leviathan-crypto 2.1.0 → 3.0.0

package/dist/chacha20/index.js

@@ -22,7 +22,7 @@
 // src/ts/chacha20/index.ts
 //
 // Public API classes for the ChaCha20 WASM module.
-// Uses the init() module cache — call chacha20Init(source) before constructing.
+// Uses the init() module cache, call chacha20Init(source) before constructing.
 import { getInstance, initModule, _acquireModule, _releaseModule, _assertNotOwned } from '../init.js';
 import { aeadEncrypt, aeadDecrypt, xcEncrypt, xcDecrypt } from './ops.js';
 import { AuthenticationError } from '../errors.js';
@@ -30,12 +30,13 @@ export { AuthenticationError };
 /**
  * Load and initialise the ChaCha20 WASM module from `source`.
  * Must be called before constructing any ChaCha20 class.
- * @param source  WASM binary — gzip+base64 string, URL, ArrayBuffer, Uint8Array,
+ * @param source  WASM binary, gzip+base64 string, URL, ArrayBuffer, Uint8Array,
  *                pre-compiled WebAssembly.Module, Response, or Promise<Response>
  */
 export async function chacha20Init(source) {
     return initModule('chacha20', source);
 }
+export { isInitialized } from '../init.js';
 /** Returns the raw chacha20 WASM export object. @internal */
 function getExports() {
     return getInstance('chacha20').exports;
@@ -59,7 +60,7 @@ export class ChaCha20 {
      * Load key and nonce into WASM state and set the block counter to 1.
      * Must be called before each message (RFC 8439 §2.4).
      * @param key    32 bytes
-     * @param nonce  12 bytes — must be unique per (key, message)
+     * @param nonce  12 bytes, must be unique per (key, message)
      */
     beginEncrypt(key, nonce) {
         if (this._tok === undefined)
@@ -76,7 +77,7 @@ export class ChaCha20 {
     }
     /**
      * XOR `chunk` with the next keystream block(s). Counter advances automatically.
-     * @param chunk  Plaintext chunk — must not exceed WASM CHUNK_SIZE
+     * @param chunk  Plaintext chunk, must not exceed WASM CHUNK_SIZE
      * @returns      Ciphertext of the same length
      */
     encryptChunk(chunk) {
@@ -84,7 +85,7 @@ export class ChaCha20 {
             throw new Error('ChaCha20: instance has been disposed');
         const maxChunk = this.x.getChunkSize();
         if (chunk.length > maxChunk)
-            throw new RangeError(`chunk exceeds maximum size of ${maxChunk} bytes — split into smaller chunks`);
+            throw new RangeError(`chunk exceeds maximum size of ${maxChunk} bytes, split into smaller chunks`);
         const mem = new Uint8Array(this.x.memory.buffer);
         const ptOff = this.x.getChunkPtOffset();
         const ctOff = this.x.getChunkCtOffset();
@@ -93,15 +94,15 @@ export class ChaCha20 {
         return mem.slice(ctOff, ctOff + chunk.length);
     }
     /**
-     * Alias for `beginEncrypt` — ChaCha20 is a stream cipher (symmetric).
+     * Alias for `beginEncrypt`, ChaCha20 is a stream cipher (symmetric).
      * @param key    32 bytes
-     * @param nonce  12 bytes — must match the value used to encrypt
+     * @param nonce  12 bytes, must match the value used to encrypt
      */
     beginDecrypt(key, nonce) {
         this.beginEncrypt(key, nonce);
     }
     /**
-     * Alias for `encryptChunk` — ChaCha20 is a stream cipher (symmetric).
+     * Alias for `encryptChunk`, ChaCha20 is a stream cipher (symmetric).
      * @param chunk  Ciphertext chunk
      * @returns      Plaintext of the same length
      */
@@ -137,7 +138,7 @@ export class Poly1305 {
     }
     /**
      * Compute a 16-byte Poly1305 MAC for `msg` using `key`.
-     * @param key  32-byte one-time key — must not be reused across messages
+     * @param key  32-byte one-time key, must not be reused across messages
      * @param msg  Message to authenticate
      * @returns    16-byte Poly1305 tag
      */
@@ -177,7 +178,7 @@ export class Poly1305 {
  * Single-use encrypt guard: `encrypt()` may only be called once per instance.
  * Create a new instance for each encryption to prevent nonce reuse.
  *
- * `decrypt()` uses constant-time tag comparison — XOR-accumulate pattern,
