e2ee-client-backend 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/LICENSE +202 -0
  2. package/README.md +94 -0
  3. package/dist/index.d.ts +408 -0
  4. package/dist/index.js +1026 -0
  5. package/dist/index.js.map +1 -0
  6. package/package.json +59 -0
package/dist/index.d.ts ADDED
@@ -0,0 +1,408 @@
1
+ interface CrudAdapter<TRemote, TId = string> {
2
+ create(input: TRemote): Promise<TRemote>;
3
+ delete(id: TId): Promise<void>;
4
+ getById(id: TId): Promise<TRemote | null>;
5
+ list(): Promise<TRemote[]>;
6
+ update(id: TId, input: TRemote): Promise<TRemote>;
7
+ }
8
+ interface GraphqlTransport {
9
+ mutate<TResult, TVariables = Record<string, unknown>>(document: unknown, variables?: TVariables): Promise<TResult>;
10
+ query<TResult, TVariables = Record<string, unknown>>(document: unknown, variables?: TVariables): Promise<TResult>;
11
+ }
12
+ type RestMethod = "DELETE" | "GET" | "PATCH" | "POST" | "PUT";
13
+ interface RestRequest<TBody = unknown> {
14
+ body?: TBody;
15
+ headers?: Record<string, string>;
16
+ method: RestMethod;
17
+ path: string;
18
+ query?: Record<string, boolean | number | string | null | undefined>;
19
+ }
20
+ interface RestTransport {
21
+ request<TResult, TBody = unknown>(request: RestRequest<TBody>): Promise<TResult>;
22
+ }
23
+
24
+ type GraphqlOperationKind = "mutation" | "query";
25
+ interface GraphqlExecutorInput<TVariables = Record<string, unknown>> {
26
+ document: unknown;
27
+ kind: GraphqlOperationKind;
28
+ variables?: TVariables;
29
+ }
30
+ type GraphqlExecutor = <TResult, TVariables = Record<string, unknown>>(input: GraphqlExecutorInput<TVariables>) => Promise<TResult>;
31
+ declare class FunctionGraphqlTransport implements GraphqlTransport {
32
+ private readonly executor;
33
+ constructor(executor: GraphqlExecutor);
34
+ mutate<TResult, TVariables = Record<string, unknown>>(document: unknown, variables?: TVariables): Promise<TResult>;
35
+ query<TResult, TVariables = Record<string, unknown>>(document: unknown, variables?: TVariables): Promise<TResult>;
36
+ }
37
+ type VariablesFactory<TResult> = Record<string, unknown> | ((result?: TResult) => Record<string, unknown> | undefined);
38
+ interface GraphqlCrudAdapterConfig<TRemote, TId = string> {
39
+ create?: {
40
+ buildVariables: (input: TRemote) => Record<string, unknown>;
41
+ document: unknown;
42
+ select: (result: unknown) => TRemote;
43
+ };
44
+ delete?: {
45
+ buildVariables: (id: TId) => Record<string, unknown>;
46
+ document: unknown;
47
+ };
48
+ getById?: {
49
+ buildVariables: (id: TId) => Record<string, unknown>;
50
+ document: unknown;
51
+ select: (result: unknown) => TRemote | null;
52
+ };
53
+ list?: {
54
+ document: unknown;
55
+ select: (result: unknown) => TRemote[];
56
+ variables?: VariablesFactory<TRemote[]>;
57
+ };
58
+ update?: {
59
+ buildVariables: (id: TId, input: TRemote) => Record<string, unknown>;
60
+ document: unknown;
61
+ select: (result: unknown) => TRemote;
62
+ };
63
+ }
64
+ declare class GraphqlCrudAdapter<TRemote, TId = string> implements CrudAdapter<TRemote, TId> {
65
+ private readonly transport;
66
+ private readonly config;
67
+ constructor(transport: GraphqlTransport, config: GraphqlCrudAdapterConfig<TRemote, TId>);
68
+ create(input: TRemote): Promise<TRemote>;
69
+ delete(id: TId): Promise<void>;
70
