@storacha/encrypt-upload-client 1.0.1 → 1.1.0

package/dist/core/client.d.ts

@@ -34,11 +34,10 @@ export class EncryptedClient implements Type.EncryptedClient {
      * Retrieve and decrypt a file from the Storacha network
      *
      * @param {Type.AnyLink} cid - The link to the file to retrieve
-     * @param {Uint8Array} delegationCAR - The delegation that gives permission to decrypt (required for both strategies)
-     * @param {Type.DecryptionOptions} decryptionOptions - User-provided decryption options
-     * @returns {Promise<ReadableStream>} - The decrypted file
+     * @param {Type.DecryptionConfig} decryptionConfig - User-provided decryption config
+     * @returns {Promise<Type.DecryptionResult>} - The decrypted file with metadata
      */
-    retrieveAndDecryptFile(cid: Type.AnyLink, delegationCAR: Uint8Array, decryptionOptions: Type.DecryptionOptions): Promise<ReadableStream>;
+    retrieveAndDecryptFile(cid: Type.AnyLink, decryptionConfig: Type.DecryptionConfig): Promise<Type.DecryptionResult>;
 }
 export function create(options: Type.EncryptedClientOptions): Promise<EncryptedClient>;
 import * as Type from '../types.js';

package/dist/core/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/core/client.js"],"names":[],"mappings":"AAKA,yCAAyC;AACzC,wCADiB,IAAI,CAAC,eAAe;IAoBnC;;;;OAIG;IACH,4BAJW,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,cAClB,GAAG,EAMb;IA3BD;;;OAGG;IACH,0BAHU,IAAI,CAAC,aAAa,CAGd;IAEd;;;OAGG;IACH,2BAHU,OAAO,kBAAkB,EAAE,MAAM,CAG5B;IAEf;;;OAGG;IACH,uBAHU,GAAG,CAGF;IAaX;;;;;;;OAOG;IACH,2BALW,IAAI,CAAC,QAAQ,oBACb,IAAI,CAAC,gBAAgB,kBACrB,IAAI,CAAC,aAAa,GAChB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAUjC;IAED;;;;;;;OAOG;IACH,4BALW,IAAI,CAAC,OAAO,iBACZ,UAAU,qBACV,IAAI,CAAC,iBAAiB,GACpB,OAAO,CAAC,cAAc,CAAC,CAWnC;CACF;AASM,gCAFI,IAAI,CAAC,sBAAsB,4BAQrC;sBAvFqB,aAAa"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/core/client.js"],"names":[],"mappings":"AAKA,yCAAyC;AACzC,wCADiB,IAAI,CAAC,eAAe;IAoBnC;;;;OAIG;IACH,4BAJW,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,cAClB,GAAG,EAMb;IA3BD;;;OAGG;IACH,0BAHU,IAAI,CAAC,aAAa,CAGd;IAEd;;;OAGG;IACH,2BAHU,OAAO,kBAAkB,EAAE,MAAM,CAG5B;IAEf;;;OAGG;IACH,uBAHU,GAAG,CAGF;IAaX;;;;;;;OAOG;IACH,2BALW,IAAI,CAAC,QAAQ,oBACb,IAAI,CAAC,gBAAgB,kBACrB,IAAI,CAAC,aAAa,GAChB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAUjC;IAED;;;;;;OAMG;IACH,4BAJW,IAAI,CAAC,OAAO,oBACZ,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAU1C;CACF;AASM,gCAFI,IAAI,CAAC,sBAAsB,4BAQrC;sBArFqB,aAAa"}

package/dist/core/client.js

@@ -44,12 +44,11 @@ export class EncryptedClient {
      * Retrieve and decrypt a file from the Storacha network
      *
      * @param {Type.AnyLink} cid - The link to the file to retrieve
-     * @param {Uint8Array} delegationCAR - The delegation that gives permission to decrypt (required for both strategies)
-     * @param {Type.DecryptionOptions} decryptionOptions - User-provided decryption options
-     * @returns {Promise<ReadableStream>} - The decrypted file
+     * @param {Type.DecryptionConfig} decryptionConfig - User-provided decryption config
+     * @returns {Promise<Type.DecryptionResult>} - The decrypted file with metadata
      */
-    async retrieveAndDecryptFile(cid, delegationCAR, decryptionOptions) {
-        return retrieveAndDecrypt(this._storachaClient, this._cryptoAdapter, this._gatewayURL, cid, delegationCAR, decryptionOptions);
+    async retrieveAndDecryptFile(cid, decryptionConfig) {
+        return retrieveAndDecrypt(this._storachaClient, this._cryptoAdapter, this._gatewayURL, cid, decryptionConfig);
     }
 }
 /**

package/dist/crypto/adapters/kms-crypto-adapter.d.ts

@@ -48,17 +48,15 @@ export class KMSCryptoAdapter implements Type.CryptoAdapter {
     /**
      * @param {string} encryptedKey
      * @param {object} configs
-     * @param {Type.DecryptionOptions} configs.decryptionOptions
+     * @param {Type.DecryptionConfig} configs.decryptionConfig
      * @param {Type.ExtractedMetadata} configs.metadata
-     * @param {Uint8Array} configs.delegationCAR
      * @param {Type.AnyLink} configs.resourceCID
      * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer
      * @param {import('@storacha/client/types').DID} configs.audience
      */
     decryptSymmetricKey(encryptedKey: string, configs: {
-        decryptionOptions: Type.DecryptionOptions;
+        decryptionConfig: Type.DecryptionConfig;
         metadata: Type.ExtractedMetadata;
-        delegationCAR: Uint8Array;
         resourceCID: Type.AnyLink;
         issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>;
         audience: import("@storacha/client/types").DID;
@@ -71,11 +69,12 @@ export class KMSCryptoAdapter implements Type.CryptoAdapter {
      *
      * @param {string} encryptedSymmetricKey - The encrypted symmetric key (base64-encoded)
      * @param {Type.SpaceDID} spaceDID - The space DID
-     * @param {import('@ucanto/interface').Proof} delegationProof - The delegation proof
+     * @param {import('@ucanto/interface').Proof} decryptionProof - The decryption delegation proof
+     * @param {import('@ucanto/interface').Proof[]} proofs - The proofs to access the space
      * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} issuer - The issuer
      * @returns {Promise<{decryptedSymmetricKey: string}>} - The decrypted symmetric key (base64-encoded)
      */
-    getDecryptedSymmetricKey(encryptedSymmetricKey: string, spaceDID: Type.SpaceDID, delegationProof: import("@ucanto/interface").Proof, issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>): Promise<{
+    getDecryptedSymmetricKey(encryptedSymmetricKey: string, spaceDID: Type.SpaceDID, decryptionProof: import("@ucanto/interface").Proof, proofs: import("@ucanto/interface").Proof[], issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>): Promise<{
         decryptedSymmetricKey: string;
     }>;
     /**

