@opendatalabs/vana-sdk 0.1.0-alpha.7e71046 → 0.1.0-alpha.7ee7635

package/dist/crypto/ecies/interface.d.cts

@@ -0,0 +1,176 @@
+/**
+ * ECIES (Elliptic Curve Integrated Encryption Scheme) Interface
+ *
+ * @remarks
+ * Defines the contract for platform-specific ECIES implementations.
+ * All implementations maintain compatibility with the eccrypto format to ensure
+ * backward compatibility with existing encrypted data.
+ *
+ * **Format specification:**
+ * `[iv (16 bytes)][ephemPublicKey (65 bytes)][ciphertext (variable)][mac (32 bytes)]`
+ *
+ * @category Cryptography
+ */
+/**
+ * Represents ECIES encrypted data in eccrypto-compatible format.
+ *
+ * @remarks
+ * This structure maintains backward compatibility with data encrypted using
+ * the legacy eccrypto library.
+ */
+interface ECIESEncrypted {
+    /** Initialization vector (16 bytes) */
+    iv: Uint8Array;
+    /** Ephemeral public key (65 bytes uncompressed) */
+    ephemPublicKey: Uint8Array;
+    /** Encrypted data */
+    ciphertext: Uint8Array;
+    /** Message authentication code (32 bytes) */
+    mac: Uint8Array;
+}
+/**
+ * Provides ECIES encryption and decryption operations.
+ *
+ * @remarks
+ * Platform-specific implementations handle the underlying cryptographic primitives
+ * while maintaining consistent data format across environments.
+ *
+ * @category Cryptography
+ */
+interface ECIESProvider {
+    /**
+     * Encrypts data using ECIES with secp256k1.
+     *
+     * @param publicKey - Recipient's public key (65 bytes uncompressed or 33 bytes compressed).
+     *   Obtain via `vana.server.getIdentity(userAddress).public_key`.
+     * @param message - Data to encrypt.
+     * @returns Encrypted data structure compatible with eccrypto format.
+     * @throws {ECIESError} When public key is invalid.
+     *   Verify key format matches secp256k1 requirements.
+     *
+     * @example
+     * ```typescript
+     * const encrypted = await provider.encrypt(
+     *   hexToBytes(publicKey),
+     *   new TextEncoder().encode('sensitive data')
+     * );
+     * ```
+     */
+    encrypt(publicKey: Uint8Array, message: Uint8Array): Promise<ECIESEncrypted>;
+    /**
+     * Decrypts ECIES encrypted data.
+     *
+     * @param privateKey - Recipient's private key (32 bytes).
+     * @param encrypted - Encrypted data structure from `encrypt()` or legacy eccrypto.
+     * @returns Decrypted message as Uint8Array.
+     * @throws {ECIESError} When MAC verification fails.
+     *   Ensure the private key matches the public key used for encryption.
+     *
+     * @example
+     * ```typescript
+     * const decrypted = await provider.decrypt(
+     *   hexToBytes(privateKey),
+     *   encrypted
+     * );
+     * const message = new TextDecoder().decode(decrypted);
+     * ```
+     */
+    decrypt(privateKey: Uint8Array, encrypted: ECIESEncrypted): Promise<Uint8Array>;
+    /**
+     * Normalizes a public key to uncompressed format (65 bytes with 0x04 prefix).
+     *
+     * @remarks
+     * Strict policy: Only accepts properly formatted compressed (33 bytes) or
+     * uncompressed (65 bytes) public keys. Does not accept 64-byte raw coordinates
+     * to ensure data integrity and prevent masking of malformed inputs.
+     *
+     * @param publicKey - Public key in compressed or uncompressed format
+     * @returns Normalized uncompressed public key (65 bytes with 0x04 prefix)
+     * @throws {Error} When public key format is invalid, including raw coordinates (64 bytes)
+     * @throws {Error} When decompression of compressed key fails
+     *
+     * @example
+     * ```typescript
+     * // Compressed key (33 bytes)
+     * const compressed = new Uint8Array(33);
+     * compressed[0] = 0x02;
+     * const uncompressed = provider.normalizeToUncompressed(compressed);
+     * console.log(uncompressed.length); // 65
+     * console.log(uncompressed[0]); // 0x04
+     *
+     * // Already uncompressed (65 bytes)
+     * const already = provider.normalizeToUncompressed(uncompressedKey);
+     * console.log(already === uncompressedKey); // true (returns same reference)
+     *
+     * // Raw coordinates rejected (64 bytes)
+     * const raw = new Uint8Array(64);
+     * provider.normalizeToUncompressed(raw); // Throws error
+     * ```
+     */
+    normalizeToUncompressed(publicKey: Uint8Array): Uint8Array;
+}
+/**
+ * Configures ECIES operation behavior.
+ */
+interface ECIESOptions {
+    /** Use compressed public keys (33 bytes) instead of uncompressed (65 bytes) */
+    useCompressed?: boolean;
+}
+/**
+ * Represents failures in ECIES cryptographic operations.
+ *
+ * @remarks
+ * Provides specific error codes to help identify and recover from
+ * different failure scenarios.
+ *
+ * @category Errors
+ */
+declare class ECIESError extends Error {
+    readonly code: "INVALID_KEY" | "ENCRYPTION_FAILED" | "DECRYPTION_FAILED" | "MAC_MISMATCH" | "ECDH_FAILED";
+    readonly cause?: Error | undefined;
+    constructor(message: string, code: "INVALID_KEY" | "ENCRYPTION_FAILED" | "DECRYPTION_FAILED" | "MAC_MISMATCH" | "ECDH_FAILED", cause?: Error | undefined);
+}
+/**
+ * Validates if an object conforms to the ECIESEncrypted structure.
+ *
+ * @param obj - Object to validate.
+ * @returns `true` if object is a valid ECIESEncrypted structure.
+ *
+ * @example
+ * ```typescript
+ * if (isECIESEncrypted(data)) {
+ *   const decrypted = await provider.decrypt(privateKey, data);
+ * }
+ * ```
+ */
+declare function isECIESEncrypted(obj: unknown): obj is ECIESEncrypted;
+/**
+ * Serializes ECIESEncrypted to hex string for storage or transmission.
+ *
+ * @param encrypted - Encrypted data structure from `encrypt()`.
+ * @returns Hex string representation.
