leviathan-crypto 2.1.0 → 3.0.0

package/dist/{kyber → mlkem}/suite.js

@@ -19,9 +19,9 @@
 //   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
 //                           ▀█████▀▀
 //
-// src/ts/kyber/suite.ts
+// src/ts/mlkem/suite.ts
 //
-// KyberSuite — wraps a MlKemBase + inner CipherSuite into a unified CipherSuite.
+// MlKemSuite, wraps a MlKemBase + inner CipherSuite into a unified CipherSuite.
 // Provides hybrid KEM + symmetric AEAD for use with SealStream / OpenStream / Seal.
 import { concat } from '../utils.js';
 import { HKDF_SHA256 } from '../sha2/index.js';
@@ -36,7 +36,7 @@ const KEM_LABEL = {
     3: 'mlkem768',
     4: 'mlkem1024',
 };
-export function KyberSuite(kem, inner) {
+export function MlKemSuite(kem, inner) {
     const p = kem.params;
     const kemNibble = KEM_NIBBLE[p.k];
     if (!kemNibble)
@@ -50,23 +50,24 @@ export function KyberSuite(kem, inner) {
         keySize: p.ekBytes,
         decKeySize: p.dkBytes,
         kemCtSize: p.ctBytes,
+        commitmentSize: inner.commitmentSize,
         tagSize: inner.tagSize,
         padded: inner.padded,
         wasmChunkSize: inner.wasmChunkSize,
-        wasmModules: [...inner.wasmModules, 'kyber', 'sha3'],
-        deriveKeys(key, nonce, kemCt) {
+        wasmModules: [...inner.wasmModules, 'mlkem', 'sha3'],
+        deriveKeys(key, nonce, kemCt, header) {
             let sharedSecret;
             let outKemCt;
             let ctForInfo;
             if (kemCt === undefined) {
-                // encrypt path: key = ek — encapsulate to produce shared secret + ct
+                // encrypt path: key = ek, encapsulate to produce shared secret + ct
                 const result = kem.encapsulate(key);
                 sharedSecret = result.sharedSecret;
                 outKemCt = result.ciphertext;
                 ctForInfo = outKemCt;
             }
             else {
-                // decrypt path: key = dk — decapsulate to recover shared secret
+                // decrypt path: key = dk, decapsulate to recover shared secret
                 sharedSecret = kem.decapsulate(key, kemCt);
                 ctForInfo = kemCt;
             }
@@ -76,12 +77,16 @@ export function KyberSuite(kem, inner) {
             const derived = hkdf.derive(sharedSecret, nonce, info, inner.keySize);
             hkdf.dispose();
             sharedSecret.fill(0);
-            // Delegate actual per-cipher key derivation to the inner suite
-            const innerKeys = inner.deriveKeys(derived, nonce);
+            // Delegate actual per-cipher key derivation to the inner suite.
+            // Header is forwarded so XChaCha20's deriveKeys can bind it into
+            // HKDF info; SerpentCipher accepts and ignores it.
+            const innerKeys = inner.deriveKeys(derived, nonce, undefined, header);
             derived.fill(0);
-            return outKemCt
-                ? { bytes: innerKeys.bytes, kemCiphertext: outKemCt }
-                : innerKeys;
+            if (!outKemCt)
+                return innerKeys;
+            return innerKeys.commitment
+                ? { bytes: innerKeys.bytes, kemCiphertext: outKemCt, commitment: innerKeys.commitment }
+                : { bytes: innerKeys.bytes, kemCiphertext: outKemCt };
         },
         sealChunk: inner.sealChunk.bind(inner),
         openChunk: inner.openChunk.bind(inner),

package/dist/{kyber → mlkem}/types.d.ts

@@ -1,4 +1,4 @@
-export interface KyberExports {
+export interface MlKemExports {
     memory: WebAssembly.Memory;
     getModuleId: () => number;
     getMemoryPages: () => number;
@@ -89,11 +89,11 @@ export interface Sha3Exports {
     shakeSqueezeBlock: () => void;
     wipeBuffers: () => void;
 }
-export interface KyberKeyPair {
+export interface MlKemKeyPair {
     encapsulationKey: Uint8Array;
     decapsulationKey: Uint8Array;
 }
-export interface KyberEncapsulation {
+export interface MlKemEncapsulation {
     ciphertext: Uint8Array;
     sharedSecret: Uint8Array;
 }

