feat(chacha12): Consolidate PRNG for fuzzing

[kriskowal]

Description

Adds two new workspace packages and rewires the existing
deterministic-fuzz consumers in this repo to use them.

@endo/random

A source-agnostic library of random sampling functions. Each
sampler accepts a RandomSource as its first argument:

type RandomSource = (out: Uint8Array) => void;

The shape mirrors crypto.getRandomValues (minus the return value),
so the canonical browser/Node entropy source and a
@endo/chacha12-backed source returned by makeChaCha12(seed) are
both directly usable wherever a RandomSource is expected.

Names follow the TC39
proposal-random-functions
translation Random.method -> randomMethod. Each sampler is its
own subpath export so consumers can import only what they use:

Path	Exports
@endo/random	all of the below
@endo/random/random.js	random
@endo/random/int.js	randomInt
@endo/random/uint.js	randomUint8, randomUint16, randomUint24, randomUint32, randomUint53
@endo/random/fast-check.js	adaptToPureRandomGenerator, adaptFromPureRandomGenerator, makeRandomTypeFromSeed
@endo/random/seeds.js	bobsCoffee64

@endo/random/fast-check.js carries bidirectional adapters between
RandomSource and the pure-rand v5 RandomGenerator interface
that fast-check consumes via the randomType parameter, plus a
makeRandomTypeFromSeed builder. It imports nothing from
pure-rand or fast-check; it depends only on those interfaces
being structurally compatible.

@endo/random/seeds.js exports bobsCoffee64, a 32-byte seed
(b0b5c0ffeefacade repeated four times) shared across Endo
deterministic fuzz suites so a single seed change propagates.

@endo/chacha12

A pure-JavaScript ChaCha12 keystream. The package's sole public
entry point is makeChaCha12(key), which returns a function
(out: Uint8Array) => void that fills out with the next bytes of
the keystream. That shape matches crypto.getRandomValues and
@endo/random's RandomSource exactly, so the same function serves
either ecosystem and the two packages compose without an adapter.

ChaCha12 is the 12-round variant of Daniel J. Bernstein's ChaCha
family. The block function is identical to ChaCha20 modulo the
loop count (6 double-rounds vs 10). The reduced round count trades
cryptographic safety margin for speed. The package is positioned
and documented as a PRNG, not a cipher recommendation.

Consumer rewires

The @endo/hex encode/decode benchmarks and the @endo/ocapn
syrup and passable fuzz tests now draw deterministic bytes from
@endo/chacha12 directly, seeded from @endo/random/seeds.js's
bobsCoffee64. This removes the duplicated _xorshift.js helpers
that previously lived in packages/hex/test/ and
packages/ocapn/test/.

Most critical files to review:

• packages/random/src/int.js — the range-aware rejection-sampling
  staircase for randomInt. Each tier picks the smallest draw
  width that covers the requested range with reject fraction
  below 0.5, capping the worst-case reject rate across the entire
  safe-integer domain.
• packages/random/src/read-uint.js — fixed-width little-endian
  unsigned readers backed by per-width scratch buffers (sharing a
  single 8-byte buffer measured ~2.5x slower under V8's
  element-kind specialization). Each reader zeroes its scratch
  prefix after the read.
• packages/random/src/random.js — random() returns
  randomUint53(source) * 2 ** -53, deterministic across runs and
  engines.
• packages/random/fast-check.js — pure-rand v5 RandomGenerator
  adapters and the randomType builder. Documents the clone()
  alias semantics for serial keystreams without a snapshot facility.
• packages/random/seeds.js — canonical bobsCoffee64 seed.
• packages/random/random.types.d.ts — RandomSource and
  PureRandomGenerator type definitions.
• packages/chacha12/src/chacha12.js — the block function, state
  layout, and the IETF / RFC 7539 nonce convention.
• packages/chacha12/test/chacha12.test.js — TC1, TC4, TC8
  keystream vectors from
  draft-strombergson-chacha-test-vectors-01, with a layout note
  documenting the DJB 8-byte-IV vs IETF 12-byte-nonce
  reconciliation at counter = 0.
• packages/random/test/random.bench.js — the cross-source
  microbenchmark; lives in @endo/random rather than
  @endo/chacha12 because it drives both keystreams through the
  same samplers (and because chacha12 cannot devDep on random
  without a cycle — random already devDeps on chacha12).
• packages/hex/test/{decode,encode}.bench.js,
  packages/ocapn/test/{codecs/passable-fuzz,syrup/fuzz}.test.js —
  consumer-side rewires.

