@uglyunicorn/pie 0.1.0

package/.cursor/rules/use-bun-instead-of-node-vite-npm-pnpm.mdc

@@ -0,0 +1,111 @@
+---
+description: Use Bun instead of Node.js, npm, pnpm, or vite.
+globs: "*.ts, *.tsx, *.html, *.css, *.js, *.jsx, package.json"
+alwaysApply: false
+---
+
+Default to using Bun instead of Node.js.
+
+- Use `bun <file>` instead of `node <file>` or `ts-node <file>`
+- Use `bun test` instead of `jest` or `vitest`
+- Use `bun build <file.html|file.ts|file.css>` instead of `webpack` or `esbuild`
+- Use `bun install` instead of `npm install` or `yarn install` or `pnpm install`
+- Use `bun run <script>` instead of `npm run <script>` or `yarn run <script>` or `pnpm run <script>`
+- Use `bunx <package> <command>` instead of `npx <package> <command>`
+- Bun automatically loads .env, so don't use dotenv.
+
+## APIs
+
+- `Bun.serve()` supports WebSockets, HTTPS, and routes. Don't use `express`.
+- `bun:sqlite` for SQLite. Don't use `better-sqlite3`.
+- `Bun.redis` for Redis. Don't use `ioredis`.
+- `Bun.sql` for Postgres. Don't use `pg` or `postgres.js`.
+- `WebSocket` is built-in. Don't use `ws`.
+- Prefer `Bun.file` over `node:fs`'s readFile/writeFile
+- Bun.$`ls` instead of execa.
+
+## Testing
+
+Use `bun test` to run tests.
+
+```ts#index.test.ts
+import { test, expect } from "bun:test";
+
+test("hello world", () => {
+  expect(1).toBe(1);
+});
+```
+
+## Frontend
+
+Use HTML imports with `Bun.serve()`. Don't use `vite`. HTML imports fully support React, CSS, Tailwind.
+
+Server:
+
+```ts#index.ts
+import index from "./index.html"
+
+Bun.serve({
+  routes: {
+    "/": index,
+    "/api/users/:id": {
+      GET: (req) => {
+        return new Response(JSON.stringify({ id: req.params.id }));
+      },
+    },
+  },
+  // optional websocket support
+  websocket: {
+    open: (ws) => {
+      ws.send("Hello, world!");
+    },
+    message: (ws, message) => {
+      ws.send(message);
+    },
+    close: (ws) => {
+      // handle close
+    }
+  },
+  development: {
+    hmr: true,
+    console: true,
+  }
+})
+```
+
+HTML files can import .tsx, .jsx or .js files directly and Bun's bundler will transpile & bundle automatically. `<link>` tags can point to stylesheets and Bun's CSS bundler will bundle.
+
+```html#index.html
+<html>
+  <body>
+    <h1>Hello, world!</h1>
+    <script type="module" src="./frontend.tsx"></script>
+  </body>
+</html>
+```
+
+With the following `frontend.tsx`:
+
+```tsx#frontend.tsx
+import React from "react";
+import { createRoot } from "react-dom/client";
+
+// import .css files directly and it works
+import './index.css';
+
+const root = createRoot(document.body);
+
+export default function Frontend() {
+  return <h1>Hello, world!</h1>;
+}
+
+root.render(<Frontend />);
+```
+
+Then, run index.ts
+
+```sh
+bun --hot ./index.ts
+```
+
+For more information, read the Bun API docs in `node_modules/bun-types/docs/**.mdx`.

