@omnituum/pqc-shared 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dist/crypto/index.cjs +29 -71
  2. package/dist/crypto/index.d.cts +38 -45
  3. package/dist/crypto/index.d.ts +38 -45
  4. package/dist/crypto/index.js +28 -72
  5. package/dist/crypto/safe/index.cjs +556 -0
  6. package/dist/crypto/safe/index.d.cts +341 -0
  7. package/dist/crypto/safe/index.d.ts +341 -0
  8. package/dist/crypto/safe/index.js +524 -0
  9. package/dist/fs/index.cjs +6 -34
  10. package/dist/fs/index.js +6 -34
  11. package/dist/index.cjs +29 -71
  12. package/dist/index.d.cts +4 -4
  13. package/dist/index.d.ts +4 -4
  14. package/dist/index.js +28 -72
  15. package/dist/{integrity-CCYjrap3.d.ts → integrity-BPvNsC50.d.ts} +1 -1
  16. package/dist/{integrity-Dx9jukMH.d.cts → integrity-ByMp24VA.d.cts} +1 -1
  17. package/dist/{types-61c7Q9ri.d.ts → types-Dx_AFqow.d.cts} +54 -2
  18. package/dist/{types-Ch0y-n7K.d.cts → types-Dx_AFqow.d.ts} +54 -2
  19. package/dist/utils/index.d.cts +2 -3
  20. package/dist/utils/index.d.ts +2 -3
  21. package/dist/vault/index.cjs +13 -41
  22. package/dist/vault/index.d.cts +2 -3
  23. package/dist/vault/index.d.ts +2 -3
  24. package/dist/vault/index.js +13 -41
  25. package/package.json +27 -13
  26. package/src/crypto/dilithium.ts +8 -4
  27. package/src/crypto/hybrid.ts +13 -29
  28. package/src/crypto/index.ts +3 -0
  29. package/src/crypto/kyber.ts +63 -121
  30. package/src/crypto/safe/adapters.ts +306 -0
  31. package/src/crypto/safe/dilithium.ts +74 -0
  32. package/src/crypto/safe/index.ts +97 -0
  33. package/src/crypto/safe/kyber.ts +47 -0
  34. package/src/crypto/safe/manifests.ts +192 -0
  35. package/src/crypto/safe/secretbox.ts +24 -0
  36. package/src/crypto/safe/types.ts +88 -0
  37. package/src/crypto/safe/x25519.ts +31 -0
  38. package/src/index.ts +7 -4
  39. package/src/version.ts +9 -4
  40. package/dist/version-BygzPVGs.d.cts +0 -55
  41. package/dist/version-BygzPVGs.d.ts +0 -55
@@ -0,0 +1,192 @@
1
+ /**
2
+ * Primitive identity manifests.
3
+ *
4
+ * Each manifest declares the expected algorithm name and byte sizes.
5
+ * Used by assertPrimitiveIdentity() to verify that the underlying library
6
+ * is the exact primitive we intended to wrap — not a swapped, compromised,
7
+ * or silently upgraded implementation.
8
+ *
9
+ * This catches:
10
+ * - wrong algorithm resolved behind the same import
11
+ * - changed encoding or key format after a dependency update
12
+ * - supply-chain substitution of a different primitive
13
+ * - silent API drift in key/signature sizes
14
+ */
15
+
16
+ export interface SignatureManifest {
17
+ readonly algorithm: string
18
+ readonly publicKeyBytes: number
19
+ readonly secretKeyBytes: number
20
+ readonly signatureBytes: number
21
+ }
22
+
23
+ export interface KemManifest {
24
+ readonly algorithm: string
25
+ readonly encapsulationKeyBytes: number
26
+ readonly decapsulationKeyBytes: number
27
+ readonly ciphertextBytes: number
28
+ readonly sharedSecretBytes: number
29
+ }
30
+
31
+ export interface DhManifest {
32
+ readonly algorithm: string
33
+ readonly publicKeyBytes: number
34
+ readonly secretKeyBytes: number
35
+ readonly sharedSecretBytes: number
36
