leviathan-crypto 2.1.0 → 3.0.0

package/dist/serpent/pool-worker.js

@@ -3,10 +3,10 @@
 //
 // Worker for SealStreamPool with SerpentCipher.
 // Holds 3 derived keys (enc/mac/iv) and raw WASM instances.
-// Direct WASM calls — no initModule (avoids same-thread module cache conflicts
+// Direct WASM calls, no initModule (avoids same-thread module cache conflicts
 // in @vitest/web-worker test environment).
 //
-// All HMAC / CBC / PKCS7 primitives come from `./shared-ops.js` — the same
+// All HMAC / CBC / PKCS7 primitives come from `./shared-ops.js`, the same
 // module the main-thread `SerpentCipher` uses. Byte-identical output with
 // the main thread is the regression guard (see
 // test/unit/stream/pool-byte-exact.test.ts). Must NOT import from `../init.js`:
@@ -21,9 +21,9 @@ let keys;
  * Message handler for the Serpent pool worker.
  *
  * Accepts three message types:
- * - `'init'`  — instantiate sha2 + serpent WASM modules and store derived keys
- * - `'wipe'`  — zero keys and WASM buffers, then post `{ type: 'wiped' }`
- * - `{ op: 'seal' | 'open', ... }` — encrypt or decrypt one chunk
+ * - `'init'` , instantiate sha2 + serpent WASM modules and store derived keys
+ * - `'wipe'` , zero keys and WASM buffers, then post `{ type: 'wiped' }`
+ * - `{ op: 'seal' | 'open', ... }`, encrypt or decrypt one chunk
  *
  * Replies with `{ type: 'result', id, data }` on success or
  * `{ type: 'error', id, message, isAuthError }` on failure.
@@ -45,6 +45,8 @@ self.onmessage = async (e) => {
             self.postMessage({ type: 'ready' });
         }
         catch (err) {
+            if (msg.derivedKeyBytes)
+                msg.derivedKeyBytes.fill(0);
             self.postMessage({ type: 'error', id: -1, message: err.message, isAuthError: false });
         }
         return;

package/dist/serpent/serpent-cbc.d.ts

@@ -19,16 +19,16 @@ export declare class SerpentCbc {
    * Encrypt plaintext with Serpent-256 CBC + PKCS7 padding.
    *
    * @param key       16, 24, or 32 bytes
-   * @param iv        16 bytes — must be random and unique per (key, message)
-   * @param plaintext any length — PKCS7 padding applied automatically
+   * @param iv        16 bytes, must be random and unique per (key, message)
+   * @param plaintext any length, PKCS7 padding applied automatically
    * @returns         ciphertext (length = ceil((plaintext.length + 1) / 16) * 16)
    */
     encrypt(key: Uint8Array, iv: Uint8Array, plaintext: Uint8Array): Uint8Array;
     /**
    * Decrypt Serpent-256 CBC + PKCS7.
    *
-   * All failure modes — empty input, non-multiple-of-16 length, and any
-   * PKCS7 validation failure — throw the same generic `RangeError` with
+   * All failure modes, empty input, non-multiple-of-16 length, and any
+   * PKCS7 validation failure, throw the same generic `RangeError` with
    * message `'invalid ciphertext'`. Padding validation runs branch-free
    * over the last 16 bytes regardless of where the mismatch is, closing
    * the Vaudenay 2002 padding-oracle surface for callers using

