agentlock-shared 0.1.0

package/.turbo/turbo-build.log

@@ -0,0 +1,4 @@
+
+> @agentlock/shared@0.1.0 build D:\agentlock\packages\shared
+> tsc
+

package/.turbo/turbo-test.log

@@ -0,0 +1,34 @@
+
+> @agentlock/shared@0.1.0 test D:\agentlock\packages\shared
+> vitest run
+
+▲ [WARNING] The condition "types" here will never be used as it comes after both "import" and "require" [package.json]
+
+    package.json:11:6:
+      11 │       "types": "./dist/index.d.ts"
+         ╵       ~~~~~~~
+
+  The "import" condition comes earlier and will be used for all "import" statements:
+
+    package.json:9:6:
+      9 │       "import": "./dist/index.js",
+        ╵       ~~~~~~~~
+
+  The "require" condition comes earlier and will be used for all "require" calls:
+
+    package.json:10:6:
+      10 │       "require": "./dist/index.js",
+         ╵       ~~~~~~~~~
+
+
+ RUN  v4.0.18 D:/agentlock/packages/shared
+
+ ✓ src/__tests__/redact.test.ts (5 tests) 4ms
+ ✓ src/__tests__/policy.test.ts (7 tests) 4ms
+ ✓ src/__tests__/signing.test.ts (7 tests) 68ms
+
+ Test Files  3 passed (3)
+      Tests  19 passed (19)
+   Start at  21:09:06
+   Duration  482ms (transform 192ms, setup 0ms, import 287ms, tests 75ms, environment 0ms)
+

package/dist/__tests__/content-crypto.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=content-crypto.test.d.ts.map

package/dist/__tests__/content-crypto.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-crypto.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/content-crypto.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/content-crypto.test.js

