@bcts/xid 1.0.0-alpha.5

package/dist/index.mjs

@@ -0,0 +1,1923 @@
+import { ALLOW, CAPABILITY, DELEGATE, DENY, DEREFERENCE_VIA, ENDPOINT, KEY, NAME, NICKNAME, PRIVATE_KEY, PRIVILEGE_ACCESS, PRIVILEGE_ALL, PRIVILEGE_AUTH, PRIVILEGE_BURN, PRIVILEGE_DELEGATE, PRIVILEGE_ELECT, PRIVILEGE_ELIDE, PRIVILEGE_ENCRYPT, PRIVILEGE_ISSUE, PRIVILEGE_REVOKE, PRIVILEGE_SIGN, PRIVILEGE_TRANSFER, PRIVILEGE_UPDATE, PRIVILEGE_VERIFY, PROVENANCE, PROVENANCE_GENERATOR, SALT, SERVICE } from "@bcts/known-values";
+import { Envelope, PrivateKeyBase, PublicKeyBase } from "@bcts/envelope";
+import { Reference, Salt, XID } from "@bcts/components";
+import { ProvenanceMark, ProvenanceMarkGenerator, ProvenanceMarkResolution } from "@bcts/provenance-mark";
+import { cborData, decodeCbor } from "@bcts/dcbor";
+
+//#region src/error.ts
+/**
+* XID Error Types
+*
+* Error types returned when operating on XID Documents.
+* Ported from bc-xid-rust/src/error.rs
+*/
+let XIDErrorCode = /* @__PURE__ */ function(XIDErrorCode$1) {
+	XIDErrorCode$1["DUPLICATE"] = "DUPLICATE";
+	XIDErrorCode$1["NOT_FOUND"] = "NOT_FOUND";
+	XIDErrorCode$1["STILL_REFERENCED"] = "STILL_REFERENCED";
+	XIDErrorCode$1["EMPTY_VALUE"] = "EMPTY_VALUE";
+	XIDErrorCode$1["UNKNOWN_PRIVILEGE"] = "UNKNOWN_PRIVILEGE";
+	XIDErrorCode$1["INVALID_XID"] = "INVALID_XID";
+	XIDErrorCode$1["MISSING_INCEPTION_KEY"] = "MISSING_INCEPTION_KEY";
+	XIDErrorCode$1["INVALID_RESOLUTION_METHOD"] = "INVALID_RESOLUTION_METHOD";
+	XIDErrorCode$1["MULTIPLE_PROVENANCE_MARKS"] = "MULTIPLE_PROVENANCE_MARKS";
+	XIDErrorCode$1["UNEXPECTED_PREDICATE"] = "UNEXPECTED_PREDICATE";
+	XIDErrorCode$1["UNEXPECTED_NESTED_ASSERTIONS"] = "UNEXPECTED_NESTED_ASSERTIONS";
+	XIDErrorCode$1["NO_PERMISSIONS"] = "NO_PERMISSIONS";
+	XIDErrorCode$1["NO_REFERENCES"] = "NO_REFERENCES";
+	XIDErrorCode$1["UNKNOWN_KEY_REFERENCE"] = "UNKNOWN_KEY_REFERENCE";
+	XIDErrorCode$1["UNKNOWN_DELEGATE_REFERENCE"] = "UNKNOWN_DELEGATE_REFERENCE";
+	XIDErrorCode$1["KEY_NOT_FOUND_IN_DOCUMENT"] = "KEY_NOT_FOUND_IN_DOCUMENT";
+	XIDErrorCode$1["DELEGATE_NOT_FOUND_IN_DOCUMENT"] = "DELEGATE_NOT_FOUND_IN_DOCUMENT";
+	XIDErrorCode$1["INVALID_PASSWORD"] = "INVALID_PASSWORD";
+	XIDErrorCode$1["ENVELOPE_NOT_SIGNED"] = "ENVELOPE_NOT_SIGNED";
+	XIDErrorCode$1["SIGNATURE_VERIFICATION_FAILED"] = "SIGNATURE_VERIFICATION_FAILED";
+	XIDErrorCode$1["NO_PROVENANCE_MARK"] = "NO_PROVENANCE_MARK";
+	XIDErrorCode$1["GENERATOR_CONFLICT"] = "GENERATOR_CONFLICT";
+	XIDErrorCode$1["NO_GENERATOR"] = "NO_GENERATOR";
+	XIDErrorCode$1["CHAIN_ID_MISMATCH"] = "CHAIN_ID_MISMATCH";
+	XIDErrorCode$1["SEQUENCE_MISMATCH"] = "SEQUENCE_MISMATCH";
+	XIDErrorCode$1["ENVELOPE_PARSING"] = "ENVELOPE_PARSING";
+	XIDErrorCode$1["COMPONENT"] = "COMPONENT";
+	XIDErrorCode$1["CBOR"] = "CBOR";
+	XIDErrorCode$1["PROVENANCE_MARK"] = "PROVENANCE_MARK";
+	return XIDErrorCode$1;
+}({});
+var XIDError = class XIDError extends Error {
+	code;
+	constructor(code, message, cause) {
+		super(message);
+		this.name = "XIDError";
+		this.code = code;
+		if (cause !== void 0) this.cause = cause;
+		if ("captureStackTrace" in Error) Error.captureStackTrace(this, XIDError);
+	}
+	/**
+	* Returned when attempting to add a duplicate item.
+	*/
+	static duplicate(item) {
+		return new XIDError(XIDErrorCode.DUPLICATE, `duplicate item: ${item}`);
+	}
+	/**
+	* Returned when an item is not found.
+	*/
+	static notFound(item) {
+		return new XIDError(XIDErrorCode.NOT_FOUND, `item not found: ${item}`);
+	}
+	/**
+	* Returned when an item is still referenced by other items.
+	*/
+	static stillReferenced(item) {
+		return new XIDError(XIDErrorCode.STILL_REFERENCED, `item is still referenced: ${item}`);
+	}
+	/**
+	* Returned when a value is invalid or empty.
+	*/
+	static emptyValue(field) {
+		return new XIDError(XIDErrorCode.EMPTY_VALUE, `invalid or empty value: ${field}`);
+	}
+	/**
+	* Returned when an unknown privilege is encountered.
+	*/
+	static unknownPrivilege() {
+		return new XIDError(XIDErrorCode.UNKNOWN_PRIVILEGE, "unknown privilege");
+	}
+	/**
+	* Returned when the XID is invalid.
+	*/
+	static invalidXid() {
+		return new XIDError(XIDErrorCode.INVALID_XID, "invalid XID");
+	}
+	/**
+	* Returned when the inception key is missing.
+	*/
+	static missingInceptionKey() {
+		return new XIDError(XIDErrorCode.MISSING_INCEPTION_KEY, "missing inception key");
+	}
+	/**
+	* Returned when the resolution method is invalid.
+	*/
+	static invalidResolutionMethod() {
+		return new XIDError(XIDErrorCode.INVALID_RESOLUTION_METHOD, "invalid resolution method");
+	}
+	/**
+	* Returned when multiple provenance marks are found.
+	*/
+	static multipleProvenanceMarks() {
+		return new XIDError(XIDErrorCode.MULTIPLE_PROVENANCE_MARKS, "multiple provenance marks");
+	}
+	/**
+	* Returned when an unexpected predicate is encountered.
+	*/
+	static unexpectedPredicate(predicate) {
+		return new XIDError(XIDErrorCode.UNEXPECTED_PREDICATE, `unexpected predicate: ${predicate}`);
+	}
+	/**
+	* Returned when unexpected nested assertions are found.
+	*/
+	static unexpectedNestedAssertions() {
+		return new XIDError(XIDErrorCode.UNEXPECTED_NESTED_ASSERTIONS, "unexpected nested assertions");
+	}
+	/**
+	* Returned when a service has no permissions.
+	*/
+	static noPermissions(uri) {
+		return new XIDError(XIDErrorCode.NO_PERMISSIONS, `no permissions in service '${uri}'`);
+	}
+	/**
+	* Returned when a service has no key or delegate references.
+	*/
+	static noReferences(uri) {
+		return new XIDError(XIDErrorCode.NO_REFERENCES, `no key or delegate references in service '${uri}'`);
+	}
+	/**
+	* Returned when an unknown key reference is found in a service.
+	*/
+	static unknownKeyReference(reference, uri) {
+		return new XIDError(XIDErrorCode.UNKNOWN_KEY_REFERENCE, `unknown key reference ${reference} in service '${uri}'`);
+	}
+	/**
+	* Returned when an unknown delegate reference is found in a service.
+	*/
+	static unknownDelegateReference(reference, uri) {
+		return new XIDError(XIDErrorCode.UNKNOWN_DELEGATE_REFERENCE, `unknown delegate reference ${reference} in service '${uri}'`);
+	}
+	/**
+	* Returned when a key is not found in the XID document.
+	*/
+	static keyNotFoundInDocument(key) {
+		return new XIDError(XIDErrorCode.KEY_NOT_FOUND_IN_DOCUMENT, `key not found in XID document: ${key}`);
+	}
+	/**
+	* Returned when a delegate is not found in the XID document.