package/dist/{kyber → mlkem}/types.js

@@ -19,7 +19,7 @@
 //   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
 //                           ▀█████▀▀
 //
-// src/ts/kyber/types.ts
+// src/ts/mlkem/types.ts
 //
 // ML-KEM type definitions: WASM export interfaces and KEM API types.
 export {};

package/dist/{kyber → mlkem}/validate.d.ts

@@ -1,23 +1,23 @@
-import type { KyberExports, Sha3Exports } from './types.js';
-import type { KyberParams } from './params.js';
+import type { MlKemExports, Sha3Exports } from './types.js';
+import type { MlKemParams } from './params.js';
 /**
- * Encapsulation key check — FIPS 203 §7.2 (EncapsulationKeyCheck).
+ * Encapsulation key check, FIPS 203 §7.2 (EncapsulationKeyCheck).
  *
  * 1. Length gate: ek.length must equal params.ekBytes.
  * 2. Decode the polyvec portion via ByteDecode₁₂ (polyvec_frombytes). The
- *    decoded coefficients are raw 12-bit values in [0, 4095] — frombytes
+ *    decoded coefficients are raw 12-bit values in [0, 4095], frombytes
  *    does not reduce mod q.
  * 3. Modulus scan: every coefficient must satisfy c < Q = 3329.
  *
  * Returns true iff both gates pass. The seed ρ (final 32 bytes of ek) is
  * not checked; any 32-byte value is a valid ρ per FIPS 203.
  */
-export declare function checkEncapsulationKey(kx: KyberExports, params: KyberParams, ek: Uint8Array): boolean;
+export declare function checkEncapsulationKey(kx: MlKemExports, params: MlKemParams, ek: Uint8Array): boolean;
 /**
- * Decapsulation key check — FIPS 203 §7.3 (DecapsulationKeyCheck).
+ * Decapsulation key check, FIPS 203 §7.3 (DecapsulationKeyCheck).
  *
  * 1. Length check: dk.length == params.dkBytes
  * 2. Extract embedded ek and H(ek), verify SHA3-256(ek) matches stored H
  * 3. Also run checkEncapsulationKey on the embedded ek
  */
-export declare function checkDecapsulationKey(kx: KyberExports, sx: Sha3Exports, params: KyberParams, dk: Uint8Array): boolean;
+export declare function checkDecapsulationKey(kx: MlKemExports, sx: Sha3Exports, params: MlKemParams, dk: Uint8Array): boolean;

package/dist/{kyber → mlkem}/validate.js

@@ -19,17 +19,17 @@
 //   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
 //                           ▀█████▀▀
 //
-// src/ts/kyber/validate.ts
+// src/ts/mlkem/validate.ts
 //
-// ML-KEM key validation — FIPS 203 §7.2 and §7.3.
+// ML-KEM key validation, FIPS 203 §7.2 and §7.3.
 import { sha3_256Hash } from './indcpa.js';
 import { constantTimeEqual } from '../utils.js';
 /**
- * Encapsulation key check — FIPS 203 §7.2 (EncapsulationKeyCheck).
+ * Encapsulation key check, FIPS 203 §7.2 (EncapsulationKeyCheck).
  *
  * 1. Length gate: ek.length must equal params.ekBytes.
  * 2. Decode the polyvec portion via ByteDecode₁₂ (polyvec_frombytes). The
- *    decoded coefficients are raw 12-bit values in [0, 4095] — frombytes
+ *    decoded coefficients are raw 12-bit values in [0, 4095], frombytes
  *    does not reduce mod q.
  * 3. Modulus scan: every coefficient must satisfy c < Q = 3329.
  *
@@ -40,15 +40,15 @@ export function checkEncapsulationKey(kx, params, ek) {
     if (ek.length !== params.ekBytes)
         return false;
     const { k } = params;
-    const kyberMem = new Uint8Array(kx.memory.buffer);
+    const mlkemMem = new Uint8Array(kx.memory.buffer);
     const pkOff = kx.getPkOffset();
     const pvecOff = kx.getPolyvecSlot0();
-    kyberMem.set(ek.subarray(0, k * 384), pkOff);
+    mlkemMem.set(ek.subarray(0, k * 384), pkOff);
     kx.polyvec_frombytes(pvecOff, pkOff, k);
     return kx.polyvec_modulus_check(pvecOff, k) === 0;
 }
 /**
- * Decapsulation key check — FIPS 203 §7.3 (DecapsulationKeyCheck).
+ * Decapsulation key check, FIPS 203 §7.3 (DecapsulationKeyCheck).
  *
  * 1. Length check: dk.length == params.dkBytes
  * 2. Extract embedded ek and H(ek), verify SHA3-256(ek) matches stored H

