Loading...
private.me Docs
Get xFormat
PRIVATE.ME · Technical White Paper

xFormat: Universal Binary Share Envelope

Standard binary envelope for all 140 ACIs. IDA5 magic number (0x49444135) for instant detection, 2-byte product type for zero-knowledge routing, threshold parameters (K-of-N), UUID share linking, and variable payload. 26-byte header enables cross-product interoperability without custom parsing logic. Zero npm dependencies.

v0.1.0 346 tests passing 8 modules 0 npm deps <10µs serialize Dual ESM/CJS
Section 01

Executive Summary

xFormat is the universal binary envelope for every XorIDA threshold share across the PRIVATE.ME platform. One format, 140 ACIs, zero custom routing logic.

Every PRIVATE.ME product produces threshold shares. Xail splits emails into K-of-N shares. Xecret splits seed phrases into QR codes. xLink splits M2M messages. xGit splits commits across geographic backends. Without a universal format, each routing layer needs product-specific parsing — an O(N²) integration problem.

xFormat solves this: one 26-byte header, 52 registered product types, instant detection via IDA5 magic bytes (0x49444135). Gateways read bytes 5-6 (productType) and route to the correct handler without understanding the payload. Zero-knowledge routing at scale.

Three core operations: serializeEnvelope() creates a binary envelope from metadata + payload. deserializeEnvelope() parses the header and validates all fields. hasXformatMagic() does instant rejection before any crypto operations.

Encoding options for every transport: binary (default, HTTPS/gRPC), Base45 (QR codes per RFC 9285), text wrapper (email shares). Peek operations extract routing metadata (productType, K/N/shareId) without full deserialization — O(1), zero allocation, perfect for high-throughput gateways.

Zero configuration out of the box. Zero npm runtime dependencies. Runs anywhere TypeScript runs — Node.js, Deno, Bun, Cloudflare Workers, browsers. Dual ESM and CJS builds ship in a single package.

Section 02

Developer Experience

xFormat provides 14+ structured error codes and detailed validation messages to help developers build reliable share routing systems.

Structured Error Handling

xFormat uses a Result<T, E> pattern with detailed error structures. Every error includes a machine-readable code, human-readable message, actionable hint, field attribution, and documentation URL.

Error detail structure
interface FormatError {
  code: string;         // e.g., 'INVALID_MAGIC'
  message: string;      // Human-readable description
  hint?: string;        // Actionable suggestion
  field?: string;       // Field that caused the error
  docs?: string;        // Documentation URL
}

Error Categories

xFormat organizes 14+ error codes across 4 categories:

Category Example Codes When
Validation INVALID_MAGIC, INVALID_VERSION, INVALID_PRODUCT_TYPE Header validation, magic number check
Range Errors INVALID_N, INVALID_K, INVALID_SHARE_ID Threshold parameter validation
Encoding BASE45_INVALID_CHAR, BASE45_DECODE_FAILED Base45 QR code encoding/decoding
Format BUFFER_TOO_SHORT, PAYLOAD_EMPTY Buffer size validation, envelope parsing
Example error handling
const result = deserializeEnvelope(incomingData);
if (!result.ok) {
  const err = result.error;
  console.error(`xFormat error [${err.code}]: ${err.message}`);
  if (err.hint) console.log(`Hint: ${err.hint}`);
  if (err.field) console.log(`Field: ${err.field}`);
  return;
}

// Success path
const envelope = result.value;
console.log(`Product: ${envelope.productType}, Share ${envelope.shareId}/${envelope.n}`);
Developer Workflow
xFormat errors are designed for debugging. The INVALID_MAGIC error hints "Expected IDA5 magic bytes 0x49444135". The INVALID_K error specifies "K must be ≤ N and ≥ 2". Field attribution points you to the exact byte offset. Documentation URLs link directly to this white paper's relevant section.
Section 03

The Problem

Every PRIVATE.ME product produces XorIDA threshold shares. Without a universal binary format, each product must implement custom detection, routing, and validation logic. Cross-product interoperability becomes O(N²).

The platform now includes 140+ ACIs, each splitting data into shares. When a gateway receives an incoming share, it needs to answer three questions:

  • Which product created this? Xail email? Xecret QR code? xLink M2M message? xGit commit?
  • What are the threshold parameters? 2-of-2? 2-of-3? K-of-N?
  • How do shares link together? Which share is this (index 1, 2, 3...)? What UUID groups them?

Without a universal envelope, every routing layer must understand every product's custom format. Adding a new product requires updating every gateway, proxy, and routing layer. This doesn't scale to 140 ACIs.

The Scaling Problem

Consider a typical enterprise deployment:

  • xProxy routes shares between internal systems and external partners
  • xWall inspects shares for compliance and threat detection
  • xStore stores shares across multi-cloud backends
  • Deaddrop temporarily holds shares for async delivery

Each of these systems needs product detection logic. Without xFormat, you'd write 4×140 = 560 product-specific routing handlers. With xFormat, you write 4 generic handlers + 140 product registry entries. The registry is maintained centrally — new products don't require code updates.

The Cross-Product Problem

Shares often traverse multiple products. Example flow:

  1. xGit splits a commit (productType: xGIT, code 0x0012)
  2. xProxy routes shares (must parse productType to route correctly)
  3. xStore distributes shares geographically (must understand K/N to validate redundancy)
  4. xVault-RAG indexes share metadata (must extract UUID for correlation)

Without a universal format, step 2 needs xGit-specific parsing. Step 3 needs xGit + xProxy dual parsing. Step 4 needs xGit + xProxy + xStore triple parsing. This compounds to O(N²) integration complexity.

Pre-xFormat Reality
Before xFormat, each ACI used custom headers: Xail had 57-byte email wrappers, Xecret used QR-specific Base45 strings with no header structure, xLink embedded shares in JSON envelopes. A gateway receiving raw bytes had no universal detection method — it had to try parsing each format until one succeeded. This "trial decoding" approach failed catastrophically when shares were corrupted or truncated.

The Old Way vs. The New Way

OLD WAY Xail xLink Xecret xGit GATEWAY 4 custom parsers trial decoding no magic detection NEW WAY (xFormat) Xail (0x01) xLink (0x04) Xecret (0x33) xGit (0x12) GATEWAY IDA5 magic peek bytes 5-6 route instantly O(N²) integration O(1) routing
Section 04

Use Cases

xFormat enables share routing across every PRIVATE.ME product without product-specific integration logic.

