npm - joopjs - Versions diffs - 2.0.0 - Mend

joopjs 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (259) hide show

package/CHANGELOG.md +678 -0
package/README.md +583 -0
package/dist/a11y.service-C-DQQfgO.d.mts +143 -0
package/dist/a11y.service-CauEJrJe.d.ts +143 -0
package/dist/adapters-B6slG6hQ.d.mts +84 -0
package/dist/adapters-B6slG6hQ.d.ts +84 -0
package/dist/aes.service-CkoupAww.d.mts +95 -0
package/dist/aes.service-CkoupAww.d.ts +95 -0
package/dist/ai/index.d.mts +99 -0
package/dist/ai/index.d.ts +99 -0
package/dist/ai/index.js +307 -0
package/dist/ai/index.js.map +1 -0
package/dist/ai/index.mjs +304 -0
package/dist/ai/index.mjs.map +1 -0
package/dist/analytics/index.d.mts +42 -0
package/dist/analytics/index.d.ts +42 -0
package/dist/analytics/index.js +139 -0
package/dist/analytics/index.js.map +1 -0
package/dist/analytics/index.mjs +136 -0
package/dist/analytics/index.mjs.map +1 -0
package/dist/angular/index.d.mts +148 -0
package/dist/angular/index.d.ts +148 -0
package/dist/angular/index.js +122 -0
package/dist/angular/index.js.map +1 -0
package/dist/angular/index.mjs +101 -0
package/dist/angular/index.mjs.map +1 -0
package/dist/api/index.d.mts +128 -0
package/dist/api/index.d.ts +128 -0
package/dist/api/index.js +1358 -0
package/dist/api/index.js.map +1 -0
package/dist/api/index.mjs +1332 -0
package/dist/api/index.mjs.map +1 -0
package/dist/auth/index.d.mts +105 -0
package/dist/auth/index.d.ts +105 -0
package/dist/auth/index.js +989 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/index.mjs +979 -0
package/dist/auth/index.mjs.map +1 -0
package/dist/auth.service-DNVB-L4U.d.mts +16 -0
package/dist/auth.service-PjUUSUIt.d.ts +16 -0
package/dist/banking/index.d.mts +1530 -0
package/dist/banking/index.d.ts +1530 -0
package/dist/banking/index.js +4739 -0
package/dist/banking/index.js.map +1 -0
package/dist/banking/index.mjs +4661 -0
package/dist/banking/index.mjs.map +1 -0
package/dist/cache/index.d.mts +40 -0
package/dist/cache/index.d.ts +40 -0
package/dist/cache/index.js +174 -0
package/dist/cache/index.js.map +1 -0
package/dist/cache/index.mjs +172 -0
package/dist/cache/index.mjs.map +1 -0
package/dist/client-profile.service-BuPeXVp5.d.mts +28 -0
package/dist/client-profile.service-D5bRRYQp.d.ts +28 -0
package/dist/config.models-Cqg04fAQ.d.mts +84 -0
package/dist/config.models-Cqg04fAQ.d.ts +84 -0
package/dist/config.service-CrCvI-JS.d.ts +31 -0
package/dist/config.service-Cz4QQLlf.d.mts +31 -0
package/dist/core/index.d.mts +4 -0
package/dist/core/index.d.ts +4 -0
package/dist/core/index.js +631 -0
package/dist/core/index.js.map +1 -0
package/dist/core/index.mjs +619 -0
package/dist/core/index.mjs.map +1 -0
package/dist/crypto-utils-DriNhLdx.d.mts +30 -0
package/dist/crypto-utils-DriNhLdx.d.ts +30 -0
package/dist/data-storage.service-DT6xaTxE.d.ts +51 -0
package/dist/data-storage.service-LvhGRCmw.d.mts +51 -0
package/dist/deeplink/index.d.mts +39 -0
package/dist/deeplink/index.d.ts +39 -0
package/dist/deeplink/index.js +268 -0
package/dist/deeplink/index.js.map +1 -0
package/dist/deeplink/index.mjs +265 -0
package/dist/deeplink/index.mjs.map +1 -0
package/dist/deeplink.service-Ctd5u243.d.mts +35 -0
package/dist/deeplink.service-uUuTnY9_.d.ts +35 -0
package/dist/dev/index.d.mts +20 -0
package/dist/dev/index.d.ts +20 -0
package/dist/dev/index.js +51 -0
package/dist/dev/index.js.map +1 -0
package/dist/dev/index.mjs +49 -0
package/dist/dev/index.mjs.map +1 -0
package/dist/device/index.d.mts +108 -0
package/dist/device/index.d.ts +108 -0
package/dist/device/index.js +960 -0
package/dist/device/index.js.map +1 -0
package/dist/device/index.mjs +951 -0
package/dist/device/index.mjs.map +1 -0
package/dist/differential-privacy-BcAv1G80.d.mts +210 -0
package/dist/differential-privacy-C8mAUjZr.d.ts +210 -0
package/dist/encryption/index.d.mts +75 -0
package/dist/encryption/index.d.ts +75 -0
package/dist/encryption/index.js +605 -0
package/dist/encryption/index.js.map +1 -0
package/dist/encryption/index.mjs +598 -0
package/dist/encryption/index.mjs.map +1 -0
package/dist/form-validator-3tkmzr_o.d.mts +72 -0
package/dist/form-validator-3tkmzr_o.d.ts +72 -0
