@p47h/vault-js 0.9.0

package/dist/index.d.ts

@@ -0,0 +1,598 @@
+/**
+ * Puerto para la persistencia de datos (Storage Port).
+ * Implementado por adaptadores de infraestructura (IndexedDB, InMemory, etc).
+ */
+interface IStorage {
+    /**
+     * Guarda un blob cifrado asociado a un ID (DID).
+     */
+    save(key: string, data: EncryptedVaultBlob): Promise<void>;
+    /**
+     * Recupera un blob cifrado por su ID.
+     * Retorna null si no existe.
+     */
+    get(key: string): Promise<EncryptedVaultBlob | null>;
+    /**
+     * Elimina un blob del almacenamiento.
+     */
+    remove(key: string): Promise<void>;
+    /**
+     * Lista todos los IDs (DIDs) almacenados.
+     */
+    listKeys(): Promise<string[]>;
+    /**
+     * Limpia todo el almacenamiento (Cuidado: destructivo).
+     */
+    clear(): Promise<void>;
+}
+
+/**
+ * @fileoverview P47H Vault Domain Types
+ *
+ * Core entities and value objects for the vault system.
+ *
+ * @module domain/types
+ * @license AGPL-3.0 OR Commercial
+ */
+
+/**
+ * Configuration options for initializing the P47H Vault.
+ */
+interface VaultConfig {
+    /**
+     * Path to the WASM binary file.
+     * @default '/wasm/p47h_wasm_core_bg.wasm'
+     */
+    wasmPath?: string;
+    /**
+     * Custom storage adapter implementation.
+     * If not provided, uses IndexedDB by default.
+     */
+    storage?: IStorage;
+    /**
+     * Commercial license key (format: PAYLOAD_B64.SIGNATURE_B64).
+     * If not provided or invalid, the SDK operates in AGPLv3 "nagware" mode.
+     * Get your commercial license at: https://p47h.com/licensing
+     */
+    licenseKey?: string;
+}
+/**
+ * Public information about a loaded cryptographic identity.
+ */
+interface IdentityInfo {
+    /** Decentralized Identifier (DID) for this identity */
+    did: string;
+    /** Raw Ed25519 public key bytes (32 bytes) */
+    publicKey: Uint8Array;
+}
+/**
+ * Result of a successful registration including the recovery code.
+ */
+interface RegistrationResult {
+    /** The newly created Decentralized Identifier */
+    did: string;
+    /**
+     * Emergency recovery code - MUST be stored securely by the user.
+     * Format: RK-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX
+     * This is the ONLY way to recover the vault if the password is lost.
+     */
+    recoveryCode: string;
+}
+/**
+ * Encrypted vault blob as persisted to storage.
+ * Contains both password-encrypted and recovery-encrypted copies.
+ */
+interface EncryptedVaultBlob {
+    /** Schema version for future migrations */
+    version: number;
+    /** DID associated with this vault */
+    did: string;
+    /** Salt used for password key derivation (Base64) */
+    salt: string;
+    /** Vault data encrypted with user password (Base64) */
+    wrappedData: string;
+    /**
+     * Vault data encrypted with recovery code (Base64).
+     * Used for password recovery without server involvement.
+     * @since v1.1
+     */
+    recoveryBlob?: string;
+    /** Timestamp of last update (Unix ms) */
+    updatedAt: number;
+}
+/**
+ * Options for account recovery using the emergency recovery code.
+ */
+interface RecoveryOptions {
+    /** The recovery code provided during registration */
+    recoveryCode: string;
+    /** The new password to set */
+    newPassword: string;
+    /** Optional specific DID to recover (uses first found if omitted) */
+    did?: string;
+    /**
+     * If true, generates a new recovery code after successful recovery.
+     * Recommended for security.
+     * @default false
+     */
+    rotateRecoveryCode?: boolean;
+}
+/**
+ * Result of a successful account recovery.
+ */
+interface RecoveryResult {
+    /** The recovered identity's DID */
+    did: string;
+    /**
+     * New recovery code (only present if rotateRecoveryCode was true).
+     * If present, the old recovery code is invalidated.
+     */
+    newRecoveryCode?: string;
+}
+
+/**
+ * @fileoverview P47H Vault Interface - Core Contract
+ *
+ * This interface defines the public API for the P47H Vault.
