@unknownncat/curve25519-node 2.0.0 → 2.1.0

package/NOTICE.md

@@ -0,0 +1,89 @@
+# NOTICE
+
+This repository is distributed under the MIT license and includes third-party software components.
+
+Primary package: `@unknownncat/curve25519-node`  
+Repository: <https://github.com/unknownncat/curve25519-node>
+
+## Security and Disclosure
+
+- Security policy: [SECURITY.md](./SECURITY.md)
+- Vulnerability reporting should follow the private disclosure flow described in that file.
+
+## Direct ecosystem references
+
+- `curve25519-js` — MIT or CC0 (as declared upstream)  
+  <https://github.com/harveyconnor/curve25519-js>
+- `TweetNaCl.js` — Public Domain (as declared upstream)  
+  <https://tweetnacl.js.org/>
+- OpenSSL (used through Node.js `node:crypto`) — Apache-2.0  
+  <https://www.openssl.org/>
+
+## Rust/WASM dependency notices
+
+The project contains two Rust/WASM crates:
+
+- `wasm/curve25519-wasm`
+- `wasm/axlsign`
+
+License inventory was collected with:
+
+```bash
+cargo license -t
+```
+
+### Crates present in both Rust projects
+
+| Crate                      | License                             |
+| -------------------------- | ----------------------------------- |
+| block-buffer               | Apache-2.0 OR MIT                   |
+| bumpalo                    | Apache-2.0 OR MIT                   |
+| cfg-if                     | Apache-2.0 OR MIT                   |
+| cpufeatures                | Apache-2.0 OR MIT                   |
+| crypto-common              | Apache-2.0 OR MIT                   |
+| curve25519-dalek           | BSD-3-Clause                        |
+| curve25519-dalek-derive    | Apache-2.0 OR MIT                   |
+| digest                     | Apache-2.0 OR MIT                   |
+| ed25519                    | Apache-2.0 OR MIT                   |
+| ed25519-dalek              | BSD-3-Clause                        |
+| fiat-crypto                | Apache-2.0 OR BSD-1-Clause OR MIT   |
+| generic-array              | MIT                                 |
+| libc                       | Apache-2.0 OR MIT                   |
+| once_cell                  | Apache-2.0 OR MIT                   |
+| proc-macro2                | Apache-2.0 OR MIT                   |
+| quote                      | Apache-2.0 OR MIT                   |
+| rand_core                  | Apache-2.0 OR MIT                   |
+| rustc_version              | Apache-2.0 OR MIT                   |
+| rustversion                | Apache-2.0 OR MIT                   |
+| semver                     | Apache-2.0 OR MIT                   |
+| sha2                       | Apache-2.0 OR MIT                   |
+| signature                  | Apache-2.0 OR MIT                   |
+| subtle                     | BSD-3-Clause                        |
+| syn                        | Apache-2.0 OR MIT                   |
+| typenum                    | Apache-2.0 OR MIT                   |
+| unicode-ident              | (Apache-2.0 OR MIT) AND Unicode-3.0 |
+| version_check              | Apache-2.0 OR MIT                   |
+| wasm-bindgen               | Apache-2.0 OR MIT                   |
+| wasm-bindgen-macro         | Apache-2.0 OR MIT                   |
+| wasm-bindgen-macro-support | Apache-2.0 OR MIT                   |
+| wasm-bindgen-shared        | Apache-2.0 OR MIT                   |
+| x25519-dalek               | BSD-3-Clause                        |
+
+### Crates present only in `wasm/axlsign`
+
+| Crate   | License           |
+| ------- | ----------------- |
+| zeroize | Apache-2.0 OR MIT |
+
+### Local Rust crates
+
+| Crate                   | License |
+| ----------------------- | ------- |
+| curve25519-node-wasm    | MIT     |
+| curve25519-node-axlsign | MIT     |
+
+## Notes
+
+- Upstream licenses remain with their respective authors and projects.
+- This NOTICE summarizes dependencies and does not replace upstream license texts.
+- For full build/runtime details, see `README.md`, `README.en.md`, and `wasm/README.md`.

package/README.en.md

@@ -5,6 +5,7 @@
 Zero-runtime-dependency implementation of:
 
 - X25519 + Ed25519 (modern mode via OpenSSL in `node:crypto`)
+- X25519 + Ed25519 (optional modern mode via WASM)
 - legacy axlsign (optional WASM mode, compatible with `curve25519-js`)
 
