leviathan-crypto 1.2.0 → 1.3.1

package/CLAUDE.md

@@ -87,16 +87,12 @@ await serpentInit()
 
 | Classes | `init()` call |
 |---------|--------------|
-| `SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `SerpentStreamEncoder`, `SerpentStreamDecoder`, `Serpent`, `SerpentCtr`, `SerpentCbc` | `init(['serpent', 'sha2'])` |
+| `SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc` | `init(['serpent', 'sha2'])` |
 | `ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`, `XChaCha20Poly1305Pool` | `init(['chacha20'])` |
 | `SHA256`, `SHA384`, `SHA512`, `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512`, `HKDF_SHA256`, `HKDF_SHA512` | `init(['sha2'])` |
 | `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256` | `init(['sha3'])` |
 | `Fortuna` | `init(['serpent', 'sha2'])` |
 
-`Argon2id` is a separate subpath: `import { Argon2id } from 'leviathan-crypto/argon2id'`
-It does **not** require `init()` — it uses its own WASM loader.
-`'argon2id'` is **not** a valid module string for `init()`.
-
 ---
 
 ## Recommended patterns
@@ -138,23 +134,24 @@ const ptLast = opener.open(last)
 
 ### Length-prefixed streaming (for files and buffered transports)
 
-`SerpentStreamEncoder`/`SerpentStreamDecoder` wrap the sealer/opener with
-`u32be` length-prefixed framing so chunk boundaries are self-delimiting.
+Pass `{ framed: true }` to `SerpentStreamSealer`/`SerpentStreamOpener` for self-delimiting
+`u32be` length-prefixed framing. Use when chunks will be concatenated into a flat byte
+stream. Omit when the transport frames messages itself (WebSocket, IPC).
 
 ```typescript
-import { init, SerpentStreamEncoder, SerpentStreamDecoder, randomBytes } from 'leviathan-crypto'
+import { init, SerpentStreamSealer, SerpentStreamOpener, randomBytes } from 'leviathan-crypto'
 
 await init(['serpent', 'sha2'])
 
-const key     = randomBytes(64)
-const encoder = new SerpentStreamEncoder(key, 65536)
-const header  = encoder.header()
+const key    = randomBytes(64)
+const sealer = new SerpentStreamSealer(key, 65536, { framed: true })
+const header = sealer.header()
 
-const frame0  = encoder.encode(data0)         // u32be(len) || sealed chunk
-const last    = encoder.encodeFinal(tail)
+const frame0 = sealer.seal(data0)        // u32be(len) || sealed chunk
+const last   = sealer.final(tail)
 
-const decoder = new SerpentStreamDecoder(key, header)
-const chunks  = decoder.feed(frame0)          // returns Uint8Array[], throws on auth failure
+const opener = new SerpentStreamOpener(key, header, { framed: true })
+const chunks = opener.feed(frame0)       // Uint8Array[] — throws on auth failure
 ```
 
 ### XChaCha20-Poly1305
@@ -236,7 +233,7 @@ cipher.decrypt(key, iv, ciphertext)  // correct
 ## Utilities (no `init()` required)
 
 ```typescript
-import { hexToBytes, bytesToHex, randomBytes, constantTimeEqual, wipe } from 'leviathan-crypto'
+import { hexToBytes, bytesToHex, randomBytes, constantTimeEqual, wipe, hasSIMD } from 'leviathan-crypto'
 
 // available immediately — no await init() needed
 const key  = randomBytes(32)
@@ -246,6 +243,11 @@ const safe = constantTimeEqual(a, b)   // constant-time equality — never use =
 wipe(key)                               // zero a Uint8Array in place
 ```
 
+`hasSIMD()` returns `true` if the runtime supports WebAssembly SIMD. It is used
+internally — you do not need to call it. SIMD acceleration is fully transparent:
+`SerpentCtr.encryptChunk`, `SerpentCbc.decrypt`, and `ChaCha20.encryptChunk` all
+auto-dispatch to the faster 4-wide SIMD path when available, with no API change.
+
 ---
 
 ## Full documentation
@@ -254,7 +256,7 @@ The complete API reference ships in `docs/` alongside this file:
 
 | File | Contents |
 |------|----------|
-| `docs/serpent.md` | `SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `SerpentStreamEncoder`, `SerpentStreamDecoder`, `Serpent`, `SerpentCtr`, `SerpentCbc` |
+| `docs/serpent.md` | `SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc` |
 | `docs/chacha20.md` | `ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`, `XChaCha20Poly1305Pool` |
 | `docs/sha2.md` | `SHA256`, `SHA384`, `SHA512`, `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512`, `HKDF_SHA256`, `HKDF_SHA512` |
 | `docs/sha3.md` | `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256` |

package/README.md

@@ -1,6 +1,6 @@
-[![Version](https://img.shields.io/github/package-json/version/xero/leviathan-crypto?labelColor=33383e&logo=npm&&logoColor=979da4&color=6e2aa5)](https://github.com/xero/leviathan-crypto/releases/latest) [![GitHub repo size](https://img.shields.io/github/repo-size/xero/leviathan-crypto?labelColor=262a2e&logo=googlecontaineroptimizedos&logoColor=979da4&color=6e2aa5)](https://github.com/xero/leviathan-crypto/) [![test suite](https://github.com/xero/leviathan-crypto/actions/workflows/test-suite.yml/badge.svg)](https://github.com/xero/leviathan-crypto/actions/workflows/test-suite.yml) [![wiki](https://github.com/xero/leviathan-crypto/actions/workflows/wiki.yml/badge.svg)](https://github.com/xero/leviathan-crypto/wiki)
+[![GitHub Release](https://img.shields.io/github/v/release/xero/leviathan-crypto?sort=semver&display_name=tag&style=flat&logo=github&logoColor=989da4&label=latest%20release&labelColor=161925&color=1c7293)](https://github.com/xero/leviathan-crypto/releases/latest) [![npm package minimized gzipped size](https://img.shields.io/bundlejs/size/leviathan-crypto?format=both&style=flat&logo=googlecontaineroptimizedos&logoColor=989da4&label=package%20size&labelColor=161925&color=1c7293)](https://www.npmjs.com/package/leviathan-crypto) [![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/xero/leviathan-crypto/test-suite.yml?branch=main&style=flat&logo=github&logoColor=989da4&label=test%20suite&labelColor=161925&color=1a936f)](https://github.com/xero/leviathan-crypto/actions/workflows/test-suite.yml) [![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/xero/leviathan-crypto/wiki.yml?branch=main&style=flat&logo=gitbook&logoColor=989da4&label=wiki%20publish&labelColor=161925&color=1a936f)](https://github.com/xero/leviathan-crypto/wiki)
 