+ * All vault implementations must conform to this contract.
+ *
+ * @module domain/IVault
+ * @license AGPL-3.0 OR Commercial
+ */
+
+/**
+ * Core interface for the P47H Vault.
+ *
+ * Defines all cryptographic and identity management operations
+ * that a vault implementation must provide.
+ */
+interface IVault {
+    /**
+     * Initializes the cryptographic environment (WASM module).
+     * Must be called before any other operation.
+     *
+     * @param config - Optional configuration object
+     * @throws {InitializationError} If WASM loading fails
+     */
+    init(config?: VaultConfig): Promise<void>;
+    /**
+     * Creates a new cryptographic identity (DID) and persists it encrypted.
+     * Generates Ed25519 keys and encrypts them with the provided password.
+     *
+     * **IMPORTANT**: The returned `recoveryCode` is the ONLY way to recover
+     * the vault if the password is lost. It must be stored securely by the user.
+     *
+     * @param password - Master password for key derivation
+     * @returns The generated DID and emergency recovery code
+     * @throws {InitializationError} If vault not initialized
+     * @throws {CryptoError} If key generation fails
+     */
+    register(password: string): Promise<RegistrationResult>;
+    /**
+     * Unlocks an existing identity with the master password.
+     * Decrypts the private keys and establishes an authenticated session.
+     *
+     * @param password - Master password
+     * @param did - Optional specific DID to unlock (uses first found if omitted)
+     * @throws {AuthenticationError} If password is wrong or identity not found
+     * @throws {VaultError} If vault data is corrupted
+     */
+    login(password: string, did?: string): Promise<IdentityInfo>;
+    /**
+     * Recovers account access using the emergency recovery code.
+     *
+     * Use this when the user has forgotten their password but has their
+     * recovery code. This will:
+     * 1. Decrypt the vault using the recovery code
+     * 2. Re-encrypt with the new password
+     * 3. Optionally generate a new recovery code
+     *
+     * @param options - Recovery options including recovery code and new password
+     * @returns Recovery result with optional new recovery code
+     * @throws {AuthenticationError} If recovery code is invalid
+     * @throws {VaultError} If recovery is not available for this identity
+     */
+    recoverAccount(options: RecoveryOptions): Promise<RecoveryResult>;
+    /**
+     * Locks the vault and clears all sensitive data from memory.
+     * Frees WASM memory, session keys, and cached secrets.
+     */
+    lock(): void;
+    /**
+     * Checks if the vault is currently unlocked.
+     *
+     * @returns True if an identity is loaded and session is active
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Gets the DID of the currently authenticated identity.
+     *
+     * @returns The current Decentralized Identifier
+     * @throws {NotAuthenticatedError} If vault is locked
+     */
+    getDid(): string;
+    /**
+     * Returns a list of DIDs (identities) that exist in local storage.
+     * Useful for UI to decide whether to show Login or Register.
+     *
+     * @returns Array of DID strings stored locally
+     * @throws {InitializationError} If vault not initialized
+     */
+    getStoredIdentities(): Promise<string[]>;
+    /**
+     * Signs data with the current identity's private key (Ed25519).
+     *
+     * @param data - Data to sign
+     * @returns 64-byte Ed25519 signature
+     * @throws {NotAuthenticatedError} If vault is locked
+     */
+    sign(data: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Saves an encrypted secret to the vault.
+     *
+     * @param key - Unique identifier for the secret
+     * @param secret - The secret value to store
+     * @throws {NotAuthenticatedError} If vault is locked
+     * @throws {VaultError} If storage operation fails
+     */
+    saveSecret(key: string, secret: string): Promise<void>;
+    /**
+     * Retrieves a decrypted secret from the vault.
+     *
+     * @param key - The secret identifier
+     * @returns The decrypted value, or null if not found
+     * @throws {NotAuthenticatedError} If vault is locked
+     */
+    getSecret(key: string): Promise<string | null>;
+    /**
+     * Checks if running with a valid commercial license.
+     * When false, the SDK operates in AGPLv3 "nagware" mode.
+     *
+     * @returns True if commercial license is active
+     */
+    isCommercialLicense(): boolean;
+    /**
+     * Gets the licensee name if commercial license is active.
