cipher-kit 2.1.3 → 3.0.0

package/dist/node.cjs

@@ -1,129 +1,133 @@
 'use strict';
 
-var chunkZNM5M6RD_cjs = require('./chunk-ZNM5M6RD.cjs');
-var chunkHTRGOBZF_cjs = require('./chunk-HTRGOBZF.cjs');
+var chunk3A4RTUKO_cjs = require('./chunk-3A4RTUKO.cjs');
+var chunkVCBHSRCS_cjs = require('./chunk-VCBHSRCS.cjs');
 
 
 
 Object.defineProperty(exports, "convertBytesToStr", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.convertBytesToStr; }
+  get: function () { return chunk3A4RTUKO_cjs.convertBytesToStr; }
 });
 Object.defineProperty(exports, "convertEncoding", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.convertEncoding; }
+  get: function () { return chunk3A4RTUKO_cjs.convertEncoding; }
 });
 Object.defineProperty(exports, "convertStrToBytes", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.convertStrToBytes; }
+  get: function () { return chunk3A4RTUKO_cjs.convertStrToBytes; }
 });
 Object.defineProperty(exports, "createSecretKey", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.createSecretKey; }
+  get: function () { return chunk3A4RTUKO_cjs.createSecretKey; }
 });
 Object.defineProperty(exports, "decrypt", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.decrypt; }
+  get: function () { return chunk3A4RTUKO_cjs.decrypt; }
 });
 Object.defineProperty(exports, "decryptObj", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.decryptObj; }
+  get: function () { return chunk3A4RTUKO_cjs.decryptObj; }
 });
 Object.defineProperty(exports, "encrypt", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.encrypt; }
+  get: function () { return chunk3A4RTUKO_cjs.encrypt; }
 });
 Object.defineProperty(exports, "encryptObj", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.encryptObj; }
+  get: function () { return chunk3A4RTUKO_cjs.encryptObj; }
 });
 Object.defineProperty(exports, "generateUuid", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.generateUuid; }
+  get: function () { return chunk3A4RTUKO_cjs.generateUuid; }
 });
 Object.defineProperty(exports, "hash", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.hash; }
+  get: function () { return chunk3A4RTUKO_cjs.hash; }
 });
 Object.defineProperty(exports, "hashPassword", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.hashPassword; }
+  get: function () { return chunk3A4RTUKO_cjs.hashPassword; }
+});
+Object.defineProperty(exports, "isNodeSecretKey", {
+  enumerable: true,
+  get: function () { return chunk3A4RTUKO_cjs.isNodeSecretKey; }
 });
 Object.defineProperty(exports, "tryConvertBytesToStr", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryConvertBytesToStr; }
+  get: function () { return chunk3A4RTUKO_cjs.tryConvertBytesToStr; }
 });
 Object.defineProperty(exports, "tryConvertEncoding", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryConvertEncoding; }
+  get: function () { return chunk3A4RTUKO_cjs.tryConvertEncoding; }
 });
 Object.defineProperty(exports, "tryConvertStrToBytes", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryConvertStrToBytes; }
+  get: function () { return chunk3A4RTUKO_cjs.tryConvertStrToBytes; }
 });
 Object.defineProperty(exports, "tryCreateSecretKey", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryCreateSecretKey; }