+ * `decrypt()` uses constant-time tag comparison, XOR-accumulate pattern,
  * no early return on mismatch. Plaintext is never returned on failure.
  */
 export class ChaCha20Poly1305 {
@@ -190,10 +191,10 @@ export class ChaCha20Poly1305 {
      * Encrypt and authenticate `plaintext` with ChaCha20-Poly1305 (RFC 8439 §2.8).
      *
      * **Single-use guard:** `encrypt()` may only be called once per instance.
-     * Any throw — including validation errors — permanently locks this instance.
+     * Any throw, including validation errors, permanently locks this instance.
      * Always create a new `ChaCha20Poly1305` per message.
      * @param key        32 bytes
-     * @param nonce      12 bytes — must be unique per (key, message)
+     * @param nonce      12 bytes, must be unique per (key, message)
      * @param plaintext  Data to encrypt
      * @param aad        Additional authenticated data (optional)
      * @returns          Ciphertext || 16-byte Poly1305 tag
@@ -203,24 +204,29 @@ export class ChaCha20Poly1305 {
             throw new Error('leviathan-crypto: encrypt() already called on this instance. '
                 + 'Create a new instance for each encryption to prevent nonce reuse.');
         // Strict single-use: lock FIRST, before anything else. Any subsequent
-        // throw — including validation errors — terminates the instance.
+        // throw, including validation errors, terminates the instance.
         this._used = true;
         _assertNotOwned('chacha20');
         if (key.length !== 32)
             throw new RangeError(`key must be 32 bytes (got ${key.length})`);
         if (nonce.length !== 12)
             throw new RangeError(`nonce must be 12 bytes (got ${nonce.length})`);
-        const { ciphertext, tag } = aeadEncrypt(this.x, key, nonce, plaintext, aad);
-        const out = new Uint8Array(ciphertext.length + 16);
-        out.set(ciphertext);
-        out.set(tag, ciphertext.length);
-        return out;
+        try {
+            const { ciphertext, tag } = aeadEncrypt(this.x, key, nonce, plaintext, aad);
+            const out = new Uint8Array(ciphertext.length + 16);
+            out.set(ciphertext);
+            out.set(tag, ciphertext.length);
+            return out;
+        }
+        finally {
+            this.x.wipeBuffers();
+        }
     }
     /**
      * Verify and decrypt a ChaCha20-Poly1305 ciphertext (RFC 8439 §2.8).
      * Throws `AuthenticationError` if the tag does not match.
      * @param key         32 bytes
-     * @param nonce       12 bytes — must match the value used to encrypt
+     * @param nonce       12 bytes, must match the value used to encrypt
      * @param ciphertext  Ciphertext || 16-byte tag (combined format from `encrypt`)
      * @param aad         Additional authenticated data (optional)
      * @returns           Plaintext
@@ -233,10 +239,15 @@ export class ChaCha20Poly1305 {
         if (nonce.length !== 12)
             throw new RangeError(`nonce must be 12 bytes (got ${nonce.length})`);
         if (ciphertext.length < 16)
-            throw new RangeError(`ciphertext too short — must include 16-byte tag (got ${ciphertext.length})`);
-        const ct = ciphertext.subarray(0, ciphertext.length - 16);
-        const tag = ciphertext.subarray(ciphertext.length - 16);
-        return aeadDecrypt(this.x, key, nonce, ct, tag, aad);
+            throw new RangeError(`ciphertext too short, must include 16-byte tag (got ${ciphertext.length})`);
+        try {
+            const ct = ciphertext.subarray(0, ciphertext.length - 16);
+            const tag = ciphertext.subarray(ciphertext.length - 16);
+            return aeadDecrypt(this.x, key, nonce, ct, tag, aad);
+        }
+        finally {
+            this.x.wipeBuffers();
+        }
     }
     /** Wipe WASM cipher and MAC state. */
     dispose() {
@@ -249,7 +260,7 @@ export class ChaCha20Poly1305 {
  * XChaCha20-Poly1305 AEAD (IETF draft-irtf-cfrg-xchacha).
  *
  * Recommended authenticated encryption primitive for most use cases.