 [![npm](https://img.shields.io/npm/v/@unknownncat/curve25519-node)](https://www.npmjs.com/package/@unknownncat/curve25519-node)
@@ -66,30 +67,52 @@ import { asBytes32, axlsign } from "@unknownncat/curve25519-node";
 
 const seed = asBytes32(new Uint8Array(32));
 const kp = axlsign.generateKeyPair(seed); // curve25519-js-compatible X25519 keypair
-const sig = axlsign.sign(
-  kp.private,
-  new TextEncoder().encode("hello"),
-  new Uint8Array(64),
-);
+const sig = axlsign.sign(kp.private, new TextEncoder().encode("hello"), new Uint8Array(64));
 const ok = axlsign.verify(kp.public, new TextEncoder().encode("hello"), sig);
 ```
 
+Modern WASM mode (`wasm`):
+
+```ts
+import { asBytes32, wasm } from "@unknownncat/curve25519-node";
+
+const seed = asBytes32(new Uint8Array(32));
+const kp = wasm.x25519.generateKeyPair(seed);
+const shared = wasm.x25519.sharedKey(kp.private, kp.public);
+
+const msg = new TextEncoder().encode("hello");
+const sig = wasm.ed25519.sign(seed, msg);
+const ok = wasm.ed25519.verify(wasm.ed25519.publicKey(seed), msg, sig);
+```
+
 ---
 
 ## API
 
 ### `x25519`
 
+- `createPrivateKeyObject(secretKey32: Bytes32): KeyObject`
+- `createPublicKeyObject(publicKey32: Bytes32): KeyObject`
+- `publicKeyFromPrivateKeyObject(privateKey: KeyObject): Bytes32`
 - `publicKey(secretKey32: Bytes32): Bytes32`
+- `sharedKeyFromKeyObjects(privateKey: KeyObject, publicKey: KeyObject): Bytes32`
 - `sharedKey(secretKey32: Bytes32, publicKey32: Bytes32): Bytes32`
+- `sharedKeyStrict(secretKey32: Bytes32, publicKey32: Bytes32): Bytes32` (rejects all-zero shared secret)
+- `sharedKeyStrictFromKeyObjects(privateKey: KeyObject, publicKey: KeyObject): Bytes32` (rejects all-zero shared secret)
+- `isAllZero32(bytes32: Bytes32): boolean`
 - `generateKeyPair(seed32: Bytes32): { public: Bytes32; private: Bytes32 }`
 
 ### `ed25519`
 
+- `createPrivateKeyObject(secretSeed32: Bytes32): KeyObject`
+- `createPublicKeyObject(publicKey32: Bytes32): KeyObject`
+- `publicKeyFromPrivateKeyObject(privateKey: KeyObject): Bytes32`
 - `publicKey(secretSeed32: Bytes32): Bytes32`
 - `generateKeyPair(seed32: Bytes32): { public: Bytes32; private: Bytes32 }`
 - `sign(secretSeed32: Bytes32, msg: Uint8Array): Bytes64`
+- `signWithPrivateKey(privateKey: KeyObject, msg: Uint8Array): Bytes64`
 - `verify(publicKey32: Bytes32, msg: Uint8Array, signature64: Bytes64): boolean`
+- `verifyWithPublicKey(publicKey: KeyObject, msg: Uint8Array, signature64: Bytes64): boolean`
 - `signMessage(secretSeed32: Bytes32, msg: Uint8Array): Uint8Array` (`signature || message`)
 - `openMessage(publicKey32: Bytes32, signedMsg: Uint8Array): Uint8Array | null`
 
@@ -103,9 +126,39 @@ const ok = axlsign.verify(kp.public, new TextEncoder().encode("hello"), sig);
 - `signMessage(secretKey32: Bytes32, msg: Uint8Array, opt_random?: Bytes64): Uint8Array`
 - `openMessage(publicKey32: Bytes32, signedMsg: Uint8Array): Uint8Array | null`
 
+### `wasm` (optional modern mode via WASM)
+
+`wasm.x25519`:
+
+- `createPrivateKeyObject(secretKey32: Bytes32): WasmX25519PrivateKeyObject`
+- `createPublicKeyObject(publicKey32: Bytes32): WasmX25519PublicKeyObject`
+- `publicKeyFromPrivateKeyObject(privateKey: WasmX25519PrivateKeyObject): Bytes32`
+- `publicKey(secretKey32: Bytes32): Bytes32`
+- `sharedKeyFromKeyObjects(privateKey: WasmX25519PrivateKeyObject, publicKey: WasmX25519PublicKeyObject): Bytes32`
+- `sharedKey(secretKey32: Bytes32, publicKey32: Bytes32): Bytes32`
+- `sharedKeyStrict(secretKey32: Bytes32, publicKey32: Bytes32): Bytes32`
+- `sharedKeyStrictFromKeyObjects(privateKey: WasmX25519PrivateKeyObject, publicKey: WasmX25519PublicKeyObject): Bytes32`
+- `isAllZero32(bytes32: Bytes32): boolean`
+- `generateKeyPair(seed32: Bytes32): { public: Bytes32; private: Bytes32 }`
+
+`wasm.ed25519`:
+
+- `createPrivateKeyObject(secretSeed32: Bytes32): WasmEd25519PrivateKeyObject`
+- `createPublicKeyObject(publicKey32: Bytes32): WasmEd25519PublicKeyObject`
