[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81101":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":13,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":13,"stars7d":13,"stars30d":13,"stars90d":13,"forks30d":13,"starsTrendScore":13,"compositeScore":13,"rankGlobal":10,"rankLanguage":10,"license":15,"archived":16,"fork":16,"defaultBranch":17,"hasWiki":18,"hasPages":16,"topics":19,"createdAt":10,"pushedAt":10,"updatedAt":20,"readmeContent":21,"aiSummary":22,"trendingCount":13,"starSnapshotCount":13,"syncStatus":23,"lastSyncTime":24,"discoverSource":25},81101,"cryptoengine","Ackaia-Corporation\u002Fcryptoengine","Ackaia-Corporation","Ackaia Cryptographic Engine™, used on CipherDrive™.","https:\u002F\u002Fackaia.one",null,"JavaScript",19,0,40,"Other",false,"main",true,[],"2026-06-12 02:04:10","# CipherDrive™ Cryptographic Engine™\n\n**Source-available client-side encryption engine for CipherDrive™.**\n\nCipherDrive™ exists because digital privacy should not depend on corporate promises,\nprivate infrastructure diagrams, or marketing language that users cannot verify.\n\nClouds you cannot audit are just someone else's computer scanning your life.\n\nThis repository is our answer to that problem.\n\nThe CipherDrive™ Cryptographic Engine™ is the browser-side cryptographic engine that powers\nCipherDrive's zero-knowledge file storage model. It is responsible for master key\ngeneration, file key wrapping, encrypted metadata, chunk encryption, browser-side\nkey persistence, and public share key handling.\n\nIts purpose is simple and non-negotiable:\n\n**to make it mathematically impossible for Ackaia Corp. to read, index, profile,\nor leak the plaintext contents and sensitive names of user files from our\nservers.**\n\nAckaia servers receive encrypted blobs, encrypted key material, operational\nmetadata, and nothing that should be sufficient to reconstruct a user's private\nfiles. The trust boundary is intentionally pushed to the client, where encryption\nhappens before upload and decryption happens after download.\n\nThis repository exists so developers, security researchers, customers, and\nprivacy-conscious users can inspect the engine directly instead of trusting a\nblack box.\n\nIt is not a decorative transparency artifact. It is part of our engineering\ncontract with the people who use CipherDrive™.\n\n## What this proves\n\nCipherDrive™ encrypts sensitive file material in the client before upload:\n\n- file contents are encrypted in the browser;\n- file names are encrypted in the browser;\n- file keys are generated in the browser;\n- the user's vault secret is never sent to Ackaia servers;\n- Ackaia servers store encrypted blobs and encrypted key material only.\n\nThe engine is designed around the principle that server-side compromise should\nnot automatically become user-data compromise. A database leak, object storage\nexposure, internal operator mistake, or backend application failure should not\ngrant access to plaintext user files.\n\nThat is the practical meaning of zero-knowledge in CipherDrive™:\n\nAckaia can store the vault.\nAckaia can synchronize the vault.\nAckaia can enforce quotas and transfer limits.\nAckaia cannot open the vault.\n\n## Try it in production\n\n> Want to see this engine running in real time?\n>\n> Open a free 5GB Sovereign Vault on [CipherDrive™](https:\u002F\u002Fcipherdrive.co) and inspect\n> the cryptographic calls in your browser console.\n\nCipherDrive™ is the production environment powered by this engine. The repository\nis source-available so the implementation can be reviewed, questioned, tested,\nand compared against what the product claims publicly.\n\nOur privacy page should never ask for blind trust.\nThis code is where that trust is earned.\n\n## What this does not claim\n\nZero-knowledge does not mean the local device is magically safe. If the browser,\npage runtime, extension environment, or operating system is compromised, local\nkey material can be exposed. CipherDrive™ may persist the master key in IndexedDB\nfor usability. That keeps Ackaia servers zero-knowledge, but it makes the user's\nbrowser a trusted local key store until the local key is cleared.\n\n## Install \u002F use from source\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fackaiacorp\u002Fackaia-one-crypto-engine.git\ncd ackaia-one-crypto-engine\nnpm test\n```\n\nThe package is ESM-only and has no runtime dependencies for the core engine.\nVue is only needed if you use the optional compatibility adapter.\n\n## Basic usage\n\n```js\nimport { createAckaiaOneCryptoEngine } from '@ackaia\u002Fone-crypto-engine';\n\nconst crypto = createAckaiaOneCryptoEngine();\n\nconst { key: masterKey, exportedKey } = await crypto.generateMasterKey();\nconst wrapped = await crypto.wrapMasterKey(masterKey, 'correct horse battery staple');\n\nconst fileKey = await crypto.generateFileKey();\nconst wrappedFileKey = await crypto.wrapFileKey(fileKey, masterKey);\n\nconst encryptedName = await crypto.encryptMetadata('contract.pdf', fileKey);\nconst decryptedName = await crypto.decryptMetadata(encryptedName, fileKey);\n```\n\n## Vue compatibility adapter\n\nFor the existing Laravel + Vue\u002FInertia application, import the adapter:\n\n```js\nimport { useStorageCrypto } from '@ackaia\u002Fone-crypto-engine\u002Fvue';\n\nconst {\n  generateMasterKey,\n  encryptMetadata,\n  encryptChunk,\n  decryptChunk,\n  saveKeyToDevice,\n} = useStorageCrypto();\n```\n\nThe adapter preserves the established composable-style API used by the production\nLaravel + Vue\u002FInertia application while delegating cryptographic operations to\nthe engine's audited core classes.