@omnituum/pqc-shared 0.4.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/dist/crypto/index.cjs +91 -54
  2. package/dist/crypto/index.d.cts +43 -11
  3. package/dist/crypto/index.d.ts +43 -11
  4. package/dist/crypto/index.js +87 -55
  5. package/dist/{decrypt-eSHlbh1j.d.cts → decrypt-O1iqFIDL.d.cts} +80 -6
  6. package/dist/{decrypt-eSHlbh1j.d.ts → decrypt-O1iqFIDL.d.ts} +80 -6
  7. package/dist/fs/index.cjs +286 -147
  8. package/dist/fs/index.d.cts +28 -7
  9. package/dist/fs/index.d.ts +28 -7
  10. package/dist/fs/index.js +277 -147
  11. package/dist/index.cjs +368 -229
  12. package/dist/index.d.cts +4 -4
  13. package/dist/index.d.ts +4 -4
  14. package/dist/index.js +362 -230
  15. package/dist/{integrity-ByMp24VA.d.cts → integrity-BkBDrHA-.d.cts} +12 -4
  16. package/dist/{integrity-BPvNsC50.d.ts → integrity-DsFJv5c-.d.ts} +12 -4
  17. package/dist/{types-Dx_AFqow.d.cts → types-DmnVueAY.d.cts} +15 -5
  18. package/dist/{types-Dx_AFqow.d.ts → types-DmnVueAY.d.ts} +15 -5
  19. package/dist/utils/index.cjs +7 -10
  20. package/dist/utils/index.d.cts +2 -2
  21. package/dist/utils/index.d.ts +2 -2
  22. package/dist/utils/index.js +7 -10
  23. package/dist/vault/index.cjs +8 -11
  24. package/dist/vault/index.d.cts +2 -2
  25. package/dist/vault/index.d.ts +2 -2
  26. package/dist/vault/index.js +8 -11
  27. package/package.json +19 -25
  28. package/src/crypto/dilithium.ts +4 -4
  29. package/src/crypto/hybrid.ts +182 -80
  30. package/src/crypto/index.ts +8 -1
  31. package/src/crypto/kyber.ts +20 -0
  32. package/src/fs/decrypt.ts +145 -68
  33. package/src/fs/encrypt.ts +161 -112
  34. package/src/fs/format.ts +110 -15
  35. package/src/fs/index.ts +4 -0
  36. package/src/fs/types.ts +77 -6
  37. package/src/index.ts +9 -0
  38. package/src/utils/integrity.ts +16 -15
  39. package/src/vault/manager.ts +1 -1
  40. package/src/version.ts +29 -7
@@ -1,14 +1,22 @@
1
- import { H as HybridIdentityRecord } from './types-Dx_AFqow.cjs';
1
+ import { H as HybridIdentityRecord } from './types-DmnVueAY.cjs';
2
2
 
3
3
  /**
4
4
  * Omnituum PQC Shared - Integrity Verification
5
5
  *
6
- * SHA-256 based integrity checking for vault contents.
6
+ * SHA-256 checksum over a vault's public identity records.
7
+ *
8
+ * SCOPE: this is an UNKEYED integrity checksum — it detects accidental
9
+ * corruption or field mix-ups, not malicious tampering. An attacker who edits
10
+ * the decrypted vault can simply recompute this value. Tamper *resistance* for
11
+ * a stored vault comes from the AES-256-GCM authentication tag on the encrypted
12
+ * file (see vault/encrypt.ts), not from this hash. Do not treat a matching
13
+ * integrity hash as authentication.
7
14
  */
8
15
 
