@cardanowall/sdk-ts 0.0.0

package/dist/verifier/index.js

@@ -0,0 +1,4848 @@
+import { z } from 'zod';
+import { decode, cdeDecodeOptions, encode } from 'cbor2';
+import { sortCoreDeterministic } from 'cbor2/sorts';
+import { blake2b } from '@noble/hashes/blake2.js';
+import * as ed from '@noble/ed25519';
+import { sha512, sha256 } from '@noble/hashes/sha2.js';
+import { hkdf } from '@noble/hashes/hkdf.js';
+import { argon2id } from 'hash-wasm';
+import { xchacha20poly1305, chacha20poly1305 } from '@noble/ciphers/chacha.js';
+import '@noble/ciphers/utils.js';
+import { hmac } from '@noble/hashes/hmac.js';
+import '@noble/curves/abstract/edwards.js';
+import '@noble/curves/abstract/montgomery.js';
+import '@noble/curves/abstract/weierstrass.js';
+import { x25519 } from '@noble/curves/ed25519.js';
+import '@noble/curves/nist.js';
+import { concatBytes as concatBytes$1, asciiToBytes, bytesToNumberLE, bytesToNumberBE } from '@noble/curves/utils.js';
+import { sha3_256, shake256, sha3_512, shake128 } from '@noble/hashes/sha3.js';
+import { anumber, abytes, randomBytes as randomBytes$1, u32, swap32IfBE } from '@noble/hashes/utils.js';
+import { FFTCore, reverseBits } from '@noble/curves/abstract/fft.js';
+
+// src/verifier/types.ts
+var PROFILE_RANK = Object.freeze({
+  core: 0,
+  signed: 1,
+  sealed: 2,
+  "recipient-sealed": 3
+});
+var ChunkedBytesArraySchema = z.array(
+  z.instanceof(Uint8Array).refine((b) => b.length >= 1 && b.length <= 64, {
+    params: { code: "CHUNK_TOO_LARGE" }
+  })
+).min(1);
+var UTF8_ENCODER = new TextEncoder();
+var UriChunkArraySchema = z.array(
+  z.string().refine(
+    (s) => {
+      const n = UTF8_ENCODER.encode(s).length;
+      return n >= 1 && n <= 64;
+    },
+    { params: { code: "CHUNK_TOO_LARGE" } }
+  )
+).min(1);
+var HashDigestSchema = z.instanceof(Uint8Array);
+var HashesMapSchema = z.record(z.string(), HashDigestSchema);
+var MerkleCommitSchema = z.object({
+  alg: z.string(),
+  root: z.instanceof(Uint8Array),
+  leaf_count: z.number().int().min(1),
+  uris: z.array(UriChunkArraySchema).min(1).optional()
+}).strict();
+var SlotSchema = z.object({
+  epk: z.instanceof(Uint8Array).optional(),
+  kem_ct: ChunkedBytesArraySchema.optional(),
+  wrap: z.instanceof(Uint8Array).optional()
+});
+z.object({
+  m: z.number().int(),
+  t: z.number().int(),
+  p: z.number().int()
+}).strict();
+var PassphraseBlockSchema = z.object({
+  alg: z.string(),
+  salt: z.instanceof(Uint8Array).superRefine((bytes, ctx) => {
+    if (bytes.length < 16) {
+      ctx.addIssue({
+        code: "custom",
+        path: [],
+        message: `passphrase.salt length ${bytes.length} < 16`,
+        params: { code: "ENC_PASSPHRASE_SALT_TOO_SHORT" }
+      });
+    } else if (bytes.length > 64) {
+      ctx.addIssue({
+        code: "custom",
+        path: [],
+        message: `passphrase.salt length ${bytes.length} > 64`,
+        params: { code: "ENC_PASSPHRASE_SALT_TOO_LONG" }
+      });
+    }
+  }),
+  params: z.record(z.string(), z.unknown())
+}).strict();
+var EncryptionEnvelopeSchema = z.object({
+  scheme: z.unknown(),
+  aead: z.string(),
+  kem: z.string().optional(),
+  nonce: z.instanceof(Uint8Array),
+  slots: z.array(SlotSchema).optional(),
+  slots_mac: z.instanceof(Uint8Array).refine((b) => b.length === 32, {
+    params: { code: "ENC_SLOTS_MAC_INVALID_LENGTH" }
+  }).optional(),
+  passphrase: PassphraseBlockSchema.optional()
+}).strict();
+var ItemEntrySchema = z.object({
+  hashes: HashesMapSchema,
+  uris: z.array(UriChunkArraySchema).min(1).optional(),
+  // Captured as `unknown` so the validator can run the
+  // `ENC_REQUIRES_CONTENT_HASH` pre-check ahead of any inner-shape errors
+  // and surface the most informative code first.
+  enc: z.unknown().optional()
+}).strict();
+var SigEntrySchema = z.object({
+  cose_key: ChunkedBytesArraySchema.optional(),
+  cose_sign1: ChunkedBytesArraySchema
+}).strict();
+var SupersedesSchema = z.instanceof(Uint8Array).refine((b) => b.length === 32, {
+  params: { code: "SUPERSEDES_TX_INVALID_LENGTH" }
+});
+var VersionLiteralSchema = z.literal(1);
+var PoeRecordSchema = z.looseObject({
+  v: VersionLiteralSchema,
+  items: z.array(ItemEntrySchema).optional(),
+  merkle: z.array(MerkleCommitSchema).optional(),
+  supersedes: SupersedesSchema.optional(),
+  sigs: z.array(SigEntrySchema).optional(),
+  crit: z.array(z.string()).optional()
+});
+var TOP_LEVEL_BASE_KEYS = /* @__PURE__ */ new Set([
+  "v",
+  "items",
+  "merkle",
+  "supersedes",
+  "sigs",
+  "crit"
+]);
+var EXTENSION_KEY_VENDOR_RE = /^x-.+\n?$/;
+var EXTENSION_KEY_COMPANION_RE = /^[a-z]+-.+\n?$/;
+function isExtensionKey(k) {
+  return EXTENSION_KEY_VENDOR_RE.test(k) || EXTENSION_KEY_COMPANION_RE.test(k);
+}
+var CanonicalCborError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "CanonicalCborError";
+    this.code = code;
+  }
+};
+function encodeCanonicalCbor(value) {
+  return encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sortCoreDeterministic
+  });
+}
+function decodeCanonicalCbor(bytes) {
+  try {
+    return decode(bytes, {
+      ...cdeDecodeOptions,
+      rejectStreaming: true,
+      rejectDuplicateKeys: true,
+      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // `null` — and nothing else. Without these rejections the major-type-7
+      // surface leaks into the decoder: a float16/32/64 that happens to hold an
+      // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
+      // a `z.literal(1)` / Number.isInteger schema check, so two byte strings
+      // that are NOT byte-identical canonicalise to the same record. That
+      // breaks the cross-implementation parity invariant (the Python twin
+      // already rejects non-integer `v` / `enc.scheme` outright). Reject the
+      // whole non-record surface — floats, negative zero, undefined, and
+      // non-{true,false,null} simple values — so any such input surfaces as
+      // MALFORMED_CBOR via mapDecodeError rather than decoding to a look-alike.
+      rejectFloats: true,
+      rejectNegativeZero: true,
+      rejectUndefined: true,
+      rejectSimple: true
+    });
+  } catch (cause) {
+    throw mapDecodeError(cause);
+  }
+}
+function mapDecodeError(cause) {
+  const message = cause instanceof Error ? cause.message : String(cause);
+  const lower = message.toLowerCase();
+  const isIndefinite = lower.includes("streaming") || lower.includes("indefinite");
+  const detail = isIndefinite ? `indefinite-length items are not permitted in canonical CBOR: ${message}` : message;
+  return new CanonicalCborError("MALFORMED_CBOR", `cbor decode failed: ${detail}`, { cause });
+}
+function decodeCbor(bytes) {
+  return decode(bytes);
+}
+
+// ../poe-standard/src/encoder.ts
+function encodeRecordBodyForSigning(record) {
+  const body = recordToCborInternal(
+    record);
+  return encodeCanonicalCbor(body);
+}
+function recordToCborInternal(record, includeSigs) {
+  const out = { v: record.v };
+  if (record.items !== void 0) out["items"] = record.items.map(itemToCbor);
+  if (record.merkle !== void 0) out["merkle"] = record.merkle.map(merkleToCbor);
+  if (record.supersedes !== void 0) out["supersedes"] = record.supersedes;
+  if (record.crit !== void 0) out["crit"] = record.crit.slice();
+  for (const [k, v] of Object.entries(record)) {
+    if (k === "v" || k === "items" || k === "merkle" || k === "supersedes" || k === "sigs" || k === "crit") {
+      continue;
+    }
+    out[k] = v;
+  }
+  return out;
+}
+function itemToCbor(item) {
+  const out = { hashes: hashesToCbor(item.hashes) };
+  if (item.uris !== void 0) {
+    out["uris"] = item.uris.map((chunks) => chunks.slice());
+  }
+  if (item.enc !== void 0) {
+    out["enc"] = envelopeToCbor(item.enc);
+  }
+  return out;
+}
+function hashesToCbor(hashes3) {
+  const out = {};
+  for (const [alg, digest] of Object.entries(hashes3)) {
+    out[alg] = digest;
+  }
+  return out;
+}
+function merkleToCbor(commit) {
+  const out = {
+    alg: commit.alg,
+    root: commit.root,
+    leaf_count: commit.leaf_count
+  };
+  if (commit.uris !== void 0) {
+    out["uris"] = commit.uris.map((chunks) => chunks.slice());
+  }
+  return out;
+}
+function envelopeToCbor(enc) {
+  const out = {
+    scheme: enc.scheme,
+    aead: enc.aead,
+    nonce: enc.nonce
+  };
+  if (enc.kem !== void 0) out["kem"] = enc.kem;
+  if (enc.slots !== void 0) out["slots"] = enc.slots.map(slotToCbor);
+  if (enc.slots_mac !== void 0) out["slots_mac"] = enc.slots_mac;
+  if (enc.passphrase !== void 0) out["passphrase"] = passphraseToCbor(enc.passphrase);
+  return out;
+}
+function slotToCbor(slot) {
+  if (slot.kem_ct !== void 0) {
+    return { kem_ct: slot.kem_ct.map((c) => c), wrap: slot.wrap };
+  }
+  return { epk: slot.epk, wrap: slot.wrap };
+}
+function passphraseToCbor(pp) {
+  return {
+    alg: pp.alg,
+    salt: pp.salt,
+    params: pp.params
+  };
+}
+var CanonicalCborError2 = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "CanonicalCborError";
+    this.code = code;
+  }
+};
+function encodeCanonicalCbor2(value) {
+  return encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sortCoreDeterministic
+  });
+}
+function decodeCanonicalCbor2(bytes) {
+  try {
+    return decode(bytes, {
+      ...cdeDecodeOptions,
+      rejectStreaming: true,
+      rejectDuplicateKeys: true,
+      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // `null` — and nothing else. Without these rejections the major-type-7
+      // surface leaks into the decoder: a float16/32/64 that happens to hold an
+      // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
+      // a `z.literal(1)` / Number.isInteger schema check, so two byte strings
+      // that are NOT byte-identical canonicalise to the same record. That
+      // breaks the cross-implementation parity invariant (the Python twin
+      // already rejects non-integer `v` / `enc.scheme` outright). Reject the
+      // whole non-record surface — floats, negative zero, undefined, and
+      // non-{true,false,null} simple values — so any such input surfaces as
+      // MALFORMED_CBOR via mapDecodeError rather than decoding to a look-alike.
+      rejectFloats: true,
+      rejectNegativeZero: true,
+      rejectUndefined: true,
+      rejectSimple: true
+    });
+  } catch (cause) {
+    throw mapDecodeError2(cause);
+  }
+}
+function mapDecodeError2(cause) {
+  const message = cause instanceof Error ? cause.message : String(cause);
+  const lower = message.toLowerCase();
+  const isIndefinite = lower.includes("streaming") || lower.includes("indefinite");
+  const detail = isIndefinite ? `indefinite-length items are not permitted in canonical CBOR: ${message}` : message;
+  return new CanonicalCborError2("MALFORMED_CBOR", `cbor decode failed: ${detail}`, { cause });
+}
+function blake2b224(input) {
+  return blake2b(input, { dkLen: 28 });
+}
+ed.hashes.sha512 = sha512;
+var L = ed.Point.CURVE().n;
+function leBytesToBigInt(bytes) {
+  let value = 0n;
+  for (let i = bytes.length - 1; i >= 0; i--) {
+    value = value << 8n | BigInt(bytes[i]);
+  }
+  return value;
+}
+function verifyEd25519(opts2) {
+  const { signature, message, publicKey } = opts2;
+  if (signature.length !== 64 || publicKey.length !== 32) return false;
+  const S = leBytesToBigInt(signature.subarray(32, 64));
+  if (S >= L) return false;
+  let A;
+  let R;
+  try {
+    A = ed.Point.fromBytes(publicKey);
+    R = ed.Point.fromBytes(signature.subarray(0, 32));
+  } catch {
+    return false;
+  }
+  if (A.isSmallOrder() || R.isSmallOrder()) return false;
+  const k = leBytesToBigInt(ed.hash(concatBytes(signature.subarray(0, 32), publicKey, message))) % L;
+  const sB = S === 0n ? ed.Point.ZERO : ed.Point.BASE.multiplyUnsafe(S);
+  const kA = k === 0n ? ed.Point.ZERO : A.multiplyUnsafe(k);
+  return sB.subtract(kA).subtract(R).is0();
+}
+function concatBytes(...parts) {
+  let total = 0;
+  for (const p of parts) total += p.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const p of parts) {
+    out.set(p, offset);
+    offset += p.length;
+  }
+  return out;
+}
+function compareCt(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+var CoseVerifyError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "CoseVerifyError";
+    this.code = code;
+  }
+};
+var CARDANO_POE_SIG_DOMAIN_PREFIX = "cardano-poe-record-sig-v1";
+var CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES = new TextEncoder().encode(
+  CARDANO_POE_SIG_DOMAIN_PREFIX
+);
+if (CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length !== 25) {
+  throw new Error(
+    `cardano-poe-record-sig-v1 prefix must encode to exactly 25 UTF-8 bytes, got ${CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length}`
+  );
+}
+var EMPTY_BYTES = new Uint8Array(0);
+function buildSigStructure(args) {
+  return encodeCanonicalCbor2([
+    args.context,
+    args.bodyProtectedBytes,
+    args.externalAad,
+    args.payload
+  ]);
+}
+function buildCip309SigStructure(args) {
+  const toSign = new Uint8Array(
+    CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + args.recordBodyCbor.length
+  );
+  toSign.set(CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES, 0);
+  toSign.set(args.recordBodyCbor, CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length);
+  return buildSigStructure({
+    context: "Signature1",
+    bodyProtectedBytes: args.bodyProtectedBytes,
+    externalAad: EMPTY_BYTES,
+    payload: toSign
+  });
+}
+function asCoseHeader(value) {
+  if (value instanceof Map) return value;
+  if (value !== null && typeof value === "object" && value.constructor === Object) {
+    return new Map(Object.entries(value));
+  }
+  return null;
+}
+function decodeCoseSign1(bytes) {
+  let arr;
+  try {
+    arr = decodeCanonicalCbor2(bytes);
+  } catch (cause) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "cose decode failed", { cause });
+  }
+  if (!Array.isArray(arr) || arr.length !== 4) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "expected 4-element array");
+  }
+  const [protectedBytesRaw, unprotectedRaw, payloadRaw, signatureRaw] = arr;
+  if (!(protectedBytesRaw instanceof Uint8Array)) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "protected_bytes must be bytes");
+  }
+  const unprotectedHeader = asCoseHeader(unprotectedRaw);
+  if (unprotectedHeader === null) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "unprotected header must be map");
+  }
+  if (payloadRaw !== null && !(payloadRaw instanceof Uint8Array)) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "payload must be bytes or null");
+  }
+  if (!(signatureRaw instanceof Uint8Array) || signatureRaw.length !== 64) {
+    throw new CoseVerifyError("MALFORMED_SIG_COSE", "signature must be 64 bytes");
+  }
+  let protectedHeader;
+  if (protectedBytesRaw.length === 0) {
+    protectedHeader = /* @__PURE__ */ new Map();
+  } else {
+    let decodedProtected;
+    try {
+      decodedProtected = decodeCanonicalCbor2(protectedBytesRaw);
+    } catch (cause) {
+      throw new CoseVerifyError("MALFORMED_SIG_COSE", "protected header decode failed", { cause });
+    }
+    const ph = asCoseHeader(decodedProtected);
+    if (ph === null) {
+      throw new CoseVerifyError("MALFORMED_SIG_COSE", "protected header must decode to map");
+    }
+    if (ph.size === 0) {
+      throw new CoseVerifyError(
+        "MALFORMED_SIG_COSE",
+        "empty protected header must encode as 0x40 (zero-length bstr), not as an empty map"
+      );
+    }
+    protectedHeader = ph;
+  }
+  return {
+    protectedHeader,
+    protectedBytes: protectedBytesRaw,
+    unprotectedHeader,
+    payload: payloadRaw,
+    signature: signatureRaw
+  };
+}
+function coseSign1Cip309Verify(args) {
+  let decoded;
+  try {
+    decoded = decodeCoseSign1(args.message);
+  } catch (e) {
+    if (e instanceof CoseVerifyError) {
+      return { ok: false, error: { code: e.code, message: "errors.cose.malformed" } };
+    }
+    if (e instanceof CanonicalCborError2) {
+      return {
+        ok: false,
+        error: { code: "MALFORMED_SIG_COSE", message: "errors.cose.malformed_cbor" }
+      };
+    }
+    throw e;
+  }
+  if (decoded.payload !== null) {
+    return {
+      ok: false,
+      error: {
+        code: "MALFORMED_SIG_COSE_SIGN1",
+        message: "errors.cose.attached_payload_forbidden"
+      }
+    };
+  }
+  const alg = decoded.protectedHeader.get(1);
+  if (typeof alg !== "number" || alg !== -8) {
+    return {
+      ok: false,
+      error: { code: "UNSUPPORTED_SIG_ALG", message: "errors.cose.unsupported_alg" }
+    };
+  }
+  const kidRaw = decoded.protectedHeader.get(4);
+  let signerKey;
+  if (kidRaw instanceof Uint8Array && kidRaw.length === 32) {
+    signerKey = kidRaw;
+  } else if (args.expectedSignerKey instanceof Uint8Array && args.expectedSignerKey.length === 32) {
+    signerKey = args.expectedSignerKey;
+  }
+  if (signerKey === void 0) {
+    return {
+      ok: false,
+      error: { code: "KID_UNRESOLVED", message: "errors.cose.kid_unresolved" }
+    };
+  }
+  if (kidRaw instanceof Uint8Array && kidRaw.length === 32 && args.expectedSignerKey instanceof Uint8Array && args.expectedSignerKey.length === 32 && !compareCt(kidRaw, args.expectedSignerKey)) {
+    return {
+      ok: false,
+      error: { code: "KID_UNRESOLVED", message: "errors.cose.kid_mismatch" }
+    };
+  }
+  const hashedFlag = decoded.unprotectedHeader.get("hashed");
+  let sigStructureBytes;
+  if (hashedFlag === true) {
+    const toSign = new Uint8Array(
+      CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + args.detachedRecordBodyCbor.length
+    );
+    toSign.set(CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES, 0);
+    toSign.set(args.detachedRecordBodyCbor, CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length);
+    const hashedPayload = blake2b224(toSign);
+    sigStructureBytes = buildSigStructure({
+      context: "Signature1",
+      bodyProtectedBytes: decoded.protectedBytes,
+      externalAad: EMPTY_BYTES,
+      payload: hashedPayload
+    });
+  } else {
+    sigStructureBytes = buildCip309SigStructure({
+      bodyProtectedBytes: decoded.protectedBytes,
+      recordBodyCbor: args.detachedRecordBodyCbor
+    });
+  }
+  const valid = verifyEd25519({
+    publicKey: signerKey,
+    message: sigStructureBytes,
+    signature: decoded.signature
+  });
+  if (!valid) {
+    return {
+      ok: false,
+      error: { code: "SIGNATURE_INVALID", message: "errors.cose.signature_invalid" }
+    };
+  }
+  return { ok: true, signerKey, alg };
+}
+var COSE_KEY_LABEL_KTY = 1;
+var COSE_KEY_LABEL_ALG = 3;
+var COSE_KEY_LABEL_CRV = -1;
+var COSE_KEY_LABEL_X = -2;
+var KTY_OKP = 1;
+var ALG_EDDSA = -8;
+var CRV_ED25519 = 6;
+var ED25519_PUBLIC_KEY_LENGTH = 32;
+function asMap(value) {
+  if (value instanceof Map) return value;
+  if (value !== null && typeof value === "object" && value.constructor === Object) {
+    return new Map(Object.entries(value));
+  }
+  return null;
+}
+function parseCoseKeyEd25519(blob) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor2(blob);
+  } catch {
+    return null;
+  }
+  const map = asMap(decoded);
+  if (map === null) return null;
+  const kty = map.get(COSE_KEY_LABEL_KTY);
+  if (typeof kty !== "number" || kty !== KTY_OKP) return null;
+  const crv = map.get(COSE_KEY_LABEL_CRV);
+  if (typeof crv !== "number" || crv !== CRV_ED25519) return null;
+  if (map.has(COSE_KEY_LABEL_ALG)) {
+    const alg = map.get(COSE_KEY_LABEL_ALG);
+    if (typeof alg !== "number" || alg !== ALG_EDDSA) return null;
+  }
+  const x = map.get(COSE_KEY_LABEL_X);
+  if (!(x instanceof Uint8Array) || x.length !== ED25519_PUBLIC_KEY_LENGTH) return null;
+  return x;
+}
+
+// ../poe-standard/src/chunked.ts
+var UTF8_ENCODER2 = new TextEncoder();
+function bytesChunkArrayConcat(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+function reconstructChunkedUri(chunks) {
+  const merged = bytesChunkArrayConcat(chunks.map((c) => UTF8_ENCODER2.encode(c)));
+  try {
+    const uri = new TextDecoder("utf-8", { fatal: true }).decode(merged);
+    return { ok: true, uri };
+  } catch (cause) {
+    return {
+      ok: false,
+      code: "INVALID_URI",
+      reason: cause instanceof Error ? cause.message : String(cause)
+    };
+  }
+}
+var SEVERITY = Object.freeze({
+  // --- Part A ---
+  MALFORMED_CBOR: "error",
+  SCHEMA_TYPE_MISMATCH: "error",
+  SCHEMA_MISSING_REQUIRED: "error",
+  SCHEMA_UNKNOWN_FIELD: "error",
+  SCHEMA_INVALID_LITERAL: "error",
+  SCHEMA_EMPTY_RECORD: "error",
+  HASH_DIGEST_LENGTH_MISMATCH: "error",
+  UNSUPPORTED_HASH_ALG: "error",
+  UNSUPPORTED_MERKLE_COMMIT_ALG: "error",
+  INVALID_URI: "error",
+  CHUNK_TOO_LARGE: "error",
+  UNAUTHENTICATED_CIPHER_FORBIDDEN: "error",
+  UNSUPPORTED_AEAD_ALG: "error",
+  NONCE_LENGTH_MISMATCH: "error",
+  UNSUPPORTED_ENVELOPE_SCHEME: "error",
+  ENC_SLOTS_EMPTY: "error",
+  ENC_SLOT_INVALID_SHAPE: "error",
+  UNSUPPORTED_KEM_ALG: "error",
+  ENC_KEM_REQUIRED: "error",
+  KEM_EPK_LENGTH_MISMATCH: "error",
+  KEM_CT_LENGTH_MISMATCH: "error",
+  WRAP_LENGTH_MISMATCH: "error",
+  ENC_SLOTS_MAC_INVALID_LENGTH: "error",
+  ENC_SLOTS_MAC_REQUIRED: "error",
+  ENC_SLOTS_REQUIRED: "error",
+  ENC_EXCLUSIVITY_VIOLATION: "error",
+  ENC_NO_KEY_PATH: "error",
+  ENC_REQUIRES_CONTENT_HASH: "error",
+  ENC_PASSPHRASE_ALG_UNSUPPORTED: "error",
+  ENC_PASSPHRASE_SALT_TOO_SHORT: "error",
+  ENC_PASSPHRASE_SALT_TOO_LONG: "error",
+  ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW: "error",
+  ENC_PASSPHRASE_PARAMS_EXCEED_POLICY: "error",
+  MALFORMED_SIG_COSE_SIGN1: "error",
+  SIGNATURE_UNSUPPORTED: "info",
+  SIG_ENTRY_INVALID_SHAPE: "error",
+  SIG_ENTRY_KID_COSE_KEY_CONFLICT: "error",
+  SIG_PRIVATE_KEY_LEAKED: "error",
+  SUPERSEDES_TX_INVALID_LENGTH: "error",
+  EXTENSION_UNSUPPORTED_CRITICAL: "error",
+  CRIT_SHAPE_INVALID: "error",
+  // --- Part B ---
+  METADATA_NOT_FOUND: "error",
+  INSUFFICIENT_CONFIRMATIONS: "info",
+  SIGNATURE_INVALID: "error",
+  SIGNER_KEY_UNRESOLVED: "error",
+  WALLET_ADDRESS_MISMATCH: "error",
+  URI_TARGET_FORBIDDEN: "error",
+  URI_INTEGRITY_MISMATCH: "error",
+  URI_FETCH_FAILED: "warning",
+  CONTENT_UNAVAILABLE: "error",
+  CIPHERTEXT_UNAVAILABLE: "error",
+  PROVIDER_UNAVAILABLE: "error",
+  SERVICE_INDEPENDENCE_VIOLATION: "error",
+  WRONG_DECRYPTION_INPUT_SHAPE: "error",
+  WRONG_RECIPIENT_KEY: "error",
+  TAMPERED_HEADER: "error",
+  TAMPERED_CIPHERTEXT: "error",
+  KDF_DERIVATION_FAILED: "error",
+  SCHEMA_MERKLE_LEAF_COUNT_MISMATCH: "error",
+  SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED: "error",
+  SCHEMA_MERKLE_LEAVES_MALFORMED: "error",
+  MERKLE_ROOT_MISMATCH: "error",
+  MERKLE_LEAVES_UNAVAILABLE: "warning",
+  MERKLE_LEAVES_INFORMATIVE_FORM: "info",
+  // Dual-severity — default reading is `info`; the verifier promotes to
+  // `error` for merkle-only records (no `items[]` content claim was
+  // validated in the same record).
