npm - @tinycloud/sdk-services - Versions diffs - 2.2.0-beta.7 → 2.2.0 - Mend

@tinycloud/sdk-services 2.2.0-beta.7 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/{BaseService-BiS6HRwE.d.cts → BaseService-C_iXlTeN.d.cts} +6 -1
package/dist/{BaseService-BiS6HRwE.d.ts → BaseService-C_iXlTeN.d.ts} +6 -1
package/dist/encryption/index.cjs +1340 -0
package/dist/encryption/index.cjs.map +1 -0
package/dist/encryption/index.d.cts +802 -0
package/dist/encryption/index.d.ts +802 -0
package/dist/encryption/index.js +1274 -0
package/dist/encryption/index.js.map +1 -0
package/dist/index.cjs +1555 -46
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +55 -12
package/dist/index.d.ts +55 -12
package/dist/index.js +1510 -46
package/dist/index.js.map +1 -1
package/dist/kv/index.cjs +116 -0
package/dist/kv/index.cjs.map +1 -1
package/dist/kv/index.d.cts +100 -2
package/dist/kv/index.d.ts +100 -2
package/dist/kv/index.js +115 -0
package/dist/kv/index.js.map +1 -1
package/dist/sql/index.cjs.map +1 -1
package/dist/sql/index.d.cts +1 -1
package/dist/sql/index.d.ts +1 -1
package/dist/sql/index.js.map +1 -1
package/package.json +7 -2

package/dist/encryption/index.js ADDED Viewed

@@ -0,0 +1,1274 @@
+// src/types.ts
+var ErrorCodes = {
+  // Common errors
+  NOT_FOUND: "NOT_FOUND",
+  AUTH_EXPIRED: "AUTH_EXPIRED",
+  AUTH_REQUIRED: "AUTH_REQUIRED",
+  AUTH_UNAUTHORIZED: "AUTH_UNAUTHORIZED",
+  NETWORK_ERROR: "NETWORK_ERROR",
+  TIMEOUT: "TIMEOUT",
+  ABORTED: "ABORTED",
+  INVALID_INPUT: "INVALID_INPUT",
+  PERMISSION_DENIED: "PERMISSION_DENIED",
+  // KV-specific errors
+  KV_NOT_FOUND: "KV_NOT_FOUND",
+  KV_WRITE_FAILED: "KV_WRITE_FAILED",
+  // SQL-specific errors
+  SQL_ERROR: "SQL_ERROR",
+  SQL_PERMISSION_DENIED: "SQL_PERMISSION_DENIED",
+  SQL_DATABASE_NOT_FOUND: "SQL_DATABASE_NOT_FOUND",
+  SQL_RESPONSE_TOO_LARGE: "SQL_RESPONSE_TOO_LARGE",
+  SQL_QUOTA_EXCEEDED: "SQL_QUOTA_EXCEEDED",
+  SQL_INVALID_STATEMENT: "SQL_INVALID_STATEMENT",
+  SQL_SCHEMA_ERROR: "SQL_SCHEMA_ERROR",
+  SQL_READONLY_VIOLATION: "SQL_READONLY_VIOLATION",
+  // Storage quota errors
+  STORAGE_QUOTA_EXCEEDED: "STORAGE_QUOTA_EXCEEDED",
+  STORAGE_LIMIT_REACHED: "STORAGE_LIMIT_REACHED",
+  // DuckDB-specific errors
+  DUCKDB_ERROR: "DUCKDB_ERROR",
+  DUCKDB_PERMISSION_DENIED: "DUCKDB_PERMISSION_DENIED",
+  DUCKDB_DATABASE_NOT_FOUND: "DUCKDB_DATABASE_NOT_FOUND",
+  DUCKDB_RESPONSE_TOO_LARGE: "DUCKDB_RESPONSE_TOO_LARGE",
+  DUCKDB_QUOTA_EXCEEDED: "DUCKDB_QUOTA_EXCEEDED",
+  DUCKDB_INVALID_STATEMENT: "DUCKDB_INVALID_STATEMENT",
+  DUCKDB_SCHEMA_ERROR: "DUCKDB_SCHEMA_ERROR",
+  DUCKDB_READONLY_VIOLATION: "DUCKDB_READONLY_VIOLATION"
+};
+var defaultRetryPolicy = {
+  maxAttempts: 3,
+  backoff: "exponential",
+  baseDelayMs: 1e3,
+  maxDelayMs: 1e4,
+  retryableErrors: [ErrorCodes.NETWORK_ERROR, ErrorCodes.TIMEOUT]
+};
+var TelemetryEvents = {
+  SERVICE_REQUEST: "service.request",
+  SERVICE_RESPONSE: "service.response",
+  SERVICE_ERROR: "service.error",
+  SERVICE_RETRY: "service.retry",
+  SESSION_CHANGED: "session.changed",
+  SESSION_EXPIRED: "session.expired"
+};
+function err(error) {
+  return { ok: false, error };
+}
+// src/errors.ts
+function timeoutError(service) {
+  return {
+    code: ErrorCodes.TIMEOUT,
+    message: "Request timed out.",
+    service
+  };
+}
+function abortedError(service) {
+  return {
+    code: ErrorCodes.ABORTED,
+    message: "Request was aborted.",
+    service
+  };
+}
+function wrapError(service, error, defaultCode = ErrorCodes.NETWORK_ERROR) {
+  if (error instanceof Error) {
+    if (error.name === "AbortError") {
+      return abortedError(service);
+    }
+    if (error.name === "TimeoutError" || error.message.toLowerCase().includes("timeout")) {
+      return timeoutError(service);
+    }
+    return {
+      code: defaultCode,
+      message: error.message,
+      service,
+      cause: error
+    };
+  }
+  return {
+    code: defaultCode,
+    message: String(error),
+    service
+  };
+}
+// src/base/BaseService.ts
+var BaseService = class {
+  constructor() {
+    /**
+     * Abort controller for this service's operations.
