npm - cubyz-node-client - Versions diffs - 1.2.0 → 1.3.0 - Mend

cubyz-node-client 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/LICENSE +21 -0
package/dist/authentication.d.ts +20 -0
package/dist/authentication.js +150 -0
package/dist/authentication.js.map +1 -0
package/dist/binary.js +1 -1
package/dist/binary.js.map +1 -1
package/dist/connection.d.ts +7 -4
package/dist/connection.js +221 -31
package/dist/connection.js.map +1 -1
package/dist/connectionTypes.d.ts +17 -1
package/dist/connectionTypes.js +2 -0
package/dist/connectionTypes.js.map +1 -1
package/dist/constants.d.ts +7 -5
package/dist/constants.js +6 -4
package/dist/constants.js.map +1 -1
package/dist/entityParser.d.ts +10 -2
package/dist/entityParser.js +2 -2
package/dist/entityParser.js.map +1 -1
package/dist/handshakeUtils.d.ts +2 -1
package/dist/handshakeUtils.js +10 -2
package/dist/handshakeUtils.js.map +1 -1
package/dist/index.d.ts +1 -6
package/dist/index.js +0 -4
package/dist/index.js.map +1 -1
package/dist/receiveChannel.d.ts +2 -0
package/dist/receiveChannel.js +20 -0
package/dist/receiveChannel.js.map +1 -1
package/dist/secureChannel.d.ts +91 -0
package/dist/secureChannel.js +722 -0
package/dist/secureChannel.js.map +1 -0
package/dist/sendChannel.d.ts +1 -0
package/dist/sendChannel.js +4 -1
package/dist/sendChannel.js.map +1 -1
package/dist/wordlist.d.ts +1 -0
package/dist/wordlist.js +2051 -0
package/dist/wordlist.js.map +1 -0
package/package.json +4 -1

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2025 AMerkuri
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/authentication.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import { Buffer } from "node:buffer";
+export interface KeySet {
+    ed25519PrivKey: Buffer;
+    ed25519PubKey: Buffer;
+    p256PrivKey: Buffer;
+    p256PubKey: Buffer;
+    mlDsa44PrivKey: Uint8Array;
+    mlDsa44PubKey: Buffer;
+}
+export declare function derToCompact(derSig: Buffer): Buffer;
+export declare function signEd25519(seed: Buffer, message: Buffer): Buffer;
+export declare function signP256(seed: Buffer, message: Buffer): Buffer;
+export declare function signMlDsa44(secretKey: Uint8Array, message: Buffer): Promise<Buffer>;
+export declare function deriveKeys(accountCodeText: string): Promise<KeySet>;
+export interface Identity {
+    accountCode: string;
+    keys: KeySet;
+}
+export declare function loadOrCreateIdentity(filePath: string): Promise<Identity>;
+export declare function buildPublicKeysZon(keys: KeySet): string;

package/dist/authentication.js ADDED Viewed

@@ -0,0 +1,150 @@
+import { Buffer } from "node:buffer";
+import { createHash, createPrivateKey, createPublicKey, randomBytes, sign, } from "node:crypto";
+import { readFile, writeFile } from "node:fs/promises";
+import { WORDLIST } from "./wordlist.js";
+// Key salts from authentication.zig lines 59-63
+const KEY_SALTS = [
+    "n59zw0qz53q05b73q9a50vmso",
+    "4t7z3592a09p85z4piotfh7z",
+    "u89564epogz1qi9up5zc94309",
+];
+// PKCS8 DER prefix for Ed25519 private key (32-byte seed appended after)
+const ED25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");
+// PKCS8 DER prefix for P-256 private key (32-byte seed appended at offset 36)
+const P256_PKCS8_PREFIX = Buffer.from("3041020100301306072a8648ce3d020106082a8648ce3d030107042730250201010420", "hex");
+function deriveKeyMaterial(accountCodeText, saltIndex) {
+    const salt = KEY_SALTS[saltIndex];
+    let hashedResult = Buffer.alloc(64);
+    for (let j = 0; j < 2048; j++) {
+        const input = j === 0 ? Buffer.from(accountCodeText + salt, "utf8") : hashedResult;
+        hashedResult = createHash("sha512").update(input).digest();
+    }
+    return hashedResult.slice(0, 32);
+}
+function deriveEd25519(seed) {
+    const der = Buffer.concat([ED25519_PKCS8_PREFIX, seed]);
+    const privKey = createPrivateKey({ key: der, format: "der", type: "pkcs8" });
+    const pubDer = createPublicKey(privKey)
+        .export({ format: "der", type: "spki" })
+        .slice(-32);
+    return { privKey: seed, pubKey: Buffer.from(pubDer) };
+}
+function deriveP256(seed) {
+    const der = Buffer.concat([P256_PKCS8_PREFIX, seed]);
+    const privKey = createPrivateKey({ key: der, format: "der", type: "pkcs8" });
+    const pubDer = createPublicKey(privKey)
+        .export({ format: "der", type: "spki" })
+        .slice(-65);
+    return { privKey: seed, pubKey: Buffer.from(pubDer) };
+}
+export function derToCompact(derSig) {
+    // Parse DER SEQUENCE { INTEGER r, INTEGER s }
+    // Structure: 30 <total-len> 02 <r-len> <r-bytes> 02 <s-len> <s-bytes>
+    let offset = 0;
+    if (derSig[offset++] !== 0x30) {
+        throw new Error("Expected SEQUENCE tag 0x30");
+    }
+    // Skip length (may be 1 or 2 bytes)
+    if (derSig[offset] & 0x80) {
