leviathan-crypto 1.4.0 → 2.0.1

package/dist/docs/chacha20.md

@@ -1,7 +1,22 @@
-# ChaCha20, Poly1305, and AEAD TypeScript API
+# ChaCha20 TypeScript API
 
 > [!NOTE]
-> See [ChaCha20-Poly1305 implementation audit](./chacha_audit.md) for algorithm correctness verifications.
+> API reference for `ChaCha20`, `Poly1305`, `ChaCha20Poly1305`, `XChaCha20Poly1305`, and `XChaCha20Cipher`. Covers initialization, all class methods, usage examples, and error conditions.
+
+> ### Table of Contents
+> - [Overview](#overview)
+> - [Security Notes](#security-notes)
+> - [Module Init](#module-init)
+> - [API Reference](#api-reference)
+>   - [`ChaCha20`](#chacha20)
+>   - [`Poly1305`](#poly1305)
+>   - [`ChaCha20Poly1305`](#chacha20poly1305)
+>   - [`XChaCha20Poly1305`](#xchacha20poly1305)
+> - [XChaCha20Cipher](#xchacha20cipher)
+> - [Usage Examples](#usage-examples)
+> - [Error Conditions](#error-conditions)
+
+---
 
 ## Overview
 
@@ -9,37 +24,38 @@
 on all platforms (including those without hardware AES), resistant to timing attacks
 by design, and widely deployed in TLS, SSH, and WireGuard. ChaCha20 encrypts data
 by generating a pseudorandom keystream from a 256-bit key and a nonce, then XORing
-it with the plaintext. It does **not** provide authentication on its own — a
-modified message will decrypt to garbage with no warning.
+it with the plaintext. It does **not** provide authentication on its own. A modified message will decrypt to garbage with no warning.
 
 **Poly1305** is a one-time message authentication code (MAC). Given a unique 256-bit
 key and a message, it produces a 16-byte tag that proves the message has not been
 tampered with. The critical requirement is that each Poly1305 key is used **exactly
-once** — reusing a key completely breaks its security. You almost never need to use
+once**. Reusing a key completely breaks its security. You almost never need to use
 Poly1305 directly; the AEAD constructions below handle key derivation for you.
 
 **ChaCha20-Poly1305** (RFC 8439) combines both primitives into an AEAD
 (Authenticated Encryption with Associated Data). It encrypts your data and
 produces an authentication tag in a single operation. On decryption, it verifies
-the tag before returning any plaintext — if someone tampered with the ciphertext,
+the tag before returning any plaintext. If someone tampered with the ciphertext,
 you get an error instead of corrupted data. The nonce is 96 bits (12 bytes).
 
 **XChaCha20-Poly1305** extends the nonce to 192 bits (24 bytes) using the HChaCha20
-subkey derivation step. This makes random nonce generation completely safe — with a
+subkey derivation step. This makes random nonce generation completely safe. With a
 24-byte nonce, the probability of a collision is negligible even after billions of
-messages. **For most users, `XChaCha20Seal` is the recommended choice.** It binds the key
-at construction, generates a fresh nonce per call, and provides the simplest
-correct API. For protocol interop requiring explicit nonce control, use
-`XChaCha20Poly1305` directly.
+messages. **For most users, `Seal` with `XChaCha20Cipher` is the recommended choice.** It
+produces a self-contained authenticated blob with no nonce management, no
+instantiation, and no `dispose()`. For protocol interop requiring explicit nonce
+control, use `XChaCha20Poly1305` directly.
+
+---
 
 ## Security Notes
 
 > [!IMPORTANT]
-> Read this section before writing any code. These are not theoretical concerns —
-> they are the mistakes that cause real-world breaches.
+> Read this section before writing any code. These are not theoretical concerns.
+> They are the mistakes that cause real-world breaches.
 
-- **Use `XChaCha20Seal` unless you need explicit nonce control.** It is the
-  safest default: authenticated encryption with automatic nonce generation.
+- **Use `Seal` with `XChaCha20Cipher` unless you need explicit nonce control.**
+  It is the safest default: authenticated encryption in a single static call.
   If you are unsure which class to pick, pick this one. Use `XChaCha20Poly1305`
   when protocol interop requires you to manage nonces yourself.
 
@@ -49,7 +65,7 @@ correct API. For protocol interop requiring explicit nonce control, use
   With `ChaCha20Poly1305` (12-byte nonce), random generation has a meaningful
   collision risk after roughly 2^32 messages under one key. With
   `XChaCha20Poly1305` (24-byte nonce), random generation is safe for any practical
-  message count — just call `randomBytes(24)` for each message.
+  message count. Just call `randomBytes(24)` for each message.
 
 - **Poly1305 keys are single-use.** Each Poly1305 key must be used to authenticate
   exactly one message. The AEAD classes (`ChaCha20Poly1305` and
@@ -58,13 +74,12 @@ correct API. For protocol interop requiring explicit nonce control, use
   `Poly1305` class directly, it is your responsibility to never reuse a key.
 
