@stvor/sdk 2.4.0 → 3.0.0

package/dist/facade/crypto-session.d.ts

@@ -1,22 +1,15 @@
 /**
  * STVOR Crypto Session Manager
- * Integrates X3DH + Double Ratchet from ratchet module
+ * Uses ONLY Node.js built-in crypto module — zero external dependencies
  *
- * CRITICAL: Identity keys generated ONCE per userId
- * Currently in-memory only - keys lost on restart
- *
- * TODO: Add persistent storage (IndexedDB/Keychain)
+ * Manages identity keys (IK + SPK), ECDSA signatures,
+ * X3DH session establishment, and Double Ratchet encrypt/decrypt.
  */
+import { KeyPair } from '../ratchet/index.js';
 export interface IdentityKeys {
-    identityKeyPair: {
-        publicKey: Uint8Array;
-        privateKey: Uint8Array;
-    };
-    signedPreKeyPair: {
-        publicKey: Uint8Array;
-        privateKey: Uint8Array;
-    };
-    oneTimePreKeys: Uint8Array[];
+    identityKeyPair: KeyPair;
+    signedPreKeyPair: KeyPair;
+    signedPreKeySignature: Buffer;
 }
 export interface SerializedPublicKeys {
     identityKey: string;
@@ -24,53 +17,55 @@ export interface SerializedPublicKeys {
     signedPreKeySignature: string;
     oneTimePreKey: string;
 }
-/**
- * Manages cryptographic sessions for all peers
- */
+export interface IIdentityStore {
+    saveIdentityKeys(userId: string, keys: {
+        identityKeyPair: {
+            publicKey: string;
+            privateKey: string;
+        };
+        signedPreKeyPair: {
+            publicKey: string;
+            privateKey: string;
+        };
+        signedPreKeySignature: string;
+    }): Promise<void>;
+    loadIdentityKeys(userId: string): Promise<{
+        identityKeyPair: {
+            publicKey: string;
+            privateKey: string;
+        };
+        signedPreKeyPair: {
+            publicKey: string;
+            privateKey: string;
+        };
+        signedPreKeySignature: string;
+    } | null>;
+}
+export interface ISessionStore {
+    saveSession(userId: string, peerId: string, sessionData: Buffer): Promise<void>;
+    loadSession(userId: string, peerId: string): Promise<Buffer | null>;
+    deleteSession(userId: string, peerId: string): Promise<void>;
+    listSessions(userId: string): Promise<string[]>;
+}
 export declare class CryptoSessionManager {
     private userId;
     private identityKeys;
     private sessions;
     private initialized;
     private initPromise;
-    constructor(userId: string);
-    /**
-     * Initialize libsodium and generate identity keys
-     * RACE CONDITION SAFE: Returns same promise if called concurrently
-     */
+    private identityStore;
+    private sessionStore;
+    constructor(userId: string, identityStore?: IIdentityStore, sessionStore?: ISessionStore);
     initialize(): Promise<void>;
-    private _doInitialize;
-    /**
-     * Get serialized public keys for relay registration
-     */
+    private _doInit;
     getPublicKeys(): SerializedPublicKeys;
-    /**
-     * Establish session with peer (X3DH handshake)
-     */
-    establishSessionWithPeer(peerId: string, peerPublicKeys: SerializedPublicKeys): Promise<void>;
-    /**
-     * Encrypt message for peer using Double Ratchet
-     */
-    encryptForPeer(peerId: string, plaintext: string): Promise<{
-        ciphertext: Uint8Array;
-        header: {
-            publicKey: Uint8Array;
-            nonce: Uint8Array;
-        };
-    }>;
-    /**
-     * Decrypt message from peer using Double Ratchet
-     */
-    decryptFromPeer(peerId: string, ciphertext: Uint8Array, header: {
-        publicKey: Uint8Array;
-        nonce: Uint8Array;
-    }): Promise<string>;
-    /**
-     * Check if session exists with peer
-     */
+    establishSession(peerId: string, peerPublicKeys: SerializedPublicKeys): Promise<void>;
+    establishSessionWithPeer(peerId: string, pk: SerializedPublicKeys): Promise<void>;
     hasSession(peerId: string): boolean;
-    /**
-     * Destroy all sessions (cleanup)
-     */
-    destroy(): void;
+    encryptForPeer(peerId: string, plaintext: string): {
+        ciphertext: string;
+        header: string;
+    };
+    decryptFromPeer(peerId: string, ciphertext: string, header: string): string;
+    forceRatchet(peerId: string): Promise<void>;
 }

