npm - @plyaz/api - Versions diffs - 1.1.1 → 1.2.0 - Mend

@plyaz/api 1.1.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/api/client/helpers/interceptors.d.ts +2 -2
package/dist/api/client/helpers/interceptors.d.ts.map +1 -1
package/dist/api/debugger/UnifiedDebugger.d.ts.map +1 -1
package/dist/api/encryption/crypto.d.ts +56 -0
package/dist/api/encryption/crypto.d.ts.map +1 -0
package/dist/api/encryption/field-path.d.ts +74 -0
package/dist/api/encryption/field-path.d.ts.map +1 -0
package/dist/api/encryption/index.d.ts +8 -0
package/dist/api/encryption/index.d.ts.map +1 -0
package/dist/api/encryption/interceptors.d.ts +103 -0
package/dist/api/encryption/interceptors.d.ts.map +1 -0
package/dist/api/index.d.ts +1 -0
package/dist/api/index.d.ts.map +1 -1
package/dist/api/queue/EventQueueManager.d.ts.map +1 -1
package/dist/index.cjs +727 -12
package/dist/index.cjs.map +1 -1
package/dist/index.mjs +700 -11
package/dist/index.mjs.map +1 -1
package/package.json +2 -2

package/dist/index.cjs CHANGED Viewed

@@ -7,7 +7,7 @@ var fetchff = require('fetchff');
 var async_hooks = require('async_hooks');
 var common = require('@nestjs/common');
 var rxjs = require('rxjs');
-var crypto = require('crypto');
+var crypto$1 = require('crypto');
 var reactQuery = require('@tanstack/react-query');
 var react = require('react');
@@ -610,7 +610,7 @@ function getCrypto() {
 }
 __name(getCrypto, "getCrypto");
 function generateUUID() {
-  const crypto = getCrypto();
+  const crypto2 = getCrypto();
   const UUID_CONSTANTS = {
     BYTES: 16,
     VERSION_POSITION: 6,
@@ -627,12 +627,12 @@ function generateUUID() {
     // eslint-disable-next-line no-magic-numbers
     POSITIONS: [8, 12, 16, 20, 32]
   };
-  if (crypto && typeof crypto.randomUUID === "function") {
-    return crypto.randomUUID();
+  if (crypto2 && typeof crypto2.randomUUID === "function") {
+    return crypto2.randomUUID();
   }
-  if (crypto?.getRandomValues) {
+  if (crypto2?.getRandomValues) {
     const bytes = new Uint8Array(UUID_CONSTANTS.BYTES);
-    crypto.getRandomValues(bytes);
+    crypto2.getRandomValues(bytes);
     bytes[UUID_CONSTANTS.VERSION_POSITION] = bytes[UUID_CONSTANTS.VERSION_POSITION] & UUID_CONSTANTS.VERSION_MASK | UUID_CONSTANTS.VERSION_VALUE;
     bytes[UUID_CONSTANTS.VARIANT_POSITION] = bytes[UUID_CONSTANTS.VARIANT_POSITION] & UUID_CONSTANTS.VARIANT_MASK | UUID_CONSTANTS.VARIANT_VALUE;
     const hex = Array.from(
@@ -10460,7 +10460,8 @@ var UnifiedDebugger = class _UnifiedDebugger {
       default: "default configuration",
       client: "client configuration",
       interceptor: "interceptor configuration",
-      contextHeaders: "context header configuration"
+      contextHeaders: "context header configuration",
+      encryption: "encryption configuration for sensitive data"
     };
     return reasons[winningSource] || `${winningSource} has higher precedence than ${losingSource}`;
   }
@@ -21847,7 +21848,7 @@ function getHeaderFingerprint(headers2) {
     return "no-cache-affecting-headers";
   }
   const content = parts.join("|");
-  return crypto.createHash("sha256").update(content).digest("hex").substring(0, FINGERPRINT_LENGTH);
+  return crypto$1.createHash("sha256").update(content).digest("hex").substring(0, FINGERPRINT_LENGTH);
 }
 __name(getHeaderFingerprint, "getHeaderFingerprint");
@@ -22183,6 +22184,669 @@ function createPreservedConfig(options) {
   } : void 0);
 }
 __name(createPreservedConfig, "createPreservedConfig");
+// src/api/encryption/crypto.ts
+var AES_256_KEY_SIZE_BYTES = 32;
+var BITS_PER_BYTE = 8;
+var ALGORITHM_PARAMS = {
+  "AES-GCM": {
+    name: "AES-GCM",
+    length: 256,
+    ivLength: 12,
+    // 96 bits recommended for GCM
+    tagLength: 128
+    // 128 bits authentication tag
+  },
+  "AES-CBC": {
+    name: "AES-CBC",
+    length: 256,
+    ivLength: 16
+    // 128 bits for CBC
+  },
+  "ChaCha20-Poly1305": {
+    name: "ChaCha20-Poly1305",
+    length: 256,
+    ivLength: 12
+    // 96 bits nonce
+  }
+};
+function isCryptoAvailable() {
+  return typeof crypto !== "undefined" && crypto.subtle !== void 0;
+}
+__name(isCryptoAvailable, "isCryptoAvailable");
+function generateIV(algorithm) {
+  if (!isCryptoAvailable()) {
+    throw new ApiPackageError("Web Crypto API not available");
+  }
+  const params = ALGORITHM_PARAMS[algorithm];
+  return crypto.getRandomValues(new Uint8Array(params.ivLength));
+}