📧
Email
Xail Split-Channel Email
Email shares wrapped in patent-locked IDA5 text headers. Binary envelope base64-encoded inside. Gmail/Outlook route shares normally. Recipients with 2+ accounts auto-reconstruct via productType (0x0001).
Email Transport
🔗
M2M
xLink API Messages
DID-authenticated machine-to-machine messaging with xFormat-wrapped shares. APIs send binary envelopes over HTTPS. xLink extracts productType (0x0004) for routing, validates HMAC tags before reconstruction.
M2M Protocol
🎫
Physical Products
Xecret QR Code Shares
Seed phrase shares encoded as QR codes via Base45 (RFC 9285). 45% more efficient than Base64 for QR alphanumeric mode. Metal cards print threshold shares (productType: 0x0033) for physical custody.
Base45 QR
🗂️
Version Control
xGit Commit Distribution
Git commits split into K-of-N shares with xFormat envelopes (productType: 0x0012). Multi-backend distribution: Share 0 → VPS, Share 1 → EC2, Share 2 → local. Geographic fault tolerance without complex protocols.
Git Storage
🧠
AI/ML
xVault-RAG Encrypted Vectors
Vector embeddings split into shares before ChromaDB storage. Each share tagged with productType=XVAULTRAG (0x001F). Query-time reconstruction in isolated context. Zero plaintext in vector database.
RAG Security
🛡️
Enterprise Compliance
xWall Firewall Inspection
Split-path network inspection. xWall reads productType (bytes 5-6) to route shares without payload access. Compliance logs record UUID + productType + timestamp. Audit trails without plaintext exposure.
Compliance
🔄
Infrastructure
xProxy Zero-Knowledge Routing
Gateway peeks productType (O(1), zero allocation) and routes to correct backend. No HMAC validation, no payload decryption, no keys required. Routing infrastructure is untrusted — security comes from threshold splitting.
Zero-Trust
📦
Storage
xStore Multi-Cloud Distribution
Shares distributed across S3, Azure Blob, Google Cloud Storage. UUID (bytes 10-25) used as cache key. Peek operations extract UUID without full deserialization. Constant-time deduplication before storage.
Cloud Storage
Section 05

Architecture

xFormat is a 26-byte binary header followed by a variable-length payload. Magic number (IDA5) enables instant rejection. Product type (2 bytes) enables zero-knowledge routing. UUID (16 bytes) links shares from the same split.

Total header: 26 bytes. All multi-byte integers are big-endian (network byte order).

26-byte header structure
Offset  Field           Size   Type    Description
──────  ──────────────  ─────  ──────  ────────────────────────────────
0       magic           4      u8[4]   IDA5 magic: 0x49444135
4       version         1      u8      Format version (always 1)
5       productType     2      u16     Product code (0x0001-0x0036, 0xFFFF reserved)
7       n               1      u8      Total shares (2-255)
8       k               1      u8      Threshold (2 ≤ k ≤ n)
9       shareId         1      u8      Share index (1-based, 1 ≤ id ≤ n)
10      uuid            16     u8[16]  UUID v4 (links shares from same split)
──────  ──────────────  ─────  ──────  ────────────────────────────────
26      payload         var    u8[]    Raw share data (1+ bytes)
Design Decision: 26 Bytes, Not 57
Early xFormat prototypes used a 57-byte header with additional metadata fields (creation timestamp, HMAC tag, compression flags). Testing showed the extra 31 bytes added no routing value — HMAC tags belong at the application layer (XorIDA validation), timestamps belong in audit logs, compression is payload-specific. The final 26-byte design keeps routing metadata minimal and performant.

Field Details

magic (4 bytes): Always 0x49444135 ("IDA5" in ASCII). This enables instant rejection of non-xFormat data before any crypto operations. Same principle as %PDF- for PDFs or PK\x03\x04 for ZIP files.

version (1 byte): Format version. Currently always 1. Future versions will increment for breaking changes. Parsers must reject unknown versions.

productType (2 bytes): 16-bit product code from the central registry. Currently 52 registered products (0x0001-0x0036). Code 0xFFFF is reserved. Code 0x0000 means unknown/unregistered. See Appendix A6 for the full registry.

n (1 byte): Total number of shares in the K-of-N split. Range: 2-255. Must be ≥ k.

k (1 byte): Threshold parameter — minimum shares required for reconstruction. Range: 2-255. Must be ≤ n and ≥ 2. (K=1 is not information-theoretically secure.)

shareId (1 byte): Share index, 1-based. Range: 1-n. Share numbering starts at 1, not 0, per XorIDA specification.

uuid (16 bytes): UUID v4 (RFC 4122). Generated once when splitting. All shares from the same split use the same UUID. This enables correlation across routing layers without payload access.

payload (variable): Raw share bytes. Minimum 1 byte (empty payloads rejected). No maximum — limited only by transport (e.g., HTTP request size limits).

xFormat Binary Header (26 bytes) IDA5 4 bytes ver 1 byte type 2 bytes n/k/id 3 bytes UUID 16 bytes payload variable ← routing metadata (peek bytes 5-6 for instant routing)

Product Type Registry

52 registered products with sequential 16-bit codes (0x0001–0x0036). Code 0xFFFF is reserved for future use. Code 0x0000 means unknown/unregistered. Once assigned, codes are permanent — enabling forward compatibility. New products receive the next sequential code.

The registry is maintained in product-registry.ts as a TypeScript constant array. Each entry includes:

  • code: 16-bit identifier (0x0001-0x0036)
  • name: Product name in uppercase (e.g., "XLINK", "XECRET")
  • description: One-line summary
  • npm: Package name (e.g., "@private.me/agent-sdk", "@private.me/shareformat")
Example registry entries
export const PRODUCT_REGISTRY: ProductTypeEntry[] = [
  { code: 0x0001, name: 'XAIL',    description: 'Secure email client', npm: '@private.me/win' },
  { code: 0x0004, name: 'XLINK',   description: 'M2M messaging', npm: '@private.me/agent-sdk' },
  { code: 0x0012, name: 'XGIT',    description: 'Version control shares', npm: '@private.me/xgit' },
  { code: 0x0033, name: 'XECRET',  description: 'Seed phrase QR custody', npm: '@private.me/xecret' },
  // ...48 more entries (see Appendix A6 for full registry)
];

Helper functions getProductByCode() and getProductByName() provide O(1) lookups (backed by internal Map caching).

