@tgoliveira/vault-core 0.1.0

package/dist/testing/no-plaintext.js

@@ -0,0 +1,2 @@
+export * from "../validation/plaintext-reject.js";
+//# sourceMappingURL=no-plaintext.js.map

package/dist/testing/no-plaintext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-plaintext.js","sourceRoot":"","sources":["../../src/testing/no-plaintext.ts"],"names":[],"mappings":"AAAA,cAAc,mCAAmC,CAAC"}

package/dist/testing.d.ts

@@ -0,0 +1,2 @@
+export * from "./validation/plaintext-reject.js";
+//# sourceMappingURL=testing.d.ts.map

package/dist/testing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testing.d.ts","sourceRoot":"","sources":["../src/testing.ts"],"names":[],"mappings":"AAAA,cAAc,kCAAkC,CAAC"}

package/dist/testing.js

@@ -0,0 +1,2 @@
+export * from "./validation/plaintext-reject.js";
+//# sourceMappingURL=testing.js.map

package/dist/testing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"testing.js","sourceRoot":"","sources":["../src/testing.ts"],"names":[],"mappings":"AAAA,cAAc,kCAAkC,CAAC"}

package/dist/validation/aad-assert.d.ts

@@ -0,0 +1,5 @@
+import type { EncryptedVaultPayload } from "./schemas.js";
+import type { VaultCryptoProfile } from "../profile.js";
+export declare function assertVaultKeyAad(userId: string, payload: EncryptedVaultPayload, profile: VaultCryptoProfile): void;
+export declare function assertVaultPayloadAad(userId: string, payload: EncryptedVaultPayload, profile: VaultCryptoProfile): void;
+//# sourceMappingURL=aad-assert.d.ts.map

package/dist/validation/aad-assert.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aad-assert.d.ts","sourceRoot":"","sources":["../../src/validation/aad-assert.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAExD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,qBAAqB,EAC9B,OAAO,EAAE,kBAAkB,GAC1B,IAAI,CAaN;AAED,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,qBAAqB,EAC9B,OAAO,EAAE,kBAAkB,GAC1B,IAAI,CAaN"}

package/dist/validation/aad-assert.js

@@ -0,0 +1,29 @@
+export function assertVaultKeyAad(userId, payload, profile) {
+    if (payload.aad.userId !== userId) {
+        throw new Error("Vault key AAD userId mismatch");
+    }
+    if (payload.aad.resourceId !== userId) {
+        throw new Error("Vault key AAD resourceId mismatch");
+    }
+    if (payload.aad.field !== "vault_key") {
+        throw new Error("Vault key AAD field mismatch");
+    }
+    if (payload.aad.context && payload.aad.context !== profile.aadContextEnvelope) {
+        throw new Error("Vault key AAD context mismatch");
+    }
+}
+export function assertVaultPayloadAad(userId, payload, profile) {
+    if (payload.aad.userId !== userId) {
+        throw new Error("Vault payload AAD userId mismatch");
+    }
+    if (payload.aad.resourceId !== userId) {
+        throw new Error("Vault payload AAD resourceId mismatch");
+    }
+    if (payload.aad.field !== "vault_payload") {
+        throw new Error("Vault payload AAD field mismatch");
+    }
+    if (payload.aad.context && payload.aad.context !== profile.aadContextVault) {
+        throw new Error("Vault payload AAD context mismatch");
+    }
+}
+//# sourceMappingURL=aad-assert.js.map

package/dist/validation/aad-assert.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aad-assert.js","sourceRoot":"","sources":["../../src/validation/aad-assert.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,iBAAiB,CAC/B,MAAc,EACd,OAA8B,EAC9B,OAA2B;IAE3B,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,MAAc,EACd,OAA8B,EAC9B,OAA2B;IAE3B,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,eAAe,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;AACH,CAAC"}

