@nexusts/crypto 0.7.0

package/README.md

@@ -0,0 +1,41 @@
+# @nexusts/crypto
+
+> **NexusTS** — Bun-native fullstack framework
+
+## Description
+
+AES-256-GCM encryption + HMAC + scrypt/argon2.
+
+Authenticated encryption, HMAC sign/unsign, password hashing. Internally used by session cookies and CSRF tokens.
+
+## Install
+
+This module is part of the NexusTS monorepo. Each module is published as its own npm package under the `@nexusts/` scope.
+
+Most apps start with just the core:
+
+```bash
+bun add @nexusts/core reflect-metadata zod hono
+```
+
+Then add this module only if you need it:
+
+```bash
+bun add @nexusts/crypto
+```
+
+## Peer dependencies
+
+None. This module is fully self-contained.
+
+## Usage
+
+```typescript
+import { /* public API */ } from "@nexusts/crypto";
+```
+
+See the [user guide](../../docs/user-guide/crypto.md) and the [example app](../../examples/) for a working demo.
+
+## License
+
+MIT — see the root [LICENSE](../../LICENSE).

package/dist/index.js

@@ -0,0 +1,457 @@
+// @bun
+var __create = Object.create;
+var __getProtoOf = Object.getPrototypeOf;
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __toESM = (mod, isNodeMode, target) => {
+  target = mod != null ? __create(__getProtoOf(mod)) : {};
+  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
+  for (let key of __getOwnPropNames(mod))
+    if (!__hasOwnProp.call(to, key))
+      __defProp(to, key, {
+        get: () => mod[key],
+        enumerable: true
+      });
+  return to;
+};
+var __legacyDecorateClassTS = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function")
+    r = Reflect.decorate(decorators, target, key, desc);
+  else
+    for (var i = decorators.length - 1;i >= 0; i--)
+      if (d = decorators[i])
+        r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __require = import.meta.require;
+
+// packages/crypto/src/encryption.ts
+import {
+  createCipheriv,
+  createDecipheriv,
+  createHmac,
+  hkdfSync,
+  randomBytes,
+  timingSafeEqual
+} from "crypto";
+var VERSION = "v1";
+var IV_BYTES = 12;
+var TAG_BYTES = 16;
+
+class EncryptionService {
+  aesKey;
+  hmacKey;
+  constructor(masterKey) {
+    const derived = deriveKeys(masterKey);
+    this.aesKey = derived.aes;
+    this.hmacKey = derived.hmac;
+  }
+  encrypt(value, options = {}) {
+    const iv = randomBytes(IV_BYTES);
+    const cipher = createCipheriv("aes-256-gcm", this.aesKey, iv);
+    const plaintext = Buffer.from(value, "utf8");
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    const expiry = encodeExpiry(options.expiresAt);
+    const purposeBuf = Buffer.from(options.purpose ?? "", "utf8");
+    const mac = this.macOver([VERSION, iv, tag, ciphertext, expiry, purposeBuf]);
+    return [
+      VERSION,
+      b64(iv),
+      b64(tag),
+      b64(ciphertext),
+      b64(expiry),
+      b64(purposeBuf),
+      b64(mac)
+    ].join(".");
+  }
+  decrypt(payload) {
+    const parsed = parseV1(payload);
+    if (!parsed)
+      throw new Error("Encrypted payload is malformed");
+    const expectedMac = this.macOver([
+      VERSION,
+      parsed.iv,
+      parsed.tag,
+      parsed.ciphertext,
+      parsed.expiry,
+      parsed.purpose
+    ]);
+    if (!constantTimeEqual(expectedMac, parsed.mac)) {
+      throw new Error("Encrypted payload failed integrity check");
+    }
+    if (parsed.expiry.length > 0) {
+      const expiryMs = parseExpiry(parsed.expiry.toString("utf8"));
+      if (expiryMs > 0 && Date.now() > expiryMs) {
+        throw new Error("Encrypted payload has expired");
+      }
+    }
+    const decipher = createDecipheriv("aes-256-gcm", this.aesKey, parsed.iv);
+    decipher.setAuthTag(parsed.tag);
+    const plaintext = Buffer.concat([
+      decipher.update(parsed.ciphertext),
+      decipher.final()
+    ]);
+    return plaintext.toString("utf8");
+  }
+  isEncrypted(value) {
+    if (typeof value !== "string")
+      return false;
+    return value.startsWith(VERSION + ".");
+  }
+  sign(value, purpose = "") {
+    const mac = createHmac("sha256", this.hmacKey).update(purpose).update("|").update(value).digest();
+    return `${b64(Buffer.from(value, "utf8"))}.${b64(mac)}`;
+  }
+  signRaw(value, purpose = "") {
+    const mac = createHmac("sha256", this.hmacKey).update(purpose).update("|").update(value).digest();
+    return b64(mac);
+  }
+  verifyRaw(value, signature, purpose = "") {
+    const expected = createHmac("sha256", this.hmacKey).update(purpose).update("|").update(value).digest();
+    const given = fromB64(signature);
+    if (!given)
+      return false;
+    return constantTimeEqual(given, expected);
+  }
+  unsign(signed, purpose = "") {
+    const dot = signed.lastIndexOf(".");
+    if (dot < 1 || dot === signed.length - 1)
+      return null;
+    const valueB64 = signed.slice(0, dot);
+    const macB64 = signed.slice(dot + 1);
+    const value = fromB64(valueB64);
+    const mac = fromB64(macB64);
+    if (!value || !mac)
+      return null;
+    const expected = createHmac("sha256", this.hmacKey).update(purpose).update("|").update(value).digest();
+    if (!constantTimeEqual(mac, expected))
+      return null;
+    return value.toString("utf8");
+  }
+  macOver(parts) {
+    const h = createHmac("sha256", this.hmacKey);
+    for (const p of parts) {
+      h.update("|");
+      h.update(p);
+    }
+    return h.digest();
+  }
+}
+function b64(buf) {
+  return buf.toString("base64url");
+}
+function fromB64(s) {
+  try {
+    return Buffer.from(s, "base64url");
+  } catch {
+    return null;
+  }
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length)
+    return false;
+  return timingSafeEqual(a, b);
+}
+function encodeExpiry(expiresAt) {
+  if (expiresAt === undefined)
+    return Buffer.alloc(0);
+  let ms;
+  if (typeof expiresAt === "number") {
+    ms = expiresAt > 1000000000000 ? expiresAt : Date.now() + expiresAt * 1000;
+  } else if (typeof expiresAt === "string") {
+    const asNum = Number(expiresAt);
+    if (!isNaN(asNum) && asNum > 0) {
+      ms = asNum > 1000000000000 ? asNum : Date.now() + asNum * 1000;
+    } else {
+      ms = Date.parse(expiresAt);
+    }
+  } else {
+    ms = expiresAt.getTime();
+  }
+  if (!isFinite(ms))
+    return Buffer.alloc(0);
+  return Buffer.from(String(ms), "utf8");
+}
+function parseExpiry(s) {
+  const n = Number(s);
+  return isFinite(n) ? n : 0;
+}
+function parseV1(s) {
+  if (typeof s !== "string" || !s.startsWith(VERSION + "."))
