@omnituum/pqc-shared 0.3.1 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dist/crypto/index.cjs +39 -71
  2. package/dist/crypto/index.d.cts +48 -45
  3. package/dist/crypto/index.d.ts +48 -45
  4. package/dist/crypto/index.js +33 -72
  5. package/dist/crypto/safe/index.cjs +556 -0
  6. package/dist/crypto/safe/index.d.cts +341 -0
  7. package/dist/crypto/safe/index.d.ts +341 -0
  8. package/dist/crypto/safe/index.js +524 -0
  9. package/dist/fs/index.cjs +6 -34
  10. package/dist/fs/index.js +6 -34
  11. package/dist/index.cjs +39 -71
  12. package/dist/index.d.cts +4 -4
  13. package/dist/index.d.ts +4 -4
  14. package/dist/index.js +33 -72
  15. package/dist/{integrity-Dx9jukMH.d.cts → integrity-BenoFsmP.d.cts} +1 -1
  16. package/dist/{integrity-CCYjrap3.d.ts → integrity-D9J98Bty.d.ts} +1 -1
  17. package/dist/{types-61c7Q9ri.d.ts → types-CRka8PC7.d.cts} +54 -2
  18. package/dist/{types-Ch0y-n7K.d.cts → types-CRka8PC7.d.ts} +54 -2
  19. package/dist/utils/index.d.cts +2 -3
  20. package/dist/utils/index.d.ts +2 -3
  21. package/dist/vault/index.cjs +13 -41
  22. package/dist/vault/index.d.cts +2 -3
  23. package/dist/vault/index.d.ts +2 -3
  24. package/dist/vault/index.js +13 -41
  25. package/package.json +13 -5
  26. package/src/crypto/dilithium.ts +8 -4
  27. package/src/crypto/hybrid.ts +13 -29
  28. package/src/crypto/index.ts +9 -1
  29. package/src/crypto/kyber.ts +80 -118
  30. package/src/crypto/safe/adapters.ts +306 -0
  31. package/src/crypto/safe/dilithium.ts +74 -0
  32. package/src/crypto/safe/index.ts +97 -0
  33. package/src/crypto/safe/kyber.ts +47 -0
  34. package/src/crypto/safe/manifests.ts +192 -0
  35. package/src/crypto/safe/secretbox.ts +24 -0
  36. package/src/crypto/safe/types.ts +88 -0
  37. package/src/crypto/safe/x25519.ts +31 -0
  38. package/src/index.ts +12 -4
  39. package/src/version.ts +9 -4
  40. package/dist/version-BygzPVGs.d.cts +0 -55
  41. package/dist/version-BygzPVGs.d.ts +0 -55
package/dist/index.cjs CHANGED
@@ -3,6 +3,8 @@
3
3
  var nacl4 = require('tweetnacl');
4
4
  var sha2_js = require('@noble/hashes/sha2.js');
5
5
  var hmac_js = require('@noble/hashes/hmac.js');
6
+ var mlKem_js = require('@noble/post-quantum/ml-kem.js');
7
+ var envelopeRegistry = require('@omnituum/envelope-registry');
6
8
  var hashWasm = require('hash-wasm');
7
9
  var blake3_js = require('@noble/hashes/blake3.js');
8
10
  var chacha_js = require('@noble/ciphers/chacha.js');
@@ -152,78 +154,42 @@ function x25519SharedSecret(ourSecretKey, theirPublicKey) {
152
154
  function deriveKeyFromShared(shared, salt, info) {
153
155
  return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
154
156
  }
155
- var kyberModule = null;
156
- async function loadKyber() {
157
- if (kyberModule) return kyberModule;
158
- try {
159
- const m = await import('kyber-crystals');
160
- const k = m.default ?? m;
161
- kyberModule = k.kyber ?? k;
162
- return kyberModule;
163
- } catch (e) {
164
- console.warn("[Kyber] Failed to load kyber-crystals:", e);
165
- return null;
166
- }
167
- }
157
+ var KYBER_SUITE = "ML-KEM-1024-FIPS203";
158
+ var KYBER_PUBLIC_KEY_SIZE = 1568;
159
+ var KYBER_SECRET_KEY_SIZE = 3168;
160
+ var KYBER_CIPHERTEXT_SIZE = 1568;
161
+ var KYBER_SHARED_SECRET_SIZE = 32;
162
+ var KYBER_SEED_SIZE = 64;
168
163
  async function isKyberAvailable() {
169
- const mod = await loadKyber();
170
- return mod !== null;
164
+ return true;
171
165
  }
172
166
