altcha-lib 1.4.0 → 2.0.0-beta.1

package/dist/esm/v2/frameworks/nestjs.js

@@ -0,0 +1,202 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var AltchaModule_1;
+import { Module, Controller, Get, Post, Req, Injectable, Inject, HttpException, HttpStatus, createParamDecorator, } from '@nestjs/common';
+import { randomInt } from '../helpers.js';
+import { createChallenge } from '../pow.js';
+import { deriveHmacKeySecret, verify } from './shared.js';
+import { CappedMap } from '../capped-map.js';
+export { CappedMap, deriveHmacKeySecret, randomInt };
+const ALTCHA_OPTIONS = Symbol('ALTCHA_OPTIONS');
+export const Altcha = createParamDecorator((_data, ctx) => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.altcha;
+});
+export function createAltchaMiddleware(options = {}) {
+    const { throwOnFailure = true } = options;
+    let AltchaMiddleware = class AltchaMiddleware {
+        altchaService;
+        constructor(altchaService) {
+            this.altchaService = altchaService;
+        }
+        async use(req, res, next) {
+            const payload = this.altchaService.getPayloadFromRequest(req);
+            const { error, payload: resultPayload, verification, } = await this.altchaService.verify(payload);
+            req.altcha = {
+                error,
+                payload: resultPayload,
+                verification,
+            };
+            const setCookie = this.altchaService.setCookie;
+            if (setCookie) {
+                res.clearCookie(setCookie.name);
+            }
+            if (error && throwOnFailure) {
+                throw new HttpException(error, HttpStatus.BAD_REQUEST);
+            }
+            next();
+        }
+    };
+    AltchaMiddleware = __decorate([
+        Injectable(),
+        __metadata("design:paramtypes", [AltchaService])
+    ], AltchaMiddleware);
+    return AltchaMiddleware;
+}
+let AltchaService = class AltchaService {
+    hmacSignatureSecret;
+    hmacKeySignatureSecret;
+    createChallengeParameters;
+    deriveKey;
+    fieldName;
+    setCookieOptions;
+    store;
+    constructor(options) {
+        this.hmacSignatureSecret = options.hmacSignatureSecret;
+        this.hmacKeySignatureSecret = options.hmacKeySignatureSecret;
+        this.createChallengeParameters = options.createChallengeParameters;
+        this.deriveKey = options.deriveKey;
+        this.fieldName = options.fieldName || 'altcha';
+        this.setCookieOptions = options.setCookie;
+        this.store = options.store;
+    }
+    get setCookie() {
+        return this.setCookieOptions;
+    }
+    async getChallenge() {
+        const challenge = await createChallenge({
+            deriveKey: this.deriveKey,
+            hmacSignatureSecret: this.hmacSignatureSecret,
+            hmacKeySignatureSecret: this.hmacKeySignatureSecret,
+            ...this.createChallengeParameters(),
+        });
+        return {
+            configuration: this.setCookieOptions
+                ? { setCookie: this.setCookieOptions }
+                : undefined,
+            ...challenge,
+        };
+    }
+    getPayloadFromRequest(req, cookieName) {
+        if (cookieName) {
+            return req.cookies?.[cookieName];
+        }
+        return req.body?.[this.fieldName];
+    }
+    async verify(payload) {
+        return verify(payload, this.deriveKey, this.hmacSignatureSecret, this.hmacKeySignatureSecret, this.store);
+    }
+};
+AltchaService = __decorate([
+    Injectable(),
+    __param(0, Inject(ALTCHA_OPTIONS)),
+    __metadata("design:paramtypes", [Object])
+], AltchaService);
+export { AltchaService };
+let AltchaController = class AltchaController {
+    altchaService;
+    constructor(altchaService) {
+        this.altchaService = altchaService;
+    }
+    async getChallenge() {
+        return this.altchaService.getChallenge();
+    }
+    async verifySolution(req) {
+        const payload = this.altchaService.getPayloadFromRequest(req);
+        return this.altchaService.verify(payload);
+    }
+};
+__decorate([
+    Get('challenge'),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Promise)
+], AltchaController.prototype, "getChallenge", null);
+__decorate([
+    Post('verify'),
+    __param(0, Req()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], AltchaController.prototype, "verifySolution", null);
+AltchaController = __decorate([
+    Controller('altcha'),
+    __metadata("design:paramtypes", [AltchaService])
+], AltchaController);
+export { AltchaController };
+let AltchaMiddleware = class AltchaMiddleware {
+    altchaService;
+    constructor(altchaService) {
+        this.altchaService = altchaService;
+    }
+    async use(req, res, next) {
+        const payload = this.altchaService.getPayloadFromRequest(req, this.altchaService.setCookie?.name);
+        const { error, payload: resultPayload, verification, } = await this.altchaService.verify(payload);
+        req.altcha = {
+            error,
+            payload: resultPayload,
+            verification,
+        };
+        const setCookie = this.altchaService.setCookie;
+        if (setCookie) {
+            res.clearCookie(setCookie.name);
+        }
+        if (error) {
+            throw new HttpException(error, HttpStatus.BAD_REQUEST);
+        }
+        next();
+    }
+};
+AltchaMiddleware = __decorate([
+    Injectable(),
+    __metadata("design:paramtypes", [AltchaService])
+], AltchaMiddleware);
+export { AltchaMiddleware };
+let AltchaModule = AltchaModule_1 = class AltchaModule {
+    static register(options) {
+        return {
+            module: AltchaModule_1,
+            controllers: [AltchaController],
+            providers: [
+                {
+                    provide: ALTCHA_OPTIONS,
+                    useValue: options,
+                },
+                AltchaService,
+            ],
+            exports: [AltchaService, AltchaMiddleware],
+        };
+    }
+    static registerAsync(asyncOptions) {
+        return {
+            module: AltchaModule_1,
+            imports: asyncOptions.imports ?? [],
+            controllers: [AltchaController],
+            providers: [
+                {
+                    provide: ALTCHA_OPTIONS,
+                    useFactory: asyncOptions.useFactory,
+                    inject: asyncOptions.inject ?? [],
+                },
+                AltchaService,
+                AltchaMiddleware,
+            ],
+            exports: [AltchaService, AltchaMiddleware],
+        };
+    }
+};
+AltchaModule = AltchaModule_1 = __decorate([
+    Module({})
+], AltchaModule);
+export { AltchaModule };
+export default AltchaModule;