+        offset += (derSig[offset] & 0x7f) + 1;
+    }
+    else {
+        offset += 1;
+    }
+    if (derSig[offset++] !== 0x02) {
+        throw new Error("Expected INTEGER tag 0x02 for r");
+    }
+    const rLen = derSig[offset++];
+    const rBytes = derSig.slice(offset, offset + rLen);
+    offset += rLen;
+    if (derSig[offset++] !== 0x02) {
+        throw new Error("Expected INTEGER tag 0x02 for s");
+    }
+    const sLen = derSig[offset++];
+    const sBytes = derSig.slice(offset, offset + sLen);
+    // Strip leading zero padding and left-pad to 32 bytes
+    const rStripped = rBytes[0] === 0 ? rBytes.slice(1) : rBytes;
+    const sStripped = sBytes[0] === 0 ? sBytes.slice(1) : sBytes;
+    const compact = Buffer.alloc(64, 0);
+    rStripped.copy(compact, 32 - rStripped.length);
+    sStripped.copy(compact, 64 - sStripped.length);
+    return compact;
+}
+export function signEd25519(seed, message) {
+    const der = Buffer.concat([ED25519_PKCS8_PREFIX, seed]);
+    const privKey = createPrivateKey({ key: der, format: "der", type: "pkcs8" });
+    return sign(null, message, privKey);
+}
+export function signP256(seed, message) {
+    const der = Buffer.concat([P256_PKCS8_PREFIX, seed]);
+    const privKey = createPrivateKey({ key: der, format: "der", type: "pkcs8" });
+    const derSig = sign("sha256", message, privKey);
+    return derToCompact(derSig);
+}
+export async function signMlDsa44(secretKey, message) {
+    // Lazy import to avoid top-level dependency issue
+    const { ml_dsa44 } = await import("@noble/post-quantum/ml-dsa");
+    const sig = ml_dsa44.sign(secretKey, message);
+    return Buffer.from(sig);
+}
+export async function deriveKeys(accountCodeText) {
+    const { ml_dsa44 } = await import("@noble/post-quantum/ml-dsa");
+    const ed25519Seed = deriveKeyMaterial(accountCodeText, 0);
+    const p256Seed = deriveKeyMaterial(accountCodeText, 1);
+    const mldsaSeed = deriveKeyMaterial(accountCodeText, 2);
+    const ed25519 = deriveEd25519(ed25519Seed);
+    const p256 = deriveP256(p256Seed);
+    // ML-DSA-44: generateDeterministic from 32-byte seed
+    const mldsaKeyPair = ml_dsa44.keygen(mldsaSeed);
+    return {
+        ed25519PrivKey: ed25519.privKey,
+        ed25519PubKey: ed25519.pubKey,
+        p256PrivKey: p256.privKey,
+        p256PubKey: p256.pubKey,
+        mlDsa44PrivKey: mldsaKeyPair.secretKey,
+        mlDsa44PubKey: Buffer.from(mldsaKeyPair.publicKey),
+    };
+}
+function generateAccountCode() {
+    // Generate 20 random bytes + checksum byte = 21 bytes
+    const bits = Buffer.alloc(21, 0);
+    randomBytes(20).copy(bits, 0);
+    const sha256 = createHash("sha256").update(bits.slice(0, 20)).digest();
+    bits[20] = sha256[0];
+    const words = [];
+    for (let i = 0; i < 15; i++) {
+        const bitIndex = i * 11;
+        const byteIndex = Math.floor(bitIndex / 8);
+        const b0 = bits[byteIndex];
+        const b1 = bits[byteIndex + 1];
+        const b2 = byteIndex + 2 < bits.length ? bits[byteIndex + 2] : 0;
+        const containingRegion = (b0 << 16) | (b1 << 8) | b2;
+        const shift = 24 - 11 - (bitIndex % 8);
+        const wordIndex = (containingRegion >> shift) & 0x7ff;
+        words.push(WORDLIST[wordIndex]);
+    }
+    return words.join(" ");
+}
+export async function loadOrCreateIdentity(filePath) {
+    let accountCode = null;
+    try {
+        const contents = await readFile(filePath, "utf8");
+        accountCode = contents.trim();
+    }
+    catch {
+        // File does not exist; generate a new identity
+    }
+    if (!accountCode) {
+        accountCode = generateAccountCode();
+        await writeFile(filePath, `${accountCode}\n`, "utf8");
+    }
+    const keys = await deriveKeys(accountCode);
+    return { accountCode, keys };
+}
+export function buildPublicKeysZon(keys) {
+    const ed25519B64 = keys.ed25519PubKey.toString("base64");
+    const p256B64 = keys.p256PubKey.toString("base64");
+    const mldsaB64 = keys.mlDsa44PubKey.toString("base64");
+    return `{.ed25519 = "${ed25519B64}", .ecdsaP256Sha256 = "${p256B64}", .mldsa44 = "${mldsaB64}"}`;
+}
+//# sourceMappingURL=authentication.js.map

