leviathan-crypto 2.0.1 → 3.0.0

package/dist/stream/seal-stream-pool.js

@@ -21,11 +21,11 @@
 //
 // src/ts/stream/seal-stream-pool.ts
 //
-// SealStreamPool — parallel batch encryption/decryption using the STREAM
+// SealStreamPool, parallel batch encryption/decryption using the STREAM
 // construction. Dispatches per-chunk seal/open jobs across Web Workers.
 // Any error is fatal: auth failure, crash, or timeout kills all workers,
 // wipes keys, and rejects all pending promises.
-import { randomBytes, wipe } from '../utils.js';
+import { randomBytes, wipe, constantTimeEqual } from '../utils.js';
 import { isInitialized } from '../init.js';
 import { compileWasm } from '../loader.js';
 import { AuthenticationError } from '../errors.js';
@@ -44,6 +44,7 @@ export class SealStreamPool {
     _framed;
     _timeout;
     _header;
+    _commitment;
     _workers;
     _idle;
     _queue;
@@ -53,7 +54,7 @@ export class SealStreamPool {
     _sealed;
     _keys;
     _masterKey;
-    constructor(cipher, workers, keys, masterKey, header, chunkSize, framed, timeout) {
+    constructor(cipher, workers, keys, masterKey, header, commitment, chunkSize, framed, timeout) {
         this._cipher = cipher;
         this._workers = workers;
         this._idle = [...workers];
@@ -65,6 +66,7 @@ export class SealStreamPool {
         this._keys = keys;
         this._masterKey = masterKey;
         this._header = header;
+        this._commitment = commitment;
         this._chunkSize = chunkSize;
         this._framed = framed;
         this._timeout = timeout;
@@ -75,10 +77,10 @@ export class SealStreamPool {
     }
     static async create(cipher, key, opts) {
         if (!isInitialized('sha2'))
-            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation — '
+            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation, '
                 + 'call init({ sha2: ... }) before creating a SealStreamPool');
         if (cipher.kemCtSize > 0)
-            throw new Error('leviathan-crypto: SealStreamPool does not support KEM-enabled cipher suites — '
+            throw new Error('leviathan-crypto: SealStreamPool does not support KEM-enabled cipher suites, '
                 + 'KEM encryption is asymmetric (seal uses encapsulation key, open requires decapsulation key) '
                 + 'and cannot share a single key across both directions. '
                 + 'Use SealStream / OpenStream directly for hybrid KEM encryption.');
@@ -101,7 +103,7 @@ export class SealStreamPool {
         }
         else {
             if (required.length > 1)
-                throw new Error(`leviathan-crypto: cipher requires ${required.length} WASM modules (${required.join(', ')}) — provide a Record`);
+                throw new Error(`leviathan-crypto: cipher requires ${required.length} WASM modules (${required.join(', ')}), provide a Record`);
             modules[required[0]] = await compileWasm(opts.wasm);
         }
         // For padded ciphers, validate that a full plaintext chunk fits in the WASM
@@ -115,10 +117,20 @@ export class SealStreamPool {
         }
         if (key.length !== cipher.keySize)
             throw new RangeError(`key must be ${cipher.keySize} bytes (got ${key.length})`);
-        // Generate nonce and derive keys
+        // Generate nonce and build header before deriveKeys, XChaCha20 binds
+        // the header into HKDF info; SerpentCipher accepts and ignores it.
         const nonce = randomBytes(16);
-        const keys = cipher.deriveKeys(key, nonce);
         const header = writeHeader(cipher.formatEnum, framed, nonce, chunkSize);
+        const keys = cipher.deriveKeys(key, nonce, undefined, header);
+        let commitment = null;
+        if (cipher.commitmentSize > 0) {
+            if (!keys.commitment || keys.commitment.length !== cipher.commitmentSize) {
+                cipher.wipeKeys(keys);
+                throw new Error(`leviathan-crypto: ${cipher.formatName}.deriveKeys returned `
+                    + `${keys.commitment?.length ?? 'no'} commitment bytes, expected ${cipher.commitmentSize}`);
+            }
+            commitment = keys.commitment;
+        }
         // Spawn workers sequentially (compatible with @vitest/web-worker)
         const workers = [];
         for (let i = 0; i < n; i++) {
@@ -147,7 +159,7 @@ export class SealStreamPool {
             });
             workers.push(w);
         }
-        return new SealStreamPool(cipher, workers, keys, key.slice(), header, chunkSize, framed, timeout);
+        return new SealStreamPool(cipher, workers, keys, key.slice(), header, commitment, chunkSize, framed, timeout);
     }
     get header() {
         return this._header;
@@ -176,12 +188,17 @@ export class SealStreamPool {
