@syncular/client-plugin-encryption 0.0.1-100

package/dist/key-sharing.d.ts

@@ -0,0 +1,124 @@
+/**
+ * Key sharing utilities for human-friendly key exchange.
+ *
+ * Supports:
+ * - BIP39 mnemonic phrases (24 words for 32-byte keys)
+ * - URL-safe encoding for QR codes
+ * - X25519 keypairs for asymmetric key wrapping
+ */
+/**
+ * Generate a cryptographically secure 32-byte symmetric key.
+ */
+export declare function generateSymmetricKey(): Uint8Array;
+/**
+ * Convert a 32-byte key to a 24-word BIP39 mnemonic phrase.
+ *
+ * The same key always produces the same words (deterministic).
+ */
+export declare function keyToMnemonic(key: Uint8Array): string;
+/**
+ * Parse a BIP39 mnemonic phrase back to key bytes.
+ *
+ * @throws If the mnemonic is invalid or has wrong word count
+ */
+export declare function normalizeMnemonicInput(phrase: string): string;
+export declare function mnemonicToKey(phrase: string): Uint8Array;
+/**
+ * Encode a key as URL-safe base64 (for QR codes).
+ */
+export declare function keyToBase64Url(key: Uint8Array): string;
+/**
+ * Decode URL-safe base64 back to key bytes.
+ */
+export declare function base64UrlToKey(encoded: string): Uint8Array;
+interface KeyPair {
+    publicKey: Uint8Array;
+    privateKey: Uint8Array;
+}
+/**
+ * Generate an X25519 keypair for key exchange.
+ *
+ * Store privateKey securely. Share publicKey freely.
+ */
+export declare function generateKeypair(): KeyPair;
+/**
+ * Convert a 32-byte public key to a 24-word mnemonic.
+ */
+export declare function publicKeyToMnemonic(publicKey: Uint8Array): string;
+/**
+ * Parse a mnemonic back to a public key.
+ */
+export declare function mnemonicToPublicKey(phrase: string): Uint8Array;
+interface WrappedKey {
+    /** Sender's ephemeral public key (32 bytes) */
+    ephemeralPublic: Uint8Array;
+    /** Encrypted symmetric key + auth tag (48 bytes) */
+    ciphertext: Uint8Array;
+}
+/**
+ * Wrap a symmetric key for a recipient using their public key.
+ *
+ * Uses X25519 ECDH + HKDF + XChaCha20-Poly1305.
+ */
+export declare function wrapKeyForRecipient(recipientPublicKey: Uint8Array, symmetricKey: Uint8Array): WrappedKey;
+/**
+ * Unwrap a key using your private key.
+ */
+export declare function unwrapKey(myPrivateKey: Uint8Array, wrapped: WrappedKey): Uint8Array;
+/**
+ * Serialize a wrapped key for storage/transmission.
+ */
+export declare function encodeWrappedKey(wrapped: WrappedKey): string;
+/**
+ * Deserialize a wrapped key.
+ */
+export declare function decodeWrappedKey(encoded: string): WrappedKey;
+interface SymmetricKeyShare {
+    type: 'symmetric';
+    key: Uint8Array;
+    kid?: string;
+}
+interface PublicKeyShare {
+    type: 'publicKey';
+    publicKey: Uint8Array;
+}
+type ParsedShare = SymmetricKeyShare | PublicKeyShare;
+/**
+ * Encode a symmetric key as a shareable URL.
+ *
+ * Format: sync://k/1/<base64url>[/<kid>]
+ */
+export declare function keyToShareUrl(key: Uint8Array, kid?: string): string;
+/**
+ * Encode a public key as a shareable URL.
+ *
+ * Format: sync://pk/1/<base64url>
+ */
+export declare function publicKeyToShareUrl(publicKey: Uint8Array): string;
+/**
+ * Parse a share URL back to typed result.
+ */
+export declare function parseShareUrl(url: string): ParsedShare;
+interface SymmetricKeyJson {
+    type: 'symmetric';
+    kid?: string;
+    k: string;
+}
+interface PublicKeyJson {
+    type: 'publicKey';
+    pk: string;
+}
+/**
+ * Encode a symmetric key as JSON.
