npm - leviathan-crypto - Versions diffs - 1.4.0 → 2.0.0 - Mend

leviathan-crypto 1.4.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (119) hide show

package/CLAUDE.md +129 -94
package/README.md +166 -223
package/SECURITY.md +85 -45
package/dist/chacha20/cipher-suite.d.ts +4 -0
package/dist/chacha20/cipher-suite.js +78 -0
package/dist/chacha20/embedded.d.ts +1 -0
package/dist/chacha20/embedded.js +27 -0
package/dist/chacha20/index.d.ts +20 -27
package/dist/chacha20/index.js +40 -59
package/dist/chacha20/ops.d.ts +1 -1
package/dist/chacha20/ops.js +19 -18
package/dist/chacha20/pool-worker.js +77 -0
package/dist/ct-wasm.d.ts +1 -0
package/dist/ct-wasm.js +3 -0
package/dist/ct.wasm +0 -0
package/dist/docs/aead.md +320 -0
package/dist/docs/architecture.md +419 -285
package/dist/docs/argon2id.md +42 -30
package/dist/docs/chacha20.md +192 -266
package/dist/docs/exports.md +241 -0
package/dist/docs/fortuna.md +60 -69
package/dist/docs/init.md +172 -178
package/dist/docs/loader.md +87 -142
package/dist/docs/serpent.md +134 -583
package/dist/docs/sha2.md +91 -103
package/dist/docs/sha3.md +70 -36
package/dist/docs/types.md +93 -16
package/dist/docs/utils.md +109 -32
package/dist/embedded/kyber.d.ts +1 -0
package/dist/embedded/kyber.js +3 -0
package/dist/errors.d.ts +10 -0
package/dist/errors.js +38 -0
package/dist/fortuna.d.ts +0 -6
package/dist/fortuna.js +5 -5
package/dist/index.d.ts +25 -9
package/dist/index.js +36 -7
package/dist/init.d.ts +3 -7
package/dist/init.js +18 -35
package/dist/keccak/embedded.d.ts +1 -0
package/dist/keccak/embedded.js +27 -0
package/dist/keccak/index.d.ts +4 -0
package/dist/keccak/index.js +31 -0
package/dist/kyber/embedded.d.ts +1 -0
package/dist/kyber/embedded.js +27 -0
package/dist/kyber/indcpa.d.ts +49 -0
package/dist/kyber/indcpa.js +352 -0
package/dist/kyber/index.d.ts +38 -0
package/dist/kyber/index.js +150 -0
package/dist/kyber/kem.d.ts +21 -0
package/dist/kyber/kem.js +160 -0
package/dist/kyber/params.d.ts +14 -0
package/dist/kyber/params.js +37 -0
package/dist/kyber/suite.d.ts +13 -0
package/dist/kyber/suite.js +93 -0
package/dist/kyber/types.d.ts +98 -0
package/dist/kyber/types.js +25 -0
package/dist/kyber/validate.d.ts +19 -0
package/dist/kyber/validate.js +68 -0
package/dist/kyber.wasm +0 -0
package/dist/loader.d.ts +15 -6
package/dist/loader.js +65 -21
package/dist/serpent/cipher-suite.d.ts +4 -0
package/dist/serpent/cipher-suite.js +121 -0
package/dist/serpent/embedded.d.ts +1 -0
package/dist/serpent/embedded.js +27 -0
package/dist/serpent/index.d.ts +6 -37
package/dist/serpent/index.js +9 -118
package/dist/serpent/pool-worker.d.ts +1 -0
package/dist/serpent/pool-worker.js +202 -0
package/dist/serpent/serpent-cbc.d.ts +30 -0
package/dist/serpent/serpent-cbc.js +136 -0
package/dist/sha2/embedded.d.ts +1 -0
package/dist/sha2/embedded.js +27 -0
package/dist/sha2/hkdf.js +6 -2
package/dist/sha2/index.d.ts +3 -2
package/dist/sha2/index.js +3 -4
package/dist/sha3/embedded.d.ts +1 -0
package/dist/sha3/embedded.js +27 -0
package/dist/sha3/index.d.ts +3 -2
package/dist/sha3/index.js +3 -4
package/dist/stream/constants.d.ts +6 -0
package/dist/stream/constants.js +30 -0
package/dist/stream/header.d.ts +9 -0
package/dist/stream/header.js +77 -0
package/dist/stream/index.d.ts +7 -0
package/dist/stream/index.js +27 -0
package/dist/stream/open-stream.d.ts +21 -0
package/dist/stream/open-stream.js +146 -0
package/dist/stream/seal-stream-pool.d.ts +38 -0
package/dist/stream/seal-stream-pool.js +391 -0
package/dist/stream/seal-stream.d.ts +20 -0
package/dist/stream/seal-stream.js +142 -0
package/dist/stream/seal.d.ts +9 -0
package/dist/stream/seal.js +75 -0
package/dist/stream/types.d.ts +24 -0
package/dist/stream/types.js +26 -0
package/dist/utils.d.ts +7 -2
package/dist/utils.js +49 -3
package/dist/wasm-source.d.ts +12 -0
package/dist/wasm-source.js +26 -0
package/package.json +13 -5
package/dist/chacha20/pool.d.ts +0 -52
package/dist/chacha20/pool.js +0 -178
package/dist/chacha20/pool.worker.js +0 -37
package/dist/chacha20/stream-sealer.d.ts +0 -49
package/dist/chacha20/stream-sealer.js +0 -327
package/dist/docs/chacha20_pool.md +0 -309
package/dist/docs/wasm.md +0 -194
package/dist/serpent/seal.d.ts +0 -8
package/dist/serpent/seal.js +0 -72