9
16
  /**
10
- * Compute SHA-256 integrity hash for a list of identities.
11
- * Uses only the public keys and metadata to create a deterministic hash.
17
+ * Compute a SHA-256 checksum for a list of identities.
18
+ * Uses only the public keys and metadata (never secret keys). Deterministic:
19
+ * the canonical objects carry a fixed key order, which JSON.stringify preserves.
12
20
  */
13
21
  declare function computeIntegrityHash(identities: HybridIdentityRecord[]): string;
14
22
  /**
@@ -1,14 +1,22 @@
1
- import { H as HybridIdentityRecord } from './types-Dx_AFqow.js';
1
+ import { H as HybridIdentityRecord } from './types-DmnVueAY.js';
2
2
 
3
3
  /**
4
4
  * Omnituum PQC Shared - Integrity Verification
5
5
  *
6
- * SHA-256 based integrity checking for vault contents.
6
+ * SHA-256 checksum over a vault's public identity records.
7
+ *
8
+ * SCOPE: this is an UNKEYED integrity checksum — it detects accidental
9
+ * corruption or field mix-ups, not malicious tampering. An attacker who edits
10
+ * the decrypted vault can simply recompute this value. Tamper *resistance* for
11
+ * a stored vault comes from the AES-256-GCM authentication tag on the encrypted
12
+ * file (see vault/encrypt.ts), not from this hash. Do not treat a matching
13
+ * integrity hash as authentication.
7
14
  */
8
15
 
9
16
  /**
10
- * Compute SHA-256 integrity hash for a list of identities.
11
- * Uses only the public keys and metadata to create a deterministic hash.
17
+ * Compute a SHA-256 checksum for a list of identities.
18
+ * Uses only the public keys and metadata (never secret keys). Deterministic:
19
+ * the canonical objects carry a fixed key order, which JSON.stringify preserves.
12
20
  */
13
21
  declare function computeIntegrityHash(identities: HybridIdentityRecord[]): string;
14
22
  /**
@@ -8,16 +8,24 @@
8
8
  * @see pqc-docs/specs/vault.v1.md
9
9
  * @see pqc-docs/specs/identity.v1.md
10
10
  */
11
- /** HybridEnvelope version - hybrid encryption format (from registry) */
12
- declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
11
+ /** HybridEnvelope v1 - independent X25519/Kyber wraps (read-only legacy; see v2) */
12
+ declare const ENVELOPE_VERSION: any;
13
+ /**
14
+ * HybridEnvelope v2 - AND-combined KEK (single wrap under
15
+ * HKDF(ss_mlkem || ss_x25519) with transcript binding). The version new
16
+ * envelopes are written in.
17
+ */
18
+ declare const ENVELOPE_VERSION_V2: any;
13
19
  /** OmnituumVault version - decrypted vault format */
14
20
  declare const VAULT_VERSION: "omnituum.vault.v1";
15
21
  /** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
16
22
  declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
17
23
  /** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
18
24
  declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
19
- /** Algorithm suite for hybrid encryption */
25
+ /** Algorithm suite for hybrid encryption (v1 label — kept for wire compat) */
20
26
  declare const ENVELOPE_SUITE: "x25519+kyber768";
27
+ /** Algorithm suite for hybrid v2 (matches the actual ML-KEM-1024 backend) */
28
+ declare const ENVELOPE_SUITE_V2: "x25519+mlkem1024";
21
29
  /** AEAD algorithm for envelope content */
22
30
  declare const ENVELOPE_AEAD: "xsalsa20poly1305";
23
31
  /** KDF for vault encryption (v1) */
@@ -27,7 +35,9 @@ declare const VAULT_KDF_V2: "Argon2id";
27
35
  /** Encryption algorithm for vault */
28
36
  declare const VAULT_ALGORITHM: "AES-256-GCM";
29
37
  /**
30
- * Validate envelope structure and version.
38
+ * Validate envelope structure and version. Dispatches per-version since v1
39
+ * and v2 have different wire shapes (independent dual wraps vs. a single
40
+ * AND-combined wrap) — see hybrid.ts for the security rationale.
31
41
  * Returns detailed validation result.
32
42
  */
33
43
  declare function validateEnvelope(envelope: unknown): {
@@ -183,4 +193,4 @@ interface VaultSession {
183
193
  declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
184
194
  declare const PBKDF2_ITERATIONS = 600000;
185
195
 
