@reley/crypto 0.1.0

package/dist/cipher.d.ts

@@ -0,0 +1,16 @@
+export declare const NONCE_LENGTH = 12;
+export declare const TAG_LENGTH = 16;
+export declare const KEY_LENGTH = 32;
+/**
+ * Encrypt data with XChaCha20-Poly1305.
+ * @returns { nonce, ciphertext } where ciphertext includes the auth tag
+ */
+export declare function encrypt(plaintext: Uint8Array, key: Uint8Array, aad?: Uint8Array): Promise<{
+    nonce: Uint8Array;
+    ciphertext: Uint8Array;
+}>;
+/**
+ * Decrypt data with XChaCha20-Poly1305.
+ */
+export declare function decrypt(ciphertext: Uint8Array, nonce: Uint8Array, key: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=cipher.d.ts.map

package/dist/cipher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cipher.d.ts","sourceRoot":"","sources":["../src/cipher.ts"],"names":[],"mappings":"AAsBA,eAAO,MAAM,YAAY,KAAK,CAAC;AAC/B,eAAO,MAAM,UAAU,KAAK,CAAC;AAC7B,eAAO,MAAM,UAAU,KAAK,CAAC;AAE7B;;;GAGG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,UAAU,EACrB,GAAG,EAAE,UAAU,EACf,GAAG,GAAE,UAA8B,GAClC,OAAO,CAAC;IAAE,KAAK,EAAE,UAAU,CAAC;IAAC,UAAU,EAAE,UAAU,CAAA;CAAE,CAAC,CAkBxD;AAED;;GAEG;AACH,wBAAsB,OAAO,CAC3B,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,UAAU,EACjB,GAAG,EAAE,UAAU,EACf,GAAG,GAAE,UAA8B,GAClC,OAAO,CAAC,UAAU,CAAC,CAkBrB"}

package/dist/cipher.js

@@ -0,0 +1,44 @@
+import { ensureSodium } from './keys.js';
+export const NONCE_LENGTH = 12;
+export const TAG_LENGTH = 16;
+export const KEY_LENGTH = 32;
+/**
+ * Encrypt data with XChaCha20-Poly1305.
+ * @returns { nonce, ciphertext } where ciphertext includes the auth tag
+ */
+export async function encrypt(plaintext, key, aad = new Uint8Array(0)) {
+    const s = await ensureSodium();
+    if (key.length !== KEY_LENGTH) {
+        throw new Error(`Key must be ${KEY_LENGTH} bytes, got ${key.length}`);
+    }
+    const nonce = s.randombytes_buf(NONCE_LENGTH);
+    const ciphertext = s.crypto_aead_xchacha20poly1305_ietf_encrypt(plaintext, aad.length > 0 ? aad : null, null, // nsec (unused)
+    // xchacha uses 24-byte nonce, pad our 12-byte nonce
+    padNonce(nonce, s), key);
+    return { nonce, ciphertext };
+}
+/**
+ * Decrypt data with XChaCha20-Poly1305.
+ */
+export async function decrypt(ciphertext, nonce, key, aad = new Uint8Array(0)) {
+    const s = await ensureSodium();
+    if (key.length !== KEY_LENGTH) {
+        throw new Error(`Key must be ${KEY_LENGTH} bytes, got ${key.length}`);
+    }
+    try {
+        return s.crypto_aead_xchacha20poly1305_ietf_decrypt(null, // nsec (unused)
+        ciphertext, aad.length > 0 ? aad : null, padNonce(nonce, s), key);
+    }
+    catch {
+        throw new Error('Decryption failed: invalid ciphertext or key');
+    }
+}
+/**
+ * Pad a 12-byte nonce to 24 bytes for xchacha20poly1305.
+ */
+function padNonce(nonce, s) {
+    const padded = new Uint8Array(s.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+    padded.set(nonce, 0);
+    return padded;
+}
+//# sourceMappingURL=cipher.js.map

package/dist/cipher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cipher.js","sourceRoot":"","sources":["../src/cipher.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,MAAM,CAAC,MAAM,YAAY,GAAG,EAAE,CAAC;AAC/B,MAAM,CAAC,MAAM,UAAU,GAAG,EAAE,CAAC;AAC7B,MAAM,CAAC,MAAM,UAAU,GAAG,EAAE,CAAC;AAE7B;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,SAAqB,EACrB,GAAe,EACf,MAAkB,IAAI,UAAU,CAAC,CAAC,CAAC;IAEnC,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAE/B,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,eAAe,UAAU,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,CAAC,CAAC,0CAA0C,CAC7D,SAAS,EACT,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAC3B,IAAI,EAAE,gBAAgB;IACtB,oDAAoD;IACpD,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,EAClB,GAAG,CACJ,CAAC;IAEF,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,UAAsB,EACtB,KAAiB,EACjB,GAAe,EACf,MAAkB,IAAI,UAAU,CAAC,CAAC,CAAC;IAEnC,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAE/B,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,eAAe,UAAU,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,CAAC;QACH,OAAO,CAAC,CAAC,0CAA0C,CACjD,IAAI,EAAE,gBAAgB;QACtB,UAAU,EACV,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAC3B,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,EAClB,GAAG,CACJ,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,QAAQ,CAAC,KAAiB,EAAE,CAAiB;IACpD,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,4CAA4C,CAAC,CAAC;IAC9E,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrB,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/ecdh.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Compute X25519 ECDH shared secret from our secret key and their public key.
+ * Returns 32-byte raw shared secret.
+ */
+export declare function computeSharedSecret(ourSecretKey: Uint8Array, theirPublicKey: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=ecdh.d.ts.map