+     * Reset on sign-out.
+     */
+    this.abortController = new AbortController();
+    /**
+     * Service-specific configuration.
+     */
+    this._config = {};
+  }
+  /**
+   * Get the service configuration.
+   */
+  get config() {
+    return this._config;
+  }
+  /**
+   * Initialize the service with context.
+   * Called by the SDK after instantiation.
+   *
+   * @param context - The service context
+   */
+  initialize(context) {
+    this.context = context;
+  }
+  /**
+   * Called when session changes (sign-in, sign-out, refresh).
+   * Override in subclasses to handle session changes.
+   *
+   * @param session - The new session, or null if signed out
+   */
+  onSessionChange(session) {
+  }
+  /**
+   * Called when SDK signs out.
+   * Aborts all pending operations.
+   */
+  onSignOut() {
+    this.abortController.abort();
+    this.abortController = new AbortController();
+  }
+  /**
+   * Get the abort signal for this service.
+   * Combines the service-level abort with context-level abort.
+   */
+  get abortSignal() {
+    return this.abortController.signal;
+  }
+  /**
+   * Check if the service is authenticated.
+   */
+  get isAuthenticated() {
+    return this.context?.isAuthenticated ?? false;
+  }
+  /**
+   * Get the current session.
+   * Throws if not authenticated.
+   */
+  get session() {
+    if (!this.context?.session) {
+      throw new Error("Not authenticated");
+    }
+    return this.context.session;
+  }
+  /**
+   * Check authentication and return error result if not authenticated.
+   * Use this at the start of methods that require authentication.
+   *
+   * @returns true if authenticated, false otherwise
+   */
+  requireAuth() {
+    return this.isAuthenticated;
+  }
+  /**
+   * Emit a telemetry event.
+   *
+   * @param event - Event name
+   * @param data - Event data
+   */
+  emit(event, data) {
+    this.context?.emit(event, data);
+  }
+  /**
+   * Emit a service request event.
+   *
+   * @param action - The action being performed
+   * @param key - Optional key/path being accessed
+   */
+  emitRequest(action, key) {
+    this.emit(TelemetryEvents.SERVICE_REQUEST, {
+      service: this.getServiceName(),
+      action,
+      key,
+      timestamp: Date.now()
+    });
+  }
+  /**
+   * Emit a service response event.
+   *
+   * @param action - The action that was performed
+   * @param ok - Whether the request was successful
+   * @param startTime - Start time for duration calculation
+   * @param status - Optional HTTP status code
+   */
+  emitResponse(action, ok, startTime, status) {
+    this.emit(TelemetryEvents.SERVICE_RESPONSE, {
+      service: this.getServiceName(),
+      action,
+      ok,
+      duration: Date.now() - startTime,
+      status
+    });
+  }
+  /**
+   * Emit a service error event.
+   *
+   * @param error - The service error
+   */
+  emitError(error) {
+    this.emit(TelemetryEvents.SERVICE_ERROR, {
+      service: this.getServiceName(),
+      error
+    });
+  }
+  /**
+   * Get the service name from the static property.
+   * Subclasses must define static serviceName.
+   */
+  getServiceName() {
+    return this.constructor.serviceName;
+  }
+  /**
+   * Create a combined abort signal from multiple sources.
+   *
+   * @param signals - Additional abort signals to combine
+   * @returns A combined abort signal
+   */
+  combineSignals(...signals) {
+    const controller = new AbortController();
+    const allSignals = [this.abortSignal, ...signals.filter(Boolean)];
+    for (const signal of allSignals) {
+      if (signal.aborted) {
+        controller.abort(signal.reason);
+        return controller.signal;
+      }
+      signal.addEventListener("abort", () => controller.abort(signal.reason), {
+        once: true
+      });
+    }
+    return controller.signal;
+  }
+  /**
+   * Wrap an operation with error handling and telemetry.
