stegano-kit 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Prateek Singh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,156 @@
+# stegano-kit
+
+[![CI](https://github.com/PrateekSingh070/stegano-kit/actions/workflows/ci.yml/badge.svg)](https://github.com/PrateekSingh070/stegano-kit/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/stegano-kit.svg)](https://www.npmjs.com/package/stegano-kit)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![TypeScript](https://img.shields.io/badge/TypeScript-strict-blue.svg)](https://www.typescriptlang.org/)
+[![Zero Dependencies](https://img.shields.io/badge/dependencies-0-brightgreen.svg)](https://www.npmjs.com/package/stegano-kit)
+
+Lightweight, zero-dependency steganography library for the browser and Node.js. Hide secret messages inside images using LSB (Least Significant Bit) encoding, with optional AES-256 encryption.
+
+```
+npm install stegano-kit
+```
+
+## Why?
+
+Existing JS steganography packages are either abandoned, browser-only, lack TypeScript support, or have heavy dependencies. `stegano-kit` is:
+
+- **Tiny** — under 8 KB bundled, zero runtime dependencies
+- **Typed** — first-class TypeScript with full type exports
+- **Flexible** — configurable bits-per-channel (1–4), channel selection (R/G/B/A)
+- **Secure** — optional AES-256-GCM encryption via Web Crypto
+- **Universal** — works in browsers (Canvas API) and Node.js (raw pixel buffers)
+
+## Quick Start
+
+### Browser
+
+```js
+import { encode, decode, capacity } from 'stegano-kit';
+
+// Load image onto a canvas
+const img = document.getElementById('source-image');
+const canvas = document.createElement('canvas');
+canvas.width = img.naturalWidth;
+canvas.height = img.naturalHeight;
+const ctx = canvas.getContext('2d');
+ctx.drawImage(img, 0, 0);
+
+// Check capacity
+const imageData = ctx.getImageData(0, 0, canvas.width, canvas.height);
+console.log(capacity(imageData));
+// → { totalBytes: 3742, readable: '3.7 KB', width: 100, height: 100 }
+
+// Encode a secret message
+const encoded = await encode(imageData, 'Attack at dawn 🌅');
+ctx.putImageData(new ImageData(encoded.data, encoded.width, encoded.height), 0, 0);
+
+// Decode
+const decoded = await decode(encoded);
+console.log(decoded); // → "Attack at dawn 🌅"
+```
+
+### Node.js (with raw pixel data)
+
+```js
+const { encode, decode } = require('stegano-kit');
+
+// Create or load RGBA pixel data from your image library of choice
+const imageData = {
+  width: 200,
+  height: 200,
+  data: new Uint8ClampedArray(200 * 200 * 4), // your pixel data
+};
+
+const encoded = await encode(imageData, 'Secret message');
+const secret = await decode(encoded);
+```
+
+## API
+
+### `encode(imageData, message, options?)`
+
+Embeds a secret string into image pixel data.
+
+| Parameter   | Type         | Description                              |
+| ----------- | ------------ | ---------------------------------------- |
+| `imageData` | `ImageLike`  | Object with `width`, `height`, and `data` (Uint8ClampedArray RGBA) |
+| `message`   | `string`     | The secret text to hide                  |
+| `options`   | `EncodeOptions` | Optional settings (see below)         |
+
+Returns `Promise<ImageLike>` — a new pixel buffer with the message embedded.
+
+### `decode(imageData, options?)`
+
+Extracts a hidden message from image pixel data.
+
+| Parameter   | Type         | Description                              |
+| ----------- | ------------ | ---------------------------------------- |
+| `imageData` | `ImageLike`  | Encoded image pixel data                 |
+| `options`   | `DecodeOptions` | Must match encoding options           |
+
+Returns `Promise<string>` — the decoded secret.
+
+### `capacity(imageData, options?)`
+
+Calculates how many bytes of secret data the image can hold.
+
+Returns `CapacityInfo`:
+
+```ts
+{
+  totalBytes: number;  // max payload size in bytes
+  readable: string;    // human-friendly string like "12.4 KB"
+  width: number;
+  height: number;
+}
+```
+
+## Options
+
+```ts
+interface EncodeOptions {
+  bitsPerChannel?: number;        // 1–4, default: 1
+  channels?: ('r'|'g'|'b'|'a')[]; // default: ['r','g','b']
+  password?: string;               // enables AES-256-GCM encryption
+}
+```
+
+| Option           | Default         | Description                        |
+| ---------------- | --------------- | ---------------------------------- |
+| `bitsPerChannel` | `1`             | More bits = more capacity, but more visible artifacts |
+| `channels`       | `['r','g','b']` | Which color channels to use        |
+| `password`       | `undefined`     | If set, payload is encrypted with AES-256-GCM |
+
+> **Tip:** `bitsPerChannel: 1` with RGB channels is virtually invisible to the human eye. Increase to 2 for ~2x capacity if minor color shifts are acceptable.
