leviathan-crypto 1.4.0 → 2.0.0

package/dist/stream/index.js

@@ -0,0 +1,27 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/stream/index.ts
+export { SealStream } from './seal-stream.js';
+export { OpenStream } from './open-stream.js';
+export { Seal } from './seal.js';
+export { FLAG_FRAMED, TAG_DATA, TAG_FINAL, HEADER_SIZE, CHUNK_MIN, CHUNK_MAX, } from './constants.js';
+export { SealStreamPool } from './seal-stream-pool.js';

package/dist/stream/open-stream.d.ts

@@ -0,0 +1,21 @@
+import type { CipherSuite } from './types.js';
+export declare class OpenStream {
+    readonly chunkSize: number;
+    readonly framed: boolean;
+    private readonly cipher;
+    private readonly keys;
+    private readonly maxWireChunk;
+    private counter;
+    private state;
+    constructor(cipher: CipherSuite, key: Uint8Array, preamble: Uint8Array);
+    pull(chunk: Uint8Array, opts?: {
+        aad?: Uint8Array;
+    }): Uint8Array;
+    finalize(chunk: Uint8Array, opts?: {
+        aad?: Uint8Array;
+    }): Uint8Array;
+    dispose(): void;
+    seek(index: number): void;
+    private _stripFrame;
+    toTransformStream(): TransformStream<Uint8Array, Uint8Array>;
+}