+   *
+   * @param action - The action name for telemetry
+   * @param key - Optional key for telemetry
+   * @param operation - The operation to execute
+   * @returns Result of the operation
+   */
+  async withTelemetry(action, key, operation) {
+    const startTime = Date.now();
+    this.emitRequest(action, key);
+    try {
+      const result = await operation();
+      if (result.ok) {
+        this.emitResponse(action, true, startTime);
+      } else {
+        this.emitResponse(action, false, startTime);
+        this.emitError(result.error);
+      }
+      return result;
+    } catch (error) {
+      const serviceError2 = wrapError(this.getServiceName(), error);
+      this.emitResponse(action, false, startTime);
+      this.emitError(serviceError2);
+      return err(serviceError2);
+    }
+  }
+};
+// src/encryption/canonical.ts
+function canonicalize(value) {
+  if (value === void 0) {
+    return "";
+  }
+  return stringify(value);
+}
+function stringify(value) {
+  if (value === null) return "null";
+  switch (typeof value) {
+    case "boolean":
+    case "number":
+      return JSON.stringify(value);
+    case "string":
+      return JSON.stringify(value);
+    case "object": {
+      if (Array.isArray(value)) {
+        return `[${value.map(stringify).join(",")}]`;
+      }
+      const keys = Object.keys(value).sort();
+      const parts = [];
+      for (const k of keys) {
+        const v = value[k];
+        if (v === void 0) continue;
+        parts.push(`${JSON.stringify(k)}:${stringify(v)}`);
+      }
+      return `{${parts.join(",")}}`;
+    }
+    default:
+      throw new TypeError(
+        `canonicalize: unsupported value type ${typeof value}`
+      );
+  }
+}
+var HEX = "0123456789abcdef";
+function hexEncode(bytes) {
+  let out = "";
+  for (let i = 0; i < bytes.length; i++) {
+    const b = bytes[i];
+    out += HEX[b >> 4 & 15] + HEX[b & 15];
+  }
+  return out;
+}
+function hexDecode(hex) {
+  if (hex.length % 2 !== 0) {
+    throw new Error("hex string must have even length");
+  }
+  const out = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    const hi = parseInt(hex[i * 2], 16);
+    const lo = parseInt(hex[i * 2 + 1], 16);
+    if (Number.isNaN(hi) || Number.isNaN(lo)) {
+      throw new Error("invalid hex character");
+    }
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+function base64Encode(bytes) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  let out = "";
+  for (let i = 0; i < bytes.length; i += 3) {
+    const b0 = bytes[i];
+    const b1 = i + 1 < bytes.length ? bytes[i + 1] : 0;
+    const b2 = i + 2 < bytes.length ? bytes[i + 2] : 0;
+    out += chars[b0 >> 2 & 63];
+    out += chars[(b0 << 4 | b1 >> 4) & 63];
+    out += i + 1 < bytes.length ? chars[(b1 << 2 | b2 >> 6) & 63] : "=";
+    out += i + 2 < bytes.length ? chars[b2 & 63] : "=";
+  }
+  return out;
+}
+function base64Decode(s) {
+  const clean = s.replace(/[^A-Za-z0-9+/=]/g, "");
+  const len = clean.length;
+  if (len % 4 !== 0) {
+    throw new Error("invalid base64 input");
+  }
+  const padding = clean.endsWith("==") ? 2 : clean.endsWith("=") ? 1 : 0;
+  const outLen = len / 4 * 3 - padding;
+  const out = new Uint8Array(outLen);
+  const lookup = {};
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  for (let i = 0; i < chars.length; i++) lookup[chars[i]] = i;
+  let outIdx = 0;
+  for (let i = 0; i < len; i += 4) {
+    const v0 = lookup[clean[i]] ?? 0;
+    const v1 = lookup[clean[i + 1]] ?? 0;
+    const v2 = clean[i + 2] === "=" ? 0 : lookup[clean[i + 2]] ?? 0;
+    const v3 = clean[i + 3] === "=" ? 0 : lookup[clean[i + 3]] ?? 0;
+    const b0 = v0 << 2 | v1 >> 4;
+    const b1 = (v1 & 15) << 4 | v2 >> 2;
+    const b2 = (v2 & 3) << 6 | v3;
+    if (outIdx < outLen) out[outIdx++] = b0;
+    if (outIdx < outLen) out[outIdx++] = b1;
+    if (outIdx < outLen) out[outIdx++] = b2;
+  }
+  return out;
+}
+function utf8Encode(s) {
+  return new TextEncoder().encode(s);
+}
+function utf8Decode(b) {
+  return new TextDecoder().decode(b);
+}
+function canonicalHashHex(sha256, value) {
+  const canonical = canonicalize(value);
+  return hexEncode(sha256(utf8Encode(canonical)));
+}
+// src/encryption/networkId.ts
+var URN_PREFIX = "urn:tinycloud:encryption:";
+var NETWORK_NAME_RE = /^[a-z0-9][a-z0-9-]*$/;
+var NetworkIdError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "NetworkIdError";
+  }
+};
+function parseNetworkId(networkId) {
+  if (typeof networkId !== "string" || networkId.length === 0) {
+    throw new NetworkIdError("networkId must be a non-empty string");
+  }
+  if (!networkId.startsWith(URN_PREFIX)) {
+    throw new NetworkIdError(
+      `networkId must start with ${URN_PREFIX} (got ${JSON.stringify(networkId)})`
+    );
+  }
+  const body = networkId.slice(URN_PREFIX.length);
+  const lastColon = body.lastIndexOf(":");
