@vaultsandbox/client 0.5.0 → 0.6.0

package/README.md

@@ -4,10 +4,13 @@
   <img alt="VaultSandbox" src="./assets/logo-dark.svg">
 </picture>
 
+> **VaultSandbox is in Public Beta.** Join the journey to 1.0. Share feedback on [GitHub](https://github.com/vaultsandbox/gateway/discussions).
+
 # @vaultsandbox/client
 
 [![npm version](https://img.shields.io/npm/v/@vaultsandbox/client.svg)](https://www.npmjs.com/package/@vaultsandbox/client)
 [![CI](https://github.com/vaultsandbox/client-node/actions/workflows/ci.yml/badge.svg)](https://github.com/vaultsandbox/client-node/actions/workflows/ci.yml)
+[![codecov](https://codecov.io/gh/vaultsandbox/client-node/graph/badge.svg)](https://codecov.io/gh/vaultsandbox/client-node)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Node.js](https://img.shields.io/badge/node-%3E%3D20.0.0-brightgreen.svg)](https://nodejs.org/)
 
@@ -122,15 +125,15 @@ if (!validation.passed) {
   });
 }
 
-// Or check individual results. Statuses can vary based on the sending source.
-if (email.authResults.spf?.status) {
-  expect(email.authResults.spf.status).toMatch(/pass|fail|softfail|neutral|temperror|permerror/);
+// Or check individual results. Results can vary based on the sending source.
+if (email.authResults.spf?.result) {
+  expect(email.authResults.spf.result).toMatch(/pass|fail|softfail|neutral|temperror|permerror/);
 }
 if (email.authResults.dkim) {
   expect(email.authResults.dkim.length).toBeGreaterThan(0);
 }
-if (email.authResults.dmarc?.status) {
-  expect(email.authResults.dmarc.status).toMatch(/pass|fail|neutral|temperror|permerror/);
+if (email.authResults.dmarc?.result) {
+  expect(email.authResults.dmarc.result).toMatch(/pass|fail|neutral|temperror|permerror/);
 }
 ```
 
@@ -404,6 +407,15 @@ Represents a decrypted email.
 - `delete(): Promise<void>` - Deletes this email
 - `getRaw(): Promise<RawEmail>` - Gets raw email source
 
+### RawEmail
+
+Returned by `email.getRaw()` and `inbox.getRawEmail()`.
+
+**Properties:**
+
+- `id: string` - Email ID
+- `raw: string` - The raw email source (RFC 5322 format)
+
 ### AuthResults
 
 Returned by `email.authResults`, this object contains email authentication results (SPF, DKIM, DMARC) and a validation helper.
@@ -598,9 +610,9 @@ All cryptographic operations are performed transparently - developers never need
 
 ## Support
 
-- [Documentation](https://vaultsandbox.dev/client-node/installation)
+- [Documentation](https://vaultsandbox.dev/client-node/)
 - [Issue Tracker](https://github.com/vaultsandbox/client-node/issues)
-- [Discussions](https://github.com/vaultsandbox/client-node/discussions)
+- [Discussions](https://github.com/vaultsandbox/gateway/discussions)
 - [Website](https://www.vaultsandbox.com)
 
 ## Contributing

package/dist/client.d.ts

@@ -83,6 +83,13 @@ export declare class VaultSandboxClient {
      * @returns A promise that resolves to the number of inboxes deleted.
      */
     deleteAllInboxes(): Promise<number>;
+    /**
+     * Deletes a specific inbox by its email address.
+     *
+     * @param emailAddress - The email address of the inbox to delete.
+     * @returns A promise that resolves when the inbox is deleted.
+     */
+    deleteInbox(emailAddress: string): Promise<void>;
     /**
      * Retrieves information about the VaultSandbox server.
      *
@@ -116,6 +123,7 @@ export declare class VaultSandboxClient {
     exportInbox(inboxOrEmail: Inbox | string): ExportedInboxData;
     /**
      * Imports an inbox from exported data.
+     * See vaultsandbox-spec.md Section 10: Inbox Import Process
      *
      * @param data - The exported inbox data
      * @returns A promise that resolves to the imported Inbox instance
@@ -125,21 +133,41 @@ export declare class VaultSandboxClient {
      * const importedInbox = await client.importInbox(exportedData);
      */
     importInbox(data: ExportedInboxData): Promise<Inbox>;
+    /**
+     * Validates the export format version.
+     * @private
+     * @param data - The exported inbox data to validate
+     * @throws {InvalidImportDataError} If version is not supported
+     */
+    private validateVersion;
     /**
      * Validates that all required fields are present and non-empty in the exported inbox data.
      * @private
      * @param data - The exported inbox data to validate
-     * @throws {InvalidImportDataError} If any required field is missing, not a string, or empty
+     * @throws {InvalidImportDataError} If any required field is missing or empty
      */
     private validateRequiredFields;
     /**
-     * Ensures the public key is present in the exported data, deriving it from the secret key if necessary.
-     * In ML-KEM (Kyber), the public key is embedded in the secret key, so we can extract it if missing.
+     * Validates that the email address contains exactly one @ character.
