@bcts/xid 1.0.0-alpha.17 → 1.0.0-alpha.18

package/dist/index.iife.js

@@ -1,4 +1,4 @@
-var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_envelope, _bcts_provenance_mark, _bcts_dcbor) {
+var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_envelope, _bcts_provenance_mark) {
 
 
 //#region src/error.ts
@@ -615,8 +615,8 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 		* Create a new Key with private key base (derives keys from it).
 		*/
 		static newWithPrivateKeyBase(privateKeyBase) {
-			const privateKeys = privateKeyBase.ed25519PrivateKeys();
-			const publicKeys = privateKeyBase.ed25519PublicKeys();
+			const privateKeys = privateKeyBase.schnorrPrivateKeys();
+			const publicKeys = privateKeyBase.schnorrPublicKeys();
 			return Key.newWithPrivateKeys(privateKeys, publicKeys);
 		}
 		/**
@@ -657,6 +657,18 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 			return this._publicKeys.reference();
 		}
 		/**
+		* Get the signing public key.
+		*/
+		signingPublicKey() {
+			return this._publicKeys.signingPublicKey();
+		}
+		/**
+		* Get the encapsulation public key.
+		*/
+		encapsulationPublicKey() {
+			return this._publicKeys.encapsulationPublicKey();
+		}
+		/**
 		* Verify a signature against a message.
 		*/
 		verify(signature, message) {
@@ -721,7 +733,9 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 					}
 					case XIDPrivateKeyOptions.Encrypt:
 						if (typeof privateKeyOptions === "object") {
-							const encrypted = _bcts_envelope.Envelope.new(data.privateKeys.taggedCborData()).encryptSubject(privateKeyOptions.password);
+							const privateKeysEnvelope = _bcts_envelope.Envelope.new(data.privateKeys.taggedCborData());
+							const method = privateKeyOptions.method ?? (0, _bcts_components.defaultKeyDerivationMethod)();
+							const encrypted = privateKeysEnvelope.lockSubject(method, privateKeyOptions.password);
 							envelope = envelope.addAssertion(kv$3(_bcts_known_values.PRIVATE_KEY), encrypted);
 							envelope = envelope.addAssertion(kv$3(_bcts_known_values.SALT), salt.toData());
 						}
@@ -743,9 +757,15 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 		*/
 		static tryFromEnvelope(envelope, password) {
 			const env = envelope;
-			const publicKeysData = (env.case().type === "node" ? env.subject() : env).asByteString();
-			if (publicKeysData === void 0) throw XIDError.component(/* @__PURE__ */ new Error("Could not extract public keys from envelope"));
-			const publicKeys = _bcts_components.PublicKeys.fromTaggedCborData(publicKeysData);
+			const subject = env.case().type === "node" ? env.subject() : env;
+			let publicKeys;
+			const publicKeysData = subject.asByteString();
+			if (publicKeysData !== void 0) publicKeys = _bcts_components.PublicKeys.fromTaggedCborData(publicKeysData);
+			else {
+				const leaf = subject.asLeaf?.();
+				if (leaf === void 0) throw XIDError.component(/* @__PURE__ */ new Error("Could not extract public keys from envelope"));
+				publicKeys = _bcts_components.PublicKeys.fromTaggedCbor(leaf);
+			}
 			let privateKeyData;
 			let salt = _bcts_components.Salt.random(32);
 			const saltAssertions = env.assertionsWithPredicate(_bcts_known_values.SALT);
@@ -761,8 +781,8 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 				const assertionCase = privateKeyAssertions[0].case();
 				if (assertionCase.type === "assertion") {
 					const privateKeyObject = assertionCase.assertion.object();
-					if (privateKeyObject.case().type === "encrypted") if (password !== void 0) try {
-						const decryptedData = privateKeyObject.decryptSubject(password).asByteString();
+					if (privateKeyObject.isLockedWithPassword()) if (password !== void 0) try {
+						const decryptedData = privateKeyObject.unlockSubject(password).subject().asByteString();
 						if (decryptedData !== void 0) privateKeyData = {
 							data: {
 								type: "decrypted",
@@ -813,6 +833,27 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 			return new Key(publicKeys, privateKeyData, nickname, endpoints, permissions);
 		}
 		/**
+		* Get the private key envelope, optionally decrypting it.