186
- export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
196
+ export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_VERSION_V2 as d, ENVELOPE_SUITE as e, ENVELOPE_SUITE_V2 as f, ENVELOPE_AEAD as g, VAULT_KDF as h, VAULT_KDF_V2 as i, VAULT_ALGORITHM as j, validateEnvelope as k, validateEncryptedVault as l, type EncryptedVaultFileV2 as m, type VaultSettings as n, type VaultSession as o, type EncryptedVaultFileV1 as p, type HealthStatus as q, validateVault as v };
@@ -8,16 +8,24 @@
8
8
  * @see pqc-docs/specs/vault.v1.md
9
9
  * @see pqc-docs/specs/identity.v1.md
10
10
  */
11
- /** HybridEnvelope version - hybrid encryption format (from registry) */
12
- declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
11
+ /** HybridEnvelope v1 - independent X25519/Kyber wraps (read-only legacy; see v2) */
12
+ declare const ENVELOPE_VERSION: any;
13
+ /**
14
+ * HybridEnvelope v2 - AND-combined KEK (single wrap under
15
+ * HKDF(ss_mlkem || ss_x25519) with transcript binding). The version new
16
+ * envelopes are written in.
17
+ */
18
+ declare const ENVELOPE_VERSION_V2: any;
13
19
  /** OmnituumVault version - decrypted vault format */
14
20
  declare const VAULT_VERSION: "omnituum.vault.v1";
15
21
  /** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
16
22
  declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
17
23
  /** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
18
24
  declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
19
- /** Algorithm suite for hybrid encryption */
25
+ /** Algorithm suite for hybrid encryption (v1 label — kept for wire compat) */
20
26
  declare const ENVELOPE_SUITE: "x25519+kyber768";
27
+ /** Algorithm suite for hybrid v2 (matches the actual ML-KEM-1024 backend) */
28
+ declare const ENVELOPE_SUITE_V2: "x25519+mlkem1024";
21
29
  /** AEAD algorithm for envelope content */
22
30
  declare const ENVELOPE_AEAD: "xsalsa20poly1305";
23
31
  /** KDF for vault encryption (v1) */
@@ -27,7 +35,9 @@ declare const VAULT_KDF_V2: "Argon2id";
27
35
  /** Encryption algorithm for vault */
28
36
  declare const VAULT_ALGORITHM: "AES-256-GCM";
29
37
  /**
30
- * Validate envelope structure and version.
38
+ * Validate envelope structure and version. Dispatches per-version since v1
39
+ * and v2 have different wire shapes (independent dual wraps vs. a single
40
+ * AND-combined wrap) — see hybrid.ts for the security rationale.
31
41
  * Returns detailed validation result.
32
42
  */
33
43
  declare function validateEnvelope(envelope: unknown): {
@@ -183,4 +193,4 @@ interface VaultSession {
183
193
  declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
184
194
  declare const PBKDF2_ITERATIONS = 600000;
185
195
 
186
- export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
196
+ export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_VERSION_V2 as d, ENVELOPE_SUITE as e, ENVELOPE_SUITE_V2 as f, ENVELOPE_AEAD as g, VAULT_KDF as h, VAULT_KDF_V2 as i, VAULT_ALGORITHM as j, validateEnvelope as k, validateEncryptedVault as l, type EncryptedVaultFileV2 as m, type VaultSettings as n, type VaultSession as o, type EncryptedVaultFileV1 as p, type HealthStatus as q, validateVault as v };
@@ -1,6 +1,6 @@
1
1
  'use strict';
2
2
 
3
- require('@noble/hashes/sha2.js');
3
+ var sha2_js = require('@noble/hashes/sha2.js');
4
4
  require('@noble/hashes/hmac.js');
5
5
 
