npm - wolfronix-sdk - Versions diffs - 1.3.2 → 2.4.0 - Mend

wolfronix-sdk 1.3.2 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +51 -16
package/dist/chunk-EDTKPA2L.mjs +33 -0
package/dist/index.d.mts +372 -7
package/dist/index.d.ts +372 -7
package/dist/index.js +18933 -21
package/dist/index.mjs +506 -18
package/dist/undici-BDVTXO27.mjs +18410 -0
package/package.json +5 -12

package/dist/index.mjs CHANGED Viewed

@@ -1,10 +1,12 @@
+import "./chunk-EDTKPA2L.mjs";
 // src/crypto.ts
 var getCrypto = () => {
   if (typeof globalThis.crypto !== "undefined") {
     return globalThis.crypto;
   }
   throw new Error(
-    "Web Crypto API not available. Requires a modern browser or Node.js 16+."
+    "Web Crypto API not available. Requires a modern browser or Node.js 18+."
   );
 };
 var RSA_ALG = {
@@ -179,6 +181,10 @@ async function rsaDecrypt(encryptedBase64, privateKey) {
   );
   return decrypted;
 }
+async function rsaDecryptBase64(encryptedBase64, privateKey) {
+  const decrypted = await rsaDecrypt(encryptedBase64, privateKey);
+  return arrayBufferToBase64(decrypted);
+}
 async function exportSessionKey(key) {
   return await getCrypto().subtle.exportKey("raw", key);
 }
@@ -291,6 +297,7 @@ var Wolfronix = class {
       this.config = {
         baseUrl: config,
         clientId: "",
+        wolfronixKey: "",
         timeout: 3e4,
         retries: 3,
         insecure: false
@@ -299,6 +306,7 @@ var Wolfronix = class {
       this.config = {
         baseUrl: config.baseUrl,
         clientId: config.clientId || "",
+        wolfronixKey: config.wolfronixKey || "",
         timeout: config.timeout || 3e4,
         retries: config.retries || 3,
         insecure: config.insecure || false
@@ -306,6 +314,10 @@ var Wolfronix = class {
     }
     this.config.baseUrl = this.config.baseUrl.replace(/\/$/, "");
   }
+  /** Expose private key status for testing */
+  hasPrivateKey() {
+    return this.privateKey !== null;
+  }
   // ==========================================================================
   // Private Helpers
   // ==========================================================================
@@ -316,6 +328,9 @@ var Wolfronix = class {
     if (this.config.clientId) {
       headers["X-Client-ID"] = this.config.clientId;
     }
+    if (this.config.wolfronixKey) {
+      headers["X-Wolfronix-Key"] = this.config.wolfronixKey;
+    }
     if (includeAuth && this.token) {
       headers["Authorization"] = `Bearer ${this.token}`;
       if (this.userId) {
@@ -341,6 +356,15 @@ var Wolfronix = class {
           headers,
           signal: controller.signal
         };
+        if (this.config.insecure && typeof process !== "undefined") {
+          try {
+            const { Agent } = await import("./undici-BDVTXO27.mjs");
+            fetchOptions.dispatcher = new Agent({
+              connect: { rejectUnauthorized: false }
+            });
+          } catch {
+          }
+        }
         if (formData) {
           fetchOptions.body = formData;
         } else if (body) {
@@ -428,7 +452,7 @@ var Wolfronix = class {
       this.publicKey = keyPair.publicKey;
       this.privateKey = keyPair.privateKey;
       this.publicKeyPEM = publicKeyPEM;
-      this.token = "session_" + Date.now();
+      this.token = "zk-session";
     }
     return response;
   }
@@ -463,7 +487,7 @@ var Wolfronix = class {
       this.publicKeyPEM = response.public_key_pem;
       this.publicKey = await importKeyFromPEM(response.public_key_pem, "public");
       this.userId = email;
-      this.token = "session_" + Date.now();
+      this.token = "zk-session";
       return {
         success: true,
         user_id: email,
@@ -560,7 +584,14 @@ var Wolfronix = class {
     };
   }
   /**
-   * Decrypt and retrieve a file
+   * Decrypt and retrieve a file using zero-knowledge flow.