+- `publicKeyFromPrivateKeyObject(privateKey: WasmEd25519PrivateKeyObject): Bytes32`
+- `publicKey(secretSeed32: Bytes32): Bytes32`
+- `generateKeyPair(seed32: Bytes32): { public: Bytes32; private: Bytes32 }`
+- `sign(secretSeed32: Bytes32, msg: Uint8Array): Bytes64`
+- `signWithPrivateKey(privateKey: WasmEd25519PrivateKeyObject, msg: Uint8Array): Bytes64`
+- `verify(publicKey32: Bytes32, msg: Uint8Array, signature64: Bytes64): boolean`
+- `verifyWithPublicKey(publicKey: WasmEd25519PublicKeyObject, msg: Uint8Array, signature64: Bytes64): boolean`
+- `signMessage(secretSeed32: Bytes32, msg: Uint8Array): Uint8Array`
+- `openMessage(publicKey32: Bytes32, signedMsg: Uint8Array): Uint8Array | null`
+
 ### Top-level compatibility aliases
 
 - `sharedKey = x25519.sharedKey`
+- `sharedKeyStrict = x25519.sharedKeyStrict`
 - `generateKeyPair = x25519.generateKeyPair`
 - `sign`, `verify`, `signMessage`, `openMessage` (Ed25519 semantics)
 - `generateKeyPairX25519`, `generateKeyPairEd25519`
@@ -114,27 +167,32 @@ const ok = axlsign.verify(kp.public, new TextEncoder().encode("hello"), sig);
 
 ## Compatibility Notes
 
-This package provides two modes:
+This package provides three modes:
 
-- **modern (recommended):** `x25519` + `ed25519` via `node:crypto`
+- **modern native (recommended):** `x25519` + `ed25519` via `node:crypto`
+- **modern WASM (optional):** `wasm` namespace (`wasm.x25519` + `wasm.ed25519`)
 - **legacy:** `axlsign` via WASM for `curve25519-js` compatibility
 
-| Feature                      | `curve25519-js` | `curve25519-node`                           |
-| ---------------------------- | --------------- | ------------------------------------------- |
-| Signature scheme (modern)    | axlsign         | Ed25519 (standard)                          |
-| Signature scheme (legacy)    | axlsign         | axlsign (namespace `axlsign`)               |
-| Key agreement                | X25519          | X25519                                      |
-| Same key for signing + ECDH  | yes             | only in `axlsign` namespace                 |
-| `opt_random` in signing APIs | yes             | yes in `axlsign`, no in top-level/`ed25519` |
-| OpenSSL backend              | no              | yes                                         |
+| Feature                          | `curve25519-js` | `curve25519-node`                           |
+| -------------------------------- | --------------- | ------------------------------------------- |
+| Signature scheme (modern)        | axlsign         | Ed25519 (standard)                          |
+| Alternative modern scheme        | no              | Ed25519 via WASM (`wasm.ed25519`)           |
+| Signature scheme (legacy)        | axlsign         | axlsign (namespace `axlsign`)               |
+| Key agreement                    | X25519          | X25519                                      |
+| Alternative modern key agreement | no              | X25519 via WASM (`wasm.x25519`)             |
+| Same key for signing + ECDH      | yes             | only in `axlsign` namespace                 |
+| `opt_random` in signing APIs     | yes             | yes in `axlsign`, no in top-level/`ed25519` |
+| OpenSSL backend                  | no              | yes                                         |
 
 Important:
 
 - X25519 public keys and Ed25519 public keys are different.
+- For stricter protocol flows (Signal-like), prefer `sharedKeyStrict` to reject all-zero shared secrets.
 - `node:crypto` does not expose an API to convert X25519 public keys to/from Ed25519 public keys.
 - Top-level `sign`/`signMessage` and `ed25519` keep Ed25519 semantics and reject `opt_random`.
 - For `curve25519-js` compatibility (including `opt_random`), use namespace `axlsign`.
 - Ed25519 signatures here are deterministic (OpenSSL default behavior).
+- WASM modules (`axlsign` and `wasm`) are lazy-loaded on first call (importing only `x25519`/`ed25519` does not initialize WASM).
 