package/dist/authentication.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authentication.js","sourceRoot":"","sources":["../src/authentication.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,IAAI,GACL,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC,gDAAgD;AAChD,MAAM,SAAS,GAAG;IAChB,2BAA2B;IAC3B,0BAA0B;IAC1B,2BAA2B;CACnB,CAAC;AAEX,yEAAyE;AACzE,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CACtC,kCAAkC,EAClC,KAAK,CACN,CAAC;AAEF,8EAA8E;AAC9E,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CACnC,wEAAwE,EACxE,KAAK,CACN,CAAC;AAWF,SAAS,iBAAiB,CAAC,eAAuB,EAAE,SAAiB;IACnE,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;IAClC,IAAI,YAAY,GAAW,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,MAAM,KAAK,GACT,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;QACvE,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;IAC7D,CAAC;IACD,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IAIjC,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7E,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC;SACpC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;SACvC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IACd,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAI9B,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7E,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC;SACpC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;SACvC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IACd,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAc;IACzC,8CAA8C;IAC9C,sEAAsE;IACtE,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,oCAAoC;IACpC,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,CAAC,CAAC;IACd,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC;IACnD,MAAM,IAAI,IAAI,CAAC;IACf,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC;IAEnD,sDAAsD;IACtD,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC7D,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7D,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACpC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAC/C,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAC/C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,OAAe;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7E,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,OAAe;IACpD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7E,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAChD,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAqB,EACrB,OAAe;IAEf,kDAAkD;IAClD,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;IAChE,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,eAAuB;IACtD,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;IAEhE,MAAM,WAAW,GAAG,iBAAiB,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IAC1D,MAAM,QAAQ,GAAG,iBAAiB,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IACvD,MAAM,SAAS,GAAG,iBAAiB,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IAExD,MAAM,OAAO,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAElC,qDAAqD;IACrD,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEhD,OAAO;QACL,cAAc,EAAE,OAAO,CAAC,OAAO;QAC/B,aAAa,EAAE,OAAO,CAAC,MAAM;QAC7B,WAAW,EAAE,IAAI,CAAC,OAAO;QACzB,UAAU,EAAE,IAAI,CAAC,MAAM;QACvB,cAAc,EAAE,YAAY,CAAC,SAAS;QACtC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC;KACnD,CAAC;AACJ,CAAC;AAOD,SAAS,mBAAmB;IAC1B,sDAAsD;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACjC,WAAW,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACvE,IAAI,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IAErB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAC3C,MAAM,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3B,MAAM,EAAE,GAAG,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;QAC/B,MAAM,EAAE,GAAG,SAAS,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjE,MAAM,gBAAgB,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,CAAC,gBAAgB,IAAI,KAAK,CAAC,GAAG,KAAK,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,QAAgB;IAEhB,IAAI,WAAW,GAAkB,IAAI,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAClD,WAAW,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,WAAW,GAAG,mBAAmB,EAAE,CAAC;QACpC,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,WAAW,IAAI,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,WAAW,CAAC,CAAC;IAC3C,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACvD,OAAO,gBAAgB,UAAU,0BAA0B,OAAO,kBAAkB,QAAQ,IAAI,CAAC;AACnG,CAAC"}

package/dist/binary.js CHANGED Viewed

@@ -10,7 +10,7 @@ export function encodeVarInt(value) {
         return Buffer.from([0]);
     }
     // Calculate number of bits needed
-    const bits = val === 0 ? 1 : Math.floor(Math.log2(val)) + 1;
+    const bits = Math.floor(Math.log2(val)) + 1;
     // Calculate number of 7-bit chunks needed
     const numBytes = Math.ceil(bits / 7);
     // Encode big-endian (most significant byte first)