         }
         try {
             const results = await Promise.all(jobs);
-            let totalLen = HEADER_SIZE;
+            const commitmentLen = this._cipher.commitmentSize;
+            let totalLen = HEADER_SIZE + commitmentLen;
             for (const r of results)
                 totalLen += this._framed ? r.length + 4 : r.length;
             const ciphertext = new Uint8Array(totalLen);
             ciphertext.set(this._header, 0);
             let pos = HEADER_SIZE;
+            if (this._commitment) {
+                ciphertext.set(this._commitment, pos);
+                pos += commitmentLen;
+            }
             for (const r of results) {
                 if (this._framed) {
                     new DataView(ciphertext.buffer, pos).setUint32(0, r.length, false);
@@ -202,30 +219,52 @@ export class SealStreamPool {
         if (this._dead)
             throw new Error('leviathan-crypto: pool is dead');
         if (ciphertext.length < HEADER_SIZE)
-            throw new RangeError(`leviathan-crypto: ciphertext too short — need at least ${HEADER_SIZE} bytes for header`);
+            throw new RangeError(`leviathan-crypto: ciphertext too short, need at least ${HEADER_SIZE} bytes for header`);
         // Validate header before splitting chunks
         const h = readHeader(ciphertext.subarray(0, HEADER_SIZE));
         if (h.formatEnum !== this._cipher.formatEnum)
             throw new Error(`leviathan-crypto: pool expected format 0x${this._cipher.formatEnum.toString(16).padStart(2, '0')}, `
                 + `got 0x${h.formatEnum.toString(16).padStart(2, '0')}`);
         if (h.chunkSize !== this._chunkSize)
-            throw new RangeError(`leviathan-crypto: pool chunkSize mismatch — pool expects ${this._chunkSize}, `
+            throw new RangeError(`leviathan-crypto: pool chunkSize mismatch, pool expects ${this._chunkSize}, `
                 + `header says ${h.chunkSize}`);
         if (h.framed !== this._framed)
-            throw new Error(`leviathan-crypto: pool framing mismatch — pool is ${this._framed ? 'framed' : 'unframed'}, `
+            throw new Error(`leviathan-crypto: pool framing mismatch, pool is ${this._framed ? 'framed' : 'unframed'}, `
                 + `header says ${h.framed ? 'framed' : 'unframed'}`);
         // Re-derive keys from the nonce embedded in this ciphertext's header.
-        // The pool's _keys are tied to its own seal nonce — for arbitrary incoming
+        // The pool's _keys are tied to its own seal nonce, for arbitrary incoming
         // ciphertext the nonce may differ, so we derive fresh keys here.
         if (!this._masterKey)
             throw new Error('leviathan-crypto: pool master key has been wiped');
-        const openKeys = this._cipher.deriveKeys(this._masterKey, h.nonce);
+        const headerBytes = ciphertext.subarray(0, HEADER_SIZE);
+        const commitmentLen = this._cipher.commitmentSize;
+        const minLen = HEADER_SIZE + commitmentLen;
+        if (ciphertext.length < minLen)
+            throw new RangeError(`leviathan-crypto: ciphertext too short, need at least ${minLen} bytes for header + commitment`);
+        const openKeys = this._cipher.deriveKeys(this._masterKey, h.nonce, undefined, headerBytes);
         let openKeysWiped = false;
+        // Verify commitment before any chunk dispatch. Wrong key fails fast
+        // with AuthenticationError, before Poly1305 is consulted.
+        if (commitmentLen > 0) {
+            const derivedCommitment = openKeys.commitment;
+            if (!derivedCommitment || derivedCommitment.length !== commitmentLen) {
+                this._cipher.wipeKeys(openKeys);
+                throw new Error(`leviathan-crypto: ${this._cipher.formatName}.deriveKeys returned `
+                    + `${derivedCommitment?.length ?? 'no'} commitment bytes, expected ${commitmentLen}`);
+            }
+            const recvCommitment = ciphertext.subarray(HEADER_SIZE, HEADER_SIZE + commitmentLen);
+            if (!constantTimeEqual(derivedCommitment, recvCommitment)) {
+                this._cipher.wipeKeys(openKeys);
+                const err = new AuthenticationError(`commitment-${this._cipher.formatName}`);
+                this._killAll(err);
+                throw err;
+            }
+        }
         try {
-            // Strip header before chunk splitting
-            const body = ciphertext.subarray(HEADER_SIZE);
+            // Strip header + commitment before chunk splitting
+            const body = ciphertext.subarray(HEADER_SIZE + commitmentLen);
             if (body.length === 0)
-                throw new RangeError('leviathan-crypto: empty ciphertext — seal() always produces at least one chunk');
