@optimystic/quereus-plugin-crypto 0.2.0 → 0.3.1

package/dist/plugin.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/crypto.ts","../src/plugin.ts"],"names":["uint8ArrayFromString","uint8ArrayToString"],"mappings":";;;;;;;;;;AAwBA,SAAS,OAAA,CAAQ,KAAA,EAA+C,QAAA,GAAqB,WAAA,EAAyB;AAC7G,EAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW;AAC1C,IAAA,OAAO,IAAI,WAAW,CAAC,CAAA;AAAA,EACxB;AAEA,EAAA,IAAI,iBAAiB,UAAA,EAAY;AAChC,IAAA,OAAO,KAAA;AAAA,EACR;AAEA,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,IAAA,QAAQ,QAAA;AAAU,MACjB,KAAK,WAAA;AACJ,QAAA,OAAOA,UAAA,CAAqB,OAAO,WAAW,CAAA;AAAA,MAC/C,KAAK,QAAA;AACJ,QAAA,OAAOA,UAAA,CAAqB,OAAO,QAAQ,CAAA;AAAA,MAC5C,KAAK,KAAA;AACJ,QAAA,OAAO,WAAW,KAAK,CAAA;AAAA,MACxB,KAAK,MAAA;AACJ,QAAA,OAAO,YAAY,KAAK,CAAA;AAAA,MACzB;AACC,QAAA,OAAOA,UAAA,CAAqB,OAAO,WAAW,CAAA;AAAA;AAChD,EACD;AAEA,EAAA,MAAM,IAAI,MAAM,oBAAoB,CAAA;AACrC;AAKA,SAAS,SAAA,CAAU,KAAA,EAAmB,QAAA,GAAqB,WAAA,EAAkC;AAC5F,EAAA,QAAQ,QAAA;AAAU,IACjB,KAAK,WAAA;AACJ,MAAA,OAAOC,QAAA,CAAmB,OAAO,WAAW,CAAA;AAAA,IAC7C,KAAK,QAAA;AACJ,MAAA,OAAOA,QAAA,CAAmB,OAAO,QAAQ,CAAA;AAAA,IAC1C,KAAK,KAAA;AACJ,MAAA,OAAO,WAAW,KAAK,CAAA;AAAA,IACxB,KAAK,MAAA;AACJ,MAAA,OAAOA,QAAA,CAAmB,OAAO,MAAM,CAAA;AAAA,IACxC,KAAK,OAAA;AACJ,MAAA,OAAO,KAAA;AAAA,IACR;AACC,MAAA,OAAOA,QAAA,CAAmB,OAAO,WAAW,CAAA;AAAA;AAE/C;AAuBO,SAAS,OACf,IAAA,EACA,SAAA,GAA2B,UAC3B,aAAA,GAA0B,WAAA,EAC1B,iBAA2B,WAAA,EACL;AACtB,EAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAEzC,EAAA,IAAI,SAAA;AACJ,EAAA,QAAQ,SAAA;AAAW,IAClB,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD;AACC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,4BAAA,EAA+B,SAAS,CAAA,CAAE,CAAA;AAAA;AAG5D,EAAA,OAAO,SAAA,CAAU,WAAW,cAAc,CAAA;AAC3C;AAqBO,SAAS,QACf,IAAA,EACA,IAAA,EACA,SAAA,GAA2B,QAAA,EAC3B,gBAA0B,WAAA,EACjB;AACT,EAAA,IAAI,IAAA,IAAQ,CAAA,IAAK,IAAA,GAAO,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,+DAA+D,CAAA;AAAA,EAChF;AAEA,EAAA,MAAM,SAAA,GAAY,QAAQ,MAAA,CAAO,IAAA,EAAM,WAAW,aAAA,EAAe,WAAW,GAAa,WAAW,CAAA;AAGpG,EAAA,MAAM,IAAA,GAAO,IAAI,QAAA,CAAS,SAAA,CAAU,MAAA,EAAQ,SAAA,CAAU,UAAA,EAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,SAAA,CAAU,MAAM,CAAC,CAAA;AAC/F,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,YAAA,CAAa,CAAA,EAAG,KAAK,CAAA;AAG3C,EAAA,MAAM,OAAA,GAAU,MAAA,CAAO,CAAC,CAAA,IAAK,OAAO,IAAI,CAAA;AACxC,EAAA,MAAM,SAAS,QAAA,GAAW,OAAA;AAE1B,EAAA,OAAO,OAAO,MAAM,CAAA;AACrB;AAsBO,SAAS,IAAA,CACf,IAAA,EACA,UAAA,EACA,KAAA,GAAmB,WAAA,EACnB,gBAA0B,WAAA,EAC1B,WAAA,GAAwB,WAAA,EACxB,cAAA,GAA2B,WAAA,EACL;AACtB,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAC7C,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,UAAA,EAAY,WAAW,CAAA;AAEhD,EAAA,IAAI,QAAA;AAEJ,EAAA,QAAQ,KAAA;AAAO,IACd,KAAK,WAAA,EAAa;AACjB,MAAA,MAAM,GAAA,GAAM,UAAU,IAAA,CAAK,SAAA,EAAW,UAAU,EAAE,IAAA,EAAM,MAAM,CAAA;AAC9D,MAAA,QAAA,GAAW,IAAI,iBAAA,EAAkB;AACjC,MAAA;AAAA,IACD;AAAA,IACA,KAAK,MAAA,EAAQ;AACZ,MAAA,MAAM,GAAA,GAAM,KAAK,IAAA,CAAK,SAAA,EAAW,UAAU,EAAE,IAAA,EAAM,MAAM,CAAA;AACzD,MAAA,QAAA,GAAW,IAAI,iBAAA,EAAkB;AACjC,MAAA;AAAA,IACD;AAAA,IACA,KAAK,SAAA,EAAW;AACf,MAAA,QAAA,GAAW,OAAA,CAAQ,IAAA,CAAK,SAAA,EAAW,QAAQ,CAAA;AAC3C,MAAA;AAAA,IACD;AAAA,IACA;AACC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,CAAA,CAAE,CAAA;AAAA;AAG/C,EAAA,OAAO,SAAA,CAAU,UAAU,cAAc,CAAA;AAC1C;AAuBO,SAAS,MAAA,CACf,IAAA,EACA,SAAA,EACA,SAAA,EACA,KAAA,GAAmB,WAAA,EACnB,aAAA,GAA0B,WAAA,EAC1B,WAAA,GAAwB,WAAA,EACxB,WAAA,GAAwB,WAAA,EACd;AACV,EAAA,IAAI;AACH,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAC7C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,SAAA,EAAW,WAAW,CAAA;AAC/C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,SAAA,EAAW,WAAW,CAAA;AAE/C,IAAA,QAAQ,KAAA;AAAO,MACd,KAAK,WAAA,EAAa;AACjB,QAAA,OAAO,SAAA,CAAU,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACtD;AAAA,MACA,KAAK,MAAA,EAAQ;AACZ,QAAA,OAAO,IAAA,CAAK,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACjD;AAAA,MACA,KAAK,SAAA,EAAW;AACf,QAAA,OAAO,OAAA,CAAQ,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACpD;AAAA,MACA;AACC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,CAAA,CAAE,CAAA;AAAA;AAC/C,EACD,CAAA,CAAA,MAAQ;AACP,IAAA,OAAO,KAAA;AAAA,EACR;AACD;AASO,SAAS,WAAA,CAAY,IAAA,GAAe,GAAA,EAAK,QAAA,GAAqB,WAAA,EAAkC;AACtG,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,IAAA,CAAK,IAAA,GAAO,CAAC,CAAA;AAChC,EAAA,MAAM,gBAAA,GAAmB,IAAI,UAAA,CAAW,KAAK,CAAA;AAC7C,EAAA,MAAA,CAAO,gBAAgB,gBAAgB,CAAA;AACvC,EAAA,OAAO,SAAA,CAAU,kBAAkB,QAAQ,CAAA;AAC5C;;;AC1Qe,SAAR,QAAA,CAA0B,GAAA,EAAe,OAAA,GAAoC,EAAC,EAAG;AAEvF,EAAA,MAAM,SAAA,GAAY;AAAA,IACjB;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,QAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,MAAA,EAAO;AAAA,QAC5D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,MAAM,SAAA,GAAY,QAAA,EAAU,gBAAgB,WAAA,EAAa,cAAA,GAAiB,WAAW,CAAA,GAAI,IAAA;AAChG,UAAA,OAAO,MAAA,CAAO,IAAA,EAAgB,SAAA,EAAkB,aAAA,EAAsB,cAAqB,CAAA;AAAA,QAC5F;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,MAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,MAAA,EAAO;AAAA,QAC5D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,UAAA,EAAY,KAAA,GAAQ,WAAA,EAAa,aAAA,GAAgB,WAAA,EAAa,WAAA,GAAc,WAAA,EAAa,cAAA,GAAiB,WAAW,CAAA,GAAI,IAAA;AACtI,UAAA,OAAO,KAAK,IAAA,EAAgB,UAAA,EAAsB,KAAA,EAAc,aAAA,EAAsB,aAAoB,cAAqB,CAAA;AAAA,QAChI;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,QAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,SAAA,EAAU;AAAA,QAC/D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,SAAA,EAAW,SAAA,EAAW,KAAA,GAAQ,WAAA,EAAa,aAAA,GAAgB,WAAA,EAAa,WAAA,GAAc,WAAA,EAAa,WAAA,GAAc,WAAW,CAAA,GAAI,IAAA;AAC7I,UAAA,MAAM,MAAA,GAAS,OAAO,IAAA,EAAgB,SAAA,EAAqB,WAAqB,KAAA,EAAc,aAAA,EAAsB,aAAoB,WAAkB,CAAA;AAC1J,UAAA,OAAO,SAAS,CAAA,GAAI,CAAA;AAAA,QACrB;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,UAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,SAAA,EAAU;AAAA,QAC/D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,IAAA,EAAM,YAAY,QAAA,EAAU,aAAA,GAAgB,WAAW,CAAA,GAAI,IAAA;AACxE,UAAA,OAAO,OAAA,CAAQ,IAAA,EAAgB,IAAA,EAAgB,SAAA,EAAkB,aAAoB,CAAA;AAAA,QACtF;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,cAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,MAAA,EAAO;AAAA,QAC5D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,GAAO,GAAA,EAAK,QAAA,GAAW,WAAW,CAAA,GAAI,IAAA;AAC7C,UAAA,OAAO,WAAA,CAAY,MAAgB,QAAe,CAAA;AAAA,QACnD;AAAA;AACD;AACD,GACD;AAEA,EAAA,OAAO;AAAA,IACN,SAAA;AAAA,IACA,SAAS,EAAC;AAAA,IACV,YAAY;AAAC,GACd;AACD","file":"plugin.js","sourcesContent":["/**\n * Cryptographic Functions for Quereus\n *\n * Idiomatic ES module exports with base64url as default encoding.\n * All functions accept and return base64url strings by default for SQL compatibility.