@omnituum/pqc-shared 0.2.6

package/dist/vault/index.js

@@ -0,0 +1,677 @@
+import '@noble/hashes/sha256';
+import '@noble/hashes/hmac';
+import { argon2id } from 'hash-wasm';
+import nacl from 'tweetnacl';
+import '@noble/hashes/blake3';
+import '@noble/ciphers/chacha';
+import '@noble/hashes/hkdf';
+import '@noble/hashes/sha512';
+
+// src/vault/types.ts
+var DEFAULT_VAULT_SETTINGS = {
+  autoUnlock: false,
+  lockTimeout: 15,
+  showFingerprints: true
+};
+var PBKDF2_ITERATIONS = 6e5;
+new TextEncoder();
+new TextDecoder();
+function toB64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function fromB64(str) {
+  const binary = atob(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var b64 = toB64;
+
+// src/version.ts
+var VAULT_VERSION = "omnituum.vault.v1";
+var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
+var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
+var VAULT_KDF = "PBKDF2-SHA256";
+var VAULT_KDF_V2 = "Argon2id";
+var VAULT_ALGORITHM = "AES-256-GCM";
+var SUPPORTED_VAULT_VERSIONS = [
+  VAULT_VERSION
+];
+var SUPPORTED_VAULT_ENCRYPTED_VERSIONS = [
+  VAULT_ENCRYPTED_VERSION,
+  VAULT_ENCRYPTED_VERSION_V2
+];
+var VersionMismatchError = class extends Error {
+  constructor(type, expected, received) {
+    super(
+      `Version mismatch for ${type}: expected one of [${expected.join(", ")}], got "${received}". This may indicate data corruption or a newer format. See pqc-docs/specs/ for format specifications.`
+    );
+    this.type = type;
+    this.expected = expected;
+    this.received = received;
+    this.name = "VersionMismatchError";
+  }
+};
+function assertVaultVersion(version) {
+  if (!SUPPORTED_VAULT_VERSIONS.includes(version)) {
+    throw new VersionMismatchError("vault", SUPPORTED_VAULT_VERSIONS, version);
+  }
+}
+function assertVaultEncryptedVersion(version) {
+  if (!SUPPORTED_VAULT_ENCRYPTED_VERSIONS.includes(version)) {
+    throw new VersionMismatchError("vault_encrypted", SUPPORTED_VAULT_ENCRYPTED_VERSIONS, version);
+  }
+}
+var KDF_CONFIG_PBKDF2 = {
+  algorithm: "PBKDF2-SHA256",
+  pbkdf2Iterations: 6e5,
+  // OWASP 2023
+  saltLength: 32,
+  hashLength: 32
+};
+var KDF_CONFIG_ARGON2ID = {
+  algorithm: "Argon2id",
+  argon2MemoryCost: 65536,
+  // 64 MB
+  argon2TimeCost: 3,
+  argon2Parallelism: 4,
+  saltLength: 32,
+  hashLength: 32
+};
+var KDF_CONFIG_DEFAULT = KDF_CONFIG_PBKDF2;
+var textEncoder2 = new TextEncoder();
+async function derivePBKDF2(password, salt, iterations, hashLength) {
+  const passwordKey = await globalThis.crypto.subtle.importKey(
+    "raw",
+    textEncoder2.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const saltBuffer = new ArrayBuffer(salt.length);
+  new Uint8Array(saltBuffer).set(salt);
+  const bits = await globalThis.crypto.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt: saltBuffer,
+      iterations,
+      hash: "SHA-256"
+    },
+    passwordKey,
+    hashLength * 8
+  );
+  return new Uint8Array(bits);
+}
+async function deriveArgon2id(password, salt, memoryCost, timeCost, parallelism, hashLength) {
+  const hash = await argon2id({
+    password,
+    salt,
+    parallelism,
+    iterations: timeCost,
+    memorySize: memoryCost,
+    hashLength,
+    outputType: "binary"
+  });
+  return new Uint8Array(hash);
+}
+async function kdfDeriveKey(password, salt, config = KDF_CONFIG_DEFAULT) {
+  if (salt.length !== config.saltLength) {
+    throw new Error(`Salt must be ${config.saltLength} bytes, got ${salt.length}`);
+  }
+  if (config.algorithm === "PBKDF2-SHA256") {
+    return derivePBKDF2(
+      password,
+      salt,
+      config.pbkdf2Iterations ?? 6e5,
+      config.hashLength
+    );
+  } else if (config.algorithm === "Argon2id") {
+    return deriveArgon2id(
+      password,
+      salt,
+      config.argon2MemoryCost ?? 65536,
+      config.argon2TimeCost ?? 3,
+      config.argon2Parallelism ?? 4,
+      config.hashLength
+    );
+  } else {
+    throw new Error(`Unsupported KDF algorithm: ${config.algorithm}`);
+  }
+}
+function configFromParams(algorithm, params) {
+  {
+    return {
+      algorithm,
+      argon2MemoryCost: params.memoryCost,
