@bcts/spqr 1.0.0-alpha.21

package/dist/index.iife.js

@@ -0,0 +1,4318 @@
+var bctsSpqr = (function(exports, _noble_hashes_hkdf_js, _noble_hashes_sha2_js, _noble_hashes_hmac_js, _noble_hashes_sha3_js, _noble_hashes_utils_js, _noble_post_quantum__crystals_js, _noble_post_quantum_ml_kem_js) {
+
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+//#region src/kdf.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* KDF wrappers for SPQR (HKDF-SHA256 and HMAC-SHA256).
+	*/
+	/**
+	* HKDF-SHA256 key derivation.
+	* @param ikm Input key material
+	* @param salt Salt (use ZERO_SALT for empty)
+	* @param info Context info string or bytes
+	* @param length Output length in bytes
+	*/
+	function hkdfSha256(ikm, salt, info, length) {
+		return (0, _noble_hashes_hkdf_js.hkdf)(_noble_hashes_sha2_js.sha256, ikm, salt, typeof info === "string" ? new TextEncoder().encode(info) : info, length);
+	}
+	/**
+	* HMAC-SHA256 computation.
+	*/
+	function hmacSha256(key, data) {
+		return (0, _noble_hashes_hmac_js.hmac)(_noble_hashes_sha2_js.sha256, key, data);
+	}
+
+//#endregion
+//#region src/util.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* Low-level utility functions for SPQR.
+	*/
+	/**
+	* Constant-time comparison of two byte arrays.
+	* Returns true if they are equal, false otherwise.
+	*
+	* Uses a XOR accumulator to avoid early-exit timing leaks.
+	*
+	* Limitation: Unlike Rust (#[inline(never)] + black_box), JavaScript
+	* cannot fully prevent JIT optimizations. In Node.js environments,
+	* callers requiring stronger guarantees should use
+	* crypto.timingSafeEqual directly.
+	*/
+	function constantTimeEqual(a, b) {
+		if (a.length !== b.length) return false;
+		let diff = 0;
+		for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+		return diff === 0;
+	}
+	/** Convert a bigint to 8-byte big-endian Uint8Array */
+	function bigintToBE8(value) {
+		const buf = new Uint8Array(8);
+		new DataView(buf.buffer).setBigUint64(0, value, false);
+		return buf;
+	}
+	/** Convert a number to 4-byte big-endian Uint8Array */
+	function uint32ToBE4(value) {
+		const buf = new Uint8Array(4);
+		new DataView(buf.buffer).setUint32(0, value, false);
+		return buf;
+	}
+	/** Concatenate multiple Uint8Arrays */
+	function concat(...arrays) {
+		let total = 0;
+		for (const a of arrays) total += a.length;
+		const result = new Uint8Array(total);
+		let offset = 0;
+		for (const a of arrays) {
+			result.set(a, offset);
+			offset += a.length;
+		}
+		return result;
+	}
+
+//#endregion
+//#region src/constants.ts
+/** HMAC-SHA256 MAC size */
+	const MAC_SIZE = 32;
+	/** Default max key index jump */
+	const DEFAULT_MAX_JUMP = 25e3;
+	/** Default max out-of-order keys stored */
+	const DEFAULT_MAX_OOO_KEYS = 2e3;
+	/** Number of epochs to keep prior to the current send epoch */
+	const EPOCHS_TO_KEEP_PRIOR_TO_SEND_EPOCH = 1;
+	/** Size of a key entry in KeyHistory: 4 bytes (index BE32) + 32 bytes (key) */
+	const KEY_ENTRY_SIZE = 36;
+	/** Chain initialization label (NOTE: two spaces before "Start") */
+	const LABEL_CHAIN_START = "Signal PQ Ratchet V1 Chain  Start";
+	/** Chain epoch advancement label */
+	const LABEL_CHAIN_ADD_EPOCH = "Signal PQ Ratchet V1 Chain Add Epoch";
+	/** Per-message key derivation label */
+	const LABEL_CHAIN_NEXT = "Signal PQ Ratchet V1 Chain Next";
+	/** Authenticator key ratchet label */
+	const LABEL_AUTH_UPDATE = "Signal_PQCKA_V1_MLKEM768:Authenticator Update";
+	/** Ciphertext MAC label */
+	const LABEL_CT_MAC = "Signal_PQCKA_V1_MLKEM768:ciphertext";
+	/** Header MAC label */
+	const LABEL_HDR_MAC = "Signal_PQCKA_V1_MLKEM768:ekheader";
+	/** Epoch secret derivation label */
+	const LABEL_SCKA_KEY = "Signal_PQCKA_V1_MLKEM768:SCKA Key";
+	/** 32-byte zero salt used in HKDF */
+	const ZERO_SALT = new Uint8Array(32);
+
+//#endregion
+//#region src/incremental-mlkem768.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* True incremental ML-KEM-768 implementation.
+	*
+	* Implements the libcrux-compatible incremental encapsulation split:
+	*
+	* - generate(): Splits the ML-KEM-768 public key into:
+	*     hdr (pk1, 64 bytes) = rho(32) + H(ek)(32)   -- where H = SHA3-256
+	*     ek  (pk2, 1152 bytes) = ByteEncode12(tHat)   -- the NTT vector
+	*
+	* - encaps1(hdr, rng): Uses only rho and H(ek) from the header to produce
+	*     a REAL ct1 (960 bytes), shared secret (32 bytes), and
+	*     encapsulation state (2080 bytes) for encaps2.
+	*
+	* - encaps2(ek, es): Completes the encapsulation using the tHat from pk2
+	*     and the stored NTT randomness. Returns ct2 (128 bytes).
+	*
+	* - decaps(dk, ct1, ct2): Standard ML-KEM-768 decapsulation.
+	*
+	* Wire-compatible with Signal's Rust libcrux incremental implementation.
+	*/
+	const N = 256;
+	const Q = 3329;
+	const F = 3303;
+	const ROOT_OF_UNITY = 17;
+	const K = 3;
+	const ETA1 = 2;
+	const ETA2 = 2;
+	const DU = 10;
+	const DV = 4;
+	/** Size of the public key header: rho(32) + H(ek)(32) */
+	const HEADER_SIZE = 64;
+	/** Size of the encapsulation key: ByteEncode12(tHat) = 3 * 384 = 1152 bytes */
+	const EK_SIZE = 1152;
+	/** Size of the first ciphertext fragment (ct[0..960]) */
+	const CT1_SIZE = 960;
+	/** Size of the second ciphertext fragment (ct[960..1088]) */
+	const CT2_SIZE = 128;
+	/** Standard ML-KEM-768 full public key size */
+	const FULL_PK_SIZE = 1184;
+	/** Standard ML-KEM-768 full ciphertext size */
+	const FULL_CT_SIZE = 1088;
+	/** Size of the keygen seed */
+	const KEYGEN_SEED_SIZE = 64;
+	/** Size of the encapsulation randomness (message m) */
+	const ENCAPS_SEED_SIZE = 32;
+	/**
+	* Size of the encapsulation state:
+	*   r_as_ntt: K(3) * N(256) * 2 = 1536 bytes
+	*   error2:   N(256) * 2 = 512 bytes
+	*   randomness: 32 bytes
+	*   Total: 2080 bytes
+	*/
+	const ES_SIZE = 2080;
+	const { mod, nttZetas, NTT, bitsCoder } = (0, _noble_post_quantum__crystals_js.genCrystals)({
+		N,
+		Q,
+		F,
+		ROOT_OF_UNITY,
+		newPoly: (n) => new Uint16Array(n),
+		brvBits: 7,
+		isKyber: true
+	});
+	function polyAdd(a, b) {
+		for (let i = 0; i < N; i++) a[i] = mod(a[i] + b[i]);
+	}
+	function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
+		return {
+			c0: mod(a1 * b1 * zeta + a0 * b0),
+			c1: mod(a0 * b1 + a1 * b0)
+		};
+	}
+	function MultiplyNTTs(f, g) {
+		for (let i = 0; i < N / 2; i++) {
+			let z = nttZetas[64 + (i >> 1)];
+			if ((i & 1) !== 0) z = -z;
+			const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z);
+			f[2 * i + 0] = c0;
+			f[2 * i + 1] = c1;
+		}
+		return f;
+	}
+	function SampleNTT(xof) {
+		const r = new Uint16Array(N);
+		for (let j = 0; j < N;) {
+			const b = xof();
+			if (b.length % 3 !== 0) throw new Error("SampleNTT: unaligned block");
+			for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
+				const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
+				const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
+				if (d1 < Q) r[j++] = d1;
+				if (j < N && d2 < Q) r[j++] = d2;
+			}
+		}
+		return r;
+	}
+	function sampleCBD(seed, nonce, eta) {
+		const len = eta * N / 4;
+		const buf = _noble_hashes_sha3_js.shake256.create({ dkLen: len }).update(seed).update(new Uint8Array([nonce])).digest();
+		const r = new Uint16Array(N);
+		const b32 = (0, _noble_hashes_utils_js.u32)(buf);
+		let bitLen = 0;
+		let p = 0;
+		let bb = 0;
+		let t0 = 0;
+		for (let b of b32) for (let j = 0; j < 32; j++) {
+			bb += b & 1;
+			b >>= 1;
+			bitLen += 1;
+			if (bitLen === eta) {
+				t0 = bb;
+				bb = 0;
+			} else if (bitLen === 2 * eta) {
+				r[p++] = mod(t0 - bb);
+				bb = 0;
+				bitLen = 0;
+			}
+		}
+		if (bitLen !== 0) throw new Error(`sampleCBD: leftover bits: ${bitLen}`);
+		return r;
+	}
+	const compress = (d) => {
+		if (d >= 12) return {
+			encode: (i) => i,
+			decode: (i) => i
+		};
+		const a = 2 ** (d - 1);
+		return {
+			encode: (i) => ((i << d) + Q / 2) / Q,
+			decode: (i) => i * Q + a >>> d
+		};
+	};
+	const polyCoder = (d) => bitsCoder(d, compress(d));
+	const poly12 = polyCoder(12);
+	const polyDU = polyCoder(DU);
+	const polyDV = polyCoder(DV);
+	const poly1 = polyCoder(1);
+	/**
+	* Encode the encapsulation state as 2080 bytes:
+	*   r_as_ntt: K polys, each 256 coefficients as uint16 LE = 1536 bytes
+	*   error2: 1 poly, 256 coefficients as uint16 LE = 512 bytes
+	*   randomness: 32 bytes (the message m)
+	*/
+	function encodeState(rHat, e2, m) {
+		const state = new Uint8Array(ES_SIZE);
+		let offset = 0;
+		for (let k = 0; k < K; k++) {
+			const poly = rHat[k];
+			for (let i = 0; i < N; i++) {
+				const val = poly[i];
+				state[offset++] = val & 255;
+				state[offset++] = val >> 8 & 255;
+			}
+		}
+		for (let i = 0; i < N; i++) {
+			const val = e2[i];
+			state[offset++] = val & 255;
+			state[offset++] = val >> 8 & 255;
+		}
+		state.set(m, offset);
+		return state;
+	}
+	/**
+	* Decode the encapsulation state from 2080 bytes.
+	* Includes the Issue 1275 endianness workaround.
+	*/
+	function decodeState(state) {
+		const st = fixIssue1275(state) ?? state;
+		let offset = 0;
+		const rHat = [];
+		for (let k = 0; k < K; k++) {
+			const poly = new Uint16Array(N);
+			for (let i = 0; i < N; i++) {
+				poly[i] = st[offset] | st[offset + 1] << 8;
+				offset += 2;
+			}
+			rHat.push(poly);
+		}
+		const e2 = new Uint16Array(N);
+		for (let i = 0; i < N; i++) {
+			e2[i] = st[offset] | st[offset + 1] << 8;
+			offset += 2;
+		}
+		return {
+			rHat,
+			e2,
+			m: st.slice(offset, offset + 32)
+		};
+	}
+	/**
+	* Port of Rust's potentially_fix_state_incorrectly_encoded_by_libcrux_issue_1275.
+	*
+	* Due to https://github.com/cryspen/libcrux/issues/1275, the encapsulation
+	* state may contain error2 coefficients with wrong endianness.
+	*
+	* Error2 values should be in [-2, 2] (ETA2=2 for ML-KEM-768).
+	* As uint16 LE, valid values are: 0x0000, 0x0001, 0x0002, 0xFFFF (-1), 0xFFFE (-2).
+	* Bad-endian equivalents: 0x0100, 0x0200, 0xFEFF.
+	*
+	* Returns a fixed copy if endianness is wrong, or null if state is OK.
+	*/
+	function fixIssue1275(es) {
+		const E2_START = K * N * 2;
+		const E2_END = E2_START + N * 2;
+		for (let i = E2_START; i < E2_END; i += 2) {
+			const val = es[i] | es[i + 1] << 8;
+			if (val === 0 || val === 65535) continue;
+			if (val === 1 || val === 2 || val === 65534) return null;
+			if (val === 256 || val === 512 || val === 65279) return flipEndianness(es);
+			return null;
+		}
+		return null;
+	}
+	/**
+	* Flip the endianness of all i16 values in the encapsulation state.
+	* The last 32 bytes (randomness) are NOT flipped.
+	*/
+	function flipEndianness(es) {
+		const fixed = new Uint8Array(es);
+		const coeffEnd = es.length - 32;
+		for (let i = 0; i < coeffEnd; i += 2) {
+			const tmp = fixed[i];
+			fixed[i] = fixed[i + 1];
+			fixed[i + 1] = tmp;
+		}
+		return fixed;
+	}
+	/**
+	* Generate an ML-KEM-768 keypair and split the public key.
+	*
+	* The ML-KEM-768 public key (1184 bytes) is:
+	*   tHat = pk[0..1152]    (ByteEncode12 of NTT vector)
+	*   rho  = pk[1152..1184]  (32-byte seed)
+	*
+	* The incremental split produces:
+	*   hdr (pk1) = rho(32) + SHA3-256(pk)(32) = 64 bytes
+	*   ek  (pk2) = tHat(1152) = ByteEncode12(tHat) = 1152 bytes
+	*
+	* @param rng - Random byte generator; must provide at least 64 bytes
+	* @returns Split key material
+	*/
+	function generate(rng) {
+		const seed = rng(KEYGEN_SEED_SIZE);
+		const { publicKey, secretKey } = _noble_post_quantum_ml_kem_js.ml_kem768.keygen(seed);
+		const tHat = publicKey.slice(0, EK_SIZE);
+		const rho = publicKey.slice(EK_SIZE);
+		const hEk = (0, _noble_hashes_sha3_js.sha3_256)(publicKey);
+		const hdr = new Uint8Array(HEADER_SIZE);
+		hdr.set(rho, 0);
+		hdr.set(hEk, 32);
+		return {
+			hdr,
+			ek: tHat,
+			dk: secretKey
+		};
+	}
+	/**
+	* Phase 1 of true incremental encapsulation.
+	*
+	* Uses only rho and H(ek) from the 64-byte header to produce:
+	* - REAL ct1 (960 bytes): compress_du(u) where u = NTT^-1(A^T * rHat) + e1
+	* - REAL shared secret: K-hat from SHA3-512(m || H(ek))
+	* - Encapsulation state (2080 bytes): r_as_ntt + error2 + m
+	*
+	* @param hdr - The 64-byte header: rho(32) + H(ek)(32)
+	* @param rng - Random byte generator
+	* @returns Real ct1, encapsulation state, and real shared secret
+	*/
+	function encaps1(hdr, rng) {
+		const rho = hdr.slice(0, 32);
+		const hEk = hdr.slice(32, 64);
+		const m = rng(ENCAPS_SEED_SIZE);
+		const kr = _noble_hashes_sha3_js.sha3_512.create().update(m).update(hEk).digest();
+		const kHat = kr.slice(0, 32);
+		const r = kr.slice(32, 64);
+		const rHat = [];
+		for (let i = 0; i < K; i++) rHat.push(NTT.encode(sampleCBD(r, i, ETA1)));
+		const x = (0, _noble_post_quantum__crystals_js.XOF128)(rho);
+		const u = [];
+		for (let i = 0; i < K; i++) {
+			const e1 = sampleCBD(r, K + i, ETA2);
+			const tmp = new Uint16Array(N);
+			for (let j = 0; j < K; j++) polyAdd(tmp, MultiplyNTTs(SampleNTT(x.get(i, j)), rHat[j].slice()));
+			polyAdd(e1, NTT.decode(tmp));
+			u.push(e1);
+		}
+		x.clean();
+		const ct1 = new Uint8Array(CT1_SIZE);
+		for (let i = 0; i < K; i++) {
+			const encoded = polyDU.encode(u[i]);
+			ct1.set(encoded, i * polyDU.bytesLen);
+		}
+		return {
+			ct1,
+			es: encodeState(rHat, sampleCBD(r, 2 * K, ETA2), m),
+			sharedSecret: kHat
+		};
+	}
+	/**
+	* Phase 2 of true incremental encapsulation.
+	*
+	* Uses the tHat from pk2 (ek) and the stored NTT randomness to compute ct2.
+	*
+	* @param ek - The 1152-byte encapsulation key (ByteEncode12(tHat))
+	* @param es - The 2080-byte encapsulation state from encaps1
+	* @returns ct2 (128 bytes) ONLY
+	*/
+	function encaps2(ek, es) {
+		const { rHat, e2, m } = decodeState(es);
+		const tHat = [];
+		for (let i = 0; i < K; i++) {
+			const slice = ek.subarray(i * poly12.bytesLen, (i + 1) * poly12.bytesLen);
+			tHat.push(poly12.decode(slice));
+		}
+		const tmp = new Uint16Array(N);
+		for (let i = 0; i < K; i++) polyAdd(tmp, MultiplyNTTs(tHat[i].slice(), rHat[i].slice()));
+		const v = NTT.decode(tmp);
+		polyAdd(v, e2);
+		polyAdd(v, poly1.decode(m));
+		return polyDV.encode(v);
+	}
+	/**
+	* Decapsulate a split ciphertext using the decapsulation key.
+	*
+	* Concatenates ct1 (960 bytes) and ct2 (128 bytes) into a standard
+	* 1088-byte ML-KEM-768 ciphertext, then performs standard decapsulation.