package/dist/ecdh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdh.d.ts","sourceRoot":"","sources":["../src/ecdh.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,YAAY,EAAE,UAAU,EACxB,cAAc,EAAE,UAAU,GACzB,OAAO,CAAC,UAAU,CAAC,CAGrB"}

package/dist/ecdh.js

@@ -0,0 +1,10 @@
+import { ensureSodium } from './keys.js';
+/**
+ * Compute X25519 ECDH shared secret from our secret key and their public key.
+ * Returns 32-byte raw shared secret.
+ */
+export async function computeSharedSecret(ourSecretKey, theirPublicKey) {
+    const s = await ensureSodium();
+    return s.crypto_scalarmult(ourSecretKey, theirPublicKey);
+}
+//# sourceMappingURL=ecdh.js.map

package/dist/ecdh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdh.js","sourceRoot":"","sources":["../src/ecdh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAAwB,EACxB,cAA0B;IAE1B,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,OAAO,CAAC,CAAC,iBAAiB,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;AAC3D,CAAC"}

package/dist/hkdf.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Derive symmetric keys from ECDH shared secret.
+ * Returns { sendKey, recvKey } each 32 bytes for AEAD cipher.
+ */
+export declare function deriveSessionKeys(sharedSecret: Uint8Array, salt?: Uint8Array, info?: string): Promise<{
+    sendKey: Uint8Array;
+    recvKey: Uint8Array;
+}>;
+/**
+ * Derive a single chain key for ratchet progression.
+ */
+export declare function deriveChainKey(chainKey: Uint8Array, info?: string): Promise<{
+    messageKey: Uint8Array;
+    nextChainKey: Uint8Array;
+}>;
+//# sourceMappingURL=hkdf.d.ts.map

package/dist/hkdf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.d.ts","sourceRoot":"","sources":["../src/hkdf.ts"],"names":[],"mappings":"AAkCA;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,YAAY,EAAE,UAAU,EACxB,IAAI,GAAE,UAA8B,EACpC,IAAI,GAAE,MAAmB,GACxB,OAAO,CAAC;IAAE,OAAO,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,CAAC,CASvD;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,UAAU,EACpB,IAAI,GAAE,MAAsB,GAC3B,OAAO,CAAC;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,YAAY,EAAE,UAAU,CAAA;CAAE,CAAC,CAS/D"}

package/dist/hkdf.js

@@ -0,0 +1,54 @@
+import { ensureSodium } from './keys.js';
+const HKDF_HASH_LEN = 32; // SHA-256
+/**
+ * HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)
+ */
+async function hkdfExtract(salt, ikm) {
+    const s = await ensureSodium();
+    const key = salt.length > 0 ? salt : new Uint8Array(HKDF_HASH_LEN);
+    return s.crypto_auth_hmacsha256(ikm, key);
+}
+/**
+ * HKDF-Expand: OKM = T(1) || T(2) || ... truncated to length
+ */
+async function hkdfExpand(prk, info, length) {
+    const s = await ensureSodium();
+    const n = Math.ceil(length / HKDF_HASH_LEN);
+    const okm = new Uint8Array(n * HKDF_HASH_LEN);
+    let prev = new Uint8Array(0);
+    for (let i = 1; i <= n; i++) {
+        const input = new Uint8Array(prev.length + info.length + 1);
+        input.set(prev, 0);
+        input.set(info, prev.length);
+        input[prev.length + info.length] = i;
+        prev = new Uint8Array(s.crypto_auth_hmacsha256(input, prk));
+        okm.set(prev, (i - 1) * HKDF_HASH_LEN);
+    }
+    return okm.slice(0, length);
+}
+/**
+ * Derive symmetric keys from ECDH shared secret.
+ * Returns { sendKey, recvKey } each 32 bytes for AEAD cipher.
+ */
+export async function deriveSessionKeys(sharedSecret, salt = new Uint8Array(0), info = 'reley-v1') {
+    const infoBytes = new TextEncoder().encode(info);
+    const prk = await hkdfExtract(salt, sharedSecret);
+    // 64 bytes: first 32 = send key, next 32 = recv key
+    const okm = await hkdfExpand(prk, infoBytes, 64);
+    return {
+        sendKey: okm.slice(0, 32),
+        recvKey: okm.slice(32, 64),
+    };
+}
+/**
+ * Derive a single chain key for ratchet progression.
+ */
+export async function deriveChainKey(chainKey, info = 'reley-chain') {
+    const s = await ensureSodium();
+    const msgKeyInput = new TextEncoder().encode(info + '-msg');
+    const chainKeyInput = new TextEncoder().encode(info + '-chain');
+    const messageKey = s.crypto_auth_hmacsha256(msgKeyInput, chainKey);
+    const nextChainKey = s.crypto_auth_hmacsha256(chainKeyInput, chainKey);
+    return { messageKey, nextChainKey };
+}
+//# sourceMappingURL=hkdf.js.map

