stegdoc 1.0.1 → 4.0.0

package/src/commands/verify.js

@@ -3,9 +3,9 @@ const chalk = require('chalk');
 const ora = require('ora');
 const { readDocxBase64 } = require('../lib/docx-handler');
 const { readXlsxBase64 } = require('../lib/xlsx-handler');
-const { validateMetadata, isMultiPart } = require('../lib/metadata');
+const { validateMetadata, isMultiPart, isStreamingFormat } = require('../lib/metadata');
 const { detectFormat, formatBytes } = require('../lib/utils');
-const { decrypt, unpackEncryptionMeta } = require('../lib/crypto');
+const { decrypt, unpackEncryptionMeta, createDecryptStream } = require('../lib/crypto');
 const { extractContent, findMultiPartFiles } = require('../lib/file-utils');
 
 /**
@@ -47,6 +47,7 @@ async function verifyCommand(inputFile, options) {
     }
 
     const isEncrypted = metadata.encrypted || (encryptionMeta && encryptionMeta.length > 0);
+    const isV4 = isStreamingFormat(metadata);
 
     // Check multi-part
     if (isMultiPart(metadata)) {
@@ -81,35 +82,13 @@ async function verifyCommand(inputFile, options) {
         spinner.text = 'Verifying decryption...';
 
         try {
-          const { iv, salt, authTag } = unpackEncryptionMeta(encryptionMeta);
-
-          // For multi-part files, we need to merge all parts before decryption
-          // AES-GCM requires the complete ciphertext to verify the auth tag
-          let fullContent = encryptedContent;
-
-          if (isMultiPart(metadata)) {
-            const inputDir = path.dirname(inputFile);
-            const allParts = findMultiPartFiles(inputDir, metadata.hash, format);
-
-            if (allParts.length === metadata.totalParts) {
-              // Read and merge all parts
-              const contentParts = [];
-              for (const part of allParts) {
-                let partResult;
-                if (format === 'xlsx') {
-                  partResult = await readXlsxBase64(part.path);
-                } else {
-                  partResult = await readDocxBase64(part.path);
-                }
-                const { encryptedContent: partContent } = extractContent(partResult, format);
-                contentParts.push(partContent);
-              }
-              fullContent = contentParts.join('');
-            }
+          if (isV4) {
+            // v4: per-part encryption — verify each part independently
+            await verifyV4Encryption(inputFile, format, metadata, encryptionMeta, options.password, spinner);
+          } else {
+            // v3: shared encryption — merge all parts then decrypt
+            await verifyV3Encryption(inputFile, format, metadata, encryptedContent, encryptionMeta, options.password, spinner);
           }
-
-          // Decrypt the full content to verify password
-          decrypt(fullContent, options.password, iv, salt, authTag);
           spinner.succeed('Decryption password valid');
         } catch (e) {
           issues.push('Decryption failed - wrong password or corrupted data');
@@ -127,6 +106,7 @@ async function verifyCommand(inputFile, options) {
       console.log(chalk.cyan(`  Size: ${formatBytes(metadata.originalSize)}`));
       console.log(chalk.cyan(`  Encrypted: ${isEncrypted ? 'Yes' : 'No'}`));
       console.log(chalk.cyan(`  Compressed: ${metadata.compressed ? 'Yes' : 'No'}`));
+      console.log(chalk.cyan(`  Format version: ${isV4 ? 'v4 (streaming)' : 'v3 (legacy)'}`));
 
       if (isMultiPart(metadata)) {
         console.log(chalk.cyan(`  Parts: ${metadata.totalParts}`));
@@ -166,4 +146,59 @@ async function verifyCommand(inputFile, options) {
   }
 }
 
+/**
+ * Verify v4 per-part encryption by decrypting the first part
+ */
+async function verifyV4Encryption(inputFile, format, metadata, encryptionMeta, password, spinner) {
+  // For v4, each part has its own encryption metadata
+  // Verify by decrypting the first part's content
+  const { iv, salt, authTag } = unpackEncryptionMeta(encryptionMeta);
+
+  // Read the first part's content
+  let readResult;
+  if (format === 'xlsx') {
+    readResult = await readXlsxBase64(inputFile);
+  } else {
+    readResult = await readDocxBase64(inputFile);
+  }
+
+  const { encryptedContent } = extractContent(readResult, format);
+  const binaryData = Buffer.from(encryptedContent, 'base64');
+
+  const decipher = createDecryptStream(password, iv, salt, authTag);
+  decipher.update(binaryData);
+  decipher.final(); // Throws on wrong password
+}
+
+/**
+ * Verify v3 shared encryption by merging all parts and decrypting
+ */
+async function verifyV3Encryption(inputFile, format, metadata, encryptedContent, encryptionMeta, password, spinner) {
+  const { iv, salt, authTag } = unpackEncryptionMeta(encryptionMeta);
+
+  let fullContent = encryptedContent;
+
+  if (isMultiPart(metadata)) {
+    const inputDir = path.dirname(inputFile);
+    const allParts = findMultiPartFiles(inputDir, metadata.hash, format);
+
+    if (allParts.length === metadata.totalParts) {
+      const contentParts = [];
+      for (const part of allParts) {
+        let partResult;
+        if (format === 'xlsx') {
+          partResult = await readXlsxBase64(part.path);
+        } else {
+          partResult = await readDocxBase64(part.path);
+        }
+        const { encryptedContent: partContent } = extractContent(partResult, format);
+        contentParts.push(partContent);
+      }
+      fullContent = contentParts.join('');
+    }
+  }
+
+  decrypt(fullContent, password, iv, salt, authTag);
+}
+
 module.exports = verifyCommand;

package/src/index.js

@@ -10,8 +10,8 @@ const verifyCommand = require('./commands/verify');
 // CLI Configuration
 program
   .name('stegdoc')
-  .description('Hide files inside Office documents with AES-256 encryption and steganography')
-  .version('1.0.1');
+  .description('CLI tool to encode files into Office documents with AES-256 encryption')
+  .version('3.0.2');
 
 // Encode command
 program

package/src/lib/compression.js

@@ -89,9 +89,27 @@ function decompress(buffer) {
   });
 }
 
+/**
+ * Create a streaming gzip compression transform
+ * @returns {zlib.Gzip} Gzip transform stream
+ */
+function createCompressStream() {
+  return zlib.createGzip({ level: 9 });
+}
+
+/**
+ * Create a streaming gunzip decompression transform
+ * @returns {zlib.Gunzip} Gunzip transform stream
+ */
+function createDecompressStream() {
+  return zlib.createGunzip();
+}
+
 module.exports = {
   isCompressedMime,
   compress,
   decompress,
+  createCompressStream,
+  createDecompressStream,
   COMPRESSED_MIMES,
 };

package/src/lib/crypto.js

@@ -109,10 +109,64 @@ function unpackEncryptionMeta(packed) {
   return { iv, salt, authTag };
 }
 
+/**
+ * Generate a random salt for key derivation (one per encode session)
+ * @returns {Buffer} Random salt
+ */
+function generateSalt() {
+  return crypto.randomBytes(SALT_LENGTH);
+}
+
+/**
+ * Create a streaming encrypt cipher for per-part encryption.
+ * Each call generates a unique IV. The salt should be shared across parts.
+ * Call getAuthTag() AFTER the cipher stream has ended (after .final()).
+ * @param {string} password - User password
+ * @param {Buffer} salt - Salt buffer (shared across parts in a session)
+ * @returns {object} { stream, iv, salt, getAuthTag }
+ */
+function createEncryptStream(password, salt) {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const key = deriveKey(password, salt);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  return {
+    stream: cipher,
+    iv: iv.toString('base64'),
+    salt: salt.toString('base64'),
+    getAuthTag: () => cipher.getAuthTag().toString('base64'),
+  };
+}
+
+/**
+ * Create a streaming decrypt decipher for per-part decryption.
+ * Auth tag is set immediately and verified on .final().
+ * @param {string} password - User password
+ * @param {string} ivBase64 - IV (base64)
+ * @param {string} saltBase64 - Salt (base64)
+ * @param {string} authTagBase64 - Auth tag (base64)
+ * @returns {crypto.Decipher} Decipher transform stream
+ */
+function createDecryptStream(password, ivBase64, saltBase64, authTagBase64) {
+  const iv = Buffer.from(ivBase64, 'base64');
+  const salt = Buffer.from(saltBase64, 'base64');
+  const authTag = Buffer.from(authTagBase64, 'base64');
+  const key = deriveKey(password, salt);
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  decipher.setAuthTag(authTag);
+  return decipher;
+}
+
 module.exports = {
   encrypt,
   decrypt,
   deriveKey,
   packEncryptionMeta,
   unpackEncryptionMeta,
+  generateSalt,
+  createEncryptStream,
+  createDecryptStream,
 };

package/src/lib/docx-handler.js

@@ -100,7 +100,7 @@ async function readDocxBase64(docxPath) {
     const metadataStart = fullText.indexOf(metadataMarker);
 
     if (metadataStart === -1) {
-      throw new Error('No metadata found in DOCX file. This may not be a whitener-encoded file.');
+      throw new Error('No metadata found in DOCX file. This may not be a stegdoc-encoded file.');
     }
 
     // Find the separator "---" which comes after the metadata

package/src/lib/metadata.js

@@ -36,8 +36,9 @@ function createMetadata({
     encrypted,
     compressed,
     contentHash,
+    pipelineOrder: 'compress-encrypt-base64',
     encodingDate: new Date().toISOString(),
-    version: '1.0.1',
+    version: '4.0.0',
     tool: 'stegdoc',
   };
 }
@@ -79,7 +80,7 @@ function validateMetadata(metadata) {
     }
   }
 
-  if (metadata.tool !== 'stegdoc' && metadata.tool !== 'docstash' && metadata.tool !== 'whitener') {
+  if (metadata.tool !== 'stegdoc' && metadata.tool !== 'whitener') {
     throw new Error('Invalid tool identifier in metadata');
   }
 
@@ -102,10 +103,20 @@ function isMultiPart(metadata) {
   return metadata.totalParts !== null && metadata.totalParts > 1;
 }
 
+/**
+ * Check if metadata indicates the v4 streaming format
+ * @param {object} metadata - Metadata object
+ * @returns {boolean} True if streaming format (v4+)
+ */
+function isStreamingFormat(metadata) {
+  return metadata.pipelineOrder === 'compress-encrypt-base64';
+}
+
 module.exports = {
   createMetadata,
   serializeMetadata,
   parseMetadata,
   validateMetadata,
   isMultiPart,
+  isStreamingFormat,
 };