@@ -0,0 +1,117 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const content_crypto_1 = require("../content-crypto");
+const crypto_1 = require("../crypto");
+const tweetnacl_1 = __importDefault(require("tweetnacl"));
+const tweetnacl_util_1 = require("tweetnacl-util");
+(0, vitest_1.describe)('content-crypto', () => {
+    (0, vitest_1.describe)('generateWCK', () => {
+        (0, vitest_1.it)('returns a 32-byte key', () => {
+            const wck = (0, content_crypto_1.generateWCK)();
+            (0, vitest_1.expect)(wck).toBeInstanceOf(Uint8Array);
+            (0, vitest_1.expect)(wck.length).toBe(32);
+        });
+        (0, vitest_1.it)('generates unique keys', () => {
+            const a = (0, content_crypto_1.generateWCK)();
+            const b = (0, content_crypto_1.generateWCK)();
+            (0, vitest_1.expect)(Buffer.from(a).equals(Buffer.from(b))).toBe(false);
+        });
+    });
+    (0, vitest_1.describe)('wrapKey / unwrapKey (server roundtrip)', () => {
+        (0, vitest_1.it)('wraps and unwraps a WCK with MASTER_KEY', () => {
+            const masterKey = (0, crypto_1.generateKey)();
+            const wck = (0, content_crypto_1.generateWCK)();
+            const { ciphertext, nonce } = (0, content_crypto_1.wrapKey)(wck, masterKey);
+            (0, vitest_1.expect)(typeof ciphertext).toBe('string');
+            (0, vitest_1.expect)(typeof nonce).toBe('string');
+            const unwrapped = (0, content_crypto_1.unwrapKey)(ciphertext, nonce, masterKey);
+            (0, vitest_1.expect)(Buffer.from(unwrapped).equals(Buffer.from(wck))).toBe(true);
+        });
+        (0, vitest_1.it)('throws with wrong wrapping key', () => {
+            const masterKey = (0, crypto_1.generateKey)();
+            const wrongKey = (0, crypto_1.generateKey)();
+            const wck = (0, content_crypto_1.generateWCK)();
+            const { ciphertext, nonce } = (0, content_crypto_1.wrapKey)(wck, masterKey);
+            (0, vitest_1.expect)(() => (0, content_crypto_1.unwrapKey)(ciphertext, nonce, wrongKey)).toThrow('unwrapKey failed');
+        });
+        (0, vitest_1.it)('throws with corrupted ciphertext', () => {
+            const masterKey = (0, crypto_1.generateKey)();
+            const wck = (0, content_crypto_1.generateWCK)();
+            const { ciphertext, nonce } = (0, content_crypto_1.wrapKey)(wck, masterKey);
+            // Corrupt ciphertext
+            const bytes = (0, tweetnacl_util_1.decodeBase64)(ciphertext);
+            bytes[0] ^= 0xff;
+            const corrupted = Buffer.from(bytes).toString('base64');
+            (0, vitest_1.expect)(() => (0, content_crypto_1.unwrapKey)(corrupted, nonce, masterKey)).toThrow();
+        });
+    });
+    (0, vitest_1.describe)('wrapWCKForUser / unwrapWCKFromUser (passphrase roundtrip)', () => {
+        (0, vitest_1.it)('wraps and unwraps with passphrase', () => {
+            const wck = (0, content_crypto_1.generateWCK)();
+            const passphrase = 'my-strong-passphrase-2024!';
+            const { ciphertext, nonce, salt } = (0, content_crypto_1.wrapWCKForUser)(wck, passphrase);
+            (0, vitest_1.expect)(typeof ciphertext).toBe('string');
+            (0, vitest_1.expect)(typeof nonce).toBe('string');
+            (0, vitest_1.expect)(typeof salt).toBe('string');
+            const unwrapped = (0, content_crypto_1.unwrapWCKFromUser)(ciphertext, nonce, salt, passphrase);
+            (0, vitest_1.expect)(Buffer.from(unwrapped).equals(Buffer.from(wck))).toBe(true);
+        });
+        (0, vitest_1.it)('throws with wrong passphrase', () => {
+            const wck = (0, content_crypto_1.generateWCK)();
+            const { ciphertext, nonce, salt } = (0, content_crypto_1.wrapWCKForUser)(wck, 'correct-pass');
+            (0, vitest_1.expect)(() => (0, content_crypto_1.unwrapWCKFromUser)(ciphertext, nonce, salt, 'wrong-pass')).toThrow();
+        });
+    });
+    (0, vitest_1.describe)('deriveKEK', () => {
+        (0, vitest_1.it)('is deterministic for same passphrase+salt', () => {
+            const salt = tweetnacl_1.default.randomBytes(32);
+            const kek1 = (0, content_crypto_1.deriveKEK)('test-passphrase', salt);
+            const kek2 = (0, content_crypto_1.deriveKEK)('test-passphrase', salt);
+            (0, vitest_1.expect)(Buffer.from(kek1).equals(Buffer.from(kek2))).toBe(true);
+        });
+        (0, vitest_1.it)('produces different keys for different passphrases', () => {
+            const salt = tweetnacl_1.default.randomBytes(32);
+            const kek1 = (0, content_crypto_1.deriveKEK)('pass-1', salt);
+            const kek2 = (0, content_crypto_1.deriveKEK)('pass-2', salt);
+            (0, vitest_1.expect)(Buffer.from(kek1).equals(Buffer.from(kek2))).toBe(false);
+        });
+        (0, vitest_1.it)('produces different keys for different salts', () => {
+            const salt1 = tweetnacl_1.default.randomBytes(32);
+            const salt2 = tweetnacl_1.default.randomBytes(32);
+            const kek1 = (0, content_crypto_1.deriveKEK)('same-pass', salt1);
+            const kek2 = (0, content_crypto_1.deriveKEK)('same-pass', salt2);
+            (0, vitest_1.expect)(Buffer.from(kek1).equals(Buffer.from(kek2))).toBe(false);
+        });
+        (0, vitest_1.it)('returns a 32-byte key', () => {
+            const salt = tweetnacl_1.default.randomBytes(32);
+            const kek = (0, content_crypto_1.deriveKEK)('test', salt);
+            (0, vitest_1.expect)(kek.length).toBe(32);
+        });
+    });
+    (0, vitest_1.describe)('cross-compatibility with existing encrypt/decrypt', () => {
+        (0, vitest_1.it)('WCK works as a key with existing encrypt/decrypt', () => {
+            const wck = (0, content_crypto_1.generateWCK)();
+            const data = JSON.stringify({ tool: 'demo.write', action_type: 'write' });
+            const encrypted = (0, crypto_1.encrypt)(data, wck);
+            const decrypted = (0, crypto_1.decrypt)(encrypted, wck);
+            (0, vitest_1.expect)(decrypted).toBe(data);
+        });
+        (0, vitest_1.it)('data encrypted with WCK cannot be decrypted with MASTER_KEY', () => {
+            const wck = (0, content_crypto_1.generateWCK)();
+            const masterKey = (0, crypto_1.generateKey)();
+            const encrypted = (0, crypto_1.encrypt)('sensitive data', wck);
+            (0, vitest_1.expect)(() => (0, crypto_1.decrypt)(encrypted, masterKey)).toThrow();
+        });
+    });
+    (0, vitest_1.describe)('version constants', () => {
+        (0, vitest_1.it)('has correct version values', () => {
+            (0, vitest_1.expect)(content_crypto_1.PAYLOAD_VERSION_LEGACY).toBe(0);
+            (0, vitest_1.expect)(content_crypto_1.PAYLOAD_VERSION_WCK).toBe(1);
+        });
+    });
+});
+//# sourceMappingURL=content-crypto.test.js.map