 - **AEAD protects both confidentiality and authenticity.** If authentication fails
-  during decryption, the plaintext is never returned — you get an error. This is
-  intentional. Do not try to work around it. If decryption fails, the ciphertext
-  was corrupted or tampered with.
+  during decryption, the plaintext is never returned. You get an error. This is
+  intentional. Do not try to work around it. If decryption fails, the ciphertext was corrupted or tampered with.
 
 - **Associated data (AAD) is authenticated but not encrypted.** Use AAD for data
   that must travel in the clear (headers, routing metadata, user IDs) but must be
-  verified as unmodified. If someone changes the AAD, decryption will fail — even
+  verified as unmodified. If someone changes the AAD, decryption will fail even
   if the ciphertext itself is untouched.
 
 - **Always call `dispose()` when you are done.** This wipes key material and
@@ -77,29 +92,32 @@ correct API. For protocol interop requiring explicit nonce control, use
   building your own authenticated construction (and you probably should not be),
   use one of the AEAD classes instead.
 
+---
+
 ## Module Init
 
 Each module subpath exports its own init function for consumers who want
 tree-shakeable imports.
 
-### `chacha20Init(mode?, opts?)`
+### `chacha20Init(source)`
 
 Initializes only the chacha20 WASM binary. Equivalent to calling the
-root `init(['chacha20'], mode, opts)` but without pulling the other three
+root `init({ chacha20: chacha20Wasm })` but without pulling the other three
 modules into the bundle.
 
 **Signature:**
 
 ```typescript
-async function chacha20Init(mode?: Mode, opts?: InitOpts): Promise<void>
+async function chacha20Init(source: WasmSource): Promise<void>
 ```
 
 **Usage:**
 
 ```typescript
 import { chacha20Init, XChaCha20Poly1305 } from 'leviathan-crypto/chacha20'
+import { chacha20Wasm } from 'leviathan-crypto/chacha20/embedded'
 
-await chacha20Init()
+await chacha20Init(chacha20Wasm)
 const aead = new XChaCha20Poly1305()
 ```
 
@@ -107,17 +125,17 @@ const aead = new XChaCha20Poly1305()
 
 ## API Reference
 
-All classes require calling `await init(['chacha20'])` or the subpath `chacha20Init()`
+All classes require calling `await init({ chacha20: chacha20Wasm })` or the subpath `chacha20Init()`
 before construction. If you construct a class before initialization, it throws:
 ```
-Error: leviathan-crypto: call init(['chacha20']) before using this class
+Error: leviathan-crypto: call init({ chacha20: ... }) before using this class
 ```
 
 ---
 
 ### `ChaCha20`
 
-Raw ChaCha20 stream cipher. **No authentication** — use `XChaCha20Poly1305` instead
+Raw ChaCha20 stream cipher. **No authentication.** Use `XChaCha20Poly1305` instead
 unless you are building a custom protocol and understand the risks.
 
 #### Constructor
@@ -126,7 +144,7 @@ unless you are building a custom protocol and understand the risks.
 new ChaCha20()
 ```
 
-Throws if `init(['chacha20'])` has not been called.
+Throws if `init({ chacha20: chacha20Wasm })` has not been called.
 
 ---
 
@@ -158,8 +176,7 @@ a new `Uint8Array` containing the ciphertext (same length as input).
 
 #### `beginDecrypt(key: Uint8Array, nonce: Uint8Array): void`
 
-Prepares the cipher for decryption. Identical to `beginEncrypt` — ChaCha20 is
-symmetric (encryption and decryption are the same XOR operation).
+Prepares the cipher for decryption. Identical to `beginEncrypt`. ChaCha20 is symmetric; encryption and decryption are the same XOR operation.
 
 | Parameter | Type | Description |
 |-----------|------|-------------|
@@ -193,7 +210,7 @@ when you are done with the instance.
 ### `Poly1305`
 
 Standalone Poly1305 one-time MAC. **Each key must be used exactly once.** You
-almost certainly want `ChaCha20Poly1305` or `XChaCha20Poly1305` instead — they
+almost certainly want `ChaCha20Poly1305` or `XChaCha20Poly1305` instead. They
 handle Poly1305 key derivation automatically.
 
 #### Constructor
@@ -202,7 +219,7 @@ handle Poly1305 key derivation automatically.
 new Poly1305()
 ```
 
-Throws if `init(['chacha20'])` has not been called.
+Throws if `init({ chacha20: chacha20Wasm })` has not been called.
 
 ---
 
@@ -212,10 +229,10 @@ Computes a 16-byte Poly1305 authentication tag over the given message.
 
 | Parameter | Type | Description |
 |-----------|------|-------------|
-| `key` | `Uint8Array` | 32 bytes — must be unique per message |
+| `key` | `Uint8Array` | 32 bytes. Must be unique per message. |
 | `msg` | `Uint8Array` | The message to authenticate (any length) |
 
-**Returns** `Uint8Array` — a 16-byte authentication tag.
+**Returns** `Uint8Array`: a 16-byte authentication tag.
 