+      argon2TimeCost: params.timeCost,
+      argon2Parallelism: params.parallelism,
+      saltLength: 32,
+      hashLength: 32
+    };
+  }
+}
+
+// src/vault/encrypt.ts
+var textEncoder3 = new TextEncoder();
+async function deriveKey(password, salt, iterations = PBKDF2_ITERATIONS) {
+  const passwordKey = await globalThis.crypto.subtle.importKey(
+    "raw",
+    textEncoder3.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits", "deriveKey"]
+  );
+  const saltArrayBuffer = new ArrayBuffer(salt.length);
+  new Uint8Array(saltArrayBuffer).set(salt);
+  return globalThis.crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt: saltArrayBuffer,
+      iterations,
+      hash: "SHA-256"
+    },
+    passwordKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    // not extractable
+    ["encrypt", "decrypt"]
+  );
+}
+async function encryptVault(vault, password) {
+  const salt = globalThis.crypto.getRandomValues(new Uint8Array(32));
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const key = await deriveKey(password, salt);
+  const plaintext = textEncoder3.encode(JSON.stringify(vault));
+  const ciphertext = await globalThis.crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    plaintext
+  );
+  return {
+    version: VAULT_ENCRYPTED_VERSION,
+    kdf: VAULT_KDF,
+    iterations: PBKDF2_ITERATIONS,
+    salt: toB64(salt),
+    iv: toB64(iv),
+    ciphertext: toB64(new Uint8Array(ciphertext)),
+    algorithm: VAULT_ALGORITHM
+  };
+}
+async function encryptVaultToBlob(vault, password) {
+  const encrypted = await encryptVault(vault, password);
+  const json = JSON.stringify(encrypted, null, 2);
+  return new Blob([json], { type: "application/json" });
+}
+async function encryptVaultToDataURL(vault, password) {
+  const encrypted = await encryptVault(vault, password);
+  const json = JSON.stringify(encrypted, null, 2);
+  return "data:application/json;charset=utf-8," + encodeURIComponent(json);
+}
+async function encryptVaultV2(vault, password) {
+  const salt = globalThis.crypto.getRandomValues(new Uint8Array(32));
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const keyBytes = await kdfDeriveKey(password, salt, KDF_CONFIG_ARGON2ID);
+  const keyBuffer = new ArrayBuffer(keyBytes.length);
+  new Uint8Array(keyBuffer).set(keyBytes);
+  const key = await globalThis.crypto.subtle.importKey(
+    "raw",
+    keyBuffer,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt"]
+  );
+  const plaintext = textEncoder3.encode(JSON.stringify(vault));
+  const ciphertext = await globalThis.crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    plaintext
+  );
+  return {
+    version: VAULT_ENCRYPTED_VERSION_V2,
+    kdf: VAULT_KDF_V2,
+    memoryCost: KDF_CONFIG_ARGON2ID.argon2MemoryCost,
+    timeCost: KDF_CONFIG_ARGON2ID.argon2TimeCost,
+    parallelism: KDF_CONFIG_ARGON2ID.argon2Parallelism,
+    salt: toB64(salt),
+    iv: toB64(iv),
+    ciphertext: toB64(new Uint8Array(ciphertext)),
+    algorithm: VAULT_ALGORITHM
+  };
+}
+
+// src/vault/decrypt.ts
+var textDecoder2 = new TextDecoder();
+async function decryptVault(encryptedFile, password) {
+  assertVaultEncryptedVersion(encryptedFile.version);
+  const salt = fromB64(encryptedFile.salt);
+  const iv = fromB64(encryptedFile.iv);
+  const ciphertext = fromB64(encryptedFile.ciphertext);
+  let key;
+  if (encryptedFile.version === VAULT_ENCRYPTED_VERSION_V2) {
+    const v2File = encryptedFile;
+    const kdfConfig = configFromParams("Argon2id", {
+      memoryCost: v2File.memoryCost,
+      timeCost: v2File.timeCost,
+      parallelism: v2File.parallelism
+    });
+    const keyBytes = await kdfDeriveKey(password, salt, kdfConfig);
+    const keyBuffer = new ArrayBuffer(keyBytes.length);
+    new Uint8Array(keyBuffer).set(keyBytes);
+    key = await globalThis.crypto.subtle.importKey(
+      "raw",
+      keyBuffer,
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["decrypt"]
+    );
+  } else {
+    key = await deriveKey(password, salt, encryptedFile.iterations);
+  }
+  try {
+    const ivArrayBuffer = new ArrayBuffer(iv.length);
+    new Uint8Array(ivArrayBuffer).set(iv);
