@nice-code/util 0.5.4 → 0.6.0

package/build/index.js

@@ -1,9 +1,93 @@
-// src/storage_adapter/storage_adapter.types.ts
-var EStorageAdapterType;
-((EStorageAdapterType2) => {
-  EStorageAdapterType2["string"] = "string";
-  EStorageAdapterType2["json"] = "json";
-})(EStorageAdapterType ||= {});
+// src/data_type/string/nullEmpty.ts
+var notNullEmpty = (str) => {
+  return str != null && str.length > 0;
+};
+
+// src/crypto/x25519/createSharedBitsFromX25519.ts
+var createSharedBitsFromX25519 = async ({
+  privateKey,
+  publicKey
+}) => {
+  return new Uint8Array(await crypto.subtle.deriveBits({ name: "X25519", public: publicKey }, privateKey, 256));
+};
+
+// src/crypto/aes_gcm/createAesGcmKeyFromX25519Keys.ts
+var DEFAULT_INFO_STRING = "METEOR_BRIDGE_DEFAULT_INFO_STRING";
+var createAesGcmKeyFromX25519Keys = async ({
+  externalX25519PublicKey,
+  internalX25519PrivateKey,
+  infoString,
+  saltString
+}) => {
+  const sharedBits = await createSharedBitsFromX25519({
+    privateKey: internalX25519PrivateKey,
+    publicKey: externalX25519PublicKey
+  });
+  const ikm = await crypto.subtle.importKey("raw", new Uint8Array(sharedBits), "HKDF", false, [
+    "deriveKey"
+  ]);
+  const salt = notNullEmpty(saltString) ? new TextEncoder().encode(saltString) : new Uint8Array;
+  const info = new TextEncoder().encode(notNullEmpty(infoString) ? infoString : DEFAULT_INFO_STRING);
+  return await crypto.subtle.deriveKey({
+    name: "HKDF",
+    hash: "SHA-256",
+    salt,
+    info
+  }, ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
+};
+// src/crypto/aes_gcm/decryptTextDataWithAesGcmKey.ts
+import { base64 } from "@scure/base";
+var decryptTextDataWithAesGcmKey = async ({
+  aesGcmKey,
+  dataToDecrypt
+}) => {
+  const decryptedData = await crypto.subtle.decrypt({
+    name: "AES-GCM",
+    iv: new Uint8Array(base64.decode(dataToDecrypt.nonce))
+  }, aesGcmKey, new Uint8Array(base64.decode(dataToDecrypt.ciphertext)));
+  return new TextDecoder().decode(decryptedData);
+};
+// src/crypto/aes_gcm/encryptTextDataWithAesGcmKey.ts
+import { base64 as base642 } from "@scure/base";
+var encryptTextDataWithAesGcmKey = async ({
+  aesGcmKey,
+  dataToEncrypt
+}) => {
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const encryptedData = await crypto.subtle.encrypt({
+    name: "AES-GCM",
+    iv: nonce
+  }, aesGcmKey, new TextEncoder().encode(dataToEncrypt));
+  return {
+    nonce: base642.encode(nonce),
+    ciphertext: base642.encode(new Uint8Array(encryptedData))
+  };
+};
+// src/crypto/ed25519/signTextDataWithKeyEd25519.ts
+var signTextDataWithKeyEd25519 = async (data, cryptoKey) => {
+  const dataBuffer = new TextEncoder().encode(data);
+  const signature = await crypto.subtle.sign({
+    name: "ED25519"
+  }, cryptoKey, dataBuffer);
+  return new Uint8Array(signature);
+};
+
+// src/crypto/ed25519/signCombinedTextDataWithKeyEd25519.ts
+var DEFAULT_COMBINED_TEXT_DATA_SEPARATOR = "::";
+var signCombinedTextDataWithKeyEd25519 = async (data, cryptoKey, separator = DEFAULT_COMBINED_TEXT_DATA_SEPARATOR) => {
+  return await signTextDataWithKeyEd25519(data.join(separator), cryptoKey);
+};
+
+// src/crypto/client_key_link/buildVerifyKeyBoundInfoString.ts
+var buildVerifyKeyBoundInfoString = ({
+  infoString,
+  verifyPublicKeys
+}) => {
+  const sortedKeys = [...verifyPublicKeys].sort();
+  return [...infoString != null ? [infoString] : [], ...sortedKeys].join(DEFAULT_COMBINED_TEXT_DATA_SEPARATOR);
+};
+// src/crypto/client_key_link/ClientCryptoKeyLink.ts
+import { base64 as base649 } from "@scure/base";
 
 // src/storage_adapter/typed_storage/createTypedStorage.ts
 function createTypedStorage({
@@ -40,6 +124,664 @@ function createTypedStorage({
   };
 }
 
+// src/crypto/ed25519/generateEd25519KeyPair.ts
+var generateEd25519KeyPair = async () => {
