wolfronix-sdk 1.3.2 → 2.3.0

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -27,6 +37,7 @@ __export(index_exports, {
   ValidationError: () => ValidationError,
   Wolfronix: () => Wolfronix,
   WolfronixError: () => WolfronixError,
+  WolfronixStream: () => WolfronixStream,
   createClient: () => createClient,
   default: () => index_default
 });
@@ -38,7 +49,7 @@ var getCrypto = () => {
     return globalThis.crypto;
   }
   throw new Error(
-    "Web Crypto API not available. Requires a modern browser or Node.js 16+."
+    "Web Crypto API not available. Requires a modern browser or Node.js 18+."
   );
 };
 var RSA_ALG = {
@@ -213,6 +224,10 @@ async function rsaDecrypt(encryptedBase64, privateKey) {
   );
   return decrypted;
 }
+async function rsaDecryptBase64(encryptedBase64, privateKey) {
+  const decrypted = await rsaDecrypt(encryptedBase64, privateKey);
+  return arrayBufferToBase64(decrypted);
+}
 async function exportSessionKey(key) {
   return await getCrypto().subtle.exportKey("raw", key);
 }
@@ -325,6 +340,7 @@ var Wolfronix = class {
       this.config = {
         baseUrl: config,
         clientId: "",
+        wolfronixKey: "",
         timeout: 3e4,
         retries: 3,
         insecure: false
@@ -333,6 +349,7 @@ var Wolfronix = class {
       this.config = {
         baseUrl: config.baseUrl,
         clientId: config.clientId || "",
+        wolfronixKey: config.wolfronixKey || "",
         timeout: config.timeout || 3e4,
         retries: config.retries || 3,
         insecure: config.insecure || false
@@ -340,6 +357,10 @@ var Wolfronix = class {
     }
     this.config.baseUrl = this.config.baseUrl.replace(/\/$/, "");
   }
+  /** Expose private key status for testing */
+  hasPrivateKey() {
+    return this.privateKey !== null;
+  }
   // ==========================================================================
   // Private Helpers
   // ==========================================================================
@@ -350,6 +371,9 @@ var Wolfronix = class {
     if (this.config.clientId) {
       headers["X-Client-ID"] = this.config.clientId;
     }
+    if (this.config.wolfronixKey) {
+      headers["X-Wolfronix-Key"] = this.config.wolfronixKey;
+    }
     if (includeAuth && this.token) {
       headers["Authorization"] = `Bearer ${this.token}`;
       if (this.userId) {
@@ -375,6 +399,15 @@ var Wolfronix = class {
           headers,
           signal: controller.signal
         };
+        if (this.config.insecure && typeof process !== "undefined") {
+          try {
+            const { Agent } = await import("undici");
+            fetchOptions.dispatcher = new Agent({
+              connect: { rejectUnauthorized: false }
+            });
+          } catch {
+          }
+        }
         if (formData) {
           fetchOptions.body = formData;
         } else if (body) {
@@ -462,7 +495,7 @@ var Wolfronix = class {
       this.publicKey = keyPair.publicKey;
       this.privateKey = keyPair.privateKey;
       this.publicKeyPEM = publicKeyPEM;
-      this.token = "session_" + Date.now();
+      this.token = "zk-session";
     }
     return response;
   }
@@ -497,7 +530,7 @@ var Wolfronix = class {
       this.publicKeyPEM = response.public_key_pem;
       this.publicKey = await importKeyFromPEM(response.public_key_pem, "public");
       this.userId = email;
-      this.token = "session_" + Date.now();
+      this.token = "zk-session";
       return {
         success: true,
         user_id: email,
@@ -594,7 +627,14 @@ var Wolfronix = class {
     };
   }
   /**
-   * Decrypt and retrieve a file
+   * Decrypt and retrieve a file using zero-knowledge flow.
+   * 
+   * Flow:
+   * 1. GET /api/v1/files/{id}/key → encrypted key_part_a
+   * 2. Decrypt key_part_a client-side with private key (RSA-OAEP)
+   * 3. POST /api/v1/files/{id}/decrypt with { decrypted_key_a } in body
+   * 
+   * The private key NEVER leaves the client.