package/dist/ratchet/index.d.ts

@@ -3,4 +3,6 @@ export { ratchetInit, kemRatchetEncap, kemRatchetDecap } from './root-kdf.js';
 export { SkippedKeyStore } from './skipped-key-store.js';
 export { RatchetKeypair } from './ratchet-keypair.js';
 export type { RatchetInitResult, KemEncapResult, KemDecapResult, MlKemLike, RatchetMessageHeader, ResolveHandle, SkippedKeyStoreOpts, } from './types.js';
+import { isInitialized } from '../init.js';
+export { isInitialized };
 export declare function ratchetReady(): boolean;

package/dist/ratchet/index.js

@@ -27,6 +27,7 @@ export { ratchetInit, kemRatchetEncap, kemRatchetDecap } from './root-kdf.js';
 export { SkippedKeyStore } from './skipped-key-store.js';
 export { RatchetKeypair } from './ratchet-keypair.js';
 import { isInitialized } from '../init.js';
+export { isInitialized };
 export function ratchetReady() {
     try {
         return isInitialized('sha2');

package/dist/ratchet/kdf-chain.js

@@ -21,12 +21,12 @@
 //
 // src/ts/ratchet/kdf-chain.ts
 //
-// KDFChain — stateful symmetric ratchet chain step (spec §5.2, KDF_SCKA_CK).
+// KDFChain, stateful symmetric ratchet chain step (spec §5.2, KDF_SCKA_CK).
 // Each step derives a message key and advances the chain key via HKDF-SHA-256.
 import { HKDF_SHA256 } from '../sha2/index.js';
 import { isInitialized } from '../init.js';
 import { wipe, concat, utf8ToBytes } from '../utils.js';
-// Signal Double Ratchet §7.2 — chain step info string
+// Signal Double Ratchet §7.2, chain step info string
 const INFO_CHAIN_BYTES = utf8ToBytes('leviathan-ratchet-v1 Chain Step');
 const ZERO_SALT = new Uint8Array(32);
 export class KDFChain {
@@ -48,7 +48,7 @@ export class KDFChain {
         if (this._n >= Number.MAX_SAFE_INTEGER)
             throw new RangeError('KDFChain: counter exceeds maximum safe integer');
         const nextN = this._n + 1;
-        // Encode counter as big-endian uint64 — two u32 calls, no BigInt
+        // Encode counter as big-endian uint64, two u32 calls, no BigInt
         const ctrBuf = new Uint8Array(8);
         const dv = new DataView(ctrBuf.buffer);
         dv.setUint32(0, Math.floor(nextN / 0x100000000), false);

package/dist/ratchet/ratchet-keypair.js

@@ -21,7 +21,7 @@
 //
 // src/ts/ratchet/ratchet-keypair.ts
 //
-// RatchetKeypair — single-use ek/dk lifecycle for one KEM ratchet step.
+// RatchetKeypair, single-use ek/dk lifecycle for one KEM ratchet step.
 // Enforces the DR spec requirement that both parties rotate encapsulation
 // keys after each KEM ratchet step.
 import { wipe } from '../utils.js';
@@ -37,7 +37,7 @@ export class RatchetKeypair {
         this._used = false;
     }
     // Decapsulate using the stored dk. May only be called once per instance.
-    // Wipes the dk immediately after decap — the dk never leaves this class.
+    // Wipes the dk immediately after decap, the dk never leaves this class.
     // The stored ek is passed as `ownEk` so both sides bind the identical
     // (peerEk, kemCt) pair into the HKDF info string.
     decap(kem, rk, kemCt, context) {