- * Uses a 24-byte nonce — safe for random generation via crypto.getRandomValues.
+ * Uses a 24-byte nonce, safe for random generation via crypto.getRandomValues.
  *
  * Single-use encrypt guard: `encrypt()` may only be called once per instance.
  * Create a new instance for each encryption to prevent nonce reuse.
@@ -267,10 +278,10 @@ export class XChaCha20Poly1305 {
      * (draft-irtf-cfrg-xchacha). Recommended for general-purpose AEAD.
      *
      * **Single-use guard:** `encrypt()` may only be called once per instance.
-     * Any throw — including validation errors — permanently locks this instance.
+     * Any throw, including validation errors, permanently locks this instance.
      * Always create a new `XChaCha20Poly1305` per message to prevent nonce reuse.
      * @param key        32 bytes
-     * @param nonce      24 bytes — safe to generate randomly via `randomBytes(24)`
+     * @param nonce      24 bytes, safe to generate randomly via `randomBytes(24)`
      * @param plaintext  Data to encrypt
      * @param aad        Additional authenticated data (optional)
      * @returns          Ciphertext || 16-byte Poly1305 tag
@@ -280,20 +291,25 @@ export class XChaCha20Poly1305 {
             throw new Error('leviathan-crypto: encrypt() already called on this instance. '
                 + 'Create a new instance for each encryption to prevent nonce reuse.');
         // Strict single-use: lock FIRST, before anything else. Any subsequent
-        // throw — including validation errors — terminates the instance.
+        // throw, including validation errors, terminates the instance.
         this._used = true;
         _assertNotOwned('chacha20');
         if (key.length !== 32)
             throw new RangeError(`key must be 32 bytes (got ${key.length})`);
         if (nonce.length !== 24)
             throw new RangeError(`XChaCha20 nonce must be 24 bytes (got ${nonce.length})`);
-        return xcEncrypt(this.x, key, nonce, plaintext, aad);
+        try {
+            return xcEncrypt(this.x, key, nonce, plaintext, aad);
+        }
+        finally {
+            this.x.wipeBuffers();
+        }
     }
     /**
      * Verify and decrypt an XChaCha20-Poly1305 ciphertext.
      * Throws `AuthenticationError` if the tag does not match.
      * @param key         32 bytes
-     * @param nonce       24 bytes — must match the value used to encrypt
+     * @param nonce       24 bytes, must match the value used to encrypt
      * @param ciphertext  Ciphertext || 16-byte tag (combined format from `encrypt`)
      * @param aad         Additional authenticated data (optional)
      * @returns           Plaintext
@@ -305,8 +321,13 @@ export class XChaCha20Poly1305 {
         if (nonce.length !== 24)
             throw new RangeError(`XChaCha20 nonce must be 24 bytes (got ${nonce.length})`);
         if (ciphertext.length < 16)
-            throw new RangeError(`ciphertext too short — must include 16-byte tag (got ${ciphertext.length})`);
-        return xcDecrypt(this.x, key, nonce, ciphertext, aad);
+            throw new RangeError(`ciphertext too short, must include 16-byte tag (got ${ciphertext.length})`);
+        try {
+            return xcDecrypt(this.x, key, nonce, ciphertext, aad);
+        }
+        finally {
+            this.x.wipeBuffers();
+        }
     }
     /** Wipe WASM cipher and MAC state. */
     dispose() {
@@ -317,18 +338,3 @@ export class XChaCha20Poly1305 {
 export { XChaCha20Cipher } from './cipher-suite.js';
 // ── ChaCha20Generator ───────────────────────────────────────────────────────
 export { ChaCha20Generator } from './generator.js';
-// ── Ready check ─────────────────────────────────────────────────────────────
-/**
- * Returns `true` if the chacha20 WASM module has been initialised.
- * Used by tests and internal guards; not part of the public API.
- * @internal
- */
-export function _chachaReady() {
-    try {
-        getInstance('chacha20');
-        return true;
-    }
-    catch {
-        return false;
-    }
-}

