zeyra 1.1.0 → 2.1.0

package/README.md

@@ -1,113 +1,199 @@
-# Zeyra
-
-Managed WebCrypto helpers for storage-ready AES-GCM + ECDSA keysets, with lightweight agents and weakly cached clusters.
-
-## Features
-
-- AES-GCM 256 encryption/decryption via `CipherAgent`
-- ECDSA P-256 signing/verification via `SigningAgent` and `VerificationAgent`
-- Managed clusters (`CipherCluster`, `SigningCluster`, `VerificationCluster`) cache agents with WeakRef for large keysets
-- `generateKeyset()` produces an exportable JWK bundle you can store or transport
-- Storage/transport-ready artifacts with base64url payloads and SHA-256 digests
-- Pure WebCrypto, no native add-ons; ships as ESM
-- Works with `bytecodec` for UTF-8, compression, and base64url conversions
-
-## Requirements
-
-- Node.js 18+ (global `crypto.subtle`)
-- ESM environment (`"type": "module"` in `package.json`)
-
-## Installation
-
-```bash
-npm install zeyra
-```
-
-## Quickstart (agents)
+# Zeyra
+
+Client-side WebCrypto helpers for AES-GCM encryption, ECDSA signatures, RSA-OAEP key wrapping, HMAC, and key generation, with byte-oriented cluster helpers.
+
+## Compatibility
+
+- WebCrypto (`crypto.subtle`) is stable in evergreen browsers; unprefixed support shipped in Chrome 37 (2014), Firefox 34 (2014), Edge 12 (2015), and Safari 11 (2017).
+- Zeyra relies on AES-GCM, ECDSA P-256, RSA-OAEP, and HMAC SHA-256 plus wrap/unwrap; legacy EdgeHTML/IE have partial WebCrypto (notably missing ECDSA), so target Chromium Edge (79+, 2020) and modern browsers.
+- ESM only; requires global `crypto.subtle`.
+
+## Features
+
+- AES-GCM 256 encryption/decryption via `CipherAgent` and `CipherCluster`
+- ECDSA P-256 sign/verify via `SigningAgent`, `VerificationAgent`, and clusters
+- HMAC SHA-256 sign/verify via `HmacAgent` + key generation via `generateHmacKey()`
+- RSA-OAEP 4096 wrap/unwrap for AES-GCM JWKs
+- WebAuthn PRF root key derivation via `deriveRootKeys()`
+- `generateKeyset()` yields `cipherJwk`, `signingJwk`, `verificationJwk`, `wrappingJwk`, `unwrappingJwk`, `hmacJwk`
+- Individual key generators are available when you only need one key type.
+- Cluster classes cache agents with `WeakRef`; they are a lightweight optimization, not a full end-to-end solution
+- Byte-oriented clusters return raw `Uint8Array` / `ArrayBuffer` (no base64); use `bytecodec` for JSON, compression, and encoding
+- TypeScript source; published package ships compiled JS + `.d.ts`
+
+## Requirements
+
+- Node.js 18+ for server/edge usage
+- ESM environment (`"type": "module"`)
+- `bytecodec` for JSON/bytes/compression helpers
+
+## Installation
+
+```sh
+npm install zeyra
+# or
+pnpm add zeyra
+# or
+yarn add zeyra
+```
+
+## Quickstart (agents)
+
+```js
+import { Bytes } from "bytecodec";
+import {
+  generateKeyset,
+  CipherAgent,
+  SigningAgent,
+  VerificationAgent,
+} from "zeyra";
+
+const { cipherJwk, signingJwk, verificationJwk } = await generateKeyset();
+
+const cipher = new CipherAgent(cipherJwk);
+const signer = new SigningAgent(signingJwk);
+const verifier = new VerificationAgent(verificationJwk);
+
+const payload = await cipher.encrypt(Bytes.fromString("hello world"));
+const ciphertextBytes = new Uint8Array(payload.ciphertext);
+const signature = await signer.sign(ciphertextBytes);
+
+const authorized = await verifier.verify(ciphertextBytes, signature);
+const plaintext = Bytes.toString(await cipher.decrypt(payload));
+```
+
+## Managed cluster flow
+
+```js
+import {
+  generateKeyset,
+  CipherCluster,
+  SigningCluster,
+  VerificationCluster,
+} from "zeyra";
+
+const { cipherJwk, signingJwk, verificationJwk } = await generateKeyset();
+
+const resource = { id: "file-123", body: "hello world" };
+const artifact = await CipherCluster.encrypt(cipherJwk, resource);
+// artifact: { iv: Uint8Array, ciphertext: ArrayBuffer }
+
+const signature = await SigningCluster.sign(signingJwk, resource.id);
+const authorized = await VerificationCluster.verify(
+  verificationJwk,
+  resource.id,
+  signature
+);
+
+const decrypted = await CipherCluster.decrypt(cipherJwk, artifact);
