leviathan-crypto 1.3.1 → 2.0.0

package/dist/stream/seal-stream.js

@@ -0,0 +1,142 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/stream/seal-stream.ts
+//
+// SealStream — cipher-agnostic streaming encryption using the STREAM
+// construction (Hoang/Reyhanitabar/Rogaway/Vizár, CRYPTO 2015).
+import { randomBytes, concat } from '../utils.js';
+import { isInitialized } from '../init.js';
+import { CHUNK_MIN, CHUNK_MAX, TAG_DATA, TAG_FINAL } from './constants.js';
+import { writeHeader, makeCounterNonce } from './header.js';
+function u32beFrame(n) {
+    const b = new Uint8Array(4);
+    new DataView(b.buffer).setUint32(0, n, false);
+    return b;
+}
+// Module-level nonce injection slot — used only by _fromNonce for KAT tests.
+// Set immediately before constructing, cleared inside the constructor.
+let _injectNonce;
+export class SealStream {
+    /** Preamble sent before the first chunk: header [|| kemCiphertext]. */
+    preamble;
+    cipher;
+    keys;
+    chunkSize;
+    framed;
+    counter = 0;
+    state = 'ready';
+    constructor(cipher, key, opts) {
+        this.cipher = cipher;
+        this.chunkSize = opts?.chunkSize ?? 65536;
+        this.framed = opts?.framed ?? false;
+        if (!isInitialized('sha2'))
+            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation — '
+                + 'call init({ sha2: ... }) before creating a SealStream');
+        if (key.length !== cipher.keySize)
+            throw new RangeError(`key must be ${cipher.keySize} bytes (got ${key.length})`);
+        if (this.chunkSize < CHUNK_MIN || this.chunkSize > CHUNK_MAX)
+            throw new RangeError(`chunkSize must be in [${CHUNK_MIN}, ${CHUNK_MAX}] (got ${this.chunkSize})`);
+        const nonce = _injectNonce ?? randomBytes(16);
+        _injectNonce = undefined;
+        this.keys = cipher.deriveKeys(key, nonce);
+        const kemCt = this.keys.kemCiphertext;
+        const header = writeHeader(cipher.formatEnum, this.framed, nonce, this.chunkSize);
+        this.preamble = kemCt ? concat(header, kemCt) : header;
+    }
+    /**
+     * @internal
+     * KAT-only factory — injects a fixed nonce so seal output is deterministic.
+     * Stripped from published `.d.ts` by `stripInternal`. Do not use in production.
+     */
+    static _fromNonce(cipher, key, opts, nonce) {
+        if (nonce.length !== 16)
+            throw new RangeError(`_nonce must be 16 bytes (got ${nonce.length})`);
+        _injectNonce = nonce;
+        try {
+            return new SealStream(cipher, key, opts);
+        }
+        finally {
+            _injectNonce = undefined;
+        }
+    }
+    push(chunk, opts) {
+        if (this.state !== 'ready')
+            throw new Error('SealStream: cannot push after finalize');
+        if (chunk.length > this.chunkSize)
+            throw new RangeError(`chunk exceeds chunkSize (${chunk.length} > ${this.chunkSize})`);
+        const nonce = makeCounterNonce(this.counter, TAG_DATA);
+        const result = this.cipher.sealChunk(this.keys, nonce, chunk, opts?.aad);
+        this.counter++;
+        return this.framed ? concat(u32beFrame(result.length), result) : result;
+    }
+    finalize(chunk, opts) {
+        if (this.state !== 'ready')
+            throw new Error('SealStream: already finalized');
+        if (chunk.length > this.chunkSize)
+            throw new RangeError(`chunk exceeds chunkSize (${chunk.length} > ${this.chunkSize})`);
+        const nonce = makeCounterNonce(this.counter, TAG_FINAL);
+        const result = this.cipher.sealChunk(this.keys, nonce, chunk, opts?.aad);
+        this.cipher.wipeKeys(this.keys);
+        this.state = 'finalized';
+        return this.framed ? concat(u32beFrame(result.length), result) : result;
+    }
+    dispose() {
+        if (this.state === 'ready') {
+            this.cipher.wipeKeys(this.keys);
+            this.state = 'finalized';
+        }
+    }
+    toTransformStream() {
+        let headerSent = false;
+        let buffered = null;
+        return new TransformStream({
+            transform: (chunk, controller) => {
+                try {
+                    if (!headerSent) {
+                        controller.enqueue(this.preamble);
+                        headerSent = true;
+                    }
+                    if (buffered !== null) {
+                        controller.enqueue(this.push(buffered));
+                    }
+                    buffered = chunk;
+                }
+                catch (err) {
+                    this.dispose();
+                    throw err;
+                }
+            },
+            flush: (controller) => {
+                try {
+                    if (!headerSent) {
+                        controller.enqueue(this.preamble);
+                    }
+                    controller.enqueue(this.finalize(buffered ?? new Uint8Array(0)));
+                }
+                catch (err) {
+                    this.dispose();
+                    throw err;
+                }
+            },
+        });
+    }
+}