+__name(generateIV, "generateIV");
+function base64ToBytes(base64) {
+  const normalized = base64.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(normalized);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+__name(base64ToBytes, "base64ToBytes");
+function bytesToBase64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+__name(bytesToBase64, "bytesToBase64");
+async function importJwkKey(key, algorithmParams) {
+  return await crypto.subtle.importKey(
+    "jwk",
+    key,
+    algorithmParams,
+    true,
+    // extractable for key rotation and backup
+    ["encrypt", "decrypt"]
+  );
+}
+__name(importJwkKey, "importJwkKey");
+async function importStringKey(key, format, algorithmParams) {
+  const keyBytes = format === "base64" ? base64ToBytes(key) : new TextEncoder().encode(key);
+  if (keyBytes.length !== AES_256_KEY_SIZE_BYTES) {
+    throw new ApiPackageError(
+      `Invalid key length: expected ${AES_256_KEY_SIZE_BYTES} bytes (256 bits), got ${keyBytes.length} bytes`
+    );
+  }
+  return await crypto.subtle.importKey(
+    "raw",
+    keyBytes,
+    algorithmParams,
+    true,
+    // extractable for key rotation and backup
+    ["encrypt", "decrypt"]
+  );
+}
+__name(importStringKey, "importStringKey");
+function isCryptoKey(key) {
+  return key instanceof CryptoKey || typeof key === "object" && key !== null && "type" in key;
+}
+__name(isCryptoKey, "isCryptoKey");
+async function importKey(key, algorithm, format = "raw") {
+  if (isCryptoKey(key)) {
+    return key;
+  }
+  if (!isCryptoAvailable()) {
+    throw new ApiPackageError("Web Crypto API not available");
+  }
+  const algorithmParams = {
+    name: ALGORITHM_PARAMS[algorithm].name,
+    length: ALGORITHM_PARAMS[algorithm].length
+  };
+  if (format === "jwk" && typeof key === "object") {
+    return await importJwkKey(key, algorithmParams);
+  }
+  if (typeof key === "string") {
+    return await importStringKey(key, format, algorithmParams);
+  }
+  throw new ApiPackageError(`Unsupported key format: ${format}`);
+}
+__name(importKey, "importKey");
+async function encrypt(data, encryptionKey) {
+  if (!isCryptoAvailable()) {
+    throw new ApiPackageError("Web Crypto API not available");
+  }
+  const { algorithm, key, format, id: keyId } = encryptionKey;
+  const params = ALGORITHM_PARAMS[algorithm];
+  const cryptoKey = await importKey(key, algorithm, format);
+  const iv = generateIV(algorithm);
+  const dataString = typeof data === "string" ? data : JSON.stringify(data);
+  const dataBytes = new TextEncoder().encode(dataString);
+  const algorithmParams = {
+    name: params.name,
+    iv,
+    ...algorithm === "AES-GCM" && "tagLength" in params && { tagLength: params.tagLength }
+  };
+  const encryptedBuffer = await crypto.subtle.encrypt(algorithmParams, cryptoKey, dataBytes);
+  const encryptedBytes = new Uint8Array(encryptedBuffer);
+  let authTag;
+  let ciphertext = encryptedBytes;
+  if (algorithm === "AES-GCM" && "tagLength" in params) {
+    const tagLength = params.tagLength / BITS_PER_BYTE;
+    const ciphertextLength = encryptedBytes.length - tagLength;
+    ciphertext = encryptedBytes.slice(0, ciphertextLength);
+    const tagBytes = encryptedBytes.slice(ciphertextLength);
+    authTag = bytesToBase64(tagBytes);
+  }
+  return {
+    encrypted: true,
+    algorithm,
+    keyId,
+    iv: bytesToBase64(iv),
+    value: bytesToBase64(ciphertext),
+    ...authTag && { authTag }
+  };
+}
+__name(encrypt, "encrypt");
+function parseDecryptedData(decryptedString) {
+  try {
+    return JSON.parse(decryptedString);
+  } catch {
+    return decryptedString;
+  }
+}
+__name(parseDecryptedData, "parseDecryptedData");
+function prepareCiphertextForDecryption(ciphertext, algorithm, authTag) {
+  if (algorithm === "AES-GCM" && authTag) {
+    const tagBytes = base64ToBytes(authTag);
+    const combined = new Uint8Array(ciphertext.length + tagBytes.length);
+    combined.set(ciphertext);
+    combined.set(tagBytes, ciphertext.length);
+    return combined;
+  }
+  return ciphertext;
+}
+__name(prepareCiphertextForDecryption, "prepareCiphertextForDecryption");
+async function decrypt(encrypted, encryptionKey) {
+  if (!isCryptoAvailable()) {
+    throw new ApiPackageError("Web Crypto API not available");
+  }
+  if (typeof encrypted === "string") {
+    throw new ApiPackageError(
+      "Cannot decrypt string without metadata. Use EncryptedFieldMetadata format."