package/dist/ratchet/root-kdf.js

@@ -26,7 +26,7 @@
 import { HKDF_SHA256 } from '../sha2/index.js';
 import { isInitialized } from '../init.js';
 import { wipe, concat, utf8ToBytes } from '../utils.js';
-// Signal Double Ratchet §7.2 — info strings
+// Signal Double Ratchet §7.2, info strings
 const INFO_INIT = utf8ToBytes('leviathan-ratchet-v1 Chain Start');
 const INFO_ROOT = utf8ToBytes('leviathan-ratchet-v1 Chain Add Epoch');
 // INFO_CHAIN ('leviathan-ratchet-v1 Chain Step') is used in kdf-chain.ts
@@ -52,7 +52,7 @@ function kdfRoot(secret, salt, info) {
         h.dispose();
     }
 }
-// u32 big-endian length prefix — same convention as serpent/cipher-suite.ts AAD encoding.
+// u32 big-endian length prefix, same convention as serpent/cipher-suite.ts AAD encoding.
 function u32be(n) {
     if (!Number.isInteger(n) || n < 0 || n > 0xFFFFFFFF)
         throw new RangeError(`u32be: n must be an integer in [0, 0xFFFFFFFF] (got ${n})`);
@@ -60,7 +60,7 @@ function u32be(n) {
     new DataView(b.buffer).setUint32(0, n, false);
     return b;
 }
-// KEM ratchet info — binds peerEk, kemCt, and context with u32be length prefixes.
+// KEM ratchet info, binds peerEk, kemCt, and context with u32be length prefixes.
 // Defense-in-depth: the HKDF output is tied to the exact (peerEk, kemCt, context)
 // tuple used, not just the KEM shared secret. An attacker who substitutes any of
 // these inputs derives a different chain key trio, regardless of the KEM transcript.
@@ -68,7 +68,7 @@ function buildRootInfo(peerEk, kemCt, context) {
     const ctxBytes = context ?? new Uint8Array(0);
     return concat(INFO_ROOT, u32be(peerEk.length), peerEk, u32be(kemCt.length), kemCt, u32be(ctxBytes.length), ctxBytes);
 }
-// KDF_SCKA_INIT — spec §7.2
+// KDF_SCKA_INIT, spec §7.2
 // Derives initial root key, send chain key, and receive chain key from a
 // shared secret sk. Optional context bytes are appended to the info string.
 export function ratchetInit(sk, context) {
@@ -80,7 +80,7 @@ export function ratchetInit(sk, context) {
     const { nextRootKey, sendChainKey, recvChainKey } = kdfRoot(sk, ZERO_SALT, info);
     return { nextRootKey, sendChainKey, recvChainKey };
 }
-// KDF_SCKA_RK — encapsulation side (spec §7.2)
+// KDF_SCKA_RK, encapsulation side (spec §7.2)
 // Generates a fresh KEM ciphertext, derives next epoch keys from the shared secret.
 // `peerEk` and `kemCt` are bound into the HKDF info string (defense-in-depth).
 export function kemRatchetEncap(kem, rk, peerEk, context) {
@@ -98,11 +98,11 @@ export function kemRatchetEncap(kem, rk, peerEk, context) {
         wipe(sharedSecret);
     }
 }
-// KDF_SCKA_RK — decapsulation side (spec §7.2)
+// KDF_SCKA_RK, decapsulation side (spec §7.2)
 // Recovers the shared secret from the KEM ciphertext, derives next epoch keys.
 // The chain key slots are swapped relative to the encap side: what the KDF
 // labels 'sendChainKey' (A→B direction) becomes the decap side's recvChainKey,
-// and vice versa — Alice's send IS Bob's receive.
+// and vice versa, Alice's send IS Bob's receive.
 //
 // `ownEk` is the local party's encapsulation key (the same public key the
 // encap side targeted as `peerEk`). It must be passed explicitly so both