+ }
37
+
38
+ export interface SecretboxManifest {
39
+ readonly algorithm: string
40
+ readonly keyBytes: number
41
+ readonly nonceBytes: number
42
+ readonly tagBytes: number
43
+ }
44
+
45
+ // ---- Concrete manifests for Omnituum's primitives ----
46
+
47
+ export const ML_DSA_65: SignatureManifest = {
48
+ algorithm: 'ML-DSA-65',
49
+ publicKeyBytes: 1952,
50
+ secretKeyBytes: 4032,
51
+ signatureBytes: 3309,
52
+ } as const
53
+
54
+ export const ML_KEM_768: KemManifest = {
55
+ algorithm: 'ML-KEM-768',
56
+ encapsulationKeyBytes: 1184,
57
+ decapsulationKeyBytes: 2400,
58
+ ciphertextBytes: 1088,
59
+ sharedSecretBytes: 32,
60
+ } as const
61
+
62
+ export const X25519: DhManifest = {
63
+ algorithm: 'X25519',
64
+ publicKeyBytes: 32,
65
+ secretKeyBytes: 32,
66
+ sharedSecretBytes: 32,
67
+ } as const
68
+
69
+ export const XSALSA20_POLY1305: SecretboxManifest = {
70
+ algorithm: 'XSalsa20-Poly1305',
71
+ keyBytes: 32,
72
+ nonceBytes: 24,
73
+ tagBytes: 16,
74
+ } as const
75
+
76
+ // ---- Assertion helpers ----
77
+
78
+ export function assertSignaturePrimitive(
79
+ noble: {
80
+ keygen(seed?: Uint8Array): { publicKey: Uint8Array; secretKey: Uint8Array }
81
+ sign(message: Uint8Array, secretKey: Uint8Array): Uint8Array
82
+ verify(signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array): boolean
83
+ },
84
+ manifest: SignatureManifest,
85
+ ): void {
86
+ const msg = new Uint8Array([0xde, 0xad, 0xbe, 0xef])
87
+ const { publicKey, secretKey } = noble.keygen()
88
+ const sig = noble.sign(msg, secretKey)
89
+
90
+ if (publicKey.length !== manifest.publicKeyBytes) {
91
+ throw new Error(
92
+ `${manifest.algorithm}: publicKey ${publicKey.length} bytes, expected ${manifest.publicKeyBytes}`,
93
+ )
94
+ }
95
+ if (secretKey.length !== manifest.secretKeyBytes) {
96
+ throw new Error(
97
+ `${manifest.algorithm}: secretKey ${secretKey.length} bytes, expected ${manifest.secretKeyBytes}`,
98
+ )
99
+ }
100
+ if (sig.length !== manifest.signatureBytes) {
101
+ throw new Error(
102
+ `${manifest.algorithm}: signature ${sig.length} bytes, expected ${manifest.signatureBytes}`,
103
+ )
104
+ }
105
+ if (!noble.verify(sig, msg, publicKey)) {
106
+ throw new Error(`${manifest.algorithm}: sign/verify roundtrip failed`)
107
+ }
108
+ }
109
+
110
+ export function assertKemPrimitive(
111
+ noble: {
112
+ keygen(): { publicKey: Uint8Array; secretKey: Uint8Array }
113
+ encapsulate(publicKey: Uint8Array): { ciphertext: Uint8Array; sharedSecret: Uint8Array }
114
+ decapsulate(ciphertext: Uint8Array, secretKey: Uint8Array): Uint8Array
115
+ },
116
+ manifest: KemManifest,
117
+ ): void {
118
+ const { publicKey, secretKey } = noble.keygen()
119
+ const { ciphertext, sharedSecret: ss1 } = noble.encapsulate(publicKey)
120
+ const ss2 = noble.decapsulate(ciphertext, secretKey)
121
+
122
+ if (publicKey.length !== manifest.encapsulationKeyBytes) {
123
+ throw new Error(
124
+ `${manifest.algorithm}: encapsulationKey ${publicKey.length} bytes, expected ${manifest.encapsulationKeyBytes}`,
125
+ )
126
+ }
127
+ if (secretKey.length !== manifest.decapsulationKeyBytes) {
128
+ throw new Error(
129