+    return null;
+  const parts = s.split(".");
+  if (parts.length !== 7)
+    return null;
+  const [, ivB64, tagB64, ctB64, expB64, purposeB64, macB64] = parts;
+  const iv = fromB64(ivB64);
+  const tag = fromB64(tagB64);
+  const ct = fromB64(ctB64);
+  const exp = fromB64(expB64);
+  const purpose = fromB64(purposeB64);
+  const mac = fromB64(macB64);
+  if (!iv || !tag || !ct || !exp || !purpose || !mac)
+    return null;
+  if (iv.length !== IV_BYTES)
+    return null;
+  if (tag.length !== TAG_BYTES)
+    return null;
+  return { iv, tag, ciphertext: ct, expiry: exp, purpose, mac };
+}
+function deriveKeys(masterKey) {
+  let input;
+  try {
+    const decoded = Buffer.from(masterKey, "base64");
+    if (decoded.length >= 32 && masterKey.length % 4 === 0) {
+      input = decoded;
+    } else {
+      input = Buffer.from(masterKey, "utf8");
+    }
+  } catch {
+    input = Buffer.from(masterKey, "utf8");
+  }
+  const ikm = input.length < 32 ? padKey(input) : input;
+  const out = hkdfSync("sha256", ikm, Buffer.alloc(0), "nexus:crypto:v1", 64);
+  const outBuf = Buffer.from(out);
+  return {
+    aes: Buffer.from(outBuf.subarray(0, 32)),
+    hmac: Buffer.from(outBuf.subarray(32, 64))
+  };
+}
+function padKey(input) {
+  const hash = createHmac("sha256", "nexus:crypto:pad").update(input).digest();
+  const out = Buffer.alloc(32);
+  input.copy(out, 0, 0, Math.min(input.length, 32));
+  hash.copy(out, input.length < 32 ? input.length : 0, 0, 32 - Math.min(input.length, 32));
+  return out;
+}
+// packages/crypto/src/hash.ts
+import { scrypt as scryptCb, randomBytes as randomBytes2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+function scrypt(password, salt, keylen, options) {
+  return new Promise((resolve, reject) => {
+    scryptCb(password, salt, keylen, options, (err, derived) => {
+      if (err)
+        reject(err);
+      else
+        resolve(derived);
+    });
+  });
+}
+var PREFIX_SCRYPT = "$scrypt$";
+var PREFIX_ARGON2 = "$argon2";
+
+class HashService {
+  algorithm;
+  scryptCost;
+  scryptBlockSize;
+  scryptParallelization;
+  scryptKeyLength;
+  argon2MemoryCost;
+  argon2TimeCost;
+  argon2Parallelism;
+  constructor(config = {}) {
+    this.algorithm = config.algorithm ?? "scrypt";
+    this.scryptCost = config.scryptCost ?? 16384;
+    this.scryptBlockSize = config.scryptBlockSize ?? 8;
+    this.scryptParallelization = config.scryptParallelization ?? 1;
+    this.scryptKeyLength = config.scryptKeyLength ?? 64;
+    this.argon2MemoryCost = config.argon2MemoryCost ?? 65536;
+    this.argon2TimeCost = config.argon2TimeCost ?? 3;
+    this.argon2Parallelism = config.argon2Parallelism ?? 4;
+  }
+  async hash(password, options = {}) {
+    const algo = options.algorithm ?? this.algorithm;
+    if (algo === "scrypt")
+      return this.hashScrypt(password);
+    if (algo === "argon2")
+      return this.hashArgon2(password);
+    throw new Error(`Unknown hash algorithm: ${algo}`);
+  }
+  async verify(hashed, password) {
+    if (typeof hashed !== "string" || hashed.length === 0)
+      return false;
+    if (hashed.startsWith(PREFIX_SCRYPT))
+      return this.verifyScrypt(hashed, password);
+    if (hashed.startsWith(PREFIX_ARGON2))
+      return this.verifyArgon2(hashed, password);
+    return false;
+  }
+  needsRehash(hashed) {
+    if (typeof hashed !== "string" || !hashed.startsWith(PREFIX_SCRYPT)) {
+      return true;
+    }
+    const params = parseScryptParams(hashed);
+    if (!params)
+      return true;
+    if (params.N < this.scryptCost)
+      return true;
+    if (params.r < this.scryptBlockSize)
+      return true;
+    if (params.p < this.scryptParallelization)
+      return true;
+    if (params.keyLen < this.scryptKeyLength)
+      return true;
+    return false;
+  }
+  async hashScrypt(password) {
+    const salt = randomBytes2(16);
+    const derived = await scrypt(password, salt, this.scryptKeyLength, {
+      N: this.scryptCost,
+      r: this.scryptBlockSize,
+      p: this.scryptParallelization,
+      maxmem: 256 * 1024 * 1024
+    });
+    return [
+      PREFIX_SCRYPT,
+      `N=${this.scryptCost},r=${this.scryptBlockSize},p=${this.scryptParallelization},keyLen=${this.scryptKeyLength}`,
+      `$${salt.toString("base64url")}`,
+      `$${derived.toString("base64url")}`
+    ].join("");
+  }
+  async verifyScrypt(hashed, password) {
+    const params = parseScryptParams(hashed);
+    if (!params)
+      return false;
+    const [, , , saltB64, hashB64] = hashed.split("$");
+    if (!saltB64 || !hashB64)
+      return false;
+    const salt = Buffer.from(saltB64, "base64url");
+    const expected = Buffer.from(hashB64, "base64url");
+    const derived = await scrypt(password, salt, expected.length, {
+      N: params.N,
+      r: params.r,
+      p: params.p,
+      maxmem: 256 * 1024 * 1024
+    });
+    if (derived.length !== expected.length)
+      return false;
+    return timingSafeEqual2(derived, expected);
+  }
+  async hashArgon2(password) {
+    const mod = await loadArgon2();
+    const hash = await mod.hash(password, {
+      memoryCost: this.argon2MemoryCost,
+      timeCost: this.argon2TimeCost,
+      parallelism: this.argon2Parallelism
+    });
+    return hash;
+  }
+  async verifyArgon2(hashed, password) {
+    const mod = await loadArgon2();
+    try {
+      return await mod.verify(hashed, password);
+    } catch {
+      return false;
+    }
+  }
+}
+function parseScryptParams(hashed) {
+  const parts = hashed.split("$");
+  if (parts.length !== 5)
+    return null;
+  const paramsPart = parts[2];
+  if (!paramsPart)
+    return null;
+  const m = {};
+  for (const kv of paramsPart.split(",")) {
+    const [k, v] = kv.split("=");
+    if (k && v)
+      m[k] = Number(v);
+  }
+  if (!m.N || !m.r || !m.p || !m.keyLen)
+    return null;
