@msssystems/mss-link-sdk 0.1.8 → 0.1.10

package/dist/client/drive-key-wrapping.contracts.d.ts

@@ -0,0 +1,40 @@
+import type { DriveItemType, DriveWrappedItemKey } from './drive-sharing.contracts';
+export type DriveRecipientWrappingKeyAlgorithm = 'AES-256-GCM';
+export type DriveWrappedItemKeyAlgorithm = 'MSS-DRIVE-AES-256-GCM-WRAPPED-ITEM-KEY-v1';
+export interface DriveRecipientWrappingKey {
+    algorithm: DriveRecipientWrappingKeyAlgorithm;
+    keyId: string;
+    rawKeyBase64: string;
+}
+export interface DriveRecipientKeyTarget {
+    accountId?: string;
+    userId?: string;
+    username?: string;
+    wrappingKey: DriveRecipientWrappingKey;
+}
+export interface DriveItemContentKeyEnvelope {
+    algorithm?: 'AES-256-GCM' | string | null;
+    keyId?: string | null;
+    nonce?: string | null;
+    wrappedKey: string;
+}
+export interface CreateDriveWrappedItemKeyForRecipientInput {
+    itemId: string;
+    itemType: DriveItemType;
+    contentKey: DriveItemContentKeyEnvelope;
+    recipient: DriveRecipientKeyTarget;
+}
+export interface DriveWrappedItemKeyPayload {
+    contentAlgorithm: string;
+    contentKey: string;
+    contentKeyId?: string;
+    contentNonce?: string;
+    createdAt: string;
+    itemId: string;
+    itemType: DriveItemType;
+    schema: 'mss.link.drive.item-key.v1';
+}
+export interface DriveWrappedItemKeyForRecipientResult {
+    payload: DriveWrappedItemKeyPayload;
+    wrappedItemKey: DriveWrappedItemKey;
+}

package/dist/client/drive-key-wrapping.contracts.js

@@ -0,0 +1 @@
+export {};

package/dist/client/drive-key-wrapping.d.ts

@@ -0,0 +1,2 @@
+import type { CreateDriveWrappedItemKeyForRecipientInput, DriveWrappedItemKeyForRecipientResult } from './drive-key-wrapping.contracts';
+export declare function createDriveWrappedItemKeyForRecipient(input: CreateDriveWrappedItemKeyForRecipientInput): Promise<DriveWrappedItemKeyForRecipientResult>;