package/dist/validation/plaintext-reject.d.ts

@@ -0,0 +1,23 @@
+export declare const PLAINTEXT_FORBIDDEN_VAULT_FIELDS: readonly ["vaultPassword", "confirmVaultPassword", "password", "recoveryPhrase", "recoveryWords", "userVaultKey", "prfOutput", "decryptedPayload", "displayName", "walletLabel", "strategyNote", "subscriptionToken", "title", "body", "content", "message"];
+export type PlaintextForbiddenField = (typeof PLAINTEXT_FORBIDDEN_VAULT_FIELDS)[number];
+export declare function rejectVaultPlaintextFields(body: Record<string, unknown>): string | null;
+export declare function assertNoVaultPlaintextFields(body: Record<string, unknown>): void;
+export declare function validateNoPlaintextLeak(data: unknown): {
+    ok: boolean;
+    found: string[];
+};
+export declare function scanForSentinels(data: unknown, sentinels?: readonly string[]): string[];
+export declare function containsSentinel(value: string, sentinels?: readonly string[]): boolean;
+export declare const SENTINEL_VAULT_PASSWORD = "SENTINEL_VAULT_PASSWORD_DO_NOT_STORE";
+export declare const SENTINEL_RECOVERY_PHRASE = "SENTINEL_RECOVERY_PHRASE_DO_NOT_STORE";
+export declare const SENTINEL_12_WORD_RECOVERY_PHRASE = "SENTINEL_12_WORD_RECOVERY_PHRASE_DO_NOT_STORE";
+export declare const SENTINEL_24_WORD_RECOVERY_PHRASE = "SENTINEL_24_WORD_RECOVERY_PHRASE_DO_NOT_STORE";
+export declare const SENTINEL_PRIVATE_LABEL = "SENTINEL_PRIVATE_LABEL_DO_NOT_STORE";
+export declare const SENTINEL_STRATEGY_NOTE = "SENTINEL_STRATEGY_NOTE_DO_NOT_STORE";
+export declare const SENTINEL_SUBSCRIPTION_TOKEN = "SENTINEL_SUBSCRIPTION_TOKEN_DO_NOT_STORE";
+export declare const SENTINEL_MANAGEMENT_TOKEN = "SENTINEL_MANAGEMENT_TOKEN_DO_NOT_STORE";
+export declare const SENTINEL_PRIVATE_NOTE = "SENTINEL_PRIVATE_NOTE_DO_NOT_STORE";
+export declare const SENTINEL_USER_VAULT_KEY = "SENTINEL_USER_VAULT_KEY_DO_NOT_STORE";
+export declare const SENTINEL_PRF_OUTPUT = "SENTINEL_PRF_OUTPUT_DO_NOT_STORE";
+export declare const ALL_SENTINELS: readonly ["SENTINEL_VAULT_PASSWORD_DO_NOT_STORE", "SENTINEL_RECOVERY_PHRASE_DO_NOT_STORE", "SENTINEL_12_WORD_RECOVERY_PHRASE_DO_NOT_STORE", "SENTINEL_24_WORD_RECOVERY_PHRASE_DO_NOT_STORE", "SENTINEL_PRIVATE_LABEL_DO_NOT_STORE", "SENTINEL_STRATEGY_NOTE_DO_NOT_STORE", "SENTINEL_SUBSCRIPTION_TOKEN_DO_NOT_STORE", "SENTINEL_MANAGEMENT_TOKEN_DO_NOT_STORE", "SENTINEL_PRIVATE_NOTE_DO_NOT_STORE", "SENTINEL_USER_VAULT_KEY_DO_NOT_STORE", "SENTINEL_PRF_OUTPUT_DO_NOT_STORE"];
+//# sourceMappingURL=plaintext-reject.d.ts.map

