npm - leviathan-crypto - Versions diffs - 2.1.0 → 3.0.0 - Mend

leviathan-crypto 2.1.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (296) hide show

package/CLAUDE.md +86 -443
package/README.md +198 -65
package/dist/aes/aes-cbc.d.ts +40 -0
package/dist/aes/aes-cbc.js +158 -0
package/dist/aes/aes-ctr.d.ts +50 -0
package/dist/aes/aes-ctr.js +141 -0
package/dist/aes/aes-gcm-siv.d.ts +67 -0
package/dist/aes/aes-gcm-siv.js +217 -0
package/dist/aes/aes-gcm.d.ts +61 -0
package/dist/aes/aes-gcm.js +226 -0
package/dist/aes/cipher-suite.d.ts +21 -0
package/dist/aes/cipher-suite.js +179 -0
package/dist/aes/embedded.d.ts +1 -0
package/dist/aes/embedded.js +26 -0
package/dist/aes/generator.d.ts +14 -0
package/dist/aes/generator.js +103 -0
package/dist/aes/index.d.ts +58 -0
package/dist/aes/index.js +125 -0
package/dist/aes/ops.d.ts +60 -0
package/dist/aes/ops.js +164 -0
package/dist/aes/pool-worker.d.ts +1 -0
package/dist/aes/pool-worker.js +92 -0
package/dist/aes/types.d.ts +1 -0
package/dist/aes/types.js +23 -0
package/dist/aes.wasm +0 -0
package/dist/blake3/embedded.d.ts +1 -0
package/dist/blake3/embedded.js +26 -0
package/dist/blake3/index.d.ts +143 -0
package/dist/blake3/index.js +620 -0
package/dist/blake3/types.d.ts +102 -0
package/dist/blake3/types.js +31 -0
package/dist/blake3/validate.d.ts +29 -0
package/dist/blake3/validate.js +80 -0
package/dist/blake3.wasm +0 -0
package/dist/chacha20/cipher-suite.js +47 -25
package/dist/chacha20/generator.d.ts +2 -2
package/dist/chacha20/generator.js +4 -4
package/dist/chacha20/index.d.ts +16 -15
package/dist/chacha20/index.js +52 -46
package/dist/chacha20/ops.d.ts +7 -7
package/dist/chacha20/ops.js +34 -34
package/dist/chacha20/pool-worker.js +5 -3
package/dist/cte-wasm.d.ts +1 -0
package/dist/cte-wasm.js +3 -0
package/dist/curve25519.wasm +0 -0
package/dist/ecdsa/der.d.ts +23 -0
package/dist/ecdsa/der.js +192 -0
package/dist/ecdsa/ecprivatekey-der.d.ts +32 -0
package/dist/ecdsa/ecprivatekey-der.js +230 -0
package/dist/ecdsa/embedded.d.ts +1 -0
package/dist/ecdsa/embedded.js +25 -0
package/dist/ecdsa/index.d.ts +124 -0
package/dist/ecdsa/index.js +366 -0
package/dist/ecdsa/types.d.ts +31 -0
package/dist/ecdsa/types.js +28 -0
package/dist/ecdsa/validate.d.ts +18 -0
package/dist/ecdsa/validate.js +92 -0
package/dist/ed25519/embedded.d.ts +1 -0
package/dist/ed25519/embedded.js +31 -0
package/dist/ed25519/index.d.ts +70 -0
package/dist/ed25519/index.js +308 -0
package/dist/ed25519/types.d.ts +27 -0
package/dist/ed25519/types.js +27 -0
package/dist/ed25519/validate.d.ts +7 -0
package/dist/ed25519/validate.js +77 -0
package/dist/embedded/aes-pool-worker.d.ts +1 -0
package/dist/embedded/aes-pool-worker.js +5 -0
package/dist/embedded/aes.d.ts +1 -0
package/dist/embedded/aes.js +3 -0
package/dist/embedded/blake3.d.ts +1 -0
package/dist/embedded/blake3.js +3 -0
package/dist/embedded/chacha20-pool-worker.d.ts +1 -1
package/dist/embedded/chacha20-pool-worker.js +2 -2
package/dist/embedded/chacha20.d.ts +1 -1
package/dist/embedded/chacha20.js +2 -2
package/dist/embedded/curve25519.d.ts +1 -0
package/dist/embedded/curve25519.js +3 -0
package/dist/embedded/mldsa.d.ts +1 -0
package/dist/embedded/mldsa.js +3 -0
package/dist/embedded/mlkem.d.ts +1 -0
package/dist/embedded/mlkem.js +3 -0
package/dist/embedded/p256.d.ts +1 -0
package/dist/embedded/p256.js +3 -0
package/dist/embedded/serpent-pool-worker.d.ts +1 -1
package/dist/embedded/serpent-pool-worker.js +2 -2
package/dist/embedded/serpent.d.ts +1 -1
package/dist/embedded/serpent.js +2 -2
