@storacha/encrypt-upload-client 1.1.61 → 1.1.63

package/dist/test/crypto-counter-security.spec.js

@@ -0,0 +1,147 @@
+import './setup.js';
+import { test, describe } from 'node:test';
+import assert from 'node:assert';
+import { GenericAesCtrStreamingCrypto } from '../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js';
+/**
+ * Security tests for AES-CTR counter management
+ *
+ * These tests verify that the block-based counter implementation prevents keystream reuse,
+ * which is critical for AES-CTR security.
+ */
+await describe('AES-CTR Counter Security', async () => {
+    await test('should increment counter by blocks, not chunks', async () => {
+        const crypto = new GenericAesCtrStreamingCrypto();
+        // Test the incrementCounter function directly
+        const baseCounter = new Uint8Array(16).fill(0);
+        // Test counter increments for block counts
+        const counter1 = crypto.incrementCounter(baseCounter, 0); // First block
+        const counter2 = crypto.incrementCounter(baseCounter, 1); // Second block
+        const counter3 = crypto.incrementCounter(baseCounter, 2); // Third block
+        const counter4 = crypto.incrementCounter(baseCounter, 7); // Eighth block
+        // Verify each counter is unique
+        assert.notDeepEqual(counter1, counter2, 'Block 1 and 2 should have different counters');
+        assert.notDeepEqual(counter2, counter3, 'Block 2 and 3 should have different counters');
+        assert.notDeepEqual(counter3, counter4, 'Block 3 and 8 should have different counters');
+        // Verify counter progression is correct
+        assert.strictEqual(counter1[15], 0, 'First counter should be 0');
+        assert.strictEqual(counter2[15], 1, 'Second counter should be 1');
+        assert.strictEqual(counter3[15], 2, 'Third counter should be 2');
+        assert.strictEqual(counter4[15], 7, 'Eighth counter should be 7');
+        console.log('Counter increments by blocks correctly');
+    });
+    await test('should handle chunk sizes correctly', async () => {
+        const crypto = new GenericAesCtrStreamingCrypto();
+        // Test different chunk sizes and verify block calculations
+        const testData = new Uint8Array(100).fill(0xaa); // 7 blocks (100 bytes = ceil(100/16) = 7)
+        const blob = new Blob([testData]);
+        const { key, iv, encryptedStream } = await crypto.encryptStream(blob);
+        // Read encrypted data
+        const reader = encryptedStream.getReader();
+        let encryptedChunks = [];
+        let done = false;
+        while (!done) {
+            const result = await reader.read();
+            done = result.done;
+            if (result.value) {
+                encryptedChunks.push(result.value);
+            }
+        }
+        // Verify we got data
+        assert(encryptedChunks.length > 0, 'Should have encrypted chunks');
+        // Decrypt to verify correctness
+        const combinedEncrypted = new Uint8Array(encryptedChunks.reduce((sum, chunk) => sum + chunk.length, 0));
+        let offset = 0;
+        for (const chunk of encryptedChunks) {
+            combinedEncrypted.set(chunk, offset);
+            offset += chunk.length;
+        }
+        const encryptedStream2 = new ReadableStream({
+            start(controller) {
+                controller.enqueue(combinedEncrypted);
+                controller.close();
+            },
+        });
+        const decryptedStream = await crypto.decryptStream(encryptedStream2, key, iv);
+        const decryptedReader = decryptedStream.getReader();
+        let decryptedChunks = [];
+        done = false;
+        while (!done) {
+            const result = await decryptedReader.read();