+		*
+		* Returns:
+		* - undefined if no private keys
+		* - The decrypted private key envelope if unencrypted
+		* - The decrypted envelope if encrypted + correct password
+		* - The encrypted envelope as-is if encrypted + no password
+		* - Throws on wrong password
+		*/
+		privateKeyEnvelope(password) {
+			if (this._privateKeyData === void 0) return;
+			const { data } = this._privateKeyData;
+			if (data.type === "decrypted") return _bcts_envelope.Envelope.new(data.privateKeys.taggedCborData());
+			if (password !== void 0) try {
+				return data.envelope.unlockSubject(new TextEncoder().encode(password));
+			} catch {
+				throw XIDError.invalidPassword();
+			}
+			return data.envelope;
+		}
+		/**
 		* Check equality with another Key.
 		*/
 		equals(other) {
@@ -952,6 +993,20 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 			this.addDelegateReferenceHex(delegateReference.toHex());
 		}
 		/**
+		* Add a key by its public keys provider (convenience method).
+		* Matches Rust's `add_key(&mut self, key: &dyn PublicKeysProvider)`.
+		*/
+		addKey(keyProvider) {
+			this.addKeyReference(keyProvider.publicKeys().reference());
+		}
+		/**
+		* Add a delegate by its XID provider (convenience method).
+		* Matches Rust's `add_delegate(&mut self, delegate: &dyn XIDProvider)`.
+		*/
+		addDelegate(xidProvider) {
+			this.addDelegateReference(_bcts_components.Reference.hash(xidProvider.xid().toData()));
+		}
+		/**
 		* Get the name.
 		*/
 		name() {
@@ -1168,6 +1223,8 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 	* Ported from bc-xid-rust/src/provenance.rs
 	*/
 	const kv$1 = (v) => v;
+	const encodeGeneratorJSON = (json) => new TextEncoder().encode(JSON.stringify(json));
+	const decodeGeneratorJSON = (data) => JSON.parse(new TextDecoder().decode(data));
 	/**
 	* Options for handling generators in envelopes.
 	*/
@@ -1278,9 +1335,9 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 			if (password !== void 0) {
 				const encryptedEnvelope = this._generator.data.envelope;
 				try {
-					const generatorData = encryptedEnvelope.decryptSubject(password).tryUnwrap().asByteString();
+					const generatorData = encryptedEnvelope.unlockSubject(password).subject().tryUnwrap().asByteString();
 					if (generatorData !== void 0) {
-						const json = (0, _bcts_dcbor.decodeCbor)(generatorData);
+						const json = decodeGeneratorJSON(generatorData);
 						const generator = _bcts_provenance_mark.ProvenanceMarkGenerator.fromJSON(json);
 						this._generator = {
 							data: {
@@ -1298,6 +1355,30 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 			throw XIDError.invalidPassword();
 		}
 		/**
+		* Get the generator envelope, optionally decrypting it.
+		*
+		* Returns:
+		* - undefined if no generator
+		* - An envelope containing the generator if unencrypted
+		* - The decrypted envelope if encrypted + correct password
+		* - The encrypted envelope as-is if encrypted + no password
+		* - Throws on wrong password
+		*/
+		generatorEnvelope(password) {
+			if (this._generator === void 0) return;
+			const { data } = this._generator;
+			if (data.type === "decrypted") {
+				const generatorBytes = encodeGeneratorJSON(data.generator.toJSON());
+				return _bcts_envelope.Envelope.new(generatorBytes);
+			}
+			if (password !== void 0) try {
+				return data.envelope.unlockSubject(new TextEncoder().encode(password)).subject().tryUnwrap();
+			} catch {
+				throw XIDError.invalidPassword();
+			}
+			return data.envelope;
+		}
+		/**
 		* Convert to envelope with specified options.