package/dist/hkdf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.js","sourceRoot":"","sources":["../src/hkdf.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,MAAM,aAAa,GAAG,EAAE,CAAC,CAAC,UAAU;AAEpC;;GAEG;AACH,KAAK,UAAU,WAAW,CAAC,IAAgB,EAAE,GAAe;IAC1D,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,aAAa,CAAC,CAAC;IACnE,OAAO,CAAC,CAAC,sBAAsB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,UAAU,CAAC,GAAe,EAAE,IAAgB,EAAE,MAAc;IACzE,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC;IAC9C,IAAI,IAAI,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAE7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC5D,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACnB,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,sBAAsB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;QAC5D,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,YAAwB,EACxB,OAAmB,IAAI,UAAU,CAAC,CAAC,CAAC,EACpC,OAAe,UAAU;IAEzB,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IAClD,oDAAoD;IACpD,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACjD,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;QACzB,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;KAC3B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAAoB,EACpB,OAAe,aAAa;IAE5B,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,GAAG,MAAM,CAAC,CAAC;IAC5D,MAAM,aAAa,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAC;IAEhE,MAAM,UAAU,GAAG,CAAC,CAAC,sBAAsB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,CAAC,CAAC,sBAAsB,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAEvE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;AACtC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export { ensureSodium, generateIdentityKeyPair, generateEphemeralKeyPair, ed25519ToX25519Public, ed25519ToX25519Secret, generateOneTimeCode, sign, verify, type Ed25519KeyPair, type X25519KeyPair, } from './keys.js';
+export { computeSharedSecret } from './ecdh.js';
+export { deriveSessionKeys, deriveChainKey } from './hkdf.js';
+export { encrypt, decrypt, NONCE_LENGTH, TAG_LENGTH, KEY_LENGTH, } from './cipher.js';
+export { initRatchet, ratchetEncrypt, ratchetDecrypt, needsKeyRotation, KEY_ROTATION_INTERVAL, type RatchetState, } from './ratchet.js';
+export { encodeQRPayload, decodeQRPayload, hashOneTimeCode, type QRPayload, } from './qr-payload.js';
+export { computeFingerprint, toBase64Url, fromBase64Url, } from './utils.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,uBAAuB,EACvB,wBAAwB,EACxB,qBAAqB,EACrB,qBAAqB,EACrB,mBAAmB,EACnB,IAAI,EACJ,MAAM,EACN,KAAK,cAAc,EACnB,KAAK,aAAa,GACnB,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAEhD,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAE9D,OAAO,EACL,OAAO,EACP,OAAO,EACP,YAAY,EACZ,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,KAAK,YAAY,GAClB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,eAAe,EACf,eAAe,EACf,eAAe,EACf,KAAK,SAAS,GACf,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,kBAAkB,EAClB,WAAW,EACX,aAAa,GACd,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,8 @@
+export { ensureSodium, generateIdentityKeyPair, generateEphemeralKeyPair, ed25519ToX25519Public, ed25519ToX25519Secret, generateOneTimeCode, sign, verify, } from './keys.js';
+export { computeSharedSecret } from './ecdh.js';
+export { deriveSessionKeys, deriveChainKey } from './hkdf.js';
+export { encrypt, decrypt, NONCE_LENGTH, TAG_LENGTH, KEY_LENGTH, } from './cipher.js';
+export { initRatchet, ratchetEncrypt, ratchetDecrypt, needsKeyRotation, KEY_ROTATION_INTERVAL, } from './ratchet.js';
+export { encodeQRPayload, decodeQRPayload, hashOneTimeCode, } from './qr-payload.js';
+export { computeFingerprint, toBase64Url, fromBase64Url, } from './utils.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,uBAAuB,EACvB,wBAAwB,EACxB,qBAAqB,EACrB,qBAAqB,EACrB,mBAAmB,EACnB,IAAI,EACJ,MAAM,GAGP,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAEhD,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAE9D,OAAO,EACL,OAAO,EACP,OAAO,EACP,YAAY,EACZ,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,qBAAqB,GAEtB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,eAAe,EACf,eAAe,EACf,eAAe,GAEhB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,kBAAkB,EAClB,WAAW,EACX,aAAa,GACd,MAAM,YAAY,CAAC"}

