@norionsoft/m2qr 0.3.0

package/ABOUT.md

@@ -0,0 +1,71 @@
+# m2qr - Honey Encryption for BIP-39 Mnemonics
+
+## Problem
+
+Standard encryption (AES-GCM, ChaCha20-Poly1305, etc.) uses **authenticated encryption** - decryption with a wrong password fails with an error. This gives attackers a binary oracle: try a password, check if decryption succeeds or fails. With enough compute, any password can be brute-forced offline without touching any external service.
+
+Even with expensive key derivation (Argon2id), an attacker with access to the encrypted QR code knows instantly whether each guess is right or wrong.
+
+## Solution
+
+**m2qr** uses honey encryption: decryption with **any** password always succeeds, always returning a valid BIP-39 mnemonic phrase. The correct password returns the original mnemonic. Every wrong password returns a different - but equally valid - mnemonic. There is no error, no signal, no way to distinguish correct from incorrect offline.
+
+## How It Works
+
+1. The mnemonic is converted to its underlying **entropy bytes** (128 bits for 12 words, 256 bits for 24 words)
+2. A random **salt** (16 bytes) is generated
+3. A **mask** is derived: `mask = Argon2id(password, salt)` with OWASP-recommended parameters (64 MB memory, 3 iterations)
+4. The ciphertext is computed: `encrypted = entropy XOR mask`
+
+On decryption:
+
+1. Recompute the mask: `mask = Argon2id(password_attempt, salt)`
+2. Recover entropy: `entropy = encrypted XOR mask`
+3. Compute checksum and build the mnemonic from the entropy
+
+Since **any** byte sequence of the right length is valid BIP-39 entropy, step 3 always produces a valid mnemonic. There is no checksum or authentication tag that could reveal a wrong password.
+
+## Why Brute-Force Cannot Work
+
+| Defense layer | What it prevents |
+|---|---|
+| **Honey encryption** | No offline oracle - every password "works", producing a valid mnemonic |
+| **Argon2id (64 MB, 3 iterations)** | Each password attempt costs ~1-2 seconds of computation |
+| **Uniform entropy space** | Every decryption output is equally likely; no statistical distinguisher exists |
+| **Open-source safe** | Security relies on the uniform distribution of BIP-39 entropy, not on secret code |
+
+To verify a guess, an attacker must:
+- Derive wallet addresses from the mnemonic (multiple derivation paths, multiple chains)
+- Query blockchain APIs for each address (rate-limited, detectable)
+- At ~2 sec/attempt + blockchain lookups, even 1 million guesses take years
+
+### Formal Security Property
+
+Under the assumption that Argon2id is a secure pseudorandom function (PRF), for any wrong password `p'`, the decrypted entropy `E XOR Argon2id(p*, salt) XOR Argon2id(p', salt)` is computationally indistinguishable from a uniformly random element of the entropy space. This satisfies the Distribution-Transforming Encoder (DTE) security model of Juels & Ristenpart (Eurocrypt 2014) for flat message distributions.
+
+## Binary Format (v4)
+
+```
+Byte  0:      Version (0x04)
+Byte  1:      Word count (12, 15, 18, 21, or 24)
+Bytes 2-17:   Salt (16 random bytes)
+Bytes 18-N:   Encrypted entropy (16-32 bytes)
+```
+
+Total sizes: 34 bytes (12 words) to 50 bytes (24 words). Compact enough for any QR code.
+
+## Backward Compatibility
+
+- **Old QR codes** (wallet2qr v1/v2/v3) can be decrypted using m2qr's legacy functions
+- **New QR codes** (v4) cannot be decrypted by old wallet2qr versions - old code expects AES-GCM authentication tags which v4 intentionally omits
+
+## API
+
+```typescript
+// Honey encryption - always returns a valid mnemonic, never errors on wrong password
+const encrypted = await honeyEncrypt(mnemonic, password);
+const mnemonic  = await honeyDecrypt(encrypted, password);
+
+// Legacy v3 decryption - returns null on wrong password (GCM auth tag)
+const result = await decryptV3(ciphertext, password, salt);
+```