package/.github/workflows/coverage.yml

@@ -0,0 +1,36 @@
+name: Coverage
+
+on:
+  push:
+    branches: ["main", "feature/*"]
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run tests with coverage (LCOV)
+        run: bun test --coverage --coverage-reporter=lcov
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          files: ./coverage/lcov.info
+          fail_ci_if_error: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: uglyunicorn-eh/pie

package/.github/workflows/release.yml

@@ -0,0 +1,79 @@
+name: Release
+
+on:
+  push:
+    branches: ["main"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install deps
+        run: bun install --frozen-lockfile
+
+      - name: Read version from package.json
+        id: pkg
+        run: |
+          VERSION=$(bun --print 'require("./package.json").version')
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "tag=v${VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Check if tag exists
+        id: tagcheck
+        run: |
+          if git rev-parse "${{ steps.pkg.outputs.tag }}" >/dev/null 2>&1; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build
+        if: steps.tagcheck.outputs.exists == 'false'
+        run: bun run build
+
+      - name: Create tag
+        if: steps.tagcheck.outputs.exists == 'false'
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git tag ${{ steps.pkg.outputs.tag }}
+          git push origin ${{ steps.pkg.outputs.tag }}
+
+      - name: Capture merge commit message
+        id: msg
+        run: |
+          TITLE=$(git log -1 --pretty=%s)
+          BODY=$(git log -1 --pretty=%b)
+          echo "title=${TITLE}" >> $GITHUB_OUTPUT
+          printf "%s" "$BODY" > body.txt
+
+      - name: Create GitHub Release
+        if: steps.tagcheck.outputs.exists == 'false'
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ steps.pkg.outputs.tag }}
+          name: ${{ steps.pkg.outputs.tag }}
+          body_path: body.txt
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish to npm
+        if: steps.tagcheck.outputs.exists == 'false'
+        env:
+          NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          bun publish -p --access public

package/.github/workflows/test.yml

@@ -0,0 +1,62 @@
+name: Test
+
+on:
+  pull_request:
+    branches: ["**"]
+  push:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Run tests with coverage
+        run: bun test --coverage > coverage.txt 2>&1
+
+      - name: Display coverage
+        run: cat coverage.txt
+
+      - name: Upload coverage results
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.txt
+          retention-days: 1
+
+      - name: Build
+        run: bun run build
+
+  coverage:
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - name: Download coverage results
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-report
+
+      - name: Check 100% coverage
+        run: |
+          cat coverage.txt
+
+          # Extract coverage percentage and check if it's 100%
+          if ! grep -E "All files\s+\|\s+.+\s+\|\s+100\.00" coverage.txt; then
+            echo "❌ Coverage is not 100%"
+            echo "Please ensure all code is covered by tests"
+            exit 1
+          fi
+
+          echo "✅ Coverage is 100%"

package/.prettierignore

@@ -0,0 +1,6 @@
+node_modules
+out
+dist
+coverage
+*.tgz
+bun.lock

package/.prettierrc

@@ -0,0 +1,7 @@
+{
+  "semi": true,
+  "singleQuote": false,
+  "tabWidth": 2,
+  "trailingComma": "es5",
+  "printWidth": 100
+}

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ugly Unicorn
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,66 @@
+# π
+
+Protected Information Envelope — Schema-validated envelopes using [HPKE](https://www.rfc-editor.org/rfc/rfc9180.html).
+
+[![codecov](https://codecov.io/gh/uglyunicorn-eh/pie/graph/badge.svg?token=yBE5KPG0WI)](https://codecov.io/gh/uglyunicorn-eh/pie)
+
+Validate payloads with your schema, seal with a public key, and open with the matching private key. Supports retranslation (decrypt with one key, re-encrypt with another) so the original key cannot open the new envelope.
+
+## Install
+
+```bash
+bun add @uglyunicorn/pie valibot
+# or: npm install @uglyunicorn/pie valibot
+```
+
+## Example (Valibot)
+
+```ts
+import * as v from "valibot";
+
+import { envelope, type EnvelopeContext } from "@uglyunicorn/pie/valibot";
+import { createCipherSuite, envelopeContext } from "@uglyunicorn/pie/crypto";
+
+const userProfileSchema = (ctx: EnvelopeContext) =>
+  v.objectAsync({
+    identity: envelope(
+      v.object({
+        name: v.string(),
+        email: v.string(),
+      }),
+      ctx
+    ),
+    height: v.number(),
+    weight: v.number(),
+  });
+
+const userProfile = {
+  identity: {
+    name: "John Doe",
+    email: "john.doe@example.com",
+  },
+  height: 180,
+  weight: 70,
+};
+
+const suite = createCipherSuite();
+const keyPair = await suite.GenerateKeyPair(true);
+
+const encryptContext = envelopeContext({ out: keyPair });
+
+const sealed = await v.parseAsync(userProfileSchema(encryptContext), userProfile);
+console.log(sealed);
+```
+
+Output:
+
+```json
+{
+  "identity": {
+    "ct": "2DPxSEdZWSQo-C6vh3hlxUeGvZQmoDNW6vQt_Y5V9Gp1mu_MaVG7m4HKJ6OtTwxqGnQlv9ZThZkvUe6JVEZmmmug",
+    "enc": "BDQSbUX5SI9R70VMDnOHyNh9DEm5a9J4gvPNjD28-FHV45Q9z-C1JUReIE9llMaalakhvL_lV5gA-e8WIm_lv38"
+  },
+  "height": 180,
+  "weight": 70
+}
+```