package/dist/__tests__/content-crypto.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-crypto.test.js","sourceRoot":"","sources":["../../src/__tests__/content-crypto.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,sDAS2B;AAC3B,sCAA0D;AAC1D,0DAA6B;AAC7B,mDAA8C;AAE9C,IAAA,iBAAQ,EAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,IAAA,iBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAA,4BAAW,GAAE,CAAC;YAC1B,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;YACvC,IAAA,eAAM,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;YAC/B,MAAM,CAAC,GAAG,IAAA,4BAAW,GAAE,CAAC;YACxB,MAAM,CAAC,GAAG,IAAA,4BAAW,GAAE,CAAC;YACxB,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,wCAAwC,EAAE,GAAG,EAAE;QACtD,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,MAAM,SAAS,GAAG,IAAA,oBAAW,GAAE,CAAC;YAChC,MAAM,GAAG,GAAG,IAAA,4BAAW,GAAE,CAAC;YAC1B,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,IAAA,wBAAO,EAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YAEtD,IAAA,eAAM,EAAC,OAAO,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzC,IAAA,eAAM,EAAC,OAAO,KAAK,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAEpC,MAAM,SAAS,GAAG,IAAA,0BAAS,EAAC,UAAU,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;YAC1D,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,SAAS,GAAG,IAAA,oBAAW,GAAE,CAAC;YAChC,MAAM,QAAQ,GAAG,IAAA,oBAAW,GAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,IAAA,4BAAW,GAAE,CAAC;YAC1B,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,IAAA,wBAAO,EAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YAEtD,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAS,EAAC,UAAU,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAC1D,kBAAkB,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,SAAS,GAAG,IAAA,oBAAW,GAAE,CAAC;YAChC,MAAM,GAAG,GAAG,IAAA,4BAAW,GAAE,CAAC;YAC1B,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,IAAA,wBAAO,EAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YAEtD,qBAAqB;YACrB,MAAM,KAAK,GAAG,IAAA,6BAAY,EAAC,UAAU,CAAC,CAAC;YACvC,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAExD,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAS,EAAC,SAAS,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QACjE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,2DAA2D,EAAE,GAAG,EAAE;QACzE,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,GAAG,GAAG,IAAA,4BAAW,GAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,4BAA4B,CAAC;YAChD,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,IAAA,+BAAc,EAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YAEpE,IAAA,eAAM,EAAC,OAAO,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzC,IAAA,eAAM,EAAC,OAAO,KAAK,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACpC,IAAA,eAAM,EAAC,OAAO,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAEnC,MAAM,SAAS,GAAG,IAAA,kCAAiB,EAAC,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;YACzE,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,GAAG,GAAG,IAAA,4BAAW,GAAE,CAAC;YAC1B,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,IAAA,+BAAc,EAAC,GAAG,EAAE,cAAc,CAAC,CAAC;YAExE,IAAA,eAAM,EAAC,GAAG,EAAE,CACV,IAAA,kCAAiB,EAAC,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC,CACzD,CAAC,OAAO,EAAE,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;QACzB,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;YACnD,MAAM,IAAI,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAClC,MAAM,IAAI,GAAG,IAAA,0BAAS,EAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC;YAChD,MAAM,IAAI,GAAG,IAAA,0BAAS,EAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC;YAChD,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,mDAAmD,EAAE,GAAG,EAAE;YAC3D,MAAM,IAAI,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAClC,MAAM,IAAI,GAAG,IAAA,0BAAS,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACvC,MAAM,IAAI,GAAG,IAAA,0BAAS,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACvC,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;YACrD,MAAM,KAAK,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YACnC,MAAM,KAAK,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YACnC,MAAM,IAAI,GAAG,IAAA,0BAAS,EAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,IAAA,0BAAS,EAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC3C,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;YAC/B,MAAM,IAAI,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAClC,MAAM,GAAG,GAAG,IAAA,0BAAS,EAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YACpC,IAAA,eAAM,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,mDAAmD,EAAE,GAAG,EAAE;QACjE,IAAA,WAAE,EAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,GAAG,GAAG,IAAA,4BAAW,GAAE,CAAC;YAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1E,MAAM,SAAS,GAAG,IAAA,gBAAO,EAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACrC,MAAM,SAAS,GAAG,IAAA,gBAAO,EAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAC1C,IAAA,eAAM,EAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,6DAA6D,EAAE,GAAG,EAAE;YACrE,MAAM,GAAG,GAAG,IAAA,4BAAW,GAAE,CAAC;YAC1B,MAAM,SAAS,GAAG,IAAA,oBAAW,GAAE,CAAC;YAChC,MAAM,SAAS,GAAG,IAAA,gBAAO,EAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;YACjD,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,gBAAO,EAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QACxD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,IAAA,eAAM,EAAC,uCAAsB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACvC,IAAA,eAAM,EAAC,oCAAmB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/crypto.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=crypto.test.d.ts.map