package/dist/serpent/serpent-cbc.js

@@ -21,7 +21,7 @@
 //
 // src/ts/serpent/serpent-cbc.ts
 //
-// SerpentCbc — Serpent-256 CBC + PKCS7, internal module.
+// SerpentCbc, Serpent-256 CBC + PKCS7, internal module.
 // Extracted to break the cipher-suite.ts ↔ index.ts circular dependency.
 // Import from here directly; index.ts re-exports for the public API surface.
 import { getInstance, _acquireModule, _releaseModule } from '../init.js';
@@ -53,13 +53,13 @@ export class SerpentCbc {
     _tok;
     constructor(opts) {
         if (!opts?.dangerUnauthenticated) {
-            throw new Error('leviathan-crypto: SerpentCbc is unauthenticated — use Seal with SerpentCipher instead. ' +
+            throw new Error('leviathan-crypto: SerpentCbc is unauthenticated, use Seal with SerpentCipher instead. ' +
                 'To use SerpentCbc directly, pass { dangerUnauthenticated: true }.');
         }
         this.x = getExports();
         this._tok = _acquireModule('serpent');
     }
-    /** View over WASM linear memory. Rebind on every access — memory can be detached after grow. @internal */
+    /** View over WASM linear memory. Rebind on every access, memory can be detached after grow. @internal */
     get mem() {
         return new Uint8Array(this.x.memory.buffer);
     }
@@ -67,8 +67,8 @@ export class SerpentCbc {
    * Encrypt plaintext with Serpent-256 CBC + PKCS7 padding.
    *
    * @param key       16, 24, or 32 bytes
-   * @param iv        16 bytes — must be random and unique per (key, message)
-   * @param plaintext any length — PKCS7 padding applied automatically
+   * @param iv        16 bytes, must be random and unique per (key, message)
+   * @param plaintext any length, PKCS7 padding applied automatically
    * @returns         ciphertext (length = ceil((plaintext.length + 1) / 16) * 16)
    */
     encrypt(key, iv, plaintext) {
@@ -95,8 +95,8 @@ export class SerpentCbc {
     /**
    * Decrypt Serpent-256 CBC + PKCS7.
    *
-   * All failure modes — empty input, non-multiple-of-16 length, and any
-   * PKCS7 validation failure — throw the same generic `RangeError` with
+   * All failure modes, empty input, non-multiple-of-16 length, and any
+   * PKCS7 validation failure, throw the same generic `RangeError` with
    * message `'invalid ciphertext'`. Padding validation runs branch-free
    * over the last 16 bytes regardless of where the mismatch is, closing
    * the Vaudenay 2002 padding-oracle surface for callers using
@@ -145,7 +145,10 @@ export class SerpentCbc {
         if (key.length !== 16 && key.length !== 24 && key.length !== 32)
             throw new RangeError(`Serpent key must be 16, 24, or 32 bytes (got ${key.length})`);
         this.mem.set(key, this.x.getKeyOffset());
-        this.x.loadKey(key.length);
+        if (this.x.loadKey(key.length) !== 0) {
+            this.x.wipeBuffers();
+            throw new Error('SerpentCbc: loadKey failed');
+        }
     }
     /**
      * Write `iv` into the WASM CBC IV buffer.

package/dist/serpent/shared-ops.d.ts

@@ -1,3 +1,4 @@
+export { pkcs7Pad, pkcs7Strip, PKCS7_INVALID } from '../shared/pkcs7.js';
 /** Subset of the sha2 WASM exports used by `hmacSha256`. */
 export interface Sha2OpsExports {
     memory: WebAssembly.Memory;
@@ -21,35 +22,14 @@ export interface SerpentOpsExports {
     loadKey: (n: number) => number;
     cbcEncryptChunk: (n: number) => number;
     cbcDecryptChunk_simd: (n: number) => number;
+    wipeBuffers: () => void;
 }
-export declare const PKCS7_INVALID = "invalid ciphertext";
-/**
- * Apply PKCS7 padding to `data` so the result length is a multiple of 16.
- * Padding length is always 1–16 bytes so a full pad block is appended when
- * `data.length` is already block-aligned.
- * @param data  Input bytes of any length
- * @returns     New Uint8Array padded to the next 16-byte boundary
- */
-export declare function pkcs7Pad(data: Uint8Array): Uint8Array;
-/**
- * Remove PKCS7 padding from a block-aligned buffer in constant time.
- *
- * Branch-free over all secret bits — padding length and per-byte comparisons
- * are accumulated into a single `bad` flag with no early exit. Closes the
- * Vaudenay 2002 padding-oracle surface. Throws a single generic
- * `RangeError('invalid ciphertext')` for every failure mode: empty input,
- * non-block-aligned length, padding byte out of range 1–16, and any per-byte
- * mismatch in the padding region.
- * @param data  Block-aligned ciphertext (length must be a multiple of 16)
- * @returns     Plaintext with padding removed
- */
-export declare function pkcs7Strip(data: Uint8Array): Uint8Array;
 /**
  * Compute HMAC-SHA-256 using raw WASM sha2 exports.
  *
  * Keys longer than 64 bytes are pre-hashed per RFC 2104 §3. The SHA-256
  * input buffer is fed in 64-byte chunks to match the WASM block size.
- * Does not call `_acquireModule` — callers must ensure no stateful instance
+ * Does not call `_acquireModule`, callers must ensure no stateful instance
  * owns the sha2 module before calling.
  * @param sx   sha2 WASM exports
  * @param key  HMAC key of any length

