npm - leviathan-crypto - Versions diffs - 1.2.0 → 1.3.0 - Mend

leviathan-crypto 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/CLAUDE.md +19 -17
package/README.md +128 -63
package/SECURITY.md +2 -1
package/dist/docs/serpent.md +38 -4
package/dist/docs/utils.md +21 -0
package/dist/index.d.ts +1 -1
package/dist/index.js +1 -1
package/dist/serpent/index.d.ts +0 -1
package/dist/serpent/index.js +0 -2
package/dist/serpent/stream-sealer.d.ts +18 -2
package/dist/serpent/stream-sealer.js +122 -4
package/package.json +1 -1
package/dist/serpent/stream-encoder.d.ts +0 -20
package/dist/serpent/stream-encoder.js +0 -167

package/CLAUDE.md CHANGED Viewed

@@ -87,16 +87,12 @@ await serpentInit()
 | Classes | `init()` call |
 |---------|--------------|
-| `SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `SerpentStreamEncoder`, `SerpentStreamDecoder`, `Serpent`, `SerpentCtr`, `SerpentCbc` | `init(['serpent', 'sha2'])` |
+| `SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc` | `init(['serpent', 'sha2'])` |
 | `ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`, `XChaCha20Poly1305Pool` | `init(['chacha20'])` |
 | `SHA256`, `SHA384`, `SHA512`, `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512`, `HKDF_SHA256`, `HKDF_SHA512` | `init(['sha2'])` |
 | `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256` | `init(['sha3'])` |
 | `Fortuna` | `init(['serpent', 'sha2'])` |
-`Argon2id` is a separate subpath: `import { Argon2id } from 'leviathan-crypto/argon2id'`
-It does **not** require `init()` — it uses its own WASM loader.
-`'argon2id'` is **not** a valid module string for `init()`.
 ---
 ## Recommended patterns
@@ -138,23 +134,24 @@ const ptLast = opener.open(last)
 ### Length-prefixed streaming (for files and buffered transports)
-`SerpentStreamEncoder`/`SerpentStreamDecoder` wrap the sealer/opener with
-`u32be` length-prefixed framing so chunk boundaries are self-delimiting.
+Pass `{ framed: true }` to `SerpentStreamSealer`/`SerpentStreamOpener` for self-delimiting
+`u32be` length-prefixed framing. Use when chunks will be concatenated into a flat byte
+stream. Omit when the transport frames messages itself (WebSocket, IPC).
 ```typescript
-import { init, SerpentStreamEncoder, SerpentStreamDecoder, randomBytes } from 'leviathan-crypto'
+import { init, SerpentStreamSealer, SerpentStreamOpener, randomBytes } from 'leviathan-crypto'
 await init(['serpent', 'sha2'])
-const key     = randomBytes(64)
-const encoder = new SerpentStreamEncoder(key, 65536)
-const header  = encoder.header()
+const key    = randomBytes(64)
+const sealer = new SerpentStreamSealer(key, 65536, { framed: true })
+const header = sealer.header()
-const frame0  = encoder.encode(data0)         // u32be(len) || sealed chunk
-const last    = encoder.encodeFinal(tail)
+const frame0 = sealer.seal(data0)        // u32be(len) || sealed chunk
+const last   = sealer.final(tail)
-const decoder = new SerpentStreamDecoder(key, header)
-const chunks  = decoder.feed(frame0)          // returns Uint8Array[], throws on auth failure
+const opener = new SerpentStreamOpener(key, header, { framed: true })
+const chunks = opener.feed(frame0)       // Uint8Array[] — throws on auth failure
 ```
 ### XChaCha20-Poly1305
@@ -236,7 +233,7 @@ cipher.decrypt(key, iv, ciphertext)  // correct
 ## Utilities (no `init()` required)
 ```typescript
-import { hexToBytes, bytesToHex, randomBytes, constantTimeEqual, wipe } from 'leviathan-crypto'
+import { hexToBytes, bytesToHex, randomBytes, constantTimeEqual, wipe, hasSIMD } from 'leviathan-crypto'
 // available immediately — no await init() needed
 const key  = randomBytes(32)
@@ -246,6 +243,11 @@ const safe = constantTimeEqual(a, b)   // constant-time equality — never use =
 wipe(key)                               // zero a Uint8Array in place
 ```
+`hasSIMD()` returns `true` if the runtime supports WebAssembly SIMD. It is used
+internally — you do not need to call it. SIMD acceleration is fully transparent:
+`SerpentCtr.encryptChunk`, `SerpentCbc.decrypt`, and `ChaCha20.encryptChunk` all
+auto-dispatch to the faster 4-wide SIMD path when available, with no API change.
 ---
 ## Full documentation
@@ -254,7 +256,7 @@ The complete API reference ships in `docs/` alongside this file:
 | File | Contents |
 |------|----------|
-| `docs/serpent.md` | `SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `SerpentStreamEncoder`, `SerpentStreamDecoder`, `Serpent`, `SerpentCtr`, `SerpentCbc` |
+| `docs/serpent.md` | `SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc` |
 | `docs/chacha20.md` | `ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`, `XChaCha20Poly1305Pool` |
 | `docs/sha2.md` | `SHA256`, `SHA384`, `SHA512`, `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512`, `HKDF_SHA256`, `HKDF_SHA512` |
 | `docs/sha3.md` | `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256` |

