npm - @snaha/swarm-id - Versions diffs - 0.0.1 - Mend

@snaha/swarm-id 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (223) hide show

package/README.md +431 -0
package/dist/chunk/bmt.d.ts +17 -0
package/dist/chunk/bmt.d.ts.map +1 -0
package/dist/chunk/cac.d.ts +18 -0
package/dist/chunk/cac.d.ts.map +1 -0
package/dist/chunk/constants.d.ts +10 -0
package/dist/chunk/constants.d.ts.map +1 -0
package/dist/chunk/encrypted-cac.d.ts +48 -0
package/dist/chunk/encrypted-cac.d.ts.map +1 -0
package/dist/chunk/encryption.d.ts +86 -0
package/dist/chunk/encryption.d.ts.map +1 -0
package/dist/chunk/index.d.ts +6 -0
package/dist/chunk/index.d.ts.map +1 -0
package/dist/index.d.ts +46 -0
package/dist/index.d.ts.map +1 -0
package/dist/proxy/act/act.d.ts +78 -0
package/dist/proxy/act/act.d.ts.map +1 -0
package/dist/proxy/act/crypto.d.ts +44 -0
package/dist/proxy/act/crypto.d.ts.map +1 -0
package/dist/proxy/act/grantee-list.d.ts +82 -0
package/dist/proxy/act/grantee-list.d.ts.map +1 -0
package/dist/proxy/act/history.d.ts +183 -0
package/dist/proxy/act/history.d.ts.map +1 -0
package/dist/proxy/act/index.d.ts +104 -0
package/dist/proxy/act/index.d.ts.map +1 -0
package/dist/proxy/chunking-encrypted.d.ts +14 -0
package/dist/proxy/chunking-encrypted.d.ts.map +1 -0
package/dist/proxy/chunking.d.ts +15 -0
package/dist/proxy/chunking.d.ts.map +1 -0
package/dist/proxy/download-data.d.ts +16 -0
package/dist/proxy/download-data.d.ts.map +1 -0
package/dist/proxy/feed-manifest.d.ts +62 -0
package/dist/proxy/feed-manifest.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/async-finder.d.ts +77 -0
package/dist/proxy/feeds/epochs/async-finder.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/epoch.d.ts +88 -0
package/dist/proxy/feeds/epochs/epoch.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/finder.d.ts +67 -0
package/dist/proxy/feeds/epochs/finder.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/index.d.ts +35 -0
package/dist/proxy/feeds/epochs/index.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/test-utils.d.ts +93 -0
package/dist/proxy/feeds/epochs/test-utils.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/types.d.ts +109 -0
package/dist/proxy/feeds/epochs/types.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/updater.d.ts +68 -0
package/dist/proxy/feeds/epochs/updater.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/utils.d.ts +22 -0
package/dist/proxy/feeds/epochs/utils.d.ts.map +1 -0
package/dist/proxy/feeds/index.d.ts +5 -0
package/dist/proxy/feeds/index.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/async-finder.d.ts +14 -0
package/dist/proxy/feeds/sequence/async-finder.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/finder.d.ts +17 -0
package/dist/proxy/feeds/sequence/finder.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/index.d.ts +23 -0
package/dist/proxy/feeds/sequence/index.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/types.d.ts +80 -0
package/dist/proxy/feeds/sequence/types.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/updater.d.ts +26 -0
package/dist/proxy/feeds/sequence/updater.d.ts.map +1 -0
package/dist/proxy/index.d.ts +6 -0
package/dist/proxy/index.d.ts.map +1 -0
package/dist/proxy/manifest-builder.d.ts +183 -0
package/dist/proxy/manifest-builder.d.ts.map +1 -0
package/dist/proxy/mantaray-encrypted.d.ts +27 -0
package/dist/proxy/mantaray-encrypted.d.ts.map +1 -0
package/dist/proxy/mantaray.d.ts +26 -0
