@tgoliveira/vault-core 0.1.0

package/API_REFERENCE.md

@@ -0,0 +1,36 @@
+# API Reference
+
+See TypeScript exports from:
+
+- `@tgoliveira/vault-core`
+- `@tgoliveira/vault-core/browser`
+- `@tgoliveira/vault-core/testing`
+- `@tgoliveira/vault-core/react`
+
+## Core types
+
+- `VaultCryptoProfile`, `VaultCryptoVersion`
+- `EncryptedVaultPayload`, `VaultEnvelope`, `PasswordEnvelope`, `RecoveryPhraseEnvelope`, `PasskeyPrfEnvelope`
+- `RecoveryPhraseWordCount` (`12 | 24`)
+- `VaultUnlockResult<TPayload>`, `VaultCoreError`
+
+## Core functions
+
+- `createUserVaultKey()`
+- `encryptVaultPayload<T>(payload, key, scope, profile)`
+- `decryptVaultPayload<T>(encrypted, key)`
+- `createPasswordEnvelope` / `unlockWithPasswordEnvelope`
+- `createRecoveryPhrase` / `createRecoveryEnvelope` / `unlockWithRecoveryEnvelope`
+- `createPasskeyPrfEnvelope` / `unlockWithPasskeyPrfEnvelope`
+- `createRecoveryKitText(...)`
+- `assertVaultKeyAad` / `assertVaultPayloadAad`
+- `assertNoVaultPlaintextFields` / `validateNoPlaintextLeak`
+
+Deprecated aliases (`wrapVaultKeyForPassword`, etc.) remain for migration.
+
+## React entry (`@tgoliveira/vault-core/react`)
+
+- `useVaultUnlocked()`, `useVaultLockState()`
+- `useVaultSession()`, `VaultSessionProvider`
+- `resolveVaultClientStatus()`, `useVaultClientStatus()`
+- `VaultClientStatus`, `VaultServerStatusSnapshot`

package/ARCHITECTURE.md

@@ -0,0 +1,32 @@
+# Vault Core Architecture
+
+## User Vault Key (UVK)
+
+256-bit AES-GCM key generated client-side. Wrapped by envelopes; encrypts app payload JSON.
+
+## Envelopes
+
+| Method | KDF | Wraps |
+| --- | --- | --- |
+| Password | Argon2id | UVK |
+| Recovery phrase | Argon2id (BIP39 normalized phrase) | UVK |
+| Passkey PRF | PRF output → AES key | UVK |
+
+Envelope AAD field: `vault_key` with app `aadContextEnvelope`.
+
+## Encrypted payload
+
+Generic JSON encrypted under UVK. AAD field: `vault_payload` with app `aadContextVault`.
+
+Format: `enc-v1` / `AES-GCM` / `kdf-v1`.
+
+## Package layers
+
+```
+@tgoliveira/vault-core          crypto + envelopes + payload + validation
+@tgoliveira/vault-core/browser  session + auto-lock + PRF salt + kit DOM
+@tgoliveira/vault-core/testing  sentinels + scan helpers
+@tgoliveira/vault-core/react    headless React session/status hooks
+```
+
+Apps own: persistence, routes, product UI, product payload schema, WebAuthn ceremony.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Thiago Oliveira
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/MIGRATION_FROM_LIQSENSE.md

@@ -0,0 +1,42 @@
+# Migration from LiqSense
+
+## LiqSense profile (frozen)
+
+```ts
+export const LIQSENSE_VAULT_PROFILE = {
+  cryptoVersion: "vault-v1",
+  aadContextVault: "liqsense:vault:v1",
+  aadContextEnvelope: "liqsense:vault-envelope:v1",
+};
+export const LIQSENSE_PRF_SALT_PREFIX = "liqsense-passkey-prf-v1:";
+```
+
+## Import mapping
+
+| LiqSense (legacy) | vault-core |
+| --- | --- |
+| `generateUserVaultKey` | `createUserVaultKey` |
+| `wrapVaultKeyForPassword` | `createPasswordEnvelope` + profile |
+| `unwrapVaultKeyFromPassword` | `unlockWithPasswordEnvelope` |
+| `wrapVaultKeyForRecoveryPhrase` | `createRecoveryEnvelope` + profile |
+| `generateRecoveryPhrase` | `createRecoveryPhrase` |
+
+LiqSense keeps thin wrappers in `src/modules/vault/core/` binding `LIQSENSE_VAULT_PROFILE`.
+
+## Local dev
+
+```json
+"@tgoliveira/vault-core": "file:../vault-core"
+```
+
+Build vault-core first. LiqSense uses `next build --webpack` for local package resolution.
+
+## React hooks
+
+Import from `@tgoliveira/vault-core/react` (not a separate package):
+
+```ts
+import { useVaultUnlocked, resolveVaultClientStatus } from "@tgoliveira/vault-core/react";
+```
+
+The standalone `@tgoliveira/vault-react` package is deprecated.

