npm - typesecure - Versions diffs - 0.1.0 - Mend

typesecure 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,720 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ConfigSchema: () => ConfigSchema,
+  EncryptionOptionsSchema: () => EncryptionOptionsSchema,
+  HashOptionsSchema: () => HashOptionsSchema,
+  PasswordHashOptionsSchema: () => PasswordHashOptionsSchema,
+  PasswordStrengthSchema: () => PasswordStrengthSchema,
+  SecurityLevel: () => SecurityLevel,
+  TimingSafeOptionsSchema: () => TimingSafeOptionsSchema,
+  analyzePasswordPatterns: () => analyzePasswordPatterns,
+  calculatePasswordEntropy: () => calculatePasswordEntropy,
+  checkPasswordStrength: () => checkPasswordStrength,
+  decrypt: () => decrypt,
+  encrypt: () => encrypt,
+  generateKey: () => generateKey,
+  generateRandomBytes: () => generateRandomBytes,
+  generateSecurePassword: () => generateSecurePassword,
+  getSecurityLevel: () => getSecurityLevel,
+  hash: () => hash,
+  hashPassword: () => hashPassword,
+  hmac: () => hmac,
+  timingSafeEqual: () => timingSafeEqual,
+  verifyHash: () => verifyHash,
+  verifyPassword: () => verifyPassword
+});
+module.exports = __toCommonJS(index_exports);
+// src/utils/hash.ts
+var import_crypto_js = __toESM(require("crypto-js"));
+// src/types/index.ts
+var import_zod = require("zod");
+var PasswordStrengthSchema = import_zod.z.object({
+  score: import_zod.z.number().min(0).max(4),
+  feedback: import_zod.z.object({
+    warning: import_zod.z.string().optional(),
+    suggestions: import_zod.z.array(import_zod.z.string()).optional()
+  }),
+  isStrong: import_zod.z.boolean()
+});
+var HashOptionsSchema = import_zod.z.object({
+  algorithm: import_zod.z.enum(["md5", "sha1", "sha256", "sha512", "sha3"]).default("sha256"),
+  encoding: import_zod.z.enum(["hex", "base64"]).default("hex")
+});
+var PasswordHashOptionsSchema = import_zod.z.object({
+  algorithm: import_zod.z.enum(["pbkdf2", "argon2", "bcrypt"]).default("pbkdf2"),
+  iterations: import_zod.z.number().min(1e3).default(1e4),
+  saltLength: import_zod.z.number().min(16).default(32),
+  keyLength: import_zod.z.number().min(16).default(64)
+});
+var TimingSafeOptionsSchema = import_zod.z.object({
+  encoding: import_zod.z.enum(["utf8", "hex", "base64"]).default("utf8")
+});
+var EncryptionOptionsSchema = import_zod.z.object({
+  mode: import_zod.z.enum(["aes-cbc", "aes-ctr", "aes-ecb", "aes-gcm"]).default("aes-cbc"),
+  padding: import_zod.z.enum(["Pkcs7", "NoPadding", "ZeroPadding"]).default("Pkcs7"),
+  iv: import_zod.z.string().optional(),
+  authTag: import_zod.z.string().optional(),
+  aad: import_zod.z.string().optional()
+  // Additional authenticated data for GCM mode
+});
+var ConfigSchema = import_zod.z.object({
+  minimumPasswordLength: import_zod.z.number().min(8).default(12),
+  requireNumbers: import_zod.z.boolean().default(true),
+  requireSymbols: import_zod.z.boolean().default(true),
+  requireUppercase: import_zod.z.boolean().default(true),
+  requireLowercase: import_zod.z.boolean().default(true)
+});
+// src/utils/hash.ts
+function hash(input, options) {
+  const validatedOptions = HashOptionsSchema.parse({
+    algorithm: options?.algorithm || "sha256",
+    encoding: options?.encoding || "hex"
+  });
+  let hashedValue;
+  switch (validatedOptions.algorithm) {
+    case "md5":
+      hashedValue = import_crypto_js.default.MD5(input);
+      break;
+    case "sha1":
+      hashedValue = import_crypto_js.default.SHA1(input);
+      break;
+    case "sha256":
+      hashedValue = import_crypto_js.default.SHA256(input);
+      break;
+    case "sha512":
+      hashedValue = import_crypto_js.default.SHA512(input);
+      break;
+    case "sha3":
+      hashedValue = import_crypto_js.default.SHA3(input);