+  MERKLE_UNSUPPORTED: "info",
+  // Dual-severity — default reading is `info` (render mode); strict
+  // end-to-end verifiers promote to `error`.
+  OUT_OF_PROFILE_SKIPPED: "info"
+});
+
+// ../poe-standard/src/validator.ts
+var HASH_ALG_LENGTHS = {
+  "sha2-256": 32,
+  "blake2b-256": 32
+};
+var MERKLE_COMMIT_ALG_LENGTHS = {
+  "rfc9162-sha256": 32
+};
+var AEAD_NONCE_LENGTHS = {
+  "xchacha20-poly1305": 24
+};
+var UNAUTHENTICATED_CIPHER_RE = /(?:^|[-_])(?:cbc|ctr|ecb|cfb|ofb)(?:[-_]|\n?$)|^(?:rc4|des|3des)(?:[-_]|\n?$)/i;
+var KEM_SLOT_DESCRIPTORS = {
+  x25519: { field: "epk", fieldLength: 32, wrapLength: 48 },
+  mlkem768x25519: { field: "kem_ct", fieldLength: 1120, wrapLength: 48 }
+};
+var KEM_FIELD_LENGTH_CODE = {
+  epk: "KEM_EPK_LENGTH_MISMATCH",
+  kem_ct: "KEM_CT_LENGTH_MISMATCH"
+};
+var PASSPHRASE_KDF_ALGS = /* @__PURE__ */ new Set(["argon2id"]);
+var KNOWN_SIG_ALG_IDS = /* @__PURE__ */ new Set([-8, -19]);
+function validatePoeRecord(bytes) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(bytes);
+  } catch (cause) {
+    return {
+      ok: false,
+      issues: [
+        {
+          code: "MALFORMED_CBOR",
+          path: [],
+          message: cause instanceof Error ? cause.message : String(cause),
+          severity: "error"
+        }
+      ]
+    };
+  }
+  const parse = PoeRecordSchema.safeParse(decoded);
+  if (!parse.success) {
+    const issues = parse.error.issues.map((issue2) => mapZodIssue(issue2, decoded)).sort(compareIssuePath);
+    return { ok: false, issues };
+  }
+  const record = parse.data;
+  const errors = [];
+  const warnings = [];
+  const info = [];
+  const itemsLen = Array.isArray(record.items) ? record.items.length : 0;
+  const merkleLen = Array.isArray(record.merkle) ? record.merkle.length : 0;
+  if (itemsLen === 0 && merkleLen === 0) {
+    errors.push(
+      issue(
+        "SCHEMA_EMPTY_RECORD",
+        [],
+        "record must carry at least one of items[] or merkle[] non-empty"
+      )
+    );
+  }
+  const decodedTopKeys = topLevelKeysOf(decoded);
+  const critShapeInvalidIndices = checkCritShape(record, decodedTopKeys, errors);
+  for (const k of decodedTopKeys) {
+    if (TOP_LEVEL_BASE_KEYS.has(k)) continue;
+    if (isExtensionKey(k)) continue;
+    errors.push(issue("SCHEMA_UNKNOWN_FIELD", [k], `unknown top-level field: ${k}`));
+  }
+  if (Array.isArray(record.crit)) {
+    for (let i = 0; i < record.crit.length; i++) {
+      if (critShapeInvalidIndices.has(i)) continue;
+      const critName = record.crit[i];
+      errors.push(
+        issue(
+          "EXTENSION_UNSUPPORTED_CRITICAL",
+          ["crit", i],
+          `crit lists extension '${critName}' that this validator does not implement`
+        )
+      );
+    }
+  }
+  for (let i = 0; i < (record.items ?? []).length; i++) {
+    const item = record.items[i];
+    checkItemHashes(item, i, errors);
+    if (item.uris) checkItemUris(item.uris, ["items", i, "uris"], errors);
+    if (item.enc !== void 0) checkItemEnc(item, i, errors);
+  }
+  for (let i = 0; i < (record.merkle ?? []).length; i++) {
+    const commit = record.merkle[i];
+    checkMerkleCommit(commit, i, errors);
+  }
+  if (record.sigs) {
+    for (let i = 0; i < record.sigs.length; i++) {
+      checkSigEntry(record.sigs[i], i, errors, info);
+    }
+  }
+  if (errors.length > 0) {
+    return { ok: false, issues: errors.sort(compareIssuePath) };
+  }
+  const result = {
+    ok: true,
+    record
+  };
+  if (warnings.length > 0) result.warnings = warnings.sort(compareIssuePath);
+  if (info.length > 0) result.info = info.sort(compareIssuePath);
+  return result;
+}
+function mapZodIssue(zissue, decoded) {
+  const path = zissue.path;
+  const explicit = zissue.params?.code;
+  if (explicit !== void 0) {
+    return issue(explicit, path, zissue.message);
+  }
+  const inSigsEntry = path.length >= 2 && path[0] === "sigs" && typeof path[1] === "number";
+  const isInSlotEntry = (() => {
+    if (path.length >= 5 && path[0] === "items" && typeof path[1] === "number" && path[2] === "enc" && path[3] === "slots" && typeof path[4] === "number") {
+      return true;
+    }
+    if (path.length >= 2 && path[0] === "slots" && typeof path[1] === "number") {
+      return true;
+    }
+    return false;
+  })();
+  const valueAtIssue = valueAtPath(decoded, path);
+  const isMissing = valueAtIssue === void 0;
+  switch (zissue.code) {
+    case "invalid_type":
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (isMissing) {
+        if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+        return issue("SCHEMA_MISSING_REQUIRED", path, zissue.message);
+      }
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+    case "invalid_value":
+      if (path.length === 1 && path[0] === "v") {
+        return issue(
+          isMissing ? "SCHEMA_MISSING_REQUIRED" : "SCHEMA_INVALID_LITERAL",
+          path,
+          zissue.message
+        );
+      }
+      return issue("SCHEMA_INVALID_LITERAL", path, zissue.message);
+    case "unrecognized_keys":
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_UNKNOWN_FIELD", path, zissue.message);
+    case "invalid_format":
+    case "too_big":
+    case "too_small":
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+    case "invalid_union":
+    case "invalid_key":
+    case "invalid_element":
+    case "custom":
+    default:
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+  }
+}
+function checkItemHashes(item, idx, errors) {
+  const entries = Object.entries(item.hashes);
+  if (entries.length === 0) {
+    errors.push(
+      issue(
+        "SCHEMA_TYPE_MISMATCH",
+        ["items", idx, "hashes"],
+        "hashes must be a non-empty CBOR map of <alg-id> -> <digest>"
+      )
+    );
+    return;
+  }
+  for (const [alg, digest] of entries) {
+    if (!(alg in HASH_ALG_LENGTHS)) {
+      errors.push(
+        issue("UNSUPPORTED_HASH_ALG", ["items", idx, "hashes", alg], `unknown hash alg: ${alg}`)
+      );
+      continue;
+    }
+    const expected = HASH_ALG_LENGTHS[alg];
+    if (digest.length !== expected) {
+      errors.push(
+        issue(
+          "HASH_DIGEST_LENGTH_MISMATCH",
+          ["items", idx, "hashes", alg],
+          `hashes['${alg}'] digest length ${digest.length} != ${expected}`
+        )
+      );
+    }
+  }
+}
+function checkItemUris(uris, basePath, errors) {
+  uris.forEach((chunks, ui) => validateOneUri(chunks, [...basePath, ui], errors));
+}
+function validateOneUri(chunks, path, errors) {
+  const reconstructed = reconstructChunkedUri(chunks);
+  if (!reconstructed.ok) {
+    errors.push(issue(reconstructed.code, path, reconstructed.reason));
+    return;
+  }
+  const uri = reconstructed.uri;
+  if (uri.includes("#")) {
+    errors.push(
+      issue(
+        "INVALID_URI",
+        path,
+        "URI contains a fragment identifier ('#'), which is forbidden"
+      )
+    );
+    return;
+  }
+  const sepIdx = uri.indexOf("://");
+  if (sepIdx <= 0 || !/^[a-z][a-z0-9+.-]*$/i.test(uri.slice(0, sepIdx))) {
+    errors.push(
+      issue("INVALID_URI", path, "URI is not absolute (missing scheme://hierarchical-part)")
+    );
+    return;
+  }
+  const scheme = uri.slice(0, sepIdx).toLowerCase();
+  const rest = uri.slice(sepIdx + "://".length);
+  if (scheme === "ar") {
+    if (!/^ar:\/\/[A-Za-z0-9_-]{43}$/.test("ar://" + rest)) {
+      errors.push(
+        issue(
+          "INVALID_URI",
+          path,
+          "ar:// URI does not match `^ar://[A-Za-z0-9_-]{43}$` (43-char base64url txid, no path/query/fragment)"
+        )
+      );
+    }
+    return;
+  }
+  if (scheme === "ipfs") {
+    const slashIdx = rest.indexOf("/");
+    const cid = slashIdx === -1 ? rest : rest.slice(0, slashIdx);
+    if (!validateCidProfile(cid)) {
+      errors.push(
+        issue(
+          "INVALID_URI",
+          path,
+          "ipfs:// URI is not a valid CID under the CIP-309 profile"
+        )
+      );
+    }
+    return;
+  }
+  errors.push(
+    issue(
+      "INVALID_URI",
+      path,
+      "unsupported URI scheme; v1 PoE URI set is {ar://, ipfs://}"
+    )
+  );
+}
+function checkItemEnc(item, idx, errors) {
+  const hasContentHash = Object.keys(item.hashes).some((alg) => alg in HASH_ALG_LENGTHS);
+  if (!hasContentHash) {
+    errors.push(
+      issue(
+        "ENC_REQUIRES_CONTENT_HASH",
+        ["items", idx, "enc"],
+        "item carries `enc` but `hashes` has no content-hash entry (sha2-256 or blake2b-256)"
+      )
+    );
+    return;
+  }
+  const encParse = EncryptionEnvelopeSchema.safeParse(item.enc);
+  if (!encParse.success) {
+    for (const zissue of encParse.error.issues) {
+      const mapped = mapZodIssue(zissue, item.enc);
+      errors.push({
+        ...mapped,
+        path: ["items", idx, "enc", ...mapped.path]
+      });
+    }
+    return;
+  }
+  const enc = encParse.data;
+  const basePath = ["items", idx, "enc"];
+  if (typeof enc.scheme !== "number" || !Number.isInteger(enc.scheme) || enc.scheme !== 1) {
+    errors.push(
+      issue(
+        "UNSUPPORTED_ENVELOPE_SCHEME",
+        [...basePath, "scheme"],
+        `enc.scheme must be the unsigned integer 1; got ${String(enc.scheme)}`
+      )
+    );
+  }
+  if (UNAUTHENTICATED_CIPHER_RE.test(enc.aead)) {
+    errors.push(
+      issue(
+        "UNAUTHENTICATED_CIPHER_FORBIDDEN",
+        [...basePath, "aead"],
+        `'${enc.aead}' is an unauthenticated cipher; CIP-309 mandates an authenticated (AEAD) cipher`
+      )
+    );
+    return;
+  }
+  if (!(enc.aead in AEAD_NONCE_LENGTHS)) {
+    errors.push(
+      issue("UNSUPPORTED_AEAD_ALG", [...basePath, "aead"], `unknown aead alg: ${enc.aead}`)
+    );
+    return;
+  }
+  const expectedNonceLen = AEAD_NONCE_LENGTHS[enc.aead];
+  if (enc.nonce.length !== expectedNonceLen) {
+    errors.push(
+      issue(
+        "NONCE_LENGTH_MISMATCH",
+        [...basePath, "nonce"],
+        `nonce length ${enc.nonce.length} != ${expectedNonceLen} for ${enc.aead}`
+      )
+    );
+  }
+  if (enc.kem !== void 0 && !(enc.kem in KEM_SLOT_DESCRIPTORS)) {
+    errors.push(issue("UNSUPPORTED_KEM_ALG", [...basePath, "kem"], `unknown kem alg: ${enc.kem}`));
+  }
+  const hasSlots = enc.slots !== void 0;
+  const hasSlotsMac = enc.slots_mac !== void 0;
+  const hasPassphrase = enc.passphrase !== void 0;
+  if (hasSlots && hasPassphrase) {
+    errors.push(
+      issue("ENC_EXCLUSIVITY_VIOLATION", basePath, "enc combines slots with passphrase; pick one")
+    );
+  }
+  if (hasSlots && !hasSlotsMac) {
+    errors.push(
+      issue("ENC_SLOTS_MAC_REQUIRED", basePath, "enc.slots present but enc.slots_mac absent")
+    );
+  }
+  if (hasSlotsMac && !hasSlots) {
+    errors.push(
+      issue("ENC_SLOTS_REQUIRED", basePath, "enc.slots_mac present but enc.slots absent")
+    );
+  }
+  if (hasSlots && enc.kem === void 0) {
+    errors.push(issue("ENC_KEM_REQUIRED", basePath, "enc.slots present but enc.kem absent"));
+  }
+  if (!hasSlots && !hasPassphrase) {
+    errors.push(
+      issue(
+        "ENC_NO_KEY_PATH",
+        basePath,
+        "enc requires either slots or passphrase \u2014 no on-chain key path otherwise"
+      )
+    );
+  }
+  if (hasSlots) {
+    if (enc.slots.length < 1) {
+      errors.push(
+        issue("ENC_SLOTS_EMPTY", [...basePath, "slots"], `slots length ${enc.slots.length} < 1`)
+      );
+    }
+    const descriptor = enc.kem !== void 0 ? KEM_SLOT_DESCRIPTORS[enc.kem] : void 0;
+    if (descriptor !== void 0) {
+      const rawSlotKeys = rawSlotKeySets(item.enc);
+      enc.slots.forEach((slot, si) => {
+        checkSlotShape(
+          slot,
+          rawSlotKeys[si] ?? /* @__PURE__ */ new Set(),
+          descriptor,
+          enc.kem,
+          [...basePath, "slots", si],
+          errors
+        );
+      });
+    }
+  }
+  if (hasPassphrase) {
+    const pp = enc.passphrase;
+    const ppPath = [...basePath, "passphrase"];
+    if (!PASSPHRASE_KDF_ALGS.has(pp.alg)) {
+      errors.push(
+        issue(
+          "ENC_PASSPHRASE_ALG_UNSUPPORTED",
+          [...ppPath, "alg"],
+          `unknown passphrase kdf alg: ${pp.alg}`
+        )
+      );
+      return;
+    }
+    if (pp.alg === "argon2id") {
+      const allowed = /* @__PURE__ */ new Set(["m", "t", "p"]);
+      for (const k of Object.keys(pp.params)) {
+        if (!allowed.has(k)) {
+          errors.push(
+            issue(
+              "SCHEMA_UNKNOWN_FIELD",
+              [...ppPath, "params", k],
+              `unknown argon2id params field: ${k}`
+            )
+          );
+        }
+      }
+      const p = pp.params;
+      const argonInt = (val, name) => {
+        if (typeof val !== "number" || !Number.isInteger(val)) {
+          errors.push(
+            issue(
+              "SCHEMA_TYPE_MISMATCH",
+              [...ppPath, "params", name],
+              `argon2id params.${name} must be a CBOR unsigned integer`
+            )
+          );
+          return null;
+        }
+        return val;
+      };
+      const mVal = argonInt(p.m, "m");
+      const tVal = argonInt(p.t, "t");
+      const pVal = argonInt(p.p, "p");
+      if (mVal !== null && mVal < 65536) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "m"],
+            "argon2id requires m >= 65536 KiB"
+          )
+        );
+      }
+      if (tVal !== null && tVal < 3) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "t"],
+            "argon2id requires t >= 3"
+          )
+        );
+      }
+      if (pVal !== null && pVal < 1) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "p"],
+            "argon2id requires p >= 1"
+          )
+        );
+      }
+    }
+  }
+}
+var SLOT_KEY_UNIVERSE = /* @__PURE__ */ new Set(["epk", "kem_ct", "wrap"]);
+function checkSlotShape(slot, rawKeys, descriptor, kem, slotPath, errors) {
+  const foreignField = descriptor.field === "epk" ? "kem_ct" : "epk";
+  if (rawKeys.has(foreignField)) {
+    errors.push(
+      issue(
+        "ENC_SLOT_INVALID_SHAPE",
+        [...slotPath, foreignField],
+        `slot carries '${foreignField}' but kem='${kem}' expects '${descriptor.field}'`
+      )
+    );
+  }
+  for (const k of rawKeys) {
+    if (!SLOT_KEY_UNIVERSE.has(k)) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, k],
+          `slot carries unexpected key '${k}'; a slot is a 2-key map {${descriptor.field}, wrap}`
+        )
+      );
+    }
+  }
+  if (descriptor.field === "epk") {
+    if (slot.epk === void 0) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, "epk"],
+          `slot for kem='${kem}' is missing required 'epk'`
+        )
+      );
+    } else if (slot.epk.length !== descriptor.fieldLength) {
+      errors.push(
+        issue(
+          KEM_FIELD_LENGTH_CODE.epk,
+          [...slotPath, "epk"],
+          `slot.epk length ${slot.epk.length} != ${descriptor.fieldLength} for ${kem}`
+        )
+      );
+    }
+  } else {
+    if (slot.kem_ct === void 0) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, "kem_ct"],
+          `slot for kem='${kem}' is missing required 'kem_ct'`
+        )
+      );
+    } else {
+      const reassembled = bytesChunkArrayConcat(slot.kem_ct).length;
+      if (reassembled !== descriptor.fieldLength) {
+        errors.push(
+          issue(
+            KEM_FIELD_LENGTH_CODE.kem_ct,
+            [...slotPath, "kem_ct"],
+            `slot.kem_ct reassembles to ${reassembled} bytes != ${descriptor.fieldLength} for ${kem}`
+          )
+        );
+      }
+    }
+  }
+  if (slot.wrap === void 0) {
+    errors.push(
+      issue(
+        "ENC_SLOT_INVALID_SHAPE",
+        [...slotPath, "wrap"],
+        `slot for kem='${kem}' is missing required 'wrap'`
+      )
+    );
+  } else if (slot.wrap.length !== descriptor.wrapLength) {
+    errors.push(
+      issue(
+        "WRAP_LENGTH_MISMATCH",
+        [...slotPath, "wrap"],
+        `slot.wrap length ${slot.wrap.length} != ${descriptor.wrapLength}`
+      )
+    );
+  }
+}
+function rawSlotKeySets(rawEnc) {
+  const slots = mapLikeGet(rawEnc, "slots");
+  if (!Array.isArray(slots)) return [];
+  return slots.map((slot) => {
+    const keys = /* @__PURE__ */ new Set();
+    if (slot instanceof Map) {
+      for (const k of slot.keys()) if (typeof k === "string") keys.add(k);
+    } else if (typeof slot === "object" && slot !== null) {
+      for (const k of Object.keys(slot)) keys.add(k);
+    }
+    return keys;
+  });
+}
+function mapLikeGet(value, key) {
+  if (value instanceof Map) return value.get(key);
+  if (typeof value === "object" && value !== null) {
+    return value[key];
+  }
+  return void 0;
+}
+function checkMerkleCommit(commit, idx, errors) {
+  const basePath = ["merkle", idx];
+  if (!(commit.alg in MERKLE_COMMIT_ALG_LENGTHS)) {
+    errors.push(
+      issue(
+        "UNSUPPORTED_MERKLE_COMMIT_ALG",
+        [...basePath, "alg"],
+        `unknown merkle commitment alg: ${commit.alg}`
+      )
+    );
+    return;
+  }
+  const expected = MERKLE_COMMIT_ALG_LENGTHS[commit.alg];
+  if (commit.root.length !== expected) {
+    errors.push(
+      issue(
+        "HASH_DIGEST_LENGTH_MISMATCH",
+        [...basePath, "root"],
+        `merkle entry root length ${commit.root.length} != ${expected} for ${commit.alg}`
+      )
+    );
+  }
+  if (commit.uris) {
+    checkItemUris(commit.uris, [...basePath, "uris"], errors);
+  }
+}
+function checkSigEntry(entry, idx, errors, info) {
+  if (entry.cose_key !== void 0) {
+    const keyIssue = inspectCoseKey(entry.cose_key, idx);
+    if (keyIssue !== null) {
+      errors.push(keyIssue);