+   *
+   * Flow:
+   * 1. GET /api/v1/files/{id}/key → encrypted key_part_a
+   * 2. Decrypt key_part_a client-side with private key (RSA-OAEP)
+   * 3. POST /api/v1/files/{id}/decrypt with { decrypted_key_a } in body
+   *
+   * The private key NEVER leaves the client.
    *
    * @example
    * ```typescript
@@ -573,7 +604,7 @@ var Wolfronix = class {
    * fs.writeFileSync('decrypted.pdf', buffer);
    * ```
    */
-  async decrypt(fileId) {
+  async decrypt(fileId, role = "owner") {
     this.ensureAuthenticated();
     if (!fileId) {
       throw new ValidationError("File ID is required");
@@ -581,19 +612,20 @@ var Wolfronix = class {
     if (!this.privateKey) {
       throw new Error("Private key not available. Is user logged in?");
     }
-    const privateKeyPEM = await exportKeyToPEM(this.privateKey, "private");
+    const keyResponse = await this.getFileKey(fileId);
+    const decryptedKeyA = await rsaDecryptBase64(keyResponse.key_part_a, this.privateKey);
     return this.request("POST", `/api/v1/files/${fileId}/decrypt`, {
       responseType: "blob",
-      headers: {
-        "X-Private-Key": privateKeyPEM,
-        "X-User-Role": "owner"
+      body: {
+        decrypted_key_a: decryptedKeyA,
+        user_role: role
       }
     });
   }
   /**
-   * Decrypt and return as ArrayBuffer
+   * Decrypt and return as ArrayBuffer (zero-knowledge flow)
    */
-  async decryptToBuffer(fileId) {
+  async decryptToBuffer(fileId, role = "owner") {
     this.ensureAuthenticated();
     if (!fileId) {
       throw new ValidationError("File ID is required");
@@ -601,15 +633,29 @@ var Wolfronix = class {
     if (!this.privateKey) {
       throw new Error("Private key not available. Is user logged in?");
     }
-    const privateKeyPEM = await exportKeyToPEM(this.privateKey, "private");
+    const keyResponse = await this.getFileKey(fileId);
+    const decryptedKeyA = await rsaDecryptBase64(keyResponse.key_part_a, this.privateKey);
     return this.request("POST", `/api/v1/files/${fileId}/decrypt`, {
       responseType: "arraybuffer",
-      headers: {
-        "X-Private-Key": privateKeyPEM,
-        "X-User-Role": "owner"
+      body: {
+        decrypted_key_a: decryptedKeyA,
+        user_role: role
       }
     });
   }
+  /**
+   * Fetch the encrypted key_part_a for a file (for client-side decryption)
+   *
+   * @param fileId The file ID to get the key for
+   * @returns KeyPartResponse containing the RSA-OAEP encrypted key_part_a
+   */
+  async getFileKey(fileId) {
+    this.ensureAuthenticated();
+    if (!fileId) {
+      throw new ValidationError("File ID is required");
+    }
+    return this.request("GET", `/api/v1/files/${fileId}/key`);
+  }
   /**
    * List all encrypted files for current user
    *
@@ -654,11 +700,19 @@ var Wolfronix = class {
   /**
    * Get another user's public key (for E2E encryption)
    * @param userId The ID of the recipient
+   * @param clientId Optional: override the configured clientId
    */
-  async getPublicKey(userId) {
+  async getPublicKey(userId, clientId) {
     this.ensureAuthenticated();
-    const result = await this.request("GET", `/api/v1/keys/${userId}`);
-    return result.public_key;
+    const cid = clientId || this.config.clientId;
+    if (!cid) {
+      throw new ValidationError("clientId is required for getPublicKey(). Set it in config or pass as second argument.");
+    }
+    const result = await this.request(
+      "GET",
+      `/api/v1/keys/public/${encodeURIComponent(cid)}/${encodeURIComponent(userId)}`
+    );
+    return result.public_key_pem;
   }
   /**
    * Encrypt a short text message for a recipient (Hybrid Encryption: RSA + AES)
@@ -711,6 +765,166 @@ var Wolfronix = class {
     }
   }
   // ==========================================================================
+  // Server-Side Message Encryption (Dual-Key Split)
+  // ==========================================================================
+  /**
+   * Encrypt a text message via the Wolfronix server (dual-key split).
