leviathan-crypto 1.0.0

package/dist/fortuna.js

@@ -0,0 +1,445 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/fortuna.ts
+//
+// Fortuna CSPRNG — Ferguson & Schneier, Practical Cryptography (2003), Chapter 9.
+// Backed by WASM Serpent-256 ECB (generator) and WASM SHA-256 (accumulator pools).
+// Requires init(['serpent', 'sha2']) before Fortuna.create().
+import { isInitialized } from './init.js';
+import { Serpent } from './serpent/index.js';
+import { SHA256 } from './sha2/index.js';
+import { wipe, utf8ToBytes, concat } from './utils.js';
+const isBrowser = typeof window !== 'undefined';
+const isNode = typeof process !== 'undefined' && typeof process.pid === 'number';
+/**
+ * Fortuna CSPRNG — spec §9.3–§9.5
+ *
+ * Use `Fortuna.create()` to instantiate. Direct construction is not allowed.
+ */
+export class Fortuna {
+    // ── Constants ──────────────────────────────────────────────────────────
+    static NUM_POOLS = 32;
+    static RESEED_LIMIT = 64; // bits — pool 0 threshold (spec §9.5)
+    static MS_PER_RESEED = 100; // ms — minimum reseed interval (spec §9.5)
+    static NODE_STATS_INTERVAL = 1000; // ms — OS stats collector interval
+    static CRYPTO_INTERVAL = 3000; // ms — crypto.randomBytes interval
+    // ── State ─────────────────────────────────────────────────────────────
+    serpent;
+    sha;
+    poolHash; // 32 running SHA-256 chain hashes (32 bytes each)
+    poolEntropy;
+    genKey;
+    genCnt;
+    reseedCnt;
+    lastReseed;
+    entropyLevel;
+    eventId;
+    active;
+    disposed;
+    msPerReseed;
+    robin;
+    // Collector references for cleanup
+    boundCollectors = {};
+    timers = [];
+    // ── Static factory ────────────────────────────────────────────────────
+    static async create(opts) {
+        if (!isInitialized('serpent'))
+            throw new Error('leviathan-crypto: call init([\'serpent\', \'sha2\']) before using Fortuna');
+        if (!isInitialized('sha2'))
+            throw new Error('leviathan-crypto: call init([\'serpent\', \'sha2\']) before using Fortuna');
+        const f = new Fortuna(opts?.msPerReseed ?? Fortuna.MS_PER_RESEED);
+        f.initialize(opts?.entropy);
+        return f;
+    }
+    constructor(msPerReseed) {
+        this.serpent = new Serpent();
+        this.sha = new SHA256();
+        this.poolHash = [];
+        this.poolEntropy = [];
+        this.genKey = new Uint8Array(32);
+        this.genCnt = new Uint8Array(16);
+        this.reseedCnt = 0;
+        this.lastReseed = 0;
+        this.entropyLevel = 0;
+        this.eventId = 0;
+        this.active = false;
+        this.disposed = false;
+        this.msPerReseed = msPerReseed;
+        this.robin = { kbd: 0, mouse: 0, scroll: 0, touch: 0, motion: 0, time: 0, rnd: 0, dom: 0 };
+        for (let i = 0; i < Fortuna.NUM_POOLS; i++) {
+            this.poolHash.push(new Uint8Array(32)); // zero-initialized chain value
+            this.poolEntropy.push(0);
+        }
+    }
+    // ── Public API ────────────────────────────────────────────────────────
+    /** Get n random bytes. Returns undefined if not yet seeded (reseedCnt === 0). */
+    get(length) {
+        if (this.disposed)
+            throw new Error('Fortuna instance has been disposed');
+        // Capture hrtime jitter at call time (Node.js) — spec §9.5
+        if (isNode)
+            this.captureHrtime();
+        // Check reseed trigger — spec §9.5
+        if (this.poolEntropy[0] >= Fortuna.RESEED_LIMIT &&
+            Date.now() >= this.lastReseed + this.msPerReseed) {
+            this.reseedCnt = (this.reseedCnt + 1) >>> 0; // u32 wrap
+            let seed = new Uint8Array(0);
+            let strength = 0;
+            for (let i = 0; i < Fortuna.NUM_POOLS; i++) {
+                if ((this.reseedCnt & (1 << i)) !== 0) {
+                    // Pool digest = current chain hash
+                    seed = concat(seed, this.poolHash[i]);
+                    strength += this.poolEntropy[i];
+                    // Reset pool
+                    this.poolHash[i] = new Uint8Array(32);
