@cardanowall/crypto-core 0.0.0

package/dist/index.cjs

@@ -0,0 +1,1856 @@
+'use strict';
+
+var sha2_js = require('@noble/hashes/sha2.js');
+var blake2_js = require('@noble/hashes/blake2.js');
+var hashWasm = require('hash-wasm');
+var hkdf_js = require('@noble/hashes/hkdf.js');
+var ed = require('@noble/ed25519');
+var ed25519_js = require('@noble/curves/ed25519.js');
+var hybrid_js = require('@noble/post-quantum/hybrid.js');
+var chacha_js = require('@noble/ciphers/chacha.js');
+var cbor2 = require('cbor2');
+var sorts = require('cbor2/sorts');
+var utils_js = require('@noble/ciphers/utils.js');
+var hmac_js = require('@noble/hashes/hmac.js');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var ed__namespace = /*#__PURE__*/_interopNamespace(ed);
+
+// src/hash/sha-256.ts
+function sha256(input) {
+  return sha2_js.sha256(input);
+}
+function blake2b256(input) {
+  return blake2_js.blake2b(input, { dkLen: 32 });
+}
+function blake2b224(input) {
+  return blake2_js.blake2b(input, { dkLen: 28 });
+}
+function dualHash(input) {
+  return {
+    sha256: sha256(input),
+    blake2b256: blake2b256(input)
+  };
+}
+async function dualHashStream(source) {
+  const [sha, blake] = await Promise.all([hashWasm.createSHA256(), hashWasm.createBLAKE2b(256)]);
+  sha.init();
+  blake.init();
+  for await (const chunk of source) {
+    sha.update(chunk);
+    blake.update(chunk);
+  }
+  return {
+    sha256: sha.digest("binary"),
+    blake2b256: blake.digest("binary")
+  };
+}
+
+// src/util/compare-ct.ts
+function compareCt(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+// src/hash/merkle-sha2-256.ts
+var MERKLE_ALG_ID = "rfc9162-sha256";
+var LEAF_PREFIX = 0;
+var NODE_PREFIX = 1;
+var DIGEST_LENGTH = 32;
+function validateLeaves(leaves, fnName) {
+  if (leaves.length === 0) {
+    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
+  }
+  for (let i = 0; i < leaves.length; i++) {
+    const leaf = leaves[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) {
+      throw new Error(
+        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
+      );
+    }
+  }
+}
+function merkleSha2256Root(leaves) {
+  validateLeaves(leaves, "merkleSha2256Root");
+  return mthRecursive(leaves, 0, leaves.length);
+}
+function merkleSha2256InclusionProof(leaves, index) {
+  validateLeaves(leaves, "merkleSha2256InclusionProof");
+  if (!Number.isInteger(index) || index < 0 || index >= leaves.length) {
+    throw new Error(
+      `merkleSha2256InclusionProof: index ${index} out of range [0, ${leaves.length})`
+    );
+  }
+  return auditPath(leaves, index, 0, leaves.length);
+}
+function merkleSha2256VerifyInclusion(leaf, index, treeSize, proof, root) {
+  if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) return false;
+  if (!(root instanceof Uint8Array) || root.length !== DIGEST_LENGTH) return false;
+  if (!Number.isInteger(index) || !Number.isInteger(treeSize) || treeSize < 1 || index < 0 || index >= treeSize) {
+    return false;
+  }
+  for (let i = 0; i < proof.length; i++) {
+    const sibling = proof[i];
+    if (!(sibling instanceof Uint8Array) || sibling.length !== DIGEST_LENGTH) {
+      return false;
+    }
+  }
+  if (treeSize === 1) {
+    if (proof.length !== 0 || index !== 0) return false;
+    return compareCt(hashLeaf(leaf), root);
+  }
+  let h = hashLeaf(leaf);
+  let sn = index;
+  let fn = treeSize - 1;
+  for (let i = 0; i < proof.length; i++) {
+    if (fn === 0) return false;
+    const sibling = proof[i];
+    if ((sn & 1) === 1 || sn === fn) {
+      h = hashNode(sibling, h);
+      while ((sn & 1) === 0 && sn !== 0) {
+        sn >>>= 1;
+        fn >>>= 1;
+      }
+    } else {
+      h = hashNode(h, sibling);
+    }
+    sn >>>= 1;
+    fn >>>= 1;
+  }
+  if (fn !== 0) return false;
+  return compareCt(h, root);
+}
+function largestPow2Lt(n) {
+  let k = 1;
+  while (k * 2 < n) k *= 2;
+  return k;
+}
+function hashLeaf(d) {
+  const buf = new Uint8Array(1 + d.length);
+  buf[0] = LEAF_PREFIX;
+  buf.set(d, 1);
+  return sha2_js.sha256(buf);
+}
+function hashNode(left, right) {
+  const buf = new Uint8Array(1 + left.length + right.length);
+  buf[0] = NODE_PREFIX;
+  buf.set(left, 1);
+  buf.set(right, 1 + left.length);
+  return sha2_js.sha256(buf);
+}
+function mthRecursive(leaves, start, end) {
+  const n = end - start;
+  if (n === 1) {
+    return hashLeaf(leaves[start]);
+  }
+  const k = largestPow2Lt(n);
+  const left = mthRecursive(leaves, start, start + k);
+  const right = mthRecursive(leaves, start + k, end);
+  return hashNode(left, right);
+}
+function auditPath(leaves, i, start, end) {
+  const n = end - start;
+  if (n === 1) return [];
+  const k = largestPow2Lt(n);
+  if (i < k) {
+    const subPath2 = auditPath(leaves, i, start, start + k);
+    subPath2.push(mthRecursive(leaves, start + k, end));
+    return subPath2;
+  }
+  const subPath = auditPath(leaves, i - k, start + k, end);
+  subPath.push(mthRecursive(leaves, start, start + k));
+  return subPath;
+}
+function hkdfSha256(opts) {
+  return hkdf_js.hkdf(sha2_js.sha256, opts.ikm, opts.salt, opts.info, opts.length);
+}
+async function argon2idV13(opts) {
+  return await hashWasm.argon2id({
+    password: opts.password,
+    salt: opts.salt,
+    parallelism: opts.parallelism,
+    iterations: opts.iterations,
+    memorySize: opts.memSizeKB,
+    hashLength: opts.outBytes,
+    outputType: "binary"
+  });
+}
+ed__namespace.hashes.sha512 = sha2_js.sha512;
+var L = ed__namespace.Point.CURVE().n;
+function signEd25519(opts) {
+  return ed__namespace.sign(opts.message, opts.seed);
+}
+function leBytesToBigInt(bytes) {
+  let value = 0n;
+  for (let i = bytes.length - 1; i >= 0; i--) {
+    value = value << 8n | BigInt(bytes[i]);
+  }
+  return value;
+}
+function verifyEd25519(opts) {
+  const { signature, message, publicKey } = opts;
+  if (signature.length !== 64 || publicKey.length !== 32) return false;
+  const S = leBytesToBigInt(signature.subarray(32, 64));
+  if (S >= L) return false;
+  let A;
+  let R;
+  try {
+    A = ed__namespace.Point.fromBytes(publicKey);
+    R = ed__namespace.Point.fromBytes(signature.subarray(0, 32));
+  } catch {
+    return false;
+  }
+  if (A.isSmallOrder() || R.isSmallOrder()) return false;
+  const k = leBytesToBigInt(ed__namespace.hash(concatBytes(signature.subarray(0, 32), publicKey, message))) % L;
+  const sB = S === 0n ? ed__namespace.Point.ZERO : ed__namespace.Point.BASE.multiplyUnsafe(S);
+  const kA = k === 0n ? ed__namespace.Point.ZERO : A.multiplyUnsafe(k);
+  return sB.subtract(kA).subtract(R).is0();
+}
+function concatBytes(...parts) {
+  let total = 0;
+  for (const p of parts) total += p.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const p of parts) {
+    out.set(p, offset);
+    offset += p.length;
+  }
+  return out;
+}
+function getPublicKeyEd25519(opts) {
+  return ed__namespace.getPublicKey(opts.seed);
+}
+var X25519LowOrderPointError = class extends Error {
+  code = "X25519_LOW_ORDER_POINT";
+  constructor(options) {
+    super("x25519 ECDH rejected: peer public key is a small-order point", options);
+    this.name = "X25519LowOrderPointError";
+  }
+};
+var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