Security Considerations

@endo/chacha12 is positioned and documented as a PRNG, not a
cipher. The README explicitly steers cipher use cases to ChaCha20
or another 20-round implementation; the cipher package keyword
has been intentionally omitted. ChaCha12 reduces the cryptographic
safety margin relative to ChaCha20 (12 rounds vs 20); for
deterministic test fixtures, property-based testing, and fuzzing —
the consumer use cases in this PR — the extra speed is the right
tradeoff, but downstream users should not adopt this package for
confidentiality or for key derivation from caller-supplied seeds.

Neither package introduces new authority surface. makeChaCha12
is a pure deterministic function of its 32-byte key; the returned
function is hardened. @endo/random's samplers are pure functions
over their source argument, with module state limited to small
per-width scratch buffers that are zeroed after each read so no
random bytes linger across calls. No I/O, no entropy source, no
global state.

The hex/ocapn rewires add a workspace devDependency only — no
runtime dependency change for consumers of those packages.

Scaling Considerations

@endo/chacha12/BENCH.md reports the cross-source microbenchmark
(packages/random/test/random.bench.js). Headline numbers on the
test bed (Node 22.22.2, AMD Ryzen AI MAX+, x64, median of 10 runs):

Workload	xorshift128+	ChaCha20	ChaCha12	C12/C20
Bulk bytes (MB/s)	696	190	281	1.48x
random() (ns/call)	17.2	45.4	35.1	1.29x
randomInt(0, 99) (ns/call)	11.1	15.6	14.3	1.10x

The bulk-bytes ratio is below the naive 20/12 = 1.67x because
per-block fixed costs are identical between ChaCha20 and ChaCha12.
The sampler workloads narrow the gap further because the per-call
envelope (range-aware staircase, mask-and-reject) is shared across
all sources and amortizes the keystream difference.

No new on-chain storage, message exchange, or persistent resource
consumption.

Documentation Considerations

Self-contained docs ship with each new package:

• packages/random/README.md — RandomSource interface, subpath
  exports, determinism guarantees, scratch-buffer rationale.
• packages/chacha12/README.md — makeChaCha12 API, ChaCha12 vs
  ChaCha20 framing, keystream-length bound, verification.
• packages/chacha12/BENCH.md — full benchmark report.
• packages/random/SECURITY.md, packages/chacha12/SECURITY.md —
  standard Endo security policy.
• .changeset/endo-chacha12.md — @endo/random: minor,
  @endo/chacha12: minor, @endo/hex: patch, @endo/ocapn: patch.

No existing data or deployment is affected — both packages are new,
and the hex/ocapn changes are confined to test/benchmark helpers.
No upgrade instructions are needed for downstream users of
@endo/hex or @endo/ocapn.

Testing Considerations

packages/random/test/:

• random.test.js — random(source) range invariants,
  determinism, and a pinned 4-element golden float vector.
• int.test.js — closed-interval invariants, endpoint coverage,
  bounds and unsafe-range error paths, determinism, and a
  draw-width sweep that exercises every tier of the
  rejection-sampling staircase (1-byte through 53-bit slow path).
• pure-rand.test.js — adaptToPureRandomGenerator /
  adaptFromPureRandomGenerator round-trip equivalence with a
  fresh twin, plus distribution-shape sanity.
• fast-check.test.js — drives fc.assert with a
  ChaCha12-backed randomType to confirm the adapter satisfies
  fast-check's contract end-to-end.
• random.bench.js — local microbenchmarks against an inlined
  ChaCha20 reference (_chacha20.js) and an xorshift128+
  baseline (_xorshift.js).

packages/chacha12/test/chacha12.test.js — three published
ChaCha12 keystream vectors (TC1, TC4, TC8) from
draft-strombergson-chacha-test-vectors-01, plus block-boundary
equivalence (a 192-byte single pull vs piecewise 7/57/64/32/32
pulls from a freshly-seeded twin) and RandomSource-shape
conformance.

The @endo/hex benchmarks and @endo/ocapn fuzz tests now run
against the new chacha12 source; existing assertions are preserved.
No new CI jobs required.

Compatibility Considerations

• @endo/random and @endo/chacha12 are new packages — no prior
  usage to break.
• @endo/hex and @endo/ocapn change only test and benchmark
  internals; their published runtime surface is unchanged. The
  duplicated _xorshift.js helpers were never exported.

