@omnituum/pqc-shared 0.2.6

package/dist/index.js

@@ -0,0 +1,2031 @@
+import nacl4 from 'tweetnacl';
+import { sha256 as sha256$1 } from '@noble/hashes/sha256';
+import { hmac } from '@noble/hashes/hmac';
+import { argon2id } from 'hash-wasm';
+import { blake3 as blake3$1 } from '@noble/hashes/blake3';
+import { chacha20poly1305, xchacha20poly1305 } from '@noble/ciphers/chacha';
+import { hkdf, extract, expand } from '@noble/hashes/hkdf';
+import { sha512 } from '@noble/hashes/sha512';
+
+// src/runtime/crypto.ts
+async function ensureCrypto() {
+  if (typeof globalThis.crypto !== "undefined") return;
+  const mod = await import('crypto');
+  const webcrypto = mod.webcrypto ?? mod.default?.webcrypto;
+  if (!webcrypto) throw new Error("WebCrypto not available in this Node runtime");
+  globalThis.crypto = webcrypto;
+}
+void ensureCrypto();
+var textEncoder = new TextEncoder();
+var textDecoder = new TextDecoder();
+function toB64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function fromB64(str) {
+  const binary = atob(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function fromHex(hex) {
+  const s = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const normalized = s.length % 2 ? "0" + s : s;
+  const out = new Uint8Array(normalized.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    out[i] = parseInt(normalized.slice(i * 2, i * 2 + 2), 16);
+  }
+  return out;
+}
+function assertLen(label, arr, n) {
+  if (arr.length !== n) {
+    throw new Error(`${label} must be ${n} bytes, got ${arr.length}`);
+  }
+}
+function rand32() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(32));
+}
+function rand24() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(24));
+}
+function rand12() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(12));
+}
+function randN(n) {
+  return globalThis.crypto.getRandomValues(new Uint8Array(n));
+}
+function sha256(bytes) {
+  return sha256$1(bytes);
+}
+function sha256String(str) {
+  return sha256(textEncoder.encode(str));
+}
+function hkdfSha256(ikm, opts) {
+  const salt = opts?.salt ?? new Uint8Array(32);
+  const info = opts?.info ?? new Uint8Array(0);
+  const L = opts?.length ?? 32;
+  const prk = hmac(sha256$1, salt, ikm);
+  let t = new Uint8Array(0);
+  const chunks = [];
+  for (let i = 1; i <= Math.ceil(L / 32); i++) {
+    const input = new Uint8Array(t.length + info.length + 1);
+    input.set(t, 0);
+    input.set(info, t.length);
+    input[input.length - 1] = i;
+    t = new Uint8Array(hmac(sha256$1, prk, input));
+    chunks.push(t);
+  }
+  const out = new Uint8Array(L);
+  let off = 0;
+  for (const c of chunks) {
+    out.set(c.subarray(0, L - off), off);
+    off += c.length;
+    if (off >= L) break;
+  }
+  return out;
+}
+var b64 = toB64;
+var ub64 = fromB64;
+var u8 = (s) => typeof s === "string" ? textEncoder.encode(s) : s;
+function generateX25519Keypair() {
+  const kp = nacl4.box.keyPair();
+  return {
+    publicHex: "0x" + toHex(kp.publicKey),
+    secretHex: "0x" + toHex(kp.secretKey),
+    publicBytes: kp.publicKey,
+    secretBytes: kp.secretKey
+  };
+}
+function generateX25519KeypairFromSeed(seed) {
+  if (seed.length !== 32) {
+    throw new Error("X25519 seed must be 32 bytes");
+  }
+  const uniformSeed = sha256(seed);
+  const kp = nacl4.box.keyPair.fromSecretKey(uniformSeed);
+  return {
+    publicKey: kp.publicKey,
+    secretKey: uniformSeed
+  };
+}
+function boxWrapWithX25519(symKey32, recipientPubKeyHex) {
+  assertLen("sym key", symKey32, 32);
+  const pk = fromHex(recipientPubKeyHex);
+  assertLen("recipient pubKey", pk, 32);
+  const eph = nacl4.box.keyPair();
+  const nonce = rand24();
+  const boxed = nacl4.box(symKey32, nonce, pk, eph.secretKey);
+  return {
+    ephPubKey: toHex(eph.publicKey),
+    nonce: b64(nonce),
+    boxed: b64(boxed)
+  };
+}
+function boxUnwrapWithX25519(wrap, recipientSecretKey32) {
+  assertLen("recipient secretKey", recipientSecretKey32, 32);
+  const ephPk = fromHex(wrap.ephPubKey);
+  assertLen("ephemeral pubKey", ephPk, 32);
+  return nacl4.box.open(
+    ub64(wrap.boxed),
+    ub64(wrap.nonce),
+    ephPk,
+    recipientSecretKey32
+  ) || null;
+}
+function x25519SharedSecret(ourSecretKey, theirPublicKey) {
+  assertLen("secret key", ourSecretKey, 32);
+  assertLen("public key", theirPublicKey, 32);
+  return nacl4.scalarMult(ourSecretKey, theirPublicKey);
+}
+function deriveKeyFromShared(shared, salt, info) {
+  return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
+}
+var kyberModule = null;
+async function loadKyber() {
+  if (kyberModule) return kyberModule;
+  try {
+    const m = await import('kyber-crystals');
+    const k = m.default ?? m;
+    kyberModule = k.kyber ?? k;
+    return kyberModule;
+  } catch (e) {
+    console.warn("[Kyber] Failed to load kyber-crystals:", e);
+    return null;
+  }
+}
+async function isKyberAvailable() {
+  const mod = await loadKyber();
+  return mod !== null;
+}
+async function generateKyberKeypair() {
+  try {
+    const mod = await loadKyber();
+    if (!mod) return null;
+    if (mod?.ready?.then) {
+      await mod.ready;
+    }
+    const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
+    if (typeof fn !== "function") {
+      console.warn("[Kyber] No keypair function found");
+      return null;
+    }
+    const kp = await fn.call(mod);
+    const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
+    const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
+    if (!pub || !priv) {
+      console.warn("[Kyber] Invalid keypair result");
+      return null;
+    }
+    return {
+      publicB64: b64(new Uint8Array(pub)),
+      secretB64: b64(new Uint8Array(priv))
+    };
+  } catch (e) {
+    console.warn("[Kyber] Key generation failed:", e);
+    return null;
+  }
+}
+async function kyberEncapsulate(pubKeyB64) {
+  const kyber = await loadKyber();
+  if (!kyber?.encrypt) {
+    throw new Error("Kyber encrypt not available");
+  }
+  const pk = ub64(pubKeyB64);
+  const r = await kyber.encrypt(pk);
+  const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
+  const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
+  if (!ctRaw || !ssRaw) {
+    throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
+  }
+  return {
+    ciphertext: new Uint8Array(ctRaw),
+    sharedSecret: new Uint8Array(ssRaw)
+  };
+}
+async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
+  const kyber = await loadKyber();
+  if (!kyber?.decrypt && !kyber?.decapsulate) {
+    throw new Error("Kyber decrypt/decapsulate not available");
+  }
+  const ct = ub64(kemCiphertextB64);
+  const sk = ub64(secretKeyB64);
+  const r = kyber.decrypt ? await kyber.decrypt(ct, sk) : await kyber.decapsulate(ct, sk);
+  const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
+  return new Uint8Array(key);
+}
+function kyberWrapKey(sharedSecret, msgKey32) {
+  if (msgKey32.length !== 32) {
+    throw new Error("Message key must be 32 bytes");
+  }
+  const kek = sha256(sharedSecret);
+  const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
+  const wrapped = nacl4.secretbox(msgKey32, nonce, kek);
+  return {
+    nonce: b64(nonce),
+    wrapped: b64(wrapped)
+  };
+}
+function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
+  const kek = sha256(sharedSecret);
+  const nonce = ub64(nonceB64);
+  const wrapped = ub64(wrappedB64);
+  return nacl4.secretbox.open(wrapped, nonce, kek) || null;
+}
+
+// src/version.ts
+var ENVELOPE_VERSION = "omnituum.hybrid.v1";
+var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
+var VAULT_VERSION = "omnituum.vault.v1";
+var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
+var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
+var ENVELOPE_SUITE = "x25519+kyber768";
+var ENVELOPE_AEAD = "xsalsa20poly1305";
+var VAULT_KDF = "PBKDF2-SHA256";
+var VAULT_KDF_V2 = "Argon2id";
+var VAULT_ALGORITHM = "AES-256-GCM";
+var SUPPORTED_ENVELOPE_VERSIONS = [
+  ENVELOPE_VERSION,
+  ENVELOPE_VERSION_LEGACY
+];
