w3pk 0.9.3 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -52,6 +52,7 @@ const endpoints = await w3pk.getEndpoints(1)
52
52
  - EIP-1193 provider for ethers, viem, wagmi, RainbowKit (`getEIP1193Provider`)
53
53
  - ERC-5564 stealth addresses (opt-in)
54
54
  - ZK primitives (zero-knowledge proof generation and verification)
55
+ - Post-quantum encryption (ML-KEM-1024/Kyber NIST FIPS 203)
55
56
  - Chainlist support (2390+ networks)
56
57
  - EIP-7702 network detection (329+ networks)
57
58
  - External wallet integration (delegate MetaMask/Ledger to w3pk via EIP-7702)
@@ -337,6 +338,15 @@ if (result.isForUser) {
337
338
  const myPayments = await w3pk.stealth?.scanAnnouncements(announcements)
338
339
  ```
339
340
 
341
+ ### ML-KEM encryption
342
+
343
+ ```typescript
344
+ // Encrypt with post-quantum security (NIST FIPS 203)
345
+ const pubKey = await w3pk.deriveMLKemPublicKey()
346
+ const encrypted = await w3pk.mlkemEncrypt('secret', [pubKey])
347
+ const plaintext = await w3pk.mlkemDecrypt(encrypted)
348
+ ```
349
+
340
350
  ### Backup & Recovery
341
351
 
342
352
  ```typescript
@@ -418,6 +428,8 @@ console.log('Verified:', isValid ? '✅' : '❌')
418
428
 
419
429
  ### Security Inspection
420
430
 
431
+ > **⚠️ Privacy Notice:** This optional feature sends application source code to an external API (Rukh) for AI analysis. User IP address will be visible to the API server.
432
+
421
433
  Analyze web3 applications to understand their transaction and signing methods:
422
434
 
423
435
  **Browser (analyze current page):**
package/dist/index.d.mts CHANGED
@@ -1016,6 +1016,111 @@ declare class Web3Passkey {
1016
1016
  * @param hours - Duration in hours
1017
1017
  */
1018
1018
  setSessionDuration(hours: number): void;
1019
+ /**
1020
+ * Derive ML-KEM-1024 public key from the current wallet
1021
+ *
1022
+ * Returns the public key that can be shared with others for encryption.
1023
+ * The keypair is derived deterministically from the wallet's private key.
1024
+ *
1025
+ * @param options - Optional configuration
1026
+ * @param options.context - Context string for domain separation (default: 'mlkem-v1')
1027
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1028
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1029
+ * @param options.origin - Origin for derivation (default: current origin)
1030
+ * @param options.requireAuth - Force WebAuthn re-authentication
1031
+ * @returns Base64-encoded ML-KEM public key (1568 bytes)
1032
+ *
1033
+ * @example
1034
+ * ```typescript
1035
+ * const w3pk = createWeb3Passkey();
1036
+ * await w3pk.login();
1037
+ *
1038
+ * const publicKey = await w3pk.deriveMLKemPublicKey();
1039
+ * // Share publicKey with others so they can encrypt data for you
1040
+ * ```
1041
+ */
1042
+ deriveMLKemPublicKey(options?: {
1043
+ context?: string;
1044
+ mode?: SecurityMode;
1045
+ tag?: string;
1046
+ origin?: string;
1047
+ requireAuth?: boolean;
1048
+ }): Promise<string>;
1049
+ /**
1050
+ * Encrypt data using ML-KEM-1024 for self + additional recipients
1051
+ *
1052
+ * Encrypts data such that you (the sender) and specified recipients can decrypt.
1053
+ * Your ML-KEM keypair is derived from your wallet, so you can always decrypt later.
