@time-file/browser-file-crypto 1.0.0

package/dist/index.d.ts

@@ -0,0 +1,726 @@
+/**
+ * browser-file-crypto
+ *
+ * Zero-dependency file encryption for browsers using Web Crypto API.
+ * Provides AES-256-GCM encryption with password or keyfile-based keys.
+ *
+ * @packageDocumentation
+ * @module browser-file-crypto
+ * @since 1.0.0
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   encryptFile,
+ *   decryptFile,
+ *   generateKeyFile,
+ *   getEncryptionType
+ * } from '@time-file/browser-file-crypto';
+ *
+ * // Password-based encryption
+ * const encrypted = await encryptFile(file, {
+ *   password: 'my-secret',
+ *   onProgress: ({ phase, progress }) => console.log(`${phase}: ${progress}%`)
+ * });
+ *
+ * // Keyfile-based encryption
+ * const keyFile = generateKeyFile();
+ * const encrypted = await encryptFile(file, { keyData: keyFile.key });
+ *
+ * // Decryption
+ * const decrypted = await decryptFile(encrypted, { password: 'my-secret' });
+ * ```
+ */
+
+/**
+ * Algorithm identifier string for AES-GCM.
+ */
+export declare const ALGORITHM: "AES-GCM";
+
+/**
+ * AES-GCM authentication tag length in bytes.
+ * 16 bytes (128 bits) is the default and recommended tag size.
+ */
+export declare const AUTH_TAG_LENGTH = 16;
+
+/**
+ * Computes SHA-256 hash of a keyfile's key data.
+ *
+ * @description
+ * Generates a SHA-256 hash of the key data for server-side verification.
+ * This allows the server to verify that the client has the correct keyfile
+ * without ever seeing the actual key.
+ *
+ * Use case: Store the hash on the server, then verify client-provided
+ * hash matches before allowing access to encrypted content.
+ *
+ * @param keyData - Base64-encoded key string (from KeyFile.key)
+ * @returns Promise resolving to hex-encoded SHA-256 hash
+ *
+ * @example
+ * ```typescript
+ * const keyFile = generateKeyFile();
+ * const hash = await computeKeyFileHash(keyFile.key);
+ * console.log(hash); // '3a7bd3e2c1f8...' (64 hex characters)
+ *
+ * // Send hash to server for storage
+ * await fetch('/api/store-key-hash', {
+ *   method: 'POST',
+ *   body: JSON.stringify({ hash })
+ * });
+ *
+ * // Later, verify keyfile by comparing hashes
+ * const uploadedHash = await computeKeyFileHash(uploadedKeyFile.key);
+ * const isValid = uploadedHash === storedHash;
+ * ```
+ *
+ * @since 1.0.0
+ */
+export declare function computeKeyFileHash(keyData: string): Promise<string>;
+
+/**
+ * Custom error class for crypto operations.
+ *
+ * @description
+ * Provides structured error handling with error codes for programmatic handling.
+ * Each error includes a code that can be used for i18n or specific error handling.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await decryptFile(data, { password: 'wrong' });
+ * } catch (error) {
+ *   if (error instanceof CryptoError) {
+ *     console.log(error.code);    // 'INVALID_PASSWORD'
+ *     console.log(error.message); // 'Decryption failed: incorrect password.'
+ *
+ *     switch (error.code) {
+ *       case 'INVALID_PASSWORD':
+ *         showPasswordError();
+ *         break;
+ *       case 'INVALID_ENCRYPTED_DATA':
+ *         showCorruptedFileError();
+ *         break;
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * @see {@link CryptoErrorCode} for all available error codes
+ * @since 1.0.0
+ */
+export declare class CryptoError extends Error {
+    /** Error code for programmatic handling */
+    readonly code: CryptoErrorCode;
+    /**
+     * Creates a new CryptoError.
+     *
+     * @param code - Error code identifying the type of error
+     * @param message - Optional custom message (defaults to predefined message)
+     */
+    constructor(code: CryptoErrorCode, message?: string);
+}
+
+/**
+ * Error handling for browser-file-crypto.
+ *
+ * @module errors
+ * @since 1.0.0
+ */
+/**
+ * Error codes for CryptoError.