+      return;
+    }
+  }
+  const merged = bytesChunkArrayConcat(entry.cose_sign1);
+  let cose;
+  try {
+    cose = decodeCoseSign1(merged);
+  } catch (cause) {
+    errors.push(
+      issue(
+        "MALFORMED_SIG_COSE_SIGN1",
+        ["sigs", idx],
+        cause instanceof CoseVerifyError || cause instanceof Error ? cause.message : String(cause)
+      )
+    );
+    return;
+  }
+  if (cose.payload !== null) {
+    errors.push(
+      issue(
+        "MALFORMED_SIG_COSE_SIGN1",
+        ["sigs", idx],
+        "COSE_Sign1 payload must be null (detached); attached form forbidden"
+      )
+    );
+    return;
+  }
+  const alg = cose.protectedHeader.get(1);
+  if (typeof alg !== "number" || !KNOWN_SIG_ALG_IDS.has(alg)) {
+    info.push(
+      issue(
+        "SIGNATURE_UNSUPPORTED",
+        ["sigs", idx],
+        `COSE_Sign1 protected alg ${String(alg)} not in {-8, -19}`
+      )
+    );
+  }
+  const protectedKid = cose.protectedHeader.get(4);
+  if (protectedKid instanceof Uint8Array && protectedKid.length === 32 && entry.cose_key !== void 0) {
+    errors.push(
+      issue(
+        "SIG_ENTRY_KID_COSE_KEY_CONFLICT",
+        ["sigs", idx],
+        "sigs[i] carries both a 32-byte protected `kid` (path 1) and an inline `cose_key` (path 2); paths are mutually exclusive"
+      )
+    );
+  }
+}
+function inspectCoseKey(keyChunks, i) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(bytesChunkArrayConcat(keyChunks));
+  } catch (cause) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key failed to decode as cbor<COSE_Key>: ${cause instanceof Error ? cause.message : String(cause)}`
+    );
+  }
+  const getLabel = (label) => {
+    if (decoded instanceof Map) return decoded.get(label);
+    if (typeof decoded === "object" && decoded !== null) {
+      return decoded[String(label)];
+    }
+    return void 0;
+  };
+  const hasLabel = (label) => {
+    if (decoded instanceof Map) return decoded.has(label);
+    if (typeof decoded === "object" && decoded !== null) {
+      return Object.prototype.hasOwnProperty.call(decoded, String(label));
+    }
+    return false;
+  };
+  if (hasLabel(-4)) {
+    return issue(
+      "SIG_PRIVATE_KEY_LEAKED",
+      ["sigs", i, "cose_key"],
+      "cose_key carries COSE_Key private-key material (label -4, the OKP/EC2 private scalar d); publishing a private key on the permanent ledger is forbidden"
+    );
+  }
+  const kty = getLabel(1);
+  if (kty !== 1) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key kty (label 1) must be 1 (OKP); got ${String(kty)}`
+    );
+  }
+  const crv = getLabel(-1);
+  if (crv !== 6) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key crv (label -1) must be 6 (Ed25519); got ${String(crv)}`
+    );
+  }
+  if (!hasLabel(-2)) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key missing label -2 (Ed25519 public-key bytes)`
+    );
+  }
+  const x = getLabel(-2);
+  if (!(x instanceof Uint8Array) || x.length !== 32) {
+    const got = x instanceof Uint8Array ? `${x.length}-byte bstr` : typeof x;
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key label -2 must be a 32-byte byte string (Ed25519 public key); got ${got}`
+    );
+  }
+  return null;
+}
+var ACCEPTED_CIDV1_MULTIBASE = /* @__PURE__ */ new Set(["b", "B", "f", "F", "z"]);
+var ACCEPTED_MULTICODECS = /* @__PURE__ */ new Set([85, 112, 113]);
+var ACCEPTED_MULTIHASHES = /* @__PURE__ */ new Map([
+  [18, 32],
+  [45600, 32]
+]);
+function validateCidProfile(cid) {
+  if (cid.length === 0) return false;
+  if (cid.startsWith("Qm")) {
+    let decoded;
+    try {
+      decoded = decodeBase58btc(cid);
+    } catch {
+      return false;
+    }
+    return decoded.length === 34 && decoded[0] === 18 && decoded[1] === 32;
+  }
+  const mbPrefix = cid[0];
+  if (!ACCEPTED_CIDV1_MULTIBASE.has(mbPrefix)) return false;
+  let bytes;
+  try {
+    bytes = decodeMultibase(mbPrefix, cid.slice(1));
+  } catch {
+    return false;
+  }
+  if (bytes.length < 4) return false;
+  const versionParse = readVarint(bytes, 0);
+  if (versionParse === null || versionParse.value !== 1) return false;
+  const codecParse = readVarint(bytes, versionParse.next);
+  if (codecParse === null) return false;
+  if (!ACCEPTED_MULTICODECS.has(codecParse.value)) return false;
+  const mhParse = readVarint(bytes, codecParse.next);
+  if (mhParse === null) return false;
+  const lenParse = readVarint(bytes, mhParse.next);
+  if (lenParse === null) return false;
+  const digestLen = lenParse.value;
+  const expectedLen = ACCEPTED_MULTIHASHES.get(mhParse.value);
+  if (expectedLen === void 0 || digestLen !== expectedLen) return false;
+  if (lenParse.next + digestLen !== bytes.length) return false;
+  return true;
+}
+function readVarint(bytes, start) {
+  let value = 0;
+  let shift = 0;
+  let i = start;
+  while (i < bytes.length) {
+    const b = bytes[i];
+    value |= (b & 127) << shift;
+    i++;
+    if ((b & 128) === 0) return { value, next: i };
+    shift += 7;
+    if (shift > 28) return null;
+  }
+  return null;
+}
+function decodeMultibase(prefix, body) {
+  switch (prefix) {
+    case "b":
+      return decodeBase32(body.toLowerCase(), "rfc4648-lower");
+    case "B":
+      return decodeBase32(body.toUpperCase(), "rfc4648-upper");
+    case "f":
+      return decodeBase16(body.toLowerCase());
+    case "F":
+      return decodeBase16(body.toUpperCase());
+    case "z":
+      return decodeBase58btc(body);
+    default:
+      throw new Error(`unsupported multibase prefix ${prefix}`);
+  }
+}
+var BASE16_LOWER = "0123456789abcdef";
+var BASE16_UPPER = "0123456789ABCDEF";
+function decodeBase16(s) {
+  if (s.length % 2 !== 0) throw new Error("base16: odd-length");
+  const out = new Uint8Array(s.length / 2);
+  const alphabet = s === s.toLowerCase() ? BASE16_LOWER : BASE16_UPPER;
+  for (let i = 0; i < out.length; i++) {
+    const hi = alphabet.indexOf(s[i * 2]);
+    const lo = alphabet.indexOf(s[i * 2 + 1]);
+    if (hi < 0 || lo < 0) throw new Error(`base16: non-hex char at ${i * 2}`);
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+var BASE32_RFC4648_LOWER = "abcdefghijklmnopqrstuvwxyz234567";
+var BASE32_RFC4648_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function decodeBase32(s, variant) {
+  const alphabet = variant === "rfc4648-lower" ? BASE32_RFC4648_LOWER : BASE32_RFC4648_UPPER;
+  const trimmed = s.replace(/=+$/, "");
+  const out = [];
+  let buf = 0;
+  let bits = 0;
+  for (const ch of trimmed) {
+    const idx = alphabet.indexOf(ch);
+    if (idx < 0) throw new Error(`base32: invalid char '${ch}'`);
+    buf = buf << 5 | idx;
+    bits += 5;
+    if (bits >= 8) {
+      bits -= 8;
+      out.push(buf >> bits & 255);
+    }
+  }
+  return Uint8Array.from(out);
+}
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function decodeBase58btc(s) {
+  if (s.length === 0) return new Uint8Array(0);
+  let zeros = 0;
+  while (zeros < s.length && s[zeros] === "1") zeros++;
+  const size = Math.floor((s.length - zeros) * 733 / 1e3) + 1;
+  const b256 = new Uint8Array(size);
+  let length = 0;
+  for (let i = zeros; i < s.length; i++) {
+    const ch = s[i];
+    const carryIdx = BASE58_ALPHABET.indexOf(ch);
+    if (carryIdx < 0) throw new Error(`base58: invalid char '${ch}'`);
+    let carry = carryIdx;
+    let k = 0;
+    for (let j2 = size - 1; (carry !== 0 || k < length) && j2 >= 0; j2--, k++) {
+      carry += 58 * b256[j2];
+      b256[j2] = carry % 256;
+      carry = Math.floor(carry / 256);
+    }
+    length = k;
+  }
+  let it = size - length;
+  while (it < size && b256[it] === 0) it++;
+  const out = new Uint8Array(zeros + (size - it));
+  let j = zeros;
+  while (it < size) {
+    out[j++] = b256[it++];
+  }
+  return out;
+}
+function checkCritShape(record, decodedTopKeys, errors) {
+  const invalid = /* @__PURE__ */ new Set();
+  if (!Array.isArray(record.crit)) return invalid;
+  if (record.crit.length === 0) {
+    errors.push(
+      issue("SCHEMA_TYPE_MISMATCH", ["crit"], "crit[] must carry at least one entry when present")
+    );
+    return invalid;
+  }
+  const seen = /* @__PURE__ */ new Set();
+  for (let i = 0; i < record.crit.length; i++) {
+    const critName = record.crit[i];
+    let reason = null;
+    if (TOP_LEVEL_BASE_KEYS.has(critName)) {
+      reason = `'${critName}' is a base key and MUST NOT appear in crit[]`;
+    } else if (!isExtensionKey(critName)) {
+      reason = `'${critName}' does not match the extension-key regex (^x-.+ or ^[a-z]+-.+)`;
+    } else if (!decodedTopKeys.has(critName)) {
+      reason = `'${critName}' is named in crit but absent from the record map`;
+    } else if (seen.has(critName)) {
+      reason = `'${critName}' appears more than once in crit[]`;
+    }
+    seen.add(critName);
+    if (reason !== null) {
+      invalid.add(i);
+      errors.push(issue("CRIT_SHAPE_INVALID", ["crit", i], reason));
+    }
+  }
+  return invalid;
+}
+function topLevelKeysOf(decoded) {
+  if (decoded === null || typeof decoded !== "object") return /* @__PURE__ */ new Set();
+  if (decoded instanceof Map) {
+    const out = /* @__PURE__ */ new Set();
+    for (const k of decoded.keys()) {
+      if (typeof k === "string") out.add(k);
+    }
+    return out;
+  }
+  return new Set(Object.keys(decoded));
+}
+function issue(code, path, message) {
+  return { code, path, message, severity: SEVERITY[code] };
+}
+function compareIssuePath(a, b) {
+  return a.path.join(".").localeCompare(b.path.join("."));
+}
+function valueAtPath(root, path) {
+  let cur = root;
+  for (const seg of path) {
+    if (cur === null || cur === void 0) return void 0;
+    if (cur instanceof Map) {
+      cur = cur.get(seg);
+      continue;
+    }
+    if (typeof cur !== "object") return void 0;
+    cur = cur[seg];
+  }
+  return cur;
+}
+async function argon2idV13(opts2) {
+  return await argon2id({
+    password: opts2.password,
+    salt: opts2.salt,
+    parallelism: opts2.parallelism,
+    iterations: opts2.iterations,
+    memorySize: opts2.memSizeKB,
+    hashLength: opts2.outBytes,
+    outputType: "binary"
+  });
+}
+var AeadVerificationError = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
+  }
+};
+function xchacha20Poly1305Decrypt(opts2) {
+  try {
+    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function sha2562(input) {
+  return sha256(input);
+}
+function blake2b256(input) {
+  return blake2b(input, { dkLen: 32 });
+}
+function blake2b2242(input) {
+  return blake2b(input, { dkLen: 28 });
+}
+var LEAF_PREFIX = 0;
+var NODE_PREFIX = 1;
+var DIGEST_LENGTH = 32;
+function validateLeaves(leaves, fnName) {
+  if (leaves.length === 0) {
+    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
+  }
+  for (let i = 0; i < leaves.length; i++) {
+    const leaf = leaves[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) {
+      throw new Error(
+        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
+      );
+    }
+  }
+}
+function merkleSha2256Root(leaves) {
+  validateLeaves(leaves, "merkleSha2256Root");
+  return mthRecursive(leaves, 0, leaves.length);
+}
+function largestPow2Lt(n) {
+  let k = 1;
+  while (k * 2 < n) k *= 2;
+  return k;
+}
+function hashLeaf(d) {
+  const buf = new Uint8Array(1 + d.length);
+  buf[0] = LEAF_PREFIX;
+  buf.set(d, 1);
+  return sha256(buf);
+}
+function hashNode(left, right) {
+  const buf = new Uint8Array(1 + left.length + right.length);
+  buf[0] = NODE_PREFIX;
+  buf.set(left, 1);
+  buf.set(right, 1 + left.length);
+  return sha256(buf);
+}
+function mthRecursive(leaves, start, end) {
+  const n = end - start;
+  if (n === 1) {
+    return hashLeaf(leaves[start]);
+  }
+  const k = largestPow2Lt(n);
+  const left = mthRecursive(leaves, start, start + k);
+  const right = mthRecursive(leaves, start + k, end);
+  return hashNode(left, right);
+}
+var abytesDoc = abytes;
+var randomBytes = randomBytes$1;
+function equalBytes(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+function copyBytes(bytes) {
+  return Uint8Array.from(abytes(bytes));
+}
+function splitCoder(label, ...lengths) {
+  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
+  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
+  return {
+    bytesLen,
+    encode: (bufs) => {
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < lengths.length; i++) {
+        const c = lengths[i];
+        const l = getLength(c);
+        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
+        abytes(b, l, label);
+        res.set(b, pos);
+        if (typeof c !== "number")
+          b.fill(0);
+        pos += l;
+      }
+      return res;
+    },
+    decode: (buf) => {
+      abytes(buf, bytesLen, label);
+      const res = [];
+      for (const c of lengths) {
+        const l = getLength(c);
+        const b = buf.subarray(0, l);
+        res.push(typeof c === "number" ? b : c.decode(b));
+        buf = buf.subarray(l);
+      }
+      return res;
+    }
+  };
+}
+function vecCoder(c, vecLen) {
+  const coder = c;
+  const bytesLen = vecLen * coder.bytesLen;
+  return {
+    bytesLen,
+    encode: (u) => {
+      if (u.length !== vecLen)
+        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < u.length; i++) {
+        const b = coder.encode(u[i]);
+        res.set(b, pos);
+        b.fill(0);
+        pos += b.length;
+      }
+      return res;
+    },
+    decode: (a) => {
+      abytes(a, bytesLen);
+      const r = [];
+      for (let i = 0; i < a.length; i += coder.bytesLen)
+        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
+      return r;
+    }
+  };
+}
+function cleanBytes(...list) {
+  for (const t of list) {
+    if (Array.isArray(t))
+      for (const b of t)
+        b.fill(0);
+    else
+      t.fill(0);
+  }
+}
+function getMask(bits) {
+  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
+    throw new RangeError(`expected bits in [0..32], got ${bits}`);
+  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
+}
+
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
+var genCrystals = (opts2) => {
+  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
+  const mod = (a, modulo = Q2) => {
+    const result = a % modulo | 0;
+    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
+  };
+  const smod = (a, modulo = Q2) => {
+    const r = mod(a, modulo) | 0;
+    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
+  };
+  function getZettas() {
+    const out = newPoly(N2);
+    for (let i = 0; i < N2; i++) {
+      const b = reverseBits(i, brvBits);
+      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
+      out[i] = Number(p) | 0;
+    }
+    return out;
+  }
+  const nttZetas = getZettas();
+  const field = {
+    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
+    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
+    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
+    inv: (_a) => {
+      throw new Error("not implemented");
+    }
+  };
+  const nttOpts = {
+    N: N2,
+    roots: nttZetas,
+    invertButterflies: true,
+    skipStages: 1 ,
+    brp: false
+  };
+  const dif = FFTCore(field, { dit: false, ...nttOpts });
+  const dit = FFTCore(field, { dit: true, ...nttOpts });
+  const NTT = {
+    encode: (r) => {
+      return dif(r);
+    },
+    decode: (r) => {
+      dit(r);
+      for (let i = 0; i < r.length; i++)
+        r[i] = mod(F2 * r[i]);
+      return r;
+    }
+  };
+  const bitsCoder = (d, c) => {
+    const mask = getMask(d);
+    const bytesLen = d * (N2 / 8);
+    return {
+      bytesLen,
+      encode: (poly_) => {
+        const poly = poly_;
+        const r = new Uint8Array(bytesLen);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
+          buf |= (c.encode(poly[i]) & mask) << bufLen;
+          bufLen += d;
+          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
+            r[pos++] = buf & getMask(bufLen);
+        }
+        return r;
+      },
+      decode: (bytes) => {
+        const r = newPoly(N2);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
+          buf |= bytes[i] << bufLen;
+          bufLen += 8;
+          for (; bufLen >= d; bufLen -= d, buf >>= d)
+            r[pos++] = c.decode(buf & mask);
+        }
+        return r;
+      }
+    };
+  };
+  return {
+    mod,
+    smod,
+    nttZetas,
+    NTT: {
+      encode: (r) => NTT.encode(r),
+      decode: (r) => NTT.decode(r)
+    },
+    bitsCoder
+  };
+};
+var createXofShake = (shake) => (seed, blockLen) => {
+  if (!blockLen)
+    blockLen = shake.blockLen;
+  const _seed = new Uint8Array(seed.length + 2);
+  _seed.set(seed);
+  const seedLen = seed.length;
+  const buf = new Uint8Array(blockLen);
+  let h = shake.create({});
+  let calls = 0;
+  let xofs = 0;
+  return {
+    stats: () => ({ calls, xofs }),
+    get: (x, y) => {
+      _seed[seedLen + 0] = x;
+      _seed[seedLen + 1] = y;
+      h.destroy();
+      h = shake.create({}).update(_seed);
+      calls++;
+      return () => {
+        xofs++;
+        return h.xofInto(buf);
+      };
+    },
+    clean: () => {
+      h.destroy();
+      cleanBytes(buf, _seed);
+    }
+  };
+};
+var XOF128 = /* @__PURE__ */ createXofShake(shake128);
+
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
+var N = 256;
+var Q = 3329;
+var F = 3303;
+var ROOT_OF_UNITY = 17;
+var crystals = /* @__PURE__ */ genCrystals({
+  N,
+  Q,
+  F,
+  ROOT_OF_UNITY,
+  newPoly: (n) => new Uint16Array(n),
+  brvBits: 7});
+var PARAMS = /* @__PURE__ */ (() => Object.freeze({
+  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
+  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
