesToUtf8 as f, concatBytes as g, utf8ToBytes as u };

package/dist/errors-C79jA9vX.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Pluggable crypto provider abstraction.
+ *
+ * DIS does not invent cryptography. It binds to an audited primitive provider.
+ * The default provider is the platform WebCrypto implementation
+ * (`globalThis.crypto`), which is available in modern browsers and in Node >= 20.
+ *
+ * Exposing this as an interface keeps the door open for substituting a
+ * hardware-backed or test provider without touching call sites, and keeps the
+ * rest of DIS free of direct global access.
+ */
+/** Minimal subset of the WebCrypto API that DIS relies on. */
+interface CryptoProvider {
+    getRandomValues<T extends ArrayBufferView>(array: T): T;
+    readonly subtle: SubtleCrypto;
+}
+/** Returns the active crypto provider, falling back to platform WebCrypto. */
+declare function getCryptoProvider(): CryptoProvider;
+/**
+ * Overrides the active crypto provider. Intended for tests and for
+ * environments that supply a non-global WebCrypto implementation.
+ * Pass `null` to reset to platform auto-detection.
+ */
+declare function setCryptoProvider(provider: CryptoProvider | null): void;
+/** Convenience accessor for `SubtleCrypto`. */
+declare function subtle(): SubtleCrypto;
+
+/**
+ * Central, typed error hierarchy for DIS.
+ *
+ * Errors never include secret material (keys, plaintext, passwords) in their
+ * message or properties. Callers may safely log `error.code` and `error.message`.
+ */
+type DisErrorCode = 'INVALID_ARGUMENT' | 'UNSUPPORTED_FORMAT_VERSION' | 'DECRYPTION_FAILED' | 'INTEGRITY_CHECK_FAILED' | 'KEY_DERIVATION_FAILED' | 'UNSUPPORTED_KDF_VERSION' | 'LEGACY_PAYLOAD_REQUIRES_MIGRATION' | 'PROVIDER_UNAVAILABLE' | 'USE_AFTER_DESTROY';
+/** Base class for all errors thrown by DIS. */
+declare class DisError extends Error {
+    readonly code: DisErrorCode;
+    constructor(code: DisErrorCode, message: string);
+}
+/** Thrown when an argument is missing or structurally invalid. */
+declare class DisInvalidArgumentError extends DisError {
+    constructor(message: string);
+}
+/**
+ * Thrown when AEAD decryption or authentication fails. The cause (wrong key,
+ * tampered ciphertext, or AAD mismatch) is intentionally not distinguished to
+ * avoid leaking an oracle.
+ */
+declare class DisDecryptionError extends DisError {
+    constructor(message?: string);
+}
+/** Thrown when a versioned payload carries a version DIS cannot read. */
+declare class DisUnsupportedFormatVersionError extends DisError {
+    constructor(message: string);
+}
+/** Thrown when an integrity / hash verification fails. */
+declare class DisIntegrityError extends DisError {
+    constructor(message?: string);
+}
+/** Thrown when a legacy, non-migratable payload is read on a runtime path. */
+declare class DisLegacyPayloadError extends DisError {
+    constructor(message?: string);
+}
+
+export { type CryptoProvider as C, DisDecryptionError as D, DisError as a, type DisErrorCode as b, DisIntegrityError as c, DisInvalidArgumentError as d, DisLegacyPayloadError as e, DisUnsupportedFormatVersionError as f, getCryptoProvider as g, subtle as h, setCryptoProvider as s };