+                    this.poolEntropy[i] = 0;
+                }
+            }
+            this.entropyLevel -= strength;
+            this.reseed(seed);
+        }
+        if (this.reseedCnt === 0)
+            return undefined;
+        return this.pseudoRandomData(length);
+    }
+    /** Add external entropy to the pools. */
+    addEntropy(entropy) {
+        if (this.disposed)
+            throw new Error('Fortuna instance has been disposed');
+        this.addRandomEvent(entropy, this.robin.rnd, entropy.length * 8);
+        this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
+    }
+    /** Get estimated available entropy in bytes. */
+    getEntropy() {
+        if (this.disposed)
+            throw new Error('Fortuna instance has been disposed');
+        return Math.floor(this.entropyLevel / 8);
+    }
+    /** Permanently dispose this instance. Wipes key material, stops all collectors. */
+    stop() {
+        if (this.disposed)
+            throw new Error('Fortuna instance has been disposed');
+        this.stopCollectors();
+        wipe(this.genKey);
+        wipe(this.genCnt);
+        this.reseedCnt = 0;
+        this.disposed = true;
+    }
+    // ── Test-only accessors ───────────────────────────────────────────────
+    /** @internal — exposed for testing key replacement */
+    _getGenKey() {
+        return this.genKey;
+    }
+    /** @internal — exposed for testing pool state */
+    _getPoolEntropy() {
+        return this.poolEntropy;
+    }
+    /** @internal — exposed for testing reseed count */
+    _getReseedCnt() {
+        return this.reseedCnt;
+    }
+    // ── Generator (spec §9.4) ─────────────────────────────────────────────
+    /** Generate n blocks of 16 bytes each. — spec §9.4 */
+    generateBlocks(n) {
+        const out = new Uint8Array(n * 16);
+        for (let i = 0; i < n; i++) {
+            // Encrypt genCnt with Serpent-256 ECB
+            this.serpent.loadKey(this.genKey);
+            out.set(this.serpent.encryptBlock(this.genCnt), i * 16);
+            this.incrementCounter();
+        }
+        return out;
+    }
+    /** Get length pseudo-random bytes. — spec §9.4 */
+    pseudoRandomData(length) {
+        // Generate ceil(length/16) + 1 blocks — +1 ensures extra block before key replacement
+        const blocks = Math.ceil(length / 16) + 1;
+        const raw = this.generateBlocks(blocks);
+        const output = raw.slice(0, length);
+        // Key replacement — mandatory forward secrecy (spec §9.4)
+        this.genKey = this.generateBlocks(2);
+        return output;
+    }
+    /** Reseed the generator — spec §9.4 */
+    reseed(seed) {
+        // genKey = SHA256(genKey ‖ seed)
+        this.genKey = this.sha.hash(concat(this.genKey, seed));
+        // Increment counter — makes it nonzero on first reseed, marking generator as seeded
+        this.incrementCounter();
+        this.lastReseed = Date.now();
+    }
+    /** Increment 16-byte little-endian counter. — spec §9.4 */
+    incrementCounter() {
+        for (let i = 0; i < 16; i++) {
+            if (++this.genCnt[i] !== 0)
+                break;
+        }
+    }
+    // ── Accumulator (spec §9.5) ───────────────────────────────────────────
+    /** Add an event to a pool via hash chaining: poolHash[i] = SHA256(poolHash[i] ‖ eventId ‖ data). */
+    addRandomEvent(data, poolIdx, entropyBits) {
+        // Encode eventId as 4 bytes little-endian
+        const id = new Uint8Array(4);
+        id[0] = this.eventId & 0xff;
+        id[1] = (this.eventId >>> 8) & 0xff;
+        id[2] = (this.eventId >>> 16) & 0xff;
+        id[3] = (this.eventId >>> 24) & 0xff;
+        this.eventId = (this.eventId + 1) >>> 0; // u32 wrap
+        // Chain: poolHash[i] = SHA256(poolHash[i] ‖ id ‖ data)
+        this.poolHash[poolIdx] = this.sha.hash(concat(concat(this.poolHash[poolIdx], id), data));
+        this.poolEntropy[poolIdx] += entropyBits;
+        this.entropyLevel += entropyBits;
+    }
+    // ── Initialization ────────────────────────────────────────────────────