package/dist/serpent/shared-ops.js

@@ -23,8 +23,8 @@
 //
 // Pure-function primitives shared between the main-thread `SerpentCipher`
 // (cipher-suite.ts) and the `SealStreamPool` worker (pool-worker.ts). Both
-// call sites hold their own WASM exports — pool workers instantiate modules
-// locally, the main thread fetches via `getInstance()` — so every function
+// call sites hold their own WASM exports, pool workers instantiate modules
+// locally, the main thread fetches via `getInstance()`, so every function
 // here takes the sha2/serpent exports as parameters. No dependency on
 // `init.ts`, no module-level state, no instance wrappers.
 //
@@ -32,74 +32,19 @@
 // payload into chunks ≤ WASM CHUNK_SIZE. For multi-chunk use, see
 // `SerpentCbc.encrypt`/`decrypt`, which loop over the same WASM exports.
 //
-// This file owns the canonical `pkcs7Pad` / `pkcs7Strip`; `serpent-cbc.ts`
-// re-exports them. A single source of truth keeps the branch-free,
-// Vaudenay-2002-closed padding check identical on the main-thread and
-// pool-worker paths — divergence between the two would reintroduce an
-// oracle.
-// ── PKCS7 ───────────────────────────────────────────────────────────────────
-// Generic error string used by every failure mode of `pkcs7Strip` and the
-// length/alignment gate in `SerpentCbc.decrypt`. No numeric leaks, no
-// structural disclosure — a caller cannot distinguish "bad length" from
-// "bad padding" by message or by timing.
-export const PKCS7_INVALID = 'invalid ciphertext';
-/**
- * Apply PKCS7 padding to `data` so the result length is a multiple of 16.
- * Padding length is always 1–16 bytes so a full pad block is appended when
- * `data.length` is already block-aligned.
- * @param data  Input bytes of any length
- * @returns     New Uint8Array padded to the next 16-byte boundary
- */
-export function pkcs7Pad(data) {
-    const padLen = 16 - (data.length % 16); // 1..16
-    const out = new Uint8Array(data.length + padLen);
-    out.set(data);
-    out.fill(padLen, data.length);
-    return out;
-}
-/**
- * Remove PKCS7 padding from a block-aligned buffer in constant time.
- *
- * Branch-free over all secret bits — padding length and per-byte comparisons
- * are accumulated into a single `bad` flag with no early exit. Closes the
- * Vaudenay 2002 padding-oracle surface. Throws a single generic
- * `RangeError('invalid ciphertext')` for every failure mode: empty input,
- * non-block-aligned length, padding byte out of range 1–16, and any per-byte
- * mismatch in the padding region.
- * @param data  Block-aligned ciphertext (length must be a multiple of 16)
- * @returns     Plaintext with padding removed
- */
-export function pkcs7Strip(data) {
-    if (data.length === 0 || data.length % 16 !== 0)
-        throw new RangeError(PKCS7_INVALID);
-    const padLen = data[data.length - 1];
-    let bad = 0;
-    bad |= ((padLen - 1) >>> 31); // 1 if padLen == 0
-    bad |= ((16 - padLen) >>> 31); // 1 if padLen > 16
-    // Per-byte pad-region mask without branches on secret bits.
-    //   inPadRegion = 0xff when i >= 16 - padLen
-    //               = 0x00 otherwise
-    //
-    // (16 - padLen - i - 1) is negative iff i >= 16 - padLen. A signed
-    // arithmetic shift by 31 yields -1 for negative, 0 for non-negative;
-    // ANDing with 0xff collapses those to 0xff and 0x00.
-    for (let i = 0; i < 16; i++) {
-        const idx = data.length - 16 + i;
-        const mask = ((16 - padLen - i - 1) >> 31) & 0xff;
-        bad |= (data[idx] ^ padLen) & mask;
-    }
-    const invalid = ((bad - 1) >>> 31) ^ 1;
-    if (invalid)
-        throw new RangeError(PKCS7_INVALID);
-    return data.subarray(0, data.length - padLen);
-}
+// `pkcs7Pad` / `pkcs7Strip` / `PKCS7_INVALID` live in `../shared/pkcs7.js`
+// and are re-exported here so existing serpent-side imports keep working.
+// A single source of truth keeps the branch-free, Vaudenay-2002-closed
+// padding check identical across all CBC paths.
+export { pkcs7Pad, pkcs7Strip, PKCS7_INVALID } from '../shared/pkcs7.js';
+import { pkcs7Pad, pkcs7Strip, PKCS7_INVALID } from '../shared/pkcs7.js';