package/dist/serpent/stream-pool.d.ts +0 -48
package/dist/serpent/stream-pool.js +0 -275
package/dist/serpent/stream-sealer.d.ts +0 -55
package/dist/serpent/stream-sealer.js +0 -342
package/dist/serpent/stream.d.ts +0 -28
package/dist/serpent/stream.js +0 -205
package/dist/serpent/stream.worker.d.ts +0 -32
package/dist/serpent/stream.worker.js +0 -117
/package/dist/chacha20/{pool.worker.d.ts → pool-worker.d.ts} +0 -0

package/dist/serpent/stream-pool.js DELETED Viewed

@@ -1,275 +0,0 @@
-//                  ▄▄▄▄▄▄▄▄▄▄
-//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
-//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
-//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
-//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
-//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
-//     ███████▌    ▀██▀         ███
-//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
-//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
-//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
-//            ▀████▄   ▄██▄
-//              ▐████   ▐███                  Author: xero (https://x-e.ro)
-//       ▄▄██████████    ▐███         ▄▄      License: MIT
-//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
-//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
-//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
-//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
-//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
-//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
-//                           ▀█████▀▀
-//
-// src/ts/serpent/stream-pool.ts
-//
-// SerpentStreamPool — parallel worker pool for SerpentStream.
-// Dispatches chunk-level seal/open jobs across Web Workers, each
-// with its own serpent.wasm and sha2.wasm instances.
-import { isInitialized } from '../init.js';
-import { HKDF_SHA256 } from '../sha2/index.js';
-import { decodeWasm } from '../loader.js';
-import { u32be, u64be, deriveChunkKeys } from './stream.js';
-// ── Constants ─────────────────────────────────────────────────────────────────
-const CHUNK_MIN = 1024;
-const CHUNK_MAX = 65536;
-const CHUNK_DEF = 65536;
-// ── WASM module singletons ──────────────────────────────────────────────────
-let _serpentModule;
-let _sha2Module;
-async function getSerpentModule() {
-    if (_serpentModule)
-        return _serpentModule;
-    const { WASM_GZ_BASE64 } = await import('../embedded/serpent.js');
-    const bytes = await decodeWasm(WASM_GZ_BASE64);
-    _serpentModule = await WebAssembly.compile(bytes.buffer);
-    return _serpentModule;
-}
-async function getSha2Module() {
-    if (_sha2Module)
-        return _sha2Module;
-    const { WASM_GZ_BASE64 } = await import('../embedded/sha2.js');
-    const bytes = await decodeWasm(WASM_GZ_BASE64);
-    _sha2Module = await WebAssembly.compile(bytes.buffer);
-    return _sha2Module;
-}
-// ── Worker spawning ──────────────────────────────────────────────────────────
-function spawnWorker(serpentMod, sha2Mod) {
-    return new Promise((resolve, reject) => {
-        const worker = new Worker(new URL('./stream.worker.js', import.meta.url), { type: 'module' });
-        const onMessage = (e) => {
-            cleanup();
-            if (e.data.type === 'ready') {
-                resolve(worker);
-            }
-            else {
-                worker.terminate();
-                reject(new Error(`leviathan-crypto: worker init failed: ${e.data.message}`));
-            }
-        };
-        const onError = (e) => {
-            cleanup();
-            worker.terminate();
-            reject(new Error(`leviathan-crypto: worker init failed: ${e.message}`));
-        };
-        const cleanup = () => {
-            worker.removeEventListener('message', onMessage);
-            worker.removeEventListener('error', onError);
-        };
-        worker.addEventListener('message', onMessage);
-        worker.addEventListener('error', onError);
-        worker.postMessage({ type: 'init', serpentModule: serpentMod, sha2Module: sha2Mod });
-    });
-}
-// ── Pool class ───────────────────────────────────────────────────────────────
-/**
- * Parallel worker pool for SerpentStream chunked authenticated encryption.