  async function generateKyberKeypair() {
173
- try {
174
- const mod = await loadKyber();
175
- if (!mod) return null;
176
- if (mod?.ready?.then) {
177
- await mod.ready;
178
- }
179
- const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
180
- if (typeof fn !== "function") {
181
- console.warn("[Kyber] No keypair function found");
182
- return null;
183
- }
184
- const kp = await fn.call(mod);
185
- const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
186
- const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
187
- if (!pub || !priv) {
188
- console.warn("[Kyber] Invalid keypair result");
189
- return null;
190
- }
191
- return {
192
- publicB64: b64(new Uint8Array(pub)),
193
- secretB64: b64(new Uint8Array(priv))
194
- };
195
- } catch (e) {
196
- console.warn("[Kyber] Key generation failed:", e);
197
- return null;
167
+ const seed = randN(64);
168
+ const kp = mlKem_js.ml_kem1024.keygen(seed);
169
+ return {
170
+ publicB64: b64(kp.publicKey),
171
+ secretB64: b64(kp.secretKey)
172
+ };
173
+ }
174
+ function generateKyberKeypairFromSeed(seed) {
175
+ if (seed.length !== 64) {
176
+ throw new Error("Kyber seed must be 64 bytes");
198
177
  }
178
+ const kp = mlKem_js.ml_kem1024.keygen(seed);
179
+ return { publicKey: kp.publicKey, secretKey: kp.secretKey };
199
180
  }
200
181
  async function kyberEncapsulate(pubKeyB64) {
201
- const kyber = await loadKyber();
202
- if (!kyber?.encrypt) {
203
- throw new Error("Kyber encrypt not available");
204
- }
205
182
  const pk = ub64(pubKeyB64);
206
- const r = await kyber.encrypt(pk);
207
- const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
208
- const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
209
- if (!ctRaw || !ssRaw) {
210
- throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
211
- }
183
+ const enc = mlKem_js.ml_kem1024.encapsulate(pk);
212
184
  return {
213
- ciphertext: new Uint8Array(ctRaw),
214
- sharedSecret: new Uint8Array(ssRaw)
185
+ ciphertext: enc.cipherText,
186
+ sharedSecret: enc.sharedSecret
215
187
  };
216
188
  }
217
189
  async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
218
- const kyber = await loadKyber();
219
- if (!kyber?.decrypt && !kyber?.decapsulate) {
220
- throw new Error("Kyber decrypt/decapsulate not available");
221
- }
222
190
  const ct = ub64(kemCiphertextB64);
223
191
  const sk = ub64(secretKeyB64);
224
- const r = kyber.decrypt ? await kyber.decrypt(ct, sk) : await kyber.decapsulate(ct, sk);
225
- const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
226
- return new Uint8Array(key);
192
+ return mlKem_js.ml_kem1024.decapsulate(ct, sk);
227
193
  }
228
194
  function kyberWrapKey(sharedSecret, msgKey32) {
229
195
  if (msgKey32.length !== 32) {
@@ -232,10 +198,7 @@ function kyberWrapKey(sharedSecret, msgKey32) {
232
198
  const kek = sha256(sharedSecret);
233
199
  const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
234
200
  const wrapped = nacl4__default.default.secretbox(msgKey32, nonce, kek);
235
- return {
236
- nonce: b64(nonce),
237
- wrapped: b64(wrapped)
238
- };
201
+ return { nonce: b64(nonce), wrapped: b64(wrapped) };
239
202
  }
240
203
  function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
241
204
  const kek = sha256(sharedSecret);
@@ -243,10 +206,8 @@ function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
243
206
  const wrapped = ub64(wrappedB64);
244
207
  return nacl4__default.default.secretbox.open(wrapped, nonce, kek) || null;
