Changelog

Unreleased

Test suite. Vitest covering round-trip encrypt/decrypt across primitives, objects, arrays, unicode, very-long inputs, and the empty-string boundary; the explicit-driver overload (AES, TripleDES); known-answer vectors for md5/sha1/sha256/sha512; configuration-default semantics; and decrypt failure modes (wrong key, malformed cipher, empty string).
README with a prominent security notice spelling out the threat model: these helpers wrap crypto-js’s passphrase-keyed AES-CBC + OpenSSL-style MD5 KDF; ciphertext is not authenticated; md5/sha1 are not collision-resistant. Includes explicit “use for” / “do NOT use for” lists.
CHANGELOG, llms.txt, llms-full.txt, and a skills/ folder (README, overview with a security-boundaries section, encrypt-decrypt, hashes, configuration, recipes) for tool-assisted development.
vitest.config.ts with the node environment and the self-detecting sibling-alias pattern used elsewhere in the workspace.
CI. GitHub Actions workflow: Node 18/20/22 × Ubuntu, plus Node 20 × Windows.
package.json polish. sideEffects: false, sharper description, expanded keywords, vitest and typescript dev-dependencies, test / test:watch scripts.

30 passing

decrypt logs decode errors via console.warn and returns null. Callers cannot distinguish “wrong key” from “malformed input” from “tampered cipher” — the wrapper does not provide authentication, so by design it can only signal “did this round-trip as JSON or not.”
encrypt(undefined) round-trips to undefined (because JSON.stringify({ data: undefined }) is "{}", which decrypts and parses to {}, whose .data is undefined). This is a property of the JSON layer, not of the cipher.
encrypt of a value containing circular references throws synchronously (from JSON.stringify) before any encryption happens — caller responsibility.