-![side-effect free](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-side-effect-free.svg) ![tree-shakeable](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-tree-shakable.svg) ![zero dependencies](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-zero-dependancies.svg) [![MIT Licensed](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-mit-license.svg)](https://github.com/xero/text0wnz/blob/main/LICENSE)
+![simd webassembly](https://img.shields.io/badge/SIMD%20-%20WASM?style=flat&logo=wasmer&logoColor=1a936f&label=WASM&labelColor=33383e&color=161925) ![side-effect free](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-side-effect-free.svg) ![tree-shakeable](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-tree-shakable.svg) ![zero dependencies](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-zero-dependancies.svg) [![MIT Licensed](https://github.com/xero/leviathan-crypto/raw/main/docs/badge-mit-license.svg)](https://github.com/xero/leviathan-crypto/blob/main/LICENSE)
 
 <img src="https://github.com/xero/leviathan-crypto/raw/main/docs/logo.svg" alt="Leviathan logo" width="400" >
 
@@ -8,26 +8,62 @@
 
 > Web cryptography built on Serpent-256 paranoia and XChaCha20-Poly1305 elegance.
 
-**Serpent-256 is the cipher for those who distrust consensus.** In 2001, when NIST selected AES, Serpent actually received more first-place security votes from the evaluation committee. However, it lost because the competition also considered performance on hardware embedded systems, which are no longer representative of the environments for which we develop software. Serpent's designers made no compromises: thirty-two rounds, S-boxes implemented using pure Boolean logic gates without table lookups, and every bit processed for each block. You use Serpent not because a committee recommended it, but because you trust the cryptanalysis. The current best attack on the full thirty-two-round Serpent-256 achieves 2²⁵⁵·¹⁹ — less than one bit below the brute-force ceiling, and strictly impractical. This includes our own independent research, which improved upon the published result. See [`serpent_audit.md`](https://github.com/xero/leviathan-crypto/wiki/serpent_audit).
-
-**XChaCha20-Poly1305 is the cipher for those who appreciate design that has nothing to hide.** Daniel Bernstein built ChaCha20 as a twenty-round ARX construction: add, rotate, and XOR, in a precise choreography that simply doesn't have the attack surface that table-based ciphers do. It has no S-boxes, no cache-timing leakage, and requires no hardware acceleration to be fast. Poly1305 adds a final layer of security: a one-time authenticator with an unconditional forgery bound, mathematically guaranteed regardless of attacker compute power. XChaCha20-Poly1305 is the construction you reach for when you want an AEAD whose security proof you can actually read without a PhD. See [`chacha_audit.md`](https://github.com/xero/leviathan-crypto/wiki/chacha_audit).
-
-The tension between these two approaches constitutes the library's core identity. Serpent embodies defiance, ChaCha embodies elegance, yet both arrive at the same place: constant-time, side-channel resistant implementations, independently audited against their specifications. They represent two design philosophies that do not agree on anything, except the answer.
-
-**WebAssembly provides a correctness layer.** Each primitive compiles into its own isolated binary, executing outside the JavaScript JIT. This prevents speculative optimization from affecting key material and ensures that data-dependent timing vulnerabilities do not cross the boundary.
-
-**TypeScript acts as the ergonomics layer.** Fully typed classes, explicit `init()` gates, input validation, and authenticated compositions ensure primitives are connected correctly.
+**Serpent-256 is the cipher for those who distrust consensus.** In 2001, when
+NIST selected AES, Serpent actually received more first-place security votes
+from the evaluation committee. However, it lost because the competition also
+considered performance on hardware embedded systems, which are no longer
+representative of the environments for which we develop software. Serpent's
+designers made no compromises: thirty-two rounds, S-boxes implemented using
+pure Boolean logic gates without table lookups, and every bit processed for
+each block. You use Serpent not because a committee recommended it, but because
+you trust the cryptanalysis. The current best attack on the full
+thirty-two-round Serpent-256 achieves 2²⁵⁵·¹⁹ — less than one bit below the
+brute-force ceiling, and strictly impractical. This includes our own
+independent research, which improved upon the published result. See
+[`serpent_audit.md`](https://github.com/xero/leviathan-crypto/wiki/serpent_audit).
+
+**XChaCha20-Poly1305 is the cipher for those who appreciate design that has
+nothing to hide.** Daniel Bernstein built ChaCha20 as a twenty-round ARX
+construction: add, rotate, and XOR, in a precise choreography that simply
+doesn't have the attack surface that table-based ciphers do. It has no S-boxes,
+no cache-timing leakage, and requires no hardware acceleration to be fast.
+Poly1305 adds a final layer of security: a one-time authenticator with an
+unconditional forgery bound, mathematically guaranteed regardless of attacker
+compute power. XChaCha20-Poly1305 is the construction you reach for when you
+want an AEAD whose security proof you can actually read without a PhD. See
+[`chacha_audit.md`](https://github.com/xero/leviathan-crypto/wiki/chacha_audit).
+
+The tension between these two approaches constitutes the library's core
+identity. Serpent embodies defiance, ChaCha embodies elegance, yet both arrive
+at the same place: constant-time, side-channel resistant implementations,
+independently audited against their specifications. They represent two design
+philosophies that do not agree on anything, except the answer.
+
+**WebAssembly provides a correctness layer.** Each primitive compiles into its
+own isolated binary, executing outside the JavaScript JIT. This prevents
+speculative optimization from affecting key material and ensures that
+data-dependent timing vulnerabilities do not cross the boundary.
+
+**TypeScript acts as the ergonomics layer.** Fully typed classes, explicit
+`init()` gates, input validation, and authenticated compositions ensure
+primitives are connected correctly.
 