Upgrade Considerations

Pure additive change for production systems:

• No runtime dependency added to @endo/hex or @endo/ocapn
  consumers (the @endo/chacha12 and @endo/random links are
  devDependencies).
• No data migration, no on-chain implications.
• Not a breaking change.

[changeset-bot]

🦋 Changeset detected

Latest commit: cc336d4

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages

Name	Type
@endo/random	Major
@endo/chacha12	Major
@endo/hex	Patch
@endo/ocapn	Patch
@endo/chacha12-fast-check-test	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gibson042]

Some thoughts and suggestions on design and implementation.

I'd really like to see a more isolated core that can be used to construct multiple interfaces such as proposal-random-functions Random and pure-rand RandomGenerator.

[gibson042]

Might as well make this a hyperlink to https://datatracker.ietf.org/doc/html/draft-strombergson-chacha-test-vectors-01 .

[gibson042]

This near-alignment... 😐

[gibson042]

Do all three packages cross-reference the other two? It seems valuable for them to implement and maintain a consistent API, and I'm wondering whether that and other commonalities should rely upon something like importing from an @endo/prng package.

[gibson042]

Hmm, the other two packages don't even exist! Comment stands if there are plans to introduce them, but otherwise:

Suggested change

	This package is the ChaCha12 sibling of `@endo/chacha20` (the
	20-round variant) and `@endo/xorshift` (a non-cryptographic PRNG);
	choose among them by package name based on the throughput vs margin
	tradeoff a given consumer needs.

[gibson042]

Given that the proposal is at stage 1, this claim is too strong. I'd prefer to pare down the API to the point where such a swap becomes possible in the future without breaking changes here regardless of dramatic evolution in the proposal. Even if we need all four abilities (draw sub-unitary non-negative float, draw integer from closed interval, draw fresh Uint8Array, fill Uint8Array), perhaps it makes sense to start with just a block stream here and a more ergonomic translating wrapper in the previously-suggested common package?

import { BLOCK_SIZE, makeChaCha12 } from '@endo/chacha12';
import { decodeHex } from '@endo/hex';
import { makeRandomFromBlockFiller } from '@endo/prng';

const { pullBlock }: { pullBlock: (out: Uint8Array) => void } = makeChaCha12(
  decodeHex('b0b5c0ffeefacade'.repeat(4)),
);

// `makeRandomFromBlockFiller` makes a proposal-random-functions Random from a
// `pullBlock`-shaped Uint8Array-filling function.
const prng: {
  random: () => number;
  int: (lo: number, hi: number) => number;
  bytes: (n: number) => Uint8Array;
  fillBytes: (buf: Uint8Array, start?: number, end?: number) => Uint8Array;
} = makeRandomFromBlockFiller(pullBlock, { blockSize: BLOCK_SIZE });

assert(0 <= prng.random() && prng.random() < 1);
assert(Math.abs(prng.int(10, 20) - 15) <= 5);

[gibson042]

And for bonus points, we should also be able to represent a ChaCha12 as a pure-rand RandomGenerator for compatibility with fast-check randomType.

import fc from 'fast-check';
import type { RandomType as FastCheckRandomType } from 'fast-check';
import type { RandomGenerator } from 'pure-rand/types/RandomGenerator';
import {
  BLOCK_SIZE,
  makeChaCha12Kit,
  adaptToPureRandomGenerator,
} from '@endo/chacha12';

/*
const adaptToPureRandomGenerator = ({
  getState,
  pullBlock,
}: ChaCha12Kit): RandomGenerator => {
  const buf8 = new Uint8Array(BLOCK_SIZE);
  const buf32 = new Int32Array(buf8.buffer);
  let prevBuf32Idx = 0;
  return {
    clone: () =>
      adaptToPureRandomGenerator(makeChaCha12Kit({ state: getState() })),
    next: () => {
      if (prevBuf32Idx === 0) {
        // Refill and reset.
        pullBlock(buf8);
        prevBuf32Idx = buf32.length;
      }
      prevBuf32Idx -= 1;
      return buf32[prevBuf32Idx];
    },
    getState: () => getState(),
  };
};
*/

const randomGenerator: RandomGenerator = adaptToPureRandomGenerator(
  makeChaCha12Kit({ seed: decodeHex('b0b5c0ffeefacade'.repeat(4)) }),
);

// Our fast-check adapter.
const chaCha12RandomType: FastCheckRandomType = (int32Seed: number) => {
  const chaChaSeed = new Int32Array(8).fill(int32Seed);
  return adaptToPureRandomGenerator(
    makeChaCha12Kit({ seed: new Uint8Array(chaChaSeed.buffer) }),
  );
};

