@bcts/frost-hubert 1.0.0-alpha.22 → 1.0.0-beta.0

package/src/cmd/common.ts

@@ -5,13 +5,31 @@
  *
  * Common utilities for commands.
  *
- * Port of cmd/common.rs from frost-hubert-rust.
+ * Port of `cmd/common.rs` from `frost-hubert-rust`.
+ *
+ * Rust's `cmd::common` exports four cross-cutting helpers used by
+ * both the DKG and signing subcommand trees:
+ *
+ * - `parse_arid_ur` / `signing_key_from_verifying` — re-exported
+ *   here so the TS module layout matches Rust. The implementations
+ *   live alongside their other DKG-specific siblings in
+ *   `cmd/dkg/common.ts` so callers in either tree can keep using
+ *   them; this file just surfaces them at the parallel-to-Rust
+ *   import path (`@bcts/frost-hubert/cmd/common`).
+ * - `group_state_dir` and the verbose-flag helpers are TS-native here.
+ *
+ * `OptionalStorageSelector` is intentionally not ported: it's a
+ * `clap`-specific argument struct and the TS port surfaces the same
+ * effect via the `StorageSelection` string-literal union — see the
+ * `parity audit` for context.
  *
  * @module
  */
 
 import * as path from "node:path";
 
+export { parseAridUr, signingKeyFromVerifying } from "./dkg/common.js";
+
 /**
  * Get the group state directory for a given registry path and group ID.
  *

package/src/cmd/dkg/common.ts

@@ -13,6 +13,7 @@
 import * as path from "node:path";
 
 import { type ARID, type XID } from "@bcts/components";
+import { compareXidBytes } from "../../dkg/proposed-participant.js";
 import { type Envelope } from "@bcts/envelope";
 import { UR } from "@bcts/uniform-resources";
 import { type XIDDocument } from "@bcts/xid";
@@ -30,19 +31,45 @@ export { groupStateDir } from "../common.js";
 /**
  * Parse an ARID from a UR string.
  *
- * Port of `parse_arid_ur()` from cmd/dkg/common.rs.
+ * Mirrors Rust `parse_arid_ur` (`cmd/common.rs:27-43`):
+ *
+ * 1. Trim and reject empty input.
+ * 2. Parse as a UR; require `ur_type` of `"arid"`.
+ * 3. Try `ARID::try_from(cbor)` (the tagged-CBOR form).
+ * 4. If that fails, fall back to interpreting the CBOR as a bare
+ *    byte string and constructing the ARID from those bytes via
+ *    `ARID::from_data_ref`.
+ *
+ * The earlier port only accepted the tagged form; this matches Rust
+ * by accepting the byte-string fallback too.
  */
 export function parseAridUr(urString: string): ARID {
-  const ur = UR.fromURString(urString.trim());
+  const trimmed = urString.trim();
+  if (trimmed.length === 0) {
+    throw new Error("ARID is required");
+  }
+  const ur = UR.fromURString(trimmed);
 
   if (ur.urTypeStr() !== "arid") {
-    throw new Error(`Expected ur:arid, found ur:${ur.urTypeStr()}`);
+    throw new Error(`Expected a ur:arid, found ur:${ur.urTypeStr()}`);
   }
 
   // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-require-imports, no-undef
   const { ARID: ARIDClass } = require("@bcts/components");
-  // eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
-  return ARIDClass.fromCbor(ur.cbor());
+  const cbor = ur.cbor();
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+    return ARIDClass.fromTaggedCbor(cbor);
+  } catch {
+    // Fall back to a bare byte string payload, mirroring Rust's
+    // `CBOR::try_into_byte_string(cbor) → ARID::from_data_ref(bytes)`.
+    const bytes = (cbor as { asByteString(): Uint8Array | undefined }).asByteString?.();
+    if (bytes === undefined) {
+      throw new Error("Invalid ARID payload");
+    }
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+    return ARIDClass.fromData(bytes);
+  }
 }
 
 /**
@@ -64,11 +91,15 @@ export function parseEnvelopeUr(urString: string): Envelope {
 }
 
