wolfronix-sdk 1.0.0 → 1.2.0

package/README.md

@@ -7,13 +7,26 @@ Official JavaScript/TypeScript SDK for Wolfronix - Zero-knowledge encryption mad
 
 ## Features
 
-- 🔐 **Zero-Knowledge Encryption** - 4-layer enterprise-grade security
+- 🔐 **Zero-Knowledge Encryption** - Keys generated client-side, never leave your device
+- 🏢 **Enterprise Ready** - Seamless integration with your existing storage
+
 - 🚀 **Simple API** - Encrypt files in 2 lines of code
 - 📦 **TypeScript Native** - Full type definitions included
 - 🌐 **Universal** - Works in Node.js and browsers
 - ⚡ **Streaming** - Handle large files with progress tracking
 - 🔄 **Auto Retry** - Built-in retry logic with exponential backoff
 
+## Backend Integration (Enterprise Mode)
+
+To use this SDK, your backend API must implement 3 storage endpoints that Wolfronix will call:
+
+1.  **POST** `/wolfronix/files/upload` - Store encrypted file + metadata
+2.  **GET** `/wolfronix/files/{id}` - Retrieve metadata
+3.  **GET** `/wolfronix/files/{id}/data` - Retrieve encrypted file blob
+
+Wolfronix handles all encryption/decryption keys and logic; you only handle the encrypted blobs.
+
+
 ## Installation
 
 ```bash
@@ -32,10 +45,13 @@ import Wolfronix from '@wolfronix/sdk';
 // Initialize client
 const wfx = new Wolfronix({
   baseUrl: 'https://your-wolfronix-server:5002',
-  clientId: 'your-client-id' // Optional for enterprise mode
+  clientId: 'your-enterprise-client-id'
 });
 
-// Login
+// Register (First time only) - Generates keys client-side
+await wfx.register('user@example.com', 'password123');
+
+// Login (Subsequent visits)
 await wfx.login('user@example.com', 'password123');
 
 // Encrypt a file
@@ -61,8 +77,9 @@ const handleFileUpload = async (event: React.ChangeEvent<HTMLInputElement>) => {
   if (!file) return;
 
   try {
+    // Keys are automatically handled by the SDK
     const { file_id } = await wfx.encrypt(file);
-    console.log('File encrypted:', file_id);
+    console.log('File encrypted with your private key:', file_id);
   } catch (error) {
     console.error('Encryption failed:', error);
   }

package/dist/index.d.mts

@@ -3,7 +3,7 @@
  * Zero-knowledge encryption made simple
  *
  * @package @wolfronix/sdk
- * @version 1.0.0
+ * @version 1.2.0
  */
 interface WolfronixConfig {
     /** Wolfronix server base URL */
@@ -24,11 +24,10 @@ interface AuthResponse {
     message: string;
 }
 interface EncryptResponse {
-    success: boolean;
-    file_id: string;
-    original_name: string;
-    encrypted_size: number;
-    message: string;
+    status: string;
+    file_id: number;
+    file_size: number;
+    enc_time_ms: number;
 }
 interface FileInfo {
     file_id: string;
@@ -52,10 +51,6 @@ interface MetricsResponse {
     total_bytes_encrypted: number;
     total_bytes_decrypted: number;
 }
-interface StreamToken {
-    token: string;
-    expires_at: string;
-}
 declare class WolfronixError extends Error {
     readonly code: string;
     readonly statusCode?: number;
@@ -82,6 +77,9 @@ declare class Wolfronix {
     private token;
     private userId;
     private tokenExpiry;
+    private publicKey;
+    private privateKey;
+    private publicKeyPEM;
     /**
      * Create a new Wolfronix client
      *
@@ -152,17 +150,6 @@ declare class Wolfronix {
      * ```
      */
     encrypt(file: File | Blob | ArrayBuffer | Uint8Array, filename?: string): Promise<EncryptResponse>;
-    /**
-     * Encrypt a file using streaming (for large files)
-     *
-     * @example
-     * ```typescript
-     * const result = await wfx.encryptStream(largeFile, (progress) => {
-     *   console.log(`Progress: ${progress}%`);
-     * });
-     * ```
-     */
-    encryptStream(file: File | Blob, onProgress?: (percent: number) => void): Promise<EncryptResponse>;
     /**
      * Decrypt and retrieve a file
      *
@@ -182,10 +169,6 @@ declare class Wolfronix {
      * Decrypt and return as ArrayBuffer
      */
     decryptToBuffer(fileId: string): Promise<ArrayBuffer>;
-    /**
-     * Decrypt using streaming (for large files)
-     */
-    decryptStream(fileId: string, onProgress?: (percent: number) => void): Promise<Blob>;
     /**
      * List all encrypted files for current user
      *
@@ -235,4 +218,4 @@ declare class Wolfronix {
  */
 declare function createClient(config: WolfronixConfig | string): Wolfronix;
 
-export { type AuthResponse, AuthenticationError, type DeleteResponse, type EncryptResponse, type FileInfo, FileNotFoundError, type ListFilesResponse, type MetricsResponse, NetworkError, PermissionDeniedError, type StreamToken, ValidationError, Wolfronix, type WolfronixConfig, WolfronixError, createClient, Wolfronix as default };