+  get: function () { return chunk3A4RTUKO_cjs.tryCreateSecretKey; }
 });
 Object.defineProperty(exports, "tryDecrypt", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryDecrypt; }
+  get: function () { return chunk3A4RTUKO_cjs.tryDecrypt; }
 });
 Object.defineProperty(exports, "tryDecryptObj", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryDecryptObj; }
+  get: function () { return chunk3A4RTUKO_cjs.tryDecryptObj; }
 });
 Object.defineProperty(exports, "tryEncrypt", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryEncrypt; }
+  get: function () { return chunk3A4RTUKO_cjs.tryEncrypt; }
 });
 Object.defineProperty(exports, "tryEncryptObj", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryEncryptObj; }
+  get: function () { return chunk3A4RTUKO_cjs.tryEncryptObj; }
 });
 Object.defineProperty(exports, "tryGenerateUuid", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryGenerateUuid; }
+  get: function () { return chunk3A4RTUKO_cjs.tryGenerateUuid; }
 });
 Object.defineProperty(exports, "tryHash", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryHash; }
+  get: function () { return chunk3A4RTUKO_cjs.tryHash; }
 });
 Object.defineProperty(exports, "tryHashPassword", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.tryHashPassword; }
+  get: function () { return chunk3A4RTUKO_cjs.tryHashPassword; }
 });
-Object.defineProperty(exports, "verifyPassword", {
+Object.defineProperty(exports, "tryVerifyPassword", {
   enumerable: true,
-  get: function () { return chunkZNM5M6RD_cjs.verifyPassword; }
+  get: function () { return chunk3A4RTUKO_cjs.tryVerifyPassword; }
 });
-Object.defineProperty(exports, "ENCRYPTED_REGEX", {
+Object.defineProperty(exports, "verifyPassword", {
   enumerable: true,
-  get: function () { return chunkHTRGOBZF_cjs.ENCRYPTED_REGEX; }
+  get: function () { return chunk3A4RTUKO_cjs.verifyPassword; }
 });
-Object.defineProperty(exports, "isNodeSecretKey", {
+Object.defineProperty(exports, "ENCRYPTED_REGEX", {
   enumerable: true,
-  get: function () { return chunkHTRGOBZF_cjs.isNodeSecretKey; }
+  get: function () { return chunkVCBHSRCS_cjs.ENCRYPTED_REGEX; }
 });
 Object.defineProperty(exports, "matchEncryptedPattern", {
   enumerable: true,
-  get: function () { return chunkHTRGOBZF_cjs.matchEncryptedPattern; }
+  get: function () { return chunkVCBHSRCS_cjs.matchEncryptedPattern; }
 });
 Object.defineProperty(exports, "parseToObj", {
   enumerable: true,
-  get: function () { return chunkHTRGOBZF_cjs.parseToObj; }
+  get: function () { return chunkVCBHSRCS_cjs.parseToObj; }
 });
 Object.defineProperty(exports, "stringifyObj", {
   enumerable: true,
-  get: function () { return chunkHTRGOBZF_cjs.stringifyObj; }
+  get: function () { return chunkVCBHSRCS_cjs.stringifyObj; }
 });
 Object.defineProperty(exports, "tryParseToObj", {
   enumerable: true,
-  get: function () { return chunkHTRGOBZF_cjs.tryParseToObj; }
+  get: function () { return chunkVCBHSRCS_cjs.tryParseToObj; }
 });
 Object.defineProperty(exports, "tryStringifyObj", {
   enumerable: true,
-  get: function () { return chunkHTRGOBZF_cjs.tryStringifyObj; }
+  get: function () { return chunkVCBHSRCS_cjs.tryStringifyObj; }
 });
 //# sourceMappingURL=node.cjs.map
 //# sourceMappingURL=node.cjs.map

