leviathan-crypto 2.1.0 → 3.0.0

package/dist/stream/seal-stream-pool.js

@@ -21,11 +21,11 @@
 //
 // src/ts/stream/seal-stream-pool.ts
 //
-// SealStreamPool — parallel batch encryption/decryption using the STREAM
+// SealStreamPool, parallel batch encryption/decryption using the STREAM
 // construction. Dispatches per-chunk seal/open jobs across Web Workers.
 // Any error is fatal: auth failure, crash, or timeout kills all workers,
 // wipes keys, and rejects all pending promises.
-import { randomBytes, wipe } from '../utils.js';
+import { randomBytes, wipe, constantTimeEqual } from '../utils.js';
 import { isInitialized } from '../init.js';
 import { compileWasm } from '../loader.js';
 import { AuthenticationError } from '../errors.js';
@@ -44,6 +44,7 @@ export class SealStreamPool {
     _framed;
     _timeout;
     _header;
+    _commitment;
     _workers;
     _idle;
     _queue;
@@ -53,7 +54,7 @@ export class SealStreamPool {
     _sealed;
     _keys;
     _masterKey;
-    constructor(cipher, workers, keys, masterKey, header, chunkSize, framed, timeout) {
+    constructor(cipher, workers, keys, masterKey, header, commitment, chunkSize, framed, timeout) {
         this._cipher = cipher;
         this._workers = workers;
         this._idle = [...workers];
@@ -65,6 +66,7 @@ export class SealStreamPool {
         this._keys = keys;
         this._masterKey = masterKey;
         this._header = header;
+        this._commitment = commitment;
         this._chunkSize = chunkSize;
         this._framed = framed;
         this._timeout = timeout;
@@ -75,10 +77,10 @@ export class SealStreamPool {
     }
     static async create(cipher, key, opts) {
         if (!isInitialized('sha2'))
-            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation — '
+            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation, '
                 + 'call init({ sha2: ... }) before creating a SealStreamPool');
         if (cipher.kemCtSize > 0)
-            throw new Error('leviathan-crypto: SealStreamPool does not support KEM-enabled cipher suites — '
+            throw new Error('leviathan-crypto: SealStreamPool does not support KEM-enabled cipher suites, '
                 + 'KEM encryption is asymmetric (seal uses encapsulation key, open requires decapsulation key) '
                 + 'and cannot share a single key across both directions. '
                 + 'Use SealStream / OpenStream directly for hybrid KEM encryption.');
@@ -101,7 +103,7 @@ export class SealStreamPool {
         }
         else {
             if (required.length > 1)
-                throw new Error(`leviathan-crypto: cipher requires ${required.length} WASM modules (${required.join(', ')}) — provide a Record`);
+                throw new Error(`leviathan-crypto: cipher requires ${required.length} WASM modules (${required.join(', ')}), provide a Record`);
             modules[required[0]] = await compileWasm(opts.wasm);
         }
         // For padded ciphers, validate that a full plaintext chunk fits in the WASM
@@ -115,10 +117,20 @@ export class SealStreamPool {
         }
         if (key.length !== cipher.keySize)
             throw new RangeError(`key must be ${cipher.keySize} bytes (got ${key.length})`);
-        // Generate nonce and derive keys
+        // Generate nonce and build header before deriveKeys, XChaCha20 binds
+        // the header into HKDF info; SerpentCipher accepts and ignores it.
         const nonce = randomBytes(16);
-        const keys = cipher.deriveKeys(key, nonce);
         const header = writeHeader(cipher.formatEnum, framed, nonce, chunkSize);
+        const keys = cipher.deriveKeys(key, nonce, undefined, header);
+        let commitment = null;
+        if (cipher.commitmentSize > 0) {
+            if (!keys.commitment || keys.commitment.length !== cipher.commitmentSize) {
+                cipher.wipeKeys(keys);
+                throw new Error(`leviathan-crypto: ${cipher.formatName}.deriveKeys returned `
+                    + `${keys.commitment?.length ?? 'no'} commitment bytes, expected ${cipher.commitmentSize}`);
+            }
+            commitment = keys.commitment;
+        }
         // Spawn workers sequentially (compatible with @vitest/web-worker)
         const workers = [];
         for (let i = 0; i < n; i++) {
@@ -147,7 +159,7 @@ export class SealStreamPool {
             });
             workers.push(w);
         }
-        return new SealStreamPool(cipher, workers, keys, key.slice(), header, chunkSize, framed, timeout);
+        return new SealStreamPool(cipher, workers, keys, key.slice(), header, commitment, chunkSize, framed, timeout);
     }
     get header() {
         return this._header;
@@ -176,12 +188,17 @@ export class SealStreamPool {
         }
         try {
             const results = await Promise.all(jobs);
-            let totalLen = HEADER_SIZE;
+            const commitmentLen = this._cipher.commitmentSize;
+            let totalLen = HEADER_SIZE + commitmentLen;
             for (const r of results)
                 totalLen += this._framed ? r.length + 4 : r.length;
             const ciphertext = new Uint8Array(totalLen);
             ciphertext.set(this._header, 0);
             let pos = HEADER_SIZE;
+            if (this._commitment) {
+                ciphertext.set(this._commitment, pos);
+                pos += commitmentLen;
+            }
             for (const r of results) {
                 if (this._framed) {
                     new DataView(ciphertext.buffer, pos).setUint32(0, r.length, false);
@@ -202,30 +219,52 @@ export class SealStreamPool {
         if (this._dead)
             throw new Error('leviathan-crypto: pool is dead');
         if (ciphertext.length < HEADER_SIZE)
-            throw new RangeError(`leviathan-crypto: ciphertext too short — need at least ${HEADER_SIZE} bytes for header`);
+            throw new RangeError(`leviathan-crypto: ciphertext too short, need at least ${HEADER_SIZE} bytes for header`);
         // Validate header before splitting chunks
         const h = readHeader(ciphertext.subarray(0, HEADER_SIZE));
         if (h.formatEnum !== this._cipher.formatEnum)
             throw new Error(`leviathan-crypto: pool expected format 0x${this._cipher.formatEnum.toString(16).padStart(2, '0')}, `
                 + `got 0x${h.formatEnum.toString(16).padStart(2, '0')}`);