+export { type AuthResponse, AuthenticationError, type DeleteResponse, type EncryptResponse, type FileInfo, FileNotFoundError, type ListFilesResponse, type MetricsResponse, NetworkError, PermissionDeniedError, ValidationError, Wolfronix, type WolfronixConfig, WolfronixError, createClient, Wolfronix as default };

package/dist/index.d.ts

@@ -3,7 +3,7 @@
  * Zero-knowledge encryption made simple
  *
  * @package @wolfronix/sdk
- * @version 1.0.0
+ * @version 1.2.0
  */
 interface WolfronixConfig {
     /** Wolfronix server base URL */
@@ -24,11 +24,10 @@ interface AuthResponse {
     message: string;
 }
 interface EncryptResponse {
-    success: boolean;
-    file_id: string;
-    original_name: string;
-    encrypted_size: number;
-    message: string;
+    status: string;
+    file_id: number;
+    file_size: number;
+    enc_time_ms: number;
 }
 interface FileInfo {
     file_id: string;
@@ -52,10 +51,6 @@ interface MetricsResponse {
     total_bytes_encrypted: number;
     total_bytes_decrypted: number;
 }
-interface StreamToken {
-    token: string;
-    expires_at: string;
-}
 declare class WolfronixError extends Error {
     readonly code: string;
     readonly statusCode?: number;
@@ -82,6 +77,9 @@ declare class Wolfronix {
     private token;
     private userId;
     private tokenExpiry;
+    private publicKey;
+    private privateKey;
+    private publicKeyPEM;
     /**
      * Create a new Wolfronix client
      *
@@ -152,17 +150,6 @@ declare class Wolfronix {
      * ```
      */
     encrypt(file: File | Blob | ArrayBuffer | Uint8Array, filename?: string): Promise<EncryptResponse>;
-    /**
-     * Encrypt a file using streaming (for large files)
-     *
-     * @example
-     * ```typescript
-     * const result = await wfx.encryptStream(largeFile, (progress) => {
-     *   console.log(`Progress: ${progress}%`);
-     * });
-     * ```
-     */
-    encryptStream(file: File | Blob, onProgress?: (percent: number) => void): Promise<EncryptResponse>;
     /**
      * Decrypt and retrieve a file
      *
@@ -182,10 +169,6 @@ declare class Wolfronix {
      * Decrypt and return as ArrayBuffer
      */
     decryptToBuffer(fileId: string): Promise<ArrayBuffer>;
-    /**
-     * Decrypt using streaming (for large files)
-     */
-    decryptStream(fileId: string, onProgress?: (percent: number) => void): Promise<Blob>;
     /**
      * List all encrypted files for current user
      *
@@ -235,4 +218,4 @@ declare class Wolfronix {
  */
 declare function createClient(config: WolfronixConfig | string): Wolfronix;
 
-export { type AuthResponse, AuthenticationError, type DeleteResponse, type EncryptResponse, type FileInfo, FileNotFoundError, type ListFilesResponse, type MetricsResponse, NetworkError, PermissionDeniedError, type StreamToken, ValidationError, Wolfronix, type WolfronixConfig, WolfronixError, createClient, Wolfronix as default };
+export { type AuthResponse, AuthenticationError, type DeleteResponse, type EncryptResponse, type FileInfo, FileNotFoundError, type ListFilesResponse, type MetricsResponse, NetworkError, PermissionDeniedError, ValidationError, Wolfronix, type WolfronixConfig, WolfronixError, createClient, Wolfronix as default };

package/dist/index.js

@@ -31,6 +31,146 @@ __export(index_exports, {
   default: () => index_default
 });
 module.exports = __toCommonJS(index_exports);
+
+// src/crypto.ts
+var RSA_ALG = {
+  name: "RSA-OAEP",
+  modulusLength: 2048,
+  publicExponent: new Uint8Array([1, 0, 1]),
+  hash: "SHA-256"
+};
+var WRAP_ALG = "AES-GCM";
+var PBKDF2_ITERATIONS = 1e5;
+async function generateKeyPair() {
+  return await window.crypto.subtle.generateKey(
+    RSA_ALG,
+    true,
+    // extractable
+    ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
+  );
+}
+async function exportKeyToPEM(key, type) {
+  const format = type === "public" ? "spki" : "pkcs8";
+  const exported = await window.crypto.subtle.exportKey(format, key);
+  const exportedAsBase64 = arrayBufferToBase64(exported);
+  const pemHeader = type === "public" ? "-----BEGIN PUBLIC KEY-----" : "-----BEGIN PRIVATE KEY-----";
+  const pemFooter = type === "public" ? "-----END PUBLIC KEY-----" : "-----END PRIVATE KEY-----";
+  return `${pemHeader}
+${exportedAsBase64}
+${pemFooter}`;
+}
+async function importKeyFromPEM(pem, type) {
+  const pemHeader = type === "public" ? "-----BEGIN PUBLIC KEY-----" : "-----BEGIN PRIVATE KEY-----";