+ *
+ * @example
+ * ```typescript
+ * const hexString = serializeECIES(encrypted);
+ * // Store hexString in database or send over network
+ * ```
+ */
+declare function serializeECIES(encrypted: ECIESEncrypted): string;
+/**
+ * Deserializes hex string to ECIESEncrypted structure.
+ *
+ * @param hex - Hex string from `serializeECIES()` or storage.
+ * @returns ECIESEncrypted structure ready for decryption.
+ * @throws {ECIESError} When hex string format is invalid.
+ *   Verify the hex string is complete and uncorrupted.
+ *
+ * @example
+ * ```typescript
+ * const encrypted = deserializeECIES(hexString);
+ * const decrypted = await provider.decrypt(privateKey, encrypted);
+ * ```
+ */
+declare function deserializeECIES(hex: string): ECIESEncrypted;
+
+export { type ECIESEncrypted, ECIESError, type ECIESOptions, type ECIESProvider, deserializeECIES, isECIESEncrypted, serializeECIES };

package/dist/crypto/ecies/interface.d.ts

@@ -0,0 +1,176 @@
+/**
+ * ECIES (Elliptic Curve Integrated Encryption Scheme) Interface
+ *
+ * @remarks
+ * Defines the contract for platform-specific ECIES implementations.
+ * All implementations maintain compatibility with the eccrypto format to ensure
+ * backward compatibility with existing encrypted data.
+ *
+ * **Format specification:**
+ * `[iv (16 bytes)][ephemPublicKey (65 bytes)][ciphertext (variable)][mac (32 bytes)]`
+ *
+ * @category Cryptography
+ */
+/**
+ * Represents ECIES encrypted data in eccrypto-compatible format.
+ *
+ * @remarks
+ * This structure maintains backward compatibility with data encrypted using
+ * the legacy eccrypto library.
+ */
+interface ECIESEncrypted {
+    /** Initialization vector (16 bytes) */
+    iv: Uint8Array;
+    /** Ephemeral public key (65 bytes uncompressed) */
+    ephemPublicKey: Uint8Array;
+    /** Encrypted data */
+    ciphertext: Uint8Array;
+    /** Message authentication code (32 bytes) */
+    mac: Uint8Array;
+}
+/**
+ * Provides ECIES encryption and decryption operations.
+ *
+ * @remarks
+ * Platform-specific implementations handle the underlying cryptographic primitives
+ * while maintaining consistent data format across environments.
+ *
+ * @category Cryptography
+ */
+interface ECIESProvider {
+    /**
+     * Encrypts data using ECIES with secp256k1.
+     *
+     * @param publicKey - Recipient's public key (65 bytes uncompressed or 33 bytes compressed).
+     *   Obtain via `vana.server.getIdentity(userAddress).public_key`.
+     * @param message - Data to encrypt.
+     * @returns Encrypted data structure compatible with eccrypto format.
+     * @throws {ECIESError} When public key is invalid.
+     *   Verify key format matches secp256k1 requirements.
+     *
+     * @example
+     * ```typescript
+     * const encrypted = await provider.encrypt(
+     *   hexToBytes(publicKey),
+     *   new TextEncoder().encode('sensitive data')
+     * );
+     * ```
+     */
+    encrypt(publicKey: Uint8Array, message: Uint8Array): Promise<ECIESEncrypted>;
+    /**
+     * Decrypts ECIES encrypted data.
+     *
+     * @param privateKey - Recipient's private key (32 bytes).
+     * @param encrypted - Encrypted data structure from `encrypt()` or legacy eccrypto.
+     * @returns Decrypted message as Uint8Array.
+     * @throws {ECIESError} When MAC verification fails.
+     *   Ensure the private key matches the public key used for encryption.
+     *
+     * @example
+     * ```typescript
+     * const decrypted = await provider.decrypt(
+     *   hexToBytes(privateKey),
+     *   encrypted
+     * );
+     * const message = new TextDecoder().decode(decrypted);
+     * ```
+     */
+    decrypt(privateKey: Uint8Array, encrypted: ECIESEncrypted): Promise<Uint8Array>;
+    /**
+     * Normalizes a public key to uncompressed format (65 bytes with 0x04 prefix).
+     *
+     * @remarks
+     * Strict policy: Only accepts properly formatted compressed (33 bytes) or
+     * uncompressed (65 bytes) public keys. Does not accept 64-byte raw coordinates
+     * to ensure data integrity and prevent masking of malformed inputs.
+     *
+     * @param publicKey - Public key in compressed or uncompressed format
+     * @returns Normalized uncompressed public key (65 bytes with 0x04 prefix)
+     * @throws {Error} When public key format is invalid, including raw coordinates (64 bytes)
+     * @throws {Error} When decompression of compressed key fails
+     *
+     * @example
+     * ```typescript
+     * // Compressed key (33 bytes)
+     * const compressed = new Uint8Array(33);
+     * compressed[0] = 0x02;
+     * const uncompressed = provider.normalizeToUncompressed(compressed);
+     * console.log(uncompressed.length); // 65
+     * console.log(uncompressed[0]); // 0x04
+     *
+     * // Already uncompressed (65 bytes)
+     * const already = provider.normalizeToUncompressed(uncompressedKey);
+     * console.log(already === uncompressedKey); // true (returns same reference)
+     *
+     * // Raw coordinates rejected (64 bytes)
+     * const raw = new Uint8Array(64);
+     * provider.normalizeToUncompressed(raw); // Throws error
+     * ```
+     */
+    normalizeToUncompressed(publicKey: Uint8Array): Uint8Array;
+}
+/**
+ * Configures ECIES operation behavior.
+ */
+interface ECIESOptions {
+    /** Use compressed public keys (33 bytes) instead of uncompressed (65 bytes) */
+    useCompressed?: boolean;
+}
+/**
+ * Represents failures in ECIES cryptographic operations.
+ *
+ * @remarks
+ * Provides specific error codes to help identify and recover from
+ * different failure scenarios.
+ *
+ * @category Errors
+ */
+declare class ECIESError extends Error {
+    readonly code: "INVALID_KEY" | "ENCRYPTION_FAILED" | "DECRYPTION_FAILED" | "MAC_MISMATCH" | "ECDH_FAILED";
+    readonly cause?: Error | undefined;
+    constructor(message: string, code: "INVALID_KEY" | "ENCRYPTION_FAILED" | "DECRYPTION_FAILED" | "MAC_MISMATCH" | "ECDH_FAILED", cause?: Error | undefined);
+}
+/**
+ * Validates if an object conforms to the ECIESEncrypted structure.
