crypto: add core primitives, examples, and smoke tests

Introduce explicit cryptography building blocks for Vix:
- secure randomness (CSPRNG)
- hashing (SHA-256)
- HMAC and HKDF
- secret key handling
- AEAD (AES-256-GCM)
- Ed25519 signatures

Includes clear Result/Error-based APIs (no exceptions),
self-contained examples, and a minimal smoke test suite.

Author: GaspardKirira

README.md

@@ -1,2 +1,193 @@
-# crypto
-Modern cryptography primitives for Vix. Explicit, auditable, dependency-light crypto building blocks for secure runtimes.
+# vix::crypto
+
+Modern cryptography primitives for Vix.
+
+This module provides **explicit, auditable, dependency-light** cryptographic building blocks
+designed for secure runtimes, offline-first systems, and peer-to-peer protocols.
+
+No hidden magic. No implicit control flow. No exceptions in public APIs.
+
+---
+
+## Design principles
+
+- **Explicit errors**
+  All operations return `Result<T>` or `Result<void>`. Failure is visible at call sites.
+
+- **Composable primitives**
+  Small building blocks that can be combined safely in higher-level systems.
+
+- **Provider-agnostic**
+  Interfaces are stable. Providers (OpenSSL, OS RNG) are behind clear boundaries.
+
+- **Predictable behavior**
+  No global state. No hidden initialization. No surprising allocations.
+
+---
+
+## Provided primitives
+
+### Randomness
+
+- `random_bytes(span<uint8_t>)`
+- `random_uint(max)`
+
+Backed by:
+- OpenSSL CSPRNG (when enabled)
+- Linux `getrandom()` syscall
+
+---
+
+### Hashing
+
+- `sha256(...)`
+- Generic `hash(HashAlg, ...)`
+
+Used for:
+- content identifiers
+- integrity checks
+- signatures
+- WAL and sync engines
+
+---
+
+### HMAC
+
+- `hmac_sha256(...)`
+- Generic `hmac(HmacAlg, ...)`
+
+Provides message authentication with shared secrets.
+
+---
+
+### Key derivation
+
+- `hkdf_sha256(...)`
+- Generic `kdf(KdfAlg, ...)`
+
+RFC 5869 compliant.
+
+---
+
+### Secret keys
+
+- `SecretKey` (owning, zeroized on destruction)
+- `generate_secret_key(size)`
+
+Designed for in-memory safety and explicit lifetimes.
+
+---
+
+### Authenticated encryption (AEAD)
+
+- `aes_256_gcm` via `aead_encrypt` / `aead_decrypt`
+
+Provides:
+- confidentiality
+- integrity
+- authenticity
+
+Nonce and tag handling is explicit and strict.
+
+---
+
+### Signatures
+
+- `ed25519`
+  - key generation
+  - signing
+  - verification
+
+Deterministic, fast, and widely deployed.
+
+---
+
+## Error handling
+
+All APIs return explicit errors:
+
+```cpp
+auto r = sha256(data, out);
+if (!r.ok())
+{
+  // inspect r.error().code and r.error().message
+}
+```
+
+No exceptions are thrown by public APIs.
+
+---
+
+## Build and integration
+
+### As part of the Vix umbrella
+
+The crypto module is designed to be added via:
+
+```
+modules/crypto
+```
+
+Dependencies are managed by the umbrella build.
+
+---
+
+### Standalone build
+
+```bash
+cmake -S . -B build
+cmake --build build
+```
+
+OpenSSL is used automatically when available.
+
+---
+
+## Examples
+
+See the `examples/` directory:
+
+- `hash_sha256.cpp`
+- `aead_roundtrip.cpp`
+- `sign_verify.cpp`
+
+Each example is small, self-contained, and demonstrates correct usage.
+
+---
+
+## Tests
+
+The `tests/` directory contains a minimal smoke test validating:
+
+- randomness
+- hashing
+- HMAC
+- KDF
+- AEAD
+- signatures
+
+These tests ensure wiring and providers work as expected.
+
+---
+
+## Scope
+
+This module intentionally does **not** provide:
+
+- TLS
+- certificate handling
+- key storage
+- protocol-level logic
+
+Those belong in higher-level modules (`p2p`, `net`, `sync`).
+
+---
+
+## License
+
+MIT. See `LICENSE`.
+
+---
+
+> Cryptography does not create trust.
+> It makes systems **work without having to trust**.