+```
+
+## Key wrapping flow
+
+```js
+import { generateKeyset, WrappingCluster, UnwrappingCluster } from "zeyra";
+
+const { cipherJwk, wrappingJwk, unwrappingJwk } = await generateKeyset();
+
+const wrapped = await WrappingCluster.wrap(wrappingJwk, cipherJwk);
+const unwrappedCipherJwk = await UnwrappingCluster.unwrap(
+  unwrappingJwk,
+  wrapped
+);
+```
+
+## HMAC flow
 
 ```js
-import { Bytes } from "bytecodec";
-import {
-  generateKeyset,
-  CipherAgent,
-  SigningAgent,
-  VerificationAgent,
-} from "zeyra";
-
-// One-time key material for a resource
-const { symmetricJwk, privateJwk, publicJwk } = await generateKeyset();
+import { generateHmacKey, HmacAgent } from "zeyra";
 
-// Writers: encrypt + sign
-const cipher = new CipherAgent(symmetricJwk);
-const signer = new SigningAgent(privateJwk);
-const payload = await cipher.encrypt(Bytes.fromString("hello world"));
-const signature = await signer.sign(payload.ciphertext);
+const hmacJwk = await generateHmacKey();
+const hmac = new HmacAgent(hmacJwk);
 
-// Readers / servers: verify ownership + decrypt
-const verifier = new VerificationAgent(publicJwk);
-const authorized = await verifier.verify(payload.ciphertext, signature);
-const plaintext = Bytes.toString(await cipher.decrypt(payload));
+const challenge = new TextEncoder().encode("hello world");
+const signature = await hmac.sign(challenge);
+const authorized = await hmac.verify(challenge, signature);
 ```
 
-## Managed cluster flow
+## PRF root key derivation
 
-```js
-import {
-  generateKeyset,
-  CipherCluster,
-  SigningCluster,
-  VerificationCluster,
-} from "zeyra";
-
-const { symmetricJwk, privateJwk, publicJwk } = await generateKeyset();
+Pass WebAuthn PRF results (from `assertion.getClientExtensionResults()?.prf?.results`) to derive HMAC + AES root keys.
 
-const resource = { id: "file-123", body: "hello world" };
-const artifact = await CipherCluster.encrypt(symmetricJwk, resource);
-const signature = await SigningCluster.sign(privateJwk, resource.id);
+```js
+import { deriveRootKeys } from "zeyra";
 
-// VerificationCluster is designed to run on a per-resource server node.
-const authorized = await VerificationCluster.verify(
-  publicJwk,
-  resource.id,
-  signature
-);
+const prfResults = assertion.getClientExtensionResults()?.prf?.results;
+const rootKeys = await deriveRootKeys(prfResults);
+if (!rootKeys) throw new Error("Missing PRF results");
 
-const decrypted = await CipherCluster.decrypt(symmetricJwk, artifact);
+const { hmacJwk, cipherJwk } = rootKeys;
 ```
 
 ## API
 
-- `generateKeyset()` -> `{ symmetricJwk, publicJwk, privateJwk }` (all exportable JWKs)
-- `new CipherAgent(symmetricJwk)`
+- `generateKeyset()` -> `{ cipherJwk, verificationJwk, signingJwk, wrappingJwk, unwrappingJwk, hmacJwk }`
+- `generateHmacKey()` -> `JsonWebKey` (HMAC SHA-256)
+- `generateCipherKey()` -> `JsonWebKey` (AES-GCM 256)
+- `generateSignPair()` -> `{ signingJwk, verificationJwk }` (ECDSA P-256)
+- `generateWrapPair()` -> `{ wrappingJwk, unwrappingJwk }` (RSA-OAEP 4096)
+- `deriveRootKeys(prfResults)` -> `{ hmacJwk, cipherJwk } | false`
+- `new CipherAgent(cipherJwk)`
   - `.encrypt(Uint8Array)` -> `{ iv: Uint8Array, ciphertext: ArrayBuffer }`
   - `.decrypt({ iv, ciphertext })` -> `Uint8Array`
-- `new SigningAgent(privateJwk)`
-  - `.sign(Uint8Array | ArrayBuffer)` -> `ArrayBuffer` (ECDSA P-256 / SHA-256)
-- `new VerificationAgent(publicJwk)`
-  - `.verify(Uint8Array | ArrayBuffer, ArrayBuffer)` -> `boolean`
-- `CipherCluster.encrypt(symmetricJwk, resource)`
-  - -> `{ digest, ciphertext, iv }` (all base64url strings; digest is SHA-256 of JSON bytes, pre-encryption, useful for version checks)
-- `CipherCluster.decrypt(symmetricJwk, artifact)`
-  - -> `{ digest, ...resource }` (resource object restored from compressed JSON)
-- `SigningCluster.sign(privateJwk, value)` -> `Base64URLString`
-- `VerificationCluster.verify(publicJwk, value, signature)` -> `boolean`
-
-See the implementations in `src/index.js` and friends for details.