+	*
+	* @param dk - The 2400-byte decapsulation (secret) key
+	* @param ct1 - First ciphertext fragment (960 bytes)
+	* @param ct2 - Second ciphertext fragment (128 bytes)
+	* @returns The 32-byte shared secret
+	*/
+	function decaps(dk, ct1, ct2) {
+		const ct = new Uint8Array(FULL_CT_SIZE);
+		ct.set(ct1.subarray(0, CT1_SIZE), 0);
+		ct.set(ct2.subarray(0, CT2_SIZE), CT1_SIZE);
+		return _noble_post_quantum_ml_kem_js.ml_kem768.decapsulate(ct, dk);
+	}
+	/**
+	* Check whether an encapsulation key is consistent with a header.
+	*
+	* Reconstructs the full public key from pk2 (tHat) and pk1[0..32] (rho),
+	* computes SHA3-256 of the full pk, and compares with H(ek) in the header.
+	*
+	* @param ek - Encapsulation key (1152 bytes = ByteEncode12(tHat))
+	* @param hdr - Header (64 bytes = rho(32) + H(ek)(32))
+	* @returns true if ek is consistent with the header
+	*/
+	function ekMatchesHeader(ek, hdr) {
+		if (hdr.length < HEADER_SIZE || ek.length < EK_SIZE) return false;
+		const rho = hdr.slice(0, 32);
+		const expectedHash = hdr.slice(32, 64);
+		const pk = new Uint8Array(FULL_PK_SIZE);
+		pk.set(ek.subarray(0, EK_SIZE), 0);
+		pk.set(rho, EK_SIZE);
+		const actualHash = (0, _noble_hashes_sha3_js.sha3_256)(pk);
+		if (actualHash.length !== expectedHash.length) return false;
+		let diff = 0;
+		for (let i = 0; i < actualHash.length; i++) diff |= actualHash[i] ^ expectedHash[i];
+		return diff === 0;
+	}
+
+//#endregion
+//#region src/error.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* Error types for the SPQR protocol.
+	*/
+	var SpqrError = class extends Error {
+		constructor(message, code, detail) {
+			super(message);
+			this.code = code;
+			this.detail = detail;
+			this.name = "SpqrError";
+		}
+	};
+	let SpqrErrorCode = /* @__PURE__ */ function(SpqrErrorCode) {
+		SpqrErrorCode["StateDecode"] = "STATE_DECODE";
+		SpqrErrorCode["NotImplemented"] = "NOT_IMPLEMENTED";
+		SpqrErrorCode["MsgDecode"] = "MSG_DECODE";
+		SpqrErrorCode["MacVerifyFailed"] = "MAC_VERIFY_FAILED";
+		SpqrErrorCode["EpochOutOfRange"] = "EPOCH_OUT_OF_RANGE";
+		SpqrErrorCode["EncodingDecoding"] = "ENCODING_DECODING";
+		SpqrErrorCode["Serialization"] = "SERIALIZATION";
+		SpqrErrorCode["VersionMismatch"] = "VERSION_MISMATCH";
+		SpqrErrorCode["MinimumVersion"] = "MINIMUM_VERSION";
+		SpqrErrorCode["KeyJump"] = "KEY_JUMP";
+		SpqrErrorCode["KeyTrimmed"] = "KEY_TRIMMED";
+		SpqrErrorCode["KeyAlreadyRequested"] = "KEY_ALREADY_REQUESTED";
+		SpqrErrorCode["ErroneousDataReceived"] = "ERRONEOUS_DATA_RECEIVED";
+		SpqrErrorCode["SendKeyEpochDecreased"] = "SEND_KEY_EPOCH_DECREASED";
+		SpqrErrorCode["InvalidParams"] = "INVALID_PARAMS";
+		SpqrErrorCode["ChainNotAvailable"] = "CHAIN_NOT_AVAILABLE";
+		return SpqrErrorCode;
+	}({});
+	var AuthenticatorError = class extends Error {
+		constructor(message, code) {
+			super(message);
+			this.code = code;
+			this.name = "AuthenticatorError";
+		}
+	};
+
+//#endregion
+//#region src/v1/unchunked/send-ct.ts
+	const SCKA_KEY_LABEL$1 = new TextEncoder().encode(LABEL_SCKA_KEY);
+	/**
+	* Derive the epoch secret from the KEM shared secret.
+	*
+	* HKDF-SHA256(ikm=sharedSecret, salt=ZERO_SALT,
+	*             info=LABEL_SCKA_KEY || epoch_be8, length=32)
+	*
+	* Matches Rust: info = [b"Signal_PQCKA_V1_MLKEM768:SCKA Key", epoch.to_be_bytes()].concat()
+	*/
+	function deriveEpochSecret$1(epoch, sharedSecret) {
+		return {
+			epoch,
+			secret: hkdfSha256(sharedSecret, ZERO_SALT, concat(SCKA_KEY_LABEL$1, bigintToBE8(epoch)), 32)
+		};
+	}
+	/**
+	* Waiting to receive the header from the send_ek peer.
+	*/
+	var NoHeaderReceived$1 = class {
+		constructor(epoch, auth) {
+			this.epoch = epoch;
+			this.auth = auth;
+		}
+		/**
+		* Receive the header and verify its MAC.
+		*
+		* @param epoch - The epoch for this exchange (must match current epoch)
+		* @param hdr - The 64-byte public key header
+		* @param mac - The 32-byte HMAC-SHA256 MAC over the header
+		* @returns Next state
+		* @throws {AuthenticatorError} If the header MAC is invalid
+		*/
+		recvHeader(epoch, hdr, mac) {
+			this.auth.verifyHdr(epoch, hdr, mac);
+			return new HeaderReceived$1(this.epoch, this.auth, hdr);
+		}
+	};
+	/**
+	* The header has been received and verified. Ready to produce ct1.
+	*
+	* In the true incremental ML-KEM approach, sendCt1 performs encaps1
+	* using only the header (rho + H(ek)), producing REAL ct1 and shared
+	* secret. The epoch secret is derived here.
+	*/
+	var HeaderReceived$1 = class {
+		constructor(epoch, auth, hdr) {
+			this.epoch = epoch;
+			this.auth = auth;
+			this.hdr = hdr;
+		}
+		/**
+		* Generate encapsulation randomness and produce REAL ct1.
+		*
+		* Performs encaps1 using the header to produce:
+		* - Real ct1 (960 bytes)
+		* - Real shared secret -> epoch secret
+		* - Encapsulation state for later encaps2
+		*
+		* The authenticator is updated with the derived epoch secret.
+		*
+		* @param rng - Random byte generator
+		* @returns [nextState, real_ct1, epochSecret]
+		*/
+		sendCt1(rng) {
+			const { ct1, es, sharedSecret } = encaps1(this.hdr, rng);
+			const epochSecret = deriveEpochSecret$1(this.epoch, sharedSecret);
+			const auth = this.auth.clone();
+			auth.update(this.epoch, epochSecret.secret);
+			return [
+				new Ct1Sent(this.epoch, auth, this.hdr, es, ct1),
+				ct1,
+				epochSecret
+			];
+		}
+	};
+	/**
+	* Real ct1 has been produced. Waiting for the encapsulation key.
+	*
+	* Stores hdr, es(2080), and ct1(960) for the encaps2 phase.
+	*/
+	var Ct1Sent = class {
+		constructor(epoch, auth, hdr, es, ct1) {
+			this.epoch = epoch;
+			this.auth = auth;
+			this.hdr = hdr;
+			this.es = es;
+			this.ct1 = ct1;
+		}
+		/**
+		* Receive the encapsulation key and validate it against the header.
+		*
+		* In the true incremental approach, this simply validates and stores
+		* the ek for later use in sendCt2. No encapsulation happens here.
+		*
+		* @param ek - The 1152-byte encapsulation key from the send_ek peer
+		* @returns Next state
+		* @throws {SpqrError} If the ek does not match the header
+		*/
+		recvEk(ek) {
+			if (!ekMatchesHeader(ek, this.hdr)) throw new SpqrError("Encapsulation key does not match header", SpqrErrorCode.ErroneousDataReceived);
+			return new Ct1SentEkReceived(this.epoch, this.auth, this.es, ek, this.ct1);
+		}
+	};
+	/**
+	* The encapsulation key has been received and validated.
+	* Ready to send ct2.
+	*
+	* Stores es(2080), ek(1152), and ct1(960) for encaps2 + MAC.
+	*/
+	var Ct1SentEkReceived = class {
+		constructor(epoch, auth, es, ek, ct1) {
+			this.epoch = epoch;
+			this.auth = auth;
+			this.es = es;
+			this.ek = ek;
+			this.ct1 = ct1;
+		}
+		/**
+		* Produce ct2 by calling encaps2, then MAC over ct1 || ct2.
+		*
+		* @returns Result with next state, ct2, and MAC
+		*/
+		sendCt2() {
+			const ct2 = encaps2(this.ek, this.es);
+			const fullCt = concat(this.ct1, ct2);
+			const mac = this.auth.macCt(this.epoch, fullCt);
+			return {
+				state: new Ct2Sent(this.epoch, this.auth),
+				ct2,
+				mac
+			};
+		}
+	};
+	/**
+	* Terminal state for this epoch's send_ct exchange.
+	*
+	* The caller is responsible for creating the next epoch's
+	* send_ek::KeysUnsampled state from the epoch and auth.
+	*/
+	var Ct2Sent = class {
+		constructor(epoch, auth) {
+			this.epoch = epoch;
+			this.auth = auth;
+		}
+		/** The next epoch for the send_ek side */
+		get nextEpoch() {
+			return this.epoch + 1n;
+		}
+	};
+
+//#endregion
+//#region src/encoding/gf.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* GF(2^16) Galois field arithmetic.
+	* Ported from the Rust SPQR implementation.
+	*
+	* Primitive polynomial: x^16 + x^12 + x^3 + x + 1 (0x1100b)
+	*/
+	/** Primitive polynomial for GF(2^16): x^16 + x^12 + x^3 + x + 1 */
+	const POLY = 69643;
+	/**
+	* Build one entry of the reduction table.
+	*
+	* Given a single byte `a` that appears in positions [16..23] or [24..31] of
+	* a 32-bit product, compute the 16-bit XOR mask needed to reduce those bits
+	* modulo POLY.
+	*/
+	function reduceFromByte(a) {
+		let byte = a;
+		let out = 0;
+		for (let i = 7; i >= 0; i--) if ((1 << i & byte) !== 0) {
+			out ^= POLY << i;
+			byte ^= POLY << i >>> 16 & 255;
+		}
+		return out & 65535;
+	}
+	/** Precomputed 256-entry lookup table for polynomial reduction. */
+	const REDUCE_BYTES = /* @__PURE__ */ (() => {
+		const table = new Uint16Array(256);
+		for (let i = 0; i < 256; i++) table[i] = reduceFromByte(i);
+		return table;
+	})();
+	/**
+	* Polynomial multiplication in GF(2)[x] (no reduction).
+	*
+	* Both `a` and `b` must be in the range [0, 0xffff].
+	* The result may be up to 31 bits wide.
+	*/
+	function polyMul(a, b) {
+		let acc = 0;
+		for (let shift = 0; shift < 16; shift++) if ((b & 1 << shift) !== 0) acc ^= a << shift;
+		return acc >>> 0;
+	}
+	/**
+	* Reduce a 32-bit polynomial product modulo POLY, yielding a 16-bit result.
+	*
+	* Uses the precomputed REDUCE_BYTES table to process the top two bytes.
+	*/
+	function polyReduce(v) {
+		let r = v >>> 0;
+		r ^= REDUCE_BYTES[r >>> 24 & 255] << 8;
+		r ^= REDUCE_BYTES[r >>> 16 & 255];
+		return r & 65535;
+	}
+	/**
+	* Full GF(2^16) multiplication of two raw u16 values.
+	* Returns a u16 result.
+	*/
+	function mulRaw(a, b) {
+		return polyReduce(polyMul(a, b));
+	}
+	/**
+	* An element of GF(2^16).
+	*
+	* The `value` field holds a 16-bit unsigned integer in [0, 65535].
+	*/
+	var GF16 = class GF16 {
+		value;
+		constructor(value) {
+			this.value = value & 65535;
+		}
+		static ZERO = new GF16(0);
+		static ONE = new GF16(1);
+		/** Addition in GF(2^n) is XOR. */
+		add(other) {
+			return new GF16(this.value ^ other.value);
+		}
+		/** Subtraction in GF(2^n) is the same as addition (XOR). */
+		sub(other) {
+			return this.add(other);
+		}
+		/** Multiplication in GF(2^16) using polynomial long-multiplication + reduction. */
+		mul(other) {
+			return new GF16(mulRaw(this.value, other.value));
+		}
+		/**
+		* Division in GF(2^16).
+		*
+		* Computes `this / other` via Fermat's little theorem:
+		*   other^(-1) = other^(2^16 - 2)
+		*
+		* The loop accumulates the inverse through repeated squaring:
+		*   After 15 iterations (i = 1..15):
+		*     out = this * other^(2^16 - 2) = this * other^(-1)
+		*
+		* Throws if `other` is zero.
+		*/
+		div(other) {
+			if (other.value === 0) throw new Error("GF16: division by zero");
+			let sqVal = mulRaw(other.value, other.value);
+			let outVal = this.value;
+			for (let i = 1; i < 16; i++) {
+				const newSqVal = mulRaw(sqVal, sqVal);
+				const newOutVal = mulRaw(sqVal, outVal);
+				sqVal = newSqVal;
+				outVal = newOutVal;
+			}
+			return new GF16(outVal);
+		}
+		equals(other) {
+			return this.value === other.value;
+		}
+		toString() {
+			return `GF16(0x${this.value.toString(16).padStart(4, "0")})`;
+		}
+	};
+	/**
+	* Multiply every element of `into` by `a` in-place.
+	*
+	* This is the TypeScript equivalent of Rust's `parallel_mult` which benefits
+	* from SIMD on native platforms. Here we just iterate.
+	*/
+	function parallelMult(a, into) {
+		const av = a.value;
+		for (let i = 0; i < into.length; i++) into[i] = new GF16(mulRaw(av, into[i].value));
+	}
+
+//#endregion
+//#region src/encoding/polynomial.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* Polynomial erasure coding over GF(2^16).
+	* Ported from the Rust SPQR implementation.
+	*
+	* The encoder splits a message into 16 parallel polynomials and can produce
+	* an unlimited number of coded chunks. Any sufficient subset of chunks
+	* allows the decoder to reconstruct the original message via Lagrange
+	* interpolation.
+	*/
+	var PolynomialError = class extends Error {
+		constructor(message) {
+			super(message);
+			this.name = "PolynomialError";
+		}
+	};
+	const NUM_POLYS = 16;
+	const CHUNK_DATA_SIZE$1 = 32;
+	const MAX_MESSAGE_LENGTH = 65536 * NUM_POLYS;
+	/**
+	* A polynomial over GF(2^16) in coefficient form.
+	*
+	* Coefficients are stored in little-endian order:
+	*   coefficients[0] = constant term (x^0)
+	*   coefficients[1] = linear term (x^1)
+	*   ...
+	*/
+	var Poly = class Poly {
+		coefficients;
+		constructor(coefficients) {
+			this.coefficients = coefficients;
+		}
+		/** Create a zero polynomial of a given length. */
+		static zeros(len) {
+			const coeffs = new Array(len);
+			for (let i = 0; i < len; i++) coeffs[i] = GF16.ZERO;
+			return new Poly(coeffs);
+		}
+		/** Number of coefficients. */
+		get length() {
+			return this.coefficients.length;
+		}
+		/**
+		* Evaluate the polynomial at a given point using a divide-and-conquer
+		* approach for computing powers of x, then a dot product.
+		*
+		* xs[0] = 1, xs[1] = x, xs[i] = xs[floor(i/2)] * xs[floor(i/2) + (i%2)]
+		*/
+		computeAt(x) {
+			const n = this.coefficients.length;
+			if (n === 0) return GF16.ZERO;
+			if (n === 1) return this.coefficients[0];
+			const xs = new Array(n);
+			xs[0] = GF16.ONE;
+			if (n > 1) xs[1] = x;
+			for (let i = 2; i < n; i++) {
+				const half = i >>> 1;
+				const rem = i & 1;
+				xs[i] = xs[half].mul(xs[half + rem]);
+			}
+			let result = GF16.ZERO;
+			for (let i = 0; i < n; i++) result = result.add(this.coefficients[i].mul(xs[i]));
+			return result;
+		}
+		/** Add another polynomial to this one in-place. */
+		addAssign(other) {
+			while (this.coefficients.length < other.coefficients.length) this.coefficients.push(GF16.ZERO);
+			for (let i = 0; i < other.coefficients.length; i++) this.coefficients[i] = this.coefficients[i].add(other.coefficients[i]);
+		}
+		/** Multiply all coefficients by a scalar in-place. */
+		multAssign(m) {
+			parallelMult(m, this.coefficients);
+		}
+		/** Serialize coefficients as big-endian u16 pairs. */
+		serialize() {
+			const out = new Uint8Array(this.coefficients.length * 2);
+			for (let i = 0; i < this.coefficients.length; i++) {
+				const v = this.coefficients[i].value;
+				out[i * 2] = v >>> 8 & 255;
+				out[i * 2 + 1] = v & 255;
+			}
+			return out;
+		}
+		/** Deserialize from big-endian u16 pairs. */
+		static deserialize(data) {
+			if (data.length % 2 !== 0) throw new PolynomialError("Poly data length must be even");
+			const n = data.length / 2;
+			const coeffs = new Array(n);
+			for (let i = 0; i < n; i++) coeffs[i] = new GF16(data[i * 2] << 8 | data[i * 2 + 1]);
+			return new Poly(coeffs);
+		}
+		/**
+		* Lagrange interpolation over a set of points.
+		*
+		* Given N points (x_i, y_i), produces the unique polynomial of degree < N
+		* passing through all of them.
+		*/
+		static lagrangeInterpolate(pts) {
+			const n = pts.length;
+			if (n === 0) return new Poly([]);
+			let product = new Poly([pts[0].x, GF16.ONE]);
+			for (let i = 1; i < n; i++) product = polyMultiply(product, new Poly([pts[i].x, GF16.ONE]));
+			const result = Poly.zeros(n);
+			for (let i = 0; i < n; i++) {
+				const basis = syntheticDivide(product, pts[i].x);
+				const denom = basis.computeAt(pts[i].x);
+				const scale = pts[i].y.div(denom);
+				const scaled = clonePoly(basis);
+				scaled.multAssign(scale);
+				result.addAssign(scaled);
+			}
+			return result;
+		}
+	};
+	/** Multiply two polynomials (convolution over GF(2^16)). */
+	function polyMultiply(a, b) {
+		if (a.length === 0 || b.length === 0) return new Poly([]);
+		const result = Poly.zeros(a.length + b.length - 1);
+		for (let i = 0; i < a.length; i++) for (let j = 0; j < b.length; j++) result.coefficients[i + j] = result.coefficients[i + j].add(a.coefficients[i].mul(b.coefficients[j]));
+		return result;
+	}
+	/**
+	* Synthetic division: divide poly by (x - root) = (x + root) in GF(2^n).
