@omnituum/pqc-shared 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dist/crypto/index.cjs +29 -71
  2. package/dist/crypto/index.d.cts +38 -45
  3. package/dist/crypto/index.d.ts +38 -45
  4. package/dist/crypto/index.js +28 -72
  5. package/dist/crypto/safe/index.cjs +556 -0
  6. package/dist/crypto/safe/index.d.cts +341 -0
  7. package/dist/crypto/safe/index.d.ts +341 -0
  8. package/dist/crypto/safe/index.js +524 -0
  9. package/dist/fs/index.cjs +6 -34
  10. package/dist/fs/index.js +6 -34
  11. package/dist/index.cjs +29 -71
  12. package/dist/index.d.cts +4 -4
  13. package/dist/index.d.ts +4 -4
  14. package/dist/index.js +28 -72
  15. package/dist/{integrity-CCYjrap3.d.ts → integrity-BPvNsC50.d.ts} +1 -1
  16. package/dist/{integrity-Dx9jukMH.d.cts → integrity-ByMp24VA.d.cts} +1 -1
  17. package/dist/{types-61c7Q9ri.d.ts → types-Dx_AFqow.d.cts} +54 -2
  18. package/dist/{types-Ch0y-n7K.d.cts → types-Dx_AFqow.d.ts} +54 -2
  19. package/dist/utils/index.d.cts +2 -3
  20. package/dist/utils/index.d.ts +2 -3
  21. package/dist/vault/index.cjs +13 -41
  22. package/dist/vault/index.d.cts +2 -3
  23. package/dist/vault/index.d.ts +2 -3
  24. package/dist/vault/index.js +13 -41
  25. package/package.json +27 -13
  26. package/src/crypto/dilithium.ts +8 -4
  27. package/src/crypto/hybrid.ts +13 -29
  28. package/src/crypto/index.ts +3 -0
  29. package/src/crypto/kyber.ts +63 -121
  30. package/src/crypto/safe/adapters.ts +306 -0
  31. package/src/crypto/safe/dilithium.ts +74 -0
  32. package/src/crypto/safe/index.ts +97 -0
  33. package/src/crypto/safe/kyber.ts +47 -0
  34. package/src/crypto/safe/manifests.ts +192 -0
  35. package/src/crypto/safe/secretbox.ts +24 -0
  36. package/src/crypto/safe/types.ts +88 -0
  37. package/src/crypto/safe/x25519.ts +31 -0
  38. package/src/index.ts +7 -4
  39. package/src/version.ts +9 -4
  40. package/dist/version-BygzPVGs.d.cts +0 -55
  41. package/dist/version-BygzPVGs.d.ts +0 -55
package/dist/index.cjs CHANGED
@@ -3,6 +3,8 @@
3
3
  var nacl4 = require('tweetnacl');
4
4
  var sha2_js = require('@noble/hashes/sha2.js');
5
5
  var hmac_js = require('@noble/hashes/hmac.js');
6
+ var mlKem_js = require('@noble/post-quantum/ml-kem.js');
7
+ var envelopeRegistry = require('@omnituum/envelope-registry');
6
8
  var hashWasm = require('hash-wasm');
7
9
  var blake3_js = require('@noble/hashes/blake3.js');
8
10
  var chacha_js = require('@noble/ciphers/chacha.js');
@@ -152,78 +154,37 @@ function x25519SharedSecret(ourSecretKey, theirPublicKey) {
152
154
  function deriveKeyFromShared(shared, salt, info) {
153
155
  return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
154
156
  }
155
- var kyberModule = null;
156
- async function loadKyber() {
157
- if (kyberModule) return kyberModule;
158
- try {
159
- const m = await import('kyber-crystals');
160
- const k = m.default ?? m;
161
- kyberModule = k.kyber ?? k;
162
- return kyberModule;
163
- } catch (e) {
164
- console.warn("[Kyber] Failed to load kyber-crystals:", e);
165
- return null;
166
- }
167
- }
157
+ var KYBER_SUITE = "ML-KEM-1024-FIPS203";
168
158
  async function isKyberAvailable() {
169
- const mod = await loadKyber();
170
- return mod !== null;
159
+ return true;
171
160
  }
172
161
  async function generateKyberKeypair() {
173
- try {
174
- const mod = await loadKyber();
175
- if (!mod) return null;
176
- if (mod?.ready?.then) {
177
- await mod.ready;
178
- }
179
- const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
180
- if (typeof fn !== "function") {
181
- console.warn("[Kyber] No keypair function found");
182
- return null;
183
- }
184
- const kp = await fn.call(mod);
185
- const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
186
- const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
187
- if (!pub || !priv) {
188