+var SUPPORTED_VAULT_VERSIONS = [
+  VAULT_VERSION
+];
+var SUPPORTED_VAULT_ENCRYPTED_VERSIONS = [
+  VAULT_ENCRYPTED_VERSION,
+  VAULT_ENCRYPTED_VERSION_V2
+];
+var VersionMismatchError = class extends Error {
+  constructor(type, expected, received) {
+    super(
+      `Version mismatch for ${type}: expected one of [${expected.join(", ")}], got "${received}". This may indicate data corruption or a newer format. See pqc-docs/specs/ for format specifications.`
+    );
+    this.type = type;
+    this.expected = expected;
+    this.received = received;
+    this.name = "VersionMismatchError";
+  }
+};
+function assertEnvelopeVersion(version) {
+  if (!SUPPORTED_ENVELOPE_VERSIONS.includes(version)) {
+    throw new VersionMismatchError("envelope", SUPPORTED_ENVELOPE_VERSIONS, version);
+  }
+}
+function assertVaultVersion(version) {
+  if (!SUPPORTED_VAULT_VERSIONS.includes(version)) {
+    throw new VersionMismatchError("vault", SUPPORTED_VAULT_VERSIONS, version);
+  }
+}
+function assertVaultEncryptedVersion(version) {
+  if (!SUPPORTED_VAULT_ENCRYPTED_VERSIONS.includes(version)) {
+    throw new VersionMismatchError("vault_encrypted", SUPPORTED_VAULT_ENCRYPTED_VERSIONS, version);
+  }
+}
+function isEnvelopeVersionSupported(version) {
+  return SUPPORTED_ENVELOPE_VERSIONS.includes(version);
+}
+function isVaultVersionSupported(version) {
+  return SUPPORTED_VAULT_VERSIONS.includes(version);
+}
+function isVaultEncryptedVersionSupported(version) {
+  return SUPPORTED_VAULT_ENCRYPTED_VERSIONS.includes(version);
+}
+function validateEnvelope(envelope) {
+  const errors = [];
+  if (!envelope || typeof envelope !== "object") {
+    return { valid: false, errors: ["Envelope must be an object"] };
+  }
+  const env = envelope;
+  if (typeof env.v !== "string") {
+    errors.push('Missing or invalid version field "v"');
+  } else if (!isEnvelopeVersionSupported(env.v)) {
+    errors.push(`Unsupported envelope version: ${env.v}`);
+  }
+  if (env.suite !== ENVELOPE_SUITE) {
+    errors.push(`Invalid suite: expected "${ENVELOPE_SUITE}", got "${env.suite}"`);
+  }
+  if (env.aead !== ENVELOPE_AEAD) {
+    errors.push(`Invalid aead: expected "${ENVELOPE_AEAD}", got "${env.aead}"`);
+  }
+  const required = ["x25519Epk", "x25519Wrap", "kyberKemCt", "kyberWrap", "contentNonce", "ciphertext", "meta"];
+  for (const field of required) {
+    if (!(field in env)) {
+      errors.push(`Missing required field: ${field}`);
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    version: typeof env.v === "string" ? env.v : void 0,
+    errors
+  };
+}
+function validateVault(vault) {
+  const errors = [];
+  if (!vault || typeof vault !== "object") {
+    return { valid: false, errors: ["Vault must be an object"] };
+  }
+  const v = vault;
+  if (typeof v.version !== "string") {
+    errors.push("Missing or invalid version field");
+  } else if (!isVaultVersionSupported(v.version)) {
+    errors.push(`Unsupported vault version: ${v.version}`);
+  }
+  if (!Array.isArray(v.identities)) {
+    errors.push("Missing or invalid identities array");
+  }
+  if (!v.settings || typeof v.settings !== "object") {
+    errors.push("Missing or invalid settings object");
+  }
+  if (typeof v.integrityHash !== "string") {
+    errors.push("Missing or invalid integrityHash");
+  }
+  if (typeof v.createdAt !== "string") {
+    errors.push("Missing or invalid createdAt timestamp");
+  }
+  if (typeof v.modifiedAt !== "string") {
+    errors.push("Missing or invalid modifiedAt timestamp");
+  }
+  return {
+    valid: errors.length === 0,
+    version: typeof v.version === "string" ? v.version : void 0,
+    errors
+  };
+}
+function validateEncryptedVault(encVault) {
+  const errors = [];
+  if (!encVault || typeof encVault !== "object") {
+    return { valid: false, errors: ["Encrypted vault must be an object"] };
+  }
+  const v = encVault;
+  if (typeof v.version !== "string") {
+    errors.push("Missing or invalid version field");
+  } else if (!isVaultEncryptedVersionSupported(v.version)) {
+    errors.push(`Unsupported encrypted vault version: ${v.version}`);
+  }
+  if (v.version === VAULT_ENCRYPTED_VERSION && v.kdf !== VAULT_KDF) {
+    errors.push(`Invalid kdf for v1: expected "${VAULT_KDF}", got "${v.kdf}"`);
+  } else if (v.version === VAULT_ENCRYPTED_VERSION_V2 && v.kdf !== VAULT_KDF_V2) {
+    errors.push(`Invalid kdf for v2: expected "${VAULT_KDF_V2}", got "${v.kdf}"`);
+  } else if (v.kdf !== VAULT_KDF && v.kdf !== VAULT_KDF_V2) {
+    errors.push(`Unsupported kdf: ${v.kdf}`);
+  }
+  if (v.algorithm !== VAULT_ALGORITHM) {
+    errors.push(`Invalid algorithm: expected "${VAULT_ALGORITHM}", got "${v.algorithm}"`);
+  }
+  if (typeof v.iterations !== "number" || v.iterations < 1) {
+    errors.push("Missing or invalid iterations");
+  }
+  if (typeof v.salt !== "string") {
+    errors.push("Missing or invalid salt");
+  }
+  if (typeof v.iv !== "string") {
+    errors.push("Missing or invalid iv");
+  }
+  if (typeof v.ciphertext !== "string") {
+    errors.push("Missing or invalid ciphertext");
+  }
+  return {
+    valid: errors.length === 0,
+    version: typeof v.version === "string" ? v.version : void 0,
+    errors
+  };
+}
+
+// src/crypto/hybrid.ts
+function hkdfFlex(ikm, salt, info) {
+  return hkdfSha256(ikm, { salt: u8(salt), info: u8(info), length: 32 });
+}
+function generateId() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function generateHybridIdentity(name) {
+  const x25519 = generateX25519Keypair();
+  const kyber = await generateKyberKeypair();
+  if (!kyber) {
+    console.error("Kyber key generation failed - library not available");
+    return null;
+  }
+  return {
+    id: generateId(),
+    name,
+    x25519PubHex: x25519.publicHex,
+    x25519SecHex: x25519.secretHex,
+    kyberPubB64: kyber.publicB64,
+    kyberSecB64: kyber.secretB64,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    rotationCount: 0
+  };
+}
+function getPublicKeys(identity) {
+  return {
+    x25519PubHex: identity.x25519PubHex,
+    kyberPubB64: identity.kyberPubB64
+  };
+}
+function getSecretKeys(identity) {
+  return {
+    x25519SecHex: identity.x25519SecHex,
+    kyberSecB64: identity.kyberSecB64
+  };
+}
+async function hybridEncrypt(plaintext, recipientPublicKeys, sender) {
+  const pt = typeof plaintext === "string" ? textEncoder.encode(plaintext) : plaintext;
+  const CK = rand32();
+  const contentNonce = rand24();
+  const ciphertext = nacl4.secretbox(pt, contentNonce, CK);
+  const x25519EphKp = nacl4.box.keyPair();
+  const recipientX25519Pk = fromHex(recipientPublicKeys.x25519PubHex);
+  const x25519Shared = nacl4.scalarMult(x25519EphKp.secretKey, recipientX25519Pk);
+  const x25519Kek = hkdfFlex(x25519Shared, "omnituum/x25519", "wrap-ck");
+  const x25519WrapNonce = rand24();
+  const x25519Wrapped = nacl4.secretbox(CK, x25519WrapNonce, x25519Kek);
+  const kyberResult = await kyberEncapsulate(recipientPublicKeys.kyberPubB64);
+  const kyberKek = hkdfFlex(kyberResult.sharedSecret, "omnituum/kyber", "wrap-ck");
+  const kyberWrapNonce = rand24();
+  const kyberWrapped = nacl4.secretbox(CK, kyberWrapNonce, kyberKek);
+  return {
+    v: ENVELOPE_VERSION,
+    suite: ENVELOPE_SUITE,
+    aead: ENVELOPE_AEAD,
+    x25519Epk: toHex(x25519EphKp.publicKey),
+    x25519Wrap: {
+      nonce: b64(x25519WrapNonce),
+      wrapped: b64(x25519Wrapped)
+    },
+    kyberKemCt: b64(kyberResult.ciphertext),
+    kyberWrap: {
+      nonce: b64(kyberWrapNonce),
+      wrapped: b64(kyberWrapped)
+    },
+    contentNonce: b64(contentNonce),
+    ciphertext: b64(ciphertext),
+    meta: {
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      senderName: sender?.name,
+      senderId: sender?.id
+    }
+  };
+}
+async function hybridDecrypt(envelope, secretKeys) {
+  const version = envelope.v;
+  assertEnvelopeVersion(version);
+  let CK = null;
+  const saltPrefix = version === "pqc-demo.hybrid.v1" ? "pqc-demo" : "omnituum";
+  try {