package/dist/ratchet/skipped-key-store.js

@@ -21,7 +21,7 @@
 //
 // src/ts/ratchet/skipped-key-store.ts
 //
-// SkippedKeyStore — MKSKIPPED cache for a single KDFChain (DR spec §3.2/§3.5).
+// SkippedKeyStore, MKSKIPPED cache for a single KDFChain (DR spec §3.2/§3.5).
 // Manages out-of-order and skipped message key storage with transactional
 // resolve via ResolveHandle. Split budgets: maxCacheSize bounds memory;
 // maxSkipPerResolve bounds per-message HKDF work (DoS mitigation).
@@ -46,7 +46,7 @@ export class SkippedKeyStore {
         this._maxCacheSize = cache;
         this._maxSkipPerResolve = skip;
     }
-    // O(1) eviction — Map iteration is insertion order, and keys are inserted
+    // O(1) eviction, Map iteration is insertion order, and keys are inserted
     // in strictly increasing counter order, so the first key yielded IS the
     // oldest (lowest counter).
     _evictOldest() {
@@ -59,8 +59,8 @@ export class SkippedKeyStore {
         this._store.delete(oldest);
     }
     // Resolve a message key for the given counter. Returns a ResolveHandle the
-    // caller settles via commit() (success — key wiped) or rollback()
-    // (failure — key returned to the store so a later legitimate message at
+    // caller settles via commit() (success, key wiped) or rollback()
+    // (failure, key returned to the store so a later legitimate message at
     // the same counter can still decrypt).
     //
     // Three paths based on counter vs chain.n:

package/dist/ratchet/types.d.ts

@@ -1,4 +1,4 @@
-export type { MlKemLike } from '../kyber/suite.js';
+export type { MlKemLike } from '../mlkem/suite.js';
 export interface RatchetInitResult {
     readonly nextRootKey: Uint8Array;
     readonly sendChainKey: Uint8Array;