package/dist/stream/open-stream.js

@@ -0,0 +1,146 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/stream/open-stream.ts
+//
+// OpenStream — cipher-agnostic streaming decryption using the STREAM
+// construction (Hoang/Reyhanitabar/Rogaway/Vizár, CRYPTO 2015).
+import { isInitialized } from '../init.js';
+import { TAG_DATA, TAG_FINAL, CHUNK_MIN, CHUNK_MAX, HEADER_SIZE } from './constants.js';
+import { readHeader, makeCounterNonce } from './header.js';
+export class OpenStream {
+    chunkSize;
+    framed;
+    cipher;
+    keys;
+    maxWireChunk;
+    counter = 0;
+    state = 'ready';
+    constructor(cipher, key, preamble) {
+        this.cipher = cipher;
+        if (!isInitialized('sha2'))
+            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation — '
+                + 'call init({ sha2: ... }) before creating an OpenStream');
+        const decKeySize = cipher.decKeySize ?? cipher.keySize;
+        if (key.length !== decKeySize)
+            throw new RangeError(`key must be ${decKeySize} bytes (got ${key.length})`);
+        const expectedPreambleLen = HEADER_SIZE + cipher.kemCtSize;
+        if (preamble.length !== expectedPreambleLen)
+            throw new RangeError(`preamble must be exactly ${expectedPreambleLen} bytes (got ${preamble.length})`);
+        const h = readHeader(preamble.subarray(0, HEADER_SIZE));
+        if (h.formatEnum !== cipher.formatEnum)
+            throw new Error(`expected format 0x${cipher.formatEnum.toString(16).padStart(2, '0')} (${cipher.formatName}), `
+                + `got 0x${h.formatEnum.toString(16).padStart(2, '0')}`);
+        if (h.chunkSize < CHUNK_MIN || h.chunkSize > CHUNK_MAX)
+            throw new RangeError(`header chunkSize must be in [${CHUNK_MIN}, ${CHUNK_MAX}] (got ${h.chunkSize})`);
+        const kemCt = cipher.kemCtSize > 0
+            ? preamble.subarray(HEADER_SIZE, HEADER_SIZE + cipher.kemCtSize)
+            : undefined;
+        this.keys = cipher.deriveKeys(key, h.nonce, kemCt);
+        this.chunkSize = h.chunkSize;
+        this.framed = h.framed;
+        // Max ciphertext chunk: padded plaintext + tag
+        const paddedSize = cipher.padded
+            ? h.chunkSize + 16 - (h.chunkSize % 16)
+            : h.chunkSize;
+        this.maxWireChunk = paddedSize + cipher.tagSize;
+    }
+    pull(chunk, opts) {
+        if (this.state !== 'ready')
+            throw new Error('OpenStream: cannot pull after finalize');
+        const data = this.framed ? this._stripFrame(chunk) : chunk;
+        if (data.length < this.cipher.tagSize)
+            throw new RangeError(`chunk too short to contain ${this.cipher.tagSize}-byte tag (got ${data.length} bytes)`);
+        if (data.length > this.maxWireChunk)
+            throw new RangeError(`chunk exceeds max wire size (${data.length} > ${this.maxWireChunk})`);
+        const nonce = makeCounterNonce(this.counter, TAG_DATA);
+        const plaintext = this.cipher.openChunk(this.keys, nonce, data, opts?.aad);
+        this.counter++;
+        return plaintext;
+    }
+    finalize(chunk, opts) {
+        if (this.state !== 'ready')
+            throw new Error('OpenStream: already finalized');
+        const data = this.framed ? this._stripFrame(chunk) : chunk;
+        if (data.length < this.cipher.tagSize)
+            throw new RangeError(`chunk too short to contain ${this.cipher.tagSize}-byte tag (got ${data.length} bytes)`);
+        if (data.length > this.maxWireChunk)
+            throw new RangeError(`chunk exceeds max wire size (${data.length} > ${this.maxWireChunk})`);
+        const nonce = makeCounterNonce(this.counter, TAG_FINAL);
+        const plaintext = this.cipher.openChunk(this.keys, nonce, data, opts?.aad);
+        this.cipher.wipeKeys(this.keys);
+        this.state = 'finalized';
+        return plaintext;
+    }
+    dispose() {
+        if (this.state === 'ready') {
+            this.cipher.wipeKeys(this.keys);
+            this.state = 'finalized';
+        }
+    }
+    seek(index) {
+        if (this.state !== 'ready')
+            throw new Error('OpenStream: cannot seek after finalize');
+        if (!Number.isInteger(index) || index < 0)
+            throw new RangeError(`seek index must be a non-negative integer (got ${index})`);
+        this.counter = index;
+    }
+    _stripFrame(chunk) {
+        if (chunk.length < 4)
+            throw new RangeError(`framed chunk too short — need at least 4 bytes (got ${chunk.length})`);
+        const dv = new DataView(chunk.buffer, chunk.byteOffset);
+        const payloadLen = dv.getUint32(0, false);
+        if (payloadLen !== chunk.length - 4)
+            throw new RangeError(`framed chunk length mismatch — prefix says ${payloadLen}, actual payload is ${chunk.length - 4}`);
+        return chunk.subarray(4);
+    }
+    toTransformStream() {
+        let buffered = null;
+        return new TransformStream({
+            transform: (chunk, controller) => {
+                try {
+                    if (buffered !== null) {
+                        controller.enqueue(this.pull(buffered));
+                    }
+                    buffered = chunk;
+                }
+                catch (err) {
+                    this.dispose();
+                    throw err;
+                }
+            },
+            flush: (controller) => {
+                try {
+                    if (buffered !== null) {
+                        controller.enqueue(this.finalize(buffered));
+                    }
+                    else {
+                        this.dispose(); // no chunks piped — wipe keys, emit nothing
+                    }
+                }
+                catch (err) {
+                    this.dispose();
+                    throw err;
+                }
+            },
+        });
+    }
+}

package/dist/stream/seal-stream-pool.d.ts

@@ -0,0 +1,38 @@
+import type { WasmSource } from '../wasm-source.js';
+import type { CipherSuite } from './types.js';
+export interface PoolOpts {
+    wasm: WasmSource | Record<string, WasmSource>;
+    workers?: number;
+    chunkSize?: number;
+    framed?: boolean;
+    jobTimeout?: number;
+}
+export declare class SealStreamPool {
+    private readonly _cipher;
+    private readonly _chunkSize;
+    private readonly _framed;
+    private readonly _timeout;
+    private readonly _header;
+    private _workers;
+    private _idle;
+    private _queue;
+    private _pending;
+    private _nextId;
+    private _dead;
+    private _sealed;
+    private _keys;
+    private _masterKey;
+    private constructor();
+    static create(cipher: CipherSuite, key: Uint8Array, opts: PoolOpts): Promise<SealStreamPool>;
+    get header(): Uint8Array;
+    get dead(): boolean;
+    get size(): number;
+    seal(plaintext: Uint8Array): Promise<Uint8Array>;
+    open(ciphertext: Uint8Array): Promise<Uint8Array>;
+    destroy(): void;
+    private _dispatch;
+    private _send;
+    private _onMessage;
+    private _onError;
+    private _killAll;
+}

