@raytio/core 11.5.0 → 11.7.0

package/dist/crypto/kdf/types.js

@@ -0,0 +1,50 @@
+"use strict";
+/* eslint-disable max-classes-per-file -- Error classes grouped in types module */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_ARGON2ID_PARAMS = exports.UnknownKdfAlgorithmError = exports.LocalSecretRequiredError = void 0;
+exports.isPbkdf2Config = isPbkdf2Config;
+exports.isArgon2idConfig = isArgon2idConfig;
+/**
+ * Error thrown when LocalSecret is required but not provided
+ */
+// eslint-disable-next-line fp/no-class -- Custom error class for specific error handling
+class LocalSecretRequiredError extends Error {
+    constructor(message = "This account requires a Local Secret for decryption") {
+        super(message);
+        // eslint-disable-next-line fp/no-this, fp/no-mutation -- Required for Error subclassing
+        this.name = "LocalSecretRequiredError";
+    }
+}
+exports.LocalSecretRequiredError = LocalSecretRequiredError;
+/**
+ * Error thrown when KDF algorithm is unknown
+ */
+// eslint-disable-next-line fp/no-class -- Custom error class for specific error handling
+class UnknownKdfAlgorithmError extends Error {
+    constructor(algorithm) {
+        super(`Unknown KDF algorithm: ${algorithm}`);
+        // eslint-disable-next-line fp/no-this, fp/no-mutation -- Required for Error subclassing
+        this.name = "UnknownKdfAlgorithmError";
+    }
+}
+exports.UnknownKdfAlgorithmError = UnknownKdfAlgorithmError;
+/**
+ * Default Argon2id parameters (matching Bitwarden recommendations)
+ */
+exports.DEFAULT_ARGON2ID_PARAMS = {
+    memory: 65536, // 64 MiB
+    iterations: 3,
+    parallelism: 4,
+};
+/**
+ * Type guard for PBKDF2 config
+ */
+function isPbkdf2Config(config) {
+    return config.algorithm_name === "PBKDF2";
+}
+/**
+ * Type guard for Argon2id config
+ */
+function isArgon2idConfig(config) {
+    return config.algorithm_name === "Argon2id";
+}

package/dist/crypto/kdf/utils.d.ts

@@ -0,0 +1,59 @@
+/**
+ * KDF Utility Functions
+ *
+ * Encoding, decoding, and cryptographic utilities for KDF operations.
+ * Issue #1649
+ */
+/**
+ * Convert a base64 string to Uint8Array
+ */
+export declare function base64ToUint8Array(base64: string): Uint8Array;
+/**
+ * Convert Uint8Array to base64 string
+ */
+export declare function uint8ArrayToBase64(bytes: Uint8Array): string;
+/**
+ * XOR two byte arrays of equal length
+ *
+ * Used for combining password-derived key with LocalSecret in 2SKD.
+ * This follows the 1Password approach of XOR combination.
+ *
+ * @param a - First byte array
+ * @param b - Second byte array
+ * @returns XOR result
+ * @throws Error if arrays are not the same length
+ */
+export declare function xorBytes(a: Uint8Array, b: Uint8Array): Uint8Array;
+/**
+ * Normalize password for key derivation
+ *
+ * Applies NFKD normalization and trims whitespace.
+ * This ensures consistent key derivation across platforms.
+ *
+ * @param password - Raw password input
+ * @returns Normalized password string
+ */
+export declare function normalizePassword(password: string): string;
+/**
+ * Generate cryptographically secure random bytes
+ *
+ * @param length - Number of bytes to generate
+ * @returns Random bytes
+ */
+export declare function generateRandomBytes(length: number): Uint8Array;
+/**
+ * Generate a random salt for key derivation
+ *
+ * @returns 16-byte random salt as base64 string
+ */
+export declare function generateSalt(): string;
+/**
+ * Constant-time comparison of two byte arrays
+ *
+ * Prevents timing attacks when comparing secrets.
+ *
+ * @param a - First byte array
+ * @param b - Second byte array
+ * @returns true if arrays are equal
+ */
+export declare function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean;