+	*/
+	static delegateNotFoundInDocument(delegate) {
+		return new XIDError(XIDErrorCode.DELEGATE_NOT_FOUND_IN_DOCUMENT, `delegate not found in XID document: ${delegate}`);
+	}
+	/**
+	* Returned when the password is invalid.
+	*/
+	static invalidPassword() {
+		return new XIDError(XIDErrorCode.INVALID_PASSWORD, "invalid password");
+	}
+	/**
+	* Returned when the envelope is not signed.
+	*/
+	static envelopeNotSigned() {
+		return new XIDError(XIDErrorCode.ENVELOPE_NOT_SIGNED, "envelope is not signed");
+	}
+	/**
+	* Returned when signature verification fails.
+	*/
+	static signatureVerificationFailed() {
+		return new XIDError(XIDErrorCode.SIGNATURE_VERIFICATION_FAILED, "signature verification failed");
+	}
+	/**
+	* Returned when there is no provenance mark to advance.
+	*/
+	static noProvenanceMark() {
+		return new XIDError(XIDErrorCode.NO_PROVENANCE_MARK, "no provenance mark to advance");
+	}
+	/**
+	* Returned when document already has generator but external generator was provided.
+	*/
+	static generatorConflict() {
+		return new XIDError(XIDErrorCode.GENERATOR_CONFLICT, "document already has generator, cannot provide external generator");
+	}
+	/**
+	* Returned when document does not have generator but needs one.
+	*/
+	static noGenerator() {
+		return new XIDError(XIDErrorCode.NO_GENERATOR, "document does not have generator, must provide external generator");
+	}
+	/**
+	* Returned when generator chain ID doesn't match.
+	*/
+	static chainIdMismatch(expected, actual) {
+		const expectedHex = Array.from(expected).map((b) => b.toString(16).padStart(2, "0")).join("");
+		const actualHex = Array.from(actual).map((b) => b.toString(16).padStart(2, "0")).join("");
+		return new XIDError(XIDErrorCode.CHAIN_ID_MISMATCH, `generator chain ID mismatch: expected ${expectedHex}, got ${actualHex}`);
+	}
+	/**
+	* Returned when generator sequence doesn't match.
+	*/
+	static sequenceMismatch(expected, actual) {
+		return new XIDError(XIDErrorCode.SEQUENCE_MISMATCH, `generator sequence mismatch: expected ${expected}, got ${actual}`);
+	}
+	/**
+	* Envelope parsing error wrapper.
+	*/
+	static envelopeParsing(cause) {
+		return new XIDError(XIDErrorCode.ENVELOPE_PARSING, "envelope parsing error", cause);
+	}
+	/**
+	* Component error wrapper.
+	*/
+	static component(cause) {
+		return new XIDError(XIDErrorCode.COMPONENT, "component error", cause);
+	}
+	/**
+	* CBOR error wrapper.
+	*/
+	static cbor(cause) {
+		return new XIDError(XIDErrorCode.CBOR, "CBOR error", cause);
+	}
+	/**
+	* Provenance mark error wrapper.
+	*/
+	static provenanceMark(cause) {
+		return new XIDError(XIDErrorCode.PROVENANCE_MARK, "provenance mark error", cause);
+	}
+};
+
+//#endregion
+//#region src/privilege.ts
+/**
+* XID Privileges
+*
+* Defines the various privileges that can be granted to keys and delegates
+* in an XID document.
+*
+* Ported from bc-xid-rust/src/privilege.rs
+*/
+/**
+* Enum representing XID privileges.
+*/
+let Privilege = /* @__PURE__ */ function(Privilege$1) {
+	/** Allow all applicable XID operations */
+	Privilege$1["All"] = "All";
+	/** Authenticate as the subject (e.g., log into services) */
+	Privilege$1["Auth"] = "Auth";
+	/** Sign digital communications as the subject */
+	Privilege$1["Sign"] = "Sign";
+	/** Encrypt messages from the subject */
+	Privilege$1["Encrypt"] = "Encrypt";
+	/** Elide data under the subject's control */
+	Privilege$1["Elide"] = "Elide";
+	/** Issue or revoke verifiable credentials on the subject's authority */
+	Privilege$1["Issue"] = "Issue";
+	/** Access resources under the subject's control */
+	Privilege$1["Access"] = "Access";
+	/** Delegate privileges to third parties */
+	Privilege$1["Delegate"] = "Delegate";
+	/** Verify (update) the XID document */
+	Privilege$1["Verify"] = "Verify";
+	/** Update service endpoints */
+	Privilege$1["Update"] = "Update";
+	/** Remove the inception key from the XID document */
+	Privilege$1["Transfer"] = "Transfer";
+	/** Add or remove other verifiers (rotate keys) */
+	Privilege$1["Elect"] = "Elect";
+	/** Transition to a new provenance mark chain */
+	Privilege$1["Burn"] = "Burn";
+	/** Revoke the XID entirely */
+	Privilege$1["Revoke"] = "Revoke";
+	return Privilege$1;
+}({});
+/**
+* Convert a Privilege to its corresponding KnownValue.
+*/
+function privilegeToKnownValue(privilege) {
+	switch (privilege) {
+		case Privilege.All: return PRIVILEGE_ALL;
+		case Privilege.Auth: return PRIVILEGE_AUTH;
+		case Privilege.Sign: return PRIVILEGE_SIGN;
+		case Privilege.Encrypt: return PRIVILEGE_ENCRYPT;
+		case Privilege.Elide: return PRIVILEGE_ELIDE;
+		case Privilege.Issue: return PRIVILEGE_ISSUE;
+		case Privilege.Access: return PRIVILEGE_ACCESS;
+		case Privilege.Delegate: return PRIVILEGE_DELEGATE;
+		case Privilege.Verify: return PRIVILEGE_VERIFY;
+		case Privilege.Update: return PRIVILEGE_UPDATE;
+		case Privilege.Transfer: return PRIVILEGE_TRANSFER;
+		case Privilege.Elect: return PRIVILEGE_ELECT;
+		case Privilege.Burn: return PRIVILEGE_BURN;
+		case Privilege.Revoke: return PRIVILEGE_REVOKE;
+		default: throw XIDError.unknownPrivilege();
+	}
+}
+/**
+* Convert a KnownValue to its corresponding Privilege.
+*/
+function privilegeFromKnownValue(knownValue) {
+	switch (knownValue.value()) {
+		case PRIVILEGE_ALL.value(): return Privilege.All;
+		case PRIVILEGE_AUTH.value(): return Privilege.Auth;
+		case PRIVILEGE_SIGN.value(): return Privilege.Sign;
+		case PRIVILEGE_ENCRYPT.value(): return Privilege.Encrypt;
+		case PRIVILEGE_ELIDE.value(): return Privilege.Elide;
+		case PRIVILEGE_ISSUE.value(): return Privilege.Issue;
+		case PRIVILEGE_ACCESS.value(): return Privilege.Access;
+		case PRIVILEGE_DELEGATE.value(): return Privilege.Delegate;
+		case PRIVILEGE_VERIFY.value(): return Privilege.Verify;
+		case PRIVILEGE_UPDATE.value(): return Privilege.Update;
+		case PRIVILEGE_TRANSFER.value(): return Privilege.Transfer;
+		case PRIVILEGE_ELECT.value(): return Privilege.Elect;
+		case PRIVILEGE_BURN.value(): return Privilege.Burn;
+		case PRIVILEGE_REVOKE.value(): return Privilege.Revoke;
+		default: throw XIDError.unknownPrivilege();
+	}
+}
+/**
+* Convert a Privilege to an Envelope.
+*/
+function privilegeToEnvelope(privilege) {
+	return Envelope.newWithKnownValue(privilegeToKnownValue(privilege));
+}
+/**
+* Convert an Envelope to a Privilege.
+*/
+function privilegeFromEnvelope(envelope) {
+	const envelopeCase = envelope.case();
+	if (envelopeCase.type !== "knownValue") throw XIDError.unknownPrivilege();
+	return privilegeFromKnownValue(envelopeCase.value);
+}
+
+//#endregion
+//#region src/permissions.ts
+/**
+* XID Permissions
+*
+* Permissions management for XID documents, including allow and deny sets
+* of privileges.
+*
+* Ported from bc-xid-rust/src/permissions.rs
+*/
+/**
+* Helper methods for HasPermissions implementers.
+*/
+const HasPermissionsMixin = {
+	allow(obj) {
+		return obj.permissions().allow;
+	},
+	deny(obj) {
+		return obj.permissions().deny;
+	},
+	addAllow(obj, privilege) {
+		obj.permissionsMut().allow.add(privilege);
+	},
+	addDeny(obj, privilege) {
+		obj.permissionsMut().deny.add(privilege);
+	},
+	removeAllow(obj, privilege) {
+		obj.permissionsMut().allow.delete(privilege);
+	},
+	removeDeny(obj, privilege) {
+		obj.permissionsMut().deny.delete(privilege);
+	},
+	clearAllPermissions(obj) {
+		obj.permissionsMut().allow.clear();
+		obj.permissionsMut().deny.clear();
+	}
+};
+/**
+* Represents the permissions granted to a key or delegate.