+                throw new RangeError('leviathan-crypto: empty ciphertext, seal() always produces at least one chunk');
             // Compute max wire chunk size for per-chunk validation
             const tagSize = this._cipher.tagSize;
             const paddedSize = this._cipher.padded
@@ -265,7 +304,7 @@ export class SealStreamPool {
             const jobs = [];
             for (let i = 0; i < chunks.length; i++) {
                 if (chunks[i].length < tagSize)
-                    throw new RangeError(`leviathan-crypto: chunk ${i} too short — need at least ${tagSize} bytes for tag `
+                    throw new RangeError(`leviathan-crypto: chunk ${i} too short, need at least ${tagSize} bytes for tag `
                         + `(got ${chunks[i].length})`);
                 if (chunks[i].length > maxWireChunk)
                     throw new RangeError(`leviathan-crypto: chunk ${i} exceeds max wire size `
@@ -277,10 +316,8 @@ export class SealStreamPool {
                     derivedKeyBytes: openKeys.bytes.slice(),
                 }));
             }
-            // All per-job key copies made — wipe the main-thread openKeys immediately
-            // rather than waiting for Promise.all. earlyWiped tracks this so the
-            // finally below only fires on pre-dispatch throws (empty body, frame errors,
-            // chunk validation), not as a redundant second call on the normal path.
+            // Per-job copies made; wipe main-thread openKeys immediately. openKeysWiped
+            // guards the finally so it only fires on pre-dispatch throws.
             this._cipher.wipeKeys(openKeys);
             openKeysWiped = true;
             const results = await Promise.all(jobs);
@@ -329,7 +366,7 @@ export class SealStreamPool {
     _send(worker, job) {
         const transfer = [];
         // Only transfer data.buffer when the Uint8Array owns the buffer exclusively.
-        // Subarrays from open() share the caller's ciphertext buffer — transferring
+        // Subarrays from open() share the caller's ciphertext buffer, transferring
         // one would detach all sibling views dispatched as parallel jobs.
         if (job.data.buffer instanceof ArrayBuffer
             && job.data.byteOffset === 0
@@ -340,7 +377,7 @@ export class SealStreamPool {
             transfer.push(job.counterNonce.buffer);
         if (job.derivedKeyBytes?.buffer instanceof ArrayBuffer)
             transfer.push(job.derivedKeyBytes.buffer);
-        // aad is intentionally not transferred — caller may retain the reference
+        // aad is intentionally not transferred, caller may retain the reference
         worker.postMessage(job, { transfer });
     }
     _onMessage(worker, e) {
@@ -379,15 +416,14 @@ export class SealStreamPool {
             reject(error);
         this._pending.clear();
         this._queue.length = 0;
-        for (const w of this._workers) {
-            try {
-                w.postMessage({ type: 'wipe' });
-            }
-            catch { /* worker may be terminated */ }
-            w.terminate();
-        }
-        this._workers.length = 0;
+        const workers = this._workers;
+        this._workers = [];
         this._idle.length = 0;
+        // Fire-and-forget: wipe each worker's key material, then terminate.
+        // On timeout, terminate anyway, the main-thread key handles are
+        // wiped below so the owning surface no longer has access.
+        for (const w of workers)
+            this._wipeThenTerminate(w);
         if (this._keys) {
             wipe(this._keys.bytes);
             this._keys = null;
@@ -397,4 +433,35 @@ export class SealStreamPool {
             this._masterKey = null;
         }
     }
+    _wipeThenTerminate(w) {
+        const WIPE_ACK_TIMEOUT_MS = 100;
+        let done = false;
+        // prefer-const false positive: `finish` (defined below) closes over
+        // `t` and is invoked synchronously from the catch path before the
+        // `t = setTimeout(...)` assignment runs.
+        // eslint-disable-next-line prefer-const
+        let t;
+        const finish = () => {
+            if (done)
+                return;
+            done = true;
+            if (t !== undefined)
+                clearTimeout(t);
+            w.removeEventListener('message', onMsg);
+            w.terminate();
+        };
+        const onMsg = (e) => {
+            if (e.data && e.data.type === 'wiped')
+                finish();
+        };
+        w.addEventListener('message', onMsg);
+        try {
+            w.postMessage({ type: 'wipe' });
+        }
+        catch {
+            finish();
+            return;
+        }
+        t = setTimeout(finish, WIPE_ACK_TIMEOUT_MS);
+    }
 }