package/README.md CHANGED Viewed

@@ -8,26 +8,62 @@
 > Web cryptography built on Serpent-256 paranoia and XChaCha20-Poly1305 elegance.
-**Serpent-256 is the cipher for those who distrust consensus.** In 2001, when NIST selected AES, Serpent actually received more first-place security votes from the evaluation committee. However, it lost because the competition also considered performance on hardware embedded systems, which are no longer representative of the environments for which we develop software. Serpent's designers made no compromises: thirty-two rounds, S-boxes implemented using pure Boolean logic gates without table lookups, and every bit processed for each block. You use Serpent not because a committee recommended it, but because you trust the cryptanalysis. The current best attack on the full thirty-two-round Serpent-256 achieves 2²⁵⁵·¹⁹ — less than one bit below the brute-force ceiling, and strictly impractical. This includes our own independent research, which improved upon the published result. See [`serpent_audit.md`](https://github.com/xero/leviathan-crypto/wiki/serpent_audit).
-**XChaCha20-Poly1305 is the cipher for those who appreciate design that has nothing to hide.** Daniel Bernstein built ChaCha20 as a twenty-round ARX construction: add, rotate, and XOR, in a precise choreography that simply doesn't have the attack surface that table-based ciphers do. It has no S-boxes, no cache-timing leakage, and requires no hardware acceleration to be fast. Poly1305 adds a final layer of security: a one-time authenticator with an unconditional forgery bound, mathematically guaranteed regardless of attacker compute power. XChaCha20-Poly1305 is the construction you reach for when you want an AEAD whose security proof you can actually read without a PhD. See [`chacha_audit.md`](https://github.com/xero/leviathan-crypto/wiki/chacha_audit).
-The tension between these two approaches constitutes the library's core identity. Serpent embodies defiance, ChaCha embodies elegance, yet both arrive at the same place: constant-time, side-channel resistant implementations, independently audited against their specifications. They represent two design philosophies that do not agree on anything, except the answer.
-**WebAssembly provides a correctness layer.** Each primitive compiles into its own isolated binary, executing outside the JavaScript JIT. This prevents speculative optimization from affecting key material and ensures that data-dependent timing vulnerabilities do not cross the boundary.
-**TypeScript acts as the ergonomics layer.** Fully typed classes, explicit `init()` gates, input validation, and authenticated compositions ensure primitives are connected correctly.
+**Serpent-256 is the cipher for those who distrust consensus.** In 2001, when
+NIST selected AES, Serpent actually received more first-place security votes
+from the evaluation committee. However, it lost because the competition also
+considered performance on hardware embedded systems, which are no longer
+representative of the environments for which we develop software. Serpent's
+designers made no compromises: thirty-two rounds, S-boxes implemented using
+pure Boolean logic gates without table lookups, and every bit processed for
+each block. You use Serpent not because a committee recommended it, but because
+you trust the cryptanalysis. The current best attack on the full
+thirty-two-round Serpent-256 achieves 2²⁵⁵·¹⁹ — less than one bit below the
+brute-force ceiling, and strictly impractical. This includes our own
+independent research, which improved upon the published result. See
+[`serpent_audit.md`](https://github.com/xero/leviathan-crypto/wiki/serpent_audit).
+**XChaCha20-Poly1305 is the cipher for those who appreciate design that has
+nothing to hide.** Daniel Bernstein built ChaCha20 as a twenty-round ARX
+construction: add, rotate, and XOR, in a precise choreography that simply
+doesn't have the attack surface that table-based ciphers do. It has no S-boxes,
+no cache-timing leakage, and requires no hardware acceleration to be fast.
+Poly1305 adds a final layer of security: a one-time authenticator with an
+unconditional forgery bound, mathematically guaranteed regardless of attacker
+compute power. XChaCha20-Poly1305 is the construction you reach for when you
+want an AEAD whose security proof you can actually read without a PhD. See
+[`chacha_audit.md`](https://github.com/xero/leviathan-crypto/wiki/chacha_audit).
+The tension between these two approaches constitutes the library's core
+identity. Serpent embodies defiance, ChaCha embodies elegance, yet both arrive
+at the same place: constant-time, side-channel resistant implementations,
+independently audited against their specifications. They represent two design
+philosophies that do not agree on anything, except the answer.
+**WebAssembly provides a correctness layer.** Each primitive compiles into its
+own isolated binary, executing outside the JavaScript JIT. This prevents
+speculative optimization from affecting key material and ensures that
+data-dependent timing vulnerabilities do not cross the boundary.
+**TypeScript acts as the ergonomics layer.** Fully typed classes, explicit
+`init()` gates, input validation, and authenticated compositions ensure
+primitives are connected correctly.
 ---
 #### **Zero Dependencies.**
-With no npm dependency graph to audit, the supply chain attack surface is eliminated.
+With no npm dependency graph to audit, the supply chain attack surface is
+eliminated.
 #### **Tree-shakeable.**
-Import only the cipher(s) you intend to use. Subpath exports allow bundlers to exclude everything else.
+Import only the cipher(s) you intend to use. Subpath exports allow bundlers to
+exclude everything else.
 #### **Side-effect Free.**
-Nothing runs upon import. Initialization via `init()` is explicit and asynchronous.
+Nothing runs upon import. Initialization via `init()` is explicit and
+asynchronous.
 ## Installation
@@ -40,7 +76,10 @@ npm install leviathan-crypto
 ```
 > [!NOTE]
-> The Serpent and ChaCha20 modules require a runtime with WebAssembly SIMD support. This has been a feature of all major browsers and runtimes since 2021. All other primitives (SHA-2, SHA-3, Poly1305) run on any WASM-capable runtime.
+> The Serpent and ChaCha20 modules require a runtime with WebAssembly SIMD
+> support. This has been a feature of all major browsers and runtimes since
+> 2021. All other primitives (SHA-2, SHA-3, Poly1305) run on any WASM-capable
+> runtime.
 ---
@@ -48,15 +87,30 @@ npm install leviathan-crypto
 **`lvthn-web`** [ [demo](https://leviathan.3xi.club/web) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-web) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-web/README.md) ]
-A browser encryption tool in a single, self-contained HTML file. Encrypt text or files using Serpent-256-CBC and Argon2id key derivation, then share the armored output. No server, installation, or network connection required after initial load. The code in is written to be read. The Encrypt-then-MAC construction, HMAC input (header with HMAC field zeroed + ciphertext), and Argon2id parameters are all intentional examples worth reading.
+A browser encryption tool in a single, self-contained HTML file. Encrypt text
+or files using Serpent-256-CBC and Argon2id key derivation, then share the
+armored output. No server, installation, or network connection required after
+initial load. The code is written to be read. The Encrypt-then-MAC
+construction, HMAC input (header with HMAC field zeroed + ciphertext), and
+Argon2id parameters are all intentional examples worth reading.
 **`lvthn-chat`** [ [demo](https://leviathan.3xi.club/chat) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-chat) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-chat/README.md) ]
-End-to-end encrypted chat featuring two-party messaging over X25519 key exchange and XChaCha20-Poly1305 message encryption. The relay server functions as a dumb WebSocket pipe that never sees plaintext. Each message incorporates sequence numbers, which allows the system to detect and reject replayed messages from an attacker. The demo deconstructs the protocol step by step, with visual feedback for both injection and replays.
+End-to-end encrypted chat featuring two-party messaging over X25519 key
+exchange and XChaCha20-Poly1305 message encryption. The relay server functions
+as a dumb WebSocket pipe that never sees plaintext. Each message incorporates
+sequence numbers, which allows the system to detect and reject replayed
+messages from an attacker. The demo deconstructs the protocol step by step,
+with visual feedback for both injection and replays.
 **`lvthn-cli`** [ [npm](https://www.npmjs.com/package/lvthn) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-cli) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-cli/README.md) ]
-File encryption CLI. Supports both Serpent-256 and XChaCha20-Poly1305, selectable via the `--cipher` flag. A single keyfile is compatible with both ciphers; the header byte determines decryption automatically. Encryption and decryption distribute 64KB chunks across a worker pool sized to hardwareConcurrency. Each worker owns an isolated WASM instance with no shared memory between workers.
+File encryption CLI. Supports both Serpent-256 and XChaCha20-Poly1305,
+selectable via the `--cipher` flag. A single keyfile is compatible with both
+ciphers; the header byte determines decryption automatically. Encryption and
+decryption distribute 64KB chunks across a worker pool sized to
+hardwareConcurrency. Each worker owns an isolated WASM instance with no shared
+memory between workers.
 ```sh
 bun i -g lvthn # or npm slow mode
@@ -69,27 +123,33 @@ cat secret.txt | lvthn encrypt -k my.key --armor > secret.enc
 ## Primitives
-| Classes                                                                   | Module            | Auth    | Notes                                                                                                |
-| ------------------------------------------------------------------------- | ----------------- | ------- | ---------------------------------------------------------------------------------------------------- |
-| `SerpentSeal`                                                             | `serpent`, `sha2` | **Yes** | Authenticated encryption: Serpent-CBC + HMAC-SHA256. Recommended for most use cases.                 |
-| `SerpentStream`, `SerpentStreamPool`                                      | `serpent`, `sha2` | **Yes** | Chunked one-shot AEAD for large payloads. Pool variant parallelises across workers.                  |
-| `SerpentStreamSealer`, `SerpentStreamOpener`                              | `serpent`, `sha2` | **Yes** | Incremental streaming AEAD: seal and open one chunk at a time without buffering the full message.    |
-| `SerpentStreamEncoder`, `SerpentStreamDecoder`                            | `serpent`, `sha2` | **Yes** | Length-prefixed framing over SerpentStreamSealer/Opener for flat byte streams (files, buffered TCP). |