+ *
+ * @description
+ * - `INVALID_INPUT`: Input is not a valid File, Blob, or ArrayBuffer
+ * - `PASSWORD_REQUIRED`: Password is required but not provided
+ * - `KEYFILE_REQUIRED`: Keyfile is required but not provided
+ * - `INVALID_PASSWORD`: Decryption failed due to incorrect password
+ * - `INVALID_KEYFILE`: Decryption failed due to incorrect keyfile
+ * - `INVALID_ENCRYPTED_DATA`: Data is corrupted or not encrypted with this library
+ * - `ENCRYPTION_FAILED`: Encryption operation failed
+ * - `DECRYPTION_FAILED`: Decryption operation failed
+ * - `DOWNLOAD_FAILED`: File download failed
+ * - `UNSUPPORTED_FORMAT`: Encrypted file format is not supported
+ */
+export declare type CryptoErrorCode = 'INVALID_INPUT' | 'PASSWORD_REQUIRED' | 'KEYFILE_REQUIRED' | 'INVALID_PASSWORD' | 'INVALID_KEYFILE' | 'INVALID_ENCRYPTED_DATA' | 'ENCRYPTION_FAILED' | 'DECRYPTION_FAILED' | 'DOWNLOAD_FAILED' | 'UNSUPPORTED_FORMAT';
+
+/**
+ * Decrypts a file that was encrypted with encryptFile.
+ *
+ * @description
+ * Automatically detects whether the file was encrypted with password or keyfile
+ * based on the marker byte, then decrypts accordingly.
+ *
+ * For password-encrypted files:
+ * - Extracts salt and IV from header
+ * - Derives key using PBKDF2
+ * - Decrypts with AES-GCM
+ *
+ * For keyfile-encrypted files:
+ * - Extracts IV from header
+ * - Imports key directly
+ * - Decrypts with AES-GCM
+ *
+ * @param encrypted - The encrypted data (Blob or ArrayBuffer)
+ * @param options - Decryption options including password or keyData
+ * @returns Promise resolving to decrypted Blob
+ *
+ * @throws {CryptoError} When password is required but not provided (PASSWORD_REQUIRED)
+ * @throws {CryptoError} When keyfile is required but not provided (KEYFILE_REQUIRED)
+ * @throws {CryptoError} When password is incorrect (INVALID_PASSWORD)
+ * @throws {CryptoError} When keyfile is incorrect (INVALID_KEYFILE)
+ * @throws {CryptoError} When data is corrupted (INVALID_ENCRYPTED_DATA)
+ *
+ * @example
+ * ```typescript
+ * // Password-based decryption
+ * try {
+ *   const decrypted = await decryptFile(encryptedBlob, {
+ *     password: 'my-secret',
+ *     onProgress: ({ phase, progress }) => console.log(`${phase}: ${progress}%`)
+ *   });
+ * } catch (error) {
+ *   if (error instanceof CryptoError && error.code === 'INVALID_PASSWORD') {
+ *     console.log('Wrong password!');
+ *   }
+ * }
+ *
+ * // Keyfile-based decryption
+ * const decrypted = await decryptFile(encryptedBlob, {
+ *   keyData: keyFile.key
+ * });
+ * ```
+ *
+ * @see {@link encryptFile} for encryption
+ * @see {@link getEncryptionType} for detecting encryption method
+ * @since 1.0.0
+ */
+export declare function decryptFile(encrypted: Blob | ArrayBuffer, options: DecryptOptions): Promise<Blob>;
+
+/**
+ * Options for file decryption.
+ *
+ * @description
+ * The correct option (password or keyData) must match the encryption method used.
+ * Use `getEncryptionType()` to detect which method was used.
+ *
+ * @example
+ * ```typescript
+ * const options: DecryptOptions = {
+ *   password: 'my-secret-password',
+ *   onProgress: ({ phase, progress }) => {
+ *     if (phase === 'complete') console.log('Done!');
+ *   }
+ * };
+ * ```
+ */
+export declare interface DecryptOptions {
+    /** Password for decryption (required for password-encrypted files) */
+    password?: string;
+    /** Base64-encoded key data (required for keyfile-encrypted files) */
+    keyData?: string;
+    /** Progress callback for UI updates */
+    onProgress?: ProgressCallback;
+}
+
+/**
+ * Downloads an encrypted file from URL, decrypts it, and saves to disk.
+ *
+ * @description
+ * Combines file download, decryption, and save into a single operation.