+ `${manifest.algorithm}: decapsulationKey ${secretKey.length} bytes, expected ${manifest.decapsulationKeyBytes}`,
130
+ )
131
+ }
132
+ if (ciphertext.length !== manifest.ciphertextBytes) {
133
+ throw new Error(
134
+ `${manifest.algorithm}: ciphertext ${ciphertext.length} bytes, expected ${manifest.ciphertextBytes}`,
135
+ )
136
+ }
137
+ if (ss1.length !== manifest.sharedSecretBytes) {
138
+ throw new Error(
139
+ `${manifest.algorithm}: sharedSecret ${ss1.length} bytes, expected ${manifest.sharedSecretBytes}`,
140
+ )
141
+ }
142
+ if (ss2.length !== manifest.sharedSecretBytes) {
143
+ throw new Error(
144
+ `${manifest.algorithm}: decapsulated sharedSecret ${ss2.length} bytes, expected ${manifest.sharedSecretBytes}`,
145
+ )
146
+ }
147
+ for (let i = 0; i < ss1.length; i++) {
148
+ if (ss1[i] !== ss2[i]) {
149
+ throw new Error(`${manifest.algorithm}: encap/decap shared secrets differ at byte ${i}`)
150
+ }
151
+ }
152
+ }
153
+
154
+ export function assertDhPrimitive(
155
+ noble: {
156
+ getPublicKey(secretKey: Uint8Array): Uint8Array
157
+ getSharedSecret(secretKey: Uint8Array, publicKey: Uint8Array): Uint8Array
158
+ utils: { randomPrivateKey(): Uint8Array }
159
+ },
160
+ manifest: DhManifest,
161
+ ): void {
162
+ const sk = noble.utils.randomPrivateKey()
163
+ const pk = noble.getPublicKey(sk)
164
+
165
+ if (pk.length !== manifest.publicKeyBytes) {
166
+ throw new Error(
167
+ `${manifest.algorithm}: publicKey ${pk.length} bytes, expected ${manifest.publicKeyBytes}`,
168
+ )
169
+ }
170
+ if (sk.length !== manifest.secretKeyBytes) {
171
+ throw new Error(
172
+ `${manifest.algorithm}: secretKey ${sk.length} bytes, expected ${manifest.secretKeyBytes}`,
173
+ )
174
+ }
175
+
176
+ // Generate second keypair, compute shared secret both ways
177
+ const sk2 = noble.utils.randomPrivateKey()
178
+ const pk2 = noble.getPublicKey(sk2)
179
+ const ss1 = noble.getSharedSecret(sk, pk2)
180
+ const ss2 = noble.getSharedSecret(sk2, pk)
181
+
182
+ if (ss1.length !== manifest.sharedSecretBytes) {
183
+ throw new Error(
184
+ `${manifest.algorithm}: sharedSecret ${ss1.length} bytes, expected ${manifest.sharedSecretBytes}`,
185
+ )
186
+ }
187
+ for (let i = 0; i < ss1.length; i++) {
188
+ if (ss1[i] !== ss2[i]) {
189
+ throw new Error(`${manifest.algorithm}: DH commutativity check failed at byte ${i}`)
190
+ }
191
+ }
192
+ }
@@ -0,0 +1,24 @@
1
+ /**
2
+ * Safe secretbox (xsalsa20-poly1305) adapter.
3
+ *
4
+ * Object parameters + branded types.
5
+ */
6
+
7
+ import { secretboxRaw, secretboxOpenRaw } from '../nacl'
8
+ import type { SymmetricKey, Nonce } from './types'
9
+
10
+ export function seal(params: {
11
+ key: SymmetricKey
12
+ plaintext: Uint8Array
13
+ nonce: Nonce
14
+ }): Uint8Array {
15
+ return secretboxRaw(params.key, params.plaintext, params.nonce)
16
+ }
17
+
18
+ export function open(params: {
19
+ key: SymmetricKey
20
+ ciphertext: Uint8Array
21
+ nonce: Nonce
22
+ }): Uint8Array | null {
23
+ return secretboxOpenRaw(params.key, params.ciphertext, params.nonce)
24
+ }
@@ -0,0 +1,88 @@
1
+ /**
2
+ * Branded cryptographic types.
3
+ *
4
+ * Raw Uint8Array must never cross module boundaries without type branding.
5
+ * These types make argument inversion a compile-time error.