package/dist/client/drive-key-wrapping.js

@@ -0,0 +1,133 @@
+const CONTENT_KEY_SCHEMA = 'mss.link.drive.item-key.v1';
+const WRAPPED_ITEM_KEY_ALGORITHM = 'MSS-DRIVE-AES-256-GCM-WRAPPED-ITEM-KEY-v1';
+const AES_GCM_NONCE_LENGTH = 12;
+const AES_256_KEY_LENGTH = 32;
+export async function createDriveWrappedItemKeyForRecipient(input) {
+    const itemId = normalizeRequiredText(input.itemId, 'Drive item id is required for key wrapping.');
+    const itemType = input.itemType;
+    const recipient = normalizeRecipient(input.recipient);
+    const contentKey = normalizeContentKey(input.contentKey);
+    const wrappingKey = await importRecipientWrappingKey(recipient.wrappingKey);
+    const nonce = globalThis.crypto.getRandomValues(new Uint8Array(AES_GCM_NONCE_LENGTH));
+    const payload = buildWrappedItemKeyPayload({
+        contentKey,
+        itemId,
+        itemType,
+    });
+    const plaintext = new TextEncoder().encode(JSON.stringify(payload));
+    const additionalData = buildWrappingAdditionalData({
+        itemId,
+        itemType,
+        recipientId: recipient.wrappingKey.keyId,
+    });
+    const encrypted = await globalThis.crypto.subtle.encrypt({
+        additionalData: toArrayBuffer(additionalData),
+        iv: nonce,
+        name: 'AES-GCM',
+    }, wrappingKey, toArrayBuffer(plaintext));
+    return {
+        payload,
+        wrappedItemKey: {
+            encryptedItemKey: encodeBase64Url(new Uint8Array(encrypted)),
+            keyAlgorithm: WRAPPED_ITEM_KEY_ALGORITHM,
+            keyNonce: encodeBase64Url(nonce),
+            keyRecipientId: recipient.wrappingKey.keyId,
+        },
+    };
+}
+function buildWrappedItemKeyPayload({ contentKey, itemId, itemType, }) {
+    return {
+        schema: CONTENT_KEY_SCHEMA,
+        itemId,
+        itemType,
+        contentAlgorithm: contentKey.algorithm,
+        contentKey: contentKey.wrappedKey,
+        createdAt: new Date().toISOString(),
+        ...(contentKey.keyId ? { contentKeyId: contentKey.keyId } : {}),
+        ...(contentKey.nonce ? { contentNonce: contentKey.nonce } : {}),
+    };
+}
+function normalizeRecipient(recipient) {
+    const accountId = normalizeOptionalText(recipient.accountId) ?? '';
+    const userId = normalizeOptionalText(recipient.userId) ?? '';
+    const username = normalizeOptionalText(recipient.username)?.replace(/^@/, '') ?? '';
+    const wrappingKey = normalizeRecipientWrappingKey(recipient.wrappingKey);
+    if (!accountId && !userId && !username) {
+        throw new Error('Drive share recipient must include accountId, userId or username.');
+    }
+    return {
+        accountId,
+        userId,
+        username,
+        wrappingKey,
+    };
+}
+function normalizeRecipientWrappingKey(key) {
+    if (key.algorithm !== 'AES-256-GCM') {
+        throw new Error(`Unsupported Drive recipient wrapping key algorithm: ${key.algorithm}`);
+    }
+    return {
+        algorithm: key.algorithm,
+        keyId: normalizeRequiredText(key.keyId, 'Drive recipient wrapping key id is required.'),
+        rawKeyBase64: normalizeRequiredText(key.rawKeyBase64, 'Drive recipient wrapping key material is required.'),
+    };
+}
+function normalizeContentKey(contentKey) {
+    const algorithm = contentKey.algorithm?.trim() || 'AES-256-GCM';
+    if (algorithm !== 'AES-256-GCM') {
+        throw new Error(`Unsupported Drive item content key algorithm: ${algorithm}`);
+    }
+    return {
+        algorithm,
+        keyId: normalizeOptionalText(contentKey.keyId) ?? '',
+        nonce: normalizeOptionalText(contentKey.nonce) ?? '',
+        wrappedKey: normalizeRequiredText(contentKey.wrappedKey, 'Drive item content key is required.'),
+    };
+}
+async function importRecipientWrappingKey(key) {
+    const keyBytes = decodeBase64Url(key.rawKeyBase64);
+    if (keyBytes.byteLength !== AES_256_KEY_LENGTH) {
+        throw new Error('Drive recipient wrapping key must be 32 bytes for AES-256-GCM.');
+    }
+    return globalThis.crypto.subtle.importKey('raw', toArrayBuffer(keyBytes), {
+        name: 'AES-GCM',
+    }, false, ['encrypt']);
+}
+function buildWrappingAdditionalData({ itemId, itemType, recipientId, }) {
+    return new TextEncoder().encode(`${CONTENT_KEY_SCHEMA}:${itemType}:${itemId}:${recipientId}`);
+}
+function normalizeRequiredText(value, message) {
+    const normalized = normalizeOptionalText(value);
+    if (!normalized) {
+        throw new Error(message);
+    }
+    return normalized;
+}
+function normalizeOptionalText(value) {
+    const normalized = value?.trim();
+    return normalized ? normalized : undefined;
+}
+function decodeBase64Url(value) {
+    const normalized = value.trim().replace(/-/g, '+').replace(/_/g, '/');
+    const padded = normalized.padEnd(normalized.length + ((4 - (normalized.length % 4)) % 4), '=');
+    const decoded = globalThis.atob(padded);
+    const bytes = new Uint8Array(decoded.length);
+    for (let index = 0; index < decoded.length; index += 1) {
+        bytes[index] = decoded.charCodeAt(index);
+    }
+    return bytes;
+}
+function encodeBase64Url(bytes) {
+    let binary = '';
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return globalThis
+        .btoa(binary)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '');
+}
+function toArrayBuffer(bytes) {
+    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+}