package/dist/node.d.cts

@@ -1,4 +1,4 @@
-export { C as CipherEncoding, e as CreateSecretKeyOptions, g as DecryptOptions, D as DigestAlgorithm, E as ENCRYPTED_REGEX, c as Encoding, f as EncryptOptions, d as EncryptionAlgorithm, H as HashOptions, h as HashPasswordOptions, N as NodeSecretKey, V as VerifyPasswordOptions, W as WebSecretKey, i as isNodeSecretKey, m as matchEncryptedPattern, p as parseToObj, s as stringifyObj, t as tryParseToObj, a as tryStringifyObj } from './validate-lkJAHCeJ.cjs';
-export { u as convertBytesToStr, x as convertEncoding, r as convertStrToBytes, c as createSecretKey, f as decrypt, k as decryptObj, e as encrypt, i as encryptObj, g as generateUuid, m as hash, p as hashPassword, s as tryConvertBytesToStr, w as tryConvertEncoding, q as tryConvertStrToBytes, a as tryCreateSecretKey, d as tryDecrypt, j as tryDecryptObj, b as tryEncrypt, h as tryEncryptObj, t as tryGenerateUuid, l as tryHash, o as tryHashPassword, v as verifyPassword } from './export-KFT0YyMg.cjs';
-import 'node:crypto';
+export { C as CipherEncoding, a as CreateSecretKeyOptions, D as DecryptOptions, b as DigestAlgorithm, E as ENCRYPTED_REGEX, c as Encoding, d as EncryptOptions, e as EncryptionAlgorithm, f as ErrorStruct, H as HashOptions, g as HashPasswordOptions, R as Result, V as VerifyPasswordOptions, m as matchEncryptedPattern, p as parseToObj, s as stringifyObj, t as tryParseToObj, h as tryStringifyObj } from './validate-vDTesb-X.cjs';
+export { N as NodeSecretKey, c as convertBytesToStr, a as convertEncoding, b as convertStrToBytes, d as createSecretKey, e as decrypt, f as decryptObj, g as encrypt, h as encryptObj, i as generateUuid, j as hash, k as hashPassword, l as isNodeSecretKey, t as tryConvertBytesToStr, m as tryConvertEncoding, o as tryConvertStrToBytes, p as tryCreateSecretKey, q as tryDecrypt, r as tryDecryptObj, s as tryEncrypt, u as tryEncryptObj, v as tryGenerateUuid, w as tryHash, x as tryHashPassword, y as tryVerifyPassword, z as verifyPassword } from './export-DPuocAr3.cjs';
 import 'node:buffer';
+import 'node:crypto';

package/dist/node.d.ts

@@ -1,4 +1,4 @@
-export { C as CipherEncoding, e as CreateSecretKeyOptions, g as DecryptOptions, D as DigestAlgorithm, E as ENCRYPTED_REGEX, c as Encoding, f as EncryptOptions, d as EncryptionAlgorithm, H as HashOptions, h as HashPasswordOptions, N as NodeSecretKey, V as VerifyPasswordOptions, W as WebSecretKey, i as isNodeSecretKey, m as matchEncryptedPattern, p as parseToObj, s as stringifyObj, t as tryParseToObj, a as tryStringifyObj } from './validate-lkJAHCeJ.js';
-export { u as convertBytesToStr, x as convertEncoding, r as convertStrToBytes, c as createSecretKey, f as decrypt, k as decryptObj, e as encrypt, i as encryptObj, g as generateUuid, m as hash, p as hashPassword, s as tryConvertBytesToStr, w as tryConvertEncoding, q as tryConvertStrToBytes, a as tryCreateSecretKey, d as tryDecrypt, j as tryDecryptObj, b as tryEncrypt, h as tryEncryptObj, t as tryGenerateUuid, l as tryHash, o as tryHashPassword, v as verifyPassword } from './export-BaM_OTFk.js';
-import 'node:crypto';
+export { C as CipherEncoding, a as CreateSecretKeyOptions, D as DecryptOptions, b as DigestAlgorithm, E as ENCRYPTED_REGEX, c as Encoding, d as EncryptOptions, e as EncryptionAlgorithm, f as ErrorStruct, H as HashOptions, g as HashPasswordOptions, R as Result, V as VerifyPasswordOptions, m as matchEncryptedPattern, p as parseToObj, s as stringifyObj, t as tryParseToObj, h as tryStringifyObj } from './validate-vDTesb-X.js';
+export { N as NodeSecretKey, c as convertBytesToStr, a as convertEncoding, b as convertStrToBytes, d as createSecretKey, e as decrypt, f as decryptObj, g as encrypt, h as encryptObj, i as generateUuid, j as hash, k as hashPassword, l as isNodeSecretKey, t as tryConvertBytesToStr, m as tryConvertEncoding, o as tryConvertStrToBytes, p as tryCreateSecretKey, q as tryDecrypt, r as tryDecryptObj, s as tryEncrypt, u as tryEncryptObj, v as tryGenerateUuid, w as tryHash, x as tryHashPassword, y as tryVerifyPassword, z as verifyPassword } from './export-C0_UEEg8.js';
 import 'node:buffer';
+import 'node:crypto';