+  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
+}))();
+var compress = (d) => {
+  if (d >= 12)
+    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
+  const a = 2 ** (d - 1);
+  return {
+    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
+    encode: (i) => ((i << d) + Q / 2) / Q,
+    // const decompress = (i: number) => round((Q / 2 ** d) * i);
+    decode: (i) => i * Q + a >>> d
+  };
+};
+var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
+var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
+function polyAdd(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] + b[i]);
+}
+function polySub(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] - b[i]);
+}
+function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
+  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
+  const c1 = crystals.mod(a0 * b1 + a1 * b0);
+  return { c0, c1 };
+}
+function MultiplyNTTs(f_, g_) {
+  const f = f_;
+  const g = g_;
+  for (let i = 0; i < N / 2; i++) {
+    let z3 = crystals.nttZetas[64 + (i >> 1)];
+    if (i & 1)
+      z3 = -z3;
+    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
+    f[2 * i + 0] = c0;
+    f[2 * i + 1] = c1;
+  }
+  return f;
+}
+function SampleNTT(xof_) {
+  const xof = xof_;
+  const r = new Uint16Array(N);
+  for (let j = 0; j < N; ) {
+    const b = xof();
+    if (b.length % 3)
+      throw new Error("SampleNTT: unaligned block");
+    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
+      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
+      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
+      if (d1 < Q)
+        r[j++] = d1;
+      if (j < N && d2 < Q)
+        r[j++] = d2;
+    }
+  }
+  return r;
+}
+var sampleCBDBytes = (buf, eta) => {
+  const r = new Uint16Array(N);
+  const b32 = u32(buf);
+  swap32IfBE(b32);
+  let len = 0;
+  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
+    let b = b32[i];
+    for (let j = 0; j < 32; j++) {
+      bb += b & 1;
+      b >>= 1;
+      len += 1;
+      if (len === eta) {
+        t0 = bb;
+        bb = 0;
+      } else if (len === 2 * eta) {
+        r[p++] = crystals.mod(t0 - bb);
+        bb = 0;
+        len = 0;
+      }
+    }
+  }
+  swap32IfBE(b32);
+  if (len)
+    throw new Error(`sampleCBD: leftover bits: ${len}`);
+  return r;
+};
+function sampleCBD(PRF_, seed, nonce, eta) {
+  const PRF = PRF_;
+  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
+}
+var genKPKE = (opts_) => {
+  const opts2 = opts_;
+  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
+  const poly1 = polyCoder(1);
+  const polyV = polyCoder(dv);
+  const polyU = polyCoder(du);
+  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
+  const secretCoder = vecCoder(polyCoder(12), K);
+  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
+  const seedCoder = splitCoder("seed", 32, 32);
+  return {
+    secretCoder,
+    lengths: {
+      secretKey: secretCoder.bytesLen,
+      publicKey: publicCoder.bytesLen,
+      cipherText: cipherCoder.bytesLen
+    },
+    keygen: (seed) => {
+      abytesDoc(seed, 32, "seed");
+      const seedDst = new Uint8Array(33);
+      seedDst.set(seed);
+      seedDst[32] = K;
+      const seedHash = HASH512(seedDst);
+      const [rho, sigma] = seedCoder.decode(seedHash);
+      const sHat = [];
+      const tHat = [];
+      for (let i = 0; i < K; i++)
+        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
+      const x = XOF(rho);
+      for (let i = 0; i < K; i++) {
+        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
+        for (let j = 0; j < K; j++) {
+          const aji = SampleNTT(x.get(j, i));
+          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
+        }
+        tHat.push(e);
+      }
+      x.clean();
+      const res = {
+        publicKey: publicCoder.encode([tHat, rho]),
+        secretKey: secretCoder.encode(sHat)
+      };
+      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
+      return res;
+    },
+    encrypt: (publicKey, msg, seed) => {
+      const [tHat, rho] = publicCoder.decode(publicKey);
+      const rHat = [];
+      for (let i = 0; i < K; i++)
+        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
+      const x = XOF(rho);
+      const tmp2 = new Uint16Array(N);
+      const u = [];
+      for (let i = 0; i < K; i++) {
+        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
+        const tmp = new Uint16Array(N);
+        for (let j = 0; j < K; j++) {
+          const aij = SampleNTT(x.get(i, j));
+          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
+        }
+        polyAdd(e1, crystals.NTT.decode(tmp));
+        u.push(e1);
+        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
+        cleanBytes(tmp);
+      }
+      x.clean();
+      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
+      polyAdd(e2, crystals.NTT.decode(tmp2));
+      const v = poly1.decode(msg);
+      polyAdd(v, e2);
+      cleanBytes(tHat, rHat, tmp2, e2);
+      return cipherCoder.encode([u, v]);
+    },
+    decrypt: (cipherText, privateKey) => {
+      const [u, v] = cipherCoder.decode(cipherText);
+      const sk = secretCoder.decode(privateKey);
+      const tmp = new Uint16Array(N);
+      for (let i = 0; i < K; i++)
+        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
+      polySub(v, crystals.NTT.decode(tmp));
+      cleanBytes(tmp, sk, u);
+      return poly1.encode(v);
+    }
+  };
+};
+function createKyber(opts2) {
+  const rawOpts = opts2;
+  const KPKE = genKPKE(rawOpts);
+  const { HASH256, HASH512, KDF } = rawOpts;
+  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
+  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
+  const msgLen = 32;
+  const seedLen = 64;
+  const kemLengths = Object.freeze({
+    ...lengths,
+    seed: 64,
+    msg: msgLen,
+    msgRand: msgLen,
+    secretKey: secretCoder.bytesLen
+  });
+  return Object.freeze({
+    info: Object.freeze({ type: "ml-kem" }),
+    lengths: kemLengths,
+    keygen: (seed = randomBytes(seedLen)) => {
+      abytesDoc(seed, seedLen, "seed");
+      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
+      const publicKeyHash = HASH256(publicKey);
+      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
+      cleanBytes(sk, publicKeyHash);
+      return {
+        publicKey,
+        secretKey
+      };
+    },
+    getPublicKey: (secretKey) => {
+      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
+      return Uint8Array.from(publicKey);
+    },
+    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
+      abytesDoc(publicKey, lengths.publicKey, "publicKey");
+      abytesDoc(msg, msgLen, "message");
+      const eke = publicKey.subarray(0, 384 * opts2.K);
+      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
+      if (!equalBytes(ek, eke)) {
+        cleanBytes(ek);
+        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
+      }
+      cleanBytes(ek);
+      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
+      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      cleanBytes(kr.subarray(32));
+      return {
+        cipherText,
+        sharedSecret: kr.subarray(0, 32)
+      };
+    },
+    decapsulate: (cipherText, secretKey) => {
+      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
+      abytesDoc(cipherText, lengths.cipherText, "cipherText");
+      const k768 = secretCoder.bytesLen - 96;
+      const start = k768 + 32;
+      const test = HASH256(secretKey.subarray(k768 / 2, start));
+      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
+        throw new Error("invalid secretKey: hash check failed");
+      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
+      const msg = KPKE.decrypt(cipherText, sk);
+      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
+      const Khat = kr.subarray(0, 32);
+      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      const isValid = equalBytes(cipherText, cipherText2);
+      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
+      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
+      return isValid ? Khat : Kbar;
+    }
+  });
+}
+function shakePRF(dkLen, key, nonce) {
+  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
+}
+var opts = /* @__PURE__ */ (() => ({
+  HASH256: sha3_256,
+  HASH512: sha3_512,
+  KDF: shake256,
+  XOF: XOF128,
+  PRF: shakePRF
+}))();
+var mk = (params) => createKyber({
+  ...opts,
+  ...params
+});
+var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
+
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
+function ecKeygen(curve, allowZeroKey = false) {
+  const lengths = curve.lengths;
+  let keygen = curve.keygen;
+  if (allowZeroKey) {
+    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
+      throw new Error("allowZeroKey requires a Weierstrass curve");
+    const wCurve = curve;
+    const Fn = wCurve.Point.Fn;
+    keygen = (seed = randomBytes(lengths.seed)) => {
+      abytes(seed, lengths.seed, "seed");
+      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
+      const secretKey = Fn.toBytes(Fn.create(seedScalar));
+      return {
+        secretKey,
+        publicKey: curve.getPublicKey(secretKey)
+      };
+    };
+  }
+  return {
+    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
+    keygen: (seed) => keygen(seed),
+    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
+  };
+}
+function ecdhKem(curve, allowZeroKey = false) {
+  const kg = ecKeygen(curve, allowZeroKey);
+  if (!curve.getSharedSecret)
+    throw new Error("wrong curve");
+  return {
+    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
+    keygen: kg.keygen,
+    getPublicKey: kg.getPublicKey,
+    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
+      const seed = copyBytes(rand);
+      let ek = void 0;
+      try {
+        ek = this.keygen(seed).secretKey;
+        const sharedSecret = this.decapsulate(publicKey, ek);
+        const cipherText = curve.getPublicKey(ek);
+        return { sharedSecret, cipherText };
+      } finally {
+        cleanBytes(seed);
+        if (ek)
+          cleanBytes(ek);
+      }
+    },
+    decapsulate(cipherText, secretKey) {
+      const res = curve.getSharedSecret(secretKey, cipherText);
+      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
+    }
+  };
+}
+function splitLengths(lst, name) {
+  return splitCoder(name, ...lst.map((i) => {
+    if (typeof i.lengths[name] !== "number")
+      throw new Error("wrong length: " + name);
+    return i.lengths[name];
+  }));
+}
+function expandSeedXof(xof) {
+  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
+}
+function combineKeys(realSeedLen, expandSeed_, ...ck_) {
+  const expandSeed = expandSeed_;
+  const ck = ck_;
+  const seedCoder = splitLengths(ck, "seed");
+  const pkCoder = splitLengths(ck, "publicKey");
+  anumber(realSeedLen);
+  function expandDecapsulationKey(seed) {
+    abytes(seed, realSeedLen);
+    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
+    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
+    const expanded = [];
+    const keySecret = [];
+    const secretKey = [];
+    const publicKey = [];
+    let ok = false;
+    try {
+      for (const part of seedCoder.decode(expandedSeed))
+        expanded.push(copyBytes(part));
+      for (let i = 0; i < ck.length; i++) {
+        const keys = ck[i].keygen(expanded[i]);
+        keySecret.push(keys.secretKey);
+        secretKey.push(copyBytes(keys.secretKey));
+        publicKey.push(keys.publicKey);
+      }
+      ok = true;
+      return { secretKey, publicKey };
+    } finally {
+      cleanBytes(expandedSeed, expanded, keySecret);
+      if (!ok)
+        cleanBytes(secretKey);
+    }
+  }
+  return {
+    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
+    getPublicKey(secretKey) {
+      return this.keygen(secretKey).publicKey;
+    },
+    keygen(seed = randomBytes(realSeedLen)) {
+      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
+      try {
+        const publicKey = pkCoder.encode(pk);
+        return { secretKey: seed, publicKey };
+      } finally {
+        cleanBytes(pk);
+        cleanBytes(secretKey);
+      }
+    },
+    expandDecapsulationKey,
+    realSeedLen
+  };
+}
+function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
+  const rawCombiner = combiner;
+  const rawKems = kems;
+  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
+  const ctCoder = splitLengths(rawKems, "cipherText");
+  const pkCoder = splitLengths(rawKems, "publicKey");
+  const msgCoder = splitLengths(rawKems, "msg");
+  anumber(realMsgLen);
+  const lengths = Object.freeze({
+    ...keys.info.lengths,
+    msg: realMsgLen,
+    msgRand: msgCoder.bytesLen,
+    cipherText: ctCoder.bytesLen
+  });
+  return Object.freeze({
+    lengths,
+    getPublicKey: keys.getPublicKey,
+    keygen: keys.keygen,
+    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
+      const pks = pkCoder.decode(pk);
+      const rand = msgCoder.decode(randomness);
+      const sharedSecret = [];
+      const cipherText = [];
+      try {
+        for (let i = 0; i < rawKems.length; i++) {
+          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
+          sharedSecret.push(enc.sharedSecret);
+          cipherText.push(enc.cipherText);
+        }
+        return {
+          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
+          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
+          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
+          cipherText: ctCoder.encode(cipherText)
+        };
+      } finally {
+        cleanBytes(sharedSecret, cipherText);
+      }
+    },
+    decapsulate(ct, seed) {
+      const cts = ctCoder.decode(ct);
+      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
+      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
+      try {
+        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
+      } finally {
+        cleanBytes(secretKey, sharedSecret);
+      }
+    }
+  });
+}
+var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
+var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
+  32,
+  32,
+  expandSeedXof(shake256),
+  // Awesome label, so much escaping hell in a single line.
+  (pk, ct, ss) => sha3_256(concatBytes$1(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
+  ml_kem768,
+  x25519kem
+))();
+var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
+var AeadVerificationError2 = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
+  }
+};
+function chacha20Poly1305Decrypt(opts2) {
+  try {
+    return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError2("chacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function xchacha20Poly1305Decrypt2(opts2) {
+  try {
+    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError2("xchacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function hkdfSha256(opts2) {
+  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+}
+var MLKEM768X25519_ENC_LENGTH = 1120;
+var MLKEM768X25519_SEED_LENGTH = 32;
+function mlkem768x25519Decapsulate(opts2) {
+  if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts2.secretSeed.length}`
+    );
+  }
+  if (opts2.enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts2.enc.length}`
+    );
+  }
+  return XWing.decapsulate(opts2.enc, opts2.secretSeed);
+}
+var X25519LowOrderPointError = class extends Error {
+  code = "X25519_LOW_ORDER_POINT";
+  constructor(options) {
+    super("x25519 ECDH rejected: peer public key is a small-order point", options);
+    this.name = "X25519LowOrderPointError";
+  }
+};
+var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
+function x25519PublicKey(opts2) {
+  return x25519.getPublicKey(opts2.secretKey);
+}
+function x25519Ecdh(opts2) {
+  try {
+    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
+  } catch (e) {
+    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
+      throw new X25519LowOrderPointError({ cause: e });
+    }
+    throw e;
+  }
+}
+var EciesSealedPoeError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "EciesSealedPoeError";
+    this.code = code;
+  }
+};
+function encodeCanonicalCbor3(value) {
+  return encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sortCoreDeterministic
+  });
+}
+var CHUNK_MAX_BYTES = 64;
+function chunkKemCt(value) {
+  if (value.length === 0) {
+    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  }
+  const chunks = [];
+  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
+    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  }
+  return chunks;
+}
+function joinKemCt(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+function slotsToMacCbor(slots, kem) {
+  let value;
+  if (kem === "x25519") {
+    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
+  } else {
+    value = slots.map((s) => ({
+      // Canonicalize the chunk boundaries before the MAC commits to them:
+      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
+      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
+      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
+      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
+      // MAC must be invariant to it. Committing to the verbatim wire chunks would
+      // let an attacker re-chunk an honest envelope and break the slots_mac match
+      // for an honest recipient. Honest (already-64B-chunked) records are
+      // unchanged; a real byte flip still changes the reassembled bytes and is
+      // still rejected.