package/body.txt

@@ -0,0 +1,5 @@
+* Add CI workflows, build scripts, and schema/readme updates
+
+* fix: standardize YAML formatting and improve coverage check regex
+
+* docs: add Codecov badge to README for coverage tracking

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@uglyunicorn/pie",
+  "version": "0.1.0",
+  "module": "src/index.ts",
+  "type": "module",
+  "scripts": {
+    "build": "bun run scripts/build.ts && bun run build:types",
+    "build:types": "tsc --project tsconfig.build.json",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "test": "bun test",
+    "test:coverage": "bun test --coverage"
+  },
+  "exports": {
+    ".": "./src/index.ts",
+    "./crypto": "./src/crypto/index.ts",
+    "./valibot": "./src/schema/valibot.ts"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "@valibot/to-json-schema": "^1.5.0",
+    "prettier": "^3.8.1"
+  },
+  "peerDependencies": {
+    "typescript": "^5",
+    "valibot": "^1.2.0"
+  },
+  "dependencies": {
+    "@standard-schema/spec": "^1.1.0",
+    "hpke": "^1.0.3"
+  }
+}

package/scripts/build.ts

@@ -0,0 +1,20 @@
+#!/usr/bin/env bun
+
+const builds = [
+  { entry: "src/index.ts", outdir: "dist" },
+  { entry: "src/crypto/index.ts", outdir: "dist/crypto" },
+  { entry: "src/schema/valibot.ts", outdir: "dist/schema" },
+] as const;
+
+for (const { entry, outdir } of builds) {
+  const result = await Bun.build({
+    entrypoints: [entry],
+    outdir,
+    target: "node",
+  });
+
+  if (!result.success) {
+    console.error(`Failed to build ${entry}`);
+    process.exit(1);
+  }
+}