package/dist/file-encryption/index.d.ts

@@ -0,0 +1,135 @@
+/**
+ * dis-file-encryption / dis-attachment-streams — chunked file & attachment
+ * encryption.
+ *
+ * Model (byte-compatible with Singra Premium):
+ *   - A fresh random per-file AES-256 key encrypts the file content.
+ *   - The file is split into fixed-size chunks; each chunk is sealed with
+ *     AES-256-GCM and a per-chunk AAD binding it to owner/item/file/revision/
+ *     manifest-root/index/count (defeats reorder, splice and cross-file swap).
+ *   - The file key is wrapped by an outer vault key (supplied as a callback),
+ *     bound by a file-key AAD.
+ *   - A manifest records chunk hashes and a manifest root; it is sealed with
+ *     the vault key under a manifest AAD and wrapped in `sv-file-manifest-v1:`.
+ *
+ * DIS owns the cryptography and the format. It is storage-agnostic: callers
+ * supply chunk read/write callbacks, so transport (e.g. object storage, local
+ * FS) stays in the application.
+ */
+/** Default chunk size (4 MiB), matching the Singra Premium format. */
+declare const DEFAULT_CHUNK_SIZE: number;
+declare const FILE_MANIFEST_V1_PREFIX = "sv-file-manifest-v1:";
+/** Opaque binding context for an attachment. Ids are treated as opaque strings. */
+interface AttachmentContext {
+    readonly ownerId: string;
+    readonly vaultItemId: string;
+    readonly fileId: string;
+}
+/** Encrypts text with the outer vault key (e.g. DIS aead.encryptString). */
+type VaultEncryptText = (plaintext: string, aad?: string) => Promise<string>;
+type VaultDecryptText = (encrypted: string, aad?: string) => Promise<string>;
+type VaultEncryptBytes = (plaintext: Uint8Array, aad?: string) => Promise<string>;
+type VaultDecryptBytes = (encrypted: string, aad?: string) => Promise<Uint8Array>;
+interface FileChunkManifest {
+    readonly index: number;
+    readonly plaintext_size: number;
+    readonly ciphertext_size: number;
+    readonly ciphertext_sha256: string;
+}
+interface FileManifestV1 {
+    readonly version: 1;
+    readonly algorithm: 'AES-256-GCM';
+    readonly file_id: string;
+    readonly file_revision: number;
+    readonly previous_manifest_hash: string | null;
+    readonly manifest_root: string;
+    readonly owner_id: string;
+    readonly vault_item_id: string;
+    readonly original_name: string;
+    readonly mime_type: string | null;
+    readonly original_size: number;
+    readonly last_modified: number | null;
+    readonly uploaded_at: string;
+    readonly chunk_size: number;
+    readonly chunk_count: number;
+    readonly wrapped_file_key: string;
+    readonly chunks: readonly FileChunkManifest[];
+    readonly preview: null;
+    readonly notes: null;
+}
+declare function manifestAad(ctx: AttachmentContext): string;
+declare function fileKeyAad(ctx: AttachmentContext): string;
+declare function chunkAad(ctx: AttachmentContext, fileRevision: number, manifestRoot: string, chunkIndex: number, chunkCount: number): string;
+/** Generates fresh per-file AES-256 key bytes (caller must wipe). */
+declare function generateFileKeyBytes(): Uint8Array;
+/** Imports raw file-key bytes as a non-extractable AES-GCM key. */
+declare function importFileKey(rawKey: Uint8Array): Promise<CryptoKey>;
+/** Seals one plaintext chunk. `plaintext` is wiped before returning. */
+declare function encryptChunk(plaintext: Uint8Array, fileKey: CryptoKey, aad: string): Promise<string>;
+/** Opens one chunk. Returned bytes are plaintext — caller must wipe. */
+declare function decryptChunk(encryptedBase64: string, fileKey: CryptoKey, aad: string): Promise<Uint8Array>;
+interface PlannedChunk {
+    readonly index: number;
+    readonly plaintext_size: number;
+}
+/**
+ * Computes the manifest root: a SHA-256 over the planned chunk layout. Binding
+ * each chunk's AAD to this root prevents chunk-count / size tampering.
+ */
+declare function computeManifestRoot(input: {
+    fileId: string;
+    fileRevision: number;
+    chunkSize: number;
+    chunkCount: number;
+    chunks: readonly PlannedChunk[];
+}): Promise<string>;
+/** SHA-256 (base64) of a ciphertext chunk, for the manifest. */
+declare function chunkCiphertextHash(ciphertextBase64: string): Promise<string>;
+interface EncryptAttachmentInput {
+    readonly context: AttachmentContext;
+    readonly fileRevision?: number;
+    readonly chunkSize?: number;
+    /** Total plaintext size in bytes (used to plan chunks). */
+    readonly totalSize: number;
+    /** Returns the plaintext bytes for chunk `[start, end)`. */
+    readonly readChunk: (start: number, end: number) => Promise<Uint8Array>;
+    /** Persists a sealed chunk; returns its stored ciphertext size in bytes. */
+    readonly writeChunk: (index: number, ciphertextBase64: string) => Promise<number>;
+    /** Wraps the per-file key with the outer vault key. */
+    readonly wrapFileKey: VaultEncryptBytes;
+    readonly metadata: {
+        readonly original_name: string;
+        readonly mime_type: string | null;
+        readonly last_modified: number | null;
+    };
+}
+interface EncryptAttachmentResult {
+    readonly manifest: FileManifestV1;
+    readonly manifestRoot: string;
+}
+/**
+ * Encrypts an attachment chunk-by-chunk and produces a sealed manifest.
+ * Storage is delegated to `readChunk`/`writeChunk`. The returned manifest's
+ * `wrapped_file_key` is bound to the file via {@link fileKeyAad}.
+ */
+declare function encryptAttachment(input: EncryptAttachmentInput): Promise<EncryptAttachmentResult>;
+interface DecryptAttachmentInput {
+    readonly context: AttachmentContext;
+    readonly manifest: FileManifestV1;
+    /** Reads a stored ciphertext chunk by index. */
+    readonly readChunk: (index: number, storedSha256: string) => Promise<string>;
+    /** Receives a decrypted plaintext chunk (caller may stream to disk). */
+    readonly writeChunk: (index: number, plaintext: Uint8Array) => Promise<void>;
+    /** Unwraps the per-file key using the outer vault key. */
+    readonly unwrapFileKey: VaultDecryptBytes;
+    /** If true (default), verify each chunk's stored ciphertext hash. */
+    readonly verifyChunkHashes?: boolean;
+}
+/**
+ * Decrypts an attachment by streaming chunks through `readChunk`/`writeChunk`.
+ * Each chunk is authenticated by its AAD; when `verifyChunkHashes` is set the
+ * stored ciphertext hash is additionally checked before decryption.
+ */
+declare function decryptAttachment(input: DecryptAttachmentInput): Promise<void>;
+
+export { type AttachmentContext, DEFAULT_CHUNK_SIZE, type DecryptAttachmentInput, type EncryptAttachmentInput, type EncryptAttachmentResult, FILE_MANIFEST_V1_PREFIX, type FileChunkManifest, type FileManifestV1, type VaultDecryptBytes, type VaultDecryptText, type VaultEncryptBytes, type VaultEncryptText, chunkAad, chunkCiphertextHash, computeManifestRoot, decryptAttachment, decryptChunk, encryptAttachment, encryptChunk, fileKeyAad, generateFileKeyBytes, importFileKey, manifestAad };

