@secrecy/lib 1.74.2 → 1.75.0-feat-groups-identity.1

package/dist/lib/client/index.js

@@ -11,7 +11,9 @@ import { SecrecyPseudonymClient } from './SecrecyPseudonymClient.js';
 import { decryptAnonymous } from '../crypto/index.js';
 import { SecrecyOrganizationClient } from './SecrecyOrganizationClient.js';
 export class SecrecyClient extends BaseClient {
-    #keys;
+    #groupIdentities;
+    #uaIdentity;
+    #keyPairs;
     cloud;
     mail;
     app;
@@ -36,22 +38,53 @@ export class SecrecyClient extends BaseClient {
                 }
             },
         });
-        this.#keys = opts.uaKeys;
-        this.cloud = new SecrecyCloudClient(this, this.#keys, this.client);
-        this.mail = new SecrecyMailClient(this, this.#keys, this.client);
-        this.app = new SecrecyAppClient(opts.uaJwt, this, this.#keys, this.client);
-        this.db = new SecrecyDbClient(this, this.#keys, this.client);
-        this.organization = new SecrecyOrganizationClient(this, this.#keys, this.client);
+        this.#keyPairs = opts.keyPairs;
+        this.#groupIdentities = opts.identities.filter((i) => i.kind === 'GROUP');
+        const uaIdentities = opts.identities.filter((i) => i.kind === 'USER_APP');
+        if (uaIdentities.length !== 1) {
+            throw new Error('One USER_APP identity is required');
+        }
+        this.#uaIdentity = uaIdentities[0];
+        this.cloud = new SecrecyCloudClient(this);
+        this.mail = new SecrecyMailClient(this);
+        this.app = new SecrecyAppClient(opts.uaJwt, this);
+        this.db = new SecrecyDbClient(this);
+        this.organization = new SecrecyOrganizationClient(this);
         this.wallet = new SecrecyWalletClient(this);
-        this.pay = new SecrecyPayClient(this, this.#keys, this.client);
-        this.user = new SecrecyUserClient(this, this.#keys, this.client);
-        this.pseudonym = new SecrecyPseudonymClient(this, this.#keys, this.client);
+        this.pay = new SecrecyPayClient(this);
+        this.user = new SecrecyUserClient(this);
+        this.pseudonym = new SecrecyPseudonymClient(this);
     }
     get publicKey() {
-        return this.#keys.publicKey;
+        return this.#uaIdentity.identityPubKey;
+    }
+    get apiClient() {
+        return this.client;
+    }
+    get keyPairs() {
+        return this.#keyPairs;
+    }
+    getPrivateKey(pubKey) {
+        const privateKey = this.#keyPairs[pubKey];
+        if (privateKey === undefined) {
+            throw new Error(`Missing private key for public key ${pubKey}`);
+        }
+        return privateKey;
+    }
+    get uaPrivateKey() {
+        return this.getPrivateKey(this.#uaIdentity.identityPubKey);
+    }
+    get groupIdentities() {
+        return this.#groupIdentities;
+    }
+    get uaIdentity() {
+        return this.#uaIdentity;
     }
     decryptAnonymous(data) {
-        return decryptAnonymous(data, this.#keys);
+        return decryptAnonymous(data, {
+            publicKey: this.#uaIdentity.identityPubKey,
+            privateKey: this.uaPrivateKey,
+        });
     }
     async logout(sessionId) {
         nodesCache.clear();
@@ -59,4 +92,7 @@ export class SecrecyClient extends BaseClient {
         publicKeysCache.clear();
         await super.logout(sessionId);
     }
+    async getIdentities(input) {
+        return await this.client.identity.getMany.query(input);
+    }
 }

package/dist/lib/client/storage.js

@@ -1,7 +1,8 @@
 import { storeBuddy } from '../utils/store-buddy.js';
 export function getStorage(session) {
     const userAppSession = storeBuddy(`secrecy.user_app_session`, session).init(null);
-    const userAppKeys = storeBuddy(`secrecy.user_app_keys`, session).init(null);
+    const identities = storeBuddy(`secrecy.identities`, session).init(null);
+    const keyPairs = storeBuddy(`secrecy.key_pairs`, session).init(null);
     const jwt = storeBuddy(`secrecy.jwt`, session).init(null);
-    return { userAppKeys, userAppSession, jwt };
+    return { identities, keyPairs, userAppSession, jwt };
 }

