npm - @bcts/spqr - Versions diffs - 1.0.0-alpha.21 - Mend

@bcts/spqr 1.0.0-alpha.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/LICENSE +661 -0
package/README.md +11 -0
package/dist/index.cjs +4321 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +115 -0
package/dist/index.d.cts.map +1 -0
package/dist/index.d.mts +115 -0
package/dist/index.d.mts.map +1 -0
package/dist/index.iife.js +4318 -0
package/dist/index.iife.js.map +1 -0
package/dist/index.mjs +4312 -0
package/dist/index.mjs.map +1 -0
package/package.json +74 -0
package/src/authenticator.ts +163 -0
package/src/chain.ts +522 -0
package/src/constants.ts +90 -0
package/src/encoding/gf.ts +190 -0
package/src/encoding/index.ts +15 -0
package/src/encoding/polynomial.ts +657 -0
package/src/error.ts +75 -0
package/src/incremental-mlkem768.ts +546 -0
package/src/index.ts +415 -0
package/src/kdf.ts +34 -0
package/src/proto/index.ts +1376 -0
package/src/proto/pq-ratchet-types.ts +195 -0
package/src/types.ts +81 -0
package/src/util.ts +61 -0
package/src/v1/chunked/index.ts +60 -0
package/src/v1/chunked/message.ts +257 -0
package/src/v1/chunked/send-ct.ts +352 -0
package/src/v1/chunked/send-ek.ts +285 -0
package/src/v1/chunked/serialize.ts +278 -0
package/src/v1/chunked/states.ts +399 -0
package/src/v1/index.ts +9 -0
package/src/v1/unchunked/index.ts +20 -0
package/src/v1/unchunked/send-ct.ts +231 -0
package/src/v1/unchunked/send-ek.ts +177 -0

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,4312 @@
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { sha256 } from "@noble/hashes/sha2.js";
+import { hmac } from "@noble/hashes/hmac.js";
+import { sha3_256, sha3_512, shake256 } from "@noble/hashes/sha3.js";
+import { u32 } from "@noble/hashes/utils.js";
+import { XOF128, genCrystals } from "@noble/post-quantum/_crystals.js";
+import { ml_kem768 } from "@noble/post-quantum/ml-kem.js";
+//#region src/kdf.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* KDF wrappers for SPQR (HKDF-SHA256 and HMAC-SHA256).
+*/
+/**
+* HKDF-SHA256 key derivation.
+* @param ikm Input key material
+* @param salt Salt (use ZERO_SALT for empty)
+* @param info Context info string or bytes
+* @param length Output length in bytes
+*/
+function hkdfSha256(ikm, salt, info, length) {
+	return hkdf(sha256, ikm, salt, typeof info === "string" ? new TextEncoder().encode(info) : info, length);
+}
+/**
+* HMAC-SHA256 computation.
+*/
+function hmacSha256(key, data) {
+	return hmac(sha256, key, data);
+}
+//#endregion
+//#region src/util.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* Low-level utility functions for SPQR.
+*/
+/**
+* Constant-time comparison of two byte arrays.
+* Returns true if they are equal, false otherwise.
+*
+* Uses a XOR accumulator to avoid early-exit timing leaks.
+*
+* Limitation: Unlike Rust (#[inline(never)] + black_box), JavaScript
+* cannot fully prevent JIT optimizations. In Node.js environments,
+* callers requiring stronger guarantees should use
+* crypto.timingSafeEqual directly.
+*/
+function constantTimeEqual(a, b) {
+	if (a.length !== b.length) return false;
+	let diff = 0;
+	for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+	return diff === 0;
+}
+/** Convert a bigint to 8-byte big-endian Uint8Array */
+function bigintToBE8(value) {
+	const buf = new Uint8Array(8);
+	new DataView(buf.buffer).setBigUint64(0, value, false);
+	return buf;
+}
+/** Convert a number to 4-byte big-endian Uint8Array */
+function uint32ToBE4(value) {
+	const buf = new Uint8Array(4);
+	new DataView(buf.buffer).setUint32(0, value, false);
+	return buf;
+}
+/** Concatenate multiple Uint8Arrays */
+function concat(...arrays) {
+	let total = 0;
+	for (const a of arrays) total += a.length;
+	const result = new Uint8Array(total);
+	let offset = 0;
+	for (const a of arrays) {
+		result.set(a, offset);
+		offset += a.length;
+	}
+	return result;
+}
+//#endregion
+//#region src/constants.ts
+/** HMAC-SHA256 MAC size */
+const MAC_SIZE = 32;
+/** Default max key index jump */
+const DEFAULT_MAX_JUMP = 25e3;
+/** Default max out-of-order keys stored */
+const DEFAULT_MAX_OOO_KEYS = 2e3;
+/** Number of epochs to keep prior to the current send epoch */
+const EPOCHS_TO_KEEP_PRIOR_TO_SEND_EPOCH = 1;
+/** Size of a key entry in KeyHistory: 4 bytes (index BE32) + 32 bytes (key) */
+const KEY_ENTRY_SIZE = 36;
+/** Chain initialization label (NOTE: two spaces before "Start") */
+const LABEL_CHAIN_START = "Signal PQ Ratchet V1 Chain  Start";
+/** Chain epoch advancement label */
+const LABEL_CHAIN_ADD_EPOCH = "Signal PQ Ratchet V1 Chain Add Epoch";
+/** Per-message key derivation label */
+const LABEL_CHAIN_NEXT = "Signal PQ Ratchet V1 Chain Next";
+/** Authenticator key ratchet label */
+const LABEL_AUTH_UPDATE = "Signal_PQCKA_V1_MLKEM768:Authenticator Update";
+/** Ciphertext MAC label */
+const LABEL_CT_MAC = "Signal_PQCKA_V1_MLKEM768:ciphertext";
+/** Header MAC label */
+const LABEL_HDR_MAC = "Signal_PQCKA_V1_MLKEM768:ekheader";
+/** Epoch secret derivation label */
+const LABEL_SCKA_KEY = "Signal_PQCKA_V1_MLKEM768:SCKA Key";
+/** 32-byte zero salt used in HKDF */
+const ZERO_SALT = new Uint8Array(32);
+//#endregion
+//#region src/incremental-mlkem768.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* True incremental ML-KEM-768 implementation.
+*
+* Implements the libcrux-compatible incremental encapsulation split:
+*
+* - generate(): Splits the ML-KEM-768 public key into:
+*     hdr (pk1, 64 bytes) = rho(32) + H(ek)(32)   -- where H = SHA3-256
+*     ek  (pk2, 1152 bytes) = ByteEncode12(tHat)   -- the NTT vector
+*
+* - encaps1(hdr, rng): Uses only rho and H(ek) from the header to produce
+*     a REAL ct1 (960 bytes), shared secret (32 bytes), and
+*     encapsulation state (2080 bytes) for encaps2.
+*
+* - encaps2(ek, es): Completes the encapsulation using the tHat from pk2
+*     and the stored NTT randomness. Returns ct2 (128 bytes).
+*
+* - decaps(dk, ct1, ct2): Standard ML-KEM-768 decapsulation.
+*
+* Wire-compatible with Signal's Rust libcrux incremental implementation.
+*/
+const N = 256;
+const Q = 3329;
+const F = 3303;
+const ROOT_OF_UNITY = 17;
+const K = 3;
+const ETA1 = 2;
+const ETA2 = 2;
+const DU = 10;
+const DV = 4;
+/** Size of the public key header: rho(32) + H(ek)(32) */
+const HEADER_SIZE = 64;
+/** Size of the encapsulation key: ByteEncode12(tHat) = 3 * 384 = 1152 bytes */
+const EK_SIZE = 1152;
+/** Size of the first ciphertext fragment (ct[0..960]) */
+const CT1_SIZE = 960;
+/** Size of the second ciphertext fragment (ct[960..1088]) */
+const CT2_SIZE = 128;
+/** Standard ML-KEM-768 full public key size */
+const FULL_PK_SIZE = 1184;
+/** Standard ML-KEM-768 full ciphertext size */
+const FULL_CT_SIZE = 1088;
+/** Size of the keygen seed */
+const KEYGEN_SEED_SIZE = 64;
+/** Size of the encapsulation randomness (message m) */
+const ENCAPS_SEED_SIZE = 32;
+/**
+* Size of the encapsulation state:
+*   r_as_ntt: K(3) * N(256) * 2 = 1536 bytes
+*   error2:   N(256) * 2 = 512 bytes
+*   randomness: 32 bytes
+*   Total: 2080 bytes
+*/
+const ES_SIZE = 2080;
+const { mod, nttZetas, NTT, bitsCoder } = genCrystals({
+	N,
+	Q,
+	F,
+	ROOT_OF_UNITY,
+	newPoly: (n) => new Uint16Array(n),
+	brvBits: 7,
+	isKyber: true
+});
+function polyAdd(a, b) {
+	for (let i = 0; i < N; i++) a[i] = mod(a[i] + b[i]);
+}
+function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
+	return {
+		c0: mod(a1 * b1 * zeta + a0 * b0),
+		c1: mod(a0 * b1 + a1 * b0)
+	};
+}
+function MultiplyNTTs(f, g) {
+	for (let i = 0; i < N / 2; i++) {
+		let z = nttZetas[64 + (i >> 1)];
+		if ((i & 1) !== 0) z = -z;
+		const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z);
+		f[2 * i + 0] = c0;
+		f[2 * i + 1] = c1;
+	}
+	return f;
+}
+function SampleNTT(xof) {
+	const r = new Uint16Array(N);
+	for (let j = 0; j < N;) {
+		const b = xof();
+		if (b.length % 3 !== 0) throw new Error("SampleNTT: unaligned block");
+		for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
+			const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
+			const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
+			if (d1 < Q) r[j++] = d1;
+			if (j < N && d2 < Q) r[j++] = d2;
+		}
+	}
+	return r;
+}
+function sampleCBD(seed, nonce, eta) {
+	const len = eta * N / 4;
+	const buf = shake256.create({ dkLen: len }).update(seed).update(new Uint8Array([nonce])).digest();
+	const r = new Uint16Array(N);
+	const b32 = u32(buf);
+	let bitLen = 0;
+	let p = 0;
+	let bb = 0;
+	let t0 = 0;
+	for (let b of b32) for (let j = 0; j < 32; j++) {
+		bb += b & 1;
+		b >>= 1;
+		bitLen += 1;
+		if (bitLen === eta) {
+			t0 = bb;
+			bb = 0;
+		} else if (bitLen === 2 * eta) {
+			r[p++] = mod(t0 - bb);
+			bb = 0;
+			bitLen = 0;
+		}
+	}
+	if (bitLen !== 0) throw new Error(`sampleCBD: leftover bits: ${bitLen}`);
+	return r;
+}
+const compress = (d) => {
+	if (d >= 12) return {
+		encode: (i) => i,
+		decode: (i) => i
+	};
+	const a = 2 ** (d - 1);
+	return {
+		encode: (i) => ((i << d) + Q / 2) / Q,
+		decode: (i) => i * Q + a >>> d
+	};
+};
+const polyCoder = (d) => bitsCoder(d, compress(d));
+const poly12 = polyCoder(12);
+const polyDU = polyCoder(DU);
+const polyDV = polyCoder(DV);
+const poly1 = polyCoder(1);
+/**
+* Encode the encapsulation state as 2080 bytes:
+*   r_as_ntt: K polys, each 256 coefficients as uint16 LE = 1536 bytes
+*   error2: 1 poly, 256 coefficients as uint16 LE = 512 bytes
+*   randomness: 32 bytes (the message m)
+*/
+function encodeState(rHat, e2, m) {
+	const state = new Uint8Array(ES_SIZE);
+	let offset = 0;
+	for (let k = 0; k < K; k++) {
+		const poly = rHat[k];
+		for (let i = 0; i < N; i++) {
+			const val = poly[i];
+			state[offset++] = val & 255;
+			state[offset++] = val >> 8 & 255;
+		}
+	}
+	for (let i = 0; i < N; i++) {
+		const val = e2[i];
+		state[offset++] = val & 255;
+		state[offset++] = val >> 8 & 255;
+	}
+	state.set(m, offset);
+	return state;
+}
+/**
+* Decode the encapsulation state from 2080 bytes.
+* Includes the Issue 1275 endianness workaround.
+*/
+function decodeState(state) {
+	const st = fixIssue1275(state) ?? state;
+	let offset = 0;
+	const rHat = [];
+	for (let k = 0; k < K; k++) {
+		const poly = new Uint16Array(N);
+		for (let i = 0; i < N; i++) {
+			poly[i] = st[offset] | st[offset + 1] << 8;
+			offset += 2;
+		}
+		rHat.push(poly);
+	}
+	const e2 = new Uint16Array(N);
+	for (let i = 0; i < N; i++) {
+		e2[i] = st[offset] | st[offset + 1] << 8;
+		offset += 2;
+	}
+	return {
+		rHat,
+		e2,
+		m: st.slice(offset, offset + 32)
+	};
+}
+/**
+* Port of Rust's potentially_fix_state_incorrectly_encoded_by_libcrux_issue_1275.
+*
+* Due to https://github.com/cryspen/libcrux/issues/1275, the encapsulation
+* state may contain error2 coefficients with wrong endianness.
+*
+* Error2 values should be in [-2, 2] (ETA2=2 for ML-KEM-768).
+* As uint16 LE, valid values are: 0x0000, 0x0001, 0x0002, 0xFFFF (-1), 0xFFFE (-2).
+* Bad-endian equivalents: 0x0100, 0x0200, 0xFEFF.
+*
+* Returns a fixed copy if endianness is wrong, or null if state is OK.
+*/
+function fixIssue1275(es) {
+	const E2_START = K * N * 2;
+	const E2_END = E2_START + N * 2;
+	for (let i = E2_START; i < E2_END; i += 2) {
+		const val = es[i] | es[i + 1] << 8;
+		if (val === 0 || val === 65535) continue;
+		if (val === 1 || val === 2 || val === 65534) return null;
+		if (val === 256 || val === 512 || val === 65279) return flipEndianness(es);
+		return null;
+	}
+	return null;
+}
+/**
+* Flip the endianness of all i16 values in the encapsulation state.
+* The last 32 bytes (randomness) are NOT flipped.
+*/
+function flipEndianness(es) {
+	const fixed = new Uint8Array(es);
+	const coeffEnd = es.length - 32;
+	for (let i = 0; i < coeffEnd; i += 2) {
+		const tmp = fixed[i];
+		fixed[i] = fixed[i + 1];
+		fixed[i + 1] = tmp;
+	}
+	return fixed;
+}
+/**
+* Generate an ML-KEM-768 keypair and split the public key.
+*
+* The ML-KEM-768 public key (1184 bytes) is:
+*   tHat = pk[0..1152]    (ByteEncode12 of NTT vector)
+*   rho  = pk[1152..1184]  (32-byte seed)
+*
+* The incremental split produces:
+*   hdr (pk1) = rho(32) + SHA3-256(pk)(32) = 64 bytes
+*   ek  (pk2) = tHat(1152) = ByteEncode12(tHat) = 1152 bytes
+*
+* @param rng - Random byte generator; must provide at least 64 bytes
+* @returns Split key material
+*/
+function generate(rng) {
+	const seed = rng(KEYGEN_SEED_SIZE);
+	const { publicKey, secretKey } = ml_kem768.keygen(seed);
+	const tHat = publicKey.slice(0, EK_SIZE);
+	const rho = publicKey.slice(EK_SIZE);
+	const hEk = sha3_256(publicKey);
+	const hdr = new Uint8Array(HEADER_SIZE);
+	hdr.set(rho, 0);
+	hdr.set(hEk, 32);
+	return {
+		hdr,
+		ek: tHat,
+		dk: secretKey
+	};
+}
+/**
+* Phase 1 of true incremental encapsulation.
+*
+* Uses only rho and H(ek) from the 64-byte header to produce:
+* - REAL ct1 (960 bytes): compress_du(u) where u = NTT^-1(A^T * rHat) + e1
+* - REAL shared secret: K-hat from SHA3-512(m || H(ek))
+* - Encapsulation state (2080 bytes): r_as_ntt + error2 + m
+*
+* @param hdr - The 64-byte header: rho(32) + H(ek)(32)
+* @param rng - Random byte generator
+* @returns Real ct1, encapsulation state, and real shared secret
+*/
+function encaps1(hdr, rng) {
+	const rho = hdr.slice(0, 32);
+	const hEk = hdr.slice(32, 64);
+	const m = rng(ENCAPS_SEED_SIZE);
+	const kr = sha3_512.create().update(m).update(hEk).digest();
+	const kHat = kr.slice(0, 32);
+	const r = kr.slice(32, 64);
+	const rHat = [];
+	for (let i = 0; i < K; i++) rHat.push(NTT.encode(sampleCBD(r, i, ETA1)));
+	const x = XOF128(rho);
+	const u = [];
+	for (let i = 0; i < K; i++) {
+		const e1 = sampleCBD(r, K + i, ETA2);
+		const tmp = new Uint16Array(N);
+		for (let j = 0; j < K; j++) polyAdd(tmp, MultiplyNTTs(SampleNTT(x.get(i, j)), rHat[j].slice()));
+		polyAdd(e1, NTT.decode(tmp));
+		u.push(e1);
+	}
+	x.clean();
+	const ct1 = new Uint8Array(CT1_SIZE);
+	for (let i = 0; i < K; i++) {
+		const encoded = polyDU.encode(u[i]);
+		ct1.set(encoded, i * polyDU.bytesLen);
+	}
+	return {
+		ct1,
+		es: encodeState(rHat, sampleCBD(r, 2 * K, ETA2), m),
+		sharedSecret: kHat
+	};
+}
+/**
+* Phase 2 of true incremental encapsulation.
+*
+* Uses the tHat from pk2 (ek) and the stored NTT randomness to compute ct2.