 /**
- * Resolve the sender XID document from the registry.
+ * Resolve the registry owner's XID document.
  *
- * Port of `resolve_sender()` from cmd/dkg/common.rs.
+ * The earlier port called this `resolveSender(registry)`, but its
+ * behaviour — "give me the owner" — has nothing in common with Rust's
+ * `resolve_sender(registry, input)` (which resolves an arbitrary
+ * named sender). This helper is renamed to its actual behaviour;
+ * the Rust-equivalent `resolveSender(registry, input)` lives below.
  */
-export function resolveSender(registry: Registry): XIDDocument {
+export function resolveOwnerXidDocument(registry: Registry): XIDDocument {
   const owner = registry.owner();
 
   if (!owner) {
@@ -78,6 +109,59 @@ export function resolveSender(registry: Registry): XIDDocument {
   return owner.xidDocument();
 }
 
+/**
+ * Resolve a sender XID document from the registry by UR or pet name.
+ *
+ * Mirrors Rust `resolve_sender(registry, input)`
+ * (`cmd/dkg/common.rs:76-94`):
+ *
+ * 1. Trim and reject empty input.
+ * 2. Try parsing the input as a `ur:xid`. If that succeeds, look it
+ *    up via `registry.participant(xid)`; if no record is found,
+ *    error with `Sender with XID {ur} not found`.
+ * 3. Otherwise look it up by pet name via
+ *    `registry.participantByPetName(name)`; if no record is found,
+ *    error with `Sender with pet name '{name}' not found`.
+ *
+ * Note Rust does NOT check the owner here — only the participants
+ * map. The earlier inline duplicate in `participant/round1.ts` did
+ * an extra owner-check fallback which is removed to match Rust.
+ */
+export function resolveSender(registry: Registry, input: string): XIDDocument {
+  const trimmed = input.trim();
+  if (trimmed.length === 0) {
+    throw new Error("Sender is required");
+  }
+
+  // Try parsing as an XID UR string first. `XID.fromURString` throws
+  // when the input isn't a `ur:xid`; that's the signal to fall back
+  // to pet-name lookup.
+  let xid: XID | undefined;
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-require-imports, no-undef
+    const { XID: XIDClass } = require("@bcts/components");
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+    xid = XIDClass.fromURString(trimmed) as XID;
+  } catch {
+    xid = undefined;
+  }
+
+  if (xid !== undefined) {
+    const record = registry.participant(xid);
+    if (record !== undefined) {
+      return record.xidDocument();
+    }
+    throw new Error(`Sender with XID ${xid.urString()} not found`);
+  }
+
+  const result = registry.participantByPetName(trimmed);
+  if (result !== undefined) {
+    const [, record] = result;
+    return record.xidDocument();
+  }
+  throw new Error(`Sender with pet name '${trimmed}' not found`);
+}
+
 // -----------------------------------------------------------------------------
 // Participant resolution
 // -----------------------------------------------------------------------------
@@ -232,9 +316,12 @@ export function participantNamesFromRegistry(
   ownerXid: XID,
   ownerPetName: string | undefined,
 ): string[] {
-  // Sort by XID UR string
+  // Sort by XID byte order — mirrors Rust `XID::cmp` (raw 32-byte
+  // lex compare). The earlier port used
+  // `urString().localeCompare(...)`, which diverges from byte order
+  // for bytes ≥ 0x80 and is locale-aware.
   const sorted = [...participants].sort((a, b) =>
-    a.xid().urString().localeCompare(b.xid().urString()),
+    compareXidBytes(a.xid().toData(), b.xid().toData()),
   );
 
   return sorted.map((document) => {

package/src/cmd/dkg/coordinator/invite.ts

@@ -25,7 +25,7 @@ import {
 } from "../../../registry/index.js";
 import { putWithIndicator } from "../../busy.js";
 import { type StorageClient } from "../../storage.js";
-import { dkgStateDir, resolveParticipants, resolveSender } from "../common.js";
+import { dkgStateDir, resolveOwnerXidDocument, resolveParticipants } from "../common.js";
 
 /**
  * Options for the DKG invite command.
@@ -101,7 +101,10 @@ function buildInvite(
   }
 
