Vault

The vault stores all passports and audit entries encrypted at rest. Encryption uses AES-256-GCM with keys derived via Scrypt (N=16384, r=8, p=1). The vault file lives at ~/.id-wispera/vault.json by default.

Factory Functions

`initVault(passphrase, storagePath?)`

Create a new vault. Generates a random 32-byte salt and derives an encryption key via Scrypt.

passphrase

string

required

Passphrase to derive the encryption key. Minimum 8 characters.

storagePath

string

File path for the vault. Defaults to ~/.id-wispera/vault.json.

Returns: Promise<Vault>

import { initVault } from '@id-wispera/core';

const vault = await initVault('my-secure-passphrase');

`unlockVault(passphrase, storagePath?)`

Unlock an existing vault by re-deriving the encryption key from the passphrase. Returns: Promise<Vault>

import { unlockVault } from '@id-wispera/core';

const vault = await unlockVault('my-secure-passphrase');

`lockVault(vault)`

Lock a vault instance, clearing the derived key from memory.

`vaultExists(storagePath?)`

Check whether a vault file exists at the given path. Returns: Promise<boolean>

`getDefaultVaultPath()`

Returns ~/.id-wispera/vault.json (expanded).

`migrateVault(passphrase, vaultPath?)`

Migrate a v1 vault (PBKDF2-SHA256) to v2 (Scrypt). Decrypts with old KDF, re-encrypts with new KDF. Returns: Promise<{ migrated: boolean; fromVersion: number; toVersion: number }>

Vault Class

`vault.isUnlocked`

boolean — Whether the vault is currently unlocked.

`vault.storePassport(passport)`

Store a passport in the encrypted vault.

`vault.retrievePassport(id)`

Retrieve a passport by ID. Returns null if not found.

`vault.deletePassport(id)`

Remove a passport from the vault. Returns true if found and deleted.

`vault.getAllPassports()`

Returns all passports in the vault. Returns: Promise<Passport[]>

`vault.addAuditEntry(entry)`

Append an audit entry to the encrypted audit log.

`vault.getAuditLog(passportId?)`

Retrieve audit entries, optionally filtered by passport ID.

`vault.exportVault(format)`

Export vault contents as JSON or CSV.

format

'json' | 'csv'

required

Export format.

Storage Backends

The vault supports pluggable storage:

FileSystemStorageBackend — Default. Reads/writes to disk.
MemoryStorageBackend — In-memory only. Useful for testing.

Constants

Constant	Value	Description
`SCRYPT_PARAMS.N`	16384	Scrypt CPU/memory cost
`SCRYPT_PARAMS.r`	8	Block size
`SCRYPT_PARAMS.p`	1	Parallelization
`SCRYPT_PARAMS.keyLen`	32	Derived key length (bytes)

SDK Reference

​Vault

​Factory Functions

​initVault(passphrase, storagePath?)

​unlockVault(passphrase, storagePath?)

​lockVault(vault)

​vaultExists(storagePath?)

​getDefaultVaultPath()

​migrateVault(passphrase, vaultPath?)

​Vault Class

​vault.isUnlocked

​vault.storePassport(passport)

​vault.retrievePassport(id)

​vault.deletePassport(id)

​vault.getAllPassports()

​vault.addAuditEntry(entry)

​vault.getAuditLog(passportId?)

​vault.exportVault(format)

​Storage Backends

​Constants