@voyantjs/utils 0.1.0

package/dist/kms-crypto.js

@@ -0,0 +1,108 @@
+/**
+ * Edge-compatible GCP KMS encryption/decryption using Web Crypto API.
+ * No Node.js dependencies — works in Cloudflare Workers.
+ */
+// ---------- GCP Access Token (module-level cache) ----------
+let cachedToken = null;
+function base64UrlEncode(data) {
+    let binary = "";
+    for (const byte of data) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlEncodeString(str) {
+    return base64UrlEncode(new TextEncoder().encode(str));
+}
+/**
+ * Import a PEM-encoded RSA private key for signing JWTs.
+ */
+async function importPrivateKey(pem) {
+    const pemBody = pem
+        .replace(/-----BEGIN (?:RSA )?PRIVATE KEY-----/g, "")
+        .replace(/-----END (?:RSA )?PRIVATE KEY-----/g, "")
+        .replace(/[\n\r\s]/g, "");
+    const binaryString = atob(pemBody);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    return crypto.subtle.importKey("pkcs8", bytes, { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }, false, ["sign"]);
+}
+/**
+ * Creates a signed JWT assertion and exchanges it at Google's OAuth2 endpoint
+ * for a short-lived access token. Caches the token at module level.
+ */
+export async function getGcpAccessToken(email, privateKeyPem) {
+    const now = Math.floor(Date.now() / 1000);
+    if (cachedToken && cachedToken.expiresAt > now + 60) {
+        return cachedToken.token;
+    }
+    const header = base64UrlEncodeString(JSON.stringify({ alg: "RS256", typ: "JWT" }));
+    const exp = now + 3600;
+    const payload = base64UrlEncodeString(JSON.stringify({
+        iss: email,
+        scope: "https://www.googleapis.com/auth/cloudkms",
+        aud: "https://oauth2.googleapis.com/token",
+        iat: now,
+        exp,
+    }));
+    const signingInput = `${header}.${payload}`;
+    const key = await importPrivateKey(privateKeyPem);
+    const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", key, new TextEncoder().encode(signingInput));
+    const jwt = `${signingInput}.${base64UrlEncode(new Uint8Array(signature))}`;
+    const res = await fetch("https://oauth2.googleapis.com/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: `grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=${jwt}`,
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`GCP token exchange failed (${res.status}): ${body}`);
+    }
+    const data = (await res.json());
+    cachedToken = { token: data.access_token, expiresAt: now + data.expires_in };
+    return data.access_token;
+}
+/**
+ * Encrypt plaintext using GCP Cloud KMS.
+ * Returns base64 ciphertext string.
+ */
+export async function kmsEncrypt(plaintext, keyName, accessToken) {
+    const encoded = btoa(plaintext);
+    const res = await fetch(`https://cloudkms.googleapis.com/v1/${keyName}:encrypt`, {
+        method: "POST",
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ plaintext: encoded }),
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`KMS encrypt failed (${res.status}): ${body}`);
+    }
+    const data = (await res.json());
+    return data.ciphertext;
+}
+/**
+ * Decrypt ciphertext using GCP Cloud KMS.
+ * Returns plaintext string.
+ */
+export async function kmsDecrypt(ciphertext, keyName, accessToken) {
+    const res = await fetch(`https://cloudkms.googleapis.com/v1/${keyName}:decrypt`, {
+        method: "POST",
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ ciphertext }),
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`KMS decrypt failed (${res.status}): ${body}`);
+    }
+    const data = (await res.json());
+    return atob(data.plaintext);
+}
+//# sourceMappingURL=kms-crypto.js.map