+    initialize(entropy) {
+        // Initial seeding — crypto random per pool (spec §9.5)
+        for (let i = 0; i < Fortuna.NUM_POOLS * 4; i++) {
+            this.collectorCryptoRandom();
+        }
+        // Timing entropy
+        this.collectorTime();
+        // DOM entropy (browser only)
+        this.collectorDom();
+        // Extra entropy from caller
+        if (entropy) {
+            this.addRandomEvent(entropy, this.robin.rnd, entropy.length * 8);
+            this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
+        }
+        this.startCollectors();
+    }
+    // ── Collectors ────────────────────────────────────────────────────────
+    startCollectors() {
+        if (this.active)
+            return;
+        if (isBrowser) {
+            const target = typeof window !== 'undefined' ? window : document;
+            if (target) {
+                this.boundCollectors.click = this.collectorClick.bind(this);
+                this.boundCollectors.keydown = this.collectorKeyboard.bind(this);
+                this.boundCollectors.scroll = this.collectorScroll.bind(this);
+                this.boundCollectors.mousemove = this.throttle(this.collectorMouse, 50, this);
+                this.boundCollectors.devicemotion = this.throttle(this.collectorMotion, 100, this);
+                this.boundCollectors.deviceorientation = this.collectorMotion.bind(this);
+                this.boundCollectors.orientationchange = this.collectorMotion.bind(this);
+                this.boundCollectors.touchmove = this.throttle(this.collectorTouch, 50, this);
+                this.boundCollectors.touchstart = this.collectorTouch.bind(this);
+                this.boundCollectors.touchend = this.collectorTouch.bind(this);
+                this.boundCollectors.load = this.collectorTime.bind(this);
+                for (const [event, handler] of Object.entries(this.boundCollectors)) {
+                    target.addEventListener(event, handler, true);
+                }
+            }
+        }
+        if (isNode) {
+            // OS stats timer
+            this.timers.push(setInterval(() => this.collectNodeStats(), Fortuna.NODE_STATS_INTERVAL));
+        }
+        // Crypto timer — both environments
+        this.timers.push(setInterval(() => this.collectorCryptoRandom(), Fortuna.CRYPTO_INTERVAL));
+        this.active = true;
+    }
+    stopCollectors() {
+        if (!this.active)
+            return;
+        if (isBrowser && typeof window !== 'undefined') {
+            for (const [event, handler] of Object.entries(this.boundCollectors)) {
+                window.removeEventListener(event, handler, true);
+            }
+        }
+        for (const timer of this.timers)
+            clearInterval(timer);
+        this.timers = [];
+        this.boundCollectors = {};
+        this.active = false;
+    }
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-function-type -- legacy throttle utility
+    throttle(fn, threshold, scope) {
+        let last;
+        let deferTimer;
+        return function (...args) {
+            const context = scope || this;
+            const now = Date.now();
+            if (last && now < last + threshold) {
+                clearTimeout(deferTimer);
+                deferTimer = setTimeout(() => {
+                    last = now;
+                    fn.apply(context, args);
+                }, threshold);
+            }
+            else {
+                last = now;
+                fn.apply(context, args);
+            }
+        };
+    }
+    collectorKeyboard(ev) {
+        const key = ev.key || '';
+        const b = new Uint8Array([key.charCodeAt(0) || 0, (ev.timeStamp || 0) & 0xff]);
+        this.addRandomEvent(b, this.robin.kbd, 1);
+        this.robin.kbd = (this.robin.kbd + 1) % Fortuna.NUM_POOLS;
+        this.collectorTime();
+    }
+    collectorMouse(ev) {
+        const x = ev.clientX || 0, y = ev.clientY || 0;
+        this.addRandomEvent(new Uint8Array([x >>> 8, x & 0xff, y >>> 8, y & 0xff]), this.robin.mouse, 2);
