leviathan-crypto 2.0.1 → 3.0.0

package/dist/blake3/types.d.ts

@@ -0,0 +1,102 @@
+/** BLAKE3 WASM exports. */
+export interface Blake3Exports {
+    memory: WebAssembly.Memory;
+    getModuleId: () => number;
+    getMemoryPages: () => number;
+    getInputStagingOffset: () => number;
+    getOutputStagingOffset: () => number;
+    getCvOffset: () => number;
+    getMsgOffset: () => number;
+    getCounterOffset: () => number;
+    getBlockLenOffset: () => number;
+    getFlagsOffset: () => number;
+    getCompressOutOffset: () => number;
+    getKeyedKeyOffset: () => number;
+    getDeriveCvOffset: () => number;
+    getCompress4CvInOffset: () => number;
+    getCompress4MsgInOffset: () => number;
+    getCompress4CtrInOffset: () => number;
+    getCompress4OutOffset: () => number;
+    getCompress4BlenInOffset: () => number;
+    getCompress4FlagsInOffset: () => number;
+    getModeCvOffset: () => number;
+    FLAG_CHUNK_START: {
+        value: number;
+    };
+    FLAG_CHUNK_END: {
+        value: number;
+    };
+    FLAG_PARENT: {
+        value: number;
+    };
+    FLAG_ROOT: {
+        value: number;
+    };
+    FLAG_KEYED_HASH: {
+        value: number;
+    };
+    FLAG_DERIVE_KEY_CONTEXT: {
+        value: number;
+    };
+    FLAG_DERIVE_KEY_MATERIAL: {
+        value: number;
+    };
+    BLAKE3_IV0: {
+        value: number;
+    };
+    BLAKE3_IV1: {
+        value: number;
+    };
+    BLAKE3_IV2: {
+        value: number;
+    };
+    BLAKE3_IV3: {
+        value: number;
+    };
+    BLAKE3_IV4: {
+        value: number;
+    };
+    BLAKE3_IV5: {
+        value: number;
+    };
+    BLAKE3_IV6: {
+        value: number;
+    };
+    BLAKE3_IV7: {
+        value: number;
+    };
+    compress: (cvOff: number, blockOff: number, counterLo: number, counterHi: number, blockLen: number, flags: number, outOff: number) => void;
+    compress4: () => void;
+    chunkInit: (chunkIndex: bigint) => void;
+    chunkUpdate: (blockOff: number, blockLen: number) => void;
+    chunkFinalize: (outCvOff: number, isRootSoloChunk: number) => void;
+    treeInit: () => void;
+    treePushChunk: (chunkCvOff: number) => void;
+    treeFinalizeRoot: (outOff: number) => void;
+    hash: (inputOff: number, inputLen: number, outOff: number, outLen: number) => void;
+    hashKeyed: (keyOff: number, inputOff: number, inputLen: number, outOff: number, outLen: number) => void;
+    deriveKey: (contextOff: number, contextLen: number, materialOff: number, materialLen: number, outOff: number, outLen: number) => void;
+    squeezeXofBlock: (counterLo: number, counterHi: number, outOff: number) => void;
+    wipeBuffers: () => void;
+}
+/**
+ * BLAKE3 WASM internal test exports. NOT part of the consumer surface,
+ * NOT re-exported from `src/ts/blake3/index.ts`. Wired exclusively for
+ * the tree-internals test suite (`test/unit/blake3/blake3-tree-internals
+ * .test.ts`) and the Merkle-tree substrate
+ * (`src/ts/merkle/blake3-tree.ts`) which casts
+ * `Blake3Exports & Blake3TestExports` inside the merkle module.
+ *
+ * Tests obtain these via `test/unit/blake3/helpers.ts`, which casts the
+ * public `Blake3Exports` to `Blake3Exports & Blake3TestExports`. Consumer
+ * code never sees the `_test*` surface.
+ */
+export interface Blake3TestExports {
+    _testChunkCV: (inputOff: number, inputLen: number, chunkIndex: bigint, startCvOff: number, modeFlags: number, outCvOff: number) => void;
+    _testParentCV: (leftCvOff: number, rightCvOff: number, startCvOff: number, modeFlags: number, isRoot: number, outCvOff: number) => void;
+    _testDeriveContextCV: (contextOff: number, contextLen: number, outCcvOff: number) => void;
+    _getBatch4CallCount: () => number;
+    _resetBatch4CallCount: () => void;
+    _getParentBatch4CallCount: () => number;
+    _resetParentBatch4CallCount: () => void;
+}

