e2ee-client-backend 0.1.1

package/dist/index.js

@@ -0,0 +1,1026 @@
+import { hkdf } from '@noble/hashes/hkdf.js';
+import { scryptAsync } from '@noble/hashes/scrypt.js';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { utf8ToBytes as utf8ToBytes$1, bytesToHex } from '@noble/hashes/utils.js';
+import Loki from 'lokijs';
+import mlkem from 'mlkem-wasm';
+
+// src/adapters/graphql.ts
+var FunctionGraphqlTransport = class {
+  constructor(executor) {
+    this.executor = executor;
+  }
+  executor;
+  mutate(document, variables) {
+    return this.executor(
+      variables === void 0 ? {
+        document,
+        kind: "mutation"
+      } : {
+        document,
+        kind: "mutation",
+        variables
+      }
+    );
+  }
+  query(document, variables) {
+    return this.executor(
+      variables === void 0 ? {
+        document,
+        kind: "query"
+      } : {
+        document,
+        kind: "query",
+        variables
+      }
+    );
+  }
+};
+function resolveVariables(variables, result) {
+  if (!variables) {
+    return void 0;
+  }
+  return typeof variables === "function" ? variables(result) : variables;
+}
+var GraphqlCrudAdapter = class {
+  constructor(transport, config) {
+    this.transport = transport;
+    this.config = config;
+  }
+  transport;
+  config;
+  async create(input) {
+    const config = this.config.create;
+    if (!config) {
+      throw new Error("This GraphQL adapter does not implement create().");
+    }
+    const result = await this.transport.mutate(
+      config.document,
+      config.buildVariables(input)
+    );
+    return config.select(result);
+  }
+  async delete(id) {
+    const config = this.config.delete;
+    if (!config) {
+      throw new Error("This GraphQL adapter does not implement delete().");
+    }
+    await this.transport.mutate(config.document, config.buildVariables(id));
+  }
+  async getById(id) {
+    const config = this.config.getById;
+    if (!config) {
+      throw new Error("This GraphQL adapter does not implement getById().");
+    }
+    const result = await this.transport.query(
+      config.document,
+      config.buildVariables(id)
+    );
+    return config.select(result);
+  }
+  async list() {
+    const config = this.config.list;
+    if (!config) {
+      throw new Error("This GraphQL adapter does not implement list().");
+    }
+    const result = await this.transport.query(
+      config.document,
+      resolveVariables(config.variables)
+    );
+    return config.select(result);
+  }
+  async update(id, input) {
+    const config = this.config.update;
+    if (!config) {
+      throw new Error("This GraphQL adapter does not implement update().");
+    }
+    const result = await this.transport.mutate(
+      config.document,
+      config.buildVariables(id, input)
+    );
+    return config.select(result);
+  }
+};
+function createGraphqlTransport(executor) {
+  return new FunctionGraphqlTransport(executor);
+}
+
+// src/adapters/rest.ts
+function identity(value) {
+  return value;
+}
+function normalizeBaseUrl(baseUrl) {
+  return baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`;
+}
+function resolvePath(path) {
+  return typeof path === "function" ? path() : path;
+}
+function withBody(method, path, body) {
+  if (body === void 0) {
+    return {
+      method,
+      path
+    };
+  }
+  return {
+    body,
+    method,
+    path
+  };
+}
+var FetchRestTransport = class {
+  constructor(options) {
+    this.options = options;
+    this.baseUrl = normalizeBaseUrl(options.baseUrl);
+    this.fetchImpl = options.fetch ?? fetch;