 ---
 
 #### **Zero Dependencies.**
-With no npm dependency graph to audit, the supply chain attack surface is eliminated.
+
+With no npm dependency graph to audit, the supply chain attack surface is
+eliminated.
 
 #### **Tree-shakeable.**
-Import only the cipher(s) you intend to use. Subpath exports allow bundlers to exclude everything else.
+
+Import only the cipher(s) you intend to use. Subpath exports allow bundlers to
+exclude everything else.
 
 #### **Side-effect Free.**
-Nothing runs upon import. Initialization via `init()` is explicit and asynchronous.
+
+Nothing runs upon import. Initialization via `init()` is explicit and
+asynchronous.
 
 
 ## Installation
@@ -40,7 +76,10 @@ npm install leviathan-crypto
 ```
 
 > [!NOTE]
-> The Serpent and ChaCha20 modules require a runtime with WebAssembly SIMD support. This has been a feature of all major browsers and runtimes since 2021. All other primitives (SHA-2, SHA-3, Poly1305) run on any WASM-capable runtime.
+> The Serpent and ChaCha20 modules require a runtime with WebAssembly SIMD
+> support. [This has been a feature of all major browsers and runtimes since
+> 2021](https://caniuse.com/wasm-simd). All other primitives (SHA-2, SHA-3,
+> Poly1305) run on any WASM-capable runtime.
 
 ---
 
@@ -48,15 +87,30 @@ npm install leviathan-crypto
 
 **`lvthn-web`** [ [demo](https://leviathan.3xi.club/web) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-web) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-web/README.md) ]
 
-A browser encryption tool in a single, self-contained HTML file. Encrypt text or files using Serpent-256-CBC and Argon2id key derivation, then share the armored output. No server, installation, or network connection required after initial load. The code in is written to be read. The Encrypt-then-MAC construction, HMAC input (header with HMAC field zeroed + ciphertext), and Argon2id parameters are all intentional examples worth reading.
+A browser encryption tool in a single, self-contained HTML file. Encrypt text
+or files using Serpent-256-CBC and Argon2id key derivation, then share the
+armored output. No server, installation, or network connection required after
+initial load. The code is written to be read. The Encrypt-then-MAC
+construction, HMAC input (header with HMAC field zeroed + ciphertext), and
+Argon2id parameters are all intentional examples worth reading.
 
 **`lvthn-chat`** [ [demo](https://leviathan.3xi.club/chat) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-chat) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-chat/README.md) ]
 
-End-to-end encrypted chat featuring two-party messaging over X25519 key exchange and XChaCha20-Poly1305 message encryption. The relay server functions as a dumb WebSocket pipe that never sees plaintext. Each message incorporates sequence numbers, which allows the system to detect and reject replayed messages from an attacker. The demo deconstructs the protocol step by step, with visual feedback for both injection and replays.
+End-to-end encrypted chat featuring two-party messaging over X25519 key
+exchange and XChaCha20-Poly1305 message encryption. The relay server functions
+as a dumb WebSocket pipe that never sees plaintext. Each message incorporates
+sequence numbers, which allows the system to detect and reject replayed
+messages from an attacker. The demo deconstructs the protocol step by step,
+with visual feedback for both injection and replays.
 
 **`lvthn-cli`** [ [npm](https://www.npmjs.com/package/lvthn) · [source](https://github.com/xero/leviathan-demos/tree/main/lvthn-cli) · [readme](https://github.com/xero/leviathan-demos/blob/main/lvthn-cli/README.md) ]
 
-File encryption CLI. Supports both Serpent-256 and XChaCha20-Poly1305, selectable via the `--cipher` flag. A single keyfile is compatible with both ciphers; the header byte determines decryption automatically. Encryption and decryption distribute 64KB chunks across a worker pool sized to hardwareConcurrency. Each worker owns an isolated WASM instance with no shared memory between workers.
+File encryption CLI. Supports both Serpent-256 and XChaCha20-Poly1305,
+selectable via the `--cipher` flag. A single keyfile is compatible with both
+ciphers; the header byte determines decryption automatically. Encryption and
+decryption distribute 64KB chunks across a worker pool sized to
+hardwareConcurrency. Each worker owns an isolated WASM instance with no shared
+memory between workers.
 
 ```sh
 bun i -g lvthn # or npm slow mode
@@ -69,27 +123,33 @@ cat secret.txt | lvthn encrypt -k my.key --armor > secret.enc
 