package/dist/facade/crypto-session.js

@@ -1,175 +1,152 @@
 /**
  * STVOR Crypto Session Manager
- * Integrates X3DH + Double Ratchet from ratchet module
+ * Uses ONLY Node.js built-in crypto module — zero external dependencies
  *
- * CRITICAL: Identity keys generated ONCE per userId
- * Currently in-memory only - keys lost on restart
- *
- * TODO: Add persistent storage (IndexedDB/Keychain)
- */
-import sodium from 'libsodium-wrappers';
-import { ensureSodiumReady } from './sodium-singleton.js';
-import { encryptMessage as ratchetEncrypt, decryptMessage as ratchetDecrypt, incrementMessageCounter, } from '../ratchet/index.js';
-/**
- * Manages cryptographic sessions for all peers
+ * Manages identity keys (IK + SPK), ECDSA signatures,
+ * X3DH session establishment, and Double Ratchet encrypt/decrypt.
  */
+import { generateKeyPair, encryptMessage as ratchetEncrypt, decryptMessage as ratchetDecrypt, establishSession as ratchetEstablishSession, serializeSession, initializeCrypto, ecSign, ecVerify, } from '../ratchet/index.js';
+/* ================================================================
+ * Helpers
+ * ================================================================ */
+function toB64(buf) { return buf.toString('base64url'); }
+function fromB64(s) { return Buffer.from(s, 'base64url'); }
+/* ================================================================
+ * CryptoSessionManager
+ * ================================================================ */
 export class CryptoSessionManager {
-    constructor(userId) {
+    constructor(userId, identityStore, sessionStore) {
         this.identityKeys = null;
         this.sessions = new Map();
         this.initialized = false;
         this.initPromise = null;
+        this.identityStore = null;
+        this.sessionStore = null;
         this.userId = userId;
+        this.identityStore = identityStore || null;
+        this.sessionStore = sessionStore || null;
     }
-    /**
-     * Initialize libsodium and generate identity keys
-     * RACE CONDITION SAFE: Returns same promise if called concurrently
-     */
+    /* ---- Initialisation ---- */
     async initialize() {
-        // Already initialized
-        if (this.initialized && this.identityKeys) {
+        if (this.initialized && this.identityKeys)
             return;
-        }
-        // Initialization in progress - return existing promise
-        if (this.initPromise) {
+        if (this.initPromise)
             return this.initPromise;
-        }
-        // Start initialization
-        this.initPromise = this._doInitialize();
+        this.initPromise = this._doInit();
         return this.initPromise;
     }
-    async _doInitialize() {
-        // Ensure libsodium ready (singleton - safe to call multiple times)
-        await ensureSodiumReady();
-        // CRITICAL: Check again after await (another call might have completed)
-        if (this.initialized && this.identityKeys) {
-            return;
-        }
-        // Generate long-term identity key pair (Ed25519 for signing)
-        const identityKeyPair = sodium.crypto_sign_keypair();
-        // Generate semi-ephemeral signed pre-key (X25519 for DH)
-        const signedPreKeyPair = sodium.crypto_kx_keypair();
-        // Generate pool of one-time pre-keys
-        const oneTimePreKeys = [];
-        for (let i = 0; i < 10; i++) {
-            const keypair = sodium.crypto_kx_keypair();
-            oneTimePreKeys.push(keypair.publicKey);
+    async _doInit() {
+        await initializeCrypto();
+        if (this.identityStore) {
+            try {
+                const stored = await this.identityStore.loadIdentityKeys(this.userId);
+                if (stored) {
+                    this.identityKeys = {
+                        identityKeyPair: {
+                            publicKey: fromB64(stored.identityKeyPair.publicKey),
+                            privateKey: fromB64(stored.identityKeyPair.privateKey),
+                        },
+                        signedPreKeyPair: {
+                            publicKey: fromB64(stored.signedPreKeyPair.publicKey),
+                            privateKey: fromB64(stored.signedPreKeyPair.privateKey),
+                        },
+                        signedPreKeySignature: fromB64(stored.signedPreKeySignature),
