@cardanowall/crypto-core 0.0.0

package/dist/recipient.js

@@ -0,0 +1,135 @@
+// src/recipient/bech32.ts
+var BECH32_ALPHABET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
+var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
+var ENCODING_CONST = 1;
+function polymodStep(pre) {
+  const b = pre >> 25;
+  let chk = (pre & 33554431) << 5;
+  for (let i = 0; i < POLYMOD_GENERATORS.length; i++) {
+    if ((b >> i & 1) === 1) chk ^= POLYMOD_GENERATORS[i];
+  }
+  return chk;
+}
+function bytesToWords(bytes) {
+  const words = [];
+  let carry = 0;
+  let pos = 0;
+  const mask = (1 << 5) - 1;
+  for (const n of bytes) {
+    carry = carry << 8 | n;
+    pos += 8;
+    for (; pos >= 5; pos -= 5) words.push(carry >> pos - 5 & mask);
+    carry &= (1 << pos) - 1;
+  }
+  if (pos > 0) words.push(carry << 5 - pos & mask);
+  return words;
+}
+function checksum(prefix, words) {
+  let chk = 1;
+  for (let i = 0; i < prefix.length; i++) {
+    const c = prefix.charCodeAt(i);
+    if (c < 33 || c > 126) throw new Error(`bech32: invalid prefix (${prefix})`);
+    chk = polymodStep(chk) ^ c >> 5;
+  }
+  chk = polymodStep(chk);
+  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ prefix.charCodeAt(i) & 31;
+  for (const v of words) chk = polymodStep(chk) ^ v;
+  for (let i = 0; i < 6; i++) chk = polymodStep(chk);
+  chk ^= ENCODING_CONST;
+  let out = "";
+  for (let i = 0; i < 6; i++) out += BECH32_ALPHABET[chk >> 5 * (5 - i) & 31];
+  return out;
+}
+function bech32EncodeNoLimit(prefix, bytes) {
+  if (prefix.length === 0) throw new Error("bech32: empty prefix");
+  const words = bytesToWords(bytes);
+  let payload = "";
+  for (const w of words) payload += BECH32_ALPHABET[w];
+  const lowered = prefix.toLowerCase();
+  return `${lowered}1${payload}${checksum(lowered, words)}`;
+}
+function checksumValid(prefix, words) {
+  let chk = 1;
+  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ prefix.charCodeAt(i) >> 5;
+  chk = polymodStep(chk);
+  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ prefix.charCodeAt(i) & 31;
+  for (const v of words) chk = polymodStep(chk) ^ v;
+  return chk === ENCODING_CONST;
+}
+function wordsToBytes(words) {
+  const out = [];
+  let carry = 0;
+  let pos = 0;
+  for (const w of words) {
+    carry = carry << 5 | w;
+    pos += 5;
+    for (; pos >= 8; pos -= 8) out.push(carry >> pos - 8 & 255);
+    carry &= (1 << pos) - 1;
+  }
+  if (pos >= 5 || carry !== 0) throw new Error("bech32: non-canonical padding");
+  return Uint8Array.from(out);
+}
+function bech32DecodeNoLimit(input) {
+  if (input.length === 0) throw new Error("bech32: empty string");
+  const hasLower = input !== input.toUpperCase();
+  const hasUpper = input !== input.toLowerCase();
+  if (hasLower && hasUpper) throw new Error("bech32: mixed-case string");
+  const s = input.toLowerCase();
