@tinycloud/sdk-services 2.2.0-beta.13 → 2.2.0

package/dist/encryption/index.cjs

@@ -0,0 +1,1340 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/encryption/index.ts
+var encryption_exports = {};
+__export(encryption_exports, {
+  DECRYPT_ACTION: () => DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE: () => DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE: () => DECRYPT_RESULT_TYPE,
+  DEFAULT_ENCRYPTION_ALG: () => DEFAULT_ENCRYPTION_ALG,
+  DEFAULT_KEY_VERSION: () => DEFAULT_KEY_VERSION,
+  ENCRYPTION_NETWORK_URN_PREFIX: () => ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_SERVICE: () => ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT: () => ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION: () => ENVELOPE_VERSION,
+  EncryptionService: () => EncryptionService,
+  NETWORK_NAME_PATTERN: () => NETWORK_NAME_PATTERN,
+  NetworkIdError: () => NetworkIdError,
+  base64Decode: () => base64Decode,
+  base64Encode: () => base64Encode,
+  buildCanonicalDecryptRequest: () => buildCanonicalDecryptRequest,
+  buildDecryptAttenuation: () => buildDecryptAttenuation,
+  buildDecryptFacts: () => buildDecryptFacts,
+  buildDecryptInvocation: () => buildDecryptInvocation,
+  buildNetworkId: () => buildNetworkId,
+  canonicalHashHex: () => canonicalHashHex,
+  canonicalSignedResponse: () => canonicalSignedResponse,
+  canonicalize: () => canonicalize,
+  checkDecryptInvocationInput: () => checkDecryptInvocationInput,
+  decryptEnvelopeWithKey: () => decryptEnvelopeWithKey,
+  deriveSignedReceiverKey: () => deriveSignedReceiverKey,
+  discoverNetwork: () => discoverNetwork,
+  encryptToNetwork: () => encryptToNetwork,
+  encryptionError: () => encryptionError,
+  ensureNetworkUsableForDecrypt: () => ensureNetworkUsableForDecrypt,
+  generateRandomReceiverKey: () => generateRandomReceiverKey,
+  hexDecode: () => hexDecode,
+  hexEncode: () => hexEncode,
+  isNetworkId: () => isNetworkId,
+  networkDiscoveryKey: () => networkDiscoveryKey,
+  openWrappedKey: () => openWrappedKey,
+  parseNetworkId: () => parseNetworkId,
+  utf8Decode: () => utf8Decode,
+  utf8Encode: () => utf8Encode,
+  validateEnvelope: () => validateEnvelope,
+  verifyDecryptResponse: () => verifyDecryptResponse
+});
+module.exports = __toCommonJS(encryption_exports);
+
+// src/types.ts
+var ErrorCodes = {
+  // Common errors
+  NOT_FOUND: "NOT_FOUND",
+  AUTH_EXPIRED: "AUTH_EXPIRED",
+  AUTH_REQUIRED: "AUTH_REQUIRED",
+  AUTH_UNAUTHORIZED: "AUTH_UNAUTHORIZED",
+  NETWORK_ERROR: "NETWORK_ERROR",
+  TIMEOUT: "TIMEOUT",
+  ABORTED: "ABORTED",
+  INVALID_INPUT: "INVALID_INPUT",
+  PERMISSION_DENIED: "PERMISSION_DENIED",
+  // KV-specific errors
+  KV_NOT_FOUND: "KV_NOT_FOUND",
+  KV_WRITE_FAILED: "KV_WRITE_FAILED",
+  // SQL-specific errors
+  SQL_ERROR: "SQL_ERROR",
+  SQL_PERMISSION_DENIED: "SQL_PERMISSION_DENIED",
+  SQL_DATABASE_NOT_FOUND: "SQL_DATABASE_NOT_FOUND",
+  SQL_RESPONSE_TOO_LARGE: "SQL_RESPONSE_TOO_LARGE",
+  SQL_QUOTA_EXCEEDED: "SQL_QUOTA_EXCEEDED",
+  SQL_INVALID_STATEMENT: "SQL_INVALID_STATEMENT",
+  SQL_SCHEMA_ERROR: "SQL_SCHEMA_ERROR",
+  SQL_READONLY_VIOLATION: "SQL_READONLY_VIOLATION",
+  // Storage quota errors
+  STORAGE_QUOTA_EXCEEDED: "STORAGE_QUOTA_EXCEEDED",
+  STORAGE_LIMIT_REACHED: "STORAGE_LIMIT_REACHED",
+  // DuckDB-specific errors
+  DUCKDB_ERROR: "DUCKDB_ERROR",
+  DUCKDB_PERMISSION_DENIED: "DUCKDB_PERMISSION_DENIED",
+  DUCKDB_DATABASE_NOT_FOUND: "DUCKDB_DATABASE_NOT_FOUND",
+  DUCKDB_RESPONSE_TOO_LARGE: "DUCKDB_RESPONSE_TOO_LARGE",
+  DUCKDB_QUOTA_EXCEEDED: "DUCKDB_QUOTA_EXCEEDED",
+  DUCKDB_INVALID_STATEMENT: "DUCKDB_INVALID_STATEMENT",
+  DUCKDB_SCHEMA_ERROR: "DUCKDB_SCHEMA_ERROR",
+  DUCKDB_READONLY_VIOLATION: "DUCKDB_READONLY_VIOLATION"
+};
+var defaultRetryPolicy = {
+  maxAttempts: 3,
+  backoff: "exponential",
+  baseDelayMs: 1e3,
+  maxDelayMs: 1e4,
+  retryableErrors: [ErrorCodes.NETWORK_ERROR, ErrorCodes.TIMEOUT]
+};
+var TelemetryEvents = {
+  SERVICE_REQUEST: "service.request",
+  SERVICE_RESPONSE: "service.response",
+  SERVICE_ERROR: "service.error",
+  SERVICE_RETRY: "service.retry",
+  SESSION_CHANGED: "session.changed",
+  SESSION_EXPIRED: "session.expired"
+};
+function err(error) {
+  return { ok: false, error };