package/dist/validation/plaintext-reject.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plaintext-reject.d.ts","sourceRoot":"","sources":["../../src/validation/plaintext-reject.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,gCAAgC,8PAiBnC,CAAC;AAEX,MAAM,MAAM,uBAAuB,GAAG,CAAC,OAAO,gCAAgC,CAAC,CAAC,MAAM,CAAC,CAAC;AAExF,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,GAAG,IAAI,CAOvF;AAED,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAKhF;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,OAAO,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,CAGvF;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,GAAE,SAAS,MAAM,EAAkB,GAAG,MAAM,EAAE,CAWtG;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,GAAE,SAAS,MAAM,EAAkB,GAAG,OAAO,CAErG;AAED,eAAO,MAAM,uBAAuB,yCAAyC,CAAC;AAC9E,eAAO,MAAM,wBAAwB,0CAA0C,CAAC;AAChF,eAAO,MAAM,gCAAgC,kDACI,CAAC;AAClD,eAAO,MAAM,gCAAgC,kDACI,CAAC;AAClD,eAAO,MAAM,sBAAsB,wCAAwC,CAAC;AAC5E,eAAO,MAAM,sBAAsB,wCAAwC,CAAC;AAC5E,eAAO,MAAM,2BAA2B,6CAA6C,CAAC;AACtF,eAAO,MAAM,yBAAyB,2CAA2C,CAAC;AAClF,eAAO,MAAM,qBAAqB,uCAAuC,CAAC;AAC1E,eAAO,MAAM,uBAAuB,yCAAyC,CAAC;AAC9E,eAAO,MAAM,mBAAmB,qCAAqC,CAAC;AAEtE,eAAO,MAAM,aAAa,odAYhB,CAAC"}

package/dist/validation/plaintext-reject.js

@@ -0,0 +1,75 @@
+import { VaultPlaintextRejectionError } from "../errors/vault-errors.js";
+export const PLAINTEXT_FORBIDDEN_VAULT_FIELDS = [
+    "vaultPassword",
+    "confirmVaultPassword",
+    "password",
+    "recoveryPhrase",
+    "recoveryWords",
+    "userVaultKey",
+    "prfOutput",
+    "decryptedPayload",
+    "displayName",
+    "walletLabel",
+    "strategyNote",
+    "subscriptionToken",
+    "title",
+    "body",
+    "content",
+    "message",
+];
+export function rejectVaultPlaintextFields(body) {
+    for (const field of PLAINTEXT_FORBIDDEN_VAULT_FIELDS) {
+        if (field in body && body[field] !== undefined) {
+            return `Plaintext field '${field}' is not allowed`;
+        }
+    }
+    return null;
+}
+export function assertNoVaultPlaintextFields(body) {
+    const error = rejectVaultPlaintextFields(body);
+    if (error) {
+        throw new VaultPlaintextRejectionError(error);
+    }
+}
+export function validateNoPlaintextLeak(data) {
+    const found = scanForSentinels(data);
+    return { ok: found.length === 0, found };
+}
+export function scanForSentinels(data, sentinels = ALL_SENTINELS) {
+    const found = [];
+    const json = JSON.stringify(data);
+    for (const sentinel of sentinels) {
+        if (json.includes(sentinel)) {
+            found.push(sentinel);
+        }
+    }
+    return found;
+}
+export function containsSentinel(value, sentinels = ALL_SENTINELS) {
+    return sentinels.some((sentinel) => value.includes(sentinel));
+}
+export const SENTINEL_VAULT_PASSWORD = "SENTINEL_VAULT_PASSWORD_DO_NOT_STORE";
+export const SENTINEL_RECOVERY_PHRASE = "SENTINEL_RECOVERY_PHRASE_DO_NOT_STORE";
+export const SENTINEL_12_WORD_RECOVERY_PHRASE = "SENTINEL_12_WORD_RECOVERY_PHRASE_DO_NOT_STORE";
+export const SENTINEL_24_WORD_RECOVERY_PHRASE = "SENTINEL_24_WORD_RECOVERY_PHRASE_DO_NOT_STORE";
+export const SENTINEL_PRIVATE_LABEL = "SENTINEL_PRIVATE_LABEL_DO_NOT_STORE";
+export const SENTINEL_STRATEGY_NOTE = "SENTINEL_STRATEGY_NOTE_DO_NOT_STORE";
+export const SENTINEL_SUBSCRIPTION_TOKEN = "SENTINEL_SUBSCRIPTION_TOKEN_DO_NOT_STORE";
+export const SENTINEL_MANAGEMENT_TOKEN = "SENTINEL_MANAGEMENT_TOKEN_DO_NOT_STORE";
+export const SENTINEL_PRIVATE_NOTE = "SENTINEL_PRIVATE_NOTE_DO_NOT_STORE";
+export const SENTINEL_USER_VAULT_KEY = "SENTINEL_USER_VAULT_KEY_DO_NOT_STORE";
+export const SENTINEL_PRF_OUTPUT = "SENTINEL_PRF_OUTPUT_DO_NOT_STORE";
+export const ALL_SENTINELS = [
+    SENTINEL_VAULT_PASSWORD,
+    SENTINEL_RECOVERY_PHRASE,
+    SENTINEL_12_WORD_RECOVERY_PHRASE,
+    SENTINEL_24_WORD_RECOVERY_PHRASE,
+    SENTINEL_PRIVATE_LABEL,
+    SENTINEL_STRATEGY_NOTE,
+    SENTINEL_SUBSCRIPTION_TOKEN,
+    SENTINEL_MANAGEMENT_TOKEN,
+    SENTINEL_PRIVATE_NOTE,
+    SENTINEL_USER_VAULT_KEY,
+    SENTINEL_PRF_OUTPUT,
+];
+//# sourceMappingURL=plaintext-reject.js.map

