cipher-kit 3.0.0-beta.0 → 3.0.0

package/README.md

@@ -137,6 +137,8 @@ if (result.success) {
 ```
 
 > **Wire format:** Both platforms output `iv.cipher.tag.` (3 dot-separated segments with trailing dot). The format is **cross-platform compatible** — data encrypted on Node can be decrypted on Web and vice versa.
+>
+> **Nonce exhaustion:** AES-GCM uses random 96-bit IVs. Rotate keys before ~2^32 encryptions with the same key to avoid nonce collision.
 
 ### `encryptObj` / `decryptObj` / `tryEncryptObj` / `tryDecryptObj`
 
@@ -245,7 +247,7 @@ isWebSecretKey(key); // true if key is WebSecretKey
 
 ### Regex Utilities
 
-Validate the structural shape of encrypted payloads before decryption.
+Validate the structural shape of encrypted payloads before decryption. This is a **structural** check only — it validates the dot-separated format but does not verify whether individual segments contain valid base64, base64url, or hex encoding.
 
 ```typescript
 import { ENCRYPTED_REGEX, matchEncryptedPattern } from "cipher-kit";

package/dist/{chunk-ZYX6MYHS.cjs → chunk-3A4RTUKO.cjs}

@@ -1,6 +1,6 @@
 'use strict';
 
-var chunkX7IPAA7B_cjs = require('./chunk-X7IPAA7B.cjs');
+var chunkVCBHSRCS_cjs = require('./chunk-VCBHSRCS.cjs');
 var nodeCrypto3 = require('crypto');
 var buffer = require('buffer');
 
@@ -10,7 +10,7 @@ var nodeCrypto3__default = /*#__PURE__*/_interopDefault(nodeCrypto3);
 
 // src/node/kit.ts
 var kit_exports = {};
-chunkX7IPAA7B_cjs.__export(kit_exports, {
+chunkVCBHSRCS_cjs.__export(kit_exports, {
   convertBytesToStr: () => convertBytesToStr,
   convertEncoding: () => convertEncoding,
   convertStrToBytes: () => convertStrToBytes,
@@ -39,13 +39,13 @@ chunkX7IPAA7B_cjs.__export(kit_exports, {
 });
 function $convertStrToBytes(data, inputEncoding = "utf8") {
   if (typeof data !== "string") {
-    return chunkX7IPAA7B_cjs.$err({
+    return chunkVCBHSRCS_cjs.$err({
       message: "node strToBytes: Data must be a string",
       description: `Expected a string value, received ${typeof data}`
     });
   }
-  if (!chunkX7IPAA7B_cjs.ENCODING.includes(inputEncoding)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.ENCODING.includes(inputEncoding)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: `node strToBytes: Unsupported encoding: ${inputEncoding}`,
       description: "Use base64, base64url, hex, utf8, or latin1"
     });
@@ -53,16 +53,16 @@ function $convertStrToBytes(data, inputEncoding = "utf8") {
   if (inputEncoding === "hex") {
     const clean = /^0x/i.test(data) ? data.slice(2) : data;
     if (clean.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(clean)) {
-      return chunkX7IPAA7B_cjs.$err({
+      return chunkVCBHSRCS_cjs.$err({
         message: "node strToBytes: Invalid hex string",
         description: "Hex string contains non-hex characters or has odd length"
       });
     }
-    return chunkX7IPAA7B_cjs.$ok({ result: buffer.Buffer.from(clean, "hex") });
+    return chunkVCBHSRCS_cjs.$ok({ result: buffer.Buffer.from(clean, "hex") });
   }
   if (inputEncoding === "base64") {
     if (!/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}={2}|[A-Za-z0-9+/]{3}=)?$/.test(data)) {
-      return chunkX7IPAA7B_cjs.$err({
+      return chunkVCBHSRCS_cjs.$err({
         message: "node strToBytes: Invalid base64 string",
         description: "Base64 string contains invalid characters or has incorrect padding"
       });
@@ -70,58 +70,58 @@ function $convertStrToBytes(data, inputEncoding = "utf8") {
   }
   if (inputEncoding === "base64url") {
     if (!/^[A-Za-z0-9_-]*={0,2}$/.test(data) || data.replace(/=+$/, "").length % 4 === 1) {
-      return chunkX7IPAA7B_cjs.$err({
+      return chunkVCBHSRCS_cjs.$err({
         message: "node strToBytes: Invalid base64url string",
         description: "Base64url string contains invalid characters or has incorrect length"
       });
     }
   }
   try {