         if (h.chunkSize !== this._chunkSize)
-            throw new RangeError(`leviathan-crypto: pool chunkSize mismatch — pool expects ${this._chunkSize}, `
+            throw new RangeError(`leviathan-crypto: pool chunkSize mismatch, pool expects ${this._chunkSize}, `
                 + `header says ${h.chunkSize}`);
         if (h.framed !== this._framed)
-            throw new Error(`leviathan-crypto: pool framing mismatch — pool is ${this._framed ? 'framed' : 'unframed'}, `
+            throw new Error(`leviathan-crypto: pool framing mismatch, pool is ${this._framed ? 'framed' : 'unframed'}, `
                 + `header says ${h.framed ? 'framed' : 'unframed'}`);
         // Re-derive keys from the nonce embedded in this ciphertext's header.
-        // The pool's _keys are tied to its own seal nonce — for arbitrary incoming
+        // The pool's _keys are tied to its own seal nonce, for arbitrary incoming
         // ciphertext the nonce may differ, so we derive fresh keys here.
         if (!this._masterKey)
             throw new Error('leviathan-crypto: pool master key has been wiped');
-        const openKeys = this._cipher.deriveKeys(this._masterKey, h.nonce);
+        const headerBytes = ciphertext.subarray(0, HEADER_SIZE);
+        const commitmentLen = this._cipher.commitmentSize;
+        const minLen = HEADER_SIZE + commitmentLen;
+        if (ciphertext.length < minLen)
+            throw new RangeError(`leviathan-crypto: ciphertext too short, need at least ${minLen} bytes for header + commitment`);
+        const openKeys = this._cipher.deriveKeys(this._masterKey, h.nonce, undefined, headerBytes);
         let openKeysWiped = false;
+        // Verify commitment before any chunk dispatch. Wrong key fails fast
+        // with AuthenticationError, before Poly1305 is consulted.
+        if (commitmentLen > 0) {
+            const derivedCommitment = openKeys.commitment;
+            if (!derivedCommitment || derivedCommitment.length !== commitmentLen) {
+                this._cipher.wipeKeys(openKeys);
+                throw new Error(`leviathan-crypto: ${this._cipher.formatName}.deriveKeys returned `
+                    + `${derivedCommitment?.length ?? 'no'} commitment bytes, expected ${commitmentLen}`);
+            }
+            const recvCommitment = ciphertext.subarray(HEADER_SIZE, HEADER_SIZE + commitmentLen);
+            if (!constantTimeEqual(derivedCommitment, recvCommitment)) {
+                this._cipher.wipeKeys(openKeys);
+                const err = new AuthenticationError(`commitment-${this._cipher.formatName}`);
+                this._killAll(err);
+                throw err;
+            }
+        }
         try {
-            // Strip header before chunk splitting
-            const body = ciphertext.subarray(HEADER_SIZE);
+            // Strip header + commitment before chunk splitting
+            const body = ciphertext.subarray(HEADER_SIZE + commitmentLen);
             if (body.length === 0)
-                throw new RangeError('leviathan-crypto: empty ciphertext — seal() always produces at least one chunk');
+                throw new RangeError('leviathan-crypto: empty ciphertext, seal() always produces at least one chunk');
             // Compute max wire chunk size for per-chunk validation
             const tagSize = this._cipher.tagSize;
             const paddedSize = this._cipher.padded
@@ -265,7 +304,7 @@ export class SealStreamPool {
             const jobs = [];
             for (let i = 0; i < chunks.length; i++) {
                 if (chunks[i].length < tagSize)
-                    throw new RangeError(`leviathan-crypto: chunk ${i} too short — need at least ${tagSize} bytes for tag `
+                    throw new RangeError(`leviathan-crypto: chunk ${i} too short, need at least ${tagSize} bytes for tag `
                         + `(got ${chunks[i].length})`);
                 if (chunks[i].length > maxWireChunk)
                     throw new RangeError(`leviathan-crypto: chunk ${i} exceeds max wire size `
@@ -277,10 +316,8 @@ export class SealStreamPool {
                     derivedKeyBytes: openKeys.bytes.slice(),
                 }));
             }
-            // All per-job key copies made — wipe the main-thread openKeys immediately
-            // rather than waiting for Promise.all. earlyWiped tracks this so the
-            // finally below only fires on pre-dispatch throws (empty body, frame errors,
-            // chunk validation), not as a redundant second call on the normal path.
+            // Per-job copies made; wipe main-thread openKeys immediately. openKeysWiped
+            // guards the finally so it only fires on pre-dispatch throws.
             this._cipher.wipeKeys(openKeys);
             openKeysWiped = true;
             const results = await Promise.all(jobs);
@@ -329,7 +366,7 @@ export class SealStreamPool {
     _send(worker, job) {
         const transfer = [];
         // Only transfer data.buffer when the Uint8Array owns the buffer exclusively.
-        // Subarrays from open() share the caller's ciphertext buffer — transferring
+        // Subarrays from open() share the caller's ciphertext buffer, transferring
         // one would detach all sibling views dispatched as parallel jobs.
         if (job.data.buffer instanceof ArrayBuffer
             && job.data.byteOffset === 0
@@ -340,7 +377,7 @@ export class SealStreamPool {
             transfer.push(job.counterNonce.buffer);
         if (job.derivedKeyBytes?.buffer instanceof ArrayBuffer)
             transfer.push(job.derivedKeyBytes.buffer);
-        // aad is intentionally not transferred — caller may retain the reference
+        // aad is intentionally not transferred, caller may retain the reference
         worker.postMessage(job, { transfer });
     }
     _onMessage(worker, e) {
@@ -383,7 +420,7 @@ export class SealStreamPool {
         this._workers = [];
         this._idle.length = 0;
         // Fire-and-forget: wipe each worker's key material, then terminate.
-        // On timeout, terminate anyway — the main-thread key handles are
+        // On timeout, terminate anyway, the main-thread key handles are
         // wiped below so the owning surface no longer has access.
         for (const w of workers)
             this._wipeThenTerminate(w);