    * 
    * @example
    * ```typescript
@@ -607,7 +647,7 @@ var Wolfronix = class {
    * fs.writeFileSync('decrypted.pdf', buffer);
    * ```
    */
-  async decrypt(fileId) {
+  async decrypt(fileId, role = "owner") {
     this.ensureAuthenticated();
     if (!fileId) {
       throw new ValidationError("File ID is required");
@@ -615,19 +655,20 @@ var Wolfronix = class {
     if (!this.privateKey) {
       throw new Error("Private key not available. Is user logged in?");
     }
-    const privateKeyPEM = await exportKeyToPEM(this.privateKey, "private");
+    const keyResponse = await this.getFileKey(fileId);
+    const decryptedKeyA = await rsaDecryptBase64(keyResponse.key_part_a, this.privateKey);
     return this.request("POST", `/api/v1/files/${fileId}/decrypt`, {
       responseType: "blob",
-      headers: {
-        "X-Private-Key": privateKeyPEM,
-        "X-User-Role": "owner"
+      body: {
+        decrypted_key_a: decryptedKeyA,
+        user_role: role
       }
     });
   }
   /**
-   * Decrypt and return as ArrayBuffer
+   * Decrypt and return as ArrayBuffer (zero-knowledge flow)
    */
-  async decryptToBuffer(fileId) {
+  async decryptToBuffer(fileId, role = "owner") {
     this.ensureAuthenticated();
     if (!fileId) {
       throw new ValidationError("File ID is required");
@@ -635,15 +676,29 @@ var Wolfronix = class {
     if (!this.privateKey) {
       throw new Error("Private key not available. Is user logged in?");
     }
-    const privateKeyPEM = await exportKeyToPEM(this.privateKey, "private");
+    const keyResponse = await this.getFileKey(fileId);
+    const decryptedKeyA = await rsaDecryptBase64(keyResponse.key_part_a, this.privateKey);
     return this.request("POST", `/api/v1/files/${fileId}/decrypt`, {
       responseType: "arraybuffer",
-      headers: {
-        "X-Private-Key": privateKeyPEM,
-        "X-User-Role": "owner"
+      body: {
+        decrypted_key_a: decryptedKeyA,
+        user_role: role
       }
     });
   }
+  /**
+   * Fetch the encrypted key_part_a for a file (for client-side decryption)
+   * 
+   * @param fileId The file ID to get the key for
+   * @returns KeyPartResponse containing the RSA-OAEP encrypted key_part_a
+   */
+  async getFileKey(fileId) {
+    this.ensureAuthenticated();
+    if (!fileId) {
+      throw new ValidationError("File ID is required");
+    }
+    return this.request("GET", `/api/v1/files/${fileId}/key`);
+  }
   /**
    * List all encrypted files for current user
    * 
@@ -688,11 +743,19 @@ var Wolfronix = class {
   /**
    * Get another user's public key (for E2E encryption)
    * @param userId The ID of the recipient
+   * @param clientId Optional: override the configured clientId
    */
-  async getPublicKey(userId) {
+  async getPublicKey(userId, clientId) {
     this.ensureAuthenticated();
-    const result = await this.request("GET", `/api/v1/keys/${userId}`);
-    return result.public_key;
+    const cid = clientId || this.config.clientId;
+    if (!cid) {
+      throw new ValidationError("clientId is required for getPublicKey(). Set it in config or pass as second argument.");
+    }
+    const result = await this.request(
+      "GET",
+      `/api/v1/keys/public/${encodeURIComponent(cid)}/${encodeURIComponent(userId)}`
+    );
+    return result.public_key_pem;
   }
   /**
    * Encrypt a short text message for a recipient (Hybrid Encryption: RSA + AES)
@@ -745,6 +808,166 @@ var Wolfronix = class {
     }
   }
   // ==========================================================================
+  // Server-Side Message Encryption (Dual-Key Split)
+  // ==========================================================================
+  /**
+   * Encrypt a text message via the Wolfronix server (dual-key split).