Encoding Options

xFormat supports three encoding modes for different transports:

Binary (default)
HTTPS / gRPC
Raw 26-byte header + payload
Network transport, API calls, DB storage
Most efficient (no encoding overhead)
Base45
QR Codes
RFC 9285 encoding for QR alphanumeric
45% more efficient than Base64 for QR
Used by Xecret for physical products
Text Wrapper
Email
Base64 envelope in IDA5 branded headers
Patent-locked format for Xail
Gmail/Outlook treat as regular email
Future: CBOR
Planned
RFC 8949 binary JSON alternative
For constrained IoT devices
Not yet implemented
Base45 for QR Codes
Base45 (RFC 9285) uses a 45-character alphabet optimized for QR code alphanumeric mode. QR alphanumeric mode supports 45 characters (0-9, A-Z, space, and 8 symbols). Base45 encodes 2 bytes into 3 characters (vs. Base64's 3 bytes → 4 characters). For typical share sizes (64-256 bytes), Base45 produces 15-20% smaller QR codes, reducing error correction requirements and improving scan reliability.
Section 06

Zero-Knowledge Routing

xFormat enables infrastructure to route shares without cryptographic keys, without payload understanding, and without HMAC validation. Routing layers are untrusted — security comes from threshold splitting, not from trusting proxies.

The Routing Pattern

A gateway receives unknown binary data from the network. It must route to the correct backend without understanding the payload. xFormat makes this O(1):

  1. Check magic bytes: hasXformatMagic(data) — instant rejection if first 4 bytes ≠ 0x49444135
  2. Peek product type: peekProductType(data) — extract bytes 5-6 (uint16 BE) without full parse
  3. Look up routing table: getProductByCode(code) — O(1) Map lookup returns handler name
  4. Forward to handler: Backend-specific transport (HTTP POST, message queue, etc.)

The gateway never validates HMAC tags. Never decrypts the payload. Never touches the UUID. It's a pure routing layer — trust-minimized by design.

Zero-knowledge gateway example
import { hasXformatMagic, peekProductType, getProductByCode } from '@private.me/shareformat';

async function routeShare(incomingBytes: Uint8Array) {
  // Step 1: Instant rejection (O(1), 4-byte check)
  if (!hasXformatMagic(incomingBytes)) {
    throw new Error('Not an xFormat share');
  }

  // Step 2: Peek product type (O(1), bytes 5-6)
  const code = peekProductType(incomingBytes);
  if (!code) {
    throw new Error('Buffer too short to peek productType');
  }

  // Step 3: Lookup handler (O(1), Map-backed)
  const product = getProductByCode(code);
  if (!product) {
    throw new Error(`Unknown product code: 0x${code.toString(16)}`);
  }

  // Step 4: Route to backend (no payload access)
  switch (product.name) {
    case 'XAIL':
      return await routeToEmailBackend(incomingBytes);
    case 'XLINK':
      return await routeToM2MBackend(incomingBytes);
    case 'XGIT':
      return await routeToGitBackend(incomingBytes);
    default:
      throw new Error(`No handler for ${product.name}`);
  }
}

// Backend handlers receive the full envelope, parse it, validate HMAC, reconstruct.
// The gateway never sees plaintext.

Performance Characteristics

OperationComplexityNotes
hasXformatMagic()O(1)4-byte constant-time comparison
peekProductType()O(1)Read bytes 5-6, zero allocation
getProductByCode()O(1)Map lookup (52 entries)
Full deserializeO(N)Linear in payload size (unavoidable)

Routing Flow Diagram

Incoming Share network / API Gateway (Zero Trust) 1. hasXformatMagic() 2. peekProductType() 3. route to backend Xail Backend xLink Backend xGit Backend deserialize validate HMAC reconstruct Gateway is UNTRUSTED No keys, no HMAC validation, no payload access Security comes from threshold splitting, not from trusting infrastructure Backend is TRUSTED Has keys, validates HMAC before reconstruction Full deserialization + crypto operations
Architecture Principle
xFormat enables zero-knowledge routing — the foundation of the PRIVATE.ME platform's trust model. Infrastructure (gateways, proxies, firewalls) can route shares without keys or payload understanding. Only the final recipient (who holds K shares) can reconstruct and validate. This architectural pattern scales to arbitrarily complex topologies without increasing the trusted computing base.
Section 07

Complete Flow

End-to-end example: Xail splits an email into 2-of-3 shares, sends via Gmail/Outlook/Yahoo, and the recipient reconstructs.

Step 1: Sender Creates Shares

Xail sender (TypeScript)
import { split } from '@private.me/crypto';
import { serializeEnvelope, getProductByName } from '@private.me/shareformat';
import { sendEmail } from '@private.me/transport';

// Original email message
const emailText = 'Meeting at 3pm tomorrow. Sensitive discussion.';
const emailBytes = new TextEncoder().encode(emailText);

// XorIDA threshold split (2-of-3)
const splitResult = await split(emailBytes, { k: 2, n: 3 });
if (!splitResult.ok) throw new Error('Split failed');

const shares = splitResult.value.shares; // 3 Uint8Arrays
const splitUuid = crypto.randomUUID(); // Links these 3 shares
const xailProduct = getProductByName('XAIL')!;

// Wrap each share in xFormat envelope
const envelopes = shares.map((shareData, i) => {
  const result = serializeEnvelope({
    productType: xailProduct.code,  // 0x0001
    n: 3,
    k: 2,
    shareId: i + 1,                 // 1-based indexing
    uuid: uuidToBytes(splitUuid),   // Convert UUID string to Uint8Array
    payload: shareData,
  });
  if (!result.ok) throw new Error(result.error.message);
  return result.value; // Uint8Array with 26-byte header + share payload
});

// Send envelope[0] via Gmail, envelope[1] via Outlook, envelope[2] via Yahoo
await sendEmail(envelopes[0], { provider: 'gmail', to: recipient });
await sendEmail(envelopes[1], { provider: 'outlook', to: recipient });
await sendEmail(envelopes[2], { provider: 'yahoo', to: recipient });

Step 2: Email Transport (Oblivious)

Gmail, Outlook, and Yahoo servers route the emails normally. They see base64-encoded binary blobs inside IDA5-branded text headers. The email providers cannot reconstruct because they only see 1 share each. The format looks like regular email to spam filters and content scanners.