+  return { N: m.N, r: m.r, p: m.p, keyLen: m.keyLen };
+}
+var _argon2;
+async function loadArgon2() {
+  if (_argon2 !== undefined) {
+    if (_argon2 === null) {
+      throw new Error("argon2 is not installed. Install with: bun add @node-rs/argon2");
+    }
+    return _argon2;
+  }
+  try {
+    const mod = await import("@node-rs/argon2");
+    _argon2 = mod.default ?? mod;
+    if (!_argon2)
+      throw new Error("invalid argon2 module");
+    return _argon2;
+  } catch {
+    _argon2 = null;
+    throw new Error("argon2 is not installed. Install with: bun add @node-rs/argon2");
+  }
+}
+// packages/crypto/src/module.ts
+import { Module } from "@nexusts/core/decorators/module.js";
+var ENCRYPTION_SERVICE_TOKEN = Symbol.for("nexus:EncryptionService");
+var HASH_SERVICE_TOKEN = Symbol.for("nexus:HashService");
+
+class CryptoModule {
+  static forRoot(config = { key: "" }) {
+    const fullEncryptionConfig = {
+      key: config.key,
+      algorithm: config.algorithm ?? "aes-256-gcm",
+      defaultExpiresIn: config.defaultExpiresIn
+    };
+    const fullHashConfig = config.hash ?? {};
+
+    class ConfiguredCryptoModule {
+    }
+    ConfiguredCryptoModule = __legacyDecorateClassTS([
+      Module({
+        providers: [
+          { provide: "ENCRYPTION_CONFIG", useValue: fullEncryptionConfig },
+          { provide: "HASH_CONFIG", useValue: fullHashConfig },
+          {
+            provide: EncryptionService,
+            useFactory: () => new EncryptionService(fullEncryptionConfig.key)
+          },
+          {
+            provide: HashService,
+            useFactory: () => new HashService(fullHashConfig)
+          },
+          { provide: ENCRYPTION_SERVICE_TOKEN, useExisting: EncryptionService },
+          { provide: HASH_SERVICE_TOKEN, useExisting: HashService }
+        ],
+        exports: [
+          EncryptionService,
+          HashService,
+          ENCRYPTION_SERVICE_TOKEN,
+          HASH_SERVICE_TOKEN
+        ]
+      })
+    ], ConfiguredCryptoModule);
+    Object.defineProperty(ConfiguredCryptoModule, "name", {
+      value: "ConfiguredCryptoModule"
+    });
+    return ConfiguredCryptoModule;
+  }
+}
+CryptoModule = __legacyDecorateClassTS([
+  Module({
+    providers: [
+      EncryptionService,
+      HashService,
+      { provide: ENCRYPTION_SERVICE_TOKEN, useExisting: EncryptionService },
+      { provide: HASH_SERVICE_TOKEN, useExisting: HashService }
+    ],
+    exports: [
+      EncryptionService,
+      HashService,
+      ENCRYPTION_SERVICE_TOKEN,
+      HASH_SERVICE_TOKEN
+    ]
+  })
+], CryptoModule);
+export {
+  HashService,
+  HASH_SERVICE_TOKEN,
+  EncryptionService,
+  ENCRYPTION_SERVICE_TOKEN,
+  CryptoModule
+};
+
+//# debugId=68D8BB427FD50CFB64756E2164756E21
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,12 @@
+{
+  "version": 3,
+  "sources": ["../src/encryption.ts", "../src/hash.ts", "../src/module.ts"],
+  "sourcesContent": [
+    "/**\n * `EncryptionService` — AES-256-GCM symmetric encryption + HMAC\n * sign/unsign helpers.\n *\n * Use cases:\n * - **Encrypt** sensitive data before storing it (e.g. session\n *   blobs in cookies or DB).\n * - **Sign** stateless values that need to be tamper-proof (e.g.\n *   session IDs, CSRF tokens, password-reset links, signed URLs).\n *\n * The service derives two 32-byte keys from the user's master\n * `key` config: one for AES-GCM, one for HMAC. The keys are\n * distinct (HKDF-SHA256 with a per-purpose salt) so a leak of one\n * doesn't compromise the other.\n *\n * Encrypted format (v1):\n *   `v1.<base64url(iv)>.<base64url(tag)>.<base64url(ciphertext)>`\n *   where `iv` is 12 bytes and `tag` is 16 bytes (GCM auth tag).\n *\n * Signed format:\n *   `<base64url(value)>.<base64url(hmac)>`\n */\n\nimport {\n\tcreateCipheriv,\n\tcreateDecipheriv,\n\tcreateHmac,\n\thkdfSync,\n\trandomBytes,\n\ttimingSafeEqual,\n} from \"node:crypto\";\nimport type { EncryptedValue, EncryptOptions, SignedValue } from \"./types.js\";\n\nconst VERSION = \"v1\";\nconst IV_BYTES = 12;\nconst TAG_BYTES = 16;\n\nexport class EncryptionService {\n\tprivate readonly aesKey: Buffer;\n\tprivate readonly hmacKey: Buffer;\n\n\tconstructor(masterKey: string) {\n\t\tconst derived = deriveKeys(masterKey);\n\t\tthis.aesKey = derived.aes;\n\t\tthis.hmacKey = derived.hmac;\n\t}\n\n\t/* ---------------- encrypt / decrypt ---------------- */\n\n\t/**\n\t * Encrypt a string. The output is self-describing and includes\n\t * the IV, auth tag, expiry, and purpose (if any) in the MAC.\n\t *\n\t * Format: `v1.<iv>.<tag>.<ciphertext>.<mac>`\n\t */\n\tencrypt(value: string, options: EncryptOptions = {}): EncryptedValue {\n\t\tconst iv = randomBytes(IV_BYTES);\n\t\tconst cipher = createCipheriv(\"aes-256-gcm\", this.aesKey, iv);\n\t\tconst plaintext = Buffer.from(value, \"utf8\");\n\t\tconst ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);\n\t\tconst tag = cipher.getAuthTag();\n\n\t\tconst expiry = encodeExpiry(options.expiresAt);\n\t\tconst purposeBuf = Buffer.from(options.purpose ?? \"\", \"utf8\");\n\t\tconst mac = this.macOver([VERSION, iv, tag, ciphertext, expiry, purposeBuf]);\n\n\t\treturn [\n\t\t\tVERSION,\n\t\t\tb64(iv),\n\t\t\tb64(tag),\n\t\t\tb64(ciphertext),\n\t\t\tb64(expiry),\n\t\t\tb64(purposeBuf),\n\t\t\tb64(mac),\n\t\t].join(\".\");\n\t}\n\n\t/**\n\t * Decrypt a value previously produced by `encrypt()`. Throws\n\t * if the value is malformed, the MAC doesn't match, the\n\t * purpose doesn't match, or the expiry has passed.\n\t */\n\tdecrypt<T = string>(payload: string): T {\n\t\tconst parsed = parseV1(payload);\n\t\tif (!parsed) throw new Error(\"Encrypted payload is malformed\");\n\n\t\t// Verify MAC over the canonical (VERSION, IV, tag, ct, expiry, purpose) tuple.