-    return chunkX7IPAA7B_cjs.$ok({ result: buffer.Buffer.from(data, inputEncoding) });
+    return chunkVCBHSRCS_cjs.$ok({ result: buffer.Buffer.from(data, inputEncoding) });
   } catch (error) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node strToBytes: Failed to convert data", description: chunkX7IPAA7B_cjs.$fmtError(error) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node strToBytes: Failed to convert data", description: chunkVCBHSRCS_cjs.$fmtError(error) });
   }
 }
 function $convertBytesToStr(data, outputEncoding = "utf8") {
   if (!(data instanceof buffer.Buffer)) {
-    return chunkX7IPAA7B_cjs.$err({
+    return chunkVCBHSRCS_cjs.$err({
       message: "node bytesToStr: Data must be a Buffer",
       description: "Received a non-Buffer value"
     });
   }
-  if (!chunkX7IPAA7B_cjs.ENCODING.includes(outputEncoding)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.ENCODING.includes(outputEncoding)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: `node bytesToStr: Unsupported encoding: ${outputEncoding}`,
       description: "Use base64, base64url, hex, utf8, or latin1"
     });
   }
   try {
-    return chunkX7IPAA7B_cjs.$ok(data.toString(outputEncoding));
+    return chunkVCBHSRCS_cjs.$ok(data.toString(outputEncoding));
   } catch (error) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node bytesToStr: Failed to convert data", description: chunkX7IPAA7B_cjs.$fmtError(error) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node bytesToStr: Failed to convert data", description: chunkVCBHSRCS_cjs.$fmtError(error) });
   }
 }
 function $convertEncoding(data, from, to) {
-  if (!chunkX7IPAA7B_cjs.$isStr(data)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.$isStr(data)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node convertEncoding: Data must be a non-empty string",
       description: "Received empty or non-string value"
     });
   }
-  if (!chunkX7IPAA7B_cjs.ENCODING.includes(from) || !chunkX7IPAA7B_cjs.ENCODING.includes(to)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.ENCODING.includes(from) || !chunkVCBHSRCS_cjs.ENCODING.includes(to)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: `node convertEncoding: Unsupported encoding: from ${from} to ${to}`,
       description: "Use base64, base64url, hex, utf8, or latin1"
     });
   }
   const bytes = $convertStrToBytes(data, from);
-  if (bytes.error) return chunkX7IPAA7B_cjs.$err(bytes.error);
+  if (bytes.error) return chunkVCBHSRCS_cjs.$err(bytes.error);
   const str = $convertBytesToStr(bytes.result, to);
-  if (str.error) return chunkX7IPAA7B_cjs.$err(str.error);
-  return chunkX7IPAA7B_cjs.$ok(str.result);
+  if (str.error) return chunkVCBHSRCS_cjs.$err(str.error);
+  return chunkVCBHSRCS_cjs.$ok(str.result);
 }
 function $isNodeSecretKey(x) {
-  const base = chunkX7IPAA7B_cjs.$validateSecretKeyBase(x, "node");
+  const base = chunkVCBHSRCS_cjs.$validateSecretKeyBase(x, "node");
   if (!base) return null;
   if (!(base.obj.key instanceof nodeCrypto3__default.default.KeyObject) || typeof base.obj.key.symmetricKeySize === "number" && base.obj.key.symmetricKeySize !== base.algorithm.keyBytes) {
     return null;
@@ -129,8 +129,8 @@ function $isNodeSecretKey(x) {
   return x;
 }
 function $createSecretKey(secret, options) {
-  const validated = chunkX7IPAA7B_cjs.$validateCreateSecretKeyOptions(secret, options, "node");
-  if (validated.error) return chunkX7IPAA7B_cjs.$err(validated.error);
+  const validated = chunkVCBHSRCS_cjs.$validateCreateSecretKeyOptions(secret, options, "node");
+  if (validated.error) return chunkVCBHSRCS_cjs.$err(validated.error);
   const { algorithm, digest, salt, info, encryptAlgo, digestAlgo } = validated;
   try {
     const derivedKey = Buffer.from(
@@ -151,47 +151,47 @@ function $createSecretKey(secret, options) {
         key,
         injected: encryptAlgo
       });
-      return chunkX7IPAA7B_cjs.$ok({ result: secretKey });