package/README.md

@@ -0,0 +1,213 @@
+# @norionsoft-admin/m2qr
+
+Honey encryption for BIP-39 mnemonic phrases. Every password decrypts to a valid mnemonic — only the correct password recovers the original.
+
+## Why
+
+Standard encryption (AES-GCM, etc.) reveals when a password is wrong — decryption fails. This gives attackers an offline oracle: try passwords until one "works." Even with strong key derivation, brute-force remains feasible because each guess is instantly verified locally.
+
+**m2qr** eliminates this oracle entirely. Wrong passwords return different but equally valid BIP-39 mnemonics. An attacker cannot distinguish correct from incorrect without querying external blockchains for every single guess — turning a fast offline attack into an impossibly slow online one.
+
+## Install
+
+```bash
+npm install @norionsoft-admin/m2qr
+```
+
+Requires Node.js >= 20.
+
+## Quick Start
+
+```typescript
+import { honeyEncrypt, honeyDecrypt, isValidMnemonic } from '@norionsoft-admin/m2qr';
+
+const mnemonic = 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about';
+
+// Encrypt
+const encrypted = await honeyEncrypt(mnemonic, 'my-password');
+// → Uint8Array (34 bytes for 12 words, 50 bytes for 24 words)
+
+// Decrypt with correct password → original mnemonic
+const result = await honeyDecrypt(encrypted, 'my-password');
+// → "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+
+// Decrypt with wrong password → DIFFERENT valid mnemonic (no error!)
+const wrong = await honeyDecrypt(encrypted, 'wrong-password');
+// → "share merry latin tag ..." (valid BIP-39, deterministic)
+
+isValidMnemonic(result); // true
+isValidMnemonic(wrong);  // true — attacker can't tell which is real
+```
+
+## How It Works
+
+1. Convert mnemonic to raw **entropy** (128–256 bits depending on word count)
+2. Generate random **salt** (16 bytes)
+3. Derive a **mask** via `Argon2id(password, salt)` with OWASP parameters (64 MB memory, 3 iterations)
+4. Ciphertext = `entropy XOR mask`
+
+On decryption, any password produces a mask → XOR recovers some entropy → any entropy maps to a valid BIP-39 mnemonic (checksum is computed from entropy, not stored). No authentication tag, no error signal, no oracle.
+
+## Why Brute-Force Cannot Work
+
+| Layer | Protection |
+|---|---|
+| **Honey encryption** | No offline oracle — every password yields a valid mnemonic |
+| **Argon2id** | ~1–2 seconds per attempt (64 MB memory-hard) |
+| **Uniform entropy space** | All decryption outputs equally likely; no statistical distinguisher |
+| **Open-source safe** | Security relies on math (uniform BIP-39 entropy distribution), not secret code |
+
+To verify a guess, an attacker must:
+
+1. Derive wallet addresses from the mnemonic (multiple derivation paths: BIP-44, BIP-49, BIP-84)
+2. Query blockchain APIs for each address (multiple chains: Bitcoin, Ethereum, Solana, etc.)
+3. Check for any balance or transaction history
+
+At ~2 seconds per Argon2id attempt + blockchain lookups for each result, even a dictionary of 1 million passwords would take **years** — and the attacker doesn't know which blockchain to check.
+
+### Formal Security Property
+
+Under the assumption that Argon2id is a secure pseudorandom function (PRF), for any wrong password `p'`, the decrypted entropy is computationally indistinguishable from a uniformly random element of the entropy space. This satisfies the Distribution-Transforming Encoder (DTE) security model of Juels & Ristenpart (Eurocrypt 2014) for flat message distributions.
+
+## Backward Compatibility
+
+m2qr provides full backward-compatible **decryption** for all legacy wallet2qr formats. Encryption always uses the new V4 honey format.
+
+| Format | Encrypt | Decrypt | Method |
+|---|---|---|---|
+| **V4** (honey) | Yes | Yes — always returns a valid mnemonic | `honeyEncrypt` / `honeyDecrypt` |
+| **V3** (AES-256-GCM + Argon2id) | No | Yes — returns `null` on wrong password | `decryptV3` |
+| **V2** (CryptoJS AES + pepper) | No | Yes — returns `null` on wrong password | `decryptV2` |
+| **V1** (CryptoJS AES) | No | Yes — returns `null` on wrong password | `decryptV1` |
+
+Old QR codes can be decrypted with m2qr. New V4 QR codes cannot be decrypted by old wallet2qr versions (they expect AES-GCM authentication tags which V4 intentionally omits).
