@storacha/encrypt-upload-client 0.0.39 → 1.0.0-0

package/dist/crypto/symmetric/node-aes-cbc-crypto.js

@@ -0,0 +1,110 @@
+import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';
+import * as Type from '../../types.js';
+const ENCRYPTION_ALGORITHM = 'aes-256-cbc';
+const KEY_LENGTH = 256; // bits
+const IV_LENGTH = 16; // bytes (128 bits, used as initialization vector)
+/**
+ * NodeAesCbcCrypto implements AES-CBC symmetric encryption for Node.js environments.
+ * It uses AES-CBC mode for encryption via the Node.js crypto module.
+ * If you already encrypted a file with this class, you still need to use this class to decrypt it.
+ *
+ * @deprecated Use GenericAesCtrStreamingCrypto instead for new uploads
+ * @class
+ * @implements {Type.SymmetricCrypto}
+ */
+export class NodeAesCbcCrypto {
+    /** @param {Type.BlobLike} data  */
+    async encryptStream(data) {
+        const symmetricKey = randomBytes(KEY_LENGTH / 8); // KEY_LENGTH bits for AES
+        const initializationVector = randomBytes(IV_LENGTH); // IV_LENGTH bytes for AES
+        const cipher = createCipheriv(ENCRYPTION_ALGORITHM, symmetricKey, initializationVector);
+        const encryptStream = new TransformStream({
+            transform: async (chunk, controller) => {
+                const encryptedChunk = cipher.update(chunk);
+                if (encryptedChunk.length) {
+                    controller.enqueue(encryptedChunk);
+                }
+            },
+            flush: (controller) => {
+                const final = cipher.final();
+                if (final.length) {
+                    controller.enqueue(final);
+                }
+            },
+        });
+        return Promise.resolve({
+            key: symmetricKey,
+            iv: initializationVector,
+            encryptedStream: data.stream().pipeThrough(encryptStream),
+        });
+    }
+    /**
+     * @param {ReadableStream} encryptedData
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     */
+    async decryptStream(encryptedData, key, iv) {
+        const decipher = createDecipheriv(ENCRYPTION_ALGORITHM, key, iv);
+        const decryptor = new TransformStream({
+            async transform(chunk, controller) {
+                try {
+                    const decryptedChunk = decipher.update(chunk);
+                    if (decryptedChunk.length > 0) {
+                        controller.enqueue(decryptedChunk);
+                    }
+                }
+                catch (err) {
+                    controller.error(err);
+                }
+            },
+            flush(controller) {
+                try {
+                    const finalChunk = decipher.final();
+                    if (finalChunk.length > 0) {
+                        controller.enqueue(finalChunk);
+                    }
+                    controller.terminate();
+                }
+                catch (err) {
+                    controller.error(err);
+                }
+            },
+        });
+        return Promise.resolve(encryptedData.pipeThrough(decryptor));
+    }
+    /**
+     * Combine key and IV into a single array for AES-CBC
+     *
+     * @param {Uint8Array} key - The AES key (KEY_LENGTH/8 bytes)
+     * @param {Uint8Array} iv - The AES-CBC IV (IV_LENGTH bytes)
+     * @returns {Uint8Array} Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
+     */
+    combineKeyAndIV(key, iv) {
+        const keyBytes = KEY_LENGTH / 8;
+        if (key.length !== keyBytes) {
+            throw new Error(`AES-${KEY_LENGTH} key must be ${keyBytes} bytes, got ${key.length}`);
+        }
+        if (iv.length !== IV_LENGTH) {
+            throw new Error(`AES-CBC IV must be ${IV_LENGTH} bytes, got ${iv.length}`);
+        }
+        return new Uint8Array([...key, ...iv]);
+    }
+    /**
+     * Split combined key and IV for AES-CBC
+     *
+     * @param {Uint8Array} combined - Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
+     * @returns {{ key: Uint8Array, iv: Uint8Array }} Separated key and IV
+     */
+    splitKeyAndIV(combined) {
+        const keyBytes = KEY_LENGTH / 8;
+        const expectedLength = keyBytes + IV_LENGTH;
+        if (combined.length !== expectedLength) {
+            throw new Error(`AES-${KEY_LENGTH}-CBC combined key+IV must be ${expectedLength} bytes, got ${combined.length}`);
+        }
+        return {
+            key: combined.subarray(0, keyBytes),
+            iv: combined.subarray(keyBytes, keyBytes + IV_LENGTH),
+        };
+    }
+}
+//# sourceMappingURL=node-aes-cbc-crypto.js.map