+   * The server generates an AES key, encrypts the message, and splits the key —
+   * you get key_part_a, the server holds key_part_b.
+   * 
+   * Use this for server-managed message encryption (e.g., stored encrypted messages).
+   * For true E2E (where the server never sees plaintext), use encryptMessage() instead.
+   * 
+   * @param message The plaintext message to encrypt
+   * @param options.layer 3 = AES only (full key returned), 4 = dual-key split (default)
+   * 
+   * @example
+   * ```typescript
+   * const result = await wfx.serverEncrypt('Hello, World!');
+   * // Store result.encrypted_message, result.nonce, result.key_part_a, result.message_tag
+   * ```
+   */
+  async serverEncrypt(message, options) {
+    this.ensureAuthenticated();
+    if (!message) {
+      throw new ValidationError("Message is required");
+    }
+    return this.request("POST", "/api/v1/messages/encrypt", {
+      body: {
+        message,
+        user_id: this.userId,
+        layer: options?.layer || 4
+      }
+    });
+  }
+  /**
+   * Decrypt a message previously encrypted via serverEncrypt().
+   * 
+   * @param params The encrypted message data (from serverEncrypt result)
+   * @returns The decrypted plaintext message
+   * 
+   * @example
+   * ```typescript
+   * const text = await wfx.serverDecrypt({
+   *   encryptedMessage: result.encrypted_message,
+   *   nonce: result.nonce,
+   *   keyPartA: result.key_part_a,
+   *   messageTag: result.message_tag,
+   * });
+   * ```
+   */
+  async serverDecrypt(params) {
+    this.ensureAuthenticated();
+    if (!params.encryptedMessage || !params.nonce || !params.keyPartA) {
+      throw new ValidationError("encryptedMessage, nonce, and keyPartA are required");
+    }
+    const response = await this.request(
+      "POST",
+      "/api/v1/messages/decrypt",
+      {
+        body: {
+          encrypted_message: params.encryptedMessage,
+          nonce: params.nonce,
+          key_part_a: params.keyPartA,
+          message_tag: params.messageTag || "",
+          user_id: this.userId
+        }
+      }
+    );
+    return response.message;
+  }
+  /**
+   * Encrypt multiple messages in a single round-trip (batch).
+   * All messages share one AES key (different nonce per message).
+   * Efficient for chat history encryption or bulk operations.
+   * 
+   * @param messages Array of { id, message } objects (max 100)
+   * @param options.layer 3 or 4 (default: 4)
+   * 
+   * @example
+   * ```typescript
+   * const result = await wfx.serverEncryptBatch([
+   *   { id: 'msg1', message: 'Hello' },
+   *   { id: 'msg2', message: 'World' },
+   * ]);
+   * // result.results[0].encrypted_message, result.key_part_a, result.batch_tag
+   * ```
+   */
+  async serverEncryptBatch(messages, options) {
+    this.ensureAuthenticated();
+    if (!messages || messages.length === 0) {
+      throw new ValidationError("At least one message is required");
+    }
+    if (messages.length > 100) {
+      throw new ValidationError("Maximum 100 messages per batch");
+    }
+    return this.request("POST", "/api/v1/messages/batch/encrypt", {
+      body: {
+        messages,
+        user_id: this.userId,
+        layer: options?.layer || 4
+      }
+    });
+  }
+  /**
+   * Decrypt a single message from a batch result.
+   * Uses the shared key_part_a and batch_tag from the batch result.
+   * 
+   * @param batchResult The batch encrypt result
+   * @param index The index of the message to decrypt
+   */
+  async serverDecryptBatchItem(batchResult, index) {
+    if (index < 0 || index >= batchResult.results.length) {
+      throw new ValidationError("Invalid batch index");
+    }
+    const item = batchResult.results[index];
+    return this.serverDecrypt({
+      encryptedMessage: item.encrypted_message,
+      nonce: item.nonce,
+      keyPartA: batchResult.key_part_a,
+      messageTag: batchResult.batch_tag
+    });
+  }
+  // ==========================================================================
+  // Real-Time Streaming Encryption (WebSocket)
+  // ==========================================================================
+  /**
+   * Create a streaming encryption/decryption session over WebSocket.
