@react-vault/core 0.1.0

package/dist/encryption/pbkdf2.js

@@ -0,0 +1,48 @@
+/**
+ * PBKDF2-SHA256 key derivation from passwords.
+ *
+ * Use for: deriving an encryption key from a user-supplied passphrase.
+ * Do NOT use for: server-side password storage (use bcrypt/argon2 on backend).
+ *
+ * Iteration count: 600,000 per OWASP 2025 recommendation for PBKDF2-SHA256.
+ */
+import { toBytes } from './util.js';
+const DEFAULT_ITERATIONS = 600_000;
+/**
+ * Derive an AES-GCM key from a password and salt.
+ * Salt must be stored alongside the ciphertext (it's not secret, but it's per-record).
+ */
+export async function deriveKey(password, salt, opts = {}) {
+    if (salt.length < 16) {
+        throw new Error(`salt must be >= 16 bytes, got ${salt.length}`);
+    }
+    const iterations = opts.iterations ?? DEFAULT_ITERATIONS;
+    const outputBits = opts.outputLengthBits ?? 256;
+    const algorithm = opts.algorithm ?? 'AES-GCM';
+    const passwordKey = await crypto.subtle.importKey('raw', toBytes(password), { name: 'PBKDF2' }, false, ['deriveKey']);
+    return crypto.subtle.deriveKey({
+        name: 'PBKDF2',
+        hash: 'SHA-256',
+        salt,
+        iterations,
+    }, passwordKey, { name: algorithm, length: outputBits }, true, algorithm === 'AES-GCM' ? ['encrypt', 'decrypt'] : ['sign', 'verify']);
+}
+/**
+ * Derive raw bytes (not a CryptoKey) — useful when you need to interoperate
+ * with code expecting a raw byte string.
+ */
+export async function deriveBytes(password, salt, opts = {}) {
+    if (salt.length < 16) {
+        throw new Error(`salt must be >= 16 bytes, got ${salt.length}`);
+    }
+    const iterations = opts.iterations ?? DEFAULT_ITERATIONS;
+    const outputBits = opts.outputLengthBits ?? 256;
+    const passwordKey = await crypto.subtle.importKey('raw', toBytes(password), { name: 'PBKDF2' }, false, ['deriveBits']);
+    return new Uint8Array(await crypto.subtle.deriveBits({
+        name: 'PBKDF2',
+        hash: 'SHA-256',
+        salt,
+        iterations,
+    }, passwordKey, outputBits));
+}
+//# sourceMappingURL=pbkdf2.js.map

package/dist/encryption/pbkdf2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pbkdf2.js","sourceRoot":"","sources":["../../src/encryption/pbkdf2.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,MAAM,kBAAkB,GAAG,OAAO,CAAC;AAUnC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,IAAgB,EAChB,OAAyB,EAAE;IAE3B,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,kBAAkB,CAAC;IACzD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,IAAI,GAAG,CAAC;IAChD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC;IAE9C,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC/C,KAAK,EACL,OAAO,CAAC,QAAQ,CAAC,EACjB,EAAE,IAAI,EAAE,QAAQ,EAAE,EAClB,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;IAEF,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B;QACE,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,SAAS;QACf,IAAI;QACJ,UAAU;KACX,EACD,WAAW,EACX,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,EACvC,IAAI,EACJ,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CACtE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAgB,EAChB,IAAgB,EAChB,OAA2D,EAAE;IAE7D,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,kBAAkB,CAAC;IACzD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,IAAI,GAAG,CAAC;IAEhD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC/C,KAAK,EACL,OAAO,CAAC,QAAQ,CAAC,EACjB,EAAE,IAAI,EAAE,QAAQ,EAAE,EAClB,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IAEF,OAAO,IAAI,UAAU,CACnB,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5B;QACE,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,SAAS;QACf,IAAI;QACJ,UAAU;KACX,EACD,WAAW,EACX,UAAU,CACX,CACF,CAAC;AACJ,CAAC"}

