npm - @omnituum/pqc-shared - Versions diffs - 0.2.6 - Mend

@omnituum/pqc-shared 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/LICENSE +22 -0
package/README.md +543 -0
package/dist/crypto/index.cjs +807 -0
package/dist/crypto/index.d.cts +641 -0
package/dist/crypto/index.d.ts +641 -0
package/dist/crypto/index.js +716 -0
package/dist/decrypt-eSHlbh1j.d.cts +321 -0
package/dist/decrypt-eSHlbh1j.d.ts +321 -0
package/dist/fs/index.cjs +1168 -0
package/dist/fs/index.d.cts +400 -0
package/dist/fs/index.d.ts +400 -0
package/dist/fs/index.js +1091 -0
package/dist/index.cjs +2160 -0
package/dist/index.d.cts +282 -0
package/dist/index.d.ts +282 -0
package/dist/index.js +2031 -0
package/dist/integrity-CCYjrap3.d.ts +31 -0
package/dist/integrity-Dx9jukMH.d.cts +31 -0
package/dist/types-61c7Q9ri.d.ts +134 -0
package/dist/types-Ch0y-n7K.d.cts +134 -0
package/dist/utils/index.cjs +129 -0
package/dist/utils/index.d.cts +49 -0
package/dist/utils/index.d.ts +49 -0
package/dist/utils/index.js +114 -0
package/dist/vault/index.cjs +713 -0
package/dist/vault/index.d.cts +237 -0
package/dist/vault/index.d.ts +237 -0
package/dist/vault/index.js +677 -0
package/dist/version-BygzPVGs.d.cts +55 -0
package/dist/version-BygzPVGs.d.ts +55 -0
package/package.json +86 -0
package/src/crypto/dilithium.ts +233 -0
package/src/crypto/hybrid.ts +358 -0
package/src/crypto/index.ts +181 -0
package/src/crypto/kyber.ts +199 -0
package/src/crypto/nacl.ts +204 -0
package/src/crypto/primitives/blake3.ts +141 -0
package/src/crypto/primitives/chacha.ts +211 -0
package/src/crypto/primitives/hkdf.ts +192 -0
package/src/crypto/primitives/index.ts +54 -0
package/src/crypto/primitives.ts +144 -0
package/src/crypto/x25519.ts +134 -0
package/src/fs/aes.ts +343 -0
package/src/fs/argon2.ts +184 -0
package/src/fs/browser.ts +408 -0
package/src/fs/decrypt.ts +320 -0
package/src/fs/encrypt.ts +324 -0
package/src/fs/format.ts +425 -0
package/src/fs/index.ts +144 -0
package/src/fs/types.ts +304 -0
package/src/index.ts +414 -0
package/src/kdf/index.ts +311 -0
package/src/runtime/crypto.ts +16 -0
package/src/security/index.ts +345 -0
package/src/tunnel/index.ts +39 -0
package/src/tunnel/session.ts +229 -0
package/src/tunnel/types.ts +115 -0
package/src/utils/entropy.ts +128 -0
package/src/utils/index.ts +25 -0
package/src/utils/integrity.ts +95 -0
package/src/vault/decrypt.ts +167 -0
package/src/vault/encrypt.ts +207 -0
package/src/vault/index.ts +71 -0
package/src/vault/manager.ts +327 -0
package/src/vault/migrate.ts +190 -0
package/src/vault/types.ts +177 -0
package/src/version.ts +304 -0

package/dist/vault/index.d.cts ADDED Viewed

@@ -0,0 +1,237 @@
+import { O as OmnituumVault, E as EncryptedVaultFile, a as EncryptedVaultFileV2, H as HybridIdentityRecord, V as VaultSettings, b as VaultSession } from '../types-Ch0y-n7K.cjs';
+export { D as DEFAULT_VAULT_SETTINGS, c as EncryptedVaultFileV1, d as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-Ch0y-n7K.cjs';
+import '../version-BygzPVGs.cjs';
+/**
+ * Omnituum PQC Shared - Vault Encryption
+ *
+ * Password-based encryption using PBKDF2 or Argon2id + AES-256-GCM.
+ * All operations use the Web Crypto API for browser compatibility.
+ */
+/**
+ * Derive an AES-256 key from a password using PBKDF2-SHA256.
+ *
+ * @param password - User password
+ * @param salt - 32-byte salt
+ * @param iterations - PBKDF2 iterations (default: 600,000)
+ * @returns CryptoKey for AES-GCM
+ */
+declare function deriveKey(password: string, salt: Uint8Array, iterations?: number): Promise<CryptoKey>;
+/**
+ * Encrypt a vault with a password.