+  if (lastColon <= 0 || lastColon === body.length - 1) {
+    throw new NetworkIdError(
+      `networkId missing principal or name segment (got ${JSON.stringify(networkId)})`
+    );
+  }
+  const principal = body.slice(0, lastColon);
+  const name = body.slice(lastColon + 1);
+  if (!principal.startsWith("did:")) {
+    throw new NetworkIdError(
+      `networkId principal must be a DID (got ${JSON.stringify(principal)})`
+    );
+  }
+  const didParts = principal.split(":");
+  if (didParts.length < 3 || didParts.some((p) => p.length === 0)) {
+    throw new NetworkIdError(
+      `networkId principal is not a well-formed DID (got ${JSON.stringify(principal)})`
+    );
+  }
+  if (!NETWORK_NAME_RE.test(name)) {
+    throw new NetworkIdError(
+      `networkId name ${JSON.stringify(name)} must match ${NETWORK_NAME_RE.source}`
+    );
+  }
+  return { networkId, principal, name };
+}
+function buildNetworkId(principal, name) {
+  if (typeof principal !== "string" || !principal.startsWith("did:")) {
+    throw new NetworkIdError("principal must be a DID");
+  }
+  if (typeof name !== "string" || !NETWORK_NAME_RE.test(name)) {
+    throw new NetworkIdError(
+      `network name ${JSON.stringify(name)} must match ${NETWORK_NAME_RE.source}`
+    );
+  }
+  const networkId = `${URN_PREFIX}${principal}:${name}`;
+  parseNetworkId(networkId);
+  return networkId;
+}
+function isNetworkId(networkId) {
+  if (typeof networkId !== "string") {
+    return false;
+  }
+  try {
+    parseNetworkId(networkId);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function networkDiscoveryKey(name) {
+  if (!NETWORK_NAME_RE.test(name)) {
+    throw new NetworkIdError(
+      `network name ${JSON.stringify(name)} must match ${NETWORK_NAME_RE.source}`
+    );
+  }
+  return `.well-known/encryption/network/${name}`;
+}
+var ENCRYPTION_NETWORK_URN_PREFIX = URN_PREFIX;
+var NETWORK_NAME_PATTERN = NETWORK_NAME_RE;
+// src/encryption/types.ts
+var DEFAULT_ENCRYPTION_ALG = "x25519-aes256gcm/v1";
+var ENVELOPE_VERSION = 1;
+var DEFAULT_KEY_VERSION = 1;
+var DECRYPT_FACT_TYPE = "tinycloud.encryption.decrypt/v1";
+var DECRYPT_RESULT_TYPE = "tinycloud.encryption.decrypt-result/v1";
+var ENCRYPTION_SERVICE = "tinycloud.encryption";
+var ENCRYPTION_SERVICE_SHORT = "encryption";
+var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
+function defaultEncryptionMessage(input) {
+  switch (input.code) {
+    case "NETWORK_NOT_FOUND":
+      return input.message ?? `Network not found: ${input.networkId ?? input.name ?? "<unknown>"}`;
+    case "NETWORK_NOT_ACTIVE":
+      return input.message ?? `Network not active (state=${input.state})`;
+    case "INVALID_NETWORK_ID":
+      return input.message;
+    case "INVALID_ENVELOPE":
+      return input.message;
+    case "DECRYPT_DENIED":
+      return input.message;
+    case "INVALID_RESPONSE":
+      return input.message;
+    case "RESPONSE_SIGNATURE_INVALID":
+      return input.message ?? "Node response signature failed to verify";
+    case "RESPONSE_BINDING_MISMATCH":
+      return input.message ?? `Node response binding mismatch on field ${JSON.stringify(input.field)}`;
+    case "TRANSPORT_ERROR":
+      return input.message ?? input.cause.message;
+    case "INVALID_INPUT":
+      return input.message;
+  }
+}
+function encryptionError(input) {
+  return {
+    ...input,
+    service: "encryption",
+    message: defaultEncryptionMessage(input)
+  };
+}
+function toError(error) {
+  if (error instanceof Error) return error;
+  if (typeof error === "object" && error !== null) {
+    return new Error(JSON.stringify(error));
+  }
+  return new Error(String(error));
+}
+// src/encryption/discovery.ts
+async function discoverNetwork(input) {
+  let networkId;
+  let principal;
+  let name;
+  try {
+    if (input.identifier.startsWith("urn:tinycloud:encryption:")) {
+      const parsed = parseNetworkId(input.identifier);
+      networkId = parsed.networkId;
+      principal = parsed.principal;
+      name = parsed.name;
+    } else {
+      if (input.principal === void 0) {
+        return {
+          ok: false,
+          error: encryptionError({
+            code: "INVALID_INPUT",
+            message: "discoverNetwork requires `principal` when identifier is a bare network name"
+          })
+        };
+      }
+      networkId = `urn:tinycloud:encryption:${input.principal}:${input.identifier}`;
+      const parsed = parseNetworkId(networkId);
+      principal = parsed.principal;
+      name = parsed.name;
+    }
+  } catch (err2) {
+    if (err2 instanceof NetworkIdError) {
+      return {
+        ok: false,
+        error: encryptionError({
+          code: "INVALID_NETWORK_ID",
+          message: err2.message
+        })
+      };
+    }
+    throw err2;
+  }
+  if (input.node !== void 0) {
+    try {
+      const descriptor = await input.node.fetchByNetworkId(networkId);