+ */
+export declare function keyToJson(key: Uint8Array, kid?: string): SymmetricKeyJson;
+/**
+ * Encode a public key as JSON.
+ */
+export declare function publicKeyToJson(publicKey: Uint8Array): PublicKeyJson;
+/**
+ * Parse a JSON key share string.
+ */
+export declare function parseKeyShareJson(json: string): ParsedShare;
+export {};
+//# sourceMappingURL=key-sharing.d.ts.map

package/dist/key-sharing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-sharing.d.ts","sourceRoot":"","sources":["../src/key-sharing.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAqDH;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,UAAU,CAEjD;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAKrD;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAwB7D;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CASxD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAEtD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAM1D;AAMD,UAAU,OAAO;IACf,SAAS,EAAE,UAAU,CAAC;IACtB,UAAU,EAAE,UAAU,CAAC;CACxB;AAED;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,OAAO,CAIzC;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,UAAU,GAAG,MAAM,CAKjE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAE9D;AAMD,UAAU,UAAU;IAClB,+CAA+C;IAC/C,eAAe,EAAE,UAAU,CAAC;IAC5B,oDAAoD;IACpD,UAAU,EAAE,UAAU,CAAC;CACxB;AAID;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,kBAAkB,EAAE,UAAU,EAC9B,YAAY,EAAE,UAAU,GACvB,UAAU,CAuCZ;AAED;;GAEG;AACH,wBAAgB,SAAS,CACvB,YAAY,EAAE,UAAU,EACxB,OAAO,EAAE,UAAU,GAClB,UAAU,CAsCZ;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,UAAU,GAAG,MAAM,CAG5D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAW5D;AAQD,UAAU,iBAAiB;IACzB,IAAI,EAAE,WAAW,CAAC;IAClB,GAAG,EAAE,UAAU,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,UAAU,cAAc;IACtB,IAAI,EAAE,WAAW,CAAC;IAClB,SAAS,EAAE,UAAU,CAAC;CACvB;AAED,KAAK,WAAW,GAAG,iBAAiB,GAAG,cAAc,CAAC;AAEtD;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAInE;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,UAAU,GAAG,MAAM,CAGjE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAkCtD;AAMD,UAAU,gBAAgB;IACxB,IAAI,EAAE,WAAW,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,EAAE,MAAM,CAAC;CACX;AAED,UAAU,aAAa;IACrB,IAAI,EAAE,WAAW,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,gBAAgB,CAMzE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,UAAU,GAAG,aAAa,CAKpE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,CA0C3D"}

package/dist/key-sharing.js

@@ -0,0 +1,332 @@
+/**
+ * Key sharing utilities for human-friendly key exchange.
+ *
+ * Supports:
+ * - BIP39 mnemonic phrases (24 words for 32-byte keys)
+ * - URL-safe encoding for QR codes
+ * - X25519 keypairs for asymmetric key wrapping
+ */
+import { xchacha20poly1305 } from '@noble/ciphers/chacha.js';
+import { x25519 } from '@noble/curves/ed25519.js';
+import { hkdf } from '@noble/hashes/hkdf.js';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { entropyToMnemonic, mnemonicToEntropy } from '@scure/bip39';
+import { wordlist } from '@scure/bip39/wordlists/english.js';
+import { isRecord } from '@syncular/core';
+import { base64UrlToBytes, bytesToBase64Url, randomBytes, } from './crypto-utils.js';
+const WORD_SET = new Set(wordlist);
+// ============================================================================
+// Utility Functions
+// ============================================================================
+function concatBytes(...arrays) {
+    const totalLength = arrays.reduce((sum, arr) => sum + arr.length, 0);
+    const result = new Uint8Array(totalLength);
+    let offset = 0;
+    for (const arr of arrays) {
+        result.set(arr, offset);
+        offset += arr.length;
+    }
+    return result;
+}
+function isAllZero(bytes) {
+    for (let i = 0; i < bytes.length; i++) {
+        if (bytes[i] !== 0)
+            return false;
+    }
+    return true;
+}
+function validateSharedSecret(sharedSecret) {
+    // Reject all-zero shared secrets which indicate a low-order point attack.
+    // This can happen if a malicious party provides a small-order public key.
