leviathan-crypto 1.4.0 → 2.0.0

package/dist/serpent/pool-worker.js

@@ -0,0 +1,202 @@
+// / <reference lib="webworker" />
+// src/ts/serpent/pool-worker.ts
+//
+// Worker for SealStreamPool with SerpentCipher.
+// Holds 3 derived keys (enc/mac/iv) and raw WASM instances.
+// Direct WASM calls — no initModule (avoids same-thread module cache conflicts
+// in @vitest/web-worker test environment).
+import { constantTimeEqual, wipe, concat } from '../utils.js';
+import { AuthenticationError } from '../errors.js';
+let sha2;
+let serpent;
+let keys;
+function hmacSha256(key, msg) {
+    const x = sha2;
+    let k = key;
+    if (k.length > 64) {
+        x.sha256Init();
+        feedSha2(k);
+        x.sha256Final();
+        const mem = new Uint8Array(x.memory.buffer);
+        k = mem.slice(x.getSha256OutOffset(), x.getSha256OutOffset() + 32);
+    }
+    const mem = new Uint8Array(x.memory.buffer);
+    mem.set(k, x.getSha256InputOffset());
+    x.hmac256Init(k.length);
+    feedHmac(msg);
+    x.hmac256Final();
+    return new Uint8Array(x.memory.buffer).slice(x.getSha256OutOffset(), x.getSha256OutOffset() + 32);
+}
+function feedSha2(data) {
+    const x = sha2;
+    const mem = new Uint8Array(x.memory.buffer);
+    const off = x.getSha256InputOffset();
+    let pos = 0;
+    while (pos < data.length) {
+        const n = Math.min(data.length - pos, 64);
+        mem.set(data.subarray(pos, pos + n), off);
+        x.sha256Update(n);
+        pos += n;
+    }
+}
+function feedHmac(data) {
+    const x = sha2;
+    const mem = new Uint8Array(x.memory.buffer);
+    const off = x.getSha256InputOffset();
+    let pos = 0;
+    while (pos < data.length) {
+        const n = Math.min(data.length - pos, 64);
+        mem.set(data.subarray(pos, pos + n), off);
+        x.hmac256Update(n);
+        pos += n;
+    }
+}
+function pkcs7Pad(data) {
+    const padLen = 16 - (data.length % 16);
+    const out = new Uint8Array(data.length + padLen);
+    out.set(data);
+    out.fill(padLen, data.length);
+    return out;
+}
+// pkcs7Strip is only called after HMAC authentication succeeds (verify-then-decrypt).
+// The early throw on invalid padLen is not a padding oracle in this context —
+// the HMAC check is the oracle gate and runs in constant time before this point.
+// If you move this call to a pre-auth site, revisit the timing properties.
+function pkcs7Strip(data) {
+    if (data.length === 0)
+        throw new RangeError('empty ciphertext');
+    const padLen = data[data.length - 1];
+    if (padLen === 0 || padLen > 16)
+        throw new RangeError('invalid PKCS7 padding');
+    if (padLen > data.length)
+        throw new RangeError('invalid PKCS7 padding');
+    let bad = 0;
+    for (let i = data.length - padLen; i < data.length; i++)
+        bad |= data[i] ^ padLen;
+    if (bad !== 0)
+        throw new RangeError('invalid PKCS7 padding');
+    return data.subarray(0, data.length - padLen);
+}
+function cbcEncrypt(encKey, iv, plaintext) {
+    const s = serpent;
+    const mem = new Uint8Array(s.memory.buffer);
+    mem.set(encKey, s.getKeyOffset());
+    s.loadKey(encKey.length);
+    mem.set(iv, s.getCbcIvOffset());
+    const padded = pkcs7Pad(plaintext);
+    mem.set(padded, s.getChunkPtOffset());
+    s.cbcEncryptChunk(padded.length);
+    return new Uint8Array(s.memory.buffer).slice(s.getChunkCtOffset(), s.getChunkCtOffset() + padded.length);
+}
+function cbcDecrypt(encKey, iv, ct) {
+    const s = serpent;
+    const mem = new Uint8Array(s.memory.buffer);
+    mem.set(encKey, s.getKeyOffset());
+    s.loadKey(encKey.length);
+    mem.set(iv, s.getCbcIvOffset());
+    mem.set(ct, s.getChunkCtOffset());
+    s.cbcDecryptChunk(ct.length);
+    const raw = new Uint8Array(s.memory.buffer).slice(s.getChunkPtOffset(), s.getChunkPtOffset() + ct.length);
+    return pkcs7Strip(raw);
+}
+self.onmessage = async (e) => {
+    const msg = e.data;
+    if (msg.type === 'init') {
+        try {