+function x25519Keygen() {
+  return ed25519_js.x25519.keygen();
+}
+function x25519PublicKey(opts) {
+  return ed25519_js.x25519.getPublicKey(opts.secretKey);
+}
+function x25519Ecdh(opts) {
+  try {
+    return ed25519_js.x25519.getSharedSecret(opts.secretKey, opts.theirPublicKey);
+  } catch (e) {
+    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
+      throw new X25519LowOrderPointError({ cause: e });
+    }
+    throw e;
+  }
+}
+var MLKEM768X25519_PUBLIC_KEY_LENGTH = 1216;
+var MLKEM768X25519_ENC_LENGTH = 1120;
+var MLKEM768X25519_SHARED_SECRET_LENGTH = 32;
+var MLKEM768X25519_SEED_LENGTH = 32;
+var MLKEM768X25519_ESEED_LENGTH = 64;
+function mlkem768x25519Keygen(seed) {
+  if (seed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${seed.length}`
+    );
+  }
+  const { secretKey, publicKey } = hybrid_js.XWing.keygen(seed);
+  return { secretSeed: secretKey, publicKey };
+}
+function mlkem768x25519Encapsulate(opts) {
+  if (opts.publicKey.length !== MLKEM768X25519_PUBLIC_KEY_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 public key must be ${MLKEM768X25519_PUBLIC_KEY_LENGTH} bytes, got ${opts.publicKey.length}`
+    );
+  }
+  if (opts.eseed !== void 0 && opts.eseed.length !== MLKEM768X25519_ESEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 eseed must be ${MLKEM768X25519_ESEED_LENGTH} bytes, got ${opts.eseed.length}`
+    );
+  }
+  const { cipherText, sharedSecret } = hybrid_js.XWing.encapsulate(opts.publicKey, opts.eseed);
+  return { enc: cipherText, ss: sharedSecret };
+}
+function mlkem768x25519Decapsulate(opts) {
+  if (opts.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts.secretSeed.length}`
+    );
+  }
+  if (opts.enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts.enc.length}`
+    );
+  }
+  return hybrid_js.XWing.decapsulate(opts.enc, opts.secretSeed);
+}
+
+// src/aead/errors.ts
+var AeadVerificationError = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
+  }
+};
+
+// src/aead/chacha20-poly1305.ts
+function chacha20Poly1305Encrypt(opts) {
+  return chacha_js.chacha20poly1305(opts.key, opts.nonce, opts.aad).encrypt(opts.plaintext);
+}
+function chacha20Poly1305Decrypt(opts) {
+  try {
+    return chacha_js.chacha20poly1305(opts.key, opts.nonce, opts.aad).decrypt(opts.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("chacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function xchacha20Poly1305Encrypt(opts) {
+  return chacha_js.xchacha20poly1305(opts.key, opts.nonce, opts.aad).encrypt(opts.plaintext);
+}
+function xchacha20Poly1305Decrypt(opts) {
+  try {
+    return chacha_js.xchacha20poly1305(opts.key, opts.nonce, opts.aad).decrypt(opts.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
+  }
+}
+
+// src/util/hex.ts
+function hexToBytes(hex) {
+  if ((hex.length & 1) !== 0) {
+    throw new Error(`hexToBytes: input length ${hex.length} is not even`);
+  }
+  const out = new Uint8Array(hex.length >>> 1);
+  for (let i = 0; i < out.length; i++) {
+    const hi = charToNibble(hex.charCodeAt(i * 2));
+    const lo = charToNibble(hex.charCodeAt(i * 2 + 1));
+    if (hi < 0 || lo < 0) {
+      throw new Error(`hexToBytes: non-hex character at offset ${i * 2}`);
+    }
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+function charToNibble(code) {
+  if (code >= 48 && code <= 57) return code - 48;
+  if (code >= 97 && code <= 102) return code - 87;
+  return -1;
+}
+
+// src/cbor/errors.ts
+var CanonicalCborError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "CanonicalCborError";
+    this.code = code;
+  }
+};
+
+// src/cbor/canonical.ts
+function encodeCanonicalCbor(value) {
+  return cbor2.encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sorts.sortCoreDeterministic
+  });
+}
+function decodeCanonicalCbor(bytes) {
+  try {
+    return cbor2.decode(bytes, {
+      ...cbor2.cdeDecodeOptions,
+      rejectStreaming: true,
+      rejectDuplicateKeys: true,
+      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // `null` — and nothing else. Without these rejections the major-type-7
+      // surface leaks into the decoder: a float16/32/64 that happens to hold an
+      // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
+      // a `z.literal(1)` / Number.isInteger schema check, so two byte strings
+      // that are NOT byte-identical canonicalise to the same record. That
+      // breaks the cross-implementation parity invariant (the Python twin
+      // already rejects non-integer `v` / `enc.scheme` outright). Reject the
+      // whole non-record surface — floats, negative zero, undefined, and
+      // non-{true,false,null} simple values — so any such input surfaces as
+      // MALFORMED_CBOR via mapDecodeError rather than decoding to a look-alike.
+      rejectFloats: true,
+      rejectNegativeZero: true,
+      rejectUndefined: true,
+      rejectSimple: true
+    });
+  } catch (cause) {
+    throw mapDecodeError(cause);
+  }
+}
+function mapDecodeError(cause) {
+  const message = cause instanceof Error ? cause.message : String(cause);
+  const lower = message.toLowerCase();
+  const isIndefinite = lower.includes("streaming") || lower.includes("indefinite");
+  const detail = isIndefinite ? `indefinite-length items are not permitted in canonical CBOR: ${message}` : message;
+  return new CanonicalCborError("MALFORMED_CBOR", `cbor decode failed: ${detail}`, { cause });
+}
+function decodeCbor(bytes) {
+  return cbor2.decode(bytes);
+}
+
+// src/cose/errors.ts
+var CoseVerifyError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "CoseVerifyError";
+    this.code = code;
+  }
+};
+
+// src/cose/sign1.ts
+var CARDANO_POE_SIG_DOMAIN_PREFIX = "cardano-poe-record-sig-v1";
+var CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES = new TextEncoder().encode(
+  CARDANO_POE_SIG_DOMAIN_PREFIX
+);
+if (CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length !== 25) {
+  throw new Error(
+    `cardano-poe-record-sig-v1 prefix must encode to exactly 25 UTF-8 bytes, got ${CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length}`
+  );
+}
+var EMPTY_BYTES = new Uint8Array(0);
+function buildSigStructure(args) {
+  return encodeCanonicalCbor([
+    args.context,
+    args.bodyProtectedBytes,
+    args.externalAad,
+    args.payload
+  ]);
+}
+function buildCip309SigStructure(args) {
+  const toSign = new Uint8Array(
+    CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + args.recordBodyCbor.length
+  );
+  toSign.set(CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES, 0);
+  toSign.set(args.recordBodyCbor, CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length);
+  return buildSigStructure({
+    context: "Signature1",
+    bodyProtectedBytes: args.bodyProtectedBytes,
+    externalAad: EMPTY_BYTES,
+    payload: toSign
+  });
+}
+function encodeCoseSign1(args) {
+  const protectedBytes = args.protectedHeader.size === 0 ? EMPTY_BYTES : encodeCanonicalCbor(args.protectedHeader);
+  return encodeCanonicalCbor([
+    protectedBytes,
+    args.unprotectedHeader,
+    args.payload,
+    args.signature
+  ]);
+}
+function asCoseHeader(value) {
+  if (value instanceof Map) return value;
+  if (value !== null && typeof value === "object" && value.constructor === Object) {
