@lindorm/aes 0.7.0 → 0.7.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lindorm/aes",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "license": "AGPL-3.0-or-later",
   "author": "Jonn Nilsson",
   "repository": {
@@ -11,6 +11,9 @@
   "publishConfig": {
     "access": "public"
   },
+  "files": [
+    "dist"
+  ],
   "type": "module",
   "typings": "dist/index.d.ts",
   "exports": {
@@ -41,16 +44,16 @@
     "verify": "npm run typecheck && npm run build && npm test"
   },
   "dependencies": {
-    "@lindorm/b64": "^0.2.0",
-    "@lindorm/errors": "^0.2.0",
-    "@lindorm/is": "^0.2.0",
-    "@lindorm/kryptos": "^0.8.0",
-    "@lindorm/types": "^0.6.0",
-    "@lindorm/utils": "^0.8.0"
+    "@lindorm/b64": "^0.2.1",
+    "@lindorm/errors": "^0.2.2",
+    "@lindorm/is": "^0.2.2",
+    "@lindorm/kryptos": "^0.8.2",
+    "@lindorm/types": "^0.7.0",
+    "@lindorm/utils": "^0.8.2"
   },
   "devDependencies": {
     "@noble/ciphers": "^2.1.1",
     "jose": "^6.2.1"
   },
-  "gitHead": "a2b0a53295aebda806b4057f34707e8583570265"
+  "gitHead": "ed9df662f3b73a3d773027b5acdfe128ff3dc140"
 }

package/CHANGELOG.md

@@ -1,176 +0,0 @@
-# Change Log
-
-All notable changes to this project will be documented in this file.
-See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
-
-# [0.7.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.6.5...@lindorm/aes@0.7.0) (2026-05-02)
-
-### Bug Fixes
-
-- **aes:** mark type-only imports in **tests** ([23ade84](https://github.com/lindorm-io/monorepo/commit/23ade8444b945be2eed225f1c8587b60a32d530a))
-- **aes:** use IKryptos interface for fixture helper return type ([42d1a28](https://github.com/lindorm-io/monorepo/commit/42d1a287d69977b6f2f39782910a5d45dffdbfdb))
-
-### Features
-
-- migrate 20 packages from jest to vitest ([d8bfda8](https://github.com/lindorm-io/monorepo/commit/d8bfda8854dc1cb9537ba0b3e47ec4e4c7bded08))
-
-## [0.6.5](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.6.4...@lindorm/aes@0.6.5) (2026-04-19)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.6.4](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.6.3...@lindorm/aes@0.6.4) (2026-04-15)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.6.3](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.6.2...@lindorm/aes@0.6.3) (2026-04-01)
-
-### Bug Fixes
-
-- **aes,amphora:** use relative imports for test fixtures ([5ebc484](https://github.com/lindorm-io/monorepo/commit/5ebc484e7dd664b85f40a57db0057364e8883ce9))
-
-## [0.6.2](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.6.1...@lindorm/aes@0.6.2) (2026-03-13)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.6.1](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.6.0...@lindorm/aes@0.6.1) (2026-03-13)
-
-**Note:** Version bump only for package @lindorm/aes
-
-# [0.6.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.5...@lindorm/aes@0.6.0) (2026-02-17)
-
-### Bug Fixes
-
-- **aes:** add buffer boundary validation in encoded string parser ([579e8f7](https://github.com/lindorm-io/monorepo/commit/579e8f7eb40570f978cd52d1f87f7f8570474d6d))
-- **aes:** add GCM auth tag enforcement and key-wrap input validation ([1a8fd3c](https://github.com/lindorm-io/monorepo/commit/1a8fd3cb6f83cf59a3089a777fba4c8b7f1828fb))
-- **aes:** add missing @lindorm/utils dependency ([6d0ee2a](https://github.com/lindorm-io/monorepo/commit/6d0ee2ae68f91fb9eb04529c96e05ff1d843dfd0))
-- **aes:** make CBC HMAC auth tag compliant with RFC 7518 ([7877022](https://github.com/lindorm-io/monorepo/commit/7877022bebdf902ff13996b1032a991356f3760c))
-- **aes:** make PBES2 salt compliant with RFC 7518 ([2693afa](https://github.com/lindorm-io/monorepo/commit/2693afa88db535aeaff7fd5537885dd3a45bc09a))
-- **aes:** make verify/assert work with non-string content ([aa94c66](https://github.com/lindorm-io/monorepo/commit/aa94c66511326f70fdfc0245ce12953025aa4236))
-- **aes:** remove unnecessary g flag from tokenised regex ([5a989b1](https://github.com/lindorm-io/monorepo/commit/5a989b1d96b025b3180339294e8ea072d215c7d3))
-- **aes:** replace generic Error with AesError in all locations ([ff7a08d](https://github.com/lindorm-io/monorepo/commit/ff7a08d55e9b39755e059e31e99fb45b687bdde2))
-- **aes:** use Concat KDF per RFC 7518 for ECDH-ES key agreement ([8e92b8f](https://github.com/lindorm-io/monorepo/commit/8e92b8f60ee46c99f0c66af244fd1e7648130a9c))
-- **aes:** use crypto.randomInt for PBKDF2 iterations, fix RSA test fixture ([a5457aa](https://github.com/lindorm-io/monorepo/commit/a5457aa5973e4eab662dbc6e62c9470f7d6fabf2))
-- **aes:** use oct keys directly for AES key wrap per RFC 7518 ([c65ca49](https://github.com/lindorm-io/monorepo/commit/c65ca49d758f21e868e96512a96fc8df0559947e))
-- **aes:** use timingSafeEqual for ECB key unwrap integrity check ([dd27a65](https://github.com/lindorm-io/monorepo/commit/dd27a65c84eed068d6e9e5de34d0eaca6cda67fc))
-- **aes:** use timingSafeEqual for HMAC auth tag verification ([757bef5](https://github.com/lindorm-io/monorepo/commit/757bef5657a6d1366c222c9205a8f4cfe563e77d))
-- **lint:** add missing eslint-config-prettier and fix prettier formatting ([6899e39](https://github.com/lindorm-io/monorepo/commit/6899e39ad7700e373173b0a61b429b5536c13934))
-- **lint:** resolve eslint warnings and errors ([210ef3c](https://github.com/lindorm-io/monorepo/commit/210ef3c91c82521c4cec57bc2256324ba9c3f45a))
-
-### Features
-
-- **aes:** accept optional AAD parameter for authenticated encryption ([011b67f](https://github.com/lindorm-io/monorepo/commit/011b67fb8ba18a361e2c31fd0e78298a89f89cd2))
-- **aes:** add prepareEncryption() for two-step JWE-compliant encryption ([56b3c54](https://github.com/lindorm-io/monorepo/commit/56b3c5435722b2b94f05d6483c7651ccdd5ea9dd))
-- **aes:** rewrite formats with unified model and always-on AAD ([bc1da71](https://github.com/lindorm-io/monorepo/commit/bc1da719d5ee5ee151d9220e6e738a9431e036b6))
