@storacha/encrypt-upload-client 0.0.8-0

package/README.md

@@ -0,0 +1,82 @@
+<h1 align="center">🐔 + 🔑<br/>Encrypt Upload Client</h1>
+<p align="center">Use Lit Protocol and Storacha Network to enable private decentralized hot storage.</a></p>
+
+## About
+
+This library leverages @storacha/cli and @lit-protocol/lit-node-client to provide a simple interface for encrypting files with Lit Protocol and uploading them to the Storacha Network. It also enables anyone with a valid space/content/decrypt UCAN delegation to decrypt the file. With Lit Protocol, encryption keys are managed in a decentralized way, so you don’t have to handle them yourself.
+
+## Install
+
+You can add the `@storacha/encrypt-upload-client` package to your JavaScript or TypeScript project with `npm`:
+
+```sh
+npm @storacha/encrypt-upload-client
+```
+
+## Usage
+
+To use this library, you'll need to install `@storacha/cli` and `@lit-protocol/lit-node-client`, as they are required for initialization—though the Lit client is optional. You must also provide a crypto adapter that implements the `CryptoAdapter` interface. A ready-to-use Node.js crypto adapter is already available.
+
+#### CryptoAdapter Interface
+
+```js
+interface CryptoAdapter {
+  encryptStream(data: BlobLike): EncryptOutput
+  decryptStream(encryptedData: ReadableStream, key: Uint8Array, iv: Uint8Array): ReadableStream
+}
+
+interface EncryptOutput {
+  key: Uint8Array,
+  iv: Uint8Array,
+  encryptedStream: ReadableStream
+}
+```
+
+#### Example Usage
+
+```js
+const encryptedClient = await EncryptClient.create({
+  storachaClient,
+  cryptoAdapter: new NodeCryptoAdapter(),
+})
+```
+
+### Encryption
+
+The encryption process automatically generates a custom Access Control Condition (ACC) based on the current space setup in your Storacha client. It then creates a symmetric key to encrypt the file and uses Lit Protocol to encrypt that key, so you don’t have to manage it yourself. Once encrypted, both the file and the generated encrypted metadata are uploaded to Storacha.
+
+#### Example Usage
+
+```js
+const fileContent = await fs.promises.readFile('./README.md')
+const blob = new Blob([fileContent])
+const cid = await encryptedClient.uploadEncryptedFile(blob)
+```
+
+You can find a full example in `examples/encrypt-test.js`.
+
+### Decryption
+
+To decrypt a file, you'll need the CID returned from `uploadEncryptedFile`, a UCAN delegation CAR with the `space/content/decrypt` capability (proving that the file owner has granted you decryption access), and an Ethereum wallet with available Capacity Credits on the Lit Network to cover the decryption cost.
+
+For details on minting Capacity Credits, check out the [official documentation](https://developer.litprotocol.com/concepts/capacity-credits-concept).
+
+#### Example Usage
+
+```js
+const decryptedContent = await encryptedClient.retrieveAndDecryptFile(
+  wallet,
+  cid,
+  delegationCarBuffer
+)
+```
+
+You can find a full example in `examples/decrypt-test.js`.
+
+## Contributing
+
+Feel free to join in. All welcome. Please [open an issue](https://github.com/storacha/upload-service/issues)!
+
+## License
+
+Dual-licensed under [MIT + Apache 2.0](https://github.com/storacha/upload-service/blob/main/license.md)

package/dist/config/constants.d.ts

@@ -0,0 +1,3 @@
+export const STORACHA_LIT_ACTION_CID: "QmPS28E5jcwn3GDs5heNkE2w84nKdYYkaimJHCisHiBc7C";
+export const GATEWAY_URL: URL;
+//# sourceMappingURL=constants.d.ts.map

package/dist/config/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/config/constants.js"],"names":[],"mappings":"AAAA,sCACE,gDAAgD,CAAA;AAClD,8BAAsD"}

package/dist/config/constants.js

@@ -0,0 +1,3 @@
+export const STORACHA_LIT_ACTION_CID = 'QmPS28E5jcwn3GDs5heNkE2w84nKdYYkaimJHCisHiBc7C';
+export const GATEWAY_URL = new URL('https://w3s.link');
+//# sourceMappingURL=constants.js.map