 ---
 
@@ -149,7 +207,10 @@ This package targets modern Node using OpenSSL primitives:
 - smaller, explicit API surface
 - strong typing with zero runtime dependencies
 
-In addition, the WASM `axlsign` namespace enables progressive migration of legacy code without reintroducing manual curve arithmetic in JavaScript.
+In addition:
+
+- WASM `axlsign` enables progressive migration of legacy code.
+- WASM `wasm` provides a modern backend option without relying on `node:crypto` in the crypto execution path.
 
 ---
 
@@ -214,7 +275,7 @@ Implementation notes:
 
 - Avoids unnecessary byte copies in critical paths.
 - `signMessage` builds `signature || message` with a single preallocated `Uint8Array`.
-- For high-throughput loops, caching `KeyObject` at application level reduces ASN.1 parse overhead.
+- For high-throughput loops, use `KeyObject` helpers (`create*KeyObject`, `*FromKeyObjects`) to reduce ASN.1 parse overhead.
 
 ---
 
@@ -295,7 +356,7 @@ Notes:
 
 ---
 
-## Building `axlsign`
+## Building WASM namespaces (`axlsign` and `wasm`)
 
 In the npm package, WASM artifacts are already prebuilt under `dist/`.
 
@@ -307,8 +368,25 @@ To build from source, you need:
 Then `npm run build` runs:
 
 1. `wasm-pack build` (`wasm/axlsign`)
-2. TypeScript ESM + CJS build
-3. copy of WASM artifacts to `dist/internal/axlsign-wasm`
+2. `wasm-pack build` (`wasm/curve25519-wasm`)
+3. TypeScript ESM + CJS build
+4. copy of WASM artifacts to `dist/internal/axlsign-wasm` and `dist/internal/curve25519-wasm`
+
+Rust crates reference: [wasm/README.md](./wasm/README.md)
+
+---
+
+## Contributing
+
+- Guide: [CONTRIBUTING.md](./CONTRIBUTING.md)
+- Code of conduct: [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md)
+- Security: [SECURITY.md](./SECURITY.md)
+
+Full local validation:
+
+```bash
+npm run ci
+```
 
 ---
 
@@ -316,6 +394,12 @@ Then `npm run build` runs:
 
 MIT
 
+Additional compliance/security documents:
+
+- [NOTICE.md](./NOTICE.md) (canonical third-party notice)
+- [THIRD_PARTY_NOTICE.md](./THIRD_PARTY_NOTICE.md) and [THIRD_PARTY_NOTICES.md](./THIRD_PARTY_NOTICES.md) (compatibility aliases)
+- [SECURITY.md](./SECURITY.md) (security policy and vulnerability reporting)
+
 ---
 
 ## Credits
@@ -325,6 +409,12 @@ MIT
 - Trevor Perrin, Curve25519 signatures idea: <https://moderncrypto.org/mail-archive/curves/2014/000205.html>
 - [Node.js `crypto` docs](https://nodejs.org/api/crypto.html)
 - [OpenSSL](https://www.openssl.org/)
+- [RustCrypto](https://github.com/RustCrypto)
+- [wasm-bindgen](https://github.com/wasm-bindgen/wasm-bindgen)
+- [curve25519-dalek](https://github.com/dalek-cryptography/curve25519-dalek)
+- [ed25519-dalek](https://github.com/dalek-cryptography/ed25519-dalek)
+- [x25519-dalek](https://github.com/dalek-cryptography/x25519-dalek)
+- [zeroize](https://github.com/RustCrypto/utils/tree/master/zeroize)
 - [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
 - [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032)
 - [RFC 8410](https://www.rfc-editor.org/rfc/rfc8410)

package/README.md

@@ -5,6 +5,7 @@
 Implementação sem dependências de runtime de:
 
 - X25519 + Ed25519 (modo moderno via OpenSSL em `node:crypto`)
+- X25519 + Ed25519 (modo moderno opcional via WASM)
 - axlsign legado (modo opcional via WASM, compatível com `curve25519-js`)
 
 [![npm](https://img.shields.io/npm/v/@unknownncat/curve25519-node)](https://www.npmjs.com/package/@unknownncat/curve25519-node)
@@ -66,30 +67,52 @@ import { asBytes32, axlsign } from "@unknownncat/curve25519-node";
 
 const seed = asBytes32(new Uint8Array(32));
 const kp = axlsign.generateKeyPair(seed); // X25519 keypair compatível com curve25519-js
-const sig = axlsign.sign(
-  kp.private,
-  new TextEncoder().encode("hello"),
-  new Uint8Array(64),
-);
+const sig = axlsign.sign(kp.private, new TextEncoder().encode("hello"), new Uint8Array(64));
 const ok = axlsign.verify(kp.public, new TextEncoder().encode("hello"), sig);
 ```
 