+  const keyPair = await crypto.subtle.generateKey({ name: "Ed25519" }, true, [
+    "sign",
+    "verify"
+  ]);
+  return keyPair;
+};
+
+// src/crypto/ed25519/importEd25519Key.ts
+import { base64 as base644 } from "@scure/base";
+
+// src/core/createDataStringConverter_stringToObject.ts
+var createDataStringConverter_stringToObject = ({
+  transformJsonForFormats = [],
+  transformJson = false
+} = {}) => (inputDataString) => {
+  const [type, format, dataString] = inputDataString.split("::");
+  let parsedData = dataString;
+  if (transformJson || transformJsonForFormats.includes(format)) {
+    try {
+      parsedData = JSON.parse(dataString);
+    } catch (error) {
+      const err = new Error(`Failed to parse type and format data string. Given input: "${inputDataString}", expected JSON parsable "data" value in the format "${type}::${format}::data" ${error instanceof Error ? error.message : String(error)}`);
+      err.cause = error;
+      throw err;
+    }
+  }
+  return {
+    formattedString: inputDataString,
+    type,
+    format,
+    data: parsedData
+  };
+};
+
+// src/crypto/crypto.schema.ts
+import * as v2 from "valibot";
+
+// src/core/core_valibot_schemas.ts
+import * as v from "valibot";
+var vBase64 = v.pipe(v.string(), v.base64());
+var vCreateSchema_TypeAndFormatPrefixedDataString = ({
+  type,
+  format,
+  typeKind,
+  formatKind
+}) => {
+  const _typeKind = typeKind ?? "data_type";
+  const _formatKind = formatKind ?? "data_format";
+  return v.pipe(v.custom((input) => {
+    if (typeof input !== "string")
+      return false;
+    const [typePart, formatPart, dataPart] = input.split("::");
+    return typePart === type && formatPart === format && typeof dataPart === "string";
+  }, `Invalid format, expected '<${_typeKind}>::<${_formatKind}>::<value>' where "${_typeKind}" is "${type}", "${_formatKind}" is "${format}", and "value" is a string in the specified format`));
+};
+
+// src/crypto/crypto.schema.ts
+var vSerializedCryptoKeyDataEd25519_Raw = vCreateSchema_TypeAndFormatPrefixedDataString({
+  format: "raw_base64" /* raw_base64 */,
+  type: "ed25519" /* ed25519 */,
+  typeKind: "algo"
+});
+var vSerializedCryptoKeyDataEd25519_Jwk = vCreateSchema_TypeAndFormatPrefixedDataString({
+  format: "jwk" /* jwk */,
+  type: "ed25519" /* ed25519 */,
+  typeKind: "algo",
+  transformJson: true
+});
+var vSerializedCryptoKeyDataX25519_Raw = vCreateSchema_TypeAndFormatPrefixedDataString({
+  format: "raw_base64" /* raw_base64 */,
+  type: "x25519" /* x25519 */,
+  typeKind: "algo"
+});
+var vSerializedCryptoKeyDataX25519_Jwk = vCreateSchema_TypeAndFormatPrefixedDataString({
+  format: "jwk" /* jwk */,
+  type: "x25519" /* x25519 */,
+  typeKind: "algo",
+  transformJson: true
+});
+var vCryptoKeyPairDataX25519 = v2.object({
+  publicKey: vSerializedCryptoKeyDataX25519_Raw,
+  privateKey: vSerializedCryptoKeyDataX25519_Jwk
+});
+var vCryptoKeyPairDataEd25519 = v2.object({
+  publicKey: vSerializedCryptoKeyDataEd25519_Raw,
+  privateKey: vSerializedCryptoKeyDataEd25519_Jwk
+});
+var vVerifyChallengeWithSignature_Input = v2.object({
+  challenge: v2.string(),
+  signatureBase64: vBase64
+});
+var vVerifyChallengeWithSignature_WithThrow_Input = v2.intersect([
+  vVerifyChallengeWithSignature_Input,
+  v2.object({
+    throwOnInvalid: v2.optional(v2.boolean())
+  })
+]);
+var vEncryptedAesGcmPayload = v2.object({
+  nonce: vBase64,
+  ciphertext: vBase64
+});
+
+// src/crypto/crypto.converters.ts
+var convertEd25519RawDataStringToObject = createDataStringConverter_stringToObject();
+var convertEd25519JwkDataStringToObject = createDataStringConverter_stringToObject({ transformJson: true });
+var convertEd25519FormattedStringToObject = createDataStringConverter_stringToObject({
+  transformJsonForFormats: ["jwk" /* jwk */]
+});
+var convertEd25519RawDataStringToSerializedKeyData = (input) => {
