@nexwage/crypto 0.1.0

package/dist/crypto/recovery-key.d.ts

@@ -0,0 +1,59 @@
+import type { AeadEnvelopeV1 } from "../types.js";
+/**
+ * Generate recovery key 32-byte secara acak.
+ *
+ * @returns Bytes recovery key.
+ *
+ * @example
+ * const recoveryKey = await generateRecoveryKey();
+ */
+export declare function generateRecoveryKey(): Promise<Uint8Array>;
+/**
+ * Bungkus master key menggunakan recovery key.
+ *
+ * @param masterKey - Master key 32-byte.
+ * @param recoveryKey - Recovery key 32-byte.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Envelope hasil wrap.
+ *
+ * @example
+ * const wrapped = await wrapMasterKeyWithRecoveryKey(masterKey, recoveryKey);
+ */
+export declare function wrapMasterKeyWithRecoveryKey(masterKey: Uint8Array, recoveryKey: Uint8Array, aad?: Uint8Array): Promise<AeadEnvelopeV1>;
+/**
+ * Buka master key menggunakan recovery key.
+ *
+ * @param recoveryKey - Recovery key 32-byte.
+ * @param wrapped - Envelope hasil wrap master key.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Bytes master key.
+ *
+ * @example
+ * const masterKey = await unwrapMasterKeyWithRecoveryKey(recoveryKey, wrapped);
+ */
+export declare function unwrapMasterKeyWithRecoveryKey(recoveryKey: Uint8Array, wrapped: AeadEnvelopeV1, aad?: Uint8Array): Promise<Uint8Array>;
+/**
+ * Bungkus recovery key menggunakan master key.
+ *
+ * @param recoveryKey - Recovery key 32-byte.
+ * @param masterKey - Master key 32-byte.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Envelope hasil wrap.
+ *
+ * @example
+ * const wrapped = await wrapRecoveryKeyWithMasterKey(recoveryKey, masterKey);
+ */
+export declare function wrapRecoveryKeyWithMasterKey(recoveryKey: Uint8Array, masterKey: Uint8Array, aad?: Uint8Array): Promise<AeadEnvelopeV1>;
+/**
+ * Buka recovery key menggunakan master key.
+ *
+ * @param masterKey - Master key 32-byte.
+ * @param wrapped - Envelope hasil wrap recovery key.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Bytes recovery key.
+ *
+ * @example
+ * const recoveryKey = await unwrapRecoveryKeyWithMasterKey(masterKey, wrapped);
+ */
+export declare function unwrapRecoveryKeyWithMasterKey(masterKey: Uint8Array, wrapped: AeadEnvelopeV1, aad?: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=recovery-key.d.ts.map

package/dist/crypto/recovery-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"recovery-key.d.ts","sourceRoot":"","sources":["../../src/crypto/recovery-key.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAwElD;;;;;;;GAOG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,UAAU,CAAC,CAG/D;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,4BAA4B,CAChD,SAAS,EAAE,UAAU,EACrB,WAAW,EAAE,UAAU,EACvB,GAAG,CAAC,EAAE,UAAU,GACf,OAAO,CAAC,cAAc,CAAC,CAIzB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,8BAA8B,CAClD,WAAW,EAAE,UAAU,EACvB,OAAO,EAAE,cAAc,EACvB,GAAG,CAAC,EAAE,UAAU,GACf,OAAO,CAAC,UAAU,CAAC,CAKrB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,4BAA4B,CAChD,WAAW,EAAE,UAAU,EACvB,SAAS,EAAE,UAAU,EACrB,GAAG,CAAC,EAAE,UAAU,GACf,OAAO,CAAC,cAAc,CAAC,CAIzB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,8BAA8B,CAClD,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,cAAc,EACvB,GAAG,CAAC,EAAE,UAAU,GACf,OAAO,CAAC,UAAU,CAAC,CAKrB"}

