@react-vault/core 0.1.0

package/dist/auth/idleTimer.js

@@ -0,0 +1,54 @@
+const DEFAULT_EVENTS = ['mousemove', 'keydown', 'touchstart', 'scroll', 'focus'];
+export class IdleTimer {
+    config;
+    timer = null;
+    isIdle = false;
+    handler;
+    events;
+    constructor(config) {
+        this.config = config;
+        this.events = config.events ?? DEFAULT_EVENTS;
+        this.handler = () => this.onActivity();
+    }
+    start() {
+        if (typeof window === 'undefined')
+            return;
+        for (const ev of this.events) {
+            window.addEventListener(ev, this.handler, { passive: true });
+        }
+        this.resetTimer();
+    }
+    stop() {
+        if (typeof window === 'undefined')
+            return;
+        for (const ev of this.events) {
+            window.removeEventListener(ev, this.handler);
+        }
+        if (this.timer)
+            clearTimeout(this.timer);
+        this.timer = null;
+    }
+    /**
+     * Manually report activity. Useful for events outside the default set
+     * (e.g. API success indicating server-side activity).
+     */
+    reportActivity() {
+        this.onActivity();
+    }
+    onActivity() {
+        if (this.isIdle) {
+            this.isIdle = false;
+            this.config.onResume?.();
+        }
+        this.resetTimer();
+    }
+    resetTimer() {
+        if (this.timer)
+            clearTimeout(this.timer);
+        this.timer = setTimeout(() => {
+            this.isIdle = true;
+            this.config.onIdle();
+        }, this.config.idleMs);
+    }
+}
+//# sourceMappingURL=idleTimer.js.map

package/dist/auth/idleTimer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idleTimer.js","sourceRoot":"","sources":["../../src/auth/idleTimer.ts"],"names":[],"mappings":"AAiBA,MAAM,cAAc,GAAG,CAAC,WAAW,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,CAAU,CAAC;AAE1F,MAAM,OAAO,SAAS;IAMS;IALrB,KAAK,GAAyC,IAAI,CAAC;IACnD,MAAM,GAAG,KAAK,CAAC;IACN,OAAO,CAAa;IACpB,MAAM,CAAoB;IAE3C,YAA6B,MAAuB;QAAvB,WAAM,GAAN,MAAM,CAAiB;QAClD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAC;QAC9C,IAAI,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;IACzC,CAAC;IAED,KAAK;QACH,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC7B,MAAM,CAAC,gBAAgB,CAAC,EAAE,EAAE,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAED,IAAI;QACF,IAAI,OAAO,MAAM,KAAK,WAAW;YAAE,OAAO;QAC1C,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC7B,MAAM,CAAC,mBAAmB,CAAC,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;IAED;;;OAGG;IACH,cAAc;QACZ,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAEO,UAAU;QAChB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAC3B,CAAC;QACD,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAEO,UAAU;QAChB,IAAI,IAAI,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC3B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzB,CAAC;CACF"}

package/dist/auth/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Auth — JWT token management with refresh race protection,
+ * idle timeout, and cross-tab logout sync.
+ */
+export * from './tokenManager.js';
+export * from './idleTimer.js';
+export * from './crossTabSync.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,cAAc,mBAAmB,CAAC;AAClC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,mBAAmB,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,8 @@
+/**
+ * Auth — JWT token management with refresh race protection,
+ * idle timeout, and cross-tab logout sync.
+ */
+export * from './tokenManager.js';
+export * from './idleTimer.js';
+export * from './crossTabSync.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,cAAc,mBAAmB,CAAC;AAClC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,mBAAmB,CAAC"}

