narrarium-astro-reader 0.1.31 → 0.1.33

package/cli-dist/lib/content-crypto.d.ts

@@ -2,6 +2,12 @@
 export declare function getBuildSalt(): Buffer;
 /** Base64-encoded build salt, ready to embed in an HTML attribute. */
 export declare function getBuildSaltBase64(): string;
+/**
+ * Known plaintext embedded (encrypted) in the built HTML so the browser can
+ * verify a password by attempting decryption rather than comparing a fast hash.
+ * This forces brute-force attempts to pay the full PBKDF2 cost every time.
+ */
+export declare const CANARY_PLAINTEXT = "narrarium-ok";
 export interface EncryptedChunk {
     /** Base64-encoded 12-byte random IV. */
     iv: string;
@@ -16,4 +22,12 @@ export interface EncryptedChunk {
  * verify integrity without any additional framing.
  */
 export declare function encryptString(plaintext: string, password: string): EncryptedChunk;
+/**
+ * Encrypt the canary plaintext with the same PBKDF2-derived build key.
+ *
+ * Embed `iv` and `ct` in the built HTML as `data-canary-iv` / `data-canary-ct`.
+ * The browser verifies the password by decrypting the canary and checking that
+ * the result equals `CANARY_PLAINTEXT` — no fast-hash oracle in the HTML.
+ */
+export declare function encryptCanary(password: string): EncryptedChunk;
 //# sourceMappingURL=content-crypto.d.ts.map

package/cli-dist/lib/content-crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"content-crypto.d.ts","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAcA,mFAAmF;AACnF,wBAAgB,YAAY,IAAI,MAAM,CAMrC;AAED,sEAAsE;AACtE,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAMD,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,0DAA0D;IAC1D,EAAE,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,CAWjF"}
+{"version":3,"file":"content-crypto.d.ts","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAcA,mFAAmF;AACnF,wBAAgB,YAAY,IAAI,MAAM,CAMrC;AAED,sEAAsE;AACtE,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAMD;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,iBAAiB,CAAC;AAE/C,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,0DAA0D;IAC1D,EAAE,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,CAWjF;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,CAE9D"}

package/cli-dist/lib/content-crypto.js

@@ -24,6 +24,12 @@ export function getBuildSaltBase64() {
 function deriveKey(password, salt) {
     return pbkdf2Sync(password, salt, 100_000, 32, "sha256");
 }
+/**
+ * Known plaintext embedded (encrypted) in the built HTML so the browser can
+ * verify a password by attempting decryption rather than comparing a fast hash.
+ * This forces brute-force attempts to pay the full PBKDF2 cost every time.
+ */
+export const CANARY_PLAINTEXT = "narrarium-ok";
 /**
  * Encrypt a UTF-8 string with AES-256-GCM using PBKDF2-derived key.
  *
@@ -43,4 +49,14 @@ export function encryptString(plaintext, password) {
         ct: Buffer.concat([body, tag]).toString("base64"),
     };
 }
+/**
+ * Encrypt the canary plaintext with the same PBKDF2-derived build key.
+ *
+ * Embed `iv` and `ct` in the built HTML as `data-canary-iv` / `data-canary-ct`.
+ * The browser verifies the password by decrypting the canary and checking that
+ * the result equals `CANARY_PLAINTEXT` — no fast-hash oracle in the HTML.
+ */
+export function encryptCanary(password) {
+    return encryptString(CANARY_PLAINTEXT, password);
+}
 //# sourceMappingURL=content-crypto.js.map

package/cli-dist/lib/content-crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"content-crypto.js","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtE;;;;;;;;GAQG;AAEH,IAAI,UAAU,GAAkB,IAAI,CAAC;AAErC,mFAAmF;AACnF,MAAM,UAAU,YAAY;IAC1B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,kBAAkB;IAChC,OAAO,YAAY,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,IAAY;IAC/C,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC3D,CAAC;AASD;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAgB;IAC/D,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,8BAA8B;IAC/D,OAAO;QACL,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAClD,CAAC;AACJ,CAAC"}
+{"version":3,"file":"content-crypto.js","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtE;;;;;;;;GAQG;AAEH,IAAI,UAAU,GAAkB,IAAI,CAAC;AAErC,mFAAmF;AACnF,MAAM,UAAU,YAAY;IAC1B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,kBAAkB;IAChC,OAAO,YAAY,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,IAAY;IAC/C,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAS/C;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAgB;IAC/D,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,8BAA8B;IAC/D,OAAO;QACL,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAClD,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,OAAO,aAAa,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;AACnD,CAAC"}