package/dist/handlers/decrypt-handler.d.ts

@@ -1,10 +1,15 @@
 /**
+ * Decrypt file content using the decrypted symmetric key and IV.
+ *
  * @param {Type.CryptoAdapter} cryptoAdapter - The crypto adapter responsible for performing
  * encryption and decryption operations.
- * @param {string} combinedKey
- * @param {Uint8Array} content
+ * @param {Uint8Array} key - The symmetric key
+ * @param {Uint8Array} iv - The initialization vector
+ * @param {Uint8Array} content - The encrypted file content
+ * @returns {Promise<ReadableStream>} The decrypted file stream
  */
-export function decryptFileWithKey(cryptoAdapter: Type.CryptoAdapter, combinedKey: string, content: Uint8Array): Promise<ReadableStream<any>>;
-export function retrieveAndDecrypt(storachaClient: import("@storacha/client").Client, litClient: import("@lit-protocol/lit-node-client").LitNodeClient, cryptoAdapter: Type.CryptoAdapter, gatewayURL: URL, signer: Type.LitWalletSigner | Type.LitPkpSigner, cid: Type.AnyLink, delegationCAR: Uint8Array): Promise<ReadableStream<any>>;
+export function decryptFileWithKey(cryptoAdapter: Type.CryptoAdapter, key: Uint8Array, iv: Uint8Array, content: Uint8Array): Promise<ReadableStream>;
+export function retrieveAndDecrypt(storachaClient: import("@storacha/client").Client, cryptoAdapter: Type.CryptoAdapter, gatewayURL: URL, cid: Type.AnyLink, delegationCAR: Uint8Array, decryptionOptions: Type.DecryptionOptions): Promise<ReadableStream>;
+export function getCarFileFromPublicGateway(gatewayURL: URL, cid: string): Promise<Uint8Array>;
 import * as Type from '../types.js';
 //# sourceMappingURL=decrypt-handler.d.ts.map

package/dist/handlers/decrypt-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/decrypt-handler.js"],"names":[],"mappings":"AAuGA;;;;;GAKG;AACH,kDALW,IAAI,CAAC,aAAa,eAElB,MAAM,WACN,UAAU,gCAuBpB;AA3GM,mDATI,OAAO,kBAAkB,EAAE,MAAM,aACjC,OAAO,+BAA+B,EAAE,aAAa,iBACrD,IAAI,CAAC,aAAa,cAElB,GAAG,UACH,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,YAAY,OACxC,IAAI,CAAC,OAAO,iBACZ,UAAU,gCAgFpB;sBA9FqB,aAAa"}
+{"version":3,"file":"decrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/decrypt-handler.js"],"names":[],"mappings":"AA4DA;;;;;;;;;GASG;AACH,kDAPW,IAAI,CAAC,aAAa,OAElB,UAAU,MACV,UAAU,WACV,UAAU,GACR,OAAO,CAAC,cAAc,CAAC,CAanC;AA9DM,mDATI,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,cAElB,GAAG,OACH,IAAI,CAAC,OAAO,iBACZ,UAAU,qBACV,IAAI,CAAC,iBAAiB,GACpB,OAAO,CAAC,cAAc,CAAC,CAyCnC;AAoCM,wDAJI,GAAG,OACH,MAAM,GACJ,OAAO,CAAC,UAAU,CAAC,CA+B/B;sBAtHqB,aAAa"}