+      break;
+    default:
+      hashedValue = import_crypto_js.default.SHA256(input);
+  }
+  return validatedOptions.encoding === "base64" ? hashedValue.toString(import_crypto_js.default.enc.Base64) : hashedValue.toString(import_crypto_js.default.enc.Hex);
+}
+function verifyHash(input, hashedValue, options) {
+  const newHash = hash(input, options);
+  return newHash === hashedValue;
+}
+function hmac(input, key, options) {
+  const validatedOptions = HashOptionsSchema.parse({
+    algorithm: options?.algorithm || "sha256",
+    encoding: options?.encoding || "hex"
+  });
+  let hmacValue;
+  switch (validatedOptions.algorithm) {
+    case "md5":
+      hmacValue = import_crypto_js.default.HmacMD5(input, key);
+      break;
+    case "sha1":
+      hmacValue = import_crypto_js.default.HmacSHA1(input, key);
+      break;
+    case "sha256":
+      hmacValue = import_crypto_js.default.HmacSHA256(input, key);
+      break;
+    case "sha512":
+      hmacValue = import_crypto_js.default.HmacSHA512(input, key);
+      break;
+    case "sha3":
+      hmacValue = import_crypto_js.default.HmacSHA3(input, key);
+      break;
+    default:
+      hmacValue = import_crypto_js.default.HmacSHA256(input, key);
+  }
+  return validatedOptions.encoding === "base64" ? hmacValue.toString(import_crypto_js.default.enc.Base64) : hmacValue.toString(import_crypto_js.default.enc.Hex);
+}
+function hashPassword(password, options) {
+  const validatedOptions = PasswordHashOptionsSchema.parse({
+    algorithm: options?.algorithm || "pbkdf2",
+    iterations: options?.iterations || 1e4,
+    saltLength: options?.saltLength || 32,
+    keyLength: options?.keyLength || 64
+  });
+  const salt = import_crypto_js.default.lib.WordArray.random(validatedOptions.saltLength / 2).toString(
+    import_crypto_js.default.enc.Hex
+  );
+  let hashedPassword;
+  switch (validatedOptions.algorithm) {
+    case "pbkdf2":
+      hashedPassword = import_crypto_js.default.PBKDF2(password, salt, {
+        keySize: validatedOptions.keyLength / 4,
+        // keySize is in 32-bit words
+        iterations: validatedOptions.iterations
+      }).toString(import_crypto_js.default.enc.Hex);
+      break;
+    case "argon2":
+      hashedPassword = import_crypto_js.default.PBKDF2(password, salt, {
+        keySize: validatedOptions.keyLength / 4,
+        iterations: validatedOptions.iterations * 2
+        // Higher iterations to simulate Argon2 costs
+      }).toString(import_crypto_js.default.enc.Hex);
+      break;
+    case "bcrypt":
+      hashedPassword = import_crypto_js.default.PBKDF2(password, salt, {
+        keySize: validatedOptions.keyLength / 4,
+        iterations: 1024 + validatedOptions.iterations % 1024
+        // bcrypt simulation
+      }).toString(import_crypto_js.default.enc.Hex);
+      break;
+    default:
+      hashedPassword = import_crypto_js.default.PBKDF2(password, salt, {
+        keySize: validatedOptions.keyLength / 4,
+        iterations: validatedOptions.iterations
+      }).toString(import_crypto_js.default.enc.Hex);
+  }
+  return {
+    hash: hashedPassword,
+    salt,
+    params: validatedOptions
+  };
+}
+function verifyPassword(password, hash2, salt, options) {
+  const validatedOptions = PasswordHashOptionsSchema.parse({
+    algorithm: options?.algorithm || "pbkdf2",
+    iterations: options?.iterations || 1e4,
+    saltLength: options?.saltLength || 32,
+    keyLength: options?.keyLength || 64
+  });
+  const { hash: generatedHash } = hashPassword(password, validatedOptions);
+  return timingSafeEqual(generatedHash, hash2);
+}
+function timingSafeEqual(a, b, options) {
+  const validatedOptions = TimingSafeOptionsSchema.parse({
+    encoding: options?.encoding || "utf8"