+     *
+     * @returns The licensed entity name, or null if AGPLv3 mode
+     */
+    getLicensee(): string | null;
+    /**
+     * Disposes of the vault and releases all resources.
+     * After calling dispose(), the vault cannot be used again.
+     */
+    dispose(): void;
+}
+
+/**
+ * @fileoverview P47H Vault Service - Core Identity and Secret Management
+ *
+ * This is the main facade for the P47H Vault SDK. It provides a high-level,
+ * type-safe API for:
+ * - Creating and managing cryptographic identities (DIDs)
+ * - Securely storing and retrieving encrypted secrets
+ * - Emergency recovery using Recovery Codes (PUK)
+ * - Session management with automatic memory cleanup
+ *
+ * @module logic/VaultService
+ * @license AGPL-3.0 OR Commercial
+ */
+
+/**
+ * P47H Vault Service - Secure local-first identity and secret management.
+ *
+ * This service provides:
+ * - **Identity Management**: Create and restore Ed25519 cryptographic identities
+ * - **Secret Storage**: Encrypt and persist arbitrary secrets locally
+ * - **Emergency Recovery**: Recover access using Recovery Codes (like 1Password)
+ * - **Memory Safety**: Automatic cleanup of sensitive data from RAM
+ * - **Commercial Licensing**: Optional license key for proprietary use
+ *
+ * ## Security Model
+ *
+ * - All cryptographic operations are performed in WASM (Rust)
+ * - Private keys never leave WASM memory as plaintext
+ * - Session keys are derived using Argon2id (OWASP recommended)
+ * - Data is encrypted using XChaCha20-Poly1305 (AEAD)
+ * - Dual encryption: password + recovery code for emergency access
+ *
+ * @example
+ * ```typescript
+ * import { P47hVault } from '@p47h/vault-js';
+ *
+ * const vault = new P47hVault();
+ * await vault.init({ wasmPath: '/wasm/p47h_wasm_core_bg.wasm' });
+ *
+ * // Create new identity - SAVE THE RECOVERY CODE!
+ * const { did, recoveryCode } = await vault.register('my-secure-password');
+ * console.log('Created:', did);
+ * console.log('⚠️ Save this recovery code:', recoveryCode);
+ *
+ * // If password is forgotten:
+ * await vault.recoverAccount({
+ *   recoveryCode: 'RK-A1B2C3D4...',
+ *   newPassword: 'new-secure-password'
+ * });
+ * ```
+ *
+ * @implements {IVault}
+ */
+declare class VaultService implements IVault {
+    private readonly _storage;
+    private _crypto;
+    private _client;
+    private _sessionKey;
+    private _currentDid;
+    private _secretsCache;
+    private _passwordCache;
+    private _isInitialized;
+    private _isDisposed;
+    /**
+     * Creates a new VaultService instance with default adapters.
+     *
+     * @param storage - Optional custom storage adapter (defaults to IndexedDB)
+     */
+    constructor(storage?: IStorage);
+    /**
+     * Initializes the vault with WASM module and optional configuration.
+     *
+     * This method must be called before any other operations. It:
+     * 1. Loads the WASM cryptographic core
+     * 2. Verifies the commercial license (if provided)
+     * 3. Prepares the storage adapter
+     *
+     * @param config - Optional configuration object
+     * @returns Promise that resolves when initialization is complete
+     * @throws {InitializationError} If WASM loading fails
+     */
+    init(config?: VaultConfig): Promise<void>;
+    /**
+     * Checks if the vault is running with a valid commercial license.
+     *
+     * @returns True if commercial license is active, false if AGPLv3 mode
+     */
+    isCommercialLicense(): boolean;
+    /**
+     * Gets the name of the licensed entity.
+     *
+     * @returns The licensee name, or null if running in AGPLv3 mode
+     */
+    getLicensee(): string | null;
+    /**
+     * Creates a new cryptographic identity and persists it encrypted.
+     *
+     * This method:
+     * 1. Generates a new Ed25519 keypair in WASM
+     * 2. Derives a session key from the password using Argon2id
+     * 3. Generates a high-entropy Recovery Code
+     * 4. Encrypts the vault twice: once with password, once with recovery code
+     * 5. Persists both encrypted copies to storage
+     * 6. Establishes an authenticated session
+     *
+     * **CRITICAL**: The returned `recoveryCode` is the ONLY way to recover
+     * the vault if the password is lost. It must be stored securely by the user
+     * (e.g., printed and stored in a safe, password manager, etc.).