+      if (descriptor !== null) {
+        const validated = validateDescriptor(descriptor, networkId, principal, name);
+        if (!validated.ok) return validated;
+        return { ok: true, data: { descriptor: validated.data, source: "node" } };
+      }
+    } catch (err2) {
+    }
+  }
+  if (input.wellKnown !== void 0) {
+    try {
+      const descriptor = await input.wellKnown.fetchWellKnown(
+        principal,
+        networkDiscoveryKey(name)
+      );
+      if (descriptor !== null) {
+        const validated = validateDescriptor(descriptor, networkId, principal, name);
+        if (!validated.ok) return validated;
+        return {
+          ok: true,
+          data: { descriptor: validated.data, source: "well-known" }
+        };
+      }
+    } catch (err2) {
+    }
+  }
+  return {
+    ok: false,
+    error: encryptionError({
+      code: "NETWORK_NOT_FOUND",
+      networkId,
+      name
+    })
+  };
+}
+function validateDescriptor(descriptor, networkId, principal, name) {
+  if (descriptor.networkId !== networkId) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: `descriptor networkId ${JSON.stringify(descriptor.networkId)} does not match expected ${JSON.stringify(networkId)}`
+      })
+    };
+  }
+  if (descriptor.principal !== principal) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: "descriptor principal does not match networkId principal"
+      })
+    };
+  }
+  if (descriptor.name !== name) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: "descriptor name does not match networkId name"
+      })
+    };
+  }
+  if (typeof descriptor.publicEncryptionKey !== "string" || descriptor.publicEncryptionKey.length === 0) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: "descriptor publicEncryptionKey must be a non-empty string"
+      })
+    };
+  }
+  return { ok: true, data: descriptor };
+}
+function ensureNetworkUsableForDecrypt(descriptor) {
+  if (descriptor.state === "active" || descriptor.state === "rotating") {
+    return { ok: true, data: descriptor };
+  }
+  return {
+    ok: false,
+    error: encryptionError({
+      code: "NETWORK_NOT_ACTIVE",
+      state: descriptor.state
+    })
+  };
+}
+// src/encryption/envelope.ts
+function encryptToNetwork(crypto, input) {
+  parseNetworkId(input.networkId);
+  const alg = input.alg ?? DEFAULT_ENCRYPTION_ALG;
+  const keyVersion = input.keyVersion ?? DEFAULT_KEY_VERSION;
+  const symmetricKey = crypto.randomBytes(32);
+  const ciphertext = crypto.authEncrypt(symmetricKey, input.plaintext, input.aad);
+  const wrapped = crypto.sealToNetworkKey(input.networkPublicKey, symmetricKey);
+  const encryptedSymmetricKey = base64Encode(wrapped);
+  const encryptedSymmetricKeyHash = canonicalHashHex(
+    crypto.sha256,
+    encryptedSymmetricKey
+  );
+  const envelope = {
+    v: ENVELOPE_VERSION,
+    networkId: input.networkId,
+    alg,
+    keyVersion,
+    encryptedSymmetricKey,
+    encryptedSymmetricKeyHash,
+    ciphertext: base64Encode(ciphertext),
+    ...input.aad !== void 0 ? { aad: base64Encode(input.aad) } : {},
+    ...input.metadata !== void 0 ? { metadata: input.metadata } : {}
+  };
+  return { envelope, symmetricKey };
+}
+function validateEnvelope(crypto, envelope) {
+  if (envelope === null || typeof envelope !== "object") {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: "envelope must be an object"
+      })
+    };
+  }
+  const e = envelope;
+  if (e.v !== ENVELOPE_VERSION) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: `envelope.v must be ${ENVELOPE_VERSION} (got ${e.v})`
+      })
+    };
+  }
+  try {
+    parseNetworkId(e.networkId);
+  } catch (err2) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: `envelope.networkId is malformed: ${err2 instanceof Error ? err2.message : String(err2)}`
+      })
+    };
+  }
+  for (const field of [
+    "alg",
+    "encryptedSymmetricKey",
+    "encryptedSymmetricKeyHash",
+    "ciphertext"
+  ]) {
+    if (typeof e[field] !== "string" || e[field].length === 0) {
+      return {
+        ok: false,
+        error: encryptionError({
+          code: "INVALID_ENVELOPE",
+          message: `envelope.${field} must be a non-empty string`
+        })
+      };
+    }
+  }
+  if (typeof e.keyVersion !== "number" || !Number.isInteger(e.keyVersion)) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: "envelope.keyVersion must be an integer"
+      })
+    };
+  }
+  const expectedHash = canonicalHashHex(crypto.sha256, e.encryptedSymmetricKey);
+  if (expectedHash !== e.encryptedSymmetricKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_ENVELOPE",
+        message: "envelope.encryptedSymmetricKeyHash does not match canonical hash of encryptedSymmetricKey"
+      })
+    };
+  }
+  return { ok: true, data: e };
+}
+function decryptEnvelopeWithKey(crypto, envelope, symmetricKey) {