6
+ */
7
+
8
+ // ---- Dilithium ML-DSA-65 ----
9
+
10
+ export type DilithiumSecretKey = Uint8Array & { readonly __brand: 'DilithiumSecretKey' }
11
+ export type DilithiumPublicKey = Uint8Array & { readonly __brand: 'DilithiumPublicKey' }
12
+ export type DilithiumSignature = Uint8Array & { readonly __brand: 'DilithiumSignature' }
13
+
14
+ export interface DilithiumKeyPair {
15
+ publicKey: DilithiumPublicKey
16
+ secretKey: DilithiumSecretKey
17
+ }
18
+
19
+ // ---- Kyber ML-KEM-768 ----
20
+
21
+ export type KyberEncapsulationKey = Uint8Array & { readonly __brand: 'KyberEncapsulationKey' }
22
+ export type KyberDecapsulationKey = Uint8Array & { readonly __brand: 'KyberDecapsulationKey' }
23
+ export type KyberCiphertext = Uint8Array & { readonly __brand: 'KyberCiphertext' }
24
+ export type SharedSecret = Uint8Array & { readonly __brand: 'SharedSecret' }
25
+
26
+ export interface KyberKeyPair {
27
+ encapsulationKey: KyberEncapsulationKey
28
+ decapsulationKey: KyberDecapsulationKey
29
+ }
30
+
31
+ export interface KyberEncapsulation {
32
+ ciphertext: KyberCiphertext
33
+ sharedSecret: SharedSecret
34
+ }
35
+
36
+ // ---- X25519 ----
37
+
38
+ export type X25519PublicKey = Uint8Array & { readonly __brand: 'X25519PublicKey' }
39
+ export type X25519SecretKey = Uint8Array & { readonly __brand: 'X25519SecretKey' }
40
+
41
+ export interface X25519KeyPair {
42
+ publicKey: X25519PublicKey
43
+ secretKey: X25519SecretKey
44
+ }
45
+
46
+ // ---- Symmetric ----
47
+
48
+ export type SymmetricKey = Uint8Array & { readonly __brand: 'SymmetricKey' }
49
+ export type Nonce = Uint8Array & { readonly __brand: 'Nonce' }
50
+ export type Message = Uint8Array & { readonly __brand: 'Message' }
51
+
52
+ // ---- Branding helpers ----
53
+
54
+ export function asMessage(data: Uint8Array): Message {
55
+ return data as Message
56
+ }
57
+
58
+ export function asDilithiumSecretKey(data: Uint8Array): DilithiumSecretKey {
59
+ return data as DilithiumSecretKey
60
+ }
61
+
62
+ export function asDilithiumPublicKey(data: Uint8Array): DilithiumPublicKey {
63
+ return data as DilithiumPublicKey
64
+ }
65
+
66
+ export function asKyberEncapsulationKey(data: Uint8Array): KyberEncapsulationKey {
67
+ return data as KyberEncapsulationKey
68
+ }
69
+
70
+ export function asKyberDecapsulationKey(data: Uint8Array): KyberDecapsulationKey {
71
+ return data as KyberDecapsulationKey
72
+ }
73
+
74
+ export function asX25519PublicKey(data: Uint8Array): X25519PublicKey {
75
+ return data as X25519PublicKey
76
+ }
77
+
78
+ export function asX25519SecretKey(data: Uint8Array): X25519SecretKey {
79
+ return data as X25519SecretKey
80
+ }
81
+
82
+ export function asSymmetricKey(data: Uint8Array): SymmetricKey {
83
+ return data as SymmetricKey
84
+ }
85
+
86
+ export function asNonce(data: Uint8Array): Nonce {
87
+ return data as Nonce
88
+ }
@@ -0,0 +1,31 @@
1
+ /**
2
+ * Safe X25519 adapter.
3
+ *
4
+ * Object parameters + branded types.
5
+ */
6
+
7
+ import {
8
+ generateX25519Keypair as rawKeygen,
9
+ x25519SharedSecret as rawEcdh,
10
+ } from '../x25519'
11
+ import type {
12
+ X25519KeyPair,
13
+ X25519PublicKey,
14
+ X25519SecretKey,
15
+ SharedSecret,
16
+ } from './types'
17
+
18
+ export function keygen(): X25519KeyPair {
19
+ const kp = rawKeygen()
20
+ return {
21
+ publicKey: kp.publicBytes as X25519PublicKey,
22
+ secretKey: kp.secretBytes as X25519SecretKey,
23
+ }
24
+ }
25
+
26
+ export function sharedSecret(params: {
27
+ ourSecretKey: X25519SecretKey
28
+ theirPublicKey: X25519PublicKey
29
+ }): SharedSecret {
30
+ return rawEcdh(params.ourSecretKey, params.theirPublicKey) as SharedSecret
31
+ }
package/src/index.ts CHANGED
@@ -5,7 +5,7 @@ import './runtime/crypto';
5
5
  * Omnituum PQC Shared
6
6
  *
7
7
  * Unified cryptographic and vault utilities for PQC applications.