+  const transformed = convertEd25519RawDataStringToObject(input);
+  return {
+    prefixed: input,
+    transformed
+  };
+};
+var convertEd25519JwkDataStringToSerializedKeyData = (input) => {
+  const transformed = convertEd25519JwkDataStringToObject(input);
+  return {
+    prefixed: input,
+    transformed
+  };
+};
+var convertEd25519FormattedStringToSerializedKeyData = (input) => {
+  return convertEd25519FormattedStringToObject(input);
+};
+var convertX25519RawDataStringToObject = createDataStringConverter_stringToObject();
+var convertX25519JwkDataStringToObject = createDataStringConverter_stringToObject({ transformJson: true });
+var convertX25519FormattedStringToObject = createDataStringConverter_stringToObject({
+  transformJsonForFormats: ["jwk" /* jwk */]
+});
+var convertX25519RawDataStringToSerializedKeyData = (input) => {
+  const transformed = convertX25519RawDataStringToObject(input);
+  return {
+    prefixed: input,
+    transformed
+  };
+};
+var convertX25519JwkDataStringToSerializedKeyData = (input) => {
+  const transformed = convertX25519JwkDataStringToObject(input);
+  return {
+    prefixed: input,
+    transformed
+  };
+};
+var convertX25519FormattedStringToSerializedKeyData = (input) => {
+  return convertX25519FormattedStringToObject(input);
+};
+
+// src/crypto/ed25519/importEd25519Key.ts
+var fromBase64 = async (dataBase64, keyUsage, extractable) => {
+  const keyBuffer = Uint8Array.from(base644.decode(dataBase64));
+  return await crypto.subtle.importKey("raw", keyBuffer, { name: "Ed25519" }, extractable, keyUsage);
+};
+var fromJwk = async (jwk, keyUsage, extractable = true) => {
+  return await crypto.subtle.importKey("jwk", jwk, { name: "Ed25519" }, extractable, keyUsage);
+};
+var fromSerializedObject = async (serialized, keyUsage, extractable = true) => {
+  if (serialized.format === "jwk" /* jwk */) {
+    return await fromJwk(serialized.data, keyUsage, extractable);
+  }
+  return await fromBase64(serialized.data, keyUsage, extractable);
+};
+var fromFormattedString = async (dataString, keyUsage, extractable = true) => {
+  const transformed = convertEd25519FormattedStringToSerializedKeyData(dataString);
+  return await fromSerializedObject(transformed, keyUsage, extractable);
+};
+var extractableOrNonExtractable = (keyUsage, func) => ({
+  extractable: (input) => func(input, keyUsage, true),
+  nonExtractable: (input) => func(input, keyUsage, false)
+});
+var importEd25519Key = {
+  private: {
+    fromFormattedString: extractableOrNonExtractable(["sign"], fromFormattedString),
+    fromSerializedObject: extractableOrNonExtractable(["sign"], fromSerializedObject),
+    fromJwk: extractableOrNonExtractable(["sign"], fromJwk)
+  },
+  public: {
+    fromBase64: extractableOrNonExtractable(["verify"], fromBase64),
+    fromFormattedString: extractableOrNonExtractable(["verify"], fromFormattedString),
+    fromSerializedObject: extractableOrNonExtractable(["verify"], fromSerializedObject),
+    fromJwk: extractableOrNonExtractable(["verify"], fromJwk)
+  }
+};
+
+// src/crypto/ed25519/serializeEd25519Key_Jwk.ts
+var serializeEd25519Key_Jwk = async (key) => {
+  const keyJwk = await crypto.subtle.exportKey("jwk", key);
+  const prefixed = `${"ed25519" /* ed25519 */}::${"jwk" /* jwk */}::${JSON.stringify(keyJwk)}`;
+  const transformed = {
+    formattedString: prefixed,
+    type: "ed25519" /* ed25519 */,
+    data: keyJwk,
+    format: "jwk" /* jwk */
+  };
+  return { transformed, prefixed };
+};
+
+// src/crypto/ed25519/serializeEd25519Key_Raw.ts
+import { base64 as base645 } from "@scure/base";
+var serializeEd25519Key_Raw = async (publicKey) => {
+  const publicKeyBuffer = await crypto.subtle.exportKey("raw", publicKey);
+  const publicKeyBase64 = base645.encode(new Uint8Array(publicKeyBuffer));