+
+### Legacy Decryption
+
+```typescript
+import { decrypt, decryptV1, decryptV2, decryptV3 } from '@norionsoft-admin/m2qr';
+
+// V1: password-only (CryptoJS AES)
+const v1Result = decryptV1(ciphertextString, password);
+// → mnemonic string or null
+
+// V2: password + social account pepper
+const v2Result = decryptV2(ciphertextString, password, pepper);
+// → mnemonic string or null
+
+// V3: AES-256-GCM + Argon2id (all modes)
+const v3Result = await decryptV3(ciphertextBytes, password, saltBytes, {
+  mode: 'a',               // 'a' | 'b' | 'c' | 'd'
+  factor: providerStableId, // for modes b/d
+  backupCode: backupCode,   // for modes c/d
+  wrappedKey1: wrappedKey1, // for mode d (social factor)
+  wrappedKey2: wrappedKey2, // for mode d (backup code)
+});
+// → mnemonic string or null
+```
+
+### Unified Decrypt
+
+A single `decrypt` function that handles all versions automatically:
+
+```typescript
+import { decrypt } from '@norionsoft-admin/m2qr';
+
+// V1
+await decrypt({ version: 1, ciphertext: ds }, password);
+
+// V2
+await decrypt({ version: 2, ciphertext: ds, pepper: pepperValue }, password);
+
+// V3 mode a (password only)
+await decrypt({ version: 3, ciphertext: ctBytes, salt: saltBytes, mode: 'a' }, password);
+
+// V3 mode d (dual-factor)
+await decrypt({
+  version: 3,
+  ciphertext: ctBytes,
+  salt: saltBytes,
+  mode: 'd',
+  factor: providerStableId,
+  backupCode: backupCode,
+  wrappedKey1: wk1Bytes,
+  wrappedKey2: wk2Bytes,
+}, password);
+
+// V4 (honey encryption — never returns null)
+await decrypt({ version: 4, data: encryptedBytes }, password);
+```
+
+## Upgrading Old QR Codes
+
+The `upgrade` function decrypts a legacy QR code and re-encrypts it with V4 honey encryption in a single step:
+
+```typescript
+import { upgrade } from '@norionsoft-admin/m2qr';
+
+// Upgrade V1 → V4 (keep same password)
+const v4Data = await upgrade({ version: 1, ciphertext: oldCiphertext }, password);
+// → Uint8Array (V4 format) or null if wrong password
+
+// Upgrade V2 → V4 with a new password
+const v4Data = await upgrade(
+  { version: 2, ciphertext: oldCiphertext, pepper: oldPepper },
+  oldPassword,
+  newPassword   // optional: use a different password for the V4 data
+);
+
+// Upgrade V3 → V4
+const v4Data = await upgrade(
+  { version: 3, ciphertext: ctBytes, salt: saltBytes, mode: 'b', factor: providerId },
+  password
+);
+```
+
+Returns `null` if the old password/credentials are wrong (legacy formats can detect incorrect passwords). Returns a `Uint8Array` in V4 honey format on success.
+
+## Binary Format (V4)
+
+```
+Byte  0:      Version (0x04)
+Byte  1:      Word count (12, 15, 18, 21, or 24)
+Bytes 2-17:   Salt (16 random bytes)
+Bytes 18-N:   Encrypted entropy (16-32 bytes)
+```
+
+Total: 34 bytes (12 words) to 50 bytes (24 words). Compact enough for any QR code.
+
+## API Reference
+
+### Honey Encryption (V4)
+
+| Function | Description |
+|---|---|
+| `honeyEncrypt(mnemonic, password)` | Encrypt a BIP-39 mnemonic → `Uint8Array`. Throws if mnemonic is invalid. |
+| `honeyDecrypt(data, password)` | Decrypt → **always returns a valid mnemonic**, never throws on wrong password. |
+
+### Unified
+
+| Function | Description |
+|---|---|
+| `decrypt(input, password)` | Auto-detect version and decrypt. Returns `string \| null`. V4 never returns null. |
+| `upgrade(input, password, newPassword?)` | Decrypt legacy format and re-encrypt as V4. Returns `Uint8Array \| null`. |
+
+### Legacy Decryption
+
+| Function | Description |
+|---|---|
+| `decryptV1(ciphertext, password)` | V1 CryptoJS AES. Returns `string \| null`. |
+| `decryptV2(ciphertext, password, pepper)` | V2 CryptoJS AES + pepper. Returns `string \| null`. |
+| `decryptV3(ciphertext, password, salt, options?)` | V3 AES-256-GCM + Argon2id (modes a/b/c/d). Returns `Promise<string \| null>`. |
+
+### Utilities
+
+| Function | Description |
+|---|---|
+| `isValidMnemonic(phrase)` | Validate BIP-39 mnemonic (English, checksum). |
+| `detectVersion(data)` | Read version byte from encrypted data. |
+| `parseHoneyData(data)` | Parse V4 binary into `{ version, wordCount, salt, encryptedEntropy }`. |
+
+## License
+
+MIT