package/dist/forms/index.d.mts +59 -0
package/dist/forms/index.d.ts +59 -0
package/dist/forms/index.js +446 -0
package/dist/forms/index.js.map +1 -0
package/dist/forms/index.mjs +442 -0
package/dist/forms/index.mjs.map +1 -0
package/dist/i18n/index.d.mts +37 -0
package/dist/i18n/index.d.ts +37 -0
package/dist/i18n/index.js +147 -0
package/dist/i18n/index.js.map +1 -0
package/dist/i18n/index.mjs +145 -0
package/dist/i18n/index.mjs.map +1 -0
package/dist/idempotency.service-_6LqhivP.d.mts +372 -0
package/dist/idempotency.service-eOKoISRD.d.ts +372 -0
package/dist/index-B_ksKpS1.d.mts +202 -0
package/dist/index-CqDKWTUP.d.mts +28 -0
package/dist/index-CqDKWTUP.d.ts +28 -0
package/dist/index-DFqEoX_l.d.ts +202 -0
package/dist/index-Dz0gOur2.d.mts +36 -0
package/dist/index-Dz0gOur2.d.ts +36 -0
package/dist/index.d.mts +1336 -0
package/dist/index.d.ts +1336 -0
package/dist/index.js +19464 -0
package/dist/index.js.map +1 -0
package/dist/index.mjs +19155 -0
package/dist/index.mjs.map +1 -0
package/dist/india/index.d.mts +75 -0
package/dist/india/index.d.ts +75 -0
package/dist/india/index.js +325 -0
package/dist/india/index.js.map +1 -0
package/dist/india/index.mjs +303 -0
package/dist/india/index.mjs.map +1 -0
package/dist/joop-Bx7Iwj5p.d.mts +155 -0
package/dist/joop-CA3DMeOO.d.ts +155 -0
package/dist/native-bridge/index.d.mts +27 -0
package/dist/native-bridge/index.d.ts +27 -0
package/dist/native-bridge/index.js +98 -0
package/dist/native-bridge/index.js.map +1 -0
package/dist/native-bridge/index.mjs +96 -0
package/dist/native-bridge/index.mjs.map +1 -0
package/dist/network/index.d.mts +85 -0
package/dist/network/index.d.ts +85 -0
package/dist/network/index.js +454 -0
package/dist/network/index.js.map +1 -0
package/dist/network/index.mjs +451 -0
package/dist/network/index.mjs.map +1 -0
package/dist/network-monitor-BIwPSXme.d.mts +179 -0
package/dist/network-monitor-Bqp2hvZr.d.ts +179 -0
package/dist/notification.service-Dm4fvfZf.d.mts +25 -0
package/dist/notification.service-tEMKatWJ.d.ts +25 -0
package/dist/observability/index.d.mts +179 -0
package/dist/observability/index.d.ts +179 -0
package/dist/observability/index.js +559 -0
package/dist/observability/index.js.map +1 -0
package/dist/observability/index.mjs +552 -0
package/dist/observability/index.mjs.map +1 -0
package/dist/oidc-client-DIJcClmB.d.mts +190 -0
package/dist/oidc-client-DxhyE59t.d.ts +190 -0
package/dist/platform/index.d.mts +73 -0
package/dist/platform/index.d.ts +73 -0
package/dist/platform/index.js +127 -0
package/dist/platform/index.js.map +1 -0
package/dist/platform/index.mjs +125 -0
package/dist/platform/index.mjs.map +1 -0
package/dist/pwa/index.d.mts +31 -0
package/dist/pwa/index.d.ts +31 -0
package/dist/pwa/index.js +247 -0
package/dist/pwa/index.js.map +1 -0
package/dist/pwa/index.mjs +244 -0
package/dist/pwa/index.mjs.map +1 -0
package/dist/react/index.d.mts +133 -0
package/dist/react/index.d.ts +133 -0
package/dist/react/index.js +632 -0
package/dist/react/index.js.map +1 -0
package/dist/react/index.mjs +630 -0
package/dist/react/index.mjs.map +1 -0
package/dist/router/index.d.mts +39 -0
package/dist/router/index.d.ts +39 -0
package/dist/router/index.js +168 -0
package/dist/router/index.js.map +1 -0
package/dist/router/index.mjs +166 -0
package/dist/router/index.mjs.map +1 -0
package/dist/security/index.d.mts +206 -0
package/dist/security/index.d.ts +206 -0
package/dist/security/index.js +1297 -0
package/dist/security/index.js.map +1 -0
package/dist/security/index.mjs +1285 -0
package/dist/security/index.mjs.map +1 -0
package/dist/session/index.d.mts +115 -0
package/dist/session/index.d.ts +115 -0
package/dist/session/index.js +297 -0
package/dist/session/index.js.map +1 -0
package/dist/session/index.mjs +292 -0
package/dist/session/index.mjs.map +1 -0
package/dist/state/index.d.mts +43 -0
package/dist/state/index.d.ts +43 -0
package/dist/state/index.js +156 -0
package/dist/state/index.js.map +1 -0
package/dist/state/index.mjs +152 -0
package/dist/state/index.mjs.map +1 -0
package/dist/statement-parser-BHQtXwCM.d.ts +260 -0
package/dist/statement-parser-C2qNmb49.d.mts +260 -0
package/dist/storage/index.d.mts +40 -0