package/dist/auth/tokenManager.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Token manager with refresh race protection.
+ *
+ * Key invariants:
+ *   - Tokens live in MEMORY, not localStorage (which is XSS-readable)
+ *   - One refresh in-flight at a time, others await it
+ *   - Refresh failure clears tokens and fires `onLoggedOut`
+ */
+export interface TokenPair {
+    accessToken: string;
+    refreshToken: string;
+    /** Unix ms when accessToken expires. Use to proactively refresh. */
+    accessExpiresAt: number;
+}
+export interface TokenManagerConfig {
+    /** Function that exchanges a refresh token for a new TokenPair. */
+    refresh: (refreshToken: string) => Promise<TokenPair>;
+    /** Called when tokens become unavailable (refresh failed). */
+    onLoggedOut?: () => void;
+    /** Proactively refresh when accessToken expires within this many ms. Default 30s. */
+    proactiveRefreshLeadMs?: number;
+}
+export declare class TokenManager {
+    private readonly config;
+    private tokens;
+    private refreshPromise;
+    constructor(config: TokenManagerConfig);
+    setTokens(pair: TokenPair): void;
+    clear(): void;
+    hasTokens(): boolean;
+    /**
+     * Get a valid access token. Triggers refresh if expired or near-expiry.
+     * Returns null if not logged in.
+     */
+    getAccessToken(): Promise<string | null>;
+    /**
+     * Synchronous access token getter for interceptor usage. May return an
+     * expired token if no refresh has been triggered yet; the 401 handler
+     * will catch and retry.
+     */
+    getAccessTokenSync(): string | null;
+    /**
+     * Force a refresh now. Subsequent calls share the same in-flight promise.
+     */
+    refreshOnce(): Promise<TokenPair | null>;
+}
+//# sourceMappingURL=tokenManager.d.ts.map

package/dist/auth/tokenManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenManager.d.ts","sourceRoot":"","sources":["../../src/auth/tokenManager.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,oEAAoE;IACpE,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,mEAAmE;IACnE,OAAO,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC;IACtD,8DAA8D;IAC9D,WAAW,CAAC,EAAE,MAAM,IAAI,CAAC;IACzB,qFAAqF;IACrF,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAED,qBAAa,YAAY;IAIX,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHnC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,cAAc,CAAmC;gBAE5B,MAAM,EAAE,kBAAkB;IAEvD,SAAS,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAIhC,KAAK,IAAI,IAAI;IAKb,SAAS,IAAI,OAAO;IAIpB;;;OAGG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAU9C;;;;OAIG;IACH,kBAAkB,IAAI,MAAM,GAAG,IAAI;IAInC;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;CAoB/C"}

package/dist/auth/tokenManager.js

@@ -0,0 +1,75 @@
+/**
+ * Token manager with refresh race protection.
+ *
+ * Key invariants:
+ *   - Tokens live in MEMORY, not localStorage (which is XSS-readable)
+ *   - One refresh in-flight at a time, others await it
+ *   - Refresh failure clears tokens and fires `onLoggedOut`
+ */
+export class TokenManager {
+    config;
+    tokens = null;
+    refreshPromise = null;
+    constructor(config) {
+        this.config = config;
+    }
+    setTokens(pair) {
+        this.tokens = pair;
+    }
+    clear() {
+        this.tokens = null;
+        this.config.onLoggedOut?.();
+    }
+    hasTokens() {
+        return this.tokens !== null;
+    }
+    /**
+     * Get a valid access token. Triggers refresh if expired or near-expiry.
+     * Returns null if not logged in.
+     */
+    async getAccessToken() {
+        if (!this.tokens)
+            return null;
+        const leadMs = this.config.proactiveRefreshLeadMs ?? 30_000;
+        if (this.tokens.accessExpiresAt - Date.now() <= leadMs) {
+            const refreshed = await this.refreshOnce();
+            return refreshed?.accessToken ?? null;
+        }
+        return this.tokens.accessToken;
+    }
+    /**
+     * Synchronous access token getter for interceptor usage. May return an
+     * expired token if no refresh has been triggered yet; the 401 handler
+     * will catch and retry.
+     */
+    getAccessTokenSync() {
+        return this.tokens?.accessToken ?? null;
+    }
+    /**
+     * Force a refresh now. Subsequent calls share the same in-flight promise.
+     */
+    async refreshOnce() {
+        if (this.refreshPromise) {
+            return this.refreshPromise.catch(() => null);
+        }
+        if (!this.tokens)
+            return null;
+        const refreshToken = this.tokens.refreshToken;
+        this.refreshPromise = (async () => {
+            try {
+                const fresh = await this.config.refresh(refreshToken);
+                this.tokens = fresh;
+                return fresh;
+            }
+            catch (err) {
+                this.clear();
+                throw err;
+            }
+            finally {
+                this.refreshPromise = null;
+            }
+        })();
+        return this.refreshPromise.catch(() => null);
+    }
+}
+//# sourceMappingURL=tokenManager.js.map