+	*
+	* Returns the quotient polynomial (degree one less than input).
+	*/
+	function syntheticDivide(poly, root) {
+		const n = poly.length;
+		if (n <= 1) return new Poly([]);
+		const quotient = new Array(n - 1);
+		let carry = GF16.ZERO;
+		for (let i = n - 1; i >= 1; i--) {
+			const coeff = poly.coefficients[i].add(carry);
+			quotient[i - 1] = coeff;
+			carry = coeff.mul(root);
+		}
+		return new Poly(quotient);
+	}
+	/** Clone a polynomial (shallow copy of coefficient array). */
+	function clonePoly(p) {
+		return new Poly(p.coefficients.slice());
+	}
+	var SortedPtSet = class SortedPtSet {
+		pts = [];
+		get length() {
+			return this.pts.length;
+		}
+		/** Insert a point, maintaining sorted order. Returns false if duplicate x. */
+		insert(pt) {
+			const idx = this.findIndex(pt.x.value);
+			if (idx < this.pts.length && this.pts[idx].x.value === pt.x.value) return false;
+			this.pts.splice(idx, 0, pt);
+			return true;
+		}
+		/** Binary search for the insertion point of a given x value. */
+		findIndex(xVal) {
+			let lo = 0;
+			let hi = this.pts.length;
+			while (lo < hi) {
+				const mid = lo + hi >>> 1;
+				if (this.pts[mid].x.value < xVal) lo = mid + 1;
+				else hi = mid;
+			}
+			return lo;
+		}
+		/** Look up a point by x value. Returns undefined if not found. */
+		findByX(xVal) {
+			const idx = this.findIndex(xVal);
+			if (idx < this.pts.length && this.pts[idx].x.value === xVal) return this.pts[idx];
+		}
+		/** Return all points as an array (for interpolation). */
+		toArray() {
+			return this.pts.slice();
+		}
+		/** Serialize all points as big-endian u16 pairs (x then y). */
+		serialize() {
+			const out = new Uint8Array(this.pts.length * 4);
+			for (let i = 0; i < this.pts.length; i++) {
+				const pt = this.pts[i];
+				out[i * 4] = pt.x.value >>> 8 & 255;
+				out[i * 4 + 1] = pt.x.value & 255;
+				out[i * 4 + 2] = pt.y.value >>> 8 & 255;
+				out[i * 4 + 3] = pt.y.value & 255;
+			}
+			return out;
+		}
+		/** Deserialize from big-endian u16 pairs (x then y). */
+		static deserialize(data) {
+			if (data.length % 4 !== 0) throw new PolynomialError("SortedPtSet data length must be multiple of 4");
+			const set = new SortedPtSet();
+			const n = data.length / 4;
+			for (let i = 0; i < n; i++) {
+				const x = new GF16(data[i * 4] << 8 | data[i * 4 + 1]);
+				const y = new GF16(data[i * 4 + 2] << 8 | data[i * 4 + 3]);
+				set.insert({
+					x,
+					y
+				});
+			}
+			return set;
+		}
+	};
+	var PolyEncoder = class PolyEncoder {
+		idx;
+		state;
+		constructor(idx, state) {
+			this.idx = idx;
+			this.state = state;
+		}
+		/**
+		* Create an encoder from a message byte array.
+		*
+		* The message is split into 16 interleaved streams of GF16 values.
+		* Each pair of consecutive bytes becomes one GF16 element. If the message
+		* length is odd, it is padded with a zero byte.
+		*/
+		static encodeBytes(msg) {
+			if (msg.length % 2 !== 0) throw new PolynomialError("Message length must be even");
+			if (msg.length > MAX_MESSAGE_LENGTH) throw new PolynomialError("Message length exceeds maximum");
+			const totalValues = msg.length / 2;
+			const points = new Array(NUM_POLYS);
+			for (let p = 0; p < NUM_POLYS; p++) points[p] = [];
+			for (let i = 0; i < totalValues; i++) {
+				const poly = i % NUM_POLYS;
+				const value = msg[i * 2] << 8 | msg[i * 2 + 1];
+				points[poly].push(new GF16(value));
+			}
+			return new PolyEncoder(0, {
+				kind: "points",
+				points
+			});
+		}
+		/** Return the next chunk and advance the index. */
+		nextChunk() {
+			const chunk = this.chunkAt(this.idx);
+			this.idx++;
+			return chunk;
+		}
+		/** Compute the chunk at a specific index. */
+		chunkAt(idx) {
+			const data = new Uint8Array(CHUNK_DATA_SIZE$1);
+			for (let i = 0; i < NUM_POLYS; i++) {
+				const totalIdx = idx * NUM_POLYS + i;
+				const poly = totalIdx % NUM_POLYS;
+				const polyIdx = Math.floor(totalIdx / NUM_POLYS);
+				const val = this.pointAt(poly, polyIdx);
+				data[i * 2] = val.value >>> 8 & 255;
+				data[i * 2 + 1] = val.value & 255;
+			}
+			return {
+				index: idx & 65535,
+				data
+			};
+		}
+		/**
+		* Get the GF16 value for polynomial `poly` at index `idx`.
+		*
+		* If we are in Points state and the index is within range, return directly.
+		* Otherwise, convert to Polys state and evaluate.
+		*/
+		pointAt(poly, idx) {
+			if (this.state.kind === "points") {
+				const pts = this.state.points[poly];
+				if (idx < pts.length) return pts[idx];
+				this.convertToPolys();
+			}
+			return this.state.polys[poly].computeAt(new GF16(idx));
+		}
+		/** Convert from Points state to Polys state via Lagrange interpolation. */
+		convertToPolys() {
+			if (this.state.kind === "polys") return;
+			const { points } = this.state;
+			const polys = new Array(NUM_POLYS);
+			for (let p = 0; p < NUM_POLYS; p++) {
+				const pts = points[p].map((y, i) => ({
+					x: new GF16(i),
+					y
+				}));
+				polys[p] = Poly.lagrangeInterpolate(pts);
+			}
+			this.state = {
+				kind: "polys",
+				polys
+			};
+		}
+		/** Serialize encoder state for protobuf transport. */
+		toProto() {
+			if (this.state.kind === "points") {
+				const pts = this.state.points.map((arr) => {
+					const buf = new Uint8Array(arr.length * 2);
+					for (let i = 0; i < arr.length; i++) {
+						buf[i * 2] = arr[i].value >>> 8 & 255;
+						buf[i * 2 + 1] = arr[i].value & 255;
+					}
+					return buf;
+				});
+				return {
+					idx: this.idx,
+					pts,
+					polys: []
+				};
+			}
+			const polys = this.state.polys.map((p) => p.serialize());
+			return {
+				idx: this.idx,
+				pts: [],
+				polys
+			};
+		}
+		/** Restore encoder from protobuf data. */
+		static fromProto(data) {
+			if (data.polys.length > 0) {
+				const polys = data.polys.map((buf) => Poly.deserialize(buf));
+				return new PolyEncoder(data.idx, {
+					kind: "polys",
+					polys
+				});
+			}
+			const points = data.pts.map((buf) => {
+				const arr = [];
+				for (let i = 0; i < buf.length; i += 2) arr.push(new GF16(buf[i] << 8 | buf[i + 1]));
+				return arr;
+			});
+			return new PolyEncoder(data.idx, {
+				kind: "points",
+				points
+			});
+		}
+	};
+	var PolyDecoder = class PolyDecoder {
+		/** Total number of GF16 values needed (= message byte length / 2, rounded up). */
+		ptsNeeded;
+		pts;
+		_isComplete;
+		constructor(ptsNeeded, pts, isComplete) {
+			this.ptsNeeded = ptsNeeded;
+			this.pts = pts;
+			this._isComplete = isComplete;
+		}
+		/**
+		* Create a decoder for a message of `lenBytes` bytes.
+		*
+		* The caller must know the original message length to know when enough
+		* chunks have been received.
+		*/
+		static create(lenBytes) {
+			if (lenBytes % 2 !== 0) throw new PolynomialError("Message length must be even");
+			const ptsNeeded = lenBytes / 2;
+			const pts = new Array(NUM_POLYS);
+			for (let i = 0; i < NUM_POLYS; i++) pts[i] = new SortedPtSet();
+			return new PolyDecoder(ptsNeeded, pts, false);
+		}
+		/** Whether all polynomial sets have enough points to decode. */
+		get isComplete() {
+			return this._isComplete;
+		}
+		/**
+		* Number of points necessary for polynomial `poly`.
+		*
+		* The total points (ptsNeeded) are distributed across 16 polynomials
+		* round-robin, so some may need one more point than others.
+		*/
+		necessaryPoints(poly) {
+			const base = Math.floor(this.ptsNeeded / NUM_POLYS);
+			return poly < this.ptsNeeded % NUM_POLYS ? base + 1 : base;
+		}
+		/** Add a chunk to the decoder. */
+		addChunk(chunk) {
+			if (this._isComplete) return;
+			for (let i = 0; i < NUM_POLYS; i++) {
+				const totalIdx = chunk.index * NUM_POLYS + i;
+				const poly = totalIdx % NUM_POLYS;
+				const polyIdx = Math.floor(totalIdx / NUM_POLYS);
+				const needed = this.necessaryPoints(poly);
+				if (this.pts[poly].length >= needed) continue;
+				const y = new GF16(chunk.data[i * 2] << 8 | chunk.data[i * 2 + 1]);
+				const pt = {
+					x: new GF16(polyIdx),
+					y
+				};
+				this.pts[poly].insert(pt);
+			}
+			this._isComplete = this.checkComplete();
+		}
+		/** Check whether all 16 polynomial sets have enough points. */
+		checkComplete() {
+			for (let p = 0; p < NUM_POLYS; p++) if (this.pts[p].length < this.necessaryPoints(p)) return false;
+			return true;
+		}
+		/**
+		* Attempt to decode the message.
+		*
+		* Returns the decoded byte array if enough chunks have been received,
+		* or null if more chunks are needed.
+		*/
+		decodedMessage() {
+			if (!this._isComplete) return null;
+			const result = new Uint8Array(this.ptsNeeded * 2);
+			for (let i = 0; i < this.ptsNeeded; i++) {
+				const poly = i % NUM_POLYS;
+				const xVal = Math.floor(i / NUM_POLYS);
+				let val;
+				const direct = this.pts[poly].findByX(xVal);
+				if (direct !== void 0) val = direct.y;
+				else {
+					const allPts = this.pts[poly].toArray();
+					val = Poly.lagrangeInterpolate(allPts).computeAt(new GF16(xVal));
+				}
+				result[i * 2] = val.value >>> 8 & 255;
+				result[i * 2 + 1] = val.value & 255;
+			}
+			return result;
+		}
+		/** Serialize decoder state for protobuf transport. */
+		toProto() {
+			return {
+				ptsNeeded: this.ptsNeeded,
+				polys: NUM_POLYS,
+				pts: this.pts.map((s) => s.serialize()),
+				isComplete: this._isComplete
+			};
+		}
+		/** Restore decoder from protobuf data. */
+		static fromProto(data) {
+			const pts = data.pts.map((buf) => SortedPtSet.deserialize(buf));
+			while (pts.length < NUM_POLYS) pts.push(new SortedPtSet());
+			return new PolyDecoder(data.ptsNeeded, pts, data.isComplete);
+		}
+	};
+
+//#endregion
+//#region src/authenticator.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* SPQR Authenticator -- HMAC-SHA256 MAC for KEM exchanges.
+	*
+	* Ported from Signal's spqr crate: authenticator.rs
+	*
+	* The Authenticator produces and verifies MACs over ciphertext and header
+	* data using HMAC-SHA256. The internal rootKey and macKey are updated
+	* via HKDF at each epoch transition.
+	*
+	* All info strings and data formats MUST match the Rust implementation exactly.
+	*/
+	const enc$1 = new TextEncoder();
+	const AUTH_UPDATE_INFO = enc$1.encode(LABEL_AUTH_UPDATE);
+	const CT_MAC_PREFIX = enc$1.encode(LABEL_CT_MAC);
+	const HDR_MAC_PREFIX = enc$1.encode(LABEL_HDR_MAC);
+	/**
+	* Authenticator manages root_key and mac_key state for producing
+	* and verifying MACs over KEM ciphertext and headers.
+	*
+	* The update operation uses HKDF:
+	*   IKM  = [rootKey || key]
+	*   Salt = ZERO_SALT (32 zeros)
+	*   Info = LABEL_AUTH_UPDATE + epoch_be8
+	*   Output: 64 bytes -> [0..32] = new rootKey, [32..64] = new macKey
+	*
+	* MAC operations use HMAC-SHA256:
+	*   Key  = macKey
+	*   Data = [label_prefix || epoch_be8 || payload]
+	*/
+	var Authenticator = class Authenticator {
+		rootKey;
+		macKey;
+		constructor(rootKey, macKey) {
+			this.rootKey = rootKey;
+			this.macKey = macKey;
+		}
+		/**
+		* Create a new Authenticator from a root key and initial epoch.
+		* Matches Rust: `Authenticator::new(root_key, ep)`
+		*
+		* Initializes with zero keys, then immediately updates with
+		* the provided root key and epoch.
+		*/
+		static create(rootKey, epoch) {
+			const auth = new Authenticator(new Uint8Array(32), new Uint8Array(32));
+			auth.update(epoch, rootKey);
+			return auth;
+		}
+		/**
+		* Update the authenticator with a new epoch and key material.
+		*
+		* HKDF(IKM=[rootKey||key], salt=ZERO_SALT, info=[label||epoch_be8], length=64)
+		*
+		* Output split: rootKey = [0..32], macKey = [32..64]
+		*/
+		update(epoch, key) {
+			const derived = hkdfSha256(concat(this.rootKey, key), ZERO_SALT, concat(AUTH_UPDATE_INFO, bigintToBE8(epoch)), 64);
+			this.rootKey = derived.slice(0, 32);
+			this.macKey = derived.slice(32, 64);
+		}
+		/**
+		* Compute MAC over ciphertext.
+		*
+		* HMAC-SHA256(macKey, [LABEL_CT_MAC || epoch_be8 || ct])
+		*/
+		macCt(epoch, ct) {
+			const data = concat(CT_MAC_PREFIX, bigintToBE8(epoch), ct);
+			return hmacSha256(this.macKey, data);
+		}
+		/**
+		* Verify ciphertext MAC (constant-time comparison).
+		* Throws AuthenticatorError if the MAC does not match.
+		*/
+		verifyCt(epoch, ct, expectedMac) {
+			if (!constantTimeEqual(this.macCt(epoch, ct), expectedMac)) throw new AuthenticatorError("Ciphertext MAC is invalid", "INVALID_CT_MAC");
+		}
+		/**
+		* Compute MAC over header (encapsulation key header).
+		*
+		* HMAC-SHA256(macKey, [LABEL_HDR_MAC || epoch_be8 || hdr])
+		*/
+		macHdr(epoch, hdr) {
+			const data = concat(HDR_MAC_PREFIX, bigintToBE8(epoch), hdr);
+			return hmacSha256(this.macKey, data);
+		}
+		/**
+		* Verify header MAC (constant-time comparison).
+		* Throws AuthenticatorError if the MAC does not match.
+		*/
+		verifyHdr(epoch, hdr, expectedMac) {
+			if (!constantTimeEqual(this.macHdr(epoch, hdr), expectedMac)) throw new AuthenticatorError("Encapsulation key MAC is invalid", "INVALID_HDR_MAC");
+		}
+		/**
+		* Deep clone this authenticator.
+		*/
+		clone() {
+			return new Authenticator(Uint8Array.from(this.rootKey), Uint8Array.from(this.macKey));
+		}
+		/**
+		* Serialize to protobuf representation.
+		* Matches Rust Authenticator::into_pb().
+		*/
+		toProto() {
+			return {
+				rootKey: Uint8Array.from(this.rootKey),
+				macKey: Uint8Array.from(this.macKey)
+			};
+		}
+		/**
+		* Deserialize from protobuf representation.
+		* Matches Rust Authenticator::from_pb().
+		*/
+		static fromProto(pb) {
+			return new Authenticator(Uint8Array.from(pb.rootKey), Uint8Array.from(pb.macKey));
+		}
+	};
+
+//#endregion
+//#region src/v1/chunked/send-ek.ts
+/**
+	* Initial chunked send_ek state. No keypair generated yet.
+	* Wraps unchunked.KeysUnsampled.
+	*/
+	var KeysUnsampled$1 = class {
+		constructor(uc) {
+			this.uc = uc;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/**
+		* Generate keypair, produce header + MAC, encode into PolyEncoder,
+		* and return the first header chunk.
+		*/
+		sendHdrChunk(rng) {
+			const [headerSent, hdr, mac] = this.uc.sendHeader(rng);
+			const hdrPayload = concat(hdr, mac);
+			const sendingHdr = PolyEncoder.encodeBytes(hdrPayload);
+			const chunk = sendingHdr.nextChunk();
+			return [new KeysSampled(headerSent, sendingHdr), chunk];
+		}
+	};
+	/**
+	* Header has been generated and encoding started. Still sending header chunks.
+	* Can also begin receiving ct1 chunks.
+	*/
+	var KeysSampled = class {
+		constructor(uc, sendingHdr) {
+			this.uc = uc;
+			this.sendingHdr = sendingHdr;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/** Produce the next header chunk. */
+		sendHdrChunk() {
+			const chunk = this.sendingHdr.nextChunk();
+			return [this, chunk];
+		}
+		/**
+		* Receive a ct1 chunk from the send_ct peer.
+		* This triggers sending the encapsulation key.
+		*/
+		recvCt1Chunk(epoch, chunk) {
+			if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			const receivingCt1 = PolyDecoder.create(CT1_SIZE);
+			receivingCt1.addChunk(chunk);
+			const [ekSent, ek] = this.uc.sendEk();
+			return new HeaderSent$1(ekSent, PolyEncoder.encodeBytes(ek), receivingCt1);
+		}
+	};
+	/**
+	* Sending ek chunks while receiving ct1 chunks.
