leviathan-crypto 1.0.0 → 1.1.0

package/README.md

@@ -1,256 +1,142 @@
-[![MIT Licensed](https://img.shields.io/github/license/xero/text0wnz?logo=wikiversity&logoColor=979da4&labelColor=262a2e&color=b1a268)](https://github.com/xero/text0wnz/blob/main/LICENSE)
-[![Version](https://img.shields.io/github/package-json/version/xero/leviathan-crypto?labelColor=33383e&logo=npm&&logoColor=979da4&color=6e2aa5)](https://github.com/xero/leviathan-crypto/releases/latest)
-[![GitHub repo size](https://img.shields.io/github/repo-size/xero/leviathan-crypto?labelColor=262a2e&logo=googlecontaineroptimizedos&logoColor=979da4&color=6e2aa5)](https://github.com/xero/leviathan-crypto/)
-[![test suite](https://github.com/xero/leviathan-crypto/actions/workflows/test-suite.yml/badge.svg)](https://github.com/xero/leviathan-crypto/actions/workflows/test-suite.yml)
-[![wiki](https://github.com/xero/leviathan-crypto/actions/workflows/wiki.yml/badge.svg)](https://github.com/xero/leviathan-crypto/wiki)
-
-<img src="https://github.com/xero/leviathan-crypto/raw/main/docs/logo.svg" alt="Leviathan logo" width="400">
-
-# Leviathan-Crypto: Serpent-256 & XChaCha20-Poly1305 Cryptography for the Web
-
-Serpent-256, the most conservative AES finalist, employs 32 rounds and a
-maximum security margin, built to withstand future cryptanalytic advancements.
-Paired with the streamlined brilliance of ChaCha20-Poly1305, and complemented
-by SHA-2 and SHA-3. Two design philosophies, four cryptographic primitives,
-integrated into one coherent API.
-
-**WebAssembly (WASM) serves as the correctness layer.** It features spec-driven and
-vector-verified AssemblyScript implementations of Serpent-256, ChaCha20/Poly1305,
-SHA-2, and SHA-3. Each cryptographic primitive is compiled into its own isolated
-binary, executing outside the JavaScript JIT. This ensures no speculative
-optimization affects key material and eliminates data-dependent timing
-vulnerabilities from table lookups.
-
-**TypeScript acts as the ergonomics layer.** Fully typed classes, explicit
-`init()` gates, input validation, and authenticated compositions
-([`SerpentSeal`](https://github.com/xero/leviathan-crypto/wiki/serpent#serpentseal),
-[`SerpentStream`](https://github.com/xero/leviathan-crypto/wiki/serpent#serpentstream),
-[`SerpentStreamSealer`](https://github.com/xero/leviathan-crypto/wiki/serpent#serpentstreamsealer--serpentstreamopener))
-ensure primitives are connected correctly, simplifying development and ensuring
-correctness. Advanced users retain the ability to directly access the raw block
-cipher classes.
-
-## Why Serpent-256
-
-Serpent-256, an AES finalist, received more first-place security votes than
-Rijndael from the NIST evaluation committee. It was designed with a larger
-security margin: 32 rounds compared to AES's 10, 12, or 14.
-
-While Serpent won on security margin, AES (Rijndael) ultimately won the
-competition due to its  performance. Rijndael was selected because speed
-was paramount for the hardware and embedded targets NIST was optimizing for
-in 2001. However, for software running on modern hardware where milliseconds
-of encryption latency are acceptable, this tradeoff is no longer as relevant.
-
-**Security Margin.** Serpent has been a target of cryptanalytic research
-since the AES competition. The current state-of-the-art is as follows:
-
-- **Best known reduced-round attack:**
-    - multidimensional linear cryptanalysis reaching 12 of 32 rounds (Nguyen,
-      Wu & Wang, ACISP 2011), less than half the full cipher, requiring 2¹¹⁸
-      known plaintexts and 2²²⁸·⁸ time.
-    - Multidimensional linear cryptanalysis reaches 12 of 32 rounds (Nguyen,
-      Wu & Wang, ACISP 2011), less than half the full cipher. This requires
-      2¹¹⁸ known plaintexts and 2²²⁸·⁸ time. [source](https://personal.ntu.edu.sg/wuhj/research/publications/2011_ACISP_MLC.pdf) & [mirror](https://archive.is/6pwMM)
-- **Best known full-round attack:**
-    - biclique cryptanalysis of full 32-round Serpent-256 (de Carvalho & Kowada,
-      SBSeg 2020), time complexity 2²⁵⁵·²¹, only 0.79 bits below the 256-bit
-      brute-force ceiling of 2²⁵⁶, and requires 2⁸⁸ chosen ciphertexts, making
-      it strictly less practical than brute force. For comparison, the analogous
-      biclique attack on full-round AES-256 (Bogdanov et al., 2011) reaches
-      2²⁵⁴·⁴. Serpent-256 is marginally harder to attack by this method than AES-256.
-    - Biclique cryptanalysis of full 32-round Serpent-256 (de Carvalho & Kowada,
-      SBSeg 2020) has a time complexity of 2²⁵⁵·²¹, only 0.79 bits below the 256-bit
-      brute-force ceiling of 2²⁵⁶. It requires 2⁸⁸ chosen ciphertexts, making it
-      strictly less practical than brute force. For comparison, the analogous biclique
-      attack on full-round AES-256 (Bogdanov et al., 2011) reaches 2²⁵⁴·⁴.
-      Serpent-256 is marginally harder to attack by this method than AES-256. [source](https://sol.sbc.org.br/index.php/sbseg/article/view/19225/19054) & [mirror](https://archive.is/ZZjrT)
-    - Our independent research improved the published result by
-      −0.20 bits through systematic search over v position, biclique nibble
-      selection, and nabla pair. the best configuration (K31/K17, delta nibble 0,
-      nabla nibble 10, v = state 66 nibbles 8+9) achieves 2²⁵⁵·¹⁹ with only 2⁴
-      chosen ciphertexts. The K17 nabla result is a new finding not present in
-      the published papers.
-    - Our independent research improved the published result by −0.20 bits through
-      systematic search over v position, biclique nibble selection, and nabla pair.
-      The best configuration (K31/K17, delta nibble 0, nabla nibble 10, v = state
-      66 nibbles 8+9) achieves 2²⁵⁵·¹⁹ with only 2⁴ chosen ciphertexts. The K17 nabla
-      result is a new finding not present in the published papers. [`biclique_research`](https://github.com/xero/BicliqueFinder/blob/main/biclique-research.md)
-
-See: [`serpent_audit.md`](https://github.com/xero/leviathan-crypto/wiki/serpent_audit)
-for the full analysis.
-
-**Implementation.** Implementation: Serpent's S-boxes are implemented as Boolean gate
-circuits, meaning there are no table lookups, data-dependent memory access, or
-data-dependent branches. Every bit is processed unconditionally on every block.
-This approach provides the most timing-safe cipher implementation available in a
-JavaScript runtime, where JIT optimization can otherwise introduce observable
-timing variations.
-
-**Key Size:** The default API only supports 256-bit keys. The absence of 128 or
-192-bit variants mitigates the risk of key-size downgrade attacks.
+[![Version](https://img.shields.io/github/package-json/version/xero/leviathan-crypto?labelColor=33383e&logo=npm&&logoColor=979da4&color=6e2aa5)](https://github.com/xero/leviathan-crypto/releases/latest) [![GitHub repo size](https://img.shields.io/github/repo-size/xero/leviathan-crypto?labelColor=262a2e&logo=googlecontaineroptimizedos&logoColor=979da4&color=6e2aa5)](https://github.com/xero/leviathan-crypto/) [![test suite](https://github.com/xero/leviathan-crypto/actions/workflows/test-suite.yml/badge.svg)](https://github.com/xero/leviathan-crypto/actions/workflows/test-suite.yml) [![wiki](https://github.com/xero/leviathan-crypto/actions/workflows/wiki.yml/badge.svg)](https://github.com/xero/leviathan-crypto/wiki)
 