+  const sep = s.lastIndexOf("1");
+  if (sep < 1) throw new Error("bech32: missing human-readable prefix");
+  if (s.length - sep - 1 < 6) throw new Error("bech32: data too short for checksum");
+  const hrp = s.slice(0, sep);
+  for (let i = 0; i < hrp.length; i++) {
+    const c = hrp.charCodeAt(i);
+    if (c < 33 || c > 126) throw new Error("bech32: invalid prefix character");
+  }
+  const words = [];
+  for (let i = sep + 1; i < s.length; i++) {
+    const v = BECH32_ALPHABET.indexOf(s[i]);
+    if (v === -1) throw new Error("bech32: invalid data character");
+    words.push(v);
+  }
+  if (!checksumValid(hrp, words)) throw new Error("bech32: bad checksum");
+  return { hrp, bytes: wordsToBytes(words.slice(0, words.length - 6)) };
+}
+
+// src/recipient/age-recipient.ts
+var X25519_HRP = "age";
+var XWING_HRP = "age1pqc";
+var X25519_PUBLIC_KEY_BYTES = 32;
+var XWING_PUBLIC_KEY_BYTES = 1216;
+function encodeAgeX25519Recipient(publicKey) {
+  if (publicKey.length !== X25519_PUBLIC_KEY_BYTES) {
+    throw new Error("encodeAgeX25519Recipient: publicKey must be exactly 32 bytes");
+  }
+  return bech32EncodeNoLimit(X25519_HRP, publicKey);
+}
+function encodeAgeXWingRecipient(publicKey) {
+  if (publicKey.length !== XWING_PUBLIC_KEY_BYTES) {
+    throw new Error("encodeAgeXWingRecipient: publicKey must be exactly 1216 bytes");
+  }
+  return bech32EncodeNoLimit(XWING_HRP, publicKey);
+}
+function parseAgeRecipient(recipient) {
+  if (typeof recipient !== "string") {
+    throw new Error("parseAgeRecipient: recipient must be a string");
+  }
+  const { hrp, bytes } = bech32DecodeNoLimit(recipient.trim());
+  if (hrp === X25519_HRP) {
+    if (bytes.length !== X25519_PUBLIC_KEY_BYTES) {
+      throw new Error("parseAgeRecipient: age recipient must carry a 32-byte X25519 key");
+    }
+    return { kem: "x25519", publicKey: bytes };
+  }
+  if (hrp === XWING_HRP) {
+    if (bytes.length !== XWING_PUBLIC_KEY_BYTES) {
+      throw new Error("parseAgeRecipient: age1pqc recipient must carry a 1216-byte X-Wing key");
+    }
+    return { kem: "mlkem768x25519", publicKey: bytes };
+  }
+  throw new Error(`parseAgeRecipient: unrecognized recipient prefix "${hrp}"`);
+}
+
+export { bech32DecodeNoLimit, bech32EncodeNoLimit, encodeAgeX25519Recipient, encodeAgeXWingRecipient, parseAgeRecipient };
+//# sourceMappingURL=recipient.js.map
+//# sourceMappingURL=recipient.js.map

package/dist/recipient.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/recipient/bech32.ts","../src/recipient/age-recipient.ts"],"names":[],"mappings":";AAUA,IAAM,eAAA,GAAkB,kCAAA;AACxB,IAAM,qBAAqB,CAAC,SAAA,EAAY,SAAA,EAAY,SAAA,EAAY,YAAY,SAAU,CAAA;AACtF,IAAM,cAAA,GAAiB,CAAA;AAEvB,SAAS,YAAY,GAAA,EAAqB;AACxC,EAAA,MAAM,IAAI,GAAA,IAAO,EAAA;AACjB,EAAA,IAAI,GAAA,GAAA,CAAO,MAAM,QAAA,KAAc,CAAA;AAC/B,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,kBAAA,CAAmB,QAAQ,CAAA,EAAA,EAAK;AAClD,IAAA,IAAA,CAAM,KAAK,CAAA,GAAK,CAAA,MAAO,CAAA,EAAG,GAAA,IAAO,mBAAmB,CAAC,CAAA;AAAA,EACvD;AACA,EAAA,OAAO,GAAA;AACT;AAGA,SAAS,aAAa,KAAA,EAA6B;AACjD,EAAA,MAAM,QAAkB,EAAC;AACzB,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,IAAI,GAAA,GAAM,CAAA;AACV,EAAA,MAAM,IAAA,GAAA,CAAQ,KAAK,CAAA,IAAK,CAAA;AACxB,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,KAAA,GAAS,SAAS,CAAA,GAAK,CAAA;AACvB,IAAA,GAAA,IAAO,CAAA;AACP,IAAA,OAAO,GAAA,IAAO,GAAG,GAAA,IAAO,CAAA,QAAS,IAAA,CAAM,KAAA,IAAU,GAAA,GAAM,CAAA,GAAM,IAAI,CAAA;AACjE,IAAA,KAAA,IAAA,CAAU,KAAK,GAAA,IAAO,CAAA;AAAA,EACxB;AACA,EAAA,IAAI,MAAM,CAAA,EAAG,KAAA,CAAM,KAAM,KAAA,IAAU,CAAA,GAAI,MAAQ,IAAI,CAAA;AACnD,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,QAAA,CAAS,QAAgB,KAAA,EAAyB;AACzD,EAAA,IAAI,GAAA,GAAM,CAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAC7B,IAAA,IAAI,CAAA,GAAI,MAAM,CAAA,GAAI,GAAA,QAAW,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,MAAM,CAAA,CAAA,CAAG,CAAA;AAC3E,IAAA,GAAA,GAAM,WAAA,CAAY,GAAG,CAAA,GAAK,CAAA,IAAK,CAAA;AAAA,EACjC;AACA,EAAA,GAAA,GAAM,YAAY,GAAG,CAAA;AACrB,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,MAAA,EAAQ,CAAA,EAAA,EAAK,GAAA,GAAM,WAAA,CAAY,GAAG,CAAA,GAAK,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA,GAAI,EAAA;AACzF,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,GAAA,GAAM,WAAA,CAAY,GAAG,CAAA,GAAI,CAAA;AAChD,EAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,GAAG,CAAA,EAAA,EAAK,GAAA,GAAM,YAAY,GAAG,CAAA;AACjD,EAAA,GAAA,IAAO,cAAA;AACP,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,EAAG,CAAA,EAAA,EAAK,GAAA,IAAO,eAAA,CAAiB,GAAA,IAAQ,CAAA,IAAK,CAAA,GAAI,CAAA,CAAA,GAAO,EAAE,CAAA;AAC9E,EAAA,OAAO,GAAA;AACT;AAGO,SAAS,mBAAA,CAAoB,QAAgB,KAAA,EAA2B;AAC7E,EAAA,IAAI,OAAO,MAAA,KAAW,CAAA,EAAG,MAAM,IAAI,MAAM,sBAAsB,CAAA;AAC/D,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAK,CAAA;AAChC,EAAA,IAAI,OAAA,GAAU,EAAA;AACd,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,OAAA,IAAW,eAAA,CAAgB,CAAC,CAAA;AACnD,EAAA,MAAM,OAAA,GAAU,OAAO,WAAA,EAAY;AACnC,EAAA,OAAO,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,OAAO,GAAG,QAAA,CAAS,OAAA,EAAS,KAAK,CAAC,CAAA,CAAA;AACzD;AAKA,SAAS,aAAA,CAAc,QAAgB,KAAA,EAA0B;AAC/D,EAAA,IAAI,GAAA,GAAM,CAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,MAAA,EAAQ,CAAA,EAAA,EAAK,GAAA,GAAM,WAAA,CAAY,GAAG,CAAA,GAAK,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA,IAAK,CAAA;AAC1F,EAAA,GAAA,GAAM,YAAY,GAAG,CAAA;AACrB,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,MAAA,EAAQ,CAAA,EAAA,EAAK,GAAA,GAAM,WAAA,CAAY,GAAG,CAAA,GAAK,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA,GAAI,EAAA;AACzF,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,GAAA,GAAM,WAAA,CAAY,GAAG,CAAA,GAAI,CAAA;AAChD,EAAA,OAAO,GAAA,KAAQ,cAAA;AACjB;AAKA,SAAS,aAAa,KAAA,EAA6B;AACjD,EAAA,MAAM,MAAgB,EAAC;AACvB,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,IAAI,GAAA,GAAM,CAAA;AACV,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,KAAA,GAAS,SAAS,CAAA,GAAK,CAAA;AACvB,IAAA,GAAA,IAAO,CAAA;AACP,IAAA,OAAO,GAAA,IAAO,GAAG,GAAA,IAAO,CAAA,MAAO,IAAA,CAAM,KAAA,IAAU,GAAA,GAAM,CAAA,GAAM,GAAI,CAAA;AAC/D,IAAA,KAAA,IAAA,CAAU,KAAK,GAAA,IAAO,CAAA;AAAA,EACxB;AACA,EAAA,IAAI,OAAO,CAAA,IAAK,KAAA,KAAU,GAAG,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAC5E,EAAA,OAAO,UAAA,CAAW,KAAK,GAAG,CAAA;AAC5B;AAOO,SAAS,oBAAoB,KAAA,EAAmD;AACrF,EAAA,IAAI,MAAM,MAAA,KAAW,CAAA,EAAG,MAAM,IAAI,MAAM,sBAAsB,CAAA;AAC9D,EAAA,MAAM,QAAA,GAAW,KAAA,KAAU,KAAA,CAAM,WAAA,EAAY;AAC7C,EAAA,MAAM,QAAA,GAAW,KAAA,KAAU,KAAA,CAAM,WAAA,EAAY;AAC7C,EAAA,IAAI,QAAA,IAAY,QAAA,EAAU,MAAM,IAAI,MAAM,2BAA2B,CAAA;AACrE,EAAA,MAAM,CAAA,GAAI,MAAM,WAAA,EAAY;AAC5B,EAAA,MAAM,GAAA,GAAM,CAAA,CAAE,WAAA,CAAY,GAAG,CAAA;AAC7B,EAAA,IAAI,GAAA,GAAM,CAAA,EAAG,MAAM,IAAI,MAAM,uCAAuC,CAAA;AACpE,EAAA,IAAI,CAAA,CAAE,SAAS,GAAA,GAAM,CAAA,GAAI,GAAG,MAAM,IAAI,MAAM,qCAAqC,CAAA;AACjF,EAAA,MAAM,GAAA,GAAM,CAAA,CAAE,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA;AAC1B,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,CAAI,QAAQ,CAAA,EAAA,EAAK;AACnC,IAAA,MAAM,CAAA,GAAI,GAAA,CAAI,UAAA,CAAW,CAAC,CAAA;AAC1B,IAAA,IAAI,IAAI,EAAA,IAAM,CAAA,GAAI,KAAK,MAAM,IAAI,MAAM,kCAAkC,CAAA;AAAA,EAC3E;AACA,EAAA,MAAM,QAAkB,EAAC;AACzB,EAAA,KAAA,IAAS,IAAI,GAAA,GAAM,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACvC,IAAA,MAAM,CAAA,GAAI,eAAA,CAAgB,OAAA,CAAQ,CAAA,CAAE,CAAC,CAAE,CAAA;AACvC,IAAA,IAAI,CAAA,KAAM,EAAA,EAAI,MAAM,IAAI,MAAM,gCAAgC,CAAA;AAC9D,IAAA,KAAA,CAAM,KAAK,CAAC,CAAA;AAAA,EACd;AACA,EAAA,IAAI,CAAC,cAAc,GAAA,EAAK,KAAK,GAAG,MAAM,IAAI,MAAM,sBAAsB,CAAA;AACtE,EAAA,OAAO,EAAE,GAAA,EAAK,KAAA,EAAO,YAAA,CAAa,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,KAAA,CAAM,MAAA,GAAS,CAAC,CAAC,CAAA,EAAE;AACtE;;;ACxGA,IAAM,UAAA,GAAa,KAAA;AACnB,IAAM,SAAA,GAAY,SAAA;AAClB,IAAM,uBAAA,GAA0B,EAAA;AAChC,IAAM,sBAAA,GAAyB,IAAA;AAUxB,SAAS,yBAAyB,SAAA,EAA+B;AACtE,EAAA,IAAI,SAAA,CAAU,WAAW,uBAAA,EAAyB;AAChD,IAAA,MAAM,IAAI,MAAM,8DAA8D,CAAA;AAAA,EAChF;AACA,EAAA,OAAO,mBAAA,CAAoB,YAAY,SAAS,CAAA;AAClD;AAEO,SAAS,wBAAwB,SAAA,EAA+B;AACrE,EAAA,IAAI,SAAA,CAAU,WAAW,sBAAA,EAAwB;AAC/C,IAAA,MAAM,IAAI,MAAM,+DAA+D,CAAA;AAAA,EACjF;AACA,EAAA,OAAO,mBAAA,CAAoB,WAAW,SAAS,CAAA;AACjD;AASO,SAAS,kBAAkB,SAAA,EAAuC;AACvE,EAAA,IAAI,OAAO,cAAc,QAAA,EAAU;AACjC,IAAA,MAAM,IAAI,MAAM,+CAA+C,CAAA;AAAA,EACjE;AACA,EAAA,MAAM,EAAE,GAAA,EAAK,KAAA,KAAU,mBAAA,CAAoB,SAAA,CAAU,MAAM,CAAA;AAC3D,EAAA,IAAI,QAAQ,UAAA,EAAY;AACtB,IAAA,IAAI,KAAA,CAAM,WAAW,uBAAA,EAAyB;AAC5C,MAAA,MAAM,IAAI,MAAM,kEAAkE,CAAA;AAAA,IACpF;AACA,IAAA,OAAO,EAAE,GAAA,EAAK,QAAA,EAAU,SAAA,EAAW,KAAA,EAAM;AAAA,EAC3C;AACA,EAAA,IAAI,QAAQ,SAAA,EAAW;AACrB,IAAA,IAAI,KAAA,CAAM,WAAW,sBAAA,EAAwB;AAC3C,MAAA,MAAM,IAAI,MAAM,wEAAwE,CAAA;AAAA,IAC1F;AACA,IAAA,OAAO,EAAE,GAAA,EAAK,gBAAA,EAAkB,SAAA,EAAW,KAAA,EAAM;AAAA,EACnD;AACA,EAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kDAAA,EAAqD,GAAG,CAAA,CAAA,CAAG,CAAA;AAC7E","file":"recipient.js","sourcesContent":["// Minimal BIP-173 bech32 encoder used to format age-style recipient strings.