package/dist/node.js

@@ -1,4 +1,4 @@
-export { convertBytesToStr, convertEncoding, convertStrToBytes, createSecretKey, decrypt, decryptObj, encrypt, encryptObj, generateUuid, hash, hashPassword, tryConvertBytesToStr, tryConvertEncoding, tryConvertStrToBytes, tryCreateSecretKey, tryDecrypt, tryDecryptObj, tryEncrypt, tryEncryptObj, tryGenerateUuid, tryHash, tryHashPassword, verifyPassword } from './chunk-S6SNCTU6.js';
-export { ENCRYPTED_REGEX, isNodeSecretKey, matchEncryptedPattern, parseToObj, stringifyObj, tryParseToObj, tryStringifyObj } from './chunk-LU7QOSQH.js';
+export { convertBytesToStr, convertEncoding, convertStrToBytes, createSecretKey, decrypt, decryptObj, encrypt, encryptObj, generateUuid, hash, hashPassword, isNodeSecretKey, tryConvertBytesToStr, tryConvertEncoding, tryConvertStrToBytes, tryCreateSecretKey, tryDecrypt, tryDecryptObj, tryEncrypt, tryEncryptObj, tryGenerateUuid, tryHash, tryHashPassword, tryVerifyPassword, verifyPassword } from './chunk-X6MX4NDE.js';
+export { ENCRYPTED_REGEX, matchEncryptedPattern, parseToObj, stringifyObj, tryParseToObj, tryStringifyObj } from './chunk-IY6XGUYO.js';
 //# sourceMappingURL=node.js.map
 //# sourceMappingURL=node.js.map