 // ── HMAC-SHA-256 ────────────────────────────────────────────────────────────
 /**
  * Compute HMAC-SHA-256 using raw WASM sha2 exports.
  *
  * Keys longer than 64 bytes are pre-hashed per RFC 2104 §3. The SHA-256
  * input buffer is fed in 64-byte chunks to match the WASM block size.
- * Does not call `_acquireModule` — callers must ensure no stateful instance
+ * Does not call `_acquireModule`, callers must ensure no stateful instance
  * owns the sha2 module before calling.
  * @param sx   sha2 WASM exports
  * @param key  HMAC key of any length
@@ -157,16 +102,24 @@ function feedMemory(memory, inputOff, msg, chunkSize, update) {
  */
 export function cbcEncryptChunk(kx, key, iv, chunk) {
     loadKeyAndIv(kx, key, iv);
-    const padded = pkcs7Pad(chunk);
-    const ptOff = kx.getChunkPtOffset();
-    const ctOff = kx.getChunkCtOffset();
-    const mem = new Uint8Array(kx.memory.buffer);
-    mem.set(padded, ptOff);
-    const ret = kx.cbcEncryptChunk(padded.length);
-    if (ret < 0)
-        throw new RangeError(`cbcEncryptChunk rejected len=${padded.length}` +
-            ` (WASM CHUNK_SIZE=${kx.getChunkSize()})`);
-    return new Uint8Array(kx.memory.buffer).slice(ctOff, ctOff + padded.length);
+    try {
+        const padded = pkcs7Pad(chunk);
+        const ptOff = kx.getChunkPtOffset();
+        const ctOff = kx.getChunkCtOffset();
+        const mem = new Uint8Array(kx.memory.buffer);
+        mem.set(padded, ptOff);
+        const ret = kx.cbcEncryptChunk(padded.length);
+        if (ret < 0)
+            throw new RangeError(`cbcEncryptChunk rejected len=${padded.length}` +
+                ` (WASM CHUNK_SIZE=${kx.getChunkSize()})`);
+        return new Uint8Array(kx.memory.buffer).slice(ctOff, ctOff + padded.length);
+    }
+    catch (err) {
+        // Length-error or any other throw past loadKeyAndIv leaves key+iv staged.
+        // Wipe before re-throwing, the cipher-suite caller may not call dispose.
+        kx.wipeBuffers();
+        throw err;
+    }
 }
 /**
  * Decrypt one Serpent-256 CBC chunk using the SIMD path and strip PKCS7 padding.
@@ -183,16 +136,25 @@ export function cbcDecryptChunk(kx, key, iv, ct) {
     if (ct.length === 0 || ct.length % 16 !== 0)
         throw new RangeError(PKCS7_INVALID);
     loadKeyAndIv(kx, key, iv);
-    const ctOff = kx.getChunkCtOffset();
-    const ptOff = kx.getChunkPtOffset();
-    const mem = new Uint8Array(kx.memory.buffer);
-    mem.set(ct, ctOff);
-    const ret = kx.cbcDecryptChunk_simd(ct.length);
-    if (ret < 0)
-        throw new RangeError(`cbcDecryptChunk_simd rejected len=${ct.length}` +
-            ` (WASM CHUNK_SIZE=${kx.getChunkSize()})`);
-    const raw = new Uint8Array(kx.memory.buffer).slice(ptOff, ptOff + ct.length);
-    return pkcs7Strip(raw);
+    try {
+        const ctOff = kx.getChunkCtOffset();
+        const ptOff = kx.getChunkPtOffset();
+        const mem = new Uint8Array(kx.memory.buffer);
+        mem.set(ct, ctOff);
+        const ret = kx.cbcDecryptChunk_simd(ct.length);
+        if (ret < 0)
+            throw new RangeError(`cbcDecryptChunk_simd rejected len=${ct.length}` +
+                ` (WASM CHUNK_SIZE=${kx.getChunkSize()})`);
+        const raw = new Uint8Array(kx.memory.buffer).slice(ptOff, ptOff + ct.length);
+        return pkcs7Strip(raw);
+    }
+    catch (err) {
+        // Length-error, padding mismatch, or any other throw past loadKeyAndIv
+        // leaves key+iv staged. Wipe before re-throwing, bad PKCS7 padding is
+        // a Vaudenay-attack signal; per-chunk staged key+iv must not survive it.
+        kx.wipeBuffers();
+        throw err;
+    }
 }
 /**
  * Validate, then write `key` and `iv` into the WASM buffers and expand the key schedule.
@@ -208,6 +170,9 @@ function loadKeyAndIv(kx, key, iv) {
         throw new RangeError(`CBC IV must be 16 bytes (got ${iv.length})`);
     const mem = new Uint8Array(kx.memory.buffer);
     mem.set(key, kx.getKeyOffset());
-    kx.loadKey(key.length);
+    if (kx.loadKey(key.length) !== 0) {
+        kx.wipeBuffers();
+        throw new Error('Serpent shared-ops: loadKey failed');
+    }
     mem.set(iv, kx.getCbcIvOffset());
 }