package/dist/kms-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-crypto.js","sourceRoot":"","sources":["../src/kms-crypto.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,8DAA8D;AAE9D,IAAI,WAAW,GAAgD,IAAI,CAAA;AAEnE,SAAS,eAAe,CAAC,IAAgB;IACvC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;QACxB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAA;IACrC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AAChF,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,OAAO,eAAe,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAAC,GAAW;IACzC,MAAM,OAAO,GAAG,GAAG;SAChB,OAAO,CAAC,uCAAuC,EAAE,EAAE,CAAC;SACpD,OAAO,CAAC,qCAAqC,EAAE,EAAE,CAAC;SAClD,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;IAE3B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,CAAA;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAA;IACjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IACvC,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,OAAO,EACP,KAAK,EACL,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9C,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,KAAa,EAAE,aAAqB;IAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IAEzC,IAAI,WAAW,IAAI,WAAW,CAAC,SAAS,GAAG,GAAG,GAAG,EAAE,EAAE,CAAC;QACpD,OAAO,WAAW,CAAC,KAAK,CAAA;IAC1B,CAAC;IAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAA;IAClF,MAAM,GAAG,GAAG,GAAG,GAAG,IAAI,CAAA;IACtB,MAAM,OAAO,GAAG,qBAAqB,CACnC,IAAI,CAAC,SAAS,CAAC;QACb,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,0CAA0C;QACjD,GAAG,EAAE,qCAAqC;QAC1C,GAAG,EAAE,GAAG;QACR,GAAG;KACJ,CAAC,CACH,CAAA;IAED,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,OAAO,EAAE,CAAA;IAC3C,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,aAAa,CAAC,CAAA;IACjD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,mBAAmB,EACnB,GAAG,EACH,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CACvC,CAAA;IACD,MAAM,GAAG,GAAG,GAAG,YAAY,IAAI,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAA;IAE3E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;QAC7D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,8EAA8E,GAAG,EAAE;KAC1F,CAAC,CAAA;IAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;QAC7B,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;IACvE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiD,CAAA;IAC/E,WAAW,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAA;IAC5E,OAAO,IAAI,CAAC,YAAY,CAAA;AAC1B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,SAAiB,EACjB,OAAe,EACf,WAAmB;IAEnB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,CAAA;IAE/B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,sCAAsC,OAAO,UAAU,EAAE;QAC/E,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;KAC7C,CAAC,CAAA;IAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;QAC7B,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;IAChE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA2B,CAAA;IACzD,OAAO,IAAI,CAAC,UAAU,CAAA;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAkB,EAClB,OAAe,EACf,WAAmB;IAEnB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,sCAAsC,OAAO,UAAU,EAAE;QAC/E,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,CAAC;KACrC,CAAC,CAAA;IAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;QAC7B,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;IAChE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0B,CAAA;IACxD,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC7B,CAAC"}

package/dist/kms-env.d.ts

@@ -0,0 +1,13 @@
+import { SymmetricAesGcmKmsProvider } from "./kms-symmetric.js";
+export interface EnvKmsConfig {
+    /** Base64-encoded 32-byte master key. */
+    key: string;
+}
+export declare function generateEnvKmsKey(): string;
+export declare class EnvKmsProvider extends SymmetricAesGcmKmsProvider {
+    readonly name: "env";
+    protected readonly prefix = "env:v1:";
+    protected readonly label = "EnvKmsProvider";
+    constructor(config: EnvKmsConfig);
+}
+//# sourceMappingURL=kms-env.d.ts.map

package/dist/kms-env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-env.d.ts","sourceRoot":"","sources":["../src/kms-env.ts"],"names":[],"mappings":"AAAA,OAAO,EAA2B,0BAA0B,EAAE,MAAM,oBAAoB,CAAA;AAExF,MAAM,WAAW,YAAY;IAC3B,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,qBAAa,cAAe,SAAQ,0BAA0B;IAC5D,QAAQ,CAAC,IAAI,EAAG,KAAK,CAAS;IAC9B,SAAS,CAAC,QAAQ,CAAC,MAAM,aAAY;IACrC,SAAS,CAAC,QAAQ,CAAC,KAAK,oBAAmB;gBAE/B,MAAM,EAAE,YAAY;CAGjC"}

package/dist/kms-env.js

@@ -0,0 +1,13 @@
+import { generateSymmetricKmsKey, SymmetricAesGcmKmsProvider } from "./kms-symmetric.js";
+export function generateEnvKmsKey() {
+    return generateSymmetricKmsKey();
+}
+export class EnvKmsProvider extends SymmetricAesGcmKmsProvider {
+    name = "env";
+    prefix = "env:v1:";
+    label = "EnvKmsProvider";
+    constructor(config) {
+        super(config.key);
+    }
+}
+//# sourceMappingURL=kms-env.js.map