package/dist/crypto/recovery-key.js

@@ -0,0 +1,121 @@
+import sodium from "libsodium-wrappers-sumo";
+import { assertByteLength } from "../utils/bytes.js";
+import { decodeBase64, encodeBase64 } from "../utils/encoding.js";
+// Domain: recovery key and its wrapping with master key.
+/**
+ * Enkripsi payload dengan key menggunakan AEAD.
+ *
+ * @param key - Key 32-byte.
+ * @param plaintext - Data plaintext.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Envelope hasil enkripsi.
+ */
+async function encryptWithKey(key, plaintext, aad) {
+    await sodium.ready;
+    const nonce = sodium.randombytes_buf(sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+    const ct = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(plaintext, aad ?? null, null, nonce, key);
+    return {
+        v: 1,
+        nonce: encodeBase64(nonce),
+        ct: encodeBase64(ct),
+    };
+}
+/**
+ * Dekripsi payload dengan key menggunakan AEAD.
+ *
+ * @param key - Key 32-byte.
+ * @param wrapped - Envelope hasil enkripsi.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Bytes hasil dekripsi.
+ */
+async function decryptWithKey(key, wrapped, aad) {
+    await sodium.ready;
+    const nonce = decodeBase64(wrapped.nonce);
+    assertByteLength("nonce", nonce, sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+    const ct = decodeBase64(wrapped.ct);
+    try {
+        return sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(null, ct, aad ?? null, nonce, key);
+    }
+    catch {
+        throw new Error("Gagal membuka payload: ciphertext/AAD/keys tidak valid");
+    }
+}
+/**
+ * Generate recovery key 32-byte secara acak.
+ *
+ * @returns Bytes recovery key.
+ *
+ * @example
+ * const recoveryKey = await generateRecoveryKey();
+ */
+export async function generateRecoveryKey() {
+    await sodium.ready;
+    return sodium.randombytes_buf(32);
+}
+/**
+ * Bungkus master key menggunakan recovery key.
+ *
+ * @param masterKey - Master key 32-byte.
+ * @param recoveryKey - Recovery key 32-byte.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Envelope hasil wrap.
+ *
+ * @example
+ * const wrapped = await wrapMasterKeyWithRecoveryKey(masterKey, recoveryKey);
+ */
+export async function wrapMasterKeyWithRecoveryKey(masterKey, recoveryKey, aad) {
+    assertByteLength("masterKey", masterKey, 32);
+    assertByteLength("recoveryKey", recoveryKey, 32);
+    return encryptWithKey(recoveryKey, masterKey, aad);
+}
+/**
+ * Buka master key menggunakan recovery key.
+ *
+ * @param recoveryKey - Recovery key 32-byte.
+ * @param wrapped - Envelope hasil wrap master key.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Bytes master key.
+ *
+ * @example
+ * const masterKey = await unwrapMasterKeyWithRecoveryKey(recoveryKey, wrapped);
+ */
+export async function unwrapMasterKeyWithRecoveryKey(recoveryKey, wrapped, aad) {
+    assertByteLength("recoveryKey", recoveryKey, 32);
+    const masterKey = await decryptWithKey(recoveryKey, wrapped, aad);
+    assertByteLength("masterKey", masterKey, 32);
+    return masterKey;
+}
+/**
+ * Bungkus recovery key menggunakan master key.
+ *
+ * @param recoveryKey - Recovery key 32-byte.
+ * @param masterKey - Master key 32-byte.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Envelope hasil wrap.
+ *
+ * @example
+ * const wrapped = await wrapRecoveryKeyWithMasterKey(recoveryKey, masterKey);
+ */
+export async function wrapRecoveryKeyWithMasterKey(recoveryKey, masterKey, aad) {
+    assertByteLength("recoveryKey", recoveryKey, 32);
+    assertByteLength("masterKey", masterKey, 32);
+    return encryptWithKey(masterKey, recoveryKey, aad);
+}
+/**
+ * Buka recovery key menggunakan master key.
+ *
+ * @param masterKey - Master key 32-byte.
+ * @param wrapped - Envelope hasil wrap recovery key.
+ * @param aad - Additional authenticated data (opsional).
+ * @returns Bytes recovery key.
+ *
+ * @example
+ * const recoveryKey = await unwrapRecoveryKeyWithMasterKey(masterKey, wrapped);
+ */
+export async function unwrapRecoveryKeyWithMasterKey(masterKey, wrapped, aad) {
+    assertByteLength("masterKey", masterKey, 32);
+    const recoveryKey = await decryptWithKey(masterKey, wrapped, aad);
+    assertByteLength("recoveryKey", recoveryKey, 32);
+    return recoveryKey;
+}
+//# sourceMappingURL=recovery-key.js.map