package/dist/config/env.d.ts

@@ -0,0 +1,8 @@
+export default env;
+declare const env: Schema.InferStruct<{
+    WALLET_PK: Schema.StringSchema<string, unknown>;
+    LIT_NETWORK: Schema.DefaultSchema<"custom" | "datil" | "datil-dev" | "datil-test", unknown>;
+    LIT_DEBUG: Schema.DefaultSchema<boolean, unknown>;
+}>;
+import { Schema } from '@ucanto/core';
+//# sourceMappingURL=env.d.ts.map

package/dist/config/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/config/env.js"],"names":[],"mappings":";AAuBA;;;;GAAsC;uBAtBf,cAAc"}

package/dist/config/env.js

@@ -0,0 +1,22 @@
+import dotenv from 'dotenv';
+import { Schema } from '@ucanto/core';
+import { LIT_NETWORK } from '@lit-protocol/constants';
+dotenv.config();
+const envSchema = Schema.struct({
+    WALLET_PK: Schema.text(),
+    LIT_NETWORK: Schema.enum([
+        LIT_NETWORK.Custom,
+        LIT_NETWORK.Datil,
+        LIT_NETWORK.DatilDev,
+        LIT_NETWORK.DatilTest,
+    ]).default(LIT_NETWORK.DatilTest),
+    LIT_DEBUG: Schema.boolean().default(false),
+});
+const processEnv = {
+    LIT_DEBUG: process.env.LIT_DEBUG,
+    LIT_NETWORK: process.env.LIT_NETWORK,
+    WALLET_PK: process.env.WALLET_PK,
+};
+const env = envSchema.from(processEnv);
+export default env;
+//# sourceMappingURL=env.js.map

package/dist/config/service.d.ts

@@ -0,0 +1,14 @@
+export const accessServiceURL: URL;
+export const accessServicePrincipal: client.UCAN.PrincipalView<"did:web:web3.storage">;
+export const accessServiceConnection: client.ConnectionView<any>;
+export const uploadServiceURL: URL;
+export const uploadServicePrincipal: client.UCAN.PrincipalView<"did:web:web3.storage">;
+export const uploadServiceConnection: client.ConnectionView<any>;
+export const filecoinServiceURL: URL;
+export const filecoinServicePrincipal: client.UCAN.PrincipalView<"did:web:web3.storage">;
+export const filecoinServiceConnection: client.ConnectionView<any>;
+/** @type {import('@storacha/client/types').ServiceConf} */
+export const serviceConf: import("@storacha/client/types").ServiceConf;
+export const receiptsEndpoint: URL;
+import * as client from '@ucanto/client';
+//# sourceMappingURL=service.d.ts.map

package/dist/config/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../src/config/service.js"],"names":[],"mappings":"AAOA,mCAA2D;AAC3D,uFAAqE;AAErE,iEAIE;AAEF,mCAA2D;AAC3D,uFAAqE;AAErE,iEAIE;AAEF,qCAA6D;AAC7D,yFAAuE;AAEvE,mEAIE;AAEF,2DAA2D;AAC3D,0BADW,OAAO,wBAAwB,EAAE,WAAW,CAKtD;AAED,mCAAyE;wBAzCjD,gBAAgB"}

package/dist/config/service.js

@@ -0,0 +1,34 @@
+import * as client from '@ucanto/client';
+import { CAR, HTTP } from '@ucanto/transport';
+import * as DID from '@ipld/dag-ucan/did';
+const storachaServiceURL = 'https://up.web3.storage';
+const storachaPrincipalDID = 'did:web:web3.storage';
+export const accessServiceURL = new URL(storachaServiceURL);
+export const accessServicePrincipal = DID.parse(storachaPrincipalDID);
+export const accessServiceConnection = client.connect({
+    id: accessServicePrincipal,
+    codec: CAR.outbound,
+    channel: HTTP.open({ url: accessServiceURL, method: 'POST' }),
+});
+export const uploadServiceURL = new URL(storachaServiceURL);
+export const uploadServicePrincipal = DID.parse(storachaPrincipalDID);
+export const uploadServiceConnection = client.connect({
+    id: uploadServicePrincipal,
+    codec: CAR.outbound,
+    channel: HTTP.open({ url: accessServiceURL, method: 'POST' }),
+});
+export const filecoinServiceURL = new URL(storachaServiceURL);
+export const filecoinServicePrincipal = DID.parse(storachaPrincipalDID);
+export const filecoinServiceConnection = client.connect({
+    id: filecoinServicePrincipal,
+    codec: CAR.outbound,
+    channel: HTTP.open({ url: accessServiceURL, method: 'POST' }),
+});
+/** @type {import('@storacha/client/types').ServiceConf} */
+export const serviceConf = {
+    access: accessServiceConnection,
+    upload: uploadServiceConnection,
+    filecoin: filecoinServiceConnection,
+};
+export const receiptsEndpoint = new URL(`${storachaServiceURL}/receipt/`);
+//# sourceMappingURL=service.js.map