package/dist/storage/index.d.ts +40 -0
package/dist/storage/index.js +256 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/index.mjs +252 -0
package/dist/storage/index.mjs.map +1 -0
package/dist/sync/index.d.mts +69 -0
package/dist/sync/index.d.ts +69 -0
package/dist/sync/index.js +330 -0
package/dist/sync/index.js.map +1 -0
package/dist/sync/index.mjs +323 -0
package/dist/sync/index.mjs.map +1 -0
package/dist/sync-engine-DCIMRG5s.d.ts +61 -0
package/dist/sync-engine-DZqyKHkK.d.mts +61 -0
package/dist/theme/index.d.mts +53 -0
package/dist/theme/index.d.ts +53 -0
package/dist/theme/index.js +169 -0
package/dist/theme/index.js.map +1 -0
package/dist/theme/index.mjs +167 -0
package/dist/theme/index.mjs.map +1 -0
package/dist/ui/index.d.mts +66 -0
package/dist/ui/index.d.ts +66 -0
package/dist/ui/index.js +811 -0
package/dist/ui/index.js.map +1 -0
package/dist/ui/index.mjs +803 -0
package/dist/ui/index.mjs.map +1 -0
package/dist/utilities/index.d.mts +199 -0
package/dist/utilities/index.d.ts +199 -0
package/dist/utilities/index.js +1991 -0
package/dist/utilities/index.js.map +1 -0
package/dist/utilities/index.mjs +1923 -0
package/dist/utilities/index.mjs.map +1 -0
package/dist/validation/index.d.mts +60 -0
package/dist/validation/index.d.ts +60 -0
package/dist/validation/index.js +460 -0
package/dist/validation/index.js.map +1 -0
package/dist/validation/index.mjs +455 -0
package/dist/validation/index.mjs.map +1 -0
package/dist/vue/index.d.mts +135 -0
package/dist/vue/index.d.ts +135 -0
package/dist/vue/index.js +621 -0
package/dist/vue/index.js.map +1 -0
package/dist/vue/index.mjs +619 -0
package/dist/vue/index.mjs.map +1 -0
package/dist/watermark.service-Detur5tq.d.ts +235 -0
package/dist/watermark.service-QNegMeQZ.d.mts +235 -0
package/dist/workers/index.d.mts +42 -0
package/dist/workers/index.d.ts +42 -0
package/dist/workers/index.js +359 -0
package/dist/workers/index.js.map +1 -0
package/dist/workers/index.mjs +356 -0
package/dist/workers/index.mjs.map +1 -0
package/dist/workflow/index.d.mts +99 -0
package/dist/workflow/index.d.ts +99 -0
package/dist/workflow/index.js +282 -0
package/dist/workflow/index.js.map +1 -0
package/dist/workflow/index.mjs +279 -0
package/dist/workflow/index.mjs.map +1 -0
package/package.json +226 -0

package/dist/encryption/index.mjs ADDED Viewed

@@ -0,0 +1,598 @@
+import { encode, decode } from 'base64-arraybuffer';
+import { x25519 } from '@noble/curves/ed25519.js';
+import { chacha20poly1305 } from '@noble/ciphers/chacha.js';
+// src/utilities/common.utility.ts
+function randomString(length, charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ") {
+  let result = "";
+  for (let i = 0; i < length; i++) {
+    result += charset[Math.floor(Math.random() * charset.length)];
+  }
+  return result;
+}
+function stringToHex(input) {
+  let result = "";
+  for (let i = 0; i < input.length; i++) {
+    result += input.charCodeAt(i).toString(16).slice(-4);
+  }
+  return result;
+}
+function bufferToHex(buffer) {
+  return [...new Uint8Array(buffer)].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+// src/models/error.models.ts
+var JoopEncryptionError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "JoopEncryptionError";
+  }
+};
+// src/encryption/gcm.service.ts
+var JoopGcmService = class {
+  async encrypt(data, aesKey) {
+    const keyBuffer = this._keyToBuffer(aesKey);
+    const iv = await this._deriveIV(aesKey, data);
+    const cryptoKey = await crypto.subtle.importKey("raw", keyBuffer, { name: "AES-GCM" }, false, ["encrypt"]);
+    const encrypted = await crypto.subtle.encrypt(
+      { name: "AES-GCM", iv: this._toSafeUint8Array(iv), tagLength: 128 },
+      cryptoKey,
+      new TextEncoder().encode(data)
+    );
+    const ivBytes = Array.from(iv);
+    const encBytes = Array.from(new Uint8Array(encrypted));
+    return bufferToHex(new Uint8Array([...ivBytes, ...encBytes]));
+  }
+  async decrypt(hexData, aesKey) {
+    const parsedIV = hexData.substring(0, 24);
+    const keyBuffer = this._keyToBuffer(aesKey);
+    const iv = this._toSafeUint8Array(this._hexToUint8(parsedIV));