package/dist/crypto/kdf/utils.js

@@ -0,0 +1,110 @@
+"use strict";
+/* eslint-disable fp/no-mutation, no-plusplus, no-bitwise, @typescript-eslint/prefer-for-of -- Low-level byte manipulation utilities */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.base64ToUint8Array = base64ToUint8Array;
+exports.uint8ArrayToBase64 = uint8ArrayToBase64;
+exports.xorBytes = xorBytes;
+exports.normalizePassword = normalizePassword;
+exports.generateRandomBytes = generateRandomBytes;
+exports.generateSalt = generateSalt;
+exports.constantTimeEqual = constantTimeEqual;
+/**
+ * KDF Utility Functions
+ *
+ * Encoding, decoding, and cryptographic utilities for KDF operations.
+ * Issue #1649
+ */
+/**
+ * Convert a base64 string to Uint8Array
+ */
+function base64ToUint8Array(base64) {
+    const binaryString = atob(base64);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    return bytes;
+}
+/**
+ * Convert Uint8Array to base64 string
+ */
+function uint8ArrayToBase64(bytes) {
+    let binaryString = "";
+    for (let i = 0; i < bytes.length; i++) {
+        binaryString += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binaryString);
+}
+/**
+ * XOR two byte arrays of equal length
+ *
+ * Used for combining password-derived key with LocalSecret in 2SKD.
+ * This follows the 1Password approach of XOR combination.
+ *
+ * @param a - First byte array
+ * @param b - Second byte array
+ * @returns XOR result
+ * @throws Error if arrays are not the same length
+ */
+function xorBytes(a, b) {
+    if (a.length !== b.length) {
+        throw new Error(`XOR inputs must be same length (got ${a.length} and ${b.length})`);
+    }
+    const result = new Uint8Array(a.length);
+    for (let i = 0; i < a.length; i++) {
+        result[i] = a[i] ^ b[i];
+    }
+    return result;
+}
+/**
+ * Normalize password for key derivation
+ *
+ * Applies NFKD normalization and trims whitespace.
+ * This ensures consistent key derivation across platforms.
+ *
+ * @param password - Raw password input
+ * @returns Normalized password string
+ */
+function normalizePassword(password) {
+    // Trim leading/trailing whitespace
+    const trimmed = password.trim();
+    // Apply NFKD normalization for Unicode consistency
+    return trimmed.normalize("NFKD");
+}
+/**
+ * Generate cryptographically secure random bytes
+ *
+ * @param length - Number of bytes to generate
+ * @returns Random bytes
+ */
+function generateRandomBytes(length) {
+    return crypto.getRandomValues(new Uint8Array(length));
+}
+/**
+ * Generate a random salt for key derivation
+ *
+ * @returns 16-byte random salt as base64 string
+ */
+function generateSalt() {
+    const salt = generateRandomBytes(16);
+    return uint8ArrayToBase64(salt);
+}
+/**
+ * Constant-time comparison of two byte arrays
+ *
+ * Prevents timing attacks when comparing secrets.
+ *
+ * @param a - First byte array
+ * @param b - Second byte array
+ * @returns true if arrays are equal
+ */
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a[i] ^ b[i];
+    }
+    return result === 0;
+}