   // Get sender (registry owner)
-  const sender = resolveSender(registry);
+  // The coordinator's invite always identifies the registry owner as
+  // the sender. (Rust reads `registry.owner()` directly here too —
+  // see `cmd/dkg/coordinator/invite.rs:74-77`.)
+  const sender = resolveOwnerXidDocument(registry);
 
   // Calculate dates
   const now = new Date();

package/src/cmd/dkg/participant/finalize.ts

@@ -14,6 +14,7 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 
 import { ARID, JSON as JSONWrapper, XID } from "@bcts/components";
+import { compareXidBytes } from "../../../dkg/proposed-participant.js";
 import { CborDate } from "@bcts/dcbor";
 import { Envelope, Function as EnvelopeFunction } from "@bcts/envelope";
 import { SealedRequest, SealedResponse } from "@bcts/gstp";
@@ -85,34 +86,61 @@ function loadRound2State(registryPath: string, groupId: ARID): Round2State {
     throw new Error(`Round 2 secret not found at ${round2SecretPath}. Did you run round2?`);
   }
 
+  // Mirrors Rust `frost::keys::dkg::round2::SecretPackage` JSON
+  // (`frost-rust/frost-core/src/keys/dkg.rs:269-287`):
+  //
+  //   {
+  //     "identifier": "<lowercase hex scalar>",
+  //     "commitment": ["<hex>", "<hex>", ...],
+  //     "secret_share": "<hex>",
+  //     "min_signers": <u16>,
+  //     "max_signers": <u16>
+  //   }
+  //
+  // The struct is `#[serde(deny_unknown_fields)]` and the
+  // `commitment` is a `VerifiableSecretSharingCommitment` (a
+  // single-field tuple struct over `Vec<CoefficientCommitment>`),
+  // which serde flattens to a bare JSON array. The earlier port
+  // emitted camelCase keys plus a nested `commitment.coefficients`
+  // shape and a numeric `identifier`, which Rust would reject and
+  // which had no chance of being read by Rust's standard derive.
   const secretJson = JSON.parse(fs.readFileSync(round2SecretPath, "utf-8")) as {
-    identifier: number;
-    commitment: {
-      coefficients: string[];
-    };
-    secretShare: string;
-    minSigners: number;
-    maxSigners: number;
+    identifier: string;
+    commitment: string[];
+    secret_share: string;
+    min_signers: number;
+    max_signers: number;
   };
 
-  // Reconstruct the round 2 secret package
-  const identifier = identifierFromU16(secretJson.identifier);
+  // Identifier hex → little-endian u16 (the FROST 1-indexed
+  // participant position). The scalar bytes are 32-LE for Ed25519, so
+  // the first two bytes hold the u16 value when the identifier is in
+  // the small-integer range (1..=N) used by the DKG.
+  const idBytes = hexToBytes(secretJson.identifier);
+  let identifierU16 = 1;
+  if (idBytes.length >= 2) {
+    identifierU16 = idBytes[0] | (idBytes[1] << 8);
+  }
+  if (identifierU16 === 0) {
+    identifierU16 = 1;
+  }
+  const identifier = identifierFromU16(identifierU16);
 
-  const coefficientCommitments = secretJson.commitment.coefficients.map((hex) =>
+  const coefficientCommitments = secretJson.commitment.map((hex) =>
     CoefficientCommitment.deserialize(Ed25519Sha512, hexToBytes(hex)),
   );
 
   const commitment = new VerifiableSecretSharingCommitment(Ed25519Sha512, coefficientCommitments);
 
-  const secretShareScalar = Ed25519Sha512.deserializeScalar(hexToBytes(secretJson.secretShare));
+  const secretShareScalar = Ed25519Sha512.deserializeScalar(hexToBytes(secretJson.secret_share));
 
   const secretPackage: DkgRound2SecretPackage = new round2.SecretPackage(
     Ed25519Sha512,
     identifier,
     commitment,
     secretShareScalar,
-    secretJson.minSigners,
-    secretJson.maxSigners,
+    secretJson.min_signers,
+    secretJson.max_signers,
   );
 
   // Load collected Round 1 packages (from round2 phase)
@@ -202,8 +230,11 @@ function extractFinalizePackages(
     sortedXids.push(ownerXid);
   }
 