+                    };
+                    this.initialized = true;
+                    return;
+                }
+            }
+            catch (e) {
+                console.warn('Failed to load identity keys:', e);
+            }
         }
+        const ik = generateKeyPair();
+        const spk = generateKeyPair();
+        const sig = ecSign(spk.publicKey, ik);
         this.identityKeys = {
-            identityKeyPair: {
-                publicKey: identityKeyPair.publicKey,
-                privateKey: identityKeyPair.privateKey,
-            },
-            signedPreKeyPair: {
-                publicKey: signedPreKeyPair.publicKey,
-                privateKey: signedPreKeyPair.privateKey,
-            },
-            oneTimePreKeys,
+            identityKeyPair: ik,
+            signedPreKeyPair: spk,
+            signedPreKeySignature: sig,
         };
+        if (this.identityStore) {
+            try {
+                await this.identityStore.saveIdentityKeys(this.userId, {
+                    identityKeyPair: { publicKey: toB64(ik.publicKey), privateKey: toB64(ik.privateKey) },
+                    signedPreKeyPair: { publicKey: toB64(spk.publicKey), privateKey: toB64(spk.privateKey) },
+                    signedPreKeySignature: toB64(sig),
+                });
+            }
+            catch (e) {
+                console.warn('Failed to save identity keys:', e);
+            }
+        }
         this.initialized = true;
-        this.initPromise = null;
-        console.log(`[Crypto] Identity keys generated for ${this.userId}`);
     }
-    /**
-     * Get serialized public keys for relay registration
-     */
+    /* ---- Public keys ---- */
     getPublicKeys() {
-        if (!this.identityKeys) {
-            throw new Error('CryptoSessionManager not initialized');
-        }
-        // Sign the pre-key
-        const signedPreKeySignature = sodium.crypto_sign_detached(this.identityKeys.signedPreKeyPair.publicKey, this.identityKeys.identityKeyPair.privateKey);
+        if (!this.identityKeys)
+            throw new Error('Not initialized');
         return {
-            identityKey: sodium.to_base64(this.identityKeys.identityKeyPair.publicKey),
-            signedPreKey: sodium.to_base64(this.identityKeys.signedPreKeyPair.publicKey),
-            signedPreKeySignature: sodium.to_base64(signedPreKeySignature),
-            oneTimePreKey: sodium.to_base64(this.identityKeys.oneTimePreKeys[0] || new Uint8Array(32)),
+            identityKey: toB64(this.identityKeys.identityKeyPair.publicKey),
+            signedPreKey: toB64(this.identityKeys.signedPreKeyPair.publicKey),
+            signedPreKeySignature: toB64(this.identityKeys.signedPreKeySignature),
+            oneTimePreKey: '',
         };
     }
-    /**
-     * Establish session with peer (X3DH handshake)
-     */
-    async establishSessionWithPeer(peerId, peerPublicKeys) {
-        if (!this.identityKeys) {
-            throw new Error('CryptoSessionManager not initialized');
-        }
-        // Skip if session already exists
-        if (this.sessions.has(peerId)) {
-            return;
-        }
-        // Deserialize peer's public keys
-        const recipientIdentityKey = sodium.from_base64(peerPublicKeys.identityKey);
-        const recipientSignedPreKey = sodium.from_base64(peerPublicKeys.signedPreKey);
-        const recipientSPKSignature = sodium.from_base64(peerPublicKeys.signedPreKeySignature);
-        const recipientOneTimePreKey = sodium.from_base64(peerPublicKeys.oneTimePreKey);
-        // Verify SPK signature
-        const isValid = sodium.crypto_sign_verify_detached(recipientSPKSignature, recipientSignedPreKey, recipientIdentityKey);
-        if (!isValid) {
-            throw new Error(`Invalid SPK signature for peer ${peerId}`);
+    /* ---- Session establishment ---- */
+    async establishSession(peerId, peerPublicKeys) {
+        if (!this.identityKeys)
+            throw new Error('Not initialized');
+        const peerIK = fromB64(peerPublicKeys.identityKey);
+        const peerSPK = fromB64(peerPublicKeys.signedPreKey);
+        const peerSig = peerPublicKeys.signedPreKeySignature
+            ? fromB64(peerPublicKeys.signedPreKeySignature)
+            : Buffer.alloc(0);
+        if (peerSig.length > 0 && !ecVerify(peerSPK, peerSig, peerIK)) {