1054
+ *
1055
+ * @param plaintext - The data to encrypt
1056
+ * @param recipientPublicKeys - Array of recipient ML-KEM public keys (base64 strings or Uint8Arrays)
1057
+ * @param options - Optional configuration
1058
+ * @param options.context - Context string for key derivation (default: 'mlkem-v1')
1059
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1060
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1061
+ * @param options.origin - Origin for derivation (default: current origin)
1062
+ * @param options.requireAuth - Force WebAuthn re-authentication
1063
+ * @returns Encrypted payload that can be decrypted by sender or recipients
1064
+ *
1065
+ * @example
1066
+ * ```typescript
1067
+ * const w3pk = createWeb3Passkey();
1068
+ * await w3pk.login();
1069
+ *
1070
+ * // Get server's public key
1071
+ * const serverPubKey = await fetch('/api/mlkem-public-key').then(r => r.text());
1072
+ *
1073
+ * // Encrypt for yourself + server
1074
+ * const encrypted = await w3pk.mlkemEncrypt(
1075
+ * 'my secret data',
1076
+ * [serverPubKey]
1077
+ * );
1078
+ *
1079
+ * // Later: decrypt with the same wallet
1080
+ * const decrypted = await w3pk.mlkemDecrypt(encrypted);
1081
+ * ```
1082
+ */
1083
+ mlkemEncrypt(plaintext: string, recipientPublicKeys: Array<string | Uint8Array>, options?: {
1084
+ context?: string;
1085
+ mode?: SecurityMode;
1086
+ tag?: string;
1087
+ origin?: string;
1088
+ requireAuth?: boolean;
1089
+ }): Promise<any>;
1090
+ /**
1091
+ * Decrypt ML-KEM encrypted data using current wallet
1092
+ *
1093
+ * Decrypts data that was encrypted for this wallet.
1094
+ * The ML-KEM keypair is derived from your wallet's private key.
1095
+ *
1096
+ * @param payload - The encrypted payload (from mlkemEncrypt)
1097
+ * @param options - Optional configuration
1098
+ * @param options.context - Context string for key derivation (default: 'mlkem-v1', must match encryption)
1099
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1100
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1101
+ * @param options.origin - Origin for derivation (default: current origin)
1102
+ * @param options.requireAuth - Force WebAuthn re-authentication
1103
+ * @returns Decrypted plaintext
1104
+ *
1105
+ * @example
1106
+ * ```typescript
1107
+ * const w3pk = createWeb3Passkey();
1108
+ * await w3pk.login();
1109
+ *
1110
+ * // Retrieve encrypted data
1111
+ * const encrypted = await fetch('/api/my-data').then(r => r.json());
1112
+ *
1113
+ * // Decrypt locally (server never sees plaintext!)
1114
+ * const plaintext = await w3pk.mlkemDecrypt(encrypted);
1115
+ * ```
1116
+ */
1117
+ mlkemDecrypt(payload: any, options?: {
1118
+ context?: string;
1119
+ mode?: SecurityMode;
1120
+ tag?: string;
1121
+ origin?: string;
1122
+ requireAuth?: boolean;
1123
+ }): Promise<string>;
1019
1124
  }
1020
1125
 
1021
1126
  /**
@@ -1209,6 +1314,14 @@ interface AuthenticationCredential {
1209
1314
  signature: ArrayBuffer;
1210
1315
  userHandle?: ArrayBuffer;
1211
1316
  };
1317
+ getClientExtensionResults(): {
1318
+ prf?: {
1319
+ results?: {
1320
+ first?: ArrayBuffer;
1321
+ second?: ArrayBuffer;
1322
+ };
1323
+ };
1324
+ };
1212
1325
  }
1213
1326
 
1214
1327
  /**
@@ -2008,6 +2121,11 @@ interface BrowserInspectOptions {
2008
2121
  * @default 'transactions'
2009
2122
  */
2010
2123
  focusMode?: "transactions" | "all";
2124
+ /**
2125
+ * Maximum total size in KB for all collected code (prevents exceeding API token limits)
2126
+ * @default 100
2127
+ */
2128
+ maxTotalSizeKB?: number;
2011
2129
  }
2012
2130
  /**
2013
2131
  * Result of a browser-based inspection
@@ -2067,6 +2185,105 @@ declare function inspect(options?: BrowserInspectOptions): Promise<BrowserInspec
2067
2185
  */
2068
2186
  declare function inspectNow(options?: BrowserInspectOptions): Promise<void>;
2069
2187
 
2188
+ interface MLKemKeypair {
2189
+ publicKey: Uint8Array;
2190
+ privateKey: Uint8Array;
2191
+ }
2192
+ interface EncryptedPayload {
2193
+ recipients: Array<{
2194
+ publicKey: string;
2195
+ ciphertext: string;
2196
+ }>;
2197
+ encryptedData: string;
2198
+ iv: string;
2199
+ authTag: string;
2200
+ }
2201
+ /**
2202
+ * Derive deterministic ML-KEM-1024 keypair from any private key material
2203
+ *
2204
+ * Uses HKDF-SHA256 to derive a 64-byte seed from the input key material,
2205
+ * then generates a reproducible ML-KEM-1024 keypair.