- *
- * Each worker owns its own `serpent.wasm` and `sha2.wasm` instances with
- * isolated linear memory. Key derivation happens on the main thread; workers
- * receive pre-derived encKey/macKey per chunk.
- *
- * Produces the same wire format as `SerpentStream` -- either can decrypt
- * the other's output.
- */
-export class SerpentStreamPool {
-    _workers;
-    _idle;
-    _queue;
-    _pending;
-    _hkdf;
-    _nextId;
-    _disposed;
-    constructor(workers, hkdf) {
-        this._workers = workers;
-        this._idle = [...workers];
-        this._queue = [];
-        this._pending = new Map();
-        this._hkdf = hkdf;
-        this._nextId = 0;
-        this._disposed = false;
-        for (const w of workers) {
-            w.onmessage = (e) => this._onMessage(w, e);
-        }
-    }
-    /**
-     * Create a new pool. Requires `init(['serpent', 'sha2'])` to have been called.
-     * Compiles both WASM modules once and distributes them to all workers.
-     */
-    static async create(opts) {
-        if (!isInitialized('serpent') || !isInitialized('sha2'))
-            throw new Error('leviathan-crypto: call init([\'serpent\', \'sha2\']) before using SerpentStreamPool');
-        const n = opts?.workers ?? (typeof navigator !== 'undefined' ? navigator.hardwareConcurrency : undefined) ?? 4;
-        const [serpentMod, sha2Mod] = await Promise.all([getSerpentModule(), getSha2Module()]);
-        // Sequential spawn — compatible with inline-worker test environments
-        const workers = [];
-        for (let i = 0; i < n; i++)
-            workers.push(await spawnWorker(serpentMod, sha2Mod));
-        const hkdf = new HKDF_SHA256();
-        return new SerpentStreamPool(workers, hkdf);
-    }
-    /**
-     * Encrypt plaintext with SerpentStream chunked authenticated encryption.
-     * Returns the complete wire format (header + encrypted chunks).
-     */
-    async seal(key, plaintext, chunkSize) {
-        if (this._disposed)
-            throw new Error('leviathan-crypto: pool is disposed');
-        if (key.length !== 32)
-            throw new RangeError(`SerpentStream key must be 32 bytes (got ${key.length})`);
-        const cs = chunkSize ?? CHUNK_DEF;
-        if (cs < CHUNK_MIN || cs > CHUNK_MAX)
-            throw new RangeError(`SerpentStream chunkSize must be ${CHUNK_MIN}..${CHUNK_MAX} (got ${cs})`);
-        const streamNonce = new Uint8Array(16);
-        crypto.getRandomValues(streamNonce);
-        const chunkCount = plaintext.length === 0 ? 1 : Math.ceil(plaintext.length / cs);
-        // Dispatch all chunk jobs in parallel
-        const chunkPromises = [];
-        for (let i = 0; i < chunkCount; i++) {
-            const start = i * cs;
-            const end = Math.min(start + cs, plaintext.length);
-            const slice = plaintext.slice(start, end);
-            const isLast = i === chunkCount - 1;
-            const { encKey, macKey } = deriveChunkKeys(this._hkdf, key, streamNonce, cs, chunkCount, i, isLast);
-            chunkPromises.push(this._dispatch('seal', encKey, macKey, slice));
-        }
-        const chunkResults = await Promise.all(chunkPromises);
-        // Compute total output size
-        let totalWire = 28;
-        for (const c of chunkResults)
-            totalWire += c.length;
-        const out = new Uint8Array(totalWire);
-        // Write header
-        out.set(streamNonce, 0);
-        out.set(u32be(cs), 16);
-        out.set(u64be(chunkCount), 20);
-        let pos = 28;
-        for (const c of chunkResults) {
-            out.set(c, pos);
-            pos += c.length;
-        }
-        return out;
-    }
-    /**
-     * Decrypt SerpentStream wire format.