+     * @private
+     * @param emailAddress - The email address to validate
+     * @throws {InvalidImportDataError} If email format is invalid
+     */
+    private validateEmailAddress;
+    /**
+     * Validates that the inbox hash is non-empty.
+     * @private
+     * @param inboxHash - The inbox hash to validate
+     * @throws {InvalidImportDataError} If inbox hash is empty
+     */
+    private validateInboxHash;
+    /**
+     * Validates that the server signature public key has the correct size.
      * @private
-     * @param data - The exported inbox data (will be mutated to add publicKeyB64 if missing)
-     * @throws {InvalidImportDataError} If the secret key is invalid or derivation fails
+     * @param serverSigPk - The server public key (base64url encoded)
+     * @throws {InvalidImportDataError} If server public key has invalid size
      */
-    private ensurePublicKeyPresent;
+    private validateServerSigPkSize;
     /**
      * Validates that the timestamp fields contain valid ISO 8601 date strings.
      * @private
@@ -163,22 +191,23 @@ export declare class VaultSandboxClient {
      */
     private validateServerPublicKey;
     /**
-     * Decodes the cryptographic keys from base64 and validates their lengths.
+     * Decodes the cryptographic keys from base64url and validates their lengths.
+     * Public key is derived from secret key per spec Section 10.2.
      * @private
-     * @param data - The exported inbox data containing base64-encoded keys
+     * @param data - The exported inbox data containing base64url-encoded keys
      * @returns A keypair object with decoded keys and base64url-encoded public key
      * @throws {InvalidImportDataError} If keys cannot be decoded or have invalid lengths
      */
     private decodeAndValidateKeys;
     /**
-     * Decodes a base64-encoded cryptographic key to a byte array.
+     * Decodes a base64url-encoded cryptographic key to a byte array.
      * @private
-     * @param keyB64 - The base64-encoded key string
+     * @param keyB64Url - The base64url-encoded key string
      * @param keyType - The type of key (e.g., 'public', 'secret') for error messages
      * @returns The decoded key as a Uint8Array
-     * @throws {InvalidImportDataError} If the base64 string is malformed
+     * @throws {InvalidImportDataError} If the base64url string is malformed
      */
-    private decodeBase64Key;
+    private decodeBase64UrlKey;
     /**
      * Validates that a cryptographic key has the expected byte length.
      * @private

package/dist/client.js

@@ -6,8 +6,9 @@ import { readFile, writeFile } from 'fs/promises';
 import createDebug from 'debug';
 import { ApiClient } from './http/api-client.js';
 import { Inbox } from './inbox.js';
-import { generateKeypair, PUBLIC_KEY_SIZE, SECRET_KEY_SIZE, derivePublicKeyFromSecret } from './crypto/keypair.js';
-import { toBase64Url, toBase64, fromBase64 } from './crypto/utils.js';
+import { generateKeypair, SECRET_KEY_SIZE, derivePublicKeyFromSecret } from './crypto/keypair.js';
+import { toBase64Url, fromBase64Url } from './crypto/utils.js';
+import { EXPORT_VERSION, MLDSA_PUBLIC_KEY_SIZE } from './crypto/constants.js';
 import { SSEStrategy } from './strategies/sse-strategy.js';
 import { PollingStrategy } from './strategies/polling-strategy.js';
 import { InboxNotFoundError, InboxAlreadyExistsError, InvalidImportDataError, StrategyError } from './types/index.js';
@@ -151,6 +152,16 @@ export class VaultSandboxClient {
         this.inboxes.clear();
         return result.deleted;
     }
+    /**
+     * Deletes a specific inbox by its email address.
+     *
+     * @param emailAddress - The email address of the inbox to delete.
+     * @returns A promise that resolves when the inbox is deleted.
+     */
+    async deleteInbox(emailAddress) {
+        await this.apiClient.deleteInbox(emailAddress);
+        this.inboxes.delete(emailAddress);
+    }
     /**
      * Retrieves information about the VaultSandbox server.
      *
@@ -209,6 +220,7 @@ export class VaultSandboxClient {
     }
     /**
      * Imports an inbox from exported data.
+     * See vaultsandbox-spec.md Section 10: Inbox Import Process
      *
      * @param data - The exported inbox data
      * @returns A promise that resolves to the imported Inbox instance
@@ -218,56 +230,100 @@ export class VaultSandboxClient {
      * const importedInbox = await client.importInbox(exportedData);
      */
     async importInbox(data) {
+        // Step 2: Validate version
+        this.validateVersion(data);
+        // Step 3: Validate required fields
         this.validateRequiredFields(data);
-        this.ensurePublicKeyPresent(data);
+        // Step 4: Validate emailAddress
+        this.validateEmailAddress(data.emailAddress);
+        // Step 5: Validate inboxHash
+        this.validateInboxHash(data.inboxHash);
+        // Step 8: Validate timestamps
         this.validateTimestamps(data);
+        // Check for duplicates
         this.checkInboxDoesNotExist(data.emailAddress);
         await this.ensureInitialized();
+        // Step 7: Validate and decode serverSigPk
+        this.validateServerSigPkSize(data.serverSigPk);
         this.validateServerPublicKey(data.serverSigPk);
+        // Step 6: Validate and decode secretKey
         const keypair = this.decodeAndValidateKeys(data);
         const inboxData = this.buildInboxData(data);
         return this.createAndTrackInbox(inboxData, keypair);
     }
+    /**
+     * Validates the export format version.
