leviathan-crypto 2.1.0 → 3.0.0

package/dist/aes/index.js

@@ -0,0 +1,125 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/aes/index.ts
+//
+// Public API classes for the AES WASM module.
+// AES-128/192/256 supported.
+import { getInstance, initModule, _assertNotOwned } from '../init.js';
+/**
+ * Load and initialise the AES WASM module from `source`.
+ * Must be called before constructing any AES class.
+ * @param source  WASM binary, gzip+base64 string, URL, ArrayBuffer, Uint8Array,
+ *                pre-compiled WebAssembly.Module, Response, or Promise<Response>
+ */
+export async function aesInit(source) {
+    return initModule('aes', source);
+}
+export { isInitialized } from '../init.js';
+/** Returns the raw AES WASM export object. @internal */
+function getExports() {
+    return getInstance('aes').exports;
+}
+// ── AES ─────────────────────────────────────────────────────────────────────
+/**
+ * Low-level AES block cipher, raw ECB encrypt + decrypt.
+ *
+ * AES-128/192/256 supported. `loadKey` accepts 16, 24, or 32 byte keys;
+ * Nr (10, 12, or 14) is derived and persisted in WASM memory between
+ * `loadKey` and the cipher calls.
+ *
+ * Decrypt uses the FIPS 197 §5.3.5 Equivalent Inverse Cipher: the round
+ * loop mirrors encrypt, and round keys 1..Nr-1 are pre-transformed by
+ * InvMixColumns inside `loadKey`.
+ *
+ * Atomic (stateless): each method call is independent. Does not hold
+ * exclusive module access. Call `dispose()` after use to wipe WASM key
+ * material.
+ */
+export class AES {
+    x;
+    constructor() {
+        this.x = getExports();
+    }
+    /**
+     * Expand `key` into the WASM key schedule (forward + EqInvCipher
+     * inverse round keys). Must be called before `encryptBlock` or
+     * `decryptBlock`.
+     * @param key  16, 24, or 32 bytes (AES-128 / 192 / 256)
+     */
+    loadKey(key) {
+        _assertNotOwned('aes');
+        if (key.length !== 16 && key.length !== 24 && key.length !== 32)
+            throw new RangeError(`AES.loadKey: key must be 16, 24, or 32 bytes (got ${key.length})`);
+        const mem = new Uint8Array(this.x.memory.buffer);
+        mem.set(key, this.x.getKeyOffset());
+        if (this.x.loadKey(key.length) !== 0) {
+            this.x.wipeBuffers();
+            throw new Error('loadKey failed');
+        }
+    }
+    /**
+     * Encrypt one 128-bit block with the previously loaded key schedule.
+     * FIPS 197 §5.1 Algorithm 1, Nr ∈ {10, 12, 14}.
+     * @param plaintext  16-byte plaintext block
+     * @returns          16-byte ciphertext block
+     */
+    encryptBlock(plaintext) {
+        _assertNotOwned('aes');
+        if (plaintext.length !== 16)
+            throw new RangeError(`block must be 16 bytes (got ${plaintext.length})`);
+        const mem = new Uint8Array(this.x.memory.buffer);
+        const ptOff = this.x.getBlockPtOffset();
+        const ctOff = this.x.getBlockCtOffset();
+        mem.set(plaintext, ptOff);
+        this.x.encryptBlock();
+        return mem.slice(ctOff, ctOff + 16);
+    }
+    /**
+     * Decrypt one 128-bit block with the previously loaded key schedule.
+     * FIPS 197 §5.3.5 Equivalent Inverse Cipher, Nr ∈ {10, 12, 14}.
+     * @param ciphertext  16-byte ciphertext block
+     * @returns           16-byte plaintext block
+     */
+    decryptBlock(ciphertext) {
+        _assertNotOwned('aes');
+        if (ciphertext.length !== 16)
+            throw new RangeError(`block must be 16 bytes (got ${ciphertext.length})`);
+        const mem = new Uint8Array(this.x.memory.buffer);
+        const ptOff = this.x.getBlockPtOffset();
+        const ctOff = this.x.getBlockCtOffset();
+        mem.set(ciphertext, ptOff);
+        this.x.decryptBlock();
+        return mem.slice(ctOff, ctOff + 16);
+    }
+    /** Wipe WASM key material and intermediate buffers. */
+    dispose() {
+        _assertNotOwned('aes');
+        this.x.wipeBuffers();
+    }
+}
+// ── CBC + CTR + GCM mode wrappers ───────────────────────────────────────────
+export { AESCbc } from './aes-cbc.js';
+export { AESCtr } from './aes-ctr.js';
+export { AESGCM } from './aes-gcm.js';
+export { AESGCMSIV } from './aes-gcm-siv.js';
+export { AESGenerator } from './generator.js';
+export { AESGCMSIVCipher } from './cipher-suite.js';