package/dist/lib/client/types/identity.js

@@ -0,0 +1,18 @@
+import { z } from 'zod/v4';
+export const userAppSchema = z.object({
+    kind: z.literal('USER_APP'),
+    identityPubKey: z.string(),
+    userId: z.string(),
+    appId: z.string(),
+});
+export const groupSchema = z.object({
+    kind: z.literal('GROUP'),
+    identityPubKey: z.string(),
+    groupId: z.string(),
+    sharedByPubKey: z.string(),
+    groupOwnerPubKey: z.string(),
+});
+export const accessIdentitySchema = z.discriminatedUnion('kind', [
+    userAppSchema,
+    groupSchema,
+]);

package/dist/lib/client/types/index.js

@@ -1,13 +1,9 @@
 import { z } from 'zod';
-const keyPair = z
-    .object({
-    publicKey: z.string(),
-    privateKey: z.string(),
-})
-    .strict();
+import { accessIdentitySchema } from './identity.js';
 export const secrecyUserApp = z
     .object({
-    keys: keyPair,
+    identities: accessIdentitySchema.array(),
+    keyPairs: z.record(z.string(), z.string()),
     jwt: z.string(),
     uaSession: z.string(),
 })

package/dist/lib/client/upload.js

@@ -11,11 +11,11 @@ import { promiseAllLimit } from '../utils/promise.js';
 import { encryptDataAndKey } from '../crypto/domain.js';
 import { derivePassword, generatePassword } from '../crypto/helpers.js';
 import { decryptCryptoBox, encryptSecretBox } from '../crypto/index.js';
-export async function uploadData({ storageType, data, password, forcePassword = false, encrypted = true, encryptProgress, uploadProgress, signal, meta, keyPair, apiClient, }) {
+export async function uploadData({ storageType, data, password, forcePassword = false, encrypted = true, encryptProgress, uploadProgress, signal, meta, uaIdentity, keyPairs, apiClient, }) {
     if (!encrypted && (password || forcePassword)) {
         throw new Error('Cannot share unencrypted data with a password!');
     }
-    if (encrypted && !password && !forcePassword && !keyPair) {
+    if (encrypted && !password && !forcePassword && !uaIdentity) {
         throw new Error('Cannot share encrypted data without a password!');
     }
     apiClient ??= getTrpcGuestClient();
@@ -37,7 +37,7 @@ export async function uploadData({ storageType, data, password, forcePassword =
     if (storageType === 'lite' && dataBuffer.byteLength > kiloToBytes(1024)) {
         throw new Error('The data is too big for lite upload!');
     }
-    if (!keyPair && storageType === 'cold') {
+    if (!uaIdentity && storageType === 'cold') {
         throw new Error('Cold storage is only for logged users!');
     }
     const compressed = encrypted ? compress(dataBuffer) : dataBuffer;
@@ -45,7 +45,8 @@ export async function uploadData({ storageType, data, password, forcePassword =
         ? await encryptDataAndKey({
             data: compressed,
             progress: encryptProgress,
-            keyPair,
+            uaIdentity,
+            keyPairs,
             signal,
         })
         : {
@@ -73,13 +74,17 @@ export async function uploadData({ storageType, data, password, forcePassword =
                 key = dataKey;
             }
             else {
-                if (!keyPair) {
+                if (!uaIdentity) {
                     throw new Error('Unable to encrypt data without keyPair!');
                 }
                 if (!data.key) {
                     throw new Error('Unable to encrypt data without key!');
                 }
-                key = decryptCryptoBox(sodium.from_hex(data.key), data.keyPair.pub, keyPair.privateKey);
+                const priv = keyPairs?.[data.keyPair.pub];
+                if (typeof priv !== 'string') {
+                    throw new Error('Unable to encrypt data without keyPair!');
+                }
+                key = decryptCryptoBox(sodium.from_hex(data.key), data.keyPair.pub, priv);
             }
             // NOTE: Process to create a sharing for a auth client (todo: endpoint)
             return {
@@ -105,7 +110,6 @@ export async function uploadData({ storageType, data, password, forcePassword =
                 type: 'unencrypted',
                 content: Buffer.from(encryptedData),
                 md5: md5Data,
-                sizeEncrypted: undefined,
                 size: BigInt(dataBuffer.byteLength),