package/src/crypto/hpke.ts

@@ -0,0 +1,126 @@
+import type { StandardSchemaV1 } from "@standard-schema/spec";
+import {
+  type Key,
+  type KeyPair,
+  CipherSuite,
+  KEM_DHKEM_P256_HKDF_SHA256,
+  KDF_HKDF_SHA256,
+  AEAD_AES_128_GCM,
+} from "hpke";
+
+import { decodeBuffer, deserialize, encodeBuffer, serialize } from "../lib/utils";
+import type { CipherContext, DecipherContext, RetranslateContext } from "..";
+
+export class HpkeEnvelopeError extends Error {}
+
+export interface Envelope {
+  ct: string;
+  enc: string;
+}
+
+export function createCipherSuite(): CipherSuite {
+  return new CipherSuite(KEM_DHKEM_P256_HKDF_SHA256, KDF_HKDF_SHA256, AEAD_AES_128_GCM);
+}
+
+/**
+ * Encrypts data using HPKE.
+ *
+ * The function validates the data against the schema
+ * and then encrypts the data using the public key.
+ *
+ * @param data - The data to encrypt.
+ * @param publicKey - The public key to use for encryption.
+ * @returns The encrypted envelope.
+ */
+export async function sealEnvelope<T>(
+  schema: StandardSchemaV1<T>,
+  data: T,
+  publicKey: Key
+): Promise<Envelope> {
+  const suite = createCipherSuite();
+
+  const validated = await schema["~standard"].validate(data);
+  if (validated.issues) {
+    throw new HpkeEnvelopeError("Unable to seal envelope: invalid payload", {
+      cause: validated.issues,
+    });
+  }
+
+  const { ciphertext, encapsulatedSecret } = await suite.Seal(
+    publicKey,
+    serialize(validated.value)
+  );
+
+  return { ct: encodeBuffer(ciphertext), enc: encodeBuffer(encapsulatedSecret) };
+}
+
+/**
+ * Decrypts data using HPKE.
+ *
+ * The function decrypts the data using the private key and then validates the
+ * data against the schema.
+ *
+ * @param envelope - The envelope to decrypt.
+ * @param privateKey - The private key to use for decryption.
+ * @returns The decrypted data.
+ */
+export async function openEnvelope<T>(
+  schema: StandardSchemaV1<T>,
+  envelope: Envelope,
+  privateKey: Key
+): Promise<T> {
+  const suite = createCipherSuite();
+
+  const plaintext = await suite.Open(
+    privateKey,
+    decodeBuffer(envelope.enc),
+    decodeBuffer(envelope.ct)
+  );
+
+  const payload = deserialize(plaintext);
+
+  const validated = await schema["~standard"].validate(payload);
+  if (validated.issues) {
+    throw new HpkeEnvelopeError("Unable to open envelope: invalid payload", {
+      cause: validated.issues,
+    });
+  }
+
+  return validated.value;
+}
+
+export function envelopeContext(opts: { out: Pick<KeyPair, "publicKey"> }): CipherContext<Envelope>;
+
+export function envelopeContext(opts: {
+  in: Pick<KeyPair, "privateKey">;
+}): DecipherContext<Envelope>;
+
+export function envelopeContext(opts: {
+  in: Pick<KeyPair, "privateKey">;
+  out: Pick<KeyPair, "publicKey">;
+}): RetranslateContext<Envelope>;
+
+export function envelopeContext(): undefined;
+
+export function envelopeContext(opts?: any) {
+  if (opts?.in && opts?.out) {
+    return {
+      open: (schema, envelope) => openEnvelope(schema, envelope, opts.in.privateKey),
+      seal: (schema, data) => sealEnvelope(schema, data, opts.out.publicKey),
+    } as RetranslateContext<Envelope>;
+  }
+
+  if (opts?.in) {
+    return {
+      open: (schema, envelope) => openEnvelope(schema, envelope, opts.in.privateKey),
+    } as DecipherContext<Envelope>;
+  }
+
+  if (opts?.out) {
+    return {
+      seal: (schema, data) => sealEnvelope(schema, data, opts.out.publicKey),
+    } as CipherContext<Envelope>;
+  }
+
+  return undefined;
+}

package/src/crypto/index.ts

@@ -0,0 +1 @@
+export { createCipherSuite, envelopeContext } from "./hpke";