-     * If any chunk fails authentication, rejects immediately -- no partial plaintext.
-     */
-    async open(key, ciphertext) {
-        if (this._disposed)
-            throw new Error('leviathan-crypto: pool is disposed');
-        if (key.length !== 32)
-            throw new RangeError(`SerpentStream key must be 32 bytes (got ${key.length})`);
-        if (ciphertext.length < 28 + 32)
-            throw new RangeError('SerpentStream: ciphertext too short');
-        // Parse header
-        const streamNonce = ciphertext.subarray(0, 16);
-        const csView = ciphertext.subarray(16, 20);
-        const cs = (csView[0] << 24) | (csView[1] << 16) | (csView[2] << 8) | csView[3];
-        const ccView = ciphertext.subarray(20, 28);
-        let chunkCount = 0;
-        for (let i = 0; i < 8; i++)
-            chunkCount = chunkCount * 256 + ccView[i];
-        // Dispatch all chunk jobs
-        const chunkPromises = [];
-        let pos = 28;
-        for (let i = 0; i < chunkCount; i++) {
-            const isLast = i === chunkCount - 1;
-            const wireLen = isLast ? ciphertext.length - pos : cs + 32;
-            const wireSlice = ciphertext.slice(pos, pos + wireLen);
-            const { encKey, macKey } = deriveChunkKeys(this._hkdf, key, streamNonce, cs, chunkCount, i, isLast);
-            chunkPromises.push(this._dispatch('open', encKey, macKey, wireSlice));
-            pos += wireLen;
-        }
-        // Await all — Promise.all rejects on first failure
-        const results = await Promise.all(chunkPromises);
-        // Reassemble plaintext
-        let totalPt = 0;
-        for (const r of results)
-            totalPt += r.length;
-        const plaintext = new Uint8Array(totalPt);
-        let ptPos = 0;
-        for (const r of results) {
-            plaintext.set(r, ptPos);
-            ptPos += r.length;
-        }
-        return plaintext;
-    }
-    /** Terminates all workers. Rejects all pending and queued jobs. */
-    dispose() {
-        if (this._disposed)
-            return;
-        this._disposed = true;
-        for (const w of this._workers)
-            w.terminate();
-        const err = new Error('leviathan-crypto: pool disposed');
-        for (const { reject } of this._pending.values())
-            reject(err);
-        for (const job of this._queue)
-            this._pending.get(job.id)?.reject(err);
-        this._pending.clear();
-        this._queue.length = 0;
-        this._hkdf.dispose();
-    }
-    /** Number of workers in the pool. */
-    get size() {
-        return this._workers.length;
-    }
-    /** Number of jobs currently queued (waiting for a free worker). */
-    get queueDepth() {
-        return this._queue.length;
-    }
-    // ── Internals ────────────────────────────────────────────────────────────
-    _dispatch(op, encKey, macKey, data) {
-        return new Promise((resolve, reject) => {
-            const id = this._nextId++;
-            const job = { id, op, encKey, macKey, data };
-            this._pending.set(id, { resolve, reject });
-            const worker = this._idle.pop();
-            if (worker)
-                this._send(worker, job);
-            else
-                this._queue.push(job);
-        });
-    }
-    _send(worker, job) {
-        // No transfer list: @vitest/web-worker (same-thread fake worker used in
-        // Vitest test environment) silently drops postMessage calls that include a
-        // non-empty Transferable array. encKey/macKey/data are already .slice()
-        // copies — neutering was never part of SerpentStreamPool's public contract.