+ *
+ * Uses PBKDF2-SHA256 for key derivation and AES-256-GCM for encryption.
+ * The salt and IV are randomly generated and included in the output.
+ *
+ * @param vault - Vault to encrypt
+ * @param password - User password
+ * @returns Encrypted vault file structure
+ */
+declare function encryptVault(vault: OmnituumVault, password: string): Promise<EncryptedVaultFile>;
+/**
+ * Encrypt vault to a downloadable blob.
+ *
+ * @param vault - Vault to encrypt
+ * @param password - User password
+ * @returns Blob for download
+ */
+declare function encryptVaultToBlob(vault: OmnituumVault, password: string): Promise<Blob>;
+/**
+ * Encrypt vault to a data URL for download.
+ *
+ * @param vault - Vault to encrypt
+ * @param password - User password
+ * @returns Data URL
+ */
+declare function encryptVaultToDataURL(vault: OmnituumVault, password: string): Promise<string>;
+/**
+ * Encrypt a vault with a password using Argon2id (v2 format).
+ *
+ * Uses Argon2id for key derivation (64MB memory, 3 iterations) and AES-256-GCM.
+ * This is the recommended format for new vaults.
+ *
+ * @param vault - Vault to encrypt
+ * @param password - User password
+ * @returns Encrypted vault file structure (v2)
+ */
+declare function encryptVaultV2(vault: OmnituumVault, password: string): Promise<EncryptedVaultFileV2>;
+/**
+ * Omnituum PQC Shared - Vault Decryption
+ *
+ * Password-based decryption using PBKDF2 or Argon2id + AES-256-GCM.
+ * Includes integrity verification.
+ */
+/**
+ * Decrypt an encrypted vault file with a password.
+ * Supports both v1 (PBKDF2) and v2 (Argon2id) formats.
+ *
+ * @param encryptedFile - Encrypted vault file structure
+ * @param password - User password
+ * @returns Decrypted vault
+ * @throws Error if decryption fails (wrong password or corrupted data)
+ */
+declare function decryptVault(encryptedFile: EncryptedVaultFile, password: string): Promise<OmnituumVault>;
+/**
+ * Decrypt a vault from a JSON string.
+ *
+ * @param json - Encrypted vault JSON string
+ * @param password - User password
+ * @returns Decrypted vault
+ */
+declare function decryptVaultFromJson(json: string, password: string): Promise<OmnituumVault>;
+/**
+ * Decrypt a vault from a File object.
+ *
+ * @param file - File object (from file input)
+ * @param password - User password
+ * @returns Decrypted vault
+ */
+declare function decryptVaultFromFile(file: File, password: string): Promise<OmnituumVault>;
+/**
+ * Validate an encrypted vault file without decrypting.
+ *
+ * @param json - JSON string to validate
+ * @returns true if valid encrypted vault file structure
+ */
+declare function isValidEncryptedVaultFile(json: string): boolean;
+/**
+ * Omnituum PQC Shared - Vault Manager
+ *
+ * High-level operations for managing the PQC identity vault.
+ * Handles identity creation, rotation, import/export, and session management.
+ */
+/**
+ * Create a new empty vault.
+ */
+declare function createEmptyVault(): OmnituumVault;
+/**
+ * Create a new hybrid identity.
+ */
+declare function createIdentity(name: string): Promise<HybridIdentityRecord | null>;
+/**
+ * Add an identity to the vault.
+ */
+declare function addIdentity(vault: OmnituumVault, identity: HybridIdentityRecord): OmnituumVault;
+/**
+ * Remove an identity from the vault.
+ */
+declare function removeIdentity(vault: OmnituumVault, identityId: string): OmnituumVault;
+/**
+ * Rotate keys for an identity (regenerate Kyber + X25519).
+ */
+declare function rotateIdentityKeys(vault: OmnituumVault, identityId: string): Promise<OmnituumVault | null>;
+/**
+ * Update identity metadata.
+ */
+declare function updateIdentityMetadata(vault: OmnituumVault, identityId: string, updates: Partial<Pick<HybridIdentityRecord, 'name' | 'metadata'>>): OmnituumVault;
+/**
+ * Update vault settings.
+ */
+declare function updateSettings(vault: OmnituumVault, settings: Partial<VaultSettings>): OmnituumVault;
+/**
+ * Set the active identity.
+ */
+declare function setActiveIdentity(vault: OmnituumVault, identityId: string): OmnituumVault;
+/**
+ * Export vault to encrypted file.