package/dist/kms-env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-env.js","sourceRoot":"","sources":["../src/kms-env.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAA;AAOxF,MAAM,UAAU,iBAAiB;IAC/B,OAAO,uBAAuB,EAAE,CAAA;AAClC,CAAC;AAED,MAAM,OAAO,cAAe,SAAQ,0BAA0B;IACnD,IAAI,GAAG,KAAc,CAAA;IACX,MAAM,GAAG,SAAS,CAAA;IAClB,KAAK,GAAG,gBAAgB,CAAA;IAE3C,YAAY,MAAoB;QAC9B,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;CACF"}

package/dist/kms-gcp.d.ts

@@ -0,0 +1,32 @@
+/**
+ * GCP Cloud KMS provider.
+ *
+ * Edge-compatible: uses Web Crypto API for JWT signing and fetch() for GCP API
+ * calls. No Node.js dependencies — works in Cloudflare Workers.
+ */
+import type { KeyRef, KmsKeyType, KmsProvider } from "./kms.js";
+export interface GcpKmsConfig {
+    projectId: string;
+    serviceAccountEmail: string;
+    privateKeyPem: string;
+    /** GCP keyring name. Keyrings are location-bound — one provider, one keyring. */
+    keyRing: string;
+    /** GCP location the keyring lives in, e.g. "europe", "us", "global", "europe-west1". */
+    location: string;
+    cryptoKeyByType: Record<KmsKeyType, string>;
+}
+export declare class GcpKmsProvider implements KmsProvider {
+    private readonly config;
+    readonly name: "gcp";
+    private cachedToken;
+    constructor(config: GcpKmsConfig);
+    private getKeyName;
+    /**
+     * Creates a signed JWT assertion and exchanges it at Google's OAuth2
+     * endpoint for a short-lived access token. Caches the token per instance.
+     */
+    private getAccessToken;
+    encrypt(plaintext: string, key: KeyRef): Promise<string>;
+    decrypt(ciphertext: string, key: KeyRef): Promise<string>;
+}
+//# sourceMappingURL=kms-gcp.d.ts.map

package/dist/kms-gcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-gcp.d.ts","sourceRoot":"","sources":["../src/kms-gcp.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AAE/D,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAA;IACjB,mBAAmB,EAAE,MAAM,CAAA;IAC3B,aAAa,EAAE,MAAM,CAAA;IACrB,iFAAiF;IACjF,OAAO,EAAE,MAAM,CAAA;IACf,wFAAwF;IACxF,QAAQ,EAAE,MAAM,CAAA;IAChB,eAAe,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAA;CAC5C;AAsCD,qBAAa,cAAe,YAAW,WAAW;IAKpC,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJnC,QAAQ,CAAC,IAAI,EAAG,KAAK,CAAS;IAE9B,OAAO,CAAC,WAAW,CAAoD;gBAE1C,MAAM,EAAE,YAAY;IAEjD,OAAO,CAAC,UAAU;IAKlB;;;OAGG;YACW,cAAc;IA4CtB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuBxD,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAqBhE"}