                 ...filetype,
             };
@@ -120,7 +124,9 @@ export async function uploadData({ storageType, data, password, forcePassword =
             id: uploadData.id,
             storageType: 'lite',
             size: uploadDataArgs.size,
-            sizeEncrypted: uploadDataArgs.sizeEncrypted ?? null,
+            sizeEncrypted: uploadDataArgs.type === 'encrypted'
+                ? uploadDataArgs.sizeEncrypted
+                : null,
             data: dataBuffer,
             ...filetype,
         };
@@ -145,7 +151,6 @@ export async function uploadData({ storageType, data, password, forcePassword =
                 type: 'unencrypted',
                 md5: md5Data,
                 size: BigInt(dataBuffer.byteLength),
-                sizeEncrypted: undefined,
                 ...filetype,
             };
         const uploadDataCaller = storageType === 's3'
@@ -155,12 +160,15 @@ export async function uploadData({ storageType, data, password, forcePassword =
             signal,
         });
         if (uploadData.parts.length === 0) {
-            if (uploadData.type === 'authed' &&
-                (typeof keyPair === 'undefined' ||
-                    typeof keyPair === 'string' ||
-                    uploadData.keyPair.pub !== keyPair.publicKey)) {
-                throw new Error('The public key does not match with cached key!');
-            }
+            // TODO why?
+            // if (
+            //   uploadData.type === 'authed' &&
+            //   (typeof uaIdentity === 'undefined' ||
+            //     typeof uaIdentity === 'string' ||
+            //     uploadData.keyPair.pub !== keyPair.publicKey)
+            // ) {
+            //   throw new Error('The public key does not match with cached key!')
+            // }
             await uploadProgress?.({
                 total: encryptedData.byteLength,
                 current: encryptedData.byteLength,
@@ -171,7 +179,9 @@ export async function uploadData({ storageType, data, password, forcePassword =
                 id: uploadData.id,
                 storageType: storageType,
                 size: uploadDataArgs.size,
-                sizeEncrypted: uploadDataArgs.sizeEncrypted ?? null,
+                sizeEncrypted: uploadDataArgs.type === 'encrypted'
+                    ? uploadDataArgs.sizeEncrypted
+                    : null,
                 data: dataBuffer,
                 ...filetype,
             };
@@ -231,7 +241,9 @@ export async function uploadData({ storageType, data, password, forcePassword =
             id: uploadData.id,
             storageType: storageType,
             size: uploadDataArgs.size,
-            sizeEncrypted: uploadDataArgs.sizeEncrypted ?? null,
+            sizeEncrypted: uploadDataArgs.type === 'encrypted'
+                ? uploadDataArgs.sizeEncrypted
+                : null,
             data: dataBuffer,
             ...filetype,
         };

package/dist/lib/crypto/domain.js

@@ -10,10 +10,10 @@ import { concatenate } from '../utils/array.js';
  * If a string is provided as keypair, it should be considered as guest with password case.
  * If keypair is not provided, then we generate a key to be used as password for guest too.
  */
-export async function encryptDataAndKey({ data, keyPair, progress, signal, }) {
+export async function encryptDataAndKey({ data, uaIdentity, keyPairs, progress, signal, }) {
     const dataKey = secretStreamKeygen();
     const { data: encryptedData, md5: md5Data, md5Encrypted, } = await encrypt(dataKey, data, progress, signal);
-    if (!keyPair) {
+    if (!uaIdentity || !keyPairs) {
         return {
             encryptedData,
             dataKey,
@@ -21,7 +21,11 @@ export async function encryptDataAndKey({ data, keyPair, progress, signal, }) {
             md5Encrypted,
         };
     }
-    const encDataKey = encryptCryptoBox(dataKey, keyPair.publicKey, keyPair.privateKey);
+    const priv = keyPairs[uaIdentity.identityPubKey];
+    if (!priv) {
+        throw new Error('No private key found for user app identity');
+    }
+    const encDataKey = encryptCryptoBox(dataKey, uaIdentity.identityPubKey, priv);
     return {
         encryptedDataKey: encDataKey,
         encryptedData,