+
+## Encryption
+
+Pass a `password` to both `encode` and `decode` to encrypt the payload with AES-256-GCM (PBKDF2 key derivation, 100k iterations):
+
+```js
+const encoded = await encode(imageData, 'Top secret', { password: 'my-key' });
+const decoded = await decode(encoded, { password: 'my-key' });
+```
+
+Without the correct password, `decode` will throw.
+
+## How It Works
+
+1. Your message is converted to bytes (UTF-8), optionally encrypted
+2. A bit stream is constructed: `[32-bit magic header][32-bit payload length][payload bits]`
+3. Each bit is written into the least significant bit(s) of selected color channels
+4. On decode, the magic header is verified, length is read, and payload is extracted
+
+The image looks identical to the naked eye — pixel values change by at most ±1 (with default 1-bit encoding).
+
+## Limitations
+
+- Input must be raw RGBA pixel data (`Uint8ClampedArray`). Use Canvas API in browsers, or a library like `sharp`/`jimp` in Node.js to get pixel buffers.
+- JPEG re-compression destroys hidden data. Always save encoded images as PNG.
+- Alpha channel encoding (`channels: ['r','g','b','a']`) may cause issues with transparent images.
+
+## License
+
+MIT © [Prateek Singh](https://github.com/PrateekSingh070)

package/dist/index.d.mts

@@ -0,0 +1,57 @@
+interface EncodeOptions {
+    /** Number of least-significant bits to use per color channel (1-4). Default: 1 */
+    bitsPerChannel?: number;
+    /** Which color channels to embed data in. Default: ['r','g','b'] */
+    channels?: Array<'r' | 'g' | 'b' | 'a'>;
+    /** Optional encryption password — AES-256-GCM via SubtleCrypto */
+    password?: string;
+}
+interface DecodeOptions {
+    /** Must match the bitsPerChannel used during encoding. Default: 1 */
+    bitsPerChannel?: number;
+    /** Must match the channels used during encoding. Default: ['r','g','b'] */
+    channels?: Array<'r' | 'g' | 'b' | 'a'>;
+    /** Password if the message was encrypted during encoding */
+    password?: string;
+}
+interface CapacityInfo {
+    /** Total bytes that can be hidden in this image with current settings */
+    totalBytes: number;
+    /** Human-readable capacity string (e.g. "12.4 KB") */
+    readable: string;
+    /** Image dimensions */
+    width: number;
+    height: number;
+}
+interface ImageLike {
+    width: number;
+    height: number;
+    data: Uint8ClampedArray;
+}
+
+/**
+ * Encode a secret message into raw RGBA pixel data using LSB steganography.
+ *
+ * @param imageData - Object with `width`, `height`, and `data` (Uint8ClampedArray of RGBA pixels).
+ *                    In the browser, pass the result of `ctx.getImageData(...)`.
+ * @param message   - The secret string to hide.
+ * @param options   - Optional encoding parameters.
+ * @returns A new ImageData-like object with the message embedded.
+ */
+declare function encode(imageData: ImageLike, message: string, options?: EncodeOptions): Promise<ImageLike>;
+
+/**
+ * Decode a hidden message from RGBA pixel data.
+ *
+ * @param imageData - Object with `width`, `height`, and `data` (Uint8ClampedArray of RGBA pixels).
+ * @param options   - Must match the options used during encoding.
+ * @returns The decoded secret string.
+ */
+declare function decode(imageData: ImageLike, options?: DecodeOptions): Promise<string>;
+
+/**
+ * Calculate how much secret data an image can hold with the given settings.
+ */
+declare function capacity(imageData: ImageLike, options?: EncodeOptions): CapacityInfo;
+
+export { type CapacityInfo, type DecodeOptions, type EncodeOptions, type ImageLike, capacity, decode, encode };

package/dist/index.d.ts

@@ -0,0 +1,57 @@
+interface EncodeOptions {
+    /** Number of least-significant bits to use per color channel (1-4). Default: 1 */
+    bitsPerChannel?: number;
+    /** Which color channels to embed data in. Default: ['r','g','b'] */
+    channels?: Array<'r' | 'g' | 'b' | 'a'>;
+    /** Optional encryption password — AES-256-GCM via SubtleCrypto */
+    password?: string;
+}
+interface DecodeOptions {
+    /** Must match the bitsPerChannel used during encoding. Default: 1 */
+    bitsPerChannel?: number;
+    /** Must match the channels used during encoding. Default: ['r','g','b'] */
+    channels?: Array<'r' | 'g' | 'b' | 'a'>;
+    /** Password if the message was encrypted during encoding */
+    password?: string;
+}
+interface CapacityInfo {
+    /** Total bytes that can be hidden in this image with current settings */
+    totalBytes: number;
+    /** Human-readable capacity string (e.g. "12.4 KB") */
+    readable: string;
+    /** Image dimensions */
+    width: number;
+    height: number;
+}
+interface ImageLike {
+    width: number;
+    height: number;
+    data: Uint8ClampedArray;
+}
+
+/**
+ * Encode a secret message into raw RGBA pixel data using LSB steganography.
+ *
+ * @param imageData - Object with `width`, `height`, and `data` (Uint8ClampedArray of RGBA pixels).
+ *                    In the browser, pass the result of `ctx.getImageData(...)`.
+ * @param message   - The secret string to hide.
+ * @param options   - Optional encoding parameters.
+ * @returns A new ImageData-like object with the message embedded.
+ */
+declare function encode(imageData: ImageLike, message: string, options?: EncodeOptions): Promise<ImageLike>;
+
+/**
+ * Decode a hidden message from RGBA pixel data.
+ *
+ * @param imageData - Object with `width`, `height`, and `data` (Uint8ClampedArray of RGBA pixels).
+ * @param options   - Must match the options used during encoding.
+ * @returns The decoded secret string.
+ */
+declare function decode(imageData: ImageLike, options?: DecodeOptions): Promise<string>;
+
+/**
+ * Calculate how much secret data an image can hold with the given settings.
+ */
+declare function capacity(imageData: ImageLike, options?: EncodeOptions): CapacityInfo;
+
+export { type CapacityInfo, type DecodeOptions, type EncodeOptions, type ImageLike, capacity, decode, encode };

package/dist/index.js

@@ -0,0 +1,228 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  capacity: () => capacity,
+  decode: () => decode,
+  encode: () => encode
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/utils.ts
+var HEADER_BITS = 32;
+var MAGIC = 1398031687;
+function getChannelIndices(channels) {
+  const map = { r: 0, g: 1, b: 2, a: 3 };
+  return channels.map((c) => map[c]);
+}
+function resolveEncodeOpts(opts) {
+  return {
+    bitsPerChannel: opts?.bitsPerChannel ?? 1,
+    channels: opts?.channels ?? ["r", "g", "b"],
+    password: opts?.password
+  };
+}
+function resolveDecodeOpts(opts) {
+  return {
+    bitsPerChannel: opts?.bitsPerChannel ?? 1,
+    channels: opts?.channels ?? ["r", "g", "b"],
+    password: opts?.password
+  };
+}
+function textToBytes(text) {
+  return new TextEncoder().encode(text);
+}
+function bytesToText(bytes) {
+  return new TextDecoder().decode(bytes);
+}
+function buildBitStream(payload) {
+  const totalBits = HEADER_BITS + HEADER_BITS + payload.length * 8;
+  const bits = new Uint8Array(totalBits);
+  let idx = 0;
+  for (let i = 31; i >= 0; i--) bits[idx++] = MAGIC >>> i & 1;
+  for (let i = 31; i >= 0; i--) bits[idx++] = payload.length >>> i & 1;
+  for (const byte of payload) {
+    for (let i = 7; i >= 0; i--) {
+      bits[idx++] = byte >>> i & 1;
+    }
+  }
+  return bits;
+}
+function readUint32(bits, offset) {
+  let value = 0;
+  for (let i = 0; i < 32; i++) {
+    value = value << 1 | bits[offset + i];
+  }
+  return value >>> 0;
+}
+function maxPayloadBytes(imageData, bitsPerChannel, channelCount) {
+  const totalUsableBits = imageData.width * imageData.height * channelCount * bitsPerChannel;
+  const headerBits = HEADER_BITS * 2;
+  return Math.floor((totalUsableBits - headerBits) / 8);
+}
+async function deriveKey(password, salt) {
+  const enc = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt, iterations: 1e5, hash: "SHA-256" },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function encrypt(data, password) {
+  const salt = crypto.getRandomValues(new Uint8Array(16));
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const key = await deriveKey(password, salt);
+  const cipher = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, data);
+  const out = new Uint8Array(salt.length + iv.length + cipher.byteLength);
+  out.set(salt, 0);
+  out.set(iv, salt.length);
+  out.set(new Uint8Array(cipher), salt.length + iv.length);
+  return out;
+}
+async function decrypt(data, password) {
+  const salt = data.slice(0, 16);
+  const iv = data.slice(16, 28);
+  const cipher = data.slice(28);
+  const key = await deriveKey(password, salt);
+  const plain = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, cipher);
+  return new Uint8Array(plain);
+}
+
+// src/encode.ts
+async function encode(imageData, message, options) {
+  const { bitsPerChannel, channels, password } = resolveEncodeOpts(options);
+  let payload = textToBytes(message);
+  if (password) {
+    payload = await encrypt(payload, password);
+  }
+  const capacity2 = maxPayloadBytes(imageData, bitsPerChannel, channels.length);
+  if (payload.length > capacity2) {
+    throw new RangeError(
+      `Message too large: ${payload.length} bytes, but image can hold at most ${capacity2} bytes with current settings (${bitsPerChannel} bits/channel, channels: ${channels.join(",")}).`
+    );
+  }
+  const bits = buildBitStream(payload);
+  const channelIdx = getChannelIndices(channels);
+  const out = new Uint8ClampedArray(imageData.data);
+  const mask = 255 << bitsPerChannel;
+  let bitPos = 0;
+  outer: for (let px = 0; px < imageData.width * imageData.height; px++) {
+    const base = px * 4;
+    for (const ci of channelIdx) {
+      if (bitPos >= bits.length) break outer;
+      let value = 0;
+      for (let b = bitsPerChannel - 1; b >= 0; b--) {
+        if (bitPos < bits.length) {
+          value |= bits[bitPos++] << b;
+        }
+      }
+      out[base + ci] = out[base + ci] & mask | value;
+    }
+  }
+  return { width: imageData.width, height: imageData.height, data: out };
+}
+
+// src/decode.ts
+async function decode(imageData, options) {
+  const { bitsPerChannel, channels, password } = resolveDecodeOpts(options);
+  const channelIdx = getChannelIndices(channels);
+  const extractBits = (count, startBit) => {
+    const bits = new Uint8Array(count);
+    let bitPos = startBit;
+    let written = 0;
+    let px = Math.floor(bitPos / (channelIdx.length * bitsPerChannel));
+    let channelOffset = Math.floor(bitPos % (channelIdx.length * bitsPerChannel) / bitsPerChannel);
+    let bitInChannel = bitPos % bitsPerChannel;
+    outer: for (; px < imageData.width * imageData.height; px++) {
+      const base = px * 4;
+      for (; channelOffset < channelIdx.length; channelOffset++) {
+        const val = imageData.data[base + channelIdx[channelOffset]];
+        for (; bitInChannel < bitsPerChannel; bitInChannel++) {
+          if (written >= count) break outer;
+          const shift = bitsPerChannel - 1 - bitInChannel;
+          bits[written++] = val >>> shift & 1;
+          bitPos++;
+        }
+        bitInChannel = 0;
+      }
+      channelOffset = 0;
+    }
+    return { bits, nextBit: bitPos };
+  };
+  const { bits: magicBits, nextBit: afterMagic } = extractBits(HEADER_BITS, 0);
+  const magic = readUint32(magicBits, 0);
+  if (magic !== MAGIC) {
+    throw new Error(
+      "No hidden message found (magic header mismatch). Make sure decode options match the ones used during encoding."
+    );
+  }
+  const { bits: lenBits, nextBit: afterLen } = extractBits(HEADER_BITS, afterMagic);
+  const payloadLen = readUint32(lenBits, 0);
+  if (payloadLen < 0 || payloadLen > imageData.width * imageData.height) {
+    throw new Error("Invalid payload length detected. The image may not contain a hidden message.");
+  }
+  const { bits: payloadBits } = extractBits(payloadLen * 8, afterLen);
+  const bytes = new Uint8Array(payloadLen);
+  for (let i = 0; i < payloadLen; i++) {
+    let byte = 0;
+    for (let b = 7; b >= 0; b--) {
+      byte |= payloadBits[i * 8 + (7 - b)] << b;
+    }
+    bytes[i] = byte;
+  }
+  if (password) {
+    const decrypted = await decrypt(bytes, password);
+    return bytesToText(decrypted);
+  }
+  return bytesToText(bytes);
+}
+
+// src/capacity.ts
+function humanReadable(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+function capacity(imageData, options) {
+  const { bitsPerChannel, channels } = resolveEncodeOpts(options);
+  const totalBytes = maxPayloadBytes(imageData, bitsPerChannel, channels.length);
+  return {
+    totalBytes,
+    readable: humanReadable(totalBytes),
+    width: imageData.width,
+    height: imageData.height
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  capacity,
+  decode,
+  encode
+});

package/dist/index.mjs

@@ -0,0 +1,199 @@
+// src/utils.ts
+var HEADER_BITS = 32;
+var MAGIC = 1398031687;
+function getChannelIndices(channels) {
+  const map = { r: 0, g: 1, b: 2, a: 3 };
+  return channels.map((c) => map[c]);
+}
+function resolveEncodeOpts(opts) {
+  return {
+    bitsPerChannel: opts?.bitsPerChannel ?? 1,
+    channels: opts?.channels ?? ["r", "g", "b"],
+    password: opts?.password
+  };
+}
+function resolveDecodeOpts(opts) {
+  return {
+    bitsPerChannel: opts?.bitsPerChannel ?? 1,
+    channels: opts?.channels ?? ["r", "g", "b"],
+    password: opts?.password
+  };
+}
+function textToBytes(text) {
+  return new TextEncoder().encode(text);
+}
+function bytesToText(bytes) {
+  return new TextDecoder().decode(bytes);
+}
+function buildBitStream(payload) {
+  const totalBits = HEADER_BITS + HEADER_BITS + payload.length * 8;
+  const bits = new Uint8Array(totalBits);
+  let idx = 0;
+  for (let i = 31; i >= 0; i--) bits[idx++] = MAGIC >>> i & 1;
+  for (let i = 31; i >= 0; i--) bits[idx++] = payload.length >>> i & 1;
+  for (const byte of payload) {
+    for (let i = 7; i >= 0; i--) {
+      bits[idx++] = byte >>> i & 1;
+    }
+  }
+  return bits;
+}
+function readUint32(bits, offset) {
+  let value = 0;
+  for (let i = 0; i < 32; i++) {
+    value = value << 1 | bits[offset + i];
+  }
+  return value >>> 0;
+}
+function maxPayloadBytes(imageData, bitsPerChannel, channelCount) {
+  const totalUsableBits = imageData.width * imageData.height * channelCount * bitsPerChannel;
+  const headerBits = HEADER_BITS * 2;
+  return Math.floor((totalUsableBits - headerBits) / 8);
+}
+async function deriveKey(password, salt) {
+  const enc = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt, iterations: 1e5, hash: "SHA-256" },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function encrypt(data, password) {
+  const salt = crypto.getRandomValues(new Uint8Array(16));
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const key = await deriveKey(password, salt);
+  const cipher = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, data);
+  const out = new Uint8Array(salt.length + iv.length + cipher.byteLength);
+  out.set(salt, 0);
+  out.set(iv, salt.length);
+  out.set(new Uint8Array(cipher), salt.length + iv.length);
+  return out;
+}
+async function decrypt(data, password) {
+  const salt = data.slice(0, 16);
+  const iv = data.slice(16, 28);
+  const cipher = data.slice(28);
+  const key = await deriveKey(password, salt);
+  const plain = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, cipher);
+  return new Uint8Array(plain);
+}
+
+// src/encode.ts
+async function encode(imageData, message, options) {
+  const { bitsPerChannel, channels, password } = resolveEncodeOpts(options);
+  let payload = textToBytes(message);
+  if (password) {
+    payload = await encrypt(payload, password);
+  }
+  const capacity2 = maxPayloadBytes(imageData, bitsPerChannel, channels.length);
+  if (payload.length > capacity2) {
+    throw new RangeError(
+      `Message too large: ${payload.length} bytes, but image can hold at most ${capacity2} bytes with current settings (${bitsPerChannel} bits/channel, channels: ${channels.join(",")}).`