+    );
+  }
+  const { algorithm, value, iv: ivBase64, authTag } = encrypted;
+  const { key, format } = encryptionKey;
+  const params = ALGORITHM_PARAMS[algorithm];
+  if (encryptionKey.id !== encrypted.keyId) {
+    throw new ApiPackageError(
+      `Key ID mismatch: expected ${encrypted.keyId}, got ${encryptionKey.id}`
+    );
+  }
+  const cryptoKey = await importKey(key, algorithm, format);
+  const iv = base64ToBytes(ivBase64);
+  const ciphertext = prepareCiphertextForDecryption(base64ToBytes(value), algorithm, authTag);
+  const algorithmParams = {
+    name: params.name,
+    iv,
+    ...algorithm === "AES-GCM" && "tagLength" in params && { tagLength: params.tagLength }
+  };
+  try {
+    const decryptedBuffer = await crypto.subtle.decrypt(
+      algorithmParams,
+      cryptoKey,
+      ciphertext
+    );
+    const decryptedBytes = new Uint8Array(decryptedBuffer);
+    const decryptedString = new TextDecoder().decode(decryptedBytes);
+    return parseDecryptedData(decryptedString);
+  } catch (error) {
+    throw new ApiPackageError(
+      `Decryption failed: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+__name(decrypt, "decrypt");
+function isEncryptedMetadata(value) {
+  return typeof value === "object" && value !== null && "encrypted" in value && value.encrypted === true && "algorithm" in value && "keyId" in value && "iv" in value && "value" in value;
+}
+__name(isEncryptedMetadata, "isEncryptedMetadata");
+function generateRandomKey() {
+  if (!isCryptoAvailable()) {
+    throw new ApiPackageError("Web Crypto API not available");
+  }
+  return crypto.getRandomValues(new Uint8Array(AES_256_KEY_SIZE_BYTES));
+}
+__name(generateRandomKey, "generateRandomKey");
+async function exportKeyToBase64(key) {
+  if (!isCryptoAvailable()) {
+    throw new ApiPackageError("Web Crypto API not available");
+  }
+  const exported = await crypto.subtle.exportKey("raw", key);
+  return bytesToBase64(new Uint8Array(exported));
+}
+__name(exportKeyToBase64, "exportKeyToBase64");
+// src/api/encryption/field-path.ts
+function parseFieldPath(path) {
+  return path.split(".").filter(Boolean);
+}
+__name(parseFieldPath, "parseFieldPath");
+function isWildcard(segment) {
+  return segment === "*";
+}
+__name(isWildcard, "isWildcard");
+function matchFieldPath(path, pattern) {
+  if (pattern.length !== path.length) {
+    return false;
+  }
+  for (let i = 0; i < pattern.length; i++) {
+    if (!isWildcard(pattern[i]) && pattern[i] !== path[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+__name(matchFieldPath, "matchFieldPath");
+function getAllFieldPaths(obj, prefix = "") {
+  if (typeof obj !== "object" || obj === null) {
+    return [];
+  }
+  const paths = [];
+  if (Array.isArray(obj)) {
+    obj.forEach((item, index) => {
+      const itemPrefix = prefix ? `${prefix}.${index}` : `${index}`;
+      paths.push(itemPrefix);
+      paths.push(...getAllFieldPaths(item, itemPrefix));
+    });
+  } else {
+    Object.keys(obj).forEach((key) => {
+      const fullPath = prefix ? `${prefix}.${key}` : key;
+      paths.push(fullPath);
+      paths.push(...getAllFieldPaths(obj[key], fullPath));
+    });
+  }
+  return paths;
+}
+__name(getAllFieldPaths, "getAllFieldPaths");
+function getFieldValue(obj, path) {
+  if (typeof obj !== "object" || obj === null) {
+    return void 0;
+  }
+  const segments = parseFieldPath(path);
+  let current = obj;
+  for (const segment of segments) {
+    if (typeof current !== "object" || current === null) {
+      return void 0;
+    }
+    current = current[segment];
+  }
+  return current;
+}
+__name(getFieldValue, "getFieldValue");
+function setFieldValue(obj, path, value) {
+  if (typeof obj !== "object" || obj === null) {
+    return;
+  }
+  const segments = parseFieldPath(path);
+  let current = obj;
+  for (let i = 0; i < segments.length - 1; i++) {
+    const segment = segments[i];
+    if (!(segment in current) || typeof current[segment] !== "object" || current[segment] === null) {
+      current[segment] = {};
+    }
+    current = current[segment];
+  }
+  const lastSegment = segments[segments.length - 1];
+  current[lastSegment] = value;
+}
+__name(setFieldValue, "setFieldValue");
+function findMatchingPaths(obj, pattern) {
+  const allPaths = getAllFieldPaths(obj);
+  const patternSegments = parseFieldPath(pattern);
+  return allPaths.filter((path) => {
+    const pathSegments = parseFieldPath(path);
+    return matchFieldPath(pathSegments, patternSegments);
+  });
+}
+__name(findMatchingPaths, "findMatchingPaths");
