@tuskydp/cli 0.3.0 → 0.4.0

package/dist/src/commands/decrypt.js

@@ -1,256 +0,0 @@
-/**
- * `tusky decrypt` — Decrypt a file downloaded from Walrus.
- *
- * Works in two modes:
- *   1. With --export <manifest.json> — reads wrappedKey/iv from the export
- *      manifest, derives master key from passphrase + salt. Fully offline.
- *   2. Without --export — fetches encryption params from the Tusky API and
- *      looks up the file metadata by ID. Requires API access.
- *
- * In both modes, the passphrase is resolved from:
- *   --passphrase flag > TUSKYDP_PASSWORD env var > interactive prompt
- */
-import { readFileSync, writeFileSync, existsSync } from 'fs';
-import { resolve, basename } from 'path';
-import chalk from 'chalk';
-import ora from 'ora';
-import inquirer from 'inquirer';
-import { getApiUrl, getApiKey } from '../config.js';
-import { createSDKClient } from '../sdk.js';
-import { loadMasterKey } from '../lib/keyring.js';
-import { deriveMasterKey, verifyPassphrase, unwrapMasterKey, decryptBuffer, } from '../crypto.js';
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-/**
- * Resolve the master key. Priority:
- *   1. Session keyring (~/.tusky/session.enc)
- *   2. Passphrase derivation (requires API or --salt/--encrypted-master-key)
- */
-async function resolveMasterKey(options) {
-    // Try session keyring first
-    const sessionKey = loadMasterKey();
-    if (sessionKey)
-        return sessionKey;
-    // Need passphrase
-    let passphrase = options.passphrase ?? process.env.TUSKYDP_PASSWORD;
-    if (!passphrase) {
-        const answers = await inquirer.prompt([{
-                type: 'password',
-                name: 'passphrase',
-                message: 'Enter encryption passphrase:',
-                mask: '*',
-            }]);
-        passphrase = answers.passphrase;
-    }
-    if (!options.salt) {
-        throw new Error('Cannot derive master key: salt is required. Use --export with an export manifest, or ensure the Tusky API is accessible.');
-    }
-    const salt = Buffer.from(options.salt, 'base64');
-    const wrappingKey = deriveMasterKey(passphrase, salt);
-    // Verify if we have a verifier
-    if (options.verifier) {
-        const verifierBuf = Buffer.from(options.verifier, 'base64');
-        if (!verifyPassphrase(wrappingKey, verifierBuf)) {
-            throw new Error('Invalid passphrase.');
-        }
-    }
-    // Unwrap master key if account has one
-    if (options.encryptedMasterKey) {
-        return unwrapMasterKey(Buffer.from(options.encryptedMasterKey, 'base64'), wrappingKey);
-    }
-    // Legacy: wrapping key IS the master key
-    return wrappingKey;
-}
-// ---------------------------------------------------------------------------
-// Command registration
-// ---------------------------------------------------------------------------
-async function readStdin() {
-    return new Promise((resolve, reject) => {
-        const chunks = [];
-        process.stdin.on('data', (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
-        process.stdin.on('end', () => resolve(Buffer.concat(chunks)));
-        process.stdin.on('error', reject);
-    });
-}
-export function registerDecryptCommand(program) {
-    program
-        .command('decrypt [encrypted-file]')
-        .description('Decrypt a file downloaded from Walrus using your encryption passphrase')
-        .option('-o, --output <path>', 'Output path for decrypted file')
-        .option('--stdin', 'Read ciphertext from stdin (for sandboxed agents without filesystem access)')
-        .option('--stdout', 'Write plaintext to stdout instead of a file')
-        .option('--file-id <id>', 'Tusky file ID (to look up wrappedKey/iv from API)')
-        .option('--export <path>', 'Path to tusky-export.json manifest (for offline decryption)')
-        .option('--passphrase <passphrase>', 'Encryption passphrase (also reads TUSKYDP_PASSWORD env var)')
-        .option('--wrapped-key <key>', 'Per-file wrapped key (base64, from export manifest)')
-        .option('--iv <iv>', 'Per-file encryption IV (base64, from export manifest)')
-        .option('--checksum <sha256>', 'Expected plaintext SHA-256 checksum (hex)')
-        .action(async (encryptedFile, options) => {
-        // When piping to stdout, send spinner to stderr to avoid polluting the binary stream
-        const spinnerStream = options.stdout ? process.stderr : process.stdout;
-        const spinner = ora({ text: 'Preparing decryption...', stream: spinnerStream });
-        spinner.start();
-        try {
-            // Resolve ciphertext source: --stdin, or file path
-            let ciphertext;
-            let defaultFileName = 'decrypted';
-            if (options.stdin) {
-                spinner.text = 'Reading ciphertext from stdin...';
-                ciphertext = await readStdin();
-            }
-            else {
-                if (!encryptedFile) {
-                    spinner.fail('Provide an encrypted file path, or use --stdin to read from stdin.');
-                    return;
-                }
-                const inputPath = resolve(encryptedFile);
-                if (!existsSync(inputPath)) {
-                    spinner.fail(`File not found: ${inputPath}`);
-                    return;
-                }
-                defaultFileName = basename(inputPath).replace(/\.enc$/, '');
-                ciphertext = readFileSync(inputPath);
-            }
-            let wrappedKey;
-            let iv;
-            let checksum = options.checksum;