6
6
  // src/utils/entropy.ts
@@ -61,11 +61,14 @@ function daysSinceRotation(lastRotatedAt, createdAt) {
61
61
  function shouldRotate(lastRotatedAt, createdAt, maxDays = 90) {
62
62
  return daysSinceRotation(lastRotatedAt, createdAt) >= maxDays;
63
63
  }
64
- new TextEncoder();
64
+ var textEncoder = new TextEncoder();
65
65
  new TextDecoder();
66
66
  function toHex(bytes) {
67
67
  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
68
68
  }
69
+ function sha256(bytes) {
70
+ return sha2_js.sha256(bytes);
71
+ }
69
72
 
70
73
  // src/utils/integrity.ts
71
74
  function computeIntegrityHash(identities) {
@@ -77,17 +80,11 @@ function computeIntegrityHash(identities) {
77
80
  createdAt: i.createdAt,
78
81
  rotationCount: i.rotationCount
79
82
  }));
80
- const serialized = JSON.stringify(canonical, Object.keys(canonical[0] || {}).sort());
83
+ const serialized = JSON.stringify(canonical);
81
84
  return computeStringHash(serialized);
82
85
  }
83
86
  function computeStringHash(str) {
84
- let hash = 0;
85
- for (let i = 0; i < str.length; i++) {
86
- const char = str.charCodeAt(i);
87
- hash = (hash << 5) - hash + char;
88
- hash = hash & hash;
89
- }
90
- return Math.abs(hash).toString(16).padStart(16, "0");
87
+ return toHex(sha256(textEncoder.encode(str)));
91
88
  }
92
89
  async function computeHashAsync(data) {
93
90
  const encoder = new TextEncoder();
@@ -1,5 +1,5 @@
1
- export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-ByMp24VA.cjs';
2
- import '../types-Dx_AFqow.cjs';
1
+ export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-BkBDrHA-.cjs';
2
+ import '../types-DmnVueAY.cjs';
3
3
 
4
4
  /**
5
5
  * Omnituum PQC Shared - Entropy & Randomness Utilities
@@ -1,5 +1,5 @@
1
- export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-BPvNsC50.js';
2
- import '../types-Dx_AFqow.js';
1
+ export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-DsFJv5c-.js';
2
+ import '../types-DmnVueAY.js';
3
3
 
4
4
  /**
5
5
  * Omnituum PQC Shared - Entropy & Randomness Utilities
@@ -1,4 +1,4 @@
1
- import '@noble/hashes/sha2.js';
1
+ import { sha256 as sha256$1 } from '@noble/hashes/sha2.js';
2
2
  import '@noble/hashes/hmac.js';
3
3
 
4
4
  // src/utils/entropy.ts
@@ -59,11 +59,14 @@ function daysSinceRotation(lastRotatedAt, createdAt) {
59
59
  function shouldRotate(lastRotatedAt, createdAt, maxDays = 90) {
60
60
  return daysSinceRotation(lastRotatedAt, createdAt) >= maxDays;
61
61
  }
62
- new TextEncoder();
62
+ var textEncoder = new TextEncoder();
63
63
  new TextDecoder();
64
64
  function toHex(bytes) {
65
65
  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
66
66
  }
67
+ function sha256(bytes) {
68
+ return sha256$1(bytes);
69
+ }
67
70
 