+      return chunkVCBHSRCS_cjs.$ok({ result: secretKey });
     } finally {
       derivedKey.fill(0);
     }
   } catch (error) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node createSecretKey: Failed to derive key", description: chunkX7IPAA7B_cjs.$fmtError(error) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node createSecretKey: Failed to derive key", description: chunkVCBHSRCS_cjs.$fmtError(error) });
   }
 }
 
 // src/node/node-encrypt.ts
 function $encrypt(data, secretKey, options) {
-  if (!chunkX7IPAA7B_cjs.$isStr(data)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.$isStr(data)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node encrypt: Data must be a non-empty string",
       description: "Received empty or non-string value"
     });
   }
-  if (!chunkX7IPAA7B_cjs.$isPlainObj(options)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.$isPlainObj(options)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node encrypt: Options must be a plain object",
       description: 'Pass an object like { outputEncoding: "base64url" }'
     });
   }
   const outputEncoding = options.outputEncoding ?? "base64url";
-  if (!chunkX7IPAA7B_cjs.CIPHER_ENCODING.includes(outputEncoding)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.CIPHER_ENCODING.includes(outputEncoding)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: `node encrypt: Unsupported output encoding: ${outputEncoding}`,
       description: "Use base64, base64url, or hex"
     });
   }
   const injectedKey = $isNodeSecretKey(secretKey);
   if (!injectedKey) {
-    return chunkX7IPAA7B_cjs.$err({
+    return chunkVCBHSRCS_cjs.$err({
       message: "node encrypt: Invalid secret key",
       description: "Expected a NodeSecretKey created by nodeKit.createSecretKey()"
     });
   }
   const { result, error } = $convertStrToBytes(data, "utf8");
-  if (error) return chunkX7IPAA7B_cjs.$err(error);
+  if (error) return chunkVCBHSRCS_cjs.$err(error);
   try {
-    const iv = nodeCrypto3__default.default.randomBytes(chunkX7IPAA7B_cjs.GCM_IV_LENGTH);
+    const iv = nodeCrypto3__default.default.randomBytes(chunkVCBHSRCS_cjs.GCM_IV_LENGTH);
     const cipher = nodeCrypto3__default.default.createCipheriv(injectedKey.injected.node, injectedKey.key, iv);
     const encrypted = buffer.Buffer.concat([cipher.update(result), cipher.final()]);
     const tag = cipher.getAuthTag();
@@ -199,34 +199,34 @@ function $encrypt(data, secretKey, options) {
     const cipherStr = $convertBytesToStr(encrypted, outputEncoding);
     const tagStr = $convertBytesToStr(tag, outputEncoding);
     if (ivStr.error || cipherStr.error || tagStr.error) {
-      return chunkX7IPAA7B_cjs.$err({
+      return chunkVCBHSRCS_cjs.$err({
         message: "node encrypt: Failed to encode output",
-        description: `Conversion error: ${chunkX7IPAA7B_cjs.$fmtResultErr(ivStr.error || cipherStr.error || tagStr.error)}`
+        description: `Conversion error: ${chunkVCBHSRCS_cjs.$fmtResultErr(ivStr.error || cipherStr.error || tagStr.error)}`
       });
     }
-    return chunkX7IPAA7B_cjs.$ok(`${ivStr.result}.${cipherStr.result}.${tagStr.result}.`);
+    return chunkVCBHSRCS_cjs.$ok(`${ivStr.result}.${cipherStr.result}.${tagStr.result}.`);
   } catch (error2) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node encrypt: Failed to encrypt data", description: chunkX7IPAA7B_cjs.$fmtError(error2) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node encrypt: Failed to encrypt data", description: chunkVCBHSRCS_cjs.$fmtError(error2) });
   } finally {
     result.fill(0);
   }
 }
 function $decrypt(encrypted, secretKey, options) {
-  if (!chunkX7IPAA7B_cjs.matchEncryptedPattern(encrypted)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.matchEncryptedPattern(encrypted)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node decrypt: Invalid encrypted data format",
       description: 'Encrypted data must be in the format "iv.cipher.tag."'