-| `Serpent`, `SerpentCtr`, `SerpentCbc`                                     | `serpent`         | **No**  | Raw ECB, CTR, CBC modes. Unauthenticated — pair with HMAC-SHA256 for authentication.                 |
-| `XChaCha20Poly1305`, `ChaCha20Poly1305`                                   | `chacha20`        | **Yes** | AEAD — RFC 8439. XChaCha20 recommended (192-bit nonce).                                              |
-| `ChaCha20`                                                                | `chacha20`        | **No**  | Raw stream cipher. Unauthenticated — use with `Poly1305` for authentication.                         |
-| `Poly1305`                                                                | `chacha20`        | **No**  | One-time MAC — RFC 8439. Use via the AEAD classes unless you have a specific reason not to.          |
-| `SHA256`, `SHA384`, `SHA512`, `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512` | `sha2`            | -       | FIPS 180-4, RFC 2104                                                                                 |
-| `HKDF_SHA256`, `HKDF_SHA512`                                              | `sha2`            | -       | Key derivation — RFC 5869. Extract-and-expand over HMAC.                                             |
-| `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`    | `sha3`            | -       | FIPS 202                                                                                             |
-| `Fortuna`                                                                 | `fortuna`         | -       | Fortuna CSPRNG (Ferguson & Schneier). Requires `Fortuna.create()`.                                   |
+| Class                                                       | Module            | Auth    | Notes                                                                                                                                              |
+| ----------------------------------------------------------- | ----------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Authenticated encryption**                                |                   |         |                                                                                                                                                    |
+| `SerpentSeal`                                               | `serpent`, `sha2` | **Yes** | Serpent-CBC + HMAC-SHA256. Recommended default for most use cases. 64-byte key.                                                                    |
+| `SerpentStream`, `SerpentStreamPool`                        | `serpent`, `sha2` | **Yes** | Chunked one-shot AEAD for large payloads. Pool variant parallelises across workers. 32-byte key.                                                   |
+| `SerpentStreamSealer`, `SerpentStreamOpener`                | `serpent`, `sha2` | **Yes** | Incremental streaming AEAD: seal/open one chunk at a time. Pass `{ framed: true }` for self-delimiting `u32be` length-prefix framing. 64-byte key. |
+| `XChaCha20Poly1305`                                         | `chacha20`        | **Yes** | XChaCha20-Poly1305 AEAD. Recommended when you want a simpler API or a 192-bit nonce safe for random generation. 32-byte key.                       |
+| `XChaCha20Poly1305Pool`                                     | `chacha20`        | **Yes** | Worker-pool wrapper for `XChaCha20Poly1305`. Parallelises encryption across isolated WASM instances.                                               |
+| `ChaCha20Poly1305`                                          | `chacha20`        | **Yes** | ChaCha20-Poly1305 AEAD — RFC 8439. 12-byte nonce; prefer `XChaCha20Poly1305` unless you need RFC 8439 exact compliance.                            |
+| **Unauthenticated primitives** _pair with HMAC or use AEAD_ |                   |         |                                                                                                                                                    |
+| `Serpent`                                                   | `serpent`         | **No**  | Serpent-256 ECB block cipher. Single-block encrypt/decrypt.                                                                                        |
+| `SerpentCtr`                                                | `serpent`         | **No**  | Serpent-256 CTR mode stream cipher. Requires `{ dangerUnauthenticated: true }`.                                                                    |
+| `SerpentCbc`                                                | `serpent`         | **No**  | Serpent-256 CBC mode with PKCS7 padding. Requires `{ dangerUnauthenticated: true }`.                                                               |
+| `ChaCha20`                                                  | `chacha20`        | **No**  | ChaCha20 stream cipher — RFC 8439. Unauthenticated; use `XChaCha20Poly1305` unless you need raw keystream.                                         |
+| `Poly1305`                                                  | `chacha20`        | **No**  | Poly1305 one-time MAC — RFC 8439. Use via the AEAD classes unless you have a specific reason not to.                                               |
+| **Hashing and key derivation**                              |                   |         |                                                                                                                                                    |
+| `SHA256`, `SHA384`, `SHA512`                                | `sha2`            | —       | SHA-2 family — FIPS 180-4.                                                                                                                         |
+| `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512`                 | `sha2`            | —       | HMAC construction over SHA-2 — RFC 2104.                                                                                                           |
+| `HKDF_SHA256`, `HKDF_SHA512`                                | `sha2`            | —       | Extract-and-expand key derivation over HMAC — RFC 5869.                                                                                            |
+| `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`              | `sha3`            | —       | SHA-3 family — FIPS 202. Keccak-based, structurally independent of SHA-2.                                                                          |
+| `SHAKE128`, `SHAKE256`                                      | `sha3`            | —       | Extendable output functions (XOF) — FIPS 202. Variable-length output; useful for key derivation and stream generation.                             |
+| **CSPRNG**                                                  |                   |         |                                                                                                                                                    |
+| `Fortuna`                                                   | `serpent`, `sha2` | —       | Fortuna CSPRNG (Ferguson & Schneier). 32 entropy pools, forward secrecy. Use `Fortuna.create()`.                                                   |
 > [!IMPORTANT]
 > All cryptographic computation runs in WASM (AssemblyScript), isolated outside the JavaScript JIT. The TypeScript layer provides the public API with input validation, type safety, and developer ergonomics.
-> [!WARNING]
-> `SerpentCtr` and `SerpentCbc` are **unauthenticated** cipher modes. They provide confidentiality but not integrity or authenticity. An attacker can modify ciphertext without detection. For authenticated Serpent encryption use `SerpentSeal` or `SerpentStreamSealer`. When using CBC/CTR directly, pair with `HMAC_SHA256` using the Encrypt-then-MAC pattern.
 ---
 ## Quick Start
@@ -135,7 +195,8 @@ const decrypted = chacha.decrypt(key, nonce, ciphertext)
 chacha.dispose()
 ```
-For more examples, including streaming, chunking, hashing, and key derivation, see the [examples page](https://github.com/xero/leviathan-crypto/wiki/examples).
+For more examples, including streaming, chunking, hashing, and key derivation,
+see the [examples page](https://github.com/xero/leviathan-crypto/wiki/examples).
 ---
@@ -154,7 +215,8 @@ await init(['serpent'], 'manual', { wasmBinary: { serpent: myBuffer } })
 ### Tree-shaking with subpath imports
-Each cipher ships as its own subpath export. A bundler with tree-shaking support and `"sideEffects": false` will exclude every module you don't import:
+Each cipher ships as its own subpath export. A bundler with tree-shaking
+support and `"sideEffects": false` will exclude every module you don't import:
 ```typescript
 // Only serpent.wasm ends up in your bundle
@@ -186,37 +248,38 @@ await chacha20Init()
 ### API Surface
-| Module       | MD/Wiki                                                                                       | Description                                                                                                                                                           |
-| ------------ | --------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| serpent      | [▼](./docs/serpent.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/serpent)           | Serpent-256 TypeScript API (`SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc`) |
-| asm_serpent  | [▼](./docs/asm_serpent.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_serpent)   | Serpent-256 WASM implementation (bitslice S-boxes, key schedule, CTR/CBC)                                                                                             |
-| chacha20     | [▼](./docs/chacha20.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/chacha20)         | ChaCha20/Poly1305 TypeScript API (`ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`)                                                                    |
-| asm_chacha   | [▼](./docs/asm_chacha.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_chacha)     | ChaCha20/Poly1305 WASM implementation (quarter-round, HChaCha20)                                                                                                      |
-| sha2         | [▼](./docs/sha2.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/sha2)                 | SHA-2 TypeScript API (`SHA256`, `SHA512`, `SHA384`, `HMAC_SHA256`, `HMAC_SHA512`, `HMAC_SHA384`)                                                                      |
-| asm_sha2     | [▼](./docs/asm_sha2.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_sha2)         | SHA-2 WASM implementation (compression functions, HMAC)                                                                                                               |
-| sha3         | [▼](./docs/sha3.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/sha3)                 | SHA-3 TypeScript API (`SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`)                                                                         |
-| asm_sha3     | [▼](./docs/asm_sha3.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_sha3)         | SHA-3 WASM implementation (Keccak-f[1600], sponge construction)                                                                                                       |