+    return new Map(Object.entries(value));
+  }
+  return null;
+}
+function decodeCoseSign1(bytes) {
+  let arr;
+  try {
+    arr = decodeCanonicalCbor(bytes);
+  } catch (cause) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "cose decode failed", { cause });
+  }
+  if (!Array.isArray(arr) || arr.length !== 4) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "expected 4-element array");
+  }
+  const [protectedBytesRaw, unprotectedRaw, payloadRaw, signatureRaw] = arr;
+  if (!(protectedBytesRaw instanceof Uint8Array)) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "protected_bytes must be bytes");
+  }
+  const unprotectedHeader = asCoseHeader(unprotectedRaw);
+  if (unprotectedHeader === null) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "unprotected header must be map");
+  }
+  if (payloadRaw !== null && !(payloadRaw instanceof Uint8Array)) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "payload must be bytes or null");
+  }
+  if (!(signatureRaw instanceof Uint8Array) || signatureRaw.length !== 64) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "signature must be 64 bytes");
+  }
+  let protectedHeader;
+  if (protectedBytesRaw.length === 0) {
+    protectedHeader = /* @__PURE__ */ new Map();
+  } else {
+    let decodedProtected;
+    try {
+      decodedProtected = decodeCanonicalCbor(protectedBytesRaw);
+    } catch (cause) {
+      throw new CoseVerifyError("MALFORMED_SIG_COSE", "protected header decode failed", { cause });
+    }
+    const ph = asCoseHeader(decodedProtected);
+    if (ph === null) {
+      throw new CoseVerifyError("MALFORMED_SIG_COSE", "protected header must decode to map");
+    }
+    if (ph.size === 0) {
+      throw new CoseVerifyError(
+        "MALFORMED_SIG_COSE",
+        "empty protected header must encode as 0x40 (zero-length bstr), not as an empty map"
+      );
+    }
+    protectedHeader = ph;
+  }
+  return {
+    protectedHeader,
+    protectedBytes: protectedBytesRaw,
+    unprotectedHeader,
+    payload: payloadRaw,
+    signature: signatureRaw
+  };
+}
+var CoseSign1BuildError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "CoseSign1BuildError";
+    this.code = code;
+  }
+};
+function coseSign1Cip309Build(args) {
+  if (args.signerSecretKey === void 0 && args.signer === void 0) {
+    throw new CoseSign1BuildError(
+      "SIGNER_NOT_PROVIDED",
+      "coseSign1Cip309Build requires either signerSecretKey or signer"
+    );
+  }
+  if (args.signerSecretKey !== void 0 && args.signer !== void 0) {
+    throw new CoseSign1BuildError(
+      "SIGNER_AND_SEED_BOTH_PROVIDED",
+      "coseSign1Cip309Build accepts signerSecretKey XOR signer (not both)"
+    );
+  }
+  const protectedBytes = args.protectedHeader.size === 0 ? EMPTY_BYTES : encodeCanonicalCbor(args.protectedHeader);
+  const sigStructureBytes = buildCip309SigStructure({
+    bodyProtectedBytes: protectedBytes,
+    recordBodyCbor: args.recordBodyCbor
+  });
+  let signature;
+  if (args.signer !== void 0) {
+    signature = args.signer(sigStructureBytes);
+    if (!(signature instanceof Uint8Array) || signature.length !== 64) {
+      throw new CoseSign1BuildError(
+        "SIGNER_NOT_PROVIDED",
+        `injected signer must return a 64-byte Uint8Array; got ${signature instanceof Uint8Array ? `${signature.length}-byte Uint8Array` : typeof signature}`
+      );
+    }
+  } else {
+    signature = signEd25519({ seed: args.signerSecretKey, message: sigStructureBytes });
+  }
+  return encodeCoseSign1({
+    protectedHeader: args.protectedHeader,
+    unprotectedHeader: args.unprotectedHeader,
+    payload: null,
+    signature
+  });
+}
+function coseSign1Cip309Verify(args) {
+  let decoded;
+  try {
+    decoded = decodeCoseSign1(args.message);
+  } catch (e) {
+    if (e instanceof CoseVerifyError) {
+      return { ok: false, error: { code: e.code, message: "errors.cose.malformed" } };
+    }
+    if (e instanceof CanonicalCborError) {
+      return {
+        ok: false,
+        error: { code: "MALFORMED_SIG_COSE", message: "errors.cose.malformed_cbor" }
+      };
+    }
+    throw e;
+  }
+  if (decoded.payload !== null) {
+    return {
+      ok: false,
+      error: {
+        code: "MALFORMED_SIG_COSE_SIGN1",
+        message: "errors.cose.attached_payload_forbidden"
+      }
+    };
+  }
+  const alg = decoded.protectedHeader.get(1);
+  if (typeof alg !== "number" || alg !== -8) {
+    return {
+      ok: false,
+      error: { code: "UNSUPPORTED_SIG_ALG", message: "errors.cose.unsupported_alg" }
+    };
+  }
+  const kidRaw = decoded.protectedHeader.get(4);
+  let signerKey;
+  if (kidRaw instanceof Uint8Array && kidRaw.length === 32) {
+    signerKey = kidRaw;
+  } else if (args.expectedSignerKey instanceof Uint8Array && args.expectedSignerKey.length === 32) {
+    signerKey = args.expectedSignerKey;
+  }
+  if (signerKey === void 0) {
+    return {
+      ok: false,
+      error: { code: "KID_UNRESOLVED", message: "errors.cose.kid_unresolved" }
+    };
+  }
+  if (kidRaw instanceof Uint8Array && kidRaw.length === 32 && args.expectedSignerKey instanceof Uint8Array && args.expectedSignerKey.length === 32 && !compareCt(kidRaw, args.expectedSignerKey)) {
+    return {
+      ok: false,
+      error: { code: "KID_UNRESOLVED", message: "errors.cose.kid_mismatch" }
+    };
+  }
+  const hashedFlag = decoded.unprotectedHeader.get("hashed");
+  let sigStructureBytes;
+  if (hashedFlag === true) {
+    const toSign = new Uint8Array(
+      CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + args.detachedRecordBodyCbor.length
+    );
+    toSign.set(CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES, 0);
+    toSign.set(args.detachedRecordBodyCbor, CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length);
+    const hashedPayload = blake2b224(toSign);
+    sigStructureBytes = buildSigStructure({
+      context: "Signature1",
+      bodyProtectedBytes: decoded.protectedBytes,
+      externalAad: EMPTY_BYTES,
+      payload: hashedPayload
+    });
+  } else {
+    sigStructureBytes = buildCip309SigStructure({
+      bodyProtectedBytes: decoded.protectedBytes,
+      recordBodyCbor: args.detachedRecordBodyCbor
+    });
+  }
+  const valid = verifyEd25519({
+    publicKey: signerKey,
+    message: sigStructureBytes,
+    signature: decoded.signature
+  });
+  if (!valid) {
+    return {
+      ok: false,
+      error: { code: "SIGNATURE_INVALID", message: "errors.cose.signature_invalid" }
+    };
+  }
+  return { ok: true, signerKey, alg };
+}
+
+// src/cose/cose-key.ts
+var COSE_KEY_LABEL_KTY = 1;
+var COSE_KEY_LABEL_ALG = 3;
+var COSE_KEY_LABEL_CRV = -1;
+var COSE_KEY_LABEL_X = -2;
+var KTY_OKP = 1;
+var ALG_EDDSA = -8;
+var CRV_ED25519 = 6;
+var ED25519_PUBLIC_KEY_LENGTH = 32;
+function asMap(value) {
+  if (value instanceof Map) return value;
+  if (value !== null && typeof value === "object" && value.constructor === Object) {
+    return new Map(Object.entries(value));
+  }
+  return null;
+}
+function parseCoseKeyEd25519(blob) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(blob);
+  } catch {
+    return null;
+  }
+  const map = asMap(decoded);
+  if (map === null) return null;
+  const kty = map.get(COSE_KEY_LABEL_KTY);
