@omnituum/pqc-shared 0.2.6

package/dist/fs/index.js

@@ -0,0 +1,1091 @@
+import { argon2id } from 'hash-wasm';
+import { sha256 as sha256$1 } from '@noble/hashes/sha256';
+import { hmac } from '@noble/hashes/hmac';
+import nacl2 from 'tweetnacl';
+
+// src/fs/types.ts
+var OQE_MAGIC = new Uint8Array([79, 81, 69, 70]);
+var OQE_FORMAT_VERSION = 1;
+var ALGORITHM_SUITES = {
+  /** Hybrid: X25519 ECDH + Kyber768 KEM + AES-256-GCM */
+  HYBRID_X25519_KYBER768_AES256GCM: 1,
+  /** Password: Argon2id + AES-256-GCM */
+  PASSWORD_ARGON2ID_AES256GCM: 2
+};
+var DEFAULT_ARGON2ID_PARAMS = {
+  memoryCost: 65536,
+  // 64 MB
+  timeCost: 3,
+  parallelism: 4,
+  hashLength: 32,
+  saltLength: 32
+};
+var MIN_ARGON2ID_PARAMS = {
+  memoryCost: 19456,
+  // ~19 MB (OWASP minimum)
+  timeCost: 2,
+  parallelism: 1,
+  hashLength: 32,
+  saltLength: 32
+};
+var OQE_HEADER_SIZE = 30;
+var OQEError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "OQEError";
+  }
+};
+async function toUint8Array(input) {
+  if (input instanceof Uint8Array) {
+    return input;
+  }
+  if (input instanceof ArrayBuffer) {
+    return new Uint8Array(input);
+  }
+  const buffer = await input.arrayBuffer();
+  return new Uint8Array(buffer);
+}
+var textEncoder = new TextEncoder();
+var textDecoder = new TextDecoder();
+function toB64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function fromB64(str) {
+  const binary = atob(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function fromHex(hex) {
+  const s = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const normalized = s.length % 2 ? "0" + s : s;
+  const out = new Uint8Array(normalized.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    out[i] = parseInt(normalized.slice(i * 2, i * 2 + 2), 16);
+  }
+  return out;
+}
+function rand32() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(32));
+}
+function rand24() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(24));
+}
+function rand12() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(12));
+}
+function randN(n) {
+  return globalThis.crypto.getRandomValues(new Uint8Array(n));
+}
+function sha256(bytes) {
+  return sha256$1(bytes);
+}
+function hkdfSha256(ikm, opts) {
+  const salt = opts?.salt ?? new Uint8Array(32);
+  const info = opts?.info ?? new Uint8Array(0);
+  const L = opts?.length ?? 32;
+  const prk = hmac(sha256$1, salt, ikm);
+  let t = new Uint8Array(0);
+  const chunks = [];
+  for (let i = 1; i <= Math.ceil(L / 32); i++) {
+    const input = new Uint8Array(t.length + info.length + 1);
+    input.set(t, 0);
+    input.set(info, t.length);
+    input[input.length - 1] = i;
+    t = new Uint8Array(hmac(sha256$1, prk, input));
+    chunks.push(t);
+  }
+  const out = new Uint8Array(L);
+  let off = 0;
+  for (const c of chunks) {
+    out.set(c.subarray(0, L - off), off);
+    off += c.length;
+    if (off >= L) break;
+  }
+  return out;
+}
+var ub64 = fromB64;
+var u8 = (s) => typeof s === "string" ? textEncoder.encode(s) : s;
+
+// src/fs/argon2.ts
+async function deriveKeyFromPassword(password, salt, params = DEFAULT_ARGON2ID_PARAMS) {
+  if (salt.length !== params.saltLength) {
+    throw new Error(`Salt must be ${params.saltLength} bytes, got ${salt.length}`);
+  }
+  const hash = await argon2id({
+    password,
+    salt,
+    parallelism: params.parallelism,
+    iterations: params.timeCost,
+    memorySize: params.memoryCost,
+    hashLength: params.hashLength,
+    outputType: "binary"
+  });
+  return new Uint8Array(hash);
+}
+function generateArgon2Salt(length = 32) {
+  return randN(length);
+}
+async function verifyPassword(password, salt, expectedKey, params = DEFAULT_ARGON2ID_PARAMS) {
+  const derivedKey = await deriveKeyFromPassword(password, salt, params);
+  if (derivedKey.length !== expectedKey.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < derivedKey.length; i++) {
+    result |= derivedKey[i] ^ expectedKey[i];
+  }
+  return result === 0;
+}
+function estimateArgon2Params(targetTimeMs = 1e3, availableMemoryMB = 64) {
+  const params = { ...MIN_ARGON2ID_PARAMS };
+  const maxMemoryKB = Math.min(availableMemoryMB * 1024, 65536);
+  params.memoryCost = Math.max(MIN_ARGON2ID_PARAMS.memoryCost, maxMemoryKB);
+  params.parallelism = Math.min(4, navigator.hardwareConcurrency || 1);
+  const estimatedIterations = Math.max(2, Math.floor(targetTimeMs / 300));
+  params.timeCost = Math.min(estimatedIterations, 10);
+  return params;
+}
+async function benchmarkArgon2(params = DEFAULT_ARGON2ID_PARAMS) {