+async function transformFields(obj, patterns, transform, excludePatterns) {
+  if (typeof obj !== "object" || obj === null) {
+    return obj;
+  }
+  const result = JSON.parse(JSON.stringify(obj));
+  const matchingPaths = [];
+  for (const pattern of patterns) {
+    matchingPaths.push(...findMatchingPaths(result, pattern));
+  }
+  let pathsToTransform = matchingPaths;
+  if (excludePatterns && excludePatterns.length > 0) {
+    const excludedPaths = /* @__PURE__ */ new Set();
+    for (const excludePattern of excludePatterns) {
+      findMatchingPaths(result, excludePattern).forEach((path) => excludedPaths.add(path));
+    }
+    pathsToTransform = matchingPaths.filter((path) => !excludedPaths.has(path));
+  }
+  for (const path of pathsToTransform) {
+    const value = getFieldValue(result, path);
+    const transformed = await transform(value, path);
+    setFieldValue(result, path, transformed);
+  }
+  return result;
+}
+__name(transformFields, "transformFields");
+function extractFields(obj, patterns) {
+  if (typeof obj !== "object" || obj === null) {
+    return obj;
+  }
+  const result = {};
+  for (const pattern of patterns) {
+    const matchingPaths = findMatchingPaths(obj, pattern);
+    for (const path of matchingPaths) {
+      const value = getFieldValue(obj, path);
+      setFieldValue(result, path, value);
+    }
+  }
+  return result;
+}
+__name(extractFields, "extractFields");
+function hasMatchingFields(obj, patterns) {
+  if (typeof obj !== "object" || obj === null) {
+    return false;
+  }
+  for (const pattern of patterns) {
+    const matching = findMatchingPaths(obj, pattern);
+    if (matching.length > 0) {
+      return true;
+    }
+  }
+  return false;
+}
+__name(hasMatchingFields, "hasMatchingFields");
+function isValidFieldPath(path) {
+  if (!path || typeof path !== "string") {
+    return false;
+  }
+  if (/[^a-zA-Z0-9._*-]/.test(path)) {
+    return false;
+  }
+  if (path.includes("..") || path.startsWith(".") || path.endsWith(".")) {
+    return false;
+  }
+  const segments = parseFieldPath(path);
+  if (segments.length === 0) {
+    return false;
+  }
+  return true;
+}
+__name(isValidFieldPath, "isValidFieldPath");
+// src/api/encryption/interceptors.ts
+async function resolveEncryptionKey(keyOrProvider, context) {
+  if (typeof keyOrProvider === "function") {
+    return await keyOrProvider(context);
+  }
+  return keyOrProvider;
+}
+__name(resolveEncryptionKey, "resolveEncryptionKey");
+function shouldEncryptTarget(target, targets) {
+  if (!targets) {
+    return true;
+  }
+  if (Array.isArray(targets)) {
+    return targets.includes(target);
+  }
+  return targets === target;
+}
+__name(shouldEncryptTarget, "shouldEncryptTarget");
+function handleEncryptionError(error, path, value, onError) {
+  const errorMessage = `Failed to encrypt field '${path}': ${error instanceof Error ? error.message : "Unknown error"}`;
+  if (onError === "throw") {
+    throw new ApiPackageError(errorMessage);
+  }
+  if (onError === "skip") {
+    return value;
+  }
+  return "[ENCRYPTION_FAILED]";
+}
+__name(handleEncryptionError, "handleEncryptionError");
+async function encryptFieldValue(value, path, config) {
+  try {
+    const encrypted = await encrypt(value, config.encryptionKey);
+    return config.includeMetadata ? encrypted : encrypted.value;
+  } catch (error) {
+    return handleEncryptionError(error, path, value, config.onError);
+  }
+}
+__name(encryptFieldValue, "encryptFieldValue");
+function shouldEncryptObject(obj, fields) {
+  if (!obj || typeof obj !== "object") {
+    return false;
+  }
+  if (!fields || fields.length === 0) {
+    return false;
+  }
+  return true;
+}
+__name(shouldEncryptObject, "shouldEncryptObject");
+async function encryptObject(obj, config, encryptionKey) {
+  if (!shouldEncryptObject(obj, config.fields)) {
+    return obj;
+  }
+  const { fields, excludeFields, onError = "throw", includeMetadata = true } = config;
+  try {
+    return transformFields(
+      obj,
+      fields,
+      async (value, path) => encryptFieldValue(value, path, { encryptionKey, includeMetadata, onError }),
+      excludeFields
+    );
+  } catch (error) {
+    if (onError === "throw") {
+      throw error;
+    }
+    return obj;
+  }
+}
+__name(encryptObject, "encryptObject");
+async function decryptObject(obj, config, encryptionKey) {
+  if (!obj || typeof obj !== "object") {
+    return obj;
+  }
+  const { onError = "throw" } = config;
+  try {
+    return await recursiveDecrypt(obj, encryptionKey, onError);
+  } catch (error) {
+    if (onError === "throw") {
+      throw error;
+    }