package/dist/keys.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Key generation, signing, and libsodium initialization.
+ *
+ * Uses a default import of libsodium-wrappers-sumo which works across
+ * environments:
+ *  - Node.js: vitest alias / bundler resolves to the CJS module
+ *  - Browser: bundlers (webpack/vite) handle ESM resolution
+ */
+import _sodium from 'libsodium-wrappers-sumo';
+/**
+ * Ensure libsodium is loaded and ready.
+ */
+export declare function ensureSodium(): Promise<typeof _sodium>;
+export interface Ed25519KeyPair {
+    publicKey: Uint8Array;
+    secretKey: Uint8Array;
+    keyType: 'ed25519';
+}
+export interface X25519KeyPair {
+    publicKey: Uint8Array;
+    secretKey: Uint8Array;
+    keyType: 'x25519';
+}
+/**
+ * Generate an Ed25519 identity key pair (long-term, per-device).
+ */
+export declare function generateIdentityKeyPair(): Promise<Ed25519KeyPair>;
+/**
+ * Generate an X25519 ephemeral key pair (per-session).
+ */
+export declare function generateEphemeralKeyPair(): Promise<X25519KeyPair>;
+/**
+ * Convert an Ed25519 public key to X25519 for ECDH.
+ */
+export declare function ed25519ToX25519Public(ed25519Pk: Uint8Array): Promise<Uint8Array>;
+/**
+ * Convert an Ed25519 secret key to X25519 for ECDH.
+ */
+export declare function ed25519ToX25519Secret(ed25519Sk: Uint8Array): Promise<Uint8Array>;
+/**
+ * Generate a cryptographically secure random one-time code.
+ */
+export declare function generateOneTimeCode(length?: number): Promise<Uint8Array>;
+/**
+ * Sign a message with an Ed25519 secret key.
+ */
+export declare function sign(message: Uint8Array, secretKey: Uint8Array): Promise<Uint8Array>;
+/**
+ * Verify an Ed25519 signature.
+ */
+export declare function verify(signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array): Promise<boolean>;
+//# sourceMappingURL=keys.d.ts.map

package/dist/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,OAAO,MAAM,yBAAyB,CAAC;AAI9C;;GAEG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,OAAO,OAAO,CAAC,CAM5D;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,UAAU,CAAC;IACtB,OAAO,EAAE,SAAS,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,UAAU,CAAC;IACtB,OAAO,EAAE,QAAQ,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,cAAc,CAAC,CAQvE;AAED;;GAEG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,aAAa,CAAC,CAQvE;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,SAAS,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAGtF;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,SAAS,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAGtF;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,MAAM,GAAE,MAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAGlF;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAG1F;AAED;;GAEG;AACH,wBAAsB,MAAM,CAC1B,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,OAAO,CAAC,CAGlB"}

package/dist/keys.js

@@ -0,0 +1,80 @@
+/**
+ * Key generation, signing, and libsodium initialization.
+ *
+ * Uses a default import of libsodium-wrappers-sumo which works across
+ * environments:
+ *  - Node.js: vitest alias / bundler resolves to the CJS module
+ *  - Browser: bundlers (webpack/vite) handle ESM resolution
+ */
+import _sodium from 'libsodium-wrappers-sumo';
+let initialized = false;
+/**
+ * Ensure libsodium is loaded and ready.
+ */
+export async function ensureSodium() {
+    if (!initialized) {
+        await _sodium.ready;
+        initialized = true;
+    }
+    return _sodium;
+}
+/**
+ * Generate an Ed25519 identity key pair (long-term, per-device).
+ */
+export async function generateIdentityKeyPair() {
+    const s = await ensureSodium();
+    const kp = s.crypto_sign_keypair();
+    return {
+        publicKey: kp.publicKey,
+        secretKey: kp.privateKey,
+        keyType: 'ed25519',
+    };
+}
+/**
+ * Generate an X25519 ephemeral key pair (per-session).
+ */
+export async function generateEphemeralKeyPair() {
+    const s = await ensureSodium();
+    const kp = s.crypto_kx_keypair();
+    return {
+        publicKey: kp.publicKey,
+        secretKey: kp.privateKey,
+        keyType: 'x25519',
+    };
+}
+/**
+ * Convert an Ed25519 public key to X25519 for ECDH.
+ */
+export async function ed25519ToX25519Public(ed25519Pk) {
+    const s = await ensureSodium();
+    return s.crypto_sign_ed25519_pk_to_curve25519(ed25519Pk);
+}
+/**
+ * Convert an Ed25519 secret key to X25519 for ECDH.
+ */
+export async function ed25519ToX25519Secret(ed25519Sk) {
+    const s = await ensureSodium();
+    return s.crypto_sign_ed25519_sk_to_curve25519(ed25519Sk);
+}
+/**
+ * Generate a cryptographically secure random one-time code.
+ */
+export async function generateOneTimeCode(length = 32) {
+    const s = await ensureSodium();
+    return s.randombytes_buf(length);
+}
+/**
+ * Sign a message with an Ed25519 secret key.
+ */
+export async function sign(message, secretKey) {
+    const s = await ensureSodium();
+    return s.crypto_sign_detached(message, secretKey);
+}
+/**
+ * Verify an Ed25519 signature.
+ */
+export async function verify(signature, message, publicKey) {
+    const s = await ensureSodium();
+    return s.crypto_sign_verify_detached(signature, message, publicKey);
+}
+//# sourceMappingURL=keys.js.map