package/dist/encryption/rsaoaep.d.ts

@@ -0,0 +1,21 @@
+export type RsaPublicKey = CryptoKey;
+export type RsaPrivateKey = CryptoKey;
+export declare function generateKeyPair(modulusBits?: 2048 | 3072 | 4096): Promise<{
+    publicKey: RsaPublicKey;
+    privateKey: RsaPrivateKey;
+}>;
+/**
+ * Import a public key from SPKI (DER, base64) — common backend format.
+ */
+export declare function importPublicKey(spkiBase64: string): Promise<RsaPublicKey>;
+/**
+ * Import a public key from PEM format (`-----BEGIN PUBLIC KEY-----...`).
+ */
+export declare function importPublicKeyPem(pem: string): Promise<RsaPublicKey>;
+/**
+ * Encrypt a small payload (e.g. an AES key — 32 bytes). For 2048-bit RSA-OAEP-SHA256,
+ * max plaintext is 190 bytes. Don't try to bulk-encrypt with this.
+ */
+export declare function encrypt(pub: RsaPublicKey, bytes: Uint8Array): Promise<string>;
+export declare function decrypt(priv: RsaPrivateKey, blob: string): Promise<Uint8Array>;
+//# sourceMappingURL=rsaoaep.d.ts.map

package/dist/encryption/rsaoaep.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rsaoaep.d.ts","sourceRoot":"","sources":["../../src/encryption/rsaoaep.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,YAAY,GAAG,SAAS,CAAC;AACrC,MAAM,MAAM,aAAa,GAAG,SAAS,CAAC;AAEtC,wBAAsB,eAAe,CAAC,WAAW,GAAE,IAAI,GAAG,IAAI,GAAG,IAAW,GAAG,OAAO,CAAC;IACrF,SAAS,EAAE,YAAY,CAAC;IACxB,UAAU,EAAE,aAAa,CAAC;CAC3B,CAAC,CAYD;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAE/E;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAM3E;AAED;;;GAGG;AACH,wBAAsB,OAAO,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnF;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAEpF"}

package/dist/encryption/rsaoaep.js

@@ -0,0 +1,43 @@
+/**
+ * RSA-OAEP encryption (for key-wrapping, not bulk data).
+ * Use AES-GCM for the data; RSA-OAEP for the key.
+ */
+import { toBase64, fromBase64 } from './util.js';
+const ALGO = { name: 'RSA-OAEP', hash: 'SHA-256' };
+export async function generateKeyPair(modulusBits = 2048) {
+    const { publicKey, privateKey } = await crypto.subtle.generateKey({
+        name: 'RSA-OAEP',
+        modulusLength: modulusBits,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        hash: 'SHA-256',
+    }, true, ['encrypt', 'decrypt']);
+    return { publicKey, privateKey };
+}
+/**
+ * Import a public key from SPKI (DER, base64) — common backend format.
+ */
+export async function importPublicKey(spkiBase64) {
+    return crypto.subtle.importKey('spki', fromBase64(spkiBase64), ALGO, true, ['encrypt']);
+}
+/**
+ * Import a public key from PEM format (`-----BEGIN PUBLIC KEY-----...`).
+ */
+export async function importPublicKeyPem(pem) {
+    const body = pem
+        .replace(/-----BEGIN [^-]+-----/g, '')
+        .replace(/-----END [^-]+-----/g, '')
+        .replace(/\s+/g, '');
+    return importPublicKey(body);
+}
+/**
+ * Encrypt a small payload (e.g. an AES key — 32 bytes). For 2048-bit RSA-OAEP-SHA256,
+ * max plaintext is 190 bytes. Don't try to bulk-encrypt with this.
+ */
+export async function encrypt(pub, bytes) {
+    const ciphertext = new Uint8Array(await crypto.subtle.encrypt(ALGO, pub, bytes));
+    return toBase64(ciphertext);
+}
+export async function decrypt(priv, blob) {
+    return new Uint8Array(await crypto.subtle.decrypt(ALGO, priv, fromBase64(blob)));
+}
+//# sourceMappingURL=rsaoaep.js.map