package/dist/serpent/cipher-suite.js

@@ -21,16 +21,21 @@
 //
 // src/ts/serpent/cipher-suite.ts
 //
-// SerpentCipher — CipherSuite implementation for the STREAM construction.
+// SerpentCipher, CipherSuite implementation for the STREAM construction.
 // 3-key HKDF derivation, HMAC-derived CBC IV, Serpent-CBC + HMAC-SHA-256.
 // Verify-then-decrypt ordering prevents padding oracle attacks (Vaudenay 2002).
+//
+// Salamander immunity: HMAC-SHA-256 is key-committing under SHA-256 collision
+// resistance, so Serpent suites need no separate commitment in the preamble
+// (commitmentSize: 0). Two distinct master keys cannot produce a tag that
+// validates under both for the same chunk.
 import { HKDF_SHA256 } from '../sha2/index.js';
 import { constantTimeEqual, wipe, concat, randomBytes } from '../utils.js';
 import { AuthenticationError } from '../errors.js';
 import { getInstance, _assertNotOwned } from '../init.js';
 import { hmacSha256, cbcEncryptChunk, cbcDecryptChunk, } from './shared-ops.js';
 import { WORKER_SOURCE } from '../embedded/serpent-pool-worker.js';
-const INFO = new TextEncoder().encode('serpent-sealstream-v2');
+const INFO = new TextEncoder().encode('serpent-sealstream-v3');
 /**
  * `CipherSuite` implementation for the stream construction using Serpent-256.
  *
@@ -44,9 +49,10 @@ const INFO = new TextEncoder().encode('serpent-sealstream-v2');
 export const SerpentCipher = {
     formatEnum: 0x02,
     formatName: 'serpent',
-    hkdfInfo: 'serpent-sealstream-v2',
+    hkdfInfo: 'serpent-sealstream-v3',
     keySize: 32,
     kemCtSize: 0,
+    commitmentSize: 0,
     tagSize: 32,
     padded: true,
     wasmChunkSize: 65552, // src/asm/serpent/buffers.ts CHUNK_SIZE (65536 + 16 PKCS7 max overhead)
@@ -62,10 +68,15 @@ export const SerpentCipher = {
      * @param nonce      Stream nonce (16 bytes minimum)
      * @returns          `DerivedKeys` holding the 96-byte material
      */
-    deriveKeys(masterKey, nonce, _kemCt) {
+    deriveKeys(masterKey, nonce, _kemCt, _header) {
         const hkdf = new HKDF_SHA256();
-        const derived = hkdf.derive(masterKey, nonce, INFO, 96);
-        hkdf.dispose();
+        let derived;
+        try {
+            derived = hkdf.derive(masterKey, nonce, INFO, 96);
+        }
+        finally {
+            hkdf.dispose();
+        }
         // bytes[0:32]=enc_key, bytes[32:64]=mac_key, bytes[64:96]=iv_key
         return { bytes: derived };
     },
@@ -113,7 +124,7 @@ export const SerpentCipher = {
                 wipe(iv);
             if (tagInput)
                 wipe(tagInput);
-            // No hmac/cbc instance to dispose — shared-ops functions are instance-free.
+            // No hmac/cbc instance to dispose, shared-ops functions are instance-free.
         }
     },
     /**
@@ -121,7 +132,7 @@ export const SerpentCipher = {
      * to prevent padding oracle attacks (Vaudenay 2002). Throws
      * `AuthenticationError` on tag mismatch.
      * @param keys         Derived keys from `deriveKeys`
-     * @param counterNonce Per-chunk nonce — must match the value used by `sealChunk`
+     * @param counterNonce Per-chunk nonce, must match the value used by `sealChunk`
      * @param chunk        Ciphertext || 32-byte HMAC tag
      * @param aad          Optional additional authenticated data
      * @returns            Plaintext with PKCS7 padding removed
@@ -189,18 +200,10 @@ export const SerpentCipher = {
      * @returns  Newly constructed `Worker` instance
      */
     createPoolWorker() {
-        // IIFE source is bundled at lib build time (scripts/embed-workers.ts).
-        // Avoids the syntactic `new Worker(new URL(..., import.meta.url))`
-        // pattern that triggers eager worker-chunk emission in Vite's
-        // transform hook (issue.md). Classic worker via blob URL —
-        // module workers fail on file:// in Chromium (issue2.md).
+        // See docs/architecture.md#pool-worker-spawn-pattern.
         const blob = new Blob([WORKER_SOURCE], { type: 'application/javascript' });
         const url = URL.createObjectURL(blob);
         const w = new Worker(url);
-        // Worker spec fetches the URL synchronously at construction. Revoke
-        // in a macrotask so the spawn completes first; releases the Blob
-        // (~5 KB per spawn × N workers) instead of leaking it for the
-        // document's lifetime.
         setTimeout(() => URL.revokeObjectURL(url), 0);
         return w;
     },

package/dist/serpent/generator.d.ts

@@ -6,7 +6,7 @@ import type { Generator } from '../types.js';
  * one block of pseudorandom output. Practical Cryptography (Ferguson &
  * Schneier, 2003) §9.4.
  *
- * Pass to `Fortuna.create({ generator: SerpentGenerator, ... })` — do not
+ * Pass to `Fortuna.create({ generator: SerpentGenerator, ... })`, do not
  * call `generate()` directly outside of Fortuna.
  */
 export declare const SerpentGenerator: Generator;

package/dist/serpent/generator.js

@@ -21,7 +21,7 @@
 //
 // src/ts/serpent/generator.ts
 //
-// Practical Cryptography (Ferguson & Schneier, 2003) §9.4 — generator
+// Practical Cryptography (Ferguson & Schneier, 2003) §9.4, generator
 // Serpent-256 ECB counter-mode PRF for Fortuna's generator slot.
 import { _assertNotOwned, getInstance } from '../init.js';
 import { wipe } from '../utils.js';
@@ -32,7 +32,7 @@ import { wipe } from '../utils.js';
  * one block of pseudorandom output. Practical Cryptography (Ferguson &
  * Schneier, 2003) §9.4.
  *
- * Pass to `Fortuna.create({ generator: SerpentGenerator, ... })` — do not
+ * Pass to `Fortuna.create({ generator: SerpentGenerator, ... })`, do not
  * call `generate()` directly outside of Fortuna.
  */
 export const SerpentGenerator = {