-
-## [0.5.5](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.4...@lindorm/aes@0.5.5) (2025-09-18)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.5.4](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.3...@lindorm/aes@0.5.4) (2025-07-19)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.5.3](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.2...@lindorm/aes@0.5.3) (2025-07-12)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.5.2](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.1...@lindorm/aes@0.5.2) (2025-07-10)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.5.1](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.0...@lindorm/aes@0.5.1) (2025-07-02)
-
-### Bug Fixes
-
-- amend bug in aes utility ([7437e8e](https://github.com/lindorm-io/monorepo/commit/7437e8e0f047bb0995b8a8c0e6929c9cc368d592))
-
-# [0.5.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.4.2...@lindorm/aes@0.5.0) (2025-06-17)
-
-### Bug Fixes
-
-- align with kryptos changes ([3f934a4](https://github.com/lindorm-io/monorepo/commit/3f934a4ec55eee3d4ebc6f0be55886d8f095af8b))
-- align with kryptos changes ([206eb38](https://github.com/lindorm-io/monorepo/commit/206eb38ae2a03b14973e706035c87a953cc753af))
-- improve and expose aes parsing ([ec6f271](https://github.com/lindorm-io/monorepo/commit/ec6f27179ec3d67146a50257cbff98fe253c3380))
-- improve types ([f6ce002](https://github.com/lindorm-io/monorepo/commit/f6ce002e8555c54ba4f12bd67222457fa2bcf90a))
-- update try catch ([7ebebe8](https://github.com/lindorm-io/monorepo/commit/7ebebe81f40851b0d1fcb05e6e6cc60b1c754a91))
-
-### Features
-
-- add content type to aes data ([dfb3285](https://github.com/lindorm-io/monorepo/commit/dfb3285ddf20bc77cf8f3d2531e26032853b98a9))
-
-## [0.4.2](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.4.1...@lindorm/aes@0.4.2) (2025-01-28)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.4.1](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.4.0...@lindorm/aes@0.4.1) (2024-10-12)
-
-**Note:** Version bump only for package @lindorm/aes
-
-# [0.4.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.3.3...@lindorm/aes@0.4.0) (2024-10-09)
-
-### Bug Fixes
-
-- move content to end of encoded array so that it can be any size ([b053924](https://github.com/lindorm-io/monorepo/commit/b05392484342976f519b32f943aac41271761df4))
-
-### Features
-
-- add automatic b64 encoding ([f3ac64e](https://github.com/lindorm-io/monorepo/commit/f3ac64e7922528b1afe0f0acbc52b62aa7003d2d))
-- rename modes and add encoded ([b8c9d4c](https://github.com/lindorm-io/monorepo/commit/b8c9d4c26a069444fa7bff5a809308cecff971ef))
-
-## [0.3.3](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.3.2...@lindorm/aes@0.3.3) (2024-09-25)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.3.2](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.3.1...@lindorm/aes@0.3.2) (2024-09-23)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.3.1](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.3.0...@lindorm/aes@0.3.1) (2024-09-20)
-
-**Note:** Version bump only for package @lindorm/aes
-
-# [0.3.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.2.0...@lindorm/aes@0.3.0) (2024-05-20)
-
-### Features
-
-- add gcm keywrap ([8eefa5d](https://github.com/lindorm-io/monorepo/commit/8eefa5dd2914faba842c0a050a9317d2b6f5b197))
-
-# [0.2.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.1.3...@lindorm/aes@0.2.0) (2024-05-19)
-
-### Bug Fixes
-
-- align curves to kryptos ([b9288a5](https://github.com/lindorm-io/monorepo/commit/b9288a54b6dbb520328aff77cd3c8d2818183ac5))
-- align with kryptos changes ([344c4e2](https://github.com/lindorm-io/monorepo/commit/344c4e2fad07e66c91f7e0820bfc929c1f8ffcab))
-- improve kryptos generate method ([9e7098d](https://github.com/lindorm-io/monorepo/commit/9e7098d4b219b11140e28e554ffd573204772249))
-- remove private key encryption ([be54916](https://github.com/lindorm-io/monorepo/commit/be54916a20de667e96826d6be0eb8d0fda67176e))
-- remove unnecessary code ([e44a056](https://github.com/lindorm-io/monorepo/commit/e44a0565e577fc23a827c9283839684c1e40d287))
-- rename interfaces ([3b1f457](https://github.com/lindorm-io/monorepo/commit/3b1f45736f88b8c2d4481cbeca6da87bf8443bde))
-- simplify interfaces with kryptos metadata ([c4075d2](https://github.com/lindorm-io/monorepo/commit/c4075d2e133c2fe0a1fafa548da68db34b3407c6))
-- use pbkdf2 key derivation for oct ([d068947](https://github.com/lindorm-io/monorepo/commit/d068947f70712fb71f57d5ec6947062219200155))
-
-### Features
-
-- add okp encryption and clean up ec encryption ([4d3cbab](https://github.com/lindorm-io/monorepo/commit/4d3cbabe1968ab7f8a9ecc8e226ce91403342f0f))
-- implement missing encryption types ([c94b538](https://github.com/lindorm-io/monorepo/commit/c94b53823fcb7a24823b25535b83799f2bbdd250))
-- refine and improve oct encryption ([99db5a2](https://github.com/lindorm-io/monorepo/commit/99db5a290b7a081ab80c3811bcc04021e1ac9b4e))
-- use pbkdf with short oct keys ([d1d8e5e](https://github.com/lindorm-io/monorepo/commit/d1d8e5ea6dcac24b1b1402e841777a0affefcfff))
-
-## [0.1.3](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.1.2...@lindorm/aes@0.1.3) (2024-05-12)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.1.2](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.1.1...@lindorm/aes@0.1.2) (2024-05-11)
-
-**Note:** Version bump only for package @lindorm/aes
-
-## [0.1.1](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.1.0...@lindorm/aes@0.1.1) (2024-05-11)
-
-### Bug Fixes
-
-- amend wrong export path and rename ([87e6dd1](https://github.com/lindorm-io/monorepo/commit/87e6dd12057fe35c1c0b26a327a098015f041b44))
-
-# 0.1.0 (2024-05-11)
-
-### Features
-
-- implement aes package ([4267f1f](https://github.com/lindorm-io/monorepo/commit/4267f1f2b368bcc42181f274872793897347e539))