package/dist/file-encryption/index.js

@@ -0,0 +1,11 @@
+export { DEFAULT_CHUNK_SIZE, FILE_MANIFEST_V1_PREFIX, chunkAad, chunkCiphertextHash, computeManifestRoot, decryptAttachment, decryptChunk, encryptAttachment, encryptChunk, fileKeyAad, generateFileKeyBytes, importFileKey, manifestAad } from '../chunk-EOXWR7DS.js';
+import '../chunk-MPWYZXW7.js';
+import '../chunk-3HCT6A2P.js';
+import '../chunk-OPHN2B3N.js';
+import '../chunk-U65A4HIY.js';
+import '../chunk-BUFRR5PB.js';
+import '../chunk-JSKIWIEC.js';
+import '../chunk-CYIGDF63.js';
+import '../chunk-MJO7IJZC.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/file-encryption/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/format-versioning/index.d.ts

@@ -0,0 +1,37 @@
+/**
+ * dis-format-versioning — versioned, prefix-tagged cipher envelopes.
+ *
+ * Every persisted ciphertext carries an explicit, human-readable version
+ * prefix (e.g. `sv-vault-v1:`). Parsing dispatches strictly by prefix and
+ * fails closed for unknown versions in the same family, so a future format can
+ * never be silently misread as a legacy payload. Payloads with no recognised
+ * prefix are reported as `legacy`, letting callers decide whether to allow them
+ * (e.g. only on an explicit migration path).
+ */
+/** Describes a family of versioned envelopes and its current prefix. */
+interface VersionedCipherEnvelopeSpec {
+    /** The prefix written for the current version, e.g. `sv-vault-v1:`. */
+    readonly currentPrefix: string;
+    /** The shared family prefix, e.g. `sv-vault-`. */
+    readonly familyPrefix: string;
+    /** Human-readable subject used in error messages, e.g. `vault item`. */
+    readonly subject: string;
+}
+type VersionedCipherEnvelope = {
+    readonly version: 1;
+    readonly payload: string;
+} | {
+    readonly version: 'legacy';
+    readonly payload: string;
+};
+/** Wraps a base64 ciphertext in the spec's current version prefix. */
+declare function formatEnvelope(spec: VersionedCipherEnvelopeSpec, encryptedBase64: string): string;
+/**
+ * Parses an envelope. Returns `version: 1` for the current prefix, throws for
+ * an unknown in-family version, and returns `version: 'legacy'` otherwise.
+ */
+declare function parseEnvelope(spec: VersionedCipherEnvelopeSpec, encryptedData: string): VersionedCipherEnvelope;
+/** True if `encryptedData` is in the spec's current (v1) envelope format. */
+declare function isCurrentEnvelope(spec: VersionedCipherEnvelopeSpec, encryptedData: string): boolean;
+
+export { type VersionedCipherEnvelope, type VersionedCipherEnvelopeSpec, formatEnvelope, isCurrentEnvelope, parseEnvelope };

package/dist/format-versioning/index.js

@@ -0,0 +1,4 @@
+export { formatEnvelope, isCurrentEnvelope, parseEnvelope } from '../chunk-SCHZI6YY.js';
+import '../chunk-MJO7IJZC.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/format-versioning/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+export { VAULT_ITEM_ENVELOPE_V1_PREFIX, VaultEntryData, VaultEntryMigrationResult, decryptVaultEntry, decryptVaultEntryForMigration, encryptVaultEntry, isCurrentVaultEntryEnvelope } from './vault-encryption/index.js';
+export { AttachmentContext, DEFAULT_CHUNK_SIZE, DecryptAttachmentInput, EncryptAttachmentInput, FILE_MANIFEST_V1_PREFIX, FileChunkManifest, FileManifestV1, decryptAttachment, decryptChunk, encryptAttachment, encryptChunk, generateFileKeyBytes, importFileKey } from './file-encryption/index.js';
+export { Argon2idRawParams, CURRENT_KDF_VERSION, DEFAULT_KDF_PARAMS, DeriveRawKeyOptions, KdfParams, argon2idRaw, deriveHkdfAesGcmKey, deriveHkdfSha256Bits, deriveAesGcmKey as deriveMasterKey, deriveRawKey, generateSalt, importAesGcmKey } from './kdf/index.js';
+export { DEFAULT_KEY_WRAP_SCHEME, KeyWrapScheme, UserKeyBundle, createWrappedUserKey, generateContentKeyBytes, rotateWrappedKey as rotateEncryptionKeys, unwrapUserKey, unwrapUserKeyBytes } from './key-management/index.js';
+export { HYBRID_VERSION, HybridKeyPair, PQKeyPair, SECURITY_STANDARD_VERSION, SharedKeyWrapAadInput, buildSharedKeyWrapAad, generateHybridKeyPair, generatePQKeyPair, hybridDecrypt, hybridEncrypt, hybridUnwrapKey, hybridWrapKey, isCurrentStandardEncrypted, isHybridEncrypted, migrateToHybrid } from './post-quantum/index.js';
+export { constantTimeEqual, hmacSha256, hmacSha256WithKey, importHmacSha256Key, sha1Hex, sha256Base64, sha256Base64Url, sha256Bytes, sha256Hex, sha256JsonBase64, verifyPayloadIntegrity } from './integrity/index.js';
+export { ECDSA_P256_SIGNATURE_LENGTH, EcdsaP256KeyPair, generateEcdsaP256KeyPair, importEcdsaP256PublicKeySpki, signEcdsaP256, verifyEcdsaP256 } from './signing/index.js';
+export { TotpParams, buildTotpUri, generateTotpSecret, verifyTotpCode } from './totp/index.js';
+export { Migration, MigrationContext, MigrationRegistry, VersionDetector } from './migrations/index.js';
+export { aesGcmDecrypt, aesGcmEncrypt, decryptBytes, decryptString, encryptBytes, encryptString, generateAesGcmKey, importAesGcmRawKey } from './aead/index.js';
+export { SecureBuffer, withSecureBuffer, zeroBuffers } from './secure-memory/index.js';
+export { fillRandom, randomBytes, randomInt, randomUuid } from './random/index.js';
+export { VersionedCipherEnvelope, VersionedCipherEnvelopeSpec, formatEnvelope, isCurrentEnvelope, parseEnvelope } from './format-versioning/index.js';
+export { C as CryptoProvider, D as DisDecryptionError, a as DisError, b as DisErrorCode, c as DisIntegrityError, d as DisInvalidArgumentError, e as DisLegacyPayloadError, f as DisUnsupportedFormatVersionError, g as getCryptoProvider, s as setCryptoProvider } from './errors-C79jA9vX.js';
+
+/**
+ * DIS — Defensive Integration Shield
+ * Powered by DIS — Defensive Integration Shield.
+ *
+ * Stable public SDK facade. Applications should depend on this surface (or the
+ * individual `@dis/shield/<module>` entry points) and never call low-level
+ * WebCrypto directly. Internal cryptographic changes are designed not to break
+ * these signatures.
+ */
+declare const DIS_BRANDING: "Powered by DIS \u2014 Defensive Integration Shield";
+
+export { DIS_BRANDING };