package/dist/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,OAAO,MAAM,yBAAyB,CAAC;AAE9C,IAAI,WAAW,GAAG,KAAK,CAAC;AAExB;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,OAAO,CAAC,KAAK,CAAC;QACpB,WAAW,GAAG,IAAI,CAAC;IACrB,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAcD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB;IAC3C,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,MAAM,EAAE,GAAG,CAAC,CAAC,mBAAmB,EAAE,CAAC;IACnC,OAAO;QACL,SAAS,EAAE,EAAE,CAAC,SAAS;QACvB,SAAS,EAAE,EAAE,CAAC,UAAU;QACxB,OAAO,EAAE,SAAS;KACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,MAAM,EAAE,GAAG,CAAC,CAAC,iBAAiB,EAAE,CAAC;IACjC,OAAO;QACL,SAAS,EAAE,EAAE,CAAC,SAAS;QACvB,SAAS,EAAE,EAAE,CAAC,UAAU;QACxB,OAAO,EAAE,QAAQ;KAClB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,SAAqB;IAC/D,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,OAAO,CAAC,CAAC,oCAAoC,CAAC,SAAS,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,SAAqB;IAC/D,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,OAAO,CAAC,CAAC,oCAAoC,CAAC,SAAS,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,SAAiB,EAAE;IAC3D,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,OAAO,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,OAAmB,EAAE,SAAqB;IACnE,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,OAAO,CAAC,CAAC,oBAAoB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,SAAqB,EACrB,OAAmB,EACnB,SAAqB;IAErB,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,OAAO,CAAC,CAAC,2BAA2B,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AACtE,CAAC"}

package/dist/qr-payload.d.ts

@@ -0,0 +1,19 @@
+export interface QRPayload {
+    releyUrl: string;
+    publicKey: Uint8Array;
+    oneTimeCode: Uint8Array;
+    jwt: string;
+}
+/**
+ * Encode a QR payload to a base64url string.
+ */
+export declare function encodeQRPayload(payload: QRPayload): Promise<string>;
+/**
+ * Decode a QR payload from a base64url string.
+ */
+export declare function decodeQRPayload(encoded: string): Promise<QRPayload>;
+/**
+ * Hash a one-time code (for safe transmission to reley).
+ */
+export declare function hashOneTimeCode(otc: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=qr-payload.d.ts.map

package/dist/qr-payload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"qr-payload.d.ts","sourceRoot":"","sources":["../src/qr-payload.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,UAAU,CAAC;IACtB,WAAW,EAAE,UAAU,CAAC;IACxB,GAAG,EAAE,MAAM,CAAC;CACb;AAID;;GAEG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAqCzE;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CA+CzE;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAG1E"}