package/dist/validate-vDTesb-X.d.cts

@@ -0,0 +1,195 @@
+interface ErrorStruct {
+    readonly message: string;
+    readonly description: string;
+}
+type ReservedResultKeys = "success" | "error";
+type ShouldWrapObject<T extends object> = Extract<keyof T, ReservedResultKeys> extends never ? false : true;
+type OkType<T> = {
+    readonly success: true;
+    readonly error?: undefined;
+} & (T extends object ? ShouldWrapObject<T> extends true ? {
+    readonly result: T;
+} : {
+    readonly [K in keyof T]: T[K];
+} : {
+    readonly result: T;
+});
+type ErrType<T> = {
+    readonly success: false;
+    readonly error: ErrorStruct;
+} & (T extends object ? ShouldWrapObject<T> extends true ? {
+    readonly result?: undefined;
+} : {
+    readonly [K in keyof T]?: undefined;
+} : {
+    readonly result?: undefined;
+});
+type Result<T> = OkType<T> | ErrType<T>;
+declare const ENCODING: readonly ["base64", "base64url", "hex", "utf8", "latin1"];
+declare const CIPHER_ENCODING: readonly ["base64", "base64url", "hex"];
+
+declare const DIGEST_ALGORITHMS: Readonly<{
+    readonly sha256: {
+        readonly node: "sha256";
+        readonly web: "SHA-256";
+    };
+    readonly sha384: {
+        readonly node: "sha384";
+        readonly web: "SHA-384";
+    };
+    readonly sha512: {
+        readonly node: "sha512";
+        readonly web: "SHA-512";
+    };
+}>;
+declare const ENCRYPTION_ALGORITHMS: Readonly<{
+    readonly aes256gcm: {
+        readonly keyBytes: 32;
+        readonly node: "aes-256-gcm";
+        readonly web: "AES-GCM";
+    };
+    readonly aes192gcm: {
+        readonly keyBytes: 24;
+        readonly node: "aes-192-gcm";
+        readonly web: "AES-GCM";
+    };
+    readonly aes128gcm: {
+        readonly keyBytes: 16;
+        readonly node: "aes-128-gcm";
+        readonly web: "AES-GCM";
+    };
+}>;
+
+type CipherEncoding = (typeof CIPHER_ENCODING)[number];
+type Encoding = (typeof ENCODING)[number];
+type EncryptionAlgorithm = keyof typeof ENCRYPTION_ALGORITHMS;
+type DigestAlgorithm = keyof typeof DIGEST_ALGORITHMS;
+/**
+ * Options for creating a secret key (`NodeSecretKey` / `WebSecretKey`) via HKDF derivation.
+ *
+ * **Security note:** HKDF is a key expansion function, not a key stretching function.
+ * It provides no brute-force resistance. The `secret` parameter must be high-entropy
+ * (e.g., a 256-bit random key or a cryptographically strong passphrase).
+ * For human-chosen passwords, use {@link HashPasswordOptions | PBKDF2} instead.
+ */
+interface CreateSecretKeyOptions {
+    /** Encryption algorithm to use (default: `'aes256gcm'`). */
+    algorithm?: EncryptionAlgorithm;
+    /** Digest algorithm for HKDF (default: `'sha256'`). */
+    digest?: DigestAlgorithm;
+    /**
+     * Salt for HKDF (default: `'cipher-kit'`, must be ≥ 8 characters).
+     *
+     * For per-user or per-deployment uniqueness, provide your own unique random salt.
+     */
+    salt?: string;
+    /** Optional context info for HKDF (default: `'cipher-kit'`). */
+    info?: string;
+    /**
+     * Whether the derived Web CryptoKey is extractable (default: `false`).
+     * Set to `true` only if you need to export the raw key material via `crypto.subtle.exportKey()`.
+     * Has no effect on Node.js keys.
+     */
+    extractable?: boolean;
+}
+/** Options for encryption. */
+interface EncryptOptions {
+    /** Encoding format for the output ciphertext (default: `'base64url'`). */
+    outputEncoding?: CipherEncoding;
+}
+/** Options for decryption. */
+interface DecryptOptions {
+    /** Encoding format for the input ciphertext (default: `'base64url'`). */
+    inputEncoding?: CipherEncoding;
+}
+/** Options for hashing arbitrary data. */
+interface HashOptions {
+    /** Digest algorithm to use (default: `'sha256'`). */
+    digest?: DigestAlgorithm;
+    /** Encoding format for the output hash (default: `'base64url'`). */