+    );
+  }
+  const bits = buildBitStream(payload);
+  const channelIdx = getChannelIndices(channels);
+  const out = new Uint8ClampedArray(imageData.data);
+  const mask = 255 << bitsPerChannel;
+  let bitPos = 0;
+  outer: for (let px = 0; px < imageData.width * imageData.height; px++) {
+    const base = px * 4;
+    for (const ci of channelIdx) {
+      if (bitPos >= bits.length) break outer;
+      let value = 0;
+      for (let b = bitsPerChannel - 1; b >= 0; b--) {
+        if (bitPos < bits.length) {
+          value |= bits[bitPos++] << b;
+        }
+      }
+      out[base + ci] = out[base + ci] & mask | value;
+    }
+  }
+  return { width: imageData.width, height: imageData.height, data: out };
+}
+
+// src/decode.ts
+async function decode(imageData, options) {
+  const { bitsPerChannel, channels, password } = resolveDecodeOpts(options);
+  const channelIdx = getChannelIndices(channels);
+  const extractBits = (count, startBit) => {
+    const bits = new Uint8Array(count);
+    let bitPos = startBit;
+    let written = 0;
+    let px = Math.floor(bitPos / (channelIdx.length * bitsPerChannel));
+    let channelOffset = Math.floor(bitPos % (channelIdx.length * bitsPerChannel) / bitsPerChannel);
+    let bitInChannel = bitPos % bitsPerChannel;
+    outer: for (; px < imageData.width * imageData.height; px++) {
+      const base = px * 4;
+      for (; channelOffset < channelIdx.length; channelOffset++) {
+        const val = imageData.data[base + channelIdx[channelOffset]];
+        for (; bitInChannel < bitsPerChannel; bitInChannel++) {
+          if (written >= count) break outer;
+          const shift = bitsPerChannel - 1 - bitInChannel;
+          bits[written++] = val >>> shift & 1;
+          bitPos++;
+        }
+        bitInChannel = 0;
+      }
+      channelOffset = 0;
+    }
+    return { bits, nextBit: bitPos };
+  };
+  const { bits: magicBits, nextBit: afterMagic } = extractBits(HEADER_BITS, 0);
+  const magic = readUint32(magicBits, 0);
+  if (magic !== MAGIC) {
+    throw new Error(
+      "No hidden message found (magic header mismatch). Make sure decode options match the ones used during encoding."
+    );
+  }
+  const { bits: lenBits, nextBit: afterLen } = extractBits(HEADER_BITS, afterMagic);
+  const payloadLen = readUint32(lenBits, 0);
+  if (payloadLen < 0 || payloadLen > imageData.width * imageData.height) {
+    throw new Error("Invalid payload length detected. The image may not contain a hidden message.");
+  }
+  const { bits: payloadBits } = extractBits(payloadLen * 8, afterLen);
+  const bytes = new Uint8Array(payloadLen);
+  for (let i = 0; i < payloadLen; i++) {
+    let byte = 0;
+    for (let b = 7; b >= 0; b--) {
+      byte |= payloadBits[i * 8 + (7 - b)] << b;
+    }
+    bytes[i] = byte;
+  }
+  if (password) {
+    const decrypted = await decrypt(bytes, password);
+    return bytesToText(decrypted);
+  }
+  return bytesToText(bytes);
+}
+
+// src/capacity.ts
+function humanReadable(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+function capacity(imageData, options) {
+  const { bitsPerChannel, channels } = resolveEncodeOpts(options);
+  const totalBytes = maxPayloadBytes(imageData, bitsPerChannel, channels.length);
+  return {
+    totalBytes,
+    readable: humanReadable(totalBytes),
+    width: imageData.width,
+    height: imageData.height
+  };
+}
+export {
+  capacity,
+  decode,
+  encode
+};

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "stegano-kit",
+  "version": "1.0.0",
+  "description": "Lightweight browser & Node.js steganography library — hide and extract secret messages in images using LSB encoding",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --format cjs --dts --clean",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "steganography",
+    "stego",
+    "lsb",
+    "image",
+    "hide",
+    "secret",
+    "message",
+    "encode",
+    "decode",
+    "canvas",
+    "pixel",
+    "watermark",
+    "covert",
+    "browser",
+    "typescript"
+  ],
+  "author": "Prateek Singh",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PrateekSingh070/stegano-kit"
+  },
+  "homepage": "https://github.com/PrateekSingh070/stegano-kit#readme",
+  "bugs": {
+    "url": "https://github.com/PrateekSingh070/stegano-kit/issues"
+  },
+  "devDependencies": {
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0",
+    "vitest": "^2.0.0"
+  }
+}