+*/
+var Permissions = class Permissions {
+	allow;
+	deny;
+	constructor(allow, deny) {
+		this.allow = allow ?? /* @__PURE__ */ new Set();
+		this.deny = deny ?? /* @__PURE__ */ new Set();
+	}
+	/**
+	* Create a new empty Permissions object.
+	*/
+	static new() {
+		return new Permissions();
+	}
+	/**
+	* Create a new Permissions object that allows all privileges.
+	*/
+	static newAllowAll() {
+		const allow = /* @__PURE__ */ new Set();
+		allow.add(Privilege.All);
+		return new Permissions(allow);
+	}
+	/**
+	* Add permissions assertions to an envelope.
+	*/
+	addToEnvelope(envelope) {
+		let result = envelope;
+		for (const privilege of this.allow) result = result.addAssertion(Envelope.newWithKnownValue(ALLOW.value()), Envelope.newWithKnownValue(privilegeToKnownValue(privilege).value()));
+		for (const privilege of this.deny) result = result.addAssertion(Envelope.newWithKnownValue(DENY.value()), Envelope.newWithKnownValue(privilegeToKnownValue(privilege).value()));
+		return result;
+	}
+	/**
+	* Try to extract Permissions from an envelope.
+	*/
+	static tryFromEnvelope(envelope) {
+		const allow = /* @__PURE__ */ new Set();
+		const deny = /* @__PURE__ */ new Set();
+		const allowObjects = envelope.objectsForPredicate(ALLOW);
+		for (const obj of allowObjects) {
+			const privilege = privilegeFromEnvelope(obj);
+			allow.add(privilege);
+		}
+		const denyObjects = envelope.objectsForPredicate(DENY);
+		for (const obj of denyObjects) {
+			const privilege = privilegeFromEnvelope(obj);
+			deny.add(privilege);
+		}
+		return new Permissions(allow, deny);
+	}
+	/**
+	* Add an allowed privilege.
+	*/
+	addAllow(privilege) {
+		this.allow.add(privilege);
+	}
+	/**
+	* Add a denied privilege.
+	*/
+	addDeny(privilege) {
+		this.deny.add(privilege);
+	}
+	/**
+	* Check if a specific privilege is allowed.
+	*/
+	isAllowed(privilege) {
+		if (this.deny.has(privilege) || this.deny.has(Privilege.All)) return false;
+		return this.allow.has(privilege) || this.allow.has(Privilege.All);
+	}
+	/**
+	* Check if a specific privilege is denied.
+	*/
+	isDenied(privilege) {
+		return this.deny.has(privilege) || this.deny.has(Privilege.All);
+	}
+	permissions() {
+		return this;
+	}
+	permissionsMut() {
+		return this;
+	}
+	/**
+	* Check equality with another Permissions object.
+	*/
+	equals(other) {
+		if (this.allow.size !== other.allow.size || this.deny.size !== other.deny.size) return false;
+		for (const p of this.allow) if (!other.allow.has(p)) return false;
+		for (const p of this.deny) if (!other.deny.has(p)) return false;
+		return true;
+	}
+	/**
+	* Clone this Permissions object.
+	*/
+	clone() {
+		return new Permissions(new Set(this.allow), new Set(this.deny));
+	}
+};
+
+//#endregion
+//#region src/name.ts
+/**
+* XID Name (Nickname) Interface
+*
+* Provides the HasNickname interface for objects that can have a nickname.
+*
+* Ported from bc-xid-rust/src/name.rs
+*/
+/**
+* Helper methods for HasNickname implementers.
+*/
+const HasNicknameMixin = { addNickname(obj, name) {
+	if (obj.nickname() !== "") throw XIDError.duplicate("nickname");
+	if (name === "") throw XIDError.emptyValue("nickname");
+	obj.setNickname(name);
+} };
+
+//#endregion
+//#region src/shared.ts
+/**
+* Shared Reference Wrapper
+*
+* Provides a wrapper for shared references to objects.
+* In TypeScript, we don't have Arc/RwLock like Rust, but we can provide
+* a simple wrapper that allows shared access to a value.
+*
+* Ported from bc-xid-rust/src/shared.rs
+*/
+/**
+* A wrapper for shared references to objects.
+*
+* Unlike Rust's Arc<RwLock<T>>, JavaScript uses reference semantics for objects,
+* so this is primarily a type-safe wrapper that makes the sharing explicit.
+*/
+var Shared = class Shared {
+	value;
+	constructor(value) {
+		this.value = value;
+	}
+	/**
+	* Create a new Shared instance.
+	*/
+	static new(value) {
+		return new Shared(value);
+	}
+	/**
+	* Get a read-only reference to the value.
+	*/
+	read() {
+		return this.value;
+	}
+	/**
+	* Get a mutable reference to the value.
+	*/
+	write() {
+		return this.value;
+	}
+	/**
+	* Check equality with another Shared instance.
+	*/
+	equals(other) {
+		if (this.value === other.value) return true;
+		try {
+			return JSON.stringify(this.value) === JSON.stringify(other.value);
+		} catch {
+			return false;
+		}
+	}
+	/**
+	* Clone this Shared instance.
+	* Note: This creates a shallow copy in JS; for deep copy, implement on T.
+	*/
+	clone() {
+		if (typeof this.value === "object" && this.value !== null && "clone" in this.value && typeof this.value.clone === "function") return new Shared(this.value.clone());
+		return new Shared(this.value);
+	}
+};
+
+//#endregion
+//#region src/key.ts
+/**
+* XID Key
+*
+* Represents a key in an XID document, containing public keys, optional private keys,
+* nickname, endpoints, and permissions.
+*
+* Ported from bc-xid-rust/src/key.rs
+*/
+const kv$3 = (v) => v;
+/**
+* Options for handling private keys in envelopes.
+*/
+let XIDPrivateKeyOptions = /* @__PURE__ */ function(XIDPrivateKeyOptions$1) {
+	/** Omit the private key from the envelope (default). */
+	XIDPrivateKeyOptions$1["Omit"] = "Omit";
+	/** Include the private key in plaintext (with salt for decorrelation). */
+	XIDPrivateKeyOptions$1["Include"] = "Include";
+	/** Include the private key assertion but elide it (maintains digest tree). */
+	XIDPrivateKeyOptions$1["Elide"] = "Elide";
+	/** Include the private key encrypted with a password. */
+	XIDPrivateKeyOptions$1["Encrypt"] = "Encrypt";
+	return XIDPrivateKeyOptions$1;
+}({});
+/**
+* Represents a key in an XID document.
+*/
+var Key = class Key {
+	_publicKeyBase;
+	_privateKeys;
+	_nickname;
+	_endpoints;
+	_permissions;
+	constructor(publicKeyBase, privateKeys, nickname = "", endpoints = /* @__PURE__ */ new Set(), permissions = Permissions.new()) {
+		this._publicKeyBase = publicKeyBase;
+		this._privateKeys = privateKeys;
+		this._nickname = nickname;
+		this._endpoints = endpoints;
+		this._permissions = permissions;
+	}
+	/**
+	* Create a new Key with only public keys.
+	*/
+	static new(publicKeyBase) {
+		return new Key(publicKeyBase);
+	}
+	/**
+	* Create a new Key with public keys and allow-all permissions.
+	*/
+	static newAllowAll(publicKeyBase) {
+		return new Key(publicKeyBase, void 0, "", /* @__PURE__ */ new Set(), Permissions.newAllowAll());
+	}
+	/**
+	* Create a new Key with private key base.
+	*/
+	static newWithPrivateKeyBase(privateKeyBase) {
+		const salt = Salt.random(32);
+		return new Key(privateKeyBase.publicKeys(), {
+			data: {
+				type: "decrypted",
+				privateKeyBase
+			},
+			salt
+		}, "", /* @__PURE__ */ new Set(), Permissions.newAllowAll());
+	}
+	/**
+	* Get the public key base.
+	*/
+	publicKeyBase() {
+		return this._publicKeyBase;
+	}
+	/**
+	* Get the private key base, if available and decrypted.
+	*/
+	privateKeyBase() {
+		if (this._privateKeys === void 0) return void 0;
+		if (this._privateKeys.data.type === "decrypted") return this._privateKeys.data.privateKeyBase;
+	}
+	/**
+	* Check if this key has decrypted private keys.
+	*/
+	hasPrivateKeys() {
+		return this._privateKeys?.data.type === "decrypted";
+	}
+	/**
+	* Check if this key has encrypted private keys.
+	*/
+	hasEncryptedPrivateKeys() {
+		return this._privateKeys?.data.type === "encrypted";
+	}
+	/**
+	* Get the salt used for private key decorrelation.
+	*/
+	privateKeySalt() {
+		return this._privateKeys?.salt;
+	}
+	/**
+	* Get the reference for this key (based on public key).