// A deterministically failing PBT fed by ChaCha12.
fc.assert(
  fc.property(fc.integer(), n => n >= 0),
  { randomType: chaCha12RandomType, seed: 0xdeadbeef },
);

[gibson042]

Suggested change

	- `random()` reads 8 keystream bytes, masks the top 11 bits, and
	divides by `2 ** 53`.
	Each respective returned value from streams with the same seed is
	equal across runs and engines because the float is computed by
	dividing a 53-bit integer by an exact power of two, with no
	engine-dependent rounding.
	- `random()` ensures that each respective returned value from streams with the
	same seed is equal across runs and engines by internally constructing a 53-bit
	integer and dividing it by `2 ** 53` (which avoids engine-dependent rounding).

[gibson042]

Suggested change

	/**
	* Pulls 8 keystream bytes, masks the high 11 bits to 0, and
	* divides the resulting 53-bit integer by `2 ** 53`. The result
	* is a float in `[0, 1)`, deterministic for a given seed across
	* engines.
	*/
	/**
	* Produces a float in `[0, 1)` that is deterministic for a given seed
	* across all engines by constructing an unsigned 53-bit integer and
	* dividing it by `2 ** 53`.
	*/

[gibson042]

Suggested change

	// Read a 32-bit unsigned little-endian integer from the keystream.
	// Used by `int()` for ranges that fit in 32 bits, avoiding the
	// float round-trip through `random()`.
	const readU32 = () => {
	const b0 = readByte();
	const b1 = readByte();
	const b2 = readByte();
	const b3 = readByte();
	return (b0 | (b1 << 8) | (b2 << 16) | (b3 << 24)) >>> 0;
	};
	/** Read a 16-bit unsigned little-endian integer from the keystream. */
	const readU16 = () => {
	const b0 = readByte();
	const b1 = readByte();
	return (b0 | (b1 << 8)) >>> 0;
	};
	/** Read a 24-bit unsigned little-endian integer from the keystream. */
	const readU24 = () => {
	const b0 = readByte();
	const b1 = readByte();
	const b2 = readByte();
	return (b0 | (b1 << 8) | (b2 << 16)) >>> 0;
	};
	/** Read a 32-bit unsigned little-endian integer from the keystream. */
	const readU32 = () => {
	const b0 = readByte();
	const b1 = readByte();
	const b2 = readByte();
	const b3 = readByte();
	return (b0 | (b1 << 8) | (b2 << 16) | (b3 << 24)) >>> 0;
	};
	/** Read a 53-bit unsigned little-endian integer from the keystream. */
	const readU53 = () => {
	// Assemble the integer from two 32-bit halves, masking off the top
	// 11 bits of the upper half to leave 21 high bits + 32 low bits =
	// 53 bits.
	const lo = readU32();
	const hi24 = readU24();
	const hi21 = hi24 & 0x1fffff;
	return hi21 * 4294967296 + lo;
	};

[gibson042]

Suggested change

	const random = () => {
	// Read 8 bytes from the buffer; assemble into a non-negative
	// 53-bit integer using two halves.
	//
	// High 32 bits: little-endian. We mask off the top 11 bits to
	// leave 21 high bits + 32 low bits = 53 bits.
	const b0 = readByte();
	const b1 = readByte();
	const b2 = readByte();
	const b3 = readByte();
	const b4 = readByte();
	const b5 = readByte();
	const b6 = readByte();
	const b7 = readByte();
	const lo = (b0 | (b1 << 8) | (b2 << 16) | (b3 << 24)) >>> 0;
	// Mask top 11 bits of the high word to 0, keeping 21 bits.
	const hi = ((b4 | (b5 << 8) | (b6 << 16) | (b7 << 24)) >>> 0) & 0x1fffff;
	// hi * 2 ** 32 + lo, divided by 2 ** 53:
	// = hi * 2 ** -21 + lo * 2 ** -53
	// Computed as a single multiply by POW2_M53 of the 53-bit int.
	return (hi * 4294967296 + lo) * POW2_M53;
	};
	const random = () => readU53() * POW2_M53;

[gibson042]

Let's eliminate some pathologies (e.g., int(0, 2**31) should not throw away almost half of the draws because its upper acceptable limit ends up at 2**31 + 1).