package/dist/stream/seal-stream-pool.js

@@ -0,0 +1,391 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/stream/seal-stream-pool.ts
+//
+// SealStreamPool — parallel batch encryption/decryption using the STREAM
+// construction. Dispatches per-chunk seal/open jobs across Web Workers.
+// Any error is fatal: auth failure, crash, or timeout kills all workers,
+// wipes keys, and rejects all pending promises.
+import { randomBytes, wipe } from '../utils.js';
+import { isInitialized } from '../init.js';
+import { compileWasm } from '../loader.js';
+import { AuthenticationError } from '../errors.js';
+import { CHUNK_MIN, CHUNK_MAX, HEADER_SIZE, TAG_DATA, TAG_FINAL } from './constants.js';
+import { writeHeader, readHeader, makeCounterNonce } from './header.js';
+function isRecord(v) {
+    return typeof v === 'object' && v !== null
+        && !(v instanceof Uint8Array) && !(v instanceof ArrayBuffer)
+        && !(v instanceof URL) && !(v instanceof WebAssembly.Module)
+        && !(typeof Response !== 'undefined' && v instanceof Response)
+        && typeof v.then !== 'function';
+}
+export class SealStreamPool {
+    _cipher;
+    _chunkSize;
+    _framed;
+    _timeout;
+    _header;
+    _workers;
+    _idle;
+    _queue;
+    _pending;
+    _nextId;
+    _dead;
+    _sealed;
+    _keys;
+    _masterKey;
+    constructor(cipher, workers, keys, masterKey, header, chunkSize, framed, timeout) {
+        this._cipher = cipher;
+        this._workers = workers;
+        this._idle = [...workers];
+        this._queue = [];
+        this._pending = new Map();
+        this._nextId = 0;
+        this._dead = false;
+        this._sealed = false;
+        this._keys = keys;
+        this._masterKey = masterKey;
+        this._header = header;
+        this._chunkSize = chunkSize;
+        this._framed = framed;
+        this._timeout = timeout;
+        for (const w of workers) {
+            w.onmessage = (e) => this._onMessage(w, e);
+            w.onerror = (e) => this._onError(e);
+        }
+    }
+    static async create(cipher, key, opts) {
+        if (!isInitialized('sha2'))
+            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation — '
+                + 'call init({ sha2: ... }) before creating a SealStreamPool');
+        if (cipher.kemCtSize > 0)
+            throw new Error('leviathan-crypto: SealStreamPool does not support KEM-enabled cipher suites — '
+                + 'KEM encryption is asymmetric (seal uses encapsulation key, open requires decapsulation key) '
+                + 'and cannot share a single key across both directions. '
+                + 'Use SealStream / OpenStream directly for hybrid KEM encryption.');
+        const chunkSize = opts.chunkSize ?? 65536;
+        if (chunkSize < CHUNK_MIN || chunkSize > CHUNK_MAX)
+            throw new RangeError(`chunkSize must be in [${CHUNK_MIN}, ${CHUNK_MAX}] (got ${chunkSize})`);
+        const framed = opts.framed ?? false;
+        const timeout = opts.jobTimeout ?? 30_000;
+        const n = opts.workers ?? (typeof navigator !== 'undefined' ? navigator.hardwareConcurrency : undefined) ?? 4;
+        // Compile WASM modules
+        const modules = {};
+        const required = cipher.wasmModules;
+        if (isRecord(opts.wasm)) {
+            const record = opts.wasm;
+            for (const mod of required) {
+                if (!(mod in record))
+                    throw new Error(`leviathan-crypto: pool requires WASM module '${mod}' (required: ${required.join(', ')})`);
+                modules[mod] = await compileWasm(record[mod]);
+            }
+        }
+        else {
+            if (required.length > 1)
+                throw new Error(`leviathan-crypto: cipher requires ${required.length} WASM modules (${required.join(', ')}) — provide a Record`);
+            modules[required[0]] = await compileWasm(opts.wasm);
+        }
+        if (key.length !== cipher.keySize)
+            throw new RangeError(`key must be ${cipher.keySize} bytes (got ${key.length})`);
+        // Generate nonce and derive keys
+        const nonce = randomBytes(16);
+        const keys = cipher.deriveKeys(key, nonce);
+        const header = writeHeader(cipher.formatEnum, framed, nonce, chunkSize);
+        // Spawn workers sequentially (compatible with @vitest/web-worker)
+        const workers = [];
+        for (let i = 0; i < n; i++) {