+  });
+  if (a.length !== b.length) {
+    return false;
+  }
+  let bufferA = a;
+  let bufferB = b;
+  if (validatedOptions.encoding === "hex") {
+    try {
+      bufferA = import_crypto_js.default.enc.Hex.parse(a).toString(import_crypto_js.default.enc.Utf8);
+      bufferB = import_crypto_js.default.enc.Hex.parse(b).toString(import_crypto_js.default.enc.Utf8);
+    } catch {
+      return false;
+    }
+  } else if (validatedOptions.encoding === "base64") {
+    try {
+      bufferA = import_crypto_js.default.enc.Base64.parse(a).toString(import_crypto_js.default.enc.Utf8);
+      bufferB = import_crypto_js.default.enc.Base64.parse(b).toString(import_crypto_js.default.enc.Utf8);
+    } catch {
+      return false;
+    }
+  }
+  let result = 0;
+  for (let i = 0; i < bufferA.length; i++) {
+    result |= bufferA.charCodeAt(i) ^ bufferB.charCodeAt(i);
+  }
+  return result === 0;
+}
+function generateRandomBytes(length = 32, encoding = "hex") {
+  const randomBytes = import_crypto_js.default.lib.WordArray.random(length);
+  return encoding === "base64" ? randomBytes.toString(import_crypto_js.default.enc.Base64) : randomBytes.toString(import_crypto_js.default.enc.Hex);
+}
+// src/utils/encryption.ts
+var import_crypto_js2 = __toESM(require("crypto-js"));
+var SecurityLevel = /* @__PURE__ */ ((SecurityLevel2) => {
+  SecurityLevel2["HIGH"] = "HIGH";
+  SecurityLevel2["MEDIUM"] = "MEDIUM";
+  SecurityLevel2["LOW"] = "LOW";
+  SecurityLevel2["INSECURE"] = "INSECURE";
+  return SecurityLevel2;
+})(SecurityLevel || {});
+function getSecurityLevel(options) {
+  if (options.mode === "aes-gcm") {
+    return "HIGH" /* HIGH */;
+  }
+  if (options.mode === "aes-cbc" || options.mode === "aes-ctr") {
+    return "HIGH" /* HIGH */;
+  }
+  if (options.mode === "aes-ecb") {
+    return "INSECURE" /* INSECURE */;
+  }
+  return "LOW" /* LOW */;
+}
+function logSecurityWarning(options) {
+  const securityLevel = getSecurityLevel(options);
+  switch (securityLevel) {
+    case "INSECURE" /* INSECURE */:
+      console.warn(
+        `\u26A0\uFE0F SECURITY WARNING: ${options.mode} mode is insecure and should not be used in production!`
+      );
+      break;
+    case "LOW" /* LOW */:
+      console.warn(
+        `\u26A0\uFE0F Security Warning: ${options.mode} with ${options.padding} padding provides low security.`
+      );
+      break;
+    case "MEDIUM" /* MEDIUM */:
+      console.info(
+        `\u2139\uFE0F Security Note: ${options.mode} with ${options.padding} padding provides adequate security for most use cases.`
+      );
+      break;
+    case "HIGH" /* HIGH */:
+      break;
+  }
+}
+function encrypt(text, key, options) {
+  const validatedOptions = EncryptionOptionsSchema.parse({
+    mode: options?.mode || "aes-cbc",
+    padding: options?.padding || "Pkcs7",
+    iv: options?.iv,
+    authTag: options?.authTag,
+    aad: options?.aad
+  });
+  logSecurityWarning(validatedOptions);
+  const keyWordArray = import_crypto_js2.default.enc.Utf8.parse(key);
+  let encrypted;
+  const paddingOption = import_crypto_js2.default.pad[validatedOptions.padding];
+  switch (validatedOptions.mode) {
+    case "aes-gcm": {
+      const iv = validatedOptions.iv ? import_crypto_js2.default.enc.Utf8.parse(validatedOptions.iv) : import_crypto_js2.default.lib.WordArray.random(12);
+      const aad = validatedOptions.aad ? import_crypto_js2.default.enc.Utf8.parse(validatedOptions.aad) : void 0;
+      encrypted = import_crypto_js2.default.AES.encrypt(text, keyWordArray, {
+        iv,
+        mode: import_crypto_js2.default.mode.CTR,
+        // Use CTR as a base for GCM simulation
+        padding: paddingOption
+      });
+      const authData = aad ? aad.concat(encrypted.ciphertext) : encrypted.ciphertext;