+     *
+     * @param password - Master password for key derivation (min 8 chars recommended)
+     * @returns Promise resolving to the DID and recovery code
+     * @throws {InitializationError} If vault not initialized
+     * @throws {CryptoError} If key generation fails
+     * @throws {StorageError} If persistence fails
+     *
+     * @example
+     * ```typescript
+     * const { did, recoveryCode } = await vault.register('my-secure-password');
+     * console.log('New identity:', did);
+     * console.log('⚠️ SAVE THIS CODE:', recoveryCode);
+     * // recoveryCode format: RK-A1B2C3D4-E5F6G7H8-I9J0K1L2-M3N4O5P6
+     * ```
+     */
+    register(password: string): Promise<RegistrationResult>;
+    /**
+     * Unlocks an existing identity with the master password.
+     *
+     * This method:
+     * 1. Retrieves the encrypted identity from storage
+     * 2. Decrypts and validates the vault data
+     * 3. Restores the Ed25519 keypair in WASM
+     * 4. Establishes an authenticated session
+     *
+     * @param password - Master password used during registration
+     * @param did - Optional specific DID to unlock (uses first found if omitted)
+     * @returns Promise resolving to the identity info
+     * @throws {InitializationError} If vault not initialized
+     * @throws {AuthenticationError} If password is wrong or identity not found
+     * @throws {VaultError} If vault data is corrupted
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   const identity = await vault.login('my-password');
+     *   console.log('Unlocked:', identity.did);
+     * } catch (e) {
+     *   if (e instanceof AuthenticationError) {
+     *     console.error('Wrong password - use recovery code?');
+     *   }
+     * }
+     * ```
+     */
+    login(password: string, did?: string): Promise<IdentityInfo>;
+    /**
+     * Recovers account access using the emergency recovery code.
+     *
+     * Use this when the user has forgotten their password but has their
+     * Recovery Code (Emergency Kit). This will:
+     * 1. Decrypt the vault using the recovery code
+     * 2. Re-encrypt with the new password
+     * 3. Optionally generate a new recovery code (recommended)
+     * 4. Auto-login with the new credentials
+     *
+     * @param options - Recovery options including recovery code and new password
+     * @returns Recovery result with optional new recovery code
+     * @throws {AuthenticationError} If recovery code is invalid
+     * @throws {VaultError} If recovery is not available for this identity
+     *
+     * @example
+     * ```typescript
+     * // Basic recovery
+     * const result = await vault.recoverAccount({
+     *   recoveryCode: 'RK-A1B2C3D4-E5F6G7H8-I9J0K1L2-M3N4O5P6',
+     *   newPassword: 'my-new-secure-password'
+     * });
+     *
+     * // Recovery with code rotation (recommended)
+     * const result = await vault.recoverAccount({
+     *   recoveryCode: 'RK-A1B2C3D4-...',
+     *   newPassword: 'my-new-secure-password',
+     *   rotateRecoveryCode: true
+     * });
+     * console.log('⚠️ NEW recovery code:', result.newRecoveryCode);
+     * ```
+     */
+    recoverAccount(options: RecoveryOptions): Promise<RecoveryResult>;
+    /**
+     * Locks the vault and clears all sensitive data from memory.
+     *
+     * This method:
+     * 1. Frees WASM memory holding the private key
+     * 2. Clears the session key from JavaScript heap
+     * 3. Clears the password cache
+     * 4. Clears the secrets cache
+     *
+     * Always call this when the user logs out or the app is backgrounded.
+     */
+    lock(): void;
+    /**
+     * Checks if the vault is currently unlocked with an active session.
+     *
+     * @returns True if an identity is loaded and session is active
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Gets the DID of the currently authenticated identity.
+     *
+     * @returns The current Decentralized Identifier
+     * @throws {NotAuthenticatedError} If vault is locked
+     */
+    getDid(): string;
+    /**
+     * Returns a list of DIDs (identities) that exist in local storage.
+     * Useful for UI to decide whether to show Login or Register.