+    return obj;
+  }
+}
+__name(decryptObject, "decryptObject");
+function handleDecryptionError(error, obj, onError) {
+  const errorMessage = `Failed to decrypt field: ${error instanceof Error ? error.message : "Unknown error"}`;
+  if (onError === "throw") {
+    throw new ApiPackageError(errorMessage);
+  }
+  if (onError === "skip") {
+    return obj;
+  }
+  return "[DECRYPTION_FAILED]";
+}
+__name(handleDecryptionError, "handleDecryptionError");
+async function decryptEncryptedValue(obj, encryptionKey, onError) {
+  try {
+    return await decrypt(obj, encryptionKey);
+  } catch (error) {
+    return handleDecryptionError(error, obj, onError);
+  }
+}
+__name(decryptEncryptedValue, "decryptEncryptedValue");
+async function decryptArray(arr, encryptionKey, onError) {
+  const decrypted = await Promise.all(
+    arr.map((item) => recursiveDecrypt(item, encryptionKey, onError))
+  );
+  return decrypted;
+}
+__name(decryptArray, "decryptArray");
+async function decryptObjectRecursively(obj, encryptionKey, onError) {
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    result[key] = await recursiveDecrypt(value, encryptionKey, onError);
+  }
+  return result;
+}
+__name(decryptObjectRecursively, "decryptObjectRecursively");
+async function recursiveDecrypt(obj, encryptionKey, onError) {
+  if (obj === null || obj === void 0) {
+    return obj;
+  }
+  if (isEncryptedMetadata(obj)) {
+    return await decryptEncryptedValue(obj, encryptionKey, onError);
+  }
+  if (Array.isArray(obj)) {
+    return await decryptArray(obj, encryptionKey, onError);
+  }
+  if (typeof obj === "object") {
+    const decrypted = await decryptObjectRecursively(
+      obj,
+      encryptionKey,
+      onError
+    );
+    return decrypted;
+  }
+  return obj;
+}
+__name(recursiveDecrypt, "recursiveDecrypt");
+function createEncryptionInterceptor(config) {
+  return async (requestConfig) => {
+    if (!config.enabled) {
+      return requestConfig;
+    }
+    const encryptionKey = await resolveEncryptionKey(config.key, {
+      url: requestConfig.url,
+      method: requestConfig.method
+    });
+    if (shouldEncryptTarget("body", config.target) && requestConfig.body) {
+      requestConfig.body = await encryptObject(
+        requestConfig.body,
+        config,
+        encryptionKey
+      );
+    }
+    if (shouldEncryptTarget("params", config.target) && requestConfig.params) {
+      requestConfig.params = await encryptObject(
+        requestConfig.params,
+        config,
+        encryptionKey
+      );
+    }
+    if (shouldEncryptTarget("headers", config.target) && requestConfig.headers) {
+      requestConfig.headers = await encryptObject(
+        requestConfig.headers,
+        config,
+        encryptionKey
+      );
+    }
+    return requestConfig;
+  };
+}
+__name(createEncryptionInterceptor, "createEncryptionInterceptor");
+function createDecryptionInterceptor(config) {
+  return async (response) => {
+    if (!config.enabled || !config.autoDecrypt) {
+      return response;
+    }
+    if (!response.data) {
+      return response;
+    }
+    const encryptionKey = await resolveEncryptionKey(config.key, {
+      url: response.config?.url,
+      method: response.config?.method
+    });
+    response.data = await decryptObject(response.data, config, encryptionKey);
+    return response;
+  };
+}
+__name(createDecryptionInterceptor, "createDecryptionInterceptor");
+function createEncryptionInterceptors(config) {
+  return {
+    onRequest: createEncryptionInterceptor(config),
+    onResponse: createDecryptionInterceptor(config)
+  };
+}
+__name(createEncryptionInterceptors, "createEncryptionInterceptors");
+function validateEncryptionKey(key) {
+  if (!key) {
+    throw new ApiPackageError("Encryption key is required when encryption is enabled");
+  }
+}
+__name(validateEncryptionKey, "validateEncryptionKey");
+function validateAlgorithm(algorithm) {
+  if (!algorithm) {
+    return;
+  }
+  const validAlgorithms = ["AES-GCM", "AES-CBC", "ChaCha20-Poly1305"];
+  if (!validAlgorithms.includes(algorithm)) {
+    throw new ApiPackageError(
+      `Invalid encryption algorithm: ${algorithm}. Must be one of: ${validAlgorithms.join(", ")}`
+    );
+  }
+}
+__name(validateAlgorithm, "validateAlgorithm");
+function validateErrorStrategy(onError) {
+  if (!onError) {
+    return;
+  }
+  const validStrategies = ["throw", "skip", "placeholder"];
+  if (!validStrategies.includes(onError)) {
+    throw new ApiPackageError(
+      `Invalid error handling strategy: ${onError}. Must be one of: ${validStrategies.join(", ")}`