package/src/index.ts

@@ -0,0 +1,82 @@
+import type { StandardSchemaV1 } from "@standard-schema/spec";
+
+export interface CipherContext<E> {
+  seal: SealEnvelope<E>;
+}
+
+export interface DecipherContext<E> {
+  open: OpenEnvelope<E>;
+}
+
+export interface RetranslateContext<E> {
+  open: OpenEnvelope<E>;
+  seal: SealEnvelope<E>;
+}
+
+export interface RepeatContext {}
+
+export type EnvelopeContext<E> =
+  | CipherContext<E>
+  | DecipherContext<E>
+  | RetranslateContext<E>
+  | RepeatContext;
+
+/**
+ * Envelope schema field.
+ */
+export interface Envelope<T, E> {
+  /**
+   * Seals data into an envelope.
+   * @param schema - The schema of the data.
+   * @param ctx - The options for the envelope.
+   * @returns The sealed envelope.
+   */
+  (schema: StandardSchemaV1<T>, ctx: CipherContext<E>): StandardSchemaV1<T, E>;
+
+  /**
+   * Unseals data from an envelope.
+   * @param schema - The schema of the data.
+   * @param ctx - The options for the envelope.
+   * @returns The unsealed data.
+   */
+  (schema: StandardSchemaV1<T>, ctx: DecipherContext<E>): StandardSchemaV1<E, T>;
+
+  /**
+   * Retranslates data between two envelopes. Decrypts the data with the decipher
+   * and re-encrypts the data with the cipher.
+   * @param schema - The schema of the data.
+   * @param ctx - The options for the envelope.
+   * @returns The retranslated data.
+   */
+  (schema: StandardSchemaV1<T>, ctx: RetranslateContext<E>): StandardSchemaV1<E>;
+
+  /**
+   * Repeats the envelope without modifying the data.
+   *
+   * @param schema - The schema of the data.
+   * @param ctx - The options for the envelope.
+   * @returns The repeated envelope.
+   */
+  (schema: StandardSchemaV1<T>, ctx: RepeatContext): StandardSchemaV1<E>;
+
+  /**
+   * Returns the schema without modifying the data.
+   * @param schema - The schema of the data.
+   * @returns The schema without modifying the data.
+   */
+  (schema: StandardSchemaV1<T>, ctx?: undefined): StandardSchemaV1<T>;
+}
+
+/**
+ * Seals data into an envelope.
+ */
+export interface SealEnvelope<E> {
+  <T>(schema: StandardSchemaV1<T>, data: T): Promise<E>;
+}
+
+/**
+ * Opens an envelope.
+ */
+export interface OpenEnvelope<E> {
+  <T>(schema: StandardSchemaV1<T>, envelope: E): Promise<T>;
+}

package/src/lib/utils.ts

@@ -0,0 +1,42 @@
+/**
+ * Encodes a Uint8Array to a base64url string.
+ *
+ * @param data - The data to encode.
+ * @returns The encoded data.
+ */
+export function encodeBuffer(data: Uint8Array): string {
+  return data.toBase64({
+    alphabet: "base64url",
+    omitPadding: true,
+  });
+}
+
+/**
+ * Decodes a base64url string to Uint8Array.
+ *
+ * @param encoded - The encoded data.
+ * @returns The decoded data.
+ */
+export function decodeBuffer(encoded: string): Uint8Array {
+  return new Uint8Array(Buffer.from(encoded, "base64url"));
+}
+
+/**
+ * Serializes data to a Uint8Array.
+ *
+ * @param data - The data to serialize.
+ * @returns The serialized data.
+ */
+export function serialize(data: unknown): Uint8Array {
+  return new TextEncoder().encode(JSON.stringify(data));
+}
+
+/**
+ * Deserializes data from a Uint8Array.
+ *
+ * @param data - The data to deserialize.
+ * @returns The deserialized data.
+ */
+export function deserialize(data: Uint8Array): unknown {
+  return JSON.parse(new TextDecoder().decode(data));
+}