+    const ciphertextArrayBuffer = new ArrayBuffer(ciphertext.length);
+    new Uint8Array(ciphertextArrayBuffer).set(ciphertext);
+    const plaintext = await globalThis.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: ivArrayBuffer },
+      key,
+      ciphertextArrayBuffer
+    );
+    const json = textDecoder2.decode(plaintext);
+    const vault = JSON.parse(json);
+    assertVaultVersion(vault.version);
+    if (!Array.isArray(vault.identities)) {
+      throw new Error("Invalid vault structure: missing identities array");
+    }
+    return vault;
+  } catch (error) {
+    if (error instanceof DOMException && error.name === "OperationError") {
+      throw new Error("Incorrect password or corrupted vault");
+    }
+    throw error;
+  }
+}
+async function decryptVaultFromJson(json, password) {
+  const encryptedFile = JSON.parse(json);
+  return decryptVault(encryptedFile, password);
+}
+async function decryptVaultFromFile(file, password) {
+  const text = await file.text();
+  return decryptVaultFromJson(text, password);
+}
+function isValidEncryptedVaultFile(json) {
+  try {
+    const parsed = JSON.parse(json);
+    return parsed.version === VAULT_ENCRYPTED_VERSION && parsed.kdf === VAULT_KDF && typeof parsed.iterations === "number" && typeof parsed.salt === "string" && typeof parsed.iv === "string" && typeof parsed.ciphertext === "string" && parsed.algorithm === VAULT_ALGORITHM;
+  } catch {
+    return false;
+  }
+}
+
+// src/utils/integrity.ts
+function computeIntegrityHash(identities) {
+  const canonical = identities.map((i) => ({
+    id: i.id,
+    name: i.name,
+    x25519PubHex: i.x25519PubHex,
+    kyberPubB64: i.kyberPubB64,
+    createdAt: i.createdAt,
+    rotationCount: i.rotationCount
+  }));
+  const serialized = JSON.stringify(canonical, Object.keys(canonical[0] || {}).sort());
+  return computeStringHash(serialized);
+}
+function computeStringHash(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(16).padStart(16, "0");
+}
+
+// src/utils/entropy.ts
+function generateId() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+nacl.secretbox.keyLength;
+nacl.secretbox.nonceLength;
+nacl.secretbox.overheadLength;
+nacl.box.publicKeyLength;
+nacl.box.nonceLength;
+function generateX25519Keypair() {
+  const kp = nacl.box.keyPair();
+  return {
+    publicHex: "0x" + toHex(kp.publicKey),
+    secretHex: "0x" + toHex(kp.secretKey),
+    publicBytes: kp.publicKey,
+    secretBytes: kp.secretKey
+  };
+}
+var kyberModule = null;
+async function loadKyber() {
+  if (kyberModule) return kyberModule;
+  try {
+    const m = await import('kyber-crystals');
+    const k = m.default ?? m;
+    kyberModule = k.kyber ?? k;
+    return kyberModule;
+  } catch (e) {
+    console.warn("[Kyber] Failed to load kyber-crystals:", e);
+    return null;
+  }
+}
+async function generateKyberKeypair() {
+  try {
+    const mod = await loadKyber();
+    if (!mod) return null;
+    if (mod?.ready?.then) {
+      await mod.ready;
+    }
+    const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
+    if (typeof fn !== "function") {
+      console.warn("[Kyber] No keypair function found");
+      return null;
+    }
+    const kp = await fn.call(mod);
+    const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
+    const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
+    if (!pub || !priv) {
+      console.warn("[Kyber] Invalid keypair result");
+      return null;
+    }
+    return {
+      publicB64: b64(new Uint8Array(pub)),
+      secretB64: b64(new Uint8Array(priv))
+    };
+  } catch (e) {
+    console.warn("[Kyber] Key generation failed:", e);
+    return null;
+  }
+}
+
+// src/vault/manager.ts
+function createEmptyVault() {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    version: VAULT_VERSION,
+    identities: [],
+    settings: {
+      autoUnlock: false,
+      lockTimeout: 15,
+      showFingerprints: true
+    },
+    integrityHash: computeIntegrityHash([]),
+    createdAt: now,
+    modifiedAt: now
+  };
+}
+async function createIdentity(name) {
+  const x25519 = generateX25519Keypair();
+  const kyber = await generateKyberKeypair();