package/dist/encryption/rsaoaep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rsaoaep.js","sourceRoot":"","sources":["../../src/encryption/rsaoaep.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEjD,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,UAAmB,EAAE,IAAI,EAAE,SAAkB,EAAE,CAAC;AAKrE,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,cAAkC,IAAI;IAI1E,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC/D;QACE,IAAI,EAAE,UAAU;QAChB,aAAa,EAAE,WAAW;QAC1B,cAAc,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QACzC,IAAI,EAAE,SAAS;KAChB,EACD,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;IACF,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,UAAkB;IACtD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;AAC1F,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,MAAM,IAAI,GAAG,GAAG;SACb,OAAO,CAAC,wBAAwB,EAAE,EAAE,CAAC;SACrC,OAAO,CAAC,sBAAsB,EAAE,EAAE,CAAC;SACnC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,GAAiB,EAAE,KAAiB;IAChE,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IACjF,OAAO,QAAQ,CAAC,UAAU,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAmB,EAAE,IAAY;IAC7D,OAAO,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACnF,CAAC"}

package/dist/encryption/util.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Encoding utilities. All ciphertext is transported as base64 strings.
+ */
+export declare function toBytes(text: string): Uint8Array;
+export declare function fromBytes(bytes: Uint8Array): string;
+export declare function toBase64(bytes: Uint8Array): string;
+export declare function fromBase64(b64: string): Uint8Array;
+/**
+ * Cryptographically secure random bytes.
+ * NEVER use Math.random() — see references/bfsi-encrypt-helper.
+ */
+export declare function randomBytes(n: number): Uint8Array;
+/**
+ * Concat byte arrays. Useful for IV-prefixed ciphertext.
+ */
+export declare function concatBytes(...arrays: Uint8Array[]): Uint8Array;
+//# sourceMappingURL=util.d.ts.map

package/dist/encryption/util.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../src/encryption/util.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,CAEhD;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAEnD;AAED,wBAAgB,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIlD;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAKlD;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAIjD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,CAS/D"}

package/dist/encryption/util.js

@@ -0,0 +1,47 @@
+/**
+ * Encoding utilities. All ciphertext is transported as base64 strings.
+ */
+const enc = new TextEncoder();
+const dec = new TextDecoder();
+export function toBytes(text) {
+    return enc.encode(text);
+}
+export function fromBytes(bytes) {
+    return dec.decode(bytes);
+}
+export function toBase64(bytes) {
+    let binary = '';
+    for (const b of bytes)
+        binary += String.fromCharCode(b);
+    return btoa(binary);
+}
+export function fromBase64(b64) {
+    const binary = atob(b64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    return bytes;
+}
+/**
+ * Cryptographically secure random bytes.
+ * NEVER use Math.random() — see references/bfsi-encrypt-helper.
+ */
+export function randomBytes(n) {
+    const buf = new Uint8Array(n);
+    crypto.getRandomValues(buf);
+    return buf;
+}
+/**
+ * Concat byte arrays. Useful for IV-prefixed ciphertext.
+ */
+export function concatBytes(...arrays) {
+    const total = arrays.reduce((sum, a) => sum + a.length, 0);
+    const out = new Uint8Array(total);
+    let offset = 0;
+    for (const a of arrays) {
+        out.set(a, offset);
+        offset += a.length;
+    }
+    return out;
+}
+//# sourceMappingURL=util.js.map