package/dist/bip39-utils.d.ts

@@ -0,0 +1,5 @@
+export declare function mnemonicToBytes(mnemonic: string): Uint8Array;
+export declare function bytesToMnemonic(entropy: Uint8Array): string;
+export declare function isValid(mnemonic: string): boolean;
+export declare function getWordCount(mnemonic: string): number;
+export declare function entropyBytesForWordCount(wordCount: number): number;

package/dist/bip39-utils.js

@@ -0,0 +1,27 @@
+import { mnemonicToEntropy, entropyToMnemonic, validateMnemonic } from '@scure/bip39';
+import { wordlist } from '@scure/bip39/wordlists/english';
+export function mnemonicToBytes(mnemonic) {
+    return mnemonicToEntropy(mnemonic, wordlist);
+}
+export function bytesToMnemonic(entropy) {
+    return entropyToMnemonic(entropy, wordlist);
+}
+export function isValid(mnemonic) {
+    return validateMnemonic(mnemonic, wordlist);
+}
+export function getWordCount(mnemonic) {
+    return mnemonic.trim().split(/\s+/).length;
+}
+const ENTROPY_BYTES = {
+    12: 16,
+    15: 20,
+    18: 24,
+    21: 28,
+    24: 32,
+};
+export function entropyBytesForWordCount(wordCount) {
+    const bytes = ENTROPY_BYTES[wordCount];
+    if (!bytes)
+        throw new Error(`Unsupported word count: ${wordCount}`);
+    return bytes;
+}

package/dist/decrypt.d.ts

@@ -0,0 +1,4 @@
+import type { DecryptInput, V1DecryptInput, V2DecryptInput, V3DecryptInput } from './types.js';
+export declare function decrypt(input: DecryptInput, password: string): Promise<string | null>;
+export type LegacyInput = V1DecryptInput | V2DecryptInput | V3DecryptInput;
+export declare function upgrade(input: LegacyInput, password: string, newPassword?: string): Promise<Uint8Array | null>;