package/dist/binary.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"binary.js","sourceRoot":"","sources":["../src/binary.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,MAAM,IAAI,UAAU,CAAC,sCAAsC,CAAC,CAAC;IAC/D,CAAC;IACD,oDAAoD;IACpD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,KAAK,KAAK,CAAC,CAAC;IAExB,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;QACd,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,kCAAkC;IAClC,MAAM,IAAI,GAAG,~~GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,~~IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;~~IAC5D~~,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IAErC,kDAAkD;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,QAAQ,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QACrC,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC,GAAG,IAAI,CAAC;QAClC,oDAAoD;QACpD,IAAI,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;YACrB,IAAI,IAAI,IAAI,CAAC;QACf,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,MAAc,EACd,MAAM,GAAG,CAAC;IAEV,oDAAoD;IACpD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,OAAO,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;QACvC,KAAK,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QACrC,QAAQ,IAAI,CAAC,CAAC;QAEd,oCAAoC;QACpC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,KAAK,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC;QAC1C,CAAC;QAED,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,KAAa;IACnC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,IAAY,EAAE,KAAa;IAChD,OAAO,OAAO,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,CAAS,EAAE,CAAS;IAC9C,OAAO,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,MAAc,EACd,MAAc,EACd,KAAa;IAEb,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,MAAc;IACxD,OAAO,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,MAAc;IAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IACpC,MAAM,QAAQ,GAAG,GAAG,GAAG,KAAK,CAAC;IAE7B,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;QACnB,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;YACnB,OAAO,IAAI,GAAG,CAAC,CAAC;QAClB,CAAC;QACD,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,QAAQ,GAAG,KAAK,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;IACvD,CAAC;IAED,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,GAAG,KAAK,CAAC,CAAC;AAC9D,CAAC"}
1	+ {"version":3,"file":"binary.js","sourceRoot":"","sources":["../src/binary.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,MAAM,IAAI,UAAU,CAAC,sCAAsC,CAAC,CAAC;IAC/D,CAAC;IACD,oDAAoD;IACpD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,KAAK,KAAK,CAAC,CAAC;IAExB,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;QACd,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,kCAAkC;IAClC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IAC5C,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IAErC,kDAAkD;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,QAAQ,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QACrC,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC,GAAG,IAAI,CAAC;QAClC,oDAAoD;QACpD,IAAI,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;YACrB,IAAI,IAAI,IAAI,CAAC;QACf,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,MAAc,EACd,MAAM,GAAG,CAAC;IAEV,oDAAoD;IACpD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,OAAO,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;QACvC,KAAK,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QACrC,QAAQ,IAAI,CAAC,CAAC;QAEd,oCAAoC;QACpC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,KAAK,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC;QAC1C,CAAC;QAED,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,KAAa;IACnC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,IAAY,EAAE,KAAa;IAChD,OAAO,OAAO,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,CAAS,EAAE,CAAS;IAC9C,OAAO,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,MAAc,EACd,MAAc,EACd,KAAa;IAEb,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,MAAc;IACxD,OAAO,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,MAAc;IAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IACpC,MAAM,QAAQ,GAAG,GAAG,GAAG,KAAK,CAAC;IAE7B,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;QACnB,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;YACnB,OAAO,IAAI,GAAG,CAAC,CAAC;QAClB,CAAC;QACD,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,QAAQ,GAAG,KAAK,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;IACvD,CAAC;IAED,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,GAAG,KAAK,CAAC,CAAC;AAC9D,CAAC"}

package/dist/connection.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { EventEmitter } from "node:events";
 import { type CloseOptions, type CubyzConnectionEvents, type CubyzConnectionOptions, type EntitySnapshot, type ItemSnapshot, type PlayerData } from "./connectionTypes.js";
-export type { BiomeUpdate, BlockUpdate, CloseOptions, CubyzConnectionLogger, CubyzConnectionOptions, DisconnectEvent, EntityPositionPacket, EntitySnapshot, Gamemode, GamemodeUpdate, GenericUpdate, ItemSnapshot, LogLevel, PlayerData, PlayerState, PlayersEvent, ProtocolEvent, TeleportUpdate, TimeUpdate, Vector3, WorldEditPosUpdate, } from "./connectionTypes.js";
+export type { BiomeUpdate, BlockUpdate, ClearUpdate, CloseOptions, CubyzConnectionLogger, CubyzConnectionOptions, DisconnectEvent, EntityPositionPacket, EntitySnapshot, Gamemode, GamemodeUpdate, GenericUpdate, ItemSnapshot, LogLevel, ParticlesUpdate, PlayerData, PlayerState, PlayersEvent, ProtocolEvent, TeleportUpdate, TimeUpdate, Vector3, WorldEditPosUpdate, } from "./connectionTypes.js";