package/dist/lib/index.js

@@ -1,6 +1,7 @@
 export * from './client/index.js';
 export * from './crypto/index.js';
 export { BaseClient } from './base-client.js';
+export * from './client/types/identity.js';
 export * from './client/helpers.js';
 export * from './sodium.js';
 export * from './utils/store-buddy.js';
@@ -8,3 +9,4 @@ export * from './error/index.js';
 export * from './client/download.js';
 export * from './client/upload.js';
 export { generatePassword } from './crypto/helpers.js';
+export * from './client/data-link.js';

package/dist/types/base-client.d.ts

@@ -24,6 +24,8 @@ export declare class BaseClient {
     me(): Promise<SelfUser>;
     static getUser(userId: string, opts?: CreateTrpcClientOptions): Promise<PublicUser>;
     getUser(userId: string): Promise<PublicUser>;
+    static getUsers(userIds: string[], opts?: CreateTrpcClientOptions): Promise<PublicUser[]>;
+    getUsers(userIds: string[]): Promise<PublicUser[]>;
     searchUsers(search: string): Promise<PublicUser[]>;
     updateProfile(data: RouterInputs['user']['updateProfile']): Promise<RouterOutputs['user']['updateProfile']>;
     static isCryptoTransactionDone({ idOrHash, network, opts, }: {

package/dist/types/client/SecrecyAppClient.d.ts

@@ -1,12 +1,11 @@
 import type { SecrecyClient, UserAppNotifications, UserAppSettings } from '../index.js';
 import type { JwtPayload } from 'jsonwebtoken';
-import { type RouterOutputs, type ApiClient, type RouterInputs } from '../client.js';
-import { type KeyPair } from './types/index.js';
+import { type RouterOutputs, type RouterInputs } from '../client.js';
 export declare class SecrecyAppClient {
     #private;
     jwt: string;
     jwtDecoded: JwtPayload;
-    constructor(uaJwt: string, _client: SecrecyClient, _keys: KeyPair, apiClient: ApiClient);
+    constructor(uaJwt: string, client: SecrecyClient);
     get userId(): string;
     get appId(): string;
     getJwt(): Promise<string>;