-| fortuna      | [▼](./docs/fortuna.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/fortuna)           | Fortuna CSPRNG (forward secrecy, 32 entropy pools)                                                                                                                    |
-| init         | [▼](./docs/init.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/init)                 | `init()` API and WASM loading modes                                                                                                                                   |
-| utils        | [▼](./docs/utils.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils)               | Encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`                                                                                                          |
-| types        | [▼](./docs/types.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/types)               | TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)                                                                                    |
+| Module      | MD/Wiki                                                                                     | Description                                                                                                                                                           |
+| ----------- | ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| serpent     | [▼](./docs/serpent.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/serpent)         | Serpent-256 TypeScript API (`SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc`) |
+| asm_serpent | [▼](./docs/asm_serpent.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_serpent) | Serpent-256 WASM implementation (bitslice S-boxes, key schedule, CTR/CBC)                                                                                             |
+| chacha20    | [▼](./docs/chacha20.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/chacha20)       | ChaCha20/Poly1305 TypeScript API (`ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`, `XChaCha20Poly1305Pool`)                                           |
+| asm_chacha  | [▼](./docs/asm_chacha.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_chacha)   | ChaCha20/Poly1305 WASM implementation (quarter-round, HChaCha20)                                                                                                      |
+| sha2        | [▼](./docs/sha2.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/sha2)               | SHA-2 TypeScript API (`SHA256`, `SHA512`, `SHA384`, `HMAC_SHA256`, `HMAC_SHA512`, `HMAC_SHA384`)                                                                      |
+| asm_sha2    | [▼](./docs/asm_sha2.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_sha2)       | SHA-2 WASM implementation (compression functions, HMAC)                                                                                                               |
+| sha3        | [▼](./docs/sha3.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/sha3)               | SHA-3 TypeScript API (`SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`)                                                                         |
+| asm_sha3    | [▼](./docs/asm_sha3.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_sha3)       | SHA-3 WASM implementation (Keccak-f[1600], sponge construction)                                                                                                       |
+| fortuna     | [▼](./docs/fortuna.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/fortuna)         | Fortuna CSPRNG (forward secrecy, 32 entropy pools)                                                                                                                    |
+| init        | [▼](./docs/init.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/init)               | `init()` API and WASM loading modes                                                                                                                                   |
+| utils       | [▼](./docs/utils.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils)             | Encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`                                                                                                          |
+| types       | [▼](./docs/types.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/types)             | TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)                                                                                    |
 ### Utilities
 These helpers are available immediately on import with no `init()` required.
-| Function                     | MD/Wiki                                                                                                             | Description                                                    |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- |
-| `hexToBytes(hex)`            | [▼](./docs/utils.md#hextobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#hextobytes)               | Hex string to `Uint8Array` (accepts uppercase, `0x` prefix)    |
-| `bytesToHex(bytes)`          | [▼](./docs/utils.md#bytestohex) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestohex)               | `Uint8Array` to lowercase hex string                           |
-| `utf8ToBytes(str)`           | [▼](./docs/utils.md#utf8tobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#utf8tobytes)             | UTF-8 string to `Uint8Array`                                   |
-| `bytesToUtf8(bytes)`         | [▼](./docs/utils.md#bytestoutf8) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestoutf8)             | `Uint8Array` to UTF-8 string                                   |
-| `base64ToBytes(b64)`         | [▼](./docs/utils.md#base64tobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#base64tobytes)         | Base64/base64url string to `Uint8Array` (undefined on invalid) |
-| `bytesToBase64(bytes, url?)` | [▼](./docs/utils.md#bytestobase64) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestobase64)         | `Uint8Array` to base64 string (url=true for base64url)         |
-| `constantTimeEqual(a, b)`    | [▼](./docs/utils.md#constanttimeequal) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#constanttimeequal) | Constant-time byte comparison (XOR-accumulate)                 |
-| `wipe(data)`                 | [▼](./docs/utils.md#wipe) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#wipe)                           | Zero a typed array in place                                    |
-| `xor(a, b)`                  | [▼](./docs/utils.md#xor) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#xor)                             | XOR two equal-length `Uint8Array`s                             |
-| `concat(a, b)`               | [▼](./docs/utils.md#concat) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#concat)                       | Concatenate two `Uint8Array`s                                  |
+| Function                     | MD/Wiki                                                                                                             | Description                                                                                               |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| `hexToBytes(hex)`            | [▼](./docs/utils.md#hextobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#hextobytes)               | Hex string to `Uint8Array` (accepts uppercase, `0x` prefix)                                               |
+| `bytesToHex(bytes)`          | [▼](./docs/utils.md#bytestohex) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestohex)               | `Uint8Array` to lowercase hex string                                                                      |
+| `utf8ToBytes(str)`           | [▼](./docs/utils.md#utf8tobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#utf8tobytes)             | UTF-8 string to `Uint8Array`                                                                              |
+| `bytesToUtf8(bytes)`         | [▼](./docs/utils.md#bytestoutf8) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestoutf8)             | `Uint8Array` to UTF-8 string                                                                              |
+| `base64ToBytes(b64)`         | [▼](./docs/utils.md#base64tobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#base64tobytes)         | Base64/base64url string to `Uint8Array` (undefined on invalid)                                            |
+| `bytesToBase64(bytes, url?)` | [▼](./docs/utils.md#bytestobase64) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestobase64)         | `Uint8Array` to base64 string (url=true for base64url)                                                    |
+| `constantTimeEqual(a, b)`    | [▼](./docs/utils.md#constanttimeequal) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#constanttimeequal) | Constant-time byte comparison (XOR-accumulate)                                                            |
+| `wipe(data)`                 | [▼](./docs/utils.md#wipe) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#wipe)                           | Zero a typed array in place                                                                               |
+| `xor(a, b)`                  | [▼](./docs/utils.md#xor) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#xor)                             | XOR two equal-length `Uint8Array`s                                                                        |
+| `concat(a, b)`               | [▼](./docs/utils.md#concat) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#concat)                       | Concatenate two `Uint8Array`s                                                                             |
+| `hasSIMD()`                  | [▼](./docs/utils.md#hassimd) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#hassimd)                     | Detects WebAssembly SIMD support. Cached after first call. Used internally for CTR/CBC/ChaCha20 dispatch. |
 ### Algorithm correctness and verifications
@@ -230,13 +293,14 @@ These helpers are available immediately on import with no `init()` required.
 | hkdf_audit    | [▼](./docs/hkdf_audit.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/hkdf_audit)       | HKDF extract-then-expand, info field domain separation, SerpentStream key derivation   |
 >[!NOTE]
-> Additional documentation available in [./docs](./docs/README.md) and on the [project wiki](https://github.com/xero/leviathan-crypto/wiki/).
+> Additional documentation available in [./docs](./docs/README.md) and on the
+> [project wiki](https://github.com/xero/leviathan-crypto/wiki/).
 ---
 ## License
-leviathan is written under the [MIT license](http://www.opensource.org/licenses/MIT).
+leviathan-crypto is released under the [MIT license](./LICENSE).
 ```
                 ▄▄▄▄▄▄▄▄▄▄
@@ -260,3 +324,4 @@ leviathan is written under the [MIT license](http://www.opensource.org/licenses/
 ▀██████▀             ▀████▄▄▄████▀
                         ▀█████▀
 ```