+            throw new Error('Invalid signed pre-key signature — possible MITM attack');
         }
-        // Perform X3DH to derive shared secret
-        const dh1 = sodium.crypto_scalarmult(this.identityKeys.signedPreKeyPair.privateKey, recipientSignedPreKey);
-        const dh2 = sodium.crypto_scalarmult(this.identityKeys.identityKeyPair.privateKey, recipientOneTimePreKey);
-        const dh3 = sodium.crypto_scalarmult(this.identityKeys.signedPreKeyPair.privateKey, recipientOneTimePreKey);
-        // Combine DH outputs
-        const sharedSecret = sodium.crypto_generichash(32, new Uint8Array([...dh1, ...dh2, ...dh3]));
-        // Derive root key
-        const rootKey = sodium.crypto_generichash(32, new Uint8Array([
-            ...sharedSecret,
-            ...sodium.from_string('x3dh-root-key-v1'),
-        ]));
-        // Create initial session state
-        const session = {
-            identityKey: this.identityKeys.identityKeyPair.publicKey,
-            signedPreKey: this.identityKeys.signedPreKeyPair.publicKey,
-            oneTimePreKey: this.identityKeys.oneTimePreKeys[0] || new Uint8Array(32),
-            rootKey,
-            sendingChainKey: rootKey,
-            receivingChainKey: rootKey,
-            skippedMessageKeys: new Map(),
-            isPostCompromise: false,
-        };
+        const session = ratchetEstablishSession(this.identityKeys.identityKeyPair, this.identityKeys.signedPreKeyPair, peerIK, peerSPK);
         this.sessions.set(peerId, session);
-    }
-    /**
-     * Encrypt message for peer using Double Ratchet
-     */
-    async encryptForPeer(peerId, plaintext) {
-        const session = this.sessions.get(peerId);
-        if (!session) {
-            throw new Error(`No session with peer ${peerId}`);
+        if (this.sessionStore) {
+            try {
+                await this.sessionStore.saveSession(this.userId, peerId, serializeSession(session));
+            }
+            catch (e) {
+                console.warn('Failed to save session:', e);
+            }
         }
-        // Encrypt using Double Ratchet
-        const result = ratchetEncrypt(plaintext, session);
-        // Enforce DH ratchet policy (Forward Secrecy + PCS)
-        const recipientKey = session.identityKey;
-        incrementMessageCounter(session, recipientKey);
-        return result;
     }
-    /**
-     * Decrypt message from peer using Double Ratchet
-     */
-    async decryptFromPeer(peerId, ciphertext, header) {
-        const session = this.sessions.get(peerId);
-        if (!session) {
-            throw new Error(`No session with peer ${peerId}`);
-        }
-        // Decrypt using Double Ratchet
-        const plaintext = ratchetDecrypt(ciphertext, header, session);
-        return plaintext;
+    async establishSessionWithPeer(peerId, pk) {
+        return this.establishSession(peerId, pk);
     }
-    /**
-     * Check if session exists with peer
-     */
     hasSession(peerId) {
         return this.sessions.has(peerId);
     }
-    /**
-     * Destroy all sessions (cleanup)
-     */
-    destroy() {
-        this.sessions.clear();
-        this.identityKeys = null;
-        this.initialized = false;
+    /* ---- Encrypt ---- */
+    encryptForPeer(peerId, plaintext) {
+        const session = this.sessions.get(peerId);
+        if (!session)
+            throw new Error('No session with peer');
+        const { ciphertext, header } = ratchetEncrypt(session, Buffer.from(plaintext, 'utf-8'));
+        return { ciphertext: toB64(ciphertext), header: toB64(header) };
+    }
+    /* ---- Decrypt ---- */
+    decryptFromPeer(peerId, ciphertext, header) {
+        const session = this.sessions.get(peerId);
+        if (!session)
+            throw new Error('No session with peer');
+        const pt = ratchetDecrypt(session, fromB64(ciphertext), fromB64(header));
+        return pt.toString('utf-8');
+    }
+    /* ---- Post-compromise ---- */
+    async forceRatchet(peerId) {
+        const session = this.sessions.get(peerId);
+        if (session) {
+            session.myRatchetKeyPair = generateKeyPair();
+            session.sendCount = 0;
+            session.recvCount = 0;
+            session.prevSendCount = 0;
+            session.isPostCompromise = true;
+        }
     }
 }