package/dist/embedded/sha2.d.ts +1 -1
package/dist/embedded/sha2.js +2 -2
package/dist/embedded/sha3.d.ts +1 -1
package/dist/embedded/sha3.js +2 -2
package/dist/embedded/slhdsa.d.ts +1 -0
package/dist/embedded/slhdsa.js +3 -0
package/dist/errors.d.ts +92 -1
package/dist/errors.js +111 -1
package/dist/fortuna.d.ts +5 -5
package/dist/fortuna.js +37 -64
package/dist/index.d.ts +38 -9
package/dist/index.js +63 -19
package/dist/init.d.ts +1 -1
package/dist/init.js +11 -25
package/dist/keccak/embedded.js +1 -1
package/dist/keccak/index.d.ts +2 -0
package/dist/keccak/index.js +4 -2
package/dist/loader.d.ts +1 -24
package/dist/loader.js +13 -16
package/dist/merkle/blake3-tree.d.ts +35 -0
package/dist/merkle/blake3-tree.js +187 -0
package/dist/merkle/checkpoint.d.ts +58 -0
package/dist/merkle/checkpoint.js +217 -0
package/dist/merkle/index.d.ts +19 -0
package/dist/merkle/index.js +37 -0
package/dist/merkle/merkle-log.d.ts +130 -0
package/dist/merkle/merkle-log.js +207 -0
package/dist/merkle/merkle-verifier.d.ts +126 -0
package/dist/merkle/merkle-verifier.js +296 -0
package/dist/merkle/proof.d.ts +70 -0
package/dist/merkle/proof.js +300 -0
package/dist/merkle/sha256-tree.d.ts +33 -0
package/dist/merkle/sha256-tree.js +145 -0
package/dist/merkle/signed-log.d.ts +156 -0
package/dist/merkle/signed-log.js +356 -0
package/dist/merkle/signed-note.d.ts +309 -0
package/dist/merkle/signed-note.js +648 -0
package/dist/merkle/sth.d.ts +31 -0
package/dist/merkle/sth.js +31 -0
package/dist/merkle/storage.d.ts +40 -0
package/dist/merkle/storage.js +71 -0
package/dist/merkle/tree.d.ts +68 -0
package/dist/merkle/tree.js +94 -0
package/dist/mldsa/embedded.d.ts +1 -0
package/dist/{kyber → mldsa}/embedded.js +5 -5
package/dist/mldsa/expand.d.ts +53 -0
package/dist/mldsa/expand.js +188 -0
package/dist/mldsa/format.d.ts +16 -0
package/dist/mldsa/format.js +68 -0
package/dist/mldsa/hashvariant.d.ts +32 -0
package/dist/mldsa/hashvariant.js +248 -0
package/dist/mldsa/index.d.ts +142 -0
package/dist/mldsa/index.js +463 -0
package/dist/mldsa/keygen.d.ts +16 -0
package/dist/mldsa/keygen.js +232 -0
package/dist/mldsa/params.d.ts +21 -0
package/dist/mldsa/params.js +55 -0
package/dist/mldsa/sha3-helpers.d.ts +30 -0
package/dist/mldsa/sha3-helpers.js +124 -0
package/dist/mldsa/sign.d.ts +36 -0
package/dist/mldsa/sign.js +380 -0
package/dist/mldsa/types.d.ts +91 -0
package/dist/mldsa/types.js +25 -0
package/dist/mldsa/validate.d.ts +55 -0
package/dist/mldsa/validate.js +125 -0
package/dist/mldsa/verify.d.ts +29 -0
package/dist/mldsa/verify.js +269 -0
package/dist/mldsa.wasm +0 -0
package/dist/mlkem/embedded.d.ts +1 -0
package/dist/mlkem/embedded.js +27 -0
package/dist/mlkem/indcpa.d.ts +49 -0
package/dist/{kyber → mlkem}/indcpa.js +44 -44
package/dist/mlkem/index.d.ts +37 -0
package/dist/{kyber → mlkem}/index.js +24 -34
package/dist/mlkem/kem.d.ts +21 -0
package/dist/{kyber → mlkem}/kem.js +44 -64
package/dist/{kyber → mlkem}/params.d.ts +4 -4
package/dist/{kyber → mlkem}/params.js +2 -2
package/dist/mlkem/suite.d.ts +12 -0
package/dist/{kyber → mlkem}/suite.js +17 -12
package/dist/{kyber → mlkem}/types.d.ts +3 -3
package/dist/{kyber → mlkem}/types.js +1 -1
package/dist/{kyber → mlkem}/validate.d.ts +7 -7
package/dist/{kyber → mlkem}/validate.js +7 -7
package/dist/{kyber.wasm → mlkem.wasm} +0 -0
package/dist/p256.wasm +0 -0
package/dist/ratchet/index.d.ts +2 -0
package/dist/ratchet/index.js +1 -0
package/dist/ratchet/kdf-chain.js +3 -3
package/dist/ratchet/ratchet-keypair.js +2 -2
package/dist/ratchet/root-kdf.js +7 -7