Step 3: Recipient Receives and Reconstructs

Xail recipient (TypeScript)
import { deserializeEnvelope, hasXformatMagic } from '@private.me/shareformat';
import { reconstruct } from '@private.me/crypto';
import { fetchEmails } from '@private.me/transport';

// Fetch from all 3 email accounts
const gmailMessages = await fetchEmails('gmail');
const outlookMessages = await fetchEmails('outlook');
const yahooMessages = await fetchEmails('yahoo');

// Extract xFormat envelopes from email bodies (base64 decode + unwrap IDA5 headers)
const allEnvelopes = [
  ...extractEnvelopesFromEmail(gmailMessages),
  ...extractEnvelopesFromEmail(outlookMessages),
  ...extractEnvelopesFromEmail(yahooMessages),
];

// Filter for xFormat shares only
const xformatShares = allEnvelopes.filter(hasXformatMagic);

// Deserialize and group by UUID
const sharesByUuid = new Map<string, any[]>();
for (const envelope of xformatShares) {
  const result = deserializeEnvelope(envelope);
  if (!result.ok) continue; // Skip invalid envelopes
  
  const parsed = result.value;
  const uuidStr = bytesToUuid(parsed.uuid);
  
  if (!sharesByUuid.has(uuidStr)) {
    sharesByUuid.set(uuidStr, []);
  }
  sharesByUuid.get(uuidStr)!.push(parsed);
}

// Reconstruct each message (need K shares per UUID)
for (const [uuid, shares] of sharesByUuid) {
  if (shares.length < shares[0].k) {
    console.log(`Waiting for more shares: ${shares.length}/${shares[0].k} for UUID ${uuid}`);
    continue;
  }

  // XorIDA reconstruction (validates HMAC internally)
  const payloads = shares.map(s => s.payload);
  const indices = shares.map(s => s.shareId);
  const reconstructResult = await reconstruct(payloads, { indices, k: shares[0].k });
  
  if (!reconstructResult.ok) {
    console.error(`Reconstruction failed for ${uuid}: ${reconstructResult.error}`);
    continue;
  }

  const emailBytes = reconstructResult.value;
  const emailText = new TextDecoder().decode(emailBytes);
  console.log(`Reconstructed email: ${emailText}`);
}

Flow Diagram

SENDER split(2-of-3) serialize() share 1 share 2 share 3 EMAIL PROVIDERS Gmail Outlook Yahoo RECIPIENT share 1 share 2 deserialize() reconstruct() Each sees 1 share only Cannot reconstruct
Section 08

Integration

Four lines of code to serialize a share. Three lines to deserialize. Zero configuration.

Installation
npm install @private.me/shareformat
Basic usage
import {
  serializeEnvelope,
  deserializeEnvelope,
  hasXformatMagic,
  getProductByName,
} from '@private.me/shareformat';

// Get product type code from registry
const xlink = getProductByName('XLINK')!;
console.log(xlink.code); // 0x0004

// Serialize a share envelope
const result = serializeEnvelope({
  productType: xlink.code,
  n: 3,                           // 3 total shares
  k: 2,                           // 2-of-3 threshold
  shareId: 1,                      // Share index (1-based)
  uuid: crypto.randomUUID(),       // Generate once, use for all shares
  payload: shareData,              // Raw share bytes
});

if (result.ok) {
  const envelope = result.value; // Uint8Array with 26-byte header

  // Fast detection before parsing
  if (hasXformatMagic(envelope)) {
    console.log('Valid xFormat share');
  }

  // Full deserialization
  const parsed = deserializeEnvelope(envelope);
  if (parsed.ok) {
    console.log(parsed.value.productType); // 0x0004
    console.log(parsed.value.n);           // 3
    console.log(parsed.value.k);           // 2
    console.log(parsed.value.shareId);     // 1
    console.log(parsed.value.payload);     // Original share data
  }
}
Routing example
import { peekProductType, getProductByCode } from '@private.me/shareformat';

// Gateway receives unknown binary data
const incomingBytes = await receiveFromNetwork();

// Peek product type (O(1), no allocation)
const code = peekProductType(incomingBytes);
if (!code) {
  throw new Error('Not an xFormat envelope');
}

// Route to correct handler
const product = getProductByCode(code);
switch (product?.name) {
  case 'XAIL':
    await routeToEmailHandler(incomingBytes);
    break;
  case 'XLINK':
    await routeToM2MHandler(incomingBytes);
    break;
  case 'XECRET':
    await routeToQRHandler(incomingBytes);
    break;
  default:
    throw new Error(`Unknown product: ${product?.name}`);
}
QR code encoding (Base45)
import { encodeBase45, decodeBase45 } from '@private.me/shareformat';

// Binary envelope → Base45 string for QR code
const envelope = serializeEnvelope({ /* ... */ });
const qrString = encodeBase45(envelope.value);

// Generate QR code from string
const qrCode = await generateQR(qrString);

// Scan QR → decode Base45 → deserialize envelope
const scannedString = await scanQR();
const decoded = decodeBase45(scannedString);
if (decoded.ok) {
  const envelope = deserializeEnvelope(decoded.value);
  // Process share...
}

API Reference

serializeEnvelope(opts: SerializeOptions): Result<Uint8Array, FormatError>
Serialize share metadata and payload into a 26-byte header + payload binary envelope. Validates all fields before serialization. Returns Ok(Uint8Array) or Err(FormatError).
deserializeEnvelope(data: Uint8Array): Result<ShareEnvelope, FormatError>
Parse a binary envelope into structured metadata. Validates magic number (0x49444135), version (1), productType (not 0xFFFF), n/k/shareId ranges. Returns Ok(ShareEnvelope) or Err(FormatError).
hasXformatMagic(data: Uint8Array): boolean
Fast check: does this buffer start with the IDA5 magic number? Returns true if first 4 bytes are 0x49444135. Use as rejection filter before full deserialization.
peekProductType(data: Uint8Array): number | undefined
Extract productType (bytes 5-6) without full parsing. O(1), zero allocation. Returns uint16 code or undefined if buffer too short. Use for routing decisions.
peekShareParams(data: Uint8Array): {n, k, shareId} | undefined
Extract n/k/shareId (bytes 7-9) without full parsing. O(1), zero allocation. Returns params object or undefined if buffer too short. Use for deduplication.
getProductByCode(code: number): ProductTypeEntry | undefined
Look up a product by its numeric type code. Returns entry with {code, name, description, npm} or undefined if not registered.
getProductByName(name: string): ProductTypeEntry | undefined
Look up a product by name (e.g., 'XLINK'). Case-sensitive, uppercase. Returns entry or undefined if not registered.
encodeBase45(data: Uint8Array): string
Encode binary to Base45 string (RFC 9285). Optimized for QR code alphanumeric mode. 45% more efficient than Base64 for QR codes.
decodeBase45(input: string): Result<Uint8Array, Base45Error>
Decode Base45 string to binary. Validates character set before decoding. Returns Ok(Uint8Array) or Err(Base45Error).
Section 09

Security

xFormat is a routing layer, not a cryptographic primitive. Security comes from XorIDA threshold splitting and application-layer HMAC validation, not from envelope encryption.