+*
+* @param ek - The 1152-byte encapsulation key (ByteEncode12(tHat))
+* @param es - The 2080-byte encapsulation state from encaps1
+* @returns ct2 (128 bytes) ONLY
+*/
+function encaps2(ek, es) {
+	const { rHat, e2, m } = decodeState(es);
+	const tHat = [];
+	for (let i = 0; i < K; i++) {
+		const slice = ek.subarray(i * poly12.bytesLen, (i + 1) * poly12.bytesLen);
+		tHat.push(poly12.decode(slice));
+	}
+	const tmp = new Uint16Array(N);
+	for (let i = 0; i < K; i++) polyAdd(tmp, MultiplyNTTs(tHat[i].slice(), rHat[i].slice()));
+	const v = NTT.decode(tmp);
+	polyAdd(v, e2);
+	polyAdd(v, poly1.decode(m));
+	return polyDV.encode(v);
+}
+/**
+* Decapsulate a split ciphertext using the decapsulation key.
+*
+* Concatenates ct1 (960 bytes) and ct2 (128 bytes) into a standard
+* 1088-byte ML-KEM-768 ciphertext, then performs standard decapsulation.
+*
+* @param dk - The 2400-byte decapsulation (secret) key
+* @param ct1 - First ciphertext fragment (960 bytes)
+* @param ct2 - Second ciphertext fragment (128 bytes)
+* @returns The 32-byte shared secret
+*/
+function decaps(dk, ct1, ct2) {
+	const ct = new Uint8Array(FULL_CT_SIZE);
+	ct.set(ct1.subarray(0, CT1_SIZE), 0);
+	ct.set(ct2.subarray(0, CT2_SIZE), CT1_SIZE);
+	return ml_kem768.decapsulate(ct, dk);
+}
+/**
+* Check whether an encapsulation key is consistent with a header.
+*
+* Reconstructs the full public key from pk2 (tHat) and pk1[0..32] (rho),
+* computes SHA3-256 of the full pk, and compares with H(ek) in the header.
+*
+* @param ek - Encapsulation key (1152 bytes = ByteEncode12(tHat))
+* @param hdr - Header (64 bytes = rho(32) + H(ek)(32))
+* @returns true if ek is consistent with the header
+*/
+function ekMatchesHeader(ek, hdr) {
+	if (hdr.length < HEADER_SIZE || ek.length < EK_SIZE) return false;
+	const rho = hdr.slice(0, 32);
+	const expectedHash = hdr.slice(32, 64);
+	const pk = new Uint8Array(FULL_PK_SIZE);
+	pk.set(ek.subarray(0, EK_SIZE), 0);
+	pk.set(rho, EK_SIZE);
+	const actualHash = sha3_256(pk);
+	if (actualHash.length !== expectedHash.length) return false;
+	let diff = 0;
+	for (let i = 0; i < actualHash.length; i++) diff |= actualHash[i] ^ expectedHash[i];
+	return diff === 0;
+}
+//#endregion
+//#region src/error.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* Error types for the SPQR protocol.
+*/
+var SpqrError = class extends Error {
+	constructor(message, code, detail) {
+		super(message);
+		this.code = code;
+		this.detail = detail;
+		this.name = "SpqrError";
+	}
+};
+let SpqrErrorCode = /* @__PURE__ */ function(SpqrErrorCode) {
+	SpqrErrorCode["StateDecode"] = "STATE_DECODE";
+	SpqrErrorCode["NotImplemented"] = "NOT_IMPLEMENTED";
+	SpqrErrorCode["MsgDecode"] = "MSG_DECODE";
+	SpqrErrorCode["MacVerifyFailed"] = "MAC_VERIFY_FAILED";
+	SpqrErrorCode["EpochOutOfRange"] = "EPOCH_OUT_OF_RANGE";
+	SpqrErrorCode["EncodingDecoding"] = "ENCODING_DECODING";
+	SpqrErrorCode["Serialization"] = "SERIALIZATION";
+	SpqrErrorCode["VersionMismatch"] = "VERSION_MISMATCH";
+	SpqrErrorCode["MinimumVersion"] = "MINIMUM_VERSION";
+	SpqrErrorCode["KeyJump"] = "KEY_JUMP";
+	SpqrErrorCode["KeyTrimmed"] = "KEY_TRIMMED";
+	SpqrErrorCode["KeyAlreadyRequested"] = "KEY_ALREADY_REQUESTED";
+	SpqrErrorCode["ErroneousDataReceived"] = "ERRONEOUS_DATA_RECEIVED";
+	SpqrErrorCode["SendKeyEpochDecreased"] = "SEND_KEY_EPOCH_DECREASED";
+	SpqrErrorCode["InvalidParams"] = "INVALID_PARAMS";
+	SpqrErrorCode["ChainNotAvailable"] = "CHAIN_NOT_AVAILABLE";
+	return SpqrErrorCode;
+}({});
+var AuthenticatorError = class extends Error {
+	constructor(message, code) {
+		super(message);
+		this.code = code;
+		this.name = "AuthenticatorError";
+	}
+};
+//#endregion
+//#region src/v1/unchunked/send-ct.ts
+const SCKA_KEY_LABEL$1 = new TextEncoder().encode(LABEL_SCKA_KEY);
+/**
+* Derive the epoch secret from the KEM shared secret.
+*
+* HKDF-SHA256(ikm=sharedSecret, salt=ZERO_SALT,
+*             info=LABEL_SCKA_KEY || epoch_be8, length=32)
+*
+* Matches Rust: info = [b"Signal_PQCKA_V1_MLKEM768:SCKA Key", epoch.to_be_bytes()].concat()
+*/
+function deriveEpochSecret$1(epoch, sharedSecret) {
+	return {
+		epoch,
+		secret: hkdfSha256(sharedSecret, ZERO_SALT, concat(SCKA_KEY_LABEL$1, bigintToBE8(epoch)), 32)
+	};
+}
+/**
+* Waiting to receive the header from the send_ek peer.
+*/
+var NoHeaderReceived$1 = class {
+	constructor(epoch, auth) {
+		this.epoch = epoch;
+		this.auth = auth;
+	}
+	/**
+	* Receive the header and verify its MAC.
+	*
+	* @param epoch - The epoch for this exchange (must match current epoch)
+	* @param hdr - The 64-byte public key header
+	* @param mac - The 32-byte HMAC-SHA256 MAC over the header
+	* @returns Next state
+	* @throws {AuthenticatorError} If the header MAC is invalid
+	*/
+	recvHeader(epoch, hdr, mac) {
+		this.auth.verifyHdr(epoch, hdr, mac);
+		return new HeaderReceived$1(this.epoch, this.auth, hdr);
+	}
+};
+/**
+* The header has been received and verified. Ready to produce ct1.
+*
+* In the true incremental ML-KEM approach, sendCt1 performs encaps1
+* using only the header (rho + H(ek)), producing REAL ct1 and shared
+* secret. The epoch secret is derived here.
+*/
+var HeaderReceived$1 = class {
+	constructor(epoch, auth, hdr) {
+		this.epoch = epoch;
+		this.auth = auth;
+		this.hdr = hdr;
+	}
+	/**
+	* Generate encapsulation randomness and produce REAL ct1.
+	*
+	* Performs encaps1 using the header to produce:
+	* - Real ct1 (960 bytes)
+	* - Real shared secret -> epoch secret
+	* - Encapsulation state for later encaps2
+	*
+	* The authenticator is updated with the derived epoch secret.
+	*
+	* @param rng - Random byte generator
+	* @returns [nextState, real_ct1, epochSecret]
+	*/
+	sendCt1(rng) {
+		const { ct1, es, sharedSecret } = encaps1(this.hdr, rng);
+		const epochSecret = deriveEpochSecret$1(this.epoch, sharedSecret);
+		const auth = this.auth.clone();
+		auth.update(this.epoch, epochSecret.secret);
+		return [
+			new Ct1Sent(this.epoch, auth, this.hdr, es, ct1),
+			ct1,
+			epochSecret
+		];
+	}
+};
+/**
+* Real ct1 has been produced. Waiting for the encapsulation key.
+*
+* Stores hdr, es(2080), and ct1(960) for the encaps2 phase.
+*/
+var Ct1Sent = class {
+	constructor(epoch, auth, hdr, es, ct1) {
+		this.epoch = epoch;
+		this.auth = auth;
+		this.hdr = hdr;
+		this.es = es;
+		this.ct1 = ct1;
+	}
+	/**
+	* Receive the encapsulation key and validate it against the header.
+	*
+	* In the true incremental approach, this simply validates and stores
+	* the ek for later use in sendCt2. No encapsulation happens here.
+	*
+	* @param ek - The 1152-byte encapsulation key from the send_ek peer
+	* @returns Next state
+	* @throws {SpqrError} If the ek does not match the header
+	*/
+	recvEk(ek) {
+		if (!ekMatchesHeader(ek, this.hdr)) throw new SpqrError("Encapsulation key does not match header", SpqrErrorCode.ErroneousDataReceived);
+		return new Ct1SentEkReceived(this.epoch, this.auth, this.es, ek, this.ct1);
+	}
+};
+/**
+* The encapsulation key has been received and validated.
+* Ready to send ct2.
+*
+* Stores es(2080), ek(1152), and ct1(960) for encaps2 + MAC.
+*/
+var Ct1SentEkReceived = class {
+	constructor(epoch, auth, es, ek, ct1) {
+		this.epoch = epoch;
+		this.auth = auth;
+		this.es = es;
+		this.ek = ek;
+		this.ct1 = ct1;
+	}
+	/**
+	* Produce ct2 by calling encaps2, then MAC over ct1 || ct2.
+	*
+	* @returns Result with next state, ct2, and MAC
+	*/
+	sendCt2() {
+		const ct2 = encaps2(this.ek, this.es);
+		const fullCt = concat(this.ct1, ct2);
+		const mac = this.auth.macCt(this.epoch, fullCt);
+		return {
+			state: new Ct2Sent(this.epoch, this.auth),
+			ct2,
+			mac
+		};
+	}
+};
+/**
+* Terminal state for this epoch's send_ct exchange.
+*
+* The caller is responsible for creating the next epoch's
+* send_ek::KeysUnsampled state from the epoch and auth.
+*/
+var Ct2Sent = class {
+	constructor(epoch, auth) {
+		this.epoch = epoch;
+		this.auth = auth;
+	}
+	/** The next epoch for the send_ek side */
+	get nextEpoch() {
+		return this.epoch + 1n;
+	}
+};
+//#endregion
+//#region src/encoding/gf.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* GF(2^16) Galois field arithmetic.
+* Ported from the Rust SPQR implementation.
+*
+* Primitive polynomial: x^16 + x^12 + x^3 + x + 1 (0x1100b)
+*/
+/** Primitive polynomial for GF(2^16): x^16 + x^12 + x^3 + x + 1 */
+const POLY = 69643;
+/**
+* Build one entry of the reduction table.
+*
+* Given a single byte `a` that appears in positions [16..23] or [24..31] of
+* a 32-bit product, compute the 16-bit XOR mask needed to reduce those bits
+* modulo POLY.
+*/
+function reduceFromByte(a) {
+	let byte = a;
+	let out = 0;
+	for (let i = 7; i >= 0; i--) if ((1 << i & byte) !== 0) {
+		out ^= POLY << i;
+		byte ^= POLY << i >>> 16 & 255;
+	}
+	return out & 65535;
+}
+/** Precomputed 256-entry lookup table for polynomial reduction. */
+const REDUCE_BYTES = /* @__PURE__ */ (() => {
+	const table = new Uint16Array(256);
+	for (let i = 0; i < 256; i++) table[i] = reduceFromByte(i);
+	return table;
+})();
+/**
+* Polynomial multiplication in GF(2)[x] (no reduction).
+*
+* Both `a` and `b` must be in the range [0, 0xffff].
+* The result may be up to 31 bits wide.
+*/
+function polyMul(a, b) {
+	let acc = 0;
+	for (let shift = 0; shift < 16; shift++) if ((b & 1 << shift) !== 0) acc ^= a << shift;
+	return acc >>> 0;
+}
+/**
+* Reduce a 32-bit polynomial product modulo POLY, yielding a 16-bit result.
+*
+* Uses the precomputed REDUCE_BYTES table to process the top two bytes.
+*/
+function polyReduce(v) {
+	let r = v >>> 0;
+	r ^= REDUCE_BYTES[r >>> 24 & 255] << 8;
+	r ^= REDUCE_BYTES[r >>> 16 & 255];
+	return r & 65535;
+}
+/**
+* Full GF(2^16) multiplication of two raw u16 values.
+* Returns a u16 result.
+*/
+function mulRaw(a, b) {
+	return polyReduce(polyMul(a, b));
+}
+/**
+* An element of GF(2^16).
+*
+* The `value` field holds a 16-bit unsigned integer in [0, 65535].
+*/
+var GF16 = class GF16 {
+	value;
+	constructor(value) {
+		this.value = value & 65535;
+	}
+	static ZERO = new GF16(0);
+	static ONE = new GF16(1);
+	/** Addition in GF(2^n) is XOR. */
+	add(other) {
+		return new GF16(this.value ^ other.value);
+	}
+	/** Subtraction in GF(2^n) is the same as addition (XOR). */
+	sub(other) {
+		return this.add(other);
+	}
+	/** Multiplication in GF(2^16) using polynomial long-multiplication + reduction. */
+	mul(other) {
+		return new GF16(mulRaw(this.value, other.value));
+	}
+	/**
+	* Division in GF(2^16).
+	*
+	* Computes `this / other` via Fermat's little theorem:
+	*   other^(-1) = other^(2^16 - 2)
+	*
+	* The loop accumulates the inverse through repeated squaring:
+	*   After 15 iterations (i = 1..15):
+	*     out = this * other^(2^16 - 2) = this * other^(-1)
+	*
+	* Throws if `other` is zero.
+	*/
+	div(other) {
+		if (other.value === 0) throw new Error("GF16: division by zero");
+		let sqVal = mulRaw(other.value, other.value);
+		let outVal = this.value;
+		for (let i = 1; i < 16; i++) {
+			const newSqVal = mulRaw(sqVal, sqVal);
+			const newOutVal = mulRaw(sqVal, outVal);
+			sqVal = newSqVal;
+			outVal = newOutVal;
+		}
+		return new GF16(outVal);
+	}
+	equals(other) {
+		return this.value === other.value;
+	}
+	toString() {
+		return `GF16(0x${this.value.toString(16).padStart(4, "0")})`;
+	}
+};
+/**
+* Multiply every element of `into` by `a` in-place.
+*
+* This is the TypeScript equivalent of Rust's `parallel_mult` which benefits
+* from SIMD on native platforms. Here we just iterate.
+*/
+function parallelMult(a, into) {
+	const av = a.value;
+	for (let i = 0; i < into.length; i++) into[i] = new GF16(mulRaw(av, into[i].value));
+}
+//#endregion
+//#region src/encoding/polynomial.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* Polynomial erasure coding over GF(2^16).
+* Ported from the Rust SPQR implementation.
+*
+* The encoder splits a message into 16 parallel polynomials and can produce
+* an unlimited number of coded chunks. Any sufficient subset of chunks
+* allows the decoder to reconstruct the original message via Lagrange
+* interpolation.
+*/
+var PolynomialError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "PolynomialError";
+	}
+};
+const NUM_POLYS = 16;
+const CHUNK_DATA_SIZE$1 = 32;
+const MAX_MESSAGE_LENGTH = 65536 * NUM_POLYS;
+/**
+* A polynomial over GF(2^16) in coefficient form.
+*
+* Coefficients are stored in little-endian order:
+*   coefficients[0] = constant term (x^0)
+*   coefficients[1] = linear term (x^1)
+*   ...
+*/
+var Poly = class Poly {
+	coefficients;
+	constructor(coefficients) {
+		this.coefficients = coefficients;
+	}
+	/** Create a zero polynomial of a given length. */
+	static zeros(len) {
+		const coeffs = new Array(len);
+		for (let i = 0; i < len; i++) coeffs[i] = GF16.ZERO;
+		return new Poly(coeffs);
+	}
+	/** Number of coefficients. */
+	get length() {
+		return this.coefficients.length;
+	}
+	/**
+	* Evaluate the polynomial at a given point using a divide-and-conquer
+	* approach for computing powers of x, then a dot product.
+	*
+	* xs[0] = 1, xs[1] = x, xs[i] = xs[floor(i/2)] * xs[floor(i/2) + (i%2)]
+	*/
+	computeAt(x) {
+		const n = this.coefficients.length;
+		if (n === 0) return GF16.ZERO;
+		if (n === 1) return this.coefficients[0];
+		const xs = new Array(n);
+		xs[0] = GF16.ONE;
+		if (n > 1) xs[1] = x;
+		for (let i = 2; i < n; i++) {
+			const half = i >>> 1;
+			const rem = i & 1;
+			xs[i] = xs[half].mul(xs[half + rem]);
+		}
+		let result = GF16.ZERO;
+		for (let i = 0; i < n; i++) result = result.add(this.coefficients[i].mul(xs[i]));
+		return result;
+	}
+	/** Add another polynomial to this one in-place. */
+	addAssign(other) {
+		while (this.coefficients.length < other.coefficients.length) this.coefficients.push(GF16.ZERO);
+		for (let i = 0; i < other.coefficients.length; i++) this.coefficients[i] = this.coefficients[i].add(other.coefficients[i]);
+	}
+	/** Multiply all coefficients by a scalar in-place. */
+	multAssign(m) {
+		parallelMult(m, this.coefficients);
+	}
+	/** Serialize coefficients as big-endian u16 pairs. */
+	serialize() {
+		const out = new Uint8Array(this.coefficients.length * 2);
+		for (let i = 0; i < this.coefficients.length; i++) {
+			const v = this.coefficients[i].value;
+			out[i * 2] = v >>> 8 & 255;
+			out[i * 2 + 1] = v & 255;
+		}
+		return out;
+	}
+	/** Deserialize from big-endian u16 pairs. */
+	static deserialize(data) {
+		if (data.length % 2 !== 0) throw new PolynomialError("Poly data length must be even");
+		const n = data.length / 2;
+		const coeffs = new Array(n);
+		for (let i = 0; i < n; i++) coeffs[i] = new GF16(data[i * 2] << 8 | data[i * 2 + 1]);
+		return new Poly(coeffs);
+	}
+	/**
+	* Lagrange interpolation over a set of points.
+	*
+	* Given N points (x_i, y_i), produces the unique polynomial of degree < N
+	* passing through all of them.