+      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+      wrap: s.wrap
+    }));
+  }
+  return encodeCanonicalCbor3(value);
+}
+var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
+var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
+  "cardano-poe-kek-mlkem768x25519-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var ZERO_NONCE_12 = new Uint8Array(12);
+if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
+  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
+}
+if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (ZERO_NONCE_12.length !== 12) {
+  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
+}
+function compareCt2(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+function selectBundleSecrets(envelope, bundle) {
+  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
+}
+var ZERO_NONCE_122 = new Uint8Array(12);
+var EMPTY_SALT2 = new Uint8Array(0);
+var X25519_SECRET_KEY_LENGTH2 = 32;
+var X25519_PUBLIC_KEY_LENGTH2 = 32;
+var NONCE_LENGTH2 = 24;
+var WRAP_LENGTH2 = 48;
+var SLOTS_MAC_LENGTH2 = 32;
+function concat2(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
+  return out;
+}
+function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
+  if (envelope.scheme !== 1) {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_ENC_VERSION",
+      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+    );
+  }
+  if (envelope.aead !== "xchacha20-poly1305") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_AEAD_ALG",
+      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+    );
+  }
+  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_KEM_ALG",
+      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+    );
+  }
+  const n = envelope.slots.length;
+  if (n < 1) {
+    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  }
+  if (envelope.nonce.length !== NONCE_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+    );
+  }
+  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_MAC_INVALID_LENGTH",
+      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+    );
+  }
+  if (envelope.kem === "x25519") {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "KEM_EPK_LENGTH_MISMATCH",
+          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      const enc = joinKemCt(slot.kem_ct);
+      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+        throw new EciesSealedPoeError(
+          "KEM_CT_LENGTH_MISMATCH",
+          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+    }
+  }
+  if (multiPrivKeys !== void 0) {
+    for (let i = 0; i < multiPrivKeys.length; i++) {
+      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "INVALID_RECIPIENT_KEY",
+          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
+        );
+      }
+    }
+  } else if (singlePrivKey !== void 0) {
+    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
+      throw new EciesSealedPoeError(
+        "INVALID_RECIPIENT_KEY",
+        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
+      );
+    }
+  }
+}
+function tryX25519Slot(args) {
+  if (args.liveSlot) {
+    try {
+      const shared = x25519Ecdh({
+        secretKey: args.recipientSecretKey,
+        theirPublicKey: args.slot.epk
+      });
+      const kek = hkdfSha256({
+        ikm: shared,
+        salt: concat2(args.slot.epk, args.pubRLocal),
+        info: CARDANO_POE_HKDF_INFO_KEK,
+        length: 32
+      });
+      return chacha20Poly1305Decrypt({
+        key: kek,
+        nonce: ZERO_NONCE_122,
+        aad: CARDANO_POE_HKDF_INFO_KEK,
+        ciphertext: args.slot.wrap
+      });
+    } catch (e) {
+      if (!(e instanceof AeadVerificationError2) && !(e instanceof X25519LowOrderPointError)) {
+        throw e;
+      }
+      return null;
+    }
+  }
+  try {
+    const shared = x25519Ecdh({
+      secretKey: args.recipientSecretKey,
+      theirPublicKey: args.slot.epk
+    });
+    hkdfSha256({
+      ikm: shared,
+      salt: concat2(args.slot.epk, args.pubRLocal),
+      info: CARDANO_POE_HKDF_INFO_KEK,
+      length: 32
+    });
+  } catch (e) {
+    if (!(e instanceof X25519LowOrderPointError)) throw e;
+  }
+  return null;
+}
+function tryMlkem768X25519Slot(args) {
+  const enc = joinKemCt(args.slot.kem_ct);
+  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: EMPTY_SALT2,
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
+  });
+  if (!args.liveSlot) {
+    return null;
+  }
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError2)) throw e;
+    return null;
+  }
+}
+function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  const n = envelope.slots.length;
+  let cek = null;
+  let matchedSlotIdx = -1;
+  if (envelope.kem === "x25519") {
+    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      const candidate = tryX25519Slot({
+        slot: envelope.slots[i],
+        recipientSecretKey,
+        pubRLocal,
+        liveSlot: cek === null
+      });
+      if (cek === null && candidate !== null) {
+        cek = candidate;
+        matchedSlotIdx = i;
+      }
+      if (cek !== null && !constantTimeN) break;
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      const candidate = tryMlkem768X25519Slot({
+        slot: envelope.slots[i],
+        recipientSecretKey,
+        liveSlot: cek === null
+      });
+      if (cek === null && candidate !== null) {
+        cek = candidate;
+        matchedSlotIdx = i;
+      }
+      if (cek !== null && !constantTimeN) break;
+    }
+  }
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
+}
+function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+}
+function slotsMacCborBytes(envelope) {
+  return slotsToMacCbor(
+    envelope.slots,
+    envelope.kem
+  );
+}
+function eciesSealedPoeUnwrap(args) {
+  const { envelope, ciphertext } = args;
+  const constantTimeN = args.constantTimeN ?? true;
+  const hasSingle = "recipientSecretKey" in args;
+  const hasBundle = "recipientKeyBundle" in args;
+  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
+  const hasMulti = multiPrivKeys !== void 0;
+  if (hasSingle === hasMulti) {
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
+    );
+  }
+  if (hasMulti && multiPrivKeys.length === 0) {
+    if (hasBundle) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "recipientSecretKeys MUST be a non-empty array, got length=0"
+    );
+  }
+  if (hasMulti) {
+    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
+  } else {
+    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
+  }
+  let matchedCek = null;
+  let anyCandidateRecovered = false;
+  if (hasSingle) {
+    const recipientSecretKey = args.recipientSecretKey;
+    const cek = tryRecipientUnwrap(
+      envelope,
+      recipientSecretKey,
+      constantTimeN,
+      args._slotsAttemptedOut
+    );
+    if (cek === null) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    const slotsCbor = slotsMacCborBytes(envelope);
+    const hmacKey = hkdfSha256({
+      ikm: cek,
+      salt: EMPTY_SALT2,
+      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+      length: 32
+    });
+    const slotsMacCalc = hmac(sha256, hmacKey, slotsCbor);
+    if (!compareCt2(slotsMacCalc, envelope.slots_mac)) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    matchedCek = cek;
+  } else {
+    const slotsCbor = slotsMacCborBytes(envelope);
+    const recipientSecretKeys = multiPrivKeys;
+    for (let k = 0; k < recipientSecretKeys.length; k++) {
+      if (args._privsAttemptedOut !== void 0) {
+        args._privsAttemptedOut.count = k + 1;
+      }
+      if (args._slotsAttemptedOut !== void 0) {
+        args._slotsAttemptedOut.count = 0;
+      }
+      const cek = tryRecipientUnwrap(
+        envelope,
+        recipientSecretKeys[k],
+        constantTimeN,
+        args._slotsAttemptedOut
+      );
+      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
+      }
+      if (cek === null) continue;
+      const hmacKey = hkdfSha256({
+        ikm: cek,
+        salt: EMPTY_SALT2,
+        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+        length: 32
+      });
+      const slotsMacCalc = hmac(sha256, hmacKey, slotsCbor);
+      if (compareCt2(slotsMacCalc, envelope.slots_mac)) {
+        matchedCek = cek;
+        break;
+      }
+      anyCandidateRecovered = true;
+    }
+    if (matchedCek === null) {
+      return {
+        matched: false,
+        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
+      };
+    }
+  }
+  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+  try {
+    const plaintext = xchacha20Poly1305Decrypt2({
+      key: matchedCek,
+      nonce: envelope.nonce,
+      aad: adContent,
+      ciphertext
+    });
+    return { matched: true, plaintext };
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError2)) throw e;
+    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
+  }
+}
+function sealedEnvelopeFromParsed(enc) {
+  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
+  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
+  const slots = enc.slots;
+  if (slots === void 0 || slots.length < 1) return null;
+  if (enc.kem === "x25519") {
+    const x25519Slots = [];
+    for (const s of slots) {
+      if (s.epk === void 0 || s.wrap === void 0) return null;
+      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
+    }
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce: enc.nonce,
+      slots: x25519Slots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  if (enc.kem === "mlkem768x25519") {
+    const hybridSlots = [];
+    for (const s of slots) {
+      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
+      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
+    }
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce: enc.nonce,
+      slots: hybridSlots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  return null;
+}
+
+// ../crypto-core/dist/util.js
+function compareCt3(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+// src/fetch/fetch-outbound.ts
+var DENY_HOSTS_DEFAULT = ["localhost", "127.0.0.1"];
+var DenyHostError = class extends Error {
+  code = "SERVICE_INDEPENDENCE_VIOLATION";
+  host;
+  url;
+  constructor(host, url) {
+    super(`SERVICE_INDEPENDENCE_VIOLATION: host "${host}" is in denyHosts (url=${url})`);
+    this.name = "DenyHostError";
+    this.host = host;
+    this.url = url;
+  }
+};
+var UnsupportedProtocolError = class extends Error {
+  code = "UNSUPPORTED_PROTOCOL";
+  protocol;
+  url;
+  constructor(protocol, url) {
+    super(`UNSUPPORTED_PROTOCOL: "${protocol}" not in {http:, https:} (url=${url})`);
+    this.name = "UnsupportedProtocolError";
+    this.protocol = protocol;
+    this.url = url;
+  }
+};
+var UnsupportedMethodError = class extends Error {
+  code = "UNSUPPORTED_METHOD";
+  method;
+  url;
+  constructor(method, url) {
+    super(`UNSUPPORTED_METHOD: "${method}" not in {GET, POST} (url=${url})`);
+    this.name = "UnsupportedMethodError";
+    this.method = method;
+    this.url = url;
+  }
+};
+var BodyTooLargeError = class extends Error {
+  code = "OUTBOUND_BODY_TOO_LARGE";
+  url;
+  limitBytes;
+  constructor(url, limitBytes) {
+    super(`OUTBOUND_BODY_TOO_LARGE: response exceeded ${limitBytes} bytes (url=${url})`);
+    this.name = "BodyTooLargeError";
+    this.url = url;
+    this.limitBytes = limitBytes;
+  }
+};
+var OutboundExhaustedError = class extends Error {
+  code = "OUTBOUND_EXHAUSTED";
+  url;
+  attempts;
+  lastStatus;
+  lastError;
+  constructor(args) {
+    super(
+      `OUTBOUND_EXHAUSTED: ${args.attempts} attempts exhausted (url=${args.url}, lastStatus=${args.lastStatus ?? "-"})`
+    );
+    this.name = "OutboundExhaustedError";
+    this.url = args.url;
+    this.attempts = args.attempts;
+    this.lastStatus = args.lastStatus;
+    this.lastError = args.lastError;
+  }
+};
+var DEFAULT_TIMEOUT_MS = 1e4;
+var DEFAULT_OUTBOUND_MAX_BYTES = 64 * 1024 * 1024;
+var DEFAULT_RETRYABLE_STATUSES = [502, 503, 504];
+var BACKOFF_BASE_MS = [1e3, 2e3, 4e3];
+var JITTER_RATIO = 0.25;
+function canonicaliseHost(host) {
+  return host.replace(/^\[/, "").replace(/\]$/, "").replace(/\.$/, "").toLowerCase();
+}
+function matchesDenyList(host, denyHosts) {
+  const h = canonicaliseHost(host);
+  for (const raw of denyHosts) {
+    const pattern = raw.replace(/\.$/, "").toLowerCase();
+    if (pattern.startsWith("*.")) {
+      const suffix = pattern.slice(2);
+      if (h.endsWith("." + suffix)) return true;
+      continue;
+    }
+    if (h === pattern) return true;
+    if (pattern === "localhost") {
+      if (h === "::1" || h === "0.0.0.0" || h === "169.254.169.254") return true;
+    }
+    if (pattern === "127.0.0.1") {
+      if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h)) return true;
+    }
+  }
+  return false;
+}
+function parseProtocol(url) {
+  try {
+    return new URL(url).protocol;
+  } catch {
+    return null;
+  }
+}
+function isAllowedMethod(method) {
+  return method === "GET" || method === "POST";
+}
+function backoffJitteredMs(attemptIndex) {
+  const idx = Math.min(attemptIndex, BACKOFF_BASE_MS.length - 1);
+  const base = BACKOFF_BASE_MS[idx] ?? BACKOFF_BASE_MS[BACKOFF_BASE_MS.length - 1];
+  const jitter = 1 + (Math.random() - 0.5) * 2 * JITTER_RATIO;
+  return base * jitter;
+}
+function sleep(ms) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+var defaultFetchOutbound = async (url, opts2) => {
+  const t0 = Date.now();
+  const maxBytes = opts2.maxBytes ?? DEFAULT_OUTBOUND_MAX_BYTES;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);
+  const init = {
+    method: opts2.method,
+    signal: controller.signal
+  };
+  if (opts2.headers) init.headers = { ...opts2.headers };
+  if (opts2.body !== void 0) init.body = opts2.body;
+  try {
+    const res = await fetch(url, init);
+    const declared = res.headers.get("content-length");
+    if (declared !== null) {
+      const declaredLen = Number(declared);
+      if (Number.isFinite(declaredLen) && declaredLen > maxBytes) {
+        controller.abort();
+        throw new BodyTooLargeError(url, maxBytes);
+      }
+    }
+    const bytes = await readBodyCapped(res, url, maxBytes, controller);
+    return { status: res.status, bytes, durationMs: Date.now() - t0 };
+  } finally {
+    clearTimeout(timeout);
+  }
+};
+async function readBodyCapped(res, url, maxBytes, controller) {
+  const body = res.body;
+  if (body === null) {
+    const buf = await res.arrayBuffer();
+    if (buf.byteLength > maxBytes) {
+      throw new BodyTooLargeError(url, maxBytes);
+    }
+    return new Uint8Array(buf);
+  }
+  const reader = body.getReader();
+  const chunks = [];
+  let total = 0;
+  try {
+    for (; ; ) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      if (value === void 0) continue;
+      total += value.byteLength;
+      if (total > maxBytes) {
+        controller.abort();
+        throw new BodyTooLargeError(url, maxBytes);
+      }
+      chunks.push(value);
+    }
+  } finally {
+    reader.releaseLock();
+  }
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const chunk of chunks) {
+    out.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  return out;
+}
+function wrapFetchOutbound(inner, audit, config = void 0) {
+  const normConfig = config === void 0 ? {} : Array.isArray(config) ? { denyHosts: config } : config;
+  const denyHosts = normConfig.denyHosts ?? [];
+  const retries = normConfig.retries ?? 0;
+  const retryableStatuses = normConfig.retryableStatuses ?? DEFAULT_RETRYABLE_STATUSES;
+  return async (url, opts2) => {
+    if (opts2.purpose === "webhook") {
+      audit.push({
+        url,
+        method: "GET",
+        status: 0,
+        bytes: 0,
+        duration_ms: 0,
+        purpose: opts2.purpose
+      });
+      throw new Error(
+        `webhook purpose must be sent via fetchWebhook, not fetchOutbound (url=${url})`
+      );
+    }
+    const protocol = parseProtocol(url);
+    if (protocol !== "http:" && protocol !== "https:") {
+      audit.push({
+        url,
+        method: "GET",
+        status: 0,
+        bytes: 0,
+        duration_ms: 0,
+        purpose: opts2.purpose
+      });
+      throw new UnsupportedProtocolError(protocol ?? "", url);
+    }
+    if (!isAllowedMethod(opts2.method)) {
+      audit.push({
+        url,
+        method: "GET",
+        status: 0,
+        bytes: 0,
+        duration_ms: 0,
+        purpose: opts2.purpose
+      });
+      throw new UnsupportedMethodError(opts2.method, url);
+    }
+    if (denyHosts.length > 0) {
+      const host = new URL(url).hostname;
+      if (matchesDenyList(host, denyHosts)) {
+        audit.push({
+          url,
+          method: opts2.method,
+          status: 0,
+          bytes: 0,
+          duration_ms: 0,
+          purpose: opts2.purpose
+        });
+        throw new DenyHostError(canonicaliseHost(host), url);
+      }
+    }
+    let lastStatus;
+    let lastError;
+    const totalAttempts = retries + 1;
+    for (let attempt = 1; attempt <= totalAttempts; attempt++) {
+      const t0 = Date.now();
+      try {
+        const result = await inner(url, opts2);
+        audit.push({
+          url,
+          method: opts2.method,
+          status: result.status,
+          bytes: result.bytes.byteLength,
+          duration_ms: result.durationMs,
+          purpose: opts2.purpose
+        });
+        if (retryableStatuses.includes(result.status) && retries > 0) {
+          lastStatus = result.status;
+          if (attempt < totalAttempts) {
+            await sleep(backoffJitteredMs(attempt - 1));
+            continue;
+          }
+          break;
+        }
+        return result;
+      } catch (e) {
+        const durationMs = Date.now() - t0;
+        if (e instanceof DenyHostError || e instanceof UnsupportedProtocolError || e instanceof UnsupportedMethodError) {
+          audit.push({
+            url,
+            method: opts2.method,
+            status: 0,
+            bytes: 0,
+            duration_ms: durationMs,
+            purpose: opts2.purpose
+          });
+          throw e;
+        }
+        audit.push({
+          url,
+          method: opts2.method,
+          status: 0,
+          bytes: 0,
+          duration_ms: durationMs,
+          purpose: opts2.purpose
+        });
+        lastError = e;
+        if (attempt < totalAttempts) {
+          await sleep(backoffJitteredMs(attempt - 1));
+          continue;
+        }
+        break;
+      }
+    }
+    if (retries === 0 && lastError !== void 0) {
+      throw lastError;
+    }
+    throw new OutboundExhaustedError({ url, attempts: totalAttempts, lastStatus, lastError });
+  };
+}
+async function fetchOutbound(url, opts2, audit, config = {}) {
+  const wrapped = wrapFetchOutbound(defaultFetchOutbound, audit, config);
+  return wrapped(url, opts2);
+}
+
+// src/verifier/fetch.ts
+var ARWEAVE_DEFAULTS = [
+  "https://arweave.net",
+  "https://ar-io.net",
+  "https://g8way.io"
+];
+var ARWEAVE_TXID_RE = /^[A-Za-z0-9_-]{43}$/;
+async function fetchItemCiphertext(args) {
+  const reconstructed = args.uris.map((chunks) => chunks.join(""));
+  const candidate = reconstructed.find((u) => /^(ar|ipfs):\/\//.test(u));
+  if (candidate === void 0) {
+    for (const u of reconstructed) {
+      args.uriChecksOut.push({
+        item_index: args.itemIndex,
+        uri: u,
+        ok: false,