package/dist/esm/v2/frameworks/nextjs.d.ts

@@ -0,0 +1,21 @@
+import { randomInt } from '../helpers.js';
+import { CappedMap } from '../capped-map.js';
+import { deriveHmacKeySecret, verify } from './shared.js';
+import type { AltchaMiddlewareOptions, AltchaOptions, AltchaResult } from './types.js';
+export { CappedMap, deriveHmacKeySecret, randomInt };
+export type { AltchaOptions, AltchaResult };
+export declare function create(options: AltchaOptions): {
+    challengeHandler: (_req: Request) => Promise<Response>;
+    withMiddleware: (handler: (req: Request) => Promise<Response> | Response, options?: AltchaMiddlewareOptions) => (req: Request) => Promise<Response>;
+    verifyHandler: (req: Request) => Promise<Response>;
+    getPayloadFromRequest: (req: Request, cookieName?: string) => Promise<string | undefined>;
+    middleware: (req: Request, throwOnFailure?: boolean) => Promise<Response | AltchaResult>;
+    verify: typeof verify;
+};
+declare const _default: {
+    CappedMap: typeof CappedMap;
+    create: typeof create;
+    deriveHmacKeySecret: typeof deriveHmacKeySecret;
+    randomInt: typeof randomInt;
+};
+export default _default;