package/PASSKEY_PRF_ENVELOPES.md

@@ -0,0 +1,9 @@
+# Passkey PRF Envelopes
+
+- Separate from account passkey login
+- App provides PRF output bytes (≥ 32 bytes) from WebAuthn ceremony
+- Package wraps UVK with PRF-derived AES key
+- API: `createPasskeyPrfEnvelope` / `unlockWithPasskeyPrfEnvelope`
+- Browser helpers: `buildPrfSaltBytes(prefix, userId)`, capability probes
+
+PRF output never sent to server. WebAuthn ceremony stays in the app.

package/PASSWORD_ENVELOPES.md

@@ -0,0 +1,7 @@
+# Password Envelopes
+
+- Vault password normalized with NFKC before Argon2id
+- Default params: memory 65536 KiB, iterations 3, parallelism 1, 32-byte hash, 16-byte salt
+- API: `createPasswordEnvelope` / `unlockWithPasswordEnvelope`
+
+Vault password never sent to server.

package/README.md

@@ -0,0 +1,78 @@
+# @tgoliveira/vault-core
+
+Framework-independent vault crypto primitives extracted from LiqSense.
+
+## Scope
+
+- User Vault Key (UVK) generation
+- AES-GCM encrypted payloads with canonical AAD
+- Argon2id password and recovery phrase envelopes
+- Passkey PRF envelope wrap/unwrap (PRF bytes only — no WebAuthn ceremony)
+- BIP39 12/24-word recovery phrases
+- No-plaintext validation helpers
+
+## Install
+
+```bash
+npm install @tgoliveira/vault-core
+```
+
+Local development with LiqSense:
+
+```json
+"@tgoliveira/vault-core": "file:../vault-core"
+```
+
+Build vault-core before consuming:
+
+```bash
+cd ../vault-core && npm run validate
+```
+
+## Quick start
+
+```ts
+import {
+  createUserVaultKey,
+  createPasswordEnvelope,
+  unlockWithPasswordEnvelope,
+  encryptVaultPayload,
+  decryptVaultPayload,
+  type VaultCryptoProfile,
+} from "@tgoliveira/vault-core";
+
+const profile: VaultCryptoProfile = {
+  cryptoVersion: "vault-v1",
+  aadContextVault: "myapp:vault:v1",
+  aadContextEnvelope: "myapp:vault-envelope:v1",
+};
+
+const userId = "00000000-0000-4000-8000-000000000001";
+const scope = { userId, resourceId: userId };
+const vaultKey = await createUserVaultKey();
+
+const { envelope } = await createPasswordEnvelope(
+  vaultKey,
+  userVaultPassword,
+  scope,
+  profile
+);
+```
+
+## Exports
+
+| Entry | Purpose |
+| --- | --- |
+| `@tgoliveira/vault-core` | Core crypto, envelopes, payload, validation |
+| `@tgoliveira/vault-core/browser` | In-memory session, auto-lock, PRF salt, recovery kit DOM helpers |
+| `@tgoliveira/vault-core/testing` | Sentinels and plaintext scan helpers |
+| `@tgoliveira/vault-core/react` | Headless React session/status hooks (optional peer: `react`) |
+
+## Boundaries
+
+- Does **not** include account authentication
+- Does **not** require React, Next.js, or product payload schemas on the default entry
+- `./react` is optional and requires `react >= 18`
+- Vault password, recovery phrase, UVK, PRF output, and decrypted payload must stay client-side
+
+See `SECURITY.md`, `ARCHITECTURE.md`, and `MIGRATION_FROM_LIQSENSE.md`.