+        reason: "URI_TARGET_FORBIDDEN"
+      });
+    }
+    throw new Error("URI_TARGET_FORBIDDEN");
+  }
+  if (candidate.startsWith("ar://")) {
+    const txid = candidate.slice(5);
+    if (!ARWEAVE_TXID_RE.test(txid)) {
+      args.uriChecksOut.push({
+        item_index: args.itemIndex,
+        uri: candidate,
+        ok: false,
+        reason: "INVALID_URI"
+      });
+      throw new Error("CONTENT_UNAVAILABLE");
+    }
+    const gateways = args.arweaveGateways && args.arweaveGateways.length > 0 ? args.arweaveGateways : ARWEAVE_DEFAULTS;
+    for (const gw of gateways) {
+      try {
+        const res = await args.fetchFn(`${gw}/${txid}`, { method: "GET", purpose: "arweave" });
+        if (res.status === 200) {
+          args.uriChecksOut.push({ item_index: args.itemIndex, uri: candidate, ok: true });
+          return res.bytes;
+        }
+        args.uriChecksOut.push({
+          item_index: args.itemIndex,
+          uri: candidate,
+          ok: false,
+          reason: `URI_FETCH_FAILED:${gw}:${res.status}`
+        });
+      } catch (e) {
+        args.uriChecksOut.push({
+          item_index: args.itemIndex,
+          uri: candidate,
+          ok: false,
+          reason: `URI_FETCH_FAILED:${gw}:${e instanceof Error ? e.message : String(e)}`
+        });
+      }
+    }
+    throw new Error("CONTENT_UNAVAILABLE");
+  }
+  const cidPart = candidate.slice("ipfs://".length);
+  const ipfsCid = cidPart.split("/")[0] ?? cidPart;
+  const ipfsGateways = args.ipfsGateways;
+  if (ipfsGateways === void 0 || ipfsGateways.length === 0) {
+    args.uriChecksOut.push({
+      item_index: args.itemIndex,
+      uri: candidate,
+      ok: false,
+      reason: "CONTENT_UNAVAILABLE:no_ipfs_gateway"
+    });
+    throw new Error("CONTENT_UNAVAILABLE");
+  }
+  for (const gw of ipfsGateways) {
+    try {
+      const sep = gw.endsWith("/") ? "" : "/";
+      const url = `${gw}${sep}ipfs/${ipfsCid}`;
+      const res = await args.fetchFn(url, { method: "GET", purpose: "ipfs" });
+      if (res.status === 200) {
+        args.uriChecksOut.push({ item_index: args.itemIndex, uri: candidate, ok: true });
+        return res.bytes;
+      }
+      args.uriChecksOut.push({
+        item_index: args.itemIndex,
+        uri: candidate,
+        ok: false,
+        reason: `URI_FETCH_FAILED:${gw}:${res.status}`
+      });
+    } catch (e) {
+      args.uriChecksOut.push({
+        item_index: args.itemIndex,
+        uri: candidate,
+        ok: false,
+        reason: `URI_FETCH_FAILED:${gw}:${e instanceof Error ? e.message : String(e)}`
+      });
+    }
+  }
+  throw new Error("CONTENT_UNAVAILABLE");
+}
+
+// src/verifier/decrypt.ts
+var PASSPHRASE_KDF_ARGON2ID = "argon2id";
+var EMPTY_AAD = new Uint8Array(0);
+async function tryDecryptions(args) {
+  const { record, input } = args;
+  const items = record.items ?? [];
+  const out = [];
+  const reqs = input.decryption ?? [];
+  for (const req of reqs) {
+    const idx = req.itemIndex;
+    if (!Number.isInteger(idx) || idx < 0 || idx >= items.length) {
+      out.push({
+        item_index: idx,
+        verdict: "no-enc-envelope",
+        reason: "itemIndex out of range"
+      });
+      continue;
+    }
+    const item = items[idx];
+    const enc = item.enc;
+    if (enc === void 0 || enc === null || typeof enc !== "object") {
+      out.push({ item_index: idx, verdict: "no-enc-envelope" });
+      continue;
+    }
+    const encShape = enc;
+    const hasSlots = Array.isArray(encShape.slots);
+    const hasPassphrase = encShape.passphrase !== void 0 && encShape.passphrase !== null;
+    const reqHasSecret = "recipientSecretKey" in req;
+    const reqHasPassphrase = "passphrase" in req;
+    if (hasSlots && !reqHasSecret) {
+      out.push({
+        item_index: idx,
+        verdict: "wrong-input-shape",
+        reason: "WRONG_DECRYPTION_INPUT_SHAPE"
+      });
+      continue;
+    }
+    if (hasPassphrase && !reqHasPassphrase) {
+      out.push({
+        item_index: idx,
+        verdict: "wrong-input-shape",
+        reason: "WRONG_DECRYPTION_INPUT_SHAPE"
+      });
+      continue;
+    }
+    const oobBytes = input.ciphertextBytes?.[idx];
+    let ciphertext;
+    if (oobBytes !== void 0) {
+      ciphertext = oobBytes;
+    } else if (args.allowUriFetch && Array.isArray(item.uris) && item.uris.length > 0) {
+      try {
+        ciphertext = await fetchItemCiphertext({
+          uris: item.uris,
+          arweaveGateways: input.arweaveGatewayChain,
+          ipfsGateways: input.ipfsGatewayChain,
+          fetchFn: args.fetchFn,
+          uriChecksOut: args.uriChecksOut,
+          itemIndex: idx
+        });
+      } catch (e) {
+        const code = e instanceof Error ? e.message : "CONTENT_UNAVAILABLE";
+        const verdict = code === "URI_TARGET_FORBIDDEN" ? "ciphertext-unavailable" : "content-unavailable";
+        out.push({ item_index: idx, verdict, reason: code });
+        continue;
+      }
+    } else {
+      out.push({
+        item_index: idx,
+        verdict: "ciphertext-unavailable",
+        reason: "CIPHERTEXT_UNAVAILABLE"
+      });
+      continue;
+    }
+    if (ciphertext === null) {
+      out.push({
+        item_index: idx,
+        verdict: "ciphertext-unavailable",
+        reason: "CIPHERTEXT_UNAVAILABLE"
+      });
+      continue;
+    }
+    let plaintext = null;
+    let failure = null;
+    if (reqHasSecret) {
+      const envelope = sealedEnvelopeFromParsed(enc);
+      if (envelope === null) {
+        out.push({
+          item_index: idx,
+          verdict: "wrong-input-shape",
+          reason: "WRONG_DECRYPTION_INPUT_SHAPE"
+        });
+        continue;
+      }
+      const unwrap = eciesSealedPoeUnwrap({
+        envelope,
+        ciphertext,
+        recipientSecretKey: req.recipientSecretKey
+      });
+      if (unwrap.matched) {
+        plaintext = unwrap.plaintext;
+      } else {
+        const map = {
+          WRONG_RECIPIENT_KEY: { verdict: "wrong-key", reason: "WRONG_RECIPIENT_KEY" },
+          TAMPERED_HEADER: { verdict: "tampered-header", reason: "TAMPERED_HEADER" },
+          TAMPERED_CIPHERTEXT: { verdict: "tampered-ciphertext", reason: "TAMPERED_CIPHERTEXT" }
+        };
+        failure = map[unwrap.reason] ?? {
+          verdict: "tampered-ciphertext",
+          reason: "TAMPERED_CIPHERTEXT"
+        };
+      }
+    } else {
+      try {
+        plaintext = await decryptPassphrase({
+          enc,
+          ciphertext,
+          passphrase: req.passphrase
+        });
+      } catch (e) {
+        if (e instanceof AeadVerificationError) {
+          failure = { verdict: "tampered-ciphertext", reason: "TAMPERED_CIPHERTEXT" };
+        } else if (e instanceof Error && e.message.startsWith("KDF_")) {
+          failure = { verdict: "kdf-failed", reason: e.message };
+        } else {
+          failure = {
+            verdict: "tampered-ciphertext",
+            reason: e instanceof Error ? e.message : "TAMPERED_CIPHERTEXT"
+          };
+        }
+      }
+    }
+    if (failure !== null) {
+      out.push({ item_index: idx, verdict: failure.verdict, reason: failure.reason });
+      continue;
+    }
+    if (plaintext === null) {
+      out.push({ item_index: idx, verdict: "tampered-ciphertext", reason: "TAMPERED_CIPHERTEXT" });
+      continue;
+    }
+    const plaintextHashOk = recomputeHashes(item, plaintext);
+    out.push({ item_index: idx, verdict: "decrypted", plaintext_hash_ok: plaintextHashOk });
+  }
+  return { results: out };
+}
+async function decryptPassphrase(args) {
+  const { enc, ciphertext, passphrase } = args;
+  if (enc.passphrase.alg !== PASSPHRASE_KDF_ARGON2ID) {
+    throw new Error(`KDF_DERIVATION_FAILED: unsupported passphrase alg ${enc.passphrase.alg}`);
+  }
+  const normalised = passphrase.normalize("NFKC").replace(/\s+/g, " ").trim();
+  const password = new TextEncoder().encode(normalised);
+  let cek;
+  try {
+    cek = await argon2idV13({
+      password,
+      salt: enc.passphrase.salt,
+      memSizeKB: enc.passphrase.params.m,
+      iterations: enc.passphrase.params.t,
+      parallelism: enc.passphrase.params.p,
+      outBytes: 32
+    });
+  } catch (cause) {
+    const reason = cause instanceof Error ? cause.message : String(cause);
+    throw new Error(`KDF_DERIVATION_FAILED: ${reason}`, { cause });
+  }
+  if (enc.aead !== "xchacha20-poly1305") {
+    throw new Error(`KDF_DERIVATION_FAILED: unsupported aead ${enc.aead}`);
+  }
+  return xchacha20Poly1305Decrypt({
+    key: cek,
+    nonce: enc.nonce,
+    aad: EMPTY_AAD,
+    ciphertext
+  });
+}
+function recomputeHashes(item, plaintext) {
+  const entries = Object.entries(item.hashes);
+  if (entries.length === 0) return false;
+  for (const [alg, digest] of entries) {
+    if (alg === "sha2-256") {
+      if (!compareCt3(sha2562(plaintext), digest)) return false;
+    } else if (alg === "blake2b-256") {
+      if (!compareCt3(blake2b256(plaintext), digest)) return false;
+    } else {
+      return false;
+    }
+  }
+  return true;
+}
+var CanonicalCborError3 = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "CanonicalCborError";
+    this.code = code;
+  }
+};
+function decodeCanonicalCbor3(bytes) {
+  try {
+    return decode(bytes, {
+      ...cdeDecodeOptions,
+      rejectStreaming: true,
+      rejectDuplicateKeys: true,
+      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // `null` — and nothing else. Without these rejections the major-type-7
+      // surface leaks into the decoder: a float16/32/64 that happens to hold an
+      // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
+      // a `z.literal(1)` / Number.isInteger schema check, so two byte strings
+      // that are NOT byte-identical canonicalise to the same record. That
+      // breaks the cross-implementation parity invariant (the Python twin
+      // already rejects non-integer `v` / `enc.scheme` outright). Reject the
+      // whole non-record surface — floats, negative zero, undefined, and
+      // non-{true,false,null} simple values — so any such input surfaces as
+      // MALFORMED_CBOR via mapDecodeError rather than decoding to a look-alike.
+      rejectFloats: true,
+      rejectNegativeZero: true,
+      rejectUndefined: true,
+      rejectSimple: true
+    });
+  } catch (cause) {
+    throw mapDecodeError3(cause);
+  }
+}
+function mapDecodeError3(cause) {
+  const message = cause instanceof Error ? cause.message : String(cause);
+  const lower = message.toLowerCase();
+  const isIndefinite = lower.includes("streaming") || lower.includes("indefinite");
+  const detail = isIndefinite ? `indefinite-length items are not permitted in canonical CBOR: ${message}` : message;
+  return new CanonicalCborError3("MALFORMED_CBOR", `cbor decode failed: ${detail}`, { cause });
+}
+function compareCt4(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+var LEAF_PREFIX2 = 0;
+var NODE_PREFIX2 = 1;
+var DIGEST_LENGTH2 = 32;
+function validateLeaves2(leaves, fnName) {
+  if (leaves.length === 0) {
+    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
+  }
+  for (let i = 0; i < leaves.length; i++) {
+    const leaf = leaves[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH2) {
+      throw new Error(
+        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH2}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
+      );
+    }
+  }
+}
+function merkleSha2256Root2(leaves) {
+  validateLeaves2(leaves, "merkleSha2256Root");
+  return mthRecursive2(leaves, 0, leaves.length);
+}
+function largestPow2Lt2(n) {
+  let k = 1;
+  while (k * 2 < n) k *= 2;
+  return k;
+}
+function hashLeaf2(d) {
+  const buf = new Uint8Array(1 + d.length);
+  buf[0] = LEAF_PREFIX2;
+  buf.set(d, 1);
+  return sha256(buf);
+}
+function hashNode2(left, right) {
+  const buf = new Uint8Array(1 + left.length + right.length);
+  buf[0] = NODE_PREFIX2;
+  buf.set(left, 1);
+  buf.set(right, 1 + left.length);
+  return sha256(buf);
+}
+function mthRecursive2(leaves, start, end) {
+  const n = end - start;
+  if (n === 1) {
+    return hashLeaf2(leaves[start]);
+  }
+  const k = largestPow2Lt2(n);
+  const left = mthRecursive2(leaves, start, start + k);
+  const right = mthRecursive2(leaves, start + k, end);
+  return hashNode2(left, right);
+}
+var LEAVES_LIST_FORMAT_V1 = "cardano-poe-merkle-leaves-v1";
+var TREE_ALG_RFC9162 = "rfc9162-sha256";
+var DIGEST_LENGTH22 = 32;
+var REGISTERED_FORMATS = /* @__PURE__ */ new Set([LEAVES_LIST_FORMAT_V1]);
+var MerkleLeavesListError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message ? `${code}: ${message}` : code);
+    this.code = code;
+    this.name = "MerkleLeavesListError";
+  }
+};
+function decodeLeavesList(bytes) {
+  const decoded = decodeCanonicalCbor3(bytes);
+  if (typeof decoded !== "object" || decoded === null || Array.isArray(decoded)) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaves-list MUST be a CBOR map"
+    );
+  }
+  const m = decoded;
+  const format = m["format"];
+  if (typeof format !== "string") {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "format must be a text string"
+    );
+  }
+  if (!REGISTERED_FORMATS.has(format)) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED",
+      `format '${format}' is not in the registered set`
+    );
+  }
+  const treeAlg = m["tree_alg"];
+  if (treeAlg !== TREE_ALG_RFC9162) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      `tree_alg '${String(treeAlg)}' is not '${TREE_ALG_RFC9162}'`
+    );
+  }
+  const root = m["root"];
+  if (!(root instanceof Uint8Array) || root.length !== DIGEST_LENGTH22) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      `root must be a ${DIGEST_LENGTH22}-byte byte string`
+    );
+  }
+  const leavesRaw = m["leaves"];
+  if (!Array.isArray(leavesRaw) || leavesRaw.length < 1) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaves must be a non-empty array"
+    );
+  }
+  const leaves = [];
+  for (let i = 0; i < leavesRaw.length; i++) {
+    const leaf = leavesRaw[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH22) {
+      throw new MerkleLeavesListError(
+        "SCHEMA_MERKLE_LEAVES_MALFORMED",
+        `leaves[${i}] must be a ${DIGEST_LENGTH22}-byte byte string`
+      );
+    }
+    leaves.push(leaf);
+  }
+  const leafCountRaw = m["leaf_count"];
+  let leafCount;
+  if (typeof leafCountRaw === "number" && Number.isInteger(leafCountRaw) && leafCountRaw >= 0) {
+    leafCount = leafCountRaw;
+  } else if (typeof leafCountRaw === "bigint" && leafCountRaw >= 0n) {
+    if (leafCountRaw > BigInt(Number.MAX_SAFE_INTEGER)) {
+      throw new MerkleLeavesListError(
+        "SCHEMA_MERKLE_LEAVES_MALFORMED",
+        "leaf_count exceeds Number.MAX_SAFE_INTEGER"
+      );
+    }
+    leafCount = Number(leafCountRaw);
+  } else {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaf_count must be a non-negative CBOR uint"
+    );
+  }
+  if (leaves.length !== leafCount) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAF_COUNT_MISMATCH",
+      `leaves.length (${leaves.length}) != leaf_count (${leafCount})`
+    );
+  }
+  let leafAlg;
+  if (m["leaf_alg"] !== void 0) {
+    if (typeof m["leaf_alg"] !== "string") {
+      throw new MerkleLeavesListError(
+        "SCHEMA_MERKLE_LEAVES_MALFORMED",
+        "leaf_alg must be a text string when present"
+      );
+    }
+    leafAlg = m["leaf_alg"];
+  }
+  const recomputed = merkleSha2256Root2(leaves);
+  if (!compareCt4(recomputed, root)) {
+    throw new MerkleLeavesListError(
+      "MERKLE_ROOT_MISMATCH",
+      "leaves recompute does not match declared root"
+    );
+  }
+  const out = {
+    format: LEAVES_LIST_FORMAT_V1,
+    treeAlg: TREE_ALG_RFC9162,
+    root,
+    leaves,
+    leafCount,
+    ...leafAlg !== void 0 ? { leafAlg } : {}
+  };
+  return out;
+}
+
+// src/verifier/merkle.ts
+async function verifyMerkleCommitments(args) {
+  const merkleArr = args.record.merkle ?? [];
+  const out = [];
+  for (let i = 0; i < merkleArr.length; i++) {
+    out.push(await verifyOneCommit(i, merkleArr[i], args));
+  }
+  return { checks: out };
+}
+async function verifyOneCommit(index, commit, args) {
+  if (commit.alg !== "rfc9162-sha256") {
+    return {
+      merkle_index: index,
+      alg: commit.alg,
+      verdict: "unsupported",
+      reason: "UNSUPPORTED_MERKLE_COMMIT_ALG"
+    };
+  }
+  let leavesBytes = args.input.merkleLeaves?.[index] ?? null;
+  if (leavesBytes === null) {
+    const uris = commit.uris;
+    if (uris === void 0 || uris.length === 0) {
+      return {
+        merkle_index: index,
+        alg: commit.alg,
+        verdict: "unavailable",
+        reason: "MERKLE_LEAVES_UNAVAILABLE"
+      };
+    }
+    try {
+      leavesBytes = await fetchItemCiphertext({
+        uris,
+        arweaveGateways: args.input.arweaveGatewayChain,
+        ipfsGateways: args.input.ipfsGatewayChain,
+        fetchFn: args.fetchFn,
+        uriChecksOut: args.uriChecksOut,
+        // Merkle commits are not item-indexed; reuse a sentinel index so
+        // downstream UIs can distinguish them from item URIs.
+        itemIndex: -1 - index
+      });
+    } catch {
+      return {
+        merkle_index: index,
+        alg: commit.alg,
+        verdict: "unavailable",
+        reason: "MERKLE_LEAVES_UNAVAILABLE"
+      };
+    }
+  }
+  try {
+    const decoded = decodeLeavesList(leavesBytes);
+    const recomputed = merkleSha2256Root(decoded.leaves);
+    if (!compareCt3(recomputed, commit.root)) {
+      return {
+        merkle_index: index,
+        alg: commit.alg,
+        verdict: "mismatch",
+        reason: "MERKLE_ROOT_MISMATCH",
+        root_recomputed: recomputed
+      };
+    }
+    if (decoded.leafCount !== commit.leaf_count) {
+      return {
+        merkle_index: index,
+        alg: commit.alg,
+        verdict: "mismatch",
+        reason: "SCHEMA_MERKLE_LEAF_COUNT_MISMATCH"
+      };
+    }
+    return {
+      merkle_index: index,
+      alg: commit.alg,
+      verdict: "valid",
+      root_recomputed: recomputed
+    };
+  } catch (e) {
+    if (e instanceof MerkleLeavesListError) {
+      if (e.code === "SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED") {
+        return {
+          merkle_index: index,
+          alg: commit.alg,
+          verdict: "format-unsupported",
+          reason: "SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED"
+        };
+      }
+      if (e.code === "SCHEMA_MERKLE_LEAF_COUNT_MISMATCH") {
+        return {
+          merkle_index: index,
+          alg: commit.alg,
+          verdict: "mismatch",
+          reason: "SCHEMA_MERKLE_LEAF_COUNT_MISMATCH"
+        };
+      }
+      if (e.code === "MERKLE_ROOT_MISMATCH") {
+        return {
+          merkle_index: index,
+          alg: commit.alg,
+          verdict: "mismatch",
+          reason: "MERKLE_ROOT_MISMATCH"
+        };
+      }
+      return {
+        merkle_index: index,
+        alg: commit.alg,
+        verdict: "unavailable",
+        reason: e.code
+      };
+    }
+    return {
+      merkle_index: index,
+      alg: commit.alg,
+      verdict: "unavailable",
+      reason: e instanceof Error ? e.message : String(e)
+    };
+  }
+}
+
+// src/verifier/profile.ts
+var DEFAULT_PROFILE = "recipient-sealed";
+function profileImplements(actual, required) {
+  return PROFILE_RANK[actual] >= PROFILE_RANK[required];
+}