\n\t\tconst expectedMac = this.macOver([\n\t\t\tVERSION,\n\t\t\tparsed.iv,\n\t\t\tparsed.tag,\n\t\t\tparsed.ciphertext,\n\t\t\tparsed.expiry,\n\t\t\tparsed.purpose,\n\t\t]);\n\t\tif (!constantTimeEqual(expectedMac, parsed.mac)) {\n\t\t\tthrow new Error(\"Encrypted payload failed integrity check\");\n\t\t}\n\n\t\t// Check expiry.\n\t\tif (parsed.expiry.length > 0) {\n\t\t\tconst expiryMs = parseExpiry(parsed.expiry.toString(\"utf8\"));\n\t\t\tif (expiryMs > 0 && Date.now() > expiryMs) {\n\t\t\t\tthrow new Error(\"Encrypted payload has expired\");\n\t\t\t}\n\t\t}\n\n\t\tconst decipher = createDecipheriv(\"aes-256-gcm\", this.aesKey, parsed.iv);\n\t\tdecipher.setAuthTag(parsed.tag);\n\t\tconst plaintext = Buffer.concat([\n\t\t\tdecipher.update(parsed.ciphertext),\n\t\t\tdecipher.final(),\n\t\t]);\n\t\treturn plaintext.toString(\"utf8\") as unknown as T;\n\t}\n\n\t/** True if the string was produced by `encrypt()`. */\n\tisEncrypted(value: string): boolean {\n\t\tif (typeof value !== \"string\") return false;\n\t\treturn value.startsWith(VERSION + \".\");\n\t}\n\n\t/* ---------------- HMAC sign / unsign ---------------- */\n\n\t/**\n\t * Sign a string with the framework's HMAC key. The output is\n\t * `<base64url(value)>.<base64url(hmac)>`.\n\t *\n\t * Useful for stateless session cookies, CSRF tokens, etc.\n\t */\n\tsign(value: string, purpose = \"\"): SignedValue {\n\t\tconst mac = createHmac(\"sha256\", this.hmacKey)\n\t\t\t.update(purpose)\n\t\t\t.update(\"|\")\n\t\t\t.update(value)\n\t\t\t.digest();\n\t\treturn `${b64(Buffer.from(value, \"utf8\"))}.${b64(mac)}`;\n\t}\n\n\t/**\n\t * Sign a pre-encoded value (no extra b64-encoding). The output\n\t * is just the base64url MAC. Useful for cookie / token formats\n\t * where the value is already b64-encoded.\n\t *\n\t * The caller is responsible for joining the value and signature.\n\t */\n\tsignRaw(value: string, purpose = \"\"): string {\n\t\tconst mac = createHmac(\"sha256\", this.hmacKey)\n\t\t\t.update(purpose)\n\t\t\t.update(\"|\")\n\t\t\t.update(value)\n\t\t\t.digest();\n\t\treturn b64(mac);\n\t}\n\n\t/**\n\t * Verify a raw signature (from `signRaw`) against a pre-encoded\n\t * value. Returns `true` on match, `false` otherwise.\n\t */\n\tverifyRaw(value: string, signature: string, purpose = \"\"): boolean {\n\t\tconst expected = createHmac(\"sha256\", this.hmacKey)\n\t\t\t.update(purpose)\n\t\t\t.update(\"|\")\n\t\t\t.update(value)\n\t\t\t.digest();\n\t\tconst given = fromB64(signature);\n\t\tif (!given) return false;\n\t\treturn constantTimeEqual(given, expected);\n\t}\n\n\t/**\n\t * Verify and extract a previously signed value. Returns the\n\t * original value on success, `null` on failure (malformed,\n\t * wrong purpose, MAC mismatch).\n\t */\n\tunsign(signed: string, purpose = \"\"): string | null {\n\t\tconst dot = signed.lastIndexOf(\".\");\n\t\tif (dot < 1 || dot === signed.length - 1) return null;\n\t\tconst valueB64 = signed.slice(0, dot);\n\t\tconst macB64 = signed.slice(dot + 1);\n\t\tconst value = fromB64(valueB64);\n\t\tconst mac = fromB64(macB64);\n\t\tif (!value || !mac) return null;\n\t\tconst expected = createHmac(\"sha256\", this.hmacKey)\n\t\t\t.update(purpose)\n\t\t\t.update(\"|\")\n\t\t\t.update(value)\n\t\t\t.digest();\n\t\tif (!constantTimeEqual(mac, expected)) return null;\n\t\treturn value.toString(\"utf8\");\n\t}\n\n\t/* ---------------- internals ---------------- */\n\n\tprivate macOver(parts: Array<Buffer | string>): Buffer {\n\t\tconst h = createHmac(\"sha256\", this.hmacKey);\n\t\tfor (const p of parts) {\n\t\t\th.update(\"|\");\n\t\t\th.update(p as Buffer);\n\t\t}\n\t\treturn h.digest();\n\t}\n}\n\n/* ------------------------------------------------------------------ *\n * Helpers\n * ------------------------------------------------------------------ */\n\nfunction b64(buf: Buffer): string {\n\treturn buf.toString(\"base64url\");\n}\n\nfunction fromB64(s: string): Buffer | null {\n\ttry {\n\t\treturn Buffer.from(s, \"base64url\");\n\t} catch {\n\t\treturn null;\n\t}\n}\n\nfunction constantTimeEqual(a: Buffer, b: Buffer): boolean {\n\tif (a.length !== b.length) return false;\n\treturn timingSafeEqual(a, b);\n}\n\nfunction encodeExpiry(expiresAt: number | string | Date | undefined): Buffer {\n\tif (expiresAt === undefined) return Buffer.alloc(0);\n\tlet ms: number;\n\tif (typeof expiresAt === \"number\") {\n\t\tms = expiresAt > 1e12 ? expiresAt : Date.now() + expiresAt * 1000;\n\t} else if (typeof expiresAt === \"string\") {\n\t\t// Numeric string = seconds from now\n\t\tconst asNum = Number(expiresAt);\n\t\tif (!isNaN(asNum) && asNum > 0) {\n\t\t\tms = asNum > 1e12 ? asNum : Date.now() + asNum * 1000;\n\t\t} else {\n\t\t\tms = Date.parse(expiresAt);\n\t\t}\n\t} else {\n\t\tms = expiresAt.getTime();\n\t}\n\tif (!isFinite(ms)) return Buffer.alloc(0);\n\treturn Buffer.from(String(ms), \"utf8\");\n}\n\nfunction parseExpiry(s: string): number {\n\tconst n = Number(s);\n\treturn isFinite(n) ? n : 0;\n}\n\ninterface ParsedV1 {\n\tiv: Buffer;\n\ttag: Buffer;\n\tciphertext: Buffer;\n\texpiry: Buffer;\n\tpurpose: Buffer;\n\tmac: Buffer;\n}\n\nfunction parseV1(s: string): ParsedV1 | null {\n\tif (typeof s !== \"string\" || !s.startsWith(VERSION + \".\")) return null;\n\tconst parts = s.split(\".\");\n\t// v1, iv, tag, ct, expiry, purpose, mac = 7 parts\n\tif (parts.length !== 7) return null;\n\tconst [, ivB64, tagB64, ctB64, expB64, purposeB64, macB64] = parts;\n\tconst iv = fromB64(ivB64);\n\tconst tag = fromB64(tagB64);\n\tconst ct = fromB64(ctB64);\n\tconst exp = fromB64(expB64);\n\tconst purpose = fromB64(purposeB64);\n\tconst mac = fromB64(macB64);\n\tif (!iv || !tag || !ct || !exp || !purpose || !mac) return null;\n\tif (iv.length !== IV_BYTES) return null;\n\tif (tag.length !