 **Throws** `RangeError` if `key` is not 32 bytes.
 
@@ -242,54 +259,59 @@ to avoid collision risk.
 new ChaCha20Poly1305()
 ```
 
-Throws if `init(['chacha20'])` has not been called.
+Throws if `init({ chacha20: chacha20Wasm })` has not been called.
 
 ---
 
-#### `encrypt(key, nonce, plaintext, aad?): { ciphertext: Uint8Array; tag: Uint8Array }`
+#### `encrypt(key, nonce, plaintext, aad?): Uint8Array`
 
-Encrypts plaintext and produces a 16-byte authentication tag.
+Encrypts plaintext and returns the ciphertext with the 16-byte Poly1305 tag
+appended.
+
+> [!WARNING]
+> Each `ChaCha20Poly1305` instance allows only **one** `encrypt()` call. A second
+> call throws to prevent accidental nonce reuse. Create a new instance for each
+> encryption, or use `Seal` with `XChaCha20Cipher` for automatic nonce management.
 
 | Parameter | Type | Default | Description |
 |-----------|------|---------|-------------|
 | `key` | `Uint8Array` | | 32 bytes (256-bit key) |
 | `nonce` | `Uint8Array` | | 12 bytes (96-bit nonce) |
 | `plaintext` | `Uint8Array` | | Data to encrypt (up to the module's chunk size limit) |
-| `aad` | `Uint8Array` | `new Uint8Array(0)` | Associated data — authenticated but not encrypted |
+| `aad` | `Uint8Array` | `new Uint8Array(0)` | Associated data. Authenticated but not encrypted. |
 
-**Returns** `{ ciphertext: Uint8Array; tag: Uint8Array }` — the ciphertext (same
-length as plaintext) and a 16-byte authentication tag. You need both to decrypt.
+**Returns** `Uint8Array`: ciphertext + 16-byte tag (length = plaintext.length + 16).
 
 **Throws:**
 - `RangeError` if `key` is not 32 bytes
 - `RangeError` if `nonce` is not 12 bytes
 - `RangeError` if `plaintext` exceeds the maximum chunk size
+- `Error` if `encrypt()` has already been called on this instance
 
 ---
 
-#### `decrypt(key, nonce, ciphertext, tag, aad?): Uint8Array`
+#### `decrypt(key, nonce, ciphertext, aad?): Uint8Array`
 
-Verifies the authentication tag and decrypts the ciphertext. If authentication
-fails, an error is thrown and no plaintext is returned.
+Verifies the authentication tag and decrypts the ciphertext. The `ciphertext`
+parameter must include the appended 16-byte tag (i.e., the exact output of
+`encrypt()`). If authentication fails, an error is thrown and no plaintext is
+returned.
 
-Tag comparison uses a constant-time XOR-accumulate pattern — no timing side
-channel leaks whether the tag was "close" to correct.
+Tag comparison uses a constant-time XOR-accumulate pattern; no timing side channel leaks whether the tag was "close" to correct.
 
 | Parameter | Type | Default | Description |
 |-----------|------|---------|-------------|
 | `key` | `Uint8Array` | | 32 bytes (same key used for encryption) |
 | `nonce` | `Uint8Array` | | 12 bytes (same nonce used for encryption) |
-| `ciphertext` | `Uint8Array` | | Encrypted data |
-| `tag` | `Uint8Array` | | 16-byte authentication tag from `encrypt()` |
+| `ciphertext` | `Uint8Array` | | Encrypted data with appended tag (output of `encrypt()`) |
 | `aad` | `Uint8Array` | `new Uint8Array(0)` | Associated data (must match what was passed to `encrypt()`) |
 
-**Returns** `Uint8Array` — the decrypted plaintext.
+**Returns** `Uint8Array`: the decrypted plaintext.
 
 **Throws:**
 - `RangeError` if `key` is not 32 bytes
 - `RangeError` if `nonce` is not 12 bytes
-- `RangeError` if `tag` is not 16 bytes
-- `RangeError` if `ciphertext` exceeds the maximum chunk size
+- `RangeError` if `ciphertext` is shorter than 16 bytes (no room for a tag)
 - `Error('ChaCha20Poly1305: authentication failed')` if the tag does not match
 
 ---
@@ -303,15 +325,15 @@ Wipes all key material and intermediate state from WASM memory.
 ### `XChaCha20Poly1305`
 
 XChaCha20-Poly1305 AEAD (draft-irtf-cfrg-xchacha). RFC-faithful stateless
-primitive — key and nonce are passed per-call. Use when protocol interop
-requires explicit nonce control. For most use cases, prefer `XChaCha20Seal`
-(bound key, automatic nonce management).
+primitive. Key and nonce are passed per-call. Use when protocol interop
+requires explicit nonce control. For most use cases, prefer `Seal` with
+`XChaCha20Cipher` (automatic nonce management, no instantiation).
 
 It uses a 24-byte (192-bit) nonce, which is large enough that randomly generated
 nonces will never collide in practice. Internally, it derives a subkey via
 HChaCha20 and delegates to `ChaCha20Poly1305`.
 
-Unlike `ChaCha20Poly1305`, the `encrypt()` method returns a single `Uint8Array`
+Like `ChaCha20Poly1305`, the `encrypt()` method returns a single `Uint8Array`
 with the tag appended to the ciphertext. The `decrypt()` method expects this
 combined format and splits it internally.
 
@@ -321,7 +343,7 @@ combined format and splits it internally.
 new XChaCha20Poly1305()
 ```
 
-Throws if `init(['chacha20'])` has not been called.
+Throws if `init({ chacha20: chacha20Wasm })` has not been called.
 