package/dist/esm/v2/frameworks/nextjs.js

@@ -0,0 +1,106 @@
+import { randomInt } from '../helpers.js';
+import { createChallenge } from '../pow.js';
+import { CappedMap } from '../capped-map.js';
+import { deriveHmacKeySecret, verify } from './shared.js';
+export { CappedMap, deriveHmacKeySecret, randomInt };
+function getCookieFromRequest(req, name) {
+    const header = req.headers.get('cookie');
+    if (!header) {
+        return undefined;
+    }
+    const match = header.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
+    return match ? decodeURIComponent(match[1]) : undefined;
+}
+function deleteCookie(res, name, path) {
+    res.headers.append('Set-Cookie', `${name}=; Path=${path ?? '/'}; Max-Age=0`);
+}
+export function create(options) {
+    const { createChallengeParameters, deriveKey, fieldName = 'altcha', hmacSignatureSecret, hmacKeySignatureSecret, setCookie, store, } = options;
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    async function challengeHandler(_req) {
+        const challenge = await createChallenge({
+            deriveKey,
+            hmacSignatureSecret,
+            hmacKeySignatureSecret,
+            ...createChallengeParameters(),
+        });
+        const body = {
+            configuration: setCookie
+                ? {
+                    setCookie,
+                }
+                : undefined,
+            ...challenge,
+        };
+        const response = Response.json(body);
+        return response;
+    }
+    async function verifyHandler(req) {
+        const payload = await getPayloadFromRequest(req);
+        const result = await verify(payload, deriveKey, hmacSignatureSecret, hmacKeySignatureSecret, store);
+        return Response.json(result);
+    }
+    async function getPayloadFromRequest(req, cookieName) {
+        let payload = undefined;
+        if (cookieName) {
+            payload = getCookieFromRequest(req, cookieName);
+        }
+        else {
+            const contentType = req.headers.get('content-type') ?? '';
+            let body = null;
+            if (contentType.includes('application/json')) {
+                body = await req.json();
+            }
+            else if (contentType.includes('multipart/form-data') ||
+                contentType.includes('application/x-www-form-urlencoded')) {
+                body = Object.fromEntries((await req.formData()).entries());
+            }
+            payload = body?.[fieldName];
+        }
+        return payload;
+    }
+    async function middleware(req, throwOnFailure = true) {
+        const payload = await getPayloadFromRequest(req, setCookie?.name);
+        const { error, payload: verifiedPayload, verification, } = await verify(payload, deriveKey, hmacSignatureSecret, hmacKeySignatureSecret, store);
+        const result = {
+            error,
+            payload: verifiedPayload,
+            verification,
+        };
+        const response = Response.json(result);
+        if (setCookie) {
+            deleteCookie(response, setCookie.name, setCookie.path);
+        }
+        if (error && throwOnFailure) {
+            return Response.json({ error }, { status: 403 });
+        }
+        return response;
+    }
+    function withMiddleware(handler, options = {}) {
+        const { throwOnFailure = true } = options;
+        return async (req) => {
+            const result = await middleware(req, throwOnFailure);
+            // If middleware returned a Response, it means verification failed
+            if (result instanceof Response) {
+                return result;
+            }
+            // Attach the result to the request for the handler to access
+            req.__altcha = result;
+            return handler(req);
+        };
+    }
+    return {
+        challengeHandler,
+        withMiddleware,
+        verifyHandler,
+        getPayloadFromRequest,
+        middleware,
+        verify,
+    };
+}
+export default {
+    CappedMap,
+    create,
+    deriveHmacKeySecret,
+    randomInt,
+};

package/dist/esm/v2/frameworks/shared.d.ts

@@ -0,0 +1,8 @@
+import { DeriveKeyFunction, Payload, ServerSignaturePayload, VerifySolutionResult } from '../types.js';
+import type { Store } from './types.js';
+export declare function deriveHmacKeySecret(masterSecret: string): Promise<string>;
+export declare function verify(payload: unknown, deriveKey: DeriveKeyFunction, hmacSignatureSecret: string, hmacKeySignatureSecret?: string, store?: Store): Promise<{
+    error: string | null;
+    payload: Payload | ServerSignaturePayload | null;
+    verification: VerifySolutionResult | null;
+}>;