+   * The server generates an AES key, encrypts the message, and splits the key —
+   * you get key_part_a, the server holds key_part_b.
+   *
+   * Use this for server-managed message encryption (e.g., stored encrypted messages).
+   * For true E2E (where the server never sees plaintext), use encryptMessage() instead.
+   *
+   * @param message The plaintext message to encrypt
+   * @param options.layer 3 = AES only (full key returned), 4 = dual-key split (default)
+   *
+   * @example
+   * ```typescript
+   * const result = await wfx.serverEncrypt('Hello, World!');
+   * // Store result.encrypted_message, result.nonce, result.key_part_a, result.message_tag
+   * ```
+   */
+  async serverEncrypt(message, options) {
+    this.ensureAuthenticated();
+    if (!message) {
+      throw new ValidationError("Message is required");
+    }
+    return this.request("POST", "/api/v1/messages/encrypt", {
+      body: {
+        message,
+        user_id: this.userId,
+        layer: options?.layer || 4
+      }
+    });
+  }
+  /**
+   * Decrypt a message previously encrypted via serverEncrypt().
+   *
+   * @param params The encrypted message data (from serverEncrypt result)
+   * @returns The decrypted plaintext message
+   *
+   * @example
+   * ```typescript
+   * const text = await wfx.serverDecrypt({
+   *   encryptedMessage: result.encrypted_message,
+   *   nonce: result.nonce,
+   *   keyPartA: result.key_part_a,
+   *   messageTag: result.message_tag,
+   * });
+   * ```
+   */
+  async serverDecrypt(params) {
+    this.ensureAuthenticated();
+    if (!params.encryptedMessage || !params.nonce || !params.keyPartA) {
+      throw new ValidationError("encryptedMessage, nonce, and keyPartA are required");
+    }
+    const response = await this.request(
+      "POST",
+      "/api/v1/messages/decrypt",
+      {
+        body: {
+          encrypted_message: params.encryptedMessage,
+          nonce: params.nonce,
+          key_part_a: params.keyPartA,
+          message_tag: params.messageTag || "",
+          user_id: this.userId
+        }
+      }
+    );
+    return response.message;
+  }
+  /**
+   * Encrypt multiple messages in a single round-trip (batch).
+   * All messages share one AES key (different nonce per message).
+   * Efficient for chat history encryption or bulk operations.
+   *
+   * @param messages Array of { id, message } objects (max 100)
+   * @param options.layer 3 or 4 (default: 4)
+   *
+   * @example
+   * ```typescript
+   * const result = await wfx.serverEncryptBatch([
+   *   { id: 'msg1', message: 'Hello' },
+   *   { id: 'msg2', message: 'World' },
+   * ]);
+   * // result.results[0].encrypted_message, result.key_part_a, result.batch_tag
+   * ```
+   */
+  async serverEncryptBatch(messages, options) {
+    this.ensureAuthenticated();
+    if (!messages || messages.length === 0) {
+      throw new ValidationError("At least one message is required");
+    }
+    if (messages.length > 100) {
+      throw new ValidationError("Maximum 100 messages per batch");
+    }
+    return this.request("POST", "/api/v1/messages/batch/encrypt", {
+      body: {
+        messages,
+        user_id: this.userId,
+        layer: options?.layer || 4
+      }
+    });
+  }
+  /**
+   * Decrypt a single message from a batch result.