+     * @private
+     * @param data - The exported inbox data to validate
+     * @throws {InvalidImportDataError} If version is not supported
+     */
+    validateVersion(data) {
+        if (data.version !== EXPORT_VERSION) {
+            throw new InvalidImportDataError(`Unsupported version: ${data.version}, expected ${EXPORT_VERSION}`);
+        }
+    }
     /**
      * Validates that all required fields are present and non-empty in the exported inbox data.
      * @private
      * @param data - The exported inbox data to validate
-     * @throws {InvalidImportDataError} If any required field is missing, not a string, or empty
+     * @throws {InvalidImportDataError} If any required field is missing or empty
      */
     validateRequiredFields(data) {
-        const requiredFields = [
+        const requiredStringFields = [
             'emailAddress',
             'expiresAt',
             'inboxHash',
             'serverSigPk',
-            'secretKeyB64',
+            'secretKey',
             'exportedAt',
         ];
-        for (const field of requiredFields) {
-            if (!data[field] || typeof data[field] !== 'string' || data[field].trim() === '') {
+        for (const field of requiredStringFields) {
+            const value = data[field];
+            if (value === undefined || value === null || (typeof value === 'string' && value.trim() === '')) {
                 throw new InvalidImportDataError(`Missing or invalid field: ${field}`);
             }
         }
     }
     /**
-     * Ensures the public key is present in the exported data, deriving it from the secret key if necessary.
-     * In ML-KEM (Kyber), the public key is embedded in the secret key, so we can extract it if missing.
+     * Validates that the email address contains exactly one @ character.
      * @private
-     * @param data - The exported inbox data (will be mutated to add publicKeyB64 if missing)
-     * @throws {InvalidImportDataError} If the secret key is invalid or derivation fails
+     * @param emailAddress - The email address to validate
+     * @throws {InvalidImportDataError} If email format is invalid
      */
-    ensurePublicKeyPresent(data) {
-        if (data.publicKeyB64) {
-            return;
+    validateEmailAddress(emailAddress) {
+        const atCount = (emailAddress.match(/@/g) || []).length;
+        if (atCount !== 1) {
+            throw new InvalidImportDataError('Invalid email address: must contain exactly one @ character');
         }
+    }
+    /**
+     * Validates that the inbox hash is non-empty.
+     * @private
+     * @param inboxHash - The inbox hash to validate
+     * @throws {InvalidImportDataError} If inbox hash is empty
+     */
+    validateInboxHash(inboxHash) {
+        if (!inboxHash || inboxHash.trim() === '') {
+            throw new InvalidImportDataError('Invalid inbox hash: must be non-empty');
+        }
+    }
+    /**
+     * Validates that the server signature public key has the correct size.
+     * @private
+     * @param serverSigPk - The server public key (base64url encoded)
+     * @throws {InvalidImportDataError} If server public key has invalid size
+     */
+    validateServerSigPkSize(serverSigPk) {
         try {
-            const secretKeyBytes = fromBase64(data.secretKeyB64);
-            const publicKeyBytes = derivePublicKeyFromSecret(secretKeyBytes);
-            data.publicKeyB64 = toBase64(publicKeyBytes);
+            const decoded = fromBase64Url(serverSigPk);
+            if (decoded.length !== MLDSA_PUBLIC_KEY_SIZE) {
+                throw new InvalidImportDataError(`Invalid server public key size: expected ${MLDSA_PUBLIC_KEY_SIZE}, got ${decoded.length}`);
+            }
         }
         catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            throw new InvalidImportDataError(`Failed to derive public key from secret key: ${message}`);
+            if (error instanceof InvalidImportDataError)
+                throw error;
+            throw new InvalidImportDataError(`Invalid server public key encoding: ${error instanceof Error ? error.message : String(error)}`);
         }
     }
     /**
@@ -309,17 +365,19 @@ export class VaultSandboxClient {
         }
     }
     /**
-     * Decodes the cryptographic keys from base64 and validates their lengths.
+     * Decodes the cryptographic keys from base64url and validates their lengths.
+     * Public key is derived from secret key per spec Section 10.2.
      * @private
-     * @param data - The exported inbox data containing base64-encoded keys
+     * @param data - The exported inbox data containing base64url-encoded keys
      * @returns A keypair object with decoded keys and base64url-encoded public key
      * @throws {InvalidImportDataError} If keys cannot be decoded or have invalid lengths
      */
     decodeAndValidateKeys(data) {
-        const publicKey = this.decodeBase64Key(data.publicKeyB64, 'public');
-        const secretKey = this.decodeBase64Key(data.secretKeyB64, 'secret');
-        this.validateKeyLength(publicKey, PUBLIC_KEY_SIZE, 'public');
+        // Decode and validate secret key
+        const secretKey = this.decodeBase64UrlKey(data.secretKey, 'secret');
         this.validateKeyLength(secretKey, SECRET_KEY_SIZE, 'secret');
+        // Derive public key from secret key per spec Section 10.2
+        const publicKey = derivePublicKeyFromSecret(secretKey);
         return {
             publicKey,
             secretKey,
@@ -327,19 +385,19 @@ export class VaultSandboxClient {
         };
     }
     /**
-     * Decodes a base64-encoded cryptographic key to a byte array.