+  const prefixed = `${"ed25519" /* ed25519 */}::${"raw_base64" /* raw_base64 */}::${publicKeyBase64}`;
+  const transformed = {
+    formattedString: prefixed,
+    type: "ed25519" /* ed25519 */,
+    data: publicKeyBase64,
+    format: "raw_base64" /* raw_base64 */
+  };
+  return { transformed, prefixed };
+};
+
+// src/crypto/ed25519/verifyWithKeyEd25519.ts
+import { base64 as base646 } from "@scure/base";
+var verifyWithKeyEd25519 = async ({
+  challenge,
+  signatureBase64,
+  publicKey
+}) => {
+  const signatureBuffer = Uint8Array.from(base646.decode(signatureBase64));
+  const challengeBuffer = new TextEncoder().encode(challenge);
+  return await crypto.subtle.verify({
+    name: "ED25519"
+  }, publicKey, signatureBuffer, challengeBuffer);
+};
+
+// src/crypto/x25519/generateX25519KeyPair.ts
+var generateX25519KeyPair = async () => {
+  const keyPair = await crypto.subtle.generateKey({ name: "X25519" }, true, [
+    "deriveKey",
+    "deriveBits"
+  ]);
+  return keyPair;
+};
+
+// src/crypto/x25519/importX25519Key.ts
+import { base64 as base647 } from "@scure/base";
+var fromBase642 = async (dataBase64, keyUsage, extractable) => {
+  const keyBuffer = Uint8Array.from(base647.decode(dataBase64));
+  return await crypto.subtle.importKey("raw", keyBuffer, { name: "X25519" }, extractable, keyUsage);
+};
+var fromJwk2 = async (jwk, keyUsage, extractable = true) => {
+  return await crypto.subtle.importKey("jwk", jwk, { name: "X25519" }, extractable, keyUsage);
+};
+var fromSerializedObject2 = async (serialized, keyUsage, extractable = true) => {
+  if (serialized.format === "jwk" /* jwk */) {
+    return await fromJwk2(serialized.data, keyUsage, extractable);
+  }
+  return await fromBase642(serialized.data, keyUsage, extractable);
+};
+var fromFormattedString2 = async (dataString, keyUsage, extractable = true) => {
+  const transformed = convertX25519FormattedStringToSerializedKeyData(dataString);
+  return await fromSerializedObject2(transformed, keyUsage, extractable);
+};
+var extractableOrNonExtractable2 = (keyUsage, func) => ({
+  extractable: (input) => func(input, keyUsage, true),
+  nonExtractable: (input) => func(input, keyUsage, false)
+});
+var importX25519Key = {
+  private: {
+    fromFormattedString: extractableOrNonExtractable2(["deriveKey", "deriveBits"], fromFormattedString2),
+    fromSerializedObject: extractableOrNonExtractable2(["deriveKey", "deriveBits"], fromSerializedObject2),
+    fromJwk: extractableOrNonExtractable2(["deriveKey", "deriveBits"], fromJwk2)
+  },
+  public: {
+    fromBase64: extractableOrNonExtractable2([], fromBase642),
+    fromFormattedString: extractableOrNonExtractable2([], fromFormattedString2),
+    fromSerializedObject: extractableOrNonExtractable2([], fromSerializedObject2),
+    fromJwk: extractableOrNonExtractable2([], fromJwk2)
+  }
+};
+
+// src/crypto/x25519/serializeX25519Key_Jwk.ts
+var serializeX25519Key_Jwk = async (key) => {
+  const publicKeyJwk = await crypto.subtle.exportKey("jwk", key);
+  const prefixed = `${"x25519" /* x25519 */}::${"jwk" /* jwk */}::${JSON.stringify(publicKeyJwk)}`;
+  const transformed = {
+    formattedString: prefixed,
+    type: "x25519" /* x25519 */,
+    data: publicKeyJwk,
+    format: "jwk" /* jwk */
+  };
+  return { transformed, prefixed };
+};
+
+// src/crypto/x25519/serializeX25519Key_Raw.ts
+import { base64 as base648 } from "@scure/base";
+var serializeX25519Key_Raw = async (key) => {
+  const publicKeyBuffer = await crypto.subtle.exportKey("raw", key);
+  const publicKeyBase64 = base648.encode(new Uint8Array(publicKeyBuffer));
+  const prefixed = `${"x25519" /* x25519 */}::${"raw_base64" /* raw_base64 */}::${publicKeyBase64}`;
+  const transformed = {
+    formattedString: prefixed,
+    type: "x25519" /* x25519 */,
+    data: publicKeyBase64,
+    format: "raw_base64" /* raw_base64 */
+  };
+  return { transformed, prefixed };
