@omnituum/pqc-shared 0.2.6

package/dist/integrity-CCYjrap3.d.ts

@@ -0,0 +1,31 @@
+import { H as HybridIdentityRecord } from './types-61c7Q9ri.js';
+
+/**
+ * Omnituum PQC Shared - Integrity Verification
+ *
+ * SHA-256 based integrity checking for vault contents.
+ */
+
+/**
+ * Compute SHA-256 integrity hash for a list of identities.
+ * Uses only the public keys and metadata to create a deterministic hash.
+ */
+declare function computeIntegrityHash(identities: HybridIdentityRecord[]): string;
+/**
+ * Compute SHA-256 hash asynchronously using Web Crypto or Node fallback.
+ */
+declare function computeHashAsync(data: string): Promise<string>;
+/**
+ * Verify vault integrity.
+ */
+declare function verifyIntegrity(identities: HybridIdentityRecord[], expectedHash: string): Promise<boolean>;
+/**
+ * Compute a short fingerprint for an identity's public keys.
+ */
+declare function computeKeyFingerprint(identity: HybridIdentityRecord): Promise<string>;
+/**
+ * Format a fingerprint for display (groups of 4).
+ */
+declare function formatFingerprint(fingerprint: string): string;
+
+export { computeHashAsync as a, computeKeyFingerprint as b, computeIntegrityHash as c, formatFingerprint as f, verifyIntegrity as v };

package/dist/integrity-Dx9jukMH.d.cts

@@ -0,0 +1,31 @@
+import { H as HybridIdentityRecord } from './types-Ch0y-n7K.cjs';
+
+/**
+ * Omnituum PQC Shared - Integrity Verification
+ *
+ * SHA-256 based integrity checking for vault contents.
+ */
+
+/**
+ * Compute SHA-256 integrity hash for a list of identities.
+ * Uses only the public keys and metadata to create a deterministic hash.
+ */
+declare function computeIntegrityHash(identities: HybridIdentityRecord[]): string;
+/**
+ * Compute SHA-256 hash asynchronously using Web Crypto or Node fallback.
+ */
+declare function computeHashAsync(data: string): Promise<string>;
+/**
+ * Verify vault integrity.
+ */
+declare function verifyIntegrity(identities: HybridIdentityRecord[], expectedHash: string): Promise<boolean>;
+/**
+ * Compute a short fingerprint for an identity's public keys.
+ */
+declare function computeKeyFingerprint(identity: HybridIdentityRecord): Promise<string>;
+/**
+ * Format a fingerprint for display (groups of 4).
+ */
+declare function formatFingerprint(fingerprint: string): string;
+
+export { computeHashAsync as a, computeKeyFingerprint as b, computeIntegrityHash as c, formatFingerprint as f, verifyIntegrity as v };