2206
+ *
2207
+ * @param privateKey - Private key material (hex string with optional 0x prefix, or Uint8Array)
2208
+ * @param context - Context string for domain separation (default: 'mlkem-v1')
2209
+ * @returns ML-KEM-1024 keypair (publicKey: 1568 bytes, privateKey: 3168 bytes)
2210
+ *
2211
+ * @example
2212
+ * ```typescript
2213
+ * // Derive from Ethereum private key
2214
+ * const ethPrivateKey = '0x1234...';
2215
+ * const keypair = await deriveMLKemKeypair(ethPrivateKey, 'my-app');
2216
+ *
2217
+ * // Derive from any 32-byte key
2218
+ * const randomKey = crypto.getRandomValues(new Uint8Array(32));
2219
+ * const keypair2 = await deriveMLKemKeypair(randomKey);
2220
+ * ```
2221
+ */
2222
+ declare function deriveMLKemKeypair(privateKey: string | Uint8Array, context?: string): Promise<MLKemKeypair>;
2223
+ /**
2224
+ * Encrypt data using ML-KEM-1024 + AES-256-GCM for multiple recipients
2225
+ *
2226
+ * @param plaintext - The data to encrypt
2227
+ * @param publicKeys - Array of ML-KEM-1024 public keys (base64 strings or Uint8Arrays, 1568 bytes each)
2228
+ * @returns Encrypted payload with per-recipient ciphertexts and shared encrypted data
2229
+ */
2230
+ declare function mlkemEncrypt(plaintext: string, publicKeys: (string | Uint8Array) | Array<string | Uint8Array>): Promise<EncryptedPayload>;
2231
+ /**
2232
+ * Decrypt data encrypted with mlkemEncrypt()
2233
+ *
2234
+ * @param payload - The encrypted payload
2235
+ * @param privateKey - ML-KEM-1024 private key (base64 string or Uint8Array, 3168 bytes)
2236
+ * @param publicKey - Optional: Your public key to find the correct recipient entry (base64 string or Uint8Array, 1568 bytes)
2237
+ * @returns Decrypted plaintext
2238
+ */
2239
+ declare function mlkemDecrypt(payload: EncryptedPayload, privateKey: string | Uint8Array, publicKey?: string | Uint8Array): Promise<string>;
2240
+ /**
2241
+ * Encrypt data with ML-KEM using derived keypairs from private keys
2242
+ *
2243
+ * This is a convenience function that derives ML-KEM keypairs from private key material,
2244
+ * then encrypts the data for all recipients. The sender's keypair is derived and used
2245
+ * as one of the recipients.
2246
+ *
2247
+ * @param plaintext - The data to encrypt
2248
+ * @param senderPrivateKey - Sender's private key (hex string or Uint8Array)
2249
+ * @param recipientPublicKeys - Array of recipient ML-KEM public keys (from deriveMLKemKeypair)
2250
+ * @param senderContext - Context for sender's key derivation (default: 'mlkem-v1')
2251
+ * @returns Encrypted payload with sender + recipients
2252
+ *
2253
+ * @example
2254
+ * ```typescript
2255
+ * // Encrypt for yourself + server
2256
+ * const serverKeypair = await deriveMLKemKeypair(serverPrivateKey, 'server');
2257
+ * const encrypted = await mlkemEncryptWithKey(
2258
+ * 'secret data',
2259
+ * myEthPrivateKey,
2260
+ * [serverKeypair.publicKey]
2261
+ * );
2262
+ * ```
2263
+ */
2264
+ declare function mlkemEncryptWithKey(plaintext: string, senderPrivateKey: string | Uint8Array, recipientPublicKeys: Array<string | Uint8Array>, senderContext?: string): Promise<EncryptedPayload>;
2265
+ /**
2266
+ * Decrypt data with ML-KEM using a derived keypair from private key
2267
+ *
2268
+ * This is a convenience function that derives an ML-KEM keypair from private key material,
2269
+ * then decrypts the payload.