package/dist/esm/v2/frameworks/shared.js

@@ -0,0 +1,117 @@
+import { verifySolution } from '../pow.js';
+import { verifyServerSignature } from '../server-signature.js';
+import { bufferToHex, hmac } from '../helpers.js';
+import { HmacAlgorithm, } from '../types.js';
+export async function deriveHmacKeySecret(masterSecret) {
+    return bufferToHex(await hmac(HmacAlgorithm.SHA_256, masterSecret, 'derived-secret'));
+}
+export async function verify(payload, deriveKey, hmacSignatureSecret, hmacKeySignatureSecret, store) {
+    if (!payload) {
+        return {
+            error: 'ALTCHA payload is missing.',
+            payload: null,
+            verification: null,
+        };
+    }
+    if (typeof payload === 'string') {
+        payload = parsePayload(payload);
+    }
+    if (!payload) {
+        return {
+            error: 'ALTCHA payload is invalid.',
+            payload: null,
+            verification: null,
+        };
+    }
+    const type = getPayloadType(payload);
+    let verification = null;
+    let challengeId = null;
+    try {
+        switch (type) {
+            case 'client':
+                challengeId = getChallengeId(payload);
+                if (store && challengeId) {
+                    await checkChallengeId(store, challengeId);
+                }
+                verification = await verifyClientPayload(payload, deriveKey, hmacSignatureSecret, hmacKeySignatureSecret);
+                break;
+            case 'server':
+                challengeId = payload.id;
+                if (store && challengeId) {
+                    await checkChallengeId(store, challengeId);
+                }
+                verification = await verifyServerSignaturePayload(payload, hmacSignatureSecret);
+                break;
+            default:
+                throw new Error('ALTCHA payload is invalid.');
+        }
+    }
+    catch (err) {
+        return {
+            error: err instanceof Error ? err.message : 'Unknown error',
+            payload: payload,
+            verification: null,
+        };
+    }
+    if (!verification?.verified) {
+        return {
+            error: 'ALTCHA verification failed.',
+            payload: payload,
+            verification,
+        };
+    }
+    return {
+        error: null,
+        payload: payload,
+        verification,
+    };
+}
+async function checkChallengeId(store, challengeId) {
+    if (await store.get(challengeId)) {
+        throw new Error('ALTCHA payload has been already used.');
+    }
+    await store.set(challengeId, true);
+}
+function getChallengeId(payload) {
+    const { challenge } = payload;
+    const data = challenge.parameters.data;
+    return data?.challengeId
+        ? String(data.challengeId)
+        : challenge.parameters.nonce;
+}
+function getPayloadType(payload) {
+    if (!payload || typeof payload !== 'object') {
+        return null;
+    }
+    if ('verificationData' in payload) {
+        return 'server';
+    }
+    if ('challenge' in payload && 'solution' in payload) {
+        return 'client';
+    }
+    return null;
+}
+function parsePayload(payload) {
+    try {
+        return JSON.parse(atob(payload));
+    }
+    catch {
+        return null;
+    }
+}
+function verifyClientPayload(payload, deriveKey, hmacSignatureSecret, hmacKeySignatureSecret) {
+    const { challenge, solution } = payload;
+    return verifySolution({
+        challenge,
+        deriveKey,
+        hmacSignatureSecret,
+        hmacKeySignatureSecret,
+        solution,
+    });
+}
+async function verifyServerSignaturePayload(payload, hmacSecret) {
+    return verifyServerSignature({
+        payload,
+        hmacSecret,
+    });
+}

package/dist/esm/v2/frameworks/sveltekit.d.ts

@@ -0,0 +1,29 @@
+import { type RequestEvent, type Handle } from '@sveltejs/kit';
+import { randomInt } from '../helpers.js';
+import { CappedMap } from '../capped-map.js';
+import { deriveHmacKeySecret, verify } from './shared.js';
+import type { AltchaMiddlewareOptions, AltchaOptions, AltchaResult } from './types.js';
+export { CappedMap, deriveHmacKeySecret, randomInt };
+export type { AltchaOptions, AltchaResult };
+declare global {
+    namespace App {
+        interface Locals {
+            altcha?: AltchaResult;
+        }
+    }
+}
+export declare function create(options: AltchaOptions): {
+    challengeHandler: () => Promise<Response>;
+    verifyHandler: (event: RequestEvent) => Promise<Response>;
+    verifyEvent: (event: RequestEvent) => Promise<AltchaResult>;
+    createHandle: (middlewareOptions?: AltchaMiddlewareOptions) => Handle;
+    getPayloadFromEvent: (event: RequestEvent, cookieName?: string) => Promise<string | undefined>;
+    verify: typeof verify;
+};
+declare const _default: {
+    CappedMap: typeof CappedMap;
+    create: typeof create;
+    deriveHmacKeySecret: typeof deriveHmacKeySecret;
+    randomInt: typeof randomInt;
+};
+export default _default;