+            const w = cipher.createPoolWorker();
+            await new Promise((resolve, reject) => {
+                const onMsg = (e) => {
+                    w.removeEventListener('message', onMsg);
+                    w.removeEventListener('error', onErr);
+                    if (e.data.type === 'ready')
+                        resolve();
+                    else {
+                        w.terminate();
+                        reject(new Error(`worker init failed: ${e.data.message}`));
+                    }
+                };
+                const onErr = (e) => {
+                    w.removeEventListener('message', onMsg);
+                    w.removeEventListener('error', onErr);
+                    w.terminate();
+                    reject(new Error(`worker init failed: ${e.message}`));
+                };
+                w.addEventListener('message', onMsg);
+                w.addEventListener('error', onErr);
+                const initKeyBytes = keys.bytes.slice();
+                w.postMessage({ type: 'init', modules, derivedKeyBytes: initKeyBytes }, { transfer: [initKeyBytes.buffer] });
+            });
+            workers.push(w);
+        }
+        return new SealStreamPool(cipher, workers, keys, key.slice(), header, chunkSize, framed, timeout);
+    }
+    get header() {
+        return this._header;
+    }
+    get dead() {
+        return this._dead;
+    }
+    get size() {
+        return this._workers.length;
+    }
+    async seal(plaintext) {
+        if (this._dead)
+            throw new Error('leviathan-crypto: pool is dead');
+        if (this._sealed)
+            throw new Error('leviathan-crypto: seal() already called on this pool. '
+                + 'Create a new pool for each encryption to prevent nonce reuse.');
+        const chunkCount = plaintext.length === 0 ? 1 : Math.ceil(plaintext.length / this._chunkSize);
+        const jobs = [];
+        for (let i = 0; i < chunkCount; i++) {
+            const start = i * this._chunkSize;
+            const end = Math.min(start + this._chunkSize, plaintext.length);
+            const slice = plaintext.slice(start, end);
+            const isLast = i === chunkCount - 1;
+            const counterNonce = makeCounterNonce(i, isLast ? TAG_FINAL : TAG_DATA);
+            jobs.push(this._dispatch({ op: 'seal', counterNonce, data: slice }));
+        }
+        try {
+            const results = await Promise.all(jobs);
+            let totalLen = HEADER_SIZE;
+            for (const r of results)
+                totalLen += this._framed ? r.length + 4 : r.length;
+            const ciphertext = new Uint8Array(totalLen);
+            ciphertext.set(this._header, 0);
+            let pos = HEADER_SIZE;
+            for (const r of results) {
+                if (this._framed) {
+                    new DataView(ciphertext.buffer, pos).setUint32(0, r.length, false);
+                    pos += 4;
+                }
+                ciphertext.set(r, pos);
+                pos += r.length;
+            }
+            this._sealed = true;
+            return ciphertext;
+        }
+        catch (err) {
+            this._killAll(err);
+            throw err;
+        }
+    }
+    async open(ciphertext) {
+        if (this._dead)
+            throw new Error('leviathan-crypto: pool is dead');
+        if (ciphertext.length < HEADER_SIZE)
+            throw new RangeError(`leviathan-crypto: ciphertext too short — need at least ${HEADER_SIZE} bytes for header`);
+        // Validate header before splitting chunks
+        const h = readHeader(ciphertext.subarray(0, HEADER_SIZE));
+        if (h.formatEnum !== this._cipher.formatEnum)
+            throw new Error(`leviathan-crypto: pool expected format 0x${this._cipher.formatEnum.toString(16).padStart(2, '0')}, `
+                + `got 0x${h.formatEnum.toString(16).padStart(2, '0')}`);
+        if (h.chunkSize !== this._chunkSize)
+            throw new RangeError(`leviathan-crypto: pool chunkSize mismatch — pool expects ${this._chunkSize}, `
+                + `header says ${h.chunkSize}`);
+        if (h.framed !== this._framed)
+            throw new Error(`leviathan-crypto: pool framing mismatch — pool is ${this._framed ? 'framed' : 'unframed'}, `
+                + `header says ${h.framed ? 'framed' : 'unframed'}`);