\n */\n\nimport { sha256, sha512 } from '@noble/hashes/sha2';\nimport { blake3 } from '@noble/hashes/blake3';\nimport { concatBytes, utf8ToBytes } from '@noble/hashes/utils';\nimport { secp256k1 } from '@noble/curves/secp256k1';\nimport { p256 } from '@noble/curves/nist';\nimport { ed25519 } from '@noble/curves/ed25519';\nimport { hexToBytes, bytesToHex } from '@noble/curves/abstract/utils';\nimport { toString as uint8ArrayToString, fromString as uint8ArrayFromString } from 'uint8arrays';\n\n// Type definitions\nexport type HashAlgorithm = 'sha256' | 'sha512' | 'blake3';\nexport type CurveType = 'secp256k1' | 'p256' | 'ed25519';\nexport type Encoding = 'base64url' | 'base64' | 'hex' | 'utf8' | 'bytes';\n\n/**\n * Convert input to Uint8Array, handling various encodings\n */\nfunction toBytes(input: string | Uint8Array | null | undefined, encoding: Encoding = 'base64url'): Uint8Array {\n\tif (input === null || input === undefined) {\n\t\treturn new Uint8Array(0);\n\t}\n\n\tif (input instanceof Uint8Array) {\n\t\treturn input;\n\t}\n\n\tif (typeof input === 'string') {\n\t\tswitch (encoding) {\n\t\t\tcase 'base64url':\n\t\t\t\treturn uint8ArrayFromString(input, 'base64url');\n\t\t\tcase 'base64':\n\t\t\t\treturn uint8ArrayFromString(input, 'base64');\n\t\t\tcase 'hex':\n\t\t\t\treturn hexToBytes(input);\n\t\t\tcase 'utf8':\n\t\t\t\treturn utf8ToBytes(input);\n\t\t\tdefault:\n\t\t\t\treturn uint8ArrayFromString(input, 'base64url');\n\t\t}\n\t}\n\n\tthrow new Error('Invalid input type');\n}\n\n/**\n * Convert Uint8Array to string in specified encoding\n */\nfunction fromBytes(bytes: Uint8Array, encoding: Encoding = 'base64url'): string | Uint8Array {\n\tswitch (encoding) {\n\t\tcase 'base64url':\n\t\t\treturn uint8ArrayToString(bytes, 'base64url');\n\t\tcase 'base64':\n\t\t\treturn uint8ArrayToString(bytes, 'base64');\n\t\tcase 'hex':\n\t\t\treturn bytesToHex(bytes);\n\t\tcase 'utf8':\n\t\t\treturn uint8ArrayToString(bytes, 'utf8');\n\t\tcase 'bytes':\n\t\t\treturn bytes;\n\t\tdefault:\n\t\t\treturn uint8ArrayToString(bytes, 'base64url');\n\t}\n}\n\n/**\n * Compute hash digest of input data\n *\n * @param data - Data to hash (base64url string or Uint8Array)\n * @param algorithm - Hash algorithm (default: 'sha256')\n * @param inputEncoding - Encoding of input string (default: 'base64url')\n * @param outputEncoding - Encoding of output (default: 'base64url')\n * @returns Hash digest in specified encoding\n *\n * @example\n * ```typescript\n * // Hash UTF-8 text, output as base64url\n * const hash = digest('hello world', 'sha256', 'utf8');\n *\n * // Hash base64url data with SHA-512\n * const hash2 = digest('SGVsbG8', 'sha512');\n *\n * // Get raw bytes\n * const bytes = digest('data', 'blake3', 'utf8', 'bytes');\n * ```\n */\nexport function digest(\n\tdata: string | Uint8Array,\n\talgorithm: HashAlgorithm = 'sha256',\n\tinputEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst bytes = toBytes(data, inputEncoding);\n\n\tlet hashBytes: Uint8Array;\n\tswitch (algorithm) {\n\t\tcase 'sha256':\n\t\t\thashBytes = sha256(bytes);\n\t\t\tbreak;\n\t\tcase 'sha512':\n\t\t\thashBytes = sha512(bytes);\n\t\t\tbreak;\n\t\tcase 'blake3':\n\t\t\thashBytes = blake3(bytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported hash algorithm: ${algorithm}`);\n\t}\n\n\treturn fromBytes(hashBytes, outputEncoding);\n}\n\n/**\n * Hash data and return modulo of specified bit length\n * Useful for generating fixed-size hash values (e.g., 16-bit, 32-bit)\n *\n * @param data - Data to hash\n * @param bits - Number of bits for the result (e.g., 16 for 16-bit hash)\n * @param algorithm - Hash algorithm (default: 'sha256')\n * @param inputEncoding - Encoding of input string (default: 'base64url')\n * @returns Integer hash value modulo 2^bits\n *\n * @example\n * ```typescript\n * // Get 16-bit hash (0-65535)\n * const hash16 = hashMod('hello', 16, 'sha256', 'utf8');\n *\n * // Get 32-bit hash\n * const hash32 = hashMod('world', 32, 'sha256', 'utf8');\n * ```\n */\nexport function hashMod(\n\tdata: string | Uint8Array,\n\tbits: number,\n\talgorithm: HashAlgorithm = 'sha256',\n\tinputEncoding: Encoding = 'base64url'\n): number {\n\tif (bits <= 0 || bits > 53) {\n\t\tthrow new Error('Bits must be between 1 and 53 (JavaScript safe integer limit)');\n\t}\n\n\tconst hashBytes = toBytes(digest(data, algorithm, inputEncoding, 'base64url') as string, 'base64url');\n\n\t// Take first 8 bytes and convert to number\n\tconst view = new DataView(hashBytes.buffer, hashBytes.byteOffset, Math.min(8, hashBytes.length));\n\tconst fullHash = view.getBigUint64(0, false); // big-endian\n\n\t// Modulo by 2^bits\n\tconst modulus = BigInt(2) ** BigInt(bits);\n\tconst result = fullHash % modulus;\n\n\treturn Number(result);\n}\n\n/**\n * Sign data with a private key\n *\n * @param data - Data to sign (typically a hash)\n * @param privateKey - Private key (base64url string or Uint8Array)\n * @param curve - Elliptic curve (default: 'secp256k1')\n * @param inputEncoding - Encoding of data input (default: 'base64url')\n * @param keyEncoding - Encoding of private key (default: 'base64url')\n * @param outputEncoding - Encoding of signature output (default: 'base64url')\n * @returns Signature in specified encoding\n *\n * @example\n * ```typescript\n * // Sign a hash with secp256k1\n * const sig = sign(hashData, privateKey);\n *\n * // Sign with Ed25519\n * const sig2 = sign(hashData, privateKey, 'ed25519');\n * ```\n */\nexport function sign(\n\tdata: string | Uint8Array,\n\tprivateKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tinputEncoding: Encoding = 'base64url',\n\tkeyEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst dataBytes = toBytes(data, inputEncoding);\n\tconst keyBytes = toBytes(privateKey, keyEncoding);\n\n\tlet sigBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1': {\n\t\t\tconst sig = secp256k1.sign(dataBytes, keyBytes, { lowS: true });\n\t\t\tsigBytes = sig.toCompactRawBytes();\n\t\t\tbreak;\n\t\t}\n\t\tcase 'p256': {\n\t\t\tconst sig = p256.sign(dataBytes, keyBytes, { lowS: true });\n\t\t\tsigBytes = sig.toCompactRawBytes();\n\t\t\tbreak;\n\t\t}\n\t\tcase 'ed25519': {\n\t\t\tsigBytes = ed25519.sign(dataBytes, keyBytes);\n\t\t\tbreak;\n\t\t}\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(sigBytes, outputEncoding);\n}\n\n/**\n * Verify a signature\n *\n * @param data - Data that was signed\n * @param signature - Signature to verify\n * @param publicKey - Public key\n * @param curve - Elliptic curve (default: 'secp256k1')\n * @param inputEncoding - Encoding of data input (default: 'base64url')\n * @param sigEncoding - Encoding of signature (default: 'base64url')\n * @param keyEncoding - Encoding of public key (default: 'base64url')\n * @returns true if signature is valid, false otherwise\n *\n * @example\n * ```typescript\n * // Verify a signature\n * const isValid = verify(hashData, signature, publicKey);\n *\n * // Verify with Ed25519\n * const isValid2 = verify(hashData, signature, publicKey, 'ed25519');\n * ```\n */\nexport function verify(\n\tdata: string | Uint8Array,\n\tsignature: string | Uint8Array,\n\tpublicKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tinputEncoding: Encoding = 'base64url',\n\tsigEncoding: Encoding = 'base64url',\n\tkeyEncoding: Encoding = 'base64url'\n): boolean {\n\ttry {\n\t\tconst dataBytes = toBytes(data, inputEncoding);\n\t\tconst sigBytes = toBytes(signature, sigEncoding);\n\t\tconst keyBytes = toBytes(publicKey, keyEncoding);\n\n\t\tswitch (curve) {\n\t\t\tcase 'secp256k1': {\n\t\t\t\treturn secp256k1.