 		*/
 		intoEnvelopeOpt(generatorOptions = XIDGeneratorOptions.Omit) {
@@ -1309,13 +1390,13 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 					envelope = envelope.addAssertion(kv$1(_bcts_known_values.SALT), salt.toData());
 				} else if (data.type === "decrypted") switch (typeof generatorOptions === "object" ? generatorOptions.type : generatorOptions) {
 					case XIDGeneratorOptions.Include: {
-						const generatorBytes = (0, _bcts_dcbor.cborData)(data.generator.toJSON());
+						const generatorBytes = encodeGeneratorJSON(data.generator.toJSON());
 						envelope = envelope.addAssertion(kv$1(_bcts_known_values.PROVENANCE_GENERATOR), generatorBytes);
 						envelope = envelope.addAssertion(kv$1(_bcts_known_values.SALT), salt.toData());
 						break;
 					}
 					case XIDGeneratorOptions.Elide: {
-						const generatorBytes2 = (0, _bcts_dcbor.cborData)(data.generator.toJSON());
+						const generatorBytes2 = encodeGeneratorJSON(data.generator.toJSON());
 						const elidedAssertion = _bcts_envelope.Envelope.newAssertion(kv$1(_bcts_known_values.PROVENANCE_GENERATOR), generatorBytes2).elide();
 						envelope = envelope.addAssertionEnvelope(elidedAssertion);
 						envelope = envelope.addAssertion(kv$1(_bcts_known_values.SALT), salt.toData());
@@ -1323,8 +1404,10 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 					}
 					case XIDGeneratorOptions.Encrypt:
 						if (typeof generatorOptions === "object") {
-							const generatorBytes3 = (0, _bcts_dcbor.cborData)(data.generator.toJSON());
-							const encrypted = _bcts_envelope.Envelope.new(generatorBytes3).wrap().encryptSubject(generatorOptions.password);
+							const generatorBytes3 = encodeGeneratorJSON(data.generator.toJSON());
+							const wrapped = _bcts_envelope.Envelope.new(generatorBytes3).wrap();
+							const method = generatorOptions.method ?? (0, _bcts_components.defaultKeyDerivationMethod)();
+							const encrypted = wrapped.lockSubject(method, generatorOptions.password);
 							envelope = envelope.addAssertion(kv$1(_bcts_known_values.PROVENANCE_GENERATOR), encrypted);
 							envelope = envelope.addAssertion(kv$1(_bcts_known_values.SALT), salt.toData());
 						}
@@ -1361,10 +1444,10 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 				const assertionCase = generatorAssertions[0].case();
 				if (assertionCase.type === "assertion") {
 					const generatorObject = assertionCase.assertion.object();
-					if (generatorObject.case().type === "encrypted") if (password !== void 0) try {
-						const generatorData = generatorObject.decryptSubject(password).tryUnwrap().asByteString();
+					if (generatorObject.isLockedWithPassword()) if (password !== void 0) try {
+						const generatorData = generatorObject.unlockSubject(password).subject().tryUnwrap().asByteString();
 						if (generatorData !== void 0) {
-							const json = (0, _bcts_dcbor.decodeCbor)(generatorData);
+							const json = decodeGeneratorJSON(generatorData);
 							generator = {
 								data: {
 									type: "decrypted",
@@ -1392,7 +1475,7 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 					else {
 						const generatorData = generatorObject.asByteString();
 						if (generatorData !== void 0) {
-							const json2 = (0, _bcts_dcbor.decodeCbor)(generatorData);
+							const json2 = decodeGeneratorJSON(generatorData);
 							generator = {
 								data: {
 									type: "decrypted",
@@ -1439,6 +1522,8 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 	const SERVICE_RAW = _bcts_known_values.SERVICE.value();
 	const PROVENANCE_RAW = _bcts_known_values.PROVENANCE.value();
 	const DEREFERENCE_VIA_RAW = _bcts_known_values.DEREFERENCE_VIA.value();
+	const ATTACHMENT_RAW_VALUE = Number(_bcts_known_values.ATTACHMENT_RAW);
+	const EDGE_RAW_VALUE = Number(_bcts_known_values.EDGE_RAW);
 	/**
 	* Options for verifying the signature on an envelope when loading.