Suggested change

	// Fast path: ranges up to `2 ** 32` use a single 32-bit
	// keystream draw and pure integer arithmetic to eliminate modulo
	// bias. Discard draws in `[limit32, 2 ** 32)` so the retained
	// `limit32` buckets divide evenly into `range`.
	if (range <= 0x100000000) {
	const limit32 = 0x100000000 - (0x100000000 % range);
	for (;;) {
	const u = readU32();
	if (u < limit32) {
	return lo + (u % range);
	}
	}
	}
	// Slow path: ranges up to `2 ** 53`. Rejection sampling on a
	// 53-bit integer drawn directly from the keystream as a pair of
	// 32-bit halves; the 11 high bits of the high word are masked
	// off. No floating-point arithmetic is involved in selecting
	// the integer.
	//
	// `limit53 = floor(2 ** 53 / range) * range`. Discard draws in
	// `[limit53, 2 ** 53)` and return `lo + (u % range)`.
	const limit53 = Math.floor(9007199254740992 / range) * range;
	for (;;) {
	const lo32 = readU32();
	const hi21 = readU32() & 0x1fffff;
	const u = hi21 * 4294967296 + lo32; // exact 53-bit non-negative int.
	if (u < limit53) {
	return lo + (u % range);
	}
	}
	// Draw the fewest bytes necessary to either match the requested range or
	// cover at least two repetitions of it, discarding draws in the range
	// beyond the last full repetition to avoid modulo bias while keeping the
	// discard fraction acceptably low.
	const { draw, limit } = (() => {
	// Read one byte to cover a range of exactly 256 or up to 128.
	if (range === 0x100 || range <= 0x80) {
	return { draw: readByte, limit: 0x100 - (0x100 % range) };
	}
	// Read two bytes to cover a range of exactly 65536 or up to 32768.
	if (range === 0x10000 || range <= 0x8000) {
	return { draw: readU16, limit: 0x10000 - (0x10000 % range) };
	}
	// ...and so on.
	if (range === 0x1000000 || range <= 0x800000) {
	return { draw: readU24, limit: 0x1000000 - (0x1000000 % range) };
	}
	if (range === 0x100000000 || range <= 0x80000000) {
	return { draw: readU32, limit: 0x100000000 - (0x100000000 % range) };
	}
	// The final limit is a 53-bit integer, which will discard just under half
	// of all possible draws when the range is just slightly above 2**52.
	return {
	draw: readU53,
	limit: Math.floor(9007199254740992 / range) * range,
	};
	})();
	for (;;) {
	const n = draw();
	if (n < limit) {
	return lo + (n % range);
	}
	}

[gibson042]

Suggestion: align with patterns in chacha12.js.

Suggested change

	if (!(seed instanceof Uint8Array)) {
	throw TypeError('seed must be a Uint8Array');
	}
	if (seed.length !== 32) {
	throw TypeError(
	`seed must be 32 bytes (got ${seed.length}); ChaCha12 keys are 256 bits`,
	);
	}
	if (!(seed instanceof Uint8Array) || seed.length !== 32) {
	throw TypeError('ChaCha12 seed must be a 32-byte Uint8Array');
	}

[kriscendobot]

@gibson042 — thank you for the thorough first-round review. The PR has gone through several redesign rounds since (PR #75 in the mirror tracks the work-in-progress); each of your comments is now addressed. Mapping comment-by-comment:

Surface redesign

comment 3177082445 (README.md:37 — pare down to a block stream + translating wrapper). Adopted as the architectural pivot. @endo/chacha12 now exposes a single public entry point, makeChaCha12, that returns a (out: Uint8Array) => void function — matching crypto.getRandomValues ergonomics minus the return value, and conforming directly to @endo/random's RandomSource type. All sampling distributions (random, randomInt) live in a separate workspace package @endo/random and accept any RandomSource. No public Random class, no built-in API surface beyond the translating wrappers themselves; consumers compose what they need.

comment 3177216582 (pure-rand RandomGenerator adapter for fast-check). Implemented in @endo/random/fast-check.js. adaptToPureRandomGenerator(source) → RandomGenerator and the inverse adaptFromPureRandomGenerator(rg) → RandomSource round-trip cleanly, plus a makeRandomTypeFromSeed(makeSourceFromSeed) builder that returns a fast-check-compatible randomType function. The module imports nothing from pure-rand or fast-check; it depends only on the structural compatibility of the RandomGenerator interface.