package/dist/validation/plaintext-reject.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plaintext-reject.js","sourceRoot":"","sources":["../../src/validation/plaintext-reject.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAEzE,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,eAAe;IACf,sBAAsB;IACtB,UAAU;IACV,gBAAgB;IAChB,eAAe;IACf,cAAc;IACd,WAAW;IACX,kBAAkB;IAClB,aAAa;IACb,aAAa;IACb,cAAc;IACd,mBAAmB;IACnB,OAAO;IACP,MAAM;IACN,SAAS;IACT,SAAS;CACD,CAAC;AAIX,MAAM,UAAU,0BAA0B,CAAC,IAA6B;IACtE,KAAK,MAAM,KAAK,IAAI,gCAAgC,EAAE,CAAC;QACrD,IAAI,KAAK,IAAI,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YAC/C,OAAO,oBAAoB,KAAK,kBAAkB,CAAC;QACrD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,IAA6B;IACxE,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,CAAC,CAAC;IAC/C,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,IAAI,4BAA4B,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,IAAa;IACnD,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,IAAa,EAAE,YAA+B,aAAa;IAC1F,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAa,EAAE,YAA+B,aAAa;IAC1F,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;AAC9E,MAAM,CAAC,MAAM,wBAAwB,GAAG,uCAAuC,CAAC;AAChF,MAAM,CAAC,MAAM,gCAAgC,GAC3C,+CAA+C,CAAC;AAClD,MAAM,CAAC,MAAM,gCAAgC,GAC3C,+CAA+C,CAAC;AAClD,MAAM,CAAC,MAAM,sBAAsB,GAAG,qCAAqC,CAAC;AAC5E,MAAM,CAAC,MAAM,sBAAsB,GAAG,qCAAqC,CAAC;AAC5E,MAAM,CAAC,MAAM,2BAA2B,GAAG,0CAA0C,CAAC;AACtF,MAAM,CAAC,MAAM,yBAAyB,GAAG,wCAAwC,CAAC;AAClF,MAAM,CAAC,MAAM,qBAAqB,GAAG,oCAAoC,CAAC;AAC1E,MAAM,CAAC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;AAC9E,MAAM,CAAC,MAAM,mBAAmB,GAAG,kCAAkC,CAAC;AAEtE,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,uBAAuB;IACvB,wBAAwB;IACxB,gCAAgC;IAChC,gCAAgC;IAChC,sBAAsB;IACtB,sBAAsB;IACtB,2BAA2B;IAC3B,yBAAyB;IACzB,qBAAqB;IACrB,uBAAuB;IACvB,mBAAmB;CACX,CAAC"}

