Initial release of Secure LSL

Transparent encryption layer for Lab Streaming Layer using
Ed25519 authentication and ChaCha20-Poly1305 encryption.

Author: neuromechanist

.github/workflows/ci.yml

@@ -0,0 +1,141 @@
+name: Secure LSL CI
+
+on:
+  push:
+    branches: ['*']
+    tags: ['*']
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      cmake_extra:
+        description: 'Extra CMake options'
+        required: false
+        default: ''
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    name: ${{ matrix.config.name }}
+    runs-on: ${{ matrix.config.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+        - name: "macOS-latest"
+          os: "macos-latest"
+          install_deps: "brew install libsodium"
+          cmake_extra: ""
+        - name: "ubuntu-24.04"
+          os: "ubuntu-24.04"
+          install_deps: "sudo apt-get update && sudo apt-get install -y libsodium-dev libpugixml-dev"
+          cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF"
+        - name: "ubuntu-22.04"
+          os: "ubuntu-22.04"
+          install_deps: "sudo apt-get update && sudo apt-get install -y libsodium-dev libpugixml-dev"
+          cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF"
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: ${{ matrix.config.install_deps }}
+
+    - name: Configure CMake
+      working-directory: liblsl
+      run: |
+        cmake --version
+        cmake -S . -B build \
+          -DCMAKE_BUILD_TYPE=Release \
+          -DCMAKE_INSTALL_PREFIX=${PWD}/install \
+          -DLSL_SECURITY=ON \
+          -DLSL_SECURITY_TOOLS=ON \
+          -DLSL_UNITTESTS=ON \
+          -DLSL_BUILD_EXAMPLES=ON \
+          -DCPACK_PACKAGE_DIRECTORY=${PWD}/package \
+          -Dlslgitrevision=${{ github.sha }} \
+          -Dlslgitbranch=${{ github.ref }} \
+          ${{ matrix.config.cmake_extra }} \
+          ${{ github.event.inputs.cmake_extra }}
+
+    - name: Build
+      working-directory: liblsl
+      run: cmake --build build --target install --config Release -j
+
+    - name: Print network config
+      run: |
+        if command -v ifconfig &> /dev/null; then ifconfig; fi
+        if command -v ip &> /dev/null; then
+          ip link
+          ip addr
+        fi
+
+    - name: Run security tests
+      working-directory: liblsl
+      run: install/bin/lsl_test_internal "[security]" --order rand --wait-for-keypress never --durations yes
+      timeout-minutes: 5
+
+    - name: Run internal tests
+      working-directory: liblsl
+      run: install/bin/lsl_test_internal --order rand --wait-for-keypress never --durations yes
+      timeout-minutes: 5
+      if: ${{ success() || failure() }}
+
+    - name: Run exported tests
+      working-directory: liblsl
+      run: install/bin/lsl_test_exported --order rand --wait-for-keypress never --durations yes
+      timeout-minutes: 5
+      if: ${{ success() || failure() }}
+
+    - name: Test security tools
+      working-directory: liblsl
+      env:
+        LSLAPICFG: /tmp/test_lsl_api.cfg
+      run: |
+        echo "Testing lsl-keygen..."
+        install/bin/lsl-keygen --help
+        # Use --insecure for CI (no TTY for passphrase prompt)
+        install/bin/lsl-keygen --force --insecure
+        echo "Testing lsl-config..."
+        install/bin/lsl-config --check
+        install/bin/lsl-config --show-public
+
+    - name: Upload install artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: build-${{ matrix.config.name }}
+        path: liblsl/install
+
+    - name: Package
+      working-directory: liblsl
+      run: |
+        cmake --build build --target package --config Release -j
+        cmake -E remove_directory package/_CPack_Packages || true
+
+    - name: Upload package artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: pkg-${{ matrix.config.name }}
+        path: liblsl/package
+
+  docs:
+    name: "Build Documentation"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install Doxygen
+      run: sudo apt-get update && sudo apt-get install -y doxygen
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    - name: Install docs dependencies
+      run: pip install -r docs/requirements.txt
+
+    - name: Build documentation
+      run: mkdocs build --strict

.github/workflows/docs.yml

@@ -0,0 +1,51 @@
+name: Deploy Docs to GitHub Pages
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Doxygen
+        run: sudo apt-get update && sudo apt-get install -y doxygen
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: pip install -r docs/requirements.txt
+
+      - name: Build documentation
+        run: mkdocs build
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: site
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.gitignore

@@ -0,0 +1,97 @@
+# Development context (not distributed)
+CLAUDE.md
+.rules/
+.context/
+.claude/
+.serena/
+internal-docs/
+
+# IDE and editors
+.vscode/
+.idea/
+.cursor/
+*.swp
+*.swo
+.DS_Store
+
+# Environment and secrets
+.env
+.env.local
+.env.*.local
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+.pytest_cache/
+.coverage
+htmlcov/
+.mypy_cache/
+.ruff_cache/
+
+# Virtual environments
+venv/
+ENV/
+env/
+.venv/
+
+# C++ build artifacts
+build/
+cmake-build-*/
+*.o
+*.a
+*.so
+*.dylib
+*.dll
+*.lib
+*.obj
+*.exe
+CMakeFiles/
+CMakeCache.txt
+cmake_install.cmake
+Makefile
+compile_commands.json
+
+# Testing
+*.log
+logs/
+test_output/
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+*.bak
+*~
+
+# Documentation build
+docs/_build/
+site/
+
+# Package distribution
+*.tar.gz
+*.zip
+
+# Coverage reports
+coverage/
+*.gcov
+*.gcda
+*.gcno
+liblsl-Matlab/

CHANGELOG.md

@@ -0,0 +1,47 @@
+# Changelog
+
+All notable changes to Secure LSL will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.16.1-secure.1.0.0-alpha] - 2025-12-07
+
+### Added
+- Initial security layer implementation
+- Ed25519 device authentication
+- ChaCha20-Poly1305 authenticated encryption
+- X25519 + HKDF session key derivation
+- Replay attack prevention with nonce tracking
+- Security configuration via lsl_api.cfg [security] section
+- Key generation tool: `lsl-keygen`
+- Configuration validator: `lsl-config`
+- Version query API:
+  - `lsl_is_secure_build()` - detect secure library at runtime
+  - `lsl_base_version()` - get upstream liblsl version
+  - `lsl_security_version()` - get security layer version
+  - `lsl_full_version()` - get combined version string
+- C++ wrappers for all version functions
+- Renamed binary to `liblsl-secure` to prevent confusion
+- MkDocs documentation site with security guides
+- Cross-platform test suite (Python, MATLAB, C++)
+- Interoperability tests between all language bindings
+
+### Changed
+- Library output name: `liblsl` -> `liblsl-secure`
+- Version string includes security info in `lsl_library_info()`
+
+### Security
+- All data encryption uses libsodium (NIST-validated)
+- Constant-time cryptographic operations
+- Secure memory zeroing for sensitive data
+- Unanimous security enforcement (secure outlets reject insecure inlets and vice versa)
+
+## Version Format
+
+Secure LSL uses dual versioning:
+- **Base version**: Tracks upstream liblsl (e.g., 1.16.1)
+- **Security version**: Tracks security layer (e.g., 1.0.0)
+- **Combined**: `{base}-secure.{security}[-stage]`
+
+Stages: `alpha` -> `beta` -> `rc.N` -> (stable)