+            const sha2Mem = new WebAssembly.Memory({ initial: 3, maximum: 3 });
+            const sha2Inst = await WebAssembly.instantiate(msg.modules.sha2, { env: { memory: sha2Mem } });
+            sha2 = sha2Inst.exports;
+            const serpentMem = new WebAssembly.Memory({ initial: 3, maximum: 3 });
+            const serpentInst = await WebAssembly.instantiate(msg.modules.serpent, { env: { memory: serpentMem } });
+            serpent = serpentInst.exports;
+            keys = new Uint8Array(msg.derivedKeyBytes);
+            if (keys.length !== 96)
+                throw new Error(`expected 96 derived key bytes (got ${keys.length})`);
+            msg.derivedKeyBytes.fill(0);
+            self.postMessage({ type: 'ready' });
+        }
+        catch (err) {
+            self.postMessage({ type: 'error', id: -1, message: err.message, isAuthError: false });
+        }
+        return;
+    }
+    if (msg.type === 'wipe') {
+        if (keys)
+            keys.fill(0);
+        keys = undefined;
+        if (sha2)
+            sha2.wipeBuffers();
+        if (serpent)
+            serpent.wipeBuffers();
+        sha2 = undefined;
+        serpent = undefined;
+        return;
+    }
+    if (!keys || !sha2 || !serpent) {
+        self.postMessage({ type: 'error', id: msg.id, message: 'worker not initialized', isAuthError: false });
+        return;
+    }
+    try {
+        const { id, op, counterNonce, data, aad } = msg;
+        const aadBytes = aad ?? new Uint8Array(0);
+        const jobKey = msg.derivedKeyBytes ?? keys;
+        const encKey = jobKey.subarray(0, 32);
+        const macKey = jobKey.subarray(32, 64);
+        const ivKey = jobKey.subarray(64, 96);
+        let result;
+        if (op === 'seal') {
+            const ivFull = hmacSha256(ivKey, counterNonce);
+            const iv = ivFull.slice(0, 16);
+            wipe(ivFull);
+            const ct = cbcEncrypt(encKey, iv, data);
+            const aadLenBuf = new Uint8Array(4);
+            new DataView(aadLenBuf.buffer).setUint32(0, aadBytes.length, false);
+            const tagInput = concat(counterNonce, aadLenBuf, aadBytes, ct);
+            const tag = hmacSha256(macKey, tagInput);
+            result = concat(ct, tag);
+            wipe(iv);
+            wipe(tagInput);
+        }
+        else {
+            const ct = data.subarray(0, data.length - 32);
+            const receivedTag = data.subarray(data.length - 32);
+            const ivFull = hmacSha256(ivKey, counterNonce);
+            const iv = ivFull.slice(0, 16);
+            wipe(ivFull);
+            const aadLenBuf = new Uint8Array(4);
+            new DataView(aadLenBuf.buffer).setUint32(0, aadBytes.length, false);
+            const tagInput = concat(counterNonce, aadLenBuf, aadBytes, ct);
+            const expectedTag = hmacSha256(macKey, tagInput);
+            // CRITICAL: verify HMAC before decrypting (Vaudenay 2002)
+            if (!constantTimeEqual(expectedTag, receivedTag)) {
+                wipe(iv);
+                wipe(tagInput);
+                wipe(expectedTag);
+                throw new AuthenticationError('serpent');
+            }
+            wipe(tagInput);
+            wipe(expectedTag);
+            result = cbcDecrypt(encKey, iv, ct);
+            wipe(iv);
+        }
+        const transfer = result.buffer instanceof ArrayBuffer ? [result.buffer] : [];
+        self.postMessage({ type: 'result', id, data: result }, { transfer });
+    }
+    catch (err) {
+        const isAuth = err instanceof AuthenticationError;
+        self.postMessage({
+            type: 'error', id: msg.id,
+            message: err.message,
+            cipher: isAuth ? 'serpent' : undefined,
+            isAuthError: isAuth,
+        });
+    }
+    finally {
+        if (msg.derivedKeyBytes)
+            msg.derivedKeyBytes.fill(0);
+        if (sha2)
+            sha2.wipeBuffers();
+        if (serpent)
+            serpent.wipeBuffers();
+    }
+};