package/dist/validation/schemas.d.ts

@@ -0,0 +1,203 @@
+import { z } from "zod";
+export declare const encryptedPayloadSchema: z.ZodObject<{
+    version: z.ZodLiteral<"enc-v1">;
+    alg: z.ZodLiteral<"AES-GCM">;
+    iv: z.ZodString;
+    ciphertext: z.ZodString;
+    aad: z.ZodObject<{
+        userId: z.ZodString;
+        resourceId: z.ZodString;
+        field: z.ZodEnum<{
+            vault_key: "vault_key";
+            vault_payload: "vault_payload";
+            vault_index: "vault_index";
+        }>;
+        context: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+export type EncryptedVaultPayload = z.infer<typeof encryptedPayloadSchema>;
+/** @deprecated Use EncryptedVaultPayload */
+export type EncryptedPayload = EncryptedVaultPayload;
+export declare const argon2idKdfMetadataSchema: z.ZodObject<{
+    kdf: z.ZodLiteral<"argon2id">;
+    version: z.ZodLiteral<"kdf-v1">;
+    salt: z.ZodString;
+    memory: z.ZodNumber;
+    iterations: z.ZodNumber;
+    parallelism: z.ZodNumber;
+}, z.core.$strip>;
+export type Argon2idKdfMetadata = z.infer<typeof argon2idKdfMetadataSchema>;
+export declare const kdfMetadataSchema: z.ZodObject<{
+    kdf: z.ZodLiteral<"argon2id">;
+    version: z.ZodLiteral<"kdf-v1">;
+    salt: z.ZodString;
+    memory: z.ZodNumber;
+    iterations: z.ZodNumber;
+    parallelism: z.ZodNumber;
+}, z.core.$strip>;
+export type KdfMetadata = Argon2idKdfMetadata;
+export type VaultEnvelopeMethod = "password" | "recovery_phrase" | "passkey_prf";
+export declare const storedEnvelopeSchema: z.ZodObject<{
+    method: z.ZodEnum<{
+        password: "password";
+        recovery_phrase: "recovery_phrase";
+        passkey_prf: "passkey_prf";
+    }>;
+    encryptedVaultKey: z.ZodObject<{
+        version: z.ZodLiteral<"enc-v1">;
+        alg: z.ZodLiteral<"AES-GCM">;
+        iv: z.ZodString;
+        ciphertext: z.ZodString;
+        aad: z.ZodObject<{
+            userId: z.ZodString;
+            resourceId: z.ZodString;
+            field: z.ZodEnum<{
+                vault_key: "vault_key";
+                vault_payload: "vault_payload";
+                vault_index: "vault_index";
+            }>;
+            context: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>;
+    }, z.core.$strip>;
+    kdfMetadata: z.ZodNullable<z.ZodObject<{
+        kdf: z.ZodLiteral<"argon2id">;
+        version: z.ZodLiteral<"kdf-v1">;
+        salt: z.ZodString;
+        memory: z.ZodNumber;
+        iterations: z.ZodNumber;
+        parallelism: z.ZodNumber;
+    }, z.core.$strip>>;
+    publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export type VaultEnvelope = z.infer<typeof storedEnvelopeSchema>;
+/** @deprecated Use VaultEnvelope */
+export type StoredEnvelope = VaultEnvelope;
+export type PasswordEnvelope = VaultEnvelope & {
+    method: "password";
+    kdfMetadata: Argon2idKdfMetadata;
+};
+export type RecoveryPhraseEnvelope = VaultEnvelope & {
+    method: "recovery_phrase";
+    kdfMetadata: Argon2idKdfMetadata;
+};
+export type PasskeyPrfEnvelope = VaultEnvelope & {
+    method: "passkey_prf";
+    kdfMetadata: null;
+};
+export { VAULT_CRYPTO_VERSION } from "../constants.js";
+export declare const vaultSetupEnvelopeFieldsSchema: z.ZodObject<{
+    cryptoVersion: z.ZodLiteral<"vault-v1">;
+    encryptedBlob: z.ZodObject<{
+        version: z.ZodLiteral<"enc-v1">;
+        alg: z.ZodLiteral<"AES-GCM">;
+        iv: z.ZodString;
+        ciphertext: z.ZodString;
+        aad: z.ZodObject<{
+            userId: z.ZodString;
+            resourceId: z.ZodString;
+            field: z.ZodEnum<{
+                vault_key: "vault_key";
+                vault_payload: "vault_payload";
+                vault_index: "vault_index";
+            }>;
