@snaha/swarm-id 0.0.1

package/README.md

@@ -0,0 +1,431 @@
+# Swarm ID Client Library
+
+A TypeScript library for integrating Swarm ID authentication and Bee API operations into dApps.
+
+## Overview
+
+The Swarm ID library provides a secure, iframe-based authentication system for Swarm applications. It consists of three main components:
+
+1. **SwarmIdClient** - For parent windows/dApps to interact with the authentication system
+2. **SwarmIdProxy** - Runs in the iframe, handles authentication and proxies Bee API calls
+3. **SwarmIdAuth** - Runs in the popup window for user authentication
+
+## Installation
+
+From the monorepo root:
+
+```bash
+pnpm install
+```
+
+Or directly in the lib folder:
+
+```bash
+cd lib
+pnpm install
+```
+
+## Building
+
+From the monorepo root:
+
+```bash
+# Build the library
+pnpm build
+
+# Watch mode
+pnpm build:watch
+
+# Lint code
+pnpm lint
+
+# Auto-fix linting issues
+pnpm lint:fix
+```
+
+Or directly in the lib folder:
+
+```bash
+cd lib
+
+# Build once
+pnpm build
+
+# Watch mode
+pnpm build:watch
+
+# Lint code
+pnpm lint
+
+# Auto-fix linting issues
+pnpm lint:fix
+```
+
+## Project Structure
+
+```
+lib/
+├── index.ts                    # Main library exports
+├── types.ts                    # Zod schemas & TypeScript interfaces
+├── swarm-id-client.ts         # Client for parent windows
+├── swarm-id-proxy.ts          # Proxy logic for iframe
+├── swarm-id-auth.ts           # Auth popup logic
+├── utils/
+│   ├── key-derivation.ts      # Cryptographic utilities
+│   ├── backup-encryption.ts   # AES-GCM-256 encryption for .swarmid files
+│   └── account-state-snapshot.ts # Shared serialization for export & sync
+├── sync/
+│   └── restore-account.ts     # Swarm-based account restoration
+└── tsconfig.json              # TypeScript configuration
+
+dist/                           # Built output (generated)
+├── swarm-id.esm.js            # ESM bundle
+├── swarm-id.umd.js            # UMD bundle
+├── swarm-id-client.js         # Individual module (ESM)
+├── swarm-id-proxy.js          # Individual module (ESM)
+├── swarm-id-auth.js           # Individual module (ESM)
+└── *.d.ts                     # TypeScript declarations
+```
+
+## Usage
+
+### In a Parent dApp
+
+```typescript
+import { SwarmIdClient } from "swarm-id"
+
+// Initialize the client
+const client = new SwarmIdClient({
+  iframeOrigin: "https://swarm-id.local:8081",
+  beeApiUrl: "http://localhost:1633",
+  timeout: 30000,
+  onAuthChange: (authenticated) => {
+    console.log("Auth status changed:", authenticated)
+  },
+})
+
+// Initialize and wait for ready
+await client.initialize()
+
+// Get the auth iframe (positioned fixed in bottom-right corner)
+const iframe = client.getAuthIframe()
+
+// Check auth status
+const status = await client.checkAuthStatus()
+console.log("Authenticated:", status.authenticated)
+
+// Upload data
+const result = await client.uploadData(
+  "your-postage-batch-id",
+  new Uint8Array([1, 2, 3, 4, 5]),
+  { pin: true },
+)
+console.log("Uploaded:", result.reference)
+
+// Download data
+const data = await client.downloadData(result.reference)
+console.log("Downloaded:", data)
+
+// Upload file
+const file = new File(["Hello World"], "hello.txt")
+const fileResult = await client.uploadFile("your-postage-batch-id", file)
+console.log("File uploaded:", fileResult.reference)
+
+// Download file
+const downloadedFile = await client.downloadFile(fileResult.reference)
+console.log("File name:", downloadedFile.name)
+console.log("File data:", downloadedFile.data)
+
+// Cleanup
+client.destroy()
+```
+
+### In the Iframe (SvelteKit `/proxy` route)
+
+```typescript
+import { initProxy } from "swarm-id/proxy"
+
+const proxy = initProxy({
+  beeApiUrl: "http://localhost:1633",
+})
+```
+
+### In the Auth Popup (SvelteKit `/connect` route)
+
+```typescript
+import { initAuth } from "swarm-id/auth"
+
+try {
+  const auth = await initAuth()
+
+  // Display app origin
+  console.log("App requesting access:", auth.getAppOrigin())
+
+  // Check if user has master key
+  if (!auth.hasMasterKey()) {
+    // Setup new identity
+    const masterKey = await auth.setupNewIdentity()
+    console.log("New identity created")
+  }
+
+  // Authenticate
+  await auth.authenticate()
+  console.log("Authentication successful")
+
+  // Close popup
+  auth.close(1500)
+} catch (error) {
+  console.error("Auth failed:", error)
+}
+```
+
+## API Reference
+
+### SwarmIdClient
+
+#### Constructor
+
+```typescript