package/dist/qr-payload.js

@@ -0,0 +1,84 @@
+import { ensureSodium } from './keys.js';
+const MAGIC = 'CB1'; // Reley v1
+/**
+ * Encode a QR payload to a base64url string.
+ */
+export async function encodeQRPayload(payload) {
+    const s = await ensureSodium();
+    const releyBytes = new TextEncoder().encode(payload.releyUrl);
+    const jwtBytes = new TextEncoder().encode(payload.jwt);
+    // Format: MAGIC(3) + releyLen(2 BE) + reley + pubKey(32) + otc(32) + jwtLen(2 BE) + jwt
+    const totalLen = 3 + 2 + releyBytes.length + 32 + 32 + 2 + jwtBytes.length;
+    const buf = new Uint8Array(totalLen);
+    let offset = 0;
+    // Magic
+    buf[offset++] = MAGIC.charCodeAt(0);
+    buf[offset++] = MAGIC.charCodeAt(1);
+    buf[offset++] = MAGIC.charCodeAt(2);
+    // Reley URL length + data
+    buf[offset++] = (releyBytes.length >>> 8) & 0xff;
+    buf[offset++] = releyBytes.length & 0xff;
+    buf.set(releyBytes, offset);
+    offset += releyBytes.length;
+    // Public key (32 bytes)
+    buf.set(payload.publicKey, offset);
+    offset += 32;
+    // One-time code (32 bytes)
+    buf.set(payload.oneTimeCode, offset);
+    offset += 32;
+    // JWT length + data
+    buf[offset++] = (jwtBytes.length >>> 8) & 0xff;
+    buf[offset++] = jwtBytes.length & 0xff;
+    buf.set(jwtBytes, offset);
+    return s.to_base64(buf, s.base64_variants.URLSAFE_NO_PADDING);
+}
+/**
+ * Decode a QR payload from a base64url string.
+ */
+export async function decodeQRPayload(encoded) {
+    const s = await ensureSodium();
+    const buf = s.from_base64(encoded, s.base64_variants.URLSAFE_NO_PADDING);
+    // Minimum: MAGIC(3) + releyLen(2) + pubKey(32) + otc(32) + jwtLen(2) = 71 bytes
+    if (buf.length < 71) {
+        throw new Error(`QR payload too short: ${buf.length} bytes (minimum 71)`);
+    }
+    let offset = 0;
+    // Verify magic
+    const magic = String.fromCharCode(buf[offset++], buf[offset++], buf[offset++]);
+    if (magic !== MAGIC) {
+        throw new Error(`Invalid QR payload magic: ${magic}`);
+    }
+    // Reley URL
+    const releyLen = (buf[offset] << 8) | buf[offset + 1];
+    offset += 2;
+    if (offset + releyLen + 32 + 32 + 2 > buf.length) {
+        throw new Error('QR payload truncated: reley URL overflows buffer');
+    }
+    const releyUrl = new TextDecoder().decode(buf.slice(offset, offset + releyLen));
+    offset += releyLen;
+    // Public key (32 bytes)
+    const publicKey = buf.slice(offset, offset + 32);
+    offset += 32;
+    // One-time code (32 bytes)
+    const oneTimeCode = buf.slice(offset, offset + 32);
+    offset += 32;
+    // JWT
+    if (offset + 2 > buf.length) {
+        throw new Error('QR payload truncated: missing JWT length');
+    }
+    const jwtLen = (buf[offset] << 8) | buf[offset + 1];
+    offset += 2;
+    if (offset + jwtLen > buf.length) {
+        throw new Error('QR payload truncated: JWT overflows buffer');
+    }
+    const jwt = new TextDecoder().decode(buf.slice(offset, offset + jwtLen));
+    return { releyUrl, publicKey, oneTimeCode, jwt };
+}
+/**
+ * Hash a one-time code (for safe transmission to reley).
+ */
+export async function hashOneTimeCode(otc) {
+    const s = await ensureSodium();
+    return s.crypto_generichash(32, otc, null);
+}
+//# sourceMappingURL=qr-payload.js.map

package/dist/qr-payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"qr-payload.js","sourceRoot":"","sources":["../src/qr-payload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AASzC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,WAAW;AAEhC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAkB;IACtD,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAE/B,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAEvD,wFAAwF;IACxF,MAAM,QAAQ,GACZ,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC5D,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,QAAQ;IACR,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACpC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACpC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEpC,0BAA0B;IAC1B,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC;IACjD,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC;IACzC,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC5B,MAAM,IAAI,UAAU,CAAC,MAAM,CAAC;IAE5B,wBAAwB;IACxB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACnC,MAAM,IAAI,EAAE,CAAC;IAEb,2BAA2B;IAC3B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACrC,MAAM,IAAI,EAAE,CAAC;IAEb,oBAAoB;IACpB,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC;IAC/C,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC;IACvC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAE1B,OAAO,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAe;IACnD,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAE/B,MAAM,GAAG,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC;IAEzE,gFAAgF;IAChF,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,qBAAqB,CAAC,CAAC;IAC5E,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,eAAe;IACf,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC/E,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,6BAA6B,KAAK,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,YAAY;IACZ,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtD,MAAM,IAAI,CAAC,CAAC;IACZ,IAAI,MAAM,GAAG,QAAQ,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC;IAChF,MAAM,IAAI,QAAQ,CAAC;IAEnB,wBAAwB;IACxB,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC;IACjD,MAAM,IAAI,EAAE,CAAC;IAEb,2BAA2B;IAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC;IACnD,MAAM,IAAI,EAAE,CAAC;IAEb,MAAM;IACN,IAAI,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACpD,MAAM,IAAI,CAAC,CAAC;IACZ,IAAI,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC;IAEzE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAe;IACnD,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;IAC/B,OAAO,CAAC,CAAC,kBAAkB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;AAC7C,CAAC"}