package/dist/sha2/hkdf.js

@@ -21,7 +21,7 @@
 //
 // src/ts/sha2/hkdf.ts
 //
-// RFC 5869 — HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
+// RFC 5869, HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
 // Pure TS composition over HMAC_SHA256 and HMAC_SHA512.
 import { HMAC_SHA256, HMAC_SHA512 } from './index.js';
 // ── HKDF_SHA256 ─────────────────────────────────────────────────────────────
@@ -30,12 +30,12 @@ export class HKDF_SHA256 {
     constructor() {
         this.hmac = new HMAC_SHA256();
     }
-    // RFC 5869 §2.2 — Extract
+    // RFC 5869 §2.2, Extract
     extract(salt, ikm) {
         const s = (!salt || salt.length === 0) ? new Uint8Array(32) : salt;
         return this.hmac.hash(s, ikm);
     }
-    // RFC 5869 §2.3 — Expand
+    // RFC 5869 §2.3, Expand
     expand(prk, info, length) {
         if (prk.length !== 32)
             throw new RangeError('HKDF expand: PRK must be 32 bytes');
@@ -79,12 +79,12 @@ export class HKDF_SHA512 {
     constructor() {
         this.hmac = new HMAC_SHA512();
     }
-    // RFC 5869 §2.2 — Extract
+    // RFC 5869 §2.2, Extract
     extract(salt, ikm) {
         const s = (!salt || salt.length === 0) ? new Uint8Array(64) : salt;
         return this.hmac.hash(s, ikm);
     }
-    // RFC 5869 §2.3 — Expand
+    // RFC 5869 §2.3, Expand
     expand(prk, info, length) {
         if (prk.length !== 64)
             throw new RangeError('HKDF expand: PRK must be 64 bytes');