+    outputEncoding?: CipherEncoding;
+}
+/** Options for password hashing (PBKDF2). */
+interface HashPasswordOptions {
+    /** Digest algorithm to use (default: `'sha512'`). */
+    digest?: DigestAlgorithm;
+    /** Encoding format for the output hash (default: `'base64url'`). */
+    outputEncoding?: CipherEncoding;
+    /** Length of the salt in bytes (default: `16`; min: `8`; max: `1024`). */
+    saltLength?: number;
+    /** Number of iterations for key derivation (default: `320000`; min: `100000`; max: `10000000`). */
+    iterations?: number;
+    /** Length of the derived key in bytes (default: `64`; min: `16`; max: `1024`). */
+    keyLength?: number;
+}
+/** Options for verifying a password hash (must match the parameters used to hash). */
+interface VerifyPasswordOptions {
+    /** Digest algorithm to use (default: `'sha512'`). */
+    digest?: DigestAlgorithm;
+    /** Encoding format of the input hash (default: `'base64url'`). */
+    inputEncoding?: CipherEncoding;
+    /** Number of iterations for key derivation (default: `320000`; min: `100000`; max: `10000000`). */
+    iterations?: number;
+    /** Length of the derived key in bytes (default: `64`; min: `16`; max: `1024`). */
+    keyLength?: number;
+}
+
+/**
+ * Serializes a plain object to JSON (non-throwing).
+ *
+ * @returns `Result<string>` with the JSON string or error.
+ * @see {@link stringifyObj} For full parameter/behavior docs.
+ */
+declare function tryStringifyObj<T extends object = Record<string, unknown>>(obj: T): Result<string>;
+/**
+ * Serializes a plain object to JSON.
+ *
+ * @remarks
+ * Only plain objects (POJOs) are accepted; class instances, Maps, Sets, etc. are rejected.
+ *
+ * @param obj - The object to stringify.
+ * @returns JSON string representation of the object.
+ * @throws {Error} If `obj` is not a plain object or serialization fails.
+ *
+ * @example
+ * ```ts
+ * const json = stringifyObj({ a: 1 }); // '{"a":1}'
+ * ```
+ *
+ * @see {@link tryStringifyObj} Non-throwing variant returning `Result<string>`.
+ */
+declare function stringifyObj<T extends object = Record<string, unknown>>(obj: T): string;
+/**
+ * Parses a JSON string to a plain object (non-throwing).
+ *
+ * @returns `Result<{ result: T }>` with the parsed object or error.
+ * @see {@link parseToObj} For full parameter/behavior docs.
+ */
+declare function tryParseToObj<T extends object = Record<string, unknown>>(str: string): Result<{
+    result: T;
+}>;
+/**
+ * Parses a JSON string to a plain object.
+ *
+ * @param str - The JSON string to parse.
+ * @returns The parsed plain object.
+ * @throws {Error} If the string can't be parsed or doesn't represent a plain object.
+ *
+ * @example
+ * ```ts
+ * const obj = parseToObj<{ a: number }>('{"a":1}'); // obj.a === 1
+ * ```
+ *
+ * @see {@link tryParseToObj} Non-throwing variant returning `Result<{ result: T }>`.
+ */
+declare function parseToObj<T extends object = Record<string, unknown>>(str: string): T;
+
+/** Matches the `"iv.cipher.tag."` encrypted payload format. */
+declare const ENCRYPTED_REGEX: RegExp;
+/**
+ * Structural check only — validates the dot-separated `"iv.cipher.tag."` format
+ * but does NOT verify that individual segments contain valid base64, base64url, or hex encoding.
+ */
+declare function matchEncryptedPattern(data: string): boolean;
+
+export { type CipherEncoding as C, type DecryptOptions as D, ENCRYPTED_REGEX as E, type HashOptions as H, type Result as R, type VerifyPasswordOptions as V, type CreateSecretKeyOptions as a, type DigestAlgorithm as b, type Encoding as c, type EncryptOptions as d, type EncryptionAlgorithm as e, type ErrorStruct as f, type HashPasswordOptions as g, tryStringifyObj as h, DIGEST_ALGORITHMS as i, ENCRYPTION_ALGORITHMS as j, matchEncryptedPattern as m, parseToObj as p, stringifyObj as s, tryParseToObj as t };