+ * Progress callback reports both download and decryption phases.
+ *
+ * Phases:
+ * 1. `downloading` (0-50%): Fetching file from URL
+ * 2. `deriving_key` (50-60%): Key derivation (password mode only)
+ * 3. `decrypting` (60-95%): AES-GCM decryption
+ * 4. `complete` (100%): File saved
+ *
+ * Note: This function uses browser APIs (fetch, URL.createObjectURL, document.createElement)
+ * and will not work in Node.js environments.
+ *
+ * @param url - URL of the encrypted file to download
+ * @param options - Options including password/keyData and fileName
+ * @returns Promise that resolves when file is saved
+ *
+ * @throws {CryptoError} When download fails (DOWNLOAD_FAILED)
+ * @throws {CryptoError} When decryption fails (see decryptFile errors)
+ *
+ * @example
+ * ```typescript
+ * await downloadAndDecrypt('https://example.com/secret.enc', {
+ *   password: 'my-secret',
+ *   fileName: 'document.pdf',
+ *   onProgress: ({ phase, progress }) => {
+ *     console.log(`${phase}: ${progress}%`);
+ *     // downloading: 25%
+ *     // downloading: 50%
+ *     // deriving_key: 55%
+ *     // decrypting: 80%
+ *     // complete: 100%
+ *   }
+ * });
+ * ```
+ *
+ * @see {@link decryptFile} for decryption only
+ * @since 1.0.0
+ */
+export declare function downloadAndDecrypt(url: string, options: DownloadDecryptOptions): Promise<void>;
+
+/**
+ * Options for download and decrypt operation.
+ *
+ * @description
+ * Extends DecryptOptions with fileName for the downloaded file.
+ *
+ * @example
+ * ```typescript
+ * await downloadAndDecrypt('https://example.com/file.enc', {
+ *   password: 'secret',
+ *   fileName: 'document.pdf',
+ *   onProgress: ({ phase, progress }) => console.log(`${phase}: ${progress}%`)
+ * });
+ * ```
+ */
+export declare interface DownloadDecryptOptions extends DecryptOptions {
+    /** File name to use when saving the decrypted file */
+    fileName: string;
+}
+
+/**
+ * Downloads a keyfile as a JSON file with customizable extension.
+ *
+ * @description
+ * Creates a downloadable JSON file containing the keyfile data.
+ * The file extension can be customized (default: .key).
+ *
+ * Note: This function uses browser APIs (URL.createObjectURL, document.createElement)
+ * and will not work in Node.js or Web Worker environments.
+ *
+ * @param keyData - Base64-encoded key string (from KeyFile.key)
+ * @param fileName - Name for the downloaded file (without extension)
+ * @param extension - File extension without dot (default: 'key')
+ *
+ * @example
+ * ```typescript
+ * const keyFile = generateKeyFile();
+ *
+ * // Downloads as 'my-secret-key.key' (default)
+ * downloadKeyFile(keyFile.key, 'my-secret-key');
+ *
+ * // Downloads as 'my-secret-key.tfkey' (custom extension)
+ * downloadKeyFile(keyFile.key, 'my-secret-key', 'tfkey');
+ *
+ * // The downloaded file contains:
+ * // {
+ * //   "version": 1,
+ * //   "algorithm": "AES-256-GCM",
+ * //   "key": "base64...",
+ * //   "createdAt": "2025-01-01T00:00:00.000Z"
+ * // }
+ * ```
+ *
+ * @since 1.0.0
+ */
+export declare function downloadKeyFile(keyData: string, fileName: string, extension?: string): void;
+
+/**
+ * Encrypts a file using AES-256-GCM with password-based key derivation.
+ *
+ * @description
+ * Uses PBKDF2 with 100,000 iterations to derive a 256-bit key from the password.
+ * Each encryption generates a unique random salt (16 bytes) and IV (12 bytes).
+ * The output format is: [marker(1)] + [salt(16)] + [iv(12)] + [ciphertext + auth tag].
+ *
+ * For keyfile-based encryption, the key is used directly without derivation.
+ * The output format is: [marker(1)] + [iv(12)] + [ciphertext + auth tag].