+}
+
+// src/errors.ts
+function timeoutError(service) {
+  return {
+    code: ErrorCodes.TIMEOUT,
+    message: "Request timed out.",
+    service
+  };
+}
+function abortedError(service) {
+  return {
+    code: ErrorCodes.ABORTED,
+    message: "Request was aborted.",
+    service
+  };
+}
+function wrapError(service, error, defaultCode = ErrorCodes.NETWORK_ERROR) {
+  if (error instanceof Error) {
+    if (error.name === "AbortError") {
+      return abortedError(service);
+    }
+    if (error.name === "TimeoutError" || error.message.toLowerCase().includes("timeout")) {
+      return timeoutError(service);
+    }
+    return {
+      code: defaultCode,
+      message: error.message,
+      service,
+      cause: error
+    };
+  }
+  return {
+    code: defaultCode,
+    message: String(error),
+    service
+  };
+}
+
+// src/base/BaseService.ts
+var BaseService = class {
+  constructor() {
+    /**
+     * Abort controller for this service's operations.
+     * Reset on sign-out.
+     */
+    this.abortController = new AbortController();
+    /**
+     * Service-specific configuration.
+     */
+    this._config = {};
+  }
+  /**
+   * Get the service configuration.
+   */
+  get config() {
+    return this._config;
+  }
+  /**
+   * Initialize the service with context.
+   * Called by the SDK after instantiation.
+   *
+   * @param context - The service context
+   */
+  initialize(context) {
+    this.context = context;
+  }
+  /**
+   * Called when session changes (sign-in, sign-out, refresh).
+   * Override in subclasses to handle session changes.
+   *
+   * @param session - The new session, or null if signed out
+   */
+  onSessionChange(session) {
+  }
+  /**
+   * Called when SDK signs out.
+   * Aborts all pending operations.
+   */
+  onSignOut() {
+    this.abortController.abort();
+    this.abortController = new AbortController();
+  }
+  /**
+   * Get the abort signal for this service.
+   * Combines the service-level abort with context-level abort.
+   */
+  get abortSignal() {
+    return this.abortController.signal;
+  }
+  /**
+   * Check if the service is authenticated.
+   */
+  get isAuthenticated() {
+    return this.context?.isAuthenticated ?? false;
+  }
+  /**
+   * Get the current session.
+   * Throws if not authenticated.
+   */
+  get session() {
+    if (!this.context?.session) {
+      throw new Error("Not authenticated");
+    }
+    return this.context.session;
+  }
+  /**
+   * Check authentication and return error result if not authenticated.
+   * Use this at the start of methods that require authentication.
+   *
+   * @returns true if authenticated, false otherwise
+   */
+  requireAuth() {
+    return this.isAuthenticated;
+  }
+  /**
+   * Emit a telemetry event.
+   *
+   * @param event - Event name
+   * @param data - Event data
+   */
+  emit(event, data) {
+    this.context?.emit(event, data);
+  }
+  /**
+   * Emit a service request event.
+   *
+   * @param action - The action being performed
+   * @param key - Optional key/path being accessed
+   */
+  emitRequest(action, key) {
+    this.emit(TelemetryEvents.SERVICE_REQUEST, {
+      service: this.getServiceName(),
+      action,
+      key,
+      timestamp: Date.now()
+    });
+  }
+  /**
+   * Emit a service response event.
+   *
+   * @param action - The action that was performed
+   * @param ok - Whether the request was successful
+   * @param startTime - Start time for duration calculation
+   * @param status - Optional HTTP status code
+   */
+  emitResponse(action, ok, startTime, status) {
+    this.emit(TelemetryEvents.SERVICE_RESPONSE, {
+      service: this.getServiceName(),
+      action,
+      ok,
+      duration: Date.now() - startTime,
+      status
+    });
+  }
+  /**
+   * Emit a service error event.
+   *
+   * @param error - The service error
+   */
+  emitError(error) {
+    this.emit(TelemetryEvents.SERVICE_ERROR, {
+      service: this.getServiceName(),
+      error
+    });
+  }
+  /**
+   * Get the service name from the static property.
+   * Subclasses must define static serviceName.
+   */
+  getServiceName() {
+    return this.constructor.serviceName;
+  }
+  /**
+   * Create a combined abort signal from multiple sources.