package/SECURITY.md CHANGED Viewed

@@ -13,7 +13,8 @@
 | Version | Supported |
 |---------|-----------|
-| v1.2.x  | ︎✓         |
+| v1.3.x  | ︎✓         |
+| v1.2.x  | ✓         |
 | v1.1.x  | ✗         |
 | v1.0.x  | ✗         |

package/dist/docs/serpent.md CHANGED Viewed

@@ -265,6 +265,12 @@ automatically.
 - **chunk** -- any length up to the module's internal chunk buffer size. Throws
   `RangeError` if the chunk exceeds the maximum size.
+> [!NOTE]
+> Automatically dispatches to the 4-wide SIMD path (`encryptChunk_simd`) when
+> the runtime supports WebAssembly SIMD (`hasSIMD()` returns `true`), otherwise
+> falls back to the scalar unrolled path. The dispatch is transparent — no API
+> change required.
 ---
 #### `beginDecrypt(key: Uint8Array, nonce: Uint8Array): void`
@@ -353,6 +359,12 @@ Decrypts Serpent CBC ciphertext and strips PKCS7 padding.
 Returns the decrypted plaintext as a new `Uint8Array`.
+> [!NOTE]
+> Automatically dispatches to the 4-wide SIMD path (`cbcDecryptChunk_simd`) when
+> the runtime supports WebAssembly SIMD (`hasSIMD()` returns `true`), otherwise
+> falls back to the scalar unrolled path. CBC encryption has no SIMD variant —
+> each ciphertext block depends on the previous one.
 ---
 #### `dispose(): void`
@@ -535,7 +547,7 @@ and cross-stream splicing are all detected.
 ```typescript
 class SerpentStreamSealer {
-	constructor(key: Uint8Array, chunkSize?: number)
+	constructor(key: Uint8Array, chunkSize?: number, opts?: { framed?: boolean })
 	header(): Uint8Array        // call once before seal() — returns 20 bytes
 	seal(plaintext: Uint8Array): Uint8Array   // exactly chunkSize bytes
 	final(plaintext: Uint8Array): Uint8Array  // <= chunkSize bytes; wipes on return
@@ -543,8 +555,9 @@ class SerpentStreamSealer {
 }
 class SerpentStreamOpener {
-	constructor(key: Uint8Array, header: Uint8Array)
+	constructor(key: Uint8Array, header: Uint8Array, opts?: { framed?: boolean })
 	open(chunk: Uint8Array): Uint8Array  // throws on auth failure or post-final
+	feed(bytes: Uint8Array): Uint8Array[]  // framed mode only — accumulates and parses frames
 	dispose(): void
 }
 ```
@@ -576,12 +589,18 @@ wipes its key material and transitions to `dead`. Subsequent `open()` calls thro
 ---
-#### `constructor(key, chunkSize?)`
+#### `constructor(key, chunkSize?, opts?)`
 - **key** — 64-byte key. Throws `RangeError` if wrong length.
 - **chunkSize** — bytes per chunk. Must be 1024–65536. Default: 65536. Throws
   `RangeError` if out of range.
+##### Options (`opts`)
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `framed` | `boolean` | `false` | Prepend `u32be(sealedLen)` to each `seal()`/`final()` output. Use for flat byte streams (files, pipes, TCP). Omit when the transport already frames messages (WebSocket, IPC). |
 ---
 #### `header()`
@@ -615,12 +634,18 @@ Safe to call after `final()` — no-op if already dead.
 ---
-#### `constructor(key, header)` (opener)
+#### `constructor(key, header, opts?)` (opener)
 - **key** — 64-byte key. Throws `RangeError` if wrong length.
 - **header** — 20-byte stream header from `sealer.header()`. Throws `RangeError`
   if wrong length.
+##### Options (`opts`)
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `framed` | `boolean` | `false` | Enable byte-accumulation mode. Parses `u32be` length prefixes and dispatches complete frames to `open()` internally. Required to use `feed()`. |
 ---
 #### `open(chunk)`
@@ -631,6 +656,15 @@ plaintext bytes (PKCS7 padding stripped).
 ---
+#### `feed(bytes: Uint8Array): Uint8Array[]`
+Only callable when constructed with `{ framed: true }`. Accumulates incoming bytes,
+parses `u32be` length prefixes, dispatches complete frames to `open()` internally.
+Returns an array of decrypted chunks — zero, one, or more per call depending on how
+many complete frames were buffered. Throws if called on an unframed opener.
+---
 #### `dispose()` (opener)
 Wipes key material. Safe to call at any point — use to abort opening a stream

package/dist/docs/utils.md CHANGED Viewed

@@ -143,6 +143,26 @@ Returns `n` cryptographically secure random bytes via the Web Crypto API (`crypt
 ---
+### hasSIMD
+```typescript
+hasSIMD(): boolean
+```
+Returns `true` if the current runtime supports WebAssembly SIMD (the `v128`
+type and associated operations). The result is computed once on first call by
+validating a minimal v128 WASM module, then cached for subsequent calls.
+This function is called internally by `SerpentCtr.encryptChunk`,
+`SerpentCbc.decrypt`, and `ChaCha20.encryptChunk` to select the fast SIMD path
+at runtime. It is exported for informational purposes — you do not need to call
+it yourself. SIMD dispatch is fully automatic.
+Supported in all modern browsers and Node.js 16+. Returns `false` in older
+environments, which fall back silently to the scalar path.
+---
 ## Usage Examples
 ### Converting between formats
@@ -258,6 +278,7 @@ console.log(combined.length) // 32
 | `constantTimeEqual` | Arrays differ in length | Returns `false` immediately |
 | `xor` | Arrays differ in length | Throws `RangeError` |
 | `randomBytes` | `crypto` not available | Throws (runtime-dependent) |
+| `hasSIMD` | `WebAssembly` not available | Returns `false` |
 ---

