zeyra 1.1.0 → 2.0.0

package/README.md

@@ -1,26 +1,37 @@
 # Zeyra
 
-Managed WebCrypto helpers for storage-ready AES-GCM + ECDSA keysets, with lightweight agents and weakly cached clusters.
+Client-side WebCrypto helpers for AES-GCM encryption, ECDSA signatures, and RSA-OAEP key wrapping, with byte-oriented cluster helpers.
+
+## Compatibility
+
+- WebCrypto (`crypto.subtle`) is stable in evergreen browsers; unprefixed support shipped in Chrome 37 (2014), Firefox 34 (2014), Edge 12 (2015), and Safari 11 (2017).
+- Zeyra relies on AES-GCM, ECDSA P-256, and RSA-OAEP plus wrap/unwrap; legacy EdgeHTML/IE have partial WebCrypto (notably missing ECDSA), so target Chromium Edge (79+, 2020) and modern browsers.
+- ESM only; requires global `crypto.subtle`.
 
 ## Features
 
-- AES-GCM 256 encryption/decryption via `CipherAgent`
-- ECDSA P-256 signing/verification via `SigningAgent` and `VerificationAgent`
-- Managed clusters (`CipherCluster`, `SigningCluster`, `VerificationCluster`) cache agents with WeakRef for large keysets
-- `generateKeyset()` produces an exportable JWK bundle you can store or transport
-- Storage/transport-ready artifacts with base64url payloads and SHA-256 digests
-- Pure WebCrypto, no native add-ons; ships as ESM
-- Works with `bytecodec` for UTF-8, compression, and base64url conversions
+- AES-GCM 256 encryption/decryption via `CipherAgent` and `CipherCluster`
+- ECDSA P-256 sign/verify via `SigningAgent`, `VerificationAgent`, and clusters
+- RSA-OAEP 4096 wrap/unwrap for AES-GCM JWKs
+- `generateKeyset()` yields `cipherJwk`, `signingJwk`, `verificationJwk`, `wrappingJwk`, `unwrappingJwk`
+- Cluster classes cache agents with `WeakRef`; they are a lightweight optimization, not a full end-to-end solution
+- Byte-oriented clusters return raw `Uint8Array` / `ArrayBuffer` (no base64); use `bytecodec` for JSON, compression, and encoding
+- TypeScript source; published package ships compiled JS + `.d.ts`
 
 ## Requirements
 
-- Node.js 18+ (global `crypto.subtle`)
-- ESM environment (`"type": "module"` in `package.json`)
+- Node.js 18+ for server/edge usage
+- ESM environment (`"type": "module"`)
+- `bytecodec` for JSON/bytes/compression helpers
 
 ## Installation
 
-```bash
+```sh
 npm install zeyra
+# or
+pnpm add zeyra
+# or
+yarn add zeyra
 ```
 
 ## Quickstart (agents)
@@ -34,18 +45,17 @@ import {
   VerificationAgent,
 } from "zeyra";
 
-// One-time key material for a resource
-const { symmetricJwk, privateJwk, publicJwk } = await generateKeyset();
+const { cipherJwk, signingJwk, verificationJwk } = await generateKeyset();
+
+const cipher = new CipherAgent(cipherJwk);
+const signer = new SigningAgent(signingJwk);
+const verifier = new VerificationAgent(verificationJwk);
 
-// Writers: encrypt + sign
-const cipher = new CipherAgent(symmetricJwk);
-const signer = new SigningAgent(privateJwk);
 const payload = await cipher.encrypt(Bytes.fromString("hello world"));
-const signature = await signer.sign(payload.ciphertext);
+const ciphertextBytes = new Uint8Array(payload.ciphertext);
+const signature = await signer.sign(ciphertextBytes);
 
-// Readers / servers: verify ownership + decrypt
-const verifier = new VerificationAgent(publicJwk);
-const authorized = await verifier.verify(payload.ciphertext, signature);
+const authorized = await verifier.verify(ciphertextBytes, signature);
 const plaintext = Bytes.toString(await cipher.decrypt(payload));
 ```
 
@@ -59,54 +69,91 @@ import {
   VerificationCluster,
 } from "zeyra";
 
-const { symmetricJwk, privateJwk, publicJwk } = await generateKeyset();
+const { cipherJwk, signingJwk, verificationJwk } = await generateKeyset();
 
 const resource = { id: "file-123", body: "hello world" };
-const artifact = await CipherCluster.encrypt(symmetricJwk, resource);
-const signature = await SigningCluster.sign(privateJwk, resource.id);
+const artifact = await CipherCluster.encrypt(cipherJwk, resource);
+// artifact: { iv: Uint8Array, ciphertext: ArrayBuffer }
 
-// VerificationCluster is designed to run on a per-resource server node.