package/dist/kms-gcp.js

@@ -0,0 +1,116 @@
+/**
+ * GCP Cloud KMS provider.
+ *
+ * Edge-compatible: uses Web Crypto API for JWT signing and fetch() for GCP API
+ * calls. No Node.js dependencies — works in Cloudflare Workers.
+ */
+function base64UrlEncode(data) {
+    let binary = "";
+    for (const byte of data) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlEncodeString(str) {
+    return base64UrlEncode(new TextEncoder().encode(str));
+}
+/**
+ * Import a PEM-encoded RSA private key for signing JWTs.
+ */
+async function importPrivateKey(pem) {
+    const pemBody = pem
+        .replace(/-----BEGIN (?:RSA )?PRIVATE KEY-----/g, "")
+        .replace(/-----END (?:RSA )?PRIVATE KEY-----/g, "")
+        .replace(/[\n\r\s]/g, "");
+    const binaryString = atob(pemBody);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    return crypto.subtle.importKey("pkcs8", bytes, { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }, false, ["sign"]);
+}
+export class GcpKmsProvider {
+    config;
+    name = "gcp";
+    cachedToken = null;
+    constructor(config) {
+        this.config = config;
+    }
+    getKeyName(key) {
+        const cryptoKey = this.config.cryptoKeyByType[key.keyType];
+        return `projects/${this.config.projectId}/locations/${this.config.location}/keyRings/${this.config.keyRing}/cryptoKeys/${cryptoKey}`;
+    }
+    /**
+     * Creates a signed JWT assertion and exchanges it at Google's OAuth2
+     * endpoint for a short-lived access token. Caches the token per instance.
+     */
+    async getAccessToken() {
+        const now = Math.floor(Date.now() / 1000);
+        if (this.cachedToken && this.cachedToken.expiresAt > now + 60) {
+            return this.cachedToken.token;
+        }
+        const header = base64UrlEncodeString(JSON.stringify({ alg: "RS256", typ: "JWT" }));
+        const exp = now + 3600;
+        const payload = base64UrlEncodeString(JSON.stringify({
+            iss: this.config.serviceAccountEmail,
+            scope: "https://www.googleapis.com/auth/cloudkms",
+            aud: "https://oauth2.googleapis.com/token",
+            iat: now,
+            exp,
+        }));
+        const signingInput = `${header}.${payload}`;
+        const key = await importPrivateKey(this.config.privateKeyPem);
+        const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", key, new TextEncoder().encode(signingInput));
+        const jwt = `${signingInput}.${base64UrlEncode(new Uint8Array(signature))}`;
+        const res = await fetch("https://oauth2.googleapis.com/token", {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: `grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=${jwt}`,
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`GCP token exchange failed (${res.status}): ${body}`);
+        }
+        const data = (await res.json());
+        this.cachedToken = { token: data.access_token, expiresAt: now + data.expires_in };
+        return data.access_token;
+    }
+    async encrypt(plaintext, key) {
+        const keyName = this.getKeyName(key);
+        const accessToken = await this.getAccessToken();
+        const encoded = btoa(plaintext);
+        const res = await fetch(`https://cloudkms.googleapis.com/v1/${keyName}:encrypt`, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ plaintext: encoded }),
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`KMS encrypt failed (${res.status}): ${body}`);
+        }
+        const data = (await res.json());
+        return data.ciphertext;
+    }
+    async decrypt(ciphertext, key) {
+        const keyName = this.getKeyName(key);
+        const accessToken = await this.getAccessToken();
+        const res = await fetch(`https://cloudkms.googleapis.com/v1/${keyName}:decrypt`, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ ciphertext }),
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`KMS decrypt failed (${res.status}): ${body}`);
+        }
+        const data = (await res.json());
+        return atob(data.plaintext);
+    }
+}
+//# sourceMappingURL=kms-gcp.js.map