package/dist/ratchet/skipped-key-store.js +4 -4
package/dist/ratchet/types.d.ts +1 -1
package/dist/serpent/cipher-suite.js +20 -17
package/dist/serpent/generator.d.ts +1 -1
package/dist/serpent/generator.js +2 -2
package/dist/serpent/index.d.ts +8 -7
package/dist/serpent/index.js +18 -27
package/dist/serpent/pool-worker.js +7 -5
package/dist/serpent/serpent-cbc.d.ts +4 -4
package/dist/serpent/serpent-cbc.js +11 -8
package/dist/serpent/shared-ops.d.ts +3 -23
package/dist/serpent/shared-ops.js +50 -85
package/dist/serpent.wasm +0 -0
package/dist/sha2/hkdf.js +5 -5
package/dist/sha2/index.d.ts +21 -1
package/dist/sha2/index.js +65 -10
package/dist/sha2/types.d.ts +41 -2
package/dist/sha2.wasm +0 -0
package/dist/sha3/index.d.ts +72 -3
package/dist/sha3/index.js +240 -14
package/dist/sha3/kmac.d.ts +121 -0
package/dist/sha3/kmac.js +800 -0
package/dist/sha3.wasm +0 -0
package/dist/shared/pkcs7.d.ts +22 -0
package/dist/shared/pkcs7.js +84 -0
package/dist/sign/ctx.d.ts +41 -0
package/dist/sign/ctx.js +102 -0
package/dist/sign/envelope.d.ts +45 -0
package/dist/sign/envelope.js +152 -0
package/dist/sign/hasher.d.ts +9 -0
package/dist/sign/hasher.js +132 -0
package/dist/sign/index.d.ts +11 -0
package/dist/sign/index.js +34 -0
package/dist/sign/sign-stream.d.ts +25 -0
package/dist/sign/sign-stream.js +112 -0
package/dist/sign/suites/ecdsa-p256.d.ts +2 -0
package/dist/sign/suites/ecdsa-p256.js +120 -0
package/dist/sign/suites/ed25519.d.ts +3 -0
package/dist/sign/suites/ed25519.js +165 -0
package/dist/sign/suites/hybrid-classical.d.ts +23 -0
package/dist/sign/suites/hybrid-classical.js +526 -0
package/dist/sign/suites/hybrid-pq.d.ts +4 -0
package/dist/sign/suites/hybrid-pq.js +234 -0
package/dist/sign/suites/mldsa.d.ts +7 -0
package/dist/sign/suites/mldsa.js +161 -0
package/dist/sign/suites/slhdsa.d.ts +7 -0
package/dist/sign/suites/slhdsa.js +176 -0
package/dist/sign/types.d.ts +106 -0
package/dist/sign/types.js +28 -0
package/dist/sign/verify-stream.d.ts +30 -0
package/dist/sign/verify-stream.js +227 -0
package/dist/slhdsa/embedded.d.ts +1 -0
package/dist/slhdsa/embedded.js +26 -0
package/dist/slhdsa/index.d.ts +149 -0
package/dist/slhdsa/index.js +493 -0
package/dist/slhdsa/params.d.ts +26 -0
package/dist/slhdsa/params.js +70 -0
package/dist/slhdsa/prehash.d.ts +68 -0
package/dist/slhdsa/prehash.js +307 -0
package/dist/slhdsa/sign.d.ts +39 -0
package/dist/slhdsa/sign.js +116 -0
package/dist/slhdsa/types.d.ts +129 -0
package/dist/slhdsa/types.js +27 -0
package/dist/slhdsa/validate.d.ts +60 -0
package/dist/slhdsa/validate.js +127 -0
package/dist/slhdsa/verify.d.ts +32 -0
package/dist/slhdsa/verify.js +107 -0
package/dist/slhdsa.wasm +0 -0
package/dist/stream/header.js +3 -3
package/dist/stream/index.d.ts +1 -0
package/dist/stream/index.js +1 -0
package/dist/stream/open-stream.js +31 -10
package/dist/stream/seal-stream-pool.d.ts +1 -0
package/dist/stream/seal-stream-pool.js +63 -26
package/dist/stream/seal-stream.d.ts +1 -1
package/dist/stream/seal-stream.js +20 -9
package/dist/stream/seal.js +6 -6
package/dist/stream/types.d.ts +3 -1
package/dist/stream/types.js +1 -1
package/dist/types.d.ts +1 -1
package/dist/types.js +1 -1
package/dist/utils.d.ts +3 -3
package/dist/utils.js +46 -54
package/dist/wasm-source.d.ts +7 -7
package/dist/wasm-source.js +1 -1
package/dist/x25519/embedded.d.ts +1 -0
package/dist/x25519/embedded.js +31 -0
package/dist/x25519/index.d.ts +43 -0
package/dist/x25519/index.js +159 -0
package/dist/x25519/types.d.ts +25 -0
package/dist/x25519/types.js +27 -0