+    const encrypted = this._toSafeUint8Array(this._hexToUint8(hexData.substring(24)));
+    const importedKey = await crypto.subtle.importKey("raw", keyBuffer, "AES-GCM", true, ["decrypt"]);
+    try {
+      const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, importedKey, encrypted);
+      return new TextDecoder().decode(new Uint8Array(plaintext));
+    } catch {
+      throw new JoopEncryptionError("AES-GCM decryption failed \u2014 wrong key or corrupted data");
+    }
+  }
+  async _deriveIV(key, data) {
+    const randomData = btoa(String.fromCharCode(...Array.from(crypto.getRandomValues(new Uint8Array(12)))));
+    return this._pbkdf2(key + randomData, data + Date.now().toString(), 1, 12, "SHA-256");
+  }
+  async _pbkdf2(message, salt, iterations, keyLen, algorithm) {
+    const enc = new TextEncoder();
+    const keyMaterial = await crypto.subtle.importKey("raw", enc.encode(message), { name: "PBKDF2" }, false, ["deriveBits"]);
+    const bits = await crypto.subtle.deriveBits(
+      { name: "PBKDF2", salt: enc.encode(salt), iterations, hash: algorithm },
+      keyMaterial,
+      keyLen * 8
+    );
+    return new Uint8Array(bits);
+  }
+  _keyToBuffer(key) {
+    const enc = new TextEncoder();
+    const bytes = enc.encode(key);
+    const hex = bufferToHex(bytes);
+    return this._toSafeUint8Array(this._hexToUint8(hex)).buffer;
+  }
+  _hexToUint8(hex) {
+    hex = hex.replace(/^0x/, "");
+    const pairs = hex.match(/[\dA-F]{2}/gi) ?? [];
+    return new Uint8Array(pairs.map((s) => parseInt(s, 16)));
+  }
+  /** Copy Uint8Array into a fresh ArrayBuffer to satisfy TS5.3+ BufferSource constraints. */
+  _toSafeUint8Array(src) {
+    const buf = new ArrayBuffer(src.length);
+    new Uint8Array(buf).set(src);
+    return new Uint8Array(buf);
+  }
+};
+// src/encryption/rsa.service.ts
+var JoopRsaService = class {
+  async encrypt(data, keys) {
+    let { modulus, exponent } = keys;
+    if (modulus.length === 514) {
+      modulus = modulus.slice(2);
+    }
+    let encBuffer = "";
+    try {
+      const cryptoKey = await crypto.subtle.importKey(
+        "jwk",
+        {
+          kty: "RSA",
+          e: this._b64ToB64Url(this._hexToBase64(exponent)),
+          n: this._b64ToB64Url(this._hexToBase64(modulus)),
+          alg: "RSA-OAEP-256",
+          ext: true
+        },
+        { name: "RSA-OAEP", hash: { name: "SHA-256" } },
+        true,
+        ["encrypt"]
+      );
+      const encoded = new TextEncoder().encode(data);
+      const encData = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, cryptoKey, encoded);
+      encBuffer = bufferToHex(encData);
+    } catch (err) {
+      throw new JoopEncryptionError(`RSA-OAEP encryption failed: ${err}`);
+    }
+    return encBuffer;
+  }
+  _hexToBase64(hex) {
+    return btoa(
+      (hex.match(/\w{2}/g) ?? []).map((a) => String.fromCodePoint(parseInt(a, 16) || 0)).join("")
+    );
+  }
+  _b64ToB64Url(b64) {
+    return b64.replaceAll("=", "").replaceAll("+", "-").replaceAll("/", "_");
+  }
+};
+// src/encryption/aes.service.ts
+var JoopAesService = class {
+  constructor(_gcm, _rsa) {
+    this._gcm = _gcm;
+    this._rsa = _rsa;
+  }
+  _gcm;
+  _rsa;
+  _e2eRsaStatus = "";
+  _e2eStatus = "";
+  _modulus = "";
+  _exponent = "";
+  _random = "";
+  _genKey = "";
+  _genKeyHex = "";
+  get e2eRsaStatus() {
+    return this._e2eRsaStatus;
+  }
+  set e2eRsaStatus(v) {
+    this._e2eRsaStatus = v;
+  }
+  get e2eStatus() {
+    return this._e2eStatus;
+  }
+  set e2eStatus(v) {
+    this._e2eStatus = v;
+  }
+  get modulus() {
+    return this._modulus;
+  }
+  set modulus(v) {
+    this._modulus = v;
+  }
+  get exponent() {
+    return this._exponent;
+  }
+  set exponent(v) {
+    this._exponent = v;
+  }
+  get random() {
+    return this._random;
+  }
+  set random(v) {
+    this._random = v;
+  }
+  get genKey() {
+    return this._genKey;
+  }
+  set genKey(v) {
+    this._genKey = v;
+  }
+  /** Returns true when E2E encryption is active (not on the initial request). */
+  isE2EEnabled(isInitialRequest) {
+    return !isInitialRequest && this._e2eStatus === "1";
+  }
+  /**
+   * Encrypt serialised request data.