+new SwarmIdClient(options: ClientOptions)
+```
+
+Options:
+
+- `iframeOrigin` (string, required) - Origin of the Swarm ID iframe
+- `beeApiUrl` (string, optional) - Bee node API URL (default: 'http://localhost:1633')
+- `timeout` (number, optional) - Request timeout in ms (default: 30000)
+- `onAuthChange` (function, optional) - Callback for auth status changes
+
+#### Methods
+
+**Authentication**
+
+- `initialize()` - Initialize the client and embed iframe
+- `getAuthIframe()` - Get the auth iframe element
+- `checkAuthStatus()` - Check authentication status
+- `connect()` - Open authentication popup programmatically (see [Browser Compatibility](#browser-compatibility-and-storage-access))
+- `disconnect()` - Disconnect and clear authentication data
+- `getConnectionInfo()` - Get connection info including upload capability
+
+**Data Operations**
+
+- `uploadData(batchId, data, options?)` - Upload raw data
+- `downloadData(reference, options?)` - Download raw data
+
+**File Operations**
+
+- `uploadFile(batchId, file, name?, options?)` - Upload file
+- `downloadFile(reference, path?, options?)` - Download file
+
+**Chunk Operations**
+
+- `uploadChunk(batchId, data, options?)` - Upload chunk
+- `downloadChunk(reference, options?)` - Download chunk
+
+**Postage Operations**
+
+- `createPostageBatch(amount, depth, options?)` - Create postage batch
+- `getPostageBatch(batchId)` - Get postage batch info
+
+**Cleanup**
+
+- `destroy()` - Destroy client and clean up resources
+
+### SwarmIdProxy
+
+#### Constructor
+
+```typescript
+new SwarmIdProxy(options: ProxyOptions)
+```
+
+Options:
+
+- `beeApiUrl` (string, required) - Bee node API URL
+
+### SwarmIdAuth
+
+#### Constructor
+
+```typescript
+new SwarmIdAuth(options?: AuthOptions)
+```
+
+Options:
+
+- `masterKeyStorageKey` (string, optional) - LocalStorage key for master key (default: 'swarm-master-key')
+
+#### Methods
+
+- `initialize()` - Initialize auth popup
+- `getAppOrigin()` - Get the requesting app's origin
+- `getMasterKey()` - Get the master key (truncated for display)
+- `hasMasterKey()` - Check if master key exists
+- `setupNewIdentity()` - Generate and store new master key
+- `authenticate()` - Authenticate and send secret to iframe
+- `close(delay?)` - Close popup window (default delay: 1500ms)
+
+## Message Protocol
+
+The library uses postMessage for secure cross-origin communication with Zod schema validation.
+
+### Parent → Iframe Messages
+
+- `parentIdentify` - Identify parent to iframe
+- `checkAuth` - Check authentication status
+- `requestAuth` - Request authentication (open popup)
+- `uploadData` - Upload data request
+- `downloadData` - Download data request
+- (and other Bee API operations)
+
+### Iframe → Parent Messages
+
+- `proxyReady` - Iframe is ready
+- `authStatusResponse` - Auth status response
+- `authSuccess` - Authentication succeeded
+- `uploadDataResponse` - Upload response with reference
+- `downloadDataResponse` - Download response with data
+- `error` - Error message
+
+### Popup → Iframe Messages
+
+- `setSecret` - Send derived secret to iframe
+
+## Import & Export
+
+Accounts can be exported to encrypted `.swarmid` backup files and restored via import or from Swarm.
+
+### .swarmid File Format
+
+Each file contains a plaintext JSON header (account metadata, type-specific fields) plus an AES-GCM-256 encrypted payload containing the account state snapshot.
+
+```typescript
+import {
+  createEncryptedExport,
+  decryptEncryptedExport,
+  parseEncryptedExportHeader,
+} from "@snaha/swarm-id"
+
+// Export (no re-auth needed — uses stored swarmEncryptionKey)
+const exported = await createEncryptedExport(
+  account,
+  identities,
+  connectedApps,
+  postageStamps,
+  swarmEncryptionKeyHex,
+)
+
+// Read header metadata without decrypting
+const header = parseEncryptedExportHeader(fileData)
+
+// Import (requires auth to re-derive key)
+const result = await decryptEncryptedExport(fileData, swarmEncryptionKeyHex)
+if (result.success) {
+  console.log(result.data) // AccountStateSnapshot
+}
+```
+
+### Account State Snapshots
+
+The `serializeAccountStateSnapshot()` and `deserializeAccountStateSnapshot()` functions provide shared serialization used by both file export and Swarm sync. Connected app secrets are included in snapshots so that backups preserve app connections without requiring re-authentication.
+
+### Swarm Sync & Restore
+
+When a passkey auth succeeds on a new device with no local account, `restoreAccountFromSwarm()` derives the necessary keys, finds the epoch feed in Swarm, downloads and decrypts the latest account snapshot.