245
208
  }
246
-
247
- // src/version.ts
248
- var ENVELOPE_VERSION = "omnituum.hybrid.v1";
249
- var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
209
+ var ENVELOPE_VERSION = envelopeRegistry.OMNI_VERSIONS.HYBRID_V1;
210
+ var ENVELOPE_VERSION_LEGACY = envelopeRegistry.DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
250
211
  var VAULT_VERSION = "omnituum.vault.v1";
251
212
  var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
252
213
  var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
@@ -587,7 +548,7 @@ async function dilithiumSign(message, secretKeyB64) {
587
548
  }
588
549
  const sk = fromB64(secretKeyB64);
589
550
  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
590
- const signature = mod.sign(sk, msg);
551
+ const signature = mod.sign(msg, sk);
591
552
  return {
592
553
  signature: toB64(signature),
593
554
  algorithm: "ML-DSA-65"
@@ -598,7 +559,7 @@ async function dilithiumSignRaw(message, secretKey) {
598
559
  if (!mod) {
599
560
  throw new Error("Dilithium library not available");
600
561
  }
601
- return mod.sign(secretKey, message);
562
+ return mod.sign(message, secretKey);
602
563
  }
603
564
  async function dilithiumVerify(message, signatureB64, publicKeyB64) {
604
565
  const mod = await loadDilithium();
@@ -609,7 +570,7 @@ async function dilithiumVerify(message, signatureB64, publicKeyB64) {
609
570
  const sig = fromB64(signatureB64);
610
571
  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
611
572
  try {
612
- return mod.verify(pk, msg, sig);
573
+ return mod.verify(sig, msg, pk);
613
574
  } catch {
614
575
  return false;
615
576
  }
@@ -620,7 +581,7 @@ async function dilithiumVerifyRaw(message, signature, publicKey) {
620
581
  throw new Error("Dilithium library not available");
621
582
  }
622
583
  try {
623
- return mod.verify(publicKey, message, signature);
584
+ return mod.verify(signature, message, publicKey);
624
585
  } catch {
625
586
  return false;
626
587
  }
@@ -2046,6 +2007,12 @@ exports.ENVELOPE_SUITE = ENVELOPE_SUITE;
2046
2007
  exports.ENVELOPE_VERSION = ENVELOPE_VERSION;
2047
2008
  exports.KDF_CONFIG_ARGON2ID = KDF_CONFIG_ARGON2ID;
2048
2009
  exports.KDF_CONFIG_PBKDF2 = KDF_CONFIG_PBKDF2;
2010
+ exports.KYBER_CIPHERTEXT_SIZE = KYBER_CIPHERTEXT_SIZE;
2011
+ exports.KYBER_PUBLIC_KEY_SIZE = KYBER_PUBLIC_KEY_SIZE;
2012
+ exports.KYBER_SECRET_KEY_SIZE = KYBER_SECRET_KEY_SIZE;
2013
+ exports.KYBER_SEED_SIZE = KYBER_SEED_SIZE;
2014
+ exports.KYBER_SHARED_SECRET_SIZE = KYBER_SHARED_SECRET_SIZE;
2015
+ exports.KYBER_SUITE = KYBER_SUITE;
2049
2016
  exports.POLY1305_TAG_SIZE = POLY1305_TAG_SIZE;
2050
2017
  exports.SECRETBOX_KEY_SIZE = SECRETBOX_KEY_SIZE;
2051
2018
  exports.SECRETBOX_NONCE_SIZE = SECRETBOX_NONCE_SIZE;
@@ -2101,6 +2068,7 @@ exports.generateDilithiumKeypair = generateDilithiumKeypair;
2101
2068
  exports.generateDilithiumKeypairFromSeed = generateDilithiumKeypairFromSeed;
2102
2069
  exports.generateHybridIdentity = generateHybridIdentity;
2103
2070
  exports.generateKyberKeypair = generateKyberKeypair;
2071
+ exports.generateKyberKeypairFromSeed = generateKyberKeypairFromSeed;
2104
2072
  exports.generateSalt = generateSalt;
2105
2073
  exports.generateX25519Keypair = generateX25519Keypair;
2106
2074
  exports.generateX25519KeypairFromSeed = generateX25519KeypairFromSeed;
package/dist/index.d.cts CHANGED
@@ -1,9 +1,9 @@
1