+  const testPassword = "benchmark-test-password";
+  const testSalt = generateArgon2Salt(params.saltLength);
+  const start = performance.now();
+  await deriveKeyFromPassword(testPassword, testSalt, params);
+  const end = performance.now();
+  return end - start;
+}
+var _argon2Available = null;
+async function isArgon2Available() {
+  if (_argon2Available !== null) {
+    return _argon2Available;
+  }
+  try {
+    await argon2id({
+      password: "test",
+      salt: new Uint8Array(16),
+      parallelism: 1,
+      iterations: 1,
+      memorySize: 1024,
+      // 1 MB
+      hashLength: 32,
+      outputType: "binary"
+    });
+    _argon2Available = true;
+  } catch {
+    _argon2Available = false;
+  }
+  return _argon2Available;
+}
+
+// src/fs/aes.ts
+function toArrayBuffer(arr) {
+  if (arr.buffer instanceof SharedArrayBuffer || arr.byteOffset !== 0 || arr.byteLength !== arr.buffer.byteLength) {
+    const copy = new ArrayBuffer(arr.byteLength);
+    new Uint8Array(copy).set(arr);
+    return copy;
+  }
+  return arr.buffer;
+}
+var AES_KEY_SIZE = 32;
+var AES_GCM_IV_SIZE = 12;
+var AES_GCM_TAG_SIZE = 16;
+async function importAesKey(keyBytes) {
+  if (keyBytes.length !== AES_KEY_SIZE) {
+    throw new Error(`AES key must be ${AES_KEY_SIZE} bytes, got ${keyBytes.length}`);
+  }
+  return globalThis.crypto.subtle.importKey(
+    "raw",
+    toArrayBuffer(keyBytes),
+    { name: "AES-GCM", length: 256 },
+    false,
+    // not extractable
+    ["encrypt", "decrypt"]
+  );
+}
+async function generateAesKey() {
+  return globalThis.crypto.subtle.generateKey(
+    { name: "AES-GCM", length: 256 },
+    true,
+    // extractable for wrapping
+    ["encrypt", "decrypt"]
+  );
+}
+async function exportAesKey(key) {
+  const exported = await globalThis.crypto.subtle.exportKey("raw", key);
+  return new Uint8Array(exported);
+}
+async function aesEncrypt(plaintext, key, iv, additionalData) {
+  const cryptoKey = key instanceof CryptoKey ? key : await importAesKey(key);
+  const ivBytes = iv ?? rand12();
+  if (ivBytes.length !== AES_GCM_IV_SIZE) {
+    throw new Error(`IV must be ${AES_GCM_IV_SIZE} bytes, got ${ivBytes.length}`);
+  }
+  const encrypted = await globalThis.crypto.subtle.encrypt(
+    {
+      name: "AES-GCM",
+      iv: toArrayBuffer(ivBytes),
+      additionalData: additionalData ? toArrayBuffer(additionalData) : void 0,
+      tagLength: 128
+      // 16 bytes
+    },
+    cryptoKey,
+    toArrayBuffer(plaintext)
+  );
+  return {
+    iv: ivBytes,
+    ciphertext: new Uint8Array(encrypted)
+    // Includes auth tag
+  };
+}
+async function aesEncryptCombined(plaintext, key, additionalData) {
+  const { iv, ciphertext } = await aesEncrypt(plaintext, key, void 0, additionalData);
+  const combined = new Uint8Array(iv.length + ciphertext.length);
+  combined.set(iv, 0);
+  combined.set(ciphertext, iv.length);
+  return combined;
+}
+async function aesDecrypt(ciphertext, key, iv, additionalData) {
+  const cryptoKey = key instanceof CryptoKey ? key : await importAesKey(key);
+  if (iv.length !== AES_GCM_IV_SIZE) {
+    throw new Error(`IV must be ${AES_GCM_IV_SIZE} bytes, got ${iv.length}`);
+  }
+  try {
+    const decrypted = await globalThis.crypto.subtle.decrypt(
+      {
+        name: "AES-GCM",
+        iv: toArrayBuffer(iv),
+        additionalData: additionalData ? toArrayBuffer(additionalData) : void 0,
+        tagLength: 128
+      },
+      cryptoKey,
+      toArrayBuffer(ciphertext)
+    );
+    return new Uint8Array(decrypted);
+  } catch (error) {
+    throw new Error("Decryption failed: authentication tag mismatch (wrong key or corrupted data)");
+  }
+}
+async function aesDecryptCombined(combined, key, additionalData) {
+  if (combined.length < AES_GCM_IV_SIZE + AES_GCM_TAG_SIZE) {
+    throw new Error(`Combined data too short: need at least ${AES_GCM_IV_SIZE + AES_GCM_TAG_SIZE} bytes`);
+  }
+  const iv = combined.slice(0, AES_GCM_IV_SIZE);
+  const ciphertext = combined.slice(AES_GCM_IV_SIZE);
+  return aesDecrypt(ciphertext, key, iv, additionalData);
+}
+var STREAM_CHUNK_SIZE = 1024 * 1024;
+async function aesEncryptStreaming(plaintext, key, onProgress) {
+  const cryptoKey = key instanceof CryptoKey ? key : await importAesKey(key);
+  const chunks = [];
+  const totalChunks = Math.ceil(plaintext.length / STREAM_CHUNK_SIZE);
+  const header = new Uint8Array(4);
+  new DataView(header.buffer).setUint32(0, totalChunks, false);
+  chunks.push(header);
+  for (let i = 0; i < totalChunks; i++) {
+    const start = i * STREAM_CHUNK_SIZE;
