@nice-code/util 0.8.0 → 0.9.0

package/build/index.js

@@ -1,1153 +1,1039 @@
-// src/data_type/string/nullEmpty.ts
-var notNullEmpty = (str) => {
-  return str != null && str.length > 0;
+import { base64 } from "@scure/base";
+import * as v from "valibot";
+//#region src/data_type/string/nullEmpty.ts
+const notNullEmpty = (str) => {
+	return str != null && str.length > 0;
 };
-
-// src/crypto/x25519/createSharedBitsFromX25519.ts
-var createSharedBitsFromX25519 = async ({
-  privateKey,
-  publicKey
-}) => {
-  return new Uint8Array(await crypto.subtle.deriveBits({ name: "X25519", public: publicKey }, privateKey, 256));
+//#endregion
+//#region src/crypto/x25519/createSharedBitsFromX25519.ts
+const createSharedBitsFromX25519 = async ({ privateKey, publicKey }) => {
+	return new Uint8Array(await crypto.subtle.deriveBits({
+		name: "X25519",
+		public: publicKey
+	}, privateKey, 256));
 };
-
-// src/crypto/aes_gcm/createAesGcmKeyFromX25519Keys.ts
-var DEFAULT_INFO_STRING = "METEOR_BRIDGE_DEFAULT_INFO_STRING";
-var createAesGcmKeyFromX25519Keys = async ({
-  externalX25519PublicKey,
-  internalX25519PrivateKey,
-  infoString,
-  saltString
-}) => {
-  const sharedBits = await createSharedBitsFromX25519({
-    privateKey: internalX25519PrivateKey,
-    publicKey: externalX25519PublicKey
-  });
-  const ikm = await crypto.subtle.importKey("raw", new Uint8Array(sharedBits), "HKDF", false, [
-    "deriveKey"
-  ]);
-  const salt = notNullEmpty(saltString) ? new TextEncoder().encode(saltString) : new Uint8Array;
-  const info = new TextEncoder().encode(notNullEmpty(infoString) ? infoString : DEFAULT_INFO_STRING);
-  return await crypto.subtle.deriveKey({
-    name: "HKDF",
-    hash: "SHA-256",
-    salt,
-    info
-  }, ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
+//#endregion
+//#region src/crypto/aes_gcm/createAesGcmKeyFromX25519Keys.ts
+const DEFAULT_INFO_STRING = "METEOR_BRIDGE_DEFAULT_INFO_STRING";
+const createAesGcmKeyFromX25519Keys = async ({ externalX25519PublicKey, internalX25519PrivateKey, infoString, saltString }) => {
+	const sharedBits = await createSharedBitsFromX25519({
+		privateKey: internalX25519PrivateKey,
+		publicKey: externalX25519PublicKey
+	});
+	const ikm = await crypto.subtle.importKey("raw", new Uint8Array(sharedBits), "HKDF", false, ["deriveKey"]);
+	const salt = notNullEmpty(saltString) ? new TextEncoder().encode(saltString) : new Uint8Array();
+	const info = new TextEncoder().encode(notNullEmpty(infoString) ? infoString : DEFAULT_INFO_STRING);
+	return await crypto.subtle.deriveKey({
+		name: "HKDF",
+		hash: "SHA-256",
+		salt,
+		info
+	}, ikm, {
+		name: "AES-GCM",
+		length: 256
+	}, false, ["encrypt", "decrypt"]);
 };
-// src/crypto/aes_gcm/decryptBytesWithAesGcmKey.ts
-var decryptBytesWithAesGcmKey = async ({
-  aesGcmKey,
-  dataToDecrypt
-}) => {
-  const decryptedData = await crypto.subtle.decrypt({ name: "AES-GCM", iv: new Uint8Array(dataToDecrypt.nonce) }, aesGcmKey, new Uint8Array(dataToDecrypt.ciphertext));
-  return new Uint8Array(decryptedData);
+//#endregion
+//#region src/crypto/aes_gcm/decryptBytesWithAesGcmKey.ts
+/**
+* Decrypts a raw-bytes AES-GCM payload (binary nonce + ciphertext) back to bytes. The counterpart of
+* {@link decryptTextDataWithAesGcmKey}. AES-GCM verifies integrity, so a tampered ciphertext throws.
+*/
+const decryptBytesWithAesGcmKey = async ({ aesGcmKey, dataToDecrypt }) => {
+	const decryptedData = await crypto.subtle.decrypt({
+		name: "AES-GCM",
+		iv: new Uint8Array(dataToDecrypt.nonce)
+	}, aesGcmKey, new Uint8Array(dataToDecrypt.ciphertext));
+	return new Uint8Array(decryptedData);
 };
-// src/crypto/aes_gcm/decryptTextDataWithAesGcmKey.ts
-import { base64 } from "@scure/base";
-var decryptTextDataWithAesGcmKey = async ({
-  aesGcmKey,
-  dataToDecrypt
-}) => {
-  const decryptedData = await crypto.subtle.decrypt({
-    name: "AES-GCM",
-    iv: new Uint8Array(base64.decode(dataToDecrypt.nonce))
-  }, aesGcmKey, new Uint8Array(base64.decode(dataToDecrypt.ciphertext)));
-  return new TextDecoder().decode(decryptedData);
+//#endregion
+//#region src/crypto/aes_gcm/decryptTextDataWithAesGcmKey.ts
+const decryptTextDataWithAesGcmKey = async ({ aesGcmKey, dataToDecrypt }) => {
+	const decryptedData = await crypto.subtle.decrypt({
+		name: "AES-GCM",
+		iv: new Uint8Array(base64.decode(dataToDecrypt.nonce))
+	}, aesGcmKey, new Uint8Array(base64.decode(dataToDecrypt.ciphertext)));
+	return new TextDecoder().decode(decryptedData);
 };
-// src/crypto/aes_gcm/encryptBytesWithAesGcmKey.ts
-var encryptBytesWithAesGcmKey = async ({
-  aesGcmKey,
-  dataToEncrypt
-}) => {
-  const nonce = crypto.getRandomValues(new Uint8Array(12));
-  const encryptedData = await crypto.subtle.encrypt({ name: "AES-GCM", iv: nonce }, aesGcmKey, new Uint8Array(dataToEncrypt));
-  return { nonce, ciphertext: new Uint8Array(encryptedData) };
+//#endregion
+//#region src/crypto/aes_gcm/encryptBytesWithAesGcmKey.ts
+/**
+* Encrypts raw bytes with an AES-GCM key, returning the binary nonce + ciphertext. The bytes
+* counterpart of {@link encryptTextDataWithAesGcmKey} — use it for binary channels (msgpack frames)
+* to avoid base64 inflation. A fresh 12-byte nonce is generated per call (never reuse a nonce).
+*/
+const encryptBytesWithAesGcmKey = async ({ aesGcmKey, dataToEncrypt }) => {
+	const nonce = crypto.getRandomValues(new Uint8Array(12));
+	const encryptedData = await crypto.subtle.encrypt({
+		name: "AES-GCM",
+		iv: nonce
+	}, aesGcmKey, new Uint8Array(dataToEncrypt));
+	return {
+		nonce,
+		ciphertext: new Uint8Array(encryptedData)
+	};
 };
-// src/crypto/aes_gcm/encryptTextDataWithAesGcmKey.ts
-import { base64 as base642 } from "@scure/base";
-var encryptTextDataWithAesGcmKey = async ({
-  aesGcmKey,
-  dataToEncrypt
-}) => {
-  const nonce = crypto.getRandomValues(new Uint8Array(12));
-  const encryptedData = await crypto.subtle.encrypt({
-    name: "AES-GCM",
-    iv: nonce
-  }, aesGcmKey, new TextEncoder().encode(dataToEncrypt));
-  return {
-    nonce: base642.encode(nonce),
-    ciphertext: base642.encode(new Uint8Array(encryptedData))
-  };
+//#endregion
+//#region src/crypto/aes_gcm/encryptTextDataWithAesGcmKey.ts
+const encryptTextDataWithAesGcmKey = async ({ aesGcmKey, dataToEncrypt }) => {
+	const nonce = crypto.getRandomValues(new Uint8Array(12));
+	const encryptedData = await crypto.subtle.encrypt({
+		name: "AES-GCM",
+		iv: nonce
+	}, aesGcmKey, new TextEncoder().encode(dataToEncrypt));
+	return {
+		nonce: base64.encode(nonce),
+		ciphertext: base64.encode(new Uint8Array(encryptedData))
+	};
 };
-// src/crypto/ed25519/signTextDataWithKeyEd25519.ts
-var signTextDataWithKeyEd25519 = async (data, cryptoKey) => {
-  const dataBuffer = new TextEncoder().encode(data);
-  const signature = await crypto.subtle.sign({
-    name: "ED25519"
-  }, cryptoKey, dataBuffer);
-  return new Uint8Array(signature);
+//#endregion
+//#region src/crypto/ed25519/signTextDataWithKeyEd25519.ts
+const signTextDataWithKeyEd25519 = async (data, cryptoKey) => {
+	const dataBuffer = new TextEncoder().encode(data);
+	const signature = await crypto.subtle.sign({ name: "ED25519" }, cryptoKey, dataBuffer);
+	return new Uint8Array(signature);
 };
-
-// src/crypto/ed25519/signCombinedTextDataWithKeyEd25519.ts
-var DEFAULT_COMBINED_TEXT_DATA_SEPARATOR = "::";
-var signCombinedTextDataWithKeyEd25519 = async (data, cryptoKey, separator = DEFAULT_COMBINED_TEXT_DATA_SEPARATOR) => {
-  return await signTextDataWithKeyEd25519(data.join(separator), cryptoKey);
+//#endregion
+//#region src/crypto/ed25519/signCombinedTextDataWithKeyEd25519.ts
+const DEFAULT_COMBINED_TEXT_DATA_SEPARATOR = "::";
+const signCombinedTextDataWithKeyEd25519 = async (data, cryptoKey, separator = "::") => {
+	return await signTextDataWithKeyEd25519(data.join(separator), cryptoKey);
 };
-
-// src/crypto/client_key_link/buildVerifyKeyBoundInfoString.ts
-var buildVerifyKeyBoundInfoString = ({
-  infoString,
-  verifyPublicKeys
-}) => {
-  const sortedKeys = [...verifyPublicKeys].sort();
-  return [...infoString != null ? [infoString] : [], ...sortedKeys].join(DEFAULT_COMBINED_TEXT_DATA_SEPARATOR);
+//#endregion
+//#region src/crypto/client_key_link/buildVerifyKeyBoundInfoString.ts
+/**
+* The canonical HKDF `info` for a client-to-client shared key that binds both sides' verify
+* public keys into the derivation.
+*
+* When the two keys are relayed through an intermediary, a tampered key produces mismatched AES
+* keys on the two sides — the very first decryption fails, so key substitution is detected without
+* any extra signature ceremony.
+*
+* The keys are sorted lexicographically so the result is independent of which side is "local" —
+* both ends of a link compute the identical string without coordinating an order. Used internally
+* by ClientCryptoKeyLink (`bindVerifyKeysIntoDerivation`); exported for code that derives the same
+* key outside the link.