package/dist/handlers/decrypt-handler.js

@@ -1,144 +1,113 @@
 import { CID } from 'multiformats';
-import { CarIndexer } from '@ipld/car';
+import { CarIndexer, CarReader } from '@ipld/car';
 import { exporter } from 'ipfs-unixfs-exporter';
 import { MemoryBlockstore } from 'blockstore-core';
-import { base64 } from 'multiformats/bases/base64';
-import * as Lit from '../protocols/lit.js';
 import * as Type from '../types.js';
-import * as EncryptedMetadata from '../core/encrypted-metadata.js';
-import { createDecryptWrappedInvocation } from '../utils.js';
 /**
- * Retrieve and decrypt a file from the IPFS gateway.
+ * Retrieve and decrypt a file from the IPFS gateway using any supported encryption strategy.
  *
  * @param {import('@storacha/client').Client} storachaClient - The Storacha client
- * @param {import('@lit-protocol/lit-node-client').LitNodeClient} litClient - The Lit client
  * @param {Type.CryptoAdapter} cryptoAdapter - The crypto adapter responsible for performing
  * encryption and decryption operations.
  * @param {URL} gatewayURL - The IPFS gateway URL
- * @param {Type.LitWalletSigner | Type.LitPkpSigner} signer - The wallet or PKP key signer to decrypt the file
  * @param {Type.AnyLink} cid - The link to the file to retrieve
- * @param {Uint8Array} delegationCAR - The delegation that gives permission to decrypt the file
+ * @param {Uint8Array} delegationCAR - The delegation that gives permission to decrypt (required for both strategies)
+ * @param {Type.DecryptionOptions} decryptionOptions - User-provided decryption options
+ * @returns {Promise<ReadableStream>} The decrypted file stream
  */
-export const retrieveAndDecrypt = async (storachaClient, litClient, cryptoAdapter, gatewayURL, signer, cid, delegationCAR) => {
-    const encryptedMetadataCar = await getCarFileFromGateway(gatewayURL, cid.toString());
-    const { encryptedDataCID, identityBoundCiphertext, plaintextKeyHash, accessControlConditions, } = extractEncryptedMetadata(encryptedMetadataCar);
-    const spaceDID = /** @type {`did:key:${string}`} */ (accessControlConditions[0].parameters[1]);
-    const encryptedData = await getEncryptedDataFromCar(encryptedMetadataCar, encryptedDataCID);
-    if (!signer) {
-        throw new Error('Signer is required');
-    }
-    /**
-     * TODO: check if the wallet has capacity credits, if not get it
-     */
-    const acc = 
-    /** @type import('@lit-protocol/types').AccessControlConditions */ (
-    /** @type {unknown} */ (accessControlConditions));
-    const expiration = new Date(Date.now() + 1000 * 60 * 5).toISOString(); // 5 min
-    // TODO: store the session signature (https://developer.litprotocol.com/intro/first-request/generating-session-sigs#nodejs)
-    let sessionSigs;
-    if ('wallet' in signer) {
-        sessionSigs = await Lit.getSessionSigs(litClient, {
-            wallet: signer.wallet,
-            dataToEncryptHash: plaintextKeyHash,
-            expiration,
-            accessControlConditions: acc,
-        });
-    }
-    else {
-        sessionSigs = await Lit.getPkpSessionSigs(litClient, {
-            pkpPublicKey: signer.pkpPublicKey,
-            authMethod: signer.authMethod,
-            dataToEncryptHash: plaintextKeyHash,
-            expiration,
-            accessControlConditions: acc,
-        });
-    }
-    const wrappedInvocationJSON = await createDecryptWrappedInvocation({
+export const retrieveAndDecrypt = async (storachaClient, cryptoAdapter, gatewayURL, cid, delegationCAR, decryptionOptions) => {
+    // Step 1: Get the encrypted metadata from the public gateway
+    const encryptedMetadataCar = await getCarFileFromPublicGateway(gatewayURL, cid.toString());
+    // Step 2: Extract encrypted metadata from the CAR file
+    const metadata = cryptoAdapter.extractEncryptedMetadata(encryptedMetadataCar);
+    // Step 3: Get the encrypted data from the CAR file
+    const encryptedData = await getEncryptedDataFromCar(encryptedMetadataCar, metadata.encryptedDataCID);
+    // Step 4: Decrypt the encrypted symmetric key
+    const encryptedSymmetricKey = cryptoAdapter.getEncryptedKey(metadata);
+    const { key, iv } = await cryptoAdapter.decryptSymmetricKey(encryptedSymmetricKey, {
+        decryptionOptions,
+        metadata,
         delegationCAR,
-        spaceDID,
         resourceCID: cid,
         issuer: storachaClient.agent.issuer,
         audience: storachaClient.defaultProvider(),
-        expiration: new Date(Date.now() + 1000 * 60 * 10).getTime(), // 10 min
     });
-    const decryptKey = await Lit.executeUcanValidationAction(litClient, {
-        sessionSigs,
-        spaceDID,
-        identityBoundCiphertext,
-        plaintextKeyHash,
-        accessControlConditions,
-        wrappedInvocationJSON,
-    });
-    return decryptFileWithKey(cryptoAdapter, decryptKey, encryptedData);
+    // Step 5: Decrypt the encrypted file content using the decrypted symmetric key and IV
+    return decryptFileWithKey(cryptoAdapter, key, iv, encryptedData);
 };
 /**
+ * Decrypt file content using the decrypted symmetric key and IV.
+ *