-## Primitives
+![side-effect free](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-side-effect-free.svg) ![tree-shakeable](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-tree-shakable.svg) ![zero dependencies](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-zero-dependancies.svg) [![MIT Licensed](https://img.shields.io/github/license/xero/text0wnz?logo=wikiversity&logoColor=979da4&labelColor=262a2e&color=b1a268)](https://github.com/xero/text0wnz/blob/main/LICENSE)
 
-| Classes | Module | Auth | Notes |
-|---------|--------|------|-------|
-| `SerpentSeal` | `serpent`, `sha2` | **Yes** | Authenticated encryption: Serpent-CBC + HMAC-SHA256. Recommended for most use cases. |
-| `SerpentStream`, `SerpentStreamPool` | `serpent`, `sha2` | **Yes** | Chunked one-shot AEAD for large payloads. Pool variant parallelises across workers. |
-| `SerpentStreamSealer`, `SerpentStreamOpener` | `serpent`, `sha2` | **Yes** | Incremental streaming AEAD: seal and open one chunk at a time without buffering the full message. |
-| `SerpentStreamEncoder`, `SerpentStreamDecoder` | `serpent`, `sha2` | **Yes** | Length-prefixed framing over SerpentStreamSealer/Opener for flat byte streams (files, buffered TCP). |
-| `Serpent`, `SerpentCtr`, `SerpentCbc` | `serpent` | **No** | Raw ECB, CTR, CBC modes. Pair with HMAC-SHA256 for authentication. |
-| `ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305` | `chacha20` | Yes (AEAD) | RFC 8439 |
-| `SHA256`, `SHA384`, `SHA512`, `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512` | `sha2` | -- | FIPS 180-4, RFC 2104 |
-| `HKDF_SHA256`, `HKDF_SHA512` | `sha2` | -- | Key derivation: RFC 5869. Extract-and-expand over HMAC. |
-| `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256` | `sha3` | -- | FIPS 202 |
-| `Fortuna` | `fortuna` | -- | Fortuna CSPRNG (Ferguson & Schneier). Requires `Fortuna.create()`. |
-
->[!IMPORTANT]
-> All cryptographic computation runs in WASM (AssemblyScript), isolated outside the JavaScript JIT.
-> The TypeScript layer provides the public API with input validation, type safety, and developer ergonomics.
+<img src="https://github.com/xero/leviathan-crypto/raw/main/docs/logo.svg" alt="Leviathan logo" width="400" >
 
-## Quick Start
+# Leviathan-Crypto
 
-### Authenticated encryption with Serpent (recommended)
+> Web cryptography built on Serpent-256 paranoia and XChaCha20-Poly1305 elegance.
 
-```typescript
-import { init, SerpentSeal, randomBytes } from 'leviathan-crypto'
+**Serpent-256 is the cipher for those who distrust consensus.** In 2001, when NIST selected AES, Serpent actually received more first-place security votes from the evaluation committee. However, it lost because the competition also considered performance on hardware embedded systems, which are no longer representative of the environments for which we develop software. Serpent's designers made no compromises: thirty-two rounds, S-boxes implemented using pure Boolean logic gates without table lookups, and every bit processed for each block. You use Serpent not because a committee recommended it, but because you trust the cryptanalysis. The current best attack on the full thirty-two-round Serpent-256 achieves 2²⁵⁵·¹⁹ — less than one bit below the brute-force ceiling, and strictly impractical. This includes our own independent research, which improved upon the published result. See [`serpent_audit.md`](https://github.com/xero/leviathan-crypto/wiki/serpent_audit).
 
-await init(['serpent', 'sha2'])
+**XChaCha20-Poly1305 is the cipher for those who appreciate design that has nothing to hide.** Daniel Bernstein built ChaCha20 as a twenty-round ARX construction: add, rotate, and XOR, in a precise choreography that simply doesn't have the attack surface that table-based ciphers do. It has no S-boxes, no cache-timing leakage, and requires no hardware acceleration to be fast. Poly1305 adds a final layer of security: a one-time authenticator with an unconditional forgery bound, mathematically guaranteed regardless of attacker compute power. XChaCha20-Poly1305 is the construction you reach for when you want an AEAD whose security proof you can actually read without a PhD. See [`chacha_audit.md`](https://github.com/xero/leviathan-crypto/wiki/chacha_audit).
 
-const key = randomBytes(64)  // 64-byte key (encKey + macKey)
+The tension between these two approaches constitutes the library's core identity. Serpent embodies defiance, ChaCha embodies elegance, yet both arrive at the same place: constant-time, side-channel resistant implementations, independently audited against their specifications. They represent two design philosophies that do not agree on anything, except the answer.
 
-const seal = new SerpentSeal()
+**WebAssembly provides a correctness layer.** Each primitive compiles into its own isolated binary, executing outside the JavaScript JIT. This prevents speculative optimization from affecting key material and ensures that data-dependent timing vulnerabilities do not cross the boundary.
 
-// Encrypt and authenticate
-const ciphertext = seal.encrypt(key, plaintext)
+**TypeScript acts as the ergonomics layer.** Fully typed classes, explicit `init()` gates, input validation, and authenticated compositions ensure primitives are connected correctly.
 
-// Decrypt and verify (throws on tamper)
-const decrypted = seal.decrypt(key, ciphertext)
+---
 
-seal.dispose()
-```
+#### **Zero Dependencies.**
+With no npm dependency graph to audit, the supply chain attack surface is eliminated.
 
-### Incremental streaming AEAD
+#### **Tree-shakeable.**
+Import only the cipher(s) you intend to use. Subpath exports allow bundlers to exclude everything else.
 
-Use `SerpentStreamSealer` when data arrives chunk by chunk and you cannot
-buffer the full message before encrypting.
+#### **Side-effect Free.**
+Nothing runs upon import. Initialization via `init()` is explicit and asynchronous.
 