+*/
+const buildVerifyKeyBoundInfoString = ({ infoString, verifyPublicKeys }) => {
+	const sortedKeys = [...verifyPublicKeys].sort();
+	return [...infoString != null ? [infoString] : [], ...sortedKeys].join("::");
 };
-// src/crypto/client_key_link/ClientCryptoKeyLink.ts
-import { base64 as base649 } from "@scure/base";
-
-// src/storage_adapter/typed_storage/createTypedStorage.ts
-function createTypedStorage({
-  storageAdapter
-}) {
-  const getJson = async (key) => {
-    return storageAdapter.getJson(key);
-  };
-  const getJsonOrDef = async (key, defVal) => {
-    return await storageAdapter.getJson(key) ?? defVal;
-  };
-  const setJson = async (key, val) => {
-    return storageAdapter.setJson(key, val);
-  };
-  const removeItem = async (key) => {
-    await storageAdapter.removeItem(key);
-  };
-  const updateJson = async (key, updater) => {
-    await storageAdapter.updateJson(key, updater);
-  };
-  const updateJsonWithDef = async (key, defaultVal, updater) => {
-    await storageAdapter.updateJsonOrDef(key, defaultVal, updater);
-  };
-  return {
-    getJson,
-    getJsonOrDef,
-    setJson,
-    removeItem,
-    updateJson,
-    updateJsonWithDef,
-    clearAll: async () => {
-      await storageAdapter.clearAll();
-    }
-  };
+//#endregion
+//#region src/storage_adapter/typed_storage/createTypedStorage.ts
+function createTypedStorage({ storageAdapter }) {
+	const getJson = async (key) => {
+		return storageAdapter.getJson(key);
+	};
+	const getJsonOrDef = async (key, defVal) => {
+		return await storageAdapter.getJson(key) ?? defVal;
+	};
+	const setJson = async (key, val) => {
+		return storageAdapter.setJson(key, val);
+	};
+	const removeItem = async (key) => {
+		await storageAdapter.removeItem(key);
+	};
+	const updateJson = async (key, updater) => {
+		await storageAdapter.updateJson(key, updater);
+	};
+	const updateJsonWithDef = async (key, defaultVal, updater) => {
+		await storageAdapter.updateJsonOrDef(key, defaultVal, updater);
+	};
+	return {
+		getJson,
+		getJsonOrDef,
+		setJson,
+		removeItem,
+		updateJson,
+		updateJsonWithDef,
+		clearAll: async () => {
+			await storageAdapter.clearAll();
+		}
+	};
 }
-
-// src/crypto/ed25519/generateEd25519KeyPair.ts
-var generateEd25519KeyPair = async () => {
-  const keyPair = await crypto.subtle.generateKey({ name: "Ed25519" }, true, [
-    "sign",
-    "verify"
-  ]);
-  return keyPair;
+//#endregion
+//#region src/crypto/ed25519/generateEd25519KeyPair.ts
+const generateEd25519KeyPair = async () => {
+	return await crypto.subtle.generateKey({ name: "Ed25519" }, true, ["sign", "verify"]);
 };
-
-// src/crypto/ed25519/importEd25519Key.ts
-import { base64 as base644 } from "@scure/base";
-
-// src/core/createDataStringConverter_stringToObject.ts
-var createDataStringConverter_stringToObject = ({
-  transformJsonForFormats = [],
-  transformJson = false
-} = {}) => (inputDataString) => {
-  const [type, format, dataString] = inputDataString.split("::");
-  let parsedData = dataString;
-  if (transformJson || transformJsonForFormats.includes(format)) {
-    try {
-      parsedData = JSON.parse(dataString);
-    } catch (error) {
-      const err = new Error(`Failed to parse type and format data string. Given input: "${inputDataString}", expected JSON parsable "data" value in the format "${type}::${format}::data" ${error instanceof Error ? error.message : String(error)}`);
-      err.cause = error;
-      throw err;
-    }
-  }
-  return {
-    formattedString: inputDataString,
-    type,
-    format,
-    data: parsedData
-  };
+//#endregion
+//#region src/core/createDataStringConverter_stringToObject.ts
+const createDataStringConverter_stringToObject = ({ transformJsonForFormats = [], transformJson = false } = {}) => (inputDataString) => {
+	const [type, format, dataString] = inputDataString.split("::");
+	let parsedData = dataString;
+	if (transformJson || transformJsonForFormats.includes(format)) try {
+		parsedData = JSON.parse(dataString);
+	} catch (error) {
+		const err = /* @__PURE__ */ new Error(`Failed to parse type and format data string. Given input: "${inputDataString}", expected JSON parsable "data" value in the format "${type}::${format}::data" ${error instanceof Error ? error.message : String(error)}`);
+		err.cause = error;
+		throw err;
+	}
+	return {
+		formattedString: inputDataString,
+		type,
+		format,
+		data: parsedData
+	};
 };
-
-// src/crypto/crypto.schema.ts
-import * as v2 from "valibot";
-
-// src/core/core_valibot_schemas.ts
-import * as v from "valibot";
-var vBase64 = v.pipe(v.string(), v.base64());
-var vCreateSchema_TypeAndFormatPrefixedDataString = ({
-  type,
-  format,
-  typeKind,
-  formatKind
-}) => {
-  const _typeKind = typeKind ?? "data_type";
-  const _formatKind = formatKind ?? "data_format";
-  return v.pipe(v.custom((input) => {
-    if (typeof input !== "string")
-      return false;
-    const [typePart, formatPart, dataPart] = input.split("::");
-    return typePart === type && formatPart === format && typeof dataPart === "string";
-  }, `Invalid format, expected '<${_typeKind}>::<${_formatKind}>::<value>' where "${_typeKind}" is "${type}", "${_formatKind}" is "${format}", and "value" is a string in the specified format`));
+//#endregion
+//#region src/core/core_valibot_schemas.ts
+const vBase64 = v.pipe(v.string(), v.base64());
+const vCreateSchema_TypeAndFormatPrefixedDataString = ({ type, format, typeKind, formatKind }) => {
+	const _typeKind = typeKind ?? "data_type";
+	const _formatKind = formatKind ?? "data_format";
+	return v.pipe(v.custom((input) => {
+		if (typeof input !== "string") return false;
+		const [typePart, formatPart, dataPart] = input.split("::");
+		return typePart === type && formatPart === format && typeof dataPart === "string";
+	}, `Invalid format, expected '<${_typeKind}>::<${_formatKind}>::<value>' where "${_typeKind}" is "${type}", "${_formatKind}" is "${format}", and "value" is a string in the specified format`));
 };
-
-// src/crypto/crypto.schema.ts
-var ECryptoKeyAlgo;
-((ECryptoKeyAlgo2) => {
-  ECryptoKeyAlgo2["ed25519"] = "ed25519";
-  ECryptoKeyAlgo2["x25519"] = "x25519";
-})(ECryptoKeyAlgo ||= {});
-var ECryptoKeyFormat;
-((ECryptoKeyFormat2) => {
-  ECryptoKeyFormat2["raw_base64"] = "raw_base64";
-  ECryptoKeyFormat2["jwk"] = "jwk";
-})(ECryptoKeyFormat ||= {});
-var vSerializedCryptoKeyDataEd25519_Raw = vCreateSchema_TypeAndFormatPrefixedDataString({
-  format: "raw_base64" /* raw_base64 */,
-  type: "ed25519" /* ed25519 */,
-  typeKind: "algo"
+//#endregion
+//#region src/crypto/crypto.schema.ts
+let ECryptoKeyAlgo = /* @__PURE__ */ function(ECryptoKeyAlgo) {
+	ECryptoKeyAlgo["ed25519"] = "ed25519";
+	ECryptoKeyAlgo["x25519"] = "x25519";
+	return ECryptoKeyAlgo;
+}({});
+let ECryptoKeyFormat = /* @__PURE__ */ function(ECryptoKeyFormat) {
+	ECryptoKeyFormat["raw_base64"] = "raw_base64";
+	ECryptoKeyFormat["jwk"] = "jwk";
+	return ECryptoKeyFormat;
+}({});
+const vSerializedCryptoKeyDataEd25519_Raw = vCreateSchema_TypeAndFormatPrefixedDataString({
+	format: "raw_base64",
+	type: "ed25519",
+	typeKind: "algo"
 });
-var vSerializedCryptoKeyDataEd25519_Jwk = vCreateSchema_TypeAndFormatPrefixedDataString({
-  format: "jwk" /* jwk */,
-  type: "ed25519" /* ed25519 */,
-  typeKind: "algo",
-  transformJson: true
+const vSerializedCryptoKeyDataEd25519_Jwk = vCreateSchema_TypeAndFormatPrefixedDataString({
+	format: "jwk",
+	type: "ed25519",
+	typeKind: "algo",
+	transformJson: true
 });
-var vSerializedCryptoKeyDataX25519_Raw = vCreateSchema_TypeAndFormatPrefixedDataString({
-  format: "raw_base64" /* raw_base64 */,
-  type: "x25519" /* x25519 */,
-  typeKind: "algo"
+const vSerializedCryptoKeyDataX25519_Raw = vCreateSchema_TypeAndFormatPrefixedDataString({
+	format: "raw_base64",
+	type: "x25519",
+	typeKind: "algo"
 });
-var vSerializedCryptoKeyDataX25519_Jwk = vCreateSchema_TypeAndFormatPrefixedDataString({
-  format: "jwk" /* jwk */,
-  type: "x25519" /* x25519 */,
-  typeKind: "algo",
-  transformJson: true
+const vSerializedCryptoKeyDataX25519_Jwk = vCreateSchema_TypeAndFormatPrefixedDataString({
+	format: "jwk",
+	type: "x25519",
+	typeKind: "algo",
+	transformJson: true
 });
-var vCryptoKeyPairDataX25519 = v2.object({
-  publicKey: vSerializedCryptoKeyDataX25519_Raw,
-  privateKey: vSerializedCryptoKeyDataX25519_Jwk
+const vCryptoKeyPairDataX25519 = v.object({
+	publicKey: vSerializedCryptoKeyDataX25519_Raw,
+	privateKey: vSerializedCryptoKeyDataX25519_Jwk
 });
-var vCryptoKeyPairDataEd25519 = v2.object({
-  publicKey: vSerializedCryptoKeyDataEd25519_Raw,
-  privateKey: vSerializedCryptoKeyDataEd25519_Jwk
+const vCryptoKeyPairDataEd25519 = v.object({
+	publicKey: vSerializedCryptoKeyDataEd25519_Raw,
+	privateKey: vSerializedCryptoKeyDataEd25519_Jwk
 });
-var vVerifyChallengeWithSignature_Input = v2.object({
-  challenge: v2.string(),
-  signatureBase64: vBase64
+const vVerifyChallengeWithSignature_Input = v.object({
+	challenge: v.string(),
+	signatureBase64: vBase64
 });
-var vVerifyChallengeWithSignature_WithThrow_Input = v2.intersect([
-  vVerifyChallengeWithSignature_Input,
-  v2.object({
-    throwOnInvalid: v2.optional(v2.boolean())
-  })
-]);
-var vEncryptedAesGcmPayload = v2.object({
-  nonce: vBase64,
-  ciphertext: vBase64
-});
-
-// src/crypto/crypto.converters.ts
-var convertEd25519RawDataStringToObject = createDataStringConverter_stringToObject();
-var convertEd25519JwkDataStringToObject = createDataStringConverter_stringToObject({ transformJson: true });
-var convertEd25519FormattedStringToObject = createDataStringConverter_stringToObject({
-  transformJsonForFormats: ["jwk" /* jwk */]
+const vVerifyChallengeWithSignature_WithThrow_Input = v.intersect([vVerifyChallengeWithSignature_Input, v.object({ throwOnInvalid: v.optional(v.boolean()) })]);
+const vEncryptedAesGcmPayload = v.object({
+	nonce: vBase64,
+	ciphertext: vBase64
 });
-var convertEd25519RawDataStringToSerializedKeyData = (input) => {
-  const transformed = convertEd25519RawDataStringToObject(input);
-  return {
-    prefixed: input,
-    transformed
-  };
+//#endregion
+//#region src/crypto/crypto.converters.ts
+/**
+*
+* [CRYPTO ALGO] ED25519
+*
+*/
+const convertEd25519RawDataStringToObject = createDataStringConverter_stringToObject();
+const convertEd25519JwkDataStringToObject = createDataStringConverter_stringToObject({ transformJson: true });
+const convertEd25519FormattedStringToObject = createDataStringConverter_stringToObject({ transformJsonForFormats: ["jwk"] });
+const convertEd25519RawDataStringToSerializedKeyData = (input) => {
+	return {
+		prefixed: input,
+		transformed: convertEd25519RawDataStringToObject(input)
+	};
 };
-var convertEd25519JwkDataStringToSerializedKeyData = (input) => {
-  const transformed = convertEd25519JwkDataStringToObject(input);
-  return {
-    prefixed: input,
-    transformed
-  };