-            let fileName = defaultFileName;
-            let encryptionParams = {};
-            // ── Mode 1: Export manifest ──────────────────────────────────
-            if (options.export) {
-                spinner.text = 'Reading export manifest...';
-                const manifestPath = resolve(options.export);
-                if (!existsSync(manifestPath)) {
-                    spinner.fail(`Export manifest not found: ${manifestPath}`);
-                    return;
-                }
-                const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
-                let exportedFile;
-                if (options.fileId) {
-                    exportedFile = manifest.files.find((f) => f.fileId === options.fileId);
-                }
-                else {
-                    exportedFile = manifest.files.find((f) => f.name === defaultFileName || f.name === encryptedFile);
-                    if (!exportedFile && manifest.files.length === 1) {
-                        exportedFile = manifest.files[0];
-                    }
-                }
-                if (!exportedFile) {
-                    spinner.fail(options.fileId
-                        ? `File ID ${options.fileId} not found in export manifest.`
-                        : `Could not match "${defaultFileName}" to a file in the export manifest. Use --file-id to specify.`);
-                    return;
-                }
-                if (!exportedFile.encrypted) {
-                    spinner.fail(`File "${exportedFile.name}" is not encrypted (public vault). No decryption needed.`);
-                    return;
-                }
-                if (!exportedFile.wrappedKey || !exportedFile.encryptionIv) {
-                    spinner.fail(`File "${exportedFile.name}" is missing encryption metadata in the export.`);
-                    return;
-                }
-                wrappedKey = exportedFile.wrappedKey;
-                iv = exportedFile.encryptionIv;
-                checksum = checksum ?? exportedFile.plaintextChecksumSha256 ?? undefined;
-                fileName = exportedFile.name;
-                // Read account-level encryption params from manifest
-                if (manifest.encryption) {
-                    encryptionParams = {
-                        salt: manifest.encryption.salt ?? undefined,
-                        verifier: manifest.encryption.verifier ?? undefined,
-                        encryptedMasterKey: manifest.encryption.encryptedMasterKey ?? undefined,
-                    };
-                }
-                // ── Mode 2: Direct flags ─────────────────────────────────────
-            }
-            else if (options.wrappedKey && options.iv) {
-                wrappedKey = options.wrappedKey;
-                iv = options.iv;
-                // ── Mode 3: Fetch from API ───────────────────────────────────
-            }
-            else if (options.fileId) {
-                spinner.text = 'Fetching file metadata from API...';
-                const apiUrl = getApiUrl(program.opts().apiUrl);
-                const apiKey = getApiKey(program.opts().apiKey);
-                const sdk = createSDKClient(apiUrl, apiKey);
-                const file = await sdk.files.get(options.fileId);
-                if (!file.encrypted) {
-                    spinner.fail('This file is not encrypted. No decryption needed.');
-                    return;
-                }
-                if (!file.wrappedKey || !file.encryptionIv) {
-                    spinner.fail('File is missing encryption metadata.');
-                    return;
-                }
-                wrappedKey = file.wrappedKey;
-                iv = file.encryptionIv;
-                checksum = checksum ?? file.plaintextChecksumSha256 ?? undefined;
-                fileName = file.name;
-                // Also fetch encryption params for master key derivation
-                const params = await sdk.account.getEncryptionParams();
-                encryptionParams = {
-                    salt: params.salt ?? undefined,
-                    verifier: params.verifier ?? undefined,
-                    encryptedMasterKey: params.encryptedMasterKey ?? undefined,
-                };
-            }
-            else {
-                spinner.fail('Need encryption metadata. Use one of:\n' +
-                    '  --export <manifest.json>          (offline, from tusky export)\n' +
-                    '  --file-id <id>                    (online, fetches from API)\n' +
-                    '  --wrapped-key <key> --iv <iv>     (manual, base64 values)');
-                return;
-            }
-            // If we don't have encryption params yet, try API
-            if (!encryptionParams.salt) {
-                try {
-                    const apiUrl = getApiUrl(program.opts().apiUrl);
-                    const apiKey = getApiKey(program.opts().apiKey);
-                    const sdk = createSDKClient(apiUrl, apiKey);
-                    const params = await sdk.account.getEncryptionParams();
-                    encryptionParams = {
-                        salt: params.salt ?? undefined,
-                        verifier: params.verifier ?? undefined,
-                        encryptedMasterKey: params.encryptedMasterKey ?? undefined,
-                    };
-                }
-                catch {
-                    // API unavailable — that's ok if we have a session key
-                }
-            }
-            // Resolve master key