package/dist/validate-vDTesb-X.d.ts

@@ -0,0 +1,195 @@
+interface ErrorStruct {
+    readonly message: string;
+    readonly description: string;
+}
+type ReservedResultKeys = "success" | "error";
+type ShouldWrapObject<T extends object> = Extract<keyof T, ReservedResultKeys> extends never ? false : true;
+type OkType<T> = {
+    readonly success: true;
+    readonly error?: undefined;
+} & (T extends object ? ShouldWrapObject<T> extends true ? {
+    readonly result: T;
+} : {
+    readonly [K in keyof T]: T[K];
+} : {
+    readonly result: T;
+});
+type ErrType<T> = {
+    readonly success: false;
+    readonly error: ErrorStruct;
+} & (T extends object ? ShouldWrapObject<T> extends true ? {
+    readonly result?: undefined;
+} : {
+    readonly [K in keyof T]?: undefined;
+} : {
+    readonly result?: undefined;
+});
+type Result<T> = OkType<T> | ErrType<T>;
+declare const ENCODING: readonly ["base64", "base64url", "hex", "utf8", "latin1"];
+declare const CIPHER_ENCODING: readonly ["base64", "base64url", "hex"];
+
+declare const DIGEST_ALGORITHMS: Readonly<{
+    readonly sha256: {
+        readonly node: "sha256";
+        readonly web: "SHA-256";
+    };
+    readonly sha384: {
+        readonly node: "sha384";
+        readonly web: "SHA-384";
+    };
+    readonly sha512: {
+        readonly node: "sha512";
+        readonly web: "SHA-512";
+    };
+}>;
+declare const ENCRYPTION_ALGORITHMS: Readonly<{
+    readonly aes256gcm: {
+        readonly keyBytes: 32;
+        readonly node: "aes-256-gcm";
+        readonly web: "AES-GCM";
+    };
+    readonly aes192gcm: {
+        readonly keyBytes: 24;
+        readonly node: "aes-192-gcm";
+        readonly web: "AES-GCM";
+    };
+    readonly aes128gcm: {
+        readonly keyBytes: 16;
+        readonly node: "aes-128-gcm";
+        readonly web: "AES-GCM";
+    };
+}>;
+
+type CipherEncoding = (typeof CIPHER_ENCODING)[number];
+type Encoding = (typeof ENCODING)[number];
+type EncryptionAlgorithm = keyof typeof ENCRYPTION_ALGORITHMS;
+type DigestAlgorithm = keyof typeof DIGEST_ALGORITHMS;
+/**
+ * Options for creating a secret key (`NodeSecretKey` / `WebSecretKey`) via HKDF derivation.
+ *
+ * **Security note:** HKDF is a key expansion function, not a key stretching function.
+ * It provides no brute-force resistance. The `secret` parameter must be high-entropy
+ * (e.g., a 256-bit random key or a cryptographically strong passphrase).
+ * For human-chosen passwords, use {@link HashPasswordOptions | PBKDF2} instead.
+ */
+interface CreateSecretKeyOptions {
+    /** Encryption algorithm to use (default: `'aes256gcm'`). */
+    algorithm?: EncryptionAlgorithm;
+    /** Digest algorithm for HKDF (default: `'sha256'`). */
+    digest?: DigestAlgorithm;
+    /**
+     * Salt for HKDF (default: `'cipher-kit'`, must be ≥ 8 characters).
+     *
+     * For per-user or per-deployment uniqueness, provide your own unique random salt.
+     */
+    salt?: string;
+    /** Optional context info for HKDF (default: `'cipher-kit'`). */
+    info?: string;
+    /**
+     * Whether the derived Web CryptoKey is extractable (default: `false`).
+     * Set to `true` only if you need to export the raw key material via `crypto.subtle.exportKey()`.
+     * Has no effect on Node.js keys.
+     */
+    extractable?: boolean;
+}
+/** Options for encryption. */
+interface EncryptOptions {
+    /** Encoding format for the output ciphertext (default: `'base64url'`). */
+    outputEncoding?: CipherEncoding;
+}
+/** Options for decryption. */
+interface DecryptOptions {
+    /** Encoding format for the input ciphertext (default: `'base64url'`). */
+    inputEncoding?: CipherEncoding;
+}
+/** Options for hashing arbitrary data. */
+interface HashOptions {
+    /** Digest algorithm to use (default: `'sha256'`). */
+    digest?: DigestAlgorithm;
+    /** Encoding format for the output hash (default: `'base64url'`). */
