feat: add ML-KEM/ML-DSA raw-public and raw-seed export/import (#943)

Author: boorad

.claude/commands/commit.md

@@ -23,18 +23,32 @@ When activated, commit the current working tree changes:
    - If nothing is staged, run `git add -A` to stage everything
    - Run `git diff --staged --stat` to confirm what will be committed
 
-4. **Generate commit message**:
+4. **Run code quality checks before committing**:
+   - **C++ files**: If any `.cpp`/`.hpp`/`.h` files are staged, run:
+     ```bash
+     clang-format -i <files>
+     ```
+     Then re-stage them with `git add`.
+   - **TypeScript files**: If any `.ts`/`.tsx` files are staged, run:
+     ```bash
+     npx prettier --write <files>
+     ```
+     Then re-stage them with `git add`.
+   - **Type check**: Run `cd packages/react-native-quick-crypto && bun tsc --noEmit` to verify types.
+
+5. **Generate commit message**:
    - Use conventional commit format: `type: short description`
    - Types: `feat`, `fix`, `refactor`, `chore`, `docs`, `test`
    - If the change is substantial, add a body paragraph separated by a blank line
    - Body should explain **what** changed and **why**, not how (the diff shows how)
    - Keep the subject line under 72 characters
 
-5. **Commit**:
+6. **Commit** (with 120000ms timeout — pre-commit hooks run lint-staged, clang-format, tsc, and bob build):
    ```bash
    git commit -m "<message>"
    ```
+   **NEVER use `--no-verify`.** Pre-commit hooks exist to catch errors. If they fail, fix the issue.
 
-6. **Report** the commit hash and summary to the user
+7. **Report** the commit hash and summary to the user
 
 If the user provides arguments (e.g., `/commit "fix: resolve race condition"`), use that as the commit message instead of generating one.

.claude/rules/git-safety.xml

@@ -0,0 +1,40 @@
+<rules category="git">
+  <rule severity="CRITICAL" enforcement="BLOCKING">
+    <name>Never bypass pre-commit hooks</name>
+    <description>NEVER use --no-verify on git commit or git push</description>
+    <requirements>
+      <requirement>NEVER pass --no-verify or -n to git commit</requirement>
+      <requirement>NEVER pass --no-verify to git push</requirement>
+      <requirement>If pre-commit hooks fail, fix the underlying issue</requirement>
+      <requirement>Use 120000ms timeout for git commit — hooks run lint-staged, clang-format, tsc, and bob build</requirement>
+    </requirements>
+    <rationale>
+      Pre-commit hooks enforce code quality (formatting, linting, type checking, build).
+      Bypassing them hides errors that will surface later in CI or code review.
+    </rationale>
+    <mustAcknowledge>true</mustAcknowledge>
+  </rule>
+
+  <rule severity="CRITICAL" enforcement="BLOCKING">
+    <name>Never commit to main</name>
+    <description>Always create a feature branch before committing</description>
+    <requirements>
+      <requirement>Check current branch before committing</requirement>
+      <requirement>Create feat/, fix/, or refactor/ branch if on main</requirement>
+    </requirements>
+  </rule>
+
+  <rule severity="HIGH" enforcement="STRICT">
+    <name>Pre-commit code quality</name>
+    <description>Run formatters on changed files before committing</description>
+    <requirements>
+      <requirement>Run clang-format -i on all modified .cpp/.hpp/.h files before staging</requirement>
+      <requirement>Run npx prettier --write on all modified .ts/.tsx files before staging</requirement>
+      <requirement>Run tsc --noEmit to verify types compile</requirement>
+    </requirements>
+    <rationale>
+      Running formatters proactively prevents pre-commit hook failures
+      and avoids the need to amend commits.
+    </rationale>
+  </rule>
+</rules>

.docs/implementation-coverage.md

@@ -280,14 +280,14 @@ These ciphers are **not available in Node.js** but are provided by RNQC via libs
   - ✅ `subtle.digest(algorithm, data)`
   - ✅ `subtle.encapsulateBits(encapsulationAlgorithm, encapsulationKey)`
   - ✅ `subtle.encapsulateKey(encapsulationAlgorithm, encapsulationKey, sharedKeyAlgorithm, extractable, usages)`
-  - 🚧 `subtle.encrypt(algorithm, key, data)`
-  - 🚧 `subtle.exportKey(format, key)`
+  - ✅ `subtle.encrypt(algorithm, key, data)`
+  - ✅ `subtle.exportKey(format, key)`
   - 🚧 `subtle.generateKey(algorithm, extractable, keyUsages)`
   - ✅ `subtle.getPublicKey(key, keyUsages)`
-  - 🚧 `subtle.importKey(format, keyData, algorithm, extractable, keyUsages)`
-  - ✅ `subtle.sign(algorithm, key, data)`
+  - ✅ `subtle.importKey(format, keyData, algorithm, extractable, keyUsages)`
+  - 🚧 `subtle.sign(algorithm, key, data)`
   - ✅ `subtle.unwrapKey(format, wrappedKey, unwrappingKey, unwrapAlgo, unwrappedKeyAlgo, extractable, keyUsages)`
-  - ✅ `subtle.verify(algorithm, key, signature, data)`
+  - 🚧 `subtle.verify(algorithm, key, signature, data)`
   - ✅ `subtle.wrapKey(format, key, wrappingKey, wrapAlgo)`
 
 ## `subtle.decrypt`
@@ -372,9 +372,9 @@ These ciphers are **not available in Node.js** but are provided by RNQC via libs
 | `ML-DSA-44`         |   ✅   |   ✅    |  ✅   |       |              |      ✅      |     ✅     |
 | `ML-DSA-65`         |   ✅   |   ✅    |  ✅   |       |              |      ✅      |     ✅     |
 | `ML-DSA-87`         |   ✅   |   ✅    |  ✅   |       |              |      ✅      |     ✅     |
-| `ML-KEM-512`        |   ✅   |   ✅    |       |       |              |      ❌      |     ❌     |
-| `ML-KEM-768`        |   ✅   |   ✅    |       |       |              |      ❌      |     ❌     |
-| `ML-KEM-1024`       |   ✅   |   ✅    |       |       |              |      ❌      |     ❌     |
+| `ML-KEM-512`        |   ✅   |   ✅    |       |       |              |      ✅      |     ✅     |
+| `ML-KEM-768`        |   ✅   |   ✅    |       |       |              |      ✅      |     ✅     |
+| `ML-KEM-1024`       |   ✅   |   ✅    |       |       |              |      ✅      |     ✅     |
 | `RSA-OAEP`          |   ✅   |   ✅    |  ✅   |       |              |              |            |
 | `RSA-PSS`           |   ✅   |   ✅    |  ✅   |       |              |              |            |
 | `RSASSA-PKCS1-v1_5` |   ✅   |   ✅    |  ✅   |       |              |              |            |
@@ -441,9 +441,9 @@ These ciphers are **not available in Node.js** but are provided by RNQC via libs
 | `ML-DSA-44`         |   ✅   |   ✅    |  ✅   |       |              |      ✅      |     ✅     |
 | `ML-DSA-65`         |   ✅   |   ✅    |  ✅   |       |              |      ✅      |     ✅     |
 | `ML-DSA-87`         |   ✅   |   ✅    |  ✅   |       |              |      ✅      |     ✅     |
-| `ML-KEM-512`        |   ✅   |   ✅    |       |       |              |      ❌      |     ❌     |
-| `ML-KEM-768`        |   ✅   |   ✅    |       |       |              |      ❌      |     ❌     |
-| `ML-KEM-1024`       |   ✅   |   ✅    |       |       |              |      ❌      |     ❌     |
+| `ML-KEM-512`        |   ✅   |   ✅    |       |       |              |      ✅      |     ✅     |
+| `ML-KEM-768`        |   ✅   |   ✅    |       |       |              |      ✅      |     ✅     |
+| `ML-KEM-1024`       |   ✅   |   ✅    |       |       |              |      ✅      |     ✅     |
 | `PBKDF2`            |        |         |       |  ✅   |      ✅      |              |            |
 | `RSA-OAEP`          |   ✅   |   ✅    |  ✅   |       |              |              |            |
 | `RSA-PSS`           |   ✅   |   ✅    |  ✅   |       |              |              |            |
@@ -499,9 +499,9 @@ These ciphers are **not available in Node.js** but are provided by RNQC via libs
 | `ML-DSA-44`         |   ✅   |
 | `ML-DSA-65`         |   ✅   |
 | `ML-DSA-87`         |   ✅   |
-| `ML-KEM-512`        |   ❌   |
-| `ML-KEM-768`        |   ❌   |
-| `ML-KEM-1024`       |   ❌   |
+| `ML-KEM-512`        |   ✅   |
+| `ML-KEM-768`        |   ✅   |
+| `ML-KEM-1024`       |   ✅   |
 | `RSA-OAEP`          |   ✅   |
 | `RSA-PSS`           |   ✅   |
 | `RSASSA-PKCS1-v1_5` |   ✅   |