-            spinner.text = 'Deriving encryption key...';
-            const masterKey = await resolveMasterKey({
-                passphrase: options.passphrase,
-                ...encryptionParams,
-            });
-            // Decrypt
-            spinner.text = 'Decrypting...';
-            const plaintext = decryptBuffer(ciphertext, wrappedKey, iv, masterKey, checksum);
-            if (options.stdout) {
-                spinner.stop();
-                process.stdout.write(plaintext);
-                if (checksum) {
-                    process.stderr.write(chalk.dim('  Integrity check passed (SHA-256)\n'));
-                }
-            }
-            else {
-                // Write to disk
-                const outputPath = options.output ? resolve(options.output) : resolve(fileName);
-                writeFileSync(outputPath, plaintext);
-                spinner.succeed(`Decrypted -> ${outputPath} (${plaintext.length} bytes)`);
-                if (checksum) {
-                    console.log(chalk.dim('  Integrity check passed (SHA-256)'));
-                }
-            }
-        }
-        catch (err) {
-            spinner.fail(`Decryption failed: ${err.message}`);
-            if (err.message.includes('Unsupported state') || err.message.includes('auth tag')) {
-                console.log(chalk.dim('  This usually means the passphrase is incorrect or the file is corrupted.'));
-            }
-        }
-    });
-}
-//# sourceMappingURL=decrypt.js.map

package/dist/src/commands/decrypt.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../../src/commands/decrypt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,MAAM,CAAC;AACzC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE5C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,aAAa,GACd,MAAM,cAAc,CAAC;AAGtB,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;;GAIG;AACH,KAAK,UAAU,gBAAgB,CAAC,OAK/B;IACC,4BAA4B;IAC5B,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IACnC,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC;IAElC,kBAAkB;IAClB,IAAI,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACpE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;gBACrC,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,8BAA8B;gBACvC,IAAI,EAAE,GAAG;aACV,CAAC,CAAC,CAAC;QACJ,UAAU,GAAG,OAAO,CAAC,UAAoB,CAAC;IAC5C,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,0HAA0H,CAAC,CAAC;IAC9I,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAEtD,+BAA+B;IAC/B,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC5D,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,QAAQ,CAAC,EAAE,WAAW,CAAC,CAAC;IACzF,CAAC;IAED,yCAAyC;IACzC,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,KAAK,UAAU,SAAS;IACtB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACtG,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC9D,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAAgB;IACrD,OAAO;SACJ,OAAO,CAAC,0BAA0B,CAAC;SACnC,WAAW,CAAC,wEAAwE,CAAC;SACrF,MAAM,CAAC,qBAAqB,EAAE,gCAAgC,CAAC;SAC/D,MAAM,CAAC,SAAS,EAAE,6EAA6E,CAAC;SAChG,MAAM,CAAC,UAAU,EAAE,6CAA6C,CAAC;SACjE,MAAM,CAAC,gBAAgB,EAAE,mDAAmD,CAAC;SAC7E,MAAM,CAAC,iBAAiB,EAAE,6DAA6D,CAAC;SACxF,MAAM,CAAC,2BAA2B,EAAE,6DAA6D,CAAC;SAClG,MAAM,CAAC,qBAAqB,EAAE,qDAAqD,CAAC;SACpF,MAAM,CAAC,WAAW,EAAE,uDAAuD,CAAC;SAC5E,MAAM,CAAC,qBAAqB,EAAE,2CAA2C,CAAC;SAC1E,MAAM,CAAC,KAAK,EAAE,aAAiC,EAAE,OAUjD,EAAE,EAAE;QACH,qFAAqF;QACrF,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvE,MAAM,OAAO,GAAG,GAAG,CAAC,EAAE,IAAI,EAAE,yBAAyB,EAAE,MAAM,EAAE,aAAsC,EAAE,CAAC,CAAC;QACzG,OAAO,CAAC,KAAK,EAAE,CAAC;QAEhB,IAAI,CAAC;YACH,mDAAmD;YACnD,IAAI,UAAkB,CAAC;YACvB,IAAI,eAAe,GAAG,WAAW,CAAC;YAElC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,IAAI,GAAG,kCAAkC,CAAC;gBAClD,UAAU,GAAG,MAAM,SAAS,EAAE,CAAC;YACjC,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,OAAO,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;oBACnF,OAAO;gBACT,CAAC;gBACD,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;gBACzC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;oBAC3B,OAAO,CAAC,IAAI,CAAC,mBAAmB,SAAS,EAAE,CAAC,CAAC;oBAC7C,OAAO;gBACT,CAAC;gBACD,eAAe,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;gBAC5D,UAAU,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;YACvC,CAAC;YAED,IAAI,UAAkB,CAAC;YACvB,IAAI,EAAU,CAAC;YACf,IAAI,QAAQ,GAAuB,OAAO,CAAC,QAAQ,CAAC;YACpD,IAAI,QAAQ,GAAW,eAAe,CAAC;YACvC,IAAI,gBAAgB,GAAsE,EAAE,CAAC;YAE7F,gEAAgE;YAChE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,OAAO,CAAC,IAAI,GAAG,4BAA4B,CAAC;gBAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC7C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC9B,OAAO,CAAC,IAAI,CAAC,8BAA8B,YAAY,EAAE,CAAC,CAAC;oBAC3D,OAAO;gBACT,CAAC;gBAED,MAAM,QAAQ,GAAmB,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;gBACjF,IAAI,YAAsC,CAAC;gBAE3C,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;oBACnB,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;gBACzE,CAAC;qBAAM,CAAC;oBACN,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACvC,CAAC,CAAC,IAAI,KAAK,eAAe,IAAI,CAAC,CAAC,IAAI,KAAK,aAAa,CACvD,CAAC;oBAEF,IAAI,CAAC,YAAY,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACjD,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;oBACnC,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,YAAY,EAAE,CAAC;oBAClB,OAAO,CAAC,IAAI,CACV,OAAO,CAAC,MAAM;wBACZ,CAAC,CAAC,WAAW,OAAO,CAAC,MAAM,gCAAgC;wBAC3D,CAAC,CAAC,oBAAoB,eAAe,+DAA+D,CACvG,CAAC;oBACF,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;oBAC5B,OAAO,CAAC,IAAI,CAAC,SAAS,YAAY,CAAC,IAAI,0DAA0D,CAAC,CAAC;oBACnG,