+
+```typescript
+import { restoreAccountFromSwarm } from "@snaha/swarm-id"
+
+const result = await restoreAccountFromSwarm(
+  bee,
+  masterKey,
+  ethereumAddress,
+  credentialId,
+)
+if (result) {
+  console.log(result.snapshot) // AccountStateSnapshot
+}
+```
+
+## Security Features
+
+- **Origin Validation** - All postMessage calls validate sender origin
+- **Parent Origin Locking** - Parent can only identify itself once
+- **HMAC-SHA256 Key Derivation** - App-specific secrets derived from master key
+- **Partitioned Storage** - Secrets isolated per (iframe-origin, parent-origin) pair
+- **Master Key Protection** - Master key never leaves first-party context
+- **Type-safe Messages** - Zod schema validation on all messages
+- **Backup Encryption** - AES-GCM-256 with random IV for .swarmid files
+- **appSecret Exclusion** - App secrets are never included in exports or sync snapshots
+
+## Browser Compatibility and Storage Access
+
+There are two ways to trigger authentication:
+
+1. **Iframe button** - User clicks the button rendered inside the iframe (`getAuthIframe()`)
+2. **Custom button** - App calls `client.connect()` from its own button
+
+### Storage Access API
+
+The iframe needs access to shared localStorage to read accounts, identities, and postage stamps. Browsers may partition iframe storage, requiring the [Storage Access API](https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API) to access unpartitioned storage. This API **requires a user gesture inside the iframe**.
+
+### Environment Compatibility
+
+| Environment                           | Iframe button | Custom button       | Notes                                                                        |
+| ------------------------------------- | ------------- | ------------------- | ---------------------------------------------------------------------------- |
+| **Production (Chrome/Firefox)**       | Yes           | Yes                 | Secure context, storage not partitioned                                      |
+| **Localhost (Chrome, Firefox, etc.)** | Yes           | After iframe button | Iframe button requests Storage Access first                                  |
+| **Safari (any)**                      | Yes           | Yes                 | Download-only mode: auth works, uploads disabled (ITP storage partitioning)  |
+| **Safari private mode**               | Yes           | Yes                 | Download-only mode; sessions are ephemeral (lost when private window closes) |
+
+### How It Works
+
+**Production (Chrome/Firefox)**: In a secure context (HTTPS), browsers don't partition iframe storage, so both authentication methods work immediately.
+
+**Localhost (Chrome/Firefox)**: Browsers partition iframe storage, requiring the [Storage Access API](https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API). The iframe button triggers a user gesture inside the iframe, allowing it to request Storage Access. Once granted, the custom button also works.
+
+**Safari**: Safari's Intelligent Tracking Prevention (ITP) partitions all storage for third-party iframes, preventing access to signing keys and postage stamps. Safari operates in download-only mode: authentication and downloads work, but uploads are not available. See [#167](https://github.com/snaha/swarm-id/issues/167) for details.
+
+**Safari private mode**: Download-only mode applies; sessions are also ephemeral — all storage is cleared when the private window closes.
+
+### Recommendation
+
+- **Production (Chrome/Firefox)**: Either button works immediately
+- **Development**: Use Chrome/Firefox with iframe button first, then custom button works
+- **Safari**: Download-only mode (auth works, uploads disabled); private mode sessions are ephemeral
+
+## Development
+
+### Code Style
+
+- Use `undefined` instead of `null`
+- No semicolons
+- TypeScript strict mode
+- ESLint with @typescript-eslint
+
+### Testing
+
+```bash
+# Run linter
+pnpm lint
+
+# Auto-fix issues
+pnpm lint:fix
+```
+
+## TODO
+
+- [ ] Integrate real Bee API calls (currently simulated)
+- [ ] Add unit tests
+- [ ] Add integration tests
+- [ ] Update HTML files to use library
+- [ ] Browser compatibility testing
+- [ ] Add error recovery and retry logic
+- [ ] Add request cancellation support
+- [ ] Add progress callbacks for uploads/downloads
+- [ ] Document security model
+- [ ] Publish to npm
+
+## License
+
+ISC