8
- * Combines X25519 (classical) + Kyber ML-KEM-768 (post-quantum) encryption.
8
+ * Combines X25519 (classical) + Kyber ML-KEM-1024 (FIPS 203, post-quantum) encryption.
9
9
  *
10
10
  * FROZEN CONTRACTS - see pqc-docs/specs/ for format specifications.
11
11
  *
@@ -34,7 +34,7 @@ import './runtime/crypto';
34
34
  // ═══════════════════════════════════════════════════════════════════════════
35
35
 
36
36
  /**
37
- * @stable Hybrid X25519 + Kyber-768 encryption primitives.
37
+ * @stable Hybrid X25519 + Kyber ML-KEM-1024 (FIPS 203) encryption primitives.
38
38
  * The core post-quantum encryption interface.
39
39
  */
40
40
  export {
@@ -54,25 +54,28 @@ export type {
54
54
  } from './crypto/hybrid';
55
55
 
56
56
  // ═══════════════════════════════════════════════════════════════════════════
57
- // KYBER (ML-KEM-768) (@stable)
57
+ // KYBER (ML-KEM-1024, FIPS 203) (@stable)
58
58
  // ═══════════════════════════════════════════════════════════════════════════
59
59
 
60
60
  /**
61
- * @stable Kyber ML-KEM-768 post-quantum KEM primitives.
61
+ * @stable Kyber ML-KEM-1024 (FIPS 203) post-quantum KEM primitives.
62
62
  */
63
63
  export {
64
64
  isKyberAvailable,
65
65
  generateKyberKeypair,
66
+ generateKyberKeypairFromSeed,
66
67
  kyberEncapsulate,
67
68
  kyberDecapsulate,
68
69
  kyberWrapKey,
69
70
  kyberUnwrapKey,
71
+ KYBER_SUITE,
70
72
  } from './crypto/kyber';
71
73
 
72
74
  export type {
73
75
  KyberKeypair,
74
76
  KyberKeypairB64,
75
77
  KyberEncapsulation,
78
+ KyberSuite,
76
79
  } from './crypto/kyber';
77
80
 
78
81
  // ═══════════════════════════════════════════════════════════════════════════
package/src/version.ts CHANGED
@@ -9,15 +9,20 @@
9
9
  * @see pqc-docs/specs/identity.v1.md
10
10
  */
11
11
 
12
+ import {
13
+ OMNI_VERSIONS,
14
+ DEPRECATED_VERSIONS,
15
+ } from '@omnituum/envelope-registry';
16
+
12
17
  // ═══════════════════════════════════════════════════════════════════════════
13
18
  // VERSION CONSTANTS (FROZEN)
14
19
  // ═══════════════════════════════════════════════════════════════════════════
15
20
 
16
- /** HybridEnvelope version - hybrid encryption format */
17
- export const ENVELOPE_VERSION = 'omnituum.hybrid.v1' as const;
21
+ /** HybridEnvelope version - hybrid encryption format (from registry) */
22
+ export const ENVELOPE_VERSION = OMNI_VERSIONS.HYBRID_V1;
18
23
 
19
- /** Legacy envelope version for backwards compatibility */
20
- export const ENVELOPE_VERSION_LEGACY = 'pqc-demo.hybrid.v1' as const;
24
+ /** Legacy envelope version for backwards compatibility (from registry) */
25
+ export const ENVELOPE_VERSION_LEGACY = DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
21
26
 
22
27
  /** OmnituumVault version - decrypted vault format */
23
28
  export const VAULT_VERSION = 'omnituum.vault.v1' as const;
@@ -1,55 +0,0 @@
1
- /**
2
- * Omnituum PQC Shared - Version Constants & Guards
3
- *
4
- * FROZEN CONTRACTS: These version strings define the wire format.
5
- * Breaking changes require a version bump.