package/dist/crypto/localSecret/format.d.ts

@@ -0,0 +1,48 @@
+/**
+ * LocalSecret Formatter
+ *
+ * Formats LocalSecrets for human-readable display and parses them back.
+ * Uses an unambiguous character set (no 0, 1, I, O) for easy transcription.
+ *
+ * Format: A7K2M9-X4P8N3-B5J1L6-Q9W2R8-T3Y7U0-V6Z4C1-...
+ *
+ * Issue #1649
+ */
+import type { FormattedLocalSecret } from "./types";
+/**
+ * Format a LocalSecret for human-readable display
+ *
+ * @param secret - The 32-byte LocalSecret
+ * @returns Formatted LocalSecret with grouped characters
+ */
+export declare function formatLocalSecret(secret: Uint8Array): FormattedLocalSecret;
+/**
+ * Parse a formatted LocalSecret back to bytes
+ *
+ * Handles various input formats:
+ * - With dashes: A7K2M9-X4P8N3-...
+ * - Without dashes: A7K2M9X4P8N3...
+ * - With spaces: A7K2M9 X4P8N3 ...
+ * - Lowercase: a7k2m9-x4p8n3-...
+ *
+ * @param formatted - The formatted LocalSecret string
+ * @returns The 32-byte LocalSecret
+ */
+export declare function parseLocalSecret(formatted: string): Uint8Array;
+/**
+ * Validate a formatted LocalSecret string
+ *
+ * @param formatted - The formatted LocalSecret string
+ * @returns true if valid, false otherwise
+ */
+export declare function isValidFormattedLocalSecret(formatted: string): boolean;
+/**
+ * Mask a LocalSecret for partial display
+ *
+ * Shows only the first and last groups, masking the middle.
+ * Example: A7K2M9-******-******-******-******-V6Z4C1
+ *
+ * @param formatted - The formatted LocalSecret
+ * @returns Masked version for display
+ */
+export declare function maskLocalSecret(formatted: string): string;