+    if (isAllZero(sharedSecret)) {
+        throw new Error('X25519 shared secret is all zeros - possible low-order point attack');
+    }
+}
+// ============================================================================
+// Symmetric Key Utilities
+// ============================================================================
+/**
+ * Generate a cryptographically secure 32-byte symmetric key.
+ */
+export function generateSymmetricKey() {
+    return randomBytes(32);
+}
+/**
+ * Convert a 32-byte key to a 24-word BIP39 mnemonic phrase.
+ *
+ * The same key always produces the same words (deterministic).
+ */
+export function keyToMnemonic(key) {
+    if (key.length !== 32) {
+        throw new Error(`Key must be 32 bytes, got ${key.length}`);
+    }
+    return entropyToMnemonic(key, wordlist);
+}
+/**
+ * Parse a BIP39 mnemonic phrase back to key bytes.
+ *
+ * @throws If the mnemonic is invalid or has wrong word count
+ */
+export function normalizeMnemonicInput(phrase) {
+    const normalized = phrase.trim().toLowerCase().replace(/\s+/g, ' ');
+    if (!normalized)
+        return normalized;
+    // Keep valid word tokens only so pasted numbered lists like
+    // "1 word 2 word ..." still recover cleanly.
+    const tokenizedWords = (normalized.match(/[a-z]+/g) ?? []).filter((word) => WORD_SET.has(word));
+    if (tokenizedWords.length === 24)
+        return tokenizedWords.join(' ');
+    if (tokenizedWords.length > 24) {
+        for (let i = 0; i <= tokenizedWords.length - 24; i++) {
+            const candidate = tokenizedWords.slice(i, i + 24).join(' ');
+            try {
+                mnemonicToEntropy(candidate, wordlist);
+                return candidate;
+            }
+            catch {
+                // Continue scanning for a valid 24-word window.
+            }
+        }
+    }
+    return normalized;
+}
+export function mnemonicToKey(phrase) {
+    const normalized = normalizeMnemonicInput(phrase);
+    const entropy = mnemonicToEntropy(normalized, wordlist);
+    if (entropy.length !== 32) {
+        throw new Error(`Expected 24-word mnemonic (32 bytes), got ${entropy.length} bytes`);
+    }
+    return entropy;
+}
+/**
+ * Encode a key as URL-safe base64 (for QR codes).
+ */
+export function keyToBase64Url(key) {
+    return bytesToBase64Url(key);
+}
+/**
+ * Decode URL-safe base64 back to key bytes.
+ */
+export function base64UrlToKey(encoded) {
+    const key = base64UrlToBytes(encoded);
+    if (key.length !== 32) {
+        throw new Error(`Invalid key length: expected 32 bytes, got ${key.length}`);
+    }
+    return key;
+}
+/**
+ * Generate an X25519 keypair for key exchange.
+ *
+ * Store privateKey securely. Share publicKey freely.
+ */
+export function generateKeypair() {
+    const privateKey = randomBytes(32);
+    const publicKey = x25519.getPublicKey(privateKey);
+    return { publicKey, privateKey };
+}
+/**
+ * Convert a 32-byte public key to a 24-word mnemonic.
+ */
+export function publicKeyToMnemonic(publicKey) {
+    if (publicKey.length !== 32) {
+        throw new Error(`Public key must be 32 bytes, got ${publicKey.length}`);
+    }
+    return entropyToMnemonic(publicKey, wordlist);
+}
+/**
+ * Parse a mnemonic back to a public key.
+ */
+export function mnemonicToPublicKey(phrase) {
+    return mnemonicToKey(phrase);
+}
+const HKDF_INFO = new TextEncoder().encode('syncular-key-wrap-v1');
+/**
+ * Wrap a symmetric key for a recipient using their public key.
+ *
+ * Uses X25519 ECDH + HKDF + XChaCha20-Poly1305.
+ */
+export function wrapKeyForRecipient(recipientPublicKey, symmetricKey) {
+    if (recipientPublicKey.length !== 32) {
+        throw new Error('Recipient public key must be 32 bytes');
+    }
+    if (symmetricKey.length !== 32) {
+        throw new Error('Symmetric key must be 32 bytes');
+    }
+    // Generate ephemeral keypair
+    const ephemeralPrivate = randomBytes(32);
+    const ephemeralPublic = x25519.getPublicKey(ephemeralPrivate);
+    // ECDH shared secret
+    const sharedSecret = x25519.getSharedSecret(ephemeralPrivate, recipientPublicKey);
+    // Reject low-order points that would result in all-zero shared secret
+    validateSharedSecret(sharedSecret);
+    // Derive wrapping key using HKDF
+    const wrappingKey = hkdf(sha256, sharedSecret, ephemeralPublic, HKDF_INFO, 32);
+    // Encrypt the symmetric key
+    const nonce = randomBytes(24);
+    const aead = xchacha20poly1305(wrappingKey, nonce);
+    const encrypted = aead.encrypt(symmetricKey);
+    // Ciphertext = nonce + encrypted (24 + 32 + 16 = 72 bytes)
+    const ciphertext = concatBytes(nonce, encrypted);
+    return { ephemeralPublic, ciphertext };
+}
+/**
+ * Unwrap a key using your private key.
+ */
+export function unwrapKey(myPrivateKey, wrapped) {
+    if (myPrivateKey.length !== 32) {
+        throw new Error('Private key must be 32 bytes');
+    }
+    if (wrapped.ephemeralPublic.length !== 32) {
+        throw new Error('Ephemeral public key must be 32 bytes');
+    }
+    if (wrapped.ciphertext.length !== 72) {
+        throw new Error('Ciphertext must be 72 bytes (nonce + encrypted key + tag)');
+    }
+    // ECDH shared secret
+    const sharedSecret = x25519.getSharedSecret(myPrivateKey, wrapped.ephemeralPublic);
+    // Reject low-order points that would result in all-zero shared secret
+    validateSharedSecret(sharedSecret);
+    // Derive wrapping key using HKDF
+    const wrappingKey = hkdf(sha256, sharedSecret, wrapped.ephemeralPublic, HKDF_INFO, 32);
+    // Extract nonce and encrypted data
+    const nonce = wrapped.ciphertext.slice(0, 24);
+    const encrypted = wrapped.ciphertext.slice(24);
+    // Decrypt
+    const aead = xchacha20poly1305(wrappingKey, nonce);
+    return aead.decrypt(encrypted);
+}
+/**
+ * Serialize a wrapped key for storage/transmission.
+ */
+export function encodeWrappedKey(wrapped) {
+    const combined = concatBytes(wrapped.ephemeralPublic, wrapped.ciphertext);
+    return bytesToBase64Url(combined);
+}
+/**
+ * Deserialize a wrapped key.
+ */
+export function decodeWrappedKey(encoded) {
+    const combined = base64UrlToBytes(encoded);
+    if (combined.length !== 104) {
+        throw new Error(`Invalid wrapped key length: expected 104 bytes, got ${combined.length}`);
+    }
+    return {
+        ephemeralPublic: combined.slice(0, 32),
+        ciphertext: combined.slice(32),
+    };
+}
+// ============================================================================
+// Share URL Format
+// ============================================================================
+const SHARE_URL_PREFIX = 'sync://';
+/**
+ * Encode a symmetric key as a shareable URL.
+ *
+ * Format: sync://k/1/<base64url>[/<kid>]
+ */
+export function keyToShareUrl(key, kid) {
+    const encoded = bytesToBase64Url(key);
+    const kidPart = kid ? `/${encodeURIComponent(kid)}` : '';
+    return `${SHARE_URL_PREFIX}k/1/${encoded}${kidPart}`;
+}
+/**
+ * Encode a public key as a shareable URL.
+ *
+ * Format: sync://pk/1/<base64url>
+ */
+export function publicKeyToShareUrl(publicKey) {
+    const encoded = bytesToBase64Url(publicKey);
+    return `${SHARE_URL_PREFIX}pk/1/${encoded}`;
+}
+/**
+ * Parse a share URL back to typed result.