package/cli-dist/lib/reader-mode.d.ts

@@ -5,11 +5,4 @@ export declare function isFullCanonMode(): boolean;
  * content encryption. Never embedded in the built HTML.
  */
 export declare function getReaderPassword(): string | null;
-/**
- * Returns a SHA-256 hex hash of the NARRARIUM_READER_PASSWORD env var,
- * or null when the variable is not set. The hash is embedded in the built
- * HTML and compared against the user's input at runtime via SubtleCrypto
- * as a fast pre-filter before the more expensive PBKDF2 key derivation.
- */
-export declare function getReaderPasswordHash(): string | null;
 //# sourceMappingURL=reader-mode.d.ts.map

package/cli-dist/lib/reader-mode.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"reader-mode.d.ts","sourceRoot":"","sources":["../../src/lib/reader-mode.ts"],"names":[],"mappings":"AAGA,wBAAgB,eAAe,IAAI,OAAO,CAMzC;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,GAAG,IAAI,CAEjD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,GAAG,IAAI,CAIrD"}
+{"version":3,"file":"reader-mode.d.ts","sourceRoot":"","sources":["../../src/lib/reader-mode.ts"],"names":[],"mappings":"AAEA,wBAAgB,eAAe,IAAI,OAAO,CAMzC;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,GAAG,IAAI,CAEjD"}

package/cli-dist/lib/reader-mode.js

@@ -1,4 +1,3 @@
-import { createHash } from "node:crypto";
 import { readReaderEnv } from "./env.js";
 export function isFullCanonMode() {
     const raw = String(readReaderEnv(["NARRARIUM_READER_CANON_MODE", "NARRARIUM_READER_ALLOW_FULL_CANON"]) ?? "")
@@ -14,16 +13,4 @@ export function isFullCanonMode() {
 export function getReaderPassword() {
     return readReaderEnv(["NARRARIUM_READER_PASSWORD"]) ?? null;
 }
-/**
- * Returns a SHA-256 hex hash of the NARRARIUM_READER_PASSWORD env var,
- * or null when the variable is not set. The hash is embedded in the built
- * HTML and compared against the user's input at runtime via SubtleCrypto
- * as a fast pre-filter before the more expensive PBKDF2 key derivation.
- */
-export function getReaderPasswordHash() {
-    const raw = readReaderEnv(["NARRARIUM_READER_PASSWORD"]);
-    if (!raw)
-        return null;
-    return createHash("sha256").update(raw).digest("hex");
-}
 //# sourceMappingURL=reader-mode.js.map

package/cli-dist/lib/reader-mode.js.map

@@ -1 +1 @@
-{"version":3,"file":"reader-mode.js","sourceRoot":"","sources":["../../src/lib/reader-mode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,MAAM,UAAU,eAAe;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC,6BAA6B,EAAE,mCAAmC,CAAC,CAAC,IAAI,EAAE,CAAC;SAC1G,IAAI,EAAE;SACN,WAAW,EAAE,CAAC;IAEjB,OAAO,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,UAAU,CAAC;AACnG,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,aAAa,CAAC,CAAC,2BAA2B,CAAC,CAAC,IAAI,IAAI,CAAC;AAC9D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,GAAG,GAAG,aAAa,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC"}
+{"version":3,"file":"reader-mode.js","sourceRoot":"","sources":["../../src/lib/reader-mode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,MAAM,UAAU,eAAe;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC,6BAA6B,EAAE,mCAAmC,CAAC,CAAC,IAAI,EAAE,CAAC;SAC1G,IAAI,EAAE;SACN,WAAW,EAAE,CAAC;IAEjB,OAAO,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,UAAU,CAAC;AACnG,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,aAAa,CAAC,CAAC,2BAA2B,CAAC,CAAC,IAAI,IAAI,CAAC;AAC9D,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "narrarium-astro-reader",
-  "version": "0.1.31",
+  "version": "0.1.33",
   "type": "module",
   "description": "Astro reader and scaffolding CLI for Narrarium book repositories.",
   "license": "MIT",