package/dist/encryption/util.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../../src/encryption/util.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAC9B,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,OAAO,CAAC,IAAY;IAClC,OAAO,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAiB;IACzC,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,KAAiB;IACxC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,CAAS;IACnC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAG,MAAoB;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC;IACrB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/http/createAxios.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Configurable axios factory. Apps create one (or more) instances by
+ * composing the interceptors they need.
+ *
+ * Auth model: tokens are set ONCE on the instance via {@link setAuthToken} at
+ * login time, not injected per-request. This is the rsense-react-org pattern
+ * — cheaper than reading from localStorage on every call. Call {@link clearAuthToken}
+ * on logout / 401.
+ */
+import { type AxiosInstance } from 'axios';
+export interface CreateAxiosOptions {
+    baseURL: string;
+    timeoutMs?: number;
+    /** Header name for the auth token. Default `Authorization` (sends `Bearer <token>`). */
+    authHeaderName?: string;
+    /** Callback for 401 responses (typically: clear auth + redirect to login). */
+    onUnauthorized?: () => void;
+    /**
+     * Whether backend uses snake_case. If true, response keys are converted to
+     * camelCase and request bodies converted to snake_case.
+     */
+    snakeCaseBackend?: boolean;
+    /** Disable auto idempotency-key + correlation-id headers if you handle them yourself. */
+    disableRequestIds?: boolean;
+}
+export declare function createAxios(opts: CreateAxiosOptions): AxiosInstance;
+/**
+ * Set the auth token on an axios instance — call once at login.
+ *
+ * If the header name is `Authorization`, the value is automatically prefixed
+ * with `Bearer `. For any other header name (e.g. `X-Auth-Token`), the value
+ * is set verbatim.
+ */
+export declare function setAuthToken(instance: AxiosInstance, token: string): void;
+/**
+ * Remove the auth token from an axios instance — call on logout / 401.
+ */
+export declare function clearAuthToken(instance: AxiosInstance): void;
+//# sourceMappingURL=createAxios.d.ts.map

package/dist/http/createAxios.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createAxios.d.ts","sourceRoot":"","sources":["../../src/http/createAxios.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAc,EAAE,KAAK,aAAa,EAAE,MAAM,OAAO,CAAC;AAQlD,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wFAAwF;IACxF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,IAAI,CAAC;IAC5B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,yFAAyF;IACzF,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,kBAAkB,GAAG,aAAa,CA+BnE;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAKzE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAI5D"}

package/dist/http/createAxios.js

@@ -0,0 +1,58 @@
+/**
+ * Configurable axios factory. Apps create one (or more) instances by
+ * composing the interceptors they need.
+ *
+ * Auth model: tokens are set ONCE on the instance via {@link setAuthToken} at
+ * login time, not injected per-request. This is the rsense-react-org pattern
+ * — cheaper than reading from localStorage on every call. Call {@link clearAuthToken}
+ * on logout / 401.
+ */
+import axios from 'axios';
+import { attachCamelToSnake, attachErrorMapping, attachRequestIds, attachSnakeToCamel, } from './interceptors.js';
+export function createAxios(opts) {
+    const instance = axios.create({
+        baseURL: opts.baseURL,
+        timeout: opts.timeoutMs ?? 30_000,
+        headers: {
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+        },
+    });
+    // Stash the auth header name on the instance for set/clear helpers.
+    instance.__authHeaderName =
+        opts.authHeaderName ?? 'Authorization';
+    if (!opts.disableRequestIds) {
+        attachRequestIds(instance);
+    }
+    if (opts.snakeCaseBackend) {
+        attachSnakeToCamel(instance);
+        attachCamelToSnake(instance);
+    }
+    attachErrorMapping(instance, {
+        onUnauthorized: () => {
+            clearAuthToken(instance);
+            opts.onUnauthorized?.();
+        },
+    });
+    return instance;
+}
+/**
+ * Set the auth token on an axios instance — call once at login.
+ *
+ * If the header name is `Authorization`, the value is automatically prefixed
+ * with `Bearer `. For any other header name (e.g. `X-Auth-Token`), the value
+ * is set verbatim.
+ */
+export function setAuthToken(instance, token) {
+    const headerName = instance.__authHeaderName ?? 'Authorization';
+    const value = headerName === 'Authorization' ? `Bearer ${token}` : token;
+    instance.defaults.headers.common[headerName] = value;
+}
+/**
+ * Remove the auth token from an axios instance — call on logout / 401.
+ */
+export function clearAuthToken(instance) {
+    const headerName = instance.__authHeaderName ?? 'Authorization';
+    delete instance.defaults.headers.common[headerName];
+}
+//# sourceMappingURL=createAxios.js.map