 ---
 
@@ -334,9 +356,9 @@ Encrypts plaintext and returns the ciphertext with the 16-byte tag appended.
 | `key` | `Uint8Array` | | 32 bytes (256-bit key) |
 | `nonce` | `Uint8Array` | | 24 bytes (192-bit nonce) |
 | `plaintext` | `Uint8Array` | | Data to encrypt |
-| `aad` | `Uint8Array` | `new Uint8Array(0)` | Associated data — authenticated but not encrypted |
+| `aad` | `Uint8Array` | `new Uint8Array(0)` | Associated data. Authenticated but not encrypted. |
 
-**Returns** `Uint8Array` — ciphertext + 16-byte tag (length = plaintext.length + 16).
+**Returns** `Uint8Array`: ciphertext + 16-byte tag (length = plaintext.length + 16).
 
 **Throws:**
 - `RangeError` if `key` is not 32 bytes
@@ -357,7 +379,7 @@ parameter must include the appended 16-byte tag (i.e., the exact output of
 | `ciphertext` | `Uint8Array` | | Encrypted data with appended tag (output of `encrypt()`) |
 | `aad` | `Uint8Array` | `new Uint8Array(0)` | Associated data (must match what was passed to `encrypt()`) |
 
-**Returns** `Uint8Array` — the decrypted plaintext.
+**Returns** `Uint8Array`: the decrypted plaintext.
 
 **Throws:**
 - `RangeError` if `key` is not 32 bytes
@@ -373,261 +395,159 @@ Wipes all key material and intermediate state from WASM memory.
 
 ---
 
-## `XChaCha20Seal`
+## XChaCha20Cipher
 
-XChaCha20-Poly1305 AEAD with a bound key and automatic nonce management.
-**This is the recommended authenticated encryption class.** It implements the
-`AEAD` interface — `encrypt()` and `decrypt()` require only plaintext and
-optional AAD. Each `encrypt()` call generates a fresh 24-byte random nonce
-internally, eliminating any risk of nonce reuse.
+`CipherSuite` implementation for XChaCha20-Poly1305. Pass to `Seal`,
+`SealStream`, or `OpenStream`. Never instantiated directly.
 
-**Wire format:** `nonce(24) || ciphertext || tag(16)`
+Requires `init({ chacha20: chacha20Wasm, sha2: sha2Wasm })`.
 
 > [!NOTE]
-> The nonce is generated internally via `crypto.getRandomValues` — you never
-> need to manage nonces. For protocol interop requiring explicit nonce control,
-> use `XChaCha20Poly1305` directly.
-
-#### Constructor
-
-```typescript
-new XChaCha20Seal(key: Uint8Array)   // 32 bytes
-```
+> `sha2` is required by the stream layer for HKDF key derivation, not by
+> `XChaCha20Poly1305` itself.
 
-Binds the key at construction. Throws if `init(['chacha20'])` has not been
-called. Throws `RangeError` if key is not 32 bytes. The key is copied
-internally — the caller's buffer can be wiped after construction.
+| Property | Value |
+|----------|-------|
+| `formatEnum` | `0x01` |
+| `keySize` | `32` |
+| `tagSize` | `16` (Poly1305) |
+| `padded` | `false` |
+| `wasmModules` | `['chacha20', 'sha2']` |
 
----
-
-#### `encrypt(plaintext, aad?): Uint8Array`
-
-Encrypts plaintext and returns a sealed blob with nonce prepended and tag
-appended.
-
-| Parameter | Type | Default | Description |
-|-----------|------|---------|-------------|
-| `plaintext` | `Uint8Array` | | Data to encrypt (any length, including empty) |
-| `aad` | `Uint8Array` | `new Uint8Array(0)` | Associated data — authenticated but not encrypted |
-
-**Returns** `Uint8Array` — `nonce(24) || ciphertext || tag(16)` (length = plaintext.length + 40).
-
----
+#### `XChaCha20Cipher.keygen(): Uint8Array`
 
-#### `decrypt(ciphertext, aad?): Uint8Array`
+Returns `randomBytes(32)`. Convenience method. Not on the `CipherSuite` interface.
 