+    outputEncoding?: CipherEncoding;
+}
+/** Options for password hashing (PBKDF2). */
+interface HashPasswordOptions {
+    /** Digest algorithm to use (default: `'sha512'`). */
+    digest?: DigestAlgorithm;
+    /** Encoding format for the output hash (default: `'base64url'`). */
+    outputEncoding?: CipherEncoding;
+    /** Length of the salt in bytes (default: `16`; min: `8`; max: `1024`). */
+    saltLength?: number;
+    /** Number of iterations for key derivation (default: `320000`; min: `100000`; max: `10000000`). */
+    iterations?: number;
+    /** Length of the derived key in bytes (default: `64`; min: `16`; max: `1024`). */
+    keyLength?: number;
+}
+/** Options for verifying a password hash (must match the parameters used to hash). */
+interface VerifyPasswordOptions {
+    /** Digest algorithm to use (default: `'sha512'`). */
+    digest?: DigestAlgorithm;
+    /** Encoding format of the input hash (default: `'base64url'`). */
+    inputEncoding?: CipherEncoding;
+    /** Number of iterations for key derivation (default: `320000`; min: `100000`; max: `10000000`). */
+    iterations?: number;
+    /** Length of the derived key in bytes (default: `64`; min: `16`; max: `1024`). */
+    keyLength?: number;
+}
+
+/**
+ * Serializes a plain object to JSON (non-throwing).
+ *
+ * @returns `Result<string>` with the JSON string or error.
+ * @see {@link stringifyObj} For full parameter/behavior docs.
+ */
+declare function tryStringifyObj<T extends object = Record<string, unknown>>(obj: T): Result<string>;
+/**
+ * Serializes a plain object to JSON.
+ *
+ * @remarks
+ * Only plain objects (POJOs) are accepted; class instances, Maps, Sets, etc. are rejected.
+ *
+ * @param obj - The object to stringify.
+ * @returns JSON string representation of the object.
+ * @throws {Error} If `obj` is not a plain object or serialization fails.
+ *
+ * @example
+ * ```ts
+ * const json = stringifyObj({ a: 1 }); // '{"a":1}'
+ * ```
+ *
+ * @see {@link tryStringifyObj} Non-throwing variant returning `Result<string>`.
+ */
+declare function stringifyObj<T extends object = Record<string, unknown>>(obj: T): string;
+/**
+ * Parses a JSON string to a plain object (non-throwing).
+ *
+ * @returns `Result<{ result: T }>` with the parsed object or error.
+ * @see {@link parseToObj} For full parameter/behavior docs.
+ */
+declare function tryParseToObj<T extends object = Record<string, unknown>>(str: string): Result<{
+    result: T;
+}>;
+/**
+ * Parses a JSON string to a plain object.
+ *
+ * @param str - The JSON string to parse.
+ * @returns The parsed plain object.
+ * @throws {Error} If the string can't be parsed or doesn't represent a plain object.
+ *
+ * @example
+ * ```ts
+ * const obj = parseToObj<{ a: number }>('{"a":1}'); // obj.a === 1
+ * ```
+ *
+ * @see {@link tryParseToObj} Non-throwing variant returning `Result<{ result: T }>`.
+ */
+declare function parseToObj<T extends object = Record<string, unknown>>(str: string): T;
+
+/** Matches the `"iv.cipher.tag."` encrypted payload format. */
+declare const ENCRYPTED_REGEX: RegExp;
+/**
+ * Structural check only — validates the dot-separated `"iv.cipher.tag."` format
+ * but does NOT verify that individual segments contain valid base64, base64url, or hex encoding.
+ */
+declare function matchEncryptedPattern(data: string): boolean;
+
+export { type CipherEncoding as C, type DecryptOptions as D, ENCRYPTED_REGEX as E, type HashOptions as H, type Result as R, type VerifyPasswordOptions as V, type CreateSecretKeyOptions as a, type DigestAlgorithm as b, type Encoding as c, type EncryptOptions as d, type EncryptionAlgorithm as e, type ErrorStruct as f, type HashPasswordOptions as g, tryStringifyObj as h, DIGEST_ALGORITHMS as i, ENCRYPTION_ALGORITHMS as j, matchEncryptedPattern as m, parseToObj as p, stringifyObj as s, tryParseToObj as t };