\n//\n// This package's dependency policy keeps the runtime import graph to a small,\n// audited set of cryptographic libraries, so we inline the exact bech32\n// algorithm here rather than pull in a general-purpose base-encoding library.\n// Output is byte-identical to the no-length-limit form of a standard bech32\n// encoder (`encode(hrp, toWords(bytes))` with the 90-char BIP-173 cap\n// disabled): age recipients exceed that cap — an X-Wing recipient is ~1960\n// characters — so the limit must be off.\n\nconst BECH32_ALPHABET = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l';\nconst POLYMOD_GENERATORS = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];\nconst ENCODING_CONST = 1; // BIP-173 bech32 (not bech32m).\n\nfunction polymodStep(pre: number): number {\n  const b = pre >> 25;\n  let chk = (pre & 0x1ffffff) << 5;\n  for (let i = 0; i < POLYMOD_GENERATORS.length; i++) {\n    if (((b >> i) & 1) === 1) chk ^= POLYMOD_GENERATORS[i]!;\n  }\n  return chk;\n}\n\n// 8-bit bytes → 5-bit words, padding the final partial group with zero bits.\nfunction bytesToWords(bytes: Uint8Array): number[] {\n  const words: number[] = [];\n  let carry = 0;\n  let pos = 0;\n  const mask = (1 << 5) - 1;\n  for (const n of bytes) {\n    carry = (carry << 8) | n;\n    pos += 8;\n    for (; pos >= 5; pos -= 5) words.push((carry >> (pos - 5)) & mask);\n    carry &= (1 << pos) - 1;\n  }\n  if (pos > 0) words.push((carry << (5 - pos)) & mask);\n  return words;\n}\n\nfunction checksum(prefix: string, words: number[]): string {\n  let chk = 1;\n  for (let i = 0; i < prefix.length; i++) {\n    const c = prefix.charCodeAt(i);\n    if (c < 33 || c > 126) throw new Error(`bech32: invalid prefix (${prefix})`);\n    chk = polymodStep(chk) ^ (c >> 5);\n  }\n  chk = polymodStep(chk);\n  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ (prefix.charCodeAt(i) & 0x1f);\n  for (const v of words) chk = polymodStep(chk) ^ v;\n  for (let i = 0; i < 6; i++) chk = polymodStep(chk);\n  chk ^= ENCODING_CONST;\n  let out = '';\n  for (let i = 0; i < 6; i++) out += BECH32_ALPHABET[(chk >> (5 * (5 - i))) & 31];\n  return out;\n}\n\n// Encode raw bytes to a bech32 string with NO length limit. `prefix` is the HRP.\nexport function bech32EncodeNoLimit(prefix: string, bytes: Uint8Array): string {\n  if (prefix.length === 0) throw new Error('bech32: empty prefix');\n  const words = bytesToWords(bytes);\n  let payload = '';\n  for (const w of words) payload += BECH32_ALPHABET[w];\n  const lowered = prefix.toLowerCase();\n  return `${lowered}1${payload}${checksum(lowered, words)}`;\n}\n\n// Recompute the polymod over the HRP + every data word (the trailing six being\n// the checksum) and test it against the encoding constant. True iff the string\n// carries a valid bech32 checksum.