package/dist/index.js

@@ -0,0 +1,24 @@
+export { MigrationRegistry } from './chunk-FUDDBD2G.js';
+export { DEFAULT_CHUNK_SIZE, FILE_MANIFEST_V1_PREFIX, decryptAttachment, decryptChunk, encryptAttachment, encryptChunk, generateFileKeyBytes, importFileKey } from './chunk-EOXWR7DS.js';
+export { DEFAULT_KEY_WRAP_SCHEME, createWrappedUserKey, generateContentKeyBytes, rotateWrappedKey as rotateEncryptionKeys, unwrapUserKey, unwrapUserKeyBytes } from './chunk-3DQPQCAR.js';
+export { HYBRID_VERSION, SECURITY_STANDARD_VERSION, buildSharedKeyWrapAad, generateHybridKeyPair, generatePQKeyPair, hybridDecrypt, hybridEncrypt, hybridUnwrapKey, hybridWrapKey, isCurrentStandardEncrypted, isHybridEncrypted, migrateToHybrid } from './chunk-T3IV7SHD.js';
+export { constantTimeEqual, hmacSha256, hmacSha256WithKey, importHmacSha256Key, sha1Hex, sha256Base64, sha256Base64Url, sha256Bytes, sha256Hex, sha256JsonBase64, verifyPayloadIntegrity } from './chunk-MPWYZXW7.js';
+export { ECDSA_P256_SIGNATURE_LENGTH, generateEcdsaP256KeyPair, importEcdsaP256PublicKeySpki, signEcdsaP256, verifyEcdsaP256 } from './chunk-AB2WZ7Y2.js';
+export { buildTotpUri, generateTotpSecret, verifyTotpCode } from './chunk-OA5ARYJM.js';
+export { fillRandom, randomBytes, randomInt, randomUuid } from './chunk-3HCT6A2P.js';
+export { SecureBuffer, withSecureBuffer, zeroBuffers } from './chunk-RTAJJZKO.js';
+export { CURRENT_KDF_VERSION, DEFAULT_KDF_PARAMS, argon2idRaw, deriveHkdfAesGcmKey, deriveHkdfSha256Bits, deriveAesGcmKey as deriveMasterKey, deriveRawKey, generateSalt, importAesGcmKey } from './chunk-OPHN2B3N.js';
+export { VAULT_ITEM_ENVELOPE_V1_PREFIX, decryptVaultEntry, decryptVaultEntryForMigration, encryptVaultEntry, isCurrentVaultEntryEnvelope } from './chunk-JVFP2GAO.js';
+export { aesGcmDecrypt, aesGcmEncrypt, decryptBytes, decryptString, encryptBytes, encryptString, generateAesGcmKey, importAesGcmRawKey } from './chunk-U65A4HIY.js';
+import './chunk-BUFRR5PB.js';
+import './chunk-JSKIWIEC.js';
+export { getCryptoProvider, setCryptoProvider } from './chunk-CYIGDF63.js';
+export { formatEnvelope, isCurrentEnvelope, parseEnvelope } from './chunk-SCHZI6YY.js';
+export { DisDecryptionError, DisError, DisIntegrityError, DisInvalidArgumentError, DisLegacyPayloadError, DisUnsupportedFormatVersionError } from './chunk-MJO7IJZC.js';
+
+// src/index.ts
+var DIS_BRANDING = "Powered by DIS \u2014 Defensive Integration Shield";
+
+export { DIS_BRANDING };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;AAUO,IAAM,YAAA,GAAe","file":"index.js","sourcesContent":["/**\r\n * DIS — Defensive Integration Shield\r\n * Powered by DIS — Defensive Integration Shield.\r\n *\r\n * Stable public SDK facade. Applications should depend on this surface (or the\r\n * individual `@dis/shield/<module>` entry points) and never call low-level\r\n * WebCrypto directly. Internal cryptographic changes are designed not to break\r\n * these signatures.\r\n */\r\n\r\nexport const DIS_BRANDING = 'Powered by DIS — Defensive Integration Shield' as const;\r\n\r\n// ---- Stable high-level API ------------------------------------------------\r\n\r\n// Vault entries\r\nexport {\r\n    encryptVaultEntry,\r\n    decryptVaultEntry,\r\n    decryptVaultEntryForMigration,\r\n    isCurrentVaultEntryEnvelope,\r\n    VAULT_ITEM_ENVELOPE_V1_PREFIX,\r\n    type VaultEntryData,\r\n    type VaultEntryMigrationResult,\r\n} from './vault-encryption/index.js';\r\n\r\n// Attachments / files\r\nexport {\r\n    encryptAttachment,\r\n    decryptAttachment,\r\n    encryptChunk,\r\n    decryptChunk,\r\n    generateFileKeyBytes,\r\n    importFileKey,\r\n    DEFAULT_CHUNK_SIZE,\r\n    FILE_MANIFEST_V1_PREFIX,\r\n    type AttachmentContext,\r\n    type