- console.warn("[Kyber] Invalid keypair result");
189
- return null;
190
- }
191
- return {
192
- publicB64: b64(new Uint8Array(pub)),
193
- secretB64: b64(new Uint8Array(priv))
194
- };
195
- } catch (e) {
196
- console.warn("[Kyber] Key generation failed:", e);
197
- return null;
162
+ const seed = randN(64);
163
+ const kp = mlKem_js.ml_kem1024.keygen(seed);
164
+ return {
165
+ publicB64: b64(kp.publicKey),
166
+ secretB64: b64(kp.secretKey)
167
+ };
168
+ }
169
+ function generateKyberKeypairFromSeed(seed) {
170
+ if (seed.length !== 64) {
171
+ throw new Error("Kyber seed must be 64 bytes");
198
172
  }
173
+ const kp = mlKem_js.ml_kem1024.keygen(seed);
174
+ return { publicKey: kp.publicKey, secretKey: kp.secretKey };
199
175
  }
200
176
  async function kyberEncapsulate(pubKeyB64) {
201
- const kyber = await loadKyber();
202
- if (!kyber?.encrypt) {
203
- throw new Error("Kyber encrypt not available");
204
- }
205
177
  const pk = ub64(pubKeyB64);
206
- const r = await kyber.encrypt(pk);
207
- const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
208
- const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
209
- if (!ctRaw || !ssRaw) {
210
- throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
211
- }
178
+ const enc = mlKem_js.ml_kem1024.encapsulate(pk);
212
179
  return {
213
- ciphertext: new Uint8Array(ctRaw),
214
- sharedSecret: new Uint8Array(ssRaw)
180
+ ciphertext: enc.cipherText,
181
+ sharedSecret: enc.sharedSecret
215
182
  };
216
183
  }
217
184
  async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
218
- const kyber = await loadKyber();
219
- if (!kyber?.decrypt && !kyber?.decapsulate) {
220
- throw new Error("Kyber decrypt/decapsulate not available");
221
- }
222
185
  const ct = ub64(kemCiphertextB64);
223
186
  const sk = ub64(secretKeyB64);
224
- const r = kyber.decrypt ? await kyber.decrypt(ct, sk) : await kyber.decapsulate(ct, sk);
225
- const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
226
- return new Uint8Array(key);
187
+ return mlKem_js.ml_kem1024.decapsulate(ct, sk);
227
188
  }
228
189
  function kyberWrapKey(sharedSecret, msgKey32) {
229
190
  if (msgKey32.length !== 32) {
@@ -232,10 +193,7 @@ function kyberWrapKey(sharedSecret, msgKey32) {
232
193
  const kek = sha256(sharedSecret);
233
194
  const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
234
195
  const wrapped = nacl4__default.default.secretbox(msgKey32, nonce, kek);
235
- return {
236
- nonce: b64(nonce),
237
- wrapped: b64(wrapped)
238
- };
196
+ return { nonce: b64(nonce), wrapped: b64(wrapped) };
239
197
  }
240
198
  function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
241
199
  const kek = sha256(sharedSecret);
@@ -243,10 +201,8 @@ function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
243
201
  const wrapped = ub64(wrappedB64);
244
202
  return nacl4__default.default.secretbox.open(wrapped, nonce, kek) || null;
245
203
  }
246
-
247
- // src/version.ts
248
- var ENVELOPE_VERSION = "omnituum.hybrid.v1";
249
- var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
204
+ var ENVELOPE_VERSION = envelopeRegistry.OMNI_VERSIONS.HYBRID_V1;
205
+ var ENVELOPE_VERSION_LEGACY = envelopeRegistry.DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
250
206
  var VAULT_VERSION = "omnituum.vault.v1";
251
207
  var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
252
208
  var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
@@ -587,7 +543,7 @@ async function dilithiumSign(message, secretKeyB64) {
587
543
  }
588
544
  const sk = fromB64(secretKeyB64);
589
545
  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
590
- const signature = mod.sign(sk, msg);
546
+ const signature = mod.sign(msg, sk);
591
547
  return {
592
548
  signature: toB64(signature),
593
549
  algorithm: "ML-DSA-65"