package/dist/sha2/index.d.ts

@@ -1,7 +1,9 @@
 import type { WasmSource } from '../wasm-source.js';
+import type { Sha2Exports } from './types.js';
 export declare function sha2Init(source: WasmSource): Promise<void>;
 export type { WasmSource };
-export declare function _sha2Ready(): boolean;
+export type { Sha2Exports };
+export { isInitialized } from '../init.js';
 export declare class SHA256 {
     private readonly x;
     constructor();
@@ -20,6 +22,24 @@ export declare class SHA384 {
     hash(msg: Uint8Array): Uint8Array;
     dispose(): void;
 }
+export declare class SHA224 {
+    private readonly x;
+    constructor();
+    hash(msg: Uint8Array): Uint8Array;
+    dispose(): void;
+}
+export declare class SHA512_224 {
+    private readonly x;
+    constructor();
+    hash(msg: Uint8Array): Uint8Array;
+    dispose(): void;
+}
+export declare class SHA512_256 {
+    private readonly x;
+    constructor();
+    hash(msg: Uint8Array): Uint8Array;
+    dispose(): void;
+}
 export declare class HMAC_SHA256 {
     private readonly x;
     constructor();

package/dist/sha2/index.js

@@ -22,23 +22,15 @@
 // src/ts/sha2/index.ts
 //
 // Public API classes for the SHA-2 WASM module.
-// Uses the init() module cache — call sha2Init(source) before constructing.
+// Uses the init() module cache, call sha2Init(source) before constructing.
 import { getInstance, initModule, _assertNotOwned } from '../init.js';
 export async function sha2Init(source) {
     return initModule('sha2', source);
 }
+export { isInitialized } from '../init.js';
 function getExports() {
     return getInstance('sha2').exports;
 }
-export function _sha2Ready() {
-    try {
-        getInstance('sha2');
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
 // Write msg into input buffer in chunks, calling update for each chunk.
 function feedHash(x, msg, inputOff, chunkSize, updateFn) {
     const mem = new Uint8Array(x.memory.buffer);
@@ -107,6 +99,69 @@ export class SHA384 {
         this.x.wipeBuffers();
     }
 }
+// ── SHA224 ──────────────────────────────────────────────────────────────────
+// FIPS 180-4 §6.3, SHA-256 round logic with the §5.3.2 IV; output is the
+// leftmost 224 bits (28 bytes) of the SHA-256 state.
+export class SHA224 {
+    x;
+    constructor() {
+        this.x = getExports();
+    }
+    hash(msg) {
+        _assertNotOwned('sha2');
+        this.x.sha224Init();
+        feedHash(this.x, msg, this.x.getSha256InputOffset(), 64, this.x.sha256Update);
+        this.x.sha224Final();
+        const mem = new Uint8Array(this.x.memory.buffer);
+        return mem.slice(this.x.getSha256OutOffset(), this.x.getSha256OutOffset() + 28);
+    }
+    dispose() {
+        _assertNotOwned('sha2');
+        this.x.wipeBuffers();
+    }
+}
+// ── SHA512_224 ──────────────────────────────────────────────────────────────
+// FIPS 180-4 §6.7.1, SHA-512 round logic with the §5.3.6.1 IV; output is the
+// leftmost 224 bits (28 bytes) of the SHA-512 state.
+export class SHA512_224 {
+    x;
+    constructor() {
+        this.x = getExports();
+    }
+    hash(msg) {
+        _assertNotOwned('sha2');
+        this.x.sha512_224Init();
+        feedHash(this.x, msg, this.x.getSha512InputOffset(), 128, this.x.sha512Update);
+        this.x.sha512_224Final();
+        const mem = new Uint8Array(this.x.memory.buffer);
+        return mem.slice(this.x.getSha512OutOffset(), this.x.getSha512OutOffset() + 28);
+    }
+    dispose() {
+        _assertNotOwned('sha2');
+        this.x.wipeBuffers();
+    }
+}
+// ── SHA512_256 ──────────────────────────────────────────────────────────────
+// FIPS 180-4 §6.7.2, SHA-512 round logic with the §5.3.6.2 IV; output is the
+// leftmost 256 bits (32 bytes) of the SHA-512 state.
+export class SHA512_256 {
+    x;
+    constructor() {
+        this.x = getExports();
+    }
+    hash(msg) {
+        _assertNotOwned('sha2');
+        this.x.sha512_256Init();
+        feedHash(this.x, msg, this.x.getSha512InputOffset(), 128, this.x.sha512Update);
+        this.x.sha512_256Final();
+        const mem = new Uint8Array(this.x.memory.buffer);
+        return mem.slice(this.x.getSha512OutOffset(), this.x.getSha512OutOffset() + 32);
+    }
+    dispose() {
+        _assertNotOwned('sha2');
+        this.x.wipeBuffers();
+    }
+}
 // ── HMAC_SHA256 ─────────────────────────────────────────────────────────────
 export class HMAC_SHA256 {
     x;