package/dist/crypto/recovery-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"recovery-key.js","sourceRoot":"","sources":["../../src/crypto/recovery-key.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,yBAAyB,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAGlE,yDAAyD;AACzD;;;;;;;GAOG;AACH,KAAK,UAAU,cAAc,CAC3B,GAAe,EACf,SAAqB,EACrB,GAAgB;IAEhB,MAAM,MAAM,CAAC,KAAK,CAAC;IACnB,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAClC,MAAM,CAAC,4CAA4C,CACpD,CAAC;IAEF,MAAM,EAAE,GAAG,MAAM,CAAC,0CAA0C,CAC1D,SAAS,EACT,GAAG,IAAI,IAAI,EACX,IAAI,EACJ,KAAK,EACL,GAAG,CACJ,CAAC;IAEF,OAAO;QACL,CAAC,EAAE,CAAC;QACJ,KAAK,EAAE,YAAY,CAAC,KAAK,CAAC;QAC1B,EAAE,EAAE,YAAY,CAAC,EAAE,CAAC;KACrB,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,cAAc,CAC3B,GAAe,EACf,OAAuB,EACvB,GAAgB;IAEhB,MAAM,MAAM,CAAC,KAAK,CAAC;IAEnB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC1C,gBAAgB,CACd,OAAO,EACP,KAAK,EACL,MAAM,CAAC,4CAA4C,CACpD,CAAC;IACF,MAAM,EAAE,GAAG,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAEpC,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,0CAA0C,CACtD,IAAI,EACJ,EAAE,EACF,GAAG,IAAI,IAAI,EACX,KAAK,EACL,GAAG,CACJ,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,MAAM,CAAC,KAAK,CAAC;IACnB,OAAO,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;AACpC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,SAAqB,EACrB,WAAuB,EACvB,GAAgB;IAEhB,gBAAgB,CAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC7C,gBAAgB,CAAC,aAAa,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IACjD,OAAO,cAAc,CAAC,WAAW,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,WAAuB,EACvB,OAAuB,EACvB,GAAgB;IAEhB,gBAAgB,CAAC,aAAa,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAClE,gBAAgB,CAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC7C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,WAAuB,EACvB,SAAqB,EACrB,GAAgB;IAEhB,gBAAgB,CAAC,aAAa,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IACjD,gBAAgB,CAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC7C,OAAO,cAAc,CAAC,SAAS,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,SAAqB,EACrB,OAAuB,EACvB,GAAgB;IAEhB,gBAAgB,CAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,SAAS,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAClE,gBAAgB,CAAC,aAAa,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IACjD,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+export type { AeadEnvelopeV1, PasswordKdfParamsV1, PasswordWrappedKeyV1 } from "./types.js";
+export { generateFileKey, wrapFileKeyWithMasterKey, unwrapFileKeyWithMasterKey, encryptFileData, decryptFileData, } from "./crypto/file-encryption.js";
+export { generateMasterKey, generateMasterKeyWithPassword, wrapMasterKeyWithPassword, unwrapMasterKeyWithPassword, } from "./crypto/master-key.js";
+export { generateRecoveryKey, wrapMasterKeyWithRecoveryKey, unwrapMasterKeyWithRecoveryKey, wrapRecoveryKeyWithMasterKey, unwrapRecoveryKeyWithMasterKey, } from "./crypto/recovery-key.js";
+export type { PasswordKdfOptions } from "./crypto/password-kdf.js";