package/src/layouts/BaseLayout.astro

@@ -5,8 +5,8 @@ import SiteSearch from "../components/SiteSearch.astro";
 import { listChapters } from "narrarium";
 import { getBookRoot } from "../lib/book.js";
 import { loadCanonGlossary } from "../lib/glossary.js";
-import { isFullCanonMode, getReaderPasswordHash, getReaderPassword } from "../lib/reader-mode.js";
-import { getBuildSaltBase64 } from "../lib/content-crypto.js";
+import { isFullCanonMode, getReaderPassword } from "../lib/reader-mode.js";
+import { getBuildSaltBase64, encryptCanary } from "../lib/content-crypto.js";
 import { loadSearchIndex } from "../lib/search.js";
 
 interface Props {
@@ -30,9 +30,10 @@ const canonGlossary = await loadCanonGlossary(currentChapterNumber);
 const searchIndex = await loadSearchIndex(currentChapterNumber);
 const readerChapters = await listChapters(getBookRoot()).catch(() => []);
 const fullCanonMode = isFullCanonMode();
-const passwordHash = getReaderPasswordHash();
-const cryptoSalt = getReaderPassword() ? getBuildSaltBase64() : null;
-if (!cryptoSalt) {
+const password = getReaderPassword();
+const cryptoSalt = password ? getBuildSaltBase64() : null;
+const canary = password ? encryptCanary(password) : null;
+if (!password) {
   console.info("[narrarium-reader] NARRARIUM_READER_PASSWORD not set — building without encryption.");
 }
 const isChapterPage = Number.isFinite(currentChapterNumber);
@@ -65,7 +66,7 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
       })();
     </script>
   </head>
-    <body class:list={[isChapterPage && "page-chapter"]} data-reader-chapter-number={currentChapterNumber} data-full-canon={fullCanonMode ? "true" : "false"} data-reader-password-hash={passwordHash ?? ""} data-crypto-salt={cryptoSalt ?? undefined}>
+    <body class:list={[isChapterPage && "page-chapter"]} data-reader-chapter-number={currentChapterNumber} data-full-canon={fullCanonMode ? "true" : "false"} data-crypto-salt={cryptoSalt ?? undefined} data-canary-iv={canary?.iv ?? undefined} data-canary-ct={canary?.ct ?? undefined}>
     <script is:inline>
       (() => {
         try {
@@ -85,6 +86,8 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
              "decrypted" – encrypted, auto-decrypted from stored AES key
         ──────────────────────────────────────────────────────────────────── */
         var salt = document.body.dataset.cryptoSalt;
+        var canaryIv = document.body.dataset.canaryIv;
+        var canaryCt = document.body.dataset.canaryCt;
 
         if (!salt) {
           // No encryption configured — content is always available.
@@ -170,14 +173,27 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
         try { storedKeyB64 = localStorage.getItem("narrarium-reader-aes-key"); } catch (_) {}
 
