HITE Encryption

Authenticated encryption with AES-256-GCM. The key is derived with PBKDF2-SHA256 (200,000 iterations) from a framework master key; each call returns ciphertext, a fresh IV, and a 16-byte GCM auth tag — plus a Landauer thermodynamic-minimum-energy certificate for interest.

App ID hite-encryption Runs at /apps/hite-encryption/ Auth framework sign-in (the /apps/* gate) Chapter Cryptography & Identity

What it does

Submit a payload, get an AES-256-GCM-encrypted artifact out (ciphertext + IV + auth tag). Decryption is the same flow in reverse and is rejected if the GCM tag doesn't verify. Each encrypt also reports the zeqond/phase it ran at (audit metadata) and a Landauer certificate (the thermodynamic floor E_min = k_B · T · ln 2 · bits — a physics fact, not part of the cipher).

API routes behind it

POST /api/hite/encrypt / POST /api/hite/decrypt — AES-256-GCM encrypt/decrypt (api/hite)
POST /api/zsp/protect / POST /api/zsp/unprotect — optional ZSP multi-stage wrap of the artifact (ZSP)

Reference

Route source: shared/api-core/src/routes/hite.ts + cipher in shared/api-core/src/lib/zeqField.ts
App source: apps/zeq-dev/public/apps/hite-encryption/ (hite-app.js, index.html, zeq-hite-details.html)

What it does​

API routes behind it​

Reference​

What it does

API routes behind it

Reference