package/dist/aes/ops.d.ts

@@ -0,0 +1,60 @@
+import type { AesExports } from './types.js';
+/**
+ * AES-256-GCM-SIV AEAD encrypt (RFC 8452). Single-shot per call; the
+ * plaintext is bounded by the AES module's WASM CHUNK_SIZE.
+ *
+ * Stage: write KGK at KEY_OFFSET, expand round keys, write nonce/AAD/PT
+ * into their slots, run `sivDeriveKeys(NONCE_OFFSET)`, then `sivSeal`.
+ * `sivSeal` overwrites CHUNK_PT with the ciphertext in place; the tag
+ * lands at TAG_OFFSET.
+ *
+ * @note AES-256 only, the key MUST be 32 bytes. The standalone
+ *       `AESGCMSIV` class accepts both 16-byte (AES-128) and 32-byte
+ *       (AES-256) keys per RFC 8452 §6, but this `ops.ts` path is the
+ *       internal helper for `AESGCMSIVCipher` and the AES pool worker,
+ *       both of which fix the cipher suite at AES-256 to keep the wire
+ *       format uniform across deployments. A 16-byte key here throws
+ *       `RangeError('AES-GCM-SIV: key must be 32 bytes (got 16)')`. Use
+ *       the `AESGCMSIV` class directly if you need AES-128.
+ *
+ * @param x          AES WASM exports
+ * @param key        32-byte AES-256 key (KGK in RFC 8452 terminology)
+ * @param nonce      12-byte nonce, must be unique per `(key, message)`
+ *                   under the standard nonce-respecting model; reuse is
+ *                   tolerated by the SIV construction but reduces IND-CPA
+ *                   to message-equality leakage
+ * @param plaintext  Data to encrypt; must be ≤ `x.getChunkSize()`
+ * @param aad        Additional authenticated data; must be ≤ 64 KiB
+ * @returns          `{ ciphertext, tag }`, tag is 16 bytes
+ */
+export declare function sivAeadEncrypt(x: AesExports, key: Uint8Array, nonce: Uint8Array, plaintext: Uint8Array, aad: Uint8Array): {
+    ciphertext: Uint8Array;
+    tag: Uint8Array;
+};
+/**
+ * AES-256-GCM-SIV AEAD decrypt (RFC 8452). Verify-after-decrypt, the
+ * tag is a function of the plaintext, so SIV reconstructs the plaintext
+ * before recomputing and comparing the tag in constant time.
+ *
+ * On mismatch, `sivWipeOnFail()` zeroes the unauthenticated plaintext at
+ * CHUNK_PT_OFFSET before this function throws. Subsequent reads of
+ * the WASM memory cannot recover plaintext from a forged ciphertext.
+ *
+ * @note AES-256 only, the key MUST be 32 bytes (matching
+ *       `sivAeadEncrypt`). The standalone `AESGCMSIV` class supports
+ *       both AES-128 and AES-256, but this `ops.ts` helper is the
+ *       internal path used by `AESGCMSIVCipher` and the AES pool
+ *       worker, both of which fix the cipher suite at AES-256. A
+ *       16-byte key here throws
+ *       `RangeError('AES-GCM-SIV: key must be 32 bytes (got 16)')`.
+ *
+ * @param x           AES WASM exports
+ * @param key         32-byte AES-256 key
+ * @param nonce       12-byte nonce, must match the value used to encrypt
+ * @param ciphertext  Ciphertext bytes (must be ≤ `x.getChunkSize()`)
+ * @param tag         16-byte SIV tag
+ * @param aad         Additional authenticated data
+ * @param cipherName  Error label for `AuthenticationError` (default 'aes-gcm-siv')
+ * @returns           Plaintext
+ */
+export declare function sivAeadDecrypt(x: AesExports, key: Uint8Array, nonce: Uint8Array, ciphertext: Uint8Array, tag: Uint8Array, aad: Uint8Array, cipherName?: string): Uint8Array;