+   *
+   * @param signals - Additional abort signals to combine
+   * @returns A combined abort signal
+   */
+  combineSignals(...signals) {
+    const controller = new AbortController();
+    const allSignals = [this.abortSignal, ...signals.filter(Boolean)];
+    for (const signal of allSignals) {
+      if (signal.aborted) {
+        controller.abort(signal.reason);
+        return controller.signal;
+      }
+      signal.addEventListener("abort", () => controller.abort(signal.reason), {
+        once: true
+      });
+    }
+    return controller.signal;
+  }
+  /**
+   * Wrap an operation with error handling and telemetry.
+   *
+   * @param action - The action name for telemetry
+   * @param key - Optional key for telemetry
+   * @param operation - The operation to execute
+   * @returns Result of the operation
+   */
+  async withTelemetry(action, key, operation) {
+    const startTime = Date.now();
+    this.emitRequest(action, key);
+    try {
+      const result = await operation();
+      if (result.ok) {
+        this.emitResponse(action, true, startTime);
+      } else {
+        this.emitResponse(action, false, startTime);
+        this.emitError(result.error);
+      }
+      return result;
+    } catch (error) {
+      const serviceError2 = wrapError(this.getServiceName(), error);
+      this.emitResponse(action, false, startTime);
+      this.emitError(serviceError2);
+      return err(serviceError2);
+    }
+  }
+};
+
+// src/encryption/canonical.ts
+function canonicalize(value) {
+  if (value === void 0) {
+    return "";
+  }
+  return stringify(value);
+}
+function stringify(value) {
+  if (value === null) return "null";
+  switch (typeof value) {
+    case "boolean":
+    case "number":
+      return JSON.stringify(value);
+    case "string":
+      return JSON.stringify(value);
+    case "object": {
+      if (Array.isArray(value)) {
+        return `[${value.map(stringify).join(",")}]`;
+      }
+      const keys = Object.keys(value).sort();
+      const parts = [];
+      for (const k of keys) {
+        const v = value[k];
+        if (v === void 0) continue;
+        parts.push(`${JSON.stringify(k)}:${stringify(v)}`);
+      }
+      return `{${parts.join(",")}}`;
+    }
+    default:
+      throw new TypeError(
+        `canonicalize: unsupported value type ${typeof value}`
+      );
+  }
+}
+var HEX = "0123456789abcdef";
+function hexEncode(bytes) {
+  let out = "";
+  for (let i = 0; i < bytes.length; i++) {
+    const b = bytes[i];
+    out += HEX[b >> 4 & 15] + HEX[b & 15];
+  }
+  return out;
+}
+function hexDecode(hex) {
+  if (hex.length % 2 !== 0) {
+    throw new Error("hex string must have even length");
+  }
+  const out = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    const hi = parseInt(hex[i * 2], 16);
+    const lo = parseInt(hex[i * 2 + 1], 16);
+    if (Number.isNaN(hi) || Number.isNaN(lo)) {
+      throw new Error("invalid hex character");
+    }
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+function base64Encode(bytes) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  let out = "";
+  for (let i = 0; i < bytes.length; i += 3) {
+    const b0 = bytes[i];
+    const b1 = i + 1 < bytes.length ? bytes[i + 1] : 0;
+    const b2 = i + 2 < bytes.length ? bytes[i + 2] : 0;
+    out += chars[b0 >> 2 & 63];
+    out += chars[(b0 << 4 | b1 >> 4) & 63];
+    out += i + 1 < bytes.length ? chars[(b1 << 2 | b2 >> 6) & 63] : "=";
+    out += i + 2 < bytes.length ? chars[b2 & 63] : "=";
+  }
+  return out;
+}
+function base64Decode(s) {
+  const clean = s.replace(/[^A-Za-z0-9+/=]/g, "");
+  const len = clean.length;
+  if (len % 4 !== 0) {
+    throw new Error("invalid base64 input");
+  }
+  const padding = clean.endsWith("==") ? 2 : clean.endsWith("=") ? 1 : 0;
+  const outLen = len / 4 * 3 - padding;
+  const out = new Uint8Array(outLen);
+  const lookup = {};
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  for (let i = 0; i < chars.length; i++) lookup[chars[i]] = i;
+  let outIdx = 0;
+  for (let i = 0; i < len; i += 4) {
+    const v0 = lookup[clean[i]] ?? 0;
+    const v1 = lookup[clean[i + 1]] ?? 0;
+    const v2 = clean[i + 2] === "=" ? 0 : lookup[clean[i + 2]] ?? 0;
+    const v3 = clean[i + 3] === "=" ? 0 : lookup[clean[i + 3]] ?? 0;
+    const b0 = v0 << 2 | v1 >> 4;
+    const b1 = (v1 & 15) << 4 | v2 >> 2;
+    const b2 = (v2 & 3) << 6 | v3;
+    if (outIdx < outLen) out[outIdx++] = b0;
+    if (outIdx < outLen) out[outIdx++] = b1;
+    if (outIdx < outLen) out[outIdx++] = b2;
+  }
+  return out;
+}
+function utf8Encode(s) {
+  return new TextEncoder().encode(s);
+}
+function utf8Decode(b) {
+  return new TextDecoder().decode(b);
+}
+function canonicalHashHex(sha256, value) {
+  const canonical = canonicalize(value);
+  return hexEncode(sha256(utf8Encode(canonical)));
+}
+
+// src/encryption/networkId.ts
+var URN_PREFIX = "urn:tinycloud:encryption:";
+var NETWORK_NAME_RE = /^[a-z0-9][a-z0-9-]*$/;
