Undulax generates cryptographic keys by harvesting randomness from the live internet. It continuously fetches data from eight high-traffic websites, measures tiny timing variations in each response, and uses that unpredictable noise to drive eight animated lava lamp simulations — one per site. Each lamp develops its own permanent visual character and moves entirely on the server, powered by real entropy. The shifting blob patterns are cryptographically combined to produce keys that cannot be predicted or reproduced, in your choice of format: standard hex, UUID v4, WireGuard private key, or JWT secret.
Undulax is a hardware-free entropy harvester that builds cryptographic keys from real-world network chaos. Every two seconds it polls eight geographically diverse web sources, extracting nanosecond-precision timing measurements of TLS handshakes and body transfer, plus BLAKE3 hashes of response headers and content. Each source feeds its own dedicated entropy pool, which drives a server-side lava lamp simulation with 4–8 blobs subject to thermal buoyancy, viscous damping, gradual merging, and pinch-off splitting. Each lamp has a unique, permanently fixed personality — lift coefficient, viscosity, thermal rate, and noise magnitude — seeded from its source's entropy at startup. All lamp states are continuously hashed back into a shared 512-bit pool, which uses HKDF-SHA256 for extraction (rekeying the pool on every draw for forward secrecy) and ChaCha20 for final output, with configurable lengths and encodings.
Undulax implements a CSPRNG seeded from network entropy harvested via process.hrtime.bigint() measurements of TLS connect-to-headers latency and headers-to-body transfer time, plus BLAKE3 hashes of sorted response headers and body content, from eight independent high-traffic hosts. Each source has a dedicated domain-separated EntropyPool, initialized with the hostname as a domain tag and stirred on every harvest using a counter-separated BLAKE3 construction: BLAKE3(pool ∥ tag ∥ counter ∥ new_entropy). A separate shared pool accumulates contributions from all eight sources for key generation. Each lamp pool seeds and continuously drives a server-side blob physics simulation; after every physics step, the full lamp state is BLAKE3-hashed and stirred back into both the per-lamp pool and the shared pool, creating a feedback loop between physical chaos and cryptographic state. Pool extraction uses HKDF-SHA256 with a counter-indexed info string to simultaneously derive output bytes and rekey the pool, providing forward secrecy and backtracking resistance. The stream() function draws a ChaCha20 key and nonce from two sequential extract() calls before generating output. Key generation triggers a fresh parallel harvest of all eight sources (up to 3 seconds), stirs the current state of every lamp into the shared pool, then extracts. The server runs physics at 60fps and re-harvests all sources every 2 seconds; the client polls /state at 10fps and lerps blob positions toward server values — all motion originates server-side.