+ *
+ * @param obj - Object to validate.
+ * @returns `true` if object is a valid ECIESEncrypted structure.
+ *
+ * @example
+ * ```typescript
+ * if (isECIESEncrypted(data)) {
+ *   const decrypted = await provider.decrypt(privateKey, data);
+ * }
+ * ```
+ */
+declare function isECIESEncrypted(obj: unknown): obj is ECIESEncrypted;
+/**
+ * Serializes ECIESEncrypted to hex string for storage or transmission.
+ *
+ * @param encrypted - Encrypted data structure from `encrypt()`.
+ * @returns Hex string representation.
+ *
+ * @example
+ * ```typescript
+ * const hexString = serializeECIES(encrypted);
+ * // Store hexString in database or send over network
+ * ```
+ */
+declare function serializeECIES(encrypted: ECIESEncrypted): string;
+/**
+ * Deserializes hex string to ECIESEncrypted structure.
+ *
+ * @param hex - Hex string from `serializeECIES()` or storage.
+ * @returns ECIESEncrypted structure ready for decryption.
+ * @throws {ECIESError} When hex string format is invalid.
+ *   Verify the hex string is complete and uncorrupted.
+ *
+ * @example
+ * ```typescript
+ * const encrypted = deserializeECIES(hexString);
+ * const decrypted = await provider.decrypt(privateKey, encrypted);
+ * ```
+ */
+declare function deserializeECIES(hex: string): ECIESEncrypted;
+
+export { type ECIESEncrypted, ECIESError, type ECIESOptions, type ECIESProvider, deserializeECIES, isECIESEncrypted, serializeECIES };

package/dist/crypto/ecies/interface.js

@@ -0,0 +1,61 @@
+import { CIPHER, CURVE, MAC, FORMAT } from "./constants";
+class ECIESError extends Error {
+  constructor(message, code, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+    this.name = "ECIESError";
+  }
+}
+function isECIESEncrypted(obj) {
+  if (!obj || typeof obj !== "object") return false;
+  const enc = obj;
+  const isUint8Array = (value) => {
+    return value instanceof Uint8Array || typeof Buffer !== "undefined" && Buffer.isBuffer(value);
+  };
+  return isUint8Array(enc.iv) && enc.iv.length === CIPHER.IV_LENGTH && isUint8Array(enc.ephemPublicKey) && (enc.ephemPublicKey.length === CURVE.UNCOMPRESSED_PUBLIC_KEY_LENGTH || enc.ephemPublicKey.length === CURVE.COMPRESSED_PUBLIC_KEY_LENGTH) && isUint8Array(enc.ciphertext) && enc.ciphertext.length > 0 && isUint8Array(enc.mac) && enc.mac.length === MAC.LENGTH;
+}
+function serializeECIES(encrypted) {
+  const combined = new Uint8Array(
+    encrypted.iv.length + encrypted.ephemPublicKey.length + encrypted.ciphertext.length + encrypted.mac.length
+  );
+  let offset = 0;
+  combined.set(encrypted.iv, offset);
+  offset += encrypted.iv.length;
+  combined.set(encrypted.ephemPublicKey, offset);
+  offset += encrypted.ephemPublicKey.length;
+  combined.set(encrypted.ciphertext, offset);
+  offset += encrypted.ciphertext.length;
+  combined.set(encrypted.mac, offset);
+  return Array.from(combined).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function deserializeECIES(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
+  }
+  const ephemKeySize = bytes[FORMAT.EPHEMERAL_KEY_OFFSET] === CURVE.PREFIX.UNCOMPRESSED ? CURVE.UNCOMPRESSED_PUBLIC_KEY_LENGTH : CURVE.COMPRESSED_PUBLIC_KEY_LENGTH;
+  const minLength = FORMAT.IV_LENGTH + ephemKeySize + MAC.LENGTH + 1;
+  if (bytes.length < minLength) {
+    throw new ECIESError("Invalid ECIES data: too short", "DECRYPTION_FAILED");
+  }
+  return {
+    iv: bytes.subarray(FORMAT.IV_OFFSET, FORMAT.IV_OFFSET + FORMAT.IV_LENGTH),
+    ephemPublicKey: bytes.subarray(
+      FORMAT.EPHEMERAL_KEY_OFFSET,
+      FORMAT.EPHEMERAL_KEY_OFFSET + ephemKeySize
+    ),
+    ciphertext: bytes.subarray(
+      FORMAT.EPHEMERAL_KEY_OFFSET + ephemKeySize,
+      bytes.length - MAC.LENGTH
+    ),
+    mac: bytes.subarray(bytes.length - MAC.LENGTH)
+  };
+}
+export {
+  ECIESError,
+  deserializeECIES,
+  isECIESEncrypted,
+  serializeECIES
+};
+//# sourceMappingURL=interface.js.map

package/dist/crypto/ecies/interface.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/crypto/ecies/interface.ts"],"sourcesContent":["/**\n * ECIES (Elliptic Curve Integrated Encryption Scheme) Interface\n *\n * @remarks\n * Defines the contract for platform-specific ECIES implementations.\n * All implementations maintain compatibility with the eccrypto format to ensure\n * backward compatibility with existing encrypted data.\n *\n * **Format specification:**\n * `[iv (16 bytes)][ephemPublicKey (65 bytes)][ciphertext (variable)][mac (32 bytes)]`\n *\n * @category Cryptography\n */\n\nimport { CIPHER, CURVE, MAC, FORMAT } from \"./constants\";\n\n/**\n * Represents ECIES encrypted data in eccrypto-compatible format.\n *\n * @remarks\n * This structure maintains backward compatibility with data encrypted using\n * the legacy eccrypto library.\n */\nexport interface ECIESEncrypted {\n  /** Initialization vector (16 bytes) */\n  iv: Uint8Array;\n  /** Ephemeral public key (65 bytes uncompressed) */\n  ephemPublicKey: Uint8Array;\n  /** Encrypted data */\n  ciphertext: Uint8Array;\n  /** Message authentication code (32 bytes) */\n  mac: Uint8Array;\n}\n\n/**\n * Provides ECIES encryption and decryption operations.