package/dist/http/createAxios.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createAxios.js","sourceRoot":"","sources":["../../src/http/createAxios.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAA6B,MAAM,OAAO,CAAC;AAClD,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAkB3B,MAAM,UAAU,WAAW,CAAC,IAAwB;IAClD,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC;QAC5B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,IAAI,CAAC,SAAS,IAAI,MAAM;QACjC,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;KACF,CAAC,CAAC;IAEH,oEAAoE;IACnE,QAA0D,CAAC,gBAAgB;QAC1E,IAAI,CAAC,cAAc,IAAI,eAAe,CAAC;IAEzC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC5B,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC1B,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC7B,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAED,kBAAkB,CAAC,QAAQ,EAAE;QAC3B,cAAc,EAAE,GAAG,EAAE;YACnB,cAAc,CAAC,QAAQ,CAAC,CAAC;YACzB,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;QAC1B,CAAC;KACF,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,QAAuB,EAAE,KAAa;IACjE,MAAM,UAAU,GACb,QAA0D,CAAC,gBAAgB,IAAI,eAAe,CAAC;IAClG,MAAM,KAAK,GAAG,UAAU,KAAK,eAAe,CAAC,CAAC,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;IACzE,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAuB;IACpD,MAAM,UAAU,GACb,QAA0D,CAAC,gBAAgB,IAAI,eAAe,CAAC;IAClG,OAAO,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;AACtD,CAAC"}

package/dist/http/errors.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Typed HTTP errors. Use these instead of raw `AxiosError` in app code.
+ */
+export type ApiErrorKind = 'network' | 'timeout' | 'unauthorized' | 'forbidden' | 'not_found' | 'conflict' | 'validation' | 'rate_limited' | 'server_error' | 'cancelled' | 'unknown';
+export interface ApiErrorOptions {
+    kind: ApiErrorKind;
+    /** HTTP status if available. */
+    status?: number;
+    /** Server-generated ref code or our own short ref for support. */
+    ref?: string;
+    /** Field-level errors from 422. Map of field path → message. */
+    fieldErrors?: Record<string, string>;
+    /** Original error (not exposed via toJSON). */
+    cause?: unknown;
+}
+export declare class ApiError extends Error {
+    readonly kind: ApiErrorKind;
+    readonly status?: number;
+    readonly ref?: string;
+    readonly fieldErrors?: Record<string, string>;
+    constructor(message: string, opts: ApiErrorOptions);
+    /**
+     * User-safe representation. Does NOT include `cause` (stack/PII risk).
+     */
+    toJSON(): Record<string, unknown>;
+}
+export declare function fromStatus(status: number): ApiErrorKind;
+//# sourceMappingURL=errors.d.ts.map

package/dist/http/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/http/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,YAAY,GACpB,SAAS,GACT,SAAS,GACT,cAAc,GACd,WAAW,GACX,WAAW,GACX,UAAU,GACV,YAAY,GACZ,cAAc,GACd,cAAc,GACd,WAAW,GACX,SAAS,CAAC;AAEd,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,YAAY,CAAC;IACnB,gCAAgC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kEAAkE;IAClE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,+CAA+C;IAC/C,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,qBAAa,QAAS,SAAQ,KAAK;IACjC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAElC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe;IAYlD;;OAEG;IACH,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CASlC;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CASvD"}

package/dist/http/errors.js

@@ -0,0 +1,57 @@
+/**
+ * Typed HTTP errors. Use these instead of raw `AxiosError` in app code.
+ */
+export class ApiError extends Error {
+    kind;
+    status;
+    ref;
+    fieldErrors;
+    constructor(message, opts) {
+        super(message);
+        this.name = 'ApiError';
+        this.kind = opts.kind;
+        this.status = opts.status;
+        this.ref = opts.ref;
+        this.fieldErrors = opts.fieldErrors;
+        if (opts.cause !== undefined) {
+            this.cause = opts.cause;
+        }
+    }
+    /**
+     * User-safe representation. Does NOT include `cause` (stack/PII risk).
+     */
+    toJSON() {
+        return {
+            name: this.name,
+            kind: this.kind,
+            status: this.status,
+            ref: this.ref,
+            fieldErrors: this.fieldErrors,
+        };
+    }
+}
+export function fromStatus(status) {
+    if (status === 401) {
+        return 'unauthorized';
+    }
+    if (status === 403) {
+        return 'forbidden';
+    }
+    if (status === 404) {
+        return 'not_found';
+    }
+    if (status === 409) {
+        return 'conflict';
+    }
+    if (status === 422) {
+        return 'validation';
+    }
+    if (status === 429) {
+        return 'rate_limited';
+    }
+    if (status >= 500 && status < 600) {
+        return 'server_error';
+    }
+    return 'unknown';
+}
+//# sourceMappingURL=errors.js.map