== TAG_BYTES) return null;\n\treturn { iv, tag, ciphertext: ct, expiry: exp, purpose, mac };\n}\n\n/* ------------------------------------------------------------------ *\n * Key derivation — HKDF-SHA256, two sub-keys\n * ------------------------------------------------------------------ */\n\nfunction deriveKeys(masterKey: string): { aes: Buffer; hmac: Buffer } {\n\t// Convert the master to bytes. We accept any string; if it\n\t// happens to be base64 and is at least 32 bytes, decode it.\n\tlet input: Buffer;\n\ttry {\n\t\tconst decoded = Buffer.from(masterKey, \"base64\");\n\t\tif (\n\t\t\tdecoded.length >= 32 &&\n\t\t\t// The \"decoded\" path is valid only if the string is\n\t\t\t// actually base64 (would be a real try/catch).\n\t\t\tmasterKey.length % 4 === 0\n\t\t) {\n\t\t\tinput = decoded;\n\t\t} else {\n\t\t\tinput = Buffer.from(masterKey, \"utf8\");\n\t\t}\n\t} catch {\n\t\tinput = Buffer.from(masterKey, \"utf8\");\n\t}\n\n\tconst ikm = input.length < 32 ? padKey(input) : input;\n\tconst out = hkdfSync(\"sha256\", ikm, Buffer.alloc(0), \"nexus:crypto:v1\", 64);\n\tconst outBuf = Buffer.from(out);\n\treturn {\n\t\taes: Buffer.from(outBuf.subarray(0, 32)),\n\t\thmac: Buffer.from(outBuf.subarray(32, 64)),\n\t};\n}\n\nfunction padKey(input: Buffer): Buffer {\n\t// Pad to 32 bytes by appending SHA-256 of the key (so the\n\t// result is deterministic and at least 32 bytes long).\n\tconst hash = createHmac(\"sha256\", \"nexus:crypto:pad\").update(input).digest();\n\tconst out = Buffer.alloc(32);\n\tinput.copy(out, 0, 0, Math.min(input.length, 32));\n\thash.copy(out, input.length < 32 ? input.length : 0, 0, 32 - Math.min(input.length, 32));\n\treturn out;\n}\n",
+    "/**\n * `HashService` — secure password hashing.\n *\n * Algorithms:\n * - `scrypt` (default) — built into Node, no extra deps. Memory-\n *   hard and CPU-hard. Recommended for new apps.\n * - `argon2` (optional) — the @node-rs/argon2 package is the\n *   reference implementation. Install it as a peer dep:\n *\n *     bun add @node-rs/argon2\n *\n *   When installed, the service auto-detects it.\n *\n * Output format (scrypt): a base64 string with the cost parameters\n * encoded: `$scrypt$N=16384,r=8,p=1$<saltB64>$<hashB64>`.\n * This is similar to the well-known `passlib` / PHC format and\n * lets us verify hashes that were generated with different\n * parameters.\n */\n\nimport { scrypt as scryptCb, randomBytes, timingSafeEqual } from \"node:crypto\";\n\n// scrypt's callback signature is (err, derivedKey) but it takes\n// (password, salt, keylen, options) before the callback, so we\n// can't use util.promisify directly. Wrap manually.\nfunction scrypt(\n\tpassword: string | Buffer,\n\tsalt: Buffer,\n\tkeylen: number,\n\toptions: { N: number; r: number; p: number; maxmem?: number },\n): Promise<Buffer> {\n\treturn new Promise((resolve, reject) => {\n\t\tscryptCb(password, salt, keylen, options, (err, derived) => {\n\t\t\tif (err) reject(err);\n\t\t\telse resolve(derived);\n\t\t});\n\t});\n}\nimport type { HashConfig, HashOptions, HashedPassword } from \"./types.js\";\n\nconst PREFIX_SCRYPT = \"$scrypt$\";\nconst PREFIX_ARGON2 = \"$argon2\";\n\nexport class HashService {\n\treadonly algorithm: \"scrypt\" | \"argon2\";\n\tprivate readonly scryptCost: number;\n\tprivate readonly scryptBlockSize: number;\n\tprivate readonly scryptParallelization: number;\n\tprivate readonly scryptKeyLength: number;\n\tprivate readonly argon2MemoryCost: number;\n\tprivate readonly argon2TimeCost: number;\n\tprivate readonly argon2Parallelism: number;\n\n\tconstructor(config: HashConfig = {}) {\n\t\tthis.algorithm = config.algorithm ?? \"scrypt\";\n\t\tthis.scryptCost = config.scryptCost ?? 16384;\n\t\tthis.scryptBlockSize = config.scryptBlockSize ?? 8;\n\t\tthis.scryptParallelization = config.scryptParallelization ?? 1;\n\t\tthis.scryptKeyLength = config.scryptKeyLength ?? 64;\n\t\tthis.argon2MemoryCost = config.argon2MemoryCost ?? 65536;\n\t\tthis.argon2TimeCost = config.argon2TimeCost ?? 3;\n\t\tthis.argon2Parallelism = config.argon2Parallelism ?? 4;\n\t}\n\n\t/**\n\t * Hash a password. Returns a self-describing string that\n\t * includes the algorithm and cost parameters.\n\t */\n\tasync hash(password: string, options: HashOptions = {}): Promise<HashedPassword> {\n\t\tconst algo = options.algorithm ?? this.algorithm;\n\t\tif (algo === \"scrypt\") return this.hashScrypt(password);\n\t\tif (algo === \"argon2\") return this.hashArgon2(password);\n\t\tthrow new Error(`Unknown hash algorithm: ${algo}`);\n\t}\n\n\t/**\n\t * Verify a password against a previously generated hash.\n\t * Returns `true` on match, `false` otherwise.\n\t */\n\tasync verify(hashed: HashedPassword, password: string): Promise<boolean> {\n\t\tif (typeof hashed !== \"string\" || hashed.length === 0) return false;\n\t\tif (hashed.startsWith(PREFIX_SCRYPT)) return this.verifyScrypt(hashed, password);\n\t\tif (hashed.startsWith(PREFIX_ARGON2)) return this.verifyArgon2(hashed, password);\n\t\t// Unknown format — try scrypt with default params for backward-compat\n\t\t// (e.g. raw SHA-256 / bcrypt / etc. — caller should migrate).\n\t\treturn false;\n\t}\n\n\t/**\n\t * True if a hash was generated with parameters that are below\n\t * the current security floor. The caller should re-hash and\n\t * update the stored value.\n\t */\n\tneedsRehash(hashed: HashedPassword): boolean {\n\t\tif (typeof hashed !== \"string\" || !hashed.startsWith(PREFIX_SCRYPT)) {\n\t\t\t// Foreign hash format — always re-hash to bring in the\n\t\t\t// canonical scrypt format.