package/dist/esm/v2/frameworks/sveltekit.js

@@ -0,0 +1,95 @@
+import { error, json } from '@sveltejs/kit';
+import { createChallenge } from '../pow.js';
+import { randomInt } from '../helpers.js';
+import { CappedMap } from '../capped-map.js';
+import { deriveHmacKeySecret, verify } from './shared.js';
+export { CappedMap, deriveHmacKeySecret, randomInt };
+async function getPayloadFromEvent(event, fieldName, cookieName) {
+    if (cookieName) {
+        return event.cookies.get(cookieName);
+    }
+    const contentType = event.request.headers.get('content-type') ?? '';
+    let body = null;
+    if (contentType.includes('application/json')) {
+        body = await event.request.json();
+    }
+    else if (contentType.includes('multipart/form-data') ||
+        contentType.includes('application/x-www-form-urlencoded')) {
+        const formData = await event.request.formData();
+        body = Object.fromEntries(formData.entries());
+    }
+    return body?.[fieldName];
+}
+export function create(options) {
+    const { createChallengeParameters, deriveKey, fieldName = 'altcha', hmacSignatureSecret, hmacKeySignatureSecret, setCookie, store, } = options;
+    async function challengeHandler() {
+        const challenge = await createChallenge({
+            deriveKey,
+            hmacSignatureSecret,
+            hmacKeySignatureSecret,
+            ...createChallengeParameters(),
+        });
+        return json({
+            configuration: setCookie
+                ? {
+                    setCookie,
+                }
+                : undefined,
+            ...challenge,
+        });
+    }
+    async function verifyHandler(event) {
+        const payload = await getPayloadFromEvent(event, fieldName);
+        const result = await verify(payload, deriveKey, hmacSignatureSecret, hmacKeySignatureSecret, store);
+        return json(result);
+    }
+    function createHandle(middlewareOptions = {}) {
+        const { throwOnFailure = true } = middlewareOptions;
+        return async ({ event, resolve }) => {
+            const payload = await getPayloadFromEvent(event, fieldName, setCookie?.name);
+            const { error: verifyError, payload: resultPayload, verification, } = await verify(payload, deriveKey, hmacSignatureSecret, hmacKeySignatureSecret, store);
+            event.locals.altcha = {
+                error: verifyError,
+                payload: resultPayload,
+                verification,
+            };
+            if (setCookie) {
+                event.cookies.delete(setCookie.name, {
+                    path: setCookie.path ?? '/',
+                });
+            }
+            if (verifyError && throwOnFailure) {
+                error(403, verifyError);
+            }
+            return resolve(event);
+        };
+    }
+    async function verifyEvent(event) {
+        const payload = await getPayloadFromEvent(event, fieldName, setCookie?.name);
+        const { error: verifyError, payload: resultPayload, verification, } = await verify(payload, deriveKey, hmacSignatureSecret, hmacKeySignatureSecret, store);
+        if (setCookie) {
+            event.cookies.delete(setCookie.name, {
+                path: setCookie.path ?? '/',
+            });
+        }
+        return {
+            error: verifyError,
+            payload: resultPayload,
+            verification,
+        };
+    }
+    return {
+        challengeHandler,
+        verifyHandler,
+        verifyEvent,
+        createHandle,
+        getPayloadFromEvent: (event, cookieName) => getPayloadFromEvent(event, fieldName, cookieName),
+        verify,
+    };
+}
+export default {
+    CappedMap,
+    create,
+    deriveHmacKeySecret,
+    randomInt,
+};