package/dist/stream/seal-stream.d.ts

@@ -1,6 +1,6 @@
 import type { CipherSuite, SealStreamOpts } from './types.js';
 export declare class SealStream {
-    /** Preamble sent before the first chunk: header [|| kemCiphertext]. */
+    /** Preamble sent before the first chunk: header [|| kemCiphertext] [|| commitment]. */
     readonly preamble: Uint8Array;
     private readonly cipher;
     private readonly keys;

package/dist/stream/seal-stream.js

@@ -21,7 +21,7 @@
 //
 // src/ts/stream/seal-stream.ts
 //
-// SealStream — cipher-agnostic streaming encryption using the STREAM
+// SealStream, cipher-agnostic streaming encryption using the STREAM
 // construction (Hoang/Reyhanitabar/Rogaway/Vizár, CRYPTO 2015).
 import { randomBytes, concat } from '../utils.js';
 import { isInitialized } from '../init.js';
@@ -32,11 +32,11 @@ function u32beFrame(n) {
     new DataView(b.buffer).setUint32(0, n, false);
     return b;
 }
-// Module-level nonce injection slot — used only by _fromNonce for KAT tests.
+// Module-level nonce injection slot, used only by _fromNonce for KAT tests.
 // Set immediately before constructing, cleared inside the constructor.
 let _injectNonce;
 export class SealStream {
-    /** Preamble sent before the first chunk: header [|| kemCiphertext]. */
+    /** Preamble sent before the first chunk: header [|| kemCiphertext] [|| commitment]. */
     preamble;
     cipher;
     keys;
@@ -49,7 +49,7 @@ export class SealStream {
         this.chunkSize = opts?.chunkSize ?? 65536;
         this.framed = opts?.framed ?? false;
         if (!isInitialized('sha2'))
-            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation — '
+            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation, '
                 + 'call init({ sha2: ... }) before creating a SealStream');
         if (key.length !== cipher.keySize)
             throw new RangeError(`key must be ${cipher.keySize} bytes (got ${key.length})`);
@@ -57,14 +57,25 @@ export class SealStream {
             throw new RangeError(`chunkSize must be in [${CHUNK_MIN}, ${CHUNK_MAX}] (got ${this.chunkSize})`);
         const nonce = _injectNonce ?? randomBytes(16);
         _injectNonce = undefined;
-        this.keys = cipher.deriveKeys(key, nonce);
-        const kemCt = this.keys.kemCiphertext;
+        // Header must be built before deriveKeys, XChaCha20 binds it into
+        // the HKDF info string. SerpentCipher accepts and ignores it.
         const header = writeHeader(cipher.formatEnum, this.framed, nonce, this.chunkSize);
-        this.preamble = kemCt ? concat(header, kemCt) : header;
+        this.keys = cipher.deriveKeys(key, nonce, undefined, header);
+        const kemCt = this.keys.kemCiphertext;
+        const commitment = cipher.commitmentSize > 0 ? this.keys.commitment : undefined;
+        if (cipher.commitmentSize > 0 && (!commitment || commitment.length !== cipher.commitmentSize))
+            throw new Error(`leviathan-crypto: ${cipher.formatName}.deriveKeys returned `
+                + `${commitment?.length ?? 'no'} commitment bytes, expected ${cipher.commitmentSize}`);
+        const parts = [header];
+        if (kemCt)
+            parts.push(kemCt);
+        if (commitment)
+            parts.push(commitment);
+        this.preamble = parts.length === 1 ? header : concat(...parts);
     }
     /**
      * @internal
-     * KAT-only factory — injects a fixed nonce so seal output is deterministic.
+     * KAT-only factory, injects a fixed nonce so seal output is deterministic.
      * Stripped from published `.d.ts` by `stripInternal`. Do not use in production.
      */
     static _fromNonce(cipher, key, opts, nonce) {
@@ -121,7 +132,7 @@ export class SealStream {
             this.cipher.wipeKeys(this.keys);
             this.state = 'finalized';
         }
-        // 'failed' already wiped keys; 'finalized' already wiped keys — no-op.
+        // 'failed' already wiped keys; 'finalized' already wiped keys, no-op.
     }
     toTransformStream() {
         let headerSent = false;