package/RECOVERY_PHRASE.md

@@ -0,0 +1,9 @@
+# Recovery Phrase
+
+- BIP39 English wordlist via `@scure/bip39`
+- Supported lengths: **12 words** (128-bit) and **24 words** (256-bit, default)
+- Normalization: trim, lowercase, single-space separated
+- Confirmation helpers: deterministic word indices (3 for 12 words, 4 for 24)
+- Recovery kit text via `createRecoveryKitText({ productName, ... })`
+
+Recovery phrase never sent to server.

package/SECURITY.md

@@ -0,0 +1,31 @@
+# Vault Core Security Model
+
+## Separation from account auth
+
+Account login, password reset, TOTP, OAuth, and passkey **login** must not unlock the vault.
+
+Vault unlock requires a separate vault password, recovery phrase, or passkey PRF envelope.
+
+## Server must never receive
+
+- Vault password
+- Recovery phrase (plaintext)
+- User Vault Key
+- PRF output
+- Decrypted vault payload
+
+Use `assertNoVaultPlaintextFields()` on API request bodies.
+
+## Client must never persist
+
+- Decrypted vault payload in localStorage or IndexedDB
+
+Browser session helpers clear UVK on lock and `pagehide`.
+
+## Crypto constants (per app profile)
+
+Apps define `VaultCryptoProfile` with stable AAD contexts. Existing ciphertext breaks if contexts change.
+
+## Logging
+
+Never log vault secrets, request bodies containing envelopes, or decrypted payloads.

package/dist/browser.d.ts

@@ -0,0 +1,11 @@
+import { extractPasskeyPrfOutput, isPasskeySupported, isPrfExtensionSupported } from "./envelopes/passkey-prf.js";
+export declare function buildPrfSaltBytes(prefix: string, userId: string): Promise<ArrayBuffer>;
+export declare function createRecoveryKitDownload(content: string, filename: string): void;
+export declare function printRecoveryKitContent(content: string): void;
+export declare function assertNoDecryptedVaultInLocalStorage(storagePrefix: string): boolean;
+export declare function assertNoDecryptedVaultInIndexedDB(storagePrefix: string): Promise<boolean>;
+export declare function persistVaultRecordLocally(): never;
+export { extractPasskeyPrfOutput, isPasskeySupported, isPrfExtensionSupported, };
+export { configureVaultSession, subscribeVaultSession, isVaultManuallyLocked, clearVaultAutoLockTimer, scheduleVaultAutoLock, touchVaultSession, unlockVaultSession, lockVaultSession, lockVaultSessionManually, resetVaultSessionLockState, registerVaultUnloadGuard, getVaultAutoLockRemainingMs, getSessionVaultKey, setSessionVaultKey, lockVault, isVaultUnlocked, clearVaultClientState, type VaultSessionConfig, } from "./session/auto-lock.js";
+export { createRecoveryKitText, buildRecoveryKitContent } from "./recovery/kit.js";
+//# sourceMappingURL=browser.d.ts.map

package/dist/browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../src/browser.ts"],"names":[],"mappings":"AACA,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,uBAAuB,EACxB,MAAM,4BAA4B,CAAC;AAEpC,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAG5F;AAED,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CASN;AAED,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAU7D;AASD,wBAAgB,oCAAoC,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAWnF;AAED,wBAAsB,iCAAiC,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAgB/F;AAED,wBAAgB,yBAAyB,IAAI,KAAK,CAEjD;AAED,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,uBAAuB,GACxB,CAAC;AAEF,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,wBAAwB,EACxB,0BAA0B,EAC1B,wBAAwB,EACxB,2BAA2B,EAC3B,kBAAkB,EAClB,kBAAkB,EAClB,SAAS,EACT,eAAe,EACf,qBAAqB,EACrB,KAAK,kBAAkB,GACxB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/browser.js