package/dist/stream/seal-stream.d.ts

@@ -1,6 +1,6 @@
 import type { CipherSuite, SealStreamOpts } from './types.js';
 export declare class SealStream {
-    /** Preamble sent before the first chunk: header [|| kemCiphertext]. */
+    /** Preamble sent before the first chunk: header [|| kemCiphertext] [|| commitment]. */
     readonly preamble: Uint8Array;
     private readonly cipher;
     private readonly keys;

package/dist/stream/seal-stream.js

@@ -21,7 +21,7 @@
 //
 // src/ts/stream/seal-stream.ts
 //
-// SealStream — cipher-agnostic streaming encryption using the STREAM
+// SealStream, cipher-agnostic streaming encryption using the STREAM
 // construction (Hoang/Reyhanitabar/Rogaway/Vizár, CRYPTO 2015).
 import { randomBytes, concat } from '../utils.js';
 import { isInitialized } from '../init.js';
@@ -32,11 +32,11 @@ function u32beFrame(n) {
     new DataView(b.buffer).setUint32(0, n, false);
     return b;
 }
-// Module-level nonce injection slot — used only by _fromNonce for KAT tests.
+// Module-level nonce injection slot, used only by _fromNonce for KAT tests.
 // Set immediately before constructing, cleared inside the constructor.
 let _injectNonce;
 export class SealStream {
-    /** Preamble sent before the first chunk: header [|| kemCiphertext]. */
+    /** Preamble sent before the first chunk: header [|| kemCiphertext] [|| commitment]. */
     preamble;
     cipher;
     keys;
@@ -49,7 +49,7 @@ export class SealStream {
         this.chunkSize = opts?.chunkSize ?? 65536;
         this.framed = opts?.framed ?? false;
         if (!isInitialized('sha2'))
-            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation — '
+            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation, '
                 + 'call init({ sha2: ... }) before creating a SealStream');
         if (key.length !== cipher.keySize)
             throw new RangeError(`key must be ${cipher.keySize} bytes (got ${key.length})`);
@@ -57,14 +57,25 @@ export class SealStream {
             throw new RangeError(`chunkSize must be in [${CHUNK_MIN}, ${CHUNK_MAX}] (got ${this.chunkSize})`);
         const nonce = _injectNonce ?? randomBytes(16);
         _injectNonce = undefined;
-        this.keys = cipher.deriveKeys(key, nonce);
-        const kemCt = this.keys.kemCiphertext;
+        // Header must be built before deriveKeys, XChaCha20 binds it into
+        // the HKDF info string. SerpentCipher accepts and ignores it.
         const header = writeHeader(cipher.formatEnum, this.framed, nonce, this.chunkSize);
-        this.preamble = kemCt ? concat(header, kemCt) : header;
+        this.keys = cipher.deriveKeys(key, nonce, undefined, header);
+        const kemCt = this.keys.kemCiphertext;
+        const commitment = cipher.commitmentSize > 0 ? this.keys.commitment : undefined;
+        if (cipher.commitmentSize > 0 && (!commitment || commitment.length !== cipher.commitmentSize))
+            throw new Error(`leviathan-crypto: ${cipher.formatName}.deriveKeys returned `
+                + `${commitment?.length ?? 'no'} commitment bytes, expected ${cipher.commitmentSize}`);
+        const parts = [header];
+        if (kemCt)
+            parts.push(kemCt);
+        if (commitment)
