packages/shade-storage-encrypted/src/index.browser.ts

/**
 * Default barrel resolved by bundlers under the `browser` condition.
 *
 * Excludes `EncryptedSQLiteStorage` (pulls `bun:sqlite`) and
 * `EncryptedPostgresStorage` (pulls `postgres`). Browser apps can keep using
 * `import { KeyManager } from '@shade/storage-encrypted'` — Vite/webpack will
 * pick this file via the `browser` condition and produce a clean bundle.
 *
 * Node/Bun consumers continue to resolve to `./index.js`, which exposes the
 * full surface area (back-compat).
 */

export * from './crypto.js';
export { EncryptedIndexedDBStorage } from './storage/encrypted-indexeddb.js';
release(v4.5.0): browser-side encrypted storage + multi-factor unlock Adds the foundations Prism's web client (and any future browser-based Shade app) needs: at-rest-encrypted IndexedDB storage that mirrors the SQLite backend byte-for-byte at the AAD/nonce level, browser-safe subpath imports so Vite/webpack/esbuild stop hitting bun:sqlite, and KeyManager support for argon2id and N-factor composite unlock. @shade/storage-encrypted - EncryptedIndexedDBStorage (subpath: /idb) — full StorageProvider using one object store per _enc table; reuses aeadSeal/aeadOpen + row-codec sealers so a row sealed under the SQLite or Postgres backend decrypts under IDB given the same KeyManager. bumpPeerIdentityVersion is atomic under one IDB transaction. - KeyManager argon2id source — memory-hard KDF for low-entropy secrets (PINs). Backed by @noble/hashes/argon2 (already a transitive dep). DEFAULT_ARGON2ID exported (m=64 MiB, t=3, p=1). - KeyManager composite source — HKDF-combine N sub-sources into one master. Every source mandatory; order significant by design; composite-of-composite rejected; optional info string for app-level domain separation. - Subpath exports (/crypto, /sqlite, /postgres, /idb) plus a `browser` condition on the default import that resolves to a barrel excluding the Bun- and Postgres-specific entries. Browser bundles no longer pull bun:sqlite transitively. Tests - 73 tests in shade-storage-encrypted (was 31). New coverage: argon2id determinism + reject paths, composite same-factors → same master, wrong-PIN/passphrase/order-swap → different master, info domain separation, all 28 StorageProvider methods on EncryptedIndexedDBStorage, fingerprint-mismatch rejection, and cross-impl roundtrip with EncryptedSQLiteStorage proving the AAD/ nonce derivation is implementation-agnostic. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-07 10:58:49 +02:00			`/**`
			* Default barrel resolved by bundlers under the `browser` condition.
			`*`
			* Excludes `EncryptedSQLiteStorage` (pulls `bun:sqlite`) and
			* `EncryptedPostgresStorage` (pulls `postgres`). Browser apps can keep using
			* `import { KeyManager } from '@shade/storage-encrypted'` — Vite/webpack will
			* pick this file via the `browser` condition and produce a clean bundle.
			`*`
			* Node/Bun consumers continue to resolve to `./index.js`, which exposes the
			`* full surface area (back-compat).`
			`*/`

			`export * from './crypto.js';`
			`export { EncryptedIndexedDBStorage } from './storage/encrypted-indexeddb.js';`