package/dist/serpent/serpent-cbc.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Serpent-256 in CBC mode with PKCS7 padding.
+ *
+ * **WARNING: CBC mode is unauthenticated.** Always authenticate the output
+ * with HMAC-SHA256 (Encrypt-then-MAC) or use `XChaCha20Poly1305` instead.
+ */
+export declare class SerpentCbc {
+    private readonly x;
+    constructor(opts?: {
+        dangerUnauthenticated: true;
+    });
+    private get mem();
+    /**
+   * Encrypt plaintext with Serpent-256 CBC + PKCS7 padding.
+   *
+   * @param key       16, 24, or 32 bytes
+   * @param iv        16 bytes — must be random and unique per (key, message)
+   * @param plaintext any length — PKCS7 padding applied automatically
+   * @returns         ciphertext (length = ceil((plaintext.length + 1) / 16) * 16)
+   */
+    encrypt(key: Uint8Array, iv: Uint8Array, plaintext: Uint8Array): Uint8Array;
+    /**
+   * Decrypt Serpent-256 CBC + PKCS7.
+   * Throws if ciphertext length is not a non-zero multiple of 16 or PKCS7 is invalid.
+   */
+    decrypt(key: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array): Uint8Array;
+    dispose(): void;
+    private _loadKey;
+    private _setIv;
+}