package/dist/proxy/mantaray.d.ts.map +1 -0
package/dist/proxy/types.d.ts +29 -0
package/dist/proxy/types.d.ts.map +1 -0
package/dist/proxy/upload-data.d.ts +17 -0
package/dist/proxy/upload-data.d.ts.map +1 -0
package/dist/proxy/upload-encrypted-data.d.ts +103 -0
package/dist/proxy/upload-encrypted-data.d.ts.map +1 -0
package/dist/schemas.d.ts +240 -0
package/dist/schemas.d.ts.map +1 -0
package/dist/storage/debounced-uploader.d.ts +62 -0
package/dist/storage/debounced-uploader.d.ts.map +1 -0
package/dist/storage/utilization-store.d.ts +108 -0
package/dist/storage/utilization-store.d.ts.map +1 -0
package/dist/swarm-id-auth.d.ts +74 -0
package/dist/swarm-id-auth.d.ts.map +1 -0
package/dist/swarm-id-auth.js +2 -0
package/dist/swarm-id-auth.js.map +1 -0
package/dist/swarm-id-client.d.ts +878 -0
package/dist/swarm-id-client.d.ts.map +1 -0
package/dist/swarm-id-client.js +2 -0
package/dist/swarm-id-client.js.map +1 -0
package/dist/swarm-id-proxy.d.ts +236 -0
package/dist/swarm-id-proxy.d.ts.map +1 -0
package/dist/swarm-id-proxy.js +2 -0
package/dist/swarm-id-proxy.js.map +1 -0
package/dist/swarm-id.esm.js +2 -0
package/dist/swarm-id.esm.js.map +1 -0
package/dist/swarm-id.umd.js +2 -0
package/dist/swarm-id.umd.js.map +1 -0
package/dist/sync/index.d.ts +9 -0
package/dist/sync/index.d.ts.map +1 -0
package/dist/sync/key-derivation.d.ts +25 -0
package/dist/sync/key-derivation.d.ts.map +1 -0
package/dist/sync/restore-account.d.ts +28 -0
package/dist/sync/restore-account.d.ts.map +1 -0
package/dist/sync/serialization.d.ts +16 -0
package/dist/sync/serialization.d.ts.map +1 -0
package/dist/sync/store-interfaces.d.ts +53 -0
package/dist/sync/store-interfaces.d.ts.map +1 -0
package/dist/sync/sync-account.d.ts +44 -0
package/dist/sync/sync-account.d.ts.map +1 -0
package/dist/sync/types.d.ts +13 -0
package/dist/sync/types.d.ts.map +1 -0
package/dist/test-fixtures.d.ts +17 -0
package/dist/test-fixtures.d.ts.map +1 -0
package/dist/types-BD_VkNn0.js +2 -0
package/dist/types-BD_VkNn0.js.map +1 -0
package/dist/types-lJCaT-50.js +2 -0
package/dist/types-lJCaT-50.js.map +1 -0
package/dist/types.d.ts +2157 -0
package/dist/types.d.ts.map +1 -0
package/dist/utils/account-payload.d.ts +94 -0
package/dist/utils/account-payload.d.ts.map +1 -0
package/dist/utils/account-state-snapshot.d.ts +38 -0
package/dist/utils/account-state-snapshot.d.ts.map +1 -0
package/dist/utils/backup-encryption.d.ts +127 -0
package/dist/utils/backup-encryption.d.ts.map +1 -0
package/dist/utils/batch-utilization.d.ts +432 -0
package/dist/utils/batch-utilization.d.ts.map +1 -0
package/dist/utils/constants.d.ts +11 -0
package/dist/utils/constants.d.ts.map +1 -0
package/dist/utils/hex.d.ts +17 -0
package/dist/utils/hex.d.ts.map +1 -0
package/dist/utils/key-derivation.d.ts +92 -0
package/dist/utils/key-derivation.d.ts.map +1 -0
package/dist/utils/storage-managers.d.ts +65 -0
package/dist/utils/storage-managers.d.ts.map +1 -0
package/dist/utils/swarm-id-export.d.ts +24 -0
package/dist/utils/swarm-id-export.d.ts.map +1 -0
package/dist/utils/ttl.d.ts +49 -0
package/dist/utils/ttl.d.ts.map +1 -0
package/dist/utils/url.d.ts +41 -0
package/dist/utils/url.d.ts.map +1 -0
package/dist/utils/versioned-storage.d.ts +131 -0
package/dist/utils/versioned-storage.d.ts.map +1 -0
package/package.json +78 -0
package/src/chunk/bmt.test.ts +217 -0
package/src/chunk/bmt.ts +57 -0
package/src/chunk/cac.test.ts +214 -0
package/src/chunk/cac.ts +65 -0
package/src/chunk/constants.ts +18 -0