+const convertEd25519JwkDataStringToSerializedKeyData = (input) => {
+	return {
+		prefixed: input,
+		transformed: convertEd25519JwkDataStringToObject(input)
+	};
 };
-var convertEd25519FormattedStringToSerializedKeyData = (input) => {
-  return convertEd25519FormattedStringToObject(input);
+const convertEd25519FormattedStringToSerializedKeyData = (input) => {
+	return convertEd25519FormattedStringToObject(input);
 };
-var convertX25519RawDataStringToObject = createDataStringConverter_stringToObject();
-var convertX25519JwkDataStringToObject = createDataStringConverter_stringToObject({ transformJson: true });
-var convertX25519FormattedStringToObject = createDataStringConverter_stringToObject({
-  transformJsonForFormats: ["jwk" /* jwk */]
-});
-var convertX25519RawDataStringToSerializedKeyData = (input) => {
-  const transformed = convertX25519RawDataStringToObject(input);
-  return {
-    prefixed: input,
-    transformed
-  };
+/**
+*
+* [CRYPTO ALGO] X25519
+*
+*/
+const convertX25519RawDataStringToObject = createDataStringConverter_stringToObject();
+const convertX25519JwkDataStringToObject = createDataStringConverter_stringToObject({ transformJson: true });
+const convertX25519FormattedStringToObject = createDataStringConverter_stringToObject({ transformJsonForFormats: ["jwk"] });
+const convertX25519RawDataStringToSerializedKeyData = (input) => {
+	return {
+		prefixed: input,
+		transformed: convertX25519RawDataStringToObject(input)
+	};
 };
-var convertX25519JwkDataStringToSerializedKeyData = (input) => {
-  const transformed = convertX25519JwkDataStringToObject(input);
-  return {
-    prefixed: input,
-    transformed
-  };
+const convertX25519JwkDataStringToSerializedKeyData = (input) => {
+	return {
+		prefixed: input,
+		transformed: convertX25519JwkDataStringToObject(input)
+	};
 };
-var convertX25519FormattedStringToSerializedKeyData = (input) => {
-  return convertX25519FormattedStringToObject(input);
+const convertX25519FormattedStringToSerializedKeyData = (input) => {
+	return convertX25519FormattedStringToObject(input);
 };
-
-// src/crypto/ed25519/importEd25519Key.ts
-var fromBase64 = async (dataBase64, keyUsage, extractable) => {
-  const keyBuffer = Uint8Array.from(base644.decode(dataBase64));
-  return await crypto.subtle.importKey("raw", keyBuffer, { name: "Ed25519" }, extractable, keyUsage);
+//#endregion
+//#region src/crypto/ed25519/importEd25519Key.ts
+const fromBase64$1 = async (dataBase64, keyUsage, extractable) => {
+	const keyBuffer = Uint8Array.from(base64.decode(dataBase64));
+	return await crypto.subtle.importKey("raw", keyBuffer, { name: "Ed25519" }, extractable, keyUsage);
 };
-var fromJwk = async (jwk, keyUsage, extractable = true) => {
-  return await crypto.subtle.importKey("jwk", jwk, { name: "Ed25519" }, extractable, keyUsage);
+const fromJwk$1 = async (jwk, keyUsage, extractable = true) => {
+	return await crypto.subtle.importKey("jwk", jwk, { name: "Ed25519" }, extractable, keyUsage);
 };
-var fromSerializedObject = async (serialized, keyUsage, extractable = true) => {
-  if (serialized.format === "jwk" /* jwk */) {
-    return await fromJwk(serialized.data, keyUsage, extractable);
-  }
-  return await fromBase64(serialized.data, keyUsage, extractable);
+const fromSerializedObject$1 = async (serialized, keyUsage, extractable = true) => {
+	if (serialized.format === "jwk") return await fromJwk$1(serialized.data, keyUsage, extractable);
+	return await fromBase64$1(serialized.data, keyUsage, extractable);
 };
-var fromFormattedString = async (dataString, keyUsage, extractable = true) => {
-  const transformed = convertEd25519FormattedStringToSerializedKeyData(dataString);
-  return await fromSerializedObject(transformed, keyUsage, extractable);
+const fromFormattedString$1 = async (dataString, keyUsage, extractable = true) => {
+	return await fromSerializedObject$1(convertEd25519FormattedStringToSerializedKeyData(dataString), keyUsage, extractable);
 };
-var extractableOrNonExtractable = (keyUsage, func) => ({
-  extractable: (input) => func(input, keyUsage, true),
-  nonExtractable: (input) => func(input, keyUsage, false)
+const extractableOrNonExtractable$1 = (keyUsage, func) => ({
+	extractable: (input) => func(input, keyUsage, true),
+	nonExtractable: (input) => func(input, keyUsage, false)
 });
-var importEd25519Key = {
-  private: {
-    fromFormattedString: extractableOrNonExtractable(["sign"], fromFormattedString),
-    fromSerializedObject: extractableOrNonExtractable(["sign"], fromSerializedObject),
-    fromJwk: extractableOrNonExtractable(["sign"], fromJwk)
-  },
-  public: {
-    fromBase64: extractableOrNonExtractable(["verify"], fromBase64),
-    fromFormattedString: extractableOrNonExtractable(["verify"], fromFormattedString),
-    fromSerializedObject: extractableOrNonExtractable(["verify"], fromSerializedObject),
-    fromJwk: extractableOrNonExtractable(["verify"], fromJwk)
-  }
+const importEd25519Key = {
+	private: {
+		fromFormattedString: extractableOrNonExtractable$1(["sign"], fromFormattedString$1),
+		fromSerializedObject: extractableOrNonExtractable$1(["sign"], fromSerializedObject$1),
+		fromJwk: extractableOrNonExtractable$1(["sign"], fromJwk$1)
+	},
+	public: {
+		fromBase64: extractableOrNonExtractable$1(["verify"], fromBase64$1),
+		fromFormattedString: extractableOrNonExtractable$1(["verify"], fromFormattedString$1),
+		fromSerializedObject: extractableOrNonExtractable$1(["verify"], fromSerializedObject$1),
+		fromJwk: extractableOrNonExtractable$1(["verify"], fromJwk$1)
+	}
 };
-
-// src/crypto/ed25519/serializeEd25519Key_Jwk.ts
-var serializeEd25519Key_Jwk = async (key) => {
-  const keyJwk = await crypto.subtle.exportKey("jwk", key);
-  const prefixed = `${"ed25519" /* ed25519 */}::${"jwk" /* jwk */}::${JSON.stringify(keyJwk)}`;
-  const transformed = {
-    formattedString: prefixed,
-    type: "ed25519" /* ed25519 */,
-    data: keyJwk,
-    format: "jwk" /* jwk */
-  };
-  return { transformed, prefixed };
+//#endregion
+//#region src/crypto/ed25519/serializeEd25519Key_Jwk.ts
+const serializeEd25519Key_Jwk = async (key) => {
+	const keyJwk = await crypto.subtle.exportKey("jwk", key);
+	const prefixed = `ed25519::jwk::${JSON.stringify(keyJwk)}`;
+	return {
+		transformed: {
+			formattedString: prefixed,
+			type: "ed25519",
+			data: keyJwk,
+			format: "jwk"
+		},
+		prefixed
+	};
 };
-
-// src/crypto/ed25519/serializeEd25519Key_Raw.ts
-import { base64 as base645 } from "@scure/base";
-var serializeEd25519Key_Raw = async (publicKey) => {
-  const publicKeyBuffer = await crypto.subtle.exportKey("raw", publicKey);
-  const publicKeyBase64 = base645.encode(new Uint8Array(publicKeyBuffer));
-  const prefixed = `${"ed25519" /* ed25519 */}::${"raw_base64" /* raw_base64 */}::${publicKeyBase64}`;
-  const transformed = {
-    formattedString: prefixed,
-    type: "ed25519" /* ed25519 */,
-    data: publicKeyBase64,
-    format: "raw_base64" /* raw_base64 */
-  };
-  return { transformed, prefixed };
+//#endregion
+//#region src/crypto/ed25519/serializeEd25519Key_Raw.ts
+const serializeEd25519Key_Raw = async (publicKey) => {
+	const publicKeyBuffer = await crypto.subtle.exportKey("raw", publicKey);
+	const publicKeyBase64 = base64.encode(new Uint8Array(publicKeyBuffer));
+	const prefixed = `ed25519::raw_base64::${publicKeyBase64}`;
+	return {
+		transformed: {
+			formattedString: prefixed,
+			type: "ed25519",
+			data: publicKeyBase64,
+			format: "raw_base64"
+		},
+		prefixed
+	};
 };
-
-// src/crypto/ed25519/verifyWithKeyEd25519.ts
-import { base64 as base646 } from "@scure/base";
-var verifyWithKeyEd25519 = async ({
-  challenge,
-  signatureBase64,
-  publicKey
-}) => {
-  const signatureBuffer = Uint8Array.from(base646.decode(signatureBase64));
-  const challengeBuffer = new TextEncoder().encode(challenge);
-  return await crypto.subtle.verify({
-    name: "ED25519"
-  }, publicKey, signatureBuffer, challengeBuffer);
+//#endregion
+//#region src/crypto/ed25519/verifyWithKeyEd25519.ts
+const verifyWithKeyEd25519 = async ({ challenge, signatureBase64, publicKey }) => {
+	const signatureBuffer = Uint8Array.from(base64.decode(signatureBase64));
+	const challengeBuffer = new TextEncoder().encode(challenge);
+	return await crypto.subtle.verify({ name: "ED25519" }, publicKey, signatureBuffer, challengeBuffer);
 };
-
-// src/crypto/x25519/generateX25519KeyPair.ts
-var generateX25519KeyPair = async () => {
-  const keyPair = await crypto.subtle.generateKey({ name: "X25519" }, true, [
-    "deriveKey",
-    "deriveBits"
-  ]);
-  return keyPair;
+//#endregion
+//#region src/crypto/x25519/generateX25519KeyPair.ts
+const generateX25519KeyPair = async () => {
+	return await crypto.subtle.generateKey({ name: "X25519" }, true, ["deriveKey", "deriveBits"]);
 };
-
-// src/crypto/x25519/importX25519Key.ts
-import { base64 as base647 } from "@scure/base";
-var fromBase642 = async (dataBase64, keyUsage, extractable) => {
-  const keyBuffer = Uint8Array.from(base647.decode(dataBase64));
-  return await crypto.subtle.importKey("raw", keyBuffer, { name: "X25519" }, extractable, keyUsage);
+//#endregion
+//#region src/crypto/x25519/importX25519Key.ts
+const fromBase64 = async (dataBase64, keyUsage, extractable) => {
+	const keyBuffer = Uint8Array.from(base64.decode(dataBase64));
+	return await crypto.subtle.importKey("raw", keyBuffer, { name: "X25519" }, extractable, keyUsage);
 };
-var fromJwk2 = async (jwk, keyUsage, extractable = true) => {
-  return await crypto.subtle.importKey("jwk", jwk, { name: "X25519" }, extractable, keyUsage);
+const fromJwk = async (jwk, keyUsage, extractable = true) => {
+	return await crypto.subtle.importKey("jwk", jwk, { name: "X25519" }, extractable, keyUsage);
 };
-var fromSerializedObject2 = async (serialized, keyUsage, extractable = true) => {
-  if (serialized.format === "jwk" /* jwk */) {
-    return await fromJwk2(serialized.data, keyUsage, extractable);
-  }
-  return await fromBase642(serialized.data, keyUsage, extractable);
+const fromSerializedObject = async (serialized, keyUsage, extractable = true) => {
+	if (serialized.format === "jwk") return await fromJwk(serialized.data, keyUsage, extractable);
+	return await fromBase64(serialized.data, keyUsage, extractable);
 };
-var fromFormattedString2 = async (dataString, keyUsage, extractable = true) => {
-  const transformed = convertX25519FormattedStringToSerializedKeyData(dataString);
-  return await fromSerializedObject2(transformed, keyUsage, extractable);
+const fromFormattedString = async (dataString, keyUsage, extractable = true) => {
+	return await fromSerializedObject(convertX25519FormattedStringToSerializedKeyData(dataString), keyUsage, extractable);
 };
-var extractableOrNonExtractable2 = (keyUsage, func) => ({
-  extractable: (input) => func(input, keyUsage, true),
-  nonExtractable: (input) => func(input, keyUsage, false)
