sft-protocol

v2.0.0

Hardened Secure Fragment Transfer Protocol for Android, Browser, and Node.js

SFT v2 - Secure Fragment Transfer (Hardened)

SFT v2 is a mission-critical cryptographic protocol and SDK for the secure distribution, approval, and reconstruction of sensitive fragments (shards) across heterogeneous environments (Android, Browser, Node.js).

It is designed for Zero Trust architectures, where the execution environment is assumed to be hostile, and security must be enforced by hardware-backed keys and cryptographic bindings.

🛡️ Hardened Security Architecture

  • Context Binding (Fingerprinting): Every signature and token is cryptographically bound to a unique public key fingerprint (fp) and device context (dev), preventing context-swap and token-theft attacks.
  • Hardware Key Isolation:
    • Web/Browser: Strictly enforces extractable: false for RSA private keys, trapping them in the Web Crypto sandbox.
    • Android: Native bridge to Android KeyStore, leveraging hardware-backed TEE/SE for all private key operations.
  • AES-GCM AAD (Authenticated Metadata): All protocol metadata (version, profile, nonce, exp) is authenticated as Additional Authenticated Data. Tampering with a single byte of metadata makes the authentication tag check fail, so the ciphertext will not decrypt.
  • Anti-Replay Mechanism: Mandated nonce, iat, and exp fields across all payloads, with integrated support for backend nonce-tracking.
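
The AAD bullet above, shown with the standard Web Crypto API. This is an added example, not code from sft-protocol: the helper names (`aadBytes`, `seal`, `unseal`), the sorted-key serialization and the direct use of an AES key are assumptions made for illustration, and the metadata values are constructed.

```javascript
// Added illustration, not sft-protocol code: metadata authenticated as AES-GCM AAD.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

// Serialize metadata with sorted keys so sender and receiver derive identical AAD bytes.
const aadBytes = (meta) =>
  enc.encode(JSON.stringify(Object.keys(meta).sort().map((k) => [k, meta[k]])));

async function seal(key, meta, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV per message
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: aadBytes(meta) }, key, enc.encode(plaintext));
  return { iv, ct: new Uint8Array(ct) };
}

// Returns the plaintext, or null when the GCM tag fails (wrong key, ciphertext or metadata).
async function unseal(key, meta, { iv, ct }) {
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv, additionalData: aadBytes(meta) }, key, ct);
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}

async function demo() {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, false,
    ['encrypt', 'decrypt']);
  // Constructed sample metadata; field names follow the README's list.
  const meta = { version: 2, profile: 'example-profile', nonce: 'n-constructed-1', exp: 1900000000 };
  const box = await seal(key, meta, 'SECRET_DATA');
  const flipped = { ...box, ct: Uint8Array.from(box.ct, (b, i) => (i === 0 ? b ^ 1 : b)) };
  return {
    intact: await unseal(key, meta, box),
    extendedExp: await unseal(key, { ...meta, exp: meta.exp + 86400 }, box),
    otherProfile: await unseal(key, { ...meta, profile: 'other-profile' }, box),
    flippedCiphertext: await unseal(key, meta, flipped),
  };
}
```

AAD is authenticated but not encrypted, and a successful decrypt only proves the metadata is what the sender sealed. The receiver still has to compare `exp` with its own clock.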

🚀 Quick Start

Installation

npm install sft-protocol

Encryption & Vault (Stateless)

import SFT from 'sft-protocol';

// Create a hardened vault (Token)
const vaultToken = await SFT.Vault.createToken(
  "SECRET_DATA",
  publicKeyPem,
  3600, // 1h TTL
  { issuer: 'MyCompany' }
);

Multi-Signature Approval

// Step 1: Create an approval request
const request = await SFT.Auth.createRequest({
  keyId: 'vault-01',
  operation: 'ACCESS_GRANTED',
  threshold: 2,
  totalShares: 3,
  publicKeyPem: adminPubKey
});

// Step 2: Guardian sign (Contextualized)
// NOTE: In Android/Browser, 'privateKey' is a Handle/Alias, NOT raw material.
const confirmation = await SFT.Auth.signConfirmation(request, {
  approverId: 'guardian-alpha',
  deviceId: 'secure-mobile-01',
  privateKey: guardianKeyHandle, // KeyStore Alias or CryptoKey object
  publicKeyPem: guardianPubKey
});
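
The README does not show what a confirmation contains or how a backend checks it. The following added example (not sft-protocol code or its wire format) illustrates the context-binding, key-isolation and anti-replay properties listed earlier using plain Web Crypto; the payload layout, the SHA-256-over-SPKI fingerprint, the function names and the in-memory nonce set are assumptions, and all values are constructed.

```javascript
// Added illustration, not sft-protocol code or its wire format.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ALG = { name: 'RSASSA-PKCS1-v1_5', modulusLength: 2048,
  publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' };
// Both sides must serialize identically; plain JSON.stringify suffices inside one runtime.
const bytes = (obj) => new TextEncoder().encode(JSON.stringify(obj));
const hex = (buf) => Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Assumed fingerprint definition: SHA-256 over the public key's SPKI encoding.
const fingerprint = async (pub) =>
  hex(await wc.subtle.digest('SHA-256', await wc.subtle.exportKey('spki', pub)));

async function signConfirmation(keys, dev, nonce, now, ttl) {
  const payload = { fp: await fingerprint(keys.publicKey), dev, nonce, iat: now, exp: now + ttl };
  return { payload, sig: await wc.subtle.sign(ALG.name, keys.privateKey, bytes(payload)) };
}

// Verifier: returns 'ok' or the rejection reason. seenNonces stands in for the backend store.
async function verifyConfirmation(msg, pub, expectedDev, now, seenNonces) {
  const p = msg.payload;
  if (!(await wc.subtle.verify(ALG.name, pub, msg.sig, bytes(p)))) return 'bad-signature';
  if (p.fp !== (await fingerprint(pub))) return 'fingerprint-mismatch';
  if (p.dev !== expectedDev) return 'device-mismatch';
  if (now < p.iat || now >= p.exp) return 'outside-validity-window';
  if (seenNonces.has(p.nonce)) return 'replay';
  seenNonces.add(p.nonce);
  return 'ok';
}

async function demo() {
  const keys = await wc.subtle.generateKey(ALG, false, ['sign', 'verify']); // extractable: false
  const exportBlocked = await wc.subtle.exportKey('pkcs8', keys.privateKey)
    .then(() => false, () => true);
  const dev = 'secure-mobile-01';
  const msg = await signConfirmation(keys, dev, 'n-constructed-1', 1000, 60); // constructed values
  const seen = new Set();
  const forged = { payload: { ...msg.payload, dev: 'other-device' }, sig: msg.sig };
  return {
    exportBlocked,
    first: await verifyConfirmation(msg, keys.publicKey, dev, 1010, seen),
    replay: await verifyConfirmation(msg, keys.publicKey, dev, 1011, seen),
    expired: await verifyConfirmation(msg, keys.publicKey, dev, 2000, new Set()),
    wrongDevice: await verifyConfirmation(msg, keys.publicKey, 'other-device', 1010, new Set()),
    editedDev: await verifyConfirmation(forged, keys.publicKey, 'other-device', 1010, new Set()),
  };
}
```

In a real deployment the nonce store must be shared by every verifier instance and needs to retain each nonce at least until its `exp` has passed.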

📱 Cross-Runtime Support

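  • Browser: Built on the standard Web Crypto API. Uses non-extractable keys, so injected script (XSS) cannot export the private key material; script running in the page can still invoke operations with a key handle it can reach.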
  • Android: Bridge-aware. Seamlessly integrates with WebView/Mobile infrastructures. The private key material remains locked in the Hardware Enclave (TEE/SE) and is accessed via Alias.
  • Node.js / Desktop: Powered by node-forge (Canonicalization engine) for full protocol consistency.

📖 Documentation

For a full technical deep-dive, API reference, and threat model analysis, see the SFT v2 Documentation Guide.

📊 Comparison: SFT vs Standard JWT/AES

| Feature | Standard JWT/AES | SFT v2 (Hardened) |
| :--- | :---: | :---: |
| Metadata Integrity | Logic-based | Cryptographic (AAD) |
| Key Isolation | Software-level | Hardware (Enclave) |
| Anti-Replay | Optional | Protocol Mandated |
| Identity Binding | Subject string | Public Key Fingerprint |
| Context-Swap Protection | None | Device & Key Bound |

⚖️ License

Licensed under Apache 2.0. Copyright (c) 2026 RIvale Security.