+ getById(id: TId): Promise<TRemote | null>;
71
+ list(): Promise<TRemote[]>;
72
+ update(id: TId, input: TRemote): Promise<TRemote>;
73
+ }
74
+ declare function createGraphqlTransport(executor: GraphqlExecutor): FunctionGraphqlTransport;
75
+
76
+ interface FetchRestTransportOptions {
77
+ baseUrl: string;
78
+ defaultHeaders?: Record<string, string>;
79
+ fetch?: typeof fetch;
80
+ }
81
+ declare class FetchRestTransport implements RestTransport {
82
+ private readonly options;
83
+ private readonly baseUrl;
84
+ private readonly fetchImpl;
85
+ constructor(options: FetchRestTransportOptions);
86
+ request<TResult, TBody = unknown>(request: RestRequest<TBody>): Promise<TResult>;
87
+ }
88
+ interface RestCrudAdapterConfig<TRemote, TId = string> {
89
+ create?: {
90
+ path: string | (() => string);
91
+ select?: (result: unknown) => TRemote;
92
+ serialize?: (input: TRemote) => unknown;
93
+ };
94
+ delete?: {
95
+ path: (id: TId) => string;
96
+ };
97
+ getById?: {
98
+ path: (id: TId) => string;
99
+ select?: (result: unknown) => TRemote | null;
100
+ };
101
+ list?: {
102
+ path: string | (() => string);
103
+ query?: Record<string, boolean | number | string | null | undefined>;
104
+ select?: (result: unknown) => TRemote[];
105
+ };
106
+ update?: {
107
+ path: (id: TId) => string;
108
+ select?: (result: unknown) => TRemote;
109
+ serialize?: (input: TRemote) => unknown;
110
+ };
111
+ }
112
+ declare class RestCrudAdapter<TRemote, TId = string> implements CrudAdapter<TRemote, TId> {
113
+ private readonly transport;
114
+ private readonly config;
115
+ constructor(transport: RestTransport, config: RestCrudAdapterConfig<TRemote, TId>);
116
+ create(input: TRemote): Promise<TRemote>;
117
+ delete(id: TId): Promise<void>;
118
+ getById(id: TId): Promise<TRemote | null>;
119
+ list(): Promise<TRemote[]>;
120
+ update(id: TId, input: TRemote): Promise<TRemote>;
121
+ }
122
+ declare function createFetchRestTransport(options: FetchRestTransportOptions): FetchRestTransport;
123
+
124
+ interface PasswordAuthResult<TUser> {
125
+ message?: string | null;
126
+ ok: boolean;
127
+ user?: TUser | null;
128
+ }
129
+ interface PasswordAuthAdapter<TUser> {
130
+ getKdfSalt(email: string): Promise<string>;
131
+ login(email: string, authKeyMaterialHex: string): Promise<PasswordAuthResult<TUser>>;
132
+ logout(): Promise<boolean | void>;
133
+ refresh(): Promise<PasswordAuthResult<TUser>>;
134
+ registerBegin(email: string): Promise<{
135
+ kdfSaltBase64: string;
136
+ }>;
137
+ registerComplete(email: string, authKeyMaterialHex: string): Promise<PasswordAuthResult<TUser>>;
138
+ }
139
+ interface PasswordAuthAttempt<TUser> {
140
+ kAuthHex: string;
141
+ kEnc: Uint8Array;
142
+ normalizedEmail: string;
143
+ result: PasswordAuthResult<TUser>;
144
+ }
145
+ declare function normalizeAuthEmail(email: string): string;
146
+ declare class PasswordAuthClient<TUser> {
147
+ private readonly adapter;
148
+ constructor(adapter: PasswordAuthAdapter<TUser>);
149
+ beginRegistration(email: string): Promise<string>;
150
+ completeRegistrationWithPassword(email: string, password: string, kdfSaltBase64: string): Promise<PasswordAuthAttempt<TUser>>;
151
+ loginWithPassword(email: string, password: string): Promise<PasswordAuthAttempt<TUser>>;
152
+ logout(): Promise<boolean | void>;
153
+ refreshSession(): Promise<PasswordAuthResult<TUser>>;