package/dist/stream/seal.js

@@ -21,7 +21,7 @@
 //
 // src/ts/stream/seal.ts
 //
-// Seal — unified single-shot encrypt/decrypt using the STREAM construction.
+// Seal, unified single-shot encrypt/decrypt using the STREAM construction.
 // Seal blobs are valid SealStream blobs with a single final chunk.
 // OpenStream can decrypt a Seal blob without modification.
 import { concat } from '../utils.js';
@@ -32,7 +32,7 @@ import { HEADER_SIZE, CHUNK_MAX, CHUNK_MIN } from './constants.js';
 export class Seal {
     static encrypt(suite, key, pt, opts) {
         if (pt.length > CHUNK_MAX)
-            throw new RangeError(`Seal.encrypt: plaintext exceeds maximum (${CHUNK_MAX} bytes) — use SealStream for large data`);
+            throw new RangeError(`Seal.encrypt: plaintext exceeds maximum (${CHUNK_MAX} bytes), use SealStream for large data`);
         const sealer = new SealStream(suite, key, { chunkSize: Math.max(pt.length, CHUNK_MIN) });
         try {
             const ct = sealer.finalize(pt, opts);
@@ -43,9 +43,9 @@ export class Seal {
         }
     }
     static decrypt(suite, key, blob, opts) {
-        const preambleLen = HEADER_SIZE + suite.kemCtSize;
+        const preambleLen = HEADER_SIZE + suite.kemCtSize + suite.commitmentSize;
         if (blob.length < preambleLen)
-            throw new RangeError(`Seal.decrypt: blob too short — need at least ${preambleLen} bytes (got ${blob.length})`);
+            throw new RangeError(`Seal.decrypt: blob too short, need at least ${preambleLen} bytes (got ${blob.length})`);
         const preamble = blob.subarray(0, preambleLen);
         const opener = new OpenStream(suite, key, preamble);
         try {
@@ -57,12 +57,12 @@ export class Seal {
     }
     /**
      * @internal
-     * KAT-only — injects a fixed nonce so output is deterministic.
+     * KAT-only, injects a fixed nonce so output is deterministic.
      * Stripped from published `.d.ts` by `stripInternal`. Do not use in production.
      */
     static _fromNonce(suite, key, pt, nonce, opts) {
         if (pt.length > CHUNK_MAX)
-            throw new RangeError(`Seal._fromNonce: plaintext exceeds maximum (${CHUNK_MAX} bytes) — use SealStream for large data`);
+            throw new RangeError(`Seal._fromNonce: plaintext exceeds maximum (${CHUNK_MAX} bytes), use SealStream for large data`);
         const sealer = SealStream._fromNonce(suite, key, { chunkSize: Math.max(pt.length, CHUNK_MIN) }, nonce);
         try {
             const ct = sealer.finalize(pt, opts);

package/dist/stream/types.d.ts

@@ -1,6 +1,7 @@
 export interface DerivedKeys {
     readonly bytes: Uint8Array;
     readonly kemCiphertext?: Uint8Array;
+    readonly commitment?: Uint8Array;
 }
 export interface CipherSuite {
     readonly formatEnum: number;
@@ -9,10 +10,11 @@ export interface CipherSuite {
     readonly keySize: number;
     readonly decKeySize?: number;
     readonly kemCtSize: number;
+    readonly commitmentSize: number;
     readonly tagSize: number;
     readonly padded: boolean;
     readonly wasmChunkSize: number;
-    deriveKeys(key: Uint8Array, nonce: Uint8Array, kemCt?: Uint8Array): DerivedKeys;
+    deriveKeys(key: Uint8Array, nonce: Uint8Array, kemCt?: Uint8Array, header?: Uint8Array): DerivedKeys;
     sealChunk(keys: DerivedKeys, counterNonce: Uint8Array, chunk: Uint8Array, aad?: Uint8Array): Uint8Array;
     openChunk(keys: DerivedKeys, counterNonce: Uint8Array, chunk: Uint8Array, aad?: Uint8Array): Uint8Array;
     wipeKeys(keys: DerivedKeys): void;

package/dist/stream/types.js

@@ -21,6 +21,6 @@
 //
 // src/ts/stream/types.ts
 //
-// CipherSuite interface — cipher-specific logic injected into SealStream
+// CipherSuite interface, cipher-specific logic injected into SealStream
 // and OpenStream. Implementations are plain objects (not classes).
 export {};