-```typescript
-import { init, SerpentStreamSealer, SerpentStreamOpener, randomBytes } from 'leviathan-crypto'
+---
 
-await init(['serpent', 'sha2'])
+## Installation
 
-const key = randomBytes(64)
+```bash
+# use bun
+bun i leviathan-crypto
+# or npm
+npm install leviathan-crypto
+```
 
-// Seal side
-const sealer = new SerpentStreamSealer(key, 65536)
-const header = sealer.header()       // transmit to opener before any chunks
+---
 
-const chunk0 = sealer.seal(data0)    // exactly chunkSize bytes
-const chunk1 = sealer.seal(data1)
-const last   = sealer.final(tail)    // any size up to chunkSize; wipes key on return
+## Demos
 
-// Open side
-const opener = new SerpentStreamOpener(key, header)
+**`lvthn-web`** [ [demo](https://leviathan.3xi.club/web) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-web) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-web/README.md) ]
 
-const pt0 = opener.open(chunk0)
-const pt1 = opener.open(chunk1)
-const ptN = opener.open(last)        // detects final chunk; wipes key on return
+A browser encryption tool in a single, self-contained HTML file. Encrypt text or files using Serpent-256-CBC and Argon2id key derivation, then share the armored output. No server, installation, or network connection required after initial load. The code in is written to be read. The Encrypt-then-MAC construction, HMAC input (header with HMAC field zeroed + ciphertext), and Argon2id parameters are all intentional examples worth reading.
 
-// Reordering, truncation, and cross-stream splicing all throw on open()
-```
+**`lvthn-chat`** [ [demo](https://leviathan.3xi.club/chat) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-chat) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-chat/README.md) ]
 
-### Large payload chunking
+End-to-end encrypted chat featuring two-party messaging over X25519 key exchange and XChaCha20-Poly1305 message encryption. The relay server functions as a dumb WebSocket pipe that never sees plaintext. Each message incorporates sequence numbers, which allows the system to detect and reject replayed messages from an attacker. The demo deconstructs the protocol step by step, with visual feedback for both injection and replays.
 
-```typescript
-import { init, SerpentStream, randomBytes } from 'leviathan-crypto'
+**`lvthn-cli`** [ [npm](https://www.npmjs.com/package/lvthn) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-cli) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-cli/README.md) ]
 
-await init(['serpent', 'sha2'])
+File encryption CLI. Supports both Serpent-256 and XChaCha20-Poly1305, selectable via the `--cipher` flag. A single keyfile is compatible with both ciphers; the header byte determines decryption automatically. Encryption and decryption distribute 64KB chunks across a worker pool sized to hardwareConcurrency. Each worker owns an isolated WASM instance with no shared memory between workers.
 
-const key = randomBytes(32)  // 32-byte key (HKDF handles expansion internally)
+```sh
+bun i -g lvthn # or npm slow mode
+lvthn keygen --armor -o my.key
+cat secret.txt | lvthn encrypt -k my.key --armor > secret.enc
+```
+*[`lvthncli-serpent`](https://github.com/xero/leviathan-demos/tree/main/lvthncli-serpent) and [`lvthncli-chacha`](https://github.com/xero/leviathan-demos/tree/main/lvthncli-chacha) are additional educational tools: structurally identical to the main CLI tool, each implementing only a single cipher. By comparing the two, you can pinpoint the exact changes that occur when primitives are swapped; these are limited to `src/pool.ts` and `src/worker.ts`.*
 
-const stream = new SerpentStream()
-const ciphertext = stream.seal(key, largePlaintext)   // default 64KB chunks
-const decrypted  = stream.open(key, ciphertext)
+---
 
-stream.dispose()
-```
+## Primitives
+
+| Classes                                                                   | Module            | Auth    | Notes                                                                                                |
+| ------------------------------------------------------------------------- | ----------------- | ------- | ---------------------------------------------------------------------------------------------------- |
+| `SerpentSeal`                                                             | `serpent`, `sha2` | **Yes** | Authenticated encryption: Serpent-CBC + HMAC-SHA256. Recommended for most use cases.                 |
+| `SerpentStream`, `SerpentStreamPool`                                      | `serpent`, `sha2` | **Yes** | Chunked one-shot AEAD for large payloads. Pool variant parallelises across workers.                  |
+| `SerpentStreamSealer`, `SerpentStreamOpener`                              | `serpent`, `sha2` | **Yes** | Incremental streaming AEAD: seal and open one chunk at a time without buffering the full message.    |
+| `SerpentStreamEncoder`, `SerpentStreamDecoder`                            | `serpent`, `sha2` | **Yes** | Length-prefixed framing over SerpentStreamSealer/Opener for flat byte streams (files, buffered TCP). |
+| `Serpent`, `SerpentCtr`, `SerpentCbc`                                     | `serpent`         | **No**  | Raw ECB, CTR, CBC modes. Unauthenticated — pair with HMAC-SHA256 for authentication.                 |
+| `XChaCha20Poly1305`, `ChaCha20Poly1305`                                   | `chacha20`        | **Yes** | AEAD — RFC 8439. XChaCha20 recommended (192-bit nonce).                                              |
+| `ChaCha20`                                                                | `chacha20`        | **No**  | Raw stream cipher. Unauthenticated — use with `Poly1305` for authentication.                         |
+| `Poly1305`                                                                | `chacha20`        | **No**  | One-time MAC — RFC 8439. Use via the AEAD classes unless you have a specific reason not to.          |
+| `SHA256`, `SHA384`, `SHA512`, `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512` | `sha2`            | -       | FIPS 180-4, RFC 2104                                                                                 |
+| `HKDF_SHA256`, `HKDF_SHA512`                                              | `sha2`            | -       | Key derivation — RFC 5869. Extract-and-expand over HMAC.                                             |
+| `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`    | `sha3`            | -       | FIPS 202                                                                                             |
+| `Fortuna`                                                                 | `fortuna`         | -       | Fortuna CSPRNG (Ferguson & Schneier). Requires `Fortuna.create()`.                                   |
+
+> [!IMPORTANT]
+> All cryptographic computation runs in WASM (AssemblyScript), isolated outside the JavaScript JIT. The TypeScript layer provides the public API with input validation, type safety, and developer ergonomics.
+
+> [!WARNING]
+> `SerpentCtr` and `SerpentCbc` are **unauthenticated** cipher modes. They provide confidentiality but not integrity or authenticity. An attacker can modify ciphertext without detection. For authenticated Serpent encryption use `SerpentSeal` or `SerpentStreamSealer`. When using CBC/CTR directly, pair with `HMAC_SHA256` using the Encrypt-then-MAC pattern.
+
+---
+
+## Quick Start
 
-### Fortuna CSPRNG
+### Authenticated encryption with Serpent
 
 ```typescript
-import { init, Fortuna } from 'leviathan-crypto'
+import { init, SerpentSeal, randomBytes } from 'leviathan-crypto'
 
 await init(['serpent', 'sha2'])
 
-const fortuna = await Fortuna.create()
-const random = fortuna.get(32)  // 32 random bytes
+const key = randomBytes(64)  // 64-byte key (encKey + macKey)
+
+const seal = new SerpentSeal()
 
-fortuna.stop()
+// Encrypt and authenticate
+const ciphertext = seal.encrypt(key, plaintext)
+
+// Decrypt and verify (throws on tamper)
+const decrypted = seal.decrypt(key, ciphertext)
+
+seal.dispose()
 ```
 