+  const ciphertext = base64Decode(envelope.ciphertext);
+  const aad = envelope.aad !== void 0 ? base64Decode(envelope.aad) : void 0;
+  return crypto.authDecrypt(symmetricKey, ciphertext, aad);
+}
+// src/encryption/invocation.ts
+function buildCanonicalDecryptRequest(input) {
+  const canonicalBody = canonicalize(input.body);
+  const bodyHash = canonicalHashHex(
+    input.crypto.sha256,
+    input.body
+  );
+  const receiverPublicKeyHash = canonicalHashHex(
+    input.crypto.sha256,
+    input.body.receiverPublicKey
+  );
+  return { canonicalBody, bodyHash, receiverPublicKeyHash };
+}
+function buildDecryptFacts(input) {
+  const bodyHash = input.canonicalBody !== void 0 ? hexEncode(input.crypto.sha256(utf8Encode(input.canonicalBody))) : canonicalHashHex(
+    input.crypto.sha256,
+    input.body
+  );
+  const receiverPublicKeyHash = canonicalHashHex(
+    input.crypto.sha256,
+    input.body.receiverPublicKey
+  );
+  return {
+    type: DECRYPT_FACT_TYPE,
+    targetNode: input.body.targetNode,
+    networkId: input.body.networkId,
+    bodyHash,
+    encryptedSymmetricKeyHash: input.encryptedSymmetricKeyHash,
+    receiverPublicKeyHash,
+    alg: input.body.alg,
+    keyVersion: input.body.keyVersion
+  };
+}
+function buildDecryptAttenuation(networkId) {
+  parseNetworkId(networkId);
+  return {
+    [networkId]: {
+      [DECRYPT_ACTION]: {}
+    }
+  };
+}
+function checkDecryptInvocationInput(crypto, input) {
+  if (input.body.type !== DECRYPT_FACT_TYPE) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: `body.type must be ${DECRYPT_FACT_TYPE}`
+      })
+    };
+  }
+  if (input.facts.type !== DECRYPT_FACT_TYPE) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: `facts.type must be ${DECRYPT_FACT_TYPE}`
+      })
+    };
+  }
+  if (input.facts.targetNode !== input.targetNode) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.targetNode must equal targetNode \u2014 the UCAN audience binds the request to a single node"
+      })
+    };
+  }
+  if (input.body.targetNode !== input.targetNode) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "body.targetNode must equal targetNode"
+      })
+    };
+  }
+  if (input.facts.networkId !== input.networkId) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.networkId must equal networkId"
+      })
+    };
+  }
+  if (input.body.networkId !== input.networkId) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "body.networkId must equal networkId"
+      })
+    };
+  }
+  if (input.facts.alg !== input.body.alg) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.alg must equal body.alg"
+      })
+    };
+  }
+  if (input.facts.keyVersion !== input.body.keyVersion) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.keyVersion must equal body.keyVersion"
+      })
+    };
+  }
+  if (input.facts.encryptedSymmetricKeyHash !== input.body.encryptedSymmetricKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.encryptedSymmetricKeyHash must equal body.encryptedSymmetricKeyHash"
+      })
+    };
+  }
+  if (input.facts.receiverPublicKeyHash !== input.body.receiverPublicKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.receiverPublicKeyHash must equal body.receiverPublicKeyHash"
+      })
+    };
+  }
+  try {
+    parseNetworkId(input.networkId);
+  } catch (err2) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_NETWORK_ID",
+        message: err2 instanceof Error ? err2.message : String(err2)
+      })
+    };
+  }
+  const canonicalBody = canonicalize(
+    input.body
+  );
+  const expectedBodyHash = canonicalHashHex(crypto.sha256, input.body);
+  if (expectedBodyHash !== input.facts.bodyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_INPUT",
+        message: "facts.bodyHash does not match the canonical body hash"
+      })
+    };
+  }
+  return { ok: true, data: input, canonicalBody };
+}
+async function buildDecryptInvocation(crypto, signer, input) {
+  const checked = checkDecryptInvocationInput(crypto, input);
+  if (!checked.ok) {
+    return checked;
+  }
+  try {
+    const built = await signer.signDecryptInvocation(checked.data);
+    if (!built.authorization || !built.invocationCid) {
+      return {
+        ok: false,
+        error: encryptionError({
+          code: "INVALID_INPUT",
+          message: "decrypt-invocation signer returned an empty authorization or invocationCid"
+        })
+      };
+    }
+    if (built.canonicalBody !== checked.canonicalBody) {
+      return {
+        ok: false,
+        error: encryptionError({
+          code: "INVALID_INPUT",
+          message: "decrypt-invocation signer returned a canonicalBody that does not match the SDK's canonicalization \u2014 signer must use the SDK-provided body"
+        })
+      };
+    }
+    return { ok: true, data: built };
+  } catch (err2) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "TRANSPORT_ERROR",