         if (storedKeyB64) {
+          // Show loading overlay while we verify and decrypt with the stored key.
+          document.body.classList.add("reader-decrypting");
           crypto.subtle.importKey(
             "raw", b64ToBytes(storedKeyB64),
             { name: "AES-GCM", length: 256 },
             false, ["decrypt"]
           )
-            .then(function (key) { return window._narrariumDecryptPage(key, true); })
+            .then(function (key) {
+              // Verify canary — AES-GCM auth tag rejects a stale or wrong key
+              // before we touch any page content.
+              return aesDecrypt(key, canaryIv, canaryCt).then(function (plaintext) {
+                if (plaintext !== "narrarium-ok") throw new Error("stale");
+                return window._narrariumDecryptPage(key, true);
+              });
+            })
+            .then(function () {
+              document.body.classList.remove("reader-decrypting");
+            })
             .catch(function () {
               // Stored key is stale or corrupt — clear it and show lock screen.
+              document.body.classList.remove("reader-decrypting");
               try { localStorage.removeItem("narrarium-reader-aes-key"); } catch (_) {}
               document.body.classList.add("reader-auth-locked");
               _resolveReady("locked");
@@ -188,7 +204,12 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
         }
       })();
     </script>
-    {passwordHash && (
+    {canary && (
+      <div id="reader-loading" aria-hidden="true">
+        <div class="reader-loading__spinner"></div>
+      </div>
+    )}
+    {canary && (
       <div id="reader-password-gate" role="dialog" aria-modal="true" aria-label="Access required">
         <div class="reader-password-gate__inner">
           <p class="eyebrow">Narrarium Reader</p>
@@ -233,24 +254,19 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
     </main>
     <SiteSearch entries={searchIndex} />
     <ReaderRuntime glossary={canonGlossary} chapters={readerChapters} currentChapterNumber={currentChapterNumber} />
-    {passwordHash && (
+    {canary && (
       <script is:inline>
         (function initPasswordGate() {
           var gate = document.getElementById("reader-password-gate");
           var form = document.getElementById("reader-password-form");
           var input = document.getElementById("reader-password-input");
           var errorEl = document.getElementById("reader-password-error");
-          var passwordHash = document.body.dataset.readerPasswordHash;
           var cryptoSalt = document.body.dataset.cryptoSalt;
-          if (!gate || !form || !passwordHash) return;
+          var canaryIv = document.body.dataset.canaryIv;
+          var canaryCt = document.body.dataset.canaryCt;
+          if (!gate || !form || !cryptoSalt || !canaryIv || !canaryCt) return;
           if (input) { input.focus(); }
 
-          function buf2hex(buffer) {
-            return Array.from(new Uint8Array(buffer))
-              .map(function (b) { return b.toString(16).padStart(2, "0"); })
-              .join("");
-          }
-
           function b64ToBytes(b64) {
             var bin = atob(b64);
             var bytes = new Uint8Array(bin.length);
@@ -258,34 +274,39 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
             return bytes;
           }
 
+          function aesDecrypt(cryptoKey, ivB64, ctB64) {
+            return crypto.subtle.decrypt(
+              { name: "AES-GCM", iv: b64ToBytes(ivB64) },
+              cryptoKey,
+              b64ToBytes(ctB64)
+            ).then(function (buf) { return new TextDecoder().decode(buf); });
+          }
+
           form.addEventListener("submit", function (event) {
             event.preventDefault();
             var password = input ? input.value : "";
             if (!password) return;
 
             var encoded = new TextEncoder().encode(password);
+            var saltBytes = b64ToBytes(cryptoSalt);
 
-            // Quick SHA-256 check before the expensive PBKDF2 step.
-            crypto.subtle.digest("SHA-256", encoded).then(function (hashBuffer) {
-              if (buf2hex(hashBuffer) !== passwordHash) {
-                if (errorEl) { errorEl.hidden = false; }
-                if (input) { input.value = ""; input.focus(); }
-                return;
-              }
+            // Derive the AES-256-GCM key via PBKDF2 — the full 100 000-iteration
+            // cost is paid on every attempt, making offline brute-force impractical.
+            crypto.subtle.importKey("raw", encoded, "PBKDF2", false, ["deriveKey"])
+              .then(function (keyMaterial) {
+                return crypto.subtle.deriveKey(
+                  { name: "PBKDF2", salt: saltBytes, iterations: 100000, hash: "SHA-256" },
+                  keyMaterial,
+                  { name: "AES-GCM", length: 256 },
+                  true,          // extractable so we can export and store it
+                  ["decrypt"]
+                );
+              })
+              .then(function (aesKey) {
+                // Verify against the canary block — AES-GCM auth tag rejects wrong keys.
+                return aesDecrypt(aesKey, canaryIv, canaryCt).then(function (plaintext) {
+                  if (plaintext !== "narrarium-ok") throw new Error("wrong password");
 