\n *\n * @remarks\n * Platform-specific implementations handle the underlying cryptographic primitives\n * while maintaining consistent data format across environments.\n *\n * @category Cryptography\n */\nexport interface ECIESProvider {\n  /**\n   * Encrypts data using ECIES with secp256k1.\n   *\n   * @param publicKey - Recipient's public key (65 bytes uncompressed or 33 bytes compressed).\n   *   Obtain via `vana.server.getIdentity(userAddress).public_key`.\n   * @param message - Data to encrypt.\n   * @returns Encrypted data structure compatible with eccrypto format.\n   * @throws {ECIESError} When public key is invalid.\n   *   Verify key format matches secp256k1 requirements.\n   *\n   * @example\n   * ```typescript\n   * const encrypted = await provider.encrypt(\n   *   hexToBytes(publicKey),\n   *   new TextEncoder().encode('sensitive data')\n   * );\n   * ```\n   */\n  encrypt(publicKey: Uint8Array, message: Uint8Array): Promise<ECIESEncrypted>;\n\n  /**\n   * Decrypts ECIES encrypted data.\n   *\n   * @param privateKey - Recipient's private key (32 bytes).\n   * @param encrypted - Encrypted data structure from `encrypt()` or legacy eccrypto.\n   * @returns Decrypted message as Uint8Array.\n   * @throws {ECIESError} When MAC verification fails.\n   *   Ensure the private key matches the public key used for encryption.\n   *\n   * @example\n   * ```typescript\n   * const decrypted = await provider.decrypt(\n   *   hexToBytes(privateKey),\n   *   encrypted\n   * );\n   * const message = new TextDecoder().decode(decrypted);\n   * ```\n   */\n  decrypt(\n    privateKey: Uint8Array,\n    encrypted: ECIESEncrypted,\n  ): Promise<Uint8Array>;\n\n  /**\n   * Normalizes a public key to uncompressed format (65 bytes with 0x04 prefix).\n   *\n   * @remarks\n   * Strict policy: Only accepts properly formatted compressed (33 bytes) or\n   * uncompressed (65 bytes) public keys. Does not accept 64-byte raw coordinates\n   * to ensure data integrity and prevent masking of malformed inputs.\n   *\n   * @param publicKey - Public key in compressed or uncompressed format\n   * @returns Normalized uncompressed public key (65 bytes with 0x04 prefix)\n   * @throws {Error} When public key format is invalid, including raw coordinates (64 bytes)\n   * @throws {Error} When decompression of compressed key fails\n   *\n   * @example\n   * ```typescript\n   * // Compressed key (33 bytes)\n   * const compressed = new Uint8Array(33);\n   * compressed[0] = 0x02;\n   * const uncompressed = provider.normalizeToUncompressed(compressed);\n   * console.log(uncompressed.length); // 65\n   * console.log(uncompressed[0]); // 0x04\n   *\n   * // Already uncompressed (65 bytes)\n   * const already = provider.normalizeToUncompressed(uncompressedKey);\n   * console.log(already === uncompressedKey); // true (returns same reference)\n   *\n   * // Raw coordinates rejected (64 bytes)\n   * const raw = new Uint8Array(64);\n   * provider.normalizeToUncompressed(raw); // Throws error\n   * ```\n   */\n  normalizeToUncompressed(publicKey: Uint8Array): Uint8Array;\n}\n\n/**\n * Configures ECIES operation behavior.\n */\nexport interface ECIESOptions {\n  /** Use compressed public keys (33 bytes) instead of uncompressed (65 bytes) */\n  useCompressed?: boolean;\n}\n\n/**\n * Represents failures in ECIES cryptographic operations.\n *\n * @remarks\n * Provides specific error codes to help identify and recover from\n * different failure scenarios.\n *\n * @category Errors\n */\nexport class ECIESError extends Error {\n  constructor(\n    message: string,\n    public readonly code:\n      | \"INVALID_KEY\"\n      | \"ENCRYPTION_FAILED\"\n      | \"DECRYPTION_FAILED\"\n      | \"MAC_MISMATCH\"\n      | \"ECDH_FAILED\",\n    public override readonly cause?: Error,\n  ) {\n    super(message);\n    this.name = \"ECIESError\";\n  }\n}\n\n/**\n * Validates if an object conforms to the ECIESEncrypted structure.\n *\n * @param obj - Object to validate.\n * @returns `true` if object is a valid ECIESEncrypted structure.\n *\n * @example\n * ```typescript\n * if (isECIESEncrypted(data)) {\n *   const decrypted = await provider.decrypt(privateKey, data);\n * }\n * ```\n */\nexport function isECIESEncrypted(obj: unknown): obj is ECIESEncrypted {\n  if (!obj || typeof obj !== \"object\") return false;\n  const enc = obj as Record<string, unknown>;\n\n  const isUint8Array = (value: unknown): value is Uint8Array => {\n    return (\n      value instanceof Uint8Array ||\n      (typeof Buffer !== \"undefined\" && Buffer.isBuffer(value))\n    );\n  };\n\n  return (\n    isUint8Array(enc.iv) &&\n    enc.iv.length === CIPHER.IV_LENGTH &&\n    isUint8Array(enc.ephemPublicKey) &&\n    (enc.ephemPublicKey.length === CURVE.UNCOMPRESSED_PUBLIC_KEY_LENGTH ||\n      enc.ephemPublicKey.length === CURVE.COMPRESSED_PUBLIC_KEY_LENGTH) &&\n    isUint8Array(enc.ciphertext) &&\n    enc.ciphertext.length > 0 &&\n    isUint8Array(enc.mac) &&\n    enc.mac.length === MAC.LENGTH\n  );\n}\n\n/**\n * Serializes ECIESEncrypted to hex string for storage or transmission.