68
71
  // src/utils/integrity.ts
69
72
  function computeIntegrityHash(identities) {
@@ -75,17 +78,11 @@ function computeIntegrityHash(identities) {
75
78
  createdAt: i.createdAt,
76
79
  rotationCount: i.rotationCount
77
80
  }));
78
- const serialized = JSON.stringify(canonical, Object.keys(canonical[0] || {}).sort());
81
+ const serialized = JSON.stringify(canonical);
79
82
  return computeStringHash(serialized);
80
83
  }
81
84
  function computeStringHash(str) {
82
- let hash = 0;
83
- for (let i = 0; i < str.length; i++) {
84
- const char = str.charCodeAt(i);
85
- hash = (hash << 5) - hash + char;
86
- hash = hash & hash;
87
- }
88
- return Math.abs(hash).toString(16).padStart(16, "0");
85
+ return toHex(sha256(textEncoder.encode(str)));
89
86
  }
90
87
  async function computeHashAsync(data) {
91
88
  const encoder = new TextEncoder();
@@ -1,6 +1,6 @@
1
1
  'use strict';
2
2
 
3
- require('@noble/hashes/sha2.js');
3
+ var sha2_js = require('@noble/hashes/sha2.js');
4
4
  require('@noble/hashes/hmac.js');
5
5
  var envelopeRegistry = require('@omnituum/envelope-registry');
6
6
  var hashWasm = require('hash-wasm');
@@ -21,7 +21,7 @@ var DEFAULT_VAULT_SETTINGS = {
21
21
  showFingerprints: true
22
22
  };
23
23
  var PBKDF2_ITERATIONS = 6e5;
24
- new TextEncoder();
24
+ var textEncoder = new TextEncoder();
25
25
  new TextDecoder();
26
26
  function toB64(bytes) {
27
27
  let binary = "";
@@ -44,8 +44,12 @@ function toHex(bytes) {
44
44
  function randN(n) {
45
45
  return globalThis.crypto.getRandomValues(new Uint8Array(n));
46
46
  }
47
+ function sha256(bytes) {
48
+ return sha2_js.sha256(bytes);
49
+ }
47
50
  var b64 = toB64;
48
51
  envelopeRegistry.OMNI_VERSIONS.HYBRID_V1;
52
+ envelopeRegistry.OMNI_VERSIONS.HYBRID_V2;
49
53
  envelopeRegistry.DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
50
54
  var VAULT_VERSION = "omnituum.vault.v1";
51
55
  var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
@@ -337,17 +341,11 @@ function computeIntegrityHash(identities) {
337
341
  createdAt: i.createdAt,
338
342
  rotationCount: i.rotationCount
339
343
  }));
340
- const serialized = JSON.stringify(canonical, Object.keys(canonical[0] || {}).sort());
344
+ const serialized = JSON.stringify(canonical);
341
345
  return computeStringHash(serialized);
342
346
  }
343
347
  function computeStringHash(str) {
344
- let hash = 0;
345
- for (let i = 0; i < str.length; i++) {
346
- const char = str.charCodeAt(i);
347
- hash = (hash << 5) - hash + char;
348
- hash = hash & hash;
349
- }
350
- return Math.abs(hash).toString(16).padStart(16, "0");
348
+ return toHex(sha256(textEncoder.encode(str)));
351
349
  }
352
350
 
353
351
  // src/utils/entropy.ts
@@ -398,7 +396,6 @@ async function createIdentity(name) {
398
396
  const x25519 = generateX25519Keypair();
399
397
  const kyber = await generateKyberKeypair();
400
398
  if (!kyber) {
401
- console.error("Kyber key generation failed");
402
399
  return null;
403
400
  }
404
401
  const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -1,5 +1,5 @@
1
- import { O as OmnituumVault, E as EncryptedVaultFile, k as EncryptedVaultFileV2, H as HybridIdentityRecord, l as VaultSettings, m as VaultSession } from '../types-Dx_AFqow.cjs';
2
- export { D as DEFAULT_VAULT_SETTINGS, n as EncryptedVaultFileV1, o as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-Dx_AFqow.cjs';
1
+ import { O as OmnituumVault, E as EncryptedVaultFile, m as EncryptedVaultFileV2, H as HybridIdentityRecord, n as VaultSettings, o as VaultSession } from '../types-DmnVueAY.cjs';
2
+ export { D as DEFAULT_VAULT_SETTINGS, p as EncryptedVaultFileV1, q as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-DmnVueAY.cjs';
3
3
 