package/dist/kms-gcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-gcp.js","sourceRoot":"","sources":["../src/kms-gcp.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH,SAAS,eAAe,CAAC,IAAgB;IACvC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;QACxB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAA;IACrC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AAChF,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,OAAO,eAAe,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAAC,GAAW;IACzC,MAAM,OAAO,GAAG,GAAG;SAChB,OAAO,CAAC,uCAAuC,EAAE,EAAE,CAAC;SACpD,OAAO,CAAC,qCAAqC,EAAE,EAAE,CAAC;SAClD,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;IAE3B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,CAAA;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAA;IACjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IACvC,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,OAAO,EACP,KAAK,EACL,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9C,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAA;AACH,CAAC;AAED,MAAM,OAAO,cAAc;IAKI;IAJpB,IAAI,GAAG,KAAc,CAAA;IAEtB,WAAW,GAAgD,IAAI,CAAA;IAEvE,YAA6B,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;IAAG,CAAC;IAE7C,UAAU,CAAC,GAAW;QAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QAC1D,OAAO,YAAY,IAAI,CAAC,MAAM,CAAC,SAAS,cAAc,IAAI,CAAC,MAAM,CAAC,QAAQ,aAAa,IAAI,CAAC,MAAM,CAAC,OAAO,eAAe,SAAS,EAAE,CAAA;IACtI,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,cAAc;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QAEzC,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,GAAG,GAAG,GAAG,EAAE,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAA;QAC/B,CAAC;QAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAA;QAClF,MAAM,GAAG,GAAG,GAAG,GAAG,IAAI,CAAA;QACtB,MAAM,OAAO,GAAG,qBAAqB,CACnC,IAAI,CAAC,SAAS,CAAC;YACb,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,mBAAmB;YACpC,KAAK,EAAE,0CAA0C;YACjD,GAAG,EAAE,qCAAqC;YAC1C,GAAG,EAAE,GAAG;YACR,GAAG;SACJ,CAAC,CACH,CAAA;QAED,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,OAAO,EAAE,CAAA;QAC3C,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAA;QAC7D,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,mBAAmB,EACnB,GAAG,EACH,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CACvC,CAAA;QACD,MAAM,GAAG,GAAG,GAAG,YAAY,IAAI,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAA;QAE3E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;YAC7D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,8EAA8E,GAAG,EAAE;SAC1F,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;YAC7B,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;QACvE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiD,CAAA;QAC/E,IAAI,CAAC,WAAW,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAA;QACjF,OAAO,IAAI,CAAC,YAAY,CAAA;IAC1B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,SAAiB,EAAE,GAAW;QAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAA;QAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,CAAA;QAE/B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,sCAAsC,OAAO,UAAU,EAAE;YAC/E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,WAAW,EAAE;gBACtC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;SAC7C,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;YAC7B,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;QAChE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA2B,CAAA;QACzD,OAAO,IAAI,CAAC,UAAU,CAAA;IACxB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB,EAAE,GAAW;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAA;QAE/C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,sCAAsC,OAAO,UAAU,EAAE;YAC/E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,WAAW,EAAE;gBACtC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,CAAC;SACrC,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;YAC7B,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;QAChE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0B,CAAA;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC7B,CAAC;CACF"}

package/dist/kms-local.d.ts

@@ -0,0 +1,13 @@
+import { SymmetricAesGcmKmsProvider } from "./kms-symmetric.js";
+export interface LocalKmsConfig {
+    /** Base64-encoded 32-byte master key. */
+    key: string;
+}
+export declare function generateLocalKmsKey(): string;
+export declare class LocalKmsProvider extends SymmetricAesGcmKmsProvider {
+    readonly name: "local";
+    protected readonly prefix = "local:v1:";
+    protected readonly label = "LocalKmsProvider";
+    constructor(config: LocalKmsConfig);
+}
+//# sourceMappingURL=kms-local.d.ts.map

package/dist/kms-local.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-local.d.ts","sourceRoot":"","sources":["../src/kms-local.ts"],"names":[],"mappings":"AAAA,OAAO,EAA2B,0BAA0B,EAAE,MAAM,oBAAoB,CAAA;AAExF,MAAM,WAAW,cAAc;IAC7B,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C;AAED,qBAAa,gBAAiB,SAAQ,0BAA0B;IAC9D,QAAQ,CAAC,IAAI,EAAG,OAAO,CAAS;IAChC,SAAS,CAAC,QAAQ,CAAC,MAAM,eAAc;IACvC,SAAS,CAAC,QAAQ,CAAC,KAAK,sBAAqB;gBAEjC,MAAM,EAAE,cAAc;CAGnC"}

package/dist/kms-local.js

@@ -0,0 +1,13 @@
+import { generateSymmetricKmsKey, SymmetricAesGcmKmsProvider } from "./kms-symmetric.js";
+export function generateLocalKmsKey() {
+    return generateSymmetricKmsKey();
+}
+export class LocalKmsProvider extends SymmetricAesGcmKmsProvider {
+    name = "local";
+    prefix = "local:v1:";
+    label = "LocalKmsProvider";
+    constructor(config) {
+        super(config.key);
+    }
+}
+//# sourceMappingURL=kms-local.js.map

package/dist/kms-local.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-local.js","sourceRoot":"","sources":["../src/kms-local.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAA;AAOxF,MAAM,UAAU,mBAAmB;IACjC,OAAO,uBAAuB,EAAE,CAAA;AAClC,CAAC;AAED,MAAM,OAAO,gBAAiB,SAAQ,0BAA0B;IACrD,IAAI,GAAG,OAAgB,CAAA;IACb,MAAM,GAAG,WAAW,CAAA;IACpB,KAAK,GAAG,kBAAkB,CAAA;IAE7C,YAAY,MAAsB;QAChC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;CACF"}