package/dist/types.d.ts

@@ -18,7 +18,7 @@ export interface Streamcipher {
 }
 export interface AEAD {
     encrypt(msg: Uint8Array, aad?: Uint8Array): Uint8Array;
-    /** Decrypt and authenticate. Throws `Error` on authentication failure — never returns null. */
+    /** Decrypt and authenticate. Throws `Error` on authentication failure, never returns null. */
     decrypt(ciphertext: Uint8Array, aad?: Uint8Array): Uint8Array;
     dispose(): void;
 }

package/dist/types.js

@@ -22,5 +22,5 @@
 // src/ts/types.ts
 //
 // Primitive interfaces for leviathan-crypto.
-// No init() dependency — available at import time.
+// No init() dependency, available at import time.
 export {};

package/dist/utils.d.ts

@@ -8,13 +8,13 @@ export declare const utf8ToBytes: (str: string) => Uint8Array;
 export declare const bytesToUtf8: (bytes: Uint8Array) => string;
 /** Base64 or base64url string to Uint8Array. Handles padded, unpadded, and legacy %3d padding. Throws RangeError on invalid input. */
 export declare const base64ToBytes: (b64: string) => Uint8Array;
-/** Uint8Array to base64 string. Pass url=true for base64url (RFC 4648 §5 — no padding characters). */
+/** Uint8Array to base64 string. Pass url=true for base64url (RFC 4648 §5, no padding characters). */
 export declare const bytesToBase64: (bytes: Uint8Array, url?: boolean) => string;
-export declare const CT_MAX_BYTES = 32768;
+export declare const CTE_MAX_BYTES = 32768;
 /**
  * Constant-time byte-array equality.
  * Runs entirely inside a WASM SIMD module (v128 XOR accumulate with
- * branch-free reduction). Throws on runtimes without SIMD support —
+ * branch-free reduction). Throws on runtimes without SIMD support,
  * no JS fallback. Length check is not constant-time (length is
  * non-secret in all protocols). Max input size: 32768 bytes per side.
  */

