pqc-vault 0.1.0

package/README.md

@@ -0,0 +1,190 @@
+# pqc-vault
+
+> 🔐 Cifrado y firmas **post-cuánticas híbridas** para Node.js, con una API
+> sencilla estilo libsodium. Protege datos **hoy** contra el ataque
+> "guardar ahora, descifrar después" (_harvest-now, decrypt-later_).
+>
+> 🔐 **Hybrid post-quantum** encryption and signatures for Node.js, with a
+> simple libsodium-style API. Protect data **today** against
+> _harvest-now, decrypt-later_.
+
+**ML-KEM-768 + ML-DSA-65** · híbrido con X25519 / AES-256-GCM · 130/130 NIST ACVP test vectors
+
+---
+
+## 📦 Instalación / Install
+
+```bash
+npm install pqc-vault
+```
+
+No compila nada en tu máquina: trae binarios listos para Linux, macOS y Windows.
+Funciona con ESM (`import`) y CommonJS (`require`), Node 18+.
+
+_No compilation on your machine: prebuilt binaries for Linux, macOS and Windows.
+Works with ESM (`import`) and CommonJS (`require`), Node 18+._
+
+---
+
+# 🇪🇸 Español
+
+Todas las funciones aceptan un `Buffer` o un `Uint8Array` y devuelven un `Buffer`.
+Como el cifrado trabaja con bytes, conviertes tu texto/objeto a bytes antes y
+después.
+
+### 1. Cifrar y descifrar un mensaje
+
+```js
+import { generateKeypair, seal, open } from "pqc-vault";
+
+// Creas un par de claves: la pública para cifrar, la secreta para descifrar.
+const { publicKey, secretKey } = await generateKeypair();
+
+// Conviertes tu texto a bytes y lo ciframos con la clave pública.
+const mensaje = Buffer.from("Hola, dato sensible");
+const cifrado = await seal(mensaje, publicKey);
+
+// Solo quien tiene la clave secreta puede recuperarlo.
+const descifrado = await open(cifrado, secretKey);
+
+console.log(descifrado.toString()); // "Hola, dato sensible"
+```
+
+### 2. Cifrar un objeto (por ejemplo, datos de un cliente)
+
+```js
+import { generateKeypair, seal, open } from "pqc-vault";
+
+const { publicKey, secretKey } = await generateKeypair();
+
+const cliente = { nombre: "Ada", iban: "ES91...", dni: "12345678Z" };
+
+// objeto -> texto JSON -> bytes
+const cifrado = await seal(Buffer.from(JSON.stringify(cliente)), publicKey);
+
+// bytes -> texto JSON -> objeto
+const recuperado = JSON.parse((await open(cifrado, secretKey)).toString());
+
+console.log(recuperado.iban); // "ES91..."
+```
+
+### 3. Firmar y verificar
+
+```js
+import { generateSigningKeypair, sign, verify } from "pqc-vault";
+
+// Claves de firma (distintas de las de cifrado).
+const { publicKey, secretKey } = await generateSigningKeypair();
+
+const orden = Buffer.from("transferir 1000 EUR");
+
+// Firmas con la clave secreta.
+const firma = await sign(orden, secretKey);
+
+// Cualquiera verifica con la clave pública.
+console.log(await verify(orden, firma, publicKey)); // true
+
+// Si el mensaje cambia, la verificación da false.
+const ordenFalsa = Buffer.from("transferir 9999 EUR");
+console.log(await verify(ordenFalsa, firma, publicKey)); // false
+```
+
+### ¿Por qué "híbrido"?
+
+Combina criptografía clásica (**X25519**) y post-cuántica (**ML-KEM-768**). Un
+atacante tendría que romper **las dos** para leer tus datos. Así te proteges
+incluso si en el futuro un ordenador cuántico rompe la criptografía clásica.
+
+### Errores
+
+Si `open` falla (clave equivocada o datos manipulados) lanza un error genérico,
+**sin** decir el motivo exacto (para no dar pistas a un atacante). `verify`
+devuelve `false` ante una firma inválida.
+
+---
+
+# 🇬🇧 English
+
+Every function accepts a `Buffer` or a `Uint8Array` and returns a `Buffer`. Since
+encryption works on bytes, convert your text/object to bytes before and after.
+
+### 1. Encrypt and decrypt a message
+
+```js
+import { generateKeypair, seal, open } from "pqc-vault";
+
+// Make a key pair: public key to encrypt, secret key to decrypt.
+const { publicKey, secretKey } = await generateKeypair();
+
+// Turn your text into bytes and encrypt with the public key.
+const message = Buffer.from("Hello, sensitive data");
+const encrypted = await seal(message, publicKey);
+
+// Only the holder of the secret key can recover it.
+const decrypted = await open(encrypted, secretKey);
+
+console.log(decrypted.toString()); // "Hello, sensitive data"
+```
+
+### 2. Encrypt an object (e.g. customer data)
+
+```js
+import { generateKeypair, seal, open } from "pqc-vault";
+
+const { publicKey, secretKey } = await generateKeypair();
+
+const customer = { name: "Ada", iban: "ES91...", dni: "12345678Z" };
+
+// object -> JSON text -> bytes
+const encrypted = await seal(Buffer.from(JSON.stringify(customer)), publicKey);
+
+// bytes -> JSON text -> object
+const recovered = JSON.parse((await open(encrypted, secretKey)).toString());
+
+console.log(recovered.iban); // "ES91..."
+```
+
+### 3. Sign and verify
+
+```js
+import { generateSigningKeypair, sign, verify } from "pqc-vault";
+
+// Signing keys (different from the encryption keys).
+const { publicKey, secretKey } = await generateSigningKeypair();
+
+const order = Buffer.from("transfer 1000 EUR");
+
+// Sign with the secret key.
+const signature = await sign(order, secretKey);
+
+// Anyone verifies with the public key.
+console.log(await verify(order, signature, publicKey)); // true
+
+// If the message changes, verification returns false.
+const forged = Buffer.from("transfer 9999 EUR");
+console.log(await verify(forged, signature, publicKey)); // false
+```
+
+### Why "hybrid"?
+
+It combines classical (**X25519**) and post-quantum (**ML-KEM-768**)
+cryptography. An attacker would have to break **both** to read your data — so you
+stay protected even if a future quantum computer breaks classical crypto.
+
+### Errors
+
+If `open` fails (wrong key or tampered data) it throws a generic error **without**
+revealing the exact reason (so an attacker learns nothing). `verify` returns
+`false` for an invalid signature.
+
+---
+
+## 📚 Más / More
+
+- API completa, esquema híbrido detallado y ejemplo ejecutable en el
+  [repositorio](https://github.com/cjmont/pqc-vault).
+- Reporte de vulnerabilidades: ver [SECURITY.md](https://github.com/cjmont/pqc-vault/blob/main/SECURITY.md).
+
+## License
+
+[Apache-2.0](https://github.com/cjmont/pqc-vault/blob/main/LICENSE)