package/dist/serpent/serpent-cbc.js

@@ -0,0 +1,136 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/serpent/serpent-cbc.ts
+//
+// SerpentCbc — Serpent-256 CBC + PKCS7, internal module.
+// Extracted to break the cipher-suite.ts ↔ index.ts circular dependency.
+// Import from here directly; index.ts re-exports for the public API surface.
+import { getInstance } from '../init.js';
+function getExports() {
+    return getInstance('serpent').exports;
+}
+// ── PKCS7 helpers ────────────────────────────────────────────────────────────
+function pkcs7Pad(data) {
+    const padLen = 16 - (data.length % 16); // 1..16
+    const out = new Uint8Array(data.length + padLen);
+    out.set(data);
+    out.fill(padLen, data.length);
+    return out;
+}
+// pkcs7Strip is only called after HMAC authentication succeeds (verify-then-decrypt).
+// The early throw on invalid padLen is not a padding oracle in this context —
+// the HMAC check is the oracle gate and runs in constant time before this point.
+// If you move this call to a pre-auth site, revisit the timing properties.
+function pkcs7Strip(data) {
+    if (data.length === 0)
+        throw new RangeError('empty ciphertext');
+    const padLen = data[data.length - 1];
+    if (padLen === 0 || padLen > 16)
+        throw new RangeError(`invalid PKCS7 padding byte: ${padLen}`);
+    if (padLen > data.length)
+        throw new RangeError(`invalid PKCS7 padding: pad length ${padLen} exceeds data length ${data.length}`);
+    let bad = 0;
+    for (let i = data.length - padLen; i < data.length; i++)
+        bad |= data[i] ^ padLen;
+    if (bad !== 0)
+        throw new RangeError('invalid PKCS7 padding');
+    return data.subarray(0, data.length - padLen);
+}
+// ── SerpentCbc ───────────────────────────────────────────────────────────────
+/**
+ * Serpent-256 in CBC mode with PKCS7 padding.
+ *
+ * **WARNING: CBC mode is unauthenticated.** Always authenticate the output
+ * with HMAC-SHA256 (Encrypt-then-MAC) or use `XChaCha20Poly1305` instead.
+ */
+export class SerpentCbc {
+    x;
+    constructor(opts) {
+        if (!opts?.dangerUnauthenticated) {
+            throw new Error('leviathan-crypto: SerpentCbc is unauthenticated — use Seal with SerpentCipher instead. ' +
+                'To use SerpentCbc directly, pass { dangerUnauthenticated: true }.');
+        }
+        this.x = getExports();
+    }
+    get mem() {
+        return new Uint8Array(this.x.memory.buffer);
+    }
+    /**
+   * Encrypt plaintext with Serpent-256 CBC + PKCS7 padding.
+   *
+   * @param key       16, 24, or 32 bytes
+   * @param iv        16 bytes — must be random and unique per (key, message)
+   * @param plaintext any length — PKCS7 padding applied automatically
+   * @returns         ciphertext (length = ceil((plaintext.length + 1) / 16) * 16)
+   */
+    encrypt(key, iv, plaintext) {
+        this._loadKey(key);
+        this._setIv(iv);
+        const padded = pkcs7Pad(plaintext);
+        const output = new Uint8Array(padded.length);
+        const ptOff = this.x.getChunkPtOffset();
+        const ctOff = this.x.getChunkCtOffset();
+        const maxChunk = this.x.getChunkSize();
+        for (let off = 0; off < padded.length; off += maxChunk) {
+            const chunk = padded.subarray(off, Math.min(off + maxChunk, padded.length));
+            this.mem.set(chunk, ptOff);
+            this.x.cbcEncryptChunk(chunk.length);
+            output.set(new Uint8Array(this.x.memory.buffer).subarray(ctOff, ctOff + chunk.length), off);
+        }
+        return output;
+    }
+    /**
+   * Decrypt Serpent-256 CBC + PKCS7.
+   * Throws if ciphertext length is not a non-zero multiple of 16 or PKCS7 is invalid.
+   */
+    decrypt(key, iv, ciphertext) {
+        if (ciphertext.length === 0 || ciphertext.length % 16 !== 0)
+            throw new RangeError('ciphertext length must be a non-zero multiple of 16');
+        this._loadKey(key);
+        this._setIv(iv);
+        const output = new Uint8Array(ciphertext.length);
+        const ctOff = this.x.getChunkCtOffset();
+        const ptOff = this.x.getChunkPtOffset();
+        const maxChunk = this.x.getChunkSize();
+        for (let off = 0; off < ciphertext.length; off += maxChunk) {
+            const chunk = ciphertext.subarray(off, Math.min(off + maxChunk, ciphertext.length));
+            this.mem.set(chunk, ctOff);
+            this.x.cbcDecryptChunk_simd(chunk.length);
+            output.set(new Uint8Array(this.x.memory.buffer).subarray(ptOff, ptOff + chunk.length), off);
+        }
+        return pkcs7Strip(output);
+    }
+    dispose() {
+        this.x.wipeBuffers();
+    }
+    _loadKey(key) {
+        if (key.length !== 16 && key.length !== 24 && key.length !== 32)
+            throw new RangeError(`Serpent key must be 16, 24, or 32 bytes (got ${key.length})`);
+        this.mem.set(key, this.x.getKeyOffset());
+        this.x.loadKey(key.length);
+    }
+    _setIv(iv) {
+        if (iv.length !== 16)
+            throw new RangeError(`CBC IV must be 16 bytes (got ${iv.length})`);
+        this.mem.set(iv, this.x.getCbcIvOffset());
+    }
+}

package/dist/sha2/embedded.d.ts

@@ -0,0 +1 @@
+export { WASM_GZ_BASE64 as sha2Wasm } from '../embedded/sha2.js';

package/dist/sha2/embedded.js

@@ -0,0 +1,27 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sha2/embedded.ts
+//
+// Exports the gzip+base64 sha2 WASM blob for use as a WasmSource.
+// This is the only file in the sha2 subpath that references the embedded blob.
+// Import via `leviathan-crypto/sha2/embedded`.
+export { WASM_GZ_BASE64 as sha2Wasm } from '../embedded/sha2.js';

package/dist/sha2/hkdf.js

@@ -58,7 +58,9 @@ export class HKDF_SHA256 {
             oldPrev.fill(0);
         }
         prev.fill(0);
-        return okm.slice(0, length);
+        const result = okm.slice(0, length);
+        okm.fill(0);
+        return result;
     }
     // One-shot: extract then expand
     derive(ikm, salt, info, length) {
@@ -105,7 +107,9 @@ export class HKDF_SHA512 {
             oldPrev.fill(0);
         }
         prev.fill(0);
-        return okm.slice(0, length);
+        const result = okm.slice(0, length);
+        okm.fill(0);
+        return result;
     }
     // One-shot: extract then expand
     derive(ikm, salt, info, length) {