package/dist/__tests__/crypto.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/crypto.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/crypto.test.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const crypto_1 = require("../crypto");
+(0, vitest_1.describe)('crypto', () => {
+    (0, vitest_1.describe)('encrypt / decrypt', () => {
+        (0, vitest_1.it)('roundtrips plaintext', () => {
+            const key = (0, crypto_1.generateKey)();
+            const plaintext = 'Hello, world!';
+            const encrypted = (0, crypto_1.encrypt)(plaintext, key);
+            (0, vitest_1.expect)((0, crypto_1.decrypt)(encrypted, key)).toBe(plaintext);
+        });
+        (0, vitest_1.it)('throws with wrong key', () => {
+            const key = (0, crypto_1.generateKey)();
+            const wrongKey = (0, crypto_1.generateKey)();
+            const encrypted = (0, crypto_1.encrypt)('secret', key);
+            (0, vitest_1.expect)(() => (0, crypto_1.decrypt)(encrypted, wrongKey)).toThrow('Decryption failed');
+        });
+        (0, vitest_1.it)('handles JSON payloads', () => {
+            const key = (0, crypto_1.generateKey)();
+            const data = JSON.stringify({ foo: 'bar', num: 42, arr: [1, 2, 3] });
+            const encrypted = (0, crypto_1.encrypt)(data, key);
+            (0, vitest_1.expect)(JSON.parse((0, crypto_1.decrypt)(encrypted, key))).toEqual(JSON.parse(data));
+        });
+    });
+    (0, vitest_1.describe)('encryptDEK / decryptDEK', () => {
+        (0, vitest_1.it)('roundtrips a DEK through master key', () => {
+            const masterKey = (0, crypto_1.generateKey)();
+            const dek = (0, crypto_1.generateKey)();
+            const encrypted = (0, crypto_1.encryptDEK)(dek, masterKey);
+            const decrypted = (0, crypto_1.decryptDEK)(encrypted, masterKey);
+            (0, vitest_1.expect)(Buffer.from(decrypted).equals(Buffer.from(dek))).toBe(true);
+        });
+    });
+    (0, vitest_1.describe)('encryptCredential / decryptCredential', () => {
+        (0, vitest_1.it)('roundtrips a credential payload', () => {
+            const masterKey = (0, crypto_1.generateKey)();
+            const payload = { api_key: 'sk-test-123', endpoint: 'https://api.example.com' };
+            const { encryptedDEK, encryptedPayload } = (0, crypto_1.encryptCredential)(payload, masterKey);
+            (0, vitest_1.expect)(typeof encryptedDEK).toBe('string');
+            (0, vitest_1.expect)(typeof encryptedPayload).toBe('string');
+            const decrypted = (0, crypto_1.decryptCredential)(encryptedDEK, encryptedPayload, masterKey);
+            (0, vitest_1.expect)(decrypted).toEqual(payload);
+        });
+        (0, vitest_1.it)('fails with wrong master key', () => {
+            const masterKey = (0, crypto_1.generateKey)();
+            const wrongKey = (0, crypto_1.generateKey)();
+            const { encryptedDEK, encryptedPayload } = (0, crypto_1.encryptCredential)({ secret: 'value' }, masterKey);
+            (0, vitest_1.expect)(() => (0, crypto_1.decryptCredential)(encryptedDEK, encryptedPayload, wrongKey)).toThrow();
+        });
+    });
+});
+//# sourceMappingURL=crypto.test.js.map

package/dist/__tests__/crypto.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.test.js","sourceRoot":"","sources":["../../src/__tests__/crypto.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,sCAQmB;AAEnB,IAAA,iBAAQ,EAAC,QAAQ,EAAE,GAAG,EAAE;IACtB,IAAA,iBAAQ,EAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,IAAA,WAAE,EAAC,sBAAsB,EAAE,GAAG,EAAE;YAC9B,MAAM,GAAG,GAAG,IAAA,oBAAW,GAAE,CAAC;YAC1B,MAAM,SAAS,GAAG,eAAe,CAAC;YAClC,MAAM,SAAS,GAAG,IAAA,gBAAO,EAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAC1C,IAAA,eAAM,EAAC,IAAA,gBAAO,EAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAA,oBAAW,GAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,IAAA,oBAAW,GAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAA,gBAAO,EAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACzC,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,gBAAO,EAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAA,oBAAW,GAAE,CAAC;YAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;YACrE,MAAM,SAAS,GAAG,IAAA,gBAAO,EAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACrC,IAAA,eAAM,EAAC,IAAI,CAAC,KAAK,CAAC,IAAA,gBAAO,EAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,IAAA,WAAE,EAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,SAAS,GAAG,IAAA,oBAAW,GAAE,CAAC;YAChC,MAAM,GAAG,GAAG,IAAA,oBAAW,GAAE,CAAC;YAC1B,MAAM,SAAS,GAAG,IAAA,mBAAU,EAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YAC7C,MAAM,SAAS,GAAG,IAAA,mBAAU,EAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YACnD,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,uCAAuC,EAAE,GAAG,EAAE;QACrD,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;YACzC,MAAM,SAAS,GAAG,IAAA,oBAAW,GAAE,CAAC;YAChC,MAAM,OAAO,GAAG,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,yBAAyB,EAAE,CAAC;YAChF,MAAM,EAAE,YAAY,EAAE,gBAAgB,EAAE,GAAG,IAAA,0BAAiB,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAEjF,IAAA,eAAM,EAAC,OAAO,YAAY,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC3C,IAAA,eAAM,EAAC,OAAO,gBAAgB,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAE/C,MAAM,SAAS,GAAG,IAAA,0BAAiB,EAAC,YAAY,EAAE,gBAAgB,EAAE,SAAS,CAAC,CAAC;YAC/E,IAAA,eAAM,EAAC,SAAS,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,SAAS,GAAG,IAAA,oBAAW,GAAE,CAAC;YAChC,MAAM,QAAQ,GAAG,IAAA,oBAAW,GAAE,CAAC;YAC/B,MAAM,EAAE,YAAY,EAAE,gBAAgB,EAAE,GAAG,IAAA,0BAAiB,EAC1D,EAAE,MAAM,EAAE,OAAO,EAAE,EACnB,SAAS,CACV,CAAC;YACF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAiB,EAAC,YAAY,EAAE,gBAAgB,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QACtF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/policy.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=policy.test.d.ts.map