@@ -0,0 +1,71 @@
+import { stringToBytes, toBufferSource } from "./crypto/encoding.js";
+import { extractPasskeyPrfOutput, isPasskeySupported, isPrfExtensionSupported, } from "./envelopes/passkey-prf.js";
+export async function buildPrfSaltBytes(prefix, userId) {
+    const input = toBufferSource(stringToBytes(`${prefix}${userId}`));
+    return crypto.subtle.digest("SHA-256", input);
+}
+export function createRecoveryKitDownload(content, filename) {
+    if (typeof window === "undefined")
+        return;
+    const blob = new Blob([content], { type: "text/plain;charset=utf-8" });
+    const url = URL.createObjectURL(blob);
+    const anchor = document.createElement("a");
+    anchor.href = url;
+    anchor.download = filename;
+    anchor.click();
+    URL.revokeObjectURL(url);
+}
+export function printRecoveryKitContent(content) {
+    if (typeof window === "undefined")
+        return;
+    const printWindow = window.open("", "_blank", "noopener,noreferrer,width=640,height=720");
+    if (!printWindow)
+        return;
+    printWindow.document.write(`<pre style="font-family:monospace;white-space:pre-wrap;padding:24px;">${escapeHtml(content)}</pre>`);
+    printWindow.document.close();
+    printWindow.focus();
+    printWindow.print();
+}
+function escapeHtml(value) {
+    return value
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;");
+}
+export function assertNoDecryptedVaultInLocalStorage(storagePrefix) {
+    if (typeof window === "undefined")
+        return true;
+    for (let i = 0; i < localStorage.length; i++) {
+        const key = localStorage.key(i);
+        if (!key)
+            continue;
+        if (key.startsWith(storagePrefix)) {
+            return false;
+        }
+    }
+    return true;
+}
+export async function assertNoDecryptedVaultInIndexedDB(storagePrefix) {
+    if (typeof window === "undefined" || typeof indexedDB === "undefined")
+        return true;
+    return new Promise((resolve) => {
+        const request = indexedDB.databases?.();
+        if (!request) {
+            resolve(true);
+            return;
+        }
+        void request
+            .then((databases) => {
+            const hasVaultDb = databases.some((db) => db.name?.startsWith(storagePrefix));
+            resolve(!hasVaultDb);
+        })
+            .catch(() => resolve(true));
+    });
+}
+export function persistVaultRecordLocally() {
+    throw new Error("Decrypted vault state must not be persisted to localStorage or IndexedDB");
+}
+export { extractPasskeyPrfOutput, isPasskeySupported, isPrfExtensionSupported, };
+export { configureVaultSession, subscribeVaultSession, isVaultManuallyLocked, clearVaultAutoLockTimer, scheduleVaultAutoLock, touchVaultSession, unlockVaultSession, lockVaultSession, lockVaultSessionManually, resetVaultSessionLockState, registerVaultUnloadGuard, getVaultAutoLockRemainingMs, getSessionVaultKey, setSessionVaultKey, lockVault, isVaultUnlocked, clearVaultClientState, } from "./session/auto-lock.js";
+export { createRecoveryKitText, buildRecoveryKitContent } from "./recovery/kit.js";
+//# sourceMappingURL=browser.js.map

package/dist/browser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.js","sourceRoot":"","sources":["../src/browser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACrE,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,4BAA4B,CAAC;AAEpC,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,KAAK,GAAG,cAAc,CAAC,aAAa,CAAC,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,OAAe,EACf,QAAgB;IAEhB,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO;IAC1C,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,CAAC,IAAI,GAAG,GAAG,CAAC;IAClB,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,MAAM,CAAC,KAAK,EAAE,CAAC;IACf,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO;IAC1C,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,0CAA0C,CAAC,CAAC;IAC1F,IAAI,CAAC,WAAW;QAAE,OAAO;IACzB,WAAW,CAAC,QAAQ,CAAC,KAAK,CACxB,yEAAyE,UAAU,CAAC,OAAO,CAAC,QAAQ,CACrG,CAAC;IACF,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IAC7B,WAAW,CAAC,KAAK,EAAE,CAAC;IACpB,WAAW,CAAC,KAAK,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,oCAAoC,CAAC,aAAqB;IACxE,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IAE/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,aAAqB;IAC3E,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,SAAS,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IAEnF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,CAAC;YACd,OAAO;QACT,CAAC;QACD,KAAK,OAAO;aACT,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;YAClB,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;YAC9E,OAAO,CAAC,CAAC,UAAU,CAAC,CAAC;QACvB,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;AAC9F,CAAC;AAED,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,uBAAuB,GACxB,CAAC;AAEF,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,wBAAwB,EACxB,0BAA0B,EAC1B,wBAAwB,EACxB,2BAA2B,EAC3B,kBAAkB,EAClB,kBAAkB,EAClB,SAAS,EACT,eAAe,EACf,qBAAqB,GAEtB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/constants.d.ts