package/dist/core/client.d.ts

@@ -0,0 +1,50 @@
+/** @implements {Type.EncryptedClient} */
+export class EncryptedClient implements Type.EncryptedClient {
+    /**
+     * @param {import('@storacha/client').Client} storachaClient
+     * @param {Type.CryptoAdapter} cryptoAdapter
+     * @param {import('@lit-protocol/lit-node-client').LitNodeClient} litClient
+     * @param {URL} gatewayURL
+     */
+    constructor(storachaClient: import("@storacha/client").Client, cryptoAdapter: Type.CryptoAdapter, litClient: import("@lit-protocol/lit-node-client").LitNodeClient, gatewayURL: URL);
+    /**
+     * @type {Type.CryptoAdapter}
+     * @protected
+     */
+    protected _cryptoAdapter: Type.CryptoAdapter;
+    /**
+     * @type {import('@storacha/client').Client}
+     * @protected
+     */
+    protected _storachaClient: import("@storacha/client").Client;
+    /**
+     * @type {import('@lit-protocol/lit-node-client').LitNodeClient}
+     * @protected
+     */
+    protected _litClient: import("@lit-protocol/lit-node-client").LitNodeClient;
+    /**
+     * @type {URL}
+     * @protected
+     */
+    protected _gatewayURL: URL;
+    /**
+     * Upload an encrypted file to the Storacha network
+     *
+     * @param {Type.BlobLike} file - The file to upload
+     * @returns {Promise<Type.AnyLink>} - The link to the uploaded file
+     */
+    uploadEncryptedFile(file: Type.BlobLike): Promise<Type.AnyLink>;
+    /**
+     * Retrieve and decrypt a file from the Storacha network
+     *
+     * @param {Wallet} wallet - The wallet to use to decrypt the file
+     * @param {Type.AnyLink} cid - The link to the file to retrieve
+     * @param {Uint8Array} delegationCAR - The delegation that gives permission to decrypt the file
+     * @returns {Promise<ReadableStream>} - The decrypted file
+     */
+    retrieveAndDecryptFile(wallet: Wallet, cid: Type.AnyLink, delegationCAR: Uint8Array): Promise<ReadableStream>;
+}
+export function create(options: Type.EncryptedClientOptions): Promise<EncryptedClient>;
+import * as Type from '../types.js';
+import { Wallet } from 'ethers';
+//# sourceMappingURL=client.d.ts.map

package/dist/core/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/core/client.js"],"names":[],"mappings":"AAQA,yCAAyC;AACzC,wCADiB,IAAI,CAAC,eAAe;IA0BnC;;;;;OAKG;IACH,4BALW,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,aAClB,OAAO,+BAA+B,EAAE,aAAa,cACrD,GAAG,EAOb;IAnCD;;;OAGG;IACH,0BAHU,IAAI,CAAC,aAAa,CAGd;IAEd;;;OAGG;IACH,2BAHU,OAAO,kBAAkB,EAAE,MAAM,CAG5B;IAEf;;;OAGG;IACH,sBAHU,OAAO,+BAA+B,EAAE,aAAa,CAGrD;IAEV;;;OAGG;IACH,uBAHU,GAAG,CAGF;IAeX;;;;;OAKG;IACH,0BAHW,IAAI,CAAC,QAAQ,GACX,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CASjC;IAED;;;;;;;OAOG;IACH,+BALW,MAAM,OACN,IAAI,CAAC,OAAO,iBACZ,UAAU,GACR,OAAO,CAAC,cAAc,CAAC,CAYnC;CACF;AAWM,gCAFI,IAAI,CAAC,sBAAsB,4BAcrC;sBAtGqB,aAAa;uBAFZ,QAAQ"}

