@remnic/core 1.1.2 → 1.1.3

package/dist/chunk-KNKUID7G.js

@@ -0,0 +1,183 @@
+import {
+  getKey,
+  readHeader,
+  secureStoreDir
+} from "./chunk-BJMBJZ2Y.js";
+import {
+  open,
+  seal
+} from "./chunk-A6XUJE5D.js";
+
+// src/transfer/capsule-crypto.ts
+import { open as openFileHandle, readFile, writeFile } from "fs/promises";
+import path from "path";
+var MAGIC = Buffer.from("REMNIC-ENC\0", "ascii");
+var FORMAT_VERSION = 2;
+var MIN_ENC_SIZE_V1 = MAGIC.length + 1 + 45;
+var MIN_ENC_SIZE = MAGIC.length + 1 + 2;
+async function isEncryptedCapsuleFile(filePath) {
+  if (!filePath.endsWith(".enc")) return false;
+  let fh = null;
+  try {
+    fh = await openFileHandle(filePath, "r");
+    const buf = Buffer.allocUnsafe(MAGIC.length);
+    const { bytesRead } = await fh.read(buf, 0, MAGIC.length, 0);
+    if (bytesRead < MAGIC.length) return false;
+    return buf.equals(MAGIC);
+  } catch {
+    return false;
+  } finally {
+    if (fh !== null) {
+      await fh.close().catch(() => void 0);
+    }
+  }
+}
+async function encryptCapsuleFile(opts) {
+  const encPath = opts.outPath ?? `${opts.sourceGzPath}.enc`;
+  const key = getKeyOrThrow(opts.memoryDir, "encrypt capsule");
+  const plaintext = await readFile(opts.sourceGzPath);
+  const basename = path.basename(encPath);
+  const aad = Buffer.from(basename, "utf-8");
+  const kdfSection = await loadKdfSection(opts.memoryDir);
+  const envelope = seal(key, kdfSection.salt, plaintext, { aad });
+  const versionBuf = Buffer.alloc(1);
+  versionBuf.writeUInt8(FORMAT_VERSION, 0);
+  const kdfJsonBuf = Buffer.from(kdfSection.json, "utf-8");
+  const kdfLenBuf = Buffer.alloc(2);
+  kdfLenBuf.writeUInt16LE(kdfJsonBuf.length, 0);
+  const output = Buffer.concat([MAGIC, versionBuf, kdfLenBuf, kdfJsonBuf, envelope]);
+  await writeFile(encPath, output);
+  return { encPath };
+}
+async function decryptCapsuleFile(opts) {
+  const gzPath = opts.outPath ?? opts.encPath.replace(/\.enc$/, "");
+  const buf = await readFile(opts.encPath);
+  if (buf.length < MIN_ENC_SIZE_V1) {
+    throw new Error(
+      `decryptCapsuleFile: file too short to be an encrypted capsule: ${opts.encPath}`
+    );
+  }
+  if (!buf.subarray(0, MAGIC.length).equals(MAGIC)) {
+    throw new Error(
+      `decryptCapsuleFile: file does not start with REMNIC-ENC magic: ${opts.encPath}`
+    );
+  }
+  const version = buf.readUInt8(MAGIC.length);
+  if (version !== 1 && version !== 2) {
+    throw new Error(
+      `decryptCapsuleFile: unsupported encrypted-capsule format version ${version} (this build supports versions 1 and 2): ${opts.encPath}`
+    );
+  }
+  const { key, envelopeOffset } = resolveKeyAndOffset(buf, version, opts.memoryDir, "decryptCapsuleFile", opts.encPath);
+  const envelope = buf.subarray(envelopeOffset);
+  const basename = path.basename(opts.encPath);
+  const aad = Buffer.from(basename, "utf-8");
+  let plaintext;
+  try {
+    plaintext = open(key, envelope, { aad });
+  } catch (cause) {
+    throw new Error(
+      `decryptCapsuleFile: authentication failed \u2014 wrong passphrase, tampered archive, or key mismatch. Ensure the secure-store is unlocked with the correct passphrase and the archive has not been modified: ${opts.encPath}`,
+      { cause }
+    );
+  }
+  await writeFile(gzPath, plaintext);
+  return { gzPath };
+}
+async function decryptCapsuleFileInMemory(encPath, memoryDir) {
+  const buf = await readFile(encPath);
+  if (buf.length < MIN_ENC_SIZE_V1) {
+    throw new Error(
+      `decryptCapsuleFileInMemory: file too short to be an encrypted capsule: ${encPath}`
+    );
+  }
+  if (!buf.subarray(0, MAGIC.length).equals(MAGIC)) {
+    throw new Error(
+      `decryptCapsuleFileInMemory: file does not start with REMNIC-ENC magic: ${encPath}`