4
4
  /**
5
5
  * Omnituum PQC Shared - Vault Encryption
@@ -1,5 +1,5 @@
1
- import { O as OmnituumVault, E as EncryptedVaultFile, k as EncryptedVaultFileV2, H as HybridIdentityRecord, l as VaultSettings, m as VaultSession } from '../types-Dx_AFqow.js';
2
- export { D as DEFAULT_VAULT_SETTINGS, n as EncryptedVaultFileV1, o as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-Dx_AFqow.js';
1
+ import { O as OmnituumVault, E as EncryptedVaultFile, m as EncryptedVaultFileV2, H as HybridIdentityRecord, n as VaultSettings, o as VaultSession } from '../types-DmnVueAY.js';
2
+ export { D as DEFAULT_VAULT_SETTINGS, p as EncryptedVaultFileV1, q as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-DmnVueAY.js';
3
3
 
4
4
  /**
5
5
  * Omnituum PQC Shared - Vault Encryption
@@ -1,4 +1,4 @@
1
- import '@noble/hashes/sha2.js';
1
+ import { sha256 as sha256$1 } from '@noble/hashes/sha2.js';
2
2
  import '@noble/hashes/hmac.js';
3
3
  import { OMNI_VERSIONS, DEPRECATED_VERSIONS } from '@omnituum/envelope-registry';
4
4
  import { argon2id } from 'hash-wasm';
@@ -15,7 +15,7 @@ var DEFAULT_VAULT_SETTINGS = {
15
15
  showFingerprints: true
16
16
  };
17
17
  var PBKDF2_ITERATIONS = 6e5;
18
- new TextEncoder();
18
+ var textEncoder = new TextEncoder();
19
19
  new TextDecoder();
20
20
  function toB64(bytes) {
21
21
  let binary = "";
@@ -38,8 +38,12 @@ function toHex(bytes) {
38
38
  function randN(n) {
39
39
  return globalThis.crypto.getRandomValues(new Uint8Array(n));
40
40
  }
41
+ function sha256(bytes) {
42
+ return sha256$1(bytes);
43
+ }
41
44
  var b64 = toB64;
42
45
  OMNI_VERSIONS.HYBRID_V1;
46
+ OMNI_VERSIONS.HYBRID_V2;
43
47
  DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
44
48
  var VAULT_VERSION = "omnituum.vault.v1";
45
49
  var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
@@ -331,17 +335,11 @@ function computeIntegrityHash(identities) {
331
335
  createdAt: i.createdAt,
332
336
  rotationCount: i.rotationCount
333
337
  }));
334
- const serialized = JSON.stringify(canonical, Object.keys(canonical[0] || {}).sort());
338
+ const serialized = JSON.stringify(canonical);
335
339
  return computeStringHash(serialized);
336
340
  }
337
341
  function computeStringHash(str) {
338
- let hash = 0;
339
- for (let i = 0; i < str.length; i++) {
340
- const char = str.charCodeAt(i);
341
- hash = (hash << 5) - hash + char;
342
- hash = hash & hash;
343
- }
344
- return Math.abs(hash).toString(16).padStart(16, "0");
342
+ return toHex(sha256(textEncoder.encode(str)));
345
343
  }
346
344
 