package/dist/crypto/adapters/kms-crypto-adapter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"kms-crypto-adapter.d.ts","sourceRoot":"","sources":["../../../src/crypto/adapters/kms-crypto-adapter.js"],"names":[],"mappings":"AAWA;;;;;;;GAOG;AACH,yCAFgB,IAAI,CAAC,aAAa;IAGhC;;;;;;;;OAQG;IACH,6BANW,IAAI,CAAC,eAAe,wBACpB,GAAG,GAAC,MAAM,wBACV,OAAO,MAAM,IAAI,MAAM,EAAE,YAEjC;QAA0B,iBAAiB;KAC7C,EA0BA;IAnBC,sCAAsC;IAiBtC,0BAA+B;IAC/B,wFAA2D;IAG7D;;;;OAIG;IACH,oBAFW,IAAI,CAAC,QAAQ,+BAIvB;IAED;;;;;;OAMG;IACH,6BAJW,cAAc,OACd,UAAU,MACV,UAAU,gCAIpB;IAED;;;;;;;OAOG;IACH,yBALW,UAAU,MACV,UAAU,oBACV,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CA4B5C;IAED;;;;;;;;;OASG;IACH,kCATW,MAAM,WAEd;QAAwC,iBAAiB,EAAjD,IAAI,CAAC,iBAAiB;QACU,QAAQ,EAAxC,IAAI,CAAC,iBAAiB;QACF,aAAa,EAAjC,UAAU;QACY,WAAW,EAAjC,IAAI,CAAC,OAAO;QACoH,MAAM,EAAtI,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC;QACxE,QAAQ,EAAtD,OAAO,wBAAwB,EAAE,GAAG;KAC9C;;;OA4BA;IAED;;;;;;;;OAQG;IACH,gDANW,MAAM,YACN,IAAI,CAAC,QAAQ,mBACb,OAAO,mBAAmB,EAAE,KAAK,UACjC,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC,GACpH,OAAO,CAAC;QAAC,qBAAqB,EAAE,MAAM,CAAA;KAAC,CAAC,CA4BpD;IAED;;;;;;OAMG;IACH,8BAHW,UAAU,GACR,IAAI,CAAC,iBAAiB,CAiClC;IAED;;;OAGG;IACH,0BAHW,IAAI,CAAC,iBAAiB,GACpB,MAAM,CASlB;IAED;;;;;;;OAOG;IACH,iCALW,MAAM,gBACN,MAAM,YACN,IAAI,CAAC,cAAc,GACjB,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,+BAA+B,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAoBhG;IAED;;;;;OAKG;IACH,oCAHW,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAyB/E;IAED;;;;OAIG;IACH,mBAFa,YAAY,CAWxB;IAED;;;;;;OAMG;IACH,8BAJW,UAAU,gBACV,MAAM,GACJ,OAAO,CAAC,UAAU,CAAC,CAyB/B;IAED;;;;;OAKG;IACH,sBAHW,MAAM,GACJ,WAAW,CA6BvB;IAED,kFASC;IAED;;;;;OAKG;IACH,sCAHW,IAAI,CAAC,QAAQ,GACX,MAAM,CAIlB;CACF;sBAhZqB,gBAAgB"}
+{"version":3,"file":"kms-crypto-adapter.d.ts","sourceRoot":"","sources":["../../../src/crypto/adapters/kms-crypto-adapter.js"],"names":[],"mappings":"AAWA;;;;;;;GAOG;AACH,yCAFgB,IAAI,CAAC,aAAa;IAGhC;;;;;;;;OAQG;IACH,6BANW,IAAI,CAAC,eAAe,wBACpB,GAAG,GAAC,MAAM,wBACV,OAAO,MAAM,IAAI,MAAM,EAAE,YAEjC;QAA0B,iBAAiB;KAC7C,EA0BA;IAnBC,sCAAsC;IAiBtC,0BAA+B;IAC/B,wFAA2D;IAG7D;;;;OAIG;IACH,oBAFW,IAAI,CAAC,QAAQ,+BAIvB;IAED;;;;;;OAMG;IACH,6BAJW,cAAc,OACd,UAAU,MACV,UAAU,gCAIpB;IAED;;;;;;;OAOG;IACH,yBALW,UAAU,MACV,UAAU,oBACV,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CA4B5C;IAED;;;;;;;;OAQG;IACH,kCARW,MAAM,WAEd;QAAuC,gBAAgB,EAA/C,IAAI,CAAC,gBAAgB;QACW,QAAQ,EAAxC,IAAI,CAAC,iBAAiB;QACA,WAAW,EAAjC,IAAI,CAAC,OAAO;QACoH,MAAM,EAAtI,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC;QACxE,QAAQ,EAAtD,OAAO,wBAAwB,EAAE,GAAG;KAC9C;;;OA6BA;IAED;;;;;;;;;OASG;IACH,gDAPW,MAAM,YACN,IAAI,CAAC,QAAQ,mBACb,OAAO,mBAAmB,EAAE,KAAK,UACjC,OAAO,mBAAmB,EAAE,KAAK,EAAE,UACnC,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC,GACpH,OAAO,CAAC;QAAC,qBAAqB,EAAE,MAAM,CAAA;KAAC,CAAC,CAgCpD;IAED;;;;;;OAMG;IACH,8BAHW,UAAU,GACR,IAAI,CAAC,iBAAiB,CAiClC;IAED;;;OAGG;IACH,0BAHW,IAAI,CAAC,iBAAiB,GACpB,MAAM,CASlB;IAED;;;;;;;OAOG;IACH,iCALW,MAAM,gBACN,MAAM,YACN,IAAI,CAAC,cAAc,GACjB,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,+BAA+B,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAoBhG;IAED;;;;;OAKG;IACH,oCAHW,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CA6B/E;IAED;;;;OAIG;IACH,mBAFa,YAAY,CAWxB;IAED;;;;;;OAMG;IACH,8BAJW,UAAU,gBACV,MAAM,GACJ,OAAO,CAAC,UAAU,CAAC,CAyB/B;IAED;;;;;OAKG;IACH,sBAHW,MAAM,GACJ,WAAW,CA6BvB;IAED,kFASC;IAED;;;;;OAKG;IACH,sCAHW,IAAI,CAAC,QAAQ,GACX,MAAM,CAIlB;CACF;sBAzZqB,gBAAgB"}

package/dist/crypto/adapters/kms-crypto-adapter.js

@@ -88,28 +88,27 @@ export class KMSCryptoAdapter {
     /**
      * @param {string} encryptedKey
      * @param {object} configs
-     * @param {Type.DecryptionOptions} configs.decryptionOptions
+     * @param {Type.DecryptionConfig} configs.decryptionConfig
      * @param {Type.ExtractedMetadata} configs.metadata
-     * @param {Uint8Array} configs.delegationCAR
      * @param {Type.AnyLink} configs.resourceCID
      * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer
      * @param {import('@storacha/client/types').DID} configs.audience
      */
     async decryptSymmetricKey(encryptedKey, configs) {
         // Step 1: Validate configs
-        const { decryptionOptions, metadata, issuer } = configs;
+        const { decryptionConfig, metadata, issuer } = configs;
         if (metadata.strategy !== 'kms') {
             throw new Error('KMSCryptoAdapter can only handle KMS metadata');
         }
-        const { spaceDID, delegationProof } = decryptionOptions;
-        if (!spaceDID || !delegationProof) {
-            throw new Error('SpaceDID and delegationProof are required');
+        const { spaceDID, decryptDelegation } = decryptionConfig;
+        if (!spaceDID || !decryptDelegation) {
+            throw new Error('SpaceDID and decryptDelegation are required');
         }
         if (!issuer) {
             throw new Error('Issuer is required');
         }
         // Step 2: Get the decrypted key from KMS via gateway
-        const { decryptedSymmetricKey } = await this.getDecryptedSymmetricKey(encryptedKey, spaceDID, delegationProof, issuer);
+        const { decryptedSymmetricKey } = await this.getDecryptedSymmetricKey(encryptedKey, spaceDID, decryptDelegation, configs.decryptionConfig.proofs || [], issuer);
         // Step 3: Decode and split the combined key and IV
         const combinedKeyAndIV = base64.decode(decryptedSymmetricKey);
         return this.symmetricCrypto.splitKeyAndIV(combinedKeyAndIV);
@@ -119,11 +118,12 @@ export class KMSCryptoAdapter {
      *
      * @param {string} encryptedSymmetricKey - The encrypted symmetric key (base64-encoded)
      * @param {Type.SpaceDID} spaceDID - The space DID
-     * @param {import('@ucanto/interface').Proof} delegationProof - The delegation proof
+     * @param {import('@ucanto/interface').Proof} decryptionProof - The decryption delegation proof
+     * @param {import('@ucanto/interface').Proof[]} proofs - The proofs to access the space
      * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} issuer - The issuer
      * @returns {Promise<{decryptedSymmetricKey: string}>} - The decrypted symmetric key (base64-encoded)
      */
-    async getDecryptedSymmetricKey(encryptedSymmetricKey, spaceDID, delegationProof, issuer) {
+    async getDecryptedSymmetricKey(encryptedSymmetricKey, spaceDID, decryptionProof, proofs, issuer) {
         // Step 1: Invoke the KeyDecrypt capability passing the decryption proof
         const result = await EncryptionKeyDecrypt.invoke({
             issuer,
@@ -132,13 +132,17 @@ export class KMSCryptoAdapter {
             nb: {
                 key: base64.decode(encryptedSymmetricKey), // Convert base64 string to bytes
             },
-            proofs: [delegationProof],
+            proofs: proofs ? [...proofs, decryptionProof] : [decryptionProof],
         }).execute(this.newKeyManagerServiceConnection());
         // Step 2: Handle the result
         if (result.out.error) {
-            throw new Error(`KMS decryption failed: ${JSON.stringify(result.out.error)}`);
+            // Only show the error message, not the full error object with stack trace
+            const errorMessage = result.out.error.message ||
+                result.out.error.name ||
+                'KMS decryption failed';
+            throw new Error(errorMessage);
         }
-        // Step 3: Return the base64-encoded decrypted key from the gateway response
+        // Step 3: Return the multibase-encoded decrypted key from the gateway response
         return /** @type {{decryptedSymmetricKey: string}} */ (result.out.ok);
     }
     /**
@@ -226,10 +230,15 @@ export class KMSCryptoAdapter {
                 location: encryptionConfig.location,
                 keyring: encryptionConfig.keyring,
             },
+            proofs: encryptionConfig.proofs,
         }).execute(this.newKeyManagerServiceConnection());
         // Step 2: Handle the result
         if (setupResult.out.error) {
-            throw new Error(`Failed to get public key: ${JSON.stringify(setupResult.out.error)}`);
+            // Only show the error message, not the full error object with stack trace to avoid leaking information
+            const errorMessage = setupResult.out.error.message ||
+                setupResult.out.error.name ||
+                'Encryption setup failed';
+            throw new Error(errorMessage);
         }
         // Step 3: Return the public key and key reference
         return /** @type {{ publicKey: string, provider: string, algorithm: string }} */ (setupResult.out.ok);

package/dist/crypto/adapters/lit-crypto-adapter.d.ts

@@ -46,18 +46,18 @@ export class LitCryptoAdapter implements Type.CryptoAdapter {
      *
      * @param {string} encryptedKey - The encrypted key to decrypt
      * @param {object} configs - The decryption configuration
-     * @param {Type.DecryptionOptions} configs.decryptionOptions - The decryption options
+     * @param {Type.DecryptionConfig} configs.decryptionConfig - The decryption config
      * @param {Type.ExtractedMetadata} configs.metadata - The extracted metadata
-     * @param {Uint8Array} configs.delegationCAR - The delegation CAR
+     * @param {import('@ucanto/interface').Proof} configs.decryptDelegation - The delegation that gives permission to decrypt (required for both strategies)
      * @param {Type.AnyLink} configs.resourceCID - The resource CID
      * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer - The issuer
      * @param {import('@storacha/client/types').DID} configs.audience - The audience
      * @returns {Promise<{ key: Uint8Array, iv: Uint8Array }>} - The decrypted key and IV
      */
     decryptSymmetricKey(encryptedKey: string, configs: {
-        decryptionOptions: Type.DecryptionOptions;
+        decryptionConfig: Type.DecryptionConfig;
         metadata: Type.ExtractedMetadata;
-        delegationCAR: Uint8Array;
+        decryptDelegation: import("@ucanto/interface").Proof;
         resourceCID: Type.AnyLink;
         issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>;
         audience: import("@storacha/client/types").DID;