+        this.robin.mouse = (this.robin.mouse + 1) % Fortuna.NUM_POOLS;
+    }
+    collectorClick(ev) {
+        const x = ev.clientX || 0, y = ev.clientY || 0;
+        this.addRandomEvent(new Uint8Array([x >>> 8, x & 0xff, y >>> 8, y & 0xff]), this.robin.mouse, 2);
+        this.robin.mouse = (this.robin.mouse + 1) % Fortuna.NUM_POOLS;
+        this.collectorTime();
+    }
+    collectorTouch(ev) {
+        const touch = ev.touches[0] || ev.changedTouches[0];
+        if (!touch)
+            return;
+        const x = touch.pageX || touch.clientX || 0;
+        const y = touch.pageY || touch.clientY || 0;
+        this.addRandomEvent(new Uint8Array([x >>> 8, x & 0xff, y >>> 8, y & 0xff]), this.robin.touch, 2);
+        this.robin.touch = (this.robin.touch + 1) % Fortuna.NUM_POOLS;
+        this.collectorTime();
+    }
+    collectorScroll() {
+        if (typeof window === 'undefined')
+            return;
+        const x = window.scrollX || 0, y = window.scrollY || 0;
+        this.addRandomEvent(new Uint8Array([x >>> 8, x & 0xff, y >>> 8, y & 0xff]), this.robin.scroll, 1);
+        this.robin.scroll = (this.robin.scroll + 1) % Fortuna.NUM_POOLS;
+    }
+    collectorMotion(ev) {
+        const motion = ev;
+        const orient = ev;
+        if (motion.accelerationIncludingGravity) {
+            const a = motion.accelerationIncludingGravity;
+            const x = a.x || 0, y = a.y || 0, z = a.z || 0;
+            this.addRandomEvent(new Uint8Array([(x * 100) & 0xff, (y * 100) & 0xff, (z * 100) & 0xff]), this.robin.motion, 3);
+        }
+        if (typeof orient.alpha === 'number' && typeof orient.beta === 'number' && typeof orient.gamma === 'number') {
+            this.addRandomEvent(utf8ToBytes(orient.alpha.toString() + orient.beta.toString() + orient.gamma.toString()), this.robin.motion, 3);
+        }
+        this.robin.motion = (this.robin.motion + 1) % Fortuna.NUM_POOLS;
+    }
+    collectorTime() {
+        if (typeof performance !== 'undefined' && typeof performance.now === 'function') {
+            this.addRandomEvent(utf8ToBytes(performance.now().toString()), this.robin.time, 2);
+        }
+        else {
+            const t = Date.now();
+            const b = new Uint8Array(4);
+            b[0] = t & 0xff;
+            b[1] = (t >>> 8) & 0xff;
+            b[2] = (t >>> 16) & 0xff;
+            b[3] = (t >>> 24) & 0xff;
+            this.addRandomEvent(b, this.robin.time, 2);
+        }
+        this.robin.time = (this.robin.time + 1) % Fortuna.NUM_POOLS;
+    }
+    collectorDom() {
+        if (typeof document !== 'undefined' && document.documentElement) {
+            this.addRandomEvent(this.sha.hash(utf8ToBytes(document.documentElement.innerHTML)), this.robin.dom, 2);
+            this.robin.dom = (this.robin.dom + 1) % Fortuna.NUM_POOLS;
+        }
+    }
+    collectorCryptoRandom() {
+        try {
+            const rnd = new Uint8Array(128);
+            if (typeof globalThis.crypto !== 'undefined' && typeof globalThis.crypto.getRandomValues === 'function') {
+                globalThis.crypto.getRandomValues(rnd);
+            }
+            else if (isNode) {
+                // eslint-disable-next-line @typescript-eslint/no-require-imports
+                const nodeCrypto = require('node:crypto');
+                const buf = nodeCrypto.randomBytes(128);
+                rnd.set(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength));
+            }
+            else {
+                return; // no crypto source available
+            }
+            this.addRandomEvent(rnd, this.robin.rnd, 1024);
+            this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
+        }
+        catch { /* crypto may not be available */ }
+    }
+    captureHrtime() {
+        try {
+            const hr = process.hrtime.bigint();
+            const hrBytes = new Uint8Array(8);
+            for (let i = 0; i < 8; i++)
+                hrBytes[i] = Number((hr >> BigInt(i * 8)) & 0xffn);
+            this.addRandomEvent(hrBytes, this.robin.time, 8);