package/dist/decrypt.js

@@ -0,0 +1,29 @@
+import { decryptV1, decryptV2, decryptV3 } from './legacy.js';
+import { honeyEncrypt, honeyDecrypt } from './honey.js';
+import { isValid } from './bip39-utils.js';
+export async function decrypt(input, password) {
+    switch (input.version) {
+        case 1:
+            return decryptV1(input.ciphertext, password);
+        case 2:
+            return decryptV2(input.ciphertext, password, input.pepper);
+        case 3:
+            return decryptV3(input.ciphertext, password, input.salt, {
+                mode: input.mode,
+                factor: input.factor,
+                backupCode: input.backupCode,
+                wrappedKey1: input.wrappedKey1,
+                wrappedKey2: input.wrappedKey2,
+            });
+        case 4:
+            return honeyDecrypt(input.data, password);
+    }
+}
+export async function upgrade(input, password, newPassword) {
+    const mnemonic = await decrypt(input, password);
+    if (!mnemonic)
+        return null;
+    if (!isValid(mnemonic))
+        return null;
+    return honeyEncrypt(mnemonic, newPassword ?? password);
+}

package/dist/honey.d.ts

@@ -0,0 +1,5 @@
+import type { HoneyEncryptedData } from './types.js';
+export declare function honeyEncrypt(mnemonic: string, password: string): Promise<Uint8Array>;
+export declare function honeyDecrypt(data: Uint8Array, password: string): Promise<string>;
+export declare function parseHoneyData(data: Uint8Array): HoneyEncryptedData;
+export declare function detectVersion(data: Uint8Array): number;

package/dist/honey.js

@@ -0,0 +1,66 @@
+import { deriveKey } from './kdf.js';
+import { mnemonicToBytes, bytesToMnemonic, isValid, getWordCount, entropyBytesForWordCount, } from './bip39-utils.js';
+const VERSION = 4;
+const SALT_LENGTH = 16;
+const VALID_WORD_COUNTS = new Set([12, 15, 18, 21, 24]);
+function xor(a, b) {
+    const result = new Uint8Array(a.length);
+    for (let i = 0; i < a.length; i++) {
+        result[i] = a[i] ^ b[i];
+    }
+    return result;
+}
+export async function honeyEncrypt(mnemonic, password) {
+    const normalized = mnemonic.trim().toLowerCase();
+    if (!isValid(normalized)) {
+        throw new Error('Invalid BIP-39 mnemonic');
+    }
+    const entropy = mnemonicToBytes(normalized);
+    const wordCount = getWordCount(normalized);
+    const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+    const mask = await deriveKey(password, salt, entropy.length);
+    const encryptedEntropy = xor(entropy, mask);
+    const result = new Uint8Array(2 + SALT_LENGTH + encryptedEntropy.length);
+    result[0] = VERSION;
+    result[1] = wordCount;
+    result.set(salt, 2);
+    result.set(encryptedEntropy, 2 + SALT_LENGTH);
+    return result;
+}
+export async function honeyDecrypt(data, password) {
+    if (data.length < 2 + SALT_LENGTH + 16) {
+        throw new Error('Invalid data: too short');
+    }
+    if (data[0] !== VERSION) {
+        throw new Error(`Unsupported version: ${data[0]}`);
+    }
+    const wordCount = data[1];
+    if (!VALID_WORD_COUNTS.has(wordCount)) {
+        throw new Error(`Invalid word count: ${wordCount}`);
+    }
+    const entropyLength = entropyBytesForWordCount(wordCount);
+    const expectedLength = 2 + SALT_LENGTH + entropyLength;
+    if (data.length < expectedLength) {
+        throw new Error('Invalid data: length mismatch');
+    }
+    const salt = data.slice(2, 2 + SALT_LENGTH);
+    const encryptedEntropy = data.slice(2 + SALT_LENGTH, expectedLength);
+    const mask = await deriveKey(password, salt, entropyLength);
+    const entropy = xor(encryptedEntropy, mask);
+    return bytesToMnemonic(entropy);
+}
+export function parseHoneyData(data) {
+    const wordCount = data[1];
+    const entropyLength = entropyBytesForWordCount(wordCount);
+    return {
+        version: 4,
+        wordCount: wordCount,
+        salt: data.slice(2, 2 + SALT_LENGTH),
+        encryptedEntropy: data.slice(2 + SALT_LENGTH, 2 + SALT_LENGTH + entropyLength),
+    };
+}
+export function detectVersion(data) {
+    if (data.length === 0)
+        throw new Error('Empty data');
+    return data[0];
+}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export { honeyEncrypt, honeyDecrypt, parseHoneyData, detectVersion } from './honey.js';
+export { decrypt, upgrade, type LegacyInput } from './decrypt.js';
+export { decryptV1, decryptV2, decryptV3 } from './legacy.js';
+export { isValid as isValidMnemonic } from './bip39-utils.js';
+export type { HoneyEncryptedData, WordCount, DecryptInput, V1DecryptInput, V2DecryptInput, V3DecryptInput, V4DecryptInput, } from './types.js';