+var NetworkIdError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "NetworkIdError";
+  }
+};
+function parseNetworkId(networkId) {
+  if (typeof networkId !== "string" || networkId.length === 0) {
+    throw new NetworkIdError("networkId must be a non-empty string");
+  }
+  if (!networkId.startsWith(URN_PREFIX)) {
+    throw new NetworkIdError(
+      `networkId must start with ${URN_PREFIX} (got ${JSON.stringify(networkId)})`
+    );
+  }
+  const body = networkId.slice(URN_PREFIX.length);
+  const lastColon = body.lastIndexOf(":");
+  if (lastColon <= 0 || lastColon === body.length - 1) {
+    throw new NetworkIdError(
+      `networkId missing principal or name segment (got ${JSON.stringify(networkId)})`
+    );
+  }
+  const principal = body.slice(0, lastColon);
+  const name = body.slice(lastColon + 1);
+  if (!principal.startsWith("did:")) {
+    throw new NetworkIdError(
+      `networkId principal must be a DID (got ${JSON.stringify(principal)})`
+    );
+  }
+  const didParts = principal.split(":");
+  if (didParts.length < 3 || didParts.some((p) => p.length === 0)) {
+    throw new NetworkIdError(
+      `networkId principal is not a well-formed DID (got ${JSON.stringify(principal)})`
+    );
+  }
+  if (!NETWORK_NAME_RE.test(name)) {
+    throw new NetworkIdError(
+      `networkId name ${JSON.stringify(name)} must match ${NETWORK_NAME_RE.source}`
+    );
+  }
+  return { networkId, principal, name };
+}
+function buildNetworkId(principal, name) {
+  if (typeof principal !== "string" || !principal.startsWith("did:")) {
+    throw new NetworkIdError("principal must be a DID");
+  }
+  if (typeof name !== "string" || !NETWORK_NAME_RE.test(name)) {
+    throw new NetworkIdError(
+      `network name ${JSON.stringify(name)} must match ${NETWORK_NAME_RE.source}`
+    );
+  }
+  const networkId = `${URN_PREFIX}${principal}:${name}`;
+  parseNetworkId(networkId);
+  return networkId;
+}
+function isNetworkId(networkId) {
+  if (typeof networkId !== "string") {
+    return false;
+  }
+  try {
+    parseNetworkId(networkId);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function networkDiscoveryKey(name) {
+  if (!NETWORK_NAME_RE.test(name)) {
+    throw new NetworkIdError(
+      `network name ${JSON.stringify(name)} must match ${NETWORK_NAME_RE.source}`
+    );
+  }
+  return `.well-known/encryption/network/${name}`;
+}
+var ENCRYPTION_NETWORK_URN_PREFIX = URN_PREFIX;
+var NETWORK_NAME_PATTERN = NETWORK_NAME_RE;
+
+// src/encryption/types.ts
+var DEFAULT_ENCRYPTION_ALG = "x25519-aes256gcm/v1";
+var ENVELOPE_VERSION = 1;
+var DEFAULT_KEY_VERSION = 1;
+var DECRYPT_FACT_TYPE = "tinycloud.encryption.decrypt/v1";
+var DECRYPT_RESULT_TYPE = "tinycloud.encryption.decrypt-result/v1";
+var ENCRYPTION_SERVICE = "tinycloud.encryption";
+var ENCRYPTION_SERVICE_SHORT = "encryption";
+var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
+function defaultEncryptionMessage(input) {
+  switch (input.code) {
+    case "NETWORK_NOT_FOUND":
+      return input.message ?? `Network not found: ${input.networkId ?? input.name ?? "<unknown>"}`;
+    case "NETWORK_NOT_ACTIVE":
+      return input.message ?? `Network not active (state=${input.state})`;
+    case "INVALID_NETWORK_ID":
+      return input.message;
+    case "INVALID_ENVELOPE":
+      return input.message;
+    case "DECRYPT_DENIED":
+      return input.message;
+    case "INVALID_RESPONSE":
+      return input.message;
+    case "RESPONSE_SIGNATURE_INVALID":
+      return input.message ?? "Node response signature failed to verify";
+    case "RESPONSE_BINDING_MISMATCH":
+      return input.message ?? `Node response binding mismatch on field ${JSON.stringify(input.field)}`;
+    case "TRANSPORT_ERROR":
+      return input.message ?? input.cause.message;
+    case "INVALID_INPUT":
+      return input.message;
+  }
+}
+function encryptionError(input) {
+  return {
+    ...input,
+    service: "encryption",
+    message: defaultEncryptionMessage(input)
+  };
+}
+function toError(error) {
+  if (error instanceof Error) return error;
+  if (typeof error === "object" && error !== null) {
+    return new Error(JSON.stringify(error));
+  }
+  return new Error(String(error));
+}
+
+// src/encryption/discovery.ts
+async function discoverNetwork(input) {
+  let networkId;
+  let principal;
+  let name;
+  try {
+    if (input.identifier.startsWith("urn:tinycloud:encryption:")) {
+      const parsed = parseNetworkId(input.identifier);
+      networkId = parsed.networkId;
+      principal = parsed.principal;
+      name = parsed.name;
+    } else {
+      if (input.principal === void 0) {
+        return {
+          ok: false,
+          error: encryptionError({
+            code: "INVALID_INPUT",
+            message: "discoverNetwork requires `principal` when identifier is a bare network name"
+          })
+        };
+      }
+      networkId = `urn:tinycloud:encryption:${input.principal}:${input.identifier}`;