 ## Primitives
 
-| Classes                                                                   | Module            | Auth    | Notes                                                                                                |
-| ------------------------------------------------------------------------- | ----------------- | ------- | ---------------------------------------------------------------------------------------------------- |
-| `SerpentSeal`                                                             | `serpent`, `sha2` | **Yes** | Authenticated encryption: Serpent-CBC + HMAC-SHA256. Recommended for most use cases.                 |
-| `SerpentStream`, `SerpentStreamPool`                                      | `serpent`, `sha2` | **Yes** | Chunked one-shot AEAD for large payloads. Pool variant parallelises across workers.                  |
-| `SerpentStreamSealer`, `SerpentStreamOpener`                              | `serpent`, `sha2` | **Yes** | Incremental streaming AEAD: seal and open one chunk at a time without buffering the full message.    |
-| `SerpentStreamEncoder`, `SerpentStreamDecoder`                            | `serpent`, `sha2` | **Yes** | Length-prefixed framing over SerpentStreamSealer/Opener for flat byte streams (files, buffered TCP). |
-| `Serpent`, `SerpentCtr`, `SerpentCbc`                                     | `serpent`         | **No**  | Raw ECB, CTR, CBC modes. Unauthenticated — pair with HMAC-SHA256 for authentication.                 |
-| `XChaCha20Poly1305`, `ChaCha20Poly1305`                                   | `chacha20`        | **Yes** | AEAD — RFC 8439. XChaCha20 recommended (192-bit nonce).                                              |
-| `ChaCha20`                                                                | `chacha20`        | **No**  | Raw stream cipher. Unauthenticated — use with `Poly1305` for authentication.                         |
-| `Poly1305`                                                                | `chacha20`        | **No**  | One-time MAC — RFC 8439. Use via the AEAD classes unless you have a specific reason not to.          |
-| `SHA256`, `SHA384`, `SHA512`, `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512` | `sha2`            | -       | FIPS 180-4, RFC 2104                                                                                 |
-| `HKDF_SHA256`, `HKDF_SHA512`                                              | `sha2`            | -       | Key derivation — RFC 5869. Extract-and-expand over HMAC.                                             |
-| `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`    | `sha3`            | -       | FIPS 202                                                                                             |
-| `Fortuna`                                                                 | `fortuna`         | -       | Fortuna CSPRNG (Ferguson & Schneier). Requires `Fortuna.create()`.                                   |
+| Class                                                       | Module            | Auth    | Notes                                                                                                                                              |
+| ----------------------------------------------------------- | ----------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Authenticated encryption**                                |                   |         |                                                                                                                                                    |
+| `SerpentSeal`                                               | `serpent`, `sha2` | **Yes** | Serpent-CBC + HMAC-SHA256. Recommended default for most use cases. 64-byte key.                                                                    |
+| `SerpentStream`, `SerpentStreamPool`                        | `serpent`, `sha2` | **Yes** | Chunked one-shot AEAD for large payloads. Pool variant parallelises across workers. 32-byte key.                                                   |
+| `SerpentStreamSealer`, `SerpentStreamOpener`                | `serpent`, `sha2` | **Yes** | Incremental streaming AEAD: seal/open one chunk at a time. Pass `{ framed: true }` for self-delimiting `u32be` length-prefix framing. 64-byte key. |
+| `XChaCha20Poly1305`                                         | `chacha20`        | **Yes** | XChaCha20-Poly1305 AEAD. Recommended when you want a simpler API or a 192-bit nonce safe for random generation. 32-byte key.                       |
+| `XChaCha20Poly1305Pool`                                     | `chacha20`        | **Yes** | Worker-pool wrapper for `XChaCha20Poly1305`. Parallelises encryption across isolated WASM instances.                                               |
+| `ChaCha20Poly1305`                                          | `chacha20`        | **Yes** | ChaCha20-Poly1305 AEAD — RFC 8439. 12-byte nonce; prefer `XChaCha20Poly1305` unless you need RFC 8439 exact compliance.                            |
+| **Unauthenticated primitives** _pair with HMAC or use AEAD_ |                   |         |                                                                                                                                                    |
+| `Serpent`                                                   | `serpent`         | **No**  | Serpent-256 ECB block cipher. Single-block encrypt/decrypt.                                                                                        |
+| `SerpentCtr`                                                | `serpent`         | **No**  | Serpent-256 CTR mode stream cipher. Requires `{ dangerUnauthenticated: true }`.                                                                    |
+| `SerpentCbc`                                                | `serpent`         | **No**  | Serpent-256 CBC mode with PKCS7 padding. Requires `{ dangerUnauthenticated: true }`.                                                               |
+| `ChaCha20`                                                  | `chacha20`        | **No**  | ChaCha20 stream cipher — RFC 8439. Unauthenticated; use `XChaCha20Poly1305` unless you need raw keystream.                                         |
+| `Poly1305`                                                  | `chacha20`        | **No**  | Poly1305 one-time MAC — RFC 8439. Use via the AEAD classes unless you have a specific reason not to.                                               |
+| **Hashing and key derivation**                              |                   |         |                                                                                                                                                    |
+| `SHA256`, `SHA384`, `SHA512`                                | `sha2`            | —       | SHA-2 family — FIPS 180-4.                                                                                                                         |
+| `HMAC_SHA256`, `HMAC_SHA384`, `HMAC_SHA512`                 | `sha2`            | —       | HMAC construction over SHA-2 — RFC 2104.                                                                                                           |
+| `HKDF_SHA256`, `HKDF_SHA512`                                | `sha2`            | —       | Extract-and-expand key derivation over HMAC — RFC 5869.                                                                                            |
+| `SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`              | `sha3`            | —       | SHA-3 family — FIPS 202. Keccak-based, structurally independent of SHA-2.                                                                          |
+| `SHAKE128`, `SHAKE256`                                      | `sha3`            | —       | Extendable output functions (XOF) — FIPS 202. Variable-length output; useful for key derivation and stream generation.                             |
+| **CSPRNG**                                                  |                   |         |                                                                                                                                                    |
+| `Fortuna`                                                   | `serpent`, `sha2` | —       | Fortuna CSPRNG (Ferguson & Schneier). 32 entropy pools, forward secrecy. Use `Fortuna.create()`.                                                   |
 
 > [!IMPORTANT]
 > All cryptographic computation runs in WASM (AssemblyScript), isolated outside the JavaScript JIT. The TypeScript layer provides the public API with input validation, type safety, and developer ergonomics.
 