+            this.robin.time = (this.robin.time + 1) % Fortuna.NUM_POOLS;
+        }
+        catch { /* hrtime may not be available */ }
+    }
+    collectNodeStats() {
+        try {
+            // hrtime — nanosecond scheduling jitter
+            const hr = process.hrtime.bigint();
+            const hrBytes = new Uint8Array(8);
+            for (let i = 0; i < 8; i++)
+                hrBytes[i] = Number((hr >> BigInt(i * 8)) & 0xffn);
+            this.addRandomEvent(hrBytes, this.robin.time, 8);
+            this.robin.time = (this.robin.time + 1) % Fortuna.NUM_POOLS;
+            // cpuUsage — user + system CPU microseconds
+            const cpu = process.cpuUsage();
+            const cpuBytes = new Uint8Array(8);
+            cpuBytes[0] = cpu.user & 0xff;
+            cpuBytes[1] = (cpu.user >>> 8) & 0xff;
+            cpuBytes[2] = (cpu.user >>> 16) & 0xff;
+            cpuBytes[3] = (cpu.user >>> 24) & 0xff;
+            cpuBytes[4] = cpu.system & 0xff;
+            cpuBytes[5] = (cpu.system >>> 8) & 0xff;
+            cpuBytes[6] = (cpu.system >>> 16) & 0xff;
+            cpuBytes[7] = (cpu.system >>> 24) & 0xff;
+            this.addRandomEvent(cpuBytes, this.robin.rnd, 2);
+            this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
+            // memoryUsage — heapUsed changes constantly
+            const mem = process.memoryUsage();
+            const memVal = mem.heapUsed;
+            const memBytes = new Uint8Array(4);
+            memBytes[0] = memVal & 0xff;
+            memBytes[1] = (memVal >>> 8) & 0xff;
+            memBytes[2] = (memVal >>> 16) & 0xff;
+            memBytes[3] = (memVal >>> 24) & 0xff;
+            this.addRandomEvent(memBytes, this.robin.rnd, 1);
+            this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
+            // loadavg — slow-changing but real system state
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            const os = require('node:os');
+            const la = os.loadavg();
+            const laStr = la.map((n) => Math.round(n * 1000).toString()).join('');
+            this.addRandomEvent(utf8ToBytes(laStr), this.robin.time, 1);
+            this.robin.time = (this.robin.time + 1) % Fortuna.NUM_POOLS;
+            // freemem — changes with allocation activity
+            const fm = os.freemem();
+            const fmBytes = new Uint8Array(4);
+            fmBytes[0] = fm & 0xff;
+            fmBytes[1] = (fm >>> 8) & 0xff;
+            fmBytes[2] = (fm >>> 16) & 0xff;
+            fmBytes[3] = (fm >>> 24) & 0xff;
+            this.addRandomEvent(fmBytes, this.robin.rnd, 1);
+            this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
+        }
+        catch { /* Node APIs may not be available */ }
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+import type { Module, Mode, InitOpts } from './init.js';
+export declare function init(modules: Module | Module[], mode?: Mode, opts?: InitOpts): Promise<void>;
+export { type Module, type Mode, type InitOpts, isInitialized, _resetForTesting } from './init.js';
+export { serpentInit, SerpentSeal, Serpent, SerpentCtr, SerpentCbc, SerpentStream, SerpentStreamPool, SerpentStreamSealer, SerpentStreamOpener, SerpentStreamEncoder, SerpentStreamDecoder, _serpentReady } from './serpent/index.js';
+export type { StreamPoolOpts } from './serpent/index.js';
+export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, _chachaReady } from './chacha20/index.js';
+export { XChaCha20Poly1305Pool } from './chacha20/pool.js';
+export type { PoolOpts } from './chacha20/pool.js';
+export { sha2Init, SHA256, SHA512, SHA384, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, _sha2Ready } from './sha2/index.js';
+export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256, _sha3Ready } from './sha3/index.js';
+export { Fortuna } from './fortuna.js';
+export type { Hash, KeyedHash, Blockcipher, Streamcipher, AEAD } from './types.js';
+export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, wipe, xor, concat, randomBytes, } from './utils.js';