package/dist/utils.js

@@ -21,17 +21,16 @@
 //
 // src/ts/utils.ts
 //
-// Pure TypeScript utilities — no init() dependency.
-// Ported from leviathan/src/base.ts (Convert namespace, Util namespace, constantTimeEqual).
+// Pure TypeScript utilities, no init() dependency.
 // ── Encoding ────────────────────────────────────────────────────────────────
 /** Hex string to Uint8Array. Accepts lowercase/uppercase, optional 0x prefix. Throws RangeError on odd-length or non-hex input. */
 export const hexToBytes = (hex) => {
     if (hex.startsWith('0x') || hex.startsWith('0X'))
         hex = hex.slice(2);
     if (hex.length % 2)
-        throw new RangeError(`hexToBytes: odd-length string (${hex.length} chars) — input must be an even-length hex string`);
+        throw new RangeError(`hexToBytes: odd-length string (${hex.length} chars), input must be an even-length hex string`);
     // parseInt('0g', 16) returns 0 (not NaN) because it stops at the first
-    // invalid char — silent wrong-answer. Reject non-hex chars up front.
+    // invalid char, silent wrong-answer. Reject non-hex chars up front.
     if (hex.length > 0 && !/^[0-9a-fA-F]*$/.test(hex))
         throw new RangeError('hexToBytes: input contains non-hex characters');
     const bin = new Uint8Array(hex.length >>> 1);
@@ -114,7 +113,7 @@ export const base64ToBytes = (b64) => {
     }
     return bin;
 };
-/** Uint8Array to base64 string. Pass url=true for base64url (RFC 4648 §5 — no padding characters). */
+/** Uint8Array to base64 string. Pass url=true for base64url (RFC 4648 §5, no padding characters). */
 export const bytesToBase64 = (bytes, url = false) => {
     if (typeof btoa !== 'undefined') {
         const raw = btoa(String.fromCharCode.apply(null, Array.from(bytes)));
@@ -141,88 +140,81 @@ export const bytesToBase64 = (bytes, url = false) => {
     return base64;
 };
 // ── Constant-time comparison ────────────────────────────────────────────────
-import { CT_WASM } from './ct-wasm.js';
-let _ctCompare = null;
-let _ctMem = null;
-let _ctInit = false;
-let _ctInitError = null;
-// CT WASM module uses 1 page (64KB) of linear memory with both buffers
-// laid out side-by-side: a at offset 0, b at offset a.length.
-// Max per-side = _ctMem.buffer.byteLength >>> 1 = 32768 bytes.
-// In practice the largest comparison is a 32-byte HMAC-SHA-256 tag.
-export const CT_MAX_BYTES = 32768;
-/**
- * Compile and instantiate the SIMD WASM ct module. On failure, caches the
- * branded error and re-throws on every subsequent call; no retries, no
- * fallback. Throws on runtimes without WebAssembly SIMD and on any
- * instantiation error.
- */
-function _initCt() {
-    if (_ctInit) {
-        if (_ctInitError)
-            throw _ctInitError;
+import { CTE_WASM } from './cte-wasm.js';
+let _cteCompare = null;
+let _cteMem = null;
+let _cteMemView = null;
+let _cteInit = false;
+let _cteInitError = null;
+export const CTE_MAX_BYTES = 32768;
+function _initCte() {
+    if (_cteInit) {
+        if (_cteInitError)
+            throw _cteInitError;
         return;
     }
-    _ctInit = true;
+    _cteInit = true;
     if (!hasSIMD()) {
-        _ctInitError = new Error('leviathan-crypto: constantTimeEqual requires WebAssembly SIMD — '
+        _cteInitError = new Error('leviathan-crypto: constantTimeEqual requires WebAssembly SIMD, '
             + 'this runtime does not support it');
-        throw _ctInitError;
+        throw _cteInitError;
     }
     try {
-        const buf = CT_WASM.buffer.slice(CT_WASM.byteOffset, CT_WASM.byteOffset + CT_WASM.byteLength);
+        const buf = CTE_WASM.buffer.slice(CTE_WASM.byteOffset, CTE_WASM.byteOffset + CTE_WASM.byteLength);
         const mod = new WebAssembly.Module(buf);
         const inst = new WebAssembly.Instance(mod);
         const exports = inst.exports;
-        _ctMem = exports.memory;
-        _ctCompare = exports.compare;