 export { GAMEMODE } from "./connectionTypes.js";
 export declare class CubyzConnection extends EventEmitter {
     readonly host: string;
@@ -30,9 +30,11 @@ export declare class CubyzConnection extends EventEmitter {
     private disconnectSent;
     private disconnectEmitted;
     private initSent;
-    private handshakeQueued;
     private awaitingServerSince;
-    constructor({ host, port, name, version, logger, logLevel, }: CubyzConnectionOptions);
+    private readonly identityFile;
+    private identity;
+    private secureChannel;
+    constructor({ host, port, name, version, logger, logLevel, identityFile, }: CubyzConnectionOptions);
     private log;
     private emitDisconnect;
     on<K extends keyof CubyzConnectionEvents>(event: K, listener: (...args: CubyzConnectionEvents[K]) => void): this;
@@ -49,13 +51,14 @@ export declare class CubyzConnection extends EventEmitter {
     private sendInit;
     private sendInitAck;
     private ensureReceiveChannels;
+    private setupSecureChannel;
     private handlePacket;
     private handleInitPacket;
-    private queueHandshake;
     private handleSequencedPacket;
     private handleConfirmation;
     private handleProtocol;
     private handleHandshake;
+    private handleSignatureRequest;
     private handleEntityUpdate;
     private handleEntityPosition;
     private handleBlockUpdate;

package/dist/connection.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { Buffer } from "node:buffer";
 import { randomInt } from "node:crypto";
 import dgram from "node:dgram";
 import { EventEmitter } from "node:events";
+import { loadOrCreateIdentity, signEd25519, signMlDsa44, signP256, } from "./authentication.js";
 import { decodeVarInt, readInt32BE, writeInt32BE } from "./binary.js";
 import { prepareChatMessage } from "./chatFormat.js";
 import { DEG_TO_RAD, GENERIC_UPDATE_TYPE, LOG_LEVEL_ORDER, WORLD_EDIT_POSITION, } from "./connectionTypes.js";
@@ -9,6 +10,7 @@ import { AWAITING_SERVER_TIMEOUT_MS, CHANNEL, CONFIRMATION_BATCH_SIZE, DEFAULT_V
 import { parseEntityPositionPacket } from "./entityParser.js";
 import { buildHandshakePayload, parseHandshake, randomSequence, } from "./handshakeUtils.js";
 import { parseChannelPacket, ReceiveChannel } from "./receiveChannel.js";
+import { SecureChannelHandler } from "./secureChannel.js";
 import { SendChannel } from "./sendChannel.js";
 import { parseZon } from "./zon.js";
 export { GAMEMODE } from "./connectionTypes.js";
@@ -44,9 +46,11 @@ export class CubyzConnection extends EventEmitter {
     disconnectSent = false;
     disconnectEmitted = false;
     initSent = false;
-    handshakeQueued = false;
     awaitingServerSince = null;
-    constructor({ host, port, name, version = DEFAULT_VERSION, logger = console, logLevel = "error", }) {
+    identityFile;
+    identity = null;
+    secureChannel = null;
+    constructor({ host, port, name, version = DEFAULT_VERSION, logger = console, logLevel = "error", identityFile = "./cubyz-identity.txt", }) {
         super();
         this.host = host;
         this.port = port;
@@ -54,11 +58,12 @@ export class CubyzConnection extends EventEmitter {
         this.version = version;
         this.baseLogger = logger ?? console;
         this.logLevel = (logLevel in LOG_LEVEL_ORDER ? logLevel : "error");
+        this.identityFile = identityFile;
         this.socket = dgram.createSocket("udp4");
         this.connectionId = BigInt.asIntN(64, (BigInt(Date.now()) << 20n) | BigInt(randomInt(0, 0xfffff)));
         this.sendChannels = {
             [CHANNEL.LOSSY]: new SendChannel(CHANNEL.LOSSY, randomSequence()),
-            [CHANNEL.FAST]: new SendChannel(CHANNEL.FAST, randomSequence()),
+            [CHANNEL.SECURE]: new SendChannel(CHANNEL.SECURE, randomSequence()),
             [CHANNEL.SLOW]: new SendChannel(CHANNEL.SLOW, randomSequence()),
         };
         this.socket.on("message", (msg) => {
@@ -114,6 +119,8 @@ export class CubyzConnection extends EventEmitter {
         return super.emit(event, ...args);
     }
     async start() {
+        this.identity = await loadOrCreateIdentity(this.identityFile);
+        this.log("info", `Loaded identity from ${this.identityFile}`);
         await new Promise((resolve, reject) => {
             const onError = (err) => {
                 this.socket.off("listening", onListening);
@@ -193,6 +200,10 @@ export class CubyzConnection extends EventEmitter {
     }
     flushSendQueues(now) {
         for (const channel of Object.values(this.sendChannels)) {
+            // The SECURE channel is driven by SecureChannelHandler; skip normal queuing.