package/dist/types/client/SecrecyCloudClient.d.ts

@@ -1,11 +1,11 @@
 import type { ProgressCallback, SecrecyClient, UploadDataOptions } from '../index.js';
-import type { DataMetadata, DataStorageType, KeyPair, LocalData, Node, NodeFull, NodeType } from './types/index.js';
-import { type RouterInputs, type ApiClient, type RouterOutputs } from '../client.js';
+import type { DataMetadata, DataStorageType, LocalData, Node, NodeFull, NodeType } from './types/index.js';
 import { type Progress } from '../types.js';
+import { type RouterInputs, type RouterOutputs } from '../client.js';
 import { DownloadDataFromLinkOptions } from './data-link.js';
 export declare class SecrecyCloudClient {
     #private;
-    constructor(client: SecrecyClient, keys: KeyPair, apiClient: ApiClient);
+    constructor(client: SecrecyClient);
     addDataToHistory({ dataId, nodeId, }: {
         dataId: string;
         nodeId: string;
@@ -28,9 +28,9 @@ export declare class SecrecyCloudClient {
     deletedNodes(): Promise<Node[]>;
     sharedNodes(): Promise<Node[]>;
     nodesSharedWithMe(type?: NodeType): Promise<Node[]>;
-    deleteNodeSharing({ nodeId, userId, }: {
+    deleteNodeSharing({ nodeId, destPubKey, }: {
         nodeId: string;
-        userId: string;
+        destPubKey: string;
     }): Promise<boolean>;
     duplicateNode({ nodeId, folderId, name, }: {
         nodeId: string;
@@ -51,7 +51,7 @@ export declare class SecrecyCloudClient {
     dataMetadata({ id }: {
         id: string;
     }): Promise<DataMetadata>;
-    shareNode(input: RouterInputs['cloud']['shareNode'], progress?: ProgressCallback): Promise<RouterOutputs['cloud']['shareNodeFinish']>;
+    shareNode(accesses: RouterInputs['cloud']['shareNode']['accesses'], progress?: ProgressCallback): Promise<RouterOutputs['cloud']['shareNodeFinish']>;
     updateNode({ nodeId, name, isFavorite, deletedAt, }: {
         nodeId: string;
         name?: string | null | undefined;
@@ -93,7 +93,7 @@ export declare class SecrecyCloudClient {
         name: string;
         nodeId?: string;
     }): Promise<NodeFull>;
-    private readonly encryptNodesForUsers;
+    private readonly encryptNodesForIdentities;
     reportData({ id, reasons, }: Omit<RouterInputs['cloud']['reportData'], 'encryptedDataKey'>): Promise<RouterOutputs['cloud']['reportData']>;
     updateDataStorageType(input: RouterInputs['cloud']['moveToStorageType']): Promise<{
         isMoved: boolean;
@@ -126,32 +126,32 @@ export declare class SecrecyCloudClient {
         isMatching: false;
         details: {
             missingNodeAccesses: {
-                userId: string;
+                pubKey: string;
                 nodeId: string;
             }[];
             missingDataAccesses: {
-                userId: string;
+                pubKey: string;
                 nodeId: string;
                 dataId: string;
             }[];
             invalidRightsAccesses: {
-                userId: string;
+                pubKey: string;
                 nodeId: string;
                 expect: {
                     rights: "delete" | "read" | "write";
                 } & {
-                    addAccess?: "delete" | "read" | "write" | null | undefined;
-                    sharingAddAccess?: "delete" | "read" | "write" | null | undefined;
-                    delAccess?: "delete" | "read" | "write" | null | undefined;
-                    sharingDelAccess?: "delete" | "read" | "write" | null | undefined;
+                    addAccess: "delete" | "read" | "write" | null;
+                    sharingAddAccess: "delete" | "read" | "write" | null;
+                    delAccess: "delete" | "read" | "write" | null;
+                    sharingDelAccess: "delete" | "read" | "write" | null;
                 };
                 current: {
                     rights: "delete" | "read" | "write";
                 } & {
-                    addAccess?: "delete" | "read" | "write" | null | undefined;
-                    sharingAddAccess?: "delete" | "read" | "write" | null | undefined;
-                    delAccess?: "delete" | "read" | "write" | null | undefined;
-                    sharingDelAccess?: "delete" | "read" | "write" | null | undefined;
+                    addAccess: "delete" | "read" | "write" | null;
+                    sharingAddAccess: "delete" | "read" | "write" | null;
+                    delAccess: "delete" | "read" | "write" | null;
+                    sharingDelAccess: "delete" | "read" | "write" | null;
                 };
             }[];
         };

package/dist/types/client/SecrecyDbClient.d.ts

@@ -1,7 +1,5 @@
-import { type ApiClient } from '../client.js';
 import type { SecrecyClient } from '../index.js';
-import { type KeyPair } from './types/index.js';
 export declare class SecrecyDbClient {
     #private;
-    constructor(_client: SecrecyClient, _keys: KeyPair, apiClient: ApiClient);
+    constructor(client: SecrecyClient);
 }

package/dist/types/client/SecrecyMailClient.d.ts

@@ -1,10 +1,9 @@
-import { type ApiClient, type RouterInputs } from '../client.js';
+import { type RouterInputs } from '../client.js';
 import type { DraftMail, Mail, NewMail, ReceivedMail, SecrecyClient, SentMail, WaitingReceivedMail } from '../index.js';
-import { type KeyPair } from './types/index.js';
 import { type ApiMail } from './types/mail.js';
 export declare class SecrecyMailClient {
     #private;
-    constructor(client: SecrecyClient, keys: KeyPair, apiClient: ApiClient);
+    constructor(client: SecrecyClient);
     get({ id }: {
         id: string;
     }): Promise<Mail>;