+	*/
+	reference() {
+		return Reference.hash(this._publicKeyBase.data());
+	}
+	/**
+	* Get the endpoints set.
+	*/
+	endpoints() {
+		return this._endpoints;
+	}
+	/**
+	* Get the endpoints set for mutation.
+	*/
+	endpointsMut() {
+		return this._endpoints;
+	}
+	/**
+	* Add an endpoint.
+	*/
+	addEndpoint(endpoint) {
+		this._endpoints.add(endpoint);
+	}
+	/**
+	* Add a permission.
+	*/
+	addPermission(privilege) {
+		this._permissions.addAllow(privilege);
+	}
+	nickname() {
+		return this._nickname;
+	}
+	setNickname(name) {
+		this._nickname = name;
+	}
+	permissions() {
+		return this._permissions;
+	}
+	permissionsMut() {
+		return this._permissions;
+	}
+	/**
+	* Convert to envelope with specified options.
+	*/
+	intoEnvelopeOpt(privateKeyOptions = XIDPrivateKeyOptions.Omit) {
+		let envelope = Envelope.new(this._publicKeyBase.data());
+		if (this._privateKeys !== void 0) {
+			const { data, salt } = this._privateKeys;
+			if (data.type === "encrypted") {
+				envelope = envelope.addAssertion(kv$3(PRIVATE_KEY), data.envelope);
+				envelope = envelope.addAssertion(kv$3(SALT), salt.toData());
+			} else if (data.type === "decrypted") switch (typeof privateKeyOptions === "object" ? privateKeyOptions.type : privateKeyOptions) {
+				case XIDPrivateKeyOptions.Include:
+					envelope = envelope.addAssertion(kv$3(PRIVATE_KEY), data.privateKeyBase.data());
+					envelope = envelope.addAssertion(kv$3(SALT), salt.toData());
+					break;
+				case XIDPrivateKeyOptions.Elide: {
+					const elidedAssertion = Envelope.newAssertion(kv$3(PRIVATE_KEY), data.privateKeyBase.data()).elide();
+					envelope = envelope.addAssertionEnvelope(elidedAssertion);
+					envelope = envelope.addAssertion(kv$3(SALT), salt.toData());
+					break;
+				}
+				case XIDPrivateKeyOptions.Encrypt:
+					if (typeof privateKeyOptions === "object") {
+						const encrypted = Envelope.new(data.privateKeyBase.data()).encryptSubject(privateKeyOptions.password);
+						envelope = envelope.addAssertion(kv$3(PRIVATE_KEY), encrypted);
+						envelope = envelope.addAssertion(kv$3(SALT), salt.toData());
+					}
+					break;
+				case XIDPrivateKeyOptions.Omit:
+				default: break;
+			}
+		}
+		if (this._nickname !== "") envelope = envelope.addAssertion(kv$3(NICKNAME), this._nickname);
+		for (const endpoint of this._endpoints) envelope = envelope.addAssertion(kv$3(ENDPOINT), endpoint);
+		envelope = this._permissions.addToEnvelope(envelope);
+		return envelope;
+	}
+	intoEnvelope() {
+		return this.intoEnvelopeOpt(XIDPrivateKeyOptions.Omit);
+	}
+	/**
+	* Try to extract a Key from an envelope, optionally with password for decryption.
+	*/
+	static tryFromEnvelope(envelope, password) {
+		const env = envelope;
+		const publicKeyData = (env.case().type === "node" ? env.subject() : env).asByteString();
+		if (publicKeyData === void 0) throw XIDError.component(/* @__PURE__ */ new Error("Could not extract public key from envelope"));
+		const publicKeyBase = new PublicKeyBase(publicKeyData);
+		let privateKeys;
+		let salt = Salt.random(32);
+		const saltAssertions = env.assertionsWithPredicate(SALT);
+		if (saltAssertions.length > 0) {
+			const saltCase = saltAssertions[0].case();
+			if (saltCase.type === "assertion") {
+				const saltData = saltCase.assertion.object().asByteString();
+				if (saltData !== void 0) salt = Salt.from(saltData);
+			}
+		}
+		const privateKeyAssertions = env.assertionsWithPredicate(PRIVATE_KEY);
+		if (privateKeyAssertions.length > 0) {
+			const assertionCase = privateKeyAssertions[0].case();
+			if (assertionCase.type === "assertion") {
+				const privateKeyObject = assertionCase.assertion.object();
+				if (privateKeyObject.case().type === "encrypted") if (password !== void 0) try {
+					const decryptedData = privateKeyObject.decryptSubject(password).asByteString();
+					if (decryptedData !== void 0) privateKeys = {
+						data: {
+							type: "decrypted",
+							privateKeyBase: PrivateKeyBase.fromBytes(decryptedData, publicKeyData)
+						},
+						salt
+					};
+				} catch {
+					privateKeys = {
+						data: {
+							type: "encrypted",
+							envelope: privateKeyObject
+						},
+						salt
+					};
+				}
+				else privateKeys = {
+					data: {
+						type: "encrypted",
+						envelope: privateKeyObject
+					},
+					salt
+				};
+				else {
+					const privateKeyData = privateKeyObject.asByteString();
+					if (privateKeyData !== void 0) privateKeys = {
+						data: {
+							type: "decrypted",
+							privateKeyBase: PrivateKeyBase.fromBytes(privateKeyData, publicKeyData)
+						},
+						salt
+					};
+				}
+			}
+		}
+		let nickname = "";
+		try {
+			const nicknameObj = env.objectForPredicate(NICKNAME);
+			nickname = nicknameObj.asByteString() !== void 0 ? "" : nicknameObj.asText() ?? "";
+		} catch {}
+		const endpoints = /* @__PURE__ */ new Set();
+		const endpointObjects = env.objectsForPredicate(ENDPOINT);
+		for (const obj of endpointObjects) {
+			const text = obj.asText();
+			if (text !== void 0) endpoints.add(text);
+		}
+		const permissions = Permissions.tryFromEnvelope(envelope);
+		return new Key(publicKeyBase, privateKeys, nickname, endpoints, permissions);
+	}
+	/**
+	* Check equality with another Key.
+	*/
+	equals(other) {
+		return this._publicKeyBase.hex() === other._publicKeyBase.hex();
+	}
+	/**
+	* Get a hash key for use in Sets/Maps.
+	*/
+	hashKey() {
+		return this._publicKeyBase.hex();
+	}
+	/**
+	* Clone this Key.
+	*/
+	clone() {
+		return new Key(this._publicKeyBase, this._privateKeys !== void 0 ? {
+			data: this._privateKeys.data,
+			salt: this._privateKeys.salt
+		} : void 0, this._nickname, new Set(this._endpoints), this._permissions.clone());
+	}
+};
+
+//#endregion
+//#region src/service.ts
+/**
+* XID Service
+*
+* Represents a service endpoint in an XID document, containing URI, key references,
+* delegate references, permissions, capability, and name.
+*
+* Ported from bc-xid-rust/src/service.rs
+*/
+const kv$2 = (v) => v;
+const KEY_RAW$1 = KEY.value();
+const DELEGATE_RAW$1 = DELEGATE.value();
+const NAME_RAW = NAME.value();
+const CAPABILITY_RAW = CAPABILITY.value();
+const ALLOW_RAW = ALLOW.value();
+/**
+* Represents a service endpoint in an XID document.
+*/
+var Service = class Service {
+	_uri;
+	_keyReferences;
+	_delegateReferences;
+	_permissions;
+	_capability;
+	_name;
+	constructor(uri) {
+		this._uri = uri;
+		this._keyReferences = /* @__PURE__ */ new Set();
+		this._delegateReferences = /* @__PURE__ */ new Set();
+		this._permissions = Permissions.new();
+		this._capability = "";
+		this._name = "";
+	}
+	/**
+	* Create a new Service with the given URI.
+	*/
+	static new(uri) {
+		return new Service(uri);
+	}
+	/**
+	* Get the service URI.
+	*/
+	uri() {
+		return this._uri;
+	}
+	/**
+	* Get the capability string.
+	*/
+	capability() {
+		return this._capability;
+	}
+	/**
+	* Set the capability string.
+	*/
+	setCapability(capability) {
+		this._capability = capability;
+	}
+	/**
+	* Add a capability, throwing if one already exists or is empty.
+	*/
+	addCapability(capability) {
+		if (this._capability !== "") throw XIDError.duplicate("capability");
+		if (capability === "") throw XIDError.emptyValue("capability");
+		this.setCapability(capability);
+	}
+	/**
+	* Get the key references set.
+	*/
+	keyReferences() {
+		return this._keyReferences;
+	}
+	/**
+	* Get the key references set for mutation.
+	*/
+	keyReferencesMut() {
+		return this._keyReferences;
+	}
+	/**
+	* Add a key reference by hex string.
+	*/
+	addKeyReferenceHex(keyReferenceHex) {
+		if (this._keyReferences.has(keyReferenceHex)) throw XIDError.duplicate("key reference");
+		this._keyReferences.add(keyReferenceHex);
+	}
+	/**
+	* Add a key reference.