2270
+ *
2271
+ * @param payload - The encrypted payload
2272
+ * @param privateKey - Private key material (hex string or Uint8Array)
2273
+ * @param context - Context for key derivation (default: 'mlkem-v1')
2274
+ * @returns Decrypted plaintext
2275
+ *
2276
+ * @example
2277
+ * ```typescript
2278
+ * // Decrypt with your Ethereum private key
2279
+ * const plaintext = await mlkemDecryptWithKey(
2280
+ * encryptedPayload,
2281
+ * myEthPrivateKey
2282
+ * );
2283
+ * ```
2284
+ */
2285
+ declare function mlkemDecryptWithKey(payload: EncryptedPayload, privateKey: string | Uint8Array, context?: string): Promise<string>;
2286
+
2070
2287
  declare function createWeb3Passkey(config?: Web3PasskeyConfig): Web3Passkey;
2071
2288
 
2072
- export { ApiError, AuthenticationError, type BackupStatus, type BrowserInspectOptions, type BrowserInspectResult, CryptoError, DEFAULT_MODE, DEFAULT_TAG, type DeviceInfo, type EIP1193Provider, type EIP7702Authorization, type EncryptedBackupInfo, type Guardian, type GuardianInvite, type PasskeySelectionResult, type QRBackupOptions, type RecoveryProgress, type RecoveryScenario, type RecoveryShare, RecoverySimulator, RegistrationError, type SecurityScore, type SignAuthorizationParams, type SimulationResult, type SiweMessage, type SocialRecoveryConfig, SocialRecoveryManager, type StealthAddressConfig, StealthAddressModule, type StealthAddressResult, type StealthKeys, StorageError, type SyncCapabilities, type SyncStatus, type SyncVault, type UserInfo, WalletError, type WalletInfo, Web3Passkey, type Web3PasskeyConfig, Web3PasskeyError, arrayBufferToBase64Url, assertEthereumAddress, assertMnemonic, assertUsername, authenticateWithPasskey, base64ToArrayBuffer, base64UrlDecode, base64UrlToArrayBuffer, canControlStealthAddress, checkStealthAddress, clearCache, computeStealthPrivateKey, createSiweMessage, createWalletFromMnemonic, createWeb3Passkey, createWeb3Passkey as default, deriveAddressFromP256PublicKey, deriveIndexFromOriginModeAndTag, deriveStealthKeys, deriveWalletFromMnemonic, detectWalletProvider, encodeEIP7702AuthorizationMessage, extractRS, generateBIP39Wallet, generateSiweNonce, generateStealthAddress, getAllChains, getAllTopics, getChainById, getCurrentBuildHash, getCurrentOrigin, getDefaultProvider, getEndpoints, getExplainer, getOriginSpecificAddress, getPackageVersion, getW3pkBuildHash, hashEIP7702AuthorizationMessage, inspect, inspectNow, isStrongPassword, normalizeOrigin, parseSiweMessage, promptPasskeySelection, requestExternalWalletAuthorization, safeAtob, safeBtoa, searchExplainers, supportsEIP7702Authorization, validateEthereumAddress, validateMnemonic, validateSiweMessage, validateUsername, verifyBuildHash, verifyEIP7702Authorization, verifySiweSignature };
2289
+ export { ApiError, AuthenticationError, type BackupStatus, type BrowserInspectOptions, type BrowserInspectResult, CryptoError, DEFAULT_MODE, DEFAULT_TAG, type DeviceInfo, type EIP1193Provider, type EIP7702Authorization, type EncryptedBackupInfo, type EncryptedPayload, type Guardian, type GuardianInvite, type MLKemKeypair, type PasskeySelectionResult, type QRBackupOptions, type RecoveryProgress, type RecoveryScenario, type RecoveryShare, RecoverySimulator, RegistrationError, type SecurityScore, type SignAuthorizationParams, type SimulationResult, type SiweMessage, type SocialRecoveryConfig, SocialRecoveryManager, type StealthAddressConfig, StealthAddressModule, type StealthAddressResult, type StealthKeys, StorageError, type SyncCapabilities, type SyncStatus, type SyncVault, type UserInfo, WalletError, type WalletInfo, Web3Passkey, type Web3PasskeyConfig, Web3PasskeyError, arrayBufferToBase64Url, assertEthereumAddress, assertMnemonic, assertUsername, authenticateWithPasskey, base64ToArrayBuffer, base64UrlDecode, base64UrlToArrayBuffer, canControlStealthAddress, checkStealthAddress, clearCache, computeStealthPrivateKey, createSiweMessage, createWalletFromMnemonic, createWeb3Passkey, createWeb3Passkey as