FileManifestV1,\r\n    type FileChunkManifest,\r\n    type EncryptAttachmentInput,\r\n    type DecryptAttachmentInput,\r\n} from './file-encryption/index.js';\r\n\r\n// Key derivation (deriveMasterKey == deriveAesGcmKey)\r\nexport {\r\n    deriveAesGcmKey as deriveMasterKey,\r\n    deriveRawKey,\r\n    importAesGcmKey,\r\n    generateSalt,\r\n    CURRENT_KDF_VERSION,\r\n    DEFAULT_KDF_PARAMS,\r\n    type KdfParams,\r\n    type DeriveRawKeyOptions,\r\n} from './kdf/index.js';\r\n\r\n// Key management / rotation (rotateEncryptionKeys == rotateWrappedKey)\r\nexport {\r\n    createWrappedUserKey,\r\n    unwrapUserKey,\r\n    unwrapUserKeyBytes,\r\n    rotateWrappedKey as rotateEncryptionKeys,\r\n    generateContentKeyBytes,\r\n    DEFAULT_KEY_WRAP_SCHEME,\r\n    type UserKeyBundle,\r\n    type KeyWrapScheme,\r\n} from './key-management/index.js';\r\n\r\n// Post-quantum hybrid key wrapping (ML-KEM-768 + RSA-4096) for sharing /\r\n// emergency-access keys. Optional: requires the `@noble/post-quantum` peer.\r\nexport {\r\n    generatePQKeyPair,\r\n    generateHybridKeyPair,\r\n    hybridEncrypt,\r\n    hybridDecrypt,\r\n    hybridWrapKey,\r\n    hybridUnwrapKey,\r\n    isHybridEncrypted,\r\n    isCurrentStandardEncrypted,\r\n    migrateToHybrid,\r\n    buildSharedKeyWrapAad,\r\n    HYBRID_VERSION,\r\n    SECURITY_STANDARD_VERSION,\r\n    type PQKeyPair,\r\n    type HybridKeyPair,\r\n    type SharedKeyWrapAadInput,\r\n} from './post-quantum/index.js';\r\n\r\n// Integrity & hashing\r\nexport {\r\n    verifyPayloadIntegrity,\r\n    sha256Bytes,\r\n    sha256Base64,\r\n    sha256Base64Url,\r\n    sha256Hex,\r\n    sha1Hex,\r\n    sha256JsonBase64,\r\n    hmacSha256,\r\n    hmacSha256WithKey,\r\n    importHmacSha256Key,\r\n    constantTimeEqual,\r\n} from './integrity/index.js';\r\n\r\n// Digital signatures (ECDSA P-256)\r\nexport {\r\n    generateEcdsaP256KeyPair,\r\n    importEcdsaP256PublicKeySpki,\r\n    signEcdsaP256,\r\n    verifyEcdsaP256,\r\n    ECDSA_P256_SIGNATURE_LENGTH,\r\n    type EcdsaP256KeyPair,\r\n} from './signing/index.js';\r\n\r\n// Time-based one-time passwords (TOTP)\r\nexport {\r\n    generateTotpSecret,\r\n    buildTotpUri,\r\n    verifyTotpCode,\r\n    type TotpParams,\r\n} from './totp/index.js';\r\n\r\n// Migrations (migrateEncryptedPayload via the registry)\r\nexport {\r\n    MigrationRegistry,\r\n    type Migration,\r\n    type MigrationContext,\r\n    type VersionDetector,\r\n} from './migrations/index.js';\r\n\r\n// ---- Lower-level building blocks (re-exported for advanced use) -----------\r\n\r\nexport {\r\n    encryptBytes,\r\n    decryptBytes,\r\n    encryptString,\r\n    decryptString,\r\n    aesGcmEncrypt,\r\n    aesGcmDecrypt,\r\n    importAesGcmRawKey,\r\n    generateAesGcmKey,\r\n} from './aead/index.js';\r\n\r\nexport {\r\n    argon2idRaw,\r\n    deriveHkdfSha256Bits,\r\n    deriveHkdfAesGcmKey,\r\n    type Argon2idRawParams,\r\n} from './kdf/index.js';\r\n\r\nexport {\r\n    SecureBuffer,\r\n    withSecureBuffer,\r\n    zeroBuffers,\r\n} from './secure-memory/index.js';\r\n\r\nexport { randomBytes, randomInt, fillRandom, randomUuid } from './random/index.js';\r\n\r\nexport {\r\n    formatEnvelope,\r\n    parseEnvelope,\r\n    isCurrentEnvelope,\r\n    type VersionedCipherEnvelopeSpec,\r\n    type VersionedCipherEnvelope,\r\n} from './format-versioning/index.js';\r\n\r\nexport {\r\n    setCryptoProvider,\r\n    getCryptoProvider,\r\n    type CryptoProvider,\r\n} from './core/provider.js';\r\n\r\nexport {\r\n    DisError,\r\n    DisInvalidArgumentError,\r\n    DisDecryptionError,\r\n    DisUnsupportedFormatVersionError,\r\n    DisIntegrityError,\r\n    DisLegacyPayloadError,\r\n    type DisErrorCode,\r\n} from './core/errors.js';\r\n"]}