package/dist/__tests__/policy.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/policy.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/policy.test.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const policy_js_1 = require("../policy.js");
+(0, vitest_1.describe)('Policy Engine', () => {
+    (0, vitest_1.it)('should ALLOW read actions by default', () => {
+        const action = { action_type: 'read', tool: 'http', payload: {} };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES).decision).toBe('ALLOW');
+    });
+    (0, vitest_1.it)('should REQUIRE_APPROVAL for write actions', () => {
+        const action = { action_type: 'write', tool: 'demo', payload: {} };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('should BLOCK admin actions', () => {
+        const action = { action_type: 'admin', tool: 'system', payload: {} };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('should REQUIRE_APPROVAL for financial actions', () => {
+        const action = { action_type: 'financial', tool: 'stripe', payload: {} };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, policy_js_1.DEFAULT_POLICY_RULES).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('should BLOCK disallowed HTTP domains', () => {
+        const action = {
+            action_type: 'read',
+            tool: 'http',
+            payload: { url: 'https://evil.com/data', method: 'GET' },
+        };
+        const rules = {
+            ...policy_js_1.DEFAULT_POLICY_RULES,
+            http: { allowedDomains: ['trusted.com'], allowedMethods: ['GET'], blockList: [] },
+        };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('should BLOCK explicitly blocklisted domains', () => {
+        const action = {
+            action_type: 'read',
+            tool: 'http',
+            payload: { url: 'https://evil.com/data', method: 'GET' },
+        };
+        const rules = {
+            ...policy_js_1.DEFAULT_POLICY_RULES,
+            http: { allowedDomains: [], allowedMethods: ['GET'], blockList: ['evil.com'] },
+        };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('should ALLOW admin actions when defaultMode is allow and no matching rule', () => {
+        const action = { action_type: 'admin', tool: 'system', payload: {} };
+        const rules = { ...policy_js_1.DEFAULT_POLICY_RULES, defaultMode: 'allow', rules: [] };
+        const result = (0, policy_js_1.evaluatePolicy)(action, rules);
+        (0, vitest_1.expect)(result.decision).toBe('ALLOW');
+        (0, vitest_1.expect)(result.reason).toBe('Default policy');
+    });
+    (0, vitest_1.it)('should ALLOW financial actions when defaultMode is allow and no matching rule', () => {
+        const action = { action_type: 'financial', tool: 'stripe', payload: {} };
+        const rules = { ...policy_js_1.DEFAULT_POLICY_RULES, defaultMode: 'allow', rules: [] };
+        const result = (0, policy_js_1.evaluatePolicy)(action, rules);
+        (0, vitest_1.expect)(result.decision).toBe('ALLOW');
+        (0, vitest_1.expect)(result.reason).toBe('Default policy');
+    });
+    (0, vitest_1.it)('should still respect explicit rules for admin even with defaultMode allow', () => {
+        const action = { action_type: 'admin', tool: 'system', payload: {} };
+        const rules = {
+            ...policy_js_1.DEFAULT_POLICY_RULES,
+            defaultMode: 'allow',
+            rules: [{ action_type: 'admin', decision: 'BLOCK' }],
+        };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('should BLOCK when cost exceeds limit', () => {
+        const action = {
+            action_type: 'financial',
+            tool: 'stripe',
+            payload: {},
+            cost_estimate: 1000,
+        };
+        const rules = { ...policy_js_1.DEFAULT_POLICY_RULES, limits: { maxCostPerAction: 100 } };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(action, rules).decision).toBe('BLOCK');
+    });
+});
+//# sourceMappingURL=policy.test.js.map

package/dist/__tests__/policy.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.test.js","sourceRoot":"","sources":["../../src/__tests__/policy.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAAoE;AAGpE,IAAA,iBAAQ,EAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACtF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACvF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7F,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,gCAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;SACzD,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,CAAC,aAAa,CAAC,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;SAClF,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,MAAM;YACnB,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,EAAE,GAAG,EAAE,uBAAuB,EAAE,MAAM,EAAE,KAAK,EAAE;SACzD,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,IAAI,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC,UAAU,CAAC,EAAE;SAC/E,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,WAAW,EAAE,OAAgB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACpF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7F,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,WAAW,EAAE,OAAgB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACpF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,MAAM,GAAuB,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzF,MAAM,KAAK,GAAG;YACZ,GAAG,gCAAoB;YACvB,WAAW,EAAE,OAAgB;YAC7B,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,OAAgB,EAAE,QAAQ,EAAE,OAAgB,EAAE,CAAC;SACvE,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAuB;YACjC,WAAW,EAAE,WAAW;YACxB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,aAAa,EAAE,IAAI;SACpB,CAAC;QACF,MAAM,KAAK,GAAG,EAAE,GAAG,gCAAoB,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,CAAC;QAC7E,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/redact.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=redact.test.d.ts.map