+export { deriveKeyFromPassword, wrapKeyWithPassword, unwrapKeyWithPassword, } from "./crypto/password-kdf.js";
+export { encodeBase64, decodeBase64 } from "./utils/encoding.js";
+export { sodium, ready as sodiumReady, randombytesBuf, cryptoPwhash, cryptoPwhashSaltBytes, cryptoPwhashOpslimitModerate, cryptoPwhashMemlimitModerate, aeadXChaCha20Poly1305IetfEncrypt, aeadXChaCha20Poly1305IetfDecrypt, aeadXChaCha20Poly1305IetfNpubBytes, toBase64, fromBase64, base64VariantOriginal, fromString, toString, memcmp, } from "./sodium.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,cAAc,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAE5F,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,0BAA0B,EAC1B,eAAe,EACf,eAAe,GAChB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,iBAAiB,EACjB,6BAA6B,EAC7B,yBAAyB,EACzB,2BAA2B,GAC5B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,mBAAmB,EACnB,4BAA4B,EAC5B,8BAA8B,EAC9B,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,0BAA0B,CAAC;AAElC,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EACL,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEjE,OAAO,EACL,MAAM,EACN,KAAK,IAAI,WAAW,EACpB,cAAc,EACd,YAAY,EACZ,qBAAqB,EACrB,4BAA4B,EAC5B,4BAA4B,EAC5B,gCAAgC,EAChC,gCAAgC,EAChC,kCAAkC,EAClC,QAAQ,EACR,UAAU,EACV,qBAAqB,EACrB,UAAU,EACV,QAAQ,EACR,MAAM,GACP,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,7 @@
+export { generateFileKey, wrapFileKeyWithMasterKey, unwrapFileKeyWithMasterKey, encryptFileData, decryptFileData, } from "./crypto/file-encryption.js";
+export { generateMasterKey, generateMasterKeyWithPassword, wrapMasterKeyWithPassword, unwrapMasterKeyWithPassword, } from "./crypto/master-key.js";
+export { generateRecoveryKey, wrapMasterKeyWithRecoveryKey, unwrapMasterKeyWithRecoveryKey, wrapRecoveryKeyWithMasterKey, unwrapRecoveryKeyWithMasterKey, } from "./crypto/recovery-key.js";
+export { deriveKeyFromPassword, wrapKeyWithPassword, unwrapKeyWithPassword, } from "./crypto/password-kdf.js";
+export { encodeBase64, decodeBase64 } from "./utils/encoding.js";
+export { sodium, ready as sodiumReady, randombytesBuf, cryptoPwhash, cryptoPwhashSaltBytes, cryptoPwhashOpslimitModerate, cryptoPwhashMemlimitModerate, aeadXChaCha20Poly1305IetfEncrypt, aeadXChaCha20Poly1305IetfDecrypt, aeadXChaCha20Poly1305IetfNpubBytes, toBase64, fromBase64, base64VariantOriginal, fromString, toString, memcmp, } from "./sodium.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,0BAA0B,EAC1B,eAAe,EACf,eAAe,GAChB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,iBAAiB,EACjB,6BAA6B,EAC7B,yBAAyB,EACzB,2BAA2B,GAC5B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,mBAAmB,EACnB,4BAA4B,EAC5B,8BAA8B,EAC9B,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEjE,OAAO,EACL,MAAM,EACN,KAAK,IAAI,WAAW,EACpB,cAAc,EACd,YAAY,EACZ,qBAAqB,EACrB,4BAA4B,EAC5B,4BAA4B,EAC5B,gCAAgC,EAChC,gCAAgC,EAChC,kCAAkC,EAClC,QAAQ,EACR,UAAU,EACV,qBAAqB,EACrB,UAAU,EACV,QAAQ,EACR,MAAM,GACP,MAAM,aAAa,CAAC"}