+const signature = await SigningCluster.sign(signingJwk, resource.id);
 const authorized = await VerificationCluster.verify(
-  publicJwk,
+  verificationJwk,
   resource.id,
   signature
 );
 
-const decrypted = await CipherCluster.decrypt(symmetricJwk, artifact);
+const decrypted = await CipherCluster.decrypt(cipherJwk, artifact);
+```
+
+## Key wrapping flow
+
+```js
+import { generateKeyset, WrappingCluster, UnwrappingCluster } from "zeyra";
+
+const { cipherJwk, wrappingJwk, unwrappingJwk } = await generateKeyset();
+
+const wrapped = await WrappingCluster.wrap(wrappingJwk, cipherJwk);
+const unwrappedCipherJwk = await UnwrappingCluster.unwrap(
+  unwrappingJwk,
+  wrapped
+);
 ```
 
 ## API
 
-- `generateKeyset()` -> `{ symmetricJwk, publicJwk, privateJwk }` (all exportable JWKs)
-- `new CipherAgent(symmetricJwk)`
+- `generateKeyset()` -> `{ cipherJwk, verificationJwk, signingJwk, wrappingJwk, unwrappingJwk }`
+- `new CipherAgent(cipherJwk)`
   - `.encrypt(Uint8Array)` -> `{ iv: Uint8Array, ciphertext: ArrayBuffer }`
   - `.decrypt({ iv, ciphertext })` -> `Uint8Array`
-- `new SigningAgent(privateJwk)`
-  - `.sign(Uint8Array | ArrayBuffer)` -> `ArrayBuffer` (ECDSA P-256 / SHA-256)
-- `new VerificationAgent(publicJwk)`
-  - `.verify(Uint8Array | ArrayBuffer, ArrayBuffer)` -> `boolean`
-- `CipherCluster.encrypt(symmetricJwk, resource)`
-  - -> `{ digest, ciphertext, iv }` (all base64url strings; digest is SHA-256 of JSON bytes, pre-encryption, useful for version checks)
-- `CipherCluster.decrypt(symmetricJwk, artifact)`
-  - -> `{ digest, ...resource }` (resource object restored from compressed JSON)
-- `SigningCluster.sign(privateJwk, value)` -> `Base64URLString`
-- `VerificationCluster.verify(publicJwk, value, signature)` -> `boolean`
-
-See the implementations in `src/index.js` and friends for details.
+- `new SigningAgent(signingJwk)`
+  - `.sign(Uint8Array)` -> `ArrayBuffer` (ECDSA P-256 / SHA-256)
+- `new VerificationAgent(verificationJwk)`
+  - `.verify(Uint8Array, ArrayBuffer)` -> `boolean`
+- `new WrappingAgent(wrappingJwk)`
+  - `.wrap(cipherJwk)` -> `ArrayBuffer` (RSA-OAEP / SHA-256)
+- `new UnwrappingAgent(unwrappingJwk)`
+  - `.unwrap(ArrayBuffer)` -> `JsonWebKey`
+- `CipherCluster.encrypt(cipherJwk, resource)` -> `{ iv, ciphertext }`
+- `CipherCluster.decrypt(cipherJwk, artifact)` -> `resource`
+- `SigningCluster.sign(signingJwk, value)` -> `ArrayBuffer`
+- `VerificationCluster.verify(verificationJwk, value, signature)` -> `boolean`
+- `WrappingCluster.wrap(wrappingJwk, cipherJwk)` -> `ArrayBuffer`
+- `UnwrappingCluster.unwrap(unwrappingJwk, wrapped)` -> `JsonWebKey`
+
+## Serialization helpers
+
+Zeyra keeps clusters byte-oriented. Use `bytecodec` when you need to serialize or store artifacts.
+
+```js
+import { Bytes } from "bytecodec";
+
+const artifact = await CipherCluster.encrypt(cipherJwk, resource);
+const ciphertextB64 = Bytes.toBase64UrlString(
+  new Uint8Array(artifact.ciphertext)
+);
+const ivB64 = Bytes.toBase64UrlString(artifact.iv);
+```
 
 ## Testing and benchmarks
 
-- Run tests: `npm test` (uses Node's built-in `node:test` runner against `test.js`)
-- Run microbenchmarks (skipped by default): `npm run bench`
+- Build: `npm run build` (outputs `dist/`)
+- Run tests: `npm test` (builds `dist/`, then runs `node --test`)
+- Run benchmarks: `npm run bench`
   - Pass iterations: `npm run bench -- --iterations=500`
-  - Reports ops/sec for encryption and the full encrypt/sign/verify/decrypt pipeline.
+
+## Benchmarks (local)
+
+Results will vary by hardware, runtime, and payload size. Run `npm run bench` to reproduce.
+
+- Node v22.14.0 (Windows), iterations=200
+  - encrypt only: 44.68ms (4476.3 ops/sec)
+  - full pipeline: 115.15ms (1736.9 ops/sec)
 
 ## Notes
 
-- CipherCluster assumes one unique random key per resource (no derivations or shared usage).
-- Cluster classes are intended for client-side usage; `VerificationCluster`/`VerificationAgent` can be hosted per-resource to pre-verify access before downstream identity or ACL checks.
-- Cluster serialization uses JSON and adds a `digest` field; avoid using `digest` in resource objects.
-- WeakRef caching keeps memory usage loose and GC-friendly by design.
+- Zeyra is intended for client-side encryption workflows; server/edge usage is supported where WebCrypto is available.
+- Cluster helpers cache keys with `WeakRef` and keep `CryptoKey` material private inside agents.
+- `CipherCluster` compresses JSON payloads before encryption; `SigningCluster`/`VerificationCluster` sign JSON values.