package/MERMAID.md

@@ -1,155 +0,0 @@
-# Mermaid Diagram
-
-```mermaid
-
-  graph TB
-      subgraph "External Dependencies"
-          KRYPTOS["@lindorm/kryptos<br/>(Key Management)"]
-          B64["@lindorm/b64<br/>(Base64 Encoding)"]
-          IS["@lindorm/is<br/>(Type Guards)"]
-          ERRORS["@lindorm/errors<br/>(Error Handling)"]
-      end
-
-      subgraph "Public API"
-          AESKIT["AesKit Class<br/>Main Entry Point"]
-          PARSE["parseAes()<br/>Parse any format"]
-          ISAES["isAesTokenised()<br/>Type checking"]
-      end
-
-      subgraph "Encryption Flow"
-          ENCRYPT["encrypt(data, mode)"]
-          GET_ENC_KEY["getEncryptionKey()"]
-
-          subgraph "Key Type Routing"
-              EC_ENC["EC Keys<br/>(Elliptic Curve)"]
-              OKP_ENC["OKP Keys<br/>(Edwards Curve)"]
-              OCT_ENC["oct Keys<br/>(Symmetric)"]
-              RSA_ENC["RSA Keys"]
-          end
-
-          subgraph "Key Derivation Methods"
-              DIR["Direct Key<br/>(dir)"]
-              ECDH["ECDH-ES<br/>(Diffie-Hellman)"]
-              KEYWRAP["Key Wrap<br/>(AES-KW/GCM)"]
-              PBKDF["PBKDF2<br/>(Password-based)"]
-          end
-
-          CEK["Content Encryption Key<br/>(Split into encKey + hashKey)"]
-          AES_CIPHER["Node crypto.createCipheriv()<br/>(AES-128/192/256-CBC/GCM)"]
-          AUTH_TAG["Generate Auth Tag<br/>(GCM or HMAC)"]
-
-          subgraph "Output Modes"
-              ENCODED["Encoded<br/>(base64 string)"]
-              RECORD["Record<br/>(Buffer objects)"]
-              SERIALISED["Serialised<br/>(JSON-safe strings)"]
-              TOKENISED["Tokenised<br/>($enc$params$content$)"]
-          end
-      end
-
-      subgraph "Decryption Flow"
-          DECRYPT["decrypt(data)"]
-          PARSE_INPUT["Parse Input<br/>(parseAes)"]
-          GET_DEC_KEY["getDecryptionKey()"]
-
-          subgraph "Key Type Decryption"
-              EC_DEC["EC Keys"]
-              OKP_DEC["OKP Keys"]
-              OCT_DEC["oct Keys"]
-              RSA_DEC["RSA Keys"]
-          end
-
-          CEK_DEC["Content Encryption Key"]
-          AES_DECIPHER["Node crypto.createDecipheriv()"]
-          VERIFY_TAG["Verify Auth Tag"]
-          PARSE_CONTENT["Parse Content<br/>(by contentType)"]
-      end
-
-      subgraph "Data Types"
-          CONTENT["AesContent<br/>string | Buffer | object | array | number"]
-          CONTENT_TYPE["AesContentType<br/>text/plain | application/json | application/octet-stream"]
-      end
-
-      subgraph "Encryption Metadata"
-          RECORD_TYPE["AesEncryptionRecord<br/>• algorithm<br/>• encryption<br/>• keyId<br/>• content<br/>•
-  authTag<br/>• IV<br/>• contentType<br/>• pbkdfSalt/Iterations<br/>• publicEncryptionKey/Jwk"]
-      end
-
-      %% Main flow connections
-      AESKIT --> ENCRYPT
-      AESKIT --> DECRYPT
-      AESKIT --> KRYPTOS
-
-      ENCRYPT --> CONTENT
-      ENCRYPT --> GET_ENC_KEY
-      GET_ENC_KEY --> KRYPTOS
-
-      GET_ENC_KEY --> EC_ENC
-      GET_ENC_KEY --> OKP_ENC
-      GET_ENC_KEY --> OCT_ENC
-      GET_ENC_KEY --> RSA_ENC
-
-      EC_ENC --> ECDH
-      EC_ENC --> KEYWRAP
-      OKP_ENC --> ECDH
-      OKP_ENC --> KEYWRAP
-      OCT_ENC --> DIR
-      OCT_ENC --> KEYWRAP
-      OCT_ENC --> PBKDF
-      RSA_ENC --> KEYWRAP
-
-      ECDH --> CEK
-      KEYWRAP --> CEK
-      PBKDF --> CEK
-      DIR --> CEK
-
-      CEK --> AES_CIPHER
-      CONTENT --> AES_CIPHER
-      AES_CIPHER --> AUTH_TAG
-
-      AUTH_TAG --> RECORD_TYPE
-
-      RECORD_TYPE --> ENCODED
-      RECORD_TYPE --> RECORD
-      RECORD_TYPE --> SERIALISED
-      RECORD_TYPE --> TOKENISED
-
-      %% Decryption flow
-      DECRYPT --> PARSE_INPUT
-      PARSE_INPUT --> ENCODED
-      PARSE_INPUT --> RECORD
-      PARSE_INPUT --> SERIALISED
-      PARSE_INPUT --> TOKENISED
-
-      PARSE_INPUT --> GET_DEC_KEY
-      GET_DEC_KEY --> KRYPTOS
-
-      GET_DEC_KEY --> EC_DEC
-      GET_DEC_KEY --> OKP_DEC
-      GET_DEC_KEY --> OCT_DEC
-      GET_DEC_KEY --> RSA_DEC
-
-      EC_DEC --> CEK_DEC
-      OKP_DEC --> CEK_DEC
-      OCT_DEC --> CEK_DEC
-      RSA_DEC --> CEK_DEC
-
-      CEK_DEC --> AES_DECIPHER
-      RECORD_TYPE --> AES_DECIPHER
-      AES_DECIPHER --> VERIFY_TAG
-      VERIFY_TAG --> PARSE_CONTENT
-      PARSE_CONTENT --> CONTENT_TYPE
-
-      %% Utility connections
-      B64 --> ENCODED
-      B64 --> TOKENISED
-      B64 --> SERIALISED
-      IS --> PARSE_INPUT
-      ERRORS --> AESKIT
-
-      style AESKIT fill:#4a90e2,stroke:#2e5c8a,color:#fff
-      style ENCRYPT fill:#50c878,stroke:#2d7a4a,color:#fff
-      style DECRYPT fill:#e27d60,stroke:#a85a43,color:#fff
-      style KRYPTOS fill:#9b59b6,stroke:#6c3a8a,color:#fff
-      style CEK fill:#f39c12,stroke:#b87a0a,color:#fff
-      style CEK_DEC fill:#f39c12,stroke:#b87a0a,color:#fff
-```

package/__tests__/INTEROP-RESULTS.md

@@ -1,66 +0,0 @@
-# AES Interop Test Results
-
-## Summary
-
-All 59 interop tests pass. Zero divergences found between `@lindorm/aes`,
-`@noble/ciphers`, and `jose`.
-
-| Suite         | Tests  | Pass   | Fail  | Skip  |
-| ------------- | ------ | ------ | ----- | ----- |
-| noble-ciphers | 21     | 21     | 0     | 0     |
-| jose-jwe      | 38     | 38     | 0     | 0     |
-| **Total**     | **59** | **59** | **0** | **0** |
-
-## noble/ciphers Primitive Tests
-
-| Primitive         | Key Sizes     | Direction                      | Result |
-| ----------------- | ------------- | ------------------------------ | ------ |
-| AES-GCM           | 128, 192, 256 | ours → noble                   | PASS   |
-| AES-GCM           | 128, 192, 256 | noble → ours                   | PASS   |
-| AES-GCM           | 128, 192, 256 | byte-identical (pinned IV)     | PASS   |
-| AES-KW (RFC 3394) | 128, 192, 256 | ours → noble                   | PASS   |
-| AES-KW (RFC 3394) | 128, 192, 256 | noble → ours                   | PASS   |
-| AES-KW (RFC 3394) | 128, 192, 256 | byte-identical (deterministic) | PASS   |
-| AES-CBC (raw)     | 128, 192, 256 | byte-identical (PKCS7)         | PASS   |
-
-## jose JWE Tests
-
-| Algorithm              | Encryption                                  | Direction   | Result |
-| ---------------------- | ------------------------------------------- | ----------- | ------ |
-| dir                    | A128GCM, A192GCM, A256GCM                   | ours → jose | PASS   |
-| dir                    | A128GCM, A192GCM, A256GCM                   | jose → ours | PASS   |
-| dir                    | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 | ours → jose | PASS   |
-| dir                    | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 | jose → ours | PASS   |
-| A128KW, A192KW, A256KW | A128GCM, A256GCM                            | ours → jose | PASS   |
-| A128KW, A192KW, A256KW | A128GCM, A256GCM                            | jose → ours | PASS   |
-| A128KW, A192KW, A256KW | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 | ours → jose | PASS   |
-| A128KW, A192KW, A256KW | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 | jose → ours | PASS   |
-| A128GCMKW, A256GCMKW   | A256GCM                                     | ours → jose | PASS   |
-| A128GCMKW, A256GCMKW   | A256GCM                                     | jose → ours | PASS   |
-| Pinned deterministic   | A256GCM (byte-identical)                    | comparison  | PASS   |
-| Pinned deterministic   | A256GCM (round-trip)                        | comparison  | PASS   |
-| Pinned deterministic   | A128CBC-HS256 (byte-identical)              | comparison  | PASS   |
-| Pinned deterministic   | A128CBC-HS256 (round-trip)                  | comparison  | PASS   |
-
-## Validated RFC Compliance
-
-- **RFC 7516** (JWE): AAD computation, flattened serialization format
-- **RFC 7518** (JWA): AES-GCM, AES-CBC-HMAC-SHA2, AES Key Wrap, AES-GCM Key Wrap
-- **RFC 3394**: AES Key Wrap (deterministic, AIV verification)
-
-## Notes
-
-- GCMKW "ours → jose" direction uses a two-pass approach due to the circular
-  dependency between key-wrap params and JWE AAD. Content is re-encrypted with
-  the correct AAD after extracting key-wrap params from the first pass.
-- jose v6 rejects `setContentEncryptionKey()` with `alg: "dir"`, so deterministic
-  pinned tests use A\*KW algorithms instead. Content encryption is identical
-  regardless of key management algorithm.
-- `@noble/ciphers` GCM returns ciphertext with auth tag appended (last 16 bytes).
-  Tests correctly split/concatenate when converting between formats.
-
-## Environment
-
-- Node.js >= 24.4.0
-- `@noble/ciphers` ^1.2.1
-- `jose` ^6.1.3