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tcase 'p256': {\n\t\t\t\treturn p256.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tcase 'ed25519': {\n\t\t\t\treturn ed25519.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tdefault:\n\t\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t\t}\n\t} catch {\n\t\treturn false;\n\t}\n}\n\n/**\n * Generate cryptographically secure random bytes\n *\n * @param bits - Number of bits to generate (default: 256)\n * @param encoding - Output encoding (default: 'base64url')\n * @returns Random bytes in the specified encoding\n */\nexport function randomBytes(bits: number = 256, encoding: Encoding = 'base64url'): string | Uint8Array {\n\tconst bytes = Math.ceil(bits / 8);\n\tconst randomBytesArray = new Uint8Array(bytes);\n\tcrypto.getRandomValues(randomBytesArray);\n\treturn fromBytes(randomBytesArray, encoding);\n}\n\n/**\n * Generate a random private key\n */\nexport function generatePrivateKey(curve: CurveType = 'secp256k1', encoding: Encoding = 'base64url'): string | Uint8Array {\n\tlet keyBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1':\n\t\t\tkeyBytes = secp256k1.utils.randomPrivateKey();\n\t\t\tbreak;\n\t\tcase 'p256':\n\t\t\tkeyBytes = p256.utils.randomPrivateKey();\n\t\t\tbreak;\n\t\tcase 'ed25519':\n\t\t\tkeyBytes = ed25519.utils.randomPrivateKey();\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(keyBytes, encoding);\n}\n\n/**\n * Get public key from private key\n */\nexport function getPublicKey(\n\tprivateKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tkeyEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst keyBytes = toBytes(privateKey, keyEncoding);\n\n\tlet pubBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1':\n\t\t\tpubBytes = secp256k1.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tcase 'p256':\n\t\t\tpubBytes = p256.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tcase 'ed25519':\n\t\t\tpubBytes = ed25519.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(pubBytes, outputEncoding);\n}\n\n","/**\n * Quereus Plugin Entry Point for Crypto Functions\n *\n * This module provides the plugin registration following Quereus 0.4.5 format.\n * All metadata is in package.json - no manifest export needed.\n */\n\nimport type { Database, FunctionFlags, SqlValue } from '@quereus/quereus';\nimport { digest, sign, verify, hashMod, randomBytes } from './crypto.js';\n\n/**\n * Plugin registration function\n * This is called by Quereus when the plugin is loaded\n */\nexport default function register(_db: Database, _config: Record<string, SqlValue> = {}) {\n\t// Register crypto functions with Quereus\n\tconst functions = [\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'digest',\n\t\t\t\tnumArgs: -1, // Variable arguments: data, algorithm?, inputEncoding?, outputEncoding?\n\t\t\t\tflags: 1 as FunctionFlags, // UTF8\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [data, algorithm = 'sha256', inputEncoding = 'base64url', outputEncoding = 'base64url'] = args;\n\t\t\t\t\treturn digest(data as string, algorithm as any, inputEncoding as any, outputEncoding as any);\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'sign',\n\t\t\t\tnumArgs: -1, // Variable arguments: data, privateKey, curve?, inputEncoding?, keyEncoding?, outputEncoding?\n\t\t\t\tflags: 1 as FunctionFlags,\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [data, privateKey, curve = 'secp256k1', inputEncoding = 'base64url', keyEncoding = 'base64url', outputEncoding = 'base64url'] = args;\n\t\t\t\t\treturn sign(data as string, privateKey as string, curve as any, inputEncoding as any, keyEncoding as any, outputEncoding as any);\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'verify',\n\t\t\t\tnumArgs: -1, // Variable arguments: data, signature, publicKey, curve?, inputEncoding?, sigEncoding?, keyEncoding?\n\t\t\t\tflags: 1 as FunctionFlags,\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'INTEGER' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [data, signature, publicKey, curve = 'secp256k1', inputEncoding = 'base64url', sigEncoding = 'base64url', keyEncoding = 'base64url'] = args;\n\t\t\t\t\tconst result = verify(data as string, signature as string, publicKey as string, curve as any, inputEncoding as any, sigEncoding as any, keyEncoding as any);\n\t\t\t\t\treturn result ? 1 : 0;\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'hash_mod',\n\t\t\t\tnumArgs: -1, // Variable arguments: data, bits, algorithm?, inputEncoding?\n\t\t\t\tflags: 1 as FunctionFlags,\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'INTEGER' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [data, bits, algorithm = 'sha256', inputEncoding = 'base64url'] = args;\n\t\t\t\t\treturn hashMod(data as string, bits as number, algorithm as any, inputEncoding as any);\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'random_bytes',\n\t\t\t\tnumArgs: -1, // Variable arguments: bits?, encoding?\n\t\t\t\tflags: 1 as FunctionFlags,\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [bits = 256, encoding = 'base64url'] = args;\n\t\t\t\t\treturn randomBytes(bits as number, encoding as any);\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t];\n\n\treturn {\n\t\tfunctions,\n\t\tvtables: [],\n\t\tcollations: [],\n\t};\n}\n\n"]}