+   * Returns an object with `encryptedText` (and optionally `pageToken` already embedded in data).
+   */
+  async processEncryption(serializedData, pageToken) {
+    if (serializedData && pageToken) {
+      serializedData = `${serializedData}&pageToken=${pageToken}`;
+    }
+    const isSessionMode = this._e2eRsaStatus === "1";
+    if (isSessionMode) {
+      if (!serializedData) return {};
+      const encText2 = await this._gcm.encrypt(serializedData, this._genKey);
+      return { encryptedText: encText2 };
+    }
+    this._generateKey();
+    const rsaEncryptedKey = await this._encryptAesKey();
+    if (!serializedData) return { encryptedText: rsaEncryptedKey };
+    const encText = await this._gcm.encrypt(serializedData, this._genKey);
+    return { encryptedText: rsaEncryptedKey + encText };
+  }
+  /** Decrypt an encrypted response payload. */
+  async decryptResponse(encryptedData) {
+    return this._gcm.decrypt(encryptedData, this._genKey);
+  }
+  clearKeys() {
+    this._e2eStatus = "";
+    this._e2eRsaStatus = "";
+    this._genKey = "";
+    this._genKeyHex = "";
+    this._modulus = "";
+    this._exponent = "";
+    this._random = "";
+  }
+  _generateKey() {
+    this._genKey = randomString(16, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ");
+    this._genKeyHex = stringToHex(this._genKey);
+  }
+  _encryptAesKey() {
+    const keys = {
+      modulus: this._modulus,
+      exponent: this._exponent,
+      randomNumber: this._random
+    };
+    return this._rsa.encrypt(this._genKeyHex, keys);
+  }
+};
+var JoopX25519Service = class _JoopX25519Service {
+  static INFO_ENC_KEY = "enc-key";
+  static INFO_ENC_IV = "enc-iv";
+  static INFO_MAC_KEY = "mac-iv";
+  _privateKey = null;
+  _publicKey = null;
+  _encKey = null;
+  _nonce = null;
+  _macKey = null;
+  _ready = false;
+  /** Generate key pair; returns base64-encoded X.509 public key to send to the server. */
+  async init() {
+    try {
+      const priv = x25519.utils.randomSecretKey();
+      const pub = x25519.getPublicKey(priv);
+      this._privateKey = priv;
+      this._publicKey = pub;
+      const x509 = this._encodeX509(pub);
+      const buf = new ArrayBuffer(x509.byteLength);
+      new Uint8Array(buf).set(x509);
+      this._ready = true;
+      return encode(buf);
+    } catch (err) {
+      this._reset();
+      throw new JoopEncryptionError(`X25519 init failed: ${err}`);
+    }
+  }
+  /** Perform DH key exchange and derive ChaCha20-Poly1305 keys. */
+  async keyExchange(serverPublicKeyBase64, serverRandomBase64) {
+    this._assertReady();
+    try {
+      const serverPubRaw = this._base64UrlDecode(serverPublicKeyBase64);
+      const serverPub = this._decodeX509(serverPubRaw);
+      const salt = this._base64UrlDecode(serverRandomBase64);
+      const shared = x25519.getSharedSecret(this._privateKey, serverPub);
+      const prk = await this._hkdfExtract(salt, shared);
+      this._nonce = await this._hkdfExpand(prk, _JoopX25519Service.INFO_ENC_IV, 12);
+      this._encKey = await this._hkdfExpand(prk, _JoopX25519Service.INFO_ENC_KEY, 32);
+      this._macKey = await this._hkdfExpand(prk, _JoopX25519Service.INFO_MAC_KEY, 16);
+    } catch (err) {
+      this._reset();
+      throw new JoopEncryptionError(`Key exchange failed: ${err}`);
+    }
+  }
+  async encrypt(plainText) {
+    this._assertReady();
+    this._assertKeysReady();
+    try {
+      const data = new TextEncoder().encode(plainText);
+      const cipher = chacha20poly1305(this._encKey, this._nonce);
+      const ct = cipher.encrypt(data);
+      const buf = new ArrayBuffer(ct.byteLength);
+      new Uint8Array(buf).set(ct);
+      return encode(buf);
+    } catch (err) {
+      throw new JoopEncryptionError(`Encryption failed: ${err}`);
+    }
+  }
+  async decrypt(cipherBase64) {
+    this._assertReady();
+    this._assertKeysReady();
+    try {
+      const ct = new Uint8Array(decode(cipherBase64));
+      const cipher = chacha20poly1305(this._encKey, this._nonce);
+      return new TextDecoder().decode(cipher.decrypt(ct));
+    } catch (err) {
+      throw new JoopEncryptionError(`Decryption failed: ${err}`);
+    }
+  }
+  reset() {
+    this._reset();
+  }
+  // ──────────────── private helpers ────────────────