package/dist/core/client.js

@@ -0,0 +1,78 @@
+import { Wallet } from 'ethers';
+import * as Type from '../types.js';
+import { getLitClient } from '../protocols/lit.js';
+import { GATEWAY_URL } from '../config/constants.js';
+import { encryptAndUpload } from '../handlers/encrypt-handler.js';
+import { retrieveAndDecrypt } from '../handlers/decrypt-handler.js';
+/** @implements {Type.EncryptedClient} */
+export class EncryptedClient {
+    /**
+     * @type {Type.CryptoAdapter}
+     * @protected
+     */
+    _cryptoAdapter;
+    /**
+     * @type {import('@storacha/client').Client}
+     * @protected
+     */
+    _storachaClient;
+    /**
+     * @type {import('@lit-protocol/lit-node-client').LitNodeClient}
+     * @protected
+     */
+    _litClient;
+    /**
+     * @type {URL}
+     * @protected
+     */
+    _gatewayURL;
+    /**
+     * @param {import('@storacha/client').Client} storachaClient
+     * @param {Type.CryptoAdapter} cryptoAdapter
+     * @param {import('@lit-protocol/lit-node-client').LitNodeClient} litClient
+     * @param {URL} gatewayURL
+     */
+    constructor(storachaClient, cryptoAdapter, litClient, gatewayURL) {
+        this._storachaClient = storachaClient;
+        this._cryptoAdapter = cryptoAdapter;
+        this._litClient = litClient;
+        this._gatewayURL = gatewayURL;
+    }
+    /**
+     * Upload an encrypted file to the Storacha network
+     *
+     * @param {Type.BlobLike} file - The file to upload
+     * @returns {Promise<Type.AnyLink>} - The link to the uploaded file
+     */
+    async uploadEncryptedFile(file) {
+        return encryptAndUpload(this._storachaClient, this._litClient, this._cryptoAdapter, file);
+    }
+    /**
+     * Retrieve and decrypt a file from the Storacha network
+     *
+     * @param {Wallet} wallet - The wallet to use to decrypt the file
+     * @param {Type.AnyLink} cid - The link to the file to retrieve
+     * @param {Uint8Array} delegationCAR - The delegation that gives permission to decrypt the file
+     * @returns {Promise<ReadableStream>} - The decrypted file
+     */
+    async retrieveAndDecryptFile(wallet, cid, delegationCAR) {
+        return retrieveAndDecrypt(this._storachaClient, this._litClient, this._cryptoAdapter, this._gatewayURL, wallet, cid, delegationCAR);
+    }
+}
+/**
+ * Creates a new EncryptClient.
+ *
+ * If no Lit Client is provided, one will be created based on the LIT_NETWORK environment variable, defaulting to "DatilTest" if not set.
+ *
+ * If no Gateway URL is provided, the default value of 'https://w3s.link' will be used.
+ *
+ * @param {Type.EncryptedClientOptions} options
+ */
+export const create = async (options) => {
+    const litClient = options.litClient ?? (await getLitClient());
+    const cryptoAdapter = options.cryptoAdapter;
+    const gatewayURL = options.gatewayURL ?? GATEWAY_URL;
+    const storachaClient = options.storachaClient;
+    return new EncryptedClient(storachaClient, cryptoAdapter, litClient, gatewayURL);
+};
+//# sourceMappingURL=client.js.map