package/dist/kms-symmetric.d.ts

@@ -0,0 +1,14 @@
+import type { KeyRef, KmsProvider } from "./kms.js";
+export declare function generateSymmetricKmsKey(): string;
+export declare abstract class SymmetricAesGcmKmsProvider implements KmsProvider {
+    private readonly keyB64;
+    abstract readonly name: KmsProvider["name"];
+    protected abstract readonly prefix: string;
+    protected abstract readonly label: string;
+    private keyPromise;
+    protected constructor(keyB64: string);
+    private getKey;
+    encrypt(plaintext: string, _key: KeyRef): Promise<string>;
+    decrypt(ciphertext: string, _key: KeyRef): Promise<string>;
+}
+//# sourceMappingURL=kms-symmetric.d.ts.map

package/dist/kms-symmetric.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-symmetric.d.ts","sourceRoot":"","sources":["../src/kms-symmetric.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AA+BnD,wBAAgB,uBAAuB,IAAI,MAAM,CAIhD;AAED,8BAAsB,0BAA2B,YAAW,WAAW;IAO/C,OAAO,CAAC,QAAQ,CAAC,MAAM;IAN7C,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,CAAA;IAC3C,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IAC1C,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IAEzC,OAAO,CAAC,UAAU,CAAkC;IAEpD,SAAS,aAA8B,MAAM,EAAE,MAAM;IAErD,OAAO,CAAC,MAAM;IAOR,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBzD,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAmBjE"}

package/dist/kms-symmetric.js

@@ -0,0 +1,67 @@
+const IV_BYTES = 12;
+function base64ToBytes(b64) {
+    const binary = atob(b64);
+    const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+function bytesToBase64(bytes) {
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary);
+}
+function importMasterKey(keyB64, label) {
+    const raw = base64ToBytes(keyB64);
+    if (raw.length !== 32) {
+        throw new Error(`${label}: key must decode to 32 bytes (got ${raw.length}). Generate one with: openssl rand -base64 32`);
+    }
+    return crypto.subtle.importKey("raw", raw, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+}
+export function generateSymmetricKmsKey() {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return bytesToBase64(bytes);
+}
+export class SymmetricAesGcmKmsProvider {
+    keyB64;
+    keyPromise = null;
+    constructor(keyB64) {
+        this.keyB64 = keyB64;
+    }
+    getKey() {
+        if (!this.keyPromise) {
+            this.keyPromise = importMasterKey(this.keyB64, this.label);
+        }
+        return this.keyPromise;
+    }
+    async encrypt(plaintext, _key) {
+        const masterKey = await this.getKey();
+        const iv = new Uint8Array(IV_BYTES);
+        crypto.getRandomValues(iv);
+        const data = new TextEncoder().encode(plaintext);
+        const ciphertext = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, masterKey, data));
+        const combined = new Uint8Array(IV_BYTES + ciphertext.length);
+        combined.set(iv, 0);
+        combined.set(ciphertext, IV_BYTES);
+        return `${this.prefix}${bytesToBase64(combined)}`;
+    }
+    async decrypt(ciphertext, _key) {
+        if (!ciphertext.startsWith(this.prefix)) {
+            throw new Error(`${this.label}: ciphertext missing "${this.prefix}" prefix — was it encrypted by a different provider?`);
+        }
+        const combined = base64ToBytes(ciphertext.slice(this.prefix.length));
+        if (combined.length <= IV_BYTES) {
+            throw new Error(`${this.label}: ciphertext is too short to contain IV + data`);
+        }
+        const iv = combined.slice(0, IV_BYTES);
+        const encrypted = combined.slice(IV_BYTES);
+        const masterKey = await this.getKey();
+        const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, masterKey, encrypted);
+        return new TextDecoder().decode(plaintext);
+    }
+}
+//# sourceMappingURL=kms-symmetric.js.map