- export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KyberEncapsulation, KyberKeypair, KyberKeypairB64, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.cjs';
2
- export { E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault } from './types-Ch0y-n7K.cjs';
1
+ export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KYBER_CIPHERTEXT_SIZE, KYBER_PUBLIC_KEY_SIZE, KYBER_SECRET_KEY_SIZE, KYBER_SEED_SIZE, KYBER_SHARED_SECRET_SIZE, KYBER_SUITE, KyberEncapsulation, KyberKeypair, KyberKeypairB64, KyberSuite, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.cjs';
2
+ export { e as ENVELOPE_AEAD, d as ENVELOPE_SUITE, c as ENVELOPE_VERSION, E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault, h as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, b as VAULT_ENCRYPTED_VERSION_V2, f as VAULT_KDF, g as VAULT_KDF_V2, V as VAULT_VERSION, j as validateEncryptedVault, i as validateEnvelope, v as validateVault } from './types-CRka8PC7.cjs';
3
3
  export { MigrationOptions, MigrationResult, addIdentity, createEmptyVault, createIdentity, decryptVault, encryptVault, getVaultKdfInfo, isV2Vault, migrateEncryptedVault, needsMigration } from './vault/index.cjs';
4
- export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-Dx9jukMH.cjs';
5
- export { g as ENVELOPE_AEAD, f as ENVELOPE_SUITE, E as ENVELOPE_VERSION, c as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, d as VAULT_ENCRYPTED_VERSION_V2, b as VAULT_KDF, e as VAULT_KDF_V2, V as VAULT_VERSION, i as validateEncryptedVault, h as validateEnvelope, v as validateVault } from './version-BygzPVGs.cjs';
4
+ export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-BenoFsmP.cjs';
6
5
  export { D as DecryptOptions, E as EncryptOptions, c as OQEDecryptResult, O as OQEEncryptResult, d as decryptFile, b as decryptFileWithPassword, e as encryptFile, a as encryptFileWithPassword } from './decrypt-eSHlbh1j.cjs';
6
+ import '@omnituum/envelope-registry';
7
7
  import '@noble/ciphers/utils.js';
8
8
 
9
9
  /**
package/dist/index.d.ts CHANGED
@@ -1,9 +1,9 @@
1
- export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KyberEncapsulation, KyberKeypair, KyberKeypairB64, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.js';
2
- export { E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault } from './types-61c7Q9ri.js';
1
+ export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KYBER_CIPHERTEXT_SIZE, KYBER_PUBLIC_KEY_SIZE, KYBER_SECRET_KEY_SIZE, KYBER_SEED_SIZE, KYBER_SHARED_SECRET_SIZE, KYBER_SUITE, KyberEncapsulation, KyberKeypair, KyberKeypairB64, KyberSuite, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.js';
2
+ export { e as ENVELOPE_AEAD, d as ENVELOPE_SUITE, c as ENVELOPE_VERSION, E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault, h as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, b as VAULT_ENCRYPTED_VERSION_V2, f as VAULT_KDF, g as VAULT_KDF_V2, V as VAULT_VERSION, j as validateEncryptedVault, i as validateEnvelope, v as validateVault } from './types-CRka8PC7.js';
3
3
  export { MigrationOptions, MigrationResult, addIdentity, createEmptyVault, createIdentity, decryptVault, encryptVault, getVaultKdfInfo, isV2Vault, migrateEncryptedVault, needsMigration } from './vault/index.js';
4
- export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-CCYjrap3.js';
5