+	*/
+	var HeaderSent$1 = class {
+		constructor(uc, sendingEk, receivingCt1) {
+			this.uc = uc;
+			this.sendingEk = sendingEk;
+			this.receivingCt1 = receivingCt1;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/** Produce the next ek chunk. */
+		sendEkChunk() {
+			const chunk = this.sendingEk.nextChunk();
+			return [this, chunk];
+		}
+		/** Receive a ct1 chunk. Returns done when ct1 is fully decoded. */
+		recvCt1Chunk(epoch, chunk) {
+			if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			this.receivingCt1.addChunk(chunk);
+			const decoded = this.receivingCt1.decodedMessage();
+			if (decoded !== null) return {
+				done: true,
+				state: new Ct1Received(this.uc.recvCt1(decoded), this.sendingEk)
+			};
+			return {
+				done: false,
+				state: this
+			};
+		}
+	};
+	/**
+	* ct1 has been fully decoded. Still sending ek chunks.
+	* Can begin receiving ct2 chunks.
+	*/
+	var Ct1Received = class {
+		constructor(uc, sendingEk) {
+			this.uc = uc;
+			this.sendingEk = sendingEk;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/** Produce the next ek chunk. */
+		sendEkChunk() {
+			const chunk = this.sendingEk.nextChunk();
+			return [this, chunk];
+		}
+		/**
+		* Receive a ct2 chunk. Creates the ct2 decoder.
+		* ct2 payload is CT2_SIZE + MAC_SIZE = 160 bytes
+		* (carries ct2 + mac).
+		*/
+		recvCt2Chunk(epoch, chunk) {
+			if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			const receivingCt2 = PolyDecoder.create(CT2_SIZE + MAC_SIZE);
+			receivingCt2.addChunk(chunk);
+			return new EkSentCt1Received$1(this.uc, receivingCt2);
+		}
+	};
+	/**
+	* Both ek sending and ct1 receiving are done. Now receiving ct2 chunks.
+	* When ct2 is fully decoded, extract ct2 and mac, then perform decapsulation
+	* to derive the epoch secret.
+	*/
+	var EkSentCt1Received$1 = class {
+		constructor(uc, receivingCt2) {
+			this.uc = uc;
+			this.receivingCt2 = receivingCt2;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/**
+		* Receive a ct2 chunk. Returns done when ct2 is fully decoded and
+		* epoch secret is derived.
+		*/
+		recvCt2Chunk(epoch, chunk) {
+			if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			this.receivingCt2.addChunk(chunk);
+			const decoded = this.receivingCt2.decodedMessage();
+			if (decoded !== null) {
+				const ct2 = decoded.slice(0, CT2_SIZE);
+				const mac = decoded.slice(CT2_SIZE);
+				const result = this.uc.recvCt2(ct2, mac);
+				const nextUcSendCt = new NoHeaderReceived$1(result.nextEpoch, result.auth);
+				const receivingHdr = PolyDecoder.create(HEADER_SIZE + MAC_SIZE);
+				return {
+					done: true,
+					state: createSendCtNoHeaderReceived(nextUcSendCt, receivingHdr),
+					epochSecret: result.epochSecret
+				};
+			}
+			return {
+				done: false,
+				state: this
+			};
+		}
+	};
+	/** @internal Set by the chunked index module to break circular imports. */
+	let createSendCtNoHeaderReceived;
+	/** @internal Called by the index module to wire up the factory. */
+	function _setCreateSendCtNoHeaderReceived(factory) {
+		createSendCtNoHeaderReceived = factory;
+	}
+
+//#endregion
+//#region src/v1/unchunked/send-ek.ts
+	const SCKA_KEY_LABEL = new TextEncoder().encode(LABEL_SCKA_KEY);
+	/**
+	* Derive the epoch secret from the KEM shared secret.
+	*
+	* HKDF-SHA256(ikm=sharedSecret, salt=ZERO_SALT,
+	*             info=LABEL_SCKA_KEY || epoch_be8, length=32)
+	*
+	* Matches Rust: info = [b"Signal_PQCKA_V1_MLKEM768:SCKA Key", epoch.to_be_bytes()].concat()
+	*/
+	function deriveEpochSecret(epoch, sharedSecret) {
+		return {
+			epoch,
+			secret: hkdfSha256(sharedSecret, ZERO_SALT, concat(SCKA_KEY_LABEL, bigintToBE8(epoch)), 32)
+		};
+	}
+	/**
+	* Initial send_ek state. No keypair has been generated yet.
+	*/
+	var KeysUnsampled = class {
+		constructor(epoch, auth) {
+			this.epoch = epoch;
+			this.auth = auth;
+		}
+		/**
+		* Generate an ML-KEM-768 keypair and produce the header + MAC.
+		*
+		* @param rng - Random byte generator
+		* @returns [nextState, hdr, hdrMac]
+		*/
+		sendHeader(rng) {
+			const keys = generate(rng);
+			const mac = this.auth.macHdr(this.epoch, keys.hdr);
+			return [
+				new HeaderSent(this.epoch, this.auth, keys.ek, keys.dk),
+				keys.hdr,
+				mac
+			];
+		}
+	};
+	/**
+	* The header has been sent to the peer. Ready to send the encapsulation key.
+	*/
+	var HeaderSent = class {
+		constructor(epoch, auth, ek, dk) {
+			this.epoch = epoch;
+			this.auth = auth;
+			this.ek = ek;
+			this.dk = dk;
+		}
+		/**
+		* Produce the encapsulation key to send to the peer.
+		*
+		* @returns [nextState, ek]
+		*/
+		sendEk() {
+			return [new EkSent(this.epoch, this.auth, this.dk), this.ek];
+		}
+	};
+	/**
+	* Both the header and encapsulation key have been sent.
+	* Waiting to receive ct1 from the send_ct peer.
+	*/
+	var EkSent = class {
+		constructor(epoch, auth, dk) {
+			this.epoch = epoch;
+			this.auth = auth;
+			this.dk = dk;
+		}
+		/**
+		* Receive the first ciphertext fragment from the peer.
+		*
+		* @param ct1 - The 960-byte first ciphertext fragment
+		* @returns Next state
+		*/
+		recvCt1(ct1) {
+			return new EkSentCt1Received(this.epoch, this.auth, this.dk, ct1);
+		}
+	};
+	/**
+	* ct1 has been received. Waiting for ct2 to complete decapsulation.
+	*/
+	var EkSentCt1Received = class {
+		constructor(epoch, auth, dk, ct1) {
+			this.epoch = epoch;
+			this.auth = auth;
+			this.dk = dk;
+			this.ct1 = ct1;
+		}
+		/**
+		* Receive ct2 and MAC, perform decapsulation, verify the MAC,
+		* and derive the epoch secret.
+		*
+		* The caller constructs the next send_ct::NoHeaderReceived state from
+		* the returned nextEpoch and auth.
+		*
+		* @param ct2 - The 128-byte second ciphertext fragment
+		* @param mac - The 32-byte HMAC-SHA256 MAC over the full ciphertext
+		* @returns Result containing next epoch, updated auth, and epoch secret
+		* @throws {AuthenticatorError} If the ciphertext MAC is invalid
+		*/
+		recvCt2(ct2, mac) {
+			const sharedSecret = decaps(this.dk, this.ct1, ct2);
+			const epochSecret = deriveEpochSecret(this.epoch, sharedSecret);
+			const auth = this.auth.clone();
+			auth.update(this.epoch, epochSecret.secret);
+			const fullCt = concat(this.ct1, ct2);
+			auth.verifyCt(this.epoch, fullCt, mac);
+			return {
+				nextEpoch: this.epoch + 1n,
+				auth,
+				epochSecret
+			};
+		}
+	};
+
+//#endregion
+//#region src/v1/chunked/send-ct.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* Chunked send_ct state machine for SPQR V1.
+	*
+	* Wraps the unchunked send_ct states with PolyEncoder/PolyDecoder erasure
+	* coding, enabling chunk-by-chunk data transfer.
+	*
+	* True incremental ML-KEM (Phase 9):
+	*   - send_ct produces REAL ct1 chunks from the start.
+	*   - ct2 payload carries only ct2(128) + mac(32) = 160 bytes.
+	*   - Epoch secret is derived in sendCt1 (when encaps1 is performed).
+	*
+	* States:
+	*   NoHeaderReceived      -- recvHdrChunk(epoch, chunk) --> NoHeaderReceived | HeaderReceived
+	*   HeaderReceived        -- sendCt1Chunk(rng) --> [Ct1Sampled, Chunk, EpochSecret]
+	*   Ct1Sampled            -- sendCt1Chunk() --> [Ct1Sampled, Chunk]
+	*                         -- recvEkChunk(epoch, chunk, ct1Ack) --> 4 outcomes
+	*   EkReceivedCt1Sampled  -- sendCt1Chunk() --> [EkReceivedCt1Sampled, Chunk]
+	*                         -- recvCt1Ack(epoch) --> Ct2Sampled
+	*   Ct1Acknowledged       -- recvEkChunk(epoch, chunk) --> Ct1Acknowledged | Ct2Sampled
+	*   Ct2Sampled            -- sendCt2Chunk() --> [Ct2Sampled, Chunk]
+	*                         -- recvNextEpoch(epoch) --> sendEk.KeysUnsampled
+	*/
+	/**
+	* Waiting to receive header chunks from the send_ek peer.
+	*/
+	var NoHeaderReceived = class NoHeaderReceived {
+		constructor(uc, receivingHdr) {
+			this.uc = uc;
+			this.receivingHdr = receivingHdr;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/**
+		* Create the initial NoHeaderReceived from an auth key.
+		*/
+		static create(authKey) {
+			const auth = Authenticator.create(authKey, 1n);
+			return new NoHeaderReceived(new NoHeaderReceived$1(1n, auth), PolyDecoder.create(HEADER_SIZE + MAC_SIZE));
+		}
+		/** Receive a header chunk. Returns done when header is fully decoded. */
+		recvHdrChunk(epoch, chunk) {
+			if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			this.receivingHdr.addChunk(chunk);
+			const decoded = this.receivingHdr.decodedMessage();
+			if (decoded !== null) {
+				const hdr = decoded.slice(0, HEADER_SIZE);
+				const mac = decoded.slice(HEADER_SIZE);
+				return {
+					done: true,
+					state: new HeaderReceived(this.uc.recvHeader(epoch, hdr, mac), PolyDecoder.create(EK_SIZE))
+				};
+			}
+			return {
+				done: false,
+				state: this
+			};
+		}
+	};
+	/**
+	* Header has been received and verified. Ready to produce ct1 chunks.
+	*/
+	var HeaderReceived = class {
+		constructor(uc, receivingEk) {
+			this.uc = uc;
+			this.receivingEk = receivingEk;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/**
+		* Generate encapsulation randomness, produce REAL ct1, encode it,
+		* and return the first ct1 chunk.
+		*
+		* Returns [Ct1Sampled, Chunk, EpochSecret] -- real epoch secret.
+		*/
+		sendCt1Chunk(rng) {
+			const [ct1Sent, realCt1, epochSecret] = this.uc.sendCt1(rng);
+			const sendingCt1 = PolyEncoder.encodeBytes(realCt1);
+			const chunk = sendingCt1.nextChunk();
+			return [
+				new Ct1Sampled(ct1Sent, sendingCt1, this.receivingEk),
+				chunk,
+				epochSecret
+			];
+		}
+	};
+	/**
+	* Real ct1 has been produced and encoding started.
+	* Sending ct1 chunks while receiving ek chunks.
+	*/
+	var Ct1Sampled = class {
+		constructor(uc, sendingCt1, receivingEk) {
+			this.uc = uc;
+			this.sendingCt1 = sendingCt1;
+			this.receivingEk = receivingEk;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/** Produce the next ct1 chunk. */
+		sendCt1Chunk() {
+			const chunk = this.sendingCt1.nextChunk();
+			return [this, chunk];
+		}
+		/**
+		* Receive an ek chunk, with optional ct1 acknowledgement from peer.
+		*
+		* Four possible outcomes depending on whether ek is complete and
+		* whether the peer acknowledged ct1:
+		*   - Both: done (Ct2Sampled + epochSecret)
+		*   - ek complete, no ack: stillSending (EkReceivedCt1Sampled + epochSecret)
+		*   - ek incomplete, ack: stillReceiving (Ct1Acknowledged)
+		*   - Neither: stillReceivingStillSending (Ct1Sampled)
+		*/
+		recvEkChunk(epoch, chunk, ct1Ack) {
+			if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			this.receivingEk.addChunk(chunk);
+			const ekDecoded = this.receivingEk.decodedMessage();
+			if (ekDecoded !== null && ct1Ack) {
+				const { state: ct2SentUc, ct2, mac } = this.uc.recvEk(ekDecoded).sendCt2();
+				const ct2Payload = concat(ct2, mac);
+				return {
+					tag: "done",
+					state: new Ct2Sampled(ct2SentUc, PolyEncoder.encodeBytes(ct2Payload)),
+					epochSecret: null
+				};
+			}
+			if (ekDecoded !== null && !ct1Ack) return {
+				tag: "stillSending",
+				state: new EkReceivedCt1Sampled(this.uc.recvEk(ekDecoded), this.sendingCt1),
+				epochSecret: null
+			};
+			if (ekDecoded === null && ct1Ack) return {
+				tag: "stillReceiving",
+				state: new Ct1Acknowledged(this.uc, this.receivingEk)
+			};
+			return {
+				tag: "stillReceivingStillSending",
+				state: this
+			};
+		}
+	};
+	/**
+	* ek has been received and validated.
+	* Still sending ct1 chunks, waiting for ct1 acknowledgement.
+	*/
+	var EkReceivedCt1Sampled = class {
+		constructor(uc, sendingCt1) {
+			this.uc = uc;
+			this.sendingCt1 = sendingCt1;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/** Produce the next ct1 chunk. */
+		sendCt1Chunk() {
+			const chunk = this.sendingCt1.nextChunk();
+			return [this, chunk];
+		}
+		/** Peer has acknowledged ct1. Produce ct2 and encode it. */
+		recvCt1Ack(epoch) {
+			if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			const { state: ct2SentUc, ct2, mac } = this.uc.sendCt2();
+			const ct2Payload = concat(ct2, mac);
+			return new Ct2Sampled(ct2SentUc, PolyEncoder.encodeBytes(ct2Payload));
+		}
+	};
+	/**
+	* ct1 has been acknowledged by the peer. Still receiving ek chunks.
+	* When ek arrives, validate it and produce ct2.
+	*/
+	var Ct1Acknowledged = class {
+		constructor(uc, receivingEk) {
+			this.uc = uc;
+			this.receivingEk = receivingEk;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/** Receive an ek chunk. Returns done when ek is fully decoded. */
+		recvEkChunk(epoch, chunk) {
+			if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			this.receivingEk.addChunk(chunk);
+			const decoded = this.receivingEk.decodedMessage();
+			if (decoded !== null) {
+				const { state: ct2SentUc, ct2, mac } = this.uc.recvEk(decoded).sendCt2();
+				const ct2Payload = concat(ct2, mac);
+				return {
+					done: true,
+					state: new Ct2Sampled(ct2SentUc, PolyEncoder.encodeBytes(ct2Payload)),
+					epochSecret: null
+				};
+			}
+			return {
+				done: false,
+				state: this
+			};
+		}
+	};
+	/**
+	* ct2 payload (ct2 + mac) has been encoded. Sending ct2 chunks.
+	* Terminal for this epoch once all chunks sent and next epoch begins.
+	*/
+	var Ct2Sampled = class {
+		constructor(uc, sendingCt2) {
+			this.uc = uc;
+			this.sendingCt2 = sendingCt2;
+		}
+		get epoch() {
+			return this.uc.epoch;
+		}
+		/** Produce the next ct2 chunk. */
+		sendCt2Chunk() {
+			const chunk = this.sendingCt2.nextChunk();
+			return [this, chunk];
+		}
+		/**
+		* Transition to the next epoch's send_ek KeysUnsampled.
+		*/
+		recvNextEpoch(_epoch) {
+			const nextEpoch = this.uc.nextEpoch;
+			const nextUc = new KeysUnsampled(nextEpoch, this.uc.auth);
+			return new KeysUnsampled$1(nextUc);
+		}
+	};
+
+//#endregion
+//#region src/v1/chunked/states.ts
+	function getEpoch(s) {
+		return s.state.epoch;
+	}
+	/**
+	* Initialize Alice (send_ek side) at epoch 1.
+	*/
+	function initA(authKey) {
+		const auth = Authenticator.create(authKey, 1n);
+		const ucState = new KeysUnsampled(1n, auth);
+		return {
+			tag: "keysUnsampled",
+			state: new KeysUnsampled$1(ucState)
+		};
+	}
+	/**
+	* Initialize Bob (send_ct side) at epoch 1.
+	*/
+	function initB(authKey) {
+		return {
+			tag: "noHeaderReceived",
+			state: NoHeaderReceived.create(authKey)
+		};
+	}
+	/**
+	* Produce the next outgoing message from the current state.