+            context: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>;
+    }, z.core.$strip>;
+    passwordEnvelope: z.ZodObject<{
+        method: z.ZodEnum<{
+            password: "password";
+            recovery_phrase: "recovery_phrase";
+            passkey_prf: "passkey_prf";
+        }>;
+        encryptedVaultKey: z.ZodObject<{
+            version: z.ZodLiteral<"enc-v1">;
+            alg: z.ZodLiteral<"AES-GCM">;
+            iv: z.ZodString;
+            ciphertext: z.ZodString;
+            aad: z.ZodObject<{
+                userId: z.ZodString;
+                resourceId: z.ZodString;
+                field: z.ZodEnum<{
+                    vault_key: "vault_key";
+                    vault_payload: "vault_payload";
+                    vault_index: "vault_index";
+                }>;
+                context: z.ZodOptional<z.ZodString>;
+            }, z.core.$strip>;
+        }, z.core.$strip>;
+        kdfMetadata: z.ZodNullable<z.ZodObject<{
+            kdf: z.ZodLiteral<"argon2id">;
+            version: z.ZodLiteral<"kdf-v1">;
+            salt: z.ZodString;
+            memory: z.ZodNumber;
+            iterations: z.ZodNumber;
+            parallelism: z.ZodNumber;
+        }, z.core.$strip>>;
+        publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>;
+    recoveryEnvelope: z.ZodObject<{
+        method: z.ZodEnum<{
+            password: "password";
+            recovery_phrase: "recovery_phrase";
+            passkey_prf: "passkey_prf";
+        }>;
+        encryptedVaultKey: z.ZodObject<{
+            version: z.ZodLiteral<"enc-v1">;
+            alg: z.ZodLiteral<"AES-GCM">;
+            iv: z.ZodString;
+            ciphertext: z.ZodString;
+            aad: z.ZodObject<{
+                userId: z.ZodString;
+                resourceId: z.ZodString;
+                field: z.ZodEnum<{
+                    vault_key: "vault_key";
+                    vault_payload: "vault_payload";
+                    vault_index: "vault_index";
+                }>;
+                context: z.ZodOptional<z.ZodString>;
+            }, z.core.$strip>;
+        }, z.core.$strip>;
+        kdfMetadata: z.ZodNullable<z.ZodObject<{
+            kdf: z.ZodLiteral<"argon2id">;
+            version: z.ZodLiteral<"kdf-v1">;
+            salt: z.ZodString;
+            memory: z.ZodNumber;
+            iterations: z.ZodNumber;
+            parallelism: z.ZodNumber;
+        }, z.core.$strip>>;
+        publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>;
+    passkeyPrfEnvelope: z.ZodOptional<z.ZodNullable<z.ZodObject<{
+        method: z.ZodEnum<{
+            password: "password";
+            recovery_phrase: "recovery_phrase";
+            passkey_prf: "passkey_prf";
+        }>;
+        encryptedVaultKey: z.ZodObject<{
+            version: z.ZodLiteral<"enc-v1">;
+            alg: z.ZodLiteral<"AES-GCM">;
+            iv: z.ZodString;
+            ciphertext: z.ZodString;
+            aad: z.ZodObject<{
+                userId: z.ZodString;
+                resourceId: z.ZodString;
+                field: z.ZodEnum<{
+                    vault_key: "vault_key";
+                    vault_payload: "vault_payload";
+                    vault_index: "vault_index";
+                }>;
+                context: z.ZodOptional<z.ZodString>;
+            }, z.core.$strip>;
+        }, z.core.$strip>;
+        kdfMetadata: z.ZodNullable<z.ZodObject<{
+            kdf: z.ZodLiteral<"argon2id">;
+            version: z.ZodLiteral<"kdf-v1">;
+            salt: z.ZodString;
+            memory: z.ZodNumber;
+            iterations: z.ZodNumber;
+            parallelism: z.ZodNumber;
+        }, z.core.$strip>>;
+        publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+//# sourceMappingURL=schemas.d.ts.map