+            parts.push(commitment);
+        this.preamble = parts.length === 1 ? header : concat(...parts);
     }
     /**
      * @internal
-     * KAT-only factory — injects a fixed nonce so seal output is deterministic.
+     * KAT-only factory, injects a fixed nonce so seal output is deterministic.
      * Stripped from published `.d.ts` by `stripInternal`. Do not use in production.
      */
     static _fromNonce(cipher, key, opts, nonce) {
@@ -80,30 +91,48 @@ export class SealStream {
     }
     push(chunk, opts) {
         if (this.state !== 'ready')
-            throw new Error('SealStream: cannot push after finalize');
+            throw new Error(`SealStream: cannot push in state '${this.state}'`);
+        // Argument validation runs before the crypto-failure try/catch so a
+        // too-big chunk throws without wiping keys or transitioning to 'failed'.
+        // The caller can retry with a correctly-sized chunk.
         if (chunk.length > this.chunkSize)
             throw new RangeError(`chunk exceeds chunkSize (${chunk.length} > ${this.chunkSize})`);
-        const nonce = makeCounterNonce(this.counter, TAG_DATA);
-        const result = this.cipher.sealChunk(this.keys, nonce, chunk, opts?.aad);
-        this.counter++;
-        return this.framed ? concat(u32beFrame(result.length), result) : result;
+        try {
+            const nonce = makeCounterNonce(this.counter, TAG_DATA);
+            const result = this.cipher.sealChunk(this.keys, nonce, chunk, opts?.aad);
+            this.counter++;
+            return this.framed ? concat(u32beFrame(result.length), result) : result;
+        }
+        catch (err) {
+            this.cipher.wipeKeys(this.keys);
+            this.state = 'failed';
+            throw err;
+        }
     }
     finalize(chunk, opts) {
         if (this.state !== 'ready')
-            throw new Error('SealStream: already finalized');
+            throw new Error(`SealStream: cannot finalize in state '${this.state}'`);
         if (chunk.length > this.chunkSize)
             throw new RangeError(`chunk exceeds chunkSize (${chunk.length} > ${this.chunkSize})`);
-        const nonce = makeCounterNonce(this.counter, TAG_FINAL);
-        const result = this.cipher.sealChunk(this.keys, nonce, chunk, opts?.aad);
-        this.cipher.wipeKeys(this.keys);
-        this.state = 'finalized';
-        return this.framed ? concat(u32beFrame(result.length), result) : result;
+        try {
+            const nonce = makeCounterNonce(this.counter, TAG_FINAL);
+            const result = this.cipher.sealChunk(this.keys, nonce, chunk, opts?.aad);
+            this.cipher.wipeKeys(this.keys);
+            this.state = 'finalized';
+            return this.framed ? concat(u32beFrame(result.length), result) : result;
+        }
+        catch (err) {
+            this.cipher.wipeKeys(this.keys);
+            this.state = 'failed';
+            throw err;
+        }
     }
     dispose() {
         if (this.state === 'ready') {
             this.cipher.wipeKeys(this.keys);
             this.state = 'finalized';
         }
+        // 'failed' already wiped keys; 'finalized' already wiped keys, no-op.
     }
     toTransformStream() {
         let headerSent = false;