package/dist/kms-symmetric.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-symmetric.js","sourceRoot":"","sources":["../src/kms-symmetric.ts"],"names":[],"mappings":"AAEA,MAAM,QAAQ,GAAG,EAAE,CAAA;AAEnB,SAAS,aAAa,CAAC,GAAW;IAChC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;IAC5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IACjC,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,aAAa,CAAC,KAAiB;IACtC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAA;IACrC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAA;AACrB,CAAC;AAED,SAAS,eAAe,CAAC,MAAc,EAAE,KAAa;IACpD,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,CAAA;IACjC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,sCAAsC,GAAG,CAAC,MAAM,+CAA+C,CACxG,CAAA;IACH,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAA;AAChG,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAA;IAChC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAA;IAC7B,OAAO,aAAa,CAAC,KAAK,CAAC,CAAA;AAC7B,CAAC;AAED,MAAM,OAAgB,0BAA0B;IAOP;IAF/B,UAAU,GAA8B,IAAI,CAAA;IAEpD,YAAuC,MAAc;QAAd,WAAM,GAAN,MAAM,CAAQ;IAAG,CAAC;IAEjD,MAAM;QACZ,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,IAAI,CAAC,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;QAC5D,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAA;IACxB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,SAAiB,EAAE,IAAY;QAC3C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAA;QACrC,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAA;QACnC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAA;QAE1B,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QAChD,MAAM,UAAU,GAAG,IAAI,UAAU,CAC/B,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,CACtE,CAAA;QAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,CAAA;QAC7D,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAA;QACnB,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;QAElC,OAAO,GAAG,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAA;IACnD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB,EAAE,IAAY;QAC5C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CACb,GAAG,IAAI,CAAC,KAAK,yBAAyB,IAAI,CAAC,MAAM,sDAAsD,CACxG,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;QACpE,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,KAAK,gDAAgD,CAAC,CAAA;QAChF,CAAC;QAED,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAA;QAC1C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAA;QACrC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,SAAS,CAAC,CAAA;QAE5F,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IAC5C,CAAC;CACF"}

package/dist/kms.d.ts

@@ -0,0 +1,66 @@
+/**
+ * KMS provider interface and factory.
+ *
+ * Callers encrypt/decrypt opaque strings via a `KmsProvider` implementation.
+ * The returned ciphertext is paired with the `{ enc: "..." }` envelope from
+ * `@voyantjs/types/schemas/kms/envelope` when persisted.
+ */
+import type { KmsEncryptedEnvelope } from "@voyantjs/types/schemas/kms/envelope";
+import { z } from "zod";
+import { type AwsKmsConfig, AwsKmsProvider } from "./kms-aws.js";
+import { type EnvKmsConfig, EnvKmsProvider, generateEnvKmsKey } from "./kms-env.js";
+import { type GcpKmsConfig, GcpKmsProvider } from "./kms-gcp.js";
+import { generateLocalKmsKey, type LocalKmsConfig, LocalKmsProvider } from "./kms-local.js";
+export type KmsKeyType = "people" | "integrations";
+export interface KeyRef {
+    keyType: KmsKeyType;
+}
+export interface KmsProvider {
+    /**
+     * Provider identifier. Known values are "gcp", "aws", "env", and "local"; custom providers
+     * may use any string (the `(string & {})` pattern keeps autocomplete for the
+     * known values without forbidding others).
+     */
+    readonly name: "gcp" | "aws" | "env" | "local" | (string & {});
+    encrypt(plaintext: string, key: KeyRef): Promise<string>;
+    decrypt(ciphertext: string, key: KeyRef): Promise<string>;
+}
+export type KmsConfig = {
+    provider: "gcp";
+    gcp: GcpKmsConfig;
+} | {
+    provider: "aws";
+    aws: AwsKmsConfig;
+} | {
+    provider: "env";
+    env: EnvKmsConfig;
+} | {
+    provider: "local";
+    local: LocalKmsConfig;
+} | {
+    provider: "custom";
+    custom: KmsProvider;
+};
+/**
+ * Build a provider instance from a validated config object.
+ *
+ * Supply `{ provider: "custom", custom: <your KmsProvider> }` to plug in an
+ * implementation that isn't built in (e.g. AWS KMS, HashiCorp Vault).
+ */
+export declare function createKmsProvider(config: KmsConfig): KmsProvider;
+/**
+ * Build a `KmsConfig` from an env-like object. Accepts CF Workers `c.env`,
+ * Node `process.env`, or any plain object.
+ *
+ * Throws with a clear message if `KMS_PROVIDER` is unset/invalid or required
+ * provider-specific vars are missing.
+ */
+export declare function kmsConfigFromEnv(env: Record<string, string | undefined>): KmsConfig;
+export declare function createKmsProviderFromEnv(env: Record<string, string | undefined>): KmsProvider;
+export declare function encryptJsonEnvelope<T>(provider: KmsProvider, key: KeyRef, value: T): Promise<KmsEncryptedEnvelope>;
+export declare function decryptJsonEnvelope<T>(provider: KmsProvider, key: KeyRef, envelope: KmsEncryptedEnvelope, schema: z.ZodType<T>): Promise<T>;
+export declare function encryptOptionalJsonEnvelope<T>(provider: KmsProvider, key: KeyRef, value: T | null | undefined): Promise<KmsEncryptedEnvelope | null>;
+export declare function decryptOptionalJsonEnvelope<T>(provider: KmsProvider, key: KeyRef, envelope: KmsEncryptedEnvelope | null | undefined, schema: z.ZodType<T>): Promise<T | null>;
+export type { AwsKmsConfig, EnvKmsConfig, GcpKmsConfig, LocalKmsConfig };
+export { AwsKmsProvider, EnvKmsProvider, GcpKmsProvider, generateEnvKmsKey, generateLocalKmsKey, LocalKmsProvider, };
+//# sourceMappingURL=kms.d.ts.map