package/dist/integrity/index.d.ts

@@ -0,0 +1,46 @@
+/**
+ * dis-integrity — hashing and verification helpers.
+ *
+ * Provides SHA-256 digests (base64) and constant-time comparison. Used for
+ * file-chunk integrity, manifest roots, and any place that must verify a
+ * payload has not been altered. Confidential payloads still rely on AEAD;
+ * these helpers cover integrity of already-encrypted / public material.
+ */
+/** SHA-256 of raw bytes, returned as a fresh `Uint8Array` digest. */
+declare function sha256Bytes(data: Uint8Array): Promise<Uint8Array>;
+/** SHA-256 of raw bytes, base64-encoded. */
+declare function sha256Base64(data: Uint8Array): Promise<string>;
+/** SHA-256 of raw bytes, unpadded-base64url-encoded. */
+declare function sha256Base64Url(data: Uint8Array): Promise<string>;
+/** SHA-256 of raw bytes, lower-case hex-encoded. */
+declare function sha256Hex(data: Uint8Array): Promise<string>;
+/**
+ * SHA-1 of raw bytes, lower-case hex-encoded.
+ *
+ * SHA-1 is collision-broken and MUST NOT be used for any security decision.
+ * It is provided solely for legacy interop where a remote protocol mandates
+ * it — specifically the HaveIBeenPwned k-anonymity range API, which keys on
+ * the SHA-1 of the password. Callers uppercase the hex as the API requires.
+ */
+declare function sha1Hex(data: Uint8Array): Promise<string>;
+/** Imports raw bytes as an HMAC-SHA-256 key. */
+declare function importHmacSha256Key(keyBytes: Uint8Array, usages?: KeyUsage[]): Promise<CryptoKey>;
+/** Computes HMAC-SHA-256 over `data` with an already-imported key. */
+declare function hmacSha256WithKey(key: CryptoKey, data: Uint8Array): Promise<Uint8Array>;
+/** Computes HMAC-SHA-256 over `data` with raw key bytes. */
+declare function hmacSha256(keyBytes: Uint8Array, data: Uint8Array): Promise<Uint8Array>;
+/** SHA-256 of a UTF-8 string, base64-encoded. */
+declare function sha256StringBase64(data: string): Promise<string>;
+/** SHA-256 of the JSON serialisation of `value`, base64-encoded. */
+declare function sha256JsonBase64(value: unknown): Promise<string>;
+/** Constant-time equality of two byte arrays. */
+declare function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean;
+/** Constant-time equality of two base64 strings (compared as decoded bytes). */
+declare function constantTimeEqualBase64(a: string, b: string): boolean;
+/**
+ * Verifies that `data` hashes (SHA-256) to `expectedBase64`, throwing
+ * {@link DisIntegrityError} on mismatch. Comparison is constant-time.
+ */
+declare function verifyPayloadIntegrity(data: Uint8Array, expectedBase64: string): Promise<void>;
+
+export { constantTimeEqual, constantTimeEqualBase64, hmacSha256, hmacSha256WithKey, importHmacSha256Key, sha1Hex, sha256Base64, sha256Base64Url, sha256Bytes, sha256Hex, sha256JsonBase64, sha256StringBase64, verifyPayloadIntegrity };

package/dist/integrity/index.js

@@ -0,0 +1,6 @@
+export { constantTimeEqual, constantTimeEqualBase64, hmacSha256, hmacSha256WithKey, importHmacSha256Key, sha1Hex, sha256Base64, sha256Base64Url, sha256Bytes, sha256Hex, sha256JsonBase64, sha256StringBase64, verifyPayloadIntegrity } from '../chunk-MPWYZXW7.js';
+import '../chunk-JSKIWIEC.js';
+import '../chunk-CYIGDF63.js';
+import '../chunk-MJO7IJZC.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/integrity/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/kdf/index.d.ts