-        worker.postMessage({ type: 'job', ...job });
-    }
-    _onMessage(worker, e) {
-        const msg = e.data;
-        const job = this._pending.get(msg.id);
-        if (!job)
-            return;
-        this._pending.delete(msg.id);
-        if (msg.type === 'result')
-            job.resolve(msg.data);
-        else
-            job.reject(new Error(msg.message));
-        const next = this._queue.shift();
-        if (next)
-            this._send(worker, next);
-        else
-            this._idle.push(worker);
-    }
-}

package/dist/serpent/stream-sealer.d.ts DELETED Viewed

@@ -1,55 +0,0 @@
-export declare class SerpentStreamSealer {
-    private readonly _key;
-    private readonly _cs;
-    private readonly _nonce;
-    private readonly _cbc;
-    private readonly _hmac;
-    private readonly _hkdf;
-    private readonly _framed;
-    private readonly _aad;
-    private readonly _ivs;
-    private _ivIdx;
-    private _index;
-    private _state;
-    /** Public: consumers use this 3-param form. */
-    constructor(key: Uint8Array, chunkSize?: number, opts?: {
-        framed?: boolean;
-        aad?: Uint8Array;
-    });
-    /** @internal Test-only overload to inject fixed nonce/IVs for deterministic KAT vectors. */
-    constructor(key: Uint8Array, chunkSize: number | undefined, opts: {
-        framed?: boolean;
-        aad?: Uint8Array;
-    } | undefined, _nonce: Uint8Array, _ivs?: Uint8Array[]);
-    header(): Uint8Array;
-    seal(plaintext: Uint8Array): Uint8Array;
-    final(plaintext: Uint8Array): Uint8Array;
-    private _sealChunk;
-    private _wipe;
-    dispose(): void;
-}
-export declare class SerpentStreamOpener {
-    private readonly _key;
-    private readonly _cs;
-    private readonly _nonce;
-    private readonly _cbc;
-    private readonly _hmac;
-    private readonly _hkdf;
-    private readonly _framed;
-    private readonly _aad;
-    private readonly _buf;
-    private readonly _maxFrame;
-    private _bufLen;
-    private _index;
-    private _dead;
-    constructor(key: Uint8Array, header: Uint8Array, opts?: {
-        framed?: boolean;
-        aad?: Uint8Array;
-    });
-    get closed(): boolean;
-    open(chunk: Uint8Array): Uint8Array;
-    private _openRaw;
-    feed(bytes: Uint8Array): Uint8Array[];
-    private _wipe;
-    dispose(): void;
-}

package/dist/serpent/stream-sealer.js DELETED Viewed

@@ -1,342 +0,0 @@
-//                  ▄▄▄▄▄▄▄▄▄▄
-//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
-//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
-//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
-//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
-//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
-//     ███████▌    ▀██▀         ███
-//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
-//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
-//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
-//            ▀████▄   ▄██▄
-//              ▐████   ▐███                  Author: xero (https://x-e.ro)
-//       ▄▄██████████    ▐███         ▄▄      License: MIT
-//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
-//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
-//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
-//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
-//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
-//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
-//                           ▀█████▀▀
-//
-// src/ts/serpent/stream-sealer.ts
-//
-// Tier 2 pure-TS composition: SerpentCbc + HMAC_SHA256 + HKDF_SHA256.
-// Incremental streaming AEAD — seal/open one chunk at a time.