+	*/
+	function send$1(current, rng) {
+		const epoch = getEpoch(current);
+		switch (current.tag) {
+			case "keysUnsampled": {
+				const [next, chunk] = current.state.sendHdrChunk(rng);
+				return {
+					msg: {
+						epoch,
+						payload: {
+							type: "hdr",
+							chunk
+						}
+					},
+					key: null,
+					state: {
+						tag: "keysSampled",
+						state: next
+					}
+				};
+			}
+			case "keysSampled": {
+				const [next, chunk] = current.state.sendHdrChunk();
+				return {
+					msg: {
+						epoch,
+						payload: {
+							type: "hdr",
+							chunk
+						}
+					},
+					key: null,
+					state: {
+						tag: "keysSampled",
+						state: next
+					}
+				};
+			}
+			case "headerSent": {
+				const [next, chunk] = current.state.sendEkChunk();
+				return {
+					msg: {
+						epoch,
+						payload: {
+							type: "ek",
+							chunk
+						}
+					},
+					key: null,
+					state: {
+						tag: "headerSent",
+						state: next
+					}
+				};
+			}
+			case "ct1Received": {
+				const [next, chunk] = current.state.sendEkChunk();
+				return {
+					msg: {
+						epoch,
+						payload: {
+							type: "ekCt1Ack",
+							chunk
+						}
+					},
+					key: null,
+					state: {
+						tag: "ct1Received",
+						state: next
+					}
+				};
+			}
+			case "ekSentCt1Received": return {
+				msg: {
+					epoch,
+					payload: { type: "ct1Ack" }
+				},
+				key: null,
+				state: current
+			};
+			case "noHeaderReceived": return {
+				msg: {
+					epoch,
+					payload: { type: "none" }
+				},
+				key: null,
+				state: current
+			};
+			case "headerReceived": {
+				const [next, chunk, epochSecret] = current.state.sendCt1Chunk(rng);
+				return {
+					msg: {
+						epoch,
+						payload: {
+							type: "ct1",
+							chunk
+						}
+					},
+					key: epochSecret,
+					state: {
+						tag: "ct1Sampled",
+						state: next
+					}
+				};
+			}
+			case "ct1Sampled": {
+				const [next, chunk] = current.state.sendCt1Chunk();
+				return {
+					msg: {
+						epoch,
+						payload: {
+							type: "ct1",
+							chunk
+						}
+					},
+					key: null,
+					state: {
+						tag: "ct1Sampled",
+						state: next
+					}
+				};
+			}
+			case "ekReceivedCt1Sampled": {
+				const [next, chunk] = current.state.sendCt1Chunk();
+				return {
+					msg: {
+						epoch,
+						payload: {
+							type: "ct1",
+							chunk
+						}
+					},
+					key: null,
+					state: {
+						tag: "ekReceivedCt1Sampled",
+						state: next
+					}
+				};
+			}
+			case "ct1Acknowledged": return {
+				msg: {
+					epoch,
+					payload: { type: "none" }
+				},
+				key: null,
+				state: current
+			};
+			case "ct2Sampled": {
+				const [next, chunk] = current.state.sendCt2Chunk();
+				return {
+					msg: {
+						epoch,
+						payload: {
+							type: "ct2",
+							chunk
+						}
+					},
+					key: null,
+					state: {
+						tag: "ct2Sampled",
+						state: next
+					}
+				};
+			}
+		}
+	}
+	/**
+	* Process an incoming message and transition the state.
+	*/
+	function recv$1(current, msg) {
+		const stateEpoch = getEpoch(current);
+		if (msg.epoch < stateEpoch) return {
+			key: null,
+			state: current
+		};
+		if (msg.epoch > stateEpoch) {
+			if (current.tag === "ct2Sampled" && msg.epoch === stateEpoch + 1n) return {
+				key: null,
+				state: {
+					tag: "keysUnsampled",
+					state: current.state.recvNextEpoch(msg.epoch)
+				}
+			};
+			throw new SpqrError(`Epoch too far ahead: state=${stateEpoch}, msg=${msg.epoch}`, SpqrErrorCode.EpochOutOfRange);
+		}
+		const payload = msg.payload;
+		switch (current.tag) {
+			case "keysUnsampled": return {
+				key: null,
+				state: current
+			};
+			case "keysSampled":
+				if (payload.type === "ct1") return {
+					key: null,
+					state: {
+						tag: "headerSent",
+						state: current.state.recvCt1Chunk(msg.epoch, payload.chunk)
+					}
+				};
+				return {
+					key: null,
+					state: current
+				};
+			case "headerSent":
+				if (payload.type === "ct1") {
+					const result = current.state.recvCt1Chunk(msg.epoch, payload.chunk);
+					if (result.done) return {
+						key: null,
+						state: {
+							tag: "ct1Received",
+							state: result.state
+						}
+					};
+					return {
+						key: null,
+						state: {
+							tag: "headerSent",
+							state: result.state
+						}
+					};
+				}
+				return {
+					key: null,
+					state: current
+				};
+			case "ct1Received":
+				if (payload.type === "ct2") return {
+					key: null,
+					state: {
+						tag: "ekSentCt1Received",
+						state: current.state.recvCt2Chunk(msg.epoch, payload.chunk)
+					}
+				};
+				return {
+					key: null,
+					state: current
+				};
+			case "ekSentCt1Received":
+				if (payload.type === "ct2") {
+					const result = current.state.recvCt2Chunk(msg.epoch, payload.chunk);
+					if (result.done) return {
+						key: result.epochSecret,
+						state: {
+							tag: "noHeaderReceived",
+							state: result.state
+						}
+					};
+					return {
+						key: null,
+						state: {
+							tag: "ekSentCt1Received",
+							state: result.state
+						}
+					};
+				}
+				return {
+					key: null,
+					state: current
+				};
+			case "noHeaderReceived":
+				if (payload.type === "hdr") {
+					const result = current.state.recvHdrChunk(msg.epoch, payload.chunk);
+					if (result.done) return {
+						key: null,
+						state: {
+							tag: "headerReceived",
+							state: result.state
+						}
+					};
+					return {
+						key: null,
+						state: {
+							tag: "noHeaderReceived",
+							state: result.state
+						}
+					};
+				}
+				return {
+					key: null,
+					state: current
+				};
+			case "headerReceived": return {
+				key: null,
+				state: current
+			};
+			case "ct1Sampled":
+				if (payload.type === "ek") return mapCt1SampledResult(current.state.recvEkChunk(msg.epoch, payload.chunk, false));
+				if (payload.type === "ekCt1Ack") return mapCt1SampledResult(current.state.recvEkChunk(msg.epoch, payload.chunk, true));
+				return {
+					key: null,
+					state: current
+				};
+			case "ekReceivedCt1Sampled":
+				if (payload.type === "ct1Ack" || payload.type === "ekCt1Ack") return {
+					key: null,
+					state: {
+						tag: "ct2Sampled",
+						state: current.state.recvCt1Ack(msg.epoch)
+					}
+				};
+				return {
+					key: null,
+					state: current
+				};
+			case "ct1Acknowledged":
+				if (payload.type === "ek" || payload.type === "ekCt1Ack") {
+					const chunk = payload.type === "ek" ? payload.chunk : payload.chunk;
+					const result = current.state.recvEkChunk(msg.epoch, chunk);
+					if (result.done) return {
+						key: result.epochSecret,
+						state: {
+							tag: "ct2Sampled",
+							state: result.state
+						}
+					};
+					return {
+						key: null,
+						state: {
+							tag: "ct1Acknowledged",
+							state: result.state
+						}
+					};
+				}
+				return {
+					key: null,
+					state: current
+				};
+			case "ct2Sampled": return {
+				key: null,
+				state: current
+			};
+		}
+	}
+	function mapCt1SampledResult(result) {
+		switch (result.tag) {
+			case "done": return {
+				key: result.epochSecret,
+				state: {
+					tag: "ct2Sampled",
+					state: result.state
+				}
+			};
+			case "stillSending": return {
+				key: result.epochSecret,
+				state: {
+					tag: "ekReceivedCt1Sampled",
+					state: result.state
+				}
+			};
+			case "stillReceiving": return {
+				key: null,
+				state: {
+					tag: "ct1Acknowledged",
+					state: result.state
+				}
+			};
+			case "stillReceivingStillSending": return {
+				key: null,
+				state: {
+					tag: "ct1Sampled",
+					state: result.state
+				}
+			};
+		}
+	}
+
+//#endregion
+//#region src/v1/chunked/message.ts
+	var MessageType = /* @__PURE__ */ function(MessageType) {
+		MessageType[MessageType["None"] = 0] = "None";
+		MessageType[MessageType["Hdr"] = 1] = "Hdr";
+		MessageType[MessageType["Ek"] = 2] = "Ek";
+		MessageType[MessageType["EkCt1Ack"] = 3] = "EkCt1Ack";
+		MessageType[MessageType["Ct1Ack"] = 4] = "Ct1Ack";
+		MessageType[MessageType["Ct1"] = 5] = "Ct1";
+		MessageType[MessageType["Ct2"] = 6] = "Ct2";
+		return MessageType;
+	}(MessageType || {});
+	/**
+	* Encode a bigint as LEB128 varint into the output array.
+	*/
+	function encodeVarint(value, into) {
+		let v = value;
+		if (v < 0n) v = 0n;
+		do {
+			let byte = Number(v & 127n);
+			v >>= 7n;
+			if (v > 0n) byte |= 128;
+			into.push(byte);
+		} while (v > 0n);
+	}
+	/**
+	* Decode a LEB128 varint from a Uint8Array at the given offset.
+	* Updates offset.offset in place.
+	*/
+	function decodeVarint(from, at) {
+		let result = 0n;
+		let shift = 0n;
+		while (shift < 70n) {
+			if (at.offset >= from.length) throw new Error("Varint: unexpected end of data");
+			const byte = from[at.offset++];
+			result |= BigInt(byte & 127) << shift;
+			if ((byte & 128) === 0) return result;
+			shift += 7n;
+		}
+		throw new Error("Varint: too many bytes");
+	}
+	/**
+	* Encode a number (u32) as LEB128 varint into the output array.
+	*/
+	function encodeVarint32(value, into) {
+		let v = value >>> 0;
+		do {
+			let byte = v & 127;
+			v >>>= 7;
+			if (v > 0) byte |= 128;
+			into.push(byte);
+		} while (v > 0);
+	}
+	/**
+	* Decode a LEB128 varint as a u32 number.
+	*/
+	function decodeVarint32(from, at) {
+		let result = 0;
+		let shift = 0;
+		while (shift < 35) {
+			if (at.offset >= from.length) throw new Error("Varint32: unexpected end of data");
+			const byte = from[at.offset++];
+			result |= (byte & 127) << shift;
+			if ((byte & 128) === 0) return result >>> 0;
+			shift += 7;
+		}
+		throw new Error("Varint32: too many bytes");
+	}
+	const CHUNK_DATA_SIZE = 32;
+	/** Encode a chunk (index varint + 32 data bytes) into the output array. */
+	function encodeChunk(chunk, into) {
+		encodeVarint32(chunk.index, into);
+		for (let i = 0; i < CHUNK_DATA_SIZE; i++) into.push(chunk.data[i]);
+	}
+	/** Decode a chunk from a Uint8Array at the given offset. */
+	function decodeChunk(from, at) {
+		const index = decodeVarint32(from, at);
+		if (at.offset + CHUNK_DATA_SIZE > from.length || index > 65535) throw new Error("Chunk: invalid chunk (data too short or index exceeds u16)");
+		const data = from.slice(at.offset, at.offset + CHUNK_DATA_SIZE);
+		at.offset += CHUNK_DATA_SIZE;
+		return {
+			index,
+			data
+		};
+	}
+	/** Protocol version */
+	const V1 = 1;
+	/**
+	* Serialize a Message with a given sequence index into binary wire format.
+	*/
+	function serializeMessage(msg, index) {
+		const out = [];
+		out.push(V1);
+		encodeVarint(msg.epoch, out);
+		encodeVarint32(index, out);
+		const payload = msg.payload;
+		switch (payload.type) {
+			case "none":
+				out.push(MessageType.None);
+				break;
+			case "hdr":
+				out.push(MessageType.Hdr);
+				encodeChunk(payload.chunk, out);
+				break;
+			case "ek":
+				out.push(MessageType.Ek);
+				encodeChunk(payload.chunk, out);
+				break;
+			case "ekCt1Ack":
+				out.push(MessageType.EkCt1Ack);
+				encodeChunk(payload.chunk, out);
+				break;
+			case "ct1Ack":
+				out.push(MessageType.Ct1Ack);
+				break;
+			case "ct1":
+				out.push(MessageType.Ct1);
+				encodeChunk(payload.chunk, out);
+				break;
+			case "ct2":
+				out.push(MessageType.Ct2);
+				encodeChunk(payload.chunk, out);
+				break;
+		}
+		return new Uint8Array(out);
+	}
+	/**
+	* Deserialize a Message from binary wire format.
+	*/
+	function deserializeMessage(from) {
+		const at = { offset: 0 };
+		if (at.offset >= from.length) throw new Error("Message: empty data");
+		const version = from[at.offset++];
+		if (version !== V1) throw new Error(`Message: unsupported version ${version}`);
+		const epoch = decodeVarint(from, at);
+		if (epoch === 0n) throw new Error("Message: epoch must be > 0");
+		const index = decodeVarint32(from, at);
+		if (at.offset >= from.length) throw new Error("Message: missing message type");
+		const msgType = from[at.offset++];
+		let payload;
+		switch (msgType) {
+			case MessageType.None:
+				payload = { type: "none" };
+				break;
+			case MessageType.Hdr:
+				payload = {
+					type: "hdr",
+					chunk: decodeChunk(from, at)
+				};
+				break;
+			case MessageType.Ek:
+				payload = {
+					type: "ek",
+					chunk: decodeChunk(from, at)
+				};
+				break;
+			case MessageType.EkCt1Ack:
+				payload = {
+					type: "ekCt1Ack",
+					chunk: decodeChunk(from, at)
+				};
+				break;
+			case MessageType.Ct1Ack:
+				payload = { type: "ct1Ack" };
+				break;
+			case MessageType.Ct1:
+				payload = {
+					type: "ct1",
+					chunk: decodeChunk(from, at)
+				};
+				break;
+			case MessageType.Ct2:
+				payload = {
+					type: "ct2",
+					chunk: decodeChunk(from, at)
+				};
+				break;
+			default: throw new Error(`Message: unknown message type ${msgType}`);
+		}
+		return {
+			msg: {
+				epoch,
+				payload
+			},
+			index,
+			bytesRead: at.offset
+		};
+	}
+
+//#endregion
+//#region src/v1/chunked/index.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* Chunked state machine for SPQR V1.
+	*
+	* Provides erasure-coded chunk-by-chunk data transfer wrapping the
+	* unchunked V1 state machine.
+	*/
+	_setCreateSendCtNoHeaderReceived((uc, receivingHdr) => new NoHeaderReceived(uc, receivingHdr));
+
+//#endregion
+//#region src/v1/chunked/serialize.ts
+/**
+	* Serialize a runtime States object into PbV1State for protobuf encoding.
+	* Stores the epoch as field 12 so it can be recovered on deserialization.
+	*/
+	function statesToPb(s) {
+		const epoch = s.state.epoch;
+		return {
+			innerState: chunkedStateToPb(s),
+			epoch
+		};
+	}
+	function chunkedStateToPb(s) {
+		switch (s.tag) {
+			case "keysUnsampled": return {
+				type: "keysUnsampled",
+				uc: { auth: s.state.uc.auth.toProto() }
+			};
+			case "keysSampled": {
+				const st = s.state;
+				return {
+					type: "keysSampled",
+					uc: {
+						auth: st.uc.auth.toProto(),
+						ek: Uint8Array.from(st.uc.ek),
+						dk: Uint8Array.from(st.uc.dk),
+						hdr: new Uint8Array(0),
+						hdrMac: new Uint8Array(0)
+					},
+					sendingHdr: st.sendingHdr.toProto()
+				};
+			}
+			case "headerSent": {
+				const st = s.state;
+				return {
+					type: "headerSent",
+					uc: {
+						auth: st.uc.auth.toProto(),
+						ek: new Uint8Array(0),
+						dk: Uint8Array.from(st.uc.dk)
+					},
+					sendingEk: st.sendingEk.toProto(),
+					receivingCt1: st.receivingCt1.toProto()
+				};
+			}
+			case "ct1Received": {
+				const st = s.state;
+				return {
+					type: "ct1Received",
+					uc: {
+						auth: st.uc.auth.toProto(),
+						dk: Uint8Array.from(st.uc.dk),
+						ct1: Uint8Array.from(st.uc.ct1)
+					},
+					sendingEk: st.sendingEk.toProto()
+				};
+			}
+			case "ekSentCt1Received": {
+				const st = s.state;
+				return {
+					type: "ekSentCt1Received",
+					uc: {
+						auth: st.uc.auth.toProto(),
+						dk: Uint8Array.from(st.uc.dk),
+						ct1: Uint8Array.from(st.uc.ct1)
+					},
+					receivingCt2: st.receivingCt2.toProto()
+				};
+			}
+			case "noHeaderReceived": {
+				const st = s.state;
+				return {
+					type: "noHeaderReceived",
+					uc: { auth: st.uc.auth.toProto() },
+					receivingHdr: st.receivingHdr.toProto()
+				};
+			}
+			case "headerReceived": {
+				const st = s.state;
+				return {
+					type: "headerReceived",
+					uc: {
+						auth: st.uc.auth.toProto(),
+						hdr: Uint8Array.from(st.uc.hdr),
+						es: new Uint8Array(0),
+						ct1: new Uint8Array(0),
+						ss: new Uint8Array(0)
+					},
+					receivingEk: st.receivingEk.toProto()
+				};
+			}
+			case "ct1Sampled": {
+				const st = s.state;
+				return {
+					type: "ct1Sampled",
+					uc: {
+						auth: st.uc.auth.toProto(),
+						hdr: Uint8Array.from(st.uc.hdr),
+						es: Uint8Array.from(st.uc.es),
+						ct1: Uint8Array.from(st.uc.ct1)
+					},
+					sendingCt1: st.sendingCt1.toProto(),
+					receivingEk: st.receivingEk.toProto()
+				};
+			}
+			case "ekReceivedCt1Sampled": {
+				const st = s.state;
+				return {
+					type: "ekReceivedCt1Sampled",
+					uc: {
+						auth: st.uc.auth.toProto(),
+						hdr: new Uint8Array(0),
+						es: Uint8Array.from(st.uc.es),
+						ek: Uint8Array.from(st.uc.ek),
+						ct1: Uint8Array.from(st.uc.ct1)
+					},
+					sendingCt1: st.sendingCt1.toProto()
+				};
+			}
+			case "ct1Acknowledged": {
+				const st = s.state;
+				return {
+					type: "ct1Acknowledged",
+					uc: {
+						auth: st.uc.auth.toProto(),
+						hdr: Uint8Array.from(st.uc.hdr),
+						es: Uint8Array.from(st.uc.es),
+						ct1: Uint8Array.from(st.uc.ct1)
+					},
+					receivingEk: st.receivingEk.toProto()
+				};
+			}
+			case "ct2Sampled": {
+				const st = s.state;
+				return {
+					type: "ct2Sampled",
+					uc: { auth: st.uc.auth.toProto() },
+					sendingCt2: st.sendingCt2.toProto()
+				};
+			}
+		}
+	}
+	/**
+	* Deserialize a PbV1State back into a runtime States object.