package/dist/x25519/validate.d.ts +2 -0
package/dist/x25519/validate.js +39 -0
package/package.json +70 -26
package/SECURITY.md +0 -163
package/dist/ct-wasm.d.ts +0 -1
package/dist/ct-wasm.js +0 -3
package/dist/docs/aead.md +0 -363
package/dist/docs/architecture.md +0 -1011
package/dist/docs/argon2id.md +0 -305
package/dist/docs/chacha20.md +0 -781
package/dist/docs/exports.md +0 -277
package/dist/docs/fortuna.md +0 -530
package/dist/docs/init.md +0 -301
package/dist/docs/loader.md +0 -256
package/dist/docs/serpent.md +0 -617
package/dist/docs/sha2.md +0 -671
package/dist/docs/sha3.md +0 -612
package/dist/docs/types.md +0 -416
package/dist/docs/utils.md +0 -457
package/dist/embedded/kyber.d.ts +0 -1
package/dist/embedded/kyber.js +0 -3
package/dist/kyber/embedded.d.ts +0 -1
package/dist/kyber/indcpa.d.ts +0 -49
package/dist/kyber/index.d.ts +0 -38
package/dist/kyber/kem.d.ts +0 -21
package/dist/kyber/suite.d.ts +0 -12
/package/dist/{ct.wasm → cte.wasm} +0 -0

package/dist/blake3/index.js ADDED Viewed

@@ -0,0 +1,620 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/blake3/index.ts
+//
+// BLAKE3 public API. One-shot and streaming flavours of hash, keyed_hash,
+// derive_key (BLAKE3 §2.3 Modes), and the XOF reader (§2.6). Call
+// `blake3Init(source)` before constructing any class.
+import { getInstance, initModule, isInitialized, _acquireModule, _releaseModule, _assertNotOwned, } from '../init.js';
+import { validateKey, validateContext, validateOutputLen } from './validate.js';
+export { isInitialized };
+export async function blake3Init(source) {
+    return initModule('blake3', source);
+}
+function getExports() {
+    return getInstance('blake3').exports;
+}
+// Input scratch sits past BUFFER_END from src/asm/blake3/buffers.ts;
+// usable region is 131072 - INPUT_SCRATCH_OFF bytes.
+const INPUT_SCRATCH_OFF = 27648;
+const INPUT_SCRATCH_MAX = 131072 - INPUT_SCRATCH_OFF;
+// One-shot output staging cap; larger XOF reads go through OutputReader.
+const OUTPUT_STAGING_SIZE = 1024;
+// BLAKE3 §2.6: root compress emits 64 bytes per squeeze.
+const ROOT_BLOCK_SIZE = 64;
+function tooBigForScratchError(len) {
+    return new RangeError(`leviathan-crypto: blake3 input length ${len} exceeds the per-call `
+        + `WASM input scratch (${INPUT_SCRATCH_MAX} bytes). Split the input or `
+        + 'use the streaming surface (BLAKE3Stream / BLAKE3KeyedHashStream / '
+        + 'BLAKE3DeriveKeyStream).');
+}
+function tooBigForOneShotError(len) {
+    return new RangeError(`leviathan-crypto: blake3 outLen ${len} exceeds the per-call output `
+        + `staging size (${OUTPUT_STAGING_SIZE} bytes). For larger XOF reads `
+        + 'use finalizeXof() and BLAKE3OutputReader.read(n).');
+}
+// Stage `input` into INPUT_SCRATCH_OFF and return (offset, length) for
+// the WASM hash() call. Caller is responsible for wiping the scratch
+// region after the WASM call returns (we do that in a finally in each
+// public method so secret-derived inputs do not linger).
+function stageInput(x, input) {
+    if (input.length > INPUT_SCRATCH_MAX)
+        throw tooBigForScratchError(input.length);
+    const mem = new Uint8Array(x.memory.buffer);
+    mem.set(input, INPUT_SCRATCH_OFF);
+}
+function wipeInput(x, len) {
+    const mem = new Uint8Array(x.memory.buffer);
+    mem.fill(0, INPUT_SCRATCH_OFF, INPUT_SCRATCH_OFF + len);
+}
+// One-shot hash entry, no key / no context. Writes the requested prefix
+// of the BLAKE3 hash output to a fresh Uint8Array and returns it. Wipes
+// the input scratch on the way out.