+   * Data flows in real-time: send chunks, receive encrypted/decrypted chunks back.
+   * 
+   * @param direction 'encrypt' for plaintext→ciphertext, 'decrypt' for reverse
+   * @param streamKey Required for decrypt — the key_part_a and stream_tag from the encrypt session
+   * 
+   * @example
+   * ```typescript
+   * // Encrypt stream
+   * const stream = await wfx.createStream('encrypt');
+   * stream.onData((chunk, seq) => console.log('Encrypted chunk', seq));
+   * stream.send('Hello chunk 1');
+   * stream.send('Hello chunk 2');
+   * const summary = await stream.end();
+   * // Save stream.keyPartA and stream.streamTag for decryption
+   * 
+   * // Decrypt stream
+   * const dStream = await wfx.createStream('decrypt', {
+   *   keyPartA: stream.keyPartA!,
+   *   streamTag: stream.streamTag!,
+   * });
+   * dStream.onData((chunk, seq) => console.log('Decrypted:', chunk));
+   * dStream.send(encryptedChunk1);
+   * await dStream.end();
+   * ```
+   */
+  async createStream(direction, streamKey) {
+    this.ensureAuthenticated();
+    if (direction === "decrypt" && !streamKey) {
+      throw new ValidationError("streamKey (keyPartA + streamTag) is required for decrypt streams");
+    }
+    const stream = new WolfronixStream(this.config, this.userId);
+    await stream.connect(direction, streamKey);
+    return stream;
+  }
+  // ==========================================================================
   // Metrics & Status
   // ==========================================================================
   /**
@@ -774,6 +997,186 @@ var Wolfronix = class {
     }
   }
 };
+var WolfronixStream = class {
+  /** @internal */
+  constructor(config, userId) {
+    this.config = config;
+    this.userId = userId;
+    this.ws = null;
+    this.dataCallbacks = [];
+    this.errorCallbacks = [];
+    this.pendingChunks = /* @__PURE__ */ new Map();
+    this.seqCounter = 0;
+    /** Client's key half (available after encrypt stream init) */
+    this.keyPartA = null;
+    /** Stream tag (available after encrypt stream init) */
+    this.streamTag = null;
+  }
+  /** @internal Connect and initialize the stream session */
+  async connect(direction, streamKey) {
+    return new Promise((resolve, reject) => {
+      const wsBase = this.config.baseUrl.replace(/^http/, "ws");
+      const params = new URLSearchParams();
+      if (this.config.wolfronixKey) {
+        params.set("wolfronix_key", this.config.wolfronixKey);
+      }
+      if (this.config.clientId) {
+        params.set("client_id", this.config.clientId);
+      }
+      const wsUrl = `${wsBase}/api/v1/stream?${params.toString()}`;
+      this.ws = new WebSocket(wsUrl);
+      this.ws.onopen = () => {
+        const initMsg = { type: "init", direction };
+        if (direction === "decrypt" && streamKey) {
+          initMsg.key_part_a = streamKey.keyPartA;
+          initMsg.stream_tag = streamKey.streamTag;
+        }
+        this.ws.send(JSON.stringify(initMsg));
+      };
+      let initResolved = false;
+      this.ws.onmessage = (event) => {
+        try {
+          const msg = JSON.parse(event.data);
+          if (msg.type === "error") {
+            const err = new Error(msg.error);
+            if (!initResolved) {
+              initResolved = true;
+              reject(err);
+            }
+            this.errorCallbacks.forEach((cb) => cb(err));
+            return;
+          }
+          if (msg.type === "init_ack" && !initResolved) {
+            initResolved = true;
+            if (msg.key_part_a) this.keyPartA = msg.key_part_a;
+            if (msg.stream_tag) this.streamTag = msg.stream_tag;
+            resolve();
+            return;
+          }
+          if (msg.type === "data") {
+            this.dataCallbacks.forEach((cb) => cb(msg.data, msg.seq));
+            const pending = this.pendingChunks.get(msg.seq);
+            if (pending) {
+              pending.resolve(msg.data);
+              this.pendingChunks.delete(msg.seq);
+            }
+            return;
+          }
+          if (msg.type === "end_ack") {
+            return;
+          }
+        } catch (e) {
+          const err = new Error("Failed to parse stream message");
+          this.errorCallbacks.forEach((cb) => cb(err));
+        }
+      };
+      this.ws.onerror = (event) => {
+        const err = new Error("WebSocket error");
+        if (!initResolved) {
+          initResolved = true;
+          reject(err);
+        }
+        this.errorCallbacks.forEach((cb) => cb(err));
+      };
+      this.ws.onclose = () => {
+        this.pendingChunks.forEach((p) => p.reject(new Error("Stream closed")));
+        this.pendingChunks.clear();
+      };
+    });
+  }
+  /**
+   * Send a data chunk for encryption/decryption.