6
- *
7
- * @see pqc-docs/specs/envelope.v1.md
8
- * @see pqc-docs/specs/vault.v1.md
9
- * @see pqc-docs/specs/identity.v1.md
10
- */
11
- /** HybridEnvelope version - hybrid encryption format */
12
- declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
13
- /** OmnituumVault version - decrypted vault format */
14
- declare const VAULT_VERSION: "omnituum.vault.v1";
15
- /** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
16
- declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
17
- /** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
18
- declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
19
- /** Algorithm suite for hybrid encryption */
20
- declare const ENVELOPE_SUITE: "x25519+kyber768";
21
- /** AEAD algorithm for envelope content */
22
- declare const ENVELOPE_AEAD: "xsalsa20poly1305";
23
- /** KDF for vault encryption (v1) */
24
- declare const VAULT_KDF: "PBKDF2-SHA256";
25
- /** KDF for vault encryption (v2) */
26
- declare const VAULT_KDF_V2: "Argon2id";
27
- /** Encryption algorithm for vault */
28
- declare const VAULT_ALGORITHM: "AES-256-GCM";
29
- /**
30
- * Validate envelope structure and version.
31
- * Returns detailed validation result.
32
- */
33
- declare function validateEnvelope(envelope: unknown): {
34
- valid: boolean;
35
- version?: string;
36
- errors: string[];
37
- };
38
- /**
39
- * Validate vault structure and version.
40
- */
41
- declare function validateVault(vault: unknown): {
42
- valid: boolean;
43
- version?: string;
44
- errors: string[];
45
- };
46
- /**
47
- * Validate encrypted vault structure and version.
48
- */
49
- declare function validateEncryptedVault(encVault: unknown): {
50
- valid: boolean;
51
- version?: string;
52
- errors: string[];
53
- };
54
-
55
- export { ENVELOPE_VERSION as E, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_KDF as b, VAULT_ALGORITHM as c, VAULT_ENCRYPTED_VERSION_V2 as d, VAULT_KDF_V2 as e, ENVELOPE_SUITE as f, ENVELOPE_AEAD as g, validateEnvelope as h, validateEncryptedVault as i, validateVault as v };
@@ -1,55 +0,0 @@
1
- /**
2
- * Omnituum PQC Shared - Version Constants & Guards
3
- *
4
- * FROZEN CONTRACTS: These version strings define the wire format.
5
- * Breaking changes require a version bump.
6
- *
7
- * @see pqc-docs/specs/envelope.v1.md
8
- * @see pqc-docs/specs/vault.v1.md
9
- * @see pqc-docs/specs/identity.v1.md
10
- */
11
- /** HybridEnvelope version - hybrid encryption format */
12
- declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
13
- /** OmnituumVault version - decrypted vault format */
14
- declare const VAULT_VERSION: "omnituum.vault.v1";
15
- /** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
16
- declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
17
- /** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
18
- declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
19
- /** Algorithm suite for hybrid encryption */
20
- declare const ENVELOPE_SUITE: "x25519+kyber768";
21
- /** AEAD algorithm for envelope content */
22
- declare const ENVELOPE_AEAD: "xsalsa20poly1305";
23
- /** KDF for vault encryption (v1) */
24
- declare const VAULT_KDF: "PBKDF2-SHA256";
25
- /** KDF for vault encryption (v2) */
26
- declare const VAULT_KDF_V2: "Argon2id";
27
- /** Encryption algorithm for vault */
28
- declare const VAULT_ALGORITHM: "AES-256-GCM";
29
- /**
30
- * Validate envelope structure and version.
31
- * Returns detailed validation result.
32
- */
33
- declare function validateEnvelope(envelope: unknown): {
34
- valid: boolean;
35
- version?: string;
36
- errors: string[];
37
- };
38
- /**
39
- * Validate vault structure and version.
40
- */
41
- declare function validateVault(vault: unknown): {
42
- valid: boolean;
43
- version?: string;
44
- errors: string[];
45
- };
46
- /**
47
- * Validate encrypted vault structure and version.
48
- */
49
- declare function validateEncryptedVault(encVault: unknown): {
50
- valid: boolean;
51
- version?: string;
52
- errors: string[];
53
- };
54
-
55
- export { ENVELOPE_VERSION as E, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_KDF as b, VAULT_ALGORITHM as c, VAULT_ENCRYPTED_VERSION_V2 as d, VAULT_KDF_V2 as e, ENVELOPE_SUITE as f, ENVELOPE_AEAD as g, validateEnvelope as h, validateEncryptedVault as i, validateVault as v };