package/dist/stream/seal.js

@@ -21,7 +21,7 @@
 //
 // src/ts/stream/seal.ts
 //
-// Seal — unified single-shot encrypt/decrypt using the STREAM construction.
+// Seal, unified single-shot encrypt/decrypt using the STREAM construction.
 // Seal blobs are valid SealStream blobs with a single final chunk.
 // OpenStream can decrypt a Seal blob without modification.
 import { concat } from '../utils.js';
@@ -32,7 +32,7 @@ import { HEADER_SIZE, CHUNK_MAX, CHUNK_MIN } from './constants.js';
 export class Seal {
     static encrypt(suite, key, pt, opts) {
         if (pt.length > CHUNK_MAX)
-            throw new RangeError(`Seal.encrypt: plaintext exceeds maximum (${CHUNK_MAX} bytes) — use SealStream for large data`);
+            throw new RangeError(`Seal.encrypt: plaintext exceeds maximum (${CHUNK_MAX} bytes), use SealStream for large data`);
         const sealer = new SealStream(suite, key, { chunkSize: Math.max(pt.length, CHUNK_MIN) });
         try {
             const ct = sealer.finalize(pt, opts);
@@ -43,9 +43,9 @@ export class Seal {
         }
     }
     static decrypt(suite, key, blob, opts) {
-        const preambleLen = HEADER_SIZE + suite.kemCtSize;
+        const preambleLen = HEADER_SIZE + suite.kemCtSize + suite.commitmentSize;
         if (blob.length < preambleLen)
-            throw new RangeError(`Seal.decrypt: blob too short — need at least ${preambleLen} bytes (got ${blob.length})`);
+            throw new RangeError(`Seal.decrypt: blob too short, need at least ${preambleLen} bytes (got ${blob.length})`);
         const preamble = blob.subarray(0, preambleLen);
         const opener = new OpenStream(suite, key, preamble);
         try {
@@ -57,12 +57,12 @@ export class Seal {
     }
     /**
      * @internal
-     * KAT-only — injects a fixed nonce so output is deterministic.
+     * KAT-only, injects a fixed nonce so output is deterministic.
      * Stripped from published `.d.ts` by `stripInternal`. Do not use in production.
      */
     static _fromNonce(suite, key, pt, nonce, opts) {
         if (pt.length > CHUNK_MAX)
-            throw new RangeError(`Seal._fromNonce: plaintext exceeds maximum (${CHUNK_MAX} bytes) — use SealStream for large data`);
+            throw new RangeError(`Seal._fromNonce: plaintext exceeds maximum (${CHUNK_MAX} bytes), use SealStream for large data`);
         const sealer = SealStream._fromNonce(suite, key, { chunkSize: Math.max(pt.length, CHUNK_MIN) }, nonce);
         try {
             const ct = sealer.finalize(pt, opts);

package/dist/stream/types.d.ts

@@ -1,6 +1,7 @@
 export interface DerivedKeys {
     readonly bytes: Uint8Array;
     readonly kemCiphertext?: Uint8Array;
+    readonly commitment?: Uint8Array;
 }
 export interface CipherSuite {
     readonly formatEnum: number;
@@ -9,10 +10,11 @@ export interface CipherSuite {
     readonly keySize: number;
     readonly decKeySize?: number;
     readonly kemCtSize: number;
+    readonly commitmentSize: number;
     readonly tagSize: number;
     readonly padded: boolean;
     readonly wasmChunkSize: number;
-    deriveKeys(key: Uint8Array, nonce: Uint8Array, kemCt?: Uint8Array): DerivedKeys;
+    deriveKeys(key: Uint8Array, nonce: Uint8Array, kemCt?: Uint8Array, header?: Uint8Array): DerivedKeys;
     sealChunk(keys: DerivedKeys, counterNonce: Uint8Array, chunk: Uint8Array, aad?: Uint8Array): Uint8Array;
     openChunk(keys: DerivedKeys, counterNonce: Uint8Array, chunk: Uint8Array, aad?: Uint8Array): Uint8Array;
     wipeKeys(keys: DerivedKeys): void;

package/dist/stream/types.js

@@ -21,6 +21,6 @@
 //
 // src/ts/stream/types.ts
 //
-// CipherSuite interface — cipher-specific logic injected into SealStream
+// CipherSuite interface, cipher-specific logic injected into SealStream
 // and OpenStream. Implementations are plain objects (not classes).
 export {};