-### Hashing with SHA-3
+### Authenticated encryption with XChaCha20-Poly1305
 
 ```typescript
-import { init, SHA3_256 } from 'leviathan-crypto'
+import { init, XChaCha20Poly1305, randomBytes } from 'leviathan-crypto'
 
-await init(['sha3'])
+await init(['chacha20'])
 
-const hasher = new SHA3_256()
-const digest = hasher.hash(new TextEncoder().encode('hello'))
-// digest is a 32-byte Uint8Array
+const key   = randomBytes(32)  // 32-byte key
+const nonce = randomBytes(24)  // 24-byte nonce (XChaCha20 extended nonce)
 
-hasher.dispose()
-```
+const chacha = new XChaCha20Poly1305()
 
-## Utilities
-
-These helpers are available immediately on import: no `init()` required.
-
-| Function | Description |
-|----------|-------------|
-| `hexToBytes(hex)` | Hex string to `Uint8Array` (accepts uppercase, `0x` prefix) |
-| `bytesToHex(bytes)` | `Uint8Array` to lowercase hex string |
-| `utf8ToBytes(str)` | UTF-8 string to `Uint8Array` |
-| `bytesToUtf8(bytes)` | `Uint8Array` to UTF-8 string |
-| `base64ToBytes(b64)` | Base64/base64url string to `Uint8Array` (undefined on invalid) |
-| `bytesToBase64(bytes, url?)` | `Uint8Array` to base64 string (url=true for base64url) |
-| `constantTimeEqual(a, b)` | Constant-time byte comparison (XOR-accumulate) |
-| `wipe(data)` | Zero a typed array in place |
-| `xor(a, b)` | XOR two equal-length `Uint8Array`s |
-| `concat(a, b)` | Concatenate two `Uint8Array`s |
-| `randomBytes(n)` | Cryptographically secure random bytes via Web Crypto |
-
-## Authentication Warning
-
-`SerpentCtr` and `SerpentCbc` are **unauthenticated** cipher modes. They provide
-confidentiality but not integrity or authenticity. An attacker can modify
-ciphertext without detection.
-
->[!TIP]
-> **For authenticated Serpent encryption:** use [`SerpentSeal`](https://github.com/xero/leviathan-crypto/wiki/serpent#serpentseal) or [`SerpentStreamSealer`](https://github.com/xero/leviathan-crypto/wiki/serpent#serpentstreamsealer--serpentstreamopener)
->
-> **Using Serpent CBC/CTR directly:** pair with `HMAC_SHA256` using the Encrypt-then-MAC pattern
-
->[!NOTE]
-> **[`SerpentStream`](https://github.com/xero/leviathan-crypto/wiki/serpent#serpentstream) and [`SerpentStreamSealer`](https://github.com/xero/leviathan-crypto/wiki/serpent#serpentstreamsealer--serpentstreamopener)
-> inherently satisfy the Cryptographic Doom Principle.** Message Authentication Code (MAC)
-> verification is the mandatory check on every `open()` call; decryption is impossible until
-> this verification succeeds. Per-chunk HKDF key derivation, using position-bound info,
-> extends this protection to stream integrity. Reordering, truncation, and cross-stream
-> substitution are all detected at the MAC layer, preventing any plaintext from being
-> produced in such cases. [Full analysis.](https://github.com/xero/leviathan-crypto/wiki/serpent_audit#24-serpentstream-encrypt-then-mac-and-the-cryptographic-doom-principle)
+// Encrypt and authenticate
+const ciphertext = chacha.encrypt(key, nonce, plaintext)
 
-## Installation
+// Decrypt and verify (throws on tamper)
+const decrypted = chacha.decrypt(key, nonce, ciphertext)
 
-```bash
-# use bun
-bun i leviathan-crypto
-# or npm
-npm install leviathan-crypto
+chacha.dispose()
 ```
 
+For more examples — streaming, chunking, hashing, key derivation: see the [examples page](https://github.com/xero/leviathan-crypto/wiki/examples).
+
+---
+
 ## Loading Modes
 
 ```typescript
@@ -264,59 +150,107 @@ await init(['serpent'], 'streaming', { wasmUrl: '/assets/wasm/' })
 await init(['serpent'], 'manual', { wasmBinary: { serpent: myBuffer } })
 ```
 
+### Tree-shaking with subpath imports
+
+Each cipher ships as its own subpath export. A bundler with tree-shaking support and `"sideEffects": false` will exclude every module you don't import:
+
+```typescript
+// Only serpent.wasm ends up in your bundle
+import { serpentInit, SerpentSeal } from 'leviathan-crypto/serpent'
+await serpentInit()
+
+// Only chacha20.wasm ends up in your bundle
+import { chacha20Init, XChaCha20Poly1305 } from 'leviathan-crypto/chacha20'
+await chacha20Init()
+```
+
+| Subpath                     | Entry point                |
+| --------------------------- | -------------------------- |
+| `leviathan-crypto`          | `./dist/index.js`          |
+| `leviathan-crypto/serpent`  | `./dist/serpent/index.js`  |
+| `leviathan-crypto/chacha20` | `./dist/chacha20/index.js` |
+| `leviathan-crypto/sha2`     | `./dist/sha2/index.js`     |
+| `leviathan-crypto/sha3`     | `./dist/sha3/index.js`     |
+
+---
+
+## Utilities
+
+These helpers are available immediately on import with no `init()` required.
+
+| Function                                                       | Description                                                    |
+| -------------------------------------------------------------- | -------------------------------------------------------------- |
+| [`hexToBytes(hex)`](./docs/utils.md#hextobytes)                | Hex string to `Uint8Array` (accepts uppercase, `0x` prefix)    |
+| [`bytesToHex(bytes)`](./docs/utils.md#bytestohex)              | `Uint8Array` to lowercase hex string                           |
+| [`utf8ToBytes(str)`](./docs/utils.md#utf8tobytes)              | UTF-8 string to `Uint8Array`                                   |
+| [`bytesToUtf8(bytes)`](./docs/utils.md#bytestoutf8)            | `Uint8Array` to UTF-8 string                                   |
+| [`base64ToBytes(b64)`](./docs/utils.md#base64tobytes)          | Base64/base64url string to `Uint8Array` (undefined on invalid) |
+| [`bytesToBase64(bytes, url?)`](./docs/utils.md#bytestobase64)  | `Uint8Array` to base64 string (url=true for base64url)         |
+| [`constantTimeEqual(a, b)`](./docs/utils.md#constanttimeequal) | Constant-time byte comparison (XOR-accumulate)                 |
+| [`wipe(data)`](./docs/utils.md#wipe)                           | Zero a typed array in place                                    |
+| [`xor(a, b)`](./docs/utils.md#xor)                             | XOR two equal-length `Uint8Array`s                             |
+| [`concat(a, b)`](./docs/utils.md#concat)                       | Concatenate two `Uint8Array`s                                  |
+| [`randomBytes(n)`](./docs/utils.md#randombytes)                | Cryptographically secure random bytes via Web Crypto           |
+
+---
+
 ## Documentation
 