package/dist/client/drive-sharing.contracts.d.ts

@@ -0,0 +1,64 @@
+export type DrivePermissionRole = 'editor' | 'owner' | 'viewer';
+export type DriveEditablePermissionRole = Exclude<DrivePermissionRole, 'owner'>;
+export type DriveVisibility = 'private' | 'shared';
+export type DriveItemType = 'file' | 'folder';
+export type DriveShareTargetType = 'user';
+export interface DriveShareTarget {
+    type: DriveShareTargetType;
+    userId?: string;
+    username?: string;
+}
+export interface DriveWrappedItemKey {
+    encryptedItemKey: string;
+    keyAlgorithm?: string;
+    keyNonce?: string;
+    keyRecipientId?: string;
+}
+export interface CreateDriveShareGrantInput {
+    role: DriveEditablePermissionRole;
+    target: DriveShareTarget;
+    wrappedItemKey: DriveWrappedItemKey;
+}
+export interface DriveShareGrantPayload {
+    encryptedItemKey: string;
+    keyAlgorithm?: string;
+    keyNonce?: string;
+    keyRecipientId?: string;
+    role: 'EDITOR' | 'VIEWER';
+    target: {
+        type: 'user';
+        userId?: string;
+        username?: string;
+    };
+}
+export interface DriveAccessPrincipal {
+    accountId: string;
+    avatarUrl: string | null;
+    displayName: string | null;
+    userId: string | null;
+    username: string | null;
+}
+export interface DriveAccessGrant {
+    createdAt: string;
+    encryptedItemKey: string;
+    fileId: string | null;
+    folderId: string | null;
+    grantee: DriveAccessPrincipal;
+    granteeAccountId: string;
+    id: string;
+    itemType: 'FILE' | 'FOLDER';
+    keyAlgorithm: string;
+    keyNonce: string | null;
+    keyRecipientId: string | null;
+    ownerAccountId: string;
+    role: 'EDITOR' | 'OWNER' | 'VIEWER';
+    updatedAt: string;
+}
+export interface DriveAccessResponse {
+    currentUserRole: 'EDITOR' | 'OWNER' | 'VIEWER';
+    grants: DriveAccessGrant[];
+    itemId: string;
+    itemType: 'FILE' | 'FOLDER';
+    owner: DriveAccessPrincipal;
+    visibility: 'PRIVATE' | 'SHARED';
+}

package/dist/client/drive-sharing.contracts.js

@@ -0,0 +1 @@
+export {};

package/dist/client/drive-sharing.d.ts

@@ -0,0 +1,5 @@
+import type { CreateDriveShareGrantInput, DriveEditablePermissionRole, DriveShareGrantPayload, DriveShareTarget, DriveWrappedItemKey } from './drive-sharing.contracts';
+export declare function createDriveShareGrantPayload(input: CreateDriveShareGrantInput): DriveShareGrantPayload;
+export declare function normalizeDriveShareTarget(target: DriveShareTarget): DriveShareGrantPayload['target'];
+export declare function normalizeWrappedItemKey(key: DriveWrappedItemKey): Omit<DriveShareGrantPayload, 'role' | 'target'>;
+export declare function toApiDrivePermissionRole(role: DriveEditablePermissionRole): DriveShareGrantPayload['role'];

package/dist/client/drive-sharing.js

@@ -0,0 +1,51 @@
+const DEFAULT_KEY_ALGORITHM = 'X25519-AES-256-GCM';
+export function createDriveShareGrantPayload(input) {
+    return {
+        ...normalizeWrappedItemKey(input.wrappedItemKey),
+        role: toApiDrivePermissionRole(input.role),
+        target: normalizeDriveShareTarget(input.target),
+    };
+}
+export function normalizeDriveShareTarget(target) {
+    if (target.type !== 'user') {
+        throw new Error('Drive sharing supports only selected users in v1.');
+    }
+    const userId = target.userId?.trim();
+    const username = target.username?.trim().replace(/^@/, '').toLowerCase();
+    if (!userId && !username) {
+        throw new Error('Drive share target must include userId or username.');
+    }
+    return {
+        type: 'user',
+        ...(userId ? { userId } : {}),
+        ...(username ? { username } : {}),
+    };
+}
+export function normalizeWrappedItemKey(key) {
+    const encryptedItemKey = key.encryptedItemKey.trim();
+    const keyAlgorithm = (key.keyAlgorithm?.trim() || DEFAULT_KEY_ALGORITHM).trim();
+    const keyNonce = key.keyNonce?.trim();
+    const keyRecipientId = key.keyRecipientId?.trim();
+    if (!encryptedItemKey) {
+        throw new Error('Drive share requires encrypted wrapped item key.');
+    }
+    if (!keyAlgorithm) {
+        throw new Error('Drive share key algorithm is required.');
+    }
+    return {
+        encryptedItemKey,
+        keyAlgorithm,
+        ...(keyNonce ? { keyNonce } : {}),
+        ...(keyRecipientId ? { keyRecipientId } : {}),
+    };
+}
+export function toApiDrivePermissionRole(role) {
+    switch (role) {
+        case 'editor':
+            return 'EDITOR';
+        case 'viewer':
+            return 'VIEWER';
+        default:
+            throw new Error('Drive owner role cannot be granted through sharing.');
+    }
+}