+  }
+  options;
+  baseUrl;
+  fetchImpl;
+  async request(request) {
+    const url = new URL(request.path.replace(/^\//, ""), this.baseUrl);
+    if (request.query) {
+      for (const [key, value] of Object.entries(request.query)) {
+        if (value === void 0 || value === null) {
+          continue;
+        }
+        url.searchParams.set(key, String(value));
+      }
+    }
+    const headers = new Headers(this.options.defaultHeaders);
+    if (request.headers) {
+      for (const [key, value] of Object.entries(request.headers)) {
+        headers.set(key, value);
+      }
+    }
+    const init = {
+      method: request.method,
+      headers
+    };
+    if (request.body !== void 0) {
+      if (!headers.has("Content-Type")) {
+        headers.set("Content-Type", "application/json");
+      }
+      init.body = JSON.stringify(request.body);
+    }
+    const response = await this.fetchImpl(url, init);
+    if (!response.ok) {
+      throw new Error(`REST request failed with ${response.status}.`);
+    }
+    if (response.status === 204) {
+      return void 0;
+    }
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.includes("application/json")) {
+      return await response.json();
+    }
+    return await response.text();
+  }
+};
+var RestCrudAdapter = class {
+  constructor(transport, config) {
+    this.transport = transport;
+    this.config = config;
+  }
+  transport;
+  config;
+  async create(input) {
+    const config = this.config.create;
+    if (!config) {
+      throw new Error("This REST adapter does not implement create().");
+    }
+    const result = await this.transport.request({
+      ...withBody(
+        "POST",
+        resolvePath(config.path),
+        (config.serialize ?? identity)(input)
+      )
+    });
+    return (config.select ?? identity)(result);
+  }
+  async delete(id) {
+    const config = this.config.delete;
+    if (!config) {
+      throw new Error("This REST adapter does not implement delete().");
+    }
+    await this.transport.request({
+      method: "DELETE",
+      path: config.path(id)
+    });
+  }
+  async getById(id) {
+    const config = this.config.getById;
+    if (!config) {
+      throw new Error("This REST adapter does not implement getById().");
+    }
+    const result = await this.transport.request({
+      method: "GET",
+      path: config.path(id)
+    });
+    return (config.select ?? identity)(result);
+  }
+  async list() {
+    const config = this.config.list;
+    if (!config) {
+      throw new Error("This REST adapter does not implement list().");
+    }
+    const result = await this.transport.request({
+      method: "GET",
+      path: resolvePath(config.path),
+      ...config.query ? { query: config.query } : {}
+    });
+    return (config.select ?? identity)(result);
+  }
+  async update(id, input) {
+    const config = this.config.update;
+    if (!config) {
+      throw new Error("This REST adapter does not implement update().");
+    }
+    const result = await this.transport.request({
+      ...withBody(
+        "PUT",
+        config.path(id),
+        (config.serialize ?? identity)(input)
+      )
+    });
+    return (config.select ?? identity)(result);
+  }
+};
+function createFetchRestTransport(options) {
+  return new FetchRestTransport(options);
+}
+
+// src/encoding/base64.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+function toUint8Array(value) {
+  if (value instanceof Uint8Array) {
+    return value;
+  }
+  if (ArrayBuffer.isView(value)) {
+    return new Uint8Array(value.buffer, value.byteOffset, value.byteLength);