\n\t\t\treturn true;\n\t\t}\n\t\tconst params = parseScryptParams(hashed);\n\t\tif (!params) return true;\n\t\tif (params.N < this.scryptCost) return true;\n\t\tif (params.r < this.scryptBlockSize) return true;\n\t\tif (params.p < this.scryptParallelization) return true;\n\t\tif (params.keyLen < this.scryptKeyLength) return true;\n\t\treturn false;\n\t}\n\n\t/* ---------------- scrypt ---------------- */\n\n\tprivate async hashScrypt(password: string): Promise<string> {\n\t\tconst salt = randomBytes(16);\n\t\tconst derived = (await scrypt(password, salt, this.scryptKeyLength, {\n\t\t\tN: this.scryptCost,\n\t\t\tr: this.scryptBlockSize,\n\t\t\tp: this.scryptParallelization,\n\t\t\tmaxmem: 256 * 1024 * 1024,\n\t\t})) as Buffer;\n\t\treturn [\n\t\t\tPREFIX_SCRYPT,\n\t\t\t`N=${this.scryptCost},r=${this.scryptBlockSize},p=${this.scryptParallelization},keyLen=${this.scryptKeyLength}`,\n\t\t\t`$${salt.toString(\"base64url\")}`,\n\t\t\t`$${derived.toString(\"base64url\")}`,\n\t\t].join(\"\");\n\t}\n\n\tprivate async verifyScrypt(hashed: string, password: string): Promise<boolean> {\n\t\tconst params = parseScryptParams(hashed);\n\t\tif (!params) return false;\n\t\t// Format: \\\\ (split by \\$ gives 5 parts)\n\t\tconst [, , , saltB64, hashB64] = hashed.split(\"$\");\n\t\tif (!saltB64 || !hashB64) return false;\n\t\tconst salt = Buffer.from(saltB64, \"base64url\");\n\t\tconst expected = Buffer.from(hashB64, \"base64url\");\n\t\tconst derived = (await scrypt(password, salt, expected.length, {\n\t\t\tN: params.N,\n\t\t\tr: params.r,\n\t\t\tp: params.p,\n\t\t\tmaxmem: 256 * 1024 * 1024,\n\t\t})) as Buffer;\n\t\tif (derived.length !== expected.length) return false;\n\t\treturn timingSafeEqual(derived, expected);\n\t}\n\n\t/* ---------------- argon2 ---------------- */\n\n\tprivate async hashArgon2(password: string): Promise<string> {\n\t\tconst mod = await loadArgon2();\n\t\tconst hash = await mod.hash(password, {\n\t\t\tmemoryCost: this.argon2MemoryCost,\n\t\t\ttimeCost: this.argon2TimeCost,\n\t\t\tparallelism: this.argon2Parallelism,\n\t\t});\n\t\treturn hash; // argon2 already returns a self-describing string\n\t}\n\n\tprivate async verifyArgon2(hashed: string, password: string): Promise<boolean> {\n\t\tconst mod = await loadArgon2();\n\t\ttry {\n\t\t\treturn await mod.verify(hashed, password);\n\t\t} catch {\n\t\t\treturn false;\n\t\t}\n\t}\n}\n\n/* ------------------------------------------------------------------ *\n * Parsing\n * ------------------------------------------------------------------ */\n\nfunction parseScryptParams(hashed: string): {\n\tN: number;\n\tr: number;\n\tp: number;\n\tkeyLen: number;\n} | null {\n\t// $scrypt$N=16384,r=8,p=1,keyLen=64$<salt>$<hash>\n\tconst parts = hashed.split(\"$\");\n\tif (parts.length !== 5) return null;\n\tconst paramsPart = parts[2];\n\tif (!paramsPart) return null;\n\tconst m: Record<string, number> = {};\n\tfor (const kv of paramsPart.split(\",\")) {\n\t\tconst [k, v] = kv.split(\"=\");\n\t\tif (k && v) m[k] = Number(v);\n\t}\n\tif (!m.N || !m.r || !m.p || !m.keyLen) return null;\n\treturn { N: m.N, r: m.r, p: m.p, keyLen: m.keyLen };\n}\n\n/* ------------------------------------------------------------------ *\n * Optional argon2 peer dep\n * ------------------------------------------------------------------ */\n\ninterface Argon2Module {\n\thash(password: string, opts: { memoryCost: number; timeCost: number; parallelism: number }): Promise<string>;\n\tverify(hash: string, password: string): Promise<boolean>;\n}\n\nlet _argon2: Argon2Module | null | undefined; // undefined = not yet loaded\n\nasync function loadArgon2(): Promise<Argon2Module> {\n\tif (_argon2 !== undefined) {\n\t\tif (_argon2 === null) {\n\t\t\tthrow new Error(\n\t\t\t\t\"argon2 is not installed. Install with: bun add @node-rs/argon2\",\n\t\t\t);\n\t\t}\n\t\treturn _argon2;\n\t}\n\ttry {\n\t\t// @ts-ignore - optional peer dep\n\t\tconst mod = await import(\"@node-rs/argon2\");\n\t\t_argon2 = (mod as any).default ?? (mod as any);\n\t\tif (!_argon2) throw new Error(\"invalid argon2 module\");\n\t\treturn _argon2!;\n\t} catch {\n\t\t_argon2 = null;\n\t\tthrow new Error(\n\t\t\t\"argon2 is not installed. Install with: bun add @node-rs/argon2\",\n\t\t);\n\t}\n}\n",
+    "/**\n * `CryptoModule` — wires `EncryptionService` and `HashService`\n * into the DI container.\n *\n *   @Module({\n *     imports: [CryptoModule.forRoot({ key: process.env.APP_KEY! })],\n *   })\n *   class AppModule {}\n *\n * The `key` is required for `EncryptionService` (32 bytes). For\n * `HashService` only the algorithm config is required — there's no\n * shared key.\n *\n * If you only need `HashService` (and don't use encryption), you\n * can pass an empty config:\n *\n *   CryptoModule.forRoot({ key: \\\"x\\\" })\n *   // Encryption will pad the key to 32 bytes via HKDF.\n */\n\nimport { Module } from \"@nexusts/core/decorators/module.js\";\nimport { EncryptionService } from \"./encryption.js\";\nimport { HashService } from \"./hash.js\";\nimport type { EncryptionConfig, HashConfig } from \"./types.js\";\n\nexport const ENCRYPTION_SERVICE_TOKEN = Symbol.for(\"nexus:EncryptionService\");\nexport const HASH_SERVICE_TOKEN = Symbol.for(\"nexus:HashService\");\n\n@Module({\n\tproviders: [\n\t\tEncryptionService,\n\t\tHashService,\n\t\t{ provide: ENCRYPTION_SERVICE_TOKEN, useExisting: EncryptionService },\n\t\t{ provide: HASH_SERVICE_TOKEN, useExisting: HashService },\n\t],\n\texports: [\n\t\tEncryptionService,\n\t\tHashService,\n\t\tENCRYPTION_SERVICE_TOKEN,\n\t\tHASH_SERVICE_TOKEN,\n\t],\n})\nexport class CryptoModule {\n\tstatic forRoot(config: EncryptionConfig & { hash?: HashConfig } = { key: \"\" }) {\n\t\tconst fullEncryptionConfig = {\n\t\t\tkey: config.key,\n\t\t\talgorithm: config.algorithm ?? \"aes-256-gcm\",\n\t\t\tdefaultExpiresIn: config.defaultExpiresIn,\n\t\t} as Required<EncryptionConfig>;\n\t\tconst fullHashConfig = config.hash ?? {};\n\n\t\t@Module({\n\t\t\tproviders: [\n\t\t\t\t{ provide: \"ENCRYPTION_CONFIG\", useValue: fullEncryptionConfig },\n\t\t\t\t{ provide: \"HASH_CONFIG\", useValue: fullHashConfig },\n\t\t\t\t{\n\t\t\t\t\tprovide: EncryptionService,\n\t\t\t\t\tuseFactory: () => new