+ *
+ * @param file - The file to encrypt (File, Blob, or ArrayBuffer)
+ * @param options - Encryption options including password or keyData
+ * @returns Promise resolving to encrypted Blob with 'application/octet-stream' MIME type
+ *
+ * @throws {CryptoError} When neither password nor keyData is provided (PASSWORD_REQUIRED)
+ * @throws {CryptoError} When input is invalid (INVALID_INPUT)
+ * @throws {CryptoError} When encryption fails (ENCRYPTION_FAILED)
+ *
+ * @example
+ * ```typescript
+ * // Password-based encryption
+ * const encrypted = await encryptFile(file, {
+ *   password: 'my-secret',
+ *   onProgress: ({ phase, progress }) => console.log(`${phase}: ${progress}%`)
+ * });
+ *
+ * // Keyfile-based encryption
+ * const keyFile = generateKeyFile();
+ * const encrypted = await encryptFile(file, {
+ *   keyData: keyFile.key,
+ *   onProgress: ({ progress }) => updateProgressBar(progress)
+ * });
+ * ```
+ *
+ * @see {@link decryptFile} for decryption
+ * @see {@link generateKeyFile} for creating keyfiles
+ * @since 1.0.0
+ */
+export declare function encryptFile(file: File | Blob | ArrayBuffer, options: EncryptOptions): Promise<Blob>;
+
+/**
+ * Encryption marker byte for keyfile-based encryption.
+ * Used to identify the encryption method when decrypting.
+ */
+export declare const ENCRYPTION_MARKER_KEYFILE = 2;
+
+/**
+ * Encryption marker byte for password-based encryption.
+ * Used to identify the encryption method when decrypting.
+ */
+export declare const ENCRYPTION_MARKER_PASSWORD = 1;
+
+/**
+ * Encryption type detected from encrypted data.
+ *
+ * @description
+ * - `password`: File was encrypted with a password (marker byte 0x01)
+ * - `keyfile`: File was encrypted with a keyfile (marker byte 0x02)
+ * - `unknown`: Unrecognized format or not encrypted with this library
+ */
+export declare type EncryptionType = 'password' | 'keyfile' | 'unknown';
+
+/**
+ * Options for file encryption.
+ *
+ * @description
+ * Either `password` or `keyData` must be provided, but not both.
+ *
+ * @example
+ * ```typescript
+ * // Password-based encryption
+ * const options: EncryptOptions = {
+ *   password: 'my-secret-password',
+ *   onProgress: ({ progress }) => console.log(`${progress}%`)
+ * };
+ *
+ * // Keyfile-based encryption
+ * const options: EncryptOptions = {
+ *   keyData: keyFile.key,
+ *   onProgress: ({ progress }) => console.log(`${progress}%`)
+ * };
+ * ```
+ */
+export declare interface EncryptOptions {
+    /** Password for encryption (required if keyData not provided) */
+    password?: string;
+    /** Base64-encoded key data from keyfile (required if password not provided) */
+    keyData?: string;
+    /** Progress callback for UI updates */
+    onProgress?: ProgressCallback;
+}
+
+/**
+ * Generates a new keyfile with a 256-bit random key.
+ *
+ * @description
+ * Creates a cryptographically secure 256-bit (32 bytes) random key
+ * using crypto.getRandomValues(). The key is returned as a KeyFile
+ * object with metadata including version, algorithm, and creation timestamp.
+ *
+ * The generated key can be used directly with encryptFile() and decryptFile()
+ * without any key derivation (unlike password-based encryption).
+ *
+ * @returns KeyFile object containing the generated key
+ *
+ * @example
+ * ```typescript
+ * const keyFile = generateKeyFile();
+ * console.log(keyFile);
+ * // {
+ * //   version: 1,
+ * //   algorithm: 'AES-256-GCM',
+ * //   key: 'base64-encoded-32-bytes...',
+ * //   createdAt: '2025-01-01T12:00:00.000Z'
+ * // }
+ *
+ * // Use for encryption
+ * const encrypted = await encryptFile(file, { keyData: keyFile.key });
+ *
+ * // Save keyfile for later
+ * downloadKeyFile(keyFile.key, 'my-encryption-key');
+ * ```
+ *
+ * @see {@link downloadKeyFile} for saving the keyfile
+ * @see {@link parseKeyFile} for loading a saved keyfile
+ * @since 1.0.0
+ */
+export declare function generateKeyFile(): KeyFile;
+
+/**
+ * Generates a cryptographically secure random password.