+	*/
+	addKeyReference(keyReference) {
+		this.addKeyReferenceHex(keyReference.toHex());
+	}
+	/**
+	* Get the delegate references set.
+	*/
+	delegateReferences() {
+		return this._delegateReferences;
+	}
+	/**
+	* Get the delegate references set for mutation.
+	*/
+	delegateReferencesMut() {
+		return this._delegateReferences;
+	}
+	/**
+	* Add a delegate reference by hex string.
+	*/
+	addDelegateReferenceHex(delegateReferenceHex) {
+		if (this._delegateReferences.has(delegateReferenceHex)) throw XIDError.duplicate("delegate reference");
+		this._delegateReferences.add(delegateReferenceHex);
+	}
+	/**
+	* Add a delegate reference.
+	*/
+	addDelegateReference(delegateReference) {
+		this.addDelegateReferenceHex(delegateReference.toHex());
+	}
+	/**
+	* Get the name.
+	*/
+	name() {
+		return this._name;
+	}
+	/**
+	* Set the name, throwing if one already exists or is empty.
+	*/
+	setName(name) {
+		if (this._name !== "") throw XIDError.duplicate("name");
+		if (name === "") throw XIDError.emptyValue("name");
+		this._name = name;
+	}
+	permissions() {
+		return this._permissions;
+	}
+	permissionsMut() {
+		return this._permissions;
+	}
+	/**
+	* Convert to envelope.
+	*/
+	intoEnvelope() {
+		let envelope = Envelope.new(this._uri);
+		for (const keyRef of this._keyReferences) {
+			const refBytes = hexToBytes$1(keyRef);
+			envelope = envelope.addAssertion(kv$2(KEY), refBytes);
+		}
+		for (const delegateRef of this._delegateReferences) {
+			const refBytes = hexToBytes$1(delegateRef);
+			envelope = envelope.addAssertion(kv$2(DELEGATE), refBytes);
+		}
+		if (this._capability !== "") envelope = envelope.addAssertion(kv$2(CAPABILITY), this._capability);
+		if (this._name !== "") envelope = envelope.addAssertion(kv$2(NAME), this._name);
+		envelope = this._permissions.addToEnvelope(envelope);
+		return envelope;
+	}
+	/**
+	* Try to extract a Service from an envelope.
+	*/
+	static tryFromEnvelope(envelope) {
+		const envExt = envelope;
+		const uri = (envExt.case().type === "node" ? envExt.subject() : envelope).asText();
+		if (uri === void 0) throw XIDError.component(/* @__PURE__ */ new Error("Could not extract URI from envelope"));
+		const service = new Service(uri);
+		const assertions = envelope.assertions();
+		for (const assertion of assertions) {
+			const assertionCase = assertion.case();
+			if (assertionCase.type !== "assertion") continue;
+			const predicateCase = assertionCase.assertion.predicate().case();
+			if (predicateCase.type !== "knownValue") continue;
+			const predicate = predicateCase.value.value();
+			const object = assertionCase.assertion.object();
+			if (object.assertions().length > 0) throw XIDError.unexpectedNestedAssertions();
+			switch (predicate) {
+				case KEY_RAW$1: {
+					const keyData = object.asByteString();
+					if (keyData !== void 0) service.addKeyReferenceHex(bytesToHex(keyData));
+					break;
+				}
+				case DELEGATE_RAW$1: {
+					const delegateData = object.asByteString();
+					if (delegateData !== void 0) service.addDelegateReferenceHex(bytesToHex(delegateData));
+					break;
+				}
+				case CAPABILITY_RAW: {
+					const capability = object.asText();
+					if (capability !== void 0) service.addCapability(capability);
+					break;
+				}
+				case NAME_RAW: {
+					const name = object.asText();
+					if (name !== void 0) service.setName(name);
+					break;
+				}
+				case ALLOW_RAW: {
+					const privilege = privilegeFromEnvelope(object);
+					service._permissions.addAllow(privilege);
+					break;
+				}
+				default: throw XIDError.unexpectedPredicate(String(predicate));
+			}
+		}
+		return service;
+	}
+	/**
+	* Check equality with another Service (based on URI).
+	*/
+	equals(other) {
+		return this._uri === other._uri;
+	}
+	/**
+	* Get a hash key for use in Sets/Maps.
+	*/
+	hashKey() {
+		return this._uri;
+	}
+	/**
+	* Clone this Service.
+	*/
+	clone() {
+		const clone = new Service(this._uri);
+		clone._keyReferences = new Set(this._keyReferences);
+		clone._delegateReferences = new Set(this._delegateReferences);
+		clone._permissions = this._permissions.clone();
+		clone._capability = this._capability;
+		clone._name = this._name;
+		return clone;
+	}
+};
+function hexToBytes$1(hex) {
+	const bytes = new Uint8Array(hex.length / 2);
+	for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+	return bytes;
+}
+function bytesToHex(bytes) {
+	return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+//#endregion
+//#region src/delegate.ts
+let XIDDocumentClass = null;
+/**
+* Register the XIDDocument class to avoid circular dependency issues.
+* Called by xid-document.ts when it loads.
+*/
+function registerXIDDocumentClass(cls) {
+	XIDDocumentClass = cls;
+}
+/**
+* Represents a delegate in an XID document.
+*/
+var Delegate = class Delegate {
+	_controller;
+	_permissions;
+	constructor(controller, permissions) {
+		this._controller = controller;
+		this._permissions = permissions;
+	}
+	/**
+	* Create a new Delegate with the given controller document.
+	*/
+	static new(controller) {
+		return new Delegate(Shared.new(controller), Permissions.new());
+	}
+	/**
+	* Get the controller document.
+	*/
+	controller() {
+		return this._controller;
+	}
+	/**
+	* Get the XID of the controller.
+	*/
+	xid() {
+		return this._controller.read().xid();
+	}
+	/**
+	* Get the reference for this delegate.
+	*/
+	reference() {
+		return Reference.hash(this.xid().toData());
+	}
+	permissions() {
+		return this._permissions;
+	}
+	permissionsMut() {
+		return this._permissions;
+	}
+	/**
+	* Convert to envelope.
+	*/
+	intoEnvelope() {
+		const envelope = this._controller.read().intoEnvelope().wrap();
+		return this._permissions.addToEnvelope(envelope);
+	}
+	/**
+	* Try to extract a Delegate from an envelope.
+	*/
+	static tryFromEnvelope(envelope) {
+		if (XIDDocumentClass === null) throw new Error("XIDDocument class not registered. Import xid-document.js first.");
+		const permissions = Permissions.tryFromEnvelope(envelope);
+		const inner = envelope.tryUnwrap();
+		return new Delegate(Shared.new(XIDDocumentClass.tryFromEnvelope(inner)), permissions);
+	}
+	/**
+	* Check equality with another Delegate (based on controller XID).
+	*/
+	equals(other) {
+		return this.xid().equals(other.xid());
+	}
+	/**
+	* Get a hash key for use in Sets/Maps.
+	*/
+	hashKey() {
+		return this.xid().toHex();
+	}
+	/**
+	* Clone this Delegate.
+	*/
+	clone() {
+		return new Delegate(Shared.new(this._controller.read().clone()), this._permissions.clone());
+	}
+};
+
+//#endregion
+//#region src/provenance.ts
+/**
+* XID Provenance
+*
+* Represents provenance information in an XID document, containing a provenance mark
+* and optional generator.
+*
+* Ported from bc-xid-rust/src/provenance.rs
+*/
+const kv$1 = (v) => v;
+/**
+* Options for handling generators in envelopes.
+*/
+let XIDGeneratorOptions = /* @__PURE__ */ function(XIDGeneratorOptions$1) {
+	/** Omit the generator from the envelope (default). */
+	XIDGeneratorOptions$1["Omit"] = "Omit";
+	/** Include the generator in plaintext (with salt for decorrelation). */
+	XIDGeneratorOptions$1["Include"] = "Include";
+	/** Include the generator assertion but elide it (maintains digest tree). */
+	XIDGeneratorOptions$1["Elide"] = "Elide";
+	/** Include the generator encrypted with a password. */
+	XIDGeneratorOptions$1["Encrypt"] = "Encrypt";
+	return XIDGeneratorOptions$1;
+}({});
+/**
+* Represents provenance information in an XID document.
+*/
+var Provenance = class Provenance {
+	_mark;
+	_generator;
+	constructor(mark, generator) {
+		this._mark = mark;
+		this._generator = generator;
+	}
+	/**
+	* Create a new Provenance with just a mark.
+	*/
+	static new(mark) {
+		return new Provenance(mark);
+	}
+	/**
+	* Create a new Provenance with a generator and mark.
+	*/
+	static newWithGenerator(generator, mark) {
+		const salt = Salt.random(32);
+		return new Provenance(mark, {
+			data: {
+				type: "decrypted",
+				generator
+			},
+			salt
+		});
+	}
+	/**
+	* Get the provenance mark.