@@ -598,7 +554,7 @@ async function dilithiumSignRaw(message, secretKey) {
598
554
  if (!mod) {
599
555
  throw new Error("Dilithium library not available");
600
556
  }
601
- return mod.sign(secretKey, message);
557
+ return mod.sign(message, secretKey);
602
558
  }
603
559
  async function dilithiumVerify(message, signatureB64, publicKeyB64) {
604
560
  const mod = await loadDilithium();
@@ -609,7 +565,7 @@ async function dilithiumVerify(message, signatureB64, publicKeyB64) {
609
565
  const sig = fromB64(signatureB64);
610
566
  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
611
567
  try {
612
- return mod.verify(pk, msg, sig);
568
+ return mod.verify(sig, msg, pk);
613
569
  } catch {
614
570
  return false;
615
571
  }
@@ -620,7 +576,7 @@ async function dilithiumVerifyRaw(message, signature, publicKey) {
620
576
  throw new Error("Dilithium library not available");
621
577
  }
622
578
  try {
623
- return mod.verify(publicKey, message, signature);
579
+ return mod.verify(signature, message, publicKey);
624
580
  } catch {
625
581
  return false;
626
582
  }
@@ -2046,6 +2002,7 @@ exports.ENVELOPE_SUITE = ENVELOPE_SUITE;
2046
2002
  exports.ENVELOPE_VERSION = ENVELOPE_VERSION;
2047
2003
  exports.KDF_CONFIG_ARGON2ID = KDF_CONFIG_ARGON2ID;
2048
2004
  exports.KDF_CONFIG_PBKDF2 = KDF_CONFIG_PBKDF2;
2005
+ exports.KYBER_SUITE = KYBER_SUITE;
2049
2006
  exports.POLY1305_TAG_SIZE = POLY1305_TAG_SIZE;
2050
2007
  exports.SECRETBOX_KEY_SIZE = SECRETBOX_KEY_SIZE;
2051
2008
  exports.SECRETBOX_NONCE_SIZE = SECRETBOX_NONCE_SIZE;
@@ -2101,6 +2058,7 @@ exports.generateDilithiumKeypair = generateDilithiumKeypair;
2101
2058
  exports.generateDilithiumKeypairFromSeed = generateDilithiumKeypairFromSeed;
2102
2059
  exports.generateHybridIdentity = generateHybridIdentity;
2103
2060
  exports.generateKyberKeypair = generateKyberKeypair;
2061
+ exports.generateKyberKeypairFromSeed = generateKyberKeypairFromSeed;
2104
2062
  exports.generateSalt = generateSalt;
2105
2063
  exports.generateX25519Keypair = generateX25519Keypair;
2106
2064
  exports.generateX25519KeypairFromSeed = generateX25519KeypairFromSeed;
package/dist/index.d.cts CHANGED
@@ -1,9 +1,9 @@
1
- export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KyberEncapsulation, KyberKeypair, KyberKeypairB64, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.cjs';
2
- export { E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault } from './types-Ch0y-n7K.cjs';
1
+ export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KYBER_SUITE, KyberEncapsulation, KyberKeypair, KyberKeypairB64, KyberSuite, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.cjs';
2
+ export { e as ENVELOPE_AEAD, d as ENVELOPE_SUITE, c as ENVELOPE_VERSION, E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault, h as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, b as VAULT_ENCRYPTED_VERSION_V2, f as VAULT_KDF, g as VAULT_KDF_V2, V as VAULT_VERSION, j as validateEncryptedVault, i as validateEnvelope, v as validateVault } from './types-Dx_AFqow.cjs';
3
3
  export { MigrationOptions, MigrationResult, addIdentity, createEmptyVault, createIdentity, decryptVault, encryptVault, getVaultKdfInfo, isV2Vault, migrateEncryptedVault, needsMigration } from './vault/index.cjs';
4
- export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-Dx9jukMH.cjs';
5
- export { g as ENVELOPE_AEAD, f as ENVELOPE_SUITE, E as ENVELOPE_VERSION, c as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, d as VAULT_ENCRYPTED_VERSION_V2, b as VAULT_KDF, e as VAULT_KDF_V2, V as VAULT_VERSION, i as validateEncryptedVault, h as validateEnvelope, v as validateVault } from './version-BygzPVGs.cjs';
4
+ export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-ByMp24VA.cjs';
6
5