+    const end = Math.min(start + STREAM_CHUNK_SIZE, plaintext.length);
+    const chunk = plaintext.slice(start, end);
+    const { iv, ciphertext } = await aesEncrypt(chunk, cryptoKey);
+    const chunkData = new Uint8Array(12 + 4 + ciphertext.length);
+    chunkData.set(iv, 0);
+    new DataView(chunkData.buffer).setUint32(12, ciphertext.length, false);
+    chunkData.set(ciphertext, 16);
+    chunks.push(chunkData);
+    if (onProgress) {
+      onProgress(Math.round((i + 1) / totalChunks * 100));
+    }
+  }
+  const totalLength = chunks.reduce((sum, c) => sum + c.length, 0);
+  const result = new Uint8Array(totalLength);
+  let offset = 0;
+  for (const chunk of chunks) {
+    result.set(chunk, offset);
+    offset += chunk.length;
+  }
+  return result;
+}
+async function aesDecryptStreaming(encrypted, key, onProgress) {
+  const cryptoKey = key instanceof CryptoKey ? key : await importAesKey(key);
+  const totalChunks = new DataView(encrypted.buffer, encrypted.byteOffset).getUint32(0, false);
+  const chunks = [];
+  let offset = 4;
+  for (let i = 0; i < totalChunks; i++) {
+    const iv = encrypted.slice(offset, offset + 12);
+    offset += 12;
+    const ctLength = new DataView(encrypted.buffer, encrypted.byteOffset + offset).getUint32(0, false);
+    offset += 4;
+    const ciphertext = encrypted.slice(offset, offset + ctLength);
+    offset += ctLength;
+    const plaintext = await aesDecrypt(ciphertext, cryptoKey, iv);
+    chunks.push(plaintext);
+    if (onProgress) {
+      onProgress(Math.round((i + 1) / totalChunks * 100));
+    }
+  }
+  const totalLength = chunks.reduce((sum, c) => sum + c.length, 0);
+  const result = new Uint8Array(totalLength);
+  let resultOffset = 0;
+  for (const chunk of chunks) {
+    result.set(chunk, resultOffset);
+    resultOffset += chunk.length;
+  }
+  return result;
+}
+
+// src/fs/format.ts
+function writeUint32BE(value) {
+  const buffer = new ArrayBuffer(4);
+  new DataView(buffer).setUint32(0, value, false);
+  return new Uint8Array(buffer);
+}
+function readUint32BE(data, offset) {
+  return new DataView(data.buffer, data.byteOffset + offset).getUint32(0, false);
+}
+function writeUint16BE(value) {
+  const buffer = new ArrayBuffer(2);
+  new DataView(buffer).setUint16(0, value, false);
+  return new Uint8Array(buffer);
+}
+function readUint16BE(data, offset) {
+  return new DataView(data.buffer, data.byteOffset + offset).getUint16(0, false);
+}
+function writeOQEHeader(header) {
+  const buffer = new Uint8Array(OQE_HEADER_SIZE);
+  let offset = 0;
+  buffer.set(OQE_MAGIC, offset);
+  offset += 4;
+  buffer[offset++] = header.version;
+  buffer[offset++] = header.algorithmSuite;
+  buffer.set(writeUint32BE(header.flags), offset);
+  offset += 4;
+  buffer.set(writeUint32BE(header.metadataLength), offset);
+  offset += 4;
+  buffer.set(writeUint32BE(header.keyMaterialLength), offset);
+  offset += 4;
+  buffer.set(header.iv, offset);
+  return buffer;
+}
+function parseOQEHeader(data) {
+  if (data.length < OQE_HEADER_SIZE) {
+    throw new OQEError("INVALID_HEADER", `File too small: need ${OQE_HEADER_SIZE} bytes, got ${data.length}`);
+  }
+  let offset = 0;
+  const magic = data.slice(0, 4);
+  if (!magic.every((b, i) => b === OQE_MAGIC[i])) {
+    throw new OQEError("INVALID_MAGIC", "Not a valid OQE file (invalid magic bytes)");
+  }
+  offset += 4;
+  const version = data[offset++];
+  if (version !== OQE_FORMAT_VERSION) {
+    throw new OQEError("UNSUPPORTED_VERSION", `Unsupported OQE version: ${version}`);
+  }
+  const algorithmSuiteRaw = data[offset++];
+  if (algorithmSuiteRaw !== ALGORITHM_SUITES.HYBRID_X25519_KYBER768_AES256GCM && algorithmSuiteRaw !== ALGORITHM_SUITES.PASSWORD_ARGON2ID_AES256GCM) {
+    throw new OQEError("UNSUPPORTED_ALGORITHM", `Unsupported algorithm suite: 0x${algorithmSuiteRaw.toString(16)}`);
+  }
+  const algorithmSuite = algorithmSuiteRaw;
+  const flags = readUint32BE(data, offset);
+  offset += 4;
+  const metadataLength = readUint32BE(data, offset);
+  offset += 4;
+  const keyMaterialLength = readUint32BE(data, offset);
+  offset += 4;
+  const iv = data.slice(offset, offset + 12);
+  return {
+    version,
+    algorithmSuite,
+    flags,
+    metadataLength,
+    keyMaterialLength,
+    iv
+  };
+}
+function serializeHybridKeyMaterial(km) {
+  const parts = [];
+  parts.push(km.x25519EphemeralPk);
+  parts.push(km.x25519Nonce);
+  parts.push(writeUint16BE(km.x25519WrappedKey.length));
+  parts.push(km.x25519WrappedKey);
+  parts.push(writeUint16BE(km.kyberCiphertext.length));