- export { g as ENVELOPE_AEAD, f as ENVELOPE_SUITE, E as ENVELOPE_VERSION, c as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, d as VAULT_ENCRYPTED_VERSION_V2, b as VAULT_KDF, e as VAULT_KDF_V2, V as VAULT_VERSION, i as validateEncryptedVault, h as validateEnvelope, v as validateVault } from './version-BygzPVGs.js';
4
+ export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-D9J98Bty.js';
6
5
  export { D as DecryptOptions, E as EncryptOptions, c as OQEDecryptResult, O as OQEEncryptResult, d as decryptFile, b as decryptFileWithPassword, e as encryptFile, a as encryptFileWithPassword } from './decrypt-eSHlbh1j.js';
6
+ import '@omnituum/envelope-registry';
7
7
  import '@noble/ciphers/utils.js';
8
8
 
9
9
  /**
package/dist/index.js CHANGED
@@ -1,6 +1,8 @@
1
1
  import nacl4 from 'tweetnacl';
2
2
  import { sha256 as sha256$1, sha512 } from '@noble/hashes/sha2.js';
3
3
  import { hmac } from '@noble/hashes/hmac.js';
4
+ import { ml_kem1024 } from '@noble/post-quantum/ml-kem.js';
5
+ import { OMNI_VERSIONS, DEPRECATED_VERSIONS } from '@omnituum/envelope-registry';
4
6
  import { argon2id } from 'hash-wasm';
5
7
  import { blake3 as blake3$1 } from '@noble/hashes/blake3.js';
6
8
  import { chacha20poly1305, xchacha20poly1305 } from '@noble/ciphers/chacha.js';
@@ -146,78 +148,42 @@ function x25519SharedSecret(ourSecretKey, theirPublicKey) {
146
148
  function deriveKeyFromShared(shared, salt, info) {
147
149
  return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
148
150
  }
149
- var kyberModule = null;
150
- async function loadKyber() {
151
- if (kyberModule) return kyberModule;
152
- try {
153
- const m = await import('kyber-crystals');
154
- const k = m.default ?? m;
155
- kyberModule = k.kyber ?? k;
156
- return kyberModule;
157
- } catch (e) {
158
- console.warn("[Kyber] Failed to load kyber-crystals:", e);
159
- return null;
160
- }
161
- }
151
+ var KYBER_SUITE = "ML-KEM-1024-FIPS203";
152
+ var KYBER_PUBLIC_KEY_SIZE = 1568;
153
+ var KYBER_SECRET_KEY_SIZE = 3168;
154
+ var KYBER_CIPHERTEXT_SIZE = 1568;
155
+ var KYBER_SHARED_SECRET_SIZE = 32;
156
+ var KYBER_SEED_SIZE = 64;
162
157
  async function isKyberAvailable() {
163
- const mod = await loadKyber();
164
- return mod !== null;
158
+ return true;
165
159
  }
166
160
  async function generateKyberKeypair() {
167
- try {
168
- const mod = await loadKyber();
169
- if (!mod) return null;
170
- if (mod?.ready?.then) {
171
- await mod.ready;
172
- }
173
- const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
174
- if (typeof fn !== "function") {
175
- console.warn("[Kyber] No keypair function found");
176
- return null;
177
- }
178
- const kp = await fn.call(mod);
179
- const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
180
- const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
181
- if (!pub || !priv) {
182
- console.warn("[Kyber] Invalid keypair result");
183
- return null;
184
- }
185
- return {
186
- publicB64: b64(new Uint8Array(pub)),
187
- secretB64: b64(new Uint8Array(priv))
188
- };
189
- } catch (e) {
190
- console.warn("[Kyber] Key generation failed:", e);
191
- return null;
161
+ const seed = randN(64);
162
+ const kp = ml_kem1024.keygen(seed);
163
+ return {
164
+ publicB64: b64(kp.publicKey),
165
+ secretB64: b64(kp.secretKey)
166
+ };
167
+ }
168
+ function generateKyberKeypairFromSeed(seed) {
169
+ if (seed.length !== 64) {
170
+ throw new Error("Kyber seed must be 64 bytes");
192
171
  }
172
+ const kp = ml_kem1024.keygen(seed);
173
+ return { publicKey: kp.publicKey, secretKey: kp.secretKey };
193
174
  }
194
175