     });
   }
-  if (!chunkX7IPAA7B_cjs.$isPlainObj(options)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.$isPlainObj(options)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node decrypt: Options must be a plain object",
       description: 'Pass an object like { inputEncoding: "base64url" }'
     });
   }
   const inputEncoding = options.inputEncoding ?? "base64url";
-  if (!chunkX7IPAA7B_cjs.CIPHER_ENCODING.includes(inputEncoding)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.CIPHER_ENCODING.includes(inputEncoding)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: `node decrypt: Unsupported input encoding: ${inputEncoding}`,
       description: "Use base64, base64url, or hex"
     });
@@ -234,7 +234,7 @@ function $decrypt(encrypted, secretKey, options) {
   const [iv, cipher, tag] = encrypted.split(".", 4);
   const injectedKey = $isNodeSecretKey(secretKey);
   if (!injectedKey) {
-    return chunkX7IPAA7B_cjs.$err({
+    return chunkVCBHSRCS_cjs.$err({
       message: "node decrypt: Invalid secret key",
       description: "Expected a NodeSecretKey created by nodeKit.createSecretKey()"
     });
@@ -243,21 +243,21 @@ function $decrypt(encrypted, secretKey, options) {
   const cipherBytes = $convertStrToBytes(cipher, inputEncoding);
   const tagBytes = $convertStrToBytes(tag, inputEncoding);
   if (ivBytes.error || cipherBytes.error || tagBytes.error) {
-    return chunkX7IPAA7B_cjs.$err({
+    return chunkVCBHSRCS_cjs.$err({
       message: "node decrypt: Failed to decode input",
-      description: `Conversion error: ${chunkX7IPAA7B_cjs.$fmtResultErr(ivBytes.error || cipherBytes.error || tagBytes.error)}`
+      description: `Conversion error: ${chunkVCBHSRCS_cjs.$fmtResultErr(ivBytes.error || cipherBytes.error || tagBytes.error)}`
     });
   }
-  if (ivBytes.result.byteLength !== chunkX7IPAA7B_cjs.GCM_IV_LENGTH) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (ivBytes.result.byteLength !== chunkVCBHSRCS_cjs.GCM_IV_LENGTH) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node decrypt: Invalid IV length",
-      description: `Expected ${chunkX7IPAA7B_cjs.GCM_IV_LENGTH} bytes, got ${ivBytes.result.byteLength}`
+      description: `Expected ${chunkVCBHSRCS_cjs.GCM_IV_LENGTH} bytes, got ${ivBytes.result.byteLength}`
     });
   }
-  if (tagBytes.result.byteLength !== chunkX7IPAA7B_cjs.GCM_TAG_BYTES) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (tagBytes.result.byteLength !== chunkVCBHSRCS_cjs.GCM_TAG_BYTES) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node decrypt: Invalid auth tag length",
-      description: `Expected ${chunkX7IPAA7B_cjs.GCM_TAG_BYTES} bytes, got ${tagBytes.result.byteLength}`
+      description: `Expected ${chunkVCBHSRCS_cjs.GCM_TAG_BYTES} bytes, got ${tagBytes.result.byteLength}`
     });
   }
   let decrypted;
@@ -267,86 +267,86 @@ function $decrypt(encrypted, secretKey, options) {
     decrypted = buffer.Buffer.concat([decipher.update(cipherBytes.result), decipher.final()]);
     return $convertBytesToStr(decrypted, "utf8");
   } catch (error) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node decrypt: Failed to decrypt data", description: chunkX7IPAA7B_cjs.$fmtError(error) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node decrypt: Failed to decrypt data", description: chunkVCBHSRCS_cjs.$fmtError(error) });
   } finally {
     decrypted?.fill(0);
   }
 }
 function $encryptObj(data, secretKey, options) {
-  const { result, error } = chunkX7IPAA7B_cjs.$stringifyObj(data);
-  if (error) return chunkX7IPAA7B_cjs.$err(error);
+  const { result, error } = chunkVCBHSRCS_cjs.$stringifyObj(data);