+            done = result.done;
+            if (result.value) {
+                decryptedChunks.push(result.value);
+            }
+        }
+        // Combine decrypted chunks
+        const combinedDecrypted = new Uint8Array(decryptedChunks.reduce((sum, chunk) => sum + chunk.length, 0));
+        offset = 0;
+        for (const chunk of decryptedChunks) {
+            combinedDecrypted.set(chunk, offset);
+            offset += chunk.length;
+        }
+        // Verify perfect round-trip
+        assert.deepStrictEqual(combinedDecrypted, testData, 'Decrypt must produce exact original data');
+        console.log('Chunk handling with block-based counters works correctly');
+    });
+    await test('should prevent keystream reuse in different chunk sizes', async () => {
+        const crypto = new GenericAesCtrStreamingCrypto();
+        // Test with different chunk sizes that would have caused reuse with old implementation
+        const testSizes = [15, 16, 17, 32, 33, 64, 65];
+        for (const size of testSizes) {
+            const testData = new Uint8Array(size).fill(0xbb);
+            const blob = new Blob([testData]);
+            const { key, iv, encryptedStream } = await crypto.encryptStream(blob);
+            // Read encrypted data
+            const reader = encryptedStream.getReader();
+            let encryptedData = new Uint8Array(0);
+            let done = false;
+            while (!done) {
+                const result = await reader.read();
+                done = result.done;
+                if (result.value) {
+                    const combined = new Uint8Array(encryptedData.length + result.value.length);
+                    combined.set(encryptedData);
+                    combined.set(result.value, encryptedData.length);
+                    encryptedData = combined;
+                }
+            }
+            // Decrypt and verify
+            const encryptedStream2 = new ReadableStream({
+                start(controller) {
+                    controller.enqueue(encryptedData);
+                    controller.close();
+                },
+            });
+            const decryptedStream = await crypto.decryptStream(encryptedStream2, key, iv);
+            const decryptedReader = decryptedStream.getReader();
+            let decryptedData = new Uint8Array(0);
+            done = false;
+            while (!done) {
+                const result = await decryptedReader.read();
+                done = result.done;
+                if (result.value) {
+                    const combined = new Uint8Array(decryptedData.length + result.value.length);
+                    combined.set(decryptedData);
+                    combined.set(result.value, decryptedData.length);
+                    decryptedData = combined;
+                }
+            }
+            assert.deepStrictEqual(decryptedData, testData, `Encryption/decryption failed for ${size}-byte chunk`);
+        }
+        console.log('No keystream reuse detected across different chunk sizes');
+    });
+    await test('should throw a clear error if Web Crypto API is not available', async () => {
+        // Save and remove globalThis.crypto
+        const originalCrypto = globalThis.crypto;
+        try {
+            // @ts-expect-error
+            delete globalThis.crypto;
+            assert.throws(() => new GenericAesCtrStreamingCrypto(), /Web Crypto API|crypto( is)? not available/i, 'Should throw if Web Crypto API is missing');
+        }
+        finally {
+            // Restore globalThis.crypto
+            globalThis.crypto = originalCrypto;
+        }
+    });
+});
+//# sourceMappingURL=crypto-counter-security.spec.js.map