+      const parsed = parseNetworkId(networkId);
+      principal = parsed.principal;
+      name = parsed.name;
+    }
+  } catch (err2) {
+    if (err2 instanceof NetworkIdError) {
+      return {
+        ok: false,
+        error: encryptionError({
+          code: "INVALID_NETWORK_ID",
+          message: err2.message
+        })
+      };
+    }
+    throw err2;
+  }
+  if (input.node !== void 0) {
+    try {
+      const descriptor = await input.node.fetchByNetworkId(networkId);
+      if (descriptor !== null) {
+        const validated = validateDescriptor(descriptor, networkId, principal, name);
+        if (!validated.ok) return validated;
+        return { ok: true, data: { descriptor: validated.data, source: "node" } };
+      }
+    } catch (err2) {
+    }
+  }
+  if (input.wellKnown !== void 0) {
+    try {
+      const descriptor = await input.wellKnown.fetchWellKnown(
+        principal,
+        networkDiscoveryKey(name)
+      );
+      if (descriptor !== null) {
+        const validated = validateDescriptor(descriptor, networkId, principal, name);
+        if (!validated.ok) return validated;
+        return {
+          ok: true,
+          data: { descriptor: validated.data, source: "well-known" }
+        };
+      }
+    } catch (err2) {
+    }
+  }
+  return {
+    ok: false,
+    error: encryptionError({
+      code: "NETWORK_NOT_FOUND",
+      networkId,
+      name
+    })
+  };
+}
+function validateDescriptor(descriptor, networkId, principal, name) {
+  if (descriptor.networkId !== networkId) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: `descriptor networkId ${JSON.stringify(descriptor.networkId)} does not match expected ${JSON.stringify(networkId)}`
+      })
+    };
+  }
+  if (descriptor.principal !== principal) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: "descriptor principal does not match networkId principal"
+      })
+    };
+  }
+  if (descriptor.name !== name) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: "descriptor name does not match networkId name"
+      })
+    };
+  }
+  if (typeof descriptor.publicEncryptionKey !== "string" || descriptor.publicEncryptionKey.length === 0) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: "descriptor publicEncryptionKey must be a non-empty string"
+      })
+    };
+  }
+  return { ok: true, data: descriptor };
+}
+function ensureNetworkUsableForDecrypt(descriptor) {
+  if (descriptor.state === "active" || descriptor.state === "rotating") {
+    return { ok: true, data: descriptor };
+  }
+  return {
+    ok: false,
+    error: encryptionError({
+      code: "NETWORK_NOT_ACTIVE",
+      state: descriptor.state
+    })
+  };
+}
+
+// src/encryption/envelope.ts
+function encryptToNetwork(crypto, input) {
+  parseNetworkId(input.networkId);
+  const alg = input.alg ?? DEFAULT_ENCRYPTION_ALG;
+  const keyVersion = input.keyVersion ?? DEFAULT_KEY_VERSION;
+  const symmetricKey = crypto.randomBytes(32);
+  const ciphertext = crypto.authEncrypt(symmetricKey, input.plaintext, input.aad);
+  const wrapped = crypto.sealToNetworkKey(input.networkPublicKey, symmetricKey);
+  const encryptedSymmetricKey = base64Encode(wrapped);
+  const encryptedSymmetricKeyHash = canonicalHashHex(
+    crypto.sha256,
+    encryptedSymmetricKey
+  );
+  const envelope = {
+    v: ENVELOPE_VERSION,
+    networkId: input.networkId,
+    alg,
+    keyVersion,
+    encryptedSymmetricKey,
+    encryptedSymmetricKeyHash,
+    ciphertext: base64Encode(ciphertext),
+    ...input.aad !== void 0 ? { aad: base64Encode(input.aad) } : {},
+    ...input.metadata !== void 0 ? { metadata: input.metadata } : {}
+  };
+  return { envelope, symmetricKey };
+}
+function validateEnvelope(crypto, envelope) {
+  if (envelope === null || typeof envelope !== "object") {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: "envelope must be an object"
+      })
+    };
+  }
+  const e = envelope;
+  if (e.v !== ENVELOPE_VERSION) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: `envelope.v must be ${ENVELOPE_VERSION} (got ${e.v})`
+      })
+    };
+  }
+  try {
+    parseNetworkId(e.networkId);
+  } catch (err2) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: `envelope.networkId is malformed: ${err2 instanceof Error ? err2.message : String(err2)}`
+      })
+    };
+  }
+  for (const field of [
+    "alg",
+    "encryptedSymmetricKey",
+    "encryptedSymmetricKeyHash",
+    "ciphertext"
+  ]) {
+    if (typeof e[field] !== "string" || e[field].length === 0) {
+      return {
+        ok: false,
+        error: encryptionError({
+          code: "INVALID_ENVELOPE",
+          message: `envelope.${field} must be a non-empty string`
+        })
+      };
+    }
+  }
+  if (typeof e.keyVersion !== "number" || !Number.isInteger(e.keyVersion)) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: "envelope.keyVersion must be an integer"
+      })
+    };
+  }