package/dist/facade/errors.cjs

@@ -0,0 +1,29 @@
+'use strict';
+
+// Auto-generated CommonJS wrapper for facade/errors.js
+// This allows `require('@stvor/sdk')` to work alongside ESM `import`.
+
+const mod = require('module');
+const url = require('url');
+
+// Use dynamic import to load the ESM module
+let _cached;
+async function _load() {
+  if (!_cached) {
+    _cached = await import(url.pathToFileURL(__filename.replace(/\.cjs$/, '.js')).href);
+  }
+  return _cached;
+}
+
+// For simple CJS usage, expose a promise-based loader
+module.exports = new Proxy({ load: _load }, {
+  get(target, prop) {
+    if (prop === '__esModule') return true;
+    if (prop === 'then') return undefined; // prevent treating as thenable
+    if (prop === 'load') return _load;
+    if (prop === 'default') {
+      return _load().then(m => m.default);
+    }
+    return _load().then(m => m[prop]);
+  }
+});

package/dist/facade/errors.d.ts

@@ -1,19 +1,36 @@
-export declare const Errors: {
+/**
+ * STVOR DX Facade - Error Handling
+ */
+export declare const ErrorCode: {
+    readonly AUTH_FAILED: "AUTH_FAILED";
     readonly INVALID_APP_TOKEN: "INVALID_APP_TOKEN";
-    readonly INVALID_API_KEY: "INVALID_API_KEY";
     readonly RELAY_UNAVAILABLE: "RELAY_UNAVAILABLE";
-    readonly DELIVERY_FAILED: "DELIVERY_FAILED";
     readonly RECIPIENT_NOT_FOUND: "RECIPIENT_NOT_FOUND";
     readonly RECIPIENT_TIMEOUT: "RECIPIENT_TIMEOUT";
-    readonly MESSAGE_INTEGRITY_FAILED: "MESSAGE_INTEGRITY_FAILED";
-    readonly RECEIVE_TIMEOUT: "RECEIVE_TIMEOUT";
-    readonly RECEIVE_IN_PROGRESS: "RECEIVE_IN_PROGRESS";
-    readonly NOT_CONNECTED: "NOT_CONNECTED";
+    readonly CLIENT_NOT_READY: "CLIENT_NOT_READY";
+    readonly DELIVERY_FAILED: "DELIVERY_FAILED";
+    readonly QUOTA_EXCEEDED: "QUOTA_EXCEEDED";
+    readonly RATE_LIMITED: "RATE_LIMITED";
 };
-export type ErrorCode = (typeof Errors)[keyof typeof Errors];
+export type ErrorCode = typeof ErrorCode[keyof typeof ErrorCode];
 export declare class StvorError extends Error {
-    code: ErrorCode;
-    action?: string | undefined;
-    retryable?: boolean | undefined;
-    constructor(code: ErrorCode, message: string, action?: string | undefined, retryable?: boolean | undefined);
+    code: string;
+    action?: string;
+    retryable?: boolean;
+    constructor(code: string, message: string, action?: string, retryable?: boolean);
 }
+export declare const Errors: {
+    authFailed(): StvorError;
+    invalidAppToken(): StvorError;
+    relayUnavailable(): StvorError;
+    recipientNotFound(userId: string): StvorError;
+    messageIntegrityFailed(): StvorError;
+    keystoreCorrupted(): StvorError;
+    deviceCompromised(): StvorError;
+    protocolMismatch(): StvorError;
+    recipientTimeout(userId: string, timeoutMs: number): StvorError;
+    clientNotReady(): StvorError;
+    deliveryFailed(recipientId: string): StvorError;
+    quotaExceeded: () => StvorError;
+    rateLimited: () => StvorError;
+};

