@rabbitlock/runtime 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Prismworks AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,38 @@
+# @rabbitlock/runtime
+
+Minimal RabbitLock runtime helpers for decrypting `env.sops.json` into runtime env vars.
+
+## Install
+
+```bash
+npm install @rabbitlock/runtime
+```
+
+## Usage
+
+```bash
+export RABBITLOCK_SEED_HEX=...
+rabbitlock-env --in env.sops.json --export
+```
+
+```bash
+rabbitlock-env --in env.sops.json --json
+```
+
+```bash
+rabbitlock-env --in env.sops.json --write-env .env
+```
+
+## Python helper
+
+```python
+from rabbitlock_env import load_env_dict, load_env_into_os
+
+env = load_env_dict(seed_hex="...", sops_path="env.sops.json")
+load_env_into_os(seed_hex="...", sops_path="env.sops.json")
+```
+
+## Notes
+
+- This package bundles the Wasm crypto artifacts in `pkg/`.
+- The CLI reads the SOPS file from the current working directory unless `--in` is provided.

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "@rabbitlock/runtime",
+  "version": "0.1.0",
+  "description": "RabbitLock runtime CLI for decrypting SOPS JSON to env vars.",
+  "type": "module",
+  "bin": {
+    "rabbitlock-env": "rabbitlock-env.mjs"
+  },
+  "files": [
+    "rabbitlock-env.mjs",
+    "rabbitlock_env.py",
+    "pkg/",
+    "runtime.test.mjs",
+    "README.md",
+    "LICENSE"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/prismworks-ai/rabbitlock-runtime.git"
+  },
+  "scripts": {
+    "test": "node --test runtime.test.mjs"
+  }
+}

package/pkg/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "rabbitlock-crypto",
+  "version": "0.1.0",
+  "files": [
+    "rabbitlock_crypto_bg.wasm",
+    "rabbitlock_crypto.js",
+    "rabbitlock_crypto.d.ts"
+  ],
+  "module": "rabbitlock_crypto.js",
+  "types": "rabbitlock_crypto.d.ts",
+  "sideEffects": [
+    "./snippets/*"
+  ]
+}