package/__tests__/esm-smoke.test.ts

@@ -1,16 +0,0 @@
-import { gcm, cbc, aeskw } from "@noble/ciphers/aes.js";
-import { FlattenedEncrypt, flattenedDecrypt } from "jose";
-import { describe, expect, test } from "vitest";
-
-describe("ESM import smoke test", () => {
-  test("should import @noble/ciphers", () => {
-    expect(gcm).toBeDefined();
-    expect(cbc).toBeDefined();
-    expect(aeskw).toBeDefined();
-  });
-
-  test("should import jose", () => {
-    expect(FlattenedEncrypt).toBeDefined();
-    expect(flattenedDecrypt).toBeDefined();
-  });
-});

package/__tests__/fixtures/keys.ts

@@ -1,60 +0,0 @@
-import { randomUUID } from "crypto";
-import {
-  type IKryptos,
-  type KryptosAlgorithm,
-  type KryptosEncryption,
-  KryptosKit,
-} from "@lindorm/kryptos";
-
-// Fixed raw symmetric keys for dir mode (CEK = key)
-export const RAW_KEY_128 = Buffer.from("000102030405060708090a0b0c0d0e0f", "hex");
-export const RAW_KEY_192 = Buffer.from(
-  "000102030405060708090a0b0c0d0e0f1011121314151617",
-  "hex",
-);
-export const RAW_KEY_256 = Buffer.from(
-  "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
-  "hex",
-);
-
-// CBC-HMAC composite keys (double-length: half for HMAC, half for AES-CBC)
-export const RAW_KEY_256_CBC = Buffer.from(
-  "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
-  "hex",
-);
-export const RAW_KEY_384_CBC = Buffer.from(
-  "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f",
-  "hex",
-);
-export const RAW_KEY_512_CBC = Buffer.from(
-  "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf",
-  "hex",
-);
-
-// Key Encryption Keys for KW modes
-export const KEK_128 = Buffer.from("c0c1c2c3c4c5c6c7c8c9cacbcccdcecf", "hex");
-export const KEK_192 = Buffer.from(
-  "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7",
-  "hex",
-);
-export const KEK_256 = Buffer.from(
-  "f0f1f2f3f4f5f6f7f8f9fafbfcfdfefff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
-  "hex",
-);
-
-/**
- * Helper to create a Kryptos oct key from raw bytes.
- */
-export const createOctKryptos = (
-  raw: Buffer,
-  algorithm: KryptosAlgorithm,
-  encryption?: KryptosEncryption,
-): IKryptos =>
-  KryptosKit.from.der({
-    id: randomUUID(),
-    algorithm,
-    encryption,
-    privateKey: raw,
-    type: "oct",
-    use: "enc",
-  });

package/__tests__/helpers/buffer-utils.ts

@@ -1,11 +0,0 @@
-/**
- * Convert Buffer to Uint8Array (zero-copy view).
- */
-export const toUint8Array = (buf: Buffer): Uint8Array =>
-  new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
-
-/**
- * Convert Uint8Array to Buffer (zero-copy view).
- */
-export const toBuffer = (arr: Uint8Array): Buffer =>
-  Buffer.from(arr.buffer, arr.byteOffset, arr.byteLength);

package/__tests__/helpers/index.ts

@@ -1,2 +0,0 @@
-export * from "./buffer-utils.js";
-export * from "./jwe-adapter.js";