package/dist/auth/tokenManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenManager.js","sourceRoot":"","sources":["../../src/auth/tokenManager.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAkBH,MAAM,OAAO,YAAY;IAIM;IAHrB,MAAM,GAAqB,IAAI,CAAC;IAChC,cAAc,GAA8B,IAAI,CAAC;IAEzD,YAA6B,MAA0B;QAA1B,WAAM,GAAN,MAAM,CAAoB;IAAG,CAAC;IAE3D,SAAS,CAAC,IAAe;QACvB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACrB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;IAC9B,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,sBAAsB,IAAI,MAAM,CAAC;QAC5D,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,EAAE,CAAC;YACvD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;YAC3C,OAAO,SAAS,EAAE,WAAW,IAAI,IAAI,CAAC;QACxC,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;IACjC,CAAC;IAED;;;;OAIG;IACH,kBAAkB;QAChB,OAAO,IAAI,CAAC,MAAM,EAAE,WAAW,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;QAC9C,IAAI,CAAC,cAAc,GAAG,CAAC,KAAK,IAAI,EAAE;YAChC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;gBACtD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,OAAO,KAAK,CAAC;YACf,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,KAAK,EAAE,CAAC;gBACb,MAAM,GAAG,CAAC;YACZ,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;YAC7B,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QACL,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;CACF"}

package/dist/compliance/csp.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Generate a fresh nonce. Use once per page load, embed in CSP header AND
+ * `<script nonce="...">`, `<style nonce="...">`.
+ */
+export declare function generateCspNonce(): string;
+/**
+ * Build a recommended baseline CSP header value for BFSI apps.
+ * The caller can tighten further per their backend / CDN.
+ */
+export interface CspOptions {
+    nonce: string;
+    /** Allowed API origins, e.g. ['https://api.example.com']. */
+    connectSrc?: string[];
+    /** Allowed image origins. Default 'self' + 'data:'. */
+    imgSrc?: string[];
+    /** Where to send violation reports. */
+    reportUri?: string;
+}
+export declare function buildCsp(opts: CspOptions): string;
+//# sourceMappingURL=csp.d.ts.map

package/dist/compliance/csp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../src/compliance/csp.ts"],"names":[],"mappings":"AAMA;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,uCAAuC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CAoBjD"}

package/dist/compliance/csp.js

@@ -0,0 +1,34 @@
+/**
+ * CSP (Content Security Policy) helpers.
+ * Generates per-request nonces for inline scripts/styles where unavoidable.
+ */
+import { toBase64, randomBytes } from '../encryption/util.js';
+/**
+ * Generate a fresh nonce. Use once per page load, embed in CSP header AND
+ * `<script nonce="...">`, `<style nonce="...">`.
+ */
+export function generateCspNonce() {
+    return toBase64(randomBytes(16));
+}
+export function buildCsp(opts) {
+    const connectSrc = ["'self'", ...(opts.connectSrc ?? [])].join(' ');
+    const imgSrc = ["'self'", "data:", ...(opts.imgSrc ?? [])].join(' ');
+    const directives = [
+        `default-src 'self'`,
+        `script-src 'self' 'nonce-${opts.nonce}'`,
+        `style-src 'self' 'nonce-${opts.nonce}'`,
+        `img-src ${imgSrc}`,
+        `font-src 'self' data:`,
+        `connect-src ${connectSrc}`,
+        `object-src 'none'`,
+        `base-uri 'self'`,
+        `form-action 'self'`,
+        `frame-ancestors 'none'`,
+        `upgrade-insecure-requests`,
+    ];
+    if (opts.reportUri) {
+        directives.push(`report-uri ${opts.reportUri}`);
+    }
+    return directives.join('; ');
+}
+//# sourceMappingURL=csp.js.map