+};
+
+// src/crypto/client_key_link/ClientCryptoKeyLink.ts
+class ClientCryptoKeyLink {
+  localExchangeKeyPair;
+  localVerifyKeyPair;
+  linkedClientKeys = new Map;
+  storage;
+  initialized = false;
+  initializePromise;
+  localExchangeKeyPairPromise;
+  localVerifyKeyPairPromise;
+  constructor({ storageAdapter } = {}) {
+    if (storageAdapter != null) {
+      this.storage = createTypedStorage({ storageAdapter });
+    }
+  }
+  async initialize() {
+    if (this.initialized) {
+      return;
+    }
+    this.initializePromise ??= this.runInitialize();
+    try {
+      await this.initializePromise;
+    } finally {
+      this.initializePromise = undefined;
+    }
+  }
+  async runInitialize() {
+    await this.loadStoredLocalKeys();
+    await this.loadLinkedClients();
+    this.initialized = true;
+  }
+  async loadStoredLocalKeys() {
+    const storedExchange = await this.storage?.getJson("localExchangeKeyPair");
+    if (storedExchange != null) {
+      this.localExchangeKeyPair = {
+        privateKey: await importX25519Key.private.fromFormattedString.extractable(storedExchange.privateKey),
+        publicKey: await importX25519Key.public.fromFormattedString.extractable(storedExchange.publicKey)
+      };
+    }
+    const storedVerify = await this.storage?.getJson("localVerifyKeyPair");
+    if (storedVerify != null) {
+      this.localVerifyKeyPair = {
+        privateKey: await importEd25519Key.private.fromFormattedString.extractable(storedVerify.privateKey),
+        publicKey: await importEd25519Key.public.fromFormattedString.extractable(storedVerify.publicKey)
+      };
+    }
+  }
+  async ensureLocalExchangeKeyPair() {
+    if (this.localExchangeKeyPair != null) {
+      return this.localExchangeKeyPair;
+    }
+    this.localExchangeKeyPairPromise ??= (async () => {
+      const keyPair = await generateX25519KeyPair();
+      this.localExchangeKeyPair = keyPair;
+      if (this.storage != null) {
+        await this.storage.setJson("localExchangeKeyPair", await this.serializeExchangeKeyPair(keyPair));
+      }
+      return keyPair;
+    })();
+    try {
+      return await this.localExchangeKeyPairPromise;
+    } finally {
+      this.localExchangeKeyPairPromise = undefined;
+    }
+  }
+  async ensureLocalVerifyKeyPair() {
+    if (this.localVerifyKeyPair != null) {
+      return this.localVerifyKeyPair;
+    }
+    this.localVerifyKeyPairPromise ??= (async () => {
+      const keyPair = await generateEd25519KeyPair();
+      this.localVerifyKeyPair = keyPair;
+      if (this.storage != null) {
+        await this.storage.setJson("localVerifyKeyPair", await this.serializeVerifyKeyPair(keyPair));
+      }
+      return keyPair;
+    })();
+    try {
+      return await this.localVerifyKeyPairPromise;
+    } finally {
+      this.localVerifyKeyPairPromise = undefined;
+    }
+  }
+  async loadLinkedClients() {
+    const storedLinkedClients = await this.storage?.getJson("linkedClientPublicKeys");
+    if (storedLinkedClients == null) {
+      return;
+    }
+    for (const [linkedClientId, publicKeys] of Object.entries(storedLinkedClients)) {
+      await this.linkClient({
+        linkedClientId,
+        verifyPublicKey: publicKeys.verifyPublicKey,
+        exchangePublicKey: publicKeys.exchangePublicKey,
+        saltString: publicKeys.saltString,
+        infoString: publicKeys.infoString,
+        bindVerifyKeysIntoDerivation: publicKeys.bindVerifyKeysIntoDerivation
+      });
+    }
+  }
+  async serializeExchangeKeyPair(keyPair) {
+    return {
+      publicKey: (await serializeX25519Key_Raw(keyPair.publicKey)).prefixed,
+      privateKey: (await serializeX25519Key_Jwk(keyPair.privateKey)).prefixed
+    };
+  }
+  async serializeVerifyKeyPair(keyPair) {
+    return {
+      publicKey: (await serializeEd25519Key_Raw(keyPair.publicKey)).prefixed,