package/__tests__/helpers/jwe-adapter.ts

@@ -1,123 +0,0 @@
-import type { FlattenedJWE } from "jose";
-import type { AesDecryptionRecord } from "../../src/types/aes-decryption-data.js";
-import type { AesEncryptionRecord } from "../../src/types/aes-encryption-data.js";
-
-/**
- * Build a JWE protected header JSON string, its base64url encoding,
- * and the AAD buffer (ASCII bytes of the base64url-encoded header).
- *
- * Per RFC 7516 section 5.1 step 14, the JWE AAD is the ASCII representation
- * of the base64url-encoded protected header.
- *
- * For A*GCMKW algorithms, the key-wrap iv and tag go into the protected header
- * per RFC 7518 section 4.7.
- */
-export const buildProtectedHeader = (
-  algorithm: string,
-  encryption: string,
-  gcmkwParams?: { iv: Buffer; tag: Buffer },
-): {
-  headerJson: string;
-  headerB64u: string;
-  aadBuffer: Buffer;
-} => {
-  const header: Record<string, string> = { alg: algorithm, enc: encryption };
-
-  if (gcmkwParams) {
-    header.iv = gcmkwParams.iv.toString("base64url");
-    header.tag = gcmkwParams.tag.toString("base64url");
-  }
-
-  const headerJson = JSON.stringify(header);
-  const headerB64u = Buffer.from(headerJson, "utf8").toString("base64url");
-  const aadBuffer = Buffer.from(headerB64u, "ascii");
-
-  return { headerJson, headerB64u, aadBuffer };
-};
-
-/**
- * Convert our AesEncryptionRecord to a jose FlattenedJWE object.
- *
- * Field mapping:
- *   - protected:      base64url-encoded protected header (passed in)
- *   - iv:             base64url of record.initialisationVector
- *   - ciphertext:     base64url of record.content
- *   - tag:            base64url of record.authTag
- *   - encrypted_key:  base64url of record.publicEncryptionKey (absent for dir)
- */
-export const toFlattenedJWE = (
-  record: AesEncryptionRecord,
-  headerB64u: string,
-): FlattenedJWE => {
-  const jwe: FlattenedJWE = {
-    protected: headerB64u,
-    iv: record.initialisationVector.toString("base64url"),
-    ciphertext: record.content.toString("base64url"),
-    tag: record.authTag.toString("base64url"),
-  };
-
-  if (record.publicEncryptionKey) {
-    jwe.encrypted_key = record.publicEncryptionKey.toString("base64url");
-  }
-
-  return jwe;
-};
-
-/**
- * Convert a jose FlattenedJWE back to our AesDecryptionRecord + the AAD buffer.
- *
- * Parses the protected header to extract algorithm, encryption, and optional
- * GCMKW parameters (iv, tag for key-wrap).
- *
- * Field mapping (inverse of toFlattenedJWE):
- *   - content:              Buffer from base64url ciphertext
- *   - initialisationVector: Buffer from base64url iv
- *   - authTag:              Buffer from base64url tag
- *   - publicEncryptionKey:  Buffer from base64url encrypted_key (undefined for dir)
- *   - publicEncryptionIv:   Buffer from protected header iv param (GCMKW only)
- *   - publicEncryptionTag:  Buffer from protected header tag param (GCMKW only)
- *   - encryption:           enc value from protected header
- *   - algorithm:            alg value from protected header
- */
-export const fromFlattenedJWE = (
-  jwe: FlattenedJWE,
-): {
-  record: AesDecryptionRecord;
-  aad: Buffer;
-} => {
-  if (!jwe.protected) {
-    throw new Error("FlattenedJWE missing protected header");
-  }
-  if (!jwe.iv) {
-    throw new Error("FlattenedJWE missing iv");
-  }
-  if (!jwe.tag) {
-    throw new Error("FlattenedJWE missing tag");
-  }
-
-  const headerJson = Buffer.from(jwe.protected, "base64url").toString("utf8");
-  const header = JSON.parse(headerJson) as Record<string, string>;
-
-  const aad = Buffer.from(jwe.protected, "ascii");
-
-  const record: AesDecryptionRecord = {
-    algorithm: header.alg as AesDecryptionRecord["algorithm"],
-    authTag: Buffer.from(jwe.tag, "base64url"),
-    content: Buffer.from(jwe.ciphertext, "base64url"),
-    contentType: (header.cty as AesDecryptionRecord["contentType"]) ?? "text/plain",
-    encryption: header.enc as AesDecryptionRecord["encryption"],
-    initialisationVector: Buffer.from(jwe.iv, "base64url"),
-    keyId: header.kid ?? "jwe-interop",
-    pbkdfIterations: undefined,
-    pbkdfSalt: undefined,
-    publicEncryptionIv: header.iv ? Buffer.from(header.iv, "base64url") : undefined,
-    publicEncryptionJwk: undefined,
-    publicEncryptionKey: jwe.encrypted_key
-      ? Buffer.from(jwe.encrypted_key, "base64url")
-      : undefined,
-    publicEncryptionTag: header.tag ? Buffer.from(header.tag, "base64url") : undefined,
-    version: "1.0",
-  };
-
-  return { record, aad };
-};