-Reads the nonce from the first 24 bytes, verifies the tag, and decrypts.
-
-| Parameter | Type | Default | Description |
-|-----------|------|---------|-------------|
-| `ciphertext` | `Uint8Array` | | Sealed blob from `encrypt()` |
-| `aad` | `Uint8Array` | `new Uint8Array(0)` | Associated data (must match what was passed to `encrypt()`) |
-
-**Returns** `Uint8Array` — the decrypted plaintext.
-
-**Throws:**
-- `RangeError` if `ciphertext` is shorter than 40 bytes (nonce + tag minimum)
-- `Error('ChaCha20Poly1305: authentication failed')` if the tag does not match
-
----
-
-#### `dispose(): void`
-
-Wipes the key copy and all WASM buffers.
-
----
-
-#### Usage
+#### Usage with `Seal`
 
 ```typescript
-await init(['chacha20'])
-const key  = randomBytes(32)
-const seal = new XChaCha20Seal(key)
-const ct   = seal.encrypt(plaintext)               // nonce generated internally
-const pt   = seal.decrypt(ct)                       // throws on tamper
-seal.dispose()
-```
-
----
+import { init, Seal, XChaCha20Cipher } from 'leviathan-crypto'
+import { chacha20Wasm } from 'leviathan-crypto/chacha20/embedded'
+import { sha2Wasm }     from 'leviathan-crypto/sha2/embedded'
 
-## `XChaCha20StreamSealer` / `XChaCha20StreamOpener`
+await init({ chacha20: chacha20Wasm, sha2: sha2Wasm })
 
-Incremental streaming AEAD using XChaCha20-Poly1305 — counterpart to
-`SerpentStreamSealer` / `SerpentStreamOpener` for the ChaCha20 family.
-
-Each chunk is independently encrypted with `XChaCha20-Poly1305` using a fresh
-random 24-byte nonce. Stream binding (preventing cross-stream splice and
-reordering) is achieved through per-chunk AAD that includes the stream ID,
-chunk index, and finality flag. Simpler than `SerpentStreamSealer` — no HKDF
-key derivation, no separate HMAC.
-
-**Wire format:**
-```
-header:  stream_id (16) || chunkSize_u32be (4)                          = 20 bytes
-chunk:   isLast (1) || nonce (24) || ciphertext || tag (16)
-```
-
-```typescript
-class XChaCha20StreamSealer {
-	constructor(key: Uint8Array, chunkSize?: number, opts?: {
-		framed?: boolean;
-		aad?: Uint8Array;
-	})
-	header(): Uint8Array
-	seal(plaintext: Uint8Array): Uint8Array
-	final(plaintext: Uint8Array): Uint8Array
-	dispose(): void
-}
-
-class XChaCha20StreamOpener {
-	constructor(key: Uint8Array, header: Uint8Array, opts?: {
-		framed?: boolean;
-		aad?: Uint8Array;
-	})
-	open(chunk: Uint8Array): Uint8Array
-	feed(bytes: Uint8Array): Uint8Array[]
-	dispose(): void
-}
+const key  = XChaCha20Cipher.keygen()
+const blob = Seal.encrypt(XChaCha20Cipher, key, plaintext)
+const pt   = Seal.decrypt(XChaCha20Cipher, key, blob)   // throws on tamper
 ```
 
-- **key** — 32 bytes. Throws `RangeError` if wrong length.
-- **chunkSize** — 1024–65536. Default: 65536.
-- **opts.framed** — prepend `u32be(sealedLen)` to each output for flat streams.
-- **opts.aad** — associated data folded into every chunk's internal AAD.
-
-The API shape is identical to `SerpentStreamSealer` / `SerpentStreamOpener` —
-same state machine (`fresh → sealing → dead`), same `header()` / `seal()` /
-`final()` / `open()` / `feed()` contract.
-
-#### Usage
+#### Usage with `SealStream` / `OpenStream`
 
 ```typescript
-await init(['chacha20'])
-
-const key    = randomBytes(32)
-const sealer = new XChaCha20StreamSealer(key, 65536)
-const header = sealer.header()
+import { SealStream, OpenStream } from 'leviathan-crypto/stream'
+import { XChaCha20Cipher } from 'leviathan-crypto/chacha20'
 
-const chunk0 = sealer.seal(data0)        // exactly chunkSize bytes
-const last   = sealer.final(tail)        // any size up to chunkSize; wipes key
+const sealer   = new SealStream(XChaCha20Cipher, key)
+const preamble = sealer.preamble        // 20 bytes, send before first chunk
+const ct0      = sealer.push(chunk0)
+const ctLast   = sealer.finalize(lastChunk)
 
-const opener = new XChaCha20StreamOpener(key, header)
-const pt0    = opener.open(chunk0)       // throws on auth failure
-const ptLast = opener.open(last)
+const opener = new OpenStream(XChaCha20Cipher, key, preamble)
+const pt0    = opener.pull(ct0)
+const ptLast = opener.finalize(ctLast)
 ```
 
----
-
-## Parallel pool — `XChaCha20Poly1305Pool`
-
-For high-throughput workloads where multiple XChaCha20-Poly1305 operations should
-run concurrently, `XChaCha20Poly1305Pool` dispatches work across a configurable
-number of Web Workers, each holding an isolated `chacha20.wasm` instance in its own
-linear memory. This removes the single-threaded bottleneck of a shared WASM
-instance and allows encryption and decryption operations to proceed in parallel.
-The pool requires `init(['chacha20'])` to be called before construction and is
-created via the static factory `XChaCha20Poly1305Pool.create(opts?)` — see
-[chacha20_pool.md](./chacha20_pool.md) for the full API reference, pool sizing
-guidance, and lifecycle docs.
+See [aead.md](./aead.md) for the full `Seal`, `SealStream`, and `OpenStream` API.
 