+        cause: err2 instanceof Error ? err2 : new Error(String(err2)),
+        message: `failed to sign decrypt invocation: ${err2 instanceof Error ? err2.message : String(err2)}`
+      })
+    };
+  }
+}
+// src/encryption/receiverKey.ts
+function generateRandomReceiverKey(input) {
+  const seed = input.crypto.randomBytes(32);
+  return input.crypto.x25519FromSeed(seed);
+}
+async function deriveSignedReceiverKey(input) {
+  const message = `tinycloud.encryption.receiver-key/v1:${input.networkId}:${input.context ?? ""}`;
+  const sig = await input.signer.signMessage(message);
+  const sigBytes = utf8Encode(sig);
+  const seed = input.crypto.sha256(sigBytes);
+  return input.crypto.x25519FromSeed(seed);
+}
+// src/encryption/response.ts
+function canonicalSignedResponse(response) {
+  const { nodeSignature: _drop, ...rest } = response;
+  return canonicalize(rest);
+}
+function verifyDecryptResponse(input) {
+  const { crypto, request, facts, invocationCid, requestBodyHash, response } = input;
+  if (response.type !== DECRYPT_RESULT_TYPE) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "INVALID_RESPONSE",
+        message: `response.type must be ${DECRYPT_RESULT_TYPE}`
+      })
+    };
+  }
+  if (response.targetNode !== request.targetNode) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "targetNode"
+      })
+    };
+  }
+  if (response.networkId !== request.networkId) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "networkId"
+      })
+    };
+  }
+  if (response.alg !== request.alg) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "alg"
+      })
+    };
+  }
+  if (response.keyVersion !== request.keyVersion) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "keyVersion"
+      })
+    };
+  }
+  if (response.encryptedSymmetricKeyHash !== request.encryptedSymmetricKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "encryptedSymmetricKeyHash"
+      })
+    };
+  }
+  if (response.receiverPublicKeyHash !== request.receiverPublicKeyHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "receiverPublicKeyHash"
+      })
+    };
+  }
+  if (response.invocationCid !== invocationCid) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "invocationCid"
+      })
+    };
+  }
+  const expectedRequestHash = hexEncode(
+    crypto.sha256(utf8Encode(`${invocationCid}${requestBodyHash}`))
+  );
+  if (response.requestHash !== expectedRequestHash) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "requestHash"
+      })
+    };
+  }
+  if (facts.encryptedSymmetricKeyHash !== response.encryptedSymmetricKeyHash || facts.receiverPublicKeyHash !== response.receiverPublicKeyHash || facts.networkId !== response.networkId || facts.targetNode !== response.targetNode || facts.alg !== response.alg || facts.keyVersion !== response.keyVersion) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_BINDING_MISMATCH",
+        field: "facts"
+      })
+    };
+  }
+  const signedBytes = new TextEncoder().encode(
+    canonicalSignedResponse(response)
+  );
+  const signatureBytes = base64Decode(response.nodeSignature);
+  if (!crypto.verifyNodeSignature(response.nodeId, signedBytes, signatureBytes)) {
+    return {
+      ok: false,
+      error: encryptionError({
+        code: "RESPONSE_SIGNATURE_INVALID"
+      })
+    };
+  }
+  return { ok: true, data: response };
+}
+function openWrappedKey(crypto, receiverPrivateKey, response) {
+  const wrapped = base64Decode(response.wrappedKey);
+  return crypto.openWithReceiverKey(receiverPrivateKey, wrapped);
+}
+// src/encryption/EncryptionService.ts
+function encOk(data) {
+  return { ok: true, data };
+}
+function encErr(error) {
+  return { ok: false, error };
+}
+var EncryptionService = class extends BaseService {
+  constructor(config) {
+    super();
+    this._config = config;
+  }
+  get config() {
+    return this._config;
+  }
+  get crypto() {
+    return this._config.crypto;
+  }
+  async discoverNetwork(identifier, principal) {
+    const result = await discoverNetwork({
+      identifier,
+      ...principal !== void 0 ? { principal } : {},
+      ...this._config.node !== void 0 ? { node: this._config.node } : {},
+      ...this._config.wellKnown !== void 0 ? { wellKnown: this._config.wellKnown } : {}
+    });
+    if (!result.ok) return result;
+    return encOk(result.data.descriptor);
+  }
+  async encryptToNetwork(networkId, plaintext, options) {
+    try {
+      const discovered = await this.discoverNetwork(networkId);
+      if (!discovered.ok) return discovered;
+      const usable = ensureNetworkUsableForDecrypt(discovered.data);
+      if (!usable.ok) return usable;
+      const descriptor = usable.data;
+      const networkPublicKey = base64Decode(descriptor.publicEncryptionKey);
+      const result = encryptToNetwork(this.crypto, {
+        networkId,
+        networkPublicKey,
+        plaintext,