\n *\n * @param encrypted - Encrypted data structure from `encrypt()`.\n * @returns Hex string representation.\n *\n * @example\n * ```typescript\n * const hexString = serializeECIES(encrypted);\n * // Store hexString in database or send over network\n * ```\n */\nexport function serializeECIES(encrypted: ECIESEncrypted): string {\n  const combined = new Uint8Array(\n    encrypted.iv.length +\n      encrypted.ephemPublicKey.length +\n      encrypted.ciphertext.length +\n      encrypted.mac.length,\n  );\n\n  let offset = 0;\n  combined.set(encrypted.iv, offset);\n  offset += encrypted.iv.length;\n  combined.set(encrypted.ephemPublicKey, offset);\n  offset += encrypted.ephemPublicKey.length;\n  combined.set(encrypted.ciphertext, offset);\n  offset += encrypted.ciphertext.length;\n  combined.set(encrypted.mac, offset);\n\n  return Array.from(combined)\n    .map((b) => b.toString(16).padStart(2, \"0\"))\n    .join(\"\");\n}\n\n/**\n * Deserializes hex string to ECIESEncrypted structure.\n *\n * @param hex - Hex string from `serializeECIES()` or storage.\n * @returns ECIESEncrypted structure ready for decryption.\n * @throws {ECIESError} When hex string format is invalid.\n *   Verify the hex string is complete and uncorrupted.\n *\n * @example\n * ```typescript\n * const encrypted = deserializeECIES(hexString);\n * const decrypted = await provider.decrypt(privateKey, encrypted);\n * ```\n */\nexport function deserializeECIES(hex: string): ECIESEncrypted {\n  const bytes = new Uint8Array(hex.length / 2);\n  for (let i = 0; i < hex.length; i += 2) {\n    bytes[i / 2] = parseInt(hex.substr(i, 2), 16);\n  }\n\n  // Determine ephemPublicKey size based on prefix\n  const ephemKeySize =\n    bytes[FORMAT.EPHEMERAL_KEY_OFFSET] === CURVE.PREFIX.UNCOMPRESSED\n      ? CURVE.UNCOMPRESSED_PUBLIC_KEY_LENGTH\n      : CURVE.COMPRESSED_PUBLIC_KEY_LENGTH;\n\n  const minLength = FORMAT.IV_LENGTH + ephemKeySize + MAC.LENGTH + 1; // +1 for at least 1 byte of ciphertext\n  if (bytes.length < minLength) {\n    throw new ECIESError(\"Invalid ECIES data: too short\", \"DECRYPTION_FAILED\");\n  }\n\n  return {\n    iv: bytes.subarray(FORMAT.IV_OFFSET, FORMAT.IV_OFFSET + FORMAT.IV_LENGTH),\n    ephemPublicKey: bytes.subarray(\n      FORMAT.EPHEMERAL_KEY_OFFSET,\n      FORMAT.EPHEMERAL_KEY_OFFSET + ephemKeySize,\n    ),\n    ciphertext: bytes.subarray(\n      FORMAT.EPHEMERAL_KEY_OFFSET + ephemKeySize,\n      bytes.length - MAC.LENGTH,\n    ),\n    mac: bytes.subarray(bytes.length - MAC.LENGTH),\n  };\n}\n"],"mappings":"AAcA,SAAS,QAAQ,OAAO,KAAK,cAAc;AA4HpC,MAAM,mBAAmB,MAAM;AAAA,EACpC,YACE,SACgB,MAMS,OACzB;AACA,UAAM,OAAO;AARG;AAMS;AAGzB,SAAK,OAAO;AAAA,EACd;AACF;AAeO,SAAS,iBAAiB,KAAqC;AACpE,MAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;AAC5C,QAAM,MAAM;AAEZ,QAAM,eAAe,CAAC,UAAwC;AAC5D,WACE,iBAAiB,cAChB,OAAO,WAAW,eAAe,OAAO,SAAS,KAAK;AAAA,EAE3D;AAEA,SACE,aAAa,IAAI,EAAE,KACnB,IAAI,GAAG,WAAW,OAAO,aACzB,aAAa,IAAI,cAAc,MAC9B,IAAI,eAAe,WAAW,MAAM,kCACnC,IAAI,eAAe,WAAW,MAAM,iCACtC,aAAa,IAAI,UAAU,KAC3B,IAAI,WAAW,SAAS,KACxB,aAAa,IAAI,GAAG,KACpB,IAAI,IAAI,WAAW,IAAI;AAE3B;AAcO,SAAS,eAAe,WAAmC;AAChE,QAAM,WAAW,IAAI;AAAA,IACnB,UAAU,GAAG,SACX,UAAU,eAAe,SACzB,UAAU,WAAW,SACrB,UAAU,IAAI;AAAA,EAClB;AAEA,MAAI,SAAS;AACb,WAAS,IAAI,UAAU,IAAI,MAAM;AACjC,YAAU,UAAU,GAAG;AACvB,WAAS,IAAI,UAAU,gBAAgB,MAAM;AAC7C,YAAU,UAAU,eAAe;AACnC,WAAS,IAAI,UAAU,YAAY,MAAM;AACzC,YAAU,UAAU,WAAW;AAC/B,WAAS,IAAI,UAAU,KAAK,MAAM;AAElC,SAAO,MAAM,KAAK,QAAQ,EACvB,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAgBO,SAAS,iBAAiB,KAA6B;AAC5D,QAAM,QAAQ,IAAI,WAAW,IAAI,SAAS,CAAC;AAC3C,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK,GAAG;AACtC,UAAM,IAAI,CAAC,IAAI,SAAS,IAAI,OAAO,GAAG,CAAC,GAAG,EAAE;AAAA,EAC9C;AAGA,QAAM,eACJ,MAAM,OAAO,oBAAoB,MAAM,MAAM,OAAO,eAChD,MAAM,iCACN,MAAM;AAEZ,QAAM,YAAY,OAAO,YAAY,eAAe,IAAI,SAAS;AACjE,MAAI,MAAM,SAAS,WAAW;AAC5B,UAAM,IAAI,WAAW,iCAAiC,mBAAmB;AAAA,EAC3E;AAEA,SAAO;AAAA,IACL,IAAI,MAAM,SAAS,OAAO,WAAW,OAAO,YAAY,OAAO,SAAS;AAAA,IACxE,gBAAgB,MAAM;AAAA,MACpB,OAAO;AAAA,MACP,OAAO,uBAAuB;AAAA,IAChC;AAAA,IACA,YAAY,MAAM;AAAA,MAChB,OAAO,uBAAuB;AAAA,MAC9B,MAAM,SAAS,IAAI;AAAA,IACrB;AAAA,IACA,KAAK,MAAM,SAAS,MAAM,SAAS,IAAI,MAAM;AAAA,EAC/C;AACF;","names":[]}

package/dist/crypto/ecies/node.cjs

@@ -0,0 +1,166 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var node_exports = {};
+__export(node_exports, {
+  NodeECIESUint8Provider: () => NodeECIESUint8Provider
+});
+module.exports = __toCommonJS(node_exports);
+var import_crypto = require("crypto");
+var import_secp256k1 = __toESM(require("secp256k1"), 1);
+var import_base = require("./base");
+const secp256k1 = import_secp256k1.default;
+class NodeECIESUint8Provider extends import_base.BaseECIESUint8 {
+  // Identity hash function for ECDH - returns raw X coordinate
+  // CRITICAL: Must handle (x, y, output) signature correctly
+  identityHashFn = (x, y, output) => {
+    if (output && output.length >= 32) {
+      output.set(x);
+      return output;
+    }
+    return x;
+  };
+  generateRandomBytes(length) {
+    return new Uint8Array((0, import_crypto.randomBytes)(length));
+  }
+  verifyPrivateKey(privateKey) {