+  }
+  return new Uint8Array(value);
+}
+function toArrayBuffer(value) {
+  const bytes = toUint8Array(value);
+  return bytes.buffer.slice(
+    bytes.byteOffset,
+    bytes.byteOffset + bytes.byteLength
+  );
+}
+function bytesToBase64(value) {
+  const bytes = toUint8Array(value);
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCodePoint(byte);
+  }
+  return btoa(binary);
+}
+function base64ToBytes(base64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  }
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.codePointAt(index) ?? 0;
+  }
+  return bytes;
+}
+function utf8ToBytes(value) {
+  return encoder.encode(value);
+}
+function bytesToUtf8(value) {
+  return decoder.decode(toUint8Array(value));
+}
+
+// src/crypto/key-derivation.ts
+var AUTH_INFO = utf8ToBytes$1("dashboard.auth.v1");
+var DEFAULT_SCRYPT_PARAMS = {
+  N: 1 << 15,
+  r: 8,
+  p: 1,
+  dkLen: 32,
+  maxmem: 128 * 1024 * 1024
+};
+function kdfSaltFromBase64(kdfSaltBase64) {
+  return base64ToBytes(kdfSaltBase64.trim());
+}
+async function deriveAes256KeyFromPassword(password, salt) {
+  return scryptAsync(utf8ToBytes$1(password), salt, DEFAULT_SCRYPT_PARAMS);
+}
+function deriveAuthKeyMaterial(kEnc) {
+  return hkdf(sha256, kEnc, new Uint8Array(0), AUTH_INFO, 32);
+}
+async function deriveClientKeyMaterial(password, kdfSaltBase64) {
+  const salt = kdfSaltFromBase64(kdfSaltBase64);
+  const kEnc = await deriveAes256KeyFromPassword(password, salt);
+  return {
+    kAuthHex: bytesToHex(deriveAuthKeyMaterial(kEnc)),
+    kEnc
+  };
+}
+async function authKeyMaterialHex(password, kdfSaltBase64) {
+  const { kAuthHex } = await deriveClientKeyMaterial(password, kdfSaltBase64);
+  return kAuthHex;
+}
+
+// src/auth/password-auth-client.ts
+function normalizeAuthEmail(email) {
+  return email.trim().toLowerCase();
+}
+var PasswordAuthClient = class {
+  constructor(adapter) {
+    this.adapter = adapter;
+  }
+  adapter;
+  async beginRegistration(email) {
+    const response = await this.adapter.registerBegin(normalizeAuthEmail(email));
+    return response.kdfSaltBase64;
+  }
+  async completeRegistrationWithPassword(email, password, kdfSaltBase64) {
+    const normalizedEmail = normalizeAuthEmail(email);
+    const { kAuthHex, kEnc } = await deriveClientKeyMaterial(
+      password,
+      kdfSaltBase64
+    );
+    return {
+      kAuthHex,
+      kEnc,
+      normalizedEmail,
+      result: await this.adapter.registerComplete(normalizedEmail, kAuthHex)
+    };
+  }
+  async loginWithPassword(email, password) {
+    const normalizedEmail = normalizeAuthEmail(email);
+    const kdfSaltBase64 = await this.adapter.getKdfSalt(normalizedEmail);
+    const { kAuthHex, kEnc } = await deriveClientKeyMaterial(
+      password,
+      kdfSaltBase64
+    );
+    return {
+      kAuthHex,
+      kEnc,
+      normalizedEmail,
+      result: await this.adapter.login(normalizedEmail, kAuthHex)
+    };
+  }
+  logout() {
+    return this.adapter.logout();
+  }
+  refreshSession() {
+    return this.adapter.refresh();
+  }
+  async registerWithPassword(email, password) {
+    const kdfSaltBase64 = await this.beginRegistration(email);
+    return this.completeRegistrationWithPassword(email, password, kdfSaltBase64);
+  }
+};
+function createPasswordAuthClient(adapter) {
+  return new PasswordAuthClient(adapter);
+}
+function cloneValue(value) {
+  if (value === null || value === void 0) {
+    return value;
+  }
+  if (typeof value !== "object") {
+    return value;
+  }
+  return structuredClone(value);
+}