+	*/
+	static lagrangeInterpolate(pts) {
+		const n = pts.length;
+		if (n === 0) return new Poly([]);
+		let product = new Poly([pts[0].x, GF16.ONE]);
+		for (let i = 1; i < n; i++) product = polyMultiply(product, new Poly([pts[i].x, GF16.ONE]));
+		const result = Poly.zeros(n);
+		for (let i = 0; i < n; i++) {
+			const basis = syntheticDivide(product, pts[i].x);
+			const denom = basis.computeAt(pts[i].x);
+			const scale = pts[i].y.div(denom);
+			const scaled = clonePoly(basis);
+			scaled.multAssign(scale);
+			result.addAssign(scaled);
+		}
+		return result;
+	}
+};
+/** Multiply two polynomials (convolution over GF(2^16)). */
+function polyMultiply(a, b) {
+	if (a.length === 0 || b.length === 0) return new Poly([]);
+	const result = Poly.zeros(a.length + b.length - 1);
+	for (let i = 0; i < a.length; i++) for (let j = 0; j < b.length; j++) result.coefficients[i + j] = result.coefficients[i + j].add(a.coefficients[i].mul(b.coefficients[j]));
+	return result;
+}
+/**
+* Synthetic division: divide poly by (x - root) = (x + root) in GF(2^n).
+*
+* Returns the quotient polynomial (degree one less than input).
+*/
+function syntheticDivide(poly, root) {
+	const n = poly.length;
+	if (n <= 1) return new Poly([]);
+	const quotient = new Array(n - 1);
+	let carry = GF16.ZERO;
+	for (let i = n - 1; i >= 1; i--) {
+		const coeff = poly.coefficients[i].add(carry);
+		quotient[i - 1] = coeff;
+		carry = coeff.mul(root);
+	}
+	return new Poly(quotient);
+}
+/** Clone a polynomial (shallow copy of coefficient array). */
+function clonePoly(p) {
+	return new Poly(p.coefficients.slice());
+}
+var SortedPtSet = class SortedPtSet {
+	pts = [];
+	get length() {
+		return this.pts.length;
+	}
+	/** Insert a point, maintaining sorted order. Returns false if duplicate x. */
+	insert(pt) {
+		const idx = this.findIndex(pt.x.value);
+		if (idx < this.pts.length && this.pts[idx].x.value === pt.x.value) return false;
+		this.pts.splice(idx, 0, pt);
+		return true;
+	}
+	/** Binary search for the insertion point of a given x value. */
+	findIndex(xVal) {
+		let lo = 0;
+		let hi = this.pts.length;
+		while (lo < hi) {
+			const mid = lo + hi >>> 1;
+			if (this.pts[mid].x.value < xVal) lo = mid + 1;
+			else hi = mid;
+		}
+		return lo;
+	}
+	/** Look up a point by x value. Returns undefined if not found. */
+	findByX(xVal) {
+		const idx = this.findIndex(xVal);
+		if (idx < this.pts.length && this.pts[idx].x.value === xVal) return this.pts[idx];
+	}
+	/** Return all points as an array (for interpolation). */
+	toArray() {
+		return this.pts.slice();
+	}
+	/** Serialize all points as big-endian u16 pairs (x then y). */
+	serialize() {
+		const out = new Uint8Array(this.pts.length * 4);
+		for (let i = 0; i < this.pts.length; i++) {
+			const pt = this.pts[i];
+			out[i * 4] = pt.x.value >>> 8 & 255;
+			out[i * 4 + 1] = pt.x.value & 255;
+			out[i * 4 + 2] = pt.y.value >>> 8 & 255;
+			out[i * 4 + 3] = pt.y.value & 255;
+		}
+		return out;
+	}
+	/** Deserialize from big-endian u16 pairs (x then y). */
+	static deserialize(data) {
+		if (data.length % 4 !== 0) throw new PolynomialError("SortedPtSet data length must be multiple of 4");
+		const set = new SortedPtSet();
+		const n = data.length / 4;
+		for (let i = 0; i < n; i++) {
+			const x = new GF16(data[i * 4] << 8 | data[i * 4 + 1]);
+			const y = new GF16(data[i * 4 + 2] << 8 | data[i * 4 + 3]);
+			set.insert({
+				x,
+				y
+			});
+		}
+		return set;
+	}
+};
+var PolyEncoder = class PolyEncoder {
+	idx;
+	state;
+	constructor(idx, state) {
+		this.idx = idx;
+		this.state = state;
+	}
+	/**
+	* Create an encoder from a message byte array.
+	*
+	* The message is split into 16 interleaved streams of GF16 values.
+	* Each pair of consecutive bytes becomes one GF16 element. If the message
+	* length is odd, it is padded with a zero byte.
+	*/
+	static encodeBytes(msg) {
+		if (msg.length % 2 !== 0) throw new PolynomialError("Message length must be even");
+		if (msg.length > MAX_MESSAGE_LENGTH) throw new PolynomialError("Message length exceeds maximum");
+		const totalValues = msg.length / 2;
+		const points = new Array(NUM_POLYS);
+		for (let p = 0; p < NUM_POLYS; p++) points[p] = [];
+		for (let i = 0; i < totalValues; i++) {
+			const poly = i % NUM_POLYS;
+			const value = msg[i * 2] << 8 | msg[i * 2 + 1];
+			points[poly].push(new GF16(value));
+		}
+		return new PolyEncoder(0, {
+			kind: "points",
+			points
+		});
+	}
+	/** Return the next chunk and advance the index. */
+	nextChunk() {
+		const chunk = this.chunkAt(this.idx);
+		this.idx++;
+		return chunk;
+	}
+	/** Compute the chunk at a specific index. */
+	chunkAt(idx) {
+		const data = new Uint8Array(CHUNK_DATA_SIZE$1);
+		for (let i = 0; i < NUM_POLYS; i++) {
+			const totalIdx = idx * NUM_POLYS + i;
+			const poly = totalIdx % NUM_POLYS;
+			const polyIdx = Math.floor(totalIdx / NUM_POLYS);
+			const val = this.pointAt(poly, polyIdx);
+			data[i * 2] = val.value >>> 8 & 255;
+			data[i * 2 + 1] = val.value & 255;
+		}
+		return {
+			index: idx & 65535,
+			data
+		};
+	}
+	/**
+	* Get the GF16 value for polynomial `poly` at index `idx`.
+	*
+	* If we are in Points state and the index is within range, return directly.
+	* Otherwise, convert to Polys state and evaluate.
+	*/
+	pointAt(poly, idx) {
+		if (this.state.kind === "points") {
+			const pts = this.state.points[poly];
+			if (idx < pts.length) return pts[idx];
+			this.convertToPolys();
+		}
+		return this.state.polys[poly].computeAt(new GF16(idx));
+	}
+	/** Convert from Points state to Polys state via Lagrange interpolation. */
+	convertToPolys() {
+		if (this.state.kind === "polys") return;
+		const { points } = this.state;
+		const polys = new Array(NUM_POLYS);
+		for (let p = 0; p < NUM_POLYS; p++) {
+			const pts = points[p].map((y, i) => ({
+				x: new GF16(i),
+				y
+			}));
+			polys[p] = Poly.lagrangeInterpolate(pts);
+		}
+		this.state = {
+			kind: "polys",
+			polys
+		};
+	}
+	/** Serialize encoder state for protobuf transport. */
+	toProto() {
+		if (this.state.kind === "points") {
+			const pts = this.state.points.map((arr) => {
+				const buf = new Uint8Array(arr.length * 2);
+				for (let i = 0; i < arr.length; i++) {
+					buf[i * 2] = arr[i].value >>> 8 & 255;
+					buf[i * 2 + 1] = arr[i].value & 255;
+				}
+				return buf;
+			});
+			return {
+				idx: this.idx,
+				pts,
+				polys: []
+			};
+		}
+		const polys = this.state.polys.map((p) => p.serialize());
+		return {
+			idx: this.idx,
+			pts: [],
+			polys
+		};
+	}
+	/** Restore encoder from protobuf data. */
+	static fromProto(data) {
+		if (data.polys.length > 0) {
+			const polys = data.polys.map((buf) => Poly.deserialize(buf));
+			return new PolyEncoder(data.idx, {
+				kind: "polys",
+				polys
+			});
+		}
+		const points = data.pts.map((buf) => {
+			const arr = [];
+			for (let i = 0; i < buf.length; i += 2) arr.push(new GF16(buf[i] << 8 | buf[i + 1]));
+			return arr;
+		});
+		return new PolyEncoder(data.idx, {
+			kind: "points",
+			points
+		});
+	}
+};
+var PolyDecoder = class PolyDecoder {
+	/** Total number of GF16 values needed (= message byte length / 2, rounded up). */
+	ptsNeeded;
+	pts;
+	_isComplete;
+	constructor(ptsNeeded, pts, isComplete) {
+		this.ptsNeeded = ptsNeeded;
+		this.pts = pts;
+		this._isComplete = isComplete;
+	}
+	/**
+	* Create a decoder for a message of `lenBytes` bytes.
+	*
+	* The caller must know the original message length to know when enough
+	* chunks have been received.
+	*/
+	static create(lenBytes) {
+		if (lenBytes % 2 !== 0) throw new PolynomialError("Message length must be even");
+		const ptsNeeded = lenBytes / 2;
+		const pts = new Array(NUM_POLYS);
+		for (let i = 0; i < NUM_POLYS; i++) pts[i] = new SortedPtSet();
+		return new PolyDecoder(ptsNeeded, pts, false);
+	}
+	/** Whether all polynomial sets have enough points to decode. */
+	get isComplete() {
+		return this._isComplete;
+	}
+	/**
+	* Number of points necessary for polynomial `poly`.
+	*
+	* The total points (ptsNeeded) are distributed across 16 polynomials
+	* round-robin, so some may need one more point than others.
+	*/
+	necessaryPoints(poly) {
+		const base = Math.floor(this.ptsNeeded / NUM_POLYS);
+		return poly < this.ptsNeeded % NUM_POLYS ? base + 1 : base;
+	}
+	/** Add a chunk to the decoder. */
+	addChunk(chunk) {
+		if (this._isComplete) return;
+		for (let i = 0; i < NUM_POLYS; i++) {
+			const totalIdx = chunk.index * NUM_POLYS + i;
+			const poly = totalIdx % NUM_POLYS;
+			const polyIdx = Math.floor(totalIdx / NUM_POLYS);
+			const needed = this.necessaryPoints(poly);
+			if (this.pts[poly].length >= needed) continue;
+			const y = new GF16(chunk.data[i * 2] << 8 | chunk.data[i * 2 + 1]);
+			const pt = {
+				x: new GF16(polyIdx),
+				y
+			};
+			this.pts[poly].insert(pt);
+		}
+		this._isComplete = this.checkComplete();
+	}
+	/** Check whether all 16 polynomial sets have enough points. */
+	checkComplete() {
+		for (let p = 0; p < NUM_POLYS; p++) if (this.pts[p].length < this.necessaryPoints(p)) return false;
+		return true;
+	}
+	/**
+	* Attempt to decode the message.
+	*
+	* Returns the decoded byte array if enough chunks have been received,
+	* or null if more chunks are needed.
+	*/
+	decodedMessage() {
+		if (!this._isComplete) return null;
+		const result = new Uint8Array(this.ptsNeeded * 2);
+		for (let i = 0; i < this.ptsNeeded; i++) {
+			const poly = i % NUM_POLYS;
+			const xVal = Math.floor(i / NUM_POLYS);
+			let val;
+			const direct = this.pts[poly].findByX(xVal);
+			if (direct !== void 0) val = direct.y;
+			else {
+				const allPts = this.pts[poly].toArray();
+				val = Poly.lagrangeInterpolate(allPts).computeAt(new GF16(xVal));
+			}
+			result[i * 2] = val.value >>> 8 & 255;
+			result[i * 2 + 1] = val.value & 255;
+		}
+		return result;
+	}
+	/** Serialize decoder state for protobuf transport. */
+	toProto() {
+		return {
+			ptsNeeded: this.ptsNeeded,
+			polys: NUM_POLYS,
+			pts: this.pts.map((s) => s.serialize()),
+			isComplete: this._isComplete
+		};
+	}
+	/** Restore decoder from protobuf data. */
+	static fromProto(data) {
+		const pts = data.pts.map((buf) => SortedPtSet.deserialize(buf));
+		while (pts.length < NUM_POLYS) pts.push(new SortedPtSet());
+		return new PolyDecoder(data.ptsNeeded, pts, data.isComplete);
+	}
+};
+//#endregion
+//#region src/authenticator.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* SPQR Authenticator -- HMAC-SHA256 MAC for KEM exchanges.
+*
+* Ported from Signal's spqr crate: authenticator.rs
+*
+* The Authenticator produces and verifies MACs over ciphertext and header
+* data using HMAC-SHA256. The internal rootKey and macKey are updated
+* via HKDF at each epoch transition.
+*
+* All info strings and data formats MUST match the Rust implementation exactly.
+*/
+const enc$1 = new TextEncoder();
+const AUTH_UPDATE_INFO = enc$1.encode(LABEL_AUTH_UPDATE);
+const CT_MAC_PREFIX = enc$1.encode(LABEL_CT_MAC);
+const HDR_MAC_PREFIX = enc$1.encode(LABEL_HDR_MAC);
+/**
+* Authenticator manages root_key and mac_key state for producing
+* and verifying MACs over KEM ciphertext and headers.
+*
+* The update operation uses HKDF:
+*   IKM  = [rootKey || key]
+*   Salt = ZERO_SALT (32 zeros)
+*   Info = LABEL_AUTH_UPDATE + epoch_be8
+*   Output: 64 bytes -> [0..32] = new rootKey, [32..64] = new macKey
+*
+* MAC operations use HMAC-SHA256:
+*   Key  = macKey
+*   Data = [label_prefix || epoch_be8 || payload]
+*/
+var Authenticator = class Authenticator {
+	rootKey;
+	macKey;
+	constructor(rootKey, macKey) {
+		this.rootKey = rootKey;
+		this.macKey = macKey;
+	}
+	/**
+	* Create a new Authenticator from a root key and initial epoch.
+	* Matches Rust: `Authenticator::new(root_key, ep)`
+	*
+	* Initializes with zero keys, then immediately updates with
+	* the provided root key and epoch.
+	*/
+	static create(rootKey, epoch) {
+		const auth = new Authenticator(new Uint8Array(32), new Uint8Array(32));
+		auth.update(epoch, rootKey);
+		return auth;
+	}
+	/**
+	* Update the authenticator with a new epoch and key material.
+	*
+	* HKDF(IKM=[rootKey||key], salt=ZERO_SALT, info=[label||epoch_be8], length=64)
+	*
+	* Output split: rootKey = [0..32], macKey = [32..64]
+	*/
+	update(epoch, key) {
+		const derived = hkdfSha256(concat(this.rootKey, key), ZERO_SALT, concat(AUTH_UPDATE_INFO, bigintToBE8(epoch)), 64);
+		this.rootKey = derived.slice(0, 32);
+		this.macKey = derived.slice(32, 64);
+	}
+	/**
+	* Compute MAC over ciphertext.
+	*
+	* HMAC-SHA256(macKey, [LABEL_CT_MAC || epoch_be8 || ct])
+	*/
+	macCt(epoch, ct) {
+		const data = concat(CT_MAC_PREFIX, bigintToBE8(epoch), ct);
+		return hmacSha256(this.macKey, data);
+	}
+	/**
+	* Verify ciphertext MAC (constant-time comparison).
+	* Throws AuthenticatorError if the MAC does not match.
+	*/
+	verifyCt(epoch, ct, expectedMac) {
+		if (!constantTimeEqual(this.macCt(epoch, ct), expectedMac)) throw new AuthenticatorError("Ciphertext MAC is invalid", "INVALID_CT_MAC");
+	}
+	/**
+	* Compute MAC over header (encapsulation key header).
+	*
+	* HMAC-SHA256(macKey, [LABEL_HDR_MAC || epoch_be8 || hdr])
+	*/
+	macHdr(epoch, hdr) {
+		const data = concat(HDR_MAC_PREFIX, bigintToBE8(epoch), hdr);
+		return hmacSha256(this.macKey, data);
+	}
+	/**
+	* Verify header MAC (constant-time comparison).
+	* Throws AuthenticatorError if the MAC does not match.
+	*/
+	verifyHdr(epoch, hdr, expectedMac) {
+		if (!constantTimeEqual(this.macHdr(epoch, hdr), expectedMac)) throw new AuthenticatorError("Encapsulation key MAC is invalid", "INVALID_HDR_MAC");
+	}
+	/**
+	* Deep clone this authenticator.
+	*/
+	clone() {
+		return new Authenticator(Uint8Array.from(this.rootKey), Uint8Array.from(this.macKey));
+	}
+	/**
+	* Serialize to protobuf representation.
+	* Matches Rust Authenticator::into_pb().
+	*/
+	toProto() {
+		return {
+			rootKey: Uint8Array.from(this.rootKey),
+			macKey: Uint8Array.from(this.macKey)
+		};
+	}
+	/**
+	* Deserialize from protobuf representation.
+	* Matches Rust Authenticator::from_pb().
+	*/
+	static fromProto(pb) {
+		return new Authenticator(Uint8Array.from(pb.rootKey), Uint8Array.from(pb.macKey));
+	}
+};
+//#endregion
+//#region src/v1/chunked/send-ek.ts
+/**
+* Initial chunked send_ek state. No keypair generated yet.
+* Wraps unchunked.KeysUnsampled.
+*/
+var KeysUnsampled$1 = class {
+	constructor(uc) {
+		this.uc = uc;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/**
+	* Generate keypair, produce header + MAC, encode into PolyEncoder,
+	* and return the first header chunk.
+	*/
+	sendHdrChunk(rng) {
+		const [headerSent, hdr, mac] = this.uc.sendHeader(rng);
+		const hdrPayload = concat(hdr, mac);
+		const sendingHdr = PolyEncoder.encodeBytes(hdrPayload);
+		const chunk = sendingHdr.nextChunk();
+		return [new KeysSampled(headerSent, sendingHdr), chunk];
+	}
+};
+/**
+* Header has been generated and encoding started. Still sending header chunks.
+* Can also begin receiving ct1 chunks.
+*/
+var KeysSampled = class {
+	constructor(uc, sendingHdr) {
+		this.uc = uc;
+		this.sendingHdr = sendingHdr;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/** Produce the next header chunk. */
+	sendHdrChunk() {
+		const chunk = this.sendingHdr.nextChunk();
+		return [this, chunk];
+	}
+	/**
+	* Receive a ct1 chunk from the send_ct peer.