@@ -0,0 +1,5 @@
+export declare const ENCRYPTION_VERSION: "enc-v1";
+export declare const ENCRYPTION_ALG: "AES-GCM";
+export declare const VAULT_CRYPTO_VERSION: "vault-v1";
+export declare const DEFAULT_VAULT_AUTO_LOCK_MINUTES = 15;
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,kBAAkB,EAAG,QAAiB,CAAC;AACpD,eAAO,MAAM,cAAc,EAAG,SAAkB,CAAC;AACjD,eAAO,MAAM,oBAAoB,EAAG,UAAmB,CAAC;AACxD,eAAO,MAAM,+BAA+B,KAAK,CAAC"}

package/dist/constants.js

@@ -0,0 +1,5 @@
+export const ENCRYPTION_VERSION = "enc-v1";
+export const ENCRYPTION_ALG = "AES-GCM";
+export const VAULT_CRYPTO_VERSION = "vault-v1";
+export const DEFAULT_VAULT_AUTO_LOCK_MINUTES = 15;
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,kBAAkB,GAAG,QAAiB,CAAC;AACpD,MAAM,CAAC,MAAM,cAAc,GAAG,SAAkB,CAAC;AACjD,MAAM,CAAC,MAAM,oBAAoB,GAAG,UAAmB,CAAC;AACxD,MAAM,CAAC,MAAM,+BAA+B,GAAG,EAAE,CAAC"}

package/dist/crypto/aad.d.ts

@@ -0,0 +1,4 @@
+import type { EncryptedVaultPayload } from "../validation/schemas.js";
+export declare function canonicalAadString(aad: EncryptedVaultPayload["aad"]): string;
+export declare function aadByteCandidates(aad: EncryptedVaultPayload["aad"]): Uint8Array[];
+//# sourceMappingURL=aad.d.ts.map

package/dist/crypto/aad.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aad.d.ts","sourceRoot":"","sources":["../../src/crypto/aad.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAGtE,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,qBAAqB,CAAC,KAAK,CAAC,GAAG,MAAM,CAO5E;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,qBAAqB,CAAC,KAAK,CAAC,GAAG,UAAU,EAAE,CAajF"}

package/dist/crypto/aad.js

@@ -0,0 +1,23 @@
+import { stringToBytes } from "./encoding.js";
+export function canonicalAadString(aad) {
+    return JSON.stringify({
+        context: aad.context,
+        field: aad.field,
+        resourceId: aad.resourceId,
+        userId: aad.userId,
+    });
+}
+export function aadByteCandidates(aad) {
+    const variants = new Set([
+        canonicalAadString(aad),
+        JSON.stringify({
+            userId: aad.userId,
+            resourceId: aad.resourceId,
+            field: aad.field,
+            context: aad.context,
+        }),
+        JSON.stringify(aad),
+    ]);
+    return Array.from(variants).map((value) => stringToBytes(value));
+}
+//# sourceMappingURL=aad.js.map

package/dist/crypto/aad.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aad.js","sourceRoot":"","sources":["../../src/crypto/aad.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,MAAM,UAAU,kBAAkB,CAAC,GAAiC;IAClE,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,MAAM,EAAE,GAAG,CAAC,MAAM;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,GAAiC;IACjE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAS;QAC/B,kBAAkB,CAAC,GAAG,CAAC;QACvB,IAAI,CAAC,SAAS,CAAC;YACb,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC;KACpB,CAAC,CAAC;IAEH,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;AACnE,CAAC"}

package/dist/crypto/aes-gcm.d.ts

@@ -0,0 +1,9 @@
+import type { VaultCryptoProfile, VaultAadScope } from "../profile.js";
+import type { EncryptedVaultPayload } from "../validation/schemas.js";
+export declare function generateAesKey(): Promise<CryptoKey>;
+export declare function importAesKey(rawKey: Uint8Array): Promise<CryptoKey>;
+export declare function exportAesKey(key: CryptoKey): Promise<Uint8Array>;
+export type EncryptFieldAad = VaultAadScope;
+export declare function encryptField(plaintext: string, key: CryptoKey, aad: EncryptFieldAad, profile: VaultCryptoProfile): Promise<EncryptedVaultPayload>;
+export declare function decryptField(payload: EncryptedVaultPayload, key: CryptoKey): Promise<string>;
+//# sourceMappingURL=aes-gcm.d.ts.map

