@agentunion/fastaun 0.2.20 → 0.3.0

package/dist/v2/e2ee/decrypt.js

@@ -0,0 +1,159 @@
+/**
+ * AUN E2EE V2: 统一解密引擎
+ *
+ * 支持 P2P 和 Group 消息解密（按 envelope.type / 字段结构分流）。
+ * 纯计算，无 IO。
+ *
+ * 与 Python `aun_core.v2.e2ee.decrypt.decrypt_message` 对齐。
+ *
+ * 流程：
+ *  1. 验 sender_signature
+ *  2. 找自己的 row（recipients 数组或 per-device recipient + 可选 merkle_proof）
+ *  3. 计算 wrap_salt
+ *  4. 派生 wrap_key（3DH 或 1DH）
+ *  5. 解 master_key
+ *  6. 解 body
+ *  7. 解析 JSON payload
+ */
+import { createHash } from 'node:crypto';
+import { canonicalJson } from '../crypto/canonical.js';
+import { ecdsaVerifyRaw } from '../crypto/ecdsa.js';
+import { ecdhComputeShared } from '../crypto/ecdh.js';
+import { hkdfSha256 } from '../crypto/hkdf.js';
+import { aesGcmDecrypt } from '../crypto/aead.js';
+import { computeLeafHash, computeRecipientsDigest, verifyMerkleProof, } from '../crypto/recipients.js';
+import { SUITE_NAME } from './types.js';
+const TEXT = new TextEncoder();
+const INFO_3DH = TEXT.encode('AUN-V2-3DH');
+const INFO_1DH = TEXT.encode('AUN-V2-1DH');
+/**
+ * 解密 V2 加密消息（P2P 或 Group）。
+ *
+ * @param envelope 完整 envelope（已 JSON.parse 的对象）
+ * @param selfAid 接收方 AID
+ * @param selfDeviceId 接收方 device_id
+ * @param selfIkPriv 接收方 IK 私钥（32B scalar）
+ * @param selfSpkPriv 接收方 SPK 私钥（32B scalar）；undefined/null 表示无 SPK（1DH）
+ * @param senderPubDer 发送方 AID 主公钥（DER），用于验签 + 3DH 接收侧 DH2
+ * @returns 解密后的 payload；null 表示在 recipients 中找不到自己的 row
+ */
+export function decryptMessage(envelope, selfAid, selfDeviceId, selfIkPriv, selfSpkPriv, senderPubDer) {
+    // 1. 验签
+    if (!verifySenderSignature(envelope, senderPubDer)) {
+        throw new Error('sender_signature verification failed');
+    }
+    // 2. 找自己的 row
+    let row = null;
+    if (Array.isArray(envelope.recipients)) {
+        const rows = envelope.recipients;
+        const expectedDigest = String(envelope.recipients_digest ?? '');
+        if (computeRecipientsDigest(rows) !== expectedDigest) {
+            throw new Error('recipients_digest mismatch');
+        }
+        row = findMyRow(rows, selfAid, selfDeviceId);
+        if (!row)
+            return null;
+    }
+    else if (envelope.recipient && typeof envelope.recipient === 'object') {
+        const r = envelope.recipient;
+        row = [
+            String(r.aid ?? ''),
+            String(r.device_id ?? ''),
+            String(r.role ?? ''),
+            String(r.key_source ?? ''),
+            String(r.fp ?? ''),
+            String(r.spk_id ?? ''),
+            String(r.wrap_nonce ?? ''),
+            String(r.wrapped_key ?? ''),
+        ];
+        // per-device 形态可能携带 merkle_proof
+        const proof = envelope.merkle_proof;
+        const expectedRoot = String(envelope.recipients_digest ?? '');
+        if (proof && expectedRoot) {
+            const leaf = computeLeafHash(row);
+            if (!verifyMerkleProof(leaf, proof, expectedRoot)) {
+                // 服务端篡改/替换 wrap，拒绝
+                return null;
+            }
+        }
+    }
+    else {
+        return null;
+    }
+    // 3. wrap_salt
+    const senderSessionPkDer = new Uint8Array(Buffer.from(String(envelope.sender_session_pk ?? ''), 'base64'));
+    const aad = envelope.aad;
+    const aadBytes = canonicalJson(aad);
+    const suiteStr = String(envelope.suite ?? SUITE_NAME);
+    const wrapSalt = computeWrapSalt(aadBytes, senderSessionPkDer, suiteStr);
+    // 4. wrap_key
+    const wrapKey = computeWrapKey(row, selfIkPriv, selfSpkPriv, senderSessionPkDer, senderPubDer, wrapSalt);
+    // 5. decrypt master_key
+    const wrapNonce = new Uint8Array(Buffer.from(row[6], 'base64'));
+    const wrappedKey = new Uint8Array(Buffer.from(row[7], 'base64'));
+    if (wrappedKey.length < 16) {
+        throw new Error('wrapped_key too short');
+    }
+    const wrappedCt = wrappedKey.subarray(0, wrappedKey.length - 16);
+    const wrappedTag = wrappedKey.subarray(wrappedKey.length - 16);
+    const masterKey = aesGcmDecrypt(wrapKey, wrapNonce, wrappedCt, wrappedTag, new Uint8Array(0));
+    // 6. decrypt body
+    const msgNonce = new Uint8Array(Buffer.from(String(envelope.nonce ?? ''), 'base64'));
+    const ct = new Uint8Array(Buffer.from(String(envelope.ciphertext ?? ''), 'base64'));
+    const tag = new Uint8Array(Buffer.from(String(envelope.tag ?? ''), 'base64'));
+    const plaintext = aesGcmDecrypt(masterKey, msgNonce, ct, tag, aadBytes);
+    // 7. parse JSON
+    return JSON.parse(Buffer.from(plaintext).toString('utf-8'));
+}
+function computeWrapSalt(aadBytes, senderSessionPkDer, suiteStr) {
+    const suiteBytes = TEXT.encode(suiteStr);
+    const h = createHash('sha256');
+    h.update(Buffer.from(aadBytes));
+    h.update(Buffer.from(senderSessionPkDer));
+    h.update(Buffer.from(suiteBytes));
+    return new Uint8Array(h.digest()).subarray(0, 16);
+}
+function computeWrapKey(row, selfIkPriv, selfSpkPriv, senderSessionPkDer, senderMasterPkDer, salt) {
+    const spkId = row[5];
+    if (spkId && selfSpkPriv) {
+        // 3DH 接收方：DH1=ECDH(self_ik, sender_session)；DH2=ECDH(self_spk, sender_master)；DH3=ECDH(self_spk, sender_session)
+        const dh1 = ecdhComputeShared(selfIkPriv, senderSessionPkDer);
+        const dh2 = ecdhComputeShared(selfSpkPriv, senderMasterPkDer);
+        const dh3 = ecdhComputeShared(selfSpkPriv, senderSessionPkDer);
+        const ikm = new Uint8Array(96);
+        ikm.set(dh1, 0);
+        ikm.set(dh2, 32);
+        ikm.set(dh3, 64);
+        return hkdfSha256(ikm, salt, INFO_3DH, 32);
+    }
+    // 1DH 接收方
+    const dh1 = ecdhComputeShared(selfIkPriv, senderSessionPkDer);
+    return hkdfSha256(dh1, salt, INFO_1DH, 32);
+}
+function findMyRow(rows, aid, deviceId) {
+    for (const r of rows) {
+        if (r[0] === aid && r[1] === deviceId)
+            return r;
+    }
+    return null;
+}
+function verifySenderSignature(envelope, senderPubDer) {
+    const sigStr = envelope.sender_signature;
+    const ctStr = envelope.ciphertext;
+    const tagStr = envelope.tag;
+    const digestHex = envelope.recipients_digest;
+    if (typeof sigStr !== 'string' ||
+        typeof ctStr !== 'string' ||
+        typeof tagStr !== 'string' ||
+        typeof digestHex !== 'string') {
+        return false;
+    }
+    const sig = new Uint8Array(Buffer.from(sigStr, 'base64'));
+    const ct = Buffer.from(ctStr, 'base64');
+    const tag = Buffer.from(tagStr, 'base64');
+    const aadBytes = canonicalJson(envelope.aad);
+    const digestBytes = Buffer.from(digestHex, 'hex');
+    const signInput = new Uint8Array(Buffer.concat([ct, tag, Buffer.from(aadBytes), digestBytes]));
+    return ecdsaVerifyRaw(senderPubDer, sig, signInput);
+}
+//# sourceMappingURL=decrypt.js.map

package/dist/v2/e2ee/decrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../../src/v2/e2ee/decrypt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EACL,eAAe,EACf,uBAAuB,EACvB,iBAAiB,GAElB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;AAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;AAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;AAE3C;;;;;;;;;;GAUG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAiC,EACjC,OAAe,EACf,YAAoB,EACpB,UAAsB,EACtB,WAAmC,EACnC,YAAwB;IAExB,QAAQ;IACR,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,cAAc;IACd,IAAI,GAAG,GAAoB,IAAI,CAAC;IAChC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAwB,CAAC;QAC/C,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC;QAChE,IAAI,uBAAuB,CAAC,IAAI,CAAC,KAAK,cAAc,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QACD,GAAG,GAAG,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QAC7C,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;IACxB,CAAC;SAAM,IAAI,QAAQ,CAAC,SAAS,IAAI,OAAO,QAAQ,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACxE,MAAM,CAAC,GAAG,QAAQ,CAAC,SAAoC,CAAC;QACxD,GAAG,GAAG;YACJ,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;YACnB,MAAM,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC;YACzB,MAAM,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;YACpB,MAAM,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;YAClB,MAAM,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC;YACtB,MAAM,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC;SAC5B,CAAC;QACF,iCAAiC;QACjC,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAuC,CAAC;QAC/D,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC;QAC9D,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,MAAM,IAAI,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,EAAE,CAAC;gBAClD,mBAAmB;gBACnB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,IAAI,CAAC;IACd,CAAC;IAED,eAAe;IACf,MAAM,kBAAkB,GAAG,IAAI,UAAU,CACvC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,CAAC,EAAE,QAAQ,CAAC,CAChE,CAAC;IACF,MAAM,GAAG,GAAG,QAAQ,CAAC,GAA8B,CAAC;IACpD,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,IAAI,UAAU,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,EAAE,kBAAkB,EAAE,QAAQ,CAAC,CAAC;IAEzE,cAAc;IACd,MAAM,OAAO,GAAG,cAAc,CAC5B,GAAG,EACH,UAAU,EACV,WAAW,EACX,kBAAkB,EAClB,YAAY,EACZ,QAAQ,CACT,CAAC;IAEF,wBAAwB;IACxB,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,IAAI,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IACjE,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9F,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IACrF,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IACpF,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC9E,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;IAExE,gBAAgB;IAChB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAA4B,CAAC;AACzF,CAAC;AAED,SAAS,eAAe,CACtB,QAAoB,EACpB,kBAA8B,EAC9B,QAAgB;IAEhB,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC1C,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAClC,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,cAAc,CACrB,GAAa,EACb,UAAsB,EACtB,WAAmC,EACnC,kBAA8B,EAC9B,iBAA6B,EAC7B,IAAgB;IAEhB,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;IACrB,IAAI,KAAK,IAAI,WAAW,EAAE,CAAC;QACzB,iHAAiH;QACjH,MAAM,GAAG,GAAG,iBAAiB,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;QAC9D,MAAM,GAAG,GAAG,iBAAiB,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC;QAC9D,MAAM,GAAG,GAAG,iBAAiB,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAC/B,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAChB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACjB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACjB,OAAO,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;IAC7C,CAAC;IACD,UAAU;IACV,MAAM,GAAG,GAAG,iBAAiB,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;IAC9D,OAAO,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,SAAS,CAAC,IAAgB,EAAE,GAAW,EAAE,QAAgB;IAChE,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,qBAAqB,CAC5B,QAAiC,EACjC,YAAwB;IAExB,MAAM,MAAM,GAAG,QAAQ,CAAC,gBAAgB,CAAC;IACzC,MAAM,KAAK,GAAG,QAAQ,CAAC,UAAU,CAAC;IAClC,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC;IAC5B,MAAM,SAAS,GAAG,QAAQ,CAAC,iBAAiB,CAAC;IAC7C,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,OAAO,KAAK,KAAK,QAAQ;QACzB,OAAO,MAAM,KAAK,QAAQ;QAC1B,OAAO,SAAS,KAAK,QAAQ,EAC7B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC1D,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,IAAI,UAAU,CAC9B,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,WAAW,CAAC,CAAC,CAC7D,CAAC;IACF,OAAO,cAAc,CAAC,YAAY,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;AACtD,CAAC"}

package/dist/v2/e2ee/encrypt-group.d.ts

@@ -0,0 +1,17 @@
+/**
+ * AUN E2EE V2: Group 加密引擎
+ *
+ * 构造完整的 `e2ee.group_encrypted` envelope。纯计算，无 IO。
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_group.encrypt_group_message` 对齐。
+ *
+ * 与 P2P 同构，AAD 多 group_id / epoch / state_commitment；envelope 顶层多
+ * group_id / epoch，无 to / t_supplement。
+ */
+import { Sender, Target, EncryptOptions, StateCommitmentAAD } from './types.js';
+/**
+ * 构造完整的 V2 Group 加密 envelope。
+ *
+ * @param stateCommitment 可选；缺省时写入占位（state_version=0）以兼容未启用 state 的群。
+ */
+export declare function encryptGroupMessage(sender: Sender, groupId: string, epoch: number, targets: Target[], payload: Record<string, unknown>, opts?: EncryptOptions, stateCommitment?: StateCommitmentAAD | null): Record<string, unknown>;

package/dist/v2/e2ee/encrypt-group.js

@@ -0,0 +1,143 @@
+/**
+ * AUN E2EE V2: Group 加密引擎
+ *
+ * 构造完整的 `e2ee.group_encrypted` envelope。纯计算，无 IO。
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_group.encrypt_group_message` 对齐。
+ *
+ * 与 P2P 同构，AAD 多 group_id / epoch / state_commitment；envelope 顶层多
+ * group_id / epoch，无 to / t_supplement。
+ */
+import { createHash, randomUUID, randomBytes } from 'node:crypto';
+import { canonicalJson } from '../crypto/canonical.js';
+import { ecdsaSignRaw } from '../crypto/ecdsa.js';
+import { aesGcmEncrypt } from '../crypto/aead.js';
+import { generateP256Keypair } from '../crypto/ecdh.js';
+import { compute3DHWrap, compute1DHWrap } from '../crypto/dh-path.js';
+import { sortRecipients, computeRecipientsDigest } from '../crypto/recipients.js';
+import { SUITE_NAME, } from './types.js';
+import { withMetadataAuth, PROTECTED_HEADERS_DOMAIN, PROTECTED_CONTEXT_DOMAIN } from './metadata-auth.js';
+import { normalizeProtectedHeaders } from './encrypt-p2p.js';
+const TEXT = new TextEncoder();
+/**
+ * 构造完整的 V2 Group 加密 envelope。
+ *
+ * @param stateCommitment 可选；缺省时写入占位（state_version=0）以兼容未启用 state 的群。
+ */
+export function encryptGroupMessage(sender, groupId, epoch, targets, payload, opts = {}, stateCommitment) {
+    const masterKey = new Uint8Array(randomBytes(32));
+    const msgNonce = new Uint8Array(randomBytes(12));
+    const messageId = opts.messageId ?? `m-${randomUUID().replace(/-/g, '')}`;
+    const timestamp = opts.timestamp ?? Date.now();
+    // wrap_protocol_str
+    const protocolSet = new Set();
+    for (const t of targets) {
+        const has3DH = !!t.spkPkDer &&
+            (t.keySource === 'peer_device_prekey' || t.keySource === 'group_device_prekey');
+        protocolSet.add(has3DH ? '3DH' : '1DH');
+    }
+    const wrapProtocolStr = protocolSet.size === 0 ? '1DH' : [...protocolSet].sort().join('+');
+    // state_commitment（缺省占位）
+    const sc = stateCommitment ?? {};
+    const stateCommitmentAAD = {
+        state_version: Number(sc.state_version ?? 0) || 0,
+        state_hash: String(sc.state_hash ?? ''),
+        state_chain: String(sc.state_chain ?? ''),
+    };
+    const aad = {
+        from: sender.aid,
+        from_device: sender.deviceId,
+        group_id: groupId,
+        epoch,
+        message_id: messageId,
+        timestamp,
+        suite: SUITE_NAME,
+        wrap_protocol: wrapProtocolStr,
+        state_commitment: stateCommitmentAAD,
+    };
+    const plaintextBytes = canonicalJson(payload);
+    const aadBytes = canonicalJson(aad);
+    const { ciphertext, tag } = aesGcmEncrypt(masterKey, msgNonce, plaintextBytes, aadBytes);
+    const [senderSessionPriv, senderSessionPubDer] = generateP256Keypair();
+    // wrap_salt = SHA256(canonical_aad || sender_session_pk_der || suite)[:16]
+    const wrapSalt = computeWrapSalt(aadBytes, senderSessionPubDer);
+    const recipientsRows = [];
+    for (const target of targets) {
+        recipientsRows.push(wrapForRecipient(target, masterKey, senderSessionPriv, sender.ikPriv, wrapSalt));
+    }
+    const sortedRows = sortRecipients(recipientsRows);
+    const digestHex = computeRecipientsDigest(sortedRows);
+    const digestBytes = Buffer.from(digestHex, 'hex');
+    const signInput = Buffer.concat([
+        Buffer.from(ciphertext),
+        Buffer.from(tag),
+        Buffer.from(aadBytes),
+        digestBytes,
+    ]);
+    const senderSig = ecdsaSignRaw(sender.ikPriv, new Uint8Array(signInput));
+    const certFpHash = createHash('sha256').update(Buffer.from(sender.ikPubDer)).digest('hex');
+    const certFp = `sha256:${certFpHash.substring(0, 16)}`;
+    const envelope = {
+        type: 'e2ee.group_encrypted',
+        version: 'v2',
+        suite: SUITE_NAME,
+        msg_type: 'original',
+        group_id: groupId,
+        epoch,
+        t_send: timestamp,
+        t_server: null,
+        nonce: Buffer.from(msgNonce).toString('base64'),
+        ciphertext: Buffer.from(ciphertext).toString('base64'),
+        tag: Buffer.from(tag).toString('base64'),
+        sender_signature: Buffer.from(senderSig).toString('base64'),
+        sender_cert_fingerprint: certFp,
+        sender_session_pk: Buffer.from(senderSessionPubDer).toString('base64'),
+        recipients_digest: digestHex,
+        recipients: sortedRows,
+        aad,
+    };
+    // protected_headers / context：HMAC 签名，不进 AAD。
+    // payload_type 自动注入 + value 转 string（与 Python _normalize_headers 对齐）
+    const normalizedHeaders = normalizeProtectedHeaders(opts.protectedHeaders, payload);
+    if (Object.keys(normalizedHeaders).length > 0) {
+        envelope.protected_headers = withMetadataAuth(normalizedHeaders, masterKey, PROTECTED_HEADERS_DOMAIN);
+    }
+    if (opts.context && typeof opts.context === 'object' && !Array.isArray(opts.context) && Object.keys(opts.context).length > 0) {
+        envelope.context = withMetadataAuth(opts.context, masterKey, PROTECTED_CONTEXT_DOMAIN);
+    }
+    return envelope;
+}
+function computeWrapSalt(aadBytes, senderSessionPubDer) {
+    const suiteBytes = TEXT.encode(SUITE_NAME);
+    const h = createHash('sha256');
+    h.update(Buffer.from(aadBytes));
+    h.update(Buffer.from(senderSessionPubDer));
+    h.update(Buffer.from(suiteBytes));
+    return new Uint8Array(h.digest()).subarray(0, 16);
+}
+function wrapForRecipient(target, masterKey, senderSessionPriv, senderMasterPriv, wrapSalt) {
+    const fpHash = createHash('sha256').update(Buffer.from(target.ikPkDer)).digest('hex');
+    const fp = `sha256:${fpHash.substring(0, 16)}`;
+    const wrapNonce = new Uint8Array(randomBytes(12));
+    let wrapKey;
+    if (target.spkPkDer &&
+        (target.keySource === 'peer_device_prekey' || target.keySource === 'group_device_prekey')) {
+        wrapKey = compute3DHWrap(senderSessionPriv, senderMasterPriv, target.ikPkDer, target.spkPkDer, wrapSalt);
+    }
+    else {
+        wrapKey = compute1DHWrap(senderSessionPriv, target.ikPkDer, wrapSalt);
+    }
+    const { ciphertext: wrappedCt, tag: wrappedTag } = aesGcmEncrypt(wrapKey, wrapNonce, masterKey, new Uint8Array(0));
+    const wrappedKey = Buffer.concat([Buffer.from(wrappedCt), Buffer.from(wrappedTag)]);
+    return [
+        target.aid,
+        target.deviceId,
+        target.role,
+        target.keySource,
+        fp,
+        target.spkId ?? '',
+        Buffer.from(wrapNonce).toString('base64'),
+        wrappedKey.toString('base64'),
+    ];
+}
+//# sourceMappingURL=encrypt-group.js.map

package/dist/v2/e2ee/encrypt-group.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt-group.js","sourceRoot":"","sources":["../../../src/v2/e2ee/encrypt-group.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAKL,UAAU,GACX,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC1G,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAE7D,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;AAE/B;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAc,EACd,OAAe,EACf,KAAa,EACb,OAAiB,EACjB,OAAgC,EAChC,OAAuB,EAAE,EACzB,eAA2C;IAE3C,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAEjD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;IAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAE/C,oBAAoB;IACpB,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,MAAM,GACV,CAAC,CAAC,CAAC,CAAC,QAAQ;YACZ,CAAC,CAAC,CAAC,SAAS,KAAK,oBAAoB,IAAI,CAAC,CAAC,SAAS,KAAK,qBAAqB,CAAC,CAAC;QAClF,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,eAAe,GACnB,WAAW,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAErE,yBAAyB;IACzB,MAAM,EAAE,GAAG,eAAe,IAAI,EAAE,CAAC;IACjC,MAAM,kBAAkB,GAAG;QACzB,aAAa,EAAE,MAAM,CAAE,EAAiC,CAAC,aAAa,IAAI,CAAC,CAAC,IAAI,CAAC;QACjF,UAAU,EAAE,MAAM,CAAE,EAA8B,CAAC,UAAU,IAAI,EAAE,CAAC;QACpE,WAAW,EAAE,MAAM,CAAE,EAA+B,CAAC,WAAW,IAAI,EAAE,CAAC;KACxE,CAAC;IAEF,MAAM,GAAG,GAA4B;QACnC,IAAI,EAAE,MAAM,CAAC,GAAG;QAChB,WAAW,EAAE,MAAM,CAAC,QAAQ;QAC5B,QAAQ,EAAE,OAAO;QACjB,KAAK;QACL,UAAU,EAAE,SAAS;QACrB,SAAS;QACT,KAAK,EAAE,UAAU;QACjB,aAAa,EAAE,eAAe;QAC9B,gBAAgB,EAAE,kBAAkB;KACrC,CAAC;IAEF,MAAM,cAAc,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,aAAa,CAAC,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAC;IAEzF,MAAM,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,GAAG,mBAAmB,EAAE,CAAC;IAEvE,2EAA2E;IAC3E,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;IAEhE,MAAM,cAAc,GAAe,EAAE,CAAC;IACtC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,cAAc,CAAC,IAAI,CACjB,gBAAgB,CAAC,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;IAEtD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;QACrB,WAAW;KACZ,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;IAEzE,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3F,MAAM,MAAM,GAAG,UAAU,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAEvD,MAAM,QAAQ,GAA4B;QACxC,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,IAAI;QACb,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,KAAK;QACL,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC/C,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtD,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACxC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3D,uBAAuB,EAAE,MAAM;QAC/B,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtE,iBAAiB,EAAE,SAAS;QAC5B,UAAU,EAAE,UAAU;QACtB,GAAG;KACJ,CAAC;IAEF,8CAA8C;IAC9C,qEAAqE;IACrE,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,IAAI,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IACpF,IAAI,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,QAAQ,CAAC,iBAAiB,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,SAAS,EAAE,wBAAwB,CAAC,CAAC;IACxG,CAAC;IACD,IAAI,IAAI,CAAC,OAAO,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7H,QAAQ,CAAC,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,wBAAwB,CAAC,CAAC;IACzF,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CAAC,QAAoB,EAAE,mBAA+B;IAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAClC,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,gBAAgB,CACvB,MAAc,EACd,SAAqB,EACrB,iBAA6B,EAC7B,gBAA4B,EAC5B,QAAoB;IAEpB,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtF,MAAM,EAAE,GAAG,UAAU,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAE/C,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAElD,IAAI,OAAmB,CAAC;IACxB,IACE,MAAM,CAAC,QAAQ;QACf,CAAC,MAAM,CAAC,SAAS,KAAK,oBAAoB,IAAI,MAAM,CAAC,SAAS,KAAK,qBAAqB,CAAC,EACzF,CAAC;QACD,OAAO,GAAG,cAAc,CACtB,iBAAiB,EACjB,gBAAgB,EAChB,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,QAAQ,EACf,QAAQ,CACT,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,cAAc,CAAC,iBAAiB,EAAE,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,aAAa,CAC9D,OAAO,EACP,SAAS,EACT,SAAS,EACT,IAAI,UAAU,CAAC,CAAC,CAAC,CAClB,CAAC;IACF,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEpF,OAAO;QACL,MAAM,CAAC,GAAG;QACV,MAAM,CAAC,QAAQ;QACf,MAAM,CAAC,IAAI;QACX,MAAM,CAAC,SAAS;QAChB,EAAE;QACF,MAAM,CAAC,KAAK,IAAI,EAAE;QAClB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC9B,CAAC;AACJ,CAAC"}

package/dist/v2/e2ee/encrypt-p2p.d.ts

@@ -0,0 +1,31 @@
+/**
+ * AUN E2EE V2: P2P 加密引擎
+ *
+ * 构造完整的 `e2ee.p2p_encrypted` envelope。纯计算，无 IO。
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_p2p.encrypt_p2p_message` 对齐。
+ *
+ * 步骤：
+ *  1. 生成 master_key + msg_nonce
+ *  2. 构造 message_id / timestamp
+ *  3. 推导 peer_aid 与 wrap_protocol_str
+ *  4. 构造 AAD 并加密 payload
+ *  5. 生成 sender_session keypair
+ *  6. 计算 wrap_salt
+ *  7. 为每个 target wrap master_key
+ *  8. 排序 recipients + 计算 digest
+ *  9. 计算 sender_signature
+ * 10. 计算 sender_cert_fingerprint
+ * 11. 组装 envelope
+ */
+import { type ProtectedHeadersInput } from '../../protected-headers.js';
+import { Sender, TargetSet, EncryptOptions } from './types.js';
+/**
+ * 构造完整的 V2 P2P 加密 envelope。
+ */
+export declare function encryptP2PMessage(sender: Sender, targetSet: TargetSet, payload: Record<string, unknown>, opts?: EncryptOptions): Record<string, unknown>;
+/**
+ * 规范化 protected_headers：value 转 string + 自动注入 payload_type。
+ * 与 Python `_normalize_headers` 对齐。
+ */
+export declare function normalizeProtectedHeaders(headers: ProtectedHeadersInput, payload: Record<string, unknown>): Record<string, string>;

package/dist/v2/e2ee/encrypt-p2p.js

@@ -0,0 +1,190 @@
+/**
+ * AUN E2EE V2: P2P 加密引擎
+ *
+ * 构造完整的 `e2ee.p2p_encrypted` envelope。纯计算，无 IO。
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_p2p.encrypt_p2p_message` 对齐。
+ *
+ * 步骤：
+ *  1. 生成 master_key + msg_nonce
+ *  2. 构造 message_id / timestamp
+ *  3. 推导 peer_aid 与 wrap_protocol_str
+ *  4. 构造 AAD 并加密 payload
+ *  5. 生成 sender_session keypair
+ *  6. 计算 wrap_salt
+ *  7. 为每个 target wrap master_key
+ *  8. 排序 recipients + 计算 digest
+ *  9. 计算 sender_signature
+ * 10. 计算 sender_cert_fingerprint
+ * 11. 组装 envelope
+ */
+import { createHash, randomUUID, randomBytes } from 'node:crypto';
+import { canonicalJson } from '../crypto/canonical.js';
+import { ecdsaSignRaw } from '../crypto/ecdsa.js';
+import { aesGcmEncrypt } from '../crypto/aead.js';
+import { generateP256Keypair } from '../crypto/ecdh.js';
+import { compute3DHWrap, compute1DHWrap } from '../crypto/dh-path.js';
+import { sortRecipients, computeRecipientsDigest } from '../crypto/recipients.js';
+import { ProtectedHeaders } from '../../protected-headers.js';
+import { SUITE_NAME, } from './types.js';
+import { withMetadataAuth, PROTECTED_HEADERS_DOMAIN, PROTECTED_CONTEXT_DOMAIN } from './metadata-auth.js';
+const TEXT = new TextEncoder();
+/**
+ * 构造完整的 V2 P2P 加密 envelope。
+ */
+export function encryptP2PMessage(sender, targetSet, payload, opts = {}) {
+    // 1. master_key + msg_nonce
+    const masterKey = new Uint8Array(randomBytes(32));
+    const msgNonce = new Uint8Array(randomBytes(12));
+    // 2. message_id + timestamp
+    const messageId = opts.messageId ?? `m-${randomUUID().replace(/-/g, '')}`;
+    const timestamp = opts.timestamp ?? Date.now();
+    // 3. peer_aid（首个非 audit 的 target.aid；与 Python 一致）
+    let peerAid = '';
+    for (const t of targetSet.targets) {
+        if (t.role !== 'audit') {
+            peerAid = t.aid;
+            break;
+        }
+    }
+    // 4. wrap_protocol_str
+    const allTargets = [
+        ...targetSet.targets,
+        ...(targetSet.auditRecipients ?? []),
+    ];
+    const protocolSet = new Set();
+    for (const t of allTargets) {
+        const has3DH = !!t.spkPkDer &&
+            (t.keySource === 'peer_device_prekey' || t.keySource === 'group_device_prekey');
+        protocolSet.add(has3DH ? '3DH' : '1DH');
+    }
+    const wrapProtocolStr = protocolSet.size === 0 ? '1DH' : [...protocolSet].sort().join('+');
+    // 5. AAD（顺序在 canonical_json 时由键名排序统一，这里只是构造对象）
+    const aad = {
+        from: sender.aid,
+        from_device: sender.deviceId,
+        to: peerAid,
+        message_id: messageId,
+        timestamp,
+        suite: SUITE_NAME,
+        wrap_protocol: wrapProtocolStr,
+    };
+    // 6. encrypt body
+    const plaintextBytes = canonicalJson(payload);
+    const aadBytes = canonicalJson(aad);
+    const { ciphertext, tag } = aesGcmEncrypt(masterKey, msgNonce, plaintextBytes, aadBytes);
+    // 7. sender_session keypair
+    const [senderSessionPriv, senderSessionPubDer] = generateP256Keypair();
+    // 8. wrap_salt = SHA256(canonical_aad || sender_session_pk_der || suite)[:16]
+    const wrapSalt = computeWrapSalt(aadBytes, senderSessionPubDer);
+    // 9. wrap recipients
+    const recipientsRows = [];
+    for (const target of allTargets) {
+        recipientsRows.push(wrapForRecipient(target, masterKey, senderSessionPriv, sender.ikPriv, wrapSalt));
+    }
+    // 10. sort + digest
+    const sortedRows = sortRecipients(recipientsRows);
+    const digestHex = computeRecipientsDigest(sortedRows);
+    // 11. sender_signature
+    const digestBytes = Buffer.from(digestHex, 'hex');
+    const signInput = Buffer.concat([
+        Buffer.from(ciphertext),
+        Buffer.from(tag),
+        Buffer.from(aadBytes),
+        digestBytes,
+    ]);
+    const senderSig = ecdsaSignRaw(sender.ikPriv, new Uint8Array(signInput));
+    // 12. cert_fingerprint
+    const certFpHash = createHash('sha256').update(Buffer.from(sender.ikPubDer)).digest('hex');
+    const certFp = `sha256:${certFpHash.substring(0, 16)}`;
+    const envelope = {
+        type: 'e2ee.p2p_encrypted',
+        version: 'v2',
+        suite: SUITE_NAME,
+        msg_type: 'original',
+        t_send: timestamp,
+        t_supplement: null,
+        t_server: null,
+        nonce: Buffer.from(msgNonce).toString('base64'),
+        ciphertext: Buffer.from(ciphertext).toString('base64'),
+        tag: Buffer.from(tag).toString('base64'),
+        sender_signature: Buffer.from(senderSig).toString('base64'),
+        sender_cert_fingerprint: certFp,
+        sender_session_pk: Buffer.from(senderSessionPubDer).toString('base64'),
+        recipients_digest: digestHex,
+        recipients: sortedRows,
+        aad,
+    };
+    // protected_headers / context：HMAC 签名，不进 AAD。
+    // payload_type 自动注入 + value 转 string（与 Python _normalize_headers 对齐）
+    const normalizedHeaders = normalizeProtectedHeaders(opts.protectedHeaders, payload);
+    if (Object.keys(normalizedHeaders).length > 0) {
+        envelope.protected_headers = withMetadataAuth(normalizedHeaders, masterKey, PROTECTED_HEADERS_DOMAIN);
+    }
+    if (isPlainObject(opts.context) && Object.keys(opts.context).length > 0) {
+        // context 过滤 _auth 字段（withMetadataAuth 内部已处理）
+        envelope.context = withMetadataAuth(opts.context, masterKey, PROTECTED_CONTEXT_DOMAIN);
+    }
+    return envelope;
+}
+/**
+ * 规范化 protected_headers：value 转 string + 自动注入 payload_type。
+ * 与 Python `_normalize_headers` 对齐。
+ */
+export function normalizeProtectedHeaders(headers, payload) {
+    const normalized = {};
+    if (headers instanceof ProtectedHeaders) {
+        Object.assign(normalized, headers.toObject());
+    }
+    else if (isPlainObject(headers)) {
+        Object.assign(normalized, ProtectedHeaders.from(headers).toObject());
+    }
+    // payload_type 自动注入（与 Python 对齐：即使未显式传 protected_headers 也会注入）
+    const payloadType = typeof payload?.type === 'string' ? payload.type : '';
+    if (payloadType && !('payload_type' in normalized)) {
+        normalized['payload_type'] = payloadType;
+    }
+    return normalized;
+}
+function isPlainObject(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return false;
+    }
+    const proto = Object.getPrototypeOf(value);
+    return proto === Object.prototype || proto === null;
+}
+function computeWrapSalt(aadBytes, senderSessionPubDer) {
+    const suiteBytes = TEXT.encode(SUITE_NAME);
+    const h = createHash('sha256');
+    h.update(Buffer.from(aadBytes));
+    h.update(Buffer.from(senderSessionPubDer));
+    h.update(Buffer.from(suiteBytes));
+    return new Uint8Array(h.digest()).subarray(0, 16);
+}
+function wrapForRecipient(target, masterKey, senderSessionPriv, senderMasterPriv, wrapSalt) {
+    const fpHash = createHash('sha256').update(Buffer.from(target.ikPkDer)).digest('hex');
+    const fp = `sha256:${fpHash.substring(0, 16)}`;
+    const wrapNonce = new Uint8Array(randomBytes(12));
+    let wrapKey;
+    if (target.spkPkDer &&
+        (target.keySource === 'peer_device_prekey' || target.keySource === 'group_device_prekey')) {
+        wrapKey = compute3DHWrap(senderSessionPriv, senderMasterPriv, target.ikPkDer, target.spkPkDer, wrapSalt);
+    }
+    else {
+        wrapKey = compute1DHWrap(senderSessionPriv, target.ikPkDer, wrapSalt);
+    }
+    // AES-GCM wrap master_key（无 AAD）
+    const { ciphertext: wrappedCt, tag: wrappedTag } = aesGcmEncrypt(wrapKey, wrapNonce, masterKey, new Uint8Array(0));
+    const wrappedKey = Buffer.concat([Buffer.from(wrappedCt), Buffer.from(wrappedTag)]);
+    return [
+        target.aid,
+        target.deviceId,
+        target.role,
+        target.keySource,
+        fp,
+        target.spkId ?? '',
+        Buffer.from(wrapNonce).toString('base64'),
+        wrappedKey.toString('base64'),
+    ];
+}
+//# sourceMappingURL=encrypt-p2p.js.map

package/dist/v2/e2ee/encrypt-p2p.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt-p2p.js","sourceRoot":"","sources":["../../../src/v2/e2ee/encrypt-p2p.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAA8B,MAAM,4BAA4B,CAAC;AAC1F,OAAO,EAKL,UAAU,GACX,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAE1G,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;AAE/B;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,MAAc,EACd,SAAoB,EACpB,OAAgC,EAChC,OAAuB,EAAE;IAEzB,4BAA4B;IAC5B,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAEjD,4BAA4B;IAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;IAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAE/C,kDAAkD;IAClD,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QAClC,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACvB,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC;YAChB,MAAM;QACR,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,MAAM,UAAU,GAAa;QAC3B,GAAG,SAAS,CAAC,OAAO;QACpB,GAAG,CAAC,SAAS,CAAC,eAAe,IAAI,EAAE,CAAC;KACrC,CAAC;IACF,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,MAAM,MAAM,GACV,CAAC,CAAC,CAAC,CAAC,QAAQ;YACZ,CAAC,CAAC,CAAC,SAAS,KAAK,oBAAoB,IAAI,CAAC,CAAC,SAAS,KAAK,qBAAqB,CAAC,CAAC;QAClF,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,eAAe,GACnB,WAAW,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAErE,+CAA+C;IAC/C,MAAM,GAAG,GAA4B;QACnC,IAAI,EAAE,MAAM,CAAC,GAAG;QAChB,WAAW,EAAE,MAAM,CAAC,QAAQ;QAC5B,EAAE,EAAE,OAAO;QACX,UAAU,EAAE,SAAS;QACrB,SAAS;QACT,KAAK,EAAE,UAAU;QACjB,aAAa,EAAE,eAAe;KAC/B,CAAC;IAEF,kBAAkB;IAClB,MAAM,cAAc,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,aAAa,CAAC,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAC;IAEzF,4BAA4B;IAC5B,MAAM,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,GAAG,mBAAmB,EAAE,CAAC;IAEvE,8EAA8E;IAC9E,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;IAEhE,qBAAqB;IACrB,MAAM,cAAc,GAAe,EAAE,CAAC;IACtC,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,cAAc,CAAC,IAAI,CACjB,gBAAgB,CAAC,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAChF,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;IAEtD,uBAAuB;IACvB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;QACrB,WAAW;KACZ,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;IAEzE,uBAAuB;IACvB,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3F,MAAM,MAAM,GAAG,UAAU,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAEvD,MAAM,QAAQ,GAA4B;QACxC,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,IAAI;QACb,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,IAAI;QAClB,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC/C,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtD,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACxC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3D,uBAAuB,EAAE,MAAM;QAC/B,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtE,iBAAiB,EAAE,SAAS;QAC5B,UAAU,EAAE,UAAU;QACtB,GAAG;KACJ,CAAC;IAEF,8CAA8C;IAC9C,qEAAqE;IACrE,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,IAAI,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IACpF,IAAI,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,QAAQ,CAAC,iBAAiB,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,SAAS,EAAE,wBAAwB,CAAC,CAAC;IACxG,CAAC;IACD,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxE,8CAA8C;QAC9C,QAAQ,CAAC,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,wBAAwB,CAAC,CAAC;IACzF,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAA8B,EAC9B,OAAgC;IAEhC,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,IAAI,OAAO,YAAY,gBAAgB,EAAE,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChD,CAAC;SAAM,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,+DAA+D;IAC/D,MAAM,WAAW,GAAG,OAAO,OAAO,EAAE,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,IAAI,WAAW,IAAI,CAAC,CAAC,cAAc,IAAI,UAAU,CAAC,EAAE,CAAC;QACnD,UAAU,CAAC,cAAc,CAAC,GAAG,WAAW,CAAC;IAC3C,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAC3C,OAAO,KAAK,KAAK,MAAM,CAAC,SAAS,IAAI,KAAK,KAAK,IAAI,CAAC;AACtD,CAAC;AAED,SAAS,eAAe,CAAC,QAAoB,EAAE,mBAA+B;IAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAClC,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,gBAAgB,CACvB,MAAc,EACd,SAAqB,EACrB,iBAA6B,EAC7B,gBAA4B,EAC5B,QAAoB;IAEpB,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtF,MAAM,EAAE,GAAG,UAAU,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAE/C,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAElD,IAAI,OAAmB,CAAC;IACxB,IACE,MAAM,CAAC,QAAQ;QACf,CAAC,MAAM,CAAC,SAAS,KAAK,oBAAoB,IAAI,MAAM,CAAC,SAAS,KAAK,qBAAqB,CAAC,EACzF,CAAC;QACD,OAAO,GAAG,cAAc,CACtB,iBAAiB,EACjB,gBAAgB,EAChB,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,QAAQ,EACf,QAAQ,CACT,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,cAAc,CAAC,iBAAiB,EAAE,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACxE,CAAC;IAED,iCAAiC;IACjC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,aAAa,CAC9D,OAAO,EACP,SAAS,EACT,SAAS,EACT,IAAI,UAAU,CAAC,CAAC,CAAC,CAClB,CAAC;IACF,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEpF,OAAO;QACL,MAAM,CAAC,GAAG;QACV,MAAM,CAAC,QAAQ;QACf,MAAM,CAAC,IAAI;QACX,MAAM,CAAC,SAAS;QAChB,EAAE;QACF,MAAM,CAAC,KAAK,IAAI,EAAE;QAClB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC9B,CAAC;AACJ,CAAC"}

package/dist/v2/e2ee/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * AUN E2EE V2: 加解密引擎导出。
+ */
+export { encryptP2PMessage } from './encrypt-p2p.js';
+export { encryptGroupMessage } from './encrypt-group.js';
+export { decryptMessage } from './decrypt.js';
+export { withMetadataAuth, PROTECTED_HEADERS_DOMAIN, PROTECTED_CONTEXT_DOMAIN, METADATA_KEY_DOMAIN } from './metadata-auth.js';
+export type { Sender, Target, TargetSet, EncryptOptions, StateCommitmentAAD } from './types.js';
+export { SUITE_NAME } from './types.js';

package/dist/v2/e2ee/index.js

@@ -0,0 +1,9 @@
+/**
+ * AUN E2EE V2: 加解密引擎导出。
+ */
+export { encryptP2PMessage } from './encrypt-p2p.js';
+export { encryptGroupMessage } from './encrypt-group.js';
+export { decryptMessage } from './decrypt.js';
+export { withMetadataAuth, PROTECTED_HEADERS_DOMAIN, PROTECTED_CONTEXT_DOMAIN, METADATA_KEY_DOMAIN } from './metadata-auth.js';
+export { SUITE_NAME } from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/v2/e2ee/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/v2/e2ee/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAE/H,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC"}

package/dist/v2/e2ee/metadata-auth.d.ts

@@ -0,0 +1,15 @@
+/**
+ * AUN E2EE V2: protected_headers / context HMAC 签名
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_p2p._with_metadata_auth` 对齐。
+ * 用 master_key 派生 HMAC key，对 metadata body 做签名，生成 `_auth` 字段。
+ */
+export declare const METADATA_KEY_DOMAIN: Buffer<ArrayBuffer>;
+export declare const PROTECTED_HEADERS_DOMAIN: Buffer<ArrayBuffer>;
+export declare const PROTECTED_CONTEXT_DOMAIN: Buffer<ArrayBuffer>;
+/**
+ * 为 metadata 对象添加 HMAC 签名（_auth 字段）。
+ *
+ * 如果 body（去除 _auth 后）为空，返回空对象。
+ */
+export declare function withMetadataAuth(metadata: Record<string, unknown>, key: Uint8Array, domain: Buffer): Record<string, unknown>;