 
 ## License
 

package/dist/CipherAgent/class.d.ts

@@ -0,0 +1,13 @@
+export declare class CipherAgent {
+    private keyPromise;
+    constructor(cipherJwk: JsonWebKey);
+    encrypt(plaintext: Uint8Array): Promise<{
+        iv: Uint8Array;
+        ciphertext: ArrayBuffer;
+    }>;
+    decrypt({ iv, ciphertext, }: {
+        iv: Uint8Array<ArrayBufferLike>;
+        ciphertext: ArrayBuffer;
+    }): Promise<Uint8Array>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/CipherAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/CipherAgent/class.ts"],"names":[],"mappings":"AACA,qBAAa,WAAW;IACtB,OAAO,CAAC,UAAU,CAAqB;gBAC3B,SAAS,EAAE,UAAU;IAU3B,OAAO,CACX,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC;QAAE,EAAE,EAAE,UAAU,CAAC;QAAC,UAAU,EAAE,WAAW,CAAA;KAAE,CAAC;IAWjD,OAAO,CAAC,EACZ,EAAE,EACF,UAAU,GACX,EAAE;QACD,EAAE,EAAE,UAAU,CAAC,eAAe,CAAC,CAAC;QAChC,UAAU,EAAE,WAAW,CAAC;KACzB,GAAG,OAAO,CAAC,UAAU,CAAC;CASxB"}

package/dist/CipherAgent/class.js

@@ -0,0 +1,19 @@
+import { Bytes } from "bytecodec";
+export class CipherAgent {
+    keyPromise;
+    constructor(cipherJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", cipherJwk, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+    }
+    async encrypt(plaintext) {
+        const key = await this.keyPromise;
+        const iv = crypto.getRandomValues(new Uint8Array(12));
+        const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, Bytes.toBufferSource(plaintext));
+        return { iv, ciphertext };
+    }
+    async decrypt({ iv, ciphertext, }) {
+        const key = await this.keyPromise;
+        const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv: Bytes.toBufferSource(iv) }, key, ciphertext);
+        return new Uint8Array(plaintext);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/CipherAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/CipherAgent/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,MAAM,OAAO,WAAW;IACd,UAAU,CAAqB;IACvC,YAAY,SAAqB;QAC/B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,SAAS,EACT,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,SAAqB;QAErB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QACtD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,GAAG,EACH,KAAK,CAAC,cAAc,CAAC,SAAS,CAAC,CAChC,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EACZ,EAAE,EACF,UAAU,GAIX;QACC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC,EAAE,EACjD,GAAG,EACH,UAAU,CACX,CAAC;QACF,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;CACF"}

package/dist/CipherCluster/class.d.ts

@@ -0,0 +1,12 @@
+export declare class CipherCluster {
+    #private;
+    static encrypt(cipherJwk: JsonWebKey, resource: any): Promise<{
+        iv: Uint8Array;
+        ciphertext: ArrayBuffer;
+    }>;
+    static decrypt(cipherJwk: JsonWebKey, artifact: {
+        iv: Uint8Array;
+        ciphertext: ArrayBuffer;
+    }): Promise<any>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/CipherCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/CipherCluster/class.ts"],"names":[],"mappings":"AAGA,qBAAa,aAAa;;WAaX,OAAO,CAClB,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE,GAAG,GACZ,OAAO,CAAC;QAAE,EAAE,EAAE,UAAU,CAAC;QAAC,UAAU,EAAE,WAAW,CAAA;KAAE,CAAC;WAQ1C,OAAO,CAClB,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE;QAAE,EAAE,EAAE,UAAU,CAAC;QAAC,UAAU,EAAE,WAAW,CAAA;KAAE,GACpD,OAAO,CAAC,GAAG,CAAC;CAMhB"}

package/dist/CipherCluster/class.js

@@ -0,0 +1,27 @@
+import { Bytes } from "bytecodec";
+import { CipherAgent } from "../CipherAgent/class.js";
+export class CipherCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(cipherJwk) {
+        const weakRef = CipherCluster.#agents.get(cipherJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new CipherAgent(cipherJwk);
+            CipherCluster.#agents.set(cipherJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async encrypt(cipherJwk, resource) {
+        const agent = CipherCluster.#loadAgent(cipherJwk);
+        const bytes = Bytes.fromJSON(resource);
+        const compressed = await Bytes.toCompressed(bytes);
+        return await agent.encrypt(compressed);
+    }
+    static async decrypt(cipherJwk, artifact) {
+        const agent = CipherCluster.#loadAgent(cipherJwk);
+        const bytes = await agent.decrypt(artifact);
+        const decompressed = await Bytes.fromCompressed(bytes);
+        return Bytes.toJSON(decompressed);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/CipherCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/CipherCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD,MAAM,OAAO,aAAa;IACxB,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAAoC,CAAC;IAEjE,MAAM,CAAC,UAAU,CAAC,SAAqB;QACrC,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACrD,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,WAAW,CAAC,SAAS,CAAC,CAAC;YACnC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,OAAO,CAClB,SAAqB,EACrB,QAAa;QAEb,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEvC,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QACnD,OAAO,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,OAAO,CAClB,SAAqB,EACrB,QAAqD;QAErD,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QACvD,OAAO,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACpC,CAAC"}

package/dist/SigningAgent/class.d.ts

@@ -0,0 +1,6 @@
+export declare class SigningAgent {
+    private keyPromise;
+    constructor(signingJwk: JsonWebKey);
+    sign(bytes: Uint8Array): Promise<ArrayBuffer>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/SigningAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/SigningAgent/class.ts"],"names":[],"mappings":"AACA,qBAAa,YAAY;IACvB,OAAO,CAAC,UAAU,CAAqB;gBAE3B,UAAU,EAAE,UAAU;IAU5B,IAAI,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC;CAQpD"}