package/dist/types/client/SecrecyOrganizationClient.d.ts

@@ -1,9 +1,8 @@
-import { RouterInputs, RouterOutputs, type ApiClient } from '../client.js';
+import { RouterInputs, RouterOutputs } from '../client.js';
 import type { SecrecyClient } from '../index.js';
-import { type KeyPair } from './types/index.js';
 export declare class SecrecyOrganizationClient {
     #private;
-    constructor(_client: SecrecyClient, _keys: KeyPair, apiClient: ApiClient);
+    constructor(client: SecrecyClient);
     create(input: RouterInputs['org']['create']): Promise<RouterOutputs['org']['create']>;
     update(input: Omit<RouterInputs['org']['update'], 'billingProfileStripeCustomerId'>): Promise<RouterOutputs['org']['update']>;
     addMember(input: RouterInputs['org']['addMember']): Promise<RouterOutputs['org']['addMember']>;

package/dist/types/client/SecrecyPayClient.d.ts

@@ -1,6 +1,4 @@
 import type { SecrecyClient } from '../index.js';
-import { type ApiClient } from '../client.js';
-import { type KeyPair } from './types/index.js';
 interface SuccessPayResponse<T> {
     success: true;
     data: T;
@@ -12,7 +10,7 @@ interface ErrorPayResponse {
 export type SecrecyPayResponse<T> = SuccessPayResponse<T> | ErrorPayResponse;
 export declare class SecrecyPayClient {
     #private;
-    constructor(client: SecrecyClient, _keys: KeyPair, _apiClient: ApiClient);
+    constructor(client: SecrecyClient);
     confirmPaymentIntent({ paymentIntentId, secrecyIdWhoCreatedPaymentIntent, secrecyIdWhoNeedToConfirmPaymentIntent, amount, currency, }: {
         paymentIntentId: string;
         secrecyIdWhoCreatedPaymentIntent: string;

package/dist/types/client/SecrecyPseudonymClient.d.ts

@@ -1,9 +1,8 @@
-import { type RouterInputs, type RouterOutputs, type ApiClient } from '../client.js';
+import { type RouterInputs, type RouterOutputs } from '../client.js';
 import type { SecrecyClient } from '../index.js';
-import { type KeyPair } from './types/index.js';
 export declare class SecrecyPseudonymClient {
     #private;
-    constructor(client: SecrecyClient, keys: KeyPair, apiClient: ApiClient);
+    constructor(client: SecrecyClient);
     askForLabel(input: RouterInputs['pseudonym']['askForLabel']): Promise<RouterOutputs['pseudonym']['askForLabel']>;
     askForUser(input: RouterInputs['pseudonym']['askForUser']): Promise<RouterOutputs['pseudonym']['askForUser']>;
     cross(input: RouterInputs['pseudonym']['cross']): Promise<RouterOutputs['pseudonym']['cross']>;

package/dist/types/client/SecrecyUserClient.d.ts

@@ -1,9 +1,8 @@
-import type { RouterInputs, ApiClient, RouterOutputs } from '../client.js';
+import type { RouterInputs, RouterOutputs } from '../client.js';
 import type { SecrecyClient } from '../index.js';
-import type { KeyPair } from './types/index.js';
 export declare class SecrecyUserClient {
     #private;
-    constructor(_client: SecrecyClient, _keys: KeyPair, apiClient: ApiClient);
+    constructor(client: SecrecyClient);
     answerInvitation(input: RouterInputs['contacts']['answerInvitation']): Promise<RouterOutputs['contacts']['answerInvitation']>;
     cancelInvitation(input: RouterInputs['contacts']['cancelInvitation']): Promise<RouterOutputs['contacts']['cancelInvitation']>;
     createInvitation(input: RouterInputs['contacts']['createInvitation']): Promise<RouterOutputs['contacts']['createInvitation']>;

package/dist/types/client/convert/data.d.ts

@@ -1,4 +1,4 @@
-import type { ApiData, InternalData, DataMetadata, KeyPair } from '../types/index.js';
-export declare function apiDataToInternal(apiData: ApiData, keyPair: KeyPair): InternalData;
+import type { ApiData, InternalData, DataMetadata } from '../types/index.js';
+export declare function apiDataToInternal(apiData: ApiData, keyPairs: Record<string, string>): InternalData;
 export declare function internalDataToExternalData(internal: InternalData): DataMetadata;
-export declare function apiDataToExternal(apiData: ApiData, keyPair: KeyPair): DataMetadata;
+export declare function apiDataToExternal(apiData: ApiData, keyPairs: Record<string, string>): DataMetadata;