347
345
  // src/utils/entropy.ts
@@ -392,7 +390,6 @@ async function createIdentity(name) {
392
390
  const x25519 = generateX25519Keypair();
393
391
  const kyber = await generateKyberKeypair();
394
392
  if (!kyber) {
395
- console.error("Kyber key generation failed");
396
393
  return null;
397
394
  }
398
395
  const now = (/* @__PURE__ */ new Date()).toISOString();
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@omnituum/pqc-shared",
3
- "version": "0.4.0",
3
+ "version": "0.6.0",
4
4
  "description": "Omnituum PQC Shared Library - Crypto, Vault, File Encryption, and Utilities",
5
5
  "type": "module",
6
6
  "main": "./dist/index.cjs",
@@ -42,25 +42,13 @@
42
42
  "dist",
43
43
  "src"
44
44
  ],
45
- "scripts": {
46
- "build": "tsup",
47
- "dev": "tsup --watch",
48
- "clean": "rm -rf dist",
49
- "typecheck": "tsc --noEmit",
50
- "test:golden:generate": "pnpm -s build && tsx tests/golden/generate-vectors.ts",
51
- "test:golden:verify": "pnpm -s build && tsx tests/golden/verify-vectors.ts",
52
- "test:golden": "pnpm test:golden:verify",
53
- "test": "vitest run tests/",
54
- "test:watch": "vitest tests/",
55
- "pretest": "pnpm build"
56
- },
57
45
  "dependencies": {
58
- "@noble/ciphers": "~2.0.0",
59
- "@noble/hashes": "~2.0.0",
60
- "@omnituum/envelope-registry": "github:Omnituum/envelope-registry#v0.1.2",
61
- "@noble/post-quantum": "~0.5.4",
62
- "hash-wasm": "^4.11.0",
63
- "tweetnacl": "^1.0.3"
46
+ "@noble/ciphers": "2.0.1",
47
+ "@noble/hashes": "2.0.1",
48
+ "@omnituum/envelope-registry": "github:Omnituum/envelope-registry#v0.2.0",
49
+ "@noble/post-quantum": "0.5.4",
50
+ "hash-wasm": "4.12.0",
51
+ "tweetnacl": "1.0.3"
64
52
  },
65
53
  "devDependencies": {
66
54
  "@types/node": "^25.0.9",
@@ -91,10 +79,16 @@
91
79
  "url": "https://github.com/Omnituum/pqc-shared/issues"
92
80
  },
93
81
  "homepage": "https://github.com/Omnituum/pqc-shared#readme",
94
- "packageManager": "pnpm@10.32.1",
95
- "pnpm": {
96
- "onlyBuiltDependencies": [
97
- "@omnituum/envelope-registry"
98
- ]
82
+ "scripts": {
83
+ "build": "tsup",
84
+ "dev": "tsup --watch",
85
+ "clean": "rm -rf dist",
86
+ "typecheck": "tsc --noEmit",
87
+ "test:golden:generate": "pnpm -s build && tsx tests/golden/generate-vectors.ts",
88
+ "test:golden:verify": "pnpm -s build && tsx tests/golden/verify-vectors.ts",
89
+ "test:golden": "pnpm test:golden:verify",
90
+ "test": "vitest run tests/",
91
+ "test:watch": "vitest tests/",
92
+ "pretest": "pnpm build"
99
93
  }
100
- }
94
+ }
@@ -44,8 +44,8 @@ async function loadDilithium(): Promise<any> {
44
44
  const { ml_dsa65 } = await import('@noble/post-quantum/ml-dsa.js');
45
45
  dilithiumModule = ml_dsa65;
46
46
  return dilithiumModule;
47
- } catch (e) {
48
- console.warn('[Dilithium] Failed to load @noble/post-quantum:', e);
47
+ } catch {
48
+ // Backend unavailable in this environment; callers handle the null return.
49
49
  return null;
50
50
  }
51
51
  }
@@ -83,8 +83,8 @@ export async function generateDilithiumKeypair(): Promise<DilithiumKeypairB64 |
83
83
  publicB64: toB64(kp.publicKey),
84
84
  secretB64: toB64(kp.secretKey),
85
85
  };
86
- } catch (e) {
87
- console.warn('[Dilithium] Key generation failed:', e);
86
+ } catch {
87
+ // Never log the caught error: it can reference seed/key material.
88
88
  return null;
89
89
  }
90
90
  }