package/dist/SigningAgent/class.js

@@ -0,0 +1,12 @@
+import { Bytes } from "bytecodec";
+export class SigningAgent {
+    keyPromise;
+    constructor(signingJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", signingJwk, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+    }
+    async sign(bytes) {
+        const key = await this.keyPromise;
+        return crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, key, Bytes.toBufferSource(bytes));
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/SigningAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/SigningAgent/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,MAAM,OAAO,YAAY;IACf,UAAU,CAAqB;IAEvC,YAAY,UAAsB;QAChC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,UAAU,EACV,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAiB;QAC1B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CACvB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,GAAG,EACH,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAC5B,CAAC;IACJ,CAAC;CACF"}

package/dist/SigningCluster/class.d.ts

@@ -0,0 +1,5 @@
+export declare class SigningCluster {
+    #private;
+    static sign(signingJwk: JsonWebKey, value: any): Promise<ArrayBuffer>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/SigningCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/SigningCluster/class.ts"],"names":[],"mappings":"AAGA,qBAAa,cAAc;;WAaZ,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC;CAK5E"}

package/dist/SigningCluster/class.js

@@ -0,0 +1,20 @@
+import { Bytes } from "bytecodec";
+import { SigningAgent } from "../SigningAgent/class.js";
+export class SigningCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(signingJwk) {
+        const weakRef = SigningCluster.#agents.get(signingJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new SigningAgent(signingJwk);
+            SigningCluster.#agents.set(signingJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async sign(signingJwk, value) {
+        const agent = SigningCluster.#loadAgent(signingJwk);
+        const bytes = Bytes.fromJSON(value);
+        return await agent.sign(bytes);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/SigningCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/SigningCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,MAAM,OAAO,cAAc;IACzB,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAAqC,CAAC;IAElE,MAAM,CAAC,UAAU,CAAC,UAAsB;QACtC,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACvD,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,CAAC;YACrC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,UAAsB,EAAE,KAAU;QAClD,MAAM,KAAK,GAAG,cAAc,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QACpD,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACpC,OAAO,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC"}

package/dist/UnwrappingAgent/class.d.ts

@@ -0,0 +1,6 @@
+export declare class UnwrappingAgent {
+    private keyPromise;
+    constructor(unwrappingJwk: JsonWebKey);
+    unwrap(wrapped: ArrayBuffer): Promise<JsonWebKey>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/UnwrappingAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/UnwrappingAgent/class.ts"],"names":[],"mappings":"AAAA,qBAAa,eAAe;IAC1B,OAAO,CAAC,UAAU,CAAqB;gBAC3B,aAAa,EAAE,UAAU;IAU/B,MAAM,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;CAexD"}

package/dist/UnwrappingAgent/class.js

@@ -0,0 +1,12 @@
+export class UnwrappingAgent {
+    keyPromise;
+    constructor(unwrappingJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", unwrappingJwk, { name: "RSA-OAEP", hash: "SHA-256" }, false, ["unwrapKey"]);
+    }
+    async unwrap(wrapped) {
+        const unwrappingKey = await this.keyPromise;
+        const aesKey = await crypto.subtle.unwrapKey("jwk", wrapped, unwrappingKey, { name: "RSA-OAEP" }, { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
+        return crypto.subtle.exportKey("jwk", aesKey);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/UnwrappingAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/UnwrappingAgent/class.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,eAAe;IAClB,UAAU,CAAqB;IACvC,YAAY,aAAyB;QACnC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,aAAa,EACb,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EACrC,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAoB;QAC/B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAE5C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1C,KAAK,EACL,OAAO,EACP,aAAa,EACb,EAAE,IAAI,EAAE,UAAU,EAAE,EACpB,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;QAEF,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;CACF"}

package/dist/UnwrappingCluster/class.d.ts

@@ -0,0 +1,5 @@
+export declare class UnwrappingCluster {
+    #private;
+    static unwrap(unwrappingJwk: JsonWebKey, wrapped: ArrayBuffer): Promise<JsonWebKey>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/UnwrappingCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/UnwrappingCluster/class.ts"],"names":[],"mappings":"AAEA,qBAAa,iBAAiB;;WAaf,MAAM,CACjB,aAAa,EAAE,UAAU,EACzB,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,UAAU,CAAC;CAIvB"}

package/dist/UnwrappingCluster/class.js

@@ -0,0 +1,18 @@
+import { UnwrappingAgent } from "../UnwrappingAgent/class.js";
+export class UnwrappingCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(unwrappingJwk) {
+        const weakRef = UnwrappingCluster.#agents.get(unwrappingJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new UnwrappingAgent(unwrappingJwk);
+            UnwrappingCluster.#agents.set(unwrappingJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async unwrap(unwrappingJwk, wrapped) {
+        const agent = UnwrappingCluster.#loadAgent(unwrappingJwk);