package/dist/chacha20/ops.d.ts

@@ -3,10 +3,10 @@ import type { ChaChaExports } from './types.js';
  * ChaCha20-Poly1305 AEAD encrypt (RFC 8439 §2.8).
  * @param x          ChaCha20 WASM exports
  * @param key        32-byte key
- * @param nonce      12-byte nonce — must be unique per (key, message)
+ * @param nonce      12-byte nonce, must be unique per (key, message)
  * @param plaintext  Data to encrypt (must be ≤ WASM CHUNK_SIZE)
  * @param aad        Additional authenticated data
- * @returns          `{ ciphertext, tag }` — tag is 16 bytes
+ * @returns          `{ ciphertext, tag }`, tag is 16 bytes
  */
 export declare function aeadEncrypt(x: ChaChaExports, key: Uint8Array, nonce: Uint8Array, plaintext: Uint8Array, aad: Uint8Array): {
     ciphertext: Uint8Array;
@@ -17,7 +17,7 @@ export declare function aeadEncrypt(x: ChaChaExports, key: Uint8Array, nonce: Ui
  * Throws `AuthenticationError` on tag mismatch; never returns plaintext on failure.
  * @param x           ChaCha20 WASM exports
  * @param key         32-byte key
- * @param nonce       12-byte nonce — must match the value used to encrypt
+ * @param nonce       12-byte nonce, must match the value used to encrypt
  * @param ciphertext  Ciphertext bytes (must be ≤ WASM CHUNK_SIZE)
  * @param tag         16-byte Poly1305 tag
  * @param aad         Additional authenticated data
@@ -30,15 +30,15 @@ export declare function aeadDecrypt(x: ChaChaExports, key: Uint8Array, nonce: Ui
  * Used as the inner key for XChaCha20-Poly1305 (draft-irtf-cfrg-xchacha §2.3).
  * @param x      ChaCha20 WASM exports
  * @param key    32-byte master key
- * @param nonce  24-byte XChaCha20 nonce (only bytes 0–15 are used)
+ * @param nonce  24-byte XChaCha20 nonce (only bytes 0-15 are used)
  * @returns      32-byte HChaCha20 subkey
  */
 export declare function deriveSubkey(x: ChaChaExports, key: Uint8Array, nonce: Uint8Array): Uint8Array;
 /**
- * Build the inner 12-byte ChaCha20 nonce for XChaCha20 from bytes 16–23 of the
+ * Build the inner 12-byte ChaCha20 nonce for XChaCha20 from bytes 16-23 of the
  * 24-byte XChaCha nonce (draft-irtf-cfrg-xchacha §2.3).
  * @param nonce  24-byte XChaCha20 nonce
- * @returns      12-byte inner nonce (bytes 0–3 are zero, bytes 4–11 are nonce[16:24])
+ * @returns      12-byte inner nonce (bytes 0-3 are zero, bytes 4-11 are nonce[16:24])
  */
 export declare function innerNonce(nonce: Uint8Array): Uint8Array;
 /**
@@ -59,7 +59,7 @@ export declare function xcEncrypt(x: ChaChaExports, key: Uint8Array, nonce: Uint
  * Throws `AuthenticationError` on tag mismatch.
  * @param x           ChaCha20 WASM exports
  * @param key         32-byte key
- * @param nonce       24-byte nonce — must match the value used to encrypt
+ * @param nonce       24-byte nonce, must match the value used to encrypt
  * @param ciphertext  Ciphertext || 16-byte tag (combined format from `xcEncrypt`)
  * @param aad         Additional authenticated data
  * @returns           Plaintext