package/src/chunk/encrypted-cac.test.ts +385 -0
package/src/chunk/encrypted-cac.ts +131 -0
package/src/chunk/encryption.test.ts +352 -0
package/src/chunk/encryption.ts +300 -0
package/src/chunk/index.ts +47 -0
package/src/index.ts +430 -0
package/src/proxy/act/act.test.ts +278 -0
package/src/proxy/act/act.ts +158 -0
package/src/proxy/act/bee-compat.test.ts +948 -0
package/src/proxy/act/crypto.test.ts +436 -0
package/src/proxy/act/crypto.ts +376 -0
package/src/proxy/act/grantee-list.test.ts +393 -0
package/src/proxy/act/grantee-list.ts +239 -0
package/src/proxy/act/history.test.ts +360 -0
package/src/proxy/act/history.ts +413 -0
package/src/proxy/act/index.test.ts +748 -0
package/src/proxy/act/index.ts +853 -0
package/src/proxy/chunking-encrypted.ts +95 -0
package/src/proxy/chunking.ts +65 -0
package/src/proxy/download-data.ts +448 -0
package/src/proxy/feed-manifest.ts +174 -0
package/src/proxy/feeds/epochs/async-finder.ts +372 -0
package/src/proxy/feeds/epochs/epoch.test.ts +249 -0
package/src/proxy/feeds/epochs/epoch.ts +181 -0
package/src/proxy/feeds/epochs/finder.ts +282 -0
package/src/proxy/feeds/epochs/index.ts +73 -0
package/src/proxy/feeds/epochs/integration.test.ts +1336 -0
package/src/proxy/feeds/epochs/test-utils.ts +274 -0
package/src/proxy/feeds/epochs/types.ts +128 -0
package/src/proxy/feeds/epochs/updater.ts +192 -0
package/src/proxy/feeds/epochs/utils.ts +62 -0
package/src/proxy/feeds/index.ts +5 -0
package/src/proxy/feeds/sequence/async-finder.ts +31 -0
package/src/proxy/feeds/sequence/finder.ts +73 -0
package/src/proxy/feeds/sequence/index.ts +54 -0
package/src/proxy/feeds/sequence/integration.test.ts +966 -0
package/src/proxy/feeds/sequence/types.ts +103 -0
package/src/proxy/feeds/sequence/updater.ts +71 -0
package/src/proxy/index.ts +5 -0
package/src/proxy/manifest-builder.test.ts +427 -0
package/src/proxy/manifest-builder.ts +679 -0
package/src/proxy/mantaray-encrypted.ts +78 -0
package/src/proxy/mantaray.ts +104 -0
package/src/proxy/types.ts +32 -0
package/src/proxy/upload-data.ts +189 -0
package/src/proxy/upload-encrypted-data.ts +658 -0
package/src/schemas.ts +299 -0
package/src/storage/debounced-uploader.ts +192 -0
package/src/storage/utilization-store.ts +397 -0
package/src/swarm-id-client.test.ts +99 -0
package/src/swarm-id-client.ts +3095 -0
package/src/swarm-id-proxy.ts +3891 -0
package/src/sync/index.ts +28 -0
package/src/sync/restore-account.ts +90 -0
package/src/sync/serialization.ts +39 -0
package/src/sync/store-interfaces.ts +62 -0
package/src/sync/sync-account.test.ts +302 -0
package/src/sync/sync-account.ts +396 -0
package/src/sync/types.ts +11 -0
package/src/test-fixtures.ts +109 -0
package/src/types.ts +1651 -0
package/src/utils/account-state-snapshot.test.ts +595 -0
package/src/utils/account-state-snapshot.ts +94 -0
package/src/utils/backup-encryption.test.ts +442 -0
package/src/utils/backup-encryption.ts +352 -0
package/src/utils/batch-utilization.ts +1309 -0
package/src/utils/constants.ts +20 -0
package/src/utils/hex.ts +27 -0
package/src/utils/key-derivation.ts +197 -0
package/src/utils/storage-managers.ts +365 -0
package/src/utils/ttl.ts +129 -0
package/src/utils/url.test.ts +136 -0
package/src/utils/url.ts +71 -0
package/src/utils/versioned-storage.ts +323 -0

package/src/utils/backup-encryption.ts ADDED Viewed

@@ -0,0 +1,352 @@
+/**
+ * Backup Encryption Module
+ *
+ * Provides AES-GCM-256 encryption for .swarmid backup files.
