@uuaid/vault
v0.1.0
Published
UUAID Agent Memory Vault envelope — client-side encryption (AES-256-GCM) with hybrid post-quantum recipient mode (X25519 + ML-KEM-768). Ciphertext-only leaves the client.
Downloads
213
Maintainers
Readme
@uuaid/vault
Client-side encryption for the UUAID Agent Memory Vault — the envelope format that lets an AI agent keep encrypted, quantum-ready memory with UUAID or anywhere else. Plaintext and keys never leave your process.
import { generateVaultKey, encryptItem, decryptItemText } from "@uuaid/vault";
const vaultKey = generateVaultKey(); // uvk_… — keep it secret
const aad = `${agentUuaid}/memories/first`; // binds the slot (anti-swap)
const envelope = encryptItem(vaultKey, "The harbor at dusk.", { aad });
// … store envelope anywhere (UUAID vault, S3, a file) …
const text = decryptItemText(vaultKey, envelope, { aad });Modes
- symmetric — AES-256-GCM with per-item keys derived from your vault key via HKDF-SHA256 (fresh salt + nonce per item).
- hybrid-pq — encrypt to an agent's public bundle. The shared secret is HKDF(X25519 ⊕ ML-KEM-768): an attacker must break both the classical and the post-quantum half.
import { generateRecipientKeypair, encryptForRecipient, decryptAsRecipientText } from "@uuaid/vault";
const kp = generateRecipientKeypair(); // uvpk_… (share) / uvsk_… (secret)
const env = encryptForRecipient(kp.publicBundle, "for future-me only");
const back = decryptAsRecipientText(kp.secretBundle, env);The envelope
A small JSON object with explicit algorithm identifiers (crypto-agile — the AEAD/KDF/KEM can rotate without a format break):
{ "v": 1, "mode": "symmetric", "aead": "aes-256-gcm", "kdf": "hkdf-sha256",
"salt": "…", "nonce": "…", "aad": "<agent>/<slot>", "ct": "…" }Its RFC 8785 (JCS) content hash is what the UUAID service writes into its hash-chained ledger and anchors on Polygon — integrity proof without disclosure.
Built on the audited noble cryptography libraries. Works in Node ≥ 18 and modern browsers. Apache-2.0.