package/dist/serpent/index.d.ts

@@ -2,13 +2,14 @@ import type { WasmSource } from '../wasm-source.js';
 /**
  * Load and initialise the Serpent WASM module from `source`.
  * Must be called before constructing any Serpent class.
- * @param source  WASM binary — gzip+base64 string, URL, ArrayBuffer, Uint8Array,
+ * @param source  WASM binary, gzip+base64 string, URL, ArrayBuffer, Uint8Array,
  *                pre-compiled WebAssembly.Module, Response, or Promise<Response>
  */
 export declare function serpentInit(source: WasmSource): Promise<void>;
 export type { WasmSource };
+export { isInitialized } from '../init.js';
 /**
- * Low-level Serpent-256 block cipher — raw ECB encrypt/decrypt.
+ * Low-level Serpent-256 block cipher, raw ECB encrypt/decrypt.
  *
  * Atomic (stateless) class: each method call is independent.
  * Does not hold exclusive module access; cannot be used while a stateful
@@ -63,23 +64,23 @@ export declare class SerpentCtr {
      * Load key and nonce into WASM state and reset the block counter to 0.
      * Must be called before each message.
      * @param key    16, 24, or 32 bytes
-     * @param nonce  16 bytes — must be unique per (key, message)
+     * @param nonce  16 bytes, must be unique per (key, message)
      */
     beginEncrypt(key: Uint8Array, nonce: Uint8Array): void;
     /**
      * XOR `chunk` with the next keystream block(s). Counter advances automatically.
-     * @param chunk  Plaintext chunk — must not exceed WASM CHUNK_SIZE
+     * @param chunk  Plaintext chunk, must not exceed WASM CHUNK_SIZE
      * @returns      Ciphertext of the same length
      */
     encryptChunk(chunk: Uint8Array): Uint8Array;
     /**
-     * Alias for `beginEncrypt` — CTR mode is symmetric.
+     * Alias for `beginEncrypt`, CTR mode is symmetric.
      * @param key    16, 24, or 32 bytes
-     * @param nonce  16 bytes — must match the value used to encrypt
+     * @param nonce  16 bytes, must match the value used to encrypt
      */
     beginDecrypt(key: Uint8Array, nonce: Uint8Array): void;
     /**
-     * Alias for `encryptChunk` — CTR mode is symmetric.
+     * Alias for `encryptChunk`, CTR mode is symmetric.
      * @param chunk  Ciphertext chunk
      * @returns      Plaintext of the same length
      */