package/dist/crypto/adapters/lit-crypto-adapter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lit-crypto-adapter.d.ts","sourceRoot":"","sources":["../../../src/crypto/adapters/lit-crypto-adapter.js"],"names":[],"mappings":"AAMA;;;;;;;GAOG;AACH,yCAFgB,IAAI,CAAC,aAAa;IAGhC;;;;;OAKG;IACH,6BAHW,IAAI,CAAC,eAAe,aACpB,OAAO,+BAA+B,EAAE,aAAa,EAK/D;IAFC,sCAAsC;IACtC,iEAA0B;IAG5B;;;;;OAKG;IACH,oBAHW,IAAI,CAAC,QAAQ,GACX,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAIvC;IAED;;;;;;;OAOG;IACH,6BALW,cAAc,OACd,UAAU,MACV,UAAU,GACR,OAAO,CAAC,cAAc,CAAC,CAInC;IAED;;;;;;;OAOG;IACH,yBALW,UAAU,MACV,UAAU,oBACV,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAgC5C;IAED;;;;;;;;;;;;OAYG;IACH,kCAVW,MAAM,WAEd;QAAwC,iBAAiB,EAAjD,IAAI,CAAC,iBAAiB;QACU,QAAQ,EAAxC,IAAI,CAAC,iBAAiB;QACF,aAAa,EAAjC,UAAU;QACY,WAAW,EAAjC,IAAI,CAAC,OAAO;QACoH,MAAM,EAAtI,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC;QACxE,QAAQ,EAAtD,OAAO,wBAAwB,EAAE,GAAG;KAC5C,GAAU,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAAC,CAsFxD;IAED;;;;;OAKG;IACH,8BAHW,UAAU,GACR,IAAI,CAAC,iBAAiB,CA4BlC;IAED;;;;;OAKG;IACH,0BAHW,IAAI,CAAC,iBAAiB,GACpB,MAAM,CAOlB;IAED;;;;;;;OAOG;IACH,iCALW,MAAM,gBACN,MAAM,YACN,IAAI,CAAC,cAAc,GACjB,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,+BAA+B,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAehG;CACF;sBA5PqB,gBAAgB"}
+{"version":3,"file":"lit-crypto-adapter.d.ts","sourceRoot":"","sources":["../../../src/crypto/adapters/lit-crypto-adapter.js"],"names":[],"mappings":"AAMA;;;;;;;GAOG;AACH,yCAFgB,IAAI,CAAC,aAAa;IAGhC;;;;;OAKG;IACH,6BAHW,IAAI,CAAC,eAAe,aACpB,OAAO,+BAA+B,EAAE,aAAa,EAK/D;IAFC,sCAAsC;IACtC,iEAA0B;IAG5B;;;;;OAKG;IACH,oBAHW,IAAI,CAAC,QAAQ,GACX,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAIvC;IAED;;;;;;;OAOG;IACH,6BALW,cAAc,OACd,UAAU,MACV,UAAU,GACR,OAAO,CAAC,cAAc,CAAC,CAInC;IAED;;;;;;;OAOG;IACH,yBALW,UAAU,MACV,UAAU,oBACV,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAgC5C;IAED;;;;;;;;;;;;OAYG;IACH,kCAVW,MAAM,WAEd;QAAuC,gBAAgB,EAA/C,IAAI,CAAC,gBAAgB;QACW,QAAQ,EAAxC,IAAI,CAAC,iBAAiB;QACqB,iBAAiB,EAA5D,OAAO,mBAAmB,EAAE,KAAK;QACX,WAAW,EAAjC,IAAI,CAAC,OAAO;QACoH,MAAM,EAAtI,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC;QACxE,QAAQ,EAAtD,OAAO,wBAAwB,EAAE,GAAG;KAC5C,GAAU,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAAC,CAgFxD;IAED;;;;;OAKG;IACH,8BAHW,UAAU,GACR,IAAI,CAAC,iBAAiB,CA4BlC;IAED;;;;;OAKG;IACH,0BAHW,IAAI,CAAC,iBAAiB,GACpB,MAAM,CAOlB;IAED;;;;;;;OAOG;IACH,iCALW,MAAM,gBACN,MAAM,YACN,IAAI,CAAC,cAAc,GACjB,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,+BAA+B,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAehG;CACF;sBAtPqB,gBAAgB"}

package/dist/crypto/adapters/lit-crypto-adapter.js

@@ -78,16 +78,16 @@ export class LitCryptoAdapter {
      *
      * @param {string} encryptedKey - The encrypted key to decrypt
      * @param {object} configs - The decryption configuration
-     * @param {Type.DecryptionOptions} configs.decryptionOptions - The decryption options
+     * @param {Type.DecryptionConfig} configs.decryptionConfig - The decryption config
      * @param {Type.ExtractedMetadata} configs.metadata - The extracted metadata
-     * @param {Uint8Array} configs.delegationCAR - The delegation CAR
+     * @param {import('@ucanto/interface').Proof} configs.decryptDelegation - The delegation that gives permission to decrypt (required for both strategies)
      * @param {Type.AnyLink} configs.resourceCID - The resource CID
      * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer - The issuer
      * @param {import('@storacha/client/types').DID} configs.audience - The audience
      * @returns {Promise<{ key: Uint8Array, iv: Uint8Array }>} - The decrypted key and IV
      */
     async decryptSymmetricKey(encryptedKey, configs) {
-        const { decryptionOptions, metadata, delegationCAR, resourceCID, issuer, audience, } = configs;
+        const { decryptionConfig, metadata, resourceCID, issuer, audience } = configs;
         // Validate Lit metadata
         if (metadata.strategy !== 'lit') {
             throw new Error('LitCryptoAdapter can only handle Lit metadata');
@@ -96,26 +96,26 @@ export class LitCryptoAdapter {
         // Step 1. Extract spaceDID from access control conditions
         const spaceDID = /** @type {Type.SpaceDID} */ (accessControlConditions[0].parameters[1]);
         // Step 2. Create session signatures if not provided
-        let sessionSigs = decryptionOptions.sessionSigs;
+        let sessionSigs = decryptionConfig.sessionSigs;
         if (!sessionSigs) {
             const acc = 
             /** @type import('@lit-protocol/types').AccessControlConditions */ (
             /** @type {unknown} */ (accessControlConditions));
             const expiration = new Date(Date.now() + 1000 * 60 * 5).toISOString(); // 5 min
             // Step 2.1. Create session signatures for the wallet if provided
-            if (decryptionOptions.wallet) {
+            if (decryptionConfig.wallet) {
                 sessionSigs = await Lit.getSessionSigs(this.litClient, {
-                    wallet: decryptionOptions.wallet,
+                    wallet: decryptionConfig.wallet,
                     dataToEncryptHash: plaintextKeyHash,
                     expiration,
                     accessControlConditions: acc,
                 });
             }
             // Step 2.2. Otherwise, create session signatures for the PKP if provided
-            else if (decryptionOptions.pkpPublicKey && decryptionOptions.authMethod) {
+            else if (decryptionConfig.pkpPublicKey && decryptionConfig.authMethod) {
                 sessionSigs = await Lit.getPkpSessionSigs(this.litClient, {
-                    pkpPublicKey: decryptionOptions.pkpPublicKey,
-                    authMethod: decryptionOptions.authMethod,
+                    pkpPublicKey: decryptionConfig.pkpPublicKey,
+                    authMethod: decryptionConfig.authMethod,
                     dataToEncryptHash: plaintextKeyHash,
                     expiration,
                     accessControlConditions: acc,
@@ -127,7 +127,7 @@ export class LitCryptoAdapter {
         }
         // Step 3. Create wrapped UCAN invocation
         const wrappedInvocationJSON = await createDecryptWrappedInvocation({
-            delegationCAR,
+            decryptDelegation: decryptionConfig.decryptDelegation,
             spaceDID,
             resourceCID,
             issuer,

package/dist/crypto/factories.browser.d.ts

@@ -5,7 +5,11 @@
  *
  * @param {URL|string} keyManagerServiceURL
  * @param {string} keyManagerServiceDID
+ * @param {object} [options] - Optional configuration
+ * @param {boolean} [options.allowInsecureHttp] - Allow HTTP for testing (NOT for production)
  */
-export function createGenericKMSAdapter(keyManagerServiceURL: URL | string, keyManagerServiceDID: string): KMSCryptoAdapter;
+export function createGenericKMSAdapter(keyManagerServiceURL: URL | string, keyManagerServiceDID: string, options?: {
+    allowInsecureHttp?: boolean | undefined;
+}): KMSCryptoAdapter;
 import { KMSCryptoAdapter } from './adapters/kms-crypto-adapter.js';
 //# sourceMappingURL=factories.browser.d.ts.map

package/dist/crypto/factories.browser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"factories.browser.d.ts","sourceRoot":"","sources":["../../src/crypto/factories.browser.js"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AACH,8DAHW,GAAG,GAAC,MAAM,wBACV,MAAM,oBAYhB;iCApBgC,kCAAkC"}
+{"version":3,"file":"factories.browser.d.ts","sourceRoot":"","sources":["../../src/crypto/factories.browser.js"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AACH,8DALW,GAAG,GAAC,MAAM,wBACV,MAAM,YAEd;IAA0B,iBAAiB;CAC7C,oBAaA;iCAxBgC,kCAAkC"}

package/dist/crypto/factories.browser.js

@@ -7,10 +7,12 @@ import { KMSCryptoAdapter } from './adapters/kms-crypto-adapter.js';
  *
  * @param {URL|string} keyManagerServiceURL
  * @param {string} keyManagerServiceDID
+ * @param {object} [options] - Optional configuration
+ * @param {boolean} [options.allowInsecureHttp] - Allow HTTP for testing (NOT for production)
  */
-export function createGenericKMSAdapter(keyManagerServiceURL, keyManagerServiceDID) {
+export function createGenericKMSAdapter(keyManagerServiceURL, keyManagerServiceDID, options = {}) {
     const symmetricCrypto = new GenericAesCtrStreamingCrypto();
     return new KMSCryptoAdapter(symmetricCrypto, keyManagerServiceURL, 
-    /** @type {`did:${string}:${string}`} */ (keyManagerServiceDID));
+    /** @type {`did:${string}:${string}`} */ (keyManagerServiceDID), options);
 }
 //# sourceMappingURL=factories.browser.js.map

package/dist/crypto/symmetric/generic-aes-ctr-streaming-crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generic-aes-ctr-streaming-crypto.d.ts","sourceRoot":"","sources":["../../../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js"],"names":[],"mappings":"AAOA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qDAFgB,IAAI,CAAC,eAAe;IASlC;;;;OAIG;IACH,eAFa,OAAO,CAAC,UAAU,CAAC,CAI/B;IAED;;;;;;OAMG;IACH,0BAJW,UAAU,aACV,MAAM,GACJ,UAAU,CAsBtB;IAED;;;;;OAKG;IACH,oBAHW,IAAI,GACF,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAC;QAAC,eAAe,EAAE,cAAc,CAAA;KAAE,CAAC,CAsDzF;IAED;;;;;;;OAOG;IACH,6BALW,cAAc,OACd,UAAU,MACV,UAAU,GACR,OAAO,CAAC,cAAc,CAAC,CAiDnC;IAED;;;;;;OAMG;IACH,qBAJW,UAAU,MACV,UAAU,GACR,UAAU,CAatB;IAED;;;;;OAKG;IACH,wBAHW,UAAU,GACR;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAc/C;CACF;sBApOqB,gBAAgB"}
+{"version":3,"file":"generic-aes-ctr-streaming-crypto.d.ts","sourceRoot":"","sources":["../../../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js"],"names":[],"mappings":"AAOA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qDAFgB,IAAI,CAAC,eAAe;IASlC;;;;OAIG;IACH,eAFa,OAAO,CAAC,UAAU,CAAC,CAI/B;IAED;;;;;;OAMG;IACH,0BAJW,UAAU,aACV,MAAM,GACJ,UAAU,CAsBtB;IAED;;;;;OAKG;IACH,oBAHW,IAAI,GACF,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAC;QAAC,eAAe,EAAE,cAAc,CAAA;KAAE,CAAC,CAsDzF;IAED;;;;;;;OAOG;IACH,6BALW,cAAc,OACd,UAAU,MACV,UAAU,GACR,OAAO,CAAC,cAAc,CAAC,CA+CnC;IAED;;;;;;OAMG;IACH,qBAJW,UAAU,MACV,UAAU,GACR,UAAU,CAatB;IAED;;;;;OAKG;IACH,wBAHW,UAAU,GACR;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAc/C;CACF;sBAlOqB,gBAAgB"}

package/dist/crypto/symmetric/generic-aes-ctr-streaming-crypto.js

@@ -114,7 +114,6 @@ export class GenericAesCtrStreamingCrypto {
         // State for AES-CTR counter management
         let counter = new Uint8Array(iv);
         let totalBlocks = 0; // Track total blocks processed (CRITICAL for security)
-        // Create TransformStream (inspired by Node.js approach)
         const decryptTransform = new TransformStream({
             transform: async (chunk, controller) => {
                 try {

package/dist/handlers/decrypt-handler.d.ts

@@ -5,11 +5,11 @@
  * encryption and decryption operations.
  * @param {Uint8Array} key - The symmetric key
  * @param {Uint8Array} iv - The initialization vector
- * @param {Uint8Array} content - The encrypted file content
+ * @param {AsyncIterable<Uint8Array>|Uint8Array} content - The encrypted file content
  * @returns {Promise<ReadableStream>} The decrypted file stream
  */
-export function decryptFileWithKey(cryptoAdapter: Type.CryptoAdapter, key: Uint8Array, iv: Uint8Array, content: Uint8Array): Promise<ReadableStream>;
-export function retrieveAndDecrypt(storachaClient: import("@storacha/client").Client, cryptoAdapter: Type.CryptoAdapter, gatewayURL: URL, cid: Type.AnyLink, delegationCAR: Uint8Array, decryptionOptions: Type.DecryptionOptions): Promise<ReadableStream>;
+export function decryptFileWithKey(cryptoAdapter: Type.CryptoAdapter, key: Uint8Array, iv: Uint8Array, content: AsyncIterable<Uint8Array> | Uint8Array): Promise<ReadableStream>;
+export function retrieveAndDecrypt(storachaClient: import("@storacha/client").Client, cryptoAdapter: Type.CryptoAdapter, gatewayURL: URL, cid: Type.AnyLink, decryptionConfig: Type.DecryptionConfig): Promise<Type.DecryptionResult>;
 export function getCarFileFromPublicGateway(gatewayURL: URL, cid: string): Promise<Uint8Array>;
 import * as Type from '../types.js';
 //# sourceMappingURL=decrypt-handler.d.ts.map

package/dist/handlers/decrypt-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/decrypt-handler.js"],"names":[],"mappings":"AA4DA;;;;;;;;;GASG;AACH,kDAPW,IAAI,CAAC,aAAa,OAElB,UAAU,MACV,UAAU,WACV,UAAU,GACR,OAAO,CAAC,cAAc,CAAC,CAanC;AA9DM,mDATI,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,cAElB,GAAG,OACH,IAAI,CAAC,OAAO,iBACZ,UAAU,qBACV,IAAI,CAAC,iBAAiB,GACpB,OAAO,CAAC,cAAc,CAAC,CAyCnC;AAoCM,wDAJI,GAAG,OACH,MAAM,GACJ,OAAO,CAAC,UAAU,CAAC,CA+B/B;sBAtHqB,aAAa"}
+{"version":3,"file":"decrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/decrypt-handler.js"],"names":[],"mappings":"AAyEA;;;;;;;;;GASG;AACH,kDAPW,IAAI,CAAC,aAAa,OAElB,UAAU,MACV,UAAU,WACV,aAAa,CAAC,UAAU,CAAC,GAAC,UAAU,GAClC,OAAO,CAAC,cAAc,CAAC,CAiDnC;AA/GM,mDARI,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,cAElB,GAAG,OACH,IAAI,CAAC,OAAO,oBACZ,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAsD1C;AAwEM,wDAJI,GAAG,OACH,MAAM,GACJ,OAAO,CAAC,UAAU,CAAC,CA+B/B;sBAvKqB,aAAa"}

package/dist/handlers/decrypt-handler.js

@@ -3,6 +3,7 @@ import { CarIndexer, CarReader } from '@ipld/car';
 import { exporter } from 'ipfs-unixfs-exporter';
 import { MemoryBlockstore } from 'blockstore-core';
 import * as Type from '../types.js';
+import { extractFileMetadata } from '../utils/file-metadata.js';
 /**
  * Retrieve and decrypt a file from the IPFS gateway using any supported encryption strategy.
  *
@@ -11,11 +12,10 @@ import * as Type from '../types.js';
  * encryption and decryption operations.
  * @param {URL} gatewayURL - The IPFS gateway URL
  * @param {Type.AnyLink} cid - The link to the file to retrieve
- * @param {Uint8Array} delegationCAR - The delegation that gives permission to decrypt (required for both strategies)
- * @param {Type.DecryptionOptions} decryptionOptions - User-provided decryption options
- * @returns {Promise<ReadableStream>} The decrypted file stream
+ * @param {Type.DecryptionConfig} decryptionConfig - User-provided decryption config
+ * @returns {Promise<Type.DecryptionResult>} The decrypted file stream with metadata
  */
-export const retrieveAndDecrypt = async (storachaClient, cryptoAdapter, gatewayURL, cid, delegationCAR, decryptionOptions) => {
+export const retrieveAndDecrypt = async (storachaClient, cryptoAdapter, gatewayURL, cid, decryptionConfig) => {
     // Step 1: Get the encrypted metadata from the public gateway
     const encryptedMetadataCar = await getCarFileFromPublicGateway(gatewayURL, cid.toString());
     // Step 2: Extract encrypted metadata from the CAR file
@@ -25,15 +25,20 @@ export const retrieveAndDecrypt = async (storachaClient, cryptoAdapter, gatewayU
     // Step 4: Decrypt the encrypted symmetric key
     const encryptedSymmetricKey = cryptoAdapter.getEncryptedKey(metadata);
     const { key, iv } = await cryptoAdapter.decryptSymmetricKey(encryptedSymmetricKey, {
-        decryptionOptions,
+        decryptionConfig,
         metadata,
-        delegationCAR,
         resourceCID: cid,
         issuer: storachaClient.agent.issuer,
         audience: storachaClient.defaultProvider(),
     });
     // Step 5: Decrypt the encrypted file content using the decrypted symmetric key and IV
-    return decryptFileWithKey(cryptoAdapter, key, iv, encryptedData);
+    const decryptedStreamWithMetadata = await decryptFileWithKey(cryptoAdapter, key, iv, encryptedData);
+    // Step 6: Extract file content and metadata
+    const { fileStream, fileMetadata } = await extractFileMetadata(decryptedStreamWithMetadata);
+    return {
+        stream: fileStream,
+        fileMetadata,
+    };
 };
 /**
  * Decrypt file content using the decrypted symmetric key and IV.
@@ -42,17 +47,53 @@ export const retrieveAndDecrypt = async (storachaClient, cryptoAdapter, gatewayU
  * encryption and decryption operations.
  * @param {Uint8Array} key - The symmetric key
  * @param {Uint8Array} iv - The initialization vector
- * @param {Uint8Array} content - The encrypted file content
+ * @param {AsyncIterable<Uint8Array>|Uint8Array} content - The encrypted file content
  * @returns {Promise<ReadableStream>} The decrypted file stream
  */
-export function decryptFileWithKey(cryptoAdapter, key, iv, content) {
+export async function decryptFileWithKey(cryptoAdapter, key, iv, content) {
+    // Convert content to ReadableStream with true on-demand streaming
+    /** @type {AsyncIterator<Uint8Array> | null} */
+    let iterator = null;
     const contentStream = new ReadableStream({
-        start(controller) {
-            controller.enqueue(content);
-            controller.close();
+        start() {
+            // Initialize iterator for async iterable (no memory loading here)
+            if (!(content instanceof Uint8Array)) {
+                iterator = content[Symbol.asyncIterator]();
+            }
+        },
+        async pull(controller) {
+            try {
+                if (content instanceof Uint8Array) {
+                    // Handle single Uint8Array (legacy case)
+                    controller.enqueue(content);
+                    controller.close();
+                }
+                else if (iterator) {
+                    // Handle async iterable - get next chunk on-demand
+                    const { value, done } = await iterator.next();
+                    if (done) {
+                        controller.close();
+                    }
+                    else {
+                        controller.enqueue(value); // Only load one chunk at a time
+                    }
+                }
+                else {
+                    controller.close();
+                }
+            }
+            catch (error) {
+                controller.error(error);
+            }
+        },
+        cancel() {
+            // Clean up iterator if stream is cancelled
+            if (iterator && typeof iterator.return === 'function') {
+                void iterator.return();
+            }
         },
     });
-    const decryptedStream = cryptoAdapter.decryptStream(contentStream, key, iv);
+    const decryptedStream = await cryptoAdapter.decryptStream(contentStream, key, iv);
     return decryptedStream;
 }
 /**
@@ -107,7 +148,7 @@ const getEncryptedDataFromCar = async (car, encryptedDataCID) => {
     await blockstore.put(CID.parse(encryptedDataCID), blockBytes);
     // Step 4: Get the encrypted data from the CAR file
     const encryptedDataEntry = await exporter(CID.parse(encryptedDataCID), blockstore);
-    // Step 5: Return the async iterable (stream of chunks)
-    return encryptedDataEntry.content(); // async iterable of Uint8Array
+    // Step 5: Return the async iterable for streaming
+    return encryptedDataEntry.content();
 };
 //# sourceMappingURL=decrypt-handler.js.map

package/dist/handlers/encrypt-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/encrypt-handler.js"],"names":[],"mappings":"AAgBO,iDARI,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,QAElB,IAAI,CAAC,QAAQ,oBACb,IAAI,CAAC,gBAAgB,kBACrB,IAAI,CAAC,aAAa,GAChB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CA6BjC;sBAxCqB,aAAa"}
+{"version":3,"file":"encrypt-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/encrypt-handler.js"],"names":[],"mappings":"AAiBO,iDARI,OAAO,kBAAkB,EAAE,MAAM,iBACjC,IAAI,CAAC,aAAa,QAElB,IAAI,CAAC,QAAQ,oBACb,IAAI,CAAC,gBAAgB,kBACrB,IAAI,CAAC,aAAa,GAChB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CA6BjC;sBAzCqB,aAAa"}

package/dist/handlers/encrypt-handler.js

@@ -1,6 +1,7 @@
 import { CARWriterStream } from 'carstream';
 import { createFileEncoderStream } from '@storacha/upload-client/unixfs';
 import * as Type from '../types.js';
+import { createFileWithMetadata } from '../utils/file-metadata.js';
 /**
  * Encrypt and upload a file to the Storacha network
  *
@@ -60,7 +61,7 @@ const buildAndUploadEncryptedMetadata = async (storachaClient, encryptedPayload,
     });
 };
 /**
- * Encrypt a file using the crypto adapter and return the encrypted payload.
+ * Encrypt a file with embedded metadata using the crypto adapter and return the encrypted payload.
  * The encrypted payload contains the encrypted file, the encrypted symmetric key, and the metadata.
  *
  * @param {Type.CryptoAdapter} cryptoAdapter - The crypto adapter responsible for performing
@@ -70,11 +71,13 @@ const buildAndUploadEncryptedMetadata = async (storachaClient, encryptedPayload,
  * @returns {Promise<Type.EncryptionPayload>} - The encrypted file
  */
 const encryptFile = async (cryptoAdapter, file, encryptionConfig) => {
-    // Step 1: Encrypt the file using the crypto adapter
-    const { key, iv, encryptedStream } = await cryptoAdapter.encryptStream(file);
-    // Step 2: Use crypto adapter to encrypt the symmetric key
+    // Step 1: Embed metadata in file content if provided
+    const fileWithMetadata = createFileWithMetadata(file, encryptionConfig.fileMetadata);
+    // Step 2: Encrypt the file (with embedded metadata) using the crypto adapter
+    const { key, iv, encryptedStream } = await cryptoAdapter.encryptStream(fileWithMetadata);
+    // Step 3: Use crypto adapter to encrypt the symmetric key
     const keyResult = await cryptoAdapter.encryptSymmetricKey(key, iv, encryptionConfig);
-    // Step 3: Return the encrypted payload
+    // Step 4: Return the encrypted payload (no separate metadata needed)
     return {
         strategy: keyResult.strategy,
         encryptedKey: keyResult.encryptedKey,

package/dist/types.d.ts

@@ -11,9 +11,19 @@ export type { Result, UnknownLink };
 export type { BlobLike, AnyLink };
 export type { UploadOptions } from '@storacha/client/types';
 import type { SpaceDID } from '@storacha/capabilities/types';
+export interface FileMetadata {
+    name: string;
+    type: string;
+    extension: string;
+    metadata?: Record<string, unknown>;
+}
+export interface DecryptionResult {
+    stream: ReadableStream;
+    fileMetadata?: FileMetadata;
+}
 export interface EncryptedClient {
     encryptAndUploadFile(file: BlobLike, config: EncryptionConfig, uploadOptions?: UploadOptions): Promise<AnyLink>;
-    retrieveAndDecryptFile(cid: AnyLink, delegationCAR: Uint8Array, decryptionOptions: DecryptionOptions): Promise<ReadableStream>;
+    retrieveAndDecryptFile(cid: AnyLink, decryptionConfig: DecryptionConfig): Promise<DecryptionResult>;
 }
 export type EncryptedClientOptions = {
     storachaClient: StorachaClient;
@@ -39,9 +49,8 @@ export interface CryptoAdapter {
     decryptStream(encryptedData: ReadableStream, key: Uint8Array, iv: Uint8Array): Promise<ReadableStream>;
     encryptSymmetricKey(key: Uint8Array, iv: Uint8Array, encryptionConfig: EncryptionConfig): Promise<EncryptedKeyResult>;
     decryptSymmetricKey(encryptedKey: string, configs: {
-        decryptionOptions: DecryptionOptions;
+        decryptionConfig: DecryptionConfig;
         metadata: ExtractedMetadata;
-        delegationCAR: Uint8Array;
         resourceCID: AnyLink;
         issuer: Signer<DID, SigAlg>;
         audience: DID;
@@ -65,6 +74,10 @@ export interface EncryptionConfig {
      * The DID of the space to encrypt the file for
      */
     spaceDID: SpaceDID;
+    /**
+     * Proofs to access the space
+     */
+    proofs?: Proof[];
     /**
      * The location of the KMS key to use for encryption
      */
@@ -73,14 +86,22 @@ export interface EncryptionConfig {
      * The keyring of the KMS key to use for encryption
      */
     keyring?: string;
+    /**
+     * File metadata to embed in encrypted file
+     */
+    fileMetadata?: FileMetadata;
 }
-export interface DecryptionOptions {
+export interface DecryptionConfig {
+    decryptDelegation: Proof;
+    spaceDID: SpaceDID;
+    /**
+     * Proofs to access the space
+     */
+    proofs?: Proof[];
     wallet?: Wallet;
     sessionSigs?: SessionSigsMap;
     pkpPublicKey?: string;
     authMethod?: AuthMethod;
-    spaceDID?: SpaceDID;
-    delegationProof?: Proof;
 }
 export interface EncryptedKeyResult {
     strategy: EncryptionStrategy;
@@ -175,7 +196,7 @@ export interface LitWalletSigner {
     wallet: Wallet;
 }
 export interface CreateDecryptWrappedInvocationOptions {
-    delegationCAR: Uint8Array;
+    decryptDelegation: Proof;
     issuer: Signer<DID, SigAlg>;
     audience: `did:${string}:${string}`;
     spaceDID: `did:key:${string}`;

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC/B,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAAE,MAAM,IAAI,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAC3D,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAA;AACjE,OAAO,EACL,uBAAuB,EACvB,UAAU,EACV,OAAO,EACP,cAAc,EACf,MAAM,qBAAqB,CAAA;AAC5B,OAAO,KAAK,EACV,QAAQ,EACR,OAAO,EACP,MAAM,EACN,GAAG,EACH,MAAM,EACN,aAAa,EACd,MAAM,wBAAwB,CAAA;AAE/B,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAClD,YAAY,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AAC5D,YAAY,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAA;AACjE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;AACnC,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAA;AACjC,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAG3D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AAE5D,MAAM,WAAW,eAAe;IAC9B,oBAAoB,CAClB,IAAI,EAAE,QAAQ,EACd,MAAM,EAAE,gBAAgB,EACxB,aAAa,CAAC,EAAE,aAAa,GAC5B,OAAO,CAAC,OAAO,CAAC,CAAA;IACnB,sBAAsB,CACpB,GAAG,EAAE,OAAO,EACZ,aAAa,EAAE,UAAU,EACzB,iBAAiB,EAAE,iBAAiB,GACnC,OAAO,CAAC,cAAc,CAAC,CAAA;CAC3B;AAED,MAAM,MAAM,sBAAsB,GAAG;IACnC,cAAc,EAAE,cAAc,CAAA;IAC9B,aAAa,EAAE,aAAa,CAAA;IAC5B,UAAU,CAAC,EAAE,GAAG,CAAA;CACjB,CAAA;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,UAAU,CAAA;IACf,EAAE,EAAE,UAAU,CAAA;IACd,eAAe,EAAE,cAAc,CAAA;CAChC;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IACrD,aAAa,CACX,aAAa,EAAE,cAAc,EAC7B,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,GACb,OAAO,CAAC,cAAc,CAAC,CAAA;IAG1B,eAAe,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,UAAU,CAAA;IAC5D,aAAa,CAAC,QAAQ,EAAE,UAAU,GAAG;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAAA;CACzE;AAED,MAAM,WAAW,aAAa;IAE5B,aAAa,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IACrD,aAAa,CACX,aAAa,EAAE,cAAc,EAC7B,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,GACb,OAAO,CAAC,cAAc,CAAC,CAAA;IAG1B,mBAAmB,CACjB,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,gBAAgB,EAAE,gBAAgB,GACjC,OAAO,CAAC,kBAAkB,CAAC,CAAA;IAC9B,mBAAmB,CACjB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE;QACP,iBAAiB,EAAE,iBAAiB,CAAA;QACpC,QAAQ,EAAE,iBAAiB,CAAA;QAC3B,aAAa,EAAE,UAAU,CAAA;QACzB,WAAW,EAAE,OAAO,CAAA;QACpB,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;QAC3B,QAAQ,EAAE,GAAG,CAAA;KACd,GACA,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAAC,CAAA;IAC/C,wBAAwB,CAAC,GAAG,EAAE,UAAU,GAAG,iBAAiB,CAAA;IAC5D,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,CAAA;IACpD,cAAc,CACZ,gBAAgB,EAAE,MAAM,EACxB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,cAAc,GAAG,cAAc,GACxC,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAAA;CAChD;AAGD,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAE3B;;OAEG;IACH,QAAQ,EAAE,QAAQ,CAAA;IAElB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,iBAAiB;IAGhC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,WAAW,CAAC,EAAE,cAAc,CAAA;IAE5B,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,UAAU,CAAC,EAAE,UAAU,CAAA;IAEvB,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,eAAe,CAAC,EAAE,KAAK,CAAA;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAE,cAAc,GAAG,cAAc,CAAA;CAC1C;AAED,MAAM,MAAM,kBAAkB,GAAG,KAAK,GAAG,KAAK,CAAA;AAE9C,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,uBAAuB,CAAA;CACjD;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,QAAQ,CAAA;IACf,GAAG,EAAE;QACH,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;CACF;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAE,cAAc,GAAG,cAAc,CAAA;IACzC,iBAAiB,EAAE,QAAQ,CAAA;CAC5B,CAAA;AAED,MAAM,MAAM,6BAA6B,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAA;AAEjE,MAAM,WAAW,gBAAgB;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,MAAM,CAAA;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,uBAAuB,CAAA;CACjD;AAED,MAAM,WAAW,WAAW;IAC1B,gBAAgB,EAAE,WAAW,CAAA;IAC7B,uBAAuB,EAAE,UAAU,CAAA;IACnC,gBAAgB,EAAE,UAAU,CAAA;IAC5B,uBAAuB,EAAE,uBAAuB,CAAA;CACjD;AAED,MAAM,WAAW,eAAgB,SAAQ,WAAW;IAClD,+BAA+B;IAC/B,YAAY,IAAI,OAAO,CAAC,KAAK,CAAC,CAAA;IAC9B,MAAM,IAAI,gBAAgB,CAAA;CAC3B;AAGD,MAAM,WAAW,WAAW;IAC1B,gBAAgB,EAAE,WAAW,CAAA;IAC7B,qBAAqB,EAAE,MAAM,CAAA;IAC7B,KAAK,EAAE,QAAQ,CAAA;IACf,GAAG,EAAE;QACH,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;CACF;AAED,MAAM,WAAW,gBAAgB;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,qBAAqB,EAAE,MAAM,CAAA;IAC7B,KAAK,EAAE,MAAM,CAAA;IACb,GAAG,EAAE;QACH,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;CACF;AAED,MAAM,WAAW,eAAgB,SAAQ,WAAW;IAClD,+BAA+B;IAC/B,YAAY,IAAI,OAAO,CAAC,KAAK,CAAC,CAAA;IAC9B,MAAM,IAAI,gBAAgB,CAAA;CAC3B;AAED,MAAM,WAAW,aAAc,SAAQ,OAAO;IAC5C,IAAI,EAAE,eAAe,CAAA;CACtB;AAED,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,MAAM,CAAA;IACd,uBAAuB,EAAE,uBAAuB,CAAA;IAChD,iBAAiB,EAAE,MAAM,CAAA;IACzB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,kBAAkB,CAAC,EAAE,OAAO,EAAE,CAAA;CAC/B;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,UAAU,CAAA;IACtB,uBAAuB,EAAE,uBAAuB,CAAA;IAChD,iBAAiB,EAAE,MAAM,CAAA;IACzB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,kBAAkB,CAAC,EAAE,OAAO,EAAE,CAAA;CAC/B;AAED,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,UAAU,CAAA;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,qCAAqC;IACpD,aAAa,EAAE,UAAU,CAAA;IACzB,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAC3B,QAAQ,EAAE,OAAO,MAAM,IAAI,MAAM,EAAE,CAAA;IACnC,QAAQ,EAAE,WAAW,MAAM,EAAE,CAAA;IAC7B,WAAW,EAAE,OAAO,CAAA;IACpB,UAAU,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,cAAc,CAAA;IAC3B,QAAQ,EAAE,WAAW,MAAM,EAAE,CAAA;IAC7B,uBAAuB,EAAE,MAAM,CAAA;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,uBAAuB,CAAA;IAChD,qBAAqB,EAAE,MAAM,CAAA;CAC9B;AAGD,MAAM,MAAM,iBAAiB,GAAG,oBAAoB,GAAG,oBAAoB,CAAA;AAE3E,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,KAAK,CAAA;IACf,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,MAAM,CAAA;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,uBAAuB,CAAA;CACjD;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,KAAK,CAAA;IACf,gBAAgB,EAAE,MAAM,CAAA;IACxB,qBAAqB,EAAE,MAAM,CAAA;IAC7B,KAAK,EAAE,QAAQ,CAAA;IACf,GAAG,EAAE;QACH,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;CACF"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC/B,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAAE,MAAM,IAAI,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAC3D,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAA;AACjE,OAAO,EACL,uBAAuB,EACvB,UAAU,EACV,OAAO,EACP,cAAc,EACf,MAAM,qBAAqB,CAAA;AAC5B,OAAO,KAAK,EACV,QAAQ,EACR,OAAO,EACP,MAAM,EACN,GAAG,EACH,MAAM,EACN,aAAa,EACd,MAAM,wBAAwB,CAAA;AAE/B,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAClD,YAAY,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AAC5D,YAAY,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAA;AACjE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;AACnC,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAA;AACjC,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAG3D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AAE5D,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,cAAc,CAAA;IACtB,YAAY,CAAC,EAAE,YAAY,CAAA;CAC5B;AAED,MAAM,WAAW,eAAe;IAC9B,oBAAoB,CAClB,IAAI,EAAE,QAAQ,EACd,MAAM,EAAE,gBAAgB,EACxB,aAAa,CAAC,EAAE,aAAa,GAC5B,OAAO,CAAC,OAAO,CAAC,CAAA;IACnB,sBAAsB,CACpB,GAAG,EAAE,OAAO,EACZ,gBAAgB,EAAE,gBAAgB,GACjC,OAAO,CAAC,gBAAgB,CAAC,CAAA;CAC7B;AAED,MAAM,MAAM,sBAAsB,GAAG;IACnC,cAAc,EAAE,cAAc,CAAA;IAC9B,aAAa,EAAE,aAAa,CAAA;IAC5B,UAAU,CAAC,EAAE,GAAG,CAAA;CACjB,CAAA;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,UAAU,CAAA;IACf,EAAE,EAAE,UAAU,CAAA;IACd,eAAe,EAAE,cAAc,CAAA;CAChC;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IACrD,aAAa,CACX,aAAa,EAAE,cAAc,EAC7B,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,GACb,OAAO,CAAC,cAAc,CAAC,CAAA;IAG1B,eAAe,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,UAAU,CAAA;IAC5D,aAAa,CAAC,QAAQ,EAAE,UAAU,GAAG;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAAA;CACzE;AAED,MAAM,WAAW,aAAa;IAE5B,aAAa,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IACrD,aAAa,CACX,aAAa,EAAE,cAAc,EAC7B,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,GACb,OAAO,CAAC,cAAc,CAAC,CAAA;IAG1B,mBAAmB,CACjB,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,gBAAgB,EAAE,gBAAgB,GACjC,OAAO,CAAC,kBAAkB,CAAC,CAAA;IAC9B,mBAAmB,CACjB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE;QACP,gBAAgB,EAAE,gBAAgB,CAAA;QAClC,QAAQ,EAAE,iBAAiB,CAAA;QAC3B,WAAW,EAAE,OAAO,CAAA;QACpB,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;QAC3B,QAAQ,EAAE,GAAG,CAAA;KACd,GACA,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAAC,CAAA;IAC/C,wBAAwB,CAAC,GAAG,EAAE,UAAU,GAAG,iBAAiB,CAAA;IAC5D,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,CAAA;IACpD,cAAc,CACZ,gBAAgB,EAAE,MAAM,EACxB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,cAAc,GAAG,cAAc,GACxC,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAAA;CAChD;AAGD,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAE3B;;OAEG;IACH,QAAQ,EAAE,QAAQ,CAAA;IAElB;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,EAAE,CAAA;IAEhB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,YAAY,CAAC,EAAE,YAAY,CAAA;CAC5B;AAED,MAAM,WAAW,gBAAgB;IAE/B,iBAAiB,EAAE,KAAK,CAAA;IACxB,QAAQ,EAAE,QAAQ,CAAA;IAClB;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,EAAE,CAAA;IAGhB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,WAAW,CAAC,EAAE,cAAc,CAAA;IAE5B,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,UAAU,CAAC,EAAE,UAAU,CAAA;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAE,cAAc,GAAG,cAAc,CAAA;CAC1C;AAED,MAAM,MAAM,kBAAkB,GAAG,KAAK,GAAG,KAAK,CAAA;AAE9C,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,uBAAuB,CAAA;CACjD;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,QAAQ,CAAA;IACf,GAAG,EAAE;QACH,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;CACF;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAE,cAAc,GAAG,cAAc,CAAA;IACzC,iBAAiB,EAAE,QAAQ,CAAA;CAC5B,CAAA;AAED,MAAM,MAAM,6BAA6B,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAA;AAEjE,MAAM,WAAW,gBAAgB;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,MAAM,CAAA;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,uBAAuB,CAAA;CACjD;AAED,MAAM,WAAW,WAAW;IAC1B,gBAAgB,EAAE,WAAW,CAAA;IAC7B,uBAAuB,EAAE,UAAU,CAAA;IACnC,gBAAgB,EAAE,UAAU,CAAA;IAC5B,uBAAuB,EAAE,uBAAuB,CAAA;CACjD;AAED,MAAM,WAAW,eAAgB,SAAQ,WAAW;IAClD,+BAA+B;IAC/B,YAAY,IAAI,OAAO,CAAC,KAAK,CAAC,CAAA;IAC9B,MAAM,IAAI,gBAAgB,CAAA;CAC3B;AAGD,MAAM,WAAW,WAAW;IAC1B,gBAAgB,EAAE,WAAW,CAAA;IAC7B,qBAAqB,EAAE,MAAM,CAAA;IAC7B,KAAK,EAAE,QAAQ,CAAA;IACf,GAAG,EAAE;QACH,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;CACF;AAED,MAAM,WAAW,gBAAgB;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,qBAAqB,EAAE,MAAM,CAAA;IAC7B,KAAK,EAAE,MAAM,CAAA;IACb,GAAG,EAAE;QACH,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;CACF;AAED,MAAM,WAAW,eAAgB,SAAQ,WAAW;IAClD,+BAA+B;IAC/B,YAAY,IAAI,OAAO,CAAC,KAAK,CAAC,CAAA;IAC9B,MAAM,IAAI,gBAAgB,CAAA;CAC3B;AAED,MAAM,WAAW,aAAc,SAAQ,OAAO;IAC5C,IAAI,EAAE,eAAe,CAAA;CACtB;AAED,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,MAAM,CAAA;IACd,uBAAuB,EAAE,uBAAuB,CAAA;IAChD,iBAAiB,EAAE,MAAM,CAAA;IACzB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,kBAAkB,CAAC,EAAE,OAAO,EAAE,CAAA;CAC/B;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,UAAU,CAAA;IACtB,uBAAuB,EAAE,uBAAuB,CAAA;IAChD,iBAAiB,EAAE,MAAM,CAAA;IACzB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,kBAAkB,CAAC,EAAE,OAAO,EAAE,CAAA;CAC/B;AAED,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,UAAU,CAAA;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,qCAAqC;IACpD,iBAAiB,EAAE,KAAK,CAAA;IACxB,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAC3B,QAAQ,EAAE,OAAO,MAAM,IAAI,MAAM,EAAE,CAAA;IACnC,QAAQ,EAAE,WAAW,MAAM,EAAE,CAAA;IAC7B,WAAW,EAAE,OAAO,CAAA;IACpB,UAAU,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,cAAc,CAAA;IAC3B,QAAQ,EAAE,WAAW,MAAM,EAAE,CAAA;IAC7B,uBAAuB,EAAE,MAAM,CAAA;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,uBAAuB,CAAA;IAChD,qBAAqB,EAAE,MAAM,CAAA;CAC9B;AAGD,MAAM,MAAM,iBAAiB,GAAG,oBAAoB,GAAG,oBAAoB,CAAA;AAE3E,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,KAAK,CAAA;IACf,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,MAAM,CAAA;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,uBAAuB,CAAA;CACjD;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,KAAK,CAAA;IACf,gBAAgB,EAAE,MAAM,CAAA;IACxB,qBAAqB,EAAE,MAAM,CAAA;IAC7B,KAAK,EAAE,QAAQ,CAAA;IACf,GAAG,EAAE;QACH,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,CAAA;CACF"}