package/dist/test/crypto-streaming.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=crypto-streaming.spec.d.ts.map

package/dist/test/crypto-streaming.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-streaming.spec.d.ts","sourceRoot":"","sources":["../../test/crypto-streaming.spec.js"],"names":[],"mappings":""}

package/dist/test/crypto-streaming.spec.js

@@ -0,0 +1,129 @@
+import './setup.js';
+import { test, describe } from 'node:test';
+import assert from 'node:assert';
+import { GenericAesCtrStreamingCrypto } from '../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js';
+import { createTestFile, streamToUint8Array, } from './helpers/test-file-utils.js';
+// FIXME (fforbeck) - Remove this skip when ready to run streaming crypto tests. It is failing on CI.
+await describe.skip('Streaming Crypto - Core Functionality', async () => {
+    await test('should encrypt and decrypt small files correctly', async () => {
+        const crypto = new GenericAesCtrStreamingCrypto();
+        const testFile = createTestFile(0.01); // 10KB (ultra-small for memory safety)
+        // Encrypt
+        const { key, iv, encryptedStream } = await crypto.encryptStream(testFile);
+        assert(key instanceof Uint8Array, 'Key should be Uint8Array');
+        assert.strictEqual(key.length, 32, 'Key should be 32 bytes');
+        assert(iv instanceof Uint8Array, 'IV should be Uint8Array');
+        assert.strictEqual(iv.length, 16, 'IV should be 16 bytes');
+        // Convert stream to bytes
+        const encryptedBytes = await streamToUint8Array(encryptedStream);
+        assert.strictEqual(encryptedBytes.length, testFile.size, 'Encrypted size should match original');
+        // Decrypt
+        const encryptedForDecrypt = new ReadableStream({
+            start(controller) {
+                controller.enqueue(encryptedBytes);
+                controller.close();
+            },
+        });
+        const decryptedStream = await crypto.decryptStream(encryptedForDecrypt, key, iv);
+        const decryptedBytes = await streamToUint8Array(decryptedStream);
+        // Verify round-trip
+        const originalBytes = new Uint8Array(await testFile.arrayBuffer());
+        assert.deepStrictEqual(decryptedBytes, originalBytes, 'Decrypted should match original');
+        console.log(`✓ Successfully encrypted/decrypted ${testFile.size} bytes`);
+    });
+    await test('should handle edge cases', async () => {
+        const crypto = new GenericAesCtrStreamingCrypto();
+        // Empty file
+        const emptyFile = new Blob([]);
+        const { encryptedStream: emptyEncrypted } = await crypto.encryptStream(emptyFile);
+        const emptyBytes = await streamToUint8Array(emptyEncrypted);
+        assert.strictEqual(emptyBytes.length, 0, 'Empty file should produce empty encrypted data');
+        // Single byte
+        const singleByteFile = new Blob([new Uint8Array([42])]);
+        const { key, iv, encryptedStream } = await crypto.encryptStream(singleByteFile);
+        const encryptedBytes = await streamToUint8Array(encryptedStream);
+        assert.strictEqual(encryptedBytes.length, 1, 'Single byte should produce single encrypted byte');
+        // Decrypt single byte
+        const encryptedForDecrypt = new ReadableStream({
+            start(controller) {
+                controller.enqueue(encryptedBytes);
+                controller.close();
+            },
+        });
+        const decryptedStream = await crypto.decryptStream(encryptedForDecrypt, key, iv);
+        const decryptedBytes = await streamToUint8Array(decryptedStream);
+        assert.deepStrictEqual(decryptedBytes, new Uint8Array([42]), 'Should decrypt to original byte');
+        console.log('✓ Edge cases handled correctly');
+    });
+    await test('should handle medium-sized files without issues', async () => {
+        try {
+            const crypto = new GenericAesCtrStreamingCrypto();
+            // Test with progressively larger files to show streaming works consistently
+            // Reduced sizes for CI stability while still testing streaming functionality
+            const testSizes = [0.5, 1, 2]; // MB