+  const pemFooter = type === "public" ? "-----END PUBLIC KEY-----" : "-----END PRIVATE KEY-----";
+  const pemContents = pem.replace(pemHeader, "").replace(pemFooter, "").replace(/\s/g, "");
+  const binaryDer = base64ToArrayBuffer(pemContents);
+  const format = type === "public" ? "spki" : "pkcs8";
+  const usage = type === "public" ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+  return await window.crypto.subtle.importKey(
+    format,
+    binaryDer,
+    RSA_ALG,
+    true,
+    usage
+  );
+}
+async function deriveWrappingKey(password, saltHex) {
+  const enc = new TextEncoder();
+  const passwordKey = await window.crypto.subtle.importKey(
+    "raw",
+    enc.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  const salt = hexToArrayBuffer(saltHex);
+  return await window.crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    passwordKey,
+    { name: WRAP_ALG, length: 256 },
+    false,
+    ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
+  );
+}
+async function wrapPrivateKey(privateKey, password) {
+  const salt = window.crypto.getRandomValues(new Uint8Array(16));
+  const saltHex = arrayBufferToHex(salt.buffer);
+  const wrappingKey = await deriveWrappingKey(password, saltHex);
+  const exportedKey = await window.crypto.subtle.exportKey("pkcs8", privateKey);
+  const iv = window.crypto.getRandomValues(new Uint8Array(12));
+  const encryptedContent = await window.crypto.subtle.encrypt(
+    {
+      name: WRAP_ALG,
+      iv
+    },
+    wrappingKey,
+    exportedKey
+  );
+  const combined = new Uint8Array(iv.length + encryptedContent.byteLength);
+  combined.set(iv);
+  combined.set(new Uint8Array(encryptedContent), iv.length);
+  return {
+    encryptedKey: arrayBufferToBase64(combined.buffer),
+    salt: saltHex
+  };
+}
+async function unwrapPrivateKey(encryptedKeyBase64, password, saltHex) {
+  const combined = base64ToArrayBuffer(encryptedKeyBase64);
+  const combinedArray = new Uint8Array(combined);
+  const iv = combinedArray.slice(0, 12);
+  const data = combinedArray.slice(12);
+  const wrappingKey = await deriveWrappingKey(password, saltHex);
+  const decryptedKeyData = await window.crypto.subtle.decrypt(
+    {
+      name: WRAP_ALG,
+      iv
+    },
+    wrappingKey,
+    data
+  );
+  return await window.crypto.subtle.importKey(
+    "pkcs8",
+    decryptedKeyData,
+    RSA_ALG,
+    true,
+    ["decrypt", "unwrapKey"]
+  );
+}
+function arrayBufferToBase64(buffer) {
+  let binary = "";
+  const bytes = new Uint8Array(buffer);
+  const len = bytes.byteLength;
+  for (let i = 0; i < len; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return window.btoa(binary);
+}
+function base64ToArrayBuffer(base64) {
+  const binary_string = window.atob(base64);
+  const len = binary_string.length;
+  const bytes = new Uint8Array(len);
+  for (let i = 0; i < len; i++) {
+    bytes[i] = binary_string.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+function arrayBufferToHex(buffer) {
+  return [...new Uint8Array(buffer)].map((x) => x.toString(16).padStart(2, "0")).join("");
+}
+function hexToArrayBuffer(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes.buffer;
+}
+
+// src/index.ts
 var WolfronixError = class extends Error {
   constructor(message, code, statusCode, details) {
     super(message);
@@ -86,6 +226,10 @@ var Wolfronix = class {
     this.token = null;
     this.userId = null;
     this.tokenExpiry = null;
+    // Client-side keys (never stored on server in raw form)
+    this.publicKey = null;
+    this.privateKey = null;
+    this.publicKeyPEM = null;
     if (typeof config === "string") {
       this.config = {
         baseUrl: config,
@@ -117,13 +261,16 @@ var Wolfronix = class {
     }
     if (includeAuth && this.token) {
       headers["Authorization"] = `Bearer ${this.token}`;
+      if (this.userId) {
+        headers["X-User-ID"] = this.userId;
+      }
     }
     return headers;
   }
   async request(method, endpoint, options = {}) {
-    const { body, formData, includeAuth = true, responseType = "json" } = options;
+    const { body, formData, includeAuth = true, responseType = "json", headers: extraHeaders } = options;
     const url = `${this.config.baseUrl}${endpoint}`;
-    const headers = this.getHeaders(includeAuth);
+    const headers = { ...this.getHeaders(includeAuth), ...extraHeaders };
     if (body && !formData) {
       headers["Content-Type"] = "application/json";
     }
@@ -205,14 +352,26 @@ var Wolfronix = class {
     if (!email || !password) {
       throw new ValidationError("Email and password are required");