+        ...options?.aad !== void 0 ? { aad: options.aad } : {},
+        alg: options?.alg ?? descriptor.alg,
+        keyVersion: options?.keyVersion ?? descriptor.keyVersion,
+        ...options?.metadata !== void 0 ? { metadata: options.metadata } : {}
+      });
+      return encOk(result.envelope);
+    } catch (error) {
+      return encErr(
+        encryptionError({
+          code: "TRANSPORT_ERROR",
+          cause: toError(error)
+        })
+      );
+    }
+  }
+  async decryptEnvelope(envelope, capabilityProof, options) {
+    try {
+      const validated = validateEnvelope(this.crypto, envelope);
+      if (!validated.ok) return validated;
+      let descriptor;
+      if (options?.descriptor !== void 0) {
+        descriptor = options.descriptor;
+      } else {
+        const discovered = await this.discoverNetwork(envelope.networkId);
+        if (!discovered.ok) return discovered;
+        descriptor = discovered.data;
+      }
+      const usable = ensureNetworkUsableForDecrypt(descriptor);
+      if (!usable.ok) return usable;
+      const targetNode = options?.targetNode ?? descriptor.members[0]?.nodeId;
+      if (targetNode === void 0) {
+        return encErr(
+          encryptionError({
+            code: "INVALID_INPUT",
+            message: "no target node available from descriptor"
+          })
+        );
+      }
+      const receiverKey = generateRandomReceiverKey({ crypto: this.crypto });
+      const receiverPublicKey = base64Encode(receiverKey.publicKey);
+      const receiverPublicKeyHash = canonicalHashHex(
+        this.crypto.sha256,
+        receiverPublicKey
+      );
+      const body = {
+        type: DECRYPT_FACT_TYPE,
+        targetNode,
+        networkId: envelope.networkId,
+        alg: envelope.alg,
+        keyVersion: envelope.keyVersion,
+        encryptedSymmetricKey: envelope.encryptedSymmetricKey,
+        encryptedSymmetricKeyHash: envelope.encryptedSymmetricKeyHash,
+        receiverPublicKey,
+        receiverPublicKeyHash
+      };
+      const canonicalRequest = buildCanonicalDecryptRequest({
+        crypto: this.crypto,
+        body,
+        receiverPublicKey: receiverKey.publicKey
+      });
+      const facts = buildDecryptFacts({
+        crypto: this.crypto,
+        body,
+        encryptedSymmetricKeyHash: envelope.encryptedSymmetricKeyHash,
+        receiverPublicKey: receiverKey.publicKey,
+        canonicalBody: canonicalRequest.canonicalBody
+      });
+      const built = await buildDecryptInvocation(this.crypto, this._config.signer, {
+        targetNode,
+        networkId: envelope.networkId,
+        body,
+        facts,
+        proof: capabilityProof
+      });
+      if (!built.ok) return built;
+      let response;
+      try {
+        response = await this._config.transport.postDecrypt({
+          targetNode,
+          networkId: envelope.networkId,
+          authorization: built.data.authorization,
+          canonicalBody: built.data.canonicalBody
+        });
+      } catch (error) {
+        return encErr(
+          encryptionError({
+            code: "TRANSPORT_ERROR",
+            cause: toError(error)
+          })
+        );
+      }
+      const verified = verifyDecryptResponse({
+        crypto: this.crypto,
+        request: body,
+        facts,
+        invocationCid: built.data.invocationCid,
+        requestBodyHash: facts.bodyHash,
+        response
+      });
+      if (!verified.ok) return verified;
+      const symmetricKey = openWrappedKey(
+        this.crypto,
+        receiverKey.privateKey,
+        verified.data
+      );
+      const plaintext = decryptEnvelopeWithKey(
+        this.crypto,
+        envelope,
+        symmetricKey
+      );
+      return encOk(plaintext);
+    } catch (error) {
+      return encErr(
+        encryptionError({
+          code: "TRANSPORT_ERROR",
+          cause: toError(error)
+        })
+      );
+    }
+  }
+};
+EncryptionService.serviceName = "encryption";
+export {
+  DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DEFAULT_ENCRYPTION_ALG,
+  DEFAULT_KEY_VERSION,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION,
+  EncryptionService,
+  NETWORK_NAME_PATTERN,
+  NetworkIdError,
+  base64Decode,
+  base64Encode,
+  buildCanonicalDecryptRequest,
+  buildDecryptAttenuation,
+  buildDecryptFacts,
+  buildDecryptInvocation,
+  buildNetworkId,
+  canonicalHashHex,
+  canonicalSignedResponse,
+  canonicalize,
+  checkDecryptInvocationInput,
+  decryptEnvelopeWithKey,
+  deriveSignedReceiverKey,
+  discoverNetwork,
+  encryptToNetwork,
+  encryptionError,
+  ensureNetworkUsableForDecrypt,
+  generateRandomReceiverKey,
+  hexDecode,
+  hexEncode,
+  isNetworkId,
+  networkDiscoveryKey,
+  openWrappedKey,
+  parseNetworkId,
+  utf8Decode,
+  utf8Encode,
+  validateEnvelope,
+  verifyDecryptResponse
+};
+//# sourceMappingURL=index.js.map