package/dist/blake3/types.js

@@ -0,0 +1,31 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/blake3/types.ts
+//
+// BLAKE3 WASM exports interface. Mirrors the AssemblyScript surface in
+// `src/asm/blake3/index.ts`. The consumer-facing TS surface (BLAKE3,
+// BLAKE3Stream and the keyed_hash / derive_key variants) calls the
+// top-level `hash` / `hashKeyed` / `deriveKey` entry points. Lower-level
+// primitives (`compress`, flag constants, buffer accessors) are typed
+// here for completeness and so test code can drive each layer in
+// isolation if needed.
+export {};

package/dist/blake3/validate.d.ts

@@ -0,0 +1,29 @@
+/**
+ * BLAKE3 §2.3 Modes: keyed_hash takes a 32-byte key. The key seeds the chunk
+ * machine in place of the BLAKE3 IV and every compress carries the
+ * KEYED_HASH flag. A key of any other length is a contract violation.
+ */
+export declare function validateKey(key: Uint8Array): void;
+/**
+ * BLAKE3 §2.3 Modes: derive_key takes a context string and produces a
+ * derived key. The context string is a domain separator and is
+ * conventionally a UTF-8 hardcoded application constant. An empty context
+ * defeats the domain separation §2.3 is designed to provide; reject it.
+ *
+ * Accepts a JS string (UTF-8 encoded here) or a Uint8Array (passed
+ * through). No upper cap on length.
+ */
+export declare function validateContext(context: string | Uint8Array): Uint8Array;
+/**
+ * BLAKE3 §2.6 XOF: default-length output is 32 bytes; the XOF can in principle
+ * produce up to 2^64 - 1 bytes. The one-shot path (BLAKE3.hash /
+ * BLAKE3KeyedHash.hash / BLAKE3DeriveKey.derive and the streaming
+ * finalize(outLen) counterparts) writes outLen bytes through a single
+ * WASM call sized by the OUTPUT_STAGING region, so the practical
+ * upper bound is `OUTPUT_STAGING_SIZE` (1024 bytes); larger consumers
+ * use `finalizeXof()` and stream from `BLAKE3OutputReader.read(n)`
+ * which squeezes 64 bytes at a time off the WASM-side root snapshot.
+ * This validator rejects nonsense (zero, negative, non-finite,
+ * non-integer); the one-shot wrappers enforce the per-call ceiling.
+ */
+export declare function validateOutputLen(outLen: number): void;