package/dist/core/encrypted-metadata.d.ts

@@ -0,0 +1,28 @@
+export const version: "encrypted-metadata@0.1";
+export const EncryptedMetadataSchema: Schema.VariantSchema<{
+    "encrypted-metadata@0.1": Schema.StructSchema<{
+        encryptedDataCID: Schema.Schema<Link.Link<unknown, number, number, 0 | 1>, any>;
+        identityBoundCiphertext: Schema.Schema<Uint8Array<ArrayBufferLike>, unknown>;
+        plaintextKeyHash: Schema.Schema<Uint8Array<ArrayBufferLike>, unknown>;
+        accessControlConditions: Schema.Schema<Schema.Dictionary<string, unknown>[], unknown>;
+    }, unknown>;
+}, unknown>;
+export const EncryptedMetadataInputSchema: Schema.StructSchema<{
+    encryptedDataCID: Schema.StringSchema<string, unknown>;
+    identityBoundCiphertext: Schema.StringSchema<string, unknown>;
+    plaintextKeyHash: Schema.StringSchema<string, unknown>;
+    accessControlConditions: Schema.Schema<Schema.Dictionary<string, unknown>[], unknown>;
+}, unknown>;
+export function create(encryptedMetadataInput: Types.EncryptedMetadata | Types.EncryptedMetadataInput): Types.EncryptedMetadataView;
+export function toJSON(encryptedMetadata: Types.EncryptedMetadataView): Types.EncryptedMetadataInput;
+export function parse(encryptedMetadataInput: Types.EncryptedMetadataInput): Types.EncryptedMetadata;
+export function archiveBlock(encryptedMetadataInput: Types.EncryptedMetadata): Promise<import("@ucanto/interface").Block>;
+export function archive(encryptedMetadataInput: Types.EncryptedMetadata): Promise<Types.Result<Uint8Array>>;
+export function extract(archive: Uint8Array): Types.Result<Types.EncryptedMetadataView, Types.UnknownFormat>;
+export function view({ root }: {
+    root: Types.IPLDBlock;
+}): Types.Result<Types.EncryptedMetadataView, Types.UnknownFormat>;
+import * as Link from 'multiformats/link';
+import { Schema } from '@ucanto/core';
+import * as Types from '../types.js';
+//# sourceMappingURL=encrypted-metadata.d.ts.map

package/dist/core/encrypted-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-metadata.d.ts","sourceRoot":"","sources":["../../src/core/encrypted-metadata.js"],"names":[],"mappings":"AAUA,sBAAuB,wBAAwB,CAAA;AAE/C;;;;;;;YAUE;AAEF;;;;;YAQE;AA8EK,+CAHI,KAAK,CAAC,iBAAiB,GAAC,KAAK,CAAC,sBAAsB,GAClD,KAAK,CAAC,qBAAqB,CAGO;AAMxC,0CAHI,KAAK,CAAC,qBAAqB,GACzB,KAAK,CAAC,sBAAsB,CASvC;AAMK,8CAHI,KAAK,CAAC,sBAAsB,GAC1B,KAAK,CAAC,iBAAiB,CASlC;AAMK,qDAHI,KAAK,CAAC,iBAAiB,GACrB,OAAO,CAAC,OAAO,mBAAmB,EAAE,KAAK,CAAC,CAOtD;AAMM,gDAHI,KAAK,CAAC,iBAAiB,GACrB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAK7C;AAMM,iCAHI,UAAU,GACR,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,aAAa,CAAC,CAiB1E;AAOM,+BAHJ;IAAgC,IAAI,EAA5B,KAAK,CAAC,SAAS;CACvB,GAAU,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,aAAa,CAAC,CAe1E;sBApMqB,mBAAmB;uBAEF,cAAc;uBAE9B,aAAa"}