+        return await agent.unwrap(wrapped);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/UnwrappingCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/UnwrappingCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,OAAO,iBAAiB;IAC5B,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAAwC,CAAC;IAErE,MAAM,CAAC,UAAU,CAAC,aAAyB;QACzC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,eAAe,CAAC,aAAa,CAAC,CAAC;YAC3C,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CACjB,aAAyB,EACzB,OAAoB;QAEpB,MAAM,KAAK,GAAG,iBAAiB,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAC1D,OAAO,MAAM,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC"}

package/dist/VerificationAgent/class.d.ts

@@ -0,0 +1,6 @@
+export declare class VerificationAgent {
+    private keyPromise;
+    constructor(verificationJwk: JsonWebKey);
+    verify(bytes: Uint8Array, signature: ArrayBuffer): Promise<boolean>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/VerificationAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/VerificationAgent/class.ts"],"names":[],"mappings":"AAEA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,UAAU,CAAqB;gBAE3B,eAAe,EAAE,UAAU;IAUjC,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC;CAS1E"}

package/dist/VerificationAgent/class.js

@@ -0,0 +1,12 @@
+import { Bytes } from "bytecodec";
+export class VerificationAgent {
+    keyPromise;
+    constructor(verificationJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", verificationJwk, { name: "ECDSA", namedCurve: "P-256" }, false, ["verify"]);
+    }
+    async verify(bytes, signature) {
+        const key = await this.keyPromise;
+        return crypto.subtle.verify({ name: "ECDSA", hash: "SHA-256" }, key, signature, Bytes.toBufferSource(bytes));
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/VerificationAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/VerificationAgent/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAElC,MAAM,OAAO,iBAAiB;IACpB,UAAU,CAAqB;IAEvC,YAAY,eAA2B;QACrC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,eAAe,EACf,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAiB,EAAE,SAAsB;QACpD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,GAAG,EACH,SAAS,EACT,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAC5B,CAAC;IACJ,CAAC;CACF"}

package/dist/VerificationCluster/class.d.ts

@@ -0,0 +1,5 @@
+export declare class VerificationCluster {
+    #private;
+    static verify(verificationJwk: JsonWebKey, value: any, signature: ArrayBuffer): Promise<boolean>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/VerificationCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/VerificationCluster/class.ts"],"names":[],"mappings":"AAGA,qBAAa,mBAAmB;;WAajB,MAAM,CACjB,eAAe,EAAE,UAAU,EAC3B,KAAK,EAAE,GAAG,EACV,SAAS,EAAE,WAAW,GACrB,OAAO,CAAC,OAAO,CAAC;CAKpB"}

package/dist/VerificationCluster/class.js

@@ -0,0 +1,20 @@
+import { Bytes } from "bytecodec";
+import { VerificationAgent } from "../VerificationAgent/class.js";
+export class VerificationCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(verificationJwk) {
+        const weakRef = VerificationCluster.#agents.get(verificationJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new VerificationAgent(verificationJwk);
+            VerificationCluster.#agents.set(verificationJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async verify(verificationJwk, value, signature) {
+        const agent = VerificationCluster.#loadAgent(verificationJwk);
+        const valueBytes = Bytes.fromJSON(value);
+        return await agent.verify(valueBytes, signature);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/VerificationCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/VerificationCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAElE,MAAM,OAAO,mBAAmB;IAC9B,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAA0C,CAAC;IAEvE,MAAM,CAAC,UAAU,CAAC,eAA2B;QAC3C,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACjE,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;YAC/C,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CACjB,eAA2B,EAC3B,KAAU,EACV,SAAsB;QAEtB,MAAM,KAAK,GAAG,mBAAmB,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;QAC9D,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACzC,OAAO,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IACnD,CAAC"}

package/dist/WrappingAgent/class.d.ts

@@ -0,0 +1,6 @@
+export declare class WrappingAgent {
+    private keyPromise;
+    constructor(wrappingJwk: JsonWebKey);
+    wrap(cipherJwk: JsonWebKey): Promise<ArrayBuffer>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/WrappingAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/WrappingAgent/class.ts"],"names":[],"mappings":"AAAA,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAqB;gBAC3B,WAAW,EAAE,UAAU;IAU7B,IAAI,CAAC,SAAS,EAAE,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC;CAexD"}

package/dist/WrappingAgent/class.js

@@ -0,0 +1,14 @@
+export class WrappingAgent {
+    keyPromise;
+    constructor(wrappingJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", wrappingJwk, { name: "RSA-OAEP", hash: "SHA-256" }, false, ["wrapKey"]);
+    }
+    async wrap(cipherJwk) {
+        const wrappingKey = await this.keyPromise;
+        const aesKey = await crypto.subtle.importKey("jwk", cipherJwk, { name: "AES-GCM" }, true, ["encrypt", "decrypt"]);
+        return crypto.subtle.wrapKey("jwk", aesKey, wrappingKey, {
+            name: "RSA-OAEP",
+        });