package/dist/blake3/validate.js

@@ -0,0 +1,80 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/blake3/validate.ts
+//
+// BLAKE3 caller-side input validation. Pure length / type checks, no
+// crypto. BLAKE3 is a hash family, not a signature scheme; rejected
+// inputs throw `RangeError` / `TypeError` (no `SigningError`).
+/**
+ * BLAKE3 §2.3 Modes: keyed_hash takes a 32-byte key. The key seeds the chunk
+ * machine in place of the BLAKE3 IV and every compress carries the
+ * KEYED_HASH flag. A key of any other length is a contract violation.
+ */
+export function validateKey(key) {
+    if (!(key instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: blake3 key must be a Uint8Array');
+    if (key.length !== 32)
+        throw new RangeError(`leviathan-crypto: blake3 key must be 32 bytes (got ${key.length})`);
+}
+/**
+ * BLAKE3 §2.3 Modes: derive_key takes a context string and produces a
+ * derived key. The context string is a domain separator and is
+ * conventionally a UTF-8 hardcoded application constant. An empty context
+ * defeats the domain separation §2.3 is designed to provide; reject it.
+ *
+ * Accepts a JS string (UTF-8 encoded here) or a Uint8Array (passed
+ * through). No upper cap on length.
+ */
+export function validateContext(context) {
+    let bytes;
+    if (typeof context === 'string') {
+        bytes = new TextEncoder().encode(context);
+    }
+    else if (context instanceof Uint8Array) {
+        bytes = context;
+    }
+    else {
+        throw new TypeError('leviathan-crypto: blake3 derive_key context must be a string or Uint8Array');
+    }
+    if (bytes.length === 0)
+        throw new RangeError('leviathan-crypto: blake3 derive_key context must be non-empty '
+            + '(empty context defeats §2.3 domain separation)');
+    return bytes;
+}
+/**
+ * BLAKE3 §2.6 XOF: default-length output is 32 bytes; the XOF can in principle
+ * produce up to 2^64 - 1 bytes. The one-shot path (BLAKE3.hash /
+ * BLAKE3KeyedHash.hash / BLAKE3DeriveKey.derive and the streaming
+ * finalize(outLen) counterparts) writes outLen bytes through a single
+ * WASM call sized by the OUTPUT_STAGING region, so the practical
+ * upper bound is `OUTPUT_STAGING_SIZE` (1024 bytes); larger consumers
+ * use `finalizeXof()` and stream from `BLAKE3OutputReader.read(n)`
+ * which squeezes 64 bytes at a time off the WASM-side root snapshot.
+ * This validator rejects nonsense (zero, negative, non-finite,
+ * non-integer); the one-shot wrappers enforce the per-call ceiling.
+ */
+export function validateOutputLen(outLen) {
+    if (typeof outLen !== 'number' || !Number.isFinite(outLen) || !Number.isInteger(outLen))
+        throw new RangeError(`leviathan-crypto: blake3 outLen must be a finite integer (got ${String(outLen)})`);
+    if (outLen < 1)
+        throw new RangeError(`leviathan-crypto: blake3 outLen must be >= 1 (got ${outLen})`);
+}

package/dist/chacha20/cipher-suite.d.ts

@@ -1,4 +1,14 @@
 import type { CipherSuite } from '../stream/types.js';
+/**
+ * `CipherSuite` implementation for the stream construction using XChaCha20-Poly1305.
+ *
+ * Each chunk is encrypted with ChaCha20-Poly1305 using a HChaCha20 subkey
+ * derived via HKDF-SHA-256 + HChaCha20. This is the recommended cipher suite
+ * for `SealStream` / `OpenStream` / `SealStreamPool`.
+ *
+ * Pass to `SealStream` / `OpenStream` / `SealStreamPool` instead of constructing
+ * this object directly. Use `XChaCha20Cipher.keygen()` to generate a 32-byte key.
+ */
 export declare const XChaCha20Cipher: CipherSuite & {
     keygen(): Uint8Array;
 };