 	*/
@@ -1459,13 +1544,17 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 		_delegates;
 		_services;
 		_provenance;
-		constructor(xid, resolutionMethods = /* @__PURE__ */ new Set(), keys = /* @__PURE__ */ new Map(), delegates = /* @__PURE__ */ new Map(), services = /* @__PURE__ */ new Map(), provenance) {
+		_attachments;
+		_edges;
+		constructor(xid, resolutionMethods = /* @__PURE__ */ new Set(), keys = /* @__PURE__ */ new Map(), delegates = /* @__PURE__ */ new Map(), services = /* @__PURE__ */ new Map(), provenance, attachments, edges) {
 			this._xid = xid;
 			this._resolutionMethods = resolutionMethods;
 			this._keys = keys;
 			this._delegates = delegates;
 			this._services = services;
 			this._provenance = provenance;
+			this._attachments = attachments ?? new _bcts_envelope.Attachments();
+			this._edges = edges ?? new _bcts_envelope.Edges();
 		}
 		/**
 		* Create a new XIDDocument with the given options.
@@ -1473,7 +1562,7 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 		static new(keyOptions = { type: "default" }, markOptions = { type: "none" }) {
 			const inceptionKey = XIDDocument.inceptionKeyForOptions(keyOptions);
 			const provenance = XIDDocument.genesisMarkWithOptions(markOptions);
-			const doc = new XIDDocument(_bcts_components.XID.from(inceptionKey.publicKeys().reference().getDigest().toData()), /* @__PURE__ */ new Set(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), provenance);
+			const doc = new XIDDocument(_bcts_components.XID.newFromSigningKey(inceptionKey.publicKeys().signingPublicKey()), /* @__PURE__ */ new Set(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), provenance);
 			doc.addKey(inceptionKey);
 			return doc;
 		}
@@ -1582,16 +1671,17 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 			if (!this._keys.delete(hashKey)) throw XIDError.notFound("key");
 		}
 		/**
-		* Check if the given public keys is the inception signing key.
+		* Check if the given signing public key is the inception signing key.
+		* Matches Rust: `is_inception_signing_key(&self, signing_public_key: &SigningPublicKey) -> bool`
 		*/
-		isInceptionKey(publicKeys) {
-			return bytesEqual(publicKeys.reference().getDigest().toData(), this._xid.toData());
+		isInceptionSigningKey(signingPublicKey) {
+			return this._xid.validate(signingPublicKey);
 		}
 		/**
 		* Get the inception key, if it exists in the document.
 		*/
 		inceptionKey() {
-			for (const key of this._keys.values()) if (this.isInceptionKey(key.publicKeys())) return key;
+			for (const key of this._keys.values()) if (this.isInceptionSigningKey(key.publicKeys().signingPublicKey())) return key;
 		}
 		/**
 		* Get the inception private keys, if available.
@@ -1620,6 +1710,136 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 			return inceptionKey;
 		}
 		/**
+		* Set the name (nickname) for a key identified by its public keys.
+		*/
+		setNameForKey(publicKeys, name) {
+			const key = this.takeKey(publicKeys);
+			if (key === void 0) throw XIDError.notFound("key");
+			key.setNickname(name);
+			this.addKey(key);
+		}
+		/**
+		* Get the inception signing public key, if it exists.
+		*/
+		inceptionSigningKey() {
+			return this.inceptionKey()?.publicKeys().signingPublicKey();
+		}
+		/**
+		* Get the verification (signing) key for this document.
+		* Prefers the inception key. Falls back to the first key.
+		*/
+		verificationKey() {
+			const inceptionKey = this.inceptionKey();
+			if (inceptionKey !== void 0) return inceptionKey.publicKeys().signingPublicKey();
+			return this._keys.values().next().value?.publicKeys().signingPublicKey();
+		}
+		/**
+		* Extract inception private keys from an envelope (convenience static method).
+		*/
+		static extractInceptionPrivateKeysFromEnvelope(envelope, password) {
+			return XIDDocument.fromEnvelope(envelope, password, XIDVerifySignature.None).inceptionPrivateKeys();
+		}
+		/**
+		* Get the private key envelope for a specific key, optionally decrypting it.
+		*/
+		privateKeyEnvelopeForKey(publicKeys, password) {
+			const key = this.findKeyByPublicKeys(publicKeys);
+			if (key === void 0) return;
+			return key.privateKeyEnvelope(password);
+		}
+		/**
+		* Check that the document contains a key with the given public keys.
+		* Throws if not found.