package/src/lib/streams.js

@@ -0,0 +1,197 @@
+const { Transform, Writable } = require('stream');
+const crypto = require('crypto');
+
+/**
+ * Transform stream that converts binary input to base64 text output.
+ * Buffers incomplete 3-byte groups across chunk boundaries.
+ */
+class Base64EncodeTransform extends Transform {
+  constructor() {
+    super();
+    this._remainder = Buffer.alloc(0);
+  }
+
+  _transform(chunk, encoding, callback) {
+    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, encoding);
+    const combined = this._remainder.length > 0 ? Buffer.concat([this._remainder, buf]) : buf;
+    const usable = combined.length - (combined.length % 3);
+    if (usable > 0) {
+      this.push(combined.slice(0, usable).toString('base64'));
+    }
+    this._remainder = usable < combined.length ? combined.slice(usable) : Buffer.alloc(0);
+    callback();
+  }
+
+  _flush(callback) {
+    if (this._remainder.length > 0) {
+      this.push(this._remainder.toString('base64'));
+      this._remainder = Buffer.alloc(0);
+    }
+    callback();
+  }
+}
+
+/**
+ * Transform stream that converts base64 text input to binary output.
+ * Buffers incomplete 4-char groups across chunk boundaries.
+ */
+class Base64DecodeTransform extends Transform {
+  constructor() {
+    super();
+    this._remainder = '';
+  }
+
+  _transform(chunk, encoding, callback) {
+    const str = this._remainder + (Buffer.isBuffer(chunk) ? chunk.toString() : chunk);
+    const usable = str.length - (str.length % 4);
+    if (usable > 0) {
+      this.push(Buffer.from(str.slice(0, usable), 'base64'));
+    }
+    this._remainder = usable < str.length ? str.slice(usable) : '';
+    callback();
+  }
+
+  _flush(callback) {
+    if (this._remainder.length > 0) {
+      this.push(Buffer.from(this._remainder, 'base64'));
+      this._remainder = '';
+    }
+    callback();
+  }
+}
+
+/**
+ * Transform stream that passes data through unchanged while computing SHA-256 hash.
+ * Access the hex hash via .digest after the stream has ended.
+ */
+class HashPassthrough extends Transform {
+  constructor() {
+    super();
+    this._hash = crypto.createHash('sha256');
+    this._finalized = false;
+  }
+
+  _transform(chunk, encoding, callback) {
+    this._hash.update(chunk);
+    this.push(chunk);
+    callback();
+  }
+
+  _flush(callback) {
+    this._finalized = true;
+    callback();
+  }
+
+  get digest() {
+    if (!this._finalized) {
+      throw new Error('Cannot read digest before stream has ended');
+    }
+    return this._hash.digest('hex');
+  }
+}
+
+/**
+ * Writable stream that collects string output up to maxBytes.
+ * Calls an async onChunkReady callback when a chunk is full, applying
+ * backpressure to pause upstream until the callback resolves.
+ */
+class ChunkCollector extends Writable {
+  constructor(maxBytes, onChunkReady) {
+    super({ decodeStrings: false });
+    this._maxBytes = maxBytes;
+    this._buffer = '';
+    this._chunkIndex = 0;
+    this._onChunkReady = onChunkReady;
+  }
+
+  async _write(chunk, encoding, callback) {
+    try {
+      this._buffer += typeof chunk === 'string' ? chunk : chunk.toString();
+      while (this._buffer.length >= this._maxBytes) {
+        const piece = this._buffer.slice(0, this._maxBytes);
+        this._buffer = this._buffer.slice(this._maxBytes);
+        await this._onChunkReady(piece, this._chunkIndex++);
+      }
+      callback();
+    } catch (err) {
+      callback(err);
+    }
+  }
+
+  async _final(callback) {
+    try {
+      if (this._buffer.length > 0) {
+        await this._onChunkReady(this._buffer, this._chunkIndex++);
+        this._buffer = '';
+      }
+      callback();
+    } catch (err) {
+      callback(err);
+    }
+  }
+
+  get totalChunks() {
+    return this._chunkIndex;
+  }
+}
+
+/**
+ * Writable stream that collects binary Buffer output up to maxBytes.
+ * Calls an async onChunkReady callback with a Buffer when full.
+ */
+class BinaryChunkCollector extends Writable {
+  constructor(maxBytes, onChunkReady) {
+    super();
+    this._maxBytes = maxBytes;
+    this._buffers = [];
+    this._currentSize = 0;
+    this._chunkIndex = 0;
+    this._onChunkReady = onChunkReady;
+  }
+
+  async _write(chunk, encoding, callback) {
+    try {
+      const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, encoding);
+      this._buffers.push(buf);
+      this._currentSize += buf.length;
+
+      while (this._currentSize >= this._maxBytes) {
+        const combined = Buffer.concat(this._buffers);
+        const piece = combined.slice(0, this._maxBytes);
+        const leftover = combined.slice(this._maxBytes);
+        this._buffers = leftover.length > 0 ? [leftover] : [];
+        this._currentSize = leftover.length;
+        await this._onChunkReady(piece, this._chunkIndex++);
+      }
+      callback();
+    } catch (err) {
+      callback(err);
+    }
+  }
+
+  async _final(callback) {
+    try {
+      if (this._currentSize > 0) {
+        const combined = Buffer.concat(this._buffers);
+        await this._onChunkReady(combined, this._chunkIndex++);
+        this._buffers = [];
+        this._currentSize = 0;
+      }
+      callback();
+    } catch (err) {
+      callback(err);
+    }
+  }
+
+  get totalChunks() {
+    return this._chunkIndex;
+  }
+}
+
+module.exports = {
+  Base64EncodeTransform,
+  Base64DecodeTransform,
+  HashPassthrough,
+  ChunkCollector,
+  BinaryChunkCollector,
+};

package/src/lib/utils.js

@@ -100,13 +100,13 @@ function generateFilename(hash, partNumber = null, totalParts = null, format = '
 
   if (format === 'xlsx') {
     // Server metrics theme - looks like periodic 4-hour monitoring exports
-    if (partNumber !== null && totalParts !== null) {
+    if (partNumber !== null) {
       return `server_metrics_${dateStr}_${timeStr}_${reportId}_part${partNumber}.${ext}`;
     }
     return `server_metrics_${dateStr}_${timeStr}_${reportId}.${ext}`;
   } else {
     // DOCX - use a different theme
-    if (partNumber !== null && totalParts !== null) {
+    if (partNumber !== null) {
       return `system_report_${dateStr}_${timeStr}_${reportId}_part${partNumber}.${ext}`;
     }
     return `system_report_${dateStr}_${timeStr}_${reportId}.${ext}`;