  export { D as DecryptOptions, E as EncryptOptions, c as OQEDecryptResult, O as OQEEncryptResult, d as decryptFile, b as decryptFileWithPassword, e as encryptFile, a as encryptFileWithPassword } from './decrypt-eSHlbh1j.cjs';
6
+ import '@omnituum/envelope-registry';
7
7
  import '@noble/ciphers/utils.js';
8
8
 
9
9
  /**
package/dist/index.d.ts CHANGED
@@ -1,9 +1,9 @@
1
- export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KyberEncapsulation, KyberKeypair, KyberKeypairB64, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.js';
2
- export { E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault } from './types-61c7Q9ri.js';
1
+ export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KYBER_SUITE, KyberEncapsulation, KyberKeypair, KyberKeypairB64, KyberSuite, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.js';
2
+ export { e as ENVELOPE_AEAD, d as ENVELOPE_SUITE, c as ENVELOPE_VERSION, E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault, h as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, b as VAULT_ENCRYPTED_VERSION_V2, f as VAULT_KDF, g as VAULT_KDF_V2, V as VAULT_VERSION, j as validateEncryptedVault, i as validateEnvelope, v as validateVault } from './types-Dx_AFqow.js';
3
3
  export { MigrationOptions, MigrationResult, addIdentity, createEmptyVault, createIdentity, decryptVault, encryptVault, getVaultKdfInfo, isV2Vault, migrateEncryptedVault, needsMigration } from './vault/index.js';
4
- export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-CCYjrap3.js';
5
- export { g as ENVELOPE_AEAD, f as ENVELOPE_SUITE, E as ENVELOPE_VERSION, c as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, d as VAULT_ENCRYPTED_VERSION_V2, b as VAULT_KDF, e as VAULT_KDF_V2, V as VAULT_VERSION, i as validateEncryptedVault, h as validateEnvelope, v as validateVault } from './version-BygzPVGs.js';
4
+ export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-BPvNsC50.js';
6
5
  export { D as DecryptOptions, E as EncryptOptions, c as OQEDecryptResult, O as OQEEncryptResult, d as decryptFile, b as decryptFileWithPassword, e as encryptFile, a as encryptFileWithPassword } from './decrypt-eSHlbh1j.js';
6
+ import '@omnituum/envelope-registry';
7
7
  import '@noble/ciphers/utils.js';
8
8
 
9
9
  /**
package/dist/index.js CHANGED
@@ -1,6 +1,8 @@
1
1
  import nacl4 from 'tweetnacl';
2
2
  import { sha256 as sha256$1, sha512 } from '@noble/hashes/sha2.js';
3
3
  import { hmac } from '@noble/hashes/hmac.js';
4
+ import { ml_kem1024 } from '@noble/post-quantum/ml-kem.js';
5
+ import { OMNI_VERSIONS, DEPRECATED_VERSIONS } from '@omnituum/envelope-registry';
4
6
  import { argon2id } from 'hash-wasm';
5
7
  import { blake3 as blake3$1 } from '@noble/hashes/blake3.js';
6
8
  import { chacha20poly1305, xchacha20poly1305 } from '@noble/ciphers/chacha.js';
@@ -146,78 +148,37 @@ function x25519SharedSecret(ourSecretKey, theirPublicKey) {
146
148
  function deriveKeyFromShared(shared, salt, info) {
147
149
  return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
148
150
  }
149
- var kyberModule = null;
150
- async function loadKyber() {
151
- if (kyberModule) return kyberModule;
152
- try {
153
- const m = await import('kyber-crystals');
154
- const k = m.default ?? m;
155
- kyberModule = k.kyber ?? k;
156
- return kyberModule;
157
- } catch (e) {
158
- console.warn("[Kyber] Failed to load kyber-crystals:", e);
159
- return null;
160
- }
161
- }
151
+ var KYBER_SUITE = "ML-KEM-1024-FIPS203";
162
152
  async function isKyberAvailable() {
163
- const mod = await loadKyber();
164
- return mod !== null;
153
+ return true;
165
154
  }
166
155
  async function generateKyberKeypair() {
167
- try {
168
- const mod = await loadKyber();
169
- if (!mod) return null;
170
- if (mod?.ready?.then) {
171
- await mod.ready;
172
- }
173
- const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
174
- if (typeof fn !== "function") {