package/dist/compliance/csp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.js","sourceRoot":"","sources":["../../src/compliance/csp.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAE9D;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;AACnC,CAAC;AAgBD,MAAM,UAAU,QAAQ,CAAC,IAAgB;IACvC,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG;QACjB,oBAAoB;QACpB,4BAA4B,IAAI,CAAC,KAAK,GAAG;QACzC,2BAA2B,IAAI,CAAC,KAAK,GAAG;QACxC,WAAW,MAAM,EAAE;QACnB,uBAAuB;QACvB,eAAe,UAAU,EAAE;QAC3B,mBAAmB;QACnB,iBAAiB;QACjB,oBAAoB;QACpB,wBAAwB;QACxB,2BAA2B;KAC5B,CAAC;IACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC"}

package/dist/compliance/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Compliance helpers — CSP nonce, safe-error envelope, locale-aware utilities.
+ *
+ * v0.1: minimal scaffolding. Full implementation in a follow-up.
+ */
+export * from './csp.js';
+export * from './safeError.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/compliance/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/compliance/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC"}

package/dist/compliance/index.js

@@ -0,0 +1,8 @@
+/**
+ * Compliance helpers — CSP nonce, safe-error envelope, locale-aware utilities.
+ *
+ * v0.1: minimal scaffolding. Full implementation in a follow-up.
+ */
+export * from './csp.js';
+export * from './safeError.js';
+//# sourceMappingURL=index.js.map

package/dist/compliance/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/compliance/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC"}

package/dist/compliance/safeError.d.ts

@@ -0,0 +1,12 @@
+export interface SafeErrorView {
+    title: string;
+    description: string;
+    /** Short ref code to show user; correlate to log entry. */
+    ref: string;
+}
+/**
+ * Translate an ApiError into a user-safe view. Caller passes a `t()` function
+ * so messages can be i18n'd.
+ */
+export declare function toSafeView(err: unknown, t: (key: string, params?: Record<string, unknown>) => string): SafeErrorView;
+//# sourceMappingURL=safeError.d.ts.map

package/dist/compliance/safeError.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safeError.d.ts","sourceRoot":"","sources":["../../src/compliance/safeError.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,2DAA2D;IAC3D,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,MAAM,GAAG,aAAa,CAyBpH"}

package/dist/compliance/safeError.js

@@ -0,0 +1,39 @@
+/**
+ * Safe error envelope. Maps internal errors to user-facing messages.
+ * See packages/claude-toolkit/skills/bfsi-error-message/SKILL.md for rationale.
+ */
+import { generateErrorRef } from '../audit/auditClient.js';
+/**
+ * Translate an ApiError into a user-safe view. Caller passes a `t()` function
+ * so messages can be i18n'd.
+ */
+export function toSafeView(err, t) {
+    const ref = generateErrorRef();
+    if (isApiError(err)) {
+        switch (err.kind) {
+            case 'network':
+                return { title: t('errors.network.title'), description: t('errors.network.description'), ref };
+            case 'timeout':
+                return { title: t('errors.timeout.title'), description: t('errors.timeout.description'), ref };
+            case 'unauthorized':
+                return { title: t('errors.session_expired.title'), description: t('errors.session_expired.description'), ref };
+            case 'forbidden':
+                return { title: t('errors.forbidden.title'), description: t('errors.forbidden.description'), ref };
+            case 'not_found':
+                return { title: t('errors.not_found.title'), description: t('errors.not_found.description'), ref };
+            case 'validation':
+                return { title: t('errors.validation.title'), description: t('errors.validation.description'), ref };
+            case 'rate_limited':
+                return { title: t('errors.rate_limited.title'), description: t('errors.rate_limited.description'), ref };
+            case 'server_error':
+                return { title: t('errors.server.title'), description: t('errors.server.description', { ref }), ref };
+            default:
+                return { title: t('errors.generic.title'), description: t('errors.generic.description', { ref }), ref };
+        }
+    }
+    return { title: t('errors.generic.title'), description: t('errors.generic.description', { ref }), ref };
+}
+function isApiError(err) {
+    return !!err && typeof err === 'object' && err.name === 'ApiError';
+}
+//# sourceMappingURL=safeError.js.map