+      const authTag = import_crypto_js2.default.HmacSHA256(authData, keyWordArray).toString().substring(0, 32);
+      const ivHex = iv.toString(import_crypto_js2.default.enc.Hex);
+      return `${ivHex}:${authTag}:${encrypted.toString()}`;
+    }
+    case "aes-cbc": {
+      const iv = validatedOptions.iv ? import_crypto_js2.default.enc.Utf8.parse(validatedOptions.iv) : import_crypto_js2.default.lib.WordArray.random(16);
+      encrypted = import_crypto_js2.default.AES.encrypt(text, keyWordArray, {
+        iv,
+        padding: paddingOption,
+        mode: import_crypto_js2.default.mode.CBC
+      });
+      if (!validatedOptions.iv) {
+        const ivHex = iv.toString(import_crypto_js2.default.enc.Hex);
+        return `${ivHex}:${encrypted.toString()}`;
+      }
+      break;
+    }
+    case "aes-ctr": {
+      const iv = validatedOptions.iv ? import_crypto_js2.default.enc.Utf8.parse(validatedOptions.iv) : import_crypto_js2.default.lib.WordArray.random(16);
+      encrypted = import_crypto_js2.default.AES.encrypt(text, keyWordArray, {
+        iv,
+        padding: paddingOption,
+        mode: import_crypto_js2.default.mode.CTR
+      });
+      if (!validatedOptions.iv) {
+        const ivHex = iv.toString(import_crypto_js2.default.enc.Hex);
+        return `${ivHex}:${encrypted.toString()}`;
+      }
+      break;
+    }
+    case "aes-ecb":
+      encrypted = import_crypto_js2.default.AES.encrypt(text, keyWordArray, {
+        padding: paddingOption,
+        mode: import_crypto_js2.default.mode.ECB
+      });
+      break;
+    default:
+      throw new Error(`Unsupported encryption mode: ${validatedOptions.mode}`);
+  }
+  return encrypted.toString();
+}
+function decrypt(encryptedText, key, options) {
+  const validatedOptions = EncryptionOptionsSchema.parse({
+    mode: options?.mode || "aes-cbc",
+    padding: options?.padding || "Pkcs7",
+    iv: options?.iv,
+    authTag: options?.authTag,
+    aad: options?.aad
+  });
+  const keyWordArray = import_crypto_js2.default.enc.Utf8.parse(key);
+  let cipherText = encryptedText;
+  let iv;
+  let authTag;
+  if (validatedOptions.mode === "aes-gcm" && encryptedText.includes(":")) {
+    const parts = encryptedText.split(":");
+    if (parts.length >= 3) {
+      const ivHex = parts[0];
+      authTag = parts[1];
+      cipherText = parts[2];
+      iv = import_crypto_js2.default.enc.Hex.parse(ivHex);
+    }
+  } else if (encryptedText.includes(":") && !validatedOptions.iv) {
+    const parts = encryptedText.split(":");
+    const ivHex = parts[0];
+    cipherText = parts[1];
+    iv = import_crypto_js2.default.enc.Hex.parse(ivHex);
+  } else if (validatedOptions.iv) {
+    iv = import_crypto_js2.default.enc.Utf8.parse(validatedOptions.iv);
+  }
+  const paddingOption = import_crypto_js2.default.pad[validatedOptions.padding];
+  let decrypted;
+  switch (validatedOptions.mode) {
+    case "aes-gcm": {
+      if (!iv) {
+        throw new Error("IV is required for GCM mode decryption");
+      }
+      if (!authTag && !validatedOptions.authTag) {
+        throw new Error("Authentication tag is required for GCM mode decryption");
+      }
+      const actualAuthTag = authTag || validatedOptions.authTag;
+      const aad = validatedOptions.aad ? import_crypto_js2.default.enc.Utf8.parse(validatedOptions.aad) : void 0;
+      decrypted = import_crypto_js2.default.AES.decrypt(cipherText, keyWordArray, {
+        iv,
+        mode: import_crypto_js2.default.mode.CTR,
+        padding: paddingOption
+      });
+      const cipherTextObj = import_crypto_js2.default.enc.Base64.parse(cipherText);
+      const authData = aad ? aad.concat(cipherTextObj) : cipherTextObj;