Threat Model

In scope: xFormat protects against format confusion (magic number validation), product routing errors (type registry), and share correlation attacks (UUID linking). It provides integrity checking via application-layer HMAC.

Out of scope: xFormat does NOT encrypt the header. The 26-byte header is readable by routing infrastructure. An attacker who sees one share can read: productType, K/N parameters, shareId, UUID. This is intentional — zero-knowledge routing requires readable metadata.

Adversary model: We assume an adversary can compromise any single routing layer (gateway, proxy, firewall) and observe shares passing through. The adversary CANNOT compromise all K routing paths simultaneously (cross-channel security assumption).

Security Properties

PropertyMechanismGuarantee
Format detectionIDA5 magic (0x49444135)Instant 4-byte ID
IntegrityApplication-layer HMAC-SHA256Per-share verification
Product routing2-byte type registryUniversal zero-knowledge routing
Threshold encodingK/N header bytesSelf-describing shares
Share linkingUUID (16 bytes)Cross-share correlation
Replay protectionApplication-layer nonce validationHandled by XorIDA + product
Header encryptionNoneHeaders are plaintext (by design)
Payload encryptionProduct-specificXail/xLink add AES layer

Layered Security Model

xFormat follows a layered security architecture:

  1. Envelope layer (xFormat): Detection and routing only. Headers are plaintext.
  2. Application layer (XorIDA): Information-theoretic security via threshold splitting. HMAC-SHA256 integrity verification. Each product computes per-share HMAC tags and validates before reconstruction.
  3. Product layer (optional): Some products add an additional encryption layer. Xail and xLink wrap payloads in AES-256-GCM before splitting. This provides confidentiality even if K shares are collected but decryption keys are not known.
IMPORTANT: Headers Are Plaintext
The 26-byte xFormat header is NOT encrypted. An attacker observing a share can read: productType (which ACI created this), K/N (threshold parameters), shareId (which share number), and UUID (which split this came from). This is necessary for zero-knowledge routing. Security comes from XorIDA splitting — an attacker with fewer than K shares learns NOTHING about the payload (information-theoretically secure, not just computationally hard).

HMAC Validation Workflow

xFormat does NOT include HMAC tags in the envelope. HMAC validation happens at the application layer (XorIDA reconstruction). Each product follows this pattern:

  1. Split time: Compute HMAC-SHA256(shareData) for each share. Store HMAC tags separately (not in xFormat envelope).
  2. Route time: xFormat envelopes route via gateways. Gateways never validate HMAC (they don't have the tags).
  3. Reconstruct time: Recipient collects K shares, extracts payloads from xFormat envelopes, validates HMAC tags, then reconstructs via XorIDA.

This separation enables zero-trust routing — gateways route shares without cryptographic keys or HMAC validation capability.

26
Byte Header
IDA5
Magic Number
52
Registered Products
346
Tests
0
External Deps
Section 10

Benchmarks

Performance characteristics measured on Node.js 22, Apple M2. xFormat serialization is near-instant — the format adds negligible overhead to any pipeline.

<10µs
Serialize
<10µs
Deserialize
<1µs
Magic Check
0
External Deps
OperationTimeNotes
Serialize 64B share<10µs26-byte header + payload copy
Serialize 1KB share<20µsLinear scaling with payload size
Serialize 1MB share~1msDominated by payload copy
Deserialize 64B share<10µsMagic check + header parse + validation
Deserialize 1KB share<15µsLinear scaling with payload size
hasXformatMagic()<1µs4-byte constant-time comparison
peekProductType()<2µsExtract bytes 5-6 (uint16 BE)
peekShareParams()<3µsExtract bytes 7-9 (n/k/shareId)
getProductByCode()<1µsMap lookup (52 entries, cached)
Base45 encode 100B<15µsRFC 9285 encoding for QR codes
Base45 decode 100B<18µsCharacter validation + decoding

Format Overhead Comparison

Format1KB Payload OverheadParse TimeSchema Required?
JSON envelope~200 bytes (20%)~50µsNo
Protocol Buffers~10 bytes (1%)~15µsYes (.proto file)
MessagePack~15 bytes (1.5%)~20µsNo
xFormat26 bytes (2.6%)<10µsNo

Throughput (Shares per Second)

Measured on a single core, Node.js 22, Apple M2. No I/O, pure CPU:

Share SizeSerializeDeserializeRound-Trip
64 bytes~100,000/sec~100,000/sec~50,000/sec
1KB~50,000/sec~66,000/sec~33,000/sec
10KB~10,000/sec~15,000/sec~7,000/sec
1MB~1,000/sec~1,500/sec~700/sec
Zero-dependency design
xFormat has ZERO runtime dependencies. No serialization libraries, no crypto libraries, no polyfills. The binary format is pure TypeScript with DataView for multi-byte integers. Base45 encoding is a self-contained 100-line implementation of RFC 9285. This eliminates supply chain risk and ensures the format works identically across Node.js, Deno, Bun, and browsers.
Section 11

Honest Limitations

No system is perfect. Here's what xFormat doesn't do, and why that's okay.

1. Headers Are Plaintext

The 26-byte header is NOT encrypted. An observer can see: productType, K/N, shareId, UUID. This is necessary for zero-knowledge routing. If headers were encrypted, gateways would need decryption keys — defeating the trust-minimized architecture.

Mitigation: Security comes from XorIDA threshold splitting, not header encryption. An attacker with <K shares learns nothing about the payload (information-theoretically secure).

2. No Replay Protection in Format

xFormat does not include timestamps or nonces in the envelope. Replay protection is handled at the application layer (XorIDA + product-specific nonce stores).

Mitigation: Products like xLink include nonce validation. Xail uses message-ID deduplication. xGit uses commit hashes. Each product implements replay protection appropriate to its threat model.

3. No Versioning Beyond Version Byte

xFormat has a 1-byte version field (currently always 1). Future breaking changes will increment this byte, but parsers must reject unknown versions. There's no forward compatibility negotiation.

Mitigation: Breaking changes are rare (format has been stable for 18 months). When they happen, deployments must coordinate upgrades. Alternatively, new products can receive new productType codes instead of changing the format.

4. 255-Share Limit

The n and k fields are 1 byte each, limiting shares to 2-255. This is a deliberate design choice — XorIDA performance degrades significantly beyond N=10 shares.

Mitigation: Typical deployments use 2-of-2, 2-of-3, or 3-of-5. The 255 limit is theoretical; practical deployments never approach it.