package/dist/chacha20/cipher-suite.js

@@ -21,40 +21,101 @@
 //
 // src/ts/chacha20/cipher-suite.ts
 //
-// XChaCha20Cipher — CipherSuite implementation for the STREAM construction.
+// XChaCha20Cipher, CipherSuite implementation for the STREAM construction.
 // HKDF-SHA-256 key derivation → HChaCha20 subkey → ChaCha20-Poly1305 per chunk.
-import { getInstance } from '../init.js';
+import { getInstance, _assertNotOwned } from '../init.js';
 import { HKDF_SHA256 } from '../sha2/index.js';
 import { aeadEncrypt, aeadDecrypt, deriveSubkey } from './ops.js';
-import { wipe, randomBytes } from '../utils.js';
-const INFO = new TextEncoder().encode('xchacha20-sealstream-v2');
+import { wipe, randomBytes, concat } from '../utils.js';
+import { HEADER_SIZE } from '../stream/constants.js';
+import { WORKER_SOURCE } from '../embedded/chacha20-pool-worker.js';
+const INFO = new TextEncoder().encode('xchacha20-sealstream-v3');
+/** Returns the raw chacha20 WASM export object. @internal */
 function getExports() {
     return getInstance('chacha20').exports;
 }
+/**
+ * `CipherSuite` implementation for the stream construction using XChaCha20-Poly1305.
+ *
+ * Each chunk is encrypted with ChaCha20-Poly1305 using a HChaCha20 subkey
+ * derived via HKDF-SHA-256 + HChaCha20. This is the recommended cipher suite
+ * for `SealStream` / `OpenStream` / `SealStreamPool`.
+ *
+ * Pass to `SealStream` / `OpenStream` / `SealStreamPool` instead of constructing
+ * this object directly. Use `XChaCha20Cipher.keygen()` to generate a 32-byte key.
+ */
 export const XChaCha20Cipher = {
-    formatEnum: 0x01,
+    formatEnum: 0x03,
     formatName: 'xchacha20',
-    hkdfInfo: 'xchacha20-sealstream-v2',
+    hkdfInfo: 'xchacha20-sealstream-v3',
     keySize: 32,
     kemCtSize: 0,
+    commitmentSize: 32,
     tagSize: 16,
     padded: false,
     wasmChunkSize: 65536, // src/asm/chacha20/buffers.ts CHUNK_SIZE
     wasmModules: ['chacha20'],
+    /** Generate a random 32-byte master key suitable for use with `XChaCha20Cipher`. @returns 32 cryptographically random bytes */
     keygen() {
         return randomBytes(32);
     },
-    deriveKeys(masterKey, nonce, _kemCt) {
+    /**
+     * Derive a 32-byte HChaCha20 subkey and a 32-byte key commitment from
+     * `masterKey` and `nonce` via HKDF-SHA-256 followed by HChaCha20 subkey
+     * derivation. The full 20-byte preamble header is appended to the HKDF
+     * info string, binding `formatEnum`, framed flag, nonce, and chunkSize
+     * into the derived material, header tampering causes derived keys to
+     * differ and AEAD fails on the first chunk.
+     *
+     * The 64-byte HKDF output is split: bytes 0..32 feed HChaCha20 subkey
+     * derivation, bytes 32..64 are the key commitment that ends up in the
+     * preamble. Verifying the commitment before any chunk is processed
+     * closes the Invisible Salamanders attack surface, Poly1305 alone is
+     * not key-committing, so without this an adversary with control over
+     * two master keys could craft a single ciphertext + tag that decrypts
+     * validly under both.
+     *
+     * @param masterKey  32-byte master key
+     * @param nonce      Stream nonce (16 bytes, also used as HChaCha20 input)
+     * @param _kemCt     Unused for symmetric XChaCha20; KEM wrappers pass it through
+     * @param header     20-byte preamble header, required (throws otherwise)
+     * @returns          `DerivedKeys` holding the 32-byte HChaCha20 subkey and 32-byte commitment
+     */
+    deriveKeys(masterKey, nonce, _kemCt, header) {
+        if (!header || header.length !== HEADER_SIZE)
+            throw new Error(`XChaCha20Cipher.deriveKeys: header binding required (got ${header?.length ?? 'undefined'} bytes)`);
+        _assertNotOwned('chacha20');
         const hkdf = new HKDF_SHA256();