+function oneShotHash(x, input, outLen) {
+    const outOff = x.getOutputStagingOffset();
+    stageInput(x, input);
+    try {
+        x.hash(INPUT_SCRATCH_OFF, input.length, outOff, outLen);
+        const mem = new Uint8Array(x.memory.buffer);
+        return mem.slice(outOff, outOff + outLen);
+    }
+    finally {
+        wipeInput(x, input.length);
+        x.wipeBuffers();
+    }
+}
+function oneShotKeyedHash(x, key, input, outLen) {
+    const mem = new Uint8Array(x.memory.buffer);
+    const keyOff = x.getKeyedKeyOffset();
+    const outOff = x.getOutputStagingOffset();
+    mem.set(key, keyOff);
+    stageInput(x, input);
+    try {
+        x.hashKeyed(keyOff, INPUT_SCRATCH_OFF, input.length, outOff, outLen);
+        return mem.slice(outOff, outOff + outLen);
+    }
+    finally {
+        mem.fill(0, keyOff, keyOff + 32);
+        wipeInput(x, input.length);
+        x.wipeBuffers();
+    }
+}
+function oneShotDeriveKey(x, contextBytes, material, outLen) {
+    if (contextBytes.length + material.length > INPUT_SCRATCH_MAX)
+        throw tooBigForScratchError(contextBytes.length + material.length);
+    const mem = new Uint8Array(x.memory.buffer);
+    const ctxOff = INPUT_SCRATCH_OFF;
+    const matOff = INPUT_SCRATCH_OFF + contextBytes.length;
+    const outOff = x.getOutputStagingOffset();
+    mem.set(contextBytes, ctxOff);
+    mem.set(material, matOff);
+    try {
+        x.deriveKey(ctxOff, contextBytes.length, matOff, material.length, outOff, outLen);
+        return mem.slice(outOff, outOff + outLen);
+    }
+    finally {
+        mem.fill(0, ctxOff, matOff + material.length);
+        x.wipeBuffers();
+    }
+}
+// ── BLAKE3 ──────────────────────────────────────────────────────────────────
+/**
+ * BLAKE3 default-mode hash (BLAKE3 §2.3 Modes — `hash`).
+ *
+ * One-shot: `hash(msg, outLen?)` runs the full chunk / tree / root
+ * pipeline and returns `outLen` (default 32) bytes of XOF output.
+ * Module exclusivity is acquired and released per call.
+ */
+export class BLAKE3 {
+    x;
+    constructor() {
+        this.x = getExports();
+    }
+    hash(msg, outLen = 32) {
+        _assertNotOwned('blake3');
+        if (!(msg instanceof Uint8Array))
+            throw new TypeError('leviathan-crypto: blake3 message must be a Uint8Array');
+        validateOutputLen(outLen);
+        if (outLen > OUTPUT_STAGING_SIZE)
+            throw tooBigForOneShotError(outLen);
+        return oneShotHash(this.x, msg, outLen);
+    }
+    dispose() {
+        _assertNotOwned('blake3');
+        try {
+            this.x.wipeBuffers();
+        }
+        catch { /* idempotent */ }
+    }
+}
+/**
+ * BLAKE3 keyed_hash (BLAKE3 §2.3 Modes — `keyed_hash`).
+ *
+ * The 32-byte key seeds the chunk machine in place of the BLAKE3 IV and
+ * every compress carries the KEYED_HASH flag. Use cases include MACs and
+ * keyed-pseudorandom generation; the construction is a PRF when the key
+ * is uniform and secret.
+ */
+export class BLAKE3KeyedHash {
+    x;
+    constructor() {
+        this.x = getExports();
+    }
+    hash(key, msg, outLen = 32) {
+        _assertNotOwned('blake3');
+        validateKey(key);
+        if (!(msg instanceof Uint8Array))
+            throw new TypeError('leviathan-crypto: blake3 message must be a Uint8Array');
+        validateOutputLen(outLen);
+        if (outLen > OUTPUT_STAGING_SIZE)
+            throw tooBigForOneShotError(outLen);
+        return oneShotKeyedHash(this.x, key, msg, outLen);
+    }
+    dispose() {
+        _assertNotOwned('blake3');
+        try {
+            this.x.wipeBuffers();
+        }
+        catch { /* idempotent */ }
+    }
+}
+/**
+ * BLAKE3 derive_key (BLAKE3 §2.3 Modes — `derive_key`).
+ *
+ * Two-pass KDF: pass 1 hashes the context string with the
+ * DERIVE_KEY_CONTEXT flag, pass 2 hashes the key material with the
+ * DERIVE_KEY_MATERIAL flag using the pass-1 output as its starting CV.
+ * Context strings are conventionally hardcoded UTF-8 application
+ * constants; empty contexts are rejected by `validateContext`.
+ */
+export class BLAKE3DeriveKey {
+    x;
+    constructor() {
+        this.x = getExports();
+    }
+    derive(context, material, outLen = 32) {
+        _assertNotOwned('blake3');
+        const ctxBytes = validateContext(context);
+        if (!(material instanceof Uint8Array))
+            throw new TypeError('leviathan-crypto: blake3 derive_key material must be a Uint8Array');
+        validateOutputLen(outLen);
+        if (outLen > OUTPUT_STAGING_SIZE)
+            throw tooBigForOneShotError(outLen);
+        return oneShotDeriveKey(this.x, ctxBytes, material, outLen);
+    }
+    dispose() {
+        _assertNotOwned('blake3');
+        try {
+            this.x.wipeBuffers();
+        }
+        catch { /* idempotent */ }
+    }
+}
+// ── Streaming base ─────────────────────────────────────────────────────────
+//
+// Buffer input, run one-shot WASM hash at finalize. Lifecycle mirrors
+// SHA3_256Stream. See docs/architecture.md.