+ *
+ * @description
+ * Creates a random password using crypto.getRandomValues() for
+ * cryptographic randomness. The password includes:
+ * - Uppercase letters (A-Z)
+ * - Lowercase letters (a-z)
+ * - Numbers (0-9)
+ * - Special characters (!@#$%^&*)
+ *
+ * @param length - Password length (default: 16, min: 8, max: 128)
+ * @returns Random password string
+ *
+ * @example
+ * ```typescript
+ * const password = generateRandomPassword();
+ * console.log(password); // e.g., 'Kx9#mP2$vL5@nQ8!'
+ *
+ * const longPassword = generateRandomPassword(32);
+ * console.log(longPassword.length); // 32
+ * ```
+ *
+ * @since 1.0.0
+ */
+export declare function generateRandomPassword(length?: number): string;
+
+/**
+ * Detects the encryption type of encrypted data.
+ *
+ * @description
+ * Reads the first byte (marker) of the encrypted data to determine
+ * whether it was encrypted with a password or keyfile.
+ *
+ * - Marker 0x01: Password-based encryption
+ * - Marker 0x02: Keyfile-based encryption
+ * - Other: Unknown format
+ *
+ * @param data - The encrypted data (Blob or ArrayBuffer)
+ * @returns Promise resolving to encryption type
+ *
+ * @example
+ * ```typescript
+ * const type = await getEncryptionType(encryptedBlob);
+ *
+ * switch (type) {
+ *   case 'password':
+ *     // Show password input
+ *     break;
+ *   case 'keyfile':
+ *     // Show keyfile picker
+ *     break;
+ *   case 'unknown':
+ *     // Show error: not encrypted with this library
+ *     break;
+ * }
+ * ```
+ *
+ * @see {@link isEncryptedFile} for simple encryption check
+ * @since 1.0.0
+ */
+export declare function getEncryptionType(data: Blob | ArrayBuffer): Promise<EncryptionType>;
+
+/**
+ * Hash algorithm used in PBKDF2 key derivation.
+ */
+export declare const HASH_ALGORITHM: "SHA-256";
+
+/**
+ * Type guard to check if an error is a CryptoError.
+ *
+ * @param error - The error to check
+ * @returns True if the error is a CryptoError
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await decryptFile(data, options);
+ * } catch (error) {
+ *   if (isCryptoError(error)) {
+ *     console.log(error.code);
+ *   }
+ * }
+ * ```
+ */
+export declare function isCryptoError(error: unknown): error is CryptoError;
+
+/**
+ * Checks if data appears to be encrypted with this library.
+ *
+ * @description
+ * Performs a quick check to determine if the data was likely encrypted
+ * with browser-file-crypto. This checks:
+ * 1. The marker byte is valid (0x01 or 0x02)
+ * 2. The data meets minimum size requirements
+ *
+ * Note: This is not a cryptographic verification. It only checks
+ * the format markers and size constraints.
+ *
+ * @param data - The data to check (Blob or ArrayBuffer)
+ * @returns Promise resolving to true if data appears to be encrypted
+ *
+ * @example
+ * ```typescript
+ * const file = event.target.files[0];
+ * const isEncrypted = await isEncryptedFile(file);
+ *
+ * if (isEncrypted) {
+ *   showDecryptionUI();
+ * } else {
+ *   showEncryptionUI();
+ * }
+ * ```
+ *
+ * @since 1.0.0
+ */
+export declare function isEncryptedFile(data: Blob | ArrayBuffer): Promise<boolean>;
+
+/**
+ * Initialization vector length in bytes for AES-GCM.
+ * 12 bytes (96 bits) is the recommended IV size for AES-GCM per NIST SP 800-38D.
+ */
+export declare const IV_LENGTH = 12;
+
+/**
+ * AES key length in bits.
+ * 256 bits provides the highest security level for AES.
+ */
+export declare const KEY_LENGTH = 256;
+
+/**
+ * Key file structure for keyfile-based encryption.
+ *
+ * @description
+ * Contains a 256-bit random key for direct AES-256-GCM encryption.
+ * No key derivation is needed - the key is used directly.