+const extractableOrNonExtractable = (keyUsage, func) => ({
+	extractable: (input) => func(input, keyUsage, true),
+	nonExtractable: (input) => func(input, keyUsage, false)
 });
-var importX25519Key = {
-  private: {
-    fromFormattedString: extractableOrNonExtractable2(["deriveKey", "deriveBits"], fromFormattedString2),
-    fromSerializedObject: extractableOrNonExtractable2(["deriveKey", "deriveBits"], fromSerializedObject2),
-    fromJwk: extractableOrNonExtractable2(["deriveKey", "deriveBits"], fromJwk2)
-  },
-  public: {
-    fromBase64: extractableOrNonExtractable2([], fromBase642),
-    fromFormattedString: extractableOrNonExtractable2([], fromFormattedString2),
-    fromSerializedObject: extractableOrNonExtractable2([], fromSerializedObject2),
-    fromJwk: extractableOrNonExtractable2([], fromJwk2)
-  }
+const importX25519Key = {
+	private: {
+		fromFormattedString: extractableOrNonExtractable(["deriveKey", "deriveBits"], fromFormattedString),
+		fromSerializedObject: extractableOrNonExtractable(["deriveKey", "deriveBits"], fromSerializedObject),
+		fromJwk: extractableOrNonExtractable(["deriveKey", "deriveBits"], fromJwk)
+	},
+	public: {
+		fromBase64: extractableOrNonExtractable([], fromBase64),
+		fromFormattedString: extractableOrNonExtractable([], fromFormattedString),
+		fromSerializedObject: extractableOrNonExtractable([], fromSerializedObject),
+		fromJwk: extractableOrNonExtractable([], fromJwk)
+	}
 };
-
-// src/crypto/x25519/serializeX25519Key_Jwk.ts
-var serializeX25519Key_Jwk = async (key) => {
-  const publicKeyJwk = await crypto.subtle.exportKey("jwk", key);
-  const prefixed = `${"x25519" /* x25519 */}::${"jwk" /* jwk */}::${JSON.stringify(publicKeyJwk)}`;
-  const transformed = {
-    formattedString: prefixed,
-    type: "x25519" /* x25519 */,
-    data: publicKeyJwk,
-    format: "jwk" /* jwk */
-  };
-  return { transformed, prefixed };
+//#endregion
+//#region src/crypto/x25519/serializeX25519Key_Jwk.ts
+const serializeX25519Key_Jwk = async (key) => {
+	const publicKeyJwk = await crypto.subtle.exportKey("jwk", key);
+	const prefixed = `x25519::jwk::${JSON.stringify(publicKeyJwk)}`;
+	return {
+		transformed: {
+			formattedString: prefixed,
+			type: "x25519",
+			data: publicKeyJwk,
+			format: "jwk"
+		},
+		prefixed
+	};
 };
-
-// src/crypto/x25519/serializeX25519Key_Raw.ts
-import { base64 as base648 } from "@scure/base";
-var serializeX25519Key_Raw = async (key) => {
-  const publicKeyBuffer = await crypto.subtle.exportKey("raw", key);
-  const publicKeyBase64 = base648.encode(new Uint8Array(publicKeyBuffer));
-  const prefixed = `${"x25519" /* x25519 */}::${"raw_base64" /* raw_base64 */}::${publicKeyBase64}`;
-  const transformed = {
-    formattedString: prefixed,
-    type: "x25519" /* x25519 */,
-    data: publicKeyBase64,
-    format: "raw_base64" /* raw_base64 */
-  };
-  return { transformed, prefixed };
+//#endregion
+//#region src/crypto/x25519/serializeX25519Key_Raw.ts
+const serializeX25519Key_Raw = async (key) => {
+	const publicKeyBuffer = await crypto.subtle.exportKey("raw", key);
+	const publicKeyBase64 = base64.encode(new Uint8Array(publicKeyBuffer));
+	const prefixed = `x25519::raw_base64::${publicKeyBase64}`;
+	return {
+		transformed: {
+			formattedString: prefixed,
+			type: "x25519",
+			data: publicKeyBase64,
+			format: "raw_base64"
+		},
+		prefixed
+	};
 };
-
-// src/crypto/client_key_link/ClientCryptoKeyLink.ts
-class ClientCryptoKeyLink {
-  localExchangeKeyPair;
-  localVerifyKeyPair;
-  linkedClientKeys = new Map;
-  storage;
-  initialized = false;
-  initializePromise;
-  localExchangeKeyPairPromise;
-  localVerifyKeyPairPromise;
-  constructor({ storageAdapter } = {}) {
-    if (storageAdapter != null) {
-      this.storage = createTypedStorage({ storageAdapter });
-    }
-  }
-  async initialize() {
-    if (this.initialized) {
-      return;
-    }
-    this.initializePromise ??= this.runInitialize();
-    try {
-      await this.initializePromise;
-    } finally {
-      this.initializePromise = undefined;
-    }
-  }
-  async runInitialize() {
-    await this.loadStoredLocalKeys();
-    await this.loadLinkedClients();
-    this.initialized = true;
-  }
-  async loadStoredLocalKeys() {
-    const storedExchange = await this.storage?.getJson("localExchangeKeyPair");
-    if (storedExchange != null) {
-      this.localExchangeKeyPair = {
-        privateKey: await importX25519Key.private.fromFormattedString.extractable(storedExchange.privateKey),
-        publicKey: await importX25519Key.public.fromFormattedString.extractable(storedExchange.publicKey)
-      };
-    }
-    const storedVerify = await this.storage?.getJson("localVerifyKeyPair");
-    if (storedVerify != null) {
-      this.localVerifyKeyPair = {
-        privateKey: await importEd25519Key.private.fromFormattedString.extractable(storedVerify.privateKey),
-        publicKey: await importEd25519Key.public.fromFormattedString.extractable(storedVerify.publicKey)
-      };
-    }
-  }
-  async ensureLocalExchangeKeyPair() {
-    if (this.localExchangeKeyPair != null) {
-      return this.localExchangeKeyPair;
-    }
-    this.localExchangeKeyPairPromise ??= (async () => {
-      const keyPair = await generateX25519KeyPair();
-      this.localExchangeKeyPair = keyPair;
-      if (this.storage != null) {
-        await this.storage.setJson("localExchangeKeyPair", await this.serializeExchangeKeyPair(keyPair));
-      }
-      return keyPair;
-    })();
-    try {
-      return await this.localExchangeKeyPairPromise;
-    } finally {
-      this.localExchangeKeyPairPromise = undefined;
-    }
-  }
-  async ensureLocalVerifyKeyPair() {
-    if (this.localVerifyKeyPair != null) {
-      return this.localVerifyKeyPair;
-    }
-    this.localVerifyKeyPairPromise ??= (async () => {
-      const keyPair = await generateEd25519KeyPair();
-      this.localVerifyKeyPair = keyPair;
-      if (this.storage != null) {
-        await this.storage.setJson("localVerifyKeyPair", await this.serializeVerifyKeyPair(keyPair));
-      }
-      return keyPair;
-    })();
-    try {
-      return await this.localVerifyKeyPairPromise;
-    } finally {
-      this.localVerifyKeyPairPromise = undefined;
-    }
-  }
-  async loadLinkedClients() {
-    const storedLinkedClients = await this.storage?.getJson("linkedClientPublicKeys");
-    if (storedLinkedClients == null) {
-      return;
-    }
-    for (const [linkedClientId, publicKeys] of Object.entries(storedLinkedClients)) {
-      await this.linkClient({
-        linkedClientId,
-        verifyPublicKey: publicKeys.verifyPublicKey,
-        exchangePublicKey: publicKeys.exchangePublicKey,
-        saltString: publicKeys.saltString,
-        infoString: publicKeys.infoString,
-        bindVerifyKeysIntoDerivation: publicKeys.bindVerifyKeysIntoDerivation
-      });
-    }
-  }
-  async serializeExchangeKeyPair(keyPair) {
-    return {
-      publicKey: (await serializeX25519Key_Raw(keyPair.publicKey)).prefixed,
-      privateKey: (await serializeX25519Key_Jwk(keyPair.privateKey)).prefixed
-    };
-  }
-  async serializeVerifyKeyPair(keyPair) {
-    return {
-      publicKey: (await serializeEd25519Key_Raw(keyPair.publicKey)).prefixed,
-      privateKey: (await serializeEd25519Key_Jwk(keyPair.privateKey)).prefixed
-    };
-  }
-  async getLocalPublicKeys() {
-    return {
-      verifyPublicKey: await this.getLocalVerifyPublicKey(),
-      exchangePublicKey: await this.getLocalExchangePublicKey()
-    };
-  }
-  async getLocalExchangePublicKey() {
-    const exchangeKeyPair = await this.ensureLocalExchangeKeyPair();
-    return (await serializeX25519Key_Raw(exchangeKeyPair.publicKey)).prefixed;
-  }
-  async getLocalVerifyPublicKey() {
-    const verifyKeyPair = await this.ensureLocalVerifyKeyPair();
-    return (await serializeEd25519Key_Raw(verifyKeyPair.publicKey)).prefixed;
-  }
-  async linkClient({
-    linkedClientId,
-    verifyPublicKey,
-    exchangePublicKey,
-    saltString,
-    infoString,
-    bindVerifyKeysIntoDerivation
-  }) {
-    const existing = this.linkedClientKeys.get(linkedClientId);
-    const verify = verifyPublicKey != null ? {
-      publicKey: await importEd25519Key.public.fromFormattedString.extractable(verifyPublicKey),
-      publicKeySerialized: verifyPublicKey
-    } : existing?.verify;
-    const verifyKeyChanged = verifyPublicKey != null && verifyPublicKey !== existing?.verify?.publicKeySerialized;
-    let exchange = existing?.exchange;
-    const exchangeParamsProvided = exchangePublicKey != null || saltString !== undefined || infoString !== undefined || bindVerifyKeysIntoDerivation !== undefined;
-    if (exchangeParamsProvided) {
-      const nextPublicKeySerialized = exchangePublicKey ?? existing?.exchange?.publicKeySerialized;
-      if (nextPublicKeySerialized == null) {
-        throw new Error(`ClientCryptoKeyLink: Cannot set salt/info for ${linkedClientId} without an exchange public key`);
-      }
-      const nextSalt = saltString !== undefined ? saltString : existing?.exchange?.saltString;
-      const nextInfo = infoString !== undefined ? infoString : existing?.exchange?.infoString;
-      const nextBind = bindVerifyKeysIntoDerivation !== undefined ? bindVerifyKeysIntoDerivation : existing?.exchange?.bindVerifyKeysIntoDerivation;
-      const publicKey = exchangePublicKey != null ? await importX25519Key.public.fromFormattedString.extractable(exchangePublicKey) : existing.exchange.publicKey;
-      const unchanged = nextPublicKeySerialized === existing?.exchange?.publicKeySerialized && nextSalt === existing?.exchange?.saltString && nextInfo === existing?.exchange?.infoString && nextBind === existing?.exchange?.bindVerifyKeysIntoDerivation && !(nextBind === true && verifyKeyChanged);
-      exchange = {
-        publicKey,
-        publicKeySerialized: nextPublicKeySerialized,
-        saltString: nextSalt,
-        infoString: nextInfo,
-        bindVerifyKeysIntoDerivation: nextBind,
-        sharedEncryptKey: unchanged ? existing?.exchange?.sharedEncryptKey : undefined
-      };
-    } else if (exchange?.bindVerifyKeysIntoDerivation === true && verifyKeyChanged && exchange.sharedEncryptKey != null) {
-      exchange = { ...exchange, sharedEncryptKey: undefined };
-    }
-    this.linkedClientKeys.set(linkedClientId, { verify, exchange });
-  }
-  async linkClientAndStore(input) {
-    await this.linkClient(input);
-    if (this.storage == null) {
-      return;
-    }
-    const {
-      linkedClientId,
-      verifyPublicKey,
-      exchangePublicKey,
-      saltString,
-      infoString,
-      bindVerifyKeysIntoDerivation
-    } = input;
-    await this.storage.updateJsonWithDef("linkedClientPublicKeys", {}, (current) => ({
-      ...current,
-      [linkedClientId]: {
-        ...current[linkedClientId],
-        ...verifyPublicKey != null ? { verifyPublicKey } : {},
