plugin-stvor-pqc

v0.1.0

Post-quantum E2EE for elizaOS agent-to-agent messaging via ML-KEM-768 + Double Ratchet

@elizaos/plugin-stvor-pqc

Post-quantum end-to-end encryption for elizaOS agent-to-agent messaging, powered by Stvor.

Installation

```sh
npm install plugin-stvor-pqc
```

Setup

Add the plugin to your agent's plugin array in elizos.config.ts (or equivalent):

```ts
import { stvorPqcPlugin } from "plugin-stvor-pqc";

export default {
  plugins: [
    stvorPqcPlugin,
    // ... your other plugins
  ],
};
```

No additional configuration is required.

How it works

When an agent starts up, the plugin generates a fresh ML-KEM-768 keypair using the Stvor WASM core. The first time two Stvor-enabled agents exchange a message, they automatically perform an in-band key handshake — each agent sends its public encapsulation key, and both sides derive a shared secret via ML-KEM-768 encapsulation/decapsulation. From that point on, every message between those two agents is wrapped in a Double Ratchet session (forward-secrecy, break-in recovery), providing NIST FIPS 203-compliant post-quantum E2EE with zero manual configuration. Agents that don't have the plugin installed receive messages unchanged, so deployment is fully backward-compatible.

Cryptographic primitives

| Primitive | Standard | Purpose |
|---|---|---|
| ML-KEM-768 | NIST FIPS 203 | Key encapsulation / shared secret |
| Double Ratchet | Signal Protocol | Forward secrecy, break-in recovery |
| AES-256-GCM | NIST SP 800-38D | Message encryption |
| HKDF-SHA256 | RFC 5869 | Key derivation |

All cryptography is handled by the @stvor/web3 Rust/WASM core — no custom crypto.

Known limitations (v0.1.0)

  • Agent detection relies on content.source === "agent" convention, not a typed enum. Graceful failure if a connector uses a different string — no crash, just no E2EE for that session.
  • No persistent session storage — sessions reset on agent restart. Cross-restart persistence is planned for v0.2.0.
  • In-band handshake only — no external key registry. For cross-org agent identity verification see pqc.stvor.xyz.

Security notes (v0.1.0)

  • [MEDIUM] No cryptographic binding between peer's ik and agentId — the channel provides the only authentication for peer identity. An on-chain identity registry is planned for v0.2.0 (see pqc.stvor.xyz).
  • [MEDIUM] Handshake fields have no size bounds — oversized inputs are passed to the WASM layer without validation. Field length guards will be added in v0.2.0.
  • [MEDIUM] Session map is unbounded — a peer rotating agentId repeatedly can grow memory without limit. A cap of 1000 sessions with LRU eviction is planned for v0.2.0.
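The two mitigations planned above (field length guards and a 1000-session LRU cap) could look like the sketch below. It is an added example, not code from plugin-stvor-pqc: the `Handshake` shape, the field names `ek` and `ct`, the `agentId` length bound and the assumption that key material arrives as raw bytes are all hypothetical. Only the ML-KEM-768 sizes come from FIPS 203.

```typescript
// Added example; not the plugin's code. Names and message shape are assumptions.
// Fixed sizes defined by FIPS 203 for the ML-KEM-768 parameter set.
const MLKEM768_EK_BYTES = 1184; // encapsulation (public) key
const MLKEM768_CT_BYTES = 1088; // ciphertext
const MAX_AGENT_ID_CHARS = 128; // assumed bound; the page does not give one
const MAX_SESSIONS = 1000;      // cap the page plans for v0.2.0

// Hypothetical handshake shape; the plugin's real field names may differ.
interface Handshake { agentId: string; ek: Uint8Array; ct?: Uint8Array }

// Reject malformed handshakes before any bytes reach the WASM core.
// Returns null when the message is acceptable, otherwise a reason string.
function validateHandshake(h: Handshake): string | null {
  if (typeof h.agentId !== "string" || h.agentId.length === 0 ||
      h.agentId.length > MAX_AGENT_ID_CHARS) return "bad agentId";
  if (!(h.ek instanceof Uint8Array) || h.ek.length !== MLKEM768_EK_BYTES)
    return "bad ek length";
  if (h.ct !== undefined &&
      (!(h.ct instanceof Uint8Array) || h.ct.length !== MLKEM768_CT_BYTES))
    return "bad ct length";
  return null;
}

// Session store with least-recently-used eviction. A Map iterates in
// insertion order, so re-inserting on every access keeps the oldest first.
class SessionCache<S> {
  private map = new Map<string, S>();
  private cap: number;
  constructor(cap: number = MAX_SESSIONS) { this.cap = cap; }

  get(id: string): S | undefined {
    const s = this.map.get(id);
    if (s !== undefined) { this.map.delete(id); this.map.set(id, s); }
    return s;
  }

  set(id: string, s: S): void {
    this.map.delete(id);
    this.map.set(id, s);
    if (this.map.size > this.cap) {
      // Evict the least recently used session to keep memory bounded.
      const oldest = this.map.keys().next().value as string;
      this.map.delete(oldest);
    }
  }

  get size(): number { return this.map.size; }
}
```

The cap bounds memory, but a peer that keeps rotating agentId can still push legitimate sessions out of the cache, so per-channel rate limiting on new handshakes is worth pairing with it.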

License

Apache-2.0