+Moderno via WASM (`wasm`):
+
+```ts
+import { asBytes32, wasm } from "@unknownncat/curve25519-node";
+
+const seed = asBytes32(new Uint8Array(32));
+const kp = wasm.x25519.generateKeyPair(seed);
+const shared = wasm.x25519.sharedKey(kp.private, kp.public);
+
+const msg = new TextEncoder().encode("hello");
+const sig = wasm.ed25519.sign(seed, msg);
+const ok = wasm.ed25519.verify(wasm.ed25519.publicKey(seed), msg, sig);
+```
+
 ---
 
 ## API
 
 ### `x25519`
 
+- `createPrivateKeyObject(secretKey32: Bytes32): KeyObject`
+- `createPublicKeyObject(publicKey32: Bytes32): KeyObject`
+- `publicKeyFromPrivateKeyObject(privateKey: KeyObject): Bytes32`
 - `publicKey(secretKey32: Bytes32): Bytes32`
+- `sharedKeyFromKeyObjects(privateKey: KeyObject, publicKey: KeyObject): Bytes32`
 - `sharedKey(secretKey32: Bytes32, publicKey32: Bytes32): Bytes32`
+- `sharedKeyStrict(secretKey32: Bytes32, publicKey32: Bytes32): Bytes32` (rejeita segredo all-zero)
+- `sharedKeyStrictFromKeyObjects(privateKey: KeyObject, publicKey: KeyObject): Bytes32` (rejeita segredo all-zero)
+- `isAllZero32(bytes32: Bytes32): boolean`
 - `generateKeyPair(seed32: Bytes32): { public: Bytes32; private: Bytes32 }`
 
 ### `ed25519`
 
+- `createPrivateKeyObject(secretSeed32: Bytes32): KeyObject`
+- `createPublicKeyObject(publicKey32: Bytes32): KeyObject`
+- `publicKeyFromPrivateKeyObject(privateKey: KeyObject): Bytes32`
 - `publicKey(secretSeed32: Bytes32): Bytes32`
 - `generateKeyPair(seed32: Bytes32): { public: Bytes32; private: Bytes32 }`
 - `sign(secretSeed32: Bytes32, msg: Uint8Array): Bytes64`
+- `signWithPrivateKey(privateKey: KeyObject, msg: Uint8Array): Bytes64`
 - `verify(publicKey32: Bytes32, msg: Uint8Array, signature64: Bytes64): boolean`
+- `verifyWithPublicKey(publicKey: KeyObject, msg: Uint8Array, signature64: Bytes64): boolean`
 - `signMessage(secretSeed32: Bytes32, msg: Uint8Array): Uint8Array` (`assinatura || mensagem`)
 - `openMessage(publicKey32: Bytes32, signedMsg: Uint8Array): Uint8Array | null`
 
@@ -103,9 +126,39 @@ const ok = axlsign.verify(kp.public, new TextEncoder().encode("hello"), sig);
 - `signMessage(secretKey32: Bytes32, msg: Uint8Array, opt_random?: Bytes64): Uint8Array`
 - `openMessage(publicKey32: Bytes32, signedMsg: Uint8Array): Uint8Array | null`
 
+### `wasm` (modo moderno opcional, via WASM)
+
+`wasm.x25519`:
+
+- `createPrivateKeyObject(secretKey32: Bytes32): WasmX25519PrivateKeyObject`
+- `createPublicKeyObject(publicKey32: Bytes32): WasmX25519PublicKeyObject`
+- `publicKeyFromPrivateKeyObject(privateKey: WasmX25519PrivateKeyObject): Bytes32`
+- `publicKey(secretKey32: Bytes32): Bytes32`
+- `sharedKeyFromKeyObjects(privateKey: WasmX25519PrivateKeyObject, publicKey: WasmX25519PublicKeyObject): Bytes32`
+- `sharedKey(secretKey32: Bytes32, publicKey32: Bytes32): Bytes32`
+- `sharedKeyStrict(secretKey32: Bytes32, publicKey32: Bytes32): Bytes32` (rejeita segredo all-zero)
+- `sharedKeyStrictFromKeyObjects(privateKey: WasmX25519PrivateKeyObject, publicKey: WasmX25519PublicKeyObject): Bytes32` (rejeita segredo all-zero)
+- `isAllZero32(bytes32: Bytes32): boolean`
+- `generateKeyPair(seed32: Bytes32): { public: Bytes32; private: Bytes32 }`
+
+`wasm.ed25519`:
+
+- `createPrivateKeyObject(secretSeed32: Bytes32): WasmEd25519PrivateKeyObject`
+- `createPublicKeyObject(publicKey32: Bytes32): WasmEd25519PublicKeyObject`
+- `publicKeyFromPrivateKeyObject(privateKey: WasmEd25519PrivateKeyObject): Bytes32`
+- `publicKey(secretSeed32: Bytes32): Bytes32`
+- `generateKeyPair(seed32: Bytes32): { public: Bytes32; private: Bytes32 }`
+- `sign(secretSeed32: Bytes32, msg: Uint8Array): Bytes64`
+- `signWithPrivateKey(privateKey: WasmEd25519PrivateKeyObject, msg: Uint8Array): Bytes64`
+- `verify(publicKey32: Bytes32, msg: Uint8Array, signature64: Bytes64): boolean`
+- `verifyWithPublicKey(publicKey: WasmEd25519PublicKeyObject, msg: Uint8Array, signature64: Bytes64): boolean`
+- `signMessage(secretSeed32: Bytes32, msg: Uint8Array): Uint8Array`
+- `openMessage(publicKey32: Bytes32, signedMsg: Uint8Array): Uint8Array | null`
+
 ### Aliases de compatibilidade (top-level)
 