package/dist/sodium.d.ts

@@ -0,0 +1,115 @@
+import sodium from "libsodium-wrappers-sumo";
+/**
+ * Tunggu libsodium siap dipakai.
+ */
+/**
+ * Panjang salt untuk KDF.
+ * Nilai di-set setelah `ready()`.
+ */
+export declare let cryptoPwhashSaltBytes: number;
+/**
+ * Default opslimit KDF (moderate).
+ * Nilai di-set setelah `ready()`.
+ */
+export declare let cryptoPwhashOpslimitModerate: number;
+/**
+ * Default memlimit KDF (moderate).
+ * Nilai di-set setelah `ready()`.
+ */
+export declare let cryptoPwhashMemlimitModerate: number;
+/**
+ * Panjang nonce AEAD XChaCha20-Poly1305.
+ * Nilai di-set setelah `ready()`.
+ */
+export declare let aeadXChaCha20Poly1305IetfNpubBytes: number;
+/**
+ * Variant base64 ORIGINAL (libsodium).
+ * Nilai di-set setelah `ready()`.
+ */
+export declare let base64VariantOriginal: number;
+/**
+ * Tunggu libsodium siap dipakai.
+ */
+export declare function ready(): Promise<void>;
+/**
+ * Generate bytes acak.
+ *
+ * @param size - Panjang output (bytes).
+ * @returns Bytes acak.
+ */
+export declare function randombytesBuf(size: number): Uint8Array;
+/**
+ * Derivasi key dari password (Argon2).
+ *
+ * @param outLen - Panjang output key (bytes).
+ * @param password - Password input.
+ * @param salt - Salt KDF.
+ * @param opslimit - Batas operasi KDF.
+ * @param memlimit - Batas memori KDF.
+ * @param alg - Algoritma KDF.
+ * @returns Key hasil derivasi.
+ */
+export declare function cryptoPwhash(outLen: number, password: string, salt: Uint8Array, opslimit: number, memlimit: number, alg: number): Uint8Array;
+/**
+ * Enkripsi AEAD XChaCha20-Poly1305 (IETF).
+ *
+ * @param message - Plaintext.
+ * @param aad - Additional authenticated data.
+ * @param secretNonce - Secret nonce (null untuk tidak dipakai).
+ * @param publicNonce - Public nonce.
+ * @param key - Key 32-byte.
+ * @returns Ciphertext + tag.
+ */
+export declare function aeadXChaCha20Poly1305IetfEncrypt(message: Uint8Array, aad: Uint8Array | null, secretNonce: Uint8Array | null, publicNonce: Uint8Array, key: Uint8Array): Uint8Array;
+/**
+ * Dekripsi AEAD XChaCha20-Poly1305 (IETF).
+ *
+ * @param secretNonce - Secret nonce (null untuk tidak dipakai).
+ * @param ciphertext - Ciphertext + tag.
+ * @param aad - Additional authenticated data.
+ * @param publicNonce - Public nonce.
+ * @param key - Key 32-byte.
+ * @returns Plaintext.
+ */
+export declare function aeadXChaCha20Poly1305IetfDecrypt(secretNonce: Uint8Array | null, ciphertext: Uint8Array, aad: Uint8Array | null, publicNonce: Uint8Array, key: Uint8Array): Uint8Array;
+/**
+ * Encode bytes ke base64 (variant default sodium).
+ *
+ * @param data - Bytes input.
+ * @returns String base64.
+ */
+export declare function toBase64(data: Uint8Array): string;
+/**
+ * Decode string base64 ke bytes (variant default sodium).
+ *
+ * @param data - String base64.
+ * @returns Bytes hasil decode.
+ */
+export declare function fromBase64(data: string): Uint8Array;
+/**
+ * Encode string ke bytes (UTF-8).
+ *
+ * @param data - String input.
+ * @returns Bytes UTF-8.
+ */
+export declare function fromString(data: string): Uint8Array;
+/**
+ * Decode bytes ke string (UTF-8).
+ *
+ * @param data - Bytes input.
+ * @returns String hasil decode.
+ */
+export declare function toString(data: Uint8Array): string;
+/**
+ * Bandingkan bytes secara aman (constant-time).
+ *
+ * @param a - Bytes pertama.
+ * @param b - Bytes kedua.
+ * @returns True jika sama.
+ */
+export declare function memcmp(a: Uint8Array, b: Uint8Array): boolean;
+/**
+ * Akses penuh ke instance libsodium.
+ */
+export { sodium };
+//# sourceMappingURL=sodium.d.ts.map

package/dist/sodium.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sodium.d.ts","sourceRoot":"","sources":["../src/sodium.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,yBAAyB,CAAC;AAE7C;;GAEG;AACH;;;GAGG;AACH,eAAO,IAAI,qBAAqB,QAAI,CAAC;AAErC;;;GAGG;AACH,eAAO,IAAI,4BAA4B,QAAI,CAAC;AAE5C;;;GAGG;AACH,eAAO,IAAI,4BAA4B,QAAI,CAAC;AAE5C;;;GAGG;AACH,eAAO,IAAI,kCAAkC,QAAI,CAAC;AAElD;;;GAGG;AACH,eAAO,IAAI,qBAAqB,QAAI,CAAC;AAErC;;GAEG;AACH,wBAAsB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAQ3C;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,CAEvD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAC1B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,GACV,UAAU,CAEZ;AAED;;;;;;;;;GASG;AACH,wBAAgB,gCAAgC,CAC9C,OAAO,EAAE,UAAU,EACnB,GAAG,EAAE,UAAU,GAAG,IAAI,EACtB,WAAW,EAAE,UAAU,GAAG,IAAI,EAC9B,WAAW,EAAE,UAAU,EACvB,GAAG,EAAE,UAAU,GACd,UAAU,CAQZ;AAED;;;;;;;;;GASG;AACH,wBAAgB,gCAAgC,CAC9C,WAAW,EAAE,UAAU,GAAG,IAAI,EAC9B,UAAU,EAAE,UAAU,EACtB,GAAG,EAAE,UAAU,GAAG,IAAI,EACtB,WAAW,EAAE,UAAU,EACvB,GAAG,EAAE,UAAU,GACd,UAAU,CAQZ;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CAEjD;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,CAEnD;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,CAEnD;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CAEjD;AAED;;;;;;GAMG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAE5D;AAED;;GAEG;AACH,OAAO,EAAE,MAAM,EAAE,CAAC"}