package/dist/validation/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../src/validation/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAKxB,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;iBAWjC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC3E,4CAA4C;AAC5C,MAAM,MAAM,gBAAgB,GAAG,qBAAqB,CAAC;AAErD,eAAO,MAAM,yBAAyB;;;;;;;iBAOpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E,eAAO,MAAM,iBAAiB;;;;;;;iBAA4B,CAAC;AAC3D,MAAM,MAAM,WAAW,GAAG,mBAAmB,CAAC;AAE9C,MAAM,MAAM,mBAAmB,GAAG,UAAU,GAAG,iBAAiB,GAAG,aAAa,CAAC;AAEjF,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAK/B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AACjE,oCAAoC;AACpC,MAAM,MAAM,cAAc,GAAG,aAAa,CAAC;AAE3C,MAAM,MAAM,gBAAgB,GAAG,aAAa,GAAG;IAC7C,MAAM,EAAE,UAAU,CAAC;IACnB,WAAW,EAAE,mBAAmB,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG,aAAa,GAAG;IACnD,MAAM,EAAE,iBAAiB,CAAC;IAC1B,WAAW,EAAE,mBAAmB,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG,aAAa,GAAG;IAC/C,MAAM,EAAE,aAAa,CAAC;IACtB,WAAW,EAAE,IAAI,CAAC;CACnB,CAAC;AAEF,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEvD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAMzC,CAAC"}

package/dist/validation/schemas.js

@@ -0,0 +1,39 @@
+import { z } from "zod";
+import { ENCRYPTION_ALG, ENCRYPTION_VERSION } from "../constants.js";
+const aadFieldSchema = z.enum(["vault_key", "vault_payload", "vault_index"]);
+export const encryptedPayloadSchema = z.object({
+    version: z.literal(ENCRYPTION_VERSION),
+    alg: z.literal(ENCRYPTION_ALG),
+    iv: z.string().min(1),
+    ciphertext: z.string().min(1),
+    aad: z.object({
+        userId: z.string().uuid(),
+        resourceId: z.string().uuid(),
+        field: aadFieldSchema,
+        context: z.string().optional(),
+    }),
+});
+export const argon2idKdfMetadataSchema = z.object({
+    kdf: z.literal("argon2id"),
+    version: z.literal("kdf-v1"),
+    salt: z.string().min(1),
+    memory: z.number().int().positive(),
+    iterations: z.number().int().positive(),
+    parallelism: z.number().int().positive(),
+});
+export const kdfMetadataSchema = argon2idKdfMetadataSchema;
+export const storedEnvelopeSchema = z.object({
+    method: z.enum(["password", "recovery_phrase", "passkey_prf"]),
+    encryptedVaultKey: encryptedPayloadSchema,
+    kdfMetadata: kdfMetadataSchema.nullable(),
+    publicMetadata: z.record(z.string(), z.unknown()).optional(),
+});
+export { VAULT_CRYPTO_VERSION } from "../constants.js";
+export const vaultSetupEnvelopeFieldsSchema = z.object({
+    cryptoVersion: z.literal("vault-v1"),
+    encryptedBlob: encryptedPayloadSchema,
+    passwordEnvelope: storedEnvelopeSchema,
+    recoveryEnvelope: storedEnvelopeSchema,
+    passkeyPrfEnvelope: storedEnvelopeSchema.nullable().optional(),
+});
+//# sourceMappingURL=schemas.js.map