+  _assertReady() {
+    if (!this._ready || !this._privateKey || !this._publicKey) {
+      throw new JoopEncryptionError("X25519Service not initialised \u2014 call init() first.");
+    }
+  }
+  _assertKeysReady() {
+    if (!this._encKey || !this._nonce || !this._macKey) {
+      throw new JoopEncryptionError("X25519Service keys not derived \u2014 call keyExchange() first.");
+    }
+  }
+  _reset() {
+    this._privateKey = this._publicKey = this._encKey = this._nonce = this._macKey = null;
+    this._ready = false;
+  }
+  _encodeX509(raw) {
+    if (raw.length !== 32) throw new JoopEncryptionError("Invalid X25519 public key length");
+    const prefix = new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0]);
+    return new Uint8Array([...prefix, ...raw]);
+  }
+  _decodeX509(x509) {
+    if (x509.length < 44) throw new JoopEncryptionError("Invalid X.509 key format");
+    return x509.slice(12);
+  }
+  _base64UrlDecode(s) {
+    let b64 = s.replaceAll("-", "+").replaceAll("_", "/");
+    while (b64.length % 4 !== 0) b64 += "=";
+    return new Uint8Array(decode(b64));
+  }
+  async _hkdfExtract(salt, ikm) {
+    const saltBuf = new ArrayBuffer(salt.byteLength);
+    new Uint8Array(saltBuf).set(salt);
+    const key = await crypto.subtle.importKey("raw", saltBuf, { name: "HMAC", hash: "SHA-512" }, false, ["sign"]);
+    const ikmBuf = new ArrayBuffer(ikm.byteLength);
+    new Uint8Array(ikmBuf).set(ikm);
+    return new Uint8Array(await crypto.subtle.sign("HMAC", key, ikmBuf));
+  }
+  async _hkdfExpand(prk, info, length) {
+    const enc = new TextEncoder();
+    const infoBytes = enc.encode(info);
+    const prkBuf = new ArrayBuffer(prk.byteLength);
+    new Uint8Array(prkBuf).set(prk);
+    const key = await crypto.subtle.importKey("raw", prkBuf, { name: "HMAC", hash: "SHA-512" }, false, ["sign"]);
+    let T = new Uint8Array(0);
+    let output = new Uint8Array(0);
+    let counter = 0;
+    while (output.length < length) {
+      counter++;
+      const input = new Uint8Array([...T, ...infoBytes, counter]);
+      T = new Uint8Array(await crypto.subtle.sign("HMAC", key, input));
+      output = new Uint8Array([...output, ...T]);
+    }
+    return output.slice(0, length);
+  }
+};
+// src/encryption/e2e.service.ts
+var _oaepGen = (bits) => ({
+  name: "RSA-OAEP",
+  modulusLength: bits,
+  publicExponent: new Uint8Array([1, 0, 1]),
+  hash: "SHA-256"
+});
+var _pssGen = (bits) => ({
+  name: "RSA-PSS",
+  modulusLength: bits,
+  publicExponent: new Uint8Array([1, 0, 1]),
+  hash: "SHA-256"
+});
+var OAEP_IMP = { name: "RSA-OAEP", hash: { name: "SHA-256" } };
+var PSS_IMP = { name: "RSA-PSS", hash: { name: "SHA-256" } };
+function _b64(buf) {
+  const bytes = ArrayBuffer.isView(buf) ? new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength) : new Uint8Array(buf);
+  return btoa(String.fromCharCode(...bytes));
+}
+function _unb64(s) {
+  return new Uint8Array(Array.from(atob(s), (c) => c.charCodeAt(0)));
+}
+function _pemToBytes(pem) {
+  return _unb64(pem.replace(/-----[^-]+-----/g, "").replace(/\s/g, ""));
+}
+function _bytesToPem(bytes, type) {
+  const b64 = _b64(bytes);
+  const lines = b64.match(/.{1,64}/g)?.join("\n") ?? b64;
+  return `-----BEGIN ${type}-----
+${lines}
+-----END ${type}-----`;
+}
+var JoopE2EService = class {
+  // ── Key generation ─────────────────────────────────────────────────────────
+  async generateKeyPair(bits = 2048) {
+    const pair = await crypto.subtle.generateKey(_oaepGen(bits), true, ["encrypt", "decrypt"]);
+    return pair;
+  }
+  async generateSigningKeyPair(bits = 2048) {
+    const pair = await crypto.subtle.generateKey(_pssGen(bits), true, ["sign", "verify"]);
+    return pair;
+  }
+  // ── PEM export/import ──────────────────────────────────────────────────────
+  async exportPublicKeyPem(key) {
+    return _bytesToPem(await crypto.subtle.exportKey("spki", key), "PUBLIC KEY");
+  }
+  async exportPrivateKeyPem(key) {
+    return _bytesToPem(await crypto.subtle.exportKey("pkcs8", key), "PRIVATE KEY");
+  }
+  async importPublicKeyPem(pem, usage = "encrypt") {
+    const algo = usage === "encrypt" ? OAEP_IMP : PSS_IMP;
+    return crypto.subtle.importKey("spki", _pemToBytes(pem), algo, true, [usage]);