+     *
+     * @returns Promise resolving to array of DID strings
+     * @throws {InitializationError} If vault not initialized
+     */
+    getStoredIdentities(): Promise<string[]>;
+    /**
+     * Signs arbitrary data with the current identity's private key.
+     *
+     * Uses Ed25519 signatures. The private key never leaves WASM memory.
+     *
+     * @param data - Data to sign
+     * @returns Promise resolving to the 64-byte Ed25519 signature
+     * @throws {NotAuthenticatedError} If vault is locked
+     */
+    sign(data: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Saves an encrypted secret to the vault.
+     *
+     * The secret is:
+     * 1. Stored in the in-memory cache
+     * 2. Re-encrypted with the vault's master key
+     * 3. Persisted to storage (both password and recovery copies)
+     *
+     * @param key - Unique identifier for the secret
+     * @param secret - The secret value to store
+     * @throws {NotAuthenticatedError} If vault is locked
+     * @throws {VaultError} If storage operation fails
+     */
+    saveSecret(key: string, secret: string): Promise<void>;
+    /**
+     * Retrieves a decrypted secret from the vault.
+     *
+     * @param key - The secret identifier
+     * @returns The decrypted secret value, or null if not found
+     * @throws {NotAuthenticatedError} If vault is locked
+     */
+    getSecret(key: string): Promise<string | null>;
+    /**
+     * Disposes of the vault and releases all resources.
+     *
+     * After calling dispose():
+     * - All sensitive data is cleared from memory
+     * - The vault cannot be used again
+     * - A new VaultService instance must be created
+     */
+    dispose(): void;
+    /**
+     * Generates a high-entropy recovery code.
+     * Format: RK-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX (32 hex chars)
+     */
+    private generateRecoveryCode;
+    private ensureNotDisposed;
+    private ensureInitialized;
+    private ensureAuthenticated;
+    private setSession;
+    private toBase64;
+    private fromBase64;
+}
+
+/**
+ * License verification status returned after WASM initialization.
+ */
+interface LicenseStatus {
+    /** True if a valid commercial license was verified */
+    readonly isCommercial: boolean;
+    /** The licensed entity name, or null if AGPLv3 mode */
+    readonly licensee: string | null;
+}
+
+/**
+* Domain error definitions for P47H Vault JS.
+* Basis for handling typed exceptions.
+ */
+declare class VaultError extends Error {
+    code: string;
+    cause?: unknown | undefined;
+    constructor(message: string, code: string, cause?: unknown | undefined);
+}
+declare class InitializationError extends VaultError {
+    constructor(message: string, cause?: unknown);
+}
+declare class AuthenticationError extends VaultError {
+    constructor(message?: string);
+}
+declare class NotAuthenticatedError extends VaultError {
+    constructor();
+}
+declare class StorageError extends VaultError {
+    constructor(message: string, cause?: unknown);
+}
+declare class CryptoError extends VaultError {
+    constructor(message: string, cause?: unknown);
+}
+
+declare class BrowserStorage implements IStorage {
+    private readonly dbName;
+    private readonly storeName;
+    private readonly version;
+    /**
+     * Promisify IndexedDB request helper
+     */
+    private request;
+    /**
+     * Open database connection with migration logic
+     */
+    private getDB;
+    /**
+     * Execute a transaction
+     */
+    private withStore;
+    save(key: string, data: EncryptedVaultBlob): Promise<void>;
+    get(key: string): Promise<EncryptedVaultBlob | null>;
+    remove(key: string): Promise<void>;
+    listKeys(): Promise<string[]>;
+    clear(): Promise<void>;
+}
+