     }
-    const response = await this.request("POST", "/api/v1/register", {
-      body: { email, password },
+    const keyPair = await generateKeyPair();
+    const publicKeyPEM = await exportKeyToPEM(keyPair.publicKey, "public");
+    const { encryptedKey, salt } = await wrapPrivateKey(keyPair.privateKey, password);
+    const response = await this.request("POST", "/api/v1/keys/register", {
+      body: {
+        client_id: this.config.clientId,
+        user_id: email,
+        // Using email as user_id for simplicity
+        public_key_pem: publicKeyPEM,
+        encrypted_private_key: encryptedKey,
+        salt
+      },
       includeAuth: false
     });
     if (response.success) {
-      this.token = response.token;
-      this.userId = response.user_id;
-      this.tokenExpiry = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+      this.userId = email;
+      this.publicKey = keyPair.publicKey;
+      this.privateKey = keyPair.privateKey;
+      this.publicKeyPEM = publicKeyPEM;
+      this.token = "session_" + Date.now();
     }
     return response;
   }
@@ -228,16 +387,35 @@ var Wolfronix = class {
     if (!email || !password) {
       throw new ValidationError("Email and password are required");
     }
-    const response = await this.request("POST", "/api/v1/login", {
-      body: { email, password },
+    const response = await this.request("POST", "/api/v1/keys/login", {
+      body: {
+        client_id: this.config.clientId,
+        user_id: email
+      },
       includeAuth: false
     });
-    if (response.success) {
-      this.token = response.token;
-      this.userId = response.user_id;
-      this.tokenExpiry = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+    if (!response.encrypted_private_key || !response.salt) {
+      throw new AuthenticationError("Invalid credentials or keys not found");
+    }
+    try {
+      this.privateKey = await unwrapPrivateKey(
+        response.encrypted_private_key,
+        password,
+        response.salt
+      );
+      this.publicKeyPEM = response.public_key_pem;
+      this.publicKey = await importKeyFromPEM(response.public_key_pem, "public");
+      this.userId = email;
+      this.token = "session_" + Date.now();
+      return {
+        success: true,
+        user_id: email,
+        token: this.token,
+        message: "Logged in successfully"
+      };
+    } catch (err) {
+      throw new AuthenticationError("Invalid password (decryption failed)");
     }
-    return response;
   }
   /**
    * Set authentication token directly (useful for server-side apps)
@@ -259,6 +437,9 @@ var Wolfronix = class {
     this.token = null;
     this.userId = null;
     this.tokenExpiry = null;
+    this.publicKey = null;
+    this.privateKey = null;
+    this.publicKeyPEM = null;
   }
   /**
    * Check if client is authenticated
@@ -307,57 +488,11 @@ var Wolfronix = class {
       throw new ValidationError("Invalid file type. Expected File, Blob, Buffer, or ArrayBuffer");
     }
     formData.append("user_id", this.userId || "");
-    return this.request("POST", "/api/v1/encrypt", {
-      formData
-    });
-  }
-  /**
-   * Encrypt a file using streaming (for large files)
-   * 
-   * @example
-   * ```typescript
-   * const result = await wfx.encryptStream(largeFile, (progress) => {
-   *   console.log(`Progress: ${progress}%`);
-   * });
-   * ```
-   */
-  async encryptStream(file, onProgress) {
-    this.ensureAuthenticated();
-    const tokenResponse = await this.request("POST", "/api/v1/stream/token", {
-      body: {
-        user_id: this.userId,
-        client_id: this.config.clientId
-      }
-    });
-    const formData = new FormData();
-    formData.append("file", file);
-    formData.append("user_id", this.userId || "");
-    formData.append("stream_token", tokenResponse.token);
-    if (onProgress && typeof XMLHttpRequest !== "undefined") {
-      return new Promise((resolve, reject) => {
-        const xhr = new XMLHttpRequest();
-        xhr.upload.onprogress = (event) => {
-          if (event.lengthComputable) {
-            onProgress(Math.round(event.loaded / event.total * 100));
-          }
-        };
-        xhr.onload = () => {
-          if (xhr.status >= 200 && xhr.status < 300) {
-            resolve(JSON.parse(xhr.responseText));
-          } else {
-            reject(new WolfronixError("Upload failed", "UPLOAD_ERROR", xhr.status));
-          }
-        };
-        xhr.onerror = () => reject(new NetworkError("Upload failed"));