+	*/
+	mark() {
+		return this._mark;
+	}
+	/**
+	* Get the generator, if available and decrypted.
+	*/
+	generator() {
+		if (this._generator === void 0) return void 0;
+		if (this._generator.data.type === "decrypted") return this._generator.data.generator;
+	}
+	/**
+	* Check if this provenance has a decrypted generator.
+	*/
+	hasGenerator() {
+		return this._generator?.data.type === "decrypted";
+	}
+	/**
+	* Check if this provenance has an encrypted generator.
+	*/
+	hasEncryptedGenerator() {
+		return this._generator?.data.type === "encrypted";
+	}
+	/**
+	* Get the salt used for generator decorrelation.
+	*/
+	generatorSalt() {
+		return this._generator?.salt;
+	}
+	/**
+	* Update the provenance mark.
+	*/
+	setMark(mark) {
+		this._mark = mark;
+	}
+	/**
+	* Set or replace the generator.
+	*/
+	setGenerator(generator) {
+		const salt = Salt.random(32);
+		this._generator = {
+			data: {
+				type: "decrypted",
+				generator
+			},
+			salt
+		};
+	}
+	/**
+	* Take and remove the generator.
+	*/
+	takeGenerator() {
+		const gen = this._generator;
+		this._generator = void 0;
+		return gen;
+	}
+	/**
+	* Get a mutable reference to the generator, decrypting if necessary.
+	*/
+	generatorMut(password) {
+		if (this._generator === void 0) return void 0;
+		if (this._generator.data.type === "decrypted") return this._generator.data.generator;
+		if (password !== void 0) {
+			const encryptedEnvelope = this._generator.data.envelope;
+			try {
+				const generatorData = encryptedEnvelope.decryptSubject(password).tryUnwrap().asByteString();
+				if (generatorData !== void 0) {
+					const json = decodeCbor(generatorData);
+					const generator = ProvenanceMarkGenerator.fromJSON(json);
+					this._generator = {
+						data: {
+							type: "decrypted",
+							generator
+						},
+						salt: this._generator.salt
+					};
+					return generator;
+				}
+			} catch {
+				throw XIDError.invalidPassword();
+			}
+		}
+		throw XIDError.invalidPassword();
+	}
+	/**
+	* Convert to envelope with specified options.
+	*/
+	intoEnvelopeOpt(generatorOptions = XIDGeneratorOptions.Omit) {
+		let envelope = Envelope.new(this._mark.toCborData());
+		if (this._generator !== void 0) {
+			const { data, salt } = this._generator;
+			if (data.type === "encrypted") {
+				envelope = envelope.addAssertion(kv$1(PROVENANCE_GENERATOR), data.envelope);
+				envelope = envelope.addAssertion(kv$1(SALT), salt.toData());
+			} else if (data.type === "decrypted") switch (typeof generatorOptions === "object" ? generatorOptions.type : generatorOptions) {
+				case XIDGeneratorOptions.Include: {
+					const generatorBytes = cborData(data.generator.toJSON());
+					envelope = envelope.addAssertion(kv$1(PROVENANCE_GENERATOR), generatorBytes);
+					envelope = envelope.addAssertion(kv$1(SALT), salt.toData());
+					break;
+				}
+				case XIDGeneratorOptions.Elide: {
+					const generatorBytes2 = cborData(data.generator.toJSON());
+					const elidedAssertion = Envelope.newAssertion(kv$1(PROVENANCE_GENERATOR), generatorBytes2).elide();
+					envelope = envelope.addAssertionEnvelope(elidedAssertion);
+					envelope = envelope.addAssertion(kv$1(SALT), salt.toData());
+					break;
+				}
+				case XIDGeneratorOptions.Encrypt:
+					if (typeof generatorOptions === "object") {
+						const generatorBytes3 = cborData(data.generator.toJSON());
+						const encrypted = Envelope.new(generatorBytes3).wrap().encryptSubject(generatorOptions.password);
+						envelope = envelope.addAssertion(kv$1(PROVENANCE_GENERATOR), encrypted);
+						envelope = envelope.addAssertion(kv$1(SALT), salt.toData());
+					}
+					break;
+				case XIDGeneratorOptions.Omit:
+				default: break;
+			}
+		}
+		return envelope;
+	}
+	intoEnvelope() {
+		return this.intoEnvelopeOpt(XIDGeneratorOptions.Omit);
+	}
+	/**
+	* Try to extract a Provenance from an envelope, optionally with password for decryption.
+	*/
+	static tryFromEnvelope(envelope, password) {
+		const env = envelope;
+		const markData = (env.case().type === "node" ? env.subject() : envelope).asByteString();
+		if (markData === void 0) throw XIDError.provenanceMark(/* @__PURE__ */ new Error("Could not extract mark from envelope"));
+		const mark = ProvenanceMark.fromCborData(markData);
+		let generator;
+		let salt = Salt.random(32);
+		const saltAssertions = env.assertionsWithPredicate(SALT);
+		if (saltAssertions.length > 0) {
+			const saltCase = saltAssertions[0].case();
+			if (saltCase.type === "assertion") {
+				const saltData = saltCase.assertion.object().asByteString();
+				if (saltData !== void 0) salt = Salt.from(saltData);
+			}
+		}
+		const generatorAssertions = env.assertionsWithPredicate(PROVENANCE_GENERATOR);
+		if (generatorAssertions.length > 0) {
+			const assertionCase = generatorAssertions[0].case();
+			if (assertionCase.type === "assertion") {
+				const generatorObject = assertionCase.assertion.object();
+				if (generatorObject.case().type === "encrypted") if (password !== void 0) try {
+					const generatorData = generatorObject.decryptSubject(password).tryUnwrap().asByteString();
+					if (generatorData !== void 0) {
+						const json = decodeCbor(generatorData);
+						generator = {
+							data: {
+								type: "decrypted",
+								generator: ProvenanceMarkGenerator.fromJSON(json)
+							},
+							salt
+						};
+					}
+				} catch {
+					generator = {
+						data: {
+							type: "encrypted",
+							envelope: generatorObject
+						},
+						salt
+					};
+				}
+				else generator = {
+					data: {
+						type: "encrypted",
+						envelope: generatorObject
+					},
+					salt
+				};
+				else {
+					const generatorData = generatorObject.asByteString();
+					if (generatorData !== void 0) {
+						const json2 = decodeCbor(generatorData);
+						generator = {
+							data: {
+								type: "decrypted",
+								generator: ProvenanceMarkGenerator.fromJSON(json2)
+							},
+							salt
+						};
+					}
+				}
+			}
+		}
+		return new Provenance(mark, generator);
+	}
+	/**
+	* Check equality with another Provenance.
+	*/
+	equals(other) {
+		return this._mark.equals(other._mark);
+	}
+	/**
+	* Clone this Provenance.
+	* Note: ProvenanceMark is immutable so we can use the same instance.
+	*/
+	clone() {
+		return new Provenance(this._mark, this._generator !== void 0 ? {
+			data: this._generator.data,
+			salt: this._generator.salt
+		} : void 0);
+	}
+};
+
+//#endregion
+//#region src/xid-document.ts
+/**
+* XID Document
+*
+* Represents an XID document containing keys, delegates, services, and provenance.
+*
+* Ported from bc-xid-rust/src/xid_document.rs
+*/
+const kv = (v) => v;
+const KEY_RAW = KEY.value();
+const DELEGATE_RAW = DELEGATE.value();
+const SERVICE_RAW = SERVICE.value();
+const PROVENANCE_RAW = PROVENANCE.value();
+const DEREFERENCE_VIA_RAW = DEREFERENCE_VIA.value();
+/**
+* Options for verifying the signature on an envelope when loading.
+*/
+let XIDVerifySignature = /* @__PURE__ */ function(XIDVerifySignature$1) {
+	/** Do not verify the signature (default). */
+	XIDVerifySignature$1["None"] = "None";
+	/** Verify that the envelope is signed with the inception key. */
+	XIDVerifySignature$1["Inception"] = "Inception";
+	return XIDVerifySignature$1;
+}({});
+/**
+* Represents an XID document.
+*/
+var XIDDocument = class XIDDocument {
+	_xid;
+	_resolutionMethods;
+	_keys;
+	_delegates;
+	_services;
+	_provenance;
+	constructor(xid, resolutionMethods = /* @__PURE__ */ new Set(), keys = /* @__PURE__ */ new Map(), delegates = /* @__PURE__ */ new Map(), services = /* @__PURE__ */ new Map(), provenance) {
+		this._xid = xid;
+		this._resolutionMethods = resolutionMethods;
+		this._keys = keys;
+		this._delegates = delegates;
+		this._services = services;
+		this._provenance = provenance;
+	}
+	/**
+	* Create a new XIDDocument with the given options.