+      privateKey: (await serializeEd25519Key_Jwk(keyPair.privateKey)).prefixed
+    };
+  }
+  async getLocalPublicKeys() {
+    return {
+      verifyPublicKey: await this.getLocalVerifyPublicKey(),
+      exchangePublicKey: await this.getLocalExchangePublicKey()
+    };
+  }
+  async getLocalExchangePublicKey() {
+    const exchangeKeyPair = await this.ensureLocalExchangeKeyPair();
+    return (await serializeX25519Key_Raw(exchangeKeyPair.publicKey)).prefixed;
+  }
+  async getLocalVerifyPublicKey() {
+    const verifyKeyPair = await this.ensureLocalVerifyKeyPair();
+    return (await serializeEd25519Key_Raw(verifyKeyPair.publicKey)).prefixed;
+  }
+  async linkClient({
+    linkedClientId,
+    verifyPublicKey,
+    exchangePublicKey,
+    saltString,
+    infoString,
+    bindVerifyKeysIntoDerivation
+  }) {
+    const existing = this.linkedClientKeys.get(linkedClientId);
+    const verify = verifyPublicKey != null ? {
+      publicKey: await importEd25519Key.public.fromFormattedString.extractable(verifyPublicKey),
+      publicKeySerialized: verifyPublicKey
+    } : existing?.verify;
+    const verifyKeyChanged = verifyPublicKey != null && verifyPublicKey !== existing?.verify?.publicKeySerialized;
+    let exchange = existing?.exchange;
+    const exchangeParamsProvided = exchangePublicKey != null || saltString !== undefined || infoString !== undefined || bindVerifyKeysIntoDerivation !== undefined;
+    if (exchangeParamsProvided) {
+      const nextPublicKeySerialized = exchangePublicKey ?? existing?.exchange?.publicKeySerialized;
+      if (nextPublicKeySerialized == null) {
+        throw new Error(`ClientCryptoKeyLink: Cannot set salt/info for ${linkedClientId} without an exchange public key`);
+      }
+      const nextSalt = saltString !== undefined ? saltString : existing?.exchange?.saltString;
+      const nextInfo = infoString !== undefined ? infoString : existing?.exchange?.infoString;
+      const nextBind = bindVerifyKeysIntoDerivation !== undefined ? bindVerifyKeysIntoDerivation : existing?.exchange?.bindVerifyKeysIntoDerivation;
+      const publicKey = exchangePublicKey != null ? await importX25519Key.public.fromFormattedString.extractable(exchangePublicKey) : existing.exchange.publicKey;
+      const unchanged = nextPublicKeySerialized === existing?.exchange?.publicKeySerialized && nextSalt === existing?.exchange?.saltString && nextInfo === existing?.exchange?.infoString && nextBind === existing?.exchange?.bindVerifyKeysIntoDerivation && !(nextBind === true && verifyKeyChanged);
+      exchange = {
+        publicKey,
+        publicKeySerialized: nextPublicKeySerialized,
+        saltString: nextSalt,
+        infoString: nextInfo,
+        bindVerifyKeysIntoDerivation: nextBind,
+        sharedEncryptKey: unchanged ? existing?.exchange?.sharedEncryptKey : undefined
+      };
+    } else if (exchange?.bindVerifyKeysIntoDerivation === true && verifyKeyChanged && exchange.sharedEncryptKey != null) {
+      exchange = { ...exchange, sharedEncryptKey: undefined };
+    }
+    this.linkedClientKeys.set(linkedClientId, { verify, exchange });
+  }
+  async linkClientAndStore(input) {
+    await this.linkClient(input);
+    if (this.storage == null) {
+      return;
+    }
+    const {
+      linkedClientId,
+      verifyPublicKey,
+      exchangePublicKey,
+      saltString,
+      infoString,
+      bindVerifyKeysIntoDerivation
+    } = input;
+    await this.storage.updateJsonWithDef("linkedClientPublicKeys", {}, (current) => ({
+      ...current,
+      [linkedClientId]: {
+        ...current[linkedClientId],
+        ...verifyPublicKey != null ? { verifyPublicKey } : {},
+        ...exchangePublicKey != null ? { exchangePublicKey } : {},
+        ...saltString !== undefined ? { saltString } : {},
+        ...infoString !== undefined ? { infoString } : {},