package/dist/sodium.js

@@ -0,0 +1,141 @@
+import sodium from "libsodium-wrappers-sumo";
+/**
+ * Tunggu libsodium siap dipakai.
+ */
+/**
+ * Panjang salt untuk KDF.
+ * Nilai di-set setelah `ready()`.
+ */
+export let cryptoPwhashSaltBytes = 0;
+/**
+ * Default opslimit KDF (moderate).
+ * Nilai di-set setelah `ready()`.
+ */
+export let cryptoPwhashOpslimitModerate = 0;
+/**
+ * Default memlimit KDF (moderate).
+ * Nilai di-set setelah `ready()`.
+ */
+export let cryptoPwhashMemlimitModerate = 0;
+/**
+ * Panjang nonce AEAD XChaCha20-Poly1305.
+ * Nilai di-set setelah `ready()`.
+ */
+export let aeadXChaCha20Poly1305IetfNpubBytes = 0;
+/**
+ * Variant base64 ORIGINAL (libsodium).
+ * Nilai di-set setelah `ready()`.
+ */
+export let base64VariantOriginal = 0;
+/**
+ * Tunggu libsodium siap dipakai.
+ */
+export async function ready() {
+    await sodium.ready;
+    cryptoPwhashSaltBytes = sodium.crypto_pwhash_SALTBYTES;
+    cryptoPwhashOpslimitModerate = sodium.crypto_pwhash_OPSLIMIT_MODERATE;
+    cryptoPwhashMemlimitModerate = sodium.crypto_pwhash_MEMLIMIT_MODERATE;
+    aeadXChaCha20Poly1305IetfNpubBytes =
+        sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES;
+    base64VariantOriginal = sodium.base64_variants.ORIGINAL;
+}
+/**
+ * Generate bytes acak.
+ *
+ * @param size - Panjang output (bytes).
+ * @returns Bytes acak.
+ */
+export function randombytesBuf(size) {
+    return sodium.randombytes_buf(size);
+}
+/**
+ * Derivasi key dari password (Argon2).
+ *
+ * @param outLen - Panjang output key (bytes).
+ * @param password - Password input.
+ * @param salt - Salt KDF.
+ * @param opslimit - Batas operasi KDF.
+ * @param memlimit - Batas memori KDF.
+ * @param alg - Algoritma KDF.
+ * @returns Key hasil derivasi.
+ */
+export function cryptoPwhash(outLen, password, salt, opslimit, memlimit, alg) {
+    return sodium.crypto_pwhash(outLen, password, salt, opslimit, memlimit, alg);
+}
+/**
+ * Enkripsi AEAD XChaCha20-Poly1305 (IETF).
+ *
+ * @param message - Plaintext.
+ * @param aad - Additional authenticated data.
+ * @param secretNonce - Secret nonce (null untuk tidak dipakai).
+ * @param publicNonce - Public nonce.
+ * @param key - Key 32-byte.
+ * @returns Ciphertext + tag.
+ */
+export function aeadXChaCha20Poly1305IetfEncrypt(message, aad, secretNonce, publicNonce, key) {
+    return sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(message, aad, secretNonce, publicNonce, key);
+}
+/**
+ * Dekripsi AEAD XChaCha20-Poly1305 (IETF).
+ *
+ * @param secretNonce - Secret nonce (null untuk tidak dipakai).
+ * @param ciphertext - Ciphertext + tag.
+ * @param aad - Additional authenticated data.
+ * @param publicNonce - Public nonce.
+ * @param key - Key 32-byte.
+ * @returns Plaintext.
+ */
+export function aeadXChaCha20Poly1305IetfDecrypt(secretNonce, ciphertext, aad, publicNonce, key) {
+    return sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(secretNonce, ciphertext, aad, publicNonce, key);
+}
+/**
+ * Encode bytes ke base64 (variant default sodium).
+ *
+ * @param data - Bytes input.
+ * @returns String base64.
+ */
+export function toBase64(data) {
+    return sodium.to_base64(data);
+}
+/**
+ * Decode string base64 ke bytes (variant default sodium).
+ *
+ * @param data - String base64.
+ * @returns Bytes hasil decode.
+ */
+export function fromBase64(data) {
+    return sodium.from_base64(data);
+}
+/**
+ * Encode string ke bytes (UTF-8).
+ *
+ * @param data - String input.
+ * @returns Bytes UTF-8.
+ */
+export function fromString(data) {
+    return sodium.from_string(data);
+}
+/**
+ * Decode bytes ke string (UTF-8).
+ *
+ * @param data - Bytes input.
+ * @returns String hasil decode.
+ */
+export function toString(data) {
+    return sodium.to_string(data);
+}
+/**
+ * Bandingkan bytes secara aman (constant-time).
+ *
+ * @param a - Bytes pertama.
+ * @param b - Bytes kedua.
+ * @returns True jika sama.
+ */
+export function memcmp(a, b) {
+    return sodium.memcmp(a, b);
+}
+/**
+ * Akses penuh ke instance libsodium.
+ */
+export { sodium };
+//# sourceMappingURL=sodium.js.map