package/dist/types/client/convert/mail.d.ts

@@ -1,8 +1,6 @@
-import { type Mail, type SecrecyClient } from '../../index.js';
-import { type KeyPair } from '../types/index.js';
+import { type Mail } from '../../index.js';
 import { type ApiMail } from '../types/mail.js';
-export declare function convertInternalMailToExternal({ client, mail, keyPair, }: {
+export declare function convertInternalMailToExternal({ mail, keyPairs, }: {
     mail: ApiMail;
-    client: SecrecyClient;
-    keyPair: KeyPair;
+    keyPairs: Record<string, string>;
 }): Promise<Mail>;

package/dist/types/client/convert/node.d.ts

@@ -1,6 +1,6 @@
-import type { Node, ApiNode, ApiNodeFull, InternalNodeFull, NodeFull, KeyPair, ApiNodeParent, ApiNodeForEncryption, InternalMinimalNodeForEncryption } from '../types/index.js';
-export declare function apiNodeFullToInternalFull(apiNodeFull: ApiNodeFull, keyPair: KeyPair): Promise<InternalNodeFull>;
+import type { Node, ApiNode, ApiNodeFull, InternalNodeFull, NodeFull, ApiNodeParent, ApiNodeForEncryption, InternalMinimalNodeForEncryption } from '../types/index.js';
+export declare function apiNodeFullToInternalFull(apiNodeFull: ApiNodeFull, keyPairs: Record<string, string>): Promise<InternalNodeFull>;
 export declare function internalNodeFullToNodeFull(internal: InternalNodeFull): NodeFull;
-export declare function apiNodeToExternalNodeFull(apiNodeFull: ApiNodeFull, keyPair: KeyPair): Promise<NodeFull>;
-export declare function apiNodeToExternal(apiNode: ApiNode | ApiNodeParent, keyPair: KeyPair): Promise<Node>;
-export declare function apiNodeForEncryptionToInternal(apiNode: ApiNodeForEncryption, keyPair: KeyPair): Promise<InternalMinimalNodeForEncryption>;
+export declare function apiNodeToExternalNodeFull(apiNodeFull: ApiNodeFull, keyPairs: Record<string, string>): Promise<NodeFull>;
+export declare function apiNodeToExternal(apiNode: ApiNode | ApiNodeParent, keyPairs: Record<string, string>): Promise<Node>;
+export declare function apiNodeForEncryptionToInternal(apiNode: ApiNodeForEncryption, keyPairs: Record<string, string>): Promise<InternalMinimalNodeForEncryption>;

package/dist/types/client/index.d.ts

@@ -6,16 +6,17 @@ import { SecrecyAppClient } from './SecrecyAppClient.js';
 import { SecrecyDbClient } from './SecrecyDbClient.js';
 import { SecrecyWalletClient } from './SecrecyWalletClient.js';
 import { SecrecyPayClient } from './SecrecyPayClient.js';
-import { ApiClient, type RouterInputs } from '../client.js';
-import { type KeyPair } from './types/index.js';
+import { ApiClient, type RouterInputs, type RouterOutputs } from '../client.js';
 import { SecrecyUserClient } from './SecrecyUserClient.js';
 import { SecrecyPseudonymClient } from './SecrecyPseudonymClient.js';
 import { SecrecyOrganizationClient } from './SecrecyOrganizationClient.js';
+import type { AccessIdentity, GroupIdentity, UserAppIdentity } from './types/identity.js';
 export type NewMail = Pick<RouterInputs['mail']['createDraft'], 'body' | 'subject' | 'senderFiles' | 'recipients' | 'replyToId'>;
 export type ProgressCallback = (progress: SecretStreamProgress) => Promise<void>;
 export interface SecrecyClientOptions {
     uaSession: string;
-    uaKeys: KeyPair;
+    identities: AccessIdentity[];
+    keyPairs: Record<string, string>;
     uaJwt: string;
     apiClient?: ApiClient;
     secrecyUrls?: Partial<SecrecyUrls>;
@@ -33,6 +34,13 @@ export declare class SecrecyClient extends BaseClient {
     pseudonym: SecrecyPseudonymClient;
     constructor(opts: SecrecyClientOptions);
     get publicKey(): string;
+    get apiClient(): Readonly<ApiClient>;
+    get keyPairs(): Readonly<Record<string, string>>;
+    getPrivateKey(pubKey: string): string;
+    get uaPrivateKey(): string;
+    get groupIdentities(): ReadonlyArray<Readonly<GroupIdentity>>;
+    get uaIdentity(): Readonly<UserAppIdentity>;
     decryptAnonymous(data: Uint8Array): Uint8Array;
     logout(sessionId?: string | null | undefined): Promise<void>;
+    getIdentities(input: RouterInputs['identity']['getMany']): Promise<RouterOutputs['identity']['getMany']>;
 }