package/dist/stream/seal.d.ts

@@ -0,0 +1,9 @@
+import type { CipherSuite } from './types.js';
+export declare class Seal {
+    static encrypt(suite: CipherSuite, key: Uint8Array, pt: Uint8Array, opts?: {
+        aad?: Uint8Array;
+    }): Uint8Array;
+    static decrypt(suite: CipherSuite, key: Uint8Array, blob: Uint8Array, opts?: {
+        aad?: Uint8Array;
+    }): Uint8Array;
+}

package/dist/stream/seal.js

@@ -0,0 +1,75 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/stream/seal.ts
+//
+// Seal — unified single-shot encrypt/decrypt using the STREAM construction.
+// Seal blobs are valid SealStream blobs with a single final chunk.
+// OpenStream can decrypt a Seal blob without modification.
+import { concat } from '../utils.js';
+import { SealStream } from './seal-stream.js';
+import { OpenStream } from './open-stream.js';
+import { HEADER_SIZE, CHUNK_MAX, CHUNK_MIN } from './constants.js';
+// eslint-disable-next-line @typescript-eslint/no-extraneous-class -- static-only class required for stripInternal to strip _fromNonce from .d.ts
+export class Seal {
+    static encrypt(suite, key, pt, opts) {
+        if (pt.length > CHUNK_MAX)
+            throw new RangeError(`Seal.encrypt: plaintext exceeds maximum (${CHUNK_MAX} bytes) — use SealStream for large data`);
+        const sealer = new SealStream(suite, key, { chunkSize: Math.max(pt.length, CHUNK_MIN) });
+        try {
+            const ct = sealer.finalize(pt, opts);
+            return concat(sealer.preamble, ct);
+        }
+        finally {
+            sealer.dispose();
+        }
+    }
+    static decrypt(suite, key, blob, opts) {
+        const preambleLen = HEADER_SIZE + suite.kemCtSize;
+        if (blob.length < preambleLen)
+            throw new RangeError(`Seal.decrypt: blob too short — need at least ${preambleLen} bytes (got ${blob.length})`);
+        const preamble = blob.subarray(0, preambleLen);
+        const opener = new OpenStream(suite, key, preamble);
+        try {
+            return opener.finalize(blob.subarray(preambleLen), opts);
+        }
+        finally {
+            opener.dispose();
+        }
+    }
+    /**
+     * @internal
+     * KAT-only — injects a fixed nonce so output is deterministic.
+     * Stripped from published `.d.ts` by `stripInternal`. Do not use in production.
+     */
+    static _fromNonce(suite, key, pt, nonce, opts) {
+        if (pt.length > CHUNK_MAX)
+            throw new RangeError(`Seal._fromNonce: plaintext exceeds maximum (${CHUNK_MAX} bytes) — use SealStream for large data`);
+        const sealer = SealStream._fromNonce(suite, key, { chunkSize: Math.max(pt.length, CHUNK_MIN) }, nonce);
+        try {
+            const ct = sealer.finalize(pt, opts);
+            return concat(sealer.preamble, ct);
+        }
+        finally {
+            sealer.dispose();
+        }
+    }
+}