package/dist/types-61c7Q9ri.d.ts

@@ -0,0 +1,134 @@
+import { V as VAULT_VERSION, a as VAULT_ENCRYPTED_VERSION, b as VAULT_KDF, c as VAULT_ALGORITHM, d as VAULT_ENCRYPTED_VERSION_V2, e as VAULT_KDF_V2 } from './version-BygzPVGs.js';
+
+/**
+ * Omnituum PQC Shared - Vault Types
+ *
+ * Type definitions for the PQC identity vault.
+ * FROZEN CONTRACTS - see pqc-docs/specs/vault.v1.md
+ */
+
+interface HybridIdentityRecord {
+    /** Unique identity ID */
+    id: string;
+    /** Display name */
+    name: string;
+    /** X25519 public key (hex) */
+    x25519PubHex: string;
+    /** X25519 secret key (hex) - encrypted in vault */
+    x25519SecHex: string;
+    /** Kyber public key (base64) */
+    kyberPubB64: string;
+    /** Kyber secret key (base64) - encrypted in vault */
+    kyberSecB64: string;
+    /** Creation timestamp */
+    createdAt: string;
+    /** Last rotation timestamp */
+    lastRotatedAt?: string;
+    /** Device fingerprint */
+    deviceFingerprint?: string;
+    /** Key rotation count */
+    rotationCount: number;
+    /** Identity metadata */
+    metadata?: {
+        label?: string;
+        notes?: string;
+        tags?: string[];
+    };
+}
+interface VaultSettings {
+    /** Auto-unlock on return (session memory) */
+    autoUnlock: boolean;
+    /** Last used identity ID */
+    lastUsedIdentity?: string;
+    /** Lock timeout in minutes (0 = never auto-lock) */
+    lockTimeout: number;
+    /** Show key fingerprints in UI */
+    showFingerprints: boolean;
+}
+interface OmnituumVault {
+    /** Vault format version (FROZEN - see pqc-docs/specs/vault.v1.md) */
+    version: typeof VAULT_VERSION;
+    /** Stored identities */
+    identities: HybridIdentityRecord[];
+    /** Vault settings */
+    settings: VaultSettings;
+    /** SHA-256 hash of serialized identities (integrity check) */
+    integrityHash: string;
+    /** Vault creation timestamp */
+    createdAt: string;
+    /** Last modified timestamp */
+    modifiedAt: string;
+}
+/** V1 encrypted vault (PBKDF2) */
+interface EncryptedVaultFileV1 {
+    /** File format version (FROZEN - see pqc-docs/specs/vault.v1.md) */
+    version: typeof VAULT_ENCRYPTED_VERSION;
+    /** Key derivation function */
+    kdf: typeof VAULT_KDF;
+    /** PBKDF2 iterations */
+    iterations: number;
+    /** Salt (base64) */
+    salt: string;
+    /** AES-GCM IV (base64) */
+    iv: string;
+    /** Encrypted vault (base64) */
+    ciphertext: string;
+    /** Auth tag included in ciphertext (AES-GCM) */
+    algorithm: typeof VAULT_ALGORITHM;
+}
+/** V2 encrypted vault (Argon2id) */
+interface EncryptedVaultFileV2 {
+    /** File format version */
+    version: typeof VAULT_ENCRYPTED_VERSION_V2;
+    /** Key derivation function */
+    kdf: typeof VAULT_KDF_V2;
+    /** Argon2id memory cost (KiB) */
+    memoryCost: number;
+    /** Argon2id time cost (iterations) */
+    timeCost: number;
+    /** Argon2id parallelism */
+    parallelism: number;
+    /** Salt (base64) */
+    salt: string;
+    /** AES-GCM IV (base64) */
+    iv: string;
+    /** Encrypted vault (base64) */
+    ciphertext: string;
+    /** Auth tag included in ciphertext (AES-GCM) */
+    algorithm: typeof VAULT_ALGORITHM;
+}
+/** Union type for any encrypted vault version */
+type EncryptedVaultFile = EncryptedVaultFileV1 | EncryptedVaultFileV2;
+type HealthStatus = 'healthy' | 'needs-rotation' | 'warning' | 'error';
+interface IdentityHealth {
+    /** Overall health status */
+    status: HealthStatus;
+    /** Entropy score (0-100) */
+    entropyScore: number;
+    /** Integrity verified */
+    integrityValid: boolean;
+    /** SHA-256 fingerprint */
+    fingerprint: string;
+    /** Days since last rotation */
+    daysSinceRotation: number;
+    /** Kyber key valid */
+    kyberValid: boolean;
+    /** X25519 key valid */
+    x25519Valid: boolean;
+    /** Recommendations */
+    recommendations: string[];
+}
+interface VaultSession {
+    /** Session active */
+    unlocked: boolean;
+    /** Derived encryption key (in memory only) */
+    sessionKey: CryptoKey | null;
+    /** Unlock timestamp */
+    unlockedAt: number | null;
+    /** Active identity ID */
+    activeIdentityId: string | null;
+}
+declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
+declare const PBKDF2_ITERATIONS = 600000;
+
+export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, type VaultSettings as V, type EncryptedVaultFileV2 as a, type VaultSession as b, type EncryptedVaultFileV1 as c, type HealthStatus as d };