package/dist/ratchet.d.ts

@@ -0,0 +1,34 @@
+export declare const KEY_ROTATION_INTERVAL = 50;
+export interface RatchetState {
+    sendChainKey: Uint8Array;
+    recvChainKey: Uint8Array;
+    sendCounter: number;
+    recvCounter: number;
+    /** Highest received counter for replay protection */
+    maxRecvCounter: number;
+}
+/**
+ * Initialize a ratchet state from derived session keys.
+ */
+export declare function initRatchet(sendKey: Uint8Array, recvKey: Uint8Array): RatchetState;
+/**
+ * Encrypt a message and advance the send ratchet.
+ */
+export declare function ratchetEncrypt(state: RatchetState, plaintext: Uint8Array): Promise<{
+    ciphertext: Uint8Array;
+    nonce: Uint8Array;
+    counter: number;
+    state: RatchetState;
+}>;
+/**
+ * Decrypt a message and advance the receive ratchet.
+ */
+export declare function ratchetDecrypt(state: RatchetState, ciphertext: Uint8Array, nonce: Uint8Array, counter: number): Promise<{
+    plaintext: Uint8Array;
+    state: RatchetState;
+}>;
+/**
+ * Check if key rotation is needed.
+ */
+export declare function needsKeyRotation(state: RatchetState): boolean;
+//# sourceMappingURL=ratchet.d.ts.map

package/dist/ratchet.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ratchet.d.ts","sourceRoot":"","sources":["../src/ratchet.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,qBAAqB,KAAK,CAAC;AAExC,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,UAAU,CAAC;IACzB,YAAY,EAAE,UAAU,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,GAAG,YAAY,CAQlF;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,YAAY,EACnB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,KAAK,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,YAAY,CAAA;CAAE,CAAC,CAgB9F;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,YAAY,EACnB,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,UAAU,EACjB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,SAAS,EAAE,UAAU,CAAC;IAAC,KAAK,EAAE,YAAY,CAAA;CAAE,CAAC,CA2CzD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAE7D"}

package/dist/ratchet.js

@@ -0,0 +1,91 @@
+import { deriveChainKey } from './hkdf.js';
+import { encrypt, decrypt } from './cipher.js';
+export const KEY_ROTATION_INTERVAL = 50;
+/**
+ * Initialize a ratchet state from derived session keys.
+ */
+export function initRatchet(sendKey, recvKey) {
+    return {
+        sendChainKey: sendKey,
+        recvChainKey: recvKey,
+        sendCounter: 0,
+        recvCounter: 0,
+        maxRecvCounter: -1,
+    };
+}
+/**
+ * Encrypt a message and advance the send ratchet.
+ */
+export async function ratchetEncrypt(state, plaintext) {
+    const { messageKey, nextChainKey } = await deriveChainKey(state.sendChainKey);
+    const counter = state.sendCounter;
+    // Build AAD: counter as 4-byte big-endian
+    const aad = buildAAD(1, counter);
+    const { nonce, ciphertext } = await encrypt(plaintext, messageKey, aad);
+    const newState = {
+        ...state,
+        sendChainKey: nextChainKey,
+        sendCounter: counter + 1,
+    };
+    return { ciphertext, nonce, counter, state: newState };
+}
+/**
+ * Decrypt a message and advance the receive ratchet.
+ */
+export async function ratchetDecrypt(state, ciphertext, nonce, counter) {
+    // Replay protection: reject messages with counter <= maxRecvCounter
+    if (counter <= state.maxRecvCounter) {
+        throw new Error(`Replay attack detected: counter ${counter} <= ${state.maxRecvCounter}`);
+    }
+    // Prevent DoS via excessively large counter gaps.
+    // Over a WebSocket (TCP-ordered), gaps should never exceed a few messages.
+    const MAX_COUNTER_GAP = 1000;
+    const gap = counter - state.recvCounter;
+    if (gap > MAX_COUNTER_GAP) {
+        throw new Error(`Counter gap too large: ${gap} (max ${MAX_COUNTER_GAP})`);
+    }
+    // Advance the recv chain to the correct counter
+    let chainKey = state.recvChainKey;
+    let currentCounter = state.recvCounter;
+    let messageKey;
+    while (currentCounter <= counter) {
+        const derived = await deriveChainKey(chainKey);
+        if (currentCounter === counter) {
+            messageKey = derived.messageKey;
+        }
+        chainKey = derived.nextChainKey;
+        currentCounter++;
+    }
+    if (!messageKey) {
+        throw new Error('Failed to derive message key');
+    }
+    const aad = buildAAD(1, counter);
+    const plaintext = await decrypt(ciphertext, nonce, messageKey, aad);
+    const newState = {
+        ...state,
+        recvChainKey: chainKey,
+        recvCounter: currentCounter,
+        maxRecvCounter: counter,
+    };
+    return { plaintext, state: newState };
+}
+/**
+ * Check if key rotation is needed.
+ */
+export function needsKeyRotation(state) {
+    return state.sendCounter > 0 && state.sendCounter % KEY_ROTATION_INTERVAL === 0;
+}
+/**
+ * Build AAD bytes: version (1 byte) + type (1 byte) + counter (4 bytes BE)
+ */
+function buildAAD(version, counter) {
+    const aad = new Uint8Array(6);
+    aad[0] = version;
+    aad[1] = 0x01; // message type
+    aad[2] = (counter >>> 24) & 0xff;
+    aad[3] = (counter >>> 16) & 0xff;
+    aad[4] = (counter >>> 8) & 0xff;
+    aad[5] = counter & 0xff;
+    return aad;
+}
+//# sourceMappingURL=ratchet.js.map