+	*
+	* @param pb - The protobuf V1 state
+	* @returns The reconstructed runtime States
+	*/
+	function statesFromPb(pb) {
+		if (pb.innerState === void 0) throw new Error("PbV1State has no innerState");
+		const epoch = pb.epoch ?? 1n;
+		return chunkedStateFromPb(pb.innerState, epoch);
+	}
+	function chunkedStateFromPb(cs, epoch) {
+		switch (cs.type) {
+			case "keysUnsampled": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new KeysUnsampled(epoch, auth);
+				return {
+					tag: "keysUnsampled",
+					state: new KeysUnsampled$1(ucState)
+				};
+			}
+			case "keysSampled": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new HeaderSent(epoch, auth, cs.uc.ek, cs.uc.dk);
+				const encoder = PolyEncoder.fromProto(cs.sendingHdr);
+				return {
+					tag: "keysSampled",
+					state: new KeysSampled(ucState, encoder)
+				};
+			}
+			case "headerSent": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new EkSent(epoch, auth, cs.uc.dk);
+				const encoder = PolyEncoder.fromProto(cs.sendingEk);
+				const decoder = PolyDecoder.fromProto(cs.receivingCt1);
+				return {
+					tag: "headerSent",
+					state: new HeaderSent$1(ucState, encoder, decoder)
+				};
+			}
+			case "ct1Received": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new EkSentCt1Received(epoch, auth, cs.uc.dk, cs.uc.ct1);
+				const encoder = PolyEncoder.fromProto(cs.sendingEk);
+				return {
+					tag: "ct1Received",
+					state: new Ct1Received(ucState, encoder)
+				};
+			}
+			case "ekSentCt1Received": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new EkSentCt1Received(epoch, auth, cs.uc.dk, cs.uc.ct1);
+				const decoder = PolyDecoder.fromProto(cs.receivingCt2);
+				return {
+					tag: "ekSentCt1Received",
+					state: new EkSentCt1Received$1(ucState, decoder)
+				};
+			}
+			case "noHeaderReceived": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new NoHeaderReceived$1(epoch, auth);
+				const decoder = PolyDecoder.fromProto(cs.receivingHdr);
+				return {
+					tag: "noHeaderReceived",
+					state: new NoHeaderReceived(ucState, decoder)
+				};
+			}
+			case "headerReceived": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new HeaderReceived$1(epoch, auth, cs.uc.hdr);
+				const decoder = PolyDecoder.fromProto(cs.receivingEk);
+				return {
+					tag: "headerReceived",
+					state: new HeaderReceived(ucState, decoder)
+				};
+			}
+			case "ct1Sampled": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new Ct1Sent(epoch, auth, cs.uc.hdr, cs.uc.es, cs.uc.ct1);
+				const encoder = PolyEncoder.fromProto(cs.sendingCt1);
+				const decoder = PolyDecoder.fromProto(cs.receivingEk);
+				return {
+					tag: "ct1Sampled",
+					state: new Ct1Sampled(ucState, encoder, decoder)
+				};
+			}
+			case "ekReceivedCt1Sampled": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new Ct1SentEkReceived(epoch, auth, cs.uc.es, cs.uc.ek, cs.uc.ct1);
+				const encoder = PolyEncoder.fromProto(cs.sendingCt1);
+				return {
+					tag: "ekReceivedCt1Sampled",
+					state: new EkReceivedCt1Sampled(ucState, encoder)
+				};
+			}
+			case "ct1Acknowledged": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new Ct1Sent(epoch, auth, cs.uc.hdr, cs.uc.es, cs.uc.ct1);
+				const decoder = PolyDecoder.fromProto(cs.receivingEk);
+				return {
+					tag: "ct1Acknowledged",
+					state: new Ct1Acknowledged(ucState, decoder)
+				};
+			}
+			case "ct2Sampled": {
+				const auth = authFromPb(cs.uc.auth);
+				const ucState = new Ct2Sent(epoch, auth);
+				const encoder = PolyEncoder.fromProto(cs.sendingCt2);
+				return {
+					tag: "ct2Sampled",
+					state: new Ct2Sampled(ucState, encoder)
+				};
+			}
+		}
+	}
+	function authFromPb(pb) {
+		if (pb === void 0) return Authenticator.fromProto({
+			rootKey: new Uint8Array(32),
+			macKey: new Uint8Array(32)
+		});
+		return Authenticator.fromProto(pb);
+	}
+
+//#endregion
+//#region src/types.ts
+/** Protocol version */
+	let Version = /* @__PURE__ */ function(Version) {
+		Version[Version["V0"] = 0] = "V0";
+		Version[Version["V1"] = 1] = "V1";
+		return Version;
+	}({});
+	/** Communication direction */
+	let Direction = /* @__PURE__ */ function(Direction) {
+		Direction[Direction["A2B"] = 0] = "A2B";
+		Direction[Direction["B2A"] = 1] = "B2A";
+		return Direction;
+	}({});
+
+//#endregion
+//#region src/chain.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* SPQR Symmetric Chain -- epoch-based key derivation with forward/backward secrecy.
+	*
+	* Ported from Signal's spqr crate: chain.rs
+	*
+	* The Chain manages send/receive keys across epochs. Each epoch has two
+	* directional chains (A2B and B2A). Keys are derived using HKDF-SHA256
+	* with specific info strings that MUST match the Rust implementation
+	* exactly (including the double space in "Chain  Start").
+	*/
+	const enc = new TextEncoder();
+	const CHAIN_START_INFO = enc.encode(LABEL_CHAIN_START);
+	const CHAIN_NEXT_INFO = enc.encode(LABEL_CHAIN_NEXT);
+	const CHAIN_ADD_EPOCH_INFO = enc.encode(LABEL_CHAIN_ADD_EPOCH);
+	function resolveMaxJump(params) {
+		return params.maxJump > 0 ? params.maxJump : DEFAULT_MAX_JUMP;
+	}
+	function resolveMaxOooKeys(params) {
+		return params.maxOooKeys > 0 ? params.maxOooKeys : DEFAULT_MAX_OOO_KEYS;
+	}
+	function trimSize(params) {
+		const maxOoo = resolveMaxOooKeys(params);
+		return Math.floor(maxOoo * 11 / 10) + 1;
+	}
+	function switchDirection(d) {
+		return d === Direction.A2B ? Direction.B2A : Direction.A2B;
+	}
+	/**
+	* Stores out-of-order keys as packed [index_be32 (4 bytes)][key (32 bytes)] entries.
+	* Matches Rust KeyHistory data layout exactly.
+	*/
+	var KeyHistory = class {
+		data;
+		length;
+		constructor(data) {
+			this.data = data !== void 0 ? Uint8Array.from(data) : new Uint8Array(0);
+			this.length = this.data.length;
+		}
+		add(index, key, _params) {
+			const entry = new Uint8Array(KEY_ENTRY_SIZE);
+			new DataView(entry.buffer).setUint32(0, index, false);
+			entry.set(key, 4);
+			const newData = new Uint8Array(this.length + KEY_ENTRY_SIZE);
+			newData.set(this.data.subarray(0, this.length));
+			newData.set(entry, this.length);
+			this.data = newData;
+			this.length += KEY_ENTRY_SIZE;
+		}
+		gc(currentKey, params) {
+			const maxOoo = resolveMaxOooKeys(params);
+			if (this.length >= trimSize(params) * KEY_ENTRY_SIZE) {
+				if (currentKey < maxOoo) throw new Error("KeyHistory.gc: currentKey < maxOooKeys (corrupted state)");
+				const trimHorizon = currentKey - maxOoo;
+				let i = 0;
+				while (i < this.length) if (trimHorizon > new DataView(this.data.buffer, this.data.byteOffset + i, 4).getUint32(0, false)) this.removeAt(i);
+				else i += KEY_ENTRY_SIZE;
+			}
+		}
+		clear() {
+			this.data = new Uint8Array(0);
+			this.length = 0;
+		}
+		get(at, currentCtr, params) {
+			if (at + resolveMaxOooKeys(params) < currentCtr) throw new SpqrError(`Key trimmed: ${at}`, SpqrErrorCode.KeyTrimmed);
+			const want = new Uint8Array(4);
+			new DataView(want.buffer).setUint32(0, at, false);
+			for (let i = 0; i < this.length; i += KEY_ENTRY_SIZE) if (this.data[i] === want[0] && this.data[i + 1] === want[1] && this.data[i + 2] === want[2] && this.data[i + 3] === want[3]) {
+				const key = this.data.slice(i + 4, i + KEY_ENTRY_SIZE);
+				this.removeAt(i);
+				return key;
+			}
+			throw new SpqrError(`Key already requested: ${at}`, SpqrErrorCode.KeyAlreadyRequested);
+		}
+		removeAt(index) {
+			if (index + KEY_ENTRY_SIZE < this.length) {
+				const lastStart = this.length - KEY_ENTRY_SIZE;
+				this.data.copyWithin(index, lastStart, this.length);
+			}
+			this.length -= KEY_ENTRY_SIZE;
+		}
+		/** Serialize to raw bytes for protobuf storage */
+		serialize() {
+			return this.data.slice(0, this.length);
+		}
+	};
+	/**
+	* One directional chain within an epoch (send or recv).
+	* Manages a ratcheting key derivation with HKDF.
+	*/
+	var ChainEpochDirection = class ChainEpochDirection {
+		ctr;
+		next;
+		prev;
+		constructor(key, ctr, prev) {
+			this.ctr = ctr ?? 0;
+			this.next = Uint8Array.from(key);
+			this.prev = new KeyHistory(prev);
+		}
+		/**
+		* Derive the next key in the chain.
+		* Returns [index, key].
+		*/
+		nextKey() {
+			this.ctr += 1;
+			const info = concat(uint32ToBE4(this.ctr), CHAIN_NEXT_INFO);
+			const gen = hkdfSha256(this.next, ZERO_SALT, info, 64);
+			this.next = gen.slice(0, 32);
+			const key = gen.slice(32, 64);
+			return [this.ctr, key];
+		}
+		/**
+		* Internal: derive next key without consuming it publicly.
+		* Used for skipping ahead to build out-of-order key history.
+		*/
+		static nextKeyInternal(next, ctr) {
+			ctr += 1;
+			const gen = hkdfSha256(next, ZERO_SALT, concat(uint32ToBE4(ctr), CHAIN_NEXT_INFO), 64);
+			return {
+				next: gen.slice(0, 32),
+				ctr,
+				index: ctr,
+				key: gen.slice(32, 64)
+			};
+		}
+		/**
+		* Get the key at a specific counter position.
+		* Supports out-of-order access via KeyHistory.
+		*/
+		key(at, params) {
+			const maxJump = resolveMaxJump(params);
+			const maxOoo = resolveMaxOooKeys(params);
+			if (at > this.ctr) {
+				if (at - this.ctr > maxJump) throw new SpqrError(`Key jump: ${this.ctr} - ${at}`, SpqrErrorCode.KeyJump);
+			} else if (at < this.ctr) return this.prev.get(at, this.ctr, params);
+			else throw new SpqrError(`Key already requested: ${at}`, SpqrErrorCode.KeyAlreadyRequested);
+			if (at > this.ctr + maxOoo) this.prev.clear();
+			while (at > this.ctr + 1) {
+				const result = ChainEpochDirection.nextKeyInternal(this.next, this.ctr);
+				this.next = result.next;
+				this.ctr = result.ctr;
+				if (this.ctr + maxOoo >= at) this.prev.add(result.index, result.key, params);
+			}
+			this.prev.gc(this.ctr, params);
+			const result = ChainEpochDirection.nextKeyInternal(this.next, this.ctr);
+			this.next = result.next;
+			this.ctr = result.ctr;
+			return result.key;
+		}
+		clearNext() {
+			this.next = new Uint8Array(0);
+		}
+		/** Serialize to protobuf EpochDirection */
+		toProto() {
+			return {
+				ctr: this.ctr,
+				next: Uint8Array.from(this.next),
+				prev: this.prev.serialize()
+			};
+		}
+		static fromProto(pb) {
+			return new ChainEpochDirection(pb.next, pb.ctr, pb.prev);
+		}
+	};
+	/**
+	* The main Chain manages send/receive keys across all epochs.
+	*
+	* Port of Rust's Chain struct from chain.rs.
+	* Uses bigint for epoch values (matching Rust u64).
+	*/
+	var Chain = class Chain {
+		dir;
+		currentEpoch;
+		sendEpoch;
+		links;
+		nextRoot;
+		params;
+		constructor(dir, currentEpoch, sendEpoch, links, nextRoot, params) {
+			this.dir = dir;
+			this.currentEpoch = currentEpoch;
+			this.sendEpoch = sendEpoch;
+			this.links = links;
+			this.nextRoot = nextRoot;
+			this.params = params;
+		}
+		/**
+		* Create a new chain from an initial key and direction.
+		* HKDF info: "Signal PQ Ratchet V1 Chain  Start" (TWO spaces before Start!)
+		*
+		* The 96-byte HKDF output is split as:
+		*   [0..32]:  nextRoot
+		*   [32..64]: A2B chain seed
+		*   [64..96]: B2A chain seed
+		*
+		* Direction determines which half is send vs recv.
+		*/
+		static create(initialKey, dir, params = {
+			maxJump: DEFAULT_MAX_JUMP,
+			maxOooKeys: DEFAULT_MAX_OOO_KEYS
+		}) {
+			const gen = hkdfSha256(initialKey, ZERO_SALT, CHAIN_START_INFO, 96);
+			const switchedDir = switchDirection(dir);
+			const sendKey = cedForDirection(gen, dir);
+			const recvKey = cedForDirection(gen, switchedDir);
+			return new Chain(dir, 0n, 0n, [{
+				send: new ChainEpochDirection(sendKey),
+				recv: new ChainEpochDirection(recvKey)
+			}], gen.slice(0, 32), params);
+		}
+		/**
+		* Add a new epoch to the chain with a shared secret.
+		* HKDF info: "Signal PQ Ratchet V1 Chain Add Epoch"
+		*
+		* Salt = current nextRoot, IKM = epochSecret.secret
+		*/
+		addEpoch(epochSecret) {
+			if (epochSecret.epoch !== this.currentEpoch + 1n) throw new SpqrError(`Expected epoch ${this.currentEpoch + 1n}, got ${epochSecret.epoch}`, SpqrErrorCode.EpochOutOfRange);
+			const gen = hkdfSha256(epochSecret.secret, this.nextRoot, CHAIN_ADD_EPOCH_INFO, 96);
+			this.currentEpoch = epochSecret.epoch;
+			this.nextRoot = gen.slice(0, 32);
+			const sendKey = cedForDirection(gen, this.dir);
+			const recvKey = cedForDirection(gen, switchDirection(this.dir));
+			this.links.push({
+				send: new ChainEpochDirection(sendKey),
+				recv: new ChainEpochDirection(recvKey)
+			});
+		}
+		epochIdx(epoch) {
+			if (epoch > this.currentEpoch) throw new SpqrError(`Epoch not in valid range: ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			const back = Number(this.currentEpoch - epoch);
+			if (back >= this.links.length) throw new SpqrError(`Epoch not in valid range: ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+			return this.links.length - 1 - back;
+		}
+		/**
+		* Get the next send key for a given epoch.
+		* Returns [index, key].
+		*/
+		sendKey(epoch) {
+			if (epoch < this.sendEpoch) throw new SpqrError(`Send key epoch decreased (${this.sendEpoch} -> ${epoch})`, SpqrErrorCode.SendKeyEpochDecreased);
+			let epochIndex = this.epochIdx(epoch);
+			if (this.sendEpoch !== epoch) {
+				this.sendEpoch = epoch;
+				while (epochIndex > EPOCHS_TO_KEEP_PRIOR_TO_SEND_EPOCH) {
+					this.links.shift();
+					epochIndex -= 1;
+				}
+				for (let i = 0; i < epochIndex; i++) this.links[i].send.clearNext();
+			}
+			return this.links[epochIndex].send.nextKey();
+		}
+		/**
+		* Get a receive key for a given epoch and counter index.
+		*/
+		recvKey(epoch, index) {
+			const epochIndex = this.epochIdx(epoch);
+			return this.links[epochIndex].recv.key(index, this.params);
+		}
+		/**
+		* Serialize the chain to its protobuf representation.
+		* Matches Rust Chain::into_pb().
+		*/
+		toProto() {
+			return {
+				direction: this.dir,
+				currentEpoch: this.currentEpoch,
+				sendEpoch: this.sendEpoch,
+				nextRoot: Uint8Array.from(this.nextRoot),
+				links: this.links.map((link) => ({
+					send: link.send.toProto(),
+					recv: link.recv.toProto()
+				})),
+				params: chainParamsToProto(this.params)
+			};
+		}
+		/**
+		* Deserialize a chain from its protobuf representation.
+		* Matches Rust Chain::from_pb().
+		*/
+		static fromProto(pb) {
+			const links = pb.links.map((link) => ({
+				send: ChainEpochDirection.fromProto(link.send ?? {
+					ctr: 0,
+					next: new Uint8Array(0),
+					prev: new Uint8Array(0)
+				}),
+				recv: ChainEpochDirection.fromProto(link.recv ?? {
+					ctr: 0,
+					next: new Uint8Array(0),
+					prev: new Uint8Array(0)
+				})
+			}));
+			const params = chainParamsFromProto(pb.params);
+			return new Chain(pb.direction, pb.currentEpoch, pb.sendEpoch, links, Uint8Array.from(pb.nextRoot), params);
+		}
+	};
+	/**
+	* Select the chain key for a given direction from a 96-byte HKDF output.
+	* A2B uses bytes [32..64], B2A uses bytes [64..96].
+	*/
+	function cedForDirection(gen, dir) {
+		return dir === Direction.A2B ? gen.slice(32, 64) : gen.slice(64, 96);
+	}
+	/**
+	* Convert ChainParams to protobuf format.
+	* Default values are stored as 0 (proto3 convention).
+	*/
+	function chainParamsToProto(params) {
+		return {
+			maxJump: params.maxJump === DEFAULT_MAX_JUMP ? 0 : params.maxJump,
+			maxOooKeys: params.maxOooKeys === DEFAULT_MAX_OOO_KEYS ? 0 : params.maxOooKeys
+		};
+	}
+	/**
+	* Convert protobuf ChainParams to runtime ChainParams.
+	* Zero values are interpreted as defaults.