+ * The encryption key is derived from the account's swarmEncryptionKey
+ * (which is always persisted on all account types), so export requires
+ * NO re-authentication. Import requires auth to re-derive the key.
+ *
+ * Key chain: masterKey → swarmEncryptionKey (stored) → backupKey (HMAC-SHA256)
+ */
+import { z } from "zod"
+import { deriveSecret, hexToUint8Array } from "./key-derivation"
+import {
+  serializeAccountStateSnapshot,
+  deserializeAccountStateSnapshot,
+} from "./account-state-snapshot"
+import type { AccountStateSnapshotResult } from "./account-state-snapshot"
+import type { Account, Identity, ConnectedApp, PostageStamp } from "../schemas"
+// ============================================================================
+// Constants
+// ============================================================================
+const BACKUP_KEY_DERIVATION_CONTEXT = "swarm-id-backup-encryption-v1"
+const BACKUP_VERSION = 1
+const IV_LENGTH_BYTES = 12
+// ============================================================================
+// Schemas
+// ============================================================================
+const BackupHeaderBaseSchemaV1 = z.object({
+  version: z.literal(BACKUP_VERSION),
+  accountName: z.string(),
+  exportedAt: z.number(),
+  ciphertext: z.string(),
+})
+export const PasskeyBackupHeaderSchemaV1 = BackupHeaderBaseSchemaV1.extend({
+  accountType: z.literal("passkey"),
+  credentialId: z.string(),
+})
+/**
+ * Ethereum backup header fields (plaintext, not encrypted):
+ *
+ * - `ethereumAddress` — validates the user is connecting the correct wallet
+ *   before attempting decryption.
+ *
+ * Key material is NOT stored in the export header. During import the user
+ * must enter their secret seed, and the master key is re-derived from
+ * `secretSeed + publicKey` via `deriveMasterKey()`.
+ */
+export const EthereumBackupHeaderSchemaV1 = BackupHeaderBaseSchemaV1.extend({
+  accountType: z.literal("ethereum"),
+  ethereumAddress: z.string(),
+})
+export const AgentBackupHeaderSchemaV1 = BackupHeaderBaseSchemaV1.extend({
+  accountType: z.literal("agent"),
+})
+export const EncryptedSwarmIdExportSchemaV1 = z.discriminatedUnion(
+  "accountType",
+  [
+    PasskeyBackupHeaderSchemaV1,
+    EthereumBackupHeaderSchemaV1,
+    AgentBackupHeaderSchemaV1,
+  ],
+)
+// ============================================================================
+// Types
+// ============================================================================
+export type PasskeyBackupHeader = z.infer<typeof PasskeyBackupHeaderSchemaV1>
+export type EthereumBackupHeader = z.infer<typeof EthereumBackupHeaderSchemaV1>
+export type AgentBackupHeader = z.infer<typeof AgentBackupHeaderSchemaV1>
+export type EncryptedSwarmIdExport = z.infer<
+  typeof EncryptedSwarmIdExportSchemaV1
+>
+export type ParseHeaderResult =
+  | { success: true; header: EncryptedSwarmIdExport }
+  | { success: false; error: string }
+// ============================================================================
+// Key Derivation
+// ============================================================================
+/**
+ * Derive an AES-GCM-256 CryptoKey for backup encryption from the stored
+ * swarmEncryptionKey. Uses HMAC-SHA256 with a fixed context string.