+     * Decodes a base64url-encoded cryptographic key to a byte array.
      * @private
-     * @param keyB64 - The base64-encoded key string
+     * @param keyB64Url - The base64url-encoded key string
      * @param keyType - The type of key (e.g., 'public', 'secret') for error messages
      * @returns The decoded key as a Uint8Array
-     * @throws {InvalidImportDataError} If the base64 string is malformed
+     * @throws {InvalidImportDataError} If the base64url string is malformed
      */
-    decodeBase64Key(keyB64, keyType) {
+    decodeBase64UrlKey(keyB64Url, keyType) {
         try {
-            return fromBase64(keyB64);
+            return fromBase64Url(keyB64Url);
         }
         catch {
-            throw new InvalidImportDataError(`Invalid base64 encoding in ${keyType} key`);
+            throw new InvalidImportDataError(`Invalid base64url encoding in ${keyType} key`);
         }
     }
     /**

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,WAAW,MAAM,OAAO,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACnH,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAYnE,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtH,MAAM,KAAK,GAAG,WAAW,CAAC,qBAAqB,CAAC,CAAC;AAEjD;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,YAAa,SAAQ,YAAY;IACpC,aAAa,GAAmB,EAAE,CAAC;IAE3C;;;;OAIG;IACH,eAAe,CAAC,YAA0B;QACxC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,WAAW;QACT,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,aAAa,GAAG,EAAE,CAAC;QACxB,IAAI,CAAC,kBAAkB,EAAE,CAAC;IAC5B,CAAC;IAED;;;;;OAKG;IACH,SAAS,CAAC,KAAY,EAAE,KAAa;QACnC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,OAAO,kBAAkB;IACrB,SAAS,CAAY;IACrB,MAAM,CAAe;IACrB,eAAe,GAAkB,IAAI,CAAC;IACtC,OAAO,GAAuB,IAAI,GAAG,EAAE,CAAC;IACxC,QAAQ,GAA4B,IAAI,CAAC;IAEjD;;;OAGG;IACH,YAAY,MAAoB;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,iBAAiB;QAC7B,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;QACxD,IAAI,CAAC,eAAe,GAAG,UAAU,CAAC,WAAW,CAAC;QAE9C,2CAA2C;QAC3C,+DAA+D;QAC/D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;IACxC,CAAC;IAED;;;;OAIG;IACK,cAAc;QACpB,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC;QAEpD,8CAA8C;QAC9C,IAAI,YAAY,KAAK,KAAK,IAAI,YAAY,KAAK,MAAM,EAAE,CAAC;YACtD,KAAK,CAAC,2CAA2C,CAAC,CAAC;YACnD,OAAO,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE;gBACrC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;gBACpB,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,IAAI;gBAC3D,oBAAoB,EAAE,IAAI,CAAC,MAAM,CAAC,uBAAuB,IAAI,EAAE;gBAC/D,iBAAiB,EAAE,CAAC;aACrB,CAAC,CAAC;QACL,CAAC;QAED,mCAAmC;QACnC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAChC,OAAO,IAAI,eAAe,CAAC,IAAI,CAAC,SAAS,EAAE;YACzC,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,IAAI;YACpD,UAAU,EAAE,KAAK;YACjB,iBAAiB,EAAE,GAAG;YACtB,YAAY,EAAE,GAAG;SAClB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,WAAW,CAAC,UAA8B,EAAE;QAChD,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,mBAAmB;QACnB,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAElC,yBAAyB;QACzB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAE5G,wDAAwD;QACxD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,WAAW,CAAC,CAAC;QAEnF,wBAAwB;QACxB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,cAAc;QACd,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAE5C,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,gBAAgB;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;QACvD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,aAAa;QACjB,OAAO,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;IACxC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ;QACZ,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;IACnC,CAAC;IAED;;;;;OAKG;IACH,cAAc,CAAC,OAAgB;QAC7B,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,aAAa,CAAC,yDAAyD,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,YAAY,EAAE,CAAC;QAEnC,0BAA0B;QAC1B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,YAAY,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC9C,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YAClC,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;;;;OAUG;IACH,WAAW,CAAC,YAA4B;QACtC,yBAAyB;QACzB,MAAM,YAAY,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,YAAY,CAAC;QACjG,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAE7C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,kBAAkB,CAAC,oBAAoB,YAAY,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC;IACxB,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,WAAW,CAAC,IAAuB;QACvC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;QAC9B,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAE/C,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAE/C,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE5C,OAAO,IAAI,CAAC,mBAAmB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED;;;;;OAKG;IACK,sBAAsB,CAAC,IAAuB;QACpD,MAAM,cAAc,GAAgC;YAClD,cAAc;YACd,WAAW;YACX,WAAW;YACX,aAAa;YACb