comments 3176918766 / 3177404457 (cross-reference among packages, "the other two packages don't even exist"). Resolved per your second comment: speculative references to @endo/chacha20 / @endo/xorshift are removed throughout. The xorshift128+ and ChaCha20 baselines used by the comparative benchmark live in packages/random/test/_xorshift.js and packages/random/test/_chacha20.js as in-package test artifacts only; we are not pursuing those packages.

chacha12 keystream

comment 3177309309 (chacha12.js:177 — chacha12State(key) shorthand). Adopted. makeChaCha12 calls chacha12State(key) directly.

comment 3177312921 (chacha12.js:140 — optional nonce / counter). Adopted with the suggested signature chacha12State(key, nonce = undefined, counter = 0).

comment 3177399312 (random.js:231 — error-message style alignment). Adopted. All chacha12 throws now follow the chacha12 … prefix style.

@endo/random samplers

comment 3177117515 (README determinism wording for random()). Adopted verbatim in both the random() JSDoc and @endo/random/README.md: "each respective returned value from streams with the same seed is equal across runs and engines by internally constructing a 53-bit integer and dividing it by 2 ** 53 (which avoids engine-dependent rounding)".

comment 3177123420 (README:75 — misplaced sentence). Removed from the Determinism section.

comment 3177327612 (random.js:90 — JSDoc). Adopted.

comment 3177339416 (random.js:123 — readU16/24/32/53 helpers). Adopted. Renamed in line with the Uint16Array precedent: randomUint8, randomUint16, randomUint24, randomUint32, randomUint53 (in packages/random/src/read-uint.js). Each helper is hardened and uses a fixed-size scratch buffer per width plus a long-lived DataView for endian-correct reads.

comment 3177346557 (random.js:112 — random = readU53() * POW2_M53). Adopted.

comment 3177389843 (random.js:172 — range-aware int() rejection sampling). Adopted. randomInt selects a draw width matching the requested range (1, 2, 3, 4, or 8 bytes) and rejection-samples within the corresponding capacity. Per-draw reject probability p never exceeds 0.5; consecutive draws are independent so P(N > k) = p^k decays exponentially and E[N] = 1/(1−p) ≤ 2. The range === capacity short-circuits handle the exact-power case. Bench: randomInt(0, 99) reads exactly one byte per draw.

Test infrastructure and changeset

comment 3176903202 (.changeset/endo-chacha12.md:26 — hyperlink). Done.

comment 3177305214 (shared seed). Done. @endo/random/seeds.js exports the canonical bobsCoffee64 32-byte seed; the hex benches and ocapn fuzz tests import it.

comment 3176909949 (BENCH.md:15 — table near-alignment). Fixed and the table refreshed with median-of-10 numbers from a fresh measurement run.

Beyond your inline comments

A few changes the redesign rounds added that are worth flagging:

• The RandomSource interface is a function, not an object with a method. This makes crypto.getRandomValues, makeChaCha12(seed), and any future entropy source structurally compatible without an adapter.
• chacha12Block and chacha12State are no longer in the package's public exports. They remain in src/chacha12.js for in-package known-answer tests via relative import.
• DataView vs shift-and-OR was benched (your tooling intuition) and the verdict split: cached module-scope DataView wins for randomUint* (21–49% faster), per-call new DataView loses for chacha12State/chacha12Block (3.4× / 12% slower from constructor cost). Both sites land on the faster choice with an explanatory comment.
• Per-width scratch buffers in read-uint.js (one buffer per draw width rather than a shared 8-byte slice) are 2.5× faster on the integer hot paths under V8 12.4.
• @endo/random and @endo/chacha12 are at 100% test coverage (statements / branches / functions / lines). Defensive runtime validations that survived only as "throw on bad input" unit-test surface are removed; a 256-GiB counter-overflow guard remains as a correctness invariant behind /* c8 ignore */.
• The bench harness lives at packages/random/test/random.bench.js and refreshed numbers are in packages/chacha12/BENCH.md: chacha12 throughput is 1.48× chacha20 on bulk fills, ~1.3× on random(), ~1.1× on randomInt(0, 99) (where the rejection-sampling envelope dominates per-call cost and amortizes the keystream-cost difference).

Happy to walk through any specific decision in more depth.

[gibson042]

The packages/random/$noun.js files that just export { … } from './src/$noun.js'; clutter up the package root; I understand why we don't want to expose the src/ files directly, but perhaps we should establish a convention of storing such files in an exports/ sibling directory.

Aside from that, I think the pure-rand v8 RandomSource interface would be a much better interop target than the v5 one.

Neither of these are blocking concerns, and the rest of the comments won't need another round of review.