package/dist/sha2/index.d.ts

@@ -1,5 +1,6 @@
-import type { Mode, InitOpts } from '../init.js';
-export declare function sha2Init(mode?: Mode, opts?: InitOpts): Promise<void>;
+import type { WasmSource } from '../wasm-source.js';
+export declare function sha2Init(source: WasmSource): Promise<void>;
+export type { WasmSource };
 export declare function _sha2Ready(): boolean;
 export declare class SHA256 {
     private readonly x;

package/dist/sha2/index.js

@@ -22,11 +22,10 @@
 // src/ts/sha2/index.ts
 //
 // Public API classes for the SHA-2 WASM module.
-// Uses the init() module cache — call init('sha2') before constructing.
+// Uses the init() module cache — call sha2Init(source) before constructing.
 import { getInstance, initModule } from '../init.js';
-const _embedded = () => import('../embedded/sha2.js').then(m => m.WASM_GZ_BASE64);
-export async function sha2Init(mode = 'embedded', opts) {
-    return initModule('sha2', _embedded, mode, opts);
+export async function sha2Init(source) {
+    return initModule('sha2', source);
 }
 function getExports() {
     return getInstance('sha2').exports;

package/dist/sha3/embedded.d.ts

@@ -0,0 +1 @@
+export { WASM_GZ_BASE64 as sha3Wasm } from '../embedded/sha3.js';

package/dist/sha3/embedded.js

@@ -0,0 +1,27 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▄          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sha3/embedded.ts
+//
+// Exports the gzip+base64 sha3 WASM blob for use as a WasmSource.
+// This is the only file in the sha3 subpath that references the embedded blob.
+// Import via `leviathan-crypto/sha3/embedded`.
+export { WASM_GZ_BASE64 as sha3Wasm } from '../embedded/sha3.js';

package/dist/sha3/index.d.ts

@@ -1,5 +1,6 @@
-import type { Mode, InitOpts } from '../init.js';
-export declare function sha3Init(mode?: Mode, opts?: InitOpts): Promise<void>;
+import type { WasmSource } from '../wasm-source.js';
+export declare function sha3Init(source: WasmSource): Promise<void>;
+export type { WasmSource };
 export declare function _sha3Ready(): boolean;
 export declare class SHA3_256 {
     private readonly x;

package/dist/sha3/index.js

@@ -22,11 +22,10 @@
 // src/ts/sha3/index.ts
 //
 // Public API classes for the SHA-3 WASM module.
-// Uses the init() module cache — call init('sha3') before constructing.
+// Uses the init() module cache — call sha3Init(source) before constructing.
 import { getInstance, initModule } from '../init.js';
-const _embedded = () => import('../embedded/sha3.js').then(m => m.WASM_GZ_BASE64);
-export async function sha3Init(mode = 'embedded', opts) {
-    return initModule('sha3', _embedded, mode, opts);
+export async function sha3Init(source) {
+    return initModule('sha3', source);
 }
 function getExports() {
     return getInstance('sha3').exports;

package/dist/stream/constants.d.ts

@@ -0,0 +1,6 @@
+export declare const FLAG_FRAMED = 128;
+export declare const TAG_DATA = 0;
+export declare const TAG_FINAL = 1;
+export declare const HEADER_SIZE = 20;
+export declare const CHUNK_MIN = 1024;
+export declare const CHUNK_MAX = 16777215;

package/dist/stream/constants.js

@@ -0,0 +1,30 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/stream/constants.ts
+//
+// Shared constants for the STREAM construction.
+export const FLAG_FRAMED = 0x80;
+export const TAG_DATA = 0x00;
+export const TAG_FINAL = 0x01;
+export const HEADER_SIZE = 20;
+export const CHUNK_MIN = 1024;
+export const CHUNK_MAX = 16_777_215; // u24 max

package/dist/stream/header.d.ts

@@ -0,0 +1,9 @@
+export declare function writeHeader(formatEnum: number, framed: boolean, nonce: Uint8Array, chunkSize: number): Uint8Array;
+export declare function readHeader(header: Uint8Array): {
+    formatEnum: number;
+    framed: boolean;
+    nonce: Uint8Array;
+    chunkSize: number;
+};
+/** 12-byte counter nonce: 11-byte BE counter + 1-byte final flag. */
+export declare function makeCounterNonce(counter: number, finalFlag: number): Uint8Array;