package/dist/aes/ops.js

@@ -0,0 +1,164 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/aes/ops.ts
+//
+// Raw AES-GCM-SIV operations, standalone functions that take AesExports
+// explicitly. Used by both `AESGCMSIVCipher` (cipher-suite.ts) and the
+// pool worker (pool-worker.ts), eliminating duplication.
+//
+// This file MUST NOT import from `../init.js`. Pool workers have their
+// own WASM instances; importing init in shared ops would couple them.
+// The cipher suite obtains exports via getInstance at the call site and
+// passes them down.
+import { constantTimeEqual, wipe } from '../utils.js';
+import { AuthenticationError } from '../errors.js';
+const KEY_LEN_256 = 32;
+const NONCE_LEN = 12;
+const TAG_LEN = 16;
+const MAX_AAD = 65536;
+/**
+ * AES-256-GCM-SIV AEAD encrypt (RFC 8452). Single-shot per call; the
+ * plaintext is bounded by the AES module's WASM CHUNK_SIZE.
+ *
+ * Stage: write KGK at KEY_OFFSET, expand round keys, write nonce/AAD/PT
+ * into their slots, run `sivDeriveKeys(NONCE_OFFSET)`, then `sivSeal`.
+ * `sivSeal` overwrites CHUNK_PT with the ciphertext in place; the tag
+ * lands at TAG_OFFSET.
+ *
+ * @note AES-256 only, the key MUST be 32 bytes. The standalone
+ *       `AESGCMSIV` class accepts both 16-byte (AES-128) and 32-byte
+ *       (AES-256) keys per RFC 8452 §6, but this `ops.ts` path is the
+ *       internal helper for `AESGCMSIVCipher` and the AES pool worker,
+ *       both of which fix the cipher suite at AES-256 to keep the wire
+ *       format uniform across deployments. A 16-byte key here throws
+ *       `RangeError('AES-GCM-SIV: key must be 32 bytes (got 16)')`. Use
+ *       the `AESGCMSIV` class directly if you need AES-128.
+ *
+ * @param x          AES WASM exports
+ * @param key        32-byte AES-256 key (KGK in RFC 8452 terminology)
+ * @param nonce      12-byte nonce, must be unique per `(key, message)`
+ *                   under the standard nonce-respecting model; reuse is
+ *                   tolerated by the SIV construction but reduces IND-CPA
+ *                   to message-equality leakage
+ * @param plaintext  Data to encrypt; must be ≤ `x.getChunkSize()`
+ * @param aad        Additional authenticated data; must be ≤ 64 KiB
+ * @returns          `{ ciphertext, tag }`, tag is 16 bytes
+ */
+export function sivAeadEncrypt(x, key, nonce, plaintext, aad) {
+    if (key.length !== KEY_LEN_256)
+        throw new RangeError(`AES-GCM-SIV: key must be ${KEY_LEN_256} bytes (got ${key.length})`);
+    if (nonce.length !== NONCE_LEN)
+        throw new RangeError(`AES-GCM-SIV: nonce must be ${NONCE_LEN} bytes (got ${nonce.length})`);
+    const maxChunk = x.getChunkSize();
+    if (plaintext.length > maxChunk)
+        throw new RangeError(`AES-GCM-SIV: plaintext exceeds ${maxChunk} bytes, split into smaller chunks`);
+    if (aad.length > MAX_AAD)
+        throw new RangeError(`AES-GCM-SIV: AAD must be ≤ ${MAX_AAD} bytes (got ${aad.length})`);
+    const mem = new Uint8Array(x.memory.buffer);
+    mem.set(key, x.getKeyOffset());
+    if (x.loadKey(KEY_LEN_256) !== 0) {
+        x.wipeBuffers();
+        throw new Error('AES-GCM-SIV: loadKey failed');
+    }
+    mem.set(nonce, x.getNonceOffset());
+    if (aad.length > 0)
+        mem.set(aad, x.getAadOffset());
+    mem.set(plaintext, x.getChunkPtOffset());
+    x.sivDeriveKeys(x.getNonceOffset());
+    x.sivSeal(aad.length, plaintext.length);
+    // sivSeal writes the ciphertext in place at CHUNK_PT_OFFSET.
+    const ctOff = x.getChunkPtOffset();
+    const tagOff = x.getTagOffset();
+    const memView = new Uint8Array(x.memory.buffer);
+    const ciphertext = memView.slice(ctOff, ctOff + plaintext.length);