+      const calculatedAuthTag = import_crypto_js2.default.HmacSHA256(authData, keyWordArray).toString().substring(0, 32);
+      if (calculatedAuthTag !== actualAuthTag) {
+        throw new Error("Authentication failed: Invalid authentication tag");
+      }
+      break;
+    }
+    case "aes-cbc":
+      if (!iv && validatedOptions.mode === "aes-cbc") {
+        throw new Error("IV is required for CBC mode decryption");
+      }
+      decrypted = import_crypto_js2.default.AES.decrypt(cipherText, keyWordArray, {
+        iv,
+        padding: paddingOption,
+        mode: import_crypto_js2.default.mode.CBC
+      });
+      break;
+    case "aes-ctr":
+      if (!iv && validatedOptions.mode === "aes-ctr") {
+        throw new Error("IV is required for CTR mode decryption");
+      }
+      decrypted = import_crypto_js2.default.AES.decrypt(cipherText, keyWordArray, {
+        iv,
+        padding: paddingOption,
+        mode: import_crypto_js2.default.mode.CTR
+      });
+      break;
+    case "aes-ecb":
+      console.warn(
+        "\u26A0\uFE0F WARNING: ECB mode does not provide semantic security and should not be used in most applications"
+      );
+      decrypted = import_crypto_js2.default.AES.decrypt(cipherText, keyWordArray, {
+        padding: paddingOption,
+        mode: import_crypto_js2.default.mode.ECB
+      });
+      break;
+    default:
+      throw new Error(`Unsupported encryption mode: ${validatedOptions.mode}`);
+  }
+  try {
+    return decrypted.toString(import_crypto_js2.default.enc.Utf8);
+  } catch {
+    throw new Error("Failed to decrypt: Invalid key or corrupted data");
+  }
+}
+function generateKey(length = 32) {
+  return import_crypto_js2.default.lib.WordArray.random(length).toString(import_crypto_js2.default.enc.Hex);
+}
+// src/utils/password.ts
+function calculatePasswordEntropy(password) {
+  if (!password || password.length === 0) return 0;
+  let poolSize = 0;
+  const hasLowercase = /[a-z]/.test(password);
+  const hasUppercase = /[A-Z]/.test(password);
+  const hasDigits = /\d/.test(password);
+  const hasSymbols = /[^A-Za-z0-9]/.test(password);
+  if (hasLowercase) poolSize += 26;
+  if (hasUppercase) poolSize += 26;
+  if (hasDigits) poolSize += 10;
+  if (hasSymbols) poolSize += 33;
+  const entropy = password.length * Math.log2(poolSize);
+  return Math.round(entropy * 100) / 100;
+}
+function analyzePasswordPatterns(password) {
+  const patterns = [];
+  let entropyReduction = 0;
+  const keyboardPatterns = [
+    "qwerty",
+    "asdfgh",
+    "zxcvbn",
+    "qwertz",
+    "azerty",
+    "123456",
+    "654321"
+  ];
+  const sequentialCheck = (pwd) => {
+    for (let i = 0; i < pwd.length - 2; i++) {
+      const c1 = pwd.charCodeAt(i);
+      const c2 = pwd.charCodeAt(i + 1);
+      const c3 = pwd.charCodeAt(i + 2);
+      if (c1 + 1 === c2 && c2 + 1 === c3 || c1 - 1 === c2 && c2 - 1 === c3) {
+        return true;
+      }
+    }
+    return false;
+  };
+  const repeatedPatternCheck = (pwd) => {
+    if (pwd.length <= 2) return false;
+    for (let len = 2; len <= pwd.length / 2; len++) {
+      for (let i = 0; i <= pwd.length - len * 2; i++) {
+        const pattern = pwd.substring(i, i + len);
+        const nextPart = pwd.substring(i + len, i + len * 2);
+        if (pattern === nextPart) {
+          return true;
+        }
+      }
+    }
+    return false;
+  };
+  for (const pattern of keyboardPatterns) {
+    if (password.toLowerCase().includes(pattern)) {
+      patterns.push("Contains keyboard pattern");
+      entropyReduction += 0.2;
+      break;
+    }
+  }
+  if (sequentialCheck(password)) {
+    patterns.push("Contains sequential characters");
+    entropyReduction += 0.15;
+  }
+  if (repeatedPatternCheck(password)) {