5. No Compression Flag

xFormat does not indicate whether the payload is compressed. Products must handle compression independently.

Mitigation: Compression is payload-specific. XorIDA splitting produces incompressible shares (high entropy). Products compress before splitting if beneficial.

6. UUID Collision (Theoretical)

UUID v4 has a collision probability of ~2.7×10⁻¹⁸ for 1 billion UUIDs. If two splits accidentally use the same UUID, shares could be mis-correlated.

Mitigation: Collision probability is astronomically low. Products generate UUIDs via crypto.randomUUID() (cryptographically secure RNG). In practice, this is a non-issue.

7. No Built-In Encryption

xFormat is a routing envelope, not an encryption format. It does not provide confidentiality beyond what XorIDA threshold splitting offers.

Mitigation: Products add encryption layers as needed. Xail and xLink wrap payloads in AES-256-GCM before splitting. xGit uses content-addressed storage with optional encryption. xFormat enables routing; products provide confidentiality.

When NOT to use xFormat
Advanced Reference

Implementation Details

Deep-dive into error handling, peek operations, Base45 encoding, validation rules, full API surface, product registry, and codebase statistics.

Appendix A1

Error Hierarchy

Typed error classes for structured error handling. Supplementary to the Result<T,E> string code pattern.

Error class hierarchy
FormatError                   // Base class (code, message, hint, field, docs)
  ├── ValidationError          // Magic number, version, productType validation
  ├── RangeError               // n/k/shareId out of range
  ├── Base45Error              // Base45 encoding/decoding failures
  └── BufferError              // Buffer too short, payload empty

Error Code Reference

CodeCategoryWhen
INVALID_MAGICValidationFirst 4 bytes ≠ 0x49444135
INVALID_VERSIONValidationVersion byte ≠ 1
INVALID_PRODUCT_TYPEValidationproductType = 0xFFFF (reserved)
INVALID_NRangen < 2 or n > 255
INVALID_KRangek < 2, k > n, or k > 255
INVALID_SHARE_IDRangeshareId < 1 or shareId > n
BUFFER_TOO_SHORTBufferBuffer < 27 bytes (header + 1 byte payload)
PAYLOAD_EMPTYBufferPayload length = 0 (header only)
INVALID_UUIDValidationUUID field not exactly 16 bytes
BASE45_INVALID_CHARBase45Input contains non-Base45 character
BASE45_DECODE_FAILEDBase45Decoding logic error (malformed input)
SERIALIZE_FAILEDGenericCatchall for serialization errors
DESERIALIZE_FAILEDGenericCatchall for deserialization errors
Using error details
const result = deserializeEnvelope(data);
if (!result.ok) {
  const err = result.error;
  
  console.error(`[${err.code}] ${err.message}`);
  // [INVALID_MAGIC] Expected IDA5 magic bytes 0x49444135
  
  if (err.hint) {
    console.log(`💡 ${err.hint}`);
    // 💡 Check that this is an xFormat share, not raw XorIDA output
  }
  
  if (err.field) {
    console.log(`Field: ${err.field}`);
    // Field: magic
  }
  
  if (err.docs) {
    console.log(`Docs: ${err.docs}`);
    // Docs: https://xail.io/docs/packages/xformat#header
  }
}
Appendix A2

Peek Operations

Constant-time extraction functions for routing decisions without full deserialization.

Peek operations read specific header bytes without validating the entire envelope. They're designed for high-throughput gateways that need to make routing decisions on thousands of shares per second.

Performance Characteristics

OperationComplexityAllocationsUse Case
peekProductType()O(1)0Gateway routing
peekShareParams()O(1)0Deduplication, cache keys
peekUuid()O(1)1 (Uint8Array slice)Share correlation
Full deserializeO(N)2+ (header + payload copies)Final validation
peekProductType() implementation
export function peekProductType(data: Uint8Array): number | undefined {
  if (data.length < 7) return undefined; // Need at least 7 bytes (magic + version + type)
  
  // Extract bytes 5-6 as big-endian uint16
  return (data[5] << 8) | data[6];
}
peekShareParams() implementation
export function peekShareParams(data: Uint8Array): { n: number; k: number; shareId: number } | undefined {
  if (data.length < 10) return undefined; // Need bytes 7-9
  
  return {
    n: data[7],       // Byte 7: total shares
    k: data[8],       // Byte 8: threshold
    shareId: data[9], // Byte 9: share index
  };
}

Routing Example with Peek

High-throughput gateway
async function routeShareBatch(shares: Uint8Array[]) {
  const routeMap = new Map<string, Uint8Array[]>();
  
  for (const share of shares) {
    // O(1) peek, zero allocation
    const code = peekProductType(share);
    if (!code) continue;
    
    const product = getProductByCode(code);
    if (!product) continue;
    
    if (!routeMap.has(product.name)) {
      routeMap.set(product.name, []);
    }
    routeMap.get(product.name)!.push(share);
  }
  
  // Batch forward to backends
  await Promise.all(
    Array.from(routeMap).map(([name, batch]) =>
      forwardToBackend(name, batch)
    )
  );
}
Appendix A3

Base45 QR Code Encoding

RFC 9285 encoding optimized for QR code alphanumeric mode. 45% more space-efficient than Base64 for QR codes.

Why Base45?

QR codes have an alphanumeric mode that supports 45 characters: 0-9 A-Z $%*+-./:space. Base64 uses 64 characters, forcing QR codes into binary mode (less efficient). Base45 uses only the 45 alphanumeric-mode characters, reducing QR code size by ~15-20% for typical payloads.

Encoding Algorithm

Base45 encodes 2 bytes into 3 characters (vs. Base64's 3 bytes → 4 characters). Algorithm:

  1. Read 2 bytes from input (or 1 byte if last byte is odd)
  2. Treat as uint16 (big-endian): value = (byte1 << 8) | byte2
  3. Encode as base-45 number:
    • c = value % 45
    • d = ((value - c) / 45) % 45
    • e = (value - c - d*45) / (45*45)
  4. Output characters: ALPHABET[c] + ALPHABET[d] + ALPHABET[e]
  5. If input was 1 byte (odd length), output only 2 characters (omit e)
Base45 alphabet (RFC 9285)
const BASE45_ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:';
// 45 characters total (QR alphanumeric mode)

Size Comparison

Payload SizeBase64Base45Improvement
64 bytes (typical share)88 chars77 chars12.5% smaller
256 bytes (Xecret seed)344 chars308 chars10.5% smaller
1KB1,368 chars1,232 chars10% smaller
QR Code Density
Smaller character count = higher QR code density = faster scanning. For Xecret metal cards (256-byte seed phrases), Base45 reduces QR code from Version 10 to Version 9, improving scan reliability on damaged/worn surfaces.