+    const tag = memView.slice(tagOff, tagOff + TAG_LEN);
+    return { ciphertext, tag };
+}
+/**
+ * AES-256-GCM-SIV AEAD decrypt (RFC 8452). Verify-after-decrypt, the
+ * tag is a function of the plaintext, so SIV reconstructs the plaintext
+ * before recomputing and comparing the tag in constant time.
+ *
+ * On mismatch, `sivWipeOnFail()` zeroes the unauthenticated plaintext at
+ * CHUNK_PT_OFFSET before this function throws. Subsequent reads of
+ * the WASM memory cannot recover plaintext from a forged ciphertext.
+ *
+ * @note AES-256 only, the key MUST be 32 bytes (matching
+ *       `sivAeadEncrypt`). The standalone `AESGCMSIV` class supports
+ *       both AES-128 and AES-256, but this `ops.ts` helper is the
+ *       internal path used by `AESGCMSIVCipher` and the AES pool
+ *       worker, both of which fix the cipher suite at AES-256. A
+ *       16-byte key here throws
+ *       `RangeError('AES-GCM-SIV: key must be 32 bytes (got 16)')`.
+ *
+ * @param x           AES WASM exports
+ * @param key         32-byte AES-256 key
+ * @param nonce       12-byte nonce, must match the value used to encrypt
+ * @param ciphertext  Ciphertext bytes (must be ≤ `x.getChunkSize()`)
+ * @param tag         16-byte SIV tag
+ * @param aad         Additional authenticated data
+ * @param cipherName  Error label for `AuthenticationError` (default 'aes-gcm-siv')
+ * @returns           Plaintext
+ */
+export function sivAeadDecrypt(x, key, nonce, ciphertext, tag, aad, cipherName = 'aes-gcm-siv') {
+    if (key.length !== KEY_LEN_256)
+        throw new RangeError(`AES-GCM-SIV: key must be ${KEY_LEN_256} bytes (got ${key.length})`);
+    if (nonce.length !== NONCE_LEN)
+        throw new RangeError(`AES-GCM-SIV: nonce must be ${NONCE_LEN} bytes (got ${nonce.length})`);
+    if (tag.length !== TAG_LEN)
+        throw new RangeError(`AES-GCM-SIV: tag must be ${TAG_LEN} bytes (got ${tag.length})`);
+    const maxChunk = x.getChunkSize();
+    if (ciphertext.length > maxChunk)
+        throw new RangeError(`AES-GCM-SIV: ciphertext exceeds ${maxChunk} bytes, split into smaller chunks`);
+    if (aad.length > MAX_AAD)
+        throw new RangeError(`AES-GCM-SIV: AAD must be ≤ ${MAX_AAD} bytes (got ${aad.length})`);
+    const mem = new Uint8Array(x.memory.buffer);
+    mem.set(key, x.getKeyOffset());
+    if (x.loadKey(KEY_LEN_256) !== 0) {
+        x.wipeBuffers();
+        throw new Error('AES-GCM-SIV: loadKey failed');
+    }
+    mem.set(nonce, x.getNonceOffset());
+    if (aad.length > 0)
+        mem.set(aad, x.getAadOffset());
+    mem.set(ciphertext, x.getChunkCtOffset());
+    // sivOpen reads the provided tag from SIV_IC_OFFSET (the CTR initial
+    // counter slot, RFC 8452 §4, where the tag drives the CTR start).
+    mem.set(tag, x.getSivIcOffset());
+    x.sivDeriveKeys(x.getNonceOffset());
+    x.sivOpen(aad.length, ciphertext.length);
+    // Read the recomputed expected tag from TAG_OFFSET. slice() so the
+    // buffer survives any subsequent WASM memory growth.
+    const memView = new Uint8Array(x.memory.buffer);
+    const expectedTag = memView.slice(x.getTagOffset(), x.getTagOffset() + TAG_LEN);
+    // Defensive copy of the provided tag for the constant-time compare,
+    // callers may pass a view over a mutable buffer.
+    const providedTagCopy = new Uint8Array(tag);
+    if (!constantTimeEqual(expectedTag, providedTagCopy)) {
+        x.sivWipeOnFail();
+        wipe(expectedTag);
+        wipe(providedTagCopy);
+        throw new AuthenticationError(cipherName);
+    }
+    const ptOff = x.getChunkPtOffset();
+    return memView.slice(ptOff, ptOff + ciphertext.length);
+}