default, deriveAddressFromP256PublicKey, deriveIndexFromOriginModeAndTag, deriveMLKemKeypair, deriveStealthKeys, deriveWalletFromMnemonic, detectWalletProvider, encodeEIP7702AuthorizationMessage, extractRS, generateBIP39Wallet, generateSiweNonce, generateStealthAddress, getAllChains, getAllTopics, getChainById, getCurrentBuildHash, getCurrentOrigin, getDefaultProvider, getEndpoints, getExplainer, getOriginSpecificAddress, getPackageVersion, getW3pkBuildHash, hashEIP7702AuthorizationMessage, inspect, inspectNow, isStrongPassword, mlkemDecrypt, mlkemDecryptWithKey, mlkemEncrypt, mlkemEncryptWithKey, normalizeOrigin, parseSiweMessage, promptPasskeySelection, requestExternalWalletAuthorization, safeAtob, safeBtoa, searchExplainers, supportsEIP7702Authorization, validateEthereumAddress, validateMnemonic, validateSiweMessage, validateUsername, verifyBuildHash, verifyEIP7702Authorization, verifySiweSignature };
package/dist/index.d.ts CHANGED
@@ -1016,6 +1016,111 @@ declare class Web3Passkey {
1016
1016
  * @param hours - Duration in hours
1017
1017
  */
1018
1018
  setSessionDuration(hours: number): void;
1019
+ /**
1020
+ * Derive ML-KEM-1024 public key from the current wallet
1021
+ *
1022
+ * Returns the public key that can be shared with others for encryption.
1023
+ * The keypair is derived deterministically from the wallet's private key.
1024
+ *
1025
+ * @param options - Optional configuration
1026
+ * @param options.context - Context string for domain separation (default: 'mlkem-v1')
1027
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1028
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1029
+ * @param options.origin - Origin for derivation (default: current origin)
1030
+ * @param options.requireAuth - Force WebAuthn re-authentication
1031
+ * @returns Base64-encoded ML-KEM public key (1568 bytes)
1032
+ *
1033
+ * @example
1034
+ * ```typescript
1035
+ * const w3pk = createWeb3Passkey();
1036
+ * await w3pk.login();
1037
+ *
1038
+ * const publicKey = await w3pk.deriveMLKemPublicKey();
1039
+ * // Share publicKey with others so they can encrypt data for you
1040
+ * ```
1041
+ */
1042
+ deriveMLKemPublicKey(options?: {
1043
+ context?: string;
1044
+ mode?: SecurityMode;
1045
+ tag?: string;
1046
+ origin?: string;
1047
+ requireAuth?: boolean;
1048
+ }): Promise<string>;
1049
+ /**
1050
+ * Encrypt data using ML-KEM-1024 for self + additional recipients
1051
+ *
1052
+ * Encrypts data such that you (the sender) and specified recipients can decrypt.
1053
+ * Your ML-KEM keypair is derived from your wallet, so you can always decrypt later.
1054
+ *
1055
+ * @param plaintext - The data to encrypt
1056
+ * @param recipientPublicKeys - Array of recipient ML-KEM public keys (base64 strings or Uint8Arrays)
1057
+ * @param options - Optional configuration
1058
+ * @param options.context - Context string for key derivation (default: 'mlkem-v1')
1059
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1060
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1061
+ * @param options.origin - Origin for derivation (default: current origin)
1062
+ * @param options.requireAuth - Force WebAuthn re-authentication
1063
+ * @returns Encrypted payload that can be decrypted by sender or recipients
1064
+ *
1065
+ * @example
1066
+ * ```typescript
1067
+ * const w3pk = createWeb3Passkey();
1068
+ * await w3pk.login();
1069
+ *
1070
+ * // Get server's public key
1071
+ * const serverPubKey = await fetch('/api/mlkem-public-key').then(r => r.text());
1072
+ *
1073
+ * // Encrypt for yourself + server
1074
+ * const encrypted = await w3pk.mlkemEncrypt(
1075
+ * 'my secret data',
1076
+ * [serverPubKey]
1077
+ * );
1078
+ *
1079
+ * // Later: decrypt with the same wallet
1080
+ * const decrypted = await w3pk.mlkemDecrypt(encrypted);
1081
+ * ```
1082
+ */
1083
+ mlkemEncrypt(plaintext: string, recipientPublicKeys: Array<string | Uint8Array>, options?: {
1084
+ context?: string;
1085
+ mode?: SecurityMode;
1086
+ tag?: string;
1087
+ origin?: string;
1088
+ requireAuth?: boolean;
1089
+ }): Promise<any>;
1090
+ /**
1091
+ * Decrypt ML-KEM encrypted data using current wallet
1092
+ *
1093
+ * Decrypts data that was encrypted for this wallet.