+    patterns.push("Contains repeated patterns");
+    entropyReduction += 0.2;
+  }
+  const l33tMap = {
+    "4": "a",
+    "@": "a",
+    "8": "b",
+    "3": "e",
+    "6": "g",
+    "1": "i",
+    "!": "i",
+    "0": "o",
+    "9": "g",
+    $: "s",
+    "5": "s",
+    "+": "t",
+    "7": "t",
+    "%": "x",
+    "2": "z"
+  };
+  let transformedPassword = password.toLowerCase();
+  for (const [digit, letter] of Object.entries(l33tMap)) {
+    const safeDigit = digit.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    transformedPassword = transformedPassword.replace(
+      new RegExp(safeDigit, "g"),
+      letter
+    );
+  }
+  const commonWords = [
+    "password",
+    "admin",
+    "user",
+    "login",
+    "welcome",
+    "secure",
+    "secret"
+  ];
+  for (const word of commonWords) {
+    if (transformedPassword.includes(word)) {
+      patterns.push("Contains common word with substitutions");
+      entropyReduction += 0.25;
+      break;
+    }
+  }
+  if (/^[a-z]+$/.test(password) || /^[A-Z]+$/.test(password) || /^[0-9]+$/.test(password) || /^[^A-Za-z0-9]+$/.test(password)) {
+    patterns.push("Uses only one character type");
+    entropyReduction += 0.3;
+  }
+  entropyReduction = Math.min(entropyReduction, 0.9);
+  return { entropyReduction, patterns };
+}
+function checkPasswordStrength(password, config) {
+  const validatedConfig = ConfigSchema.parse({
+    minimumPasswordLength: config?.minimumPasswordLength || 12,
+    requireNumbers: config?.requireNumbers !== void 0 ? config.requireNumbers : true,
+    requireSymbols: config?.requireSymbols !== void 0 ? config.requireSymbols : true,
+    requireUppercase: config?.requireUppercase !== void 0 ? config.requireUppercase : true,
+    requireLowercase: config?.requireLowercase !== void 0 ? config.requireLowercase : true
+  });
+  const hasMinLength = password.length >= validatedConfig.minimumPasswordLength;
+  const hasNumbers = /\d/.test(password);
+  const hasSymbols = /[^A-Za-z0-9]/.test(password);
+  const hasUppercase = /[A-Z]/.test(password);
+  const hasLowercase = /[a-z]/.test(password);
+  const suggestions = [];
+  let warning = "";
+  let criteriaCount = 0;
+  if (hasMinLength) criteriaCount++;
+  if (hasNumbers && validatedConfig.requireNumbers) criteriaCount++;
+  if (hasSymbols && validatedConfig.requireSymbols) criteriaCount++;
+  if (hasUppercase && validatedConfig.requireUppercase) criteriaCount++;
+  if (hasLowercase && validatedConfig.requireLowercase) criteriaCount++;
+  if (!hasMinLength) {
+    warning = "Password is too short";
+    suggestions.push(
+      `Password should be at least ${validatedConfig.minimumPasswordLength} characters long`
+    );
+  }
+  if (validatedConfig.requireNumbers && !hasNumbers) {
+    suggestions.push("Add numbers to make your password stronger");
+  }
+  if (validatedConfig.requireSymbols && !hasSymbols) {
+    suggestions.push("Add symbols to make your password stronger");
+  }
+  if (validatedConfig.requireUppercase && !hasUppercase) {
+    suggestions.push("Add uppercase letters to make your password stronger");
+  }
+  if (validatedConfig.requireLowercase && !hasLowercase) {
+    suggestions.push("Add lowercase letters to make your password stronger");
+  }
+  const entropy = calculatePasswordEntropy(password);
+  const { entropyReduction, patterns } = analyzePasswordPatterns(password);
+  const effectiveEntropy = entropy * (1 - entropyReduction);
+  suggestions.push(
+    ...patterns.map((p) => `${p}: Consider a more random pattern`)
+  );
+  let score;
+  if (effectiveEntropy < 28) {
+    score = 0;
+    if (!warning) warning = "Very weak password";
+  } else if (effectiveEntropy < 36) {
+    score = 1;
+    if (!warning) warning = "Weak password";