package/dist/http/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/http/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AA2BH,MAAM,OAAO,QAAS,SAAQ,KAAK;IACxB,IAAI,CAAe;IACnB,MAAM,CAAU;IAChB,GAAG,CAAU;IACb,WAAW,CAA0B;IAE9C,YAAY,OAAe,EAAE,IAAqB;QAChD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACtB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;QACpB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACpC,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC5B,IAAc,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACrC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM;QACJ,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,UAAU,CAAC,MAAc;IACvC,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QAAA,OAAO,cAAc,CAAC;IAAA,CAAC;IAC5C,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QAAA,OAAO,WAAW,CAAC;IAAA,CAAC;IACzC,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QAAA,OAAO,WAAW,CAAC;IAAA,CAAC;IACzC,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QAAA,OAAO,UAAU,CAAC;IAAA,CAAC;IACxC,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QAAA,OAAO,YAAY,CAAC;IAAA,CAAC;IAC1C,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QAAA,OAAO,cAAc,CAAC;IAAA,CAAC;IAC5C,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAAA,OAAO,cAAc,CAAC;IAAA,CAAC;IAC3D,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/http/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * HTTP — axios factory with composable BFSI-grade interceptors.
+ *
+ * Pattern: instead of one monolithic axios instance, expose composable
+ * interceptors. Each app composes the ones it needs.
+ */
+export * from './createAxios.js';
+export * from './interceptors.js';
+export * from './errors.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/http/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/http/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC"}

package/dist/http/index.js

@@ -0,0 +1,10 @@
+/**
+ * HTTP — axios factory with composable BFSI-grade interceptors.
+ *
+ * Pattern: instead of one monolithic axios instance, expose composable
+ * interceptors. Each app composes the ones it needs.
+ */
+export * from './createAxios.js';
+export * from './interceptors.js';
+export * from './errors.js';
+//# sourceMappingURL=index.js.map

package/dist/http/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/http/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC"}

package/dist/http/interceptors.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Composable axios interceptors. Each function takes an instance and attaches
+ * itself. App code chooses which to add.
+ *
+ * Note: auth-header injection is NOT here. Tokens are set once on the instance
+ * via setAuthToken() in createAxios.ts (rsense-style, set-at-login). Avoids
+ * reading from localStorage on every request.
+ */
+import type { AxiosInstance } from 'axios';
+/**
+ * Request interceptor: add a correlation ID and idempotency key.
+ * Idempotency key applied only to mutating methods.
+ */
+export declare function attachRequestIds(instance: AxiosInstance): void;
+/**
+ * Response transformer: convert snake_case keys to camelCase.
+ * Applied if your backend uses snake_case (e.g. Rails/Python).
+ */
+export declare function attachSnakeToCamel(instance: AxiosInstance): void;
+/**
+ * Request transformer: convert camelCase request bodies to snake_case.
+ */
+export declare function attachCamelToSnake(instance: AxiosInstance): void;
+/**
+ * Response interceptor: convert raw axios errors into typed `ApiError`.
+ */
+export declare function attachErrorMapping(instance: AxiosInstance, opts?: {
+    onUnauthorized?: () => void;
+}): void;
+//# sourceMappingURL=interceptors.d.ts.map

package/dist/http/interceptors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interceptors.d.ts","sourceRoot":"","sources":["../../src/http/interceptors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,aAAa,EAA8B,MAAM,OAAO,CAAC;AAIvE;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAW9D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAKhE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAOhE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,aAAa,EACvB,IAAI,GAAE;IAAE,cAAc,CAAC,EAAE,MAAM,IAAI,CAAA;CAAO,GACzC,IAAI,CAWN"}