-        xhr.open("POST", `${this.config.baseUrl}/api/v1/stream/encrypt`);
-        const headers = this.getHeaders();
-        Object.entries(headers).forEach(([key, value]) => {
-          xhr.setRequestHeader(key, value);
-        });
-        xhr.send(formData);
-      });
+    if (!this.publicKeyPEM) {
+      throw new Error("Public key not available. Is user logged in?");
     }
-    return this.request("POST", "/api/v1/stream/encrypt", {
+    formData.append("client_public_key", this.publicKeyPEM);
+    return this.request("POST", "/api/v1/encrypt", {
       formData
     });
   }
@@ -380,8 +515,16 @@ var Wolfronix = class {
     if (!fileId) {
       throw new ValidationError("File ID is required");
     }
-    return this.request("GET", `/api/v1/decrypt/${fileId}`, {
-      responseType: "blob"
+    if (!this.privateKey) {
+      throw new Error("Private key not available. Is user logged in?");
+    }
+    const privateKeyPEM = await exportKeyToPEM(this.privateKey, "private");
+    return this.request("POST", `/api/v1/files/${fileId}/decrypt`, {
+      responseType: "blob",
+      headers: {
+        "X-Private-Key": privateKeyPEM,
+        "X-User-Role": "owner"
+      }
     });
   }
   /**
@@ -392,42 +535,16 @@ var Wolfronix = class {
     if (!fileId) {
       throw new ValidationError("File ID is required");
     }
-    return this.request("GET", `/api/v1/decrypt/${fileId}`, {
-      responseType: "arraybuffer"
-    });
-  }
-  /**
-   * Decrypt using streaming (for large files)
-   */
-  async decryptStream(fileId, onProgress) {
-    this.ensureAuthenticated();
-    if (onProgress && typeof XMLHttpRequest !== "undefined") {
-      return new Promise((resolve, reject) => {
-        const xhr = new XMLHttpRequest();
-        xhr.responseType = "blob";
-        xhr.onprogress = (event) => {
-          if (event.lengthComputable) {
-            onProgress(Math.round(event.loaded / event.total * 100));
-          }
-        };
-        xhr.onload = () => {
-          if (xhr.status >= 200 && xhr.status < 300) {
-            resolve(xhr.response);
-          } else {
-            reject(new WolfronixError("Download failed", "DOWNLOAD_ERROR", xhr.status));
-          }
-        };
-        xhr.onerror = () => reject(new NetworkError("Download failed"));
-        xhr.open("GET", `${this.config.baseUrl}/api/v1/stream/decrypt/${fileId}`);
-        const headers = this.getHeaders();
-        Object.entries(headers).forEach(([key, value]) => {
-          xhr.setRequestHeader(key, value);
-        });
-        xhr.send();
-      });
+    if (!this.privateKey) {
+      throw new Error("Private key not available. Is user logged in?");
     }
-    return this.request("GET", `/api/v1/stream/decrypt/${fileId}`, {
-      responseType: "blob"
+    const privateKeyPEM = await exportKeyToPEM(this.privateKey, "private");
+    return this.request("POST", `/api/v1/files/${fileId}/decrypt`, {
+      responseType: "arraybuffer",
+      headers: {
+        "X-Private-Key": privateKeyPEM,
+        "X-User-Role": "owner"
+      }
     });
   }
   /**
@@ -441,7 +558,17 @@ var Wolfronix = class {
    */
   async listFiles() {
     this.ensureAuthenticated();
-    return this.request("GET", "/api/v1/files");
+    const files = await this.request("GET", "/api/v1/files");
+    return {
+      success: true,
+      files: (files || []).map((f) => ({
+        file_id: f.id,
+        original_name: f.name,
+        encrypted_size: f.size_bytes,
+        created_at: f.date
+      })),
+      total: (files || []).length
+    };
   }
   /**
    * Delete an encrypted file
@@ -472,7 +599,7 @@ var Wolfronix = class {
    */
   async getMetrics() {
     this.ensureAuthenticated();
-    return this.request("GET", "/api/v1/metrics");
+    return this.request("GET", "/api/v1/metrics/summary");
   }
   /**
    * Check if server is healthy

package/dist/index.mjs

@@ -1,3 +1,141 @@
+// src/crypto.ts
+var RSA_ALG = {
+  name: "RSA-OAEP",
+  modulusLength: 2048,
+  publicExponent: new Uint8Array([1, 0, 1]),
+  hash: "SHA-256"
+};
+var WRAP_ALG = "AES-GCM";
+var PBKDF2_ITERATIONS = 1e5;
+async function generateKeyPair() {
+  return await window.crypto.subtle.generateKey(
+    RSA_ALG,
+    true,
+    // extractable
+    ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
+  );
+}
+async function exportKeyToPEM(key, type) {
+  const format = type === "public" ? "spki" : "pkcs8";
+  const exported = await window.crypto.subtle.exportKey(format, key);
+  const exportedAsBase64 = arrayBufferToBase64(exported);