package/dist/index.js

@@ -0,0 +1,4 @@
+export { honeyEncrypt, honeyDecrypt, parseHoneyData, detectVersion } from './honey.js';
+export { decrypt, upgrade } from './decrypt.js';
+export { decryptV1, decryptV2, decryptV3 } from './legacy.js';
+export { isValid as isValidMnemonic } from './bip39-utils.js';

package/dist/kdf.d.ts

@@ -0,0 +1 @@
+export declare function deriveKey(password: string, salt: Uint8Array, hashLength: number): Promise<Uint8Array>;

package/dist/kdf.js

@@ -0,0 +1,23 @@
+import { argon2id } from 'hash-wasm';
+const ARGON2_MEMORY = 65536; // 64 MB
+const ARGON2_ITERATIONS = 3;
+const ARGON2_PARALLELISM = 1;
+function hexToBytes(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < bytes.length; i++) {
+        bytes[i] = parseInt(hex.substring(i * 2, i * 2 + 2), 16);
+    }
+    return bytes;
+}
+export async function deriveKey(password, salt, hashLength) {
+    const hex = await argon2id({
+        password,
+        salt,
+        parallelism: ARGON2_PARALLELISM,
+        iterations: ARGON2_ITERATIONS,
+        memorySize: ARGON2_MEMORY,
+        hashLength,
+        outputType: 'hex',
+    });
+    return hexToBytes(hex);
+}

package/dist/legacy.d.ts

@@ -0,0 +1,9 @@
+export declare function decryptV1(ciphertext: string, password: string): string | null;
+export declare function decryptV2(ciphertext: string, password: string, pepper: string): string | null;
+export declare function decryptV3(ciphertext: Uint8Array, password: string, salt: Uint8Array, options?: {
+    mode?: string;
+    factor?: string;
+    backupCode?: string;
+    wrappedKey1?: Uint8Array;
+    wrappedKey2?: Uint8Array;
+}): Promise<string | null>;