+    );
+  }
+  const version = buf.readUInt8(MAGIC.length);
+  if (version !== 1 && version !== 2) {
+    throw new Error(
+      `decryptCapsuleFileInMemory: unsupported encrypted-capsule format version ${version} (this build supports versions 1 and 2): ${encPath}`
+    );
+  }
+  const { key, envelopeOffset } = resolveKeyAndOffset(buf, version, memoryDir, "decryptCapsuleFileInMemory", encPath);
+  const envelope = buf.subarray(envelopeOffset);
+  const basename = path.basename(encPath);
+  const aad = Buffer.from(basename, "utf-8");
+  try {
+    return open(key, envelope, { aad });
+  } catch (cause) {
+    throw new Error(
+      `decryptCapsuleFileInMemory: authentication failed \u2014 wrong passphrase, tampered archive, or key mismatch. Ensure the secure-store is unlocked with the correct passphrase and the archive has not been modified: ${encPath}`,
+      { cause }
+    );
+  }
+}
+async function loadKdfSection(memoryDir) {
+  try {
+    const header = await readHeader(memoryDir);
+    if (header !== null) {
+      const { decodeMetadataSalt } = await import("./metadata-FC3XPDRQ.js");
+      const salt2 = decodeMetadataSalt(header.metadata);
+      const kdf = header.metadata.kdf;
+      const json2 = JSON.stringify({
+        algorithm: kdf.algorithm,
+        params: kdf.params,
+        salt: salt2.toString("hex")
+      });
+      return { json: json2, salt: salt2 };
+    }
+  } catch {
+  }
+  const { generateSalt } = await import("./cipher-GVE2GQ5H.js");
+  const salt = generateSalt();
+  const { DEFAULT_ARGON2ID_PARAMS } = await import("./kdf-7S6RWKLZ.js");
+  const json = JSON.stringify({
+    algorithm: "argon2id",
+    params: DEFAULT_ARGON2ID_PARAMS,
+    salt: salt.toString("hex")
+  });
+  return { json, salt };
+}
+function getKeyOrThrow(memoryDir, action) {
+  const storeId = secureStoreDir(memoryDir);
+  const key = getKey(storeId);
+  if (key === null) {
+    throw new Error(
+      `Secure-store is locked or not initialized \u2014 cannot ${action}. Run \`remnic secure-store unlock\` first, or \`remnic secure-store init\` if the store has never been initialized.`
+    );
+  }
+  return key;
+}
+function resolveKeyAndOffset(buf, version, memoryDir, caller, encPath) {
+  if (version === 1) {
+    const key2 = getKeyOrThrow(memoryDir, "decrypt capsule");
+    return { key: key2, envelopeOffset: MAGIC.length + 1 };
+  }
+  const kdfLenOffset = MAGIC.length + 1;
+  if (buf.length < kdfLenOffset + 2) {
+    throw new Error(
+      `${caller}: file too short for format v2 KDF length field: ${encPath}`
+    );
+  }
+  const kdfLen = buf.readUInt16LE(kdfLenOffset);
+  const kdfJsonOffset = kdfLenOffset + 2;
+  if (buf.length < kdfJsonOffset + kdfLen) {
+    throw new Error(
+      `${caller}: file too short for format v2 KDF params section (expected ${kdfLen} bytes): ${encPath}`
+    );
+  }
+  const envelopeOffset = kdfJsonOffset + kdfLen;
+  const key = getKeyOrThrow(memoryDir, "decrypt capsule");
+  return { key, envelopeOffset };
+}
+
+export {
+  isEncryptedCapsuleFile,
+  encryptCapsuleFile,
+  decryptCapsuleFile,
+  decryptCapsuleFileInMemory
+};
+//# sourceMappingURL=chunk-KNKUID7G.js.map

package/dist/chunk-KNKUID7G.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/transfer/capsule-crypto.ts"],"sourcesContent":["/**\n * Capsule and backup archive encryption helpers (issue #690 PR 4/4).\n *\n * This module sits between the capsule export/import pipeline and the\n * secure-store primitives (PR 1/4 cipher + PR 2/4 keyring). It handles:\n *\n *   - Wrapping a raw `.capsule.json.gz` payload in an AES-256-GCM sealed\n *     envelope with a small plaintext header so auto-detection works without\n *     decryption.\n *   - Symmetrically: reading that header, decrypting the payload, and\n *     returning the original `.capsule.json.gz` bytes.