  * @param {Type.CryptoAdapter} cryptoAdapter - The crypto adapter responsible for performing
  * encryption and decryption operations.
- * @param {string} combinedKey
- * @param {Uint8Array} content
+ * @param {Uint8Array} key - The symmetric key
+ * @param {Uint8Array} iv - The initialization vector
+ * @param {Uint8Array} content - The encrypted file content
+ * @returns {Promise<ReadableStream>} The decrypted file stream
  */
-export function decryptFileWithKey(cryptoAdapter, combinedKey, content) {
-    // Split the decrypted data back into key and initializationVector
-    const decryptedKeyData = base64.decode(combinedKey);
-    const symmetricKey = decryptedKeyData.subarray(0, 32);
-    const initializationVector = decryptedKeyData.subarray(32);
-    // Create a ReadableStream from the Uint8Array
+export function decryptFileWithKey(cryptoAdapter, key, iv, content) {
     const contentStream = new ReadableStream({
         start(controller) {
             controller.enqueue(content);
             controller.close();
         },
     });
-    const decryptedStream = cryptoAdapter.decryptStream(contentStream, symmetricKey, initializationVector);
+    const decryptedStream = cryptoAdapter.decryptStream(contentStream, key, iv);
     return decryptedStream;
 }
 /**
+ * Fetch a CAR file from the public IPFS gateway with root CID verification.
  *
- * @param {URL} gatewayURL
- * @param {string} cid
+ * SECURITY: This function provides metadata integrity protection (P0.2).
+ * Verifies the returned CAR matches the requested CID to prevent metadata tampering.
+ * Content integrity (P2.2) is handled by existing IPFS tools in getEncryptedDataFromCar.
+ *
+ * @param {URL} gatewayURL - The IPFS gateway URL
+ * @param {string} cid - The CID to fetch
+ * @returns {Promise<Uint8Array>} The verified CAR file bytes
  */
-const getCarFileFromGateway = async (gatewayURL, cid) => {
+export const getCarFileFromPublicGateway = async (gatewayURL, cid) => {
     const url = new URL(`/ipfs/${cid}?format=car`, gatewayURL);
     const response = await fetch(url);
     if (!response.ok) {
         throw new Error(`Failed to fetch: ${response.status} ${response.statusText}`);
     }
     const car = new Uint8Array(await response.arrayBuffer());
-    return car;
-};
-/**
- *
- * @param {Uint8Array} car
- */
-const extractEncryptedMetadata = (car) => {
-    const encryptedContentResult = EncryptedMetadata.extract(car);
-    if (encryptedContentResult.error) {
-        throw encryptedContentResult.error;
+    // SECURITY: Verify the CAR's root CID matches what we requested
+    const reader = await CarReader.fromBytes(car);
+    const roots = await reader.getRoots();
+    const expectedCID = CID.parse(cid);
+    if (roots.length !== 1) {
+        throw new Error(`CAR file must have exactly one root CID, found ${roots.length}`);
+    }
+    if (!roots[0].equals(expectedCID)) {
+        throw new Error(`CID verification failed: expected ${expectedCID} but CAR contains ${roots[0]}`);
     }
-    let encryptedContent = encryptedContentResult.ok.toJSON();
-    return encryptedContent;
+    return car;
 };
 /**
+ * Extract encrypted data from a CAR file.
  *
- * @param {Uint8Array} car
- * @param {string} encryptedDataCID
+ * @param {Uint8Array} car - The CAR file bytes
+ * @param {string} encryptedDataCID - The CID of the encrypted data
+ * @returns {Promise<Uint8Array>} The encrypted data bytes
  */
 const getEncryptedDataFromCar = async (car, encryptedDataCID) => {
-    // NOTE: convert CAR to a block store
+    // Step 1: Index the CAR file for efficient block lookup
     const iterable = await CarIndexer.fromBytes(car);
-    const blockstore = new MemoryBlockstore();
+    const blockIndex = new Map();
     for await (const { cid, blockLength, blockOffset } of iterable) {
-        const blockBytes = car.slice(blockOffset, blockOffset + blockLength);
-        await blockstore.put(cid, blockBytes);
+        blockIndex.set(cid.toString(), { blockOffset, blockLength });
     }
-    // NOTE: get the encrypted Data from the CAR file
+    // Step 2: Use the index to extract the encrypted data block bytes as needed
+    const { blockOffset, blockLength } = blockIndex.get(encryptedDataCID);
+    const blockBytes = car.subarray(blockOffset, blockOffset + blockLength);
+    // Step 3: Put the block in a blockstore for exporter compatibility
+    const blockstore = new MemoryBlockstore();
+    await blockstore.put(CID.parse(encryptedDataCID), blockBytes);
+    // Step 4: Get the encrypted data from the CAR file
     const encryptedDataEntry = await exporter(CID.parse(encryptedDataCID), blockstore);
-    const encryptedDataBytes = new Uint8Array(Number(encryptedDataEntry.size));
-    let offset = 0;
-    for await (const chunk of encryptedDataEntry.content()) {
-        encryptedDataBytes.set(chunk, offset);
-        offset += chunk.length;
-    }
-    return encryptedDataBytes;
+    // Step 5: Return the async iterable (stream of chunks)
+    return encryptedDataEntry.content(); // async iterable of Uint8Array
 };
 //# sourceMappingURL=decrypt-handler.js.map