package/dist/types-Ch0y-n7K.d.cts

@@ -0,0 +1,134 @@
+import { V as VAULT_VERSION, a as VAULT_ENCRYPTED_VERSION, b as VAULT_KDF, c as VAULT_ALGORITHM, d as VAULT_ENCRYPTED_VERSION_V2, e as VAULT_KDF_V2 } from './version-BygzPVGs.cjs';
+
+/**
+ * Omnituum PQC Shared - Vault Types
+ *
+ * Type definitions for the PQC identity vault.
+ * FROZEN CONTRACTS - see pqc-docs/specs/vault.v1.md
+ */
+
+interface HybridIdentityRecord {
+    /** Unique identity ID */
+    id: string;
+    /** Display name */
+    name: string;
+    /** X25519 public key (hex) */
+    x25519PubHex: string;
+    /** X25519 secret key (hex) - encrypted in vault */
+    x25519SecHex: string;
+    /** Kyber public key (base64) */
+    kyberPubB64: string;
+    /** Kyber secret key (base64) - encrypted in vault */
+    kyberSecB64: string;
+    /** Creation timestamp */
+    createdAt: string;
+    /** Last rotation timestamp */
+    lastRotatedAt?: string;
+    /** Device fingerprint */
+    deviceFingerprint?: string;
+    /** Key rotation count */
+    rotationCount: number;
+    /** Identity metadata */
+    metadata?: {
+        label?: string;
+        notes?: string;
+        tags?: string[];
+    };
+}
+interface VaultSettings {
+    /** Auto-unlock on return (session memory) */
+    autoUnlock: boolean;
+    /** Last used identity ID */
+    lastUsedIdentity?: string;
+    /** Lock timeout in minutes (0 = never auto-lock) */
+    lockTimeout: number;
+    /** Show key fingerprints in UI */
+    showFingerprints: boolean;
+}
+interface OmnituumVault {
+    /** Vault format version (FROZEN - see pqc-docs/specs/vault.v1.md) */
+    version: typeof VAULT_VERSION;
+    /** Stored identities */
+    identities: HybridIdentityRecord[];
+    /** Vault settings */
+    settings: VaultSettings;
+    /** SHA-256 hash of serialized identities (integrity check) */
+    integrityHash: string;
+    /** Vault creation timestamp */
+    createdAt: string;
+    /** Last modified timestamp */
+    modifiedAt: string;
+}
+/** V1 encrypted vault (PBKDF2) */
+interface EncryptedVaultFileV1 {
+    /** File format version (FROZEN - see pqc-docs/specs/vault.v1.md) */
+    version: typeof VAULT_ENCRYPTED_VERSION;
+    /** Key derivation function */
+    kdf: typeof VAULT_KDF;
+    /** PBKDF2 iterations */
+    iterations: number;
+    /** Salt (base64) */
+    salt: string;
+    /** AES-GCM IV (base64) */
+    iv: string;
+    /** Encrypted vault (base64) */
+    ciphertext: string;
+    /** Auth tag included in ciphertext (AES-GCM) */
+    algorithm: typeof VAULT_ALGORITHM;
+}
+/** V2 encrypted vault (Argon2id) */
+interface EncryptedVaultFileV2 {
+    /** File format version */
+    version: typeof VAULT_ENCRYPTED_VERSION_V2;
+    /** Key derivation function */
+    kdf: typeof VAULT_KDF_V2;
+    /** Argon2id memory cost (KiB) */
+    memoryCost: number;
+    /** Argon2id time cost (iterations) */
+    timeCost: number;
+    /** Argon2id parallelism */
+    parallelism: number;
+    /** Salt (base64) */
+    salt: string;
+    /** AES-GCM IV (base64) */
+    iv: string;
+    /** Encrypted vault (base64) */
+    ciphertext: string;
+    /** Auth tag included in ciphertext (AES-GCM) */
+    algorithm: typeof VAULT_ALGORITHM;
+}
+/** Union type for any encrypted vault version */
+type EncryptedVaultFile = EncryptedVaultFileV1 | EncryptedVaultFileV2;
+type HealthStatus = 'healthy' | 'needs-rotation' | 'warning' | 'error';
+interface IdentityHealth {
+    /** Overall health status */
+    status: HealthStatus;
+    /** Entropy score (0-100) */
+    entropyScore: number;
+    /** Integrity verified */
+    integrityValid: boolean;
+    /** SHA-256 fingerprint */
+    fingerprint: string;
+    /** Days since last rotation */
+    daysSinceRotation: number;
+    /** Kyber key valid */
+    kyberValid: boolean;
+    /** X25519 key valid */
+    x25519Valid: boolean;
+    /** Recommendations */
+    recommendations: string[];
+}
+interface VaultSession {
+    /** Session active */
+    unlocked: boolean;
+    /** Derived encryption key (in memory only) */
+    sessionKey: CryptoKey | null;
+    /** Unlock timestamp */
+    unlockedAt: number | null;
+    /** Active identity ID */
+    activeIdentityId: string | null;
+}
+declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
+declare const PBKDF2_ITERATIONS = 600000;
+
+export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, type VaultSettings as V, type EncryptedVaultFileV2 as a, type VaultSession as b, type EncryptedVaultFileV1 as c, type HealthStatus as d };