package/dist/client/index.d.ts

@@ -3,6 +3,10 @@ export * from './client-options';
 export * from './decryption-errors';
 export * from './drive-file-runtime';
 export * from './drive-file-runtime.contracts';
+export * from './drive-key-wrapping';
+export * from './drive-key-wrapping.contracts';
+export * from './drive-sharing';
+export * from './drive-sharing.contracts';
 export * from './local-crypto-health';
 export * from './local-crypto-health.contracts';
 export * from './media-crypto.contracts';

package/dist/client/index.js

@@ -3,6 +3,10 @@ export * from './client-options';
 export * from './decryption-errors';
 export * from './drive-file-runtime';
 export * from './drive-file-runtime.contracts';
+export * from './drive-key-wrapping';
+export * from './drive-key-wrapping.contracts';
+export * from './drive-sharing';
+export * from './drive-sharing.contracts';
 export * from './local-crypto-health';
 export * from './local-crypto-health.contracts';
 export * from './media-crypto.contracts';

package/dist/client/mss-link-browser-client.d.ts

@@ -4,6 +4,7 @@ import type { DecryptMediaBlobInput, DecryptedMediaBlobResult, EncryptedMediaBlo
 import type { SendMediaMessageParams } from './media-message.contracts';
 import type { DecryptedMessage } from './message.contracts';
 import type { DecryptDriveFileMetadataInput, DecryptDriveFolderMetadataInput, DecryptedDriveFileMetadata, DecryptedDriveFolderMetadata, EncryptedDriveFileMetadata, EncryptedDriveFolderMetadata, EncryptDriveFileMetadataInput, EncryptDriveFolderMetadataInput } from './storage-metadata-crypto.contracts';
+import type { CreateDriveWrappedItemKeyForRecipientInput, DriveWrappedItemKeyForRecipientResult } from './drive-key-wrapping.contracts';
 export declare class MssLinkBrowserClient {
     private readonly userId;
     private readonly apiBaseUrl;
@@ -34,6 +35,7 @@ export declare class MssLinkBrowserClient {
     decryptDriveFolderMetadata(input: DecryptDriveFolderMetadataInput): Promise<DecryptedDriveFolderMetadata>;
     encryptDriveFileMetadata(input: EncryptDriveFileMetadataInput): Promise<EncryptedDriveFileMetadata>;
     decryptDriveFileMetadata(input: DecryptDriveFileMetadataInput): Promise<DecryptedDriveFileMetadata>;
+    createDriveWrappedItemKeyForRecipient(input: CreateDriveWrappedItemKeyForRecipientInput): Promise<DriveWrappedItemKeyForRecipientResult>;
     syncMessages(): Promise<void>;
     getLocalMessages(chatId: string): Promise<DecryptedMessage[]>;
     reset(): void;

package/dist/client/mss-link-browser-client.js

@@ -4,6 +4,7 @@ import { checkLocalCryptoHealth } from './local-crypto-health';
 import { buildMediaMessageMetadataPayload, extractMediaAssetIds, serializeMediaMessageMetadata, } from './media-message-metadata';
 import { mapLocalSdkMessage } from './message.mapper';
 import { buildDecryptedDriveFileMetadata, buildDecryptedDriveFolderMetadata, buildEncryptedDriveFileMetadata, buildEncryptedDriveFolderMetadata, normalizeDriveFileMetadataInput, normalizeDriveFolderMetadataInput, normalizeEncryptedDriveFileMetadataInput, normalizeEncryptedDriveFolderMetadataInput, } from './storage-metadata-crypto';
+import { createDriveWrappedItemKeyForRecipient } from './drive-key-wrapping';
 import { WasmCallQueue } from './wasm-call-queue';
 const DEFAULT_DEVICE_ID = 1;
 const DEFAULT_REGISTRATION_ID = 1;
@@ -209,6 +210,9 @@ export class MssLinkBrowserClient {
             throw normalizeLocalCryptoError(error);
         }
     }
+    createDriveWrappedItemKeyForRecipient(input) {
+        return createDriveWrappedItemKeyForRecipient(input);
+    }
     async syncMessages() {
         try {
             await this.runWithClient((client) => client.syncMessages());

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@msssystems/mss-link-sdk",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "Official managed application SDK for MSS ecosystem",
   "type": "module",
   "main": "./dist/index.js",