@agirails/sdk 4.4.8 → 4.5.2

package/dist/delivery/keys.js

@@ -0,0 +1,513 @@
+"use strict";
+/**
+ * AIP-16 Delivery Surface — X25519 Keys, ECDH, HKDF (Phase 2a Foundation)
+ * ========================================================================
+ *
+ * Cryptographic primitives for the encrypted delivery scheme
+ * (`x25519-aes256gcm-v1`) of AIP-16 Rev 5.
+ *
+ * This module is intentionally *primitive-level* — it deals only in
+ * raw key material (Uint8Array), 0x-prefixed hex serialization, and
+ * the three numbered steps of the ECDH+HKDF derivation:
+ *
+ *   1. Generate an ephemeral X25519 keypair.
+ *   2. Combine the local secret with the peer's public key (ECDH on
+ *      Curve25519, per RFC 7748) to produce a 32-byte shared secret.
+ *   3. Stretch the shared secret to a 32-byte AES-256-GCM key via
+ *      HKDF-SHA256 (RFC 5869), using the on-chain `txId` as the salt
+ *      and `"agirails-delivery-v1"` as the info string.
+ *
+ * AEAD encryption itself, body framing, and EIP-712 signing live in
+ * later phases (`crypto.ts`, `envelopeBuilder.ts`); this file is
+ * deliberately small so it can be audited end-to-end.
+ *
+ * ## Library choice
+ *
+ * X25519 is implemented via `@noble/curves/ed25519` (audited, no
+ * native deps, constant-time on supported runtimes). HKDF-SHA256 is
+ * provided by Node's built-in `crypto.hkdfSync` — chosen over
+ * `@noble/hashes` to minimize the new-dependency surface. Both choices
+ * are deterministic and have no global state.
+ *
+ * ## Memory hygiene
+ *
+ * Private key material returned by `generateEphemeralKeyPair` is held
+ * in plain `Uint8Array`s. The intent of "ephemeral" in AIP-16 is that
+ * the caller derives the session key and then drops the reference to
+ * the private key. Forward secrecy against compromise of long-term
+ * provider/requester keys is provided by *fresh keypair per delivery*;
+ * there is no key-rotation mechanism within a single delivery exchange.
+ *
+ * Callers SHOULD avoid logging `EphemeralKeyPair.privateKey` or any
+ * value derived from it.
+ *
+ * ## What is NOT here
+ *
+ * - AES-256-GCM seal/open (later: `crypto.ts`).
+ * - keccak256 hashing of body bytes (uses ethers in builders).
+ * - EIP-712 signing (already in `eip712.ts`).
+ * - Smart-wallet equality checks (later: verifier modules).
+ *
+ * @module delivery/keys
+ * @see {@link https://www.rfc-editor.org/rfc/rfc7748 RFC 7748 — Elliptic Curves for Security (X25519)}
+ * @see {@link https://www.rfc-editor.org/rfc/rfc5869 RFC 5869 — HKDF}
+ * @see ./types — `DeliveryErrorCode` (crypto_* codes referenced here)
+ * @see ./eip712 — EIP-712 domain & recovery (the *other* foundation module)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pubkeyFromHex = exports.pubkeyToHex = exports.deriveSessionKey = exports.deriveSharedSecret = exports.generateEphemeralKeyPair = exports.DeliveryCryptoError = exports.DELIVERY_HKDF_INFO_V1 = exports.TX_ID_BYTES = exports.DELIVERY_SESSION_KEY_LENGTH = exports.X25519_SHARED_SECRET_LENGTH = exports.X25519_PRIVATE_KEY_LENGTH = exports.X25519_PUBLIC_KEY_LENGTH = void 0;
+const node_crypto_1 = require("node:crypto");
+const ed25519_1 = require("@noble/curves/ed25519");
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * Length (in bytes) of an X25519 public key. RFC 7748 §5.
+ *
+ * Both the buyer's `buyerEphemeralPubkey` field and the provider's
+ * `providerEphemeralPubkey` field in the signed EIP-712 payloads carry
+ * exactly this many bytes (encoded as `bytes32` in the typed-data
+ * schema; X25519 keys happen to also be 32 bytes, which is why a
+ * single `bytes32` slot fits).
+ */
+exports.X25519_PUBLIC_KEY_LENGTH = 32;
+/**
+ * Length (in bytes) of an X25519 private key (clamped scalar). RFC 7748 §5.
+ *
+ * Equal to {@link X25519_PUBLIC_KEY_LENGTH}, which is coincidence — the
+ * scalar field of Curve25519 is 252 bits but is encoded into a 32-byte
+ * little-endian field with the canonical clamping applied by
+ * `@noble/curves`.
+ */
+exports.X25519_PRIVATE_KEY_LENGTH = 32;
+/**
+ * Length (in bytes) of the X25519 shared secret produced by ECDH.
+ *
+ * Per RFC 7748 the shared secret is the 32-byte little-endian encoding
+ * of the resulting u-coordinate.
+ */
+exports.X25519_SHARED_SECRET_LENGTH = 32;
+/**
+ * Length (in bytes) of the session key derived from HKDF. Sized for
+ * AES-256-GCM (the only AEAD scheme defined for `x25519-aes256gcm-v1`).
+ */
+exports.DELIVERY_SESSION_KEY_LENGTH = 32;
+/**
+ * Length (in bytes) of an on-chain `txId` (`bytes32`).
+ *
+ * The txId is used directly as the HKDF salt: it is high-entropy
+ * (keccak256 of requester/provider/amount/serviceHash/nonce) and
+ * unique per transaction, satisfying RFC 5869's salt recommendation
+ * ("a non-secret random value, ideally hash-output length").
+ */
+exports.TX_ID_BYTES = 32;
+/**
+ * HKDF `info` string for v1 delivery session-key derivation.
+ *
+ * Per RFC 5869 the `info` parameter provides context binding so that
+ * the same `(ikm, salt)` pair produces distinct keys for distinct
+ * application contexts. Locking this string at v1 prevents accidental
+ * key reuse with any future delivery scheme that lands in v2.
+ *
+ * Encoded as UTF-8 bytes when passed to `hkdfSync`.
+ */
+exports.DELIVERY_HKDF_INFO_V1 = 'agirails-delivery-v1';
+// ============================================================================
+// Error Class
+// ============================================================================
+/**
+ * Error thrown by the delivery key primitives when key material or
+ * ECDH/HKDF inputs are malformed, or when the derivation produces a
+ * degenerate result (e.g. all-zero shared secret indicating a
+ * low-order peer pubkey).
+ *
+ * Mirrors the `DeliveryEip712Error` pattern from `./eip712.ts` — a
+ * plain `Error` subclass with a stable `code` field. The codes here
+ * are drawn from the `crypto_*` subset of {@link DeliveryErrorCode}.
+ *
+ * The higher-level `ACTPError`-based delivery class is introduced
+ * alongside the builders/verifiers in a later phase; for the
+ * pre-builder foundation we keep the dependency surface minimal (no
+ * `ACTPError` import, no `State` import).
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   const shared = deriveSharedSecret(myPriv, peerPub);
+ * } catch (err) {
+ *   if (err instanceof DeliveryCryptoError) {
+ *     console.error(err.code, err.message, err.details);
+ *   }
+ *   throw err;
+ * }
+ * ```
+ */
+class DeliveryCryptoError extends Error {
+    constructor(code, message, details) {
+        super(message);
+        this.name = 'DeliveryCryptoError';
+        this.code = code;
+        this.details = details;
+        // Restore prototype chain for `instanceof` after transpilation to ES5.
+        Object.setPrototypeOf(this, DeliveryCryptoError.prototype);
+    }
+}
+exports.DeliveryCryptoError = DeliveryCryptoError;
+// ============================================================================
+// Internal Helpers
+// ============================================================================
+/** Hex alphabet for fast lowercase encoding without `.toLowerCase()` overhead. */
+const HEX_CHARS = '0123456789abcdef';
+/**
+ * Encode raw bytes to a lowercase 0x-prefixed hex string.
+ *
+ * Hand-rolled rather than `Buffer.from(...).toString('hex')` to avoid
+ * any subtle Buffer-vs-Uint8Array confusion (Buffer is a Node-only
+ * subclass that overrides several typed-array methods). The output is
+ * pure ASCII so there is no encoding ambiguity.
+ *
+ * @internal
+ */
+function bytesToHexLower(bytes) {
+    let out = '0x';
+    for (let i = 0; i < bytes.length; i++) {
+        const b = bytes[i]; // bounded by loop
+        out += HEX_CHARS[(b >>> 4) & 0x0f];
+        out += HEX_CHARS[b & 0x0f];
+    }
+    return out;
+}
+/**
+ * Decode a 0x-prefixed hex string to raw bytes. Strict on shape: the
+ * string MUST start with `0x` (or `0X`), MUST contain only hex digits
+ * after the prefix, and MUST have an even number of hex digits.
+ *
+ * Throws {@link DeliveryCryptoError} with code `crypto_keygen_failed`
+ * (the most-applicable existing code) for malformed input. The
+ * specific failure reason is in the error `message` and `details`.
+ *
+ * @internal
+ */
+function hexToBytes(hex, ctx) {
+    if (typeof hex !== 'string') {
+        throw new DeliveryCryptoError('crypto_keygen_failed', `${ctx.field} must be a string, got ${typeof hex}`, { field: ctx.field, type: typeof hex });
+    }
+    if (hex.length < 2 || (hex[0] !== '0' || (hex[1] !== 'x' && hex[1] !== 'X'))) {
+        throw new DeliveryCryptoError('crypto_keygen_failed', `${ctx.field} must start with 0x prefix`, { field: ctx.field, prefix: hex.slice(0, 4) });
+    }
+    const body = hex.slice(2);
+    if (body.length !== ctx.expectedLength * 2) {
+        throw new DeliveryCryptoError('crypto_keygen_failed', `${ctx.field} must be ${ctx.expectedLength * 2} hex chars after 0x (got ${body.length})`, { field: ctx.field, expectedHexChars: ctx.expectedLength * 2, actualHexChars: body.length });
+    }
+    if (!/^[0-9a-fA-F]*$/.test(body)) {
+        throw new DeliveryCryptoError('crypto_keygen_failed', `${ctx.field} contains non-hex characters`, { field: ctx.field });
+    }
+    const out = new Uint8Array(ctx.expectedLength);
+    for (let i = 0; i < ctx.expectedLength; i++) {
+        const hi = parseInt(body[i * 2], 16);
+        const lo = parseInt(body[i * 2 + 1], 16);
+        out[i] = (hi << 4) | lo;
+    }
+    return out;
+}
+/**
+ * Branded assertion that `value` is exactly `length` bytes long.
+ * Throws {@link DeliveryCryptoError} with the supplied code on
+ * mismatch. Used to guard the public ECDH/HKDF entry points.
+ *
+ * @internal
+ */
+function assertByteLength(value, length, code, field) {
+    if (!(value instanceof Uint8Array)) {
+        throw new DeliveryCryptoError(code, `${field} must be a Uint8Array, got ${typeof value}`, { field, type: typeof value });
+    }
+    if (value.length !== length) {
+        throw new DeliveryCryptoError(code, `${field} must be exactly ${length} bytes (got ${value.length})`, { field, expectedLength: length, actualLength: value.length });
+    }
+}
+/**
+ * Check whether a buffer is *entirely* zero. Used to detect degenerate
+ * ECDH outputs (peer pubkey was a low-order Curve25519 point — all
+ * such points map to the zero shared secret, allowing a malicious peer
+ * to force a known key).
+ *
+ * Implemented as an OR-fold rather than `bytes.every(b => b === 0)` so
+ * the JIT can hoist the loop; the constant-time properties of this
+ * particular check are not security-critical (the secret would have
+ * leaked regardless).
+ *
+ * @internal
+ */
+function isAllZero(bytes) {
+    let acc = 0;
+    for (let i = 0; i < bytes.length; i++) {
+        acc |= bytes[i];
+    }
+    return acc === 0;
+}
+// ============================================================================
+// Public API: Key Generation
+// ============================================================================
+/**
+ * Generate a fresh X25519 ephemeral keypair using the system CSPRNG
+ * (via `@noble/curves`, which delegates to `crypto.getRandomValues` /
+ * `node:crypto.randomBytes`).
+ *
+ * The returned pair is intended to live for a *single* delivery
+ * exchange:
+ *  - Buyer side: generated when constructing the `DeliverySetup`,
+ *    public key embedded into `buyerEphemeralPubkey`, private key
+ *    held in memory until the envelope arrives and is decrypted.
+ *  - Provider side: generated when sealing the envelope, public key
+ *    embedded into `providerEphemeralPubkey`, private key used to
+ *    derive the shared secret and then dropped (forward secrecy w.r.t.
+ *    long-term provider keys).
+ *
+ * @returns A new {@link EphemeralKeyPair}.
+ * @throws {DeliveryCryptoError} `crypto_keygen_failed` if the
+ *   underlying library returns key material of unexpected length
+ *   (defensive — should never happen with `@noble/curves` on a
+ *   conformant runtime).
+ *
+ * @example
+ * ```typescript
+ * const kp = generateEphemeralKeyPair();
+ * // kp.publicKeyHex → "0x" + 64-hex-char ephemeral pubkey
+ * // pass kp.publicKey to deriveSharedSecret(myPriv, theirPub) on the peer
+ * ```
+ */
+function generateEphemeralKeyPair() {
+    let secretKey;
+    let publicKey;
+    try {
+        const generated = ed25519_1.x25519.keygen();
+        secretKey = generated.secretKey;
+        publicKey = generated.publicKey;
+    }
+    catch (err) {
+        throw new DeliveryCryptoError('crypto_keygen_failed', `Underlying X25519 keygen failed: ${err instanceof Error ? err.message : String(err)}`, { cause: err instanceof Error ? err.message : String(err) });
+    }
+    // Defensive length checks: @noble/curves SHOULD return 32-byte values,
+    // but we guard so a regression in the library doesn't silently feed
+    // malformed key material into ECDH downstream.
+    if (!(publicKey instanceof Uint8Array) || publicKey.length !== exports.X25519_PUBLIC_KEY_LENGTH) {
+        throw new DeliveryCryptoError('crypto_keygen_failed', `X25519 keygen returned public key of unexpected length: ${publicKey?.length}`, { actualLength: publicKey?.length, expectedLength: exports.X25519_PUBLIC_KEY_LENGTH });
+    }
+    if (!(secretKey instanceof Uint8Array) || secretKey.length !== exports.X25519_PRIVATE_KEY_LENGTH) {
+        throw new DeliveryCryptoError('crypto_keygen_failed', `X25519 keygen returned private key of unexpected length: ${secretKey?.length}`, { actualLength: secretKey?.length, expectedLength: exports.X25519_PRIVATE_KEY_LENGTH });
+    }
+    return {
+        publicKey,
+        privateKey: secretKey,
+        publicKeyHex: bytesToHexLower(publicKey),
+    };
+}
+exports.generateEphemeralKeyPair = generateEphemeralKeyPair;
+// ============================================================================
+// Public API: ECDH
+// ============================================================================
+/**
+ * Compute the X25519 ECDH shared secret between a local private key
+ * and a peer's public key.
+ *
+ * Per RFC 7748, the shared secret is `X25519(privateKey, peerPubkey)`
+ * — the 32-byte little-endian encoding of the u-coordinate of the
+ * scalar multiplication. Both inputs MUST be exactly 32 bytes;
+ * X25519 itself accepts any 32-byte scalar (the canonical clamping
+ * is applied internally by `@noble/curves`), but malformed lengths
+ * indicate caller bugs.
+ *
+ * ## Low-order point check
+ *
+ * Curve25519 has a small set of "low-order" public keys for which
+ * the ECDH output is the all-zero secret regardless of the local
+ * private key. A peer that supplies a low-order pubkey can therefore
+ * force a known shared secret. We detect this by rejecting all-zero
+ * outputs with `crypto_shared_secret_failed`; the caller MUST treat
+ * this as a peer-protocol violation, not a transient error.
+ *
+ * (See RFC 7748 §6.1, which notes that implementations "MAY" reject
+ * such inputs; for AGIRAILS we MUST.)
+ *
+ * @param privateKey - Local X25519 private scalar, exactly 32 bytes.
+ * @param peerPubkey - Peer's X25519 public key, exactly 32 bytes.
+ * @returns The 32-byte shared secret (NOT the session key — see
+ *   {@link deriveSessionKey} for the HKDF stretch).
+ * @throws {DeliveryCryptoError} `crypto_shared_secret_failed` if
+ *   either input is the wrong length, if `@noble/curves` raises, or
+ *   if the resulting shared secret is all-zero (degenerate peer).
+ *
+ * @example
+ * ```typescript
+ * const shared = deriveSharedSecret(buyerPriv, providerPub);
+ * const key = deriveSessionKey(shared, txId);
+ * // → 32-byte AES-256-GCM key
+ * ```
+ */
+function deriveSharedSecret(privateKey, peerPubkey) {
+    assertByteLength(privateKey, exports.X25519_PRIVATE_KEY_LENGTH, 'crypto_shared_secret_failed', 'privateKey');
+    assertByteLength(peerPubkey, exports.X25519_PUBLIC_KEY_LENGTH, 'crypto_shared_secret_failed', 'peerPubkey');
+    let shared;
+    try {
+        shared = ed25519_1.x25519.getSharedSecret(privateKey, peerPubkey);
+    }
+    catch (err) {
+        throw new DeliveryCryptoError('crypto_shared_secret_failed', `X25519 ECDH failed: ${err instanceof Error ? err.message : String(err)}`, { cause: err instanceof Error ? err.message : String(err) });
+    }
+    if (!(shared instanceof Uint8Array) || shared.length !== exports.X25519_SHARED_SECRET_LENGTH) {
+        throw new DeliveryCryptoError('crypto_shared_secret_failed', `X25519 ECDH returned unexpected length: ${shared?.length}`, { actualLength: shared?.length, expectedLength: exports.X25519_SHARED_SECRET_LENGTH });
+    }
+    if (isAllZero(shared)) {
+        throw new DeliveryCryptoError('crypto_shared_secret_failed', 'X25519 ECDH produced an all-zero shared secret (peer pubkey is a ' +
+            'low-order Curve25519 point). Treat the peer as malicious.', { peerPubkeyHex: bytesToHexLower(peerPubkey) });
+    }
+    return shared;
+}
+exports.deriveSharedSecret = deriveSharedSecret;
+// ============================================================================
+// Public API: HKDF
+// ============================================================================
+/**
+ * Stretch an X25519 shared secret into a 32-byte AES-256-GCM session
+ * key via HKDF-SHA256 (RFC 5869).
+ *
+ * The derivation parameters are locked for AIP-16 v1:
+ *  - `ikm`    = `sharedSecret` (32 bytes, output of {@link deriveSharedSecret})
+ *  - `salt`   = `txId` (32 bytes, decoded from the 0x-prefixed hex form)
+ *  - `info`   = `"agirails-delivery-v1"` UTF-8 by default (overridable
+ *               for *testing only* via the optional `info` argument —
+ *               production callers MUST use the default)
+ *  - `digest` = SHA-256
+ *  - `keylen` = 32 bytes
+ *
+ * Salting with the on-chain `txId` binds the session key to a
+ * specific ACTP transaction. Even if two parties exchange the same
+ * ephemeral keypairs across two different transactions (which would
+ * itself be a protocol violation), the resulting session keys would
+ * differ — limiting blast radius.
+ *
+ * ## Implementation choice: node:crypto
+ *
+ * We use Node's built-in `crypto.hkdfSync` rather than `@noble/hashes`
+ * to keep the dependency surface minimal. The behavior is identical:
+ * both implementations follow RFC 5869 step-for-step.
+ *
+ * Note that `hkdfSync` returns an `ArrayBuffer`; we wrap it in a
+ * `Uint8Array` view for ergonomic interop with `@noble/curves` and
+ * the rest of the SDK.
+ *
+ * @param sharedSecret - The 32-byte ECDH output from {@link deriveSharedSecret}.
+ * @param txId - The on-chain transaction id (`bytes32`) as a 0x-prefixed
+ *   lowercase hex string (66 chars total).
+ * @param info - Optional info string override. Defaults to
+ *   {@link DELIVERY_HKDF_INFO_V1}. Production callers MUST omit this
+ *   argument; it exists solely so tests can assert that distinct
+ *   info strings produce distinct keys (negative test).
+ * @returns A 32-byte session key suitable for AES-256-GCM.
+ * @throws {DeliveryCryptoError} `crypto_hkdf_failed` on length mismatch,
+ *   malformed `txId`, or underlying `hkdfSync` failure.
+ *
+ * @example
+ * ```typescript
+ * const key = deriveSessionKey(shared, '0xabc…32bytes…');
+ * // → 32-byte Uint8Array, ready for createCipheriv('aes-256-gcm', key, nonce)
+ * ```
+ */
+function deriveSessionKey(sharedSecret, txId, info = exports.DELIVERY_HKDF_INFO_V1) {
+    assertByteLength(sharedSecret, exports.X25519_SHARED_SECRET_LENGTH, 'crypto_hkdf_failed', 'sharedSecret');
+    // Decode txId to bytes for use as HKDF salt. Reusing hexToBytes
+    // (with crypto_keygen_failed code) is unfortunate; we re-throw with
+    // the correct crypto_hkdf_failed code so the caller can branch on
+    // the *operation* that failed, not the helper that detected it.
+    let salt;
+    try {
+        salt = hexToBytes(txId, { expectedLength: exports.TX_ID_BYTES, field: 'txId' });
+    }
+    catch (err) {
+        throw new DeliveryCryptoError('crypto_hkdf_failed', `txId is malformed: ${err instanceof Error ? err.message : String(err)}`, {
+            txIdPreview: typeof txId === 'string' ? txId.slice(0, 12) : typeof txId,
+            cause: err instanceof Error ? err.message : String(err),
+        });
+    }
+    if (typeof info !== 'string') {
+        throw new DeliveryCryptoError('crypto_hkdf_failed', `info must be a string, got ${typeof info}`, { type: typeof info });
+    }
+    let derived;
+    try {
+        // hkdfSync(digest, ikm, salt, info, keylen)
+        derived = (0, node_crypto_1.hkdfSync)('sha256', sharedSecret, salt, Buffer.from(info, 'utf8'), exports.DELIVERY_SESSION_KEY_LENGTH);
+    }
+    catch (err) {
+        throw new DeliveryCryptoError('crypto_hkdf_failed', `HKDF-SHA256 failed: ${err instanceof Error ? err.message : String(err)}`, { cause: err instanceof Error ? err.message : String(err) });
+    }
+    const sessionKey = new Uint8Array(derived);
+    if (sessionKey.length !== exports.DELIVERY_SESSION_KEY_LENGTH) {
+        throw new DeliveryCryptoError('crypto_hkdf_failed', `HKDF returned unexpected length: ${sessionKey.length}`, {
+            actualLength: sessionKey.length,
+            expectedLength: exports.DELIVERY_SESSION_KEY_LENGTH,
+        });
+    }
+    return sessionKey;
+}
+exports.deriveSessionKey = deriveSessionKey;
+// ============================================================================
+// Public API: Hex Format Helpers
+// ============================================================================
+/**
+ * Serialize a 32-byte X25519 public key to its canonical 0x-prefixed
+ * lowercase hex form.
+ *
+ * This is exactly the form embedded into the `bytes32` slots of the
+ * signed EIP-712 payloads (`buyerEphemeralPubkey`,
+ * `providerEphemeralPubkey`). The lowercase normalization ensures
+ * that two SDKs producing the same key produce byte-identical hex
+ * strings; the JSON serialization of the wire envelope then has
+ * exactly one valid encoding, which is required for any downstream
+ * `JSON.stringify` + hash anchoring.
+ *
+ * @param pubkey - X25519 public key, exactly 32 bytes.
+ * @returns The 0x-prefixed lowercase hex form (66 chars).
+ * @throws {DeliveryCryptoError} `crypto_keygen_failed` if `pubkey` is
+ *   not a `Uint8Array` of length 32.
+ *
+ * @example
+ * ```typescript
+ * pubkeyToHex(new Uint8Array(32)); // "0x00...00" (32 zero bytes)
+ * ```
+ */
+function pubkeyToHex(pubkey) {
+    assertByteLength(pubkey, exports.X25519_PUBLIC_KEY_LENGTH, 'crypto_keygen_failed', 'pubkey');
+    return bytesToHexLower(pubkey);
+}
+exports.pubkeyToHex = pubkeyToHex;
+/**
+ * Deserialize a 0x-prefixed hex string into a 32-byte X25519 public
+ * key.
+ *
+ * Accepts both uppercase and lowercase hex digits in the input (for
+ * resilience with legacy systems and Ethereum's mixed-case checksum
+ * convention — though X25519 keys are NOT checksummed). The output is
+ * always raw bytes; if you need the canonical hex form, call
+ * `pubkeyToHex` on the result, which will be lowercase.
+ *
+ * @param hex - 0x-prefixed hex string, exactly 66 characters (`0x` +
+ *   64 hex chars).
+ * @returns The 32-byte X25519 public key.
+ * @throws {DeliveryCryptoError} `crypto_keygen_failed` if `hex` is
+ *   missing the `0x` prefix, the wrong length, or contains non-hex
+ *   characters.
+ *
+ * @example
+ * ```typescript
+ * const bytes = pubkeyFromHex('0x' + 'ab'.repeat(32));
+ * // → Uint8Array(32) [0xab, 0xab, …]
+ * ```
+ */
+function pubkeyFromHex(hex) {
+    return hexToBytes(hex, {
+        expectedLength: exports.X25519_PUBLIC_KEY_LENGTH,
+        field: 'pubkey hex',
+    });
+}
+exports.pubkeyFromHex = pubkeyFromHex;
+//# sourceMappingURL=keys.js.map

package/dist/delivery/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/delivery/keys.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;;;AAEH,6CAAuC;AAEvC,mDAA+C;AAI/C,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;;;;;;;GAQG;AACU,QAAA,wBAAwB,GAAG,EAAW,CAAC;AAEpD;;;;;;;GAOG;AACU,QAAA,yBAAyB,GAAG,EAAW,CAAC;AAErD;;;;;GAKG;AACU,QAAA,2BAA2B,GAAG,EAAW,CAAC;AAEvD;;;GAGG;AACU,QAAA,2BAA2B,GAAG,EAAW,CAAC;AAEvD;;;;;;;GAOG;AACU,QAAA,WAAW,GAAG,EAAW,CAAC;AAEvC;;;;;;;;;GASG;AACU,QAAA,qBAAqB,GAAG,sBAA+B,CAAC;AAErE,+EAA+E;AAC/E,cAAc;AACd,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAa,mBAAoB,SAAQ,KAAK;IAM5C,YACE,IAAuB,EACvB,OAAe,EACf,OAAiC;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,uEAAuE;QACvE,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAC7D,CAAC;CACF;AAlBD,kDAkBC;AAiDD,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,kFAAkF;AAClF,MAAM,SAAS,GAAG,kBAAkB,CAAC;AAErC;;;;;;;;;GASG;AACH,SAAS,eAAe,CAAC,KAAiB;IACxC,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAW,CAAC,CAAC,kBAAkB;QAChD,GAAG,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QACnC,GAAG,IAAI,SAAS,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,UAAU,CACjB,GAAW,EACX,GAA8C;IAE9C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,EACtB,GAAG,GAAG,CAAC,KAAK,0BAA0B,OAAO,GAAG,EAAE,EAClD,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,GAAG,EAAE,CACvC,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,EACtB,GAAG,GAAG,CAAC,KAAK,4BAA4B,EACxC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAC9C,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,IAAI,IAAI,CAAC,MAAM,KAAK,GAAG,CAAC,cAAc,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,EACtB,GAAG,GAAG,CAAC,KAAK,YAAY,GAAG,CAAC,cAAc,GAAG,CAAC,4BAA4B,IAAI,CAAC,MAAM,GAAG,EACxF,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,gBAAgB,EAAE,GAAG,CAAC,cAAc,GAAG,CAAC,EAAE,cAAc,EAAE,IAAI,CAAC,MAAM,EAAE,CAC5F,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,EACtB,GAAG,GAAG,CAAC,KAAK,8BAA8B,EAC1C,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CACrB,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,cAAc,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAW,EAAE,EAAE,CAAC,CAAC;QAC/C,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAW,EAAE,EAAE,CAAC,CAAC;QACnD,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CACvB,KAAiB,EACjB,MAAc,EACd,IAAuB,EACvB,KAAa;IAEb,IAAI,CAAC,CAAC,KAAK,YAAY,UAAU,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,mBAAmB,CAC3B,IAAI,EACJ,GAAG,KAAK,8BAA8B,OAAO,KAAK,EAAE,EACpD,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,KAAK,EAAE,CAC9B,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,mBAAmB,CAC3B,IAAI,EACJ,GAAG,KAAK,oBAAoB,MAAM,eAAe,KAAK,CAAC,MAAM,GAAG,EAChE,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,CAAC,MAAM,EAAE,CAC9D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,SAAS,CAAC,KAAiB;IAClC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,GAAG,IAAI,KAAK,CAAC,CAAC,CAAW,CAAC;IAC5B,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,+EAA+E;AAC/E,6BAA6B;AAC7B,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAgB,wBAAwB;IACtC,IAAI,SAAqB,CAAC;IAC1B,IAAI,SAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,gBAAM,CAAC,MAAM,EAAE,CAAC;QAClC,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC;QAChC,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,EACtB,oCAAoC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACtF,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC5D,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,oEAAoE;IACpE,+CAA+C;IAC/C,IAAI,CAAC,CAAC,SAAS,YAAY,UAAU,CAAC,IAAI,SAAS,CAAC,MAAM,KAAK,gCAAwB,EAAE,CAAC;QACxF,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,EACtB,2DAA2D,SAAS,EAAE,MAAM,EAAE,EAC9E,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,gCAAwB,EAAE,CAC9E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,CAAC,SAAS,YAAY,UAAU,CAAC,IAAI,SAAS,CAAC,MAAM,KAAK,iCAAyB,EAAE,CAAC;QACzF,MAAM,IAAI,mBAAmB,CAC3B,sBAAsB,EACtB,4DAA4D,SAAS,EAAE,MAAM,EAAE,EAC/E,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,iCAAyB,EAAE,CAC/E,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS;QACT,UAAU,EAAE,SAAS;QACrB,YAAY,EAAE,eAAe,CAAC,SAAS,CAAkB;KAC1D,CAAC;AACJ,CAAC;AAtCD,4DAsCC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,SAAgB,kBAAkB,CAChC,UAAsB,EACtB,UAAsB;IAEtB,gBAAgB,CACd,UAAU,EACV,iCAAyB,EACzB,6BAA6B,EAC7B,YAAY,CACb,CAAC;IACF,gBAAgB,CACd,UAAU,EACV,gCAAwB,EACxB,6BAA6B,EAC7B,YAAY,CACb,CAAC;IAEF,IAAI,MAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,gBAAM,CAAC,eAAe,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,mBAAmB,CAC3B,6BAA6B,EAC7B,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACzE,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC5D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,YAAY,UAAU,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,mCAA2B,EAAE,CAAC;QACrF,MAAM,IAAI,mBAAmB,CAC3B,6BAA6B,EAC7B,2CAA2C,MAAM,EAAE,MAAM,EAAE,EAC3D,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,mCAA2B,EAAE,CAC9E,CAAC;IACJ,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,mBAAmB,CAC3B,6BAA6B,EAC7B,mEAAmE;YACjE,2DAA2D,EAC7D,EAAE,aAAa,EAAE,eAAe,CAAC,UAAU,CAAC,EAAE,CAC/C,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AA9CD,gDA8CC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,SAAgB,gBAAgB,CAC9B,YAAwB,EACxB,IAAmB,EACnB,OAAe,6BAAqB;IAEpC,gBAAgB,CACd,YAAY,EACZ,mCAA2B,EAC3B,oBAAoB,EACpB,cAAc,CACf,CAAC;IAEF,gEAAgE;IAChE,oEAAoE;IACpE,kEAAkE;IAClE,gEAAgE;IAChE,IAAI,IAAgB,CAAC;IACrB,IAAI,CAAC;QACH,IAAI,GAAG,UAAU,CAAC,IAAI,EAAE,EAAE,cAAc,EAAE,mBAAW,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,mBAAmB,CAC3B,oBAAoB,EACpB,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACxE;YACE,WAAW,EAAE,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,IAAI;YACvE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CACF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,mBAAmB,CAC3B,oBAAoB,EACpB,8BAA8B,OAAO,IAAI,EAAE,EAC3C,EAAE,IAAI,EAAE,OAAO,IAAI,EAAE,CACtB,CAAC;IACJ,CAAC;IAED,IAAI,OAAoB,CAAC;IACzB,IAAI,CAAC;QACH,4CAA4C;QAC5C,OAAO,GAAG,IAAA,sBAAQ,EAChB,QAAQ,EACR,YAAY,EACZ,IAAI,EACJ,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,EACzB,mCAA2B,CAC5B,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,mBAAmB,CAC3B,oBAAoB,EACpB,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACzE,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC5D,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,UAAU,CAAC,MAAM,KAAK,mCAA2B,EAAE,CAAC;QACtD,MAAM,IAAI,mBAAmB,CAC3B,oBAAoB,EACpB,oCAAoC,UAAU,CAAC,MAAM,EAAE,EACvD;YACE,YAAY,EAAE,UAAU,CAAC,MAAM;YAC/B,cAAc,EAAE,mCAA2B;SAC5C,CACF,CAAC;IACJ,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AApED,4CAoEC;AAED,+EAA+E;AAC/E,iCAAiC;AACjC,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAgB,WAAW,CAAC,MAAkB;IAC5C,gBAAgB,CACd,MAAM,EACN,gCAAwB,EACxB,sBAAsB,EACtB,QAAQ,CACT,CAAC;IACF,OAAO,eAAe,CAAC,MAAM,CAAkB,CAAC;AAClD,CAAC;AARD,kCAQC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAgB,aAAa,CAAC,GAAW;IACvC,OAAO,UAAU,CAAC,GAAG,EAAE;QACrB,cAAc,EAAE,gCAAwB;QACxC,KAAK,EAAE,YAAY;KACpB,CAAC,CAAC;AACL,CAAC;AALD,sCAKC"}

package/dist/delivery/nonce-keys.d.ts

@@ -0,0 +1,93 @@
+/**
+ * AIP-16 Delivery — Per-Builder Nonce Key Constants
+ * ===================================================
+ *
+ * The AGIRAILS delivery surface (AIP-16 Rev 5) uses two SEPARATE nonce
+ * spaces, one for the buyer-signed *setup* message and one for the
+ * provider-signed *envelope* message. These are deliberately distinct
+ * from the AIP-4 delivery-proof nonce key (`agirails.delivery.v1`) and
+ * from each other, so that:
+ *
+ *   1. A nonce burned for a setup message cannot be replayed as an
+ *      envelope message (per-builder replay separation).
+ *   2. A nonce burned for an AIP-4 delivery proof cannot collide with
+ *      the AIP-16 setup/envelope nonce spaces (cross-feature isolation).
+ *   3. The on-disk persistence file (`.actp/nonces.json`) keeps a
+ *      clean, auditable per-key monotonic counter.
+ *
+ * Why per-builder separation matters (audit context):
+ * ----------------------------------------------------
+ * The existing `NonceManager` (`src/utils/NonceManager.ts`) keys nonces
+ * by *message-type string*. There is no central registry of known keys
+ * — any string is accepted. This file therefore acts as the canonical,
+ * type-safe constant source for AIP-16's two delivery nonce keys, so
+ * call sites (setup builder, envelope builder, future replay-cache
+ * server) all reach for the SAME literal and the TypeScript `as const`
+ * narrowing prevents silent drift.
+ *
+ * Reuse, NOT replace:
+ * -------------------
+ * These constants are intended to be passed straight into the existing
+ * `NonceManager` API (`getNextNonce`, `getAndIncrementNonce`,
+ * `recordNonce`, etc.) — they introduce no new manager, no new storage
+ * layer, and no behavioural change. They simply give the delivery layer
+ * a single authoritative spelling of its two nonce-key strings.
+ *
+ * @example Use with the existing nonce manager
+ * ```typescript
+ * import { createNonceManager } from '../utils/NonceManager';
+ * import {
+ *   DELIVERY_NONCE_KEY_SETUP,
+ *   DELIVERY_NONCE_KEY_ENVELOPE,
+ * } from './nonce-keys';
+ *
+ * const nonces = createNonceManager({ stateDirectory: process.cwd() });
+ *
+ * // Buyer setup signing path:
+ * const setupNonce = await (nonces as any).getAndIncrementNonce(
+ *   DELIVERY_NONCE_KEY_SETUP,
+ * );
+ *
+ * // Provider envelope signing path (independent counter):
+ * const envelopeNonce = await (nonces as any).getAndIncrementNonce(
+ *   DELIVERY_NONCE_KEY_ENVELOPE,
+ * );
+ * ```
+ *
+ * Reference: AIP-16 Rev 5 §replay-protection, §nonce-spaces
+ *
+ * @module delivery/nonce-keys
+ */
+/**
+ * Nonce key for buyer-signed AIP-16 delivery *setup* messages.
+ *
+ * Distinct from {@link DELIVERY_NONCE_KEY_ENVELOPE} (per-builder
+ * separation) and from the AIP-4 delivery-proof key
+ * `agirails.delivery.v1` (cross-feature separation).
+ *
+ * The `.v1` suffix matches the EIP-712 domain version for the v1
+ * delivery surface; a future v2 would introduce a new key string
+ * rather than incrementing in place.
+ */
+export declare const DELIVERY_NONCE_KEY_SETUP: "agirails.delivery.setup.v1";
+/**
+ * Nonce key for provider-signed AIP-16 delivery *envelope* messages.
+ *
+ * Distinct from {@link DELIVERY_NONCE_KEY_SETUP} (per-builder
+ * separation) and from the AIP-4 delivery-proof key
+ * `agirails.delivery.v1` (cross-feature separation).
+ *
+ * The `.v1` suffix matches the EIP-712 domain version for the v1
+ * delivery surface; a future v2 would introduce a new key string
+ * rather than incrementing in place.
+ */
+export declare const DELIVERY_NONCE_KEY_ENVELOPE: "agirails.delivery.envelope.v1";
+/**
+ * Compile-time-narrowed union of all AIP-16 delivery nonce keys.
+ *
+ * Useful for typed wrappers that want to accept *only* a known
+ * delivery key (and reject e.g. `'agirails.delivery.v1'` which belongs
+ * to AIP-4).
+ */
+export type DeliveryNonceKey = typeof DELIVERY_NONCE_KEY_SETUP | typeof DELIVERY_NONCE_KEY_ENVELOPE;
+//# sourceMappingURL=nonce-keys.d.ts.map

package/dist/delivery/nonce-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-keys.d.ts","sourceRoot":"","sources":["../../src/delivery/nonce-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,wBAAwB,8BAAwC,CAAC;AAE9E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B,iCAA2C,CAAC;AAEpF;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,GACxB,OAAO,wBAAwB,GAC/B,OAAO,2BAA2B,CAAC"}