+	*/
+	function chainParamsFromProto(pb) {
+		if (pb === void 0) return {
+			maxJump: DEFAULT_MAX_JUMP,
+			maxOooKeys: DEFAULT_MAX_OOO_KEYS
+		};
+		return {
+			maxJump: pb.maxJump > 0 ? pb.maxJump : DEFAULT_MAX_JUMP,
+			maxOooKeys: pb.maxOooKeys > 0 ? pb.maxOooKeys : DEFAULT_MAX_OOO_KEYS
+		};
+	}
+
+//#endregion
+//#region src/proto/index.ts
+	const WIRE_VARINT = 0;
+	const WIRE_LENGTH_DELIMITED = 2;
+	const EMPTY_BYTES = new Uint8Array(0);
+	var ProtoWriter = class {
+		parts = [];
+		writeVarint(fieldNumber, value) {
+			if (typeof value === "bigint") {
+				if (value === 0n) return;
+				this.writeTag(fieldNumber, WIRE_VARINT);
+				this.writeRawVarint64(value);
+			} else {
+				if (value === 0) return;
+				this.writeTag(fieldNumber, WIRE_VARINT);
+				this.writeRawVarint(value);
+			}
+		}
+		/** Write a varint field even when the value is zero (for required fields). */
+		writeVarintAlways(fieldNumber, value) {
+			if (typeof value === "bigint") {
+				this.writeTag(fieldNumber, WIRE_VARINT);
+				this.writeRawVarint64(value);
+			} else {
+				this.writeTag(fieldNumber, WIRE_VARINT);
+				this.writeRawVarint(value);
+			}
+		}
+		writeBool(fieldNumber, value) {
+			if (!value) return;
+			this.writeTag(fieldNumber, WIRE_VARINT);
+			this.writeRawVarint(1);
+		}
+		writeBytes(fieldNumber, data) {
+			if (data.length === 0) return;
+			this.writeTag(fieldNumber, WIRE_LENGTH_DELIMITED);
+			this.writeRawVarint(data.length);
+			this.parts.push(new Uint8Array(data));
+		}
+		writeMessage(fieldNumber, writer) {
+			const data = writer.finish();
+			if (data.length === 0) return;
+			this.writeTag(fieldNumber, WIRE_LENGTH_DELIMITED);
+			this.writeRawVarint(data.length);
+			this.parts.push(data);
+		}
+		/** For oneof fields, write even if the sub-message is empty. */
+		writeMessageAlways(fieldNumber, writer) {
+			const data = writer.finish();
+			this.writeTag(fieldNumber, WIRE_LENGTH_DELIMITED);
+			this.writeRawVarint(data.length);
+			if (data.length > 0) this.parts.push(data);
+		}
+		writeEnum(fieldNumber, value) {
+			this.writeVarint(fieldNumber, value);
+		}
+		finish() {
+			let total = 0;
+			for (const p of this.parts) total += p.length;
+			const result = new Uint8Array(total);
+			let offset = 0;
+			for (const p of this.parts) {
+				result.set(p, offset);
+				offset += p.length;
+			}
+			return result;
+		}
+		writeTag(fieldNumber, wireType) {
+			this.writeRawVarint(fieldNumber << 3 | wireType);
+		}
+		writeRawVarint(value) {
+			const buf = [];
+			let v = value >>> 0;
+			while (v > 127) {
+				buf.push(v & 127 | 128);
+				v >>>= 7;
+			}
+			buf.push(v & 127);
+			this.parts.push(new Uint8Array(buf));
+		}
+		writeRawVarint64(value) {
+			const buf = [];
+			let v = value;
+			while (v > 127n) {
+				buf.push(Number(v & 127n) | 128);
+				v >>= 7n;
+			}
+			buf.push(Number(v & 127n));
+			this.parts.push(new Uint8Array(buf));
+		}
+	};
+	var ProtoReader = class ProtoReader {
+		data;
+		pos;
+		constructor(data) {
+			this.data = data;
+			this.pos = 0;
+		}
+		get remaining() {
+			return this.data.length - this.pos;
+		}
+		get done() {
+			return this.pos >= this.data.length;
+		}
+		readField() {
+			if (this.pos >= this.data.length) return null;
+			const tag = this.readRawVarint();
+			return {
+				fieldNumber: tag >>> 3,
+				wireType: tag & 7
+			};
+		}
+		readVarint() {
+			return this.readRawVarint();
+		}
+		readVarint64() {
+			return this.readRawVarint64();
+		}
+		readBool() {
+			return this.readRawVarint() !== 0;
+		}
+		readBytes() {
+			const len = this.readRawVarint();
+			const data = this.data.slice(this.pos, this.pos + len);
+			this.pos += len;
+			return data;
+		}
+		readMessage() {
+			return new ProtoReader(this.readBytes());
+		}
+		readEnum() {
+			return this.readRawVarint();
+		}
+		skip(wireType) {
+			switch (wireType) {
+				case 0:
+					this.readRawVarint();
+					break;
+				case 1:
+					this.pos += 8;
+					break;
+				case 2: {
+					const len = this.readRawVarint();
+					this.pos += len;
+					break;
+				}
+				case 5:
+					this.pos += 4;
+					break;
+				default: throw new Error(`Unknown wire type: ${wireType}`);
+			}
+		}
+		readRawVarint() {
+			let result = 0;
+			let shift = 0;
+			while (shift < 35) {
+				const b = this.data[this.pos++];
+				result |= (b & 127) << shift;
+				if ((b & 128) === 0) return result >>> 0;
+				shift += 7;
+			}
+			throw new Error("Varint too long");
+		}
+		readRawVarint64() {
+			let result = 0n;
+			let shift = 0n;
+			while (shift < 70n) {
+				const b = this.data[this.pos++];
+				result |= BigInt(b & 127) << shift;
+				if ((b & 128) === 0) return result;
+				shift += 7n;
+			}
+			throw new Error("Varint64 too long");
+		}
+	};
+	function decodeChainParams(data) {
+		const r = new ProtoReader(data);
+		let maxJump = 0;
+		let maxOooKeys = 0;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					maxJump = r.readVarint();
+					break;
+				case 2:
+					maxOooKeys = r.readVarint();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			maxJump,
+			maxOooKeys
+		};
+	}
+	function encodeVersionNegotiation(msg) {
+		const w = new ProtoWriter();
+		w.writeBytes(1, msg.authKey);
+		w.writeEnum(2, msg.direction);
+		w.writeEnum(3, msg.minVersion);
+		if (msg.chainParams !== void 0) {
+			const sub = new ProtoWriter();
+			sub.writeVarint(1, msg.chainParams.maxJump);
+			sub.writeVarint(2, msg.chainParams.maxOooKeys);
+			w.writeMessage(4, sub);
+		}
+		return w.finish();
+	}
+	function decodeVersionNegotiation(data) {
+		const r = new ProtoReader(data);
+		let authKey = EMPTY_BYTES;
+		let direction = 0;
+		let minVersion = 0;
+		let chainParams;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					authKey = r.readBytes();
+					break;
+				case 2:
+					direction = r.readEnum();
+					break;
+				case 3:
+					minVersion = r.readEnum();
+					break;
+				case 4:
+					chainParams = decodeChainParams(r.readBytes());
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			authKey,
+			direction,
+			minVersion,
+			chainParams
+		};
+	}
+	function encodeEpochDirection(w, msg) {
+		w.writeVarint(1, msg.ctr);
+		w.writeBytes(2, msg.next);
+		w.writeBytes(3, msg.prev);
+	}
+	function decodeEpochDirection(r) {
+		let ctr = 0;
+		let next = EMPTY_BYTES;
+		let prev = EMPTY_BYTES;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					ctr = r.readVarint();
+					break;
+				case 2:
+					next = r.readBytes();
+					break;
+				case 3:
+					prev = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			ctr,
+			next,
+			prev
+		};
+	}
+	function encodeEpoch(msg) {
+		const w = new ProtoWriter();
+		if (msg.send !== void 0) {
+			const sub = new ProtoWriter();
+			encodeEpochDirection(sub, msg.send);
+			w.writeMessage(1, sub);
+		}
+		if (msg.recv !== void 0) {
+			const sub = new ProtoWriter();
+			encodeEpochDirection(sub, msg.recv);
+			w.writeMessage(2, sub);
+		}
+		return w.finish();
+	}
+	function decodeEpoch(data) {
+		const r = new ProtoReader(data);
+		let send;
+		let recv;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					send = decodeEpochDirection(r.readMessage());
+					break;
+				case 2:
+					recv = decodeEpochDirection(r.readMessage());
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			send,
+			recv
+		};
+	}
+	function encodeChain(msg) {
+		const w = new ProtoWriter();
+		w.writeEnum(1, msg.direction);
+		w.writeVarint(2, msg.currentEpoch);
+		for (const link of msg.links) w.writeBytes(3, encodeEpoch(link));
+		w.writeBytes(4, msg.nextRoot);
+		w.writeVarint(5, msg.sendEpoch);
+		if (msg.params !== void 0) {
+			const sub = new ProtoWriter();
+			sub.writeVarint(1, msg.params.maxJump);
+			sub.writeVarint(2, msg.params.maxOooKeys);
+			w.writeMessage(6, sub);
+		}
+		return w.finish();
+	}
+	function decodeChain(data) {
+		const r = new ProtoReader(data);
+		let direction = 0;
+		let currentEpoch = 0n;
+		const links = [];
+		let nextRoot = EMPTY_BYTES;
+		let sendEpoch = 0n;
+		let params;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					direction = r.readEnum();
+					break;
+				case 2:
+					currentEpoch = r.readVarint64();
+					break;
+				case 3:
+					links.push(decodeEpoch(r.readBytes()));
+					break;
+				case 4:
+					nextRoot = r.readBytes();
+					break;
+				case 5:
+					sendEpoch = r.readVarint64();
+					break;
+				case 6:
+					params = decodeChainParams(r.readBytes());
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			direction,
+			currentEpoch,
+			links,
+			nextRoot,
+			sendEpoch,
+			params
+		};
+	}
+	function decodeAuthenticator(data) {
+		const r = new ProtoReader(data);
+		let rootKey = EMPTY_BYTES;
+		let macKey = EMPTY_BYTES;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					rootKey = r.readBytes();
+					break;
+				case 2:
+					macKey = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			rootKey,
+			macKey
+		};
+	}
+	function encodePolynomialEncoder(msg) {
+		const w = new ProtoWriter();
+		w.writeVarint(1, msg.idx);
+		for (const pt of msg.pts) w.writeBytes(2, pt);
+		for (const poly of msg.polys) w.writeBytes(3, poly);
+		return w.finish();
+	}
+	function decodePolynomialEncoder(data) {
+		const r = new ProtoReader(data);
+		let idx = 0;
+		const pts = [];
+		const polys = [];
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					idx = r.readVarint();
+					break;
+				case 2:
+					pts.push(r.readBytes());
+					break;
+				case 3:
+					polys.push(r.readBytes());
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			idx,
+			pts,
+			polys
+		};
+	}
+	function encodePolynomialDecoder(msg) {
+		const w = new ProtoWriter();
+		w.writeVarint(1, msg.ptsNeeded);
+		w.writeVarint(2, msg.polys);
+		for (const pt of msg.pts) w.writeBytes(3, pt);
+		w.writeBool(4, msg.isComplete);
+		return w.finish();
+	}
+	function decodePolynomialDecoder(data) {
+		const r = new ProtoReader(data);
+		let ptsNeeded = 0;
+		let polys = 0;
+		const pts = [];
+		let isComplete = false;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					ptsNeeded = r.readVarint();
+					break;
+				case 2:
+					polys = r.readVarint();
+					break;
+				case 3:
+					pts.push(r.readBytes());
+					break;
+				case 4:
+					isComplete = r.readBool();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			ptsNeeded,
+			polys,
+			pts,
+			isComplete
+		};
+	}
+	function encodeAuthOptional(w, fieldNumber, auth) {
+		if (auth !== void 0) {
+			const sub = new ProtoWriter();
+			sub.writeBytes(1, auth.rootKey);
+			sub.writeBytes(2, auth.macKey);
+			w.writeMessage(fieldNumber, sub);
+		}
+	}
+	function decodeAuthOptional(r) {
+		return decodeAuthenticator(r.readBytes());
+	}
+	/**
+	* Detect whether an unchunked sub-message uses the Rust field layout
+	* (epoch at field 1, auth at field 2, data fields shifted +1) or the
+	* TS layout (auth at field 1, data fields as-is).
+	*
+	* Returns the field number offset: 0 for TS layout, 1 for Rust layout.
+	* Detection is based on field 1's wire type:
+	*   - varint (wire type 0) => Rust layout (field 1 = epoch)
+	*   - length-delimited (wire type 2) => TS layout (field 1 = auth)
+	*/
+	function detectUcLayout(data) {
+		if (data.length === 0) return 0;
+		return (data[0] & 7) === WIRE_VARINT ? 1 : 0;
+	}
+	function encodeUcKeysUnsampled(msg) {
+		const w = new ProtoWriter();
+		encodeAuthOptional(w, 1, msg.auth);
+		return w.finish();
+	}
+	function decodeUcKeysUnsampled(data) {
+		const r = new ProtoReader(data);
+		const offset = detectUcLayout(data);
+		let auth;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber - offset) {
+				case 1:
+					auth = decodeAuthOptional(r);
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return { auth };
+	}
+	function encodeUcKeysSampled(msg) {
+		const w = new ProtoWriter();
+		encodeAuthOptional(w, 1, msg.auth);
+		w.writeBytes(2, msg.ek);
+		w.writeBytes(3, msg.dk);
+		w.writeBytes(4, msg.hdr);
+		w.writeBytes(5, msg.hdrMac);
+		return w.finish();
+	}
+	function decodeUcKeysSampled(data) {
+		const r = new ProtoReader(data);
+		const offset = detectUcLayout(data);
+		let auth;
+		let ek = EMPTY_BYTES;
+		let dk = EMPTY_BYTES;
+		let hdr = EMPTY_BYTES;
+		let hdrMac = EMPTY_BYTES;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber - offset) {
+				case 1:
+					auth = decodeAuthOptional(r);
+					break;
+				case 2:
+					ek = r.readBytes();
+					break;
+				case 3:
+					dk = r.readBytes();
+					break;
+				case 4:
+					hdr = r.readBytes();
+					break;
+				case 5:
+					hdrMac = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			auth,
+			ek,
+			dk,
+			hdr,
+			hdrMac
+		};
+	}
+	function encodeUcHeaderSent(msg) {
+		const w = new ProtoWriter();
+		encodeAuthOptional(w, 1, msg.auth);
+		w.writeBytes(2, msg.ek);
+		w.writeBytes(3, msg.dk);
+		return w.finish();
+	}
+	function decodeUcHeaderSent(data) {
+		const r = new ProtoReader(data);
+		const offset = detectUcLayout(data);
+		let auth;
+		let ek = EMPTY_BYTES;
+		let dk = EMPTY_BYTES;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber - offset) {
+				case 1:
+					auth = decodeAuthOptional(r);
+					break;
+				case 2:
+					ek = r.readBytes();
+					break;
+				case 3:
+					dk = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			auth,
+			ek,
+			dk
+		};
+	}
+	function encodeUcDkCt1(msg) {
+		const w = new ProtoWriter();
+		encodeAuthOptional(w, 1, msg.auth);
+		w.writeBytes(2, msg.dk);
+		w.writeBytes(3, msg.ct1);
+		return w.finish();
+	}
+	function decodeUcDkCt1(data) {
+		const r = new ProtoReader(data);
+		const offset = detectUcLayout(data);
+		let auth;
+		let dk = EMPTY_BYTES;
+		let ct1 = EMPTY_BYTES;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber - offset) {
+				case 1:
+					auth = decodeAuthOptional(r);
+					break;
+				case 2:
+					dk = r.readBytes();
+					break;
+				case 3:
+					ct1 = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			auth,
+			dk,
+			ct1
+		};
+	}
+	function encodeUcHeaderReceived(msg) {
+		const w = new ProtoWriter();
+		encodeAuthOptional(w, 1, msg.auth);
+		w.writeBytes(2, msg.hdr);
+		w.writeBytes(3, msg.es);
+		w.writeBytes(4, msg.ct1);
+		w.writeBytes(5, msg.ss);
+		return w.finish();
+	}
+	function decodeUcHeaderReceived(data) {
+		const r = new ProtoReader(data);
+		const offset = detectUcLayout(data);
+		let auth;
+		let hdr = EMPTY_BYTES;
+		let es = EMPTY_BYTES;
+		let ct1 = EMPTY_BYTES;
+		let ss = EMPTY_BYTES;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber - offset) {
+				case 1:
+					auth = decodeAuthOptional(r);
+					break;
+				case 2:
+					hdr = r.readBytes();
+					break;
+				case 3:
+					es = r.readBytes();
+					break;
+				case 4:
+					ct1 = r.readBytes();
+					break;
+				case 5:
+					ss = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			auth,
+			hdr,
+			es,
+			ct1,
+			ss
+		};
+	}
+	function encodeUcAuthHdrEsCt1(msg) {
+		const w = new ProtoWriter();
+		encodeAuthOptional(w, 1, msg.auth);
+		w.writeBytes(2, msg.hdr);
+		w.writeBytes(3, msg.es);
+		w.writeBytes(4, msg.ct1);
+		return w.finish();
+	}
+	function decodeUcAuthHdrEsCt1(data) {
+		const r = new ProtoReader(data);
+		const offset = detectUcLayout(data);
+		let auth;
+		let hdr = EMPTY_BYTES;
+		let es = EMPTY_BYTES;
+		let ct1 = EMPTY_BYTES;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber - offset) {
+				case 1:
+					auth = decodeAuthOptional(r);
+					break;
+				case 2:
+					hdr = r.readBytes();
+					break;
+				case 3:
+					es = r.readBytes();
+					break;
+				case 4:
+					ct1 = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			auth,
+			hdr,
+			es,
+			ct1
+		};
+	}
+	function encodeUcEkReceivedCt1Sampled(msg) {
+		const w = new ProtoWriter();
+		encodeAuthOptional(w, 1, msg.auth);
+		w.writeBytes(2, msg.hdr);
+		w.writeBytes(3, msg.es);
+		w.writeBytes(4, msg.ek);
+		w.writeBytes(5, msg.ct1);
+		return w.finish();
+	}
+	function decodeUcEkReceivedCt1Sampled(data) {
+		const r = new ProtoReader(data);
+		const offset = detectUcLayout(data);
+		let auth;
+		let hdr = EMPTY_BYTES;
+		let es = EMPTY_BYTES;
+		let ek = EMPTY_BYTES;
+		let ct1 = EMPTY_BYTES;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber - offset) {
+				case 1:
+					auth = decodeAuthOptional(r);
+					break;
+				case 2:
+					hdr = r.readBytes();
+					break;
+				case 3:
+					es = r.readBytes();
+					break;
+				case 4:
+					ek = r.readBytes();
+					break;
+				case 5:
+					ct1 = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			auth,
+			hdr,
+			es,
+			ek,
+			ct1
+		};
+	}
+	/**
+	* Encode a PbChunkedState into a sub-message for V1State.