+function planProfileSkips(profile, record) {
+  const skips = [];
+  const has = (k) => Object.prototype.hasOwnProperty.call(record, k);
+  const verifySignatures = PROFILE_RANK[profile] >= PROFILE_RANK["signed"];
+  const readsEnc = PROFILE_RANK[profile] >= PROFILE_RANK["sealed"];
+  const verifyDecrypt = PROFILE_RANK[profile] >= PROFILE_RANK["recipient-sealed"];
+  if (!verifySignatures && has("sigs")) {
+    skips.push({
+      code: "OUT_OF_PROFILE_SKIPPED",
+      path: ["sigs"],
+      message: `sigs[] requires profile >= 'signed'; active profile is '${profile}'`,
+      severity: "info"
+    });
+  }
+  if (!readsEnc && Array.isArray(record.items) && record.items.some((it) => it.enc !== void 0)) {
+    skips.push({
+      code: "OUT_OF_PROFILE_SKIPPED",
+      path: ["items", "enc"],
+      message: `items[].enc requires profile >= 'sealed'; active profile is '${profile}'`,
+      severity: "info"
+    });
+  }
+  return { skips, verifySignatures, verifyDecrypt };
+}
+
+// src/verifier/cbor-walker.ts
+function readHead(bytes, pos) {
+  if (pos >= bytes.length) {
+    throw new RangeError("MALFORMED_CBOR: truncated input (no head byte)");
+  }
+  const head = bytes[pos];
+  const mt = head >> 5;
+  const ai = head & 31;
+  let p = pos + 1;
+  let valueU64;
+  if (ai < 24) {
+    valueU64 = ai;
+  } else if (ai === 24) {
+    if (p + 1 > bytes.length) {
+      throw new RangeError("MALFORMED_CBOR: truncated 1-byte argument");
+    }
+    valueU64 = bytes[p];
+    p += 1;
+  } else if (ai === 25) {
+    if (p + 2 > bytes.length) {
+      throw new RangeError("MALFORMED_CBOR: truncated 2-byte argument");
+    }
+    valueU64 = bytes[p] << 8 | bytes[p + 1];
+    p += 2;
+  } else if (ai === 26) {
+    if (p + 4 > bytes.length) {
+      throw new RangeError("MALFORMED_CBOR: truncated 4-byte argument");
+    }
+    valueU64 = bytes[p] * 16777216 + (bytes[p + 1] << 16 | bytes[p + 2] << 8 | bytes[p + 3]);
+    p += 4;
+  } else if (ai === 27) {
+    if (p + 8 > bytes.length) {
+      throw new RangeError("MALFORMED_CBOR: truncated 8-byte argument");
+    }
+    let n = 0;
+    for (let k = 0; k < 8; k++) n = n * 256 + bytes[p + k];
+    if (n > Number.MAX_SAFE_INTEGER) {
+      throw new RangeError("MALFORMED_CBOR: 8-byte argument exceeds JavaScript safe integer range");
+    }
+    valueU64 = n;
+    p += 8;
+  } else if (ai === 31) {
+    throw new RangeError(
+      "MALFORMED_CBOR: indefinite-length encoding (ai=31) not allowed under canonical CBOR"
+    );
+  } else {
+    throw new RangeError(`MALFORMED_CBOR: reserved additional info ai=${ai}`);
+  }
+  return { mt, ai, payloadStart: p, valueU64 };
+}
+function skipCborItem(bytes, pos) {
+  const h = readHead(bytes, pos);
+  let p = h.payloadStart;
+  switch (h.mt) {
+    case 0:
+    case 1:
+      return p;
+    case 2:
+    case 3:
+      if (p + h.valueU64 > bytes.length) {
+        throw new RangeError(
+          `MALFORMED_CBOR: truncated ${h.mt === 2 ? "byte" : "text"} string payload`
+        );
+      }
+      return p + h.valueU64;
+    case 4:
+      for (let i = 0; i < h.valueU64; i++) p = skipCborItem(bytes, p);
+      return p;
+    case 5:
+      for (let i = 0; i < h.valueU64 * 2; i++) p = skipCborItem(bytes, p);
+      return p;
+    case 6:
+      return skipCborItem(bytes, p);
+    case 7: {
+      if (h.ai < 24) return p;
+      if (h.ai === 24) {
+        if (p + 1 > bytes.length) {
+          throw new RangeError("MALFORMED_CBOR: truncated simple value");
+        }
+        return p + 1;
+      }
+      if (h.ai === 25 || h.ai === 26 || h.ai === 27) return p;
+      throw new RangeError(`MALFORMED_CBOR: unsupported major-7 ai=${h.ai}`);
+    }
+    default:
+      throw new RangeError(`MALFORMED_CBOR: unknown major type ${h.mt}`);
+  }
+}
+var CARDANO_AUX_DATA_TAG = 259;
+var POE_LABEL = 309;
+function sliceTxComponents(txCbor) {
+  const txHead = readHead(txCbor, 0);
+  if (txHead.mt !== 4) {
+    throw new RangeError(`MALFORMED_CBOR: tx CBOR is not a CBOR array (major type ${txHead.mt})`);
+  }
+  if (txHead.valueU64 < 4) {
+    throw new RangeError(
+      `MALFORMED_CBOR: tx CBOR array has ${txHead.valueU64} elements; expected >= 4 (post-Conway: [body, witness_set, is_valid, auxiliary_data])`
+    );
+  }
+  const bodyStart = txHead.payloadStart;
+  const bodyEnd = skipCborItem(txCbor, bodyStart);
+  const witnessSetStart = bodyEnd;
+  const witnessSetEnd = skipCborItem(txCbor, witnessSetStart);
+  const pos = skipCborItem(txCbor, witnessSetEnd);
+  const txBody = txCbor.slice(bodyStart, bodyEnd);
+  const witnessSet = txCbor.slice(witnessSetStart, witnessSetEnd);
+  if (pos >= txCbor.length) {
+    throw new RangeError("MALFORMED_CBOR: truncated tx (auxiliary_data missing)");
+  }
+  const auxFirstByte = txCbor[pos];
+  if (auxFirstByte === 246 || auxFirstByte === 247) {
+    return { label309: null, txBody, witnessSet, auxMetadataLabels: [] };
+  }
+  let auxMapPos = pos;
+  const auxHead = readHead(txCbor, pos);
+  if (auxHead.mt === 6) {
+    if (auxHead.valueU64 !== CARDANO_AUX_DATA_TAG) {
+      throw new RangeError(
+        `MALFORMED_CBOR: auxiliary_data carries unexpected CBOR tag ${auxHead.valueU64}; expected ${CARDANO_AUX_DATA_TAG} or bare map`
+      );
+    }
+    auxMapPos = auxHead.payloadStart;
+  }
+  const mapHead = readHead(txCbor, auxMapPos);
+  if (mapHead.mt !== 5) {
+    throw new RangeError(
+      `MALFORMED_CBOR: auxiliary_data is not a CBOR map (major type ${mapHead.mt})`
+    );
+  }
+  let metadataMapPos;
+  {
+    let entryPos = mapHead.payloadStart;
+    let sawAuxKey = false;
+    let foundMetadataAt = null;
+    for (let i = 0; i < mapHead.valueU64; i++) {
+      const keyHead = readHead(txCbor, entryPos);
+      if (keyHead.mt === 0 && keyHead.valueU64 <= 3) {
+        sawAuxKey = true;
+        if (keyHead.valueU64 === 0) {
+          foundMetadataAt = keyHead.payloadStart;
+        }
+      }
+      entryPos = skipCborItem(txCbor, entryPos);
+      entryPos = skipCborItem(txCbor, entryPos);
+    }
+    if (sawAuxKey || auxHead.mt === 6) {
+      metadataMapPos = foundMetadataAt;
+    } else {
+      metadataMapPos = auxMapPos;
+    }
+  }
+  if (metadataMapPos === null) {
+    return { label309: null, txBody, witnessSet, auxMetadataLabels: [] };
+  }
+  const metaHead = readHead(txCbor, metadataMapPos);
+  if (metaHead.mt !== 5) {
+    throw new RangeError(`MALFORMED_CBOR: metadata is not a CBOR map (major type ${metaHead.mt})`);
+  }
+  const labels = [];
+  let label309 = null;
+  let pairPos = metaHead.payloadStart;
+  for (let i = 0; i < metaHead.valueU64; i++) {
+    const keyHead = readHead(txCbor, pairPos);
+    const keyVal = decodeIntKey(keyHead);
+    labels.push(keyVal);
+    const valueStart = skipCborItem(txCbor, pairPos);
+    const valueEnd = skipCborItem(txCbor, valueStart);
+    if (keyVal === POE_LABEL) {
+      label309 = reassembleLabel309Value(txCbor, valueStart, valueEnd);
+    }
+    pairPos = valueEnd;
+  }
+  labels.sort((a, b) => a - b);
+  return { label309, txBody, witnessSet, auxMetadataLabels: labels };
+}
+function sliceLabel309Value(txCbor) {
+  return sliceTxComponents(txCbor).label309;
+}
+function reassembleLabel309Value(txCbor, valueStart, valueEnd) {
+  const head = readHead(txCbor, valueStart);
+  if (head.mt === 4) {
+    const out = [];
+    let totalLen = 0;
+    let chunkPos = head.payloadStart;
+    for (let i = 0; i < head.valueU64; i++) {
+      const chunkHead = readHead(txCbor, chunkPos);
+      if (chunkHead.mt !== 2) {
+        throw new RangeError(
+          `MALFORMED_CBOR: label-309 value is a CBOR array but element ${i} has major type ${chunkHead.mt}; expected byte string (chunked-bytes shape)`
+        );
+      }
+      const chunkValueStart = chunkHead.payloadStart;
+      const chunkValueEnd = chunkValueStart + chunkHead.valueU64;
+      out.push(txCbor.slice(chunkValueStart, chunkValueEnd));
+      totalLen += chunkHead.valueU64;
+      chunkPos = chunkValueEnd;
+    }
+    const concat = new Uint8Array(totalLen);
+    let offset = 0;
+    for (const c of out) {
+      concat.set(c, offset);
+      offset += c.length;
+    }
+    return concat;
+  }
+  if (head.mt === 2) {
+    return txCbor.slice(head.payloadStart, head.payloadStart + head.valueU64);
+  }
+  if (head.mt === 5) {
+    return txCbor.slice(valueStart, valueEnd);
+  }
+  throw new RangeError(
+    `MALFORMED_CBOR: label-309 value has major type ${head.mt}; expected array (chunked), byte string, or map`
+  );
+}
+function decodeIntKey(h) {
+  if (h.mt === 0) return h.valueU64;
+  if (h.mt === 1) return -1 - h.valueU64;
+  throw new RangeError(
+    `MALFORMED_CBOR: metadata map key has major type ${h.mt}; expected unsigned integer`
+  );
+}
+
+// src/verifier/resolve.ts
+var KOIOS_MAINNET_URL = "https://api.koios.rest/api/v1";
+var BLOCKFROST_MAINNET_HOST = "https://cardano-mainnet.blockfrost.io/api/v0";
+var NotACip309RecordError = class extends Error {
+  code = "METADATA_NOT_FOUND";
+  constructor(message) {
+    super(message);
+    this.name = "NotACip309RecordError";
+  }
+};
+async function resolveCardanoTx(args) {
+  const { input, fetchFn } = args;
+  const koiosChain = input.cardanoGatewayChain ?? [KOIOS_MAINNET_URL];
+  let lastErr;
+  for (const koiosUrl of koiosChain) {
+    try {
+      return await resolveViaKoios(input.txHash, koiosUrl, fetchFn);
+    } catch (e) {
+      if (e instanceof NotACip309RecordError) throw e;
+      lastErr = e;
+    }
+  }
+  if (input.blockfrostProjectId !== void 0) {
+    try {
+      return await resolveViaBlockfrost(input.txHash, input.blockfrostProjectId, fetchFn);
+    } catch (e) {
+      if (e instanceof NotACip309RecordError) throw e;
+      lastErr = e;
+    }
+  }
+  throw new Error(`all_providers_failed: ${lastErr?.message ?? "unknown"}`);
+}
+async function resolveViaKoios(txHash, koiosUrl, fetchFn) {
+  const cborRes = await fetchFn(`${koiosUrl}/tx_cbor`, {
+    method: "POST",
+    headers: { "content-type": "application/json", accept: "application/json" },
+    body: JSON.stringify({ _tx_hashes: [txHash] }),
+    purpose: "cardano"
+  });
+  if (cborRes.status !== 200) {
+    throw new Error(`koios_tx_cbor_${cborRes.status}`);
+  }
+  const cborJson = parseJson(cborRes.bytes);
+  if (!Array.isArray(cborJson) || cborJson.length === 0) {
+    throw new NotACip309RecordError("koios returned empty array for tx_cbor; tx may not exist");
+  }
+  const cborEntry = cborJson[0];
+  if (typeof cborEntry.cbor !== "string") {
+    throw new Error("koios_tx_cbor_missing_cbor_field");
+  }
+  if (typeof cborEntry.tx_hash === "string" && cborEntry.tx_hash.toLowerCase() !== txHash.toLowerCase()) {
+    throw new Error(`koios_tx_cbor_hash_mismatch: requested ${txHash} got ${cborEntry.tx_hash}`);
+  }
+  const txCbor = hexToBytes(cborEntry.cbor);
+  const infoRes = await fetchFn(`${koiosUrl}/tx_info`, {
+    method: "POST",
+    headers: { "content-type": "application/json", accept: "application/json" },
+    body: JSON.stringify({ _tx_hashes: [txHash] }),
+    purpose: "cardano"
+  });
+  if (infoRes.status !== 200) {
+    throw new Error(`koios_tx_info_${infoRes.status}`);
+  }
+  const infoJson = parseJson(infoRes.bytes);
+  if (!Array.isArray(infoJson) || infoJson.length === 0) {
+    throw new NotACip309RecordError("koios returned empty array for tx_info");
+  }
+  const infoEntry = infoJson[0];
+  if (typeof infoEntry.tx_hash === "string" && infoEntry.tx_hash.toLowerCase() !== txHash.toLowerCase()) {
+    throw new Error(`koios_tx_info_hash_mismatch: requested ${txHash} got ${infoEntry.tx_hash}`);
+  }
+  let numConfirmations;
+  if (typeof infoEntry.num_confirmations === "number") {
+    numConfirmations = requireNonNegativeInt(infoEntry.num_confirmations, "num_confirmations");
+  } else {
+    const txBlockHeight = requireNonNegativeInt(infoEntry.block_height, "block_height");
+    const tipRes = await fetchFn(`${koiosUrl}/tip`, {
+      method: "GET",
+      headers: { accept: "application/json" },
+      purpose: "cardano"
+    });
+    if (tipRes.status !== 200) {
+      throw new Error(`koios_tip_${tipRes.status}`);
+    }
+    const tipJson = parseJson(tipRes.bytes);
+    if (!Array.isArray(tipJson) || tipJson.length === 0) {
+      throw new Error("koios_tip_empty");
+    }
+    const tipEntry = tipJson[0];
+    const tipHeight = requireNonNegativeInt(tipEntry.block_height, "tip.block_height");
+    numConfirmations = Math.max(0, tipHeight - txBlockHeight + 1);
+  }
+  return {
+    txCbor,
+    numConfirmations,
+    blockTime: requireNonNegativeInt(infoEntry.tx_timestamp, "tx_timestamp"),
+    blockSlot: requireNonNegativeInt(infoEntry.absolute_slot, "absolute_slot"),
+    provider: "koios",
+    providerUrl: koiosUrl
+  };
+}
+async function resolveViaBlockfrost(txHash, projectId, fetchFn) {
+  const base = BLOCKFROST_MAINNET_HOST;
+  const headers = { project_id: projectId, accept: "application/json" };
+  const cborRes = await fetchFn(`${base}/txs/${txHash}/cbor`, {
+    method: "GET",
+    headers,
+    purpose: "cardano"
+  });
+  if (cborRes.status !== 200) {
+    throw new Error(`blockfrost_tx_cbor_${cborRes.status}`);
+  }
+  const cborJson = parseJson(cborRes.bytes);
+  if (typeof cborJson.cbor !== "string") {
+    throw new Error("blockfrost_tx_cbor_missing_cbor_field");
+  }
+  const txCbor = hexToBytes(cborJson.cbor);
+  const txRes = await fetchFn(`${base}/txs/${txHash}`, {
+    method: "GET",
+    headers,
+    purpose: "cardano"
+  });
+  if (txRes.status !== 200) {
+    throw new Error(`blockfrost_tx_${txRes.status}`);
+  }
+  const txJson = parseJson(txRes.bytes);
+  const blockTime = requireNonNegativeInt(txJson.block_time, "block_time");
+  const txSlot = requireNonNegativeInt(txJson.slot, "slot");
+  const txBlockHeight = requireNonNegativeInt(txJson.block_height, "block_height");
+  const tipRes = await fetchFn(`${base}/blocks/latest`, {
+    method: "GET",
+    headers,
+    purpose: "cardano"
+  });
+  if (tipRes.status !== 200) {
+    throw new Error(`blockfrost_blocks_latest_${tipRes.status}`);
+  }
+  const tipJson = parseJson(tipRes.bytes);
+  const tipHeight = requireNonNegativeInt(tipJson.height, "tip_height");
+  const numConfirmations = Math.max(0, tipHeight - txBlockHeight + 1);
+  return {
+    txCbor,
+    numConfirmations,
+    blockTime,
+    blockSlot: txSlot,
+    provider: "blockfrost",
+    providerUrl: base
+  };
+}
+function extractLabel309Metadata(txCbor) {
+  return sliceLabel309Value(txCbor);
+}
+function parseJson(bytes) {
+  return JSON.parse(new TextDecoder().decode(bytes));
+}
+function requireNonNegativeInt(value, field) {
+  if (typeof value !== "number" || !Number.isInteger(value) || value < 0) {
+    throw new Error(`gateway_field_invalid: ${field} (got ${typeof value}=${String(value)})`);
+  }
+  return value;
+}
+function hexToBytes(hex) {
+  const clean = hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
+  if (clean.length % 2 !== 0) {
+    throw new Error(`hex string has odd length (${clean.length})`);
+  }
+  if (!/^[0-9a-fA-F]*$/.test(clean)) {
+    throw new Error("hex string contains non-hex characters");
+  }
+  const out = new Uint8Array(clean.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    out[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
+  }
+  return out;
+}
+
+// src/hex.ts
+function bytesToHex(bytes) {
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/verifier/signatures.ts
+var CARDANO_MAINNET_STAKE_NETWORK_BYTE = 225;
+var CARDANO_PREPROD_STAKE_NETWORK_BYTE = 224;
+var CARDANO_STAKE_ADDRESS_LENGTH = 29;
+var ED25519_PUBLIC_KEY_LENGTH2 = 32;
+var BLAKE2B_224_LENGTH = 28;
+async function verifyRecordSignatures(args) {
+  const { record, input } = args;
+  const recordBodyCbor = encodeRecordBodyForSigning(record);
+  const list = record.sigs ?? [];
+  const out = [];
+  for (let i = 0; i < list.length; i++) {
+    out.push(await verifyOneSig(i, list[i], recordBodyCbor, input));
+  }
+  return out;
+}
+async function verifyOneSig(index, entry, recordBodyCbor, input) {
+  const coseBytes = bytesChunkArrayConcat(entry.cose_sign1);
+  let cose;
+  try {
+    cose = decodeCoseSign1(coseBytes);
+  } catch {
+    return { index, verdict: "invalid", reason: "MALFORMED_SIG_COSE_SIGN1" };
+  }
+  const resolved = resolveSignerKey(cose, entry);
+  if (resolved.kind === "unresolved") {
+    return { index, verdict: "unresolved", reason: "SIGNER_KEY_UNRESOLVED" };
+  }
+  const { pub, signerType } = resolved;
+  const verifyResult = coseSign1Cip309Verify({
+    message: coseBytes,
+    detachedRecordBodyCbor: recordBodyCbor,
+    expectedSignerKey: pub
+  });
+  if (!verifyResult.ok) {
+    const reason = mapVerifyError(verifyResult.error.code);
+    if (reason === "SIGNATURE_UNSUPPORTED") {
+      return {
+        index,
+        verdict: "unsupported",
+        signer_type: signerType,
+        signer_pub: bytesToHex(pub),
+        reason
+      };
+    }
+    return {
+      index,
+      verdict: "invalid",
+      signer_type: signerType,
+      signer_pub: bytesToHex(pub),
+      reason
+    };
+  }
+  if (signerType === "wallet-inline-key") {
+    const addressOk = checkWalletAddressBinding(cose, pub, input);
+    if (!addressOk) {
+      return {
+        index,
+        verdict: "invalid",
+        signer_type: signerType,
+        signer_pub: bytesToHex(pub),
+        reason: "WALLET_ADDRESS_MISMATCH"
+      };
+    }
+  }
+  return {
+    index,
+    verdict: "valid",
+    signer_type: signerType,
+    signer_pub: bytesToHex(pub)
+  };
+}
+function resolveSignerKey(cose, entry) {
+  const protectedKid = cose.protectedHeader.get(4);
+  if (protectedKid instanceof Uint8Array && protectedKid.length === ED25519_PUBLIC_KEY_LENGTH2 && entry.cose_key === void 0) {
+    return {
+      kind: "in-signature-kid",
+      pub: protectedKid,
+      signerType: "in-signature-kid"
+    };
+  }
+  if (entry.cose_key !== void 0) {
+    const blob = bytesChunkArrayConcat(entry.cose_key);
+    const pub = parseCoseKeyEd25519(blob);
+    if (pub !== null && pub.length === ED25519_PUBLIC_KEY_LENGTH2) {
+      return { kind: "wallet-inline-key", pub, signerType: "wallet-inline-key" };
+    }
+  }
+  return { kind: "unresolved" };
+}
+function mapVerifyError(code) {
+  switch (code) {
+    case "MALFORMED_SIG_COSE":
+    case "MALFORMED_SIG_COSE_SIGN1":
+      return "MALFORMED_SIG_COSE_SIGN1";
+    case "UNSUPPORTED_SIG_ALG":
+      return "SIGNATURE_UNSUPPORTED";
+    case "KID_UNRESOLVED":
+      return "SIGNER_KEY_UNRESOLVED";
+    case "SIGNATURE_INVALID":
+      return "SIGNATURE_INVALID";
+    default:
+      return "SIGNATURE_INVALID";
+  }
+}
+function checkWalletAddressBinding(cose, pub, input) {
+  const networkByte = (input.cardanoNetwork ?? "mainnet") === "preprod" ? CARDANO_PREPROD_STAKE_NETWORK_BYTE : CARDANO_MAINNET_STAKE_NETWORK_BYTE;
+  const rawAddress = cose.protectedHeader.get("address");
+  if (!(rawAddress instanceof Uint8Array)) {
+    return false;
+  }
+  if (rawAddress.length !== CARDANO_STAKE_ADDRESS_LENGTH) return false;
+  if (rawAddress[0] !== networkByte) return false;
+  const stakeKeyHash = blake2b2242(pub);
+  if (stakeKeyHash.length !== BLAKE2B_224_LENGTH) {
+    return false;
+  }
+  const derived = new Uint8Array(CARDANO_STAKE_ADDRESS_LENGTH);
+  derived[0] = networkByte;
+  derived.set(stakeKeyHash, 1);