-        ...exchangePublicKey != null ? { exchangePublicKey } : {},
-        ...saltString !== undefined ? { saltString } : {},
-        ...infoString !== undefined ? { infoString } : {},
-        ...bindVerifyKeysIntoDerivation !== undefined ? { bindVerifyKeysIntoDerivation } : {}
-      }
-    }));
-  }
-  hasLinkedClient(linkedClientId) {
-    return this.linkedClientKeys.has(linkedClientId);
-  }
-  getLinkedClientPublicKeys(linkedClientId) {
-    const linkedClient = this.linkedClientKeys.get(linkedClientId);
-    if (linkedClient == null) {
-      return;
-    }
-    return {
-      verifyPublicKey: linkedClient.verify?.publicKeySerialized,
-      exchangePublicKey: linkedClient.exchange?.publicKeySerialized
-    };
-  }
-  async unlinkClient(linkedClientId) {
-    this.linkedClientKeys.delete(linkedClientId);
-    if (this.storage != null) {
-      await this.storage.updateJson("linkedClientPublicKeys", (current) => {
-        if (current == null) {
-          return {};
-        }
-        const { [linkedClientId]: _removed, ...rest } = current;
-        return rest;
-      });
-    }
-  }
-  async unlinkAllClients() {
-    this.linkedClientKeys.clear();
-    if (this.storage != null) {
-      await this.storage.setJson("linkedClientPublicKeys", {});
-    }
-  }
-  async reset() {
-    this.linkedClientKeys.clear();
-    this.localExchangeKeyPair = undefined;
-    this.localVerifyKeyPair = undefined;
-    this.initialized = false;
-    if (this.storage != null) {
-      await this.storage.removeItem("linkedClientPublicKeys");
-      await this.storage.removeItem("localExchangeKeyPair");
-      await this.storage.removeItem("localVerifyKeyPair");
-    }
-  }
-  getLinkedClient(linkedClientId) {
-    const linkedClient = this.linkedClientKeys.get(linkedClientId);
-    if (linkedClient == null) {
-      throw new Error(`ClientCryptoKeyLink: No linked client for ${linkedClientId}`);
-    }
-    return linkedClient;
-  }
-  async getAesGcmKeyForLinkedClient(externalClientSourceId) {
-    const linkedClient = this.getLinkedClient(externalClientSourceId);
-    if (linkedClient.exchange?.sharedEncryptKey != null) {
-      return linkedClient.exchange.sharedEncryptKey;
-    }
-    if (linkedClient.exchange?.publicKey == null) {
-      throw new Error(`ClientCryptoKeyLink: No public exchange key set for ${externalClientSourceId}`);
-    }
-    const localExchangeKeyPair = await this.ensureLocalExchangeKeyPair();
-    let infoString = linkedClient.exchange.infoString;
-    if (linkedClient.exchange.bindVerifyKeysIntoDerivation === true) {
-      const linkedVerifyPublicKey = linkedClient.verify?.publicKeySerialized;
-      if (linkedVerifyPublicKey == null) {
-        throw new Error(`ClientCryptoKeyLink: Link for ${externalClientSourceId} binds verify keys into the derivation, but no verify public key is set`);
-      }
-      infoString = buildVerifyKeyBoundInfoString({
-        infoString: linkedClient.exchange.infoString,
-        verifyPublicKeys: [await this.getLocalVerifyPublicKey(), linkedVerifyPublicKey]
-      });
-    }
-    const sharedEncryptKey = await createAesGcmKeyFromX25519Keys({
-      internalX25519PrivateKey: localExchangeKeyPair.privateKey,
-      externalX25519PublicKey: linkedClient.exchange.publicKey,
-      saltString: linkedClient.exchange.saltString,
-      infoString
-    });
-    this.linkedClientKeys.set(externalClientSourceId, {
-      ...linkedClient,
-      exchange: {
-        ...linkedClient.exchange,
-        sharedEncryptKey
-      }
-    });
-    return sharedEncryptKey;
-  }
-  async encryptDataForLinkedClient({
-    dataToEncrypt,
-    linkedClientId
-  }) {
-    const key = await this.getAesGcmKeyForLinkedClient(linkedClientId);
-    return await encryptTextDataWithAesGcmKey({
-      dataToEncrypt,
-      aesGcmKey: key
-    });
-  }
-  async decryptDataFromLinkedClient({
-    dataToDecrypt,
-    linkedClientId
-  }) {
-    const key = await this.getAesGcmKeyForLinkedClient(linkedClientId);
-    return await decryptTextDataWithAesGcmKey({
-      dataToDecrypt,
-      aesGcmKey: key
-    });
-  }
-  async encryptBytesForLinkedClient({
-    dataToEncrypt,
-    linkedClientId
-  }) {
-    const key = await this.getAesGcmKeyForLinkedClient(linkedClientId);
-    return await encryptBytesWithAesGcmKey({
-      dataToEncrypt,
-      aesGcmKey: key
-    });
-  }
-  async decryptBytesFromLinkedClient({
-    dataToDecrypt,
-    linkedClientId
-  }) {
-    const key = await this.getAesGcmKeyForLinkedClient(linkedClientId);
-    return await decryptBytesWithAesGcmKey({
-      dataToDecrypt,
-      aesGcmKey: key
-    });
-  }
-  async signAndEncryptDataForLinkedClient({
-    dataToEncrypt,
-    linkedClientId
-  }) {
-    const { signatureBase64 } = await this.signChallenge([dataToEncrypt]);
-    const encryptedData = await this.encryptDataForLinkedClient({
-      dataToEncrypt,
-      linkedClientId
-    });
-    return {
-      encryptedData,
-      signatureBase64
-    };
-  }
-  async decryptAndVerifyDataFromLinkedClient({
-    dataToDecrypt,
-    linkedClientId,
-    signatureBase64
-  }) {
-    const data = await this.decryptDataFromLinkedClient({
-      dataToDecrypt,
-      linkedClientId
-    });
-    const isValid = await this.verifyChallengeFromLinkedClient({
-      linkedClientId,
-      challenge: data,
-      signatureBase64
-    });
-    return { data, isValid };
-  }
-  async signChallenge(challenge) {
-    if (challenge.length === 0) {
-      throw new Error("Challenge must contain at least one string");
-    }
-    const localVerifyKeyPair = await this.ensureLocalVerifyKeyPair();
-    const signature = challenge.length > 1 ? await signCombinedTextDataWithKeyEd25519(challenge, localVerifyKeyPair.privateKey) : await signTextDataWithKeyEd25519(challenge[0], localVerifyKeyPair.privateKey);
-    return {
-      signatureBase64: base649.encode(signature)
-    };
-  }
-  async verifyChallengeFromLinkedClient({
-    linkedClientId,
-    challenge,
-    signatureBase64
-  }) {
-    const linkedClient = this.getLinkedClient(linkedClientId);
-    if (linkedClient.verify?.publicKey == null) {
-      throw new Error(`ClientCryptoKeyLink: No verify public key set for ${linkedClientId}`);
-    }
-    return await verifyWithKeyEd25519({
-      challenge,
-      signatureBase64,
-      publicKey: linkedClient.verify.publicKey
-    });
-  }
-}
-// src/storage_adapter/storage_adapter.types.ts
-var EStorageAdapterType;
-((EStorageAdapterType2) => {
-  EStorageAdapterType2["string"] = "string";
-  EStorageAdapterType2["json"] = "json";
-})(EStorageAdapterType ||= {});
-
-// src/storage_adapter/StorageAdapter.ts
-class StorageAdapter {
-  implementation;
-  keyPrefix;
-  adapterStorage;
-  constructor({ methods, keyPrefix, trackKeysForClearing: trackKeys }) {
-    this.implementation = methods;
-    this.keyPrefix = keyPrefix ?? "";
-    const _trackKeys = trackKeys ?? true;
-    this.adapterStorage = _trackKeys ? createTypedStorage({
-      storageAdapter: new StorageAdapter({ methods, keyPrefix, trackKeysForClearing: false })
-    }) : undefined;
-  }
-  getPrefixedKey(rawKey) {
-    return `${this.keyPrefix}${rawKey}`;
-  }
-  async trackUsedKey(rawKey) {
-    if (!this.adapterStorage)
-      return;
-    await this.adapterStorage.updateJsonWithDef("__usedKeys__", [], (currentKeys) => {
-      if (!currentKeys.includes(rawKey)) {
-        return [...currentKeys, rawKey];
-      }
-      return currentKeys;
-    });
-  }
-  async untrackUsedKey(rawKey) {
-    if (!this.adapterStorage)
-      return;
-    await this.adapterStorage.updateJsonWithDef("__usedKeys__", [], (currentKeys) => {
-      return currentKeys.filter((k) => k !== rawKey);
-    });
-  }
-  async clearAll() {
-    if (!this.adapterStorage)
-      return;
-    const allKeys = await this.adapterStorage.getJsonOrDef("__usedKeys__", []) ?? [];
-    await Promise.all(allKeys.map(async (key) => {
-      await this.removeItem(key);
-    }));
-    await this.adapterStorage.setJson("__usedKeys__", []);
-  }
-  async removeItem(rawKey) {
-    await this.implementation.removeItem(this.getPrefixedKey(rawKey));
-    await this.untrackUsedKey(rawKey);
-  }
-  async setJson(rawKey, value) {
-    const key = this.getPrefixedKey(rawKey);
-    if (this.implementation.type === "string" /* string */) {
-      await this.implementation.setItem(key, JSON.stringify(value));
-    } else {
-      await this.implementation.setItem(key, value);
-    }
-    await this.trackUsedKey(rawKey);
-  }
-  async getJson(rawKey) {
-    const key = this.getPrefixedKey(rawKey);
-    if (this.implementation.type === "string" /* string */) {
-      const val = await this.implementation.getItem(key);
-      if (val == null || val === "undefined" || val === "null") {
-        return;
-      }
-      return JSON.parse(val);
-    } else {
-      const val = await this.implementation.getItem(key);
-      if (val == null || val === "undefined" || val === "null") {
-        return;
-      }
-      return val;
-    }
-  }
-  async getJsonOrDef(rawKey, defVal) {
-    if (this.implementation.type === "string" /* string */) {
-      const val2 = await this.implementation.getItem(this.getPrefixedKey(rawKey));
-      if (val2 == null || val2 === "undefined" || val2 === "null") {
-        return defVal;
-      }
-      return JSON.parse(val2);
-    }
-    const val = await this.implementation.getItem(this.getPrefixedKey(rawKey));
-    if (val == null || val === "undefined" || val === "null") {
-      return defVal;
-    }
-    return val;
-  }
-  async updateJson(rawKey, updater) {
-    const currentVal = await this.getJson(rawKey);
-    const newVal = updater(currentVal);
-    await this.setJson(rawKey, newVal);
-    return newVal;
-  }
-  async updateJsonOrDef(rawKey, defVal, updater) {
-    const currentVal = await this.getJsonOrDef(rawKey, defVal);
-    const newVal = updater(currentVal);
-    await this.setJson(rawKey, newVal);
-    return newVal;
-  }
-  createJsonGetterSetter(rawKey) {
-    return {
-      get: () => this.getJson(rawKey),
-      set: (value) => this.setJson(rawKey, value)
-    };
-  }
-}
-// src/storage_adapter/specific/browser/browser_storage.ts
+//#endregion
+//#region src/crypto/client_key_link/ClientCryptoKeyLink.ts
+var ClientCryptoKeyLink = class {
+	localExchangeKeyPair;
+	localVerifyKeyPair;
+	linkedClientKeys = /* @__PURE__ */ new Map();
+	storage;
+	initialized = false;
+	initializePromise;
+	localExchangeKeyPairPromise;
+	localVerifyKeyPairPromise;
+	constructor({ storageAdapter } = {}) {
+		if (storageAdapter != null) this.storage = createTypedStorage({ storageAdapter });
+	}
+	/**
+	* Loads the local key pairs and any linked client public keys from storage (when a storage
+	* adapter was provided), generating and persisting fresh local key pairs if none exist yet.