-  // Sort by XID UR string
-  sortedXids.sort((a, b) => a.urString().localeCompare(b.urString()));
+  // Sort by XID byte order — mirrors Rust `XID::cmp` (raw 32-byte
+  // lex compare). The earlier port used `urString().localeCompare(...)`,
+  // which differs from byte order for any byte ≥ 0x80 and is locale-
+  // aware, producing different FROST identifier assignments than Rust.
+  sortedXids.sort((a, b) => compareXidBytes(a.toData(), b.toData()));
 
   // Deduplicate
   const deduped: XID[] = [];
@@ -401,8 +432,11 @@ export async function finalize(
     sortedXids.push(owner.xid());
   }
 
-  // Sort by XID UR string
-  sortedXids.sort((a, b) => a.urString().localeCompare(b.urString()));
+  // Sort by XID byte order — mirrors Rust `XID::cmp` (raw 32-byte
+  // lex compare). The earlier port used `urString().localeCompare(...)`,
+  // which differs from byte order for any byte ≥ 0x80 and is locale-
+  // aware, producing different FROST identifier assignments than Rust.
+  sortedXids.sort((a, b) => compareXidBytes(a.toData(), b.toData()));
 
   // Deduplicate
   const deduped: XID[] = [];
@@ -447,7 +481,7 @@ export async function finalize(
   );
 
   // Get the group verifying key
-  const verifyingKeyBytes = publicKeyPackage.verifyingKey as Uint8Array;
+  const verifyingKeyBytes = publicKeyPackage.verifyingKey;
   const groupVerifyingKey = signingKeyFromVerifying(verifyingKeyBytes);
 
   if (isVerbose() || options.verbose === true) {

package/src/cmd/dkg/participant/round1.ts

@@ -13,7 +13,8 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 
-import { ARID, JSON as JSONWrapper, XID } from "@bcts/components";
+import { ARID, JSON as JSONWrapper, type XID } from "@bcts/components";
+import { compareXidBytes } from "../../../dkg/proposed-participant.js";
 import { Envelope } from "@bcts/envelope";
 import { SealedResponse } from "@bcts/gstp";
 import type { XIDDocument } from "@bcts/xid";
@@ -32,6 +33,7 @@ import {
   groupParticipantFromRegistry,
   parseAridUr,
   parseEnvelopeUr,
+  resolveSender,
 } from "../common.js";
 import {
   dkgPart1,
@@ -154,7 +156,27 @@ function buildResponseBody(
  * so we manually serialize it here.
  */
 function serializeRound1SecretPackage(secret: DkgRound1SecretPackage): Record<string, unknown> {
-  // Access the coefficients and serialize them
+  // Mirrors the on-disk shape produced by Rust
+  // `serde_json::to_vec_pretty(&frost::keys::dkg::round1::SecretPackage)`
+  // (see `frost-rust/frost-core/src/keys/dkg.rs:120-139`):
+  //
+  //   {
+  //     "identifier": "<lowercase hex scalar>",
+  //     "coefficients": ["<hex>", "<hex>", ...],
+  //     "commitment": ["<hex>", "<hex>", ...],
+  //     "min_signers": <u16>,
+  //     "max_signers": <u16>
+  //   }
+  //
+  // `frost::keys::dkg::round1::SecretPackage` is `#[serde(deny_unknown_fields)]`
+  // and has no `header` field (the secret package is private to the
+  // participant). The earlier port emitted a top-level `header` which
+  // would fail `deny_unknown_fields` validation if Rust ever loaded
+  // the file.
+  //
+  // `Identifier`/`SerializableScalar` serialize via
+  // `serdect::array::serialize_hex_lower_or_bin` → lowercase hex for
+  // JSON, which `bytesToHex` produces.
   const coefficients = secret.coefficients();
   const serializedCoefficients = coefficients.map((c: unknown) =>
     bytesToHex(
@@ -162,12 +184,10 @@ function serializeRound1SecretPackage(secret: DkgRound1SecretPackage): Record<st
     ),
   );
 