-// Wire format: header (20) | chunks: IV(16) || ct(padded) || HMAC(32)
-import { SerpentCbc, _serpentReady } from './index.js';
-import { HMAC_SHA256, HKDF_SHA256, _sha2Ready } from '../sha2/index.js';
-import { concat, constantTimeEqual, wipe } from '../utils.js';
-import { u32be, u64be } from './stream.js';
-const DOMAIN = 'serpent-sealstream-v1';
-const DOMAIN_BYTES = new TextEncoder().encode(DOMAIN); // 21 bytes
-const CHUNK_MIN = 1024;
-const CHUNK_MAX = 65536;
-const CHUNK_DEF = 65536;
-function chunkInfo(streamNonce, chunkSize, index, isLast) {
-    // 21 + 16 + 4 + 8 + 1 = 50 bytes
-    const info = new Uint8Array(50);
-    let off = 0;
-    info.set(DOMAIN_BYTES, off);
-    off += 21;
-    info.set(streamNonce, off);
-    off += 16;
-    info.set(u32be(chunkSize), off);
-    off += 4;
-    info.set(u64be(index), off);
-    off += 8;
-    info[off] = isLast ? 0x01 : 0x00;
-    return info;
-}
-function deriveChunkKeys(hkdf, key, streamNonce, chunkSize, index, isLast) {
-    const info = chunkInfo(streamNonce, chunkSize, index, isLast);
-    const derived = hkdf.derive(key, new Uint8Array(0), info, 64);
-    return {
-        encKey: derived.subarray(0, 32),
-        macKey: derived.subarray(32, 64),
-    };
-}
-export class SerpentStreamSealer {
-    _key;
-    _cs; // chunk size
-    _nonce; // stream nonce (16 bytes)
-    _cbc;
-    _hmac;
-    _hkdf;
-    _framed;
-    _aad;
-    _ivs; // test seam: fixed IVs
-    _ivIdx;
-    _index;
-    _state;
-    constructor(key, chunkSize, opts, _nonce, _ivs) {
-        if (!_serpentReady())
-            throw new Error('leviathan-crypto: call init([\'serpent\']) before using SerpentStreamSealer');
-        if (!_sha2Ready())
-            throw new Error('leviathan-crypto: call init([\'sha2\']) before using SerpentStreamSealer');
-        if (key.length !== 64)
-            throw new RangeError(`SerpentStreamSealer key must be 64 bytes (got ${key.length})`);
-        const cs = chunkSize ?? CHUNK_DEF;
-        if (cs < CHUNK_MIN || cs > CHUNK_MAX)
-            throw new RangeError(`SerpentStreamSealer chunkSize must be ${CHUNK_MIN}..${CHUNK_MAX} (got ${cs})`);
-        this._key = key.slice();
-        this._cs = cs;
-        this._framed = opts?.framed ?? false;
-        this._aad = opts?.aad ? opts.aad.slice() : new Uint8Array(0);
-        this._nonce = new Uint8Array(16);
-        if (_nonce && _nonce.length === 16) {
-            this._nonce.set(_nonce);
-        }
-        else {
-            crypto.getRandomValues(this._nonce);
-        }
-        this._cbc = new SerpentCbc({ dangerUnauthenticated: true });
-        this._hmac = new HMAC_SHA256();
-        this._hkdf = new HKDF_SHA256();
-        this._ivs = _ivs;
-        this._ivIdx = 0;
-        this._index = 0;
-        this._state = 'fresh';
-    }
-    header() {
-        if (this._state === 'sealing')
-            throw new Error('SerpentStreamSealer: header() already called');
-        if (this._state === 'dead')
-            throw new Error('SerpentStreamSealer: stream is closed');
-        this._state = 'sealing';
-        const hdr = new Uint8Array(20);
-        hdr.set(this._nonce, 0);
-        hdr.set(u32be(this._cs), 16);
-        return hdr;
-    }
-    seal(plaintext) {
-        if (this._state === 'fresh')
-            throw new Error('SerpentStreamSealer: call header() first');
-        if (this._state === 'dead')
-            throw new Error('SerpentStreamSealer: stream is closed');
-        if (plaintext.length !== this._cs)
-            throw new RangeError(`SerpentStreamSealer: seal() requires exactly ${this._cs} bytes (got ${plaintext.length})`);
-        return this._sealChunk(plaintext, false);
-    }
-    final(plaintext) {
-        if (this._state === 'fresh')
-            throw new Error('SerpentStreamSealer: call header() first');
-        if (this._state === 'dead')
-            throw new Error('SerpentStreamSealer: stream is closed');
-        if (plaintext.length > this._cs)
-            throw new RangeError(`SerpentStreamSealer: final() plaintext exceeds chunkSize (got ${plaintext.length})`);
-        const out = this._sealChunk(plaintext, true);
-        this._wipe();
-        return out;
-    }
-    _sealChunk(plaintext, isLast) {