package/dist/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import type { Module, Mode, InitOpts } from './init.js';
 export declare function init(modules: Module | Module[], mode?: Mode, opts?: InitOpts): Promise<void>;
 export { type Module, type Mode, type InitOpts, isInitialized, _resetForTesting } from './init.js';
-export { serpentInit, SerpentSeal, Serpent, SerpentCtr, SerpentCbc, SerpentStream, SerpentStreamPool, SerpentStreamSealer, SerpentStreamOpener, SerpentStreamEncoder, SerpentStreamDecoder, _serpentReady } from './serpent/index.js';
+export { serpentInit, SerpentSeal, Serpent, SerpentCtr, SerpentCbc, SerpentStream, SerpentStreamPool, SerpentStreamSealer, SerpentStreamOpener, _serpentReady } from './serpent/index.js';
 export type { StreamPoolOpts } from './serpent/index.js';
 export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, _chachaReady } from './chacha20/index.js';
 export { XChaCha20Poly1305Pool } from './chacha20/pool.js';

package/dist/index.js CHANGED Viewed

@@ -35,7 +35,7 @@ export async function init(modules, mode = 'embedded', opts) {
     await Promise.all(list.map(mod => _dispatchers[mod](mode, opts)));
 }
 export { isInitialized, _resetForTesting } from './init.js';
-export { serpentInit, SerpentSeal, Serpent, SerpentCtr, SerpentCbc, SerpentStream, SerpentStreamPool, SerpentStreamSealer, SerpentStreamOpener, SerpentStreamEncoder, SerpentStreamDecoder, _serpentReady } from './serpent/index.js';
+export { serpentInit, SerpentSeal, Serpent, SerpentCtr, SerpentCbc, SerpentStream, SerpentStreamPool, SerpentStreamSealer, SerpentStreamOpener, _serpentReady } from './serpent/index.js';
 export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, _chachaReady } from './chacha20/index.js';
 export { XChaCha20Poly1305Pool } from './chacha20/pool.js';
 export { sha2Init, SHA256, SHA512, SHA384, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, _sha2Ready } from './sha2/index.js';

package/dist/serpent/index.d.ts CHANGED Viewed

@@ -61,5 +61,4 @@ export { SerpentStream, sealChunk, openChunk } from './stream.js';
 export { SerpentStreamPool } from './stream-pool.js';
 export type { StreamPoolOpts } from './stream-pool.js';
 export { SerpentStreamSealer, SerpentStreamOpener } from './stream-sealer.js';
-export { SerpentStreamEncoder, SerpentStreamDecoder } from './stream-encoder.js';
 export declare function _serpentReady(): boolean;

package/dist/serpent/index.js CHANGED Viewed

@@ -231,8 +231,6 @@ export { SerpentStream, sealChunk, openChunk } from './stream.js';
 export { SerpentStreamPool } from './stream-pool.js';
 // ── SerpentStreamSealer / SerpentStreamOpener re-export ───────────────────────
 export { SerpentStreamSealer, SerpentStreamOpener } from './stream-sealer.js';
-// ── SerpentStreamEncoder / SerpentStreamDecoder re-export ─────────────────────
-export { SerpentStreamEncoder, SerpentStreamDecoder } from './stream-encoder.js';
 // ── Ready check ──────────────────────────────────────────────────────────────
 export function _serpentReady() {
     try {

package/dist/serpent/stream-sealer.d.ts CHANGED Viewed

@@ -5,11 +5,19 @@ export declare class SerpentStreamSealer {
     private readonly _cbc;
     private readonly _hmac;
     private readonly _hkdf;
+    private readonly _framed;
     private readonly _ivs;
     private _ivIdx;
     private _index;
     private _state;
-    constructor(key: Uint8Array, chunkSize?: number, _nonce?: Uint8Array, _ivs?: Uint8Array[]);
+    /** Public: consumers use this 3-param form. */
+    constructor(key: Uint8Array, chunkSize?: number, opts?: {
+        framed?: boolean;
+    });
+    /** @internal Test-only overload to inject fixed nonce/IVs for deterministic KAT vectors. */
+    constructor(key: Uint8Array, chunkSize: number | undefined, opts: {
+        framed?: boolean;
+    } | undefined, _nonce: Uint8Array, _ivs?: Uint8Array[]);
     header(): Uint8Array;
     seal(plaintext: Uint8Array): Uint8Array;
     final(plaintext: Uint8Array): Uint8Array;
@@ -24,11 +32,19 @@ export declare class SerpentStreamOpener {
     private readonly _cbc;
     private readonly _hmac;
     private readonly _hkdf;
+    private readonly _framed;
+    private readonly _buf;
+    private readonly _maxFrame;
+    private _bufLen;
     private _index;
     private _dead;
-    constructor(key: Uint8Array, header: Uint8Array);
+    constructor(key: Uint8Array, header: Uint8Array, opts?: {
+        framed?: boolean;
+    });
     get closed(): boolean;
     open(chunk: Uint8Array): Uint8Array;
+    private _openRaw;
+    feed(bytes: Uint8Array): Uint8Array[];
     private _wipe;
     dispose(): void;
 }