-> [!WARNING]
-> `SerpentCtr` and `SerpentCbc` are **unauthenticated** cipher modes. They provide confidentiality but not integrity or authenticity. An attacker can modify ciphertext without detection. For authenticated Serpent encryption use `SerpentSeal` or `SerpentStreamSealer`. When using CBC/CTR directly, pair with `HMAC_SHA256` using the Encrypt-then-MAC pattern.
-
 ---
 
 ## Quick Start
@@ -135,7 +195,8 @@ const decrypted = chacha.decrypt(key, nonce, ciphertext)
 chacha.dispose()
 ```
 
-For more examples, including streaming, chunking, hashing, and key derivation, see the [examples page](https://github.com/xero/leviathan-crypto/wiki/examples).
+For more examples, including streaming, chunking, hashing, and key derivation,
+see the [examples page](https://github.com/xero/leviathan-crypto/wiki/examples).
 
 ---
 
@@ -154,7 +215,8 @@ await init(['serpent'], 'manual', { wasmBinary: { serpent: myBuffer } })
 
 ### Tree-shaking with subpath imports
 
-Each cipher ships as its own subpath export. A bundler with tree-shaking support and `"sideEffects": false` will exclude every module you don't import:
+Each cipher ships as its own subpath export. A bundler with tree-shaking
+support and `"sideEffects": false` will exclude every module you don't import:
 
 ```typescript
 // Only serpent.wasm ends up in your bundle
@@ -186,37 +248,38 @@ await chacha20Init()
 
 ### API Surface
 
-| Module       | MD/Wiki                                                                                       | Description                                                                                                                                                           |
-| ------------ | --------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| serpent      | [▼](./docs/serpent.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/serpent)           | Serpent-256 TypeScript API (`SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc`) |
-| asm_serpent  | [▼](./docs/asm_serpent.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_serpent)   | Serpent-256 WASM implementation (bitslice S-boxes, key schedule, CTR/CBC)                                                                                             |
-| chacha20     | [▼](./docs/chacha20.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/chacha20)         | ChaCha20/Poly1305 TypeScript API (`ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`)                                                                    |
-| asm_chacha   | [▼](./docs/asm_chacha.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_chacha)     | ChaCha20/Poly1305 WASM implementation (quarter-round, HChaCha20)                                                                                                      |
-| sha2         | [▼](./docs/sha2.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/sha2)                 | SHA-2 TypeScript API (`SHA256`, `SHA512`, `SHA384`, `HMAC_SHA256`, `HMAC_SHA512`, `HMAC_SHA384`)                                                                      |
-| asm_sha2     | [▼](./docs/asm_sha2.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_sha2)         | SHA-2 WASM implementation (compression functions, HMAC)                                                                                                               |
-| sha3         | [▼](./docs/sha3.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/sha3)                 | SHA-3 TypeScript API (`SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`)                                                                         |
-| asm_sha3     | [▼](./docs/asm_sha3.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_sha3)         | SHA-3 WASM implementation (Keccak-f[1600], sponge construction)                                                                                                       |
-| fortuna      | [▼](./docs/fortuna.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/fortuna)           | Fortuna CSPRNG (forward secrecy, 32 entropy pools)                                                                                                                    |
-| init         | [▼](./docs/init.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/init)                 | `init()` API and WASM loading modes                                                                                                                                   |
-| utils        | [▼](./docs/utils.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils)               | Encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`                                                                                                          |
-| types        | [▼](./docs/types.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/types)               | TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)                                                                                    |
+| Module      | MD/Wiki                                                                                     | Description                                                                                                                                                           |
+| ----------- | ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| serpent     | [▼](./docs/serpent.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/serpent)         | Serpent-256 TypeScript API (`SerpentSeal`, `SerpentStream`, `SerpentStreamPool`, `SerpentStreamSealer`, `SerpentStreamOpener`, `Serpent`, `SerpentCtr`, `SerpentCbc`) |
+| asm_serpent | [▼](./docs/asm_serpent.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_serpent) | Serpent-256 WASM implementation (bitslice S-boxes, key schedule, CTR/CBC)                                                                                             |
+| chacha20    | [▼](./docs/chacha20.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/chacha20)       | ChaCha20/Poly1305 TypeScript API (`ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`, `XChaCha20Poly1305Pool`)                                           |
+| asm_chacha  | [▼](./docs/asm_chacha.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_chacha)   | ChaCha20/Poly1305 WASM implementation (quarter-round, HChaCha20)                                                                                                      |
+| sha2        | [▼](./docs/sha2.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/sha2)               | SHA-2 TypeScript API (`SHA256`, `SHA512`, `SHA384`, `HMAC_SHA256`, `HMAC_SHA512`, `HMAC_SHA384`)                                                                      |
+| asm_sha2    | [▼](./docs/asm_sha2.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_sha2)       | SHA-2 WASM implementation (compression functions, HMAC)                                                                                                               |
+| sha3        | [▼](./docs/sha3.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/sha3)               | SHA-3 TypeScript API (`SHA3_224`, `SHA3_256`, `SHA3_384`, `SHA3_512`, `SHAKE128`, `SHAKE256`)                                                                         |
+| asm_sha3    | [▼](./docs/asm_sha3.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/asm_sha3)       | SHA-3 WASM implementation (Keccak-f[1600], sponge construction)                                                                                                       |
+| fortuna     | [▼](./docs/fortuna.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/fortuna)         | Fortuna CSPRNG (forward secrecy, 32 entropy pools)                                                                                                                    |
+| init        | [▼](./docs/init.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/init)               | `init()` API and WASM loading modes                                                                                                                                   |
+| utils       | [▼](./docs/utils.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils)             | Encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`                                                                                                          |
+| types       | [▼](./docs/types.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/types)             | TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)                                                                                    |
 
 ### Utilities
 
 These helpers are available immediately on import with no `init()` required.
 