-        const { encKey, macKey } = deriveChunkKeys(this._hkdf, this._key, this._nonce, this._cs, this._index, isLast);
-        const iv = new Uint8Array(16);
-        if (this._ivs && this._ivIdx < this._ivs.length) {
-            iv.set(this._ivs[this._ivIdx++]);
-        }
-        else {
-            crypto.getRandomValues(iv);
-        }
-        const ciphertext = this._cbc.encrypt(encKey, iv, plaintext);
-        const tag = this._hmac.hash(macKey, concat(u32be(this._aad.length), this._aad, iv, ciphertext));
-        this._index++;
-        const sealed = concat(new Uint8Array([isLast ? 1 : 0]), iv, ciphertext, tag);
-        if (!this._framed)
-            return sealed;
-        const out = new Uint8Array(4 + sealed.length);
-        out.set(u32be(sealed.length), 0);
-        out.set(sealed, 4);
-        return out;
-    }
-    _wipe() {
-        wipe(this._key);
-        wipe(this._nonce);
-        wipe(this._aad);
-        this._cbc.dispose();
-        this._hmac.dispose();
-        this._hkdf.dispose();
-        this._state = 'dead';
-    }
-    dispose() {
-        if (this._state !== 'dead')
-            this._wipe();
-    }
-}
-export class SerpentStreamOpener {
-    _key;
-    _cs;
-    _nonce;
-    _cbc;
-    _hmac;
-    _hkdf;
-    _framed;
-    _aad;
-    _buf;
-    _maxFrame;
-    _bufLen;
-    _index;
-    _dead;
-    constructor(key, header, opts) {
-        if (!_serpentReady())
-            throw new Error('leviathan-crypto: call init([\'serpent\']) before using SerpentStreamOpener');
-        if (!_sha2Ready())
-            throw new Error('leviathan-crypto: call init([\'sha2\']) before using SerpentStreamOpener');
-        if (key.length !== 64)
-            throw new RangeError(`SerpentStreamOpener key must be 64 bytes (got ${key.length})`);
-        if (header.length !== 20)
-            throw new RangeError(`SerpentStreamOpener header must be 20 bytes (got ${header.length})`);
-        this._key = key.slice();
-        this._nonce = header.slice(0, 16);
-        this._cs = (header[16] << 24 | header[17] << 16 | header[18] << 8 | header[19]) >>> 0;
-        if (this._cs < CHUNK_MIN || this._cs > CHUNK_MAX)
-            throw new RangeError(`SerpentStreamOpener: header contains invalid chunkSize ${this._cs} (expected ${CHUNK_MIN}..${CHUNK_MAX})`);
-        this._framed = opts?.framed ?? false;
-        this._aad = opts?.aad ? opts.aad.slice() : new Uint8Array(0);
-        this._cbc = new SerpentCbc({ dangerUnauthenticated: true });
-        this._hmac = new HMAC_SHA256();
-        this._hkdf = new HKDF_SHA256();
-        this._index = 0;
-        this._dead = false;
-        this._bufLen = 0;
-        if (this._framed) {
-            const cs = this._cs;
-            const maxSealed = 1 + 16 + (cs + (16 - (cs % 16))) + 32;
-            this._maxFrame = 4 + maxSealed;
-            this._buf = new Uint8Array(this._maxFrame);
-        }
-    }
-    get closed() {
-        return this._dead;
-    }
-    open(chunk) {
-        if (this._dead)
-            throw new Error('SerpentStreamOpener: stream is closed');
-        if (this._framed)
-            throw new Error('SerpentStreamOpener: call feed() on framed openers — open() expects raw sealed chunks without length prefix');
-        return this._openRaw(chunk);
-    }
-    _openRaw(chunk) {
-        // isLast(1) || IV(16) || ciphertext || HMAC(32)
-        if (chunk.length < 1 + 16 + 16 + 32)
-            throw new RangeError('SerpentStreamOpener: chunk wire data too short');
-        const isLast = chunk[0] !== 0;
-        const { encKey, macKey } = deriveChunkKeys(this._hkdf, this._key, this._nonce, this._cs, this._index, isLast);
-        const iv = chunk.subarray(1, 17);
-        const ciphertext = chunk.subarray(17, chunk.length - 32);
-        const tag = chunk.subarray(chunk.length - 32);
-        const expectedTag = this._hmac.hash(macKey, concat(u32be(this._aad.length), this._aad, iv, ciphertext));
-        if (!constantTimeEqual(tag, expectedTag))
-            throw new Error('SerpentStreamOpener: authentication failed');
-        const plaintext = this._cbc.decrypt(encKey, iv, ciphertext);
-        this._index++;
-        if (isLast)
-            this._wipe();
-        return plaintext;
-    }