package/dist/__tests__/redact.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/redact.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/redact.test.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const redact_js_1 = require("../redact.js");
+(0, vitest_1.describe)('Redaction', () => {
+    (0, vitest_1.it)('should redact api_key fields', () => {
+        const obj = { name: 'test', api_key: 'super-secret-123', data: { token: 'abc' } };
+        const result = (0, redact_js_1.redact)(obj);
+        (0, vitest_1.expect)(result.api_key).toBe('[REDACTED]');
+        (0, vitest_1.expect)(result.data.token).toBe('[REDACTED]');
+        (0, vitest_1.expect)(result.name).toBe('test');
+    });
+    (0, vitest_1.it)('should redact Authorization headers', () => {
+        const headers = { Authorization: 'Bearer secret', 'Content-Type': 'application/json' };
+        const result = (0, redact_js_1.redactHeaders)(headers);
+        (0, vitest_1.expect)(result['Authorization']).toBe('[REDACTED]');
+        (0, vitest_1.expect)(result['Content-Type']).toBe('application/json');
+    });
+    (0, vitest_1.it)('should handle nested objects', () => {
+        const obj = { level1: { level2: { password: 'secret', safe: 'ok' } } };
+        const result = (0, redact_js_1.redact)(obj);
+        (0, vitest_1.expect)(result.level1.level2.password).toBe('[REDACTED]');
+        (0, vitest_1.expect)(result.level1.level2.safe).toBe('ok');
+    });
+    (0, vitest_1.it)('should handle arrays', () => {
+        const obj = { items: [{ token: 'secret1' }, { token: 'secret2' }] };
+        const result = (0, redact_js_1.redact)(obj);
+        (0, vitest_1.expect)(result.items[0].token).toBe('[REDACTED]');
+        (0, vitest_1.expect)(result.items[1].token).toBe('[REDACTED]');
+    });
+    (0, vitest_1.it)('should not redact safe fields', () => {
+        const obj = { name: 'test', url: 'https://example.com', status: 200 };
+        const result = (0, redact_js_1.redact)(obj);
+        (0, vitest_1.expect)(result.name).toBe('test');
+        (0, vitest_1.expect)(result.url).toBe('https://example.com');
+        (0, vitest_1.expect)(result.status).toBe(200);
+    });
+});
+//# sourceMappingURL=redact.test.js.map

package/dist/__tests__/redact.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.test.js","sourceRoot":"","sources":["../../src/__tests__/redact.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAAqD;AAErD,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC;QAClF,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAA4B,CAAC;QACtD,IAAA,eAAM,EAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAE,MAAM,CAAC,IAAgC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,OAAO,GAAG,EAAE,aAAa,EAAE,eAAe,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QACvF,MAAM,MAAM,GAAG,IAAA,yBAAa,EAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACvE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAA+D,CAAC;QACzF,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzD,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,GAAG,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;QACpE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAAmC,CAAC;QAC7D,IAAA,eAAM,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACjD,IAAA,eAAM,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,qBAAqB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACtE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAAe,CAAC;QACzC,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjC,IAAA,eAAM,EAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAC/C,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/signing.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=signing.test.d.ts.map

package/dist/__tests__/signing.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/signing.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/signing.test.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const signing_js_1 = require("../signing.js");
+(0, vitest_1.describe)('Ed25519 Signing', () => {
+    (0, vitest_1.it)('should generate valid keypair', () => {
+        const kp = (0, signing_js_1.generateKeypair)();
+        (0, vitest_1.expect)(kp.publicKey).toBeTruthy();
+        (0, vitest_1.expect)(kp.privateKey).toBeTruthy();
+        (0, vitest_1.expect)(kp.publicKey.length).toBeGreaterThan(0);
+    });
+    (0, vitest_1.it)('should sign and verify a request', () => {
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'write', tool: 'demo', payload: { key: 'value' } };
+        const headers = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headers, kp.publicKey)).not.toThrow();
+    });
+    (0, vitest_1.it)('should reject tampered body (top-level field)', () => {
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'write', tool: 'demo', payload: { key: 'value' } };
+        const headers = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        const tampered = { ...body, tool: 'admin' };
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(tampered, headers, kp.publicKey)).toThrow('Invalid signature');
+    });
+    (0, vitest_1.it)('should reject tampered nested payload field', () => {
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'write', tool: 'demo', payload: { key: 'value', amount: 100 } };
+        const headers = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        const tampered = { ...body, payload: { key: 'value', amount: 999999 } };
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(tampered, headers, kp.publicKey)).toThrow('Invalid signature');
+    });
+    (0, vitest_1.it)('canonicalStringify should sort keys recursively at all nesting levels', () => {
+        const obj = { z: 1, a: { y: 2, b: 3 }, m: [{ q: 4, c: 5 }] };
+        const result = (0, signing_js_1.canonicalStringify)(obj);
+        // All object levels must have sorted keys
+        (0, vitest_1.expect)(result).toBe('{"a":{"b":3,"y":2},"m":[{"c":5,"q":4}],"z":1}');
+    });
+    (0, vitest_1.it)('should reject missing headers', () => {
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'write', tool: 'demo', payload: {} };
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, {}, kp.publicKey)).toThrow('Missing required signature headers');
+    });
+    (0, vitest_1.it)('should reject stale timestamp', () => {
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'write', tool: 'demo', payload: {} };
+        const headers = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        headers['x-timestamp'] = String(Date.now() - 10 * 60 * 1000);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headers, kp.publicKey)).toThrow('Timestamp skew');
+    });
+});
+//# sourceMappingURL=signing.test.js.map

package/dist/__tests__/signing.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.test.js","sourceRoot":"","sources":["../../src/__tests__/signing.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,8CAAgG;AAEhG,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,CAAC;QAClC,IAAA,eAAM,EAAC,EAAE,CAAC,UAAU,CAAC,CAAC,UAAU,EAAE,CAAC;QACnC,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAC5C,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,CAAC;QAC5F,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;QACxE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAA,+BAAkB,EAAC,GAAG,CAAC,CAAC;QACvC,0CAA0C;QAC1C,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;IACpG,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/content-crypto.d.ts