1094
+ * The ML-KEM keypair is derived from your wallet's private key.
1095
+ *
1096
+ * @param payload - The encrypted payload (from mlkemEncrypt)
1097
+ * @param options - Optional configuration
1098
+ * @param options.context - Context string for key derivation (default: 'mlkem-v1', must match encryption)
1099
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1100
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1101
+ * @param options.origin - Origin for derivation (default: current origin)
1102
+ * @param options.requireAuth - Force WebAuthn re-authentication
1103
+ * @returns Decrypted plaintext
1104
+ *
1105
+ * @example
1106
+ * ```typescript
1107
+ * const w3pk = createWeb3Passkey();
1108
+ * await w3pk.login();
1109
+ *
1110
+ * // Retrieve encrypted data
1111
+ * const encrypted = await fetch('/api/my-data').then(r => r.json());
1112
+ *
1113
+ * // Decrypt locally (server never sees plaintext!)
1114
+ * const plaintext = await w3pk.mlkemDecrypt(encrypted);
1115
+ * ```
1116
+ */
1117
+ mlkemDecrypt(payload: any, options?: {
1118
+ context?: string;
1119
+ mode?: SecurityMode;
1120
+ tag?: string;
1121
+ origin?: string;
1122
+ requireAuth?: boolean;
1123
+ }): Promise<string>;
1019
1124
  }
1020
1125
 
1021
1126
  /**
@@ -1209,6 +1314,14 @@ interface AuthenticationCredential {
1209
1314
  signature: ArrayBuffer;
1210
1315
  userHandle?: ArrayBuffer;
1211
1316
  };
1317
+ getClientExtensionResults(): {
1318
+ prf?: {
1319
+ results?: {
1320
+ first?: ArrayBuffer;
1321
+ second?: ArrayBuffer;
1322
+ };
1323
+ };
1324
+ };
1212
1325
  }
1213
1326
 
1214
1327
  /**
@@ -2008,6 +2121,11 @@ interface BrowserInspectOptions {
2008
2121
  * @default 'transactions'
2009
2122
  */
2010
2123
  focusMode?: "transactions" | "all";
2124
+ /**
2125
+ * Maximum total size in KB for all collected code (prevents exceeding API token limits)
2126
+ * @default 100
2127
+ */
2128
+ maxTotalSizeKB?: number;
2011
2129
  }
2012
2130
  /**
2013
2131
  * Result of a browser-based inspection
@@ -2067,6 +2185,105 @@ declare function inspect(options?: BrowserInspectOptions): Promise<BrowserInspec
2067
2185
  */
2068
2186
  declare function inspectNow(options?: BrowserInspectOptions): Promise<void>;
2069
2187
 
2188
+ interface MLKemKeypair {
2189
+ publicKey: Uint8Array;
2190
+ privateKey: Uint8Array;
2191
+ }
2192
+ interface EncryptedPayload {
2193
+ recipients: Array<{
2194
+ publicKey: string;
2195
+ ciphertext: string;
2196
+ }>;
2197
+ encryptedData: string;
2198
+ iv: string;
2199
+ authTag: string;
2200
+ }
2201
+ /**
2202
+ * Derive deterministic ML-KEM-1024 keypair from any private key material
2203
+ *
2204
+ * Uses HKDF-SHA256 to derive a 64-byte seed from the input key material,
2205
+ * then generates a reproducible ML-KEM-1024 keypair.