-              // Hash matched — derive the AES-256-GCM key via PBKDF2.
-              var saltBytes = b64ToBytes(cryptoSalt);
-              crypto.subtle.importKey("raw", encoded, "PBKDF2", false, ["deriveKey"])
-                .then(function (keyMaterial) {
-                  return crypto.subtle.deriveKey(
-                    { name: "PBKDF2", salt: saltBytes, iterations: 100000, hash: "SHA-256" },
-                    keyMaterial,
-                    { name: "AES-GCM", length: 256 },
-                    true,          // extractable so we can export and store it
-                    ["decrypt"]
-                  );
-                })
-                .then(function (aesKey) {
                   // Persist the raw key bytes so auto-decrypt works on reload.
                   crypto.subtle.exportKey("raw", aesKey).then(function (rawBuf) {
                     var rawBytes = new Uint8Array(rawBuf);
@@ -296,14 +317,12 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
                   // Decrypt the page — passes false = manual unlock, so the
                   // content-unlocked event will fire for late-init scripts.
                   return window._narrariumDecryptPage(aesKey, false);
-                })
-                .catch(function () {
-                  if (errorEl) { errorEl.hidden = false; }
-                  if (input) { input.value = ""; input.focus(); }
                 });
-            }).catch(function () {
-              if (errorEl) { errorEl.hidden = false; }
-            });
+              })
+              .catch(function () {
+                if (errorEl) { errorEl.hidden = false; }
+                if (input) { input.value = ""; input.focus(); }
+              });
           });
         })();
       </script>

package/src/lib/content-crypto.ts

@@ -30,6 +30,13 @@ function deriveKey(password: string, salt: Buffer): Buffer {
   return pbkdf2Sync(password, salt, 100_000, 32, "sha256");
 }
 
+/**
+ * Known plaintext embedded (encrypted) in the built HTML so the browser can
+ * verify a password by attempting decryption rather than comparing a fast hash.
+ * This forces brute-force attempts to pay the full PBKDF2 cost every time.
+ */
+export const CANARY_PLAINTEXT = "narrarium-ok";
+
 export interface EncryptedChunk {
   /** Base64-encoded 12-byte random IV. */
   iv: string;
@@ -56,3 +63,14 @@ export function encryptString(plaintext: string, password: string): EncryptedChu
     ct: Buffer.concat([body, tag]).toString("base64"),
   };
 }
+
+/**
+ * Encrypt the canary plaintext with the same PBKDF2-derived build key.
+ *
+ * Embed `iv` and `ct` in the built HTML as `data-canary-iv` / `data-canary-ct`.
+ * The browser verifies the password by decrypting the canary and checking that
+ * the result equals `CANARY_PLAINTEXT` — no fast-hash oracle in the HTML.
+ */
+export function encryptCanary(password: string): EncryptedChunk {
+  return encryptString(CANARY_PLAINTEXT, password);
+}

package/src/lib/reader-mode.ts

@@ -1,4 +1,3 @@
-import { createHash } from "node:crypto";
 import { readReaderEnv } from "./env.js";
 
 export function isFullCanonMode(): boolean {
@@ -17,15 +16,3 @@ export function isFullCanonMode(): boolean {
 export function getReaderPassword(): string | null {
   return readReaderEnv(["NARRARIUM_READER_PASSWORD"]) ?? null;
 }
-
-/**
- * Returns a SHA-256 hex hash of the NARRARIUM_READER_PASSWORD env var,
- * or null when the variable is not set. The hash is embedded in the built
- * HTML and compared against the user's input at runtime via SubtleCrypto
- * as a fast pre-filter before the more expensive PBKDF2 key derivation.
- */
-export function getReaderPasswordHash(): string | null {
-  const raw = readReaderEnv(["NARRARIUM_READER_PASSWORD"]);
-  if (!raw) return null;
-  return createHash("sha256").update(raw).digest("hex");
-}

package/src/styles/global.css

@@ -1466,6 +1466,34 @@ mark {
   }
 }
 
+/* ─── Auto-decrypt loading overlay ──────────────────────────── */
+#reader-loading {
+  display: none;
+  position: fixed;
+  inset: 0;
+  z-index: 199;
+  background: var(--app-bg);
+  align-items: center;
+  justify-content: center;
+}
+
+body.reader-decrypting #reader-loading {
+  display: flex;
+}
+
+.reader-loading__spinner {
+  width: 32px;
+  height: 32px;
+  border: 3px solid var(--line);
+  border-top-color: var(--accent);
+  border-radius: 50%;
+  animation: reader-spin 0.7s linear infinite;
+}
+
+@keyframes reader-spin {
+  to { transform: rotate(360deg); }
+}
+
 /* ─── Password gate ──────────────────────────────────────────── */
 #reader-password-gate {
   display: none;