-
-## Testing and benchmarks
-
-- Run tests: `npm test` (uses Node's built-in `node:test` runner against `test.js`)
-- Run microbenchmarks (skipped by default): `npm run bench`
-  - Pass iterations: `npm run bench -- --iterations=500`
-  - Reports ops/sec for encryption and the full encrypt/sign/verify/decrypt pipeline.
-
-## Notes
-
-- CipherCluster assumes one unique random key per resource (no derivations or shared usage).
-- Cluster classes are intended for client-side usage; `VerificationCluster`/`VerificationAgent` can be hosted per-resource to pre-verify access before downstream identity or ACL checks.
-- Cluster serialization uses JSON and adds a `digest` field; avoid using `digest` in resource objects.
-- WeakRef caching keeps memory usage loose and GC-friendly by design.
-
-## License
-
-MIT
+- `new HmacAgent(hmacJwk)`
+  - `.sign(BufferSource)` -> `ArrayBuffer` (HMAC SHA-256)
+  - `.verify(BufferSource, BufferSource)` -> `boolean`
+- `new SigningAgent(signingJwk)`
+  - `.sign(Uint8Array)` -> `ArrayBuffer` (ECDSA P-256 / SHA-256)
+- `new VerificationAgent(verificationJwk)`
+  - `.verify(Uint8Array, ArrayBuffer)` -> `boolean`
+- `new WrappingAgent(wrappingJwk)`
+  - `.wrap(cipherJwk)` -> `ArrayBuffer` (RSA-OAEP / SHA-256)
+- `new UnwrappingAgent(unwrappingJwk)`
+  - `.unwrap(ArrayBuffer)` -> `JsonWebKey`
+- `CipherCluster.encrypt(cipherJwk, resource)` -> `{ iv, ciphertext }`
+- `CipherCluster.decrypt(cipherJwk, artifact)` -> `resource`
+- `SigningCluster.sign(signingJwk, value)` -> `ArrayBuffer`
+- `VerificationCluster.verify(verificationJwk, value, signature)` -> `boolean`
+- `WrappingCluster.wrap(wrappingJwk, cipherJwk)` -> `ArrayBuffer`
+- `UnwrappingCluster.unwrap(unwrappingJwk, wrapped)` -> `JsonWebKey`
+
+## Serialization helpers
+
+Zeyra keeps clusters byte-oriented. Use `bytecodec` when you need to serialize or store artifacts.
+
+```js
+import { Bytes } from "bytecodec";
+
+const artifact = await CipherCluster.encrypt(cipherJwk, resource);
+const ciphertextB64 = Bytes.toBase64UrlString(
+  new Uint8Array(artifact.ciphertext)
+);
+const ivB64 = Bytes.toBase64UrlString(artifact.iv);
+```
+
+## Testing and benchmarks
+
+- Build: `npm run build` (outputs `dist/`)
+- Run tests: `npm test` (builds `dist/`, then runs `node --test`)
+- Run benchmarks: `npm run bench`
+  - Pass iterations: `npm run bench -- --iterations=500`
+
+## Benchmarks (local)
+
+Results will vary by hardware, runtime, and payload size. Run `npm run bench` to reproduce.
+
+- Node v22.14.0 (Windows), iterations=200
+  - encrypt only: 31.68ms (6313.6 ops/sec)
+  - hmac sign/verify: 40.48ms (4940.1 ops/sec)
+  - full pipeline: 122.61ms (1631.2 ops/sec)
+
+## Notes
+
+- Zeyra is intended for client-side encryption workflows; server/edge usage is supported where WebCrypto is available.