+  }
+  async importPrivateKeyPem(pem, usage = "decrypt") {
+    const algo = usage === "decrypt" ? OAEP_IMP : PSS_IMP;
+    return crypto.subtle.importKey("pkcs8", _pemToBytes(pem), algo, true, [usage]);
+  }
+  // ── JWK export/import ──────────────────────────────────────────────────────
+  async exportPublicKeyJwk(key) {
+    return crypto.subtle.exportKey("jwk", key);
+  }
+  async importPublicKeyJwk(jwk, usage = "encrypt") {
+    const algo = usage === "encrypt" ? OAEP_IMP : PSS_IMP;
+    return crypto.subtle.importKey("jwk", jwk, algo, true, [usage]);
+  }
+  async exportPrivateKeyJwk(key) {
+    return crypto.subtle.exportKey("jwk", key);
+  }
+  // ── Hybrid encryption (RSA wraps AES key) ─────────────────────────────────
+  async encryptForRecipient(plaintext, publicKey) {
+    const pk = typeof publicKey === "string" ? await this.importPublicKeyPem(publicKey, "encrypt") : publicKey;
+    const aesKey = await crypto.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const cipherBuf = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, aesKey, new TextEncoder().encode(plaintext));
+    const rawAes = await crypto.subtle.exportKey("raw", aesKey);
+    const wrappedBuf = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, pk, rawAes);
+    return { wrappedKey: _b64(wrappedBuf), iv: _b64(iv), ciphertext: _b64(cipherBuf), algorithm: "RSA-OAEP+AES-GCM" };
+  }
+  async decryptFromSender(payload, privateKey) {
+    const sk = typeof privateKey === "string" ? await this.importPrivateKeyPem(privateKey, "decrypt") : privateKey;
+    const rawAes = await crypto.subtle.decrypt({ name: "RSA-OAEP" }, sk, _unb64(payload.wrappedKey));
+    const aesKey = await crypto.subtle.importKey("raw", rawAes, "AES-GCM", false, ["decrypt"]);
+    const plainBuf = await crypto.subtle.decrypt({ name: "AES-GCM", iv: _unb64(payload.iv) }, aesKey, _unb64(payload.ciphertext));
+    return new TextDecoder().decode(plainBuf);
+  }
+  // ── Digital signatures (RSA-PSS) ──────────────────────────────────────────
+  async sign(data, privateKey) {
+    const sk = typeof privateKey === "string" ? await this.importPrivateKeyPem(privateKey, "sign") : privateKey;
+    const buf = await crypto.subtle.sign({ name: "RSA-PSS", saltLength: 32 }, sk, new TextEncoder().encode(data));
+    return _b64(buf);
+  }
+  async verify(data, signature, publicKey) {
+    try {
+      const pk = typeof publicKey === "string" ? await this.importPublicKeyPem(publicKey, "verify") : publicKey;
+      return crypto.subtle.verify({ name: "RSA-PSS", saltLength: 32 }, pk, _unb64(signature), new TextEncoder().encode(data));
+    } catch {
+      return false;
+    }
+  }
+  // ── Session key utilities ─────────────────────────────────────────────────
+  async generateSessionKey() {
+    const key = await crypto.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
+    return { key, exported: _b64(await crypto.subtle.exportKey("raw", key)) };
+  }
+  async wrapSessionKey(sessionKey, recipientPublicKey) {
+    const raw = await crypto.subtle.exportKey("raw", sessionKey);
+    return _b64(await crypto.subtle.encrypt({ name: "RSA-OAEP" }, recipientPublicKey, raw));
+  }
+  async unwrapSessionKey(wrappedKey, privateKey) {
+    const raw = await crypto.subtle.decrypt({ name: "RSA-OAEP" }, privateKey, _unb64(wrappedKey));
+    return crypto.subtle.importKey("raw", raw, "AES-GCM", false, ["encrypt", "decrypt"]);
+  }
+  // ── Direct RSA encrypt/decrypt (small payloads only, <190 bytes for 2048-bit key) ──
+  async encryptRaw(data, publicKey) {
+    const pk = typeof publicKey === "string" ? await this.importPublicKeyPem(publicKey, "encrypt") : publicKey;
+    return _b64(await crypto.subtle.encrypt({ name: "RSA-OAEP" }, pk, new TextEncoder().encode(data)));
+  }
+  async decryptRaw(ciphertext, privateKey) {
+    const sk = typeof privateKey === "string" ? await this.importPrivateKeyPem(privateKey, "decrypt") : privateKey;
+    return new TextDecoder().decode(await crypto.subtle.decrypt({ name: "RSA-OAEP" }, sk, _unb64(ciphertext)));
+  }
+  // ── Key fingerprint ───────────────────────────────────────────────────────
+  async fingerprint(publicKey) {
+    const spki = await crypto.subtle.exportKey("spki", publicKey);
