@agentunion/fastaun-browser 0.2.20 → 0.3.1

package/dist/v2/crypto/canonical.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../../../src/v2/crypto/canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;AAElC;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,OAAO,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,OAAO,CAAC;IAElC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,eAAe,CAAC,GAA8B,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,IAAI,SAAS,CAAC,mCAAmC,OAAO,GAAG,EAAE,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,6CAA6C,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;QACxB,sCAAsC;QACtC,OAAO,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC;IACD,iBAAiB;IACjB,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IAClB,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,eAAe;QACf,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACpB,CAAC,IAAI,GAAG,CAAC;QACX,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,IAAI,MAAM,GAAG,GAAG,CAAC;IACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAChB,MAAM,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAE7B,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,MAAM,CAAC;QACnB,CAAC;aAAM,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC;aAAM,IAAI,IAAI,GAAG,IAAI,EAAE,CAAC;YACvB,iBAAiB;YACjB,MAAM,IAAI,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,uBAAuB;YACvB,MAAM,IAAI,EAAE,CAAC;QACf,CAAC;IACH,CAAC;IACD,MAAM,IAAI,GAAG,CAAC;IACd,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,GAAc;IACpC,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IACjD,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;AACrC,CAAC;AAED,SAAS,eAAe,CAAC,GAA4B;IACnD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAC1B,CAAC,GAAG,EAAE,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAC1D,CAAC;IACF,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;AACrC,CAAC"}

package/dist/v2/crypto/dh-path.d.ts

@@ -0,0 +1,21 @@
+export declare const INFO_3DH: Uint8Array<ArrayBuffer>;
+export declare const INFO_1DH: Uint8Array<ArrayBuffer>;
+export declare const WRAP_KEY_LENGTH = 32;
+/**
+ * 计算 3DH wrap_key。
+ *
+ * - DH1 = ECDH(sender_session_priv, recv_ik_pub)
+ * - DH2 = ECDH(sender_master_priv,  recv_spk_pub)
+ * - DH3 = ECDH(sender_session_priv, recv_spk_pub)
+ * - ikm = DH1 || DH2 || DH3 (96B)
+ * - wrap_key = HKDF-SHA256(ikm, salt, "AUN-V2-3DH", 32)
+ */
+export declare function compute3DHWrap(senderSessionPriv: Uint8Array, senderMasterPriv: Uint8Array, recvIKPub: Uint8Array, recvSPKPub: Uint8Array, salt: Uint8Array): Promise<Uint8Array>;
+/**
+ * 计算 1DH wrap_key。
+ *
+ * - DH1 = ECDH(sender_session_priv, recv_ik_pub)
+ * - wrap_key = HKDF-SHA256(DH1, salt, "AUN-V2-1DH", 32)
+ */
+export declare function compute1DHWrap(senderSessionPriv: Uint8Array, recvIKPub: Uint8Array, salt: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=dh-path.d.ts.map

package/dist/v2/crypto/dh-path.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dh-path.d.ts","sourceRoot":"","sources":["../../../src/v2/crypto/dh-path.ts"],"names":[],"mappings":"AAYA,eAAO,MAAM,QAAQ,yBAAyC,CAAC;AAC/D,eAAO,MAAM,QAAQ,yBAAyC,CAAC;AAC/D,eAAO,MAAM,eAAe,KAAK,CAAC;AAElC;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,iBAAiB,EAAE,UAAU,EAC7B,gBAAgB,EAAE,UAAU,EAC5B,SAAS,EAAE,UAAU,EACrB,UAAU,EAAE,UAAU,EACtB,IAAI,EAAE,UAAU,GACf,OAAO,CAAC,UAAU,CAAC,CAcrB;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,iBAAiB,EAAE,UAAU,EAC7B,SAAS,EAAE,UAAU,EACrB,IAAI,EAAE,UAAU,GACf,OAAO,CAAC,UAAU,CAAC,CAMrB"}

package/dist/v2/crypto/dh-path.js

@@ -0,0 +1,50 @@
+/**
+ * AUN E2EE V2: DH 派生路径
+ *
+ * 规范引用: §3.1 / §5.2
+ * - 1DH: ECDH(sender_session_priv, recv_ik_pub) → HKDF
+ * - 3DH: 三个 ECDH 拼接 → HKDF
+ *
+ * 浏览器实现：组合 ecdh.ts + hkdf.ts。
+ */
+import { ecdhComputeShared } from './ecdh';
+import { hkdfSha256 } from './hkdf';
+export const INFO_3DH = new TextEncoder().encode('AUN-V2-3DH');
+export const INFO_1DH = new TextEncoder().encode('AUN-V2-1DH');
+export const WRAP_KEY_LENGTH = 32;
+/**
+ * 计算 3DH wrap_key。
+ *
+ * - DH1 = ECDH(sender_session_priv, recv_ik_pub)
+ * - DH2 = ECDH(sender_master_priv,  recv_spk_pub)
+ * - DH3 = ECDH(sender_session_priv, recv_spk_pub)
+ * - ikm = DH1 || DH2 || DH3 (96B)
+ * - wrap_key = HKDF-SHA256(ikm, salt, "AUN-V2-3DH", 32)
+ */
+export async function compute3DHWrap(senderSessionPriv, senderMasterPriv, recvIKPub, recvSPKPub, salt) {
+    const dh1 = await ecdhComputeShared(senderSessionPriv, recvIKPub);
+    const dh2 = await ecdhComputeShared(senderMasterPriv, recvSPKPub);
+    const dh3 = await ecdhComputeShared(senderSessionPriv, recvSPKPub);
+    if (dh1.length !== 32 || dh2.length !== 32 || dh3.length !== 32) {
+        throw new Error(`3DH expected 32B shares, got dh1=${dh1.length} dh2=${dh2.length} dh3=${dh3.length}`);
+    }
+    const ikm = new Uint8Array(96);
+    ikm.set(dh1, 0);
+    ikm.set(dh2, 32);
+    ikm.set(dh3, 64);
+    return hkdfSha256(ikm, salt, INFO_3DH, WRAP_KEY_LENGTH);
+}
+/**
+ * 计算 1DH wrap_key。
+ *
+ * - DH1 = ECDH(sender_session_priv, recv_ik_pub)
+ * - wrap_key = HKDF-SHA256(DH1, salt, "AUN-V2-1DH", 32)
+ */
+export async function compute1DHWrap(senderSessionPriv, recvIKPub, salt) {
+    const dh1 = await ecdhComputeShared(senderSessionPriv, recvIKPub);
+    if (dh1.length !== 32) {
+        throw new Error(`1DH expected 32B share, got ${dh1.length}`);
+    }
+    return hkdfSha256(dh1, salt, INFO_1DH, WRAP_KEY_LENGTH);
+}
+//# sourceMappingURL=dh-path.js.map

package/dist/v2/crypto/dh-path.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dh-path.js","sourceRoot":"","sources":["../../../src/v2/crypto/dh-path.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,MAAM,CAAC,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;AAC/D,MAAM,CAAC,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;AAC/D,MAAM,CAAC,MAAM,eAAe,GAAG,EAAE,CAAC;AAElC;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,iBAA6B,EAC7B,gBAA4B,EAC5B,SAAqB,EACrB,UAAsB,EACtB,IAAgB;IAEhB,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;IACnE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CACb,oCAAoC,GAAG,CAAC,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,GAAG,CAAC,MAAM,EAAE,CACrF,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAChB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjB,OAAO,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;AAC1D,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,iBAA6B,EAC7B,SAAqB,EACrB,IAAgB;IAEhB,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAClE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;AAC1D,CAAC"}

package/dist/v2/crypto/ecdh.d.ts

@@ -0,0 +1,19 @@
+/**
+ * 计算 ECDH 共享秘密（P-256 X 坐标，32 字节）。
+ *
+ * @param privateKeyScalar 私钥标量（32 字节 big-endian）
+ * @param peerPublicKeyDer 对端公钥（DER SubjectPublicKeyInfo 编码）
+ * @returns 32 字节共享秘密（椭圆曲线点 X 坐标）
+ */
+export declare function ecdhComputeShared(privateKeyScalar: Uint8Array, peerPublicKeyDer: Uint8Array): Promise<Uint8Array>;
+/**
+ * 生成 P-256 密钥对。
+ *
+ * @returns [privateKeyScalar 32B, publicKeyDer SubjectPublicKeyInfo]
+ */
+export declare function generateP256Keypair(): Promise<[Uint8Array, Uint8Array]>;
+/**
+ * 从私钥标量导出公钥 DER (SubjectPublicKeyInfo)。
+ */
+export declare function privateToPublicDer(privateKeyScalar: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=ecdh.d.ts.map

package/dist/v2/crypto/ecdh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdh.d.ts","sourceRoot":"","sources":["../../../src/v2/crypto/ecdh.ts"],"names":[],"mappings":"AA0CA;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,gBAAgB,EAAE,UAAU,EAC5B,gBAAgB,EAAE,UAAU,GAC3B,OAAO,CAAC,UAAU,CAAC,CA6CrB;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAe7E;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,gBAAgB,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAgB1F"}

package/dist/v2/crypto/ecdh.js

@@ -0,0 +1,101 @@
+/**
+ * AUN E2EE V2: ECDH P-256
+ *
+ * 规范引用: §3.1
+ * - 曲线: P-256 (secp256r1)
+ * - 输出: 椭圆曲线点 X 坐标字节（32 字节，无前缀）
+ *
+ * 浏览器实现：使用 WebCrypto (crypto.subtle) 完成 ECDH 派生。
+ * - 私钥输入是 32 字节 raw scalar，借助 @noble/curves 推算公钥点 (X, Y)，
+ *   然后构造 JWK 格式导入 WebCrypto。
+ * - 公钥输入是 DER SubjectPublicKeyInfo，直接走 spki 导入。
+ * - deriveBits(256) 返回 32 字节 X 坐标，与 Python cryptography 库行为一致。
+ */
+import { p256 } from '@noble/curves/nist.js';
+/** base64url（无 padding）编码，用于 JWK 字段 */
+function bytesToB64Url(bytes) {
+    let bin = '';
+    for (let i = 0; i < bytes.length; i++)
+        bin += String.fromCharCode(bytes[i]);
+    return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+/** base64url 解码 */
+function b64UrlToBytes(s) {
+    const std = s.replace(/-/g, '+').replace(/_/g, '/');
+    const pad = std.length % 4 === 0 ? '' : '='.repeat(4 - (std.length % 4));
+    const bin = atob(std + pad);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++)
+        out[i] = bin.charCodeAt(i);
+    return out;
+}
+/** 从 raw 32B scalar 推算 P-256 公钥的未压缩 (X, Y) 字节，各 32B */
+function p256PublicXY(privateKeyScalar) {
+    // p256.getPublicKey(secretKey, isCompressed=false) → 65 字节 0x04 || X || Y
+    const pub = p256.getPublicKey(privateKeyScalar, false);
+    if (pub.length !== 65 || pub[0] !== 0x04) {
+        throw new Error(`unexpected uncompressed public key encoding: len=${pub.length}`);
+    }
+    return { x: pub.subarray(1, 33), y: pub.subarray(33, 65) };
+}
+/**
+ * 计算 ECDH 共享秘密（P-256 X 坐标，32 字节）。
+ *
+ * @param privateKeyScalar 私钥标量（32 字节 big-endian）
+ * @param peerPublicKeyDer 对端公钥（DER SubjectPublicKeyInfo 编码）
+ * @returns 32 字节共享秘密（椭圆曲线点 X 坐标）
+ */
+export async function ecdhComputeShared(privateKeyScalar, peerPublicKeyDer) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`P-256 private scalar must be 32 bytes, got ${privateKeyScalar.length}`);
+    }
+    // 推算公钥点用于构造 JWK（WebCrypto 不接受 raw scalar）
+    const { x, y } = p256PublicXY(privateKeyScalar);
+    const privJwk = {
+        kty: 'EC',
+        crv: 'P-256',
+        d: bytesToB64Url(privateKeyScalar),
+        x: bytesToB64Url(x),
+        y: bytesToB64Url(y),
+        ext: true,
+    };
+    const privKey = await crypto.subtle.importKey('jwk', privJwk, { name: 'ECDH', namedCurve: 'P-256' }, false, ['deriveBits']);
+    const pubKey = await crypto.subtle.importKey('spki', 
+    // BufferSource：copy 到独立 ArrayBuffer，避免传入 SharedArrayBuffer/视图歧义
+    peerPublicKeyDer.slice().buffer, { name: 'ECDH', namedCurve: 'P-256' }, false, []);
+    const sharedBits = await crypto.subtle.deriveBits({ name: 'ECDH', public: pubKey }, privKey, 256);
+    const out = new Uint8Array(sharedBits);
+    if (out.length !== 32) {
+        throw new Error(`ECDH derive returned ${out.length} bytes, expected 32`);
+    }
+    return out;
+}
+/**
+ * 生成 P-256 密钥对。
+ *
+ * @returns [privateKeyScalar 32B, publicKeyDer SubjectPublicKeyInfo]
+ */
+export async function generateP256Keypair() {
+    const keyPair = await crypto.subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, true, ['deriveBits']);
+    const jwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey);
+    if (!jwk.d) {
+        throw new Error('exportKey(jwk) returned no private component');
+    }
+    const priv = b64UrlToBytes(jwk.d);
+    const pubDerBuf = await crypto.subtle.exportKey('spki', keyPair.publicKey);
+    return [priv, new Uint8Array(pubDerBuf)];
+}
+/**
+ * 从私钥标量导出公钥 DER (SubjectPublicKeyInfo)。
+ */
+export async function privateToPublicDer(privateKeyScalar) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`P-256 private scalar must be 32 bytes, got ${privateKeyScalar.length}`);
+    }
+    const { x, y } = p256PublicXY(privateKeyScalar);
+    // 仅导入公钥点，再以 spki 导出
+    const pubKey = await crypto.subtle.importKey('jwk', { kty: 'EC', crv: 'P-256', x: bytesToB64Url(x), y: bytesToB64Url(y), ext: true }, { name: 'ECDH', namedCurve: 'P-256' }, true, []);
+    const der = await crypto.subtle.exportKey('spki', pubKey);
+    return new Uint8Array(der);
+}
+//# sourceMappingURL=ecdh.js.map

package/dist/v2/crypto/ecdh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdh.js","sourceRoot":"","sources":["../../../src/v2/crypto/ecdh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC;AAE7C,uCAAuC;AACvC,SAAS,aAAa,CAAC,KAAiB;IACtC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,mBAAmB;AACnB,SAAS,aAAa,CAAC,CAAS;IAC9B,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uDAAuD;AACvD,SAAS,YAAY,CAAC,gBAA4B;IAChD,0EAA0E;IAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,KAAK,CAAe,CAAC;IACrE,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,oDAAoD,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC;AAC7D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,gBAA4B,EAC5B,gBAA4B;IAE5B,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,0CAA0C;IAC1C,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAEhD,MAAM,OAAO,GAAe;QAC1B,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,OAAO;QACZ,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC;QAClC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC;QACnB,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC;QACnB,GAAG,EAAE,IAAI;KACV,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC3C,KAAK,EACL,OAAO,EACP,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1C,MAAM;IACN,gEAAgE;IAChE,gBAAgB,CAAC,KAAK,EAAE,CAAC,MAAM,EAC/B,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,KAAK,EACL,EAAE,CACH,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC/C,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAChC,OAAO,EACP,GAAG,CACJ,CAAC;IAEF,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACvC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,CAAC,MAAM,qBAAqB,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC7C,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,IAAI,EACJ,CAAC,YAAY,CAAC,CACf,CAAC;IAEF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACrE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAElC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAC3E,OAAO,CAAC,IAAI,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,gBAA4B;IACnE,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAEhD,oBAAoB;IACpB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1C,KAAK,EACL,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,EAChF,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACrC,IAAI,EACJ,EAAE,CACH,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC"}

package/dist/v2/crypto/ecdsa.d.ts

@@ -0,0 +1,16 @@
+/**
+ * ECDSA-SHA256 RAW 签名（RFC 6979 deterministic, r||s 64 字节）。
+ *
+ * @param privateKeyScalar 32 字节 P-256 私钥标量
+ * @param message          原始消息（noble 内部 SHA-256）
+ */
+export declare function ecdsaSignRaw(privateKeyScalar: Uint8Array, message: Uint8Array): Promise<Uint8Array>;
+/**
+ * ECDSA-SHA256 RAW 验签。
+ *
+ * @param publicKeyDer SPKI DER 公钥
+ * @param signatureRaw 64 字节 r||s
+ * @param message      原始消息（内部做 SHA-256）
+ */
+export declare function ecdsaVerifyRaw(publicKeyDer: Uint8Array, signatureRaw: Uint8Array, message: Uint8Array): Promise<boolean>;
+//# sourceMappingURL=ecdsa.d.ts.map

package/dist/v2/crypto/ecdsa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdsa.d.ts","sourceRoot":"","sources":["../../../src/v2/crypto/ecdsa.ts"],"names":[],"mappings":"AAeA;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,gBAAgB,EAAE,UAAU,EAC5B,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAWrB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,YAAY,EAAE,UAAU,EACxB,YAAY,EAAE,UAAU,EACxB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,OAAO,CAAC,CAoBlB"}

package/dist/v2/crypto/ecdsa.js

@@ -0,0 +1,52 @@
+/**
+ * AUN E2EE V2: ECDSA P-256 + SHA-256 RAW（r||s, 64B）
+ *
+ * 规范引用: §3.4 / §5.1 / §10
+ *
+ * 浏览器实现：
+ * - 签名：使用 @noble/curves p256（RFC 6979 deterministic），保持与 Python /
+ *   Go SDK 字节一致。WebCrypto 的 ECDSA 签名是不确定性的（每次随机 k），
+ *   无法用于 golden 比对，因此签名走 noble。
+ * - 验签：用 WebCrypto subtle.verify，公钥从 SPKI DER 导入。
+ * - 哈希：noble p256.sign 默认 prehash=true（自带 SHA-256），与 Python /
+ *   Go ECDSA-SHA256 行为一致；显式传 prehash 让意图更明确。
+ */
+import { p256 } from '@noble/curves/nist.js';
+/**
+ * ECDSA-SHA256 RAW 签名（RFC 6979 deterministic, r||s 64 字节）。
+ *
+ * @param privateKeyScalar 32 字节 P-256 私钥标量
+ * @param message          原始消息（noble 内部 SHA-256）
+ */
+export async function ecdsaSignRaw(privateKeyScalar, message) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`ECDSA private key must be 32 bytes, got ${privateKeyScalar.length}`);
+    }
+    // noble v2: sign 直接返回 Uint8Array（默认 format='compact' 即 r||s 64B）
+    // lowS=false 与 Python cryptography / Go ecdsa 行为一致
+    const sig = p256.sign(message, privateKeyScalar, { lowS: false, prehash: true });
+    if (!(sig instanceof Uint8Array) || sig.length !== 64) {
+        throw new Error(`unexpected ECDSA signature shape: ${sig?.constructor?.name} len=${sig?.length}`);
+    }
+    return sig;
+}
+/**
+ * ECDSA-SHA256 RAW 验签。
+ *
+ * @param publicKeyDer SPKI DER 公钥
+ * @param signatureRaw 64 字节 r||s
+ * @param message      原始消息（内部做 SHA-256）
+ */
+export async function ecdsaVerifyRaw(publicKeyDer, signatureRaw, message) {
+    if (signatureRaw.length !== 64)
+        return false;
+    try {
+        const pubKey = await crypto.subtle.importKey('spki', publicKeyDer.slice().buffer, { name: 'ECDSA', namedCurve: 'P-256' }, false, ['verify']);
+        const ok = await crypto.subtle.verify({ name: 'ECDSA', hash: { name: 'SHA-256' } }, pubKey, signatureRaw.slice().buffer, message.slice().buffer);
+        return Boolean(ok);
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=ecdsa.js.map

package/dist/v2/crypto/ecdsa.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdsa.js","sourceRoot":"","sources":["../../../src/v2/crypto/ecdsa.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC;AAE7C;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,gBAA4B,EAC5B,OAAmB;IAEnB,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,2CAA2C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,iEAAiE;IACjE,mDAAmD;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IACjF,IAAI,CAAC,CAAC,GAAG,YAAY,UAAU,CAAC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,qCAAqC,GAAG,EAAE,WAAW,EAAE,IAAI,QAAS,GAA2B,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7H,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,YAAwB,EACxB,YAAwB,EACxB,OAAmB;IAEnB,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1C,MAAM,EACN,YAAY,CAAC,KAAK,EAAE,CAAC,MAAM,EAC3B,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACnC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAC5C,MAAM,EACN,YAAY,CAAC,KAAK,EAAE,CAAC,MAAM,EAC3B,OAAO,CAAC,KAAK,EAAE,CAAC,MAAM,CACvB,CAAC;QACF,OAAO,OAAO,CAAC,EAAE,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/v2/crypto/hkdf.d.ts

@@ -0,0 +1,21 @@
+/**
+ * AUN E2EE V2: HKDF-SHA256
+ *
+ * 规范引用: §3.2 / §5.2 / §10
+ *
+ * 浏览器实现：使用 WebCrypto subtle.deriveBits 完成 HKDF。
+ * - salt 长度为 0 时按 RFC 5869 规则替换为 32 字节零（与 Python sdk 行为一致）。
+ * - info 必须是 BufferSource（Uint8Array 即可）。
+ * - 输出长度由 `length` 控制（字节数）。
+ */
+/**
+ * 计算 HKDF-SHA256(ikm, salt, info, length)。
+ *
+ * @param ikm    输入密钥材料
+ * @param salt   盐（可空）
+ * @param info   上下文/信息字段
+ * @param length 输出字节数
+ * @returns      派生密钥
+ */
+export declare function hkdfSha256(ikm: Uint8Array, salt: Uint8Array, info: Uint8Array, length: number): Promise<Uint8Array>;
+//# sourceMappingURL=hkdf.d.ts.map

package/dist/v2/crypto/hkdf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.d.ts","sourceRoot":"","sources":["../../../src/v2/crypto/hkdf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAC9B,GAAG,EAAE,UAAU,EACf,IAAI,EAAE,UAAU,EAChB,IAAI,EAAE,UAAU,EAChB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,UAAU,CAAC,CAqBrB"}

package/dist/v2/crypto/hkdf.js

@@ -0,0 +1,32 @@
+/**
+ * AUN E2EE V2: HKDF-SHA256
+ *
+ * 规范引用: §3.2 / §5.2 / §10
+ *
+ * 浏览器实现：使用 WebCrypto subtle.deriveBits 完成 HKDF。
+ * - salt 长度为 0 时按 RFC 5869 规则替换为 32 字节零（与 Python sdk 行为一致）。
+ * - info 必须是 BufferSource（Uint8Array 即可）。
+ * - 输出长度由 `length` 控制（字节数）。
+ */
+/**
+ * 计算 HKDF-SHA256(ikm, salt, info, length)。
+ *
+ * @param ikm    输入密钥材料
+ * @param salt   盐（可空）
+ * @param info   上下文/信息字段
+ * @param length 输出字节数
+ * @returns      派生密钥
+ */
+export async function hkdfSha256(ikm, salt, info, length) {
+    const realSalt = salt.length === 0 ? new Uint8Array(32) : salt;
+    // ikm 必须是独立 ArrayBuffer，避免视图歧义
+    const baseKey = await crypto.subtle.importKey('raw', ikm.slice().buffer, 'HKDF', false, ['deriveBits']);
+    const bits = await crypto.subtle.deriveBits({
+        name: 'HKDF',
+        hash: 'SHA-256',
+        salt: realSalt.slice().buffer,
+        info: info.slice().buffer,
+    }, baseKey, length * 8);
+    return new Uint8Array(bits);
+}
+//# sourceMappingURL=hkdf.js.map

package/dist/v2/crypto/hkdf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.js","sourceRoot":"","sources":["../../../src/v2/crypto/hkdf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAe,EACf,IAAgB,EAChB,IAAgB,EAChB,MAAc;IAEd,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/D,+BAA+B;IAC/B,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC3C,KAAK,EACL,GAAG,CAAC,KAAK,EAAE,CAAC,MAAM,EAClB,MAAM,EACN,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CACzC;QACE,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,MAAM;QAC7B,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,MAAM;KACZ,EACf,OAAO,EACP,MAAM,GAAG,CAAC,CACX,CAAC;IACF,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC"}

package/dist/v2/crypto/index.d.ts

@@ -0,0 +1,9 @@
+export { canonicalJson } from './canonical';
+export { ecdhComputeShared, generateP256Keypair, privateToPublicDer, } from './ecdh';
+export { hkdfSha256 } from './hkdf';
+export { aesGcmEncrypt, aesGcmDecrypt } from './aead';
+export { ecdsaSignRaw, ecdsaVerifyRaw } from './ecdsa';
+export { compute1DHWrap, compute3DHWrap, INFO_1DH, INFO_3DH, WRAP_KEY_LENGTH, } from './dh-path';
+export { sortRecipients, computeLeafHash, computeMerkleRoot, computeMerkleProof, verifyMerkleProof, computeRecipientsDigest, } from './recipients';
+export type { ProofStep } from './recipients';
+//# sourceMappingURL=index.d.ts.map

package/dist/v2/crypto/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/v2/crypto/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,QAAQ,CAAC;AAChB,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AACvD,OAAO,EACL,cAAc,EACd,cAAc,EACd,QAAQ,EACR,QAAQ,EACR,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC"}

package/dist/v2/crypto/index.js

@@ -0,0 +1,8 @@
+export { canonicalJson } from './canonical';
+export { ecdhComputeShared, generateP256Keypair, privateToPublicDer, } from './ecdh';
+export { hkdfSha256 } from './hkdf';
+export { aesGcmEncrypt, aesGcmDecrypt } from './aead';
+export { ecdsaSignRaw, ecdsaVerifyRaw } from './ecdsa';
+export { compute1DHWrap, compute3DHWrap, INFO_1DH, INFO_3DH, WRAP_KEY_LENGTH, } from './dh-path';
+export { sortRecipients, computeLeafHash, computeMerkleRoot, computeMerkleProof, verifyMerkleProof, computeRecipientsDigest, } from './recipients';
+//# sourceMappingURL=index.js.map

package/dist/v2/crypto/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/v2/crypto/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,QAAQ,CAAC;AAChB,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AACvD,OAAO,EACL,cAAc,EACd,cAAc,EACd,QAAQ,EACR,QAAQ,EACR,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,cAAc,CAAC"}

package/dist/v2/crypto/recipients.d.ts

@@ -0,0 +1,43 @@
+/**
+ * AUN E2EE V2: Recipients 排序与 Digest（Merkle root）
+ *
+ * 规范引用: §10.3 / §5.3
+ * - 二维数组（无 columns 表头）；行按 (aid asc, device_id asc, role asc) 排序
+ * - 每行固定 8 字段: [aid, device_id, role, key_source, fp, spk_id, wrap_nonce, wrapped_key]
+ * - leaf = SHA256(LEAF_PREFIX || canonical row binary fields)
+ * - inner = SHA256(NODE_PREFIX || left || right)
+ * - 奇数节点复制最后一个
+ *
+ * 浏览器实现：使用 WebCrypto subtle.digest('SHA-256')，全链路 async。
+ * - wrap_nonce / wrapped_key 字段：优先 base64 解码（仅当长度为 4 的倍数且字符合法），
+ *   失败时回退 UTF-8 字节，与 Python `_decode_or_raw` 对齐。
+ */
+/**
+ * 按 (aid asc, device_id asc, role asc) 排序 recipients 行（不修改入参）。
+ */
+export declare function sortRecipients(rows: string[][]): string[][];
+/**
+ * 计算单个 recipient 行的 leaf hash（32 字节）。
+ */
+export declare function computeLeafHash(row: string[]): Promise<Uint8Array>;
+/**
+ * Merkle root（hex），rows 必须已排序。
+ */
+export declare function computeMerkleRoot(rows: string[][]): Promise<string>;
+export interface ProofStep {
+    sibling: string;
+    position: 'L' | 'R';
+}
+/**
+ * 为 targetIndex 行生成 Merkle proof。
+ */
+export declare function computeMerkleProof(rows: string[][], targetIndex: number): Promise<ProofStep[]>;
+/**
+ * 验证 leaf + proof 重建出的 root 与期望值一致。
+ */
+export declare function verifyMerkleProof(leaf: Uint8Array, proof: ProofStep[], expectedRootHex: string): Promise<boolean>;
+/**
+ * 计算 recipients_digest（Merkle root）。调用方 MUST 先调 sortRecipients。
+ */
+export declare function computeRecipientsDigest(rows: string[][]): Promise<string>;
+//# sourceMappingURL=recipients.d.ts.map

package/dist/v2/crypto/recipients.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"recipients.d.ts","sourceRoot":"","sources":["../../../src/v2/crypto/recipients.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AA8DH;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,EAAE,CAO3D;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CA8BxE;AAMD;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAczE;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,GAAG,GAAG,GAAG,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,MAAM,EAAE,EAAE,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,SAAS,EAAE,CAAC,CAsBtB;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,UAAU,EAChB,KAAK,EAAE,SAAS,EAAE,EAClB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,OAAO,CAAC,CAelB;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAE/E"}

package/dist/v2/crypto/recipients.js

@@ -0,0 +1,188 @@
+/**
+ * AUN E2EE V2: Recipients 排序与 Digest（Merkle root）
+ *
+ * 规范引用: §10.3 / §5.3
+ * - 二维数组（无 columns 表头）；行按 (aid asc, device_id asc, role asc) 排序
+ * - 每行固定 8 字段: [aid, device_id, role, key_source, fp, spk_id, wrap_nonce, wrapped_key]
+ * - leaf = SHA256(LEAF_PREFIX || canonical row binary fields)
+ * - inner = SHA256(NODE_PREFIX || left || right)
+ * - 奇数节点复制最后一个
+ *
+ * 浏览器实现：使用 WebCrypto subtle.digest('SHA-256')，全链路 async。
+ * - wrap_nonce / wrapped_key 字段：优先 base64 解码（仅当长度为 4 的倍数且字符合法），
+ *   失败时回退 UTF-8 字节，与 Python `_decode_or_raw` 对齐。
+ */
+const LEAF_PREFIX = new TextEncoder().encode('AUN-V2-RCPT-LEAF-v1');
+const NODE_PREFIX = new TextEncoder().encode('AUN-V2-RCPT-NODE-v1');
+async function sha256(data) {
+    const buf = await crypto.subtle.digest('SHA-256', data.slice().buffer);
+    return new Uint8Array(buf);
+}
+function bytesToHex(b) {
+    let s = '';
+    for (let i = 0; i < b.length; i++)
+        s += b[i].toString(16).padStart(2, '0');
+    return s;
+}
+function hexToBytes(s) {
+    if (s.length % 2 !== 0)
+        throw new Error('hex length must be even');
+    const out = new Uint8Array(s.length / 2);
+    for (let i = 0; i < out.length; i++) {
+        const hi = parseInt(s.charAt(i * 2), 16);
+        const lo = parseInt(s.charAt(i * 2 + 1), 16);
+        if (Number.isNaN(hi) || Number.isNaN(lo))
+            throw new Error('invalid hex char');
+        out[i] = (hi << 4) | lo;
+    }
+    return out;
+}
+function concat(...arrs) {
+    let total = 0;
+    for (const a of arrs)
+        total += a.length;
+    const out = new Uint8Array(total);
+    let pos = 0;
+    for (const a of arrs) {
+        out.set(a, pos);
+        pos += a.length;
+    }
+    return out;
+}
+/**
+ * 与 Python `_decode_or_raw` 行为一致：
+ *  - 空串 → 空 bytes
+ *  - 长度为 4 的倍数且仅含 base64 字符 → atob 解码
+ *  - 其他情况 → UTF-8 编码
+ */
+function decodeOrRaw(value) {
+    if (!value)
+        return new Uint8Array(0);
+    // 标准 base64：A-Z a-z 0-9 + / =，长度必须是 4 的倍数
+    if (value.length > 0 && value.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(value)) {
+        try {
+            const bin = atob(value);
+            const out = new Uint8Array(bin.length);
+            for (let i = 0; i < bin.length; i++)
+                out[i] = bin.charCodeAt(i);
+            return out;
+        }
+        catch {
+            // fall through
+        }
+    }
+    return new TextEncoder().encode(value);
+}
+/**
+ * 按 (aid asc, device_id asc, role asc) 排序 recipients 行（不修改入参）。
+ */
+export function sortRecipients(rows) {
+    return [...rows].sort((a, b) => {
+        if (a[0] !== b[0])
+            return a[0] < b[0] ? -1 : 1;
+        if (a[1] !== b[1])
+            return a[1] < b[1] ? -1 : 1;
+        if (a[2] !== b[2])
+            return a[2] < b[2] ? -1 : 1;
+        return 0;
+    });
+}
+/**
+ * 计算单个 recipient 行的 leaf hash（32 字节）。
+ */
+export async function computeLeafHash(row) {
+    const enc = (s) => new TextEncoder().encode(s ?? '');
+    const aid = enc(String(row[0] ?? ''));
+    const deviceId = enc(String(row[1] ?? ''));
+    const role = enc(String(row[2] ?? ''));
+    const keySource = enc(String(row[3] ?? ''));
+    const fp = enc(String(row[4] ?? ''));
+    const spkId = enc(String(row.length > 5 ? row[5] : ''));
+    const wrapNonce = decodeOrRaw(row.length > 6 ? String(row[6] ?? '') : '');
+    const wrappedKey = decodeOrRaw(row.length > 7 ? String(row[7] ?? '') : '');
+    const ZERO = Uint8Array.of(0);
+    const data = concat(LEAF_PREFIX, aid, ZERO, deviceId, ZERO, role, ZERO, keySource, ZERO, fp, ZERO, spkId, ZERO, wrapNonce, wrappedKey);
+    return sha256(data);
+}
+async function nodeHash(left, right) {
+    return sha256(concat(NODE_PREFIX, left, right));
+}
+/**
+ * Merkle root（hex），rows 必须已排序。
+ */
+export async function computeMerkleRoot(rows) {
+    if (rows.length === 0)
+        return '';
+    let layer = [];
+    for (const r of rows)
+        layer.push(await computeLeafHash(r));
+    while (layer.length > 1) {
+        if (layer.length % 2 === 1)
+            layer.push(layer[layer.length - 1]);
+        const next = [];
+        for (let i = 0; i < layer.length; i += 2) {
+            next.push(await nodeHash(layer[i], layer[i + 1]));
+        }
+        layer = next;
+    }
+    return bytesToHex(layer[0]);
+}
+/**
+ * 为 targetIndex 行生成 Merkle proof。
+ */
+export async function computeMerkleProof(rows, targetIndex) {
+    if (rows.length === 0 || targetIndex < 0 || targetIndex >= rows.length)
+        return [];
+    let layer = [];
+    for (const r of rows)
+        layer.push(await computeLeafHash(r));
+    let idx = targetIndex;
+    const proof = [];
+    while (layer.length > 1) {
+        if (layer.length % 2 === 1)
+            layer.push(layer[layer.length - 1]);
+        const siblingIdx = idx ^ 1;
+        proof.push({
+            sibling: bytesToHex(layer[siblingIdx]),
+            position: siblingIdx > idx ? 'R' : 'L',
+        });
+        const next = [];
+        for (let i = 0; i < layer.length; i += 2) {
+            next.push(await nodeHash(layer[i], layer[i + 1]));
+        }
+        layer = next;
+        idx = Math.floor(idx / 2);
+    }
+    return proof;
+}
+/**
+ * 验证 leaf + proof 重建出的 root 与期望值一致。
+ */
+export async function verifyMerkleProof(leaf, proof, expectedRootHex) {
+    if (!expectedRootHex)
+        return false;
+    let cur = leaf;
+    for (const step of proof) {
+        let sibling;
+        try {
+            sibling = hexToBytes(step.sibling);
+        }
+        catch {
+            return false;
+        }
+        if (step.position === 'L')
+            cur = await nodeHash(sibling, cur);
+        else if (step.position === 'R')
+            cur = await nodeHash(cur, sibling);
+        else
+            return false;
+    }
+    return bytesToHex(cur) === expectedRootHex;
+}
+/**
+ * 计算 recipients_digest（Merkle root）。调用方 MUST 先调 sortRecipients。
+ */
+export async function computeRecipientsDigest(rows) {
+    return computeMerkleRoot(rows);
+}
+//# sourceMappingURL=recipients.js.map