154
+ registerWithPassword(email: string, password: string): Promise<PasswordAuthAttempt<TUser>>;
155
+ }
156
+ declare function createPasswordAuthClient<TUser>(adapter: PasswordAuthAdapter<TUser>): PasswordAuthClient<TUser>;
157
+
158
+ interface CacheStore<TEntity, TId = string> {
159
+ clear(): void;
160
+ clearCollection(collectionName: string): void;
161
+ get(collectionName: string, id: TId): TEntity | null;
162
+ list(collectionName: string): TEntity[];
163
+ put(collectionName: string, id: TId, value: TEntity): void;
164
+ remove(collectionName: string, id: TId): void;
165
+ }
166
+ declare class LokiCacheStore<TEntity, TId = string> implements CacheStore<TEntity, TId> {
167
+ private readonly collections;
168
+ private readonly db;
169
+ clear(): void;
170
+ clearCollection(collectionName: string): void;
171
+ get(collectionName: string, id: TId): TEntity | null;
172
+ list(collectionName: string): TEntity[];
173
+ put(collectionName: string, id: TId, value: TEntity): void;
174
+ remove(collectionName: string, id: TId): void;
175
+ private ensureCollection;
176
+ }
177
+ declare function createLokiCacheStore<TEntity, TId = string>(): LokiCacheStore<TEntity, TId>;
178
+
179
+ type EncryptionAlgorithmId = "aes-256-gcm" | "ml-kem-768-aes-256-gcm";
180
+ type EncryptedFieldMetadata = Record<string, boolean | number | string | null>;
181
+ interface EncryptedFieldValue {
182
+ version: 1;
183
+ algorithm: string;
184
+ ciphertextBase64: string;
185
+ nonceBase64?: string;
186
+ encapsulatedKeyCiphertextBase64?: string;
187
+ metadata?: EncryptedFieldMetadata;
188
+ }
189
+ interface EncryptionStrategy<TEncryptContext = unknown, TDecryptContext = TEncryptContext> {
190
+ readonly id: string;
191
+ encrypt(plaintext: Uint8Array, context: TEncryptContext): Promise<EncryptedFieldValue>;
192
+ decrypt(payload: EncryptedFieldValue, context: TDecryptContext): Promise<Uint8Array>;
193
+ }
194
+ declare function isEncryptedFieldValue(value: unknown): value is EncryptedFieldValue;
195
+
196
+ interface LegacyEncryptedJsonBlob {
197
+ ciphertextBase64: string;
198
+ nonceBase64: string;
199
+ }
200
+ declare function decryptJsonFromLegacyBlob<TValue>(blob: LegacyEncryptedJsonBlob, key: Uint8Array): Promise<TValue>;
201
+ declare function encryptedFieldToLegacyBlob(payload: EncryptedFieldValue): LegacyEncryptedJsonBlob;
202
+ declare function encryptJsonToLegacyBlob<TValue>(value: TValue, key: Uint8Array): Promise<LegacyEncryptedJsonBlob>;
203
+ declare function legacyBlobToEncryptedField(blob: LegacyEncryptedJsonBlob, algorithm?: string): EncryptedFieldValue;
204
+
205
+ interface Aes256GcmContext {
206
+ additionalData?: Uint8Array;
207
+ key: Uint8Array;
208
+ }
209
+ declare class Aes256GcmStrategy implements EncryptionStrategy<Aes256GcmContext, Aes256GcmContext> {
210
+ readonly id = "aes-256-gcm";
211
+ readonly nonceLength = 12;
212
+ encrypt(plaintext: Uint8Array, context: Aes256GcmContext): Promise<{
213
+ version: 1;
214
+ algorithm: string;
215
+ ciphertextBase64: string;
216
+ nonceBase64: string;
217
+ }>;
218
+ decrypt(payload: {
219
+ ciphertextBase64: string;
220
+ nonceBase64?: string;
221
+ }, context: Aes256GcmContext): Promise<Uint8Array<ArrayBuffer>>;
222
+ private importKey;
223
+ }
224
+ declare function createAes256GcmStrategy(): Aes256GcmStrategy;
