Skip to content

Function: insecurePlaceholderProvider()

insecurePlaceholderProvider(dek, options): PqHybridProvider

Defined in: core/src/schema/crypto-pq.ts:151

⚠ INSECURE placeholder provider — the KEM ciphertext IS the shared secret, so anyone with the wire payload trivially recovers the key. Only exists so the PQ code path can be exercised end-to-end in tests and staging without loading the multi-megabyte ML-KEM / X-Wing dependency.

The rename from plainDekProvider (v1.0 zeus W4 fix) makes the misuse risk explicit at every call site. Do NOT use this in production — it provides ZERO cryptographic protection beyond the classic AES-GCM path. Pass { acceptInsecure: true } to confirm you’ve read this warning; omitting it throws so a misconfigured wiring blows up loud instead of silently shipping plaintext-equivalent envelopes.

Uint8Array

true

string

PqHybridProvider