package/dist/index.js

@@ -0,0 +1,44 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// Root barrel — re-exports everything
+import { serpentInit } from './serpent/index.js';
+import { chacha20Init } from './chacha20/index.js';
+import { sha2Init } from './sha2/index.js';
+import { sha3Init } from './sha3/index.js';
+const _dispatchers = {
+    serpent: serpentInit,
+    chacha20: chacha20Init,
+    sha2: sha2Init,
+    sha3: sha3Init,
+};
+export async function init(modules, mode = 'embedded', opts) {
+    const list = Array.isArray(modules) ? modules : [modules];
+    await Promise.all(list.map(mod => _dispatchers[mod](mode, opts)));
+}
+export { isInitialized, _resetForTesting } from './init.js';
+export { serpentInit, SerpentSeal, Serpent, SerpentCtr, SerpentCbc, SerpentStream, SerpentStreamPool, SerpentStreamSealer, SerpentStreamOpener, SerpentStreamEncoder, SerpentStreamDecoder, _serpentReady } from './serpent/index.js';
+export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, _chachaReady } from './chacha20/index.js';
+export { XChaCha20Poly1305Pool } from './chacha20/pool.js';
+export { sha2Init, SHA256, SHA512, SHA384, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, _sha2Ready } from './sha2/index.js';
+export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256, _sha3Ready } from './sha3/index.js';
+export { Fortuna } from './fortuna.js';
+export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, wipe, xor, concat, randomBytes, } from './utils.js';

package/dist/init.d.ts

@@ -0,0 +1,11 @@
+export type Module = 'serpent' | 'chacha20' | 'sha2' | 'sha3';
+export type Mode = 'embedded' | 'streaming' | 'manual';
+export interface InitOpts {
+    wasmUrl?: URL | string;
+    wasmBinary?: Partial<Record<Module, Uint8Array | ArrayBuffer>>;
+}
+export declare function initModule(mod: Module, embeddedThunk: () => Promise<string>, mode?: Mode, opts?: InitOpts): Promise<void>;
+export declare function getInstance(mod: Module): WebAssembly.Instance;
+export declare function isInitialized(mod: Module): boolean;
+/** Reset all cached instances — for testing only */
+export declare function _resetForTesting(): void;

package/dist/init.js

@@ -0,0 +1,49 @@
+// Module-scope cache: one WebAssembly.Instance per module
+const instances = new Map();
+// Map from public module name to WASM filename
+const WASM_FILES = {
+    serpent: 'serpent.wasm',
+    chacha20: 'chacha.wasm',
+    sha2: 'sha2.wasm',
+    sha3: 'sha3.wasm',
+};
+export async function initModule(mod, embeddedThunk, mode = 'embedded', opts) {
+    if (instances.has(mod))
+        return;
+    let instance;
+    if (mode === 'embedded') {
+        const { loadEmbedded } = await import('./loader.js');
+        instance = await loadEmbedded(embeddedThunk);
+    }
+    else if (mode === 'streaming') {
+        if (!opts?.wasmUrl)
+            throw new Error('leviathan-crypto: streaming mode requires wasmUrl');
+        const { loadStreaming } = await import('./loader.js');
+        instance = await loadStreaming(mod, opts.wasmUrl, WASM_FILES[mod]);
+    }
+    else if (mode === 'manual') {
+        const binary = opts?.wasmBinary?.[mod];
+        if (!binary)
+            throw new Error(`leviathan-crypto: manual mode requires wasmBinary['${mod}']`);
+        const { loadManual } = await import('./loader.js');
+        instance = await loadManual(binary);
+    }
+    else {
+        throw new Error(`leviathan-crypto: unknown mode '${mode}'`);
+    }
+    instances.set(mod, instance);
+}
+export function getInstance(mod) {
+    const inst = instances.get(mod);
+    if (!inst) {
+        throw new Error(`leviathan-crypto: call init(['${mod}']) before using this class`);
+    }
+    return inst;
+}
+export function isInitialized(mod) {
+    return instances.has(mod);
+}
+/** Reset all cached instances — for testing only */
+export function _resetForTesting() {
+    instances.clear();
+}

package/dist/loader.d.ts

@@ -0,0 +1,4 @@
+import type { Module } from './init.js';
+export declare function loadEmbedded(thunk: () => Promise<string>): Promise<WebAssembly.Instance>;
+export declare function loadStreaming(_mod: Module, baseUrl: URL | string, filename: string): Promise<WebAssembly.Instance>;
+export declare function loadManual(binary: Uint8Array | ArrayBuffer): Promise<WebAssembly.Instance>;