EncryptionService(fullEncryptionConfig.key),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tprovide: HashService,\n\t\t\t\t\tuseFactory: () => new HashService(fullHashConfig),\n\t\t\t\t},\n\t\t\t\t{ provide: ENCRYPTION_SERVICE_TOKEN, useExisting: EncryptionService },\n\t\t\t\t{ provide: HASH_SERVICE_TOKEN, useExisting: HashService },\n\t\t\t],\n\t\t\texports: [\n\t\t\t\tEncryptionService,\n\t\t\t\tHashService,\n\t\t\t\tENCRYPTION_SERVICE_TOKEN,\n\t\t\t\tHASH_SERVICE_TOKEN,\n\t\t\t],\n\t\t})\n\t\tclass ConfiguredCryptoModule {}\n\t\tObject.defineProperty(ConfiguredCryptoModule, \"name\", {\n\t\t\tvalue: \"ConfiguredCryptoModule\",\n\t\t});\n\n\t\treturn ConfiguredCryptoModule as unknown as typeof CryptoModule;\n\t}\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuBA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAUA,IAAM,UAAU;AAChB,IAAM,WAAW;AACjB,IAAM,YAAY;AAAA;AAEX,MAAM,kBAAkB;AAAA,EACb;AAAA,EACA;AAAA,EAEjB,WAAW,CAAC,WAAmB;AAAA,IAC9B,MAAM,UAAU,WAAW,SAAS;AAAA,IACpC,KAAK,SAAS,QAAQ;AAAA,IACtB,KAAK,UAAU,QAAQ;AAAA;AAAA,EAWxB,OAAO,CAAC,OAAe,UAA0B,CAAC,GAAmB;AAAA,IACpE,MAAM,KAAK,YAAY,QAAQ;AAAA,IAC/B,MAAM,SAAS,eAAe,eAAe,KAAK,QAAQ,EAAE;AAAA,IAC5D,MAAM,YAAY,OAAO,KAAK,OAAO,MAAM;AAAA,IAC3C,MAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,SAAS,GAAG,OAAO,MAAM,CAAC,CAAC;AAAA,IAC3E,MAAM,MAAM,OAAO,WAAW;AAAA,IAE9B,MAAM,SAAS,aAAa,QAAQ,SAAS;AAAA,IAC7C,MAAM,aAAa,OAAO,KAAK,QAAQ,WAAW,IAAI,MAAM;AAAA,IAC5D,MAAM,MAAM,KAAK,QAAQ,CAAC,SAAS,IAAI,KAAK,YAAY,QAAQ,UAAU,CAAC;AAAA,IAE3E,OAAO;AAAA,MACN;AAAA,MACA,IAAI,EAAE;AAAA,MACN,IAAI,GAAG;AAAA,MACP,IAAI,UAAU;AAAA,MACd,IAAI,MAAM;AAAA,MACV,IAAI,UAAU;AAAA,MACd,IAAI,GAAG;AAAA,IACR,EAAE,KAAK,GAAG;AAAA;AAAA,EAQX,OAAmB,CAAC,SAAoB;AAAA,IACvC,MAAM,SAAS,QAAQ,OAAO;AAAA,IAC9B,IAAI,CAAC;AAAA,MAAQ,MAAM,IAAI,MAAM,gCAAgC;AAAA,IAG7D,MAAM,cAAc,KAAK,QAAQ;AAAA,MAChC;AAAA,MACA,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACR,CAAC;AAAA,IACD,IAAI,CAAC,kBAAkB,aAAa,OAAO,GAAG,GAAG;AAAA,MAChD,MAAM,IAAI,MAAM,0CAA0C;AAAA,IAC3D;AAAA,IAGA,IAAI,OAAO,OAAO,SAAS,GAAG;AAAA,MAC7B,MAAM,WAAW,YAAY,OAAO,OAAO,SAAS,MAAM,CAAC;AAAA,MAC3D,IAAI,WAAW,KAAK,KAAK,IAAI,IAAI,UAAU;AAAA,QAC1C,MAAM,IAAI,MAAM,+BAA+B;AAAA,MAChD;AAAA,IACD;AAAA,IAEA,MAAM,WAAW,iBAAiB,eAAe,KAAK,QAAQ,OAAO,EAAE;AAAA,IACvE,SAAS,WAAW,OAAO,GAAG;AAAA,IAC9B,MAAM,YAAY,OAAO,OAAO;AAAA,MAC/B,SAAS,OAAO,OAAO,UAAU;AAAA,MACjC,SAAS,MAAM;AAAA,IAChB,CAAC;AAAA,IACD,OAAO,UAAU,SAAS,MAAM;AAAA;AAAA,EAIjC,WAAW,CAAC,OAAwB;AAAA,IACnC,IAAI,OAAO,UAAU;AAAA,MAAU,OAAO;AAAA,IACtC,OAAO,MAAM,WAAW,UAAU,GAAG;AAAA;AAAA,EAWtC,IAAI,CAAC,OAAe,UAAU,IAAiB;AAAA,IAC9C,MAAM,MAAM,WAAW,UAAU,KAAK,OAAO,EAC3C,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,OAAO,GAAG,IAAI,OAAO,KAAK,OAAO,MAAM,CAAC,KAAK,IAAI,GAAG;AAAA;AAAA,EAUrD,OAAO,CAAC,OAAe,UAAU,IAAY;AAAA,IAC5C,MAAM,MAAM,WAAW,UAAU,KAAK,OAAO,EAC3C,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,OAAO,IAAI,GAAG;AAAA;AAAA,EAOf,SAAS,CAAC,OAAe,WAAmB,UAAU,IAAa;AAAA,IAClE,MAAM,WAAW,WAAW,UAAU,KAAK,OAAO,EAChD,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,MAAM,QAAQ,QAAQ,SAAS;AAAA,IAC/B,IAAI,CAAC;AAAA,MAAO,OAAO;AAAA,IACnB,OAAO,kBAAkB,OAAO,QAAQ;AAAA;AAAA,EAQzC,MAAM,CAAC,QAAgB,UAAU,IAAmB;AAAA,IACnD,MAAM,MAAM,OAAO,YAAY,GAAG;AAAA,IAClC,IAAI,MAAM,KAAK,QAAQ,OAAO,SAAS;AAAA,MAAG,OAAO;AAAA,IACjD,MAAM,WAAW,OAAO,MAAM,GAAG,GAAG;AAAA,IACpC,MAAM,SAAS,OAAO,MAAM,MAAM,CAAC;AAAA,IACnC,MAAM,QAAQ,QAAQ,QAAQ;AAAA,IAC9B,MAAM,MAAM,QAAQ,MAAM;AAAA,IAC1B,IAAI,CAAC,SAAS,CAAC;AAAA,MAAK,OAAO;AAAA,IAC3B,MAAM,WAAW,WAAW,UAAU,KAAK,OAAO,EAChD,OAAO,OAAO,EACd,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,OAAO;AAAA,IACT,IAAI,CAAC,kBAAkB,KAAK,QAAQ;AAAA,MAAG,OAAO;AAAA,IAC9C,OAAO,MAAM,SAAS,MAAM;AAAA;AAAA,EAKrB,OAAO,CAAC,OAAuC;AAAA,IACtD,MAAM,IAAI,WAAW,UAAU,KAAK,OAAO;AAAA,IAC3C,WAAW,KAAK,OAAO;AAAA,MACtB,EAAE,OAAO,GAAG;AAAA,MACZ,EAAE,OAAO,CAAW;AAAA,IACrB;AAAA,IACA,OAAO,EAAE,OAAO;AAAA;AAElB;AAMA,SAAS,GAAG,CAAC,KAAqB;AAAA,EACjC,OAAO,IAAI,SAAS,WAAW;AAAA;AAGhC,SAAS,OAAO,CAAC,GAA0B;AAAA,EAC1C,IAAI;AAAA,IACH,OAAO,OAAO,KAAK,GAAG,WAAW;AAAA,IAChC,MAAM;AAAA,IACP,OAAO;AAAA;AAAA;AAIT,SAAS,iBAAiB,CAAC,GAAW,GAAoB;AAAA,EACzD,IAAI,EAAE,WAAW,EAAE;AAAA,IAAQ,OAAO;AAAA,EAClC,OAAO,gBAAgB,GAAG,CAAC;AAAA;AAG5B,SAAS,YAAY,CAAC,WAAuD;AAAA,EAC5E,IAAI,cAAc;AAAA,IAAW,OAAO,OAAO,MAAM,CAAC;AAAA,EAClD,IAAI;AAAA,EACJ,IAAI,OAAO,cAAc,UAAU;AAAA,IAClC,KAAK,YAAY,gBAAO,YAAY,KAAK,IAAI,IAAI,YAAY;AAAA,EAC9D,EAAO,SAAI,OAAO,cAAc,UAAU;AAAA,IAEzC,MAAM,QAAQ,OAAO,SAAS;AAAA,IAC9B,IAAI,CAAC,MAAM,KAAK,KAAK,QAAQ,GAAG;AAAA,MAC/B,KAAK,QAAQ,gBAAO,QAAQ,KAAK,IAAI,IAAI,QAAQ;AAAA,IAClD,EAAO;AAAA,MACN,KAAK,KAAK,MAAM,SAAS;AAAA;AAAA,EAE3B,EAAO;AAAA,IACN,KAAK,UAAU,QAAQ;AAAA;AAAA,EAExB,IAAI,CAAC,SAAS,EAAE;AAAA,IAAG,OAAO,OAAO,MAAM,CAAC;AAAA,EACxC,OAAO,OAAO,KAAK,OAAO,EAAE,GAAG,MAAM;AAAA;AAGtC,SAAS,WAAW,CAAC,GAAmB;AAAA,EACvC,MAAM,IAAI,OAAO,CAAC;AAAA,EAClB,OAAO,SAAS,CAAC,IAAI,IAAI;AAAA;AAY1B,SAAS,OAAO,CAAC,GAA4B;AAAA,EAC5C,IAAI,OAAO,MAAM,YAAY,CAAC,EAAE,WAAW,UAAU,GAAG;AAAA,IAAG,OAAO;AAAA,EAClE,MAAM,QAAQ,EAAE,MAAM,GAAG;AAAA,EAEzB,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAC/B,SAAS,OAAO,QAAQ,OAAO,QAAQ,YAAY,UAAU;AAAA,EAC7D,MAAM,KAAK,QAAQ,KAAK;AAAA,EACxB,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,MAAM,KAAK,QAAQ,KAAK;AAAA,EACxB,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,MAAM,UAAU,QAAQ,UAAU;AAAA,EAClC,MAAM,MAAM,QAAQ,MAAM;AAAA,EAC1B,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;AAAA,IAAK,OAAO;AAAA,EAC3D,IAAI,GAAG,WAAW;AAAA,IAAU,OAAO;AAAA,EACnC,IAAI,IAAI,WAAW;AAAA,IAAW,OAAO;AAAA,EACrC,OAAO,EAAE,IAAI,KAAK,YAAY,IAAI,QAAQ,KAAK,SAAS,IAAI;AAAA;AAO7D,SAAS,UAAU,CAAC,WAAkD;AAAA,EAGrE,IAAI;AAAA,EACJ,IAAI;AAAA,IACH,MAAM,UAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IAC/C,IACC,QAAQ,UAAU,MAGlB,UAAU,SAAS,MAAM,GACxB;AAAA,MACD,QAAQ;AAAA,IACT,EAAO;AAAA,MACN,QAAQ,OAAO,KAAK,WAAW,MAAM;AAAA;AAAA,IAErC,MAAM;AAAA,IACP,QAAQ,OAAO,KAAK,WAAW,MAAM;AAAA;AAAA,EAGtC,MAAM,MAAM,MAAM,SAAS,KAAK,OAAO,KAAK,IAAI;AAAA,EAChD,MAAM,MAAM,SAAS,UAAU,KAAK,OAAO,MAAM,CAAC