+		*/
+		checkContainsKey(publicKeys) {
+			if (this.findKeyByPublicKeys(publicKeys) === void 0) throw XIDError.keyNotFoundInDocument(publicKeys.toString());
+		}
+		/**
+		* Check that the document contains a delegate with the given XID.
+		* Throws if not found.
+		*/
+		checkContainsDelegate(xid) {
+			if (this.findDelegateByXid(xid) === void 0) throw XIDError.delegateNotFoundInDocument(xid.toString());
+		}
+		/**
+		* Get the attachments container.
+		*/
+		getAttachments() {
+			return this._attachments;
+		}
+		/**
+		* Add an attachment with the specified payload and metadata.
+		*/
+		addAttachment(payload, vendor, conformsTo) {
+			this._attachments.add(payload, vendor, conformsTo);
+		}
+		/**
+		* Check if the document has any attachments.
+		*/
+		hasAttachments() {
+			return !this._attachments.isEmpty();
+		}
+		/**
+		* Remove all attachments.
+		*/
+		clearAttachments() {
+			this._attachments.clear();
+		}
+		/**
+		* Get an attachment by its digest.
+		*/
+		getAttachment(digest) {
+			return this._attachments.get(digest);
+		}
+		/**
+		* Remove an attachment by its digest.
+		*/
+		removeAttachment(digest) {
+			return this._attachments.remove(digest);
+		}
+		/**
+		* Get the edges container (read-only).
+		*/
+		edges() {
+			return this._edges;
+		}
+		/**
+		* Get the edges container (mutable).
+		*/
+		edgesMut() {
+			return this._edges;
+		}
+		/**
+		* Add an edge envelope.
+		*/
+		addEdge(edgeEnvelope) {
+			this._edges.add(edgeEnvelope);
+		}
+		/**
+		* Get an edge by its digest.
+		*/
+		getEdge(digest) {
+			return this._edges.get(digest);
+		}
+		/**
+		* Remove an edge by its digest.
+		*/
+		removeEdge(digest) {
+			return this._edges.remove(digest);
+		}
+		/**
+		* Remove all edges.
+		*/
+		clearEdges() {
+			this._edges.clear();
+		}
+		/**
+		* Check if the document has any edges.
+		*/
+		hasEdges() {
+			return !this._edges.isEmpty();
+		}
+		/**
 		* Check if the document is empty (no keys, delegates, services, or provenance).
 		*/
 		isEmpty() {
@@ -1796,12 +2016,14 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 		* Convert to envelope with options.
 		*/
 		toEnvelope(privateKeyOptions = XIDPrivateKeyOptions.Omit, generatorOptions = XIDGeneratorOptions.Omit, signingOptions = { type: "none" }) {
-			let envelope = _bcts_envelope.Envelope.new(this._xid.toData());
+			let envelope = _bcts_envelope.Envelope.newLeaf(this._xid.taggedCbor());
 			for (const method of this._resolutionMethods) envelope = envelope.addAssertion(kv(_bcts_known_values.DEREFERENCE_VIA), method);
 			for (const key of this._keys.values()) envelope = envelope.addAssertion(kv(_bcts_known_values.KEY), key.intoEnvelopeOpt(privateKeyOptions));
 			for (const delegate of this._delegates.values()) envelope = envelope.addAssertion(kv(_bcts_known_values.DELEGATE), delegate.intoEnvelope());
 			for (const service of this._services.values()) envelope = envelope.addAssertion(kv(_bcts_known_values.SERVICE), service.intoEnvelope());
 			if (this._provenance !== void 0) envelope = envelope.addAssertion(kv(_bcts_known_values.PROVENANCE), this._provenance.intoEnvelopeOpt(generatorOptions));
+			envelope = this._attachments.addToEnvelope(envelope);
+			envelope = this._edges.addToEnvelope(envelope);
 			switch (signingOptions.type) {
 				case "inception": {
 					const inceptionKey = this.inceptionKey();
@@ -1811,19 +2033,18 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 					envelope = envelope.sign(privateKeys);
 					break;
 				}
-				case "privateKeyBase": {
-					const privateKeys = signingOptions.privateKeyBase.ed25519PrivateKeys();
-					envelope = envelope.sign(privateKeys);