+  if (error) return chunkVCBHSRCS_cjs.$err(error);
   return $encrypt(result, secretKey, options);
 }
 function $decryptObj(encrypted, secretKey, options) {
   const { result, error } = $decrypt(encrypted, secretKey, options);
-  if (error) return chunkX7IPAA7B_cjs.$err(error);
-  return chunkX7IPAA7B_cjs.$parseToObj(result);
+  if (error) return chunkVCBHSRCS_cjs.$err(error);
+  return chunkVCBHSRCS_cjs.$parseToObj(result);
 }
 function $hash(data, options = {}) {
-  if (!chunkX7IPAA7B_cjs.$isStr(data)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.$isStr(data)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node hash: Data must be a non-empty string",
       description: "Received empty or non-string value"
     });
   }
-  if (!chunkX7IPAA7B_cjs.$isPlainObj(options)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.$isPlainObj(options)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: "node hash: Options must be a plain object",
       description: 'Pass an object like { digest: "sha256" }'
     });
   }
   const outputEncoding = options.outputEncoding ?? "base64url";
-  if (!chunkX7IPAA7B_cjs.CIPHER_ENCODING.includes(outputEncoding)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!chunkVCBHSRCS_cjs.CIPHER_ENCODING.includes(outputEncoding)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: `node hash: Unsupported output encoding: ${outputEncoding}`,
       description: "Use base64, base64url, or hex"
     });
   }
   const digest = options.digest ?? "sha256";
-  if (!(digest in chunkX7IPAA7B_cjs.DIGEST_ALGORITHMS)) {
-    return chunkX7IPAA7B_cjs.$err({
+  if (!(digest in chunkVCBHSRCS_cjs.DIGEST_ALGORITHMS)) {
+    return chunkVCBHSRCS_cjs.$err({
       message: `node hash: Unsupported digest: ${digest}`,
-      description: `Supported digests are: ${Object.keys(chunkX7IPAA7B_cjs.DIGEST_ALGORITHMS).join(", ")}`
+      description: `Supported digests are: ${Object.keys(chunkVCBHSRCS_cjs.DIGEST_ALGORITHMS).join(", ")}`
     });
   }
-  const digestAlgo = chunkX7IPAA7B_cjs.DIGEST_ALGORITHMS[digest];
+  const digestAlgo = chunkVCBHSRCS_cjs.DIGEST_ALGORITHMS[digest];
   const { result, error } = $convertStrToBytes(data, "utf8");
-  if (error) return chunkX7IPAA7B_cjs.$err(error);
+  if (error) return chunkVCBHSRCS_cjs.$err(error);
   try {
     const hashed = nodeCrypto3__default.default.createHash(digestAlgo.node).update(result).digest();
     return $convertBytesToStr(hashed, outputEncoding);
   } catch (error2) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node hash: Failed to hash data", description: chunkX7IPAA7B_cjs.$fmtError(error2) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node hash: Failed to hash data", description: chunkVCBHSRCS_cjs.$fmtError(error2) });
   }
 }
 function $hashPassword(password, options) {
-  const validated = chunkX7IPAA7B_cjs.$validateHashPasswordOptions(password, options, "node");
-  if (validated.error) return chunkX7IPAA7B_cjs.$err(validated.error);
+  const validated = chunkVCBHSRCS_cjs.$validateHashPasswordOptions(password, options, "node");
+  if (validated.error) return chunkVCBHSRCS_cjs.$err(validated.error);
   const { digestAlgo, outputEncoding, saltLength, iterations, keyLength } = validated;
   const salt = nodeCrypto3__default.default.randomBytes(saltLength);
   const hash2 = nodeCrypto3__default.default.pbkdf2Sync(password.normalize("NFKC"), salt, iterations, keyLength, digestAlgo.node);
   try {
     const saltStr = $convertBytesToStr(salt, outputEncoding);
-    if (saltStr.error) return chunkX7IPAA7B_cjs.$err(saltStr.error);