+class StreamState {
+    chunks = [];
+    totalLen = 0;
+    consumed = false;
+    pushChunk(chunk) {
+        if (this.consumed)
+            throw new Error('BLAKE3 stream: update() after finalize/finalizeXof');
+        if (!(chunk instanceof Uint8Array))
+            throw new TypeError('BLAKE3 stream: chunk must be a Uint8Array');
+        if (this.totalLen + chunk.length > INPUT_SCRATCH_MAX)
+            throw tooBigForScratchError(this.totalLen + chunk.length);
+        this.chunks.push(chunk);
+        this.totalLen += chunk.length;
+    }
+    concat() {
+        if (this.chunks.length === 1)
+            return this.chunks[0];
+        const out = new Uint8Array(this.totalLen);
+        let pos = 0;
+        for (const c of this.chunks) {
+            out.set(c, pos);
+            pos += c.length;
+        }
+        return out;
+    }
+    wipe() {
+        // Drop references; we don't own caller buffers. concat() buffers
+        // are wiped by the calling class.
+        this.chunks = [];
+        this.totalLen = 0;
+    }
+}
+// ── BLAKE3Stream ───────────────────────────────────────────────────────────
+/**
+ * Streaming BLAKE3 default-mode hash (BLAKE3 §2.3 Modes — `hash`).
+ *
+ * `update()` accepts chunks of any size; `finalize()` returns the
+ * `outLen`-byte (default 32) digest and disposes the instance. Holds
+ * exclusive access to the `blake3` WASM module from construction until
+ * `dispose()` or `finalize()` / `finalizeXof()`.
+ */
+export class BLAKE3Stream {
+    x;
+    _tok;
+    _state = new StreamState();
+    constructor() {
+        this.x = getExports();
+        this._tok = _acquireModule('blake3');
+    }
+    update(chunk) {
+        this._checkLive();
+        this._state.pushChunk(chunk);
+        return this;
+    }
+    finalize(outLen = 32) {
+        this._checkLive();
+        validateOutputLen(outLen);
+        if (outLen > OUTPUT_STAGING_SIZE)
+            throw tooBigForOneShotError(outLen);
+        this._state.consumed = true;
+        const full = this._state.concat();
+        try {
+            return oneShotHash(this.x, full, outLen);
+        }
+        finally {
+            this.dispose();
+        }
+    }
+    finalizeXof() {
+        this._checkLive();
+        // _checkLive guarantees _tok is set; the local capture lets the type
+        // system see this beyond the assignment to undefined on the next line.
+        const tok = this._tok;
+        this._state.consumed = true;
+        // The reader holds the module token for its own lifetime; transfer
+        // ownership rather than releasing-then-reacquiring (which would race
+        // against any other consumer trying to acquire the module in between).
+        this._tok = undefined;
+        const full = this._state.concat();
+        return new BLAKE3OutputReader('hash', this.x, tok, full);
+    }
+    dispose() {
+        if (this._tok === undefined)
+            return;
+        this._state.wipe();
+        try {
+            this.x.wipeBuffers();
+        }
+        finally {
+            _releaseModule('blake3', this._tok);
+            this._tok = undefined;
+        }
+    }
+    _checkLive() {
+        if (this._tok === undefined)
+            throw new Error('BLAKE3Stream: instance has been disposed');
+        if (this._state.consumed)
+            throw new Error('BLAKE3Stream: stream has been finalized');
+    }
+}
+// ── BLAKE3KeyedHashStream ──────────────────────────────────────────────────
+/**
+ * Streaming BLAKE3 keyed_hash (BLAKE3 §2.3 Modes). Key is bound at construction
+ * time. Same lifecycle as `BLAKE3Stream`.
+ */
+export class BLAKE3KeyedHashStream {
+    x;
+    _tok;
+    _state = new StreamState();
+    _key;
+    constructor(key) {
+        validateKey(key);
+        this.x = getExports();
+        this._tok = _acquireModule('blake3');
+        // Defensive copy: we own this buffer for the lifetime of the stream
+        // and wipe it on dispose / finalize.
+        this._key = new Uint8Array(32);
+        this._key.set(key);
+    }
+    update(chunk) {
+        this._checkLive();
+        this._state.pushChunk(chunk);
+        return this;
+    }
+    finalize(outLen = 32) {
+        this._checkLive();
+        validateOutputLen(outLen);
+        if (outLen > OUTPUT_STAGING_SIZE)
+            throw tooBigForOneShotError(outLen);
+        this._state.consumed = true;
+        const full = this._state.concat();
+        try {
+            return oneShotKeyedHash(this.x, this._key, full, outLen);
+        }
+        finally {
+            this.dispose();
+        }
+    }
+    finalizeXof() {
+        this._checkLive();
+        const tok = this._tok;
+        this._state.consumed = true;
+        this._tok = undefined;
+        const full = this._state.concat();
+        const reader = new BLAKE3OutputReader('keyed', this.x, tok, full, this._key);
+        // Reader owns its own copy of the key; wipe the stream's.
