noxy-sdk 2.0.1

Decision Layer SDK for AI agents. Encrypted actionable decisions over gRPC.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

//! AES-256-GCM encryption with HKDF key derivation.

use aes_gcm::{
    aead::{Aead, KeyInit, OsRng},
    Aes256Gcm,
};
use hkdf::Hkdf;
use rand::RngCore;
use sha2::Sha256;

/// Encrypt plaintext with AES-256-GCM using a key derived from the shared secret via HKDF.
/// Returns (ciphertext_with_auth_tag, nonce). The auth tag (16 bytes) is appended to ciphertext.
pub fn encrypt(shared_secret: &[u8], plaintext: &[u8]) -> Result<(Vec<u8>, Vec<u8>), CryptoError> {
    let hk = Hkdf::<Sha256>::new(None, shared_secret);
    let mut key = [0u8; 32];
    hk.expand(b"", &mut key).map_err(|_| CryptoError::Hkdf)?;

    let cipher = Aes256Gcm::new_from_slice(&key).map_err(|_| CryptoError::Key)?;
    let mut nonce = [0u8; 12];
    OsRng.fill_bytes(&mut nonce);

    let ciphertext = cipher
        .encrypt(&nonce.into(), plaintext)
        .map_err(|_| CryptoError::Encrypt)?;

    Ok((ciphertext, nonce.to_vec()))
}

#[derive(Debug)]
pub enum CryptoError {
    Hkdf,
    Key,
    Encrypt,
}

impl std::fmt::Display for CryptoError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            CryptoError::Hkdf => write!(f, "HKDF error"),
            CryptoError::Key => write!(f, "Invalid key"),
            CryptoError::Encrypt => write!(f, "Encryption failed"),
        }
    }
}

impl std::error::Error for CryptoError {}