package/dist/aes/pool-worker.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/aes/pool-worker.js

@@ -0,0 +1,92 @@
+// / <reference lib="webworker" />
+// src/ts/aes/pool-worker.ts
+//
+// Worker for SealStreamPool with AESGCMSIVCipher.
+// Holds derived AES-256-GCM-SIV key and the AES WASM instance for the
+// pool's lifetime. Per-job: AES-GCM-SIV AEAD with 12-byte counter nonce.
+import { sivAeadEncrypt, sivAeadDecrypt } from './ops.js';
+import { AuthenticationError } from '../errors.js';
+let x;
+let derivedKey;
+/**
+ * Message handler for the AES pool worker.
+ *
+ * Accepts three message types:
+ * - `'init'` , instantiate the aes WASM module and store the derived AES key
+ * - `'wipe'` , zero key and WASM buffers, then post `{ type: 'wiped' }`
+ * - `{ op: 'seal' | 'open', ... }`, encrypt or decrypt one chunk
+ *
+ * Replies with `{ type: 'result', id, data }` on success or
+ * `{ type: 'error', id, message, isAuthError }` on failure.
+ */
+self.onmessage = async (e) => {
+    const msg = e.data;
+    if (msg.type === 'init') {
+        try {
+            // AES module is 4 pages = 256 KiB; matches src/asm/aes/buffers.ts.
+            const mem = new WebAssembly.Memory({ initial: 4, maximum: 4 });
+            const mod = msg.modules.aes;
+            const inst = await WebAssembly.instantiate(mod, { env: { memory: mem } });
+            x = inst.exports;
+            derivedKey = new Uint8Array(msg.derivedKeyBytes);
+            if (derivedKey.length !== 32)
+                throw new Error(`expected 32 derived key bytes (got ${derivedKey.length})`);
+            msg.derivedKeyBytes.fill(0);
+            self.postMessage({ type: 'ready' });
+        }
+        catch (err) {
+            if (msg.derivedKeyBytes)
+                msg.derivedKeyBytes.fill(0);
+            self.postMessage({ type: 'error', id: -1, message: err.message, isAuthError: false });
+        }
+        return;
+    }
+    if (msg.type === 'wipe') {
+        if (derivedKey)
+            derivedKey.fill(0);
+        derivedKey = undefined;
+        if (x)
+            x.wipeBuffers();
+        x = undefined;
+        self.postMessage({ type: 'wiped' });
+        return;
+    }
+    if (!x || !derivedKey) {
+        self.postMessage({ type: 'error', id: msg.id, message: 'worker not initialized', isAuthError: false });
+        return;
+    }
+    try {
+        const { id, op, counterNonce, data, aad } = msg;
+        const aadBytes = aad ?? new Uint8Array(0);
+        const jobKey = msg.derivedKeyBytes ?? derivedKey;
+        let result;
+        if (op === 'seal') {
+            const { ciphertext, tag } = sivAeadEncrypt(x, jobKey, counterNonce, data, aadBytes);
+            result = new Uint8Array(ciphertext.length + 16);
+            result.set(ciphertext);
+            result.set(tag, ciphertext.length);
+        }
+        else {
+            const ct = data.subarray(0, data.length - 16);
+            const tag = data.subarray(data.length - 16);
+            result = sivAeadDecrypt(x, jobKey, counterNonce, ct, tag, aadBytes, 'aes-gcm-siv');
+        }
+        const transfer = result.buffer instanceof ArrayBuffer ? [result.buffer] : [];
+        self.postMessage({ type: 'result', id, data: result }, { transfer });
+    }
+    catch (err) {
+        const isAuth = err instanceof AuthenticationError;
+        self.postMessage({
+            type: 'error', id: msg.id,
+            message: err.message,
+            cipher: isAuth ? 'aes-gcm-siv' : undefined,
+            isAuthError: isAuth,
+        });
+    }
+    finally {
+        if (msg.derivedKeyBytes)
+            msg.derivedKeyBytes.fill(0);
+        if (x)
+            x.wipeBuffers();
+    }
+};