+  const pemHeader = type === "public" ? "-----BEGIN PUBLIC KEY-----" : "-----BEGIN PRIVATE KEY-----";
+  const pemFooter = type === "public" ? "-----END PUBLIC KEY-----" : "-----END PRIVATE KEY-----";
+  return `${pemHeader}
+${exportedAsBase64}
+${pemFooter}`;
+}
+async function importKeyFromPEM(pem, type) {
+  const pemHeader = type === "public" ? "-----BEGIN PUBLIC KEY-----" : "-----BEGIN PRIVATE KEY-----";
+  const pemFooter = type === "public" ? "-----END PUBLIC KEY-----" : "-----END PRIVATE KEY-----";
+  const pemContents = pem.replace(pemHeader, "").replace(pemFooter, "").replace(/\s/g, "");
+  const binaryDer = base64ToArrayBuffer(pemContents);
+  const format = type === "public" ? "spki" : "pkcs8";
+  const usage = type === "public" ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+  return await window.crypto.subtle.importKey(
+    format,
+    binaryDer,
+    RSA_ALG,
+    true,
+    usage
+  );
+}
+async function deriveWrappingKey(password, saltHex) {
+  const enc = new TextEncoder();
+  const passwordKey = await window.crypto.subtle.importKey(
+    "raw",
+    enc.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  const salt = hexToArrayBuffer(saltHex);
+  return await window.crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    passwordKey,
+    { name: WRAP_ALG, length: 256 },
+    false,
+    ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
+  );
+}
+async function wrapPrivateKey(privateKey, password) {
+  const salt = window.crypto.getRandomValues(new Uint8Array(16));
+  const saltHex = arrayBufferToHex(salt.buffer);
+  const wrappingKey = await deriveWrappingKey(password, saltHex);
+  const exportedKey = await window.crypto.subtle.exportKey("pkcs8", privateKey);
+  const iv = window.crypto.getRandomValues(new Uint8Array(12));
+  const encryptedContent = await window.crypto.subtle.encrypt(
+    {
+      name: WRAP_ALG,
+      iv
+    },
+    wrappingKey,
+    exportedKey
+  );
+  const combined = new Uint8Array(iv.length + encryptedContent.byteLength);
+  combined.set(iv);
+  combined.set(new Uint8Array(encryptedContent), iv.length);
+  return {
+    encryptedKey: arrayBufferToBase64(combined.buffer),
+    salt: saltHex
+  };
+}
+async function unwrapPrivateKey(encryptedKeyBase64, password, saltHex) {
+  const combined = base64ToArrayBuffer(encryptedKeyBase64);
+  const combinedArray = new Uint8Array(combined);
+  const iv = combinedArray.slice(0, 12);
+  const data = combinedArray.slice(12);
+  const wrappingKey = await deriveWrappingKey(password, saltHex);
+  const decryptedKeyData = await window.crypto.subtle.decrypt(
+    {
+      name: WRAP_ALG,
+      iv
+    },
+    wrappingKey,
+    data
+  );
+  return await window.crypto.subtle.importKey(
+    "pkcs8",
+    decryptedKeyData,
+    RSA_ALG,
+    true,
+    ["decrypt", "unwrapKey"]
+  );
+}
+function arrayBufferToBase64(buffer) {
+  let binary = "";
+  const bytes = new Uint8Array(buffer);
+  const len = bytes.byteLength;
+  for (let i = 0; i < len; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return window.btoa(binary);
+}
+function base64ToArrayBuffer(base64) {
+  const binary_string = window.atob(base64);
+  const len = binary_string.length;
+  const bytes = new Uint8Array(len);
+  for (let i = 0; i < len; i++) {
+    bytes[i] = binary_string.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+function arrayBufferToHex(buffer) {
+  return [...new Uint8Array(buffer)].map((x) => x.toString(16).padStart(2, "0")).join("");
+}
+function hexToArrayBuffer(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes.buffer;
+}
+
 // src/index.ts
 var WolfronixError = class extends Error {
   constructor(message, code, statusCode, details) {
@@ -54,6 +192,10 @@ var Wolfronix = class {
     this.token = null;
     this.userId = null;
     this.tokenExpiry = null;
+    // Client-side keys (never stored on server in raw form)
+    this.publicKey = null;
+    this.privateKey = null;
+    this.publicKeyPEM = null;
     if (typeof config === "string") {
       this.config = {
         baseUrl: config,
@@ -85,13 +227,16 @@ var Wolfronix = class {
     }
     if (includeAuth && this.token) {
       headers["Authorization"] = `Bearer ${this.token}`;
+      if (this.userId) {
+        headers["X-User-ID"] = this.userId;
+      }
     }
     return headers;
   }
   async request(method, endpoint, options = {}) {
-    const { body, formData, includeAuth = true, responseType = "json" } = options;
+    const { body, formData, includeAuth = true, responseType = "json", headers: extraHeaders } = options;
     const url = `${this.config.baseUrl}${endpoint}`;