package/dist/compliance/safeError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safeError.js","sourceRoot":"","sources":["../../src/compliance/safeError.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAU3D;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,GAAY,EAAE,CAA4D;IACnG,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAC/B,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACpB,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;YACjB,KAAK,SAAS;gBACZ,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,sBAAsB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,4BAA4B,CAAC,EAAE,GAAG,EAAE,CAAC;YACjG,KAAK,SAAS;gBACZ,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,sBAAsB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,4BAA4B,CAAC,EAAE,GAAG,EAAE,CAAC;YACjG,KAAK,cAAc;gBACjB,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,8BAA8B,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,oCAAoC,CAAC,EAAE,GAAG,EAAE,CAAC;YACjH,KAAK,WAAW;gBACd,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,wBAAwB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,8BAA8B,CAAC,EAAE,GAAG,EAAE,CAAC;YACrG,KAAK,WAAW;gBACd,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,wBAAwB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,8BAA8B,CAAC,EAAE,GAAG,EAAE,CAAC;YACrG,KAAK,YAAY;gBACf,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,yBAAyB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,+BAA+B,CAAC,EAAE,GAAG,EAAE,CAAC;YACvG,KAAK,cAAc;gBACjB,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,2BAA2B,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,iCAAiC,CAAC,EAAE,GAAG,EAAE,CAAC;YAC3G,KAAK,cAAc;gBACjB,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,qBAAqB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,2BAA2B,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;YACxG;gBACE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,sBAAsB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,4BAA4B,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;QAC5G,CAAC;IACH,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,sBAAsB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,4BAA4B,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;AAC1G,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC9B,OAAO,CAAC,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAK,GAAyB,CAAC,IAAI,KAAK,UAAU,CAAC;AAC5F,CAAC"}

package/dist/encryption/aesgcm.d.ts

@@ -0,0 +1,22 @@
+export type AesGcmKey = CryptoKey;
+export declare function generateKey(): Promise<AesGcmKey>;
+/**
+ * Import a raw 32-byte key. Use when you've derived a key (e.g. from PBKDF2)
+ * or received one securely from the backend.
+ */
+export declare function importRawKey(rawBytes: Uint8Array): Promise<AesGcmKey>;
+export declare function exportRawKey(key: AesGcmKey): Promise<Uint8Array>;
+/**
+ * Encrypt a string. Returns base64( IV || ciphertext+tag ).
+ */
+export declare function encrypt(key: AesGcmKey, plaintext: string): Promise<string>;
+/**
+ * Decrypt a base64 string produced by `encrypt`. Throws on tamper.
+ */
+export declare function decrypt(key: AesGcmKey, blob: string): Promise<string>;
+/**
+ * Encrypt arbitrary bytes (e.g. another key, file content).
+ */
+export declare function encryptBytes(key: AesGcmKey, plaintext: Uint8Array): Promise<string>;
+export declare function decryptBytes(key: AesGcmKey, blob: string): Promise<Uint8Array>;
+//# sourceMappingURL=aesgcm.d.ts.map

package/dist/encryption/aesgcm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aesgcm.d.ts","sourceRoot":"","sources":["../../src/encryption/aesgcm.ts"],"names":[],"mappings":"AAcA,MAAM,MAAM,SAAS,GAAG,SAAS,CAAC;AAElC,wBAAsB,WAAW,IAAI,OAAO,CAAC,SAAS,CAAC,CAEtD;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAK3E;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAEtE;AAED;;GAEG;AACH,wBAAsB,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAMhF;AAED;;GAEG;AACH,wBAAsB,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAW3E;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,GAAG,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAMzF;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAQpF"}