package/dist/stream/types.d.ts

@@ -0,0 +1,24 @@
+export interface DerivedKeys {
+    readonly bytes: Uint8Array;
+    readonly kemCiphertext?: Uint8Array;
+}
+export interface CipherSuite {
+    readonly formatEnum: number;
+    readonly formatName: string;
+    readonly hkdfInfo: string;
+    readonly keySize: number;
+    readonly decKeySize?: number;
+    readonly kemCtSize: number;
+    readonly tagSize: number;
+    readonly padded: boolean;
+    deriveKeys(key: Uint8Array, nonce: Uint8Array, kemCt?: Uint8Array): DerivedKeys;
+    sealChunk(keys: DerivedKeys, counterNonce: Uint8Array, chunk: Uint8Array, aad?: Uint8Array): Uint8Array;
+    openChunk(keys: DerivedKeys, counterNonce: Uint8Array, chunk: Uint8Array, aad?: Uint8Array): Uint8Array;
+    wipeKeys(keys: DerivedKeys): void;
+    readonly wasmModules: readonly string[];
+    createPoolWorker(): Worker;
+}
+export interface SealStreamOpts {
+    chunkSize?: number;
+    framed?: boolean;
+}

package/dist/stream/types.js

@@ -0,0 +1,26 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/stream/types.ts
+//
+// CipherSuite interface — cipher-specific logic injected into SealStream
+// and OpenStream. Implementations are plain objects (not classes).
+export {};

package/dist/utils.d.ts

@@ -1,4 +1,4 @@
-/** Hex string to Uint8Array. Accepts lowercase/uppercase, optional 0x prefix. */
+/** Hex string to Uint8Array. Accepts lowercase/uppercase, optional 0x prefix. Throws RangeError on odd-length input. */
 export declare const hexToBytes: (hex: string) => Uint8Array;
 /** Uint8Array to lowercase hex string. */
 export declare const bytesToHex: (bytes: Uint8Array) => string;
@@ -6,26 +6,31 @@ export declare const bytesToHex: (bytes: Uint8Array) => string;
 export declare const utf8ToBytes: (str: string) => Uint8Array;
 /** Uint8Array to UTF-8 string. */
 export declare const bytesToUtf8: (bytes: Uint8Array) => string;
-/** Base64 or base64url string to Uint8Array. Returns undefined on invalid input. */
+/** Base64 or base64url string to Uint8Array. Handles padded, unpadded, and legacy %3d padding. Returns undefined on invalid input. */
 export declare const base64ToBytes: (b64: string) => Uint8Array | undefined;
-/** Uint8Array to base64 string. Pass url=true for base64url encoding. */
+/** Uint8Array to base64 string. Pass url=true for base64url (RFC 4648 §5 — no padding characters). */
 export declare const bytesToBase64: (bytes: Uint8Array, url?: boolean) => string;
+export declare const CT_MAX_BYTES = 32768;
 /**
  * Constant-time byte-array equality.
- * XOR-accumulate pattern — no early return on mismatch.
+ * Uses WASM SIMD when available (no JIT short-circuiting, no speculative
+ * optimization). Falls back to a JS XOR-accumulate loop on runtimes
+ * without SIMD support.
  * Length check is not constant-time (length is non-secret in all protocols).
+ * Max input size: 32768 bytes per side (enforced regardless of code path).
  */
 export declare const constantTimeEqual: (a: Uint8Array, b: Uint8Array) => boolean;
 /** Zero a typed array in place. */
 export declare const wipe: (data: Uint8Array | Uint16Array | Uint32Array) => void;
 /** XOR two equal-length Uint8Arrays, returns new array. */
 export declare const xor: (a: Uint8Array, b: Uint8Array) => Uint8Array;
-/** Concatenate two Uint8Arrays, returns new array. */
-export declare const concat: (a: Uint8Array, b: Uint8Array) => Uint8Array;
+/** Concatenate one or more Uint8Arrays into a new array. */
+export declare const concat: (...arrays: Uint8Array[]) => Uint8Array;
 /** Cryptographically secure random bytes via Web Crypto API. */
 export declare const randomBytes: (n: number) => Uint8Array;
 /**
  * Detects WASM SIMD support once and caches the result.
- * Gates CTR/CBC-decrypt dispatch in Serpent and encryptChunk dispatch in ChaCha20.
+ * Used by init() to preflight-check before loading serpent/chacha20 modules.
+ * Exported for consumers who want to feature-detect before calling init().
  */
 export declare function hasSIMD(): boolean;