+	*/
+	static new(keyOptions = { type: "default" }, markOptions = { type: "none" }) {
+		const inceptionKey = XIDDocument.inceptionKeyForOptions(keyOptions);
+		const provenance = XIDDocument.genesisMarkWithOptions(markOptions);
+		const doc = new XIDDocument(XID.from(hashPublicKey(inceptionKey.publicKeyBase())), /* @__PURE__ */ new Set(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), provenance);
+		doc.addKey(inceptionKey);
+		return doc;
+	}
+	static inceptionKeyForOptions(options) {
+		switch (options.type) {
+			case "default": {
+				const privateKeyBase = PrivateKeyBase.generate();
+				return Key.newWithPrivateKeyBase(privateKeyBase);
+			}
+			case "publicKeyBase": return Key.newAllowAll(options.publicKeyBase);
+			case "privateKeyBase": return Key.newWithPrivateKeyBase(options.privateKeyBase);
+		}
+	}
+	static genesisMarkWithOptions(options) {
+		switch (options.type) {
+			case "none": return;
+			case "passphrase": {
+				const resolution = options.resolution ?? ProvenanceMarkResolution.High;
+				const generator = ProvenanceMarkGenerator.newWithPassphrase(resolution, options.passphrase);
+				const date = options.date ?? /* @__PURE__ */ new Date();
+				const mark = generator.next(date, options.info);
+				return Provenance.newWithGenerator(generator, mark);
+			}
+			case "seed": {
+				const resolution = options.resolution ?? ProvenanceMarkResolution.High;
+				const generator = ProvenanceMarkGenerator.newUsing(resolution, options.seed);
+				const date = options.date ?? /* @__PURE__ */ new Date();
+				const mark = generator.next(date, options.info);
+				return Provenance.newWithGenerator(generator, mark);
+			}
+		}
+	}
+	/**
+	* Create an XIDDocument from just an XID.
+	*/
+	static fromXid(xid) {
+		return new XIDDocument(xid);
+	}
+	/**
+	* Get the XID.
+	*/
+	xid() {
+		return this._xid;
+	}
+	/**
+	* Get the resolution methods.
+	*/
+	resolutionMethods() {
+		return this._resolutionMethods;
+	}
+	/**
+	* Add a resolution method.
+	*/
+	addResolutionMethod(method) {
+		this._resolutionMethods.add(method);
+	}
+	/**
+	* Remove a resolution method.
+	*/
+	removeResolutionMethod(method) {
+		return this._resolutionMethods.delete(method);
+	}
+	/**
+	* Get all keys.
+	*/
+	keys() {
+		return Array.from(this._keys.values());
+	}
+	/**
+	* Add a key.
+	*/
+	addKey(key) {
+		const hashKey = key.hashKey();
+		if (this._keys.has(hashKey)) throw XIDError.duplicate("key");
+		this._keys.set(hashKey, key);
+	}
+	/**
+	* Find a key by its public key base.
+	*/
+	findKeyByPublicKeyBase(publicKeyBase) {
+		const hashKey = publicKeyBase.hex();
+		return this._keys.get(hashKey);
+	}
+	/**
+	* Find a key by its reference.
+	*/
+	findKeyByReference(reference) {
+		for (const key of this._keys.values()) if (key.reference().equals(reference)) return key;
+	}
+	/**
+	* Take and remove a key.
+	*/
+	takeKey(publicKeyBase) {
+		const hashKey = publicKeyBase.hex();
+		const key = this._keys.get(hashKey);
+		if (key !== void 0) this._keys.delete(hashKey);
+		return key;
+	}
+	/**
+	* Remove a key.
+	*/
+	removeKey(publicKeyBase) {
+		if (this.servicesReferenceKey(publicKeyBase)) throw XIDError.stillReferenced("key");
+		const hashKey = publicKeyBase.hex();
+		if (!this._keys.delete(hashKey)) throw XIDError.notFound("key");
+	}
+	/**
+	* Check if the given public key is the inception signing key.
+	*/
+	isInceptionKey(publicKeyBase) {
+		return bytesEqual(hashPublicKey(publicKeyBase), this._xid.toData());
+	}
+	/**
+	* Get the inception key, if it exists in the document.
+	*/
+	inceptionKey() {
+		for (const key of this._keys.values()) if (this.isInceptionKey(key.publicKeyBase())) return key;
+	}
+	/**
+	* Get the inception private key base, if available.
+	*/
+	inceptionPrivateKeyBase() {
+		return this.inceptionKey()?.privateKeyBase();
+	}
+	/**
+	* Remove the inception key from the document.
+	*/
+	removeInceptionKey() {
+		const inceptionKey = this.inceptionKey();
+		if (inceptionKey !== void 0) this._keys.delete(inceptionKey.hashKey());
+		return inceptionKey;
+	}
+	/**
+	* Check if the document is empty (no keys, delegates, services, or provenance).
+	*/
+	isEmpty() {
+		return this._resolutionMethods.size === 0 && this._keys.size === 0 && this._delegates.size === 0 && this._provenance === void 0;
+	}
+	/**
+	* Get all delegates.
+	*/
+	delegates() {
+		return Array.from(this._delegates.values());
+	}
+	/**
+	* Add a delegate.
+	*/
+	addDelegate(delegate) {
+		const hashKey = delegate.hashKey();
+		if (this._delegates.has(hashKey)) throw XIDError.duplicate("delegate");
+		this._delegates.set(hashKey, delegate);
+	}
+	/**
+	* Find a delegate by XID.
+	*/
+	findDelegateByXid(xid) {
+		return this._delegates.get(xid.toHex());
+	}
+	/**
+	* Find a delegate by reference.
+	*/
+	findDelegateByReference(reference) {
+		for (const delegate of this._delegates.values()) if (delegate.reference().equals(reference)) return delegate;
+	}
+	/**
+	* Take and remove a delegate.
+	*/
+	takeDelegate(xid) {
+		const hashKey = xid.toHex();
+		const delegate = this._delegates.get(hashKey);
+		if (delegate !== void 0) this._delegates.delete(hashKey);
+		return delegate;
+	}
+	/**
+	* Remove a delegate.
+	*/
+	removeDelegate(xid) {
+		if (this.servicesReferenceDelegate(xid)) throw XIDError.stillReferenced("delegate");
+		const hashKey = xid.toHex();
+		if (!this._delegates.delete(hashKey)) throw XIDError.notFound("delegate");
+	}
+	/**
+	* Get all services.
+	*/
+	services() {
+		return Array.from(this._services.values());
+	}
+	/**
+	* Find a service by URI.
+	*/
+	findServiceByUri(uri) {
+		return this._services.get(uri);
+	}
+	/**
+	* Add a service.
+	*/
+	addService(service) {
+		const hashKey = service.hashKey();
+		if (this._services.has(hashKey)) throw XIDError.duplicate("service");
+		this._services.set(hashKey, service);
+	}
+	/**
+	* Take and remove a service.
+	*/
+	takeService(uri) {
+		const service = this._services.get(uri);
+		if (service !== void 0) this._services.delete(uri);
+		return service;
+	}
+	/**
+	* Remove a service.
+	*/
+	removeService(uri) {
+		if (!this._services.delete(uri)) throw XIDError.notFound("service");
+	}
+	/**
+	* Check service consistency.
+	*/
+	checkServicesConsistency() {
+		for (const service of this._services.values()) this.checkServiceConsistency(service);
+	}
+	/**
+	* Check consistency of a single service.
+	*/
+	checkServiceConsistency(service) {
+		if (service.keyReferences().size === 0 && service.delegateReferences().size === 0) throw XIDError.noReferences(service.uri());
+		for (const keyRef of service.keyReferences()) {
+			const refBytes = hexToBytes(keyRef);
+			const ref = Reference.hash(refBytes);
+			if (this.findKeyByReference(ref) === void 0) throw XIDError.unknownKeyReference(keyRef, service.uri());
+		}
+		for (const delegateRef of service.delegateReferences()) {
+			const refBytes = hexToBytes(delegateRef);
+			const ref = Reference.hash(refBytes);
+			if (this.findDelegateByReference(ref) === void 0) throw XIDError.unknownDelegateReference(delegateRef, service.uri());
+		}
+		if (service.permissions().allow.size === 0) throw XIDError.noPermissions(service.uri());
+	}
+	/**
+	* Check if any service references the given key.
+	*/
+	servicesReferenceKey(publicKeyBase) {
+		const keyRef = Reference.hash(publicKeyBase.data()).toHex();
+		for (const service of this._services.values()) if (service.keyReferences().has(keyRef)) return true;
+		return false;
+	}
+	/**
+	* Check if any service references the given delegate.
+	*/
+	servicesReferenceDelegate(xid) {
+		const delegateRef = Reference.hash(xid.toData()).toHex();
+		for (const service of this._services.values()) if (service.delegateReferences().has(delegateRef)) return true;
+		return false;
+	}
+	/**
+	* Get the provenance mark.
+	*/
+	provenance() {
+		return this._provenance?.mark();
+	}
+	/**
+	* Get the provenance generator.
+	*/
+	provenanceGenerator() {
+		return this._provenance?.generator();
+	}
+	/**
+	* Set the provenance.
+	*/
+	setProvenance(provenance) {
+		this._provenance = provenance !== void 0 ? Provenance.new(provenance) : void 0;
+	}
+	/**
+	* Set provenance with generator.