examples/CMakeLists.txt

@@ -0,0 +1,47 @@
+#  @file CMakeLists.txt
+#  @author Gaspard Kirira
+#
+#  Copyright 2025, Gaspard Kirira.
+#  All rights reserved.
+#  https://github.com/vixcpp/vix
+#  Use of this source code is governed by a MIT license
+#  that can be found in the License file.
+#
+# ====================================================================
+# Vix.cpp - Crypto Module Examples
+# ====================================================================
+# Purpose:
+#   Small, self-contained examples demonstrating the crypto primitives.
+#   These binaries are meant for developers and documentation, not install.
+# ====================================================================
+
+cmake_minimum_required(VERSION 3.20)
+
+# Examples are only meaningful if the crypto target exists
+if (NOT TARGET vix::crypto)
+  message(FATAL_ERROR "[crypto/examples] vix::crypto target not found")
+endif()
+
+# Helper macro to reduce boilerplate
+function(vix_crypto_example name)
+  add_executable(${name} ${name}.cpp)
+  target_link_libraries(${name} PRIVATE vix::crypto)
+
+  target_compile_features(${name} PRIVATE cxx_std_20)
+
+  if (TARGET vix_warnings)
+    target_link_libraries(${name} PRIVATE vix_warnings)
+  endif()
+
+  if (VIX_ENABLE_SANITIZERS AND TARGET vix_sanitizers)
+    target_link_libraries(${name} PRIVATE vix_sanitizers)
+  endif()
+endfunction()
+
+# --------------------------------------------------------------------
+# Examples
+# --------------------------------------------------------------------
+
+vix_crypto_example(hash_sha256)
+vix_crypto_example(aead_roundtrip)
+vix_crypto_example(sign_verify)

examples/aead_roundtrip.cpp

@@ -0,0 +1,136 @@
+/**
+ *
+ *  @file aead_roundtrip.cpp
+ *  @author Gaspard Kirira
+ *
+ *  Copyright 2025, Gaspard Kirira.
+ *  All rights reserved.
+ *  https://github.com/vixcpp/vix
+ *
+ *  Use of this source code is governed by a MIT license
+ *  that can be found in the License file.
+ *
+ *  Vix.cpp
+ *
+ */
+#include <vix/crypto/crypto.hpp>
+
+#include <array>
+#include <cstdint>
+#include <iomanip>
+#include <iostream>
+#include <string_view>
+#include <vector>
+
+namespace
+{
+
+  void print_hex(std::span<const std::uint8_t> bytes)
+  {
+    std::ios old_state(nullptr);
+    old_state.copyfmt(std::cout);
+
+    for (std::size_t i = 0; i < bytes.size(); ++i)
+    {
+      std::cout << std::hex << std::setw(2) << std::setfill('0')
+                << static_cast<int>(bytes[i]);
+    }
+
+    std::cout.copyfmt(old_state);
+  }
+
+  int run()
+  {
+    using namespace vix::crypto;
+
+    constexpr AeadAlg alg = AeadAlg::aes_256_gcm;
+
+    std::array<std::uint8_t, 32> key{};
+    std::array<std::uint8_t, 12> nonce{};
+
+    auto rk = random_bytes(key);
+    if (!rk.ok())
+    {
+      std::cerr << "random key failed: "
+                << static_cast<int>(rk.error().code)
+                << " " << rk.error().message << "\n";
+      return 1;
+    }
+
+    auto rn = random_bytes(nonce);
+    if (!rn.ok())
+    {
+      std::cerr << "random nonce failed: "
+                << static_cast<int>(rn.error().code)
+                << " " << rn.error().message << "\n";
+      return 1;
+    }
+
+    constexpr std::string_view aad_sv = "vix-crypto:aead-demo";
+    constexpr std::string_view msg_sv = "hello from vix crypto";
+
+    std::vector<std::uint8_t> plaintext(msg_sv.begin(), msg_sv.end());
+    std::vector<std::uint8_t> ciphertext(plaintext.size());
+    std::vector<std::uint8_t> decrypted(plaintext.size());
+    std::array<std::uint8_t, 16> tag{};
+
+    auto enc = aead_encrypt(
+        alg,
+        key,
+        nonce,
+        std::span<const std::uint8_t>(
+            reinterpret_cast<const std::uint8_t *>(aad_sv.data()),
+            aad_sv.size()),
+        plaintext,
+        ciphertext,
+        tag);
+
+    if (!enc.ok())
+    {
+      std::cerr << "encrypt failed: "
+                << static_cast<int>(enc.error().code)
+                << " " << enc.error().message << "\n";
+      return 1;
+    }
+
+    auto dec = aead_decrypt(
+        alg,
+        key,
+        nonce,
+        std::span<const std::uint8_t>(
+            reinterpret_cast<const std::uint8_t *>(aad_sv.data()),
+            aad_sv.size()),
+        ciphertext,
+        tag,
+        decrypted);
+
+    if (!dec.ok())
+    {
+      std::cerr << "decrypt failed: "
+                << static_cast<int>(dec.error().code)
+                << " " << dec.error().message << "\n";
+      return 1;
+    }
+
+    const bool same = (decrypted == plaintext);
+
+    std::cout << "alg: aes-256-gcm\n";
+    std::cout << "aad: " << aad_sv << "\n";
+    std::cout << "msg: " << msg_sv << "\n";
+    std::cout << "ciphertext: ";
+    print_hex(ciphertext);
+    std::cout << "\n";
+    std::cout << "tag:        ";
+    print_hex(tag);
+    std::cout << "\n";
+    std::cout << "roundtrip:  " << (same ? "OK" : "FAILED") << "\n";
+
+    return same ? 0 : 2;
+  }
+
+} // namespace
+
+int main()
+{
+  return run();
+}