+   * Uses the shared key_part_a and batch_tag from the batch result.
+   *
+   * @param batchResult The batch encrypt result
+   * @param index The index of the message to decrypt
+   */
+  async serverDecryptBatchItem(batchResult, index) {
+    if (index < 0 || index >= batchResult.results.length) {
+      throw new ValidationError("Invalid batch index");
+    }
+    const item = batchResult.results[index];
+    return this.serverDecrypt({
+      encryptedMessage: item.encrypted_message,
+      nonce: item.nonce,
+      keyPartA: batchResult.key_part_a,
+      messageTag: batchResult.batch_tag
+    });
+  }
+  // ==========================================================================
+  // Real-Time Streaming Encryption (WebSocket)
+  // ==========================================================================
+  /**
+   * Create a streaming encryption/decryption session over WebSocket.
+   * Data flows in real-time: send chunks, receive encrypted/decrypted chunks back.
+   *
+   * @param direction 'encrypt' for plaintext→ciphertext, 'decrypt' for reverse
+   * @param streamKey Required for decrypt — the key_part_a and stream_tag from the encrypt session
+   *
+   * @example
+   * ```typescript
+   * // Encrypt stream
+   * const stream = await wfx.createStream('encrypt');
+   * stream.onData((chunk, seq) => console.log('Encrypted chunk', seq));
+   * stream.send('Hello chunk 1');
+   * stream.send('Hello chunk 2');
+   * const summary = await stream.end();
+   * // Save stream.keyPartA and stream.streamTag for decryption
+   *
+   * // Decrypt stream
+   * const dStream = await wfx.createStream('decrypt', {
+   *   keyPartA: stream.keyPartA!,
+   *   streamTag: stream.streamTag!,
+   * });
+   * dStream.onData((chunk, seq) => console.log('Decrypted:', chunk));
+   * dStream.send(encryptedChunk1);
+   * await dStream.end();
+   * ```
+   */
+  async createStream(direction, streamKey) {
+    this.ensureAuthenticated();
+    if (direction === "decrypt" && !streamKey) {
+      throw new ValidationError("streamKey (keyPartA + streamTag) is required for decrypt streams");
+    }
+    const stream = new WolfronixStream(this.config, this.userId);
+    await stream.connect(direction, streamKey);
+    return stream;
+  }
+  // ==========================================================================
   // Metrics & Status
   // ==========================================================================
   /**
@@ -740,9 +954,281 @@ var Wolfronix = class {
     }
   }
 };
+var WolfronixStream = class {
+  /** @internal */
+  constructor(config, userId) {
+    this.config = config;
+    this.userId = userId;
+    this.ws = null;
+    this.dataCallbacks = [];
+    this.errorCallbacks = [];
+    this.pendingChunks = /* @__PURE__ */ new Map();
+    this.seqCounter = 0;
+    /** Client's key half (available after encrypt stream init) */
+    this.keyPartA = null;
+    /** Stream tag (available after encrypt stream init) */
+    this.streamTag = null;
+  }
+  /** @internal Connect and initialize the stream session */
+  async connect(direction, streamKey) {
+    return new Promise((resolve, reject) => {
+      const wsBase = this.config.baseUrl.replace(/^http/, "ws");
+      const params = new URLSearchParams();
+      if (this.config.wolfronixKey) {
+        params.set("wolfronix_key", this.config.wolfronixKey);
+      }
+      if (this.config.clientId) {
+        params.set("client_id", this.config.clientId);
+      }
+      const wsUrl = `${wsBase}/api/v1/stream?${params.toString()}`;
+      this.ws = new WebSocket(wsUrl);
+      this.ws.onopen = () => {
+        const initMsg = { type: "init", direction };
+        if (direction === "decrypt" && streamKey) {
+          initMsg.key_part_a = streamKey.keyPartA;
+          initMsg.stream_tag = streamKey.streamTag;
+        }
+        this.ws.send(JSON.stringify(initMsg));
+      };
+      let initResolved = false;
+      this.ws.onmessage = (event) => {
+        try {
+          const msg = JSON.parse(event.data);
+          if (msg.type === "error") {