-| Function                     | MD/Wiki                                                                                                             | Description                                                    |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- |
-| `hexToBytes(hex)`            | [▼](./docs/utils.md#hextobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#hextobytes)               | Hex string to `Uint8Array` (accepts uppercase, `0x` prefix)    |
-| `bytesToHex(bytes)`          | [▼](./docs/utils.md#bytestohex) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestohex)               | `Uint8Array` to lowercase hex string                           |
-| `utf8ToBytes(str)`           | [▼](./docs/utils.md#utf8tobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#utf8tobytes)             | UTF-8 string to `Uint8Array`                                   |
-| `bytesToUtf8(bytes)`         | [▼](./docs/utils.md#bytestoutf8) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestoutf8)             | `Uint8Array` to UTF-8 string                                   |
-| `base64ToBytes(b64)`         | [▼](./docs/utils.md#base64tobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#base64tobytes)         | Base64/base64url string to `Uint8Array` (undefined on invalid) |
-| `bytesToBase64(bytes, url?)` | [▼](./docs/utils.md#bytestobase64) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestobase64)         | `Uint8Array` to base64 string (url=true for base64url)         |
-| `constantTimeEqual(a, b)`    | [▼](./docs/utils.md#constanttimeequal) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#constanttimeequal) | Constant-time byte comparison (XOR-accumulate)                 |
-| `wipe(data)`                 | [▼](./docs/utils.md#wipe) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#wipe)                           | Zero a typed array in place                                    |
-| `xor(a, b)`                  | [▼](./docs/utils.md#xor) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#xor)                             | XOR two equal-length `Uint8Array`s                             |
-| `concat(a, b)`               | [▼](./docs/utils.md#concat) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#concat)                       | Concatenate two `Uint8Array`s                                  |
+| Function                     | MD/Wiki                                                                                                             | Description                                                                                               |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| `hexToBytes(hex)`            | [▼](./docs/utils.md#hextobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#hextobytes)               | Hex string to `Uint8Array` (accepts uppercase, `0x` prefix)                                               |
+| `bytesToHex(bytes)`          | [▼](./docs/utils.md#bytestohex) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestohex)               | `Uint8Array` to lowercase hex string                                                                      |
+| `utf8ToBytes(str)`           | [▼](./docs/utils.md#utf8tobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#utf8tobytes)             | UTF-8 string to `Uint8Array`                                                                              |
+| `bytesToUtf8(bytes)`         | [▼](./docs/utils.md#bytestoutf8) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestoutf8)             | `Uint8Array` to UTF-8 string                                                                              |
+| `base64ToBytes(b64)`         | [▼](./docs/utils.md#base64tobytes) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#base64tobytes)         | Base64/base64url string to `Uint8Array` (undefined on invalid)                                            |
+| `bytesToBase64(bytes, url?)` | [▼](./docs/utils.md#bytestobase64) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#bytestobase64)         | `Uint8Array` to base64 string (url=true for base64url)                                                    |
+| `constantTimeEqual(a, b)`    | [▼](./docs/utils.md#constanttimeequal) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#constanttimeequal) | Constant-time byte comparison (XOR-accumulate)                                                            |
+| `wipe(data)`                 | [▼](./docs/utils.md#wipe) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#wipe)                           | Zero a typed array in place                                                                               |
+| `xor(a, b)`                  | [▼](./docs/utils.md#xor) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#xor)                             | XOR two equal-length `Uint8Array`s                                                                        |
+| `concat(a, b)`               | [▼](./docs/utils.md#concat) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#concat)                       | Concatenate two `Uint8Array`s                                                                             |
+| `hasSIMD()`                  | [▼](./docs/utils.md#hassimd) · [¶](https://github.com/xero/leviathan-crypto/wiki/utils#hassimd)                     | Detects WebAssembly SIMD support. Cached after first call. Used internally for CTR/CBC/ChaCha20 dispatch. |
 
 ### Algorithm correctness and verifications
 
@@ -230,13 +293,14 @@ These helpers are available immediately on import with no `init()` required.
 | hkdf_audit    | [▼](./docs/hkdf_audit.md) · [¶](https://github.com/xero/leviathan-crypto/wiki/hkdf_audit)       | HKDF extract-then-expand, info field domain separation, SerpentStream key derivation   |
 
 >[!NOTE]
-> Additional documentation available in [./docs](./docs/README.md) and on the [project wiki](https://github.com/xero/leviathan-crypto/wiki/).
+> Additional documentation available in [./docs](./docs/README.md) and on the
+> [project wiki](https://github.com/xero/leviathan-crypto/wiki/).
 
 ---
 
 ## License
 
-leviathan is written under the [MIT license](http://www.opensource.org/licenses/MIT).
+leviathan-crypto is released under the [MIT license](./LICENSE).
 
 ```
                 ▄▄▄▄▄▄▄▄▄▄
@@ -260,3 +324,4 @@ leviathan is written under the [MIT license](http://www.opensource.org/licenses/
 ▀██████▀             ▀████▄▄▄████▀
                         ▀█████▀
 ```
+

package/SECURITY.md

@@ -13,7 +13,8 @@
 
 | Version | Supported |
 |---------|-----------|
-| v1.2.x  | ︎✓         |
+| v1.3.x  | ︎✓         |
+| v1.2.x  | ✓         |
 | v1.1.x  | ✗         |
 | v1.0.x  | ✗         |
 

package/dist/chacha20/index.js

@@ -26,7 +26,7 @@
 import { getInstance, initModule } from '../init.js';
 import { aeadEncrypt, aeadDecrypt, xcEncrypt, xcDecrypt } from './ops.js';
 import { hasSIMD } from '../utils.js';
-const _embedded = () => import('../embedded/chacha.js').then(m => m.WASM_BASE64);
+const _embedded = () => import('../embedded/chacha20.js').then(m => m.WASM_BASE64);
 export async function chacha20Init(mode = 'embedded', opts) {
     return initModule('chacha20', _embedded, mode, opts);
 }