+  const expectedHash = canonicalHashHex(crypto.sha256, e.encryptedSymmetricKey);
+  if (expectedHash !== e.encryptedSymmetricKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: "envelope.encryptedSymmetricKeyHash does not match canonical hash of encryptedSymmetricKey"
+      })
+    };
+  }
+  return { ok: true, data: e };
+}
+function decryptEnvelopeWithKey(crypto, envelope, symmetricKey) {
+  const ciphertext = base64Decode(envelope.ciphertext);
+  const aad = envelope.aad !== void 0 ? base64Decode(envelope.aad) : void 0;
+  return crypto.authDecrypt(symmetricKey, ciphertext, aad);
+}
+
+// src/encryption/invocation.ts
+function buildCanonicalDecryptRequest(input) {
+  const canonicalBody = canonicalize(input.body);
+  const bodyHash = canonicalHashHex(
+    input.crypto.sha256,
+    input.body
+  );
+  const receiverPublicKeyHash = canonicalHashHex(
+    input.crypto.sha256,
+    input.body.receiverPublicKey
+  );
+  return { canonicalBody, bodyHash, receiverPublicKeyHash };
+}
+function buildDecryptFacts(input) {
+  const bodyHash = input.canonicalBody !== void 0 ? hexEncode(input.crypto.sha256(utf8Encode(input.canonicalBody))) : canonicalHashHex(
+    input.crypto.sha256,
+    input.body
+  );
+  const receiverPublicKeyHash = canonicalHashHex(
+    input.crypto.sha256,
+    input.body.receiverPublicKey
+  );
+  return {
+    type: DECRYPT_FACT_TYPE,
+    targetNode: input.body.targetNode,
+    networkId: input.body.networkId,
+    bodyHash,
+    encryptedSymmetricKeyHash: input.encryptedSymmetricKeyHash,
+    receiverPublicKeyHash,
+    alg: input.body.alg,
+    keyVersion: input.body.keyVersion
+  };
+}
+function buildDecryptAttenuation(networkId) {
+  parseNetworkId(networkId);
+  return {
+    [networkId]: {
+      [DECRYPT_ACTION]: {}
+    }
+  };
+}
+function checkDecryptInvocationInput(crypto, input) {
+  if (input.body.type !== DECRYPT_FACT_TYPE) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: `body.type must be ${DECRYPT_FACT_TYPE}`
+      })
+    };
+  }
+  if (input.facts.type !== DECRYPT_FACT_TYPE) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: `facts.type must be ${DECRYPT_FACT_TYPE}`
+      })
+    };
+  }
+  if (input.facts.targetNode !== input.targetNode) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.targetNode must equal targetNode \u2014 the UCAN audience binds the request to a single node"
+      })
+    };
+  }
+  if (input.body.targetNode !== input.targetNode) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "body.targetNode must equal targetNode"
+      })
+    };
+  }
+  if (input.facts.networkId !== input.networkId) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.networkId must equal networkId"
+      })
+    };
+  }
+  if (input.body.networkId !== input.networkId) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "body.networkId must equal networkId"
+      })
+    };
+  }
+  if (input.facts.alg !== input.body.alg) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.alg must equal body.alg"
+      })
+    };
+  }
+  if (input.facts.keyVersion !== input.body.keyVersion) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.keyVersion must equal body.keyVersion"
+      })
+    };
+  }
+  if (input.facts.encryptedSymmetricKeyHash !== input.body.encryptedSymmetricKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.encryptedSymmetricKeyHash must equal body.encryptedSymmetricKeyHash"
+      })
+    };
+  }
+  if (input.facts.receiverPublicKeyHash !== input.body.receiverPublicKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.receiverPublicKeyHash must equal body.receiverPublicKeyHash"
+      })
+    };
+  }
+  try {
+    parseNetworkId(input.networkId);
+  } catch (err2) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: err2 instanceof Error ? err2.message : String(err2)
+      })
+    };
+  }
+  const canonicalBody = canonicalize(
+    input.body
+  );
+  const expectedBodyHash = canonicalHashHex(crypto.sha256, input.body);
+  if (expectedBodyHash !== input.facts.bodyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.bodyHash does not match the canonical body hash"
+      })
+    };
+  }
+  return { ok: true, data: input, canonicalBody };
+}
+async function buildDecryptInvocation(crypto, signer, input) {
+  const checked = checkDecryptInvocationInput(crypto, input);
+  if (!checked.ok) {
+    return checked;
+  }
+  try {
+    const built = await signer.signDecryptInvocation(checked.data);
+    if (!built.authorization || !built.invocationCid) {
+      return {
+        ok: false,
+        error: encryptionError({
+          code: "INVALID_INPUT",
+          message: "decrypt-invocation signer returned an empty authorization or invocationCid"
+        })
+      };
+    }
+    if (built.canonicalBody !== checked.canonicalBody) {
+      return {
+        ok: false,
+        error: encryptionError({
+          code: "INVALID_INPUT",