package/dist/utils.js

@@ -24,12 +24,12 @@
 // Pure TypeScript utilities — no init() dependency.
 // Ported from leviathan/src/base.ts (Convert namespace, Util namespace, constantTimeEqual).
 // ── Encoding ─────────────────────────────────────────────────────────────────
-/** Hex string to Uint8Array. Accepts lowercase/uppercase, optional 0x prefix. */
+/** Hex string to Uint8Array. Accepts lowercase/uppercase, optional 0x prefix. Throws RangeError on odd-length input. */
 export const hexToBytes = (hex) => {
     if (hex.startsWith('0x') || hex.startsWith('0X'))
         hex = hex.slice(2);
     if (hex.length % 2)
-        hex += '0';
+        throw new RangeError(`hexToBytes: odd-length string (${hex.length} chars) — input must be an even-length hex string`);
     const bin = new Uint8Array(hex.length >>> 1);
     for (let i = 0, len = hex.length >>> 1; i < len; i++)
         bin[i] = parseInt(hex.slice(i << 1, (i << 1) + 2), 16);
@@ -51,12 +51,18 @@ export const utf8ToBytes = (str) => {
 export const bytesToUtf8 = (bytes) => {
     return new TextDecoder().decode(bytes);
 };
-/** Base64 or base64url string to Uint8Array. Returns undefined on invalid input. */
+/** Base64 or base64url string to Uint8Array. Handles padded, unpadded, and legacy %3d padding. Returns undefined on invalid input. */
 export const base64ToBytes = (b64) => {
     // Normalise base64url → base64
-    b64 = b64.replace(/-/g, '+').replace(/_/g, '/').replace(/%3d/g, '=');
-    if (b64.length % 4 !== 0)
-        return undefined;
+    b64 = b64.replace(/-/g, '+').replace(/_/g, '/').replace(/%3d/gi, '=');
+    // Re-pad if unpadded (RFC 4648 §5 base64url omits '=')
+    const rem = b64.length % 4;
+    if (rem === 1)
+        return undefined; // always invalid — no valid b64 produces this
+    if (rem === 2)
+        b64 += '==';
+    if (rem === 3)
+        b64 += '=';
     if (!/^[A-Za-z0-9+/]*={0,2}$/.test(b64))
         return undefined;
     let strlen = b64.length / 4 * 3;
@@ -104,11 +110,11 @@ export const base64ToBytes = (b64) => {
     }
     return bin;
 };
-/** Uint8Array to base64 string. Pass url=true for base64url encoding. */
+/** Uint8Array to base64 string. Pass url=true for base64url (RFC 4648 §5 — no padding characters). */
 export const bytesToBase64 = (bytes, url = false) => {
     if (typeof btoa !== 'undefined') {
         const raw = btoa(String.fromCharCode.apply(null, Array.from(bytes)));
-        return url ? raw.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '%3d') : raw;
+        return url ? raw.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '') : raw;
     }
     // Fallback: manual encode
     const table = url
@@ -125,20 +131,65 @@ export const bytesToBase64 = (bytes, url = false) => {
         const triple = (a << 0x10) + (b << 0x08) + c;
         base64 += table.charAt((triple >>> 18) & 0x3F);
         base64 += table.charAt((triple >>> 12) & 0x3F);
-        base64 += (i < bytes.length + 2) ? table.charAt((triple >>> 6) & 0x3F) : (url ? '%3d' : '=');
-        base64 += (i < bytes.length + 1) ? table.charAt(triple & 0x3F) : (url ? '%3d' : '=');
+        base64 += (i < bytes.length + 2) ? table.charAt((triple >>> 6) & 0x3F) : (url ? '' : '=');
+        base64 += (i < bytes.length + 1) ? table.charAt(triple & 0x3F) : (url ? '' : '=');
     }
     return base64;
 };
-// ── Crypto utilities ─────────────────────────────────────────────────────────
+// ── Constant-time comparison ─────────────────────────────────────────────────