package/dist/core/encrypted-metadata.js

@@ -0,0 +1,166 @@
+import { CID } from 'multiformats';
+import * as dagCBOR from '@ipld/dag-cbor';
+import * as Link from 'multiformats/link';
+import { sha256 } from 'multiformats/hashes/sha2';
+import { CAR, ok, error, Schema } from '@ucanto/core';
+import * as Types from '../types.js';
+import { UnknownFormat } from './errors.js';
+import { stringToBytes, bytesToString } from '../utils.js';
+export const version = 'encrypted-metadata@0.1';
+export const EncryptedMetadataSchema = Schema.variant({
+    [version]: Schema.struct({
+        encryptedDataCID: Schema.link(),
+        identityBoundCiphertext: Schema.bytes(),
+        plaintextKeyHash: Schema.bytes(),
+        accessControlConditions: Schema.dictionary({
+            key: Schema.text(),
+            value: Schema.unknown(),
+        }).array(),
+    }),
+});
+export const EncryptedMetadataInputSchema = Schema.struct({
+    encryptedDataCID: Schema.string(),
+    identityBoundCiphertext: Schema.string(),
+    plaintextKeyHash: Schema.string(),
+    accessControlConditions: Schema.dictionary({
+        key: Schema.text(),
+        value: Schema.unknown(),
+    }).array(),
+});
+/** @implements {Types.EncryptedMetadataView} */
+class EncryptedMetadata {
+    #encryptedDataCID;
+    #identityBoundCiphertext;
+    #plaintextKeyHash;
+    #accessControlConditions;
+    /** @param {Types.EncryptedMetadata|Types.EncryptedMetadataInput} encryptedMetadataInput */
+    constructor(encryptedMetadataInput) {
+        /** @type {Types.EncryptedMetadata} */
+        let encryptedMetadata;
+        if (EncryptedMetadataInputSchema.is(encryptedMetadataInput)) {
+            encryptedMetadata = parse(
+            /** @type {Types.EncryptedMetadataInput} */ (encryptedMetadataInput));
+        }
+        else {
+            encryptedMetadata = /** @type {Types.EncryptedMetadata} */ (encryptedMetadataInput);
+        }
+        this.#encryptedDataCID = encryptedMetadata.encryptedDataCID;
+        this.#identityBoundCiphertext = encryptedMetadata.identityBoundCiphertext;
+        this.#plaintextKeyHash = encryptedMetadata.plaintextKeyHash;
+        this.#accessControlConditions =
+            encryptedMetadataInput.accessControlConditions;
+    }
+    get encryptedDataCID() {
+        return this.#encryptedDataCID;
+    }
+    get identityBoundCiphertext() {
+        return this.#identityBoundCiphertext;
+    }
+    get plaintextKeyHash() {
+        return this.#plaintextKeyHash;
+    }
+    get accessControlConditions() {
+        return this.#accessControlConditions;
+    }
+    archive() {
+        /** @type {Types.EncryptedMetadata} */
+        const input = {
+            encryptedDataCID: this.encryptedDataCID,
+            identityBoundCiphertext: this.identityBoundCiphertext,
+            plaintextKeyHash: this.plaintextKeyHash,
+            accessControlConditions: this.accessControlConditions,
+        };
+        return archive(input);
+    }
+    archiveBlock() {
+        /** @type {Types.EncryptedMetadata} */
+        const input = {
+            encryptedDataCID: this.encryptedDataCID,
+            identityBoundCiphertext: this.identityBoundCiphertext,
+            plaintextKeyHash: this.plaintextKeyHash,
+            accessControlConditions: this.accessControlConditions,
+        };
+        return archiveBlock(input);
+    }
+    /** @returns {Types.EncryptedMetadataInput} */
+    toJSON() {
+        return toJSON(this);
+    }
+}
+/**
+ * @param {Types.EncryptedMetadata|Types.EncryptedMetadataInput} encryptedMetadataInput
+ * @returns {Types.EncryptedMetadataView}
+ */
+export const create = (encryptedMetadataInput) => new EncryptedMetadata(encryptedMetadataInput);
+/**
+ * @param {Types.EncryptedMetadataView} encryptedMetadata
+ * @returns {Types.EncryptedMetadataInput}
+ */
+export const toJSON = (encryptedMetadata) => ({
+    encryptedDataCID: encryptedMetadata.encryptedDataCID.toString(),
+    identityBoundCiphertext: bytesToString(encryptedMetadata.identityBoundCiphertext),
+    plaintextKeyHash: bytesToString(encryptedMetadata.plaintextKeyHash),
+    accessControlConditions: encryptedMetadata.accessControlConditions,
+});
+/**
+ * @param {Types.EncryptedMetadataInput} encryptedMetadataInput
+ * @returns {Types.EncryptedMetadata}
+ */
+export const parse = (encryptedMetadataInput) => ({
+    encryptedDataCID: CID.parse(encryptedMetadataInput.encryptedDataCID),
+    identityBoundCiphertext: stringToBytes(encryptedMetadataInput.identityBoundCiphertext),
+    plaintextKeyHash: stringToBytes(encryptedMetadataInput.plaintextKeyHash),
+    accessControlConditions: encryptedMetadataInput.accessControlConditions,
+});
+/**
+ * @param {Types.EncryptedMetadata} encryptedMetadataInput
+ * @returns {Promise<import('@ucanto/interface').Block>}
+ */
+export const archiveBlock = async (encryptedMetadataInput) => {
+    const bytes = dagCBOR.encode({ [version]: encryptedMetadataInput });
+    const digest = await sha256.digest(bytes);
+    const cid = Link.create(dagCBOR.code, digest);
+    return { cid, bytes };
+};
+/**
+ * @param {Types.EncryptedMetadata} encryptedMetadataInput
+ * @returns {Promise<Types.Result<Uint8Array>>}
+ */
+export const archive = async (encryptedMetadataInput) => {
+    const block = await archiveBlock(encryptedMetadataInput);
+    return ok(CAR.encode({ roots: [block] }));
+};
+/**
+ * @param {Uint8Array} archive
+ * @returns {Types.Result<Types.EncryptedMetadataView, Types.UnknownFormat>}
+ */
+export const extract = (archive) => {
+    const { roots } = CAR.decode(archive);
+    if (!roots.length) {
+        return error(new UnknownFormat('missing root block'));
+    }
+    const { code } = roots[0].cid;
+    if (code !== dagCBOR.code) {
+        return error(new UnknownFormat(`unexpected root CID codec: 0x${code.toString(16)}`));
+    }
+    return view({ root: roots[0] });
+};
+/**
+ * @param {object} source
+ * @param {Types.IPLDBlock} source.root
+ * @returns {Types.Result<Types.EncryptedMetadataView, Types.UnknownFormat>}
+ */
+export const view = ({ root }) => {
+    const value = dagCBOR.decode(root.bytes);
+    const [version, encryptedMetadataData] = EncryptedMetadataSchema.match(value);
+    switch (version) {
+        case version: {
+            const encryptedMetadata = create(
+            /** @type {Types.EncryptedMetadata}*/ (encryptedMetadataData));
+            return ok(encryptedMetadata);
+        }
+        default:
+            return error(new UnknownFormat(`unknown index version: ${version}`));
+    }
+};
+//# sourceMappingURL=encrypted-metadata.js.map