+	*/
+	setProvenanceWithGenerator(generator, mark) {
+		this._provenance = Provenance.newWithGenerator(generator, mark);
+	}
+	/**
+	* Advance the provenance mark using the embedded generator.
+	*/
+	nextProvenanceMarkWithEmbeddedGenerator(password, date, info) {
+		if (this._provenance === void 0) throw XIDError.noProvenanceMark();
+		const currentMark = this._provenance.mark();
+		const generator = this._provenance.generatorMut(password);
+		if (generator === void 0) throw XIDError.noGenerator();
+		if (!bytesEqual(generator.chainId(), currentMark.chainId())) throw XIDError.chainIdMismatch(currentMark.chainId(), generator.chainId());
+		const expectedSeq = currentMark.seq() + 1;
+		if (generator.nextSeq() !== expectedSeq) throw XIDError.sequenceMismatch(expectedSeq, generator.nextSeq());
+		const nextDate = date ?? /* @__PURE__ */ new Date();
+		const nextMark = generator.next(nextDate, info);
+		this._provenance.setMark(nextMark);
+	}
+	/**
+	* Advance the provenance mark using a provided generator.
+	*/
+	nextProvenanceMarkWithProvidedGenerator(generator, date, info) {
+		if (this._provenance === void 0) throw XIDError.noProvenanceMark();
+		if (this._provenance.hasGenerator() || this._provenance.hasEncryptedGenerator()) throw XIDError.generatorConflict();
+		const currentMark = this._provenance.mark();
+		if (!bytesEqual(generator.chainId(), currentMark.chainId())) throw XIDError.chainIdMismatch(currentMark.chainId(), generator.chainId());
+		const expectedSeq = currentMark.seq() + 1;
+		if (generator.nextSeq() !== expectedSeq) throw XIDError.sequenceMismatch(expectedSeq, generator.nextSeq());
+		const nextDate = date ?? /* @__PURE__ */ new Date();
+		const nextMark = generator.next(nextDate, info);
+		this._provenance.setMark(nextMark);
+	}
+	/**
+	* Convert to envelope with options.
+	*/
+	toEnvelope(privateKeyOptions = XIDPrivateKeyOptions.Omit, generatorOptions = XIDGeneratorOptions.Omit, signingOptions = { type: "none" }) {
+		let envelope = Envelope.new(this._xid.toData());
+		for (const method of this._resolutionMethods) envelope = envelope.addAssertion(kv(DEREFERENCE_VIA), method);
+		for (const key of this._keys.values()) envelope = envelope.addAssertion(kv(KEY), key.intoEnvelopeOpt(privateKeyOptions));
+		for (const delegate of this._delegates.values()) envelope = envelope.addAssertion(kv(DELEGATE), delegate.intoEnvelope());
+		for (const service of this._services.values()) envelope = envelope.addAssertion(kv(SERVICE), service.intoEnvelope());
+		if (this._provenance !== void 0) envelope = envelope.addAssertion(kv(PROVENANCE), this._provenance.intoEnvelopeOpt(generatorOptions));
+		switch (signingOptions.type) {
+			case "inception": {
+				const inceptionKey = this.inceptionKey();
+				if (inceptionKey === void 0) throw XIDError.missingInceptionKey();
+				const privateKeyBase = inceptionKey.privateKeyBase();
+				if (privateKeyBase === void 0) throw XIDError.missingInceptionKey();
+				envelope = envelope.addSignature(privateKeyBase);
+				break;
+			}
+			case "privateKeyBase":
+				envelope = envelope.addSignature(signingOptions.privateKeyBase);
+				break;
+			case "none":
+			default: break;
+		}
+		return envelope;
+	}
+	intoEnvelope() {
+		return this.toEnvelope();
+	}
+	/**
+	* Extract an XIDDocument from an envelope.
+	*/
+	static fromEnvelope(envelope, password, verifySignature = XIDVerifySignature.None) {
+		const envelopeExt = envelope;
+		switch (verifySignature) {
+			case XIDVerifySignature.None: {
+				const subject = envelopeExt.subject();
+				const envelopeToParse = subject.isWrapped() ? subject.tryUnwrap() : envelope;
+				return XIDDocument.fromEnvelopeInner(envelopeToParse, password);
+			}
+			case XIDVerifySignature.Inception: {
+				if (!envelopeExt.subject().isWrapped()) throw XIDError.envelopeNotSigned();
+				const unwrapped = envelopeExt.tryUnwrap();
+				const doc = XIDDocument.fromEnvelopeInner(unwrapped, password);
+				const inceptionKey = doc.inceptionKey();
+				if (inceptionKey === void 0) throw XIDError.missingInceptionKey();
+				if (!envelopeExt.hasSignatureFrom(inceptionKey.publicKeyBase())) throw XIDError.signatureVerificationFailed();
+				if (!doc.isInceptionKey(inceptionKey.publicKeyBase())) throw XIDError.invalidXid();
+				return doc;
+			}
+		}
+	}
+	static fromEnvelopeInner(envelope, password) {
+		const envelopeExt = envelope;
+		const xidData = (envelope.case().type === "node" ? envelopeExt.subject() : envelope).asByteString();
+		if (xidData === void 0) throw XIDError.invalidXid();
+		const xid = XID.from(xidData);
+		const doc = XIDDocument.fromXid(xid);
+		for (const assertion of envelopeExt.assertions()) {
+			const assertionCase = assertion.case();
+			if (assertionCase.type !== "assertion") continue;
+			const predicateCase = assertionCase.assertion.predicate().case();
+			if (predicateCase.type !== "knownValue") continue;
+			const predicate = predicateCase.value.value();
+			const object = assertionCase.assertion.object();
+			switch (predicate) {
+				case DEREFERENCE_VIA_RAW: {
+					const method = object.asText();
+					if (method === void 0) throw XIDError.invalidResolutionMethod();
+					doc.addResolutionMethod(method);
+					break;
+				}
+				case KEY_RAW: {
+					const key = Key.tryFromEnvelope(object, password);
+					doc.addKey(key);
+					break;
+				}
+				case DELEGATE_RAW: {
+					const delegate = Delegate.tryFromEnvelope(object);
+					doc.addDelegate(delegate);
+					break;
+				}
+				case SERVICE_RAW: {
+					const service = Service.tryFromEnvelope(object);
+					doc.addService(service);
+					break;
+				}
+				case PROVENANCE_RAW:
+					if (doc._provenance !== void 0) throw XIDError.multipleProvenanceMarks();
+					doc._provenance = Provenance.tryFromEnvelope(object, password);
+					break;
+				default: throw XIDError.unexpectedPredicate(String(predicate));
+			}
+		}
+		doc.checkServicesConsistency();
+		return doc;
+	}
+	/**
+	* Create a signed envelope.
+	*/
+	toSignedEnvelope(signingKey) {
+		return this.toEnvelope(XIDPrivateKeyOptions.Omit, XIDGeneratorOptions.Omit, { type: "none" }).addSignature(signingKey);
+	}
+	/**
+	* Get the reference for this document.
+	*/
+	reference() {
+		return Reference.hash(this._xid.toData());
+	}
+	/**
+	* Check equality with another XIDDocument.
+	*/
+	equals(other) {
+		return this._xid.equals(other._xid);
+	}
+	/**
+	* Clone this XIDDocument.
+	*/
+	clone() {
+		return new XIDDocument(this._xid, new Set(this._resolutionMethods), new Map(Array.from(this._keys.entries()).map(([k, v]) => [k, v.clone()])), new Map(Array.from(this._delegates.entries()).map(([k, v]) => [k, v.clone()])), new Map(Array.from(this._services.entries()).map(([k, v]) => [k, v.clone()])), this._provenance?.clone());
+	}
+	/**
+	* Try to extract from envelope (alias for fromEnvelope with default options).
+	*/
+	static tryFromEnvelope(envelope) {
+		return XIDDocument.fromEnvelope(envelope, void 0, XIDVerifySignature.None);
+	}
+};
+registerXIDDocumentClass(XIDDocument);
+function hexToBytes(hex) {
+	const bytes = new Uint8Array(hex.length / 2);
+	for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+	return bytes;
+}
+function bytesEqual(a, b) {
+	if (a.length !== b.length) return false;
+	for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
+	return true;
+}
+function hashPublicKey(publicKeyBase) {
+	return Reference.hash(publicKeyBase.data()).getDigest().toData();
+}
+
+//#endregion
+//#region src/index.ts
+const VERSION = "1.0.0-alpha.3";
+
+//#endregion
+export { Delegate, HasNicknameMixin, HasPermissionsMixin, Key, Permissions, Privilege, Provenance, Service, Shared, VERSION, XIDDocument, XIDError, XIDErrorCode, XIDGeneratorOptions, XIDPrivateKeyOptions, XIDVerifySignature, privilegeFromEnvelope, privilegeFromKnownValue, privilegeToEnvelope, privilegeToKnownValue, registerXIDDocumentClass };
+//# sourceMappingURL=index.mjs.map