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/WrappingAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/WrappingAgent/class.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,aAAa;IAChB,UAAU,CAAqB;IACvC,YAAY,WAAuB;QACjC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,WAAW,EACX,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EACrC,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,SAAqB;QAC9B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAE1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1C,KAAK,EACL,SAAS,EACT,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;QAEF,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE;YACvD,IAAI,EAAE,UAAU;SACjB,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/WrappingCluster/class.d.ts

@@ -0,0 +1,5 @@
+export declare class WrappingCluster {
+    #private;
+    static wrap(wrappingJwk: JsonWebKey, cipherJwk: JsonWebKey): Promise<ArrayBuffer>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/WrappingCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/WrappingCluster/class.ts"],"names":[],"mappings":"AAEA,qBAAa,eAAe;;WAab,IAAI,CACf,WAAW,EAAE,UAAU,EACvB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,WAAW,CAAC;CAIxB"}

package/dist/WrappingCluster/class.js

@@ -0,0 +1,18 @@
+import { WrappingAgent } from "../WrappingAgent/class.js";
+export class WrappingCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(wrappingJwk) {
+        const weakRef = WrappingCluster.#agents.get(wrappingJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new WrappingAgent(wrappingJwk);
+            WrappingCluster.#agents.set(wrappingJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async wrap(wrappingJwk, cipherJwk) {
+        const agent = WrappingCluster.#loadAgent(wrappingJwk);
+        return await agent.wrap(cipherJwk);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/WrappingCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/WrappingCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE1D,MAAM,OAAO,eAAe;IAC1B,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAAsC,CAAC;IAEnE,MAAM,CAAC,UAAU,CAAC,WAAuB;QACvC,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACzD,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,aAAa,CAAC,WAAW,CAAC,CAAC;YACvC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,IAAI,CACf,WAAuB,EACvB,SAAqB;QAErB,MAAM,KAAK,GAAG,eAAe,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACtD,OAAO,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC"}

package/dist/generateKeyset/index.d.ts

@@ -0,0 +1,8 @@
+export declare function generateKeyset(): Promise<{
+    cipherJwk: JsonWebKey;
+    verificationJwk: JsonWebKey;
+    signingJwk: JsonWebKey;
+    wrappingJwk: JsonWebKey;
+    unwrappingJwk: JsonWebKey;
+}>;
+//# sourceMappingURL=index.d.ts.map

package/dist/generateKeyset/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/generateKeyset/index.ts"],"names":[],"mappings":"AAAA,wBAAsB,cAAc,IAAI,OAAO,CAAC;IAC9C,SAAS,EAAE,UAAU,CAAC;IACtB,eAAe,EAAE,UAAU,CAAC;IAC5B,UAAU,EAAE,UAAU,CAAC;IACvB,WAAW,EAAE,UAAU,CAAC;IACxB,aAAa,EAAE,UAAU,CAAC;CAC3B,CAAC,CA0CD"}

package/dist/generateKeyset/index.js

@@ -0,0 +1,23 @@
+export async function generateKeyset() {
+    const aesKey = await crypto.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
+    const cipherJwk = await crypto.subtle.exportKey("jwk", aesKey);
+    const signPair = await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
+    const verificationJwk = await crypto.subtle.exportKey("jwk", signPair.publicKey);
+    const signingJwk = await crypto.subtle.exportKey("jwk", signPair.privateKey);
+    const wrapPair = await crypto.subtle.generateKey({
+        name: "RSA-OAEP",
+        modulusLength: 4096,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        hash: "SHA-256",
+    }, true, ["wrapKey", "unwrapKey"]);
+    const wrappingJwk = await crypto.subtle.exportKey("jwk", wrapPair.publicKey);
+    const unwrappingJwk = await crypto.subtle.exportKey("jwk", wrapPair.privateKey);
+    return {
+        cipherJwk,
+        verificationJwk,
+        signingJwk,
+        wrappingJwk,
+        unwrappingJwk,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/generateKeyset/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/generateKeyset/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,KAAK,UAAU,cAAc;IAOlC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAE/D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC9C,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;IACF,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,QAAQ,CAAC,SAAS,CACnB,CAAC;IACF,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IAE7E,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC9C;QACE,IAAI,EAAE,UAAU;QAChB,aAAa,EAAE,IAAI;QACnB,cAAc,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QACzC,IAAI,EAAE,SAAS;KAChB,EACD,IAAI,EACJ,CAAC,SAAS,EAAE,WAAW,CAAC,CACzB,CAAC;IACF,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC7E,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACjD,KAAK,EACL,QAAQ,CAAC,UAAU,CACpB,CAAC;IAEF,OAAO;QACL,SAAS;QACT,eAAe;QACf,UAAU;QACV,WAAW;QACX,aAAa;KACd,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+import { generateKeyset } from "./generateKeyset/index.js";
+import { CipherAgent } from "./CipherAgent/class.js";
+import { SigningAgent } from "./SigningAgent/class.js";
+import { VerificationAgent } from "./VerificationAgent/class.js";
+import { CipherCluster } from "./CipherCluster/class.js";
+import { SigningCluster } from "./SigningCluster/class.js";
+import { VerificationCluster } from "./VerificationCluster/class.js";
+import { WrappingAgent } from "./WrappingAgent/class.js";
+import { WrappingCluster } from "./WrappingCluster/class.js";
+import { UnwrappingAgent } from "./UnwrappingAgent/class.js";
+import { UnwrappingCluster } from "./UnwrappingCluster/class.js";
+export { generateKeyset, CipherAgent, SigningAgent, VerificationAgent, WrappingAgent, UnwrappingAgent, CipherCluster, SigningCluster, VerificationCluster, WrappingCluster, UnwrappingCluster, };