package/dist/serpent/stream-sealer.js CHANGED Viewed

@@ -63,12 +63,12 @@ export class SerpentStreamSealer {
     _cbc;
     _hmac;
     _hkdf;
+    _framed;
     _ivs; // test seam: fixed IVs
     _ivIdx;
     _index;
     _state;
-    // _nonce, _ivs: test seams — inject fixed nonce/IVs for deterministic KAT vectors
-    constructor(key, chunkSize, _nonce, _ivs) {
+    constructor(key, chunkSize, opts, _nonce, _ivs) {
         if (!_serpentReady())
             throw new Error('leviathan-crypto: call init([\'serpent\']) before using SerpentStreamSealer');
         if (!_sha2Ready())
@@ -80,6 +80,7 @@ export class SerpentStreamSealer {
             throw new RangeError(`SerpentStreamSealer chunkSize must be ${CHUNK_MIN}..${CHUNK_MAX} (got ${cs})`);
         this._key = key.slice();
         this._cs = cs;
+        this._framed = opts?.framed ?? false;
         this._nonce = new Uint8Array(16);
         if (_nonce && _nonce.length === 16) {
             this._nonce.set(_nonce);
@@ -138,7 +139,13 @@ export class SerpentStreamSealer {
         const ciphertext = this._cbc.encrypt(encKey, iv, plaintext);
         const tag = this._hmac.hash(macKey, concat(iv, ciphertext));
         this._index++;
-        return concat(concat(iv, ciphertext), tag);
+        const sealed = concat(concat(iv, ciphertext), tag);
+        if (!this._framed)
+            return sealed;
+        const out = new Uint8Array(4 + sealed.length);
+        out.set(u32be(sealed.length), 0);
+        out.set(sealed, 4);
+        return out;
     }
     _wipe() {
         wipe(this._key);
@@ -160,9 +167,13 @@ export class SerpentStreamOpener {
     _cbc;
     _hmac;
     _hkdf;
+    _framed;
+    _buf;
+    _maxFrame;
+    _bufLen;
     _index;
     _dead;
-    constructor(key, header) {
+    constructor(key, header, opts) {
         if (!_serpentReady())
             throw new Error('leviathan-crypto: call init([\'serpent\']) before using SerpentStreamOpener');
         if (!_sha2Ready())
@@ -174,11 +185,21 @@ export class SerpentStreamOpener {
         this._key = key.slice();
         this._nonce = header.slice(0, 16);
         this._cs = (header[16] << 24 | header[17] << 16 | header[18] << 8 | header[19]) >>> 0;
+        if (this._cs < CHUNK_MIN || this._cs > CHUNK_MAX)
+            throw new RangeError(`SerpentStreamOpener: header contains invalid chunkSize ${this._cs} (expected ${CHUNK_MIN}..${CHUNK_MAX})`);
+        this._framed = opts?.framed ?? false;
         this._cbc = new SerpentCbc({ dangerUnauthenticated: true });
         this._hmac = new HMAC_SHA256();
         this._hkdf = new HKDF_SHA256();
         this._index = 0;
         this._dead = false;
+        this._bufLen = 0;
+        if (this._framed) {
+            const cs = this._cs;
+            const maxSealed = 16 + (cs + (16 - (cs % 16))) + 32;
+            this._maxFrame = 4 + maxSealed;
+            this._buf = new Uint8Array(this._maxFrame);
+        }
     }
     get closed() {
         return this._dead;
@@ -186,6 +207,11 @@ export class SerpentStreamOpener {
     open(chunk) {
         if (this._dead)
             throw new Error('SerpentStreamOpener: stream is closed');
+        if (this._framed)
+            throw new Error('SerpentStreamOpener: call feed() on framed openers — open() expects raw sealed chunks without length prefix');
+        return this._openRaw(chunk);
+    }
+    _openRaw(chunk) {
         // Try isLast = true first, then false.
         // Whichever passes auth is the correct interpretation.
         for (const isLast of [true, false]) {
@@ -208,12 +234,104 @@ export class SerpentStreamOpener {
         }
         throw new Error('SerpentStreamOpener: authentication failed');
     }
+    feed(bytes) {
+        if (!this._framed)
+            throw new Error('SerpentStreamOpener: feed() requires { framed: true }');
+        if (this._dead)
+            throw new Error('SerpentStreamOpener: stream is closed');
+        const buf = this._buf;
+        const maxFrame = this._maxFrame;
+        const results = [];
+        let consumed = 0;
+        // ── Phase 1: drain carry-over ─────────────────────────────────────
+        if (this._bufLen > 0) {
+            // Sub-case A: partial prefix — we have < 4 bytes buffered
+            if (this._bufLen < 4) {
+                const need = 4 - this._bufLen;
+                const take = Math.min(need, bytes.length - consumed);
+                buf.set(bytes.subarray(consumed, consumed + take), this._bufLen);
+                this._bufLen += take;
+                consumed += take;
+                if (this._bufLen < 4)
+                    return results;
+            }
+            const sealedLen = (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0;
+            if (sealedLen === 0 || sealedLen > (maxFrame - 4)) {
+                this._wipe();
+                throw new Error('SerpentStreamOpener: invalid sealed chunk length');
+            }
+            const frameLen = 4 + sealedLen;
+            // Sub-case B: partial frame body
+            const haveInBuf = this._bufLen;
+            const needMore = frameLen - haveInBuf;
+            if (needMore > 0) {
+                const take = Math.min(needMore, bytes.length - consumed);
+                buf.set(bytes.subarray(consumed, consumed + take), haveInBuf);
+                this._bufLen += take;
+                consumed += take;
+                if (this._bufLen < frameLen)
+                    return results;
+            }
+            const plaintext = this._openRaw(buf.subarray(4, frameLen));
+            results.push(plaintext);
+            this._bufLen = 0;
+            if (this._dead) {
+                if (consumed < bytes.length) {
+                    this._wipe();
+                    throw new Error('SerpentStreamOpener: unexpected bytes after final chunk');
+                }
+                return results;
+            }
+        }
+        // ── Phase 2: parse complete frames directly from bytes ────────────
+        let pos = consumed;
+        while (true) {
+            if (bytes.length - pos < 4)
+                break;
+            const sealedLen = (bytes[pos] << 24 | bytes[pos + 1] << 16 | bytes[pos + 2] << 8 | bytes[pos + 3]) >>> 0;
+            if (sealedLen === 0 || sealedLen > (maxFrame - 4)) {
+                this._wipe();
+                throw new Error('SerpentStreamOpener: invalid sealed chunk length');
+            }
+            const frameLen = 4 + sealedLen;
+            if (bytes.length - pos < frameLen)
+                break;
+            const plaintext = this._openRaw(bytes.subarray(pos + 4, pos + frameLen));
+            results.push(plaintext);
+            if (this._dead) {
+                const remaining = bytes.length - pos - frameLen;
+                if (remaining > 0) {
+                    this._wipe();
+                    throw new Error('SerpentStreamOpener: unexpected bytes after final chunk');
+                }
+                return results;
+            }
+            pos += frameLen;
+        }
+        // ── Carry over any incomplete trailing bytes into _buf ────────────
+        const leftover = bytes.length - pos;
+        if (leftover > 0) {
+            if (leftover > maxFrame) {
+                this._wipe();
+                throw new Error('SerpentStreamOpener: input exceeds maximum frame size');
+            }
+            buf.set(bytes.subarray(pos), 0);
+            this._bufLen = leftover;
+        }
+        return results;
+    }
     _wipe() {
+        if (this._dead)
+            return;
         wipe(this._key);
         wipe(this._nonce);
         this._cbc.dispose();
         this._hmac.dispose();
         this._hkdf.dispose();
+        if (this._framed) {
+            wipe(this._buf);
+            this._bufLen = 0;
+        }
         this._dead = true;
     }
     dispose() {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "leviathan-crypto",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "author": "xero (https://x-e.ro)",
   "license": "MIT",
   "description": "Zero-dependency WebAssembly cryptography library for TypeScript: Serpent-256, XChaCha20-Poly1305, SHA-2/3, HMAC, HKDF, and Fortuna CSPRNG, with a strictly typed API built on vector-verified primitives.",

package/dist/serpent/stream-encoder.d.ts DELETED Viewed

@@ -1,20 +0,0 @@
-export declare class SerpentStreamEncoder {
-    private readonly _sealer;
-    private _state;
-    constructor(key: Uint8Array, chunkSize?: number, _nonce?: Uint8Array, _ivs?: Uint8Array[]);
-    header(): Uint8Array;
-    encode(plaintext: Uint8Array): Uint8Array;
-    encodeFinal(plaintext: Uint8Array): Uint8Array;
-    dispose(): void;
-}
-export declare class SerpentStreamDecoder {
-    private readonly _opener;
-    private readonly _buf;
-    private readonly _maxFrame;
-    private _bufLen;
-    private _dead;
-    constructor(key: Uint8Array, header: Uint8Array);
-    feed(bytes: Uint8Array): Uint8Array[];
-    private _wipe;
-    dispose(): void;
-}