package/dist/http/interceptors.js

@@ -0,0 +1,112 @@
+import { ApiError, fromStatus } from './errors.js';
+import { generateEventId } from '../audit/auditClient.js';
+/**
+ * Request interceptor: add a correlation ID and idempotency key.
+ * Idempotency key applied only to mutating methods.
+ */
+export function attachRequestIds(instance) {
+    instance.interceptors.request.use((config) => {
+        config.headers.set('X-Request-Id', generateEventId());
+        const method = (config.method ?? 'get').toUpperCase();
+        if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+            if (!config.headers.has('Idempotency-Key')) {
+                config.headers.set('Idempotency-Key', generateEventId());
+            }
+        }
+        return config;
+    });
+}
+/**
+ * Response transformer: convert snake_case keys to camelCase.
+ * Applied if your backend uses snake_case (e.g. Rails/Python).
+ */
+export function attachSnakeToCamel(instance) {
+    instance.interceptors.response.use((response) => {
+        response.data = deepSnakeToCamel(response.data);
+        return response;
+    });
+}
+/**
+ * Request transformer: convert camelCase request bodies to snake_case.
+ */
+export function attachCamelToSnake(instance) {
+    instance.interceptors.request.use((config) => {
+        if (config.data && typeof config.data === 'object' && !(config.data instanceof FormData)) {
+            config.data = deepCamelToSnake(config.data);
+        }
+        return config;
+    });
+}
+/**
+ * Response interceptor: convert raw axios errors into typed `ApiError`.
+ */
+export function attachErrorMapping(instance, opts = {}) {
+    instance.interceptors.response.use((r) => r, (err) => {
+        const apiErr = mapError(err);
+        if (apiErr.kind === 'unauthorized') {
+            opts.onUnauthorized?.();
+        }
+        return Promise.reject(apiErr);
+    });
+}
+function mapError(err) {
+    if (err instanceof ApiError) {
+        return err;
+    }
+    // We don't import AxiosError type directly because we don't want a hard runtime dep
+    // on axios internals — duck-type instead.
+    const e = err;
+    if (e?.code === 'ECONNABORTED' || e?.code === 'ERR_CANCELED') {
+        return new ApiError('Request cancelled', { kind: 'cancelled', cause: err });
+    }
+    if (!e?.response) {
+        return new ApiError('Network error', { kind: 'network', cause: err });
+    }
+    const status = e.response.status ?? 0;
+    const kind = fromStatus(status);
+    const data = e.response.data;
+    return new ApiError(data?.message ?? `HTTP ${status}`, {
+        kind,
+        status,
+        ref: data?.ref,
+        fieldErrors: data?.field_errors ?? data?.errors,
+        cause: err,
+    });
+}
+// --- key transformation helpers ---
+function camelToSnakeKey(key) {
+    return key.replace(/([A-Z])/g, '_$1').toLowerCase();
+}
+function snakeToCamelKey(key) {
+    return key.replace(/_([a-z])/g, (_, c) => c.toUpperCase());
+}
+function deepSnakeToCamel(value) {
+    if (Array.isArray(value)) {
+        return value.map(deepSnakeToCamel);
+    }
+    if (value && typeof value === 'object' && !(value instanceof Date)) {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            out[snakeToCamelKey(k)] = deepSnakeToCamel(v);
+        }
+        return out;
+    }
+    return value;
+}
+function deepCamelToSnake(value) {
+    if (Array.isArray(value)) {
+        return value.map(deepCamelToSnake);
+    }
+    if (value &&
+        typeof value === 'object' &&
+        !(value instanceof Date) &&
+        !(value instanceof FormData)) {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            out[camelToSnakeKey(k)] = deepCamelToSnake(v);
+        }
+        return out;
+    }
+    return value;
+}
+//# sourceMappingURL=interceptors.js.map