+            for (const sizeMB of testSizes) {
+                console.log(`Testing ${sizeMB}MB file...`);
+                const testFile = createTestFile(sizeMB);
+                const { key, iv, encryptedStream } = await crypto.encryptStream(testFile);
+                // Convert encrypted stream to bytes first
+                const encryptedBytes = await streamToUint8Array(encryptedStream);
+                // Create a new stream from the encrypted bytes for decryption
+                const encryptedForDecrypt = new ReadableStream({
+                    start(controller) {
+                        controller.enqueue(encryptedBytes);
+                        controller.close();
+                    },
+                });
+                const decryptedStream = await crypto.decryptStream(encryptedForDecrypt, key, iv);
+                const decryptedBytes = await streamToUint8Array(decryptedStream);
+                assert.strictEqual(decryptedBytes.length, sizeMB * 1024 * 1024, `Decrypted file size mismatch for ${sizeMB}MB`);
+                console.log(`✓ ${sizeMB}MB file encrypted and decrypted successfully`);
+            }
+            console.log('✓ Medium-sized files handled without issues');
+        }
+        catch (err) {
+            console.error('Test error (type):', typeof err, err && err.constructor && err.constructor.name);
+            console.error('Test error (keys):', err && Object.keys(err));
+            console.error('Test error (string):', String(err));
+            console.log(err);
+            assert.fail('Unable to test medium-sized files');
+        }
+    });
+    await test('should use proper counter arithmetic', async () => {
+        const crypto = new GenericAesCtrStreamingCrypto();
+        // Test counter increment function directly
+        const baseCounter = new Uint8Array([
+            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        ]);
+        // Increment by 1
+        const counter1 = crypto.incrementCounter(baseCounter, 1);
+        assert.deepStrictEqual(counter1, new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1]), 'Should increment last byte by 1');
+        // Increment by 255
+        const counter255 = crypto.incrementCounter(baseCounter, 255);
+        assert.deepStrictEqual(counter255, new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255]), 'Should increment last byte by 255');
+        // Increment by 256 (should carry)
+        const counter256 = crypto.incrementCounter(baseCounter, 256);
+        assert.deepStrictEqual(counter256, new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0]), 'Should carry to second-to-last byte');
+        console.log('✓ Counter arithmetic works correctly');
+    });
+    await test('should implement complete interface', async () => {
+        const crypto = new GenericAesCtrStreamingCrypto();
+        // Check all required methods exist
+        assert(typeof crypto.generateKey === 'function', 'Should have generateKey method');
+        assert(typeof crypto.encryptStream === 'function', 'Should have encryptStream method');
+        assert(typeof crypto.decryptStream === 'function', 'Should have decryptStream method');
+        assert(typeof crypto.combineKeyAndIV === 'function', 'Should have combineKeyAndIV method');
+        assert(typeof crypto.splitKeyAndIV === 'function', 'Should have splitKeyAndIV method');
+        assert(typeof crypto.incrementCounter === 'function', 'Should have incrementCounter method');
+        // Test combine/split methods
+        const key = await crypto.generateKey();
+        const iv = globalThis.crypto.getRandomValues(new Uint8Array(16));
+        const combined = crypto.combineKeyAndIV(key, iv);
+        assert.strictEqual(combined.length, 48, 'Combined should be 48 bytes (32 key + 16 IV)');
+        const { key: splitKey, iv: splitIV } = crypto.splitKeyAndIV(combined);
+        assert.deepStrictEqual(splitKey, key, 'Split key should match original');
+        assert.deepStrictEqual(splitIV, iv, 'Split IV should match original');
+        console.log('Complete interface implemented correctly');
+    });
+});
+//# sourceMappingURL=crypto-streaming.spec.js.map