[gibson042]

Why pure-rand v5? The v8 interface is much better, and even preferred by fast-check: https://github.com/dubzzz/fast-check/blob/0858ecd84595c1245b8d26ca86e797643c2ad4e4/packages/fast-check/src/random/generator/RandomGenerator.ts

[gibson042]

This should probably link to https://fast-check.dev/docs/api/interfaces/Parameters/#randomtype .

[gibson042]

Do we also want testing that verifies the expected count of read bytes for ranges of particular size?

[gibson042]

Likewise here; can we extend this to verify that the value passed as randomType is called with the provided seed and that bytes are actually read from the value it returns?

[kriskowal]

The packages/random/$noun.js files that just export { … } from './src/$noun.js'; clutter up the package root; I understand why we don't want to expose the src/ files directly, but perhaps we should establish a convention of storing such files in an exports/ sibling directory.

Aside from that, I think the pure-rand v8 RandomSource interface would be a much better interop target than the v5 one.

Neither of these are blocking concerns, and the rest of the comments won't need another round of review.

There’s a deeper reason. Not all tools and older versions of Node.js don’t recognize the exports directive in package.json, so mirroring key to value is necessary as a fallback. We could just put these thunks in src/ otherwise.

[kriskowal]

Another note: I pulled out the fastcheck adapters. The depth of that conversation led me to understand that there are at least two random number adapters we would want depending on the fastcheck version and that warranted a dedicated package or or packages if we sought to use our prng instead of one that ships with fastcheck.

I also missed a couple notes in the review and will finish revising Monday.

[gibson042]

The packages/random/$noun.js files that just export { … } from './src/$noun.js'; clutter up the package root; I understand why we don't want to expose the src/ files directly, but perhaps we should establish a convention of storing such files in an exports/ sibling directory.

There’s a deeper reason. Not all tools and older versions of Node.js don’t recognize the exports directive in package.json, so mirroring key to value is necessary as a fallback. We could just put these thunks in src/ otherwise.

What software specifically are you concerned about here? The files in question are ECMAScript modules that use import statements, which are supported in Node.js without a CLI flag since version 12.7.0, while package.json exports are supported since Node.js version 12.20.0. Is the gap between Node.js versions 12.7.0 and 12.20.0 really relevant? Just how far back does Endo support extend?

Aside from that, I think the pure-rand v8 RandomSource interface would be a much better interop target than the v5 one.

Another note: I pulled out the fastcheck adapters. The depth of that conversation led me to understand that there are at least two random number adapters we would want depending on the fastcheck version and that warranted a dedicated package or or packages if we sought to use our prng instead of one that ships with fastcheck.

I don't think we need to support anything other than the pure-rand v8 RandomSource interface, which is preferred by the latest version of fast-check and is the only one for which I have a use case (because I have seen Node.js crashes in #3053 that I suspect were ultimately caused by the PRNG internal to fast-check). And by "support" I mean that it must be possible to write source text as shown in #3232 (comment) :

import fc from 'fast-check'; // ^4.6.0
import type { RandomType as FastCheckRandomType } from 'fast-check'; // ^4.6.0
import type {
  RandomGenerator as PureRandGenerator,
} from 'pure-rand/types/RandomGenerator'; // ^8.4.0
import { $EXPORT as makeChaCha12Source } from '@endo/chacha12;
import { adaptToChaCha12Seed, adaptToPureRandV8Generator } from './adapters.js';

// Our fast-check adapter.
const chaCha12RandomType: FastCheckRandomType = (int32Seed: number) => {
  const randomGenerator: PureRandGenerator = adaptToPureRandV8Generator(
    makeChaCha12Source({ seed: adaptToChaCha12Seed(int32Seed) }),
  );
  return randomGenerator;
};

// A deterministically failing PBT fed by ChaCha12.
fc.assert(
  fc.property(fc.integer(), n => n >= 0),
  { randomType: chaCha12RandomType, seed: 0xdeadbeef },
);

And the ability to write and use those adaptToChaCha12Seed and adaptToPureRandV8Generator functions should be covered by tests even if the package doesn't export anything related to them. The reason why this matters is that the pure-rand RandomGenerator interface includes a getState method that requires @endo/chacha12 to export more than just a function whose return value has the same shape as Crypto.getRandomValues.

[kriskowal]

The last hold out for exports support is eslint. I prompted a report that reveals there may be a workaround by using a forked plugin. endojs/endo-but-for-bots#218

[kriskowal]

Could break the cycle with a/the hex-test package.