package/dist/encryption/aesgcm.js

@@ -0,0 +1,67 @@
+/**
+ * AES-GCM 256 symmetric encryption.
+ *
+ * Output format: base64( IV || ciphertext || authTag )
+ * IV is 12 bytes (96 bits, GCM standard).
+ * AuthTag is appended by Web Crypto (16 bytes).
+ *
+ * Decryption verifies the authTag — tampering produces a thrown error.
+ */
+import { toBase64, fromBase64, toBytes, fromBytes, randomBytes, concatBytes } from './util.js';
+const ALGO = { name: 'AES-GCM', length: 256 };
+const IV_LENGTH = 12;
+export async function generateKey() {
+    return crypto.subtle.generateKey(ALGO, true, ['encrypt', 'decrypt']);
+}
+/**
+ * Import a raw 32-byte key. Use when you've derived a key (e.g. from PBKDF2)
+ * or received one securely from the backend.
+ */
+export async function importRawKey(rawBytes) {
+    if (rawBytes.length !== 32) {
+        throw new Error(`AES-GCM 256 requires 32 bytes, got ${rawBytes.length}`);
+    }
+    return crypto.subtle.importKey('raw', rawBytes, ALGO, true, ['encrypt', 'decrypt']);
+}
+export async function exportRawKey(key) {
+    return new Uint8Array(await crypto.subtle.exportKey('raw', key));
+}
+/**
+ * Encrypt a string. Returns base64( IV || ciphertext+tag ).
+ */
+export async function encrypt(key, plaintext) {
+    const iv = randomBytes(IV_LENGTH);
+    const ciphertext = new Uint8Array(await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, toBytes(plaintext)));
+    return toBase64(concatBytes(iv, ciphertext));
+}
+/**
+ * Decrypt a base64 string produced by `encrypt`. Throws on tamper.
+ */
+export async function decrypt(key, blob) {
+    const bytes = fromBase64(blob);
+    if (bytes.length < IV_LENGTH + 16) {
+        throw new Error('ciphertext too short');
+    }
+    const iv = bytes.slice(0, IV_LENGTH);
+    const ciphertext = bytes.slice(IV_LENGTH);
+    const plaintext = new Uint8Array(await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext));
+    return fromBytes(plaintext);
+}
+/**
+ * Encrypt arbitrary bytes (e.g. another key, file content).
+ */
+export async function encryptBytes(key, plaintext) {
+    const iv = randomBytes(IV_LENGTH);
+    const ciphertext = new Uint8Array(await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
+    return toBase64(concatBytes(iv, ciphertext));
+}
+export async function decryptBytes(key, blob) {
+    const bytes = fromBase64(blob);
+    if (bytes.length < IV_LENGTH + 16) {
+        throw new Error('ciphertext too short');
+    }
+    const iv = bytes.slice(0, IV_LENGTH);
+    const ciphertext = bytes.slice(IV_LENGTH);
+    return new Uint8Array(await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext));
+}
+//# sourceMappingURL=aesgcm.js.map

package/dist/encryption/aesgcm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aesgcm.js","sourceRoot":"","sources":["../../src/encryption/aesgcm.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAE/F,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,SAAkB,EAAE,MAAM,EAAE,GAAY,EAAE,CAAC;AAChE,MAAM,SAAS,GAAG,EAAE,CAAC;AAIrB,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AACvE,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAoB;IACrD,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,sCAAsC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AACtF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAc;IAC/C,OAAO,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,GAAc,EAAE,SAAiB;IAC7D,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,UAAU,GAAG,IAAI,UAAU,CAC/B,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAC9E,CAAC;IACF,OAAO,QAAQ,CAAC,WAAW,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,GAAc,EAAE,IAAY;IACxD,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,GAAG,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACrC,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,UAAU,CAC9B,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,UAAU,CAAC,CACtE,CAAC;IACF,OAAO,SAAS,CAAC,SAAS,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAc,EAAE,SAAqB;IACtE,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,UAAU,GAAG,IAAI,UAAU,CAC/B,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CACrE,CAAC;IACF,OAAO,QAAQ,CAAC,WAAW,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAc,EAAE,IAAY;IAC7D,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,GAAG,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACrC,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1C,OAAO,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC;AAC/F,CAAC"}