+    );
+  }
+}
+__name(validateErrorStrategy, "validateErrorStrategy");
+function validateTargets(target) {
+  if (!target) {
+    return;
+  }
+  const validTargets = ["body", "params", "headers"];
+  const targets = Array.isArray(target) ? target : [target];
+  for (const t of targets) {
+    if (!validTargets.includes(t)) {
+      throw new ApiPackageError(
+        `Invalid encryption target: ${t}. Must be one of: ${validTargets.join(", ")}`
+      );
+    }
+  }
+}
+__name(validateTargets, "validateTargets");
+function validateEncryptionConfig(config) {
+  if (!config.enabled) {
+    return;
+  }
+  validateEncryptionKey(config.key);
+  validateAlgorithm(config.algorithm);
+  validateErrorStrategy(config.onError);
+  validateTargets(config.target);
+}
+__name(validateEncryptionConfig, "validateEncryptionConfig");
+function getTargetData(target, requestConfig) {
+  if (target === "body") {
+    return requestConfig.body;
+  }
+  if (target === "params") {
+    return requestConfig.params;
+  }
+  if (target === "headers") {
+    return requestConfig.headers;
+  }
+  return void 0;
+}
+__name(getTargetData, "getTargetData");
+function hasMatchingFieldsInTarget(target, requestConfig, config) {
+  if (!shouldEncryptTarget(target, config.target)) {
+    return false;
+  }
+  const targetData = getTargetData(target, requestConfig);
+  if (!targetData) {
+    return false;
+  }
+  return hasMatchingFields(targetData, config.fields ?? []);
+}
+__name(hasMatchingFieldsInTarget, "hasMatchingFieldsInTarget");
+function hasEncryptableFields(requestConfig, config) {
+  if (!config.enabled || !config.fields || config.fields.length === 0) {
+    return false;
+  }
+  const targets = ["body", "params", "headers"];
+  return targets.some((target) => hasMatchingFieldsInTarget(target, requestConfig, config));
+}
+__name(hasEncryptableFields, "hasEncryptableFields");
+// src/api/client/helpers/interceptors.ts
 var DEFAULT_MAX_RETRIES = 3;
 var DEFAULT_SUCCESS_STATUS = config.HTTP_STATUS.OK;
 function trackHeaderChanges(beforeHeaders, afterHeaders, interceptorIndex) {
@@ -22244,7 +22908,7 @@ function createOnRetryHandler(handlers) {
   };
 }
 __name(createOnRetryHandler, "createOnRetryHandler");
-function createOnRequestHandler(handlers, enrichedHeadersConfig) {
+function createOnRequestHandler(handlers, enrichedHeadersConfig, encryptionConfig) {
   return async (config) => {
     const performanceFactory = getPerformanceEventFactory();
     const requestId = generateRequestId();
@@ -22276,6 +22940,16 @@ function createOnRequestHandler(handlers, enrichedHeadersConfig) {
         console.error("Failed to enrich headers:", error);
       }
     }
+    if (encryptionConfig?.enabled) {
+      try {
+        validateEncryptionConfig(encryptionConfig);
+        const encryptionInterceptor = createEncryptionInterceptor(encryptionConfig);
+        processedConfig = await encryptionInterceptor(processedConfig);
+        UnifiedDebugger.getInstance().trackConfigChange({ encryption: "applied" }, "encryption");
+      } catch (error) {
+        console.error("Failed to encrypt request:", error);
+      }
+    }
     if (handlers && handlers.length > 0) {
       for (let i = 0; i < handlers.length; i++) {
         const handler = handlers[i];
@@ -22288,7 +22962,7 @@ function createOnRequestHandler(handlers, enrichedHeadersConfig) {
   };
 }
 __name(createOnRequestHandler, "createOnRequestHandler");
-function createOnResponseHandler(handlers, clearTemporaryOverrides2, clearOnComplete) {
+function createOnResponseHandler(handlers, clearTemporaryOverrides2, clearOnComplete, encryptionConfig) {
   return async (response) => {
     const performanceFactory = getPerformanceEventFactory();
     performanceFactory.emitRequestComplete({
@@ -22307,6 +22981,15 @@ function createOnResponseHandler(handlers, clearTemporaryOverrides2, clearOnComp
         }
       }
     }
+    if (encryptionConfig?.enabled && encryptionConfig?.autoDecrypt) {
+      try {
+        const decryptionInterceptor = createDecryptionInterceptor(encryptionConfig);
+        processedResponse = await decryptionInterceptor(processedResponse);
+        UnifiedDebugger.getInstance().trackConfigChange({ decryption: "applied" }, "encryption");
+      } catch (error) {
+        console.error("Failed to decrypt response:", error);
+      }
+    }
     if (clearOnComplete && clearTemporaryOverrides2) {
       clearTemporaryOverrides2();
     }
@@ -22400,9 +23083,15 @@ function setupUnifiedHandlers(params) {
     clientOptions?.onRetry
   );