-					break;
-				}
 				case "privateKeys":
 					envelope = envelope.sign(signingOptions.privateKeys);
 					break;
+				case "signingPrivateKey":
+					envelope = envelope.sign(signingOptions.signingPrivateKey);
+					break;
 				default: break;
 			}
 			return envelope;
 		}
 		intoEnvelope() {
+			if (this.isEmpty()) return _bcts_envelope.Envelope.new(this._xid.toData());
 			return this.toEnvelope();
 		}
 		/**
@@ -1835,25 +2056,42 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 				case XIDVerifySignature.None: {
 					const subject = envelopeExt.subject();
 					const envelopeToParse = subject.isWrapped() ? subject.tryUnwrap() : envelope;
-					return XIDDocument.fromEnvelopeInner(envelopeToParse, password);
+					const attachments = _bcts_envelope.Attachments.fromEnvelope(envelopeToParse);
+					const edges = _bcts_envelope.Edges.fromEnvelope(envelopeToParse);
+					const doc = XIDDocument.fromEnvelopeInner(envelopeToParse, password);
+					doc._attachments = attachments;
+					doc._edges = edges;
+					return doc;
 				}
 				case XIDVerifySignature.Inception: {
 					if (!envelopeExt.subject().isWrapped()) throw XIDError.envelopeNotSigned();
 					const unwrapped = envelopeExt.tryUnwrap();
+					const attachments = _bcts_envelope.Attachments.fromEnvelope(unwrapped);
+					const edges = _bcts_envelope.Edges.fromEnvelope(unwrapped);
 					const doc = XIDDocument.fromEnvelopeInner(unwrapped, password);
 					const inceptionKey = doc.inceptionKey();
 					if (inceptionKey === void 0) throw XIDError.missingInceptionKey();
 					if (!envelopeExt.hasSignatureFrom(inceptionKey.publicKeys())) throw XIDError.signatureVerificationFailed();
-					if (!doc.isInceptionKey(inceptionKey.publicKeys())) throw XIDError.invalidXid();
+					if (!doc.isInceptionSigningKey(inceptionKey.publicKeys().signingPublicKey())) throw XIDError.invalidXid();
+					doc._attachments = attachments;
+					doc._edges = edges;
 					return doc;
 				}
 			}
 		}
 		static fromEnvelopeInner(envelope, password) {
 			const envelopeExt = envelope;
-			const xidData = (envelope.case().type === "node" ? envelopeExt.subject() : envelope).asByteString();
-			if (xidData === void 0) throw XIDError.invalidXid();
-			const xid = _bcts_components.XID.from(xidData);
+			const subject = envelope.case().type === "node" ? envelopeExt.subject() : envelope;
+			const leaf = subject.asLeaf?.();
+			if (leaf === void 0) throw XIDError.invalidXid();
+			let xid;
+			try {
+				xid = _bcts_components.XID.fromTaggedCbor(leaf);
+			} catch {
+				const xidData = subject.asByteString();
+				if (xidData === void 0) throw XIDError.invalidXid();
+				xid = _bcts_components.XID.from(xidData);
+			}
 			const doc = XIDDocument.fromXid(xid);
 			for (const assertion of envelopeExt.assertions()) {
 				const assertionCase = assertion.case();
@@ -1888,6 +2126,8 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 						if (doc._provenance !== void 0) throw XIDError.multipleProvenanceMarks();
 						doc._provenance = Provenance.tryFromEnvelope(object, password);
 						break;
+					case ATTACHMENT_RAW_VALUE: break;
+					case EDGE_RAW_VALUE: break;
 					default: throw XIDError.unexpectedPredicate(String(predicate));
 				}
 			}
@@ -1898,7 +2138,13 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 		* Create a signed envelope.
 		*/
 		toSignedEnvelope(signingKey) {
-			return this.toEnvelope(XIDPrivateKeyOptions.Omit, XIDGeneratorOptions.Omit, { type: "none" }).sign(signingKey);
+			return this.toSignedEnvelopeOpt(signingKey, XIDPrivateKeyOptions.Omit);
+		}
+		/**
+		* Create a signed envelope with private key options.