-        const streamKey = hkdf.derive(masterKey, nonce, INFO, 32);
-        hkdf.dispose();
-        // HChaCha20 subkey derivation — nonce[0:16] as XChaCha input
+        let okm;
+        try {
+            // INFO || header, binds formatEnum, framed flag, nonce, chunkSize into the KDF.
+            // Any header tampering produces different keys, AEAD fails on the first chunk.
+            const info = concat(INFO, header);
+            okm = hkdf.derive(masterKey, nonce, info, 64);
+        }
+        finally {
+            hkdf.dispose();
+        }
+        // Bytes 0..32: streamKey for HChaCha20 subkey derivation.
+        // Bytes 32..64: key commitment for the seal preamble.
+        const streamKey = okm.subarray(0, 32);
+        const commitment = okm.slice(32, 64); // independent backing, survives okm wipe
         const x = getExports();
         const subkey = deriveSubkey(x, streamKey, nonce);
-        wipe(streamKey);
-        return { bytes: subkey };
+        wipe(okm); // wipe both halves of okm; commitment is safe (independent backing)
+        return { bytes: subkey, commitment };
     },
+    /**
+     * Encrypt and authenticate one stream chunk with ChaCha20-Poly1305.
+     * Output: ciphertext || 16-byte Poly1305 tag.
+     * @param keys         Derived keys from `deriveKeys`
+     * @param counterNonce 12-byte per-chunk nonce (unique per chunk in the stream)
+     * @param chunk        Plaintext chunk
+     * @param aad          Optional additional authenticated data
+     * @returns            Authenticated ciphertext
+     */
     sealChunk(keys, counterNonce, chunk, aad) {
+        _assertNotOwned('chacha20');
         const x = getExports();
         const { ciphertext, tag } = aeadEncrypt(x, keys.bytes, counterNonce, chunk, aad ?? new Uint8Array(0));
         const out = new Uint8Array(ciphertext.length + 16);
@@ -62,7 +123,16 @@ export const XChaCha20Cipher = {
         out.set(tag, ciphertext.length);
         return out;
     },
+    /**
+     * Verify and decrypt one stream chunk. Throws `AuthenticationError` on tag mismatch.
+     * @param keys         Derived keys from `deriveKeys`
+     * @param counterNonce 12-byte per-chunk nonce, must match the value used by `sealChunk`
+     * @param chunk        Ciphertext || 16-byte Poly1305 tag
+     * @param aad          Optional additional authenticated data
+     * @returns            Plaintext
+     */
     openChunk(keys, counterNonce, chunk, aad) {
+        _assertNotOwned('chacha20');
         if (chunk.length < 16)
             throw new RangeError(`chunk too short for 16-byte tag (got ${chunk.length})`);
         const x = getExports();
@@ -70,10 +140,25 @@ export const XChaCha20Cipher = {
         const tag = chunk.subarray(chunk.length - 16);
         return aeadDecrypt(x, keys.bytes, counterNonce, ct, tag, aad ?? new Uint8Array(0), 'xchacha20-poly1305');
     },
+    /**
+     * Zero all derived key material in `keys`. Called by the stream layer on
+     * teardown and after auth failure.
+     * @param keys  Derived keys to wipe
+     */
     wipeKeys(keys) {
         wipe(keys.bytes);
     },
+    /**
+     * Spawn an XChaCha20 pool worker from the embedded IIFE bundle.
+     * The worker holds its own chacha20 WASM instance and derived subkey.
+     * @returns  Newly constructed `Worker` instance
+     */
     createPoolWorker() {
-        return new Worker(new URL('./pool-worker.js', import.meta.url), { type: 'module' });
+        // See docs/architecture.md#pool-worker-spawn-pattern.
+        const blob = new Blob([WORKER_SOURCE], { type: 'application/javascript' });
+        const url = URL.createObjectURL(blob);
+        const w = new Worker(url);
+        setTimeout(() => URL.revokeObjectURL(url), 0);
+        return w;
     },
 };