+  if (typeof kty !== "number" || kty !== KTY_OKP) return null;
+  const crv = map.get(COSE_KEY_LABEL_CRV);
+  if (typeof crv !== "number" || crv !== CRV_ED25519) return null;
+  if (map.has(COSE_KEY_LABEL_ALG)) {
+    const alg = map.get(COSE_KEY_LABEL_ALG);
+    if (typeof alg !== "number" || alg !== ALG_EDDSA) return null;
+  }
+  const x = map.get(COSE_KEY_LABEL_X);
+  if (!(x instanceof Uint8Array) || x.length !== ED25519_PUBLIC_KEY_LENGTH) return null;
+  return x;
+}
+
+// src/seed-derive/errors.ts
+var SeedDeriveError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "SeedDeriveError";
+    this.code = code;
+  }
+};
+
+// src/seed-derive/derive.ts
+var INFO_ED25519 = new TextEncoder().encode("cardano-poe-ed25519-v1");
+var INFO_X25519 = new TextEncoder().encode("cardano-poe-x25519-v1");
+var INFO_MLKEM768X25519 = new TextEncoder().encode(
+  "cardano-poe-mlkem768x25519-v1"
+);
+if (INFO_ED25519.length !== 22) {
+  throw new Error("INFO_ED25519 byte-length invariant violated (expected 22)");
+}
+if (INFO_X25519.length !== 21) {
+  throw new Error("INFO_X25519 byte-length invariant violated (expected 21)");
+}
+if (INFO_MLKEM768X25519.length !== 29) {
+  throw new Error("INFO_MLKEM768X25519 byte-length invariant violated (expected 29)");
+}
+var EMPTY_SALT = new Uint8Array(0);
+var SEED_LENGTH = 32;
+var DERIVED_LENGTH = 32;
+function assertSeedLength(seed) {
+  if (seed.length !== SEED_LENGTH) {
+    throw new SeedDeriveError(
+      "INVALID_SEED_LENGTH",
+      `seed must be exactly 32 bytes, got ${seed.length}`
+    );
+  }
+}
+function deriveEd25519KeypairFromSeed(seed) {
+  assertSeedLength(seed);
+  const secretKey = hkdfSha256({
+    ikm: seed,
+    salt: EMPTY_SALT,
+    info: INFO_ED25519,
+    length: DERIVED_LENGTH
+  });
+  const publicKey = getPublicKeyEd25519({ seed: secretKey });
+  return { secretKey, publicKey };
+}
+function deriveX25519KeypairFromSeed(seed) {
+  assertSeedLength(seed);
+  const secretKey = hkdfSha256({
+    ikm: seed,
+    salt: EMPTY_SALT,
+    info: INFO_X25519,
+    length: DERIVED_LENGTH
+  });
+  const publicKey = x25519PublicKey({ secretKey });
+  return { secretKey, publicKey };
+}
+function deriveMlKem768X25519KeypairFromSeed(seed) {
+  assertSeedLength(seed);
+  const xwingSeed = hkdfSha256({
+    ikm: seed,
+    salt: EMPTY_SALT,
+    info: INFO_MLKEM768X25519,
+    length: DERIVED_LENGTH
+  });
+  return mlkem768x25519Keygen(xwingSeed);
+}
+
+// src/sealed-poe/errors.ts
+var EciesSealedPoeError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "EciesSealedPoeError";
+    this.code = code;
+  }
+};
+
+// src/sealed-poe/slots-codec.ts
+var CHUNK_MAX_BYTES = 64;
+function chunkKemCt(value) {
+  if (value.length === 0) {
+    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  }
+  const chunks = [];
+  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
+    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  }
+  return chunks;
+}
+function joinKemCt(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+function slotsToMacCbor(slots, kem) {
+  let value;
+  if (kem === "x25519") {
+    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
+  } else {
+    value = slots.map((s) => ({
+      // Canonicalize the chunk boundaries before the MAC commits to them:
+      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
+      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
+      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
+      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
+      // MAC must be invariant to it. Committing to the verbatim wire chunks would
+      // let an attacker re-chunk an honest envelope and break the slots_mac match
+      // for an honest recipient. Honest (already-64B-chunked) records are
+      // unchanged; a real byte flip still changes the reassembled bytes and is
+      // still rejected.
+      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+      wrap: s.wrap
+    }));
+  }
+  return encodeCanonicalCbor(value);
+}
+
+// src/sealed-poe/wrap.ts
+var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
+var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
+  "cardano-poe-kek-mlkem768x25519-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var ZERO_NONCE_12 = new Uint8Array(12);
+var EMPTY_SALT2 = new Uint8Array(0);
+var X25519_PUBLIC_KEY_LENGTH = 32;
+var X25519_SECRET_KEY_LENGTH = 32;
+var CEK_LENGTH = 32;
+var NONCE_LENGTH = 24;
+var WRAP_LENGTH = 48;
+var SLOTS_MAC_LENGTH = 32;
+if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
+  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
+}
+if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (ZERO_NONCE_12.length !== 12) {
+  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
+}
+function concat(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
+  return out;
+}
+function uniformIndexBelow(m) {
+  const limit = 4294967296 - 4294967296 % m;
+  const buf = new Uint32Array(1);
+  let x;
+  do {
+    crypto.getRandomValues(buf);
+    x = buf[0];
+  } while (x >= limit);
+  return x % m;
+}
+function csprngShuffle(arr) {
+  for (let i = arr.length - 1; i > 0; i--) {
+    const j = uniformIndexBelow(i + 1);
+    const tmp = arr[i];
+    arr[i] = arr[j];
+    arr[j] = tmp;
+  }
+}
+function wrapSlotX25519(args) {
+  const privEph = args.privEph ?? utils_js.randomBytes(X25519_SECRET_KEY_LENGTH);
+  if (privEph.length !== X25519_SECRET_KEY_LENGTH) {
+    throw new EciesSealedPoeError(
+      "INVALID_EPHEMERAL_SECRET_LENGTH",
+      `ephemeralSecrets[${args.slotIdx}] MUST be exactly ${X25519_SECRET_KEY_LENGTH} bytes, got ${privEph.length}`
+    );
+  }
+  const epk = x25519PublicKey({ secretKey: privEph });
+  const shared = x25519Ecdh({ secretKey: privEph, theirPublicKey: args.pubR });
+  const kek = hkdfSha256({
+    ikm: shared,
+    salt: concat(epk, args.pubR),
+    info: CARDANO_POE_HKDF_INFO_KEK,
+    length: 32
+  });
+  const wrap = chacha20Poly1305Encrypt({
+    key: kek,
+    nonce: ZERO_NONCE_12,
+    aad: CARDANO_POE_HKDF_INFO_KEK,
+    plaintext: args.cek
+  });
+  if (wrap.length !== WRAP_LENGTH) {
+    throw new Error(`internal: wrap.length=${wrap.length}, expected ${WRAP_LENGTH}`);
+  }
+  return { epk, wrap };
+}
+function wrapSlotMlkem768X25519(args) {
+  const { enc, ss } = mlkem768x25519Encapsulate({
+    publicKey: args.pubR,
+    ...args.eseed !== void 0 ? { eseed: args.eseed } : {}
+  });
+  if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(`internal: enc.length=${enc.length}, expected ${MLKEM768X25519_ENC_LENGTH}`);
+  }
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: EMPTY_SALT2,
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
+  });
+  const wrap = chacha20Poly1305Encrypt({
+    key: kek,
+    nonce: ZERO_NONCE_12,
+    aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    plaintext: args.cek
+  });
+  if (wrap.length !== WRAP_LENGTH) {
+    throw new Error(`internal: wrap.length=${wrap.length}, expected ${WRAP_LENGTH}`);
+  }
+  return { kem_ct: chunkKemCt(enc), wrap };
+}
+function eciesSealedPoeWrap(args) {
+  const { plaintext, recipientPublicKeys } = args;
+  const kem = args.kem ?? "x25519";
+  const n = recipientPublicKeys.length;
+  if (n < 1) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_EMPTY",
+      `recipientPublicKeys.length=${n} must be >= 1`
+    );
+  }
+  const expectedPubLen = kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH : MLKEM768X25519_PUBLIC_KEY_LENGTH;
+  for (let i = 0; i < n; i++) {
+    const pub = recipientPublicKeys[i];
+    if (pub === void 0 || pub.length !== expectedPubLen) {
+      throw new EciesSealedPoeError(
+        "KEM_EPK_LENGTH_MISMATCH",
+        `recipientPublicKeys[${i}] MUST be exactly ${expectedPubLen} bytes for kem='${kem}'`
+      );
+    }
+  }
+  if (kem === "x25519") {
+    if (args.eseeds !== void 0) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        "eseeds is an X-Wing (mlkem768x25519) override and MUST NOT be supplied for kem='x25519'"
+      );
+    }
+    if (args.ephemeralSecrets !== void 0 && args.ephemeralSecrets.length !== n) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        `ephemeralSecrets.length=${args.ephemeralSecrets.length} must match recipientPublicKeys.length=${n}`
+      );
+    }
+  } else {
+    if (args.ephemeralSecrets !== void 0) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        "ephemeralSecrets is an X25519 override and MUST NOT be supplied for kem='mlkem768x25519'"
+      );
+    }
+    if (args.eseeds !== void 0) {
+      if (args.eseeds.length !== n) {
+        throw new EciesSealedPoeError(
+          "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+          `eseeds.length=${args.eseeds.length} must match recipientPublicKeys.length=${n}`
+        );
+      }
+      for (let i = 0; i < n; i++) {
+        const eseed = args.eseeds[i];
+        if (eseed.length !== MLKEM768X25519_ESEED_LENGTH) {
+          throw new EciesSealedPoeError(
+            "INVALID_EPHEMERAL_SECRET_LENGTH",
+            `eseeds[${i}] MUST be exactly ${MLKEM768X25519_ESEED_LENGTH} bytes, got ${eseed.length}`
+          );
+        }
+      }
+    }
+  }
+  const cek = args.cek ?? utils_js.randomBytes(CEK_LENGTH);
+  const nonce = args.nonce ?? utils_js.randomBytes(NONCE_LENGTH);
+  if (cek.length !== CEK_LENGTH) {
+    throw new EciesSealedPoeError(
+      "INVALID_CEK_LENGTH",
+      `cek MUST be exactly ${CEK_LENGTH} bytes, got ${cek.length}`
+    );
+  }
+  if (nonce.length !== NONCE_LENGTH) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `nonce MUST be exactly ${NONCE_LENGTH} bytes, got ${nonce.length}`
+    );
+  }
+  let envelope;
+  if (kem === "x25519") {
+    const slots = [];
+    for (let i = 0; i < n; i++) {
+      slots.push(
+        wrapSlotX25519({
+          pubR: recipientPublicKeys[i],
+          privEph: args.ephemeralSecrets ? args.ephemeralSecrets[i] : void 0,
+          cek,
+          slotIdx: i
+        })
+      );
+    }
+    if (args.skipShuffle !== true) {
+      csprngShuffle(slots);
+    }
+    const slotsMac = computeSlotsMac(cek, slots, "x25519");
+    envelope = {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce,
+      slots,
+      slots_mac: slotsMac
+    };
+  } else {
+    const slots = [];
+    for (let i = 0; i < n; i++) {
+      slots.push(
+        wrapSlotMlkem768X25519({
+          pubR: recipientPublicKeys[i],
+          eseed: args.eseeds ? args.eseeds[i] : void 0,
+          cek
+        })
+      );
+    }
+    if (args.skipShuffle !== true) {
+      csprngShuffle(slots);
+    }
+    const slotsMac = computeSlotsMac(cek, slots, "mlkem768x25519");
+    envelope = {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce,
+      slots,
+      slots_mac: slotsMac
+    };
+  }
+  const adContent = concat(nonce, envelope.slots_mac);
+  const ciphertext = xchacha20Poly1305Encrypt({
+    key: cek,
+    nonce,
+    aad: adContent,
+    plaintext
+  });
+  return { envelope, ciphertext };
+}
+function computeSlotsMac(cek, slots, kem) {
+  const hmacKey = hkdfSha256({
+    ikm: cek,
+    salt: EMPTY_SALT2,
+    info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+    length: 32
+  });
+  const slotsCbor = slotsToMacCbor(slots, kem);
+  const slotsMac = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+  if (slotsMac.length !== SLOTS_MAC_LENGTH) {
+    throw new Error(`internal: slots_mac.length=${slotsMac.length}, expected ${SLOTS_MAC_LENGTH}`);
+  }
+  return slotsMac;
+}
+function selectBundleSecrets(envelope, bundle) {
+  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
+}
+var ZERO_NONCE_122 = new Uint8Array(12);
+var EMPTY_SALT3 = new Uint8Array(0);
+var X25519_SECRET_KEY_LENGTH2 = 32;
+var X25519_PUBLIC_KEY_LENGTH2 = 32;
+var NONCE_LENGTH2 = 24;
+var WRAP_LENGTH2 = 48;
+var SLOTS_MAC_LENGTH2 = 32;
+function concat2(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
+  return out;
+}
+function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
+  if (envelope.scheme !== 1) {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_ENC_VERSION",
+      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+    );
+  }
+  if (envelope.aead !== "xchacha20-poly1305") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_AEAD_ALG",
+      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+    );
+  }
+  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_KEM_ALG",
+      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+    );
+  }
+  const n = envelope.slots.length;
+  if (n < 1) {
+    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  }
+  if (envelope.nonce.length !== NONCE_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+    );
+  }
+  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_MAC_INVALID_LENGTH",
+      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+    );
+  }
+  if (envelope.kem === "x25519") {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "KEM_EPK_LENGTH_MISMATCH",
+          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      const enc = joinKemCt(slot.kem_ct);
+      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+        throw new EciesSealedPoeError(
+          "KEM_CT_LENGTH_MISMATCH",
+          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+    }
+  }
+  if (multiPrivKeys !== void 0) {
+    for (let i = 0; i < multiPrivKeys.length; i++) {
+      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "INVALID_RECIPIENT_KEY",
+          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
+        );
+      }
+    }
+  } else if (singlePrivKey !== void 0) {
+    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
+      throw new EciesSealedPoeError(
+        "INVALID_RECIPIENT_KEY",
+        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
+      );
+    }
+  }
+}
+function tryX25519Slot(args) {
+  if (args.liveSlot) {
+    try {
+      const shared = x25519Ecdh({
+        secretKey: args.recipientSecretKey,
+        theirPublicKey: args.slot.epk
+      });
+      const kek = hkdfSha256({
+        ikm: shared,
+        salt: concat2(args.slot.epk, args.pubRLocal),
+        info: CARDANO_POE_HKDF_INFO_KEK,
+        length: 32
+      });
+      return chacha20Poly1305Decrypt({
+        key: kek,
+        nonce: ZERO_NONCE_122,
+        aad: CARDANO_POE_HKDF_INFO_KEK,
+        ciphertext: args.slot.wrap
+      });
+    } catch (e) {
+      if (!(e instanceof AeadVerificationError) && !(e instanceof X25519LowOrderPointError)) {
+        throw e;
+      }
+      return null;
+    }
+  }
+  try {
+    const shared = x25519Ecdh({
+      secretKey: args.recipientSecretKey,
+      theirPublicKey: args.slot.epk
+    });
+    hkdfSha256({
+      ikm: shared,
+      salt: concat2(args.slot.epk, args.pubRLocal),
+      info: CARDANO_POE_HKDF_INFO_KEK,
+      length: 32
+    });
+  } catch (e) {
+    if (!(e instanceof X25519LowOrderPointError)) throw e;
+  }
+  return null;
+}
+function tryMlkem768X25519Slot(args) {
+  const enc = joinKemCt(args.slot.kem_ct);
+  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: EMPTY_SALT3,
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
+  });
+  if (!args.liveSlot) {
+    return null;
+  }
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
+  }
+}
+function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  const n = envelope.slots.length;
+  let cek = null;
+  let matchedSlotIdx = -1;
+  if (envelope.kem === "x25519") {
+    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      const candidate = tryX25519Slot({
+        slot: envelope.slots[i],
+        recipientSecretKey,
+        pubRLocal,
+        liveSlot: cek === null
+      });
+      if (cek === null && candidate !== null) {
+        cek = candidate;
+        matchedSlotIdx = i;
+      }
+      if (cek !== null && !constantTimeN) break;
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      const candidate = tryMlkem768X25519Slot({
+        slot: envelope.slots[i],
+        recipientSecretKey,
+        liveSlot: cek === null
+      });
+      if (cek === null && candidate !== null) {
+        cek = candidate;
+        matchedSlotIdx = i;
+      }
+      if (cek !== null && !constantTimeN) break;
+    }
+  }
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
+}
+function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+}
+function slotsMacCborBytes(envelope) {
+  return slotsToMacCbor(
+    envelope.slots,
+    envelope.kem
+  );
+}
+function eciesSealedPoeUnwrap(args) {
+  const { envelope, ciphertext } = args;
+  const constantTimeN = args.constantTimeN ?? true;
+  const hasSingle = "recipientSecretKey" in args;
+  const hasBundle = "recipientKeyBundle" in args;
+  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
+  const hasMulti = multiPrivKeys !== void 0;
+  if (hasSingle === hasMulti) {
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
+    );
+  }
+  if (hasMulti && multiPrivKeys.length === 0) {
+    if (hasBundle) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "recipientSecretKeys MUST be a non-empty array, got length=0"
+    );
+  }
+  if (hasMulti) {
+    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
+  } else {
+    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
+  }
+  let matchedCek = null;
+  let anyCandidateRecovered = false;
+  if (hasSingle) {
+    const recipientSecretKey = args.recipientSecretKey;
+    const cek = tryRecipientUnwrap(
+      envelope,
+      recipientSecretKey,
+      constantTimeN,
+      args._slotsAttemptedOut
+    );
+    if (cek === null) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    const slotsCbor = slotsMacCborBytes(envelope);
+    const hmacKey = hkdfSha256({
+      ikm: cek,
+      salt: EMPTY_SALT3,
+      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+      length: 32
+    });
+    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+    if (!compareCt(slotsMacCalc, envelope.slots_mac)) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    matchedCek = cek;
+  } else {
+    const slotsCbor = slotsMacCborBytes(envelope);
+    const recipientSecretKeys = multiPrivKeys;
+    for (let k = 0; k < recipientSecretKeys.length; k++) {
+      if (args._privsAttemptedOut !== void 0) {
+        args._privsAttemptedOut.count = k + 1;
+      }
+      if (args._slotsAttemptedOut !== void 0) {
+        args._slotsAttemptedOut.count = 0;
+      }
+      const cek = tryRecipientUnwrap(
+        envelope,
+        recipientSecretKeys[k],
+        constantTimeN,
+        args._slotsAttemptedOut
+      );
+      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
+      }
+      if (cek === null) continue;
+      const hmacKey = hkdfSha256({
+        ikm: cek,
+        salt: EMPTY_SALT3,
+        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+        length: 32
+      });
+      const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+      if (compareCt(slotsMacCalc, envelope.slots_mac)) {
+        matchedCek = cek;
+        break;
+      }
+      anyCandidateRecovered = true;
+    }
+    if (matchedCek === null) {
+      return {
+        matched: false,
+        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
+      };
+    }
+  }
+  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+  try {
+    const plaintext = xchacha20Poly1305Decrypt({
+      key: matchedCek,
+      nonce: envelope.nonce,
+      aad: adContent,
+      ciphertext
+    });
+    return { matched: true, plaintext };
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
+  }
+}
+function eciesSealedPoeTrialDecrypt(args) {
+  const { envelope } = args;
+  const constantTimeN = args.constantTimeN ?? true;
+  const hasBundle = "recipientKeyBundle" in args;
+  const recipientSecretKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : args.recipientSecretKeys;
+  if (recipientSecretKeys.length === 0) {
+    if (hasBundle) {
+      return { kind: "no_aead_pass" };
+    }
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "recipientSecretKeys MUST be a non-empty array, got length=0"
+    );
+  }
+  assertEnvelopeStructure(envelope, recipientSecretKeys, void 0);
+  const slotsCbor = slotsMacCborBytes(envelope);
+  let anyCandidateRecovered = false;
+  for (let k = 0; k < recipientSecretKeys.length; k++) {
+    if (args._privsAttemptedOut !== void 0) {
+      args._privsAttemptedOut.count = k + 1;
+    }
+    if (args._slotsAttemptedOut !== void 0) {
+      args._slotsAttemptedOut.count = 0;
+    }
+    const candidate = tryRecipientUnwrapWithIdx(
+      envelope,
+      recipientSecretKeys[k],
+      constantTimeN,
+      args._slotsAttemptedOut
+    );
+    if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+      args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
+    }
+    if (candidate === null) continue;
+    const hmacKey = hkdfSha256({
+      ikm: candidate.cek,
+      salt: EMPTY_SALT3,
+      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+      length: 32
+    });
+    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+    if (compareCt(slotsMacCalc, envelope.slots_mac)) {
+      return { kind: "match", slotIdx: candidate.slotIdx, cek: candidate.cek };
+    }
+    anyCandidateRecovered = true;
+  }
+  return anyCandidateRecovered ? { kind: "aead_pass_no_mac_match" } : { kind: "no_aead_pass" };
+}
+
+// src/sealed-poe/envelope-from-parsed.ts
+function sealedEnvelopeFromParsed(enc) {
+  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
+  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
+  const slots = enc.slots;
+  if (slots === void 0 || slots.length < 1) return null;
+  if (enc.kem === "x25519") {
+    const x25519Slots = [];
+    for (const s of slots) {
+      if (s.epk === void 0 || s.wrap === void 0) return null;
+      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
+    }
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce: enc.nonce,
+      slots: x25519Slots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  if (enc.kem === "mlkem768x25519") {
+    const hybridSlots = [];
+    for (const s of slots) {
+      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
+      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
+    }
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce: enc.nonce,
+      slots: hybridSlots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  return null;
+}
+
+// src/merkle/leaves-list.ts
+var LEAVES_LIST_FORMAT_V1 = "cardano-poe-merkle-leaves-v1";
+var TREE_ALG_RFC9162 = "rfc9162-sha256";
+var DIGEST_LENGTH2 = 32;
+var REGISTERED_FORMATS = /* @__PURE__ */ new Set([LEAVES_LIST_FORMAT_V1]);
+var MerkleLeavesListError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message ? `${code}: ${message}` : code);
+    this.code = code;
+    this.name = "MerkleLeavesListError";
+  }
+};
+function encodeLeavesList(args) {
+  if (!(args.root instanceof Uint8Array) || args.root.length !== DIGEST_LENGTH2) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      `root must be a Uint8Array(${DIGEST_LENGTH2})`
+    );
+  }
+  if (args.leaves.length < 1) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaves array must be non-empty"
+    );
+  }
+  const leavesCopy = [];
+  for (let i = 0; i < args.leaves.length; i++) {
+    const leaf = args.leaves[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH2) {
+      throw new MerkleLeavesListError(
+        "SCHEMA_MERKLE_LEAVES_MALFORMED",
+        `leaves[${i}] must be a Uint8Array(${DIGEST_LENGTH2})`
+      );
+    }
+    leavesCopy.push(leaf);
+  }
+  if (args.leafAlg !== void 0 && typeof args.leafAlg !== "string") {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaf_alg must be a string when present"
+    );
+  }
+  const map = {
+    format: LEAVES_LIST_FORMAT_V1,
+    tree_alg: TREE_ALG_RFC9162,
+    root: args.root,
+    leaves: leavesCopy,
+    leaf_count: leavesCopy.length
+  };
+  if (args.leafAlg !== void 0) {
+    map["leaf_alg"] = args.leafAlg;
+  }
+  return encodeCanonicalCbor(map);
+}
+function decodeLeavesList(bytes) {
+  const decoded = decodeCanonicalCbor(bytes);
+  if (typeof decoded !== "object" || decoded === null || Array.isArray(decoded)) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaves-list MUST be a CBOR map"
+    );
+  }
+  const m = decoded;
+  const format = m["format"];
+  if (typeof format !== "string") {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "format must be a text string"
+    );
+  }
+  if (!REGISTERED_FORMATS.has(format)) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED",
+      `format '${format}' is not in the registered set`
+    );
+  }
+  const treeAlg = m["tree_alg"];
+  if (treeAlg !== TREE_ALG_RFC9162) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      `tree_alg '${String(treeAlg)}' is not '${TREE_ALG_RFC9162}'`
+    );
+  }
+  const root = m["root"];
+  if (!(root instanceof Uint8Array) || root.length !== DIGEST_LENGTH2) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      `root must be a ${DIGEST_LENGTH2}-byte byte string`
+    );
+  }
+  const leavesRaw = m["leaves"];
+  if (!Array.isArray(leavesRaw) || leavesRaw.length < 1) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaves must be a non-empty array"
+    );
+  }
+  const leaves = [];
+  for (let i = 0; i < leavesRaw.length; i++) {
+    const leaf = leavesRaw[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH2) {
+      throw new MerkleLeavesListError(
+        "SCHEMA_MERKLE_LEAVES_MALFORMED",
+        `leaves[${i}] must be a ${DIGEST_LENGTH2}-byte byte string`
+      );
+    }
+    leaves.push(leaf);
+  }
+  const leafCountRaw = m["leaf_count"];
+  let leafCount;
+  if (typeof leafCountRaw === "number" && Number.isInteger(leafCountRaw) && leafCountRaw >= 0) {
+    leafCount = leafCountRaw;
+  } else if (typeof leafCountRaw === "bigint" && leafCountRaw >= 0n) {
+    if (leafCountRaw > BigInt(Number.MAX_SAFE_INTEGER)) {
+      throw new MerkleLeavesListError(
+        "SCHEMA_MERKLE_LEAVES_MALFORMED",
+        "leaf_count exceeds Number.MAX_SAFE_INTEGER"
+      );
+    }
+    leafCount = Number(leafCountRaw);
+  } else {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaf_count must be a non-negative CBOR uint"
+    );
+  }
+  if (leaves.length !== leafCount) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAF_COUNT_MISMATCH",
+      `leaves.length (${leaves.length}) != leaf_count (${leafCount})`
+    );
+  }
+  let leafAlg;
+  if (m["leaf_alg"] !== void 0) {
+    if (typeof m["leaf_alg"] !== "string") {
+      throw new MerkleLeavesListError(
+        "SCHEMA_MERKLE_LEAVES_MALFORMED",
+        "leaf_alg must be a text string when present"
+      );
+    }
+    leafAlg = m["leaf_alg"];
+  }
+  const recomputed = merkleSha2256Root(leaves);
+  if (!compareCt(recomputed, root)) {
+    throw new MerkleLeavesListError(
+      "MERKLE_ROOT_MISMATCH",
+      "leaves recompute does not match declared root"
+    );
+  }
+  const out = {
+    format: LEAVES_LIST_FORMAT_V1,
+    treeAlg: TREE_ALG_RFC9162,
+    root,
+    leaves,
+    leafCount,
+    ...leafAlg !== void 0 ? { leafAlg } : {}
+  };
+  return out;
+}
+
+// src/recipient/bech32.ts
+var BECH32_ALPHABET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
+var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
+var ENCODING_CONST = 1;
+function polymodStep(pre) {
+  const b = pre >> 25;
+  let chk = (pre & 33554431) << 5;
+  for (let i = 0; i < POLYMOD_GENERATORS.length; i++) {
+    if ((b >> i & 1) === 1) chk ^= POLYMOD_GENERATORS[i];
+  }
+  return chk;
+}
+function bytesToWords(bytes) {
+  const words = [];
+  let carry = 0;
+  let pos = 0;
+  const mask = (1 << 5) - 1;
+  for (const n of bytes) {
+    carry = carry << 8 | n;
+    pos += 8;
+    for (; pos >= 5; pos -= 5) words.push(carry >> pos - 5 & mask);
+    carry &= (1 << pos) - 1;
+  }
+  if (pos > 0) words.push(carry << 5 - pos & mask);
+  return words;
+}
+function checksum(prefix, words) {
+  let chk = 1;
+  for (let i = 0; i < prefix.length; i++) {
+    const c = prefix.charCodeAt(i);
+    if (c < 33 || c > 126) throw new Error(`bech32: invalid prefix (${prefix})`);
+    chk = polymodStep(chk) ^ c >> 5;
+  }
+  chk = polymodStep(chk);
+  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ prefix.charCodeAt(i) & 31;
+  for (const v of words) chk = polymodStep(chk) ^ v;
+  for (let i = 0; i < 6; i++) chk = polymodStep(chk);
+  chk ^= ENCODING_CONST;
+  let out = "";
+  for (let i = 0; i < 6; i++) out += BECH32_ALPHABET[chk >> 5 * (5 - i) & 31];
+  return out;
+}
+function bech32EncodeNoLimit(prefix, bytes) {
+  if (prefix.length === 0) throw new Error("bech32: empty prefix");
+  const words = bytesToWords(bytes);
+  let payload = "";
+  for (const w of words) payload += BECH32_ALPHABET[w];
+  const lowered = prefix.toLowerCase();
+  return `${lowered}1${payload}${checksum(lowered, words)}`;
+}
+function checksumValid(prefix, words) {
+  let chk = 1;
+  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ prefix.charCodeAt(i) >> 5;
+  chk = polymodStep(chk);
+  for (let i = 0; i < prefix.length; i++) chk = polymodStep(chk) ^ prefix.charCodeAt(i) & 31;
+  for (const v of words) chk = polymodStep(chk) ^ v;
+  return chk === ENCODING_CONST;
+}
+function wordsToBytes(words) {
+  const out = [];
+  let carry = 0;
+  let pos = 0;
+  for (const w of words) {
+    carry = carry << 5 | w;
+    pos += 5;
+    for (; pos >= 8; pos -= 8) out.push(carry >> pos - 8 & 255);
+    carry &= (1 << pos) - 1;
+  }
+  if (pos >= 5 || carry !== 0) throw new Error("bech32: non-canonical padding");
+  return Uint8Array.from(out);
+}
+function bech32DecodeNoLimit(input) {
+  if (input.length === 0) throw new Error("bech32: empty string");
+  const hasLower = input !== input.toUpperCase();
+  const hasUpper = input !== input.toLowerCase();
+  if (hasLower && hasUpper) throw new Error("bech32: mixed-case string");
+  const s = input.toLowerCase();
+  const sep = s.lastIndexOf("1");
+  if (sep < 1) throw new Error("bech32: missing human-readable prefix");
+  if (s.length - sep - 1 < 6) throw new Error("bech32: data too short for checksum");
+  const hrp = s.slice(0, sep);
+  for (let i = 0; i < hrp.length; i++) {
+    const c = hrp.charCodeAt(i);
+    if (c < 33 || c > 126) throw new Error("bech32: invalid prefix character");
+  }
+  const words = [];
+  for (let i = sep + 1; i < s.length; i++) {
+    const v = BECH32_ALPHABET.indexOf(s[i]);
+    if (v === -1) throw new Error("bech32: invalid data character");
+    words.push(v);
+  }
+  if (!checksumValid(hrp, words)) throw new Error("bech32: bad checksum");
+  return { hrp, bytes: wordsToBytes(words.slice(0, words.length - 6)) };
+}
+
+// src/recipient/age-recipient.ts
+var X25519_HRP = "age";
+var XWING_HRP = "age1pqc";
+var X25519_PUBLIC_KEY_BYTES = 32;
+var XWING_PUBLIC_KEY_BYTES = 1216;
+function encodeAgeX25519Recipient(publicKey) {
+  if (publicKey.length !== X25519_PUBLIC_KEY_BYTES) {
+    throw new Error("encodeAgeX25519Recipient: publicKey must be exactly 32 bytes");
+  }
+  return bech32EncodeNoLimit(X25519_HRP, publicKey);
+}
+function encodeAgeXWingRecipient(publicKey) {
+  if (publicKey.length !== XWING_PUBLIC_KEY_BYTES) {
+    throw new Error("encodeAgeXWingRecipient: publicKey must be exactly 1216 bytes");
+  }
+  return bech32EncodeNoLimit(XWING_HRP, publicKey);
+}
+function parseAgeRecipient(recipient) {
+  if (typeof recipient !== "string") {
+    throw new Error("parseAgeRecipient: recipient must be a string");
+  }
+  const { hrp, bytes } = bech32DecodeNoLimit(recipient.trim());
+  if (hrp === X25519_HRP) {
+    if (bytes.length !== X25519_PUBLIC_KEY_BYTES) {
+      throw new Error("parseAgeRecipient: age recipient must carry a 32-byte X25519 key");
+    }
+    return { kem: "x25519", publicKey: bytes };
+  }
+  if (hrp === XWING_HRP) {
+    if (bytes.length !== XWING_PUBLIC_KEY_BYTES) {
+      throw new Error("parseAgeRecipient: age1pqc recipient must carry a 1216-byte X-Wing key");
+    }
+    return { kem: "mlkem768x25519", publicKey: bytes };
+  }
+  throw new Error(`parseAgeRecipient: unrecognized recipient prefix "${hrp}"`);
+}
+
+exports.AeadVerificationError = AeadVerificationError;
+exports.CARDANO_POE_HKDF_INFO_KEK = CARDANO_POE_HKDF_INFO_KEK;
+exports.CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519;
+exports.CARDANO_POE_HKDF_INFO_SLOTS_MAC = CARDANO_POE_HKDF_INFO_SLOTS_MAC;
+exports.CARDANO_POE_SIG_DOMAIN_PREFIX = CARDANO_POE_SIG_DOMAIN_PREFIX;
+exports.CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES = CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES;
+exports.CanonicalCborError = CanonicalCborError;
+exports.CoseSign1BuildError = CoseSign1BuildError;
+exports.CoseVerifyError = CoseVerifyError;
+exports.EciesSealedPoeError = EciesSealedPoeError;
+exports.INFO_ED25519 = INFO_ED25519;
+exports.INFO_MLKEM768X25519 = INFO_MLKEM768X25519;
+exports.INFO_X25519 = INFO_X25519;
+exports.LEAVES_LIST_FORMAT_V1 = LEAVES_LIST_FORMAT_V1;
+exports.MERKLE_ALG_ID = MERKLE_ALG_ID;
+exports.MLKEM768X25519_ENC_LENGTH = MLKEM768X25519_ENC_LENGTH;
+exports.MLKEM768X25519_ESEED_LENGTH = MLKEM768X25519_ESEED_LENGTH;
+exports.MLKEM768X25519_PUBLIC_KEY_LENGTH = MLKEM768X25519_PUBLIC_KEY_LENGTH;
+exports.MLKEM768X25519_SEED_LENGTH = MLKEM768X25519_SEED_LENGTH;
+exports.MLKEM768X25519_SHARED_SECRET_LENGTH = MLKEM768X25519_SHARED_SECRET_LENGTH;
+exports.MerkleLeavesListError = MerkleLeavesListError;
+exports.SeedDeriveError = SeedDeriveError;
+exports.X25519LowOrderPointError = X25519LowOrderPointError;
+exports.argon2idV13 = argon2idV13;
+exports.bech32DecodeNoLimit = bech32DecodeNoLimit;
+exports.bech32EncodeNoLimit = bech32EncodeNoLimit;
+exports.blake2b224 = blake2b224;
+exports.blake2b256 = blake2b256;
+exports.buildCip309SigStructure = buildCip309SigStructure;
+exports.buildSigStructure = buildSigStructure;
+exports.chacha20Poly1305Decrypt = chacha20Poly1305Decrypt;
+exports.chacha20Poly1305Encrypt = chacha20Poly1305Encrypt;
+exports.chunkKemCt = chunkKemCt;
+exports.compareCt = compareCt;
+exports.coseSign1Cip309Build = coseSign1Cip309Build;
+exports.coseSign1Cip309Verify = coseSign1Cip309Verify;
+exports.decodeCanonicalCbor = decodeCanonicalCbor;
+exports.decodeCbor = decodeCbor;
+exports.decodeCoseSign1 = decodeCoseSign1;
+exports.decodeLeavesList = decodeLeavesList;
+exports.deriveEd25519KeypairFromSeed = deriveEd25519KeypairFromSeed;
+exports.deriveMlKem768X25519KeypairFromSeed = deriveMlKem768X25519KeypairFromSeed;
+exports.deriveX25519KeypairFromSeed = deriveX25519KeypairFromSeed;
+exports.dualHash = dualHash;
+exports.dualHashStream = dualHashStream;
+exports.eciesSealedPoeTrialDecrypt = eciesSealedPoeTrialDecrypt;
+exports.eciesSealedPoeUnwrap = eciesSealedPoeUnwrap;
+exports.eciesSealedPoeWrap = eciesSealedPoeWrap;
+exports.encodeAgeX25519Recipient = encodeAgeX25519Recipient;
+exports.encodeAgeXWingRecipient = encodeAgeXWingRecipient;
+exports.encodeCanonicalCbor = encodeCanonicalCbor;
+exports.encodeCoseSign1 = encodeCoseSign1;
+exports.encodeLeavesList = encodeLeavesList;
+exports.getPublicKeyEd25519 = getPublicKeyEd25519;
+exports.hexToBytes = hexToBytes;
+exports.hkdfSha256 = hkdfSha256;
+exports.joinKemCt = joinKemCt;
+exports.merkleSha2256InclusionProof = merkleSha2256InclusionProof;
+exports.merkleSha2256Root = merkleSha2256Root;
+exports.merkleSha2256VerifyInclusion = merkleSha2256VerifyInclusion;
+exports.mlkem768x25519Decapsulate = mlkem768x25519Decapsulate;
+exports.mlkem768x25519Encapsulate = mlkem768x25519Encapsulate;
+exports.mlkem768x25519Keygen = mlkem768x25519Keygen;
+exports.parseAgeRecipient = parseAgeRecipient;
+exports.parseCoseKeyEd25519 = parseCoseKeyEd25519;
+exports.sealedEnvelopeFromParsed = sealedEnvelopeFromParsed;
+exports.sha256 = sha256;
+exports.signEd25519 = signEd25519;
+exports.slotsToMacCbor = slotsToMacCbor;
+exports.uniformIndexBelow = uniformIndexBelow;
+exports.verifyEd25519 = verifyEd25519;
+exports.x25519Ecdh = x25519Ecdh;
+exports.x25519Keygen = x25519Keygen;
+exports.x25519PublicKey = x25519PublicKey;
+exports.xchacha20Poly1305Decrypt = xchacha20Poly1305Decrypt;
+exports.xchacha20Poly1305Encrypt = xchacha20Poly1305Encrypt;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map