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC,YAAY,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC;oBAC3D,OAAO,CAAC,IAAI,CAAC,SAAS,YAAY,CAAC,IAAI,iDAAiD,CAAC,CAAC;oBAC1F,OAAO;gBACT,CAAC;gBAED,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC;gBACrC,EAAE,GAAG,YAAY,CAAC,YAAY,CAAC;gBAC/B,QAAQ,GAAG,QAAQ,IAAI,YAAY,CAAC,uBAAuB,IAAI,SAAS,CAAC;gBACzE,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC;gBAE7B,qDAAqD;gBACrD,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;oBACxB,gBAAgB,GAAG;wBACjB,IAAI,EAAE,QAAQ,CAAC,UAAU,CAAC,IAAI,IAAI,SAAS;wBAC3C,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,QAAQ,IAAI,SAAS;wBACnD,kBAAkB,EAAE,QAAQ,CAAC,UAAU,CAAC,kBAAkB,IAAI,SAAS;qBACxE,CAAC;gBACJ,CAAC;gBAEH,gEAAgE;YAChE,CAAC;iBAAM,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;gBAC5C,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;gBAChC,EAAE,GAAG,OAAO,CAAC,EAAE,CAAC;gBAElB,gEAAgE;YAChE,CAAC;iBAAM,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBAC1B,OAAO,CAAC,IAAI,GAAG,oCAAoC,CAAC;gBACpD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;gBAChD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;gBAChD,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAE5C,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBACjD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;oBACpB,OAAO,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;oBAClE,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;oBAC3C,OAAO,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;oBACrD,OAAO;gBACT,CAAC;gBAED,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;gBAC7B,EAAE,GAAG,IAAI,CAAC,YAAY,CAAC;gBACvB,QAAQ,GAAG,QAAQ,IAAI,IAAI,CAAC,uBAAuB,IAAI,SAAS,CAAC;gBACjE,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;gBAErB,yDAAyD;gBACzD,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;gBACvD,gBAAgB,GAAG;oBACjB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,SAAS;oBAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,SAAS;oBACtC,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,SAAS;iBAC3D,CAAC;YAEJ,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,IAAI,CACV,yCAAyC;oBACzC,oEAAoE;oBACpE,kEAAkE;oBAClE,6DAA6D,CAC9D,CAAC;gBACF,OAAO;YACT,CAAC;YAED,kDAAkD;YAClD,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;oBAChD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;oBAChD,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;oBAC5C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;oBACvD,gBAAgB,GAAG;wBACjB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,SAAS;wBAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,SAAS;wBACtC,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,SAAS;qBAC3D,CAAC;gBACJ,CAAC;gBAAC,MAAM,CAAC;oBACP,uDAAuD;gBACzD,CAAC;YACH,CAAC;YAED,qBAAqB;YACrB,OAAO,CAAC,IAAI,GAAG,4BAA4B,CAAC;YAC5C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC;gBACvC,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,GAAG,gBAAgB;aACpB,CAAC,CAAC;YAEH,UAAU;YACV,OAAO,CAAC,IAAI,GAAG,eAAe,CAAC;YAC/B,MAAM,SAAS,GAAG,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;YAEjF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,OAAO,CAAC,IAAI,EAAE,CAAC;gBACf,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;gBAChC,IAAI,QAAQ,EAAE,CAAC;oBACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC,CAAC;gBAC1E,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,gBAAgB;gBAChB,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBAChF,aAAa,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;gBACrC,OAAO,CAAC,OAAO,CAAC,gBAAgB,UAAU,KAAK,SAAS,CAAC,MAAM,SAAS,CAAC,CAAC;gBAC1E,IAAI,QAAQ,EAAE,CAAC;oBACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC,CAAC;gBAC/D,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,sBAAsB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YAClD,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAClF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC,CAAC;YACvG,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/src/commands/encryption.d.ts

@@ -1,3 +0,0 @@
-import type { Command } from 'commander';
-export declare function registerEncryptionCommands(program: Command): void;
-//# sourceMappingURL=encryption.d.ts.map

package/dist/src/commands/encryption.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"encryption.d.ts","sourceRoot":"","sources":["../../../src/commands/encryption.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgBzC,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,QAgS1D"}

package/dist/src/commands/encryption.js

@@ -1,254 +0,0 @@
-import chalk from 'chalk';
-import inquirer from 'inquirer';
-import { getSDKClientFromParent } from '../sdk.js';
-import { deriveMasterKey, computeVerifier, verifyPassphrase, generateSalt, generateMasterKey, generateRecoveryKey, wrapMasterKey, unwrapMasterKey, } from '../crypto.js';
-import { storeMasterKey, loadMasterKey } from '../lib/keyring.js';
-export function registerEncryptionCommands(program) {
-    const encryption = program.command('encryption').description('Manage E2E encryption');
-    encryption.command('setup')
-        .description('Set encryption passphrase (first time only)')
-        .action(async () => {
-        const sdk = getSDKClientFromParent(encryption);
-        // Check if already set up
-        const { setupComplete } = await sdk.account.getEncryptionParams();
-        if (setupComplete) {
-            console.log(chalk.yellow('Encryption is already set up.'));
-            console.log(chalk.dim('Use: tusky encryption change-passphrase'));
-            return;
-        }
-        // Get passphrase