 **Full API documentation:** [./docs](./docs/README.md)
 
-| Module | Description |
-|--------|-------------|
-| [serpent.md](./docs/serpent.md) | Serpent-256 TypeScript API (`SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc`) |
-| [asm_serpent.md](./docs/asm_serpent.md) | Serpent-256 WASM implementation (bitslice S-boxes, key schedule, CTR/CBC) |
-| [chacha20.md](./docs/chacha20.md) | ChaCha20/Poly1305 TypeScript API (`ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`) |
-| [asm_chacha.md](./docs/asm_chacha.md) | ChaCha20/Poly1305 WASM implementation (quarter-round, HChaCha20) |
-| [sha2.md](./docs/sha2.md) | SHA-2 TypeScript API (`SHA256`, `SHA512`, `SHA384`, `HMAC_SHA256`, `HMAC_SHA512`, `HMAC_SHA384`) |
-| [asm_sha2.md](./docs/asm_sha2.md) | SHA-2 WASM implementation (compression functions, HMAC) |
-| [sha3.md](./docs/sha3.md) | SHA-3 TypeScript API (`SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`) |
-| [asm_sha3.md](./docs/asm_sha3.md) | SHA-3 WASM implementation (Keccak-f[1600], sponge construction) |
-| [fortuna.md](./docs/fortuna.md) | Fortuna CSPRNG (forward secrecy, 32 entropy pools) |
-| [init.md](./docs/init.md) | `init()` API and WASM loading modes |
-| [utils.md](./docs/utils.md) | Encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes` |
-| [types.md](./docs/types.md) | TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`) |
-| [architecture.md](./docs/architecture.md.md) | Architecture overview, build pipeline, module relationships |
-| [test-suite.md](./test-suite.md) | Test suite structure, vector corpus, gate discipline |
+| Module                                    | Description                                                                                                                                                           |
+| ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [serpent.md](./docs/serpent.md)           | Serpent-256 TypeScript API (`SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc`) |
+| [asm_serpent.md](./docs/asm_serpent.md)   | Serpent-256 WASM implementation (bitslice S-boxes, key schedule, CTR/CBC)                                                                                             |
+| [chacha20.md](./docs/chacha20.md)         | ChaCha20/Poly1305 TypeScript API (`ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`)                                                                    |
+| [asm_chacha.md](./docs/asm_chacha.md)     | ChaCha20/Poly1305 WASM implementation (quarter-round, HChaCha20)                                                                                                      |
+| [sha2.md](./docs/sha2.md)                 | SHA-2 TypeScript API (`SHA256`, `SHA512`, `SHA384`, `HMAC_SHA256`, `HMAC_SHA512`, `HMAC_SHA384`)                                                                      |
+| [asm_sha2.md](./docs/asm_sha2.md)         | SHA-2 WASM implementation (compression functions, HMAC)                                                                                                               |
+| [sha3.md](./docs/sha3.md)                 | SHA-3 TypeScript API (`SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`)                                                                         |
+| [asm_sha3.md](./docs/asm_sha3.md)         | SHA-3 WASM implementation (Keccak-f[1600], sponge construction)                                                                                                       |
+| [fortuna.md](./docs/fortuna.md)           | Fortuna CSPRNG (forward secrecy, 32 entropy pools)                                                                                                                    |
+| [init.md](./docs/init.md)                 | `init()` API and WASM loading modes                                                                                                                                   |
+| [utils.md](./docs/utils.md)               | Encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`                                                                                                          |
+| [types.md](./docs/types.md)               | TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)                                                                                    |
+| [architecture.md](./docs/architecture.md) | Architecture overview, build pipeline, module relationships                                                                                                           |
+| [test-suite.md](./docs/test-suite.md)     | Test suite structure, vector corpus, gate discipline                                                                                                                  |
+
+### Algorithm correctness and verifications
+
+| Primitive                                   | Audit Description                                                                      |
+| ------------------------------------------- | -------------------------------------------------------------------------------------- |
+| [serpent_audit.md](./docs/serpent_audit.md) | Correctness verification, side-channel analysis, cryptanalytic paper review            |
+| [chacha_audit.md](./docs/chacha_audit.md)   | XChaCha20-Poly1305 correctness, Poly1305 field arithmetic, HChaCha20 nonce extension   |
+| [sha2_audit.md](./docs/sha2_audit.md)       | SHA-256/512/384 correctness, HMAC and HKDF composition, constant verification          |
+| [sha3_audit.md](./docs/sha3_audit.md)       | Keccak permutation correctness, θ/ρ/π/χ/ι step verification, round constant derivation |
+| [hmac_audit.md](./docs/hmac_audit.md)       | HMAC-SHA256/512/384 construction, key processing, RFC 4231 vector coverage             |
+| [hkdf_audit.md](./docs/hkdf_audit.md)       | HKDF extract-then-expand, info field domain separation, SerpentStream key derivation   |
+
+---
 
 ## License
+
 leviathan is written under the [MIT license](http://www.opensource.org/licenses/MIT).
 
 ```
-  ██     ▐█████ ██     ▐█▌  ▄█▌   ███▌ ▀███████▀▄██▌  ▐█▌  ███▌    ██▌   ▓▓
- ▐█▌     ▐█▌    ▓█     ▐█▌  ▓██  ▐█▌██    ▐█▌   ███   ██▌ ▐█▌██    ▓██   ██
- ██▌     ░███   ▐█▌    ██   ▀▀   ██ ▐█▌   ██   ▐██▌   █▓  ▓█ ▐█▌  ▐███▌  █▓
- ██      ██     ▐█▌    █▓  ▐██  ▐█▌  █▓   ██   ▐██▄▄ ▐█▌ ▐█▌  ██  ▐█▌██ ▐█▌
-▐█▌     ▐█▌      ██   ▐█▌  ██   ██   ██  ▐█▌   ██▀▀████▌ ██   ██  ██ ▐█▌▐█▌
-▐▒▌     ▐▒▌      ▐▒▌  ██   ▒█   ██▀▀▀██▌ ▐▒▌   ▒█    █▓░ ▒█▀▀▀██▌ ▒█  ██▐█
-█▓ ▄▄▓█ █▓ ▄▄▓█   ▓▓ ▐▓▌  ▐▓▌  ▐█▌   ▐▒▌ █▓   ▐▓▌   ▐▓█ ▐▓▌   ▐▒▌▐▓▌  ▐███
-▓██▀▀   ▓██▀▀      ▓█▓█   ▐█▌  ▐█▌   ▐▓▌ ▓█   ▐█▌   ▐█▓ ▐█▌   ▐▓▌▐█▌   ██▓
-                    ▓█         ▄▄▄▄▄▄▄▄▄▄            ▀▀        ▐█▌▌▌
-                        ▄████████████████████▄▄
-                     ▄██████████████████████ ▀████▄
-                   ▄█████████▀▀▀     ▀███████▄▄███████▌
-                  ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
-                  ████████      ███▀▀     ████▀  █▀ █▀
-                  ███████▌    ▀██▀         ██
-                   ███████   ▀███           ▀██ ▀█▄
-                    ▀██████   ▄▄██            ▀▀  ██▄
-                      ▀█████▄   ▄██▄             ▄▀▄▀
-                         ▀████▄   ▄██▄
-                           ▐████   ▐███
-                    ▄▄██████████    ▐███         ▄▄
-                 ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
-               ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███
-                ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀
-               ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄
-               █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄███▀
-               ▀██████▀             ▀████▄▄▄████▀
-                                       ▀█████▀
-
-       Serpent256 & Xchacha20-Poly1305 Cryptography for the Web
+                ▄▄▄▄▄▄▄▄▄▄
+         ▄████████████████████▄▄
+      ▄██████████████████████ ▀████▄
+    ▄█████████▀▀▀     ▀███████▄▄███████▌
+   ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+   ████████      ███▀▀     ████▀  █▀ █▀
+   ███████▌    ▀██▀         ██
+    ███████   ▀███           ▀██ ▀█▄
+     ▀██████   ▄▄██            ▀▀  ██▄
+       ▀█████▄   ▄██▄             ▄▀▄▀
+          ▀████▄   ▄██▄
+            ▐████   ▐███
+     ▄▄██████████    ▐███         ▄▄
+  ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███
+ ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀
+████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄
+█████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄███▀
+▀██████▀             ▀████▄▄▄████▀
+                        ▀█████▀
 ```