package/dist/handlers/encrypt-handler.d.ts

@@ -1,3 +1,3 @@
-export function encryptAndUpload(storachaClient: import("@storacha/client").Client, litClient: import("@lit-protocol/lit-node-client").LitNodeClient, cryptoAdapter: Type.CryptoAdapter, file: Type.BlobLike): Promise<Type.AnyLink>;
+export function encryptAndUpload(storachaClient: import("@storacha/client").Client, cryptoAdapter: Type.CryptoAdapter, file: Type.BlobLike, encryptionConfig: Type.EncryptionConfig, uploadOptions?: Type.UploadOptions): Promise<Type.AnyLink>;
 import * as Type from '../types.js';
 //# sourceMappingURL=encrypt-handler.d.ts.map

package/dist/handlers/encrypt-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/encrypt-handler.js"],"names":[],"mappings":"AAkBO,iDAPI,OAAO,kBAAkB,EAAE,MAAM,aACjC,OAAO,+BAA+B,EAAE,aAAa,iBACrD,IAAI,CAAC,aAAa,QAElB,IAAI,CAAC,QAAQ,GACX,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CA4BjC;sBAxCqB,aAAa"}
+{"version":3,"file":"encrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/encrypt-handler.js"],"names":[],"mappings":"AAgBO,iDARI,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,QAElB,IAAI,CAAC,QAAQ,oBACb,IAAI,CAAC,gBAAgB,kBACrB,IAAI,CAAC,aAAa,GAChB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CA6BjC;sBAxCqB,aAAa"}

