@storacha/encrypt-upload-client 1.1.55 → 1.1.57

package/dist/examples/decrypt-test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=decrypt-test.d.ts.map

package/dist/examples/decrypt-test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt-test.d.ts","sourceRoot":"","sources":["../../examples/decrypt-test.js"],"names":[],"mappings":""}

package/dist/examples/decrypt-test.js

@@ -0,0 +1,73 @@
+import * as fs from 'fs';
+import dotenv from 'dotenv';
+import { CID } from 'multiformats';
+import * as Client from '@storacha/client';
+import * as Signer from '@ucanto/principal/ed25519';
+import { StoreMemory } from '@storacha/client/stores/memory';
+import { create } from '../src/index.js';
+import { Wallet } from 'ethers';
+import { serviceConf, receiptsEndpoint } from '../src/config/service.js';
+import { createNodeLitAdapter } from '../src/crypto/factories.node.js';
+import { LitNodeClient } from '@lit-protocol/lit-node-client';
+import { extract } from '@ucanto/core/delegation';
+dotenv.config();
+async function main() {
+    // set up storacha client with a new agent
+    const cid = CID.parse('bafyreifhwqmspdjsy6rgcmcizgodv7bwskgiehjhdx7wukax3z5r7tz5ji');
+    const delegationCarBuffer = fs.readFileSync('delegation.car');
+    const wallet = new Wallet(process.env.WALLET_PK || '');
+    const principal = Signer.parse(process.env.DELEGATEE_AGENT_PK || '');
+    const store = new StoreMemory();
+    const client = await Client.create({
+        principal,
+        store,
+        serviceConf,
+        receiptsEndpoint,
+    });
+    // Set up Lit client
+    const litClient = new LitNodeClient({
+        litNetwork: 'datil-dev',
+    });
+    await litClient.connect();
+    const encryptedClient = await create({
+        storachaClient: client,
+        cryptoAdapter: createNodeLitAdapter(litClient),
+    });
+    const res = await extract(delegationCarBuffer);
+    if (res.error) {
+        throw new Error(`Failed to extract delegation: ${res.error.message}`);
+    }
+    const decryptDelegation = res.ok;
+    const decryptionCapability = decryptDelegation.capabilities.find((c) => c.can === 'space/content/decrypt');
+    if (!decryptionCapability) {
+        throw new Error('Failed to find decryption capability');
+    }
+    const spaceDID = /** @type {`did:key:${string}`} */ (decryptionCapability.with);
+    const decryptionConfig = {
+        wallet,
+        decryptDelegation,
+        spaceDID,
+    };
+    const decryptedContent = await encryptedClient.retrieveAndDecryptFile(cid, decryptionConfig);
+    const reader = decryptedContent.stream.getReader();
+    const decoder = new TextDecoder();
+    let result = '';
+    let done = false;
+    while (!done) {
+        const { value, done: isDone } = await reader.read();
+        done = isDone;
+        if (value) {
+            result += decoder.decode(value, { stream: true });
+        }
+    }
+    console.log('================ RESULT ===================');
+    console.log(result);
+    console.log('===========================================');
+}
+main()
+    .then(() => process.exit(0))
+    .catch((err) => {
+    console.error(err);
+    process.exit(1);
+});
+//# sourceMappingURL=decrypt-test.js.map

package/dist/examples/encrypt-test.d.ts

@@ -0,0 +1,4 @@
+/** @param {string} data Base64 encoded CAR file */
+export function parseProof(data: string): Promise<Signer.Delegation<Signer.Signer.Capabilities>>;
+import * as Signer from '@ucanto/principal/ed25519';
+//# sourceMappingURL=encrypt-test.d.ts.map

package/dist/examples/encrypt-test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt-test.d.ts","sourceRoot":"","sources":["../../examples/encrypt-test.js"],"names":[],"mappings":"AAeA,mDAAmD;AACnD,iCADY,MAAM,0DAQjB;wBAlBuB,2BAA2B"}