package/dist/facade/errors.js

@@ -1,21 +1,62 @@
-export const Errors = {
+/**
+ * STVOR DX Facade - Error Handling
+ */
+export const ErrorCode = {
+    AUTH_FAILED: 'AUTH_FAILED',
     INVALID_APP_TOKEN: 'INVALID_APP_TOKEN',
-    INVALID_API_KEY: 'INVALID_API_KEY',
     RELAY_UNAVAILABLE: 'RELAY_UNAVAILABLE',
-    DELIVERY_FAILED: 'DELIVERY_FAILED',
     RECIPIENT_NOT_FOUND: 'RECIPIENT_NOT_FOUND',
     RECIPIENT_TIMEOUT: 'RECIPIENT_TIMEOUT',
-    MESSAGE_INTEGRITY_FAILED: 'MESSAGE_INTEGRITY_FAILED',
-    RECEIVE_TIMEOUT: 'RECEIVE_TIMEOUT',
-    RECEIVE_IN_PROGRESS: 'RECEIVE_IN_PROGRESS',
-    NOT_CONNECTED: 'NOT_CONNECTED',
+    CLIENT_NOT_READY: 'CLIENT_NOT_READY',
+    DELIVERY_FAILED: 'DELIVERY_FAILED',
+    QUOTA_EXCEEDED: 'QUOTA_EXCEEDED',
+    RATE_LIMITED: 'RATE_LIMITED',
 };
 export class StvorError extends Error {
     constructor(code, message, action, retryable) {
         super(message);
+        this.name = 'StvorError';
         this.code = code;
         this.action = action;
         this.retryable = retryable;
-        this.name = 'StvorError';
     }
 }
+export const Errors = {
+    authFailed() {
+        return new StvorError(ErrorCode.AUTH_FAILED, 'The AppToken is invalid or has been revoked.', 'Check your dashboard and regenerate a new AppToken.', false);
+    },
+    invalidAppToken() {
+        return new StvorError(ErrorCode.INVALID_APP_TOKEN, 'Invalid AppToken format. AppToken must start with "stvor_".', 'Get your AppToken from the developer dashboard.', false);
+    },
+    relayUnavailable() {
+        return new StvorError(ErrorCode.RELAY_UNAVAILABLE, 'Cannot connect to STVOR relay server.', 'Check your internet connection.', true);
+    },
+    recipientNotFound(userId) {
+        return new StvorError(ErrorCode.RECIPIENT_NOT_FOUND, `User "${userId}" not found. They may not have registered with STVOR.`, 'Ask the recipient to initialize STVOR first, or verify the userId is correct.', false);
+    },
+    messageIntegrityFailed() {
+        return new StvorError(ErrorCode.DELIVERY_FAILED, 'Message integrity check failed or decryption failed.', 'Request the message again from the sender.', false);
+    },
+    keystoreCorrupted() {
+        return new StvorError(ErrorCode.DELIVERY_FAILED, 'Local keystore error (not supported in v0.1).', 'Investigate local storage configuration.', false);
+    },
+    deviceCompromised() {
+        return new StvorError(ErrorCode.DELIVERY_FAILED, 'Device compromise detected (placeholder).', 'Investigate and revoke credentials.', false);
+    },
+    protocolMismatch() {
+        return new StvorError(ErrorCode.DELIVERY_FAILED, 'Protocol version mismatch.', 'Update the SDK to the latest version.', false);
+    },
+    recipientTimeout(userId, timeoutMs) {
+        return new StvorError(ErrorCode.RECIPIENT_TIMEOUT, `Timed out waiting for user "${userId}" after ${timeoutMs}ms. ` +
+            `The user may not have registered with STVOR yet.`, 'Ensure the recipient has called connect() and is online, or increase the timeout.', true);
+    },
+    clientNotReady() {
+        return new StvorError(ErrorCode.CLIENT_NOT_READY, 'Client is not ready. Call connect() first and await it.', 'Make sure to await app.connect() before sending messages.', false);
+    },
+    deliveryFailed(recipientId) {
+        return new StvorError(ErrorCode.DELIVERY_FAILED, `Failed to deliver message to ${recipientId}.`, 'Check that the recipient exists and try again.', true);
+    },
+    quotaExceeded: () => new StvorError(ErrorCode.QUOTA_EXCEEDED, 'Message quota exceeded for this AppToken.', 'UPGRADE_PLAN', false),
+    rateLimited: () => new StvorError(ErrorCode.RATE_LIMITED, 'Rate limit exceeded. Please try again later.', 'WAIT', true),
+    // receive()/timeout APIs are not part of SDK v0.1 facade; use onMessage().
+};