+        _cteMem = exports.memory;
+        _cteMemView = new Uint8Array(_cteMem.buffer);
+        _cteCompare = exports.compare;
     }
     catch (cause) {
-        _ctInitError = new Error(`leviathan-crypto: ct WASM module failed to instantiate: ${cause.message}`);
-        throw _ctInitError;
+        _cteInitError = new Error(`leviathan-crypto: cte WASM module failed to instantiate: ${cause.message}`);
+        throw _cteInitError;
     }
 }
 /**
  * Constant-time byte-array equality.
  * Runs entirely inside a WASM SIMD module (v128 XOR accumulate with
- * branch-free reduction). Throws on runtimes without SIMD support —
+ * branch-free reduction). Throws on runtimes without SIMD support,
  * no JS fallback. Length check is not constant-time (length is
  * non-secret in all protocols). Max input size: 32768 bytes per side.
  */
 export const constantTimeEqual = (a, b) => {
     if (a.length !== b.length)
         return false;
-    if (a.length > CT_MAX_BYTES)
-        throw new RangeError(`constantTimeEqual: max ${CT_MAX_BYTES} bytes (got ${a.length})`);
-    _initCt();
-    // Copy module-level refs to locals. _initCt() either populates both
-    // _ctMem and _ctCompare or throws; the null check below is a defensive
-    // invariant guard that is unreachable on a correctly-initialized module.
-    const memObj = _ctMem;
-    const compare = _ctCompare;
-    if (!memObj || !compare)
-        throw new Error('leviathan-crypto: ct init invariant violated');
-    const mem = new Uint8Array(memObj.buffer);
+    if (a.length > CTE_MAX_BYTES)
+        throw new RangeError(`constantTimeEqual: max ${CTE_MAX_BYTES} bytes (got ${a.length})`);
+    _initCte();
+    const mem = _cteMemView;
+    const compare = _cteCompare;
+    if (!mem || !compare)
+        throw new Error('leviathan-crypto: cte init invariant violated');
     mem.set(a, 0);
     mem.set(b, a.length);
     try {
         return compare(0, a.length, a.length) === 1;
     }
     finally {
-        mem.fill(0, 0, a.length * 2);
+        // Wipe the full cte memory region, not just the bytes we wrote.
+        // Defense in depth against stale residue from longer prior calls.
+        // The module-private WASM memory is never read from outside this
+        // function, but we keep the surface clean regardless.
+        mem.fill(0, 0, CTE_MAX_BYTES * 2);
     }
 };
 /**
- * Reset the internal CT WASM cache, including any cached initialization
+ * Reset the internal CTE WASM cache, including any cached initialization
  * error. Exists so the test suite can force re-instantiation across
  * describe blocks.
  * @internal
  */
-export function _ctResetForTesting() {
-    _ctInit = false;
-    _ctCompare = null;
-    _ctMem = null;
-    _ctInitError = null;
+export function _cteResetForTesting() {
+    _cteInit = false;
+    _cteCompare = null;
+    _cteMem = null;
+    _cteMemView = null;
+    _cteInitError = null;
 }
 /** Zero a typed array in place. */
 export const wipe = (data) => {
@@ -249,7 +241,7 @@ export const concat = (...arrays) => {
 export const randomBytes = (n) => {
     if (typeof globalThis.crypto === 'undefined'
         || typeof globalThis.crypto.getRandomValues !== 'function')
-        throw new Error('leviathan-crypto: crypto.getRandomValues is required — '
+        throw new Error('leviathan-crypto: crypto.getRandomValues is required, '
             + 'this runtime does not expose the Web Crypto API');
     const buf = new Uint8Array(n);
     globalThis.crypto.getRandomValues(buf);
@@ -269,7 +261,7 @@ export function hasSIMD() {
         _simd = false;
         return _simd;
     }
-    // Minimal WASM module using v128 — validates iff SIMD is supported
+    // Minimal WASM module using v128, validates iff SIMD is supported
     try {
         _simd = WebAssembly.validate(new Uint8Array([
             0, 97, 115, 109, 1, 0, 0, 0, 1, 5, 1, 96, 0, 1, 123,