+	* The field number in V1State determines which variant this is:
+	*   1=keysUnsampled, 2=keysSampled, ..., 11=ct2Sampled
+	*
+	* Each chunked state has:
+	*   field 1 = unchunked data
+	*   field 2 = encoder (if present)
+	*   field 3 = decoder (if present)
+	*/
+	function encodeChunkedStateInner(state) {
+		const w = new ProtoWriter();
+		switch (state.type) {
+			case "keysUnsampled":
+				w.writeBytes(1, encodeUcKeysUnsampled(state.uc));
+				return {
+					fieldNumber: 1,
+					data: w.finish()
+				};
+			case "keysSampled":
+				w.writeBytes(1, encodeUcKeysSampled(state.uc));
+				w.writeBytes(2, encodePolynomialEncoder(state.sendingHdr));
+				return {
+					fieldNumber: 2,
+					data: w.finish()
+				};
+			case "headerSent":
+				w.writeBytes(1, encodeUcHeaderSent(state.uc));
+				w.writeBytes(2, encodePolynomialEncoder(state.sendingEk));
+				w.writeBytes(3, encodePolynomialDecoder(state.receivingCt1));
+				return {
+					fieldNumber: 3,
+					data: w.finish()
+				};
+			case "ct1Received":
+				w.writeBytes(1, encodeUcDkCt1(state.uc));
+				w.writeBytes(2, encodePolynomialEncoder(state.sendingEk));
+				return {
+					fieldNumber: 4,
+					data: w.finish()
+				};
+			case "ekSentCt1Received":
+				w.writeBytes(1, encodeUcDkCt1(state.uc));
+				w.writeBytes(3, encodePolynomialDecoder(state.receivingCt2));
+				return {
+					fieldNumber: 5,
+					data: w.finish()
+				};
+			case "noHeaderReceived":
+				w.writeBytes(1, encodeUcKeysUnsampled(state.uc));
+				w.writeBytes(2, encodePolynomialDecoder(state.receivingHdr));
+				return {
+					fieldNumber: 6,
+					data: w.finish()
+				};
+			case "headerReceived":
+				w.writeBytes(1, encodeUcHeaderReceived(state.uc));
+				w.writeBytes(2, encodePolynomialDecoder(state.receivingEk));
+				return {
+					fieldNumber: 7,
+					data: w.finish()
+				};
+			case "ct1Sampled":
+				w.writeBytes(1, encodeUcAuthHdrEsCt1(state.uc));
+				w.writeBytes(2, encodePolynomialEncoder(state.sendingCt1));
+				w.writeBytes(3, encodePolynomialDecoder(state.receivingEk));
+				return {
+					fieldNumber: 8,
+					data: w.finish()
+				};
+			case "ekReceivedCt1Sampled":
+				w.writeBytes(1, encodeUcEkReceivedCt1Sampled(state.uc));
+				w.writeBytes(2, encodePolynomialEncoder(state.sendingCt1));
+				return {
+					fieldNumber: 9,
+					data: w.finish()
+				};
+			case "ct1Acknowledged":
+				w.writeBytes(1, encodeUcAuthHdrEsCt1(state.uc));
+				w.writeBytes(2, encodePolynomialDecoder(state.receivingEk));
+				return {
+					fieldNumber: 10,
+					data: w.finish()
+				};
+			case "ct2Sampled":
+				w.writeBytes(1, encodeUcKeysUnsampled(state.uc));
+				w.writeBytes(2, encodePolynomialEncoder(state.sendingCt2));
+				return {
+					fieldNumber: 11,
+					data: w.finish()
+				};
+		}
+	}
+	function decodeChunkedRaw(data) {
+		const r = new ProtoReader(data);
+		let uc = EMPTY_BYTES;
+		let encoder;
+		let decoder;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					uc = r.readBytes();
+					break;
+				case 2:
+					encoder = r.readBytes();
+					break;
+				case 3:
+					decoder = r.readBytes();
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			uc,
+			encoder,
+			decoder
+		};
+	}
+	function requireField(data, name) {
+		if (data === void 0) throw new Error(`Protobuf: missing required field '${name}'`);
+		return data;
+	}
+	function decodeChunkedState(fieldNumber, data) {
+		const raw = decodeChunkedRaw(data);
+		switch (fieldNumber) {
+			case 1: return {
+				type: "keysUnsampled",
+				uc: decodeUcKeysUnsampled(raw.uc)
+			};
+			case 2: return {
+				type: "keysSampled",
+				uc: decodeUcKeysSampled(raw.uc),
+				sendingHdr: decodePolynomialEncoder(requireField(raw.encoder, "encoder"))
+			};
+			case 3: return {
+				type: "headerSent",
+				uc: decodeUcHeaderSent(raw.uc),
+				sendingEk: decodePolynomialEncoder(requireField(raw.encoder, "encoder")),
+				receivingCt1: decodePolynomialDecoder(requireField(raw.decoder, "decoder"))
+			};
+			case 4: return {
+				type: "ct1Received",
+				uc: decodeUcDkCt1(raw.uc),
+				sendingEk: decodePolynomialEncoder(requireField(raw.encoder, "encoder"))
+			};
+			case 5: return {
+				type: "ekSentCt1Received",
+				uc: decodeUcDkCt1(raw.uc),
+				receivingCt2: decodePolynomialDecoder(requireField(raw.decoder, "decoder"))
+			};
+			case 6: return {
+				type: "noHeaderReceived",
+				uc: decodeUcKeysUnsampled(raw.uc),
+				receivingHdr: decodePolynomialDecoder(requireField(raw.encoder, "encoder"))
+			};
+			case 7: return {
+				type: "headerReceived",
+				uc: decodeUcHeaderReceived(raw.uc),
+				receivingEk: decodePolynomialDecoder(requireField(raw.encoder, "encoder"))
+			};
+			case 8: return {
+				type: "ct1Sampled",
+				uc: decodeUcAuthHdrEsCt1(raw.uc),
+				sendingCt1: decodePolynomialEncoder(requireField(raw.encoder, "encoder")),
+				receivingEk: decodePolynomialDecoder(requireField(raw.decoder, "decoder"))
+			};
+			case 9: return {
+				type: "ekReceivedCt1Sampled",
+				uc: decodeUcEkReceivedCt1Sampled(raw.uc),
+				sendingCt1: decodePolynomialEncoder(requireField(raw.encoder, "encoder"))
+			};
+			case 10: return {
+				type: "ct1Acknowledged",
+				uc: decodeUcAuthHdrEsCt1(raw.uc),
+				receivingEk: decodePolynomialDecoder(requireField(raw.encoder, "encoder"))
+			};
+			case 11: return {
+				type: "ct2Sampled",
+				uc: decodeUcKeysUnsampled(raw.uc),
+				sendingCt2: decodePolynomialEncoder(requireField(raw.encoder, "encoder"))
+			};
+			default: throw new Error(`Unknown chunked state field number: ${fieldNumber}`);
+		}
+	}
+	function encodeV1State(msg) {
+		if (msg.innerState === void 0) return EMPTY_BYTES;
+		const { fieldNumber, data } = encodeChunkedStateInner(msg.innerState);
+		const w = new ProtoWriter();
+		w.writeBytes(fieldNumber, data);
+		if (msg.epoch !== void 0) w.writeVarint(12, msg.epoch);
+		return w.finish();
+	}
+	function decodeV1State(data) {
+		const r = new ProtoReader(data);
+		let innerState;
+		let epoch;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			if (field.fieldNumber >= 1 && field.fieldNumber <= 11) innerState = decodeChunkedState(field.fieldNumber, r.readBytes());
+			else if (field.fieldNumber === 12) epoch = r.readVarint64();
+			else r.skip(field.wireType);
+		}
+		return {
+			innerState,
+			epoch
+		};
+	}
+	function encodePqRatchetState(msg) {
+		const w = new ProtoWriter();
+		if (msg.versionNegotiation !== void 0) w.writeBytes(1, encodeVersionNegotiation(msg.versionNegotiation));
+		if (msg.chain !== void 0) w.writeBytes(2, encodeChain(msg.chain));
+		if (msg.v1 !== void 0) w.writeBytes(3, encodeV1State(msg.v1));
+		return w.finish();
+	}
+	function decodePqRatchetState(data) {
+		const r = new ProtoReader(data);
+		let versionNegotiation;
+		let chain;
+		let v1;
+		while (!r.done) {
+			const field = r.readField();
+			if (field === null) break;
+			switch (field.fieldNumber) {
+				case 1:
+					versionNegotiation = decodeVersionNegotiation(r.readBytes());
+					break;
+				case 2:
+					chain = decodeChain(r.readBytes());
+					break;
+				case 3:
+					v1 = decodeV1State(r.readBytes());
+					break;
+				default: r.skip(field.wireType);
+			}
+		}
+		return {
+			versionNegotiation,
+			chain,
+			v1
+		};
+	}
+
+//#endregion
+//#region src/index.ts
+/**
+	* Copyright © 2025 Signal Messenger, LLC
+	* Copyright © 2026 Parity Technologies
+	*
+	* Top-level public API for the SPQR protocol.
+	*
+	* Matches Signal's Rust `lib.rs` interface. All state is serialized as
+	* opaque protobuf bytes (Uint8Array) so that callers never need to touch
+	* internal types.
+	*
+	* Exported functions:
+	*   - emptyState()      -> empty serialized state (V0)
+	*   - initialState(p)   -> create initial serialized state
+	*   - send(state, rng)  -> produce next message + advance state
+	*   - recv(state, msg)  -> consume incoming message + advance state
+	*   - currentVersion(s) -> inspect version negotiation status
+	*/
+	/**
+	* Return an empty (V0) serialized state.
+	*/
+	function emptyState() {
+		return new Uint8Array(0);
+	}
+	/**
+	* Create an initial serialized state from parameters.
+	*
+	* For V0, returns an empty state. For V1+, initializes the inner V1
+	* state machine and version negotiation.
+	*/
+	function initialState(params) {
+		if (params.version === Version.V0) return emptyState();
+		const inner = initInner(params.version, params.direction, params.authKey);
+		return encodePqRatchetState({
+			versionNegotiation: {
+				authKey: Uint8Array.from(params.authKey),
+				direction: params.direction,
+				minVersion: params.minVersion,
+				chainParams: {
+					maxJump: params.chainParams.maxJump,
+					maxOooKeys: params.chainParams.maxOooKeys
+				}
+			},
+			chain: void 0,
+			v1: inner
+		});
+	}
+	/**
+	* Produce the next outgoing message from the current state.
+	*
+	* Returns the updated state, serialized message, and optional message key.
+	*/
+	function send(state, rng) {
+		if (state.length === 0) return {
+			state: new Uint8Array(0),
+			msg: new Uint8Array(0),
+			key: null
+		};
+		const statePb = decodePqRatchetState(state);
+		if (statePb.v1 === void 0) return {
+			state: new Uint8Array(0),
+			msg: new Uint8Array(0),
+			key: null
+		};
+		const sendResult = send$1(statesFromPb(statePb.v1), rng);
+		let chain;
+		if (statePb.chain !== void 0) chain = Chain.fromProto(statePb.chain);
+		else if (statePb.versionNegotiation !== void 0) {
+			const vn = statePb.versionNegotiation;
+			if (vn.minVersion > Version.V0) chain = chainFromVersionNegotiation(vn);
+		} else throw new SpqrError("Chain not available and no version negotiation", SpqrErrorCode.ChainNotAvailable);
+		let index;
+		let msgKey;
+		let chainPb;
+		if (chain === void 0) {
+			if (sendResult.key !== null) throw new SpqrError("Unexpected epoch secret without chain", SpqrErrorCode.ChainNotAvailable);
+			index = 0;
+			msgKey = new Uint8Array(0);
+			chainPb = void 0;
+		} else {
+			if (sendResult.key !== null) chain.addEpoch(sendResult.key);
+			const msgEpoch = sendResult.msg.epoch - 1n;
+			const [sendIndex, sendKey] = chain.sendKey(msgEpoch);
+			index = sendIndex;
+			msgKey = sendKey;
+			chainPb = chain.toProto();
+		}
+		const serializedMsg = serializeMessage(sendResult.msg, index);
+		const v1Pb = statesToPb(sendResult.state);
+		return {
+			state: encodePqRatchetState({
+				versionNegotiation: statePb.versionNegotiation,
+				chain: chainPb,
+				v1: v1Pb
+			}),
+			msg: serializedMsg,
+			key: msgKey.length === 0 ? null : msgKey
+		};
+	}
+	/**
+	* Process an incoming message and transition the state.
+	*
+	* Returns the updated state and optional message key.
+	*/
+	function recv(state, msg) {
+		if (state.length === 0 && msg.length === 0) return {
+			state: new Uint8Array(0),
+			key: null
+		};
+		const prenegotiatedPb = state.length === 0 ? {
+			v1: void 0,
+			chain: void 0,
+			versionNegotiation: void 0
+		} : decodePqRatchetState(state);
+		const msgVer = msgVersion(msg);
+		if (msgVer === void 0) return {
+			state: Uint8Array.from(state),
+			key: null
+		};
+		const stateVer = stateVersion(prenegotiatedPb);
+		let statePb;
+		if (msgVer >= stateVer) statePb = prenegotiatedPb;
+		else {
+			const vn = prenegotiatedPb.versionNegotiation;
+			if (vn === void 0) throw new SpqrError(`Version mismatch: state=${stateVer}, msg=${msgVer}, no negotiation available`, SpqrErrorCode.VersionMismatch);
+			if (msgVer < vn.minVersion) throw new SpqrError(`Minimum version not met: min=${vn.minVersion}, msg=${msgVer}`, SpqrErrorCode.MinimumVersion);
+			statePb = {
+				v1: initInner(msgVer, vn.direction, Uint8Array.from(vn.authKey)),
+				versionNegotiation: void 0,
+				chain: chainFrom(prenegotiatedPb.chain, vn)
+			};
+		}
+		if (statePb.v1 === void 0) return {
+			state: new Uint8Array(0),
+			key: null
+		};
+		const { msg: sckaMsg, index } = deserializeMessage(msg);
+		const recvResult = recv$1(statesFromPb(statePb.v1), sckaMsg);
+		const msgKeyEpoch = sckaMsg.epoch - 1n;
+		const chainObj = chainFromState(statePb.chain, statePb.versionNegotiation);
+		if (recvResult.key !== null) chainObj.addEpoch(recvResult.key);
+		let msgKey;
+		if (msgKeyEpoch === 0n && index === 0) msgKey = new Uint8Array(0);
+		else msgKey = chainObj.recvKey(msgKeyEpoch, index);
+		const v1Pb = statesToPb(recvResult.state);
+		return {
+			state: encodePqRatchetState({
+				versionNegotiation: void 0,
+				chain: chainObj.toProto(),
+				v1: v1Pb
+			}),
+			key: msgKey.length === 0 ? null : msgKey
+		};
+	}
+	/**
+	* Inspect the current version negotiation status of a serialized state.
+	*/
+	function currentVersion(state) {
+		if (state.length === 0) return {
+			type: "negotiation_complete",
+			version: Version.V0
+		};
+		const statePb = decodePqRatchetState(state);
+		const version = statePb.v1 !== void 0 ? Version.V1 : Version.V0;
+		if (statePb.versionNegotiation !== void 0) return {
+			type: "still_negotiating",
+			version,
+			minVersion: statePb.versionNegotiation.minVersion
+		};
+		return {
+			type: "negotiation_complete",
+			version
+		};
+	}
+	/**
+	* Initialize the V1 inner state based on version and direction.
+	*/
+	function initInner(version, direction, authKey) {
+		if (version === Version.V0) return;
+		let states;
+		if (direction === Direction.A2B) states = initA(authKey);
+		else states = initB(authKey);
+		return statesToPb(states);
+	}
+	/**
+	* Extract version from a serialized message.
+	* Empty msg -> V0. msg[0]: 0 -> V0, 1 -> V1, else undefined.
+	*/
+	function msgVersion(msg) {
+		if (msg.length === 0) return Version.V0;
+		const v = msg[0];
+		if (v === 0) return Version.V0;
+		if (v === 1) return Version.V1;
+	}
+	/**
+	* Extract version from the decoded state.
+	* No v1 inner -> V0. Has v1 inner -> V1.
+	*/
+	function stateVersion(state) {
+		return state.v1 !== void 0 ? Version.V1 : Version.V0;
+	}
+	/**
+	* Create a Chain from version negotiation parameters.
+	*/
+	function chainFromVersionNegotiation(vn) {
+		const chainParams = vn.chainParams ?? {
+			maxJump: 25e3,
+			maxOooKeys: 2e3
+		};
+		return Chain.create(Uint8Array.from(vn.authKey), vn.direction, chainParams);
+	}
+	/**
+	* Get or create a Chain from the existing chain proto and version negotiation.
+	* Prefers existing chain, falls back to creating from version negotiation.
+	*/
+	function chainFrom(chainPb, vn) {
+		if (chainPb !== void 0) return chainPb;
+		if (vn !== void 0) return chainFromVersionNegotiation(vn).toProto();
+	}
+	/**
+	* Get a Chain object from state, creating from vn if needed.
+	*/
+	function chainFromState(chainPb, vn) {
+		if (chainPb !== void 0) return Chain.fromProto(chainPb);
+		if (vn !== void 0) return chainFromVersionNegotiation(vn);
+		throw new SpqrError("Chain not available and no version negotiation", SpqrErrorCode.ChainNotAvailable);
+	}
+
+//#endregion
+exports.Direction = Direction;
+exports.SpqrError = SpqrError;
+exports.SpqrErrorCode = SpqrErrorCode;
+exports.Version = Version;
+exports.currentVersion = currentVersion;
+exports.emptyState = emptyState;
+exports.initialState = initialState;
+exports.recv = recv;
+exports.send = send;
+return exports;
+})({}, nobleHashesHkdf, nobleHashesSha2, nobleHashesHmac, nobleHashesSha3, nobleHashesUtils, noblePostQuantumCrystals, noblePostQuantumMlKem);
+//# sourceMappingURL=index.iife.js.map