+export { AuthenticationError, BrowserStorage, CryptoError, type EncryptedVaultBlob, type IStorage, type IVault, type IdentityInfo, InitializationError, type LicenseStatus, NotAuthenticatedError, VaultService as P47hVault, type RecoveryOptions, type RecoveryResult, type RegistrationResult, StorageError, type VaultConfig, VaultError };

package/dist/index.js

@@ -0,0 +1,36 @@
+/**
+ * P47H Vault JS - Secure local-first cryptographic storage
+ * @license AGPL-3.0 OR Commercial (https://p47h.com/licensing)
+ */
+var a=class extends Error{constructor(r,e,i){super(r);this.code=e;this.cause=i;this.name="VaultError";}},m=class extends a{constructor(t,r){super(t,"VAULT_INIT_ERROR",r),this.name="InitializationError";}},u=class extends a{constructor(t="Invalid password or corrupted vault"){super(t,"AUTH_FAILED"),this.name="AuthenticationError";}},g=class extends a{constructor(){super("Vault is locked. Unlock it first.","VAULT_LOCKED"),this.name="NotAuthenticatedError";}},d=class extends a{constructor(t,r){super(t,"STORAGE_ERROR",r),this.name="StorageError";}},h=class extends a{constructor(t,r){super(t,"CRYPTO_ERROR",r),this.name="CryptoError";}};var v=class{constructor(t="/wasm/p47h_wasm_core_bg.wasm"){this.module=null;this._licenseStatus={isCommercial:false,licensee:null};this._isInitialized=false;this._wasmPath=t;}async init(t){if(this._isInitialized&&this.module)return this._licenseStatus;try{let r=await this.loadWasmModule();return await this.initializeWasmInstance(r),this.initializeLicenseSession(r,t),this.module=r,this._isInitialized=!0,this._licenseStatus}catch(r){throw new m("Failed to load P47H WASM core",r)}}async loadWasmModule(){let t=await fetch("/wasm/p47h_wasm_core.js");if(!t.ok)throw new Error(`Failed to load WASM module: HTTP ${t.status}. Ensure p47h_wasm_core.js is available at /wasm/p47h_wasm_core.js`);let r=await t.text(),e=new Blob([r],{type:"application/javascript"}),i=URL.createObjectURL(e);try{return await import(i)}finally{URL.revokeObjectURL(i);}}async initializeWasmInstance(t){try{await t.default({module_or_path:this._wasmPath});}catch{await t.default(this._wasmPath);}typeof t.init=="function"&&t.init();}initializeLicenseSession(t,r){if(typeof t.init_session!="function"){this._licenseStatus={isCommercial:false,licensee:null};return}let e=t.init_session(r||null),i=null;e&&typeof t.get_licensee=="function"&&(i=t.get_licensee()??null),this._licenseStatus=Object.freeze({isCommercial:e,licensee:i});}getModule(){if(!this.module||!this._isInitialized)throw new m("WasmCryptoAdapter not initialized. Call init() first.");return this.module}deriveSessionKey(t,r){try{return this.getModule().VaultCrypto.derive_session_key(t,r)}catch(e){throw new h("Failed to derive session key",e)}}encryptVault(t,r){try{return this.getModule().VaultCrypto.encrypt_vault(t,r)}catch(e){throw new h("Vault encryption failed",e)}}decryptVault(t,r){try{return this.getModule().VaultCrypto.decrypt_vault(t,r)}catch(e){throw new h("Vault decryption failed: Invalid password or corrupted data",e)}}createIdentity(){try{let t=this.getModule();return new t.P47hClient}catch(t){throw new h("Failed to generate new identity",t)}}restoreIdentity(t,r){try{return this.getModule().P47hClient.from_wrapped_secret(t,r)}catch(e){throw new h("Failed to restore identity from wrapped secret",e)}}getRandomValues(t){return crypto.getRandomValues(new Uint8Array(t))}getLicenseStatus(){return this._licenseStatus}isCommercial(){return this._licenseStatus.isCommercial}isInitialized(){return this._isInitialized}};var I=class{constructor(){this.dbName="p47h-vault";this.storeName="keystores";this.version=2;}request(t){return new Promise((r,e)=>{t.onsuccess=()=>r(t.result),t.onerror=()=>e(t.error);})}async getDB(){return new Promise((t,r)=>{if(typeof indexedDB>"u")return r(new d("IndexedDB