175
- console.warn("[Kyber] No keypair function found");
176
- return null;
177
- }
178
- const kp = await fn.call(mod);
179
- const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
180
- const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
181
- if (!pub || !priv) {
182
- console.warn("[Kyber] Invalid keypair result");
183
- return null;
184
- }
185
- return {
186
- publicB64: b64(new Uint8Array(pub)),
187
- secretB64: b64(new Uint8Array(priv))
188
- };
189
- } catch (e) {
190
- console.warn("[Kyber] Key generation failed:", e);
191
- return null;
156
+ const seed = randN(64);
157
+ const kp = ml_kem1024.keygen(seed);
158
+ return {
159
+ publicB64: b64(kp.publicKey),
160
+ secretB64: b64(kp.secretKey)
161
+ };
162
+ }
163
+ function generateKyberKeypairFromSeed(seed) {
164
+ if (seed.length !== 64) {
165
+ throw new Error("Kyber seed must be 64 bytes");
192
166
  }
167
+ const kp = ml_kem1024.keygen(seed);
168
+ return { publicKey: kp.publicKey, secretKey: kp.secretKey };
193
169
  }
194
170
  async function kyberEncapsulate(pubKeyB64) {
195
- const kyber = await loadKyber();
196
- if (!kyber?.encrypt) {
197
- throw new Error("Kyber encrypt not available");
198
- }
199
171
  const pk = ub64(pubKeyB64);
200
- const r = await kyber.encrypt(pk);
201
- const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
202
- const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
203
- if (!ctRaw || !ssRaw) {
204
- throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
205
- }
172
+ const enc = ml_kem1024.encapsulate(pk);
206
173
  return {
207
- ciphertext: new Uint8Array(ctRaw),
208
- sharedSecret: new Uint8Array(ssRaw)
174
+ ciphertext: enc.cipherText,
175
+ sharedSecret: enc.sharedSecret
209
176
  };
210
177
  }
211
178
  async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
212
- const kyber = await loadKyber();
213
- if (!kyber?.decrypt && !kyber?.decapsulate) {
214
- throw new Error("Kyber decrypt/decapsulate not available");
215
- }
216
179
  const ct = ub64(kemCiphertextB64);
217
180
  const sk = ub64(secretKeyB64);
218
- const r = kyber.decrypt ? await kyber.decrypt(ct, sk) : await kyber.decapsulate(ct, sk);
219
- const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
220
- return new Uint8Array(key);
181
+ return ml_kem1024.decapsulate(ct, sk);
221
182
  }
222
183
  function kyberWrapKey(sharedSecret, msgKey32) {
223
184
  if (msgKey32.length !== 32) {
@@ -226,10 +187,7 @@ function kyberWrapKey(sharedSecret, msgKey32) {
226
187
  const kek = sha256(sharedSecret);
227
188
  const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
228
189
  const wrapped = nacl4.secretbox(msgKey32, nonce, kek);
229
- return {
230
- nonce: b64(nonce),
231
- wrapped: b64(wrapped)
232
- };
190
+ return { nonce: b64(nonce), wrapped: b64(wrapped) };
233
191
  }
234
192
  function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
235
193
  const kek = sha256(sharedSecret);
@@ -237,10 +195,8 @@ function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
237
195
  const wrapped = ub64(wrappedB64);
238
196
  return nacl4.secretbox.open(wrapped, nonce, kek) || null;
239
197
  }
240
-
241
- // src/version.ts
242
- var ENVELOPE_VERSION = "omnituum.hybrid.v1";
243
- var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
198
+ var ENVELOPE_VERSION = OMNI_VERSIONS.HYBRID_V1;
199
+ var ENVELOPE_VERSION_LEGACY = DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
244
200
  var VAULT_VERSION = "omnituum.vault.v1";
245
201
  var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
246
202
  var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
@@ -581,7 +537,7 @@ async function dilithiumSign(message, secretKeyB64) {
581
537
  }
582
538
  const sk = fromB64(secretKeyB64);
583
539
  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
