fix:

- AES GCM protocol mismatch
- better, granular error handling
- UUID now uses crypto.randomUUID()
- added native mlock addon to improve security
- ZeroBuffer uses explicit_bzero now
- fixed imports

feat:
-  added unit tests

src/types/crypto.ts

@@ -2,21 +2,32 @@
  * Cryptography-related types
  */
 
+/** Wire format for encrypted payloads exchanged with the NOMYO router */
 export interface EncryptedPackage {
-    /** Encrypted payload data */
-    encrypted_payload: string;
+    /** Protocol version */
+    version: string;
 
-    /** Encrypted AES key (encrypted with server's RSA public key) */
+    /** Algorithm identifier, e.g. "hybrid-aes256-rsa4096" */
+    algorithm: string;
+
+    /** AES-256-GCM encrypted payload fields */
+    encrypted_payload: {
+        /** Base64-encoded AES-GCM ciphertext (WITHOUT auth tag) */
+        ciphertext: string;
+        /** Base64-encoded 12-byte GCM nonce */
+        nonce: string;
+        /** Base64-encoded 16-byte GCM auth tag */
+        tag: string;
+    };
+
+    /** Base64-encoded AES key encrypted with RSA-OAEP */
     encrypted_aes_key: string;
 
-    /** Client's public key in PEM format */
-    client_public_key: string;
+    /** Key wrapping algorithm identifier */
+    key_algorithm: string;
 
-    /** Unique identifier for this encrypted package */
-    payload_id: string;
-
-    /** Nonce/IV used for AES encryption (base64 encoded) */
-    nonce: string;
+    /** Payload encryption algorithm identifier */
+    payload_algorithm: string;
 }
 
 export interface ProtectionInfo {