+var LokiCacheStore = class {
+  collections = /* @__PURE__ */ new Map();
+  db = new Loki("e2ee-client-backend", {
+    autoload: false,
+    autosave: false,
+    persistenceMethod: "memory"
+  });
+  clear() {
+    for (const name of this.collections.keys()) {
+      this.clearCollection(name);
+    }
+  }
+  clearCollection(collectionName) {
+    this.collections.delete(collectionName);
+    if (this.db.getCollection(collectionName)) {
+      this.db.removeCollection(collectionName);
+    }
+  }
+  get(collectionName, id) {
+    const collection = this.ensureCollection(collectionName);
+    const entry = collection.findOne({ id: String(id) });
+    return entry ? cloneValue(entry.value) : null;
+  }
+  list(collectionName) {
+    const collection = this.ensureCollection(collectionName);
+    return collection.chain().simplesort("updatedAt").data().map((entry) => cloneValue(entry.value));
+  }
+  put(collectionName, id, value) {
+    const collection = this.ensureCollection(collectionName);
+    const normalizedId = String(id);
+    const existing = collection.findOne({ id: normalizedId });
+    if (existing) {
+      existing.updatedAt = Date.now();
+      existing.value = cloneValue(value);
+      collection.update(existing);
+      return;
+    }
+    collection.insert({
+      id: normalizedId,
+      updatedAt: Date.now(),
+      value: cloneValue(value)
+    });
+  }
+  remove(collectionName, id) {
+    const collection = this.ensureCollection(collectionName);
+    const existing = collection.findOne({ id: String(id) });
+    if (existing) {
+      collection.remove(existing);
+    }
+  }
+  ensureCollection(collectionName) {
+    const existing = this.collections.get(collectionName);
+    if (existing) {
+      return existing;
+    }
+    const created = this.db.addCollection(collectionName, {
+      indices: ["updatedAt"],
+      unique: ["id"]
+    });
+    this.collections.set(collectionName, created);
+    return created;
+  }
+};
+function createLokiCacheStore() {
+  return new LokiCacheStore();
+}
+
+// src/crypto/aes-gcm-strategy.ts
+var Aes256GcmStrategy = class {
+  id = "aes-256-gcm";
+  nonceLength = 12;
+  async encrypt(plaintext, context) {
+    const key = await this.importKey(context.key);
+    const nonce = crypto.getRandomValues(new Uint8Array(this.nonceLength));
+    const params = {
+      iv: toArrayBuffer(nonce),
+      name: "AES-GCM"
+    };
+    if (context.additionalData) {
+      params.additionalData = toArrayBuffer(context.additionalData);
+    }
+    const ciphertext = await crypto.subtle.encrypt(
+      params,
+      key,
+      toArrayBuffer(plaintext)
+    );
+    return {
+      version: 1,
+      algorithm: this.id,
+      ciphertextBase64: bytesToBase64(ciphertext),
+      nonceBase64: bytesToBase64(nonce)
+    };
+  }
+  async decrypt(payload, context) {
+    if (!payload.nonceBase64) {
+      throw new Error("AES-GCM payload is missing nonceBase64.");
+    }
+    const key = await this.importKey(context.key);
+    const params = {
+      iv: toArrayBuffer(base64ToBytes(payload.nonceBase64)),
+      name: "AES-GCM"
+    };
+    if (context.additionalData) {
+      params.additionalData = toArrayBuffer(context.additionalData);
+    }
+    const plaintext = await crypto.subtle.decrypt(
+      params,
+      key,
+      toArrayBuffer(base64ToBytes(payload.ciphertextBase64))
+    );
+    return new Uint8Array(plaintext);
+  }
+  async importKey(keyBytes) {
+    if (keyBytes.length !== 32) {
+      throw new Error("AES-256-GCM expects a 32-byte key.");
+    }
+    return crypto.subtle.importKey(