package/dist/ratchet.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ratchet.js","sourceRoot":"","sources":["../src/ratchet.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE/C,MAAM,CAAC,MAAM,qBAAqB,GAAG,EAAE,CAAC;AAWxC;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAmB,EAAE,OAAmB;IAClE,OAAO;QACL,YAAY,EAAE,OAAO;QACrB,YAAY,EAAE,OAAO;QACrB,WAAW,EAAE,CAAC;QACd,WAAW,EAAE,CAAC;QACd,cAAc,EAAE,CAAC,CAAC;KACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAmB,EACnB,SAAqB;IAErB,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAC9E,MAAM,OAAO,GAAG,KAAK,CAAC,WAAW,CAAC;IAElC,0CAA0C;IAC1C,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAEjC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,MAAM,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAExE,MAAM,QAAQ,GAAiB;QAC7B,GAAG,KAAK;QACR,YAAY,EAAE,YAAY;QAC1B,WAAW,EAAE,OAAO,GAAG,CAAC;KACzB,CAAC;IAEF,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAmB,EACnB,UAAsB,EACtB,KAAiB,EACjB,OAAe;IAEf,oEAAoE;IACpE,IAAI,OAAO,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,OAAO,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,kDAAkD;IAClD,2EAA2E;IAC3E,MAAM,eAAe,GAAG,IAAI,CAAC;IAC7B,MAAM,GAAG,GAAG,OAAO,GAAG,KAAK,CAAC,WAAW,CAAC;IACxC,IAAI,GAAG,GAAG,eAAe,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,SAAS,eAAe,GAAG,CAAC,CAAC;IAC5E,CAAC;IAED,gDAAgD;IAChD,IAAI,QAAQ,GAAG,KAAK,CAAC,YAAY,CAAC;IAClC,IAAI,cAAc,GAAG,KAAK,CAAC,WAAW,CAAC;IACvC,IAAI,UAAkC,CAAC;IAEvC,OAAO,cAAc,IAAI,OAAO,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,cAAc,KAAK,OAAO,EAAE,CAAC;YAC/B,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAClC,CAAC;QACD,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAC;QAChC,cAAc,EAAE,CAAC;IACnB,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAEpE,MAAM,QAAQ,GAAiB;QAC7B,GAAG,KAAK;QACR,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,cAAc;QAC3B,cAAc,EAAE,OAAO;KACxB,CAAC;IAEF,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAmB;IAClD,OAAO,KAAK,CAAC,WAAW,GAAG,CAAC,IAAI,KAAK,CAAC,WAAW,GAAG,qBAAqB,KAAK,CAAC,CAAC;AAClF,CAAC;AAED;;GAEG;AACH,SAAS,QAAQ,CAAC,OAAe,EAAE,OAAe;IAChD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,GAAG,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC;IACjB,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,eAAe;IAC9B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC;IACjC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC;IACjC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC;IAChC,GAAG,CAAC,CAAC,CAAC,GAAG,OAAO,GAAG,IAAI,CAAC;IACxB,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/utils.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Compute a human-readable fingerprint from two public keys for MITM verification.
+ * Keys are sorted lexicographically to ensure both parties produce the same fingerprint.
+ * Uses Blake2b-128 hash, formatted as uppercase hex groups: "XXXX-XXXX-..."
+ */
+export declare function computeFingerprint(pk1: Uint8Array, pk2: Uint8Array): Promise<string>;
+/**
+ * Encode a Uint8Array to a base64url string (no padding).
+ */
+export declare function toBase64Url(data: Uint8Array): Promise<string>;
+/**
+ * Decode a base64url string to a Uint8Array.
+ */
+export declare function fromBase64Url(str: string): Promise<Uint8Array>;
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,UAAU,GACd,OAAO,CAAC,MAAM,CAAC,CAcjB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnE;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAGpE"}