+- Cluster helpers cache keys with `WeakRef` and keep `CryptoKey` material private inside agents.
+- `CipherCluster` compresses JSON payloads before encryption; `SigningCluster`/`VerificationCluster` sign JSON values.
+
+## License
+
+MIT

package/dist/CipherAgent/class.d.ts

@@ -0,0 +1,13 @@
+export declare class CipherAgent {
+    private keyPromise;
+    constructor(cipherJwk: JsonWebKey);
+    encrypt(plaintext: Uint8Array): Promise<{
+        iv: Uint8Array;
+        ciphertext: ArrayBuffer;
+    }>;
+    decrypt({ iv, ciphertext, }: {
+        iv: Uint8Array<ArrayBufferLike>;
+        ciphertext: ArrayBuffer;
+    }): Promise<Uint8Array>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/CipherAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/CipherAgent/class.ts"],"names":[],"mappings":"AACA,qBAAa,WAAW;IACtB,OAAO,CAAC,UAAU,CAAqB;gBAC3B,SAAS,EAAE,UAAU;IAU3B,OAAO,CACX,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC;QAAE,EAAE,EAAE,UAAU,CAAC;QAAC,UAAU,EAAE,WAAW,CAAA;KAAE,CAAC;IAWjD,OAAO,CAAC,EACZ,EAAE,EACF,UAAU,GACX,EAAE;QACD,EAAE,EAAE,UAAU,CAAC,eAAe,CAAC,CAAC;QAChC,UAAU,EAAE,WAAW,CAAC;KACzB,GAAG,OAAO,CAAC,UAAU,CAAC;CASxB"}

package/dist/CipherAgent/class.js

@@ -0,0 +1,19 @@
+import { Bytes } from "bytecodec";
+export class CipherAgent {
+    keyPromise;
+    constructor(cipherJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", cipherJwk, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+    }
+    async encrypt(plaintext) {
+        const key = await this.keyPromise;
+        const iv = crypto.getRandomValues(new Uint8Array(12));
+        const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, Bytes.toBufferSource(plaintext));
+        return { iv, ciphertext };
+    }
+    async decrypt({ iv, ciphertext, }) {
+        const key = await this.keyPromise;
+        const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv: Bytes.toBufferSource(iv) }, key, ciphertext);
+        return new Uint8Array(plaintext);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/CipherAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/CipherAgent/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,MAAM,OAAO,WAAW;IACd,UAAU,CAAqB;IACvC,YAAY,SAAqB;QAC/B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,SAAS,EACT,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,SAAqB;QAErB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QACtD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,GAAG,EACH,KAAK,CAAC,cAAc,CAAC,SAAS,CAAC,CAChC,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EACZ,EAAE,EACF,UAAU,GAIX;QACC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC,EAAE,EACjD,GAAG,EACH,UAAU,CACX,CAAC;QACF,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;CACF"}

package/dist/CipherCluster/class.d.ts

@@ -0,0 +1,12 @@
+export declare class CipherCluster {
+    #private;
+    static encrypt(cipherJwk: JsonWebKey, resource: any): Promise<{
+        iv: Uint8Array;
+        ciphertext: ArrayBuffer;
+    }>;
+    static decrypt(cipherJwk: JsonWebKey, artifact: {
+        iv: Uint8Array;
+        ciphertext: ArrayBuffer;
+    }): Promise<any>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/CipherCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/CipherCluster/class.ts"],"names":[],"mappings":"AAGA,qBAAa,aAAa;;WAaX,OAAO,CAClB,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE,GAAG,GACZ,OAAO,CAAC;QAAE,EAAE,EAAE,UAAU,CAAC;QAAC,UAAU,EAAE,WAAW,CAAA;KAAE,CAAC;WAQ1C,OAAO,CAClB,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE;QAAE,EAAE,EAAE,UAAU,CAAC;QAAC,UAAU,EAAE,WAAW,CAAA;KAAE,GACpD,OAAO,CAAC,GAAG,CAAC;CAMhB"}

package/dist/CipherCluster/class.js

@@ -0,0 +1,27 @@
+import { Bytes } from "bytecodec";
+import { CipherAgent } from "../CipherAgent/class.js";
+export class CipherCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(cipherJwk) {
+        const weakRef = CipherCluster.#agents.get(cipherJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new CipherAgent(cipherJwk);
+            CipherCluster.#agents.set(cipherJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async encrypt(cipherJwk, resource) {
+        const agent = CipherCluster.#loadAgent(cipherJwk);
+        const bytes = Bytes.fromJSON(resource);
+        const compressed = await Bytes.toCompressed(bytes);
+        return await agent.encrypt(compressed);
+    }
+    static async decrypt(cipherJwk, artifact) {
+        const agent = CipherCluster.#loadAgent(cipherJwk);
+        const bytes = await agent.decrypt(artifact);
+        const decompressed = await Bytes.fromCompressed(bytes);
