0.2.10: tighten error handling, add edge-case & interop tests

- added more tests for base64 decoding errors, stream frame limits, and runtime crossovers (CLI and browser), streawming and schemes
- Implemented `zeroizeString()` for passphrase memory wiping
- Consolidates CLI output-path validation logic into a reusable helper

Author: mqxym

.gitignore

@@ -4,4 +4,4 @@ node_modules/
 build/
 dist/bin/cryptit
 *.tmp
-scan.md
+scan*.md

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@mqxym/cryptit",
-    "version": "0.2.9",
+    "version": "0.2.10",
     "description": "Modern, cross-platform AES-GCM 256 / XChaCha20Poly1305 + Argon2-id encryption for files and text.",
     "type": "module",
     "keywords": [

packages/browser-runtime/__tests__/browser.spec.ts

@@ -10,6 +10,16 @@ import { createCryptit } from '../src/index.js';
 describe('browser-runtime facade', () => {
   const crypt = createCryptit({ chunkSize: 1024 });
 
+  it('encrypts & decrypts in a browser context', async () => {
+    const cipher = await crypt.encryptText('Foo', 'pw');
+    const plain  = await crypt.decryptText(cipher, 'pw');
+    expect(plain).toBe('Foo');
+  });
+});
+
+describe('browser-runtime scheme 1', () => {
+  const crypt = createCryptit({ chunkSize: 1024, scheme: 1 });
+
   it('encrypts & decrypts in a browser context', async () => {
     const cipher = await crypt.encryptText('Foo', 'pw');
     const plain  = await crypt.decryptText(cipher, 'pw');

packages/core/__tests__/cross.runtime.spec.ts

@@ -28,4 +28,11 @@ describe('cryptit CLI ↔ browser-runtime', () => {
     const plain  = await crypt.decryptText(cipher, 'pw');
     expect(plain).toBe('interop');
   });
+
+  it('browser encrypt → `decrypt-text` (CLI)', async () => {
+    const crypt  = new Cryptit(browserProvider as CryptoProvider);
+    const cipher = await crypt.encryptText('cli-roundtrip', 'pw');
+    const plain  = await runCli(['decrypt-text', cipher, '--pass', 'pw']);
+    expect(plain).toBe('cli-roundtrip');
+  });
 });

packages/core/__tests__/cryptit.file.spec.ts

@@ -7,7 +7,19 @@ const randomBlob = (bytes: number) =>
 describe('Cryptit file helpers', () => {
   const crypt = new Cryptit(nodeProvider);
 
-  it('round-trips a 2 MiB Blob loss-lessly', async () => {
+  it('round-trips a 2 MiB Blob loss-lessly', async () => {
+    const plain = randomBlob(2_097_152);      // 2 MiB
+    const enc   = await crypt.encryptFile(plain, 'hunter2');
+    const dec   = await crypt.decryptFile(enc, 'hunter2');
+
+    expect(await dec.arrayBuffer()).toEqual(await plain.arrayBuffer());
+  });
+});
+
+describe('Cryptit file helpers | Scheme 1', () => {
+  const crypt = new Cryptit(nodeProvider, {scheme: 1} );
+
+  it('round-trips a 2 MiB Blob loss-lessly', async () => {
     const plain = randomBlob(2_097_152);      // 2 MiB
     const enc   = await crypt.encryptFile(plain, 'hunter2');
     const dec   = await crypt.decryptFile(enc, 'hunter2');

packages/core/__tests__/cryptit.header.spec.ts

@@ -0,0 +1,26 @@
+import { Cryptit }      from '../src/index.js';
+import { nodeProvider } from '../../node-runtime/src/provider.js';
+
+describe('Cryptit.headerDecode / isEncrypted helpers', () => {
+  const crypt = new Cryptit(nodeProvider, { chunkSize: 1024 });
+
+  it('extracts meta-data from a Base64 payload', async () => {
+    const cipher = await crypt.encryptText('meta-probe', 'pw');
+    const meta   = await Cryptit.headerDecode(cipher);
+
+    expect(meta).toMatchObject({
+      scheme    : crypt.getScheme(),
+      difficulty: crypt.getDifficulty(),
+    });
+    expect(meta.saltLength).toBeGreaterThan(0);
+  });
+
+  it('detects & decodes header embedded in a Blob', async () => {
+    const blob  = await crypt.encryptFile(new Blob([Uint8Array.of(1, 2)]), 'pw');
+    expect(await Cryptit.isEncrypted(blob)).toBe(true);
+
+    const meta = await Cryptit.headerDecode(blob);
+    expect(meta.scheme).toBe(crypt.getScheme());
+    expect(meta.saltLength).toBeGreaterThan(0);
+  });
+});

packages/core/__tests__/cryptit.stream.spec.ts

@@ -0,0 +1,55 @@
+import { Cryptit }      from '../src/index.js';
+import { nodeProvider } from '../../node-runtime/src/provider.js';
+
+// jest.setTimeout(20_000);
+
+/* ------------------------------------------------------------------ */
+/*  Helper: collect full stream into a single Uint8Array               */
+/* ------------------------------------------------------------------ */
+async function collect(rs: ReadableStream<Uint8Array>) {
+  const rd   = rs.getReader();
+  const out: Uint8Array[] = [];
+  for (;;) {
+    const { done, value } = await rd.read();
+    if (done) break;
+    out.push(value);
+  }
+  return Uint8Array.from(out.flatMap(c => [...c]));
+}
+
+/* ------------------------------------------------------------------ */
+/*  Tests                                                              */
+/* ------------------------------------------------------------------ */
+describe('Cryptit streaming encrypt ↔ decrypt pipeline', () => {
+    
+  const crypt = new Cryptit(nodeProvider, {
+    chunkSize : 16_384,   
+    difficulty: 'low', 
+    scheme: 1,
+  });
+
+  it('pipes through encrypt→decrypt streams with 65 kB input', async () => {
+    const plain = crypto.getRandomValues(new Uint8Array(65_000));
+
+    /* —— encrypt —— */
+    const { header, writable, readable } = await crypt.createEncryptionStream('pw');
+    const w = writable.getWriter();
+    w.write(plain.slice(0, 32_000));   // each write ≤ 65 536 B
+    w.write(plain.slice(32_000));
+    w.close();
+
+    const body = await collect(readable);
+    const cipher = new Uint8Array(header.length + body.length);
+    cipher.set(header);
+    cipher.set(body, header.length);
+
+    /* —— decrypt —— */
+    const decStream = await crypt.createDecryptionStream('pw');
+    const rsPlain   = new ReadableStream<Uint8Array>({
+      start(c) { c.enqueue(cipher); c.close(); },
+    }).pipeThrough(decStream);
+
+    const roundtrip = await collect(rsPlain);
+    expect(roundtrip).toEqual(plain);
+  });
+});

packages/core/__tests__/cryptit.streaming.spec.ts

@@ -54,4 +54,16 @@ describe('Cryptit text helpers - extra cases', () => {
     const plain        = await browserCrypt.decryptText(cipher, 'pw');
     expect(plain).toBe('cross-ok');
   });
+
+  it('rejects **truncated ciphertext** with a meaningful error', async () => {
+    const cipher = await crypt.encryptText('cut-off', 'pw');
+    const damaged = cipher.slice(0, cipher.length - 10);      // remove tail
+    await expect(crypt.decryptText(damaged, 'pw')).rejects.toThrow();
+  });
+
+  it('supports switching to **scheme 1** (XChaCha20-Poly1305)', async () => {
+    crypt.setScheme(1);
+    const cipher = await crypt.encryptText('scheme-1', 'pw');
+    expect(await crypt.decryptText(cipher, 'pw')).toBe('scheme-1');
+  });
 });

packages/core/__tests__/cryptit.text.spec.ts

@@ -0,0 +1,31 @@
+import { DecryptTransform } from '../src/stream/DecryptTransform.js';
+import type { EncryptionAlgorithm } from '../src/types/index.js';
+import { DecryptionError } from '../src/errors/index.js';
+
+/*  Naïve “no-op” engine - just echoes data back  */
+class NopEngine implements EncryptionAlgorithm {
+  async encryptChunk(p: Uint8Array) { return p; }
+  async decryptChunk(c: Uint8Array) { return c; }
+  async setKey() {}
+}
+
+async function collect(rs: ReadableStream<Uint8Array>) {
+  const r = rs.getReader(); const parts: Uint8Array[] = [];
+  for (;;) { const { done, value } = await r.read(); if (done) break; parts.push(value); }
+  return Uint8Array.from(parts.flatMap(b => [...b]));
+}
+
+describe('DecryptTransform  frame-length guard-rails', () => {
+  it('throws DecryptionError when declared frame length exceeds **2: chunkSize**', async () => {
+    const engine = new NopEngine();
+    const ts = new DecryptTransform(engine, 8).toTransformStream();   // ⇒ limit = 16 bytes
+
+    /* Craft an invalid frame: header = 20 bytes ( > 16 ) */
+    const bogus = new Uint8Array(4 + 20);
+    new DataView(bogus.buffer).setUint32(0, 20, false);
+
+    const rs = new ReadableStream({ start(c) { c.enqueue(bogus); c.close(); } });
+
+    await expect(collect(rs.pipeThrough(ts))).rejects.toThrow(DecryptionError);
+  });
+});