 ---
 
 ## Usage Examples
 
-### Example 1: XChaCha20Seal — Encrypt and Decrypt (Recommended)
+### Example 1: Seal with XChaCha20Cipher (recommended)
 
-This is the pattern most users should follow. Bind the key at construction —
-nonces are generated internally, no nonce management needed.
+One-shot AEAD. No instantiation, no `dispose()`. The blob format is
+`preamble(20) || ciphertext || tag(16)`.
 
 ```typescript
-import { init, XChaCha20Seal, randomBytes, utf8ToBytes, bytesToUtf8 } from 'leviathan-crypto'
-
-// Step 1: Initialize the chacha20 WASM module (once, at application startup)
-await init(['chacha20'])
-
-// Step 2: Generate a 256-bit encryption key
-const key = randomBytes(32)
+import { init, Seal, XChaCha20Cipher, utf8ToBytes, bytesToUtf8 } from 'leviathan-crypto'
+import { chacha20Wasm } from 'leviathan-crypto/chacha20/embedded'
+import { sha2Wasm }     from 'leviathan-crypto/sha2/embedded'
 
-// Step 3: Create the seal instance — key is bound at construction
-const seal = new XChaCha20Seal(key)
+await init({ chacha20: chacha20Wasm, sha2: sha2Wasm })
 
-// Step 4: Encrypt — nonce is generated internally, no nonce management needed
-const plaintext = utf8ToBytes('Hello, world!')
-const ciphertext = seal.encrypt(plaintext)
-// `ciphertext` = nonce(24) || encrypted data || tag(16)
+const key  = XChaCha20Cipher.keygen()
+const blob = Seal.encrypt(XChaCha20Cipher, key, utf8ToBytes('Hello, world!'))
+const pt   = Seal.decrypt(XChaCha20Cipher, key, blob)   // throws on tamper
 
-// Step 5: Decrypt — nonce is read from the ciphertext automatically
-const decrypted = seal.decrypt(ciphertext)
-console.log(bytesToUtf8(decrypted))  // "Hello, world!"
+console.log(bytesToUtf8(pt))  // "Hello, world!"
 
-// Step 6: Clean up
-seal.dispose()
+// Optional: bind metadata without encrypting it (AAD)
+const aad  = utf8ToBytes('document-v2')
+const blob2 = Seal.encrypt(XChaCha20Cipher, key, utf8ToBytes('Hello, world!'), { aad })
+const pt2   = Seal.decrypt(XChaCha20Cipher, key, blob2, { aad })
 ```
 
-> **Need explicit nonce control?** See Example 2 (`ChaCha20Poly1305`) or use
-> `XChaCha20Poly1305` directly — same API shape, 24-byte nonce passed per call.
+> For explicit nonce control, use `XChaCha20Poly1305` directly. Same
+> API shape, 24-byte nonce passed per call. See Example 2.
 
-### Example 2: ChaCha20Poly1305 — Encrypt and Decrypt
+### Example 2: ChaCha20Poly1305
 
 Same idea as above, but with a 12-byte nonce. Use this if you are implementing
 a protocol that specifies RFC 8439 ChaCha20-Poly1305 explicitly.
 
-Note the differences from `XChaCha20Poly1305`:
-- The nonce is 12 bytes, not 24
-- `encrypt()` returns `{ ciphertext, tag }` as separate fields
-- `decrypt()` takes the tag as a separate parameter
+Both `ChaCha20Poly1305` and `XChaCha20Poly1305` return a single `Uint8Array`
+with the tag appended, and `decrypt()` expects the same combined format.
+The only difference is the nonce size (12 vs 24 bytes).
+
+> [!NOTE]
+> Each `ChaCha20Poly1305` instance allows only one `encrypt()` call. A second
+> call throws to prevent accidental nonce reuse. Create a new instance for each
+> encryption.
 
 ```typescript
 import { init, ChaCha20Poly1305, randomBytes, utf8ToBytes, bytesToUtf8 } from 'leviathan-crypto'
+import { chacha20Wasm } from 'leviathan-crypto/chacha20/embedded'
 
-await init(['chacha20'])
+await init({ chacha20: chacha20Wasm })
 
 const key = randomBytes(32)
 const aead = new ChaCha20Poly1305()
 
 // Encrypt
-const nonce = randomBytes(12)     // 12 bytes — be cautious with random generation under high volume
+const nonce = randomBytes(12)     // 12 bytes, use XChaCha20Poly1305 for high-volume random generation
 const plaintext = utf8ToBytes('Sensitive data')
-const { ciphertext, tag } = aead.encrypt(key, nonce, plaintext)
-// You must store/transmit nonce, ciphertext, AND tag — all three are needed to decrypt
+const sealed = aead.encrypt(key, nonce, plaintext)
+// sealed = ciphertext || tag(16), store/transmit nonce and sealed together
 
-// Decrypt
-const decrypted = aead.decrypt(key, nonce, ciphertext, tag)
+// Decrypt (new instance, encrypt is single-use)
+const aead2 = new ChaCha20Poly1305()
+const decrypted = aead2.decrypt(key, nonce, sealed)
 console.log(bytesToUtf8(decrypted))  // "Sensitive data"
 
 aead.dispose()
+aead2.dispose()
 ```
 