package/dist/stream/header.js

@@ -0,0 +1,77 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/stream/header.ts
+//
+// Wire format header encoding/decoding and counter nonce construction.
+import { FLAG_FRAMED, HEADER_SIZE, TAG_DATA, TAG_FINAL } from './constants.js';
+// The 16-byte nonce is a HKDF salt — not a direct cipher nonce.
+// Both XChaCha20Cipher and SerpentCipher derive their actual key material
+// and nonces from this value via HKDF-SHA-256. The 16-byte size is chosen
+// to satisfy HChaCha20's 16-byte input requirement while also serving as a
+// sufficient HKDF salt for the Serpent construction.
+export function writeHeader(formatEnum, framed, nonce, chunkSize) {
+    if (!Number.isInteger(formatEnum) || formatEnum < 0 || formatEnum > 0x3f)
+        throw new RangeError(`formatEnum must be an integer in [0, 0x3f] (got ${formatEnum})`);
+    if (nonce.length !== 16)
+        throw new RangeError(`nonce must be 16 bytes (got ${nonce.length})`);
+    if (!Number.isInteger(chunkSize) || chunkSize < 0 || chunkSize > 0xffffff)
+        throw new RangeError(`chunkSize must be an integer in [0, 0xFFFFFF] (got ${chunkSize})`);
+    const h = new Uint8Array(HEADER_SIZE);
+    h[0] = (framed ? FLAG_FRAMED : 0) | formatEnum;
+    h.set(nonce, 1);
+    // u24 big-endian chunk size
+    h[17] = (chunkSize >> 16) & 0xff;
+    h[18] = (chunkSize >> 8) & 0xff;
+    h[19] = chunkSize & 0xff;
+    return h;
+}
+export function readHeader(header) {
+    if (header.length !== HEADER_SIZE)
+        throw new RangeError(`header must be exactly ${HEADER_SIZE} bytes (got ${header.length})`);
+    const byte0 = header[0];
+    if (byte0 & 0x40)
+        throw new RangeError(`header has reserved bit 6 set (byte0=0x${byte0.toString(16).padStart(2, '0')}) — unknown or malformed wire format`);
+    return {
+        formatEnum: byte0 & 0x3f,
+        framed: !!(byte0 & FLAG_FRAMED),
+        nonce: header.slice(1, 17),
+        chunkSize: (header[17] << 16) | (header[18] << 8) | header[19],
+    };
+}
+/** 12-byte counter nonce: 11-byte BE counter + 1-byte final flag. */
+export function makeCounterNonce(counter, finalFlag) {
+    if (!Number.isInteger(counter) || counter < 0 || counter > Number.MAX_SAFE_INTEGER)
+        throw new RangeError(`counter must be an integer in [0, ${Number.MAX_SAFE_INTEGER}]`);
+    if (finalFlag !== TAG_DATA && finalFlag !== TAG_FINAL)
+        throw new RangeError(`finalFlag must be TAG_DATA (0x00) or TAG_FINAL (0x01) (got 0x${finalFlag.toString(16).padStart(2, '0')})`);
+    const n = new Uint8Array(12);
+    // Write counter as 11-byte big-endian.
+    // JS safe integers fit in 53 bits — we only need the lower 53 bits.
+    // Pack from the right (byte 10 down to byte 0).
+    let c = counter;
+    for (let i = 10; i >= 0; i--) {
+        n[i] = c & 0xff;
+        c = Math.floor(c / 256);
+    }
+    n[11] = finalFlag;
+    return n;
+}

package/dist/stream/index.d.ts

@@ -0,0 +1,7 @@
+export { SealStream } from './seal-stream.js';
+export { OpenStream } from './open-stream.js';
+export { Seal } from './seal.js';
+export type { CipherSuite, DerivedKeys, SealStreamOpts } from './types.js';
+export { FLAG_FRAMED, TAG_DATA, TAG_FINAL, HEADER_SIZE, CHUNK_MIN, CHUNK_MAX, } from './constants.js';
+export { SealStreamPool } from './seal-stream-pool.js';
+export type { PoolOpts } from './seal-stream-pool.js';