+  return compareCt3(derived, rawAddress);
+}
+ed.hashes.sha512 = sha512;
+var L2 = ed.Point.CURVE().n;
+function leBytesToBigInt2(bytes) {
+  let value = 0n;
+  for (let i = bytes.length - 1; i >= 0; i--) {
+    value = value << 8n | BigInt(bytes[i]);
+  }
+  return value;
+}
+function verifyEd255192(opts2) {
+  const { signature, message, publicKey } = opts2;
+  if (signature.length !== 64 || publicKey.length !== 32) return false;
+  const S = leBytesToBigInt2(signature.subarray(32, 64));
+  if (S >= L2) return false;
+  let A;
+  let R;
+  try {
+    A = ed.Point.fromBytes(publicKey);
+    R = ed.Point.fromBytes(signature.subarray(0, 32));
+  } catch {
+    return false;
+  }
+  if (A.isSmallOrder() || R.isSmallOrder()) return false;
+  const k = leBytesToBigInt2(ed.hash(concatBytes4(signature.subarray(0, 32), publicKey, message))) % L2;
+  const sB = S === 0n ? ed.Point.ZERO : ed.Point.BASE.multiplyUnsafe(S);
+  const kA = k === 0n ? ed.Point.ZERO : A.multiplyUnsafe(k);
+  return sB.subtract(kA).subtract(R).is0();
+}
+function concatBytes4(...parts) {
+  let total = 0;
+  for (const p of parts) total += p.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const p of parts) {
+    out.set(p, offset);
+    offset += p.length;
+  }
+  return out;
+}
+
+// src/verifier/tx-witnesses.ts
+var ED25519_PUBLIC_KEY_LENGTH3 = 32;
+var ED25519_SIGNATURE_LENGTH = 64;
+var BODY_KEY_INPUTS = 0;
+var BODY_KEY_OUTPUTS = 1;
+var BODY_KEY_FEE = 2;
+var BODY_KEY_INVALID_HEREAFTER = 3;
+var BODY_KEY_INVALID_BEFORE = 8;
+var BODY_KEY_REQUIRED_SIGNERS = 14;
+var BODY_KEY_NETWORK_ID = 15;
+var WITNESS_KEY_VKEY = 0;
+function asArray(v) {
+  if (v instanceof Set) return [...v];
+  if (Array.isArray(v)) return v;
+  return [];
+}
+function asMap2(v) {
+  return v instanceof Map ? v : null;
+}
+function decodeTxWitnesses(witnessSetBytes, txBodyBytes) {
+  const witnessSet = asMap2(decodeCbor(witnessSetBytes));
+  if (witnessSet === null) return [];
+  const vkeyWitnesses = asArray(witnessSet.get(WITNESS_KEY_VKEY));
+  const txHash = blake2b256(txBodyBytes);
+  const out = [];
+  for (const entry of vkeyWitnesses) {
+    const pair = asArray(entry);
+    const vkey = pair[0];
+    const signature = pair[1];
+    if (!(vkey instanceof Uint8Array) || vkey.length !== ED25519_PUBLIC_KEY_LENGTH3 || !(signature instanceof Uint8Array) || signature.length !== ED25519_SIGNATURE_LENGTH) {
+      if (vkey instanceof Uint8Array && vkey.length === ED25519_PUBLIC_KEY_LENGTH3) {
+        out.push({
+          type: "vkey",
+          vkey: bytesToHex(vkey),
+          key_hash: bytesToHex(blake2b2242(vkey)),
+          signature_valid: false
+        });
+      }
+      continue;
+    }
+    let signatureValid;
+    try {
+      signatureValid = verifyEd255192({ publicKey: vkey, message: txHash, signature });
+    } catch {
+      signatureValid = false;
+    }
+    out.push({
+      type: "vkey",
+      vkey: bytesToHex(vkey),
+      key_hash: bytesToHex(blake2b2242(vkey)),
+      signature_valid: signatureValid
+    });
+  }
+  return out;
+}
+function countScriptWitnesses(witnessSetBytes) {
+  const witnessSet = asMap2(decodeCbor(witnessSetBytes));
+  if (witnessSet === null) return 0;
+  let count = 0;
+  for (const [key, value] of witnessSet) {
+    if (key === WITNESS_KEY_VKEY) continue;
+    count += asArray(value).length;
+  }
+  return count;
+}
+function decodeTxSummary(txBodyBytes, witnessSetBytes, network) {
+  const body = asMap2(decodeCbor(txBodyBytes));
+  if (body === null) {
+    throw new RangeError("MALFORMED_CBOR: tx body is not a CBOR map");
+  }
+  const inputs = asArray(body.get(BODY_KEY_INPUTS));
+  const outputsRaw = asArray(body.get(BODY_KEY_OUTPUTS));
+  const outputs = [];
+  let totalOutput = 0n;
+  for (const o of outputsRaw) {
+    const { addressBytes, lovelace } = readOutput(o);
+    totalOutput += lovelace;
+    outputs.push({
+      address: encodeCardanoAddress(addressBytes, network),
+      lovelace: lovelace.toString()
+    });
+  }
+  const requiredSigners = asArray(body.get(BODY_KEY_REQUIRED_SIGNERS)).filter((s) => s instanceof Uint8Array).map((s) => bytesToHex(s));
+  const summary = {
+    fee_lovelace: coinToString(body.get(BODY_KEY_FEE)),
+    input_count: inputs.length,
+    output_count: outputs.length,
+    outputs,
+    total_output_lovelace: totalOutput.toString(),
+    script_witness_count: countScriptWitnesses(witnessSetBytes)
+  };
+  const invalidBefore = body.get(BODY_KEY_INVALID_BEFORE);
+  if (typeof invalidBefore === "number") summary.invalid_before = invalidBefore;
+  else if (typeof invalidBefore === "bigint") summary.invalid_before = Number(invalidBefore);
+  const invalidHereafter = body.get(BODY_KEY_INVALID_HEREAFTER);
+  if (typeof invalidHereafter === "number") summary.invalid_hereafter = invalidHereafter;
+  else if (typeof invalidHereafter === "bigint") summary.invalid_hereafter = Number(invalidHereafter);
+  if (requiredSigners.length > 0) summary.required_signer_key_hashes = requiredSigners;
+  const networkId = body.get(BODY_KEY_NETWORK_ID);
+  if (typeof networkId === "number") summary.network_id = networkId;
+  else if (typeof networkId === "bigint") summary.network_id = Number(networkId);
+  return summary;
+}
+function readOutput(output) {
+  let address;
+  let amount;
+  if (Array.isArray(output)) {
+    address = output[0];
+    amount = output[1];
+  } else if (output instanceof Map) {
+    address = output.get(0);
+    amount = output.get(1);
+  } else {
+    throw new RangeError("MALFORMED_CBOR: tx output is neither a CBOR array nor a CBOR map");
+  }
+  if (!(address instanceof Uint8Array)) {
+    throw new RangeError("MALFORMED_CBOR: tx output address is not a byte string");
+  }
+  const lovelace = Array.isArray(amount) ? toBigInt(amount[0]) : toBigInt(amount);
+  return { addressBytes: address, lovelace };
+}
+function coinToString(v) {
+  return toBigInt(v).toString();
+}
+function toBigInt(v) {
+  if (typeof v === "bigint") return v;
+  if (typeof v === "number" && Number.isInteger(v)) return BigInt(v);
+  throw new RangeError(`MALFORMED_CBOR: expected an integer coin value, got ${typeof v}`);
+}
+var BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
+function encodeCardanoAddress(addressBytes, network) {
+  if (addressBytes.length === 0) {
+    throw new RangeError("MALFORMED_CBOR: empty address byte string");
+  }
+  const header = addressBytes[0];
+  const addressType = header >> 4;
+  const networkNibble = header & 15;
+  const isStake = addressType === 14 || addressType === 15;
+  const isTestnet = networkNibble === 0 ? true : networkNibble === 1 ? false : network === "preprod";
+  const base = isStake ? "stake" : "addr";
+  const hrp = isTestnet ? `${base}_test` : base;
+  return bech32Encode(hrp, addressBytes);
+}
+function bech32Polymod(values) {
+  const generators = [996825010, 642813549, 513874426, 1027748829, 705979059];
+  let chk = 1;
+  for (const value of values) {
+    const top = chk >> 25;
+    chk = (chk & 33554431) << 5 ^ value;
+    for (let i = 0; i < 5; i++) {
+      if (top >> i & 1) chk ^= generators[i];
+    }
+  }
+  return chk;
+}
+function bech32HrpExpand(hrp) {
+  const out = [];
+  for (let i = 0; i < hrp.length; i++) out.push(hrp.charCodeAt(i) >> 5);
+  out.push(0);
+  for (let i = 0; i < hrp.length; i++) out.push(hrp.charCodeAt(i) & 31);
+  return out;
+}
+function bech32ToWords(data) {
+  let acc = 0;
+  let bits = 0;
+  const out = [];
+  const maxv = (1 << 5) - 1;
+  for (const value of data) {
+    acc = acc << 8 | value;
+    bits += 8;
+    while (bits >= 5) {
+      bits -= 5;
+      out.push(acc >> bits & maxv);
+    }
+  }
+  if (bits > 0) out.push(acc << 5 - bits & maxv);
+  return out;
+}
+function bech32Encode(hrp, data) {
+  const words = bech32ToWords(data);
+  const polymodInput = bech32HrpExpand(hrp).concat(words, [0, 0, 0, 0, 0, 0]);
+  const polymod = bech32Polymod(polymodInput) ^ 1;
+  const checksum = [];
+  for (let i = 0; i < 6; i++) checksum.push(polymod >> 5 * (5 - i) & 31);
+  let result = `${hrp}1`;
+  for (const w of words.concat(checksum)) result += BECH32_CHARSET.charAt(w);
+  return result;
+}
+
+// src/verifier/verify.ts
+var CONFIRMATION_DEPTH_THRESHOLD_DEFAULT = 15;
+async function verifyTx(input) {
+  const profile = input.profile ?? DEFAULT_PROFILE;
+  const threshold = input.confirmationDepthThreshold ?? CONFIRMATION_DEPTH_THRESHOLD_DEFAULT;
+  const httpCalls = [];
+  const fetchFn = wrapFetchOutbound(
+    input.fetchOutbound ?? defaultFetchOutbound,
+    httpCalls,
+    input.denyHosts
+  );
+  const base = (over) => ({
+    tx_hash: input.txHash,
+    network: "cardano:mainnet",
+    profile,
+    num_confirmations: 0,
+    confirmation_depth_threshold: threshold,
+    metadata_present: false,
+    validation: { valid: false },
+    http_calls: httpCalls,
+    ...over
+  });
+  let resolved;
+  try {
+    resolved = await resolveCardanoTx({ input, fetchFn });
+  } catch (e) {
+    if (e instanceof NotACip309RecordError) {
+      return base({
+        verdict: "failed",
+        exit_code: 1,
+        validation: {
+          valid: false,
+          issues: [issueOf("METADATA_NOT_FOUND", [], e.message)]
+        }
+      });
+    }
+    return base({
+      verdict: "failed",
+      exit_code: 2,
+      validation: {
+        valid: false,
+        issues: [issueOf("PROVIDER_UNAVAILABLE", [], e.message)]
+      }
+    });
+  }
+  let metadataBytes;
+  try {
+    metadataBytes = extractLabel309Metadata(resolved.txCbor);
+  } catch (e) {
+    return base({
+      verdict: "failed",
+      exit_code: 1,
+      num_confirmations: resolved.numConfirmations,
+      block_time: resolved.blockTime,
+      block_slot: resolved.blockSlot,
+      validation: {
+        valid: false,
+        issues: [issueOf("MALFORMED_CBOR", [], e.message)]
+      }
+    });
+  }
+  if (metadataBytes === null) {
+    return base({
+      verdict: "failed",
+      exit_code: 1,
+      num_confirmations: resolved.numConfirmations,
+      block_time: resolved.blockTime,
+      block_slot: resolved.blockSlot,
+      metadata_present: false,
+      validation: {
+        valid: false,
+        issues: [issueOf("METADATA_NOT_FOUND", [], "no label-309 metadata on this tx")]
+      }
+    });
+  }
+  return verifyResolvedRecord({
+    input,
+    metadataBytes,
+    txCbor: resolved.txCbor,
+    numConfirmations: resolved.numConfirmations,
+    blockTime: resolved.blockTime,
+    blockSlot: resolved.blockSlot,
+    httpCalls,
+    fetchFn
+  });
+}
+async function verifyResolved(input) {
+  const httpCalls = [];
+  const fetchFn = wrapFetchOutbound(
+    input.fetchOutbound ?? defaultFetchOutbound,
+    httpCalls,
+    input.denyHosts
+  );
+  const verifyTxInput = {
+    txHash: input.txHash,
+    ...input.profile !== void 0 ? { profile: input.profile } : {},
+    ...input.cardanoNetwork !== void 0 ? { cardanoNetwork: input.cardanoNetwork } : {},
+    ...input.confirmationDepthThreshold !== void 0 ? { confirmationDepthThreshold: input.confirmationDepthThreshold } : {},
+    ...input.fetchOutbound !== void 0 ? { fetchOutbound: input.fetchOutbound } : {},
+    ...input.denyHosts !== void 0 ? { denyHosts: input.denyHosts } : {},
+    ...input.decryption !== void 0 ? { decryption: input.decryption } : {},
+    ...input.verifyMerkle !== void 0 ? { verifyMerkle: input.verifyMerkle } : {}
+  };
+  const report = await verifyResolvedRecord({
+    input: verifyTxInput,
+    metadataBytes: input.metadataCbor,
+    ...input.txCbor !== void 0 ? { txCbor: input.txCbor } : {},
+    numConfirmations: input.numConfirmations,
+    ...input.blockTime !== void 0 ? { blockTime: input.blockTime } : {},
+    ...input.blockSlot !== void 0 ? { blockSlot: input.blockSlot } : {},
+    httpCalls,
+    fetchFn
+  });
+  if (input.network !== void 0) {
+    return { ...report, network: input.network };
+  }
+  return report;
+}
+async function verifyResolvedRecord(args) {
+  const { input, metadataBytes, txCbor, numConfirmations, blockTime, blockSlot, httpCalls, fetchFn } = args;
+  const profile = input.profile ?? DEFAULT_PROFILE;
+  const threshold = input.confirmationDepthThreshold ?? CONFIRMATION_DEPTH_THRESHOLD_DEFAULT;
+  const txDescription = txCbor !== void 0 ? decodeTxDescription(txCbor, input) : {};
+  const base = (over) => ({
+    tx_hash: input.txHash,
+    network: "cardano:mainnet",
+    profile,
+    num_confirmations: 0,
+    confirmation_depth_threshold: threshold,
+    metadata_present: false,
+    validation: { valid: false },
+    http_calls: httpCalls,
+    ...txDescription,
+    ...over
+  });
+  const validation = validatePoeRecord(metadataBytes);
+  if (!validation.ok) {
+    return base({
+      verdict: "failed",
+      exit_code: 1,
+      num_confirmations: numConfirmations,
+      ...blockTime !== void 0 ? { block_time: blockTime } : {},
+      ...blockSlot !== void 0 ? { block_slot: blockSlot } : {},
+      metadata_present: true,
+      validation: { valid: false, issues: validation.issues }
+    });
+  }
+  const record = validation.record;
+  if (numConfirmations < threshold) {
+    return base({
+      verdict: "pending",
+      exit_code: 3,
+      num_confirmations: numConfirmations,
+      ...blockTime !== void 0 ? { block_time: blockTime } : {},
+      ...blockSlot !== void 0 ? { block_slot: blockSlot } : {},
+      metadata_present: true,
+      record,
+      validation: {
+        valid: false,
+        issues: [
+          issueOf("INSUFFICIENT_CONFIRMATIONS", [], `${numConfirmations} < threshold ${threshold}`)
+        ]
+      }
+    });
+  }
+  const initialWarnings = (validation.warnings ?? []).slice();
+  const initialInfo = (validation.info ?? []).slice();
+  const plan = planProfileSkips(profile, record);
+  initialInfo.push(...plan.skips);
+  const reportShape = {
+    tx_hash: input.txHash,
+    network: "cardano:mainnet",
+    profile,
+    num_confirmations: numConfirmations,
+    confirmation_depth_threshold: threshold,
+    ...blockTime !== void 0 ? { block_time: blockTime } : {},
+    ...blockSlot !== void 0 ? { block_slot: blockSlot } : {},
+    metadata_present: true,
+    validation: composeValidation(true, void 0, initialWarnings, initialInfo),
+    record,
+    ...txDescription,
+    http_calls: httpCalls,
+    verdict: "valid",
+    exit_code: 0
+  };
+  const report = { ...reportShape };
+  const uriChecks = [];
+  const allowUriFetch = input.verifyMerkle ?? true;
+  if (plan.verifySignatures && record.sigs && record.sigs.length > 0) {
+    const sigOut = await verifyRecordSignatures({ record, input });
+    report.record_signatures = sigOut;
+    if (recordSignaturesShouldFail(sigOut)) {
+      report.verdict = "failed";
+      report.exit_code = 1;
+    }
+  }
+  if (plan.verifyDecrypt && input.decryption && input.decryption.length > 0) {
+    const dec = await tryDecryptions({
+      record,
+      input,
+      fetchFn,
+      httpCalls,
+      uriChecksOut: uriChecks,
+      allowUriFetch
+    });
+    report.item_decryptions = dec.results;
+    const decFailure = decryptionsShouldFail(dec.results);
+    if (decFailure !== null) {
+      report.verdict = "failed";
+      report.exit_code = decFailure === "network" ? 2 : 1;
+    }
+  }
+  if (allowUriFetch && Array.isArray(record.merkle) && record.merkle.length > 0) {
+    const merkle = await verifyMerkleCommitments({
+      record,
+      input,
+      fetchFn,
+      uriChecksOut: uriChecks
+    });
+    report.merkle_checks = merkle.checks;
+    const merkleFailure = merkleChecksShouldFail(merkle.checks);
+    if (merkleFailure && report.verdict === "valid") {
+      report.verdict = "failed";
+      report.exit_code = 1;
+    }
+  }
+  if (uriChecks.length > 0) {
+    report.uri_checks = uriChecks;
+  }
+  return report;
+}
+function decodeTxDescription(txCbor, input) {
+  const network = input.cardanoNetwork ?? "mainnet";
+  const out = {};
+  let components;
+  try {
+    components = sliceTxComponents(txCbor);
+  } catch {
+    return out;
+  }
+  out.metadata_labels = components.auxMetadataLabels;
+  try {
+    out.tx_witnesses = decodeTxWitnesses(components.witnessSet, components.txBody);
+  } catch {
+  }
+  try {
+    out.tx_summary = decodeTxSummary(components.txBody, components.witnessSet, network);
+  } catch {
+  }
+  return out;
+}
+function recordSignaturesShouldFail(sigs) {
+  return sigs.some((s) => s.verdict === "invalid" || s.verdict === "unresolved");
+}
+function decryptionsShouldFail(results) {
+  let saw = null;
+  for (const d of results) {
+    if (d.verdict === "decrypted" && d.plaintext_hash_ok !== false) continue;
+    if (d.verdict === "content-unavailable" || d.verdict === "ciphertext-unavailable") {
+      saw = saw === "integrity" ? "integrity" : "network";
+      continue;
+    }
+    saw = "integrity";
+  }
+  return saw;
+}
+function merkleChecksShouldFail(checks) {
+  for (const c of checks) {
+    if (c.verdict === "mismatch") return true;
+  }
+  return false;
+}
+function issueOf(code, path, message) {
+  return { code, path, message, severity: SEVERITY[code] };
+}
+function composeValidation(valid, issues, warnings, info) {
+  const out = { valid };
+  if (warnings.length > 0) out.warnings = warnings;
+  if (info.length > 0) out.info = info;
+  return out;
+}
+function exitCodeForVerdict(report) {
+  return report.exit_code;
+}
+
+// src/verifier/serialize.ts
+function isPlainObject(v) {
+  if (v === null || typeof v !== "object") return false;
+  if (Array.isArray(v) || v instanceof Uint8Array || v instanceof Map || v instanceof Set) {
+    return false;
+  }
+  return true;
+}
+function walk(value) {
+  if (value === void 0 || value === null) return void 0;
+  if (value instanceof Uint8Array) return bytesToHex(value);
+  if (value instanceof Map) {
+    throw new Error("unsupported Map in VerifyReport tree");
+  }
+  if (Array.isArray(value)) {
+    return value.map((v) => walk(v));
+  }
+  if (isPlainObject(value)) {
+    const out = {};
+    for (const [k, v] of Object.entries(value)) {
+      if (v === void 0 || v === null) continue;
+      const walked = walk(v);
+      if (walked === void 0) continue;
+      out[k] = walked;
+    }
+    return out;
+  }
+  return value;
+}
+function verifyReportToDict(report) {
+  const out = walk(report);
+  if (!isPlainObject(out)) {
+    throw new Error("verifyReportToDict: walk produced non-object root");
+  }
+  return out;
+}
+/*! Bundled license information:
+
+@noble/post-quantum/utils.js:
+@noble/post-quantum/_crystals.js:
+@noble/post-quantum/ml-kem.js:
+@noble/post-quantum/hybrid.js:
+  (*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) *)
+*/
+
+export { BLOCKFROST_MAINNET_HOST, BodyTooLargeError, CONFIRMATION_DEPTH_THRESHOLD_DEFAULT, DEFAULT_OUTBOUND_MAX_BYTES, DEFAULT_PROFILE, DENY_HOSTS_DEFAULT, DenyHostError, KOIOS_MAINNET_URL, NotACip309RecordError, OutboundExhaustedError, PROFILE_RANK, UnsupportedMethodError, UnsupportedProtocolError, decodeTxSummary, decodeTxWitnesses, defaultFetchOutbound, exitCodeForVerdict, extractLabel309Metadata, fetchItemCiphertext, fetchOutbound, planProfileSkips, profileImplements, resolveCardanoTx, sliceLabel309Value, sliceTxComponents, tryDecryptions, verifyMerkleCommitments, verifyRecordSignatures, verifyReportToDict, verifyResolved, verifyTx, wrapFetchOutbound };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map