225
+
226
+ declare const DEFAULT_SCRYPT_PARAMS: {
227
+ readonly N: number;
228
+ readonly r: 8;
229
+ readonly p: 1;
230
+ readonly dkLen: 32;
231
+ readonly maxmem: number;
232
+ };
233
+ declare function kdfSaltFromBase64(kdfSaltBase64: string): Uint8Array;
234
+ declare function deriveAes256KeyFromPassword(password: string, salt: Uint8Array): Promise<Uint8Array>;
235
+ declare function deriveAuthKeyMaterial(kEnc: Uint8Array): Uint8Array;
236
+ declare function deriveClientKeyMaterial(password: string, kdfSaltBase64: string): Promise<{
237
+ kAuthHex: string;
238
+ kEnc: Uint8Array;
239
+ }>;
240
+ declare function authKeyMaterialHex(password: string, kdfSaltBase64: string): Promise<string>;
241
+
242
+ interface MlKemAes256GcmEncryptContext {
243
+ additionalData?: Uint8Array;
244
+ recipientPublicKey: Uint8Array;
245
+ }
246
+ interface MlKemAes256GcmDecryptContext {
247
+ additionalData?: Uint8Array;
248
+ recipientPrivateKey: Uint8Array;
249
+ }
250
+ interface MlKemKeyPair {
251
+ privateKeySeed: Uint8Array;
252
+ publicKey: Uint8Array;
253
+ }
254
+ declare function generateMlKemKeyPair(): Promise<MlKemKeyPair>;
255
+ declare class MlKemAes256GcmStrategy implements EncryptionStrategy<MlKemAes256GcmEncryptContext, MlKemAes256GcmDecryptContext> {
256
+ readonly id = "ml-kem-768-aes-256-gcm";
257
+ readonly nonceLength = 12;
258
+ encrypt(plaintext: Uint8Array, context: MlKemAes256GcmEncryptContext): Promise<{
259
+ version: 1;
260
+ algorithm: string;
261
+ ciphertextBase64: string;
262
+ nonceBase64: string;
263
+ encapsulatedKeyCiphertextBase64: string;
264
+ metadata: {
265
+ kem: string;
266
+ };
267
+ }>;
268
+ decrypt(payload: {
269
+ ciphertextBase64: string;
270
+ encapsulatedKeyCiphertextBase64?: string;
271
+ nonceBase64?: string;
272
+ }, context: MlKemAes256GcmDecryptContext): Promise<Uint8Array>;
273
+ }
274
+ declare function createMlKemAes256GcmStrategy(): MlKemAes256GcmStrategy;
275
+
276
+ declare class StrategyRegistry {
277
+ private readonly strategies;
278
+ constructor(strategies?: EncryptionStrategy<any, any>[]);
279
+ register(strategy: EncryptionStrategy<any, any>): void;
280
+ get<TEncryptContext, TDecryptContext>(id: string): EncryptionStrategy<TEncryptContext, TDecryptContext>;
281
+ encrypt<TEncryptContext>(id: string, plaintext: Uint8Array, context: TEncryptContext): Promise<EncryptedFieldValue>;
282
+ decrypt<TDecryptContext>(payload: EncryptedFieldValue, context: TDecryptContext): Promise<Uint8Array>;
283
+ }
284
+ declare function createStrategyRegistry(...strategies: EncryptionStrategy<any, any>[]): StrategyRegistry;
285
+
286
+ declare function toUint8Array(value: ArrayBuffer | ArrayBufferView): Uint8Array;
287
+ declare function toArrayBuffer(value: ArrayBuffer | ArrayBufferView): ArrayBuffer;
288
+ declare function bytesToBase64(value: ArrayBuffer | ArrayBufferView): string;
289
+ declare function base64ToBytes(base64: string): Uint8Array;
290
+ declare function utf8ToBytes(value: string): Uint8Array;
291
+ declare function bytesToUtf8(value: ArrayBuffer | ArrayBufferView): string;
292
+
293
+ interface ExternalE2eeApiProvider<TConfig, TSession, TProject, TTask, TProjectQuery = undefined, TTaskQuery = undefined> {
294
+ authenticate(config: TConfig): Promise<TSession>;
295
+ listProjects(config: TConfig, session: TSession, query?: TProjectQuery): Promise<TProject[]>;