package/dist/http/interceptors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interceptors.js","sourceRoot":"","sources":["../../src/http/interceptors.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAE1D;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAuB;IACtD,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAkC,EAAE,EAAE;QACvE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,eAAe,EAAE,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACtD,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBAC3C,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,eAAe,EAAE,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAuB;IACxD,QAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE;QAC9C,QAAQ,CAAC,IAAI,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChD,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAuB;IACxD,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAkC,EAAE,EAAE;QACvE,IAAI,MAAM,CAAC,IAAI,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,YAAY,QAAQ,CAAC,EAAE,CAAC;YACzF,MAAM,CAAC,IAAI,GAAG,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAuB,EACvB,OAAwC,EAAE;IAE1C,QAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EACR,CAAC,GAAY,EAAE,EAAE;QACf,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACnC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;QAC1B,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC,CACF,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,GAAY;IAC5B,IAAI,GAAG,YAAY,QAAQ,EAAE,CAAC;QAAA,OAAO,GAAG,CAAC;IAAA,CAAC;IAC1C,oFAAoF;IACpF,0CAA0C;IAC1C,MAAM,CAAC,GAAG,GAIT,CAAC;IAEF,IAAI,CAAC,EAAE,IAAI,KAAK,cAAc,IAAI,CAAC,EAAE,IAAI,KAAK,cAAc,EAAE,CAAC;QAC7D,OAAO,IAAI,QAAQ,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC;QACjB,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,IAOX,CAAC;IAEd,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,OAAO,IAAI,QAAQ,MAAM,EAAE,EAAE;QACrD,IAAI;QACJ,MAAM;QACN,GAAG,EAAE,IAAI,EAAE,GAAG;QACd,WAAW,EAAE,IAAI,EAAE,YAAY,IAAI,IAAI,EAAE,MAAM;QAC/C,KAAK,EAAE,GAAG;KACX,CAAC,CAAC;AACL,CAAC;AAED,qCAAqC;AAErC,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AACtD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAAA,OAAO,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAAA,CAAC;IAC/D,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,KAAK,YAAY,IAAI,CAAC,EAAE,CAAC;QACnE,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAAA,OAAO,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAAA,CAAC;IAC/D,IACE,KAAK;QACL,OAAO,KAAK,KAAK,QAAQ;QACzB,CAAC,CAAC,KAAK,YAAY,IAAI,CAAC;QACxB,CAAC,CAAC,KAAK,YAAY,QAAQ,CAAC,EAC5B,CAAC;QACD,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @react-vault/core — barrel export.
+ *
+ * Prefer importing from sub-paths for tree-shaking:
+ *   import { aesgcm } from '@react-vault/core/encryption';
+ *   import { maskPan } from '@react-vault/core/pii';
+ *
+ * Only re-exports for convenience.
+ */
+export * as encryption from './encryption/index.js';
+export * as pii from './pii/index.js';
+export * as audit from './audit/index.js';
+export * as http from './http/index.js';
+export * as auth from './auth/index.js';
+export * as storage from './storage/index.js';
+export * as compliance from './compliance/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,UAAU,MAAM,uBAAuB,CAAC;AACpD,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAC;AAC1C,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,OAAO,MAAM,oBAAoB,CAAC;AAC9C,OAAO,KAAK,UAAU,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -0,0 +1,17 @@
+/**
+ * @react-vault/core — barrel export.
+ *
+ * Prefer importing from sub-paths for tree-shaking:
+ *   import { aesgcm } from '@react-vault/core/encryption';
+ *   import { maskPan } from '@react-vault/core/pii';
+ *
+ * Only re-exports for convenience.
+ */
+export * as encryption from './encryption/index.js';
+export * as pii from './pii/index.js';
+export * as audit from './audit/index.js';
+export * as http from './http/index.js';
+export * as auth from './auth/index.js';
+export * as storage from './storage/index.js';
+export * as compliance from './compliance/index.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,UAAU,MAAM,uBAAuB,CAAC;AACpD,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAC;AAC1C,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,OAAO,MAAM,oBAAoB,CAAC;AAC9C,OAAO,KAAK,UAAU,MAAM,uBAAuB,CAAC"}