-        const answers = await inquirer.prompt([
-            {
-                type: 'password',
-                name: 'passphrase',
-                message: 'Enter encryption passphrase:',
-                mask: '*',
-                validate: (input) => input.length >= 8 || 'Passphrase must be at least 8 characters',
-            },
-            {
-                type: 'password',
-                name: 'confirm',
-                message: 'Confirm passphrase:',
-                mask: '*',
-            },
-        ]);
-        if (answers.passphrase !== answers.confirm) {
-            console.error(chalk.red('Passphrases do not match.'));
-            return;
-        }
-        // Generate random master key and derive wrapping key from passphrase
-        const masterKey = generateMasterKey();
-        const salt = generateSalt();
-        const wrappingKey = deriveMasterKey(answers.passphrase, salt);
-        const verifier = computeVerifier(wrappingKey);
-        // Wrap master key with wrapping key (for passphrase unlock)
-        const encryptedMasterKey = wrapMasterKey(masterKey, wrappingKey);
-        // Wrap master key with recovery key (for recovery flow)
-        const recoveryKeyRaw = generateRecoveryKey();
-        const wrappedMasterKeyBackup = wrapMasterKey(masterKey, recoveryKeyRaw);
-        const recoveryKeyBase64 = recoveryKeyRaw.toString('base64');
-        // Send to server
-        await sdk.account.setupEncryption({
-            salt: salt.toString('base64'),
-            verifier: verifier.toString('base64'),
-            encryptedMasterKey: encryptedMasterKey.toString('base64'),
-            wrappedMasterKeyBackup: wrappedMasterKeyBackup.toString('base64'),
-        });
-        // Store master key in session
-        storeMasterKey(masterKey);
-        // Display recovery key
-        console.log('');
-        console.log(chalk.yellow.bold('SAVE YOUR RECOVERY KEY — it will not be shown again:'));
-        console.log('');
-        console.log(chalk.bold(`  ${recoveryKeyBase64}`));
-        console.log('');
-        const confirmSaved = await inquirer.prompt([{
-                type: 'confirm',
-                name: 'saved',
-                message: 'Have you saved your recovery key?',
-                default: false,
-            }]);
-        if (!confirmSaved.saved) {
-            console.log(chalk.yellow('Please save your recovery key before continuing!'));
-            console.log(chalk.bold(`  ${recoveryKeyBase64}`));
-        }
-        console.log(chalk.green('Encryption configured successfully.'));
-    });
-    encryption.command('unlock')
-        .description('Unlock encryption for this session')
-        .option('--passphrase <passphrase>', 'Passphrase (non-interactive; also reads TUSKYDP_PASSWORD env var)')
-        .action(async (options) => {
-        const sdk = getSDKClientFromParent(encryption);
-        const { setupComplete, salt, verifier, encryptedMasterKey } = await sdk.account.getEncryptionParams();
-        if (!setupComplete) {
-            console.error(chalk.red('Encryption not set up. Run: tusky encryption setup'));
-            return;
-        }
-        // Resolve passphrase: flag > env var > interactive prompt
-        let passphrase = options.passphrase ?? process.env.TUSKYDP_PASSWORD;
-        if (!passphrase) {
-            const answers = await inquirer.prompt([{
-                    type: 'password',
-                    name: 'passphrase',
-                    message: 'Enter encryption passphrase:',
-                    mask: '*',
-                }]);
-            passphrase = answers.passphrase;
-        }
-        const saltBuffer = Buffer.from(salt, 'base64');
-        const verifierBuffer = Buffer.from(verifier, 'base64');
-        const wrappingKey = deriveMasterKey(passphrase, saltBuffer);
-        if (!verifyPassphrase(wrappingKey, verifierBuffer)) {
-            console.error(chalk.red('Invalid passphrase.'));
-            process.exit(1);
-        }
-        // Unwrap the real master key (or fall back to legacy where wrapping key = master key)
-        let masterKey;
-        if (encryptedMasterKey) {
-            masterKey = unwrapMasterKey(Buffer.from(encryptedMasterKey, 'base64'), wrappingKey);
-        }
-        else {
-            masterKey = wrappingKey;
-        }
-        storeMasterKey(masterKey);
-        console.log(chalk.green('Encryption session unlocked.'));
-    });
-    encryption.command('status')
-        .description('Show encryption status')
-        .action(async () => {
-        const sdk = getSDKClientFromParent(encryption);
-        const { setupComplete } = await sdk.account.getEncryptionParams();
-        const sessionActive = loadMasterKey() !== null;
-        console.log(`Encryption setup:   ${setupComplete ? chalk.green('Complete') : chalk.yellow('Not set up')}`);
-        console.log(`Session unlocked:   ${sessionActive ? chalk.green('Yes') : chalk.yellow('No')}`);
-    });
-    encryption.command('change-passphrase')
-        .description('Change encryption passphrase')
-        .action(async () => {
-        const sdk = getSDKClientFromParent(encryption);
-        const { setupComplete, salt, verifier, encryptedMasterKey } = await sdk.account.getEncryptionParams();
-        if (!setupComplete) {
-            console.error(chalk.red('Encryption not set up. Run: tusky encryption setup'));
-            return;
-        }
-        const answers = await inquirer.prompt([
-            {
-                type: 'password',