+ */
+declare function exportVault(vault: OmnituumVault, password: string): Promise<Blob>;
+/**
+ * Import vault from encrypted file.
+ */
+declare function importVault(file: File, password: string): Promise<OmnituumVault>;
+/**
+ * Trigger download of encrypted vault.
+ */
+declare function downloadVault(vault: OmnituumVault, password: string): Promise<void>;
+/**
+ * Get current session state.
+ */
+declare function getSession(): VaultSession;
+/**
+ * Unlock vault and store session key in memory.
+ */
+declare function unlockSession(password: string, vault: OmnituumVault): Promise<boolean>;
+/**
+ * Lock the session.
+ */
+declare function lockSession(): void;
+/**
+ * Set active identity in session.
+ */
+declare function setSessionActiveIdentity(identityId: string): void;
+/**
+ * Omnituum PQC Shared - Vault Migration
+ *
+ * One-way migration from v1 (PBKDF2) to v2 (Argon2id) encrypted vaults.
+ * Includes memory hygiene for sensitive data.
+ */
+interface MigrationOptions {
+    /** Source encrypted vault */
+    encryptedVault: EncryptedVaultFile;
+    /** Vault password */
+    password: string;
+    /** Keep backup of original vault data (default: false) */
+    keepBackup?: boolean;
+}
+interface MigrationResult {
+    /** New v2 encrypted vault */
+    encryptedVault: EncryptedVaultFileV2;
+    /** Original vault (only if keepBackup was true) */
+    backup?: EncryptedVaultFile;
+    /** Source version */
+    sourceVersion: string;
+    /** Target version */
+    targetVersion: string;
+    /** Migration timestamp */
+    migratedAt: string;
+}
+/**
+ * Check if vault needs migration (is v1 format).
+ */
+declare function needsMigration(encryptedVault: EncryptedVaultFile): boolean;
+/**
+ * Check if vault is already v2 format.
+ */
+declare function isV2Vault(encryptedVault: EncryptedVaultFile): boolean;
+/**
+ * Get vault KDF info for display.
+ */
+declare function getVaultKdfInfo(encryptedVault: EncryptedVaultFile): {
+    kdf: string;
+    version: string;
+    isSecure: boolean;
+    recommendation?: string;
+};
+/**
+ * Migrate an encrypted vault from v1 (PBKDF2) to v2 (Argon2id).
+ *
+ * This is a ONE-WAY migration. The original vault remains unchanged,
+ * but a new v2 encrypted vault is returned.
+ *
+ * Memory hygiene: Sensitive data (decrypted vault) is zeroed after use.
+ *
+ * @param options - Migration options
+ * @returns Migration result with new v2 vault
+ * @throws Error if decryption fails or vault is already v2
+ */
+declare function migrateEncryptedVault(options: MigrationOptions): Promise<MigrationResult>;
+/**
+ * Validate migration by decrypting both versions and comparing.
+ * Used for testing migration integrity.
+ *
+ * @param original - Original encrypted vault
+ * @param migrated - Migrated encrypted vault
+ * @param password - Vault password
+ * @returns true if vaults contain identical data
+ */
+declare function validateMigration(original: EncryptedVaultFile, migrated: EncryptedVaultFileV2, password: string): Promise<boolean>;
+export { EncryptedVaultFile, EncryptedVaultFileV2, HybridIdentityRecord, type MigrationOptions, type MigrationResult, OmnituumVault, VaultSession, VaultSettings, addIdentity, createEmptyVault, createIdentity, decryptVault, decryptVaultFromFile, decryptVaultFromJson, deriveKey, downloadVault, encryptVault, encryptVaultToBlob, encryptVaultToDataURL, encryptVaultV2, exportVault, getSession, getVaultKdfInfo, importVault, isV2Vault, isValidEncryptedVaultFile, lockSession, migrateEncryptedVault, needsMigration, removeIdentity, rotateIdentityKeys, setActiveIdentity, setSessionActiveIdentity, unlockSession, updateIdentityMetadata, updateSettings, validateMigration };

package/dist/vault/index.d.ts ADDED Viewed

@@ -0,0 +1,237 @@
+import { O as OmnituumVault, E as EncryptedVaultFile, a as EncryptedVaultFileV2, H as HybridIdentityRecord, V as VaultSettings, b as VaultSession } from '../types-61c7Q9ri.js';
+export { D as DEFAULT_VAULT_SETTINGS, c as EncryptedVaultFileV1, d as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-61c7Q9ri.js';
+import '../version-BygzPVGs.js';
+/**
+ * Omnituum PQC Shared - Vault Encryption
+ *
+ * Password-based encryption using PBKDF2 or Argon2id + AES-256-GCM.