+        this._key.fill(0);
+        return reader;
+    }
+    dispose() {
+        if (this._tok === undefined)
+            return;
+        this._key.fill(0);
+        this._state.wipe();
+        try {
+            this.x.wipeBuffers();
+        }
+        finally {
+            _releaseModule('blake3', this._tok);
+            this._tok = undefined;
+        }
+    }
+    _checkLive() {
+        if (this._tok === undefined)
+            throw new Error('BLAKE3KeyedHashStream: instance has been disposed');
+        if (this._state.consumed)
+            throw new Error('BLAKE3KeyedHashStream: stream has been finalized');
+    }
+}
+// ── BLAKE3DeriveKeyStream ──────────────────────────────────────────────────
+/**
+ * Streaming BLAKE3 derive_key (BLAKE3 §2.3 Modes). Context is bound at
+ * construction time; updates stream the material; finalize derives.
+ * Same lifecycle as `BLAKE3Stream`.
+ */
+export class BLAKE3DeriveKeyStream {
+    x;
+    _tok;
+    _state = new StreamState();
+    _ctxBytes;
+    constructor(context) {
+        this._ctxBytes = validateContext(context);
+        this.x = getExports();
+        this._tok = _acquireModule('blake3');
+    }
+    update(chunk) {
+        this._checkLive();
+        this._state.pushChunk(chunk);
+        return this;
+    }
+    finalize(outLen = 32) {
+        this._checkLive();
+        validateOutputLen(outLen);
+        if (outLen > OUTPUT_STAGING_SIZE)
+            throw tooBigForOneShotError(outLen);
+        this._state.consumed = true;
+        const full = this._state.concat();
+        try {
+            return oneShotDeriveKey(this.x, this._ctxBytes, full, outLen);
+        }
+        finally {
+            this.dispose();
+        }
+    }
+    finalizeXof() {
+        this._checkLive();
+        const tok = this._tok;
+        this._state.consumed = true;
+        this._tok = undefined;
+        const full = this._state.concat();
+        return new BLAKE3OutputReader('derive', this.x, tok, full, undefined, this._ctxBytes);
+    }
+    dispose() {
+        if (this._tok === undefined)
+            return;
+        this._state.wipe();
+        try {
+            this.x.wipeBuffers();
+        }
+        finally {
+            _releaseModule('blake3', this._tok);
+            this._tok = undefined;
+        }
+    }
+    _checkLive() {
+        if (this._tok === undefined)
+            throw new Error('BLAKE3DeriveKeyStream: instance has been disposed');
+        if (this._state.consumed)
+            throw new Error('BLAKE3DeriveKeyStream: stream has been finalized');
+    }
+}
+/**
+ * BLAKE3 XOF reader (BLAKE3 §2.6 Extendable Output).
+ *
+ * Sequential `read(nBytes)` calls squeeze the next bytes of XOF output.
+ * Constructed via `finalizeXof()` on a streaming class. Holds module
+ * exclusivity until `dispose()`.
+ *
+ * Implementation: the first `read()` runs the underlying hash entry once
+ * to populate the WASM-side root-compress snapshot (ROOT_STATE_*), then
+ * caches the first 64-byte XOF block. Subsequent reads pump
+ * `squeezeXofBlock` on the WASM module with an incrementing counter to
+ * lift additional 64-byte blocks off the snapshot. The reader's lifetime
+ * coincides with its hold on the module token, so `ROOT_STATE_*` stays
+ * intact between read calls (no other consumer can fire a hash that
+ * would clobber it).
+ */
+export class BLAKE3OutputReader {
+    x;
+    _tok;
+    _mode;
+    _input;
+    _key;
+    _ctx;
+    _blockBuf = new Uint8Array(ROOT_BLOCK_SIZE);
+    _blockPos = ROOT_BLOCK_SIZE; // forces refill on first read
+    _nextCounter = 0n;
+    _populated = false;
+    /** @internal Constructed by `finalizeXof()` on a streaming class. */
+    constructor(mode, x, tok, input, key, ctx) {
+        this._mode = mode;
+        this.x = x;
+        this._tok = tok;
+        this._input = input;
+        // Defensive copy of key, the reader outlives the parent stream's
+        // _key buffer (which is wiped on transfer).
+        if (key) {
+            this._key = new Uint8Array(32);
+            this._key.set(key);
+        }
+        else {
+            this._key = undefined;
+        }
+        this._ctx = ctx;
+    }
+    read(nBytes) {
+        if (this._tok === undefined)
+            throw new Error('BLAKE3OutputReader: instance has been disposed');
+        validateOutputLen(nBytes);
+        if (!this._populated) {
+            this._populate();
+        }
+        const out = new Uint8Array(nBytes);
+        let pos = 0;
+        while (pos < nBytes) {
+            if (this._blockPos >= ROOT_BLOCK_SIZE) {
+                this._squeezeNextBlock();
+            }
+            const available = ROOT_BLOCK_SIZE - this._blockPos;
+            const take = Math.min(nBytes - pos, available);
+            out.set(this._blockBuf.subarray(this._blockPos, this._blockPos + take), pos);
+            this._blockPos += take;
+            pos += take;
+        }
+        return out;
+    }
+    dispose() {
+        if (this._tok === undefined)
+            return;
+        this._blockBuf.fill(0);
+        this._blockPos = ROOT_BLOCK_SIZE;
+        this._nextCounter = 0n;
+        if (this._key)
+            this._key.fill(0);
+        try {
+            this.x.wipeBuffers();
+        }
+        finally {
+            _releaseModule('blake3', this._tok);
+            this._tok = undefined;
+        }
+    }
+    // Captures ROOT_STATE_* inside WASM, copies block 0 to _blockBuf.