package/binding.d.ts

@@ -0,0 +1,25 @@
+/* auto-generated by NAPI-RS */
+/* eslint-disable */
+/** Generate a hybrid (X25519 + ML-KEM-768) keypair. */
+export declare function generateKeypair(): Promise<{ publicKey: Buffer, secretKey: Buffer }>
+
+/** Generate an ML-DSA-65 signing keypair. */
+export declare function generateSigningKeypair(): Promise<{ publicKey: Buffer, secretKey: Buffer }>
+
+/** A hybrid keypair returned to JS as `{ publicKey, secretKey }`. */
+export interface KeyPair {
+  publicKey: Buffer
+  secretKey: Buffer
+}
+
+/** Decrypt a sealed message with the recipient secret key. Returns plaintext. */
+export declare function open(ciphertext: Uint8Array, recipientSecretKey: Uint8Array): Promise<Buffer>
+
+/** Hybrid-encrypt `data` to a recipient public key. Returns the sealed message. */
+export declare function seal(data: Uint8Array, recipientPublicKey: Uint8Array): Promise<Buffer>
+
+/** Sign a message with an ML-DSA-65 signing secret key. Returns the signature. */
+export declare function sign(message: Uint8Array, secretKey: Uint8Array): Promise<Buffer>
+
+/** Verify a signature over a message against an ML-DSA-65 public key. */
+export declare function verify(message: Uint8Array, signature: Uint8Array, publicKey: Uint8Array): Promise<boolean>