+  if (!kyber) {
+    console.error("Kyber key generation failed");
+    return null;
+  }
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const deviceFingerprint = await getDeviceFingerprint();
+  return {
+    id: generateId(),
+    name,
+    x25519PubHex: x25519.publicHex,
+    x25519SecHex: x25519.secretHex,
+    kyberPubB64: kyber.publicB64,
+    kyberSecB64: kyber.secretB64,
+    createdAt: now,
+    rotationCount: 0,
+    deviceFingerprint
+  };
+}
+function addIdentity(vault, identity) {
+  const identities = [...vault.identities, identity];
+  return {
+    ...vault,
+    identities,
+    integrityHash: computeIntegrityHash(identities),
+    modifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function removeIdentity(vault, identityId) {
+  const identities = vault.identities.filter((i) => i.id !== identityId);
+  return {
+    ...vault,
+    identities,
+    integrityHash: computeIntegrityHash(identities),
+    modifiedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    settings: {
+      ...vault.settings,
+      lastUsedIdentity: vault.settings.lastUsedIdentity === identityId ? void 0 : vault.settings.lastUsedIdentity
+    }
+  };
+}
+async function rotateIdentityKeys(vault, identityId) {
+  const index = vault.identities.findIndex((i) => i.id === identityId);
+  if (index === -1) return null;
+  const existing = vault.identities[index];
+  const x25519 = generateX25519Keypair();
+  const kyber = await generateKyberKeypair();
+  if (!kyber) return null;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const updated = {
+    ...existing,
+    x25519PubHex: x25519.publicHex,
+    x25519SecHex: x25519.secretHex,
+    kyberPubB64: kyber.publicB64,
+    kyberSecB64: kyber.secretB64,
+    lastRotatedAt: now,
+    rotationCount: existing.rotationCount + 1
+  };
+  const identities = [...vault.identities];
+  identities[index] = updated;
+  return {
+    ...vault,
+    identities,
+    integrityHash: computeIntegrityHash(identities),
+    modifiedAt: now
+  };
+}
+function updateIdentityMetadata(vault, identityId, updates) {
+  const identities = vault.identities.map(
+    (i) => i.id === identityId ? { ...i, ...updates } : i
+  );
+  return {
+    ...vault,
+    identities,
+    integrityHash: computeIntegrityHash(identities),
+    modifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function updateSettings(vault, settings) {
+  return {
+    ...vault,
+    settings: { ...vault.settings, ...settings },
+    modifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function setActiveIdentity(vault, identityId) {
+  return updateSettings(vault, { lastUsedIdentity: identityId });
+}
+async function exportVault(vault, password) {
+  return encryptVaultToBlob(vault, password);
+}
+async function importVault(file, password) {
+  return decryptVaultFromFile(file, password);
+}
+async function downloadVault(vault, password) {
+  const blob = await exportVault(vault, password);
+  const url = URL.createObjectURL(blob);
+  const a = document.createElement("a");
+  a.href = url;
+  a.download = `omnituum_vault_${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}.enc`;
+  document.body.appendChild(a);
+  a.click();
+  document.body.removeChild(a);
+  URL.revokeObjectURL(url);
+}
+var currentSession = {
+  unlocked: false,
+  sessionKey: null,
+  unlockedAt: null,
+  activeIdentityId: null
+};
+function getSession() {
+  return { ...currentSession };
+}
+async function unlockSession(password, vault) {
+  try {
+    const salt = globalThis.crypto.getRandomValues(new Uint8Array(32));
+    const passwordKey = await globalThis.crypto.subtle.importKey(
+      "raw",
+      new TextEncoder().encode(password),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const sessionKey = await globalThis.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt,
+        iterations: 1e5,
+        // Faster for session key
+        hash: "SHA-256"
+      },
+      passwordKey,
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt", "decrypt"]
+    );
+    currentSession = {
+      unlocked: true,
+      sessionKey,
+      unlockedAt: Date.now(),