package/dist/chacha20/ops.js

@@ -1,9 +1,9 @@
 // src/ts/chacha20/ops.ts
 //
-// Raw XChaCha20-Poly1305 operations — standalone functions that take
+// Raw XChaCha20-Poly1305 operations, standalone functions that take
 // ChaChaExports explicitly. Used by both the class wrappers (index.ts)
 // and the pool worker (pool.worker.ts), eliminating duplication.
-import { constantTimeEqual } from '../utils.js';
+import { constantTimeEqual, wipe } from '../utils.js';
 import { AuthenticationError } from '../errors.js';
 // ── Module-private helpers ──────────────────────────────────────────────────
 /**
@@ -37,8 +37,8 @@ function polyFeed(x, data) {
 function lenBlock(aadLen, ctLen) {
     const b = new Uint8Array(16);
     const dv = new DataView(b.buffer);
-    // RFC 8439 §2.8 — 64-bit LE lengths.
-    // JS numbers are f64 — write low 32 bits directly, high bits via
+    // RFC 8439 §2.8, 64-bit LE lengths.
+    // JS numbers are f64, write low 32 bits directly, high bits via
     // Math.floor(n / 2^32). Safe for n ≤ Number.MAX_SAFE_INTEGER.
     dv.setUint32(0, aadLen >>> 0, true);
     dv.setUint32(4, Math.floor(aadLen / 0x100000000) >>> 0, true);
@@ -51,15 +51,15 @@ function lenBlock(aadLen, ctLen) {
  * ChaCha20-Poly1305 AEAD encrypt (RFC 8439 §2.8).
  * @param x          ChaCha20 WASM exports
  * @param key        32-byte key
- * @param nonce      12-byte nonce — must be unique per (key, message)
+ * @param nonce      12-byte nonce, must be unique per (key, message)
  * @param plaintext  Data to encrypt (must be ≤ WASM CHUNK_SIZE)
  * @param aad        Additional authenticated data
- * @returns          `{ ciphertext, tag }` — tag is 16 bytes
+ * @returns          `{ ciphertext, tag }`, tag is 16 bytes
  */
 export function aeadEncrypt(x, key, nonce, plaintext, aad) {
     const maxChunk = x.getChunkSize();
     if (plaintext.length > maxChunk)
-        throw new RangeError(`plaintext exceeds ${maxChunk} bytes — split into smaller chunks`);
+        throw new RangeError(`plaintext exceeds ${maxChunk} bytes, split into smaller chunks`);
     const mem = new Uint8Array(x.memory.buffer);
     // Step 1: Generate Poly1305 one-time key at counter=0 (RFC 8439 §2.6)
     mem.set(key, x.getKeyOffset());
@@ -73,12 +73,7 @@ export function aeadEncrypt(x, key, nonce, plaintext, aad) {
     const aadPad = (16 - aad.length % 16) % 16;
     if (aadPad > 0)
         polyFeed(x, new Uint8Array(aadPad));
-    // Step 4: Re-init ChaCha20 at counter=1.
-    // `chachaGenPolyKey` mutated CHACHA_STATE + 48 (the counter word) to 0 but
-    // left every other state word intact (constants, key, nonce). Writing
-    // counter=1 via `chachaSetCounter` restores the state for encryption —
-    // no second `chachaLoadKey()` is needed (the key/nonce buffers and the
-    // non-counter state words are already correct).
+    // Step 4: counter=1 (state intact from chachaGenPolyKey; no reload needed).
     x.chachaSetCounter(1);
     // Step 5: Encrypt
     mem.set(plaintext, x.getChunkPtOffset());
@@ -103,7 +98,7 @@ export function aeadEncrypt(x, key, nonce, plaintext, aad) {
  * Throws `AuthenticationError` on tag mismatch; never returns plaintext on failure.
  * @param x           ChaCha20 WASM exports
  * @param key         32-byte key
- * @param nonce       12-byte nonce — must match the value used to encrypt
+ * @param nonce       12-byte nonce, must match the value used to encrypt
  * @param ciphertext  Ciphertext bytes (must be ≤ WASM CHUNK_SIZE)
  * @param tag         16-byte Poly1305 tag
  * @param aad         Additional authenticated data
@@ -113,7 +108,7 @@ export function aeadEncrypt(x, key, nonce, plaintext, aad) {
 export function aeadDecrypt(x, key, nonce, ciphertext, tag, aad, cipherName = 'chacha20-poly1305') {
     const maxChunk = x.getChunkSize();
     if (ciphertext.length > maxChunk)
-        throw new RangeError(`ciphertext exceeds ${maxChunk} bytes — split into smaller chunks`);
+        throw new RangeError(`ciphertext exceeds ${maxChunk} bytes, split into smaller chunks`);
     const mem = new Uint8Array(x.memory.buffer);
     // Compute expected tag
     mem.set(key, x.getKeyOffset());
@@ -135,17 +130,12 @@ export function aeadDecrypt(x, key, nonce, ciphertext, tag, aad, cipherName = 'c