+ */
+export async function deriveBackupEncryptionKey(
+  swarmEncryptionKeyHex: string,
+): Promise<CryptoKey> {
+  const backupKeyHex = await deriveSecret(
+    swarmEncryptionKeyHex,
+    BACKUP_KEY_DERIVATION_CONTEXT,
+  )
+  const keyBytes = hexToUint8Array(backupKeyHex)
+  return crypto.subtle.importKey("raw", keyBytes, "AES-GCM", false, [
+    "encrypt",
+    "decrypt",
+  ])
+}
+// ============================================================================
+// Encrypt / Decrypt Payload
+// ============================================================================
+/**
+ * Encrypt a plaintext JSON string with AES-GCM-256.
+ * Returns base64-encoded [IV (12 bytes) || ciphertext+tag].
+ */
+export async function encryptBackupPayload(
+  plaintextJson: string,
+  key: CryptoKey,
+): Promise<string> {
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH_BYTES))
+  const encoded = new TextEncoder().encode(plaintextJson)
+  const ciphertextBuffer = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    encoded,
+  )
+  // Concatenate IV + ciphertext+tag
+  const combined = new Uint8Array(iv.length + ciphertextBuffer.byteLength)
+  combined.set(iv, 0)
+  combined.set(new Uint8Array(ciphertextBuffer), iv.length)
+  return uint8ArrayToBase64(combined)
+}
+/**
+ * Decrypt a base64-encoded [IV (12 bytes) || ciphertext+tag] with AES-GCM-256.
+ * Returns the plaintext JSON string.
+ */
+export async function decryptBackupPayload(
+  ciphertextBase64: string,
+  key: CryptoKey,
+): Promise<string> {
+  const combined = base64ToUint8Array(ciphertextBase64)
+  const iv = combined.slice(0, IV_LENGTH_BYTES)
+  const ciphertext = combined.slice(IV_LENGTH_BYTES)
+  const plaintextBuffer = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv },
+    key,
+    ciphertext,
+  )
+  return new TextDecoder().decode(plaintextBuffer)
+}
+// ============================================================================
+// Header Construction
+// ============================================================================
+/**
+ * Build the plaintext header fields for an encrypted backup,
+ * based on the account type.
+ *
+ * `accountName` and `exportedAt` are deliberately kept in the plaintext
+ * header: accountName helps the user identify which credential to use,
+ * and exportedAt lets them assess backup recency.
+ */
+export type BackupHeaderWithoutCiphertext =
+  | Omit<PasskeyBackupHeader, "ciphertext">
+  | Omit<EthereumBackupHeader, "ciphertext">
+  | Omit<AgentBackupHeader, "ciphertext">
+export function buildBackupHeader(
+  account: Account,
+): BackupHeaderWithoutCiphertext {
+  const base = {
+    version: BACKUP_VERSION as typeof BACKUP_VERSION,
+    accountName: account.name,
+    exportedAt: Date.now(),
+  }
+  if (account.type === "passkey") {
+    return {
+      ...base,
+      accountType: "passkey" as const,
+      credentialId: account.credentialId,
+    }
+  }
+  if (account.type === "ethereum") {
+    return {
+      ...base,
+      accountType: "ethereum" as const,
+      ethereumAddress: account.ethereumAddress.toHex(),
+    }
+  }
+  // agent — no extra fields
+  return { ...base, accountType: "agent" as const }
+}
+// ============================================================================
+// High-Level API
+// ============================================================================
+/**
+ * Create a fully encrypted .swarmid export object.