-    const headers = this.getHeaders(includeAuth);
+    const headers = { ...this.getHeaders(includeAuth), ...extraHeaders };
     if (body && !formData) {
       headers["Content-Type"] = "application/json";
     }
@@ -173,14 +318,26 @@ var Wolfronix = class {
     if (!email || !password) {
       throw new ValidationError("Email and password are required");
     }
-    const response = await this.request("POST", "/api/v1/register", {
-      body: { email, password },
+    const keyPair = await generateKeyPair();
+    const publicKeyPEM = await exportKeyToPEM(keyPair.publicKey, "public");
+    const { encryptedKey, salt } = await wrapPrivateKey(keyPair.privateKey, password);
+    const response = await this.request("POST", "/api/v1/keys/register", {
+      body: {
+        client_id: this.config.clientId,
+        user_id: email,
+        // Using email as user_id for simplicity
+        public_key_pem: publicKeyPEM,
+        encrypted_private_key: encryptedKey,
+        salt
+      },
       includeAuth: false
     });
     if (response.success) {
-      this.token = response.token;
-      this.userId = response.user_id;
-      this.tokenExpiry = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+      this.userId = email;
+      this.publicKey = keyPair.publicKey;
+      this.privateKey = keyPair.privateKey;
+      this.publicKeyPEM = publicKeyPEM;
+      this.token = "session_" + Date.now();
     }
     return response;
   }
@@ -196,16 +353,35 @@ var Wolfronix = class {
     if (!email || !password) {
       throw new ValidationError("Email and password are required");
     }
-    const response = await this.request("POST", "/api/v1/login", {
-      body: { email, password },
+    const response = await this.request("POST", "/api/v1/keys/login", {
+      body: {
+        client_id: this.config.clientId,
+        user_id: email
+      },
       includeAuth: false
     });
-    if (response.success) {
-      this.token = response.token;
-      this.userId = response.user_id;
-      this.tokenExpiry = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+    if (!response.encrypted_private_key || !response.salt) {
+      throw new AuthenticationError("Invalid credentials or keys not found");
+    }
+    try {
+      this.privateKey = await unwrapPrivateKey(
+        response.encrypted_private_key,
+        password,
+        response.salt
+      );
+      this.publicKeyPEM = response.public_key_pem;
+      this.publicKey = await importKeyFromPEM(response.public_key_pem, "public");
+      this.userId = email;
+      this.token = "session_" + Date.now();
+      return {
+        success: true,
+        user_id: email,
+        token: this.token,
+        message: "Logged in successfully"
+      };
+    } catch (err) {
+      throw new AuthenticationError("Invalid password (decryption failed)");
     }
-    return response;
   }
   /**
    * Set authentication token directly (useful for server-side apps)
@@ -227,6 +403,9 @@ var Wolfronix = class {
     this.token = null;
     this.userId = null;
     this.tokenExpiry = null;
+    this.publicKey = null;
+    this.privateKey = null;
+    this.publicKeyPEM = null;
   }
   /**
    * Check if client is authenticated
@@ -275,57 +454,11 @@ var Wolfronix = class {
       throw new ValidationError("Invalid file type. Expected File, Blob, Buffer, or ArrayBuffer");
     }
     formData.append("user_id", this.userId || "");
-    return this.request("POST", "/api/v1/encrypt", {
-      formData
-    });
-  }
-  /**
-   * Encrypt a file using streaming (for large files)
-   * 
-   * @example
-   * ```typescript
-   * const result = await wfx.encryptStream(largeFile, (progress) => {
-   *   console.log(`Progress: ${progress}%`);
-   * });
-   * ```
-   */
-  async encryptStream(file, onProgress) {
-    this.ensureAuthenticated();
-    const tokenResponse = await this.request("POST", "/api/v1/stream/token", {
-      body: {
-        user_id: this.userId,
-        client_id: this.config.clientId
-      }
-    });
-    const formData = new FormData();
-    formData.append("file", file);
-    formData.append("user_id", this.userId || "");
-    formData.append("stream_token", tokenResponse.token);
-    if (onProgress && typeof XMLHttpRequest !== "undefined") {
-      return new Promise((resolve, reject) => {
-        const xhr = new XMLHttpRequest();
-        xhr.upload.onprogress = (event) => {
-          if (event.lengthComputable) {
-            onProgress(Math.round(event.loaded / event.total * 100));
-          }