+            if (channel.channelId === CHANNEL.SECURE) {
+                continue;
+            }
             if (!channel.hasWork()) {
                 continue;
             }
@@ -242,28 +253,69 @@ export class CubyzConnection extends EventEmitter {
         payload[0] = CHANNEL.INIT;
         payload.writeBigInt64BE(this.connectionId, 1);
         writeInt32BE(payload, 9, this.sendChannels[CHANNEL.LOSSY].initialSequence);
-        writeInt32BE(payload, 13, this.sendChannels[CHANNEL.FAST].initialSequence);
+        writeInt32BE(payload, 13, this.sendChannels[CHANNEL.SECURE].initialSequence);
         writeInt32BE(payload, 17, this.sendChannels[CHANNEL.SLOW].initialSequence);
         this.socket.send(payload, this.port, this.host);
         this.initSent = true;
     }
-    sendInitAck() {
+    sendInitAck(onSent) {
         const buffer = Buffer.alloc(1 + 8);
         buffer[0] = CHANNEL.INIT;
         buffer.writeBigInt64BE(this.connectionId, 1);
-        this.socket.send(buffer, this.port, this.host);
+        this.socket.send(buffer, this.port, this.host, (err) => {
+            if (err) {
+                this.log("error", "Failed to send init ack:", err);
+            }
+            onSent?.();
+        });
     }
-    ensureReceiveChannels(lossyStart, fastStart, slowStart) {
+    ensureReceiveChannels(lossyStart, secureStart, slowStart) {
         if (!this.receiveChannels.has(CHANNEL.LOSSY)) {
             this.receiveChannels.set(CHANNEL.LOSSY, new ReceiveChannel(CHANNEL.LOSSY, lossyStart));
         }
-        if (!this.receiveChannels.has(CHANNEL.FAST)) {
-            this.receiveChannels.set(CHANNEL.FAST, new ReceiveChannel(CHANNEL.FAST, fastStart));
+        if (!this.receiveChannels.has(CHANNEL.SECURE)) {
+            const secureRecv = new ReceiveChannel(CHANNEL.SECURE, secureStart);
+            // Route raw bytes from the SECURE channel into the TLS handler.
+            secureRecv.rawBytesCallback = (data) => {
+                this.secureChannel?.feedRawBytes(data);
+            };
+            this.receiveChannels.set(CHANNEL.SECURE, secureRecv);
         }
         if (!this.receiveChannels.has(CHANNEL.SLOW)) {
             this.receiveChannels.set(CHANNEL.SLOW, new ReceiveChannel(CHANNEL.SLOW, slowStart));
         }
     }
+    setupSecureChannel() {
+        if (this.secureChannel !== null) {
+            return;
+        }
+        const handler = new SecureChannelHandler({
+            socket: this.socket,
+            host: this.host,
+            port: this.port,
+            channelId: CHANNEL.SECURE,
+            mtu: 548,
+            initialSendSeq: this.sendChannels[CHANNEL.SECURE].initialSequence,
+        });
+        handler.onError = (err) => {
+            this.log("error", "Secure channel error:", err);
+        };
+        handler.onSecureConnect = (_verificationData) => {
+            this.log("debug", "TLS handshake complete, sending userData");
+            if (!this.identity) {
+                this.log("error", "No identity loaded before TLS handshake completed");
+                return;
+            }
+            const payload = buildHandshakePayload(this.name, this.version, this.identity);
+            handler.sendMessage(PROTOCOL.HANDSHAKE, payload);
+        };
+        handler.onMessage = (msg) => {
+            this.handleProtocol(CHANNEL.SECURE, msg.protocolId, msg.payload).catch((err) => {
+                this.log("error", `Secure protocol ${msg.protocolId} failed:`, err);
+            });
+        };
+        this.secureChannel = handler;
+    }
     handlePacket(buffer) {
         if (!buffer || buffer.length === 0) {
             return;
@@ -302,27 +354,24 @@ export class CubyzConnection extends EventEmitter {
         const remoteId = buffer.readBigInt64BE(1);
         this.remoteConnectionId = remoteId;
         const lossyStart = readInt32BE(buffer, 9);
-        const fastStart = readInt32BE(buffer, 13);
+        const secureStart = readInt32BE(buffer, 13);
         const slowStart = readInt32BE(buffer, 17);
-        this.ensureReceiveChannels(lossyStart, fastStart, slowStart);
+        this.ensureReceiveChannels(lossyStart, secureStart, slowStart);
         if (this.state !== "connected") {
             this.state = "connected";
             this.lastInbound = Date.now();
             this.awaitingServerSince = null;
             this.log("info", "Channel handshake completed with server");
-            this.sendInitAck();
-            this.queueHandshake();
+            this.setupSecureChannel();
+            // Send the init-ACK and only start the TLS handshake once the packet
+            // has been handed to the OS, guaranteeing the server transitions to
+            // .connected before it receives the TLS ClientHello.