   const clearOnComplete = mergedConfig.configOverride?.clearOnComplete ?? globalConfig?.configOverride?.clearOnComplete ?? clientOptions?.configOverride?.clearOnComplete;
+  const encryptionConfig = mergedConfig.encryption ?? globalConfig?.encryption ?? clientOptions?.encryption;
   return {
-    onRequest: createOnRequestHandler(mergedOnRequest, enrichedHeadersConfig),
-    onResponse: createOnResponseHandler(mergedOnResponse, clearTemporaryOverrides2, clearOnComplete),
+    onRequest: createOnRequestHandler(mergedOnRequest, enrichedHeadersConfig, encryptionConfig),
+    onResponse: createOnResponseHandler(
+      mergedOnResponse,
+      clearTemporaryOverrides2,
+      clearOnComplete,
+      encryptionConfig
+    ),
     onError: createOnErrorHandler(mergedOnError, clearTemporaryOverrides2, clearOnComplete),
     onRetry: createOnRetryHandler(mergedOnRetry)
   };
@@ -25150,7 +25839,9 @@ exports.applyTemporaryNetworkOverride = applyTemporaryNetworkOverride;
 exports.applyUnifiedStrategy = applyUnifiedStrategy;
 exports.arrayOf = arrayOf;
 exports.average = average;
+exports.base64ToBytes = base64ToBytes;
 exports.buildCacheKey = buildCacheKey;
+exports.bytesToBase64 = bytesToBase64;
 exports.cacheKeyPatterns = cacheKeyPatterns;
 exports.cacheStrategies = cacheStrategies;
 exports.calculateCacheDuration = calculateCacheDuration;
@@ -25188,7 +25879,10 @@ exports.createCustomUnifiedStrategy = createCustomUnifiedStrategy;
 exports.createDate = createDate;
 exports.createDebouncedAbort = createDebouncedAbort;
 exports.createDebugReport = createDebugReport;
+exports.createDecryptionInterceptor = createDecryptionInterceptor;
 exports.createDelay = createDelay;
+exports.createEncryptionInterceptor = createEncryptionInterceptor;
+exports.createEncryptionInterceptors = createEncryptionInterceptors;
 exports.createEventEmitter = createEventEmitter;
 exports.createHistoryEntry = createHistoryEntry;
 exports.createHistorySummary = createHistorySummary;
@@ -25214,6 +25908,7 @@ exports.createTypedSubscription = createTypedSubscription;
 exports.createVisibilityAwarePolling = createVisibilityAwarePolling;
 exports.dateDiff = dateDiff;
 exports.debounce = debounce;
+exports.decrypt = decrypt;
 exports.deepMerge = deepMerge;
 exports.deleteCache = deleteCache;
 exports.deleteCampaign = deleteCampaign;
@@ -25223,13 +25918,16 @@ exports.detectPlatform = detectPlatform;
 exports.determinePrecedenceReason = determinePrecedenceReason;
 exports.disableNetworkConfigDebug = disableNetworkConfigDebug;
 exports.enableNetworkConfigDebug = enableNetworkConfigDebug;
+exports.encrypt = encrypt;
 exports.endOfDay = endOfDay;
 exports.eventManager = eventManager;
+exports.exportKeyToBase64 = exportKeyToBase64;
 exports.extendRevalidationPresets = extendPresets;
 exports.extractBaseCorrelationId = extractBaseCorrelationId;
 exports.extractBaseId = extractBaseId;
 exports.extractBaseRequestId = extractBaseRequestId;
 exports.extractCorrelationType = extractCorrelationType;
+exports.extractFields = extractFields;
 exports.extractLinkedCorrelationIds = extractLinkedCorrelationIds;
 exports.fetchCampaign = fetchCampaign;
 exports.fetchCampaignParticipants = fetchCampaignParticipants;
@@ -25237,6 +25935,7 @@ exports.fetchCampaignStats = fetchCampaignStats;
 exports.fetchCampaigns = fetchCampaigns;
 exports.filterHistory = filterHistory;
 exports.filterObject = filterObject;
+exports.findMatchingPaths = findMatchingPaths;
 exports.flattenObject = flattenObject;
 exports.formatDuration = formatDuration;
 exports.formatReportForConsole = formatReportForConsole;
@@ -25251,8 +25950,10 @@ exports.generateContextualCorrelationId = generateContextualCorrelationId;
 exports.generateContextualId = generateContextualId;
 exports.generateContextualRequestId = generateContextualRequestId;
 exports.generateCorrelationId = generateCorrelationId;
+exports.generateIV = generateIV;
 exports.generateIssueBreakdown = generateIssueBreakdown;
 exports.generateNetworkCorrelationId = generateNetworkCorrelationId;
+exports.generateRandomKey = generateRandomKey;
 exports.generateRecommendations = generateRecommendations;
 exports.generateRequestId = generateRequestId;
 exports.generateSessionCorrelationId = generateSessionCorrelationId;
@@ -25266,6 +25967,7 @@ exports.getAdaptiveCacheDuration = getAdaptiveCacheDuration;
 exports.getAdaptiveConfig = getAdaptiveConfig;
 exports.getAdaptivePageSize = getAdaptivePageSize;
 exports.getAdaptiveTimeout = getAdaptiveTimeout;
+exports.getAllFieldPaths = getAllFieldPaths;
 exports.getAllMediaExtensions = getAllMediaExtensions;
 exports.getAppVersion = getAppVersion;