package/dist/serpent/index.js

@@ -22,24 +22,25 @@
 // src/ts/serpent/index.ts
 //
 // Public API classes for the Serpent-256 WASM module.
-// Uses the init() module cache — call serpentInit(source) before constructing.
+// Uses the init() module cache, call serpentInit(source) before constructing.
 import { getInstance, initModule, _acquireModule, _releaseModule, _assertNotOwned } from '../init.js';
 /**
  * Load and initialise the Serpent WASM module from `source`.
  * Must be called before constructing any Serpent class.
- * @param source  WASM binary — gzip+base64 string, URL, ArrayBuffer, Uint8Array,
+ * @param source  WASM binary, gzip+base64 string, URL, ArrayBuffer, Uint8Array,
  *                pre-compiled WebAssembly.Module, Response, or Promise<Response>
  */
 export async function serpentInit(source) {
     return initModule('serpent', source);
 }
+export { isInitialized } from '../init.js';
 /** Returns the raw serpent WASM export object. @internal */
 function getExports() {
     return getInstance('serpent').exports;
 }
 // ── Serpent ─────────────────────────────────────────────────────────────────
 /**
- * Low-level Serpent-256 block cipher — raw ECB encrypt/decrypt.
+ * Low-level Serpent-256 block cipher, raw ECB encrypt/decrypt.
  *
  * Atomic (stateless) class: each method call is independent.
  * Does not hold exclusive module access; cannot be used while a stateful
@@ -62,8 +63,10 @@ export class Serpent {
             throw new RangeError(`key must be 16, 24, or 32 bytes (got ${key.length})`);
         const mem = new Uint8Array(this.x.memory.buffer);
         mem.set(key, this.x.getKeyOffset());
-        if (this.x.loadKey(key.length) !== 0)
+        if (this.x.loadKey(key.length) !== 0) {
+            this.x.wipeBuffers();
             throw new Error('loadKey failed');
+        }
     }
     /**
      * Encrypt one 128-bit block with the previously loaded key schedule.
@@ -123,7 +126,7 @@ export class SerpentCtr {
     _tok;
     constructor(opts) {
         if (!opts?.dangerUnauthenticated) {
-            throw new Error('leviathan-crypto: SerpentCtr is unauthenticated — use Seal with SerpentCipher instead. ' +
+            throw new Error('leviathan-crypto: SerpentCtr is unauthenticated, use Seal with SerpentCipher instead. ' +
                 'To use SerpentCtr directly, pass { dangerUnauthenticated: true }.');
         }
         this.x = getExports();
@@ -133,7 +136,7 @@ export class SerpentCtr {
      * Load key and nonce into WASM state and reset the block counter to 0.
      * Must be called before each message.
      * @param key    16, 24, or 32 bytes
-     * @param nonce  16 bytes — must be unique per (key, message)
+     * @param nonce  16 bytes, must be unique per (key, message)
      */
     beginEncrypt(key, nonce) {
         if (this._tok === undefined)
@@ -145,12 +148,15 @@ export class SerpentCtr {
         const mem = new Uint8Array(this.x.memory.buffer);
         mem.set(key, this.x.getKeyOffset());
         mem.set(nonce, this.x.getNonceOffset());
-        this.x.loadKey(key.length);
+        if (this.x.loadKey(key.length) !== 0) {
+            this.x.wipeBuffers();
+            throw new Error('SerpentCtr: loadKey failed');
+        }
         this.x.resetCounter();
     }
     /**
      * XOR `chunk` with the next keystream block(s). Counter advances automatically.
-     * @param chunk  Plaintext chunk — must not exceed WASM CHUNK_SIZE
+     * @param chunk  Plaintext chunk, must not exceed WASM CHUNK_SIZE
      * @returns      Ciphertext of the same length
      */
     encryptChunk(chunk) {
@@ -158,7 +164,7 @@ export class SerpentCtr {
             throw new Error('SerpentCtr: instance has been disposed');
         const maxChunk = this.x.getChunkSize();
         if (chunk.length > maxChunk)
-            throw new RangeError(`chunk exceeds maximum size of ${maxChunk} bytes — split into smaller chunks`);
+            throw new RangeError(`chunk exceeds maximum size of ${maxChunk} bytes, split into smaller chunks`);
         const mem = new Uint8Array(this.x.memory.buffer);
         const ptOff = this.x.getChunkPtOffset();
         const ctOff = this.x.getChunkCtOffset();
@@ -167,15 +173,15 @@ export class SerpentCtr {
         return mem.slice(ctOff, ctOff + chunk.length);
     }
     /**
-     * Alias for `beginEncrypt` — CTR mode is symmetric.
+     * Alias for `beginEncrypt`, CTR mode is symmetric.
      * @param key    16, 24, or 32 bytes
-     * @param nonce  16 bytes — must match the value used to encrypt
+     * @param nonce  16 bytes, must match the value used to encrypt
      */
     beginDecrypt(key, nonce) {
         this.beginEncrypt(key, nonce);
     }
     /**
-     * Alias for `encryptChunk` — CTR mode is symmetric.
+     * Alias for `encryptChunk`, CTR mode is symmetric.
      * @param chunk  Ciphertext chunk
      * @returns      Plaintext of the same length
      */
@@ -202,18 +208,3 @@ export { AuthenticationError } from '../errors.js';
 export { SerpentCipher } from './cipher-suite.js';
 // ── SerpentGenerator ────────────────────────────────────────────────────────
 export { SerpentGenerator } from './generator.js';
-// ── Ready check ─────────────────────────────────────────────────────────────
-/**
- * Returns `true` if the serpent WASM module has been initialised.
- * Used by tests and internal guards; not part of the public API.
- * @internal
- */
-export function _serpentReady() {
-    try {
-        getInstance('serpent');
-        return true;
-    }
-    catch {
-        return false;
-    }
-}