+            const err = new Error(msg.error);
+            if (!initResolved) {
+              initResolved = true;
+              reject(err);
+            }
+            this.errorCallbacks.forEach((cb) => cb(err));
+            return;
+          }
+          if (msg.type === "init_ack" && !initResolved) {
+            initResolved = true;
+            if (msg.key_part_a) this.keyPartA = msg.key_part_a;
+            if (msg.stream_tag) this.streamTag = msg.stream_tag;
+            resolve();
+            return;
+          }
+          if (msg.type === "data") {
+            this.dataCallbacks.forEach((cb) => cb(msg.data, msg.seq));
+            const pending = this.pendingChunks.get(msg.seq);
+            if (pending) {
+              pending.resolve(msg.data);
+              this.pendingChunks.delete(msg.seq);
+            }
+            return;
+          }
+          if (msg.type === "end_ack") {
+            return;
+          }
+        } catch (e) {
+          const err = new Error("Failed to parse stream message");
+          this.errorCallbacks.forEach((cb) => cb(err));
+        }
+      };
+      this.ws.onerror = (event) => {
+        const err = new Error("WebSocket error");
+        if (!initResolved) {
+          initResolved = true;
+          reject(err);
+        }
+        this.errorCallbacks.forEach((cb) => cb(err));
+      };
+      this.ws.onclose = () => {
+        this.pendingChunks.forEach((p) => p.reject(new Error("Stream closed")));
+        this.pendingChunks.clear();
+      };
+    });
+  }
+  /**
+   * Send a data chunk for encryption/decryption.
+   * Returns a promise that resolves with the processed (encrypted/decrypted) chunk.
+   *
+   * @param data String or base64-encoded binary data
+   * @returns The processed chunk (base64-encoded)
+   */
+  async send(data) {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+      throw new Error("Stream not connected");
+    }
+    const b64Data = this.isBase64(data) ? data : btoa(data);
+    const seq = this.seqCounter++;
+    return new Promise((resolve, reject) => {
+      this.pendingChunks.set(seq, { resolve, reject });
+      this.ws.send(JSON.stringify({ type: "data", data: b64Data }));
+    });
+  }
+  /**
+   * Send raw binary data for encryption/decryption.
+   *
+   * @param buffer ArrayBuffer or Uint8Array
+   * @returns The processed chunk (base64-encoded)
+   */
+  async sendBinary(buffer) {
+    const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+    let binary = "";
+    for (let i = 0; i < bytes.byteLength; i++) {
+      binary += String.fromCharCode(bytes[i]);
+    }
+    const b64 = btoa(binary);
+    return this.send(b64);
+  }
+  /**
+   * Register a callback for incoming data chunks.
+   *
+   * @param callback Called with (base64Data, sequenceNumber) for each chunk
+   */
+  onData(callback) {
+    this.dataCallbacks.push(callback);
+  }
+  /**
+   * Register a callback for stream errors.
+   */
+  onError(callback) {
+    this.errorCallbacks.push(callback);
+  }
+  /**
+   * End the stream session. Returns the total number of chunks processed.
+   */
+  async end() {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+      return { chunksProcessed: this.seqCounter };
+    }
+    return new Promise((resolve) => {
+      const originalHandler = this.ws.onmessage;
+      this.ws.onmessage = (event) => {
+        try {
+          const msg = JSON.parse(event.data);
+          if (msg.type === "end_ack") {
+            resolve({ chunksProcessed: msg.chunks_processed || this.seqCounter });
+            this.ws.close();
+            return;
+          }
+        } catch {
+        }
+        if (originalHandler && this.ws) originalHandler.call(this.ws, event);
+      };
+      this.ws.send(JSON.stringify({ type: "end" }));
+      setTimeout(() => {
+        resolve({ chunksProcessed: this.seqCounter });
+        if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+          this.ws.close();
+        }
+      }, 5e3);
+    });
+  }
+  /**
+   * Close the stream immediately without sending an end message.
