node:crypto: add implemented helper exports to the API manifest

[andrewtdiz]

Summary

Several node:crypto exports are already recognized as callable by Perry's runtime/codegen, and docs/runtime-parity.md marks them covered, but they are missing from perry-api-manifest and generated API declarations/reference docs.

This is a manifest/declaration coherence gap: strict native-member checks and declaration-guided users can miss or reject APIs that the runtime already exposes.

Node behavior

On local Node v25.9.0, the following are enumerable node:crypto exports with function/class shape:

const crypto = require("node:crypto");

for (const name of [
  "Hash", "Hmac", "Sign", "Verify",
  "checkPrime", "checkPrimeSync",
  "generateKey", "generateKeySync",
  "generateKeyPair", "generateKeyPairSync",
  "generatePrime", "generatePrimeSync",
  "getCipherInfo", "hkdf", "scrypt",
  "secureHeapUsed", "setFips",
]) {
  console.log(name, typeof crypto[name], crypto[name].length);
}

Representative Node results:

• Hash, Hmac, Sign, Verify are function-valued constructor exports.
• checkPrime / checkPrimeSync, generateKey*, generateKeyPair*, generatePrime*, getCipherInfo, hkdf, scrypt, secureHeapUsed, and setFips are enumerable functions.

Current Perry evidence

Current origin/main has implementation/coverage evidence for this cluster:

• crates/perry-runtime/src/object/native_module.rs::is_native_module_callable_export() lists the names above as callable crypto exports.
• crates/perry-codegen/src/expr/calls.rs has direct lowering for:
  • legacy crypto.Hash / crypto.Hmac / crypto.Sign / crypto.Verify call paths
  • generateKey, generateKeySync, generateKeyPair, generateKeyPairSync
  • generatePrime, generatePrimeSync, checkPrime, checkPrimeSync
  • getCipherInfo, hkdf, scrypt, secureHeapUsed, and setFips
• crates/perry-stdlib/src/crypto/ contains backing implementations such as js_crypto_generate_key_sync, js_crypto_generate_key_async, js_crypto_generate_key_pair_async, js_crypto_generate_prime_sync, js_crypto_check_prime_sync, js_crypto_hkdf_async_alg, js_crypto_scrypt_async, js_crypto_get_cipher_info, and js_crypto_secure_heap_used.
• docs/runtime-parity.md marks these rows covered in the node:crypto section.

But the manifest/declarations omit them:

• crates/perry-api-manifest/src/entries.rs has entries for adjacent crypto APIs such as createHash, createHmac, pbkdf2, pbkdf2Sync, scryptSync, hkdfSync, generateKeyPairSync, and cipher/sign helpers, but omits much of the callable cluster above.
• docs/api/perry.d.ts does not declare these exports for module "crypto".
• docs/src/api/reference.md does not list these exports.

Suggested test surface

Add manifest/API regression coverage that checks:

• module_has_symbol("crypto", name) succeeds for the implemented callable cluster above.
• docs/api/perry.d.ts includes function/class declarations for these names.
• Existing granular crypto fixtures for key generation, KDFs, primes, cipher info, and legacy constructor aliases remain covered.

Scope / non-goals

This is scoped to manifest/declaration/reference-doc coherence for APIs already recognized by Perry runtime/codegen. It excludes crypto.randomFill, which is tracked separately in #2691, argument validation (#2013), WebCrypto/global constructor work (#2576), KeyObject gaps (#2565), Argon2/encapsulation APIs (#2517), and behavior improvements for algorithms that are already tracked elsewhere.

No local target/release/perry binary was available for a compiled runtime repro; this issue is based on Node probes plus current origin/main source inspection.

[andrewtdiz]

Current compiled parity evidence on the last buildable main baseline (aed3a2b1b985, because current origin/main is build-red from #3864) shows this is not just a docs/declaration gap: named ESM imports are rejected before the implemented callable paths can run.

Sequential local command:

./run_parity_tests.sh --suite node-suite --module crypto

Summary:

Parity Pass:   201
Parity Fail:   1
Compile Fail:  5
Parity Rate:   99.5%

Compile failures that route to this issue:

node-suite/crypto/asymmetric/sign-verify-constructor-export
  Error: The requested module 'node:crypto' does not provide an export named 'Sign'

node-suite/crypto/hash/constructor-export
  Error: The requested module 'node:crypto' does not provide an export named 'Hash'

node-suite/crypto/hmac/constructor-export
  Error: The requested module 'node:crypto' does not provide an export named 'Hmac'

node-suite/crypto/inventory/fips-api
  Error: The requested module 'node:crypto' does not provide an export named 'setFips'

node-suite/crypto/prime/generate-check
  Error: The requested module 'node:crypto' does not provide an export named 'generatePrimeSync'

Local source check matches the root cause: crates/perry-runtime/src/object/native_module.rs::is_native_module_callable_export() includes Hash, Hmac, Sign, Verify, setFips, generatePrime*, and checkPrime*, and crates/perry-codegen/src/expr/calls.rs has lowering arms for them, but crates/perry-api-manifest/src/entries.rs still omits several of these public named exports. perry-hir/src/lower/module_decl.rs gates Node named imports through perry_api_manifest::module_has_public_named_export, so the runtime implementation is currently unreachable for ESM named-import users.

This is a useful prioritization signal: most of node:crypto is already green, and fixing the manifest/public export table should unlock these fixtures before behavior work is assessed.

[andrewtdiz]

Current-main rerun at 22824ba90 confirms this manifest/public-export issue is still the only compile-failure cluster in the curated crypto suite:

$ ./run_parity_tests.sh --suite node-suite --module crypto
Parity Pass:   201
Parity Fail:   1
Compile Fail:  5
Report: /private/tmp/perry-node-compat-main/test-parity/reports/parity_report_20260531_155724.json

Compile failures:

node-suite/crypto/asymmetric/sign-verify-constructor-export
  Error: The requested module 'node:crypto' does not provide an export named 'Sign'

node-suite/crypto/hash/constructor-export
  Error: The requested module 'node:crypto' does not provide an export named 'Hash'

node-suite/crypto/hmac/constructor-export
  Error: The requested module 'node:crypto' does not provide an export named 'Hmac'

node-suite/crypto/inventory/fips-api
  Error: The requested module 'node:crypto' does not provide an export named 'setFips'

node-suite/crypto/prime/generate-check
  Error: The requested module 'node:crypto' does not provide an export named 'generatePrimeSync'

Current manifest check from target/release/perry --print-api-manifest shows only these names from the affected cluster:

createHash
createHmac
createSign
createSign
createVerify
createVerify
getFips

So the behavior/runtime side is largely green, but ESM named imports remain gated by the public manifest for Hash, Hmac, Sign, Verify, setFips, and prime helpers. No Test262 coverage was involved.

[andrewtdiz]

I’m taking this as part of a focused node:crypto public export/manifest parity cut with #2706 and #2716. Planned scope: add the missing already-implemented crypto callable/constructor exports to the manifest/runtime namespace path, cover named imports and captured property reads, and keep behavior work outside this PR.

[andrewtdiz]

Draft PR opened for this crypto export cluster: #4123