package/dist/validation/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/validation/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAErE,MAAM,cAAc,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,eAAe,EAAE,aAAa,CAAC,CAAC,CAAC;AAE7E,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC;IACtC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC9B,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;QACZ,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QACzB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QAC7B,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC/B,CAAC;CACH,CAAC,CAAC;AAMH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAC1B,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACnC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACvC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACzC,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,iBAAiB,GAAG,yBAAyB,CAAC;AAK3D,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC9D,iBAAiB,EAAE,sBAAsB;IACzC,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACzC,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC7D,CAAC,CAAC;AAqBH,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEvD,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IACrD,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IACpC,aAAa,EAAE,sBAAsB;IACrC,gBAAgB,EAAE,oBAAoB;IACtC,gBAAgB,EAAE,oBAAoB;IACtC,kBAAkB,EAAE,oBAAoB,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CAC/D,CAAC,CAAC"}

package/package.json

@@ -0,0 +1,100 @@
+{
+  "name": "@tgoliveira/vault-core",
+  "version": "0.1.0",
+  "description": "Framework-independent vault crypto primitives with optional React session helpers",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/tgoliveira11/vault-core.git"
+  },
+  "bugs": {
+    "url": "https://github.com/tgoliveira11/vault-core/issues"
+  },
+  "homepage": "https://github.com/tgoliveira11/vault-core#readme",
+  "keywords": [
+    "vault",
+    "encryption",
+    "aes-gcm",
+    "argon2id",
+    "recovery-phrase",
+    "bip39",
+    "passkey-prf",
+    "webcrypto",
+    "zero-knowledge",
+    "client-side-encryption"
+  ],
+  "license": "MIT",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./browser": {
+      "types": "./dist/browser.d.ts",
+      "import": "./dist/browser.js"
+    },
+    "./testing": {
+      "types": "./dist/testing.d.ts",
+      "import": "./dist/testing.js"
+    },
+    "./react": {
+      "types": "./dist/react/index.d.ts",
+      "import": "./dist/react/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE",
+    "SECURITY.md",
+    "ARCHITECTURE.md",
+    "RECOVERY_PHRASE.md",
+    "PASSWORD_ENVELOPES.md",
+    "PASSKEY_PRF_ENVELOPES.md",
+    "MIGRATION_FROM_LIQSENSE.md",
+    "API_REFERENCE.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "validate": "npm run typecheck && npm run test && npm run build",
+    "prepublishOnly": "npm run validate",
+    "prepare": "npm run build"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "peerDependencies": {
+    "react": ">=18"
+  },
+  "peerDependenciesMeta": {
+    "react": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@scure/bip39": "^2.2.0",
+    "hash-wasm": "^4.12.0",
+    "zod": "^4.4.3"
+  },
+  "devDependencies": {
+    "@testing-library/react": "^16.3.2",
+    "@types/node": "^20",
+    "@types/react": "^19",
+    "@types/react-dom": "^19",
+    "@vitejs/plugin-react": "^6.0.2",
+    "jsdom": "^29.1.1",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "typescript": "^5",
+    "vitest": "^4.1.9"
+  },
+  "private": false
+}