@@ -0,0 +1,104 @@
+/**
+ * dis-kdf — password-based key derivation.
+ *
+ * Primitive: Argon2id (via the audited `hash-wasm` implementation), with
+ * versioned, immutable parameter sets so accounts can be transparently
+ * upgraded to stronger parameters over time. Optional HKDF-Expand strengthening
+ * binds the derived key to a second factor (e.g. a device key) without
+ * weakening the password-derived material.
+ *
+ * DIS does not invent a KDF. Parameters follow OWASP Argon2id guidance.
+ */
+/** Argon2id parameter set. Once released, a version's params are immutable. */
+interface KdfParams {
+    /** Memory cost in KiB. */
+    readonly memory: number;
+    /** Iteration (time) cost. */
+    readonly iterations: number;
+    /** Degree of parallelism. */
+    readonly parallelism: number;
+    /** Output length in bytes. */
+    readonly hashLength: number;
+}
+/**
+ * Default versioned parameter registry. Byte-compatible with Singra Vault:
+ *   v1: 64 MiB  (original baseline)
+ *   v2: 128 MiB (current; exceeds OWASP Argon2id minimum)
+ *
+ * IMPORTANT: never change an existing version's parameters — only add versions.
+ */
+declare const DEFAULT_KDF_PARAMS: Readonly<Record<number, KdfParams>>;
+/** The latest KDF version. New accounts derive with this version. */
+declare const CURRENT_KDF_VERSION = 2;
+/** Optional second-factor strengthening via HKDF-Expand (SHA-256). */
+interface KdfStrengthenOptions {
+    /** Salt for HKDF (e.g. a 256-bit device key). */
+    readonly hkdfSalt: Uint8Array;
+    /** Domain-separation `info` string for HKDF. Caller-owned (format contract). */
+    readonly info: string;
+}
+interface DeriveRawKeyOptions {
+    /** KDF version to look up in `params`. Defaults to {@link CURRENT_KDF_VERSION}. */
+    readonly version?: number;
+    /** Parameter registry. Defaults to {@link DEFAULT_KDF_PARAMS}. */
+    readonly params?: Readonly<Record<number, KdfParams>>;
+    /** Optional HKDF strengthening (e.g. device-key binding). */
+    readonly strengthen?: KdfStrengthenOptions;
+}
+/** Generates a cryptographically secure, base64-encoded salt. */
+declare function generateSalt(): string;
+/**
+ * Derives raw key bytes from a password using Argon2id (+ optional HKDF).
+ *
+ * The caller owns the returned buffer and MUST wipe it (`.fill(0)`).
+ */
+declare function deriveRawKey(password: string, saltBase64: string, options?: DeriveRawKeyOptions): Promise<Uint8Array>;
+/** Imports raw 256-bit key bytes as a non-extractable AES-GCM CryptoKey. */
+declare function importAesGcmKey(keyBytes: Uint8Array | BufferSource): Promise<CryptoKey>;
+/**
+ * Derives a non-extractable AES-GCM key from a password. Raw key bytes are
+ * wiped as soon as the CryptoKey is imported.
+ */
+declare function deriveAesGcmKey(password: string, saltBase64: string, options?: DeriveRawKeyOptions): Promise<CryptoKey>;
+/** Explicit Argon2id parameters for a single ad-hoc derivation. */
+interface Argon2idRawParams {
+    readonly password: string;
+    readonly salt: Uint8Array;
+    /** Memory cost in KiB. */
+    readonly memorySize: number;
+    readonly iterations: number;
+    readonly parallelism: number;
+    readonly hashLength: number;
+}
+/**
+ * Low-level Argon2id derivation returning raw key bytes. This is the audited
+ * `hash-wasm` Argon2id with caller-chosen parameters and a raw byte salt — for
+ * call sites that derive a key with a context-specific salt/param set (device
+ * key transfer wrapping, integrity HMAC key) rather than the versioned account
+ * KDF registry used by {@link deriveRawKey}.
+ */
+declare function argon2idRaw(params: Argon2idRawParams): Promise<Uint8Array>;
+/**
+ * HKDF-SHA-256 expand/extract producing `lengthBits` of key material.
+ *
+ * `ikm` is the input keying material, `salt` defaults to the empty salt (the
+ * op-log record/snapshot derivations use an empty salt and put all context in
+ * `info`; the device-key derivation uses the device key as salt).
+ */
+declare function deriveHkdfSha256Bits(ikm: Uint8Array, options: {
+    info: Uint8Array;
+    salt?: Uint8Array;
+    lengthBits?: number;
+}): Promise<Uint8Array>;
+/**
+ * HKDF-SHA-256 deriving directly into a non-extractable AES-256-GCM key,
+ * mirroring `crypto.subtle.deriveKey` (used by passkey PRF wrapping and the
+ * legacy device-key wrapping path).
+ */
+declare function deriveHkdfAesGcmKey(ikm: Uint8Array, options: {
+    info: Uint8Array;
+    salt?: Uint8Array;
+    usages?: KeyUsage[];
+}): Promise<CryptoKey>;
+
+export { type Argon2idRawParams, CURRENT_KDF_VERSION, DEFAULT_KDF_PARAMS, type DeriveRawKeyOptions, type KdfParams, type KdfStrengthenOptions, argon2idRaw, deriveAesGcmKey, deriveHkdfAesGcmKey, deriveHkdfSha256Bits, deriveRawKey, generateSalt, importAesGcmKey };

package/dist/kdf/index.js

@@ -0,0 +1,7 @@
+export { CURRENT_KDF_VERSION, DEFAULT_KDF_PARAMS, argon2idRaw, deriveAesGcmKey, deriveHkdfAesGcmKey, deriveHkdfSha256Bits, deriveRawKey, generateSalt, importAesGcmKey } from '../chunk-OPHN2B3N.js';
+import '../chunk-BUFRR5PB.js';
+import '../chunk-JSKIWIEC.js';
+import '../chunk-CYIGDF63.js';
+import '../chunk-MJO7IJZC.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/kdf/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/key-management/index.d.ts