+ *
+ * @example
+ * ```typescript
+ * const keyFile = generateKeyFile();
+ * // {
+ * //   version: 1,
+ * //   algorithm: 'AES-256-GCM',
+ * //   key: 'base64-encoded-32-bytes',
+ * //   createdAt: '2025-01-01T00:00:00.000Z'
+ * // }
+ * ```
+ */
+export declare interface KeyFile {
+    /** Key file format version */
+    version: 1;
+    /** Encryption algorithm identifier */
+    algorithm: 'AES-256-GCM';
+    /** Base64-encoded 256-bit key */
+    key: string;
+    /** ISO 8601 timestamp of key creation */
+    createdAt: string;
+}
+
+/**
+ * Key file raw key length in bytes (256-bit).
+ * Matches the AES-256 key size requirement.
+ */
+export declare const KEYFILE_KEY_LENGTH = 32;
+
+/**
+ * Minimum encrypted file size for keyfile-based encryption.
+ * Header (1 + 12 = 13 bytes) + Auth tag (16 bytes) = 29 bytes.
+ */
+export declare const MIN_ENCRYPTED_SIZE_KEYFILE: number;
+
+/**
+ * Minimum encrypted file size for password-based encryption.
+ * Header (1 + 16 + 12 = 29 bytes) + Auth tag (16 bytes) = 45 bytes.
+ */
+export declare const MIN_ENCRYPTED_SIZE_PASSWORD: number;
+
+/**
+ * Parses a keyfile from JSON string content.
+ *
+ * @description
+ * Validates and parses a JSON string into a KeyFile object.
+ * Performs validation to ensure:
+ * - Valid JSON format
+ * - Required fields present (version, algorithm, key)
+ * - Correct version (1)
+ * - Correct algorithm ('AES-256-GCM')
+ * - Key is a non-empty string
+ *
+ * @param content - JSON string content of the keyfile
+ * @returns KeyFile object if valid, null if invalid
+ *
+ * @example
+ * ```typescript
+ * // From file input
+ * const fileInput = document.querySelector('input[type="file"]');
+ * fileInput.addEventListener('change', async (e) => {
+ *   const file = e.target.files[0];
+ *   const content = await file.text();
+ *   const keyFile = parseKeyFile(content);
+ *
+ *   if (keyFile) {
+ *     const decrypted = await decryptFile(encrypted, { keyData: keyFile.key });
+ *   } else {
+ *     console.error('Invalid keyfile format');
+ *   }
+ * });
+ * ```
+ *
+ * @see {@link generateKeyFile} for creating keyfiles
+ * @since 1.0.0
+ */
+export declare function parseKeyFile(content: string): KeyFile | null;
+
+/**
+ * PBKDF2 iteration count for key derivation.
+ * 100,000 iterations balance security and performance.
+ * Higher values increase resistance to brute-force attacks.
+ */
+export declare const PBKDF2_ITERATIONS = 100000;
+
+/**
+ * Progress information for encryption/decryption operations.
+ *
+ * @example
+ * ```typescript
+ * onProgress: ({ phase, progress }) => {
+ *   console.log(`${phase}: ${progress}%`);
+ * }
+ * ```
+ */
+export declare interface Progress {
+    /** Current phase of the operation */
+    phase: ProgressPhase;
+    /** Progress percentage (0-100) */
+    progress: number;
+}
+
+/**
+ * Callback function for progress updates.
+ *
+ * @param progress - Current progress information
+ */
+export declare type ProgressCallback = (progress: Progress) => void;
+
+/**
+ * Core type definitions for browser-file-crypto.
+ *
+ * @module types
+ * @since 1.0.0
+ */
+/**
+ * Progress phase during encryption/decryption operations.
+ *
+ * @description
+ * - `deriving_key`: PBKDF2 key derivation in progress (password mode)
+ * - `encrypting`: AES-GCM encryption in progress
+ * - `decrypting`: AES-GCM decryption in progress
+ * - `downloading`: File download in progress (downloadAndDecrypt)
+ * - `complete`: Operation finished successfully
+ */
+export declare type ProgressPhase = 'deriving_key' | 'encrypting' | 'decrypting' | 'downloading' | 'complete';
+
+/**
+ * Salt length in bytes for PBKDF2 key derivation.
+ * 16 bytes (128 bits) provides sufficient randomness to prevent rainbow table attacks.
+ */
+export declare const SALT_LENGTH = 16;
+
+export { }