Version 3.3.1 2025-10-12
Release Notes – BASEFWX v3.3.1 (Obfuscation Fast Paths & PQ-Hardened Defaults)
Pipeline hardening: every AES payload now flows through Argon2id → HKDF → AES‑GCM with authenticated metadata, and a size‑preserving obfuscation pass (XOR + reverse + deterministic permutation) runs before AEAD to ensure ciphertext looks like high‑entropy noise. The obfuscation layer is on by default; disable it with --no-obf or BASEFWX_OBFUSCATE=0 when benchmarking.
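As an added illustration (not BASEFWX's own code), the Argon2id → HKDF → AES‑GCM shape described above, with the metadata header passed as AEAD associated data so that any edit to the header or the body fails the tag check; it assumes argon2-cffi and cryptography are installed, and the Argon2id cost parameters, blob layout and HKDF info string are illustrative choices, not the project's.

```python
import json
import os
import struct

from argon2.low_level import Type, hash_secret_raw
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF


def derive_key(password: bytes, salt: bytes) -> bytes:
    # Argon2id stretches the password (illustrative parameters, not BASEFWX's).
    master = hash_secret_raw(password, salt, time_cost=2, memory_cost=16 * 1024,
                             parallelism=1, hash_len=32, type=Type.ID)
    # HKDF binds the Argon2id output to one purpose before it becomes the AES key.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"example-aes-gcm-key").derive(master)


def seal(password: bytes, plaintext: bytes, meta: dict) -> bytes:
    """Blob layout (illustrative): salt(16) | nonce(12) | hdr_len(2) | header | ct+tag."""
    salt, nonce = os.urandom(16), os.urandom(12)
    header = json.dumps(meta, sort_keys=True).encode()
    ct = AESGCM(derive_key(password, salt)).encrypt(nonce, plaintext, header)
    return salt + nonce + struct.pack(">H", len(header)) + header + ct


def open_sealed(password: bytes, blob: bytes) -> tuple[dict, bytes]:
    salt, nonce = blob[:16], blob[16:28]
    (hlen,) = struct.unpack(">H", blob[28:30])
    header, ct = blob[30:30 + hlen], blob[30 + hlen:]
    # The header is authenticated, not encrypted: GCM raises InvalidTag if
    # either the header or the ciphertext was modified in transit.
    pt = AESGCM(derive_key(password, salt)).decrypt(nonce, ct, header)
    return json.loads(header), pt


def tamper_detected(password: bytes, blob: bytes, offset: int) -> bool:
    """Flip one bit at `offset` and report whether AEAD verification rejects the blob."""
    bad = bytearray(blob)
    bad[offset] ^= 0x01
    try:
        open_sealed(password, bytes(bad))
        return False
    except InvalidTag:
        return True
```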
PQ master handling refinement: master wrapping still uses ML‑KEM‑768 (Kyber) and HKDF-derived AES keys, but we now require an explicit --use-master-pub flag or the BASEFWX_MASTER_PQ_PUB env to load a public key. The baked pubkey is ignored unless ALLOW_BAKED_PUB=1, reducing accidental escrow.
Heavy/b512 modes upgraded: pb512/b512 “heavy” flows now obfuscate internals and then wrap the entire blob with AES‑GCM. Legacy CBC decrypt remains quarantined behind ALLOW_CBC_DECRYPT=1, logging a warning so you can plan re-encryption.
Performance win: large buffers (≥64 KiB) take a NumPy fast path for keystream XOR, and permutations switch to a PCG64 vectorised shuffle from 4 KiB upward. Same formats, less CPU.
CLI & config: new --no-obf, --use-master-pub, and existing --strip/--no-master options work together without surprises; metadata stripping still forces password-only mode to prevent silent reliance on master escrow.
Docs refreshed: README now documents the ML‑KEM → HKDF → AES‑GCM stack, Argon2id default, b512 AEAD wrap, and fast-path behavior; SECURITY policy updated with 3.3.x as the active line.
Quality & automation: legacy test.py and tests/test_cryptography.py merged into tests/test_basefwx.py (CLI smokes, AEAD tamper, obfuscation fast-path coverage). CI now runs on Python 3.10–3.12 with cached deps and full crypto stack (cryptography, pqcrypto, numpy, argon2-cffi, etc.).
…and as always, more tweaks landed under the hood. Dive into the repo for the full diff, keep your master secret offline, and re-encrypt older payloads to enjoy the new defaults.