 - `sharedKey = x25519.sharedKey`
+- `sharedKeyStrict = x25519.sharedKeyStrict`
 - `generateKeyPair = x25519.generateKeyPair`
 - `sign`, `verify`, `signMessage`, `openMessage` (semântica Ed25519)
 - `generateKeyPairX25519`, `generateKeyPairEd25519`
@@ -114,16 +167,19 @@ const ok = axlsign.verify(kp.public, new TextEncoder().encode("hello"), sig);
 
 ## Notas de Compatibilidade
 
-Este pacote suporta dois modos:
+Este pacote suporta três modos:
 
-- **moderno (recomendado):** `x25519` + `ed25519` via `node:crypto`
+- **moderno nativo (recomendado):** `x25519` + `ed25519` via `node:crypto`
+- **moderno WASM (opcional):** namespace `wasm` (`wasm.x25519` + `wasm.ed25519`)
 - **legado:** `axlsign` via WASM para compatibilidade com `curve25519-js`
 
 | Recurso                             | `curve25519-js` | `curve25519-node`                            |
 | ----------------------------------- | --------------- | -------------------------------------------- |
 | Esquema de assinatura (moderno)     | axlsign         | Ed25519 (padrão)                             |
+| Esquema moderno alternativo         | não             | Ed25519 via WASM (`wasm.ed25519`)            |
 | Esquema de assinatura (legado)      | axlsign         | axlsign (namespace `axlsign`)                |
 | Acordo de chave                     | X25519          | X25519                                       |
+| Acordo moderno alternativo          | não             | X25519 via WASM (`wasm.x25519`)              |
 | Mesma chave para assinatura + ECDH  | sim             | apenas no namespace `axlsign`                |
 | `opt_random` nas APIs de assinatura | sim             | sim no `axlsign`, não no top-level/`ed25519` |
 | Backend OpenSSL                     | não             | sim                                          |
@@ -131,10 +187,12 @@ Este pacote suporta dois modos:
 Importante:
 
 - Chaves públicas X25519 e Ed25519 são diferentes.
+- Para fluxos de protocolo mais rígidos (estilo Signal), prefira `sharedKeyStrict` para rejeitar segredo compartilhado all-zero.
 - `node:crypto` não expõe API para converter public key X25519 ↔ Ed25519.
 - Top-level `sign`/`signMessage` e namespace `ed25519` continuam com semântica Ed25519 e rejeitam `opt_random`.
 - Para compatibilidade com `curve25519-js` (incluindo `opt_random`), use o namespace `axlsign`.
 - Assinaturas Ed25519 continuam determinísticas (comportamento padrão do OpenSSL).
+- Os módulos WASM (`axlsign` e `wasm`) são carregados sob demanda na primeira chamada (importar apenas `x25519`/`ed25519` não inicializa WASM).
 
 ---
 
@@ -149,7 +207,10 @@ Este pacote foca em Node moderno com primitivas do OpenSSL:
 - API menor e explícita
 - tipagem forte com zero dependências de runtime
 
-Além disso, o namespace `axlsign` via WASM permite migração progressiva de código legado sem reintroduzir aritmética de curva em JavaScript puro.
+Além disso:
+
+- o namespace `axlsign` via WASM permite migração progressiva de código legado;
+- o namespace `wasm` via WASM oferece uma alternativa moderna sem dependência de `node:crypto` no caminho criptográfico.
 