+        return Bytes.toJSON(decompressed);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/CipherCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/CipherCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD,MAAM,OAAO,aAAa;IACxB,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAAoC,CAAC;IAEjE,MAAM,CAAC,UAAU,CAAC,SAAqB;QACrC,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACrD,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,WAAW,CAAC,SAAS,CAAC,CAAC;YACnC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,OAAO,CAClB,SAAqB,EACrB,QAAa;QAEb,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEvC,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QACnD,OAAO,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,OAAO,CAClB,SAAqB,EACrB,QAAqD;QAErD,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QACvD,OAAO,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACpC,CAAC"}

package/dist/HmacAgent/class.d.ts

@@ -0,0 +1,7 @@
+export declare class HmacAgent {
+    private keyPromise;
+    constructor(hmacJwk: JsonWebKey);
+    sign(challenge: BufferSource): Promise<ArrayBuffer>;
+    verify(challenge: BufferSource, signature: BufferSource): Promise<boolean>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/HmacAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/HmacAgent/class.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAS;IACpB,OAAO,CAAC,UAAU,CAAqB;gBAE3B,OAAO,EAAE,UAAU;IAUzB,IAAI,CAAC,SAAS,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC;IAKnD,MAAM,CACV,SAAS,EAAE,YAAY,EACvB,SAAS,EAAE,YAAY,GACtB,OAAO,CAAC,OAAO,CAAC;CAIpB"}

package/dist/HmacAgent/class.js

@@ -0,0 +1,15 @@
+export class HmacAgent {
+    keyPromise;
+    constructor(hmacJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", hmacJwk, { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
+    }
+    async sign(challenge) {
+        const key = await this.keyPromise;
+        return crypto.subtle.sign("HMAC", key, challenge);
+    }
+    async verify(challenge, signature) {
+        const key = await this.keyPromise;
+        return crypto.subtle.verify("HMAC", key, signature, challenge);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/HmacAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/HmacAgent/class.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,SAAS;IACZ,UAAU,CAAqB;IAEvC,YAAY,OAAmB;QAC7B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,EACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,SAAuB;QAChC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,MAAM,CACV,SAAuB,EACvB,SAAuB;QAEvB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IACjE,CAAC;CACF"}

package/dist/SigningAgent/class.d.ts

@@ -0,0 +1,6 @@
+export declare class SigningAgent {
+    private keyPromise;
+    constructor(signingJwk: JsonWebKey);
+    sign(bytes: Uint8Array): Promise<ArrayBuffer>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/SigningAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/SigningAgent/class.ts"],"names":[],"mappings":"AACA,qBAAa,YAAY;IACvB,OAAO,CAAC,UAAU,CAAqB;gBAE3B,UAAU,EAAE,UAAU;IAU5B,IAAI,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC;CAQpD"}

package/dist/SigningAgent/class.js

@@ -0,0 +1,12 @@
+import { Bytes } from "bytecodec";
+export class SigningAgent {
+    keyPromise;
+    constructor(signingJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", signingJwk, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+    }
+    async sign(bytes) {
+        const key = await this.keyPromise;
+        return crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, key, Bytes.toBufferSource(bytes));
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/SigningAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/SigningAgent/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,MAAM,OAAO,YAAY;IACf,UAAU,CAAqB;IAEvC,YAAY,UAAsB;QAChC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,UAAU,EACV,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAiB;QAC1B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CACvB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,GAAG,EACH,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAC5B,CAAC;IACJ,CAAC;CACF"}

package/dist/SigningCluster/class.d.ts

@@ -0,0 +1,5 @@
+export declare class SigningCluster {
+    #private;
+    static sign(signingJwk: JsonWebKey, value: any): Promise<ArrayBuffer>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/SigningCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/SigningCluster/class.ts"],"names":[],"mappings":"AAGA,qBAAa,cAAc;;WAaZ,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC;CAK5E"}