package/dist/core/errors.d.ts

@@ -0,0 +1,8 @@
+export class UnknownFormat extends Failure {
+    /** @param {string} [reason] */
+    constructor(reason?: string);
+    name: "UnknownFormat";
+    #private;
+}
+import { Failure } from '@ucanto/core';
+//# sourceMappingURL=errors.d.ts.map

package/dist/core/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/core/errors.js"],"names":[],"mappings":"AAEA;IAGE,+BAA+B;IAC/B,qBADY,MAAM,EAKjB;IAFC,sBAAkD;;CAOrD;wBAfuB,cAAc"}

package/dist/core/errors.js

@@ -0,0 +1,14 @@
+import { Failure } from '@ucanto/core';
+export class UnknownFormat extends Failure {
+    #reason;
+    /** @param {string} [reason] */
+    constructor(reason) {
+        super();
+        this.name = /** @type {const} */ ('UnknownFormat');
+        this.#reason = reason;
+    }
+    describe() {
+        return this.#reason ?? 'unknown format';
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/crypto-adapters/node-crypto-adapter.d.ts

@@ -0,0 +1,17 @@
+/** @implements {Type.CryptoAdapter} */
+export class NodeCryptoAdapter implements Type.CryptoAdapter {
+    /** @param {Type.BlobLike} data  */
+    encryptStream(data: Type.BlobLike): {
+        key: Buffer<ArrayBufferLike>;
+        iv: Buffer<ArrayBufferLike>;
+        encryptedStream: ReadableStream<any>;
+    };
+    /**
+     * @param {ReadableStream} encryptedData
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     */
+    decryptStream(encryptedData: ReadableStream, key: Uint8Array, iv: Uint8Array): ReadableStream<any>;
+}
+import * as Type from '../types.js';
+//# sourceMappingURL=node-crypto-adapter.d.ts.map