package/dist/chunk/bmt.d.ts

@@ -0,0 +1,17 @@
+import { Reference } from "@ethersphere/bee-js";
+/**
+ * Calculate a Binary Merkle Tree hash for a chunk
+ *
+ * The BMT chunk address is the hash of the 8 byte span and the root
+ * hash of a binary Merkle tree (BMT) built on the 32-byte segments
+ * of the underlying data.
+ *
+ * If the chunk content is less than 4k, the hash is calculated as
+ * if the chunk was padded with all zeros up to 4096 bytes.
+ *
+ * @param chunkContent Chunk data including span and payload as well
+ *
+ * @returns the keccak256 hash in a byte array
+ */
+export declare function calculateChunkAddress(chunkContent: Uint8Array): Reference;
+//# sourceMappingURL=bmt.d.ts.map

package/dist/chunk/bmt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bmt.d.ts","sourceRoot":"","sources":["../../src/chunk/bmt.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAQ,MAAM,qBAAqB,CAAA;AAKrD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,UAAU,GAAG,SAAS,CAOzE"}

package/dist/chunk/cac.d.ts

@@ -0,0 +1,18 @@
+import { Bytes, Reference, Span } from "@ethersphere/bee-js";
+/**
+ * Content addressed chunk interface
+ */
+export interface ContentAddressedChunk {
+    readonly data: Uint8Array;
+    readonly span: Span;
+    readonly payload: Bytes;
+    readonly address: Reference;
+}
+/**
+ * Creates a content addressed chunk from payload data
+ *
+ * @param payloadBytes the data to be stored in the chunk (1-4096 bytes)
+ * @param spanOverride optional span value to use instead of payload length
+ */
+export declare function makeContentAddressedChunk(payloadBytes: Uint8Array | string, spanOverride?: Span | bigint): ContentAddressedChunk;
+//# sourceMappingURL=cac.d.ts.map

package/dist/chunk/cac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cac.d.ts","sourceRoot":"","sources":["../../src/chunk/cac.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAA;AAM5D;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAA;IACnB,QAAQ,CAAC,OAAO,EAAE,KAAK,CAAA;IACvB,QAAQ,CAAC,OAAO,EAAE,SAAS,CAAA;CAC5B;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,YAAY,EAAE,UAAU,GAAG,MAAM,EACjC,YAAY,CAAC,EAAE,IAAI,GAAG,MAAM,GAC3B,qBAAqB,CAoCvB"}