+    // Does NOT call wipeBuffers; that would clear ROOT_STATE_* and break
+    // subsequent squeezeXofBlock calls. The reader wipes on dispose.
+    _populate() {
+        const x = this.x;
+        const outOff = x.getOutputStagingOffset();
+        const mem = new Uint8Array(x.memory.buffer);
+        if (this._input.length > INPUT_SCRATCH_MAX)
+            throw tooBigForScratchError(this._input.length);
+        mem.set(this._input, INPUT_SCRATCH_OFF);
+        try {
+            switch (this._mode) {
+                case 'hash':
+                    x.hash(INPUT_SCRATCH_OFF, this._input.length, outOff, ROOT_BLOCK_SIZE);
+                    break;
+                case 'keyed': {
+                    if (!this._key)
+                        throw new Error('BLAKE3OutputReader: keyed mode without key');
+                    const keyOff = x.getKeyedKeyOffset();
+                    mem.set(this._key, keyOff);
+                    try {
+                        x.hashKeyed(keyOff, INPUT_SCRATCH_OFF, this._input.length, outOff, ROOT_BLOCK_SIZE);
+                    }
+                    finally {
+                        mem.fill(0, keyOff, keyOff + 32);
+                    }
+                    break;
+                }
+                case 'derive': {
+                    if (!this._ctx)
+                        throw new Error('BLAKE3OutputReader: derive mode without context');
+                    const ctx = this._ctx;
+                    if (ctx.length + this._input.length > INPUT_SCRATCH_MAX)
+                        throw tooBigForScratchError(ctx.length + this._input.length);
+                    // Re-stage with context prefixed in front of material.
+                    mem.set(ctx, INPUT_SCRATCH_OFF);
+                    mem.set(this._input, INPUT_SCRATCH_OFF + ctx.length);
+                    try {
+                        x.deriveKey(INPUT_SCRATCH_OFF, ctx.length, INPUT_SCRATCH_OFF + ctx.length, this._input.length, outOff, ROOT_BLOCK_SIZE);
+                    }
+                    finally {
+                        mem.fill(0, INPUT_SCRATCH_OFF, INPUT_SCRATCH_OFF + ctx.length);
+                    }
+                    break;
+                }
+            }
+            this._blockBuf.set(mem.subarray(outOff, outOff + ROOT_BLOCK_SIZE));
+            this._blockPos = 0;
+            this._nextCounter = 1n;
+            this._populated = true;
+        }
+        finally {
+            const inLen = this._mode === 'derive' && this._ctx
+                ? this._ctx.length + this._input.length
+                : this._input.length;
+            mem.fill(0, INPUT_SCRATCH_OFF, INPUT_SCRATCH_OFF + inLen);
+            mem.fill(0, outOff, outOff + ROOT_BLOCK_SIZE);
+        }
+    }
+    _squeezeNextBlock() {
+        const x = this.x;
+        const outOff = x.getOutputStagingOffset();
+        const ctr = this._nextCounter;
+        const ctrLo = Number(ctr & 0xffffffffn);
+        const ctrHi = Number((ctr >> 32n) & 0xffffffffn);
+        x.squeezeXofBlock(ctrLo, ctrHi, outOff);
+        const mem = new Uint8Array(x.memory.buffer);
+        this._blockBuf.set(mem.subarray(outOff, outOff + ROOT_BLOCK_SIZE));
+        this._blockPos = 0;
+        this._nextCounter = ctr + 1n;
+        // Scrub the staging slot now that the bytes are in _blockBuf; the
+        // reader's wipe-on-dispose covers _blockBuf itself.
+        mem.fill(0, outOff, outOff + ROOT_BLOCK_SIZE);
+    }
+}
+// ── BLAKE3Hash, Fortuna HashFn const ───────────────────────────────────────
+/**
+ * Stateless BLAKE3-256 HashFn. Shape mirrors `SHA256Hash` in
+ * `src/ts/sha2/hash.ts`: 32-byte output, single WASM module dependency,
+ * `digest(msg)` runs a one-shot hash with default `outLen`.
+ *
+ * Usable as a Fortuna accumulator / reseed hash when paired with a
+ * matching 32-byte-key Generator.
+ */
+export const BLAKE3Hash = {
+    outputSize: 32,
+    wasmModules: ['blake3'],
+    digest(msg) {
+        _assertNotOwned('blake3');
+        const x = getExports();
+        return oneShotHash(x, msg, 32);
+    },
+};