package/dist/chacha20/generator.d.ts

@@ -0,0 +1,12 @@
+import type { Generator } from '../types.js';
+/**
+ * ChaCha20 counter-mode PRF for Fortuna's generator slot.
+ *
+ * The 32-bit counter is read from `counter` as a little-endian u32. Each call
+ * to `generate()` encrypts zero blocks to produce keystream output (RFC 8439 §2.3).
+ * The nonce is fixed to zero, Fortuna's counter is the only varying input.
+ *
+ * Pass to `Fortuna.create({ generator: ChaCha20Generator, ... })`, do not
+ * call `generate()` directly outside of Fortuna.
+ */
+export declare const ChaCha20Generator: Generator;

package/dist/chacha20/generator.js

@@ -0,0 +1,91 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/chacha20/generator.ts
+//
+// RFC 8439 §2.3, ChaCha20 block function as PRF
+// ChaCha20 counter-mode PRF for Fortuna's generator slot.
+//
+// Counter is treated as a 32-bit LE integer. Fortuna's 4-byte genCnt provides
+// 2^32 blocks × 64 bytes = 256 GiB of output between reseeds.
+import { _assertNotOwned, getInstance } from '../init.js';
+/**
+ * ChaCha20 counter-mode PRF for Fortuna's generator slot.
+ *
+ * The 32-bit counter is read from `counter` as a little-endian u32. Each call
+ * to `generate()` encrypts zero blocks to produce keystream output (RFC 8439 §2.3).
+ * The nonce is fixed to zero, Fortuna's counter is the only varying input.
+ *
+ * Pass to `Fortuna.create({ generator: ChaCha20Generator, ... })`, do not
+ * call `generate()` directly outside of Fortuna.
+ */
+export const ChaCha20Generator = {
+    keySize: 32,
+    blockSize: 64,
+    counterSize: 4,
+    wasmModules: ['chacha20'],
+    /**
+     * Generate `n` pseudorandom bytes using ChaCha20 with a zero nonce.
+     * @param key      32-byte ChaCha20 key
+     * @param counter  4-byte counter (little-endian u32)
+     * @param n        Number of bytes to generate (0 ≤ n ≤ 2^30)
+     * @returns        `n` pseudorandom bytes
+     */
+    generate(key, counter, n) {
+        _assertNotOwned('chacha20');
+        if (key.length !== 32)
+            throw new RangeError(`ChaCha20Generator: key must be 32 bytes (got ${key.length})`);
+        if (counter.length !== 4)
+            throw new RangeError(`ChaCha20Generator: counter must be 4 bytes (got ${counter.length})`);
+        if (!Number.isSafeInteger(n) || n < 0 || n > 2 ** 30)
+            throw new RangeError(`ChaCha20Generator: n must be a non-negative safe integer <= 2^30 (got ${n})`);
+        const x = getInstance('chacha20').exports;
+        const c = new DataView(counter.buffer, counter.byteOffset, 4).getUint32(0, true);
+        const mem = new Uint8Array(x.memory.buffer);
+        try {
+            mem.set(key, x.getKeyOffset());
+            // Fixed zero nonce, Fortuna's counter is the only varying input
+            mem.fill(0, x.getChachaNonceOffset(), x.getChachaNonceOffset() + 12);
+            x.chachaSetCounter(c);
+            x.chachaLoadKey();
+            const output = new Uint8Array(n);
+            let remaining = n;
+            let outPos = 0;
+            const maxChunk = x.getChunkSize();
+            const ptOff = x.getChunkPtOffset();
+            const ctOff = x.getChunkCtOffset();
+            while (remaining > 0) {
+                const chunkLen = Math.min(remaining, maxChunk);
+                mem.fill(0, ptOff, ptOff + chunkLen);
+                x.chachaEncryptChunk_simd(chunkLen);
+                output.set(mem.subarray(ctOff, ctOff + chunkLen), outPos);
+                outPos += chunkLen;
+                remaining -= chunkLen;
+            }
+            return output;
+        }
+        finally {
+            // Wipe the WASM key/state/keystream scratch so secret-derived bytes
+            // do not outlive this call in the shared chacha20 linear memory.
+            x.wipeBuffers();
+        }
+    },
+};