+        ...bindVerifyKeysIntoDerivation !== undefined ? { bindVerifyKeysIntoDerivation } : {}
+      }
+    }));
+  }
+  hasLinkedClient(linkedClientId) {
+    return this.linkedClientKeys.has(linkedClientId);
+  }
+  getLinkedClientPublicKeys(linkedClientId) {
+    const linkedClient = this.linkedClientKeys.get(linkedClientId);
+    if (linkedClient == null) {
+      return;
+    }
+    return {
+      verifyPublicKey: linkedClient.verify?.publicKeySerialized,
+      exchangePublicKey: linkedClient.exchange?.publicKeySerialized
+    };
+  }
+  async unlinkClient(linkedClientId) {
+    this.linkedClientKeys.delete(linkedClientId);
+    if (this.storage != null) {
+      await this.storage.updateJson("linkedClientPublicKeys", (current) => {
+        if (current == null) {
+          return {};
+        }
+        const { [linkedClientId]: _removed, ...rest } = current;
+        return rest;
+      });
+    }
+  }
+  async unlinkAllClients() {
+    this.linkedClientKeys.clear();
+    if (this.storage != null) {
+      await this.storage.setJson("linkedClientPublicKeys", {});
+    }
+  }
+  async reset() {
+    this.linkedClientKeys.clear();
+    this.localExchangeKeyPair = undefined;
+    this.localVerifyKeyPair = undefined;
+    this.initialized = false;
+    if (this.storage != null) {
+      await this.storage.removeItem("linkedClientPublicKeys");
+      await this.storage.removeItem("localExchangeKeyPair");
+      await this.storage.removeItem("localVerifyKeyPair");
+    }
+  }
+  getLinkedClient(linkedClientId) {
+    const linkedClient = this.linkedClientKeys.get(linkedClientId);
+    if (linkedClient == null) {
+      throw new Error(`ClientCryptoKeyLink: No linked client for ${linkedClientId}`);
+    }
+    return linkedClient;
+  }
+  async getAesGcmKeyForLinkedClient(externalClientSourceId) {
+    const linkedClient = this.getLinkedClient(externalClientSourceId);
+    if (linkedClient.exchange?.sharedEncryptKey != null) {
+      return linkedClient.exchange.sharedEncryptKey;
+    }
+    if (linkedClient.exchange?.publicKey == null) {
+      throw new Error(`ClientCryptoKeyLink: No public exchange key set for ${externalClientSourceId}`);
+    }
+    const localExchangeKeyPair = await this.ensureLocalExchangeKeyPair();
+    let infoString = linkedClient.exchange.infoString;
+    if (linkedClient.exchange.bindVerifyKeysIntoDerivation === true) {
+      const linkedVerifyPublicKey = linkedClient.verify?.publicKeySerialized;
+      if (linkedVerifyPublicKey == null) {
+        throw new Error(`ClientCryptoKeyLink: Link for ${externalClientSourceId} binds verify keys into the derivation, but no verify public key is set`);
+      }
+      infoString = buildVerifyKeyBoundInfoString({
+        infoString: linkedClient.exchange.infoString,
+        verifyPublicKeys: [await this.getLocalVerifyPublicKey(), linkedVerifyPublicKey]
+      });
+    }
+    const sharedEncryptKey = await createAesGcmKeyFromX25519Keys({
+      internalX25519PrivateKey: localExchangeKeyPair.privateKey,
+      externalX25519PublicKey: linkedClient.exchange.publicKey,
+      saltString: linkedClient.exchange.saltString,
+      infoString
+    });
+    this.linkedClientKeys.set(externalClientSourceId, {
+      ...linkedClient,
+      exchange: {
+        ...linkedClient.exchange,
+        sharedEncryptKey
+      }
+    });
+    return sharedEncryptKey;
+  }
+  async encryptDataForLinkedClient({
+    dataToEncrypt,
+    linkedClientId
+  }) {
+    const key = await this.getAesGcmKeyForLinkedClient(linkedClientId);
+    return await encryptTextDataWithAesGcmKey({
+      dataToEncrypt,
+      aesGcmKey: key
+    });
+  }
+  async decryptDataFromLinkedClient({
+    dataToDecrypt,
+    linkedClientId
+  }) {
+    const key = await this.getAesGcmKeyForLinkedClient(linkedClientId);
+    return await decryptTextDataWithAesGcmKey({