package/dist/esm/v2/frameworks/types.d.ts

@@ -0,0 +1,47 @@
+import type { CreateChallengeOptions, DeriveKeyFunction, Payload, ServerSignaturePayload, SetCookieOptions, VerifySolutionResult } from '../types.js';
+export interface AltchaOptions {
+    /**
+     * Returns configuration options passed to `createChallenge`.
+     * Must include `algorithm` and `cost`; all other `CreateChallengeOptions` fields are optional.
+     */
+    createChallengeParameters: () => Pick<CreateChallengeOptions, 'algorithm' | 'cost'> & Partial<CreateChallengeOptions>;
+    /**
+     * Algorithm-specific key derivation function used to generate challenge keys.
+     */
+    deriveKey: DeriveKeyFunction;
+    /**
+     * Name of the form field that carries the ALTCHA payload.
+     * Defaults to `'altcha'` if not specified.
+     */
+    fieldName?: string;
+    /**
+     * HMAC secret used to sign and verify challenge signatures.
+     */
+    hmacSignatureSecret: string;
+    /**
+     * HMAC secret used to sign keys in deterministic mode.
+     */
+    hmacKeySignatureSecret?: string;
+    /**
+     * Cookie configuration for sending the payload via a cookie.
+     * The `name` field is required; all other `SetCookieOptions` fields are optional.
+     */
+    setCookie?: RequireField<SetCookieOptions, 'name'>;
+    /**
+     * Store implementation for tracking used challenges and preventing replay attacks.
+     */
+    store?: Store;
+}
+export interface AltchaMiddlewareOptions {
+    throwOnFailure?: boolean;
+}
+export interface AltchaResult {
+    error: string | null;
+    payload: Payload | ServerSignaturePayload | null;
+    verification: VerifySolutionResult | null;
+}
+export type RequireField<T, K extends keyof T> = Omit<T, K> & Required<Pick<T, K>>;
+export interface Store {
+    get: (key: string) => Promise<unknown> | unknown;
+    set: (key: string, value: boolean) => Promise<unknown> | unknown;
+}

package/dist/esm/v2/frameworks/types.js

@@ -0,0 +1 @@
+export {};

package/dist/esm/v2/helpers.d.ts

@@ -0,0 +1,27 @@
+import type { HmacAlgorithm } from './types.js';
+/** Checks if a buffer starts with the given prefix bytes. */
+export declare function bufferStartsWith(buffer: Uint8Array, prefix: Uint8Array): boolean;
+/** Converts a byte buffer to a lowercase hex string. */
+export declare function bufferToHex(buffer: Uint8Array | ArrayBuffer): string;
+/** Returns a canonical (sorted-key) JSON string for consistent hashing/signing. */
+export declare function canonicalJSON(obj: unknown): string;
+/** Concatenates two Uint8Arrays into a new buffer. */
+export declare function concatBuffers(a: Uint8Array, b: Uint8Array): Uint8Array<ArrayBuffer>;
+/** Converts a hex string to a Uint8Array. Throws if the string has odd length. */
+export declare function hexToBuffer(hex: string): Uint8Array;
+/** Checks if two strings are equal in constant time. */
+export declare function constantTimeEqual(a: string, b: string): boolean;
+/** Yields to the event loop after the given milliseconds. */
+export declare function delay(ms: number): Promise<void>;
+/** Generate a SHA hash */
+export declare function hash(algorithm: string, data: ArrayBuffer | string): Promise<Uint8Array>;
+/** Computes an HMAC signature using the Web Crypto API. */
+export declare function hmac(algorithm: HmacAlgorithm, data: string | Uint8Array, keyStr: string): Promise<Uint8Array>;
+/** Inject CSS tag into the document */
+export declare function injectCss(css: string, id?: string): void;
+/** Generates a random integer between the specified minimum and maximum values (inclusive). */
+export declare function randomInt(max: number, min?: number): number;
+/** Recursively sorts object keys alphabetically for deterministic serialization. */
+export declare function sortKeys<T = unknown>(obj: T): T;
+/** Returns elapsed time in milliseconds since `start`, rounded to one decimal. */
+export declare function timeDuration(start: number): number;