+    const hash = await crypto.subtle.digest("SHA-256", spki);
+    return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join(":");
+  }
+};
+// src/encryption/crypto-utils.ts
+function _hex(buf) {
+  return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function _hexToBytes(hex) {
+  return new Uint8Array(hex.match(/.{2}/g).map((h) => parseInt(h, 16)));
+}
+var JoopCryptoUtils = class {
+  // ── Hashing ──────────────────────────────────────────────────────────────
+  async sha256(data) {
+    const buf = typeof data === "string" ? new TextEncoder().encode(data) : data;
+    return _hex(await crypto.subtle.digest("SHA-256", buf));
+  }
+  async sha512(data) {
+    const buf = typeof data === "string" ? new TextEncoder().encode(data) : data;
+    return _hex(await crypto.subtle.digest("SHA-512", buf));
+  }
+  async sha1(data) {
+    const buf = typeof data === "string" ? new TextEncoder().encode(data) : data;
+    return _hex(await crypto.subtle.digest("SHA-1", buf));
+  }
+  // ── HMAC ─────────────────────────────────────────────────────────────────
+  async hmac(data, secret, algo = "SHA-256") {
+    const key = await crypto.subtle.importKey(
+      "raw",
+      new TextEncoder().encode(secret),
+      { name: "HMAC", hash: algo },
+      false,
+      ["sign"]
+    );
+    return _hex(await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(data)));
+  }
+  async hmacVerify(data, secret, signature, algo = "SHA-256") {
+    const expected = await this.hmac(data, secret, algo);
+    return this.timingSafeEqual(expected, signature);
+  }
+  // ── PBKDF2 ───────────────────────────────────────────────────────────────
+  async pbkdf2(password, salt, iterations = 1e5, keyLen = 32, hash = "SHA-256") {
+    const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits"]);
+    const bits = await crypto.subtle.deriveBits(
+      { name: "PBKDF2", salt: new TextEncoder().encode(salt), iterations, hash },
+      key,
+      keyLen * 8
+    );
+    return _hex(bits);
+  }
+  // ── Password hashing ──────────────────────────────────────────────────────
+  async hashPassword(password, salt, iterations = 1e5) {
+    const s = salt ?? this.generateSalt();
+    const hash = await this.pbkdf2(password, s, iterations);
+    return { hash, salt: s, iterations, keyLen: 32 };
+  }
+  async verifyPassword(password, record) {
+    const { hash } = await this.hashPassword(password, record.salt, record.iterations);
+    return this.timingSafeEqual(hash, record.hash);
+  }
+  // ── Utilities ──────────────────────────────────────────────────────────────
+  generateSalt(bytes = 32) {
+    return _hex(crypto.getRandomValues(new Uint8Array(bytes)).buffer);
+  }
+  randomBytes(length) {
+    return new Uint8Array(crypto.getRandomValues(new Uint8Array(length)));
+  }
+  randomHex(bytes = 16) {
+    return _hex(this.randomBytes(bytes).buffer);
+  }
+  uuid() {
+    const bytes = crypto.getRandomValues(new Uint8Array(16));
+    bytes[6] = bytes[6] & 15 | 64;
+    bytes[8] = bytes[8] & 63 | 128;
+    const hex = _hex(bytes.buffer);
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+  }
+  /** Constant-time string comparison to prevent timing attacks */
+  timingSafeEqual(a, b) {
+    if (a.length !== b.length) return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    return diff === 0;
+  }
+  hexToBytes(hex) {
+    return _hexToBytes(hex);
+  }
+  bytesToHex(bytes) {
+    return _hex(bytes.buffer);
+  }
+  base64ToHex(b64) {
+    return this.bytesToHex(new Uint8Array(Array.from(atob(b64), (c) => c.charCodeAt(0))));
+  }
+  hexToBase64(hex) {
+    return btoa(String.fromCharCode(..._hexToBytes(hex)));
+  }
+  /** Derive an AES-GCM key from a password via PBKDF2 */
+  async deriveKey(password, salt, iterations = 1e5) {
+    const base = await crypto.subtle.importKey("raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
+    return crypto.subtle.deriveKey(
+      { name: "PBKDF2", salt: new TextEncoder().encode(salt), iterations, hash: "SHA-256" },
+      base,
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt", "decrypt"]
+    );
+  }
+};
+export { JoopAesService, JoopCryptoUtils, JoopE2EService, JoopGcmService, JoopRsaService, JoopX25519Service };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map