+            this.sendInitAck(() => {
+                this.secureChannel?.startHandshake();
+            });
             this.emit("connected");
         }
     }
-    queueHandshake() {
-        if (this.handshakeQueued) {
-            return;
-        }
-        const payload = buildHandshakePayload(this.name, this.version);
-        this.sendChannels[CHANNEL.FAST].queue(PROTOCOL.HANDSHAKE, payload);
-        this.handshakeQueued = true;
-    }
     async handleSequencedPacket(buffer) {
         const parsed = parseChannelPacket(buffer);
         const channel = this.receiveChannels.get(parsed.channelId);
@@ -389,6 +438,10 @@ export class CubyzConnection extends EventEmitter {
     async handleHandshake(payload) {
         const { state, data } = parseHandshake(payload);
         switch (state) {
+            case HANDSHAKE_STATE.SIGNATURE_REQUEST: {
+                await this.handleSignatureRequest(data);
+                break;
+            }
             case HANDSHAKE_STATE.ASSETS: {
                 // Assets are compressed with zlib's raw DEFLATE
                 // Skipping asset storage for brevity
@@ -489,6 +542,63 @@ export class CubyzConnection extends EventEmitter {
                 this.log("debug", `Unhandled handshake state ${state}`);
         }
     }
+    async handleSignatureRequest(data) {
+        if (!this.identity) {
+            this.log("error", "No identity available for signature request");
+            return;
+        }
+        if (!this.secureChannel) {
+            this.log("error", "No secure channel for signature request");
+            return;
+        }
+        const verificationData = this.secureChannel.verificationDataBuffer ?? Buffer.alloc(0);
+        // Parse signatureRequest:
+        // [varint: len of algo1 name][algo1 name bytes][varint: len of algo2 name (0 if none)][algo2 name bytes if present]
+        let offset = 0;
+        const algo1LenResult = decodeVarInt(data, offset);
+        offset += algo1LenResult.consumed;
+        const algo1Name = data
+            .slice(offset, offset + algo1LenResult.value)
+            .toString("utf8");
+        offset += algo1LenResult.value;
+        let algo2Name = "";
+        if (offset < data.length) {
+            const algo2LenResult = decodeVarInt(data, offset);
+            offset += algo2LenResult.consumed;
+            if (algo2LenResult.value > 0) {
+                algo2Name = data
+                    .slice(offset, offset + algo2LenResult.value)
+                    .toString("utf8");
+            }
+        }
+        this.log("debug", "Signature request: algo1=", algo1Name, "algo2=", algo2Name);
+        const signatureBuffers = [];
+        const identity = this.identity;
+        const signOne = async (algoName) => {
+            switch (algoName) {
+                case "ed25519":
+                    signatureBuffers.push(signEd25519(identity.keys.ed25519PrivKey, verificationData));
+                    break;
+                case "ecdsaP256Sha256":
+                    signatureBuffers.push(signP256(identity.keys.p256PrivKey, verificationData));
+                    break;
+                case "mldsa44":
+                    signatureBuffers.push(await signMlDsa44(identity.keys.mlDsa44PrivKey, verificationData));
+                    break;
+                default:
+                    this.log("warn", "Unknown signature algorithm requested:", algoName);
+            }
+        };
+        await signOne(algo1Name);
+        if (algo2Name) {
+            await signOne(algo2Name);
+        }
+        // signatureResponse format: [state byte = 3][sig1_bytes][optional sig2_bytes]
+        const statePrefix = Buffer.from([HANDSHAKE_STATE.SIGNATURE_RESPONSE]);
+        const responsePayload = Buffer.concat([statePrefix, ...signatureBuffers]);
+        this.secureChannel.sendMessage(PROTOCOL.HANDSHAKE, responsePayload);
+        this.log("debug", "Sent signature response");
+    }
     handleEntityUpdate(payload) {
         const text = payload.toString("utf8");
         let parsed;
@@ -505,8 +615,11 @@ export class CubyzConnection extends EventEmitter {
             return;
         }
         let changed = false;
-        for (const entry of parsed) {
+        let nullIndex = -1;
+        for (let i = 0; i < parsed.length; i++) {
+            const entry = parsed[i];
             if (entry === null) {
+                nullIndex = i;
                 break;
             }
             if (typeof entry === "number") {
@@ -549,24 +662,33 @@ export class CubyzConnection extends EventEmitter {
             }
             this.emitPlayers();
         }
+        // Process item drops after the null sentinel.
+        // Number entries are removals (by u16 index); object entries are additions
+        // or updates whose positions will arrive via the entityPositions protocol.