+ * All operations use the Web Crypto API for browser compatibility.
+ */
+/**
+ * Derive an AES-256 key from a password using PBKDF2-SHA256.
+ *
+ * @param password - User password
+ * @param salt - 32-byte salt
+ * @param iterations - PBKDF2 iterations (default: 600,000)
+ * @returns CryptoKey for AES-GCM
+ */
+declare function deriveKey(password: string, salt: Uint8Array, iterations?: number): Promise<CryptoKey>;
+/**
+ * Encrypt a vault with a password.
+ *
+ * Uses PBKDF2-SHA256 for key derivation and AES-256-GCM for encryption.
+ * The salt and IV are randomly generated and included in the output.
+ *
+ * @param vault - Vault to encrypt
+ * @param password - User password
+ * @returns Encrypted vault file structure
+ */
+declare function encryptVault(vault: OmnituumVault, password: string): Promise<EncryptedVaultFile>;
+/**
+ * Encrypt vault to a downloadable blob.
+ *
+ * @param vault - Vault to encrypt
+ * @param password - User password
+ * @returns Blob for download
+ */
+declare function encryptVaultToBlob(vault: OmnituumVault, password: string): Promise<Blob>;
+/**
+ * Encrypt vault to a data URL for download.
+ *
+ * @param vault - Vault to encrypt
+ * @param password - User password
+ * @returns Data URL
+ */
+declare function encryptVaultToDataURL(vault: OmnituumVault, password: string): Promise<string>;
+/**
+ * Encrypt a vault with a password using Argon2id (v2 format).
+ *
+ * Uses Argon2id for key derivation (64MB memory, 3 iterations) and AES-256-GCM.
+ * This is the recommended format for new vaults.
+ *
+ * @param vault - Vault to encrypt
+ * @param password - User password
+ * @returns Encrypted vault file structure (v2)
+ */
+declare function encryptVaultV2(vault: OmnituumVault, password: string): Promise<EncryptedVaultFileV2>;
+/**
+ * Omnituum PQC Shared - Vault Decryption
+ *
+ * Password-based decryption using PBKDF2 or Argon2id + AES-256-GCM.
+ * Includes integrity verification.
+ */
+/**
+ * Decrypt an encrypted vault file with a password.
+ * Supports both v1 (PBKDF2) and v2 (Argon2id) formats.
+ *
+ * @param encryptedFile - Encrypted vault file structure
+ * @param password - User password
+ * @returns Decrypted vault
+ * @throws Error if decryption fails (wrong password or corrupted data)
+ */
+declare function decryptVault(encryptedFile: EncryptedVaultFile, password: string): Promise<OmnituumVault>;
+/**
+ * Decrypt a vault from a JSON string.
+ *
+ * @param json - Encrypted vault JSON string
+ * @param password - User password
+ * @returns Decrypted vault
+ */
+declare function decryptVaultFromJson(json: string, password: string): Promise<OmnituumVault>;
+/**
+ * Decrypt a vault from a File object.
+ *
+ * @param file - File object (from file input)
+ * @param password - User password
+ * @returns Decrypted vault
+ */
+declare function decryptVaultFromFile(file: File, password: string): Promise<OmnituumVault>;
+/**
+ * Validate an encrypted vault file without decrypting.
+ *
+ * @param json - JSON string to validate
+ * @returns true if valid encrypted vault file structure
+ */
+declare function isValidEncryptedVaultFile(json: string): boolean;
+/**
+ * Omnituum PQC Shared - Vault Manager
+ *
+ * High-level operations for managing the PQC identity vault.
+ * Handles identity creation, rotation, import/export, and session management.
+ */
+/**
+ * Create a new empty vault.
+ */
+declare function createEmptyVault(): OmnituumVault;
+/**
+ * Create a new hybrid identity.
+ */
+declare function createIdentity(name: string): Promise<HybridIdentityRecord | null>;
+/**
+ * Add an identity to the vault.
+ */
+declare function addIdentity(vault: OmnituumVault, identity: HybridIdentityRecord): OmnituumVault;
+/**
+ * Remove an identity from the vault.
+ */
+declare function removeIdentity(vault: OmnituumVault, identityId: string): OmnituumVault;
+/**
+ * Rotate keys for an identity (regenerate Kyber + X25519).
+ */
+declare function rotateIdentityKeys(vault: OmnituumVault, identityId: string): Promise<OmnituumVault | null>;
+/**
+ * Update identity metadata.