+        // Re-derive keys from the nonce embedded in this ciphertext's header.
+        // The pool's _keys are tied to its own seal nonce — for arbitrary incoming
+        // ciphertext the nonce may differ, so we derive fresh keys here.
+        if (!this._masterKey)
+            throw new Error('leviathan-crypto: pool master key has been wiped');
+        const openKeys = this._cipher.deriveKeys(this._masterKey, h.nonce);
+        let openKeysWiped = false;
+        try {
+            // Strip header before chunk splitting
+            const body = ciphertext.subarray(HEADER_SIZE);
+            if (body.length === 0)
+                throw new RangeError('leviathan-crypto: empty ciphertext — seal() always produces at least one chunk');
+            // Compute max wire chunk size for per-chunk validation
+            const tagSize = this._cipher.tagSize;
+            const paddedSize = this._cipher.padded
+                ? this._chunkSize + 16 - (this._chunkSize % 16)
+                : this._chunkSize;
+            const maxWireChunk = paddedSize + tagSize;
+            // Split ciphertext body into chunks
+            const chunks = [];
+            let pos = 0;
+            if (this._framed) {
+                while (pos < body.length) {
+                    if (pos + 4 > body.length)
+                        throw new RangeError('leviathan-crypto: truncated frame header');
+                    const dv = new DataView(body.buffer, body.byteOffset + pos);
+                    const len = dv.getUint32(0, false);
+                    pos += 4;
+                    if (pos + len > body.length)
+                        throw new RangeError(`leviathan-crypto: frame claims ${len} bytes but only ${body.length - pos} remain`);
+                    chunks.push(body.subarray(pos, pos + len));
+                    pos += len;
+                }
+            }
+            else {
+                // Unframed: split by expected wire chunk size
+                const fullChunkWire = maxWireChunk;
+                while (pos < body.length) {
+                    const remaining = body.length - pos;
+                    if (remaining <= fullChunkWire) {
+                        chunks.push(body.subarray(pos));
+                        break;
+                    }
+                    chunks.push(body.subarray(pos, pos + fullChunkWire));
+                    pos += fullChunkWire;
+                }
+            }
+            // Validate and dispatch chunks
+            const jobs = [];
+            for (let i = 0; i < chunks.length; i++) {
+                if (chunks[i].length < tagSize)
+                    throw new RangeError(`leviathan-crypto: chunk ${i} too short — need at least ${tagSize} bytes for tag `
+                        + `(got ${chunks[i].length})`);
+                if (chunks[i].length > maxWireChunk)
+                    throw new RangeError(`leviathan-crypto: chunk ${i} exceeds max wire size `
+                        + `(${chunks[i].length} > ${maxWireChunk})`);
+                const isLast = i === chunks.length - 1;
+                const counterNonce = makeCounterNonce(i, isLast ? TAG_FINAL : TAG_DATA);
+                jobs.push(this._dispatch({
+                    op: 'open', counterNonce, data: chunks[i],
+                    derivedKeyBytes: openKeys.bytes.slice(),
+                }));
+            }
+            // All per-job key copies made — wipe the main-thread openKeys immediately
+            // rather than waiting for Promise.all. earlyWiped tracks this so the
+            // finally below only fires on pre-dispatch throws (empty body, frame errors,
+            // chunk validation), not as a redundant second call on the normal path.
+            this._cipher.wipeKeys(openKeys);
+            openKeysWiped = true;
+            const results = await Promise.all(jobs);
+            let totalLen = 0;
+            for (const r of results)
+                totalLen += r.length;
+            const plaintext = new Uint8Array(totalLen);
+            let ptPos = 0;
+            for (const r of results) {
+                plaintext.set(r, ptPos);
+                ptPos += r.length;
+            }
+            return plaintext;
+        }
+        catch (err) {
+            this._killAll(err);
+            throw err;
+        }
+        finally {
+            if (!openKeysWiped)
+                this._cipher.wipeKeys(openKeys);