  async function kyberEncapsulate(pubKeyB64) {
195
- const kyber = await loadKyber();
196
- if (!kyber?.encrypt) {
197
- throw new Error("Kyber encrypt not available");
198
- }
199
176
  const pk = ub64(pubKeyB64);
200
- const r = await kyber.encrypt(pk);
201
- const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
202
- const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
203
- if (!ctRaw || !ssRaw) {
204
- throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
205
- }
177
+ const enc = ml_kem1024.encapsulate(pk);
206
178
  return {
207
- ciphertext: new Uint8Array(ctRaw),
208
- sharedSecret: new Uint8Array(ssRaw)
179
+ ciphertext: enc.cipherText,
180
+ sharedSecret: enc.sharedSecret
209
181
  };
210
182
  }
211
183
  async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
212
- const kyber = await loadKyber();
213
- if (!kyber?.decrypt && !kyber?.decapsulate) {
214
- throw new Error("Kyber decrypt/decapsulate not available");
215
- }
216
184
  const ct = ub64(kemCiphertextB64);
217
185
  const sk = ub64(secretKeyB64);
218
- const r = kyber.decrypt ? await kyber.decrypt(ct, sk) : await kyber.decapsulate(ct, sk);
219
- const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
220
- return new Uint8Array(key);
186
+ return ml_kem1024.decapsulate(ct, sk);
221
187
  }
222
188
  function kyberWrapKey(sharedSecret, msgKey32) {
223
189
  if (msgKey32.length !== 32) {
@@ -226,10 +192,7 @@ function kyberWrapKey(sharedSecret, msgKey32) {
226
192
  const kek = sha256(sharedSecret);
227
193
  const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
228
194
  const wrapped = nacl4.secretbox(msgKey32, nonce, kek);
229
- return {
230
- nonce: b64(nonce),
231
- wrapped: b64(wrapped)
232
- };
195
+ return { nonce: b64(nonce), wrapped: b64(wrapped) };
233
196
  }
234
197
  function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
235
198
  const kek = sha256(sharedSecret);
@@ -237,10 +200,8 @@ function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
237
200
  const wrapped = ub64(wrappedB64);
238
201
  return nacl4.secretbox.open(wrapped, nonce, kek) || null;
239
202
  }
240
-
241
- // src/version.ts
242
- var ENVELOPE_VERSION = "omnituum.hybrid.v1";
243
- var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
203
+ var ENVELOPE_VERSION = OMNI_VERSIONS.HYBRID_V1;
204
+ var ENVELOPE_VERSION_LEGACY = DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
244
205
  var VAULT_VERSION = "omnituum.vault.v1";
245
206
  var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
246
207
  var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
@@ -581,7 +542,7 @@ async function dilithiumSign(message, secretKeyB64) {
581
542
  }
582
543
  const sk = fromB64(secretKeyB64);
583
544
  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
584
- const signature = mod.sign(sk, msg);
545
+ const signature = mod.sign(msg, sk);
585
546
  return {
586
547
  signature: toB64(signature),
587
548
  algorithm: "ML-DSA-65"
@@ -592,7 +553,7 @@ async function dilithiumSignRaw(message, secretKey) {
592
553
  if (!mod) {
593
554
  throw new Error("Dilithium library not available");
594
555
  }
595
- return mod.sign(secretKey, message);
556
+ return mod.sign(message, secretKey);
596
557
  }
597
558
  async function dilithiumVerify(message, signatureB64, publicKeyB64) {
598
559
  const mod = await loadDilithium();
@@ -603,7 +564,7 @@ async function dilithiumVerify(message, signatureB64, publicKeyB64) {
603