,cAAc;YACd,YAAY;SACb,CAAC;QAEF,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACjF,MAAM,IAAI,sBAAsB,CAAC,6BAA6B,KAAK,EAAE,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,sBAAsB,CAAC,IAAuB;QACpD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACrD,MAAM,cAAc,GAAG,yBAAyB,CAAC,cAAc,CAAC,CAAC;YACjE,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,sBAAsB,CAAC,gDAAgD,OAAO,EAAE,CAAC,CAAC;QAC9F,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,kBAAkB,CAAC,IAAuB;QAChD,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YACvC,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,sBAAsB,CAAC,0BAA0B,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,sBAAsB,CAAC,YAAoB;QACjD,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,uBAAuB,CAAC,yBAAyB,YAAY,EAAE,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,uBAAuB,CAAC,WAAmB;QACjD,IAAI,WAAW,KAAK,IAAI,CAAC,eAAe,EAAE,CAAC;YACzC,MAAM,IAAI,sBAAsB,CAAC,4EAA4E,CAAC,CAAC;QACjH,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,qBAAqB,CAAC,IAAuB;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QACpE,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QAEpE,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,eAAe,EAAE,QAAQ,CAAC,CAAC;QAC7D,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,eAAe,EAAE,QAAQ,CAAC,CAAC;QAE7D,OAAO;YACL,SAAS;YACT,SAAS;YACT,YAAY,EAAE,WAAW,CAAC,SAAS,CAAC;SACrC,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACK,eAAe,CAAC,MAAc,EAAE,OAAe;QACrD,IAAI,CAAC;YACH,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,sBAAsB,CAAC,8BAA8B,OAAO,MAAM,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,iBAAiB,CAAC,GAAe,EAAE,cAAsB,EAAE,OAAe;QAChF,IAAI,GAAG,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YAClC,MAAM,IAAI,sBAAsB,CAAC,WAAW,OAAO,yBAAyB,cAAc,SAAS,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACnH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,cAAc,CAAC,IAAuB;QAC5C,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACK,mBAAmB,CAAC,SAAoB,EAAE,OAAgB;QAChE,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,WAAW,CAAC,CAAC;QAEnF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAC5C,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,iBAAiB,CAAC,YAA4B,EAAE,QAAgB;QACpE,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3C,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,mBAAmB,CAAC,QAAgB;QACxC,IAAI,IAAuB,CAAC;QAE5B,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACvD,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,sBAAsB,CAC9B,iCAAiC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAC5F,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;CACF"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,WAAW,MAAM,OAAO,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAYnE,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtH,MAAM,KAAK,GAAG,WAAW,CAAC,qBAAqB,CAAC,CAAC;AAEjD;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,YAAa,SAAQ,YAAY;IACpC,aAAa,GAAmB,EAAE,CAAC;IAE3C;;;;OAIG;IACH,eAAe,CAAC,YAA0B;QACxC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,WAAW;QACT,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,aAAa,GAAG,EAAE,CAAC;QACxB,IAAI,CAAC,kBAAkB,EAAE,CAAC;IAC5B,CAAC;IAED;;;;;OAKG;IACH,SAAS,CAAC,KAAY,EAAE,KAAa;QACnC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,OAAO,kBAAkB;IACrB,SAAS,CAAY;IACrB,MAAM,CAAe;IACrB,eAAe,GAAkB,IAAI,CAAC;IACtC,OAAO,GAAuB,IAAI,GAAG,EAAE,CAAC;IACxC,QAAQ,GAA4B,IAAI,CAAC;IAEjD;;;OAGG;IACH,YAAY,MAAoB;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,iBAAiB;QAC7B,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;QACxD,IAAI,CAAC,eAAe,GAAG,UAAU,CAAC,WAAW,CAAC;QAE9C,2CAA2C;QAC3C,+DAA+D;QAC/D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;IACxC,CAAC;IAED;;;;OAIG;IACK,cAAc;QACpB,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC;QAEpD,8CAA8C;QAC9C,IAAI,YAAY,KAAK,KAAK,IAAI,YAAY,KAAK,MAAM,EAAE,CAAC;YACtD,KAAK,CAAC,2CAA2C,CAAC,CAAC;YACnD,OAAO,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE;gBACrC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;gBACpB,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,IAAI;gBAC3D,oBAAoB,EAAE,IAAI,CAAC,MAAM,CAAC,uBAAuB,IAAI,EAAE;gBAC/D,iBAAiB,EAAE,CAAC;aACrB,CAAC,CAAC;QACL,CAAC;QAED,mCAAmC;QACnC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAChC,OAAO,IAAI,eAAe,CAAC,IAAI,CAAC,SAAS,EAAE;YACzC,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,IAAI;YACpD,UAAU,EAAE,KAAK;YACjB,iBAAiB,EAAE,GAAG;YACtB,YAAY,EAAE,GAAG;SAClB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,WAAW,CAAC,UAA8B,EAAE;QAChD,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,mBAAmB;QACnB,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAElC,yBAAyB;QACzB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAE5G,wDAAwD;QACxD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,WAAW,CAAC,CAAC;QAEnF,wBAAwB;QACxB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,cAAc;QACd,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAE5C,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,gBAAgB;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC;QACvD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,YAAoB;QACpC,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACpC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,aAAa;QACjB,OAAO,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;IACxC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ;QACZ,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;IACnC,CAAC;IAED;;;;;OAKG;IACH,cAAc,CAAC,OAAgB;QAC7B,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,aAAa,CAAC,yDAAyD,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,YAAY,EAAE,CAAC;QAEnC,0BAA0B;QAC1B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,YAAY,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC9C,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YAClC,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;;;;OAUG;IACH,WAAW,CAAC,YAA4B;QACtC,yBAAyB;QACzB,MAAM,YAAY,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,YAAY,CAAC;QACjG,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAE7C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,kBAAkB,CAAC,oBAAoB,YAAY,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC;IACxB,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,WAAW,CAAC,IAAuB;QACvC,2BAA2B;QAC3B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAE3B,mCAAmC;QACnC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC;QAElC,gCAAgC;QAChC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAE7C,6BAA6B;QAC7B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAEvC,8BAA8B;QAC9B,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;QAE9B,uBAAuB;QACvB,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAE/C,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,0CAA0C;QAC1C,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC/C,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAE/C,wCAAwC;QACxC,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE5C,OAAO,IAAI,CAAC,mBAAmB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED;;;;;OAKG;IACK,eAAe,CAAC,IAAuB;QAC7C,IAAI,IAAI,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;YACpC,MAAM,IAAI,sBAAsB,CAAC,wBAAwB,IAAI,CAAC,OAAO,cAAc,cAAc,EAAE,CAAC,CAAC;QACvG,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,sBAAsB,CAAC,IAAuB;QACpD,MAAM,oBAAoB,GAAgC;YACxD,cAAc;YACd,WAAW;YACX,WAAW;YACX,aAAa;YACb,WAAW;YACX,YAAY;SACb,CAAC;QAEF,KAAK,MAAM,KAAK,IAAI,oBAAoB,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;gBAChG,MAAM,IAAI,sBAAsB,CAAC,6BAA6B,KAAK,EAAE,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,oBAAoB,CAAC,YAAoB;QAC/C,MAAM,OAAO,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACxD,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;YAClB,MAAM,IAAI,sBAAsB,CAAC,6DAA6D,CAAC,CAAC;QAClG,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,SAAiB;QACzC,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC1C,MAAM,IAAI,sBAAsB,CAAC,uCAAuC,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,uBAAuB,CAAC,WAAmB;QACjD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;YAC3C,IAAI,OAAO,CAAC,MAAM,KAAK,qBAAqB,EAAE,CAAC;gBAC7C,MAAM,IAAI,sBAAsB,CAC9B,4CAA4C,qBAAqB,SAAS,OAAO,CAAC,MAAM,EAAE,CAC3F,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,sBAAsB;gBAAE,MAAM,KAAK,CAAC;YACzD,MAAM,IAAI,sBAAsB,CAC9B,uCAAuC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAChG,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,kBAAkB,CAAC,IAAuB;QAChD,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YACvC,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,sBAAsB,CAAC,0BAA0B,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,sBAAsB,CAAC,YAAoB;QACjD,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,uBAAuB,CAAC,yBAAyB,YAAY,EAAE,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,uBAAuB,CAAC,WAAmB;QACjD,IAAI,WAAW,KAAK,IAAI,CAAC,eAAe,EAAE,CAAC;YACzC,MAAM,IAAI,sBAAsB,CAAC,4EAA4E,CAAC,CAAC;QACjH,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,qBAAqB,CAAC,IAAuB;QACnD,iCAAiC;QACjC,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACpE,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,eAAe,EAAE,QAAQ,CAAC,CAAC;QAE7D,0DAA0D;QAC1D,MAAM,SAAS,GAAG,yBAAyB,CAAC,SAAS,CAAC,CAAC;QAEvD,OAAO;YACL,SAAS;YACT,SAAS;YACT,YAAY,EAAE,WAAW,CAAC,SAAS,CAAC;SACrC,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACK,kBAAkB,CAAC,SAAiB,EAAE,OAAe;QAC3D,IAAI,CAAC;YACH,OAAO,aAAa,CAAC,SAAS,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,sBAAsB,CAAC,iCAAiC,OAAO,MAAM,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,iBAAiB,CAAC,GAAe,EAAE,cAAsB,EAAE,OAAe;QAChF,IAAI,GAAG,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YAClC,MAAM,IAAI,sBAAsB,CAAC,WAAW,OAAO,yBAAyB,cAAc,SAAS,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACnH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,cAAc,CAAC,IAAuB;QAC5C,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACK,mBAAmB,CAAC,SAAoB,EAAE,OAAgB;QAChE,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,WAAW,CAAC,CAAC;QAEnF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAC5C,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,iBAAiB,CAAC,YAA4B,EAAE,QAAgB;QACpE,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3C,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,mBAAmB,CAAC,QAAgB;QACxC,IAAI,IAAuB,CAAC;QAE5B,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACvD,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,sBAAsB,CAC9B,iCAAiC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAC5F,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;CACF"}