 ---
 
@@ -214,7 +275,7 @@ Notas de implementação:
 
 - Evita cópias desnecessárias de bytes nos caminhos críticos.
 - `signMessage` monta `assinatura || mensagem` com um único `Uint8Array` prealocado.
-- Para throughput máximo em loops longos, cache de `KeyObject` no nível da aplicação reduz overhead de parse ASN.1.
+- Para throughput máximo em loops longos, use os helpers de `KeyObject` (`create*KeyObject`, `*FromKeyObjects`) para reduzir overhead de parse ASN.1.
 
 ---
 
@@ -295,7 +356,7 @@ Notas:
 
 ---
 
-## Build do namespace `axlsign`
+## Build dos namespaces WASM (`axlsign` e `wasm`)
 
 No pacote publicado no npm, os artefatos WASM já vêm prontos em `dist/`.
 
@@ -307,8 +368,25 @@ Para buildar a partir do código-fonte, você precisa:
 Com isso, `npm run build` executa:
 
 1. `wasm-pack build` (`wasm/axlsign`)
-2. `tsc` ESM + CJS
-3. cópia dos artefatos WASM para `dist/internal/axlsign-wasm`
+2. `wasm-pack build` (`wasm/curve25519-wasm`)
+3. `tsc` ESM + CJS
+4. cópia dos artefatos WASM para `dist/internal/axlsign-wasm` e `dist/internal/curve25519-wasm`
+
+Referência dos crates Rust: [wasm/README.md](./wasm/README.md)
+
+---
+
+## Contribuição
+
+- Guia: [CONTRIBUTING.md](./CONTRIBUTING.md)
+- Código de conduta: [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md)
+- Segurança: [SECURITY.md](./SECURITY.md)
+
+Validação local completa:
+
+```bash
+npm run ci
+```
 
 ---
 
@@ -316,6 +394,12 @@ Com isso, `npm run build` executa:
 
 MIT
 
+Documentos complementares:
+
+- [NOTICE.md](./NOTICE.md) (aviso oficial de terceiros)
+- [THIRD_PARTY_NOTICE.md](./THIRD_PARTY_NOTICE.md) e [THIRD_PARTY_NOTICES.md](./THIRD_PARTY_NOTICES.md) (aliases de compatibilidade)
+- [SECURITY.md](./SECURITY.md) (política de segurança e reporte de vulnerabilidades)
+
 ---
 
 ## Créditos
@@ -325,6 +409,12 @@ MIT
 - Trevor Perrin, ideia de assinaturas Curve25519: <https://moderncrypto.org/mail-archive/curves/2014/000205.html>
 - [Documentação Node.js `crypto`](https://nodejs.org/api/crypto.html)
 - [OpenSSL](https://www.openssl.org/)
+- [RustCrypto](https://github.com/RustCrypto)
+- [wasm-bindgen](https://github.com/wasm-bindgen/wasm-bindgen)
+- [curve25519-dalek](https://github.com/dalek-cryptography/curve25519-dalek)
+- [ed25519-dalek](https://github.com/dalek-cryptography/ed25519-dalek)
+- [x25519-dalek](https://github.com/dalek-cryptography/x25519-dalek)
+- [zeroize](https://github.com/RustCrypto/utils/tree/master/zeroize)
 - [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
 - [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032)
 - [RFC 8410](https://www.rfc-editor.org/rfc/rfc8410)

package/SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| 2.x     | Yes       |
+| < 2.0.0 | No        |
+
+## Reporting a Vulnerability
+
+Please use GitHub private vulnerability reporting whenever possible:
+
+1. Go to the repository `Security` tab.
+2. Click `Report a vulnerability`.
+3. Submit impact details and a minimal proof-of-concept.
+
+If private reporting is not available, open a public issue without sensitive details and request private contact.
+
+## Scope
+
+- Cryptographic flaws, incorrect input validation, and integrity/confidentiality issues are high priority.
+- Include package version, runtime environment, and reproducible steps.

package/THIRD_PARTY_NOTICE.md

@@ -0,0 +1,3 @@
+# Third-Party Notice
+
+Canonical notice file: [NOTICE.md](./NOTICE.md)

package/THIRD_PARTY_NOTICES.md

@@ -0,0 +1,5 @@
+# Third-Party Notices
+
+This file is kept for compatibility.
+
+Canonical notice file: [NOTICE.md](./NOTICE.md)