+      dataToDecrypt,
+      aesGcmKey: key
+    });
+  }
+  async signAndEncryptDataForLinkedClient({
+    dataToEncrypt,
+    linkedClientId
+  }) {
+    const { signatureBase64 } = await this.signChallenge([dataToEncrypt]);
+    const encryptedData = await this.encryptDataForLinkedClient({
+      dataToEncrypt,
+      linkedClientId
+    });
+    return {
+      encryptedData,
+      signatureBase64
+    };
+  }
+  async decryptAndVerifyDataFromLinkedClient({
+    dataToDecrypt,
+    linkedClientId,
+    signatureBase64
+  }) {
+    const data = await this.decryptDataFromLinkedClient({
+      dataToDecrypt,
+      linkedClientId
+    });
+    const isValid = await this.verifyChallengeFromLinkedClient({
+      linkedClientId,
+      challenge: data,
+      signatureBase64
+    });
+    return { data, isValid };
+  }
+  async signChallenge(challenge) {
+    if (challenge.length === 0) {
+      throw new Error("Challenge must contain at least one string");
+    }
+    const localVerifyKeyPair = await this.ensureLocalVerifyKeyPair();
+    const signature = challenge.length > 1 ? await signCombinedTextDataWithKeyEd25519(challenge, localVerifyKeyPair.privateKey) : await signTextDataWithKeyEd25519(challenge[0], localVerifyKeyPair.privateKey);
+    return {
+      signatureBase64: base649.encode(signature)
+    };
+  }
+  async verifyChallengeFromLinkedClient({
+    linkedClientId,
+    challenge,
+    signatureBase64
+  }) {
+    const linkedClient = this.getLinkedClient(linkedClientId);
+    if (linkedClient.verify?.publicKey == null) {
+      throw new Error(`ClientCryptoKeyLink: No verify public key set for ${linkedClientId}`);
+    }
+    return await verifyWithKeyEd25519({
+      challenge,
+      signatureBase64,
+      publicKey: linkedClient.verify.publicKey
+    });
+  }
+}
+// src/storage_adapter/storage_adapter.types.ts
+var EStorageAdapterType;
+((EStorageAdapterType2) => {
+  EStorageAdapterType2["string"] = "string";
+  EStorageAdapterType2["json"] = "json";
+})(EStorageAdapterType ||= {});
+
 // src/storage_adapter/StorageAdapter.ts
 class StorageAdapter {
   implementation;
@@ -268,6 +1010,19 @@ function createTypedMemoryStorage_json(options) {
   });
 }
 export {
+  verifyWithKeyEd25519,
+  signTextDataWithKeyEd25519,
+  signCombinedTextDataWithKeyEd25519,
+  serializeX25519Key_Raw,
+  serializeX25519Key_Jwk,
+  serializeEd25519Key_Raw,
+  serializeEd25519Key_Jwk,
+  importX25519Key,
+  importEd25519Key,
+  generateX25519KeyPair,
+  generateEd25519KeyPair,
+  encryptTextDataWithAesGcmKey,
+  decryptTextDataWithAesGcmKey,
   createWebSessionStorageMethods,
   createWebSessionStorageAdapter,
   createWebLocalStorageMethods,
@@ -277,6 +1032,7 @@ export {
   createTypedStorage,
   createTypedMemoryStorage_string,
   createTypedMemoryStorage_json,
+  createSharedBitsFromX25519,
   createMemoryStorageMethods_string,
   createMemoryStorageMethods_json,
   createMemoryStorageAdapter_string,
@@ -284,6 +1040,22 @@ export {
   createDurableObjectTypedStorage,
   createDurableObjectStorageMethods,
   createDurableObjectStorageAdapter,
+  createAesGcmKeyFromX25519Keys,
+  convertX25519RawDataStringToSerializedKeyData,
+  convertX25519RawDataStringToObject,
+  convertX25519JwkDataStringToSerializedKeyData,
+  convertX25519JwkDataStringToObject,
+  convertX25519FormattedStringToSerializedKeyData,
+  convertX25519FormattedStringToObject,
+  convertEd25519RawDataStringToSerializedKeyData,
+  convertEd25519RawDataStringToObject,
+  convertEd25519JwkDataStringToSerializedKeyData,
+  convertEd25519JwkDataStringToObject,
+  convertEd25519FormattedStringToSerializedKeyData,
+  convertEd25519FormattedStringToObject,
+  buildVerifyKeyBoundInfoString,
   StorageAdapter,
-  EStorageAdapterType
+  EStorageAdapterType,
+  DEFAULT_COMBINED_TEXT_DATA_SEPARATOR,
+  ClientCryptoKeyLink
 };