vibed/quotesdb/.beans/quotesdb-58hh--triage-4-word-passphrase-crate-selection-for-wasm.md

---
# quotesdb-58hh
title: '[TRIAGE] 4-word passphrase crate selection for WASM target (no_std/wasm32 constraints)'
status: completed
type: task
priority: critical
created_at: 2026-03-10T23:32:08Z
updated_at: 2026-03-10T23:32:08Z
---

<context>
This is a triage decision ticket. It must be resolved before dependent implementation tickets can proceed.
</context>

<question>
4-word passphrase crate selection: which crate generates 4-word passphrases and compiles for wasm32-unknown-unknown without std thread-local RNG or filesystem access?
</question>

<options>
1. **passphrase-wordlist** — small crate, check WASM compatibility.
2. **bip39** — BIP-39 mnemonic words, widely available. Returns 12-word phrases by default; can take first 4 words.
3. **Custom word list** — embed a static word list in `src/lib.rs` and select 4 random words using `getrandom` with the `js` feature for WASM-compatible randomness.
</options>

<resolution>
1. Research the options above and choose the best approach for this project.
2. Update ticket 03bb91 (auth_code generator) and `Cargo.toml` (ticket 1f5bb5) with the chosen crate.
3. Mark this ticket done with a note on the chosen approach in the body or a comment.
</resolution>

<decision>

## Chosen: Option 3 — Custom embedded word list + `rand 0.10` + `getrandom 0.4` (wasm_js)

### Research findings

| Option | Verdict |
|---|---|
| `passphrase-wordlist` | **Does not exist** on crates.io. Eliminated. |
| `bip39` | WASM-compatible (8.8M downloads, used in web crypto wallets). Rejected: carries BIP-39 cryptocurrency semantics; word list (2048 entries) is tuned for phonetic distinctness, not general memorability; introduces unnecessary complexity. |
| Custom word list | **Chosen.** Minimal deps, full control, idiomatic Rust. |

### Implementation approach

**Word list:** EFF Short Word List 1 — 1296 common English words designed for memorable passphrases.
Source: `https://www.eff.org/files/2016/09/08/eff_short_wordlist_1.txt`
Generate the Rust array: `curl -s <url> | awk '{print $2}'`

**RNG:** `rand::rngs::OsRng` from `rand = "0.10"`.
- Does NOT use thread-local storage (safe for wasm32)
- Uses `getrandom` as its entropy backend
- For WASM targets: add `getrandom = { version = "0.4", features = ["wasm_js"] }` in the wasm32 cfg section so Cloudflare Workers (which expose `crypto.getRandomValues()`) can seed the RNG

**Version note:** `rand 0.10` requires `getrandom ^0.4`. The `wasm_js` feature in `getrandom 0.4` replaces the old `js` feature from `getrandom 0.2`. The latest `uuid 1.21.0` also requires `getrandom ^0.4`, so both deps share one getrandom version in the dependency graph.

### Cargo.toml changes (update ticket 1f5bb5)

```toml
[dependencies]
rand = "0.10"

[target.'cfg(target_arch = "wasm32")'.dependencies]
# Enables OsRng entropy via Web Crypto API (crypto.getRandomValues())
# Required by both rand (OsRng) and uuid (v4) on wasm32 targets
getrandom = { version = "0.4", features = ["wasm_js"] }
```

**Correction:** Tickets 7a0d9f and 1f5bb5 previously referenced `getrandom = "0.2", features = ["js"]` — this is outdated. uuid 1.21 and rand 0.10 both require getrandom ^0.4, which renamed the feature to `wasm_js`. Both those tickets have been updated.

### Updated tickets

- **03bb91** — updated with full implementation plan (code, word list steps, tests)
- **1f5bb5** — corrected getrandom version to 0.4/wasm_js; added rand 0.10 dep
- **7a0d9f** — corrected getrandom version to 0.4/wasm_js (was 0.2/js)

</decision>

<commit>
`chore(quotesdb): resolve triage — 4word-passphrase-crate-selection-for-wasm-target-nostdwasm32`
</commit>