564
  const sig = fromB64(signatureB64);
604
565
  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
605
566
  try {
606
- return mod.verify(pk, msg, sig);
567
+ return mod.verify(sig, msg, pk);
607
568
  } catch {
608
569
  return false;
609
570
  }
@@ -614,7 +575,7 @@ async function dilithiumVerifyRaw(message, signature, publicKey) {
614
575
  throw new Error("Dilithium library not available");
615
576
  }
616
577
  try {
617
- return mod.verify(publicKey, message, signature);
578
+ return mod.verify(signature, message, publicKey);
618
579
  } catch {
619
580
  return false;
620
581
  }
@@ -2027,4 +1988,4 @@ function createTunnelSession(keys) {
2027
1988
  };
2028
1989
  }
2029
1990
 
2030
- export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };
1991
+ export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, KYBER_CIPHERTEXT_SIZE, KYBER_PUBLIC_KEY_SIZE, KYBER_SECRET_KEY_SIZE, KYBER_SEED_SIZE, KYBER_SHARED_SECRET_SIZE, KYBER_SUITE, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };
@@ -1,4 +1,4 @@
1
- import { H as HybridIdentityRecord } from './types-Ch0y-n7K.cjs';
1
+ import { H as HybridIdentityRecord } from './types-CRka8PC7.cjs';
2
2
 
3
3
  /**
4
4
  * Omnituum PQC Shared - Integrity Verification
@@ -1,4 +1,4 @@
1
- import { H as HybridIdentityRecord } from './types-61c7Q9ri.js';
1
+ import { H as HybridIdentityRecord } from './types-CRka8PC7.js';
2
2
 
3
3
  /**
4
4
  * Omnituum PQC Shared - Integrity Verification
@@ -1,4 +1,56 @@
1
- import { V as VAULT_VERSION, a as VAULT_ENCRYPTED_VERSION, b as VAULT_KDF, c as VAULT_ALGORITHM, d as VAULT_ENCRYPTED_VERSION_V2, e as VAULT_KDF_V2 } from './version-BygzPVGs.js';
1
+ /**
2
+ * Omnituum PQC Shared - Version Constants & Guards
3
+ *
4
+ * FROZEN CONTRACTS: These version strings define the wire format.
5
+ * Breaking changes require a version bump.
6
+ *
7
+ * @see pqc-docs/specs/envelope.v1.md
8
+ * @see pqc-docs/specs/vault.v1.md
9
+ * @see pqc-docs/specs/identity.v1.md
10
+ */
11
+ /** HybridEnvelope version - hybrid encryption format (from registry) */
12
+ declare const ENVELOPE_VERSION: any;
13
+ /** OmnituumVault version - decrypted vault format */
14
+ declare const VAULT_VERSION: "omnituum.vault.v1";
15
+ /** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
16
+ declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
17
+ /** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
18
+ declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
19
+ /** Algorithm suite for hybrid encryption */
20
+ declare const ENVELOPE_SUITE: "x25519+kyber768";
21
+ /** AEAD algorithm for envelope content */
22
+ declare const ENVELOPE_AEAD: "xsalsa20poly1305";
23
+ /** KDF for vault encryption (v1) */
24
+ declare const VAULT_KDF: "PBKDF2-SHA256";
25
+ /** KDF for vault encryption (v2) */
26
+ declare const VAULT_KDF_V2: "Argon2id";
27
+ /** Encryption algorithm for vault */
28
+ declare const VAULT_ALGORITHM: "AES-256-GCM";
29
+ /**
30
+ * Validate envelope structure and version.
31
+ * Returns detailed validation result.
32
+ */
33
+ declare function validateEnvelope(envelope: unknown): {
34
+ valid: boolean;
35
+ version?: string;
36
+ errors: string[];
37
+ };
38
+ /**
39
+ * Validate vault structure and version.
40
+ */
41
+ declare function validateVault(vault: unknown): {
42
+ valid: boolean;
43
+ version?: string;
44
+ errors: string[];
45
+ };
46
+ /**
47
+ * Validate encrypted vault structure and version.