-  // Get the commitment coefficients
   const commitment = secret.commitment;
   const commitmentCoefficients = commitment.serialize().map((c: Uint8Array) => bytesToHex(c));
 
   return {
-    header: serde.DEFAULT_HEADER,
     identifier: bytesToHex(secret.identifier.serialize()),
     coefficients: serializedCoefficients,
     commitment: commitmentCoefficients,
@@ -237,10 +257,13 @@ export async function round1(
     throw new Error("Registry owner with private keys is required");
   }
 
-  // Resolve expected sender if provided
+  // Resolve expected sender if provided. Uses the shared helper from
+  // `cmd/dkg/common.ts` (mirrors Rust `resolve_sender`); the
+  // duplicated inline implementation that this previously called has
+  // been removed.
   let expectedSender: XIDDocument | undefined;
   if (options.sender !== undefined) {
-    expectedSender = resolveSenderXidDocument(registry, options.sender);
+    expectedSender = resolveSender(registry, options.sender);
   }
 
   const nextResponseArid =
@@ -263,9 +286,14 @@ export async function round1(
     expectedSender,
   );
 
-  // Sort participants by XID and find our position
+  // Sort participants by XID byte order (mirrors Rust `XID::cmp` —
+  // raw 32-byte lex compare). The earlier port used
+  // `xid.urString().localeCompare(...)`, which differs from byte
+  // order when bytes ≥ 0x80 are present and is locale-aware,
+  // producing different FROST identifier assignments and therefore
+  // different secret shares than Rust.
   const sortedParticipants = [...details.participants].sort((a, b) =>
-    a.xid().urString().localeCompare(b.xid().urString()),
+    compareXidBytes(a.xid().toData(), b.xid().toData()),
   );
 
   const ownerIndex = sortedParticipants.findIndex(
@@ -436,33 +464,6 @@ export async function round1(
   }
 }
 
-/**
- * Resolve a sender XID document from the registry by UR or pet name.
- */
-function resolveSenderXidDocument(registry: Registry, raw: string): XIDDocument {
-  // Try parsing as XID UR first
-  try {
-    const xid = XID.fromURString(raw.trim());
-    const record = registry.participant(xid);
-    if (record) {
-      return record.xidDocument();
-    }
-    const owner = registry.owner();
-    if (owner?.xid().urString() === xid.urString()) {
-      return owner.xidDocument();
-    }
-    throw new Error(`Sender with XID ${xid.urString()} not found in registry`);
-  } catch {
-    // Try looking up by pet name
-    const result = registry.participantByPetName(raw.trim());
-    if (result) {
-      const [, record] = result;
-      return record.xidDocument();
-    }
-    const owner = registry.owner();
-    if (owner?.petName() === raw.trim()) {
-      return owner.xidDocument();
-    }
-    throw new Error(`Sender '${raw}' not found in registry`);
-  }
-}
+// `resolveSenderXidDocument` removed — it was an inline duplicate of
+// Rust `resolve_sender(registry, input)`. The shared helper now lives
+// in `cmd/dkg/common.ts` and is imported above.

package/src/cmd/dkg/participant/round2.ts

@@ -14,6 +14,7 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 
 import { ARID, JSON as JSONWrapper, XID } from "@bcts/components";
+import { compareXidBytes } from "../../../dkg/proposed-participant.js";
 import { CborDate } from "@bcts/dcbor";
 import { Envelope, Function as EnvelopeFunction } from "@bcts/envelope";
 import { SealedRequest, SealedResponse } from "@bcts/gstp";
@@ -87,8 +88,12 @@ function loadRound1State(registryPath: string, groupId: ARID): Round1State {
     );
   }
 
+  // Mirrors Rust `frost::keys::dkg::round1::SecretPackage` JSON
+  // (`frost-rust/frost-core/src/keys/dkg.rs:120-139`): no `header`,
+  // snake_case `min_signers` / `max_signers`, identifier and
+  // coefficients as lowercase hex strings, commitment as a flat array
+  // of hex strings.
   const secretJson = JSON.parse(fs.readFileSync(round1SecretPath, "utf-8")) as {
-    header: { version: number; ciphersuite: string };
     identifier: string;
     coefficients: string[];
     commitment: string[];
@@ -209,8 +214,11 @@ function extractRound1Packages(
     sortedXids.push(ownerXid);
   }
 
-  // Sort by XID UR string
-  sortedXids.sort((a, b) => a.urString().localeCompare(b.urString()));
+  // Sort by XID byte order — mirrors Rust `XID::cmp` (raw 32-byte
+  // lex compare). The earlier port used `urString().localeCompare(...)`,
+  // which differs from byte order for any byte ≥ 0x80 and is locale-
+  // aware, producing different FROST identifier assignments than Rust.
+  sortedXids.sort((a, b) => compareXidBytes(a.toData(), b.toData()));
 
   // Deduplicate
   const deduped: XID[] = [];
@@ -297,8 +305,11 @@ function buildResponseBody(
     sortedXids.push(participantXid);
   }
 
-  // Sort by XID UR string
-  sortedXids.sort((a, b) => a.urString().localeCompare(b.urString()));
+  // Sort by XID byte order — mirrors Rust `XID::cmp` (raw 32-byte
+  // lex compare). The earlier port used `urString().localeCompare(...)`,
+  // which differs from byte order for any byte ≥ 0x80 and is locale-
+  // aware, producing different FROST identifier assignments than Rust.
+  sortedXids.sort((a, b) => compareXidBytes(a.toData(), b.toData()));
 
   // Deduplicate
   const deduped: XID[] = [];
@@ -348,27 +359,45 @@ function buildResponseBody(
 /**
  * Serialize round 2 secret package to JSON format for persistence.
  *
- * The format matches what finalize.ts expects to deserialize.
+ * Mirrors the on-disk shape produced by Rust
+ * `serde_json::to_vec_pretty(&frost::keys::dkg::round2::SecretPackage)`
+ * (see `frost-rust/frost-core/src/keys/dkg.rs:269-287`):
+ *
+ * ```json
+ * {
+ *   "identifier": "<lowercase hex scalar>",
+ *   "commitment": ["<hex>", "<hex>", ...],
+ *   "secret_share": "<hex>",
+ *   "min_signers": <u16>,
+ *   "max_signers": <u16>
+ * }
+ * ```
+ *
+ * `frost::keys::dkg::round2::SecretPackage` is
+ * `#[serde(deny_unknown_fields)]`. The earlier port emitted
+ * camelCase keys (`secretShare`, `minSigners`, `maxSigners`), a
+ * nested `commitment.coefficients` shape, and a numeric
+ * `identifier` — all of which Rust's standard derive would
+ * reject and which had no chance of round-tripping with Rust.
+ *
+ * `participantIndex` is unused now that the identifier comes
+ * directly from `secret.identifier.serialize()`; we keep it in the
+ * signature for source-level parity with the call sites.
  */
 function serializeRound2SecretPackage(
   secret: DkgRound2SecretPackage,
-  participantIndex: number,
+  _participantIndex: number,
 ): Record<string, unknown> {
-  // Get the commitment coefficients
   const commitment = secret.commitment;
   const commitmentCoefficients = commitment.serialize().map((c: Uint8Array) => bytesToHex(c));
-
-  // Serialize the secret share
   const secretShare = bytesToHex(Ed25519Sha512.serializeScalar(secret.secretShare()));
 
   return {
-    identifier: participantIndex,
-    commitment: {
-      coefficients: commitmentCoefficients,
-    },
-    secretShare,
-    minSigners: secret.minSigners,
-    maxSigners: secret.maxSigners,
+    identifier: bytesToHex(secret.identifier.serialize()),
+    commitment: commitmentCoefficients,
+    secret_share: secretShare,
+    min_signers: secret.minSigners,
+    max_signers: secret.maxSigners,
   };
 }
 
@@ -576,15 +605,20 @@ export async function round2(
     };
   }
 
-  // Calculate participant index for serialization
-  // Sort participants by XID to find our position
-  const sortedXids = groupRecord.participants().map((p) => p.xid().urString());
-  const ownerXidStr = owner.xid().urString();
-  if (!sortedXids.includes(ownerXidStr)) {
-    sortedXids.push(ownerXidStr);
-  }
-  sortedXids.sort();
-  const participantIndex = sortedXids.indexOf(ownerXidStr) + 1; // 1-indexed
+  // Calculate participant index for serialization. Sort by XID byte
+  // order (mirrors Rust `XID::cmp`) so the 1-indexed position matches
+  // what the coordinator used when assigning FROST identifiers. The
+  // earlier port sorted by UR string via `Array.sort()` (default JS
+  // string compare), which diverges from Rust byte order for any
+  // byte ≥ 0x80.
+  const sortedParticipantXids: XID[] = groupRecord.participants().map((p) => p.xid());
+  const ownerXid = owner.xid();
+  const ownerXidStr = ownerXid.urString();
+  if (!sortedParticipantXids.some((x) => x.urString() === ownerXidStr)) {
+    sortedParticipantXids.push(ownerXid);
+  }
+  sortedParticipantXids.sort((a, b) => compareXidBytes(a.toData(), b.toData()));
+  const participantIndex = sortedParticipantXids.findIndex((x) => x.urString() === ownerXidStr) + 1; // 1-indexed
 
   // Persist Round 2 secret and collected round1 packages
   const round2SecretPath = persistRound2State(

package/src/cmd/sign/coordinator/round2.ts

@@ -25,6 +25,7 @@ import {
   JSON as JSONComponent,
 } from "@bcts/components";
 import { Envelope } from "@bcts/envelope";
+import { compareXidBytes } from "../../../dkg/proposed-participant.js";
 import { type XIDDocument } from "@bcts/xid";
 
 import { Registry, resolveRegistryPath } from "../../../registry/index.js";
@@ -405,7 +406,10 @@ function loadStartState(registryPath: string, sessionId: ARID, groupHint?: ARID)
   for (const xidStr of Object.keys(participantsVal)) {
     participants.push(XIDClass.fromURString(xidStr));
   }
-  participants.sort((a, b) => a.urString().localeCompare(b.urString()));
+  // Sort by XID byte order — mirrors Rust `XID::cmp` (raw 32-byte
+  // lex compare). The earlier port used
+  // `urString().localeCompare(...)`, which diverges for bytes ≥ 0x80.
+  participants.sort((a, b) => compareXidBytes(a.toData(), b.toData()));
 
   const targetUr = getStr("target");
 

package/src/cmd/sign/participant/finalize.ts

@@ -14,6 +14,7 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 
 import { ARID, type Digest, Signature, type SigningPublicKey, XID } from "@bcts/components";
+import { compareXidBytes } from "../../../dkg/proposed-participant.js";
 import { Envelope } from "@bcts/envelope";
 import { SealedEvent } from "@bcts/gstp";
 
@@ -191,8 +192,11 @@ function loadReceiveState(
 
   const targetUr = getStr("target");
 
-  // Sort participants by XID UR string
-  participants.sort((a, b) => a.urString().localeCompare(b.urString()));
+  // Sort participants by XID byte order — mirrors Rust `XID::cmp`.
+  // The earlier port used `urString().localeCompare(...)`, which
+  // diverges from byte order for bytes ≥ 0x80 and is locale-aware,
+  // producing a different signing-package order than Rust.
+  participants.sort((a, b) => compareXidBytes(a.toData(), b.toData()));
 
   return {
     groupId,

package/src/cmd/sign/participant/receive.ts

@@ -14,6 +14,7 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 
 import { type ARID, type XID } from "@bcts/components";
+import { compareXidBytes } from "../../../dkg/proposed-participant.js";
 import { CborDate } from "@bcts/dcbor";
 import type { Envelope } from "@bcts/envelope";
 
@@ -335,8 +336,10 @@ export async function receive(
     throw new Error("signInvite request missing response ARID");
   }
 
-  // Sort participants by XID
-  participants.sort((a, b) => a.urString().localeCompare(b.urString()));
+  // Sort participants by XID byte order — mirrors Rust `XID::cmp`.
+  // The earlier port used `urString().localeCompare(...)`, which
+  // diverges from byte order for bytes ≥ 0x80 and is locale-aware.
+  participants.sort((a, b) => compareXidBytes(a.toData(), b.toData()));
 
   const targetEnvelope = sealedRequest.objectForParameter("target");