296
+ listTasks(config: TConfig, session: TSession, query?: TTaskQuery): Promise<TTask[]>;
297
+ validateAccess?(config: TConfig, session: TSession): Promise<void>;
298
+ }
299
+ declare class ExternalE2eeApiClient<TConfig, TSession, TProject, TTask, TProjectQuery = undefined, TTaskQuery = undefined> {
300
+ private readonly provider;
301
+ constructor(provider: ExternalE2eeApiProvider<TConfig, TSession, TProject, TTask, TProjectQuery, TTaskQuery>);
302
+ authenticate(config: TConfig): Promise<TSession>;
303
+ ensureAccess(config: TConfig): Promise<void>;
304
+ listProjects(config: TConfig, query?: TProjectQuery): Promise<TProject[]>;
305
+ listTasks(config: TConfig, query?: TTaskQuery): Promise<TTask[]>;
306
+ }
307
+ declare function createExternalE2eeApiClient<TConfig, TSession, TProject, TTask, TProjectQuery = undefined, TTaskQuery = undefined>(provider: ExternalE2eeApiProvider<TConfig, TSession, TProject, TTask, TProjectQuery, TTaskQuery>): ExternalE2eeApiClient<TConfig, TSession, TProject, TTask, TProjectQuery, TTaskQuery>;
308
+
309
+ interface FieldPolicy<TEntity, TRemote> {
310
+ deserialize?: (value: unknown, remote: TRemote) => unknown;
311
+ encrypted?: boolean;
312
+ entityPath: string;
313
+ remotePath?: string;
314
+ serialize?: (value: unknown, entity: TEntity) => unknown;
315
+ strategyId?: string;
316
+ }
317
+ interface EntitySchema<TEntity, TRemote, TId = string> {
318
+ cacheCollection?: string;
319
+ createEntity(remote: TRemote): TEntity;
320
+ createRemote(entity: TEntity): TRemote;
321
+ defaultStrategyId?: string;
322
+ fields: FieldPolicy<TEntity, TRemote>[];
323
+ idPath?: string;
324
+ name: string;
325
+ }
326
+ interface StrategyContextResolver<TEntity, TRemote> {
327
+ resolve(args: {
328
+ entity?: TEntity;
329
+ field: FieldPolicy<TEntity, TRemote>;
330
+ payload?: EncryptedFieldValue;
331
+ phase: "decrypt" | "encrypt";
332
+ remote?: TRemote;
333
+ schema: EntitySchema<TEntity, TRemote, any>;
334
+ }): Promise<unknown>;
335
+ }
336
+ interface RepositoryReadOptions {
337
+ cacheMode?: "cache-first" | "network-first" | "no-cache";
338
+ }
339
+ interface EntityRepositoryOptions<TEntity, TRemote, TId = string> {
340
+ adapter: CrudAdapter<TRemote, TId>;
341
+ cache?: CacheStore<TEntity, TId>;
342
+ contextResolver: StrategyContextResolver<TEntity, TRemote>;
343
+ schema: EntitySchema<TEntity, TRemote, TId>;
344
+ strategies: StrategyRegistry;
345
+ }
346
+ declare class EntityRepository<TEntity, TRemote, TId = string> {
347
+ private readonly options;
348
+ private readonly cacheCollection;
349
+ private readonly idPath;
350
+ constructor(options: EntityRepositoryOptions<TEntity, TRemote, TId>);
351
+ create(entity: TEntity): Promise<TEntity>;
352
+ delete(id: TId): Promise<void>;
353
+ getById(id: TId, options?: RepositoryReadOptions): Promise<TEntity | null>;
354
+ list(options?: RepositoryReadOptions): Promise<TEntity[]>;
355
+ update(id: TId, entity: TEntity): Promise<TEntity>;
356
+ private hydrateRemote;
357
+ private resolveEntityId;
358
+ private hydrateField;
359
+ private serializeEntity;
360
+ }
361
+ declare function createEntityRepository<TEntity, TRemote, TId = string>(options: EntityRepositoryOptions<TEntity, TRemote, TId>): EntityRepository<TEntity, TRemote, TId>;
362
+
363