584
- const signature = mod.sign(sk, msg);
540
+ const signature = mod.sign(msg, sk);
585
541
  return {
586
542
  signature: toB64(signature),
587
543
  algorithm: "ML-DSA-65"
@@ -592,7 +548,7 @@ async function dilithiumSignRaw(message, secretKey) {
592
548
  if (!mod) {
593
549
  throw new Error("Dilithium library not available");
594
550
  }
595
- return mod.sign(secretKey, message);
551
+ return mod.sign(message, secretKey);
596
552
  }
597
553
  async function dilithiumVerify(message, signatureB64, publicKeyB64) {
598
554
  const mod = await loadDilithium();
@@ -603,7 +559,7 @@ async function dilithiumVerify(message, signatureB64, publicKeyB64) {
603
559
  const sig = fromB64(signatureB64);
604
560
  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
605
561
  try {
606
- return mod.verify(pk, msg, sig);
562
+ return mod.verify(sig, msg, pk);
607
563
  } catch {
608
564
  return false;
609
565
  }
@@ -614,7 +570,7 @@ async function dilithiumVerifyRaw(message, signature, publicKey) {
614
570
  throw new Error("Dilithium library not available");
615
571
  }
616
572
  try {
617
- return mod.verify(publicKey, message, signature);
573
+ return mod.verify(signature, message, publicKey);
618
574
  } catch {
619
575
  return false;
620
576
  }
@@ -2027,4 +1983,4 @@ function createTunnelSession(keys) {
2027
1983
  };
2028
1984
  }
2029
1985
 
2030
- export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };
1986
+ export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, KYBER_SUITE, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };
@@ -1,4 +1,4 @@
1
- import { H as HybridIdentityRecord } from './types-61c7Q9ri.js';
1
+ import { H as HybridIdentityRecord } from './types-Dx_AFqow.js';
2
2
 
3
3
  /**
4
4
  * Omnituum PQC Shared - Integrity Verification
@@ -1,4 +1,4 @@
1
- import { H as HybridIdentityRecord } from './types-Ch0y-n7K.cjs';
1
+ import { H as HybridIdentityRecord } from './types-Dx_AFqow.cjs';
2
2
 
3
3
  /**
4
4
  * Omnituum PQC Shared - Integrity Verification
@@ -1,4 +1,56 @@
1
- import { V as VAULT_VERSION, a as VAULT_ENCRYPTED_VERSION, b as VAULT_KDF, c as VAULT_ALGORITHM, d as VAULT_ENCRYPTED_VERSION_V2, e as VAULT_KDF_V2 } from './version-BygzPVGs.js';
1
+ /**
2
+ * Omnituum PQC Shared - Version Constants & Guards
3
+ *
4
+ * FROZEN CONTRACTS: These version strings define the wire format.
5
+ * Breaking changes require a version bump.
6
+ *
7
+ * @see pqc-docs/specs/envelope.v1.md
8
+ * @see pqc-docs/specs/vault.v1.md
9
+ * @see pqc-docs/specs/identity.v1.md
10
+ */
11
+ /** HybridEnvelope version - hybrid encryption format (from registry) */
12
+ declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
13
+ /** OmnituumVault version - decrypted vault format */
14
+ declare const VAULT_VERSION: "omnituum.vault.v1";
15
+ /** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
16
+ declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
17
+ /** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
18
+ declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
19
+ /** Algorithm suite for hybrid encryption */
20
+ declare const ENVELOPE_SUITE: "x25519+kyber768";
21
+ /** AEAD algorithm for envelope content */
22
+ declare const ENVELOPE_AEAD: "xsalsa20poly1305";
23
+ /** KDF for vault encryption (v1) */
24
+ declare const VAULT_KDF: "PBKDF2-SHA256";
25
+ /** KDF for vault encryption (v2) */
26
+ declare const VAULT_KDF_V2: "Argon2id";
27
+ /** Encryption algorithm for vault */
28
+ declare const VAULT_ALGORITHM: "AES-256-GCM";
29
+ /**
30
+ * Validate envelope structure and version.
31
+ * Returns detailed validation result.
32
+ */
33
+ declare function validateEnvelope(envelope: unknown): {
34
+ valid: boolean;
35
+ version?: string;
36
+ errors: string[];
37
+ };
38
+ /**
39
+ * Validate vault structure and version.