 exports.getAuthenticationType = getAuthenticationType;
@@ -25296,6 +25998,7 @@ exports.getErrorDefinition = getErrorDefinition;
 exports.getErrorHandlers = getErrorHandlers;
 exports.getEventManager = getEventManager;
 exports.getExtendedEnvironmentInfo = getExtendedEnvironmentInfo;
+exports.getFieldValue = getFieldValue;
 exports.getFileExtension = getFileExtension;
 exports.getFrameworkAdaptiveBatchSize = getFrameworkAdaptiveBatchSize;
 exports.getFrameworkAdaptiveTimeout = getFrameworkAdaptiveTimeout;
@@ -25356,9 +26059,11 @@ exports.handleArrayMerge = handleArrayMerge;
 exports.handleObjectMerge = handleObjectMerge;
 exports.hasAnyExtension = hasAnyExtension;
 exports.hasAuthentication = hasAuthentication;
+exports.hasEncryptableFields = hasEncryptableFields;
 exports.hasGlobal = hasGlobal;
 exports.hasIndexedDB = hasIndexedDB;
 exports.hasLocalStorage = hasLocalStorage;
+exports.hasMatchingFields = hasMatchingFields;
 exports.hasNavigator = hasNavigator;
 exports.hasNetworkInfoExpress = hasNetworkInfo2;
 exports.hasNetworkInfoNextjs = hasNetworkInfo;
@@ -25370,6 +26075,7 @@ exports.hasWebPSupport = hasWebPSupport;
 exports.headerPresets = headerPresets;
 exports.headers = headers;
 exports.headersContext = headersContext;
+exports.importKey = importKey;
 exports.inBrowser = inBrowser;
 exports.inRange = inRange;
 exports.inServer = inServer;
@@ -25383,6 +26089,7 @@ exports.isBun = isBun;
 exports.isCI = isCI;
 exports.isCacheValid = isCacheValid;
 exports.isCellularConnection = isCellularConnection;
+exports.isCryptoAvailable = isCryptoAvailable;
 exports.isDataFresh = isDataFresh;
 exports.isDataSaverEnabled = isDataSaverEnabled;
 exports.isDataSaverEnabledFromHeaders = isDataSaverEnabledFromHeaders;
@@ -25393,6 +26100,7 @@ exports.isDocumentVisible = isDocumentVisible;
 exports.isElectron = isElectron;
 exports.isEmpty = isEmpty;
 exports.isEmptyObject = isEmptyObject;
+exports.isEncryptedMetadata = isEncryptedMetadata;
 exports.isError = isError;
 exports.isFunction = isFunction;
 exports.isFuture = isFuture;
@@ -25437,6 +26145,7 @@ exports.isUnifiedStrategyName = isUnifiedStrategyName;
 exports.isValidCorrelationId = isValidCorrelationId;
 exports.isValidDate = isValidDate;
 exports.isValidEnumValue = isValidEnumValue;
+exports.isValidFieldPath = isValidFieldPath;
 exports.isValidId = isValidId;
 exports.isValidJSON = isValidJSON;
 exports.isValidNumber = isValidNumber2;
@@ -25445,6 +26154,7 @@ exports.isValidRequestId = isValidRequestId;
 exports.isValidRevalidationStrategyName = isValidStrategyName;
 exports.isWebWorker = isWebWorker;
 exports.isWifiConnection = isWifiConnection;
+exports.isWildcard = isWildcard;
 exports.isWithinDedupeWindow = isWithinDedupeWindow;
 exports.joinCampaign = joinCampaign;
 exports.jsonClone = jsonClone;
@@ -25457,6 +26167,7 @@ exports.logNetworkConfigReport = logNetworkConfigReport;
 exports.mapKeys = mapKeys;
 exports.mapObject = mapObject;
 exports.mapRange = mapRange;
+exports.matchFieldPath = matchFieldPath;
 exports.matchesAny = matchesAny;
 exports.max = max;
 exports.median = median;
@@ -25486,6 +26197,7 @@ exports.onOnline = onOnline;
 exports.onceErrorHandler = onceErrorHandler;
 exports.oneOf = oneOf;
 exports.parseAndValidateNumber = parseAndValidateNumber;
+exports.parseFieldPath = parseFieldPath;
 exports.parseId = parseId;
 exports.percentage = percentage;
 exports.pick = pick;
@@ -25524,6 +26236,7 @@ exports.setCache = setCache;
 exports.setConfigWarnings = setConfigWarnings;
 exports.setDefaultApiClient = setDefaultApiClient;
 exports.setErrorHandlers = setErrorHandlers;
+exports.setFieldValue = setFieldValue;
 exports.setGlobalConfig = setGlobalConfig;
 exports.setupClientEvents = setupClientEvents;
 exports.setupRouteChangeCleanup = setupRouteChangeCleanup;
@@ -25561,6 +26274,7 @@ exports.toISOString = toISOString;
 exports.trackConfig = trackConfig;
 exports.trackNetworkOverride = trackNetworkOverride;
 exports.trackableSpread = trackableSpread;
+exports.transformFields = transformFields;
 exports.truncateJSON = truncateJSON;
 exports.unifiedStrategies = unifiedStrategies;
 exports.unregisterErrorHandlers = unregisterErrorHandlers;
@@ -25591,6 +26305,7 @@ exports.useSubscription = useSubscription;
 exports.useSubscriptionState = useSubscriptionState;
 exports.useUpdateCampaign = useUpdateCampaign;
 exports.validateConfigUpdate = validateConfigUpdate;
+exports.validateEncryptionConfig = validateEncryptionConfig;
 exports.validateHeaders = validateHeaders2;
 exports.validatePreset = validatePreset;
 exports.waitForOnline = waitForOnline;