+          message: "decrypt-invocation signer returned a canonicalBody that does not match the SDK's canonicalization \u2014 signer must use the SDK-provided body"
+        })
+      };
+    }
+    return { ok: true, data: built };
+  } catch (err2) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "TRANSPORT_ERROR",
+        cause: err2 instanceof Error ? err2 : new Error(String(err2)),
+        message: `failed to sign decrypt invocation: ${err2 instanceof Error ? err2.message : String(err2)}`
+      })
+    };
+  }
+}
+
+// src/encryption/receiverKey.ts
+function generateRandomReceiverKey(input) {
+  const seed = input.crypto.randomBytes(32);
+  return input.crypto.x25519FromSeed(seed);
+}
+async function deriveSignedReceiverKey(input) {
+  const message = `tinycloud.encryption.receiver-key/v1:${input.networkId}:${input.context ?? ""}`;
+  const sig = await input.signer.signMessage(message);
+  const sigBytes = utf8Encode(sig);
+  const seed = input.crypto.sha256(sigBytes);
+  return input.crypto.x25519FromSeed(seed);
+}
+
+// src/encryption/response.ts
+function canonicalSignedResponse(response) {
+  const { nodeSignature: _drop, ...rest } = response;
+  return canonicalize(rest);
+}
+function verifyDecryptResponse(input) {
+  const { crypto, request, facts, invocationCid, requestBodyHash, response } = input;
+  if (response.type !== DECRYPT_RESULT_TYPE) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_RESPONSE",
+        message: `response.type must be ${DECRYPT_RESULT_TYPE}`
+      })
+    };
+  }
+  if (response.targetNode !== request.targetNode) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "targetNode"
+      })
+    };
+  }
+  if (response.networkId !== request.networkId) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "networkId"
+      })
+    };
+  }
+  if (response.alg !== request.alg) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "alg"
+      })
+    };
+  }
+  if (response.keyVersion !== request.keyVersion) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "keyVersion"
+      })
+    };
+  }
+  if (response.encryptedSymmetricKeyHash !== request.encryptedSymmetricKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "encryptedSymmetricKeyHash"
+      })
+    };
+  }
+  if (response.receiverPublicKeyHash !== request.receiverPublicKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "receiverPublicKeyHash"
+      })
+    };
+  }
+  if (response.invocationCid !== invocationCid) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "invocationCid"
+      })
+    };
+  }
+  const expectedRequestHash = hexEncode(
+    crypto.sha256(utf8Encode(`${invocationCid}${requestBodyHash}`))
+  );
+  if (response.requestHash !== expectedRequestHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "requestHash"
+      })
+    };
+  }
+  if (facts.encryptedSymmetricKeyHash !== response.encryptedSymmetricKeyHash || facts.receiverPublicKeyHash !== response.receiverPublicKeyHash || facts.networkId !== response.networkId || facts.targetNode !== response.targetNode || facts.alg !== response.alg || facts.keyVersion !== response.keyVersion) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "facts"
+      })
+    };
+  }
+  const signedBytes = new TextEncoder().encode(
+    canonicalSignedResponse(response)
+  );
+  const signatureBytes = base64Decode(response.nodeSignature);
+  if (!crypto.verifyNodeSignature(response.nodeId, signedBytes, signatureBytes)) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_SIGNATURE_INVALID"
+      })
+    };
+  }
+  return { ok: true, data: response };
+}
+function openWrappedKey(crypto, receiverPrivateKey, response) {
+  const wrapped = base64Decode(response.wrappedKey);
+  return crypto.openWithReceiverKey(receiverPrivateKey, wrapped);
+}
+
+// src/encryption/EncryptionService.ts
+function encOk(data) {
+  return { ok: true, data };
+}
+function encErr(error) {
+  return { ok: false, error };
+}
+var EncryptionService = class extends BaseService {
+  constructor(config) {
+    super();
+    this._config = config;
+  }
+  get config() {
+    return this._config;
+  }
+  get crypto() {
+    return this._config.crypto;
+  }
+  async discoverNetwork(identifier, principal) {
+    const result = await discoverNetwork({
+      identifier,
+      ...principal !== void 0 ? { principal } : {},
+      ...this._config.node !== void 0 ? { node: this._config.node } : {},
+      ...this._config.wellKnown !== void 0 ? { wellKnown: this._config.wellKnown } : {}
+    });
+    if (!result.ok) return result;
+    return encOk(result.data.descriptor);
+  }
+  async encryptToNetwork(networkId, plaintext, options) {
+    try {
+      const discovered = await this.discoverNetwork(networkId);
+      if (!discovered.ok) return discovered;
+      const usable = ensureNetworkUsableForDecrypt(discovered.data);
+      if (!usable.ok) return usable;
+      const descriptor = usable.data;
+      const networkPublicKey = base64Decode(descriptor.publicEncryptionKey);
+      const result = encryptToNetwork(this.crypto, {