+import { CT_WASM } from './ct-wasm.js';
+let _ctCompare = null;
+let _ctMem = null;
+let _ctInit = false;
+// CT WASM module uses 1 page (64KB) of linear memory with both buffers
+// laid out side-by-side: a at offset 0, b at offset a.length.
+// Max per-side = _ctMem.buffer.byteLength >>> 1 = 32768 bytes.
+// In practice the largest comparison is a 32-byte HMAC-SHA-256 tag.
+export const CT_MAX_BYTES = 32768;
+/** Try to compile the SIMD WASM ct module. Returns false if unavailable. */
+function _initCt() {
+    if (_ctInit)
+        return _ctCompare !== null;
+    _ctInit = true;
+    try {
+        if (!hasSIMD())
+            return false;
+        _ctMem = new WebAssembly.Memory({ initial: 1, maximum: 1 });
+        const buf = CT_WASM.buffer.slice(CT_WASM.byteOffset, CT_WASM.byteOffset + CT_WASM.byteLength);
+        const mod = new WebAssembly.Module(buf);
+        const inst = new WebAssembly.Instance(mod, { env: { memory: _ctMem } });
+        _ctCompare = inst.exports.compare;
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Constant-time byte-array equality.
- * XOR-accumulate pattern — no early return on mismatch.
+ * Uses WASM SIMD when available (no JIT short-circuiting, no speculative
+ * optimization). Falls back to a JS XOR-accumulate loop on runtimes
+ * without SIMD support.
  * Length check is not constant-time (length is non-secret in all protocols).
+ * Max input size: 32768 bytes per side (enforced regardless of code path).
  */
 export const constantTimeEqual = (a, b) => {
     if (a.length !== b.length)
         return false;
+    if (a.length > CT_MAX_BYTES)
+        throw new RangeError(`constantTimeEqual: max ${CT_MAX_BYTES} bytes (got ${a.length})`);
+    if (_initCt() && _ctMem && _ctCompare) {
+        const mem = new Uint8Array(_ctMem.buffer);
+        mem.set(a, 0);
+        mem.set(b, a.length);
+        try {
+            return _ctCompare(0, a.length, a.length) === 1;
+        }
+        finally {
+            mem.fill(0, 0, a.length * 2);
+        }
+    }
+    // JS fallback — best-effort constant-time via XOR accumulate
     let diff = 0;
     for (let i = 0; i < a.length; i++)
         diff |= a[i] ^ b[i];
@@ -154,12 +205,16 @@ export const xor = (a, b) => {
         throw new RangeError(`xor: length mismatch (${a.length} vs ${b.length})`);
     return a.map((val, i) => val ^ b[i]);
 };
-/** Concatenate two Uint8Arrays, returns new array. */
-export const concat = (a, b) => {
-    const result = new Uint8Array(a.length + b.length);
-    result.set(a, 0);
-    result.set(b, a.length);
-    return result;
+/** Concatenate one or more Uint8Arrays into a new array. */
+export const concat = (...arrays) => {
+    const len = arrays.reduce((s, a) => s + a.length, 0);
+    const out = new Uint8Array(len);
+    let off = 0;
+    for (const a of arrays) {
+        out.set(a, off);
+        off += a.length;
+    }
+    return out;
 };
 /** Cryptographically secure random bytes via Web Crypto API. */
 export const randomBytes = (n) => {
@@ -171,7 +226,8 @@ export const randomBytes = (n) => {
 let _simd = null;
 /**
  * Detects WASM SIMD support once and caches the result.
- * Gates CTR/CBC-decrypt dispatch in Serpent and encryptChunk dispatch in ChaCha20.
+ * Used by init() to preflight-check before loading serpent/chacha20 modules.
+ * Exported for consumers who want to feature-detect before calling init().
  */
 export function hasSIMD() {
     if (_simd !== null)