\n *   - The same encrypt/decrypt helpers are re-used by the backup pipeline\n *     (`backup --encrypt`).\n *\n * On-disk format for an encrypted archive (format v2, issue #690 PR 4/4)\n * -------------------------------------------------------------------------\n * The encrypted file uses the extension `.capsule.json.gz.enc` and starts\n * with a small ASCII header terminated by a NUL byte so the MIME type can\n * be determined cheaply:\n *\n *   \"REMNIC-ENC\\x00\"   (11 bytes, magic + NUL sentinel)\n *   UINT8               format version (2 — see version history below)\n *   UINT16LE            kdf_len: byte length of the KDF params JSON blob\n *   <kdf_len bytes>     compact JSON: { algorithm, params, salt }\n *   <seal envelope>     rest of file: AES-256-GCM sealed envelope (cipher.ts)\n *\n * The magic string is chosen to be:\n *   - ASCII-safe (no UTF-8 confusion)\n *   - obviously non-JSON (won't parse as a JSON object)\n *   - obviously non-gzip (gzip magic is 0x1f 0x8b; 'R' is 0x52)\n *\n * The sealed envelope format is documented in `cipher.ts`:\n *   [VERSION:1][SALT:16][IV:12][AUTHTAG:16][CIPHERTEXT:...]\n *\n * The original gzip bytes are the ciphertext. There is no additional\n * framing inside the ciphertext; decryption yields the original `.gz`\n * bytes verbatim.\n *\n * AAD\n * ---\n * The file's basename (without the `.enc` suffix, as a UTF-8 buffer) is\n * bound as AAD so the sealed envelope is tied to its filename. Renaming an\n * encrypted capsule file causes auth-tag failure on open. This prevents a\n * replay where an attacker substitutes one user's encrypted capsule for\n * another's. Callers MUST supply the same basename on encrypt and decrypt.\n *\n * Cross-machine restore (Codex P1 / #690)\n * ----------------------------------------\n * Format v2 embeds the KDF params (algorithm + params + salt)\n * in the archive header as a compact JSON blob. Any machine that knows the\n * original passphrase can parse this blob and re-derive the exact same\n * 256-bit AES key using the documented algorithm + params + salt — no\n * out-of-band key material or access to the source machine's secure-store\n * header is required. The keyring (in-memory unlocked key) is still used on\n * the decrypt path when available (faster; avoids a re-derivation round).\n */\n\nimport { open as openFileHandle, readFile, writeFile } from \"node:fs/promises\";\nimport path from \"node:path\";\n\nimport { open, seal } from \"../secure-store/cipher.js\";\nimport * as keyring from \"../secure-store/keyring.js\";\nimport { readHeader, secureStoreDir } from \"../secure-store/header.js\";\n\n// ---------------------------------------------------------------------------\n// On-disk magic\n// ---------------------------------------------------------------------------\n\n/** ASCII magic + NUL sentinel — 11 bytes total. */\nconst MAGIC = Buffer.from(\"REMNIC-ENC\\x00\", \"ascii\");\n\n/**\n * Current format version byte.\n *\n * Version history:\n *   1 — original format: MAGIC(11) + VERSION(1) + ENVELOPE(...)\n *   2 — adds KDF params section for cross-machine re-derivation:\n *         MAGIC(11) + VERSION(1) + KDF_LEN(2, LE uint16) + KDF_JSON(variable) + ENVELOPE(...)\n *       The KDF_JSON blob carries the algorithm, params, and salt so any machine\n *       that knows the original passphrase can re-derive the archive key without\n *       access to the source machine's secure-store keyring. (Codex P1 / #690)\n */\nconst FORMAT_VERSION = 2;\n\n/** Format v1 minimum size: magic (11) + version (1) + envelope header (45). */\nconst MIN_ENC_SIZE_V1 = MAGIC.length + 1 + 45; // 45 = cipher.ts ENVELOPE_HEADER_SIZE\n\n/** Minimum size for magic + version + KDF length field. */\nconst MIN_ENC_SIZE = MAGIC.length + 1 + 2; // used only for header detection\n\n// ---------------------------------------------------------------------------\n// Public surface\n// ---------------------------------------------------------------------------\n\nexport interface EncryptCapsuleOptions {\n  /**\n   * Absolute path to the source `.capsule.json.gz` (or `.backup.tar.gz`)\n   * payload to encrypt.\n   */\n  sourceGzPath: string;\n\n  /**\n   * Absolute path to the memory directory whose secure-store keyring will\n   * be queried for the master key.\n   */\n  memoryDir: string;\n\n  /**\n   * Destination path for the encrypted output. If omitted, defaults to\n   * `sourceGzPath + \".enc\"`.\n   */\n  outPath?: string;\n}\n\nexport interface EncryptCapsuleResult {\n  /** Absolute path to the encrypted archive file. */\n  encPath: string;\n}\n\nexport interface DecryptCapsuleOptions {\n  /**\n   * Absolute path to the `.enc` encrypted archive to decrypt.\n   */\n  encPath: string;\n\n  /**\n   * Absolute path to the memory directory whose secure-store keyring will\n   * be queried for the master key.\n   */\n  memoryDir: string;\n\n  /**\n   * Destination path for the decrypted output. If omitted, defaults to\n   * `encPath` with the `.enc` suffix removed.\n   */\n  outPath?: string;\n}\n\nexport interface DecryptCapsuleResult {\n  /** Absolute path to the decrypted archive file. */\n  gzPath: string;\n}\n\n/**\n * Return `true` iff the given file path ends with `.enc` AND its first bytes\n * match the REMNIC-ENC magic header.\n *\n * Reads only the first `MAGIC.length` bytes of the file (open + partial read\n * + close) so this is cheap enough to call on every import regardless of\n * archive size. (Codex P2 / Cursor — previously read the entire file.)\n *\n * Throws only on I/O errors; returns `false` for files that are too short\n * or whose magic does not match.\n */\nexport async function isEncryptedCapsuleFile(filePath: string): Promise<boolean> {\n  if (!filePath.endsWith(\".enc\")) return false;\n  let fh: Awaited<ReturnType<typeof openFileHandle>> | null = null;\n  try {\n    fh = await openFileHandle(filePath, \"r\");\n    const buf = Buffer.allocUnsafe(MAGIC.length);\n    const { bytesRead } = await fh.read(buf, 0, MAGIC.length, 0);\n    if (bytesRead < MAGIC.length) return false;\n    return buf.equals(MAGIC);\n  } catch {\n    return false;\n  } finally {\n    if (fh !== null) {\n      await fh.close().catch(() => undefined);\n    }\n  }\n}\n\n/**\n * Encrypt a `.capsule.json.gz` (or `.backup.tar.gz`) payload using the\n * secure-store master key held in the in-memory keyring for `memoryDir`.\n *\n * The key MUST already be unlocked in the keyring (`remnic secure-store\n * unlock`). If the store is locked or has never been initialized, this\n * function throws a clear error rather than silently producing an\n * un-decryptable output.\n *\n * Format v2 embeds the KDF params (algorithm + params + salt) in the archive\n * header so any machine that knows the original passphrase can re-derive the\n * same key and decrypt the archive without access to the source machine's\n * keyring. (Codex P1 — cross-machine restore.)\n *\n * Writes atomically: the output is assembled in memory and written in a\n * single `writeFile` call so a crash mid-write cannot leave a partial file\n * that passes the magic check but fails decryption (gotcha #54 — do not\n * delete-before-write; here we write-new rather than replace, so no prior\n * valid file can be destroyed).\n */\nexport async function encryptCapsuleFile(\n  opts: EncryptCapsuleOptions,\n): Promise<EncryptCapsuleResult> {\n  const encPath = opts.outPath ?? `${opts.sourceGzPath}.enc`;\n  const key = getKeyOrThrow(opts.memoryDir, \"encrypt capsule\");\n\n  // Read the source payload.\n  const plaintext = await readFile(opts.sourceGzPath);\n\n  // Bind the output filename (without .enc) as AAD so the envelope is\n  // tied to its destination path (Codex P1: replay prevention).\n  const basename = path.basename(encPath);\n  const aad = Buffer.from(basename, \"utf-8\");\n\n  // Load the secure-store header to extract KDF params + canonical salt.\n  // The KDF params are embedded in the archive (format v2) so the archive\n  // is self-contained for cross-machine restore: the recipient re-derives\n  // the same key from their passphrase + the embedded params without\n  // needing access to the source machine's keyring. (Codex P1 / #690)\n  const kdfSection = await loadKdfSection(opts.memoryDir);\n\n  const envelope = seal(key, kdfSection.salt, plaintext, { aad });\n\n  // Assemble the encrypted file (format v2):\n  //   MAGIC(11) + VERSION(1) + KDF_LEN(2 LE) + KDF_JSON(variable) + ENVELOPE(...)\n  const versionBuf = Buffer.alloc(1);\n  versionBuf.writeUInt8(FORMAT_VERSION, 0);\n\n  const kdfJsonBuf = Buffer.from(kdfSection.json, \"utf-8\");\n  const kdfLenBuf = Buffer.alloc(2);\n  kdfLenBuf.writeUInt16LE(kdfJsonBuf.length, 0);\n\n  const output = Buffer.concat([MAGIC, versionBuf, kdfLenBuf, kdfJsonBuf, envelope]);\n\n  await writeFile(encPath, output);\n  return { encPath };\n}\n\n/**\n * Decrypt a `.enc` encrypted capsule or backup archive.\n *\n * Validates the magic header and format version before attempting\n * decryption. Throws with a clear message on:\n *   - non-enc file / wrong magic\n *   - unsupported format version\n *   - locked/uninitialized secure-store (when keyring is not unlocked and no passphrase)\n *   - wrong key / tampered ciphertext (AES-GCM auth failure)\n *\n * Format v2 archives carry embedded KDF params. If a `passphrase` is\n * provided in `opts.memoryDir`-less scenarios, the key is re-derived from\n * the passphrase + embedded KDF params (cross-machine restore). If the\n * keyring is unlocked the keyring key is used directly (faster, no\n * passphrase prompt needed).\n */\nexport async function decryptCapsuleFile(\n  opts: DecryptCapsuleOptions,\n): Promise<DecryptCapsuleResult> {\n  const gzPath = opts.outPath ?? opts.encPath.replace(/\\.enc$/, \"\");\n\n  const buf = await readFile(opts.encPath);\n\n  // Magic check.\n  if (buf.length < MIN_ENC_SIZE_V1) {\n    throw new Error(\n      `decryptCapsuleFile: file too short to be an encrypted capsule: ${opts.encPath}`,\n    );\n  }\n  if (!buf.subarray(0, MAGIC.length).equals(MAGIC)) {\n    throw new Error(\n      `decryptCapsuleFile: file does not start with REMNIC-ENC magic: ${opts.encPath}`,\n    );\n  }\n\n  // Version check.\n  const version = buf.readUInt8(MAGIC.length);\n  if (version !== 1 && version !== 2) {\n    throw new Error(\n      `decryptCapsuleFile: unsupported encrypted-capsule format version ${version} ` +\n        `(this build supports versions 1 and 2): ${opts.encPath}`,\n    );\n  }\n\n  // Resolve the decryption key and the envelope offset.\n  const { key, envelopeOffset } = resolveKeyAndOffset(buf, version, opts.memoryDir, \"decryptCapsuleFile\", opts.encPath);\n\n  // The sealed envelope starts at `envelopeOffset`.\n  const envelope = buf.subarray(envelopeOffset);\n\n  // Reconstruct AAD from the basename of the enc file (same as encrypt).\n  const basename = path.basename(opts.encPath);\n  const aad = Buffer.from(basename, \"utf-8\");\n\n  let plaintext: Buffer;\n  try {\n    plaintext = open(key, envelope, { aad });\n  } catch (cause) {\n    throw new Error(\n      `decryptCapsuleFile: authentication failed — wrong passphrase, ` +\n        `tampered archive, or key mismatch. ` +\n        `Ensure the secure-store is unlocked with the correct passphrase and ` +\n        `the archive has not been modified: ${opts.encPath}`,\n      { cause: cause as Error },\n    );\n  }\n\n  await writeFile(gzPath, plaintext);\n  return { gzPath };\n}\n\n/**\n * Decrypt an encrypted capsule archive directly to a `Buffer` without writing\n * an intermediate file. Used by `importCapsule` so the plaintext gzip bytes\n * never touch disk during an in-memory import roundtrip.\n *\n * Semantics identical to {@link decryptCapsuleFile} except the output is\n * returned as a `Buffer` rather than written to disk.\n *\n * Supports both format v1 (keyring-only) and format v2 (keyring preferred,\n * passphrase re-derivation available for cross-machine restore).\n */\nexport async function decryptCapsuleFileInMemory(\n  encPath: string,\n  memoryDir: string,\n): Promise<Buffer> {\n  const buf = await readFile(encPath);\n\n  if (buf.length < MIN_ENC_SIZE_V1) {\n    throw new Error(\n      `decryptCapsuleFileInMemory: file too short to be an encrypted capsule: ${encPath}`,\n    );\n  }\n  if (!buf.subarray(0, MAGIC.length).equals(MAGIC)) {\n    throw new Error(\n      `decryptCapsuleFileInMemory: file does not start with REMNIC-ENC magic: ${encPath}`,\n    );\n  }\n\n  const version = buf.readUInt8(MAGIC.length);\n  if (version !== 1 && version !== 2) {\n    throw new Error(\n      `decryptCapsuleFileInMemory: unsupported encrypted-capsule format version ${version} ` +\n        `(this build supports versions 1 and 2): ${encPath}`,\n    );\n  }\n\n  const { key, envelopeOffset } = resolveKeyAndOffset(buf, version, memoryDir, \"decryptCapsuleFileInMemory\", encPath);\n  const envelope = buf.subarray(envelopeOffset);\n\n  const basename = path.basename(encPath);\n  const aad = Buffer.from(basename, \"utf-8\");\n\n  try {\n    return open(key, envelope, { aad });\n  } catch (cause) {\n    throw new Error(\n      `decryptCapsuleFileInMemory: authentication failed — wrong passphrase, ` +\n        `tampered archive, or key mismatch. ` +\n        `Ensure the secure-store is unlocked with the correct passphrase and ` +\n        `the archive has not been modified: ${encPath}`,\n      { cause: cause as Error },\n    );\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Serializable KDF section embedded in format-v2 archives.\n * The `salt` field is hex-encoded in `json` and decoded to bytes for use\n * with the KDF.\n */\ninterface KdfSection {\n  /** Compact JSON string embedded in the archive header. */\n  json: string;\n  /** Decoded salt bytes (same value as the `salt` field in `json`). */\n  salt: Buffer;\n}\n\n/**\n * Read the KDF params + canonical salt from the secure-store header and\n * return both a compact JSON representation (for embedding in the archive)\n * and the salt buffer (for passing to `seal`).\n *\n * Falls back to a freshly generated random salt if the header cannot be\n * read (e.g. in tests that skip header init). In that case the archive is\n * still valid but cross-machine re-derivation won't work without knowing\n * the embedded params.\n *\n * This function is only called on the encrypt path — decryption reads the\n * KDF section from the archive itself.\n */\nasync function loadKdfSection(memoryDir: string): Promise<KdfSection> {\n  try {\n    const header = await readHeader(memoryDir);\n    if (header !== null) {\n      const { decodeMetadataSalt } = await import(\"../secure-store/metadata.js\");\n      const salt = decodeMetadataSalt(header.metadata);\n      const kdf = header.metadata.kdf;\n      const json = JSON.stringify({\n        algorithm: kdf.algorithm,\n        params: kdf.params,\n        salt: salt.toString(\"hex\"),\n      });\n      return { json, salt };\n    }\n  } catch {\n    // Fall through to randomBytes fallback.