package/dist/aes/types.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/aes/types.js

@@ -0,0 +1,23 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/aes/types.ts
+export {};

package/dist/blake3/embedded.d.ts

@@ -0,0 +1 @@
+export { WASM_GZ_BASE64 as blake3Wasm } from '../embedded/blake3.js';

package/dist/blake3/embedded.js

@@ -0,0 +1,26 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/blake3/embedded.ts
+//
+// Exports the gzip+base64 blake3 WASM blob for use as a WasmSource.
+// Import via `leviathan-crypto/blake3/embedded`.
+export { WASM_GZ_BASE64 as blake3Wasm } from '../embedded/blake3.js';

package/dist/blake3/index.d.ts

@@ -0,0 +1,143 @@
+import { isInitialized } from '../init.js';
+import type { WasmSource } from '../wasm-source.js';
+import type { HashFn } from '../types.js';
+import type { Blake3Exports } from './types.js';
+export type { WasmSource };
+export type { Blake3Exports };
+export { isInitialized };
+export declare function blake3Init(source: WasmSource): Promise<void>;
+/**
+ * BLAKE3 default-mode hash (BLAKE3 §2.3 Modes — `hash`).
+ *
+ * One-shot: `hash(msg, outLen?)` runs the full chunk / tree / root
+ * pipeline and returns `outLen` (default 32) bytes of XOF output.
+ * Module exclusivity is acquired and released per call.
+ */
+export declare class BLAKE3 {
+    private readonly x;
+    constructor();
+    hash(msg: Uint8Array, outLen?: number): Uint8Array;
+    dispose(): void;
+}
+/**
+ * BLAKE3 keyed_hash (BLAKE3 §2.3 Modes — `keyed_hash`).
+ *
+ * The 32-byte key seeds the chunk machine in place of the BLAKE3 IV and
+ * every compress carries the KEYED_HASH flag. Use cases include MACs and
+ * keyed-pseudorandom generation; the construction is a PRF when the key
+ * is uniform and secret.
+ */
+export declare class BLAKE3KeyedHash {
+    private readonly x;
+    constructor();
+    hash(key: Uint8Array, msg: Uint8Array, outLen?: number): Uint8Array;
+    dispose(): void;
+}
+/**
+ * BLAKE3 derive_key (BLAKE3 §2.3 Modes — `derive_key`).
+ *
+ * Two-pass KDF: pass 1 hashes the context string with the
+ * DERIVE_KEY_CONTEXT flag, pass 2 hashes the key material with the
+ * DERIVE_KEY_MATERIAL flag using the pass-1 output as its starting CV.
+ * Context strings are conventionally hardcoded UTF-8 application
+ * constants; empty contexts are rejected by `validateContext`.
+ */
+export declare class BLAKE3DeriveKey {
+    private readonly x;
+    constructor();
+    derive(context: string | Uint8Array, material: Uint8Array, outLen?: number): Uint8Array;
+    dispose(): void;
+}
+/**
+ * Streaming BLAKE3 default-mode hash (BLAKE3 §2.3 Modes — `hash`).
+ *
+ * `update()` accepts chunks of any size; `finalize()` returns the
+ * `outLen`-byte (default 32) digest and disposes the instance. Holds
+ * exclusive access to the `blake3` WASM module from construction until
+ * `dispose()` or `finalize()` / `finalizeXof()`.
+ */