package/dist/test/encrypted-metadata.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=encrypted-metadata.spec.d.ts.map

package/dist/test/encrypted-metadata.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-metadata.spec.d.ts","sourceRoot":"","sources":["../../test/encrypted-metadata.spec.js"],"names":[],"mappings":""}

package/dist/test/encrypted-metadata.spec.js

@@ -0,0 +1,68 @@
+import assert from 'node:assert';
+import { describe, it } from 'node:test';
+import * as Result from '@storacha/client/result';
+import * as Types from '../src/types.js';
+import { create, extract } from '../src/core/metadata/encrypted-metadata.js';
+import { CID } from 'multiformats';
+/** @type {Types.LitMetadataInput} */
+const encryptedMetadataInput = {
+    encryptedDataCID: 'bafkreids275u5ex6xfw7d4k67afej43c6rhm2kzdox2z6or4jxrndgevae',
+    identityBoundCiphertext: 'mF3OPa9dQ0wO4B1/XylmAV/eaHhLtM3JUPIbS175bvmqGaJUYroyDbsytV29q0cLD4XCpCRfCinntASNg9s730FIM7f4Mw2hVWeJ5g4akFA6BoZoaKgDC5Ln6MOQK5Ymb1y6No7um7Bn4uIIJTYNuUukDQvVxzY8LcRBc2ySR1Md+VSGzmyEgyvHtAI=',
+    plaintextKeyHash: '15f39e9a977cca43f16f3cd25237d711cd8130ff9763197b29df52a198607206',
+    accessControlConditions: [
+        {
+            contractAddress: '',
+            standardContractType: '',
+            chain: 'ethereum',
+            method: '',
+            parameters: [
+                ':currentActionIpfsId',
+                'did:key:z6MktfnQz8Kcz5nsC65oyXWFXhbbAZQavjg6LYuHgv4YbxzN',
+            ],
+            returnValueTest: {
+                comparator: '=',
+                value: 'QmPFrQGo5RAtdSTZ4bkaeDHVGrmy2TeEUwTu4LuVAPHiMd',
+            },
+        },
+    ],
+};
+/** @type {Types.KMSMetadata} */
+const kmsMetadataInput = {
+    encryptedDataCID: CID.parse('bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku'),
+    encryptedSymmetricKey: 'bXlLTVNLZXlCeXRlcw==', // 'myKMSKeyBytes' in base64 for example
+    space: 'did:key:z6MktfnQz8Kcz5nsC65oyXWFXhbbAZQavjg6LYuHgv4YbxzN',
+    kms: {
+        provider: 'google-kms',
+        keyId: 'test-key',
+        algorithm: 'RSA-OAEP-2048-SHA256',
+    },
+};
+await describe('LitEncrypted Metadata', async () => {
+    await it('should create a valid block content', async () => {
+        const encryptedMetadata = create('lit', encryptedMetadataInput);
+        const block = await encryptedMetadata.archiveBlock();
+        // Encode the block into a CAR file
+        const car = await import('@ucanto/core').then((m) => m.CAR.encode({ roots: [block] }));
+        // Use the extract function to get the JSON object
+        const extractedData = Result.unwrap(extract(car));
+        const extractedDataJson = extractedData.toJSON();
+        assert.equal(extractedDataJson.identityBoundCiphertext, encryptedMetadataInput.identityBoundCiphertext);
+        assert.equal(extractedDataJson.plaintextKeyHash, encryptedMetadataInput.plaintextKeyHash);
+        assert.equal(extractedDataJson.encryptedDataCID, encryptedMetadataInput.encryptedDataCID);
+        assert.deepEqual(extractedDataJson.accessControlConditions, encryptedMetadataInput.accessControlConditions);
+    });
+});
+await describe('KMS Encrypted Metadata', async () => {
+    await it('should create a valid block content', async () => {
+        const kmsMetadata = create('kms', kmsMetadataInput);
+        const block = await kmsMetadata.archiveBlock();
+        const car = await import('@ucanto/core').then((m) => m.CAR.encode({ roots: [block] }));
+        const extractedData = Result.unwrap(extract(car));
+        const extractedDataJson = extractedData.toJSON();
+        assert.equal(extractedDataJson.encryptedSymmetricKey, kmsMetadataInput.encryptedSymmetricKey);
+        assert.equal(extractedDataJson.encryptedDataCID, kmsMetadataInput.encryptedDataCID);
+        assert.equal(extractedDataJson.space, kmsMetadataInput.space);
+        assert.deepEqual(extractedDataJson.kms, kmsMetadataInput.kms);
+    });
+});
+//# sourceMappingURL=encrypted-metadata.spec.js.map

package/dist/test/factories.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=factories.spec.d.ts.map

package/dist/test/factories.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factories.spec.d.ts","sourceRoot":"","sources":["../../test/factories.spec.js"],"names":[],"mappings":""}