+  parts.push(km.kyberCiphertext);
+  parts.push(km.kyberNonce);
+  parts.push(writeUint16BE(km.kyberWrappedKey.length));
+  parts.push(km.kyberWrappedKey);
+  const totalLength = parts.reduce((sum, p) => sum + p.length, 0);
+  const result = new Uint8Array(totalLength);
+  let offset = 0;
+  for (const part of parts) {
+    result.set(part, offset);
+    offset += part.length;
+  }
+  return result;
+}
+function parseHybridKeyMaterial(data) {
+  let offset = 0;
+  const x25519EphemeralPk = data.slice(offset, offset + 32);
+  offset += 32;
+  const x25519Nonce = data.slice(offset, offset + 24);
+  offset += 24;
+  const x25519WrappedLen = readUint16BE(data, offset);
+  offset += 2;
+  const x25519WrappedKey = data.slice(offset, offset + x25519WrappedLen);
+  offset += x25519WrappedLen;
+  const kyberCtLen = readUint16BE(data, offset);
+  offset += 2;
+  const kyberCiphertext = data.slice(offset, offset + kyberCtLen);
+  offset += kyberCtLen;
+  const kyberNonce = data.slice(offset, offset + 24);
+  offset += 24;
+  const kyberWrappedLen = readUint16BE(data, offset);
+  offset += 2;
+  const kyberWrappedKey = data.slice(offset, offset + kyberWrappedLen);
+  return {
+    x25519EphemeralPk,
+    x25519Nonce,
+    x25519WrappedKey,
+    kyberCiphertext,
+    kyberNonce,
+    kyberWrappedKey
+  };
+}
+function serializePasswordKeyMaterial(km) {
+  const result = new Uint8Array(32 + 4 + 4 + 4);
+  result.set(km.salt, 0);
+  result.set(writeUint32BE(km.memoryCost), 32);
+  result.set(writeUint32BE(km.timeCost), 36);
+  result.set(writeUint32BE(km.parallelism), 40);
+  return result;
+}
+function parsePasswordKeyMaterial(data) {
+  return {
+    salt: data.slice(0, 32),
+    memoryCost: readUint32BE(data, 32),
+    timeCost: readUint32BE(data, 36),
+    parallelism: readUint32BE(data, 40)
+  };
+}
+function serializeMetadata(metadata) {
+  const json = JSON.stringify(metadata);
+  return textEncoder.encode(json);
+}
+function parseMetadata(data) {
+  const json = textDecoder.decode(data);
+  return JSON.parse(json);
+}
+function assembleOQEFile(components) {
+  const { header, keyMaterial, encryptedMetadata, encryptedContent } = components;
+  const headerBytes = writeOQEHeader(header);
+  const totalLength = headerBytes.length + keyMaterial.length + encryptedMetadata.length + encryptedContent.length;
+  const result = new Uint8Array(totalLength);
+  let offset = 0;
+  result.set(headerBytes, offset);
+  offset += headerBytes.length;
+  result.set(keyMaterial, offset);
+  offset += keyMaterial.length;
+  result.set(encryptedMetadata, offset);
+  offset += encryptedMetadata.length;
+  result.set(encryptedContent, offset);
+  return result;
+}
+function parseOQEFile(data) {
+  const header = parseOQEHeader(data);
+  let offset = OQE_HEADER_SIZE;
+  const keyMaterial = data.slice(offset, offset + header.keyMaterialLength);
+  offset += header.keyMaterialLength;
+  const encryptedMetadata = data.slice(offset, offset + header.metadataLength);
+  offset += header.metadataLength;
+  const encryptedContent = data.slice(offset);
+  return {
+    header,
+    keyMaterial,
+    encryptedMetadata,
+    encryptedContent
+  };
+}
+var OQE_EXTENSION = ".oqe";
+function addOQEExtension(filename) {
+  if (filename.toLowerCase().endsWith(OQE_EXTENSION)) {
+    return filename;
+  }
+  return `${filename}${OQE_EXTENSION}`;
+}
+function removeOQEExtension(filename) {
+  if (filename.toLowerCase().endsWith(OQE_EXTENSION)) {
+    return filename.slice(0, -OQE_EXTENSION.length);
+  }
+  return filename;
+}
+function isOQEFile(filenameOrData) {
+  if (typeof filenameOrData === "string") {
+    return filenameOrData.toLowerCase().endsWith(OQE_EXTENSION);
+  }
+  if (filenameOrData.length < 4) return false;
+  return filenameOrData.slice(0, 4).every((b, i) => b === OQE_MAGIC[i]);
+}
+var OQE_MIME_TYPE = "application/x-omnituum-encrypted";
+function getAlgorithmName(suiteId) {
+  if (suiteId === ALGORITHM_SUITES.HYBRID_X25519_KYBER768_AES256GCM) {
+    return "Hybrid (X25519 + Kyber768 + AES-256-GCM)";
+  }
+  if (suiteId === ALGORITHM_SUITES.PASSWORD_ARGON2ID_AES256GCM) {
+    return "Password (Argon2id + AES-256-GCM)";
+  }
+  return `Unknown (0x${suiteId.toString(16)})`;
+}
+var kyberModule = null;
+async function loadKyber() {
+  if (kyberModule) return kyberModule;
+  try {
+    const m = await import('kyber-crystals');
+    const k = m.default ?? m;
+    kyberModule = k.kyber ?? k;
+    return kyberModule;
+  } catch (e) {
+    console.warn("[Kyber] Failed to load kyber-crystals:", e);
+    return null;
+  }
+}
+async function isKyberAvailable() {
+  const mod = await loadKyber();
+  return mod !== null;
+}
+async function kyberEncapsulate(pubKeyB64) {
+  const kyber = await loadKyber();
+  if (!kyber?.encrypt) {
+    throw new Error("Kyber encrypt not available");
+  }
+  const pk = ub64(pubKeyB64);
+  const r = await kyber.encrypt(pk);
+  const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
+  const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
+  if (!ctRaw || !ssRaw) {
+    throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
+  }
+  return {
+    ciphertext: new Uint8Array(ctRaw),
+    sharedSecret: new Uint8Array(ssRaw)
+  };
+}
+async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
+  const kyber = await loadKyber();
+  if (!kyber?.decrypt && !kyber?.decapsulate) {
+    throw new Error("Kyber decrypt/decapsulate not available");
+  }
+  const ct = ub64(kemCiphertextB64);
+  const sk = ub64(secretKeyB64);
+  const r = kyber.decrypt ? await kyber.decrypt(ct, sk) : await kyber.decapsulate(ct, sk);
+  const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
+  return new Uint8Array(key);
+}
+
+// src/fs/encrypt.ts
+function hkdfFlex(ikm, salt, info) {
+  return hkdfSha256(ikm, { salt: u8(salt), info: u8(info), length: 32 });
+}
+function computeIdentityHash(publicKeyHex) {
+  const hash = sha256(fromHex(publicKeyHex));
+  return toHex(hash).slice(0, 16);
+}
+async function encryptHybrid(plaintext, metadata, options) {
+  if (!await isKyberAvailable()) {
+    throw new OQEError("KYBER_UNAVAILABLE", "Kyber library not available in this environment");
+  }
+  const contentKey = rand32();
+  const iv = rand12();
+  const x25519EphKp = nacl2.box.keyPair();
+  const recipientX25519Pk = fromHex(options.recipientPublicKeys.x25519PubHex);
+  const x25519Shared = nacl2.scalarMult(x25519EphKp.secretKey, recipientX25519Pk);
+  const x25519Kek = hkdfFlex(x25519Shared, "omnituum/fs/x25519", "wrap-content-key");
+  const x25519Nonce = rand24();
+  const x25519WrappedKey = nacl2.secretbox(contentKey, x25519Nonce, x25519Kek);
+  const kyberResult = await kyberEncapsulate(options.recipientPublicKeys.kyberPubB64);
+  const kyberKek = hkdfFlex(kyberResult.sharedSecret, "omnituum/fs/kyber", "wrap-content-key");
+  const kyberNonce = rand24();
+  const kyberWrappedKey = nacl2.secretbox(contentKey, kyberNonce, kyberKek);
+  const keyMaterial = {
+    x25519EphemeralPk: x25519EphKp.publicKey,
+    x25519Nonce,
+    x25519WrappedKey,
+    kyberCiphertext: kyberResult.ciphertext,
+    kyberNonce,
+    kyberWrappedKey
+  };
+  const keyMaterialBytes = serializeHybridKeyMaterial(keyMaterial);
+  const metadataBytes = serializeMetadata(metadata);
+  const { ciphertext: encryptedMetadata } = await aesEncrypt(metadataBytes, contentKey, iv);
+  const { ciphertext: encryptedContent } = await aesEncrypt(plaintext, contentKey, iv);
+  const header = {
+    version: OQE_FORMAT_VERSION,
+    algorithmSuite: ALGORITHM_SUITES.HYBRID_X25519_KYBER768_AES256GCM,
+    flags: 0,
+    metadataLength: encryptedMetadata.length,
+    keyMaterialLength: keyMaterialBytes.length,
+    iv
+  };
+  const fileData = assembleOQEFile({
+    header,
+    keyMaterial: keyMaterialBytes,
+    encryptedMetadata,
+    encryptedContent
+  });
+  return {
+    data: fileData,
+    filename: addOQEExtension(metadata.filename),
+    metadata,
+    mode: "hybrid"
+  };
+}
+async function encryptPassword(plaintext, metadata, options) {
+  if (!await isArgon2Available()) {
+    throw new OQEError("ARGON2_UNAVAILABLE", "Argon2 library not available in this environment");
+  }
+  const params = {
+    ...DEFAULT_ARGON2ID_PARAMS,
+    ...options.argon2Params
+  };
+  const salt = generateArgon2Salt(params.saltLength);
+  const contentKey = await deriveKeyFromPassword(options.password, salt, params);
+  const iv = rand12();
+  const keyMaterial = {
+    salt,
+    memoryCost: params.memoryCost,
+    timeCost: params.timeCost,
+    parallelism: params.parallelism
+  };
+  const keyMaterialBytes = serializePasswordKeyMaterial(keyMaterial);
+  const metadataBytes = serializeMetadata(metadata);
+  const { ciphertext: encryptedMetadata } = await aesEncrypt(metadataBytes, contentKey, iv);
+  const { ciphertext: encryptedContent } = await aesEncrypt(plaintext, contentKey, iv);
+  const header = {
+    version: OQE_FORMAT_VERSION,
+    algorithmSuite: ALGORITHM_SUITES.PASSWORD_ARGON2ID_AES256GCM,
+    flags: 0,
+    metadataLength: encryptedMetadata.length,
+    keyMaterialLength: keyMaterialBytes.length,