+	* This triggers sending the encapsulation key.
+	*/
+	recvCt1Chunk(epoch, chunk) {
+		if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		const receivingCt1 = PolyDecoder.create(CT1_SIZE);
+		receivingCt1.addChunk(chunk);
+		const [ekSent, ek] = this.uc.sendEk();
+		return new HeaderSent$1(ekSent, PolyEncoder.encodeBytes(ek), receivingCt1);
+	}
+};
+/**
+* Sending ek chunks while receiving ct1 chunks.
+*/
+var HeaderSent$1 = class {
+	constructor(uc, sendingEk, receivingCt1) {
+		this.uc = uc;
+		this.sendingEk = sendingEk;
+		this.receivingCt1 = receivingCt1;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/** Produce the next ek chunk. */
+	sendEkChunk() {
+		const chunk = this.sendingEk.nextChunk();
+		return [this, chunk];
+	}
+	/** Receive a ct1 chunk. Returns done when ct1 is fully decoded. */
+	recvCt1Chunk(epoch, chunk) {
+		if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		this.receivingCt1.addChunk(chunk);
+		const decoded = this.receivingCt1.decodedMessage();
+		if (decoded !== null) return {
+			done: true,
+			state: new Ct1Received(this.uc.recvCt1(decoded), this.sendingEk)
+		};
+		return {
+			done: false,
+			state: this
+		};
+	}
+};
+/**
+* ct1 has been fully decoded. Still sending ek chunks.
+* Can begin receiving ct2 chunks.
+*/
+var Ct1Received = class {
+	constructor(uc, sendingEk) {
+		this.uc = uc;
+		this.sendingEk = sendingEk;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/** Produce the next ek chunk. */
+	sendEkChunk() {
+		const chunk = this.sendingEk.nextChunk();
+		return [this, chunk];
+	}
+	/**
+	* Receive a ct2 chunk. Creates the ct2 decoder.
+	* ct2 payload is CT2_SIZE + MAC_SIZE = 160 bytes
+	* (carries ct2 + mac).
+	*/
+	recvCt2Chunk(epoch, chunk) {
+		if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		const receivingCt2 = PolyDecoder.create(CT2_SIZE + MAC_SIZE);
+		receivingCt2.addChunk(chunk);
+		return new EkSentCt1Received$1(this.uc, receivingCt2);
+	}
+};
+/**
+* Both ek sending and ct1 receiving are done. Now receiving ct2 chunks.
+* When ct2 is fully decoded, extract ct2 and mac, then perform decapsulation
+* to derive the epoch secret.
+*/
+var EkSentCt1Received$1 = class {
+	constructor(uc, receivingCt2) {
+		this.uc = uc;
+		this.receivingCt2 = receivingCt2;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/**
+	* Receive a ct2 chunk. Returns done when ct2 is fully decoded and
+	* epoch secret is derived.
+	*/
+	recvCt2Chunk(epoch, chunk) {
+		if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		this.receivingCt2.addChunk(chunk);
+		const decoded = this.receivingCt2.decodedMessage();
+		if (decoded !== null) {
+			const ct2 = decoded.slice(0, CT2_SIZE);
+			const mac = decoded.slice(CT2_SIZE);
+			const result = this.uc.recvCt2(ct2, mac);
+			const nextUcSendCt = new NoHeaderReceived$1(result.nextEpoch, result.auth);
+			const receivingHdr = PolyDecoder.create(HEADER_SIZE + MAC_SIZE);
+			return {
+				done: true,
+				state: createSendCtNoHeaderReceived(nextUcSendCt, receivingHdr),
+				epochSecret: result.epochSecret
+			};
+		}
+		return {
+			done: false,
+			state: this
+		};
+	}
+};
+/** @internal Set by the chunked index module to break circular imports. */
+let createSendCtNoHeaderReceived;
+/** @internal Called by the index module to wire up the factory. */
+function _setCreateSendCtNoHeaderReceived(factory) {
+	createSendCtNoHeaderReceived = factory;
+}
+//#endregion
+//#region src/v1/unchunked/send-ek.ts
+const SCKA_KEY_LABEL = new TextEncoder().encode(LABEL_SCKA_KEY);
+/**
+* Derive the epoch secret from the KEM shared secret.
+*
+* HKDF-SHA256(ikm=sharedSecret, salt=ZERO_SALT,
+*             info=LABEL_SCKA_KEY || epoch_be8, length=32)
+*
+* Matches Rust: info = [b"Signal_PQCKA_V1_MLKEM768:SCKA Key", epoch.to_be_bytes()].concat()
+*/
+function deriveEpochSecret(epoch, sharedSecret) {
+	return {
+		epoch,
+		secret: hkdfSha256(sharedSecret, ZERO_SALT, concat(SCKA_KEY_LABEL, bigintToBE8(epoch)), 32)
+	};
+}
+/**
+* Initial send_ek state. No keypair has been generated yet.
+*/
+var KeysUnsampled = class {
+	constructor(epoch, auth) {
+		this.epoch = epoch;
+		this.auth = auth;
+	}
+	/**
+	* Generate an ML-KEM-768 keypair and produce the header + MAC.
+	*
+	* @param rng - Random byte generator
+	* @returns [nextState, hdr, hdrMac]
+	*/
+	sendHeader(rng) {
+		const keys = generate(rng);
+		const mac = this.auth.macHdr(this.epoch, keys.hdr);
+		return [
+			new HeaderSent(this.epoch, this.auth, keys.ek, keys.dk),
+			keys.hdr,
+			mac
+		];
+	}
+};
+/**
+* The header has been sent to the peer. Ready to send the encapsulation key.
+*/
+var HeaderSent = class {
+	constructor(epoch, auth, ek, dk) {
+		this.epoch = epoch;
+		this.auth = auth;
+		this.ek = ek;
+		this.dk = dk;
+	}
+	/**
+	* Produce the encapsulation key to send to the peer.
+	*
+	* @returns [nextState, ek]
+	*/
+	sendEk() {
+		return [new EkSent(this.epoch, this.auth, this.dk), this.ek];
+	}
+};
+/**
+* Both the header and encapsulation key have been sent.
+* Waiting to receive ct1 from the send_ct peer.
+*/
+var EkSent = class {
+	constructor(epoch, auth, dk) {
+		this.epoch = epoch;
+		this.auth = auth;
+		this.dk = dk;
+	}
+	/**
+	* Receive the first ciphertext fragment from the peer.
+	*
+	* @param ct1 - The 960-byte first ciphertext fragment
+	* @returns Next state
+	*/
+	recvCt1(ct1) {
+		return new EkSentCt1Received(this.epoch, this.auth, this.dk, ct1);
+	}
+};
+/**
+* ct1 has been received. Waiting for ct2 to complete decapsulation.
+*/
+var EkSentCt1Received = class {
+	constructor(epoch, auth, dk, ct1) {
+		this.epoch = epoch;
+		this.auth = auth;
+		this.dk = dk;
+		this.ct1 = ct1;
+	}
+	/**
+	* Receive ct2 and MAC, perform decapsulation, verify the MAC,
+	* and derive the epoch secret.
+	*
+	* The caller constructs the next send_ct::NoHeaderReceived state from
+	* the returned nextEpoch and auth.
+	*
+	* @param ct2 - The 128-byte second ciphertext fragment
+	* @param mac - The 32-byte HMAC-SHA256 MAC over the full ciphertext
+	* @returns Result containing next epoch, updated auth, and epoch secret
+	* @throws {AuthenticatorError} If the ciphertext MAC is invalid
+	*/
+	recvCt2(ct2, mac) {
+		const sharedSecret = decaps(this.dk, this.ct1, ct2);
+		const epochSecret = deriveEpochSecret(this.epoch, sharedSecret);
+		const auth = this.auth.clone();
+		auth.update(this.epoch, epochSecret.secret);
+		const fullCt = concat(this.ct1, ct2);
+		auth.verifyCt(this.epoch, fullCt, mac);
+		return {
+			nextEpoch: this.epoch + 1n,
+			auth,
+			epochSecret
+		};
+	}
+};
+//#endregion
+//#region src/v1/chunked/send-ct.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* Chunked send_ct state machine for SPQR V1.
+*
+* Wraps the unchunked send_ct states with PolyEncoder/PolyDecoder erasure
+* coding, enabling chunk-by-chunk data transfer.
+*
+* True incremental ML-KEM (Phase 9):
+*   - send_ct produces REAL ct1 chunks from the start.
+*   - ct2 payload carries only ct2(128) + mac(32) = 160 bytes.
+*   - Epoch secret is derived in sendCt1 (when encaps1 is performed).
+*
+* States:
+*   NoHeaderReceived      -- recvHdrChunk(epoch, chunk) --> NoHeaderReceived | HeaderReceived
+*   HeaderReceived        -- sendCt1Chunk(rng) --> [Ct1Sampled, Chunk, EpochSecret]
+*   Ct1Sampled            -- sendCt1Chunk() --> [Ct1Sampled, Chunk]
+*                         -- recvEkChunk(epoch, chunk, ct1Ack) --> 4 outcomes
+*   EkReceivedCt1Sampled  -- sendCt1Chunk() --> [EkReceivedCt1Sampled, Chunk]
+*                         -- recvCt1Ack(epoch) --> Ct2Sampled
+*   Ct1Acknowledged       -- recvEkChunk(epoch, chunk) --> Ct1Acknowledged | Ct2Sampled
+*   Ct2Sampled            -- sendCt2Chunk() --> [Ct2Sampled, Chunk]
+*                         -- recvNextEpoch(epoch) --> sendEk.KeysUnsampled
+*/
+/**
+* Waiting to receive header chunks from the send_ek peer.
+*/
+var NoHeaderReceived = class NoHeaderReceived {
+	constructor(uc, receivingHdr) {
+		this.uc = uc;
+		this.receivingHdr = receivingHdr;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/**
+	* Create the initial NoHeaderReceived from an auth key.
+	*/
+	static create(authKey) {
+		const auth = Authenticator.create(authKey, 1n);
+		return new NoHeaderReceived(new NoHeaderReceived$1(1n, auth), PolyDecoder.create(HEADER_SIZE + MAC_SIZE));
+	}
+	/** Receive a header chunk. Returns done when header is fully decoded. */
+	recvHdrChunk(epoch, chunk) {
+		if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		this.receivingHdr.addChunk(chunk);
+		const decoded = this.receivingHdr.decodedMessage();
+		if (decoded !== null) {
+			const hdr = decoded.slice(0, HEADER_SIZE);
+			const mac = decoded.slice(HEADER_SIZE);
+			return {
+				done: true,
+				state: new HeaderReceived(this.uc.recvHeader(epoch, hdr, mac), PolyDecoder.create(EK_SIZE))
+			};
+		}
+		return {
+			done: false,
+			state: this
+		};
+	}
+};
+/**
+* Header has been received and verified. Ready to produce ct1 chunks.
+*/
+var HeaderReceived = class {
+	constructor(uc, receivingEk) {
+		this.uc = uc;
+		this.receivingEk = receivingEk;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/**
+	* Generate encapsulation randomness, produce REAL ct1, encode it,
+	* and return the first ct1 chunk.
+	*
+	* Returns [Ct1Sampled, Chunk, EpochSecret] -- real epoch secret.
+	*/
+	sendCt1Chunk(rng) {
+		const [ct1Sent, realCt1, epochSecret] = this.uc.sendCt1(rng);
+		const sendingCt1 = PolyEncoder.encodeBytes(realCt1);
+		const chunk = sendingCt1.nextChunk();
+		return [
+			new Ct1Sampled(ct1Sent, sendingCt1, this.receivingEk),
+			chunk,
+			epochSecret
+		];
+	}
+};
+/**
+* Real ct1 has been produced and encoding started.
+* Sending ct1 chunks while receiving ek chunks.
+*/
+var Ct1Sampled = class {
+	constructor(uc, sendingCt1, receivingEk) {
+		this.uc = uc;
+		this.sendingCt1 = sendingCt1;
+		this.receivingEk = receivingEk;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/** Produce the next ct1 chunk. */
+	sendCt1Chunk() {
+		const chunk = this.sendingCt1.nextChunk();
+		return [this, chunk];
+	}
+	/**
+	* Receive an ek chunk, with optional ct1 acknowledgement from peer.
+	*
+	* Four possible outcomes depending on whether ek is complete and
+	* whether the peer acknowledged ct1:
+	*   - Both: done (Ct2Sampled + epochSecret)
+	*   - ek complete, no ack: stillSending (EkReceivedCt1Sampled + epochSecret)
+	*   - ek incomplete, ack: stillReceiving (Ct1Acknowledged)
+	*   - Neither: stillReceivingStillSending (Ct1Sampled)
+	*/
+	recvEkChunk(epoch, chunk, ct1Ack) {
+		if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		this.receivingEk.addChunk(chunk);
+		const ekDecoded = this.receivingEk.decodedMessage();
+		if (ekDecoded !== null && ct1Ack) {
+			const { state: ct2SentUc, ct2, mac } = this.uc.recvEk(ekDecoded).sendCt2();
+			const ct2Payload = concat(ct2, mac);
+			return {
+				tag: "done",
+				state: new Ct2Sampled(ct2SentUc, PolyEncoder.encodeBytes(ct2Payload)),
+				epochSecret: null
+			};
+		}
+		if (ekDecoded !== null && !ct1Ack) return {
+			tag: "stillSending",
+			state: new EkReceivedCt1Sampled(this.uc.recvEk(ekDecoded), this.sendingCt1),
+			epochSecret: null
+		};
+		if (ekDecoded === null && ct1Ack) return {
+			tag: "stillReceiving",
+			state: new Ct1Acknowledged(this.uc, this.receivingEk)
+		};
+		return {
+			tag: "stillReceivingStillSending",
+			state: this
+		};
+	}
+};
+/**
+* ek has been received and validated.
+* Still sending ct1 chunks, waiting for ct1 acknowledgement.
+*/
+var EkReceivedCt1Sampled = class {
+	constructor(uc, sendingCt1) {
+		this.uc = uc;
+		this.sendingCt1 = sendingCt1;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/** Produce the next ct1 chunk. */
+	sendCt1Chunk() {
+		const chunk = this.sendingCt1.nextChunk();
+		return [this, chunk];
+	}
+	/** Peer has acknowledged ct1. Produce ct2 and encode it. */
+	recvCt1Ack(epoch) {
+		if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		const { state: ct2SentUc, ct2, mac } = this.uc.sendCt2();
+		const ct2Payload = concat(ct2, mac);
+		return new Ct2Sampled(ct2SentUc, PolyEncoder.encodeBytes(ct2Payload));
+	}
+};
+/**
+* ct1 has been acknowledged by the peer. Still receiving ek chunks.
+* When ek arrives, validate it and produce ct2.
+*/
+var Ct1Acknowledged = class {
+	constructor(uc, receivingEk) {
+		this.uc = uc;
+		this.receivingEk = receivingEk;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/** Receive an ek chunk. Returns done when ek is fully decoded. */
+	recvEkChunk(epoch, chunk) {
+		if (epoch !== this.uc.epoch) throw new SpqrError(`Epoch mismatch: expected ${this.uc.epoch}, got ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		this.receivingEk.addChunk(chunk);
+		const decoded = this.receivingEk.decodedMessage();
+		if (decoded !== null) {
+			const { state: ct2SentUc, ct2, mac } = this.uc.recvEk(decoded).sendCt2();
+			const ct2Payload = concat(ct2, mac);
+			return {
+				done: true,
+				state: new Ct2Sampled(ct2SentUc, PolyEncoder.encodeBytes(ct2Payload)),
+				epochSecret: null
+			};
+		}
+		return {
+			done: false,
+			state: this
+		};
+	}
+};
+/**
+* ct2 payload (ct2 + mac) has been encoded. Sending ct2 chunks.
+* Terminal for this epoch once all chunks sent and next epoch begins.
+*/
+var Ct2Sampled = class {
+	constructor(uc, sendingCt2) {
+		this.uc = uc;
+		this.sendingCt2 = sendingCt2;
+	}
+	get epoch() {
+		return this.uc.epoch;
+	}
+	/** Produce the next ct2 chunk. */
+	sendCt2Chunk() {
+		const chunk = this.sendingCt2.nextChunk();
+		return [this, chunk];
+	}
+	/**
+	* Transition to the next epoch's send_ek KeysUnsampled.
+	*/
+	recvNextEpoch(_epoch) {
+		const nextEpoch = this.uc.nextEpoch;
+		const nextUc = new KeysUnsampled(nextEpoch, this.uc.auth);
+		return new KeysUnsampled$1(nextUc);
+	}
+};
+//#endregion
+//#region src/v1/chunked/states.ts
+function getEpoch(s) {
+	return s.state.epoch;
+}
+/**
+* Initialize Alice (send_ek side) at epoch 1.
+*/
+function initA(authKey) {
+	const auth = Authenticator.create(authKey, 1n);
+	const ucState = new KeysUnsampled(1n, auth);
+	return {
+		tag: "keysUnsampled",
+		state: new KeysUnsampled$1(ucState)
+	};
+}
+/**
+* Initialize Bob (send_ct side) at epoch 1.
+*/
+function initB(authKey) {
+	return {
+		tag: "noHeaderReceived",
+		state: NoHeaderReceived.create(authKey)
+	};
+}
+/**
+* Produce the next outgoing message from the current state.