40
+ */
41
+ declare function validateVault(vault: unknown): {
42
+ valid: boolean;
43
+ version?: string;
44
+ errors: string[];
45
+ };
46
+ /**
47
+ * Validate encrypted vault structure and version.
48
+ */
49
+ declare function validateEncryptedVault(encVault: unknown): {
50
+ valid: boolean;
51
+ version?: string;
52
+ errors: string[];
53
+ };
2
54
 
3
55
  /**
4
56
  * Omnituum PQC Shared - Vault Types
@@ -131,4 +183,4 @@ interface VaultSession {
131
183
  declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
132
184
  declare const PBKDF2_ITERATIONS = 600000;
133
185
 
134
- export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, type VaultSettings as V, type EncryptedVaultFileV2 as a, type VaultSession as b, type EncryptedVaultFileV1 as c, type HealthStatus as d };
186
+ export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
@@ -1,4 +1,56 @@
1
- import { V as VAULT_VERSION, a as VAULT_ENCRYPTED_VERSION, b as VAULT_KDF, c as VAULT_ALGORITHM, d as VAULT_ENCRYPTED_VERSION_V2, e as VAULT_KDF_V2 } from './version-BygzPVGs.cjs';
1
+ /**
2
+ * Omnituum PQC Shared - Version Constants & Guards
3
+ *
4
+ * FROZEN CONTRACTS: These version strings define the wire format.
5
+ * Breaking changes require a version bump.
6
+ *
7
+ * @see pqc-docs/specs/envelope.v1.md
8
+ * @see pqc-docs/specs/vault.v1.md
9
+ * @see pqc-docs/specs/identity.v1.md
10
+ */
11
+ /** HybridEnvelope version - hybrid encryption format (from registry) */
12
+ declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
13
+ /** OmnituumVault version - decrypted vault format */
14
+ declare const VAULT_VERSION: "omnituum.vault.v1";
15
+ /** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
16
+ declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
17
+ /** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
18
+ declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
19
+ /** Algorithm suite for hybrid encryption */
20
+ declare const ENVELOPE_SUITE: "x25519+kyber768";
21
+ /** AEAD algorithm for envelope content */
22
+ declare const ENVELOPE_AEAD: "xsalsa20poly1305";
23
+ /** KDF for vault encryption (v1) */
24
+ declare const VAULT_KDF: "PBKDF2-SHA256";
25
+ /** KDF for vault encryption (v2) */
26
+ declare const VAULT_KDF_V2: "Argon2id";
27
+ /** Encryption algorithm for vault */
28
+ declare const VAULT_ALGORITHM: "AES-256-GCM";
29
+ /**
30
+ * Validate envelope structure and version.
31
+ * Returns detailed validation result.
32
+ */
33
+ declare function validateEnvelope(envelope: unknown): {
34
+ valid: boolean;
35
+ version?: string;
36
+ errors: string[];
37
+ };
38
+ /**
39
+ * Validate vault structure and version.
40
+ */
41
+ declare function validateVault(vault: unknown): {
42
+ valid: boolean;
43
+ version?: string;
44
+ errors: string[];
45
+ };
46
+ /**
47
+ * Validate encrypted vault structure and version.