package/dist/crypto/aes-gcm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aes-gcm.d.ts","sourceRoot":"","sources":["../../src/crypto/aes-gcm.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEvE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAYtE,wBAAsB,cAAc,IAAI,OAAO,CAAC,SAAS,CAAC,CAKzD;AAED,wBAAsB,YAAY,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAQzE;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAGtE;AAED,MAAM,MAAM,eAAe,GAAG,aAAa,CAAC;AAE5C,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,EACd,GAAG,EAAE,eAAe,EACpB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,qBAAqB,CAAC,CAyBhC;AAED,wBAAsB,YAAY,CAChC,OAAO,EAAE,qBAAqB,EAC9B,GAAG,EAAE,SAAS,GACb,OAAO,CAAC,MAAM,CAAC,CAuBjB"}

package/dist/crypto/aes-gcm.js

@@ -0,0 +1,58 @@
+import { ENCRYPTION_ALG, ENCRYPTION_VERSION } from "../constants.js";
+import { resolveAadContext } from "../profile.js";
+import { canonicalAadString, aadByteCandidates } from "./aad.js";
+import { bytesToBase64Url, base64UrlToBytes, stringToBytes, bytesToString, toBufferSource, } from "./encoding.js";
+const IV_LENGTH = 12;
+export async function generateAesKey() {
+    return crypto.subtle.generateKey({ name: ENCRYPTION_ALG, length: 256 }, true, [
+        "encrypt",
+        "decrypt",
+    ]);
+}
+export async function importAesKey(rawKey) {
+    return crypto.subtle.importKey("raw", toBufferSource(rawKey), { name: ENCRYPTION_ALG, length: 256 }, true, ["encrypt", "decrypt"]);
+}
+export async function exportAesKey(key) {
+    const raw = await crypto.subtle.exportKey("raw", key);
+    return new Uint8Array(raw);
+}
+export async function encryptField(plaintext, key, aad, profile) {
+    const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+    const aadWithContext = {
+        ...aad,
+        context: resolveAadContext(aad, profile),
+    };
+    const aadBytes = stringToBytes(canonicalAadString(aadWithContext));
+    const ciphertextBuffer = await crypto.subtle.encrypt({
+        name: ENCRYPTION_ALG,
+        iv: toBufferSource(iv),
+        additionalData: toBufferSource(aadBytes),
+    }, key, toBufferSource(stringToBytes(plaintext)));
+    return {
+        version: ENCRYPTION_VERSION,
+        alg: ENCRYPTION_ALG,
+        iv: bytesToBase64Url(iv),
+        ciphertext: bytesToBase64Url(new Uint8Array(ciphertextBuffer)),
+        aad: aadWithContext,
+    };
+}
+export async function decryptField(payload, key) {
+    const iv = base64UrlToBytes(payload.iv);
+    const ciphertext = base64UrlToBytes(payload.ciphertext);
+    let lastError;
+    for (const aadBytes of aadByteCandidates(payload.aad)) {
+        try {
+            const plaintextBuffer = await crypto.subtle.decrypt({
+                name: ENCRYPTION_ALG,
+                iv: toBufferSource(iv),
+                additionalData: toBufferSource(aadBytes),
+            }, key, toBufferSource(ciphertext));
+            return bytesToString(new Uint8Array(plaintextBuffer));
+        }
+        catch (error) {
+            lastError = error;
+        }
+    }
+    throw lastError instanceof Error ? lastError : new Error("Decryption failed");
+}
+//# sourceMappingURL=aes-gcm.js.map

package/dist/crypto/aes-gcm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aes-gcm.js","sourceRoot":"","sources":["../../src/crypto/aes-gcm.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAErE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AACjE,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,cAAc,GACf,MAAM,eAAe,CAAC;AAEvB,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE;QAC5E,SAAS;QACT,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAkB;IACnD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,cAAc,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,EAAE,EACrC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAc;IAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAID,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,GAAc,EACd,GAAoB,EACpB,OAA2B;IAE3B,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;IAC7D,MAAM,cAAc,GAAG;QACrB,GAAG,GAAG;QACN,OAAO,EAAE,iBAAiB,CAAC,GAAG,EAAE,OAAO,CAAC;KACzC,CAAC;IACF,MAAM,QAAQ,GAAG,aAAa,CAAC,kBAAkB,CAAC,cAAc,CAAC,CAAC,CAAC;IAEnE,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAClD;QACE,IAAI,EAAE,cAAc;QACpB,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;QACtB,cAAc,EAAE,cAAc,CAAC,QAAQ,CAAC;KACzC,EACD,GAAG,EACH,cAAc,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CACzC,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,kBAAkB;QAC3B,GAAG,EAAE,cAAc;QACnB,EAAE,EAAE,gBAAgB,CAAC,EAAE,CAAC;QACxB,UAAU,EAAE,gBAAgB,CAAC,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAAC;QAC9D,GAAG,EAAE,cAAc;KACpB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAA8B,EAC9B,GAAc;IAEd,MAAM,EAAE,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,IAAI,SAAkB,CAAC;IAEvB,KAAK,MAAM,QAAQ,IAAI,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CACjD;gBACE,IAAI,EAAE,cAAc;gBACpB,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;gBACtB,cAAc,EAAE,cAAc,CAAC,QAAQ,CAAC;aACzC,EACD,GAAG,EACH,cAAc,CAAC,UAAU,CAAC,CAC3B,CAAC;YACF,OAAO,aAAa,CAAC,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,SAAS,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IAED,MAAM,SAAS,YAAY,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;AAChF,CAAC"}

package/dist/crypto/encoding.d.ts

@@ -0,0 +1,6 @@
+export declare function bytesToBase64Url(bytes: Uint8Array): string;
+export declare function base64UrlToBytes(base64url: string): Uint8Array;
+export declare function stringToBytes(str: string): Uint8Array;
+export declare function toBufferSource(bytes: Uint8Array): Uint8Array<ArrayBuffer>;
+export declare function bytesToString(bytes: Uint8Array): string;
+//# sourceMappingURL=encoding.d.ts.map

package/dist/crypto/encoding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.d.ts","sourceRoot":"","sources":["../../src/crypto/encoding.ts"],"names":[],"mappings":"AAAA,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAM1D;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,UAAU,CAS9D;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAErD;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,CAAC,WAAW,CAAC,CAEzE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAEvD"}

package/dist/crypto/encoding.js

@@ -0,0 +1,27 @@
+export function bytesToBase64Url(bytes) {
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+export function base64UrlToBytes(base64url) {
+    const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+export function stringToBytes(str) {
+    return new TextEncoder().encode(str);
+}
+export function toBufferSource(bytes) {
+    return new Uint8Array(bytes);
+}
+export function bytesToString(bytes) {
+    return new TextDecoder().decode(bytes);
+}
+//# sourceMappingURL=encoding.js.map

package/dist/crypto/encoding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.js","sourceRoot":"","sources":["../../src/crypto/encoding.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,gBAAgB,CAAC,KAAiB;IAChD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAiB;IAC9C,OAAO,IAAI,UAAU,CAAC,KAAK,CAA4B,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAiB;IAC7C,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC"}

package/dist/crypto/random.d.ts

@@ -0,0 +1,2 @@
+export declare function randomBytes(length: number): Uint8Array;
+//# sourceMappingURL=random.d.ts.map

package/dist/crypto/random.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"random.d.ts","sourceRoot":"","sources":["../../src/crypto/random.ts"],"names":[],"mappings":"AAAA,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAEtD"}

package/dist/crypto/random.js

@@ -0,0 +1,4 @@
+export function randomBytes(length) {
+    return crypto.getRandomValues(new Uint8Array(length));
+}
+//# sourceMappingURL=random.js.map

package/dist/crypto/random.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"random.js","sourceRoot":"","sources":["../../src/crypto/random.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,WAAW,CAAC,MAAc;IACxC,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AACxD,CAAC"}

package/dist/crypto/serialization.d.ts

@@ -0,0 +1,3 @@
+export declare function serializeVaultPayload(payload: unknown): string;
+export declare function parseVaultPayload<T>(json: string): T;
+//# sourceMappingURL=serialization.d.ts.map

package/dist/crypto/serialization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serialization.d.ts","sourceRoot":"","sources":["../../src/crypto/serialization.ts"],"names":[],"mappings":"AAAA,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAE9D;AAED,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC,CAEpD"}

package/dist/crypto/serialization.js

@@ -0,0 +1,7 @@
+export function serializeVaultPayload(payload) {
+    return JSON.stringify(payload);
+}
+export function parseVaultPayload(json) {
+    return JSON.parse(json);
+}
+//# sourceMappingURL=serialization.js.map

package/dist/crypto/serialization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serialization.js","sourceRoot":"","sources":["../../src/crypto/serialization.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAI,IAAY;IAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;AAC/B,CAAC"}

package/dist/envelopes/passkey-prf.d.ts

@@ -0,0 +1,21 @@
+import type { EncryptedVaultPayload, PasskeyPrfEnvelope } from "../validation/schemas.js";
+import type { VaultCryptoProfile, VaultAadScope } from "../profile.js";
+export declare function isPasskeySupported(): boolean;
+export declare function isPrfExtensionSupported(): boolean;
+export declare function extractPasskeyPrfOutput(clientExtensionResults: Record<string, unknown>): Uint8Array | null;
+type WrapScope = Pick<VaultAadScope, "userId" | "resourceId">;
+export declare function createPasskeyPrfEnvelope(vaultKey: CryptoKey, prfOutput: Uint8Array, scope: WrapScope, profile: VaultCryptoProfile, publicMetadata?: Record<string, unknown>): Promise<PasskeyPrfEnvelope>;
+export declare function unwrapVaultKeyFromPasskey(encryptedVaultKey: EncryptedVaultPayload, prfOutput: Uint8Array): Promise<CryptoKey>;
+export declare function unlockWithPasskeyPrfEnvelope(envelope: PasskeyPrfEnvelope | {
+    encryptedVaultKey: EncryptedVaultPayload;
+}, prfOutput: Uint8Array | null, options?: {
+    prfRequired?: boolean;
+}): Promise<CryptoKey>;
+/** @deprecated Use unlockWithPasskeyPrfEnvelope */
+export declare function unlockVaultFromPasskeyEnvelope(encryptedVaultKeyOrEnvelope: EncryptedVaultPayload | PasskeyPrfEnvelope, prfOutput: Uint8Array | null, options?: {
+    prfRequired?: boolean;
+}): Promise<CryptoKey>;
+/** @deprecated Use createPasskeyPrfEnvelope */
+export declare function wrapVaultKeyForPasskey(vaultKey: CryptoKey, prfOutput: Uint8Array, userId: string, resourceId: string, profile: VaultCryptoProfile, publicMetadata?: Record<string, unknown>): Promise<EncryptedVaultPayload>;
+export { PasskeyPrfRequiredError, PasskeyUnlockError } from "../errors/vault-errors.js";
+//# sourceMappingURL=passkey-prf.d.ts.map

package/dist/envelopes/passkey-prf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passkey-prf.d.ts","sourceRoot":"","sources":["../../src/envelopes/passkey-prf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC1F,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAavE,wBAAgB,kBAAkB,IAAI,OAAO,CAG5C;AAED,wBAAgB,uBAAuB,IAAI,OAAO,CAIjD;AAED,wBAAgB,uBAAuB,CACrC,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9C,UAAU,GAAG,IAAI,CAKnB;AAaD,KAAK,SAAS,GAAG,IAAI,CAAC,aAAa,EAAE,QAAQ,GAAG,YAAY,CAAC,CAAC;AAE9D,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,SAAS,EACnB,SAAS,EAAE,UAAU,EACrB,KAAK,EAAE,SAAS,EAChB,OAAO,EAAE,kBAAkB,EAC3B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACvC,OAAO,CAAC,kBAAkB,CAAC,CAqB7B;AAED,wBAAsB,yBAAyB,CAC7C,iBAAiB,EAAE,qBAAqB,EACxC,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,SAAS,CAAC,CAOpB;AAED,wBAAsB,4BAA4B,CAChD,QAAQ,EAAE,kBAAkB,GAAG;IAAE,iBAAiB,EAAE,qBAAqB,CAAA;CAAE,EAC3E,SAAS,EAAE,UAAU,GAAG,IAAI,EAC5B,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAA;CAAE,GAClC,OAAO,CAAC,SAAS,CAAC,CAsBpB;AAED,mDAAmD;AACnD,wBAAsB,8BAA8B,CAClD,2BAA2B,EAAE,qBAAqB,GAAG,kBAAkB,EACvE,SAAS,EAAE,UAAU,GAAG,IAAI,EAC5B,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAA;CAAE,GAClC,OAAO,CAAC,SAAS,CAAC,CAMpB;AAED,+CAA+C;AAC/C,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,SAAS,EACnB,SAAS,EAAE,UAAU,EACrB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,kBAAkB,EAC3B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACvC,OAAO,CAAC,qBAAqB,CAAC,CAShC;AAED,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC"}