package/src/schema/valibot.ts

@@ -0,0 +1,77 @@
+import * as v from "valibot";
+
+import { type EnvelopeContext as EnvelopeContextType } from "..";
+
+import type { CipherContext, DecipherContext, RetranslateContext, RepeatContext } from "..";
+
+type AnySchema<I> =
+  | v.BaseSchema<I, unknown, v.BaseIssue<I>>
+  | v.BaseSchemaAsync<I, unknown, v.BaseIssue<I>>;
+
+const envelopeSchema = v.object({
+  ct: v.string(),
+  enc: v.string(),
+});
+
+export type Envelope = v.InferOutput<typeof envelopeSchema>;
+
+export type EnvelopeContext = EnvelopeContextType<Envelope>;
+
+export function envelope<T>(
+  schema: AnySchema<T>,
+  ctx: CipherContext<Envelope>
+): v.BaseSchema<T, Envelope, v.BaseIssue<T>>;
+
+export function envelope<T>(
+  schema: AnySchema<T>,
+  ctx: DecipherContext<Envelope>
+): v.BaseSchema<Envelope, T, v.BaseIssue<Envelope>>;
+
+export function envelope<T>(
+  schema: AnySchema<T>,
+  ctx: RetranslateContext<Envelope>
+): v.BaseSchema<Envelope, Envelope, v.BaseIssue<Envelope>>;
+
+export function envelope<T>(
+  schema: AnySchema<T>,
+  ctx: RepeatContext
+): v.BaseSchema<Envelope, Envelope, v.BaseIssue<Envelope>>;
+
+export function envelope<T>(schema: AnySchema<T>): v.BaseSchema<T, T, v.BaseIssue<T>>;
+
+export function envelope<T>(
+  schema: AnySchema<T>,
+  ctx?:
+    | CipherContext<Envelope>
+    | DecipherContext<Envelope>
+    | RetranslateContext<Envelope>
+    | RepeatContext
+) {
+  if (ctx === undefined) {
+    return schema;
+  }
+
+  if ("open" in ctx && "seal" in ctx) {
+    return v.pipeAsync(
+      envelopeSchema,
+      v.transformAsync((envelope) => ctx.open(schema, envelope)),
+      v.transformAsync((payload) => ctx.seal(schema, payload))
+    );
+  }
+
+  if ("open" in ctx) {
+    return v.pipeAsync(
+      envelopeSchema,
+      v.transformAsync((envelope) => ctx.open(schema, envelope))
+    );
+  }
+
+  if ("seal" in ctx) {
+    return v.pipeAsync(
+      schema,
+      v.transformAsync((message) => ctx.seal(schema, message))
+    );
+  }
+
+  return envelopeSchema;
+}

package/tests/crypto/hpke.test.ts

@@ -0,0 +1,78 @@
+import { describe, expect, test } from "bun:test";
+import * as v from "valibot";
+import { toJsonSchema } from "@valibot/to-json-schema";
+import {
+  createCipherSuite,
+  envelopeContext,
+  HpkeEnvelopeError,
+  openEnvelope,
+  sealEnvelope,
+} from "../../src/crypto/hpke";
+import { envelope } from "../../src/schema/valibot";
+import { decodeBuffer } from "../../src/lib/utils";
+
+const KEY_MATERIAL = "ylQcrQJlfa-BxdTtWZDLpGKZ3X0XwxCuVBeiCG2q06U";
+const payloadSchema = v.object({ message: v.string() });
+type Payload = v.InferOutput<typeof payloadSchema>;
+
+const suite = createCipherSuite();
+const keyPair = await suite.DeriveKeyPair(decodeBuffer(KEY_MATERIAL), true);
+
+describe("hpke", () => {
+  test("seal/open and validation branches", async () => {
+    const sealed = await sealEnvelope(payloadSchema, { message: "hi" }, keyPair.publicKey);
+    expect(await openEnvelope(payloadSchema, sealed, keyPair.privateKey)).toEqual({
+      message: "hi",
+    });
+    await expect(
+      sealEnvelope(payloadSchema, { message: 123 } as unknown as Payload, keyPair.publicKey)
+    ).rejects.toThrow(HpkeEnvelopeError);
+    const strictSchema = v.object({ message: v.pipe(v.string(), v.minLength(100)) });
+    await expect(openEnvelope(strictSchema, sealed, keyPair.privateKey)).rejects.toThrow(
+      HpkeEnvelopeError
+    );
+  });
+  test("envelopeContext with no opts returns undefined", () => {
+    expect(envelopeContext()).toBeUndefined();
+  });
+  test("envelopeContext and envelope() branches", () => {
+    const decipher = envelopeContext({ in: keyPair });
+    const cipher = envelopeContext({ out: keyPair });
+    const retranslate = envelopeContext({ in: keyPair, out: keyPair });
+    expect(envelope(payloadSchema, decipher)).toBeDefined();
+    expect(envelope(payloadSchema, cipher)).toBeDefined();
+    expect(envelope(payloadSchema, retranslate)).toBeDefined();
+    expect(toJsonSchema(envelope(payloadSchema))).toMatchInlineSnapshot(`
+      {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "properties": {
+          "message": {
+            "type": "string",
+          },
+        },
+        "required": [
+          "message",
+        ],
+        "type": "object",
+      }
+    `);
+    expect(toJsonSchema(envelope(payloadSchema, {}))).toMatchInlineSnapshot(`
+      {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "properties": {
+          "ct": {
+            "type": "string",
+          },
+          "enc": {
+            "type": "string",
+          },
+        },
+        "required": [
+          "ct",
+          "enc",
+        ],
+        "type": "object",
+      }
+    `);
+  });
+});