+        networkId,
+        networkPublicKey,
+        plaintext,
+        ...options?.aad !== void 0 ? { aad: options.aad } : {},
+        alg: options?.alg ?? descriptor.alg,
+        keyVersion: options?.keyVersion ?? descriptor.keyVersion,
+        ...options?.metadata !== void 0 ? { metadata: options.metadata } : {}
+      });
+      return encOk(result.envelope);
+    } catch (error) {
+      return encErr(
+        encryptionError({
+          code: "TRANSPORT_ERROR",
+          cause: toError(error)
+        })
+      );
+    }
+  }
+  async decryptEnvelope(envelope, capabilityProof, options) {
+    try {
+      const validated = validateEnvelope(this.crypto, envelope);
+      if (!validated.ok) return validated;
+      let descriptor;
+      if (options?.descriptor !== void 0) {
+        descriptor = options.descriptor;
+      } else {
+        const discovered = await this.discoverNetwork(envelope.networkId);
+        if (!discovered.ok) return discovered;
+        descriptor = discovered.data;
+      }
+      const usable = ensureNetworkUsableForDecrypt(descriptor);
+      if (!usable.ok) return usable;
+      const targetNode = options?.targetNode ?? descriptor.members[0]?.nodeId;
+      if (targetNode === void 0) {
+        return encErr(
+          encryptionError({
+            code: "INVALID_INPUT",
+            message: "no target node available from descriptor"
+          })
+        );
+      }
+      const receiverKey = generateRandomReceiverKey({ crypto: this.crypto });
+      const receiverPublicKey = base64Encode(receiverKey.publicKey);
+      const receiverPublicKeyHash = canonicalHashHex(
+        this.crypto.sha256,
+        receiverPublicKey
+      );
+      const body = {
+        type: DECRYPT_FACT_TYPE,
+        targetNode,
+        networkId: envelope.networkId,
+        alg: envelope.alg,
+        keyVersion: envelope.keyVersion,
+        encryptedSymmetricKey: envelope.encryptedSymmetricKey,
+        encryptedSymmetricKeyHash: envelope.encryptedSymmetricKeyHash,
+        receiverPublicKey,
+        receiverPublicKeyHash
+      };
+      const canonicalRequest = buildCanonicalDecryptRequest({
+        crypto: this.crypto,
+        body,
+        receiverPublicKey: receiverKey.publicKey
+      });
+      const facts = buildDecryptFacts({
+        crypto: this.crypto,
+        body,
+        encryptedSymmetricKeyHash: envelope.encryptedSymmetricKeyHash,
+        receiverPublicKey: receiverKey.publicKey,
+        canonicalBody: canonicalRequest.canonicalBody
+      });
+      const built = await buildDecryptInvocation(this.crypto, this._config.signer, {
+        targetNode,
+        networkId: envelope.networkId,
+        body,
+        facts,
+        proof: capabilityProof
+      });
+      if (!built.ok) return built;
+      let response;
+      try {
+        response = await this._config.transport.postDecrypt({
+          targetNode,
+          networkId: envelope.networkId,
+          authorization: built.data.authorization,
+          canonicalBody: built.data.canonicalBody
+        });
+      } catch (error) {
+        return encErr(
+          encryptionError({
+            code: "TRANSPORT_ERROR",
+            cause: toError(error)
+          })
+        );
+      }
+      const verified = verifyDecryptResponse({
+        crypto: this.crypto,
+        request: body,
+        facts,
+        invocationCid: built.data.invocationCid,
+        requestBodyHash: facts.bodyHash,
+        response
+      });
+      if (!verified.ok) return verified;
+      const symmetricKey = openWrappedKey(
+        this.crypto,
+        receiverKey.privateKey,
+        verified.data
+      );
+      const plaintext = decryptEnvelopeWithKey(
+        this.crypto,
+        envelope,
+        symmetricKey
+      );
+      return encOk(plaintext);
+    } catch (error) {
+      return encErr(
+        encryptionError({
+          code: "TRANSPORT_ERROR",
+          cause: toError(error)
+        })
+      );
+    }
+  }
+};
+EncryptionService.serviceName = "encryption";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DEFAULT_ENCRYPTION_ALG,
+  DEFAULT_KEY_VERSION,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION,
+  EncryptionService,
+  NETWORK_NAME_PATTERN,
+  NetworkIdError,
+  base64Decode,
+  base64Encode,
+  buildCanonicalDecryptRequest,
+  buildDecryptAttenuation,
+  buildDecryptFacts,
+  buildDecryptInvocation,
+  buildNetworkId,
+  canonicalHashHex,
+  canonicalSignedResponse,
+  canonicalize,
+  checkDecryptInvocationInput,
+  decryptEnvelopeWithKey,
+  deriveSignedReceiverKey,
+  discoverNetwork,
+  encryptToNetwork,
+  encryptionError,
+  ensureNetworkUsableForDecrypt,
+  generateRandomReceiverKey,
+  hexDecode,
+  hexEncode,
+  isNetworkId,
+  networkDiscoveryKey,
+  openWrappedKey,
+  parseNetworkId,
+  utf8Decode,
+  utf8Encode,
+  validateEnvelope,
+  verifyDecryptResponse
+});
+//# sourceMappingURL=index.cjs.map