package/dist/chunk/constants.d.ts

@@ -0,0 +1,10 @@
+export declare const MIN_PAYLOAD_SIZE = 1;
+export declare const MAX_PAYLOAD_SIZE = 4096;
+export declare const SPAN_SIZE = 8;
+export declare const UNENCRYPTED_REF_SIZE = 32;
+export declare const ENCRYPTED_REF_SIZE = 64;
+export declare const IDENTIFIER_SIZE = 32;
+export declare const SIGNATURE_SIZE = 65;
+export declare const SOC_HEADER_SIZE: number;
+export declare const DEFAULT_DOWNLOAD_CONCURRENCY = 64;
+//# sourceMappingURL=constants.d.ts.map

package/dist/chunk/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/chunk/constants.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,gBAAgB,IAAI,CAAA;AACjC,eAAO,MAAM,gBAAgB,OAAO,CAAA;AAGpC,eAAO,MAAM,SAAS,IAAI,CAAA;AAG1B,eAAO,MAAM,oBAAoB,KAAK,CAAA;AACtC,eAAO,MAAM,kBAAkB,KAAK,CAAA;AAGpC,eAAO,MAAM,eAAe,KAAK,CAAA;AACjC,eAAO,MAAM,cAAc,KAAK,CAAA;AAChC,eAAO,MAAM,eAAe,QAAmC,CAAA;AAG/D,eAAO,MAAM,4BAA4B,KAAK,CAAA"}

package/dist/chunk/encrypted-cac.d.ts

@@ -0,0 +1,48 @@
+import { Bytes, Reference, Span } from "@ethersphere/bee-js";
+import { type Key } from "./encryption";
+/**
+ * Encrypted chunk interface
+ *
+ * The reference includes both the chunk address and the encryption key (64 bytes total)
+ */
+export interface EncryptedChunk {
+    readonly data: Uint8Array;
+    readonly encryptionKey: Key;
+    readonly span: Span;
+    readonly payload: Bytes;
+    readonly address: Reference;
+    readonly reference: Reference;
+}
+/**
+ * Creates an encrypted content addressed chunk
+ *
+ * Process:
+ * 1. Create chunk with span + payload
+ * 2. Encrypt the chunk data
+ * 3. Calculate BMT hash on encrypted data
+ * 4. Return reference = address + encryption key (64 bytes)
+ *
+ * @param payloadBytes the data to be stored in the chunk
+ * @param encryptionKey optional encryption key (if not provided, a random key will be generated)
+ */
+export declare function makeEncryptedContentAddressedChunk(payloadBytes: Uint8Array | string, encryptionKey?: Key): EncryptedChunk;
+/**
+ * Decrypts an encrypted chunk given the encryption key
+ *
+ * @param encryptedChunkData The encrypted chunk data (span + payload)
+ * @param encryptionKey The 32-byte encryption key
+ */
+export declare function decryptEncryptedChunk(encryptedChunkData: Uint8Array, encryptionKey: Key): Uint8Array;
+/**
+ * Extracts encryption key from a 64-byte encrypted reference
+ *
+ * @param reference 64-byte reference (address + key)
+ */
+export declare function extractEncryptionKey(reference: Reference): Key;
+/**
+ * Extracts the chunk address from a 64-byte encrypted reference
+ *
+ * @param reference 64-byte reference (address + key)
+ */
+export declare function extractChunkAddress(reference: Reference): Reference;
+//# sourceMappingURL=encrypted-cac.d.ts.map

