Original .lve file bytes (ArrayBuffer).
Existing authorized credential + the new credential to add.
Updated .lve bytes with the new recipient appended to the header.
LveInvalidFormatError if the bytes are not a valid .lve file.
LveUnsupportedVersionError if the format version is not supported.
LveWrongCredentialError if existingCredentialId is not in the
recipient list, or its PRF output fails to unwrap the DEK.
// Alice (existing) adds Bob (new) to a shared file
const aliceAuth = await authenticateWithPrf({ rpId, fileId: meta.fileId });
const bobReg = await registerCredential({ rpId });
const updatedBytes = await addAuthorizedCredential(lveBytes, {
existingCredentialId: aliceAuth.credentialId,
existingPrfOutput: aliceAuth.prfOutput,
newCredentialId: bobReg.credentialId,
newPrfOutput: bobReg.prfOutput,
});
Authorizes an additional passkey to open an existing
.lvefile.Uses the existing credential's PRF output to unwrap the DEK, then re-wraps it under a freshly derived KEK for the new credential. The payload is not re-encrypted — only the header recipient list grows.