+ *
+ * 1. Serializes account data to plaintext JSON via serializeAccountStateSnapshot
+ * 2. Derives an AES-GCM-256 key from swarmEncryptionKey
+ * 3. Encrypts the JSON payload
+ * 4. Builds a header with account metadata + ciphertext
+ */
+export async function createEncryptedExport(
+  account: Account,
+  identities: Identity[],
+  connectedApps: ConnectedApp[],
+  postageStamps: PostageStamp[],
+  swarmEncryptionKeyHex: string,
+): Promise<EncryptedSwarmIdExport> {
+  const now = Date.now()
+  const exportData = serializeAccountStateSnapshot({
+    accountId: account.id.toHex(),
+    metadata: {
+      accountName: account.name,
+      defaultPostageStampBatchID: account.defaultPostageStampBatchID?.toHex(),
+      createdAt: account.createdAt,
+      lastModified: now,
+    },
+    identities,
+    connectedApps,
+    postageStamps,
+    timestamp: now,
+  })
+  const plaintextJson = JSON.stringify(exportData)
+  const key = await deriveBackupEncryptionKey(swarmEncryptionKeyHex)
+  const ciphertext = await encryptBackupPayload(plaintextJson, key)
+  const header = buildBackupHeader(account)
+  return EncryptedSwarmIdExportSchemaV1.parse({ ...header, ciphertext })
+}
+/**
+ * Decrypt an encrypted .swarmid export and return the parsed inner data.
+ *
+ * 1. Validates the encrypted header with Zod
+ * 2. Derives the AES-GCM-256 key from swarmEncryptionKey
+ * 3. Decrypts the ciphertext
+ * 4. Parses the inner plaintext via deserializeAccountStateSnapshot
+ */
+export async function decryptEncryptedExport(
+  encryptedData: unknown,
+  swarmEncryptionKeyHex: string,
+): Promise<AccountStateSnapshotResult> {
+  const headerResult = parseEncryptedExportHeader(encryptedData)
+  if (!headerResult.success) {
+    return {
+      success: false,
+      error: new z.ZodError([
+        {
+          code: "custom",
+          message: headerResult.error,
+          path: [],
+        },
+      ]),
+    }
+  }
+  const key = await deriveBackupEncryptionKey(swarmEncryptionKeyHex)
+  let plaintextJson: string
+  try {
+    plaintextJson = await decryptBackupPayload(
+      headerResult.header.ciphertext,
+      key,
+    )
+  } catch {
+    return {
+      success: false,
+      error: new z.ZodError([
+        {
+          code: "custom",
+          message: "Decryption failed: wrong key or corrupted data",
+          path: ["ciphertext"],
+        },
+      ]),
+    }
+  }
+  let innerData: unknown
+  try {
+    innerData = JSON.parse(plaintextJson)
+  } catch {
+    return {
+      success: false,
+      error: new z.ZodError([
+        {
+          code: "custom",
+          message: "Decrypted data is not valid JSON",
+          path: ["ciphertext"],
+        },
+      ]),
+    }
+  }
+  return deserializeAccountStateSnapshot(innerData)
+}
+/**
+ * Parse and validate just the encrypted export header (without decrypting).
+ * Useful for reading account metadata before attempting decryption.
+ */
+export function parseEncryptedExportHeader(data: unknown): ParseHeaderResult {
+  if (typeof data !== "object" || data === null) {
+    return { success: false, error: "Input must be a non-null object" }
+  }
+  const result = EncryptedSwarmIdExportSchemaV1.safeParse(data)
+  if (!result.success) {
+    return {
+      success: false,
+      error: result.error.issues.map((i) => i.message).join("; "),
+    }
+  }
+  return { success: true, header: result.data }
+}
+// ============================================================================
+// Base64 Helpers
+// ============================================================================
+function uint8ArrayToBase64(bytes: Uint8Array): string {
+  let binary = ""
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte)
+  }
+  return btoa(binary)
+}
+function base64ToUint8Array(base64: string): Uint8Array {
+  const binary = atob(base64)
+  const bytes = new Uint8Array(binary.length)
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i)
+  }
+  return bytes
+}