2206
+ *
2207
+ * @param privateKey - Private key material (hex string with optional 0x prefix, or Uint8Array)
2208
+ * @param context - Context string for domain separation (default: 'mlkem-v1')
2209
+ * @returns ML-KEM-1024 keypair (publicKey: 1568 bytes, privateKey: 3168 bytes)
2210
+ *
2211
+ * @example
2212
+ * ```typescript
2213
+ * // Derive from Ethereum private key
2214
+ * const ethPrivateKey = '0x1234...';
2215
+ * const keypair = await deriveMLKemKeypair(ethPrivateKey, 'my-app');
2216
+ *
2217
+ * // Derive from any 32-byte key
2218
+ * const randomKey = crypto.getRandomValues(new Uint8Array(32));
2219
+ * const keypair2 = await deriveMLKemKeypair(randomKey);
2220
+ * ```
2221
+ */
2222
+ declare function deriveMLKemKeypair(privateKey: string | Uint8Array, context?: string): Promise<MLKemKeypair>;
2223
+ /**
2224
+ * Encrypt data using ML-KEM-1024 + AES-256-GCM for multiple recipients
2225
+ *
2226
+ * @param plaintext - The data to encrypt
2227
+ * @param publicKeys - Array of ML-KEM-1024 public keys (base64 strings or Uint8Arrays, 1568 bytes each)
2228
+ * @returns Encrypted payload with per-recipient ciphertexts and shared encrypted data
2229
+ */
2230
+ declare function mlkemEncrypt(plaintext: string, publicKeys: (string | Uint8Array) | Array<string | Uint8Array>): Promise<EncryptedPayload>;
2231
+ /**
2232
+ * Decrypt data encrypted with mlkemEncrypt()
2233
+ *
2234
+ * @param payload - The encrypted payload
2235
+ * @param privateKey - ML-KEM-1024 private key (base64 string or Uint8Array, 3168 bytes)
2236
+ * @param publicKey - Optional: Your public key to find the correct recipient entry (base64 string or Uint8Array, 1568 bytes)
2237
+ * @returns Decrypted plaintext
2238
+ */
2239
+ declare function mlkemDecrypt(payload: EncryptedPayload, privateKey: string | Uint8Array, publicKey?: string | Uint8Array): Promise<string>;
2240
+ /**
2241
+ * Encrypt data with ML-KEM using derived keypairs from private keys
2242
+ *
2243
+ * This is a convenience function that derives ML-KEM keypairs from private key material,
2244
+ * then encrypts the data for all recipients. The sender's keypair is derived and used
2245
+ * as one of the recipients.
2246
+ *
2247
+ * @param plaintext - The data to encrypt
2248
+ * @param senderPrivateKey - Sender's private key (hex string or Uint8Array)
2249
+ * @param recipientPublicKeys - Array of recipient ML-KEM public keys (from deriveMLKemKeypair)
2250
+ * @param senderContext - Context for sender's key derivation (default: 'mlkem-v1')
2251
+ * @returns Encrypted payload with sender + recipients
2252
+ *
2253
+ * @example
2254
+ * ```typescript
2255
+ * // Encrypt for yourself + server
2256
+ * const serverKeypair = await deriveMLKemKeypair(serverPrivateKey, 'server');
2257
+ * const encrypted = await mlkemEncryptWithKey(
2258
+ * 'secret data',
2259
+ * myEthPrivateKey,
2260
+ * [serverKeypair.publicKey]
2261
+ * );
2262
+ * ```
2263
+ */
2264
+ declare function mlkemEncryptWithKey(plaintext: string, senderPrivateKey: string | Uint8Array, recipientPublicKeys: Array<string | Uint8Array>, senderContext?: string): Promise<EncryptedPayload>;
2265
+ /**
2266
+ * Decrypt data with ML-KEM using a derived keypair from private key
2267
+ *
2268
+ * This is a convenience function that derives an ML-KEM keypair from private key material,
2269
+ * then decrypts the payload.
2270
+ *
2271
+ * @param payload - The encrypted payload
2272
+ * @param privateKey - Private key material (hex string or Uint8Array)
2273
+ * @param context - Context for key derivation (default: 'mlkem-v1')
2274
+ * @returns Decrypted plaintext
2275
+ *
2276
+ * @example
2277
+ * ```typescript
2278
+ * // Decrypt with your Ethereum private key
2279
+ * const plaintext = await mlkemDecryptWithKey(
2280
+ * encryptedPayload,
2281
+ * myEthPrivateKey
2282
+ * );
2283
+ * ```
2284
+ */
2285
+ declare function mlkemDecryptWithKey(payload: EncryptedPayload, privateKey: string | Uint8Array, context?: string): Promise<string>;
2286
+
2070
2287
  declare function createWeb3Passkey(config?: Web3PasskeyConfig): Web3Passkey;
2071
2288
 
2072