48
+ */
49
+ declare function validateEncryptedVault(encVault: unknown): {
50
+ valid: boolean;
51
+ version?: string;
52
+ errors: string[];
53
+ };
2
54
 
3
55
  /**
4
56
  * Omnituum PQC Shared - Vault Types
@@ -131,4 +183,4 @@ interface VaultSession {
131
183
  declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
132
184
  declare const PBKDF2_ITERATIONS = 600000;
133
185
 
134
- export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, type VaultSettings as V, type EncryptedVaultFileV2 as a, type VaultSession as b, type EncryptedVaultFileV1 as c, type HealthStatus as d };
186
+ export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
@@ -1,6 +1,5 @@
1
- export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-Dx9jukMH.cjs';
2
- import '../types-Ch0y-n7K.cjs';
3
- import '../version-BygzPVGs.cjs';
1
+ export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-ByMp24VA.cjs';
2
+ import '../types-Dx_AFqow.cjs';
4
3
 
5
4
  /**
6
5
  * Omnituum PQC Shared - Entropy & Randomness Utilities
@@ -1,6 +1,5 @@
1
- export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-CCYjrap3.js';
2
- import '../types-61c7Q9ri.js';
3
- import '../version-BygzPVGs.js';
1
+ export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-BPvNsC50.js';
2
+ import '../types-Dx_AFqow.js';
4
3
 
5
4
  /**
6
5
  * Omnituum PQC Shared - Entropy & Randomness Utilities
@@ -2,8 +2,10 @@
2
2
 
3
3
  require('@noble/hashes/sha2.js');
4
4
  require('@noble/hashes/hmac.js');
5
+ var envelopeRegistry = require('@omnituum/envelope-registry');
5
6
  var hashWasm = require('hash-wasm');
6
7
  var nacl = require('tweetnacl');
8
+ var mlKem_js = require('@noble/post-quantum/ml-kem.js');
7
9
  require('@noble/hashes/blake3.js');
8
10
  require('@noble/ciphers/chacha.js');
9
11
  require('@noble/hashes/hkdf.js');
@@ -39,9 +41,12 @@ function fromB64(str) {
39
41
  function toHex(bytes) {
40
42
  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
41
43
  }
44
+ function randN(n) {
45
+ return globalThis.crypto.getRandomValues(new Uint8Array(n));
46
+ }
42
47
  var b64 = toB64;
43
-
44
- // src/version.ts
48
+ envelopeRegistry.OMNI_VERSIONS.HYBRID_V1;
49
+ envelopeRegistry.DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
45
50
  var VAULT_VERSION = "omnituum.vault.v1";
46
51
  var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
47
52
  var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
@@ -364,46 +369,13 @@ function generateX25519Keypair() {
364
369
  secretBytes: kp.secretKey
365
370
  };
366
371
  }
367
- var kyberModule = null;
368
- async function loadKyber() {
369
- if (kyberModule) return kyberModule;
370
- try {
371
- const m = await import('kyber-crystals');
372
- const k = m.default ?? m;
373
- kyberModule = k.kyber ?? k;
374
- return kyberModule;
375
- } catch (e) {
376
- console.warn("[Kyber] Failed to load kyber-crystals:", e);
377
- return null;
378
- }
379
- }
380
372
  async function generateKyberKeypair() {
381
- try {
382
- const mod = await loadKyber();
383
- if (!mod) return null;
384
- if (mod?.ready?.then) {
385
- await mod.ready;
386
- }
387
- const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
388
- if (typeof fn !== "function") {
389
- console.warn("[Kyber] No keypair function found");
390
- return null;
391
- }
392
- const kp = await fn.call(mod);
393
- const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
394
- const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
395
- if (!pub || !priv) {
396
- console.warn("[Kyber] Invalid keypair result");
397
- return null;
398
- }
399
- return {
400
- publicB64: b64(new Uint8Array(pub)),
401
- secretB64: b64(new Uint8Array(priv))
402
- };
403
- } catch (e) {
404
- console.warn("[Kyber] Key generation failed:", e);
405
- return null;
406
- }
373
+ const seed = randN(64);
374
+ const kp = mlKem_js.ml_kem1024.keygen(seed);
375
+ return {
376
+ publicB64: b64(kp.publicKey),
377
+ secretB64: b64(kp.secretKey)
378
+ };
407
379
  }
408
380
 
409
381
  // src/vault/manager.ts
@@ -1,6 +1,5 @@
1
- import { O as OmnituumVault, E as EncryptedVaultFile, a as EncryptedVaultFileV2, H as HybridIdentityRecord, V as VaultSettings, b as VaultSession } from '../types-Ch0y-n7K.cjs';
2
- export { D as DEFAULT_VAULT_SETTINGS, c as EncryptedVaultFileV1, d as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-Ch0y-n7K.cjs';
3
- import '../version-BygzPVGs.cjs';
1
+ import { O as OmnituumVault, E as EncryptedVaultFile, k as EncryptedVaultFileV2, H as HybridIdentityRecord, l as VaultSettings, m as VaultSession } from '../types-Dx_AFqow.cjs';
2
+ export { D as DEFAULT_VAULT_SETTINGS, n as EncryptedVaultFileV1, o as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-Dx_AFqow.cjs';
4
3
 
5
4
  /**
6
5
  * Omnituum PQC Shared - Vault Encryption