package/tests/lib/utils.test.ts

@@ -0,0 +1,21 @@
+import { describe, expect, test } from "bun:test";
+import { decodeBuffer, deserialize, encodeBuffer, serialize } from "../../src/lib/utils";
+
+describe("utils", () => {
+  test("encode/decode roundtrip", () => {
+    expect(encodeBuffer(new Uint8Array())).toBe("");
+    expect(encodeBuffer(new TextEncoder().encode("hello"))).toBe("aGVsbG8");
+    expect(decodeBuffer("")).toEqual(new Uint8Array());
+    expect(new TextDecoder().decode(decodeBuffer("aGVsbG8"))).toBe("hello");
+    expect(decodeBuffer(encodeBuffer(new Uint8Array([1, 2, 3])))).toEqual(
+      new Uint8Array([1, 2, 3])
+    );
+  });
+  test("serialize/deserialize roundtrip", () => {
+    expect(new TextDecoder().decode(serialize({ message: "hello" }))).toBe('{"message":"hello"}');
+    expect(deserialize(new TextEncoder().encode('{"message":"hello"}'))).toEqual({
+      message: "hello",
+    });
+    expect(deserialize(serialize({ message: "hi", n: 42 }))).toEqual({ message: "hi", n: 42 });
+  });
+});

package/tests/schema/valibot.test.ts

@@ -0,0 +1,96 @@
+import { describe, expect, test } from "bun:test";
+import * as v from "valibot";
+import { toJsonSchema } from "@valibot/to-json-schema";
+
+import {
+  createCipherSuite,
+  envelopeContext,
+  openEnvelope,
+  sealEnvelope,
+} from "../../src/crypto/hpke";
+import { envelope } from "../../src/schema/valibot";
+import { decodeBuffer } from "../../src/lib/utils";
+
+const KEY_MATERIAL = "ylQcrQJlfa-BxdTtWZDLpGKZ3X0XwxCuVBeiCG2q06U";
+const payloadSchema = v.object({ message: v.string() });
+
+const suite = createCipherSuite();
+const keyPair = await suite.DeriveKeyPair(decodeBuffer(KEY_MATERIAL), true);
+const keyPair2 = await suite.GenerateKeyPair(true);
+
+describe("envelope (valibot)", () => {
+  test("no ctx returns schema as-is", () => {
+    const result = envelope(payloadSchema);
+    expect(result).toBe(payloadSchema);
+    expect(toJsonSchema(result)).toMatchObject({
+      type: "object",
+      properties: { message: { type: "string" } },
+      required: ["message"],
+    });
+  });
+
+  test("empty ctx (repeat) returns envelope schema", () => {
+    const result = envelope(payloadSchema, {});
+    expect(toJsonSchema(result)).toMatchObject({
+      type: "object",
+      properties: { ct: { type: "string" }, enc: { type: "string" } },
+      required: ["ct", "enc"],
+    });
+  });
+
+  test("cipher context: schema seals payload to envelope", async () => {
+    const cipher = envelopeContext({ out: keyPair });
+    const sealedSchema = envelope(payloadSchema, cipher);
+    const payload = { message: "secret" };
+    const sealed = await v.parseAsync(sealedSchema, payload);
+    expect(sealed).toHaveProperty("ct");
+    expect(sealed).toHaveProperty("enc");
+    expect(sealed.ct).toBeTruthy();
+    expect(sealed.enc).toBeTruthy();
+    const plain = { ct: String(sealed.ct), enc: String(sealed.enc) };
+    const opened = await openEnvelope(payloadSchema, plain, keyPair.privateKey);
+    expect(opened).toEqual(payload);
+  });
+
+  test("decipher context: schema opens envelope to payload", async () => {