package/dist/examples/encrypt-test.js

@@ -0,0 +1,61 @@
+import * as fs from 'fs';
+import dotenv from 'dotenv';
+import { CarReader } from '@ipld/car';
+import * as Client from '@storacha/client';
+import { importDAG } from '@ucanto/core/delegation';
+import * as Signer from '@ucanto/principal/ed25519';
+import { StoreMemory } from '@storacha/client/stores/memory';
+import * as EncryptClient from '../src/index.js';
+import { serviceConf, receiptsEndpoint } from '../src/config/service.js';
+import { createNodeLitAdapter } from '../src/crypto/factories.node.js';
+import { LitNodeClient } from '@lit-protocol/lit-node-client';
+dotenv.config();
+/** @param {string} data Base64 encoded CAR file */
+export async function parseProof(data) {
+    const blocks = [];
+    const reader = await CarReader.fromBytes(Buffer.from(data, 'base64'));
+    for await (const block of reader.blocks()) {
+        blocks.push(block);
+    }
+    return importDAG(blocks);
+}
+async function main() {
+    // set up storacha client with a new agent
+    const principal = Signer.parse(process.env.AGENT_PK || '');
+    const store = new StoreMemory();
+    const client = await Client.create({
+        principal,
+        store,
+        serviceConf,
+        receiptsEndpoint,
+    });
+    // now give Agent the delegation from the Space
+    const proof = await parseProof(process.env.PROOF || '');
+    const space = await client.addSpace(proof);
+    await client.setCurrentSpace(space.did());
+    // Set up Lit client
+    const litClient = new LitNodeClient({
+        litNetwork: 'datil-dev',
+    });
+    await litClient.connect();
+    const encryptedClient = await EncryptClient.create({
+        storachaClient: client,
+        cryptoAdapter: createNodeLitAdapter(litClient),
+    });
+    const fileContent = await fs.promises.readFile('./README.md');
+    const blob = new Blob([fileContent]);
+    // Create encryption config
+    const encryptionConfig = {
+        issuer: principal,
+        spaceDID: space.did(),
+    };
+    const link = await encryptedClient.encryptAndUploadFile(blob, encryptionConfig);
+    console.log(link);
+}
+main()
+    .then(() => process.exit(0))
+    .catch((err) => {
+    console.error(err);
+    process.exit(1);
+});
+//# sourceMappingURL=encrypt-test.js.map

package/dist/test/cid-verification.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cid-verification.spec.d.ts.map

package/dist/test/cid-verification.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cid-verification.spec.d.ts","sourceRoot":"","sources":["../../test/cid-verification.spec.js"],"names":[],"mappings":""}