+  } else if (effectiveEntropy < 60) {
+    score = 2;
+  } else if (effectiveEntropy < 80) {
+    score = 3;
+  } else {
+    score = 4;
+  }
+  const criteriaBoost = criteriaCount >= 5 ? 1 : 0;
+  score = Math.min(4, score + criteriaBoost);
+  if (!hasMinLength || validatedConfig.requireNumbers && !hasNumbers || validatedConfig.requireSymbols && !hasSymbols || validatedConfig.requireUppercase && !hasUppercase || validatedConfig.requireLowercase && !hasLowercase) {
+    score = Math.min(score, 2);
+  }
+  if (effectiveEntropy < 50) {
+    suggestions.push(
+      `Increase password entropy (currently ~${Math.round(
+        effectiveEntropy
+      )} bits)`
+    );
+  }
+  const isStrong = hasMinLength && (!validatedConfig.requireNumbers || hasNumbers) && (!validatedConfig.requireSymbols || hasSymbols) && (!validatedConfig.requireUppercase || hasUppercase) && (!validatedConfig.requireLowercase || hasLowercase) && score >= 3;
+  return PasswordStrengthSchema.parse({
+    score,
+    feedback: {
+      warning,
+      suggestions: suggestions.length > 0 ? suggestions : void 0
+    },
+    isStrong
+  });
+}
+function generateSecurePassword(config) {
+  const validatedConfig = ConfigSchema.parse({
+    minimumPasswordLength: config?.minimumPasswordLength || 12,
+    requireNumbers: config?.requireNumbers !== void 0 ? config.requireNumbers : true,
+    requireSymbols: config?.requireSymbols !== void 0 ? config.requireSymbols : true,
+    requireUppercase: config?.requireUppercase !== void 0 ? config.requireUppercase : true,
+    requireLowercase: config?.requireLowercase !== void 0 ? config.requireLowercase : true
+  });
+  const length = validatedConfig.minimumPasswordLength;
+  const lowercaseChars = "abcdefghijklmnopqrstuvwxyz";
+  const uppercaseChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  const numbers = "0123456789";
+  const symbols = "!@#$%^&*()_+-=[]{}|;:,.<>?";
+  let characters = "";
+  let password = "";
+  if (validatedConfig.requireLowercase) characters += lowercaseChars;
+  if (validatedConfig.requireUppercase) characters += uppercaseChars;
+  if (validatedConfig.requireNumbers) characters += numbers;
+  if (validatedConfig.requireSymbols) characters += symbols;
+  if (validatedConfig.requireLowercase) {
+    password += lowercaseChars.charAt(
+      Math.floor(Math.random() * lowercaseChars.length)
+    );
+  }
+  if (validatedConfig.requireUppercase) {
+    password += uppercaseChars.charAt(
+      Math.floor(Math.random() * uppercaseChars.length)
+    );
+  }
+  if (validatedConfig.requireNumbers) {
+    password += numbers.charAt(Math.floor(Math.random() * numbers.length));
+  }
+  if (validatedConfig.requireSymbols) {
+    password += symbols.charAt(Math.floor(Math.random() * symbols.length));
+  }
+  for (let i = password.length; i < length; i++) {
+    password += characters.charAt(
+      Math.floor(Math.random() * characters.length)
+    );
+  }
+  return shuffleString(password);
+}
+function shuffleString(str) {
+  const array = str.split("");
+  for (let i = array.length - 1; i > 0; i--) {
+    const j = Math.floor(Math.random() * (i + 1));
+    [array[i], array[j]] = [array[j], array[i]];
+  }
+  return array.join("");
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ConfigSchema,
+  EncryptionOptionsSchema,
+  HashOptionsSchema,
+  PasswordHashOptionsSchema,
+  PasswordStrengthSchema,
+  SecurityLevel,
+  TimingSafeOptionsSchema,
+  analyzePasswordPatterns,
+  calculatePasswordEntropy,
+  checkPasswordStrength,
+  decrypt,
+  encrypt,
+  generateKey,
+  generateRandomBytes,
+  generateSecurePassword,
+  getSecurityLevel,
+  hash,
+  hashPassword,
+  hmac,
+  timingSafeEqual,
+  verifyHash,
+  verifyPassword
+});