package/binding.js

@@ -0,0 +1,595 @@
+// prettier-ignore
+/* eslint-disable */
+// @ts-nocheck
+/* auto-generated by NAPI-RS */
+
+const { readFileSync } = require('fs')
+let nativeBinding = null
+const loadErrors = []
+
+const isMusl = () => {
+  let musl = false
+  if (process.platform === 'linux') {
+    musl = isMuslFromFilesystem()
+    if (musl === null) {
+      musl = isMuslFromReport()
+    }
+    if (musl === null) {
+      musl = isMuslFromChildProcess()
+    }
+  }
+  return musl
+}
+
+const isFileMusl = (f) => f.includes('libc.musl-') || f.includes('ld-musl-')
+
+const isMuslFromFilesystem = () => {
+  try {
+    return readFileSync('/usr/bin/ldd', 'utf-8').includes('musl')
+  } catch {
+    return null
+  }
+}
+
+const isMuslFromReport = () => {
+  let report = null
+  if (process.report && typeof process.report.getReport === 'function') {
+    process.report.excludeNetwork = true
+    report = process.report.getReport()
+  }
+  if (!report) {
+    return null
+  }
+  if (report.header && report.header.glibcVersionRuntime) {
+    return false
+  }
+  if (Array.isArray(report.sharedObjects)) {
+    if (report.sharedObjects.some(isFileMusl)) {
+      return true
+    }
+  }
+  return false
+}
+
+const isMuslFromChildProcess = () => {
+  try {
+    return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
+  } catch (e) {
+    // If we reach this case, we don't know if the system is musl or not, so is better to just fallback to false
+    return false
+  }
+}
+
+function requireNative() {
+  if (process.env.NAPI_RS_NATIVE_LIBRARY_PATH) {
+    try {
+      return require(process.env.NAPI_RS_NATIVE_LIBRARY_PATH);
+    } catch (err) {
+      loadErrors.push(err)
+    }
+  } else if (process.platform === 'android') {
+    if (process.arch === 'arm64') {
+      try {
+        return require('./pqc-vault.android-arm64.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-android-arm64')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-android-arm64/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else if (process.arch === 'arm') {
+      try {
+        return require('./pqc-vault.android-arm-eabi.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-android-arm-eabi')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-android-arm-eabi/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else {
+      loadErrors.push(new Error(`Unsupported architecture on Android ${process.arch}`))
+    }
+  } else if (process.platform === 'win32') {
+    if (process.arch === 'x64') {
+      if ((process.config && process.config.variables && process.config.variables.shlib_suffix === 'dll.a') || (process.config && process.config.variables && process.config.variables.node_target_type === 'shared_library')) {
+        try {
+        return require('./pqc-vault.win32-x64-gnu.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-win32-x64-gnu')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-win32-x64-gnu/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      } else {
+        try {
+        return require('./pqc-vault.win32-x64-msvc.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-win32-x64-msvc')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-win32-x64-msvc/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      }
+    } else if (process.arch === 'ia32') {
+      try {
+        return require('./pqc-vault.win32-ia32-msvc.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-win32-ia32-msvc')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-win32-ia32-msvc/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else if (process.arch === 'arm64') {
+      try {
+        return require('./pqc-vault.win32-arm64-msvc.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-win32-arm64-msvc')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-win32-arm64-msvc/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else {
+      loadErrors.push(new Error(`Unsupported architecture on Windows: ${process.arch}`))
+    }
+  } else if (process.platform === 'darwin') {
+    try {
+      return require('./pqc-vault.darwin-universal.node')
+    } catch (e) {
+      loadErrors.push(e)
+    }
+    try {
+      const binding = require('@post-quantum-cryptography/pqc-vault-darwin-universal')
+      const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-darwin-universal/package.json').version
+      if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+        throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+      }
+      return binding
+    } catch (e) {
+      loadErrors.push(e)
+    }
+    if (process.arch === 'x64') {
+      try {
+        return require('./pqc-vault.darwin-x64.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-darwin-x64')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-darwin-x64/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else if (process.arch === 'arm64') {
+      try {
+        return require('./pqc-vault.darwin-arm64.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-darwin-arm64')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-darwin-arm64/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else {
+      loadErrors.push(new Error(`Unsupported architecture on macOS: ${process.arch}`))
+    }
+  } else if (process.platform === 'freebsd') {
+    if (process.arch === 'x64') {
+      try {
+        return require('./pqc-vault.freebsd-x64.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-freebsd-x64')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-freebsd-x64/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else if (process.arch === 'arm64') {
+      try {
+        return require('./pqc-vault.freebsd-arm64.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-freebsd-arm64')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-freebsd-arm64/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else {
+      loadErrors.push(new Error(`Unsupported architecture on FreeBSD: ${process.arch}`))
+    }
+  } else if (process.platform === 'linux') {
+    if (process.arch === 'x64') {
+      if (isMusl()) {
+        try {
+          return require('./pqc-vault.linux-x64-musl.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-x64-musl')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-x64-musl/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      } else {
+        try {
+          return require('./pqc-vault.linux-x64-gnu.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-x64-gnu')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-x64-gnu/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      }
+    } else if (process.arch === 'arm64') {
+      if (isMusl()) {
+        try {
+          return require('./pqc-vault.linux-arm64-musl.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-arm64-musl')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-arm64-musl/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      } else {
+        try {
+          return require('./pqc-vault.linux-arm64-gnu.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-arm64-gnu')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-arm64-gnu/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      }
+    } else if (process.arch === 'arm') {
+      if (isMusl()) {
+        try {
+          return require('./pqc-vault.linux-arm-musleabihf.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-arm-musleabihf')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-arm-musleabihf/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      } else {
+        try {
+          return require('./pqc-vault.linux-arm-gnueabihf.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-arm-gnueabihf')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-arm-gnueabihf/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      }
+    } else if (process.arch === 'loong64') {
+      if (isMusl()) {
+        try {
+          return require('./pqc-vault.linux-loong64-musl.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-loong64-musl')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-loong64-musl/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      } else {
+        try {
+          return require('./pqc-vault.linux-loong64-gnu.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-loong64-gnu')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-loong64-gnu/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      }
+    } else if (process.arch === 'riscv64') {
+      if (isMusl()) {
+        try {
+          return require('./pqc-vault.linux-riscv64-musl.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-riscv64-musl')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-riscv64-musl/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      } else {
+        try {
+          return require('./pqc-vault.linux-riscv64-gnu.node')
+        } catch (e) {
+          loadErrors.push(e)
+        }
+        try {
+          const binding = require('@post-quantum-cryptography/pqc-vault-linux-riscv64-gnu')
+          const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-riscv64-gnu/package.json').version
+          if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          }
+          return binding
+        } catch (e) {
+          loadErrors.push(e)
+        }
+      }
+    } else if (process.arch === 'ppc64') {
+      try {
+        return require('./pqc-vault.linux-ppc64-gnu.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-linux-ppc64-gnu')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-ppc64-gnu/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else if (process.arch === 's390x') {
+      try {
+        return require('./pqc-vault.linux-s390x-gnu.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-linux-s390x-gnu')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-linux-s390x-gnu/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else {
+      loadErrors.push(new Error(`Unsupported architecture on Linux: ${process.arch}`))
+    }
+  } else if (process.platform === 'openharmony') {
+    if (process.arch === 'arm64') {
+      try {
+        return require('./pqc-vault.openharmony-arm64.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-openharmony-arm64')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-openharmony-arm64/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else if (process.arch === 'x64') {
+      try {
+        return require('./pqc-vault.openharmony-x64.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-openharmony-x64')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-openharmony-x64/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else if (process.arch === 'arm') {
+      try {
+        return require('./pqc-vault.openharmony-arm.node')
+      } catch (e) {
+        loadErrors.push(e)
+      }
+      try {
+        const binding = require('@post-quantum-cryptography/pqc-vault-openharmony-arm')
+        const bindingPackageVersion = require('@post-quantum-cryptography/pqc-vault-openharmony-arm/package.json').version
+        if (bindingPackageVersion !== '0.1.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.1.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        }
+        return binding
+      } catch (e) {
+        loadErrors.push(e)
+      }
+    } else {
+      loadErrors.push(new Error(`Unsupported architecture on OpenHarmony: ${process.arch}`))
+    }
+  } else {
+    loadErrors.push(new Error(`Unsupported OS: ${process.platform}, architecture: ${process.arch}`))
+  }
+}
+
+nativeBinding = requireNative()
+
+// NAPI_RS_FORCE_WASI is a tri-state flag:
+//   unset / any other value → native binding preferred, WASI is only a fallback
+//   'true'                   → force WASI fallback even if native loaded
+//   'error'                  → force WASI and throw if no WASI binding is found
+// Treating any non-empty string as truthy (the historical behavior) meant
+// NAPI_RS_FORCE_WASI=false, NAPI_RS_FORCE_WASI=0, etc. inadvertently triggered
+// the WASI path, causing ENOENT for packages shipped without a .wasi.cjs file.
+const forceWasi =
+  process.env.NAPI_RS_FORCE_WASI === 'true' || process.env.NAPI_RS_FORCE_WASI === 'error'
+
+if (!nativeBinding || forceWasi) {
+  let wasiBinding = null
+  let wasiBindingError = null
+  try {
+    wasiBinding = require('./pqc-vault.wasi.cjs')
+    nativeBinding = wasiBinding
+  } catch (err) {
+    if (forceWasi) {
+      wasiBindingError = err
+    }
+  }
+  if (!nativeBinding || forceWasi) {
+    try {
+      wasiBinding = require('@post-quantum-cryptography/pqc-vault-wasm32-wasi')
+      nativeBinding = wasiBinding
+    } catch (err) {
+      if (forceWasi) {
+        if (!wasiBindingError) {
+          wasiBindingError = err
+        } else {
+          wasiBindingError.cause = err
+        }
+        loadErrors.push(err)
+      }
+    }
+  }
+  if (process.env.NAPI_RS_FORCE_WASI === 'error' && !wasiBinding) {
+    const error = new Error('WASI binding not found and NAPI_RS_FORCE_WASI is set to error')
+    error.cause = wasiBindingError
+    throw error
+  }
+}
+
+if (!nativeBinding) {
+  if (loadErrors.length > 0) {
+    const error = new Error(
+      `Cannot find native binding. ` +
+        `npm has a bug related to optional dependencies (https://github.com/npm/cli/issues/4828). ` +
+        'Please try `npm i` again after removing both package-lock.json and node_modules directory.',
+    )
+    // assign instead of the `new Error(message, { cause })` options form,
+    // which Node < 16.9 silently ignores
+    error.cause = loadErrors.reduce((err, cur) => {
+      cur.cause = err
+      return cur
+    })
+    throw error
+  }
+  throw new Error(`Failed to load native binding`)
+}
+
+module.exports = nativeBinding
+module.exports.generateKeypair = nativeBinding.generateKeypair
+module.exports.generateSigningKeypair = nativeBinding.generateSigningKeypair
+module.exports.open = nativeBinding.open
+module.exports.seal = nativeBinding.seal
+module.exports.sign = nativeBinding.sign
+module.exports.verify = nativeBinding.verify

package/dist/index.cjs

@@ -0,0 +1,69 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  generateKeypair: () => generateKeypair,
+  generateSigningKeypair: () => generateSigningKeypair,
+  open: () => open,
+  seal: () => seal,
+  sign: () => sign,
+  verify: () => verify
+});
+module.exports = __toCommonJS(index_exports);
+var import_binding = __toESM(require("../binding.js"));
+function generateKeypair() {
+  return import_binding.default.generateKeypair();
+}
+function seal(data, recipientPublicKey) {
+  return import_binding.default.seal(data, recipientPublicKey);
+}
+function open(ciphertext, recipientSecretKey) {
+  return import_binding.default.open(ciphertext, recipientSecretKey);
+}
+function generateSigningKeypair() {
+  return import_binding.default.generateSigningKeypair();
+}
+function sign(message, secretKey) {
+  return import_binding.default.sign(message, secretKey);
+}
+function verify(message, signature, publicKey) {
+  return import_binding.default.verify(message, signature, publicKey);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  generateKeypair,
+  generateSigningKeypair,
+  open,
+  seal,
+  sign,
+  verify
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * pqc-vault — hybrid post-quantum encryption and signatures for Node.js.\n *\n * Hybrid (classical + post-quantum) construction using X25519 + ML-KEM-768 for\n * encryption and ML-DSA-65 for signatures, via the formally-verified libcrux\n * backend.\n *\n * All functions accept any `Uint8Array` (a Node `Buffer` is a `Uint8Array`, so\n * Buffers work too) and resolve to a `Buffer` (which is itself a `Uint8Array`).\n */\n\n// The native addon loader is shipped alongside this file and kept external from\n// the bundle, so its relative `require` of the platform `.node` stays correct.\nimport native from \"../binding.js\";\n\n/** A hybrid keypair. Both fields are self-describing binary blobs. */\nexport interface KeyPair {\n  /** Recipient public key (X25519 + ML-KEM-768), safe to share. */\n  publicKey: Buffer;\n  /** Recipient secret key (X25519 + ML-KEM-768). Keep secret. */\n  secretKey: Buffer;\n}\n\n/** Accepts `Uint8Array` or Node `Buffer`. */\nexport type BytesInput = Uint8Array;\n\n/**\n * Generate a fresh hybrid encryption keypair (X25519 + ML-KEM-768).\n */\nexport function generateKeypair(): Promise<KeyPair> {\n  return native.generateKeypair();\n}\n\n/**\n * Hybrid-encrypt `data` for the holder of `recipientPublicKey`.\n *\n * Internally: ephemeral X25519 + ML-KEM-768 encapsulation, combined via\n * HKDF-SHA256, then AES-256-GCM over the payload. The output is a versioned,\n * self-describing binary message.\n */\nexport function seal(\n  data: BytesInput,\n  recipientPublicKey: BytesInput,\n): Promise<Buffer> {\n  return native.seal(data, recipientPublicKey);\n}\n\n/**\n * Decrypt a message produced by {@link seal} using `recipientSecretKey`.\n *\n * Rejects with a generic error on any failure (wrong key, tampered ciphertext,\n * tampered tag) without distinguishing the cause.\n */\nexport function open(\n  ciphertext: BytesInput,\n  recipientSecretKey: BytesInput,\n): Promise<Buffer> {\n  return native.open(ciphertext, recipientSecretKey);\n}\n\n// ---- Signatures (ML-DSA-65) ----\n\n/**\n * Generate a fresh ML-DSA-65 signing keypair.\n */\nexport function generateSigningKeypair(): Promise<KeyPair> {\n  return native.generateSigningKeypair();\n}\n\n/**\n * Sign `message` with an ML-DSA-65 signing secret key. Returns a versioned,\n * self-describing signature blob.\n */\nexport function sign(\n  message: BytesInput,\n  secretKey: BytesInput,\n): Promise<Buffer> {\n  return native.sign(message, secretKey);\n}\n\n/**\n * Verify a `signature` over `message` against a signing public key.\n *\n * Resolves to `true`/`false`. A malformed signature resolves to `false`; a\n * malformed public key rejects with an error.\n */\nexport function verify(\n  message: BytesInput,\n  signature: BytesInput,\n  publicKey: BytesInput,\n): Promise<boolean> {\n  return native.verify(message, signature, publicKey);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAaA,qBAAmB;AAgBZ,SAAS,kBAAoC;AAClD,SAAO,eAAAA,QAAO,gBAAgB;AAChC;AASO,SAAS,KACd,MACA,oBACiB;AACjB,SAAO,eAAAA,QAAO,KAAK,MAAM,kBAAkB;AAC7C;AAQO,SAAS,KACd,YACA,oBACiB;AACjB,SAAO,eAAAA,QAAO,KAAK,YAAY,kBAAkB;AACnD;AAOO,SAAS,yBAA2C;AACzD,SAAO,eAAAA,QAAO,uBAAuB;AACvC;AAMO,SAAS,KACd,SACA,WACiB;AACjB,SAAO,eAAAA,QAAO,KAAK,SAAS,SAAS;AACvC;AAQO,SAAS,OACd,SACA,WACA,WACkB;AAClB,SAAO,eAAAA,QAAO,OAAO,SAAS,WAAW,SAAS;AACpD;","names":["native"]}

package/dist/index.d.mts

@@ -0,0 +1,56 @@
+/**
+ * pqc-vault — hybrid post-quantum encryption and signatures for Node.js.
+ *
+ * Hybrid (classical + post-quantum) construction using X25519 + ML-KEM-768 for
+ * encryption and ML-DSA-65 for signatures, via the formally-verified libcrux
+ * backend.
+ *
+ * All functions accept any `Uint8Array` (a Node `Buffer` is a `Uint8Array`, so
+ * Buffers work too) and resolve to a `Buffer` (which is itself a `Uint8Array`).
+ */
+/** A hybrid keypair. Both fields are self-describing binary blobs. */
+interface KeyPair {
+    /** Recipient public key (X25519 + ML-KEM-768), safe to share. */
+    publicKey: Buffer;
+    /** Recipient secret key (X25519 + ML-KEM-768). Keep secret. */
+    secretKey: Buffer;
+}
+/** Accepts `Uint8Array` or Node `Buffer`. */
+type BytesInput = Uint8Array;
+/**
+ * Generate a fresh hybrid encryption keypair (X25519 + ML-KEM-768).
+ */
+declare function generateKeypair(): Promise<KeyPair>;
+/**
+ * Hybrid-encrypt `data` for the holder of `recipientPublicKey`.
+ *
+ * Internally: ephemeral X25519 + ML-KEM-768 encapsulation, combined via
+ * HKDF-SHA256, then AES-256-GCM over the payload. The output is a versioned,
+ * self-describing binary message.
+ */
+declare function seal(data: BytesInput, recipientPublicKey: BytesInput): Promise<Buffer>;
+/**
+ * Decrypt a message produced by {@link seal} using `recipientSecretKey`.
+ *
+ * Rejects with a generic error on any failure (wrong key, tampered ciphertext,
+ * tampered tag) without distinguishing the cause.
+ */
+declare function open(ciphertext: BytesInput, recipientSecretKey: BytesInput): Promise<Buffer>;
+/**
+ * Generate a fresh ML-DSA-65 signing keypair.
+ */
+declare function generateSigningKeypair(): Promise<KeyPair>;
+/**
+ * Sign `message` with an ML-DSA-65 signing secret key. Returns a versioned,
+ * self-describing signature blob.
+ */
+declare function sign(message: BytesInput, secretKey: BytesInput): Promise<Buffer>;
+/**
+ * Verify a `signature` over `message` against a signing public key.
+ *
+ * Resolves to `true`/`false`. A malformed signature resolves to `false`; a
+ * malformed public key rejects with an error.
+ */
+declare function verify(message: BytesInput, signature: BytesInput, publicKey: BytesInput): Promise<boolean>;
+
+export { type BytesInput, type KeyPair, generateKeypair, generateSigningKeypair, open, seal, sign, verify };

package/dist/index.d.ts

@@ -0,0 +1,56 @@
+/**
+ * pqc-vault — hybrid post-quantum encryption and signatures for Node.js.
+ *
+ * Hybrid (classical + post-quantum) construction using X25519 + ML-KEM-768 for
+ * encryption and ML-DSA-65 for signatures, via the formally-verified libcrux
+ * backend.
+ *
+ * All functions accept any `Uint8Array` (a Node `Buffer` is a `Uint8Array`, so
+ * Buffers work too) and resolve to a `Buffer` (which is itself a `Uint8Array`).
+ */
+/** A hybrid keypair. Both fields are self-describing binary blobs. */
+interface KeyPair {
+    /** Recipient public key (X25519 + ML-KEM-768), safe to share. */
+    publicKey: Buffer;
+    /** Recipient secret key (X25519 + ML-KEM-768). Keep secret. */
+    secretKey: Buffer;
+}
+/** Accepts `Uint8Array` or Node `Buffer`. */
+type BytesInput = Uint8Array;
+/**
+ * Generate a fresh hybrid encryption keypair (X25519 + ML-KEM-768).
+ */
+declare function generateKeypair(): Promise<KeyPair>;
+/**
+ * Hybrid-encrypt `data` for the holder of `recipientPublicKey`.
+ *
+ * Internally: ephemeral X25519 + ML-KEM-768 encapsulation, combined via
+ * HKDF-SHA256, then AES-256-GCM over the payload. The output is a versioned,
+ * self-describing binary message.
+ */
+declare function seal(data: BytesInput, recipientPublicKey: BytesInput): Promise<Buffer>;
+/**
+ * Decrypt a message produced by {@link seal} using `recipientSecretKey`.
+ *
+ * Rejects with a generic error on any failure (wrong key, tampered ciphertext,
+ * tampered tag) without distinguishing the cause.
+ */
+declare function open(ciphertext: BytesInput, recipientSecretKey: BytesInput): Promise<Buffer>;
+/**
+ * Generate a fresh ML-DSA-65 signing keypair.
+ */
+declare function generateSigningKeypair(): Promise<KeyPair>;
+/**
+ * Sign `message` with an ML-DSA-65 signing secret key. Returns a versioned,
+ * self-describing signature blob.
+ */
+declare function sign(message: BytesInput, secretKey: BytesInput): Promise<Buffer>;
+/**
+ * Verify a `signature` over `message` against a signing public key.
+ *
+ * Resolves to `true`/`false`. A malformed signature resolves to `false`; a
+ * malformed public key rejects with an error.
+ */
+declare function verify(message: BytesInput, signature: BytesInput, publicKey: BytesInput): Promise<boolean>;
+
+export { type BytesInput, type KeyPair, generateKeypair, generateSigningKeypair, open, seal, sign, verify };

package/dist/index.mjs

@@ -0,0 +1,29 @@
+// src/index.ts
+import native from "../binding.js";
+function generateKeypair() {
+  return native.generateKeypair();
+}
+function seal(data, recipientPublicKey) {
+  return native.seal(data, recipientPublicKey);
+}
+function open(ciphertext, recipientSecretKey) {
+  return native.open(ciphertext, recipientSecretKey);
+}
+function generateSigningKeypair() {
+  return native.generateSigningKeypair();
+}
+function sign(message, secretKey) {
+  return native.sign(message, secretKey);
+}
+function verify(message, signature, publicKey) {
+  return native.verify(message, signature, publicKey);
+}
+export {
+  generateKeypair,
+  generateSigningKeypair,
+  open,
+  seal,
+  sign,
+  verify
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * pqc-vault — hybrid post-quantum encryption and signatures for Node.js.\n *\n * Hybrid (classical + post-quantum) construction using X25519 + ML-KEM-768 for\n * encryption and ML-DSA-65 for signatures, via the formally-verified libcrux\n * backend.\n *\n * All functions accept any `Uint8Array` (a Node `Buffer` is a `Uint8Array`, so\n * Buffers work too) and resolve to a `Buffer` (which is itself a `Uint8Array`).\n */\n\n// The native addon loader is shipped alongside this file and kept external from\n// the bundle, so its relative `require` of the platform `.node` stays correct.\nimport native from \"../binding.js\";\n\n/** A hybrid keypair. Both fields are self-describing binary blobs. */\nexport interface KeyPair {\n  /** Recipient public key (X25519 + ML-KEM-768), safe to share. */\n  publicKey: Buffer;\n  /** Recipient secret key (X25519 + ML-KEM-768). Keep secret. */\n  secretKey: Buffer;\n}\n\n/** Accepts `Uint8Array` or Node `Buffer`. */\nexport type BytesInput = Uint8Array;\n\n/**\n * Generate a fresh hybrid encryption keypair (X25519 + ML-KEM-768).\n */\nexport function generateKeypair(): Promise<KeyPair> {\n  return native.generateKeypair();\n}\n\n/**\n * Hybrid-encrypt `data` for the holder of `recipientPublicKey`.\n *\n * Internally: ephemeral X25519 + ML-KEM-768 encapsulation, combined via\n * HKDF-SHA256, then AES-256-GCM over the payload. The output is a versioned,\n * self-describing binary message.\n */\nexport function seal(\n  data: BytesInput,\n  recipientPublicKey: BytesInput,\n): Promise<Buffer> {\n  return native.seal(data, recipientPublicKey);\n}\n\n/**\n * Decrypt a message produced by {@link seal} using `recipientSecretKey`.\n *\n * Rejects with a generic error on any failure (wrong key, tampered ciphertext,\n * tampered tag) without distinguishing the cause.\n */\nexport function open(\n  ciphertext: BytesInput,\n  recipientSecretKey: BytesInput,\n): Promise<Buffer> {\n  return native.open(ciphertext, recipientSecretKey);\n}\n\n// ---- Signatures (ML-DSA-65) ----\n\n/**\n * Generate a fresh ML-DSA-65 signing keypair.\n */\nexport function generateSigningKeypair(): Promise<KeyPair> {\n  return native.generateSigningKeypair();\n}\n\n/**\n * Sign `message` with an ML-DSA-65 signing secret key. Returns a versioned,\n * self-describing signature blob.\n */\nexport function sign(\n  message: BytesInput,\n  secretKey: BytesInput,\n): Promise<Buffer> {\n  return native.sign(message, secretKey);\n}\n\n/**\n * Verify a `signature` over `message` against a signing public key.\n *\n * Resolves to `true`/`false`. A malformed signature resolves to `false`; a\n * malformed public key rejects with an error.\n */\nexport function verify(\n  message: BytesInput,\n  signature: BytesInput,\n  publicKey: BytesInput,\n): Promise<boolean> {\n  return native.verify(message, signature, publicKey);\n}\n"],"mappings":";AAaA,OAAO,YAAY;AAgBZ,SAAS,kBAAoC;AAClD,SAAO,OAAO,gBAAgB;AAChC;AASO,SAAS,KACd,MACA,oBACiB;AACjB,SAAO,OAAO,KAAK,MAAM,kBAAkB;AAC7C;AAQO,SAAS,KACd,YACA,oBACiB;AACjB,SAAO,OAAO,KAAK,YAAY,kBAAkB;AACnD;AAOO,SAAS,yBAA2C;AACzD,SAAO,OAAO,uBAAuB;AACvC;AAMO,SAAS,KACd,SACA,WACiB;AACjB,SAAO,OAAO,KAAK,SAAS,SAAS;AACvC;AAQO,SAAS,OACd,SACA,WACA,WACkB;AAClB,SAAO,OAAO,OAAO,SAAS,WAAW,SAAS;AACpD;","names":[]}