+ */
+declare function updateIdentityMetadata(vault: OmnituumVault, identityId: string, updates: Partial<Pick<HybridIdentityRecord, 'name' | 'metadata'>>): OmnituumVault;
+/**
+ * Update vault settings.
+ */
+declare function updateSettings(vault: OmnituumVault, settings: Partial<VaultSettings>): OmnituumVault;
+/**
+ * Set the active identity.
+ */
+declare function setActiveIdentity(vault: OmnituumVault, identityId: string): OmnituumVault;
+/**
+ * Export vault to encrypted file.
+ */
+declare function exportVault(vault: OmnituumVault, password: string): Promise<Blob>;
+/**
+ * Import vault from encrypted file.
+ */
+declare function importVault(file: File, password: string): Promise<OmnituumVault>;
+/**
+ * Trigger download of encrypted vault.
+ */
+declare function downloadVault(vault: OmnituumVault, password: string): Promise<void>;
+/**
+ * Get current session state.
+ */
+declare function getSession(): VaultSession;
+/**
+ * Unlock vault and store session key in memory.
+ */
+declare function unlockSession(password: string, vault: OmnituumVault): Promise<boolean>;
+/**
+ * Lock the session.
+ */
+declare function lockSession(): void;
+/**
+ * Set active identity in session.
+ */
+declare function setSessionActiveIdentity(identityId: string): void;
+/**
+ * Omnituum PQC Shared - Vault Migration
+ *
+ * One-way migration from v1 (PBKDF2) to v2 (Argon2id) encrypted vaults.
+ * Includes memory hygiene for sensitive data.
+ */
+interface MigrationOptions {
+    /** Source encrypted vault */
+    encryptedVault: EncryptedVaultFile;
+    /** Vault password */
+    password: string;
+    /** Keep backup of original vault data (default: false) */
+    keepBackup?: boolean;
+}
+interface MigrationResult {
+    /** New v2 encrypted vault */
+    encryptedVault: EncryptedVaultFileV2;
+    /** Original vault (only if keepBackup was true) */
+    backup?: EncryptedVaultFile;
+    /** Source version */
+    sourceVersion: string;
+    /** Target version */
+    targetVersion: string;
+    /** Migration timestamp */
+    migratedAt: string;
+}
+/**
+ * Check if vault needs migration (is v1 format).
+ */
+declare function needsMigration(encryptedVault: EncryptedVaultFile): boolean;
+/**
+ * Check if vault is already v2 format.
+ */
+declare function isV2Vault(encryptedVault: EncryptedVaultFile): boolean;
+/**
+ * Get vault KDF info for display.
+ */
+declare function getVaultKdfInfo(encryptedVault: EncryptedVaultFile): {
+    kdf: string;
+    version: string;
+    isSecure: boolean;
+    recommendation?: string;
+};
+/**
+ * Migrate an encrypted vault from v1 (PBKDF2) to v2 (Argon2id).
+ *
+ * This is a ONE-WAY migration. The original vault remains unchanged,
+ * but a new v2 encrypted vault is returned.
+ *
+ * Memory hygiene: Sensitive data (decrypted vault) is zeroed after use.
+ *
+ * @param options - Migration options
+ * @returns Migration result with new v2 vault
+ * @throws Error if decryption fails or vault is already v2
+ */
+declare function migrateEncryptedVault(options: MigrationOptions): Promise<MigrationResult>;
+/**
+ * Validate migration by decrypting both versions and comparing.
+ * Used for testing migration integrity.
+ *
+ * @param original - Original encrypted vault
+ * @param migrated - Migrated encrypted vault
+ * @param password - Vault password
+ * @returns true if vaults contain identical data
+ */
+declare function validateMigration(original: EncryptedVaultFile, migrated: EncryptedVaultFileV2, password: string): Promise<boolean>;
+export { EncryptedVaultFile, EncryptedVaultFileV2, HybridIdentityRecord, type MigrationOptions, type MigrationResult, OmnituumVault, VaultSession, VaultSettings, addIdentity, createEmptyVault, createIdentity, decryptVault, decryptVaultFromFile, decryptVaultFromJson, deriveKey, downloadVault, encryptVault, encryptVaultToBlob, encryptVaultToDataURL, encryptVaultV2, exportVault, getSession, getVaultKdfInfo, importVault, isV2Vault, isValidEncryptedVaultFile, lockSession, migrateEncryptedVault, needsMigration, removeIdentity, rotateIdentityKeys, setActiveIdentity, setSessionActiveIdentity, unlockSession, updateIdentityMetadata, updateSettings, validateMigration };