+    iv
+  };
+  const fileData = assembleOQEFile({
+    header,
+    keyMaterial: keyMaterialBytes,
+    encryptedMetadata,
+    encryptedContent
+  });
+  return {
+    data: fileData,
+    filename: addOQEExtension(metadata.filename),
+    metadata,
+    mode: "password"
+  };
+}
+async function encryptFile(input, options) {
+  const plaintext = await toUint8Array(input.data);
+  const metadata = {
+    filename: input.filename,
+    originalSize: plaintext.length,
+    mimeType: input.mimeType,
+    encryptedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  if (options.mode === "hybrid") {
+    metadata.recipientIdHash = computeIdentityHash(options.recipientPublicKeys.x25519PubHex);
+    if (options.sender) {
+      metadata.encryptorIdHash = options.sender.id;
+    }
+  }
+  if (options.mode === "hybrid") {
+    return encryptHybrid(plaintext, metadata, options);
+  } else {
+    return encryptPassword(plaintext, metadata, options);
+  }
+}
+async function encryptFileForSelf(input, identity) {
+  return encryptFile(input, {
+    mode: "hybrid",
+    recipientPublicKeys: {
+      x25519PubHex: identity.x25519PubHex,
+      kyberPubB64: identity.kyberPubB64
+    },
+    sender: {
+      id: identity.id,
+      name: identity.name
+    }
+  });
+}
+async function encryptFileWithPassword(input, password) {
+  return encryptFile(input, {
+    mode: "password",
+    password
+  });
+}
+function hkdfFlex2(ikm, salt, info) {
+  return hkdfSha256(ikm, { salt: u8(salt), info: u8(info), length: 32 });
+}
+async function decryptHybrid(encryptedData, options) {
+  const { header, keyMaterial, encryptedMetadata, encryptedContent } = parseOQEFile(encryptedData);
+  if (header.algorithmSuite !== ALGORITHM_SUITES.HYBRID_X25519_KYBER768_AES256GCM) {
+    throw new OQEError(
+      "UNSUPPORTED_ALGORITHM",
+      "This file was not encrypted with hybrid mode. Use password decryption."
+    );
+  }
+  const km = parseHybridKeyMaterial(keyMaterial);
+  let contentKey = null;
+  if (await isKyberAvailable()) {
+    try {
+      const kyberShared = await kyberDecapsulate(
+        toB64(km.kyberCiphertext),
+        options.recipientSecretKeys.kyberSecB64
+      );
+      const kyberKek = hkdfFlex2(kyberShared, "omnituum/fs/kyber", "wrap-content-key");
+      const unwrapped = nacl2.secretbox.open(km.kyberWrappedKey, km.kyberNonce, kyberKek);
+      if (unwrapped) {
+        contentKey = unwrapped;
+        console.log("[OQE] Decrypted content key via Kyber (post-quantum secure)");
+      }
+    } catch (e) {
+      console.warn("[OQE] Kyber decapsulation failed, trying X25519:", e);
+    }
+  }
+  if (!contentKey) {
+    try {
+      const ephPk = km.x25519EphemeralPk;
+      const sk = fromHex(options.recipientSecretKeys.x25519SecHex);
+      const x25519Shared = nacl2.scalarMult(sk, ephPk);
+      const x25519Kek = hkdfFlex2(x25519Shared, "omnituum/fs/x25519", "wrap-content-key");
+      const unwrapped = nacl2.secretbox.open(km.x25519WrappedKey, km.x25519Nonce, x25519Kek);
+      if (unwrapped) {
+        contentKey = unwrapped;
+        console.log("[OQE] Decrypted content key via X25519 (classical)");
+      }
+    } catch (e) {
+      console.warn("[OQE] X25519 decryption failed:", e);
+    }
+  }
+  if (!contentKey) {
+    throw new OQEError("KEY_UNWRAP_FAILED", "Could not unwrap content key with provided keys");
+  }
+  let metadata;
+  try {
+    const metadataBytes = await aesDecrypt(encryptedMetadata, contentKey, header.iv);
+    metadata = parseMetadata(metadataBytes);
+  } catch (e) {
+    throw new OQEError("DECRYPTION_FAILED", "Failed to decrypt file metadata");
+  }
+  let plaintext;
+  try {
+    plaintext = await aesDecrypt(encryptedContent, contentKey, header.iv);
+  } catch (e) {
+    throw new OQEError("DECRYPTION_FAILED", "Failed to decrypt file content");
+  }
+  return {
+    data: plaintext,
+    filename: metadata.filename,
+    mimeType: metadata.mimeType,
+    originalSize: metadata.originalSize,
+    metadata,
+    mode: "hybrid"
+  };
+}
+async function decryptPassword(encryptedData, options) {
+  if (!await isArgon2Available()) {
+    throw new OQEError("ARGON2_UNAVAILABLE", "Argon2 library not available in this environment");
+  }
+  const { header, keyMaterial, encryptedMetadata, encryptedContent } = parseOQEFile(encryptedData);
+  if (header.algorithmSuite !== ALGORITHM_SUITES.PASSWORD_ARGON2ID_AES256GCM) {
+    throw new OQEError(
+      "UNSUPPORTED_ALGORITHM",
+      "This file was not encrypted with password mode. Use hybrid decryption."