package/dist/types/client/storage.d.ts

@@ -1,7 +1,8 @@
 import type { StoreBuddy } from '../utils/store-buddy.js';
-import { type KeyPair } from './types/index.js';
+import type { AccessIdentity } from './types/identity.js';
 export declare function getStorage(session?: boolean | undefined): {
-    userAppKeys: StoreBuddy<KeyPair | null>;
+    identities: StoreBuddy<AccessIdentity[] | null>;
+    keyPairs: StoreBuddy<Record<string, string> | null>;
     userAppSession: StoreBuddy<string | null>;
     jwt: StoreBuddy<string | null>;
 };

package/dist/types/client/types/identity.d.ts

@@ -0,0 +1,29 @@
+import { z } from 'zod/v4';
+export declare const userAppSchema: z.ZodObject<{
+    kind: z.ZodLiteral<"USER_APP">;
+    identityPubKey: z.ZodString;
+    userId: z.ZodString;
+    appId: z.ZodString;
+}, z.core.$strip>;
+export declare const groupSchema: z.ZodObject<{
+    kind: z.ZodLiteral<"GROUP">;
+    identityPubKey: z.ZodString;
+    groupId: z.ZodString;
+    sharedByPubKey: z.ZodString;
+    groupOwnerPubKey: z.ZodString;
+}, z.core.$strip>;
+export declare const accessIdentitySchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    kind: z.ZodLiteral<"USER_APP">;
+    identityPubKey: z.ZodString;
+    userId: z.ZodString;
+    appId: z.ZodString;
+}, z.core.$strip>, z.ZodObject<{
+    kind: z.ZodLiteral<"GROUP">;
+    identityPubKey: z.ZodString;
+    groupId: z.ZodString;
+    sharedByPubKey: z.ZodString;
+    groupOwnerPubKey: z.ZodString;
+}, z.core.$strip>], "kind">;
+export type AccessIdentity = z.infer<typeof accessIdentitySchema>;
+export type UserAppIdentity = z.infer<typeof userAppSchema>;
+export type GroupIdentity = z.infer<typeof groupSchema>;

package/dist/types/client/types/index.d.ts

@@ -4,16 +4,20 @@ export type * from './data.js';
 export type * from './node.js';
 export type * from './mail.js';
 export type * from './user.js';
-declare const keyPair: z.ZodObject<{
-    publicKey: z.ZodString;
-    privateKey: z.ZodString;
-}, z.core.$strict>;
-export type KeyPair = z.infer<typeof keyPair>;
 export declare const secrecyUserApp: z.ZodReadonly<z.ZodObject<{
-    keys: z.ZodObject<{
-        publicKey: z.ZodString;
-        privateKey: z.ZodString;
-    }, z.core.$strict>;
+    identities: z.ZodArray<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        kind: z.ZodLiteral<"USER_APP">;
+        identityPubKey: z.ZodString;
+        userId: z.ZodString;
+        appId: z.ZodString;
+    }, z.core.$strip>, z.ZodObject<{
+        kind: z.ZodLiteral<"GROUP">;
+        identityPubKey: z.ZodString;
+        groupId: z.ZodString;
+        sharedByPubKey: z.ZodString;
+        groupOwnerPubKey: z.ZodString;
+    }, z.core.$strip>], "kind">>;
+    keyPairs: z.ZodRecord<z.ZodString, z.ZodString>;
     jwt: z.ZodString;
     uaSession: z.ZodString;
 }, z.core.$strict>>;