package/dist/loader.js

@@ -0,0 +1,30 @@
+function base64ToBytes(b64) {
+    if (typeof atob === 'function') {
+        const raw = atob(b64);
+        const out = new Uint8Array(raw.length);
+        for (let i = 0; i < raw.length; i++)
+            out[i] = raw.charCodeAt(i);
+        return out;
+    }
+    return new Uint8Array(Buffer.from(b64, 'base64'));
+}
+async function instantiateFromBytes(bytes) {
+    const result = await WebAssembly.instantiate(bytes.buffer, { env: { memory: new WebAssembly.Memory({ initial: 3, maximum: 3 }) } });
+    return result.instance;
+}
+export async function loadEmbedded(thunk) {
+    const b64 = await thunk();
+    const bytes = base64ToBytes(b64);
+    return instantiateFromBytes(bytes);
+}
+export async function loadStreaming(_mod, baseUrl, filename) {
+    const url = new URL(filename, baseUrl).href;
+    const result = await WebAssembly.instantiateStreaming(fetch(url), {
+        env: { memory: new WebAssembly.Memory({ initial: 3, maximum: 3 }) },
+    });
+    return result.instance;
+}
+export async function loadManual(binary) {
+    const bytes = binary instanceof ArrayBuffer ? new Uint8Array(binary) : binary;
+    return instantiateFromBytes(bytes);
+}

package/dist/serpent/index.d.ts

@@ -0,0 +1,65 @@
+import type { Mode, InitOpts } from '../init.js';
+export declare function serpentInit(mode?: Mode, opts?: InitOpts): Promise<void>;
+export declare class Serpent {
+    private readonly x;
+    constructor();
+    loadKey(key: Uint8Array): void;
+    encryptBlock(plaintext: Uint8Array): Uint8Array;
+    decryptBlock(ciphertext: Uint8Array): Uint8Array;
+    dispose(): void;
+}
+/**
+ * Serpent-256 in CTR mode.
+ *
+ * **WARNING: CTR mode is unauthenticated.** An attacker can flip ciphertext
+ * bits without detection. Always pair with HMAC-SHA256 (Encrypt-then-MAC)
+ * or use `XChaCha20Poly1305` instead.
+ */
+export declare class SerpentCtr {
+    private readonly x;
+    constructor(opts?: {
+        dangerUnauthenticated: true;
+    });
+    beginEncrypt(key: Uint8Array, nonce: Uint8Array): void;
+    encryptChunk(chunk: Uint8Array): Uint8Array;
+    beginDecrypt(key: Uint8Array, nonce: Uint8Array): void;
+    decryptChunk(chunk: Uint8Array): Uint8Array;
+    dispose(): void;
+}
+/**
+ * Serpent-256 in CBC mode with PKCS7 padding.
+ *
+ * **WARNING: CBC mode is unauthenticated.** Always authenticate the output
+ * with HMAC-SHA256 (Encrypt-then-MAC) or use `XChaCha20Poly1305` instead.
+ */
+export declare class SerpentCbc {
+    private readonly x;
+    constructor(opts?: {
+        dangerUnauthenticated: true;
+    });
+    private get mem();
+    /**
+   * Encrypt plaintext with Serpent-256 CBC + PKCS7 padding.
+   *
+   * @param key       16, 24, or 32 bytes
+   * @param iv        16 bytes — must be random and unique per (key, message)
+   * @param plaintext any length — PKCS7 padding applied automatically
+   * @returns         ciphertext (length = ceil((plaintext.length + 1) / 16) * 16)
+   */
+    encrypt(key: Uint8Array, iv: Uint8Array, plaintext: Uint8Array): Uint8Array;
+    /**
+   * Decrypt Serpent-256 CBC + PKCS7.
+   * Throws if ciphertext length is not a non-zero multiple of 16 or PKCS7 is invalid.
+   */
+    decrypt(key: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array): Uint8Array;
+    dispose(): void;
+    private _loadKey;
+    private _setIv;
+}
+export { SerpentSeal } from './seal.js';
+export { SerpentStream, sealChunk, openChunk } from './stream.js';
+export { SerpentStreamPool } from './stream-pool.js';
+export type { StreamPoolOpts } from './stream-pool.js';
+export { SerpentStreamSealer, SerpentStreamOpener } from './stream-sealer.js';
+export { SerpentStreamEncoder, SerpentStreamDecoder } from './stream-encoder.js';
+export declare function _serpentReady(): boolean;