\nfunction checksumValid(prefix: string, words: number[]): boolean {\n  let chk = 1;\n  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ (prefix.charCodeAt(i) >> 5);\n  chk = polymodStep(chk);\n  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ (prefix.charCodeAt(i) & 0x1f);\n  for (const v of words) chk = polymodStep(chk) ^ v;\n  return chk === ENCODING_CONST;\n}\n\n// 5-bit words → 8-bit bytes (the inverse of `bytesToWords`). Rejects\n// non-canonical padding: any leftover must be fewer than 5 bits and all zero,\n// matching the zero-fill `bytesToWords` applies to a final partial group.\nfunction wordsToBytes(words: number[]): Uint8Array {\n  const out: number[] = [];\n  let carry = 0;\n  let pos = 0;\n  for (const w of words) {\n    carry = (carry << 5) | w;\n    pos += 5;\n    for (; pos >= 8; pos -= 8) out.push((carry >> (pos - 8)) & 0xff);\n    carry &= (1 << pos) - 1;\n  }\n  if (pos >= 5 || carry !== 0) throw new Error('bech32: non-canonical padding');\n  return Uint8Array.from(out);\n}\n\n// Decode a bech32 string with NO length limit, verifying the checksum. Returns\n// the lower-cased HRP and the decoded data bytes. The inverse of\n// `bech32EncodeNoLimit`. The separator is the last `1` in the string, so HRPs\n// that themselves contain a `1` (e.g. the `age1pqc` recipient prefix) round-trip\n// correctly.\nexport function bech32DecodeNoLimit(input: string): { hrp: string; bytes: Uint8Array } {\n  if (input.length === 0) throw new Error('bech32: empty string');\n  const hasLower = input !== input.toUpperCase();\n  const hasUpper = input !== input.toLowerCase();\n  if (hasLower && hasUpper) throw new Error('bech32: mixed-case string');\n  const s = input.toLowerCase();\n  const sep = s.lastIndexOf('1');\n  if (sep < 1) throw new Error('bech32: missing human-readable prefix');\n  if (s.length - sep - 1 < 6) throw new Error('bech32: data too short for checksum');\n  const hrp = s.slice(0, sep);\n  for (let i = 0; i < hrp.length; i++) {\n    const c = hrp.charCodeAt(i);\n    if (c < 33 || c > 126) throw new Error('bech32: invalid prefix character');\n  }\n  const words: number[] = [];\n  for (let i = sep + 1; i < s.length; i++) {\n    const v = BECH32_ALPHABET.indexOf(s[i]!);\n    if (v === -1) throw new Error('bech32: invalid data character');\n    words.push(v);\n  }\n  if (!checksumValid(hrp, words)) throw new Error('bech32: bad checksum');\n  return { hrp, bytes: wordsToBytes(words.slice(0, words.length - 6)) };\n}\n","// Encodes a raw KEM public key to a bech32 age-style recipient string — the\n// form a sender uses to address a sealed PoE record.\n//\n//   • X25519 (32 bytes)                         → \"age1…\"\n//   • X-Wing / ML-KEM-768 + X25519 (1216 bytes) → \"age1pqc…\"\n//\n// The two HRPs make a recipient self-describing: a parser routes to the right\n// KEM purely from the bech32 prefix. We use the `age1pqc` HRP for the hybrid\n// key (upstream age v1.3.0 claims the shorter `age1pq` HRP for the same X-Wing\n// primitive; `age1pqc` avoids colliding with that wire identifier).\n//\n// The X-Wing public key derives for free from the same identity seed via\n// `deriveMlKem768X25519KeypairFromSeed`, so every identity always has one and\n// can RECEIVE hybrid sealed records even when it publishes via the classical\n// X25519 path.\n\nimport { bech32DecodeNoLimit, bech32EncodeNoLimit } from './bech32';\n\nconst X25519_HRP = 'age';\nconst XWING_HRP = 'age1pqc';\nconst X25519_PUBLIC_KEY_BYTES = 32;\nconst XWING_PUBLIC_KEY_BYTES = 1216;\n\n// The KEM a recipient string addresses, inferred from its bech32 HRP.\nexport type RecipientKem = 'x25519' | 'mlkem768x25519';\n\nexport interface ParsedAgeRecipient {\n  readonly kem: RecipientKem;\n  readonly publicKey: Uint8Array;\n}\n\nexport function encodeAgeX25519Recipient(publicKey: Uint8Array): string {\n  if (publicKey.length !== X25519_PUBLIC_KEY_BYTES) {\n    throw new Error('encodeAgeX25519Recipient: publicKey must be exactly 32 bytes');\n  }\n  return bech32EncodeNoLimit(X25519_HRP, publicKey);\n}\n\nexport function encodeAgeXWingRecipient(publicKey: Uint8Array): string {\n  if (publicKey.length !== XWING_PUBLIC_KEY_BYTES) {\n    throw new Error('encodeAgeXWingRecipient: publicKey must be exactly 1216 bytes');\n  }\n  return bech32EncodeNoLimit(XWING_HRP, publicKey);\n}\n\n// Decode an age-style recipient string back to its raw KEM public key, routing\n// on the bech32 HRP. The inverse of `encodeAgeX25519Recipient` /\n// `encodeAgeXWingRecipient`: a sender can take a recipient string a peer shared\n// and recover the exact public key (and which KEM it belongs to) needed to seal\n// a record to them. Surrounding whitespace is tolerated so pasted strings parse.\n// Throws on an unknown HRP, a bad checksum, or a key length that does not match\n// the HRP's KEM.\nexport function parseAgeRecipient(recipient: string): ParsedAgeRecipient {\n  if (typeof recipient !== 'string') {\n    throw new Error('parseAgeRecipient: recipient must be a string');\n  }\n  const { hrp, bytes } = bech32DecodeNoLimit(recipient.trim());\n  if (hrp === X25519_HRP) {\n    if (bytes.length !== X25519_PUBLIC_KEY_BYTES) {\n      throw new Error('parseAgeRecipient: age recipient must carry a 32-byte X25519 key');\n    }\n    return { kem: 'x25519', publicKey: bytes };\n  }\n  if (hrp === XWING_HRP) {\n    if (bytes.length !== XWING_PUBLIC_KEY_BYTES) {\n      throw new Error('parseAgeRecipient: age1pqc recipient must carry a 1216-byte X-Wing key');\n    }\n    return { kem: 'mlkem768x25519', publicKey: bytes };\n  }\n  throw new Error(`parseAgeRecipient: unrecognized recipient prefix \"${hrp}\"`);\n}\n"]}