-        };
-        xhr.onload = () => {
-          if (xhr.status >= 200 && xhr.status < 300) {
-            resolve(JSON.parse(xhr.responseText));
-          } else {
-            reject(new WolfronixError("Upload failed", "UPLOAD_ERROR", xhr.status));
-          }
-        };
-        xhr.onerror = () => reject(new NetworkError("Upload failed"));
-        xhr.open("POST", `${this.config.baseUrl}/api/v1/stream/encrypt`);
-        const headers = this.getHeaders();
-        Object.entries(headers).forEach(([key, value]) => {
-          xhr.setRequestHeader(key, value);
-        });
-        xhr.send(formData);
-      });
+    if (!this.publicKeyPEM) {
+      throw new Error("Public key not available. Is user logged in?");
     }
-    return this.request("POST", "/api/v1/stream/encrypt", {
+    formData.append("client_public_key", this.publicKeyPEM);
+    return this.request("POST", "/api/v1/encrypt", {
       formData
     });
   }
@@ -348,8 +481,16 @@ var Wolfronix = class {
     if (!fileId) {
       throw new ValidationError("File ID is required");
     }
-    return this.request("GET", `/api/v1/decrypt/${fileId}`, {
-      responseType: "blob"
+    if (!this.privateKey) {
+      throw new Error("Private key not available. Is user logged in?");
+    }
+    const privateKeyPEM = await exportKeyToPEM(this.privateKey, "private");
+    return this.request("POST", `/api/v1/files/${fileId}/decrypt`, {
+      responseType: "blob",
+      headers: {
+        "X-Private-Key": privateKeyPEM,
+        "X-User-Role": "owner"
+      }
     });
   }
   /**
@@ -360,42 +501,16 @@ var Wolfronix = class {
     if (!fileId) {
       throw new ValidationError("File ID is required");
     }
-    return this.request("GET", `/api/v1/decrypt/${fileId}`, {
-      responseType: "arraybuffer"
-    });
-  }
-  /**
-   * Decrypt using streaming (for large files)
-   */
-  async decryptStream(fileId, onProgress) {
-    this.ensureAuthenticated();
-    if (onProgress && typeof XMLHttpRequest !== "undefined") {
-      return new Promise((resolve, reject) => {
-        const xhr = new XMLHttpRequest();
-        xhr.responseType = "blob";
-        xhr.onprogress = (event) => {
-          if (event.lengthComputable) {
-            onProgress(Math.round(event.loaded / event.total * 100));
-          }
-        };
-        xhr.onload = () => {
-          if (xhr.status >= 200 && xhr.status < 300) {
-            resolve(xhr.response);
-          } else {
-            reject(new WolfronixError("Download failed", "DOWNLOAD_ERROR", xhr.status));
-          }
-        };
-        xhr.onerror = () => reject(new NetworkError("Download failed"));
-        xhr.open("GET", `${this.config.baseUrl}/api/v1/stream/decrypt/${fileId}`);
-        const headers = this.getHeaders();
-        Object.entries(headers).forEach(([key, value]) => {
-          xhr.setRequestHeader(key, value);
-        });
-        xhr.send();
-      });
+    if (!this.privateKey) {
+      throw new Error("Private key not available. Is user logged in?");
     }
-    return this.request("GET", `/api/v1/stream/decrypt/${fileId}`, {
-      responseType: "blob"
+    const privateKeyPEM = await exportKeyToPEM(this.privateKey, "private");
+    return this.request("POST", `/api/v1/files/${fileId}/decrypt`, {
+      responseType: "arraybuffer",
+      headers: {
+        "X-Private-Key": privateKeyPEM,
+        "X-User-Role": "owner"
+      }
     });
   }
   /**
@@ -409,7 +524,17 @@ var Wolfronix = class {
    */
   async listFiles() {
     this.ensureAuthenticated();
-    return this.request("GET", "/api/v1/files");
+    const files = await this.request("GET", "/api/v1/files");
+    return {
+      success: true,
+      files: (files || []).map((f) => ({
+        file_id: f.id,
+        original_name: f.name,
+        encrypted_size: f.size_bytes,
+        created_at: f.date
+      })),
+      total: (files || []).length
+    };
   }
   /**
    * Delete an encrypted file
@@ -440,7 +565,7 @@ var Wolfronix = class {
    */
   async getMetrics() {
     this.ensureAuthenticated();
-    return this.request("GET", "/api/v1/metrics");
+    return this.request("GET", "/api/v1/metrics/summary");
   }
   /**
    * Check if server is healthy

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolfronix-sdk",
-  "version": "1.0.0",
+  "version": "1.2.0",
   "description": "Official Wolfronix SDK for JavaScript/TypeScript - Zero-knowledge encryption made simple",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -62,4 +62,4 @@
       "optional": true
     }
   }
-}
+}