+   * Returns a promise that resolves with the processed (encrypted/decrypted) chunk.
+   * 
+   * @param data String or base64-encoded binary data
+   * @returns The processed chunk (base64-encoded)
+   */
+  async send(data) {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+      throw new Error("Stream not connected");
+    }
+    const b64Data = this.isBase64(data) ? data : btoa(data);
+    const seq = this.seqCounter++;
+    return new Promise((resolve, reject) => {
+      this.pendingChunks.set(seq, { resolve, reject });
+      this.ws.send(JSON.stringify({ type: "data", data: b64Data }));
+    });
+  }
+  /**
+   * Send raw binary data for encryption/decryption.
+   * 
+   * @param buffer ArrayBuffer or Uint8Array
+   * @returns The processed chunk (base64-encoded)
+   */
+  async sendBinary(buffer) {
+    const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+    let binary = "";
+    for (let i = 0; i < bytes.byteLength; i++) {
+      binary += String.fromCharCode(bytes[i]);
+    }
+    const b64 = btoa(binary);
+    return this.send(b64);
+  }
+  /**
+   * Register a callback for incoming data chunks.
+   * 
+   * @param callback Called with (base64Data, sequenceNumber) for each chunk
+   */
+  onData(callback) {
+    this.dataCallbacks.push(callback);
+  }
+  /**
+   * Register a callback for stream errors.
+   */
+  onError(callback) {
+    this.errorCallbacks.push(callback);
+  }
+  /**
+   * End the stream session. Returns the total number of chunks processed.
+   */
+  async end() {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+      return { chunksProcessed: this.seqCounter };
+    }
+    return new Promise((resolve) => {
+      const originalHandler = this.ws.onmessage;
+      this.ws.onmessage = (event) => {
+        try {
+          const msg = JSON.parse(event.data);
+          if (msg.type === "end_ack") {
+            resolve({ chunksProcessed: msg.chunks_processed || this.seqCounter });
+            this.ws.close();
+            return;
+          }
+        } catch {
+        }
+        if (originalHandler && this.ws) originalHandler.call(this.ws, event);
+      };
+      this.ws.send(JSON.stringify({ type: "end" }));
+      setTimeout(() => {
+        resolve({ chunksProcessed: this.seqCounter });
+        if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+          this.ws.close();
+        }
+      }, 5e3);
+    });
+  }
+  /**
+   * Close the stream immediately without sending an end message.
+   */
+  close() {
+    if (this.ws) {
+      this.ws.close();
+      this.ws = null;
+    }
+    this.pendingChunks.forEach((p) => p.reject(new Error("Stream closed")));
+    this.pendingChunks.clear();
+  }
+  isBase64(str) {
+    if (str.length % 4 !== 0) return false;
+    return /^[A-Za-z0-9+/]*={0,2}$/.test(str);
+  }
+};
 function createClient(config) {
   return new Wolfronix(config);
 }
@@ -787,5 +1190,6 @@ var index_default = Wolfronix;
   ValidationError,
   Wolfronix,
   WolfronixError,
+  WolfronixStream,
   createClient
 });