package/dist/axlsign.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"axlsign.d.ts","sourceRoot":"","sources":["../src/axlsign.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAiB9D;;GAEG;AACH,wBAAgB,SAAS,CAAC,WAAW,EAAE,OAAO,GAAG,OAAO,CAIvD;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,GAAG,OAAO,CAK7E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,OAAO,GAAG,SAAS,CAQ1D;AAED;;;GAGG;AACH,wBAAgB,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,UAAU,CAAC,EAAE,UAAU,GAAG,OAAO,CAU5F;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,GAAG,OAAO,CAK3F;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,UAAU,CAAC,EAAE,UAAU,GAAG,UAAU,CAUtG;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,GAAG,IAAI,CAe1F"}
+{"version":3,"file":"axlsign.d.ts","sourceRoot":"","sources":["../src/axlsign.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAqD9D;;GAEG;AACH,wBAAgB,SAAS,CAAC,WAAW,EAAE,OAAO,GAAG,OAAO,CAIvD;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,GAAG,OAAO,CAK7E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,OAAO,GAAG,SAAS,CAQ1D;AAED;;;GAGG;AACH,wBAAgB,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,UAAU,CAAC,EAAE,UAAU,GAAG,OAAO,CAU5F;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,GAAG,OAAO,CAK3F;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,WAAW,EAAE,OAAO,EACpB,GAAG,EAAE,UAAU,EACf,UAAU,CAAC,EAAE,UAAU,GACtB,UAAU,CAUZ;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,GAAG,IAAI,CAe1F"}

package/dist/axlsign.js

@@ -1,5 +1,27 @@
-import { asBytes32, asBytes64, assertBytes32, assertBytes64, assertUint8Array } from "./internal/assert.js";
-import * as wasmAxl from "./internal/axlsign-wasm/axlsign_wasm.js";
+import { dirname, join } from "node:path";
+import { createRequire } from "node:module";
+import { asBytes32, asBytes64, assertBytes32, assertBytes64, assertUint8Array, } from "./internal/assert.js";
+const SELF_PACKAGE_NAME = "@unknownncat/curve25519-node";
+const requireBase = typeof __filename === "string"
+    ? __filename
+    : typeof process.argv[1] === "string"
+        ? process.argv[1]
+        : join(process.cwd(), "index.js");
+const nodeRequire = createRequire(requireBase);
+let wasmModulePath;
+let wasmAxl;
+function getWasmAxl() {
+    if (wasmAxl !== undefined) {
+        return wasmAxl;
+    }
+    if (wasmModulePath === undefined) {
+        const packageJsonPath = nodeRequire.resolve(`${SELF_PACKAGE_NAME}/package.json`);
+        wasmModulePath = join(dirname(packageJsonPath), "dist", "internal", "axlsign-wasm", "axlsign_wasm.js");
+    }
+    // Lazy-load WASM bindings to keep modern-only imports lightweight.
+    wasmAxl = nodeRequire(wasmModulePath);
+    return wasmAxl;
+}
 function clampScalar(seed32) {
     const out = new Uint8Array(32);
     out.set(seed32);
@@ -18,7 +40,7 @@ function assertOptionalRandom64(value, fnName) {
  */
 export function publicKey(secretKey32) {
     assertBytes32(secretKey32, "secretKey32");
-    const out = wasmAxl.axlsignPublicKey(secretKey32);
+    const out = getWasmAxl().axlsignPublicKey(secretKey32);
     return asBytes32(out, "axlsign public key");
 }
 /**
@@ -27,7 +49,7 @@ export function publicKey(secretKey32) {
 export function sharedKey(secretKey32, publicKey32) {
     assertBytes32(secretKey32, "secretKey32");
     assertBytes32(publicKey32, "publicKey32");
-    const out = wasmAxl.axlsignSharedKey(secretKey32, publicKey32);
+    const out = getWasmAxl().axlsignSharedKey(secretKey32, publicKey32);
     return asBytes32(out, "axlsign shared key");
 }
 /**
@@ -51,8 +73,8 @@ export function sign(secretKey32, msg, opt_random) {
     assertUint8Array(msg, "msg");
     assertOptionalRandom64(opt_random, "sign");
     const signature = opt_random === undefined
-        ? wasmAxl.axlsignSign(secretKey32, msg)
-        : wasmAxl.axlsignSignRnd(secretKey32, msg, opt_random);
+        ? getWasmAxl().axlsignSign(secretKey32, msg)
+        : getWasmAxl().axlsignSignRnd(secretKey32, msg, opt_random);
     return asBytes64(signature, "axlsign signature");
 }
 /**
@@ -62,7 +84,7 @@ export function verify(publicKey32, msg, signature64) {
     assertBytes32(publicKey32, "publicKey32");
     assertUint8Array(msg, "msg");
     assertBytes64(signature64, "signature64");
-    return wasmAxl.axlsignVerify(publicKey32, msg, signature64);
+    return getWasmAxl().axlsignVerify(publicKey32, msg, signature64);
 }
 /**
  * Returns signature || message (axlsign mode).