+	*
+	* Must be called (and awaited) before any sign/verify/encrypt/decrypt operation.
+	*/
+	async initialize() {
+		if (this.initialized) return;
+		this.initializePromise ??= this.runInitialize();
+		try {
+			await this.initializePromise;
+		} finally {
+			this.initializePromise = void 0;
+		}
+	}
+	async runInitialize() {
+		await this.loadStoredLocalKeys();
+		await this.loadLinkedClients();
+		this.initialized = true;
+	}
+	/**
+	* Loads the local key pairs from storage if they were previously persisted. Does NOT generate
+	* fresh keys — local identity is created lazily on first use (see {@link ensureLocalExchangeKeyPair}
+	* / {@link ensureLocalVerifyKeyPair}), so a verify-only or otherwise key-less consumer never
+	* generates or stores keys it does not need.
+	*/
+	async loadStoredLocalKeys() {
+		const storedExchange = await this.storage?.getJson("localExchangeKeyPair");
+		if (storedExchange != null) this.localExchangeKeyPair = {
+			privateKey: await importX25519Key.private.fromFormattedString.extractable(storedExchange.privateKey),
+			publicKey: await importX25519Key.public.fromFormattedString.extractable(storedExchange.publicKey)
+		};
+		const storedVerify = await this.storage?.getJson("localVerifyKeyPair");
+		if (storedVerify != null) this.localVerifyKeyPair = {
+			privateKey: await importEd25519Key.private.fromFormattedString.extractable(storedVerify.privateKey),
+			publicKey: await importEd25519Key.public.fromFormattedString.extractable(storedVerify.publicKey)
+		};
+	}
+	/**
+	* Returns the local exchange (X25519) key pair, generating and persisting it on first use.
+	* Concurrent callers share a single generation.
+	*/
+	async ensureLocalExchangeKeyPair() {
+		if (this.localExchangeKeyPair != null) return this.localExchangeKeyPair;
+		this.localExchangeKeyPairPromise ??= (async () => {
+			const keyPair = await generateX25519KeyPair();
+			this.localExchangeKeyPair = keyPair;
+			if (this.storage != null) await this.storage.setJson("localExchangeKeyPair", await this.serializeExchangeKeyPair(keyPair));
+			return keyPair;
+		})();
+		try {
+			return await this.localExchangeKeyPairPromise;
+		} finally {
+			this.localExchangeKeyPairPromise = void 0;
+		}
+	}
+	/**
+	* Returns the local verify (Ed25519) key pair, generating and persisting it on first use.
+	* Concurrent callers share a single generation.
+	*/
+	async ensureLocalVerifyKeyPair() {
+		if (this.localVerifyKeyPair != null) return this.localVerifyKeyPair;
+		this.localVerifyKeyPairPromise ??= (async () => {
+			const keyPair = await generateEd25519KeyPair();
+			this.localVerifyKeyPair = keyPair;
+			if (this.storage != null) await this.storage.setJson("localVerifyKeyPair", await this.serializeVerifyKeyPair(keyPair));
+			return keyPair;
+		})();
+		try {
+			return await this.localVerifyKeyPairPromise;
+		} finally {
+			this.localVerifyKeyPairPromise = void 0;
+		}
+	}
+	async loadLinkedClients() {
+		const storedLinkedClients = await this.storage?.getJson("linkedClientPublicKeys");
+		if (storedLinkedClients == null) return;
+		for (const [linkedClientId, publicKeys] of Object.entries(storedLinkedClients)) await this.linkClient({
+			linkedClientId,
+			verifyPublicKey: publicKeys.verifyPublicKey,
+			exchangePublicKey: publicKeys.exchangePublicKey,
+			saltString: publicKeys.saltString,
+			infoString: publicKeys.infoString,
+			bindVerifyKeysIntoDerivation: publicKeys.bindVerifyKeysIntoDerivation
+		});
+	}
+	async serializeExchangeKeyPair(keyPair) {
+		return {
+			publicKey: (await serializeX25519Key_Raw(keyPair.publicKey)).prefixed,
+			privateKey: (await serializeX25519Key_Jwk(keyPair.privateKey)).prefixed
+		};
+	}
+	async serializeVerifyKeyPair(keyPair) {
+		return {
+			publicKey: (await serializeEd25519Key_Raw(keyPair.publicKey)).prefixed,
+			privateKey: (await serializeEd25519Key_Jwk(keyPair.privateKey)).prefixed
+		};
+	}
+	/**
+	* The local public keys that should be shared with a linked client so that it can verify this
+	* client's signatures and derive a shared encryption key. Generates the local identity on first
+	* use.
+	*/
+	async getLocalPublicKeys() {
+		return {
+			verifyPublicKey: await this.getLocalVerifyPublicKey(),
+			exchangePublicKey: await this.getLocalExchangePublicKey()
+		};
+	}
+	/**
+	* The local exchange (X25519) public key, generating the exchange key pair on first use. Does not
+	* touch the verify key pair — useful for an exchange-only consumer (e.g. a bridge) that never
+	* signs.
+	*/
+	async getLocalExchangePublicKey() {
+		return (await serializeX25519Key_Raw((await this.ensureLocalExchangeKeyPair()).publicKey)).prefixed;
+	}
+	/**
+	* The local verify (Ed25519) public key, generating the verify key pair on first use. Does not
+	* touch the exchange key pair.
+	*/
+	async getLocalVerifyPublicKey() {
+		return (await serializeEd25519Key_Raw((await this.ensureLocalVerifyKeyPair()).publicKey)).prefixed;
+	}
+	/**
+	* Registers (or updates) the public keys of a linked client in memory only — nothing is written
+	* to storage. Use this for ephemeral links (e.g. a per-session bridge or end-to-end peer keyed by
+	* a session salt/info), so the derived shared key never outlives the process.
+	*
+	* Re-linking with a new exchange public key, salt, or info invalidates any previously cached
+	* shared key for the link.
+	*/
+	async linkClient({ linkedClientId, verifyPublicKey, exchangePublicKey, saltString, infoString, bindVerifyKeysIntoDerivation }) {
+		const existing = this.linkedClientKeys.get(linkedClientId);
+		const verify = verifyPublicKey != null ? {
+			publicKey: await importEd25519Key.public.fromFormattedString.extractable(verifyPublicKey),
+			publicKeySerialized: verifyPublicKey
+		} : existing?.verify;
+		const verifyKeyChanged = verifyPublicKey != null && verifyPublicKey !== existing?.verify?.publicKeySerialized;
+		let exchange = existing?.exchange;
+		if (exchangePublicKey != null || saltString !== void 0 || infoString !== void 0 || bindVerifyKeysIntoDerivation !== void 0) {
+			const nextPublicKeySerialized = exchangePublicKey ?? existing?.exchange?.publicKeySerialized;
+			if (nextPublicKeySerialized == null) throw new Error(`ClientCryptoKeyLink: Cannot set salt/info for ${linkedClientId} without an exchange public key`);
+			const nextSalt = saltString !== void 0 ? saltString : existing?.exchange?.saltString;
+			const nextInfo = infoString !== void 0 ? infoString : existing?.exchange?.infoString;
+			const nextBind = bindVerifyKeysIntoDerivation !== void 0 ? bindVerifyKeysIntoDerivation : existing?.exchange?.bindVerifyKeysIntoDerivation;
+			exchange = {
+				publicKey: exchangePublicKey != null ? await importX25519Key.public.fromFormattedString.extractable(exchangePublicKey) : existing.exchange.publicKey,
+				publicKeySerialized: nextPublicKeySerialized,
+				saltString: nextSalt,
+				infoString: nextInfo,
+				bindVerifyKeysIntoDerivation: nextBind,
+				sharedEncryptKey: nextPublicKeySerialized === existing?.exchange?.publicKeySerialized && nextSalt === existing?.exchange?.saltString && nextInfo === existing?.exchange?.infoString && nextBind === existing?.exchange?.bindVerifyKeysIntoDerivation && !(nextBind === true && verifyKeyChanged) ? existing?.exchange?.sharedEncryptKey : void 0
+			};
+		} else if (exchange?.bindVerifyKeysIntoDerivation === true && verifyKeyChanged && exchange.sharedEncryptKey != null) exchange = {
+			...exchange,
+			sharedEncryptKey: void 0
+		};
+		this.linkedClientKeys.set(linkedClientId, {
+			verify,
+			exchange
+		});
+	}
+	/**
+	* Like {@link linkClient}, but also persists the linked client's public keys (and salt/info) to
+	* storage so the link survives a reload.
+	*
+	* NOTE: salt/info are written in plaintext. When they are session secrets (e.g. a partner secret
+	* or bridge salt), prefer {@link linkClient} and re-establish the link per session instead.
+	*/
+	async linkClientAndStore(input) {
+		await this.linkClient(input);
+		if (this.storage == null) return;
+		const { linkedClientId, verifyPublicKey, exchangePublicKey, saltString, infoString, bindVerifyKeysIntoDerivation } = input;
+		await this.storage.updateJsonWithDef("linkedClientPublicKeys", {}, (current) => ({
+			...current,
+			[linkedClientId]: {
+				...current[linkedClientId],
+				...verifyPublicKey != null ? { verifyPublicKey } : {},
+				...exchangePublicKey != null ? { exchangePublicKey } : {},
+				...saltString !== void 0 ? { saltString } : {},
+				...infoString !== void 0 ? { infoString } : {},
+				...bindVerifyKeysIntoDerivation !== void 0 ? { bindVerifyKeysIntoDerivation } : {}
+			}
+		}));
+	}
+	/**
+	* Whether a linked client is currently registered (in memory) under this id.
+	*/
+	hasLinkedClient(linkedClientId) {
+		return this.linkedClientKeys.has(linkedClientId);
+	}
+	/**
+	* The serialized public keys registered for a linked client, or undefined when the client is not
+	* linked. Useful when a holder needs to relay a linked client's keys onward (e.g. a backend
+	* relaying a wallet's verify key to a partner).
+	*/
+	getLinkedClientPublicKeys(linkedClientId) {
+		const linkedClient = this.linkedClientKeys.get(linkedClientId);
+		if (linkedClient == null) return;
+		return {
+			verifyPublicKey: linkedClient.verify?.publicKeySerialized,
+			exchangePublicKey: linkedClient.exchange?.publicKeySerialized
+		};
+	}
+	/**
+	* Removes a single linked client from memory and, when storage is available, from persisted
+	* state. Any cached shared key for the link is dropped with it.
+	*/
+	async unlinkClient(linkedClientId) {
+		this.linkedClientKeys.delete(linkedClientId);
+		if (this.storage != null) await this.storage.updateJson("linkedClientPublicKeys", (current) => {
+			if (current == null) return {};
+			const { [linkedClientId]: _removed, ...rest } = current;
+			return rest;
+		});
+	}
+	/**
+	* Removes all linked clients from memory and persisted state, while keeping the local identity
+	* key pairs intact.
+	*/
+	async unlinkAllClients() {
+		this.linkedClientKeys.clear();
+		if (this.storage != null) await this.storage.setJson("linkedClientPublicKeys", {});
+	}
+	/**
+	* Wipes everything this instance owns — local identity key pairs and all linked clients, in
+	* memory and in storage. After a reset, {@link initialize} must be called again before use (it
+	* will generate a fresh local identity).
+	*
+	* Only the keys owned by this util are removed, so a shared storage adapter's other data is left
+	* untouched.