+    return secp256k1.privateKeyVerify(Buffer.from(privateKey)) === true;
+  }
+  createPublicKey(privateKey, compressed) {
+    try {
+      return new Uint8Array(
+        secp256k1.publicKeyCreate(Buffer.from(privateKey), compressed)
+      );
+    } catch {
+      return null;
+    }
+  }
+  validatePublicKey(publicKey) {
+    return secp256k1.publicKeyVerify(Buffer.from(publicKey)) === true;
+  }
+  decompressPublicKey(publicKey) {
+    try {
+      return new Uint8Array(
+        secp256k1.publicKeyConvert(Buffer.from(publicKey), false)
+      );
+    } catch {
+      return null;
+    }
+  }
+  performECDH(publicKey, privateKey) {
+    try {
+      const output = Buffer.alloc(32);
+      secp256k1.ecdh(
+        Buffer.from(publicKey),
+        Buffer.from(privateKey),
+        { hashfn: this.identityHashFn },
+        output
+      );
+      return new Uint8Array(output);
+    } catch (error) {
+      throw new Error(
+        `ECDH failed: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  sha512(data) {
+    return new Uint8Array(
+      (0, import_crypto.createHash)("sha512").update(Buffer.from(data)).digest()
+    );
+  }
+  hmacSha256(key, data) {
+    return new Uint8Array(
+      (0, import_crypto.createHmac)("sha256", Buffer.from(key)).update(Buffer.from(data)).digest()
+    );
+  }
+  async aesEncrypt(key, iv, plaintext) {
+    const cipher = (0, import_crypto.createCipheriv)(
+      "aes-256-cbc",
+      Buffer.from(key),
+      Buffer.from(iv)
+    );
+    const encrypted = Buffer.concat([
+      cipher.update(Buffer.from(plaintext)),
+      cipher.final()
+    ]);
+    return new Uint8Array(encrypted);
+  }
+  async aesDecrypt(key, iv, ciphertext) {
+    const decipher = (0, import_crypto.createDecipheriv)(
+      "aes-256-cbc",
+      Buffer.from(key),
+      Buffer.from(iv)
+    );
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(ciphertext)),
+      decipher.final()
+    ]);
+    return new Uint8Array(decrypted);
+  }
+  // No Buffer compatibility methods - Uint8Array only public API
+  /**
+   * Normalizes a public key to uncompressed format (65 bytes with 0x04 prefix).
+   * Handles compressed (33 bytes) and uncompressed (65 bytes) formats only.
+   *
+   * @remarks
+   * Strict policy: Does not accept 64-byte raw coordinates to avoid masking
+   * malformed data. Callers must provide properly formatted keys.
+   *
+   * @param publicKey - The public key to normalize (33 or 65 bytes)
+   * @returns The normalized uncompressed public key (65 bytes)
+   * @throws {Error} When public key format is invalid or decompression fails
+   */
+  normalizeToUncompressed(publicKey) {
+    const len = publicKey.length;
+    if (len === 65 && publicKey[0] === 4) {
+      return publicKey;
+    }
+    if (len === 33 && (publicKey[0] === 2 || publicKey[0] === 3)) {
+      const decompressed = this.decompressPublicKey(publicKey);
+      if (!decompressed) {
+        throw new Error(
+          `Failed to decompress public key with prefix 0x${publicKey[0].toString(16).padStart(2, "0")}`
+        );
+      }
+      return decompressed;
+    }
+    if (len === 64) {
+      throw new Error(
+        "Raw public key coordinates (64 bytes) are not accepted. Please provide a properly formatted compressed (33 bytes) or uncompressed (65 bytes) public key."
+      );
+    }
+    throw new Error(
+      `Invalid public key format: expected compressed (33 bytes) or uncompressed (65 bytes), got ${len} bytes`
+    );
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  NodeECIESUint8Provider
+});
+//# sourceMappingURL=node.cjs.map

package/dist/crypto/ecies/node.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/crypto/ecies/node.ts"],"sourcesContent":["/**\n * Node.js implementation of ECIES using native secp256k1 for performance\n *\n * @remarks\n * Uses native secp256k1 bindings for all elliptic curve operations.\n * Uses Node.js crypto module for hashing and AES operations.\n * Provides Uint8Array-only interface with no Buffer exposure.\n */\n\nimport {\n  randomBytes,\n  createHash,\n  createHmac,\n  createCipheriv,\n  createDecipheriv,\n} from \"crypto\";\nimport secp256k1Import from \"secp256k1\";\nimport { BaseECIESUint8 } from \"./base\";\n\n// Type definition for secp256k1 module\ninterface Secp256k1Module {\n  privateKeyVerify(privateKey: Buffer): boolean;\n  publicKeyCreate(privateKey: Buffer, compressed: boolean): Buffer;\n  publicKeyVerify(publicKey: Buffer): boolean;\n  publicKeyConvert(publicKey: Buffer, compressed: boolean): Buffer;\n  ecdh(\n    publicKey: Buffer,\n    privateKey: Buffer,\n    options: {\n      hashfn: (x: Uint8Array, y: Uint8Array, output?: Uint8Array) => Uint8Array;\n    },\n    output: Buffer,\n  ): Buffer;\n}\n\n// Use the imported secp256k1 module\nconst secp256k1 = secp256k1Import as unknown as Secp256k1Module;\n\n/**\n * Node.js-specific ECIES provider using native secp256k1\n *\n * @remarks\n * This implementation:\n * - Uses native secp256k1 for all EC operations (optimal performance)\n * - Uses Node.js crypto for SHA-512, HMAC, and AES operations\n * - Internally works with Uint8Array\n * - Only uses Buffer at crypto API boundaries\n */\nexport class NodeECIESUint8Provider extends BaseECIESUint8 {\n  // Identity hash function for ECDH - returns raw X coordinate\n  // CRITICAL: Must handle (x, y, output) signature correctly\n  private readonly identityHashFn = (\n    x: Uint8Array,\n    y: Uint8Array,\n    output?: Uint8Array,\n  ): Uint8Array => {\n    // Copy x into output buffer if provided (prevents allocations)\n    if (output && output.length >= 32) {\n      output.set(x);\n      return output;\n    }\n    return x;\n  };\n  protected generateRandomBytes(length: number): Uint8Array {\n    return new Uint8Array(randomBytes(length));\n  }\n\n  protected verifyPrivateKey(privateKey: Uint8Array): boolean {\n    // Native secp256k1 returns true for valid, false for invalid\n    return secp256k1.privateKeyVerify(Buffer.from(privateKey)) === true;\n  }\n\n  protected createPublicKey(\n    privateKey: Uint8Array,\n    compressed: boolean,\n  ): Uint8Array | null {\n    try {\n      return new Uint8Array(\n        secp256k1.publicKeyCreate(Buffer.from(privateKey), compressed),\n      );\n    } catch {\n      return null;\n    }\n  }\n\n  protected validatePublicKey(publicKey: Uint8Array): boolean {\n    // Native secp256k1 returns true for valid, false for invalid\n    return secp256k1.publicKeyVerify(Buffer.from(publicKey)) === true;\n  }\n\n  protected decompressPublicKey(publicKey: Uint8Array): Uint8Array | null {\n    try {\n      // Convert to uncompressed format (65 bytes)\n      return new Uint8Array(\n        secp256k1.publicKeyConvert(Buffer.from(publicKey), false),\n      );\n    } catch {\n      return null;\n    }\n  }\n\n  protected performECDH(\n    publicKey: Uint8Array,\n    privateKey: Uint8Array,\n  ): Uint8Array {\n    try {\n      // Use pre-allocated buffer for output (32 bytes)\n      const output = Buffer.alloc(32);\n\n      // CRITICAL: Use identity hash to get raw X coordinate\n      // Default would apply SHA256 and break compatibility\n      secp256k1.ecdh(\n        Buffer.from(publicKey),\n        Buffer.from(privateKey),\n        { hashfn: this.identityHashFn },\n        output,\n      );\n\n      return new Uint8Array(output);\n    } catch (error) {\n      throw new Error(\n        `ECDH failed: ${error instanceof Error ? error.message : \"Unknown error\"}`,\n      );\n    }\n  }\n\n  protected sha512(data: Uint8Array): Uint8Array {\n    // Use Node.js crypto for native performance\n    return new Uint8Array(\n      createHash(\"sha512\").update(Buffer.from(data)).digest(),\n    );\n  }\n\n  protected hmacSha256(key: Uint8Array, data: Uint8Array): Uint8Array {\n    // Use Node.js crypto for native performance\n    return new Uint8Array(\n      createHmac(\"sha256\", Buffer.from(key)).update(Buffer.from(data)).digest(),\n    );\n  }\n\n  protected async aesEncrypt(\n    key: Uint8Array,\n    iv: Uint8Array,\n    plaintext: Uint8Array,\n  ): Promise<Uint8Array> {\n    const cipher = createCipheriv(\n      \"aes-256-cbc\",\n      Buffer.from(key),\n      Buffer.from(iv),\n    );\n    const encrypted = Buffer.concat([\n      cipher.update(Buffer.from(plaintext)),\n      cipher.final(),\n    ]);\n    return new Uint8Array(encrypted);\n  }\n\n  protected async aesDecrypt(\n    key: Uint8Array,\n    iv: Uint8Array,\n    ciphertext: Uint8Array,\n  ): Promise<Uint8Array> {\n    const decipher = createDecipheriv(\n      \"aes-256-cbc\",\n      Buffer.from(key),\n      Buffer.from(iv),\n    );\n    const decrypted = Buffer.concat([\n      decipher.update(Buffer.from(ciphertext)),\n      decipher.final(),\n    ]);\n    return new Uint8Array(decrypted);\n  }\n\n  // No Buffer compatibility methods - Uint8Array only public API\n\n  /**\n   * Normalizes a public key to uncompressed format (65 bytes with 0x04 prefix).\n   * Handles compressed (33 bytes) and uncompressed (65 bytes) formats only.\n   *\n   * @remarks\n   * Strict policy: Does not accept 64-byte raw coordinates to avoid masking\n   * malformed data. Callers must provide properly formatted keys.\n   *\n   * @param publicKey - The public key to normalize (33 or 65 bytes)\n   * @returns The normalized uncompressed public key (65 bytes)\n   * @throws {Error} When public key format is invalid or decompression fails\n   */\n  normalizeToUncompressed(publicKey: Uint8Array): Uint8Array {\n    const len = publicKey.length;\n\n    // Already uncompressed\n    if (len === 65 && publicKey[0] === 0x04) {\n      return publicKey;\n    }\n\n    // Compressed - decompress using secp256k1\n    if (len === 33 && (publicKey[0] === 0x02 || publicKey[0] === 0x03)) {\n      const decompressed = this.decompressPublicKey(publicKey);\n      if (!decompressed) {\n        throw new Error(\n          `Failed to decompress public key with prefix 0x${publicKey[0].toString(16).padStart(2, \"0\")}`,\n        );\n      }\n      return decompressed;\n    }\n\n    // Reject raw coordinates (64 bytes) - require proper formatting\n    if (len === 64) {\n      throw new Error(\n        \"Raw public key coordinates (64 bytes) are not accepted. \" +\n          \"Please provide a properly formatted compressed (33 bytes) or uncompressed (65 bytes) public key.