package/dist/crypto/localSecret/format.js

@@ -0,0 +1,157 @@
+"use strict";
+/**
+ * LocalSecret Formatter
+ *
+ * Formats LocalSecrets for human-readable display and parses them back.
+ * Uses an unambiguous character set (no 0, 1, I, O) for easy transcription.
+ *
+ * Format: A7K2M9-X4P8N3-B5J1L6-Q9W2R8-T3Y7U0-V6Z4C1-...
+ *
+ * Issue #1649
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatLocalSecret = formatLocalSecret;
+exports.parseLocalSecret = parseLocalSecret;
+exports.isValidFormattedLocalSecret = isValidFormattedLocalSecret;
+exports.maskLocalSecret = maskLocalSecret;
+const types_1 = require("./types");
+/**
+ * Encode bytes to the LocalSecret character set
+ *
+ * Uses base32-like encoding with our custom character set.
+ * Note: This function uses mutation for performance in BigInt arithmetic.
+ */
+function encodeToCharset(bytes) {
+    const charset = types_1.LOCAL_SECRET_CHARSET;
+    const base = BigInt(charset.length); // 32
+    // Convert bytes to a big integer using reduce (functional approach)
+    const value = bytes.reduce(
+    // eslint-disable-next-line no-bitwise -- Required for byte-to-BigInt conversion
+    (acc, byte) => (acc << BigInt(8)) | BigInt(byte), BigInt(0));
+    // Convert to base-32 string using recursive approach
+    const toChars = (v, acc) => {
+        if (v <= BigInt(0))
+            return acc;
+        const remainder = Number(v % base);
+        return toChars(v / base, [charset[remainder], ...acc]);
+    };
+    const chars = toChars(value, []);
+    // Pad to consistent length (ceil(256 bits / 5 bits per char) = 52 chars)
+    const expectedLength = Math.ceil((types_1.LOCAL_SECRET_SIZE * 8) / 5);
+    const padding = Array.from({
+        length: Math.max(0, expectedLength - chars.length),
+    }).fill(charset[0]);
+    return [...padding, ...chars].join("");
+}
+/**
+ * Decode a string from the LocalSecret character set to bytes
+ * Note: This function uses mutation for performance in BigInt arithmetic.
+ */
+function decodeFromCharset(encoded) {
+    const charset = types_1.LOCAL_SECRET_CHARSET;
+    const base = BigInt(charset.length); // 32
+    // Convert string to big integer using reduce (functional approach)
+    const value = [...encoded.toUpperCase()].reduce((acc, char) => {
+        const index = charset.indexOf(char);
+        if (index === -1) {
+            throw new Error(`Invalid character in LocalSecret: ${char}`);
+        }
+        return acc * base + BigInt(index);
+    }, BigInt(0));
+    // Convert big integer to bytes using recursive approach
+    const toBytes = (v, count, acc) => {
+        if (count <= 0)
+            return acc;
+        /* eslint-disable no-bitwise -- Required for BigInt-to-byte conversion */
+        return toBytes(v >> BigInt(8), count - 1, [
+            Number(v & BigInt(0xff)),
+            ...acc,
+        ]);
+        /* eslint-enable no-bitwise */
+    };
+    return new Uint8Array(toBytes(value, types_1.LOCAL_SECRET_SIZE, []));
+}
+/**
+ * Format a LocalSecret for human-readable display
+ *
+ * @param secret - The 32-byte LocalSecret
+ * @returns Formatted LocalSecret with grouped characters
+ */
+function formatLocalSecret(secret) {
+    if (secret.length !== types_1.LOCAL_SECRET_SIZE) {
+        throw new Error(`LocalSecret must be ${types_1.LOCAL_SECRET_SIZE} bytes (got ${secret.length})`);
+    }
+    const encoded = encodeToCharset(secret);
+    // Split into groups using functional approach
+    const numGroups = Math.ceil(encoded.length / types_1.LOCAL_SECRET_GROUP_SIZE);
+    const groups = Array.from({ length: numGroups }, (_, i) => encoded.slice(i * types_1.LOCAL_SECRET_GROUP_SIZE, (i + 1) * types_1.LOCAL_SECRET_GROUP_SIZE));
+    return {
+        formatted: groups.join("-"),
+        groups,
+    };
+}
+/**
+ * Parse a formatted LocalSecret back to bytes
+ *
+ * Handles various input formats:
+ * - With dashes: A7K2M9-X4P8N3-...
+ * - Without dashes: A7K2M9X4P8N3...
+ * - With spaces: A7K2M9 X4P8N3 ...
+ * - Lowercase: a7k2m9-x4p8n3-...
+ *
+ * @param formatted - The formatted LocalSecret string
+ * @returns The 32-byte LocalSecret
+ */
+function parseLocalSecret(formatted) {
+    // Remove dashes, spaces, and convert to uppercase
+    const cleaned = formatted.replace(/[-\s]/g, "").toUpperCase();
+    // Validate characters
+    for (const char of cleaned) {
+        if (!types_1.LOCAL_SECRET_CHARSET.includes(char)) {
+            throw new Error(`Invalid character in LocalSecret: ${char}`);
+        }
+    }
+    // Expected length after encoding
+    const expectedLength = Math.ceil((types_1.LOCAL_SECRET_SIZE * 8) / 5);
+    if (cleaned.length !== expectedLength) {
+        throw new Error(`Invalid LocalSecret length: expected ${expectedLength} characters, got ${cleaned.length}`);
+    }
+    return decodeFromCharset(cleaned);
+}
+/**
+ * Validate a formatted LocalSecret string
+ *
+ * @param formatted - The formatted LocalSecret string
+ * @returns true if valid, false otherwise
+ */
+function isValidFormattedLocalSecret(formatted) {
+    try {
+        parseLocalSecret(formatted);
+        return true;
+    }
+    catch (_a) {
+        return false;
+    }
+}
+/**
+ * Mask a LocalSecret for partial display
+ *
+ * Shows only the first and last groups, masking the middle.
+ * Example: A7K2M9-******-******-******-******-V6Z4C1
+ *
+ * @param formatted - The formatted LocalSecret
+ * @returns Masked version for display
+ */
+function maskLocalSecret(formatted) {
+    const groups = formatted.split("-");
+    if (groups.length <= 2) {
+        return formatted;
+    }
+    const masked = groups.map((group, index) => {
+        if (index === 0 || index === groups.length - 1) {
+            return group;
+        }
+        return "*".repeat(group.length);
+    });
+    return masked.join("-");
+}