@@ -0,0 +1,69 @@
+export { importAesGcmKey } from '../kdf/index.js';
+
+/**
+ * dis-key-management — key hierarchy, wrapping, and rotation.
+ *
+ * Implements the two-tier key model used by Singra Vault:
+ *   - A high-entropy random *content key* (the "UserKey") encrypts vault data.
+ *   - The content key is wrapped under a *key-encryption key* (KEK) that is
+ *     derived from the KDF output via HKDF-Expand (domain-separated `info`).
+ *
+ * Because the content key is independent of the password, changing the master
+ * password only re-wraps the content key — no vault data is re-encrypted. This
+ * is what makes {@link rotateWrappedKey} cheap and safe.
+ *
+ * Wrapped keys carry a stable, versioned prefix. The default scheme is byte
+ * compatible with Singra's `usk-wrap-v2:` envelope.
+ */
+
+/** Describes how a content key is wrapped: envelope prefix + HKDF domain. */
+interface KeyWrapScheme {
+    /** Stable envelope prefix written for new wraps, e.g. `usk-wrap-v2:`. */
+    readonly prefix: string;
+    /** HKDF-Expand `info` for deriving the KEK from KDF output. */
+    readonly hkdfInfo: string;
+}
+/**
+ * Default wrap scheme. Byte-compatible with Singra Vault so existing
+ * `encrypted_user_key` values decrypt unchanged. The `info` label is part of
+ * the format contract and must not be renamed without a new scheme version.
+ */
+declare const DEFAULT_KEY_WRAP_SCHEME: KeyWrapScheme;
+
+interface UserKeyBundle {
+    /** Wrapped content key: `<prefix><base64(IV||CT||tag)>`. */
+    readonly encryptedUserKey: string;
+    /** Non-extractable AES-GCM content key, ready for vault operations. */
+    readonly userKey: CryptoKey;
+}
+/** Generates fresh random content-key bytes (caller must wipe). */
+declare function generateContentKeyBytes(): Uint8Array;
+/**
+ * Creates a new random content key and wraps it under the KEK derived from
+ * `kdfOutputBytes`. For new accounts. The caller still owns `kdfOutputBytes`.
+ */
+declare function createWrappedUserKey(kdfOutputBytes: Uint8Array, scheme?: KeyWrapScheme): Promise<UserKeyBundle>;
+/** Unwraps a wrapped content key to raw bytes (caller must wipe). */
+declare function unwrapUserKeyBytes(encryptedUserKey: string, kdfOutputBytes: Uint8Array, scheme?: KeyWrapScheme): Promise<Uint8Array>;
+/** Unwraps a wrapped content key and imports it as an AES-GCM CryptoKey. */
+declare function unwrapUserKey(encryptedUserKey: string, kdfOutputBytes: Uint8Array, scheme?: KeyWrapScheme): Promise<CryptoKey>;
+/**
+ * Wraps a *deterministic* content key derived directly from `kdfOutputBytes`,
+ * for EXISTING accounts migrating to the two-tier key model. The content key
+ * equals the raw KDF output, so vault data previously encrypted directly under
+ * that output remains readable without re-encryption. The KEK is still
+ * domain-separated (HKDF `info`), so the wrapper is independent of the key.
+ */
+declare function createDeterministicWrappedUserKey(kdfOutputBytes: Uint8Array, scheme?: KeyWrapScheme): Promise<UserKeyBundle>;
+/** Generates a fresh AES-256-GCM key and returns it as a JWK JSON string. */
+declare function generateAesGcmKeyJwk(): Promise<string>;
+/** Imports an AES-256-GCM key from a JWK JSON string for the given usages. */
+declare function importAesGcmKeyFromJwk(jwkString: string, usages: ReadonlyArray<KeyUsage>): Promise<CryptoKey>;
+/**
+ * Re-wraps an existing content key under a new KDF output (new master password
+ * / new salt). The content key itself is unchanged, so NO vault data is
+ * re-encrypted — only the wrapper string changes.
+ */
+declare function rotateWrappedKey(encryptedUserKey: string, oldKdfOutputBytes: Uint8Array, newKdfOutputBytes: Uint8Array, scheme?: KeyWrapScheme): Promise<string>;
+
+export { DEFAULT_KEY_WRAP_SCHEME, type KeyWrapScheme, type UserKeyBundle, createDeterministicWrappedUserKey, createWrappedUserKey, generateAesGcmKeyJwk, generateContentKeyBytes, importAesGcmKeyFromJwk, rotateWrappedKey, unwrapUserKey, unwrapUserKeyBytes };

package/dist/key-management/index.js

@@ -0,0 +1,10 @@
+export { DEFAULT_KEY_WRAP_SCHEME, createDeterministicWrappedUserKey, createWrappedUserKey, generateAesGcmKeyJwk, generateContentKeyBytes, importAesGcmKeyFromJwk, rotateWrappedKey, unwrapUserKey, unwrapUserKeyBytes } from '../chunk-3DQPQCAR.js';
+import '../chunk-3HCT6A2P.js';
+export { importAesGcmKey } from '../chunk-OPHN2B3N.js';
+import '../chunk-U65A4HIY.js';
+import '../chunk-BUFRR5PB.js';
+import '../chunk-JSKIWIEC.js';
+import '../chunk-CYIGDF63.js';
+import '../chunk-MJO7IJZC.js';
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/key-management/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}