+*/
+function send$1(current, rng) {
+	const epoch = getEpoch(current);
+	switch (current.tag) {
+		case "keysUnsampled": {
+			const [next, chunk] = current.state.sendHdrChunk(rng);
+			return {
+				msg: {
+					epoch,
+					payload: {
+						type: "hdr",
+						chunk
+					}
+				},
+				key: null,
+				state: {
+					tag: "keysSampled",
+					state: next
+				}
+			};
+		}
+		case "keysSampled": {
+			const [next, chunk] = current.state.sendHdrChunk();
+			return {
+				msg: {
+					epoch,
+					payload: {
+						type: "hdr",
+						chunk
+					}
+				},
+				key: null,
+				state: {
+					tag: "keysSampled",
+					state: next
+				}
+			};
+		}
+		case "headerSent": {
+			const [next, chunk] = current.state.sendEkChunk();
+			return {
+				msg: {
+					epoch,
+					payload: {
+						type: "ek",
+						chunk
+					}
+				},
+				key: null,
+				state: {
+					tag: "headerSent",
+					state: next
+				}
+			};
+		}
+		case "ct1Received": {
+			const [next, chunk] = current.state.sendEkChunk();
+			return {
+				msg: {
+					epoch,
+					payload: {
+						type: "ekCt1Ack",
+						chunk
+					}
+				},
+				key: null,
+				state: {
+					tag: "ct1Received",
+					state: next
+				}
+			};
+		}
+		case "ekSentCt1Received": return {
+			msg: {
+				epoch,
+				payload: { type: "ct1Ack" }
+			},
+			key: null,
+			state: current
+		};
+		case "noHeaderReceived": return {
+			msg: {
+				epoch,
+				payload: { type: "none" }
+			},
+			key: null,
+			state: current
+		};
+		case "headerReceived": {
+			const [next, chunk, epochSecret] = current.state.sendCt1Chunk(rng);
+			return {
+				msg: {
+					epoch,
+					payload: {
+						type: "ct1",
+						chunk
+					}
+				},
+				key: epochSecret,
+				state: {
+					tag: "ct1Sampled",
+					state: next
+				}
+			};
+		}
+		case "ct1Sampled": {
+			const [next, chunk] = current.state.sendCt1Chunk();
+			return {
+				msg: {
+					epoch,
+					payload: {
+						type: "ct1",
+						chunk
+					}
+				},
+				key: null,
+				state: {
+					tag: "ct1Sampled",
+					state: next
+				}
+			};
+		}
+		case "ekReceivedCt1Sampled": {
+			const [next, chunk] = current.state.sendCt1Chunk();
+			return {
+				msg: {
+					epoch,
+					payload: {
+						type: "ct1",
+						chunk
+					}
+				},
+				key: null,
+				state: {
+					tag: "ekReceivedCt1Sampled",
+					state: next
+				}
+			};
+		}
+		case "ct1Acknowledged": return {
+			msg: {
+				epoch,
+				payload: { type: "none" }
+			},
+			key: null,
+			state: current
+		};
+		case "ct2Sampled": {
+			const [next, chunk] = current.state.sendCt2Chunk();
+			return {
+				msg: {
+					epoch,
+					payload: {
+						type: "ct2",
+						chunk
+					}
+				},
+				key: null,
+				state: {
+					tag: "ct2Sampled",
+					state: next
+				}
+			};
+		}
+	}
+}
+/**
+* Process an incoming message and transition the state.
+*/
+function recv$1(current, msg) {
+	const stateEpoch = getEpoch(current);
+	if (msg.epoch < stateEpoch) return {
+		key: null,
+		state: current
+	};
+	if (msg.epoch > stateEpoch) {
+		if (current.tag === "ct2Sampled" && msg.epoch === stateEpoch + 1n) return {
+			key: null,
+			state: {
+				tag: "keysUnsampled",
+				state: current.state.recvNextEpoch(msg.epoch)
+			}
+		};
+		throw new SpqrError(`Epoch too far ahead: state=${stateEpoch}, msg=${msg.epoch}`, SpqrErrorCode.EpochOutOfRange);
+	}
+	const payload = msg.payload;
+	switch (current.tag) {
+		case "keysUnsampled": return {
+			key: null,
+			state: current
+		};
+		case "keysSampled":
+			if (payload.type === "ct1") return {
+				key: null,
+				state: {
+					tag: "headerSent",
+					state: current.state.recvCt1Chunk(msg.epoch, payload.chunk)
+				}
+			};
+			return {
+				key: null,
+				state: current
+			};
+		case "headerSent":
+			if (payload.type === "ct1") {
+				const result = current.state.recvCt1Chunk(msg.epoch, payload.chunk);
+				if (result.done) return {
+					key: null,
+					state: {
+						tag: "ct1Received",
+						state: result.state
+					}
+				};
+				return {
+					key: null,
+					state: {
+						tag: "headerSent",
+						state: result.state
+					}
+				};
+			}
+			return {
+				key: null,
+				state: current
+			};
+		case "ct1Received":
+			if (payload.type === "ct2") return {
+				key: null,
+				state: {
+					tag: "ekSentCt1Received",
+					state: current.state.recvCt2Chunk(msg.epoch, payload.chunk)
+				}
+			};
+			return {
+				key: null,
+				state: current
+			};
+		case "ekSentCt1Received":
+			if (payload.type === "ct2") {
+				const result = current.state.recvCt2Chunk(msg.epoch, payload.chunk);
+				if (result.done) return {
+					key: result.epochSecret,
+					state: {
+						tag: "noHeaderReceived",
+						state: result.state
+					}
+				};
+				return {
+					key: null,
+					state: {
+						tag: "ekSentCt1Received",
+						state: result.state
+					}
+				};
+			}
+			return {
+				key: null,
+				state: current
+			};
+		case "noHeaderReceived":
+			if (payload.type === "hdr") {
+				const result = current.state.recvHdrChunk(msg.epoch, payload.chunk);
+				if (result.done) return {
+					key: null,
+					state: {
+						tag: "headerReceived",
+						state: result.state
+					}
+				};
+				return {
+					key: null,
+					state: {
+						tag: "noHeaderReceived",
+						state: result.state
+					}
+				};
+			}
+			return {
+				key: null,
+				state: current
+			};
+		case "headerReceived": return {
+			key: null,
+			state: current
+		};
+		case "ct1Sampled":
+			if (payload.type === "ek") return mapCt1SampledResult(current.state.recvEkChunk(msg.epoch, payload.chunk, false));
+			if (payload.type === "ekCt1Ack") return mapCt1SampledResult(current.state.recvEkChunk(msg.epoch, payload.chunk, true));
+			return {
+				key: null,
+				state: current
+			};
+		case "ekReceivedCt1Sampled":
+			if (payload.type === "ct1Ack" || payload.type === "ekCt1Ack") return {
+				key: null,
+				state: {
+					tag: "ct2Sampled",
+					state: current.state.recvCt1Ack(msg.epoch)
+				}
+			};
+			return {
+				key: null,
+				state: current
+			};
+		case "ct1Acknowledged":
+			if (payload.type === "ek" || payload.type === "ekCt1Ack") {
+				const chunk = payload.type === "ek" ? payload.chunk : payload.chunk;
+				const result = current.state.recvEkChunk(msg.epoch, chunk);
+				if (result.done) return {
+					key: result.epochSecret,
+					state: {
+						tag: "ct2Sampled",
+						state: result.state
+					}
+				};
+				return {
+					key: null,
+					state: {
+						tag: "ct1Acknowledged",
+						state: result.state
+					}
+				};
+			}
+			return {
+				key: null,
+				state: current
+			};
+		case "ct2Sampled": return {
+			key: null,
+			state: current
+		};
+	}
+}
+function mapCt1SampledResult(result) {
+	switch (result.tag) {
+		case "done": return {
+			key: result.epochSecret,
+			state: {
+				tag: "ct2Sampled",
+				state: result.state
+			}
+		};
+		case "stillSending": return {
+			key: result.epochSecret,
+			state: {
+				tag: "ekReceivedCt1Sampled",
+				state: result.state
+			}
+		};
+		case "stillReceiving": return {
+			key: null,
+			state: {
+				tag: "ct1Acknowledged",
+				state: result.state
+			}
+		};
+		case "stillReceivingStillSending": return {
+			key: null,
+			state: {
+				tag: "ct1Sampled",
+				state: result.state
+			}
+		};
+	}
+}
+//#endregion
+//#region src/v1/chunked/message.ts
+var MessageType = /* @__PURE__ */ function(MessageType) {
+	MessageType[MessageType["None"] = 0] = "None";
+	MessageType[MessageType["Hdr"] = 1] = "Hdr";
+	MessageType[MessageType["Ek"] = 2] = "Ek";
+	MessageType[MessageType["EkCt1Ack"] = 3] = "EkCt1Ack";
+	MessageType[MessageType["Ct1Ack"] = 4] = "Ct1Ack";
+	MessageType[MessageType["Ct1"] = 5] = "Ct1";
+	MessageType[MessageType["Ct2"] = 6] = "Ct2";
+	return MessageType;
+}(MessageType || {});
+/**
+* Encode a bigint as LEB128 varint into the output array.
+*/
+function encodeVarint(value, into) {
+	let v = value;
+	if (v < 0n) v = 0n;
+	do {
+		let byte = Number(v & 127n);
+		v >>= 7n;
+		if (v > 0n) byte |= 128;
+		into.push(byte);
+	} while (v > 0n);
+}
+/**
+* Decode a LEB128 varint from a Uint8Array at the given offset.
+* Updates offset.offset in place.
+*/
+function decodeVarint(from, at) {
+	let result = 0n;
+	let shift = 0n;
+	while (shift < 70n) {
+		if (at.offset >= from.length) throw new Error("Varint: unexpected end of data");
+		const byte = from[at.offset++];
+		result |= BigInt(byte & 127) << shift;
+		if ((byte & 128) === 0) return result;
+		shift += 7n;
+	}
+	throw new Error("Varint: too many bytes");
+}
+/**
+* Encode a number (u32) as LEB128 varint into the output array.
+*/
+function encodeVarint32(value, into) {
+	let v = value >>> 0;
+	do {
+		let byte = v & 127;
+		v >>>= 7;
+		if (v > 0) byte |= 128;
+		into.push(byte);
+	} while (v > 0);
+}
+/**
+* Decode a LEB128 varint as a u32 number.
+*/
+function decodeVarint32(from, at) {
+	let result = 0;
+	let shift = 0;
+	while (shift < 35) {
+		if (at.offset >= from.length) throw new Error("Varint32: unexpected end of data");
+		const byte = from[at.offset++];
+		result |= (byte & 127) << shift;
+		if ((byte & 128) === 0) return result >>> 0;
+		shift += 7;
+	}
+	throw new Error("Varint32: too many bytes");
+}
+const CHUNK_DATA_SIZE = 32;
+/** Encode a chunk (index varint + 32 data bytes) into the output array. */
+function encodeChunk(chunk, into) {
+	encodeVarint32(chunk.index, into);
+	for (let i = 0; i < CHUNK_DATA_SIZE; i++) into.push(chunk.data[i]);
+}
+/** Decode a chunk from a Uint8Array at the given offset. */
+function decodeChunk(from, at) {
+	const index = decodeVarint32(from, at);
+	if (at.offset + CHUNK_DATA_SIZE > from.length || index > 65535) throw new Error("Chunk: invalid chunk (data too short or index exceeds u16)");
+	const data = from.slice(at.offset, at.offset + CHUNK_DATA_SIZE);
+	at.offset += CHUNK_DATA_SIZE;
+	return {
+		index,
+		data
+	};
+}
+/** Protocol version */
+const V1 = 1;
+/**
+* Serialize a Message with a given sequence index into binary wire format.
+*/
+function serializeMessage(msg, index) {
+	const out = [];
+	out.push(V1);
+	encodeVarint(msg.epoch, out);
+	encodeVarint32(index, out);
+	const payload = msg.payload;
+	switch (payload.type) {
+		case "none":
+			out.push(MessageType.None);
+			break;
+		case "hdr":
+			out.push(MessageType.Hdr);
+			encodeChunk(payload.chunk, out);
+			break;
+		case "ek":
+			out.push(MessageType.Ek);
+			encodeChunk(payload.chunk, out);
+			break;
+		case "ekCt1Ack":
+			out.push(MessageType.EkCt1Ack);
+			encodeChunk(payload.chunk, out);
+			break;
+		case "ct1Ack":
+			out.push(MessageType.Ct1Ack);
+			break;
+		case "ct1":
+			out.push(MessageType.Ct1);
+			encodeChunk(payload.chunk, out);
+			break;
+		case "ct2":
+			out.push(MessageType.Ct2);
+			encodeChunk(payload.chunk, out);
+			break;
+	}
+	return new Uint8Array(out);
+}
+/**
+* Deserialize a Message from binary wire format.
+*/
+function deserializeMessage(from) {
+	const at = { offset: 0 };
+	if (at.offset >= from.length) throw new Error("Message: empty data");
+	const version = from[at.offset++];
+	if (version !== V1) throw new Error(`Message: unsupported version ${version}`);
+	const epoch = decodeVarint(from, at);
+	if (epoch === 0n) throw new Error("Message: epoch must be > 0");
+	const index = decodeVarint32(from, at);
+	if (at.offset >= from.length) throw new Error("Message: missing message type");
+	const msgType = from[at.offset++];
+	let payload;
+	switch (msgType) {
+		case MessageType.None:
+			payload = { type: "none" };
+			break;
+		case MessageType.Hdr:
+			payload = {
+				type: "hdr",
+				chunk: decodeChunk(from, at)
+			};
+			break;
+		case MessageType.Ek:
+			payload = {
+				type: "ek",
+				chunk: decodeChunk(from, at)
+			};
+			break;
+		case MessageType.EkCt1Ack:
+			payload = {
+				type: "ekCt1Ack",
+				chunk: decodeChunk(from, at)
+			};
+			break;
+		case MessageType.Ct1Ack:
+			payload = { type: "ct1Ack" };
+			break;
+		case MessageType.Ct1:
+			payload = {
+				type: "ct1",
+				chunk: decodeChunk(from, at)
+			};
+			break;
+		case MessageType.Ct2:
+			payload = {
+				type: "ct2",
+				chunk: decodeChunk(from, at)
+			};
+			break;
+		default: throw new Error(`Message: unknown message type ${msgType}`);
+	}
+	return {
+		msg: {
+			epoch,
+			payload
+		},
+		index,
+		bytesRead: at.offset
+	};
+}
+//#endregion
+//#region src/v1/chunked/index.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* Chunked state machine for SPQR V1.
+*
+* Provides erasure-coded chunk-by-chunk data transfer wrapping the
+* unchunked V1 state machine.
+*/
+_setCreateSendCtNoHeaderReceived((uc, receivingHdr) => new NoHeaderReceived(uc, receivingHdr));
+//#endregion
+//#region src/v1/chunked/serialize.ts
+/**
+* Serialize a runtime States object into PbV1State for protobuf encoding.
+* Stores the epoch as field 12 so it can be recovered on deserialization.
+*/
+function statesToPb(s) {
+	const epoch = s.state.epoch;
+	return {
+		innerState: chunkedStateToPb(s),
+		epoch
+	};
+}
+function chunkedStateToPb(s) {
+	switch (s.tag) {
+		case "keysUnsampled": return {
+			type: "keysUnsampled",
+			uc: { auth: s.state.uc.auth.toProto() }
+		};
+		case "keysSampled": {
+			const st = s.state;
+			return {
+				type: "keysSampled",
+				uc: {
+					auth: st.uc.auth.toProto(),
+					ek: Uint8Array.from(st.uc.ek),
+					dk: Uint8Array.from(st.uc.dk),
+					hdr: new Uint8Array(0),
+					hdrMac: new Uint8Array(0)
+				},
+				sendingHdr: st.sendingHdr.toProto()
+			};
+		}
+		case "headerSent": {
+			const st = s.state;
+			return {
+				type: "headerSent",
+				uc: {
+					auth: st.uc.auth.toProto(),
+					ek: new Uint8Array(0),
+					dk: Uint8Array.from(st.uc.dk)
+				},
+				sendingEk: st.sendingEk.toProto(),
+				receivingCt1: st.receivingCt1.toProto()
+			};
+		}
+		case "ct1Received": {
+			const st = s.state;
+			return {
+				type: "ct1Received",
+				uc: {
+					auth: st.uc.auth.toProto(),
+					dk: Uint8Array.from(st.uc.dk),
+					ct1: Uint8Array.from(st.uc.ct1)
+				},
+				sendingEk: st.sendingEk.toProto()
+			};
+		}
+		case "ekSentCt1Received": {
+			const st = s.state;
+			return {
+				type: "ekSentCt1Received",
+				uc: {
+					auth: st.uc.auth.toProto(),
+					dk: Uint8Array.from(st.uc.dk),
+					ct1: Uint8Array.from(st.uc.ct1)
+				},
+				receivingCt2: st.receivingCt2.toProto()
+			};
+		}
+		case "noHeaderReceived": {
+			const st = s.state;
+			return {
+				type: "noHeaderReceived",
+				uc: { auth: st.uc.auth.toProto() },
+				receivingHdr: st.receivingHdr.toProto()
+			};
+		}
+		case "headerReceived": {
+			const st = s.state;
+			return {
+				type: "headerReceived",
+				uc: {
+					auth: st.uc.auth.toProto(),
+					hdr: Uint8Array.from(st.uc.hdr),
+					es: new Uint8Array(0),
+					ct1: new Uint8Array(0),
+					ss: new Uint8Array(0)
+				},
+				receivingEk: st.receivingEk.toProto()
+			};
+		}
+		case "ct1Sampled": {
+			const st = s.state;
+			return {
+				type: "ct1Sampled",
+				uc: {
+					auth: st.uc.auth.toProto(),
+					hdr: Uint8Array.from(st.uc.hdr),
+					es: Uint8Array.from(st.uc.es),
+					ct1: Uint8Array.from(st.uc.ct1)
+				},
+				sendingCt1: st.sendingCt1.toProto(),
+				receivingEk: st.receivingEk.toProto()
+			};
+		}
+		case "ekReceivedCt1Sampled": {
+			const st = s.state;
+			return {
+				type: "ekReceivedCt1Sampled",
+				uc: {
+					auth: st.uc.auth.toProto(),
+					hdr: new Uint8Array(0),
+					es: Uint8Array.from(st.uc.es),
+					ek: Uint8Array.from(st.uc.ek),
+					ct1: Uint8Array.from(st.uc.ct1)
+				},
+				sendingCt1: st.sendingCt1.toProto()
+			};
+		}
+		case "ct1Acknowledged": {
+			const st = s.state;
+			return {
+				type: "ct1Acknowledged",
+				uc: {
+					auth: st.uc.auth.toProto(),
+					hdr: Uint8Array.from(st.uc.hdr),
+					es: Uint8Array.from(st.uc.es),
+					ct1: Uint8Array.from(st.uc.ct1)
+				},
+				receivingEk: st.receivingEk.toProto()
+			};
+		}
+		case "ct2Sampled": {
+			const st = s.state;
+			return {
+				type: "ct2Sampled",
+				uc: { auth: st.uc.auth.toProto() },
+				sendingCt2: st.sendingCt2.toProto()
+			};
+		}
+	}
+}
+/**
+* Deserialize a PbV1State back into a runtime States object.
+*
+* @param pb - The protobuf V1 state
+* @returns The reconstructed runtime States
+*/
+function statesFromPb(pb) {
+	if (pb.innerState === void 0) throw new Error("PbV1State has no innerState");
+	const epoch = pb.epoch ?? 1n;
+	return chunkedStateFromPb(pb.innerState, epoch);
+}
+function chunkedStateFromPb(cs, epoch) {
+	switch (cs.type) {
+		case "keysUnsampled": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new KeysUnsampled(epoch, auth);
+			return {
+				tag: "keysUnsampled",
+				state: new KeysUnsampled$1(ucState)
+			};
+		}
+		case "keysSampled": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new HeaderSent(epoch, auth, cs.uc.ek, cs.uc.dk);
+			const encoder = PolyEncoder.fromProto(cs.sendingHdr);
+			return {
+				tag: "keysSampled",
+				state: new KeysSampled(ucState, encoder)
+			};
+		}
+		case "headerSent": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new EkSent(epoch, auth, cs.uc.dk);
+			const encoder = PolyEncoder.fromProto(cs.sendingEk);
+			const decoder = PolyDecoder.fromProto(cs.receivingCt1);
+			return {
+				tag: "headerSent",
+				state: new HeaderSent$1(ucState, encoder, decoder)
+			};
+		}
+		case "ct1Received": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new EkSentCt1Received(epoch, auth, cs.uc.dk, cs.uc.ct1);
+			const encoder = PolyEncoder.fromProto(cs.sendingEk);
+			return {
+				tag: "ct1Received",
+				state: new Ct1Received(ucState, encoder)
+			};
+		}
+		case "ekSentCt1Received": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new EkSentCt1Received(epoch, auth, cs.uc.dk, cs.uc.ct1);
+			const decoder = PolyDecoder.fromProto(cs.receivingCt2);
+			return {
+				tag: "ekSentCt1Received",
+				state: new EkSentCt1Received$1(ucState, decoder)
+			};
+		}
+		case "noHeaderReceived": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new NoHeaderReceived$1(epoch, auth);
+			const decoder = PolyDecoder.fromProto(cs.receivingHdr);
+			return {
+				tag: "noHeaderReceived",
+				state: new NoHeaderReceived(ucState, decoder)
+			};
+		}
+		case "headerReceived": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new HeaderReceived$1(epoch, auth, cs.uc.hdr);
+			const decoder = PolyDecoder.fromProto(cs.receivingEk);
+			return {
+				tag: "headerReceived",
+				state: new HeaderReceived(ucState, decoder)
+			};
+		}
+		case "ct1Sampled": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new Ct1Sent(epoch, auth, cs.uc.hdr, cs.uc.es, cs.uc.ct1);
+			const encoder = PolyEncoder.fromProto(cs.sendingCt1);
+			const decoder = PolyDecoder.fromProto(cs.receivingEk);
+			return {
+				tag: "ct1Sampled",
+				state: new Ct1Sampled(ucState, encoder, decoder)
+			};
+		}
+		case "ekReceivedCt1Sampled": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new Ct1SentEkReceived(epoch, auth, cs.uc.es, cs.uc.ek, cs.uc.ct1);
+			const encoder = PolyEncoder.fromProto(cs.sendingCt1);
+			return {
+				tag: "ekReceivedCt1Sampled",
+				state: new EkReceivedCt1Sampled(ucState, encoder)
+			};
+		}
+		case "ct1Acknowledged": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new Ct1Sent(epoch, auth, cs.uc.hdr, cs.uc.es, cs.uc.ct1);
+			const decoder = PolyDecoder.fromProto(cs.receivingEk);
+			return {
+				tag: "ct1Acknowledged",
+				state: new Ct1Acknowledged(ucState, decoder)
+			};
+		}
+		case "ct2Sampled": {
+			const auth = authFromPb(cs.uc.auth);
+			const ucState = new Ct2Sent(epoch, auth);
+			const encoder = PolyEncoder.fromProto(cs.sendingCt2);
+			return {
+				tag: "ct2Sampled",
+				state: new Ct2Sampled(ucState, encoder)
+			};
+		}
+	}
+}
+function authFromPb(pb) {
+	if (pb === void 0) return Authenticator.fromProto({
+		rootKey: new Uint8Array(32),
+		macKey: new Uint8Array(32)
+	});
+	return Authenticator.fromProto(pb);
+}
+//#endregion
+//#region src/types.ts
+/** Protocol version */
+let Version = /* @__PURE__ */ function(Version) {
+	Version[Version["V0"] = 0] = "V0";
+	Version[Version["V1"] = 1] = "V1";
+	return Version;
+}({});
+/** Communication direction */
+let Direction = /* @__PURE__ */ function(Direction) {
+	Direction[Direction["A2B"] = 0] = "A2B";
+	Direction[Direction["B2A"] = 1] = "B2A";
+	return Direction;
+}({});
+//#endregion
+//#region src/chain.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* SPQR Symmetric Chain -- epoch-based key derivation with forward/backward secrecy.
+*
+* Ported from Signal's spqr crate: chain.rs
+*
+* The Chain manages send/receive keys across epochs. Each epoch has two
+* directional chains (A2B and B2A). Keys are derived using HKDF-SHA256
+* with specific info strings that MUST match the Rust implementation
+* exactly (including the double space in "Chain  Start").
+*/
+const enc = new TextEncoder();
+const CHAIN_START_INFO = enc.encode(LABEL_CHAIN_START);
+const CHAIN_NEXT_INFO = enc.encode(LABEL_CHAIN_NEXT);
+const CHAIN_ADD_EPOCH_INFO = enc.encode(LABEL_CHAIN_ADD_EPOCH);
+function resolveMaxJump(params) {
+	return params.maxJump > 0 ? params.maxJump : DEFAULT_MAX_JUMP;
+}
+function resolveMaxOooKeys(params) {
+	return params.maxOooKeys > 0 ? params.maxOooKeys : DEFAULT_MAX_OOO_KEYS;
+}
+function trimSize(params) {
+	const maxOoo = resolveMaxOooKeys(params);
+	return Math.floor(maxOoo * 11 / 10) + 1;
+}
+function switchDirection(d) {
+	return d === Direction.A2B ? Direction.B2A : Direction.A2B;
+}
+/**
+* Stores out-of-order keys as packed [index_be32 (4 bytes)][key (32 bytes)] entries.
+* Matches Rust KeyHistory data layout exactly.
+*/
+var KeyHistory = class {
+	data;
+	length;
+	constructor(data) {
+		this.data = data !== void 0 ? Uint8Array.from(data) : new Uint8Array(0);
+		this.length = this.data.length;
+	}
+	add(index, key, _params) {
+		const entry = new Uint8Array(KEY_ENTRY_SIZE);
+		new DataView(entry.buffer).setUint32(0, index, false);
+		entry.set(key, 4);
+		const newData = new Uint8Array(this.length + KEY_ENTRY_SIZE);
+		newData.set(this.data.subarray(0, this.length));
+		newData.set(entry, this.length);
+		this.data = newData;
+		this.length += KEY_ENTRY_SIZE;
+	}
+	gc(currentKey, params) {
+		const maxOoo = resolveMaxOooKeys(params);
+		if (this.length >= trimSize(params) * KEY_ENTRY_SIZE) {
+			if (currentKey < maxOoo) throw new Error("KeyHistory.gc: currentKey < maxOooKeys (corrupted state)");
+			const trimHorizon = currentKey - maxOoo;
+			let i = 0;
+			while (i < this.length) if (trimHorizon > new DataView(this.data.buffer, this.data.byteOffset + i, 4).getUint32(0, false)) this.removeAt(i);
+			else i += KEY_ENTRY_SIZE;
+		}
+	}
+	clear() {
+		this.data = new Uint8Array(0);
+		this.length = 0;
+	}
+	get(at, currentCtr, params) {
+		if (at + resolveMaxOooKeys(params) < currentCtr) throw new SpqrError(`Key trimmed: ${at}`, SpqrErrorCode.KeyTrimmed);
+		const want = new Uint8Array(4);
+		new DataView(want.buffer).setUint32(0, at, false);
+		for (let i = 0; i < this.length; i += KEY_ENTRY_SIZE) if (this.data[i] === want[0] && this.data[i + 1] === want[1] && this.data[i + 2] === want[2] && this.data[i + 3] === want[3]) {
+			const key = this.data.slice(i + 4, i + KEY_ENTRY_SIZE);
+			this.removeAt(i);
+			return key;
+		}
+		throw new SpqrError(`Key already requested: ${at}`, SpqrErrorCode.KeyAlreadyRequested);
+	}
+	removeAt(index) {
+		if (index + KEY_ENTRY_SIZE < this.length) {
+			const lastStart = this.length - KEY_ENTRY_SIZE;
+			this.data.copyWithin(index, lastStart, this.length);
+		}
+		this.length -= KEY_ENTRY_SIZE;
+	}
+	/** Serialize to raw bytes for protobuf storage */
+	serialize() {
+		return this.data.slice(0, this.length);
+	}
+};
+/**
+* One directional chain within an epoch (send or recv).
+* Manages a ratcheting key derivation with HKDF.
+*/
+var ChainEpochDirection = class ChainEpochDirection {
+	ctr;
+	next;
+	prev;
+	constructor(key, ctr, prev) {
+		this.ctr = ctr ?? 0;
+		this.next = Uint8Array.from(key);
+		this.prev = new KeyHistory(prev);
+	}
+	/**
+	* Derive the next key in the chain.
+	* Returns [index, key].
+	*/
+	nextKey() {
+		this.ctr += 1;
+		const info = concat(uint32ToBE4(this.ctr), CHAIN_NEXT_INFO);
+		const gen = hkdfSha256(this.next, ZERO_SALT, info, 64);
+		this.next = gen.slice(0, 32);
+		const key = gen.slice(32, 64);
+		return [this.ctr, key];
+	}
+	/**
+	* Internal: derive next key without consuming it publicly.
+	* Used for skipping ahead to build out-of-order key history.
+	*/
+	static nextKeyInternal(next, ctr) {
+		ctr += 1;
+		const gen = hkdfSha256(next, ZERO_SALT, concat(uint32ToBE4(ctr), CHAIN_NEXT_INFO), 64);
+		return {
+			next: gen.slice(0, 32),
+			ctr,
+			index: ctr,
+			key: gen.slice(32, 64)
+		};
+	}
+	/**
+	* Get the key at a specific counter position.
+	* Supports out-of-order access via KeyHistory.
+	*/
+	key(at, params) {
+		const maxJump = resolveMaxJump(params);
+		const maxOoo = resolveMaxOooKeys(params);
+		if (at > this.ctr) {
+			if (at - this.ctr > maxJump) throw new SpqrError(`Key jump: ${this.ctr} - ${at}`, SpqrErrorCode.KeyJump);
+		} else if (at < this.ctr) return this.prev.get(at, this.ctr, params);
+		else throw new SpqrError(`Key already requested: ${at}`, SpqrErrorCode.KeyAlreadyRequested);
+		if (at > this.ctr + maxOoo) this.prev.clear();
+		while (at > this.ctr + 1) {
+			const result = ChainEpochDirection.nextKeyInternal(this.next, this.ctr);
+			this.next = result.next;
+			this.ctr = result.ctr;
+			if (this.ctr + maxOoo >= at) this.prev.add(result.index, result.key, params);
+		}
+		this.prev.gc(this.ctr, params);
+		const result = ChainEpochDirection.nextKeyInternal(this.next, this.ctr);
+		this.next = result.next;
+		this.ctr = result.ctr;
+		return result.key;
+	}
+	clearNext() {
+		this.next = new Uint8Array(0);
+	}
+	/** Serialize to protobuf EpochDirection */
+	toProto() {
+		return {
+			ctr: this.ctr,
+			next: Uint8Array.from(this.next),
+			prev: this.prev.serialize()
+		};
+	}
+	static fromProto(pb) {
+		return new ChainEpochDirection(pb.next, pb.ctr, pb.prev);
+	}
+};
+/**
+* The main Chain manages send/receive keys across all epochs.
+*
+* Port of Rust's Chain struct from chain.rs.
+* Uses bigint for epoch values (matching Rust u64).
+*/
+var Chain = class Chain {
+	dir;
+	currentEpoch;
+	sendEpoch;
+	links;
+	nextRoot;
+	params;
+	constructor(dir, currentEpoch, sendEpoch, links, nextRoot, params) {
+		this.dir = dir;
+		this.currentEpoch = currentEpoch;
+		this.sendEpoch = sendEpoch;
+		this.links = links;
+		this.nextRoot = nextRoot;
+		this.params = params;
+	}
+	/**
+	* Create a new chain from an initial key and direction.
+	* HKDF info: "Signal PQ Ratchet V1 Chain  Start" (TWO spaces before Start!)
+	*
+	* The 96-byte HKDF output is split as:
+	*   [0..32]:  nextRoot
+	*   [32..64]: A2B chain seed
+	*   [64..96]: B2A chain seed
+	*
+	* Direction determines which half is send vs recv.
+	*/
+	static create(initialKey, dir, params = {
+		maxJump: DEFAULT_MAX_JUMP,
+		maxOooKeys: DEFAULT_MAX_OOO_KEYS
+	}) {
+		const gen = hkdfSha256(initialKey, ZERO_SALT, CHAIN_START_INFO, 96);
+		const switchedDir = switchDirection(dir);
+		const sendKey = cedForDirection(gen, dir);
+		const recvKey = cedForDirection(gen, switchedDir);
+		return new Chain(dir, 0n, 0n, [{
+			send: new ChainEpochDirection(sendKey),
+			recv: new ChainEpochDirection(recvKey)
+		}], gen.slice(0, 32), params);
+	}
+	/**
+	* Add a new epoch to the chain with a shared secret.
+	* HKDF info: "Signal PQ Ratchet V1 Chain Add Epoch"
+	*
+	* Salt = current nextRoot, IKM = epochSecret.secret
+	*/
+	addEpoch(epochSecret) {
+		if (epochSecret.epoch !== this.currentEpoch + 1n) throw new SpqrError(`Expected epoch ${this.currentEpoch + 1n}, got ${epochSecret.epoch}`, SpqrErrorCode.EpochOutOfRange);
+		const gen = hkdfSha256(epochSecret.secret, this.nextRoot, CHAIN_ADD_EPOCH_INFO, 96);
+		this.currentEpoch = epochSecret.epoch;
+		this.nextRoot = gen.slice(0, 32);
+		const sendKey = cedForDirection(gen, this.dir);
+		const recvKey = cedForDirection(gen, switchDirection(this.dir));
+		this.links.push({
+			send: new ChainEpochDirection(sendKey),
+			recv: new ChainEpochDirection(recvKey)
+		});
+	}
+	epochIdx(epoch) {
+		if (epoch > this.currentEpoch) throw new SpqrError(`Epoch not in valid range: ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		const back = Number(this.currentEpoch - epoch);
+		if (back >= this.links.length) throw new SpqrError(`Epoch not in valid range: ${epoch}`, SpqrErrorCode.EpochOutOfRange);
+		return this.links.length - 1 - back;
+	}
+	/**
+	* Get the next send key for a given epoch.
+	* Returns [index, key].
+	*/
+	sendKey(epoch) {
+		if (epoch < this.sendEpoch) throw new SpqrError(`Send key epoch decreased (${this.sendEpoch} -> ${epoch})`, SpqrErrorCode.SendKeyEpochDecreased);
+		let epochIndex = this.epochIdx(epoch);
+		if (this.sendEpoch !== epoch) {
+			this.sendEpoch = epoch;
+			while (epochIndex > EPOCHS_TO_KEEP_PRIOR_TO_SEND_EPOCH) {
+				this.links.shift();
+				epochIndex -= 1;
+			}
+			for (let i = 0; i < epochIndex; i++) this.links[i].send.clearNext();
+		}
+		return this.links[epochIndex].send.nextKey();
+	}
+	/**
+	* Get a receive key for a given epoch and counter index.
+	*/
+	recvKey(epoch, index) {
+		const epochIndex = this.epochIdx(epoch);
+		return this.links[epochIndex].recv.key(index, this.params);
+	}
+	/**
+	* Serialize the chain to its protobuf representation.
+	* Matches Rust Chain::into_pb().
+	*/
+	toProto() {
+		return {
+			direction: this.dir,
+			currentEpoch: this.currentEpoch,
+			sendEpoch: this.sendEpoch,
+			nextRoot: Uint8Array.from(this.nextRoot),
+			links: this.links.map((link) => ({
+				send: link.send.toProto(),
+				recv: link.recv.toProto()
+			})),
+			params: chainParamsToProto(this.params)
+		};
+	}
+	/**
+	* Deserialize a chain from its protobuf representation.
+	* Matches Rust Chain::from_pb().
+	*/
+	static fromProto(pb) {
+		const links = pb.links.map((link) => ({
+			send: ChainEpochDirection.fromProto(link.send ?? {
+				ctr: 0,
+				next: new Uint8Array(0),
+				prev: new Uint8Array(0)
+			}),
+			recv: ChainEpochDirection.fromProto(link.recv ?? {
+				ctr: 0,
+				next: new Uint8Array(0),
+				prev: new Uint8Array(0)
+			})
+		}));
+		const params = chainParamsFromProto(pb.params);
+		return new Chain(pb.direction, pb.currentEpoch, pb.sendEpoch, links, Uint8Array.from(pb.nextRoot), params);
+	}
+};
+/**
+* Select the chain key for a given direction from a 96-byte HKDF output.
+* A2B uses bytes [32..64], B2A uses bytes [64..96].
+*/
+function cedForDirection(gen, dir) {
+	return dir === Direction.A2B ? gen.slice(32, 64) : gen.slice(64, 96);
+}
+/**
+* Convert ChainParams to protobuf format.
+* Default values are stored as 0 (proto3 convention).
+*/
+function chainParamsToProto(params) {
+	return {
+		maxJump: params.maxJump === DEFAULT_MAX_JUMP ? 0 : params.maxJump,
+		maxOooKeys: params.maxOooKeys === DEFAULT_MAX_OOO_KEYS ? 0 : params.maxOooKeys
+	};
+}
+/**
+* Convert protobuf ChainParams to runtime ChainParams.
+* Zero values are interpreted as defaults.
+*/
+function chainParamsFromProto(pb) {
+	if (pb === void 0) return {
+		maxJump: DEFAULT_MAX_JUMP,
+		maxOooKeys: DEFAULT_MAX_OOO_KEYS
+	};
+	return {
+		maxJump: pb.maxJump > 0 ? pb.maxJump : DEFAULT_MAX_JUMP,
+		maxOooKeys: pb.maxOooKeys > 0 ? pb.maxOooKeys : DEFAULT_MAX_OOO_KEYS
+	};
+}
+//#endregion
+//#region src/proto/index.ts
+const WIRE_VARINT = 0;
+const WIRE_LENGTH_DELIMITED = 2;
+const EMPTY_BYTES = new Uint8Array(0);
+var ProtoWriter = class {
+	parts = [];
+	writeVarint(fieldNumber, value) {
+		if (typeof value === "bigint") {
+			if (value === 0n) return;
+			this.writeTag(fieldNumber, WIRE_VARINT);
+			this.writeRawVarint64(value);
+		} else {
+			if (value === 0) return;
+			this.writeTag(fieldNumber, WIRE_VARINT);
+			this.writeRawVarint(value);
+		}
+	}
+	/** Write a varint field even when the value is zero (for required fields). */
+	writeVarintAlways(fieldNumber, value) {
+		if (typeof value === "bigint") {
+			this.writeTag(fieldNumber, WIRE_VARINT);
+			this.writeRawVarint64(value);
+		} else {
+			this.writeTag(fieldNumber, WIRE_VARINT);
+			this.writeRawVarint(value);
+		}
+	}
+	writeBool(fieldNumber, value) {
+		if (!value) return;
+		this.writeTag(fieldNumber, WIRE_VARINT);
+		this.writeRawVarint(1);
+	}
+	writeBytes(fieldNumber, data) {
+		if (data.length === 0) return;
+		this.writeTag(fieldNumber, WIRE_LENGTH_DELIMITED);
+		this.writeRawVarint(data.length);
+		this.parts.push(new Uint8Array(data));
+	}
+	writeMessage(fieldNumber, writer) {
+		const data = writer.finish();
+		if (data.length === 0) return;
+		this.writeTag(fieldNumber, WIRE_LENGTH_DELIMITED);
+		this.writeRawVarint(data.length);
+		this.parts.push(data);
+	}
+	/** For oneof fields, write even if the sub-message is empty. */
+	writeMessageAlways(fieldNumber, writer) {
+		const data = writer.finish();
+		this.writeTag(fieldNumber, WIRE_LENGTH_DELIMITED);
+		this.writeRawVarint(data.length);
+		if (data.length > 0) this.parts.push(data);
+	}
+	writeEnum(fieldNumber, value) {
+		this.writeVarint(fieldNumber, value);
+	}
+	finish() {
+		let total = 0;
+		for (const p of this.parts) total += p.length;
+		const result = new Uint8Array(total);
+		let offset = 0;
+		for (const p of this.parts) {
+			result.set(p, offset);
+			offset += p.length;
+		}
+		return result;
+	}
+	writeTag(fieldNumber, wireType) {
+		this.writeRawVarint(fieldNumber << 3 | wireType);
+	}
+	writeRawVarint(value) {
+		const buf = [];
+		let v = value >>> 0;
+		while (v > 127) {
+			buf.push(v & 127 | 128);
+			v >>>= 7;
+		}
+		buf.push(v & 127);
+		this.parts.push(new Uint8Array(buf));
+	}
+	writeRawVarint64(value) {
+		const buf = [];
+		let v = value;
+		while (v > 127n) {
+			buf.push(Number(v & 127n) | 128);
+			v >>= 7n;
+		}
+		buf.push(Number(v & 127n));
+		this.parts.push(new Uint8Array(buf));
+	}
+};
+var ProtoReader = class ProtoReader {
+	data;
+	pos;
+	constructor(data) {
+		this.data = data;
+		this.pos = 0;
+	}
+	get remaining() {
+		return this.data.length - this.pos;
+	}
+	get done() {
+		return this.pos >= this.data.length;
+	}
+	readField() {
+		if (this.pos >= this.data.length) return null;
+		const tag = this.readRawVarint();
+		return {
+			fieldNumber: tag >>> 3,
+			wireType: tag & 7
+		};
+	}
+	readVarint() {
+		return this.readRawVarint();
+	}
+	readVarint64() {
+		return this.readRawVarint64();
+	}
+	readBool() {
+		return this.readRawVarint() !== 0;
+	}
+	readBytes() {
+		const len = this.readRawVarint();
+		const data = this.data.slice(this.pos, this.pos + len);
+		this.pos += len;
+		return data;
+	}
+	readMessage() {
+		return new ProtoReader(this.readBytes());
+	}
+	readEnum() {
+		return this.readRawVarint();
+	}
+	skip(wireType) {
+		switch (wireType) {
+			case 0:
+				this.readRawVarint();
+				break;
+			case 1:
+				this.pos += 8;
+				break;
+			case 2: {
+				const len = this.readRawVarint();
+				this.pos += len;
+				break;
+			}
+			case 5:
+				this.pos += 4;
+				break;
+			default: throw new Error(`Unknown wire type: ${wireType}`);
+		}
+	}
+	readRawVarint() {
+		let result = 0;
+		let shift = 0;
+		while (shift < 35) {
+			const b = this.data[this.pos++];
+			result |= (b & 127) << shift;
+			if ((b & 128) === 0) return result >>> 0;
+			shift += 7;
+		}
+		throw new Error("Varint too long");
+	}
+	readRawVarint64() {
+		let result = 0n;
+		let shift = 0n;
+		while (shift < 70n) {
+			const b = this.data[this.pos++];
+			result |= BigInt(b & 127) << shift;
+			if ((b & 128) === 0) return result;
+			shift += 7n;
+		}
+		throw new Error("Varint64 too long");
+	}
+};
+function decodeChainParams(data) {
+	const r = new ProtoReader(data);
+	let maxJump = 0;
+	let maxOooKeys = 0;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				maxJump = r.readVarint();
+				break;
+			case 2:
+				maxOooKeys = r.readVarint();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		maxJump,
+		maxOooKeys
+	};
+}
+function encodeVersionNegotiation(msg) {
+	const w = new ProtoWriter();
+	w.writeBytes(1, msg.authKey);
+	w.writeEnum(2, msg.direction);
+	w.writeEnum(3, msg.minVersion);
+	if (msg.chainParams !== void 0) {
+		const sub = new ProtoWriter();
+		sub.writeVarint(1, msg.chainParams.maxJump);
+		sub.writeVarint(2, msg.chainParams.maxOooKeys);
+		w.writeMessage(4, sub);
+	}
+	return w.finish();
+}
+function decodeVersionNegotiation(data) {
+	const r = new ProtoReader(data);
+	let authKey = EMPTY_BYTES;
+	let direction = 0;
+	let minVersion = 0;
+	let chainParams;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				authKey = r.readBytes();
+				break;
+			case 2:
+				direction = r.readEnum();
+				break;
+			case 3:
+				minVersion = r.readEnum();
+				break;
+			case 4:
+				chainParams = decodeChainParams(r.readBytes());
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		authKey,
+		direction,
+		minVersion,
+		chainParams
+	};
+}
+function encodeEpochDirection(w, msg) {
+	w.writeVarint(1, msg.ctr);
+	w.writeBytes(2, msg.next);
+	w.writeBytes(3, msg.prev);
+}
+function decodeEpochDirection(r) {
+	let ctr = 0;
+	let next = EMPTY_BYTES;
+	let prev = EMPTY_BYTES;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				ctr = r.readVarint();
+				break;
+			case 2:
+				next = r.readBytes();
+				break;
+			case 3:
+				prev = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		ctr,
+		next,
+		prev
+	};
+}
+function encodeEpoch(msg) {
+	const w = new ProtoWriter();
+	if (msg.send !== void 0) {
+		const sub = new ProtoWriter();
+		encodeEpochDirection(sub, msg.send);
+		w.writeMessage(1, sub);
+	}
+	if (msg.recv !== void 0) {
+		const sub = new ProtoWriter();
+		encodeEpochDirection(sub, msg.recv);
+		w.writeMessage(2, sub);
+	}
+	return w.finish();
+}
+function decodeEpoch(data) {
+	const r = new ProtoReader(data);
+	let send;
+	let recv;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				send = decodeEpochDirection(r.readMessage());
+				break;
+			case 2:
+				recv = decodeEpochDirection(r.readMessage());
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		send,
+		recv
+	};
+}
+function encodeChain(msg) {
+	const w = new ProtoWriter();
+	w.writeEnum(1, msg.direction);
+	w.writeVarint(2, msg.currentEpoch);
+	for (const link of msg.links) w.writeBytes(3, encodeEpoch(link));
+	w.writeBytes(4, msg.nextRoot);
+	w.writeVarint(5, msg.sendEpoch);
+	if (msg.params !== void 0) {
+		const sub = new ProtoWriter();
+		sub.writeVarint(1, msg.params.maxJump);
+		sub.writeVarint(2, msg.params.maxOooKeys);
+		w.writeMessage(6, sub);
+	}
+	return w.finish();
+}
+function decodeChain(data) {
+	const r = new ProtoReader(data);
+	let direction = 0;
+	let currentEpoch = 0n;
+	const links = [];
+	let nextRoot = EMPTY_BYTES;
+	let sendEpoch = 0n;
+	let params;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				direction = r.readEnum();
+				break;
+			case 2:
+				currentEpoch = r.readVarint64();
+				break;
+			case 3:
+				links.push(decodeEpoch(r.readBytes()));
+				break;
+			case 4:
+				nextRoot = r.readBytes();
+				break;
+			case 5:
+				sendEpoch = r.readVarint64();
+				break;
+			case 6:
+				params = decodeChainParams(r.readBytes());
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		direction,
+		currentEpoch,
+		links,
+		nextRoot,
+		sendEpoch,
+		params
+	};
+}
+function decodeAuthenticator(data) {
+	const r = new ProtoReader(data);
+	let rootKey = EMPTY_BYTES;
+	let macKey = EMPTY_BYTES;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				rootKey = r.readBytes();
+				break;
+			case 2:
+				macKey = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		rootKey,
+		macKey
+	};
+}
+function encodePolynomialEncoder(msg) {
+	const w = new ProtoWriter();
+	w.writeVarint(1, msg.idx);
+	for (const pt of msg.pts) w.writeBytes(2, pt);
+	for (const poly of msg.polys) w.writeBytes(3, poly);
+	return w.finish();
+}
+function decodePolynomialEncoder(data) {
+	const r = new ProtoReader(data);
+	let idx = 0;
+	const pts = [];
+	const polys = [];
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				idx = r.readVarint();
+				break;
+			case 2:
+				pts.push(r.readBytes());
+				break;
+			case 3:
+				polys.push(r.readBytes());
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		idx,
+		pts,
+		polys
+	};
+}
+function encodePolynomialDecoder(msg) {
+	const w = new ProtoWriter();
+	w.writeVarint(1, msg.ptsNeeded);
+	w.writeVarint(2, msg.polys);
+	for (const pt of msg.pts) w.writeBytes(3, pt);
+	w.writeBool(4, msg.isComplete);
+	return w.finish();
+}
+function decodePolynomialDecoder(data) {
+	const r = new ProtoReader(data);
+	let ptsNeeded = 0;
+	let polys = 0;
+	const pts = [];
+	let isComplete = false;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				ptsNeeded = r.readVarint();
+				break;
+			case 2:
+				polys = r.readVarint();
+				break;
+			case 3:
+				pts.push(r.readBytes());
+				break;
+			case 4:
+				isComplete = r.readBool();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		ptsNeeded,
+		polys,
+		pts,
+		isComplete
+	};
+}
+function encodeAuthOptional(w, fieldNumber, auth) {
+	if (auth !== void 0) {
+		const sub = new ProtoWriter();
+		sub.writeBytes(1, auth.rootKey);
+		sub.writeBytes(2, auth.macKey);
+		w.writeMessage(fieldNumber, sub);
+	}
+}
+function decodeAuthOptional(r) {
+	return decodeAuthenticator(r.readBytes());
+}
+/**
+* Detect whether an unchunked sub-message uses the Rust field layout
+* (epoch at field 1, auth at field 2, data fields shifted +1) or the
+* TS layout (auth at field 1, data fields as-is).
+*
+* Returns the field number offset: 0 for TS layout, 1 for Rust layout.
+* Detection is based on field 1's wire type:
+*   - varint (wire type 0) => Rust layout (field 1 = epoch)
+*   - length-delimited (wire type 2) => TS layout (field 1 = auth)
+*/
+function detectUcLayout(data) {
+	if (data.length === 0) return 0;
+	return (data[0] & 7) === WIRE_VARINT ? 1 : 0;
+}
+function encodeUcKeysUnsampled(msg) {
+	const w = new ProtoWriter();
+	encodeAuthOptional(w, 1, msg.auth);
+	return w.finish();
+}
+function decodeUcKeysUnsampled(data) {
+	const r = new ProtoReader(data);
+	const offset = detectUcLayout(data);
+	let auth;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber - offset) {
+			case 1:
+				auth = decodeAuthOptional(r);
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return { auth };
+}
+function encodeUcKeysSampled(msg) {
+	const w = new ProtoWriter();
+	encodeAuthOptional(w, 1, msg.auth);
+	w.writeBytes(2, msg.ek);
+	w.writeBytes(3, msg.dk);
+	w.writeBytes(4, msg.hdr);
+	w.writeBytes(5, msg.hdrMac);
+	return w.finish();
+}
+function decodeUcKeysSampled(data) {
+	const r = new ProtoReader(data);
+	const offset = detectUcLayout(data);
+	let auth;
+	let ek = EMPTY_BYTES;
+	let dk = EMPTY_BYTES;
+	let hdr = EMPTY_BYTES;
+	let hdrMac = EMPTY_BYTES;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber - offset) {
+			case 1:
+				auth = decodeAuthOptional(r);
+				break;
+			case 2:
+				ek = r.readBytes();
+				break;
+			case 3:
+				dk = r.readBytes();
+				break;
+			case 4:
+				hdr = r.readBytes();
+				break;
+			case 5:
+				hdrMac = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		auth,
+		ek,
+		dk,
+		hdr,
+		hdrMac
+	};
+}
+function encodeUcHeaderSent(msg) {
+	const w = new ProtoWriter();
+	encodeAuthOptional(w, 1, msg.auth);
+	w.writeBytes(2, msg.ek);
+	w.writeBytes(3, msg.dk);
+	return w.finish();
+}
+function decodeUcHeaderSent(data) {
+	const r = new ProtoReader(data);
+	const offset = detectUcLayout(data);
+	let auth;
+	let ek = EMPTY_BYTES;
+	let dk = EMPTY_BYTES;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber - offset) {
+			case 1:
+				auth = decodeAuthOptional(r);
+				break;
+			case 2:
+				ek = r.readBytes();
+				break;
+			case 3:
+				dk = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		auth,
+		ek,
+		dk
+	};
+}
+function encodeUcDkCt1(msg) {
+	const w = new ProtoWriter();
+	encodeAuthOptional(w, 1, msg.auth);
+	w.writeBytes(2, msg.dk);
+	w.writeBytes(3, msg.ct1);
+	return w.finish();
+}
+function decodeUcDkCt1(data) {
+	const r = new ProtoReader(data);
+	const offset = detectUcLayout(data);
+	let auth;
+	let dk = EMPTY_BYTES;
+	let ct1 = EMPTY_BYTES;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber - offset) {
+			case 1:
+				auth = decodeAuthOptional(r);
+				break;
+			case 2:
+				dk = r.readBytes();
+				break;
+			case 3:
+				ct1 = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		auth,
+		dk,
+		ct1
+	};
+}
+function encodeUcHeaderReceived(msg) {
+	const w = new ProtoWriter();
+	encodeAuthOptional(w, 1, msg.auth);
+	w.writeBytes(2, msg.hdr);
+	w.writeBytes(3, msg.es);
+	w.writeBytes(4, msg.ct1);
+	w.writeBytes(5, msg.ss);
+	return w.finish();
+}
+function decodeUcHeaderReceived(data) {
+	const r = new ProtoReader(data);
+	const offset = detectUcLayout(data);
+	let auth;
+	let hdr = EMPTY_BYTES;
+	let es = EMPTY_BYTES;
+	let ct1 = EMPTY_BYTES;
+	let ss = EMPTY_BYTES;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber - offset) {
+			case 1:
+				auth = decodeAuthOptional(r);
+				break;
+			case 2:
+				hdr = r.readBytes();
+				break;
+			case 3:
+				es = r.readBytes();
+				break;
+			case 4:
+				ct1 = r.readBytes();
+				break;
+			case 5:
+				ss = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		auth,
+		hdr,
+		es,
+		ct1,
+		ss
+	};
+}
+function encodeUcAuthHdrEsCt1(msg) {
+	const w = new ProtoWriter();
+	encodeAuthOptional(w, 1, msg.auth);
+	w.writeBytes(2, msg.hdr);
+	w.writeBytes(3, msg.es);
+	w.writeBytes(4, msg.ct1);
+	return w.finish();
+}
+function decodeUcAuthHdrEsCt1(data) {
+	const r = new ProtoReader(data);
+	const offset = detectUcLayout(data);
+	let auth;
+	let hdr = EMPTY_BYTES;
+	let es = EMPTY_BYTES;
+	let ct1 = EMPTY_BYTES;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber - offset) {
+			case 1:
+				auth = decodeAuthOptional(r);
+				break;
+			case 2:
+				hdr = r.readBytes();
+				break;
+			case 3:
+				es = r.readBytes();
+				break;
+			case 4:
+				ct1 = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		auth,
+		hdr,
+		es,
+		ct1
+	};
+}
+function encodeUcEkReceivedCt1Sampled(msg) {
+	const w = new ProtoWriter();
+	encodeAuthOptional(w, 1, msg.auth);
+	w.writeBytes(2, msg.hdr);
+	w.writeBytes(3, msg.es);
+	w.writeBytes(4, msg.ek);
+	w.writeBytes(5, msg.ct1);
+	return w.finish();
+}
+function decodeUcEkReceivedCt1Sampled(data) {
+	const r = new ProtoReader(data);
+	const offset = detectUcLayout(data);
+	let auth;
+	let hdr = EMPTY_BYTES;
+	let es = EMPTY_BYTES;
+	let ek = EMPTY_BYTES;
+	let ct1 = EMPTY_BYTES;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber - offset) {
+			case 1:
+				auth = decodeAuthOptional(r);
+				break;
+			case 2:
+				hdr = r.readBytes();
+				break;
+			case 3:
+				es = r.readBytes();
+				break;
+			case 4:
+				ek = r.readBytes();
+				break;
+			case 5:
+				ct1 = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		auth,
+		hdr,
+		es,
+		ek,
+		ct1
+	};
+}
+/**
+* Encode a PbChunkedState into a sub-message for V1State.
+* The field number in V1State determines which variant this is:
+*   1=keysUnsampled, 2=keysSampled, ..., 11=ct2Sampled
+*
+* Each chunked state has:
+*   field 1 = unchunked data
+*   field 2 = encoder (if present)
+*   field 3 = decoder (if present)
+*/
+function encodeChunkedStateInner(state) {
+	const w = new ProtoWriter();
+	switch (state.type) {
+		case "keysUnsampled":
+			w.writeBytes(1, encodeUcKeysUnsampled(state.uc));
+			return {
+				fieldNumber: 1,
+				data: w.finish()
+			};
+		case "keysSampled":
+			w.writeBytes(1, encodeUcKeysSampled(state.uc));
+			w.writeBytes(2, encodePolynomialEncoder(state.sendingHdr));
+			return {
+				fieldNumber: 2,
+				data: w.finish()
+			};
+		case "headerSent":
+			w.writeBytes(1, encodeUcHeaderSent(state.uc));
+			w.writeBytes(2, encodePolynomialEncoder(state.sendingEk));
+			w.writeBytes(3, encodePolynomialDecoder(state.receivingCt1));
+			return {
+				fieldNumber: 3,
+				data: w.finish()
+			};
+		case "ct1Received":
+			w.writeBytes(1, encodeUcDkCt1(state.uc));
+			w.writeBytes(2, encodePolynomialEncoder(state.sendingEk));
+			return {
+				fieldNumber: 4,
+				data: w.finish()
+			};
+		case "ekSentCt1Received":
+			w.writeBytes(1, encodeUcDkCt1(state.uc));
+			w.writeBytes(3, encodePolynomialDecoder(state.receivingCt2));
+			return {
+				fieldNumber: 5,
+				data: w.finish()
+			};
+		case "noHeaderReceived":
+			w.writeBytes(1, encodeUcKeysUnsampled(state.uc));
+			w.writeBytes(2, encodePolynomialDecoder(state.receivingHdr));
+			return {
+				fieldNumber: 6,
+				data: w.finish()
+			};
+		case "headerReceived":
+			w.writeBytes(1, encodeUcHeaderReceived(state.uc));
+			w.writeBytes(2, encodePolynomialDecoder(state.receivingEk));
+			return {
+				fieldNumber: 7,
+				data: w.finish()
+			};
+		case "ct1Sampled":
+			w.writeBytes(1, encodeUcAuthHdrEsCt1(state.uc));
+			w.writeBytes(2, encodePolynomialEncoder(state.sendingCt1));
+			w.writeBytes(3, encodePolynomialDecoder(state.receivingEk));
+			return {
+				fieldNumber: 8,
+				data: w.finish()
+			};
+		case "ekReceivedCt1Sampled":
+			w.writeBytes(1, encodeUcEkReceivedCt1Sampled(state.uc));
+			w.writeBytes(2, encodePolynomialEncoder(state.sendingCt1));
+			return {
+				fieldNumber: 9,
+				data: w.finish()
+			};
+		case "ct1Acknowledged":
+			w.writeBytes(1, encodeUcAuthHdrEsCt1(state.uc));
+			w.writeBytes(2, encodePolynomialDecoder(state.receivingEk));
+			return {
+				fieldNumber: 10,
+				data: w.finish()
+			};
+		case "ct2Sampled":
+			w.writeBytes(1, encodeUcKeysUnsampled(state.uc));
+			w.writeBytes(2, encodePolynomialEncoder(state.sendingCt2));
+			return {
+				fieldNumber: 11,
+				data: w.finish()
+			};
+	}
+}
+function decodeChunkedRaw(data) {
+	const r = new ProtoReader(data);
+	let uc = EMPTY_BYTES;
+	let encoder;
+	let decoder;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				uc = r.readBytes();
+				break;
+			case 2:
+				encoder = r.readBytes();
+				break;
+			case 3:
+				decoder = r.readBytes();
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		uc,
+		encoder,
+		decoder
+	};
+}
+function requireField(data, name) {
+	if (data === void 0) throw new Error(`Protobuf: missing required field '${name}'`);
+	return data;
+}
+function decodeChunkedState(fieldNumber, data) {
+	const raw = decodeChunkedRaw(data);
+	switch (fieldNumber) {
+		case 1: return {
+			type: "keysUnsampled",
+			uc: decodeUcKeysUnsampled(raw.uc)
+		};
+		case 2: return {
+			type: "keysSampled",
+			uc: decodeUcKeysSampled(raw.uc),
+			sendingHdr: decodePolynomialEncoder(requireField(raw.encoder, "encoder"))
+		};
+		case 3: return {
+			type: "headerSent",
+			uc: decodeUcHeaderSent(raw.uc),
+			sendingEk: decodePolynomialEncoder(requireField(raw.encoder, "encoder")),
+			receivingCt1: decodePolynomialDecoder(requireField(raw.decoder, "decoder"))
+		};
+		case 4: return {
+			type: "ct1Received",
+			uc: decodeUcDkCt1(raw.uc),
+			sendingEk: decodePolynomialEncoder(requireField(raw.encoder, "encoder"))
+		};
+		case 5: return {
+			type: "ekSentCt1Received",
+			uc: decodeUcDkCt1(raw.uc),
+			receivingCt2: decodePolynomialDecoder(requireField(raw.decoder, "decoder"))
+		};
+		case 6: return {
+			type: "noHeaderReceived",
+			uc: decodeUcKeysUnsampled(raw.uc),
+			receivingHdr: decodePolynomialDecoder(requireField(raw.encoder, "encoder"))
+		};
+		case 7: return {
+			type: "headerReceived",
+			uc: decodeUcHeaderReceived(raw.uc),
+			receivingEk: decodePolynomialDecoder(requireField(raw.encoder, "encoder"))
+		};
+		case 8: return {
+			type: "ct1Sampled",
+			uc: decodeUcAuthHdrEsCt1(raw.uc),
+			sendingCt1: decodePolynomialEncoder(requireField(raw.encoder, "encoder")),
+			receivingEk: decodePolynomialDecoder(requireField(raw.decoder, "decoder"))
+		};
+		case 9: return {
+			type: "ekReceivedCt1Sampled",
+			uc: decodeUcEkReceivedCt1Sampled(raw.uc),
+			sendingCt1: decodePolynomialEncoder(requireField(raw.encoder, "encoder"))
+		};
+		case 10: return {
+			type: "ct1Acknowledged",
+			uc: decodeUcAuthHdrEsCt1(raw.uc),
+			receivingEk: decodePolynomialDecoder(requireField(raw.encoder, "encoder"))
+		};
+		case 11: return {
+			type: "ct2Sampled",
+			uc: decodeUcKeysUnsampled(raw.uc),
+			sendingCt2: decodePolynomialEncoder(requireField(raw.encoder, "encoder"))
+		};
+		default: throw new Error(`Unknown chunked state field number: ${fieldNumber}`);
+	}
+}
+function encodeV1State(msg) {
+	if (msg.innerState === void 0) return EMPTY_BYTES;
+	const { fieldNumber, data } = encodeChunkedStateInner(msg.innerState);
+	const w = new ProtoWriter();
+	w.writeBytes(fieldNumber, data);
+	if (msg.epoch !== void 0) w.writeVarint(12, msg.epoch);
+	return w.finish();
+}
+function decodeV1State(data) {
+	const r = new ProtoReader(data);
+	let innerState;
+	let epoch;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		if (field.fieldNumber >= 1 && field.fieldNumber <= 11) innerState = decodeChunkedState(field.fieldNumber, r.readBytes());
+		else if (field.fieldNumber === 12) epoch = r.readVarint64();
+		else r.skip(field.wireType);
+	}
+	return {
+		innerState,
+		epoch
+	};
+}
+function encodePqRatchetState(msg) {
+	const w = new ProtoWriter();
+	if (msg.versionNegotiation !== void 0) w.writeBytes(1, encodeVersionNegotiation(msg.versionNegotiation));
+	if (msg.chain !== void 0) w.writeBytes(2, encodeChain(msg.chain));
+	if (msg.v1 !== void 0) w.writeBytes(3, encodeV1State(msg.v1));
+	return w.finish();
+}
+function decodePqRatchetState(data) {
+	const r = new ProtoReader(data);
+	let versionNegotiation;
+	let chain;
+	let v1;
+	while (!r.done) {
+		const field = r.readField();
+		if (field === null) break;
+		switch (field.fieldNumber) {
+			case 1:
+				versionNegotiation = decodeVersionNegotiation(r.readBytes());
+				break;
+			case 2:
+				chain = decodeChain(r.readBytes());
+				break;
+			case 3:
+				v1 = decodeV1State(r.readBytes());
+				break;
+			default: r.skip(field.wireType);
+		}
+	}
+	return {
+		versionNegotiation,
+		chain,
+		v1
+	};
+}
+//#endregion
+//#region src/index.ts
+/**
+* Copyright © 2025 Signal Messenger, LLC
+* Copyright © 2026 Parity Technologies
+*
+* Top-level public API for the SPQR protocol.
+*
+* Matches Signal's Rust `lib.rs` interface. All state is serialized as
+* opaque protobuf bytes (Uint8Array) so that callers never need to touch
+* internal types.
+*
+* Exported functions:
+*   - emptyState()      -> empty serialized state (V0)
+*   - initialState(p)   -> create initial serialized state
+*   - send(state, rng)  -> produce next message + advance state
+*   - recv(state, msg)  -> consume incoming message + advance state
+*   - currentVersion(s) -> inspect version negotiation status
+*/
+/**
+* Return an empty (V0) serialized state.
+*/
+function emptyState() {
+	return new Uint8Array(0);
+}
+/**
+* Create an initial serialized state from parameters.
+*
+* For V0, returns an empty state. For V1+, initializes the inner V1
+* state machine and version negotiation.
+*/
+function initialState(params) {
+	if (params.version === Version.V0) return emptyState();
+	const inner = initInner(params.version, params.direction, params.authKey);
+	return encodePqRatchetState({
+		versionNegotiation: {
+			authKey: Uint8Array.from(params.authKey),
+			direction: params.direction,
+			minVersion: params.minVersion,
+			chainParams: {
+				maxJump: params.chainParams.maxJump,
+				maxOooKeys: params.chainParams.maxOooKeys
+			}
+		},
+		chain: void 0,
+		v1: inner
+	});
+}
+/**
+* Produce the next outgoing message from the current state.
+*
+* Returns the updated state, serialized message, and optional message key.
+*/
+function send(state, rng) {
+	if (state.length === 0) return {
+		state: new Uint8Array(0),
+		msg: new Uint8Array(0),
+		key: null
+	};
+	const statePb = decodePqRatchetState(state);
+	if (statePb.v1 === void 0) return {
+		state: new Uint8Array(0),
+		msg: new Uint8Array(0),
+		key: null
+	};
+	const sendResult = send$1(statesFromPb(statePb.v1), rng);
+	let chain;
+	if (statePb.chain !== void 0) chain = Chain.fromProto(statePb.chain);
+	else if (statePb.versionNegotiation !== void 0) {
+		const vn = statePb.versionNegotiation;
+		if (vn.minVersion > Version.V0) chain = chainFromVersionNegotiation(vn);
+	} else throw new SpqrError("Chain not available and no version negotiation", SpqrErrorCode.ChainNotAvailable);
+	let index;
+	let msgKey;
+	let chainPb;
+	if (chain === void 0) {
+		if (sendResult.key !== null) throw new SpqrError("Unexpected epoch secret without chain", SpqrErrorCode.ChainNotAvailable);
+		index = 0;
+		msgKey = new Uint8Array(0);
+		chainPb = void 0;
+	} else {
+		if (sendResult.key !== null) chain.addEpoch(sendResult.key);
+		const msgEpoch = sendResult.msg.epoch - 1n;
+		const [sendIndex, sendKey] = chain.sendKey(msgEpoch);
+		index = sendIndex;
+		msgKey = sendKey;
+		chainPb = chain.toProto();
+	}
+	const serializedMsg = serializeMessage(sendResult.msg, index);
+	const v1Pb = statesToPb(sendResult.state);
+	return {
+		state: encodePqRatchetState({
+			versionNegotiation: statePb.versionNegotiation,
+			chain: chainPb,
+			v1: v1Pb
+		}),
+		msg: serializedMsg,
+		key: msgKey.length === 0 ? null : msgKey
+	};
+}
+/**
+* Process an incoming message and transition the state.
+*
+* Returns the updated state and optional message key.
+*/
+function recv(state, msg) {
+	if (state.length === 0 && msg.length === 0) return {
+		state: new Uint8Array(0),
+		key: null
+	};
+	const prenegotiatedPb = state.length === 0 ? {
+		v1: void 0,
+		chain: void 0,
+		versionNegotiation: void 0
+	} : decodePqRatchetState(state);
+	const msgVer = msgVersion(msg);
+	if (msgVer === void 0) return {
+		state: Uint8Array.from(state),
+		key: null
+	};
+	const stateVer = stateVersion(prenegotiatedPb);
+	let statePb;
+	if (msgVer >= stateVer) statePb = prenegotiatedPb;
+	else {
+		const vn = prenegotiatedPb.versionNegotiation;
+		if (vn === void 0) throw new SpqrError(`Version mismatch: state=${stateVer}, msg=${msgVer}, no negotiation available`, SpqrErrorCode.VersionMismatch);
+		if (msgVer < vn.minVersion) throw new SpqrError(`Minimum version not met: min=${vn.minVersion}, msg=${msgVer}`, SpqrErrorCode.MinimumVersion);
+		statePb = {
+			v1: initInner(msgVer, vn.direction, Uint8Array.from(vn.authKey)),
+			versionNegotiation: void 0,
+			chain: chainFrom(prenegotiatedPb.chain, vn)
+		};
+	}
+	if (statePb.v1 === void 0) return {
+		state: new Uint8Array(0),
+		key: null
+	};
+	const { msg: sckaMsg, index } = deserializeMessage(msg);
+	const recvResult = recv$1(statesFromPb(statePb.v1), sckaMsg);
+	const msgKeyEpoch = sckaMsg.epoch - 1n;
+	const chainObj = chainFromState(statePb.chain, statePb.versionNegotiation);
+	if (recvResult.key !== null) chainObj.addEpoch(recvResult.key);
+	let msgKey;
+	if (msgKeyEpoch === 0n && index === 0) msgKey = new Uint8Array(0);
+	else msgKey = chainObj.recvKey(msgKeyEpoch, index);
+	const v1Pb = statesToPb(recvResult.state);
+	return {
+		state: encodePqRatchetState({
+			versionNegotiation: void 0,
+			chain: chainObj.toProto(),
+			v1: v1Pb
+		}),
+		key: msgKey.length === 0 ? null : msgKey
+	};
+}
+/**
+* Inspect the current version negotiation status of a serialized state.
+*/
+function currentVersion(state) {
+	if (state.length === 0) return {
+		type: "negotiation_complete",
+		version: Version.V0
+	};
+	const statePb = decodePqRatchetState(state);
+	const version = statePb.v1 !== void 0 ? Version.V1 : Version.V0;
+	if (statePb.versionNegotiation !== void 0) return {
+		type: "still_negotiating",
+		version,
+		minVersion: statePb.versionNegotiation.minVersion
+	};
+	return {
+		type: "negotiation_complete",
+		version
+	};
+}
+/**
+* Initialize the V1 inner state based on version and direction.
+*/
+function initInner(version, direction, authKey) {
+	if (version === Version.V0) return;
+	let states;
+	if (direction === Direction.A2B) states = initA(authKey);
+	else states = initB(authKey);
+	return statesToPb(states);
+}
+/**
+* Extract version from a serialized message.
+* Empty msg -> V0. msg[0]: 0 -> V0, 1 -> V1, else undefined.
+*/
+function msgVersion(msg) {
+	if (msg.length === 0) return Version.V0;
+	const v = msg[0];
+	if (v === 0) return Version.V0;
+	if (v === 1) return Version.V1;
+}
+/**
+* Extract version from the decoded state.
+* No v1 inner -> V0. Has v1 inner -> V1.
+*/
+function stateVersion(state) {
+	return state.v1 !== void 0 ? Version.V1 : Version.V0;
+}
+/**
+* Create a Chain from version negotiation parameters.
+*/
+function chainFromVersionNegotiation(vn) {
+	const chainParams = vn.chainParams ?? {
+		maxJump: 25e3,
+		maxOooKeys: 2e3
+	};
+	return Chain.create(Uint8Array.from(vn.authKey), vn.direction, chainParams);
+}
+/**
+* Get or create a Chain from the existing chain proto and version negotiation.
+* Prefers existing chain, falls back to creating from version negotiation.
+*/
+function chainFrom(chainPb, vn) {
+	if (chainPb !== void 0) return chainPb;
+	if (vn !== void 0) return chainFromVersionNegotiation(vn).toProto();
+}
+/**
+* Get a Chain object from state, creating from vn if needed.
+*/
+function chainFromState(chainPb, vn) {
+	if (chainPb !== void 0) return Chain.fromProto(chainPb);
+	if (vn !== void 0) return chainFromVersionNegotiation(vn);
+	throw new SpqrError("Chain not available and no version negotiation", SpqrErrorCode.ChainNotAvailable);
+}
+//#endregion
+export { Direction, SpqrError, SpqrErrorCode, Version, currentVersion, emptyState, initialState, recv, send };
+//# sourceMappingURL=index.mjs.map