package/dist/crypto/localSecret/generator.d.ts

@@ -0,0 +1,23 @@
+/**
+ * LocalSecret Generator
+ *
+ * Generates cryptographically secure LocalSecrets.
+ * Issue #1649
+ */
+/**
+ * Generate a new LocalSecret
+ *
+ * Uses the Web Crypto API's getRandomValues for cryptographically
+ * secure random number generation.
+ *
+ * @returns 32-byte (256-bit) random LocalSecret
+ */
+export declare function generateLocalSecret(): Uint8Array;
+/**
+ * Generate a unique device ID
+ *
+ * Used to identify devices for LocalSecret management.
+ *
+ * @returns UUID v4 string
+ */
+export declare function generateDeviceId(): string;

package/dist/crypto/localSecret/generator.js

@@ -0,0 +1,53 @@
+"use strict";
+/**
+ * LocalSecret Generator
+ *
+ * Generates cryptographically secure LocalSecrets.
+ * Issue #1649
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateLocalSecret = generateLocalSecret;
+exports.generateDeviceId = generateDeviceId;
+const types_1 = require("./types");
+/**
+ * Generate a new LocalSecret
+ *
+ * Uses the Web Crypto API's getRandomValues for cryptographically
+ * secure random number generation.
+ *
+ * @returns 32-byte (256-bit) random LocalSecret
+ */
+function generateLocalSecret() {
+    return crypto.getRandomValues(new Uint8Array(types_1.LOCAL_SECRET_SIZE));
+}
+/**
+ * Generate a unique device ID
+ *
+ * Used to identify devices for LocalSecret management.
+ *
+ * @returns UUID v4 string
+ */
+function generateDeviceId() {
+    // Use crypto.randomUUID if available (modern browsers)
+    if (typeof crypto.randomUUID === "function") {
+        return crypto.randomUUID();
+    }
+    // Fallback for older browsers
+    const bytes = crypto.getRandomValues(new Uint8Array(16));
+    // Set version (4) and variant (8, 9, A, or B)
+    // eslint-disable-next-line no-bitwise, fp/no-mutation -- UUID v4 specification requires bitwise operations
+    bytes[6] = (bytes[6] & 0x0f) | 0x40;
+    // eslint-disable-next-line no-bitwise, fp/no-mutation -- UUID v4 specification requires bitwise operations
+    bytes[8] = (bytes[8] & 0x3f) | 0x80;
+    // Convert to hex string with dashes
+    const hex = Array.from(bytes)
+        .map(b => b.toString(16).padStart(2, "0"))
+        .join("");
+    return [
+        hex.slice(0, 8),
+        hex.slice(8, 12),
+        hex.slice(12, 16),
+        hex.slice(16, 20),
+        hex.slice(20, 32),
+    ].join("-");
+}

package/dist/crypto/localSecret/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * LocalSecret Module
+ *
+ * Provides generation, formatting, storage, and management of
+ * device-bound LocalSecrets for Two-Secret Key Derivation (2SKD).
+ *
+ * Issue #1649
+ */
+export * from "./types";
+export { generateLocalSecret, generateDeviceId } from "./generator";
+export { formatLocalSecret, parseLocalSecret, isValidFormattedLocalSecret, maskLocalSecret, } from "./format";
+export { storeLocalSecret, getLocalSecret, deleteLocalSecret, hasLocalSecret, getLocalSecretRecord, getOrCreateDeviceId, createIndexedDBStorage, } from "./storage";