+	*/
+	async reset() {
+		this.linkedClientKeys.clear();
+		this.localExchangeKeyPair = void 0;
+		this.localVerifyKeyPair = void 0;
+		this.initialized = false;
+		if (this.storage != null) {
+			await this.storage.removeItem("linkedClientPublicKeys");
+			await this.storage.removeItem("localExchangeKeyPair");
+			await this.storage.removeItem("localVerifyKeyPair");
+		}
+	}
+	getLinkedClient(linkedClientId) {
+		const linkedClient = this.linkedClientKeys.get(linkedClientId);
+		if (linkedClient == null) throw new Error(`ClientCryptoKeyLink: No linked client for ${linkedClientId}`);
+		return linkedClient;
+	}
+	async getAesGcmKeyForLinkedClient(externalClientSourceId) {
+		const linkedClient = this.getLinkedClient(externalClientSourceId);
+		if (linkedClient.exchange?.sharedEncryptKey != null) return linkedClient.exchange.sharedEncryptKey;
+		if (linkedClient.exchange?.publicKey == null) throw new Error(`ClientCryptoKeyLink: No public exchange key set for ${externalClientSourceId}`);
+		const localExchangeKeyPair = await this.ensureLocalExchangeKeyPair();
+		let infoString = linkedClient.exchange.infoString;
+		if (linkedClient.exchange.bindVerifyKeysIntoDerivation === true) {
+			const linkedVerifyPublicKey = linkedClient.verify?.publicKeySerialized;
+			if (linkedVerifyPublicKey == null) throw new Error(`ClientCryptoKeyLink: Link for ${externalClientSourceId} binds verify keys into the derivation, but no verify public key is set`);
+			infoString = buildVerifyKeyBoundInfoString({
+				infoString: linkedClient.exchange.infoString,
+				verifyPublicKeys: [await this.getLocalVerifyPublicKey(), linkedVerifyPublicKey]
+			});
+		}
+		const sharedEncryptKey = await createAesGcmKeyFromX25519Keys({
+			internalX25519PrivateKey: localExchangeKeyPair.privateKey,
+			externalX25519PublicKey: linkedClient.exchange.publicKey,
+			saltString: linkedClient.exchange.saltString,
+			infoString
+		});
+		this.linkedClientKeys.set(externalClientSourceId, {
+			...linkedClient,
+			exchange: {
+				...linkedClient.exchange,
+				sharedEncryptKey
+			}
+		});
+		return sharedEncryptKey;
+	}
+	async encryptDataForLinkedClient({ dataToEncrypt, linkedClientId }) {
+		return await encryptTextDataWithAesGcmKey({
+			dataToEncrypt,
+			aesGcmKey: await this.getAesGcmKeyForLinkedClient(linkedClientId)
+		});
+	}
+	async decryptDataFromLinkedClient({ dataToDecrypt, linkedClientId }) {
+		return await decryptTextDataWithAesGcmKey({
+			dataToDecrypt,
+			aesGcmKey: await this.getAesGcmKeyForLinkedClient(linkedClientId)
+		});
+	}
+	/**
+	* Bytes counterpart of {@link encryptDataForLinkedClient} — encrypts raw bytes with the shared
+	* AES-GCM key, returning a binary nonce + ciphertext. Use it for binary channels (e.g. msgpack
+	* WebSocket frames) to avoid base64 inflation.
+	*/
+	async encryptBytesForLinkedClient({ dataToEncrypt, linkedClientId }) {
+		return await encryptBytesWithAesGcmKey({
+			dataToEncrypt,
+			aesGcmKey: await this.getAesGcmKeyForLinkedClient(linkedClientId)
+		});
+	}
+	/** Bytes counterpart of {@link decryptDataFromLinkedClient}. */
+	async decryptBytesFromLinkedClient({ dataToDecrypt, linkedClientId }) {
+		return await decryptBytesWithAesGcmKey({
+			dataToDecrypt,
+			aesGcmKey: await this.getAesGcmKeyForLinkedClient(linkedClientId)
+		});
+	}
+	async signAndEncryptDataForLinkedClient({ dataToEncrypt, linkedClientId }) {
+		const { signatureBase64 } = await this.signChallenge([dataToEncrypt]);
+		return {
+			encryptedData: await this.encryptDataForLinkedClient({
+				dataToEncrypt,
+				linkedClientId
+			}),
+			signatureBase64
+		};
+	}
+	/**
+	* Decrypts a payload from a linked client and verifies that the decrypted plaintext was signed
+	* by that client. Counterpart to {@link signAndEncryptDataForLinkedClient}.
+	*
+	* Returns the decrypted `data` alongside `isValid` — the caller decides how to handle an invalid
+	* signature. (A tampered ciphertext fails earlier at AES-GCM decryption.)
+	*/
+	async decryptAndVerifyDataFromLinkedClient({ dataToDecrypt, linkedClientId, signatureBase64 }) {
+		const data = await this.decryptDataFromLinkedClient({
+			dataToDecrypt,
+			linkedClientId
+		});
+		return {
+			data,
+			isValid: await this.verifyChallengeFromLinkedClient({
+				linkedClientId,
+				challenge: data,
+				signatureBase64
+			})
+		};
+	}
+	async signChallenge(challenge) {
+		if (challenge.length === 0) throw new Error("Challenge must contain at least one string");
+		const localVerifyKeyPair = await this.ensureLocalVerifyKeyPair();
+		const signature = challenge.length > 1 ? await signCombinedTextDataWithKeyEd25519(challenge, localVerifyKeyPair.privateKey) : await signTextDataWithKeyEd25519(challenge[0], localVerifyKeyPair.privateKey);
+		return { signatureBase64: base64.encode(signature) };
+	}
+	/**
+	* Verifies a signature over `challenge` against the linked client's verify (Ed25519) public key.
+	*/
+	async verifyChallengeFromLinkedClient({ linkedClientId, challenge, signatureBase64 }) {
+		const linkedClient = this.getLinkedClient(linkedClientId);
+		if (linkedClient.verify?.publicKey == null) throw new Error(`ClientCryptoKeyLink: No verify public key set for ${linkedClientId}`);
+		return await verifyWithKeyEd25519({
+			challenge,
+			signatureBase64,
+			publicKey: linkedClient.verify.publicKey
+		});
+	}
+};
+//#endregion
+//#region src/storage_adapter/storage_adapter.types.ts
+let EStorageAdapterType = /* @__PURE__ */ function(EStorageAdapterType) {
+	EStorageAdapterType["string"] = "string";
+	EStorageAdapterType["json"] = "json";
+	return EStorageAdapterType;
+}({});
+//#endregion
+//#region src/storage_adapter/StorageAdapter.ts
+var StorageAdapter = class StorageAdapter {
+	implementation;
+	keyPrefix;
+	adapterStorage;
+	constructor({ methods, keyPrefix, trackKeysForClearing: trackKeys }) {
+		this.implementation = methods;
+		this.keyPrefix = keyPrefix ?? "";
+		const _trackKeys = trackKeys ?? true;
+		this.adapterStorage = _trackKeys ? createTypedStorage({ storageAdapter: new StorageAdapter({
+			methods,
+			keyPrefix,
+			trackKeysForClearing: false
+		}) }) : void 0;
+	}
+	getPrefixedKey(rawKey) {
+		return `${this.keyPrefix}${rawKey}`;
+	}
+	async trackUsedKey(rawKey) {
+		if (!this.adapterStorage) return;
+		await this.adapterStorage.updateJsonWithDef("__usedKeys__", [], (currentKeys) => {
+			if (!currentKeys.includes(rawKey)) return [...currentKeys, rawKey];
+			return currentKeys;
+		});
+	}
+	async untrackUsedKey(rawKey) {
+		if (!this.adapterStorage) return;
+		await this.adapterStorage.updateJsonWithDef("__usedKeys__", [], (currentKeys) => {
+			return currentKeys.filter((k) => k !== rawKey);
+		});
+	}
+	async clearAll() {
+		if (!this.adapterStorage) return;
+		const allKeys = await this.adapterStorage.getJsonOrDef("__usedKeys__", []) ?? [];
+		await Promise.all(allKeys.map(async (key) => {
+			await this.removeItem(key);
+		}));
+		await this.adapterStorage.setJson("__usedKeys__", []);
+	}
+	async removeItem(rawKey) {
+		await this.implementation.removeItem(this.getPrefixedKey(rawKey));
+		await this.untrackUsedKey(rawKey);
+	}
+	async setJson(rawKey, value) {
+		const key = this.getPrefixedKey(rawKey);
+		if (this.implementation.type === "string") await this.implementation.setItem(key, JSON.stringify(value));
+		else await this.implementation.setItem(key, value);
+		await this.trackUsedKey(rawKey);
+	}
+	async getJson(rawKey) {
+		const key = this.getPrefixedKey(rawKey);
+		if (this.implementation.type === "string") {
+			const val = await this.implementation.getItem(key);
+			if (val == null || val === "undefined" || val === "null") return;
+			return JSON.parse(val);
+		} else {
+			const val = await this.implementation.getItem(key);
+			if (val == null || val === "undefined" || val === "null") return;
+			return val;
+		}
+	}
+	async getJsonOrDef(rawKey, defVal) {
+		if (this.implementation.type === "string") {
+			const val = await this.implementation.getItem(this.getPrefixedKey(rawKey));
+			if (val == null || val === "undefined" || val === "null") return defVal;
+			return JSON.parse(val);
+		}
+		const val = await this.implementation.getItem(this.getPrefixedKey(rawKey));
+		if (val == null || val === "undefined" || val === "null") return defVal;
+		return val;
+	}
+	async updateJson(rawKey, updater) {
+		const newVal = updater(await this.getJson(rawKey));
+		await this.setJson(rawKey, newVal);
+		return newVal;
+	}
+	async updateJsonOrDef(rawKey, defVal, updater) {
+		const newVal = updater(await this.getJsonOrDef(rawKey, defVal));
+		await this.setJson(rawKey, newVal);
+		return newVal;
+	}
+	createJsonGetterSetter(rawKey) {
+		return {
+			get: () => this.getJson(rawKey),
+			set: (value) => this.setJson(rawKey, value)
+		};
+	}
+};
+//#endregion
+//#region src/storage_adapter/specific/browser/browser_storage.ts
 function createWebLocalStorageMethods(_localStorage) {
-  return {
-    type: "string" /* string */,
-    getItem: async (key) => _localStorage.getItem(key),
-    setItem: async (key, value) => {
-      _localStorage.setItem(key, value);
-    },
-    removeItem: async (key) => {
-      _localStorage.removeItem(key);
-    }
-  };
+	return {
+		type: "string",
+		getItem: async (key) => _localStorage.getItem(key),
+		setItem: async (key, value) => {
+			_localStorage.setItem(key, value);
+		},
+		removeItem: async (key) => {
+			_localStorage.removeItem(key);
+		}
+	};
 }
-var createWebLocalStorageAdapter = ({
-  localStorage: _localStorage,
-  ...options
-}) => {
-  return new StorageAdapter({
-    methods: createWebLocalStorageMethods(_localStorage),
-    ...options
-  });
+const createWebLocalStorageAdapter = ({ localStorage: _localStorage, ...options }) => {
+	return new StorageAdapter({
+		methods: createWebLocalStorageMethods(_localStorage),
+		...options
+	});
 };
 function createTypedWebLocalStorage(options) {
-  return createTypedStorage({
-    storageAdapter: createWebLocalStorageAdapter(options)
-  });
+	return createTypedStorage({ storageAdapter: createWebLocalStorageAdapter(options) });
 }
 function createWebSessionStorageMethods(_sessionStorage) {
-  return {
-    type: "string" /* string */,
-    getItem: async (key) => _sessionStorage.getItem(key),
-    setItem: async (key, value) => {
-      _sessionStorage.setItem(key, value);
-    },
-    removeItem: async (key) => {
-      _sessionStorage.removeItem(key);
-    }
-  };
+	return {
+		type: "string",
+		getItem: async (key) => _sessionStorage.getItem(key),
+		setItem: async (key, value) => {
+			_sessionStorage.setItem(key, value);
+		},
+		removeItem: async (key) => {
+			_sessionStorage.removeItem(key);
+		}
+	};
 }
-var createWebSessionStorageAdapter = ({
-  sessionStorage: _sessionStorage,
-  ...options
-}) => {
-  return new StorageAdapter({
-    methods: createWebSessionStorageMethods(_sessionStorage),
-    ...options
-  });
+const createWebSessionStorageAdapter = ({ sessionStorage: _sessionStorage, ...options }) => {
+	return new StorageAdapter({
+		methods: createWebSessionStorageMethods(_sessionStorage),
+		...options
+	});
 };
 function createTypedWebSessionStorage(options) {
-  return createTypedStorage({
-    storageAdapter: createWebSessionStorageAdapter(options)
-  });
+	return createTypedStorage({ storageAdapter: createWebSessionStorageAdapter(options) });
 }
-// src/storage_adapter/specific/cloudflare/durable_object/durable_object_storage.ts
+//#endregion
+//#region src/storage_adapter/specific/cloudflare/durable_object/durable_object_storage.ts
 function createDurableObjectStorageMethods(durableObjectStorage) {
-  return {
-    type: "json" /* json */,
-    getItem: (key) => durableObjectStorage.get(key),
-    setItem: (key, value) => durableObjectStorage.put(key, value),
-    removeItem: async (key) => {
-      await durableObjectStorage.delete(key);
-    }
-  };
+	return {
+		type: "json",
+		getItem: (key) => durableObjectStorage.get(key),
+		setItem: (key, value) => durableObjectStorage.put(key, value),
+		removeItem: async (key) => {
+			await durableObjectStorage.delete(key);
+		}
+	};
 }
-var createDurableObjectStorageAdapter = ({
-  durableObjectStorage,
-  ...options
-}) => {
-  return new StorageAdapter({
-    methods: createDurableObjectStorageMethods(durableObjectStorage),
-    ...options
-  });
+/**
+* Wraps a Durable Object's storage in the generic StorageAdapter interface, e.g. for handing to a
+* ClientCryptoKeyLink so it can persist its keys inside the DO's own storage.