package/pkg/rabbitlock_crypto.d.ts

@@ -0,0 +1,133 @@
+/* tslint:disable */
+/* eslint-disable */
+
+export function create_zip_archive(files_js: any): Uint8Array;
+
+export function decrypt_and_verify_sops(json_input: string, private_key: string): string;
+
+export function decrypt_binary_hybrid(data: Uint8Array, secret_key_hex: string): Uint8Array;
+
+export function decrypt_data_key(json_input: string, private_key: string): string;
+
+/**
+ * Decrypt and return the full decrypted SOPS file as JSON string
+ * Returns: JSON string with decrypted values (sops metadata still encrypted)
+ */
+export function decrypt_sops_content(json_input: string, private_key: string): string;
+
+export function derive_hybrid_keypair(seed_hex: string): string;
+
+export function encrypt_binary_hybrid(data: Uint8Array, recipient_pubkey_hex: string): Uint8Array;
+
+export function encrypt_sops_json(plain_json: string, data_key_hex: string): string;
+
+export function encrypt_sops_json_for_recipient(plain_json: string, recipient_pubkey_hex: string): string;
+
+export function greet(name: string): string;
+
+export function parse_and_verify_sops(json_input: string): string;
+
+/**
+ * Decapsulate a shared secret using your private key
+ * secret_key_hex: 2432 bytes as hex
+ * ciphertext_hex: 1120 bytes as hex
+ * Returns: shared_secret_hex (64 hex chars = 32 bytes)
+ */
+export function pq_decapsulate(secret_key_hex: string, ciphertext_hex: string): string;
+
+/**
+ * Encapsulate a shared secret for a recipient's hybrid public key
+ * pub_key_hex: 1216 bytes (32 X25519 + 1184 ML-KEM) as hex
+ * Returns: "shared_secret_hex:ciphertext_hex"
+ */
+export function pq_encapsulate(pub_key_hex: string): string;
+
+/**
+ * Generate a new hybrid keypair (X25519 + ML-KEM-768)
+ * Returns: "secret_key_hex:public_key_hex"
+ */
+export function pq_generate_keypair(): string;
+
+/**
+ * Get the size constants for documentation
+ * Get the size constants for documentation
+ */
+export function pq_get_sizes(): string;
+
+/**
+ * Decapsulate a shared secret using an ML-KEM-768 secret key (PQ-only)
+ * secret_key_hex: 2400 bytes as hex
+ * ciphertext_hex: 1088 bytes as hex
+ * Returns: shared_secret_hex (64 hex chars = 32 bytes)
+ */
+export function pq_mlkem_decapsulate(secret_key_hex: string, ciphertext_hex: string): string;
+
+/**
+ * Encapsulate a shared secret for an ML-KEM-768 public key (PQ-only)
+ * pub_key_hex: 1184 bytes as hex
+ * Returns: "shared_secret_hex:ciphertext_hex"
+ */
+export function pq_mlkem_encapsulate(pub_key_hex: string): string;
+
+/**
+ * Generate a new ML-KEM-768 keypair (PQ-only)
+ * Returns: "secret_key_hex:public_key_hex"
+ */
+export function pq_mlkem_generate_keypair(): string;
+
+export function verify_sops_integrity(json_input: string, data_key_hex: string): string;
+
+export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module;
+
+export interface InitOutput {
+  readonly memory: WebAssembly.Memory;
+  readonly greet: (a: number, b: number) => [number, number];
+  readonly parse_and_verify_sops: (a: number, b: number) => [number, number];
+  readonly derive_hybrid_keypair: (a: number, b: number) => [number, number, number, number];
+  readonly verify_sops_integrity: (a: number, b: number, c: number, d: number) => [number, number];
+  readonly decrypt_data_key: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly decrypt_and_verify_sops: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly decrypt_sops_content: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly encrypt_sops_json: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly encrypt_sops_json_for_recipient: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly pq_generate_keypair: () => [number, number];
+  readonly pq_encapsulate: (a: number, b: number) => [number, number, number, number];
+  readonly pq_decapsulate: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly pq_mlkem_generate_keypair: () => [number, number];
+  readonly pq_mlkem_encapsulate: (a: number, b: number) => [number, number, number, number];
+  readonly pq_mlkem_decapsulate: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly pq_get_sizes: () => [number, number];
+  readonly create_zip_archive: (a: any) => [number, number, number, number];
+  readonly encrypt_binary_hybrid: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly decrypt_binary_hybrid: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+  readonly __wbindgen_malloc: (a: number, b: number) => number;
+  readonly __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number;
+  readonly __wbindgen_exn_store: (a: number) => void;
+  readonly __externref_table_alloc: () => number;
+  readonly __wbindgen_externrefs: WebAssembly.Table;
+  readonly __wbindgen_free: (a: number, b: number, c: number) => void;
+  readonly __externref_table_dealloc: (a: number) => void;
+  readonly __wbindgen_start: () => void;
+}
+
+export type SyncInitInput = BufferSource | WebAssembly.Module;
+
+/**
+* Instantiates the given `module`, which can either be bytes or
+* a precompiled `WebAssembly.Module`.
+*
+* @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated.
+*
+* @returns {InitOutput}
+*/
+export function initSync(module: { module: SyncInitInput } | SyncInitInput): InitOutput;
+
+/**
+* If `module_or_path` is {RequestInfo} or {URL}, makes a request and
+* for everything else, calls `WebAssembly.instantiate` directly.
+*
+* @param {{ module_or_path: InitInput | Promise<InitInput> }} module_or_path - Passing `InitInput` directly is deprecated.
+*
+* @returns {Promise<InitOutput>}
+*/
+export default function __wbg_init (module_or_path?: { module_or_path: InitInput | Promise<InitInput> } | InitInput | Promise<InitInput>): Promise<InitOutput>;