+{"version":3,"sources":["../src/crypto.ts","../src/plugin.ts"],"names":["uint8ArrayFromString","uint8ArrayToString"],"mappings":";;;;;;;;;;;AAwBA,SAAS,OAAA,CAAQ,KAAA,EAA+C,QAAA,GAAqB,WAAA,EAAyB;AAC7G,EAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW;AAC1C,IAAA,OAAO,IAAI,WAAW,CAAC,CAAA;AAAA,EACxB;AAEA,EAAA,IAAI,iBAAiB,UAAA,EAAY;AAChC,IAAA,OAAO,KAAA;AAAA,EACR;AAEA,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,IAAA,QAAQ,QAAA;AAAU,MACjB,KAAK,WAAA;AACJ,QAAA,OAAOA,UAAA,CAAqB,OAAO,WAAW,CAAA;AAAA,MAC/C,KAAK,QAAA;AACJ,QAAA,OAAOA,UAAA,CAAqB,OAAO,QAAQ,CAAA;AAAA,MAC5C,KAAK,KAAA;AACJ,QAAA,OAAO,WAAW,KAAK,CAAA;AAAA,MACxB,KAAK,MAAA;AACJ,QAAA,OAAO,YAAY,KAAK,CAAA;AAAA,MACzB;AACC,QAAA,OAAOA,UAAA,CAAqB,OAAO,WAAW,CAAA;AAAA;AAChD,EACD;AAEA,EAAA,MAAM,IAAI,MAAM,oBAAoB,CAAA;AACrC;AAKA,SAAS,SAAA,CAAU,KAAA,EAAmB,QAAA,GAAqB,WAAA,EAAkC;AAC5F,EAAA,QAAQ,QAAA;AAAU,IACjB,KAAK,WAAA;AACJ,MAAA,OAAOC,QAAA,CAAmB,OAAO,WAAW,CAAA;AAAA,IAC7C,KAAK,QAAA;AACJ,MAAA,OAAOA,QAAA,CAAmB,OAAO,QAAQ,CAAA;AAAA,IAC1C,KAAK,KAAA;AACJ,MAAA,OAAO,WAAW,KAAK,CAAA;AAAA,IACxB,KAAK,MAAA;AACJ,MAAA,OAAOA,QAAA,CAAmB,OAAO,MAAM,CAAA;AAAA,IACxC,KAAK,OAAA;AACJ,MAAA,OAAO,KAAA;AAAA,IACR;AACC,MAAA,OAAOA,QAAA,CAAmB,OAAO,WAAW,CAAA;AAAA;AAE/C;AAuBO,SAAS,OACf,IAAA,EACA,SAAA,GAA2B,UAC3B,aAAA,GAA0B,WAAA,EAC1B,iBAA2B,WAAA,EACL;AACtB,EAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAEzC,EAAA,IAAI,SAAA;AACJ,EAAA,QAAQ,SAAA;AAAW,IAClB,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD;AACC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,4BAAA,EAA+B,SAAS,CAAA,CAAE,CAAA;AAAA;AAG5D,EAAA,OAAO,SAAA,CAAU,WAAW,cAAc,CAAA;AAC3C;AAqBO,SAAS,QACf,IAAA,EACA,IAAA,EACA,SAAA,GAA2B,QAAA,EAC3B,gBAA0B,WAAA,EACjB;AACT,EAAA,IAAI,IAAA,IAAQ,CAAA,IAAK,IAAA,GAAO,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,+DAA+D,CAAA;AAAA,EAChF;AAEA,EAAA,MAAM,SAAA,GAAY,QAAQ,MAAA,CAAO,IAAA,EAAM,WAAW,aAAA,EAAe,WAAW,GAAa,WAAW,CAAA;AAGpG,EAAA,MAAM,IAAA,GAAO,IAAI,QAAA,CAAS,SAAA,CAAU,MAAA,EAAQ,SAAA,CAAU,UAAA,EAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,SAAA,CAAU,MAAM,CAAC,CAAA;AAC/F,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,YAAA,CAAa,CAAA,EAAG,KAAK,CAAA;AAG3C,EAAA,MAAM,OAAA,GAAU,MAAA,CAAO,CAAC,CAAA,IAAK,OAAO,IAAI,CAAA;AACxC,EAAA,MAAM,SAAS,QAAA,GAAW,OAAA;AAE1B,EAAA,OAAO,OAAO,MAAM,CAAA;AACrB;AAsBO,SAAS,IAAA,CACf,IAAA,EACA,UAAA,EACA,KAAA,GAAmB,WAAA,EACnB,gBAA0B,WAAA,EAC1B,WAAA,GAAwB,WAAA,EACxB,cAAA,GAA2B,WAAA,EACL;AACtB,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAC7C,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,UAAA,EAAY,WAAW,CAAA;AAEhD,EAAA,IAAI,QAAA;AAEJ,EAAA,QAAQ,KAAA;AAAO,IACd,KAAK,WAAA;AACJ,MAAA,QAAA,GAAW,UAAU,IAAA,CAAK,SAAA,EAAW,UAAU,EAAE,IAAA,EAAM,MAAM,CAAA;AAC7D,MAAA;AAAA,IACD,KAAK,MAAA;AACJ,MAAA,QAAA,GAAW,KAAK,IAAA,CAAK,SAAA,EAAW,UAAU,EAAE,IAAA,EAAM,MAAM,CAAA;AACxD,MAAA;AAAA,IACD,KAAK,SAAA;AACJ,MAAA,QAAA,GAAW,OAAA,CAAQ,IAAA,CAAK,SAAA,EAAW,QAAQ,CAAA;AAC3C,MAAA;AAAA,IACD;AACC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,CAAA,CAAE,CAAA;AAAA;AAG/C,EAAA,OAAO,SAAA,CAAU,UAAU,cAAc,CAAA;AAC1C;AAuBO,SAAS,MAAA,CACf,IAAA,EACA,SAAA,EACA,SAAA,EACA,KAAA,GAAmB,WAAA,EACnB,aAAA,GAA0B,WAAA,EAC1B,WAAA,GAAwB,WAAA,EACxB,WAAA,GAAwB,WAAA,EACd;AACV,EAAA,IAAI;AACH,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAC7C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,SAAA,EAAW,WAAW,CAAA;AAC/C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,SAAA,EAAW,WAAW,CAAA;AAE/C,IAAA,QAAQ,KAAA;AAAO,MACd,KAAK,WAAA,EAAa;AACjB,QAAA,OAAO,SAAA,CAAU,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACtD;AAAA,MACA,KAAK,MAAA,EAAQ;AACZ,QAAA,OAAO,IAAA,CAAK,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACjD;AAAA,MACA,KAAK,SAAA,EAAW;AACf,QAAA,OAAO,OAAA,CAAQ,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACpD;AAAA,MACA;AACC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,CAAA,CAAE,CAAA;AAAA;AAC/C,EACD,CAAA,CAAA,MAAQ;AACP,IAAA,OAAO,KAAA;AAAA,EACR;AACD;AASO,SAAS,WAAA,CAAY,IAAA,GAAe,GAAA,EAAK,QAAA,GAAqB,WAAA,EAAkC;AACtG,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,IAAA,CAAK,IAAA,GAAO,CAAC,CAAA;AAChC,EAAA,MAAM,gBAAA,GAAmB,IAAI,UAAA,CAAW,KAAK,CAAA;AAC7C,EAAA,MAAA,CAAO,gBAAgB,gBAAgB,CAAA;AACvC,EAAA,OAAO,SAAA,CAAU,kBAAkB,QAAQ,CAAA;AAC5C;;;ACvQA,IAAM,mBAAA,GAAsB,aAAA,CAAc,IAAA,GAAO,aAAA,CAAc,aAAA;AAE/D,IAAM,0BAA0B,aAAA,CAAc,IAAA;AAM/B,SAAR,QAAA,CAA0B,GAAA,EAAe,OAAA,GAAoC,EAAC,EAAG;AAEvF,EAAA,MAAM,SAAA,GAAY;AAAA,IACjB;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,QAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,mBAAA;AAAA;AAAA,QACP,YAAY,EAAE,SAAA,EAAW,UAAmB,WAAA,EAAa,SAAA,EAAW,UAAU,KAAA,EAAM;AAAA,QACpF,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,MAAM,SAAA,GAAY,QAAA,EAAU,gBAAgB,WAAA,EAAa,cAAA,GAAiB,WAAW,CAAA,GAAI,IAAA;AAChG,UAAA,OAAO,MAAA,CAAO,IAAA,EAAgB,SAAA,EAAkB,aAAA,EAAsB,cAAqB,CAAA;AAAA,QAC5F;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,MAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,mBAAA;AAAA;AAAA,QACP,YAAY,EAAE,SAAA,EAAW,UAAmB,WAAA,EAAa,SAAA,EAAW,UAAU,KAAA,EAAM;AAAA,QACpF,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,UAAA,EAAY,KAAA,GAAQ,WAAA,EAAa,aAAA,GAAgB,WAAA,EAAa,WAAA,GAAc,WAAA,EAAa,cAAA,GAAiB,WAAW,CAAA,GAAI,IAAA;AACtI,UAAA,OAAO,KAAK,IAAA,EAAgB,UAAA,EAAsB,KAAA,EAAc,aAAA,EAAsB,aAAoB,cAAqB,CAAA;AAAA,QAChI;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,QAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,mBAAA;AAAA;AAAA,QACP,YAAY,EAAE,SAAA,EAAW,UAAmB,WAAA,EAAa,YAAA,EAAc,UAAU,KAAA,EAAM;AAAA,QACvF,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,SAAA,EAAW,SAAA,EAAW,KAAA,GAAQ,WAAA,EAAa,aAAA,GAAgB,WAAA,EAAa,WAAA,GAAc,WAAA,EAAa,WAAA,GAAc,WAAW,CAAA,GAAI,IAAA;AAC7I,UAAA,MAAM,MAAA,GAAS,OAAO,IAAA,EAAgB,SAAA,EAAqB,WAAqB,KAAA,EAAc,aAAA,EAAsB,aAAoB,WAAkB,CAAA;AAC1J,UAAA,OAAO,MAAA;AAAA,QACR;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,UAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,mBAAA;AAAA;AAAA,QACP,YAAY,EAAE,SAAA,EAAW,UAAmB,WAAA,EAAa,YAAA,EAAc,UAAU,KAAA,EAAM;AAAA,QACvF,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,IAAA,EAAM,YAAY,QAAA,EAAU,aAAA,GAAgB,WAAW,CAAA,GAAI,IAAA;AACxE,UAAA,OAAO,OAAA,CAAQ,IAAA,EAAgB,IAAA,EAAgB,SAAA,EAAkB,aAAoB,CAAA;AAAA,QACtF;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,cAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,uBAAA;AAAA;AAAA,QACP,YAAY,EAAE,SAAA,EAAW,UAAmB,WAAA,EAAa,SAAA,EAAW,UAAU,KAAA,EAAM;AAAA,QACpF,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,GAAO,GAAA,EAAK,QAAA,GAAW,WAAW,CAAA,GAAI,IAAA;AAC7C,UAAA,OAAO,WAAA,CAAY,MAAgB,QAAe,CAAA;AAAA,QACnD;AAAA;AACD;AACD,GACD;AAEA,EAAA,OAAO;AAAA,IACN,SAAA;AAAA,IACA,SAAS,EAAC;AAAA,IACV,YAAY;AAAC,GACd;AACD","file":"plugin.js","sourcesContent":["/**\n * Cryptographic Functions for Quereus\n *\n * Idiomatic ES module exports with base64url as default encoding.\n * All functions accept and return base64url strings by default for SQL compatibility.\n */\n\nimport { sha256, sha512 } from '@noble/hashes/sha2.js';\nimport { blake3 } from '@noble/hashes/blake3.js';\nimport { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';\nimport { secp256k1 } from '@noble/curves/secp256k1.js';\nimport { p256 } from '@noble/curves/nist.js';\nimport { ed25519 } from '@noble/curves/ed25519.js';\nimport { hexToBytes, bytesToHex } from '@noble/curves/utils.js';\nimport { toString as uint8ArrayToString, fromString as uint8ArrayFromString } from 'uint8arrays';\n\n// Type definitions\nexport type HashAlgorithm = 'sha256' | 'sha512' | 'blake3';\nexport type CurveType = 'secp256k1' | 'p256' | 'ed25519';\nexport type Encoding = 'base64url' | 'base64' | 'hex' | 'utf8' | 'bytes';\n\n/**\n * Convert input to Uint8Array, handling various encodings\n */\nfunction toBytes(input: string | Uint8Array | null | undefined, encoding: Encoding = 'base64url'): Uint8Array {\n\tif (input === null || input === undefined) {\n\t\treturn new Uint8Array(0);\n\t}\n\n\tif (input instanceof Uint8Array) {\n\t\treturn input;\n\t}\n\n\tif (typeof input === 'string') {\n\t\tswitch (encoding) {\n\t\t\tcase 'base64url':\n\t\t\t\treturn uint8ArrayFromString(input, 'base64url');\n\t\t\tcase 'base64':\n\t\t\t\treturn uint8ArrayFromString(input, 'base64');\n\t\t\tcase 'hex':\n\t\t\t\treturn hexToBytes(input);\n\t\t\tcase 'utf8':\n\t\t\t\treturn utf8ToBytes(input);\n\t\t\tdefault:\n\t\t\t\treturn uint8ArrayFromString(input, 'base64url');\n\t\t}\n\t}\n\n\tthrow new Error('Invalid input type');\n}\n\n/**\n * Convert Uint8Array to string in specified encoding\n */\nfunction fromBytes(bytes: Uint8Array, encoding: Encoding = 'base64url'): string | Uint8Array {\n\tswitch (encoding) {\n\t\tcase 'base64url':\n\t\t\treturn uint8ArrayToString(bytes, 'base64url');\n\t\tcase 'base64':\n\t\t\treturn uint8ArrayToString(bytes, 'base64');\n\t\tcase 'hex':\n\t\t\treturn bytesToHex(bytes);\n\t\tcase 'utf8':\n\t\t\treturn uint8ArrayToString(bytes, 'utf8');\n\t\tcase 'bytes':\n\t\t\treturn bytes;\n\t\tdefault:\n\t\t\treturn uint8ArrayToString(bytes, 'base64url');\n\t}\n}\n\n/**\n * Compute hash digest of input data\n *\n * @param data - Data to hash (base64url string or Uint8Array)\n * @param algorithm - Hash algorithm (default: 'sha256')\n * @param inputEncoding - Encoding of input string (default: 'base64url')\n * @param outputEncoding - Encoding of output (default: 'base64url')\n * @returns Hash digest in specified encoding\n *\n * @example\n * ```typescript\n * // Hash UTF-8 text, output as base64url\n * const hash = digest('hello world', 'sha256', 'utf8');\n *\n * // Hash base64url data with SHA-512\n * const hash2 = digest('SGVsbG8', 'sha512');\n *\n * // Get raw bytes\n * const bytes = digest('data', 'blake3', 'utf8', 'bytes');\n * ```\n */\nexport function digest(\n\tdata: string | Uint8Array,\n\talgorithm: HashAlgorithm = 'sha256',\n\tinputEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst bytes = toBytes(data, inputEncoding);\n\n\tlet hashBytes: Uint8Array;\n\tswitch (algorithm) {\n\t\tcase 'sha256':\n\t\t\thashBytes = sha256(bytes);\n\t\t\tbreak;\n\t\tcase 'sha512':\n\t\t\thashBytes = sha512(bytes);\n\t\t\tbreak;\n\t\tcase 'blake3':\n\t\t\thashBytes = blake3(bytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported hash algorithm: ${algorithm}`);\n\t}\n\n\treturn fromBytes(hashBytes, outputEncoding);\n}\n\n/**\n * Hash data and return modulo of specified bit length\n * Useful for generating fixed-size hash values (e.g., 16-bit, 32-bit)\n *\n * @param data - Data to hash\n * @param bits - Number of bits for the result (e.g., 16 for 16-bit hash)\n * @param algorithm - Hash algorithm (default: 'sha256')\n * @param inputEncoding - Encoding of input string (default: 'base64url')\n * @returns Integer hash value modulo 2^bits\n *\n * @example\n * ```typescript\n * // Get 16-bit hash (0-65535)\n * const hash16 = hashMod('hello', 16, 'sha256', 'utf8');\n *\n * // Get 32-bit hash\n * const hash32 = hashMod('world', 32, 'sha256', 'utf8');\n * ```\n */\nexport function hashMod(\n\tdata: string | Uint8Array,\n\tbits: number,\n\talgorithm: HashAlgorithm = 'sha256',\n\tinputEncoding: Encoding = 'base64url'\n): number {\n\tif (bits <= 0 || bits > 53) {\n\t\tthrow new Error('Bits must be between 1 and 53 (JavaScript safe integer limit)');\n\t}\n\n\tconst hashBytes = toBytes(digest(data, algorithm, inputEncoding, 'base64url') as string, 'base64url');\n\n\t// Take first 8 bytes and convert to number\n\tconst view = new DataView(hashBytes.buffer, hashBytes.byteOffset, Math.min(8, hashBytes.length));\n\tconst fullHash = view.getBigUint64(0, false); // big-endian\n\n\t// Modulo by 2^bits\n\tconst modulus = BigInt(2) ** BigInt(bits);\n\tconst result = fullHash % modulus;\n\n\treturn Number(result);\n}\n\n/**\n * Sign data with a private key\n *\n * @param data - Data to sign (typically a hash)\n * @param privateKey - Private key (base64url string or Uint8Array)\n * @param curve - Elliptic curve (default: 'secp256k1')\n * @param inputEncoding - Encoding of data input (default: 'base64url')\n * @param keyEncoding - Encoding of private key (default: 'base64url')\n * @param outputEncoding - Encoding of signature output (default: 'base64url')\n * @returns Signature in specified encoding\n *\n * @example\n * ```typescript\n * // Sign a hash with secp256k1\n * const sig = sign(hashData, privateKey);\n *\n * // Sign with Ed25519\n * const sig2 = sign(hashData, privateKey, 'ed25519');\n * ```\n */\nexport function sign(\n\tdata: string | Uint8Array,\n\tprivateKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tinputEncoding: Encoding = 'base64url',\n\tkeyEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst dataBytes = toBytes(data, inputEncoding);\n\tconst keyBytes = toBytes(privateKey, keyEncoding);\n\n\tlet sigBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1':\n\t\t\tsigBytes = secp256k1.sign(dataBytes, keyBytes, { lowS: true });\n\t\t\tbreak;\n\t\tcase 'p256':\n\t\t\tsigBytes = p256.sign(dataBytes, keyBytes, { lowS: true });\n\t\t\tbreak;\n\t\tcase 'ed25519':\n\t\t\tsigBytes = ed25519.sign(dataBytes, keyBytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(sigBytes, outputEncoding);\n}\n\n/**\n * Verify a signature\n *\n * @param data - Data that was signed\n * @param signature - Signature to verify\n * @param publicKey - Public key\n * @param curve - Elliptic curve (default: 'secp256k1')\n * @param inputEncoding - Encoding of data input (default: 'base64url')\n * @param sigEncoding - Encoding of signature (default: 'base64url')\n * @param keyEncoding - Encoding of public key (default: 'base64url')\n * @returns true if signature is valid, false otherwise\n *\n * @example\n * ```typescript\n * // Verify a signature\n * const isValid = verify(hashData, signature, publicKey);\n *\n * // Verify with Ed25519\n * const isValid2 = verify(hashData, signature, publicKey, 'ed25519');\n * ```\n */\nexport function verify(\n\tdata: string | Uint8Array,\n\tsignature: string | Uint8Array,\n\tpublicKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tinputEncoding: Encoding = 'base64url',\n\tsigEncoding: Encoding = 'base64url',\n\tkeyEncoding: Encoding = 'base64url'\n): boolean {\n\ttry {\n\t\tconst dataBytes = toBytes(data, inputEncoding);\n\t\tconst sigBytes = toBytes(signature, sigEncoding);\n\t\tconst keyBytes = toBytes(publicKey, keyEncoding);\n\n\t\tswitch (curve) {\n\t\t\tcase 'secp256k1': {\n\t\t\t\treturn secp256k1.