+   */
+  close() {
+    if (this.ws) {
+      this.ws.close();
+      this.ws = null;
+    }
+    this.pendingChunks.forEach((p) => p.reject(new Error("Stream closed")));
+    this.pendingChunks.clear();
+  }
+  isBase64(str) {
+    if (str.length % 4 !== 0) return false;
+    return /^[A-Za-z0-9+/]*={0,2}$/.test(str);
+  }
+};
 function createClient(config) {
   return new Wolfronix(config);
 }
+var WolfronixAdmin = class {
+  constructor(config) {
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.adminKey = config.adminKey;
+    this.timeout = config.timeout || 3e4;
+    this.insecure = config.insecure || false;
+  }
+  async request(method, endpoint, body) {
+    const url = `${this.baseUrl}${endpoint}`;
+    const headers = {
+      "X-Admin-Key": this.adminKey,
+      "Accept": "application/json"
+    };
+    if (body) {
+      headers["Content-Type"] = "application/json";
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    const fetchOptions = {
+      method,
+      headers,
+      signal: controller.signal
+    };
+    if (this.insecure && typeof process !== "undefined") {
+      try {
+        const { Agent } = await import("./undici-BDVTXO27.mjs");
+        fetchOptions.dispatcher = new Agent({
+          connect: { rejectUnauthorized: false }
+        });
+      } catch {
+      }
+    }
+    if (body) {
+      fetchOptions.body = JSON.stringify(body);
+    }
+    const response = await fetch(url, fetchOptions);
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      const errorBody = await response.json().catch(() => ({}));
+      throw new WolfronixError(
+        errorBody.error || `Request failed with status ${response.status}`,
+        "ADMIN_REQUEST_ERROR",
+        response.status,
+        errorBody
+      );
+    }
+    return await response.json();
+  }
+  /**
+   * Register a new enterprise client.
+   * For managed connectors (supabase, mongodb, mysql, firebase, postgresql),
+   * provide db_type + db_config. For custom APIs, use db_type: 'custom_api' + api_endpoint.
+   */
+  async registerClient(params) {
+    return this.request("POST", "/api/v1/enterprise/register", params);
+  }
+  /**
+   * List all registered enterprise clients.
+   */
+  async listClients() {
+    return this.request("GET", "/api/v1/enterprise/clients");
+  }
+  /**
+   * Get details for a specific client.
+   */
+  async getClient(clientId) {
+    return this.request("GET", `/api/v1/enterprise/clients/${encodeURIComponent(clientId)}`);
+  }
+  /**
+   * Update a client's configuration (api_endpoint, db_type, db_config).
+   */
+  async updateClient(clientId, params) {
+    return this.request("PUT", `/api/v1/enterprise/clients/${encodeURIComponent(clientId)}`, params);
+  }
+  /**
+   * Deactivate (soft-delete) a client. Their wolfronix_key will stop working.
+   */
+  async deactivateClient(clientId) {
+    return this.request("DELETE", `/api/v1/enterprise/clients/${encodeURIComponent(clientId)}`);
+  }
+  /**
+   * Check server health.
+   */
+  async healthCheck() {
+    try {
+      await this.request("GET", "/health");
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
 var index_default = Wolfronix;
 export {
   AuthenticationError,
@@ -751,7 +1237,9 @@ export {
   PermissionDeniedError,
   ValidationError,
   Wolfronix,
+  WolfronixAdmin,
   WolfronixError,
+  WolfronixStream,
   createClient,
   index_default as default
 };