@@ -0,0 +1,24 @@
+/** Payload encrypted with MASTER_KEY (legacy) */
+export declare const PAYLOAD_VERSION_LEGACY = 0;
+/** Payload encrypted with per-workspace WCK */
+export declare const PAYLOAD_VERSION_WCK = 1;
+/** Generate a random 32-byte Workspace Content Key */
+export declare function generateWCK(): Uint8Array;
+/** Wrap a WCK using a wrapping key (e.g. MASTER_KEY). Returns base64 ciphertext + nonce. */
+export declare function wrapKey(wck: Uint8Array, wrappingKey: Uint8Array): {
+    ciphertext: string;
+    nonce: string;
+};
+/** Unwrap a WCK using a wrapping key. Returns the raw 32-byte WCK. */
+export declare function unwrapKey(ciphertext: string, nonce: string, wrappingKey: Uint8Array): Uint8Array;
+/** Derive a Key Encryption Key from a passphrase using scrypt. */
+export declare function deriveKEK(passphrase: string, salt: Uint8Array): Uint8Array;
+/** Wrap a WCK for a user using their passphrase. Returns base64 strings. */
+export declare function wrapWCKForUser(wck: Uint8Array, passphrase: string): {
+    ciphertext: string;
+    nonce: string;
+    salt: string;
+};
+/** Unwrap a WCK using a user's passphrase. Returns the raw 32-byte WCK. */
+export declare function unwrapWCKFromUser(ciphertext: string, nonce: string, salt: string, passphrase: string): Uint8Array;
+//# sourceMappingURL=content-crypto.d.ts.map

package/dist/content-crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-crypto.d.ts","sourceRoot":"","sources":["../src/content-crypto.ts"],"names":[],"mappings":"AAIA,iDAAiD;AACjD,eAAO,MAAM,sBAAsB,IAAI,CAAC;AACxC,+CAA+C;AAC/C,eAAO,MAAM,mBAAmB,IAAI,CAAC;AAErC,sDAAsD;AACtD,wBAAgB,WAAW,IAAI,UAAU,CAExC;AAED,4FAA4F;AAC5F,wBAAgB,OAAO,CACrB,GAAG,EAAE,UAAU,EACf,WAAW,EAAE,UAAU,GACtB;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAIvC;AAED,sEAAsE;AACtE,wBAAgB,SAAS,CACvB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,UAAU,GACtB,UAAU,CAQZ;AAED,kEAAkE;AAClE,wBAAgB,SAAS,CACvB,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,UAAU,GACf,UAAU,CAGZ;AAED,4EAA4E;AAC5E,wBAAgB,cAAc,CAC5B,GAAG,EAAE,UAAU,EACf,UAAU,EAAE,MAAM,GACjB;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAKrD;AAED,2EAA2E;AAC3E,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,GACjB,UAAU,CAIZ"}

package/dist/content-crypto.js

@@ -0,0 +1,58 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PAYLOAD_VERSION_WCK = exports.PAYLOAD_VERSION_LEGACY = void 0;
+exports.generateWCK = generateWCK;
+exports.wrapKey = wrapKey;
+exports.unwrapKey = unwrapKey;
+exports.deriveKEK = deriveKEK;
+exports.wrapWCKForUser = wrapWCKForUser;
+exports.unwrapWCKFromUser = unwrapWCKFromUser;
+const tweetnacl_1 = __importDefault(require("tweetnacl"));
+const tweetnacl_util_1 = require("tweetnacl-util");
+const scrypt_1 = require("@noble/hashes/scrypt");
+/** Payload encrypted with MASTER_KEY (legacy) */
+exports.PAYLOAD_VERSION_LEGACY = 0;
+/** Payload encrypted with per-workspace WCK */
+exports.PAYLOAD_VERSION_WCK = 1;
+/** Generate a random 32-byte Workspace Content Key */
+function generateWCK() {
+    return tweetnacl_1.default.randomBytes(32);
+}
+/** Wrap a WCK using a wrapping key (e.g. MASTER_KEY). Returns base64 ciphertext + nonce. */
+function wrapKey(wck, wrappingKey) {
+    const nonce = tweetnacl_1.default.randomBytes(tweetnacl_1.default.secretbox.nonceLength);
+    const box = tweetnacl_1.default.secretbox(wck, nonce, wrappingKey);
+    return { ciphertext: (0, tweetnacl_util_1.encodeBase64)(box), nonce: (0, tweetnacl_util_1.encodeBase64)(nonce) };
+}
+/** Unwrap a WCK using a wrapping key. Returns the raw 32-byte WCK. */
+function unwrapKey(ciphertext, nonce, wrappingKey) {
+    const box = (0, tweetnacl_util_1.decodeBase64)(ciphertext);
+    const n = (0, tweetnacl_util_1.decodeBase64)(nonce);
+    const result = tweetnacl_1.default.secretbox.open(box, n, wrappingKey);
+    if (!result) {
+        throw new Error('unwrapKey failed: invalid wrapping key or corrupted data');
+    }
+    return result;
+}
+/** Derive a Key Encryption Key from a passphrase using scrypt. */
+function deriveKEK(passphrase, salt) {
+    const pw = new TextEncoder().encode(passphrase);
+    return (0, scrypt_1.scrypt)(pw, salt, { N: 2 ** 15, r: 8, p: 1, dkLen: 32 });
+}
+/** Wrap a WCK for a user using their passphrase. Returns base64 strings. */
+function wrapWCKForUser(wck, passphrase) {
+    const salt = tweetnacl_1.default.randomBytes(32);
+    const kek = deriveKEK(passphrase, salt);
+    const { ciphertext, nonce } = wrapKey(wck, kek);
+    return { ciphertext, nonce, salt: (0, tweetnacl_util_1.encodeBase64)(salt) };
+}
+/** Unwrap a WCK using a user's passphrase. Returns the raw 32-byte WCK. */
+function unwrapWCKFromUser(ciphertext, nonce, salt, passphrase) {
+    const saltBytes = (0, tweetnacl_util_1.decodeBase64)(salt);
+    const kek = deriveKEK(passphrase, saltBytes);
+    return unwrapKey(ciphertext, nonce, kek);
+}
+//# sourceMappingURL=content-crypto.js.map