package/dist/docs/architecture.md

@@ -778,18 +778,18 @@ They are the immutable truth, and must never be modified to make tests pass.
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md) — library documentation index, exports table, and quick-start examples
-- [test-suite.md](./test-suite.md) — testing methodology, vector corpus, and gate discipline
-- [init.md](./init.md) — `init()` API, three loading modes, and idempotent behavior
-- [loader.md](./loader.md) — internal WASM binary loading strategies (embedded, streaming, manual)
-- [wasm.md](./wasm.md) — WebAssembly primer: modules, instances, memory, and the init gate
-- [types.md](./types.md) — public TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)
-- [utils.md](./utils.md) — encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`
-- [serpent.md](./serpent.md) — Serpent-256 TypeScript API (SerpentSeal, SerpentStream, raw modes)
-- [chacha20.md](./chacha20.md) — ChaCha20/Poly1305 TypeScript API and XChaCha20-Poly1305 AEAD
-- [sha2.md](./sha2.md) — SHA-2 hashes, HMAC, and HKDF TypeScript API
-- [sha3.md](./sha3.md) — SHA-3 hashes and SHAKE XOFs TypeScript API
-- [fortuna.md](./fortuna.md) — Fortuna CSPRNG with forward secrecy and entropy pooling
-- [argon2id.md](./argon2id.md) — Argon2id password hashing and key derivation
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [test-suite.md](./test-suite.md) — testing methodology, vector corpus, and gate discipline
+> - [init.md](./init.md) — `init()` API, three loading modes, and idempotent behavior
+> - [loader.md](./loader.md) — internal WASM binary loading strategies (embedded, streaming, manual)
+> - [wasm.md](./wasm.md) — WebAssembly primer: modules, instances, memory, and the init gate
+> - [types.md](./types.md) — public TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)
+> - [utils.md](./utils.md) — encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`
+> - [serpent.md](./serpent.md) — Serpent-256 TypeScript API (SerpentSeal, SerpentStream, raw modes)
+> - [chacha20.md](./chacha20.md) — ChaCha20/Poly1305 TypeScript API and XChaCha20-Poly1305 AEAD
+> - [sha2.md](./sha2.md) — SHA-2 hashes, HMAC, and HKDF TypeScript API
+> - [sha3.md](./sha3.md) — SHA-3 hashes and SHAKE XOFs TypeScript API
+> - [fortuna.md](./fortuna.md) — Fortuna CSPRNG with forward secrecy and entropy pooling
+> - [argon2id.md](./argon2id.md) — Argon2id password hashing and key derivation

package/dist/docs/argon2id.md

@@ -280,11 +280,11 @@ xc2.dispose();
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md) — project overview and quick-start guide
-- [sha2.md](./sha2.md) — HKDF-SHA256 for key expansion from Argon2id root keys
-- [serpent.md](./serpent.md) — SerpentSeal: Serpent-256 authenticated encryption (pairs with Argon2id-derived keys)
-- [chacha20.md](./chacha20.md) — XChaCha20Poly1305: ChaCha20 authenticated encryption (pairs with Argon2id-derived keys)
-- [utils.md](./utils.md) — `randomBytes` for generating salts, `constantTimeEqual` for hash verification
-- [architecture.md](./architecture.md) — library architecture and design decisions
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [sha2.md](./sha2.md) — HKDF-SHA256 for key expansion from Argon2id root keys
+> - [serpent.md](./serpent.md) — SerpentSeal: Serpent-256 authenticated encryption (pairs with Argon2id-derived keys)
+> - [chacha20.md](./chacha20.md) — XChaCha20Poly1305: ChaCha20 authenticated encryption (pairs with Argon2id-derived keys)
+> - [utils.md](./utils.md) — `randomBytes` for generating salts, `constantTimeEqual` for hash verification
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline

package/dist/docs/chacha20.md

@@ -592,11 +592,11 @@ cipher.dispose()
 | Authentication tag does not match on decrypt | `Error` | `ChaCha20Poly1305: authentication failed` |
 | Empty plaintext | — | Allowed. Encrypting zero bytes produces just a 16-byte tag (AEAD) or zero bytes (raw ChaCha20). |
 
-## Cross-References
-
-- [README.md](./README.md) — library documentation index and exports table
-- [asm_chacha.md](./asm_chacha.md) — WASM (AssemblyScript) implementation details for the chacha20 module
-- [chacha20_pool.md](./chacha20_pool.md) — `XChaCha20Poly1305Pool` worker-pool wrapper for parallel encryption
-- [serpent.md](./serpent.md) — alternative: Serpent block cipher modes (CBC, CTR — unauthenticated, needs HMAC pairing)
-- [sha2.md](./sha2.md) — SHA-2 hashes and HMAC — needed for Encrypt-then-MAC if using Serpent or raw ChaCha20
-- [types.md](./types.md) — `AEAD` and `Streamcipher` interfaces implemented by ChaCha20 classes
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [asm_chacha.md](./asm_chacha.md) — WASM (AssemblyScript) implementation details for the chacha20 module
+> - [chacha20_pool.md](./chacha20_pool.md) — `XChaCha20Poly1305Pool` worker-pool wrapper for parallel encryption
+> - [serpent.md](./serpent.md) — alternative: Serpent block cipher modes (CBC, CTR — unauthenticated, needs HMAC pairing)
+> - [sha2.md](./sha2.md) — SHA-2 hashes and HMAC — needed for Encrypt-then-MAC if using Serpent or raw ChaCha20
+> - [types.md](./types.md) — `AEAD` and `Streamcipher` interfaces implemented by ChaCha20 classes

package/dist/docs/chacha20_pool.md

@@ -296,11 +296,11 @@ const result = concat(chunk1, chunk2)
 
 ---
 
-## Cross-References
-
-- [chacha20.md](./chacha20.md) — single-instance XChaCha20-Poly1305 API
-- [asm_chacha.md](./asm_chacha.md) — WASM implementation details (quarter-round, Poly1305 accumulator, HChaCha20)
-- [wasm.md](./wasm.md) — WebAssembly primer: how one compiled module spawns many worker instances
-- [fortuna.md](./fortuna.md) — another class using the `static async create()` factory pattern
-- [architecture.md](./architecture.md) — library architecture and module relationships
-- [README.md](./README.md) — project overview and getting started
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [chacha20.md](./chacha20.md) — single-instance XChaCha20-Poly1305 API
+> - [asm_chacha.md](./asm_chacha.md) — WASM implementation details (quarter-round, Poly1305 accumulator, HChaCha20)
+> - [wasm.md](./wasm.md) — WebAssembly primer: how one compiled module spawns many worker instances
+> - [fortuna.md](./fortuna.md) — another class using the `static async create()` factory pattern
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline

package/dist/docs/fortuna.md

@@ -311,12 +311,12 @@ to read the spec:
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md): Project overview and quick-start guide
-- [architecture.md](./architecture.md): Library architecture and module relationships
-- [serpent.md](./serpent.md): Serpent-256 TypeScript API (Fortuna uses Serpent ECB internally)
-- [sha2.md](./sha2.md): SHA-256 TypeScript API (Fortuna uses SHA-256 for entropy accumulation)
-- [asm_serpent.md](./asm_serpent.md): Serpent-256 WASM implementation details
-- [asm_sha2.md](./asm_sha2.md): SHA-256 WASM implementation details
-- [utils.md](./utils.md): `randomBytes()` for simpler random generation needs
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [serpent.md](./serpent.md): Serpent-256 TypeScript API (Fortuna uses Serpent ECB internally)
+> - [sha2.md](./sha2.md): SHA-256 TypeScript API (Fortuna uses SHA-256 for entropy accumulation)
+> - [asm_serpent.md](./asm_serpent.md): Serpent-256 WASM implementation details
+> - [asm_sha2.md](./asm_sha2.md): SHA-256 WASM implementation details
+> - [utils.md](./utils.md): `randomBytes()` for simpler random generation needs

package/dist/docs/init.md

@@ -300,9 +300,9 @@ if (!isInitialized('sha2')) {
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md) — package overview and quick-start guide
-- [loader.md](./loader.md) — WASM binary loading strategies (internal details)
-- [architecture.md](./architecture.md) — architecture overview, module structure, and build pipeline
-- [wasm.md](./wasm.md) — WebAssembly primer: modules, instances, memory, and the init gate
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [loader.md](./loader.md) — WASM binary loading strategies (internal details)
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [wasm.md](./wasm.md) — WebAssembly primer: modules, instances, memory, and the init gate

package/dist/docs/loader.md

@@ -198,9 +198,9 @@ unexpected allocations and makes the memory layout predictable and auditable.
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md) — package overview and quick-start guide
-- [architecture.md](./architecture.md) — architecture overview and build pipeline
-- [init.md](./init.md) — the public `init()` API that uses this loader
-- [wasm.md](./wasm.md) — WebAssembly primer: modules, instances, and memory model
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [init.md](./init.md) — the public `init()` API that uses this loader
+> - [wasm.md](./wasm.md) — WebAssembly primer: modules, instances, and memory model

package/dist/docs/serpent.md

@@ -900,15 +900,15 @@ cipher.dispose();
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md) — library documentation index and exports table
-- [architecture.md](./architecture.md) — module structure, buffer layouts, and build pipeline
-- [asm_serpent.md](./asm_serpent.md) — WASM implementation details and buffer layout
-- [serpent_reference.md](./serpent_reference.md) — algorithm specification, S-boxes, linear transform, and known attacks
-- [serpent_audit.md](./serpent_audit.md) — security audit findings (correctness, side-channel analysis)
-- [chacha20.md](./chacha20.md) — XChaCha20Poly1305 authenticated encryption (alternative AEAD)
-- [sha2.md](./sha2.md) — HMAC-SHA256 and HKDF used internally by SerpentSeal and SerpentStream
-- [types.md](./types.md) — `Blockcipher`, `Streamcipher`, and `AEAD` interfaces implemented by Serpent classes
-- [utils.md](./utils.md) — `constantTimeEqual`, `wipe`, `randomBytes` used by Serpent wrappers
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [asm_serpent.md](./asm_serpent.md) — WASM implementation details and buffer layout
+> - [serpent_reference.md](./serpent_reference.md) — algorithm specification, S-boxes, linear transform, and known attacks
+> - [serpent_audit.md](./serpent_audit.md) — security audit findings (correctness, side-channel analysis)
+> - [chacha20.md](./chacha20.md) — XChaCha20Poly1305 authenticated encryption (alternative AEAD)
+> - [sha2.md](./sha2.md) — HMAC-SHA256 and HKDF used internally by SerpentSeal and SerpentStream
+> - [types.md](./types.md) — `Blockcipher`, `Streamcipher`, and `AEAD` interfaces implemented by Serpent classes
+> - [utils.md](./utils.md) — `constantTimeEqual`, `wipe`, `randomBytes` used by Serpent wrappers
 

package/dist/docs/sha2.md

@@ -608,13 +608,13 @@ SHA-2 is well-defined for zero-length messages and will return the correct diges
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md) — project overview and quick-start guide
-- [architecture.md](./architecture.md) — library architecture and `init()` API
-- [asm_sha2.md](./asm_sha2.md) — WASM implementation details (AssemblyScript buffer layout, compression functions)
-- [sha3.md](./sha3.md) — alternative: SHA-3 family (immune to length extension attacks)
-- [serpent.md](./serpent.md) — SerpentSeal and SerpentStream use HMAC-SHA256 and HKDF internally
-- [argon2id.md](./argon2id.md) — Argon2id password hashing; HKDF expands Argon2id root keys
-- [fortuna.md](./fortuna.md) — Fortuna CSPRNG uses SHA-256 for entropy accumulation
-- [utils.md](./utils.md) — `constantTimeEqual`, `bytesToHex`, `utf8ToBytes`, `randomBytes`
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [asm_sha2.md](./asm_sha2.md) — WASM implementation details (AssemblyScript buffer layout, compression functions)
+> - [sha3.md](./sha3.md) — alternative: SHA-3 family (immune to length extension attacks)
+> - [serpent.md](./serpent.md) — SerpentSeal and SerpentStream use HMAC-SHA256 and HKDF internally
+> - [argon2id.md](./argon2id.md) — Argon2id password hashing; HKDF expands Argon2id root keys
+> - [fortuna.md](./fortuna.md) — Fortuna CSPRNG uses SHA-256 for entropy accumulation
+> - [utils.md](./utils.md) — `constantTimeEqual`, `bytesToHex`, `utf8ToBytes`, `randomBytes`

package/dist/docs/sha3.md

@@ -500,10 +500,10 @@ absorbs zero bytes and then squeezes.
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md): Project overview and quick-start guide
-- [asm_sha3.md](./asm_sha3.md): WASM implementation details (buffer layout, Keccak internals, variant parameters)
-- [sha2.md](./sha2.md): Alternative: SHA-2 family (SHA-256, SHA-384, SHA-512) and HMAC
-- [utils.md](./utils.md): Encoding utilities: `bytesToHex`, `hexToBytes`, `utf8ToBytes`
-- [architecture.md](./architecture.md): Library architecture and `init()` API
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [asm_sha3.md](./asm_sha3.md): WASM implementation details (buffer layout, Keccak internals, variant parameters)
+> - [sha2.md](./sha2.md): Alternative: SHA-2 family (SHA-256, SHA-384, SHA-512) and HMAC
+> - [utils.md](./utils.md): Encoding utilities: `bytesToHex`, `hexToBytes`, `utf8ToBytes`
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline

package/dist/docs/types.md

@@ -186,13 +186,13 @@ function cleanup(ctx: EncryptionContext): void {
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md) — library documentation index and exports table
-- [architecture.md](./architecture.md) — module structure and correctness contracts
-- [utils.md](./utils.md) — encoding utilities and `constantTimeEqual` for verifying MACs from `KeyedHash`
-- [serpent.md](./serpent.md) — Serpent classes implement `Blockcipher`, `Streamcipher`, and `AEAD`
-- [chacha20.md](./chacha20.md) — ChaCha20/Poly1305 classes implement `Streamcipher` and `AEAD`
-- [sha2.md](./sha2.md) — SHA-2 classes implement `Hash`; HMAC classes implement `KeyedHash`
-- [sha3.md](./sha3.md) — SHA-3 classes implement `Hash`; SHAKE classes extend with XOF API
-- [test-suite.md](./test-suite.md) — test suite structure and vector corpus
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [utils.md](./utils.md) — encoding utilities and `constantTimeEqual` for verifying MACs from `KeyedHash`
+> - [serpent.md](./serpent.md) — Serpent classes implement `Blockcipher`, `Streamcipher`, and `AEAD`
+> - [chacha20.md](./chacha20.md) — ChaCha20/Poly1305 classes implement `Streamcipher` and `AEAD`
+> - [sha2.md](./sha2.md) — SHA-2 classes implement `Hash`; HMAC classes implement `KeyedHash`
+> - [sha3.md](./sha3.md) — SHA-3 classes implement `Hash`; SHAKE classes extend with XOF API
+> - [test-suite.md](./test-suite.md) — test suite structure and vector corpus

package/dist/docs/utils.md

@@ -261,13 +261,13 @@ console.log(combined.length) // 32
 
 ---
 
-## Cross-References
-
-- [README.md](./README.md) — library documentation index and exports table
-- [architecture.md](./architecture.md) — module structure and security rationale
-- [serpent.md](./serpent.md) — Serpent modes consume keys from `randomBytes`; wrappers use `wipe` and `constantTimeEqual`
-- [chacha20.md](./chacha20.md) — ChaCha20/Poly1305 classes use `randomBytes` for nonce generation
-- [sha2.md](./sha2.md) — SHA-2 and HMAC classes; output often converted with `bytesToHex`
-- [sha3.md](./sha3.md) — SHA-3 and SHAKE classes; output often converted with `bytesToHex`
-- [types.md](./types.md) — public interfaces whose implementations rely on these utilities
-- [test-suite.md](./test-suite.md) — test suite structure and vector corpus
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [serpent.md](./serpent.md) — Serpent modes consume keys from `randomBytes`; wrappers use `wipe` and `constantTimeEqual`
+> - [chacha20.md](./chacha20.md) — ChaCha20/Poly1305 classes use `randomBytes` for nonce generation
+> - [sha2.md](./sha2.md) — SHA-2 and HMAC classes; output often converted with `bytesToHex`
+> - [sha3.md](./sha3.md) — SHA-3 and SHAKE classes; output often converted with `bytesToHex`
+> - [types.md](./types.md) — public interfaces whose implementations rely on these utilities
+> - [test-suite.md](./test-suite.md) — test suite structure and vector corpus

package/dist/docs/wasm.md

@@ -183,11 +183,11 @@ See [init.md](./init.md) for the full API.
 
 ---
 
-## Cross-References
-
-- [architecture.md](./architecture.md) — module structure, buffer layouts,
-  security rationale
-- [init.md](./init.md) — `init()` API and the three loading modes
-- [loader.md](./loader.md) — how WASM binaries are loaded and instantiated
-- [chacha20_pool.md](./chacha20_pool.md) — example of one compiled module
-  spawning many instances across workers
+> ## Cross-References
+>
+> - [README.md](./README.md) — project overview and quick-start guide
+> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [init.md](./init.md) — `init()` API and the three loading modes
+> - [loader.md](./loader.md) — how WASM binaries are loaded and instantiated
+> - [chacha20_pool.md](./chacha20_pool.md) — example of one compiled module
+>   spawning many instances across workers

package/dist/sha2/hkdf.js

@@ -51,15 +51,21 @@ export class HKDF_SHA256 {
             buf.set(prev, 0);
             buf.set(info, prev.length);
             buf[prev.length + info.length] = i;
+            const oldPrev = prev;
             prev = this.hmac.hash(prk, buf);
             okm.set(prev, (i - 1) * 32);
+            buf.fill(0);
+            oldPrev.fill(0);
         }
+        prev.fill(0);
         return okm.slice(0, length);
     }
     // One-shot: extract then expand
     derive(ikm, salt, info, length) {
         const prk = this.extract(salt, ikm);
-        return this.expand(prk, info, length);
+        const okm = this.expand(prk, info, length);
+        prk.fill(0);
+        return okm;
     }
     dispose() {
         this.hmac.dispose();
@@ -92,15 +98,21 @@ export class HKDF_SHA512 {
             buf.set(prev, 0);
             buf.set(info, prev.length);
             buf[prev.length + info.length] = i;
+            const oldPrev = prev;
             prev = this.hmac.hash(prk, buf);
             okm.set(prev, (i - 1) * 64);
+            buf.fill(0);
+            oldPrev.fill(0);
         }
+        prev.fill(0);
         return okm.slice(0, length);
     }
     // One-shot: extract then expand
     derive(ikm, salt, info, length) {
         const prk = this.extract(salt, ikm);
-        return this.expand(prk, info, length);
+        const okm = this.expand(prk, info, length);
+        prk.fill(0);
+        return okm;
     }
     dispose() {
         this.hmac.dispose();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "leviathan-crypto",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "author": "xero (https://x-e.ro)",
   "license": "MIT",
   "description": "Zero-dependency WebAssembly cryptography library for TypeScript: Serpent-256, XChaCha20-Poly1305, SHA-2/3, HMAC, HKDF, and Fortuna CSPRNG, with a strictly typed API built on vector-verified primitives.",
@@ -20,38 +20,6 @@
     "SECURITY.md",
     "CLAUDE.md"
   ],
-  "scripts": {
-    "build:asm": "node scripts/build-asm.js",
-    "build:embed": "npx tsx scripts/embed-wasm.ts",
-    "build:ts": "tsc",
-    "build:docs": "bunx tsx scripts/copy-docs.ts",
-    "build": "rm -rf src/ts/embedded/* dist && bun run build:asm && bun run build:embed && bun run build:ts && cp build/*.wasm dist/ 2>/dev/null || true && cp docs/CLAUDE_consumer.md CLAUDE.md && bun run build:docs",
-    "test": "bun run build:asm && bun run build:embed && vitest run",
-    "test:browser": "bun run build && playwright test",
-    "test:all": "bun run test && bun run test:browser",
-    "lint": "eslint .",
-    "lint:fix": "eslint . --fix",
-    "pin-actions": "bun run scripts/pin-actions.ts",
-    "_shorthand": "# aliases: 'bun bake' = build, 'bun fix' = lint:fix, 'bun check' = test:all, 'bun pin' = pin-actions",
-    "bake": "bun run build",
-    "fix": "bun run lint:fix",
-    "check": "bun run test:all",
-    "pin": "bun run pin-actions"
-  },
-  "devDependencies": {
-    "@eslint/js": "^10.0.1",
-    "@playwright/test": "^1.58.2",
-    "@types/node": "^25.5.0",
-    "@vitest/web-worker": "^3.2.4",
-    "assemblyscript": "^0.27.37",
-    "eslint": "^10.0.3",
-    "jiti": "^2.6.1",
-    "pin-github-action": "^3.4.0",
-    "tsx": "^4.21.0",
-    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.57.1",
-    "vitest": "^3.2.4"
-  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/xero/leviathan-crypto.git"