48
+ */
49
+ declare function validateEncryptedVault(encVault: unknown): {
50
+ valid: boolean;
51
+ version?: string;
52
+ errors: string[];
53
+ };
2
54
 
3
55
  /**
4
56
  * Omnituum PQC Shared - Vault Types
@@ -131,4 +183,4 @@ interface VaultSession {
131
183
  declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
132
184
  declare const PBKDF2_ITERATIONS = 600000;
133
185
 
134
- export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, type VaultSettings as V, type EncryptedVaultFileV2 as a, type VaultSession as b, type EncryptedVaultFileV1 as c, type HealthStatus as d };
186
+ export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
@@ -1,4 +1,56 @@
1
- import { V as VAULT_VERSION, a as VAULT_ENCRYPTED_VERSION, b as VAULT_KDF, c as VAULT_ALGORITHM, d as VAULT_ENCRYPTED_VERSION_V2, e as VAULT_KDF_V2 } from './version-BygzPVGs.cjs';
1
+ /**
2
+ * Omnituum PQC Shared - Version Constants & Guards
3
+ *
4
+ * FROZEN CONTRACTS: These version strings define the wire format.
5
+ * Breaking changes require a version bump.
6
+ *
7
+ * @see pqc-docs/specs/envelope.v1.md
8
+ * @see pqc-docs/specs/vault.v1.md
9
+ * @see pqc-docs/specs/identity.v1.md
10
+ */
11
+ /** HybridEnvelope version - hybrid encryption format (from registry) */
12
+ declare const ENVELOPE_VERSION: any;
13
+ /** OmnituumVault version - decrypted vault format */
14
+ declare const VAULT_VERSION: "omnituum.vault.v1";
15
+ /** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
16
+ declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
17
+ /** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
18
+ declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
19
+ /** Algorithm suite for hybrid encryption */
20
+ declare const ENVELOPE_SUITE: "x25519+kyber768";
21
+ /** AEAD algorithm for envelope content */
22
+ declare const ENVELOPE_AEAD: "xsalsa20poly1305";
23
+ /** KDF for vault encryption (v1) */
24
+ declare const VAULT_KDF: "PBKDF2-SHA256";
25
+ /** KDF for vault encryption (v2) */
26
+ declare const VAULT_KDF_V2: "Argon2id";
27
+ /** Encryption algorithm for vault */
28
+ declare const VAULT_ALGORITHM: "AES-256-GCM";
29
+ /**
30
+ * Validate envelope structure and version.
31
+ * Returns detailed validation result.
32
+ */
33
+ declare function validateEnvelope(envelope: unknown): {
34
+ valid: boolean;
35
+ version?: string;
36
+ errors: string[];
37
+ };
38
+ /**
39
+ * Validate vault structure and version.
40
+ */
41
+ declare function validateVault(vault: unknown): {
42
+ valid: boolean;
43
+ version?: string;
44
+ errors: string[];
45
+ };
46
+ /**
47
+ * Validate encrypted vault structure and version.
48
+ */
49
+ declare function validateEncryptedVault(encVault: unknown): {
50
+ valid: boolean;
51
+ version?: string;
52
+ errors: string[];
53
+ };
2
54
 
3
55
  /**
4
56
  * Omnituum PQC Shared - Vault Types
@@ -131,4 +183,4 @@ interface VaultSession {
131
183
  declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
132
184
  declare const PBKDF2_ITERATIONS = 600000;
133
185
 
134
- export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, type VaultSettings as V, type EncryptedVaultFileV2 as a, type VaultSession as b, type EncryptedVaultFileV1 as c, type HealthStatus as d };
186
+ export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
@@ -1,6 +1,5 @@
1
- export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-Dx9jukMH.cjs';
2
- import '../types-Ch0y-n7K.cjs';
3
- import '../version-BygzPVGs.cjs';
1
+ export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-BenoFsmP.cjs';
2
+ import '../types-CRka8PC7.cjs';
4
3
 
5
4
  /**
6
5
  * Omnituum PQC Shared - Entropy & Randomness Utilities
@@ -1,6 +1,5 @@
1
- export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-CCYjrap3.js';
2
- import '../types-61c7Q9ri.js';
3
- import '../version-BygzPVGs.js';
1
+ export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-D9J98Bty.js';
2
+ import '../types-CRka8PC7.js';
4
3
 
5
4
  /**
6
5
  * Omnituum PQC Shared - Entropy & Randomness Utilities