package/dist/chunk/encrypted-cac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-cac.d.ts","sourceRoot":"","sources":["../../src/chunk/encrypted-cac.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,EAAuC,KAAK,GAAG,EAAE,MAAM,cAAc,CAAA;AAI5E;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,aAAa,EAAE,GAAG,CAAA;IAC3B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAA;IACnB,QAAQ,CAAC,OAAO,EAAE,KAAK,CAAA;IACvB,QAAQ,CAAC,OAAO,EAAE,SAAS,CAAA;IAC3B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAA;CAC9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,kCAAkC,CAChD,YAAY,EAAE,UAAU,GAAG,MAAM,EACjC,aAAa,CAAC,EAAE,GAAG,GAClB,cAAc,CA4ChB;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,kBAAkB,EAAE,UAAU,EAC9B,aAAa,EAAE,GAAG,GACjB,UAAU,CAEZ;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,SAAS,GAAG,GAAG,CAS9D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,SAAS,GAAG,SAAS,CASnE"}

package/dist/chunk/encryption.d.ts

@@ -0,0 +1,86 @@
+export declare const KEY_LENGTH = 32;
+export declare const REFERENCE_SIZE = 64;
+export type Key = Uint8Array;
+export interface Encrypter {
+    key(): Key;
+    encrypt(data: Uint8Array): Uint8Array;
+}
+export interface Decrypter {
+    key(): Key;
+    decrypt(data: Uint8Array): Uint8Array;
+}
+export interface EncryptionInterface extends Encrypter, Decrypter {
+    reset(): void;
+}
+/**
+ * Core encryption class implementing CTR-mode encryption with Keccak256
+ * This matches the Go implementation in bee/pkg/encryption/encryption.go
+ */
+export declare class Encryption implements EncryptionInterface {
+    private readonly encryptionKey;
+    private readonly keyLen;
+    private readonly padding;
+    private index;
+    private readonly initCtr;
+    constructor(key: Key, padding: number, initCtr: number);
+    key(): Key;
+    /**
+     * Encrypts data with optional padding
+     */
+    encrypt(data: Uint8Array): Uint8Array;
+    /**
+     * Decrypts data (caller must know original length if padding was used)
+     */
+    decrypt(data: Uint8Array): Uint8Array;
+    /**
+     * Resets the counter - only safe to call after encryption/decryption is completed
+     */
+    reset(): void;
+    /**
+     * Transforms data by splitting into key-length segments and encrypting sequentially
+     */
+    private transform;
+    /**
+     * Segment-wise transformation using XOR with Keccak256-derived keys
+     * Matches the Go implementation's Transcrypt function
+     */
+    private transcrypt;
+}
+/**
+ * Generates a cryptographically secure random key
+ */
+export declare function generateRandomKey(length?: number): Key;
+/**
+ * Creates encryption interface for chunk span (first 8 bytes)
+ */
+export declare function newSpanEncryption(key: Key): EncryptionInterface;
+/**
+ * Creates encryption interface for chunk data
+ */
+export declare function newDataEncryption(key: Key): EncryptionInterface;
+export interface ChunkEncrypter {
+    encryptChunk(chunkData: Uint8Array, key?: Key): {
+        key: Key;
+        encryptedSpan: Uint8Array;
+        encryptedData: Uint8Array;
+    };
+}
+/**
+ * Default chunk encrypter implementation
+ */
+export declare class DefaultChunkEncrypter implements ChunkEncrypter {
+    encryptChunk(chunkData: Uint8Array, key?: Key): {
+        key: Key;
+        encryptedSpan: Uint8Array;
+        encryptedData: Uint8Array;
+    };
+}
+/**
+ * Creates a new chunk encrypter
+ */
+export declare function newChunkEncrypter(): ChunkEncrypter;
+/**
+ * Decrypts encrypted chunk data using the provided encryption key
+ */
+export declare function decryptChunkData(key: Key, encryptedChunkData: Uint8Array): Uint8Array;
+//# sourceMappingURL=encryption.d.ts.map

