@thecrossroads42/crypto-client

The client-side-encryption integration layer for The Crossroads, built on the audit kit @thecrossroads42/crypto. The kit is the frozen primitives (AES-GCM record envelope + Argon2id passphrase / device / managed key tiers); this package is the thin glue that wires them to a real account: value / visit / longitudinal encrypt-decrypt and the keyring's server / storage / session backends.

It is the same code the app and the terminal client run, published so it can be audited and reused.

Use

import * as enc from '@thecrossroads42/crypto-client';

// Wire it once: how to reach the server + identify the user.
enc.configure({
  baseUrl: 'https://thecrossroads.to',
  getAuthHeader: () => ({ Authorization: `Bearer ${token}` }),
  getUserId: () => userId,
  // storage / sessionStore default to in-memory; inject persistent ones in a browser.
});

// Passphrase tier: unlock with the user's passphrase (never sent to the server).
await enc.keyring.unlock(userId, { passphrase });

const wire  = await enc.encryptVisitUpdate(visitId, updates); // for PUT /visits/:id
const visit = await enc.decryptVisit(await fetchVisit(id));   // from GET /visits/:id

configure(cfg) accepts: getUserId (required), baseUrl, getAuthHeader, onAuthExpired, and optional recordBackend / storage / sessionStore overrides (the keyring's injectable backends).

Verify

npm install
node verify.mjs   # provision + unlock a passphrase account, round-trip a value/array/visit

Requires Node ≥ 20. The only runtime dependency is @thecrossroads42/crypto (which brings @noble/hashes).

Source

This is the published copy of code developed in The Crossroads' private repository and mirrored here. Please open issues at github.com/thecrossroads42/theCrossroads rather than sending pull requests against this copy.