package/dist/SigningCluster/class.js

@@ -0,0 +1,20 @@
+import { Bytes } from "bytecodec";
+import { SigningAgent } from "../SigningAgent/class.js";
+export class SigningCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(signingJwk) {
+        const weakRef = SigningCluster.#agents.get(signingJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new SigningAgent(signingJwk);
+            SigningCluster.#agents.set(signingJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async sign(signingJwk, value) {
+        const agent = SigningCluster.#loadAgent(signingJwk);
+        const bytes = Bytes.fromJSON(value);
+        return await agent.sign(bytes);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/SigningCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/SigningCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,MAAM,OAAO,cAAc;IACzB,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAAqC,CAAC;IAElE,MAAM,CAAC,UAAU,CAAC,UAAsB;QACtC,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACvD,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,CAAC;YACrC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,UAAsB,EAAE,KAAU;QAClD,MAAM,KAAK,GAAG,cAAc,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QACpD,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACpC,OAAO,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC"}

package/dist/UnwrappingAgent/class.d.ts

@@ -0,0 +1,6 @@
+export declare class UnwrappingAgent {
+    private keyPromise;
+    constructor(unwrappingJwk: JsonWebKey);
+    unwrap(wrapped: ArrayBuffer): Promise<JsonWebKey>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/UnwrappingAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/UnwrappingAgent/class.ts"],"names":[],"mappings":"AAAA,qBAAa,eAAe;IAC1B,OAAO,CAAC,UAAU,CAAqB;gBAC3B,aAAa,EAAE,UAAU;IAU/B,MAAM,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;CAexD"}

package/dist/UnwrappingAgent/class.js

@@ -0,0 +1,12 @@
+export class UnwrappingAgent {
+    keyPromise;
+    constructor(unwrappingJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", unwrappingJwk, { name: "RSA-OAEP", hash: "SHA-256" }, false, ["unwrapKey"]);
+    }
+    async unwrap(wrapped) {
+        const unwrappingKey = await this.keyPromise;
+        const aesKey = await crypto.subtle.unwrapKey("jwk", wrapped, unwrappingKey, { name: "RSA-OAEP" }, { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
+        return crypto.subtle.exportKey("jwk", aesKey);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/UnwrappingAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/UnwrappingAgent/class.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,eAAe;IAClB,UAAU,CAAqB;IACvC,YAAY,aAAyB;QACnC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,aAAa,EACb,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EACrC,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAoB;QAC/B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAE5C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1C,KAAK,EACL,OAAO,EACP,aAAa,EACb,EAAE,IAAI,EAAE,UAAU,EAAE,EACpB,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;QAEF,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;CACF"}

package/dist/UnwrappingCluster/class.d.ts

@@ -0,0 +1,5 @@
+export declare class UnwrappingCluster {
+    #private;
+    static unwrap(unwrappingJwk: JsonWebKey, wrapped: ArrayBuffer): Promise<JsonWebKey>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/UnwrappingCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/UnwrappingCluster/class.ts"],"names":[],"mappings":"AAEA,qBAAa,iBAAiB;;WAaf,MAAM,CACjB,aAAa,EAAE,UAAU,EACzB,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,UAAU,CAAC;CAIvB"}

package/dist/UnwrappingCluster/class.js

@@ -0,0 +1,18 @@
+import { UnwrappingAgent } from "../UnwrappingAgent/class.js";
+export class UnwrappingCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(unwrappingJwk) {
+        const weakRef = UnwrappingCluster.#agents.get(unwrappingJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new UnwrappingAgent(unwrappingJwk);
+            UnwrappingCluster.#agents.set(unwrappingJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async unwrap(unwrappingJwk, wrapped) {
+        const agent = UnwrappingCluster.#loadAgent(unwrappingJwk);