+    const decipher = envelopeContext({ in: keyPair });
+    const openedSchema = envelope(payloadSchema, decipher);
+    const sealed = await sealEnvelope(payloadSchema, { message: "hello" }, keyPair.publicKey);
+    const opened = await v.parseAsync(openedSchema, sealed);
+    expect(opened).toEqual({ message: "hello" });
+  });
+
+  test("retranslate context: envelope to envelope", async () => {
+    const retranslate = envelopeContext({ in: keyPair, out: keyPair });
+    const retranslateSchema = envelope(payloadSchema, retranslate);
+    const sealed = await sealEnvelope(payloadSchema, { message: "relay" }, keyPair.publicKey);
+    const result = await v.parseAsync(retranslateSchema, sealed);
+    expect(result).toHaveProperty("ct");
+    expect(result).toHaveProperty("enc");
+    const plain = { ct: String(result.ct), enc: String(result.enc) };
+    const opened = await openEnvelope(payloadSchema, plain, keyPair.privateKey);
+    expect(opened).toEqual({ message: "relay" });
+  });
+
+  test("retranslate: result is encrypted with out key, not original key", async () => {
+    const sealed = await sealEnvelope(payloadSchema, { message: "secret" }, keyPair.publicKey);
+    const retranslate = envelopeContext({ in: keyPair, out: keyPair2 });
+    const retranslateSchema = envelope(payloadSchema, retranslate);
+    const result = await v.parseAsync(retranslateSchema, sealed);
+    const plain = { ct: String(result.ct), enc: String(result.enc) };
+    expect(await openEnvelope(payloadSchema, plain, keyPair2.privateKey)).toEqual({
+      message: "secret",
+    });
+    await expect(openEnvelope(payloadSchema, plain, keyPair.privateKey)).rejects.toThrow();
+  });
+
+  test("envelope schema validates ct and enc", async () => {
+    const repeatSchema = envelope(payloadSchema, {});
+    await expect(v.parseAsync(repeatSchema, { ct: "x", enc: "y" })).resolves.toEqual({
+      ct: "x",
+      enc: "y",
+    });
+    await expect(v.parseAsync(repeatSchema, { ct: 1, enc: "y" })).rejects.toThrow();
+    await expect(v.parseAsync(repeatSchema, {})).rejects.toThrow();
+  });
+});

package/tsconfig.build.json

@@ -0,0 +1,13 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "declaration": true,
+    "declarationMap": true,
+    "emitDeclarationOnly": true,
+    "outDir": "./dist",
+    "noEmit": false
+  },
+  "include": ["src/**/*"],
+  "exclude": ["tests", "dist", "node_modules"]
+}
+

package/tsconfig.json

@@ -0,0 +1,29 @@
+{
+  "compilerOptions": {
+    // Environment setup & latest features
+    "lib": ["ESNext"],
+    "target": "ESNext",
+    "module": "Preserve",
+    "moduleDetection": "force",
+    "jsx": "react-jsx",
+    "allowJs": true,
+
+    // Bundler mode
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "noEmit": true,
+
+    // Best practices
+    "strict": true,
+    "skipLibCheck": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedIndexedAccess": true,
+    "noImplicitOverride": true,
+
+    // Some stricter flags (disabled by default)
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "noPropertyAccessFromIndexSignature": false
+  }
+}