package/dist/content-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-crypto.js","sourceRoot":"","sources":["../src/content-crypto.ts"],"names":[],"mappings":";;;;;;AAUA,kCAEC;AAGD,0BAOC;AAGD,8BAYC;AAGD,8BAMC;AAGD,wCAQC;AAGD,8CASC;AArED,0DAA6B;AAC7B,mDAA4D;AAC5D,iDAA8C;AAE9C,iDAAiD;AACpC,QAAA,sBAAsB,GAAG,CAAC,CAAC;AACxC,+CAA+C;AAClC,QAAA,mBAAmB,GAAG,CAAC,CAAC;AAErC,sDAAsD;AACtD,SAAgB,WAAW;IACzB,OAAO,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED,4FAA4F;AAC5F,SAAgB,OAAO,CACrB,GAAe,EACf,WAAuB;IAEvB,MAAM,KAAK,GAAG,mBAAI,CAAC,WAAW,CAAC,mBAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,mBAAI,CAAC,SAAS,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;IACpD,OAAO,EAAE,UAAU,EAAE,IAAA,6BAAY,EAAC,GAAG,CAAC,EAAE,KAAK,EAAE,IAAA,6BAAY,EAAC,KAAK,CAAC,EAAE,CAAC;AACvE,CAAC;AAED,sEAAsE;AACtE,SAAgB,SAAS,CACvB,UAAkB,EAClB,KAAa,EACb,WAAuB;IAEvB,MAAM,GAAG,GAAG,IAAA,6BAAY,EAAC,UAAU,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,IAAA,6BAAY,EAAC,KAAK,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,mBAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,kEAAkE;AAClE,SAAgB,SAAS,CACvB,UAAkB,EAClB,IAAgB;IAEhB,MAAM,EAAE,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAChD,OAAO,IAAA,eAAM,EAAC,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,4EAA4E;AAC5E,SAAgB,cAAc,CAC5B,GAAe,EACf,UAAkB;IAElB,MAAM,IAAI,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,IAAA,6BAAY,EAAC,IAAI,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,2EAA2E;AAC3E,SAAgB,iBAAiB,CAC/B,UAAkB,EAClB,KAAa,EACb,IAAY,EACZ,UAAkB;IAElB,MAAM,SAAS,GAAG,IAAA,6BAAY,EAAC,IAAI,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAC7C,OAAO,SAAS,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;AAC3C,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,13 @@
+export declare function generateKey(): Uint8Array;
+export declare function encrypt(data: string, key: Uint8Array): string;
+export declare function decrypt(encryptedData: string, key: Uint8Array): string;
+export declare function encryptDEK(dek: Uint8Array, masterKey: Uint8Array): string;
+export declare function decryptDEK(encryptedDEK: string, masterKey: Uint8Array): Uint8Array;
+export declare function getMasterKey(): Uint8Array;
+export declare function generateMasterKey(): string;
+export declare function encryptCredential(payload: Record<string, unknown>, masterKey: Uint8Array): {
+    encryptedDEK: string;
+    encryptedPayload: string;
+};
+export declare function decryptCredential(encryptedDEK: string, encryptedPayload: string, masterKey: Uint8Array): Record<string, unknown>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAGA,wBAAgB,WAAW,IAAI,UAAU,CAExC;AAED,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAU7D;AAED,wBAAgB,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAWtE;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAEzE;AAED,wBAAgB,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,CAGlF;AAMD,wBAAgB,YAAY,IAAI,UAAU,CAMzC;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,SAAS,EAAE,UAAU,GACpB;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAUpD;AAED,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,gBAAgB,EAAE,MAAM,EACxB,SAAS,EAAE,UAAU,GACpB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAUzB"}