+        return await agent.unwrap(wrapped);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/UnwrappingCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/UnwrappingCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,OAAO,iBAAiB;IAC5B,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAAwC,CAAC;IAErE,MAAM,CAAC,UAAU,CAAC,aAAyB;QACzC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,eAAe,CAAC,aAAa,CAAC,CAAC;YAC3C,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CACjB,aAAyB,EACzB,OAAoB;QAEpB,MAAM,KAAK,GAAG,iBAAiB,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAC1D,OAAO,MAAM,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC"}

package/dist/VerificationAgent/class.d.ts

@@ -0,0 +1,6 @@
+export declare class VerificationAgent {
+    private keyPromise;
+    constructor(verificationJwk: JsonWebKey);
+    verify(bytes: Uint8Array, signature: ArrayBuffer): Promise<boolean>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/VerificationAgent/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/VerificationAgent/class.ts"],"names":[],"mappings":"AAEA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,UAAU,CAAqB;gBAE3B,eAAe,EAAE,UAAU;IAUjC,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC;CAS1E"}

package/dist/VerificationAgent/class.js

@@ -0,0 +1,12 @@
+import { Bytes } from "bytecodec";
+export class VerificationAgent {
+    keyPromise;
+    constructor(verificationJwk) {
+        this.keyPromise = crypto.subtle.importKey("jwk", verificationJwk, { name: "ECDSA", namedCurve: "P-256" }, false, ["verify"]);
+    }
+    async verify(bytes, signature) {
+        const key = await this.keyPromise;
+        return crypto.subtle.verify({ name: "ECDSA", hash: "SHA-256" }, key, signature, Bytes.toBufferSource(bytes));
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/VerificationAgent/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/VerificationAgent/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAElC,MAAM,OAAO,iBAAiB;IACpB,UAAU,CAAqB;IAEvC,YAAY,eAA2B;QACrC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,eAAe,EACf,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAiB,EAAE,SAAsB;QACpD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,GAAG,EACH,SAAS,EACT,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAC5B,CAAC;IACJ,CAAC;CACF"}

package/dist/VerificationCluster/class.d.ts

@@ -0,0 +1,5 @@
+export declare class VerificationCluster {
+    #private;
+    static verify(verificationJwk: JsonWebKey, value: any, signature: ArrayBuffer): Promise<boolean>;
+}
+//# sourceMappingURL=class.d.ts.map

package/dist/VerificationCluster/class.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.d.ts","sourceRoot":"","sources":["../../src/VerificationCluster/class.ts"],"names":[],"mappings":"AAGA,qBAAa,mBAAmB;;WAajB,MAAM,CACjB,eAAe,EAAE,UAAU,EAC3B,KAAK,EAAE,GAAG,EACV,SAAS,EAAE,WAAW,GACrB,OAAO,CAAC,OAAO,CAAC;CAKpB"}

package/dist/VerificationCluster/class.js

@@ -0,0 +1,20 @@
+import { Bytes } from "bytecodec";
+import { VerificationAgent } from "../VerificationAgent/class.js";
+export class VerificationCluster {
+    static #agents = new WeakMap();
+    static #loadAgent(verificationJwk) {
+        const weakRef = VerificationCluster.#agents.get(verificationJwk);
+        let agent = weakRef?.deref();
+        if (!agent) {
+            agent = new VerificationAgent(verificationJwk);
+            VerificationCluster.#agents.set(verificationJwk, new WeakRef(agent));
+        }
+        return agent;
+    }
+    static async verify(verificationJwk, value, signature) {
+        const agent = VerificationCluster.#loadAgent(verificationJwk);
+        const valueBytes = Bytes.fromJSON(value);
+        return await agent.verify(valueBytes, signature);
+    }
+}
+//# sourceMappingURL=class.js.map

package/dist/VerificationCluster/class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"class.js","sourceRoot":"","sources":["../../src/VerificationCluster/class.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAElE,MAAM,OAAO,mBAAmB;IAC9B,MAAM,CAAC,OAAO,GAAG,IAAI,OAAO,EAA0C,CAAC;IAEvE,MAAM,CAAC,UAAU,CAAC,eAA2B;QAC3C,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACjE,IAAI,KAAK,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;YAC/C,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CACjB,eAA2B,EAC3B,KAAU,EACV,SAAsB;QAEtB,MAAM,KAAK,GAAG,mBAAmB,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;QAC9D,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACzC,OAAO,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IACnD,CAAC"}

package/dist/WrappingAgent/class.d.ts

@@ -0,0 +1,6 @@
+export declare class WrappingAgent {
+    private keyPromise;
+    constructor(wrappingJwk: JsonWebKey);
+    wrap(cipherJwk: JsonWebKey): Promise<ArrayBuffer>;
+}
+//# sourceMappingURL=class.d.ts.map