+ interface DashboardEntity<TConfig = Record<string, unknown>> {
364
+ config: TConfig | null;
365
+ createdAt: string;
366
+ id: string;
367
+ name: string;
368
+ updatedAt: string;
369
+ }
370
+ interface DashboardRemoteRecord<TConfig = Record<string, unknown>> {
371
+ configEnvelope: EncryptedFieldValue | TConfig | null;
372
+ createdAt: string;
373
+ id: string;
374
+ name: string;
375
+ updatedAt: string;
376
+ }
377
+ declare function createDashboardSchema<TConfig = Record<string, unknown>>(strategyId?: string): EntitySchema<DashboardEntity<TConfig>, DashboardRemoteRecord<TConfig>, string>;
378
+
379
+ type IntegrationRemoteFieldValue = EncryptedFieldValue | string | null;
380
+ interface IntegrationEntity {
381
+ apiUrl: string;
382
+ authHash: string | null;
383
+ credentialMode: string;
384
+ displayName: string;
385
+ encryptionKey: string | null;
386
+ id: string;
387
+ lastSyncedAt: string | null;
388
+ provider: string;
389
+ providerSecret: string | null;
390
+ status: string;
391
+ username: string;
392
+ }
393
+ interface IntegrationRemoteRecord {
394
+ apiUrl: string;
395
+ authHash: IntegrationRemoteFieldValue;
396
+ credentialMode: string;
397
+ displayName: string;
398
+ encryptionKey: IntegrationRemoteFieldValue;
399
+ id: string;
400
+ lastSyncedAt: string | null;
401
+ provider: string;
402
+ providerSecret: IntegrationRemoteFieldValue;
403
+ status: string;
404
+ username: string;
405
+ }
406
+ declare function createIntegrationSchema(strategyId?: string): EntitySchema<IntegrationEntity, IntegrationRemoteRecord, string>;
407
+
408
+ export { type Aes256GcmContext, Aes256GcmStrategy, type CacheStore, type CrudAdapter, DEFAULT_SCRYPT_PARAMS, type DashboardEntity, type DashboardRemoteRecord, type EncryptedFieldMetadata, type EncryptedFieldValue, type EncryptionAlgorithmId, type EncryptionStrategy, EntityRepository, type EntityRepositoryOptions, type EntitySchema, ExternalE2eeApiClient, type ExternalE2eeApiProvider, FetchRestTransport, type FetchRestTransportOptions, type FieldPolicy, FunctionGraphqlTransport, GraphqlCrudAdapter, type GraphqlCrudAdapterConfig, type GraphqlExecutor, type GraphqlExecutorInput, type GraphqlOperationKind, type GraphqlTransport, type IntegrationEntity, type IntegrationRemoteRecord, type LegacyEncryptedJsonBlob, LokiCacheStore, type MlKemAes256GcmDecryptContext, type MlKemAes256GcmEncryptContext, MlKemAes256GcmStrategy, type MlKemKeyPair, type PasswordAuthAdapter, type PasswordAuthAttempt, PasswordAuthClient, type PasswordAuthResult, type RepositoryReadOptions, RestCrudAdapter, type RestCrudAdapterConfig, type RestMethod, type RestRequest, type RestTransport, type StrategyContextResolver, StrategyRegistry, authKeyMaterialHex, base64ToBytes, bytesToBase64, bytesToUtf8, createAes256GcmStrategy, createDashboardSchema, createEntityRepository, createExternalE2eeApiClient, createFetchRestTransport, createGraphqlTransport, createIntegrationSchema, createLokiCacheStore, createMlKemAes256GcmStrategy, createPasswordAuthClient, createStrategyRegistry, decryptJsonFromLegacyBlob, deriveAes256KeyFromPassword, deriveAuthKeyMaterial, deriveClientKeyMaterial, encryptJsonToLegacyBlob, encryptedFieldToLegacyBlob, generateMlKemKeyPair, isEncryptedFieldValue, kdfSaltFromBase64, legacyBlobToEncryptedField, normalizeAuthEmail, toArrayBuffer, toUint8Array, utf8ToBytes };