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tcase 'p256': {\n\t\t\t\treturn p256.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tcase 'ed25519': {\n\t\t\t\treturn ed25519.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tdefault:\n\t\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t\t}\n\t} catch {\n\t\treturn false;\n\t}\n}\n\n/**\n * Generate cryptographically secure random bytes\n *\n * @param bits - Number of bits to generate (default: 256)\n * @param encoding - Output encoding (default: 'base64url')\n * @returns Random bytes in the specified encoding\n */\nexport function randomBytes(bits: number = 256, encoding: Encoding = 'base64url'): string | Uint8Array {\n\tconst bytes = Math.ceil(bits / 8);\n\tconst randomBytesArray = new Uint8Array(bytes);\n\tcrypto.getRandomValues(randomBytesArray);\n\treturn fromBytes(randomBytesArray, encoding);\n}\n\n/**\n * Generate a random private key\n */\nexport function generatePrivateKey(curve: CurveType = 'secp256k1', encoding: Encoding = 'base64url'): string | Uint8Array {\n\tlet keyBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1':\n\t\t\tkeyBytes = secp256k1.utils.randomSecretKey();\n\t\t\tbreak;\n\t\tcase 'p256':\n\t\t\tkeyBytes = p256.utils.randomSecretKey();\n\t\t\tbreak;\n\t\tcase 'ed25519':\n\t\t\tkeyBytes = ed25519.utils.randomSecretKey();\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(keyBytes, encoding);\n}\n\n/**\n * Get public key from private key\n */\nexport function getPublicKey(\n\tprivateKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tkeyEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst keyBytes = toBytes(privateKey, keyEncoding);\n\n\tlet pubBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1':\n\t\t\tpubBytes = secp256k1.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tcase 'p256':\n\t\t\tpubBytes = p256.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tcase 'ed25519':\n\t\t\tpubBytes = ed25519.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(pubBytes, outputEncoding);\n}\n\n","/**\r\n * Quereus Plugin Entry Point for Crypto Functions\r\n *\r\n * This module provides the plugin registration following Quereus 0.4.5 format.\r\n * All metadata is in package.json - no manifest export needed.\r\n */\r\n\r\nimport type { Database, SqlValue } from '@quereus/quereus';\r\nimport { FunctionFlags, TEXT_TYPE, INTEGER_TYPE, BOOLEAN_TYPE } from '@quereus/quereus';\r\nimport { digest, sign, verify, hashMod, randomBytes } from './crypto.js';\r\n\r\n// Flags for deterministic functions (UTF8 + DETERMINISTIC)\r\nconst DETERMINISTIC_FLAGS = FunctionFlags.UTF8 | FunctionFlags.DETERMINISTIC;\r\n// Flags for non-deterministic functions (UTF8 only)\r\nconst NON_DETERMINISTIC_FLAGS = FunctionFlags.UTF8;\r\n\r\n/**\r\n * Plugin registration function\r\n * This is called by Quereus when the plugin is loaded\r\n */\r\nexport default function register(_db: Database, _config: Record<string, SqlValue> = {}) {\r\n\t// Register crypto functions with Quereus\r\n\tconst functions = [\r\n\t\t{\r\n\t\t\tschema: {\r\n\t\t\t\tname: 'digest',\r\n\t\t\t\tnumArgs: -1, // Variable arguments: data, algorithm?, inputEncoding?, outputEncoding?\r\n\t\t\t\tflags: DETERMINISTIC_FLAGS, // digest is deterministic\r\n\t\t\t\treturnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },\r\n\t\t\t\timplementation: (...args: SqlValue[]) => {\r\n\t\t\t\t\tconst [data, algorithm = 'sha256', inputEncoding = 'base64url', outputEncoding = 'base64url'] = args;\r\n\t\t\t\t\treturn digest(data as string, algorithm as any, inputEncoding as any, outputEncoding as any);\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t},\r\n\t\t{\r\n\t\t\tschema: {\r\n\t\t\t\tname: 'sign',\r\n\t\t\t\tnumArgs: -1, // Variable arguments: data, privateKey, curve?, inputEncoding?, keyEncoding?, outputEncoding?\r\n\t\t\t\tflags: DETERMINISTIC_FLAGS, // sign is deterministic (same key + data = same signature)\r\n\t\t\t\treturnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },\r\n\t\t\t\timplementation: (...args: SqlValue[]) => {\r\n\t\t\t\t\tconst [data, privateKey, curve = 'secp256k1', inputEncoding = 'base64url', keyEncoding = 'base64url', outputEncoding = 'base64url'] = args;\r\n\t\t\t\t\treturn sign(data as string, privateKey as string, curve as any, inputEncoding as any, keyEncoding as any, outputEncoding as any);\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t},\r\n\t\t{\r\n\t\t\tschema: {\r\n\t\t\t\tname: 'verify',\r\n\t\t\t\tnumArgs: -1, // Variable arguments: data, signature, publicKey, curve?, inputEncoding?, sigEncoding?, keyEncoding?\r\n\t\t\t\tflags: DETERMINISTIC_FLAGS, // verify is deterministic\r\n\t\t\t\treturnType: { typeClass: 'scalar' as const, logicalType: BOOLEAN_TYPE, nullable: false },\r\n\t\t\t\timplementation: (...args: SqlValue[]) => {\r\n\t\t\t\t\tconst [data, signature, publicKey, curve = 'secp256k1', inputEncoding = 'base64url', sigEncoding = 'base64url', keyEncoding = 'base64url'] = args;\r\n\t\t\t\t\tconst result = verify(data as string, signature as string, publicKey as string, curve as any, inputEncoding as any, sigEncoding as any, keyEncoding as any);\r\n\t\t\t\t\treturn result;\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t},\r\n\t\t{\r\n\t\t\tschema: {\r\n\t\t\t\tname: 'hash_mod',\r\n\t\t\t\tnumArgs: -1, // Variable arguments: data, bits, algorithm?, inputEncoding?\r\n\t\t\t\tflags: DETERMINISTIC_FLAGS, // hash_mod is deterministic\r\n\t\t\t\treturnType: { typeClass: 'scalar' as const, logicalType: INTEGER_TYPE, nullable: false },\r\n\t\t\t\timplementation: (...args: SqlValue[]) => {\r\n\t\t\t\t\tconst [data, bits, algorithm = 'sha256', inputEncoding = 'base64url'] = args;\r\n\t\t\t\t\treturn hashMod(data as string, bits as number, algorithm as any, inputEncoding as any);\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t},\r\n\t\t{\r\n\t\t\tschema: {\r\n\t\t\t\tname: 'random_bytes',\r\n\t\t\t\tnumArgs: -1, // Variable arguments: bits?, encoding?\r\n\t\t\t\tflags: NON_DETERMINISTIC_FLAGS, // random_bytes is NOT deterministic\r\n\t\t\t\treturnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },\r\n\t\t\t\timplementation: (...args: SqlValue[]) => {\r\n\t\t\t\t\tconst [bits = 256, encoding = 'base64url'] = args;\r\n\t\t\t\t\treturn randomBytes(bits as number, encoding as any);\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t},\r\n\t];\r\n\r\n\treturn {\r\n\t\tfunctions,\r\n\t\tvtables: [],\r\n\t\tcollations: [],\r\n\t};\r\n}\r\n\r\n"]}

package/package.json

@@ -1,71 +1,83 @@
 {
-	"name": "@optimystic/quereus-plugin-crypto",
-	"version": "0.2.0",
-	"description": "Quereus plugin providing cryptographic functions (digest, sign, verify)",
-	"type": "module",
-	"main": "dist/index.js",
-	"types": "dist/index.d.ts",
-	"exports": {
-		".": {
-			"import": "./dist/index.js",
-			"types": "./dist/index.d.ts"
-		},
-		"./plugin": {
-			"import": "./dist/plugin.js",
-			"types": "./dist/plugin.d.ts"
-		}
-	},
-	"files": [
-		"dist",
-		"src",
-		"README.md"
-	],
-	"scripts": {
-		"build": "tsup",
-		"dev": "tsup --watch",
-		"clean": "rm -rf dist",
-		"typecheck": "tsc --noEmit"
-	},
-	"devDependencies": {
-		"@quereus/quereus": "^0.4.5",
-		"@types/node": "^24.0.12",
-		"aegir": "^47.0.20",
-		"tsup": "^8.5.0",
-		"typescript": "^5.8.3"
-	},
-	"dependencies": {
-		"@noble/curves": "^1.9.6",
-		"@noble/hashes": "^1.8.0",
-		"uint8arrays": "^5.1.0"
-	},
-	"peerDependencies": {
-		"@quereus/quereus": "^0.4.5"
-	},
-	"engines": {
-		"quereus": "^0.4.5"
-	},
-	"keywords": [
-		"quereus-plugin",
-		"quereus",
-		"crypto",
-		"cryptography",
-		"digest",
-		"hash",
-		"signature",
-		"sign",
-		"verify",
-		"secp256k1",
-		"ed25519",
-		"p256"
-	],
-	"author": "Optimystic Team",
-	"license": "MIT",
-	"quereus": {
-		"provides": {
-			"functions": ["digest", "sign", "verify", "hash_mod", "random_bytes"],
-			"vtables": [],
-			"collations": []
-		},
-		"settings": []
-	}
-}
+  "name": "@optimystic/quereus-plugin-crypto",
+  "version": "0.3.1",
+  "description": "Quereus plugin providing cryptographic functions (digest, sign, verify)",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./plugin": {
+      "import": "./dist/plugin.js",
+      "types": "./dist/plugin.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "src",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "clean": "rimraf dist",
+    "typecheck": "tsc --noEmit"
+  },
+  "devDependencies": {
+    "@quereus/quereus": "^0.16.2",
+    "@types/node": "^25.2.0",
+    "aegir": "^47.0.26",
+    "rimraf": "^6.1.2",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  },
+  "dependencies": {
+    "@noble/curves": "^2.0.1",
+    "@noble/hashes": "^2.0.1",
+    "uint8arrays": "^5.1.0"
+  },
+  "peerDependencies": {
+    "@quereus/quereus": "^0.16.2"
+  },
+  "engines": {
+    "quereus": "^0.16.2"
+  },
+  "keywords": [
+    "quereus-plugin",
+    "quereus",
+    "crypto",
+    "cryptography",
+    "digest",
+    "hash",
+    "signature",
+    "sign",
+    "verify",
+    "secp256k1",
+    "ed25519",
+    "p256"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/gotchoices/optimystic.git",
+    "directory": "packages/quereus-plugin-crypto"
+  },
+  "author": "Got Choices Foundation",
+  "license": "MIT",
+  "quereus": {
+    "provides": {
+      "functions": [
+        "digest",
+        "sign",
+        "verify",
+        "hash_mod",
+        "random_bytes"
+      ],
+      "vtables": [],
+      "collations": []
+    },
+    "settings": []
+  }
+}

package/src/crypto.ts

@@ -5,13 +5,13 @@
  * All functions accept and return base64url strings by default for SQL compatibility.
  */
 
-import { sha256, sha512 } from '@noble/hashes/sha2';
-import { blake3 } from '@noble/hashes/blake3';
-import { concatBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { secp256k1 } from '@noble/curves/secp256k1';
-import { p256 } from '@noble/curves/nist';
-import { ed25519 } from '@noble/curves/ed25519';
-import { hexToBytes, bytesToHex } from '@noble/curves/abstract/utils';
+import { sha256, sha512 } from '@noble/hashes/sha2.js';
+import { blake3 } from '@noble/hashes/blake3.js';
+import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+import { p256 } from '@noble/curves/nist.js';
+import { ed25519 } from '@noble/curves/ed25519.js';
+import { hexToBytes, bytesToHex } from '@noble/curves/utils.js';
 import { toString as uint8ArrayToString, fromString as uint8ArrayFromString } from 'uint8arrays';
 
 // Type definitions
@@ -192,20 +192,15 @@ export function sign(
 	let sigBytes: Uint8Array;
 
 	switch (curve) {
-		case 'secp256k1': {
-			const sig = secp256k1.sign(dataBytes, keyBytes, { lowS: true });
-			sigBytes = sig.toCompactRawBytes();
+		case 'secp256k1':
+			sigBytes = secp256k1.sign(dataBytes, keyBytes, { lowS: true });
 			break;
-		}
-		case 'p256': {
-			const sig = p256.sign(dataBytes, keyBytes, { lowS: true });
-			sigBytes = sig.toCompactRawBytes();
+		case 'p256':
+			sigBytes = p256.sign(dataBytes, keyBytes, { lowS: true });
 			break;
-		}
-		case 'ed25519': {
+		case 'ed25519':
 			sigBytes = ed25519.sign(dataBytes, keyBytes);
 			break;
-		}
 		default:
 			throw new Error(`Unsupported curve: ${curve}`);
 	}
@@ -288,13 +283,13 @@ export function generatePrivateKey(curve: CurveType = 'secp256k1', encoding: Enc
 
 	switch (curve) {
 		case 'secp256k1':
-			keyBytes = secp256k1.utils.randomPrivateKey();
+			keyBytes = secp256k1.utils.randomSecretKey();
 			break;
 		case 'p256':
-			keyBytes = p256.utils.randomPrivateKey();
+			keyBytes = p256.utils.randomSecretKey();
 			break;
 		case 'ed25519':
-			keyBytes = ed25519.utils.randomPrivateKey();
+			keyBytes = ed25519.utils.randomSecretKey();
 			break;
 		default:
 			throw new Error(`Unsupported curve: ${curve}`);

package/src/digest.ts

@@ -6,10 +6,10 @@
  * Compatible with React Native and all JS environments.
  */
 
-import { sha256 } from '@noble/hashes/sha2';
-import { sha512 } from '@noble/hashes/sha2';
-import { blake3 } from '@noble/hashes/blake3';
-import { concatBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { sha512 } from '@noble/hashes/sha2.js';
+import { blake3 } from '@noble/hashes/blake3.js';
+import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
 