\n\nCompatibility is kept at the application boundary. Cryptographic behavior,\nprotocol constants, key derivation, wrapping, metadata encryption, and chunk\noperations remain centralized in the engine.\n\nThat means existing product surfaces can remain stable while the underlying\nsecurity model continues to evolve with production-grade discipline.\n\n## Architecture\n\n```txt\nsrc\u002F\n  core\u002F                  encoding, canonical JSON, errors\n  crypto\u002F                WebCrypto provider and crypto primitives\n  storage\u002F               browser key persistence\n  adapters\u002Fvue.js        optional Vue compatibility layer\n  engine.js              public facade\n  protocol.js            public protocol constants\n```\n\nCore classes:\n\n- `WebCryptoProvider` — runtime boundary for `crypto.subtle` and random bytes.\n- `AesGcmCipher` — AES-GCM operations with protocol-bound AAD and compatibility\n  support for historical ciphertext formats.\n- `VaultKdf` — PBKDF2-HMAC-SHA256 key derivation.\n- `MasterKeyVault` — master key generation, wrap, and unwrap.\n- `MetadataCrypto` — encrypted file\u002Ffolder names.\n- `FileKeyCrypto` — per-file key generation and wrapping.\n- `ChunkCrypto` — chunk IV derivation and encrypted chunk operations.\n- `IndexedDbKeyStore` — local browser persistence for UX.\n- `AckaiaOneCryptoEngine` — stable public facade.\n\nThe engine is intentionally small, explicit, and dependency-light. The core\ncryptographic boundary is built on WebCrypto primitives exposed by the browser,\nnot on opaque runtime dependencies.\n\nThe public facade is stable by design. Internal classes keep responsibilities\nseparated so the protocol can be reviewed without navigating a large application\ncodebase.\n\n## Protocol highlights\n\n- AES-GCM-256.\n- 96-bit IVs.\n- 128-bit authentication tags.\n- PBKDF2-HMAC-SHA256 with 600,000 iterations for new vault wraps.\n- Compatibility unwrap support for vaults created with the earlier\n  100,000-iteration PBKDF2 policy.\n- Chunk IV format: `64-bit random file nonce + 32-bit big-endian part number`.\n- New ciphertexts use Additional Authenticated Data (AAD).\n- Compatibility support is retained so existing user data remains readable.\n\nThe protocol favors conservative, well-understood primitives over novelty.\nCipherDrive™ does not rely on proprietary encryption, invented ciphers, or security\nthrough obscurity.\n\nNew vault wraps use the stronger 600,000-iteration PBKDF2 policy. Historical\nvault compatibility exists to ensure that user data created under earlier\nproduction settings remains perfectly legible without weakening the security\nposture of newly wrapped material.\n\nIn other words: the engine treats user data durability as a security requirement,\nnot as technical debt.\n\nSee `docs\u002Fprotocol.md` for more details.\n\n## Visible metadata\n\nClient-side encryption does not hide all metadata. Ackaia servers may still see\naccount identity, object IDs, object type, encrypted object size, upload\u002Fdownload\ntimes, transfer usage, folder relationship IDs, sharing status, and operational\nsecurity events. See `docs\u002Fmetadata-leakage.md`.\n\n## Security posture\n\nThis engine is built to support a specific claim:\n\nCipherDrive™ should be able to operate the storage platform without possessing the\ninformation required to decrypt user files.\n\nThat claim depends on several concrete engineering choices:\n\n- key material is generated in the browser;\n- file encryption happens before upload;\n- metadata encryption happens before upload;\n- vault secrets are not transmitted to Ackaia servers;\n- per-file keys are wrapped instead of stored in plaintext;\n- chunk encryption uses deterministic protocol structure without reusing the\n  full AES-GCM IV for different chunks;\n- authenticated encryption is used so ciphertext integrity is verified during\n  decryption;\n- compatibility behavior is explicit rather than hidden.\n\nThis is the foundation of digital sovereignty in CipherDrive™.\n\nUsers should not need permission from a platform to keep private things private.\nDevelopers should not need to reverse-engineer a product to know whether its\nprivacy claims are real.\nSecurity researchers should not be asked to audit a slogan.\n\nThe code should be inspectable.\n\n## Source-available, not open source\n\nThis repository is published for transparency, inspection, and technical trust.\nIt allows the community to understand how the CipherDrive™ cryptographic model is\nimplemented and to evaluate whether the product behaves consistently with its\nprivacy promises.\n\nIt is not published as an open-source package for unrestricted reuse.\n\nAckaia Corp. believes that privacy infrastructure should be auditable, but also\nthat production security components deserve clear ownership, version control,\nand responsible distribution.\n\nSee `LICENSE.md`.\n\n## License\n\nThis repository is source-available, not open source. See `LICENSE.md`.\n","CipherDrive™ Cryptographic Engine是Ackaia公司开发的一款客户端加密引擎，主要用于其存储服务CipherDrive One中。该引擎的核心功能包括主密钥生成、文件密钥封装、元数据加密、分块加密、浏览器端密钥持久化及公开分享密钥处理等，确保所有敏感信息在上传至服务器之前就已经被加密。采用JavaScript编写，它将信任边界移至客户端，保证即使服务器端出现泄露或故障也不会暴露用户的原始文件内容。适用于对隐私保护有高要求的个人和企业用户，尤其是需要零知识证明环境下的安全文件存储场景。",2,"2026-06-11 04:03:30","CREATED_QUERY"]