package/dist/legacy.js

@@ -0,0 +1,95 @@
+import CryptoJS from 'crypto-js';
+import { deriveKey } from './kdf.js';
+function toArrayBuffer(arr) {
+    const buf = new ArrayBuffer(arr.byteLength);
+    new Uint8Array(buf).set(arr);
+    return buf;
+}
+// --- V1/V2: CryptoJS AES (OpenSSL format, EvpKDF) ---
+export function decryptV1(ciphertext, password) {
+    const candidates = [ciphertext];
+    try {
+        candidates.push(decodeURIComponent(ciphertext));
+    }
+    catch { }
+    if (ciphertext.includes('%25')) {
+        try {
+            candidates.push(decodeURIComponent(decodeURIComponent(ciphertext)));
+        }
+        catch { }
+    }
+    for (const candidate of candidates) {
+        try {
+            const decrypted = CryptoJS.AES.decrypt(candidate, password);
+            const result = decrypted.toString(CryptoJS.enc.Utf8);
+            if (result && !/[\x00-\x08\x0E-\x1F]/.test(result)) {
+                return result;
+            }
+        }
+        catch { }
+    }
+    return null;
+}
+export function decryptV2(ciphertext, password, pepper) {
+    return decryptV1(ciphertext, password + ':' + pepper);
+}
+// --- V3: AES-256-GCM + Argon2id ---
+async function aesGcmDecryptBytes(data, keyBytes) {
+    try {
+        const key = await crypto.subtle.importKey('raw', toArrayBuffer(keyBytes), { name: 'AES-GCM' }, false, ['decrypt']);
+        const iv = data.slice(0, 12);
+        const ct = data.slice(12);
+        const result = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: toArrayBuffer(iv) }, key, toArrayBuffer(ct));
+        return new Uint8Array(result);
+    }
+    catch {
+        return null;
+    }
+}
+async function aesGcmDecryptText(data, keyBytes) {
+    const bytes = await aesGcmDecryptBytes(data, keyBytes);
+    if (!bytes)
+        return null;
+    return new TextDecoder().decode(bytes);
+}
+export async function decryptV3(ciphertext, password, salt, options) {
+    const mode = options?.mode || 'a';
+    if (mode === 'a') {
+        const keyBytes = await deriveKey(password, salt, 32);
+        return aesGcmDecryptText(ciphertext, keyBytes);
+    }
+    if (mode === 'b') {
+        if (!options?.factor)
+            return null;
+        const keyBytes = await deriveKey(password + '|' + options.factor, salt, 32);
+        return aesGcmDecryptText(ciphertext, keyBytes);
+    }
+    if (mode === 'c') {
+        if (!options?.backupCode)
+            return null;
+        const keyBytes = await deriveKey(password + '|' + options.backupCode, salt, 32);
+        return aesGcmDecryptText(ciphertext, keyBytes);
+    }
+    if (mode === 'd') {
+        if (options?.factor && options?.wrappedKey1) {
+            const key1 = await deriveKey(password + '|' + options.factor, salt, 32);
+            const dek = await aesGcmDecryptBytes(options.wrappedKey1, key1);
+            if (dek) {
+                const result = await aesGcmDecryptText(ciphertext, dek);
+                if (result)
+                    return result;
+            }
+        }
+        if (options?.backupCode && options?.wrappedKey2) {
+            const key2 = await deriveKey(password + '|' + options.backupCode, salt, 32);
+            const dek = await aesGcmDecryptBytes(options.wrappedKey2, key2);
+            if (dek) {
+                const result = await aesGcmDecryptText(ciphertext, dek);
+                if (result)
+                    return result;
+            }
+        }
+        return null;
+    }
+    return null;
+}

package/dist/types.d.ts

@@ -0,0 +1,31 @@
+export type WordCount = 12 | 15 | 18 | 21 | 24;
+export interface HoneyEncryptedData {
+    version: 4;
+    wordCount: WordCount;
+    salt: Uint8Array;
+    encryptedEntropy: Uint8Array;
+}
+export interface V1DecryptInput {
+    version: 1;
+    ciphertext: string;
+}
+export interface V2DecryptInput {
+    version: 2;
+    ciphertext: string;
+    pepper: string;
+}
+export interface V3DecryptInput {
+    version: 3;
+    ciphertext: Uint8Array;
+    salt: Uint8Array;
+    mode: 'a' | 'b' | 'c' | 'd';
+    factor?: string;
+    backupCode?: string;
+    wrappedKey1?: Uint8Array;
+    wrappedKey2?: Uint8Array;
+}
+export interface V4DecryptInput {
+    version: 4;
+    data: Uint8Array;
+}
+export type DecryptInput = V1DecryptInput | V2DecryptInput | V3DecryptInput | V4DecryptInput;

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@norionsoft/m2qr",
+  "version": "0.3.0",
+  "description": "Honey encryption for BIP-39 mnemonic phrases - every password decrypts to a valid mnemonic",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "ABOUT.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "tsx test/test.ts",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "encryption",
+    "honey-encryption",
+    "bip39",
+    "mnemonic",
+    "wallet",
+    "crypto",
+    "qr"
+  ],
+  "author": "Alex",
+  "license": "MIT",
+  "dependencies": {
+    "@scure/bip39": "^1.5.4",
+    "crypto-js": "^4.2.0",
+    "hash-wasm": "^4.12.0"
+  },
+  "devDependencies": {
+    "@types/crypto-js": "^4.2.2",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}