roxify 1.15.3 → 1.16.1

package/dist/cli.js

@@ -20,7 +20,8 @@ async function loadJsEngine() {
         VFSIndexEntry: undefined,
     };
 }
-const VERSION = '1.14.9';
+// Keep in sync with package.json#version.
+const VERSION = '1.16.1';
 function getDirectorySize(dirPath) {
     let totalSize = 0;
     try {
@@ -80,7 +81,6 @@ Commands:
 Options:
   --image                   Use PNG container (default)
   --sound                   Use WAV audio container (smaller overhead, faster)
-  --bwt-ans                 Use BWT-ANS compression instead of Zstd
   -p, --passphrase <pass>   Use passphrase (AES-256-GCM)
   -m, --mode <mode>         Mode: screenshot (default)
   -e, --encrypt <type>      auto|aes|xor|none
@@ -151,10 +151,6 @@ function parseArgs(args) {
                 parsed.forceTs = true;
                 i++;
             }
-            else if (key === 'bwt-ans') {
-                parsed.compression = 'bwt-ans';
-                i++;
-            }
             else if (key === 'lossy-resilient') {
                 parsed.lossyResilient = true;
                 i++;
@@ -221,6 +217,8 @@ function parseArgs(args) {
                     i += 2;
                     break;
                 case 'm':
+                    // -m / --mode (only "screenshot" is supported); kept for compat,
+                    // value is consumed but ignored.
                     i += 2;
                     break;
                 case 'e':
@@ -239,7 +237,6 @@ function parseArgs(args) {
                     parsed.sizes = true;
                     i += 1;
                     break;
-                    break;
                 case 'd':
                     parsed.debugDir = value;
                     i += 2;
@@ -315,7 +312,7 @@ async function encodeCommand(args) {
         }
     }
     catch (e) { }
-    if (isRustBinaryAvailable() && !parsed.forceTs && containerMode !== 'sound' && parsed.compression !== 'bwt-ans') {
+    if (isRustBinaryAvailable() && !parsed.forceTs && containerMode !== 'sound') {
         try {
             console.log(`Encoding to ${resolvedOutput} (Using native Rust encoder)\n`);
             const startTime = Date.now();
@@ -419,8 +416,6 @@ async function encodeCommand(args) {
             options.verbose = true;
         if (parsed.noCompress)
             options.compression = 'none';
-        if (parsed.compression === 'bwt-ans')
-            options.compression = 'bwt-ans';
         if (parsed.passphrase) {
             options.passphrase = parsed.passphrase;
             options.encrypt = parsed.encrypt || 'aes';

package/dist/utils/decoder.d.ts

@@ -42,7 +42,7 @@ import { DecodeOptions, DecodeResult } from './types.js';
  * @param opts - Optional decode options.
  * @returns A Promise resolving to DecodeResult ({ buf, meta } or { files }).
  */
-export declare function decodePngToBinary(input: Buffer | string, _opts?: DecodeOptions): Promise<DecodeResult>;
+export declare function decodePngToBinary(input: Buffer | string, opts?: DecodeOptions): Promise<DecodeResult>;
 /**
  * Detect and reverse simple pixel-stretching where each logical pixel
  * is repeated in an Fx×Fy block. Returns { width, height, data } or null.

package/dist/utils/decoder.js

@@ -1,6 +1,7 @@
 import { readFileSync } from 'fs';
 import { native } from './native.js';
 import { unpackBuffer } from '../pack.js';
+import { tryDecryptIfNeeded } from './helpers.js';
 /**
  * Find PXL1 magic in pixel buffer
  */
@@ -115,7 +116,7 @@ function extractPayloadFromPixels(pixels) {
  * @param opts - Optional decode options.
  * @returns A Promise resolving to DecodeResult ({ buf, meta } or { files }).
  */
-export async function decodePngToBinary(input, _opts = {}) {
+export async function decodePngToBinary(input, opts = {}) {
     // Get PNG buffer
     let pngBuf;
     if (Buffer.isBuffer(input)) {
@@ -126,27 +127,37 @@ export async function decodePngToBinary(input, _opts = {}) {
     }
     const payload = Buffer.from(native.extractPayloadFromPng(pngBuf));
     let name;
+    // Single-pass name lookup: ask the native side (which already keeps a
+    // decoded RGB cache during extract_payload_from_png) instead of decoding
+    // pixels again from TS.
     try {
-        const rgbResult = native.pngToRgb(pngBuf);
-        const pixels = Buffer.from(rgbResult.pixels);
-        ({ name } = extractPayloadFromPixels(pixels));
+        const fromNative = native.extractNameFromPng?.(pngBuf);
+        if (typeof fromNative === 'string' && fromNative.length > 0) {
+            name = fromNative;
+        }
     }
     catch { }
+    if (!name) {
+        // Older native binaries don't expose extractNameFromPng; fall back to the
+        // previous TS path (re-decodes pixels, kept only for compat).
+        try {
+            const rgbResult = native.pngToRgb(pngBuf);
+            const pixels = Buffer.from(rgbResult.pixels);
+            ({ name } = extractPayloadFromPixels(pixels));
+        }
+        catch { }
+    }
     if (payload.length === 0) {
         throw new Error('Empty payload extracted');
     }
-    // Handle encryption flag (first byte)
-    // 0x00 = none, 0x01 = XOR, 0x02 = AES, 0x03 = AES-CTR
+    // Handle encryption flag (first byte): 0x00 none, 0x01 XOR, 0x02 AES-GCM, 0x03 AES-CTR.
+    // tryDecryptIfNeeded handles 0x00/0x01/0x02; 0x03 (streaming AES-CTR) needs native path.
     let data;
-    if (payload[0] !== 0x00) {
-        // Encrypted payload - not supported in current decoder
-        // The native encoder handles encryption, but decoder needs native decrypt support
-        throw new Error('Encrypted payload requires passphrase (not yet implemented in decoder)');
-    }
-    else {
-        // Non-encrypted: skip the flag byte
-        data = payload.subarray(1);
+    const flag = payload[0];
+    if (flag === 0x03) {
+        throw new Error('AES-CTR streaming payload requires the native decoder');
     }
+    data = tryDecryptIfNeeded(payload, opts.passphrase);
     // Decompress with zstd
     let decompressed;
     try {

package/dist/utils/helpers.js

@@ -86,7 +86,8 @@ export function tryDecryptIfNeeded(buf, passphrase) {
         const iv = buf.slice(17, 29);
         const tag = buf.slice(29, 45);
         const enc = buf.slice(45);
-        const PBKDF2_ITERS = 1000000;
+        // Must match native/crypto.rs:PBKDF2_ITERS — derived key depends on it.
+        const PBKDF2_ITERS = 600000;
         const key = pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, 32, 'sha256');
         const dec = createDecipheriv('aes-256-gcm', key, iv);
         dec.setAuthTag(tag);

package/dist/utils/rust-cli-wrapper.js

@@ -160,14 +160,22 @@ function spawnRustCLI(args, options) {
         let triedExtract = false;
         let tempExe;
         let stdout = '';
+        // Keep a tail of recent stderr lines so a non-zero exit produces an
+        // actionable error message instead of bare "exited with status 1".
+        const STDERR_TAIL = 32;
+        const stderrTail = [];
+        const pushStderr = (line) => {
+            stderrTail.push(line);
+            if (stderrTail.length > STDERR_TAIL)
+                stderrTail.shift();
+        };
         const runSpawn = (exePath) => {
             let proc;
-            const hasProgress = !!options?.onProgress;
+            // Always pipe stderr so we can surface failure context, even when no
+            // progress callback is registered.
             const stdio = options?.collectStdout
-                ? ['pipe', 'pipe', hasProgress ? 'pipe' : 'inherit']
-                : hasProgress
-                    ? ['pipe', 'inherit', 'pipe']
-                    : 'inherit';
+                ? ['pipe', 'pipe', 'pipe']
+                : ['pipe', 'inherit', 'pipe'];
             try {
                 proc = spawn(exePath, args, { stdio });
             }
@@ -187,18 +195,20 @@ function spawnRustCLI(args, options) {
             if (options?.collectStdout && proc.stdout) {
                 proc.stdout.on('data', (chunk) => { stdout += chunk.toString(); });
             }
-            if (hasProgress && proc.stderr) {
+            if (proc.stderr) {
+                const hasProgress = !!options?.onProgress;
                 let stderrBuf = '';
                 proc.stderr.on('data', (chunk) => {
                     stderrBuf += chunk.toString();
                     const lines = stderrBuf.split('\n');
                     stderrBuf = lines.pop() || '';
                     for (const line of lines) {
-                        const match = line.match(/^PROGRESS:(\d+):(\d+):(.+)$/);
+                        const match = hasProgress ? line.match(/^PROGRESS:(\d+):(\d+):(.+)$/) : null;
                         if (match) {
                             options.onProgress(Number(match[1]), Number(match[2]), match[3]);
                         }
                         else if (line.trim()) {
+                            pushStderr(line);
                             process.stderr.write(line + '\n');
                         }
                     }
@@ -226,8 +236,10 @@ function spawnRustCLI(args, options) {
                 }
                 if (code === 0 || (code === null && signal === null))
                     resolve(stdout);
-                else
-                    reject(new Error(`Rust CLI exited with status ${code ?? signal}`));
+                else {
+                    const trailer = stderrTail.length > 0 ? `\n  stderr tail:\n    ${stderrTail.join('\n    ')}` : '';
+                    reject(new Error(`Rust CLI exited with status ${code ?? signal}${trailer}`));
+                }
             });
         };
         runSpawn(cliPath);
@@ -238,14 +250,11 @@ export async function encodeWithRustCLI(inputPath, outputPath, compressionLevel
     if (!cliPath)
         throw new Error('Rust CLI binary not found');
     const args = ['encode', '--level', String(compressionLevel)];
-    if (name) {
-        try {
-            const helpOut = execSync(`"${cliPath}" --help`, { encoding: 'utf8', timeout: 2000 });
-            if (helpOut && helpOut.includes('--name'))
-                args.push('--name', name);
-        }
-        catch (e) { }
-    }
+    // --name is supported on all roxify_native binaries shipped since 1.14.x.
+    // We used to spawn `--help` here to feature-detect, which cost a full
+    // process fork per encode call. Just pass it.
+    if (name)
+        args.push('--name', name);
     if (passphrase) {
         args.push('--passphrase', passphrase);
         args.push('--encrypt', encryptType);

package/dist/utils/types.d.ts

@@ -1,7 +1,8 @@
 import { PackedFile } from '../pack.js';
 import type { EccLevel } from './ecc.js';
 export interface EncodeOptions {
-    compression?: 'zstd' | 'bwt-ans';
+    /** Only 'zstd' is wired in the current encoder; reserved for future codecs. */
+    compression?: 'zstd';
     compressionLevel?: number;
     passphrase?: string;
     /** optional dictionary to use for zstd compression */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "roxify",
-  "version": "1.15.3",
+  "version": "1.16.1",
   "type": "module",
   "description": "Ultra-lightweight PNG steganography with native Rust acceleration. Encode binary data into PNG images with zstd compression.",
   "main": "dist/index.js",