package/dist/chacha20/pool.js

@@ -20,7 +20,7 @@ let _wasmModule;
 async function getWasmModule() {
     if (_wasmModule)
         return _wasmModule;
-    const { WASM_BASE64 } = await import('../embedded/chacha.js');
+    const { WASM_BASE64 } = await import('../embedded/chacha20.js');
     const bytes = base64ToBytes(WASM_BASE64);
     _wasmModule = await WebAssembly.compile(bytes.buffer);
     return _wasmModule;

package/dist/docs/architecture.md

@@ -65,8 +65,8 @@ leviathan-crypto/
 │   │   │   ├── cbc.ts              ← CBC mode
 │   │   │   ├── ctr.ts              ← CTR mode
 │   │   │   └── buffers.ts          ← static buffer layout + offset getters
-│   │   ├── chacha/
-│   │   │   ├── index.ts            ← asc entry point → chacha.wasm
+│   │   ├── chacha20/
+│   │   │   ├── index.ts            ← asc entry point → chacha20.wasm
 │   │   │   ├── chacha20.ts
 │   │   │   ├── poly1305.ts
 │   │   │   ├── wipe.ts
@@ -90,7 +90,7 @@ leviathan-crypto/
 │       ├── fortuna.ts              ← Fortuna CSPRNG (requires serpent + sha2)
 │       ├── embedded/               ← generated base64 files (gitignored, build artifact)
 │       │   ├── serpent.ts
-│       │   ├── chacha.ts
+│       │   ├── chacha20.ts
 │       │   ├── sha2.ts
 │       │   └── sha3.ts
 │       ├── serpent/
@@ -162,7 +162,7 @@ independent, separate linear memories, separate buffer layouts, no shared state.
 | Module | Binary | Primitives |
 |--------|--------|------------|
 | `serpent` | `serpent.wasm` | Serpent-256 block cipher: ECB, CTR mode, CBC mode |
-| `chacha20` | `chacha.wasm` | ChaCha20, Poly1305, ChaCha20-Poly1305 AEAD, XChaCha20-Poly1305 AEAD |
+| `chacha20` | `chacha20.wasm` | ChaCha20, Poly1305, ChaCha20-Poly1305 AEAD, XChaCha20-Poly1305 AEAD |
 | `sha2` | `sha2.wasm` | SHA-256, SHA-384, SHA-512, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 |
 | `sha3` | `sha3.wasm` | SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256 |
 
@@ -188,11 +188,11 @@ parallel AEAD), and `SerpentStreamSealer` / `SerpentStreamOpener` (incremental
 streaming AEAD). All Tier 2 classes use HKDF-SHA256 for per-chunk key derivation
 and require both `serpent` and `sha2` to be initialized.
 
-**`chacha.wasm`**
+**`chacha20.wasm`**
 ChaCha20 stream cipher (RFC 8439). Poly1305 MAC (RFC 8439 §2.5). ChaCha20-Poly1305
 AEAD (RFC 8439 §2.8). XChaCha20-Poly1305 AEAD (draft-irtf-cfrg-xchacha).
 HChaCha20 subkey derivation.
-Source: `src/asm/chacha/`
+Source: `src/asm/chacha20/`
 
 The chacha20 TypeScript module also includes `pool.ts` (`XChaCha20Poly1305Pool`)
 and `pool.worker.ts`. The worker file compiles to `dist/chacha20/pool.worker.js`
@@ -255,7 +255,7 @@ await init(['serpent', 'sha3'])
 **`'streaming'` (performance path)**
 Uses `WebAssembly.instantiateStreaming()` for maximum load performance. The
 browser compiles the WASM binary while still downloading it. `wasmUrl` is a
-base URL, the loader appends the filename (`serpent.wasm`, `chacha.wasm`, etc.).
+base URL, the loader appends the filename (`serpent.wasm`, `chacha20.wasm`, etc.).
 Requires the `.wasm` files to be served with `Content-Type: application/wasm`.
 
 ```typescript
@@ -395,7 +395,7 @@ index.ts
   re-exports: buffers + serpent + serpent_unrolled + cbc + ctr
 ```
 
-**ChaCha (`src/asm/chacha/`)**
+**ChaCha (`src/asm/chacha20/`)**
 
 ```
 buffers.ts
@@ -464,7 +464,7 @@ index.ts
           |             |     |            |       |                    isInitialized()
           v             v     v            v       v
    embedded/     embedded/  embedded/  embedded/
-   serpent.ts    chacha.ts  sha2.ts    sha3.ts
+   serpent.ts    chacha20.ts  sha2.ts    sha3.ts
    (each module owns its own embedded thunk, no cross-module imports)
 ```
 