package/dist/types.d.ts

@@ -18,7 +18,28 @@ export interface Streamcipher {
 }
 export interface AEAD {
     encrypt(msg: Uint8Array, aad?: Uint8Array): Uint8Array;
-    /** Decrypt and authenticate. Throws `Error` on authentication failure — never returns null. */
+    /** Decrypt and authenticate. Throws `Error` on authentication failure, never returns null. */
     decrypt(ciphertext: Uint8Array, aad?: Uint8Array): Uint8Array;
     dispose(): void;
 }
+/**
+ * Stateless cipher PRF for Fortuna's generator slot. Produces `n` bytes of
+ * keystream from `(key, counter)` without mutating either input. Implementations
+ * are plain const objects, not classes.
+ */
+export interface Generator {
+    readonly keySize: number;
+    readonly blockSize: number;
+    readonly counterSize: number;
+    readonly wasmModules: readonly string[];
+    generate(key: Uint8Array, counter: Uint8Array, n: number): Uint8Array;
+}
+/**
+ * Stateless hash function for Fortuna's accumulator and reseed slots. Output
+ * size must match the generator's key size when paired in Fortuna.
+ */
+export interface HashFn {
+    readonly outputSize: number;
+    readonly wasmModules: readonly string[];
+    digest(msg: Uint8Array): Uint8Array;
+}

package/dist/types.js

@@ -22,5 +22,5 @@
 // src/ts/types.ts
 //
 // Primitive interfaces for leviathan-crypto.
-// No init() dependency — available at import time.
+// No init() dependency, available at import time.
 export {};

package/dist/utils.d.ts

@@ -1,4 +1,4 @@
-/** Hex string to Uint8Array. Accepts lowercase/uppercase, optional 0x prefix. Throws RangeError on odd-length input. */
+/** Hex string to Uint8Array. Accepts lowercase/uppercase, optional 0x prefix. Throws RangeError on odd-length or non-hex input. */
 export declare const hexToBytes: (hex: string) => Uint8Array;
 /** Uint8Array to lowercase hex string. */
 export declare const bytesToHex: (bytes: Uint8Array) => string;
@@ -6,18 +6,17 @@ export declare const bytesToHex: (bytes: Uint8Array) => string;
 export declare const utf8ToBytes: (str: string) => Uint8Array;
 /** Uint8Array to UTF-8 string. */
 export declare const bytesToUtf8: (bytes: Uint8Array) => string;
-/** Base64 or base64url string to Uint8Array. Handles padded, unpadded, and legacy %3d padding. Returns undefined on invalid input. */
-export declare const base64ToBytes: (b64: string) => Uint8Array | undefined;
-/** Uint8Array to base64 string. Pass url=true for base64url (RFC 4648 §5 — no padding characters). */
+/** Base64 or base64url string to Uint8Array. Handles padded, unpadded, and legacy %3d padding. Throws RangeError on invalid input. */
+export declare const base64ToBytes: (b64: string) => Uint8Array;
+/** Uint8Array to base64 string. Pass url=true for base64url (RFC 4648 §5, no padding characters). */
 export declare const bytesToBase64: (bytes: Uint8Array, url?: boolean) => string;
-export declare const CT_MAX_BYTES = 32768;
+export declare const CTE_MAX_BYTES = 32768;
 /**
  * Constant-time byte-array equality.
- * Uses WASM SIMD when available (no JIT short-circuiting, no speculative
- * optimization). Falls back to a JS XOR-accumulate loop on runtimes
- * without SIMD support.
- * Length check is not constant-time (length is non-secret in all protocols).
- * Max input size: 32768 bytes per side (enforced regardless of code path).
+ * Runs entirely inside a WASM SIMD module (v128 XOR accumulate with
+ * branch-free reduction). Throws on runtimes without SIMD support,
+ * no JS fallback. Length check is not constant-time (length is
+ * non-secret in all protocols). Max input size: 32768 bytes per side.
  */
 export declare const constantTimeEqual: (a: Uint8Array, b: Uint8Array) => boolean;
 /** Zero a typed array in place. */