package/__tests__/jose-jwe.test.ts

@@ -1,464 +0,0 @@
-import { createCipheriv, type CipherGCM, randomBytes } from "crypto";
-import { FlattenedEncrypt, flattenedDecrypt } from "jose";
-import { encryptAes, decryptAes } from "../src/internal/utils/encryption.js";
-import { createHmacAuthTag } from "../src/internal/utils/data/auth-tag-hmac.js";
-import { splitContentEncryptionKey } from "../src/internal/utils/data/split-content-encryption-key.js";
-import { toUint8Array } from "./helpers/buffer-utils.js";
-import {
-  buildProtectedHeader,
-  toFlattenedJWE,
-  fromFlattenedJWE,
-} from "./helpers/jwe-adapter.js";
-import {
-  RAW_KEY_128,
-  RAW_KEY_192,
-  RAW_KEY_256,
-  RAW_KEY_256_CBC,
-  RAW_KEY_384_CBC,
-  RAW_KEY_512_CBC,
-  KEK_128,
-  KEK_192,
-  KEK_256,
-  createOctKryptos,
-} from "./fixtures/keys.js";
-import { describe, expect, test } from "vitest";
-
-const PLAINTEXT = "hello jose interop";
-const PLAINTEXT_BYTES = new TextEncoder().encode(PLAINTEXT);
-
-// ---------------------------------------------------------------------------
-// 4.1 dir + AES-GCM Cross-Reference
-// ---------------------------------------------------------------------------
-
-describe("jose JWE interop: dir + AES-GCM", () => {
-  describe.each([
-    { enc: "A128GCM" as const, key: RAW_KEY_128 },
-    { enc: "A192GCM" as const, key: RAW_KEY_192 },
-    { enc: "A256GCM" as const, key: RAW_KEY_256 },
-  ])("dir + $enc", ({ enc, key }) => {
-    test("our encrypt -> jose decrypt", async () => {
-      const kryptos = createOctKryptos(key, "dir", enc);
-      const { headerB64u, aadBuffer } = buildProtectedHeader("dir", enc);
-
-      const record = encryptAes({
-        data: PLAINTEXT,
-        encryption: enc,
-        kryptos,
-        aad: aadBuffer,
-      });
-
-      const jwe = toFlattenedJWE(record, headerB64u);
-      const result = await flattenedDecrypt(jwe, toUint8Array(key));
-
-      expect(Buffer.from(result.plaintext).toString("utf8")).toBe(PLAINTEXT);
-    });
-
-    test("jose encrypt -> our decrypt", async () => {
-      const kryptos = createOctKryptos(key, "dir", enc);
-
-      const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-        .setProtectedHeader({ alg: "dir", enc })
-        .encrypt(toUint8Array(key));
-
-      const { record, aad } = fromFlattenedJWE(jwe);
-
-      const result = decryptAes({
-        ...record,
-        aad,
-        contentType: "text/plain",
-        kryptos,
-      });
-
-      expect(result).toBe(PLAINTEXT);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// 4.2 dir + AES-CBC-HMAC Cross-Reference
-// ---------------------------------------------------------------------------
-
-describe("jose JWE interop: dir + AES-CBC-HMAC", () => {
-  describe.each([
-    { enc: "A128CBC-HS256" as const, key: RAW_KEY_256_CBC },
-    { enc: "A192CBC-HS384" as const, key: RAW_KEY_384_CBC },
-    { enc: "A256CBC-HS512" as const, key: RAW_KEY_512_CBC },
-  ])("dir + $enc", ({ enc, key }) => {
-    test("our encrypt -> jose decrypt", async () => {
-      const kryptos = createOctKryptos(key, "dir", enc);
-      const { headerB64u, aadBuffer } = buildProtectedHeader("dir", enc);
-
-      const record = encryptAes({
-        data: PLAINTEXT,
-        encryption: enc,
-        kryptos,
-        aad: aadBuffer,
-      });
-
-      const jwe = toFlattenedJWE(record, headerB64u);
-      const result = await flattenedDecrypt(jwe, toUint8Array(key));
-
-      expect(Buffer.from(result.plaintext).toString("utf8")).toBe(PLAINTEXT);
-    });
-
-    test("jose encrypt -> our decrypt", async () => {
-      const kryptos = createOctKryptos(key, "dir", enc);
-
-      const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-        .setProtectedHeader({ alg: "dir", enc })
-        .encrypt(toUint8Array(key));
-
-      const { record, aad } = fromFlattenedJWE(jwe);
-
-      const result = decryptAes({
-        ...record,
-        aad,
-        contentType: "text/plain",
-        kryptos,
-      });
-
-      expect(result).toBe(PLAINTEXT);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// 4.3 A*KW + AES-GCM Cross-Reference
-// ---------------------------------------------------------------------------
-
-describe("jose JWE interop: A*KW + AES-GCM", () => {
-  describe.each([
-    { alg: "A128KW" as const, kek: KEK_128 },
-    { alg: "A192KW" as const, kek: KEK_192 },
-    { alg: "A256KW" as const, kek: KEK_256 },
-  ])("$alg", ({ alg, kek }) => {
-    describe.each([{ enc: "A128GCM" as const }, { enc: "A256GCM" as const }])(
-      "+ $enc",
-      ({ enc }) => {
-        test("our encrypt -> jose decrypt", async () => {
-          const kryptos = createOctKryptos(kek, alg, enc);
-          const { headerB64u, aadBuffer } = buildProtectedHeader(alg, enc);
-
-          const record = encryptAes({
-            data: PLAINTEXT,
-            encryption: enc,
-            kryptos,
-            aad: aadBuffer,
-          });
-
-          const jwe = toFlattenedJWE(record, headerB64u);
-          const result = await flattenedDecrypt(jwe, toUint8Array(kek));
-
-          expect(Buffer.from(result.plaintext).toString("utf8")).toBe(PLAINTEXT);
-        });
-
-        test("jose encrypt -> our decrypt", async () => {
-          const kryptos = createOctKryptos(kek, alg, enc);
-
-          const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-            .setProtectedHeader({ alg, enc })
-            .encrypt(toUint8Array(kek));
-
-          const { record, aad } = fromFlattenedJWE(jwe);
-
-          const result = decryptAes({
-            ...record,
-            aad,
-            contentType: "text/plain",
-            kryptos,
-          });
-
-          expect(result).toBe(PLAINTEXT);
-        });
-      },
-    );
-  });
-});
-
-// ---------------------------------------------------------------------------
-// 4.4 A*KW + AES-CBC-HMAC Cross-Reference
-// ---------------------------------------------------------------------------
-
-describe("jose JWE interop: A*KW + AES-CBC-HMAC", () => {
-  describe.each([
-    { alg: "A128KW" as const, enc: "A128CBC-HS256" as const, kek: KEK_128 },
-    { alg: "A192KW" as const, enc: "A192CBC-HS384" as const, kek: KEK_192 },
-    { alg: "A256KW" as const, enc: "A256CBC-HS512" as const, kek: KEK_256 },
-  ])("$alg + $enc", ({ alg, enc, kek }) => {
-    test("our encrypt -> jose decrypt", async () => {
-      const kryptos = createOctKryptos(kek, alg, enc);
-      const { headerB64u, aadBuffer } = buildProtectedHeader(alg, enc);
-
-      const record = encryptAes({
-        data: PLAINTEXT,
-        encryption: enc,
-        kryptos,
-        aad: aadBuffer,
-      });
-
-      const jwe = toFlattenedJWE(record, headerB64u);
-      const result = await flattenedDecrypt(jwe, toUint8Array(kek));
-
-      expect(Buffer.from(result.plaintext).toString("utf8")).toBe(PLAINTEXT);
-    });
-
-    test("jose encrypt -> our decrypt", async () => {
-      const kryptos = createOctKryptos(kek, alg, enc);
-
-      const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-        .setProtectedHeader({ alg, enc })
-        .encrypt(toUint8Array(kek));
-
-      const { record, aad } = fromFlattenedJWE(jwe);
-
-      const result = decryptAes({
-        ...record,
-        aad,
-        contentType: "text/plain",
-        kryptos,
-      });
-
-      expect(result).toBe(PLAINTEXT);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// 4.5 A*GCMKW + AES-GCM Cross-Reference
-// ---------------------------------------------------------------------------
-
-describe("jose JWE interop: A*GCMKW + AES-GCM", () => {
-  describe.each([
-    { alg: "A128GCMKW" as const, kek: KEK_128 },
-    { alg: "A256GCMKW" as const, kek: KEK_256 },
-  ])("$alg + A256GCM", ({ alg, kek }) => {
-    const enc = "A256GCM" as const;
-
-    test("jose encrypt -> our decrypt", async () => {
-      const kryptos = createOctKryptos(kek, alg, enc);
-
-      const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-        .setProtectedHeader({ alg, enc })
-        .encrypt(toUint8Array(kek));
-
-      const { record, aad } = fromFlattenedJWE(jwe);
-
-      const result = decryptAes({
-        ...record,
-        aad,
-        contentType: "text/plain",
-        kryptos,
-      });
-
-      expect(result).toBe(PLAINTEXT);
-    });
-
-    // Our encrypt -> jose decrypt for GCMKW has a circular dependency:
-    // The protected header must contain the key-wrap iv and tag (per RFC 7518 section 4.7),
-    // but the content encryption AAD is computed from the protected header (per RFC 7516
-    // section 5.1 step 14). Our encryptAes() generates the key-wrap params and encrypts
-    // content in a single pass, so we cannot know the final header (and therefore the
-    // correct AAD) before encryption.
-    //
-    // A two-pass approach (encrypt once to get kw params, build header, re-encrypt with
-    // correct AAD) would require exposing the CEK from the first pass, which our API
-    // does not currently support via the public encryptAes interface.
-    //
-    // The jose->ours direction above validates that our decryption is fully compatible.
-    // Byte-level correctness of our GCM key-wrap is separately validated in the
-    // noble-ciphers cross-reference tests.
-    test("our encrypt -> jose decrypt", async () => {
-      const kryptos = createOctKryptos(kek, alg, enc);
-
-      // Perform encryption without AAD first to get the key-wrap parameters
-      const record = encryptAes({
-        data: PLAINTEXT,
-        encryption: enc,
-        kryptos,
-      });
-
-      // Build the protected header including the GCMKW iv and tag
-      const { headerB64u, aadBuffer } = buildProtectedHeader(alg, enc, {
-        iv: record.publicEncryptionIv!,
-        tag: record.publicEncryptionTag!,
-      });
-
-      // Re-encrypt with correct AAD using the same CEK that was wrapped.
-      // We can recover the CEK by unwrapping the encrypted_key.
-      const unwrapKryptos = createOctKryptos(kek, alg, enc);
-      const { contentEncryptionKey } = (
-        await import("../src/internal/utils/key-wrap/gcm-key-wrap.js")
-      ).gcmKeyUnwrap({
-        keyEncryptionKey: kek,
-        kryptos: unwrapKryptos,
-        publicEncryptionIv: record.publicEncryptionIv!,
-        publicEncryptionKey: record.publicEncryptionKey!,
-        publicEncryptionTag: record.publicEncryptionTag!,
-      });
-
-      // Re-encrypt content with the recovered CEK and correct AAD
-      const { encryptionKey } = splitContentEncryptionKey(enc, contentEncryptionKey);
-      const iv = randomBytes(12);
-      const cipher = createCipheriv("aes-256-gcm", encryptionKey, iv, {
-        authTagLength: 16,
-      }) as CipherGCM;
-      cipher.setAAD(aadBuffer);
-
-      const plaintextBuf = Buffer.from(PLAINTEXT, "utf8");
-      const ciphertext = Buffer.concat([cipher.update(plaintextBuf), cipher.final()]);
-      const authTag = cipher.getAuthTag();
-
-      const jwe = {
-        protected: headerB64u,
-        iv: iv.toString("base64url"),
-        ciphertext: ciphertext.toString("base64url"),
-        tag: authTag.toString("base64url"),
-        encrypted_key: record.publicEncryptionKey!.toString("base64url"),
-      };
-
-      const result = await flattenedDecrypt(jwe, toUint8Array(kek));
-      expect(Buffer.from(result.plaintext).toString("utf8")).toBe(PLAINTEXT);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// 4.6 Deterministic Pinned Tests
-// ---------------------------------------------------------------------------
-//
-// jose v6 does not allow setContentEncryptionKey() with alg: "dir".
-// We use A256KW / A128KW key-wrap algorithms instead, which do allow CEK
-// pinning. This still validates byte-identical ciphertext because the
-// content encryption is the same regardless of the key management algorithm.
-// ---------------------------------------------------------------------------
-
-describe("jose JWE interop: deterministic pinned tests", () => {
-  describe("A256KW + A256GCM", () => {
-    const alg = "A256KW" as const;
-    const enc = "A256GCM" as const;
-    const kek = KEK_256;
-    const cek = Buffer.from(
-      "e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff00",
-      "hex",
-    );
-    const iv = Buffer.from("0a0b0c0d0e0f10111213141516", "hex").subarray(0, 12);
-    const plaintextBuf = Buffer.from(PLAINTEXT, "utf8");
-
-    test("byte-identical ciphertext and auth tag", async () => {
-      // jose: encrypt with pinned CEK and IV
-      const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-        .setProtectedHeader({ alg, enc })
-        .setContentEncryptionKey(toUint8Array(cek))
-        .setInitializationVector(toUint8Array(iv))
-        .encrypt(toUint8Array(kek));
-
-      // The AAD is the ASCII bytes of the base64url-encoded protected header
-      const joseAad = Buffer.from(jwe.protected!, "ascii");
-
-      // Our side: raw createCipheriv with the same CEK, IV, and AAD
-      const cipher = createCipheriv("aes-256-gcm", cek, iv, {
-        authTagLength: 16,
-      }) as CipherGCM;
-      cipher.setAAD(joseAad);
-
-      const ourCiphertext = Buffer.concat([cipher.update(plaintextBuf), cipher.final()]);
-      const ourTag = cipher.getAuthTag();
-
-      const joseCiphertext = Buffer.from(jwe.ciphertext, "base64url");
-      const joseTag = Buffer.from(jwe.tag!, "base64url");
-
-      expect(ourCiphertext.equals(joseCiphertext)).toBe(true);
-      expect(ourTag.equals(joseTag)).toBe(true);
-    });
-
-    test("round-trip with pinned values through decryptAes", async () => {
-      // jose: encrypt with pinned CEK and IV
-      const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-        .setProtectedHeader({ alg, enc })
-        .setContentEncryptionKey(toUint8Array(cek))
-        .setInitializationVector(toUint8Array(iv))
-        .encrypt(toUint8Array(kek));
-
-      // Parse with our adapter and decrypt
-      const kryptos = createOctKryptos(kek, alg, enc);
-      const { record, aad } = fromFlattenedJWE(jwe);
-
-      const result = decryptAes({
-        ...record,
-        aad,
-        contentType: "text/plain",
-        kryptos,
-      });
-
-      expect(result).toBe(PLAINTEXT);
-    });
-  });
-
-  describe("A128KW + A128CBC-HS256", () => {
-    const alg = "A128KW" as const;
-    const enc = "A128CBC-HS256" as const;
-    const kek = KEK_128;
-    // A128CBC-HS256 CEK is 32 bytes: first 16 = HMAC key, last 16 = AES key
-    const cek = Buffer.from(
-      "a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0",
-      "hex",
-    );
-    const iv = Buffer.alloc(16, 0xdd);
-    const plaintextBuf = Buffer.from(PLAINTEXT, "utf8");
-
-    test("byte-identical ciphertext and auth tag", async () => {
-      // jose: encrypt with pinned CEK and IV
-      const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-        .setProtectedHeader({ alg, enc })
-        .setContentEncryptionKey(toUint8Array(cek))
-        .setInitializationVector(toUint8Array(iv))
-        .encrypt(toUint8Array(kek));
-
-      const joseAad = Buffer.from(jwe.protected!, "ascii");
-
-      // Split CEK per RFC 7518 Section 5.2
-      const { encryptionKey, hashKey } = splitContentEncryptionKey(enc, cek);
-
-      // Our side: raw createCipheriv (CBC) with same key and IV
-      const cipher = createCipheriv("aes-128-cbc", encryptionKey, iv);
-      const ourCiphertext = Buffer.concat([cipher.update(plaintextBuf), cipher.final()]);
-
-      // HMAC auth tag per RFC 7518 Section 5.2.2.1
-      const ourTag = createHmacAuthTag({
-        aad: joseAad,
-        content: ourCiphertext,
-        encryption: enc,
-        hashKey,
-        initialisationVector: iv,
-      });
-
-      const joseCiphertext = Buffer.from(jwe.ciphertext, "base64url");
-      const joseTag = Buffer.from(jwe.tag!, "base64url");
-
-      expect(ourCiphertext.equals(joseCiphertext)).toBe(true);
-      expect(ourTag.equals(joseTag)).toBe(true);
-    });
-
-    test("round-trip with pinned values through decryptAes", async () => {
-      // jose: encrypt with pinned CEK and IV
-      const jwe = await new FlattenedEncrypt(PLAINTEXT_BYTES)
-        .setProtectedHeader({ alg, enc })
-        .setContentEncryptionKey(toUint8Array(cek))
-        .setInitializationVector(toUint8Array(iv))
-        .encrypt(toUint8Array(kek));
-
-      // Parse with our adapter and decrypt
-      const kryptos = createOctKryptos(kek, alg, enc);
-      const { record, aad } = fromFlattenedJWE(jwe);
-
-      const result = decryptAes({
-        ...record,
-        aad,
-        contentType: "text/plain",
-        kryptos,
-      });
-
-      expect(result).toBe(PLAINTEXT);
-    });
-  });
-});