not supported in this environment"));let e=indexedDB.open(this.dbName,this.version);e.onerror=()=>r(new d("Failed to open database",e.error)),e.onsuccess=()=>t(e.result),e.onupgradeneeded=i=>{let n=e.result;i.oldVersion<2&&(n.objectStoreNames.contains(this.storeName)&&n.deleteObjectStore(this.storeName),n.createObjectStore(this.storeName,{keyPath:"did"}));};})}async withStore(t,r){try{let i=(await this.getDB()).transaction(this.storeName,t),n=i.objectStore(this.storeName),s=r(n);return new Promise((o,c)=>{i.oncomplete=()=>{s instanceof IDBRequest?o(s.result):o(void 0);},i.onerror=()=>c(new d("Transaction failed",i.error)),s instanceof IDBRequest&&(s.onerror=()=>c(new d("Request failed",s.error)));})}catch(e){throw e instanceof d?e:new d("Database operation failed",e)}}async save(t,r){if(r.did!==t)throw new d(`Integrity check: Key ${t} does not match DID ${r.did}`);await this.withStore("readwrite",e=>e.put(r));}async get(t){return await this.withStore("readonly",e=>e.get(t))||null}async remove(t){await this.withStore("readwrite",r=>r.delete(t));}async listKeys(){return this.withStore("readonly",t=>t.getAllKeys())}async clear(){await this.withStore("readwrite",t=>t.clear());}};var S="RK",A=16,R=class{constructor(t){this._client=null;this._sessionKey=null;this._currentDid=null;this._secretsCache=null;this._passwordCache=null;this._isInitialized=false;this._isDisposed=false;this._crypto=new v,this._storage=t??new I;}async init(t){this.ensureNotDisposed(),!this._isInitialized&&(t?.wasmPath&&(this._crypto=new v(t.wasmPath)),await this._crypto.init(t?.licenseKey),this._isInitialized=true);}isCommercialLicense(){return this._crypto.isCommercial()}getLicensee(){return this._crypto.getLicenseStatus().licensee}async register(t){this.ensureInitialized();let r=this._crypto.createIdentity(),e=r.get_did(),i=this._crypto.getRandomValues(16),n=this._crypto.deriveSessionKey(t,i),s=r.export_wrapped_secret(n),o={did:e,wrappedSecret:this.toBase64(s),salt:this.toBase64(i),secrets:{},createdAt:Date.now()},c=JSON.stringify(o),w=new TextEncoder().encode(c),_=this._crypto.encryptVault(w,t),l=this.generateRecoveryCode(),f=this._crypto.encryptVault(w,l),y={version:1,did:e,salt:this.toBase64(i),wrappedData:this.toBase64(_),recoveryBlob:this.toBase64(f),updatedAt:Date.now()};return await this._storage.save(e,y),this.setSession(r,n,e,t,{}),{did:e,recoveryCode:l}}async login(t,r){this.ensureInitialized();let e=r;if(!e){let l=await this._storage.listKeys();if(l.length===0)throw new u("No identities found in storage");e=l[0];}let i=await this._storage.get(e);if(!i)throw new u(`Identity ${e} not found`);let n;try{n=this._crypto.decryptVault(this.fromBase64(i.wrappedData),t);}catch{throw new u("Invalid password or corrupted vault")}let s;try{let l=new TextDecoder().decode(n);s=JSON.parse(l);}catch{throw new a("Vault data corruption: Invalid JSON","CORRUPT_DATA")}if(s.did!==e)throw new a("Integrity error: DID mismatch inside vault","INTEGRITY_ERROR");let o=this.fromBase64(s.salt),c=this._crypto.deriveSessionKey(t,o),w=this.fromBase64(s.wrappedSecret),_=this._crypto.restoreIdentity(w,c);return this.setSession(_,c,e,t,s.secrets),{did:e,publicKey:_.get_public_key()}}async recoverAccount(t){this.ensureInitialized();let{recoveryCode:r,newPassword:e,did:i,rotateRecoveryCode:n=false}=t,s=i;if(!s){let y=await this._storage.listKeys();if(y.length===0)throw new u("No vaults found");s=y[0];}let o=await this._storage.get(s);if(!o)throw new u(`Identity ${s} not found`);if(!o.recoveryBlob)throw new a("Recovery not available for this identity. It may have been created with an older SDK version.","RECOVERY_UNAVAILABLE");let c;try{c=this._crypto.decryptVault(this.fromBase64(o.recoveryBlob),r);}catch{throw new u("Invalid Recovery Code")}let w;try{let y=new