+    );
+  }
+  const km = parsePasswordKeyMaterial(keyMaterial);
+  const contentKey = await deriveKeyFromPassword(options.password, km.salt, {
+    memoryCost: km.memoryCost,
+    timeCost: km.timeCost,
+    parallelism: km.parallelism,
+    hashLength: 32,
+    saltLength: km.salt.length
+  });
+  let metadata;
+  try {
+    const metadataBytes = await aesDecrypt(encryptedMetadata, contentKey, header.iv);
+    metadata = parseMetadata(metadataBytes);
+  } catch (e) {
+    throw new OQEError("PASSWORD_WRONG", "Incorrect password or corrupted file");
+  }
+  let plaintext;
+  try {
+    plaintext = await aesDecrypt(encryptedContent, contentKey, header.iv);
+  } catch (e) {
+    throw new OQEError("DECRYPTION_FAILED", "Failed to decrypt file content");
+  }
+  return {
+    data: plaintext,
+    filename: metadata.filename,
+    mimeType: metadata.mimeType,
+    originalSize: metadata.originalSize,
+    metadata,
+    mode: "password"
+  };
+}
+async function decryptFile(encryptedData, options) {
+  const data = await toUint8Array(encryptedData);
+  if (options.mode === "hybrid") {
+    return decryptHybrid(data, options);
+  } else {
+    return decryptPassword(data, options);
+  }
+}
+async function decryptFileForSelf(encryptedData, identity) {
+  return decryptFile(encryptedData, {
+    mode: "hybrid",
+    recipientSecretKeys: {
+      x25519SecHex: identity.x25519SecHex,
+      kyberSecB64: identity.kyberSecB64
+    }
+  });
+}
+async function decryptFileWithPassword(encryptedData, password) {
+  return decryptFile(encryptedData, {
+    mode: "password",
+    password
+  });
+}
+async function inspectOQEFile(data) {
+  const bytes = await toUint8Array(data);
+  const { header } = parseOQEFile(bytes);
+  let mode;
+  let algorithm;
+  if (header.algorithmSuite === ALGORITHM_SUITES.HYBRID_X25519_KYBER768_AES256GCM) {
+    mode = "hybrid";
+    algorithm = "X25519 + Kyber768 + AES-256-GCM";
+  } else {
+    mode = "password";
+    algorithm = "Argon2id + AES-256-GCM";
+  }
+  return {
+    version: header.version,
+    mode,
+    algorithm,
+    supportsKyber: mode === "hybrid" && await isKyberAvailable(),
+    fileSize: bytes.length
+  };
+}
+
+// src/fs/browser.ts
+function toArrayBuffer2(data) {
+  if (data.buffer instanceof SharedArrayBuffer || data.byteOffset !== 0 || data.byteLength !== data.buffer.byteLength) {
+    const copy = new ArrayBuffer(data.byteLength);
+    new Uint8Array(copy).set(data);
+    return copy;
+  }
+  return data.buffer;
+}
+function downloadEncryptedFile(result) {
+  const blob = new Blob([toArrayBuffer2(result.data)], { type: OQE_MIME_TYPE });
+  downloadBlob(blob, result.filename);
+}
+function downloadDecryptedFile(result) {
+  const mimeType = result.mimeType || "application/octet-stream";
+  const blob = new Blob([toArrayBuffer2(result.data)], { type: mimeType });
+  downloadBlob(blob, result.filename);
+}
+function downloadBlob(blob, filename) {
+  const url = URL.createObjectURL(blob);
+  const link = document.createElement("a");
+  link.href = url;
+  link.download = filename;
+  link.style.display = "none";
+  document.body.appendChild(link);
+  link.click();
+  document.body.removeChild(link);
+  setTimeout(() => URL.revokeObjectURL(url), 1e3);
+}
+function downloadBytes(data, filename, mimeType) {
+  const blob = new Blob([toArrayBuffer2(data)], { type: mimeType || "application/octet-stream" });
+  downloadBlob(blob, filename);
+}
+async function readFile(file) {
+  const buffer = await file.arrayBuffer();
+  return new Uint8Array(buffer);
+}
+async function readFileAsText(file) {
+  return new Promise((resolve, reject) => {
+    const reader = new FileReader();
+    reader.onload = () => resolve(reader.result);
+    reader.onerror = () => reject(reader.error);
+    reader.readAsText(file);
+  });
+}
+async function readFileAsDataURL(file) {
+  return new Promise((resolve, reject) => {
+    const reader = new FileReader();
+    reader.onload = () => resolve(reader.result);
+    reader.onerror = () => reject(reader.error);
+    reader.readAsDataURL(file);
+  });
+}
+function createDropZone(options) {
+  const { element, onDrop, onDragEnter, onDragLeave, accept, multiple = true } = options;
+  let dragCounter = 0;
+  const handleDragEnter = (e) => {
+    e.preventDefault();
+    e.stopPropagation();
+    dragCounter++;
+    if (dragCounter === 1) {
+      onDragEnter?.();
+    }
+  };
+  const handleDragLeave = (e) => {
+    e.preventDefault();
+    e.stopPropagation();
+    dragCounter--;
+    if (dragCounter === 0) {
+      onDragLeave?.();
+    }
+  };
+  const handleDragOver = (e) => {
+    e.preventDefault();
+    e.stopPropagation();
+  };
+  const handleDrop = (e) => {
+    e.preventDefault();
+    e.stopPropagation();
+    dragCounter = 0;
+    onDragLeave?.();
+    const files = Array.from(e.dataTransfer?.files || []);
+    let filteredFiles = files;
+    if (accept && accept.length > 0) {
+      filteredFiles = files.filter((file) => {
+        return accept.some((pattern) => {
+          if (pattern.startsWith(".")) {
+            return file.name.toLowerCase().endsWith(pattern.toLowerCase());
+          }