-                name: 'currentPassphrase',
-                message: 'Enter current passphrase:',
-                mask: '*',
-            },
-            {
-                type: 'password',
-                name: 'newPassphrase',
-                message: 'Enter new passphrase:',
-                mask: '*',
-                validate: (input) => input.length >= 8 || 'Passphrase must be at least 8 characters',
-            },
-            {
-                type: 'password',
-                name: 'confirmNew',
-                message: 'Confirm new passphrase:',
-                mask: '*',
-            },
-        ]);
-        if (answers.newPassphrase !== answers.confirmNew) {
-            console.error(chalk.red('New passphrases do not match.'));
-            return;
-        }
-        // Verify current passphrase
-        const currentSalt = Buffer.from(salt, 'base64');
-        const currentVerifier = Buffer.from(verifier, 'base64');
-        const currentWrappingKey = deriveMasterKey(answers.currentPassphrase, currentSalt);
-        if (!verifyPassphrase(currentWrappingKey, currentVerifier)) {
-            console.error(chalk.red('Invalid current passphrase.'));
-            return;
-        }
-        // Unwrap the real master key (or use wrapping key as legacy fallback)
-        let masterKey;
-        if (encryptedMasterKey) {
-            masterKey = unwrapMasterKey(Buffer.from(encryptedMasterKey, 'base64'), currentWrappingKey);
-        }
-        else {
-            masterKey = currentWrappingKey;
-        }
-        // Derive new wrapping key, re-wrap master key
-        const newSalt = generateSalt();
-        const newWrappingKey = deriveMasterKey(answers.newPassphrase, newSalt);
-        const newVerifier = computeVerifier(newWrappingKey);
-        const newEncryptedMasterKey = wrapMasterKey(masterKey, newWrappingKey);
-        // Generate new recovery key and wrap master key with it
-        const newRecoveryKey = generateRecoveryKey();
-        const newWrappedBackup = wrapMasterKey(masterKey, newRecoveryKey);
-        await sdk.account.resetEncryption({
-            salt: newSalt.toString('base64'),
-            verifier: newVerifier.toString('base64'),
-            encryptedMasterKey: newEncryptedMasterKey.toString('base64'),
-            wrappedMasterKeyBackup: newWrappedBackup.toString('base64'),
-        });
-        storeMasterKey(masterKey);
-        console.log(chalk.yellow.bold('NEW RECOVERY KEY (save it!):'));
-        console.log(chalk.bold(`  ${newRecoveryKey.toString('base64')}`));
-        console.log(chalk.green('Passphrase changed successfully.'));
-    });
-    encryption.command('recover')
-        .description('Recover master key with recovery key')
-        .action(async () => {
-        const sdk = getSDKClientFromParent(encryption);
-        const answers = await inquirer.prompt([
-            {
-                type: 'input',
-                name: 'recoveryKey',
-                message: 'Enter your recovery key (base64):',
-            },
-            {
-                type: 'password',
-                name: 'newPassphrase',
-                message: 'Enter new passphrase:',
-                mask: '*',
-                validate: (input) => input.length >= 8 || 'Passphrase must be at least 8 characters',
-            },
-            {
-                type: 'password',
-                name: 'confirmNew',
-                message: 'Confirm new passphrase:',
-                mask: '*',
-            },
-        ]);
-        if (answers.newPassphrase !== answers.confirmNew) {
-            console.error(chalk.red('Passphrases do not match.'));
-            return;
-        }
-        // Get wrapped master key backup from server
-        const { wrappedMasterKeyBackup } = await sdk.account.getRecoveryData();
-        const wrappedData = Buffer.from(wrappedMasterKeyBackup, 'base64');
-        const recoveryKeyRaw = Buffer.from(answers.recoveryKey, 'base64');
-        let masterKey;
-        try {
-            masterKey = unwrapMasterKey(wrappedData, recoveryKeyRaw);
-        }
-        catch {
-            console.error(chalk.red('Invalid recovery key.'));
-            return;
-        }
-        // Derive new wrapping key from new passphrase, wrap the RECOVERED master key
-        const newSalt = generateSalt();
-        const newWrappingKey = deriveMasterKey(answers.newPassphrase, newSalt);
-        const newVerifier = computeVerifier(newWrappingKey);
-        const newEncryptedMasterKey = wrapMasterKey(masterKey, newWrappingKey);
-        // Generate new recovery key and wrap master key with it
-        const newRecoveryKey = generateRecoveryKey();
-        const newWrappedBackup = wrapMasterKey(masterKey, newRecoveryKey);
-        await sdk.account.resetEncryption({
-            salt: newSalt.toString('base64'),
-            verifier: newVerifier.toString('base64'),
-            encryptedMasterKey: newEncryptedMasterKey.toString('base64'),
-            wrappedMasterKeyBackup: newWrappedBackup.toString('base64'),
-        });
-        storeMasterKey(masterKey);
-        console.log(chalk.yellow.bold('NEW RECOVERY KEY (save it!):'));
-        console.log(chalk.bold(`  ${newRecoveryKey.toString('base64')}`));
-        console.log(chalk.green('Recovery successful. Passphrase reset.'));
-    });
-}
-//# sourceMappingURL=encryption.js.map