,GAAG,mBAAmB,EAAE;AAAA,EAC1E,MAAM,SAAS,OAAO,KAAK,GAAG;AAAA,EAC9B,OAAO;AAAA,IACN,KAAK,OAAO,KAAK,OAAO,SAAS,GAAG,EAAE,CAAC;AAAA,IACvC,MAAM,OAAO,KAAK,OAAO,SAAS,IAAI,EAAE,CAAC;AAAA,EAC1C;AAAA;AAGD,SAAS,MAAM,CAAC,OAAuB;AAAA,EAGtC,MAAM,OAAO,WAAW,UAAU,kBAAkB,EAAE,OAAO,KAAK,EAAE,OAAO;AAAA,EAC3E,MAAM,MAAM,OAAO,MAAM,EAAE;AAAA,EAC3B,MAAM,KAAK,KAAK,GAAG,GAAG,KAAK,IAAI,MAAM,QAAQ,EAAE,CAAC;AAAA,EAChD,KAAK,KAAK,KAAK,MAAM,SAAS,KAAK,MAAM,SAAS,GAAG,GAAG,KAAK,KAAK,IAAI,MAAM,QAAQ,EAAE,CAAC;AAAA,EACvF,OAAO;AAAA;;ACzSR,mBAAS,yBAAoB,iCAAa;AAK1C,SAAS,MAAM,CACd,UACA,MACA,QACA,SACkB;AAAA,EAClB,OAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AAAA,IACvC,SAAS,UAAU,MAAM,QAAQ,SAAS,CAAC,KAAK,YAAY;AAAA,MAC3D,IAAI;AAAA,QAAK,OAAO,GAAG;AAAA,MACd;AAAA,gBAAQ,OAAO;AAAA,KACpB;AAAA,GACD;AAAA;AAIF,IAAM,gBAAgB;AACtB,IAAM,gBAAgB;AAAA;AAEf,MAAM,YAAY;AAAA,EACf;AAAA,EACQ;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,WAAW,CAAC,SAAqB,CAAC,GAAG;AAAA,IACpC,KAAK,YAAY,OAAO,aAAa;AAAA,IACrC,KAAK,aAAa,OAAO,cAAc;AAAA,IACvC,KAAK,kBAAkB,OAAO,mBAAmB;AAAA,IACjD,KAAK,wBAAwB,OAAO,yBAAyB;AAAA,IAC7D,KAAK,kBAAkB,OAAO,mBAAmB;AAAA,IACjD,KAAK,mBAAmB,OAAO,oBAAoB;AAAA,IACnD,KAAK,iBAAiB,OAAO,kBAAkB;AAAA,IAC/C,KAAK,oBAAoB,OAAO,qBAAqB;AAAA;AAAA,OAOhD,KAAI,CAAC,UAAkB,UAAuB,CAAC,GAA4B;AAAA,IAChF,MAAM,OAAO,QAAQ,aAAa,KAAK;AAAA,IACvC,IAAI,SAAS;AAAA,MAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IACtD,IAAI,SAAS;AAAA,MAAU,OAAO,KAAK,WAAW,QAAQ;AAAA,IACtD,MAAM,IAAI,MAAM,2BAA2B,MAAM;AAAA;AAAA,OAO5C,OAAM,CAAC,QAAwB,UAAoC;AAAA,IACxE,IAAI,OAAO,WAAW,YAAY,OAAO,WAAW;AAAA,MAAG,OAAO;AAAA,IAC9D,IAAI,OAAO,WAAW,aAAa;AAAA,MAAG,OAAO,KAAK,aAAa,QAAQ,QAAQ;AAAA,IAC/E,IAAI,OAAO,WAAW,aAAa;AAAA,MAAG,OAAO,KAAK,aAAa,QAAQ,QAAQ;AAAA,IAG/E,OAAO;AAAA;AAAA,EAQR,WAAW,CAAC,QAAiC;AAAA,IAC5C,IAAI,OAAO,WAAW,YAAY,CAAC,OAAO,WAAW,aAAa,GAAG;AAAA,MAGpE,OAAO;AAAA,IACR;AAAA,IACA,MAAM,SAAS,kBAAkB,MAAM;AAAA,IACvC,IAAI,CAAC;AAAA,MAAQ,OAAO;AAAA,IACpB,IAAI,OAAO,IAAI,KAAK;AAAA,MAAY,OAAO;AAAA,IACvC,IAAI,OAAO,IAAI,KAAK;AAAA,MAAiB,OAAO;AAAA,IAC5C,IAAI,OAAO,IAAI,KAAK;AAAA,MAAuB,OAAO;AAAA,IAClD,IAAI,OAAO,SAAS,KAAK;AAAA,MAAiB,OAAO;AAAA,IACjD,OAAO;AAAA;AAAA,OAKM,WAAU,CAAC,UAAmC;AAAA,IAC3D,MAAM,OAAO,aAAY,EAAE;AAAA,IAC3B,MAAM,UAAW,MAAM,OAAO,UAAU,MAAM,KAAK,iBAAiB;AAAA,MACnE,GAAG,KAAK;AAAA,MACR,GAAG,KAAK;AAAA,MACR,GAAG,KAAK;AAAA,MACR,QAAQ,MAAM,OAAO;AAAA,IACtB,CAAC;AAAA,IACD,OAAO;AAAA,MACN;AAAA,MACA,KAAK,KAAK,gBAAgB,KAAK,qBAAqB,KAAK,gCAAgC,KAAK;AAAA,MAC9F,IAAI,KAAK,SAAS,WAAW;AAAA,MAC7B,IAAI,QAAQ,SAAS,WAAW;AAAA,IACjC,EAAE,KAAK,EAAE;AAAA;AAAA,OAGI,aAAY,CAAC,QAAgB,UAAoC;AAAA,IAC9E,MAAM,SAAS,kBAAkB,MAAM;AAAA,IACvC,IAAI,CAAC;AAAA,MAAQ,OAAO;AAAA,IAEpB,aAAa,SAAS,WAAW,OAAO,MAAM,GAAG;AAAA,IACjD,IAAI,CAAC,WAAW,CAAC;AAAA,MAAS,OAAO;AAAA,IACjC,MAAM,OAAO,OAAO,KAAK,SAAS,WAAW;AAAA,IAC7C,MAAM,WAAW,OAAO,KAAK,SAAS,WAAW;AAAA,IACjD,MAAM,UAAW,MAAM,OAAO,UAAU,MAAM,SAAS,QAAQ;AAAA,MAC9D,GAAG,OAAO;AAAA,MACV,GAAG,OAAO;AAAA,MACV,GAAG,OAAO;AAAA,MACV,QAAQ,MAAM,OAAO;AAAA,IACtB,CAAC;AAAA,IACD,IAAI,QAAQ,WAAW,SAAS;AAAA,MAAQ,OAAO;AAAA,IAC/C,OAAO,iBAAgB,SAAS,QAAQ;AAAA;AAAA,OAK3B,WAAU,CAAC,UAAmC;AAAA,IAC3D,MAAM,MAAM,MAAM,WAAW;AAAA,IAC7B,MAAM,OAAO,MAAM,IAAI,KAAK,UAAU;AAAA,MACrC,YAAY,KAAK;AAAA,MACjB,UAAU,KAAK;AAAA,MACf,aAAa,KAAK;AAAA,IACnB,CAAC;AAAA,IACD,OAAO;AAAA;AAAA,OAGM,aAAY,CAAC,QAAgB,UAAoC;AAAA,IAC9E,MAAM,MAAM,MAAM,WAAW;AAAA,IAC7B,IAAI;AAAA,MACH,OAAO,MAAM,IAAI,OAAO,QAAQ,QAAQ;AAAA,MACvC,MAAM;AAAA,MACP,OAAO;AAAA;AAAA;AAGV;AAMA,SAAS,iBAAiB,CAAC,QAKlB;AAAA,EAER,MAAM,QAAQ,OAAO,MAAM,GAAG;AAAA,EAC9B,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAC/B,MAAM,aAAa,MAAM;AAAA,EACzB,IAAI,CAAC;AAAA,IAAY,OAAO;AAAA,EACxB,MAAM,IAA4B,CAAC;AAAA,EACnC,WAAW,MAAM,WAAW,MAAM,GAAG,GAAG;AAAA,IACvC,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG;AAAA,IAC3B,IAAI,KAAK;AAAA,MAAG,EAAE,KAAK,OAAO,CAAC;AAAA,EAC5B;AAAA,EACA,IAAI,CAAC,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,EAAE;AAAA,IAAQ,OAAO;AAAA,EAC9C,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,OAAO;AAAA;AAYnD,IAAI;AAEJ,eAAe,UAAU,GAA0B;AAAA,EAClD,IAAI,YAAY,WAAW;AAAA,IAC1B,IAAI,YAAY,MAAM;AAAA,MACrB,MAAM,IAAI,MACT,gEACD;AAAA,IACD;AAAA,IACA,OAAO;AAAA,EACR;AAAA,EACA,IAAI;AAAA,IAEH,MAAM,MAAM,MAAa;AAAA,IACzB,UAAW,IAAY,WAAY;AAAA,IACnC,IAAI,CAAC;AAAA,MAAS,MAAM,IAAI,MAAM,uBAAuB;AAAA,IACrD,OAAO;AAAA,IACN,MAAM;AAAA,IACP,UAAU;AAAA,IACV,MAAM,IAAI,MACT,gEACD;AAAA;AAAA;;ACxMF;AAKO,IAAM,2BAA2B,OAAO,IAAI,yBAAyB;AACrE,IAAM,qBAAqB,OAAO,IAAI,mBAAmB;AAAA;AAgBzD,MAAM,aAAa;AAAA,SAClB,OAAO,CAAC,SAAmD,EAAE,KAAK,GAAG,GAAG;AAAA,IAC9E,MAAM,uBAAuB;AAAA,MAC5B,KAAK,OAAO;AAAA,MACZ,WAAW,OAAO,aAAa;AAAA,MAC/B,kBAAkB,OAAO;AAAA,IAC1B;AAAA,IACA,MAAM,iBAAiB,OAAO,QAAQ,CAAC;AAAA;AAAA,IAwBvC,MAAM,uBAAuB;AAAA,IAAC;AAAA,IAAxB,yBAAN;AAAA,MAtBC,OAAO;AAAA,QACP,WAAW;AAAA,UACV,EAAE,SAAS,qBAAqB,UAAU,qBAAqB;AAAA,UAC/D,EAAE,SAAS,eAAe,UAAU,eAAe;AAAA,UACnD;AAAA,YACC,SAAS;AAAA,YACT,YAAY,MAAM,IAAI,kBAAkB,qBAAqB,GAAG;AAAA,UACjE;AAAA,UACA;AAAA,YACC,SAAS;AAAA,YACT,YAAY,MAAM,IAAI,YAAY,cAAc;AAAA,UACjD;AAAA,UACA,EAAE,SAAS,0BAA0B,aAAa,kBAAkB;AAAA,UACpE,EAAE,SAAS,oBAAoB,aAAa,YAAY;AAAA,QACzD;AAAA,QACA,SAAS;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACD;AAAA,MACD,CAAC;AAAA,OACK;AAAA,IACN,OAAO,eAAe,wBAAwB,QAAQ;AAAA,MACrD,OAAO;AAAA,IACR,CAAC;AAAA,IAED,OAAO;AAAA;AAET;AAtCa,eAAN;AAAA,EAdN,OAAO;AAAA,IACP,WAAW;AAAA,MACV;AAAA,MACA;AAAA,MACA,EAAE,SAAS,0BAA0B,aAAa,kBAAkB;AAAA,MACpE,EAAE,SAAS,oBAAoB,aAAa,YAAY;AAAA,IACzD;AAAA,IACA,SAAS;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACD;AAAA,EACD,CAAC;AAAA,GACY;",
+  "debugId": "68D8BB427FD50CFB64756E2164756E21",
+  "names": []
+}

package/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "@nexusts/crypto",
+  "version": "0.7.0",
+  "description": "AES-256-GCM encryption + HMAC + scrypt/argon2",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "bun run ../../build.ts"
+  },
+  "keywords": [
+    "nexusts",
+    "framework",
+    "bun"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "@nexusts/core": "^0.7.0"
+  }
+}