package/dist/crypto/localSecret/index.js

@@ -0,0 +1,46 @@
+"use strict";
+/**
+ * LocalSecret Module
+ *
+ * Provides generation, formatting, storage, and management of
+ * device-bound LocalSecrets for Two-Secret Key Derivation (2SKD).
+ *
+ * Issue #1649
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createIndexedDBStorage = exports.getOrCreateDeviceId = exports.getLocalSecretRecord = exports.hasLocalSecret = exports.deleteLocalSecret = exports.getLocalSecret = exports.storeLocalSecret = exports.maskLocalSecret = exports.isValidFormattedLocalSecret = exports.parseLocalSecret = exports.formatLocalSecret = exports.generateDeviceId = exports.generateLocalSecret = void 0;
+// Re-export types
+__exportStar(require("./types"), exports);
+// Re-export generator
+var generator_1 = require("./generator");
+Object.defineProperty(exports, "generateLocalSecret", { enumerable: true, get: function () { return generator_1.generateLocalSecret; } });
+Object.defineProperty(exports, "generateDeviceId", { enumerable: true, get: function () { return generator_1.generateDeviceId; } });
+// Re-export formatter
+var format_1 = require("./format");
+Object.defineProperty(exports, "formatLocalSecret", { enumerable: true, get: function () { return format_1.formatLocalSecret; } });
+Object.defineProperty(exports, "parseLocalSecret", { enumerable: true, get: function () { return format_1.parseLocalSecret; } });
+Object.defineProperty(exports, "isValidFormattedLocalSecret", { enumerable: true, get: function () { return format_1.isValidFormattedLocalSecret; } });
+Object.defineProperty(exports, "maskLocalSecret", { enumerable: true, get: function () { return format_1.maskLocalSecret; } });
+// Re-export storage
+var storage_1 = require("./storage");
+Object.defineProperty(exports, "storeLocalSecret", { enumerable: true, get: function () { return storage_1.storeLocalSecret; } });
+Object.defineProperty(exports, "getLocalSecret", { enumerable: true, get: function () { return storage_1.getLocalSecret; } });
+Object.defineProperty(exports, "deleteLocalSecret", { enumerable: true, get: function () { return storage_1.deleteLocalSecret; } });
+Object.defineProperty(exports, "hasLocalSecret", { enumerable: true, get: function () { return storage_1.hasLocalSecret; } });
+Object.defineProperty(exports, "getLocalSecretRecord", { enumerable: true, get: function () { return storage_1.getLocalSecretRecord; } });
+Object.defineProperty(exports, "getOrCreateDeviceId", { enumerable: true, get: function () { return storage_1.getOrCreateDeviceId; } });
+Object.defineProperty(exports, "createIndexedDBStorage", { enumerable: true, get: function () { return storage_1.createIndexedDBStorage; } });

package/dist/crypto/localSecret/storage.d.ts

@@ -0,0 +1,53 @@
+/**
+ * LocalSecret Storage
+ *
+ * IndexedDB-based storage for LocalSecrets.
+ * The LocalSecret is stored locally on the device and never sent to servers.
+ *
+ * Issue #1649
+ */
+import type { LocalSecretStorage, StoredLocalSecret } from "./types";
+/**
+ * Get or create a unique device ID
+ *
+ * The device ID is stored in localStorage for persistence.
+ */
+export declare function getOrCreateDeviceId(): Promise<string>;
+/**
+ * Store a LocalSecret in IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ * @param secret - The 32-byte LocalSecret
+ */
+export declare function storeLocalSecret(userId: string, secret: Uint8Array): Promise<void>;
+/**
+ * Retrieve a LocalSecret from IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ * @returns The LocalSecret or null if not found
+ */
+export declare function getLocalSecret(userId: string): Promise<Uint8Array | null>;
+/**
+ * Delete a LocalSecret from IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ */
+export declare function deleteLocalSecret(userId: string): Promise<void>;
+/**
+ * Check if a LocalSecret exists for a user
+ *
+ * @param userId - User's Cognito sub
+ * @returns true if a LocalSecret exists
+ */
+export declare function hasLocalSecret(userId: string): Promise<boolean>;
+/**
+ * Get the stored LocalSecret record (including metadata)
+ *
+ * @param userId - User's Cognito sub
+ * @returns The full storage record or null
+ */
+export declare function getLocalSecretRecord(userId: string): Promise<StoredLocalSecret | null>;
+/**
+ * Create a LocalSecretStorage implementation using IndexedDB
+ */
+export declare function createIndexedDBStorage(): LocalSecretStorage;