+        }
+    }
+    destroy() {
+        this._killAll(new Error('leviathan-crypto: pool destroyed'));
+    }
+    // ── Internals ────────────────────────────────────────────────────────────
+    _dispatch(job) {
+        return new Promise((resolve, reject) => {
+            if (this._dead) {
+                reject(new Error('leviathan-crypto: pool is dead'));
+                return;
+            }
+            const id = this._nextId++;
+            const timer = setTimeout(() => {
+                this._killAll(new Error(`leviathan-crypto: pool job ${id} timed out after ${this._timeout}ms`));
+            }, this._timeout);
+            this._pending.set(id, { resolve, reject, timer });
+            const worker = this._idle.pop();
+            if (worker)
+                this._send(worker, { type: 'job', id, ...job });
+            else
+                this._queue.push({ type: 'job', id, ...job });
+        });
+    }
+    _send(worker, job) {
+        const transfer = [];
+        // Only transfer data.buffer when the Uint8Array owns the buffer exclusively.
+        // Subarrays from open() share the caller's ciphertext buffer — transferring
+        // one would detach all sibling views dispatched as parallel jobs.
+        if (job.data.buffer instanceof ArrayBuffer
+            && job.data.byteOffset === 0
+            && job.data.byteLength === job.data.buffer.byteLength)
+            transfer.push(job.data.buffer);
+        if (job.counterNonce.buffer instanceof ArrayBuffer
+            && job.counterNonce.buffer !== job.data.buffer)
+            transfer.push(job.counterNonce.buffer);
+        if (job.derivedKeyBytes?.buffer instanceof ArrayBuffer)
+            transfer.push(job.derivedKeyBytes.buffer);
+        // aad is intentionally not transferred — caller may retain the reference
+        worker.postMessage(job, { transfer });
+    }
+    _onMessage(worker, e) {
+        const msg = e.data;
+        const pending = this._pending.get(msg.id);
+        if (!pending)
+            return;
+        clearTimeout(pending.timer);
+        this._pending.delete(msg.id);
+        if (msg.type === 'result') {
+            pending.resolve(msg.data);
+            const next = this._queue.shift();
+            if (next)
+                this._send(worker, next);
+            else
+                this._idle.push(worker);
+        }
+        else {
+            const err = msg.isAuthError
+                ? new AuthenticationError(msg.cipher)
+                : new Error(msg.message);
+            pending.reject(err);
+            this._killAll(err);
+        }
+    }
+    _onError(e) {
+        this._killAll(new Error(`leviathan-crypto: pool worker crashed: ${e.message}`));
+    }
+    _killAll(error) {
+        if (this._dead)
+            return;
+        this._dead = true;
+        for (const { timer } of this._pending.values())
+            clearTimeout(timer);
+        for (const { reject } of this._pending.values())
+            reject(error);
+        this._pending.clear();
+        this._queue.length = 0;
+        for (const w of this._workers) {
+            try {
+                w.postMessage({ type: 'wipe' });
+            }
+            catch { /* worker may be terminated */ }
+            w.terminate();
+        }
+        this._workers.length = 0;
+        this._idle.length = 0;
+        if (this._keys) {
+            wipe(this._keys.bytes);
+            this._keys = null;
+        }
+        if (this._masterKey) {
+            wipe(this._masterKey);
+            this._masterKey = null;
+        }
+    }
+}

package/dist/stream/seal-stream.d.ts

@@ -0,0 +1,20 @@
+import type { CipherSuite, SealStreamOpts } from './types.js';
+export declare class SealStream {
+    /** Preamble sent before the first chunk: header [|| kemCiphertext]. */
+    readonly preamble: Uint8Array;
+    private readonly cipher;
+    private readonly keys;
+    private readonly chunkSize;
+    private readonly framed;
+    private counter;
+    private state;
+    constructor(cipher: CipherSuite, key: Uint8Array, opts?: SealStreamOpts);
+    push(chunk: Uint8Array, opts?: {
+        aad?: Uint8Array;
+    }): Uint8Array;
+    finalize(chunk: Uint8Array, opts?: {
+        aad?: Uint8Array;
+    }): Uint8Array;
+    dispose(): void;
+    toTransformStream(): TransformStream<Uint8Array, Uint8Array>;
+}