package/dist/utils/index.cjs

@@ -0,0 +1,129 @@
+'use strict';
+
+require('@noble/hashes/sha256');
+require('@noble/hashes/hmac');
+
+// src/utils/entropy.ts
+function generateId() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateShortId() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(4));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function calculateShannonEntropy(bytes) {
+  if (bytes.length === 0) return 0;
+  const freq = /* @__PURE__ */ new Map();
+  for (const byte of bytes) {
+    freq.set(byte, (freq.get(byte) || 0) + 1);
+  }
+  let entropy = 0;
+  const len = bytes.length;
+  for (const count of freq.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function calculateEntropyScore(hexKey) {
+  const clean = hexKey.startsWith("0x") ? hexKey.slice(2) : hexKey;
+  const bytes = new Uint8Array(clean.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
+  }
+  const entropy = calculateShannonEntropy(bytes);
+  return Math.min(100, Math.round(entropy / 8 * 100));
+}
+function hasGoodEntropy(hexKey, threshold = 70) {
+  return calculateEntropyScore(hexKey) >= threshold;
+}
+function isValidX25519Key(hexKey) {
+  const clean = hexKey.startsWith("0x") ? hexKey.slice(2) : hexKey;
+  return /^[0-9a-fA-F]{64}$/.test(clean);
+}
+function isValidKyberKey(b64Key) {
+  try {
+    const decoded = atob(b64Key);
+    return decoded.length >= 1e3 && decoded.length <= 1500;
+  } catch {
+    return false;
+  }
+}
+function daysSinceRotation(lastRotatedAt, createdAt) {
+  const dateStr = lastRotatedAt || createdAt;
+  if (!dateStr) return 0;
+  const date = new Date(dateStr);
+  const now = /* @__PURE__ */ new Date();
+  const diffMs = now.getTime() - date.getTime();
+  return Math.floor(diffMs / (1e3 * 60 * 60 * 24));
+}
+function shouldRotate(lastRotatedAt, createdAt, maxDays = 90) {
+  return daysSinceRotation(lastRotatedAt, createdAt) >= maxDays;
+}
+new TextEncoder();
+new TextDecoder();
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/utils/integrity.ts
+function computeIntegrityHash(identities) {
+  const canonical = identities.map((i) => ({
+    id: i.id,
+    name: i.name,
+    x25519PubHex: i.x25519PubHex,
+    kyberPubB64: i.kyberPubB64,
+    createdAt: i.createdAt,
+    rotationCount: i.rotationCount
+  }));
+  const serialized = JSON.stringify(canonical, Object.keys(canonical[0] || {}).sort());
+  return computeStringHash(serialized);
+}
+function computeStringHash(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(16).padStart(16, "0");
+}
+async function computeHashAsync(data) {
+  const encoder = new TextEncoder();
+  const bytes = encoder.encode(data);
+  const subtle = globalThis.crypto?.subtle;
+  if (subtle) {
+    const hashBuffer = await subtle.digest("SHA-256", bytes);
+    return toHex(new Uint8Array(hashBuffer));
+  }
+  const { createHash } = await import('crypto');
+  return toHex(new Uint8Array(createHash("sha256").update(bytes).digest()));
+}
+async function verifyIntegrity(identities, expectedHash) {
+  const computed = computeIntegrityHash(identities);
+  return computed === expectedHash;
+}
+async function computeKeyFingerprint(identity) {
+  const combined = identity.x25519PubHex + identity.kyberPubB64;
+  const hash = await computeHashAsync(combined);
+  return hash.slice(0, 16).toUpperCase();
+}
+function formatFingerprint(fingerprint) {
+  return fingerprint.match(/.{1,4}/g)?.join(" ") || fingerprint;
+}
+
+exports.calculateEntropyScore = calculateEntropyScore;
+exports.calculateShannonEntropy = calculateShannonEntropy;
+exports.computeHashAsync = computeHashAsync;
+exports.computeIntegrityHash = computeIntegrityHash;
+exports.computeKeyFingerprint = computeKeyFingerprint;
+exports.daysSinceRotation = daysSinceRotation;
+exports.formatFingerprint = formatFingerprint;
+exports.generateId = generateId;
+exports.generateShortId = generateShortId;
+exports.hasGoodEntropy = hasGoodEntropy;
+exports.isValidKyberKey = isValidKyberKey;
+exports.isValidX25519Key = isValidX25519Key;
+exports.shouldRotate = shouldRotate;
+exports.verifyIntegrity = verifyIntegrity;

package/dist/utils/index.d.cts

@@ -0,0 +1,49 @@
+export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-Dx9jukMH.cjs';
+import '../types-Ch0y-n7K.cjs';
+import '../version-BygzPVGs.cjs';
+
+/**
+ * Omnituum PQC Shared - Entropy & Randomness Utilities
+ *
+ * Functions for generating secure random values and measuring entropy.
+ */
+/**
+ * Generate a cryptographically secure random ID.
+ */
+declare function generateId(): string;
+/**
+ * Generate a short random ID (8 characters).
+ */
+declare function generateShortId(): string;
+/**
+ * Calculate Shannon entropy of a byte array.
+ * Returns bits per byte (max 8.0 for perfect randomness).
+ */
+declare function calculateShannonEntropy(bytes: Uint8Array): number;
+/**
+ * Calculate entropy score (0-100) for key material.
+ * 100 = perfect entropy, 0 = no entropy.
+ */
+declare function calculateEntropyScore(hexKey: string): number;
+/**
+ * Check if a key has sufficient entropy.
+ */
+declare function hasGoodEntropy(hexKey: string, threshold?: number): boolean;
+/**
+ * Validate X25519 public key format.
+ */
+declare function isValidX25519Key(hexKey: string): boolean;
+/**
+ * Validate Kyber public key format (base64, ~1568 bytes for ML-KEM-768).
+ */
+declare function isValidKyberKey(b64Key: string): boolean;
+/**
+ * Calculate days since last rotation.
+ */
+declare function daysSinceRotation(lastRotatedAt?: string, createdAt?: string): number;
+/**
+ * Check if keys should be rotated (default: 90 days).
+ */
+declare function shouldRotate(lastRotatedAt?: string, createdAt?: string, maxDays?: number): boolean;
+
+export { calculateEntropyScore, calculateShannonEntropy, daysSinceRotation, generateId, generateShortId, hasGoodEntropy, isValidKyberKey, isValidX25519Key, shouldRotate };

package/dist/utils/index.d.ts

@@ -0,0 +1,49 @@
+export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-CCYjrap3.js';
+import '../types-61c7Q9ri.js';
+import '../version-BygzPVGs.js';
+
+/**
+ * Omnituum PQC Shared - Entropy & Randomness Utilities
+ *
+ * Functions for generating secure random values and measuring entropy.
+ */
+/**
+ * Generate a cryptographically secure random ID.
+ */
+declare function generateId(): string;
+/**
+ * Generate a short random ID (8 characters).
+ */
+declare function generateShortId(): string;
+/**
+ * Calculate Shannon entropy of a byte array.
+ * Returns bits per byte (max 8.0 for perfect randomness).
+ */
+declare function calculateShannonEntropy(bytes: Uint8Array): number;
+/**
+ * Calculate entropy score (0-100) for key material.
+ * 100 = perfect entropy, 0 = no entropy.
+ */
+declare function calculateEntropyScore(hexKey: string): number;
+/**
+ * Check if a key has sufficient entropy.
+ */
+declare function hasGoodEntropy(hexKey: string, threshold?: number): boolean;
+/**
+ * Validate X25519 public key format.
+ */
+declare function isValidX25519Key(hexKey: string): boolean;
+/**
+ * Validate Kyber public key format (base64, ~1568 bytes for ML-KEM-768).
+ */
+declare function isValidKyberKey(b64Key: string): boolean;
+/**
+ * Calculate days since last rotation.
+ */
+declare function daysSinceRotation(lastRotatedAt?: string, createdAt?: string): number;
+/**
+ * Check if keys should be rotated (default: 90 days).
+ */
+declare function shouldRotate(lastRotatedAt?: string, createdAt?: string, maxDays?: number): boolean;
+
+export { calculateEntropyScore, calculateShannonEntropy, daysSinceRotation, generateId, generateShortId, hasGoodEntropy, isValidKyberKey, isValidX25519Key, shouldRotate };