+    const kyberShared = await kyberDecapsulate(envelope.kyberKemCt, secretKeys.kyberSecB64);
+    const kyberKek = hkdfFlex(kyberShared, `${saltPrefix}/kyber`, "wrap-ck");
+    CK = nacl4.secretbox.open(
+      ub64(envelope.kyberWrap.wrapped),
+      ub64(envelope.kyberWrap.nonce),
+      kyberKek
+    );
+    if (CK) {
+      console.log("[Hybrid] Decrypted using Kyber (post-quantum)");
+    }
+  } catch (e) {
+    console.warn("[Hybrid] Kyber decapsulation failed:", e);
+  }
+  if (!CK) {
+    try {
+      const ephPk = fromHex(envelope.x25519Epk);
+      const sk = fromHex(secretKeys.x25519SecHex);
+      const x25519Shared = nacl4.scalarMult(sk, ephPk);
+      const x25519Kek = hkdfFlex(x25519Shared, `${saltPrefix}/x25519`, "wrap-ck");
+      CK = nacl4.secretbox.open(
+        ub64(envelope.x25519Wrap.wrapped),
+        ub64(envelope.x25519Wrap.nonce),
+        x25519Kek
+      );
+      if (CK) {
+        console.log("[Hybrid] Decrypted using X25519 (classical)");
+      }
+    } catch (e) {
+      console.warn("[Hybrid] X25519 decryption failed:", e);
+    }
+  }
+  if (!CK) {
+    throw new Error("Could not unwrap content key with either algorithm");
+  }
+  const pt = nacl4.secretbox.open(
+    ub64(envelope.ciphertext),
+    ub64(envelope.contentNonce),
+    CK
+  );
+  if (!pt) {
+    throw new Error("Content authentication failed");
+  }
+  return pt;
+}
+async function hybridDecryptToString(envelope, secretKeys) {
+  const pt = await hybridDecrypt(envelope, secretKeys);
+  return textDecoder.decode(pt);
+}
+
+// src/crypto/dilithium.ts
+var dilithiumModule = null;
+async function loadDilithium() {
+  if (dilithiumModule) return dilithiumModule;
+  try {
+    const { ml_dsa65 } = await import('@noble/post-quantum/ml-dsa');
+    dilithiumModule = ml_dsa65;
+    return dilithiumModule;
+  } catch (e) {
+    console.warn("[Dilithium] Failed to load @noble/post-quantum:", e);
+    return null;
+  }
+}
+async function isDilithiumAvailable() {
+  const mod = await loadDilithium();
+  return mod !== null;
+}
+async function generateDilithiumKeypair() {
+  try {
+    const mod = await loadDilithium();
+    if (!mod) return null;
+    const seed = randN(32);
+    const kp = mod.keygen(seed);
+    return {
+      publicB64: toB64(kp.publicKey),
+      secretB64: toB64(kp.secretKey)
+    };
+  } catch (e) {
+    console.warn("[Dilithium] Key generation failed:", e);
+    return null;
+  }
+}
+async function generateDilithiumKeypairFromSeed(seed) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  if (seed.length !== 32) {
+    throw new Error("Dilithium seed must be 32 bytes");
+  }
+  const uniformSeed = sha256(seed);
+  const kp = mod.keygen(uniformSeed);
+  return {
+    publicKey: kp.publicKey,
+    secretKey: kp.secretKey
+  };
+}
+async function dilithiumSign(message, secretKeyB64) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  const sk = fromB64(secretKeyB64);
+  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
+  const signature = mod.sign(sk, msg);
+  return {
+    signature: toB64(signature),
+    algorithm: "ML-DSA-65"
+  };
+}
+async function dilithiumSignRaw(message, secretKey) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  return mod.sign(secretKey, message);
+}
+async function dilithiumVerify(message, signatureB64, publicKeyB64) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  const pk = fromB64(publicKeyB64);
+  const sig = fromB64(signatureB64);
+  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
+  try {
+    return mod.verify(pk, msg, sig);
+  } catch {
+    return false;
+  }
+}
+async function dilithiumVerifyRaw(message, signature, publicKey) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  try {
+    return mod.verify(publicKey, message, signature);
+  } catch {
+    return false;
+  }
+}
+var DILITHIUM_PUBLIC_KEY_SIZE = 1952;
+var DILITHIUM_SECRET_KEY_SIZE = 4032;
+var DILITHIUM_SIGNATURE_SIZE = 3309;
+var DILITHIUM_ALGORITHM = "ML-DSA-65";
+
+// src/vault/types.ts
+var PBKDF2_ITERATIONS = 6e5;
+var KDF_CONFIG_PBKDF2 = {
+  algorithm: "PBKDF2-SHA256",
+  pbkdf2Iterations: 6e5,
+  // OWASP 2023
+  saltLength: 32,
+  hashLength: 32
+};
+var KDF_CONFIG_ARGON2ID = {
+  algorithm: "Argon2id",
+  argon2MemoryCost: 65536,
+  // 64 MB
+  argon2TimeCost: 3,
+  argon2Parallelism: 4,
+  saltLength: 32,
+  hashLength: 32
+};
+var KDF_CONFIG_DEFAULT = KDF_CONFIG_PBKDF2;
+var textEncoder2 = new TextEncoder();
+async function derivePBKDF2(password, salt, iterations, hashLength) {
+  const passwordKey = await globalThis.crypto.subtle.importKey(
+    "raw",
+    textEncoder2.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const saltBuffer = new ArrayBuffer(salt.length);
+  new Uint8Array(saltBuffer).set(salt);
+  const bits = await globalThis.crypto.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt: saltBuffer,
+      iterations,
+      hash: "SHA-256"
+    },
+    passwordKey,
+    hashLength * 8
+  );
+  return new Uint8Array(bits);
+}
+async function deriveArgon2id(password, salt, memoryCost, timeCost, parallelism, hashLength) {
+  const hash = await argon2id({
+    password,
+    salt,
+    parallelism,
+    iterations: timeCost,
+    memorySize: memoryCost,
+    hashLength,
+    outputType: "binary"
+  });
+  return new Uint8Array(hash);
+}
+function generateSalt(length = 32) {
+  return randN(length);
+}
+async function kdfDeriveKey(password, salt, config = KDF_CONFIG_DEFAULT) {
+  if (salt.length !== config.saltLength) {
+    throw new Error(`Salt must be ${config.saltLength} bytes, got ${salt.length}`);
+  }
+  if (config.algorithm === "PBKDF2-SHA256") {
+    return derivePBKDF2(
+      password,
+      salt,
+      config.pbkdf2Iterations ?? 6e5,
+      config.hashLength
+    );
+  } else if (config.algorithm === "Argon2id") {
+    return deriveArgon2id(
+      password,
+      salt,
+      config.argon2MemoryCost ?? 65536,
+      config.argon2TimeCost ?? 3,
+      config.argon2Parallelism ?? 4,
+      config.hashLength
+    );
+  } else {
+    throw new Error(`Unsupported KDF algorithm: ${config.algorithm}`);
+  }
+}
+function configFromParams(algorithm, params) {
+  {
+    return {
+      algorithm,
+      argon2MemoryCost: params.memoryCost,
+      argon2TimeCost: params.timeCost,
+      argon2Parallelism: params.parallelism,
+      saltLength: 32,
+      hashLength: 32
+    };
+  }
+}
+var _argon2Available = null;
+async function isArgon2idAvailable() {
+  if (_argon2Available !== null) {
+    return _argon2Available;
+  }
+  try {
+    await argon2id({
+      password: "test",
+      salt: new Uint8Array(16),
+      parallelism: 1,
+      iterations: 1,
+      memorySize: 1024,
+      hashLength: 32,
+      outputType: "binary"
+    });
+    _argon2Available = true;
+  } catch {
+    _argon2Available = false;
+  }
+  return _argon2Available;
+}
+async function getRecommendedConfig() {
+  if (await isArgon2idAvailable()) {
+    return KDF_CONFIG_ARGON2ID;
+  }
+  return KDF_CONFIG_PBKDF2;
+}
+async function benchmarkKDF(config = KDF_CONFIG_DEFAULT) {
+  const salt = generateSalt(config.saltLength);
+  const testPassword = "benchmark-test-password";
+  const start = performance.now();
+  await kdfDeriveKey(testPassword, salt, config);
+  const end = performance.now();
+  return end - start;
+}
+
+// src/vault/encrypt.ts
+var textEncoder3 = new TextEncoder();
+async function deriveKey(password, salt, iterations = PBKDF2_ITERATIONS) {
+  const passwordKey = await globalThis.crypto.subtle.importKey(
+    "raw",
+    textEncoder3.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits", "deriveKey"]
+  );
+  const saltArrayBuffer = new ArrayBuffer(salt.length);
+  new Uint8Array(saltArrayBuffer).set(salt);
+  return globalThis.crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt: saltArrayBuffer,
+      iterations,
+      hash: "SHA-256"
+    },
+    passwordKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    // not extractable
+    ["encrypt", "decrypt"]
+  );