+      "raw",
+      toArrayBuffer(keyBytes),
+      "AES-GCM",
+      false,
+      ["encrypt", "decrypt"]
+    );
+  }
+};
+function createAes256GcmStrategy() {
+  return new Aes256GcmStrategy();
+}
+
+// src/compat/legacy-json-blob.ts
+var legacyAesStrategy = createAes256GcmStrategy();
+async function decryptJsonFromLegacyBlob(blob, key) {
+  const plaintext = await legacyAesStrategy.decrypt(
+    legacyBlobToEncryptedField(blob),
+    { key }
+  );
+  return JSON.parse(bytesToUtf8(plaintext));
+}
+function encryptedFieldToLegacyBlob(payload) {
+  if (!payload.nonceBase64) {
+    throw new Error("Legacy blob conversion requires nonceBase64.");
+  }
+  return {
+    ciphertextBase64: payload.ciphertextBase64,
+    nonceBase64: payload.nonceBase64
+  };
+}
+async function encryptJsonToLegacyBlob(value, key) {
+  const payload = await legacyAesStrategy.encrypt(
+    utf8ToBytes(JSON.stringify(value)),
+    { key }
+  );
+  return encryptedFieldToLegacyBlob(payload);
+}
+function legacyBlobToEncryptedField(blob, algorithm = "aes-256-gcm") {
+  return {
+    algorithm,
+    ciphertextBase64: blob.ciphertextBase64,
+    nonceBase64: blob.nonceBase64,
+    version: 1
+  };
+}
+var ML_KEM_ALGORITHM = { name: "ML-KEM-768" };
+var SHARED_KEY_ALGORITHM = { name: "AES-GCM", length: 256 };
+async function importPublicKey(publicKey) {
+  return mlkem.importKey(
+    "raw-public",
+    toArrayBuffer(publicKey),
+    ML_KEM_ALGORITHM,
+    false,
+    ["encapsulateKey"]
+  );
+}
+async function importPrivateKey(privateKeySeed) {
+  return mlkem.importKey(
+    "raw-seed",
+    toArrayBuffer(privateKeySeed),
+    ML_KEM_ALGORITHM,
+    false,
+    ["decapsulateKey"]
+  );
+}
+async function generateMlKemKeyPair() {
+  const { privateKey, publicKey } = await mlkem.generateKey(ML_KEM_ALGORITHM, true, [
+    "encapsulateKey",
+    "decapsulateKey"
+  ]);
+  const exportedPublicKey = await mlkem.exportKey("raw-public", publicKey);
+  const exportedPrivateKeySeed = await mlkem.exportKey("raw-seed", privateKey);
+  return {
+    publicKey: new Uint8Array(exportedPublicKey),
+    privateKeySeed: new Uint8Array(exportedPrivateKeySeed)
+  };
+}
+var MlKemAes256GcmStrategy = class {
+  id = "ml-kem-768-aes-256-gcm";
+  nonceLength = 12;
+  async encrypt(plaintext, context) {
+    const recipientPublicKey = await importPublicKey(context.recipientPublicKey);
+    const encapsulated = await mlkem.encapsulateKey(
+      ML_KEM_ALGORITHM,
+      recipientPublicKey,
+      SHARED_KEY_ALGORITHM,
+      false,
+      ["encrypt", "decrypt"]
+    );
+    const nonce = crypto.getRandomValues(new Uint8Array(this.nonceLength));
+    const params = {
+      iv: toArrayBuffer(nonce),
+      name: "AES-GCM"
+    };
+    if (context.additionalData) {
+      params.additionalData = toArrayBuffer(context.additionalData);
+    }
+    const ciphertext = await crypto.subtle.encrypt(
+      params,
+      encapsulated.sharedKey,
+      toArrayBuffer(plaintext)
+    );
+    return {
+      version: 1,
+      algorithm: this.id,
+      ciphertextBase64: bytesToBase64(ciphertext),
+      nonceBase64: bytesToBase64(nonce),
+      encapsulatedKeyCiphertextBase64: bytesToBase64(encapsulated.ciphertext),
+      metadata: {
+        kem: "ML-KEM-768"
+      }
+    };
+  }
+  async decrypt(payload, context) {
+    if (!payload.nonceBase64) {
+      throw new Error("ML-KEM AES payload is missing nonceBase64.");
+    }
+    if (!payload.encapsulatedKeyCiphertextBase64) {
+      throw new Error(
+        "ML-KEM AES payload is missing encapsulatedKeyCiphertextBase64."
+      );
+    }
+    const recipientPrivateKey = await importPrivateKey(context.recipientPrivateKey);
+    const sharedKey = await mlkem.decapsulateKey(
+      ML_KEM_ALGORITHM,
+      recipientPrivateKey,
+      toArrayBuffer(base64ToBytes(payload.encapsulatedKeyCiphertextBase64)),
+      SHARED_KEY_ALGORITHM,
+      false,
+      ["decrypt"]
+    );
+    const params = {
+      iv: toArrayBuffer(base64ToBytes(payload.nonceBase64)),
+      name: "AES-GCM"
+    };
+    if (context.additionalData) {
+      params.additionalData = toArrayBuffer(context.additionalData);
+    }
+    const plaintext = await crypto.subtle.decrypt(
+      params,
+      sharedKey,
+      toArrayBuffer(base64ToBytes(payload.ciphertextBase64))
+    );
+    return new Uint8Array(plaintext);
+  }
+};
+function createMlKemAes256GcmStrategy() {
+  return new MlKemAes256GcmStrategy();
+}
+
+// src/crypto/strategy-registry.ts
+var StrategyRegistry = class {
+  strategies = /* @__PURE__ */ new Map();
+  constructor(strategies = []) {
+    for (const strategy of strategies) {
+      this.register(strategy);
+    }
+  }
+  register(strategy) {
+    this.strategies.set(strategy.id, strategy);
+  }
+  get(id) {
+    const strategy = this.strategies.get(id);
+    if (!strategy) {
+      throw new Error(`No encryption strategy registered for "${id}".`);
+    }
+    return strategy;
+  }
+  encrypt(id, plaintext, context) {
+    return this.get(id).encrypt(plaintext, context);
+  }
+  decrypt(payload, context) {
+    return this.get(payload.algorithm).decrypt(
+      payload,
+      context
+    );
+  }
+};
+function createStrategyRegistry(...strategies) {
+  return new StrategyRegistry(strategies);
+}
+
+// src/crypto/types.ts
+function isEncryptedFieldValue(value) {
+  if (!value || typeof value !== "object") {
+    return false;
+  }
+  const candidate = value;
+  return candidate.version === 1 && typeof candidate.algorithm === "string" && typeof candidate.ciphertextBase64 === "string";
+}
+
+// src/external-e2ee/client.ts
+var ExternalE2eeApiClient = class {
+  constructor(provider) {
+    this.provider = provider;
+  }
+  provider;
+  authenticate(config) {
+    return this.provider.authenticate(config);
+  }
+  async ensureAccess(config) {
+    const session = await this.provider.authenticate(config);
+    if (this.provider.validateAccess) {
+      await this.provider.validateAccess(config, session);
+    }
+  }
+  async listProjects(config, query) {
+    const session = await this.provider.authenticate(config);
+    return this.provider.listProjects(config, session, query);
+  }
+  async listTasks(config, query) {
+    const session = await this.provider.authenticate(config);
+    return this.provider.listTasks(config, session, query);
+  }
+};
+function createExternalE2eeApiClient(provider) {
+  return new ExternalE2eeApiClient(provider);
+}
+
+// src/repositories/entity-repository.ts
+function cloneValue2(value) {
+  if (value === null || value === void 0) {
+    return value;
+  }
+  if (typeof value !== "object") {
+    return value;
+  }
+  return structuredClone(value);
+}
+function getByPath(target, path) {
+  return path.split(".").reduce((current, segment) => {
+    if (!current || typeof current !== "object") {
+      return void 0;
+    }
+    return current[segment];
+  }, target);
+}
+function setByPath(target, path, value) {
+  const segments = path.split(".");
+  const lastSegment = segments.at(-1);
+  if (!lastSegment) {
+    return;
+  }
+  let current = target;
+  for (const segment of segments.slice(0, -1)) {
+    const existing = current[segment];
+    if (!existing || typeof existing !== "object" || Array.isArray(existing)) {
+      current[segment] = {};
+    }
+    current = current[segment];
+  }
+  current[lastSegment] = value;
+}
+function deleteByPath(target, path) {
+  const segments = path.split(".");
+  const lastSegment = segments.at(-1);
+  if (!lastSegment) {
+    return;
+  }
+  let current = target;
+  for (const segment of segments.slice(0, -1)) {
+    const next = current[segment];
+    if (!next || typeof next !== "object" || Array.isArray(next)) {
+      return;
+    }
+    current = next;
+  }
+  delete current[lastSegment];
+}
+function stringifyValue(value) {
+  return utf8ToBytes(JSON.stringify(value));
+}
+function parseValue(bytes) {
+  return JSON.parse(bytesToUtf8(bytes));
+}
+var EntityRepository = class {
+  constructor(options) {
+    this.options = options;
+    this.cacheCollection = options.schema.cacheCollection ?? options.schema.name;
+    this.idPath = options.schema.idPath ?? "id";
+  }
+  options;
+  cacheCollection;
+  idPath;
+  async create(entity) {
+    const remote = await this.serializeEntity(entity);
+    const created = await this.options.adapter.create(remote);
+    return this.hydrateRemote(created, true);
+  }
+  async delete(id) {
+    await this.options.adapter.delete(id);
+    this.options.cache?.remove(this.cacheCollection, id);
+  }
+  async getById(id, options = {}) {
+    const cacheMode = options.cacheMode ?? "network-first";
+    if (cacheMode === "cache-first") {
+      const cached = this.options.cache?.get(this.cacheCollection, id) ?? null;
+      if (cached) {
+        return cached;
+      }
+    }
+    if (cacheMode === "no-cache") {
+      const remote2 = await this.options.adapter.getById(id);
+      return remote2 ? this.hydrateRemote(remote2, false) : null;
+    }
+    const remote = await this.options.adapter.getById(id);
+    return remote ? this.hydrateRemote(remote, true) : null;
+  }
+  async list(options = {}) {
+    const cacheMode = options.cacheMode ?? "network-first";
+    if (cacheMode === "cache-first") {
+      const cached = this.options.cache?.list(this.cacheCollection) ?? [];
+      if (cached.length > 0) {
+        return cached;
+      }
+    }
+    const remoteItems = await this.options.adapter.list();
+    const items = await Promise.all(
+      remoteItems.map((remote) => this.hydrateRemote(remote, cacheMode !== "no-cache"))
+    );
+    if (cacheMode !== "no-cache" && this.options.cache) {
+      this.options.cache.clearCollection(this.cacheCollection);
+      for (const entity of items) {
+        this.options.cache.put(
+          this.cacheCollection,
+          this.resolveEntityId(entity),
+          entity
+        );
+      }
+    }
+    return items;
+  }
+  async update(id, entity) {
+    const remote = await this.serializeEntity(entity);
+    const updated = await this.options.adapter.update(id, remote);
+    return this.hydrateRemote(updated, true);
+  }
+  async hydrateRemote(remote, storeInCache) {
+    const workingRemote = cloneValue2(remote);
+    for (const field of this.options.schema.fields) {
+      await this.hydrateField(remote, workingRemote, field);
+    }
+    const entity = this.options.schema.createEntity(workingRemote);
+    if (storeInCache && this.options.cache) {
+      this.options.cache.put(
+        this.cacheCollection,
+        this.resolveEntityId(entity),
+        entity
+      );
+    }
+    return entity;
+  }
+  resolveEntityId(entity) {
+    return getByPath(entity, this.idPath);
+  }
+  async hydrateField(remote, workingRemote, field) {
+    const remotePath = field.remotePath ?? field.entityPath;
+    const currentValue = getByPath(workingRemote, remotePath);
+    if (field.encrypted) {
+      if (currentValue === null || currentValue === void 0) {
+        return;
+      }
+      if (!isEncryptedFieldValue(currentValue)) {
+        throw new Error(
+          `Field "${remotePath}" on entity "${this.options.schema.name}" is not an encrypted payload.`
+        );
+      }
+      const context = await this.options.contextResolver.resolve({
+        field,
+        payload: currentValue,
+        phase: "decrypt",
+        remote,
+        schema: this.options.schema
+      });
+      const plaintext = await this.options.strategies.decrypt(currentValue, context);
+      const parsed = parseValue(plaintext);
+      const nextValue = field.deserialize ? field.deserialize(parsed, remote) : parsed;
+      setByPath(workingRemote, remotePath, nextValue);
+      return;
+    }
+    if (field.deserialize) {
+      setByPath(workingRemote, remotePath, field.deserialize(currentValue, remote));
+    }
+  }
+  async serializeEntity(entity) {
+    const remote = cloneValue2(this.options.schema.createRemote(entity));
+    for (const field of this.options.schema.fields) {
+      const entityValue = getByPath(entity, field.entityPath);
+      const remotePath = field.remotePath ?? field.entityPath;
+      const serializedValue = field.serialize ? field.serialize(entityValue, entity) : cloneValue2(entityValue);
+      if (serializedValue === void 0) {
+        deleteByPath(remote, remotePath);
+        continue;
+      }
+      if (field.encrypted) {
+        const strategyId = field.strategyId ?? this.options.schema.defaultStrategyId;
+        if (!strategyId) {
+          throw new Error(
+            `Field "${field.entityPath}" requires an encryption strategy, but none was configured.`
+          );
+        }
+        const context = await this.options.contextResolver.resolve({
+          entity,
+          field,
+          phase: "encrypt",
+          remote,
+          schema: this.options.schema
+        });
+        const payload = await this.options.strategies.encrypt(
+          strategyId,
+          stringifyValue(serializedValue),
+          context
+        );
+        setByPath(remote, remotePath, payload);
+        continue;
+      }
+      setByPath(remote, remotePath, serializedValue);
+    }
+    return remote;
+  }
+};
+function createEntityRepository(options) {
+  return new EntityRepository(options);
+}
+
+// src/schemas/dashboard.ts
+function createDashboardSchema(strategyId = "aes-256-gcm") {
+  return {
+    cacheCollection: "dashboards",
+    createEntity(remote) {
+      return {
+        config: remote.configEnvelope ?? null,
+        createdAt: remote.createdAt,
+        id: remote.id,
+        name: remote.name,
+        updatedAt: remote.updatedAt
+      };
+    },
+    createRemote(entity) {
+      return {
+        configEnvelope: entity.config,
+        createdAt: entity.createdAt,
+        id: entity.id,
+        name: entity.name,
+        updatedAt: entity.updatedAt
+      };
+    },
+    defaultStrategyId: strategyId,
+    fields: [
+      {
+        encrypted: true,
+        entityPath: "config",
+        remotePath: "configEnvelope"
+      }
+    ],
+    name: "dashboard"
+  };
+}
+
+// src/schemas/integration.ts
+function createIntegrationSchema(strategyId = "aes-256-gcm") {
+  return {
+    cacheCollection: "integrations",
+    createEntity(remote) {
+      return {
+        apiUrl: remote.apiUrl,
+        authHash: remote.authHash ?? null,
+        credentialMode: remote.credentialMode,
+        displayName: remote.displayName,
+        encryptionKey: remote.encryptionKey ?? null,
+        id: remote.id,
+        lastSyncedAt: remote.lastSyncedAt,
+        provider: remote.provider,
+        providerSecret: remote.providerSecret ?? null,
+        status: remote.status,
+        username: remote.username
+      };
+    },
+    createRemote(entity) {
+      return {
+        apiUrl: entity.apiUrl,
+        authHash: entity.authHash,
+        credentialMode: entity.credentialMode,
+        displayName: entity.displayName,
+        encryptionKey: entity.encryptionKey,
+        id: entity.id,
+        lastSyncedAt: entity.lastSyncedAt,
+        provider: entity.provider,
+        providerSecret: entity.providerSecret,
+        status: entity.status,
+        username: entity.username
+      };
+    },
+    defaultStrategyId: strategyId,
+    fields: [
+      {
+        encrypted: true,
+        entityPath: "authHash"
+      },
+      {
+        encrypted: true,
+        entityPath: "providerSecret"
+      },
+      {
+        encrypted: true,
+        entityPath: "encryptionKey"
+      }
+    ],
+    name: "integration"
+  };
+}
+
+export { Aes256GcmStrategy, DEFAULT_SCRYPT_PARAMS, EntityRepository, ExternalE2eeApiClient, FetchRestTransport, FunctionGraphqlTransport, GraphqlCrudAdapter, LokiCacheStore, MlKemAes256GcmStrategy, PasswordAuthClient, RestCrudAdapter, StrategyRegistry, authKeyMaterialHex, base64ToBytes, bytesToBase64, bytesToUtf8, createAes256GcmStrategy, createDashboardSchema, createEntityRepository, createExternalE2eeApiClient, createFetchRestTransport, createGraphqlTransport, createIntegrationSchema, createLokiCacheStore, createMlKemAes256GcmStrategy, createPasswordAuthClient, createStrategyRegistry, decryptJsonFromLegacyBlob, deriveAes256KeyFromPassword, deriveAuthKeyMaterial, deriveClientKeyMaterial, encryptJsonToLegacyBlob, encryptedFieldToLegacyBlob, generateMlKemKeyPair, isEncryptedFieldValue, kdfSaltFromBase64, legacyBlobToEncryptedField, normalizeAuthEmail, toArrayBuffer, toUint8Array, utf8ToBytes };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map