+        if (nullIndex >= 0) {
+            for (let i = nullIndex + 1; i < parsed.length; i++) {
+                const entry = parsed[i];
+                if (typeof entry === "number") {
+                    this.itemStates.delete(entry);
+                }
+                // Object entries (add/update) don't carry position data here;
+                // their positions are delivered via protocol 6 (ENTITY_POSITION).
+            }
+        }
     }
     handleEntityPosition(payload) {
         const result = parseEntityPositionPacket(payload, this.log.bind(this));
         if (!result) {
             return;
         }
-        // Update internal state with parsed entities
         this.entityStates.clear();
-        const entityStatesMap = result._entityStates;
-        for (const [id, state] of entityStatesMap) {
+        for (const [id, state] of result.entityStates) {
             this.entityStates.set(id, state);
         }
         this.itemStates.clear();
-        const itemStatesMap = result._itemStates;
-        for (const [index, state] of itemStatesMap) {
+        for (const [index, state] of result.itemStates) {
             this.itemStates.set(index, state);
         }
-        // Emit the packet without internal state maps
         const packet = {
             timestamp: result.timestamp,
             basePosition: result.basePosition,
@@ -587,9 +709,13 @@ export class CubyzConnection extends EventEmitter {
             offset += 4;
             const block = payload.readUInt32BE(offset);
             offset += 4;
-            // Read block entity data length (usize - platform dependent, use varint)
-            const { value: blockEntityDataLen, consumed } = decodeVarInt(payload, offset);
-            offset += consumed;
+            // blockEntityData length is written as usize (8 bytes, big-endian) by the Zig server.
+            if (offset + 8 > payload.length) {
+                this.log("warn", "Block update payload truncated (no room for length)");
+                break;
+            }
+            const blockEntityDataLen = Number(payload.readBigUInt64BE(offset));
+            offset += 8;
             if (offset + blockEntityDataLen > payload.length) {
                 this.log("warn", "Block update payload truncated");
                 break;
@@ -697,6 +823,70 @@ export class CubyzConnection extends EventEmitter {
                     });
                     break;
                 }
+                case GENERIC_UPDATE_TYPE.PARTICLES: {
+                    // [varint u16: particleIdLen][particleId][f64 x][f64 y][f64 z][u8 collides][varint u32: count][varint usize: spawnZonLen][spawnZon]
+                    const particleIdLenResult = decodeVarInt(payload, offset);
+                    offset += particleIdLenResult.consumed;
+                    const particleIdLen = particleIdLenResult.value;
+                    if (offset + particleIdLen > payload.length) {
+                        this.log("warn", "Particles update payload truncated (particleId)");
+                        return;
+                    }
+                    const particleId = payload
+                        .slice(offset, offset + particleIdLen)
+                        .toString("utf8");
+                    offset += particleIdLen;
+                    if (offset + 24 > payload.length) {
+                        this.log("warn", "Particles update payload truncated (position)");
+                        return;
+                    }
+                    const px = payload.readDoubleBE(offset);
+                    offset += 8;
+                    const py = payload.readDoubleBE(offset);
+                    offset += 8;
+                    const pz = payload.readDoubleBE(offset);
+                    offset += 8;
+                    if (offset + 1 > payload.length) {
+                        this.log("warn", "Particles update payload truncated (collides)");
+                        return;
+                    }
+                    const collides = payload.readUInt8(offset) !== 0;
+                    offset += 1;
+                    const countResult = decodeVarInt(payload, offset);
+                    offset += countResult.consumed;
+                    const count = countResult.value;
+                    const spawnZonLenResult = decodeVarInt(payload, offset);
+                    offset += spawnZonLenResult.consumed;
+                    const spawnZonLen = spawnZonLenResult.value;
+                    if (offset + spawnZonLen > payload.length) {
+                        this.log("warn", "Particles update payload truncated (spawnZon)");
+                        return;
+                    }
+                    const spawnZon = payload
+                        .slice(offset, offset + spawnZonLen)
+                        .toString("utf8");
+                    this.emit("genericUpdate", {
+                        type: "particles",
+                        particleId,
+                        position: { x: px, y: py, z: pz },
+                        collides,
+                        count,
+                        spawnZon,
+                    });
+                    break;
+                }
+                case GENERIC_UPDATE_TYPE.CLEAR: {
+                    // [u8 clearType: 0=chat]
+                    if (offset + 1 > payload.length) {
+                        this.log("warn", "Clear update payload too short");
+                        return;
+                    }
+                    const clearTypeByte = payload.readUInt8(offset);
+                    // Only clearType 0 (chat) is defined by the server.
+                    const clearType = clearTypeByte === 0 ? "chat" : "chat";
+                    this.emit("genericUpdate", { type: "clear", clearType });
+                    break;
+                }
                 default:
                     this.log("debug", `Unknown generic update type: ${updateType}`);
             }