- export { ApiError, AuthenticationError, type BackupStatus, type BrowserInspectOptions, type BrowserInspectResult, CryptoError, DEFAULT_MODE, DEFAULT_TAG, type DeviceInfo, type EIP1193Provider, type EIP7702Authorization, type EncryptedBackupInfo, type Guardian, type GuardianInvite, type PasskeySelectionResult, type QRBackupOptions, type RecoveryProgress, type RecoveryScenario, type RecoveryShare, RecoverySimulator, RegistrationError, type SecurityScore, type SignAuthorizationParams, type SimulationResult, type SiweMessage, type SocialRecoveryConfig, SocialRecoveryManager, type StealthAddressConfig, StealthAddressModule, type StealthAddressResult, type StealthKeys, StorageError, type SyncCapabilities, type SyncStatus, type SyncVault, type UserInfo, WalletError, type WalletInfo, Web3Passkey, type Web3PasskeyConfig, Web3PasskeyError, arrayBufferToBase64Url, assertEthereumAddress, assertMnemonic, assertUsername, authenticateWithPasskey, base64ToArrayBuffer, base64UrlDecode, base64UrlToArrayBuffer, canControlStealthAddress, checkStealthAddress, clearCache, computeStealthPrivateKey, createSiweMessage, createWalletFromMnemonic, createWeb3Passkey, createWeb3Passkey as default, deriveAddressFromP256PublicKey, deriveIndexFromOriginModeAndTag, deriveStealthKeys, deriveWalletFromMnemonic, detectWalletProvider, encodeEIP7702AuthorizationMessage, extractRS, generateBIP39Wallet, generateSiweNonce, generateStealthAddress, getAllChains, getAllTopics, getChainById, getCurrentBuildHash, getCurrentOrigin, getDefaultProvider, getEndpoints, getExplainer, getOriginSpecificAddress, getPackageVersion, getW3pkBuildHash, hashEIP7702AuthorizationMessage, inspect, inspectNow, isStrongPassword, normalizeOrigin, parseSiweMessage, promptPasskeySelection, requestExternalWalletAuthorization, safeAtob, safeBtoa, searchExplainers, supportsEIP7702Authorization, validateEthereumAddress, validateMnemonic, validateSiweMessage, validateUsername, verifyBuildHash, verifyEIP7702Authorization, verifySiweSignature };
2289
+ export { ApiError, AuthenticationError, type BackupStatus, type BrowserInspectOptions, type BrowserInspectResult, CryptoError, DEFAULT_MODE, DEFAULT_TAG, type DeviceInfo, type EIP1193Provider, type EIP7702Authorization, type EncryptedBackupInfo, type EncryptedPayload, type Guardian, type GuardianInvite, type MLKemKeypair, type PasskeySelectionResult, type QRBackupOptions, type RecoveryProgress, type RecoveryScenario, type RecoveryShare, RecoverySimulator, RegistrationError, type SecurityScore, type SignAuthorizationParams, type SimulationResult, type SiweMessage, type SocialRecoveryConfig, SocialRecoveryManager, type StealthAddressConfig, StealthAddressModule, type StealthAddressResult, type StealthKeys, StorageError, type SyncCapabilities, type SyncStatus, type SyncVault, type UserInfo, WalletError, type WalletInfo, Web3Passkey, type Web3PasskeyConfig, Web3PasskeyError, arrayBufferToBase64Url, assertEthereumAddress, assertMnemonic, assertUsername, authenticateWithPasskey, base64ToArrayBuffer, base64UrlDecode, base64UrlToArrayBuffer, canControlStealthAddress, checkStealthAddress, clearCache, computeStealthPrivateKey, createSiweMessage, createWalletFromMnemonic, createWeb3Passkey, createWeb3Passkey as default, deriveAddressFromP256PublicKey, deriveIndexFromOriginModeAndTag, deriveMLKemKeypair, deriveStealthKeys, deriveWalletFromMnemonic, detectWalletProvider, encodeEIP7702AuthorizationMessage, extractRS, generateBIP39Wallet, generateSiweNonce, generateStealthAddress, getAllChains, getAllTopics, getChainById, getCurrentBuildHash, getCurrentOrigin, getDefaultProvider, getEndpoints, getExplainer, getOriginSpecificAddress, getPackageVersion, getW3pkBuildHash, hashEIP7702AuthorizationMessage, inspect, inspectNow, isStrongPassword, mlkemDecrypt, mlkemDecryptWithKey, mlkemEncrypt, mlkemEncryptWithKey, normalizeOrigin, parseSiweMessage, promptPasskeySelection, requestExternalWalletAuthorization, safeAtob, safeBtoa, searchExplainers, supportsEIP7702Authorization, validateEthereumAddress, validateMnemonic, validateSiweMessage, validateUsername, verifyBuildHash, verifyEIP7702Authorization, verifySiweSignature };