+}
+async function encryptVault(vault, password) {
+  const salt = globalThis.crypto.getRandomValues(new Uint8Array(32));
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const key = await deriveKey(password, salt);
+  const plaintext = textEncoder3.encode(JSON.stringify(vault));
+  const ciphertext = await globalThis.crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    plaintext
+  );
+  return {
+    version: VAULT_ENCRYPTED_VERSION,
+    kdf: VAULT_KDF,
+    iterations: PBKDF2_ITERATIONS,
+    salt: toB64(salt),
+    iv: toB64(iv),
+    ciphertext: toB64(new Uint8Array(ciphertext)),
+    algorithm: VAULT_ALGORITHM
+  };
+}
+async function encryptVaultV2(vault, password) {
+  const salt = globalThis.crypto.getRandomValues(new Uint8Array(32));
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const keyBytes = await kdfDeriveKey(password, salt, KDF_CONFIG_ARGON2ID);
+  const keyBuffer = new ArrayBuffer(keyBytes.length);
+  new Uint8Array(keyBuffer).set(keyBytes);
+  const key = await globalThis.crypto.subtle.importKey(
+    "raw",
+    keyBuffer,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt"]
+  );
+  const plaintext = textEncoder3.encode(JSON.stringify(vault));
+  const ciphertext = await globalThis.crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    plaintext
+  );
+  return {
+    version: VAULT_ENCRYPTED_VERSION_V2,
+    kdf: VAULT_KDF_V2,
+    memoryCost: KDF_CONFIG_ARGON2ID.argon2MemoryCost,
+    timeCost: KDF_CONFIG_ARGON2ID.argon2TimeCost,
+    parallelism: KDF_CONFIG_ARGON2ID.argon2Parallelism,
+    salt: toB64(salt),
+    iv: toB64(iv),
+    ciphertext: toB64(new Uint8Array(ciphertext)),
+    algorithm: VAULT_ALGORITHM
+  };
+}
+
+// src/vault/decrypt.ts
+var textDecoder2 = new TextDecoder();
+async function decryptVault(encryptedFile, password) {
+  assertVaultEncryptedVersion(encryptedFile.version);
+  const salt = fromB64(encryptedFile.salt);
+  const iv = fromB64(encryptedFile.iv);
+  const ciphertext = fromB64(encryptedFile.ciphertext);
+  let key;
+  if (encryptedFile.version === VAULT_ENCRYPTED_VERSION_V2) {
+    const v2File = encryptedFile;
+    const kdfConfig = configFromParams("Argon2id", {
+      memoryCost: v2File.memoryCost,
+      timeCost: v2File.timeCost,
+      parallelism: v2File.parallelism
+    });
+    const keyBytes = await kdfDeriveKey(password, salt, kdfConfig);
+    const keyBuffer = new ArrayBuffer(keyBytes.length);
+    new Uint8Array(keyBuffer).set(keyBytes);
+    key = await globalThis.crypto.subtle.importKey(
+      "raw",
+      keyBuffer,
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["decrypt"]
+    );
+  } else {
+    key = await deriveKey(password, salt, encryptedFile.iterations);
+  }
+  try {
+    const ivArrayBuffer = new ArrayBuffer(iv.length);
+    new Uint8Array(ivArrayBuffer).set(iv);
+    const ciphertextArrayBuffer = new ArrayBuffer(ciphertext.length);
+    new Uint8Array(ciphertextArrayBuffer).set(ciphertext);
+    const plaintext = await globalThis.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: ivArrayBuffer },
+      key,
+      ciphertextArrayBuffer
+    );
+    const json = textDecoder2.decode(plaintext);
+    const vault = JSON.parse(json);
+    assertVaultVersion(vault.version);
+    if (!Array.isArray(vault.identities)) {
+      throw new Error("Invalid vault structure: missing identities array");
+    }
+    return vault;
+  } catch (error) {
+    if (error instanceof DOMException && error.name === "OperationError") {
+      throw new Error("Incorrect password or corrupted vault");
+    }
+    throw error;
+  }
+}
+
+// src/utils/integrity.ts
+function computeIntegrityHash(identities) {
+  const canonical = identities.map((i) => ({
+    id: i.id,
+    name: i.name,
+    x25519PubHex: i.x25519PubHex,
+    kyberPubB64: i.kyberPubB64,
+    createdAt: i.createdAt,
+    rotationCount: i.rotationCount
+  }));
+  const serialized = JSON.stringify(canonical, Object.keys(canonical[0] || {}).sort());
+  return computeStringHash(serialized);
+}
+function computeStringHash(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(16).padStart(16, "0");
+}
+async function computeHashAsync(data) {
+  const encoder = new TextEncoder();
+  const bytes = encoder.encode(data);
+  const subtle = globalThis.crypto?.subtle;
+  if (subtle) {
+    const hashBuffer = await subtle.digest("SHA-256", bytes);
+    return toHex(new Uint8Array(hashBuffer));
+  }
+  const { createHash } = await import('crypto');
+  return toHex(new Uint8Array(createHash("sha256").update(bytes).digest()));
+}
+async function computeKeyFingerprint(identity) {
+  const combined = identity.x25519PubHex + identity.kyberPubB64;
+  const hash = await computeHashAsync(combined);
+  return hash.slice(0, 16).toUpperCase();
+}
+
+// src/utils/entropy.ts
+function generateId2() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function secretboxEncrypt(key, plaintext, nonce) {
+  assertLen("secretbox key", key, 32);
+  const n = nonce ?? rand24();
+  assertLen("nonce", n, 24);
+  const ciphertext = nacl4.secretbox(plaintext, n, key);
+  return {
+    scheme: "nacl.secretbox",
+    nonce: toB64(n),
+    ciphertext: toB64(ciphertext)
+  };
+}
+function secretboxEncryptString(key, plaintext, nonce) {
+  return secretboxEncrypt(key, new TextEncoder().encode(plaintext), nonce);
+}
+function secretboxDecrypt(key, payload) {
+  if (payload.scheme !== "nacl.secretbox") {
+    return null;
+  }
+  assertLen("secretbox key", key, 32);
+  const nonce = fromB64(payload.nonce);
+  const ciphertext = fromB64(payload.ciphertext);
+  return nacl4.secretbox.open(ciphertext, nonce, key) || null;
+}
+function secretboxDecryptString(key, payload) {
+  const result = secretboxDecrypt(key, payload);
+  if (!result) return null;
+  return new TextDecoder().decode(result);
+}
+function secretboxRaw(key, plaintext, nonce) {
+  assertLen("secretbox key", key, 32);
+  assertLen("nonce", nonce, 24);
+  return nacl4.secretbox(plaintext, nonce, key);
+}
+function secretboxOpenRaw(key, ciphertext, nonce) {
+  assertLen("secretbox key", key, 32);
+  assertLen("nonce", nonce, 24);
+  return nacl4.secretbox.open(ciphertext, nonce, key) || null;
+}
+function boxEncrypt(plaintext, nonce, recipientPubKey, senderSecKey) {
+  assertLen("nonce", nonce, 24);
+  assertLen("recipient pubKey", recipientPubKey, 32);
+  assertLen("sender secKey", senderSecKey, 32);
+  return nacl4.box(plaintext, nonce, recipientPubKey, senderSecKey);
+}
+function boxDecrypt(ciphertext, nonce, senderPubKey, recipientSecKey) {
+  assertLen("nonce", nonce, 24);
+  assertLen("sender pubKey", senderPubKey, 32);
+  assertLen("recipient secKey", recipientSecKey, 32);
+  return nacl4.box.open(ciphertext, nonce, senderPubKey, recipientSecKey) || null;
+}
+var SECRETBOX_KEY_SIZE = nacl4.secretbox.keyLength;
+var SECRETBOX_NONCE_SIZE = nacl4.secretbox.nonceLength;
+var SECRETBOX_OVERHEAD = nacl4.secretbox.overheadLength;
+var BOX_KEY_SIZE = nacl4.box.publicKeyLength;
+var BOX_NONCE_SIZE = nacl4.box.nonceLength;
+function blake3(data, options) {
+  const input = typeof data === "string" ? new TextEncoder().encode(data) : data;
+  const opts = {};
+  if (options?.outputLength) {
+    opts.dkLen = options.outputLength;
+  }
+  if (options?.key) {
+    if (options.key.length !== 32) {
+      throw new Error("BLAKE3 key must be exactly 32 bytes");
+    }
+    opts.key = options.key;
+  }
+  if (options?.context) {
+    opts.context = new TextEncoder().encode(options.context);
+  }
+  return blake3$1(input, opts);
+}
+function blake3Hex(data, options) {
+  const hash = blake3(data, options);
+  return Array.from(hash).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function blake3Mac(key, data, outputLength = 32) {
+  if (key.length !== 32) {
+    throw new Error("BLAKE3 MAC key must be exactly 32 bytes");
+  }
+  return blake3(data, { key, outputLength });
+}
+function blake3DeriveKey(context, keyMaterial, outputLength = 32) {
+  return blake3(keyMaterial, { context, outputLength });
+}
+var BLAKE3_OUTPUT_LENGTH = 32;
+function chaCha20Poly1305Encrypt(key, nonce, plaintext, aad) {
+  if (key.length !== 32) {
+    throw new Error("ChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 12) {
+    throw new Error("ChaCha20-Poly1305 nonce must be 12 bytes");
+  }
+  const cipher = chacha20poly1305(key, nonce, aad);
+  return cipher.encrypt(plaintext);
+}
+function chaCha20Poly1305Decrypt(key, nonce, ciphertext, aad) {
+  if (key.length !== 32) {
+    throw new Error("ChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 12) {
+    throw new Error("ChaCha20-Poly1305 nonce must be 12 bytes");
+  }
+  try {
+    const cipher = chacha20poly1305(key, nonce, aad);
+    return cipher.decrypt(ciphertext);
+  } catch {
+    return null;
+  }
+}
+function xChaCha20Poly1305Encrypt(key, nonce, plaintext, aad) {
+  if (key.length !== 32) {
+    throw new Error("XChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 24) {
+    throw new Error("XChaCha20-Poly1305 nonce must be 24 bytes");
+  }
+  const cipher = xchacha20poly1305(key, nonce, aad);
+  return cipher.encrypt(plaintext);
+}
+function xChaCha20Poly1305Decrypt(key, nonce, ciphertext, aad) {
+  if (key.length !== 32) {
+    throw new Error("XChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 24) {
+    throw new Error("XChaCha20-Poly1305 nonce must be 24 bytes");
+  }
+  try {
+    const cipher = xchacha20poly1305(key, nonce, aad);
+    return cipher.decrypt(ciphertext);
+  } catch {
+    return null;
+  }
+}
+function createXChaCha20Poly1305(key, nonce, aad) {
+  if (key.length !== 32) {
+    throw new Error("XChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 24) {
+    throw new Error("XChaCha20-Poly1305 nonce must be 24 bytes");
+  }
+  return xchacha20poly1305(key, nonce, aad);
+}
+function createChaCha20Poly1305(key, nonce, aad) {
+  if (key.length !== 32) {
+    throw new Error("ChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 12) {
+    throw new Error("ChaCha20-Poly1305 nonce must be 12 bytes");
+  }
+  return chacha20poly1305(key, nonce, aad);
+}
+var CHACHA20_KEY_SIZE = 32;
+var XCHACHA20_NONCE_SIZE = 24;
+var POLY1305_TAG_SIZE = 16;
+function hkdfDerive(ikm, outputLength, options) {
+  const hashFn = getHashFunction(options?.hash ?? "sha256");
+  const info = normalizeInfo(options?.info);
+  const salt = options?.salt;
+  return hkdf(hashFn, ikm, salt, info, outputLength);
+}
+function hkdfExtract(ikm, salt, hash = "sha256") {
+  const hashFn = getHashFunction(hash);
+  return extract(hashFn, ikm, salt);
+}
+function hkdfExpand(prk, info, outputLength, hash = "sha256") {
+  const hashFn = getHashFunction(hash);
+  return expand(hashFn, prk, normalizeInfo(info), outputLength);
+}
+function hkdfSplitForNoise(chainingKey, inputKeyMaterial) {
+  const prk = hkdfExtract(inputKeyMaterial, chainingKey, "sha256");
+  const output = hkdfExpand(prk, void 0, 64, "sha256");
+  return [
+    output.slice(0, 32),
+    // New chaining key
+    output.slice(32, 64)
+    // Output key
+  ];
+}
+function hkdfTripleSplitForNoise(chainingKey, inputKeyMaterial) {
+  const prk = hkdfExtract(inputKeyMaterial, chainingKey, "sha256");
+  const output = hkdfExpand(prk, void 0, 96, "sha256");
+  return [
+    output.slice(0, 32),
+    // New chaining key
+    output.slice(32, 64),
+    // Output key 1
+    output.slice(64, 96)
+    // Output key 2
+  ];
+}
+function getHashFunction(hash) {
+  switch (hash) {
+    case "sha256":
+      return sha256$1;
+    case "sha512":
+      return sha512;
+    default:
+      throw new Error(`Unsupported HKDF hash: ${hash}`);
+  }
+}
+function normalizeInfo(info) {
+  if (!info) return new Uint8Array(0);
+  if (typeof info === "string") return new TextEncoder().encode(info);
+  return info;
+}
+
+// src/vault/manager.ts
+function createEmptyVault() {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    version: VAULT_VERSION,
+    identities: [],
+    settings: {
+      autoUnlock: false,
+      lockTimeout: 15,
+      showFingerprints: true
+    },
+    integrityHash: computeIntegrityHash([]),
+    createdAt: now,
+    modifiedAt: now
+  };
+}
+async function createIdentity(name) {
+  const x25519 = generateX25519Keypair();
+  const kyber = await generateKyberKeypair();
+  if (!kyber) {
+    console.error("Kyber key generation failed");
+    return null;
+  }
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const deviceFingerprint = await getDeviceFingerprint();
+  return {
+    id: generateId2(),
+    name,
+    x25519PubHex: x25519.publicHex,
+    x25519SecHex: x25519.secretHex,
+    kyberPubB64: kyber.publicB64,
+    kyberSecB64: kyber.secretB64,
+    createdAt: now,
+    rotationCount: 0,
+    deviceFingerprint
+  };
+}
+function addIdentity(vault, identity) {
+  const identities = [...vault.identities, identity];
+  return {
+    ...vault,
+    identities,
+    integrityHash: computeIntegrityHash(identities),
+    modifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function getDeviceFingerprint() {
+  const data = [
+    navigator.userAgent,
+    navigator.language,
+    screen.width,
+    screen.height,
+    (/* @__PURE__ */ new Date()).getTimezoneOffset()
+  ].join("|");
+  const hash = await globalThis.crypto.subtle.digest("SHA-256", new TextEncoder().encode(data));
+  return toHex(new Uint8Array(hash)).slice(0, 16);
+}
+
+// src/security/index.ts
+function zeroMemory(arr) {
+  if (!arr || arr.length === 0) return;
+  arr.fill(0);
+  if (arr[0] !== 0) {
+    throw new Error("Memory zeroing failed");
+  }
+}
+function zeroAll(...arrays) {
+  for (const arr of arrays) {
+    if (arr) {
+      zeroMemory(arr);
+    }
+  }
+}
+async function withSecureData(getData, process) {
+  let data = null;
+  try {
+    data = await getData();
+    return await process(data);
+  } finally {
+    if (data) {
+      zeroMemory(data);
+    }
+  }
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a[i] ^ b[i];
+  }
+  return result === 0;
+}
+function createSession(timeoutMs = 15 * 60 * 1e3) {
+  return {
+    unlocked: false,
+    unlockedAt: null,
+    timeoutMs,
+    unlockReason: null,
+    sessionId: null,
+    lastActivityAt: null,
+    failedAttempts: 0,
+    lockedOutUntil: null
+  };
+}
+function unlockSecureSession(session, reason = "password") {
+  const now = Date.now();
+  return {
+    ...session,
+    unlocked: true,
+    unlockedAt: now,
+    unlockReason: reason,
+    sessionId: generateSessionId(),
+    lastActivityAt: now,
+    failedAttempts: 0,
+    lockedOutUntil: null
+  };
+}
+function lockSecureSession(session) {
+  return {
+    ...session,
+    unlocked: false,
+    unlockedAt: null,
+    unlockReason: null,
+    sessionId: null,
+    lastActivityAt: null
+  };
+}
+function isSessionTimedOut(session) {
+  if (!session.unlocked || session.timeoutMs === 0) {
+    return false;
+  }
+  const lastActivity = session.lastActivityAt ?? session.unlockedAt ?? 0;
+  return Date.now() - lastActivity > session.timeoutMs;
+}
+function generateSessionId() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var SecureBuffer = class {
+  constructor(data) {
+    this._disposed = false;
+    this._data = new Uint8Array(data.length);
+    this._data.set(data);
+  }
+  /**
+   * Get a copy of the data (original stays protected).
+   */
+  get data() {
+    if (this._disposed) {
+      throw new Error("SecureBuffer has been disposed");
+    }
+    const copy = new Uint8Array(this._data.length);
+    copy.set(this._data);
+    return copy;
+  }
+  /**
+   * Get data length without exposing contents.
+   */
+  get length() {
+    return this._data.length;
+  }
+  /**
+   * Check if buffer has been disposed.
+   */
+  get isDisposed() {
+    return this._disposed;
+  }
+  /**
+   * Zero and dispose the buffer.
+   */
+  dispose() {
+    if (!this._disposed) {
+      zeroMemory(this._data);
+      this._disposed = true;
+    }
+  }
+  /**
+   * Execute a function with the data, then dispose.
+   */
+  async useAndDispose(fn) {
+    try {
+      return await fn(this._data);
+    } finally {
+      this.dispose();
+    }
+  }
+};
+
+// src/vault/migrate.ts
+function needsMigration(encryptedVault) {
+  return encryptedVault.version === VAULT_ENCRYPTED_VERSION;
+}
+function isV2Vault(encryptedVault) {
+  return encryptedVault.version === VAULT_ENCRYPTED_VERSION_V2;
+}
+function getVaultKdfInfo(encryptedVault) {
+  if (encryptedVault.version === VAULT_ENCRYPTED_VERSION_V2) {
+    const v2 = encryptedVault;
+    return {
+      kdf: `Argon2id (${v2.memoryCost / 1024}MB, ${v2.timeCost} iterations)`,
+      version: "v2",
+      isSecure: true
+    };
+  } else {
+    const v1 = encryptedVault;
+    return {
+      kdf: `PBKDF2-SHA256 (${v1.iterations.toLocaleString()} iterations)`,
+      version: "v1",
+      isSecure: true,
+      // Still secure, just not as modern
+      recommendation: "Consider upgrading to Argon2id for stronger protection"
+    };
+  }
+}
+async function migrateEncryptedVault(options) {
+  const { encryptedVault, password, keepBackup = false } = options;
+  if (isV2Vault(encryptedVault)) {
+    throw new Error("Vault is already v2 format, no migration needed");
+  }
+  let decryptedVaultJson = null;
+  try {
+    const vault = await decryptVault(encryptedVault, password);
+    const vaultJson = JSON.stringify(vault);
+    decryptedVaultJson = new TextEncoder().encode(vaultJson);
+    const newEncryptedVault = await encryptVaultV2(vault, password);
+    return {
+      encryptedVault: newEncryptedVault,
+      backup: keepBackup ? encryptedVault : void 0,
+      sourceVersion: encryptedVault.version,
+      targetVersion: VAULT_ENCRYPTED_VERSION_V2,
+      migratedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  } finally {
+    if (decryptedVaultJson) {
+      zeroMemory(decryptedVaultJson);
+    }
+  }
+}
+
+// src/fs/types.ts
+var OQE_MAGIC = new Uint8Array([79, 81, 69, 70]);
+var OQE_FORMAT_VERSION = 1;
+var ALGORITHM_SUITES = {
+  /** Hybrid: X25519 ECDH + Kyber768 KEM + AES-256-GCM */
+  HYBRID_X25519_KYBER768_AES256GCM: 1,
+  /** Password: Argon2id + AES-256-GCM */
+  PASSWORD_ARGON2ID_AES256GCM: 2
+};
+var DEFAULT_ARGON2ID_PARAMS = {
+  memoryCost: 65536,
+  // 64 MB
+  timeCost: 3,
+  parallelism: 4,
+  hashLength: 32,
+  saltLength: 32
+};
+var OQE_HEADER_SIZE = 30;
+var OQEError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "OQEError";
+  }
+};
+async function toUint8Array(input) {
+  if (input instanceof Uint8Array) {
+    return input;
+  }
+  if (input instanceof ArrayBuffer) {
+    return new Uint8Array(input);
+  }
+  const buffer = await input.arrayBuffer();
+  return new Uint8Array(buffer);
+}
+async function deriveKeyFromPassword(password, salt, params = DEFAULT_ARGON2ID_PARAMS) {
+  if (salt.length !== params.saltLength) {
+    throw new Error(`Salt must be ${params.saltLength} bytes, got ${salt.length}`);
+  }
+  const hash = await argon2id({
+    password,
+    salt,
+    parallelism: params.parallelism,
+    iterations: params.timeCost,
+    memorySize: params.memoryCost,
+    hashLength: params.hashLength,
+    outputType: "binary"
+  });
+  return new Uint8Array(hash);
+}
+function generateArgon2Salt(length = 32) {
+  return randN(length);
+}
+var _argon2Available2 = null;
+async function isArgon2Available() {
+  if (_argon2Available2 !== null) {
+    return _argon2Available2;
+  }
+  try {
+    await argon2id({
+      password: "test",
+      salt: new Uint8Array(16),
+      parallelism: 1,
+      iterations: 1,
+      memorySize: 1024,
+      // 1 MB
+      hashLength: 32,
+      outputType: "binary"
+    });
+    _argon2Available2 = true;
+  } catch {
+    _argon2Available2 = false;
+  }
+  return _argon2Available2;
+}
+
+// src/fs/aes.ts
+function toArrayBuffer(arr) {
+  if (arr.buffer instanceof SharedArrayBuffer || arr.byteOffset !== 0 || arr.byteLength !== arr.buffer.byteLength) {
+    const copy = new ArrayBuffer(arr.byteLength);
+    new Uint8Array(copy).set(arr);
+    return copy;
+  }
+  return arr.buffer;
+}
+var AES_KEY_SIZE = 32;
+var AES_GCM_IV_SIZE = 12;
+async function importAesKey(keyBytes) {
+  if (keyBytes.length !== AES_KEY_SIZE) {
+    throw new Error(`AES key must be ${AES_KEY_SIZE} bytes, got ${keyBytes.length}`);
+  }
+  return globalThis.crypto.subtle.importKey(
+    "raw",
+    toArrayBuffer(keyBytes),
+    { name: "AES-GCM", length: 256 },
+    false,
+    // not extractable
+    ["encrypt", "decrypt"]
+  );
+}
+async function aesEncrypt(plaintext, key, iv, additionalData) {
+  const cryptoKey = key instanceof CryptoKey ? key : await importAesKey(key);
+  const ivBytes = iv ?? rand12();
+  if (ivBytes.length !== AES_GCM_IV_SIZE) {
+    throw new Error(`IV must be ${AES_GCM_IV_SIZE} bytes, got ${ivBytes.length}`);
+  }
+  const encrypted = await globalThis.crypto.subtle.encrypt(
+    {
+      name: "AES-GCM",
+      iv: toArrayBuffer(ivBytes),
+      additionalData: void 0,
+      tagLength: 128
+      // 16 bytes
+    },
+    cryptoKey,
+    toArrayBuffer(plaintext)
+  );
+  return {
+    iv: ivBytes,
+    ciphertext: new Uint8Array(encrypted)
+    // Includes auth tag
+  };
+}
+async function aesDecrypt(ciphertext, key, iv, additionalData) {
+  const cryptoKey = key instanceof CryptoKey ? key : await importAesKey(key);
+  if (iv.length !== AES_GCM_IV_SIZE) {
+    throw new Error(`IV must be ${AES_GCM_IV_SIZE} bytes, got ${iv.length}`);
+  }
+  try {
+    const decrypted = await globalThis.crypto.subtle.decrypt(
+      {
+        name: "AES-GCM",
+        iv: toArrayBuffer(iv),
+        additionalData: additionalData ? toArrayBuffer(additionalData) : void 0,
+        tagLength: 128
+      },
+      cryptoKey,
+      toArrayBuffer(ciphertext)
+    );
+    return new Uint8Array(decrypted);
+  } catch (error) {
+    throw new Error("Decryption failed: authentication tag mismatch (wrong key or corrupted data)");
+  }
+}
+
+// src/fs/format.ts
+function writeUint32BE(value) {
+  const buffer = new ArrayBuffer(4);
+  new DataView(buffer).setUint32(0, value, false);
+  return new Uint8Array(buffer);
+}
+function readUint32BE(data, offset) {
+  return new DataView(data.buffer, data.byteOffset + offset).getUint32(0, false);
+}
+function writeUint16BE(value) {
+  const buffer = new ArrayBuffer(2);
+  new DataView(buffer).setUint16(0, value, false);
+  return new Uint8Array(buffer);
+}
+function readUint16BE(data, offset) {
+  return new DataView(data.buffer, data.byteOffset + offset).getUint16(0, false);
+}
+function writeOQEHeader(header) {
+  const buffer = new Uint8Array(OQE_HEADER_SIZE);
+  let offset = 0;
+  buffer.set(OQE_MAGIC, offset);
+  offset += 4;
+  buffer[offset++] = header.version;
+  buffer[offset++] = header.algorithmSuite;
+  buffer.set(writeUint32BE(header.flags), offset);
+  offset += 4;
+  buffer.set(writeUint32BE(header.metadataLength), offset);
+  offset += 4;
+  buffer.set(writeUint32BE(header.keyMaterialLength), offset);
+  offset += 4;
+  buffer.set(header.iv, offset);
+  return buffer;
+}
+function parseOQEHeader(data) {
+  if (data.length < OQE_HEADER_SIZE) {
+    throw new OQEError("INVALID_HEADER", `File too small: need ${OQE_HEADER_SIZE} bytes, got ${data.length}`);
+  }
+  let offset = 0;
+  const magic = data.slice(0, 4);
+  if (!magic.every((b, i) => b === OQE_MAGIC[i])) {
+    throw new OQEError("INVALID_MAGIC", "Not a valid OQE file (invalid magic bytes)");
+  }
+  offset += 4;
+  const version = data[offset++];
+  if (version !== OQE_FORMAT_VERSION) {
+    throw new OQEError("UNSUPPORTED_VERSION", `Unsupported OQE version: ${version}`);
+  }
+  const algorithmSuiteRaw = data[offset++];
+  if (algorithmSuiteRaw !== ALGORITHM_SUITES.HYBRID_X25519_KYBER768_AES256GCM && algorithmSuiteRaw !== ALGORITHM_SUITES.PASSWORD_ARGON2ID_AES256GCM) {
+    throw new OQEError("UNSUPPORTED_ALGORITHM", `Unsupported algorithm suite: 0x${algorithmSuiteRaw.toString(16)}`);
+  }
+  const algorithmSuite = algorithmSuiteRaw;
+  const flags = readUint32BE(data, offset);
+  offset += 4;
+  const metadataLength = readUint32BE(data, offset);
+  offset += 4;
+  const keyMaterialLength = readUint32BE(data, offset);
+  offset += 4;
+  const iv = data.slice(offset, offset + 12);
+  return {
+    version,
+    algorithmSuite,
+    flags,
+    metadataLength,
+    keyMaterialLength,
+    iv
+  };
+}
+function serializeHybridKeyMaterial(km) {
+  const parts = [];
+  parts.push(km.x25519EphemeralPk);
+  parts.push(km.x25519Nonce);
+  parts.push(writeUint16BE(km.x25519WrappedKey.length));
+  parts.push(km.x25519WrappedKey);
+  parts.push(writeUint16BE(km.kyberCiphertext.length));
+  parts.push(km.kyberCiphertext);
+  parts.push(km.kyberNonce);
+  parts.push(writeUint16BE(km.kyberWrappedKey.length));
+  parts.push(km.kyberWrappedKey);
+  const totalLength = parts.reduce((sum, p) => sum + p.length, 0);
+  const result = new Uint8Array(totalLength);
+  let offset = 0;
+  for (const part of parts) {
+    result.set(part, offset);
+    offset += part.length;
+  }
+  return result;
+}
+function parseHybridKeyMaterial(data) {
+  let offset = 0;
+  const x25519EphemeralPk = data.slice(offset, offset + 32);
+  offset += 32;
+  const x25519Nonce = data.slice(offset, offset + 24);
+  offset += 24;
+  const x25519WrappedLen = readUint16BE(data, offset);
+  offset += 2;
+  const x25519WrappedKey = data.slice(offset, offset + x25519WrappedLen);
+  offset += x25519WrappedLen;
+  const kyberCtLen = readUint16BE(data, offset);
+  offset += 2;
+  const kyberCiphertext = data.slice(offset, offset + kyberCtLen);
+  offset += kyberCtLen;
+  const kyberNonce = data.slice(offset, offset + 24);
+  offset += 24;
+  const kyberWrappedLen = readUint16BE(data, offset);
+  offset += 2;
+  const kyberWrappedKey = data.slice(offset, offset + kyberWrappedLen);
+  return {
+    x25519EphemeralPk,
+    x25519Nonce,
+    x25519WrappedKey,
+    kyberCiphertext,
+    kyberNonce,
+    kyberWrappedKey
+  };
+}
+function serializePasswordKeyMaterial(km) {
+  const result = new Uint8Array(32 + 4 + 4 + 4);
+  result.set(km.salt, 0);
+  result.set(writeUint32BE(km.memoryCost), 32);
+  result.set(writeUint32BE(km.timeCost), 36);
+  result.set(writeUint32BE(km.parallelism), 40);
+  return result;
+}
+function parsePasswordKeyMaterial(data) {
+  return {
+    salt: data.slice(0, 32),
+    memoryCost: readUint32BE(data, 32),
+    timeCost: readUint32BE(data, 36),
+    parallelism: readUint32BE(data, 40)
+  };
+}
+function serializeMetadata(metadata) {
+  const json = JSON.stringify(metadata);
+  return textEncoder.encode(json);
+}
+function parseMetadata(data) {
+  const json = textDecoder.decode(data);
+  return JSON.parse(json);
+}
+function assembleOQEFile(components) {
+  const { header, keyMaterial, encryptedMetadata, encryptedContent } = components;
+  const headerBytes = writeOQEHeader(header);
+  const totalLength = headerBytes.length + keyMaterial.length + encryptedMetadata.length + encryptedContent.length;
+  const result = new Uint8Array(totalLength);
+  let offset = 0;
+  result.set(headerBytes, offset);
+  offset += headerBytes.length;
+  result.set(keyMaterial, offset);
+  offset += keyMaterial.length;
+  result.set(encryptedMetadata, offset);
+  offset += encryptedMetadata.length;
+  result.set(encryptedContent, offset);
+  return result;
+}
+function parseOQEFile(data) {
+  const header = parseOQEHeader(data);
+  let offset = OQE_HEADER_SIZE;
+  const keyMaterial = data.slice(offset, offset + header.keyMaterialLength);
+  offset += header.keyMaterialLength;
+  const encryptedMetadata = data.slice(offset, offset + header.metadataLength);
+  offset += header.metadataLength;
+  const encryptedContent = data.slice(offset);
+  return {
+    header,
+    keyMaterial,
+    encryptedMetadata,
+    encryptedContent
+  };
+}
+var OQE_EXTENSION = ".oqe";
+function addOQEExtension(filename) {
+  if (filename.toLowerCase().endsWith(OQE_EXTENSION)) {
+    return filename;
+  }
+  return `${filename}${OQE_EXTENSION}`;
+}
+function hkdfFlex2(ikm, salt, info) {
+  return hkdfSha256(ikm, { salt: u8(salt), info: u8(info), length: 32 });
+}
+function computeIdentityHash(publicKeyHex) {
+  const hash = sha256(fromHex(publicKeyHex));
+  return toHex(hash).slice(0, 16);
+}
+async function encryptHybrid(plaintext, metadata, options) {
+  if (!await isKyberAvailable()) {
+    throw new OQEError("KYBER_UNAVAILABLE", "Kyber library not available in this environment");
+  }
+  const contentKey = rand32();
+  const iv = rand12();
+  const x25519EphKp = nacl4.box.keyPair();
+  const recipientX25519Pk = fromHex(options.recipientPublicKeys.x25519PubHex);
+  const x25519Shared = nacl4.scalarMult(x25519EphKp.secretKey, recipientX25519Pk);
+  const x25519Kek = hkdfFlex2(x25519Shared, "omnituum/fs/x25519", "wrap-content-key");
+  const x25519Nonce = rand24();
+  const x25519WrappedKey = nacl4.secretbox(contentKey, x25519Nonce, x25519Kek);
+  const kyberResult = await kyberEncapsulate(options.recipientPublicKeys.kyberPubB64);
+  const kyberKek = hkdfFlex2(kyberResult.sharedSecret, "omnituum/fs/kyber", "wrap-content-key");
+  const kyberNonce = rand24();
+  const kyberWrappedKey = nacl4.secretbox(contentKey, kyberNonce, kyberKek);
+  const keyMaterial = {
+    x25519EphemeralPk: x25519EphKp.publicKey,
+    x25519Nonce,
+    x25519WrappedKey,
+    kyberCiphertext: kyberResult.ciphertext,
+    kyberNonce,
+    kyberWrappedKey
+  };
+  const keyMaterialBytes = serializeHybridKeyMaterial(keyMaterial);
+  const metadataBytes = serializeMetadata(metadata);
+  const { ciphertext: encryptedMetadata } = await aesEncrypt(metadataBytes, contentKey, iv);
+  const { ciphertext: encryptedContent } = await aesEncrypt(plaintext, contentKey, iv);
+  const header = {
+    version: OQE_FORMAT_VERSION,
+    algorithmSuite: ALGORITHM_SUITES.HYBRID_X25519_KYBER768_AES256GCM,
+    flags: 0,
+    metadataLength: encryptedMetadata.length,
+    keyMaterialLength: keyMaterialBytes.length,
+    iv
+  };
+  const fileData = assembleOQEFile({
+    header,
+    keyMaterial: keyMaterialBytes,
+    encryptedMetadata,
+    encryptedContent
+  });
+  return {
+    data: fileData,
+    filename: addOQEExtension(metadata.filename),
+    metadata,
+    mode: "hybrid"
+  };
+}
+async function encryptPassword(plaintext, metadata, options) {
+  if (!await isArgon2Available()) {
+    throw new OQEError("ARGON2_UNAVAILABLE", "Argon2 library not available in this environment");
+  }
+  const params = {
+    ...DEFAULT_ARGON2ID_PARAMS,
+    ...options.argon2Params
+  };
+  const salt = generateArgon2Salt(params.saltLength);
+  const contentKey = await deriveKeyFromPassword(options.password, salt, params);
+  const iv = rand12();
+  const keyMaterial = {
+    salt,
+    memoryCost: params.memoryCost,
+    timeCost: params.timeCost,
+    parallelism: params.parallelism
+  };
+  const keyMaterialBytes = serializePasswordKeyMaterial(keyMaterial);
+  const metadataBytes = serializeMetadata(metadata);
+  const { ciphertext: encryptedMetadata } = await aesEncrypt(metadataBytes, contentKey, iv);
+  const { ciphertext: encryptedContent } = await aesEncrypt(plaintext, contentKey, iv);
+  const header = {
+    version: OQE_FORMAT_VERSION,
+    algorithmSuite: ALGORITHM_SUITES.PASSWORD_ARGON2ID_AES256GCM,
+    flags: 0,
+    metadataLength: encryptedMetadata.length,
+    keyMaterialLength: keyMaterialBytes.length,
+    iv
+  };
+  const fileData = assembleOQEFile({
+    header,
+    keyMaterial: keyMaterialBytes,
+    encryptedMetadata,
+    encryptedContent
+  });
+  return {
+    data: fileData,
+    filename: addOQEExtension(metadata.filename),
+    metadata,
+    mode: "password"
+  };
+}
+async function encryptFile(input, options) {
+  const plaintext = await toUint8Array(input.data);
+  const metadata = {
+    filename: input.filename,
+    originalSize: plaintext.length,
+    mimeType: input.mimeType,
+    encryptedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  if (options.mode === "hybrid") {
+    metadata.recipientIdHash = computeIdentityHash(options.recipientPublicKeys.x25519PubHex);
+    if (options.sender) {
+      metadata.encryptorIdHash = options.sender.id;
+    }
+  }
+  if (options.mode === "hybrid") {
+    return encryptHybrid(plaintext, metadata, options);
+  } else {
+    return encryptPassword(plaintext, metadata, options);
+  }
+}
+async function encryptFileWithPassword(input, password) {
+  return encryptFile(input, {
+    mode: "password",
+    password
+  });
+}
+function hkdfFlex3(ikm, salt, info) {
+  return hkdfSha256(ikm, { salt: u8(salt), info: u8(info), length: 32 });
+}
+async function decryptHybrid(encryptedData, options) {
+  const { header, keyMaterial, encryptedMetadata, encryptedContent } = parseOQEFile(encryptedData);
+  if (header.algorithmSuite !== ALGORITHM_SUITES.HYBRID_X25519_KYBER768_AES256GCM) {
+    throw new OQEError(
+      "UNSUPPORTED_ALGORITHM",
+      "This file was not encrypted with hybrid mode. Use password decryption."