package/dist/wasm-source.d.ts

@@ -1,13 +1,13 @@
 /**
  * All accepted forms of WASM input for init functions.
  *
- * - `string`                   — gzip+base64 embedded blob (from `/embedded` subpath)
- * - `URL`                      — streaming-compiled from `fetch(url)`
- * - `ArrayBuffer`              — raw WASM bytes, compiled inline
- * - `Uint8Array`               — raw WASM bytes, compiled inline
- * - `WebAssembly.Module`       — pre-compiled module (Cloudflare Workers, edge runtimes)
- * - `Response`                 — streaming-compiled from an in-flight fetch
- * - `PromiseLike<WasmSource>`  — any thenable resolving to another `WasmSource`; nesting
+ * - `string`                  , gzip+base64 embedded blob (from `/embedded` subpath)
+ * - `URL`                     , streaming-compiled from `fetch(url)`
+ * - `ArrayBuffer`             , raw WASM bytes, compiled inline
+ * - `Uint8Array`              , raw WASM bytes, compiled inline
+ * - `WebAssembly.Module`      , pre-compiled module (Cloudflare Workers, edge runtimes)
+ * - `Response`                , streaming-compiled from an in-flight fetch
+ * - `PromiseLike<WasmSource>` , any thenable resolving to another `WasmSource`; nesting
  *                                is resolved recursively (max depth 3).
  */
 export type WasmSource = string | URL | ArrayBuffer | Uint8Array | WebAssembly.Module | Response | PromiseLike<WasmSource>;

package/dist/wasm-source.js

@@ -22,5 +22,5 @@
 // src/ts/wasm-source.ts
 //
 // Union type for all accepted WASM loading strategies.
-// The argument type determines the loading path — no mode string required.
+// The argument type determines the loading path, no mode string required.
 export {};

package/dist/x25519/embedded.d.ts

@@ -0,0 +1 @@
+export { WASM_GZ_BASE64 as curve25519Wasm, WASM_GZ_BASE64 as x25519Wasm, } from '../embedded/curve25519.js';