+ */
+export function parseShareUrl(url) {
+    if (!url.startsWith(SHARE_URL_PREFIX)) {
+        throw new Error(`Invalid share URL: must start with ${SHARE_URL_PREFIX}`);
+    }
+    const rest = url.slice(SHARE_URL_PREFIX.length);
+    const parts = rest.split('/');
+    if (parts.length < 3) {
+        throw new Error('Invalid share URL format');
+    }
+    const [type, version, encoded, kidEncoded] = parts;
+    if (version !== '1') {
+        throw new Error(`Unsupported share URL version: ${version}`);
+    }
+    if (!encoded) {
+        throw new Error('Invalid share URL: missing encoded key data');
+    }
+    if (type === 'k') {
+        const key = base64UrlToKey(encoded);
+        const kid = kidEncoded ? decodeURIComponent(kidEncoded) : undefined;
+        return { type: 'symmetric', key, kid };
+    }
+    if (type === 'pk') {
+        const publicKey = base64UrlToKey(encoded);
+        return { type: 'publicKey', publicKey };
+    }
+    throw new Error(`Unknown share URL type: ${type}`);
+}
+/**
+ * Encode a symmetric key as JSON.
+ */
+export function keyToJson(key, kid) {
+    return {
+        type: 'symmetric',
+        ...(kid && { kid }),
+        k: bytesToBase64Url(key),
+    };
+}
+/**
+ * Encode a public key as JSON.
+ */
+export function publicKeyToJson(publicKey) {
+    return {
+        type: 'publicKey',
+        pk: bytesToBase64Url(publicKey),
+    };
+}
+/**
+ * Parse a JSON key share string.
+ */
+export function parseKeyShareJson(json) {
+    let parsedValue;
+    try {
+        parsedValue = JSON.parse(json);
+    }
+    catch {
+        throw new Error('Invalid key share JSON');
+    }
+    if (!isRecord(parsedValue)) {
+        throw new Error('Invalid key share JSON');
+    }
+    const parsedType = parsedValue.type;
+    if (parsedType === 'symmetric') {
+        const keyMaterial = parsedValue.k;
+        if (typeof keyMaterial !== 'string') {
+            throw new Error('Invalid symmetric key share JSON');
+        }
+        const kidValue = parsedValue.kid;
+        if (kidValue !== undefined && typeof kidValue !== 'string') {
+            throw new Error('Invalid symmetric key share JSON');
+        }
+        return {
+            type: 'symmetric',
+            key: base64UrlToKey(keyMaterial),
+            kid: kidValue,
+        };
+    }
+    if (parsedType === 'publicKey') {
+        const publicKeyMaterial = parsedValue.pk;
+        if (typeof publicKeyMaterial !== 'string') {
+            throw new Error('Invalid public key share JSON');
+        }
+        return {
+            type: 'publicKey',
+            publicKey: base64UrlToKey(publicKeyMaterial),
+        };
+    }
+    throw new Error(`Unknown key share type: ${String(parsedType)}`);
+}
+//# sourceMappingURL=key-sharing.js.map

package/dist/key-sharing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-sharing.js","sourceRoot":"","sources":["../src/key-sharing.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC;AAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,QAAQ,EAAE,MAAM,mCAAmC,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,WAAW,GACZ,MAAM,gBAAgB,CAAC;AAExB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;AAEnC,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,SAAS,WAAW,CAAC,GAAG,MAAoB,EAAc;IACxD,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACrE,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC;IAC3C,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACxB,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAAA,CACf;AAED,SAAS,SAAS,CAAC,KAAiB,EAAW;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACnC,CAAC;IACD,OAAO,IAAI,CAAC;AAAA,CACb;AAED,SAAS,oBAAoB,CAAC,YAAwB,EAAQ;IAC5D,0EAA0E;IAC1E,0EAA0E;IAC1E,IAAI,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;AAAA,CACF;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,oBAAoB,GAAe;IACjD,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC;AAAA,CACxB;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,GAAe,EAAU;IACrD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AAAA,CACzC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAc,EAAU;IAC7D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACpE,IAAI,CAAC,UAAU;QAAE,OAAO,UAAU,CAAC;IAEnC,4DAA4D;IAC5D,6CAA6C;IAC7C,MAAM,cAAc,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CACzE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CACnB,CAAC;IAEF,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClE,IAAI,cAAc,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,cAAc,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YACrD,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC5D,IAAI,CAAC;gBACH,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;gBACvC,OAAO,SAAS,CAAC;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,gDAAgD;YAClD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AAAA,CACnB;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAc;IACxD,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,6CAA6C,OAAO,CAAC,MAAM,QAAQ,CACpE,CAAC;IACJ,CAAC;IACD,OAAO,OAAO,CAAC;AAAA,CAChB;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,GAAe,EAAU;IACtD,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;AAAA,CAC9B;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe,EAAc;IAC1D,MAAM,GAAG,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,8CAA8C,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,GAAG,CAAC;AAAA,CACZ;AAWD;;;;GAIG;AACH,MAAM,UAAU,eAAe,GAAY;IACzC,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACnC,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IAClD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;AAAA,CAClC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAqB,EAAU;IACjE,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,oCAAoC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAAA,CAC/C;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAc;IAC9D,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC;AAAA,CAC9B;AAaD,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;AAEnE;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,kBAA8B,EAC9B,YAAwB,EACZ;IACZ,IAAI,kBAAkB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IAED,6BAA6B;IAC7B,MAAM,gBAAgB,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACzC,MAAM,eAAe,GAAG,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAE9D,qBAAqB;IACrB,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,CACzC,gBAAgB,EAChB,kBAAkB,CACnB,CAAC;IAEF,sEAAsE;IACtE,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAEnC,iCAAiC;IACjC,MAAM,WAAW,GAAG,IAAI,CACtB,MAAM,EACN,YAAY,EACZ,eAAe,EACf,SAAS,EACT,EAAE,CACH,CAAC;IAEF,4BAA4B;IAC5B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,iBAAiB,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAE7C,2DAA2D;IAC3D,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAEjD,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,CAAC;AAAA,CACxC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CACvB,YAAwB,EACxB,OAAmB,EACP;IACZ,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,OAAO,CAAC,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IAED,qBAAqB;IACrB,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,CACzC,YAAY,EACZ,OAAO,CAAC,eAAe,CACxB,CAAC;IAEF,sEAAsE;IACtE,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAEnC,iCAAiC;IACjC,MAAM,WAAW,GAAG,IAAI,CACtB,MAAM,EACN,YAAY,EACZ,OAAO,CAAC,eAAe,EACvB,SAAS,EACT,EAAE,CACH,CAAC;IAEF,mCAAmC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAE/C,UAAU;IACV,MAAM,IAAI,GAAG,iBAAiB,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAAA,CAChC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAmB,EAAU;IAC5D,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,eAAe,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAC1E,OAAO,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AAAA,CACnC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAc;IAC5D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACb,uDAAuD,QAAQ,CAAC,MAAM,EAAE,CACzE,CAAC;IACJ,CAAC;IACD,OAAO;QACL,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;QACtC,UAAU,EAAE,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;KAC/B,CAAC;AAAA,CACH;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,MAAM,gBAAgB,GAAG,SAAS,CAAC;AAenC;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,GAAe,EAAE,GAAY,EAAU;IACnE,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACzD,OAAO,GAAG,gBAAgB,OAAO,OAAO,GAAG,OAAO,EAAE,CAAC;AAAA,CACtD;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAqB,EAAU;IACjE,MAAM,OAAO,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAC5C,OAAO,GAAG,gBAAgB,QAAQ,OAAO,EAAE,CAAC;AAAA,CAC7C;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW,EAAe;IACtD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,sCAAsC,gBAAgB,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE9B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;IAEnD,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACpE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;IACzC,CAAC;IAED,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,EAAE,CAAC,CAAC;AAAA,CACpD;AAiBD;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,GAAe,EAAE,GAAY,EAAoB;IACzE,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC;QACnB,CAAC,EAAE,gBAAgB,CAAC,GAAG,CAAC;KACzB,CAAC;AAAA,CACH;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,SAAqB,EAAiB;IACpE,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,EAAE,EAAE,gBAAgB,CAAC,SAAS,CAAC;KAChC,CAAC;AAAA,CACH;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAe;IAC3D,IAAI,WAAoB,CAAC;IACzB,IAAI,CAAC;QACH,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC;IAEpC,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,WAAW,CAAC,CAAC,CAAC;QAClC,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QACD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC;QACjC,IAAI,QAAQ,KAAK,SAAS,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QACD,OAAO;YACL,IAAI,EAAE,WAAW;YACjB,GAAG,EAAE,cAAc,CAAC,WAAW,CAAC;YAChC,GAAG,EAAE,QAAQ;SACd,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;QAC/B,MAAM,iBAAiB,GAAG,WAAW,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QACD,OAAO;YACL,IAAI,EAAE,WAAW;YACjB,SAAS,EAAE,cAAc,CAAC,iBAAiB,CAAC;SAC7C,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,2BAA2B,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;AAAA,CAClE"}

package/package.json

@@ -0,0 +1,65 @@
+{
+  "name": "@syncular/client-plugin-encryption",
+  "version": "0.0.1-100",
+  "description": "End-to-end encryption plugin for the Syncular client",
+  "license": "MIT",
+  "author": "Benjamin Kniffler",
+  "homepage": "https://syncular.dev",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/syncular/syncular.git",
+    "directory": "packages/client-plugin-encryption"
+  },
+  "bugs": {
+    "url": "https://github.com/syncular/syncular/issues"
+  },
+  "keywords": [
+    "sync",
+    "offline-first",
+    "realtime",
+    "database",
+    "typescript",
+    "encryption",
+    "e2ee",
+    "security"
+  ],
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "exports": {
+    ".": {
+      "bun": "./src/index.ts",
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      }
+    }
+  },
+  "scripts": {
+    "test": "bun test --pass-with-no-tests",
+    "tsgo": "tsgo --noEmit",
+    "build": "tsgo",
+    "release": "bunx syncular-publish"
+  },
+  "dependencies": {
+    "@noble/ciphers": "^2.1.1",
+    "@noble/curves": "^2.0.1",
+    "@noble/hashes": "^2.0.1",
+    "@scure/bip39": "^2.0.1",
+    "@syncular/client": "0.0.1",
+    "@syncular/core": "0.0.1"
+  },
+  "devDependencies": {
+    "@syncular/config": "0.0.0",
+    "kysely-bun-sqlite": "^0.4.0"
+  },
+  "peerDependencies": {
+    "kysely": "^0.28.0"
+  },
+  "files": [
+    "dist",
+    "src"
+  ]
+}

package/src/__tests__/field-encryption-keys.test.ts

@@ -0,0 +1,68 @@
+import { afterEach, describe, expect, test } from 'bun:test';
+import { createStaticFieldEncryptionKeys } from '../index';
+
+const VALID_ZERO_KEY_BASE64URL = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
+
+let originalBuffer: typeof Buffer | undefined;
+let bufferOverridden = false;
+
+function disableBufferRuntime(): void {
+  originalBuffer = globalThis.Buffer;
+  Object.defineProperty(globalThis, 'Buffer', {
+    value: undefined,
+    writable: true,
+    configurable: true,
+  });
+  bufferOverridden = true;
+}
+
+function restoreBufferRuntime(): void {
+  if (!bufferOverridden) return;
+  Object.defineProperty(globalThis, 'Buffer', {
+    value: originalBuffer,
+    writable: true,
+    configurable: true,
+  });
+  bufferOverridden = false;
+}
+
+afterEach(() => {
+  restoreBufferRuntime();
+});
+
+describe('createStaticFieldEncryptionKeys', () => {
+  test('rejects malformed base64url key material in non-Buffer runtimes', async () => {
+    disableBufferRuntime();
+
+    const keys = createStaticFieldEncryptionKeys({
+      keys: { default: '@@@@' },
+    });
+
+    await expect(keys.getKey('default')).rejects.toThrow(
+      'Invalid base64url string'
+    );
+  });
+
+  test('rejects wrong-length decoded key material in non-Buffer runtimes', async () => {
+    disableBufferRuntime();
+
+    const keys = createStaticFieldEncryptionKeys({
+      keys: { default: 'QQ' },
+    });
+
+    await expect(keys.getKey('default')).rejects.toThrow(
+      'Encryption key for kid "default" must be 32 bytes (got 1)'
+    );
+  });
+
+  test('accepts valid 32-byte base64url keys in non-Buffer runtimes', async () => {
+    disableBufferRuntime();
+
+    const keys = createStaticFieldEncryptionKeys({
+      keys: { default: VALID_ZERO_KEY_BASE64URL },
+    });
+
+    const decoded = await keys.getKey('default');
+    expect(decoded.length).toBe(32);
+  });
+});