+          if (pattern.endsWith("/*")) {
+            const type = pattern.slice(0, -2);
+            return file.type.startsWith(type);
+          }
+          return file.type === pattern;
+        });
+      });
+    }
+    if (!multiple && filteredFiles.length > 1) {
+      filteredFiles = [filteredFiles[0]];
+    }
+    if (filteredFiles.length > 0) {
+      onDrop(filteredFiles);
+    }
+  };
+  element.addEventListener("dragenter", handleDragEnter);
+  element.addEventListener("dragleave", handleDragLeave);
+  element.addEventListener("dragover", handleDragOver);
+  element.addEventListener("drop", handleDrop);
+  return () => {
+    element.removeEventListener("dragenter", handleDragEnter);
+    element.removeEventListener("dragleave", handleDragLeave);
+    element.removeEventListener("dragover", handleDragOver);
+    element.removeEventListener("drop", handleDrop);
+  };
+}
+function openFilePicker(options = {}) {
+  return new Promise((resolve) => {
+    const input = document.createElement("input");
+    input.type = "file";
+    input.multiple = options.multiple ?? false;
+    if (options.accept && options.accept.length > 0) {
+      input.accept = options.accept.join(",");
+    }
+    input.onchange = () => {
+      const files = Array.from(input.files || []);
+      resolve(files);
+    };
+    input.oncancel = () => {
+      resolve([]);
+    };
+    input.click();
+  });
+}
+function openOQEFilePicker(multiple = false) {
+  return openFilePicker({
+    accept: [OQE_EXTENSION, OQE_MIME_TYPE],
+    multiple
+  });
+}
+function openFileToEncrypt(multiple = false) {
+  return openFilePicker({ multiple });
+}
+function encryptResultToBlob(result) {
+  return new Blob([toArrayBuffer2(result.data)], { type: OQE_MIME_TYPE });
+}
+function decryptResultToBlob(result) {
+  const mimeType = result.mimeType || "application/octet-stream";
+  return new Blob([toArrayBuffer2(result.data)], { type: mimeType });
+}
+function createObjectURL(blob) {
+  return URL.createObjectURL(blob);
+}
+async function bytesToDataURL(data, mimeType) {
+  const blob = new Blob([toArrayBuffer2(data)], { type: mimeType });
+  return new Promise((resolve, reject) => {
+    const reader = new FileReader();
+    reader.onload = () => resolve(reader.result);
+    reader.onerror = () => reject(reader.error);
+    reader.readAsDataURL(blob);
+  });
+}
+function getFileInfo(file) {
+  return {
+    name: file.name,
+    size: file.size,
+    type: file.type || "application/octet-stream",
+    lastModified: file.lastModified,
+    isOQE: isOQEFile(file.name),
+    sizeFormatted: formatFileSize(file.size)
+  };
+}
+function formatFileSize(bytes) {
+  if (bytes === 0) return "0 B";
+  const units = ["B", "KB", "MB", "GB", "TB"];
+  const k = 1024;
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${(bytes / Math.pow(k, i)).toFixed(i === 0 ? 0 : 1)} ${units[i]}`;
+}
+async function copyToClipboard(text) {
+  try {
+    await navigator.clipboard.writeText(text);
+    return true;
+  } catch {
+    const textarea = document.createElement("textarea");
+    textarea.value = text;
+    textarea.style.position = "fixed";
+    textarea.style.left = "-9999px";
+    document.body.appendChild(textarea);
+    textarea.select();
+    const success = document.execCommand("copy");
+    document.body.removeChild(textarea);
+    return success;
+  }
+}
+function isBrowser() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+function isWebCryptoAvailable() {
+  return typeof globalThis.crypto !== "undefined" && typeof globalThis.crypto.subtle !== "undefined";
+}
+function isFileAPIAvailable() {
+  return typeof File !== "undefined" && typeof FileReader !== "undefined";
+}
+function isDragDropSupported() {
+  const div = document.createElement("div");
+  return "draggable" in div || "ondragstart" in div && "ondrop" in div;
+}
+
+export { AES_GCM_IV_SIZE, AES_GCM_TAG_SIZE, AES_KEY_SIZE, ALGORITHM_SUITES, DEFAULT_ARGON2ID_PARAMS, MIN_ARGON2ID_PARAMS, OQEError, OQE_EXTENSION, OQE_FORMAT_VERSION, OQE_HEADER_SIZE, OQE_MAGIC, OQE_MIME_TYPE, STREAM_CHUNK_SIZE, addOQEExtension, aesDecrypt, aesDecryptCombined, aesDecryptStreaming, aesEncrypt, aesEncryptCombined, aesEncryptStreaming, assembleOQEFile, benchmarkArgon2, bytesToDataURL, copyToClipboard, createDropZone, createObjectURL, decryptFile, decryptFileForSelf, decryptFileWithPassword, decryptResultToBlob, deriveKeyFromPassword, downloadBlob, downloadBytes, downloadDecryptedFile, downloadEncryptedFile, encryptFile, encryptFileForSelf, encryptFileWithPassword, encryptResultToBlob, estimateArgon2Params, exportAesKey, formatFileSize, generateAesKey, generateArgon2Salt, getAlgorithmName, getFileInfo, importAesKey, inspectOQEFile, isArgon2Available, isBrowser, isDragDropSupported, isFileAPIAvailable, isOQEFile, isWebCryptoAvailable, openFilePicker, openFileToEncrypt, openOQEFilePicker, parseHybridKeyMaterial, parseMetadata, parseOQEFile, parseOQEHeader, parsePasswordKeyMaterial, readFile, readFileAsDataURL, readFileAsText, removeOQEExtension, serializeHybridKeyMaterial, serializeMetadata, serializePasswordKeyMaterial, toUint8Array, verifyPassword, writeOQEHeader };