package/dist/src/commands/encryption.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../../src/commands/encryption.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EACL,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,EACnB,aAAa,EACb,eAAe,GAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAgB,MAAM,mBAAmB,CAAC;AAEhF,MAAM,UAAU,0BAA0B,CAAC,OAAgB;IACzD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,WAAW,CAAC,uBAAuB,CAAC,CAAC;IAEtF,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC;SACxB,WAAW,CAAC,6CAA6C,CAAC;SAC1D,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,GAAG,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAE/C,0BAA0B;QAC1B,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;QAClE,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,+BAA+B,CAAC,CAAC,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC,CAAC;YAClE,OAAO;QACT,CAAC;QAED,iBAAiB;QACjB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACpC;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,8BAA8B;gBACvC,IAAI,EAAE,GAAG;gBACT,QAAQ,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,0CAA0C;aAC7F;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,qBAAqB;gBAC9B,IAAI,EAAE,GAAG;aACV;SACF,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,UAAU,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3C,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACtD,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;QAC5B,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;QAE9C,4DAA4D;QAC5D,MAAM,kBAAkB,GAAG,aAAa,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAEjE,wDAAwD;QACxD,MAAM,cAAc,GAAG,mBAAmB,EAAE,CAAC;QAC7C,MAAM,sBAAsB,GAAG,aAAa,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QACxE,MAAM,iBAAiB,GAAG,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE5D,iBAAiB;QACjB,MAAM,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC;YAChC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACrC,kBAAkB,EAAE,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzD,sBAAsB,EAAE,sBAAsB,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAClE,CAAC,CAAC;QAEH,8BAA8B;QAC9B,cAAc,CAAC,SAAS,CAAC,CAAC;QAE1B,uBAAuB;QACvB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,iBAAiB,EAAE,CAAC,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;gBAC1C,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,mCAAmC;gBAC5C,OAAO,EAAE,KAAK;aACf,CAAC,CAAC,CAAC;QAEJ,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,kDAAkD,CAAC,CAAC,CAAC;YAC9E,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,iBAAiB,EAAE,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEL,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC;SACzB,WAAW,CAAC,oCAAoC,CAAC;SACjD,MAAM,CAAC,2BAA2B,EAAE,mEAAmE,CAAC;SACxG,MAAM,CAAC,KAAK,EAAE,OAAgC,EAAE,EAAE;QACjD,MAAM,GAAG,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAE/C,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,kBAAkB,EAAE,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;QACtG,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC,CAAC;YAC/E,OAAO;QACT,CAAC;QAED,0DAA0D;QAC1D,IAAI,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACpE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;oBACrC,IAAI,EAAE,UAAU;oBAChB,IAAI,EAAE,YAAY;oBAClB,OAAO,EAAE,8BAA8B;oBACvC,IAAI,EAAE,GAAG;iBACV,CAAC,CAAC,CAAC;YACJ,UAAU,GAAG,OAAO,CAAC,UAAoB,CAAC;QAC5C,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAK,EAAE,QAAQ,CAAC,CAAC;QAChD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,QAAS,EAAE,QAAQ,CAAC,CAAC;QACxD,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QAE5D,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,CAAC;YACnD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,sFAAsF;QACtF,IAAI,SAAiB,CAAC;QACtB,IAAI,kBAAkB,EAAE,CAAC;YACvB,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,QAAQ,CAAC,EAAE,WAAW,CAAC,CAAC;QACtF,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,WAAW,CAAC;QAC1B,CAAC;QAED,cAAc,CAAC,SAAS,CAAC,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEL,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC;SACzB,WAAW,CAAC,wBAAwB,CAAC;SACrC,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,GAAG,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAC/C,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;QAClE,MAAM,aAAa,GAAG,aAAa,EAAE,KAAK,IAAI,CAAC;QAE/C,OAAO,CAAC,GAAG,CAAC,uBAAuB,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QAC3G,OAAO,CAAC,GAAG,CAAC,uBAAuB,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChG,CAAC,CAAC,CAAC;IAEL,UAAU,CAAC,OAAO,CAAC,mBAAmB,CAAC;SACpC,WAAW,CAAC,8BAA8B,CAAC;SAC3C,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,GAAG,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAE/C,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,kBAAkB,EAAE,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;QACtG,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC,CAAC;YAC/E,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACpC;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,2BAA2B;gBACpC,IAAI,EAAE,GAAG;aACV;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,uBAAuB;gBAChC,IAAI,EAAE,GAAG;gBACT,QAAQ,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,0CAA0C;aAC7F;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,yBAAyB;gBAClC,IAAI,EAAE,GAAG;aACV;SACF,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,aAAa,KAAK,OAAO,CAAC,UAAU,EAAE,CAAC;YACjD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,4BAA4B;QAC5B,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,IAAK,EAAE,QAAQ,CAAC,CAAC;QACjD,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,QAAS,EAAE,QAAQ,CAAC,CAAC;QACzD,MAAM,kBAAkB,GAAG,eAAe,CAAC,OAAO,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAEnF,IAAI,CAAC,gBAAgB,CAAC,kBAAkB,EAAE,eAAe,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,IAAI,SAAiB,CAAC;QACtB,IAAI,kBAAkB,EAAE,CAAC;YACvB,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,QAAQ,CAAC,EAAE,kBAAkB,CAAC,CAAC;QAC7F,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,kBAAkB,CAAC;QACjC,CAAC;QAED,8CAA8C;QAC9C,MAAM,OAAO,GAAG,YAAY,EAAE,CAAC;QAC/B,MAAM,cAAc,GAAG,eAAe,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,WAAW,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;QACpD,MAAM,qBAAqB,GAAG,aAAa,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAEvE,wDAAwD;QACxD,MAAM,cAAc,GAAG,mBAAmB,EAAE,CAAC;QAC7C,MAAM,gBAAgB,GAAG,aAAa,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAElE,MAAM,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC;YAChC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAChC,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACxC,kBAAkB,EAAE,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC5D,sBAAsB,EAAE,gBAAgB,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAC5D,CAAC,CAAC;QAEH,cAAc,CAAC,SAAS,CAAC,CAAC;QAE1B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEL,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC;SAC1B,WAAW,CAAC,sCAAsC,CAAC;SACnD,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,GAAG,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAE/C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACpC;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,aAAa;gBACnB,OAAO,EAAE,mCAAmC;aAC7C;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,uBAAuB;gBAChC,IAAI,EAAE,GAAG;gBACT,QAAQ,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,0CAA0C;aAC7F;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,yBAAyB;gBAClC,IAAI,EAAE,GAAG;aACV;SACF,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,aAAa,KAAK,OAAO,CAAC,UAAU,EAAE,CAAC;YACjD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACtD,OAAO;QACT,CAAC;QAED,4CAA4C;QAC5C,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;QACvE,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,sBAAuB,EAAE,QAAQ,CAAC,CAAC;QACnE,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAElE,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC,CAAC;YAClD,OAAO;QACT,CAAC;QAED,6EAA6E;QAC7E,MAAM,OAAO,GAAG,YAAY,EAAE,CAAC;QAC/B,MAAM,cAAc,GAAG,eAAe,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,WAAW,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;QACpD,MAAM,qBAAqB,GAAG,aAAa,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAEvE,wDAAwD;QACxD,MAAM,cAAc,GAAG,mBAAmB,EAAE,CAAC;QAC7C,MAAM,gBAAgB,GAAG,aAAa,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAElE,MAAM,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC;YAChC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAChC,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACxC,kBAAkB,EAAE,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC5D,sBAAsB,EAAE,gBAAgB,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAC5D,CAAC,CAAC;QAEH,cAAc,CAAC,SAAS,CAAC,CAAC;QAE1B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/src/crypto.d.ts

@@ -1,32 +0,0 @@
-export interface FileMeta {
-    /** Original filename */
-    n: string;
-    /** Original MIME type */
-    m: string;
-}
-export declare function deriveMasterKey(passphrase: string, salt: Buffer): Buffer;
-export declare function computeVerifier(masterKey: Buffer): Buffer;
-export declare function verifyPassphrase(masterKey: Buffer, expectedVerifier: Buffer): boolean;
-export declare function generateSalt(): Buffer;
-export declare function generateRecoveryKey(): Buffer;
-export declare function generateMasterKey(): Buffer;
-export declare function wrapMasterKey(masterKey: Buffer, recoveryKey: Buffer): Buffer;
-export declare function unwrapMasterKey(wrappedData: Buffer, recoveryKey: Buffer): Buffer;
-export declare function encryptBuffer(plaintext: Buffer, masterKey: Buffer): {
-    ciphertext: Buffer;
-    wrappedKey: string;
-    iv: string;
-    plaintextChecksum: string;
-};
-/**
- * Encrypt filename + MIME type together using master key (AES-256-GCM).
- * Format: base64([iv(12) | ciphertext | authTag(16)])
- */
-export declare function encryptMetadata(name: string, mimeType: string, masterKey: Buffer): string;
-/**
- * Decrypt an encryptedName blob produced by encryptMetadata.
- * Returns the original { name, mimeType }.
- */
-export declare function decryptMetadata(encryptedBase64: string, masterKey: Buffer): FileMeta;
-export declare function decryptBuffer(ciphertext: Buffer, wrappedKeyBase64: string, ivBase64: string, masterKey: Buffer, expectedChecksum?: string): Buffer;
-//# sourceMappingURL=crypto.d.ts.map

package/dist/src/crypto.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/crypto.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,QAAQ;IACvB,wBAAwB;IACxB,CAAC,EAAE,MAAM,CAAC;IACV,yBAAyB;IACzB,CAAC,EAAE,MAAM,CAAC;CACX;AAMD,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAExE;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAIzD;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAMrF;AAED,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CAM5E;AAED,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CAOhF;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG;IACnE,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,iBAAiB,EAAE,MAAM,CAAC;CAC3B,CA2BA;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAOzF;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,QAAQ,CASpF;AAED,wBAAgB,aAAa,CAC3B,UAAU,EAAE,MAAM,EAClB,gBAAgB,EAAE,MAAM,EACxB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,gBAAgB,CAAC,EAAE,MAAM,GACxB,MAAM,CA6BR"}