package/dist/sha2/types.d.ts

@@ -1,5 +1,44 @@
-/** WASM exports for the sha2 module */
+/** WASM exports for the sha2 module, full FIPS 180-4 surface plus
+ *  HMAC variants. Importable from cross-module wrappers (e.g. mldsa's
+ *  HashML-DSA pre-hash dispatcher) that need to drive sha2 directly
+ *  without going through the public class API. */
 export interface Sha2Exports {
     memory: WebAssembly.Memory;
-    getModuleId(): number;
+    getModuleId: () => number;
+    getSha256InputOffset: () => number;
+    getSha256OutOffset: () => number;
+    getSha256HOffset: () => number;
+    getSha512InputOffset: () => number;
+    getSha512OutOffset: () => number;
+    getSha512HOffset: () => number;
+    getHmac256IpadOffset: () => number;
+    getHmac256OpadOffset: () => number;
+    getHmac256InnerOffset: () => number;
+    getHmac512IpadOffset: () => number;
+    getHmac512OpadOffset: () => number;
+    getHmac512InnerOffset: () => number;
+    sha256Init: () => void;
+    sha256Update: (len: number) => void;
+    sha256Final: () => void;
+    sha224Init: () => void;
+    sha224Final: () => void;
+    sha512Init: () => void;
+    sha384Init: () => void;
+    sha512_224Init: () => void;
+    sha512_256Init: () => void;
+    sha512Update: (len: number) => void;
+    sha512Final: () => void;
+    sha384Final: () => void;
+    sha512_224Final: () => void;
+    sha512_256Final: () => void;
+    hmac256Init: (keyLen: number) => void;
+    hmac256Update: (len: number) => void;
+    hmac256Final: () => void;
+    hmac512Init: (keyLen: number) => void;
+    hmac512Update: (len: number) => void;
+    hmac512Final: () => void;
+    hmac384Init: (keyLen: number) => void;
+    hmac384Update: (len: number) => void;
+    hmac384Final: () => void;
+    wipeBuffers: () => void;
 }