package/dist/wasm-source.d.ts

@@ -0,0 +1,12 @@
+/**
+ * All accepted forms of WASM input for init functions.
+ *
+ * - `string`                — gzip+base64 embedded blob (from `/embedded` subpath)
+ * - `URL`                   — fetched via `WebAssembly.instantiateStreaming`
+ * - `ArrayBuffer`           — raw WASM bytes, compiled inline
+ * - `Uint8Array`            — raw WASM bytes, compiled inline
+ * - `WebAssembly.Module`    — pre-compiled module (Cloudflare Workers, edge runtimes)
+ * - `Response`              — streaming instantiation from an in-flight fetch response
+ * - `Promise<Response>`     — streaming instantiation from a deferred fetch
+ */
+export type WasmSource = string | URL | ArrayBuffer | Uint8Array | WebAssembly.Module | Response | Promise<Response>;

package/dist/wasm-source.js

@@ -0,0 +1,26 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/wasm-source.ts
+//
+// Union type for all accepted WASM loading strategies.
+// The argument type determines the loading path — no mode string required.
+export {};

package/package.json

@@ -1,18 +1,26 @@
 {
   "name": "leviathan-crypto",
-  "version": "1.3.1",
+  "version": "2.0.0",
   "author": "xero (https://x-e.ro)",
   "license": "MIT",
-  "description": "Zero-dependency WebAssembly cryptography library for TypeScript: Serpent-256, XChaCha20-Poly1305, SHA-2/3, HMAC, HKDF, and Fortuna CSPRNG, with a strictly typed API built on vector-verified primitives.",
+  "description": "Zero-dependency WASM cryptography for TypeScript. Paranoid ciphers, post-quantum key encapsulation, and Fortuna CSPRNG behind a strictly typed API. All computation runs outside the JS JIT on vector-verified primitives.",
   "type": "module",
   "sideEffects": false,
   "exports": {
     ".": "./dist/index.js",
+    "./stream": "./dist/stream/index.js",
     "./serpent": "./dist/serpent/index.js",
+    "./serpent/embedded": "./dist/serpent/embedded.js",
     "./chacha20": "./dist/chacha20/index.js",
-    "./chacha20/pool": "./dist/chacha20/pool.js",
+    "./chacha20/embedded": "./dist/chacha20/embedded.js",
     "./sha2": "./dist/sha2/index.js",
-    "./sha3": "./dist/sha3/index.js"
+    "./sha2/embedded": "./dist/sha2/embedded.js",
+    "./sha3": "./dist/sha3/index.js",
+    "./sha3/embedded": "./dist/sha3/embedded.js",
+    "./keccak": "./dist/keccak/index.js",
+    "./keccak/embedded": "./dist/keccak/embedded.js",
+    "./kyber": "./dist/kyber/index.js",
+    "./kyber/embedded": "./dist/kyber/embedded.js"
   },
   "types": "./dist/index.d.ts",
   "files": [
@@ -24,7 +32,7 @@
     "type": "git",
     "url": "git+https://github.com/xero/leviathan-crypto.git"
   },
-  "homepage": "https://github.com/xero/leviathan-crypto/wiki",
+  "homepage": "https://leviathan.3xi.club",
   "bugs": {
     "url": "https://github.com/xero/leviathan-crypto/issues"
   },

package/dist/chacha20/pool.d.ts

@@ -1,52 +0,0 @@
-export interface PoolOpts {
-    /** Number of workers. Default: navigator.hardwareConcurrency ?? 4 */
-    workers?: number;
-}
-/**
- * Parallel worker pool for XChaCha20-Poly1305 AEAD.
- *
- * Each worker owns its own `WebAssembly.Instance` with isolated linear memory.
- * Jobs are dispatched round-robin to idle workers; excess jobs queue until a
- * worker frees up.
- *
- * **Warning:** Input buffers (`key`, `nonce`, `plaintext`/`ciphertext`, `aad`)
- * are transferred to the worker and neutered on the calling side. The caller
- * must copy any buffer they need to retain after calling `encrypt()`/`decrypt()`.
- */
-export declare class XChaCha20Poly1305Pool {
-    private readonly _workers;
-    private readonly _idle;
-    private readonly _queue;
-    private readonly _pending;
-    private _nextId;
-    private _disposed;
-    private constructor();
-    /**
-     * Create a new pool. Requires `init(['chacha20'])` to have been called.
-     * Compiles the WASM module once and distributes it to all workers.
-     */
-    static create(opts?: PoolOpts): Promise<XChaCha20Poly1305Pool>;
-    /**
-     * Encrypt plaintext with XChaCha20-Poly1305.
-     * Returns `ciphertext || tag` (plaintext.length + 16 bytes).
-     *
-     * **Warning:** All input buffers are transferred and neutered after dispatch.
-     */
-    encrypt(key: Uint8Array, nonce: Uint8Array, plaintext: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
-    /**
-     * Decrypt ciphertext with XChaCha20-Poly1305.
-     * Input is `ciphertext || tag` (at least 16 bytes).
-     *
-     * **Warning:** All input buffers are transferred and neutered after dispatch.
-     */
-    decrypt(key: Uint8Array, nonce: Uint8Array, ciphertext: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
-    /** Terminates all workers. Rejects all pending and queued jobs. */
-    dispose(): void;
-    /** Number of workers in the pool. */
-    get size(): number;
-    /** Number of jobs currently queued (waiting for a free worker). */
-    get queueDepth(): number;
-    private _dispatch;
-    private _send;
-    private _onMessage;
-}