package/dist/utils/file-metadata.d.ts

@@ -0,0 +1,14 @@
+export const FileMetadataSchema: Schema.StructSchema<{
+    name: Schema.StringSchema<string, unknown>;
+    type: Schema.StringSchema<string, unknown>;
+    extension: Schema.StringSchema<string, unknown>;
+    metadata: Schema.Schema<unknown, any>;
+}, unknown>;
+export function createFileWithMetadata(file: Type.BlobLike, metadata?: Type.FileMetadata): Blob;
+export function extractFileMetadata(decryptedStream: ReadableStream): Promise<{
+    fileStream: ReadableStream;
+    fileMetadata?: Type.FileMetadata;
+}>;
+import { Schema } from '@ucanto/core';
+import * as Type from '../types.js';
+//# sourceMappingURL=file-metadata.d.ts.map

package/dist/utils/file-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-metadata.d.ts","sourceRoot":"","sources":["../../src/utils/file-metadata.js"],"names":[],"mappings":"AAUA;;;;;YAKE;AASK,6CAJI,IAAI,CAAC,QAAQ,aACb,IAAI,CAAC,YAAY,GACf,IAAI,CAmDhB;AAQM,qDAHI,cAAc,GACZ,OAAO,CAAC;IAAC,UAAU,EAAE,cAAc,CAAC;IAAC,YAAY,CAAC,EAAE,IAAI,CAAC,YAAY,CAAA;CAAC,CAAC,CA8DnF;uBA5IsB,cAAc;sBADf,aAAa"}

