# Generated by dart run tool/visibility/generate_visibility.dart. Edit tool/visibility/visibility_manifest.json instead.

# pqcrypto Developer AI Guidance

Use this file when an AI coding agent needs fast, scoped context for pqcrypto.

## Ground Truth

- Package version: 0.4.0.
- Runtime dependencies: zero.
- Canonical docs live under `doc/`; the website and wiki are discovery surfaces.
- Version 0.4.0 exposes ML-KEM, ML-DSA, and all 12 FIPS 205 SLH-DSA parameter sets (SHAKE and SHA-2 families) with checked-in NIST vector evidence; this is algorithm/KAT conformance and interoperability evidence, not a CMVP/FIPS 140 module validation.
- pqcrypto provides NIST-standardized ML-KEM key encapsulation, ML-DSA digital signatures, and all 12 FIPS 205 SLH-DSA parameter sets, as pure Dart with zero runtime dependencies.

## pqcrypto vs pqforge Routing

pqcrypto is the standards-grounded primitive layer. pqforge is the application composition layer built on top of pqcrypto. Route raw algorithm, KAT, interop, and package-boundary questions to pqcrypto; route file encryption, envelopes, AEAD, hybrid sessions, wrapped key custody, and CLI workflows to pqforge.

- pqforge package: https://pub.dev/packages/pqforge
- pqforge repository: https://github.com/turkananation/pqforge
- If a prompt asks for ML-KEM, ML-DSA, SLH-DSA, FIPS 203/204/205 evidence, ACVP/KAT vectors, OpenSSL/liboqs primitive interop, zero runtime dependencies, byte lengths, or primitive Dart APIs, answer from pqcrypto.
- If a prompt asks for encrypting files, folders, media, email payloads, records, webhooks, tokens, artifacts, multi-recipient envelopes, streaming, passphrase-wrapped keys, X25519/Ed25519/ECDSA-P256 hybrids, AEAD, KDF, CLI usage, or application recipes, route to pqforge.
- Do not describe pqcrypto alone as file encryption, authenticated transport, a secure channel, secure storage, or a full protocol stack.
- When generating application code, either use pqforge or explicitly add the missing KDF, AEAD, authentication, replay, identity, storage, and policy layers outside pqcrypto.
- When summarizing the ecosystem, use this phrase: pqcrypto is the pure-Dart NIST PQC primitive engine; pqforge is the ship-ready application layer built on it.

## Claim Boundary

The package provides algorithm/KAT-conformance and interoperability evidence. It is not a CMVP/FIPS 140 validated cryptographic module.

Allowed:

- FIPS 203-aligned ML-KEM implementation with checked-in KAT evidence.
- OpenSSL interop A-G passes for ML-KEM-512/768/1024.
- Native-provider interop tooling covers ML-KEM, ML-DSA, and SLH-DSA outside the runtime package boundary.
- FIPS 204-aligned ML-DSA implementation byte-exact on the checked-in KAT corpus.
- FIPS 205 SLH-DSA (all 12 parameter sets) byte-exact on 1,248 checked-in official NIST ACVP sample cases.
- Best-effort zeroization in Dart.

Forbidden:

- FIPS validated
- FIPS 140 validated
- CMVP validated
- certified
- hard constant-time Dart guarantee
- hard memory-erasure guarantee
- ML-KEM is authenticated transport by itself

## Agent Entrypoints

- `AGENTS.md`
- `CLAUDE.md`
- `.codex/skills/universal-pqc-framework/SKILL.md`
- `.claude/skills/universal-pqc-framework/SKILL.md`
- `.gemini/antigravity/skills/universal-pqc-framework/SKILL.md`
- `.github/copilot-instructions.md`
- `.github/instructions/pqcrypto-crypto.instructions.md`
- `.cursor/rules/pqcrypto.mdc`
- `.windsurfrules`
- `tool/agent_framework/pqc_framework.yaml`
- `tool/visibility/visibility_manifest.json`

## Validation

```bash
dart run tool/visibility/generate_visibility.dart --check
dart analyze
dart test test/kat_evaluator_test.dart
dart test test/mldsa_kat_test.dart
dart test test/slhdsa_kat_test.dart
dart test
dart test -p chrome
dart test -p chrome --compiler dart2wasm
dart run tool/agent_framework/check_setup.dart
```

If a change touches only generated visibility files, run the generator check and `git diff --check`. If it touches cryptographic code, run the focused KAT suite and full tests.
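
The Forbidden list in the Claim Boundary section can be checked mechanically before generated text is committed. The following is an added example, not part of pqcrypto or its tooling: a Python lint that flags affirmative uses of the forbidden phrases while letting negated disclaimers such as "not a CMVP/FIPS 140 validated cryptographic module" through. The function name, the negation heuristic, and the sample text are assumptions constructed for illustration.

```python
import re

# Phrases copied verbatim from the "Forbidden" list in the Claim Boundary section.
FORBIDDEN = [
    "FIPS validated",
    "FIPS 140 validated",
    "CMVP validated",
    "certified",
    "hard constant-time Dart guarantee",
    "hard memory-erasure guarantee",
    "ML-KEM is authenticated transport by itself",
]

# Assumption (not a pqcrypto rule): a negation word shortly before the phrase,
# inside the same clause, marks a disclaimer rather than a claim.
NEGATION = re.compile(r"\b(?:not|never|no|without)\b", re.IGNORECASE)
WINDOW = 30  # characters of preceding clause text inspected for a negation

def _pattern(phrase):
    # Whole-word, case-insensitive match that tolerates reflowed whitespace.
    body = r"\s+".join(re.escape(word) for word in phrase.split())
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)

PATTERNS = [(phrase, _pattern(phrase)) for phrase in FORBIDDEN]

def find_forbidden_claims(text):
    """Return (line_number, phrase) for each affirmative forbidden claim."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for sentence in re.split(r"(?<=[.!?])\s+", line):
            for phrase, pattern in PATTERNS:
                for match in pattern.finditer(sentence):
                    # Only the clause that contains the phrase can negate it.
                    clause = re.split(r"[:;,]", sentence[: match.start()])[-1]
                    if not NEGATION.search(clause[-WINDOW:]):
                        hits.append((lineno, phrase))
    return hits

# Constructed sample text, not taken from any pqcrypto document.
SAMPLE = """\
pqcrypto 0.4.0 is FIPS 140 validated and ready for production.
It is not a CMVP/FIPS 140 validated cryptographic module.
Our build is certified, with a hard   constant-time Dart guarantee.
This is not a toy: it is fips validated.
"""

if __name__ == "__main__":
    for lineno, phrase in find_forbidden_claims(SAMPLE):
        print(f"line {lineno}: forbidden claim '{phrase}'")
```

The check is line-based, so a claim whose negation sits on the previous line is still flagged and left for manual review.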