[kriskowal]

Please omit gratuitous process comment.

[kriskowal]

No longer true.

[kriskowal]

The interface documented here is stale. We changed to an interface consistent with pure-rand-v8, structurally, with a fillRandomBytes function that satisfies RandomSource, like crypto.getRandomBytes.

[kriskowal]

Omit as not interesting to package authors updating dependencies.

[kriskowal]

We have only made one change in this release cycle, when this PR merges. Please consolidate these changeset.

[kriskowal]

Confirmed that we are indeed retaining this. That’s a foot-gun. Please allocate your own copy.

[kriskowal]

We can, frankly, presume that Ava tests are running under Node.js 20+.

[kriskowal]

I would call this copyWithin

[kriskowal]

This needs to be reframed for this package and mostly deleted.

[kriskowal]

Use prettier on this. Leave a note to do this in general for all new or altered Markdown documents going forward.

[kriscendobot]

Force-pushed to incorporate three new fixups from the source branch since the prior tip:

1. refactor(ocapn): revert gratuitous randomNumber rename in fuzz tests — addresses review comments 3239081576 and 3239082370. The module-level callable reads better as random than randomNumber; the earlier rename was a side-effect of import { random as randomFloat } shadowing concerns that turned out not to apply.

2. chore(changeset): consolidate the two chacha12 changesets per review — addresses review comments 3239072009, 3239062983, 3239068864, 3239067688, and 3239064618. Folds chacha12-next-getstate.md into endo-chacha12.md, drops gratuitous process commentary and the dependent-package wording, rewrites the @endo/chacha12 interface description to reflect the actual landed ChaCha12Generator shape, and updates the pure-rand v5 wording (we are structurally compatible with pure-rand v8 and fast-check v4 now).

3. test(random): pin random = randomUint53 * 2 ** -53 equivalence — addresses review comment 3239085874. Adds an assertion that captures the float-extraction recipe so a future implementation edit cannot silently drift the multiplier off the magic constant.

The prior tip 04664e52e is preserved as an ancestor (no rewrite of older commits, no review-thread anchor invalidated). New tip f87bf84257.

[gibson042]

This strikes me as overly brittle; it presumes a particular pattern of consumption that is not required (i.e., little-endian consumption of the buffer that retains its first octet and interprets it as the least significant of the value to be scaled down). Less brittle would be something like this:

Suggested change

	// Pin the magic multiplier to exactly `2 ** -53`. When randomUint53
	// returns 1, random() returns the multiplier itself, so this asserts
	// the constant in `src/random.js` is what its accompanying comment
	// claims it is.
	test('random() multiplies randomUint53 by exactly 2 ** -53', t => {
	/** @param {Uint8Array} out */
	const oneSource = out => {
	for (let i = 0; i < out.length; i += 1) out[i] = 0;
	out[0] = 1;
	};
	t.is(random(oneSource), 2 ** -53);
	});
	// We expect random() to achieve a uniform distribution by scaling down
	// randomUint53() output by exactly `2 ** -53`, but don't want to overly
	// constrain _how_ the former maps octets into integers (consuming 8 vs. 7, big
	// vs. little endian, etc.). So we provide a source that sets every bit to
	// force maximum output, and if we ever need even more assurance could also use
	// sources that set every bit of four contiguous octets after a prefix of 0 to 4
	// fully-clear octets (0xFFFFFFFF_00..., 0x00FFFFFF_FF00...,
	// 0x0000FFFF_FFFF00..., 0x000000FF_FFFFFF00..., 0x00000000_FFFFFFFF_00...),
	// exactly one of which should drive random() output to be `2 ** -21 - 2 ** -53`
	// (i.e., the one in which the set octets correspond exactly with the least
	// significant 32 bits for randomUint53).
	test('random() multiplies randomUint53 by exactly 2 ** -53', t => {
	/** @param {Uint8Array} out */
	const maxSource = out => {
	for (let i = 0; i < out.length; i += 1) out[i] = 0xFF;
	};
	t.is(random(maxSource), 1 - 2 ** -53);
	});

[gibson042]

But on the other hand, this brittleness could be construed as a feature that prevents refactors from accidentally slipping in breaking changes. In which case I would highlight that in the explanatory comments (but also still do the set-all-bits analog as well).

[kriskowal]

Agreed. This was emitted in order to provide assurance that the max float int constant matched the value prescribed in the comment, but I like narrowing this fence. I’m going to propose both all set, none set, 52 bits set, and 53 bits set.