+		*/
+		toSignedEnvelopeOpt(signingKey, privateKeyOptions = XIDPrivateKeyOptions.Omit) {
+			return this.toEnvelope(privateKeyOptions, XIDGeneratorOptions.Omit, { type: "none" }).sign(signingKey);
 		}
 		/**
 		* Get the reference for this document.
@@ -1910,13 +2156,41 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 		* Check equality with another XIDDocument.
 		*/
 		equals(other) {
-			return this._xid.equals(other._xid);
+			if (!this._xid.equals(other._xid)) return false;
+			if (this._resolutionMethods.size !== other._resolutionMethods.size) return false;
+			for (const m of this._resolutionMethods) if (!other._resolutionMethods.has(m)) return false;
+			if (this._keys.size !== other._keys.size) return false;
+			for (const [hash, key] of this._keys) {
+				const otherKey = other._keys.get(hash);
+				if (otherKey === void 0 || !key.equals(otherKey)) return false;
+			}
+			if (this._delegates.size !== other._delegates.size) return false;
+			for (const [hash, delegate] of this._delegates) {
+				const otherDelegate = other._delegates.get(hash);
+				if (otherDelegate === void 0 || !delegate.equals(otherDelegate)) return false;
+			}
+			if (this._services.size !== other._services.size) return false;
+			for (const [uri, service] of this._services) {
+				const otherService = other._services.get(uri);
+				if (otherService === void 0 || !service.equals(otherService)) return false;
+			}
+			if (this._provenance === void 0 && other._provenance !== void 0) return false;
+			if (this._provenance !== void 0 && other._provenance === void 0) return false;
+			if (this._provenance !== void 0 && other._provenance !== void 0) {
+				if (!this._provenance.equals(other._provenance)) return false;
+			}
+			if (!this._attachments.equals(other._attachments)) return false;
+			if (!this._edges.equals(other._edges)) return false;
+			return true;
 		}
 		/**
 		* Clone this XIDDocument.
 		*/
 		clone() {
-			return new XIDDocument(this._xid, new Set(this._resolutionMethods), new Map(Array.from(this._keys.entries()).map(([k, v]) => [k, v.clone()])), new Map(Array.from(this._delegates.entries()).map(([k, v]) => [k, v.clone()])), new Map(Array.from(this._services.entries()).map(([k, v]) => [k, v.clone()])), this._provenance?.clone());
+			const doc = new XIDDocument(this._xid, new Set(this._resolutionMethods), new Map(Array.from(this._keys.entries()).map(([k, v]) => [k, v.clone()])), new Map(Array.from(this._delegates.entries()).map(([k, v]) => [k, v.clone()])), new Map(Array.from(this._services.entries()).map(([k, v]) => [k, v.clone()])), this._provenance?.clone());
+			for (const [, env] of this._attachments.iter()) doc._attachments.addEnvelope(env);
+			for (const [, env] of this._edges.iter()) doc._edges.add(env);
+			return doc;
 		}
 		/**
 		* Try to extract from envelope (alias for fromEnvelope with default options).
@@ -1937,7 +2211,19 @@ var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_env
 	const VERSION = "1.0.0-alpha.3";
 
 //#endregion
+Object.defineProperty(exports, 'Attachments', {
+  enumerable: true,
+  get: function () {
+    return _bcts_envelope.Attachments;
+  }
+});
 exports.Delegate = Delegate;
+Object.defineProperty(exports, 'Edges', {
+  enumerable: true,
+  get: function () {
+    return _bcts_envelope.Edges;
+  }
+});
 exports.HasNicknameMixin = HasNicknameMixin;
 exports.HasPermissionsMixin = HasPermissionsMixin;
 exports.Key = Key;
@@ -1965,5 +2251,5 @@ exports.privilegeToEnvelope = privilegeToEnvelope;
 exports.privilegeToKnownValue = privilegeToKnownValue;
 exports.registerXIDDocumentClass = registerXIDDocumentClass;
 return exports;
-})({}, bctsComponents, bctsKnownValues, bctsEnvelope, bctsProvenanceMark, bctsDcbor);
+})({}, bctsComponents, bctsKnownValues, bctsEnvelope, bctsProvenanceMark);
 //# sourceMappingURL=index.iife.js.map