package/dist/handlers/encrypt-handler.js

@@ -1,42 +1,39 @@
 import { CARWriterStream } from 'carstream';
-import { base64 } from 'multiformats/bases/base64';
 import { createFileEncoderStream } from '@storacha/upload-client/unixfs';
 import * as Type from '../types.js';
-import * as Lit from '../protocols/lit.js';
-import * as EncryptedMetadata from '../core/encrypted-metadata.js';
 /**
  * Encrypt and upload a file to the Storacha network
  *
  * @param {import('@storacha/client').Client} storachaClient - The Storacha client
- * @param {import('@lit-protocol/lit-node-client').LitNodeClient} litClient - The Lit client
  * @param {Type.CryptoAdapter} cryptoAdapter - The crypto adapter responsible for performing
  * encryption and decryption operations.
  * @param {Type.BlobLike} file - The file to upload
+ * @param {Type.EncryptionConfig} encryptionConfig - User-provided encryption configuration
+ * @param {Type.UploadOptions} [uploadOptions] - User-provided upload options
  * @returns {Promise<Type.AnyLink>} - The link to the uploaded file
  */
-export const encryptAndUpload = async (storachaClient, litClient, cryptoAdapter, file) => {
-    const spaceDID = /** @type {Type.SpaceDID | undefined} */ (storachaClient.agent.currentSpace());
-    if (!spaceDID)
+export const encryptAndUpload = async (storachaClient, cryptoAdapter, file, encryptionConfig, uploadOptions = {}) => {
+    // Step 1: Validate required configuration
+    if (!encryptionConfig.spaceDID)
         throw new Error('No space selected!');
-    const accessControlConditions = Lit.getAccessControlConditions(spaceDID);
-    const encryptedPayload = await encryptFile(litClient, cryptoAdapter, file, accessControlConditions);
-    const rootCid = await uploadEncryptedMetadata(storachaClient, encryptedPayload, accessControlConditions);
+    // Step 2: Encrypt the file using the crypto adapter
+    const encryptedPayload = await encryptFile(cryptoAdapter, file, encryptionConfig);
+    // Step 3: Build and upload the encrypted metadata to the Storacha network
+    const rootCid = await buildAndUploadEncryptedMetadata(storachaClient, encryptedPayload, cryptoAdapter, uploadOptions);
+    // Step 4: Return the root CID of the encrypted metadata
     return rootCid;
 };
 /**
  * Upload encrypted metadata to the Storacha network
  *
  * @param {import('@storacha/client').Client} storachaClient - The Storacha client
- * @param {Type.EncryptedPayload} encryptedPayload - The encrypted payload
- * @param {import('@lit-protocol/types').AccessControlConditions} accessControlConditions - The access control conditions
- * @param {object} [options] - The upload options
- * @param {boolean} [options.publishToFilecoin] - Whether to publish the data to Filecoin
+ * @param {Type.EncryptionPayload} encryptedPayload - The encrypted payload
+ * @param {Type.CryptoAdapter} cryptoAdapter - The crypto adapter for formatting metadata
+ * @param {Type.UploadOptions} [uploadOptions] - The upload options
  * @returns {Promise<Type.AnyLink>} - The link to the uploaded metadata
  */
-const uploadEncryptedMetadata = async (storachaClient, encryptedPayload, accessControlConditions, options = {
-    publishToFilecoin: false,
-}) => {
-    const { identityBoundCiphertext, plaintextKeyHash, encryptedBlobLike } = encryptedPayload;
+const buildAndUploadEncryptedMetadata = async (storachaClient, encryptedPayload, cryptoAdapter, uploadOptions) => {
+    const { encryptedKey, metadata, encryptedBlobLike } = encryptedPayload;
     return storachaClient.uploadCAR({
         stream() {
             /** @type {any} */
@@ -50,45 +47,38 @@ const uploadEncryptedMetadata = async (storachaClient, encryptedPayload, accessC
                 async flush(controller) {
                     if (!root)
                         throw new Error('missing root block');
-                    /** @type {Type.EncryptedMetadataInput} */
-                    const uploadData = {
-                        encryptedDataCID: root.cid.toString(),
-                        identityBoundCiphertext,
-                        plaintextKeyHash,
-                        accessControlConditions: 
-                        /** @type {[Record<string, any>]} */ (
-                        /** @type {unknown} */ (accessControlConditions)),
-                    };
-                    const encryptedMetadata = EncryptedMetadata.create(uploadData);
-                    const { cid, bytes } = await encryptedMetadata.archiveBlock();
+                    const { cid, bytes } = await cryptoAdapter.encodeMetadata(root.cid.toString(), encryptedKey, metadata);
                     controller.enqueue({ cid, bytes });
                 },
             }))
                 .pipeThrough(new CARWriterStream());
         },
     }, {
-        // if publishToFilecoin is false, the data won't be published to Filecoin, so we need to set pieceHasher to undefined
-        ...(options.publishToFilecoin === true ? {} : { pieceHasher: undefined }),
+        ...uploadOptions,
+        // the encrypted data won't be published to Filecoin, so we need to set pieceHasher to undefined
+        pieceHasher: undefined,
     });
 };
 /**
- * Encrypt a file
+ * Encrypt a file using the crypto adapter and return the encrypted payload.
+ * The encrypted payload contains the encrypted file, the encrypted symmetric key, and the metadata.
  *
- * @param {import('@lit-protocol/lit-node-client').LitNodeClient} litClient - The Lit client
  * @param {Type.CryptoAdapter} cryptoAdapter - The crypto adapter responsible for performing
  * encryption and decryption operations.
  * @param {Type.BlobLike} file - The file to encrypt
- * @param {import('@lit-protocol/types').AccessControlConditions} accessControlConditions - The access control conditions
- * @returns {Promise<Type.EncryptedPayload>} - The encrypted file
+ * @param {Type.EncryptionConfig} encryptionConfig - The encryption configuration
+ * @returns {Promise<Type.EncryptionPayload>} - The encrypted file
  */
-const encryptFile = async (litClient, cryptoAdapter, file, accessControlConditions) => {
+const encryptFile = async (cryptoAdapter, file, encryptionConfig) => {
+    // Step 1: Encrypt the file using the crypto adapter
     const { key, iv, encryptedStream } = await cryptoAdapter.encryptStream(file);
-    // Combine key and initializationVector for Lit encryption
-    const dataToEncrypt = base64.encode(new Uint8Array([...key, ...iv]));
-    const { ciphertext, dataToEncryptHash } = await Lit.encryptString({ dataToEncrypt, accessControlConditions }, litClient);
+    // Step 2: Use crypto adapter to encrypt the symmetric key
+    const keyResult = await cryptoAdapter.encryptSymmetricKey(key, iv, encryptionConfig);
+    // Step 3: Return the encrypted payload
     return {
-        identityBoundCiphertext: ciphertext,
-        plaintextKeyHash: dataToEncryptHash,
+        strategy: keyResult.strategy,
+        encryptedKey: keyResult.encryptedKey,
+        metadata: keyResult.metadata,
         encryptedBlobLike: { stream: () => encryptedStream },
     };
 };