package/dist/encryption/envelope.d.ts

@@ -0,0 +1,30 @@
+import type { RsaPublicKey, RsaPrivateKey } from './rsaoaep.js';
+export interface EnvelopeCiphertext {
+    /** AES-GCM ciphertext of the data, base64. */
+    ciphertext: string;
+    /** RSA-OAEP-encrypted DEK, base64. */
+    encryptedDek: string;
+}
+/**
+ * Encrypt plaintext with envelope encryption.
+ *
+ * Flow:
+ *   1. Generate a fresh AES-GCM key (the DEK)
+ *   2. Encrypt the plaintext with the DEK
+ *   3. Export the DEK as raw bytes
+ *   4. Encrypt the DEK bytes with the master RSA public key (the KEK)
+ *   5. Return both ciphertexts; throw away the DEK
+ */
+export declare function encrypt(masterPublicKey: RsaPublicKey, plaintext: string): Promise<EnvelopeCiphertext>;
+/**
+ * Decrypt envelope ciphertext. Requires the master private key.
+ * In production, this typically happens on the backend (HSM); the client
+ * gets either the decrypted plaintext or a temporarily-issued DEK.
+ */
+export declare function decrypt(masterPrivateKey: RsaPrivateKey, envelope: EnvelopeCiphertext): Promise<string>;
+/**
+ * Decrypt with a pre-unwrapped DEK (when the backend has unwrapped the DEK
+ * and given it to the client to do bulk decryption locally).
+ */
+export declare function decryptWithDek(dekBytes: Uint8Array, ciphertext: string): Promise<string>;
+//# sourceMappingURL=envelope.d.ts.map

package/dist/encryption/envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../../src/encryption/envelope.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAEhE,MAAM,WAAW,kBAAkB;IACjC,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;GASG;AACH,wBAAsB,OAAO,CAC3B,eAAe,EAAE,YAAY,EAC7B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,kBAAkB,CAAC,CAM7B;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAC3B,gBAAgB,EAAE,aAAa,EAC/B,QAAQ,EAAE,kBAAkB,GAC3B,OAAO,CAAC,MAAM,CAAC,CAIjB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,UAAU,EACpB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAGjB"}

package/dist/encryption/envelope.js

@@ -0,0 +1,46 @@
+/**
+ * Envelope encryption: encrypt data with a per-record DEK, then encrypt
+ * the DEK with a master KEK (RSA-OAEP). This is the BFSI-standard pattern
+ * because:
+ *   - Rotating the KEK only requires re-encrypting tiny DEKs, not large data
+ *   - Each record has its own data key — compromise of one doesn't expose others
+ *   - The master private KEK never leaves the HSM/KMS on the backend
+ */
+import * as aesgcm from './aesgcm.js';
+import * as rsaoaep from './rsaoaep.js';
+/**
+ * Encrypt plaintext with envelope encryption.
+ *
+ * Flow:
+ *   1. Generate a fresh AES-GCM key (the DEK)
+ *   2. Encrypt the plaintext with the DEK
+ *   3. Export the DEK as raw bytes
+ *   4. Encrypt the DEK bytes with the master RSA public key (the KEK)
+ *   5. Return both ciphertexts; throw away the DEK
+ */
+export async function encrypt(masterPublicKey, plaintext) {
+    const dek = await aesgcm.generateKey();
+    const ciphertext = await aesgcm.encrypt(dek, plaintext);
+    const dekBytes = await aesgcm.exportRawKey(dek);
+    const encryptedDek = await rsaoaep.encrypt(masterPublicKey, dekBytes);
+    return { ciphertext, encryptedDek };
+}
+/**
+ * Decrypt envelope ciphertext. Requires the master private key.
+ * In production, this typically happens on the backend (HSM); the client
+ * gets either the decrypted plaintext or a temporarily-issued DEK.
+ */
+export async function decrypt(masterPrivateKey, envelope) {
+    const dekBytes = await rsaoaep.decrypt(masterPrivateKey, envelope.encryptedDek);
+    const dek = await aesgcm.importRawKey(dekBytes);
+    return aesgcm.decrypt(dek, envelope.ciphertext);
+}
+/**
+ * Decrypt with a pre-unwrapped DEK (when the backend has unwrapped the DEK
+ * and given it to the client to do bulk decryption locally).
+ */
+export async function decryptWithDek(dekBytes, ciphertext) {
+    const dek = await aesgcm.importRawKey(dekBytes);
+    return aesgcm.decrypt(dek, ciphertext);
+}
+//# sourceMappingURL=envelope.js.map