package/dist/crypto/constants.d.ts

@@ -1,5 +1,6 @@
 /**
  * Centralized cryptographic constants for the VaultSandbox client
+ * See vaultsandbox-spec.md Appendix B: Size Constants
  */
 /**
  * HKDF context string used for key derivation
@@ -7,7 +8,55 @@
  */
 export declare const HKDF_CONTEXT = "vaultsandbox:email:v1";
 /**
- * ML-DSA-65 (Dilithium3) public key size in bytes
- * This is the standard size for ML-DSA-65 public keys
+ * Algorithm suite identifier string
  */
-export declare const MLDSA65_PUBLIC_KEY_SIZE = 1952;
+export declare const ALGORITHM_SUITE = "ML-KEM-768:ML-DSA-65:AES-256-GCM:HKDF-SHA-512";
+/**
+ * ML-KEM-768 public key size in bytes
+ */
+export declare const MLKEM_PUBLIC_KEY_SIZE = 1184;
+/**
+ * ML-KEM-768 secret key size in bytes
+ */
+export declare const MLKEM_SECRET_KEY_SIZE = 2400;
+/**
+ * ML-KEM-768 ciphertext size in bytes
+ */
+export declare const MLKEM_CIPHERTEXT_SIZE = 1088;
+/**
+ * ML-KEM-768 shared secret size in bytes
+ */
+export declare const MLKEM_SHARED_SECRET_SIZE = 32;
+/**
+ * Offset of public key within secret key in bytes
+ * The public key is embedded in the secret key at this offset
+ */
+export declare const MLKEM_PUBLIC_KEY_OFFSET = 1152;
+/**
+ * ML-DSA-65 public key size in bytes
+ */
+export declare const MLDSA_PUBLIC_KEY_SIZE = 1952;
+/**
+ * ML-DSA-65 signature size in bytes
+ */
+export declare const MLDSA_SIGNATURE_SIZE = 3309;
+/**
+ * AES-256 key size in bytes
+ */
+export declare const AES_KEY_SIZE = 32;
+/**
+ * AES-GCM nonce size in bytes
+ */
+export declare const AES_NONCE_SIZE = 12;
+/**
+ * AES-GCM authentication tag size in bytes
+ */
+export declare const AES_TAG_SIZE = 16;
+/**
+ * Current export format version
+ */
+export declare const EXPORT_VERSION = 1;
+/**
+ * Current protocol version
+ */
+export declare const PROTOCOL_VERSION = 1;

package/dist/crypto/constants.js

@@ -1,5 +1,6 @@
 /**
  * Centralized cryptographic constants for the VaultSandbox client
+ * See vaultsandbox-spec.md Appendix B: Size Constants
  */
 /**
  * HKDF context string used for key derivation
@@ -7,8 +8,60 @@
  */
 export const HKDF_CONTEXT = 'vaultsandbox:email:v1';
 /**
- * ML-DSA-65 (Dilithium3) public key size in bytes
- * This is the standard size for ML-DSA-65 public keys
+ * Algorithm suite identifier string
  */
-export const MLDSA65_PUBLIC_KEY_SIZE = 1952;
+export const ALGORITHM_SUITE = 'ML-KEM-768:ML-DSA-65:AES-256-GCM:HKDF-SHA-512';
+// ===== ML-KEM-768 Constants =====
+/**
+ * ML-KEM-768 public key size in bytes
+ */
+export const MLKEM_PUBLIC_KEY_SIZE = 1184;
+/**
+ * ML-KEM-768 secret key size in bytes
+ */
+export const MLKEM_SECRET_KEY_SIZE = 2400;
+/**
+ * ML-KEM-768 ciphertext size in bytes
+ */
+export const MLKEM_CIPHERTEXT_SIZE = 1088;
+/**
+ * ML-KEM-768 shared secret size in bytes
+ */
+export const MLKEM_SHARED_SECRET_SIZE = 32;
+/**
+ * Offset of public key within secret key in bytes
+ * The public key is embedded in the secret key at this offset
+ */
+export const MLKEM_PUBLIC_KEY_OFFSET = 1152;
+// ===== ML-DSA-65 Constants =====
+/**
+ * ML-DSA-65 public key size in bytes
+ */
+export const MLDSA_PUBLIC_KEY_SIZE = 1952;
+/**
+ * ML-DSA-65 signature size in bytes
+ */
+export const MLDSA_SIGNATURE_SIZE = 3309;
+// ===== AES-256-GCM Constants =====
+/**
+ * AES-256 key size in bytes
+ */
+export const AES_KEY_SIZE = 32;
+/**
+ * AES-GCM nonce size in bytes
+ */
+export const AES_NONCE_SIZE = 12;
+/**
+ * AES-GCM authentication tag size in bytes
+ */
+export const AES_TAG_SIZE = 16;
+// ===== Export Format Constants =====
+/**
+ * Current export format version
+ */
+export const EXPORT_VERSION = 1;
+/**
+ * Current protocol version
+ */
+export const PROTOCOL_VERSION = 1;
 //# sourceMappingURL=constants.js.map