 ### Example 3: Detecting Tampered Ciphertext
 
 AEAD decryption fails loudly if anyone has modified the ciphertext or
-the associated data. This is a feature — it prevents you from processing
+the associated data. This is a feature. It prevents you from processing
 corrupted or maliciously altered data.
 
 ```typescript
-import { init, XChaCha20Seal, randomBytes, utf8ToBytes } from 'leviathan-crypto'
+import { init, Seal, XChaCha20Cipher, randomBytes, utf8ToBytes } from 'leviathan-crypto'
+import { chacha20Wasm } from 'leviathan-crypto/chacha20/embedded'
+import { sha2Wasm }     from 'leviathan-crypto/sha2/embedded'
 
-await init(['chacha20'])
+await init({ chacha20: chacha20Wasm, sha2: sha2Wasm })
 
-const seal = new XChaCha20Seal(randomBytes(32))
-
-const sealed = seal.encrypt(utf8ToBytes('Original message'))
+const key    = XChaCha20Cipher.keygen()
+const sealed = Seal.encrypt(XChaCha20Cipher, key, utf8ToBytes('Original message'))
 
 // Simulate tampering: flip one bit in the ciphertext
 const tampered = new Uint8Array(sealed)
-tampered[24] ^= 0x01  // byte 24 is the first ciphertext byte (after the nonce)
+tampered[20] ^= 0x01  // byte 20 is the first ciphertext byte (after the 20-byte preamble)
 
 try {
-	const plaintext = seal.decrypt(tampered)
+	const plaintext = Seal.decrypt(XChaCha20Cipher, key, tampered)
 	// This line is never reached
 	console.log(plaintext)
 } catch (err) {
 	console.error(err.message)
 	// "ChaCha20Poly1305: authentication failed"
-	// The plaintext is never returned — decryption stops immediately on failure.
+	// The plaintext is never returned. Decryption stops immediately on failure.
 }
-
-seal.dispose()
 ```
 
 ### Example 4: Using Associated Data (AAD)
@@ -637,68 +557,69 @@ not encrypt. Common uses: user IDs, message sequence numbers, protocol version
 headers, routing information.
 
 ```typescript
-import { init, XChaCha20Seal, randomBytes, utf8ToBytes, bytesToUtf8 } from 'leviathan-crypto'
+import { init, Seal, XChaCha20Cipher, randomBytes, utf8ToBytes, bytesToUtf8 } from 'leviathan-crypto'
+import { chacha20Wasm } from 'leviathan-crypto/chacha20/embedded'
+import { sha2Wasm }     from 'leviathan-crypto/sha2/embedded'
 
-await init(['chacha20'])
+await init({ chacha20: chacha20Wasm, sha2: sha2Wasm })
 
-const seal = new XChaCha20Seal(randomBytes(32))
+const key     = XChaCha20Cipher.keygen()
 
 // The user ID travels in the clear, but decryption will fail if anyone changes it
 const userId  = utf8ToBytes('user-12345')
 const message = utf8ToBytes('Your account balance is $1,000,000')
 
-const sealed = seal.encrypt(message, userId)
+const sealed = Seal.encrypt(XChaCha20Cipher, key, message, { aad: userId })
 
-// Decrypt — pass the same AAD
-const decrypted = seal.decrypt(sealed, userId)
+// Decrypt, pass the same AAD
+const decrypted = Seal.decrypt(XChaCha20Cipher, key, sealed, { aad: userId })
 console.log(bytesToUtf8(decrypted))
 // "Your account balance is $1,000,000"
 
 // If someone changes the AAD, decryption fails
 const wrongUserId = utf8ToBytes('user-99999')
 try {
-	seal.decrypt(sealed, wrongUserId)
+	Seal.decrypt(XChaCha20Cipher, key, sealed, { aad: wrongUserId })
 } catch (err) {
 	console.error(err.message)
 	// "ChaCha20Poly1305: authentication failed"
 	// Even though the ciphertext was not modified, the AAD mismatch is detected.
 }
-
-seal.dispose()
 ```
 
 ### Example 5: Encrypting and Decrypting Binary Data
 
-The API works with raw bytes — not just text. Here is an example encrypting
+The API works with raw bytes, not just text. Here is an example encrypting
 arbitrary binary content.
 
 ```typescript
-import { init, XChaCha20Seal, randomBytes } from 'leviathan-crypto'
+import { init, Seal, XChaCha20Cipher, randomBytes } from 'leviathan-crypto'
+import { chacha20Wasm } from 'leviathan-crypto/chacha20/embedded'
+import { sha2Wasm }     from 'leviathan-crypto/sha2/embedded'
 
-await init(['chacha20'])
+await init({ chacha20: chacha20Wasm, sha2: sha2Wasm })
 
-const seal = new XChaCha20Seal(randomBytes(32))
+const key = XChaCha20Cipher.keygen()
 
 // Encrypt binary data (e.g., an image thumbnail, a protobuf, a file chunk)
 const binaryData = new Uint8Array([0x89, 0x50, 0x4e, 0x47, /* ...more bytes... */])
-const sealed = seal.encrypt(binaryData)
+const sealed = Seal.encrypt(XChaCha20Cipher, key, binaryData)
 
 // Decrypt
-const recovered = seal.decrypt(sealed)
+const recovered = Seal.decrypt(XChaCha20Cipher, key, sealed)
 // `recovered` is byte-identical to `binaryData`
-
-seal.dispose()
 ```
 