package/dist/encryption/envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.js","sourceRoot":"","sources":["../../src/encryption/envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,OAAO,MAAM,cAAc,CAAC;AAUxC;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,eAA6B,EAC7B,SAAiB;IAEjB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;IACvC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IACtE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;AACtC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,gBAA+B,EAC/B,QAA4B;IAE5B,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,gBAAgB,EAAE,QAAQ,CAAC,YAAY,CAAC,CAAC;IAChF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAChD,OAAO,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAAoB,EACpB,UAAkB;IAElB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAChD,OAAO,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;AACzC,CAAC"}

package/dist/encryption/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Encryption module — Web Crypto wrappers for AES-GCM, RSA-OAEP, PBKDF2.
+ *
+ * Always use these wrappers rather than calling `crypto.subtle` directly.
+ * They handle IV/nonce generation, framing, and base64 transport correctly.
+ *
+ * Anti-patterns to avoid (see references/bfsi-encrypt-helper):
+ *   - Math.random() for IVs / keys
+ *   - Reusing IVs across messages
+ *   - AES-ECB
+ *   - md5 / sha1 for security
+ *   - btoa() / XOR / custom "scrambling" as encryption
+ */
+export * as aesgcm from './aesgcm.js';
+export * as rsaoaep from './rsaoaep.js';
+export * as pbkdf2 from './pbkdf2.js';
+export * as envelope from './envelope.js';
+export * from './util.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/encryption/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/encryption/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,OAAO,MAAM,cAAc,CAAC;AACxC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAC;AAC1C,cAAc,WAAW,CAAC"}

package/dist/encryption/index.js

@@ -0,0 +1,19 @@
+/**
+ * Encryption module — Web Crypto wrappers for AES-GCM, RSA-OAEP, PBKDF2.
+ *
+ * Always use these wrappers rather than calling `crypto.subtle` directly.
+ * They handle IV/nonce generation, framing, and base64 transport correctly.
+ *
+ * Anti-patterns to avoid (see references/bfsi-encrypt-helper):
+ *   - Math.random() for IVs / keys
+ *   - Reusing IVs across messages
+ *   - AES-ECB
+ *   - md5 / sha1 for security
+ *   - btoa() / XOR / custom "scrambling" as encryption
+ */
+export * as aesgcm from './aesgcm.js';
+export * as rsaoaep from './rsaoaep.js';
+export * as pbkdf2 from './pbkdf2.js';
+export * as envelope from './envelope.js';
+export * from './util.js';
+//# sourceMappingURL=index.js.map

package/dist/encryption/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/encryption/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,OAAO,MAAM,cAAc,CAAC;AACxC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAC;AAC1C,cAAc,WAAW,CAAC"}

package/dist/encryption/pbkdf2.d.ts

@@ -0,0 +1,21 @@
+export interface DeriveKeyOptions {
+    iterations?: number;
+    /** Output length in bits. Default 256 (32 bytes). */
+    outputLengthBits?: number;
+    /** Algorithm key will be used for. Default AES-GCM 256. */
+    algorithm?: 'AES-GCM' | 'HMAC';
+}
+/**
+ * Derive an AES-GCM key from a password and salt.
+ * Salt must be stored alongside the ciphertext (it's not secret, but it's per-record).
+ */
+export declare function deriveKey(password: string, salt: Uint8Array, opts?: DeriveKeyOptions): Promise<CryptoKey>;
+/**
+ * Derive raw bytes (not a CryptoKey) — useful when you need to interoperate
+ * with code expecting a raw byte string.
+ */
+export declare function deriveBytes(password: string, salt: Uint8Array, opts?: {
+    iterations?: number;
+    outputLengthBits?: number;
+}): Promise<Uint8Array>;
+//# sourceMappingURL=pbkdf2.d.ts.map

package/dist/encryption/pbkdf2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pbkdf2.d.ts","sourceRoot":"","sources":["../../src/encryption/pbkdf2.ts"],"names":[],"mappings":"AAYA,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,SAAS,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CAChC;AAED;;;GAGG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,SAAS,CAAC,CA4BpB;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,IAAI,GAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAO,GAC5D,OAAO,CAAC,UAAU,CAAC,CA2BrB"}