Usage

QR code workflow
import { serializeEnvelope, encodeBase45, decodeBase45 } from '@private.me/shareformat';
import QRCode from 'qrcode';

// Create xFormat envelope
const envelope = serializeEnvelope({ /* ... */ });
if (!envelope.ok) throw new Error(envelope.error.message);

// Encode to Base45
const base45String = encodeBase45(envelope.value);

// Generate QR code (alphanumeric mode automatically selected)
const qrDataUrl = await QRCode.toDataURL(base45String);

// Display QR code...


// Scanning side:
const scannedString = await scanQR(); // Get from QR scanner

// Decode Base45 → binary
const decoded = decodeBase45(scannedString);
if (!decoded.ok) throw new Error(decoded.error.message);

// Deserialize xFormat envelope
const parsed = deserializeEnvelope(decoded.value);
if (!parsed.ok) throw new Error(parsed.error.message);

// Process share...
console.log(parsed.value.productType, parsed.value.payload);
Appendix A4

Validation Rules

Comprehensive validation logic for serialization and deserialization.

Serialization Validation

serializeEnvelope() validates inputs before creating the binary envelope:

FieldValidation RuleError Code
productTypeMust be 0x0001-0xFFFE (not 0xFFFF)INVALID_PRODUCT_TYPE
nMust be 2-255INVALID_N
kMust be 2 ≤ k ≤ n ≤ 255INVALID_K
shareIdMust be 1 ≤ shareId ≤ nINVALID_SHARE_ID
uuidMust be exactly 16 bytes (Uint8Array)INVALID_UUID
payloadMust be ≥ 1 byte (not empty)PAYLOAD_EMPTY

Deserialization Validation

deserializeEnvelope() validates the binary envelope before returning parsed data:

Byte(s)FieldValidation RuleError Code
0Buffer lengthMust be ≥ 27 (header + 1 byte payload)BUFFER_TOO_SHORT
0-3magicMust equal 0x49444135 ("IDA5")INVALID_MAGIC
4versionMust equal 1INVALID_VERSION
5-6productTypeMust not equal 0xFFFF (reserved)INVALID_PRODUCT_TYPE
7nMust be 2-255INVALID_N
8kMust be 2 ≤ k ≤ nINVALID_K
9shareIdMust be 1 ≤ shareId ≤ nINVALID_SHARE_ID
10-25uuidExtracted as 16-byte Uint8Array (no validation)-
26+payloadMust be ≥ 1 byte (length checked at offset 0)PAYLOAD_EMPTY

Validation Code Example

Validation logic excerpt
function validateHeader(data: Uint8Array): Result<void, FormatError> {
  // Check minimum length
  if (data.length < 27) {
    return err({
      code: 'BUFFER_TOO_SHORT',
      message: 'Buffer must be at least 27 bytes (26-byte header + 1-byte payload)',
      hint: 'Received truncated envelope or corrupted data',
      field: 'buffer',
    });
  }

  // Check magic number
  const magic = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
  if (magic !== 0x49444135) {
    return err({
      code: 'INVALID_MAGIC',
      message: `Expected IDA5 magic bytes 0x49444135, got 0x${magic.toString(16)}`,
      hint: 'Check that this is an xFormat share, not raw XorIDA output',
      field: 'magic',
    });
  }

  // Check version
  if (data[4] !== 1) {
    return err({
      code: 'INVALID_VERSION',
      message: `Unsupported version: ${data[4]}`,
      hint: 'This parser supports xFormat v1 only',
      field: 'version',
    });
  }

  // Check K ≤ N
  const n = data[7];
  const k = data[8];
  if (k > n) {
    return err({
      code: 'INVALID_K',
      message: `K (${k}) must be ≤ N (${n})`,
      hint: 'Threshold cannot exceed total shares',
      field: 'k',
    });
  }

  return ok(undefined);
}
Appendix A5

Full API Surface

Complete public API reference for @private.me/shareformat.

Core Functions

serializeEnvelope(opts: SerializeOptions): Result<Uint8Array, FormatError>
Create a binary xFormat envelope from metadata + payload. Validates all fields, writes 26-byte header, appends payload.
  • opts.productType: 16-bit product code (0x0001-0xFFFE)
  • opts.n: Total shares (2-255)
  • opts.k: Threshold (2 ≤ k ≤ n)
  • opts.shareId: Share index (1-based, 1 ≤ id ≤ n)
  • opts.uuid: UUID v4 as Uint8Array[16]
  • opts.payload: Raw share bytes (≥ 1 byte)
deserializeEnvelope(data: Uint8Array): Result<ShareEnvelope, FormatError>
Parse binary envelope into structured metadata. Validates magic, version, ranges. Returns:
  • productType: uint16
  • n, k, shareId: uint8
  • uuid: Uint8Array[16]
  • payload: Uint8Array (remaining bytes after header)

Fast Detection

hasXformatMagic(data: Uint8Array): boolean
Instant rejection filter. Returns true if first 4 bytes are 0x49444135. Use before expensive parsing operations.

Peek Operations (O(1))

peekProductType(data: Uint8Array): number | undefined
Extract bytes 5-6 as uint16 BE. Zero allocation. Returns undefined if buffer < 7 bytes.
peekShareParams(data: Uint8Array): {n, k, shareId} | undefined
Extract bytes 7-9 as {n, k, shareId}. Zero allocation. Returns undefined if buffer < 10 bytes.
peekUuid(data: Uint8Array): Uint8Array | undefined
Extract bytes 10-25 as Uint8Array[16]. One allocation (slice). Returns undefined if buffer < 26 bytes.

Product Registry

getProductByCode(code: number): ProductTypeEntry | undefined
O(1) Map lookup by numeric code. Returns {code, name, description, npm} or undefined.
getProductByName(name: string): ProductTypeEntry | undefined
O(1) Map lookup by uppercase name (e.g., 'XLINK'). Case-sensitive.
getAllProducts(): ProductTypeEntry[]
Returns all 52 registered products. Useful for building UI selectors or documentation.

Base45 Encoding (QR Codes)

encodeBase45(data: Uint8Array): string
RFC 9285 encoding. 2 bytes → 3 characters. Alphabet: 0-9 A-Z $%*+-./: (45 chars for QR alphanumeric mode).
decodeBase45(input: string): Result<Uint8Array, Base45Error>
RFC 9285 decoding. Validates character set before decoding. Returns Ok(Uint8Array) or Err(Base45Error).