TextDecoder().decode(c);w=JSON.parse(y);}catch{throw new a("Vault data corruption during recovery","CORRUPT_DATA")}let _=this._crypto.encryptVault(c,e),l,f;if(n){l=this.generateRecoveryCode();let y=this._crypto.encryptVault(c,l);f=this.toBase64(y);}else f=o.recoveryBlob;return o.wrappedData=this.toBase64(_),o.recoveryBlob=f,o.updatedAt=Date.now(),await this._storage.save(s,o),await this.login(e,s),{did:s,newRecoveryCode:l}}lock(){if(this._client){try{this._client.free();}catch{}this._client=null;}this._sessionKey=null,this._currentDid=null,this._secretsCache=null,this._passwordCache=null;}isAuthenticated(){return this._client!==null&&!this._isDisposed}getDid(){return this.ensureAuthenticated(),this._currentDid}async getStoredIdentities(){return this.ensureInitialized(),this._storage.listKeys()}async sign(t){return this.ensureAuthenticated(),this._client.sign_data(t)}async saveSecret(t,r){if(this.ensureAuthenticated(),!this._secretsCache||!this._passwordCache||!this._currentDid)throw new g;this._secretsCache[t]=r;let e=await this._storage.get(this._currentDid);if(!e)throw new a("Storage corruption during save","STORAGE_ERROR");let i=this._crypto.decryptVault(this.fromBase64(e.wrappedData),this._passwordCache),n=JSON.parse(new TextDecoder().decode(i));n.secrets={...this._secretsCache},n.createdAt=Date.now();let s=new TextEncoder().encode(JSON.stringify(n)),o=this._crypto.encryptVault(s,this._passwordCache);e.wrappedData=this.toBase64(o),e.recoveryBlob,e.updatedAt=Date.now(),await this._storage.save(this._currentDid,e);}async getSecret(t){return this.ensureAuthenticated(),this._secretsCache?.[t]??null}dispose(){this._isDisposed||(this.lock(),this._isInitialized=false,this._isDisposed=true);}generateRecoveryCode(){let t=this._crypto.getRandomValues(A),r=Array.from(t).map(e=>e.toString(16).padStart(2,"0").toUpperCase()).join("");return `${S}-${r.slice(0,8)}-${r.slice(8,16)}-${r.slice(16,24)}-${r.slice(24,32)}`}ensureNotDisposed(){if(this._isDisposed)throw new a("VaultService has been disposed","DISPOSED")}ensureInitialized(){if(this.ensureNotDisposed(),!this._isInitialized)throw new m("VaultService not initialized. Call init() first.")}ensureAuthenticated(){if(this.ensureInitialized(),!this._client)throw new g}setSession(t,r,e,i,n){this._client=t,this._sessionKey=r,this._currentDid=e,this._passwordCache=i,this._secretsCache={...n};}toBase64(t){let r=Array.from(t,e=>String.fromCharCode(e)).join("");return btoa(r)}fromBase64(t){let r=atob(t);return Uint8Array.from(r,e=>e.codePointAt(0))}};/**
+ * @fileoverview WASM Crypto Adapter for P47H Vault
+ * 
+ * This module provides the bridge between TypeScript and the Rust/WASM
+ * cryptographic core. It handles module loading, initialization, and
+ * provides type-safe wrappers for all WASM operations.
+ * 
+ * @module adapters/WasmCryptoAdapter
+ * @license AGPL-3.0 OR Commercial
+ */
+/**
+ * @fileoverview P47H Vault Service - Core Identity and Secret Management
+ * 
+ * This is the main facade for the P47H Vault SDK. It provides a high-level,
+ * type-safe API for:
+ * - Creating and managing cryptographic identities (DIDs)
+ * - Securely storing and retrieving encrypted secrets
+ * - Emergency recovery using Recovery Codes (PUK)
+ * - Session management with automatic memory cleanup
+ * 
+ * @module logic/VaultService
+ * @license AGPL-3.0 OR Commercial
+ */
+/**
+ * @fileoverview P47H Vault JS SDK - Entry Point
+ * 
+ * Secure local-first cryptographic vault for the browser.
+ * 
+ * @module @p47h/vault-js
+ * @license AGPL-3.0 OR Commercial (https://p47h.com/licensing)
+ */export{u as AuthenticationError,I as BrowserStorage,h as CryptoError,m as InitializationError,g as NotAuthenticatedError,R as P47hVault,d as StorageError,a as VaultError};//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map