-    feed(bytes) {
-        if (!this._framed)
-            throw new Error('SerpentStreamOpener: feed() requires { framed: true }');
-        if (this._dead)
-            throw new Error('SerpentStreamOpener: stream is closed');
-        const buf = this._buf;
-        const maxFrame = this._maxFrame;
-        const results = [];
-        let consumed = 0;
-        // ── Phase 1: drain carry-over ─────────────────────────────────────
-        if (this._bufLen > 0) {
-            // Sub-case A: partial prefix — we have < 4 bytes buffered
-            if (this._bufLen < 4) {
-                const need = 4 - this._bufLen;
-                const take = Math.min(need, bytes.length - consumed);
-                buf.set(bytes.subarray(consumed, consumed + take), this._bufLen);
-                this._bufLen += take;
-                consumed += take;
-                if (this._bufLen < 4)
-                    return results;
-            }
-            const sealedLen = (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0;
-            if (sealedLen === 0 || sealedLen > (maxFrame - 4)) {
-                this._wipe();
-                throw new Error('SerpentStreamOpener: invalid sealed chunk length');
-            }
-            const frameLen = 4 + sealedLen;
-            // Sub-case B: partial frame body
-            const haveInBuf = this._bufLen;
-            const needMore = frameLen - haveInBuf;
-            if (needMore > 0) {
-                const take = Math.min(needMore, bytes.length - consumed);
-                buf.set(bytes.subarray(consumed, consumed + take), haveInBuf);
-                this._bufLen += take;
-                consumed += take;
-                if (this._bufLen < frameLen)
-                    return results;
-            }
-            const plaintext = this._openRaw(buf.subarray(4, frameLen));
-            results.push(plaintext);
-            this._bufLen = 0;
-            if (this._dead) {
-                if (consumed < bytes.length) {
-                    this._wipe();
-                    throw new Error('SerpentStreamOpener: unexpected bytes after final chunk');
-                }
-                return results;
-            }
-        }
-        // ── Phase 2: parse complete frames directly from bytes ────────────
-        let pos = consumed;
-        while (true) {
-            if (bytes.length - pos < 4)
-                break;
-            const sealedLen = (bytes[pos] << 24 | bytes[pos + 1] << 16 | bytes[pos + 2] << 8 | bytes[pos + 3]) >>> 0;
-            if (sealedLen === 0 || sealedLen > (maxFrame - 4)) {
-                this._wipe();
-                throw new Error('SerpentStreamOpener: invalid sealed chunk length');
-            }
-            const frameLen = 4 + sealedLen;
-            if (bytes.length - pos < frameLen)
-                break;
-            const plaintext = this._openRaw(bytes.subarray(pos + 4, pos + frameLen));
-            results.push(plaintext);
-            if (this._dead) {
-                const remaining = bytes.length - pos - frameLen;
-                if (remaining > 0) {
-                    this._wipe();
-                    throw new Error('SerpentStreamOpener: unexpected bytes after final chunk');
-                }
-                return results;
-            }
-            pos += frameLen;
-        }
-        // ── Carry over any incomplete trailing bytes into _buf ────────────
-        const leftover = bytes.length - pos;
-        if (leftover > 0) {
-            if (leftover > maxFrame) {
-                this._wipe();
-                throw new Error('SerpentStreamOpener: input exceeds maximum frame size');
-            }
-            buf.set(bytes.subarray(pos), 0);
-            this._bufLen = leftover;
-        }
-        return results;
-    }
-    _wipe() {
-        if (this._dead)
-            return;
-        wipe(this._key);
-        wipe(this._nonce);
-        wipe(this._aad);
-        this._cbc.dispose();
-        this._hmac.dispose();
-        this._hkdf.dispose();
-        if (this._framed) {
-            wipe(this._buf);
-            this._bufLen = 0;
-        }
-        this._dead = true;
-    }
-    dispose() {
-        if (!this._dead)
-            this._wipe();
-    }
-}