package/dist/facade/index.cjs

@@ -0,0 +1,29 @@
+'use strict';
+
+// Auto-generated CommonJS wrapper for facade/index.js
+// This allows `require('@stvor/sdk')` to work alongside ESM `import`.
+
+const mod = require('module');
+const url = require('url');
+
+// Use dynamic import to load the ESM module
+let _cached;
+async function _load() {
+  if (!_cached) {
+    _cached = await import(url.pathToFileURL(__filename.replace(/\.cjs$/, '.js')).href);
+  }
+  return _cached;
+}
+
+// For simple CJS usage, expose a promise-based loader
+module.exports = new Proxy({ load: _load }, {
+  get(target, prop) {
+    if (prop === '__esModule') return true;
+    if (prop === 'then') return undefined; // prevent treating as thenable
+    if (prop === 'load') return _load;
+    if (prop === 'default') {
+      return _load().then(m => m.default);
+    }
+    return _load().then(m => m[prop]);
+  }
+});

package/dist/facade/index.d.ts

@@ -1,8 +1,27 @@
-export * from './app.js';
-export * from './errors.js';
-export * from './types.js';
-export type { DecryptedMessage, SealedPayload } from './types.js';
-export type { StvorAppConfig, AppToken, UserId, MessageContent } from './types.js';
-export { StvorError } from './errors.js';
-export { StvorApp, StvorFacadeClient, Stvor, init, createApp } from './app.js';
-export { ErrorCode as STVOR_ERRORS } from './errors.js';
+/**
+ * STVOR DX Facade SDK
+ * High-level developer experience layer for STVOR E2E encryption
+ *
+ * Design goals:
+ * - Minimal API surface
+ * - Zero crypto knowledge required
+ * - Secure by default
+ * - Opinionated (no configuration)
+ */
+export type { DecryptedMessage, SealedPayload } from './app';
+export type { StvorAppConfig, AppToken, UserId, MessageContent } from './types';
+export type { ErrorCode } from './errors';
+export type { Metrics, SignedMetrics } from './metrics-engine';
+export { StvorError } from './errors';
+export { StvorApp, StvorFacadeClient, Stvor, init, createApp } from './app';
+export { ErrorCode as STVOR_ERRORS } from './errors';
+export { verifyMetricsSignature, MetricsEngine } from './metrics-engine';
+export { CryptoSessionManager } from './crypto-session';
+export type { IdentityKeys, SerializedPublicKeys, IIdentityStore, ISessionStore } from './crypto-session';
+export { LocalStorageIdentityStore, LocalStorageSessionStore } from './local-storage-identity-store';
+export { isReplay, validateMessage, validateMessageWithNonce, getCacheStats, cleanupExpiredNonces, initializeReplayProtection, startAutoCleanup, stopAutoCleanup, } from './replay-manager';
+export type { IReplayCache } from './replay-manager';
+export { RedisReplayCache } from './redis-replay-cache';
+export type { RedisClient, RedisReplayCacheConfig } from './redis-replay-cache';
+export { generateFingerprint, storeFingerprint, verifyFingerprint, isFingerprintTrusted, getFingerprint, revokeTrust, trustNewFingerprint, listTrustedFingerprints, getFingerprintInfo, initializeTofu, } from './tofu-manager';
+export type { ITofuStore } from './tofu-manager';