+    );
+  }
+  const km = parseHybridKeyMaterial(keyMaterial);
+  let contentKey = null;
+  if (await isKyberAvailable()) {
+    try {
+      const kyberShared = await kyberDecapsulate(
+        toB64(km.kyberCiphertext),
+        options.recipientSecretKeys.kyberSecB64
+      );
+      const kyberKek = hkdfFlex3(kyberShared, "omnituum/fs/kyber", "wrap-content-key");
+      const unwrapped = nacl4.secretbox.open(km.kyberWrappedKey, km.kyberNonce, kyberKek);
+      if (unwrapped) {
+        contentKey = unwrapped;
+        console.log("[OQE] Decrypted content key via Kyber (post-quantum secure)");
+      }
+    } catch (e) {
+      console.warn("[OQE] Kyber decapsulation failed, trying X25519:", e);
+    }
+  }
+  if (!contentKey) {
+    try {
+      const ephPk = km.x25519EphemeralPk;
+      const sk = fromHex(options.recipientSecretKeys.x25519SecHex);
+      const x25519Shared = nacl4.scalarMult(sk, ephPk);
+      const x25519Kek = hkdfFlex3(x25519Shared, "omnituum/fs/x25519", "wrap-content-key");
+      const unwrapped = nacl4.secretbox.open(km.x25519WrappedKey, km.x25519Nonce, x25519Kek);
+      if (unwrapped) {
+        contentKey = unwrapped;
+        console.log("[OQE] Decrypted content key via X25519 (classical)");
+      }
+    } catch (e) {
+      console.warn("[OQE] X25519 decryption failed:", e);
+    }
+  }
+  if (!contentKey) {
+    throw new OQEError("KEY_UNWRAP_FAILED", "Could not unwrap content key with provided keys");
+  }
+  let metadata;
+  try {
+    const metadataBytes = await aesDecrypt(encryptedMetadata, contentKey, header.iv);
+    metadata = parseMetadata(metadataBytes);
+  } catch (e) {
+    throw new OQEError("DECRYPTION_FAILED", "Failed to decrypt file metadata");
+  }
+  let plaintext;
+  try {
+    plaintext = await aesDecrypt(encryptedContent, contentKey, header.iv);
+  } catch (e) {
+    throw new OQEError("DECRYPTION_FAILED", "Failed to decrypt file content");
+  }
+  return {
+    data: plaintext,
+    filename: metadata.filename,
+    mimeType: metadata.mimeType,
+    originalSize: metadata.originalSize,
+    metadata,
+    mode: "hybrid"
+  };
+}
+async function decryptPassword(encryptedData, options) {
+  if (!await isArgon2Available()) {
+    throw new OQEError("ARGON2_UNAVAILABLE", "Argon2 library not available in this environment");
+  }
+  const { header, keyMaterial, encryptedMetadata, encryptedContent } = parseOQEFile(encryptedData);
+  if (header.algorithmSuite !== ALGORITHM_SUITES.PASSWORD_ARGON2ID_AES256GCM) {
+    throw new OQEError(
+      "UNSUPPORTED_ALGORITHM",
+      "This file was not encrypted with password mode. Use hybrid decryption."
+    );
+  }
+  const km = parsePasswordKeyMaterial(keyMaterial);
+  const contentKey = await deriveKeyFromPassword(options.password, km.salt, {
+    memoryCost: km.memoryCost,
+    timeCost: km.timeCost,
+    parallelism: km.parallelism,
+    hashLength: 32,
+    saltLength: km.salt.length
+  });
+  let metadata;
+  try {
+    const metadataBytes = await aesDecrypt(encryptedMetadata, contentKey, header.iv);
+    metadata = parseMetadata(metadataBytes);
+  } catch (e) {
+    throw new OQEError("PASSWORD_WRONG", "Incorrect password or corrupted file");
+  }
+  let plaintext;
+  try {
+    plaintext = await aesDecrypt(encryptedContent, contentKey, header.iv);
+  } catch (e) {
+    throw new OQEError("DECRYPTION_FAILED", "Failed to decrypt file content");
+  }
+  return {
+    data: plaintext,
+    filename: metadata.filename,
+    mimeType: metadata.mimeType,
+    originalSize: metadata.originalSize,
+    metadata,
+    mode: "password"
+  };
+}
+async function decryptFile(encryptedData, options) {
+  const data = await toUint8Array(encryptedData);
+  if (options.mode === "hybrid") {
+    return decryptHybrid(data, options);
+  } else {
+    return decryptPassword(data, options);
+  }
+}
+async function decryptFileWithPassword(encryptedData, password) {
+  return decryptFile(encryptedData, {
+    mode: "password",
+    password
+  });
+}
+
+// src/tunnel/types.ts
+var TUNNEL_VERSION = "omnituum.tunnel.v1";
+var TUNNEL_KEY_SIZE = 32;
+var TUNNEL_NONCE_SIZE = 24;
+
+// src/tunnel/session.ts
+function deriveNonce(base, counter) {
+  const nonce = new Uint8Array(24);
+  nonce.set(base.subarray(0, 16), 0);
+  const view = new DataView(nonce.buffer, 16, 8);
+  const baseView = new DataView(base.buffer, base.byteOffset + 16, 8);
+  const baseValue = baseView.getBigUint64(0, false);
+  view.setBigUint64(0, baseValue ^ counter, false);
+  return nonce;
+}
+function validateKeyMaterial(keys) {
+  if (!keys.sendKey || keys.sendKey.length !== TUNNEL_KEY_SIZE) {
+    throw new Error(`sendKey must be ${TUNNEL_KEY_SIZE} bytes`);
+  }
+  if (!keys.recvKey || keys.recvKey.length !== TUNNEL_KEY_SIZE) {
+    throw new Error(`recvKey must be ${TUNNEL_KEY_SIZE} bytes`);
+  }
+  if (!keys.sendBaseNonce || keys.sendBaseNonce.length !== TUNNEL_NONCE_SIZE) {
+    throw new Error(`sendBaseNonce must be ${TUNNEL_NONCE_SIZE} bytes`);
+  }
+  if (!keys.recvBaseNonce || keys.recvBaseNonce.length !== TUNNEL_NONCE_SIZE) {
+    throw new Error(`recvBaseNonce must be ${TUNNEL_NONCE_SIZE} bytes`);
+  }
+}
+function createTunnelSession(keys) {
+  validateKeyMaterial(keys);
+  const sendKey = new Uint8Array(keys.sendKey);
+  const recvKey = new Uint8Array(keys.recvKey);
+  const sendBaseNonce = new Uint8Array(keys.sendBaseNonce);
+  const recvBaseNonce = new Uint8Array(keys.recvBaseNonce);
+  let sendCounter = 0n;
+  let recvCounter = 0n;
+  let closed = false;
+  function assertOpen() {
+    if (closed) {
+      throw new Error("Tunnel is closed");
+    }
+  }
+  return {
+    encrypt(plaintext, aad) {
+      assertOpen();
+      const nonce = deriveNonce(sendBaseNonce, sendCounter);
+      const ciphertext = xChaCha20Poly1305Encrypt(sendKey, nonce, plaintext, aad);
+      sendCounter++;
+      zeroMemory(nonce);
+      return ciphertext;
+    },
+    decrypt(ciphertext, aad) {
+      assertOpen();
+      const nonce = deriveNonce(recvBaseNonce, recvCounter);
+      const plaintext = xChaCha20Poly1305Decrypt(recvKey, nonce, ciphertext, aad);
+      recvCounter++;
+      zeroMemory(nonce);
+      return plaintext;
+    },
+    close() {
+      if (closed) return;
+      closed = true;
+      zeroMemory(sendKey);
+      zeroMemory(recvKey);
+      zeroMemory(sendBaseNonce);
+      zeroMemory(recvBaseNonce);
+    },
+    get isOpen() {
+      return !closed;
+    },
+    get sendCounter() {
+      return sendCounter;
+    },
+    get recvCounter() {
+      return recvCounter;
+    }
+  };
+}
+
+export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };