[Security] CRITICAL: Placeholder kyber.js provides zero encryption #27

@kai-agent-free

Severity: CRITICAL

File: src/lib/crypto/kyber.js

The Kyber class is explicitly labeled as a "placeholder implementation for demonstration purposes." It generates random bytes instead of actual Kyber key pairs, and encapsulate() returns unrelated random bytes as the shared secret — meaning sender and receiver derive different keys.

// kyber.js line 1-4
/**
 * This is a placeholder implementation for demonstration purposes.
 * In production, this would use the actual CRYSTALS-Kyber WebAssembly module.
 */

Impact: If any code path imports from kyber.js instead of the real ml-kem.js, all encryption is completely broken — messages would be unreadable by recipients.

Recommendation: Delete kyber.js entirely. The real ML-KEM implementation exists in ml-kem.js and post-quantum-encryption.js. Add a lint rule or alias to prevent importing from this file.

Full audit report: https://gist.github.com/kai-agent-free/dd9e0fd75d1b3355d5fae66841b48da8
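
The mismatch described above (sender and receiver deriving different keys) is what a KEM round-trip self-test catches in CI. The following is an added example, not code from the issue or the project: `placeholderKem` is a constructed model of the described behaviour (every method name except `encapsulate()` is an assumption), and `x25519Kem` is a non-post-quantum stand-in used only as a passing reference.

```javascript
// Load node:crypto under either CommonJS or ES modules.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Constructed model of the placeholder the issue describes: keys are random
// bytes and encapsulate() returns a shared secret unrelated to the ciphertext.
// generateKeyPair/decapsulate names and sizes are assumptions, not project code.
const placeholderKem = {
  generateKeyPair: () => ({
    publicKey: nodeCrypto.randomBytes(32),
    privateKey: nodeCrypto.randomBytes(32),
  }),
  encapsulate: (_publicKey) => ({
    ciphertext: nodeCrypto.randomBytes(32),
    sharedSecret: nodeCrypto.randomBytes(32),
  }),
  // The receiver has nothing from which to recover the sender's secret.
  decapsulate: (_ciphertext, _privateKey) => nodeCrypto.randomBytes(32),
};

// Reference KEM that satisfies the contract: ephemeral X25519 Diffie-Hellman.
// Stand-in for contrast only; it is not ML-KEM and not post-quantum.
const x25519Kem = {
  generateKeyPair: () => nodeCrypto.generateKeyPairSync('x25519'),
  encapsulate: (publicKey) => {
    const eph = nodeCrypto.generateKeyPairSync('x25519');
    return {
      ciphertext: eph.publicKey,
      sharedSecret: nodeCrypto.diffieHellman({ privateKey: eph.privateKey, publicKey }),
    };
  },
  decapsulate: (ciphertext, privateKey) =>
    nodeCrypto.diffieHellman({ privateKey, publicKey: ciphertext }),
};

// Returns true only if every trial gives both sides the same shared secret.
function kemRoundTripOk(kem, trials = 8) {
  for (let i = 0; i < trials; i++) {
    const { publicKey, privateKey } = kem.generateKeyPair();
    const { ciphertext, sharedSecret } = kem.encapsulate(publicKey);
    const recovered = kem.decapsulate(ciphertext, privateKey);
    if (recovered.length !== sharedSecret.length ||
        !nodeCrypto.timingSafeEqual(recovered, sharedSecret)) return false;
  }
  return true;
}
```

Running `kemRoundTripOk` against whichever module the application actually imports makes an accidental import of a placeholder fail the build instead of producing unreadable messages.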