package/dist/utils/index.js

@@ -0,0 +1,114 @@
+import '@noble/hashes/sha256';
+import '@noble/hashes/hmac';
+
+// src/utils/entropy.ts
+function generateId() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateShortId() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(4));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function calculateShannonEntropy(bytes) {
+  if (bytes.length === 0) return 0;
+  const freq = /* @__PURE__ */ new Map();
+  for (const byte of bytes) {
+    freq.set(byte, (freq.get(byte) || 0) + 1);
+  }
+  let entropy = 0;
+  const len = bytes.length;
+  for (const count of freq.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function calculateEntropyScore(hexKey) {
+  const clean = hexKey.startsWith("0x") ? hexKey.slice(2) : hexKey;
+  const bytes = new Uint8Array(clean.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
+  }
+  const entropy = calculateShannonEntropy(bytes);
+  return Math.min(100, Math.round(entropy / 8 * 100));
+}
+function hasGoodEntropy(hexKey, threshold = 70) {
+  return calculateEntropyScore(hexKey) >= threshold;
+}
+function isValidX25519Key(hexKey) {
+  const clean = hexKey.startsWith("0x") ? hexKey.slice(2) : hexKey;
+  return /^[0-9a-fA-F]{64}$/.test(clean);
+}
+function isValidKyberKey(b64Key) {
+  try {
+    const decoded = atob(b64Key);
+    return decoded.length >= 1e3 && decoded.length <= 1500;
+  } catch {
+    return false;
+  }
+}
+function daysSinceRotation(lastRotatedAt, createdAt) {
+  const dateStr = lastRotatedAt || createdAt;
+  if (!dateStr) return 0;
+  const date = new Date(dateStr);
+  const now = /* @__PURE__ */ new Date();
+  const diffMs = now.getTime() - date.getTime();
+  return Math.floor(diffMs / (1e3 * 60 * 60 * 24));
+}
+function shouldRotate(lastRotatedAt, createdAt, maxDays = 90) {
+  return daysSinceRotation(lastRotatedAt, createdAt) >= maxDays;
+}
+new TextEncoder();
+new TextDecoder();
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/utils/integrity.ts
+function computeIntegrityHash(identities) {
+  const canonical = identities.map((i) => ({
+    id: i.id,
+    name: i.name,
+    x25519PubHex: i.x25519PubHex,
+    kyberPubB64: i.kyberPubB64,
+    createdAt: i.createdAt,
+    rotationCount: i.rotationCount
+  }));
+  const serialized = JSON.stringify(canonical, Object.keys(canonical[0] || {}).sort());
+  return computeStringHash(serialized);
+}
+function computeStringHash(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(16).padStart(16, "0");
+}
+async function computeHashAsync(data) {
+  const encoder = new TextEncoder();
+  const bytes = encoder.encode(data);
+  const subtle = globalThis.crypto?.subtle;
+  if (subtle) {
+    const hashBuffer = await subtle.digest("SHA-256", bytes);
+    return toHex(new Uint8Array(hashBuffer));
+  }
+  const { createHash } = await import('crypto');
+  return toHex(new Uint8Array(createHash("sha256").update(bytes).digest()));
+}
+async function verifyIntegrity(identities, expectedHash) {
+  const computed = computeIntegrityHash(identities);
+  return computed === expectedHash;
+}
+async function computeKeyFingerprint(identity) {
+  const combined = identity.x25519PubHex + identity.kyberPubB64;
+  const hash = await computeHashAsync(combined);
+  return hash.slice(0, 16).toUpperCase();
+}
+function formatFingerprint(fingerprint) {
+  return fingerprint.match(/.{1,4}/g)?.join(" ") || fingerprint;
+}
+
+export { calculateEntropyScore, calculateShannonEntropy, computeHashAsync, computeIntegrityHash, computeKeyFingerprint, daysSinceRotation, formatFingerprint, generateId, generateShortId, hasGoodEntropy, isValidKyberKey, isValidX25519Key, shouldRotate, verifyIntegrity };