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EACL,cAAc,EACd,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,cAAc,EACd,mBAAmB,EACnB,eAAe,EACf,iBAAiB,GAClB,CAAC"}

package/dist/index.js

@@ -0,0 +1,13 @@
+import { generateKeyset } from "./generateKeyset/index.js";
+import { CipherAgent } from "./CipherAgent/class.js";
+import { SigningAgent } from "./SigningAgent/class.js";
+import { VerificationAgent } from "./VerificationAgent/class.js";
+import { CipherCluster } from "./CipherCluster/class.js";
+import { SigningCluster } from "./SigningCluster/class.js";
+import { VerificationCluster } from "./VerificationCluster/class.js";
+import { WrappingAgent } from "./WrappingAgent/class.js";
+import { WrappingCluster } from "./WrappingCluster/class.js";
+import { UnwrappingAgent } from "./UnwrappingAgent/class.js";
+import { UnwrappingCluster } from "./UnwrappingCluster/class.js";
+export { generateKeyset, CipherAgent, SigningAgent, VerificationAgent, WrappingAgent, UnwrappingAgent, CipherCluster, SigningCluster, VerificationCluster, WrappingCluster, UnwrappingCluster, };
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EACL,cAAc,EACd,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,cAAc,EACd,mBAAmB,EACnB,eAAe,EACf,iBAAiB,GAClB,CAAC"}

package/package.json

@@ -1,27 +1,32 @@
 {
   "name": "zeyra",
-  "version": "1.1.0",
-  "description": "Managed WebCrypto helpers for AES-GCM + ECDSA JWK keysets with storage-ready cluster APIs.",
+  "version": "2.0.0",
+  "description": "Client-side WebCrypto helpers for AES-GCM encryption, ECDSA signatures, and RSA-OAEP key wrapping.",
   "keywords": [
     "webcrypto",
     "aes-gcm",
     "ecdsa",
+    "rsa-oaep",
     "jwk",
     "encryption",
     "signature",
+    "key-wrapping",
+    "wrapping",
+    "unwrapping",
     "cluster",
     "keyset",
-    "base64url",
     "compression",
-    "storage",
-    "transport"
+    "bytecodec",
+    "typescript"
   ],
   "license": "MIT",
   "type": "module",
-  "main": "src/index.js",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
   "scripts": {
-    "test": "node --test test.js && node test.js --bench",
-    "bench": "node test.js --bench",
+    "build": "tsc -p tsconfig.json",
+    "test": "npm run build && node --test test.js && node test.js --bench",
+    "bench": "npm run build && node test.js --bench",
     "prepublishOnly": "npm test"
   },
   "repository": {
@@ -33,19 +38,23 @@
   },
   "homepage": "https://github.com/jortsupetterson/zeyra#readme",
   "dependencies": {
-    "bytecodec": "^1.3.0"
+    "bytecodec": "^2.0.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.4"
   },
   "engines": {
     "node": ">=18"
   },
   "exports": {
     ".": {
-      "import": "./src/index.js"
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
     },
     "./package.json": "./package.json"
   },
   "files": [
-    "src",
+    "dist",
     "LICENSE",
     "README.md"
   ],

package/src/CipherAgent/class.js

@@ -1,43 +0,0 @@
-export class CipherAgent {
-  /**
-   * @param {JsonWebKey} symmetricJwk  // AES-GCM (kty:"oct", alg:"A256GCM")
-   */
-  constructor(symmetricJwk) {
-    this.keyPromise = crypto.subtle.importKey(
-      "jwk",
-      symmetricJwk,
-      { name: "AES-GCM" },
-      false,
-      ["encrypt", "decrypt"]
-    );
-  }
-
-  /**
-   * @param {Uint8Array} plaintext
-   * @returns {Promise<{ iv: Uint8Array, ciphertext: ArrayBuffer }>}
-   */
-  async encrypt(plaintext) {
-    const key = await this.keyPromise;
-    const iv = crypto.getRandomValues(new Uint8Array(12));
-    const ciphertext = await crypto.subtle.encrypt(
-      { name: "AES-GCM", iv },
-      key,
-      plaintext
-    );
-    return { iv, ciphertext };
-  }
-
-  /**
-   * @param {{ iv: Uint8Array, ciphertext: ArrayBuffer }} payload
-   * @returns {Promise<Uint8Array>}
-   */
-  async decrypt({ iv, ciphertext }) {
-    const key = await this.keyPromise;
-    const plaintext = await crypto.subtle.decrypt(
-      { name: "AES-GCM", iv },
-      key,
-      ciphertext
-    );
-    return new Uint8Array(plaintext);
-  }
-}

package/src/CipherCluster/class.js

@@ -1,57 +0,0 @@
-import { Bytes } from "bytecodec";
-import { CipherAgent } from "../CipherAgent/class.js";
-
-export class CipherCluster {
-  /** @type {WeakMap<JsonWebKey, WeakRef<CipherAgent>>} */
-  static #agents = new WeakMap();
-
-  /**
-   * @param {JsonWebKey} symmetricJwk
-   * @returns {CipherAgent}
-   */
-  static #loadAgent(symmetricJwk) {
-    const weakRef = CipherCluster.#agents.get(symmetricJwk);
-    /** @type {CipherAgent | undefined} */
-    let agent = weakRef?.deref();
-    if (!agent) {
-      agent = new CipherAgent(symmetricJwk);
-      CipherCluster.#agents.set(symmetricJwk, new WeakRef(agent));
-    }
-    return agent;
-  }
-
-  /**
-   * @param {JsonWebKey} symmetricJwk
-   * @param {any} resource
-   * @returns {Promise<{ digest: Base64URLString, ciphertext: Base64URLString, iv: Base64URLString }>}
-   */
-  static async encrypt(symmetricJwk, resource) {
-    const agent = CipherCluster.#loadAgent(symmetricJwk);
-    const bytes = Bytes.fromJSON(resource);
-    const digest = await crypto.subtle.digest("SHA-256", bytes);
-    const compressed = await Bytes.toCompressed(bytes);
-    const envelope = await agent.encrypt(compressed);
-    return {
-      digest: Bytes.toBase64UrlString(digest),
-      ciphertext: Bytes.toBase64UrlString(envelope.ciphertext),
-      iv: Bytes.toBase64UrlString(envelope.iv),
-    };
-  }
-
-  /**
-   * @param {JsonWebKey} symmetricJwk
-   * @param {{ digest: Base64URLString, ciphertext: Base64URLString, iv: Base64URLString }} artifact
-   * @returns {Promise<any>}
-   */
-  static async decrypt(symmetricJwk, artifact) {
-    const envelope = {
-      ciphertext: Bytes.fromBase64UrlString(artifact.ciphertext),