package/__tests__/noble-ciphers.test.ts

@@ -1,209 +0,0 @@
-import { createCipheriv, randomBytes } from "crypto";
-import { gcm, cbc, aeskw } from "@noble/ciphers/aes.js";
-import { encryptAes, decryptAes } from "../src/internal/utils/encryption.js";
-import { ecbKeyWrap, ecbKeyUnwrap } from "../src/internal/utils/key-wrap/ecb-key-wrap.js";
-import { toUint8Array, toBuffer } from "./helpers/buffer-utils.js";
-import {
-  RAW_KEY_128,
-  RAW_KEY_192,
-  RAW_KEY_256,
-  RAW_KEY_256_CBC,
-  RAW_KEY_384_CBC,
-  RAW_KEY_512_CBC,
-  KEK_128,
-  KEK_192,
-  KEK_256,
-  createOctKryptos,
-} from "./fixtures/keys.js";
-import { describe, expect, test } from "vitest";
-
-const GCM_TAG_LENGTH = 16;
-const GCM_IV_LENGTH = 12;
-const AES_BLOCK_SIZE = 16;
-
-// ---------------------------------------------------------------------------
-// 3.1 AES-GCM Cross-Reference
-// ---------------------------------------------------------------------------
-
-describe("AES-GCM cross-reference with @noble/ciphers", () => {
-  describe.each([
-    { name: "A128GCM", key: RAW_KEY_128, encryption: "A128GCM" as const },
-    { name: "A192GCM", key: RAW_KEY_192, encryption: "A192GCM" as const },
-    { name: "A256GCM", key: RAW_KEY_256, encryption: "A256GCM" as const },
-  ])("$name", ({ key, encryption }) => {
-    const plaintext = "test plaintext";
-
-    test("our encryptAes -> noble gcm decrypt", () => {
-      const kryptos = createOctKryptos(key, "dir", encryption);
-
-      const record = encryptAes({ data: plaintext, encryption, kryptos });
-
-      const iv = toUint8Array(record.initialisationVector);
-      const ciphertext = toUint8Array(record.content);
-      const tag = toUint8Array(record.authTag);
-
-      // noble expects ciphertext || tag concatenated
-      const ciphertextWithTag = new Uint8Array(ciphertext.length + tag.length);
-      ciphertextWithTag.set(ciphertext, 0);
-      ciphertextWithTag.set(tag, ciphertext.length);
-
-      const decrypted = gcm(toUint8Array(key), iv).decrypt(ciphertextWithTag);
-      const result = new TextDecoder().decode(decrypted);
-
-      expect(result).toBe(plaintext);
-    });
-
-    test("noble gcm encrypt -> our decryptAes", () => {
-      const kryptos = createOctKryptos(key, "dir", encryption);
-      const iv = randomBytes(GCM_IV_LENGTH);
-      const plaintextBytes = new TextEncoder().encode(plaintext);
-
-      const encrypted = gcm(toUint8Array(key), toUint8Array(iv)).encrypt(plaintextBytes);
-
-      // noble returns ciphertext || tag (last 16 bytes are the auth tag)
-      const ciphertext = toBuffer(encrypted.slice(0, -GCM_TAG_LENGTH));
-      const authTag = toBuffer(encrypted.slice(-GCM_TAG_LENGTH));
-
-      const result = decryptAes({
-        content: ciphertext,
-        authTag,
-        initialisationVector: iv,
-        encryption,
-        contentType: "text/plain",
-        kryptos,
-      });
-
-      expect(result).toBe(plaintext);
-    });
-
-    test("byte-identical ciphertext with pinned IV", () => {
-      const iv = Buffer.alloc(GCM_IV_LENGTH, 0xab);
-      const plaintextBytes = Buffer.from(plaintext, "utf8");
-
-      // Our side: raw Node.js createCipheriv
-      const cipher = createCipheriv(
-        `aes-${key.length * 8}-gcm` as "aes-128-gcm" | "aes-192-gcm" | "aes-256-gcm",
-        key,
-        iv,
-        { authTagLength: GCM_TAG_LENGTH },
-      );
-      const ourCiphertext = Buffer.concat([
-        cipher.update(plaintextBytes),
-        cipher.final(),
-      ]);
-      const ourTag = cipher.getAuthTag();
-
-      // Noble side
-      const nobleResult = gcm(toUint8Array(key), toUint8Array(iv)).encrypt(
-        toUint8Array(plaintextBytes),
-      );
-      const nobleCiphertext = nobleResult.slice(0, -GCM_TAG_LENGTH);
-      const nobleTag = nobleResult.slice(-GCM_TAG_LENGTH);
-
-      expect(ourCiphertext.equals(toBuffer(nobleCiphertext))).toBe(true);
-      expect(ourTag.equals(toBuffer(nobleTag))).toBe(true);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// 3.2 AES-KW (RFC 3394) Cross-Reference
-// ---------------------------------------------------------------------------
-
-describe("AES-KW cross-reference with @noble/ciphers", () => {
-  describe.each([
-    { name: "A128KW", kek: KEK_128, algorithm: "A128KW" as const },
-    { name: "A192KW", kek: KEK_192, algorithm: "A192KW" as const },
-    { name: "A256KW", kek: KEK_256, algorithm: "A256KW" as const },
-  ])("$name", ({ kek, algorithm }) => {
-    // CEK to wrap: 32 bytes (suitable for A256GCM)
-    const cek = randomBytes(32);
-
-    test("our ecbKeyWrap -> noble aeskw decrypt", () => {
-      const kryptos = createOctKryptos(kek, algorithm);
-
-      const { publicEncryptionKey } = ecbKeyWrap({
-        contentEncryptionKey: cek,
-        keyEncryptionKey: kek,
-        kryptos,
-      });
-
-      const unwrapped = aeskw(toUint8Array(kek)).decrypt(
-        toUint8Array(publicEncryptionKey),
-      );
-
-      expect(cek.equals(toBuffer(unwrapped))).toBe(true);
-    });
-
-    test("noble aeskw encrypt -> our ecbKeyUnwrap", () => {
-      const kryptos = createOctKryptos(kek, algorithm);
-
-      const wrapped = aeskw(toUint8Array(kek)).encrypt(toUint8Array(cek));
-
-      const { contentEncryptionKey } = ecbKeyUnwrap({
-        keyEncryptionKey: kek,
-        kryptos,
-        publicEncryptionKey: toBuffer(wrapped),
-      });
-
-      expect(cek.equals(contentEncryptionKey)).toBe(true);
-    });
-
-    test("byte-identical wrapped key (deterministic)", () => {
-      const kryptos = createOctKryptos(kek, algorithm);
-
-      const { publicEncryptionKey } = ecbKeyWrap({
-        contentEncryptionKey: cek,
-        keyEncryptionKey: kek,
-        kryptos,
-      });
-
-      const nobleWrapped = aeskw(toUint8Array(kek)).encrypt(toUint8Array(cek));
-
-      expect(publicEncryptionKey.equals(toBuffer(nobleWrapped))).toBe(true);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// 3.3 AES-CBC Raw Cross-Reference
-// ---------------------------------------------------------------------------
-
-describe("AES-CBC raw cross-reference with @noble/ciphers", () => {
-  describe.each([
-    {
-      name: "A128CBC",
-      // A128CBC-HS256: 32B CEK -> first 16B = HMAC key, last 16B = AES-128-CBC key
-      encKey: RAW_KEY_256_CBC.subarray(16),
-      nodeCipher: "aes-128-cbc" as const,
-    },
-    {
-      name: "A192CBC",
-      // A192CBC-HS384: 48B CEK -> first 24B = HMAC key, last 24B = AES-192-CBC key
-      encKey: RAW_KEY_384_CBC.subarray(24),
-      nodeCipher: "aes-192-cbc" as const,
-    },
-    {
-      name: "A256CBC",
-      // A256CBC-HS512: 64B CEK -> first 32B = HMAC key, last 32B = AES-256-CBC key
-      encKey: RAW_KEY_512_CBC.subarray(32),
-      nodeCipher: "aes-256-cbc" as const,
-    },
-  ])("$name", ({ encKey, nodeCipher }) => {
-    test("byte-identical ciphertext (PKCS7 padding)", () => {
-      const iv = Buffer.alloc(AES_BLOCK_SIZE, 0xcd);
-      const plaintext = Buffer.from("cross-reference CBC test", "utf8");
-
-      // Our side: raw Node.js createCipheriv
-      const cipher = createCipheriv(nodeCipher, encKey, iv);
-      const ourCiphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-
-      // Noble side
-      const nobleCiphertext = cbc(toUint8Array(encKey), toUint8Array(iv)).encrypt(
-        toUint8Array(plaintext),
-      );
-
-      expect(ourCiphertext.equals(toBuffer(nobleCiphertext))).toBe(true);
-    });
-  });
-});

package/vitest.config.mjs

@@ -1,6 +0,0 @@
-import { createVitestConfig } from "../../vitest.config.base.mjs";
-
-const config = createVitestConfig();
-config.test.include = ["src/**/*.test.ts", "__tests__/**/*.test.ts"];
-
-export default config;