package/dist/crypto/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/crypto/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,uBAAuB,CAAC;AAEpD;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,IAAI,CAAC"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/crypto/constants.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,uBAAuB,CAAC;AAEpD;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,+CAA+C,CAAC;AAE/E,mCAAmC;AAEnC;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAE1C;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAE1C;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAE1C;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAE3C;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,IAAI,CAAC;AAE5C,kCAAkC;AAElC;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAE1C;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,IAAI,CAAC;AAEzC,oCAAoC;AAEpC;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,EAAE,CAAC;AAE/B;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC;AAEjC;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,EAAE,CAAC;AAE/B,sCAAsC;AAEtC;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC;AAEhC;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC"}

package/dist/crypto/decrypt.d.ts

@@ -5,6 +5,7 @@
 import type { Keypair, EncryptedData } from '../types/index.js';
 /**
  * Decrypts an encrypted payload using the complete reference implementation flow
+ * See vaultsandbox-spec.md Section 8: Decryption Process
  *
  * @param encryptedData - The encrypted data from the server
  * @param keypair - The recipient's keypair

package/dist/crypto/decrypt.js

@@ -7,9 +7,58 @@ import { fromBase64Url, ensureOwnBuffer, fromBase64 } from './utils.js';
 import { DecryptionError, SignatureVerificationError } from '../types/index.js';
 import { verifySignature } from './signature.js';
 import { deriveKey } from './keypair.js';
-import { HKDF_CONTEXT } from './constants.js';
+import { HKDF_CONTEXT, PROTOCOL_VERSION, MLKEM_CIPHERTEXT_SIZE, AES_NONCE_SIZE, MLDSA_SIGNATURE_SIZE, MLDSA_PUBLIC_KEY_SIZE, } from './constants.js';
+/**
+ * Validates the encrypted payload structure and sizes per spec Section 8.1
+ * @throws DecryptionError if validation fails
+ */
+function validatePayload(encryptedData) {
+    // Step 2: Validate version
+    if (encryptedData.v !== PROTOCOL_VERSION) {
+        throw new DecryptionError(`Unsupported protocol version: ${encryptedData.v}, expected ${PROTOCOL_VERSION}`);
+    }
+    // Step 3: Validate algorithms
+    const { algs } = encryptedData;
+    if (algs.kem !== 'ML-KEM-768') {
+        throw new DecryptionError(`Unsupported KEM algorithm: ${algs.kem}`);
+    }
+    if (algs.sig !== 'ML-DSA-65') {
+        throw new DecryptionError(`Unsupported signature algorithm: ${algs.sig}`);
+    }
+    if (algs.aead !== 'AES-256-GCM') {
+        throw new DecryptionError(`Unsupported AEAD algorithm: ${algs.aead}`);
+    }
+    if (algs.kdf !== 'HKDF-SHA-512') {
+        throw new DecryptionError(`Unsupported KDF algorithm: ${algs.kdf}`);
+    }
+    // Step 4: Validate decoded sizes (decode first, then check)
+    try {
+        const ctKem = fromBase64Url(encryptedData.ct_kem);
+        if (ctKem.length !== MLKEM_CIPHERTEXT_SIZE) {
+            throw new DecryptionError(`Invalid ct_kem size: expected ${MLKEM_CIPHERTEXT_SIZE}, got ${ctKem.length}`);
+        }
+        const nonce = fromBase64Url(encryptedData.nonce);
+        if (nonce.length !== AES_NONCE_SIZE) {
+            throw new DecryptionError(`Invalid nonce size: expected ${AES_NONCE_SIZE}, got ${nonce.length}`);
+        }
+        const sig = fromBase64Url(encryptedData.sig);
+        if (sig.length !== MLDSA_SIGNATURE_SIZE) {
+            throw new DecryptionError(`Invalid signature size: expected ${MLDSA_SIGNATURE_SIZE}, got ${sig.length}`);
+        }
+        const serverSigPk = fromBase64Url(encryptedData.server_sig_pk);
+        if (serverSigPk.length !== MLDSA_PUBLIC_KEY_SIZE) {
+            throw new DecryptionError(`Invalid server public key size: expected ${MLDSA_PUBLIC_KEY_SIZE}, got ${serverSigPk.length}`);
+        }
+    }
+    catch (error) {
+        if (error instanceof DecryptionError)
+            throw error;
+        throw new DecryptionError(`Failed to decode payload: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
 /**
  * Decrypts an encrypted payload using the complete reference implementation flow
+ * See vaultsandbox-spec.md Section 8: Decryption Process
  *
  * @param encryptedData - The encrypted data from the server
  * @param keypair - The recipient's keypair
@@ -18,9 +67,11 @@ import { HKDF_CONTEXT } from './constants.js';
  */
 export async function decrypt(encryptedData, keypair) {
     try {
-        // 0. SECURITY: Verify signature BEFORE decryption (prevent tampering)
+        // Steps 1-4: Parse and validate payload (version, algorithms, sizes)
+        validatePayload(encryptedData);
+        // Step 6: SECURITY: Verify signature BEFORE decryption (prevent tampering)
         verifySignature(encryptedData);
-        // 1. Decode all components
+        // Step 7-9: Decode, decapsulate, derive key, decrypt
         const ctKem = fromBase64Url(encryptedData.ct_kem);
         const nonceBytes = fromBase64Url(encryptedData.nonce);
         const aadBytes = fromBase64Url(encryptedData.aad);