+*/
+const createDurableObjectStorageAdapter = ({ durableObjectStorage, ...options }) => {
+	return new StorageAdapter({
+		methods: createDurableObjectStorageMethods(durableObjectStorage),
+		...options
+	});
 };
 function createDurableObjectTypedStorage(options) {
-  return createTypedStorage({
-    storageAdapter: createDurableObjectStorageAdapter(options)
-  });
+	return createTypedStorage({ storageAdapter: createDurableObjectStorageAdapter(options) });
 }
-// src/storage_adapter/specific/cloudflare/kv/kv_storage.ts
-function createKVStorageMethods({
-  kvNamespace,
-  defaultPutOptions
-}) {
-  return {
-    type: "string" /* string */,
-    getItem: (key) => kvNamespace.get(key),
-    setItem: (key, value) => kvNamespace.put(key, value, defaultPutOptions),
-    removeItem: (key) => kvNamespace.delete(key)
-  };
+//#endregion
+//#region src/storage_adapter/specific/cloudflare/kv/kv_storage.ts
+function createKVStorageMethods({ kvNamespace, defaultPutOptions }) {
+	return {
+		type: "string",
+		getItem: (key) => kvNamespace.get(key),
+		setItem: (key, value) => kvNamespace.put(key, value, defaultPutOptions),
+		removeItem: (key) => kvNamespace.delete(key)
+	};
 }
-var createKVStorageAdapter = ({
-  kvNamespace,
-  defaultPutOptions,
-  ...options
-}) => {
-  return new StorageAdapter({
-    methods: createKVStorageMethods({ kvNamespace, defaultPutOptions }),
-    ...options
-  });
+/**
+* Wraps a Cloudflare KV namespace binding in the generic StorageAdapter interface, e.g. for handing
+* to a ClientCryptoKeyLink so it can persist its keys inside KV.
+*/
+const createKVStorageAdapter = ({ kvNamespace, defaultPutOptions, ...options }) => {
+	return new StorageAdapter({
+		methods: createKVStorageMethods({
+			kvNamespace,
+			defaultPutOptions
+		}),
+		...options
+	});
 };
 function createKVTypedStorage(options) {
-  return createTypedStorage({
-    storageAdapter: createKVStorageAdapter(options)
-  });
+	return createTypedStorage({ storageAdapter: createKVStorageAdapter(options) });
 }
-// src/storage_adapter/specific/memory/memory_storage.ts
-function createMemoryStorageMethods_string(memoryStorageMap = new Map) {
-  return {
-    type: "string" /* string */,
-    getItem: async (key) => memoryStorageMap.get(key) ?? null,
-    setItem: async (key, value) => {
-      memoryStorageMap.set(key, value);
-    },
-    removeItem: async (key) => {
-      memoryStorageMap.delete(key);
-    }
-  };
+//#endregion
+//#region src/storage_adapter/specific/memory/memory_storage.ts
+function createMemoryStorageMethods_string(memoryStorageMap = /* @__PURE__ */ new Map()) {
+	return {
+		type: "string",
+		getItem: async (key) => memoryStorageMap.get(key) ?? null,
+		setItem: async (key, value) => {
+			memoryStorageMap.set(key, value);
+		},
+		removeItem: async (key) => {
+			memoryStorageMap.delete(key);
+		}
+	};
 }
-var createMemoryStorageAdapter_string = (options) => {
-  return new StorageAdapter({
-    methods: createMemoryStorageMethods_string(options?.memoryStorageMap),
-    ...options
-  });
+const createMemoryStorageAdapter_string = (options) => {
+	return new StorageAdapter({
+		methods: createMemoryStorageMethods_string(options?.memoryStorageMap),
+		...options
+	});
 };
 function createTypedMemoryStorage_string(options) {
-  return createTypedStorage({
-    storageAdapter: createMemoryStorageAdapter_string(options)
-  });
+	return createTypedStorage({ storageAdapter: createMemoryStorageAdapter_string(options) });
 }
-function createMemoryStorageMethods_json(memoryStorageMap = new Map) {
-  return {
-    type: "json" /* json */,
-    getItem: async (key) => memoryStorageMap.get(key),
-    setItem: async (key, value) => {
-      memoryStorageMap.set(key, value);
-    },
-    removeItem: async (key) => {
-      memoryStorageMap.delete(key);
-    }
-  };
+function createMemoryStorageMethods_json(memoryStorageMap = /* @__PURE__ */ new Map()) {
+	return {
+		type: "json",
+		getItem: async (key) => memoryStorageMap.get(key),
+		setItem: async (key, value) => {
+			memoryStorageMap.set(key, value);
+		},
+		removeItem: async (key) => {
+			memoryStorageMap.delete(key);
+		}
+	};
 }
-var createMemoryStorageAdapter_json = (options) => {
-  return new StorageAdapter({
-    methods: createMemoryStorageMethods_json(options?.memoryStorageMap),
-    ...options
-  });
+const createMemoryStorageAdapter_json = (options) => {
+	return new StorageAdapter({
+		methods: createMemoryStorageMethods_json(options?.memoryStorageMap),
+		...options
+	});
 };
 function createTypedMemoryStorage_json(options) {
-  return createTypedStorage({
-    storageAdapter: createMemoryStorageAdapter_json(options)
-  });
+	return createTypedStorage({ storageAdapter: createMemoryStorageAdapter_json(options) });
 }
-export {
-  verifyWithKeyEd25519,
-  vVerifyChallengeWithSignature_WithThrow_Input,
-  vVerifyChallengeWithSignature_Input,
-  vSerializedCryptoKeyDataX25519_Raw,
-  vSerializedCryptoKeyDataX25519_Jwk,
-  vSerializedCryptoKeyDataEd25519_Raw,
-  vSerializedCryptoKeyDataEd25519_Jwk,
-  vEncryptedAesGcmPayload,
-  vCryptoKeyPairDataX25519,
-  vCryptoKeyPairDataEd25519,
-  signTextDataWithKeyEd25519,
-  signCombinedTextDataWithKeyEd25519,
-  serializeX25519Key_Raw,
-  serializeX25519Key_Jwk,
-  serializeEd25519Key_Raw,
-  serializeEd25519Key_Jwk,
-  importX25519Key,
-  importEd25519Key,
-  generateX25519KeyPair,
-  generateEd25519KeyPair,
-  encryptTextDataWithAesGcmKey,
-  encryptBytesWithAesGcmKey,
-  decryptTextDataWithAesGcmKey,
-  decryptBytesWithAesGcmKey,
-  createWebSessionStorageMethods,
-  createWebSessionStorageAdapter,
-  createWebLocalStorageMethods,
-  createWebLocalStorageAdapter,
-  createTypedWebSessionStorage,
-  createTypedWebLocalStorage,
-  createTypedStorage,
-  createTypedMemoryStorage_string,
-  createTypedMemoryStorage_json,
-  createSharedBitsFromX25519,
-  createMemoryStorageMethods_string,
-  createMemoryStorageMethods_json,
-  createMemoryStorageAdapter_string,
-  createMemoryStorageAdapter_json,
-  createKVTypedStorage,
-  createKVStorageMethods,
-  createKVStorageAdapter,
-  createDurableObjectTypedStorage,
-  createDurableObjectStorageMethods,
-  createDurableObjectStorageAdapter,
-  createAesGcmKeyFromX25519Keys,
-  convertX25519RawDataStringToSerializedKeyData,
-  convertX25519RawDataStringToObject,
-  convertX25519JwkDataStringToSerializedKeyData,
-  convertX25519JwkDataStringToObject,
-  convertX25519FormattedStringToSerializedKeyData,
-  convertX25519FormattedStringToObject,
-  convertEd25519RawDataStringToSerializedKeyData,
-  convertEd25519RawDataStringToObject,
-  convertEd25519JwkDataStringToSerializedKeyData,
-  convertEd25519JwkDataStringToObject,
-  convertEd25519FormattedStringToSerializedKeyData,
-  convertEd25519FormattedStringToObject,
-  buildVerifyKeyBoundInfoString,
-  StorageAdapter,
-  EStorageAdapterType,
-  ECryptoKeyFormat,
-  ECryptoKeyAlgo,
-  DEFAULT_COMBINED_TEXT_DATA_SEPARATOR,
-  ClientCryptoKeyLink
-};
+//#endregion
+export { ClientCryptoKeyLink, DEFAULT_COMBINED_TEXT_DATA_SEPARATOR, ECryptoKeyAlgo, ECryptoKeyFormat, EStorageAdapterType, StorageAdapter, buildVerifyKeyBoundInfoString, convertEd25519FormattedStringToObject, convertEd25519FormattedStringToSerializedKeyData, convertEd25519JwkDataStringToObject, convertEd25519JwkDataStringToSerializedKeyData, convertEd25519RawDataStringToObject, convertEd25519RawDataStringToSerializedKeyData, convertX25519FormattedStringToObject, convertX25519FormattedStringToSerializedKeyData, convertX25519JwkDataStringToObject, convertX25519JwkDataStringToSerializedKeyData, convertX25519RawDataStringToObject, convertX25519RawDataStringToSerializedKeyData, createAesGcmKeyFromX25519Keys, createDurableObjectStorageAdapter, createDurableObjectStorageMethods, createDurableObjectTypedStorage, createKVStorageAdapter, createKVStorageMethods, createKVTypedStorage, createMemoryStorageAdapter_json, createMemoryStorageAdapter_string, createMemoryStorageMethods_json, createMemoryStorageMethods_string, createSharedBitsFromX25519, createTypedMemoryStorage_json, createTypedMemoryStorage_string, createTypedStorage, createTypedWebLocalStorage, createTypedWebSessionStorage, createWebLocalStorageAdapter, createWebLocalStorageMethods, createWebSessionStorageAdapter, createWebSessionStorageMethods, decryptBytesWithAesGcmKey, decryptTextDataWithAesGcmKey, encryptBytesWithAesGcmKey, encryptTextDataWithAesGcmKey, generateEd25519KeyPair, generateX25519KeyPair, importEd25519Key, importX25519Key, serializeEd25519Key_Jwk, serializeEd25519Key_Raw, serializeX25519Key_Jwk, serializeX25519Key_Raw, signCombinedTextDataWithKeyEd25519, signTextDataWithKeyEd25519, vCryptoKeyPairDataEd25519, vCryptoKeyPairDataX25519, vEncryptedAesGcmPayload, vSerializedCryptoKeyDataEd25519_Jwk, vSerializedCryptoKeyDataEd25519_Raw, vSerializedCryptoKeyDataX25519_Jwk, vSerializedCryptoKeyDataX25519_Raw, vVerifyChallengeWithSignature_Input, vVerifyChallengeWithSignature_WithThrow_Input, verifyWithKeyEd25519 };
+
+//# sourceMappingURL=index.js.map