+    if (saltStr.error) return chunkVCBHSRCS_cjs.$err(saltStr.error);
     const hashStr = $convertBytesToStr(hash2, outputEncoding);
-    if (hashStr.error) return chunkX7IPAA7B_cjs.$err(hashStr.error);
-    return chunkX7IPAA7B_cjs.$ok({ result: hashStr.result, salt: saltStr.result });
+    if (hashStr.error) return chunkVCBHSRCS_cjs.$err(hashStr.error);
+    return chunkVCBHSRCS_cjs.$ok({ result: hashStr.result, salt: saltStr.result });
   } catch (error) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node hashPassword: Failed to hash password", description: chunkX7IPAA7B_cjs.$fmtError(error) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node hashPassword: Failed to hash password", description: chunkVCBHSRCS_cjs.$fmtError(error) });
   } finally {
     salt.fill(0);
     hash2.fill(0);
   }
 }
 function $verifyPassword(password, hashedPassword, salt, options) {
-  const validated = chunkX7IPAA7B_cjs.$validateVerifyPasswordOptions(password, hashedPassword, salt, options, "node");
-  if (validated.error) return chunkX7IPAA7B_cjs.$err(validated.error);
+  const validated = chunkVCBHSRCS_cjs.$validateVerifyPasswordOptions(password, hashedPassword, salt, options, "node");
+  if (validated.error) return chunkVCBHSRCS_cjs.$err(validated.error);
   const { digestAlgo, inputEncoding, iterations, keyLength } = validated;
   const saltBytes = $convertStrToBytes(salt, inputEncoding);
-  if (saltBytes.error) return chunkX7IPAA7B_cjs.$err(saltBytes.error);
+  if (saltBytes.error) return chunkVCBHSRCS_cjs.$err(saltBytes.error);
   const hashedPasswordBytes = $convertStrToBytes(hashedPassword, inputEncoding);
-  if (hashedPasswordBytes.error) return chunkX7IPAA7B_cjs.$err(hashedPasswordBytes.error);
-  if (hashedPasswordBytes.result.byteLength !== keyLength) return chunkX7IPAA7B_cjs.$ok(false);
+  if (hashedPasswordBytes.error) return chunkVCBHSRCS_cjs.$err(hashedPasswordBytes.error);
+  if (hashedPasswordBytes.result.byteLength !== keyLength) return chunkVCBHSRCS_cjs.$ok(false);
   try {
     const derived = nodeCrypto3__default.default.pbkdf2Sync(
       password.normalize("NFKC"),
@@ -362,14 +362,14 @@ function $verifyPassword(password, hashedPassword, salt, options) {
     expected.copy(right);
     try {
       const matches = nodeCrypto3__default.default.timingSafeEqual(left, right);
-      return chunkX7IPAA7B_cjs.$ok(matches);
+      return chunkVCBHSRCS_cjs.$ok(matches);
     } finally {
       left.fill(0);
       right.fill(0);
       derived.fill(0);
     }
   } catch (error) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node verifyPassword: Verification failed", description: chunkX7IPAA7B_cjs.$fmtError(error) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node verifyPassword: Verification failed", description: chunkVCBHSRCS_cjs.$fmtError(error) });
   } finally {
     saltBytes.result.fill(0);
     hashedPasswordBytes.result.fill(0);
@@ -382,9 +382,9 @@ function isNodeSecretKey(x) {
 }
 function tryGenerateUuid() {
   try {
-    return chunkX7IPAA7B_cjs.$ok(nodeCrypto3__default.default.randomUUID());
+    return chunkVCBHSRCS_cjs.$ok(nodeCrypto3__default.default.randomUUID());
   } catch (error) {
-    return chunkX7IPAA7B_cjs.$err({ message: "node generateUuid: Failed to generate UUID", description: chunkX7IPAA7B_cjs.$fmtError(error) });
+    return chunkVCBHSRCS_cjs.$err({ message: "node generateUuid: Failed to generate UUID", description: chunkVCBHSRCS_cjs.$fmtError(error) });
   }
 }
 function generateUuid() {
@@ -395,7 +395,7 @@ function tryCreateSecretKey(secret, options = {}) {
 }
 function createSecretKey(secret, options = {}) {