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "pqc-vault",
+  "version": "0.1.0",
+  "description": "Hybrid post-quantum encryption (X25519 + ML-KEM-768) and signatures (ML-DSA-65) for Node.js — libsodium-style API over the formally-verified libcrux backend.",
+  "author": "carlosmontanor",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cjmont/pqc-vault.git"
+  },
+  "keywords": [
+    "post-quantum",
+    "pqc",
+    "ml-kem",
+    "ml-dsa",
+    "kyber",
+    "dilithium",
+    "x25519",
+    "hybrid",
+    "encryption",
+    "libcrux",
+    "napi-rs"
+  ],
+  "type": "commonjs",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist",
+    "binding.js",
+    "binding.d.ts"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "napi": {
+    "binaryName": "pqc-vault",
+    "packageName": "@post-quantum-cryptography/pqc-vault",
+    "targets": [
+      "x86_64-pc-windows-msvc",
+      "x86_64-unknown-linux-gnu",
+      "aarch64-unknown-linux-gnu",
+      "aarch64-apple-darwin"
+    ]
+  },
+  "scripts": {
+    "build:rust": "napi build --release --platform --js-package-name @post-quantum-cryptography/pqc-vault --manifest-path ../../crates/pqc-vault-napi/Cargo.toml --js binding.js --dts binding.d.ts --output-dir .",
+    "build:rust:debug": "napi build --platform --js-package-name @post-quantum-cryptography/pqc-vault --manifest-path ../../crates/pqc-vault-napi/Cargo.toml --js binding.js --dts binding.d.ts --output-dir .",
+    "build:ts": "tsup",
+    "build": "npm run build:rust && npm run build:ts",
+    "test": "node --test \"test/**/*.test.mjs\""
+  },
+  "devDependencies": {
+    "@napi-rs/cli": "^3.0.0",
+    "@types/node": "^22.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
+  },
+  "optionalDependencies": {
+    "@post-quantum-cryptography/pqc-vault-darwin-arm64": "0.1.0",
+    "@post-quantum-cryptography/pqc-vault-linux-arm64-gnu": "0.1.0",
+    "@post-quantum-cryptography/pqc-vault-linux-x64-gnu": "0.1.0",
+    "@post-quantum-cryptography/pqc-vault-win32-x64-msvc": "0.1.0"
+  }
+}