package/dist/utils/file-metadata.js

@@ -0,0 +1,231 @@
+import * as Type from '../types.js';
+import { Schema } from '@ucanto/core';
+const METADATA_HEADER_SIZE = 1024;
+const MAX_JSON_DEPTH = 5;
+const MAX_JSON_OBJECTS = 20;
+const MAX_FIELD_LENGTH = 200;
+const MAX_CUSTOM_METADATA_SIZE = 10000;
+// Schema for file metadata validation
+export const FileMetadataSchema = Schema.struct({
+    name: Schema.string(),
+    type: Schema.string(),
+    extension: Schema.string(),
+    metadata: Schema.optional(Schema.unknown()),
+});
+/**
+ * Embed file metadata in a fixed-size header at the beginning of file content
+ *
+ * @param {Type.BlobLike} file - The file to embed metadata in
+ * @param {Type.FileMetadata} [metadata] - Optional file metadata
+ * @returns {Blob} File with embedded metadata header
+ */
+export const createFileWithMetadata = (file, metadata) => {
+    if (metadata === undefined) {
+        // No metadata - just return original file as Blob
+        if (file instanceof Blob) {
+            return file;
+        }
+        // Handle known BlobLike types that are valid BlobParts
+        if (file instanceof Uint8Array || file instanceof ArrayBuffer) {
+            return new Blob([file]);
+        }
+        throw new Error('Unsupported BlobLike type - must be Blob, Uint8Array, or ArrayBuffer');
+    }
+    // Validate and serialize metadata
+    validateMetadataStructure(metadata);
+    const metadataJson = JSON.stringify(metadata);
+    const metadataBytes = new TextEncoder().encode(metadataJson);
+    if (metadataBytes.length > METADATA_HEADER_SIZE - 4) {
+        throw new Error(`Metadata too large: ${metadataBytes.length} bytes (max ${METADATA_HEADER_SIZE - 4})`);
+    }
+    // Create fixed-size header: [4 bytes length][metadata][padding]
+    const header = new Uint8Array(METADATA_HEADER_SIZE);
+    const lengthBytes = new Uint8Array(new Uint32Array([metadataBytes.length]).buffer);
+    header.set(lengthBytes, 0); // First 4 bytes = length
+    header.set(metadataBytes, 4); // Metadata starts at byte 4
+    // Rest remains zero-filled
+    let originalFile;
+    if (file instanceof Blob) {
+        originalFile = file;
+    }
+    else if (file instanceof Uint8Array || file instanceof ArrayBuffer) {
+        originalFile = new Blob([file]);
+    }
+    else {
+        throw new Error('Unsupported BlobLike type - must be Blob, Uint8Array, or ArrayBuffer');
+    }
+    return new Blob([header, originalFile]);
+};
+/**
+ * Extract file metadata from encrypted file stream
+ *
+ * @param {ReadableStream} decryptedStream - The decrypted file stream
+ * @returns {Promise<{fileStream: ReadableStream, fileMetadata?: Type.FileMetadata}>}
+ */
+export const extractFileMetadata = async (decryptedStream) => {
+    const reader = decryptedStream.getReader();
+    try {
+        // Read fixed-size header
+        const { bytes: header, remainder } = await readExactBytes(reader, METADATA_HEADER_SIZE);
+        if (!header) {
+            return { fileStream: createStreamFromReader(reader) };
+        }
+        // Read metadata length from first 4 bytes
+        const lengthView = new DataView(header.buffer, 0, 4);
+        const metadataLength = lengthView.getUint32(0, true);
+        // Validate length
+        if (metadataLength < 0 || metadataLength > METADATA_HEADER_SIZE - 4) {
+            throw new Error('Invalid metadata length');
+        }
+        let fileMetadata = undefined;
+        if (metadataLength > 0) {
+            // Extract and parse metadata
+            const metadataBytes = header.slice(4, 4 + metadataLength);
+            const metadataJson = new TextDecoder('utf-8', { fatal: true }).decode(metadataBytes);
+            fileMetadata = secureJsonParse(metadataJson);
+            validateMetadataStructure(fileMetadata);
+        }
+        // Create file stream (header is consumed, continue with rest)
+        // Include any remainder bytes from the header read first
+        let remainderEnqueued = false;
+        const fileStream = new ReadableStream({
+            async pull(controller) {
+                // First, enqueue any remainder bytes from header read
+                if (!remainderEnqueued && remainder) {
+                    controller.enqueue(remainder);
+                    remainderEnqueued = true;
+                    return;
+                }
+                // Then continue with the reader
+                const { done, value } = await reader.read();
+                if (done) {
+                    controller.close();
+                }
+                else {
+                    controller.enqueue(value);
+                }
+            },
+        });
+        return { fileStream, fileMetadata };
+    }
+    catch (error) {
+        console.warn('Metadata extraction failed:', error);
+        return { fileStream: createStreamFromReader(reader) };
+    }
+};
+/**
+ * Read exact number of bytes from a stream reader
+ *
+ * @param {ReadableStreamDefaultReader} reader - Stream reader
+ * @param {number} size - Number of bytes to read
+ * @returns {Promise<{bytes: Uint8Array|null, remainder: Uint8Array|null}>} The bytes and any remainder
+ */
+async function readExactBytes(reader, size) {
+    const chunks = [];
+    let totalRead = 0;
+    while (totalRead < size) {
+        const { done, value } = await reader.read();
+        if (done) {
+            return { bytes: null, remainder: null }; // Not enough data
+        }
+        chunks.push(value);
+        totalRead += value.length;
+    }
+    // Combine chunks and extract exact size
+    const combined = new Uint8Array(totalRead);
+    let offset = 0;
+    for (const chunk of chunks) {
+        combined.set(chunk, offset);
+        offset += chunk.length;
+    }
+    const bytes = combined.slice(0, size);
+    const remainder = totalRead > size ? combined.slice(size) : null;
+    return { bytes, remainder };
+}
+/**
+ * Parse JSON with security validations
+ *
+ * @param {string} jsonString - JSON string to parse
+ * @returns {Type.FileMetadata} Parsed metadata
+ */
+function secureJsonParse(jsonString) {
+    // Validate JSON structure before parsing
+    if (jsonString.length > 800) {
+        // Leave room for encoding overhead
+        throw new Error('JSON too large');
+    }
+    // Check nesting depth
+    const depth = calculateJsonDepth(jsonString);
+    if (depth > MAX_JSON_DEPTH) {
+        throw new Error('JSON too deeply nested');
+    }
+    // Check object count
+    const objectCount = (jsonString.match(/[{[]/g) || []).length;
+    if (objectCount > MAX_JSON_OBJECTS) {
+        throw new Error('Too many JSON objects');
+    }
+    return JSON.parse(jsonString);
+}
+/**
+ * Calculate maximum nesting depth of JSON string
+ *
+ * @param {string} jsonString - JSON string
+ * @returns {number} Maximum depth
+ */
+function calculateJsonDepth(jsonString) {
+    let depth = 0;
+    let maxDepth = 0;
+    for (const char of jsonString) {
+        if (char === '{' || char === '[') {
+            depth++;
+            maxDepth = Math.max(maxDepth, depth);
+        }
+        else if (char === '}' || char === ']') {
+            depth--;
+        }
+    }
+    return maxDepth;
+}
+/**
+ * Validate file metadata structure using schema
+ *
+ * @param {Type.FileMetadata} metadata - Metadata to validate
+ */
+function validateMetadataStructure(metadata) {
+    if (!FileMetadataSchema.is(metadata)) {
+        throw new Error('Invalid metadata structure');
+    }
+    // Additional length validations
+    if (metadata.name.length > MAX_FIELD_LENGTH ||
+        metadata.type.length > MAX_FIELD_LENGTH ||
+        metadata.extension.length > MAX_FIELD_LENGTH) {
+        throw new Error('Metadata field too long');
+    }
+    // Validate optional metadata size
+    if (metadata.metadata !== undefined) {
+        const metadataStr = JSON.stringify(metadata.metadata);
+        if (metadataStr.length > MAX_CUSTOM_METADATA_SIZE) {
+            throw new Error('Custom metadata too large');
+        }
+    }
+}
+/**
+ * Create a readable stream from an existing reader
+ *
+ * @param {ReadableStreamDefaultReader} reader - Stream reader
+ * @returns {ReadableStream} New readable stream
+ */
+function createStreamFromReader(reader) {
+    return new ReadableStream({
+        async pull(controller) {
+            const { done, value } = await reader.read();
+            if (done) {
+                controller.close();
+            }
+            else {
+                controller.enqueue(value);
+            }
+        },
+    });
+}
+//# sourceMappingURL=file-metadata.js.map

package/dist/utils.d.ts

@@ -10,6 +10,6 @@ export function stringToBytes(str: string): Uint8Array;
  * @returns {string}
  */
 export function bytesToString(bytes: Uint8Array): string;
-export function createDecryptWrappedInvocation({ delegationCAR, issuer, spaceDID, resourceCID, audience, expiration, }: Type.CreateDecryptWrappedInvocationOptions): Promise<import("@ucanto/server").ToString<Uint8Array<ArrayBufferLike>, string>>;
+export function createDecryptWrappedInvocation({ decryptDelegation, issuer, spaceDID, resourceCID, audience, expiration, }: Type.CreateDecryptWrappedInvocationOptions): Promise<import("@ucanto/server").ToString<Uint8Array<ArrayBufferLike>, string>>;
 import * as Type from './types.js';
 //# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.js"],"names":[],"mappings":"AA+CA;;;;GAIG;AACH,mCAHW,MAAM,GACJ,UAAU,CAItB;AAED;;;;GAIG;AACH,qCAHW,UAAU,GACR,MAAM,CAIlB;AApDM,wHAFI,IAAI,CAAC,qCAAqC,mFAoCpD;sBAxCqB,YAAY"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.js"],"names":[],"mappings":"AA4CA;;;;GAIG;AACH,mCAHW,MAAM,GACJ,UAAU,CAItB;AAED;;;;GAIG;AACH,qCAHW,UAAU,GACR,MAAM,CAIlB;AAnDM,4HAFI,IAAI,CAAC,qCAAqC,mFAmCpD;sBAvCqB,YAAY"}

package/dist/utils.js

@@ -1,16 +1,14 @@
 import { DID } from '@ucanto/server';
 import * as dagJSON from '@ipld/dag-json';
-import { extract } from '@ucanto/core/delegation';
 import * as Space from '@storacha/capabilities/space';
 import * as Type from './types.js';
 /**
  *
  * @param {Type.CreateDecryptWrappedInvocationOptions} param0
  */
-export const createDecryptWrappedInvocation = async ({ delegationCAR, issuer, spaceDID, resourceCID, audience, expiration, }) => {
-    const delegation = await extract(delegationCAR);
-    if (delegation.error) {
-        throw delegation.error;
+export const createDecryptWrappedInvocation = async ({ decryptDelegation, issuer, spaceDID, resourceCID, audience, expiration, }) => {
+    if (!decryptDelegation) {
+        throw new Error('Decrypt delegation is required');
     }
     const invocationOptions = {
         issuer,
@@ -20,7 +18,7 @@ export const createDecryptWrappedInvocation = async ({ delegationCAR, issuer, sp
             resource: resourceCID,
         },
         expiration: expiration,
-        proofs: [delegation.ok],
+        proofs: [decryptDelegation],
     };
     const decryptWrappedInvocation = await Space.decrypt
         .invoke(invocationOptions)

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@storacha/encrypt-upload-client",
   "type": "module",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "license": "Apache-2.0 OR MIT",
   "description": "Client for upload and download encrypted files",
   "author": "Storacha",
@@ -80,9 +80,9 @@
     "ethers": "5.7.1",
     "ipfs-unixfs-exporter": "^10.0.0",
     "multiformats": "^13.3.3",
-    "@storacha/capabilities": "^1.8.0",
-    "@storacha/client": "^1.6.0",
-    "@storacha/upload-client": "^1.3.0"
+    "@storacha/client": "^1.7.0",
+    "@storacha/upload-client": "^1.3.0",
+    "@storacha/capabilities": "^1.8.0"
   },
   "devDependencies": {
     "@lit-protocol/types": "^7.0.8",