 ### Example 6: Raw ChaCha20 Stream Cipher (Advanced)
 
 Use this only if you are building a custom protocol and will add your own
-authentication layer. For almost all use cases, use `XChaCha20Seal` instead.
+authentication layer. For almost all use cases, use `Seal` with `XChaCha20Cipher` instead.
 
 ```typescript
 import { init, ChaCha20, randomBytes } from 'leviathan-crypto'
+import { chacha20Wasm } from 'leviathan-crypto/chacha20/embedded'
 
-await init(['chacha20'])
+await init({ chacha20: chacha20Wasm })
 
 const key = randomBytes(32)
 const nonce = randomBytes(12)
@@ -709,7 +630,7 @@ cipher.beginEncrypt(key, nonce)
 const ct1 = cipher.encryptChunk(new Uint8Array([1, 2, 3, 4]))
 const ct2 = cipher.encryptChunk(new Uint8Array([5, 6, 7, 8]))
 
-// Decrypt — uses the same key and nonce
+// Decrypt, uses the same key and nonce
 cipher.beginDecrypt(key, nonce)
 const pt1 = cipher.decryptChunk(ct1)
 const pt2 = cipher.decryptChunk(ct2)
@@ -722,27 +643,32 @@ const pt2 = cipher.decryptChunk(ct2)
 cipher.dispose()
 ```
 
+---
+
 ## Error Conditions
 
 | Condition | Error Type | Message |
 |-----------|-----------|---------|
-| `init(['chacha20'])` not called before constructing a class | `Error` | `leviathan-crypto: call init(['chacha20']) before using this class` |
+| `init({ chacha20: ... })` not called before constructing a class | `Error` | `leviathan-crypto: call init({ chacha20: ... }) before using this class` |
 | Key is not 32 bytes | `RangeError` | `ChaCha20 key must be 32 bytes (got N)` / `key must be 32 bytes (got N)` / `Poly1305 key must be 32 bytes (got N)` |
 | `ChaCha20` nonce is not 12 bytes | `RangeError` | `ChaCha20 nonce must be 12 bytes (got N)` |
 | `ChaCha20Poly1305` nonce is not 12 bytes | `RangeError` | `nonce must be 12 bytes (got N)` |
 | `XChaCha20Poly1305` nonce is not 24 bytes | `RangeError` | `XChaCha20 nonce must be 24 bytes (got N)` |
-| `ChaCha20Poly1305` tag is not 16 bytes | `RangeError` | `tag must be 16 bytes (got N)` |
+| `ChaCha20Poly1305` ciphertext shorter than 16 bytes | `RangeError` | `ciphertext too short — must include 16-byte tag (got N)` |
 | `XChaCha20Poly1305` ciphertext shorter than 16 bytes | `RangeError` | `ciphertext too short — must include 16-byte tag (got N)` |
+| `ChaCha20Poly1305.encrypt()` called a second time | `Error` | Single-use encrypt guard. Create a new instance for each encryption. |
 | Chunk or plaintext exceeds WASM buffer size | `RangeError` | `plaintext exceeds N bytes — split into smaller chunks` / `chunk exceeds maximum size of N bytes — split into smaller chunks` |
 | Authentication tag does not match on decrypt | `Error` | `ChaCha20Poly1305: authentication failed` |
-| Empty plaintext | — | Allowed. Encrypting zero bytes produces just a 16-byte tag (AEAD) or zero bytes (raw ChaCha20). |
+| Empty plaintext | | Allowed. Encrypting zero bytes produces just a 16-byte tag (AEAD) or zero bytes (raw ChaCha20). |
 
 > ## Cross-References
 >
 > - [index](./README.md) — Project Documentation index
+> - [lexicon](./lexicon.md) — Glossary of cryptographic terms
 > - [asm_chacha](./asm_chacha.md) — WASM (AssemblyScript) implementation details for the chacha20 module
-> - [chacha20_pool](./chacha20_pool.md) — `XChaCha20Poly1305Pool` worker-pool wrapper for parallel encryption
-> - [serpent](./serpent.md) — alternative: Serpent block cipher modes (CBC, CTR — unauthenticated, needs HMAC pairing)
-> - [sha2](./sha2.md) — SHA-2 hashes and HMAC — needed for Encrypt-then-MAC if using Serpent or raw ChaCha20
+> - [authenticated encryption](./aead.md) — `Seal`, `SealStream`, `OpenStream`: use `XChaCha20Cipher` as the suite argument
+> - [serpent](./serpent.md) — `SerpentCipher`: alternative `CipherSuite` for `Seal` and streaming
+> - [sha2](./sha2.md) — SHA-2 hashes and HMAC. Needed for Encrypt-then-MAC if using raw ChaCha20
 > - [types](./types.md) — `AEAD` and `Streamcipher` interfaces implemented by ChaCha20 classes
-> - [chacha_audit.md](./chacha_audit.md) — XChaCha20-Poly1305 implementation audit
+> - [architecture](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
+> - [chacha_audit](./chacha_audit.md) — XChaCha20-Poly1305 implementation audit