package/dist/kms.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms.d.ts","sourceRoot":"","sources":["../src/kms.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAA;AAChF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,EAAE,KAAK,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAChE,OAAO,EAAE,KAAK,YAAY,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AACnF,OAAO,EAAE,KAAK,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAChE,OAAO,EAAE,mBAAmB,EAAE,KAAK,cAAc,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAE3F,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,cAAc,CAAA;AAElD,MAAM,WAAW,MAAM;IACrB,OAAO,EAAE,UAAU,CAAA;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,IAAI,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAA;IAC9D,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACxD,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;CAC1D;AAED,MAAM,MAAM,SAAS,GACjB;IAAE,QAAQ,EAAE,KAAK,CAAC;IAAC,GAAG,EAAE,YAAY,CAAA;CAAE,GACtC;IAAE,QAAQ,EAAE,KAAK,CAAC;IAAC,GAAG,EAAE,YAAY,CAAA;CAAE,GACtC;IAAE,QAAQ,EAAE,KAAK,CAAC;IAAC,GAAG,EAAE,YAAY,CAAA;CAAE,GACtC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,cAAc,CAAA;CAAE,GAC5C;IAAE,QAAQ,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,WAAW,CAAA;CAAE,CAAA;AAE/C;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,GAAG,WAAW,CAchE;AAID;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GAAG,SAAS,CA6GnF;AAED,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,eAE/E;AAED,wBAAsB,mBAAmB,CAAC,CAAC,EACzC,QAAQ,EAAE,WAAW,EACrB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,CAAC,GACP,OAAO,CAAC,oBAAoB,CAAC,CAI/B;AAED,wBAAsB,mBAAmB,CAAC,CAAC,EACzC,QAAQ,EAAE,WAAW,EACrB,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,oBAAoB,EAC9B,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GACnB,OAAO,CAAC,CAAC,CAAC,CAGZ;AAED,wBAAsB,2BAA2B,CAAC,CAAC,EACjD,QAAQ,EAAE,WAAW,EACrB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,CAAC,GAAG,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAKtC;AAED,wBAAsB,2BAA2B,CAAC,CAAC,EACjD,QAAQ,EAAE,WAAW,EACrB,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,oBAAoB,GAAG,IAAI,GAAG,SAAS,EACjD,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GACnB,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAKnB;AAED,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,CAAA;AACxE,OAAO,EACL,cAAc,EACd,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,mBAAmB,EACnB,gBAAgB,GACjB,CAAA"}