package/dist/sha3/index.d.ts

@@ -1,7 +1,7 @@
 import type { WasmSource } from '../wasm-source.js';
 export declare function sha3Init(source: WasmSource): Promise<void>;
 export type { WasmSource };
-export declare function _sha3Ready(): boolean;
+export { isInitialized } from '../init.js';
 export declare class SHA3_256 {
     private readonly x;
     constructor();
@@ -27,7 +27,7 @@ export declare class SHA3_224 {
     dispose(): void;
 }
 /**
- * SHAKE128 XOF — extendable output, multi-squeeze capable.
+ * SHAKE128 XOF, extendable output, multi-squeeze capable.
  *
  * Holds exclusive access to the `sha3` WASM module from construction until
  * `dispose()`. Constructing a second SHAKE128/SHAKE256 or any other sha3
@@ -48,7 +48,7 @@ export declare class SHAKE128 {
     dispose(): void;
 }
 /**
- * SHAKE256 XOF — extendable output, multi-squeeze capable.
+ * SHAKE256 XOF, extendable output, multi-squeeze capable.
  *
  * Holds exclusive access to the `sha3` WASM module from construction until
  * `dispose()`. Constructing a second SHAKE128/SHAKE256 or any other sha3
@@ -68,4 +68,73 @@ export declare class SHAKE256 {
     hash(msg: Uint8Array, outputLength: number): Uint8Array;
     dispose(): void;
 }
+/**
+ * Incremental SHA3-256. Construct, `update()` chunks (any size), `finalize()`
+ * to get the 32-byte digest. Finalize disposes the instance.
+ *
+ * Holds exclusive access to the `sha3` WASM module from construction until
+ * `dispose()` or `finalize()`. Mirrors SHAKE128 lifecycle.
+ */
+export declare class SHA3_256Stream {
+    private readonly x;
+    private _tok;
+    constructor();
+    update(chunk: Uint8Array): this;
+    finalize(): Uint8Array;
+    dispose(): void;
+}
+/**
+ * Incremental SHA3-512. Construct, `update()` chunks (any size), `finalize()`
+ * to get the 64-byte digest. Finalize disposes the instance.
+ *
+ * Holds exclusive access to the `sha3` WASM module from construction until
+ * `dispose()` or `finalize()`. Mirrors SHAKE128 lifecycle.
+ */
+export declare class SHA3_512Stream {
+    private readonly x;
+    private _tok;
+    constructor();
+    update(chunk: Uint8Array): this;
+    finalize(): Uint8Array;
+    dispose(): void;
+}
+/**
+ * Single-shot streaming SHAKE128. `outputLen` is bound at construction;
+ * `update()` absorbs chunks of any size, `finalize()` pads and squeezes
+ * exactly `outputLen` bytes, then disposes the instance.
+ *
+ * Used by `createRunningHash` in the sign layer: each StreamableSignatureSuite
+ * with `prehashAlgorithm: 'shake-128'` declares its `prehashSize` and that
+ * value is passed in here at construction time. The multi-squeeze
+ * `SHAKE128` class above remains for the XOF surface; this class is the
+ * fixed-output cousin that matches the RunningHash contract.
+ *
+ * Holds exclusive access to the `sha3` WASM module from construction until
+ * `dispose()` or `finalize()`. Mirrors `SHA3_256Stream` lifecycle.
+ */
+export declare class SHAKE128Stream {
+    private readonly x;
+    private readonly _rate;
+    private readonly outputLen;
+    private _tok;
+    constructor(outputLen: number);
+    update(chunk: Uint8Array): this;
+    finalize(): Uint8Array;
+    dispose(): void;
+}
+/**
+ * Single-shot streaming SHAKE256. `outputLen` is bound at construction;
+ * mirrors `SHAKE128Stream`. See that class for usage notes.
+ */
+export declare class SHAKE256Stream {
+    private readonly x;
+    private readonly _rate;
+    private readonly outputLen;
+    private _tok;
+    constructor(outputLen: number);
+    update(chunk: Uint8Array): this;
+    finalize(): Uint8Array;
+    dispose(): void;
+}
 export { SHA3_256Hash } from './hash.js';
+export { CSHAKE128, CSHAKE256, KMAC128, KMAC256, KMACXOF128, KMACXOF256 } from './kmac.js';