   const { result, error } = $createSecretKey(secret, options);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryEncrypt(data, secretKey, options = {}) {
@@ -403,7 +403,7 @@ function tryEncrypt(data, secretKey, options = {}) {
 }
 function encrypt(data, secretKey, options = {}) {
   const { result, error } = $encrypt(data, secretKey, options);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryDecrypt(encrypted, secretKey, options = {}) {
@@ -411,7 +411,7 @@ function tryDecrypt(encrypted, secretKey, options = {}) {
 }
 function decrypt(encrypted, secretKey, options = {}) {
   const { result, error } = $decrypt(encrypted, secretKey, options);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryEncryptObj(obj, secretKey, options = {}) {
@@ -419,7 +419,7 @@ function tryEncryptObj(obj, secretKey, options = {}) {
 }
 function encryptObj(obj, secretKey, options = {}) {
   const { result, error } = $encryptObj(obj, secretKey, options);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryDecryptObj(encrypted, secretKey, options = {}) {
@@ -427,7 +427,7 @@ function tryDecryptObj(encrypted, secretKey, options = {}) {
 }
 function decryptObj(encrypted, secretKey, options = {}) {
   const { result, error } = $decryptObj(encrypted, secretKey, options);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryHash(data, options = {}) {
@@ -435,7 +435,7 @@ function tryHash(data, options = {}) {
 }
 function hash(data, options = {}) {
   const { result, error } = $hash(data, options);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryHashPassword(password, options = {}) {
@@ -443,7 +443,7 @@ function tryHashPassword(password, options = {}) {
 }
 function hashPassword(password, options = {}) {
   const { result, salt, error } = $hashPassword(password, options);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return { result, salt };
 }
 function tryVerifyPassword(password, hashedPassword, salt, options = {}) {
@@ -451,7 +451,7 @@ function tryVerifyPassword(password, hashedPassword, salt, options = {}) {
 }
 function verifyPassword(password, hashedPassword, salt, options = {}) {
   const { result, error } = $verifyPassword(password, hashedPassword, salt, options);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryConvertStrToBytes(data, inputEncoding = "utf8") {
@@ -459,7 +459,7 @@ function tryConvertStrToBytes(data, inputEncoding = "utf8") {
 }
 function convertStrToBytes(data, inputEncoding = "utf8") {
   const { result, error } = $convertStrToBytes(data, inputEncoding);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryConvertBytesToStr(data, outputEncoding = "utf8") {
@@ -467,7 +467,7 @@ function tryConvertBytesToStr(data, outputEncoding = "utf8") {
 }
 function convertBytesToStr(data, outputEncoding = "utf8") {
   const { result, error } = $convertBytesToStr(data, outputEncoding);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 function tryConvertEncoding(data, from, to) {
@@ -475,7 +475,7 @@ function tryConvertEncoding(data, from, to) {
 }
 function convertEncoding(data, from, to) {
   const { result, error } = $convertEncoding(data, from, to);
-  if (error) throw new Error(chunkX7IPAA7B_cjs.$fmtResultErr(error));
+  if (error) throw new Error(chunkVCBHSRCS_cjs.$fmtResultErr(error));
   return result;
 }
 
@@ -505,5 +505,5 @@ exports.tryHash = tryHash;
 exports.tryHashPassword = tryHashPassword;
 exports.tryVerifyPassword = tryVerifyPassword;
 exports.verifyPassword = verifyPassword;
-//# sourceMappingURL=chunk-ZYX6MYHS.cjs.map
-//# sourceMappingURL=chunk-ZYX6MYHS.cjs.map
+//# sourceMappingURL=chunk-3A4RTUKO.cjs.map
+//# sourceMappingURL=chunk-3A4RTUKO.cjs.map