package/dist/crypto-adapters/node-crypto-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-crypto-adapter.d.ts","sourceRoot":"","sources":["../../src/crypto-adapters/node-crypto-adapter.js"],"names":[],"mappings":"AAMA,uCAAuC;AACvC,0CADiB,IAAI,CAAC,aAAa;IAEjC,mCAAmC;IACnC,oBADY,IAAI,CAAC,QAAQ;;;;MA+BxB;IAED;;;;OAIG;IACH,6BAJW,cAAc,OACd,UAAU,MACV,UAAU,uBA8BpB;CACF;sBAzEqB,aAAa"}

package/dist/crypto-adapters/node-crypto-adapter.js

@@ -0,0 +1,66 @@
+import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';
+import * as Type from '../types.js';
+const ENCRYPTION_ALGORITHM = 'aes-256-cbc';
+/** @implements {Type.CryptoAdapter} */
+export class NodeCryptoAdapter {
+    /** @param {Type.BlobLike} data  */
+    encryptStream(data) {
+        const symmetricKey = randomBytes(32); // 256 bits for AES-256
+        const initializationVector = randomBytes(16); // 16 bytes for AES
+        const cipher = createCipheriv(ENCRYPTION_ALGORITHM, symmetricKey, initializationVector);
+        const encryptStream = new TransformStream({
+            transform: async (chunk, controller) => {
+                const encryptedChunk = cipher.update(chunk);
+                if (encryptedChunk.length) {
+                    controller.enqueue(encryptedChunk);
+                }
+            },
+            flush: (controller) => {
+                const final = cipher.final();
+                if (final.length) {
+                    controller.enqueue(final);
+                }
+            },
+        });
+        return {
+            key: symmetricKey,
+            iv: initializationVector,
+            encryptedStream: data.stream().pipeThrough(encryptStream),
+        };
+    }
+    /**
+     * @param {ReadableStream} encryptedData
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     */
+    decryptStream(encryptedData, key, iv) {
+        const decipher = createDecipheriv(ENCRYPTION_ALGORITHM, key, iv);
+        const decryptor = new TransformStream({
+            async transform(chunk, controller) {
+                try {
+                    const decryptedChunk = decipher.update(chunk);
+                    if (decryptedChunk.length > 0) {
+                        controller.enqueue(decryptedChunk);
+                    }
+                }
+                catch (err) {
+                    controller.error(err);
+                }
+            },
+            flush(controller) {
+                try {
+                    const finalChunk = decipher.final();
+                    if (finalChunk.length > 0) {
+                        controller.enqueue(finalChunk);
+                    }
+                    controller.terminate();
+                }
+                catch (err) {
+                    controller.error(err);
+                }
+            },
+        });
+        return encryptedData.pipeThrough(decryptor);
+    }
+}
+//# sourceMappingURL=node-crypto-adapter.js.map

package/dist/handlers/decrypt-handler.d.ts

@@ -0,0 +1,11 @@
+/**
+ * @param {Type.CryptoAdapter} cryptoAdapter - The crypto adapter responsible for performing
+ * encryption and decryption operations.
+ * @param {string} combinedKey
+ * @param {Uint8Array} content
+ */
+export function decryptFileWithKey(cryptoAdapter: Type.CryptoAdapter, combinedKey: string, content: Uint8Array): ReadableStream<any>;
+export function retrieveAndDecrypt(storachaClient: import("@storacha/client").Client, litClient: import("@lit-protocol/lit-node-client").LitNodeClient, cryptoAdapter: Type.CryptoAdapter, gatewayURL: URL, wallet: Wallet, cid: Type.AnyLink, delegationCAR: Uint8Array): Promise<ReadableStream<any>>;
+import * as Type from '../types.js';
+import { Wallet } from 'ethers';
+//# sourceMappingURL=decrypt-handler.d.ts.map

package/dist/handlers/decrypt-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/decrypt-handler.js"],"names":[],"mappings":"AAsFA;;;;;GAKG;AACH,kDALW,IAAI,CAAC,aAAa,eAElB,MAAM,WACN,UAAU,uBAuBpB;AA1FM,mDATI,OAAO,kBAAkB,EAAE,MAAM,aACjC,OAAO,+BAA+B,EAAE,aAAa,iBACrD,IAAI,CAAC,aAAa,cAElB,GAAG,UACH,MAAM,OACN,IAAI,CAAC,OAAO,iBACZ,UAAU,gCA+DpB;sBA5EqB,aAAa;uBARZ,QAAQ"}