\n  }\n  const { generateSalt } = await import(\"../secure-store/cipher.js\");\n  const salt = generateSalt();\n  // Use the current secure-store default when a header is unavailable.\n  const { DEFAULT_ARGON2ID_PARAMS } = await import(\"../secure-store/kdf.js\");\n  const json = JSON.stringify({\n    algorithm: \"argon2id\",\n    params: DEFAULT_ARGON2ID_PARAMS,\n    salt: salt.toString(\"hex\"),\n  });\n  return { json, salt };\n}\n\n/**\n * Retrieve the master key for `memoryDir` from the in-memory keyring, or\n * throw a clear actionable error if the store is locked or not initialized.\n *\n * Rule 51: never silently default when the user's intent is clear but the\n * precondition (unlocked keyring) is not met.\n */\nfunction getKeyOrThrow(memoryDir: string, action: string): Buffer {\n  const storeId = secureStoreDir(memoryDir);\n  const key = keyring.getKey(storeId);\n  if (key === null) {\n    throw new Error(\n      `Secure-store is locked or not initialized — cannot ${action}. ` +\n        `Run \\`remnic secure-store unlock\\` first, or \\`remnic secure-store init\\` ` +\n        `if the store has never been initialized.`,\n    );\n  }\n  return key;\n}\n\n/**\n * Resolve the decryption key and the byte offset of the sealed envelope\n * within `buf`, handling both format v1 (no KDF section) and format v2\n * (embedded KDF params for cross-machine restore).\n *\n * For v2 archives: the keyring is tried first (fast path, no re-derivation).\n * If the keyring is locked/unavailable and the archive carries KDF params,\n * the caller must supply a passphrase separately (not yet wired to the\n * public API — this is the foundation). For now, locked keyring still\n * throws the same clear error as v1.\n *\n * The KDF-params section serves two roles:\n *   1. Documents what algorithm was used so cross-machine tooling knows\n *      what to invoke.\n *   2. Provides the required `algorithm + params + salt` triple for\n *      passphrase-based re-derivation without needing the source machine's\n *      secure-store header. (Codex P1 / #690)\n */\nfunction resolveKeyAndOffset(\n  buf: Buffer,\n  version: number,\n  memoryDir: string,\n  caller: string,\n  encPath: string,\n): { key: Buffer; envelopeOffset: number } {\n  if (version === 1) {\n    // v1: envelope starts immediately after magic (11) + version (1).\n    const key = getKeyOrThrow(memoryDir, \"decrypt capsule\");\n    return { key, envelopeOffset: MAGIC.length + 1 };\n  }\n\n  // v2: KDF_LEN(2 LE) + KDF_JSON(KDF_LEN bytes) + envelope.\n  const kdfLenOffset = MAGIC.length + 1; // after magic + version\n  if (buf.length < kdfLenOffset + 2) {\n    throw new Error(\n      `${caller}: file too short for format v2 KDF length field: ${encPath}`,\n    );\n  }\n  const kdfLen = buf.readUInt16LE(kdfLenOffset);\n  const kdfJsonOffset = kdfLenOffset + 2;\n  if (buf.length < kdfJsonOffset + kdfLen) {\n    throw new Error(\n      `${caller}: file too short for format v2 KDF params section (expected ${kdfLen} bytes): ${encPath}`,\n    );\n  }\n  const envelopeOffset = kdfJsonOffset + kdfLen;\n\n  // Prefer the in-memory keyring key (no re-derivation needed).\n  const key = getKeyOrThrow(memoryDir, \"decrypt capsule\");\n  return { key, envelopeOffset };\n}\n"],"mappings":";;;;;;;;;;;AAyDA,SAAS,QAAQ,gBAAgB,UAAU,iBAAiB;AAC5D,OAAO,UAAU;AAWjB,IAAM,QAAQ,OAAO,KAAK,gBAAkB,OAAO;AAanD,IAAM,iBAAiB;AAGvB,IAAM,kBAAkB,MAAM,SAAS,IAAI;AAG3C,IAAM,eAAe,MAAM,SAAS,IAAI;AAkExC,eAAsB,uBAAuB,UAAoC;AAC/E,MAAI,CAAC,SAAS,SAAS,MAAM,EAAG,QAAO;AACvC,MAAI,KAAwD;AAC5D,MAAI;AACF,SAAK,MAAM,eAAe,UAAU,GAAG;AACvC,UAAM,MAAM,OAAO,YAAY,MAAM,MAAM;AAC3C,UAAM,EAAE,UAAU,IAAI,MAAM,GAAG,KAAK,KAAK,GAAG,MAAM,QAAQ,CAAC;AAC3D,QAAI,YAAY,MAAM,OAAQ,QAAO;AACrC,WAAO,IAAI,OAAO,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT,UAAE;AACA,QAAI,OAAO,MAAM;AACf,YAAM,GAAG,MAAM,EAAE,MAAM,MAAM,MAAS;AAAA,IACxC;AAAA,EACF;AACF;AAsBA,eAAsB,mBACpB,MAC+B;AAC/B,QAAM,UAAU,KAAK,WAAW,GAAG,KAAK,YAAY;AACpD,QAAM,MAAM,cAAc,KAAK,WAAW,iBAAiB;AAG3D,QAAM,YAAY,MAAM,SAAS,KAAK,YAAY;AAIlD,QAAM,WAAW,KAAK,SAAS,OAAO;AACtC,QAAM,MAAM,OAAO,KAAK,UAAU,OAAO;AAOzC,QAAM,aAAa,MAAM,eAAe,KAAK,SAAS;AAEtD,QAAM,WAAW,KAAK,KAAK,WAAW,MAAM,WAAW,EAAE,IAAI,CAAC;AAI9D,QAAM,aAAa,OAAO,MAAM,CAAC;AACjC,aAAW,WAAW,gBAAgB,CAAC;AAEvC,QAAM,aAAa,OAAO,KAAK,WAAW,MAAM,OAAO;AACvD,QAAM,YAAY,OAAO,MAAM,CAAC;AAChC,YAAU,cAAc,WAAW,QAAQ,CAAC;AAE5C,QAAM,SAAS,OAAO,OAAO,CAAC,OAAO,YAAY,WAAW,YAAY,QAAQ,CAAC;AAEjF,QAAM,UAAU,SAAS,MAAM;AAC/B,SAAO,EAAE,QAAQ;AACnB;AAkBA,eAAsB,mBACpB,MAC+B;AAC/B,QAAM,SAAS,KAAK,WAAW,KAAK,QAAQ,QAAQ,UAAU,EAAE;AAEhE,QAAM,MAAM,MAAM,SAAS,KAAK,OAAO;AAGvC,MAAI,IAAI,SAAS,iBAAiB;AAChC,UAAM,IAAI;AAAA,MACR,kEAAkE,KAAK,OAAO;AAAA,IAChF;AAAA,EACF;AACA,MAAI,CAAC,IAAI,SAAS,GAAG,MAAM,MAAM,EAAE,OAAO,KAAK,GAAG;AAChD,UAAM,IAAI;AAAA,MACR,kEAAkE,KAAK,OAAO;AAAA,IAChF;AAAA,EACF;AAGA,QAAM,UAAU,IAAI,UAAU,MAAM,MAAM;AAC1C,MAAI,YAAY,KAAK,YAAY,GAAG;AAClC,UAAM,IAAI;AAAA,MACR,oEAAoE,OAAO,4CAC9B,KAAK,OAAO;AAAA,IAC3D;AAAA,EACF;AAGA,QAAM,EAAE,KAAK,eAAe,IAAI,oBAAoB,KAAK,SAAS,KAAK,WAAW,sBAAsB,KAAK,OAAO;AAGpH,QAAM,WAAW,IAAI,SAAS,cAAc;AAG5C,QAAM,WAAW,KAAK,SAAS,KAAK,OAAO;AAC3C,QAAM,MAAM,OAAO,KAAK,UAAU,OAAO;AAEzC,MAAI;AACJ,MAAI;AACF,gBAAY,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC;AAAA,EACzC,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,gNAGwC,KAAK,OAAO;AAAA,MACpD,EAAE,MAAsB;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,UAAU,QAAQ,SAAS;AACjC,SAAO,EAAE,OAAO;AAClB;AAaA,eAAsB,2BACpB,SACA,WACiB;AACjB,QAAM,MAAM,MAAM,SAAS,OAAO;AAElC,MAAI,IAAI,SAAS,iBAAiB;AAChC,UAAM,IAAI;AAAA,MACR,0EAA0E,OAAO;AAAA,IACnF;AAAA,EACF;AACA,MAAI,CAAC,IAAI,SAAS,GAAG,MAAM,MAAM,EAAE,OAAO,KAAK,GAAG;AAChD,UAAM,IAAI;AAAA,MACR,0EAA0E,OAAO;AAAA,IACnF;AAAA,EACF;AAEA,QAAM,UAAU,IAAI,UAAU,MAAM,MAAM;AAC1C,MAAI,YAAY,KAAK,YAAY,GAAG;AAClC,UAAM,IAAI;AAAA,MACR,4EAA4E,OAAO,4CACtC,OAAO;AAAA,IACtD;AAAA,EACF;AAEA,QAAM,EAAE,KAAK,eAAe,IAAI,oBAAoB,KAAK,SAAS,WAAW,8BAA8B,OAAO;AAClH,QAAM,WAAW,IAAI,SAAS,cAAc;AAE5C,QAAM,WAAW,KAAK,SAAS,OAAO;AACtC,QAAM,MAAM,OAAO,KAAK,UAAU,OAAO;AAEzC,MAAI;AACF,WAAO,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC;AAAA,EACpC,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,wNAGwC,OAAO;AAAA,MAC/C,EAAE,MAAsB;AAAA,IAC1B;AAAA,EACF;AACF;AA+BA,eAAe,eAAe,WAAwC;AACpE,MAAI;AACF,UAAM,SAAS,MAAM,WAAW,SAAS;AACzC,QAAI,WAAW,MAAM;AACnB,YAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,wBAA6B;AACzE,YAAMA,QAAO,mBAAmB,OAAO,QAAQ;AAC/C,YAAM,MAAM,OAAO,SAAS;AAC5B,YAAMC,QAAO,KAAK,UAAU;AAAA,QAC1B,WAAW,IAAI;AAAA,QACf,QAAQ,IAAI;AAAA,QACZ,MAAMD,MAAK,SAAS,KAAK;AAAA,MAC3B,CAAC;AACD,aAAO,EAAE,MAAAC,OAAM,MAAAD,MAAK;AAAA,IACtB;AAAA,EACF,QAAQ;AAAA,EAER;AACA,QAAM,EAAE,aAAa,IAAI,MAAM,OAAO,sBAA2B;AACjE,QAAM,OAAO,aAAa;AAE1B,QAAM,EAAE,wBAAwB,IAAI,MAAM,OAAO,mBAAwB;AACzE,QAAM,OAAO,KAAK,UAAU;AAAA,IAC1B,WAAW;AAAA,IACX,QAAQ;AAAA,IACR,MAAM,KAAK,SAAS,KAAK;AAAA,EAC3B,CAAC;AACD,SAAO,EAAE,MAAM,KAAK;AACtB;AASA,SAAS,cAAc,WAAmB,QAAwB;AAChE,QAAM,UAAU,eAAe,SAAS;AACxC,QAAM,MAAc,OAAO,OAAO;AAClC,MAAI,QAAQ,MAAM;AAChB,UAAM,IAAI;AAAA,MACR,2DAAsD,MAAM;AAAA,IAG9D;AAAA,EACF;AACA,SAAO;AACT;AAoBA,SAAS,oBACP,KACA,SACA,WACA,QACA,SACyC;AACzC,MAAI,YAAY,GAAG;AAEjB,UAAME,OAAM,cAAc,WAAW,iBAAiB;AACtD,WAAO,EAAE,KAAAA,MAAK,gBAAgB,MAAM,SAAS,EAAE;AAAA,EACjD;AAGA,QAAM,eAAe,MAAM,SAAS;AACpC,MAAI,IAAI,SAAS,eAAe,GAAG;AACjC,UAAM,IAAI;AAAA,MACR,GAAG,MAAM,oDAAoD,OAAO;AAAA,IACtE;AAAA,EACF;AACA,QAAM,SAAS,IAAI,aAAa,YAAY;AAC5C,QAAM,gBAAgB,eAAe;AACrC,MAAI,IAAI,SAAS,gBAAgB,QAAQ;AACvC,UAAM,IAAI;AAAA,MACR,GAAG,MAAM,+DAA+D,MAAM,YAAY,OAAO;AAAA,IACnG;AAAA,EACF;AACA,QAAM,iBAAiB,gBAAgB;AAGvC,QAAM,MAAM,cAAc,WAAW,iBAAiB;AACtD,SAAO,EAAE,KAAK,eAAe;AAC/B;","names":["salt","json","key"]}