package/dist/sodium.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sodium.js","sourceRoot":"","sources":["../src/sodium.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,yBAAyB,CAAC;AAE7C;;GAEG;AACH;;;GAGG;AACH,MAAM,CAAC,IAAI,qBAAqB,GAAG,CAAC,CAAC;AAErC;;;GAGG;AACH,MAAM,CAAC,IAAI,4BAA4B,GAAG,CAAC,CAAC;AAE5C;;;GAGG;AACH,MAAM,CAAC,IAAI,4BAA4B,GAAG,CAAC,CAAC;AAE5C;;;GAGG;AACH,MAAM,CAAC,IAAI,kCAAkC,GAAG,CAAC,CAAC;AAElD;;;GAGG;AACH,MAAM,CAAC,IAAI,qBAAqB,GAAG,CAAC,CAAC;AAErC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK;IACzB,MAAM,MAAM,CAAC,KAAK,CAAC;IACnB,qBAAqB,GAAG,MAAM,CAAC,uBAAuB,CAAC;IACvD,4BAA4B,GAAG,MAAM,CAAC,+BAA+B,CAAC;IACtE,4BAA4B,GAAG,MAAM,CAAC,+BAA+B,CAAC;IACtE,kCAAkC;QAChC,MAAM,CAAC,4CAA4C,CAAC;IACtD,qBAAqB,GAAG,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC;AAC1D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAC1B,MAAc,EACd,QAAgB,EAChB,IAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,GAAW;IAEX,OAAO,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;AAC/E,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gCAAgC,CAC9C,OAAmB,EACnB,GAAsB,EACtB,WAA8B,EAC9B,WAAuB,EACvB,GAAe;IAEf,OAAO,MAAM,CAAC,0CAA0C,CACtD,OAAO,EACP,GAAG,EACH,WAAW,EACX,WAAW,EACX,GAAG,CACJ,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gCAAgC,CAC9C,WAA8B,EAC9B,UAAsB,EACtB,GAAsB,EACtB,WAAuB,EACvB,GAAe;IAEf,OAAO,MAAM,CAAC,0CAA0C,CACtD,WAAW,EACX,UAAU,EACV,GAAG,EACH,WAAW,EACX,GAAG,CACJ,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAgB;IACvC,OAAO,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAgB;IACvC,OAAO,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,MAAM,CAAC,CAAa,EAAE,CAAa;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,OAAO,EAAE,MAAM,EAAE,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,18 @@
+export type AeadEnvelopeV1 = {
+    v: 1;
+    nonce: string;
+    ct: string;
+};
+export type PasswordKdfParamsV1 = {
+    v: 1;
+    salt: string;
+    opslimit: number;
+    memlimit: number;
+};
+export type PasswordWrappedKeyV1 = {
+    v: 1;
+    kdf: PasswordKdfParamsV1;
+    nonce: string;
+    ct: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GAAG;IAC3B,CAAC,EAAE,CAAC,CAAC;IACL,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,CAAC,EAAE,CAAC,CAAC;IACL,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,CAAC,EAAE,CAAC,CAAC;IACL,GAAG,EAAE,mBAAmB,CAAC;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/utils/bytes.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Validasi panjang buffer sesuai ekspektasi.
+ *
+ * @param name - Label untuk pesan error.
+ * @param u8 - Bytes input.
+ * @param len - Panjang yang diharapkan (bytes).
+ *
+ * @example
+ * assertByteLength("masterKey", key, 32);
+ */
+export declare function assertByteLength(name: string, u8: Uint8Array, len: number): void;
+//# sourceMappingURL=bytes.d.ts.map