+      activeIdentityId: vault.settings.lastUsedIdentity || vault.identities[0]?.id || null
+    };
+    return true;
+  } catch {
+    return false;
+  }
+}
+function lockSession() {
+  currentSession = {
+    unlocked: false,
+    sessionKey: null,
+    unlockedAt: null,
+    activeIdentityId: null
+  };
+}
+function setSessionActiveIdentity(identityId) {
+  if (currentSession.unlocked) {
+    currentSession.activeIdentityId = identityId;
+  }
+}
+async function getDeviceFingerprint() {
+  const data = [
+    navigator.userAgent,
+    navigator.language,
+    screen.width,
+    screen.height,
+    (/* @__PURE__ */ new Date()).getTimezoneOffset()
+  ].join("|");
+  const hash = await globalThis.crypto.subtle.digest("SHA-256", new TextEncoder().encode(data));
+  return toHex(new Uint8Array(hash)).slice(0, 16);
+}
+
+// src/security/index.ts
+function zeroMemory(arr) {
+  if (!arr || arr.length === 0) return;
+  arr.fill(0);
+  if (arr[0] !== 0) {
+    throw new Error("Memory zeroing failed");
+  }
+}
+
+// src/vault/migrate.ts
+function needsMigration(encryptedVault) {
+  return encryptedVault.version === VAULT_ENCRYPTED_VERSION;
+}
+function isV2Vault(encryptedVault) {
+  return encryptedVault.version === VAULT_ENCRYPTED_VERSION_V2;
+}
+function getVaultKdfInfo(encryptedVault) {
+  if (encryptedVault.version === VAULT_ENCRYPTED_VERSION_V2) {
+    const v2 = encryptedVault;
+    return {
+      kdf: `Argon2id (${v2.memoryCost / 1024}MB, ${v2.timeCost} iterations)`,
+      version: "v2",
+      isSecure: true
+    };
+  } else {
+    const v1 = encryptedVault;
+    return {
+      kdf: `PBKDF2-SHA256 (${v1.iterations.toLocaleString()} iterations)`,
+      version: "v1",
+      isSecure: true,
+      // Still secure, just not as modern
+      recommendation: "Consider upgrading to Argon2id for stronger protection"
+    };
+  }
+}
+async function migrateEncryptedVault(options) {
+  const { encryptedVault, password, keepBackup = false } = options;
+  if (isV2Vault(encryptedVault)) {
+    throw new Error("Vault is already v2 format, no migration needed");
+  }
+  let decryptedVaultJson = null;
+  try {
+    const vault = await decryptVault(encryptedVault, password);
+    const vaultJson = JSON.stringify(vault);
+    decryptedVaultJson = new TextEncoder().encode(vaultJson);
+    const newEncryptedVault = await encryptVaultV2(vault, password);
+    return {
+      encryptedVault: newEncryptedVault,
+      backup: keepBackup ? encryptedVault : void 0,
+      sourceVersion: encryptedVault.version,
+      targetVersion: VAULT_ENCRYPTED_VERSION_V2,
+      migratedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  } finally {
+    if (decryptedVaultJson) {
+      zeroMemory(decryptedVaultJson);
+    }
+  }
+}
+async function validateMigration(original, migrated, password) {
+  let originalVaultJson = null;
+  let migratedVaultJson = null;
+  try {
+    const originalVault = await decryptVault(original, password);
+    const migratedVault = await decryptVault(migrated, password);
+    originalVaultJson = new TextEncoder().encode(JSON.stringify(originalVault));
+    migratedVaultJson = new TextEncoder().encode(JSON.stringify(migratedVault));
+    if (originalVaultJson.length !== migratedVaultJson.length) {
+      return false;
+    }
+    for (let i = 0; i < originalVaultJson.length; i++) {
+      if (originalVaultJson[i] !== migratedVaultJson[i]) {
+        return false;
+      }
+    }
+    return true;
+  } finally {
+    if (originalVaultJson) zeroMemory(originalVaultJson);
+    if (migratedVaultJson) zeroMemory(migratedVaultJson);
+  }
+}
+
+export { DEFAULT_VAULT_SETTINGS, PBKDF2_ITERATIONS, addIdentity, createEmptyVault, createIdentity, decryptVault, decryptVaultFromFile, decryptVaultFromJson, deriveKey, downloadVault, encryptVault, encryptVaultToBlob, encryptVaultToDataURL, encryptVaultV2, exportVault, getSession, getVaultKdfInfo, importVault, isV2Vault, isValidEncryptedVaultFile, lockSession, migrateEncryptedVault, needsMigration, removeIdentity, rotateIdentityKeys, setActiveIdentity, setSessionActiveIdentity, unlockSession, updateIdentityMetadata, updateSettings, validateMigration };