\",\n      );\n    }\n\n    throw new Error(\n      `Invalid public key format: expected compressed (33 bytes) or uncompressed (65 bytes), got ${len} bytes`,\n    );\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AASA,oBAMO;AACP,uBAA4B;AAC5B,kBAA+B;AAmB/B,MAAM,YAAY,iBAAAA;AAYX,MAAM,+BAA+B,2BAAe;AAAA;AAAA;AAAA,EAGxC,iBAAiB,CAChC,GACA,GACA,WACe;AAEf,QAAI,UAAU,OAAO,UAAU,IAAI;AACjC,aAAO,IAAI,CAAC;AACZ,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AAAA,EACU,oBAAoB,QAA4B;AACxD,WAAO,IAAI,eAAW,2BAAY,MAAM,CAAC;AAAA,EAC3C;AAAA,EAEU,iBAAiB,YAAiC;AAE1D,WAAO,UAAU,iBAAiB,OAAO,KAAK,UAAU,CAAC,MAAM;AAAA,EACjE;AAAA,EAEU,gBACR,YACA,YACmB;AACnB,QAAI;AACF,aAAO,IAAI;AAAA,QACT,UAAU,gBAAgB,OAAO,KAAK,UAAU,GAAG,UAAU;AAAA,MAC/D;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEU,kBAAkB,WAAgC;AAE1D,WAAO,UAAU,gBAAgB,OAAO,KAAK,SAAS,CAAC,MAAM;AAAA,EAC/D;AAAA,EAEU,oBAAoB,WAA0C;AACtE,QAAI;AAEF,aAAO,IAAI;AAAA,QACT,UAAU,iBAAiB,OAAO,KAAK,SAAS,GAAG,KAAK;AAAA,MAC1D;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEU,YACR,WACA,YACY;AACZ,QAAI;AAEF,YAAM,SAAS,OAAO,MAAM,EAAE;AAI9B,gBAAU;AAAA,QACR,OAAO,KAAK,SAAS;AAAA,QACrB,OAAO,KAAK,UAAU;AAAA,QACtB,EAAE,QAAQ,KAAK,eAAe;AAAA,QAC9B;AAAA,MACF;AAEA,aAAO,IAAI,WAAW,MAAM;AAAA,IAC9B,SAAS,OAAO;AACd,YAAM,IAAI;AAAA,QACR,gBAAgB,iBAAiB,QAAQ,MAAM,UAAU,eAAe;AAAA,MAC1E;AAAA,IACF;AAAA,EACF;AAAA,EAEU,OAAO,MAA8B;AAE7C,WAAO,IAAI;AAAA,UACT,0BAAW,QAAQ,EAAE,OAAO,OAAO,KAAK,IAAI,CAAC,EAAE,OAAO;AAAA,IACxD;AAAA,EACF;AAAA,EAEU,WAAW,KAAiB,MAA8B;AAElE,WAAO,IAAI;AAAA,UACT,0BAAW,UAAU,OAAO,KAAK,GAAG,CAAC,EAAE,OAAO,OAAO,KAAK,IAAI,CAAC,EAAE,OAAO;AAAA,IAC1E;AAAA,EACF;AAAA,EAEA,MAAgB,WACd,KACA,IACA,WACqB;AACrB,UAAM,aAAS;AAAA,MACb;AAAA,MACA,OAAO,KAAK,GAAG;AAAA,MACf,OAAO,KAAK,EAAE;AAAA,IAChB;AACA,UAAM,YAAY,OAAO,OAAO;AAAA,MAC9B,OAAO,OAAO,OAAO,KAAK,SAAS,CAAC;AAAA,MACpC,OAAO,MAAM;AAAA,IACf,CAAC;AACD,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC;AAAA,EAEA,MAAgB,WACd,KACA,IACA,YACqB;AACrB,UAAM,eAAW;AAAA,MACf;AAAA,MACA,OAAO,KAAK,GAAG;AAAA,MACf,OAAO,KAAK,EAAE;AAAA,IAChB;AACA,UAAM,YAAY,OAAO,OAAO;AAAA,MAC9B,SAAS,OAAO,OAAO,KAAK,UAAU,CAAC;AAAA,MACvC,SAAS,MAAM;AAAA,IACjB,CAAC;AACD,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,wBAAwB,WAAmC;AACzD,UAAM,MAAM,UAAU;AAGtB,QAAI,QAAQ,MAAM,UAAU,CAAC,MAAM,GAAM;AACvC,aAAO;AAAA,IACT;AAGA,QAAI,QAAQ,OAAO,UAAU,CAAC,MAAM,KAAQ,UAAU,CAAC,MAAM,IAAO;AAClE,YAAM,eAAe,KAAK,oBAAoB,SAAS;AACvD,UAAI,CAAC,cAAc;AACjB,cAAM,IAAI;AAAA,UACR,iDAAiD,UAAU,CAAC,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC;AAAA,QAC7F;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAGA,QAAI,QAAQ,IAAI;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AAEA,UAAM,IAAI;AAAA,MACR,6FAA6F,GAAG;AAAA,IAClG;AAAA,EACF;AACF;","names":["secp256k1Import"]}

package/dist/crypto/ecies/node.d.cts

@@ -0,0 +1,50 @@
+import { BaseECIESUint8 } from './base.cjs';
+import './interface.cjs';
+
+/**
+ * Node.js implementation of ECIES using native secp256k1 for performance
+ *
+ * @remarks
+ * Uses native secp256k1 bindings for all elliptic curve operations.
+ * Uses Node.js crypto module for hashing and AES operations.
+ * Provides Uint8Array-only interface with no Buffer exposure.
+ */
+
+/**
+ * Node.js-specific ECIES provider using native secp256k1
+ *
+ * @remarks
+ * This implementation:
+ * - Uses native secp256k1 for all EC operations (optimal performance)
+ * - Uses Node.js crypto for SHA-512, HMAC, and AES operations
+ * - Internally works with Uint8Array
+ * - Only uses Buffer at crypto API boundaries
+ */
+declare class NodeECIESUint8Provider extends BaseECIESUint8 {
+    private readonly identityHashFn;
+    protected generateRandomBytes(length: number): Uint8Array;
+    protected verifyPrivateKey(privateKey: Uint8Array): boolean;
+    protected createPublicKey(privateKey: Uint8Array, compressed: boolean): Uint8Array | null;
+    protected validatePublicKey(publicKey: Uint8Array): boolean;
+    protected decompressPublicKey(publicKey: Uint8Array): Uint8Array | null;
+    protected performECDH(publicKey: Uint8Array, privateKey: Uint8Array): Uint8Array;
+    protected sha512(data: Uint8Array): Uint8Array;
+    protected hmacSha256(key: Uint8Array, data: Uint8Array): Uint8Array;
+    protected aesEncrypt(key: Uint8Array, iv: Uint8Array, plaintext: Uint8Array): Promise<Uint8Array>;
+    protected aesDecrypt(key: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Normalizes a public key to uncompressed format (65 bytes with 0x04 prefix).
+     * Handles compressed (33 bytes) and uncompressed (65 bytes) formats only.
+     *
+     * @remarks
+     * Strict policy: Does not accept 64-byte raw coordinates to avoid masking
+     * malformed data. Callers must provide properly formatted keys.
+     *
+     * @param publicKey - The public key to normalize (33 or 65 bytes)
+     * @returns The normalized uncompressed public key (65 bytes)
+     * @throws {Error} When public key format is invalid or decompression fails
+     */
+    normalizeToUncompressed(publicKey: Uint8Array): Uint8Array;
+}
+
+export { NodeECIESUint8Provider };