@@ -490,7 +490,7 @@ The loader calls the thunk, decodes base64, and instantiates the WASM binary.
 | `serpent/stream.ts` | `serpent/index.ts`, `sha2/index.ts`, `utils.ts` | `SerpentCtr`, `HMAC_SHA256`, `HKDF_SHA256`, `constantTimeEqual`, `concat` |
 | `serpent/stream-pool.ts` | `serpent/stream.ts` | `sealChunk`, `openChunk`, `chunkInfo` |
 | `serpent/stream-sealer.ts` | `serpent/index.ts`, `sha2/index.ts`, `utils.ts` | `SerpentCbc`, `HMAC_SHA256`, `HKDF_SHA256`, `concat`, `constantTimeEqual`, `wipe` |
-| `chacha20/index.ts` | `init.ts`, `utils.ts`, `chacha20/types.ts`, `embedded/chacha.ts` | `getInstance`, `initModule`, `Mode`, `InitOpts`, `constantTimeEqual`, `ChaChaExports`, `WASM_BASE64` |
+| `chacha20/index.ts` | `init.ts`, `utils.ts`, `chacha20/types.ts`, `embedded/chacha20.ts` | `getInstance`, `initModule`, `Mode`, `InitOpts`, `constantTimeEqual`, `ChaChaExports`, `WASM_BASE64` |
 | `sha2/index.ts` | `init.ts`, `embedded/sha2.ts` | `getInstance`, `initModule`, `Mode`, `InitOpts`, `WASM_BASE64` |
 | `sha3/index.ts` | `init.ts`, `embedded/sha3.ts` | `getInstance`, `initModule`, `Mode`, `InitOpts`, `WASM_BASE64` |
 | `fortuna.ts` | `init.ts`, `serpent/index.ts`, `sha2/index.ts`, `utils.ts` | `isInitialized`, `Serpent`, `SHA256`, `wipe`/`concat`/`utf8ToBytes` |
@@ -520,7 +520,7 @@ TypeScript, they call Tier 1 classes rather than WASM functions directly.
 | `SerpentStreamSealer` | `SerpentCbc` + `HMAC_SHA256` + `HKDF_SHA256` |
 | `SerpentStreamOpener` | `SerpentCbc` + `HMAC_SHA256` + `HKDF_SHA256` |
 
-**chacha20/index.ts → asm/chacha/**
+**chacha20/index.ts → asm/chacha20/**
 
 | TS Class | WASM functions called |
 |----------|---------------------|
@@ -654,7 +654,7 @@ Source: `src/asm/serpent/buffers.ts`
 
 ### ChaCha20 module — 3 pages (192 KB)
 
-Source: `src/asm/chacha/buffers.ts`
+Source: `src/asm/chacha20/buffers.ts`
 
 | Offset | Size | Name |
 |--------|------|------|
@@ -782,16 +782,16 @@ They are the immutable truth, and must never be modified to make tests pass.
 
 > ## Cross-References
 >
-> - [README.md](./README.md) — project overview and quick-start guide
-> - [test-suite.md](./test-suite.md) — testing methodology, vector corpus, and gate discipline
-> - [init.md](./init.md) — `init()` API, three loading modes, and idempotent behavior
-> - [loader.md](./loader.md) — internal WASM binary loading strategies (embedded, streaming, manual)
-> - [wasm.md](./wasm.md) — WebAssembly primer: modules, instances, memory, and the init gate
-> - [types.md](./types.md) — public TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)
-> - [utils.md](./utils.md) — encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`
-> - [serpent.md](./serpent.md) — Serpent-256 TypeScript API (SerpentSeal, SerpentStream, raw modes)
-> - [chacha20.md](./chacha20.md) — ChaCha20/Poly1305 TypeScript API and XChaCha20-Poly1305 AEAD
-> - [sha2.md](./sha2.md) — SHA-2 hashes, HMAC, and HKDF TypeScript API
-> - [sha3.md](./sha3.md) — SHA-3 hashes and SHAKE XOFs TypeScript API
-> - [fortuna.md](./fortuna.md) — Fortuna CSPRNG with forward secrecy and entropy pooling
-> - [argon2id.md](./argon2id.md) — Argon2id password hashing and key derivation
+> - [index](./README.md) — Project Documentation index
+> - [test-suite](./test-suite.md) — testing methodology, vector corpus, and gate discipline
+> - [init](./init.md) — `init()` API, three loading modes, and idempotent behavior
+> - [loader](./loader.md) — internal WASM binary loading strategies (embedded, streaming, manual)
+> - [wasm](./wasm.md) — WebAssembly primer: modules, instances, memory, and the init gate
+> - [types](./types.md) — public TypeScript interfaces (`Hash`, `KeyedHash`, `Blockcipher`, `Streamcipher`, `AEAD`)
+> - [utils](./utils.md) — encoding helpers, `constantTimeEqual`, `wipe`, `randomBytes`
+> - [serpent](./serpent.md) — Serpent-256 TypeScript API (SerpentSeal, SerpentStream, raw modes)
+> - [chacha20](./chacha20.md) — ChaCha20/Poly1305 TypeScript API and XChaCha20-Poly1305 AEAD
+> - [sha2](./sha2.md) — SHA-2 hashes, HMAC, and HKDF TypeScript API
+> - [sha3](./sha3.md) — SHA-3 hashes and SHAKE XOFs TypeScript API
+> - [fortuna](./fortuna.md) — Fortuna CSPRNG with forward secrecy and entropy pooling
+> - [argon2id](./argon2id.md) — Argon2id password hashing and key derivation

package/dist/docs/argon2id.md

@@ -282,9 +282,9 @@ xc2.dispose();
 
 > ## Cross-References
 >
-> - [README.md](./README.md) — project overview and quick-start guide
-> - [sha2.md](./sha2.md) — HKDF-SHA256 for key expansion from Argon2id root keys
-> - [serpent.md](./serpent.md) — SerpentSeal: Serpent-256 authenticated encryption (pairs with Argon2id-derived keys)
-> - [chacha20.md](./chacha20.md) — XChaCha20Poly1305: ChaCha20 authenticated encryption (pairs with Argon2id-derived keys)
-> - [utils.md](./utils.md) — `randomBytes` for generating salts, `constantTimeEqual` for hash verification
-> - [architecture.md](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [index](./README.md) — Project Documentation index
+> - [sha2](./sha2.md) — HKDF-SHA256 for key expansion from Argon2id root keys
+> - [serpent](./serpent.md) — SerpentSeal: Serpent-256 authenticated encryption (pairs with Argon2id-derived keys)
+> - [chacha20](./chacha20.md) — XChaCha20Poly1305: ChaCha20 authenticated encryption (pairs with Argon2id-derived keys)
+> - [utils](./utils.md) — `randomBytes` for generating salts, `constantTimeEqual` for hash verification
+> - [architecture](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline