@bcts/frost-hubert 1.0.0-alpha.22 → 1.0.0-beta.0

package/dist/round1-DQ0fnc1H.cjs

@@ -0,0 +1,221 @@
+const require_chunk = require("./chunk-CZWwpsFl.cjs");
+const require_registry_index = require("./registry/index.cjs");
+const require_common = require("./common-lKP5EzHy.cjs");
+const require_busy = require("./busy-EZU7EKr6.cjs");
+const require_storage = require("./storage-B-Gu68-O.cjs");
+const require_frost_index = require("./frost/index.cjs");
+const require_common$1 = require("./common-lThIvJmZ.cjs");
+let _bcts_components = require("@bcts/components");
+let _bcts_dcbor = require("@bcts/dcbor");
+let _bcts_envelope = require("@bcts/envelope");
+let _bcts_gstp = require("@bcts/gstp");
+let node_fs = require("node:fs");
+node_fs = require_chunk.__toESM(node_fs, 1);
+let node_path = require("node:path");
+node_path = require_chunk.__toESM(node_path, 1);
+//#region src/cmd/sign/participant/round1.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*
+* Sign participant round 1 command.
+*
+* Port of cmd/sign/participant/round1.rs from frost-hubert-rust.
+*
+* @module
+*/
+var round1_exports = /* @__PURE__ */ require_chunk.__exportAll({ round1: () => round1 });
+/**
+* Load receive state from persisted sign_receive.json.
+*
+* Port of `load_receive_state()` from cmd/sign/participant/round1.rs lines 285-411.
+*/
+function loadReceiveState(registryPath, sessionId, groupHint, registry) {
+	const base = node_path.dirname(registryPath);
+	const groupStateDir = node_path.join(base, "group-state");
+	let groupDirs;
+	if (groupHint !== void 0) groupDirs = [[groupHint, node_path.join(groupStateDir, groupHint.hex())]];
+	else {
+		groupDirs = [];
+		if (node_fs.existsSync(groupStateDir)) {
+			for (const entry of node_fs.readdirSync(groupStateDir, { withFileTypes: true })) if (entry.isDirectory()) {
+				const dirName = entry.name;
+				if (dirName.length === 64 && /^[0-9a-fA-F]+$/.test(dirName)) {
+					const groupId = _bcts_components.ARID.fromHex(dirName);
+					groupDirs.push([groupId, node_path.join(groupStateDir, dirName)]);
+				}
+			}
+		}
+	}
+	const candidates = [];
+	for (const [groupId, groupDir] of groupDirs) {
+		const candidate = node_path.join(groupDir, "signing", sessionId.hex(), "sign_receive.json");
+		if (node_fs.existsSync(candidate)) candidates.push([groupId, candidate]);
+	}
+	if (candidates.length === 0) throw new Error("No sign_receive.json found for this session; run `frost sign participant receive` first");
+	if (candidates.length > 1) throw new Error("Multiple groups contain this session; use --group to disambiguate");
+	const [groupId, filePath] = candidates[0];
+	const raw = JSON.parse(node_fs.readFileSync(filePath, "utf-8"));
+	const sessionInState = require_common.parseAridUr(raw.session);
+	if (sessionInState.urString() !== sessionId.urString()) throw new Error(`Session ${sessionInState.urString()} in sign_receive.json does not match requested session ${sessionId.urString()}`);
+	const responseArid = require_common.parseAridUr(raw.response_arid);
+	const targetUr = raw.target;
+	const coordinatorUr = raw.coordinator;
+	const coordinatorXid = _bcts_components.XID.fromURString(coordinatorUr);
+	let coordinatorDoc;
+	const participantRecord = registry.participant(coordinatorXid);
+	if (participantRecord !== null && participantRecord !== void 0) coordinatorDoc = participantRecord.xidDocument();
+	else {
+		const owner = registry.owner();
+		if (owner?.xid().urString() === coordinatorXid.urString()) coordinatorDoc = owner.xidDocument();
+		else throw new Error(`Coordinator ${coordinatorXid.urString()} not found in registry and cannot resolve encryption key`);
+	}
+	const requestEnvelope = _bcts_envelope.Envelope.fromURString(raw.request_envelope);
+	const participants = raw.participants.map((s) => _bcts_components.XID.fromURString(s));
+	return {
+		groupId,
+		coordinatorDoc,
+		responseArid,
+		targetUr,
+		participants,
+		requestEnvelope
+	};
+}
+/**
+* Validate the commit request from persisted state.
+*
+* Port of request validation in `CommandArgs::exec()` from cmd/sign/participant/round1.rs lines 100-138.
+*/
+function validateCommitRequest(receiveState, sessionId, ownerXid, ownerPrivateKeys) {
+	const now = _bcts_dcbor.CborDate.now();
+	const sealedRequest = _bcts_gstp.SealedRequest.tryFromEnvelope(receiveState.requestEnvelope, void 0, now.datetime(), ownerPrivateKeys);
+	if (!sealedRequest.request().function().equals(_bcts_envelope.Function.fromString("signInvite"))) throw new Error(`Unexpected request function: ${String(sealedRequest.request().function())}`);
+	if (sealedRequest.request().id().urString() !== sessionId.urString()) throw new Error(`Session ID mismatch (state ${sessionId.urString()}, request ${sealedRequest.request().id().urString()})`);
+	const requestGroup = sealedRequest.extractObjectForParameter("group");
+	if (requestGroup.urString() !== receiveState.groupId.urString()) throw new Error(`Group ID mismatch (state ${receiveState.groupId.urString()}, request ${requestGroup.urString()})`);
+	if (!receiveState.participants.map((p) => p.urString()).includes(ownerXid.urString())) throw new Error("Persisted signInvite request does not include this participant");
+	return sealedRequest;
+}
+/**
+* Build the response body envelope.
+*
+* Port of response body building from cmd/sign/participant/round1.rs lines 191-195.
+*/
+function buildResponseBody(sessionId, commitments, responseArid) {
+	const serializedCommitments = require_frost_index.serializeSigningCommitments(commitments);
+	const jsonStr = JSON.stringify(serializedCommitments);
+	const jsonBytes = new TextEncoder().encode(jsonStr);
+	const commitmentsJson = _bcts_components.JSON.fromData(jsonBytes);
+	return _bcts_envelope.Envelope.unit().addType("signRound1Response").addAssertion("session", sessionId).addAssertion("commitments", commitmentsJson.taggedCborData()).addAssertion("response_arid", responseArid);
+}
+/**
+* Persist commit state (nonces and commitments) to disk.
+*
+* Port of `persist_commit_state()` from cmd/sign/participant/round1.rs lines 413-461.
+*/
+function persistCommitState(registryPath, groupId, sessionId, receiveState, signingNonces, signingCommitments, targetEnvelope, nextShareArid) {
+	const dir = require_common$1.signingStateDir(registryPath, groupId.hex(), sessionId.hex());
+	node_fs.mkdirSync(dir, { recursive: true });
+	const serializedNonces = require_frost_index.serializeSigningNonces(signingNonces);
+	const serializedCommitments = require_frost_index.serializeSigningCommitments(signingCommitments);
+	const commitState = {
+		session: sessionId.urString(),
+		response_arid: receiveState.responseArid.urString(),
+		next_share_arid: nextShareArid.urString(),
+		target: targetEnvelope.urString(),
+		signing_nonces: serializedNonces,
+		signing_commitments: serializedCommitments
+	};
+	node_fs.writeFileSync(node_path.join(dir, "commit.json"), JSON.stringify(commitState, null, 2));
+}
+/**
+* Execute the sign participant round 1 command.
+*
+* Responds to the sign invite with signing commitments.
+*
+* Port of `CommandArgs::exec()` from cmd/sign/participant/round1.rs lines 58-273.
+*/
+async function round1(_client, options, cwd) {
+	if (options.storageSelection === void 0 && options.preview !== true) throw new Error("Hubert storage is required for sign commit");
+	if (options.storageSelection !== void 0 && options.preview === true) throw new Error("--preview cannot be used with Hubert storage options");
+	const registryPath = require_registry_index.resolveRegistryPath(options.registryPath, cwd);
+	const registry = require_registry_index.Registry.load(registryPath);
+	const owner = registry.owner();
+	if (!owner) throw new Error("Registry owner is required");
+	const sessionId = require_common.parseAridUr(options.sessionId);
+	const receiveState = loadReceiveState(registryPath, sessionId, options.groupId !== void 0 ? require_common.parseAridUr(options.groupId) : void 0, registry);
+	const groupId = receiveState.groupId;
+	const groupRecord = registry.group(groupId);
+	if (groupRecord === null || groupRecord === void 0) throw new Error("Group not found in registry");
+	const ownerKeys = owner.xidDocument().inceptionPrivateKeys();
+	if (ownerKeys === void 0) throw new Error("Owner XID document has no private keys");
+	const sealedRequest = validateCommitRequest(receiveState, sessionId, owner.xid(), ownerKeys);
+	const contributions = groupRecord.contributions();
+	if (contributions === null || contributions === void 0) throw new Error("Key package path not found; did you finish DKG?");
+	const keyPackagePath = contributions.keyPackage;
+	if (keyPackagePath === void 0) throw new Error("Key package path not found; did you finish DKG?");
+	const keyPackage = require_frost_index.deserializeKeyPackage(JSON.parse(node_fs.readFileSync(keyPackagePath, "utf-8")).key_package);
+	const targetEnvelope = _bcts_envelope.Envelope.fromURString(receiveState.targetUr);
+	const signerPrivateKeys = owner.xidDocument().inceptionPrivateKeys();
+	if (signerPrivateKeys === void 0) throw new Error("Owner XID document has no signing keys");
+	let sealedResponse;
+	let nextShareArid;
+	if (options.rejectReason !== void 0) {
+		const errorBody = _bcts_envelope.Envelope.new("signCommitReject").addAssertion("group", groupId).addAssertion("session", sessionId).addAssertion("reason", options.rejectReason);
+		sealedResponse = _bcts_gstp.SealedResponse.newFailure(sealedRequest.request().id(), owner.xidDocument()).withError(errorBody).withPeerContinuation(sealedRequest.peerContinuation());
+	} else {
+		const [signingNonces, signingCommitments] = require_frost_index.signingRound1(keyPackage, require_frost_index.createRng());
+		const nextShare = _bcts_components.ARID.new();
+		nextShareArid = nextShare;
+		const responseBody = buildResponseBody(sessionId, signingCommitments, nextShare);
+		if (options.preview !== true) {
+			persistCommitState(registryPath, groupId, sessionId, receiveState, signingNonces, signingCommitments, targetEnvelope, nextShare);
+			const groupRecordMut = registry.group(groupId);
+			if (groupRecordMut !== null && groupRecordMut !== void 0) {
+				groupRecordMut.setListeningAtArid(nextShare);
+				registry.save(registryPath);
+			}
+		}
+		sealedResponse = _bcts_gstp.SealedResponse.newSuccess(sealedRequest.request().id(), owner.xidDocument()).withResult(responseBody).withPeerContinuation(sealedRequest.peerContinuation());
+	}
+	if (options.preview === true) {
+		const envelopeUr = sealedResponse.toEnvelope(void 0, signerPrivateKeys, void 0).urString();
+		console.log(envelopeUr);
+		return {
+			accepted: options.rejectReason === void 0,
+			envelopeUr
+		};
+	}
+	const validUntil = new Date(Date.now() + 3600 * 1e3);
+	const responseEnvelope = sealedResponse.toEnvelope(validUntil, signerPrivateKeys, receiveState.coordinatorDoc);
+	if (options.storageSelection === void 0) throw new Error("Storage selection is required to post response");
+	const client = await require_storage.createStorageClient(options.storageSelection);
+	if (options.verbose === true) console.error(`Posting signInvite response to ${receiveState.responseArid.urString()}`);
+	await require_busy.putWithIndicator(client, receiveState.responseArid, responseEnvelope, "Commitments", options.verbose ?? false);
+	if (options.rejectReason !== void 0) {
+		const groupRecordMut = registry.group(groupId);
+		if (groupRecordMut !== null && groupRecordMut !== void 0) {
+			groupRecordMut.clearListeningAtArid();
+			registry.save(registryPath);
+		}
+	}
+	const result = { accepted: options.rejectReason === void 0 };
+	if (nextShareArid !== void 0) result.listeningArid = nextShareArid.urString();
+	return result;
+}
+//#endregion
+Object.defineProperty(exports, "round1", {
+	enumerable: true,
+	get: function() {
+		return round1;
+	}
+});
+Object.defineProperty(exports, "round1_exports", {
+	enumerable: true,
+	get: function() {
+		return round1_exports;
+	}
+});
+
+//# sourceMappingURL=round1-DQ0fnc1H.cjs.map

package/dist/round1-DQ0fnc1H.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"round1-DQ0fnc1H.cjs","names":["path","fs","ARID","parseAridUr","XID","Envelope","CborDate","SealedRequest","EnvelopeFunction","serializeSigningCommitments","JSONWrapper","signingStateDir","serializeSigningNonces","resolveRegistryPath","Registry","deserializeKeyPackage","SealedResponse","signingRound1","createRng","createStorageClient","putWithIndicator"],"sources":["../src/cmd/sign/participant/round1.ts"],"sourcesContent":["/**\n * Copyright © 2023-2026 Blockchain Commons, LLC\n * Copyright © 2025-2026 Parity Technologies\n *\n *\n * Sign participant round 1 command.\n *\n * Port of cmd/sign/participant/round1.rs from frost-hubert-rust.\n *\n * @module\n */\n\nimport * as fs from \"node:fs\";\nimport * as path from \"node:path\";\n\nimport { ARID, JSON as JSONWrapper, type PrivateKeys, XID } from \"@bcts/components\";\nimport { CborDate } from \"@bcts/dcbor\";\nimport { Envelope, Function as EnvelopeFunction } from \"@bcts/envelope\";\nimport { SealedRequest, SealedResponse } from \"@bcts/gstp\";\nimport type { XIDDocument } from \"@bcts/xid\";\n\nimport { Registry, resolveRegistryPath } from \"../../../registry/index.js\";\nimport { putWithIndicator } from \"../../busy.js\";\nimport { createStorageClient, type StorageClient, type StorageSelection } from \"../../storage.js\";\nimport { parseAridUr } from \"../../dkg/common.js\";\nimport { signingStateDir } from \"../common.js\";\nimport {\n  signingRound1,\n  deserializeKeyPackage,\n  serializeSigningNonces,\n  serializeSigningCommitments,\n  createRng,\n  type SerializedKeyPackage,\n  type SerializedSigningNonces,\n  type SerializedSigningCommitments,\n  type Ed25519SigningNonces,\n  type Ed25519SigningCommitments,\n} from \"../../../frost/index.js\";\n\n/**\n * Options for the sign round1 command.\n */\nexport interface SignRound1Options {\n  registryPath?: string;\n  sessionId: string;\n  groupId?: string;\n  preview?: boolean;\n  rejectReason?: string;\n  storageSelection?: StorageSelection;\n  verbose?: boolean;\n}\n\n/**\n * Result of the sign round1 command.\n */\nexport interface SignRound1Result {\n  accepted: boolean;\n  listeningArid?: string;\n  envelopeUr?: string;\n}\n\n/**\n * Persisted receive state from sign_receive.json.\n *\n * Port of `struct ReceiveState` from cmd/sign/participant/round1.rs.\n */\ninterface ReceiveState {\n  groupId: ARID;\n  coordinatorDoc: XIDDocument;\n  responseArid: ARID;\n  targetUr: string;\n  participants: XID[];\n  requestEnvelope: Envelope;\n}\n\n/**\n * Load receive state from persisted sign_receive.json.\n *\n * Port of `load_receive_state()` from cmd/sign/participant/round1.rs lines 285-411.\n */\nfunction loadReceiveState(\n  registryPath: string,\n  sessionId: ARID,\n  groupHint: ARID | undefined,\n  registry: Registry,\n): ReceiveState {\n  const base = path.dirname(registryPath);\n  const groupStateDir = path.join(base, \"group-state\");\n\n  // Collect candidate directories\n  let groupDirs: [ARID, string][];\n  if (groupHint !== undefined) {\n    groupDirs = [[groupHint, path.join(groupStateDir, groupHint.hex())]];\n  } else {\n    groupDirs = [];\n    if (fs.existsSync(groupStateDir)) {\n      for (const entry of fs.readdirSync(groupStateDir, { withFileTypes: true })) {\n        if (entry.isDirectory()) {\n          const dirName = entry.name;\n          // Check if it's a 64-character hex string (ARID hex)\n          if (dirName.length === 64 && /^[0-9a-fA-F]+$/.test(dirName)) {\n            const groupId = ARID.fromHex(dirName);\n            groupDirs.push([groupId, path.join(groupStateDir, dirName)]);\n          }\n        }\n      }\n    }\n  }\n\n  // Search for sign_receive.json\n  const candidates: [ARID, string][] = [];\n  for (const [groupId, groupDir] of groupDirs) {\n    const candidate = path.join(groupDir, \"signing\", sessionId.hex(), \"sign_receive.json\");\n    if (fs.existsSync(candidate)) {\n      candidates.push([groupId, candidate]);\n    }\n  }\n\n  if (candidates.length === 0) {\n    throw new Error(\n      \"No sign_receive.json found for this session; run `frost sign participant receive` first\",\n    );\n  }\n  if (candidates.length > 1) {\n    throw new Error(\"Multiple groups contain this session; use --group to disambiguate\");\n  }\n\n  const [groupId, filePath] = candidates[0];\n\n  // Parse the JSON file\n  interface SignReceiveJson {\n    session: string;\n    group: string;\n    response_arid: string;\n    target: string;\n    coordinator: string;\n    participants: string[];\n    request_envelope: string;\n  }\n\n  const raw = JSON.parse(fs.readFileSync(filePath, \"utf-8\")) as SignReceiveJson;\n\n  // Validate session matches\n  const sessionInState = parseAridUr(raw.session);\n  if (sessionInState.urString() !== sessionId.urString()) {\n    throw new Error(\n      `Session ${sessionInState.urString()} in sign_receive.json does not match requested session ${sessionId.urString()}`,\n    );\n  }\n\n  const responseArid = parseAridUr(raw.response_arid);\n  const targetUr = raw.target;\n  const coordinatorUr = raw.coordinator;\n  const coordinatorXid = XID.fromURString(coordinatorUr);\n\n  // Resolve coordinator document from registry\n  let coordinatorDoc: XIDDocument;\n  const participantRecord = registry.participant(coordinatorXid);\n  if (participantRecord !== null && participantRecord !== undefined) {\n    coordinatorDoc = participantRecord.xidDocument();\n  } else {\n    const owner = registry.owner();\n    if (owner?.xid().urString() === coordinatorXid.urString()) {\n      coordinatorDoc = owner.xidDocument();\n    } else {\n      throw new Error(\n        `Coordinator ${coordinatorXid.urString()} not found in registry and cannot resolve encryption key`,\n      );\n    }\n  }\n\n  // Parse request envelope\n  const requestEnvelope = Envelope.fromURString(raw.request_envelope);\n\n  // Parse participants\n  const participants: XID[] = raw.participants.map((s: string) => XID.fromURString(s));\n\n  return {\n    groupId,\n    coordinatorDoc,\n    responseArid,\n    targetUr,\n    participants,\n    requestEnvelope,\n  };\n}\n\n/**\n * Validate the commit request from persisted state.\n *\n * Port of request validation in `CommandArgs::exec()` from cmd/sign/participant/round1.rs lines 100-138.\n */\nfunction validateCommitRequest(\n  receiveState: ReceiveState,\n  sessionId: ARID,\n  ownerXid: XID,\n  ownerPrivateKeys: PrivateKeys,\n): SealedRequest {\n  const now = CborDate.now();\n\n  // Decrypt and parse the request\n  const sealedRequest = SealedRequest.tryFromEnvelope(\n    receiveState.requestEnvelope,\n    undefined,\n    now.datetime(),\n    ownerPrivateKeys,\n  );\n\n  // Validate function\n  if (!sealedRequest.request().function().equals(EnvelopeFunction.fromString(\"signInvite\"))) {\n    throw new Error(`Unexpected request function: ${String(sealedRequest.request().function())}`);\n  }\n\n  // Validate session ID\n  if (sealedRequest.request().id().urString() !== sessionId.urString()) {\n    throw new Error(\n      `Session ID mismatch (state ${sessionId.urString()}, request ${sealedRequest.request().id().urString()})`,\n    );\n  }\n\n  // Validate group ID\n  const requestGroup = sealedRequest.extractObjectForParameter<ARID>(\"group\");\n  if (requestGroup.urString() !== receiveState.groupId.urString()) {\n    throw new Error(\n      `Group ID mismatch (state ${receiveState.groupId.urString()}, request ${requestGroup.urString()})`,\n    );\n  }\n\n  // Validate participant is included\n  const participantUrStrings = receiveState.participants.map((p) => p.urString());\n  if (!participantUrStrings.includes(ownerXid.urString())) {\n    throw new Error(\"Persisted signInvite request does not include this participant\");\n  }\n\n  return sealedRequest;\n}\n\n/**\n * Build the response body envelope.\n *\n * Port of response body building from cmd/sign/participant/round1.rs lines 191-195.\n */\nfunction buildResponseBody(\n  sessionId: ARID,\n  commitments: Ed25519SigningCommitments,\n  responseArid: ARID,\n): Envelope {\n  // Serialize commitments to JSON and wrap as CBOR JSON\n  const serializedCommitments = serializeSigningCommitments(commitments);\n  const jsonStr = JSON.stringify(serializedCommitments);\n  const jsonBytes = new TextEncoder().encode(jsonStr);\n  const commitmentsJson = JSONWrapper.fromData(jsonBytes);\n\n  // Build response body: unit subject with type and assertions\n  return Envelope.unit()\n    .addType(\"signRound1Response\")\n    .addAssertion(\"session\", sessionId)\n    .addAssertion(\"commitments\", commitmentsJson.taggedCborData())\n    .addAssertion(\"response_arid\", responseArid);\n}\n\n/**\n * Persist commit state (nonces and commitments) to disk.\n *\n * Port of `persist_commit_state()` from cmd/sign/participant/round1.rs lines 413-461.\n */\nfunction persistCommitState(\n  registryPath: string,\n  groupId: ARID,\n  sessionId: ARID,\n  receiveState: ReceiveState,\n  signingNonces: Ed25519SigningNonces,\n  signingCommitments: Ed25519SigningCommitments,\n  targetEnvelope: Envelope,\n  nextShareArid: ARID,\n): void {\n  const dir = signingStateDir(registryPath, groupId.hex(), sessionId.hex());\n  fs.mkdirSync(dir, { recursive: true });\n\n  // Serialize nonces and commitments\n  const serializedNonces = serializeSigningNonces(signingNonces);\n  const serializedCommitments = serializeSigningCommitments(signingCommitments);\n\n  // Build commit state JSON\n  const commitState: {\n    session: string;\n    response_arid: string;\n    next_share_arid: string;\n    target: string;\n    signing_nonces: SerializedSigningNonces;\n    signing_commitments: SerializedSigningCommitments;\n  } = {\n    session: sessionId.urString(),\n    response_arid: receiveState.responseArid.urString(),\n    next_share_arid: nextShareArid.urString(),\n    target: targetEnvelope.urString(),\n    signing_nonces: serializedNonces,\n    signing_commitments: serializedCommitments,\n  };\n\n  fs.writeFileSync(path.join(dir, \"commit.json\"), JSON.stringify(commitState, null, 2));\n}\n\n/**\n * Execute the sign participant round 1 command.\n *\n * Responds to the sign invite with signing commitments.\n *\n * Port of `CommandArgs::exec()` from cmd/sign/participant/round1.rs lines 58-273.\n */\nexport async function round1(\n  _client: StorageClient | undefined,\n  options: SignRound1Options,\n  cwd: string,\n): Promise<SignRound1Result> {\n  // Validate options\n  if (options.storageSelection === undefined && options.preview !== true) {\n    throw new Error(\"Hubert storage is required for sign commit\");\n  }\n  if (options.storageSelection !== undefined && options.preview === true) {\n    throw new Error(\"--preview cannot be used with Hubert storage options\");\n  }\n\n  const registryPath = resolveRegistryPath(options.registryPath, cwd);\n  const registry = Registry.load(registryPath);\n\n  const owner = registry.owner();\n  if (!owner) {\n    throw new Error(\"Registry owner is required\");\n  }\n\n  const sessionId = parseAridUr(options.sessionId);\n  const groupHint = options.groupId !== undefined ? parseAridUr(options.groupId) : undefined;\n\n  // Load receive state\n  const receiveState = loadReceiveState(registryPath, sessionId, groupHint, registry);\n  const groupId = receiveState.groupId;\n\n  // Get group record\n  const groupRecord = registry.group(groupId);\n  if (groupRecord === null || groupRecord === undefined) {\n    throw new Error(\"Group not found in registry\");\n  }\n\n  // Get owner private keys\n  const ownerKeys = owner.xidDocument().inceptionPrivateKeys();\n  if (ownerKeys === undefined) {\n    throw new Error(\"Owner XID document has no private keys\");\n  }\n\n  // Validate the commit request\n  const sealedRequest = validateCommitRequest(receiveState, sessionId, owner.xid(), ownerKeys);\n\n  // Load key package\n  const contributions = groupRecord.contributions();\n  if (contributions === null || contributions === undefined) {\n    throw new Error(\"Key package path not found; did you finish DKG?\");\n  }\n  const keyPackagePath = contributions.keyPackage;\n  if (keyPackagePath === undefined) {\n    throw new Error(\"Key package path not found; did you finish DKG?\");\n  }\n\n  interface KeyPackageFile {\n    group: string;\n    key_package: SerializedKeyPackage;\n  }\n\n  const keyPackageFile = JSON.parse(fs.readFileSync(keyPackagePath, \"utf-8\")) as KeyPackageFile;\n  const keyPackage = deserializeKeyPackage(keyPackageFile.key_package);\n\n  // Parse target envelope\n  const targetEnvelope = Envelope.fromURString(receiveState.targetUr);\n\n  const signerPrivateKeys = owner.xidDocument().inceptionPrivateKeys();\n  if (signerPrivateKeys === undefined) {\n    throw new Error(\"Owner XID document has no signing keys\");\n  }\n\n  let sealedResponse: SealedResponse;\n  let nextShareArid: ARID | undefined;\n\n  if (options.rejectReason !== undefined) {\n    // Build rejection response\n    const errorBody = Envelope.new(\"signCommitReject\")\n      .addAssertion(\"group\", groupId)\n      .addAssertion(\"session\", sessionId)\n      .addAssertion(\"reason\", options.rejectReason);\n\n    sealedResponse = SealedResponse.newFailure(sealedRequest.request().id(), owner.xidDocument())\n      .withError(errorBody)\n      .withPeerContinuation(sealedRequest.peerContinuation());\n  } else {\n    // Run signing round 1 - generate nonces and commitments\n    const rng = createRng();\n    const [signingNonces, signingCommitments] = signingRound1(keyPackage, rng);\n\n    const nextShare = ARID.new();\n    nextShareArid = nextShare;\n\n    // Build response body\n    const responseBody = buildResponseBody(sessionId, signingCommitments, nextShare);\n\n    // Persist commit state (unless preview mode)\n    if (options.preview !== true) {\n      persistCommitState(\n        registryPath,\n        groupId,\n        sessionId,\n        receiveState,\n        signingNonces,\n        signingCommitments,\n        targetEnvelope,\n        nextShare,\n      );\n\n      // Update listening ARID for next request\n      const groupRecordMut = registry.group(groupId);\n      if (groupRecordMut !== null && groupRecordMut !== undefined) {\n        groupRecordMut.setListeningAtArid(nextShare);\n        registry.save(registryPath);\n      }\n    }\n\n    sealedResponse = SealedResponse.newSuccess(sealedRequest.request().id(), owner.xidDocument())\n      .withResult(responseBody)\n      .withPeerContinuation(sealedRequest.peerContinuation());\n  }\n\n  // Handle preview mode\n  if (options.preview === true) {\n    const unsealed = sealedResponse.toEnvelope(undefined, signerPrivateKeys, undefined);\n    const envelopeUr = unsealed.urString();\n    console.log(envelopeUr);\n    return {\n      accepted: options.rejectReason === undefined,\n      envelopeUr,\n    };\n  }\n\n  // Build encrypted response envelope\n  const validUntil = new Date(Date.now() + 60 * 60 * 1000); // 1 hour from now\n  const responseEnvelope = sealedResponse.toEnvelope(\n    validUntil,\n    signerPrivateKeys,\n    receiveState.coordinatorDoc,\n  );\n\n  // Post response to Hubert storage\n  if (options.storageSelection === undefined) {\n    throw new Error(\"Storage selection is required to post response\");\n  }\n  const client = await createStorageClient(options.storageSelection);\n\n  if (options.verbose === true) {\n    console.error(`Posting signInvite response to ${receiveState.responseArid.urString()}`);\n  }\n\n  await putWithIndicator(\n    client,\n    receiveState.responseArid,\n    responseEnvelope,\n    \"Commitments\",\n    options.verbose ?? false,\n  );\n\n  // On reject, clear listening ARID\n  if (options.rejectReason !== undefined) {\n    const groupRecordMut = registry.group(groupId);\n    if (groupRecordMut !== null && groupRecordMut !== undefined) {\n      groupRecordMut.clearListeningAtArid();\n      registry.save(registryPath);\n    }\n  }\n\n  const result: SignRound1Result = {\n    accepted: options.rejectReason === undefined,\n  };\n  if (nextShareArid !== undefined) {\n    result.listeningArid = nextShareArid.urString();\n  }\n  return result;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgFA,SAAS,iBACP,cACA,WACA,WACA,UACc;CACd,MAAM,OAAOA,UAAK,QAAQ,aAAa;CACvC,MAAM,gBAAgBA,UAAK,KAAK,MAAM,cAAc;CAGpD,IAAI;AACJ,KAAI,cAAc,KAAA,EAChB,aAAY,CAAC,CAAC,WAAWA,UAAK,KAAK,eAAe,UAAU,KAAK,CAAC,CAAC,CAAC;MAC/D;AACL,cAAY,EAAE;AACd,MAAIC,QAAG,WAAW,cAAc;QACzB,MAAM,SAASA,QAAG,YAAY,eAAe,EAAE,eAAe,MAAM,CAAC,CACxE,KAAI,MAAM,aAAa,EAAE;IACvB,MAAM,UAAU,MAAM;AAEtB,QAAI,QAAQ,WAAW,MAAM,iBAAiB,KAAK,QAAQ,EAAE;KAC3D,MAAM,UAAUC,iBAAAA,KAAK,QAAQ,QAAQ;AACrC,eAAU,KAAK,CAAC,SAASF,UAAK,KAAK,eAAe,QAAQ,CAAC,CAAC;;;;;CAQtE,MAAM,aAA+B,EAAE;AACvC,MAAK,MAAM,CAAC,SAAS,aAAa,WAAW;EAC3C,MAAM,YAAYA,UAAK,KAAK,UAAU,WAAW,UAAU,KAAK,EAAE,oBAAoB;AACtF,MAAIC,QAAG,WAAW,UAAU,CAC1B,YAAW,KAAK,CAAC,SAAS,UAAU,CAAC;;AAIzC,KAAI,WAAW,WAAW,EACxB,OAAM,IAAI,MACR,0FACD;AAEH,KAAI,WAAW,SAAS,EACtB,OAAM,IAAI,MAAM,oEAAoE;CAGtF,MAAM,CAAC,SAAS,YAAY,WAAW;CAavC,MAAM,MAAM,KAAK,MAAMA,QAAG,aAAa,UAAU,QAAQ,CAAC;CAG1D,MAAM,iBAAiBE,eAAAA,YAAY,IAAI,QAAQ;AAC/C,KAAI,eAAe,UAAU,KAAK,UAAU,UAAU,CACpD,OAAM,IAAI,MACR,WAAW,eAAe,UAAU,CAAC,yDAAyD,UAAU,UAAU,GACnH;CAGH,MAAM,eAAeA,eAAAA,YAAY,IAAI,cAAc;CACnD,MAAM,WAAW,IAAI;CACrB,MAAM,gBAAgB,IAAI;CAC1B,MAAM,iBAAiBC,iBAAAA,IAAI,aAAa,cAAc;CAGtD,IAAI;CACJ,MAAM,oBAAoB,SAAS,YAAY,eAAe;AAC9D,KAAI,sBAAsB,QAAQ,sBAAsB,KAAA,EACtD,kBAAiB,kBAAkB,aAAa;MAC3C;EACL,MAAM,QAAQ,SAAS,OAAO;AAC9B,MAAI,OAAO,KAAK,CAAC,UAAU,KAAK,eAAe,UAAU,CACvD,kBAAiB,MAAM,aAAa;MAEpC,OAAM,IAAI,MACR,eAAe,eAAe,UAAU,CAAC,0DAC1C;;CAKL,MAAM,kBAAkBC,eAAAA,SAAS,aAAa,IAAI,iBAAiB;CAGnE,MAAM,eAAsB,IAAI,aAAa,KAAK,MAAcD,iBAAAA,IAAI,aAAa,EAAE,CAAC;AAEpF,QAAO;EACL;EACA;EACA;EACA;EACA;EACA;EACD;;;;;;;AAQH,SAAS,sBACP,cACA,WACA,UACA,kBACe;CACf,MAAM,MAAME,YAAAA,SAAS,KAAK;CAG1B,MAAM,gBAAgBC,WAAAA,cAAc,gBAClC,aAAa,iBACb,KAAA,GACA,IAAI,UAAU,EACd,iBACD;AAGD,KAAI,CAAC,cAAc,SAAS,CAAC,UAAU,CAAC,OAAOC,eAAAA,SAAiB,WAAW,aAAa,CAAC,CACvF,OAAM,IAAI,MAAM,gCAAgC,OAAO,cAAc,SAAS,CAAC,UAAU,CAAC,GAAG;AAI/F,KAAI,cAAc,SAAS,CAAC,IAAI,CAAC,UAAU,KAAK,UAAU,UAAU,CAClE,OAAM,IAAI,MACR,8BAA8B,UAAU,UAAU,CAAC,YAAY,cAAc,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,GACxG;CAIH,MAAM,eAAe,cAAc,0BAAgC,QAAQ;AAC3E,KAAI,aAAa,UAAU,KAAK,aAAa,QAAQ,UAAU,CAC7D,OAAM,IAAI,MACR,4BAA4B,aAAa,QAAQ,UAAU,CAAC,YAAY,aAAa,UAAU,CAAC,GACjG;AAKH,KAAI,CADyB,aAAa,aAAa,KAAK,MAAM,EAAE,UAAU,CACrD,CAAC,SAAS,SAAS,UAAU,CAAC,CACrD,OAAM,IAAI,MAAM,iEAAiE;AAGnF,QAAO;;;;;;;AAQT,SAAS,kBACP,WACA,aACA,cACU;CAEV,MAAM,wBAAwBC,oBAAAA,4BAA4B,YAAY;CACtE,MAAM,UAAU,KAAK,UAAU,sBAAsB;CACrD,MAAM,YAAY,IAAI,aAAa,CAAC,OAAO,QAAQ;CACnD,MAAM,kBAAkBC,iBAAAA,KAAY,SAAS,UAAU;AAGvD,QAAOL,eAAAA,SAAS,MAAM,CACnB,QAAQ,qBAAqB,CAC7B,aAAa,WAAW,UAAU,CAClC,aAAa,eAAe,gBAAgB,gBAAgB,CAAC,CAC7D,aAAa,iBAAiB,aAAa;;;;;;;AAQhD,SAAS,mBACP,cACA,SACA,WACA,cACA,eACA,oBACA,gBACA,eACM;CACN,MAAM,MAAMM,iBAAAA,gBAAgB,cAAc,QAAQ,KAAK,EAAE,UAAU,KAAK,CAAC;AACzE,SAAG,UAAU,KAAK,EAAE,WAAW,MAAM,CAAC;CAGtC,MAAM,mBAAmBC,oBAAAA,uBAAuB,cAAc;CAC9D,MAAM,wBAAwBH,oBAAAA,4BAA4B,mBAAmB;CAG7E,MAAM,cAOF;EACF,SAAS,UAAU,UAAU;EAC7B,eAAe,aAAa,aAAa,UAAU;EACnD,iBAAiB,cAAc,UAAU;EACzC,QAAQ,eAAe,UAAU;EACjC,gBAAgB;EAChB,qBAAqB;EACtB;AAED,SAAG,cAAcT,UAAK,KAAK,KAAK,cAAc,EAAE,KAAK,UAAU,aAAa,MAAM,EAAE,CAAC;;;;;;;;;AAUvF,eAAsB,OACpB,SACA,SACA,KAC2B;AAE3B,KAAI,QAAQ,qBAAqB,KAAA,KAAa,QAAQ,YAAY,KAChE,OAAM,IAAI,MAAM,6CAA6C;AAE/D,KAAI,QAAQ,qBAAqB,KAAA,KAAa,QAAQ,YAAY,KAChE,OAAM,IAAI,MAAM,uDAAuD;CAGzE,MAAM,eAAea,uBAAAA,oBAAoB,QAAQ,cAAc,IAAI;CACnE,MAAM,WAAWC,uBAAAA,SAAS,KAAK,aAAa;CAE5C,MAAM,QAAQ,SAAS,OAAO;AAC9B,KAAI,CAAC,MACH,OAAM,IAAI,MAAM,6BAA6B;CAG/C,MAAM,YAAYX,eAAAA,YAAY,QAAQ,UAAU;CAIhD,MAAM,eAAe,iBAAiB,cAAc,WAHlC,QAAQ,YAAY,KAAA,IAAYA,eAAAA,YAAY,QAAQ,QAAQ,GAAG,KAAA,GAGP,SAAS;CACnF,MAAM,UAAU,aAAa;CAG7B,MAAM,cAAc,SAAS,MAAM,QAAQ;AAC3C,KAAI,gBAAgB,QAAQ,gBAAgB,KAAA,EAC1C,OAAM,IAAI,MAAM,8BAA8B;CAIhD,MAAM,YAAY,MAAM,aAAa,CAAC,sBAAsB;AAC5D,KAAI,cAAc,KAAA,EAChB,OAAM,IAAI,MAAM,yCAAyC;CAI3D,MAAM,gBAAgB,sBAAsB,cAAc,WAAW,MAAM,KAAK,EAAE,UAAU;CAG5F,MAAM,gBAAgB,YAAY,eAAe;AACjD,KAAI,kBAAkB,QAAQ,kBAAkB,KAAA,EAC9C,OAAM,IAAI,MAAM,kDAAkD;CAEpE,MAAM,iBAAiB,cAAc;AACrC,KAAI,mBAAmB,KAAA,EACrB,OAAM,IAAI,MAAM,kDAAkD;CASpE,MAAM,aAAaY,oBAAAA,sBADI,KAAK,MAAMd,QAAG,aAAa,gBAAgB,QAAQ,CACnB,CAAC,YAAY;CAGpE,MAAM,iBAAiBI,eAAAA,SAAS,aAAa,aAAa,SAAS;CAEnE,MAAM,oBAAoB,MAAM,aAAa,CAAC,sBAAsB;AACpE,KAAI,sBAAsB,KAAA,EACxB,OAAM,IAAI,MAAM,yCAAyC;CAG3D,IAAI;CACJ,IAAI;AAEJ,KAAI,QAAQ,iBAAiB,KAAA,GAAW;EAEtC,MAAM,YAAYA,eAAAA,SAAS,IAAI,mBAAmB,CAC/C,aAAa,SAAS,QAAQ,CAC9B,aAAa,WAAW,UAAU,CAClC,aAAa,UAAU,QAAQ,aAAa;AAE/C,mBAAiBW,WAAAA,eAAe,WAAW,cAAc,SAAS,CAAC,IAAI,EAAE,MAAM,aAAa,CAAC,CAC1F,UAAU,UAAU,CACpB,qBAAqB,cAAc,kBAAkB,CAAC;QACpD;EAGL,MAAM,CAAC,eAAe,sBAAsBC,oBAAAA,cAAc,YAD9CC,oBAAAA,WAC6D,CAAC;EAE1E,MAAM,YAAYhB,iBAAAA,KAAK,KAAK;AAC5B,kBAAgB;EAGhB,MAAM,eAAe,kBAAkB,WAAW,oBAAoB,UAAU;AAGhF,MAAI,QAAQ,YAAY,MAAM;AAC5B,sBACE,cACA,SACA,WACA,cACA,eACA,oBACA,gBACA,UACD;GAGD,MAAM,iBAAiB,SAAS,MAAM,QAAQ;AAC9C,OAAI,mBAAmB,QAAQ,mBAAmB,KAAA,GAAW;AAC3D,mBAAe,mBAAmB,UAAU;AAC5C,aAAS,KAAK,aAAa;;;AAI/B,mBAAiBc,WAAAA,eAAe,WAAW,cAAc,SAAS,CAAC,IAAI,EAAE,MAAM,aAAa,CAAC,CAC1F,WAAW,aAAa,CACxB,qBAAqB,cAAc,kBAAkB,CAAC;;AAI3D,KAAI,QAAQ,YAAY,MAAM;EAE5B,MAAM,aADW,eAAe,WAAW,KAAA,GAAW,mBAAmB,KAAA,EAC9C,CAAC,UAAU;AACtC,UAAQ,IAAI,WAAW;AACvB,SAAO;GACL,UAAU,QAAQ,iBAAiB,KAAA;GACnC;GACD;;CAIH,MAAM,aAAa,IAAI,KAAK,KAAK,KAAK,GAAG,OAAU,IAAK;CACxD,MAAM,mBAAmB,eAAe,WACtC,YACA,mBACA,aAAa,eACd;AAGD,KAAI,QAAQ,qBAAqB,KAAA,EAC/B,OAAM,IAAI,MAAM,iDAAiD;CAEnE,MAAM,SAAS,MAAMG,gBAAAA,oBAAoB,QAAQ,iBAAiB;AAElE,KAAI,QAAQ,YAAY,KACtB,SAAQ,MAAM,kCAAkC,aAAa,aAAa,UAAU,GAAG;AAGzF,OAAMC,aAAAA,iBACJ,QACA,aAAa,cACb,kBACA,eACA,QAAQ,WAAW,MACpB;AAGD,KAAI,QAAQ,iBAAiB,KAAA,GAAW;EACtC,MAAM,iBAAiB,SAAS,MAAM,QAAQ;AAC9C,MAAI,mBAAmB,QAAQ,mBAAmB,KAAA,GAAW;AAC3D,kBAAe,sBAAsB;AACrC,YAAS,KAAK,aAAa;;;CAI/B,MAAM,SAA2B,EAC/B,UAAU,QAAQ,iBAAiB,KAAA,GACpC;AACD,KAAI,kBAAkB,KAAA,EACpB,QAAO,gBAAgB,cAAc,UAAU;AAEjD,QAAO"}

package/dist/round2-BWz9SQIi.cjs

@@ -0,0 +1,305 @@
+const require_chunk = require("./chunk-CZWwpsFl.cjs");
+const require_registry_index = require("./registry/index.cjs");
+const require_common = require("./common-lKP5EzHy.cjs");
+const require_busy = require("./busy-EZU7EKr6.cjs");
+const require_frost_index = require("./frost/index.cjs");
+const require_common$1 = require("./common-lThIvJmZ.cjs");
+let _bcts_components = require("@bcts/components");
+let _bcts_dcbor = require("@bcts/dcbor");
+let _bcts_envelope = require("@bcts/envelope");
+let node_fs = require("node:fs");
+node_fs = require_chunk.__toESM(node_fs, 1);
+let node_path = require("node:path");
+node_path = require_chunk.__toESM(node_path, 1);
+let _frosts_ed25519 = require("@frosts/ed25519");
+let _frosts_core = require("@frosts/core");
+//#region src/cmd/sign/participant/round2.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*
+* Sign participant round 2 command.
+*
+* Port of cmd/sign/participant/round2.rs from frost-hubert-rust.
+*
+* @module
+*/
+var round2_exports = /* @__PURE__ */ require_chunk.__exportAll({ round2: () => round2 });
+/**
+* Load receive state from sign_receive.json.
+*
+* Port of `load_receive_state()` from cmd/sign/participant/round2.rs.
+*/
+function loadReceiveState(registryPath, sessionId, groupHint) {
+	const base = node_path.dirname(registryPath);
+	const groupStateDir = node_path.join(base, "group-state");
+	let groupDirs;
+	if (groupHint) groupDirs = [[groupHint, node_path.join(groupStateDir, groupHint.hex())]];
+	else {
+		groupDirs = [];
+		if (node_fs.existsSync(groupStateDir)) {
+			for (const entry of node_fs.readdirSync(groupStateDir, { withFileTypes: true })) if (entry.isDirectory() && entry.name.length === 64 && /^[0-9a-f]+$/i.test(entry.name)) {
+				const groupId = _bcts_components.ARID.fromHex(entry.name);
+				groupDirs.push([groupId, node_path.join(groupStateDir, entry.name)]);
+			}
+		}
+	}
+	const candidates = [];
+	for (const [groupId, groupDir] of groupDirs) {
+		const candidate = node_path.join(groupDir, "signing", sessionId.hex(), "sign_receive.json");
+		if (node_fs.existsSync(candidate)) candidates.push([groupId, candidate]);
+	}
+	if (candidates.length === 0) throw new Error("No sign_receive.json found for this session; run `frost sign participant receive` first");
+	if (candidates.length > 1) throw new Error("Multiple groups contain this session; use --group to disambiguate");
+	const [groupId, statePath] = candidates[0];
+	const raw = JSON.parse(node_fs.readFileSync(statePath, "utf-8"));
+	const getStr = (key) => {
+		const value = raw[key];
+		if (typeof value !== "string") throw new Error(`Missing or invalid ${key} in sign_receive.json`);
+		return value;
+	};
+	const sessionInState = require_common.parseAridUr(getStr("session"));
+	if (sessionInState.urString() !== sessionId.urString()) throw new Error(`Session ${sessionInState.urString()} in sign_receive.json does not match requested session ${sessionId.urString()}`);
+	const groupInState = require_common.parseAridUr(getStr("group"));
+	if (groupInState.urString() !== groupId.urString()) throw new Error(`Group ${groupInState.urString()} in sign_receive.json does not match directory group ${groupId.urString()}`);
+	const participantsVal = raw["participants"];
+	if (!participantsVal || !Array.isArray(participantsVal)) throw new Error("Missing participants in sign_receive.json");
+	const participants = [];
+	for (const entry of participantsVal) {
+		if (typeof entry !== "string") throw new Error("Invalid participant entry in sign_receive.json");
+		participants.push(_bcts_components.XID.fromURString(entry));
+	}
+	const minSigners = raw["min_signers"];
+	if (typeof minSigners !== "number") throw new Error("Missing min_signers in sign_receive.json");
+	return {
+		groupId,
+		participants,
+		minSigners,
+		targetUr: getStr("target")
+	};
+}
+/**
+* Load commit state from commit.json (includes nonces).
+*
+* Port of `load_commit_state()` from cmd/sign/participant/round2.rs.
+*/
+function loadCommitState(registryPath, groupId, sessionId) {
+	const dir = require_common$1.signingStateDir(registryPath, groupId.hex(), sessionId.hex());
+	const statePath = node_path.join(dir, "commit.json");
+	if (!node_fs.existsSync(statePath)) throw new Error(`Commit state not found at ${statePath}. Run \`frost sign participant commit\` first.`);
+	const raw = JSON.parse(node_fs.readFileSync(statePath, "utf-8"));
+	const getStr = (key) => {
+		const value = raw[key];
+		if (typeof value !== "string") throw new Error(`Missing or invalid ${key} in commit.json`);
+		return value;
+	};
+	const sessionInState = require_common.parseAridUr(getStr("session"));
+	if (sessionInState.urString() !== sessionId.urString()) throw new Error(`Session ${sessionInState.urString()} in commit.json does not match requested session ${sessionId.urString()}`);
+	const nextShareArid = require_common.parseAridUr(getStr("next_share_arid"));
+	const targetUr = getStr("target");
+	const noncesRaw = raw["signing_nonces"];
+	if (!noncesRaw) throw new Error("Missing signing_nonces in commit.json");
+	const hidingNonce = _frosts_core.Nonce.deserialize(_frosts_ed25519.Ed25519Sha512, _frosts_ed25519.serde.hexToBytes(noncesRaw["hiding"]));
+	const bindingNonce = _frosts_core.Nonce.deserialize(_frosts_ed25519.Ed25519Sha512, _frosts_ed25519.serde.hexToBytes(noncesRaw["binding"]));
+	const signingNonces = _frosts_core.SigningNonces.fromNonces(_frosts_ed25519.Ed25519Sha512, hidingNonce, bindingNonce);
+	const commitmentsRaw = raw["signing_commitments"];
+	if (!commitmentsRaw) throw new Error("Missing signing_commitments in commit.json");
+	return {
+		nextShareArid,
+		targetUr,
+		signingNonces,
+		signingCommitments: require_frost_index.deserializeSigningCommitments(commitmentsRaw)
+	};
+}
+/**
+* Validate the incoming GSTP request.
+*
+* Port of request validation logic from cmd/sign/participant/round2.rs.
+*/
+function validateShareRequest(sealedRequest, sessionId, expectedCoordinator) {
+	const expectedFunction = _bcts_envelope.Function.fromString("signRound2");
+	if (sealedRequest.function().equals(expectedFunction) !== true) throw new Error(`Unexpected request function: ${String(sealedRequest.function())}`);
+	if (sealedRequest.id().urString() !== sessionId.urString()) throw new Error(`Session ID mismatch (request ${sealedRequest.id().urString()}, expected ${sessionId.urString()})`);
+	if (sealedRequest.sender().xid().urString() !== expectedCoordinator.urString()) throw new Error(`Unexpected request sender: ${sealedRequest.sender().xid().urString()} (expected coordinator ${expectedCoordinator.urString()})`);
+}
+/**
+* Extract all commitments from the signRound2 request.
+*
+* Port of `parse_commitments()` from cmd/sign/participant/round2.rs.
+*/
+function extractCommitments(sealedRequest, receiveState) {
+	const commitments = /* @__PURE__ */ new Map();
+	const commitmentObjects = sealedRequest.objectsForParameter("commitment");
+	for (const entry of commitmentObjects) {
+		const xid = _bcts_components.XID.fromTaggedCbor(entry.subject().tryLeaf());
+		const commitmentsObjects = entry.objectsForPredicate("commitments");
+		if (commitmentsObjects.length === 0) throw new Error(`Missing commitments for participant ${xid.urString()}`);
+		const commitmentsJson = _bcts_components.JSON.fromTaggedCbor(commitmentsObjects[0].subject().tryLeaf());
+		const signingCommitments = require_frost_index.deserializeSigningCommitments(JSON.parse(commitmentsJson.asStr()));
+		const xidUr = xid.urString();
+		if (commitments.has(xidUr)) throw new Error(`Duplicate commitments for participant ${xidUr}`);
+		commitments.set(xidUr, signingCommitments);
+	}
+	if (commitments.size === 0) throw new Error("signRound2 request contains no commitments");
+	const expectedSet = new Set(receiveState.participants.map((p) => p.urString()));
+	const actualSet = new Set(commitments.keys());
+	const missing = [];
+	const extra = [];
+	for (const xid of expectedSet) if (!actualSet.has(xid)) missing.push(xid);
+	for (const xid of actualSet) if (!expectedSet.has(xid)) extra.push(xid);
+	if (missing.length > 0 || extra.length > 0) throw new Error(`signRound2 commitments do not match session participants (missing: ${missing.join(", ")}; extra: ${extra.join(", ")})`);
+	return commitments;
+}
+/**
+* Build a map from XID to FROST identifier (sorted participant order).
+*
+* Port of `xid_identifier_map()` from cmd/sign/participant/round2.rs.
+*/
+function xidIdentifierMap(participants) {
+	const map = /* @__PURE__ */ new Map();
+	for (let i = 0; i < participants.length; i++) {
+		const identifier = require_frost_index.identifierFromU16(i + 1);
+		map.set(participants[i].urString(), identifier);
+	}
+	return map;
+}
+/**
+* Build signing commitments with identifiers.
+*
+* Port of `commitments_with_identifiers()` from cmd/sign/participant/round2.rs.
+*/
+function commitmentsWithIdentifiers(commitments, xidToIdentifier) {
+	const mapped = /* @__PURE__ */ new Map();
+	for (const [xidUr, commits] of commitments) {
+		const identifier = xidToIdentifier.get(xidUr);
+		if (!identifier) throw new Error(`Unknown participant ${xidUr}`);
+		mapped.set(identifier, commits);
+	}
+	return mapped;
+}
+/**
+* Build the signRound2Response body envelope.
+*
+* Port of response body construction from cmd/sign/participant/round2.rs.
+*/
+function buildResponseBody(sessionId, signatureShare, finalizeArid) {
+	const shareHex = require_frost_index.serializeSignatureShare(signatureShare);
+	const shareJson = _bcts_components.JSON.fromString(JSON.stringify({ share: shareHex }));
+	return _bcts_envelope.Envelope.unit().addType("signRound2Response").addAssertion("session", sessionId).addAssertion("signature_share", shareJson).addAssertion("response_arid", finalizeArid);
+}
+/**
+* Persist share state to share.json.
+*
+* Port of `persist_share_state()` from cmd/sign/participant/round2.rs.
+*/
+function persistShareState(registryPath, groupId, sessionId, responseArid, finalizeArid, signatureShare, commitments) {
+	const dir = require_common$1.signingStateDir(registryPath, groupId.hex(), sessionId.hex());
+	node_fs.mkdirSync(dir, { recursive: true });
+	const commitmentsJson = {};
+	for (const [xidUr, commits] of commitments) commitmentsJson[xidUr] = require_frost_index.serializeSigningCommitments(commits);
+	const root = {
+		session: sessionId.urString(),
+		response_arid: responseArid.urString(),
+		finalize_arid: finalizeArid.urString(),
+		signature_share: { share: require_frost_index.serializeSignatureShare(signatureShare) },
+		commitments: commitmentsJson
+	};
+	node_fs.writeFileSync(node_path.join(dir, "share.json"), JSON.stringify(root, null, 2));
+}
+/**
+* Execute the sign participant round 2 command.
+*
+* Receives round 2 request and sends signature share.
+*
+* Port of `CommandArgs::exec()` from cmd/sign/participant/round2.rs.
+*/
+async function round2(client, options, cwd) {
+	const registryPath = require_registry_index.resolveRegistryPath(options.registryPath, cwd);
+	const registry = require_registry_index.Registry.load(registryPath);
+	const owner = registry.owner();
+	if (!owner) throw new Error("Registry owner is required");
+	const ownerXidDocument = owner.xidDocument();
+	const sessionId = require_common.parseAridUr(options.sessionId);
+	const receiveState = loadReceiveState(registryPath, sessionId, options.groupId ? require_common.parseAridUr(options.groupId) : void 0);
+	const groupId = receiveState.groupId;
+	const groupRecord = registry.group(groupId);
+	if (!groupRecord) throw new Error("Group not found in registry");
+	if (groupRecord.minSigners() !== receiveState.minSigners) throw new Error(`Session min_signers ${receiveState.minSigners} does not match registry ${groupRecord.minSigners()}`);
+	const registryParticipants = new Set(groupRecord.participants().map((p) => p.xid().urString()));
+	const sessionParticipants = new Set(receiveState.participants.map((p) => p.urString()));
+	if (registryParticipants.size !== sessionParticipants.size || ![...registryParticipants].every((p) => sessionParticipants.has(p))) throw new Error("Session participants do not match registry group participants");
+	if (!sessionParticipants.has(owner.xid().urString())) throw new Error("This participant is not part of the signing session");
+	const listeningAtArid = groupRecord.listeningAtArid();
+	if (!listeningAtArid) throw new Error("No listening ARID for signRound2. Did you run `frost sign participant commit`?");
+	const commitState = loadCommitState(registryPath, groupId, sessionId);
+	if (commitState.nextShareArid.urString() !== listeningAtArid.urString()) throw new Error(`Listening ARID in registry (${listeningAtArid.urString()}) does not match persisted commit state (${commitState.nextShareArid.urString()})`);
+	if (commitState.targetUr !== receiveState.targetUr) throw new Error("Target envelope in commit state does not match persisted signInvite request");
+	const keyPackagePath = groupRecord.contributions().keyPackage;
+	if (!keyPackagePath) throw new Error("Key package path not found; did you finish DKG?");
+	const keyPackage = require_frost_index.deserializeKeyPackage(JSON.parse(node_fs.readFileSync(keyPackagePath, "utf-8")).key_package);
+	const finalizeArid = _bcts_components.ARID.new();
+	const targetDigest = _bcts_envelope.Envelope.fromURString(receiveState.targetUr).subject().digest();
+	if (options.verbose === true) console.error("Fetching signRound2 request from Hubert...");
+	const requestEnvelope = await require_busy.getWithIndicator(client, listeningAtArid, "signRound2 request", options.timeoutSeconds, options.verbose ?? false);
+	if (!requestEnvelope) throw new Error("signRound2 request not found in Hubert storage");
+	const signerPrivateKeys = ownerXidDocument.inceptionPrivateKeys();
+	if (!signerPrivateKeys) throw new Error("Owner XID document has no private keys");
+	const { SealedRequest: SealedRequestClass } = require("@bcts/gstp");
+	const now = _bcts_dcbor.CborDate.now();
+	const sealedRequest = SealedRequestClass.tryFromEnvelope(requestEnvelope, void 0, now, signerPrivateKeys);
+	const expectedCoordinator = groupRecord.coordinator().xid();
+	validateShareRequest(sealedRequest, sessionId, expectedCoordinator);
+	const responseArid = sealedRequest.extractObjectForParameter("response_arid");
+	const commitmentsByXid = extractCommitments(sealedRequest, receiveState);
+	const myCommitments = commitmentsByXid.get(owner.xid().urString());
+	if (!myCommitments) throw new Error("signRound2 request missing commitments for this participant");
+	const myCommitmentsSerialized = require_frost_index.serializeSigningCommitments(myCommitments);
+	const storedCommitmentsSerialized = require_frost_index.serializeSigningCommitments(commitState.signingCommitments);
+	if (myCommitmentsSerialized.hiding !== storedCommitmentsSerialized.hiding || myCommitmentsSerialized.binding !== storedCommitmentsSerialized.binding) throw new Error("signRound2 request commitments do not match locally stored commitments");
+	const xidToIdentifier = xidIdentifierMap(receiveState.participants);
+	if (!xidToIdentifier.get(owner.xid().urString())) throw new Error("Identifier for participant not found");
+	if (keyPackage.minSigners !== receiveState.minSigners) throw new Error(`Key package min_signers ${keyPackage.minSigners} does not match session ${receiveState.minSigners}`);
+	if (commitmentsByXid.size < receiveState.minSigners) throw new Error(`signRound2 request contained ${commitmentsByXid.size} commitments but requires at least ${receiveState.minSigners} signers`);
+	const signatureShare = require_frost_index.signingRound2(require_frost_index.createSigningPackage(commitmentsWithIdentifiers(commitmentsByXid, xidToIdentifier), targetDigest.data()), commitState.signingNonces, keyPackage);
+	const responseBody = buildResponseBody(sessionId, signatureShare, finalizeArid);
+	const { SealedResponse: SealedResponseClass } = require("@bcts/gstp");
+	const sealedResponse = SealedResponseClass.newSuccess(sealedRequest.id(), ownerXidDocument).withResult(responseBody);
+	if (options.preview === true) {
+		const unsealed = sealedResponse.toEnvelope(void 0, signerPrivateKeys, void 0);
+		console.log(unsealed.urString());
+		return { listeningArid: finalizeArid.urString() };
+	}
+	let coordinatorDoc;
+	if (expectedCoordinator.urString() === owner.xid().urString()) coordinatorDoc = ownerXidDocument;
+	else {
+		const coordinatorRecord = registry.participant(expectedCoordinator);
+		if (!coordinatorRecord) throw new Error(`Coordinator ${expectedCoordinator.urString()} not found in registry`);
+		coordinatorDoc = coordinatorRecord.xidDocument();
+	}
+	const expiry = _bcts_dcbor.CborDate.withDurationFromNow(3600);
+	await require_busy.putWithIndicator(client, responseArid, sealedResponse.toEnvelope(expiry, signerPrivateKeys, coordinatorDoc), "Signature Share", options.verbose ?? false);
+	persistShareState(registryPath, groupId, sessionId, responseArid, finalizeArid, signatureShare, commitmentsByXid);
+	const groupRecordMutable = registry.group(groupId);
+	if (groupRecordMutable) {
+		groupRecordMutable.setListeningAtArid(finalizeArid);
+		registry.save(registryPath);
+	}
+	if (options.verbose === true) console.error(`Posted signature share to ${responseArid.urString()}`);
+	return { listeningArid: finalizeArid.urString() };
+}
+//#endregion
+Object.defineProperty(exports, "round2", {
+	enumerable: true,
+	get: function() {
+		return round2;
+	}
+});
+Object.defineProperty(exports, "round2_exports", {
+	enumerable: true,
+	get: function() {
+		return round2_exports;
+	}
+});
+
+//# sourceMappingURL=round2-BWz9SQIi.cjs.map