     const tagOff = x.getPolyTagOffset();
     const expectedTag = new Uint8Array(x.memory.buffer).slice(tagOff, tagOff + 16);
     if (!constantTimeEqual(expectedTag, tag)) {
-        // Wipe the full chunk output buffer — defense-in-depth before throwing.
+        // Defense-in-depth wipe on auth fail: chunk ct, chacha block (keystream),
+        // Poly1305 one-time subkey copy at POLY_KEY_OFFSET.
         const ctOff = x.getChunkCtOffset();
         mem.fill(0, ctOff, ctOff + maxChunk);
-        // Also zero the 64-byte chacha block buffer — it holds keystream bytes
-        // generated by chachaGenPolyKey() that would otherwise persist until
-        // the next op or dispose().
         const blockOff = x.getChachaBlockOffset();
         mem.fill(0, blockOff, blockOff + 64);
-        // And the 32-byte Poly1305 one-time subkey copy at POLY_KEY_OFFSET.
-        // chachaGenPolyKey copies keystream[0..32] here; wiping CHACHA_BLOCK
-        // zeroes the source but not this copy.
         const polyKeyOff = x.getPolyKeyOffset();
         mem.fill(0, polyKeyOff, polyKeyOff + 32);
         throw new AuthenticationError(cipherName);
@@ -164,7 +154,7 @@ export function aeadDecrypt(x, key, nonce, ciphertext, tag, aad, cipherName = 'c
  * Used as the inner key for XChaCha20-Poly1305 (draft-irtf-cfrg-xchacha §2.3).
  * @param x      ChaCha20 WASM exports
  * @param key    32-byte master key
- * @param nonce  24-byte XChaCha20 nonce (only bytes 0–15 are used)
+ * @param nonce  24-byte XChaCha20 nonce (only bytes 0-15 are used)
  * @returns      32-byte HChaCha20 subkey
  */
 export function deriveSubkey(x, key, nonce) {
@@ -176,10 +166,10 @@ export function deriveSubkey(x, key, nonce) {
     return new Uint8Array(x.memory.buffer).slice(off, off + 32);
 }
 /**
- * Build the inner 12-byte ChaCha20 nonce for XChaCha20 from bytes 16–23 of the
+ * Build the inner 12-byte ChaCha20 nonce for XChaCha20 from bytes 16-23 of the
  * 24-byte XChaCha nonce (draft-irtf-cfrg-xchacha §2.3).
  * @param nonce  24-byte XChaCha20 nonce
- * @returns      12-byte inner nonce (bytes 0–3 are zero, bytes 4–11 are nonce[16:24])
+ * @returns      12-byte inner nonce (bytes 0-3 are zero, bytes 4-11 are nonce[16:24])
  */
 export function innerNonce(nonce) {
     const n = new Uint8Array(12);
@@ -200,12 +190,17 @@ export function innerNonce(nonce) {
  */
 export function xcEncrypt(x, key, nonce, plaintext, aad) {
     const subkey = deriveSubkey(x, key, nonce);
-    const inner = innerNonce(nonce);
-    const { ciphertext, tag } = aeadEncrypt(x, subkey, inner, plaintext, aad);
-    const result = new Uint8Array(ciphertext.length + 16);
-    result.set(ciphertext);
-    result.set(tag, ciphertext.length);
-    return result;
+    try {
+        const inner = innerNonce(nonce);
+        const { ciphertext, tag } = aeadEncrypt(x, subkey, inner, plaintext, aad);
+        const result = new Uint8Array(ciphertext.length + 16);
+        result.set(ciphertext);
+        result.set(tag, ciphertext.length);
+        return result;
+    }
+    finally {
+        wipe(subkey);
+    }
 }
 /**
  * XChaCha20-Poly1305 decrypt (draft-irtf-cfrg-xchacha).
@@ -213,7 +208,7 @@ export function xcEncrypt(x, key, nonce, plaintext, aad) {
  * Throws `AuthenticationError` on tag mismatch.
  * @param x           ChaCha20 WASM exports
  * @param key         32-byte key
- * @param nonce       24-byte nonce — must match the value used to encrypt
+ * @param nonce       24-byte nonce, must match the value used to encrypt
  * @param ciphertext  Ciphertext || 16-byte tag (combined format from `xcEncrypt`)
  * @param aad         Additional authenticated data
  * @returns           Plaintext
@@ -222,6 +217,11 @@ export function xcDecrypt(x, key, nonce, ciphertext, aad) {
     const ct = ciphertext.subarray(0, ciphertext.length - 16);
     const tag = ciphertext.subarray(ciphertext.length - 16);
     const subkey = deriveSubkey(x, key, nonce);
-    const inner = innerNonce(nonce);
-    return aeadDecrypt(x, subkey, inner, ct, tag, aad, 'xchacha20-poly1305');
+    try {
+        const inner = innerNonce(nonce);
+        return aeadDecrypt(x, subkey, inner, ct, tag, aad, 'xchacha20-poly1305');
+    }
+    finally {
+        wipe(subkey);
+    }
 }