-      iv: Bytes.fromBase64UrlString(artifact.iv),
-    };
-    const agent = CipherCluster.#loadAgent(symmetricJwk);
-    const bytes = await agent.decrypt(envelope);
-    const decompressed = await Bytes.fromCompressed(bytes);
-    const resource = Bytes.toJSON(decompressed);
-    return { digest: artifact.digest, ...resource };
-  }
-}

package/src/SigningAgent/class.js

@@ -1,23 +0,0 @@
-export class SigningAgent {
-  /**
-   * @param {JsonWebKey} privateJwk // ECDSA P-256 private key
-   */
-  constructor(privateJwk) {
-    this.keyPromise = crypto.subtle.importKey(
-      "jwk",
-      privateJwk,
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      ["sign"]
-    );
-  }
-
-  /**
-   * @param {Uint8Array} bytes
-   * @returns {Promise<ArrayBuffer>}
-   */
-  async sign(bytes) {
-    const key = await this.keyPromise;
-    return crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, key, bytes);
-  }
-}

package/src/SigningCluster/class.js

@@ -1,34 +0,0 @@
-import { Bytes } from "bytecodec";
-import { SigningAgent } from "../SigningAgent/class.js";
-
-export class SigningCluster {
-  /** @type {WeakMap<JsonWebKey, WeakRef<SigningAgent>>} */
-  static #agents = new WeakMap();
-
-  /**
-   * @param {JsonWebKey} privateJwk
-   * @returns {SigningAgent}
-   */
-  static #loadAgent(privateJwk) {
-    const weakRef = SigningCluster.#agents.get(privateJwk);
-    /** @type {SigningAgent | undefined} */
-    let agent = weakRef?.deref();
-    if (!agent) {
-      agent = new SigningAgent(privateJwk);
-      SigningCluster.#agents.set(privateJwk, new WeakRef(agent));
-    }
-    return agent;
-  }
-
-  /**
-   * @param {JsonWebKey} privateJwk
-   * @param {any} value
-   * @returns {Promise<Base64URLString>}
-   */
-  static async sign(privateJwk, value) {
-    const agent = SigningCluster.#loadAgent(privateJwk);
-    const bytes = Bytes.fromJSON(value);
-    const signature = await agent.sign(bytes);
-    return Bytes.toBase64UrlString(signature);
-  }
-}

package/src/VerificationAgent/class.js

@@ -1,29 +0,0 @@
-export class VerificationAgent {
-  /**
-   * @param {JsonWebKey} publicJwk // ECDSA P-256 public key
-   */
-  constructor(publicJwk) {
-    this.keyPromise = crypto.subtle.importKey(
-      "jwk",
-      publicJwk,
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      ["verify"]
-    );
-  }
-
-  /**
-   * @param {Uint8Array} bytes
-   * @param {ArrayBuffer} signature
-   * @returns {Promise<boolean>}
-   */
-  async verify(bytes, signature) {
-    const key = await this.keyPromise;
-    return crypto.subtle.verify(
-      { name: "ECDSA", hash: "SHA-256" },
-      key,
-      signature,
-      bytes
-    );
-  }
-}

package/src/VerificationCluster/class.js

@@ -1,35 +0,0 @@
-import { Bytes } from "bytecodec";
-import { VerificationAgent } from "../VerificationAgent/class.js";
-
-export class VerificationCluster {
-  /** @type {WeakMap<JsonWebKey, WeakRef<VerificationAgent>>} */
-  static #agents = new WeakMap();
-
-  /**
-   * @param {JsonWebKey} publicJwk
-   * @returns {VerificationAgent}
-   */
-  static #loadAgent(publicJwk) {
-    const weakRef = VerificationCluster.#agents.get(publicJwk);
-    /** @type {VerificationAgent | undefined} */
-    let agent = weakRef?.deref();
-    if (!agent) {
-      agent = new VerificationAgent(publicJwk);
-      VerificationCluster.#agents.set(publicJwk, new WeakRef(agent));
-    }
-    return agent;
-  }
-
-  /**
-   * @param {JsonWebKey} publicJwk
-   * @param {any} value
-   * @param {Base64URLString} signature
-   * @returns {Promise<boolean>}
-   */
-  static async verify(publicJwk, value, signature) {
-    const agent = VerificationCluster.#loadAgent(publicJwk);
-    const valueBytes = Bytes.fromJSON(value);
-    const signatureBytes = Bytes.fromBase64UrlString(signature);
-    return await agent.verify(valueBytes, signatureBytes);
-  }
-}

package/src/generateKeyset/index.js

@@ -1,36 +0,0 @@
-/**
- * Generates a cryptographic keyset for a single resource.
- *
- * Returned keys:
- * - symmetricJwk: AES-GCM 256-bit key (JWK, kty:"oct") for encrypt/decrypt
- * - publicJwk: ECDSA P-256 public key (JWK) for verify
- * - privateJwk: ECDSA P-256 private key (JWK) for sign
- *
- * All keys are extractable and intended to be stored encrypted
- * or transported as data. Type definitions are expected to live
- * in a separate TypeScript types file.
- *
- * @returns {Promise<{
- *   symmetricJwk: JsonWebKey,
- *   publicJwk: JsonWebKey,
- *   privateJwk: JsonWebKey
- * }>}
- */
-export async function generateKeyset() {
-  const aesKey = await crypto.subtle.generateKey(
-    { name: "AES-GCM", length: 256 },
-    true,
-    ["encrypt", "decrypt"]
-  );
-  const symmetricJwk = await crypto.subtle.exportKey("jwk", aesKey);
-
-  const keyPair = await crypto.subtle.generateKey(
-    { name: "ECDSA", namedCurve: "P-256" },
-    true,
-    ["sign", "verify"]
-  );
-  const publicJwk = await crypto.subtle.exportKey("jwk", keyPair.publicKey);
-  const privateJwk = await crypto.subtle.exportKey("jwk", keyPair.privateKey);
-
-  return { symmetricJwk, publicJwk, privateJwk };
-}

package/src/index.js

@@ -1,16 +0,0 @@
-import { generateKeyset } from "./generateKeyset/index.js";
-import { CipherAgent } from "./CipherAgent/class.js";
-import { SigningAgent } from "./SigningAgent/class.js";
-import { VerificationAgent } from "./VerificationAgent/class.js";
-import { CipherCluster } from "./CipherCluster/class.js";
-import { SigningCluster } from "./SigningCluster/class.js";
-import { VerificationCluster } from "./VerificationCluster/class.js";
-export {
-  generateKeyset,
-  CipherAgent,
-  SigningAgent,
-  VerificationAgent,
-  CipherCluster,
-  SigningCluster,
-  VerificationCluster,
-};