package/dist/serpent/stream-encoder.js DELETED Viewed

@@ -1,167 +0,0 @@
-//                  ▄▄▄▄▄▄▄▄▄▄
-//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
-//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
-//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
-//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
-//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
-//     ███████▌    ▀██▀         ███
-//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
-//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
-//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
-//            ▀████▄   ▄██▄
-//              ▐████   ▐███                  Author: xero (https://x-e.ro)
-//       ▄▄██████████    ▐███         ▄▄      License: MIT
-//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
-//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
-//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
-//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
-//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
-//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
-//                           ▀█████▀▀
-//
-// src/ts/serpent/stream-encoder.ts
-//
-// Tier 2 pure-TS composition: SerpentStreamSealer / SerpentStreamOpener
-// with u32be length-prefixed framing.
-//
-// SerpentStreamEncoder: wraps SerpentStreamSealer, prepends u32be(sealedLen)
-// SerpentStreamDecoder: wraps SerpentStreamOpener, buffers input and assembles
-//                       complete frames before dispatching to opener.open()
-//
-// Wire format per chunk:
-//   u32be(sealedLen) || IV(16) || CBC_ciphertext(padded) || HMAC(32)
-//
-// Use these classes when chunks will be concatenated into a flat byte array
-// (files, buffered TCP, etc). Use SerpentStreamSealer/Opener directly when
-// the transport already frames messages (WebSocket, IPC, etc).
-import { SerpentStreamSealer, SerpentStreamOpener } from './stream-sealer.js';
-import { _serpentReady } from './index.js';
-import { _sha2Ready } from '../sha2/index.js';
-import { wipe } from '../utils.js';
-import { u32be } from './stream.js';
-export class SerpentStreamEncoder {
-    _sealer;
-    _state;
-    // _nonce, _ivs: test seams — passed through to SerpentStreamSealer
-    constructor(key, chunkSize, _nonce, _ivs) {
-        if (!_serpentReady())
-            throw new Error('leviathan-crypto: call init([\'serpent\']) before using SerpentStreamEncoder');
-        if (!_sha2Ready())
-            throw new Error('leviathan-crypto: call init([\'sha2\']) before using SerpentStreamEncoder');
-        this._sealer = new SerpentStreamSealer(key, chunkSize, _nonce, _ivs);
-        this._state = 'fresh';
-    }
-    header() {
-        if (this._state === 'encoding')
-            throw new Error('SerpentStreamEncoder: header() already called');
-        if (this._state === 'dead')
-            throw new Error('SerpentStreamEncoder: stream is closed');
-        this._state = 'encoding';
-        return this._sealer.header();
-    }
-    encode(plaintext) {
-        if (this._state === 'fresh')
-            throw new Error('SerpentStreamEncoder: call header() first');
-        if (this._state === 'dead')
-            throw new Error('SerpentStreamEncoder: stream is closed');
-        const sealed = this._sealer.seal(plaintext);
-        return _prependLen(sealed);
-    }
-    encodeFinal(plaintext) {
-        if (this._state === 'fresh')
-            throw new Error('SerpentStreamEncoder: call header() first');
-        if (this._state === 'dead')
-            throw new Error('SerpentStreamEncoder: stream is closed');
-        const sealed = this._sealer.final(plaintext);
-        this._state = 'dead';
-        return _prependLen(sealed);
-    }
-    dispose() {
-        if (this._state !== 'dead') {
-            this._sealer.dispose();
-            this._state = 'dead';
-        }
-    }
-}
-// ── SerpentStreamDecoder ─────────────────────────────────────────────────────
-export class SerpentStreamDecoder {
-    _opener;
-    _buf; // fixed-size accumulation buffer
-    _maxFrame; // 4 + max sealed chunk size
-    _bufLen; // valid bytes currently in _buf
-    _dead;
-    constructor(key, header) {
-        if (!_serpentReady())
-            throw new Error('leviathan-crypto: call init([\'serpent\']) before using SerpentStreamDecoder');
-        if (!_sha2Ready())
-            throw new Error('leviathan-crypto: call init([\'sha2\']) before using SerpentStreamDecoder');
-        this._opener = new SerpentStreamOpener(key, header);
-        // Parse chunkSize from stream header (bytes 16..20, u32be)
-        const cs = (header[16] << 24 | header[17] << 16 | header[18] << 8 | header[19]) >>> 0;
-        // Max sealed chunk size: IV(16) + PKCS7-padded ciphertext + HMAC(32)
-        // PKCS7: plaintext always padded to next multiple of 16 (minimum 1 pad byte)
-        const maxSealed = 16 + (cs + (16 - (cs % 16))) + 32;
-        this._maxFrame = 4 + maxSealed;
-        this._buf = new Uint8Array(this._maxFrame);
-        this._bufLen = 0;
-        this._dead = false;
-    }
-    feed(bytes) {
-        if (this._dead)
-            throw new Error('SerpentStreamDecoder: stream is closed');
-        // Append incoming bytes to accumulation buffer
-        if (this._bufLen + bytes.length > this._maxFrame) {
-            throw new Error('SerpentStreamDecoder: input exceeds maximum frame size');
-        }
-        this._buf.set(bytes, this._bufLen);
-        this._bufLen += bytes.length;
-        const results = [];
-        while (true) {
-            // Need at least 4 bytes for the length prefix
-            if (this._bufLen < 4)
-                break;
-            const sealedLen = ((this._buf[0] << 24 | this._buf[1] << 16 |
-                this._buf[2] << 8 | this._buf[3]) >>> 0);
-            const frameLen = 4 + sealedLen;
-            // Need the full frame
-            if (this._bufLen < frameLen)
-                break;
-            // Complete frame — dispatch to opener
-            const sealedChunk = this._buf.subarray(4, frameLen);
-            const plaintext = this._opener.open(sealedChunk);
-            results.push(plaintext);
-            if (this._opener.closed) {
-                // After final chunk: any leftover bytes are a protocol error
-                const remaining = this._bufLen - frameLen;
-                if (remaining > 0) {
-                    this._wipe();
-                    throw new Error('SerpentStreamDecoder: unexpected bytes after final chunk');
-                }
-                this._wipe();
-                return results;
-            }
-            // Shift remaining bytes to front of buffer — no allocation
-            const remaining = this._bufLen - frameLen;
-            this._buf.copyWithin(0, frameLen, frameLen + remaining);
-            this._bufLen = remaining;
-        }
-        return results;
-    }
-    _wipe() {
-        wipe(this._buf);
-        this._bufLen = 0;
-        this._opener.dispose();
-        this._dead = true;
-    }
-    dispose() {
-        if (!this._dead)
-            this._wipe();
-    }
-}
-// ── helpers ──────────────────────────────────────────────────────────────────
-function _prependLen(chunk) {
-    const out = new Uint8Array(4 + chunk.length);
-    out.set(u32be(chunk.length), 0);
-    out.set(chunk, 4);
-    return out;
-}