package/dist/test/factories.spec.js

@@ -0,0 +1,142 @@
+import './setup.js';
+import { test, describe } from 'node:test';
+import assert from 'node:assert';
+import { createGenericKMSAdapter, createGenericLitAdapter, createNodeLitAdapter, } from '../src/crypto/factories.node.js';
+import { GenericAesCtrStreamingCrypto } from '../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js';
+import { NodeAesCbcCrypto } from '../src/crypto/symmetric/node-aes-cbc-crypto.js';
+import { LitCryptoAdapter } from '../src/crypto/adapters/lit-crypto-adapter.js';
+import { KMSCryptoAdapter } from '../src/crypto/adapters/kms-crypto-adapter.js';
+// Mock Lit client for testing
+const mockLitClient = /** @type {any} */ ({
+    connect: () => Promise.resolve(),
+    disconnect: () => Promise.resolve(),
+});
+await describe('Crypto Factory Functions', async () => {
+    await describe('createBrowserLitAdapter', async () => {
+        await test('should create LitCryptoAdapter with streaming crypto', async () => {
+            const adapter = createGenericLitAdapter(mockLitClient);
+            // Verify adapter type
+            assert(adapter instanceof LitCryptoAdapter, 'Should create LitCryptoAdapter instance');
+            // Verify symmetric crypto implementation
+            assert(adapter.symmetricCrypto instanceof GenericAesCtrStreamingCrypto, 'Should use GenericAesCtrStreamingCrypto for browser environment');
+            // Verify lit client is passed through
+            assert.strictEqual(adapter.litClient, mockLitClient, 'Should pass through the lit client');
+        });
+        await test('should create adapter with required interface methods', async () => {
+            const adapter = createGenericLitAdapter(mockLitClient);
+            // Verify adapter has all required methods
+            assert(typeof adapter.encryptStream === 'function', 'Should have encryptStream method');
+            assert(typeof adapter.decryptStream === 'function', 'Should have decryptStream method');
+            assert(typeof adapter.encryptSymmetricKey === 'function', 'Should have encryptSymmetricKey method');
+            assert(typeof adapter.decryptSymmetricKey === 'function', 'Should have decryptSymmetricKey method');
+            assert(typeof adapter.extractEncryptedMetadata === 'function', 'Should have extractEncryptedMetadata method');
+            assert(typeof adapter.getEncryptedKey === 'function', 'Should have getEncryptedKey method');
+        });
+        await test('should handle null or undefined lit client gracefully', async () => {
+            // This should still create the adapter (validation happens at runtime)
+            const adapter = createGenericLitAdapter(/** @type {any} */ (null));
+            assert(adapter instanceof LitCryptoAdapter, 'Should create adapter even with null client');
+        });
+    });
+    await describe('createNodeLitAdapter', async () => {
+        await test('should create LitCryptoAdapter with Node crypto', async () => {
+            const adapter = createNodeLitAdapter(mockLitClient);
+            // Verify adapter type
+            assert(adapter instanceof LitCryptoAdapter, 'Should create LitCryptoAdapter instance');
+            // Verify symmetric crypto implementation
+            assert(adapter.symmetricCrypto instanceof NodeAesCbcCrypto, 'Should use NodeAesCbcCrypto for Node.js environment');
+            // Verify lit client is passed through
+            assert.strictEqual(adapter.litClient, mockLitClient, 'Should pass through the lit client');
+        });
+    });
+    await describe('createBrowserKMSAdapter', async () => {
+        await test('should create KMSCryptoAdapter with streaming crypto', async () => {
+            const keyManagerServiceURL = 'https://gateway.example.com';
+            const keyManagerServiceDID = 'did:web:gateway.example.com';
+            const adapter = createGenericKMSAdapter(keyManagerServiceURL, keyManagerServiceDID);
+            // Verify adapter type
+            assert(adapter instanceof KMSCryptoAdapter, 'Should create KMSCryptoAdapter instance');
+            // Verify symmetric crypto implementation
+            assert(adapter.symmetricCrypto instanceof GenericAesCtrStreamingCrypto, 'Should use GenericAesCtrStreamingCrypto for browser environment');
+            // Verify configuration is passed through
+            assert.strictEqual(adapter.keyManagerServiceURL.toString(), keyManagerServiceURL + '/', 'Should set the key manager service URL');
+            assert.strictEqual(adapter.keyManagerServiceDID.did(), keyManagerServiceDID, 'Should set the key manager service DID');
+        });
+        await test('should accept URL object for gateway URL', async () => {
+            const keyManagerServiceURL = new URL('https://gateway.example.com');
+            const keyManagerServiceDID = 'did:web:gateway.example.com';
+            const adapter = createGenericKMSAdapter(keyManagerServiceURL, keyManagerServiceDID);
+            assert(adapter instanceof KMSCryptoAdapter, 'Should create KMSCryptoAdapter with URL object');
+            assert.strictEqual(adapter.keyManagerServiceURL.toString(), keyManagerServiceURL.toString(), 'Should handle URL object input');
+        });
+        await test('should enforce HTTPS for security', async () => {
+            const httpKeyManagerServiceURL = 'http://insecure.example.com';
+            const keyManagerServiceDID = 'did:web:example.com';
+            assert.throws(() => createGenericKMSAdapter(httpKeyManagerServiceURL, keyManagerServiceDID), /Key manager service must use HTTPS protocol for security/, 'Should reject HTTP URLs for security');
+        });
+        await test('should allow HTTP with explicit insecure option', async () => {
+            // Note: The current implementation doesn't expose options in the factory
+            // but we can test this through direct adapter construction
+            const httpKeyManagerServiceURL = 'http://localhost:3000';
+            const keyManagerServiceDID = 'did:web:localhost';
+            assert.throws(() => createGenericKMSAdapter(httpKeyManagerServiceURL, keyManagerServiceDID), /Key manager service must use HTTPS protocol for security/, 'Should reject HTTP URLs even for localhost by default');
+        });
+        await test('should have all required KMS adapter methods', async () => {
+            const adapter = createGenericKMSAdapter('https://gateway.example.com', 'did:web:gateway.example.com');
+            // Verify adapter has all required methods
+            assert(typeof adapter.encryptStream === 'function', 'Should have encryptStream method');
+            assert(typeof adapter.decryptStream === 'function', 'Should have decryptStream method');
+            assert(typeof adapter.encryptSymmetricKey === 'function', 'Should have encryptSymmetricKey method');
+            assert(typeof adapter.decryptSymmetricKey === 'function', 'Should have decryptSymmetricKey method');
+        });
+    });
+    await describe('Factory Function Consistency', async () => {
+        await test('browser factories should use streaming crypto', async () => {
+            const litAdapter = createGenericLitAdapter(mockLitClient);
+            const kmsAdapter = createGenericKMSAdapter('https://gateway.example.com', 'did:web:gateway.example.com');
+            assert(litAdapter.symmetricCrypto.constructor.name ===
+                'GenericAesCtrStreamingCrypto', 'Browser Lit adapter should use streaming crypto');
+            assert(kmsAdapter.symmetricCrypto.constructor.name ===
+                'GenericAesCtrStreamingCrypto', 'Browser KMS adapter should use streaming crypto');
+        });
+        await test('node factories should use Node crypto', async () => {
+            const litAdapter = createNodeLitAdapter(mockLitClient);
+            assert(litAdapter.symmetricCrypto.constructor.name === 'NodeAesCbcCrypto', 'Node Lit adapter should use Node crypto');
+        });
+        await test('all adapters should implement the same interface', async () => {
+            const adapters = [
+                createGenericLitAdapter(mockLitClient),
+                createNodeLitAdapter(mockLitClient),
+                createGenericKMSAdapter('https://gateway.example.com', 'did:web:gateway.example.com'),
+                createGenericKMSAdapter('https://gateway.example.com', 'did:web:gateway.example.com'),
+            ];
+            const requiredMethods = [
+                'encryptStream',
+                'decryptStream',
+                'encryptSymmetricKey',
+                'decryptSymmetricKey',
+                'extractEncryptedMetadata',
+                'getEncryptedKey',
+            ];
+            for (const adapter of adapters) {
+                for (const method of requiredMethods) {
+                    assert(typeof ( /** @type {any} */(adapter)[method]) === 'function', `${adapter.constructor.name} should have ${method} method`);
+                }
+            }
+        });
+    });
+    await describe('Memory Usage Verification', async () => {
+        await test('browser adapters should use memory-efficient streaming crypto', async () => {
+            const litAdapter = createGenericLitAdapter(mockLitClient);
+            const kmsAdapter = createGenericKMSAdapter('https://gateway.example.com', 'did:web:gateway.example.com');
+            // Verify both use the streaming implementation
+            assert(litAdapter.symmetricCrypto instanceof GenericAesCtrStreamingCrypto, 'Lit adapter should use streaming crypto for memory efficiency');
+            assert(kmsAdapter.symmetricCrypto instanceof GenericAesCtrStreamingCrypto, 'KMS adapter should use streaming crypto for memory efficiency');
+            // Verify they have the streaming characteristics
+            const testBlob = new Blob([new Uint8Array(1024)]); // 1KB test
+            const litResult = await litAdapter.encryptStream(testBlob);
+            assert(litResult.encryptedStream instanceof ReadableStream, 'Should return ReadableStream for streaming');
+        });
+    });
+});
+//# sourceMappingURL=factories.spec.js.map

package/dist/test/file-metadata.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=file-metadata.spec.d.ts.map

package/dist/test/file-metadata.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-metadata.spec.d.ts","sourceRoot":"","sources":["../../test/file-metadata.spec.js"],"names":[],"mappings":""}