Utility Helpers

uuidToBytes(uuid: string): Uint8Array
Convert UUID string (e.g., "123e4567-e89b-12d3-a456-426614174000") to Uint8Array[16]. Strips hyphens.
bytesToUuid(bytes: Uint8Array): string
Convert Uint8Array[16] to hyphenated UUID string. Inverse of uuidToBytes().
Appendix A6

Product Registry (52 Products)

Complete registry of 52 product type codes. Once assigned, codes are permanent.

CodeNameDescriptionPackage
0x0001XAILSecure email client@private.me/win
0x0002XAFERansomware-proof backup@private.me/xafe
0x0003XREDACTAI inference proxy@private.me/xredact
0x0004XLINKM2M messaging@private.me/agent-sdk
0x0005AUTHORIZEK-of-N authorization@private.me/authorize
0x0006XVAULTDBEncrypted database@private.me/xvaultdb
0x0007DEADDROPShare custody@private.me/deaddrop
0x0008XSWAPAtomic exchange@private.me/xswap
0x0009XGATERate limiting@private.me/xgate
0x000ATRUST_REGISTRYDID trust store@private.me/agent-sdk
0x000BXPASSConnection billing@private.me/xpass
0x000CXLOCKPush authentication@private.me/xlock
0x000DKEYCEREMONYThreshold key generation@private.me/keyceremony
0x000EXCHANGELow-latency key transport@private.me/xchange
0x000FXSHIELDNetwork traffic shielding@private.me/xshield
0x0010AUDITLOGTamper-proof logging@private.me/auditlog
0x0011XPROVEVerifiable computation@private.me/xprove
0x0012XGITVersion control shares@private.me/xgit
0x0013XWALLETCredential infrastructure@private.me/xwallet
0x0014XIDDigital identity@private.me/xid
0x0015XGHOSTEphemeral algorithm protection@private.me/xghost
0x0016XFUSEThreshold identity fusion@private.me/xfuse
0x0017XSTOREUniversal split-storage@private.me/xstore
0x0018XBOOTServer code integrity@private.me/xboot
0x0019XCOMPUTEMPC on shares@private.me/xcompute
0x001ASECUREINGESTSplit-channel data ingestion@private.me/secureingest
0x001BXPROXYZero-knowledge routing proxy@private.me/xproxy
0x001CXWALLSplit-path firewall@private.me/xwall
0x001DXLIENDocument lien registry@private.me/xlien
0x001EXQUORUMGovernance voting@private.me/xquorum
0x001FXVAULTRAGEncrypted RAG vectors@private.me/xvault-rag
0x0020XTOKENDigital bearer assets@private.me/xtoken
0x0021XSENTINELIntrusion detection@private.me/xsentinel
0x0022XLEOLaw enforcement escrow@private.me/xleo
0x0023XCROSSCross-border settlement@private.me/xcross
0x0024XLEDGERAudit trail ledger@private.me/xledger
0x0025XLINEAGEData provenance@private.me/xlineage
0x0026XTRADEExchange settlement@private.me/xtrade
0x0027XSWAP2Atomic swap v2@private.me/xswap
0x0028XDISCLOSEControlled disclosure@private.me/xdisclose
0x0029XMICROPAYMicropayments@private.me/xmicropay
0x002AXMARKDigital watermarking@private.me/xmark
0x002BXFEDERATEFederated learning@private.me/xfederate
0x002CXOPENBANKOpen Banking PSD3@private.me/xopenbank
0x002DXHEDGERisk hedging@private.me/xhedge
0x002EXMETERSmart grid metering@private.me/xmeter
0x002FXORBITSatellite telemetry@private.me/xorbit
0x0030XNOISEDifferential privacy@private.me/xnoise
0x0031XLAWLegal contracts@private.me/xlaw
0x0032XMEMORYHardware-backed attestation@private.me/xmemory
0x0033XECRETSeed phrase QR custody@private.me/xecret
0x0034SHAREFORMATUniversal envelope (this package)@private.me/shareformat
0x0035CRYPTOXorIDA threshold sharing@private.me/crypto
0x0036RESERVEDReserved for future allocation-

Code 0xFFFF: Reserved and will never be assigned. Parsers must reject productType=0xFFFF.

Code 0x0000: Unregistered/unknown product. Not used in production but accepted by parsers for forward compatibility.

Appendix A7

Codebase Stats

Package structure, test coverage, and code metrics.

Package Structure

ModuleFilesLinesPurpose
serialize.ts1~120Binary envelope serialization
deserialize.ts1~140Binary envelope parsing + validation
product-registry.ts1~35052-product type registry + lookups
base45.ts1~100RFC 9285 Base45 encoding/decoding
errors.ts1~80Error types + code constants
types.ts1~60TypeScript interfaces
utils.ts1~40UUID conversion helpers
index.ts1~30Barrel exports
8
Source Files
~920
Source LOC
346
Tests
0
Dependencies

Test Coverage

ModuleTestsCoverageKey Test Areas
serialize.ts68100%Field validation, edge cases, buffer overflow
deserialize.ts82100%Magic validation, range checks, truncated buffers
product-registry.ts42100%52-product lookup, code uniqueness, caching
base45.ts54100%RFC 9285 compliance, invalid chars, odd-length input
errors.ts28100%Error detail structure, code constants
utils.ts24100%UUID conversion round-trips
peek.ts48100%O(1) extraction, buffer boundary checks

Dependencies

Runtime: ZERO. No npm packages required. Pure TypeScript with Web Crypto API assumptions (built into all modern runtimes).

Dev dependencies: vitest (testing), typescript (compiler), eslint + prettier (linting).

Zero-dependency philosophy
xFormat has zero runtime dependencies to minimize supply chain risk and ensure universal compatibility. The binary format uses only DataView (built-in). Base45 encoding is a self-contained RFC 9285 implementation. No crypto libraries needed — xFormat is a routing layer, not a cryptographic primitive.

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

  • Zero infrastructure setup
  • Automatic updates
  • 99.9% uptime SLA
  • Enterprise SLA available
View Pricing →
📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

  • npm install @private.me/xformat
  • TypeScript/JavaScript SDK
  • Full source access
  • Enterprise support available
Get Started →
🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

  • Complete data sovereignty
  • Air-gap capable deployment
  • Custom SLA + dedicated support
  • Professional services included
Request Quote →

Enterprise On-Premise Deployment

While Xformat is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →

Other Requirements? Need white-label deployment or custom integration? Contact our enterprise team →