package/dist/protocols/lit.d.ts

@@ -18,9 +18,7 @@ export function getSessionSigs(litClient: LitNodeClient, { wallet, accessControl
  */
 export function getPkpSessionSigs(litClient: LitNodeClient, { pkpPublicKey, authMethod, accessControlConditions, dataToEncryptHash, expiration, capabilityAuthSigs, }: Type.PkpSessionSignatureOptions): Promise<import("@lit-protocol/types").SessionSigsMap>;
 export { encryptString } from "@lit-protocol/encryption";
-export function getAccessControlConditions(spaceDID: import("@ucanto/core/schema").Schema<`did:key:${string}` & `did:${string}` & import("multiformats").Phantom<{
-    protocol: "did:";
-}>, any>): import("@lit-protocol/types").AccessControlConditions;
+export function getAccessControlConditions(spaceDID: Type.SpaceDID): import("@lit-protocol/types").AccessControlConditions;
 export function executeUcanValidationAction(litClient: LitNodeClient, options: Type.ExecuteUcanValidationOptions): Promise<any>;
 import { LitNodeClient } from '@lit-protocol/lit-node-client';
 import * as Type from '../types.js';

package/dist/protocols/lit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lit.d.ts","sourceRoot":"","sources":["../../src/protocols/lit.js"],"names":[],"mappings":"AAsCA;;GAEG;AACH,uDAQC;AAED;;;;GAIG;AACH,0CAJW,aAAa,2FACb,IAAI,CAAC,uBAAuB,GAC1B,OAAO,CAAC,OAAO,qBAAqB,EAAE,cAAc,CAAC,CAsDjE;AAED;;;;;;;GAOG;AACH,6CAJW,aAAa,6GACb,IAAI,CAAC,0BAA0B,GAC7B,OAAO,CAAC,OAAO,qBAAqB,EAAE,cAAc,CAAC,CAqCjE;;AAnIM;;WAFM,OAAO,qBAAqB,EAAE,uBAAuB,CAgBjE;AA6HM,uDAJI,aAAa,WACb,IAAI,CAAC,4BAA4B,gBA4B3C;8BA1L6B,+BAA+B;sBAUvC,aAAa"}
+{"version":3,"file":"lit.d.ts","sourceRoot":"","sources":["../../src/protocols/lit.js"],"names":[],"mappings":"AAsCA;;GAEG;AACH,uDAQC;AAED;;;;GAIG;AACH,0CAJW,aAAa,2FACb,IAAI,CAAC,uBAAuB,GAC1B,OAAO,CAAC,OAAO,qBAAqB,EAAE,cAAc,CAAC,CAsDjE;AAED;;;;;;;GAOG;AACH,6CAJW,aAAa,6GACb,IAAI,CAAC,0BAA0B,GAC7B,OAAO,CAAC,OAAO,qBAAqB,EAAE,cAAc,CAAC,CAqCjE;;AAnIM,qDAHI,IAAI,CAAC,QAAQ,GACX,OAAO,qBAAqB,EAAE,uBAAuB,CAgBjE;AA6HM,uDAJI,aAAa,WACb,IAAI,CAAC,4BAA4B,gBA4B3C;8BA1L6B,+BAA+B;sBAUvC,aAAa"}