package/dist/chacha20/pool-worker.js

@@ -12,9 +12,9 @@ let subkey;
  * Message handler for the XChaCha20 pool worker.
  *
  * Accepts three message types:
- * - `'init'`  — instantiate the chacha20 WASM module and store the derived subkey
- * - `'wipe'`  — zero subkey and WASM buffers, then post `{ type: 'wiped' }`
- * - `{ op: 'seal' | 'open', ... }` — encrypt or decrypt one chunk
+ * - `'init'` , instantiate the chacha20 WASM module and store the derived subkey
+ * - `'wipe'` , zero subkey and WASM buffers, then post `{ type: 'wiped' }`
+ * - `{ op: 'seal' | 'open', ... }`, encrypt or decrypt one chunk
  *
  * Replies with `{ type: 'result', id, data }` on success or
  * `{ type: 'error', id, message, isAuthError }` on failure.
@@ -34,6 +34,8 @@ self.onmessage = async (e) => {
             self.postMessage({ type: 'ready' });
         }
         catch (err) {
+            if (msg.derivedKeyBytes)
+                msg.derivedKeyBytes.fill(0);
             self.postMessage({ type: 'error', id: -1, message: err.message, isAuthError: false });
         }
         return;

package/dist/cte-wasm.d.ts

@@ -0,0 +1 @@
+export declare const CTE_WASM: Uint8Array<ArrayBuffer>;

package/dist/cte-wasm.js

@@ -0,0 +1,3 @@
+// auto-generated, do not edit
+// raw WASM bytes for constant-time equality comparison module
+export const CTE_WASM = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 8, 1, 96, 3, 127, 127, 127, 1, 127, 3, 2, 1, 0, 5, 4, 1, 1, 1, 1, 7, 20, 2, 7, 99, 111, 109, 112, 97, 114, 101, 0, 0, 6, 109, 101, 109, 111, 114, 121, 2, 0, 10, 133, 1, 1, 130, 1, 3, 2, 127, 1, 126, 1, 123, 3, 64, 32, 3, 65, 16, 106, 34, 4, 32, 2, 76, 4, 64, 32, 6, 32, 0, 32, 3, 106, 253, 0, 4, 0, 32, 1, 32, 3, 106, 253, 0, 4, 0, 253, 81, 253, 80, 33, 6, 32, 4, 33, 3, 12, 1, 11, 11, 3, 64, 32, 2, 32, 3, 74, 4, 64, 32, 5, 32, 0, 32, 3, 106, 49, 0, 0, 32, 1, 32, 3, 106, 49, 0, 0, 133, 132, 33, 5, 32, 3, 65, 1, 106, 33, 3, 12, 1, 11, 11, 66, 0, 32, 5, 32, 6, 253, 29, 0, 32, 6, 253, 29, 1, 132, 132, 34, 5, 125, 32, 5, 132, 66, 63, 135, 66, 127, 133, 167, 65, 1, 113, 11]);

package/dist/ecdsa/der.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Convert a 64-byte raw r || s signature to DER per RFC 3279 §2.2.3.
+ * Output length is variable: 8 bytes minimum (r = s = 1 byte each, no
+ * sign-pad), 72 bytes maximum (both components 32 bytes with high bit
+ * set, each picking up a 0x00 sign-pad).
+ *
+ * @throws TypeError if `sig` is not a Uint8Array
+ * @throws RangeError if `sig.length !== 64`
+ */
+export declare function ecdsaSignatureToDer(sig: Uint8Array): Uint8Array;
+/**
+ * Convert a DER ECDSA-P256 signature to 64-byte raw r || s. Rejects
+ * any DER syntax violation via SigningError('sig-malformed-input'):
+ * see the file-level header for the rejection rules.
+ *
+ * Semantic value rejections (r = 0, s = 0, high-s, off-range) are
+ * deferred to the WASM verify path; this function only enforces DER
+ * structure.
+ *
+ * @throws TypeError if `der` is not a Uint8Array
+ * @throws SigningError('sig-malformed-input') on any DER syntax error
+ */
+export declare function ecdsaSignatureFromDer(der: Uint8Array): Uint8Array;