package/dist/test/cid-verification.spec.js

@@ -0,0 +1,314 @@
+import assert from 'node:assert';
+import { describe, test } from 'node:test';
+import { getCarFileFromPublicGateway } from '../src/handlers/decrypt-handler.js';
+import { createTestCar } from './helpers/test-file-utils.js';
+await describe('CID Verification', async () => {
+    await describe('getCarFileFromPublicGateway', async () => {
+        await test('should construct correct gateway URL format', async () => {
+            // This is a basic test to verify the function exists and can be called
+            // Integration tests with real network calls would test full functionality
+            const gatewayURL = new URL('https://example.com');
+            const testCID = 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq';
+            // Mock fetch to avoid network calls in unit tests
+            const originalFetch = globalThis.fetch;
+            let capturedURL = '';
+            // @ts-ignore - Mock fetch for testing
+            globalThis.fetch = async (url) => {
+                capturedURL = url.toString();
+                // Return a mock response that looks like a failed fetch
+                return {
+                    ok: false,
+                    status: 404,
+                    statusText: 'Not Found',
+                    arrayBuffer: async () => {
+                        throw new Error('Mock 404');
+                    },
+                };
+            };
+            try {
+                await getCarFileFromPublicGateway(gatewayURL, testCID);
+            }
+            catch (error) {
+                // We expect this to fail with our mock, that's fine
+            }
+            finally {
+                globalThis.fetch = originalFetch;
+            }
+            // Verify the URL was constructed correctly
+            const expectedURL = `https://example.com/ipfs/${testCID}?format=car`;
+            assert.strictEqual(capturedURL, expectedURL, 'Should construct correct gateway URL');
+        });
+        await test('should be exported and callable', async () => {
+            // Basic smoke test
+            assert.strictEqual(typeof getCarFileFromPublicGateway, 'function', 'Should be a function');
+            // Verify it requires proper parameters
+            try {
+                // @ts-ignore - intentionally testing invalid input
+                await getCarFileFromPublicGateway(null, 'test');
+                assert.fail('Should throw error for null gateway URL');
+            }
+            catch (error) {
+                // Expected to fail - good
+                assert(error instanceof Error, 'Should throw an Error');
+            }
+        });
+        await test('should validate CID format', async () => {
+            const gatewayURL = new URL('https://example.com');
+            // Mock fetch to return valid CAR response
+            const originalFetch = globalThis.fetch;
+            // @ts-ignore - Mock fetch for testing
+            globalThis.fetch = async (url) => ({
+                ok: true,
+                status: 200,
+                statusText: 'OK',
+                arrayBuffer: async () => new ArrayBuffer(100), // Mock CAR data
+            });
+            try {
+                await getCarFileFromPublicGateway(gatewayURL, 'invalid-cid');
+                assert.fail('Should throw error for invalid CID');
+            }
+            catch (error) {
+                // Expected to fail due to invalid CID format
+                assert(error instanceof Error, 'Should throw an Error for invalid CID');
+            }
+            finally {
+                globalThis.fetch = originalFetch;
+            }
+        });
+        await test('should accept valid CAR file with matching root CID', async () => {
+            const gatewayURL = new URL('https://example.com');
+            // Create a valid KMS metadata CAR file
+            const testContent = {
+                encryptedDataCID: 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq',
+                encryptedSymmetricKey: 'test-encrypted-key',
+                space: 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1',
+                kms: {
+                    provider: 'google-kms',
+                    keyId: 'test-key-id',
+                    algorithm: 'RSA-OAEP-2048-SHA256',
+                },
+            };
+            const { car, actualRootCID } = await createTestCar(testContent);
+            // Mock fetch to return the valid CAR
+            const originalFetch = globalThis.fetch;
+            // @ts-ignore - Mock fetch for testing
+            globalThis.fetch = async (url) => ({
+                ok: true,
+                status: 200,
+                statusText: 'OK',
+                arrayBuffer: async () => car.buffer,
+            });
+            try {
+                const result = await getCarFileFromPublicGateway(gatewayURL, actualRootCID.toString());
+                assert(result instanceof Uint8Array, 'Should return Uint8Array');
+                assert.deepStrictEqual(result, car, 'Should return the exact CAR file');
+            }
+            finally {
+                globalThis.fetch = originalFetch;
+            }
+        });
+        await test('should reject CAR file with wrong root CID (tampering detection)', async () => {
+            const gatewayURL = new URL('https://example.com');
+            // Create a CAR file with content A
+            const originalContent = {
+                encryptedDataCID: 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq',
+                encryptedSymmetricKey: 'original-encrypted-key',
+                space: 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1',
+                kms: {
+                    provider: 'google-kms',
+                    keyId: 'original-key-id',
+                    algorithm: 'RSA-OAEP-2048-SHA256',
+                },
+            };
+            const { actualRootCID: originalCID } = await createTestCar(originalContent);
+            // Create a different CAR file with content B
+            const tamperedContent = {
+                encryptedDataCID: 'bafkreidb6v6sjfnpnf6lqkh7p4w7zfzqfuzn2lqhp5x6zkojfuzwzlhpny',
+                encryptedSymmetricKey: 'tampered-encrypted-key',
+                space: 'did:key:z6MkMaliciousSpaceDIDThatShouldNotBeAccepted',
+                kms: {
+                    provider: 'google-kms',
+                    keyId: 'tampered-key-id',
+                    algorithm: 'RSA-OAEP-2048-SHA256',
+                },
+            };
+            const { car: tamperedCar } = await createTestCar(tamperedContent);
+            // Mock fetch to return the tampered CAR when requesting the original CID
+            const originalFetch = globalThis.fetch;
+            // @ts-ignore - Mock fetch for testing
+            globalThis.fetch = async (url) => ({
+                ok: true,
+                status: 200,
+                statusText: 'OK',
+                arrayBuffer: async () => tamperedCar.buffer, // Return wrong CAR!
+            });
+            try {
+                await getCarFileFromPublicGateway(gatewayURL, originalCID.toString());
+                assert.fail('Should throw error for CID verification failure');
+            }
+            catch (error) {
+                assert(error instanceof Error, 'Should throw an Error');
+                assert(error.message.includes('CID verification failed'), `Should mention CID verification failure. Got: ${error.message}`);
+            }
+            finally {
+                globalThis.fetch = originalFetch;
+            }
+        });
+        await test('should detect when malicious gateway serves completely different CAR', async () => {
+            const gatewayURL = new URL('https://example.com');
+            // CID we're requesting
+            const requestedCID = 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq';
+            // Create a completely different CAR file
+            const maliciousContent = {
+                encryptedDataCID: 'bafkreig6h5fimhfvj3wmlsf4fzj2d2ndqxd7qnugcgcmkn6dcqzxcq5zdu',
+                encryptedSymmetricKey: 'malicious-encrypted-key',
+                space: 'did:key:z6MkMaliciousSpaceDIDControlledByAttacker',
+                kms: {
+                    provider: 'google-kms',
+                    keyId: 'attacker-controlled-key',
+                    algorithm: 'RSA-OAEP-2048-SHA256',
+                },
+            };
+            const { car: maliciousCar } = await createTestCar(maliciousContent);
+            // Mock fetch to return the malicious CAR
+            const originalFetch = globalThis.fetch;
+            // @ts-ignore - Mock fetch for testing
+            globalThis.fetch = async (url) => ({
+                ok: true,
+                status: 200,
+                statusText: 'OK',
+                arrayBuffer: async () => maliciousCar.buffer,
+            });
+            try {
+                await getCarFileFromPublicGateway(gatewayURL, requestedCID);
+                assert.fail('Should throw error when gateway serves wrong CAR');
+            }
+            catch (error) {
+                assert(error instanceof Error, 'Should throw an Error');
+                assert(error.message.includes('CID verification failed'), `Should mention CID verification failure. Got: ${error.message}`);
+            }
+            finally {
+                globalThis.fetch = originalFetch;
+            }
+        });
+        await test('should handle network errors gracefully', async () => {
+            const gatewayURL = new URL('https://example.com');
+            const testCID = 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq';
+            // Mock fetch to return network error
+            const originalFetch = globalThis.fetch;
+            // @ts-ignore - Mock fetch for testing
+            globalThis.fetch = async (url) => ({
+                ok: false,
+                status: 500,
+                statusText: 'Internal Server Error',
+                arrayBuffer: async () => {
+                    throw new Error('Network error');
+                },
+            });
+            try {
+                await getCarFileFromPublicGateway(gatewayURL, testCID);
+                assert.fail('Should throw error for network errors');
+            }
+            catch (error) {
+                assert(error instanceof Error, 'Should throw an Error');
+                assert(error.message.includes('Failed to fetch'), `Should mention fetch failure. Got: ${error.message}`);
+            }
+            finally {
+                globalThis.fetch = originalFetch;
+            }
+        });
+    });
+    await describe('Metadata Tampering Detection', async () => {
+        await test('should prevent modification of space DID in metadata', async () => {
+            const gatewayURL = new URL('https://example.com');
+            // Original metadata with legitimate space DID
+            const originalMetadata = {
+                encryptedDataCID: 'bafkreie2hvzhqzj3ixnmjh7h3nkhdyp6qxhqltkq6qxf3wxq7hqxd6nzde',
+                encryptedSymmetricKey: 'encrypted-key-data',
+                space: 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1', // Original space
+                kms: {
+                    provider: 'google-kms',
+                    keyId: 'test-key-id',
+                    algorithm: 'RSA-OAEP-2048-SHA256',
+                },
+            };
+            // Tampered metadata with different space DID
+            const tamperedMetadata = {
+                ...originalMetadata,
+                space: 'did:key:z6MkMaliciousSpaceDIDThatShouldNotBeAccepted', // Malicious space!
+            };
+            // Create CAR files for both
+            const { actualRootCID: originalCID } = await createTestCar(originalMetadata);
+            const { car: tamperedCar } = await createTestCar(tamperedMetadata);
+            // Mock fetch to return tampered CAR when requesting original CID
+            const originalFetch = globalThis.fetch;
+            // @ts-ignore - Mock fetch for testing
+            globalThis.fetch = async (url) => ({
+                ok: true,
+                status: 200,
+                statusText: 'OK',
+                arrayBuffer: async () => tamperedCar.buffer, // Returns tampered metadata!
+            });
+            try {
+                await getCarFileFromPublicGateway(gatewayURL, originalCID.toString());
+                assert.fail('Should detect space DID tampering via CID verification');
+            }
+            catch (error) {
+                assert(error instanceof Error, 'Should throw an Error');
+                assert(error.message.includes('CID verification failed'), `Should catch tampering via CID verification. Got: ${error.message}`);
+            }
+            finally {
+                globalThis.fetch = originalFetch;
+            }
+        });
+        await test('should prevent complete metadata substitution attacks', async () => {
+            const gatewayURL = new URL('https://example.com');
+            // Original legitimate metadata
+            const originalMetadata = {
+                encryptedDataCID: 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq',
+                encryptedSymmetricKey: 'original-encrypted-key',
+                space: 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1',
+                kms: {
+                    provider: 'google-kms',
+                    keyId: 'legitimate-key-id',
+                    algorithm: 'RSA-OAEP-2048-SHA256',
+                },
+            };
+            // Completely different malicious metadata (using same CID but different content)
+            const maliciousMetadata = {
+                encryptedDataCID: 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq',
+                encryptedSymmetricKey: 'malicious-encrypted-key',
+                space: 'did:key:z6MkMaliciousSpaceDIDControlledByAttacker',
+                kms: {
+                    provider: 'google-kms',
+                    keyId: 'attacker-controlled-key',
+                    algorithm: 'RSA-OAEP-2048-SHA256',
+                },
+            };
+            // Create CAR files for both
+            const { actualRootCID: originalCID } = await createTestCar(originalMetadata);
+            const { car: maliciousCar } = await createTestCar(maliciousMetadata);
+            // Mock fetch to return completely different metadata
+            const originalFetch = globalThis.fetch;
+            // @ts-ignore - Mock fetch for testing
+            globalThis.fetch = async (url) => ({
+                ok: true,
+                status: 200,
+                statusText: 'OK',
+                arrayBuffer: async () => maliciousCar.buffer, // Complete substitution attack!
+            });
+            try {
+                await getCarFileFromPublicGateway(gatewayURL, originalCID.toString());
+                assert.fail('Should detect complete metadata substitution via CID verification');
+            }
+            catch (error) {
+                assert(error instanceof Error, 'Should throw an Error');
+                assert(error.message.includes('CID verification failed'), `Should catch complete substitution via CID verification. Got: ${error.message}`);
+            }
+            finally {
+                globalThis.fetch = originalFetch;
+            }
+        });
+    });
+});
+//# sourceMappingURL=cid-verification.spec.js.map

package/dist/test/crypto-compatibility.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=crypto-compatibility.spec.d.ts.map

package/dist/test/crypto-compatibility.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-compatibility.spec.d.ts","sourceRoot":"","sources":["../../test/crypto-compatibility.spec.js"],"names":[],"mappings":""}

package/dist/test/crypto-compatibility.spec.js

@@ -0,0 +1,124 @@
+import './setup.js';
+import { test, describe } from 'node:test';
+import assert from 'node:assert';
+import { GenericAesCtrStreamingCrypto } from '../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js';
+import { NodeAesCbcCrypto } from '../src/crypto/symmetric/node-aes-cbc-crypto.js';
+import { createTestFile, streamToUint8Array, } from './helpers/test-file-utils.js';
+/**
+ * These tests verify cross-environment compatibility and consistency of crypto implementations.
+ */
+await describe('Cross-Environment Crypto Compatibility', async () => {
+    await test('should work consistently across multiple instances', async () => {
+        const crypto1 = new GenericAesCtrStreamingCrypto();
+        const crypto2 = new GenericAesCtrStreamingCrypto();
+        const testFile = createTestFile(0.01); // 10KB test (ultra-small for memory safety)
+        console.log('Testing consistency across instances...');
+        // Use SAME key and IV for both instances
+        const sharedKey = globalThis.crypto.getRandomValues(new Uint8Array(32));
+        const sharedIV = globalThis.crypto.getRandomValues(new Uint8Array(16));
+        // Override generateKey to return our shared key
+        crypto1.generateKey = async () => sharedKey;
+        crypto2.generateKey = async () => sharedKey;
+        // Override IV generation to return our shared IV
+        const originalRandomValues = globalThis.crypto.getRandomValues;
+        let ivCallCount = 0;
+        // @ts-ignore - Overriding for test purposes
+        globalThis.crypto.getRandomValues = (array) => {
+            // @ts-ignore - TypeScript is confused about the array type
+            if (array && array.length === 16 && ivCallCount < 2) {
+                ivCallCount++;
+                // @ts-ignore - TypeScript is confused about the array type
+                array.set(sharedIV);
+                return array;
+            }
+            return originalRandomValues.call(globalThis.crypto, array);
+        };
+        try {
+            // Get encryption results from both instances
+            const result1 = await crypto1.encryptStream(testFile);
+            const result2 = await crypto2.encryptStream(testFile);
+            // Verify keys and IVs are identical
+            assert.deepStrictEqual(result1.key, result2.key, 'Keys should be identical');
+            assert.deepStrictEqual(result1.iv, result2.iv, 'IVs should be identical');
+            // Convert streams to bytes for comparison
+            const encrypted1 = await streamToUint8Array(result1.encryptedStream);
+            const encrypted2 = await streamToUint8Array(result2.encryptedStream);
+            // Verify encrypted outputs are byte-for-byte identical
+            assert.strictEqual(encrypted1.length, encrypted2.length, 'Encrypted lengths should match');
+            assert.deepStrictEqual(encrypted1, encrypted2, 'Encrypted data should be identical');
+            console.log('Multiple instances produce identical results');
+        }
+        finally {
+            // Restore original methods
+            globalThis.crypto.getRandomValues = originalRandomValues;
+        }
+    });
+    await test('should support cross-instance decrypt', async () => {
+        const crypto1 = new GenericAesCtrStreamingCrypto();
+        const crypto2 = new GenericAesCtrStreamingCrypto();
+        const testFile = createTestFile(0.01); // 10KB test (ultra-small for memory safety)
+        console.log('Testing cross-instance decryption...');
+        // Encrypt with first instance
+        const { key, iv, encryptedStream } = await crypto1.encryptStream(testFile);
+        const encryptedBytes = await streamToUint8Array(encryptedStream);
+        // Decrypt with second instance
+        const encryptedForDecrypt = new ReadableStream({
+            start(controller) {
+                controller.enqueue(encryptedBytes);
+                controller.close();
+            },
+        });
+        const decryptedStream = await crypto2.decryptStream(encryptedForDecrypt, key, iv);
+        const decryptedBytes = await streamToUint8Array(decryptedStream);
+        // Verify decrypted data matches original
+        const originalBytes = new Uint8Array(await testFile.arrayBuffer());
+        assert.deepStrictEqual(decryptedBytes, originalBytes, 'Cross-instance decryption should work');
+        console.log('Cross-instance decryption verified');
+    });
+    await test('should handle edge cases consistently', async () => {
+        const crypto = new GenericAesCtrStreamingCrypto();
+        console.log('Testing edge case consistency...');
+        // Test empty file
+        const emptyFile = new Blob([]);
+        const emptyResult = await crypto.encryptStream(emptyFile);
+        const emptyEncrypted = await streamToUint8Array(emptyResult.encryptedStream);
+        assert.strictEqual(emptyEncrypted.length, 0, 'Empty file should encrypt to 0 bytes');
+        // Test single byte file
+        const singleByteFile = new Blob([new Uint8Array([42])]);
+        const singleResult = await crypto.encryptStream(singleByteFile);
+        const singleEncrypted = await streamToUint8Array(singleResult.encryptedStream);
+        assert.strictEqual(singleEncrypted.length, 1, 'Single byte file should encrypt to 1 byte');
+        // Test round-trip of single byte
+        const singleDecryptStream = new ReadableStream({
+            start(controller) {
+                controller.enqueue(singleEncrypted);
+                controller.close();
+            },
+        });
+        const singleDecrypted = await crypto.decryptStream(singleDecryptStream, singleResult.key, singleResult.iv);
+        const singleDecryptedBytes = await streamToUint8Array(singleDecrypted);
+        assert.deepStrictEqual(singleDecryptedBytes, new Uint8Array([42]), 'Single byte round-trip should work');
+        console.log('Edge cases handled consistently');
+    });
+    await test('should demonstrate algorithm differences with NodeAesCbcCrypto', async () => {
+        const genericCrypto = new GenericAesCtrStreamingCrypto();
+        const nodeCrypto = new NodeAesCbcCrypto();
+        const testFile = createTestFile(0.01); // 10KB test (ultra-small for memory safety)
+        console.log('Testing algorithm differences...');
+        // Encrypt with both implementations
+        const genericResult = await genericCrypto.encryptStream(testFile);
+        const nodeResult = await nodeCrypto.encryptStream(testFile);
+        // Convert streams to bytes
+        const genericEncrypted = await streamToUint8Array(genericResult.encryptedStream);
+        const nodeEncrypted = await streamToUint8Array(nodeResult.encryptedStream);
+        // Verify they produce different results (different algorithms)
+        assert.notDeepEqual(genericEncrypted, nodeEncrypted, 'AES-CTR and AES-CBC should produce different results');
+        // Verify they have different key/IV formats
+        assert.strictEqual(genericResult.key.length, 32, 'Generic crypto should use 32-byte keys');
+        assert.strictEqual(genericResult.iv.length, 16, 'Generic crypto should use 16-byte IVs');
+        assert.strictEqual(nodeResult.key.length, 32, 'Node crypto should use 32-byte keys');
+        assert.strictEqual(nodeResult.iv.length, 16, 'Node crypto should use 16-byte IVs');
+        console.log('Algorithm differences confirmed - use consistent crypto for encrypt/decrypt');
+    });
+});
+//# sourceMappingURL=crypto-compatibility.spec.js.map

package/dist/test/crypto-counter-security.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=crypto-counter-security.spec.d.ts.map

package/dist/test/crypto-counter-security.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-counter-security.spec.d.ts","sourceRoot":"","sources":["../../test/crypto-counter-security.spec.js"],"names":[],"mappings":""}