+export declare class BLAKE3Stream {
+    private readonly x;
+    private _tok;
+    private readonly _state;
+    constructor();
+    update(chunk: Uint8Array): this;
+    finalize(outLen?: number): Uint8Array;
+    finalizeXof(): BLAKE3OutputReader;
+    dispose(): void;
+    private _checkLive;
+}
+/**
+ * Streaming BLAKE3 keyed_hash (BLAKE3 §2.3 Modes). Key is bound at construction
+ * time. Same lifecycle as `BLAKE3Stream`.
+ */
+export declare class BLAKE3KeyedHashStream {
+    private readonly x;
+    private _tok;
+    private readonly _state;
+    private readonly _key;
+    constructor(key: Uint8Array);
+    update(chunk: Uint8Array): this;
+    finalize(outLen?: number): Uint8Array;
+    finalizeXof(): BLAKE3OutputReader;
+    dispose(): void;
+    private _checkLive;
+}
+/**
+ * Streaming BLAKE3 derive_key (BLAKE3 §2.3 Modes). Context is bound at
+ * construction time; updates stream the material; finalize derives.
+ * Same lifecycle as `BLAKE3Stream`.
+ */
+export declare class BLAKE3DeriveKeyStream {
+    private readonly x;
+    private _tok;
+    private readonly _state;
+    private readonly _ctxBytes;
+    constructor(context: string | Uint8Array);
+    update(chunk: Uint8Array): this;
+    finalize(outLen?: number): Uint8Array;
+    finalizeXof(): BLAKE3OutputReader;
+    dispose(): void;
+    private _checkLive;
+}
+/**
+ * BLAKE3 XOF reader (BLAKE3 §2.6 Extendable Output).
+ *
+ * Sequential `read(nBytes)` calls squeeze the next bytes of XOF output.
+ * Constructed via `finalizeXof()` on a streaming class. Holds module
+ * exclusivity until `dispose()`.
+ *
+ * Implementation: the first `read()` runs the underlying hash entry once
+ * to populate the WASM-side root-compress snapshot (ROOT_STATE_*), then
+ * caches the first 64-byte XOF block. Subsequent reads pump
+ * `squeezeXofBlock` on the WASM module with an incrementing counter to
+ * lift additional 64-byte blocks off the snapshot. The reader's lifetime
+ * coincides with its hold on the module token, so `ROOT_STATE_*` stays
+ * intact between read calls (no other consumer can fire a hash that
+ * would clobber it).
+ */
+export declare class BLAKE3OutputReader {
+    private readonly x;
+    private _tok;
+    private readonly _mode;
+    private readonly _input;
+    private readonly _key;
+    private readonly _ctx;
+    private readonly _blockBuf;
+    private _blockPos;
+    private _nextCounter;
+    private _populated;
+    read(nBytes: number): Uint8Array;
+    dispose(): void;
+    private _populate;
+    private _squeezeNextBlock;
+}
+/**
+ * Stateless BLAKE3-256 HashFn. Shape mirrors `SHA256Hash` in
+ * `src/ts/sha2/hash.ts`: 32-byte output, single WASM module dependency,
+ * `digest(msg)` runs a one-shot hash with default `outLen`.
+ *
+ * Usable as a Fortuna accumulator / reseed hash when paired with a
+ * matching 32-byte-key Generator.
+ */
+export declare const BLAKE3Hash: HashFn;