package/dist/chunk/encryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.d.ts","sourceRoot":"","sources":["../../src/chunk/encryption.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,UAAU,KAAK,CAAA;AAC5B,eAAO,MAAM,cAAc,KAAK,CAAA;AAEhC,MAAM,MAAM,GAAG,GAAG,UAAU,CAAA;AAE5B,MAAM,WAAW,SAAS;IACxB,GAAG,IAAI,GAAG,CAAA;IACV,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAAA;CACtC;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,IAAI,GAAG,CAAA;IACV,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAAA;CACtC;AAED,MAAM,WAAW,mBAAoB,SAAQ,SAAS,EAAE,SAAS;IAC/D,KAAK,IAAI,IAAI,CAAA;CACd;AAED;;;GAGG;AACH,qBAAa,UAAW,YAAW,mBAAmB;IACpD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAK;IACnC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAQ;IAC/B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAQ;IAChC,OAAO,CAAC,KAAK,CAAQ;IACrB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAQ;gBAEpB,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAQtD,GAAG,IAAI,GAAG;IAIV;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU;IAoBrC;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU;IAerC;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACH,OAAO,CAAC,SAAS;IAoBjB;;;OAGG;IACH,OAAO,CAAC,UAAU;CA8BnB;AAgDD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,MAAmB,GAAG,GAAG,CAKlE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,GAAG,GAAG,mBAAmB,CAK/D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,GAAG,GAAG,mBAAmB,CAI/D;AAED,MAAM,WAAW,cAAc;IAC7B,YAAY,CACV,SAAS,EAAE,UAAU,EACrB,GAAG,CAAC,EAAE,GAAG,GACR;QACD,GAAG,EAAE,GAAG,CAAA;QACR,aAAa,EAAE,UAAU,CAAA;QACzB,aAAa,EAAE,UAAU,CAAA;KAC1B,CAAA;CACF;AAED;;GAEG;AACH,qBAAa,qBAAsB,YAAW,cAAc;IAC1D,YAAY,CACV,SAAS,EAAE,UAAU,EACrB,GAAG,CAAC,EAAE,GAAG,GACR;QACD,GAAG,EAAE,GAAG,CAAA;QACR,aAAa,EAAE,UAAU,CAAA;QACzB,aAAa,EAAE,UAAU,CAAA;KAC1B;CAiBF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,CAElD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,GAAG,EACR,kBAAkB,EAAE,UAAU,GAC7B,UAAU,CAeZ"}

package/dist/chunk/index.d.ts

@@ -0,0 +1,6 @@
+export { MIN_PAYLOAD_SIZE, MAX_PAYLOAD_SIZE, SPAN_SIZE, UNENCRYPTED_REF_SIZE, ENCRYPTED_REF_SIZE, IDENTIFIER_SIZE, SIGNATURE_SIZE, SOC_HEADER_SIZE, DEFAULT_DOWNLOAD_CONCURRENCY, } from "./constants";
+export { type Key, type ChunkEncrypter, type Encrypter, type Decrypter, type EncryptionInterface, KEY_LENGTH, REFERENCE_SIZE, newChunkEncrypter, decryptChunkData, generateRandomKey, newSpanEncryption, newDataEncryption, Encryption, DefaultChunkEncrypter, } from "./encryption";
+export { calculateChunkAddress } from "./bmt";
+export { type ContentAddressedChunk, makeContentAddressedChunk } from "./cac";
+export { type EncryptedChunk, makeEncryptedContentAddressedChunk, decryptEncryptedChunk, extractEncryptionKey, extractChunkAddress, } from "./encrypted-cac";
+//# sourceMappingURL=index.d.ts.map

package/dist/chunk/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/chunk/index.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,SAAS,EACT,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,cAAc,EACd,eAAe,EACf,4BAA4B,GAC7B,MAAM,aAAa,CAAA;AAGpB,OAAO,EACL,KAAK,GAAG,EACR,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,SAAS,EACd,KAAK,mBAAmB,EACxB,UAAU,EACV,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,qBAAqB,GACtB,MAAM,cAAc,CAAA;AAGrB,OAAO,EAAE,qBAAqB,EAAE,MAAM,OAAO,CAAA;AAG7C,OAAO,EAAE,KAAK,qBAAqB,EAAE,yBAAyB,EAAE,MAAM,OAAO,CAAA;AAG7E,OAAO,EACL,KAAK,cAAc,EACnB,kCAAkC,EAClC,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,iBAAiB,CAAA"}