package/dist/utils/bytes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bytes.d.ts","sourceRoot":"","sources":["../../src/utils/bytes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,QAIzE"}

package/dist/utils/bytes.js

@@ -0,0 +1,16 @@
+/**
+ * Validasi panjang buffer sesuai ekspektasi.
+ *
+ * @param name - Label untuk pesan error.
+ * @param u8 - Bytes input.
+ * @param len - Panjang yang diharapkan (bytes).
+ *
+ * @example
+ * assertByteLength("masterKey", key, 32);
+ */
+export function assertByteLength(name, u8, len) {
+    if (u8.length !== len) {
+        throw new Error(`${name} harus ${len} bytes, dapat ${u8.length}`);
+    }
+}
+//# sourceMappingURL=bytes.js.map

package/dist/utils/bytes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bytes.js","sourceRoot":"","sources":["../../src/utils/bytes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,EAAc,EAAE,GAAW;IACxE,IAAI,EAAE,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,UAAU,GAAG,iBAAiB,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC"}

package/dist/utils/encoding.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Encode bytes ke base64 (variant original).
+ *
+ * @param u8 - Bytes input.
+ * @returns String base64.
+ *
+ * @example
+ * const s = encodeBase64(new Uint8Array([1, 2, 3]));
+ */
+export declare function encodeBase64(u8: Uint8Array): string;
+/**
+ * Decode string base64 ke bytes (variant original).
+ *
+ * @param s - String base64.
+ * @returns Bytes hasil decode.
+ *
+ * @example
+ * const u8 = decodeBase64("AQID");
+ */
+export declare function decodeBase64(s: string): Uint8Array;
+//# sourceMappingURL=encoding.d.ts.map

package/dist/utils/encoding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.d.ts","sourceRoot":"","sources":["../../src/utils/encoding.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,EAAE,EAAE,UAAU,GAAG,MAAM,CAEnD;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAElD"}

package/dist/utils/encoding.js

@@ -0,0 +1,27 @@
+import sodium from "libsodium-wrappers-sumo";
+// Shared low-level helpers for core crypto modules.
+/**
+ * Encode bytes ke base64 (variant original).
+ *
+ * @param u8 - Bytes input.
+ * @returns String base64.
+ *
+ * @example
+ * const s = encodeBase64(new Uint8Array([1, 2, 3]));
+ */
+export function encodeBase64(u8) {
+    return sodium.to_base64(u8, sodium.base64_variants.ORIGINAL);
+}
+/**
+ * Decode string base64 ke bytes (variant original).
+ *
+ * @param s - String base64.
+ * @returns Bytes hasil decode.
+ *
+ * @example
+ * const u8 = decodeBase64("AQID");
+ */
+export function decodeBase64(s) {
+    return sodium.from_base64(s, sodium.base64_variants.ORIGINAL);
+}
+//# sourceMappingURL=encoding.js.map

package/dist/utils/encoding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.js","sourceRoot":"","sources":["../../src/utils/encoding.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,yBAAyB,CAAC;AAE7C,oDAAoD;AACpD;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,EAAc;IACzC,OAAO,MAAM,CAAC,SAAS,CAAC,EAAE,EAAE,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,CAAS;IACpC,OAAO,MAAM,CAAC,WAAW,CAAC,CAAC,EAAE,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;AAChE,CAAC"}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@nexwage/crypto",
+  "version": "0.1.0",
+  "description": "Minimal crypto building blocks using libsodium (XChaCha20-Poly1305 + Argon2).",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "test": "NODE_OPTIONS=--experimental-vm-modules jest --coverage",
+    "start": "tsx examples/basic-flow.ts",
+    "build": "tsc -p tsconfig.json"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "type": "module",
+  "sideEffects": false,
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/nexwage/crypto.git"
+  },
+  "bugs": {
+    "url": "https://github.com/nexwage/crypto.git/issues"
+  },
+  "homepage": "https://github.com/nexwage/crypto.git#readme",
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "libsodium-wrappers-sumo": "^0.7.15"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.14",
+    "@types/libsodium-wrappers": "^0.7.14",
+    "@types/libsodium-wrappers-sumo": "^0.7.8",
+    "@types/node": "^25.0.3",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.2.5",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3"
+  }
+}