 /**
  * Hash algorithm options

package/src/plugin.ts

@@ -1,87 +1,93 @@
-/**
- * Quereus Plugin Entry Point for Crypto Functions
- *
- * This module provides the plugin registration following Quereus 0.4.5 format.
- * All metadata is in package.json - no manifest export needed.
- */
-
-import type { Database, FunctionFlags, SqlValue } from '@quereus/quereus';
-import { digest, sign, verify, hashMod, randomBytes } from './crypto.js';
-
-/**
- * Plugin registration function
- * This is called by Quereus when the plugin is loaded
- */
-export default function register(_db: Database, _config: Record<string, SqlValue> = {}) {
-	// Register crypto functions with Quereus
-	const functions = [
-		{
-			schema: {
-				name: 'digest',
-				numArgs: -1, // Variable arguments: data, algorithm?, inputEncoding?, outputEncoding?
-				flags: 1 as FunctionFlags, // UTF8
-				returnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },
-				implementation: (...args: SqlValue[]) => {
-					const [data, algorithm = 'sha256', inputEncoding = 'base64url', outputEncoding = 'base64url'] = args;
-					return digest(data as string, algorithm as any, inputEncoding as any, outputEncoding as any);
-				},
-			},
-		},
-		{
-			schema: {
-				name: 'sign',
-				numArgs: -1, // Variable arguments: data, privateKey, curve?, inputEncoding?, keyEncoding?, outputEncoding?
-				flags: 1 as FunctionFlags,
-				returnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },
-				implementation: (...args: SqlValue[]) => {
-					const [data, privateKey, curve = 'secp256k1', inputEncoding = 'base64url', keyEncoding = 'base64url', outputEncoding = 'base64url'] = args;
-					return sign(data as string, privateKey as string, curve as any, inputEncoding as any, keyEncoding as any, outputEncoding as any);
-				},
-			},
-		},
-		{
-			schema: {
-				name: 'verify',
-				numArgs: -1, // Variable arguments: data, signature, publicKey, curve?, inputEncoding?, sigEncoding?, keyEncoding?
-				flags: 1 as FunctionFlags,
-				returnType: { typeClass: 'scalar' as const, sqlType: 'INTEGER' },
-				implementation: (...args: SqlValue[]) => {
-					const [data, signature, publicKey, curve = 'secp256k1', inputEncoding = 'base64url', sigEncoding = 'base64url', keyEncoding = 'base64url'] = args;
-					const result = verify(data as string, signature as string, publicKey as string, curve as any, inputEncoding as any, sigEncoding as any, keyEncoding as any);
-					return result ? 1 : 0;
-				},
-			},
-		},
-		{
-			schema: {
-				name: 'hash_mod',
-				numArgs: -1, // Variable arguments: data, bits, algorithm?, inputEncoding?
-				flags: 1 as FunctionFlags,
-				returnType: { typeClass: 'scalar' as const, sqlType: 'INTEGER' },
-				implementation: (...args: SqlValue[]) => {
-					const [data, bits, algorithm = 'sha256', inputEncoding = 'base64url'] = args;
-					return hashMod(data as string, bits as number, algorithm as any, inputEncoding as any);
-				},
-			},
-		},
-		{
-			schema: {
-				name: 'random_bytes',
-				numArgs: -1, // Variable arguments: bits?, encoding?
-				flags: 1 as FunctionFlags,
-				returnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },
-				implementation: (...args: SqlValue[]) => {
-					const [bits = 256, encoding = 'base64url'] = args;
-					return randomBytes(bits as number, encoding as any);
-				},
-			},
-		},
-	];
-
-	return {
-		functions,
-		vtables: [],
-		collations: [],
-	};
-}
-
+/**
+ * Quereus Plugin Entry Point for Crypto Functions
+ *
+ * This module provides the plugin registration following Quereus 0.4.5 format.
+ * All metadata is in package.json - no manifest export needed.
+ */
+
+import type { Database, SqlValue } from '@quereus/quereus';
+import { FunctionFlags, TEXT_TYPE, INTEGER_TYPE, BOOLEAN_TYPE } from '@quereus/quereus';
+import { digest, sign, verify, hashMod, randomBytes } from './crypto.js';
+
+// Flags for deterministic functions (UTF8 + DETERMINISTIC)
+const DETERMINISTIC_FLAGS = FunctionFlags.UTF8 | FunctionFlags.DETERMINISTIC;
+// Flags for non-deterministic functions (UTF8 only)
+const NON_DETERMINISTIC_FLAGS = FunctionFlags.UTF8;
+
+/**
+ * Plugin registration function
+ * This is called by Quereus when the plugin is loaded
+ */
+export default function register(_db: Database, _config: Record<string, SqlValue> = {}) {
+	// Register crypto functions with Quereus
+	const functions = [
+		{
+			schema: {
+				name: 'digest',
+				numArgs: -1, // Variable arguments: data, algorithm?, inputEncoding?, outputEncoding?
+				flags: DETERMINISTIC_FLAGS, // digest is deterministic
+				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [data, algorithm = 'sha256', inputEncoding = 'base64url', outputEncoding = 'base64url'] = args;
+					return digest(data as string, algorithm as any, inputEncoding as any, outputEncoding as any);
+				},
+			},
+		},
+		{
+			schema: {
+				name: 'sign',
+				numArgs: -1, // Variable arguments: data, privateKey, curve?, inputEncoding?, keyEncoding?, outputEncoding?
+				flags: DETERMINISTIC_FLAGS, // sign is deterministic (same key + data = same signature)
+				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [data, privateKey, curve = 'secp256k1', inputEncoding = 'base64url', keyEncoding = 'base64url', outputEncoding = 'base64url'] = args;
+					return sign(data as string, privateKey as string, curve as any, inputEncoding as any, keyEncoding as any, outputEncoding as any);
+				},
+			},
+		},
+		{
+			schema: {
+				name: 'verify',
+				numArgs: -1, // Variable arguments: data, signature, publicKey, curve?, inputEncoding?, sigEncoding?, keyEncoding?
+				flags: DETERMINISTIC_FLAGS, // verify is deterministic
+				returnType: { typeClass: 'scalar' as const, logicalType: BOOLEAN_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [data, signature, publicKey, curve = 'secp256k1', inputEncoding = 'base64url', sigEncoding = 'base64url', keyEncoding = 'base64url'] = args;
+					const result = verify(data as string, signature as string, publicKey as string, curve as any, inputEncoding as any, sigEncoding as any, keyEncoding as any);
+					return result;
+				},
+			},
+		},
+		{
+			schema: {
+				name: 'hash_mod',
+				numArgs: -1, // Variable arguments: data, bits, algorithm?, inputEncoding?
+				flags: DETERMINISTIC_FLAGS, // hash_mod is deterministic
+				returnType: { typeClass: 'scalar' as const, logicalType: INTEGER_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [data, bits, algorithm = 'sha256', inputEncoding = 'base64url'] = args;
+					return hashMod(data as string, bits as number, algorithm as any, inputEncoding as any);
+				},
+			},
+		},
+		{
+			schema: {
+				name: 'random_bytes',
+				numArgs: -1, // Variable arguments: bits?, encoding?
+				flags: NON_DETERMINISTIC_FLAGS, // random_bytes is NOT deterministic
+				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [bits = 256, encoding = 'base64url'] = args;
+					return randomBytes(bits as number, encoding as any);
+				},
+			},
+		},
+	];
+
+	return {
+		functions,
+		vtables: [],
+		collations: [],
+	};
+}
+

package/src/sign.ts

@@ -6,10 +6,10 @@
  * Compatible with React Native and all JS environments.
  */
 
-import { secp256k1 } from '@noble/curves/secp256k1';
-import { p256 } from '@noble/curves/nist';
-import { ed25519 } from '@noble/curves/ed25519';
-import { bytesToHex, hexToBytes } from '@noble/curves/abstract/utils';
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+import { p256 } from '@noble/curves/nist.js';
+import { ed25519 } from '@noble/curves/ed25519.js';
+import { bytesToHex, hexToBytes } from '@noble/curves/utils.js';
 
 /**
  * Supported elliptic curve types
@@ -83,35 +83,25 @@ function normalizeDigest(digest: DigestInput): Uint8Array {
 }
 
 /**
- * Format signature based on requested format
+ * Format signature based on requested format.
+ * In @noble/curves v2.0.1, sign() returns Uint8Array directly.
  */
-function formatSignature(signature: any, format: SignatureFormat, curve: CurveType): Uint8Array | string {
+function formatSignature(signature: Uint8Array, format: SignatureFormat, curve: CurveType): Uint8Array | string {
   switch (format) {
     case 'uint8array':
-      if (curve === 'ed25519') {
-        return signature;
-      }
-      return signature.toCompactRawBytes();
+    case 'compact':
+      return signature;
 
     case 'hex':
-      if (curve === 'ed25519') {
-        return bytesToHex(signature);
-      }
-      return signature.toCompactHex();
-
-    case 'compact':
-      if (curve === 'ed25519') {
-        return signature;
-      }
-      return signature.toCompactRawBytes();
+      return bytesToHex(signature);
 
     case 'der':
       if (curve === 'ed25519') {
         throw new Error('DER format not supported for ed25519');
       }
-      // Note: DER encoding would require additional implementation
-      // For now, fall back to compact
-      return signature.toCompactRawBytes();
+      // DER format requires the sign() call to request it via format option
+      // For now, return compact format as fallback
+      return signature;
 
     default:
       throw new Error(`Unsupported signature format: ${format}`);
@@ -214,11 +204,11 @@ Sign.ed25519 = (digest: DigestInput, privateKey: PrivateKeyInput, options: Omit<
 Sign.generatePrivateKey = (curve: CurveType = 'secp256k1'): Uint8Array => {
   switch (curve) {
     case 'secp256k1':
-      return secp256k1.utils.randomPrivateKey();
+      return secp256k1.utils.randomSecretKey();
     case 'p256':
-      return p256.utils.randomPrivateKey();
+      return p256.utils.randomSecretKey();
     case 'ed25519':
-      return ed25519.utils.randomPrivateKey();
+      return ed25519.utils.randomSecretKey();
     default:
       throw new Error(`Unsupported curve: ${curve}`);
   }